A forum for reverse engineering, OS internals and malware analysis 

 #21418  by bitstechs
 Mon Nov 18, 2013 7:03 pm
I just wanted to thank you guys so much for this information.

Upon creating a new VirtualBox VM I realized that I was unable to open some malware/viruses, more specifically Antivirus Security Pro. Then I ran across this thread, and after doing some research and applying these settings and DLLs I started up the VM and Antivirus Security Pro popped up immediately. Again, thanks for all the info; I feel a lot less like a VM noob now!

Edit: Also, the patched DLLs for 4.3.2 that DerW_234 posted are the ones I used, and they worked like a charm.
 #21601  by EP_X0FF
 Sat Dec 07, 2013 3:41 am
rinn wrote:
Hello.

Important fix for everyone who uses VBox for malware research. Bug described here http://www.kernelmode.info/forum/viewto ... 930#p18930

Wrong instruction after single-step exception with 'rdtsc' and 'cpuid'

Assume the VMProtect author should do more research on VBox now.

Best Regards

I especially like comment 2, https://www.virtualbox.org/ticket/10947#comment:2
Now you all know the reason, and the person responsible, why this bug wasn't fixed for years -> a typical idiot who cannot into "asm".
 #21632  by feryno
 Mon Dec 09, 2013 12:09 pm
Wrong instruction after single-step exception with 'rdtsc' and 'cpuid'
It seems there is (at least) one lazy programmer in the VirtualBox team - they just forgot to generate #DB after emulating these instructions in the VBox hypervisor's VM-exit handler. I would say it is more laziness than a bug.
I just wonder how they implement emulation if somebody sets DebugCtl.BTF and then does a single step - implementing that in VBox is not so trivial a task.
 #21814  by DerW_234
 Sun Dec 29, 2013 12:05 pm
Happy new year everyone :).

I attached the patched DLLs for the latest VirtualBox version (4.3.6-91406).

PS: Does anybody know of a good hex editor that supports regular expression search? Would make the process a little faster.
 #22838  by n0mad
 Thu May 08, 2014 8:34 pm

My first post. I love this forum, I am learning a lot. :shock:

I will post an Anti-AntiVM process I found on the Net:

1. Install a VirtualBox XP 32-bit virtual machine.

2. Use these 2 scripts (on Windows you need Python 2: https://www.python.org/downloads/ ):
```python
#!/usr/bin/env python
# createVBoxVM.py - add a SATA (AHCI) controller to each named VM and attach
# the VM's .vdi image to it (Python 2, as the post says)
import os
import sys
import subprocess


def runcmd(cmd):
    """Run a command and return its stdout, or None if it fails."""
    print "Executing %s" % ' '.join(cmd)
    try:
        output = subprocess.check_output(cmd)
        print output
        return output
    except (subprocess.CalledProcessError, OSError):
        print "Failed"
        return None


VBoxManage = '/usr/bin/VBoxManage'
vboxConfBios = '/MART/bin/vboxConfBios.py'

for machine in sys.argv[1:]:
    hdpath = os.path.join('/', 'MART', 'VirtualBox VMs', machine, machine + '.vdi')
    runcmd([VBoxManage, 'storagectl', machine, '--name', 'SATA Controller', '--add', 'sata', '--controller', 'IntelAHCI'])
    runcmd([VBoxManage, 'storageattach', machine, '--storagectl', 'SATA Controller', '--port', '0', '--device', '0', '--type', 'hdd', '--medium', hdpath])
```

```python
#!/usr/bin/env python
# vboxConfBios.py - copy the host's DMI/SMBIOS strings into a VirtualBox VM's
# virtual BIOS, give the VM a host-like MAC address and a VRDE port (Python 2)
import json
import os
import random
import re
import subprocess
import sys

VBoxManage = '/usr/bin/VBoxManage'
DMI_CACHE = '/MART/etc/dmi.txt'
MAC_TABLE = '/MART/etc/macs.txt'
DSDT_BIN = '/MART/etc/dsdt.bin'   # assumed path; the original post never defines DSDT_BIN


def runcmd(cmd):
    """Run a command and return its stdout, or None if it fails."""
    print "Executing %s" % ' '.join(cmd)
    try:
        output = subprocess.check_output(cmd)
        print output
        return output
    except (subprocess.CalledProcessError, OSError):
        print "Failed"
        return None


def cloneMAC():
    """Keep the host NIC's OUI (first three bytes) and randomise the rest."""
    ifconfig_out = runcmd(["/sbin/ifconfig", "eth0"]) or ""
    pat = re.compile(r"([0-9A-F]{2}[:-]){5}([0-9A-F]{2})", re.I)
    for line in ifconfig_out.splitlines():
        m = pat.search(line)
        if m:
            mac = [int(x, 16) for x in re.split("[:-]", m.group())]
            mac[3] = random.randint(0x00, 0x7f)
            mac[4] = random.randint(0x00, 0xff)
            mac[5] = random.randint(0x00, 0xff)
            return ''.join("%02x" % x for x in mac)
    return randomMAC()


def randomMAC():
    # 00:1b:fc = ASUSTek COMPUTER INC.
    mac = [0x00, 0x1b, 0xfc,
           random.randint(0x00, 0x7f),
           random.randint(0x00, 0xff),
           random.randint(0x00, 0xff)]
    return ''.join("%02x" % x for x in mac)


def getnewmac(hostname):
    """Look the VM up in macs.txt ("<hostname> <mac> <ip>" per line)."""
    pat = re.compile(r"(%s)\s+([0-9A-Fa-f]+)\s+([0-9\.]+)" % re.escape(hostname), re.I)
    with open(MAC_TABLE) as fh:
        for line in fh:
            m = pat.search(line)
            if m:
                (hostname, mac, ip) = m.groups()
                if mac:
                    return mac
    return randomMAC()


# Names dmidecode prints for the SMBIOS board (type 2) and chassis (type 3)
# type enumerations; VirtualBox wants the 1-based SMBIOS code, i.e. index + 1.
MotherboardTypes = [
    "Unknown", "Other", "Server Blade", "Connectivity Switch",
    "System Management Module", "Processor Module", "I/O Module",
    "Memory Module", "Daughter Board", "Motherboard",
    "Processor+Memory Module", "Processor+I/O Module", "Interconnect Board",
]
ChassiTypes = [
    "Other", "Unknown", "Desktop", "Low Profile Desktop", "Pizza Box",
    "Mini Tower", "Tower", "Portable", "Laptop", "Notebook", "Hand Held",
    "Docking Station", "All In One", "Sub Notebook", "Space-saving",
    "Lunch Box", "Main Server Chassis", "Expansion Chassis", "Sub Chassis",
    "Bus Expansion Chassis", "Peripheral Chassis", "RAID Chassis",
    "Rack Mount Chassis", "Sealed-case PC", "Multi-system", "CompactPCI",
    "AdvancedTCA", "Blade", "Blade Enclosing",
]


def dmifield(text, label):
    """Return the value of a 'Label: value' line in dmidecode output, or None."""
    m = re.search(r"^\s*%s: (.+)$" % re.escape(label), text or "", re.M)
    return m.group(1).strip() if m else None


def dmitype(text, label, table):
    """Map an enumerated dmidecode field to its 1-based SMBIOS code (as a string)."""
    name = dmifield(text, label)
    return str(table.index(name) + 1) if name in table else None


# Gather system information
def getdmi():
    dmi = {}
    # Anti-VM detection, DMI BIOS information (type 0)
    dmitmp = runcmd(["sudo", "dmidecode", "-t0"])
    dmi['DmiBIOSVendor'] = dmifield(dmitmp, "Vendor")
    dmi['DmiBIOSVersion'] = dmifield(dmitmp, "Version")
    dmi['DmiBIOSReleaseDate'] = dmifield(dmitmp, "Release Date")
    # Anti-VM detection, DMI system information (type 1)
    dmitmp = runcmd(["sudo", "dmidecode", "-t1"])
    dmi['DmiSystemVendor'] = dmifield(dmitmp, "Manufacturer")
    dmi['DmiSystemProduct'] = dmifield(dmitmp, "Product Name")
    dmi['DmiSystemVersion'] = dmifield(dmitmp, "Version")
    dmi['DmiSystemSerial'] = dmifield(dmitmp, "Serial Number")
    dmi['DmiSystemSKU'] = dmifield(dmitmp, "SKU Number")
    dmi['DmiSystemFamily'] = dmifield(dmitmp, "Family")
    dmi['DmiSystemUuid'] = dmifield(dmitmp, "UUID")
    # Anti-VM detection, DMI base board information (type 2)
    dmitmp = runcmd(["sudo", "dmidecode", "-t2"])
    dmi['DmiBoardVendor'] = dmifield(dmitmp, "Manufacturer")
    dmi['DmiBoardProduct'] = dmifield(dmitmp, "Product Name")
    dmi['DmiBoardVersion'] = dmifield(dmitmp, "Version")
    dmi['DmiBoardSerial'] = dmifield(dmitmp, "Serial Number")
    dmi['DmiBoardAssetTag'] = dmifield(dmitmp, "Asset Tag")
    dmi['DmiBoardLocInChass'] = dmifield(dmitmp, "Location In Chassis")
    dmi['DmiBoardBoardType'] = dmitype(dmitmp, "Type", MotherboardTypes)
    # Anti-VM detection, DMI system enclosure or chassis (type 3)
    dmitmp = runcmd(["sudo", "dmidecode", "-t3"])
    dmi['DmiChassisVendor'] = dmifield(dmitmp, "Manufacturer")
    dmi['DmiChassisType'] = dmitype(dmitmp, "Type", ChassiTypes)
    dmi['DmiChassisVersion'] = dmifield(dmitmp, "Version")
    dmi['DmiChassisSerial'] = dmifield(dmitmp, "Serial Number")
    dmi['DmiChassisAssetTag'] = dmifield(dmitmp, "Asset Tag")
    # Anti-VM detection, DMI processor information (type 4)
    dmitmp = runcmd(["sudo", "dmidecode", "-t4"])
    dmi['DmiProcManufacturer'] = dmifield(dmitmp, "Manufacturer")
    dmi['DmiProcVersion'] = dmifield(dmitmp, "Version")
    # Drop fields the host does not report, and prefix DMI strings that start
    # with a digit with "string:" so VBoxManage does not store them as numbers
    # (the UUID and the two integer type codes are passed through as they are).
    for key, value in list(dmi.items()):
        if value is None:
            del dmi[key]
        elif key not in ('DmiSystemUuid', 'DmiBoardBoardType', 'DmiChassisType') \
                and value[:1].isdigit():
            dmi[key] = "string:" + value
    return dmi


def loaddmi():
    """Use the cached host DMI data if present, otherwise query and cache it."""
    try:
        with open(DMI_CACHE, 'r') as fh:
            return json.load(fh)
    except (IOError, ValueError):
        dmi = getdmi()
        with open(DMI_CACHE, 'w') as outfile:
            json.dump(dmi, outfile, sort_keys=True, indent=4, separators=(',', ': '))
        print json.dumps(dmi, sort_keys=True, indent=4, separators=(',', ': '))
        return dmi


dmi = loaddmi()

# Get the DSDT (assumed method: copy the host's table out of sysfs)
if not os.path.exists(DSDT_BIN):
    runcmd(["sudo", "sh", "-c", "cat /sys/firmware/acpi/tables/DSDT > %s" % DSDT_BIN])

for target in sys.argv[1:]:
    # Configure all the virtual BIOS settings
    for key, value in dmi.iteritems():
        runcmd([VBoxManage, "setextradata", target, "VBoxInternal/Devices/pcbios/0/Config/" + key, value])
    # Configure DSDT (assumed: hand the dumped table to VirtualBox as a custom ACPI table)
    if os.path.exists(DSDT_BIN):
        runcmd([VBoxManage, "setextradata", target, "VBoxInternal/Devices/acpi/0/Config/CustomTable", DSDT_BIN])
    # Setting guest MAC (12 hex digits, no separators, as modifyvm expects)
    #newmac = getnewmac(target)
    newmac = cloneMAC()
    runcmd([VBoxManage, "modifyvm", target, "--macaddress1", newmac])
    # Enable memory ballooning
    # Configure VRDP (assumes VM names like "xxx-yyy-N", so the third field is a number)
    runcmd([VBoxManage, "modifyvm", target, "--vrdeport", str(3389 + int(target.split("-")[2]))])
```
3. Run the scripts against the virtual machine with XP 32-bit.
```
C:\Python27> python createVBoxVM.py

C:\Python27> python vboxConfBios.py
```
Then replace the DLLs in your VB installation with the DLLs from this thread, according to your VB version.

4. Test whether the VM is Anti-AntiVM with "pafish" (Paranoid Fish). You can download pafish here: https://github.com/a0rtega/pafish

5. Check the "pafish.log" output.

Found: http://blog.michaelboman.org/2014/01/ma ... table.html

The End.
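The scripts above query the host with dmidecode and push its strings into the VM's virtual BIOS through the VBoxInternal/Devices/pcbios/0/Config/* extradata keys. As an added example (not from n0mad's post or the scripts he found), the Python 3 program below does the same mapping offline on a constructed dmidecode dump, so the two details that usually go wrong can be checked without a host: the board and chassis type codes are 1-based indexes into the names dmidecode prints (so "Motherboard" is 10 and "Desktop" is 3), and any DMI string that starts with a digit must be given the string: prefix or VBoxManage stores it as a number, while the UUID and the two integer type codes are passed through. The sample dmidecode output and the VM name are constructed, not taken from a real host.

```python
"""Map dmidecode output onto VirtualBox DMI extradata keys (added example;
SAMPLE_DMIDECODE is a constructed dump, not a real host's)."""
import re
import shlex

SAMPLE_DMIDECODE = """\
Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
\tVendor: Example BIOS Vendor
\tVersion: 1.02.7
\tRelease Date: 05/14/2013
Handle 0x0001, DMI type 1, 27 bytes
System Information
\tManufacturer: Example Computer Inc.
\tProduct Name: ExampleBook 15
\tSerial Number: 1234EXAMPLE
\tUUID: 12345678-1234-5678-9abc-def012345678
Handle 0x0002, DMI type 2, 15 bytes
\tManufacturer: Example Boards Ltd.
\tSerial Number: 20130514
\tType: Motherboard
Handle 0x0003, DMI type 3, 22 bytes
\tType: Desktop
Handle 0x0004, DMI type 4, 42 bytes
\tVersion: Example Core i7 CPU
"""

# Names dmidecode prints for the SMBIOS board (type 2) and chassis (type 3)
# type enumerations; the code VirtualBox expects is the 1-based index.
BOARD_TYPES = ["Unknown", "Other", "Server Blade", "Connectivity Switch",
               "System Management Module", "Processor Module", "I/O Module", "Memory Module",
               "Daughter Board", "Motherboard", "Processor+Memory Module",
               "Processor+I/O Module", "Interconnect Board"]
CHASSIS_TYPES = ["Other", "Unknown", "Desktop", "Low Profile Desktop", "Pizza Box", "Mini Tower",
                 "Tower", "Portable", "Laptop", "Notebook", "Hand Held", "Docking Station",
                 "All In One", "Sub Notebook", "Space-saving", "Lunch Box", "Main Server Chassis",
                 "Expansion Chassis", "Sub Chassis", "Bus Expansion Chassis", "Peripheral Chassis",
                 "RAID Chassis", "Rack Mount Chassis", "Sealed-case PC", "Multi-system",
                 "CompactPCI", "AdvancedTCA", "Blade", "Blade Enclosing"]

STRING_FIELDS = {  # dmidecode field -> VirtualBox pcbios config key, per SMBIOS type
    0: {"Vendor": "DmiBIOSVendor", "Version": "DmiBIOSVersion", "Release Date": "DmiBIOSReleaseDate"},
    1: {"Manufacturer": "DmiSystemVendor", "Product Name": "DmiSystemProduct", "Version": "DmiSystemVersion",
        "Serial Number": "DmiSystemSerial", "SKU Number": "DmiSystemSKU", "Family": "DmiSystemFamily",
        "UUID": "DmiSystemUuid"},
    2: {"Manufacturer": "DmiBoardVendor", "Product Name": "DmiBoardProduct", "Version": "DmiBoardVersion",
        "Serial Number": "DmiBoardSerial", "Asset Tag": "DmiBoardAssetTag",
        "Location In Chassis": "DmiBoardLocInChass"},
    3: {"Manufacturer": "DmiChassisVendor", "Version": "DmiChassisVersion",
        "Serial Number": "DmiChassisSerial", "Asset Tag": "DmiChassisAssetTag"},
    4: {"Manufacturer": "DmiProcManufacturer", "Version": "DmiProcVersion"},
}
ENUM_FIELDS = {2: ("Type", "DmiBoardBoardType", BOARD_TYPES), 3: ("Type", "DmiChassisType", CHASSIS_TYPES)}

HANDLE_RE = re.compile(r"^Handle 0x[0-9A-Fa-f]+, DMI type (\d+), \d+ bytes$")
FIELD_RE = re.compile(r"^\t([^\t:]+): (.*)$")  # single-tab 'Field: value' lines only


def parse_dmidecode(text):
    """Return {smbios_type: {field: value}}, keeping the first structure of each type."""
    sections, current = {}, None
    for line in text.splitlines():
        m = HANDLE_RE.match(line)
        if m:
            dmi_type = int(m.group(1))
            current = None if dmi_type in sections else sections.setdefault(dmi_type, {})
            continue
        m = FIELD_RE.match(line) if current is not None else None
        if m:
            current.setdefault(m.group(1), m.group(2).strip())
    return sections


def dmi_to_extradata(sections):
    """Build VirtualBox key -> value. A DMI string starting with a digit needs the
    'string:' prefix or VBoxManage stores it as an integer; the UUID and the two
    integer type codes are passed through unchanged."""
    out = {}
    for dmi_type, fields in STRING_FIELDS.items():
        for field, key in fields.items():
            value = sections.get(dmi_type, {}).get(field)
            if value is None:
                continue
            if key != "DmiSystemUuid" and value[:1].isdigit():
                value = "string:" + value
            out[key] = value
    for dmi_type, (field, key, table) in ENUM_FIELDS.items():
        name = sections.get(dmi_type, {}).get(field)
        if name in table:
            out[key] = str(table.index(name) + 1)
    return out


def setextradata_commands(vm_name, extradata):
    """One VBoxManage argument vector per key, in a stable order."""
    prefix = "VBoxInternal/Devices/pcbios/0/Config/"
    return [["VBoxManage", "setextradata", vm_name, prefix + key, value]
            for key, value in sorted(extradata.items())]


if __name__ == "__main__":
    extradata = dmi_to_extradata(parse_dmidecode(SAMPLE_DMIDECODE))
    for cmd in setextradata_commands("example-vm", extradata):  # constructed VM name
        print(" ".join(shlex.quote(a) for a in cmd))
```

Fields the host does not report are simply left unset, so VirtualBox keeps its default for them; a second structure of the same SMBIOS type (a second CPU, for instance) is ignored, which matches what the original script's first-match regexes did.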
 #22894  by EP_X0FF
 Sun May 18, 2014 3:01 am
VirtualBox cannot be hidden at all; we even have proof in vmde. All the above only works for very stupid general malware.