Hi guys, I just want to pitch in with my little contribution.
I've been trying to harden my VirtualBox 5.1.2 instance that I run under cuckoo on Debian against detections. My guest is a Win10 x64 installation.
It was a huge pain in the ass and pretty much took two days of trial and error until I was finally done, so in case you're facing a similar situation maybe I can save you some trouble.
On Windows hosts, EP_X0FF's runtime patcher is probably your best bet, but since porting it to linux would pretty much be a full rewrite, I found it easiest to just hack VBOX's source and compile my own build.
You simply cannot do everything needed from the outside, no matter how much you call VBoxManage setextradata. Don't waste your time on values that aren't fixable this way, like the hypervisor vendor string. The easiest way to go is:
- 1) Use nsmfoo's script from https://github.com/nsmfoo/antivmdetection to create or modify the initial VM. It's a very thorough script that clones most extradata values from the host and makes up a lot of others. Be sure to first apt-get install acpidump python-dmidecode libcdio-utils cd-drive hdparm lspci smartctl to avoid broken values.
- 2) Some extradata settings will probably break. Remove all the broken ones (using VBoxManage setextradata <machine> <setting> without a value) until your VM boots normally.
- 3) At this point you're probably still facing trouble from the following leftovers: the ACPI tables (DSDT et al.), the PCI base object device vendor/product ID, and the hypervisor vendor string.
- 4) If your replacement ACPI tables from linux are too large (as it was in my case) or for some other reason don't work, download Read & Write Everything from http://rweverything.com/, and use it to dump the full binary default tables under your Windows guest. Copy the file onto your host and edit it either with a hex editor or by decompiling using iasl -d AcpiTbls.bin, then editing the resulting .dsl script and then recompiling using iasl -tc AcpiTbls.dsl. Set the resulting .aml binary table as your ACPI table using VBoxManage setextradata <machine> "VBoxInternal/Devices/acpi/0/Config/CustomTable" "/yourpath/DSDT.aml". Be sure to at least change all vendor names from VBox/Virtualbox/innotek to something else.
- 5) Now for the remaining fixes you will need to hack the source. Download the VirtualBox 5.1.2 source tarball from http://download.virtualbox.org/virtualb ... .2.tar.bz2. Don't check out from SVN; the last thing you want is a broken build and an unsupported version.
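Added example for step 4, my own code rather than anything from the post above or from VirtualBox: a small C checker that walks a raw dump of ACPI tables, prints each table's signature, OEM ID, OEM Table ID and Creator ID, flags the headers that still say "vbox", and recomputes the header checksum. The checksum is the caveat if you take the hex-editor route instead of iasl: the spec requires all bytes of a table to sum to zero mod 256, so after overwriting "VBOX" in place you have to refresh byte 9, otherwise a guest that verifies checksums will reject the table or at least log a mismatch. The walker assumes the dump holds tables back to back, each starting with the standard 36-byte header; if your dump tool writes a different layout, adjust acpi_scan_dump. The sample tables are constructed in build_sample_table, modelled on the "VBOX" ids the post quotes from DevACPI.cpp, and are not taken from a real dump.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ACPI_HDR_LEN 36u   /* every ACPI SDT starts with this fixed header */

/* Byte offsets inside the standard header (ACPI spec, DESCRIPTION_HEADER). */
enum { OFF_SIG = 0, OFF_LEN = 4, OFF_CHECKSUM = 9, OFF_OEMID = 10,
       OFF_OEMTABID = 16, OFF_CREATORID = 28 };

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* All bytes of a table must sum to 0 mod 256, checksum byte included. */
int acpi_checksum_ok(const uint8_t *tbl, size_t len) {
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++) sum = (uint8_t)(sum + tbl[i]);
    return sum == 0;
}

/* Recompute the checksum byte after patching strings in a hex editor. */
uint8_t acpi_fix_checksum(uint8_t *tbl, size_t len) {
    uint8_t sum = 0;
    tbl[OFF_CHECKSUM] = 0;
    for (size_t i = 0; i < len; i++) sum = (uint8_t)(sum + tbl[i]);
    tbl[OFF_CHECKSUM] = (uint8_t)(0u - sum);
    return tbl[OFF_CHECKSUM];
}

/* Case-insensitive search for needle inside a fixed-width, space-padded field. */
static int field_contains(const uint8_t *field, size_t flen, const char *needle) {
    size_t nlen = strlen(needle);
    if (nlen == 0 || nlen > flen) return 0;
    for (size_t i = 0; i + nlen <= flen; i++) {
        size_t j = 0;
        while (j < nlen && tolower(field[i + j]) == tolower((unsigned char)needle[j])) j++;
        if (j == nlen) return 1;
    }
    return 0;
}

/* 1 if the OEM ID, OEM Table ID or Creator ID of one table still contains marker. */
int acpi_header_has_marker(const uint8_t *tbl, const char *marker) {
    return field_contains(tbl + OFF_OEMID, 6, marker)
        || field_contains(tbl + OFF_OEMTABID, 8, marker)
        || field_contains(tbl + OFF_CREATORID, 4, marker);
}

/* Walk a raw dump of back-to-back tables, print one line per table and return
 * how many headers still carry marker. Stops at the first truncated table. */
int acpi_scan_dump(const uint8_t *dump, size_t dump_len, const char *marker) {
    int flagged = 0;
    size_t off = 0;
    while (off + ACPI_HDR_LEN <= dump_len) {
        const uint8_t *t = dump + off;
        uint32_t len = rd32le(t + OFF_LEN);
        if (len < ACPI_HDR_LEN || len > dump_len - off) break;
        int hit = acpi_header_has_marker(t, marker);
        printf("%.4s len=%u oemid=\"%.6s\" oemtabid=\"%.8s\" creator=\"%.4s\" checksum=%s%s\n",
               (const char *)t + OFF_SIG, (unsigned)len, (const char *)t + OFF_OEMID,
               (const char *)t + OFF_OEMTABID, (const char *)t + OFF_CREATORID,
               acpi_checksum_ok(t, len) ? "ok" : "BAD", hit ? "  <-- marker present" : "");
        flagged += hit;
        off += len;
    }
    return flagged;
}

/* Constructed test table: header with the given ids plus a zeroed body. Returns total length. */
size_t build_sample_table(uint8_t *buf, const char *sig, const char *oemid,
                          const char *oemtabid, size_t body_len) {
    size_t len = ACPI_HDR_LEN + body_len;
    memset(buf, 0, len);
    memcpy(buf + OFF_SIG, sig, 4);
    wr32le(buf + OFF_LEN, (uint32_t)len);
    memset(buf + OFF_OEMID, ' ', 6);
    memcpy(buf + OFF_OEMID, oemid, strlen(oemid) < 6 ? strlen(oemid) : 6);
    memset(buf + OFF_OEMTABID, ' ', 8);
    memcpy(buf + OFF_OEMTABID, oemtabid, strlen(oemtabid) < 8 ? strlen(oemtabid) : 8);
    memcpy(buf + OFF_CREATORID, "TEST", 4);   /* constructed creator id */
    acpi_fix_checksum(buf, len);
    return len;
}

/* Demo: one table modelled on the stock "VBOX" ids, one already renamed. Returns 1 flagged. */
int demo_scan(void) {
    uint8_t dump[256];
    size_t n = build_sample_table(dump, "DSDT", "VBOX", "VBOXBIOS", 40);
    n += build_sample_table(dump + n, "SSDT", "ACME", "ACMEBIOS", 20);
    return acpi_scan_dump(dump, n, "vbox");
}

/* Demo: renaming in place breaks the checksum; refreshing it restores a valid, clean table. */
int demo_hexedit_roundtrip(void) {
    uint8_t tbl[128];
    size_t n = build_sample_table(tbl, "DSDT", "VBOX", "VBOXBIOS", 40);
    memcpy(tbl + OFF_OEMID, "ACME", 4);           /* simulate the hex edit */
    memcpy(tbl + OFF_OEMTABID, "ACMEBIOS", 8);
    int broken = !acpi_checksum_ok(tbl, n);
    acpi_fix_checksum(tbl, n);
    return broken && acpi_checksum_ok(tbl, n) && !acpi_header_has_marker(tbl, "vbox");
}

int main(void) {
    int flagged = demo_scan();
    printf("%d table(s) still carry the marker; hex-edit roundtrip %s\n",
           flagged, demo_hexedit_roundtrip() ? "ok" : "FAILED");
    return flagged != 0;
}
```

To use it on a real dump, replace demo_scan with a read of the file into a buffer and call acpi_scan_dump on it; the "vbox" marker only covers the header fields, so also grep the decompiled .dsl for the vendor strings, since the AML body carries its own.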
You'll want to hack the following:
// In \include\VBox\param.h:
#define VBOX_PCI_VENDORID // to something else (google PCI vendor id tables)
#define VBOX_DEVICEID // to something else (make sure this isn't a real used deviceid by the vendor you chose)
#define VBOX_VESA_DEVICEID // to something else (make sure this isn't a real used deviceid by the vendor you chose)
#define VMMDEV_DEVICEID// to something else (make sure this isn't a real used deviceid by the vendor you chose)
// In include\VBox\usblib-win.h (better safe than sorry)
DEFINE_GUID(GUID_CLASS_VBOXUSB // to something else
#define USBFLT_SERVICE_NAME // to something else
#define USBFLT_NTDEVICE_NAME_STRING // to something else
#define USBFLT_SYMBOLIC_NAME_STRING // to something else
#define USBMON_SERVICE_NAME_W // to something else
#define USBMON_DEVICE_NAME // to something else
#define USBMON_DEVICE_NAME_NT // to something else
#define USBMON_DEVICE_NAME_DOS // to something else
// In src\VBox\Devices\EFI\Firmware\VBoxPkg\VBoxVgaDxe\ComponentName.c, change all of these, better safe than sorry
GLOBAL_REMOVE_IF_UNREFERENCED EFI_UNICODE_STRING_TABLE mVBoxVgaDriverNameTable[] = {
{ "eng;en", L"VirtualBox SVGA Driver" },
{ NULL , NULL }
};
GLOBAL_REMOVE_IF_UNREFERENCED EFI_UNICODE_STRING_TABLE mVBoxVgaControllerNameTable[] = {
{ "eng;en", L"VirtualBox SVGA PCI Adapter" },
{ NULL , NULL }
};
// In src\VBox\Devices\GIMDev\GIMDev.cpp all names under here
/**
* The device registration structure.
*/
const PDMDEVREG g_DeviceGIMDev =
{ ....
// In src\VBox\Devices\Graphics\BIOS\vbe.c all of these
char vbebios_copyright[] = "VirtualBox VESA BIOS";
char vbebios_vendor_name[] = VBOX_VENDOR;
char vbebios_product_name[] = VBOX_PRODUCT " VBE Adapter";
char vbebios_product_revision[] = VBOX_PRODUCT " Version " VBOX_VERSION_STRING;
char vbebios_info_string[] = "VirtualBox VBE Display Adapter enabled\r\n\r\n";
char no_vbebios_info_string[] = "No VirtualBox VBE support available!\r\n\r\n";
char msg_vbe_init[] = "VirtualBox Version " VBOX_VERSION_STRING " VBE Display Adapter\r\n";
// In src\VBox\Devices\Graphics\BIOS\vgabios.c at least these
.ascii "VirtualBox VGA BIOS"
char msg_vga_init[] = "Oracle VM VirtualBox Version " VBOX_VERSION_STRING " VGA BIOS\r\n";
// In src\VBox\Devices\Input\UsbKbd.cpp
{ USBHID_STR_ID_MANUFACTURER, "VirtualBox" },
// In src\VBox\Devices\Input\UsbMouse.cpp
{ USBHID_STR_ID_MANUFACTURER, "VirtualBox" },
// In src\VBox\Devices\PC\BIOS\bios.c
static const char bios_cvs_version_string[] = "VirtualBox " VBOX_VERSION_STRING;
#define BX_APPNAME "VirtualBox"
// In src\VBox\Devices\PC\DevACPI.cpp
memcpy(header->au8OemTabId, "VBOX", 4);
rc = CFGMR3QueryStringAllocDef(pCfg, "AcpiOemId", &pszOemId, "VBOX ");
// In src\VBox\Devices\PC\DevFwCommon.cpp
Search and change every string instance containing: innotek, VirtualBox, Oracle, VBOXCPU
// In src\VBox\Devices\Storage\VSCSI\VSCSILunMmc.cpp
vscsiPadStr(ScsiInquiryReply.achVendorId, "VBOX", 8);
// In src\VBox\Devices\Storage\VSCSI\VSCSILunSbc.cpp
vscsiPadStr(ScsiInquiryReply.achVendorId, "VBOX", 8);
// In src\VBox\Devices\Storage\DevAHCI.cpp
ataSCSIPadStr((uint8_t *)pvBuf + 8, "VBOX", 8);
RTStrPrintf(szSerial, sizeof(szSerial), "VB%x-1a2b3c4d",
RTStrPrintf(szSerial, sizeof(szSerial), "VB%08x-%08x", Uuid.au32[0], Uuid.au32[3]);
// In src\VBox\Devices\Storage\DevATA.cpp
ataR3SCSIPadStr(s->CTX_SUFF(pbIOBuffer) + 8, "VBOX", 8);
rc = CFGMR3QueryStringDef(pCfgNode, "ModelNumber", pIf->szModelNumber, sizeof(pIf->szModelNumber),
pIf->fATAPI ? "VBOX CD-ROM" : "VBOX HARDDISK");
rc = CFGMR3QueryStringDef(pCfgNode, "ATAPIVendorId", pIf->szInquiryVendorId, sizeof(pIf->szInquiryVendorId),
"VBOX");
// In src\VBox\Devices\Storage\UsbMsd.cpp
{ USBMSD_STR_ID_MANUFACTURER, "VirtualBox" },
// In src\VBox\Devices\VMMDev\VMMDev.cpp everything under here:
/**
* The device registration structure.
*/
extern "C" const PDMDEVREG g_DeviceVMMDev =
{
// In src\VBox\VMM\VMMR3\CPUMR3CpuId.cpp THIS IS THE GODDAMN HYPERVISOR VENDOR ID. Change these to zero.
NewLeaf.uEbx = 0x786f4256 /* 'VBox' */;
NewLeaf.uEcx = 0x786f4256 /* 'VBox' */;
NewLeaf.uEdx = 0x786f4256 /* 'VBox' */;
Finally, read Oracle's build instructions at https://www.virtualbox.org/wiki/Linux%2 ... structions and keep fixing dependencies and shit until it compiles.
Note: The instructions talk about qt4, but 5.1.2 has moved to qt5. So don't bother installing any qt4 dependencies, instead install everything for qt5.
As suggested, run ./configure with --disable-hardening or you're asking for trouble.
Not all of these changes are necessary depending on your chosen hardware for the VM, but don't be lazy, it's just some find+replace work anyway.
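Added example, my own code rather than anything from the post or from VirtualBox: a C program to run inside the rebuilt guest to confirm the CPUMR3CpuId.cpp change took. It decodes CPUID leaf 0x40000000 the way the guest sees it (EBX, ECX, EDX in that order, four ASCII bytes per register, lowest byte first), so the stock 0x786f4256 in all three registers comes out as "VBoxVBoxVBox" and three zeros come out blank. The live read only compiles on x86 with GCC/Clang's <cpuid.h> and is gated on the hypervisor-present bit (leaf 1, ECX bit 31), so on bare metal it doesn't misread whatever the CPU echoes for that leaf.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define HV_LEAF        0x40000000u  /* leaf fed by the NewLeaf.u* values in CPUMR3CpuId.cpp */
#define VBOX_STOCK_REG 0x786f4256u  /* 'VBox' as little-endian ASCII, the stock value */

/* Unpack the 12-byte vendor string: EBX, ECX, EDX, low byte of each first. */
void hv_vendor_decode(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int b = 0; b < 4; b++)
            out[r * 4 + b] = (char)((regs[r] >> (8 * b)) & 0xff);
    out[12] = '\0';
}

/* 1 if the three registers spell the stock "VBoxVBoxVBox". */
int hv_vendor_is_stock_vbox(uint32_t ebx, uint32_t ecx, uint32_t edx) {
    char s[13];
    hv_vendor_decode(ebx, ecx, edx, s);
    return strcmp(s, "VBoxVBoxVBox") == 0;
}

/* 1 if all three registers are zero, which is what "change these to zero" yields. */
int hv_vendor_is_blank(uint32_t ebx, uint32_t ecx, uint32_t edx) {
    return (ebx | ecx | edx) == 0;
}

/* Live read inside the guest. Returns 1 and fills the registers when the
 * hypervisor-present bit (leaf 1, ECX bit 31) is set; 0 otherwise or on non-x86. */
int hv_leaf_read(uint32_t *ebx, uint32_t *ecx, uint32_t *edx) {
    *ebx = *ecx = *edx = 0;
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    __cpuid(1, a, b, c, d);
    if (!(c & (1u << 31))) return 0;
    __cpuid(HV_LEAF, a, b, c, d);
    *ebx = b; *ecx = c; *edx = d;
    return 1;
#else
    return 0;
#endif
}

int main(void) {
    uint32_t b, c, d;
    char s[13];
    if (!hv_leaf_read(&b, &c, &d)) {
        puts("hypervisor-present bit clear; leaf 0x40000000 not consulted");
        return 0;
    }
    hv_vendor_decode(b, c, d, s);
    printf("leaf 0x40000000 vendor: \"%s\" (ebx=%08x ecx=%08x edx=%08x)\n", s, b, c, d);
    if (hv_vendor_is_stock_vbox(b, c, d)) {
        puts("stock VirtualBox vendor id still exposed; rebuild did not take");
        return 1;
    }
    if (hv_vendor_is_blank(b, c, d)) puts("vendor leaf zeroed as intended");
    return 0;
}
```

Build it with the guest's C compiler and run it after the first boot on the new VMM; a non-zero exit means the stock string survived, usually because the guest is still running on the distro's VirtualBox binaries rather than the one you compiled.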
I'm not going to post any diff files, binaries or a code repository because you should make up your own values and not share them. If we all use the same fake values, it's just one more detectable to add to the list for criminals. Be smart.
My setup now fully passes pafish, al-khaser & VMDE! Have fun