As you know, VBoxAntiVMDetectHardened is a set of methods implemented to reduce the VM detection possibilities of common malware:
DMI information faking, various BIOS replacements using documented VirtualBox interfaces, etc.;
a driver agent with a loader used for hardcore in-memory patching of VirtualBox, because unfortunately VirtualBox itself is not customizable enough to do this the simple way.
Both parts can be used independently.
Note: this loader is considered to be something used to "circumvent protection policies" (c) Perryg, yet another Oracle
imbecile. So don't waste your time with Oracle employees and do not ask them anything related to this loader or about hiding the VM from malware. Oracle staff are either dumb or don't know, plus most of them are simply brainwashed idiots (for example bird).
Details of what exactly the driver patches inside VBoxDD.dll can be found here ->
http://www.kernelmode.info/forum/viewto ... 806#p24806. Although it was posted at the beginning of this year, the patch targets are mostly the same; the only thing that changes between VBox releases is the offsets inside VBoxDD.dll. Having all this information you can easily create your own patch table for any existing Windows VirtualBox 4.3+ version.
During patching, the driver overwrites the hardware IDs (VBOX_VENDOR_ID, VBOX_VGA_DEVICE_ID) that VirtualBox uses for certain emulated devices, including video. This works well for legacy (non-UEFI) VM setups. If you run the VM with UEFI enabled, however, you get a black screen: the UEFI firmware has its own video driver, which does additional device checks (vendor/device ID) before it binds to the VGA device, and after the IDs have been patched it no longer recognizes it. This was fixed in the April 2015 update of the loader - see
http://www.kernelmode.info/forum/viewto ... 549#p25549. Starting from that update, each loader release includes a patched version of the VirtualBox UEFI module VBoxEFI64.fd, to be placed inside the VBox installation folder, overwriting the original file (here is an additional readme specifically for the UEFI setup ->
https://raw.githubusercontent.com/hfire ... dme1st.txt).
Now for the details of this patch and how to do it manually.
Stage 1. Extract the msi and cab file from the VirtualBox setup.
Run the setup (no admin rights required) and then go to the %temp% folder. There you will find a folder "VirtualBox" with two files inside (they are named differently depending on 32/64-bit):
common.cab
VirtualBox-5.0.10-r104061-MultiArch_amd64.msi (version 5.0.10 is used as an example).
Copy these files somewhere and cancel the VBox installation.
Stage 2. Extract files using msiexec.
Use the console (no admin rights required):
    msiexec /a c:\temp\virtualbox\VirtualBox-5.0.10-r104061-MultiArch_amd64.msi /qb TARGETDIR=C:\temp\extracted
This command performs an administrative install, i.e. it only extracts the contents of the msi file into the existing directory C:\temp\extracted without installing anything.
The extracted files are located in the C:\temp\extracted\PFiles\Oracle\VirtualBox folder. Go there. We need the UEFI firmware image VBoxEFI64.fd (and VBoxDD.dll if you plan to build your own patch table).
Stage 3. Extract the VBoxVgaDxe EFI module from VBoxEFI64.fd
Download UEFITool (
https://github.com/LongSoft/UEFITool/releases)
UEFITool is a cross-platform C++/Qt program for parsing, extracting and modifying UEFI firmware images.
It supports parsing of full BIOS images starting with the flash descriptor, or of any binary files containing UEFI volumes.
Original development was started at the MDL forums as a cross-platform analog to PhoenixTool's structure mode with some additional features, but the program's engine has proven useful for other projects like UEFIPatch, UBU and OZMTool.
More info on the project page.
Run it and open VBoxEFI64.fd (File -> Open image file...).
It will show the image structure. We are only interested in the embedded drivers, so navigate as shown in the picture below.
Extract VBoxVgaDxe as shown in the figure below.
The extracted file is a 64-bit PE image (an EFI driver). Its complete source code is located in the
VirtualBox-5.0.12\src\VBox\Devices\EFI\Firmware\VBoxPkg\VBoxVgaDxe folder of the VirtualBox sources.
Stage 4. Patch and rebuild the firmware (BIOS) image.
We need to make two changes inside this binary and then replace it inside the firmware image.
Source code for the location of the patch: VirtualBox-5.0.12\src\VBox\Devices\EFI\Firmware\VBoxPkg\VBoxVgaDxe\VBoxVga.c
Target routine: VBoxVgaControllerDriverSupported
    //
    // See if the I/O enable is on. Most systems only allow one VGA device to be turned on
    // at a time, so see if this is one that is turned on.
    //
    // if (((Pci.Hdr.Command & 0x01) == 0x01)) {
    //
    // See if this is a Cirrus Logic PCI controller
    //
    if (Pci.Hdr.VendorId == VBOX_VENDOR_ID) {
      if (Pci.Hdr.DeviceId == VBOX_VGA_DEVICE_ID) {
The VBox devs were too lazy to update the comments, which still refer to Cirrus Logic.
    //
    // Cirrus Logic 5430 PCI Configuration Header values
    //
    #define VBOX_VENDOR_ID      0x80ee
    #define VBOX_VGA_DEVICE_ID  0xbeef
Locate this check in the binary as shown in the figure below; it occurs in only one place.
Overwrite the HW IDs with the HW IDs used by the patch (F3 in Hiew); we use an nVidia HW ID. The values must be the same ones the loader writes into VBoxDD.dll, otherwise the EFI driver still will not bind to the VGA device. E.g. as in the figure below.
Save the file. Since the bytes were overwritten in place, the module keeps its original size. Then, in UEFITool, select VBoxVgaDxe, use the context menu item "Replace body as is" and then "File -> Save image file..." to commit the changes.
Now you can replace the installed VBoxEFI64.fd with your patched version and use VBox UEFI VMs together with the hardened loader.
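The Stage 4 byte patch can also be done without a hex editor. The script below is an added example for this post, not part of the loader or of VirtualBox: it checks that the extracted VBoxVgaDxe is a PE32+ (x64) image, searches for the two immediates 0x80EE and 0xBEEF that VBoxVgaControllerDriverSupported compares against (trying both the 32-bit and 16-bit encodings a compiler may emit for a UINT16 compare), refuses to patch unless each ID has exactly one candidate close to the other, and overwrites them in place so the module size stays the same. The replacement IDs are assumptions: 0x10DE is the real nVidia PCI vendor ID, 0x1234 is a placeholder device ID; whatever you choose has to match the IDs your VBoxDD.dll patch table uses. The built-in sample image is constructed for demonstration and is not a real VBoxVgaDxe dump.

```python
#!/usr/bin/env python3
"""Find and patch the PCI vendor/device ID check in an extracted VBoxVgaDxe image.

Added example for this post (not part of the loader or of VirtualBox). It reproduces
the manual Hiew step: locate the immediates 0x80EE / 0xBEEF compared by
VBoxVgaControllerDriverSupported and overwrite them in place.
"""
import struct
import sys

VBOX_VENDOR_ID = 0x80EE       # from VBoxVga.h (the #defines quoted above)
VBOX_VGA_DEVICE_ID = 0xBEEF

# Replacement IDs are assumptions for this example: 0x10DE is the real nVidia PCI
# vendor ID, 0x1234 is a placeholder. They must match what the loader writes into
# VBoxDD.dll, otherwise the EFI driver still refuses to bind the VGA device.
NEW_VENDOR_ID = 0x10DE
NEW_DEVICE_ID = 0x1234

# Both compares live in one routine, so their immediates should be near each other;
# the distance limit is a heuristic to reject stray matches elsewhere in the file.
MAX_DISTANCE = 64


def check_pe64(image: bytes) -> bool:
    """True if image is a PE32+ file for x64: 'MZ', 'PE\\0\\0', machine 0x8664."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if e_lfanew + 6 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    return struct.unpack_from("<H", image, e_lfanew + 4)[0] == 0x8664


def find_immediate(image: bytes, value: int, width: int) -> list:
    """All offsets where value occurs as a little-endian immediate of width bytes."""
    pat = value.to_bytes(width, "little")
    offsets, i = [], image.find(pat)
    while i != -1:
        offsets.append(i)
        i = image.find(pat, i + 1)
    return offsets


def find_id_check(image: bytes) -> dict:
    """Return {'vendor': (offset, width), 'device': (offset, width)}.

    A UINT16 compare may be compiled as cmp eax, imm32 or cmp ax, imm16, so both
    widths are tried; a 4-byte hit also contains the 2-byte pattern at the same
    offset and is counted once. Anything other than exactly one candidate per ID
    is refused: check the reported offsets in a disassembler instead.
    """
    found = {}
    for name, value in (("vendor", VBOX_VENDOR_ID), ("device", VBOX_VGA_DEVICE_ID)):
        hits = [(o, 4) for o in find_immediate(image, value, 4)]
        covered = {o for o, _ in hits}
        hits += [(o, 2) for o in find_immediate(image, value, 2) if o not in covered]
        if len(hits) != 1:
            raise ValueError(f"{name} ID 0x{value:04X}: expected one candidate, "
                             f"got {[hex(o) for o, _ in hits]}")
        found[name] = hits[0]
    if abs(found["vendor"][0] - found["device"][0]) > MAX_DISTANCE:
        raise ValueError("vendor/device candidates are too far apart to be one check")
    return found


def patch_ids(image: bytes, new_vendor: int = NEW_VENDOR_ID,
              new_device: int = NEW_DEVICE_ID) -> bytes:
    """Overwrite both IDs in place; the immediate width is kept, so the file size
    is unchanged and UEFITool's "Replace body as is" sees a same-sized module."""
    if not check_pe64(image):
        raise ValueError("not a PE32+ (x64) image")
    found = find_id_check(image)
    buf = bytearray(image)
    for name, new in (("vendor", new_vendor), ("device", new_device)):
        off, width = found[name]
        buf[off:off + width] = new.to_bytes(width, "little")
    return bytes(buf)


def build_sample_image() -> bytes:
    """Constructed stand-in for VBoxVgaDxe (not a real dump): a minimal PE32+ header
    followed by a code stub shaped like the compiled check:
    cmp eax, 80EEh ; jne ; cmp ax, 0BEEFh ; ret."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)        # e_lfanew -> PE header at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44, 0x8664)      # IMAGE_FILE_MACHINE_AMD64
    code = (b"\x3d" + VBOX_VENDOR_ID.to_bytes(4, "little")           # imm32 at 0x81
            + b"\x75\x10"                                             # jne
            + b"\x66\x3d" + VBOX_VGA_DEVICE_ID.to_bytes(2, "little")  # imm16 at 0x89
            + b"\xc3")
    return bytes(hdr) + code + bytes(32)


if __name__ == "__main__":
    # usage: patch_vboxvgadxe.py VBoxVgaDxe.efi   -> writes VBoxVgaDxe.efi.patched
    src = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(src, "rb").read() if src else build_sample_image()
    for name, (off, width) in find_id_check(data).items():
        print(f"{name} ID at offset 0x{off:X} ({width}-byte immediate)")
    if src:
        open(src + ".patched", "wb").write(patch_ids(data))
```

Run it on the module extracted in Stage 3, verify the two reported offsets against the disassembly (they must be the VendorId/DeviceId compares and nothing else), then feed the .patched file to UEFITool's "Replace body as is" exactly as in the manual procedure. If the script reports more or fewer than one candidate per ID, do not patch blindly; the constant may be encoded differently in that build, and the Hiew route with the disassembly in front of you is the right fallback.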