VBoxAntiVMDetectHardened mitigation X64 only

Posted: Thu Aug 28, 2014 7:46 am
by EP_X0FF
WARNING: This information is obsolete.

For the latest available information and guides, please visit the project GitHub page -> https://github.com/hfiref0x/VBoxHardenedLoader

Step-by-step guide for configuring VirtualBox Hardened (4.3.14+) VM detection mitigation.

This guide and AntiVMDetect only applies to x86-64 Windows platform.

The guide consists of the following parts:

1) VirtualBox Installation
2) AntiVMDetect installation and configuring
3) VirtualBox VM installation and configuring

1) VirtualBox installation

1.1) Do a clean installation of the latest VirtualBox. Clean means you must first uninstall any other versions of VirtualBox and reboot Windows to complete the uninstallation. This ensures that no old VBox files will be left in system memory and on disk. Unfortunately, VBox setup sometimes can't do a complete removal without a reboot.

1.2) Start the installation and select the VirtualBox components to install as shown in the figure below.

Image

DO NOT INSTALL VirtualBox Networking, otherwise you will have problems with parts 2 and 3 of this guide, as the VirtualBox driver cannot be stopped when VirtualBox networking is active. This feature is pretty useless, however; NAT will still be available for virtual machines.

2) AntiVMDetect VM installation and configuring

2.1) What we will target:

- DMI Information;
- IDE/AHCI devices (harddisks, cd-rom's);
- ACPI OEM Information;
- Ethernet Adapter MAC address;
- PXE Boot data;
- ACPI DSDT (Differentiated System Description Table);
- ACPI SSDT (Secondary System Descriptor Table);
- VGA Video BIOS data;
- BIOS data;
- VM splashscreen (optional, just for nice looking).

How do we target this: we remove all signs of Oracle/Innotek signatures inside the original data, extracted in various ways from Oracle VirtualBox itself, and then use documented and "not documented" ways to set this customized data for a specific virtual machine using batch scripts; see 2.2 for more info and an example.

2.2) Run the following commands combined in a batch script. As the parameter to the script, give the full name of the virtual machine you want to use; in this example it is "sbox".

PUT YOUR OWN RANDOM information in the data fields, DO NOT USE THE SAME AS BELOW so this can't be used as detection markers.

Script for VM with IDE controller
Code:
rem @echo off

rem BIOS/IDE mode

rem vboxman is the full path to the vboxmanage executable
rem vmscfgdir is the path to directory that keeps vbox custom configuration data (bioses, tables etc)

set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe"
set vmscfgdir=D:\Virtual\VBOX\Settings\

%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "Asus"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion" "MB52.88Z.0088.B05.0904162222"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate" "08/10/13"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor" "5"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor" "9"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor" "1"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor" "0"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor" "Asus"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct" "MyBook5,2"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion" "1.0"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial" "CSN12345678901234567"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSKU" "FM550EA#ACB"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily" "Ultrabook"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid" "B5FA3000-9403-81E0-3ADA-F46D045CB676"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVendor" "Asus"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardProduct" "Mac-F22788AA"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVersion" "3.0"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardSerial" "BSN12345678901234567"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardAssetTag" "Base Board Asset Tag#"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardLocInChass" "Board Loc In"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardBoardType" 10
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVendor" "Asus Inc."
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisType" 10
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVersion" "Mac-F22788AA"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisSerial" "CSN12345678901234567"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisAssetTag" "WhiteHouse"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxVer" "Extended version info: 1.00.00"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxRev" "Extended revision info: 1A"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/ModelNumber" "Hitachi HTS543232A8A384"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/FirmwareRevision" "ES2OA60W"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/SerialNumber" "2E3024L1T2V9KA"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/ModelNumber" "Slimtype DVD A  DS8A8SH"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/FirmwareRevision" "KAA2"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/SerialNumber" "ABCDEF0123456789"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/ATAPIVendorId" "Slimtype"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/ATAPIProductId" "DVD A  DS8A8SH"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/ATAPIRevision" "KAA2"

%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/AcpiOemId" "ASUS"
%vboxman% modifyvm "%1" --macaddress1 6CF0491A6E02
%vboxman% modifyvm "%1" --paravirtprovider legacy

cd /d %vmscfgdir%
%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/DsdtFilePath" "%vmscfgdir%ACPI-DSDT.bin"
%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "%vmscfgdir%ACPI-SSDT1.bin"
%vboxman% setextradata "%1" "VBoxInternal/Devices/vga/0/Config/BiosRom" "%vmscfgdir%videorom.bin"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/BiosRom" "%vmscfgdir%pcbios.bin"
%vboxman% setextradata "%1"  "VBoxInternal/Devices/pcbios/0/Config/LanBootRom" "%vmscfgdir%pxerom.bin"
%vboxman% modifyvm "%1" --bioslogoimagepath  "%vmscfgdir%splash.bmp"

@pause

Script for AHCI controller
Code:
rem @echo off

rem BIOS/AHCI mode

rem vboxman is the full path to the vboxmanage executable
rem vmscfgdir is the path to directory that keeps vbox custom configuration data (bioses, tables etc)

set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe"
set vmscfgdir=D:\Virtual\VBOX\Settings\

%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "Asus"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion" "MB52.88Z.0088.B05.0904162222"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate" "08/10/13"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor" "5"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor" "9"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor" "1"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor" "0"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor" "Asus"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct" "MyBook5,2"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion" "1.0"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial" "CSN12345678901234567"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSKU" "FM550EA#ACB"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily" "Ultrabook"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid" "B5FA3000-9403-81E0-3ADA-F46D045CB676"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVendor" "Asus"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardProduct" "Mac-F22788AA"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVersion" "3.0"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardSerial" "BSN12345678901234567"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardAssetTag" "Base Board Asset Tag#"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardLocInChass" "Board Loc In"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardBoardType" 10
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVendor" "Asus Inc."
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisType" 10
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVersion" "Mac-F22788AA"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisSerial" "CSN12345678901234567"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisAssetTag" "WhiteHouse"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxVer" "Extended version info: 1.00.00"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxRev" "Extended revision info: 1A"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port0/ModelNumber" "Hitachi HTS543230AAA384"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port0/FirmwareRevision" "ES2OA60W"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port0/SerialNumber" "2E3024L1T2V9KA"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/ModelNumber" "Slimtype DVD A  DS8A8SH"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/FirmwareRevision" "KAA2"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/SerialNumber" "ABCDEF0123456789"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIVendorId" "Slimtype"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIProductId" "DVD A  DS8A8SH"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIRevision" "KAA2"


%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/AcpiOemId" "ASUS"
%vboxman% modifyvm "%1" --macaddress1 6CF0491A6E12
%vboxman% modifyvm "%1" --paravirtprovider legacy

cd /d %vmscfgdir%

%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/DsdtFilePath" "%vmscfgdir%ACPI-DSDT.bin"
%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "%vmscfgdir%ACPI-SSDT1.bin"
%vboxman% setextradata "%1" "VBoxInternal/Devices/vga/0/Config/BiosRom" "%vmscfgdir%videorom.bin"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/BiosRom" "%vmscfgdir%pcbios.bin"
%vboxman% setextradata "%1"  "VBoxInternal/Devices/pcbios/0/Config/LanBootRom" "%vmscfgdir%pxerom.bin"
%vboxman% modifyvm "%1" --bioslogoimagepath  "%vmscfgdir%splash.bmp"

@pause

Script for IDE controller with enabled UEFI
Code:
rem @echo off

rem EFI/IDE mode

rem vboxman is the full path to the vboxmanage executable
rem vmscfgdir is the path to directory that keeps vbox custom configuration data (bioses, tables etc)

set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe"
set vmscfgdir=D:\Virtual\VBOX\Settings\

%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSVendor" "Apple Inc."
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSVersion" "MB52.88Z.0088.B05.0904162222"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSReleaseDate" "08/10/13"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSReleaseMajor" "5"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSReleaseMinor" "9"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSFirmwareMajor" "1"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSFirmwareMinor" "0"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemVendor" "Apple Inc."
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemProduct" "MacBook5,2"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemVersion" "1.0"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemSerial" "CSN12345678901234567"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemSKU" "FM550EA#ACB"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemFamily" "Ultrabook"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemUuid" "B5FA3000-9403-81E0-3ADA-F46D045CB676"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardVendor" "Apple Inc."
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardProduct" "Mac-F22788AA"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardVersion" "3.0"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardSerial" "BSN12345678901234567"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardAssetTag" "Base Board Asset Tag#"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardLocInChass" "Board Loc In"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardBoardType" 10
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiChassisVendor" "Apple Inc."
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiChassisType" 10
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiChassisVersion" "Mac-F22788AA"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiChassisSerial" "CSN12345678901234567"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiChassisAssetTag" "Apple"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiOEMVBoxVer" "Extended version info: 1.00.00"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiOEMVBoxRev" "Extended revision info: 1A"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/ModelNumber" "Hitachi HTS543232A7A484"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/FirmwareRevision" "ES2OA60W"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/SerialNumber" "2E3024L1T2V9KA"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/ModelNumber" "Slimtype DVD A  DS8A8SH"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/FirmwareRevision" "KAA2"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/SerialNumber" "ABCDEF0123456789"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/ATAPIVendorId" "Slimtype"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/ATAPIProductId" "DVD A  DS8A8SH"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/ATAPIRevision" "KAA2"

%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/AcpiOemId" "APPLE"
%vboxman% modifyvm "%1" --macaddress1 6CF0491A6E85
%vboxman% modifyvm "%1" --paravirtprovider legacy

cd /d %vmscfgdir%

%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/DsdtFilePath" "%vmscfgdir%ACPI-DSDT.bin"
%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "%vmscfgdir%ACPI-SSDT1.bin"
%vboxman% setextradata "%1" "VBoxInternal/Devices/vga/0/Config/BiosRom" "%vmscfgdir%videorom.bin"

@pause

Script for AHCI controller with enabled UEFI
Code:
rem @echo off

rem EFI/AHCI mode

rem vboxman is the full path to the vboxmanage executable
rem vmscfgdir is the path to directory that keeps vbox custom configuration data (bioses, tables etc)

set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe"
set vmscfgdir=D:\Virtual\VBOX\Settings\

%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSVendor" "Apple Inc."
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSVersion" "MB52.88Z.0088.B05.0904162222"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSReleaseDate" "08/10/13"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSReleaseMajor" "5"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSReleaseMinor" "9"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSFirmwareMajor" "1"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSFirmwareMinor" "0"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemVendor" "Apple Inc."
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemProduct" "MacBook5,2"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemVersion" "1.0"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemSerial" "CSN12345678901234567"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemSKU" "FM550EA#ACB"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemFamily" "Ultrabook"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemUuid" "B5FA3000-9403-81E0-3ADA-F46D045CB676"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardVendor" "Apple Inc."
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardProduct" "Mac-F22788AA"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardVersion" "3.0"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardSerial" "BSN12345678901234567"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardAssetTag" "Base Board Asset Tag#"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardLocInChass" "Board Loc In"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardBoardType" 10
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiChassisVendor" "Apple Inc."
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiChassisType" 10
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiChassisVersion" "Mac-F22788AA"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiChassisSerial" "CSN12345678901234567"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiChassisAssetTag" "Apple"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiOEMVBoxVer" "Extended version info: 1.00.00"
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiOEMVBoxRev" "Extended revision info: 1A"

%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port0/ModelNumber" "Hitachi HTS543240A7A384"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port0/FirmwareRevision" "ES2OA60W"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port0/SerialNumber" "2E3024L1T2V9KA"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/ModelNumber" "Slimtype DVD A  DS8A8SH"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/FirmwareRevision" "KAA2"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/SerialNumber" "ABCDEF0123456789"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIVendorId" "Slimtype"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIProductId" "DVD A  DS8A8SH"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIRevision" "KAA2"

%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/AcpiOemId" "APPLE"
%vboxman% modifyvm "%1" --macaddress1 6CF0491A6E85
%vboxman% modifyvm "%1" --paravirtprovider legacy

cd /d %vmscfgdir%

%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/DsdtFilePath" "%vmscfgdir%ACPI-DSDT.bin"
%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "%vmscfgdir%ACPI-SSDT1.bin"
%vboxman% setextradata "%1" "VBoxInternal/Devices/vga/0/Config/BiosRom" "%vmscfgdir%videorom.bin"

@pause

NOTE:

These commands:

VBoxInternal/Devices/acpi/0/Config/DsdtFilePath
VBoxInternal/Devices/acpi/0/Config/SsdtFilePath

are supported by VirtualBox: it has code to successfully load and work with this data, but these two commands are not listed as acceptable by VirtualBox.
If you are interested in more details see VirtualBox source:

src\VBox\Devices\PC\ACPI\VBoxAcpi.cpp -> Dsdt/Ssdt
src\VBox\Devices\PC\DevACPI.cpp -> CFGMR3AreValuesValid

The only way we can use them is to force VirtualBox to allow them. Without this patch both commands will not be recognized by VBox as acceptable and the VM won't start.

Additionally, even after heavy reconfiguring, some virtual machine device data will still point to Oracle: PCI HWIDs (hardware identifiers). For more info about possible VM detection methods see our VMDE.

The only way we can change these IDs is a memory patch of VBoxDD.dll, where most of the VM-related logic is located.

Unfortunately, in a pathetic attempt to stop VirtualBox exploitation attempts, Oracle made a decision to create some kind of "patchguard" for VBox, known as "Hardened VirtualBox". See http://www.kernelmode.info/forum/viewto ... 1&start=50 for more details.

2.3) Installing AntiVMDetect helper.

Install the Tsugumi monitor driver (it performs a real-time VirtualBox memory patch).

Run from elevated command prompt

tdl.exe tsugumi.sys

Note that tsugumi.sys must be in the same directory as tdl.exe

Run from elevated command prompt

loader.exe

The loader will generate patch data for your installed VirtualBox version, write it to the registry, and notify the monitoring driver about the new data.

If you want to stop the monitor driver without doing a system reboot, run the loader elevated with the command line parameter /s (e.g. loader.exe /s). This will disable Tsugumi monitoring and allow you to use the VM without the dll patch. Run the loader again to start monitoring (see above).

For more info about loader parameters run loader with /?

Example given
Code:
d:\Virtual\VBOX\Settings>loader /?
VirtualBox Hardened Loader v1.8.0.1702
Sets parameters for Tsugumi driver.

Optional parameters to execute:

LOADER [/s] or [Table]

  /s - stop monitoring and purge system cache.
  Table - optional, custom VBoxDD patch table fullpath.
  Example: ldr.exe vboxdd.bin

What/Where/Data for the patch is stored in HKEY_LOCAL_MACHINE\SOFTWARE\Tsugumi\Parameters. The loader stores patch information here that is later used by the driver.

Note: The driver ONLY patches ONE VirtualBox dll in memory; nothing else in the system is modified.

Patch data is described as a set of linked chains
Code:
typedef struct _BINARY_PATCH_BLOCK {
	ULONG	VirtualOffset;
	UCHAR	DataLength;
	UCHAR	Data[1];
} BINARY_PATCH_BLOCK, *PBINARY_PATCH_BLOCK;
Where:
VirtualOffset - is v.offset in VirtualBox VBoxDD dll.
DataLength - length of input patch data
Data - your input data to write with length of DataLength

Once the patch driver is installed by the loader, it will enable the ACPI-table-related commands, fake HWIDs and patch several instructions with hardcoded VBox signatures.

3) VirtualBox VM installation and configuring

3.1) Create a new virtual machine (in this example it is named "sbox") and configure it in the following way:

Motherboard
Image

Processor
Image

Acceleration (make sure your CPU supports virtualization technologies)
Image

Note: starting from VirtualBox 5.0 these settings changed. Always set Paravirtualization Interface to "Legacy". This needs to be done to avoid detection by the Hypervisor Present flag.

Image

Display (UNCHECK any kind of acceleration here - totally bugged and previously exploited feature)
Image

Storage*
Image

* We use an IDE controller here; you can use AHCI, it is not important.

Image

Better use dynamically allocated VDI images, with size not less than 16 GB, as HDD size is VM indicator for some lame malware.

Network*
Image

*For example used to access host computer via FTP and provide web access to the virtual machine and malware.

3.2) Install Windows (any you want, in this example we used machine with Windows XP SP3 RTM).

DO NOT INSTALL VirtualBox Additions. NEVER. Once installed you may consider your VM as lost.

How then to copy all your instruments/tools/etc. to the VM space? Make a prebuilt ISO image, copy all your stuff onto it, and use the VM CD-ROM drive for it. Copy a small FTP client to the VM and use Host-FTP-Server -> Guest-FTP-Client. In this example we copied all that we need onto a prebuilt ISO image called VBoxAfterInstall.ISO, mounted it in the virtual CD-ROM and then used our self-made FTP server for other file transfers to the VM.

Update 15 Mar 2015
latest available source, loader and patched data can be found here

Update 02 Feb 2017
Post updated to reflect loader changes.

Update 09 Mar 2017
Initial post updated.
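
A check a sandbox operator could run after applying one of the scripts from section 2.2 (added example, not part of the original post or of the VBoxHardenedLoader project). It parses the output of `VBoxManage getextradata "sbox" enumerate` and flags guest-visible values that still carry a VirtualBox vendor string, values copied verbatim from the guide's sample scripts, and DMI vendor keys that were never set. The sample output, the function names and the `REQUIRED_DMI` subset are assumptions made for illustration; pass `firmware="efi"` for the UEFI variants.

```python
import re

# One line of `VBoxManage getextradata <vm> enumerate` output.
LINE_RE = re.compile(r"^Key: (?P<key>.+?), Value: (?P<value>.*)$")

# Sample values printed in the guide's scripts (subset). The guide warns that
# reusing them turns them into detection markers.
GUIDE_SAMPLE_VALUES = {
    "MB52.88Z.0088.B05.0904162222", "CSN12345678901234567",
    "BSN12345678901234567", "B5FA3000-9403-81E0-3ADA-F46D045CB676",
    "Mac-F22788AA", "FM550EA#ACB", "2E3024L1T2V9KA", "ABCDEF0123456789",
}
GUIDE_SAMPLE_MACS = {"6CF0491A6E02", "6CF0491A6E12", "6CF0491A6E85"}

VENDOR_MARKERS = ("virtualbox", "vbox", "oracle", "innotek")
VBOX_DEFAULT_OUI = "080027"  # OUI VirtualBox assigns to new adapters

# These keys hold host-side file paths, not data the guest can read as-is.
HOST_PATH_LEAVES = {"DsdtFilePath", "SsdtFilePath", "BiosRom", "LanBootRom"}

# Assumed minimum set of DMI keys to check (illustrative subset of 2.2).
REQUIRED_DMI = ("DmiBIOSVendor", "DmiSystemVendor", "DmiSystemProduct",
                "DmiBoardVendor", "DmiChassisVendor")

MISSING = "not set, VirtualBox default is exposed"
COPIED = "value copied from the published guide"
VENDOR = "value contains a VirtualBox vendor string"


def parse_extradata(text):
    """Return {key: value} from `getextradata ... enumerate` output."""
    entries = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            entries[match.group("key")] = match.group("value")
    return entries


def audit_extradata(entries, firmware="pcbios"):
    """Return a list of (key, reason) findings for one VM."""
    findings = []
    prefix = f"VBoxInternal/Devices/{firmware}/0/Config/"
    for name in REQUIRED_DMI:
        if prefix + name not in entries:
            findings.append((prefix + name, MISSING))
    for key, value in sorted(entries.items()):
        if not key.startswith("VBoxInternal/Devices/"):
            continue  # GUI and other non-device keys are not guest-visible
        if key.rsplit("/", 1)[-1] in HOST_PATH_LEAVES:
            continue  # a host path may legitimately contain "VBOX"
        if value in GUIDE_SAMPLE_VALUES:
            findings.append((key, COPIED))
        elif any(marker in value.lower() for marker in VENDOR_MARKERS):
            findings.append((key, VENDOR))
    return findings


def audit_mac(mac):
    """Return a reason string if the adapter MAC is a marker, else None."""
    mac = mac.replace(":", "").replace("-", "").upper()
    if mac.startswith(VBOX_DEFAULT_OUI):
        return "default VirtualBox OUI 08:00:27"
    if mac in GUIDE_SAMPLE_MACS:
        return "MAC copied from the published guide"
    return None


# Constructed sample output for a VM named "sbox" (not from a real machine).
SAMPLE_OUTPUT = r"""Key: GUI/LastCloseAction, Value: PowerOff
Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor, Value: Contoso Firmware
Key: VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor, Value: Contoso
Key: VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct, Value: VirtualBox
Key: VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial, Value: CSN12345678901234567
Key: VBoxInternal/Devices/pcbios/0/Config/DmiBoardVendor, Value: Contoso
Key: VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/ModelNumber, Value: VBOX HARDDISK
Key: VBoxInternal/Devices/acpi/0/Config/DsdtFilePath, Value: D:\Virtual\VBOX\Settings\ACPI-DSDT.bin
"""

if __name__ == "__main__":
    for key, reason in audit_extradata(parse_extradata(SAMPLE_OUTPUT)):
        print(f"{key}: {reason}")
    print("MAC:", audit_mac("08:00:27:A1:B2:C3"))
```
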

Re: VBoxAntiVMDetectHardened mitigation (10/09/14)

Posted: Wed Sep 17, 2014 2:29 am
by n0mad
Thank you very much for this.

I am sorry for this dumb question, but where can I find the parameter information from an existing computer?

Re: VBoxAntiVMDetectHardened mitigation (10/09/14)

Posted: Thu Sep 18, 2014 2:28 am
by EP_X0FF
n0mad wrote: Thank you very much for this.

I am sorry for this dumb question, but where can I find the parameter information from an existing computer?

cmd->systeminfo or use hwinfo/aida

Re: VBoxAntiVMDetectHardened mitigation (10/09/14)

Posted: Wed Oct 15, 2014 4:00 am
by rinn
EP_X0FF wrote: What/Where/Data for the patch is stored in the "Tsugumi" driver key under the "Parameters" subkey in the "PatchData" value -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tsugumi\Parameters. The loader stores patch information here that is later used by the driver.

Note: The driver ONLY patches ONE VirtualBox dll in memory; nothing else in the system is modified.

This mechanism supports providing custom patch data; you can specify the path to a custom patch data file as the second param of the "-l" command, e.g. loader.exe -l "c:\vbox\mycustompdata.bin"
Patch data is described as a set of linked chains
Code:
typedef struct _BINARY_PATCH_BLOCK {
	ULONG	VirtualOffset;
	UCHAR	DataLength;
	UCHAR	Data[1];
} BINARY_PATCH_BLOCK, *PBINARY_PATCH_BLOCK;
Where:
VirtualOffset - is v.offset in VirtualBox VBoxDD dll.
DataLength - length of input patch data
Data - your input data to write with length of DataLength

Once the patch driver is installed by the loader, it will enable the ACPI-table-related commands, fake HWIDs and patch several instructions with hardcoded VBox signatures.
This driver has no interface; it works semi-automatically, relying only on the PatchData described above.

All source of loader, driver, support tools can be found in attach.

Hello,

4.3.18 patch data block
Code:
//4.3.18
static unsigned char TsmiPatchDataValue[136] = {
	0x6D, 0x20, 0x03, 0x00, 0x02, 0x51, 0x52, 0xd4, 0x22, 0x03, 0x00, 0x02, 0x51, 0x52, 0x27, 0x24, 
	0x03, 0x00, 0x02, 0x51, 0x52, 0x52, 0x27, 0x03, 0x00, 0x02, 0x51, 0x52, 0xf4, 0x28, 0x03, 0x00, 
	0x02, 0x51, 0x52, 0x28, 0x2a, 0x03, 0x00, 0x02, 0x51, 0x52, 0x10, 0xBE, 0x03, 0x00, 0x02, 0x51, 
	0x52, 0xE8, 0xFE, 0x10, 0x00, 0x08, 0x4D, 0x61, 0x67, 0x69, 0x63, 0x61, 0x6C, 0x52, 0x37, 0xD5, 
	0x10, 0x00, 0x1B, 0x44, 0x73, 0x64, 0x74, 0x46, 0x69, 0x6C, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 
	0x53, 0x73, 0x64, 0x74, 0x46, 0x69, 0x6C, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00, 0xB6, 0xD8, 
	0x00, 0x00, 0x02, 0xDE, 0x10, 0x26, 0x20, 0x01, 0x00, 0x02, 0xDE, 0x10, 0x0D, 0xF6, 0x01, 0x00, 
	0x02, 0xDE, 0x10, 0xb1, 0x1d, 0x04, 0x00, 0x02, 0xDE, 0x10, 0xC5, 0x1D, 0x04, 0x00, 0x02, 0xAD, 
	0xDE, 0x1A, 0xF6, 0x01, 0x00, 0x02, 0xC0, 0xC0
};

Replace in loader or use as an external binary file, submitting its path to loader as the second param, e.g.
loader -l c:\vbox\4.3.18.bin

Best Regards,
-rin

Re: VBoxAntiVMDetectHardened mitigation (10/09/14)

Posted: Sun Nov 23, 2014 8:48 am
by rinn
Hello,

4.3.20 patch data block
Code:
//4.3.20
static unsigned char TsmiPatchDataValue[143] = {
	0x8D, 0x21, 0x03, 0x00, 0x02, 0x51, 0x52, 0xf4, 0x23, 0x03, 0x00, 0x02, 0x51, 0x52, 0x47, 0x25, 
	0x03, 0x00, 0x02, 0x51, 0x52, 0x72, 0x28, 0x03, 0x00, 0x02, 0x51, 0x52, 0x14, 0x2a, 0x03, 0x00, 
	0x02, 0x51, 0x52, 0x48, 0x2b, 0x03, 0x00, 0x02, 0x51, 0x52, 0x30, 0xbf, 0x03, 0x00, 0x02, 0x51, 
	0x52, 0x98, 0xbf, 0x11, 0x00, 0x08, 0x4D, 0x61, 0x67, 0x69, 0x63, 0x61, 0x6C, 0x52, 0xe7, 0x95, 
	0x11, 0x00, 0x1B, 0x44, 0x73, 0x64, 0x74, 0x46, 0x69, 0x6C, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 
	0x53, 0x73, 0x64, 0x74, 0x46, 0x69, 0x6C, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00, 0xB6, 0xD8, 
	0x00, 0x00, 0x02, 0xDE, 0x10, 0x26, 0x20, 0x01, 0x00, 0x02, 0xDE, 0x10, 0x0e, 0xF7, 0x01, 0x00, 
	0x02, 0xDE, 0x10, 0xf1, 0x1e, 0x04, 0x00, 0x02, 0xDE, 0x10, 0x05, 0x1f, 0x04, 0x00, 0x02, 0xAD, 
	0xDE, 0x01, 0xF7, 0x01, 0x00, 0x02, 0xDE, 0x10, 0x0e, 0xF7, 0x01, 0x00, 0x02, 0xC0, 0xC0
};

Adapted to 4.3.20 and additionally strengthened video card ID faking.

If someone is interested, I can post a complete guide on how to create such dumps for new VirtualBox releases.

Usage:
Replace in loader or use as an external file translated to binary, submitting its path to loader as the second param, e.g.
loader -l c:\vbox\4.3.20.bin

Best Regards,
-rin

Re: VBoxAntiVMDetectHardened mitigation (10/09/14)

Posted: Fri Jan 02, 2015 5:20 pm
by kmd
couple of questions if u dont mind

1. does it support 4.3.12 and lower versions?
2. ive a problem - your loader reports it cannot load driver, vbox 4.3.20 win7sp1 x64 driver signing policy is enabled, whats up with it?
3. how to create binary patch table like above?

Re: VBoxAntiVMDetectHardened mitigation (10/09/14)

Posted: Fri Jan 02, 2015 5:52 pm
by EP_X0FF
kmd wrote: 1. does it support 4.3.12 and lower versions?

No. The minimum supported version is 4.3.14 (but it does not work by itself), so take 4.3.18/20. On earlier versions use the patched dlls from this topic.

kmd wrote: 2. ive a problem - your loader reports it cannot load driver, vbox 4.3.20 win7sp1 x64 driver signing policy is enabled, whats up with it?

You are probably using the loader on a system where VirtualBox was already installed with default settings like "Networking support"? If so, then before running the loader you need to turn off VirtualBox networking, run loader and then restart it. This is required because the loader reloads VBoxDrv.sys (and requires this), but when VirtualBox networking is running VBoxDrv cannot be unloaded.

Go to "Control Panel->Network and Internet->Network Connections" , find "VirtualBox Host-Only Network" adapter and disable it. Then run loader again with -l key.

E.g. from elevated command prompt: D:\Virtual\VBOX\Settings\ayaseldr.exe -l where "D:\Virtual\VBOX\Settings\" is your location of file instead.

After successful loading with no error messages, go back to control panel and reenable "VirtualBox Host-Only Network" adapter.
Note: you will have to do this after every system reboot, because our driver doesn't stay and do not load itself automatically. Perform steps above before you launch VBox each Windows session. It maybe not that comfortable, but it not that hard. Of course you can avoid using loader if you don't want but then without our driver helper loaded huge amount of VM specific data will be accessible from the VM, revealing it detection to malware. Also DsdtFilePath and SsdtFilePath commands will not work (as VBox will not recognize them as acceptable commands), so you will need to remove them from VM configuration file, again making VM friendly to VM detection.
3. how to create binary patch table like above?
This array is an array of structures BINARY_PATCH_BLOCK (see declaration in first post), 16 entries actually in the last patch version above, describing:

- offset in VBoxDD.dll;
- patch data to apply;
- patch data size.

Each entry describes various places in VBoxDD where Oracle developers used "VBOX" strings, for example, or hardcoded Oracle HWIDs. We patch only data accessible inside the VM and only in VBoxDD, nothing more. Later I will post a detailed "how to" build such a table yourself. The given array must then be written as binary data to registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tsugumi\Parameters value PatchData type REG_BINARY.
It will be used by our driver as a map and data to apply the VBoxDD patch on the fly in memory when this dll is loaded by VirtualBox. Before, this was accomplished by direct file modification, but since 4.3.14, as you know, Oracle banned this way.

Re: VBoxAntiVMDetectHardened mitigation (10/09/14)

PostPosted:Sat Jan 03, 2015 7:03 am
by EP_X0FF
NOTE: everything in this thread is about the x64 version of VirtualBox, we do not support the x86-32 version and have no plans to do so.
kmd wrote:3. how to create binary patch table like above?
A visual example of a decoded table (let's take 4.3.20 from rinn's post as an example).

Note: we use different patch table with different patch content so do not worry to copy-paste detections to your trojans - they won't work.

This table is described as a list of BINARY_PATCH_BLOCK entries
Code: Select all
typedef struct _BINARY_PATCH_BLOCK {
	ULONG	VirtualOffset;	// offset in VBoxDD.dll
	UCHAR	DataLength;	// patch data size
	UCHAR	Data[1];	// patch data to apply (DataLength bytes)
} BINARY_PATCH_BLOCK, *PBINARY_PATCH_BLOCK;
Let's see what it describes and how: simply walk all of them and watch the results
Code: Select all
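	l = 0;	// byte position inside the raw table
	Chains = (PBINARY_PATCH_BLOCK)&TsmiPatchDataValue[0];

	// BLOCK_DATA_OFFSET is not defined in this post; assumed to be the offset of Data inside the block (header size)
	while ( l+BLOCK_DATA_OFFSET<sizeof(TsmiPatchDataValue) ) {
		if ( Chains->DataLength != 0 ) {	// empty blocks are not printed
			wsprintf(szOutput, TEXT("Chain->Offset: %lx, Chain->DataLength: %lx\n"), Chains->VirtualOffset, Chains->DataLength);
			OutputDebugString(szOutput);
		}
		// step over this block's header and data to reach the next block
		l += BLOCK_DATA_OFFSET + Chains->DataLength;
		Chains = (PBINARY_PATCH_BLOCK)((ULONG_PTR)Chains + BLOCK_DATA_OFFSET + Chains->DataLength);
	}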
result:
Code: Select all
Chain->Offset: 3218d, Chain->DataLength: 2
Chain->Offset: 323f4, Chain->DataLength: 2
Chain->Offset: 32547, Chain->DataLength: 2
Chain->Offset: 32872, Chain->DataLength: 2
Chain->Offset: 32a14, Chain->DataLength: 2
Chain->Offset: 32b48, Chain->DataLength: 2
Chain->Offset: 3bf30, Chain->DataLength: 2
Chain->Offset: 11bf98, Chain->DataLength: 8
Chain->Offset: 1195e7, Chain->DataLength: 1b
Chain->Offset: d8b6, Chain->DataLength: 2
Chain->Offset: 12026, Chain->DataLength: 2
Chain->Offset: 1f70e, Chain->DataLength: 2
Chain->Offset: 41ef1, Chain->DataLength: 2
Chain->Offset: 41f05, Chain->DataLength: 2
Chain->Offset: 1f701, Chain->DataLength: 2
Now let's examine offsets in VBoxDD 4.3.20.

Chain with offset 3218d

Image

is an offset to the VBOX identifier used in an instruction.

The patch takes the first 2 bytes of this identifier and overwrites them with "QR" (stored in Chain->Data), resulting in QROX instead of VBOX.

Chains 323f4, 32547, 32872, 32a14, 32b48, 3bf30 do the same for their offsets.

These pieces of code are used for initialization of the virtual machine and these signs WILL BE visible inside the VM - revealing it is a VBOX virtual machine.

Chain with offset 11bf98 points to "VirtualBox" string.

Image

We replace 8 bytes of it with "MagicalR", resulting in "MagicalRox".

Chain with offset 1195e7

This is the offset to the NULL terminator used to indicate the end of the string array representing acceptable vboxmanage utility commands.

Image

In the VirtualBox source this is located in src\VBox\Devices\PC\DevACPI.cpp and declared as
Code: Select all
  if (!CFGMR3AreValuesValid(pCfg,
                              "RamSize\0"
                              "RamHoleSize\0"
                              "IOAPIC\0"
                              "NumCPUs\0"
                              "GCEnabled\0"
                              "R0Enabled\0"
                              "HpetEnabled\0"
                              "McfgEnabled\0"
                              "McfgBase\0"
                              "McfgLength\0"
                              "SmcEnabled\0"
                              "FdcEnabled\0"
                              "ShowRtc\0"
                              "ShowCpu\0"
                              "NicPciAddress\0"
                              "AudioPciAddress\0"
                              "IocPciAddress\0"
                              "HostBusPciAddress\0"
                              "EnableSuspendToDisk\0"
                              "PowerS1Enabled\0"
                              "PowerS4Enabled\0"
                              "CpuHotPlug\0"
                              "AmlFilePath\0"
                              "Serial0IoPortBase\0"
                              "Serial1IoPortBase\0"
                              "Serial0Irq\0"
                              "Serial1Irq\0"
                              "AcpiOemId\0"
                              "AcpiCreatorId\0"
                              "AcpiCreatorRev\0"
                              "CustomTable\0"
                              "SLICTable\0"
                              )) 
There are no DsdtFilePath and SsdtFilePath commands. However VirtualBox natively supports them, DSDT stands for Differentiated System Description Table and SSDT stands for Secondary System Descriptor Table. So we can load our custom tables free from VBox signatures, but VirtualBox doesn't recognize these commands because they are not in the list. What we do: we extend this list by inserting the two mentioned commands after the terminating NULL so the table will look like
Code: Select all
...
                              "AcpiCreatorRev\0"
                              "CustomTable\0"
                              "SLICTable\0"
                              "DsdtFilePath\0"
                              "SsdtFilePath\0"
                              )) 
This will overwrite the debug messages located below the target code, but they are not important.

Image

Chain with offset d8b6

This is the VirtualBox HWID 80EE -> https://pci-ids.ucw.cz/read/PC/80ee

Image

As a result of the patch it will be changed to 10DE - NVIDIA -> https://pci-ids.ucw.cz/read/PC/10de

Chains with offset 12026, 1f701, 41ef1 do the same.

Chains 41f05 and 1f70e patch another HWID - CAFE -> https://pci-ids.ucw.cz/read/PC/80ee/cafe

Image

They are replaced with C0C0.

That's all. With all countermeasures used (including loading custom system tables and bioses) even a full memory dump of the virtual machine will not reveal the simple VirtualBox indicators so loved by malware.

P.S.
Also the latest table posted by rinn contains 1 duplicate entry (last one) :)
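
Added example, not part of the original post and not the project's code: a bounds-checked walk of a patch table in the BINARY_PATCH_BLOCK format described above, rejecting blocks whose data is truncated or whose patch would land outside the target image. The packed 5-byte header (little-endian offset plus length byte), the names `patch_entry`, `parse_patch_table` and `image_size`, and the sample bytes (built from the 3218d and 11bf98 entries in the post) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed packed layout: 4-byte little-endian VirtualOffset, 1-byte DataLength, Data. */
#define BLOCK_HDR 5u

typedef struct {
    uint32_t offset;      /* VirtualOffset */
    uint8_t len;          /* DataLength */
    const uint8_t *data;  /* points into the table buffer */
} patch_entry;

/* Constructed sample table: 3218d -> "QR", 11bf98 -> "MagicalR". */
static const uint8_t sample_table[] = {
    0x8d, 0x21, 0x03, 0x00, 0x02, 'Q', 'R',
    0x98, 0xbf, 0x11, 0x00, 0x08, 'M', 'a', 'g', 'i', 'c', 'a', 'l', 'R'
};

/* Returns the number of entries stored in out, or -1 if a block's data runs
   past the table, a patch falls outside the image, or out is too small. */
int parse_patch_table(const uint8_t *buf, size_t size, uint32_t image_size,
                      patch_entry *out, int max)
{
    size_t pos = 0;
    int n = 0;
    while (size - pos >= BLOCK_HDR) {
        uint32_t off = (uint32_t)buf[pos] | (uint32_t)buf[pos + 1] << 8 |
                       (uint32_t)buf[pos + 2] << 16 | (uint32_t)buf[pos + 3] << 24;
        uint8_t len = buf[pos + 4];
        if (size - pos - BLOCK_HDR < len) return -1;   /* truncated data */
        if (len != 0) {                                /* empty blocks are skipped */
            if (off > image_size || image_size - off < len) return -1;
            if (n == max) return -1;
            out[n].offset = off;
            out[n].len = len;
            out[n].data = buf + pos + BLOCK_HDR;
            n++;
        }
        pos += BLOCK_HDR + len;
    }
    return n;
}

int main(void)
{
    patch_entry e[16];
    /* 0x200000 is a constructed image size, not the real size of VBoxDD.dll. */
    return parse_patch_table(sample_table, sizeof sample_table, 0x200000, e, 16) != 2;
}
```

Unlike the debug loop in the post, this walk checks each block's DataLength against the remaining buffer before stepping to the next block, so a malformed PatchData value is rejected rather than walked past its end.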

Re: VBoxAntiVMDetectHardened mitigation X64 only(03/01/15)

PostPosted:Sun Jan 04, 2015 11:44 am
by TETYYSs
I think something went wrong for me... Image -> Image

And I think it's because of this part:
Note: for patching DSDT table - aware that it is CRC protected, so you need to re-calculate and write proper CRC otherwise your customized machine won't load (https://taesoo.org/files/code/acpi.c.html).
I didn't quite understand what I have to do there..

Re: VBoxAntiVMDetectHardened mitigation X64 only(03/01/15)

PostPosted:Sun Jan 04, 2015 11:51 am
by EP_X0FF
Your VirtualBox version (including build number) and how do you start VM, all steps (how do you run loader etc, is it loaded driver etc).
And I think it's because of this part
This was a note to people who want to patch the DSDT table manually (for future versions of VBox). The table attached in the 1st post already has a fixed checksum.