VBoxAntiVMDetectHardened mitigation X64 only


Re: VBoxAntiVMDetectHardened mitigation X64 only

Postby EP_X0FF » Sat Mar 18, 2017 3:49 am

Trelowin wrote: [pafish] VirtualBox traced using Reg key HKLM\HARDWARE\ACPI\DSDT\VBOX__

If you installed the patch, this line can't be in this log. You either installed it on a VM that was already used, or installed it incorrectly / something failed. Open regedit and navigate to this key. If it is present here and there are no other keys around, the DSDT table wasn't loaded and the patch install is broken.

Rdtsc detection cannot be taken seriously, as it gives lots of false positives.

For VMDE: use Sysinternals DbgView to see the exact detection status.

EricBeale wrote: Hello! Help me please! How do I configure the shared clipboard and shared folders without installing Additions?


No way. Forget about them.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
Posts: 4750
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562

Re: VBoxAntiVMDetectHardened mitigation X64 only

Postby Trelowin » Sat Mar 18, 2017 10:37 pm

EP_X0FF wrote: If you installed the patch, this line can't be in this log. You either installed it on a VM that was already used, or installed it incorrectly / something failed. Open regedit and navigate to this key. If it is present here and there are no other keys around, the DSDT table wasn't loaded and the patch install is broken.

I didn't find any other entries in that key. Most likely I made a mistake during installation. How do I completely delete the VM and AntiVMDetect?
EP_X0FF wrote: For VMDE: use Sysinternals DbgView to see the exact detection status.

Which places need to be checked? I have no previous experience in this area.
Thanks for the help!
[Attachment: screenshot (not viewable)]
Trelowin
 
Posts: 10
Joined: Tue Mar 14, 2017 12:14 pm
Reputation point: 0

Re: VBoxAntiVMDetectHardened mitigation X64 only

Postby EP_X0FF » Sun Mar 19, 2017 6:23 pm

According to your screenshot the patch doesn't work at all.

Trelowin wrote: How do I completely delete the VM and AntiVMDetect?


1) In VBox main window select VM - right click -> Remove -> Delete all files.
2) Reboot Windows.
3) Open regedit and delete keys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tsugumi
HKEY_LOCAL_MACHINE\SOFTWARE\Tsugumi

if present.

If you want to try again, follow these install instructions: https://github.com/hfiref0x/VBoxHardene ... install.md
Especially note the part about modifying the paths (used in the scripts) to your actual location.

Trelowin wrote: Which places need to be checked? I have no previous experience in this area.


When everything is installed again, download DbgView inside the VM from live.sysinternals.com.
Run it as admin and select in the main menu Capture -> Capture Win32 (if not already selected). Don't close DbgView, and run vmde.exe. When something is detected by vmde it prints the details with OutputDebugString, and DbgView will show them to you.
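The reply above relies on DbgView picking up what vmde.exe prints with OutputDebugString. The following is an added example, not part of the thread and not code from DbgView, VMDE or the VBoxHardenedLoader project: a minimal PowerShell listener that does what DbgView's "Capture -> Capture Win32" does, so the detection lines can be logged to a console or file without the Sysinternals GUI. It speaks the protocol user-mode OutputDebugString uses: a 4096-byte shared section named DBWIN_BUFFER (a DWORD sender PID followed by up to 4092 bytes of ANSI text) and two auto-reset events, DBWIN_BUFFER_READY (listener tells writers the buffer is free) and DBWIN_DATA_READY (writer tells the listener a message is waiting). Run it in the same desktop session as vmde.exe and not while DbgView is running, since only one listener can own DBWIN_BUFFER.

```powershell
# Added example: a tiny OutputDebugString listener (what DbgView's
# "Capture Win32" does). Not from the thread or from the tools it mentions.
# Stop it with Ctrl+C; the finally block releases the named objects.

$mmf    = [System.IO.MemoryMappedFiles.MemoryMappedFile]::CreateNew('DBWIN_BUFFER', 4096)
$stream = $mmf.CreateViewStream(0, 4096)
$bufferReady = New-Object System.Threading.EventWaitHandle($false, [System.Threading.EventResetMode]::AutoReset, 'DBWIN_BUFFER_READY')
$dataReady   = New-Object System.Threading.EventWaitHandle($false, [System.Threading.EventResetMode]::AutoReset, 'DBWIN_DATA_READY')

$buf   = New-Object byte[] 4096
$seq   = 0
$clock = [System.Diagnostics.Stopwatch]::StartNew()

try {
    # Tell writers the buffer is free. OutputDebugString waits on this event
    # before copying its string into the section; with no listener it returns.
    [void]$bufferReady.Set()
    while ($true) {
        # Poll with a timeout so Ctrl+C is honoured between messages.
        if (-not $dataReady.WaitOne(500)) { continue }

        # Layout of the section: DWORD pid, then NUL-terminated ANSI text.
        $stream.Position = 0
        [void]$stream.Read($buf, 0, $buf.Length)
        $srcPid = [BitConverter]::ToInt32($buf, 0)
        $end = [Array]::IndexOf($buf, [byte]0, 4)
        if ($end -lt 0) { $end = $buf.Length }
        $text = [System.Text.Encoding]::Default.GetString($buf, 4, $end - 4).TrimEnd()

        # Same shape as a DbgView line: sequence, seconds since start, [pid], text
        $seq++
        '{0:D8} {1:F6} [{2}] {3}' -f $seq, $clock.Elapsed.TotalSeconds, $srcPid, $text

        # Hand the buffer back so the writer's next OutputDebugString can proceed.
        [void]$bufferReady.Set()
    }
}
finally {
    $stream.Dispose(); $mmf.Dispose(); $bufferReady.Dispose(); $dataReady.Dispose()
}
```

Start it in one PowerShell window, then run vmde.exe from the same session; each detection appears as one line, and piping the script to `Tee-Object -FilePath vmde.log` keeps a copy for later comparison with the pafish output.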

Re: VBoxAntiVMDetectHardened mitigation X64 only

Postby Trelowin » Tue Mar 21, 2017 1:14 am

I solved the problem with the DSDT tables. I commented out (rem) these lines before starting hidevm_ahci:
rem %vboxman% setextradata "%n1%" "VBoxInternal/Devices/acpi/0/Config/DsdtFilePath" "%vmscfgdir%ACPI-DSDT.bin"
rem %vboxman% setextradata "%n1%" "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "%vmscfgdir%ACPI-SSDT1.bin"

Then I installed Tsugumi and the loader. Commenting those lines out (rem) and running hidevm_ahci solved the problem with
[pafish] VirtualBox traced using Reg key HKLM\HARDWARE\ACPI\DSDT\VBOX__

Now I have a detection on the mouse. I tried all 3 modes. I couldn't get it fixed. :D
DbgView showed:
00000001 0.00000000 [1976] IsVirtualBox, PCI

What can be done? :)

Re: VBoxAntiVMDetectHardened mitigation X64 only

Postby EP_X0FF » Tue Mar 21, 2017 2:26 pm

Trelowin wrote: What can be done? :)


Open regedit. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI and find all entries with the Oracle vendor hardware ID (80EE). If they are present, either the patch wasn't applied correctly, or you used this VM before installing the patch and they are dead duplicate entries that need to be removed. We have seen this scenario before in this thread, viewtopic.php?f=11&t=3478&start=110, where the user used a pirated OS ISO for the Windows guest install.
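The two regedit checks the thread asks for, the VBOX__ key under HKLM\HARDWARE\ACPI\DSDT from the first reply and the VEN_80EE entries under Enum\PCI from the reply above, are easy to get wrong by eye. The script below is an added example, not from the thread, pafish, VMDE or the VBoxHardenedLoader project; run it inside the Windows guest as Administrator after the patch is installed. It walks every ACPI table type (not just DSDT) for a VBOX* OEM ID, lists any PCI device instance with vendor 80EE, reports whether the Tsugumi keys from the uninstall steps exist, and prints the SMBIOS strings the guest sees so you can confirm the Dmi* values from the hidevm script took effect. The list of VirtualBox default strings it flags (innotek, VirtualBox, VBOX) is the author's assumption, not something the thread states.

```powershell
# Added example (not from the thread or the projects it discusses). Run in the
# guest as Administrator. Collects the same artifacts the replies above tell
# the user to look for with regedit and prints a summary.

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. ACPI tables. Under HKLM\HARDWARE\ACPI each table type (DSDT, SSDT, FADT,
#    RSDT ...) has one subkey per OEM ID. A stock VirtualBox guest shows VBOX__;
#    with the replacement tables loaded the OEM ID carried by those tables
#    should appear instead and no VBOX__ key should remain.
foreach ($table in Get-ChildItem -Path 'HKLM:\HARDWARE\ACPI' -ErrorAction SilentlyContinue) {
    foreach ($oem in Get-ChildItem -Path $table.PSPath -ErrorAction SilentlyContinue) {
        Write-Host ('ACPI {0,-5} OEM ID: {1}' -f $table.PSChildName, $oem.PSChildName)
        if ($oem.PSChildName -like 'VBOX*') {
            $findings.Add("ACPI $($table.PSChildName)\$($oem.PSChildName)")
        }
    }
}

# 2. PCI device instances. Keys are named VEN_xxxx&DEV_xxxx&...; 80EE is the
#    Oracle/VirtualBox vendor ID. Any hit means the patch did not apply, or the
#    VM ran unpatched earlier and left dead duplicate entries behind.
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\PCI' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match 'VEN_80EE' } |
    ForEach-Object { $findings.Add("PCI $($_.PSChildName)") }

# 3. Loader keys (the ones the uninstall steps delete). They are expected to
#    exist while the patch is installed, so they are reported, not flagged.
foreach ($key in 'HKLM:\SYSTEM\CurrentControlSet\Services\Tsugumi', 'HKLM:\SOFTWARE\Tsugumi') {
    Write-Host ('{0,-52} present: {1}' -f $key, (Test-Path -Path $key))
}

# 4. SMBIOS as exposed to the guest. These fields come from the Dmi* extradata
#    the hidevm script sets. Assumption: unpatched defaults mention innotek,
#    VirtualBox or VBOX.
$bios = Get-CimInstance -ClassName Win32_BIOS
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
Write-Host ('BIOS   : {0} / {1}' -f $bios.Manufacturer, $bios.SMBIOSBIOSVersion)
Write-Host ('System : {0} / {1}' -f $cs.Manufacturer, $cs.Model)
foreach ($s in @($bios.Manufacturer, $bios.SMBIOSBIOSVersion, $cs.Manufacturer, $cs.Model)) {
    if ($s -match 'VirtualBox|innotek|VBOX') { $findings.Add("SMBIOS '$s'") }
}

if ($findings.Count -eq 0) {
    Write-Host 'No VirtualBox registry or SMBIOS artifacts found.'
} else {
    Write-Host 'VirtualBox artifacts still visible:'
    $findings | ForEach-Object { Write-Host "  $_" }
}
```

A clean run prints the ACPI OEM IDs from the replacement tables, no PCI lines, and the SMBIOS vendor/model from the script; any line under "still visible" is the artifact to chase before re-running pafish or vmde.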

Re: VBoxAntiVMDetectHardened mitigation X64 only

Postby Trelowin » Wed Mar 22, 2017 11:05 am

Installing an original system image solved the 80EE problem. VMDE now. However, the mouse detection isn't fixed. The mouse detection happens on both the host and the virtual machine :D.

Re: VBoxAntiVMDetectHardened mitigation X64 only

Postby EP_X0FF » Wed Mar 22, 2017 2:47 pm

If you mean this shit -> https://github.com/a0rtega/pafish/blob/ ... dbox.c#L20

Just move the mouse chaotically the whole time during the pafish run.

Re: VBoxAntiVMDetectHardened mitigation X64 only

Postby Trelowin » Sun Mar 26, 2017 9:18 am

Unexpectedly hidevm_ahci stopped working. I tried with new and old machines. pcbios.bin didn't change all this time; I only opened it in Notepad.
Error log:
Code:
00:00:01.379882 VMSetError: F:\tinderbox\win-5.1\src\VBox\Devices\PC\DevPcBios.cpp(1404) int __cdecl pcbiosConstruct(struct PDMDEVINS *,int,struct CFGMNODE *); rc=VERR_FILE_NOT_FOUND
00:00:01.379892 VMSetError: Failed to open system BIOS file 'C:\ pcbios.bin'
00:00:01.379905 PDM: Failed to construct 'pcbios'/0! VERR_FILE_NOT_FOUND (-102) - File not found.
00:00:01.508985 ERROR [COM]: aRC=E_FAIL (0x80004005) aIID={872da645-4a9b-1727-bee2-5585105b9eed} aComponent={ConsoleWrap} aText={Failed to open system BIOS file 'C:\ pcbios.bin' (VERR_FILE_NOT_FOUND)}, preserve=false aResultDetail=0
00:00:01.509289 Console: Machine state changed to 'PoweredOff'
00:00:01.550293 Power up failed (vrc=VERR_FILE_NOT_FOUND, rc=E_FAIL (0X80004005))
00:00:01.672468 GUI: UIMachineViewNormal::resendSizeHint: Restoring guest size-hint for screen 0 to 800x600
00:00:01.672500 ERROR [COM]: aRC=E_ACCESSDENIED (0x80070005) aIID={02326f63-bcb3-4481-96e0-30d1c2ee97f6} aComponent={DisplayWrap} aText={The console is not powered up}, preserve=false aResultDetail=0
00:00:01.672747 GUI: Aborting startup due to power up progress issue detected...

Re: VBoxAntiVMDetectHardened mitigation X64 only

Postby EP_X0FF » Sun Mar 26, 2017 4:23 pm

Your log indicates that your pcbios.bin file was not found. Show your cmd file.

Re: VBoxAntiVMDetectHardened mitigation X64 only

Postby Trelowin » Sun Mar 26, 2017 4:50 pm

I didn't find a spoiler tag on the forum :(.
The files are in the "C:\ " directory.
Code:
rem @echo off

rem BIOS/AHCI mode

rem vboxman is the full path to the vboxmanage executable
rem vmscfgdir is the path to directory that keeps vbox custom configuration data (bioses, tables etc)

TaskKill /IM "VirtualBox.exe"
TaskKill /IM "VBoxSVC.exe"

set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe"
set vmscfgdir=C:\
set /P n1="Enter Virtual Machine name: "

%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "Asus"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion" "MB52.88Z.0088.B05.0904162222"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate" "08/10/13"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor" "5"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor" "9"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor" "1"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor" "0"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor" "Asus"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct" "MyBook5,2"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion" "1.0"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial" "CSN12345678901234567"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSKU" "FM550EA#ACB"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily" "Ultrabook"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid" "B5FA3000-9403-81E0-3ADA-F46D045CB676"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVendor" "Asus"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardProduct" "Mac-F22788AA"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVersion" "3.0"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardSerial" "BSN12345678901234567"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardAssetTag" "Base Board Asset Tag#"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardLocInChass" "Board Loc In"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardBoardType" 10
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVendor" "Asus Inc."
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisType" 10
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVersion" "Mac-F22788AA"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisSerial" "CSN12345678901234567"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisAssetTag" "WhiteHouse"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxVer" "Extended version info: 1.00.00"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxRev" "Extended revision info: 1A"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/ahci/0/Config/Port0/ModelNumber" "Hitachi HTS543230AAA384"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/ahci/0/Config/Port0/FirmwareRevision" "ES2OA60W"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/ahci/0/Config/Port0/SerialNumber" "2E3024L1T2V9KA"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/ahci/0/Config/Port1/ModelNumber" "Slimtype DVD A  DS8A8SH"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/ahci/0/Config/Port1/FirmwareRevision" "KAA2"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/ahci/0/Config/Port1/SerialNumber" "ABCDEF0123456789"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIVendorId" "Slimtype"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIProductId" "DVD A  DS8A8SH"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIRevision" "KAA2"


%vboxman% setextradata "%n1%" "VBoxInternal/Devices/acpi/0/Config/AcpiOemId" "ASUS"
%vboxman% modifyvm "%n1%" --macaddress1 4CF0491A6E12
%vboxman% modifyvm "%n1%" --paravirtprovider legacy

cd /d %vmscfgdir%

%vboxman% setextradata "%n1%" "VBoxInternal/Devices/acpi/0/Config/DsdtFilePath" "%vmscfgdir%ACPI-DSDT.bin"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "%vmscfgdir%ACPI-SSDT1.bin"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/vga/0/Config/BiosRom" "%vmscfgdir%videorom.bin"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/BiosRom" "%vmscfgdir%pcbios.bin"
%vboxman% setextradata "%n1%"  "VBoxInternal/Devices/pcbios/0/Config/LanBootRom" "%vmscfgdir%pxerom.bin"
%vboxman% modifyvm "%n1%" --bioslogoimagepath  "%vmscfgdir%splash.bmp"

@pause
Last edited by EP_X0FF on Sun Mar 26, 2017 5:35 pm, edited 1 time in total.
Reason: code tags
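The VBox.log excerpt two posts up fails with VERR_FILE_NOT_FOUND on 'C:\ pcbios.bin', a path with a space after the drive root that the script's vmscfgdir value produced. The script below is an added example, not from the thread or the VBoxHardenedLoader project, for checking this on the host after running hidevm_ahci.cmd: it reads every extradata key back with `VBoxManage getextradata <vm> enumerate`, keeps the keys that name a file (DSDT/SSDT tables, BIOS, video and PXE ROMs), and tests that each path resolves to an existing file, calling out whitespace in the path since that is the failure mode seen here. The VM name "Win7x64" and the default VirtualBox install path are assumptions; pass your own.

```powershell
# Added example (not from the thread or the project). Run on the host after
# hidevm_ahci.cmd. Exit code is the number of file-backed extradata keys that
# do not resolve to an existing file.
param(
    [string]$VmName  = 'Win7x64',                                           # assumed name
    [string]$VBoxMan = 'C:\Program Files\Oracle\VirtualBox\VBoxManage.exe'  # default install path
)

# 'getextradata <vm> enumerate' prints one line per key:
#   Key: VBoxInternal/Devices/pcbios/0/Config/BiosRom, Value: C:\hidevm\pcbios.bin
$lines = & $VBoxMan getextradata $VmName enumerate
if ($LASTEXITCODE -ne 0) { throw "VBoxManage getextradata failed for VM '$VmName'" }

# Leaf names of the keys the hidevm script points at files on disk.
$fileKeys = 'DsdtFilePath', 'SsdtFilePath', 'BiosRom', 'LanBootRom'
$bad = 0

foreach ($line in $lines) {
    if ($line -notmatch '^Key: (?<key>\S+), Value: (?<val>.*)$') { continue }
    $key = $Matches.key
    $val = $Matches.val
    if (($key -split '/')[-1] -notin $fileKeys) { continue }

    # -LiteralPath so that brackets or other glob characters in a path are not
    # interpreted; -PathType Leaf so a directory is not accepted as a ROM.
    $status = if (Test-Path -LiteralPath $val -PathType Leaf) { 'ok' }
              elseif ($val -match '\s') { 'MISSING (path contains whitespace)' }
              else { 'MISSING' }
    if ($status -ne 'ok') { $bad++ }
    Write-Host ('{0,-62} {1,-36} {2}' -f $key, $val, $status)
}

Write-Host ("{0} file-backed key(s) unresolved" -f $bad)
exit $bad
```

With the cmd file posted above this reports 'C:\ pcbios.bin' as MISSING (path contains whitespace), which matches the VMSetError line in the log; once the vmscfgdir line is fixed and the script re-run, every row should read ok and the VM powers up again.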
