A forum for reverse engineering, OS internals and malware analysis
https://www.kernelmode.info/forum/
idorosido wrote:Hi,I've no idea. Perhaps you also need to patch some binary like VBoxDD in Windows.
I'm looking for a way to harden Cuckoo sandbox machines that are running on Ubuntu host using vbox.
Is there any guide / documentation for hardening win7 64bit vm on VBOX installed on Linux hypervisor ?
I want to get rid from "80ee:cafe" & "80ee:beef" device ids.
Thanks,
Installation and use.
1) Install supported VirtualBox version.
5.0.0
5.0.2
5.0.8
5.0.10
5.0.12
5.0.16
2) Create a new vm with the following settings.
System->Mortherboard
Chipset = PIIX3
Pointing Device = PS/2 Mouse
Extended features: [+]Enabled I/O APIC, ([+]Enable EFI, see EFI note)
System->Processor
Processors = set at minumum 2
Extended features: [+]Enable PAE/NX
System->Acceleration (some of these settings may be unavailable in earlier VBox versions)
Paravirtualization Interface = set Legacy
Hardware Virtualization = [+]Enable VT-x/AMD-V, [+]Enable Nested Paging
Display->Screen
Acceleration = [-]Enable 3D Acceleration, [-]Enable 2D Video Acceleration
Storage
Controller: SATA or IDE
Network
Enable NAT for adapter
Close virtualbox, do not start machine.
If you selected Enable EFI see step (5) before doing step (3)
3) Depending on settings use following batch scripts
if you selected EFI and IDE controller
hidevm_efiide.cmd YOURMACHINENAME e.g. hidevm_efiahci.cmd win10
if you selected EFI and SATA controller
hidevm_efiahci.cmd YOURMACHINENAME e.g. hidevm_efiahci.cmd win10
if you selected IDE controller without EFI
hidevm_ide.cmd YOURMACHINENAME e.g. hidevm_ide.cmd win7
if your selected SATA controller without EFI
hidevm_ahci.cmd YOURMACHINENAME e.g. hidevm_ahci.cmd win7
Before running scripts make sure vmscfgdir variable inside points to directory where all required files available (copy contents of Binary folder somewhere, for example D:\Virtual\VBOX\Settings, where VBox is folder for virtual machines).
4) Install tsugumi monitor driver.
Run from elevated command prompt
tdl.exe tsugumi.sys
Run from elevated command prompt
loader.exe
That all, now you can run your VM.
DO NOT INSTALL VBOX ADDITIONS, this will ruin everything and there is NO WORKAROUND for this.
Note: tsugumi.sys will be unloaded ONLY at system reboot. So if you plan update VirtualBox better do reboot after update.
5) EFI Note
If you plan to use EFI based VM's:
a) Make sure, Tsugumi is not loaded before doing next step.
b) Make copy of VBoxEFI64.fd in VirtualBox directory.
c) Replace VBoxEFI64.fd in VirtualBox directory with it patched version from this data directory.
d) Use hidevm_efiahci (AHCI controller mode) or hidevm_efiide (IDE controller mode) for your EFI VM.
e) Load Tsugumi (see step (4)).
f) Run VirtualBox.
please see comments in install.cmd, loader.cmd before running them.idorosido wrote:Hi,Maybe you can take a look at http://vmcloak.org/
I'm looking for a way to harden Cuckoo sandbox machines that are running on Ubuntu host using vbox.
Is there any guide / documentation for hardening win7 64bit vm on VBOX installed on Linux hypervisor ?
I want to get rid from "80ee:cafe" & "80ee:beef" device ids.
Thanks,