
Re: VBoxAntiVMDetectHardened mitigation X64 only (27/01/16)

Posted: Mon Mar 14, 2016 4:02 pm
by EP_X0FF
idorosido wrote:
Hi,

I'm looking for a way to harden Cuckoo sandbox machines that are running on an Ubuntu host using vbox.
Is there any guide / documentation for hardening a win7 64bit vm on VBOX installed on a Linux hypervisor?

I want to get rid of the "80ee:cafe" & "80ee:beef" device ids.

Thanks,

I've no idea. Perhaps you also need to patch some binary like VBoxDD in Windows.

VBoxAntiVMDetectHardened mitigation X64 only (14/03/16)

Posted: Mon Mar 14, 2016 4:04 pm
by EP_X0FF
Loader updated to support 5.0.16. Also switched from DSEFix to TDL.
Code:
Installation and use.

1) Install supported VirtualBox version.
 
5.0.0
5.0.2 
5.0.8 
5.0.10 
5.0.12 
5.0.16

2) Create a new vm with the following settings.

System->Motherboard
Chipset = PIIX3
Pointing Device = PS/2 Mouse
Extended features: [+]Enabled I/O APIC, ([+]Enable EFI, see EFI note)

System->Processor
Processors = set at minimum 2
Extended features: [+]Enable PAE/NX

System->Acceleration (some of these settings may be unavailable in earlier VBox versions)
Paravirtualization Interface = set Legacy
Hardware Virtualization = [+]Enable VT-x/AMD-V, [+]Enable Nested Paging

Display->Screen
Acceleration = [-]Enable 3D Acceleration, [-]Enable 2D Video Acceleration

Storage
Controller: SATA or IDE

Network
Enable NAT for adapter

Close virtualbox, do not start machine.

If you selected Enable EFI see step (5) before doing step (3)

3) Depending on settings use following batch scripts

if you selected EFI and IDE controller
hidevm_efiide.cmd YOURMACHINENAME e.g. hidevm_efiide.cmd win10

if you selected EFI and SATA controller
hidevm_efiahci.cmd YOURMACHINENAME e.g. hidevm_efiahci.cmd win10

if you selected IDE controller without EFI
hidevm_ide.cmd YOURMACHINENAME e.g. hidevm_ide.cmd win7

if you selected SATA controller without EFI
hidevm_ahci.cmd YOURMACHINENAME e.g. hidevm_ahci.cmd win7

Before running the scripts make sure the vmscfgdir variable inside them points to the directory where all required files are available (copy the contents of the Binary folder somewhere, for example D:\Virtual\VBOX\Settings, where VBOX is the folder for virtual machines).

4) Install tsugumi monitor driver.

Run from elevated command prompt

tdl.exe tsugumi.sys

Run from elevated command prompt

loader.exe


That's all, now you can run your VM.

DO NOT INSTALL VBOX ADDITIONS, this will ruin everything and there is NO WORKAROUND for this.

Note: tsugumi.sys will be unloaded ONLY at system reboot. So if you plan to update VirtualBox, better do a reboot after the update.

5) EFI Note

If you plan to use EFI based VMs:

a) Make sure Tsugumi is not loaded before doing the next step.
b) Make a copy of VBoxEFI64.fd in the VirtualBox directory.
c) Replace VBoxEFI64.fd in the VirtualBox directory with its patched version from this data directory.
d) Use hidevm_efiahci (AHCI controller mode) or hidevm_efiide (IDE controller mode) for your EFI VM.
e) Load Tsugumi (see step (4)).
f) Run VirtualBox.

Please see the comments in install.cmd and loader.cmd before running them.
D/L from https://github.com/hfiref0x/VBoxHardenedLoader

Re: VBoxAntiVMDetectHardened mitigation X64 only (27/01/16)

Posted: Mon Mar 14, 2016 4:07 pm
by futex
idorosido wrote:
Hi,

I'm looking for a way to harden Cuckoo sandbox machines that are running on an Ubuntu host using vbox.
Is there any guide / documentation for hardening a win7 64bit vm on VBOX installed on a Linux hypervisor?

I want to get rid of the "80ee:cafe" & "80ee:beef" device ids.

Thanks,

Maybe you can take a look at http://vmcloak.org/

Re: VBoxAntiVMDetectHardened mitigation X64 only (14/03/16)

Posted: Tue Apr 05, 2016 6:19 am
by EP_X0FF
Offtop questions of "how to use windows" moved. Further this kind of offtop will be removed. If you cannot manage this beginner level Windows usage, this topic is clearly not for you.

Re: VBoxAntiVMDetectHardened mitigation X64 only (14/03/16)

Posted: Sun Apr 24, 2016 8:25 am
by bykvaadm
Hi!
could u please help me?
i'm trying to use your patch, but when starting the VM, I get an error.
i'm running win10 x64, vbox 5.0.16. did almost everything as the guide says.

Re: VBoxAntiVMDetectHardened mitigation X64 only (14/03/16)

Posted: Sun Apr 24, 2016 12:22 pm
by EP_X0FF
"net start vboxdrv" in an elevated command prompt, or run vbox elevated, otherwise vbox is unable to load its driver (as we unloaded it before).

Re: VBoxAntiVMDetectHardened mitigation X64 only (14/03/16)

Posted: Mon Apr 25, 2016 10:16 am
by bykvaadm
i've successfully started my VM, thx a lot! but still my software cannot start in it, it writes that i shouldn't start it in a virtual machine =)
also i started pafish (from posts above) and it told me that checking cpuid hypervisor vendor for known vm vendors was failed. is it my misconfiguration?
log says: CPU: GenuineIntel (HV:VboxVboxVbox)

if u could see it yourself it will be great. i'm talking about a game (lineage2, asterios.tm) or... i can try to reverse it myself

btw, the first checker was passed. (the game asked me not to run in a vm right after launch. after launching your project the game successfully checks its files, tries to run and then alerts that it runs in a VM)

Re: VBoxAntiVMDetectHardened mitigation X64 only (14/03/16)

Posted: Mon Apr 25, 2016 12:01 pm
by EP_X0FF
Did you enable Legacy mode in the Paravirtualization options of the VBox settings?

Re: VBoxAntiVMDetectHardened mitigation X64 only (14/03/16)

Posted: Mon Apr 25, 2016 1:06 pm
by bykvaadm
yes of course. i did everything in guide

Re: VBoxAntiVMDetectHardened mitigation X64 only (14/03/16)

Posted: Mon Apr 25, 2016 1:09 pm
by EP_X0FF
Well then VirtualBox ignores this setting and only removes hypervisor bit, leaving hypervisor name available via cpuid. Nice job Oracle as always.
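The state described in this last reply (hypervisor bit cleared in CPUID leaf 1, vendor signature still answering in leaf 0x40000000) is exactly what the pafish line in the earlier post reports, and a sandbox operator can check it directly. The following is an added example, not code from this thread, from VBoxHardenedLoader or from pafish. It assumes a GCC or Clang toolchain with cpuid.h on x86; the signature table uses the publicly documented strings (VirtualBox answers "VBoxVBoxVBox"), and the helper names pack4, known_hypervisor and visibility are this example's own. The live query is compiled only on x86, while the decoding helpers run anywhere so they can be exercised with constructed register values.

```c
/* Added example: read the two CPUID checks behind the pafish result above.
 * Leaf 1, ECX bit 31 is the "hypervisor present" bit. Leaf 0x40000000
 * returns a 12-byte vendor signature in EBX:ECX:EDX. A hardened guest
 * should expose neither; the thread's symptom is "bit gone, vendor left". */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

struct cpuid_regs { uint32_t eax, ebx, ecx, edx; };

/* Execute CPUID for one leaf. Returns 0 (registers zeroed) on non-x86 builds.
 * __cpuid is used rather than __get_cpuid because 0x40000000 lies above the
 * basic-leaf maximum that __get_cpuid enforces. */
int read_cpuid(uint32_t leaf, struct cpuid_regs *r)
{
    memset(r, 0, sizeof *r);
#if HAVE_CPUID
    __cpuid(leaf, r->eax, r->ebx, r->ecx, r->edx);
    return 1;
#else
    (void)leaf;
    return 0;
#endif
}

/* Pack four ASCII bytes into a register value the way CPUID delivers them
 * (first character in the low byte). Only used to build constructed input. */
uint32_t pack4(const char *s)
{
    return (uint32_t)(unsigned char)s[0]
         | (uint32_t)(unsigned char)s[1] << 8
         | (uint32_t)(unsigned char)s[2] << 16
         | (uint32_t)(unsigned char)s[3] << 24;
}

int hypervisor_bit_set(const struct cpuid_regs *leaf1)
{
    return (int)((leaf1->ecx >> 31) & 1u);
}

/* Decode EBX, ECX, EDX of leaf 0x40000000 into a NUL-terminated 12-char string. */
void hypervisor_vendor(const struct cpuid_regs *hv, char out[13])
{
    const uint32_t regs[3] = { hv->ebx, hv->ecx, hv->edx };
    for (int i = 0; i < 3; i++)
        for (int j = 0; j < 4; j++)
            out[i * 4 + j] = (char)((regs[i] >> (8 * j)) & 0xffu);
    out[12] = '\0';
}

/* Product name for a documented signature, or NULL when the 12 bytes match
 * nothing known (all zero when no hypervisor answers the leaf). */
const char *known_hypervisor(const struct cpuid_regs *hv)
{
    static const struct { const char *sig; const char *name; } table[] = {
        { "VBoxVBoxVBox", "VirtualBox" },
        { "VMwareVMware", "VMware" },
        { "KVMKVMKVM\0\0\0", "KVM" },
        { "Microsoft Hv", "Hyper-V" },
        { "XenVMMXenVMM", "Xen" },
    };
    char v[13];
    hypervisor_vendor(hv, v);
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (memcmp(v, table[i].sig, 12) == 0)
            return table[i].name;
    return NULL;
}

/* 0 = nothing visible, 1 = bit only, 2 = vendor only (the thread's case), 3 = both. */
int visibility(const struct cpuid_regs *leaf1, const struct cpuid_regs *hv)
{
    int code = 0;
    if (hypervisor_bit_set(leaf1)) code |= 1;
    if (known_hypervisor(hv))      code |= 2;
    return code;
}

int main(void)
{
    struct cpuid_regs leaf1, hv;
    if (!read_cpuid(1, &leaf1) || !read_cpuid(0x40000000u, &hv)) {
        puts("CPUID not available on this build target");
        return 0;
    }
    char vendor[13];
    hypervisor_vendor(&hv, vendor);
    const char *name = known_hypervisor(&hv);
    printf("hypervisor bit: %d\n", hypervisor_bit_set(&leaf1));
    printf("leaf 0x40000000 vendor: \"%s\" (%s)\n", vendor, name ? name : "no known signature");
    printf("visibility code: %d\n", visibility(&leaf1, &hv));
    return 0;
}
```

Run it inside the guest after applying the loader: a visibility code of 2 reproduces what pafish flagged, and a code of 0 is what a hardened guest should print.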