Re: VirtualBox Anti-AntiVM

Posted: Mon Oct 22, 2012 7:41 am
by nex
You might want to give a look at:
http://pastebin.com/RU6A2UuB
https://github.com/cuckoobox/community/ ... ntifier.py
https://github.com/cuckoobox/community/ ... ct_acpi.py

The last two are signatures to detect those tricks, but you can find the indicators to modify.

Attached is a sample that employs a lot of anti-VM tricks; you might want to use it as a test run. It's a DirtJumper.

Re: VirtualBox Anti-AntiVM

Posted: Mon Dec 03, 2012 9:06 pm
by kareldjag/michk
Also interesting: the Pafish demo, which checks for several VMs
https://github.com/a0rtega/pafish

rgds

Re: Rootkit MaxSS (alias TDSS, SST, Alureon.FE, Olmasco)

Posted: Tue Dec 04, 2012 4:57 pm
by Ormu
EP_X0FF wrote:
kmd wrote:
:( still no luck for me... any tips?
You either did not configure your machine or missed something. 0x16/7ton revealed all, so he stole most of my spoilers :D To be able to work with this rootkit, set up a new virtual machine. I think VirtualBox is OK, since it's light, free and has configurable DMI settings (while VPC does not; unsure about VMware). Install Windows and do not install any kind of VM tools, or wipe them if they are installed. This is an important part of any malware research: never use any kind of VM tools. Next, configure the DMI information to fool the rootkit's anti-VM checking. For VBox:

VBoxManage setextradata "My VM" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "Gigabyte" (any vendor, but not Microsoft/VirtualBox etc.)
VBoxManage setextradata "My VM" "VBoxInternal/Devices/ahci/0/Config/Port0/ModelNumber" "SAMSUNG" (any vendor not in the blacklist)
VBoxManage setextradata "My VM" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily" "Anything"
VBoxManage setextradata "My VM" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor" "Anything"

...
Considering how much VBox is used in malware research, couldn't they add a GUI configuration panel for these options? Not that using VBoxManage is hard, but...
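The VBoxManage commands quoted above are usually typed one by one, and a typo in a key name fails silently (VirtualBox happily stores extradata under any key). The script below is an added example, not code from this thread or from the VirtualBox project: it applies the four keys from EP_X0FF's post, refuses values that still contain a hypervisor name (the thread's "not Microsoft/VirtualBox" rule, plus VirtualBox's stock "innotek"/"VBOX" strings), and reads each key back with getextradata to confirm it took. The vendor strings, the VM name "My VM" and the "Desktop" family value are placeholders, and the marker list is an assumption you should extend for your own setup. Run it on the host with the VM powered off.

```shell
#!/bin/sh
# Added example (not from the thread): set the DMI/AHCI identity strings an
# anti-VM check reads, refuse values that still name a hypervisor, and read
# every key back so a mistyped key name is caught. Host side, VM powered off.
set -u

# Substrings a VM check looks for in DMI strings and disk model names (assumed
# list: "innotek"/"VBOX" are VirtualBox's defaults; the rest follows the thread's
# advice to avoid Microsoft/VirtualBox-style vendor names). Extend as needed.
VM_MARKERS="virtualbox vbox innotek oracle microsoft vmware qemu"

# value_is_safe VALUE -> 0 if VALUE is non-empty and contains no marker
value_is_safe() {
    lc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    for m in $VM_MARKERS; do
        case "$lc" in *"$m"*) return 1 ;; esac
    done
    [ -n "$lc" ]
}

# dmi_settings BIOS_VENDOR DISK_MODEL -> "key value" pairs, one per line.
# Keys are the ones from EP_X0FF's post; "Desktop" is a placeholder family.
dmi_settings() {
    printf '%s %s\n' \
        VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor   "$1" \
        VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor "$1" \
        VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily "Desktop" \
        VBoxInternal/Devices/ahci/0/Config/Port0/ModelNumber "$2"
}

# vbox_hide_dmi VM BIOS_VENDOR DISK_MODEL -> 0 only if every key was set and
# read back with the same value; any refused value or mismatch returns 1.
vbox_hide_dmi() {
    vm=$1
    dmi_settings "$2" "$3" | while read -r key value; do
        if ! value_is_safe "$value"; then
            echo "refusing '$value' for $key: still names a hypervisor" >&2
            exit 1
        fi
        VBoxManage setextradata "$vm" "$key" "$value" || exit 1
        # getextradata prints "Value: <stored value>"; strip the prefix.
        got=$(VBoxManage getextradata "$vm" "$key" | sed -n 's/^Value: //p')
        if [ "$got" != "$value" ]; then
            echo "readback mismatch for $key: got '$got'" >&2
            exit 1
        fi
        echo "$key = $got"
    done
}

# Usage: sh hide_dmi.sh "My VM" "Gigabyte" "SAMSUNG"   (all three are placeholders)
if [ $# -eq 3 ]; then
    vbox_hide_dmi "$1" "$2" "$3"
fi
```

The readback step matters more than it looks: setextradata accepts any key string, so a misspelled key creates a harmless new entry instead of changing the BIOS strings, and the only symptom is that the sample still detects the VM.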

Re: VirtualBox Anti-AntiVM

Posted: Thu Jan 03, 2013 2:24 pm
by Cassiel
I followed all the steps you asked with one exception. Since I am using Debian as the host, I cannot replace the DLL files. Are there also patched versions for Debian/Linux?

Re: VirtualBox Anti-AntiVM

Posted: Thu Jan 03, 2013 5:22 pm
by EP_X0FF
Cassiel wrote:
Are there also patched versions for Debian/Linux?
No, you have to do this yourself. I have no idea how this will look on Linux.

Re: VirtualBox Anti-AntiVM

Posted: Tue Jan 15, 2013 3:29 pm
by Cassiel
I have tried to do this with VirtualBox on Debian, but Dirt Jumper refused to run; so far I haven't found any alternative for the DLLs.
Currently I am using Qemu/KVM, which allowed me to run Dirt Jumper fairly easily after configuring it a bit.
For those who use a Linux distro and have issues with VirtualBox detection, I advise going with Qemu/KVM.

Re: VirtualBox Anti-AntiVM

Posted: Sun Feb 03, 2013 2:47 pm
by EP_X0FF
Patched DLLs for Win64 VirtualBox-4.2.6-82870. Back up the original VBox files and replace them with the attached ones. Due to the patch the digital signature is broken; however, that is not important and does not affect VBox operation.

Re: VirtualBox Anti-AntiVM

Posted: Mon Feb 18, 2013 1:38 pm
by TwinHeadedEagle
Someone has patches for the x86 version of VBox...

Re: VirtualBox Anti-AntiVM

Posted: Mon Feb 18, 2013 4:41 pm
by EP_X0FF
MAXS wrote:
Someone has patches for the x86 version of VBox...
Use fc to find the differences from the original files and a hex editor to do the same for the 32-bit DLLs.

No plans for patching x86 DLLs, as we don't use 32-bit VBox.

Re: VirtualBox Anti-AntiVM

Posted: Mon Feb 18, 2013 5:34 pm
by TwinHeadedEagle
Can you be a little more precise?