Re: VBoxAntiVMDetectHardened mitigation X64 only (14/03/16)

Posted: Mon Apr 25, 2016 2:13 pm
by bykvaadm
well, then I should use an older version of vbox?

Re: VBoxAntiVMDetectHardened mitigation X64 only (14/03/16)

Posted: Mon Apr 25, 2016 3:18 pm
by EP_X0FF
bykvaadm wrote: well, then I should use an older version of vbox?
I have no idea when they added this "paravirt support". To "fix" this it is required to patch another VirtualBox dll (VBoxVMM) that is responsible for this initialization. Maybe this will be added in the next version of the loader.

Re: VBoxAntiVMDetectHardened mitigation X64 only (14/03/16)

Posted: Thu May 05, 2016 7:25 am
by EP_X0FF
VBox hypervisor detection will be rendered useless in loader v1.6, which will be released asap.

However there will be some limitations:

- legacy mode for paravirt interface still must be enabled (removes hv bit)
- all your VM saved states must be discarded so that the changes from the patch can apply to the VBoxVMM data it sets during VM boot (simply restart the VM)

Since the settings for the loader will be changed, 1.6 will only support 5.0.16 and above.

As for 5.0.18 and 5.0.20, I checked both and didn't find anything that can force me to install them. They will be skipped. No dramatic changes inside, and working with them just for changed offsets in dlls is meh.

VBoxAntiVMDetectHardened mitigation X64 only (06/05/16)

Posted: Fri May 06, 2016 4:59 am
by EP_X0FF
Loader v1.6 with the hv detect fix released. Reboot the PC before using it (this will make sure the driver from the previous version is not loaded). Specially for this lame malware that ignores the "hypervisor set" bit.

The VM Legacy paravirt. interface must be set, in your VM settings -> System -> Acceleration.

This loader now patches two dlls in memory -> VBoxDD.dll and VBoxVMM.dll.

The exact location of the patch in VBoxVMM.dll is cpumR3CpuIdPlantHypervisorLeaves.

Loader 1.6 supports only VirtualBox 5.0.16; for older versions use loader v1.5.

Download, updated guide, etc
https://github.com/hfiref0x/VBoxHardene ... ter/Binary
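As an added example (not part of this thread and not code from the VBoxHardenedLoader project), here is a small C program an analyst can compile inside the guest after setting the Legacy paravirt. interface and running the loader, to confirm what the guest actually sees: CPUID leaf 1 ECX bit 31 (the "hypervisor set" bit the posts refer to) and the hypervisor vendor leaf 0x40000000 that cpumR3CpuIdPlantHypervisorLeaves fills in. The "VBoxVBoxVBox" signature it compares against, and the sample register values used to exercise the decoder, are assumptions for illustration; the decoder itself only reads raw register values, so it can be tested on any host.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>          /* GCC/Clang: __cpuid() macro */
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0        /* non-x86 build: only the decoder is usable */
#endif

/* Decoded view of the two CPUID leaves involved in hypervisor detection. */
typedef struct {
    int      hv_present;   /* CPUID.01h:ECX[31], the "hypervisor present" bit */
    uint32_t max_hv_leaf;  /* CPUID.40000000h:EAX */
    char     vendor[13];   /* CPUID.40000000h EBX,ECX,EDX as a 12-char string */
} hv_info;

/* Pure decoder over raw register values, so it can be exercised with
 * constructed input on any host (VM or not). Vendor bytes are taken
 * low-to-high from each register, which is how CPUID lays out the string. */
hv_info decode_hv_info(uint32_t l1_ecx, uint32_t l4_eax,
                       uint32_t l4_ebx, uint32_t l4_ecx, uint32_t l4_edx)
{
    hv_info info;
    const uint32_t regs[3] = { l4_ebx, l4_ecx, l4_edx };
    memset(&info, 0, sizeof info);
    info.hv_present  = (int)((l1_ecx >> 31) & 1u);
    info.max_hv_leaf = l4_eax;
    for (int r = 0; r < 3; r++)
        for (int b = 0; b < 4; b++)
            info.vendor[r * 4 + b] = (char)((regs[r] >> (8 * b)) & 0xffu);
    info.vendor[12] = '\0';
    return info;
}

/* 1 when the guest matches what the mitigation aims for: hypervisor bit
 * clear and no VirtualBox vendor signature. "VBoxVBoxVBox" is an assumption
 * for this example (the signature VirtualBox's minimal paravirt provider
 * plants); adjust it if your build reports something else. */
int looks_like_bare_metal(const hv_info *info)
{
    if (info->hv_present) return 0;
    if (memcmp(info->vendor, "VBoxVBoxVBox", 12) == 0) return 0;
    return 1;
}

/* Query the real CPU. Returns 0 on non-x86 builds. */
int read_hv_info(hv_info *out)
{
#if HAVE_CPUID
    unsigned int a, b, c, d;
    __cpuid(1, a, b, c, d);
    uint32_t l1_ecx = c;
    /* 0x40000000 lies above the basic-leaf maximum, so __get_cpuid() would
     * refuse it; __cpuid() issues the instruction unconditionally. On bare
     * metal this leaf echoes the highest basic leaf, which is why the vendor
     * string is only meaningful when hv_present is set. */
    __cpuid(0x40000000, a, b, c, d);
    *out = decode_hv_info(l1_ecx, a, b, c, d);
    return 1;
#else
    (void)out;
    return 0;
#endif
}

int main(void)
{
    hv_info info;
    if (!read_hv_info(&info)) {
        puts("CPUID not available on this architecture");
        return 1;
    }
    /* Replace non-printable vendor bytes (common on bare metal) before printing. */
    char shown[13];
    for (int i = 0; i < 12; i++)
        shown[i] = isprint((unsigned char)info.vendor[i]) ? info.vendor[i] : '.';
    shown[12] = '\0';
    printf("hypervisor-present bit : %d\n", info.hv_present);
    printf("leaf 40000000h vendor  : \"%s\" (max leaf %#x)\n", shown, info.max_hv_leaf);
    printf("looks like bare metal  : %s\n", looks_like_bare_metal(&info) ? "yes" : "no");
    return 0;
}
```

Run it once before and once after applying the loader and discarding saved states: the "hypervisor-present bit" line should change from 1 to 0, and the vendor line should no longer spell out a VirtualBox signature.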

Re: VBoxAntiVMDetectHardened mitigation X64 only (06/05/16)

Posted: Tue May 10, 2016 10:37 pm
by confirmed
EP_X0FF wrote: Step by step guide for VirtualBox Hardened (4.3.14+) VM detection mitigation configuring.
hey bro, it is great work, the best I have ever seen :)

Re: VBoxAntiVMDetectHardened mitigation X64 only (06/05/16)

Posted: Sun May 15, 2016 10:24 pm
by Malekal_morte
Hello,

Are you able to get it fully working on your vbox?
I followed a part of your tutorial but, it seems, this one is able to detect the VM.

Re: VBoxAntiVMDetectHardened mitigation X64 only (06/05/16)

Posted: Mon May 16, 2016 3:53 am
by EP_X0FF
Hello,

what exactly should it do when installed properly, except the "i am installed" message in IE?
Also I see a failed attempt to load this page
Code:
http://newjobcreator.link/Symantec%20Norton%20Utilities%2016%20Crack%20[Serial%20Key%20+%20Final]%20Full%20Download
where newjobcreator.link is a malware site.

HTTP ERROR 500
Thanks.

Re: VBoxAntiVMDetectHardened mitigation X64 only (06/05/16)

Posted: Mon May 16, 2016 8:44 pm
by Malekal_morte
I think I should load adware & browser hijackers on Google Chrome like Smartsputnik.ru.
It comes from fake cracked sites that are loading .ru files like crackedpc.com.
Can you try with a fresh binary?

Thanks !

Re: VBoxAntiVMDetectHardened mitigation X64 only (06/05/16)

Posted: Tue May 17, 2016 2:29 am
by EP_X0FF
Sure, can you please upload a fresh binary. As far as I see, it is Delphi with a ZipMonster HTML GUI hidden inside as base64 encoded strings, some system information collecting (with the help of WMI) and usage of heavyweight 3rd party components. I don't think it is capable of any VM detect; however, it does collect some system information including cpuid data.

Re: VBoxAntiVMDetectHardened mitigation X64 only (06/05/16)

Posted: Tue May 17, 2016 8:35 am
by Malekal_morte
Of course, here it is. :)