Page 22 of 25

Re: VBoxAntiVMDetectHardened mitigation X64 only

Posted: Sat Mar 18, 2017 3:49 am
by EP_X0FF
Trelowin wrote: [pafish] VirtualBox traced using Reg key HKLM\HARDWARE\ACPI\DSDT\VBOX__
If you installed the patch, this line can't be in this log. You either installed it on a VM that was already used, or installed it incorrectly/something failed. Open regedit and navigate to this key. If it is present here and there are no other keys around, the DSDT table wasn't loaded and the patch install is broken.

Rdtsc detection cannot be taken seriously, as it gives lots of FPs.

For VMDE: use Sysinternals DbgView to view the exact detection status.
EricBeale wrote: Hello! Help me plz! How to configure the shared clipboard and shared folders without installing Additions?
No how. Forget about them.

Re: VBoxAntiVMDetectHardened mitigation X64 only

Posted: Sat Mar 18, 2017 10:37 pm
by Trelowin
EP_X0FF wrote: If you installed the patch, this line can't be in this log. You either installed it on a VM that was already used, or installed it incorrectly/something failed. Open regedit and navigate to this key. If it is present here and there are no other keys around, the DSDT table wasn't loaded and the patch install is broken.
I didn't find any other records in the catalog. Most likely I made a mistake during installation. How do I completely delete the VM and AntiVMDetect?
EP_X0FF wrote: For VMDE: use Sysinternals DbgView to view the exact detection status.
What places need to be checked? I have had no experience in this sphere before.
Thanks for the help!

Re: VBoxAntiVMDetectHardened mitigation X64 only

Posted: Sun Mar 19, 2017 6:23 pm
by EP_X0FF
According to your screenshot, the patch doesn't work at all.
Trelowin wrote: How do I completely delete the VM and AntiVMDetect?
1) In VBox main window select VM - right click -> Remove -> Delete all files.
2) Reboot Windows.
3) Open regedit and delete these keys, if present:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tsugumi
HKEY_LOCAL_MACHINE\SOFTWARE\Tsugumi

If you want to try again, follow these install instructions: https://github.com/hfiref0x/VBoxHardene ... install.md
Especially note the part about modifying the paths (used in the scripts) to your actual location.
Trelowin wrote: What places need to be checked? I have had no experience in this sphere before.
When everything is installed again, download DbgView from live.sysinternals.com inside the VM.
Run it as admin and select Capture -> Capture Win32 in the main menu (if not already selected). Don't close DbgView, and run vmde.exe. When something is detected by vmde, it will print the details with OutputDebugString and DbgView will show them to you.

Re: VBoxAntiVMDetectHardened mitigation X64 only

Posted: Tue Mar 21, 2017 1:14 am
by Trelowin
I solved the problem with the DSDT tables. I put a comment (rem) in front of these lines before starting hidevm_ahci:
rem %vboxman% setextradata "%n1%" "VBoxInternal/Devices/acpi/0/Config/DsdtFilePath" "%vmscfgdir%ACPI-DSDT.bin"
rem %vboxman% setextradata "%n1%" "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "%vmscfgdir%ACPI-SSDT1.bin"
Then I installed Tsugumi and the loader. The removal (rem) and the start (hidevm_ahci) solved the problem with
[pafish] of VirtualBox traced using Reg key HKLM\HARDWARE\ACPI\DSDT\VBOX _
Now I have a detection on the mouse. I tried all 3 modes. I did not succeed in fixing it. :D
Starting Dbgview showed
00000001 0.00000000 [1976] IsVirtualBox, PCI
What can be done?)

Re: VBoxAntiVMDetectHardened mitigation X64 only

Posted: Tue Mar 21, 2017 2:26 pm
by EP_X0FF
Trelowin wrote: What can be done?)
Open regedit. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI and find all entries with the Oracle vendor hardware id (80EE). If they are present, either the patch wasn't applied correctly, or you used this VM before installing the patch and they are dead duplicate entries that need to be removed. We have seen this scenario before in this thread http://www.kernelmode.info/forum/viewto ... &start=110 where a user used a pirated OS ISO for the Windows guest install.

Re: VBoxAntiVMDetectHardened mitigation X64 only

Posted: Wed Mar 22, 2017 11:05 am
by Trelowin
Installing an original image of the system solved the 80EE problem. VMDE now... However, the mouse detection isn't fixed. The mouse detection happens on both the main and the virtual machine :D .

Re: VBoxAntiVMDetectHardened mitigation X64 only

Posted: Wed Mar 22, 2017 2:47 pm
by EP_X0FF
If you mean this shit -> https://github.com/a0rtega/pafish/blob/ ... dbox.c#L20

Just move the mouse chaotically the whole time during the pafish run.

Re: VBoxAntiVMDetectHardened mitigation X64 only

Posted: Sun Mar 26, 2017 9:18 am
by Trelowin
Unexpectedly, hidevm_ahci stopped working. I tried with new and old machines. pcbios.bin didn't change all this time; I only opened it in Notepad.
Error code:
00:00:01.379882 VMSetError: F:\tinderbox\win-5.1\src\VBox\Devices\PC\DevPcBios.cpp(1404) int __cdecl pcbiosConstruct(struct PDMDEVINS *,int,struct CFGMNODE *); rc=VERR_FILE_NOT_FOUND
00:00:01.379892 VMSetError: Failed to open system BIOS file 'C:\ pcbios.bin'
00:00:01.379905 PDM: Failed to construct 'pcbios'/0! VERR_FILE_NOT_FOUND (-102) - File not found.
00:00:01.508985 ERROR [COM]: aRC=E_FAIL (0x80004005) aIID={872da645-4a9b-1727-bee2-5585105b9eed} aComponent={ConsoleWrap} aText={Failed to open system BIOS file 'C:\ pcbios.bin' (VERR_FILE_NOT_FOUND)}, preserve=false aResultDetail=0
00:00:01.509289 Console: Machine state changed to 'PoweredOff'
00:00:01.550293 Power up failed (vrc=VERR_FILE_NOT_FOUND, rc=E_FAIL (0X80004005))
00:00:01.672468 GUI: UIMachineViewNormal::resendSizeHint: Restoring guest size-hint for screen 0 to 800x600
00:00:01.672500 ERROR [COM]: aRC=E_ACCESSDENIED (0x80070005) aIID={02326f63-bcb3-4481-96e0-30d1c2ee97f6} aComponent={DisplayWrap} aText={The console is not powered up}, preserve=false aResultDetail=0
00:00:01.672747 GUI: Aborting startup due to power up progress issue detected...

Re: VBoxAntiVMDetectHardened mitigation X64 only

Posted: Sun Mar 26, 2017 4:23 pm
by EP_X0FF
Your log indicates that your pcbios.bin file was not found. Show your cmd file.

Re: VBoxAntiVMDetectHardened mitigation X64 only

Posted: Sun Mar 26, 2017 4:50 pm
by Trelowin
I didn't find a spoiler code on the forum :(.
Files in the "C:\ " directory:
rem @echo off

rem BIOS/AHCI mode

rem vboxman is the full path to the vboxmanage executable
rem vmscfgdir is the path to directory that keeps vbox custom configuration data (bioses, tables etc)

TaskKill /IM "VirtualBox.exe" 
TaskKill /IM "VBoxSVC.exe" 

set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe"
rem the trailing space after C:\ on the next line is part of the value: cmd keeps it,
rem so "%vmscfgdir%pcbios.bin" expands to "C:\ pcbios.bin" and VirtualBox cannot find the file
set vmscfgdir=C:\ 
set /P n1="Enter Virtual Machine name: " 

%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "Asus"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion" "MB52.88Z.0088.B05.0904162222"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate" "08/10/13"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor" "5"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor" "9"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor" "1"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor" "0"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor" "Asus"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct" "MyBook5,2"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion" "1.0"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial" "CSN12345678901234567"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSKU" "FM550EA#ACB"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily" "Ultrabook"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid" "B5FA3000-9403-81E0-3ADA-F46D045CB676"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVendor" "Asus"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardProduct" "Mac-F22788AA"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVersion" "3.0"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardSerial" "BSN12345678901234567"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardAssetTag" "Base Board Asset Tag#"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardLocInChass" "Board Loc In"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardBoardType" 10
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVendor" "Asus Inc."
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisType" 10
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVersion" "Mac-F22788AA"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisSerial" "CSN12345678901234567"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisAssetTag" "WhiteHouse"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxVer" "Extended version info: 1.00.00"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxRev" "Extended revision info: 1A"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/ahci/0/Config/Port0/ModelNumber" "Hitachi HTS543230AAA384"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/ahci/0/Config/Port0/FirmwareRevision" "ES2OA60W"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/ahci/0/Config/Port0/SerialNumber" "2E3024L1T2V9KA"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/ahci/0/Config/Port1/ModelNumber" "Slimtype DVD A  DS8A8SH"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/ahci/0/Config/Port1/FirmwareRevision" "KAA2"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/ahci/0/Config/Port1/SerialNumber" "ABCDEF0123456789"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIVendorId" "Slimtype"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIProductId" "DVD A  DS8A8SH"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIRevision" "KAA2"


%vboxman% setextradata "%n1%" "VBoxInternal/Devices/acpi/0/Config/AcpiOemId" "ASUS"
%vboxman% modifyvm "%n1%" --macaddress1 4CF0491A6E12
%vboxman% modifyvm "%n1%" --paravirtprovider legacy

cd /d %vmscfgdir%

%vboxman% setextradata "%n1%" "VBoxInternal/Devices/acpi/0/Config/DsdtFilePath" "%vmscfgdir%ACPI-DSDT.bin"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "%vmscfgdir%ACPI-SSDT1.bin"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/vga/0/Config/BiosRom" "%vmscfgdir%videorom.bin"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/BiosRom" "%vmscfgdir%pcbios.bin"
%vboxman% setextradata "%n1%"  "VBoxInternal/Devices/pcbios/0/Config/LanBootRom" "%vmscfgdir%pxerom.bin"
%vboxman% modifyvm "%n1%" --bioslogoimagepath  "%vmscfgdir%splash.bmp"

@pause
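A pre-flight check for a cmd file like the one above, catching exactly the failure in the VBox.log posted earlier in the thread (the trailing space in the vmscfgdir value, which makes the BIOS path "C:\ pcbios.bin"). This is an added example, not part of the thread or of the VBoxHardenedLoader project; the embedded cmd text is a constructed excerpt of the posted script, and the file-existence check is injectable so the example runs on any platform.

```python
"""Pre-flight check for a hidevm_ahci-style cmd file: extracts vmscfgdir,
flags trailing whitespace on it (cmd keeps it, so "%vmscfgdir%pcbios.bin"
becomes "C:\\ pcbios.bin") and lists referenced files that do not exist."""
import os
import re

SET_RE = re.compile(r"^\s*set\s+vmscfgdir=(.*)$", re.IGNORECASE)
REF_RE = re.compile(r'"%vmscfgdir%([^"]+)"', re.IGNORECASE)
REM_RE = re.compile(r"^\s*rem\b", re.IGNORECASE)

def parse_cmd(cmd_text):
    """Return (vmscfgdir value, [file names used as %vmscfgdir%<name>])."""
    cfgdir, refs = None, []
    for line in cmd_text.splitlines():
        if REM_RE.match(line):
            continue                          # commented-out lines never run
        m = SET_RE.match(line)
        if m:
            cfgdir = m.group(1)               # deliberately not stripped
            continue
        refs.extend(REF_RE.findall(line))
    if cfgdir is None:
        raise ValueError("no 'set vmscfgdir=' line found")
    return cfgdir, refs

def check_cmd(cmd_text, exists=os.path.exists):
    """Problems found: trailing whitespace on vmscfgdir and missing files."""
    cfgdir, refs = parse_cmd(cmd_text)
    # cmd expands %vmscfgdir%name by plain concatenation, spaces included
    missing = [cfgdir + name for name in refs if not exists(cfgdir + name)]
    return {"trailing_ws": cfgdir != cfgdir.rstrip(), "missing": missing}

# constructed excerpt of the posted script; note the space after C:\
SAMPLE_CMD = (
    "rem BIOS/AHCI mode\n"
    'set vboxman="C:\\Program Files\\Oracle\\VirtualBox\\vboxmanage.exe"\n'
    "set vmscfgdir=C:\\ \n"
    '%vboxman% setextradata "%n1%" "VBoxInternal/Devices/acpi/0/Config/DsdtFilePath" "%vmscfgdir%ACPI-DSDT.bin"\n'
    '%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/BiosRom" "%vmscfgdir%pcbios.bin"\n'
)

if __name__ == "__main__":
    # stand-in file system: only the BIOS image exists, under the space-free path
    fake_fs = {"C:\\pcbios.bin"}
    print(check_cmd(SAMPLE_CMD, exists=lambda path: path in fake_fs))
```

Run it against the real cmd file on the host (default os.path.exists) before calling VBoxManage; an empty "missing" list and trailing_ws False means every .bin and .bmp the script references will resolve.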