Re: VBoxAntiVMDetectHardened mitigation X64 only (23/11/16)
PostPosted:Mon Nov 28, 2016 8:25 am
by EP_X0FF
newcomer wrote: vboxmanage setextradata mx VBoxInternal/CPUM/HostCPUID/80000003/ebx 0x50202952
I don't know why you want to randomize what is not used. Also note that VBox checks values and probably won't allow any garbage to be set.
Processor serial number is an unused feature nobody cares about. It is a 96-bit value combined from three registers: eax = processor signature (most significant 32 bits of PSN), edx = middle 32 bits of PSN and ecx = least significant 32 bits, so PSN = EAX+EDX+ECX. On Pentium 4+ Intel CPUs the ecx/edx pair (after cpuid eax=3) will be zero, and eax is the processor signature nobody can use to "detect" anything as it will be the same on at least all CPUs in the same batch. So practically the whole randomization thing makes completely no sense here.
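Added example (not from the thread, not from the loader): a small C program that decodes what the quoted HostCPUID override actually touches and assembles the PSN the way the post describes it. Leaves 0x80000002..0x80000004 return the 48-byte brand string, 16 bytes per leaf in EAX, EBX, ECX, EDX order, so the EBX of leaf 0x80000003 is bytes 20..23 of that string; the value 0x50202952 from the quoted command decodes to the ASCII "R) P". The PSN helper takes the three 32-bit parts exactly as the post lists them (signature, middle, low) and prints the traditional dash-separated form. The live-CPUID part is guarded so the file still builds on non-x86 hosts; the register values fed to the helpers in main are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* __get_cpuid(): GCC/Clang intrinsic wrapper */
#endif

/* One brand-string register -> its four ASCII bytes (little-endian). */
void brand_reg_to_ascii(uint32_t reg, char out[5])
{
    for (int i = 0; i < 4; i++)
        out[i] = (char)((reg >> (8 * i)) & 0xff);
    out[4] = '\0';
}

/* Byte offset inside the 48-byte brand string for (leaf, register),
 * register index 0..3 = EAX, EBX, ECX, EDX.  -1 if not a brand leaf. */
int brand_string_offset(uint32_t leaf, int reg_index)
{
    if (leaf < 0x80000002u || leaf > 0x80000004u || reg_index < 0 || reg_index > 3)
        return -1;
    return (int)(leaf - 0x80000002u) * 16 + reg_index * 4;
}

/* PSN as the post describes it: CPUID.1:EAX (signature) is the top
 * 32 bits, CPUID.3:EDX the middle, CPUID.3:ECX the low 32 bits. */
void psn_format(uint32_t sig, uint32_t mid, uint32_t low, char out[30])
{
    snprintf(out, 30, "%04X-%04X-%04X-%04X-%04X-%04X",
             (unsigned)(sig >> 16), (unsigned)(sig & 0xffff),
             (unsigned)(mid >> 16), (unsigned)(mid & 0xffff),
             (unsigned)(low >> 16), (unsigned)(low & 0xffff));
}

/* CPUID.1:EDX bit 18 is the PSN feature flag; 0 on non-x86 builds. */
int psn_supported(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d))
        return 0;
    return (int)((d >> 18) & 1);
#else
    return 0;
#endif
}

int main(void)
{
    char ascii[5], psn[30];

    /* constructed: the value from the quoted vboxmanage command */
    brand_reg_to_ascii(0x50202952u, ascii);
    printf("0x80000003/ebx = 0x50202952 -> \"%s\" at brand-string offset %d\n",
           ascii, brand_string_offset(0x80000003u, 1));

    /* constructed: a signature with zeroed leaf-3 parts, as on P4+ */
    psn_format(0x00000673u, 0u, 0u, psn);
    printf("PSN from constructed registers: %s\n", psn);

#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    if (psn_supported() && __get_cpuid(3, &a, &b, &c, &d)) {
        unsigned int sig, x, y, z;
        __get_cpuid(1, &sig, &x, &y, &z);
        psn_format(sig, d, c, psn);
        printf("PSN from this CPU: %s\n", psn);
    } else {
        printf("this CPU does not expose a PSN (CPUID.1:EDX bit 18 clear)\n");
    }
#endif
    return 0;
}
```

On any current CPU the program takes the second branch, which is the point of the post: there is nothing under leaf 3 worth randomizing.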
Re: VBoxAntiVMDetectHardened mitigation X64 only (23/11/16)
PostPosted:Mon Nov 28, 2016 7:37 pm
by SSBIZ
Hi,
Imagine that I have different CPUIDs from different PCs, let's say. But my question is... how can a VM become totally anonymous?
What are the detection vectors that can make a VM running on a machine appear to be a totally different machine from the one running the VM itself?
That is my question.
Thanks for your effort!
Re: VBoxAntiVMDetectHardened mitigation X64 only (23/11/16)
PostPosted:Mon Nov 28, 2016 8:46 pm
by rootw0rm
EP_X0FF wrote: rootw0rm wrote: VMDE almost passes, but fails on PCI. Is the loader not supposed to handle that? (host and guest: w10 x64, 14393)
Nope, if the driver agent is loaded and the loader has set up its settings and the PCI hw id is still present in the registry, this means you misconfigured the VM. Either VM tools were installed or the installed Windows is not genuine (warez pack).
Literally every other protection is working, there's just a lone Oracle vendor ID in there. Thanks for being a badass like always though, I'll figure it out and let you know what's happening on my side.
Re: VBoxAntiVMDetectHardened mitigation X64 only (23/11/16)
PostPosted:Tue Nov 29, 2016 7:10 am
by EP_X0FF
rootw0rm wrote: EP_X0FF wrote: rootw0rm wrote: VMDE almost passes, but fails on PCI. Is the loader not supposed to handle that? (host and guest: w10 x64, 14393)
Nope, if the driver agent is loaded and the loader has set up its settings and the PCI hw id is still present in the registry, this means you misconfigured the VM. Either VM tools were installed or the installed Windows is not genuine (warez pack).
Literally every other protection is working, there's just a lone Oracle vendor ID in there. Thanks for being a badass like always though, I'll figure it out and let you know what's happening on my side.
http://www.kernelmode.info/forum/viewto ... 145#p29145
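Added example, not VMDE's code and not the loader's: the kind of check the exchange above is about, run over PCI hardware-ID strings in the form Windows keeps them under HKLM\SYSTEM\CurrentControlSet\Enum\PCI (keys named VEN_xxxx&DEV_xxxx&...). It extracts the vendor ID and matches it against hypervisor vendor IDs. 0x80EE is the VirtualBox (InnoTek/Oracle) vendor ID behind the "lone Oracle vendor ID" in the post; the other three entries (VMware, Microsoft, Red Hat virtio) go beyond the thread and are included from general knowledge. The sample hardware IDs in main are constructed; a real check would enumerate the registry instead.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct vm_vendor { unsigned vid; const char *name; };

static const struct vm_vendor vm_vendors[] = {
    { 0x80EE, "VirtualBox (InnoTek/Oracle)" },
    { 0x15AD, "VMware" },
    { 0x1414, "Microsoft Hyper-V" },
    { 0x1AF4, "Red Hat virtio (KVM/QEMU)" },
};

/* "PCI\VEN_80EE&DEV_CAFE&..." -> 0x80EE; -1 if there is no 4-digit VEN_ field.
 * Registry hwids are upper-case, so the "VEN_" match is case-sensitive. */
int pci_vendor_from_hwid(const char *hwid)
{
    const char *p = strstr(hwid, "VEN_");
    if (!p)
        return -1;
    p += 4;
    char *end;
    long v = strtol(p, &end, 16);
    if (end - p != 4 || v < 0 || v > 0xFFFF)
        return -1;
    return (int)v;
}

/* Name of the hypervisor vendor this hwid belongs to, or NULL. */
const char *vm_vendor_name(const char *hwid)
{
    int vid = pci_vendor_from_hwid(hwid);
    if (vid < 0)
        return NULL;
    for (size_t i = 0; i < sizeof vm_vendors / sizeof vm_vendors[0]; i++)
        if (vm_vendors[i].vid == (unsigned)vid)
            return vm_vendors[i].name;
    return NULL;
}

/* Scan a list of hwids, print every hit, return the number of hits. */
int scan_hwids(const char *const *ids, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        const char *name = vm_vendor_name(ids[i]);
        if (name) {
            printf("VM marker: %s  <- %s\n", ids[i], name);
            hits++;
        }
    }
    return hits;
}

int main(void)
{
    /* constructed sample: an Intel host bridge, an nvidia-looking
     * display adapter, and a leftover VirtualBox guest device */
    static const char *const sample[] = {
        "PCI\\VEN_8086&DEV_1237&SUBSYS_00000000&REV_02",
        "PCI\\VEN_10DE&DEV_0A65&SUBSYS_00000000&REV_A1",
        "PCI\\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00",
    };
    int hits = scan_hwids(sample, sizeof sample / sizeof sample[0]);
    printf("%d VM marker(s) found\n", hits);
    return hits ? 1 : 0;
}
```

Note that the vendor ID alone is what this test keys on: faking the video adapter's vendor/device ID, as the loader does, hides one device, while an installed Guest Additions device still answers with 0x80EE.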
Re: VBoxAntiVMDetectHardened mitigation X64 only (23/11/16)
PostPosted:Tue Nov 29, 2016 7:11 am
by EP_X0FF
SSBIZ wrote: Hi,
Imagine that I have different CPUIDs from different PCs, let's say. But my question is... how can a VM become totally anonymous?
What are the detection vectors that can make a VM running on a machine appear to be a totally different machine from the one running the VM itself?
That is my question :-)
Thanks for your effort!
Randomize its DMI info, IP/MAC address, Windows/other software product IDs - enough for 99.99% of all malware.
Re: VBoxAntiVMDetectHardened mitigation X64 only (23/11/16)
PostPosted:Tue Nov 29, 2016 8:41 am
by BWEL
Hi,
The first and the second one are handled pretty well by your hidevm_ahci. What about the third one? (I am not talking about the Windows product ID :-)
What my question is: if I have an nvidia graphics card... can I make the VM appear to run with, let's say, an intel graphics card, or even an nvidia graphics card but with a different (driver) ID? Or a sound card and so on, let's say.
Thanks a lot!
Re: VBoxAntiVMDetectHardened mitigation X64 only (23/11/16)
PostPosted:Tue Nov 29, 2016 3:27 pm
by EP_X0FF
BWEL wrote: Hi,
The first and the second one are handled pretty well by your hidevm_ahci. What about the third one? (I am not talking about the Windows product ID :-)
Google for activators/product key generators. This site is not about warez.
Can I make the VM appear to run with, let's say, an intel graphics card, or even an nvidia graphics card but with a different (driver) ID? Or a sound card and so on, let's say.
Thanks a lot!
This loader already fakes the VirtualBox video card vendor/device ID to look like an nvidia video card. This doesn't make it a real nvidia card or whatsoever. It is still a VirtualBox virtual device with limited capabilities. VirtualBox emulates a Sigmatel HDA codec, nothing to fake here, it is generic "Microsoft High Definition Audio". This can't be used for detection of any kind.
Re: VBoxAntiVMDetectHardened mitigation X64 only (23/11/16)
PostPosted:Wed Nov 30, 2016 9:43 am
by newcomer
Good afternoon,
Can you give some comments about hidevm_ahci.cmd? What is each string exactly changing in VBox, or where can I read about these parameters?
Also, maybe you know a parameter which can set the screen resolution and colour depth (16-32 bit); I want to add them to the .cmd file.
PUT YOUR OWN RANDOM information in the data fields, DO NOT USE THE SAME AS BELOW so this can't be used as detection markers.
Additionally, where can I find values - HDD serial number, name and others - to set them so they look original? I don't want them to look like the same garbage.
Re: VBoxAntiVMDetectHardened mitigation X64 only (23/11/16)
PostPosted:Wed Nov 30, 2016 11:25 am
by SSBIZ
Thanks for your gentle reply!
What my question is about is the graphics card: how can the settings of the graphics card be changed in different VMs in order to look different and unique in each VM?
Let's say I need to build 5 different VMs that appear to have 5 different graphics cards?
Thanks a lot!
Re: VBoxAntiVMDetectHardened mitigation X64 only (23/11/16)
PostPosted:Wed Nov 30, 2016 11:50 am
by e192168
EP_X0FF wrote: Hello,
Set of files for 5.1.6 attached, original source http://download.virtualbox.org/virtualb ... _amd64.deb
Hardware ID part not patched (I don't patch them on Linux because personally I don't need this level of hardening). If you want to patch them too, see this post -> http://www.kernelmode.info/forum/viewto ... 806#p24806, it's about an old Windows version, so the offsets are obviously different, but as a hint of "what to do" this post should be enough.
newcomer wrote:
If you need an example of a patched VBoxDD.so I can upload it later.
Yes, it would be nice to see, maybe someone is more interested in running VBox on Debian.
Hi, I am interested in patching the hardware ID part in your example VBoxDD.so library. I read the post on how to do it and have some questions:
- How do you calculate the CRC sum for the patched file? Because the link in the post (https://taesoo.org/files/code/acpi.c.html) doesn't work.
- What algorithm is used for the CRC protection?
- What offset byte do you fix to correct the CRC sum in your patched VBoxDD.so library?
Thanks!
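Added example, not from the thread and not the loader's code. It assumes that the "CRC" asked about is the standard ACPI table checksum: the dead link is named acpi.c, and the question is about a single byte that has to be fixed after patching, which is exactly how ACPI tables work. Every System Description Table (DSDT, FADT, ...) starts with a 36-byte header whose byte 9 is a checksum chosen so that all bytes of the table, checksum included, sum to zero modulo 256; the 6-byte OEM ID sits at offset 10 and the 8-byte OEM table ID at offset 16. Changing an OEM string inside such a table therefore breaks the sum until byte 9 is recomputed. The table used in main is a constructed header; whether this is precisely the check applied to the tables embedded in VBoxDD.so is not confirmed by the thread.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ACPI_HDR_LEN           36
#define ACPI_CHECKSUM_OFFSET    9   /* 1 byte */
#define ACPI_OEMID_OFFSET      10   /* 6 bytes, space padded */
#define ACPI_OEMTABLEID_OFFSET 16   /* 8 bytes, space padded */

/* Sum of all bytes mod 256; a valid ACPI table yields 0. */
uint8_t acpi_sum(const uint8_t *t, size_t len)
{
    uint8_t s = 0;
    for (size_t i = 0; i < len; i++)
        s = (uint8_t)(s + t[i]);
    return s;
}

int acpi_table_valid(const uint8_t *t, size_t len)
{
    return len >= ACPI_HDR_LEN && acpi_sum(t, len) == 0;
}

/* Recompute byte 9 so the whole table sums to zero again; returns it. */
uint8_t acpi_fix_checksum(uint8_t *t, size_t len)
{
    t[ACPI_CHECKSUM_OFFSET] = 0;
    uint8_t s = acpi_sum(t, len);
    t[ACPI_CHECKSUM_OFFSET] = (uint8_t)(0x100 - s);   /* (-s) mod 256 */
    return t[ACPI_CHECKSUM_OFFSET];
}

/* Overwrite a space-padded string field of the header and repair the
 * checksum.  Returns -1 if the table is too short or the value too long. */
int acpi_patch_field(uint8_t *t, size_t len, size_t off, size_t width, const char *val)
{
    if (len < ACPI_HDR_LEN || strlen(val) > width)
        return -1;
    memset(t + off, ' ', width);
    memcpy(t + off, val, strlen(val));
    acpi_fix_checksum(t, len);
    return 0;
}

int acpi_patch_oemid(uint8_t *t, size_t len, const char *oemid)
{
    return acpi_patch_field(t, len, ACPI_OEMID_OFFSET, 6, oemid);
}

int acpi_patch_oemtableid(uint8_t *t, size_t len, const char *tableid)
{
    return acpi_patch_field(t, len, ACPI_OEMTABLEID_OFFSET, 8, tableid);
}

int main(void)
{
    /* constructed: a bare FADT header carrying the hypervisor's OEM strings */
    uint8_t tbl[ACPI_HDR_LEN] = {0};
    memcpy(tbl, "FACP", 4);
    tbl[4] = ACPI_HDR_LEN;                      /* Length, little-endian */
    memcpy(tbl + ACPI_OEMID_OFFSET, "VBOX  ", 6);
    memcpy(tbl + ACPI_OEMTABLEID_OFFSET, "VBOXFACP", 8);
    acpi_fix_checksum(tbl, sizeof tbl);
    printf("original checksum byte: 0x%02X, valid=%d\n",
           tbl[ACPI_CHECKSUM_OFFSET], acpi_table_valid(tbl, sizeof tbl));

    /* patch the strings only: the old checksum no longer adds up */
    memcpy(tbl + ACPI_OEMID_OFFSET, "DELL  ", 6);
    printf("after raw string patch: valid=%d\n", acpi_table_valid(tbl, sizeof tbl));

    /* patch through the helper: strings replaced and byte 9 repaired */
    acpi_patch_oemid(tbl, sizeof tbl, "DELL");
    acpi_patch_oemtableid(tbl, sizeof tbl, "DELLFACP");
    printf("after repaired patch: checksum byte 0x%02X, valid=%d\n",
           tbl[ACPI_CHECKSUM_OFFSET], acpi_table_valid(tbl, sizeof tbl));
    return 0;
}
```

To apply this to a binary blob, locate each table by its 4-byte signature, read the 32-bit Length field at offset 4 to know how many bytes the sum covers, and run the repair over exactly that range; the byte to fix is always offset 9 from the table start.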