KernelMode.info

A forum for reverse engineering, OS internals and malware analysis
https://www.kernelmode.info/forum/

VBoxAntiVMDetectHardened mitigation X64 only

https://www.kernelmode.info/forum/viewtopic.php?f=11&t=3478

Page 19 of 25

Re: VBoxAntiVMDetectHardened mitigation X64 only (23/11/16)

PostPosted:Fri Dec 23, 2016 9:38 pm
by newcomer
good afternoon,

Regarding,
Code: Select all
wmic cpu get processorid
wmic bios get serialnumber
seems wmic don't work correctly even in Virtualbox.

The other issue is about
Code: Select all
VBoxInternal/Devices/pcbios/0/Config/BiosRom
when apply copy of your bios, some info inf msinfo32 showing in correctly. (Note, I don't apply any other options only psbios.bin). In attachments you will find screenshots with problems.
  • Registry entries is missing.
    SMBIOS string is missing in msinfo32
    Some string is displayed wrong (marked with red)
Why does it happen? Is anyway to solve a problem?

Also is it possible to set different video bios, of example emulation nvidia or amd card? Try to set from real card, but it is not applied.

The second question about
Code: Select all
VBoxInternal/Devices/pcbios/0/Config/DmiChassisType
VBoxInternal/Devices/pcbios/0/Config/DmiBoardBoardType
VBOX manual told that this parameters need to be integer. My laptop returns them via dmidecode - Type: Motherboard and Type: Portable - for each according. So how this can be handle to set them up?

Re: VBoxAntiVMDetectHardened mitigation X64 only (23/11/16)

PostPosted:Sun Dec 25, 2016 3:12 am
by EP_X0FF
All offtopic moved http://www.kernelmode.info/forum/viewto ... =11&t=4605.

1) This is not VirtualBox support forum.
2) This is not Vmware support forum/fan club.

VBoxAntiVMDetectHardened mitigation X64 only (25/12/16)

PostPosted:Sun Dec 25, 2016 4:02 am
by EP_X0FF
Loader updated to support 5.1.12

Re: VBoxAntiVMDetectHardened mitigation X64 only (25/12/16)

PostPosted:Mon Dec 26, 2016 1:53 am
by newcomer
Good morning,

EP_X0FF, can you answer my questions in post from Fri Dec 23, 2016 9:38 pm?
Will really appreciate that.

Re: VBoxAntiVMDetectHardened mitigation X64 only (23/11/16)

PostPosted:Tue Dec 27, 2016 4:42 am
by EP_X0FF
newcomer wrote:The other issue is about
Code: Select all
VBoxInternal/Devices/pcbios/0/Config/BiosRom
when apply copy of your bios, some info inf msinfo32 showing in correctly. (Note, I don't apply any other options only psbios.bin). In attachments you will find screenshots with problems.
From your description and screenshots - you didn't set all settings listed in script file. This ain't gonna work separately.
Also is it possible to set different video bios, of example emulation nvidia or amd card? Try to set from real card, but it is not applied.
No. I already answered this question. Changing BIOS doesn't change hardware. You can't use any other BIOS.
The second question about
Code: Select all
VBoxInternal/Devices/pcbios/0/Config/DmiChassisType
VBoxInternal/Devices/pcbios/0/Config/DmiBoardBoardType
VBOX manual told that this parameters need to be integer. My laptop returns them via dmidecode - Type: Motherboard and Type: Portable - for each according. So how this can be handle to set them up?
This is numeric ID that interpreted to description string. List of it can be found here -> http://www.dmtf.org/sites/default/files ... _3.0.0.pdf (SMBIOS Specification), page 36 & for chassis at page 38.

Re: VBoxAntiVMDetectHardened mitigation X64 only (23/11/16)

PostPosted:Sat Jan 14, 2017 6:07 pm
by newcomer
E_X0FF wrote:
newcomer wrote:The other issue is about
Code: Select all
VBoxInternal/Devices/pcbios/0/Config/BiosRom
when apply copy of your bios, some info inf msinfo32 showing in correctly. (Note, I don't apply any other options only psbios.bin). In attachments you will find screenshots with problems.
From your description and screenshots - you didn't set all settings listed in script file. This ain't gonna work separately.
Good afternoon,

returning to message from Fri Dec 23, 2016 9:38 pm about missing registry entries and smbios information. I fill out configuration file with original info gathered from real pc, so no fake or generated info (attach it). As commented before if you don't apply psbios.bin file all registry entries and smbios forwarding works fine, after applying
Code: Select all
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/BiosRom" "%vmscfgdir%pcbios.bin"
some info is missing.
Also make some checks on Debian, dmidecode returns error - No SMBIOS nor DMI entry point found,sorry
Screenshot with missing registry entries and msinfo have attached before.

VBoxAntiVMDetectHardened mitigation X64 only (19/01/17)

PostPosted:Thu Jan 19, 2017 6:50 am
by EP_X0FF
Loader updated to support 5.1.14

Re: VBoxAntiVMDetectHardened mitigation X64 only (19/01/17)

PostPosted:Thu Jan 26, 2017 1:29 pm
by newcomer
Good afternoon,

what is the purpose of new file, Kasumi, included in patch?

Re: VBoxAntiVMDetectHardened mitigation X64 only (19/01/17)

PostPosted:Thu Jan 26, 2017 5:31 pm
by EP_X0FF
newcomer wrote:Good afternoon,

what is the purpose of new file, Kasumi, included in patch?
This is VirtualBox patch table generator. As input parameter it takes filepath to VBoxDD.dll. Output file then can be used by loader. As you may guess the only thing changing with each new version of loader is the internal patch table list. New version of VBox - new entry in this list. By using this generator you can use same loader version with future VBox versions by just giving it generated table.

VBoxAntiVMDetectHardened mitigation X64 only (01/02/17)

PostPosted:Wed Feb 01, 2017 4:58 pm
by EP_X0FF
Loader v 1.8.0 released.

Changelog:

1) Patch generator integrated into loader, so we hope from now there is no need to update it every time new VirtualBox version released.
2) Build configurations and code updated to be ready for code signing. Signed versions are not included in public build (for signing you need kernel mode code signing certificate).
For more info about code signing see https://github.com/hfiref0x/VBoxHardene ... igning.txt
3) Documentation updated.

For default github unsigned version installation and usage didn't changed, manual as before here -> https://github.com/hfiref0x/VBoxHardene ... README.txt
For signed version installation and usage instuctions here -> https://github.com/hfiref0x/VBoxHardene ... SIGNED.txt (the only difference in the way of loading Tsugumi monitoring driver and work with it).

Note that Windows 10 TH2 updated PatchGuard and it will trigger BSOD with unsigned Tsugumi.sys loaded by TDL.

With Best Regards to my old good friend - Fyyre (http://fyyre.ivory-tower.de/).
All times are UTC
Page 19 of 25
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/