A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #30124  by EP_X0FF
 Sat Mar 18, 2017 3:49 am
Trelowin wrote:[pafish] VirtualBox traced using Reg key HKLM\HARDWARE\ACPI\DSDT\VBOX__
If you installed patch this line can't be in this log. You either installed it on VM that was already used or installed it incorrectly/something failed. Open regedit and navigate to this key. If it present here and no other keys around - DSDT table wasn't loaded and patch install broken.

Rdtsc detection cannot be taken seriously as it gives lots of FP.

For VMDE. Use Sysinternals DbgView to view exact detection status.
EricBeale wrote:Hello! Help me plz! How to configure the shared clipboard and shared folders without installing Additions?
No how. Forget about them.
 #30125  by Trelowin
 Sat Mar 18, 2017 10:37 pm
If you installed patch this line can't be in this log. You either installed it on VM that was already used or installed it incorrectly/something failed. Open regedit and navigate to this key. If it present here and no other keys around - DSDT table wasn't loaded and patch install broken.
I didn't find other records in the catalog. Most likely made a mistake in case of installation. How to make complete deleting VM and AntiVMDetect?
For VMDE. Use Sysinternals DbgView to view exact detection status.
What places need to be checked? I had no experience in this sphere earlier.
Thanks for the help!
Attachments
Скриншот 2017-03-19 01.21.52.png
Скриншот 2017-03-19 01.21.52.png (80.44 KiB) Viewed 389 times
 #30128  by EP_X0FF
 Sun Mar 19, 2017 6:23 pm
According to your screenshot patch doesn't work at all.
How to make complete deleting VM and AntiVMDetect?
1) In VBox main window select VM - right click -> Remove -> Delete all files.
2) Reboot Windows.
3) Open regedit and delete keys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tsugumi
HKEY_LOCAL_MACHINE\SOFTWARE\Tsugumi

if present.

If you want to try again - follow this install instructions https://github.com/hfiref0x/VBoxHardene ... install.md
Especially note part about modifying paths (used in scripts) for your actual location.
What places need to be checked? I had no experience in this sphere earlier.
When everything installed again. Inside VM download DbgView from live.sysinternals.com
Run it as admin and select in main menu Capture -> Capture Win32 (if not selected). Don't close DbgView and run vmde.exe. When something detected by vmde it will print details with OutputDebugString and DbgView will show it to you.
 #30134  by Trelowin
 Tue Mar 21, 2017 1:14 am
I solved a problem with DSDT tables. I commented (rem) before start of hidevm_ahci.
rem %vboxman% setextradata "%n1%" "VBoxInternal/Devices/acpi/0/Config/DsdtFilePath" "%vmscfgdir%ACPI-DSDT.bin"
rem %vboxman% setextradata "%n1%" "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "%vmscfgdir%ACPI-SSDT1.bin"
Then established Tsugumi and loader. Removal (rem) and start (hidevm_ahci) solved a problem with
[pafish] of VirtualBox traced using Reg key HKLM\HARDWARE\ACPI\DSDT\VBOX _
Now I have a detection on a mouse. Tried all 3 modes. It was not succeeded to correct. :D
Start of Dbgview showed
00000001 0.00000000 [1976] IsVirtualBox, PCI
What can be made?)
 #30135  by EP_X0FF
 Tue Mar 21, 2017 2:26 pm
Trelowin wrote:What can be made?)
Open regedit. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI, find all entries with Oracle Vendor Hardware Id (80EE). If they present patch wasn't applied correctly or you have used this VM before installing patch and they are dead duplicate entries need to be removed. We had seen this scenario before in this thread http://www.kernelmode.info/forum/viewto ... &start=110 where user used pirated OS ISO for Windows guest install.
 #30160  by Trelowin
 Sun Mar 26, 2017 9:18 am
Unexpectedly hidevm_ahci ceased to work. I try with new and old machines.pcbios.bin didn't change all this time. Only I opened through notepad.
error code:
Code: Select all
00:00:01.379882 VMSetError: F:\tinderbox\win-5.1\src\VBox\Devices\PC\DevPcBios.cpp(1404) int __cdecl pcbiosConstruct(struct PDMDEVINS *,int,struct CFGMNODE *); rc=VERR_FILE_NOT_FOUND
00:00:01.379892 VMSetError: Failed to open system BIOS file 'C:\ pcbios.bin'
00:00:01.379905 PDM: Failed to construct 'pcbios'/0! VERR_FILE_NOT_FOUND (-102) - File not found.
00:00:01.508985 ERROR [COM]: aRC=E_FAIL (0x80004005) aIID={872da645-4a9b-1727-bee2-5585105b9eed} aComponent={ConsoleWrap} aText={Failed to open system BIOS file 'C:\ pcbios.bin' (VERR_FILE_NOT_FOUND)}, preserve=false aResultDetail=0
00:00:01.509289 Console: Machine state changed to 'PoweredOff'
00:00:01.550293 Power up failed (vrc=VERR_FILE_NOT_FOUND, rc=E_FAIL (0X80004005))
00:00:01.672468 GUI: UIMachineViewNormal::resendSizeHint: Restoring guest size-hint for screen 0 to 800x600
00:00:01.672500 ERROR [COM]: aRC=E_ACCESSDENIED (0x80070005) aIID={02326f63-bcb3-4481-96e0-30d1c2ee97f6} aComponent={DisplayWrap} aText={The console is not powered up}, preserve=false aResultDetail=0
00:00:01.672747 GUI: Aborting startup due to power up progress issue detected...
 #30163  by Trelowin
 Sun Mar 26, 2017 4:50 pm
I didn't find a spoiler code at a forum:(.
files in "C:\ " directory
Code: Select all
rem @echo off

rem BIOS/AHCI mode

rem vboxman is the full path to the vboxmanage executable
rem vmscfgdir is the path to directory that keeps vbox custom configuration data (bioses, tables etc)

TaskKill /IM "VirtualBox.exe" 
TaskKill /IM "VBoxSVC.exe" 

set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe"
set vmscfgdir=C:\ 
set /P n1="Enter Virtual Machine name: " 

%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "Asus"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion" "MB52.88Z.0088.B05.0904162222"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate" "08/10/13"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor" "5"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor" "9"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor" "1"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor" "0"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor" "Asus"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct" "MyBook5,2"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion" "1.0"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial" "CSN12345678901234567"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSKU" "FM550EA#ACB"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily" "Ultrabook"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid" "B5FA3000-9403-81E0-3ADA-F46D045CB676"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVendor" "Asus"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardProduct" "Mac-F22788AA"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVersion" "3.0"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardSerial" "BSN12345678901234567"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardAssetTag" "Base Board Asset Tag#"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardLocInChass" "Board Loc In"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardBoardType" 10
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVendor" "Asus Inc."
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisType" 10
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVersion" "Mac-F22788AA"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisSerial" "CSN12345678901234567"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisAssetTag" "WhiteHouse"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxVer" "Extended version info: 1.00.00"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxRev" "Extended revision info: 1A"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/ahci/0/Config/Port0/ModelNumber" "Hitachi HTS543230AAA384"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/ahci/0/Config/Port0/FirmwareRevision" "ES2OA60W"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/ahci/0/Config/Port0/SerialNumber" "2E3024L1T2V9KA"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/ahci/0/Config/Port1/ModelNumber" "Slimtype DVD A  DS8A8SH"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/ahci/0/Config/Port1/FirmwareRevision" "KAA2"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/ahci/0/Config/Port1/SerialNumber" "ABCDEF0123456789"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIVendorId" "Slimtype"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIProductId" "DVD A  DS8A8SH"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIRevision" "KAA2"


%vboxman% setextradata "%n1%" "VBoxInternal/Devices/acpi/0/Config/AcpiOemId" "ASUS"
%vboxman% modifyvm "%n1%" --macaddress1 4CF0491A6E12
%vboxman% modifyvm "%n1%" --paravirtprovider legacy

cd /d %vmscfgdir%

%vboxman% setextradata "%n1%" "VBoxInternal/Devices/acpi/0/Config/DsdtFilePath" "%vmscfgdir%ACPI-DSDT.bin"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "%vmscfgdir%ACPI-SSDT1.bin"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/vga/0/Config/BiosRom" "%vmscfgdir%videorom.bin"
%vboxman% setextradata "%n1%" "VBoxInternal/Devices/pcbios/0/Config/BiosRom" "%vmscfgdir%pcbios.bin"
%vboxman% setextradata "%n1%"  "VBoxInternal/Devices/pcbios/0/Config/LanBootRom" "%vmscfgdir%pxerom.bin"
%vboxman% modifyvm "%n1%" --bioslogoimagepath  "%vmscfgdir%splash.bmp"

@pause
Last edited by EP_X0FF on Sun Mar 26, 2017 5:35 pm, edited 1 time in total. Reason: code tags
  • 1
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25