[bykvaadm]

well, then i should use older version of vbox?

[EP_X0FF]

well, then i should use older version of vbox?

Have no idea when they added this "paravirt support". To "fix" this it is required patch another virtualbox dll (vboxvmm) that is responsible for this initialization. Maybe this will be added in the next version of loader.

[EP_X0FF]

VBox hypervisor detection will be rendered useless in loader v1.6, which will be released asap.

However there will be some limitations:

- legacy mode for paravirt interface still must be enabled (removes hv bit)
- all your vm saved states must be discarded so changes from patch can apply to VBoxVMM data it set during VM boot (simple restart vm)

Since settings for loader will be changed 1.6 will only support 5.0.16 and above.

As for 5.0.18 and 5.0.20 I checked both and didn't found anything what can force me to install them. They will be skipped. No dramatic changes inside and working with them just for changed offsets in dlls is meh.

[EP_X0FF]

Loader v1.6 with hv detect fix released. Reboot PC before using it (this will make sure driver from previous version is not loaded). Specially for this lame malware that ignores "hypervisor set" bit.

VM Legacy paravirt. interface must be set, your VM settings->System->Acceleration.

This loader now patch two dlls in memory -> VBoxDD.dll and VBoxVMM.dll.

Exact location of patch in VBoxVMM.dll is cpumR3CpuIdPlantHypervisorLeaves.

Loader 1.6 support only 5.0.16 VirtualBox, for older versions use loader v1.5.

Download, updated guide, etc
https://github.com/hfiref0x/VBoxHardene ... ter/Binary

[confirmed]

Step by step guide for VirtualBox Hardened (4.3.14+) VM detection mitigation configuring.

hey bro it is a great work, best what i ever seen :)

[Malekal_morte]

Hello,

Are you able to get it fully working on your vbox ?
i follow a part of your tutorial but, seems, this one is able to detect the VM.

[EP_X0FF]

Hello,

what exactly it should do when installed properly, except "i am installed" message in IE?
Also I see failed attempt to load this page

Code: Select all

http://newjobcreator.link/Symantec%20Norton%20Utilities%2016%20Crack%20[Serial%20Key%20+%20Final]%20Full%20Download

where newjobcreator.link is malware site.


HTTP ERROR 500


Thanks.

[Malekal_morte]

I think i sould load adwares & browser hijacker on Google Chrome like Smartsputnik.ru
it comes from fake cracked sites that is loading .ru files like crackedpc.com
can you try with a fresh binary ?

Thanks !

[EP_X0FF]

Sure can you please upload fresh binary. As far I see Delphi with ZipMonster HTML GUI hidden inside as base64 encoded strings, some system information collecting (with help of WMI) and usage of heavy weight 3rd party components. I don't think it is capable of any VM detect, however it does collect some system information including cpuid data.

[Malekal_morte]

of course, here it is. :)