A forum for reverse engineering, OS internals and malware analysis

Forum for announcements and questions about tools and software.
 #28412  by EP_X0FF
 Mon Apr 25, 2016 3:18 pm
bykvaadm wrote: well, then I should use an older version of vbox?
Have no idea when they added this "paravirt support". To "fix" this, it is required to patch another VirtualBox dll (vboxvmm) that is responsible for this initialization. Maybe this will be added in the next version of the loader.
 #28456  by EP_X0FF
 Thu May 05, 2016 7:25 am
VBox hypervisor detection will be rendered useless in loader v1.6, which will be released asap.

However there will be some limitations:

- legacy mode for the paravirt interface still must be enabled (removes the hv bit)
- all your VM saved states must be discarded so changes from the patch can apply to the VBoxVMM data it sets during VM boot (simply restart the VM)

Since settings for the loader will be changed, 1.6 will only support 5.0.16 and above.

As for 5.0.18 and 5.0.20, I checked both and didn't find anything that can force me to install them. They will be skipped. No dramatic changes inside, and working with them just for changed offsets in dlls is meh.
 #28462  by EP_X0FF
 Fri May 06, 2016 4:59 am
Loader v1.6 with hv detect fix released. Reboot the PC before using it (this will make sure the driver from the previous version is not loaded). Especially for this lame malware that ignores the "hypervisor set" bit.

The VM legacy paravirt. interface must be set: VM settings->System->Acceleration.

This loader now patches two dlls in memory -> VBoxDD.dll and VBoxVMM.dll.

The exact location of the patch in VBoxVMM.dll is cpumR3CpuIdPlantHypervisorLeaves.

Loader 1.6 supports only VirtualBox 5.0.16; for older versions use loader v1.5.

Download, updated guide, etc.
https://github.com/hfiref0x/VBoxHardene ... ter/Binary
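The two CPUID indicators this post is about (leaf 1 ECX bit 31, the "hypervisor present" bit, and the vendor signature planted in leaf 0x40000000 by cpumR3CpuIdPlantHypervisorLeaves) can be read back from inside the guest to confirm the patch hid both. The program below is an added example written for this thread, not code from VBoxHardenedLoader or VirtualBox; the vendor signature table lists well-known hypervisor strings and the "VBoxVBoxVBox" entry is assumed to be what an unpatched VirtualBox guest sees.

```c
/* Added example, not part of VBoxHardenedLoader: report the two CPUID hypervisor
 * indicators from inside the guest so an analyst can verify the patch. x86 gcc/clang. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif
/* Leaf 1, ECX bit 31: the "hypervisor present" bit the sample in this thread ignores. */
int hv_bit_set(uint32_t ecx1) { return (int)((ecx1 >> 31) & 1u); }
/* Leaf 0x40000000 carries a 12-byte vendor signature in EBX:ECX:EDX, low byte
 * first; this is the data the paravirt leaves plant. Decodes into out[13]. */
void hv_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    uint32_t regs[3] = { ebx, ecx, edx };
    for (int i = 0; i < 12; i++)
        out[i] = (char)((regs[i / 4] >> (8 * (i % 4))) & 0xffu);
    out[12] = '\0';
}
/* Known signatures (assumed table). Bare metal echoes another leaf here, so only
 * an exact match counts as a hypervisor. Returns NULL when nothing is recognised. */
const char *identify(uint32_t ebx, uint32_t ecx, uint32_t edx) {
    static const char *table[][2] = {
        { "VBoxVBoxVBox", "VirtualBox" }, { "KVMKVMKVM", "KVM" },
        { "Microsoft Hv", "Hyper-V" }, { "VMwareVMware", "VMware" },
        { "XenVMMXenVMM", "Xen" },
    };
    char sig[13];
    hv_vendor(ebx, ecx, edx, sig);
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(sig, table[i][0]) == 0) return table[i][1];
    return NULL;
}
int main(void) {
#if HAVE_CPUID
    uint32_t a, b, c, d;
    __cpuid(1, a, b, c, d);
    int hv = hv_bit_set(c);
    __cpuid(0x40000000u, a, b, c, d);
    const char *name = identify(b, c, d);
    printf("hypervisor bit: %d\nparavirt signature: %s\n", hv, name ? name : "none");
    return (hv || name) ? 1 : 0;   /* non-zero exit: the VM is still detectable */
#endif
    return 0;                      /* non-x86 build: nothing to probe */
}
```

Run it in the VM before and after applying the loader: with legacy paravirt mode plus the VBoxVMM patch both lines should report 0 and "none".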
 #28509  by EP_X0FF
 Mon May 16, 2016 3:53 am

What exactly should it do when installed properly, except the "I am installed" message in IE?
Also I see a failed attempt to load this page
where newjobcreator.link is a malware site.

 #28512  by EP_X0FF
 Tue May 17, 2016 2:29 am
Sure, can you please upload a fresh binary. As far as I see, Delphi with a ZipMonster HTML GUI hidden inside as base64 encoded strings, some system information collecting (with the help of WMI), and usage of heavyweight 3rd party components. I don't think it is capable of any VM detect; however, it does collect some system information including cpuid data.