A forum for reverse engineering, OS internals and malware analysis 

 #29717  by SSBIZ
 Wed Dec 14, 2016 3:10 am
newcomer, thank you for the cpuid and video mode resolution. Great tricks. I have noticed too that the machines do not report the BIOS info at all using the wmic commands you mentioned:
  • wmic cpu get ProcessorId (normally this one returns the Processor Serial Number, a 96-bit value combined from three registers: eax = processor signature (most significant 32 bits of PSN), edx = middle 32 bits of PSN and ecx = least significant 32 bits, so PSN = EAX+EDX+ECX, from cpu flag 0 or 1, I am not sure)
  • wmic bios get serialnumber (normally this one returns the BIOS serial number)
  • wmic csproduct get name, vendor, identifyingnumber (normally this one returns the name of the computer - Dell, Acer or VMware - and the identifying number, same as the BIOS serial)
  • wmic bios get name, serialnumber, version (normally this one returns the name of your BIOS, the current version and its serial number if there is any)
  • wmic csproduct get name, identifyingnumber, uuid (normally this one returns the system motherboard, which happens to be the name, and its UUID)
Obviously something is wrong. I think EP_X0FF didn't update things properly when he made the jump from version 4 to version 5, because this issue has been going on since version 5. I actually wanted to let EP_X0FF know about it, but haven't had the time to get around to it.

It would be great if we could address this issue, as the lack of DMI data in the BIOS is obviously a major flaw.
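The fields that wmic csproduct reports (Name, Vendor, IdentifyingNumber, UUID) are carried in the SMBIOS Type 1 "System Information" structure, whose text members are not inline strings but one-based indices into a NUL-terminated string set that trails the fixed-size record. The following Python is an added example, not code from this thread or from the hidevm scripts, that builds a Type 1 record from constructed sample values, parses it back, and reports the kind of inconsistency (an index pointing outside the string set, an unset UUID) that makes such a record useless to a consumer; the sample manufacturer, product, serial and UUID values are made up.

```python
import struct
import uuid

# SMBIOS Type 1 (System Information) formatted area, SMBIOS 2.4+ layout:
# Type(1) Length(1) Handle(2) Manufacturer(1) ProductName(1) Version(1)
# SerialNumber(1) UUID(16) WakeUpType(1) SKU(1) Family(1) = 27 bytes.
# Text members are 1-based indices into the string set that follows the
# formatted area; 0 means "no string".
SMBIOS_TYPE1 = struct.Struct("<BBHBBBB16sBBB")
WAKEUP_POWER_SWITCH = 6
TEXT_FIELDS = ("manufacturer", "product", "version", "serial", "sku", "family")


def _encode_strings(values):
    """Return (index list, encoded string set). Empty values get index 0."""
    table, indexes = [], []
    for v in values:
        if v:
            table.append(v)
            indexes.append(len(table))
        else:
            indexes.append(0)
    # Each string is NUL-terminated and the set ends with an extra NUL;
    # a record with no strings at all is followed by two NULs.
    body = b"".join(s.encode("ascii") + b"\0" for s in table) or b"\0"
    return indexes, body + b"\0"


def build_type1(manufacturer, product, version, serial, system_uuid, sku="", family="", handle=1):
    """Assemble a well-formed Type 1 structure from the given (constructed) values."""
    idx, strings = _encode_strings([manufacturer, product, version, serial, sku, family])
    formatted = SMBIOS_TYPE1.pack(
        1, SMBIOS_TYPE1.size, handle, idx[0], idx[1], idx[2], idx[3],
        system_uuid.bytes_le,  # SMBIOS 2.6+ stores the first three UUID fields little-endian
        WAKEUP_POWER_SWITCH, idx[4], idx[5])
    return formatted + strings


def split_structure(blob, offset=0):
    """Split one structure into (formatted area, string list, offset of the next structure)."""
    _stype, length, _handle = struct.unpack_from("<BBH", blob, offset)
    formatted = blob[offset:offset + length]
    pos = offset + length
    strings = []
    while True:
        end = blob.index(b"\0", pos)
        if end == pos:          # an empty string is the terminating NUL of the set
            pos += 1
            break
        strings.append(blob[pos:end].decode("ascii", "replace"))
        pos = end + 1
    if not strings:             # consume the second NUL of an empty set
        pos += 1
    return formatted, strings, pos


def _string(strings, index):
    """Resolve a string index; None when it points outside the string set."""
    if index == 0:
        return ""
    return strings[index - 1] if index <= len(strings) else None


def parse_type1(blob):
    formatted, strings, _ = split_structure(blob)
    if formatted[0] != 1 or len(formatted) < SMBIOS_TYPE1.size:
        raise ValueError("not a Type 1 structure of SMBIOS 2.4+ length")
    _t, _l, handle, man, prod, ver, ser, raw_uuid, wake, sku, fam = SMBIOS_TYPE1.unpack_from(formatted)
    return {
        "handle": handle,
        "manufacturer": _string(strings, man),
        "product": _string(strings, prod),
        "version": _string(strings, ver),
        "serial": _string(strings, ser),
        "uuid": str(uuid.UUID(bytes_le=raw_uuid)),
        "uuid_unset": raw_uuid in (b"\0" * 16, b"\xff" * 16),
        "wakeup": wake,
        "sku": _string(strings, sku),
        "family": _string(strings, fam),
    }


def validate_type1(blob):
    """Return a list of problems; empty when the record is internally consistent."""
    info = parse_type1(blob)
    problems = [f"{k} string index points outside the string set" for k in TEXT_FIELDS if info[k] is None]
    if info["uuid_unset"]:
        problems.append("UUID is all-zero or all-FF (not set)")
    return problems


def sample_structure():
    """Constructed sample record; none of these values come from a real machine."""
    return build_type1("Dell Inc.", "Latitude E7450", "01", "ABC1234",
                       uuid.UUID("12345678-1234-5678-9abc-def012345678"))


if __name__ == "__main__":
    good = sample_structure()
    print(parse_type1(good))
    broken = bytearray(good)
    broken[7] = 9            # serial-number index now points past the four strings
    print(validate_type1(bytes(broken)))
```

The checks in validate_type1 are the minimum a parser needs before it can hand the record to anything downstream; a record whose text indices or UUID do not resolve is the practical reason arbitrary DMI edits produce empty output rather than the values that were typed in.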
 #29718  by EP_X0FF
 Wed Dec 14, 2016 7:57 am
SSBIZ wrote:
Obviously something is wrong. I think EP_X0FF didn't update things properly when he made the jump from version 4 to version 5, because this issue has been going on since version 5. I actually wanted to let EP_X0FF know about it, but haven't had the time to get around to it.

It would be great if we could address this issue, as the lack of DMI data in the BIOS is obviously a major flaw.
Combine in one post what you are talking about:

problem | expected result -> observed result (steps to reproduce).
 #29725  by SSBIZ
 Wed Dec 14, 2016 5:35 pm
Dear EP_X0FF,

First of all, thanks for the great job you've done so far. We're just trying to improve on it, and in the process newcomer and I have come to the same conclusion that the BIOS and system tables are not being parsed correctly, because whenever we attempt to pull that information from the system via the WMIC commands mentioned in the other posts, no results with the data entered in hidevm_ahci.cmd show up. This is an issue I've faced since the Loader was upgraded for VirtualBox 5. Please view the video below to understand better what we're trying to say.

VIDEO REPRODUCING THE ISSUE (length 3 mins)
https://vimeo.com/195660743

Usually in a real system when we run the WMIC commands we receive the following response:
Code:
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>wmic bios get name, serialnumber, version
Name       SerialNumber  Version
3.11.1450  081244243353  OEMC - 300
Whereas in any Windows machine I create with the loader, the only response we get using wmic bios is from AcpiOemId, while wmic csproduct always shows up blank with the following response: NO INSTANCE(S) FOUND, which would obviously lead anyone to think that the tables are not being loaded correctly into the VirtualBox machines. Check out the screenshot as well.
Attachment: vmic.jpg (WMIC Commands Screenshot)
 #29726  by SSBIZ
 Wed Dec 14, 2016 8:10 pm
Also upon changing randomly the hidevm_ahci.cmd, the virtualbox machine crashes with the error:
Code:
The VM session was aborted.
Result Code: E_FAIL (0x80004005)
Component: SessionMachine
Interface: ISession {7844aa05-b02e-4cdd-a04f-ade4a762e6b7}
and upon extensive testing I've pinpointed the issue to be at hidevm_ahci.cmd:
Code:
%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/AcpiOemId" "TOSHIBA"
What I've noticed is that if I change AcpiOemId to any name that is 6 CHARACTERS LONG it works fine, but the moment it gets 7 CHARACTERS LONG I receive the error shown in the attached picture. It should also be mentioned that the AcpiOemId value is read as the BIOS VERSION by the wmic bios command line.
Attachment: vboxerror.jpg (Error Screenshot)
 #29727  by cross282
 Wed Dec 14, 2016 11:21 pm
Hello, my English is very bad. I get an error after running the script. I cannot explain the order of actions. I have a big request: please make a detailed video of installing the patch from start to end.
Attachment: png.png
 #29728  by EP_X0FF
 Thu Dec 15, 2016 5:20 am
ACPI Subtable OEM ID member cannot be larger than 6 bytes. Nothing wrong here.
SSBIZ wrote: Also upon changing randomly the hidevm_ahci.cmd, the virtualbox machine crashes with the error:
Code:
The VM session was aborted.
Result Code: E_FAIL (0x80004005)
Component: SessionMachine
Interface: ISession {7844aa05-b02e-4cdd-a04f-ade4a762e6b7}
and upon extensive testing I've pinpointed the issue to be at hidevm_ahci.cmd:
Code:
%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/AcpiOemId" "TOSHIBA"
What I've noticed is that if I change AcpiOemId to any name that is 6 CHARACTERS LONG it works fine, but the moment it gets 7 CHARACTERS LONG I receive the error shown in the attached picture. It should also be mentioned that the AcpiOemId value is read as the BIOS VERSION by the wmic bios command line.
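The 6-byte limit EP_X0FF refers to is the OEMID member of the standard ACPI table header (Signature, Length, Revision, Checksum, OEMID, OEM Table ID, OEM Revision, Creator ID, Creator Revision; 36 bytes in all), and a seven-character value simply cannot be stored there. The Python below is an added example, not code from the thread or from VirtualBox, that packs and validates such a header: it refuses an OEM ID that does not fit, computes the Checksum byte that makes the table sum to zero modulo 256, and flags a table whose Length or checksum is wrong. The "FACP"/"VBOXFACP"/"TEST" values are constructed sample inputs; that VirtualBox's AcpiOemId setting lands in this OEMID field is my understanding, not something the thread states.

```python
import struct

# ACPI System Description Table header (ACPI spec, DESCRIPTION_HEADER):
# Signature(4) Length(4) Revision(1) Checksum(1) OEMID(6) OEM Table ID(8)
# OEM Revision(4) Creator ID(4) Creator Revision(4) = 36 bytes.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
OEMID_LEN = 6
OEM_TABLE_ID_LEN = 8
CHECKSUM_OFFSET = 9
OEMID_OFFSET = 10


def oem_id_fits(text):
    """True when the OEM ID can be stored in the fixed 6-byte field."""
    return len(text.encode("ascii")) <= OEMID_LEN


def acpi_checksum(table):
    """Checksum byte that makes every byte of the table sum to zero modulo 256."""
    return (-sum(table)) & 0xFF


def build_table(signature, oem_id, oem_table_id, payload=b""):
    """Assemble a table with a correct Length and Checksum (constructed sample data)."""
    if not oem_id_fits(oem_id):
        raise ValueError(f"OEMID {oem_id!r} does not fit in {OEMID_LEN} bytes")
    tid = oem_table_id.encode("ascii")
    if len(tid) > OEM_TABLE_ID_LEN:
        raise ValueError(f"OEM Table ID {oem_table_id!r} does not fit in {OEM_TABLE_ID_LEN} bytes")
    length = ACPI_HEADER.size + len(payload)
    header = ACPI_HEADER.pack(signature, length, 1, 0,
                              oem_id.encode("ascii").ljust(OEMID_LEN, b" "),
                              tid.ljust(OEM_TABLE_ID_LEN, b" "),
                              1, b"TEST", 1)   # creator id / revisions are placeholders
    table = bytearray(header + payload)
    table[CHECKSUM_OFFSET] = acpi_checksum(table)  # checksum byte was 0 while summing
    return bytes(table)


def parse_header(table):
    """Decode the 36-byte header into named fields (OEM strings are space-padded)."""
    sig, length, rev, chk, oem_id, table_id, oem_rev, creator, creator_rev = ACPI_HEADER.unpack_from(table)
    return {
        "signature": sig.decode("ascii", "replace"),
        "length": length,
        "revision": rev,
        "checksum": chk,
        "oem_id": oem_id.decode("ascii", "replace").rstrip(),
        "oem_table_id": table_id.decode("ascii", "replace").rstrip(),
        "oem_revision": oem_rev,
        "creator_id": creator.decode("ascii", "replace"),
        "creator_revision": creator_rev,
    }


def validate_table(table):
    """Return the problems an ACPI consumer would reject the table for; empty when clean."""
    if len(table) < ACPI_HEADER.size:
        return ["table shorter than the 36-byte header"]
    h = parse_header(table)
    problems = []
    if h["length"] != len(table):
        problems.append(f"Length field {h['length']} != actual size {len(table)}")
    if sum(table) & 0xFF != 0:
        problems.append("checksum mismatch")
    raw_oem = table[OEMID_OFFSET:OEMID_OFFSET + OEMID_LEN]
    if not all(0x20 <= b < 0x7F for b in raw_oem):
        problems.append("OEMID contains non-printable bytes")
    return problems


if __name__ == "__main__":
    for candidate in ("TOSHIB", "TOSHIBA"):
        print(candidate, "fits" if oem_id_fits(candidate) else "does not fit in 6 bytes")
    table = build_table(b"FACP", "TOSHIB", "VBOXFACP", b"\x00" * 8)
    print(parse_header(table), validate_table(table))
```

Running it shows why "TOSHIB" is accepted and "TOSHIBA" is not: the field has no length byte of its own, so anything beyond six bytes would have to overwrite the OEM Table ID that follows it.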
 #29729  by EP_X0FF
 Thu Dec 15, 2016 5:23 am
cross282 wrote: Hello, my English is very bad. I get an error after running the script. I cannot explain the order of actions. I have a big request: please make a detailed video of installing the patch from start to end.
You didn't specify the virtual machine name as an argument to the script, leaving it empty.
Correct usage: script.cmd yourvmname
 #29730  by EP_X0FF
 Thu Dec 15, 2016 6:17 am
You are putting random values into the DMI data and expecting WMI to work correctly with them. Totally wrong, don't you think?

You either experiment with DMI data to force WMI to show you cute useless output (and waste your time) or make it random. I won't *fix* anything here, because there is nothing to fix. It is working as expected. As I said - experiment yourself.
SSBIZ wrote: VIDEO REPRODUCING THE ISSUE (length 3 mins)
https://vimeo.com/195660743

Usually in a real system when we run the WMIC commands we receive the following response:
Code:
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>wmic bios get name, serialnumber, version
Name       SerialNumber  Version
3.11.1450  081244243353  OEMC - 300
Whereas in any Windows machine I create with the loader, the only response we get using wmic bios is from AcpiOemId, while wmic csproduct always shows up blank with the following response: NO INSTANCE(S) FOUND, which would obviously lead anyone to think that the tables are not being loaded correctly into the VirtualBox machines. Check out the screenshot as well.
 #29736  by cross282
 Thu Dec 15, 2016 4:42 pm
After installing the script hidevm_ide.cmd, starting a virtual machine gives an error:
Result Code: E_FAIL (0x80004005)
This was already written about above, but without saying specifically which parts of the script's source code apply in my case.
Thank you
 #29737  by EP_X0FF
 Fri Dec 16, 2016 5:29 am
cross282 wrote: After installing the script hidevm_ide.cmd, starting a virtual machine gives an error:
Result Code: E_FAIL (0x80004005)
This was already written about above, but without saying specifically which parts of the script's source code apply in my case.
Thank you
Good. Now re-read the first post and do as it tells you. Otherwise there will be more error posts from you.