Page 4 of 25

Re: VBoxAntiVMDetectHardened mitigation X64 only (14/02/15)

PostPosted:Sun Feb 15, 2015 11:06 pm
by h00key
Has anyone considered forking VBox source and removing the "hardenings" to make a version suitable for malware analysis? It would cause problems with driver signing I guess? And of course lots of work as well.

Just my random 2 cents...

Re: VBoxAntiVMDetectHardened mitigation X64 only (14/02/15)

PostPosted:Mon Feb 16, 2015 4:37 am
by EP_X0FF
Simpler to switch to VMware. I guess this is the main target of the saboteurs that are working in Oracle.

Re: VBoxAntiVMDetectHardened mitigation X64 only (14/02/15)

PostPosted:Mon Feb 16, 2015 8:50 am
by Vrtule
h00key wrote:Has anyone considered forking VBox source and removing the "hardenings" to make a version suitable for malware analysis? It would cause problems with driver signing I guess? And of course lots of work as well.

Just my random 2 cents...
Yes, you would need to sign the driver. And AFAIR there are parts of the VirtualBox source code which are not available. But I don't know how important these parts are. You can build a functional VBox from the source, but certain features (maybe something from the USB field) will be missing.

My information, however, might not be correct since I used VirtualBox about 5-6 years ago.

Re: VBoxAntiVMDetectHardened mitigation X64 only (14/02/15)

PostPosted:Thu Mar 12, 2015 6:44 am
by EP_X0FF
4.3.24 VBoxDD unchanged, patch from 4.3.22 will work.

Re: VBoxAntiVMDetectHardened mitigation X64 only (15/03/15)

PostPosted:Sun Mar 15, 2015 7:58 am
by EP_X0FF
Latest version, including updated ACPI table published on GitHub https://github.com/hfiref0x/VBoxHardenedLoader, further updates (if any) will be posted on git also.

VBoxAntiVMDetectHardened mitigation X64 only (17/03/15)

PostPosted:Tue Mar 17, 2015 12:52 pm
by EP_X0FF
4.3.26 VBoxDD unchanged, patch from previous version will work.

Update 01 Apr 2015, EFI video driver patched.

PostPosted:Wed Apr 01, 2015 4:16 pm
by EP_X0FF
VirtualBox EFI video driver patched. Now you can install UEFI-compatible OSes using the AntiVM detection patch without video problems (e.g. a black screen during install, or an already installed VM being accessible only via RDP).

If you plan to use EFI based VM's:

1) Make sure Tsugumi is properly unloaded (using remove.cmd) before doing the next step.
2) Make a copy of VBoxEFI64.fd in the VirtualBox directory.
3) Replace VBoxEFI64.fd in the VirtualBox directory with the patched version from this patch's data directory.
4) Use hidevm_efiahci (AHCI controller mode) or hidevm_efiide (IDE controller mode) for your EFI VM.
5) Load Tsugumi (using install.cmd).
6) Run VirtualBox.

Binaries and loader source -> https://github.com/hfiref0x/VBoxHardenedLoader.

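The six EFI steps above, wrapped into one script so that each step is checked before the next runs. This is an added example, not code from the post or from the VBoxHardenedLoader project. It assumes (the thread does not say) that the hide scripts take the VM name as their first argument, that they carry a .cmd extension, that the patched firmware in Binary\data is also named VBoxEFI64.fd, and that the loader checkout lives under C:\Tools; adjust the paths to your install. Run it from an elevated prompt, since install.cmd/remove.cmd load and unload a kernel driver.

```powershell
# Added example, not part of the VBoxHardenedLoader project.
# Assumptions (not stated in the thread): hidevm_efiahci.cmd takes the VM name as
# its first argument; the patched firmware in Binary\data is named VBoxEFI64.fd;
# the loader checkout path below is illustrative.
param(
    [string]$VBoxDir    = 'C:\Program Files\Oracle\VirtualBox',
    [string]$LoaderData = 'C:\Tools\VBoxHardenedLoader\Binary\data',   # assumed path
    [Parameter(Mandatory)][string]$VmName,
    [ValidateSet('efiahci', 'efiide')][string]$Controller = 'efiahci'
)
$ErrorActionPreference = 'Stop'

function Invoke-Step([string]$Description, [scriptblock]$Action) {
    Write-Host "==> $Description"
    & $Action
    if ($LASTEXITCODE) { throw "Step failed (exit $LASTEXITCODE): $Description" }
}

$stockFw   = Join-Path $VBoxDir    'VBoxEFI64.fd'
$patchedFw = Join-Path $LoaderData 'VBoxEFI64.fd'
$backupFw  = "$stockFw.orig"
foreach ($f in $stockFw, $patchedFw) {
    if (-not (Test-Path $f)) { throw "Missing file: $f" }
}

# 1) Unload Tsugumi before touching the firmware, as the post requires.
Invoke-Step 'Unloading Tsugumi (remove.cmd)' { & (Join-Path $LoaderData 'remove.cmd') }

# 2) Back up the stock firmware. Never overwrite an existing backup: on a second
#    run the file in the VirtualBox directory is already the patched one, and
#    copying it over the backup would destroy the only clean copy.
if (-not (Test-Path $backupFw)) { Copy-Item $stockFw $backupFw }

# 3) Install the patched firmware and confirm the copy by hash.
Copy-Item $patchedFw $stockFw -Force
$want = (Get-FileHash $patchedFw -Algorithm SHA256).Hash
$have = (Get-FileHash $stockFw   -Algorithm SHA256).Hash
if ($want -ne $have) { throw 'VBoxEFI64.fd hash mismatch after copy' }

# 4) Apply the EFI hide profile for the chosen controller type to the VM.
$hideScript = Join-Path $LoaderData "hidevm_$Controller.cmd"
Invoke-Step "Applying $hideScript to $VmName" { & $hideScript $VmName }

# 5) Load Tsugumi again.
Invoke-Step 'Loading Tsugumi (install.cmd)' { & (Join-Path $LoaderData 'install.cmd') }

# 6) Start VirtualBox.
Start-Process (Join-Path $VBoxDir 'VirtualBox.exe')
```

To revert, unload Tsugumi with remove.cmd and copy VBoxEFI64.fd.orig back over VBoxEFI64.fd; the script deliberately leaves that backup alone on repeated runs so the original firmware always survives.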

Re: Update 01 Apr 2015, EFI video driver patched.

PostPosted:Sun Apr 26, 2015 9:58 pm
by JonnyDee
EP_X0FF wrote:VirtualBox EFI video driver patched. Now you can install UEFI-compatible OSes using the AntiVM detection patch without video problems (e.g. a black screen during install, or an already installed VM being accessible only via RDP).

If you plan to use EFI based VM's:

1) Make sure Tsugumi is properly unloaded (using remove.cmd) before doing the next step.
2) Make a copy of VBoxEFI64.fd in the VirtualBox directory.
3) Replace VBoxEFI64.fd in the VirtualBox directory with the patched version from this patch's data directory.
4) Use hidevm_efiahci (AHCI controller mode) or hidevm_efiide (IDE controller mode) for your EFI VM.
5) Load Tsugumi (using install.cmd).
6) Run VirtualBox.

Binaries and loader source -> https://github.com/hfiref0x/VBoxHardenedLoader.
I have read through the thread, more than once, and am still not sure on a couple of small things.

Where in the above 6 steps is the VBoxManage (re in post#1 #2.2) batch for the hardware inputs applied?
Are "hidevm_efiahci (AHCI controller mode) or hidevm_efiide (IDE controller mode) " moved to the VBox\Binary\data directory as replacements?

Thanks much,
Jon

Re: VBoxAntiVMDetectHardened mitigation X64 only (01/04/15)

PostPosted:Mon Apr 27, 2015 3:56 am
by EP_X0FF
All batch scripts, BIOSes, the modified UEFI driver and other data are in Binary/data (https://github.com/hfiref0x/VBoxHardene ... inary/data). This guide was created long before the project files moved to GitHub.

Update 15 May 2015, 4.3.28

PostPosted:Fri May 15, 2015 3:04 pm
by EP_X0FF
Loader updated for VirtualBox 4.3.28, UEFI patch included. Setup and configuration are the same.