A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #29663  by EP_X0FF
 Wed Nov 30, 2016 2:29 pm
newcomer wrote:Good afternoon,

can you give some comments about hidevm_ahci.cmd? What is each string exactly changing in VBox, or where can I read about these parameters?
Also, maybe you know a parameter which can set the screen resolution and colour depth (16-32 bit); I want to add them to the .cmd file.
PUT YOUR OWN RANDOM information in the data fields, DO NOT USE THE SAME AS BELOW so this can't be used as detection markers.
Additionally, where can I find values - HDD serial number, name and others - to set them as original? I don't want them to look like the same garbage.

Values you can grab from real computers using system information tools like, for example, AIDA64.
 #29664  by EP_X0FF
 Wed Nov 30, 2016 2:32 pm
SSBIZ wrote:Thanks for your gentle reply!!!!

What my question is about is the graphics card: how can the settings of the graphics card be changed in different VMs so that it looks different and unique in each VM?

Let's say I need to build 5 different VMs that appear to have 5 different graphics cards?

Thanks a lot!!!!!!
These HW IDs come from a VirtualBox dll which can be patched on Windows only when loaded because of their idiotic "vbox hardening" feature. Forget about this idea, VirtualBox does not support this kind of customization and what is already done is a very dirty and low-level hack.
 #29665  by EP_X0FF
 Wed Nov 30, 2016 2:49 pm
e192168 wrote:Hi, I am interested in patching the hardware ID part in your example VBoxDD.so library. I read the post on how to do it and have some questions:
- How to calculate the CRC sum for the patched file? Because the link in the post (https://taesoo.org/files/code/acpi.c.html) doesn't work.
- Which algorithm is used for the CRC protection?
- What offset byte did you fix to correct the CRC sum in your patched VBoxDD.so library?

This link and that part of the manual were about ACPI table checksum fixing, not about fixing the checksum of VBoxDD after patching. And as for the table, it turned out VBox will do this for you itself, so this is not needed. If you are still interested in the ACPI table format -> http://www.acpi.info/spec.htm, some examples http://wiki.osdev.org/RSDT
 #29667  by SSBIZ
 Wed Nov 30, 2016 8:33 pm
Hi and thanks for your gentle response.

To your knowledge, does VMware instead have this feature, or have you got any clue which other system can handle this kind of customization?

Thanks a lot!
 #29669  by EP_X0FF
 Thu Dec 01, 2016 4:02 am
SSBIZ wrote:Hi and thanks for your gentle response.

To your knowledge, does VMware instead have this feature, or have you got any clue which other system can handle this kind of customization?

Thanks a lot!

I don't use this trash.
 #29671  by EP_X0FF
 Thu Dec 01, 2016 7:21 am
SSBIZ wrote:Do you have any suggestion on how to handle this particular situation of 5 VMs from 5 different PCs showing different graphics cards?
The strangest question ever, not to mention it is completely off-topic here.
 #29690  by newcomer
 Wed Dec 07, 2016 10:25 pm
EP_X0FF wrote:
newcomer wrote:
vboxmanage setextradata mx VBoxInternal/CPUM/HostCPUID/80000003/ebx 0x50202952
I don't know why you want to randomize what is not used. Also note that VBox checks values and probably won't allow any garbage to be set.

Processor serial number is an unused feature nobody cares about. It is a 96-bit value combined from three registers: eax = processor signature (most significant 32 bits of PSN), edx = middle 32 bits of PSN and ecx = least significant 32 bits, so PSN = EAX+EDX+ECX. On Pentium 4+ Intel CPUs the ecx/edx pair (after cpuid eax=3) will be zero and eax is the processor signature, which nobody can use to "detect" anything as it will be the same on at least all CPUs in the same batch. So practically the whole randomization thing makes no sense here.
Finally got a result with processor name randomization. Adding the following strings to hidevm_ahci.bat allows changing the processor name. For more models you can google, there is info.
Code:
%vboxman% setextradata "%1" VBoxInternal/CPUM/HostCPUID/80000002/eax 0x65746e49
%vboxman% setextradata "%1" VBoxInternal/CPUM/HostCPUID/80000002/ebx 0x2952286c
%vboxman% setextradata "%1" VBoxInternal/CPUM/HostCPUID/80000002/ecx 0x726f4320
%vboxman% setextradata "%1" VBoxInternal/CPUM/HostCPUID/80000002/edx 0x4d542865
%vboxman% setextradata "%1" VBoxInternal/CPUM/HostCPUID/80000003/eax 0x43203229
%vboxman% setextradata "%1" VBoxInternal/CPUM/HostCPUID/80000003/ebx 0x20205550
%vboxman% setextradata "%1" VBoxInternal/CPUM/HostCPUID/80000003/ecx 0x20202020
%vboxman% setextradata "%1" VBoxInternal/CPUM/HostCPUID/80000003/edx 0x20202020
%vboxman% setextradata "%1" VBoxInternal/CPUM/HostCPUID/80000004/eax 0x30303636
%vboxman% setextradata "%1" VBoxInternal/CPUM/HostCPUID/80000004/ebx 0x20402020
%vboxman% setextradata "%1" VBoxInternal/CPUM/HostCPUID/80000004/ecx 0x30342e32
%vboxman% setextradata "%1" VBoxInternal/CPUM/HostCPUID/80000004/edx 0x007a4847

In the guest, VB is running Windows 7 (several machines with different Win7 versions); I try to execute WMIC commands but get blank output.
On the host machine these commands work fine, as well as in VMware.
Is it OK in VB?
Code:
wmic cpu get ProcessorId - normally this one returns the processor serial number.
wmic bios get serialnumber - this one the BIOS serial
wmic csproduct get name, vendor, identifyingnumber - should return the name of the computer (Dell, Acer or VMware) and identifyingnumber (same as the BIOS serial)
If checking Msinfo (System Information), System Manufacturer and System Model return QROX_ and QROXBIOS. Normally these fields contain, for example, Dell Inc. and Dell Inspiron N5894. Additionally, the SMBIOS version field is missing in System Information, but on the host system it is present.

But even the command wmic cpu get ProcessorId gets nothing; AIDA64 gets this ProcessorId in the section Motherboard-CPUID-CPUID Revision.
Is there any way to set these parameters and change them - System Manufacturer and System Model, ProcessorId?

Also, about adding new screen resolutions to the virtual machine, use this string. It will add 1280x720 to the Windows resolution menu.
Code:
%vboxman% setextradata "%1" "CustomVideoMode1" "1280x720x32"
The open question is how to set this resolution by default when VB is loading. I can't find anything about this in the manuals; if someone knows, you are welcome to help.
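As an added illustration (not code from this thread or from VirtualBox), the Python script below shows how the twelve HostCPUID values in the post above encode the 48-byte CPUID brand string: it decodes the posted values back into the processor name a guest will report, and emits equivalent setextradata lines for another name. The VM name "mx" and the Xeon brand string are taken from posts in this thread; everything else is the example's own.

```python
import struct

# CPUID brand-string leaves; each returns 16 bytes in eax, ebx, ecx, edx.
LEAVES = ("80000002", "80000003", "80000004")
REGS = ("eax", "ebx", "ecx", "edx")

# Register values from the post above, keyed as leaf/register.
POSTED = {
    "80000002/eax": 0x65746e49, "80000002/ebx": 0x2952286c,
    "80000002/ecx": 0x726f4320, "80000002/edx": 0x4d542865,
    "80000003/eax": 0x43203229, "80000003/ebx": 0x20205550,
    "80000003/ecx": 0x20202020, "80000003/edx": 0x20202020,
    "80000004/eax": 0x30303636, "80000004/ebx": 0x20402020,
    "80000004/ecx": 0x30342e32, "80000004/edx": 0x007a4847,
}


def brand_to_registers(brand: str) -> dict:
    """Pack a brand string into the 12 dwords. The string is NUL-padded to
    48 bytes and each 4-byte chunk is read as a little-endian dword, which
    is why the text "Inte" becomes 0x65746e49."""
    raw = brand.encode("ascii")
    if len(raw) > 48:
        raise ValueError("CPUID brand string is limited to 48 bytes")
    values = struct.unpack("<12I", raw.ljust(48, b"\0"))
    return {f"{LEAVES[i // 4]}/{REGS[i % 4]}": v for i, v in enumerate(values)}


def registers_to_brand(regs: dict) -> str:
    """Inverse of brand_to_registers: rebuild the name the guest would see."""
    keys = [f"{leaf}/{reg}" for leaf in LEAVES for reg in REGS]
    raw = struct.pack("<12I", *(regs[k] for k in keys))
    return raw.split(b"\0", 1)[0].decode("ascii")


def setextradata_lines(vm: str, brand: str) -> list:
    """Emit VBoxManage lines in the same form as the thread's .bat file."""
    return [
        f'VBoxManage setextradata "{vm}" VBoxInternal/CPUM/HostCPUID/{k} 0x{v:08x}'
        for k, v in brand_to_registers(brand).items()
    ]


if __name__ == "__main__":
    print(registers_to_brand(POSTED))
    for line in setextradata_lines("mx", "Intel(R) Xeon(R) CPU E5-1630 v4 @ 3.70GHz"):
        print(line)
```

Note the posted name is padded with 0x20 spaces inside the string rather than NULs; a real CPU returns the brand string right-justified inside the 48 bytes, so comparing a guest's CPUID output against a list of known vendor strings is one way an analyst can spot a hand-edited value.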
 #29702  by newcomer
 Sat Dec 10, 2016 8:21 pm
Hello again,

I did more research on the CPU topic and found these two parameters in the user manual.
Code:
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiProcManufacturer" "Intel"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiProcVersion" "Intel(R) Xeon(R) CPU E5-1630 v4 @ 3.70GHz"
I applied them, but they have no effect on the system.
Attaching the log. (CPU not changed.)
How are these parameters supposed to work?

Also noticed this string in the logs: DMI Product Name: Dell System Inspiron N4110. Is it supposed to be changed with the *.cmd file?