Re: VirtualBox Anti-AntiVM

Posted: Sat Apr 13, 2013 1:05 pm
by DerW_234
Patched DLLs for v4.2.12 (x64) in the attachment.
I tried to stick to the changes EP_X0FF made, so the signature is broken once again, but the files are working.

Re: VirtualBox Anti-AntiVM

Posted: Sun Apr 14, 2013 3:58 am
by EP_X0FF
Thanks for the update. It is all very cool, but only good for primitive malware. VirtualBox (however modded) can be detected in a few lines of primitive code. This information is not zero-day; it is used in some top-class commercial protection software, and it is up to Oracle to patch this.

1. Register a top-level exception handler.
2. Set TF in EFLAGS.
3. Execute the "cpuid" instruction (on older VirtualBox versions "rdtsc" works the same way).
4. In the exception handler, check the exception Eip. VirtualBox will eat one instruction after cpuid. Check whether Eip points to the second instruction after cpuid.
Code:
; 32-bit MSVC inline assembly (naked function, no prologue/epilogue).
; The top-level exception handler and fnNotDetected are not shown in the post;
; the handler is expected to clear TF and inspect the reported Eip.
__declspec(naked) void fnCheckVBox()
{
	__asm {
		pushfd                  ; EAX = EFLAGS
		pop eax
		or ah, 1                ; set bit 8 of EFLAGS = TF (single-step trap flag)
		push eax
		popfd                   ; write EFLAGS back; the single-step trap is delayed
		                        ; until after the instruction that follows popfd
		cpuid                   ; executes, then the single-step exception fires
		nop                     ; bare metal: exception Eip points here
		call fnNotDetected      ; <- if Eip == this address we are in the VBox.
		ret
	}
}
As a side effect, VirtualPC completely freezes after execution of this code. Some sort of VM detection too.

Re: VirtualBox Anti-AntiVM

Posted: Sun Jun 23, 2013 4:00 pm
by EP_X0FF
Patched DLLs for Win64 VirtualBox-4.2.14-86644. Back up the original VBox files and replace them with the attached ones. Due to the patch the digital signature is broken; however, that is not important and does not affect VBox's operation.

Re: VirtualBox Anti-AntiVM

Posted: Fri Sep 06, 2013 9:25 pm
by TwinHeadedEagle
@EP_XOFF

Are you going to patch latest 4.2.18 release?

Re: VirtualBox Anti-AntiVM

Posted: Sat Sep 07, 2013 11:56 am
by EP_X0FF
MAXS wrote: @EP_XOFF

Are you going to patch latest 4.2.18 release?

The following http://download.virtualbox.org/virtualb ... 80-Win.exe link points to a corrupted file.

Re: VirtualBox Anti-AntiVM

Posted: Sat Sep 07, 2013 1:56 pm
by TwinHeadedEagle
Don't know, I updated it successfully...

Re: VirtualBox Anti-AntiVM

Posted: Sat Sep 14, 2013 7:39 pm
by DerW_234
The update worked for me, so I patched the files. Hope I didn't forget anything (basically it's just string replacements of VBOX, VirtualBox and Oracle). However, as stated earlier, this will only work against some very basic string detection, so don't rely on just this.

Re: VirtualBox Anti-AntiVM

Posted: Fri Oct 18, 2013 6:26 am
by Tigzy
Hey, there's the new version 4.3.
Anyone up for patching the DLLs? :)

Re: VirtualBox Anti-AntiVM

Posted: Sun Oct 20, 2013 10:16 am
by DerW_234
Here you go :)
I noticed that in one of my VMs old values were still saved from before I applied this: http://www.kernelmode.info/forum/viewto ... 102#p16102, so if you want to make sure it worked, search your registry for VBox, VirtualBox, etc. The keys might need to be deleted from user SYSTEM.

Re: VirtualBox Anti-AntiVM

Posted: Sun Nov 10, 2013 9:44 am
by DerW_234
Update for the new 4.3.2 version.