A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #29027  by EP_X0FF
 Sat Aug 13, 2016 1:49 pm
viandy wrote:I quite understand this. But here is where I need help:
1. I have Parallels Desktop running on Mac OSX Captain.
2. I have Windows running on Parallels.
3. I need somebody to help me install VBoxAntiVMDetectHardened on Windows (which is also virtual already). So, I need VBoxAntiVMDetectHardened mitigation X64 to be installed into virtual Windows run on Parallels.

I think you don't understand purpose of this loader or I don't understand you. This loader works with VirtualBox software and not affect Windows itself. So by installing it in Windows running inside Parallels VM you won't protect this Windows from VM detect.
EP_XOFF, I tried to contact you personally through sending message but could not do it for some reasons... If you can, please get in touch with me through message and I will explain to you what I mean...
http://www.kernelmode.info/forum/viewto ... f=2&t=3137
 #29030  by tizanidine
 Sat Aug 13, 2016 8:49 pm
Hi guys, I just want to pitch in with my little contribution.

I've been trying to harden my VirtualBox 5.1.2 instance that I run under cuckoo on Debian against detections. My guest is a Win10 x64 installation.
It was a huge pain in the ass and pretty much took two days of trial and error until I'm finally done, so in case you're facing a similar situation maybe I can save you some trouble.

On Windows hosts, EP_X0FF's runtime patcher is probably your best bet, but since porting it to linux would be pretty much be a full rewrite, I found it easiest to just hack VBOX's source and compile my own build.
You simply cannot do everything needed from the outside, no matter how much you call VBoxManage setextradata. Don't waste your time on values that aren't fixable this way, like the hypervisor vendor string. The easiest way to go is:
  • 1) Use nsmfoo's script from https://github.com/nsmfoo/antivmdetection to create or modify the initial VM. It's a very thorough script that clones most extradata values from the host and makes up a lot of others. Be sure to first apt-get install acpidump python-dmidecode libcdio-utils cd-drive hdparm lspci smartctl to avoid broken values.
  • 2) Some extradata settings will probably break. Remove all the broken ones (using VBoxManage setextradata <machine> <setting> without a value) until your VM boots normally.
  • 3) At this point you're probably facing trouble from the following that are left: acpi tables (DSDT et al), the PCI base object device vendor/product id, hypervisor vendor string.
  • 4) If your replacement ACPI tables from linux are too large (as it was in my case) or for some other reason don't work, download Read & Write Everything from http://rweverything.com/, and use it to dump the full binary default tables under your Windows guest. Copy the file onto your host and edit it either with a hex editor or by decompiling using iasl -d AcpiTbls.bin, then editing the resulting .dsl script and then recompiling using iasl -tc AcpiTbls.dsl. Set the resulting .aml binary table as your ACPI table using VBoxManage setextradata <machine> "VBoxInternal/Devices/acpi/0/Config/CustomTable" "/yourpath/DSDT.aml". Be sure to at least change all vendor names from VBox/Virtualbox/innotek to something else.
  • 5) Now for the remaining fixes you will need to hack the source. Download the VirtualBox 5.1.2 source tarball from http://download.virtualbox.org/virtualb ... .2.tar.bz2. Don't check out from SVN, the last thing you'll want is a broken build and unsupported version.
You'll want to hack the following:
Code: Select all
// In \include\VBox\param.h:
#define VBOX_PCI_VENDORID // to something else (google PCI vendor id tables)
#define VBOX_DEVICEID // to something else (make sure this isn't a real used deviceid by the vendor you chose)
#define VBOX_VESA_DEVICEID // to something else (make sure this isn't a real used deviceid by the vendor you chose)
#define VMMDEV_DEVICEID// to something else (make sure this isn't a real used deviceid by the vendor you chose)

// In include\VBox\usblib-win.h (better safe than sorry)
#define USBFLT_SERVICE_NAME // to something else
#define USBFLT_NTDEVICE_NAME_STRING // to something else
#define USBFLT_SYMBOLIC_NAME_STRING // to something else
#define USBMON_SERVICE_NAME_W // to something else
#define USBMON_DEVICE_NAME // to something else
#define USBMON_DEVICE_NAME_NT // to something else
#define USBMON_DEVICE_NAME_DOS // to something else

// In src\VBox\Devices\EFI\Firmware\VBoxPkg\VBoxVgaDxe\ComponentName.c, change all of these, better safe than sorry
  { "eng;en", L"VirtualBox SVGA Driver" },
  { NULL , NULL }
  { "eng;en", L"VirtualBox SVGA PCI Adapter" },
  { NULL , NULL }

// In src\VBox\Devices\GIMDev\GIMDev.cpp all names under here
 * The device registration structure.
const PDMDEVREG g_DeviceGIMDev =
{ ....

// In src\VBox\Devices\Graphics\BIOS\vbe.c all of these
char vbebios_copyright[]        = "VirtualBox VESA BIOS";
char vbebios_vendor_name[]      = VBOX_VENDOR;
char vbebios_product_name[]     = VBOX_PRODUCT " VBE Adapter";
char vbebios_product_revision[] = VBOX_PRODUCT " Version " VBOX_VERSION_STRING;
char vbebios_info_string[]    = "VirtualBox VBE Display Adapter enabled\r\n\r\n";
char no_vbebios_info_string[] = "No VirtualBox VBE support available!\r\n\r\n";
char msg_vbe_init[] = "VirtualBox Version " VBOX_VERSION_STRING " VBE Display Adapter\r\n";

// In src\VBox\Devices\Graphics\BIOS\vgabios.c at least these
.ascii  "VirtualBox VGA BIOS"
char msg_vga_init[] = "Oracle VM VirtualBox Version " VBOX_VERSION_STRING " VGA BIOS\r\n";

// In src\VBox\Devices\Input\UsbKbd.cpp
{ USBHID_STR_ID_MANUFACTURER,   "VirtualBox"    },

// In src\VBox\Devices\Input\UsbMouse.cpp
{ USBHID_STR_ID_MANUFACTURER,   "VirtualBox"      },

// In src\VBBox\Devices\PC\BIOS\bios.c
static  const char  bios_cvs_version_string[] = "VirtualBox " VBOX_VERSION_STRING;
#define BX_APPNAME          "VirtualBox"

// In src\VBox\Devices\PC\DevACPI.cpp
memcpy(header->au8OemTabId, "VBOX", 4);
rc = CFGMR3QueryStringAllocDef(pCfg, "AcpiOemId", &pszOemId, "VBOX  ");

// In src\VBox\Devices\PC\DevFwCommon.cpp
Search and change every string instance containing: innotek, VirtualBox, Oracle, VBOXCPU

// In src\VBox\Devices\Storage\VSCSI\VSCSILunMmc.cpp
vscsiPadStr(ScsiInquiryReply.achVendorId, "VBOX", 8);

// In src\VBox\Devices\Storage\VSCSI\VSCSILunSbc.cpp
vscsiPadStr(ScsiInquiryReply.achVendorId, "VBOX", 8);

// In src\VBox\Devices\Storage\DevAHCI.cpp
ataSCSIPadStr((uint8_t *)pvBuf + 8, "VBOX", 8);
RTStrPrintf(szSerial, sizeof(szSerial), "VB%x-1a2b3c4d",
RTStrPrintf(szSerial, sizeof(szSerial), "VB%08x-%08x", Uuid.au32[0], Uuid.au32[3]);

// In src\VBox\Devices\Storage\DevATA.cpp
ataR3SCSIPadStr(s->CTX_SUFF(pbIOBuffer) + 8, "VBOX", 8);
                    rc = CFGMR3QueryStringDef(pCfgNode, "ModelNumber", pIf->szModelNumber, sizeof(pIf->szModelNumber),
                                              pIf->fATAPI ? "VBOX CD-ROM" : "VBOX HARDDISK");
                        rc = CFGMR3QueryStringDef(pCfgNode, "ATAPIVendorId", pIf->szInquiryVendorId, sizeof(pIf->szInquiryVendorId),

// In src\VBox\Devices\Storage\UsbMsd.cpp

// In src\VBox\Devices\VMMDev\VMMDev.cpp everything under here:
 * The device registration structure.
extern "C" const PDMDEVREG g_DeviceVMMDev =

// In src\VBox\VMM\VMMR3\CPUMR3CpuId.cpp THIS IS THE GODDAMN HYPERVISOR VENDOR ID. Change these to zero.
    NewLeaf.uEbx         = 0x786f4256 /* 'VBox' */;
    NewLeaf.uEcx         = 0x786f4256 /* 'VBox' */;
    NewLeaf.uEdx         = 0x786f4256 /* 'VBox' */;
Finally, read Oracle's build instructions at https://www.virtualbox.org/wiki/Linux%2 ... structions and keep fixing dependecies and shit until it compiles.
Note: The instructions talk about qt4, but 5.1.2 has moved to qt5. So don't bother installing any qt4 dependencies, instead install everything for qt5.
As suggested, run ./configure with --disable-hardening or you're asking for trouble.

Not all of these changes are necessary depending on your chosen hardware for the VM, but don't be lazy, it's just some find+replace work anyway.
I'm not going to post any diff files, binaries or a code repository because you should make up your own values and not share them. If we all use the same fake values, it's just one more detectable to add to the list for criminals. Be smart.

My setup now fully passes pafish, al-khaser & VMDE! Have fun 8-)

Image Image
 #29045  by EP_X0FF
 Tue Aug 16, 2016 5:23 am
If you ask me, then regarding non-Windows usage I ended up using fixed compiled binaries (from http://download.virtualbox.org/virtualb ... _amd64.deb) because it much faster and most of the offsets inside VBoxDD.so/VBoxVMM.so are the same as on Windows. Also because there is no fucking hardening bullshit VBox works much more stable and faster.
 #29056  by tizanidine
 Wed Aug 17, 2016 2:10 am
Yeah, fuck the (Oracle's) hardening. When building yourself you also get non-"hardened" binaries as long as you ./configure with --disable-hardening.
I didn't find the build process too bad at all, it compiled very neatly out of the box on Debian after fetching the dependencies. The biggest hurdle was having to compile the KMK build system as well first, since jessie's packaged version was too old, but even that was a total non-issue.
But hey, binary patching is just as fine, whatever works :D
 #29068  by EP_X0FF
 Fri Aug 19, 2016 7:39 am
Loader updated to support 5.1.4.

Note they reworked part related to HV identification, cpumR3CpuIdPlantHypervisorLeaves removed, and now VMM patch set inside gimR3HvInit.
 #29072  by EP_X0FF
 Fri Aug 19, 2016 5:26 pm
EP_X0FF wrote:Well then VirtualBox ignores this setting and only removes hypervisor bit, leaving hypervisor name available via cpuid. Nice job Oracle as always.
Apparently Oracle fixed this behavior and VBoxVMM patching is no longer needed.
 #29131  by atom686
 Mon Aug 29, 2016 8:25 am
Hi guys,
Thanks for the awesome thread EP_X0FF.

I'm trying to pass VMDE test and fail. I did everything step by step as described, so all hardware parameters were changed, and VM settings are also exactly same as described.

I'm using Virtualbox 5.1.2 with latest patch from EP_X0FF.

What could be wrong?
 #29140  by EP_X0FF
 Tue Aug 30, 2016 2:36 pm
Monitoring driver is not loaded and vbox dlls are not patched in memory.


you use vbox loader version that no support 5.1.2, it is supported (from the box) only by 1.6.4 and 1.6.5 loader versions.
  • 1
  • 9
  • 10
  • 11
  • 12
  • 13
  • 25