A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #23561  by EP_X0FF
 Sat Aug 09, 2014 3:24 pm
We've successfully patched hardened VirtualBox starting from build 95226, up to 95286 (and incl. the latest svn build with the "advanced unhooking" crap they implemented) without any binary modifications on disk and with NO reaction from their crapware protection. Details will be posted later, with the official release, as we still have to re-check that all things are OK in case Oracle drug dealers deliver more cocaine to the VBox devs.
 #23565  by frame4-mdpro
 Sun Aug 10, 2014 12:31 am
EP_X0FF wrote: ... as we still have to re-check that all things are OK in case Oracle drug dealers deliver more cocaine to the VBox devs.
Hahaha, I sincerely hope Oracle/VBox guys read this and it hurts...
 #23567  by EP_X0FF
 Sun Aug 10, 2014 3:41 am
Just in case someone is interested in what we are talking about:

Fortunately this is open source, saving the time needed for reversing.

Their latest trunk with the hardened crap (routines shared between VirtualBox.exe, VBoxDrv.sys and VBoxRT.dll):

http://www.virtualbox.org/svn/vbox/trun ... s/Support/

http://www.virtualbox.org/svn/vbox/trun ... edMain.cpp
http://www.virtualbox.org/svn/vbox/trun ... Verify.cpp

http://www.virtualbox.org/svn/vbox/trun ... pport/win/

http://www.virtualbox.org/svn/vbox/trun ... ge-win.cpp
http://www.virtualbox.org/svn/vbox/trun ... ss-win.cpp
http://www.virtualbox.org/svn/vbox/trun ... in-win.cpp
http://www.virtualbox.org/svn/vbox/trun ... rv-win.cpp (ObRegisterCallbacks here)

Just FYI - they have been doing this crap for the last few months, implementing around 200kb of this source code instead of fixing bugs or adding useful things to their VM.

VirtualBox support thread, full of butthurt -> https://forums.virtualbox.org/viewtopic.php?f=6&t=62615, here you can download their latest builds with fireworks. As you can read in that thread, Oracle developers are hardly fucking with AV software, reinventing wheels and making glorious victories over common sense, however still crashing on users' PCs.
 #23616  by EP_X0FF
 Fri Aug 15, 2014 6:48 am
This thread is now closed. This thread was about VM detection mitigation and was for VirtualBox versions up to 4.3.12 (incl.).

The current 4.3.14 and 4.3.15 versions are both malware friendly, and this cannot be simply reconfigured with VBoxManage no matter what the skid "examples" available on the web told you.

A new thread about 4.3.14+ VM detection mitigation will be created after Oracle's stable release.