A forum for reverse engineering, OS internals and malware analysis 

 #18925  by DerW_234
 Sat Apr 13, 2013 1:05 pm
Patched DLLs for v4.2.12 (x64) attached.
I tried to stick to the changes EP_X0FF did, so the signature is broken once again, but the files are working.
Attachments
 #18930  by EP_X0FF
 Sun Apr 14, 2013 3:58 am
Thanks for the update. It is all very cool but only good for primitive malware. VirtualBox (however modded) can be detected in a few lines of primitive code. This information is not zero-day; it is used in some top-class commercial protection software and it is up to Oracle to patch this.

1. Register a top-level exception handler.
2. Set TF in EFLAGS.
3. Execute the "cpuid" instruction (on older VirtualBox versions "rdtsc" works the same way).
4. In the exception handler check the exception Eip. VirtualBox will eat 1 instruction after cpuid. Check if Eip points to the 2nd instruction after cpuid.
__declspec(naked) void fnCheckVBox()
{
	__asm {
		pushfd              ; copy EFLAGS to the stack
		pop eax
		or ah, 1            ; set TF (bit 8 of EFLAGS)
		push eax
		popfd               ; single-step trap is now armed for the next instruction
		cpuid               ; on real hardware the trap fires right after this instruction
		nop                 ; on real hardware the exception Eip lands here
		call fnNotDetected  ;<- if Eip == this address we are in the VBox.
		ret
	}
}
As a side effect, VirtualPC completely freezes after execution of this code. Some sort of VM detection too.
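From the analyst's side, the same sequence is a useful signature for flagging samples that carry this anti-VM probe. As an added example (not code from the thread), a small Python scanner that looks for "set TF, popfd, then cpuid or rdtsc" in a raw x86 code buffer; the sample bytes are constructed here and the rel32 displacement of the call is a placeholder.

```python
import re

# 32-bit x86 encodings of the instructions involved.
# or ah, 1 (80 CC 01) and or eax, 0x100 (0D 00 01 00 00) both set EFLAGS.TF once popfd runs.
TF_PROBE_RE = re.compile(
    rb"(?P<tf>\x80\xcc\x01|\x0d\x00\x01\x00\x00)"  # or ah,1 / or eax,0x100
    rb"[\x00-\xff]{0,8}?"                          # a few bytes of slack (e.g. push eax)
    rb"\x9d"                                       # popfd
    rb"[\x00-\xff]{0,8}?"                          # slack before the probe
    rb"(?P<probe>\x0f\xa2|\x0f\x31)"               # cpuid / rdtsc
)

TF_NAMES = {b"\x80\xcc\x01": "or ah,1", b"\x0d\x00\x01\x00\x00": "or eax,0x100"}
PROBE_NAMES = {b"\x0f\xa2": "cpuid", b"\x0f\x31": "rdtsc"}


def find_tf_vm_probes(code: bytes):
    """Return (offset, tf_instruction, probe_instruction) for each match in `code`.

    The offset is that of the TF-setting OR instruction. A lone cpuid is never
    reported: it must be preceded by the TF set and the popfd that commits it.
    """
    return [
        (m.start(), TF_NAMES[m.group("tf")], PROBE_NAMES[m.group("probe")])
        for m in TF_PROBE_RE.finditer(code)
    ]


# Constructed sample buffer: a benign cpuid feature query followed by the
# probe sequence from the post above.
SAMPLE = (
    b"\x55\x8b\xec"          # push ebp; mov ebp, esp  (benign prologue)
    b"\x31\xc0\x0f\xa2"      # xor eax, eax; cpuid     (ordinary feature query: no TF, no hit)
    b"\x9c\x58\x80\xcc\x01"  # pushfd; pop eax; or ah, 1
    b"\x50\x9d"              # push eax; popfd
    b"\x0f\xa2\x90"          # cpuid; nop
    b"\xe8\x00\x00\x00\x00"  # call rel32 (displacement is a constructed placeholder)
    b"\xc3"                  # ret
)

if __name__ == "__main__":
    for off, tf, probe in find_tf_vm_probes(SAMPLE):
        print(f"TF/{probe} VM probe at offset {off:#x} ({tf}; popfd; {probe})")
```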
 #19749  by EP_X0FF
 Sun Jun 23, 2013 4:00 pm
Patched DLLs for Win64 VirtualBox-4.2.14-86644. Back up the original VBox files and replace them with the attached ones. Due to the patch the digital signature is broken; however, this is not important and does not affect VBox operation.

Attachments
no pass, 4.2.14-86644 only
 #20837  by DerW_234
 Sat Sep 14, 2013 7:39 pm
The update worked for me, so I patched the files. Hope I didn't forget anything (basically it's just string replacements of VBOX, VirtualBox and Oracle). However, as stated earlier, this will only work against some very basic string detection, so don't rely on just this.
Attachments
 #21205  by DerW_234
 Sun Oct 20, 2013 10:16 am
Here you go :)
I noticed that in one of my VMs old values were still saved from before I applied this: http://www.kernelmode.info/forum/viewto ... 102#p16102, so if you want to make sure it worked, search your registry for VBox, VirtualBox etc. The keys might need to be deleted from user SYSTEM.
Attachments