VBoxAntiVMDetectHardened mitigation X64 only (05/01/15)

Aerosol · January 11, 2015

Step by step guide for VirtualBox Hardened (4.3.14+) VM detection mitigation configuring.

Later if nothing changes in Oracle product this will be moved to public forums.

This guide and AntiVMDetect only applies to x86-64 Windows platform.

Guide consists the following parts:

VirtualBox Installation
AntiVMDetect installation and configuring
VirtualBox VM installation and configuring

1) VirtualBox installation

1.1) Do clean installation of latest VirtualBox. Clean mean - you must firstly uninstall any other versions of VirtualBox and reboot Windows to complete uninstallation. This ensures that no old VBox files will left in system memory and disk. Unfortunately VBox setup sometimes can't do complete removal without reboot.

1.2) Start installation and select VirtualBox components to install as shown on fugure below.

DO NOT INSTALL VirtualBox Networking, otherwise you will have problems with part 2 and 3 of this guide, as VirtualBox driver cannot be stoped when VirtualBox networking is active. This feature is pretty useless however, NAT still will be available for virtual machines.

2) AntiVMDetect VM installation and configuring

2.1) What we will target:

DMI Information;

- IDE/AHCI devices (harddisks, cd-rom's);
- ACPI OEM Information;
- Ethernet Adapter MAC address;
- PXE Boot data;
- ACPI DSDT (Differentiated System Description Table);
- ACPI SSDT (Secondary System Descriptor Table);
- VGA Video BIOS data;
- BIOS data;
- VM splashscreen (optional, just for nice looking).

How do we target this: we remove all sings of Oracle/Innotek signatures inside original data extracted by various ways from Oracle VirtualBox itself and then use documented and "not documented" ways to set these customized data for specific virtual machine using batch scripts, see 2.2 for more info and example.

2.2) Run the following commands combined in batch script. As parameter to script give a full virtual machine name you want to use, in this example it is "sbox"

PUT YOUR OWN RANDOM information in the data fields, DO NOT USE THE SAME AS BELOW so this can't be used as detection markers.

Script for VM with IDE controller

@ Echo off

rem vboxman is the full path to the vboxmanage executable
rem vmscfgdir is the path to directory that keeps vbox custom configuration data (bioses, tables etc)

set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe"
set vmscfgdir=D:\Virtual\VBOX\Settings\

%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "Asus"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion" "MB52.88Z.0088.B05.0904162222"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate" "08/10/13"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor" "5"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor" "9"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor" "1"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor" "0"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor" "Asus"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct" "MyBook5,2"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion" "1.0"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial" "CSN12345678901234567"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSKU" "FM550EA#ACB"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily" "Ultrabook"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid" "B5FA3000-9403-81E0-3ADA-F46D045CB676"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVendor" "Asus"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardProduct" "Mac-F22788AA"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVersion" "3.0"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardSerial" "BSN12345678901234567"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardAssetTag" "Base Board Asset Tag#"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardLocInChass" "Board Loc In"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardBoardType" 10
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVendor" "Asus Inc."
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisType" 10
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVersion" "Mac-F22788AA"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisSerial" "CSN12345678901234567"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisAssetTag" "WhiteHouse"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxVer" "Extended version info: 1.00.00"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxRev" "Extended revision info: 1A"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/ModelNumber" "Hitachi HTS543232A7A384"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/FirmwareRevision" "ES2OA60W"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/SerialNumber" "2E3024L1T2V9KA"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/ModelNumber" "Slimtype DVD A  DS8A8SH"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/FirmwareRevision" "KAA2"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/SerialNumber" "ABCDEF0123456789"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/ATAPIVendorId" "Slimtype"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/ATAPIProductId" "DVD A  DS8A8SH"
%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/ATAPIRevision" "KAA2"

%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/AcpiOemId" "ASUS"
%vboxman% modifyvm "%1" --macaddress1 6CF0491A6E02

cd /d %vmscfgdir%
%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/DsdtFilePath" "%vmscfgdir%ACPI-DSDT.bin"
%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "%vmscfgdir%ACPI-SSDT1.bin"
%vboxman% setextradata "%1" "VBoxInternal/Devices/vga/0/Config/BiosRom" "%vmscfgdir%videorom.bin"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/BiosRom" "%vmscfgdir%pcbios.bin"
%vboxman% setextradata "%1"  "VBoxInternal/Devices/pcbios/0/Config/LanBootRom" "%vmscfgdir%pxerom.bin"
%vboxman% modifyvm "%1" --bioslogoimagepath  "%vmscfgdir%splash.bmp"

  @ pause

Script for AHCI controller

rem @ Echo off

rem vboxman is the full path to the vboxmanage executable
rem vmscfgdir is the path to directory that keeps vbox custom configuration data (bioses, tables etc)

set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe"
set vmscfgdir=D:\Virtual\VBOX\Settings\

%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "Asus"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion" "MB52.88Z.0088.B05.0904162222"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate" "08/10/13"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor" "5"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor" "9"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor" "1"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor" "0"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor" "Asus"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct" "MyBook5,2"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion" "1.0"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial" "CSN12345678901234567"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSKU" "FM550EA#ACB"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily" "Ultrabook"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid" "B5FA3000-9403-81E0-3ADA-F46D045CB676"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVendor" "Asus"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardProduct" "Mac-F22788AA"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVersion" "3.0"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardSerial" "BSN12345678901234567"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardAssetTag" "Base Board Asset Tag#"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardLocInChass" "Board Loc In"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardBoardType" 10
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVendor" "Asus Inc."
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisType" 10
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVersion" "Mac-F22788AA"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisSerial" "CSN12345678901234567"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisAssetTag" "WhiteHouse"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxVer" "Extended version info: 1.00.00"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxRev" "Extended revision info: 1A"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port0/ModelNumber" "Hitachi HTS543232A7A384"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port0/FirmwareRevision" "ES2OA60W"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port0/SerialNumber" "2E3024L1T2V9KA"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/ModelNumber" "Slimtype DVD A  DS8A8SH"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/FirmwareRevision" "KAA2"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/SerialNumber" "ABCDEF0123456789"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIVendorId" "Slimtype"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIProductId" "DVD A  DS8A8SH"
%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIRevision" "KAA2"


%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/AcpiOemId" "ASUS"
%vboxman% modifyvm "%1" --macaddress1 6CF0491A6E02

cd /d %vmscfgdir%

%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/DsdtFilePath" "%vmscfgdir%ACPI-DSDT.bin"
%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "%vmscfgdir%ACPI-SSDT1.bin"
%vboxman% setextradata "%1" "VBoxInternal/Devices/vga/0/Config/BiosRom" "%vmscfgdir%videorom.bin"
%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/BiosRom" "%vmscfgdir%pcbios.bin"
%vboxman% setextradata "%1"  "VBoxInternal/Devices/pcbios/0/Config/LanBootRom" "%vmscfgdir%pxerom.bin"
%vboxman% modifyvm "%1" --bioslogoimagepath  "%vmscfgdir%splash.bmp"

 @ pause

NOTE:

These commands:

VBoxInternal/Devices/acpi/0/Config/DsdtFilePath

VBoxInternal/Devices/acpi/0/Config/SsdtFilePath

Supported by VirtualBox, it has code to successfully load and work with this data, but these two commands not listed as acceptable by VirtualBox.

If you are interested in more details see VirtualBox source:

src\VBox\Devices\PC\ACPI\VBoxAcpi.cpp -> Dsdt/Ssdt

src\VBox\Devices\PC\DevACPI.cpp -> CFGMR3AreValuesValid

The only way we can use them - force VirtualBox to allow them. Without this patch both commands will not be recognized by VBox as acceptable and VM won't start.

Additionally even after heavy reconfiguring some virtual machine devices data still will point on Oracle - PCI HWID (hardware identificators). For more info about possible vm detection methods see our VMDE.

The only way we can change these ID - memory patch of the VBoxDD.dll where located most of VM related logic.

Unfortunatelly in the patetic attempt to stop VirtualBox exploitation attempts Oracle have made a decision to create a some kind of "patchguard" for VBox, known as "Hardened VirtualBox". See viewtopic.php?f=11&t=1911&start=50 for more details.

2.3) Installing AntiVMDetect helper.

Use loader.exe from attach. It is command line utility which serves purpose of bypassing Hardened VirtualBox crap.

Without param it will show list of possible commands, here are they:

-l opt_custom_patch_data
first param: patch dse(OFF), load tsugumi, patch dse(ON)
second param: optional, path to custom patch data
-u
first param: unload tsugumi, do not patch anything"

where "tsugumi" is a kernel mode x64 driver used for VBox patching.

-l command
Example of usage, installation batch script (must be run with admin privileges).

D:\Virtual\Vbox\Settings\loader.exe -l
  [@ pause

This command load driver and it starts monitoring VirtualBox dlls loading.

-u command

Example of usage, uninstallation batch script (must be run with admin privileges).

D:\Virtual\Vbox\Settings\loader.exe -u
   @pause

This command unloads tsugumi driver and flushes Windows file cache and standby list, so Windows force reloading dlls from disk into memory and VirtualBox will be able use unpatched dlls.

What/Where/Data for patch stored in the "Tsugumi" driver key under "Parameters" subkey in "PatchData" value -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tsugumi\Parameters. Loader will store here patch information that later will be used by driver.

Note: Driver ONLY patch ONE VirtualBox dll in memory, nothing else in system modified.

This mechanism supports proving custom patch data, you can specify path to custom patch data file as second param of "-l" command, e.g. loader.exe -l "c:\vbox\mycustompdata.bin"

Patch data described as set of linked chains

typedef struct _BINARY_PATCH_BLOCK {
   ULONG   VirtualOffset;
   UCHAR   DataLength;
   UCHAR   Data[1];
} BINARY_PATCH_BLOCK, *PBINARY_PATCH_BLOCK;

Where:

VirtualOffset - is v.offset in VirtualBox VBoxDD dll.

DataLength - length of input patch data

Data - your input data to write with length of DataLength

Once patch driver installed by loader it will enable ACPI tables related commands, fake HWID's and patch several instructions with hardcoded VBox signatures.

This driver has no interface, it works semi-automatic, relying only on PatchData described above.

All source of loader, driver, support tools can be found in attach.

3) VirtualBox VM installation and configuring

3.1) Create a new virtual machine (in this example it named "sbox") and configure it in the following way:

Motherboard

Processor

Acceleration (make sure your CPU support virtualization technologies

Display (UNCHECK any kind of acceleration here - totally bugged and previously exploited feature)

Storage*

* We use here IDE controller, you can use AHCI it is not important.

Better use dynamically allocated VDI images, with size not less than 16 GB, as HDD size is VM indicator for some lame malware.

Network*

*For example used to access host computer via FTP and provide web access to the virtual machine and malware.

3.2) Install Windows (any you want, in this example we used machine with Windows XP SP3 RTM).

DO NOT INSTALL VirtualBox Additions. NEVER. Once installed you may consider your VM as lost.

How then copy all your instruments/tools/etc to the VM space? Do a prebuild ISO image, copy all your stuff on it, use VM CD-ROM drive for it. Copy a small ftp client to the VM and use Host-FTP-Server -> Guest->FTP-Client. In this example we copied all what we need on a prebuilt ISO image called VBoxAfterInstall.ISO, mounted it in virtual CD-ROM and then used our self made FTP server for other file transfers to the VM.

Attachment structure

loader.exe - driver loader
install.cmd - runs loader with -l param, need admin rights
uninstall.cmd - runs loader with -u param, need admin rights
data - modified and original data from VBox 4.3.16, batch scripts
loader - partial source code of loader
driver - partial source code of loader, use WDK to build

util ---
          -> biosextract - tool and source of it to extract bioses from virtualbox VBOXDD2.DLL
         |
         -> vmde - test tool to detect vm presense
         |
         -> patchlist - test tool for patch hex construction

Note: for patching DSDT table - aware that it is CRC protected, so you need to re-calculate and write proper CRC otherwise your customized machine won't load (https://taesoo.org/files/code/acpi.c.html).

05/01/15 update

loader changes

+ Resolved few startup issues;

+ Support for new Microsoft versioning;

+ Built in tables for 4.3.16, 4.3.18 and 4.3.20 versions, so you no longer need to load them as external file (however you still can do that supplying patch table filename as second parameter to the loader);

+ "VirtualBox Host-Only Network" connection no longer needs to be disabled for starting this loader, it will disable and reenable it automatically;

+ New presets for EFI (IDE/AHCI) VirtualBox machines (see hidevm_efiahci.cmd, hidevm_efiide.cmd). Note: EFI supported by VirtualBox only from 4.3.20;

+ Updated all bios data and ACPI tables up to current 4.3.20 version;

+ More source included, source that wasn't changed (driver) is not included in this pack.

VBOX

Pass: virtualbox

Source

Edited January 11, 2015 by Aerosol

Sign In

VBoxAntiVMDetectHardened mitigation X64 only (05/01/15)

Recommended Posts

Aerosol

Join the conversation

Browse

Activity

Pages