Exetools

Exetools (https://forum.exetools.com/index.php)
-   x64 OS (https://forum.exetools.com/forumdisplay.php?f=44)
-   -   VirtualBox Hardened Loader x64 (kernelmode.info) (https://forum.exetools.com/showthread.php?t=16681)

Insid3Code 03-16-2015 01:57

VirtualBox Hardened Loader x64 (kernelmode.info)
 
VirtualBox Hardened VM detection mitigation loader x64 from kernelmode.info.

Step by step guide for VirtualBox Hardened (4.3.14+) VM detection mitigation configuring.
PHP Code:

http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3478 


Quote:

Project comes with full source code. In order to build from source you need: Microsoft Visual Studio 2013 U4 and later versions for loader build. Windows Driver Kit 8.1 U1 and later versions for driver build.
PHP Code:

https://github.com/hfiref0x/VBoxHardenedLoader 


user1 03-16-2015 04:10

May I ask to explain a bit more?

Insid3Code 03-16-2015 06:12

Quote:

Originally Posted by user1 (Post 98347)
May I ask to explain a bit more?

When you try to analyze a suspicious file (malware), usually you do it in a virtual machine, and in case where the suspicious file uses some tricks to detect your virtual analysis lab, based on its strings or hardware signature, here you need to make a custom configuration or patch some strings/hardware signature to avoid virtual machine detection.

EP_X0FF has made a great job by releasing and sharing (tut and tool with source) VM detection mitigation for (VirtualBox)

user1 03-16-2015 15:32

So if I give u a custom Hwid that has a soft tied to HDD and BIOS can this VirtualBox emulate them?

sendersu 03-17-2015 04:59

>Project comes with full source code. In order to build from source you need: Microsoft Visual Studio 2013 U4 and later versions for loader build. Windows Driver Kit 8.1 U1 and later versions for driver build.

vbox AFAIK has a lot of drivers, what about signing them for correct usage udner win7+?

mr.exodia 03-17-2015 07:03

Quote:

Originally Posted by sendersu (Post 98372)
vbox AFAIK has a lot of drivers, what about signing them for correct usage udner win7+?

use a patched kernel or enable testsigning :)

Insid3Code 03-17-2015 16:00

Quote:

Originally Posted by user1 (Post 98360)
So if I give u a custom Hwid that has a soft tied to HDD and BIOS can this VirtualBox emulate them?

The main problem you need to resolve when using another Hardware (configuration) is the compatibility with VirtualBox releases, so full testing is required.
I have not yet replaced or modified the (Tables) provided by EP_X0FF.

Quote:

Originally Posted by sendersu (Post 98372)
vbox AFAIK has a lot of drivers, what about signing them for correct usage udner win7+?

Self-Signing and changing/patching the boot configuration (x64 kernel) is the best way you need for testing purpose as alternative to (Buy) digital certificate $$$

ahmadmansoor 03-19-2015 19:56

what about vmware ??, alot of guys use it .

Insid3Code 03-20-2015 03:30

Quote:

Originally Posted by ahmadmansoor (Post 98432)
what about vmware ??, alot of guys use it .

Yes, I have read several articles dealing with the subject, I think the best way is to try to collect and expose all VMware detection tricks (widely used/private) in open source snippet project (GitHub) and binary ready to use for testing purpose, then develop some countermeasures.

Insid3Code 04-02-2015 01:09

Updated...
Quote:

VirtualBox EFI video driver patched. Now you can install UEFI compatible OS'es using AntiVM detection patch without problems with video (e.g. black screen during install, or when already installed VM accessible only via RDP).

If you plan to use EFI based VM's:

1) Make sure, Tsugumi is properly unloaded (using remove.cmd) before doing next step.
2) Make copy of VBoxEFI64.fd in VirtualBox directory.
3) Replace VBoxEFI64.fd in VirtualBox directory with it patched version from this patch data directory.
4) Use hidevm_efiahci (AHCI controller mode) or hidevm_efiide (IDE controller mode) for your EFI VM.
5) Load Tsugumi (using install.cmd).
6) Run VirtualBox.

Binaries and loader source -> https://github.com/hfiref0x/VBoxHardenedLoader.

user1 04-03-2015 01:18

Quote:

Yes, I have read several articles dealing with the subject, I think the best way is to try to collect and expose all VMware detection tricks (widely used/private) in open source snippet project (GitHub) and binary ready to use for testing purpose, then develop some countermeasures.
Don't know if open source project is best way to expose anti - VM detection tricks....

Insid3Code 04-03-2015 04:11

Yes, releasing something (vulnerability/exploit) that can be used for malicious purposes by bad guys is always problematic, but IMHO expose a vulnerability (to the author first, then to the public after that the fix was released) can help developers and users to be better protected.

In VM detection case, EP_X0FF work around known tricks used by malware authors in real life, and malware authors also search what is new (Underground/Private forums). Do not expose these tricks lead to more victims.

Collect and expose all VM detection tricks in open source project can help also all RCE Newbies to better learn and test binary analysis.

Conquest 04-25-2015 00:53

I have previously tried vbox , but its is slow compared to vmware workstation. how much performance hit will i get disabling the 2d/3d accelerations and these customizations

Evilcry 05-24-2015 03:46

Loader has been updated for VirtualBox 4.3.28, UEFI - available on the github repository previously mentioned.

Fyyre 05-27-2015 09:15

EP_X0FF is a long time good friend of mine. He makes such tools not for malicious usage.

Insid3Code 05-27-2015 16:29

I Agree with you!

I appreciate a lot his works (old and new) (open source/closed source/PoCs and more...) and specially his coding style (Delphi 5/C/C++/Native API).

Repo recently created!
PHP Code:

https://github.com/hfiref0x?tab=repositories 

Also DrvMon coded together with you, unfortunately (release 2.x not available for public)
PHP Code:

http://www.kernelmode.info/forum/viewtopic.php?f=11&t=217 

Quote:

We decided to do not release newer version (2.x) to the public. Overall it's now completely different application than that attached here.

Ahmed18 08-06-2015 05:04

thanks bro ;)

Sakaroz 01-08-2018 06:04

it doesn't work correctly very unstable .. VMWare Workstation has a lot of secret options by manually editing the .vmx file you can make it almost undetectable .. changing the CPU IDs, disabling the VMWARE Tools, reflecting the host information to virtual machine .. using the Actual Hard drive instead of Virtual Machine controller .. , changing the ethernet mac address, memory addresses, ........ I was unable to get this software to work but by Modifying Vmware using a Custom BIOS I was able to defeat all the targets with virtual machine detection in VMWare Environment ..

TechLord 01-08-2018 11:01

Quote:

Originally Posted by Sakaroz (Post 111806)
it doesn't work correctly very unstable .. VMWare Workstation has a lot of secret options by manually editing the .vmx file you can make it almost undetectable .. changing the CPU IDs, disabling the VMWARE Tools, reflecting the host information to virtual machine .. using the Actual Hard drive instead of Virtual Machine controller .. , changing the ethernet mac address, memory addresses, ........ I was unable to get this software to work but by Modifying Vmware using a Custom BIOS I was able to defeat all the targets with virtual machine detection in VMWare Environment ..

Maybe you can share a sample .VMX file for all of us to know better.

Yes, even I do some of the stuff that you mentioned but a sample VMX file (as well as the custom BIOS taht actually works) as an example would be nice :)

Maybe as a PoC, we can see if it can bypass the Anti-VMWare/VM functions of the VMProtect v3.xx without needing to make any changes to the actual protected executable.
Am sure would be an interesting exercise ...

Thank you..

Stingered 01-10-2018 02:50

Quote:

Originally Posted by TechLord (Post 111810)
Maybe you can share a sample .VMX file for all of us to know better.

Yes, even I do some of the stuff that you mentioned but a sample VMX file (as well as the custom BIOS taht actually works) as an example would be nice :)

Maybe as a PoC, we can see if it can bypass the Anti-VMWare/VM functions of the VMProtect v3.xx without needing to make any changes to the actual protected executable.
Am sure would be an interesting exercise ...

Thank you..

YES!!! Sakaroz, if you could proved a PoC that could be what would make me switch over the VMware.

Sakaroz 01-12-2018 08:51

I will make an article and will share it ..

You can verify your system file with this :
https://github.com/LordNoteworthy/al-khaser

there are two main difficulty .. assigning actual hard drive to virtual machine to avoid using the VMWare IDE/SCSI/SATA Controller

and BIOS patching .. you need to extract the BIOS and Change the VMWare values in the BIOS , modify the .vmx file to read your modified BIOS ..

I will share everything in that article ..

TechLord 01-12-2018 10:40

Quote:

Originally Posted by Sakaroz (Post 111852)
You can verify your system file with this :
https://github.com/LordNoteworthy/al-khaser

...

Yes, I'd shared that on this very forum at least twice ... Here and here for example :)



Quote:

Originally Posted by Sakaroz (Post 111852)
there are two main difficulty .. assigning actual hard drive to virtual machine to avoid using the VMWare IDE/SCSI/SATA Controller

and BIOS patching .. you need to extract the BIOS and Change the VMWare values in the BIOS , modify the .vmx file to read your modified BIOS ..
..

Yes, not only me but many others are also aware of these practical difficulties ... After all, this is a forum for members advanced in RE :)

What I ( and I presume others following this thread) are looking for, is mainly an account of how you actually managed to achieve it, so that we could possibly replicate it .

Articles are numerous and while they are useful, since you'd specifically stated earlier in this thread that "I was unable to get this software to work but by Modifying Vmware using a Custom BIOS I was able to defeat all the targets with virtual machine detection in VMWare Environment .. " , we are looking to see a practical example of how you managed to accomplish it...

In fact, content from this repo is still relevant but seems to fail when attempting to bypass the VM Check of VMP 3.1 ..
These steps still continue to work on a majority of targets...

As I said earlier, a good PoC would be if you could show us an example of how a VM Check of an executable protected with VMProtect >v3.1 could be bypassed without any modification to the executable (or to its image in memory using a loader etc) itself, as we are already well aware of how to do so when we are allowed to patch the executable or its memory space.

Thank you :)


All times are GMT +8. The time now is 12:25.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2022, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX