#1
VirtualBox Hardened Loader x64 (kernelmode.info)
VirtualBox Hardened VM detection mitigation loader x64 from kernelmode.info.
Step-by-step guide for configuring VirtualBox Hardened (4.3.14+) VM detection mitigation.
__________________
Computer Forensics
#3
When you try to analyze a suspicious file (malware), you usually do it in a virtual machine, and in case the suspicious file uses some tricks to detect your virtual analysis lab, based on its strings or hardware signature, you need to make a custom configuration or patch some strings/hardware signatures to avoid virtual machine detection.
EP_X0FF has done a great job by releasing and sharing (tutorial and tool with source) VM detection mitigation for VirtualBox.
__________________
Computer Forensics
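As an added example (not code from this thread or from EP_X0FF's loader): a small Python audit that checks a guest-side dump of firmware strings for the stock VirtualBox identifiers that detection tricks match, and maps each leaking field to the host-side VBoxManage setting that rewrites it. The `field = value` dump format, the field names and the sample values are constructed for this example; the extradata keys are the ones documented for `VBoxManage setextradata`, and `--macaddress1` is the documented `modifyvm` option.

```python
import shlex
# Defaults a stock VirtualBox guest exposes via SMBIOS/DMI, ACPI headers and its NIC OUI.
VBOX_STRING_MARKERS = ("innotek gmbh", "virtualbox", "oracle corporation", "vbox")
# Host-side VBoxManage setting that rewrites each field (setextradata keys; modifyvm for MAC).
FIX_FOR_FIELD = {
    "bios_vendor":    "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor",
    "system_product": "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct",
    "acpi_oem_id":    "VBoxInternal/Devices/acpi/0/Config/AcpiOemId",
    "mac_address":    "--macaddress1",
}
# Constructed 'field = value' dumps (not real captures): a stock guest, then after rewriting.
STOCK_DUMP = """\
bios_vendor = innotek GmbH
system_product = VirtualBox
acpi_oem_id = VBOX
mac_address = 08:00:27:12:34:56
"""
HARDENED_DUMP = """\
bios_vendor = Example Computers Ltd.
system_product = Desktop 1000
acpi_oem_id = EXMPL
mac_address = 00:1a:2b:3c:4d:5e
"""

def parse_dump(text):
    """Turn 'field = value' lines into a dict; lines without '=' are ignored."""
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields
def leaks(field, value):
    """True if the value still carries a VirtualBox default that a detector would match."""
    if field == "mac_address":  # 08:00:27 is the VirtualBox NIC OUI
        return value.lower().startswith("08:00:27")
    return any(m in value.lower() for m in VBOX_STRING_MARKERS)
def audit(text):
    """Return {field: value} for every audited field in the dump that still leaks."""
    return {f: v for f, v in parse_dump(text).items() if f in FIX_FOR_FIELD and leaks(f, v)}
def fix_commands(vm_name, findings, replacements):
    """Emit the VBoxManage lines that overwrite each leaking field with its replacement."""
    vm, cmds = shlex.quote(vm_name), []
    for field in findings:
        key, new = FIX_FOR_FIELD[field], replacements[field]
        # modifyvm takes the MAC as 12 hex digits without colons; extradata values are quoted
        cmds.append(f"VBoxManage modifyvm {vm} {key} {new.replace(':', '')}" if key.startswith("--")
                    else f"VBoxManage setextradata {vm} {key} {shlex.quote(new)}")
    return cmds
```

Running `fix_commands("lab", audit(STOCK_DUMP), parse_dump(HARDENED_DUMP))` yields one command per leaking field; re-run `audit` on a fresh dump after the VM restarts to confirm nothing is left.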
#4
So if I give you a custom HWID that has software tied to the HDD and BIOS, can this VirtualBox emulate them?
The Following User Says Thank You to user1 For This Useful Post: Indigo (07-19-2019)
#5
>Project comes with full source code. In order to build from source you need: Microsoft Visual Studio 2013 U4 and later versions for loader build. Windows Driver Kit 8.1 U1 and later versions for driver build.
vbox AFAIK has a lot of drivers; what about signing them for correct usage under win7+?
#7
I have not yet replaced or modified the (Tables) provided by EP_X0FF. Self-signing and changing/patching the boot configuration (x64 kernel) is the best way for testing purposes, as an alternative to buying a digital certificate $$$
__________________
Computer Forensics
The Following User Gave Reputation+1 to Insid3Code For This Useful Post: user1 (03-19-2015)
#8
What about VMware? A lot of guys use it.
__________________
Ur Best Friend Ahmadmansoor Always My Best Friend: Aaron & JMI & ZeNiX
#9
Yes, I have read several articles dealing with the subject. I think the best way is to try to collect and expose all VMware detection tricks (widely used/private) in an open-source snippet project (GitHub), with a binary ready to use for testing purposes, and then develop some countermeasures.
__________________
Computer Forensics
The Following User Gave Reputation+1 to Insid3Code For This Useful Post: user1 (03-23-2015)
#10
Updated...
__________________
Computer Forensics
The Following User Gave Reputation+1 to Insid3Code For This Useful Post: user1 (04-03-2015)
#11
The Following User Says Thank You to user1 For This Useful Post: Indigo (07-19-2019)
#12
Yes, releasing something (vulnerability/exploit) that can be used for malicious purposes by bad guys is always problematic, but IMHO exposing a vulnerability (to the author first, then to the public after the fix has been released) can help developers and users to be better protected.
In the VM detection case, EP_X0FF works around known tricks used by malware authors in real life, and malware authors also search for what is new (underground/private forums). Not exposing these tricks leads to more victims. Collecting and exposing all VM detection tricks in an open source project can also help all RCE newbies to better learn and test binary analysis.
__________________
Computer Forensics
The Following User Gave Reputation+1 to Insid3Code For This Useful Post: user1 (04-03-2015)
#13
I have previously tried vbox, but it is slow compared to VMware Workstation. How much of a performance hit will I get from disabling the 2D/3D acceleration and these customizations?
The Following User Says Thank You to Conquest For This Useful Post: Indigo (07-19-2019)
#14
Loader has been updated for VirtualBox 4.3.28, UEFI - available on the GitHub repository previously mentioned.
The Following User Says Thank You to Evilcry For This Useful Post: Indigo (07-19-2019)
#15
EP_X0FF is a long time good friend of mine. He makes such tools not for malicious usage.
__________________
Best Wishes, Fyyre -- https://github.com/Fyyre
The Following 2 Users Say Thank You to Fyyre For This Useful Post: Indigo (07-19-2019), Insid3Code (05-27-2015)