EXETOOLS FORUM  

#1 Insid3Code, 03-16-2015, 01:57
VirtualBox Hardened Loader x64 (kernelmode.info)

VirtualBox Hardened VM detection mitigation loader x64 from kernelmode.info.

Step-by-step guide for VirtualBox Hardened (4.3.14+) VM detection mitigation configuration:
http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3478

Quote:
Project comes with full source code. In order to build from source you need: Microsoft Visual Studio 2013 U4 and later versions for loader build. Windows Driver Kit 8.1 U1 and later versions for driver build.

https://github.com/hfiref0x/VBoxHardenedLoader
__________________
Computer Forensics
#2 user1, 03-16-2015, 04:10
May I ask to explain a bit more?
#3 Insid3Code, 03-16-2015, 06:12
Quote:
Originally Posted by user1 View Post
May I ask to explain a bit more?
When you try to analyze a suspicious file (malware), you usually do it in a virtual machine, and in case the suspicious file uses some tricks to detect your virtual analysis lab, based on its strings or hardware signature, you need to make a custom configuration or patch some strings/hardware signatures to avoid virtual machine detection.

EP_X0FF has done a great job by releasing and sharing (tutorial and tool with source) VM detection mitigation for VirtualBox.
__________________
Computer Forensics
#4 user1, 03-16-2015, 15:32
So if I give you a custom HWID that has software tied to the HDD and BIOS, can this VirtualBox emulate them?
#5 sendersu, 03-17-2015, 04:59
>Project comes with full source code. In order to build from source you need: Microsoft Visual Studio 2013 U4 and later versions for loader build. Windows Driver Kit 8.1 U1 and later versions for driver build.

VBox AFAIK has a lot of drivers; what about signing them for correct usage under Win7+?
#6 mr.exodia, 03-17-2015, 07:03
Quote:
Originally Posted by sendersu View Post
VBox AFAIK has a lot of drivers; what about signing them for correct usage under Win7+?
Use a patched kernel or enable test signing.
__________________
x64dbg: http://x64dbg.com
My Blog: http://mrexodia.cf
#7 Insid3Code, 03-17-2015, 16:00
Quote:
Originally Posted by user1 View Post
So if I give you a custom HWID that has software tied to the HDD and BIOS, can this VirtualBox emulate them?
The main problem you need to resolve when using another hardware configuration is compatibility with VirtualBox releases, so full testing is required.
I have not yet replaced or modified the tables provided by EP_X0FF.

Quote:
Originally Posted by sendersu View Post
VBox AFAIK has a lot of drivers; what about signing them for correct usage under Win7+?
Self-signing and changing/patching the boot configuration (x64 kernel) is the best way for testing purposes, as an alternative to buying a digital certificate ($$$).
__________________
Computer Forensics
#8 ahmadmansoor, 03-19-2015, 19:56
What about VMware? A lot of guys use it.
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
#9 Insid3Code, 03-20-2015, 03:30
Quote:
Originally Posted by ahmadmansoor View Post
What about VMware? A lot of guys use it.
Yes, I have read several articles dealing with the subject. I think the best way is to try to collect and expose all VMware detection tricks (widely used/private) in an open source snippet project (GitHub), plus a ready-to-use binary for testing purposes, and then develop some countermeasures.
__________________
Computer Forensics
#10 Insid3Code, 04-02-2015, 01:09
Updated...
Quote:
VirtualBox EFI video driver patched. Now you can install UEFI-compatible OSes using the AntiVM detection patch without video problems (e.g. black screen during install, or an already installed VM accessible only via RDP).

If you plan to use EFI-based VMs:

1) Make sure Tsugumi is properly unloaded (using remove.cmd) before doing the next step.
2) Make a copy of VBoxEFI64.fd in the VirtualBox directory.
3) Replace VBoxEFI64.fd in the VirtualBox directory with its patched version from this patch's data directory.
4) Use hidevm_efiahci (AHCI controller mode) or hidevm_efiide (IDE controller mode) for your EFI VM.
5) Load Tsugumi (using install.cmd).
6) Run VirtualBox.

Binaries and loader source -> https://github.com/hfiref0x/VBoxHardenedLoader.
__________________
Computer Forensics
#11 user1, 04-03-2015, 01:18
Quote:
Yes, I have read several articles dealing with the subject. I think the best way is to try to collect and expose all VMware detection tricks (widely used/private) in an open source snippet project (GitHub), plus a ready-to-use binary for testing purposes, and then develop some countermeasures.
Don't know if an open source project is the best way to expose anti-VM detection tricks....
#12 Insid3Code, 04-03-2015, 04:11
Yes, releasing something (vulnerability/exploit) that can be used for malicious purposes by bad guys is always problematic, but IMHO exposing a vulnerability (to the author first, then to the public after the fix has been released) can help developers and users to be better protected.

In the VM detection case, EP_X0FF works around known tricks used by malware authors in real life, and malware authors also search for what is new (underground/private forums). Not exposing these tricks leads to more victims.

Collecting and exposing all VM detection tricks in an open source project can also help all RCE newbies to better learn and test binary analysis.
__________________
Computer Forensics
#13 Conquest, 04-25-2015, 00:53
I have previously tried VBox, but it is slow compared to VMware Workstation. How much of a performance hit will I get from disabling the 2D/3D acceleration and these customizations?
#14 Evilcry, 05-24-2015, 03:46
Loader has been updated for VirtualBox 4.3.28 and UEFI; available on the GitHub repository mentioned previously.
#15 Fyyre, 05-27-2015, 09:15
EP_X0FF is a long time good friend of mine. He makes such tools not for malicious usage.
__________________
-Fyyre

--
http://twitter.com/Fyyre
http://fyyre.ru
All times are GMT +8.