Exetools  

Go Back   Exetools > General > x64 OS

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 03-16-2015, 01:57
Insid3Code's Avatar
Insid3Code Insid3Code is offline
Family
 
Join Date: May 2013
Location: Algeria
Posts: 84
Rept. Given: 47
Rept. Rcvd 60 Times in 30 Posts
Thanks Given: 24
Thanks Rcvd at 108 Times in 56 Posts
Insid3Code Reputation: 60
VirtualBox Hardened Loader x64 (kernelmode.info)

VirtualBox Hardened VM detection mitigation loader x64 from kernelmode.info.

Step by step guide for VirtualBox Hardened (4.3.14+) VM detection mitigation configuring.
PHP Code:
http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3478 

Quote:
Project comes with full source code. In order to build from source you need: Microsoft Visual Studio 2013 U4 and later versions for loader build. Windows Driver Kit 8.1 U1 and later versions for driver build.
PHP Code:
https://github.com/hfiref0x/VBoxHardenedLoader 
__________________
Computer Forensics
Reply With Quote
The Following 4 Users Gave Reputation+1 to Insid3Code For This Useful Post:
ahmadmansoor (03-19-2015), niculaita (03-23-2015), uranus64 (03-19-2015), user1 (03-16-2015)
The Following 4 Users Say Thank You to Insid3Code For This Useful Post:
icebp (01-23-2018), Indigo (07-19-2019), Stingered (01-10-2018), user1 (04-03-2015)
  #2  
Old 03-16-2015, 04:10
user1 user1 is offline
Family
 
Join Date: Sep 2012
Location: OUT
Posts: 1,061
Rept. Given: 591
Rept. Rcvd 120 Times in 67 Posts
Thanks Given: 737
Thanks Rcvd at 590 Times in 350 Posts
user1 Reputation: 41
May I ask to explain a bit more?
Reply With Quote
The Following User Says Thank You to user1 For This Useful Post:
Indigo (07-19-2019)
  #3  
Old 03-16-2015, 06:12
Insid3Code's Avatar
Insid3Code Insid3Code is offline
Family
 
Join Date: May 2013
Location: Algeria
Posts: 84
Rept. Given: 47
Rept. Rcvd 60 Times in 30 Posts
Thanks Given: 24
Thanks Rcvd at 108 Times in 56 Posts
Insid3Code Reputation: 60
Quote:
Originally Posted by user1 View Post
May I ask to explain a bit more?
When you try to analyze a suspicious file (malware), usually you do it in a virtual machine, and in case where the suspicious file uses some tricks to detect your virtual analysis lab, based on its strings or hardware signature, here you need to make a custom configuration or patch some strings/hardware signature to avoid virtual machine detection.

EP_X0FF has made a great job by releasing and sharing (tut and tool with source) VM detection mitigation for (VirtualBox)
__________________
Computer Forensics
Reply With Quote
The Following 2 Users Gave Reputation+1 to Insid3Code For This Useful Post:
niculaita (03-23-2015), user1 (03-16-2015)
The Following 3 Users Say Thank You to Insid3Code For This Useful Post:
Indigo (07-19-2019), softgate (04-02-2015), user1 (04-03-2015)
  #4  
Old 03-16-2015, 15:32
user1 user1 is offline
Family
 
Join Date: Sep 2012
Location: OUT
Posts: 1,061
Rept. Given: 591
Rept. Rcvd 120 Times in 67 Posts
Thanks Given: 737
Thanks Rcvd at 590 Times in 350 Posts
user1 Reputation: 41
So if I give u a custom Hwid that has a soft tied to HDD and BIOS can this VirtualBox emulate them?
Reply With Quote
The Following User Says Thank You to user1 For This Useful Post:
Indigo (07-19-2019)
  #5  
Old 03-17-2015, 04:59
sendersu sendersu is offline
VIP
 
Join Date: Oct 2010
Posts: 1,167
Rept. Given: 334
Rept. Rcvd 233 Times in 123 Posts
Thanks Given: 273
Thanks Rcvd at 556 Times in 312 Posts
sendersu Reputation: 200-299 sendersu Reputation: 200-299 sendersu Reputation: 200-299
>Project comes with full source code. In order to build from source you need: Microsoft Visual Studio 2013 U4 and later versions for loader build. Windows Driver Kit 8.1 U1 and later versions for driver build.

vbox AFAIK has a lot of drivers, what about signing them for correct usage udner win7+?
Reply With Quote
The Following 2 Users Say Thank You to sendersu For This Useful Post:
Indigo (07-19-2019), user1 (04-03-2015)
  #6  
Old 03-17-2015, 07:03
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 490
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 89
Thanks Rcvd at 714 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
Quote:
Originally Posted by sendersu View Post
vbox AFAIK has a lot of drivers, what about signing them for correct usage udner win7+?
use a patched kernel or enable testsigning
Reply With Quote
The Following User Gave Reputation+1 to mr.exodia For This Useful Post:
user1 (04-03-2015)
The Following 2 Users Say Thank You to mr.exodia For This Useful Post:
Indigo (07-19-2019), user1 (04-03-2015)
  #7  
Old 03-17-2015, 16:00
Insid3Code's Avatar
Insid3Code Insid3Code is offline
Family
 
Join Date: May 2013
Location: Algeria
Posts: 84
Rept. Given: 47
Rept. Rcvd 60 Times in 30 Posts
Thanks Given: 24
Thanks Rcvd at 108 Times in 56 Posts
Insid3Code Reputation: 60
Quote:
Originally Posted by user1 View Post
So if I give u a custom Hwid that has a soft tied to HDD and BIOS can this VirtualBox emulate them?
The main problem you need to resolve when using another Hardware (configuration) is the compatibility with VirtualBox releases, so full testing is required.
I have not yet replaced or modified the (Tables) provided by EP_X0FF.

Quote:
Originally Posted by sendersu View Post
vbox AFAIK has a lot of drivers, what about signing them for correct usage udner win7+?
Self-Signing and changing/patching the boot configuration (x64 kernel) is the best way you need for testing purpose as alternative to (Buy) digital certificate $$$
__________________
Computer Forensics
Reply With Quote
The Following User Gave Reputation+1 to Insid3Code For This Useful Post:
user1 (03-19-2015)
The Following 2 Users Say Thank You to Insid3Code For This Useful Post:
Indigo (07-19-2019), user1 (04-03-2015)
  #8  
Old 03-19-2015, 19:56
ahmadmansoor's Avatar
ahmadmansoor ahmadmansoor is offline
Coder
 
Join Date: Feb 2006
Location: Syria
Posts: 1,047
Rept. Given: 515
Rept. Rcvd 374 Times in 142 Posts
Thanks Given: 378
Thanks Rcvd at 410 Times in 119 Posts
ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399
what about vmware ??, alot of guys use it .
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
Reply With Quote
The Following 2 Users Say Thank You to ahmadmansoor For This Useful Post:
Indigo (07-19-2019), user1 (04-03-2015)
  #9  
Old 03-20-2015, 03:30
Insid3Code's Avatar
Insid3Code Insid3Code is offline
Family
 
Join Date: May 2013
Location: Algeria
Posts: 84
Rept. Given: 47
Rept. Rcvd 60 Times in 30 Posts
Thanks Given: 24
Thanks Rcvd at 108 Times in 56 Posts
Insid3Code Reputation: 60
Quote:
Originally Posted by ahmadmansoor View Post
what about vmware ??, alot of guys use it .
Yes, I have read several articles dealing with the subject, I think the best way is to try to collect and expose all VMware detection tricks (widely used/private) in open source snippet project (GitHub) and binary ready to use for testing purpose, then develop some countermeasures.
__________________
Computer Forensics
Reply With Quote
The Following User Gave Reputation+1 to Insid3Code For This Useful Post:
user1 (03-23-2015)
The Following 2 Users Say Thank You to Insid3Code For This Useful Post:
Indigo (07-19-2019), user1 (04-03-2015)
  #10  
Old 04-02-2015, 01:09
Insid3Code's Avatar
Insid3Code Insid3Code is offline
Family
 
Join Date: May 2013
Location: Algeria
Posts: 84
Rept. Given: 47
Rept. Rcvd 60 Times in 30 Posts
Thanks Given: 24
Thanks Rcvd at 108 Times in 56 Posts
Insid3Code Reputation: 60
Updated...
Quote:
VirtualBox EFI video driver patched. Now you can install UEFI compatible OS'es using AntiVM detection patch without problems with video (e.g. black screen during install, or when already installed VM accessible only via RDP).

If you plan to use EFI based VM's:

1) Make sure, Tsugumi is properly unloaded (using remove.cmd) before doing next step.
2) Make copy of VBoxEFI64.fd in VirtualBox directory.
3) Replace VBoxEFI64.fd in VirtualBox directory with it patched version from this patch data directory.
4) Use hidevm_efiahci (AHCI controller mode) or hidevm_efiide (IDE controller mode) for your EFI VM.
5) Load Tsugumi (using install.cmd).
6) Run VirtualBox.

Binaries and loader source -> https://github.com/hfiref0x/VBoxHardenedLoader.
__________________
Computer Forensics
Reply With Quote
The Following User Gave Reputation+1 to Insid3Code For This Useful Post:
user1 (04-03-2015)
The Following 3 Users Say Thank You to Insid3Code For This Useful Post:
Indigo (07-19-2019), softgate (04-02-2015), user1 (04-03-2015)
  #11  
Old 04-03-2015, 01:18
user1 user1 is offline
Family
 
Join Date: Sep 2012
Location: OUT
Posts: 1,061
Rept. Given: 591
Rept. Rcvd 120 Times in 67 Posts
Thanks Given: 737
Thanks Rcvd at 590 Times in 350 Posts
user1 Reputation: 41
Quote:
Yes, I have read several articles dealing with the subject, I think the best way is to try to collect and expose all VMware detection tricks (widely used/private) in open source snippet project (GitHub) and binary ready to use for testing purpose, then develop some countermeasures.
Don't know if open source project is best way to expose anti - VM detection tricks....
Reply With Quote
The Following User Says Thank You to user1 For This Useful Post:
Indigo (07-19-2019)
  #12  
Old 04-03-2015, 04:11
Insid3Code's Avatar
Insid3Code Insid3Code is offline
Family
 
Join Date: May 2013
Location: Algeria
Posts: 84
Rept. Given: 47
Rept. Rcvd 60 Times in 30 Posts
Thanks Given: 24
Thanks Rcvd at 108 Times in 56 Posts
Insid3Code Reputation: 60
Yes, releasing something (vulnerability/exploit) that can be used for malicious purposes by bad guys is always problematic, but IMHO expose a vulnerability (to the author first, then to the public after that the fix was released) can help developers and users to be better protected.

In VM detection case, EP_X0FF work around known tricks used by malware authors in real life, and malware authors also search what is new (Underground/Private forums). Do not expose these tricks lead to more victims.

Collect and expose all VM detection tricks in open source project can help also all RCE Newbies to better learn and test binary analysis.
__________________
Computer Forensics
Reply With Quote
The Following User Gave Reputation+1 to Insid3Code For This Useful Post:
user1 (04-03-2015)
The Following 2 Users Say Thank You to Insid3Code For This Useful Post:
Indigo (07-19-2019), user1 (04-03-2015)
  #13  
Old 04-25-2015, 00:53
Conquest Conquest is offline
Friend
 
Join Date: Jan 2013
Location: 0x484F4D45
Posts: 125
Rept. Given: 46
Rept. Rcvd 29 Times in 17 Posts
Thanks Given: 31
Thanks Rcvd at 60 Times in 29 Posts
Conquest Reputation: 29
I have previously tried vbox , but its is slow compared to vmware workstation. how much performance hit will i get disabling the 2d/3d accelerations and these customizations
Reply With Quote
The Following User Says Thank You to Conquest For This Useful Post:
Indigo (07-19-2019)
  #14  
Old 05-24-2015, 03:46
Evilcry Evilcry is offline
Friend
 
Join Date: Jan 2009
Posts: 58
Rept. Given: 4
Rept. Rcvd 15 Times in 9 Posts
Thanks Given: 2
Thanks Rcvd at 41 Times in 18 Posts
Evilcry Reputation: 15
Loader has been updated for VirtualBox 4.3.28, UEFI - available on the github repository previously mentioned.
Reply With Quote
The Following User Says Thank You to Evilcry For This Useful Post:
Indigo (07-19-2019)
  #15  
Old 05-27-2015, 09:15
Fyyre's Avatar
Fyyre Fyyre is offline
Fyyre
 
Join Date: Dec 2009
Location: 0°N 0°E / 0°N 0°E / 0; 0
Posts: 273
Rept. Given: 89
Rept. Rcvd 86 Times in 39 Posts
Thanks Given: 167
Thanks Rcvd at 340 Times in 118 Posts
Fyyre Reputation: 86
EP_X0FF is a long time good friend of mine. He makes such tools not for malicious usage.
__________________
Best Wishes,

Fyyre

--

https://github.com/Fyyre
Reply With Quote
The Following 2 Users Say Thank You to Fyyre For This Useful Post:
Indigo (07-19-2019), Insid3Code (05-27-2015)
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
kernelmode.info (The End of Adventure) Insid3Code General Discussion 10 04-01-2018 07:21
DSEFix x64 (kernelmode.info) Insid3Code x64 OS 1 05-15-2017 01:53
[C/C++] UACME (kernelmode.info) Insid3Code Source Code 0 03-29-2015 18:32
[C/C++ ] VMDE (kernelmode.info) Insid3Code Source Code 0 03-18-2015 20:47
WinObjEx64 (kernelmode.info) Insid3Code Community Tools 1 03-02-2015 00:04


All times are GMT +8. The time now is 01:13.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )