Tuesday, October 2, 2012

Modifying VirtualBox settings for malware analysis part 3

A follow-up on my two previous posts about preparing VirtualBox for malware analysis.

I hope this third post concludes this research, for a while at least.

Please review the two earlier posts before applying the settings below.


Modify the BIOS.

I decided to test VirtualBox 4.2, which lets you install your own SLIC table (there were a couple of patches for 4.1 floating around).

By adding your own SLIC you close a couple more ways of detecting the presence of a virtual machine, and it also makes the guest look a bit more "natural".

Start by dumping the host's SLIC table to SLIC.bin:

    sudo dd if=/sys/firmware/acpi/tables/SLIC of=SLIC.bin

Give SLIC.bin to the user that runs VirtualBox and move it somewhere you see fit, e.g. the VM's own folder:

    sudo chown <vbox user>:<vbox user> SLIC.bin
    mv SLIC.bin "../VirtualBox VMs/<VM name>/"


Then run the following command to point the guest's ACPI config at the table:

    VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/acpi/0/Config/CustomTable" "<path to SLIC.bin>"

VirtualBox 4.2 also lets you pass a few more DMI values from the host to the guest. If they are left unset, the guest sees telltale strings like "Oracle" and "VirtualBox"/"VBOX".

Start by retrieving some more information from your physical host, beginning with the base board table:

    sudo dmidecode -t2

Sample output:

Base Board Information
    Manufacturer: <Vendor>
    Product Name: <Product>
    Version: Not Available
    Serial Number: <Serial>
    Asset Tag: Not Specified
    Features: None
    Location In Chassis: Not Specified
    Chassis Handle: <Value>
    Type: Unknown
    Contained Object Handles: 0


Set the values using the output above:

    VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVendor" "<Vendor>"
    VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardProduct" "<Product>"
    VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVersion" "Not Available"
    VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardSerial"  "<Serial>"
    VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardAssetTag"  "Not Specified"
    VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardLocInChass" "Not Specified"


Then run dmidecode once more, this time for the chassis table:

    sudo dmidecode -t3

Sample output:

Chassis Information
    Manufacturer: <Vendor>
    Type: Notebook
    Lock: Not Present
    Version: Not Available
    Serial Number: <Serial>
    Asset Tag: No Asset Information
    Boot-up State: Unknown
    Power Supply State: Unknown
    Thermal State: Unknown
    Security Status: Unknown
    OEM Information: 0x00000000
    Height: Unspecified
    Number Of Power Cords: Unspecified
    Contained Elements: 0



Set the values using the output above:

    VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVendor"   "<Vendor>"
    VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVersion"  "Not Available"
    VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisSerial"   "<Serial>"
    VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisAssetTag" "No Asset Information"
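
As an added example (not part of the original post), the Python script below parses the output of `sudo dmidecode -t2` and `sudo dmidecode -t3` and prints the matching VBoxManage setextradata commands for the DmiBoard* and DmiChassis* keys above, so the host values are copied verbatim instead of being retyped. The embedded dmidecode text and the VM name used in the test are constructed samples, not values from a real host.

```python
import shlex

# dmidecode field -> VirtualBox pcbios config key (only the keys used in this post)
BOARD_KEYS = {"Manufacturer": "DmiBoardVendor", "Product Name": "DmiBoardProduct",
              "Version": "DmiBoardVersion", "Serial Number": "DmiBoardSerial",
              "Asset Tag": "DmiBoardAssetTag", "Location In Chassis": "DmiBoardLocInChass"}
CHASSIS_KEYS = {"Manufacturer": "DmiChassisVendor", "Version": "DmiChassisVersion",
                "Serial Number": "DmiChassisSerial", "Asset Tag": "DmiChassisAssetTag"}
SECTIONS = {"Base Board Information": BOARD_KEYS, "Chassis Information": CHASSIS_KEYS}
# Constructed sample of `sudo dmidecode -t2 -t3` output (not taken from a real host)
SAMPLE = """\
Handle 0x0002, DMI type 2, 15 bytes
Base Board Information
\tManufacturer: ExampleCorp
\tProduct Name: EX-1234
\tVersion: Not Available
\tSerial Number: ABC123
\tAsset Tag: Not Specified
\tFeatures:
\t\tBoard is a hosting board
\tLocation In Chassis: Not Specified

Chassis Information
\tManufacturer: ExampleCorp
\tVersion: Not Available
\tSerial Number: CHS987
\tAsset Tag: No Asset Information
"""

def parse_dmidecode(text):
    """Return {section title: {field: value}} from the indented 'Field: value' lines."""
    tables, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():  # section title or a 'Handle ...' header
            current = tables.setdefault(line, {}) if line in SECTIONS else None
        elif current is not None and ":" in line:  # nested items and blank lines have no colon
            field, value = line.split(":", 1)
            current[field.strip()] = value.strip()
    return tables

def build_commands(vm_name, text):
    """One 'VBoxManage setextradata' line per DMI field present in the dmidecode output."""
    tables, cmds = parse_dmidecode(text), []
    for section, keys in SECTIONS.items():
        for field, vbox_key in keys.items():
            if field in tables.get(section, {}):
                path = "VBoxInternal/Devices/pcbios/0/Config/" + vbox_key
                cmds.append("VBoxManage setextradata %s %s %s" % (
                    shlex.quote(vm_name), shlex.quote(path), shlex.quote(tables[section][field])))
    return cmds
```

Run it against real output with `sudo dmidecode -t2 -t3 | python3 -c 'import sys, gen; print("\n".join(gen.build_commands("<VM name>", sys.stdin.read())))'` (assuming the file is saved as gen.py) and review the lines before executing them.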


Because of the settings above, the batch script described in the previous posts has to be updated as well.

The script now looks like this:

Replace <VENDOR> with your hardware vendor.

--- start script -------

@rem Rename the VirtualBox ACPI registry keys (VBOX__, VBOXBIOS, VBOXFACP, VBOXRSDT)
@rem to neutral names and delete the originals. Replace <VENDOR> with your hardware vendor.
@reg copy HKLM\HARDWARE\ACPI\DSDT\VBOX__ HKLM\HARDWARE\ACPI\DSDT\WOOT__ /s /f
@reg delete HKLM\HARDWARE\ACPI\DSDT\VBOX__ /f

@reg copy HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\WOOT__\VBOXBIOS HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\WOOT__\WOOTBIOS /s /f
@reg delete HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\WOOT__\VBOXBIOS /f

@reg copy HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\<VENDOR>\VBOXFACP HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\<VENDOR>\WOOTFACP /s /f
@reg delete HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\<VENDOR>\VBOXFACP /f

@reg copy HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\<VENDOR>\VBOXRSDT HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\<VENDOR>\WOOTRSDT /s /f
@reg delete HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\<VENDOR>\VBOXRSDT /f

@rem Replace the VirtualBox video BIOS version string with a generic one
@reg add HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System /v VideoBiosVersion /t REG_MULTI_SZ /d "VGA BIOS v1.14" /f

----  end of script ---

