Here are a few tips to make your VirtualBox guest somewhat harder to detect.
First run dmidecode on your host (I assume it's a Linux-based one, but this can be performed on other OSes as well):
# dmidecode -t0
# dmidecode -t1
You will get an output that looks something like this:
BIOS Information
- Vendor: <vendor>
- Version: <BIOS version>
- Release Date: <BIOS date>
System Information
- Manufacturer: <vendor>
- Product Name: <product>
- Version: <hw "version">
- Serial Number: <S/N>
- UUID: <UUID>
- Wake-up Type: Power Switch
- SKU Number: Not Specified
- Family: <hw "version">
contains the following commands:
(Populate the values with information from the dmidecode output above.)
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "<vendor>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion" "<BIOS version>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate" "<BIOS date>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor" <value from BIOS date>
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor" <value from BIOS date>
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor" <value from BIOS date>
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor" <value from BIOS date>
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor" "<vendor>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct" "<product>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion" "<hw version>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial" "<S/N>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSKU" "Not Specified"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily" "<hw version>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid" "<UUID>"
Also:
- Change MAC address:
- Change disk settings:
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/FirmwareRevision" "<firmware>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/ModelNumber" "<model>"
- Detach the CD-ROM (or change settings for the CD-ROM)
- Don't install vbox tools!
/Micke
Update1:
Untested, but might be useful:
VBoxManage setextradata "VM name" "VBoxInternal/TM/TSCTiedToExecution" 1
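The dmidecode-to-extradata mapping above can be scripted. The following is an added example, not the author's script or code from the original post: it parses dmidecode output and builds the matching VBoxManage commands for the DMI keys listed in the post. The VM name `sandbox-vm` and the sample output are constructed, and the `string:` prefix for numeric-looking values follows the VirtualBox manual's DMI section.

```python
import re
import shlex

# dmidecode section -> field -> extradata key (key names as listed in the post)
KEYS = {
    "BIOS Information": {"Vendor": "DmiBIOSVendor", "Version": "DmiBIOSVersion",
                         "Release Date": "DmiBIOSReleaseDate"},
    "System Information": {"Manufacturer": "DmiSystemVendor", "Product Name": "DmiSystemProduct",
                           "Version": "DmiSystemVersion", "Serial Number": "DmiSystemSerial",
                           "SKU Number": "DmiSystemSKU", "Family": "DmiSystemFamily",
                           "UUID": "DmiSystemUuid"},
}
PREFIX = "VBoxInternal/Devices/pcbios/0/Config/"

def vbox_value(value):
    # Numeric-looking values need "string:" or VirtualBox stores them as integers.
    return "string:" + value if re.fullmatch(r"\d+|0[xX][0-9a-fA-F]+", value) else value

def build_commands(vm_name, dmi_text):
    """Return one VBoxManage argv list per recognised dmidecode field."""
    cmds, section = [], None
    for line in dmi_text.splitlines():
        if line and not line[0].isspace():  # unindented: handle line or section title
            section = line.strip()
            continue
        name, sep, value = (part.strip() for part in line.partition(":"))
        key = KEYS.get(section, {}).get(name)
        if sep and key and value:
            cmds.append(["VBoxManage", "setextradata", vm_name,
                         PREFIX + key, vbox_value(value)])
    return cmds

# Constructed sample of `dmidecode -t0 -t1` output (not from a real machine).
SAMPLE = """\
BIOS Information
\tVendor: Example Corp.
\tVersion: A16
\tRelease Date: 06/25/2013
Handle 0x0001, DMI type 1, 27 bytes
System Information
\tManufacturer: Example Corp.
\tProduct Name: 2570
\tVersion: 01
\tUUID: 00000000-0000-0000-0000-000000000000
"""

if __name__ == "__main__":
    for cmd in build_commands("sandbox-vm", SAMPLE):
        print(shlex.join(cmd))
```

Apply the generated commands while the VM is powered off, then confirm inside the guest with dmidecode that the values are the ones you set.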
Good info, but you are missing some parameters:
http://www.virtualbox.org/manual/ch09.html#changedmi
Hi, you are correct. I have not updated the blog post in a while, which I might have to do. The missing settings, I guess, were added in a newer version. It seems that as time progresses, more values can be populated from the host to the guest, which is great. Thanks for your comment!
Hello Mikael,
I have tried the changes, but the virtual machine does not seem to get them even though they have been correctly applied (checked with enumerate).
Any idea?
The VM is Windows XP SP3.
Thanks for your time
Hi Janus,
Sorry for my late reply. Which version of VBox are you using?
I am having the same issue. Ubuntu 13.04 host running Windows XP SP2 inside of VirtualBox 4.2.10. I run the setextradata command to change the vendor and version for DMI Type 0, and when I run dmidecode in the XP guest, the BIOS info still shows innotek GmbH and VirtualBox for the vendor and version.
Hi,
I will post an update regarding how to modify VBox, give me a few days to finish it. The setup is the same as the one you describe so hopefully your issue will be resolved.
Otherwise please let me know!
/Micke
Thanks for a nice tutorial (and all over top notch blog entries)!
//B. September
Thank you! =)
Does not work in VirtualBox 4.3.28, Ubuntu 14.0.2
enumerate shows values when queried with VBoxManage, but inside the machine, dmidecode shows default values
dmidecode 2.12
SMBIOS 2.5 present.
Handle 0x0000, DMI type 0, 20 bytes
BIOS Information
Vendor: innotek GmbH
Version: VirtualBox
Release Date: 12/01/2006
Address: 0xE0000
Runtime Size: 128 kB
ROM Size: 128 kB
Characteristics:
ISA is supported
PCI is supported
Boot from CD is supported
Selectable boot is supported
8042 keyboard services are supported (int 9h)
CGA/mono video services are supported (int 10h)
ACPI is supported
From enumerate
Key: GUI/LastNormalWindowPosition, Value: 392,25,1204,841
Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor, Value: 3
Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor, Value: 4
Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate, Value: 06/25/2013
Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor, Value: 1
Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor, Value: 2
Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor, Value: Dell Inc.
Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion, Value: string:Version A16
Hi,
The latest version of the script is available on GitHub, please try that one and please apply the settings before your first boot of the VM. If you don't get it to work please let me know.
https://github.com/nsmfoo/antivmdetection
Regards
Mikael @nsmfoo
Hi Mikael, first of all thanks for your great work. I have 2 errors when I launch antivmdetect.py. The first error says
------------------------------------------------------------------------------------------------------
File "antivmdetect.py", line 302, in
logfile.write('VBoxManage setextradata "$1" VBoxInternal/Devices/acpi/0/Config/AcpiCreatorRev\t\'' + acpi_list[5] + '\'\n')
IndexError: list index out of range
------------------------------------------------------------------------------------------------------
Solved by replacing the line 302 with
if len(acpi_list) == 6 : logfile.write('VBoxManage setextradata "$1" VBoxInternal/Devices/acpi/0/Config/AcpiCreatorRev\t\'' + acpi_list[5] + '\'\n')
The second is:
------------------------------------------------------------------------------------------------------
File "antivmdetect.py", line 349, in
logfile.write('@reg copy HKLM\HARDWARE\ACPI\DSDT\VBOX__ HKLM\HARDWARE\ACPI\DSDT\\' + manu + ' /s /f\r\n')
NameError: name 'manu' is not defined
------------------------------------------------------------------------------------------------------
Solved by adding a:
manu = acpi_list[1]
outside the if construct. I have an HP Pavilion and the if cases do not consider that.
Are my patches correct?
Thanks Again!
Hi Mikael! It seems that the first error was caused by acpidump missing on my system, so I have solved it by doing:
apt-get install acpidump
I will make a note to add a check to see if necessary applications are installed
Hi Mikael! It's me again! In order to collect all my system information I have downloaded and installed smartmontools and libcdio-utils. Then I created a new VM and executed the .sh file. I have enabled the I/O APIC too. Everything goes OK, but when I launch my machine for the first time I get an error:
ACPI tables bigger than 64KB (VERR_TOO_MUCH_DATA).
How can I solve it?
The latest release (https://github.com/nsmfoo/antivmdetection) will give you a warning if your DSDT table is larger than 64K, which is sadly very common in new hardware. So you will have to find a computer that produces DSDT tables that are smaller than the maximum size. Question has been raised with the VBox devs but not sure the size will be increased anytime soon.
Ok thanks! I will try with an old laptop. I have used the last release but no warning was given. I have printed the variable in the if construct (line 322) and in my case it is lower than 64k, precisely 61230, maybe you must check another variable. I hope it will help you. Great work!
If the file size is lower than 64k, then it should be OK and you should not see the "too large" error message. Can you verify in the .vbox file that it uses the DSDT file you created that had a "good" size? If so, then I need to look more into it I guess =)
My file DSDT_HPPavilion15NotebookPC.bin is 61.2 kB but nevertheless it gives me the "too large" error message. Do you want to see that file? If yes, how can I give it to you?
Another thing, the vbox application expects a string for the DmiBoardProduct parameter, but the field gathered in my case is an integer. Maybe a check of the type could be useful. In my case I have solved it by adding a space after that int, doing something like this:
line 55 dmi_info['DmiBoardProduct'] = v['data']['Product Name']+' '
I'm doing that, but I don't know the field will be processed by vbox. Is it correct?
Sorry, late reply. If you have the possibility to follow me on Twitter temporarily, DM me for contact information. Let me know if this is not an option.
I did not have access to any HP clients. I will try to implement a fix for the issue. Thanks for bringing this forward. Much appreciated!
Hi Mikael! I have made a pull request on GitHub to show you my changes to your script. Check them, it's the first time that I post something on GitHub, I'm not skilled, I could have made some mistakes.
Let me know! Good day!
Hi, I can see your fork, but not the pull request. Can you try again? No worries I'm not a Git ninja either =)
5 years later still have 64k limitation