Thursday, August 23, 2012

Modifying VirtualBox settings for malware analysis

If you are using VirtualBox for malware analysis,  either with a sandbox like Cuckoo or stand alone. You probably would like to be able to run modern malware even those samples that are VM aware.

Here are a few tips to make your VirtualBox guest somewhat harder to detect.

First run dmidecode on your host (I assume it's a Linux based one, but this can be performed on other OSes as well)

#dmidecode -t0
#dmidecode -t1

You will get an output that looks something like this:

BIOS Information
  •     Vendor: <vendor>
  •     Version: <BIOS version>
  •     Release Date: <BIOS date>
System Information
  •     Manufacturer: <vendor>
  •     Product Name: <product>
  •     Version: <hw "version">
  •     Serial Number: <S/N>
  •     UUID: <UUID>
  •     Wake-up Type: Power Switch
  •     SKU Number: Not Specified
  •     Family: <"hw "version">
To make it easier to apply these settings on several guest's, create a script that
contains the following commands:
(Populate the values with information from the Dmidecode output above)

VBoxManage setextradata  "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor"        "<vendor>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion"       "<BIOS version>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate"   "<BIOS date"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor"  <value from BIOS date>
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor"  <value from BIOS date>
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor" <value from BIOS date>
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor" <value from BIOS date>
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor"      "<vendor>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct"     "<product>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion"     "<product>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial"      "<S/N>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSKU"         "Not Specified"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily"      "<"hw version">"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid"     "<UUID>"


Also:
  • Change MAC address:     
 VBoxManage modifyvm "<vm name>" --macaddressX <MAC>
  •  Change disk settings:
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/SerialNumber"  "<serial>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/FirmwareRevision" "<firmware>"
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/ModelNumber" "<model>"

  • Detach CDROM (or change settings for the CD-ROM)
  • Don't install vbox tools! 
Use:" VBoxManage getextradata "<vm name>"  enumerate " to review your settings.

/Micke

Update1:

Untested but might be useful..
VBoxManage setextradata "VM name" "VBoxInternal/TM/TSCTiedToExecution" 1


23 comments:

  1. Good info, but you are missing some parameters:

    http://www.virtualbox.org/manual/ch09.html#changedmi

    ReplyDelete
    Replies
    1. Hi you are correct. I have not updated the blog post in a while. Which I might have to do. The missing settings I guess were added in newer version. It seems like as time progress more values are being able populate from the host to the guest which is great. Thanks for you comment!

      Delete
  2. Hello Mikael,

    I have tried the changes but the virtual machine seems no to get them even been correctly applied, checked with enumerate.

    Any idea?

    The vm is a windows xp sp3.

    Thanks for your time

    ReplyDelete
    Replies
    1. Hi Janus,

      Sorry for my late reply. Which version of VBox are you using?

      Delete
    2. I am having the same issue. Ubuntu 13.04 host running Windows XP SP2 inside of VirtualBox 4.2.10. I run the setextradata command to change the vendor and version for DMI Type 0, and when I run dmidecode in the XP guest, the BIOS info still shows innotek GmbH and VirtualBox for the vendor and version.

      Delete
    3. Hi,
      I will post an update regarding how to modify VBox, give me a few days to finish it. The setup is the same as the one you describe so hopefully your issue will be resolved.
      Otherwise please let me know!

      /Micke

      Delete
  3. Thnx for a nice tutorial (and all over top notch blog entries)!

    //B. September

    ReplyDelete
  4. Does not work in VirtualBox 4.3.28, ubunit 14.0.2

    ReplyDelete
  5. enumerate shows values when queried with vboxmange, but inside the machine, dmidecode shows default values

    dmidecode 2.12
    SMBIOS 2.5 present.

    Handle 0x0000, DMI type 0, 20 bytes
    BIOS Information
    Vendor: innotek GmbH
    Version: VirtualBox
    Release Date: 12/01/2006
    Address: 0xE0000
    Runtime Size: 128 kB
    ROM Size: 128 kB
    Characteristics:
    ISA is supported
    PCI is supported
    Boot from CD is supported
    Selectable boot is supported
    8042 keyboard services are supported (int 9h)
    CGA/mono video services are supported (int 10h)
    ACPI is supported
    From enumerate

    Key: GUI/LastNormalWindowPosition, Value: 392,25,1204,841
    Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor, Value: 3
    Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor, Value: 4
    Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate, Value: 06/25/2013
    Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor, Value: 1
    Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor, Value: 2
    Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor, Value: Dell Inc.
    Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion, Value: string:Version A16

    ReplyDelete
  6. Hi,

    The latest version of the script is available on Github, please try that one and please apply the setting before your first boot of the vm. If you don't get it to work please let me know.

    https://github.com/nsmfoo/antivmdetection

    Regards
    Mikael @nsmfoo

    ReplyDelete
  7. Hi Mikael, first of all thanks for your great work. I have 2 error when I launch the antivmdetect.py. The first error says
    ------------------------------------------------------------------------------------------------------
    File "antivmdetect.py", line 302, in
    logfile.write('VBoxManage setextradata "$1" VBoxInternal/Devices/acpi/0/Config/AcpiCreatorRev\t\'' + acpi_list[5] + '\'\n')
    IndexError: list index out of range
    ------------------------------------------------------------------------------------------------------
    Solved by replacing the line 302 with
    if len(acpi_list) == 6 : logfile.write('VBoxManage setextradata "$1" VBoxInternal/Devices/acpi/0/Config/AcpiCreatorRev\t\'' + acpi_list[5] + '\'\n')

    The second is:
    ------------------------------------------------------------------------------------------------------
    File "antivmdetect.py", line 349, in
    logfile.write('@reg copy HKLM\HARDWARE\ACPI\DSDT\VBOX__ HKLM\HARDWARE\ACPI\DSDT\\' + manu + ' /s /f\r\n')
    NameError: name 'manu' is not defined
    ------------------------------------------------------------------------------------------------------
    Solved by adding a:
    manu = acpi_list[1]
    outside the if construct. I have an HP Pavilion and the if cases does not consider that.
    Are my patch correct?
    Thanks Again!

    ReplyDelete
  8. Hi Mikael! It seems that the first error was caused by the missing on my system of acpidump, so I have solved doing:
    apt-get install acpidump

    ReplyDelete
    Replies
    1. I will make a note to add a check to see if necessary applications are installed

      Delete
  9. Hi Mikael! It's me again! In order to take all my information system I have downloaded and installed smartmontools and libcdio-utils. Then I have created a new VM and I have executed the .sh file. I have enabled the I/O APIC too. Everything goes ok, but when I launch for the first time my machine I have an error:
    ACPI tables bigger than 64KB (VERR_TOO_MUCH_DATA).
    How I can solve it?

    ReplyDelete
  10. The latest release (https://github.com/nsmfoo/antivmdetection) will give you a warning if your DSDT table is larger then 64K, which is sadly very common in new hardware. So you will have to find a computer that produces DSDT tables that are smaller then the maximum size. Question has been raised with the VBox devs but not sure the size will be increased anytime soon..

    ReplyDelete
    Replies
    1. Ok thanks! I will try with an old laptop. I have used the last release but no warning was given. I have printed the variable in the if construct ( line 322 ) and in my case is lower than 64k, precisely 61230, maybe you must check another variable. I hope It will help you. Great Work!

      Delete
  11. If the file size is lower then 64k, then it should be OK and you should not see the "to large" error message. Can you verify in the .vbox file that it uses the DSDT file you created that had a "good" size? If so, then I need to look what more into it I guess =)

    ReplyDelete
  12. My file DSDT_HPPavilion15NotebookPC.bin is 61.2 kB but nevertheless it gives me the "too large" error message. Do you want to see that file? If yes, how can I give it to you?

    Another thing, the vbox application expects for the DmiBoardProduct parameter a string but the field gathered in my case is an integer. Maybe a check about the type could be usefull. In my case I have solved it by adding a space after that int, doing something like that
    line 55 dmi_info['DmiBoardProduct'] = v['data']['Product Name']+' '
    I'm doing that, but I don't know the field will be processed by vbox. Is it correct?

    ReplyDelete
  13. Sorry, late reply. If you have the possibility to follow me on Twitter temporary. DM me for contact information. Let me know if this is not an option.

    I did not have access to any HP clients. I will try to implement a fix for the issue. Thanks for bringing this forward. Much appreciated!

    ReplyDelete
    Replies
    1. Hi Mikael! I have made a pull request on github to show you my changes to your script. Check them, It's the first time that I post something on github, I'm not skilled, I could have made some mistakes.
      Let me know! Good day!

      Delete
  14. Hi, I can see your fork, but not the pull request. Can you try again? No worries I'm not a Git ninja either =)

    ReplyDelete
  15. 5 years later still have 64k limitation

    ReplyDelete