This post is long overdue, but here it is.
How to make qemu-kvm a bit harder to detect for malware and pentesters alike (ex: fool Metasploit checkvm).
I have found that using libvirt and virsh edit is a simple way to change the settings for the guest OS.
General guidelines:
* Don't install guest additions
* Change MAC address
<interface type='network'>
<mac address='xx:xx:xx:xx:xx:xx'/>
<source network='default'/>
<model type='rtl8139'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
*
Copy the host CPU info into the guest. (can be done in the XML file or
via virt-manager)
Processor -> configuration -> Copy host CPU
configuration
* Change BIOS information
Start by retrieving the dmidecode information for your host.
<os>
<smbios mode='sysinfo'/>
...
</os>
<sysinfo type='smbios'>
<bios>
<entry name='vendor'>XXXX</entry>
<entry name='version'>XXXXXX</entry>
<entry name='date'>XXXXX</entry>
<entry name='release'>XXXXX</entry>
</bios>
<system>
<entry name='manufacturer'>XXXXX</entry>
<entry name='product'>XXXXX</entry>
<entry name='version'>XXXXX</entry>
<entry name='serial'>XXXXX</entry>
<entry name='uuid'>XXXXXXXX</entry> <-- This values has to be the same as the other UUID variable found in the xml file
<entry name='sku'>XXXXXX</entry>
<entry name='family'>XXXXXX</entry>
</system>
</sysinfo>
* Change Harddrive model
In my quest to find an easy way to change the harddrive model number from QEMU HARDDISK to something else, I stumble up on this patch:
https://lists.gnu.org/archive/html/qemu-devel/2012-03/msg02272.html.
But the stock qemu-kvm shipped with Ubuntu does not support the "model=" setting. So I downloaded the latest qemu-kvm source, as I thought that the patch would be incorporated in that release. Sadly I did not get it to work quickly (adding it as a qdev option might have worked)
It could have been that libvirt version which is shipped with Ubuntu did not support
me adding the setting via virsh ..anyway a quick fix to the problem was to edit
core.c and replace "QEMU HARDDISK" with something else as I already had the source.
Edit file: qemu-kvm-1.2.0-rc2/hw/ide/core.c
Org: strcpy(s->drive_model_str, "QEMU HARDDISK");
Change: strcpy(s->drive_model_str, "XXXXXXX");
* Registry edit
Change "WOOT" to something more suitable. As with Virtualbox, if you are using Cuckoo this script has to be run only once. If you need to reboot, add the script to auto execute after reboot to change those pesky registry values that are reset after each reboot.
-- start of script ---
@reg copy HKLM\HARDWARE\ACPI\DSDT\BXPC HKLM\HARDWARE\ACPI\DSDT\WOOT /s /f
@reg delete HKLM\HARDWARE\ACPI\DSDT\BXPC /f
@reg copy HKLM\HARDWARE\ACPI\DSDT\WOOT\BXDSDT HKLM\HARDWARE\ACPI\DSDT\WOOT\WOOT /s /f
@reg delete HKLM\HARDWARE\ACPI\DSDT\WOOT\BXDSDT /f
@reg copy HKLM\HARDWARE\ACPI\FADT\BOCHS_ HKLM\HARDWARE\ACPI\FADT\WOOT /s /f
@reg delete HKLM\HARDWARE\ACPI\FADT\BOCHS_ /f
@reg copy HKLM\HARDWARE\ACPI\FADT\WOOT\BXPCFACP HKLM\HARDWARE\ACPI\FADT\WOOT\WOOT /s /f
@reg delete HKLM\HARDWARE\ACPI\FADT\WOOT\BXPCFACP /f
@reg copy HKLM\HARDWARE\ACPI\RSDT\BOCHS_ HKLM\HARDWARE\ACPI\RSDT\WOOT /s /f
@reg delete HKLM\HARDWARE\ACPI\RSDT\BOCHS_ /f
@reg copy HKLM\HARDWARE\ACPI\RSDT\WOOT\BXPCRSDT HKLM\HARDWARE\ACPI\RSDT\WOOT\WOOT /s /f
@reg delete HKLM\HARDWARE\ACPI\RSDT\WOOT\BXPCRSDT /f
@reg add HKLM\HARDWARE\DESCRIPTION\System /v SystemBiosVersion /t REG_MULTI_SZ /d "WOOT -1" /f
--- end of script ----
Update 1: Modify the BIOS.
At the moment my blog posts reflects my research, sporadic and a bit chaotic. Anyway I just noticed (it quite obvious really) that the BIOS would reveal the presences of a virtual guest so here is a way to make it less obvious.
Download the BIOS (seabios) source:
git clone git://git.seabios.org/seabios.git
Edit the following file:
seabios/src/config.h
Locate the following part:
#define CONFIG_APPNAME "Bochs"
#define CONFIG_CPUNAME8 "BOCHSCPU"
#define CONFIG_APPNAME6 "BOCHS "
#define CONFIG_APPNAME4 "BXPC"
And change it to something appropriate
#define CONFIG_APPNAME "DELL"
#define CONFIG_CPUNAME8 "DELLCPU"
#define CONFIG_APPNAME6 "DELL "
#define CONFIG_APPNAME4 "DELLS" (I don't know just change it to something..)
Run make and then replace the current one with the new one found in the "out" directory.
You can verify the change by using the Windows port of dmidecode, which contains a application called biosdecode.exe.
The value to look for is the OEM identifier. The change will also have some positive effect on the reg settings, in the sense that they will look more "natural"(?)
/Micke
@nsmfoo
Network security with a twist of Incident Response tidbits and other IT-security related topics.
Thursday, September 20, 2012
Sunday, September 2, 2012
Modifying VirtualBox settings for malware analysis part 2
I did some more research and noted that my previous post lacked some information/fixes.
If you apply the previously mentioned setting you will still be able to detected the guest, for example by using the Metasploit script checkvm.. but this can be fixed.
1) Start off with applying the previous setting for the virtualbox guest.
2) Then login to the guest and delete registry keys that is called something
like "VBOX".
On one of my guests I found the following. But you milage may vary depending on if you
added the virtualbox setting before booting the guest for the first time or not
I had VBOX related reg keys in the following locations:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\IDE\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\IDE\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\IDE\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\IDE\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\
There are a few keys that will be reset on reboot.
Reboot the guest and search once again in the registry to identify them.
If you are using cuckoo this will not be a problem as you don't restart the guest between tests. However if you do manually test you could add a script that performes the changes at boot.
The batch script below is based in information bluntly stolen from:
https://itsultra.wordpress.com/2011/12/07/how-to-play-maplestory-using-virtualbox-4-1-x/
I have added some more keys that the original script did not cover
Note: replace the string "WOOT" and "VGA BIOS v1.54" with a string of your choice.
-- start of script ---
@reg copy HKLM\HARDWARE\ACPI\DSDT\VBOX__ HKLM\HARDWARE\ACPI\DSDT\WOOT__ /s /f
@reg delete HKLM\HARDWARE\ACPI\DSDT\VBOX__ /f
@reg copy HKLM\HARDWARE\ACPI\RSDT\VBOX__ HKLM\HARDWARE\ACPI\RSDT\WOOT__ /s /f
@reg delete HKLM\HARDWARE\ACPI\RSDT\VBOX__ /f
@reg copy HKLM\HARDWARE\ACPI\FADT\VBOX__ HKLM\HARDWARE\ACPI\FADT\WOOT__ /s /f
@reg delete HKLM\HARDWARE\ACPI\FADT\VBOX__ /f
@reg copy HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\WOOT__\VBOXBIOS
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\WOOT__\WOOTBIOS /s /f
@reg delete HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\WOOT__\VBOXBIOS /f
@reg copy HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\WOOT__\VBOXFACP
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\WOOT__\WOOTFACP /s /f
@reg delete HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\WOOT__\VBOXFACP /f
@reg copy HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\WOOT__\VBOXRSDT
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\WOOT__\WOOTRSDT /s /f
@reg delete HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\WOOT__\VBOXRSDT /f
@reg add HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System /v
SystemBiosVersion /t REG_MULTI_SZ /d "WOOT -1" /f
@reg add HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System /v
VideoBiosVersion /t REG_MULTI_SZ /d "VGA BIOS v1.54" /f
--- end of script ---
There are of course other ways to identify a Virtualbox instance (or a Cuckoo sandbox in VBox or KVM). Some can be fixed other may not be so easily solved. I will update this post with some more fixed soon.
/Micke @nsmfoo
If you apply the previously mentioned setting you will still be able to detected the guest, for example by using the Metasploit script checkvm.. but this can be fixed.
1) Start off with applying the previous setting for the virtualbox guest.
2) Then login to the guest and delete registry keys that is called something
like "VBOX".
On one of my guests I found the following. But you milage may vary depending on if you
added the virtualbox setting before booting the guest for the first time or not
I had VBOX related reg keys in the following locations:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\IDE\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\IDE\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\IDE\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\IDE\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\
There are a few keys that will be reset on reboot.
Reboot the guest and search once again in the registry to identify them.
If you are using cuckoo this will not be a problem as you don't restart the guest between tests. However if you do manually test you could add a script that performes the changes at boot.
The batch script below is based in information bluntly stolen from:
https://itsultra.wordpress.com/2011/12/07/how-to-play-maplestory-using-virtualbox-4-1-x/
I have added some more keys that the original script did not cover
Note: replace the string "WOOT" and "VGA BIOS v1.54" with a string of your choice.
-- start of script ---
@reg copy HKLM\HARDWARE\ACPI\DSDT\VBOX__ HKLM\HARDWARE\ACPI\DSDT\WOOT__ /s /f
@reg delete HKLM\HARDWARE\ACPI\DSDT\VBOX__ /f
@reg copy HKLM\HARDWARE\ACPI\RSDT\VBOX__ HKLM\HARDWARE\ACPI\RSDT\WOOT__ /s /f
@reg delete HKLM\HARDWARE\ACPI\RSDT\VBOX__ /f
@reg copy HKLM\HARDWARE\ACPI\FADT\VBOX__ HKLM\HARDWARE\ACPI\FADT\WOOT__ /s /f
@reg delete HKLM\HARDWARE\ACPI\FADT\VBOX__ /f
@reg copy HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\WOOT__\VBOXBIOS
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\WOOT__\WOOTBIOS /s /f
@reg delete HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\WOOT__\VBOXBIOS /f
@reg copy HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\WOOT__\VBOXFACP
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\WOOT__\WOOTFACP /s /f
@reg delete HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\WOOT__\VBOXFACP /f
@reg copy HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\WOOT__\VBOXRSDT
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\WOOT__\WOOTRSDT /s /f
@reg delete HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\WOOT__\VBOXRSDT /f
@reg add HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System /v
SystemBiosVersion /t REG_MULTI_SZ /d "WOOT -1" /f
@reg add HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System /v
VideoBiosVersion /t REG_MULTI_SZ /d "VGA BIOS v1.54" /f
--- end of script ---
There are of course other ways to identify a Virtualbox instance (or a Cuckoo sandbox in VBox or KVM). Some can be fixed other may not be so easily solved. I will update this post with some more fixed soon.
/Micke @nsmfoo
Subscribe to:
Posts (Atom)