Follow-up on my two previous posts regarding preparing VirtualBox for malware analysis.
I hope this third post concludes this research, for a while at least.
Please review the two earlier posts before applying the settings below.
Modify the BIOS.
By adding your own DSDT image you close a couple more ways of detecting the presence of a virtual machine, and it also makes the guest look a bit more "natural". Keep in mind that the host's DSDT describes the host's devices rather than the virtual ones, so verify that the guest still boots and behaves normally after the change.
Start by generating a DSDT image from the host's ACPI tables (root is needed to read them):
sudo dd if=/sys/firmware/acpi/tables/DSDT of=DSDT.bin
Move DSDT.bin to wherever you see fit, for instance the VM's own directory, and make it readable by the user that runs VirtualBox (dd ran as root, so the file is owned by root):
mv DSDT.bin "../VirtualBox VMs/<vm name>/"
sudo chown <vbox user>:<vbox user> "../VirtualBox VMs/<vm name>/DSDT.bin"
Then run the following command to point the guest's ACPI device at the file. Use the full path, quoted if it contains spaces; the setting is picked up the next time the VM starts:
VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/acpi/0/Config/CustomTable" "<path to DSDT.bin>"
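Before handing the dump to VirtualBox it is worth checking that it is a complete, valid table and knowing what its header says: the OEM ID and OEM Table ID in that header are what Windows uses to name the keys under HKLM\HARDWARE\ACPI\DSDT, which is how a space-padded OEM ID such as VirtualBox's "VBOX  " ends up as the VBOX__ key the batch script further down renames. The script here is an added example, not part of the original post. It parses the 36-byte ACPI table header with dd, od and awk, verifies that the length field matches the file size and that all bytes sum to zero mod 256, and prints the registry key the table will show up as. It runs against a constructed 40-byte sample with made-up OEM strings ("ACME  " / "ACMEBIOS") so it works offline; point acpi_table_check at your real DSDT.bin to check that instead.

```shell
#!/bin/sh
# Added example: sanity-check an ACPI table dump before using it as CustomTable.
# The sample table built by make_sample_dsdt is constructed for this demo; the
# OEM ID "ACME  " and OEM Table ID "ACMEBIOS" are made up.

# Raw bytes of a header field: acpi_field FILE OFFSET LENGTH
acpi_field() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null
}

# 32-bit little-endian integer at OFFSET: acpi_le32 FILE OFFSET
acpi_le32() {
    od -An -tu1 -v -j "$2" -N 4 "$1" |
        awk '{ print $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 }'
}

# Sum of every byte mod 256. Byte 9 is the checksum, chosen so a valid table sums to 0.
acpi_checksum() {
    od -An -tu1 -v "$1" | awk '{ for (i = 1; i <= NF; i++) s += $i } END { print s % 256 }'
}

# Registry key Windows derives from the header: OEM ID (offset 10, 6 bytes) and
# OEM Table ID (offset 16, 8 bytes). Space padding shows up as underscores.
acpi_oem_key() {
    oem=$(acpi_field "$1" 10 6 | tr ' ' '_')
    tab=$(acpi_field "$1" 16 8 | tr ' ' '_')
    printf 'HKLM\\HARDWARE\\ACPI\\DSDT\\%s\\%s\n' "$oem" "$tab"
}

# Returns 0 when signature, length and checksum are consistent, 1 otherwise.
acpi_table_check() {
    f=$1
    sig=$(acpi_field "$f" 0 4)
    len=$(acpi_le32 "$f" 4)
    size=$(wc -c < "$f" | tr -d ' ')
    sum=$(acpi_checksum "$f")
    printf '%s: signature=%s length=%s filesize=%s checksum_mod256=%s\n' "$f" "$sig" "$len" "$size" "$sum"
    [ "$sig" = "DSDT" ] || { echo "  not a DSDT"; return 1; }
    [ "$len" = "$size" ] || { echo "  header length does not match file size (truncated dump?)"; return 1; }
    [ "$sum" = 0 ] || { echo "  checksum mismatch (corrupted dump?)"; return 1; }
    return 0
}

# Constructed 40-byte DSDT: 36-byte header (signature, length 40, revision 2,
# checksum 0x79, OEM ID, OEM Table ID, OEM revision, creator ID/revision) plus
# four bytes of dummy AML. Octal escapes keep the printf POSIX-portable.
make_sample_dsdt() {
    printf 'DSDT\050\000\000\000\002\171ACME  ACMEBIOS\000\020\000\000INTL\023\011\022\040\000\000\000\000' > "$1"
}

# Demo: check the constructed table, then a copy with one corrupted body byte.
tmp=${TMPDIR:-/tmp}/dsdt-demo.$$
make_sample_dsdt "$tmp.bin"
acpi_table_check "$tmp.bin" && acpi_oem_key "$tmp.bin"
{ acpi_field "$tmp.bin" 0 36; printf '\001\000\000\000'; } > "$tmp.bad"
acpi_table_check "$tmp.bad" || echo "  rejected as expected"
rm -f "$tmp.bin" "$tmp.bad"
```

On a real dump run acpi_table_check DSDT.bin and acpi_oem_key DSDT.bin; the key it prints is where the guest's registry will list the table once the VM boots with it.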
VirtualBox 4.2 also lets you override a few more of the DMI values the guest can read. If they are not set, the guest sees the VirtualBox defaults, strings like "Oracle Corporation" and "VirtualBox", which are an easy giveaway.
Start by retrieving some more information from your physical host:
sudo dmidecode -t2
Sample output:
Base Board Information
Manufacturer: <Vendor>
Product Name: <Product>
Version: Not Available
Serial Number: <Serial>
Asset Tag: Not Specified
Features: None
Location In Chassis: Not Specified
Chassis Handle: <Value>
Type: Unknown
Contained Object Handles: 0
Set the values using the output above. A value consisting only of digits (a purely numeric serial number, say) has to be written as "string:<digits>", otherwise VirtualBox interprets it as a number:
VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVendor" "<Vendor>"
VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardProduct" "<Product>"
VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVersion" "Not Available"
VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardSerial" "<Serial>"
VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardAssetTag" "Not Specified"
VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardLocInChass" "Not Specified"
Then run dmidecode once more:
sudo dmidecode -t3
Chassis Information
Manufacturer: <Vendor>
Type: Notebook
Lock: Not Present
Version: Not Available
Serial Number: <Serial>
Asset Tag: No Asset Information
Boot-up State: Unknown
Power Supply State: Unknown
Thermal State: Unknown
Security Status: Unknown
OEM Information: 0x00000000
Height: Unspecified
Number Of Power Cords: Unspecified
Contained Elements: 0
Set the chassis values the same way:
VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVendor" "<Vendor>"
VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVersion" "Not Available"
VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisSerial" "<Serial>"
VBoxManage setextradata "<VM name>" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisAssetTag" "No Asset Information"
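Typing the board and chassis lines by hand is error-prone (the typo risk is real, and a numeric serial needs the string: prefix), so here is an added example, not part of the original post, that generates them from the dmidecode output instead. It reads the -t2 and -t3 sections on stdin, maps each field the post sets to its VirtualBox pcbios key, prefixes digits-only values with string:, and prints one VBoxManage command per field. The dmidecode text embedded below is constructed for the demo; "ACME Computer Inc.", "ACME-X1", both serial numbers and the VM name "Win7-analysis" are made up.

```shell
#!/bin/sh
# Added example: generate the VBoxManage setextradata lines for the board and
# chassis DMI fields from dmidecode output. Sample data below is constructed.

# Usage: dmi_to_vbox "<VM name>" < dmidecode-output
dmi_to_vbox() {
    awk -v vm="$1" '
    BEGIN {
        # dmidecode field name -> VirtualBox pcbios config key, per DMI section
        map["Board", "Manufacturer"]        = "DmiBoardVendor"
        map["Board", "Product Name"]        = "DmiBoardProduct"
        map["Board", "Version"]             = "DmiBoardVersion"
        map["Board", "Serial Number"]       = "DmiBoardSerial"
        map["Board", "Asset Tag"]           = "DmiBoardAssetTag"
        map["Board", "Location In Chassis"] = "DmiBoardLocInChass"
        map["Chassis", "Manufacturer"]      = "DmiChassisVendor"
        map["Chassis", "Version"]           = "DmiChassisVersion"
        map["Chassis", "Serial Number"]     = "DmiChassisSerial"
        map["Chassis", "Asset Tag"]         = "DmiChassisAssetTag"
    }
    /^Base Board Information/ { sec = "Board";   next }
    /^Chassis Information/    { sec = "Chassis"; next }
    /^Handle /                { sec = "";        next }   # next DMI structure begins
    sec != "" && /^[ \t]+[^:]+: / {
        line = $0
        sub(/^[ \t]+/, "", line)
        i   = index(line, ": ")
        key = substr(line, 1, i - 1)
        val = substr(line, i + 2)
        if ((sec, key) in map) {
            # VirtualBox reads a digits-only value as a number; string: keeps it a string.
            if (val ~ /^[0-9]+$/) val = "string:" val
            printf "VBoxManage setextradata \"%s\" \"VBoxInternal/Devices/pcbios/0/Config/%s\" \"%s\"\n", vm, map[sec, key], val
        }
    }'
}

# Constructed stand-in for: { sudo dmidecode -t2; sudo dmidecode -t3; }
sample_dmidecode() {
    cat <<'EOF'
# dmidecode 3.3
Getting SMBIOS data from sysfs.
SMBIOS 2.7 present.

Handle 0x0002, DMI type 2, 15 bytes
Base Board Information
	Manufacturer: ACME Computer Inc.
	Product Name: ACME-X1
	Version: Not Available
	Serial Number: 12345678
	Asset Tag: Not Specified
	Features:
		Board is a hosting board
	Location In Chassis: Not Specified
	Chassis Handle: 0x0003
	Type: Motherboard
	Contained Object Handles: 0

Handle 0x0003, DMI type 3, 21 bytes
Chassis Information
	Manufacturer: ACME Computer Inc.
	Type: Notebook
	Lock: Not Present
	Version: Not Available
	Serial Number: AC1234XYZ
	Asset Tag: No Asset Information
	Boot-up State: Unknown
	Power Supply State: Unknown
	Thermal State: Unknown
	Security Status: Unknown
	OEM Information: 0x00000000
	Height: Unspecified
	Number Of Power Cords: Unspecified
	Contained Elements: 0
EOF
}

# Demo: print the commands for a VM named "Win7-analysis" (made-up name).
sample_dmidecode | dmi_to_vbox "Win7-analysis"
```

Against a real host, run { sudo dmidecode -t2; sudo dmidecode -t3; } | dmi_to_vbox "<VM name>", review the lines, and pipe them into sh to apply them. VBoxManage getextradata "<VM name>" enumerate shows what is set; inside a Linux guest /sys/class/dmi/id/board_vendor and chassis_vendor show what arrived, and in a Windows guest wmic baseboard get manufacturer,product,serialnumber does the same.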
These settings mean that you will also have to update the batch script described in the previous posts, because the FADT and RSDT keys in the guest's registry are now named after your vendor.
The script now looks like this:
Replace <VENDOR> with the OEM ID of your hardware vendor, as it appears under HKLM\HARDWARE\ACPI\FADT in the guest.
--- start script -------
@echo off
REM Run elevated inside the guest. HKLM\HARDWARE is volatile and rebuilt at every
REM boot, so this has to run at each start, as described in the earlier posts.
REM Rename the VirtualBox DSDT keys (VBOX__ / VBOXBIOS) to neutral names.
reg copy HKLM\HARDWARE\ACPI\DSDT\VBOX__ HKLM\HARDWARE\ACPI\DSDT\WOOT__ /s /f
reg delete HKLM\HARDWARE\ACPI\DSDT\VBOX__ /f
reg copy HKLM\HARDWARE\ACPI\DSDT\WOOT__\VBOXBIOS HKLM\HARDWARE\ACPI\DSDT\WOOT__\WOOTBIOS /s /f
reg delete HKLM\HARDWARE\ACPI\DSDT\WOOT__\VBOXBIOS /f
REM FADT and RSDT now sit under your vendor's OEM ID, but their table IDs are still VBOXFACP / VBOXRSDT.
reg copy HKLM\HARDWARE\ACPI\FADT\<VENDOR>\VBOXFACP HKLM\HARDWARE\ACPI\FADT\<VENDOR>\WOOTFACP /s /f
reg delete HKLM\HARDWARE\ACPI\FADT\<VENDOR>\VBOXFACP /f
reg copy HKLM\HARDWARE\ACPI\RSDT\<VENDOR>\VBOXRSDT HKLM\HARDWARE\ACPI\RSDT\<VENDOR>\WOOTRSDT /s /f
reg delete HKLM\HARDWARE\ACPI\RSDT\<VENDOR>\VBOXRSDT /f
REM Replace the VirtualBox video BIOS string.
reg add HKLM\HARDWARE\DESCRIPTION\System /v VideoBiosVersion /t REG_MULTI_SZ /d "VGA BIOS v1.14" /f
---- end of script ---