Thursday, August 8, 2013

Modifying VirtualBox settings for malware analysis 2013 ed

I have received a few comments regarding missing settings, and some regarding trouble applying these settings.

So here is an updated version of the previous posts on how to make VirtualBox look more like the hardware it runs on: the 2013 edition.

First some hints:

* Run the script to apply these settings after you have created the guest, but before the first boot that installs the guest OS.

This keeps the guest free of leftover traces of the default VirtualBox values, which the installed OS may already have recorded if you change the settings afterwards.

* Be sure to compare the script's settings with those in the VirtualBox Manager, for example:

    VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/SerialNumber
<-- Verify that the HDD is attached as Primary Master

    VBoxInternal/Devices/piix3ide/0/Config/PrimarySlave/ATAPIVendorId <-- For the CD-ROM, be sure that the device is attached as Primary Slave; otherwise change the script, or the guest settings (in the VirtualBox Manager or from the command line), so that they match the environment you are trying to imitate.

* Also note the occurrences of piix3ide in the script (PIIX4 seems to be the default IDE controller type in VBox nowadays); change the VBox settings for the guest to use PIIX3 (controller: IDE -> Attributes).

* Don't forget the custom DSDT (not covered in the script); it is applied with the following command:

    VBoxManage setextradata "<vm>" "VBoxInternal/Devices/acpi/0/Config/CustomTable" /home/<user>/VirtualBox\ VMs/<vm>/DSDT.bin
How to create the DSDT image is described in the previous posts.

* The script should be run with the guest powered off and the VirtualBox GUI closed, otherwise the settings can be overwritten when the GUI saves the VM configuration. This also applies if you want to change any of the settings later, by re-running the script or by hand. After the next boot, check from inside the guest (with dmidecode, or its Windows build) that the new values actually show up.

* Don't install the VirtualBox Guest Additions; the VBoxGuest driver and the VBoxService service they install are an immediate giveaway.

* Change the MAC address of the guest; the default 08:00:27 prefix is VirtualBox's own OUI.

* Use dmidecode -t0, -t1, -t2, -t3, -t4 and -t11 (BIOS, system, base board, chassis, processor and OEM strings) on the machine you want to imitate to gather the information needed for the script below.

There is almost nothing that prevents you from being creative: most settings can be set to a value of your choice. One rule to remember: a value that consists only of digits (e.g. a serial number) must be given as "string:1234", otherwise VBoxManage stores it as an integer rather than a DMI string.

--- updated script to be run from the host OS ----------
* ./script.sh <vm>

#!/bin/bash
# Run on the host with the guest powered off and the VirtualBox GUI closed:
#   ./script.sh <vm>
# Replace every "xxxxx" (and the bare x placeholders of the integer keys) with
# the values gathered with dmidecode on the machine you want to imitate.
set -e

if [ $# -ne 1 ]; then
    echo "usage: $0 <vm>" >&2
    exit 1
fi
VM="$1"

# IDE devices: the disk attached as Primary Master, the CD-ROM as Primary Slave
VBoxManage setextradata "$VM" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/SerialNumber" "xxxxxx"
VBoxManage setextradata "$VM" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/FirmwareRevision" "xxxxx"
VBoxManage setextradata "$VM" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/ModelNumber" "xxxxx"

VBoxManage setextradata "$VM" "VBoxInternal/Devices/piix3ide/0/Config/PrimarySlave/ATAPIVendorId" "xxxxx"
VBoxManage setextradata "$VM" "VBoxInternal/Devices/piix3ide/0/Config/PrimarySlave/ATAPIProductId" "xxxxx"
VBoxManage setextradata "$VM" "VBoxInternal/Devices/piix3ide/0/Config/PrimarySlave/ATAPIRevision" "xxxxx"

# DMI type 0: BIOS information (the Release/Firmware Major/Minor keys take integers)
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor"        "xxxxx"
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion"       "xxxxx"
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate"   "xxxxx"
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor"  x
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor"  x
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor" x
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor" x

# DMI type 1: system information (DmiSystemUuid must be a UUID string)
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor"      "xxxxx"
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct"     "xxxxx"
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion"     "xxxxx"
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial"      "xxxxx"
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSKU"         "xxxxx"
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily"      "xxxxx"
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid"        "xxxxx"

# DMI type 2: base board
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVendor"       "xxxxx"
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardProduct"      "xxxxx"
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVersion"      "xxxxx"
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardSerial"       "xxxxx"
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardAssetTag"     "xxxxx"
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardLocInChass"   "xxxxx"
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardType"         ""

# DMI type 3: chassis
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVendor"     "xxxxx"
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVersion"    "xxxxx"
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisSerial"     "xxxxx"
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisAssetTag"   "xxxxx"

# DMI type 4: processor
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiProcManufacturer"  "xxxxx"
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiProcVersion"       "xxxxx"

# DMI type 11: OEM strings, which by default read vboxVer_<version> and vboxRev_<revision>
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxVer"        "xxxxx"
VBoxManage setextradata "$VM" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxRev"        " "   # a single space, on purpose

--------------------------------------------------------
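The values for the pcbios keys above come from dmidecode on the machine you want to imitate. The script below is an added example, not the author's script: it parses the text output of dmidecode -t0 -t1 -t2 (a constructed sample is embedded; real output indents with tabs, which the parser also accepts) and prints the matching VBoxManage setextradata lines instead of running them, so they can be reviewed first. The field-to-key mapping, the sample values and the function names are my own, and the mapping covers the BIOS, system and base board keys; the chassis and processor keys follow the same pattern. The one VirtualBox-specific rule it applies is the "string:" prefix for values consisting only of digits, so that VBoxManage stores them as DMI strings rather than integers.

```shell
#!/bin/sh
# Added example (not the post's script): print the VBoxManage setextradata lines
# for the pcbios DMI keys from dmidecode output instead of applying them, so the
# result can be reviewed. Field-to-key mapping and sample data are assumptions.

# Constructed sample of `dmidecode -t0 -t1 -t2` (not a real machine). Real
# dmidecode indents with tabs; the parser accepts tabs or spaces.
SAMPLE_DMIDECODE='# dmidecode 2.11
Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
    Vendor: LENOVO
    Version: 7UET94WW (3.24 )
    Release Date: 10/17/2012
    BIOS Revision: 3.24

Handle 0x0001, DMI type 1, 27 bytes
System Information
    Manufacturer: LENOVO
    Product Name: 2516CTO
    Version: ThinkPad T410
    Serial Number: R8AB1234
    UUID: 5f1c2a4e-3b7d-4c1e-9a2f-0123456789ab

Handle 0x0002, DMI type 2, 15 bytes
Base Board Information
    Manufacturer: LENOVO
    Product Name: 2516CTO
    Version: Not Available
    Serial Number: 1234567890'

# dmi_field OUTPUT SECTION FIELD -> value of "FIELD:" inside the SECTION block
dmi_field() {
    printf '%s\n' "$1" | awk -v sec="$2" -v fld="$3" '
        $0 == sec  { insec = 1; next }            # section title line
        /^Handle / { insec = 0 }                  # next DMI structure begins
        insec && $0 ~ ("^[ \t]*" fld ":") {
            sub("^[ \t]*" fld ":[ \t]*", ""); sub("[ \t]+$", "")
            print; exit
        }'
}

# vbox_value VALUE -> VALUE, prefixed with "string:" when it is digits only so
# VBoxManage stores it as a DMI string and not as an integer
vbox_value() {
    case "$1" in
        ''|*[!0-9]*) printf '%s\n' "$1" ;;
        *)           printf 'string:%s\n' "$1" ;;
    esac
}

# bios_rev_part "3.24" major|minor -> 3 | 24 (the Major/Minor keys take integers)
bios_rev_part() {
    case "$2" in
        major) printf '%s\n' "${1%%.*}" ;;
        minor) printf '%s\n' "${1#*.}" ;;
    esac
}

# emit VM KEY VALUE -> one setextradata line; VALUE is escaped so the generated
# line is safe to feed to sh even if dmidecode returned shell metacharacters
emit() {
    esc=$(printf '%s' "$3" | sed 's/["\\$`]/\\&/g')
    printf 'VBoxManage setextradata "%s" "VBoxInternal/Devices/pcbios/0/Config/%s" "%s"\n' \
        "$1" "$2" "$esc"
}

# dmi_str VM OUTPUT KEY SECTION FIELD -> setextradata line for a string-typed key
dmi_str() {
    emit "$1" "$3" "$(vbox_value "$(dmi_field "$2" "$4" "$5")")"
}

# generate_commands VM OUTPUT -> the pcbios part of the host-side script
generate_commands() {
    rev=$(dmi_field "$2" "BIOS Information" "BIOS Revision")
    dmi_str "$1" "$2" DmiBIOSVendor      "BIOS Information" "Vendor"
    dmi_str "$1" "$2" DmiBIOSVersion     "BIOS Information" "Version"
    dmi_str "$1" "$2" DmiBIOSReleaseDate "BIOS Information" "Release Date"
    emit "$1" DmiBIOSReleaseMajor "$(bios_rev_part "$rev" major)"
    emit "$1" DmiBIOSReleaseMinor "$(bios_rev_part "$rev" minor)"
    dmi_str "$1" "$2" DmiSystemVendor  "System Information" "Manufacturer"
    dmi_str "$1" "$2" DmiSystemProduct "System Information" "Product Name"
    dmi_str "$1" "$2" DmiSystemVersion "System Information" "Version"
    dmi_str "$1" "$2" DmiSystemSerial  "System Information" "Serial Number"
    dmi_str "$1" "$2" DmiSystemUuid    "System Information" "UUID"
    dmi_str "$1" "$2" DmiBoardVendor   "Base Board Information" "Manufacturer"
    dmi_str "$1" "$2" DmiBoardProduct  "Base Board Information" "Product Name"
    dmi_str "$1" "$2" DmiBoardVersion  "Base Board Information" "Version"
    dmi_str "$1" "$2" DmiBoardSerial   "Base Board Information" "Serial Number"
}

# Usage: ./gen-dmi.sh <vm> --sample   (embedded sample)
#        ./gen-dmi.sh <vm>            (live host; dmidecode needs root)
if [ $# -ge 1 ]; then
    if [ "${2:-}" = "--sample" ]; then src=$SAMPLE_DMIDECODE; else src=$(dmidecode -t0 -t1 -t2); fi
    generate_commands "$1" "$src"
fi
```

Run it with --sample to see the output for the embedded sample, or as root on the host you want to imitate; then pipe the reviewed output to sh with the guest powered off and the VirtualBox GUI closed. VBoxManage getextradata "<vm>" enumerate lists what was actually stored.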

--- script to be run from inside the guest OS  -------

* These settings have to be re-applied after each boot, because the HKLM\HARDWARE hive is volatile and rebuilt from the ACPI tables at startup. If you are using Cuckoo this only has to be run once, since you are working with snapshots of a running guest.

* To be able to set the "correct" values, copy the information from a native installation, i.e. a non-VM installation.

- Replace <VENDOR>, <V1>, <V2> and <V3>. The registry path is ACPI\<table>\<OEM ID>\<OEM table ID>\<OEM revision>, with spaces in the ACPI header fields shown as underscores:

<VENDOR> = BIOS vendor / ACPI OEM ID, e.g. LENOVO
<V1> = ACPI OEM table ID, e.g. TP-GX__  *
<V2> = ACPI OEM revision; on the limited number of machines I have looked at, the value is the same for all three tables (DSDT, FADT and RSDT). In VBox the values differ (00000002 for the DSDT, 00000001 for the other two), hence the change.
<V3> = <version string> (<version number>)

*) If you find the above statements to be incorrect please let me know; I have limited access to non-VM Windows machines, XP in particular.

 -----------------
@echo off
rem Run inside the guest (as administrator) after every boot, or once before
rem taking the Cuckoo snapshot. Replace <VENDOR>, <V1>, <V2> and <V3> first.
rem VirtualBox's ACPI OEM ID is "VBOX  ", which the registry shows as VBOX__.

rem DSDT: OEM ID VBOX__, OEM table ID VBOXBIOS, OEM revision 00000002
reg copy HKLM\HARDWARE\ACPI\DSDT\VBOX__ HKLM\HARDWARE\ACPI\DSDT\<VENDOR> /s /f
reg delete HKLM\HARDWARE\ACPI\DSDT\VBOX__ /f

reg copy HKLM\HARDWARE\ACPI\DSDT\<VENDOR>\VBOXBIOS HKLM\HARDWARE\ACPI\DSDT\<VENDOR>\<V1>__ /s /f
reg delete HKLM\HARDWARE\ACPI\DSDT\<VENDOR>\VBOXBIOS /f

reg copy HKLM\HARDWARE\ACPI\DSDT\<VENDOR>\<V1>__\00000002 HKLM\HARDWARE\ACPI\DSDT\<VENDOR>\<V1>__\<V2> /s /f
reg delete HKLM\HARDWARE\ACPI\DSDT\<VENDOR>\<V1>__\00000002 /f

rem FADT and RSDT: OEM table IDs VBOXFACP / VBOXRSDT, OEM revision 00000001.
rem Check with "reg query HKLM\HARDWARE\ACPI\FADT" which OEM ID key exists; if it
rem is still VBOX__ rather than <VENDOR>, rename it first as done for the DSDT.
reg copy HKLM\HARDWARE\ACPI\FADT\<VENDOR>\VBOXFACP HKLM\HARDWARE\ACPI\FADT\<VENDOR>\<V1>__ /s /f
reg delete HKLM\HARDWARE\ACPI\FADT\<VENDOR>\VBOXFACP /f

reg copy HKLM\HARDWARE\ACPI\FADT\<VENDOR>\<V1>__\00000001 HKLM\HARDWARE\ACPI\FADT\<VENDOR>\<V1>__\<V2> /s /f
reg delete HKLM\HARDWARE\ACPI\FADT\<VENDOR>\<V1>__\00000001 /f

reg copy HKLM\HARDWARE\ACPI\RSDT\<VENDOR>\VBOXRSDT HKLM\HARDWARE\ACPI\RSDT\<VENDOR>\<V1>__ /s /f
reg delete HKLM\HARDWARE\ACPI\RSDT\<VENDOR>\VBOXRSDT /f

reg copy HKLM\HARDWARE\ACPI\RSDT\<VENDOR>\<V1>__\00000001 HKLM\HARDWARE\ACPI\RSDT\<VENDOR>\<V1>__\<V2> /s /f
reg delete HKLM\HARDWARE\ACPI\RSDT\<VENDOR>\<V1>__\00000001 /f

rem Video BIOS version string
reg add HKLM\HARDWARE\DESCRIPTION\System /v VideoBiosVersion /t REG_MULTI_SZ /d "<V3>" /f

------------

/Micke - @nsmfoo

Tuesday, August 6, 2013

VirtualBox IBM/Lenovo and the missing VPD

While having a go at writing an updated post on how to configure VirtualBox to avoid VM detection, I noticed that new versions of VBox have been released since I wrote my previous posts.

I found something that could potentially give away the virtual guest, especially if you pretend to use (or actually use) IBM/Lenovo hardware. For those of us who don't use Apple hardware, Lenovo still seems to be a favourite, I guess because of their Linux compatibility and their stylish black colour. So this case might not be that far-fetched.

Anyway, almost all IBM/Lenovo hardware has something called Vital Product Data, VPD for short. It is information like:

BIOS Build ID
Box Serial Number
Motherboard Serial Number
Machine Type/Model

Information of the kind you otherwise get from running dmidecode. But it is the lack of VPD information that could be a telltale sign that something is fishy.

The dmidecode package (there is a Windows build out there as well) ships with tools like biosdecode and vpddecode.

Below is part of the output from these two commands on a Linux host OS:

# biosdecode 2.11
VPD present.
    BIOS Build ID: XXXX
    Box Serial Number: XXXX
    Motherboard Serial Number: XXXX
    Machine Type/Model: XXXX


# vpddecode 2.11
BIOS Build ID: XXXX
Box Serial Number: XXXX
Motherboard Serial Number: XXXX
Machine Type/Model: XXXX

The same commands, this time from inside the guest OS (VirtualBox with XP):

# biosdecode 2.10
... no VPD section in the output

# vpddecode 2.10
No VPD structure found, sorry.


The guest is set to present LENOVO as the BIOS vendor. Malware could check whether the vendor is IBM/Lenovo and whether a VPD structure is present; a Lenovo BIOS vendor string with no VPD would (or could) mean that the system is not native.
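The check described above, as an added example that is not part of the original post: it takes captured text output of dmidecode -t0 and of vpddecode (or biosdecode) and reports "suspicious" when the BIOS vendor claims IBM or Lenovo but no VPD structure was found, "consistent" when VPD is present, and "not-applicable" for other vendors. The sample outputs are constructed for the example (the "No VPD structure found" line is the message shown in the post), and the vendor prefixes it matches on are my assumption.

```shell
#!/bin/sh
# Added example (not from the post): the VPD consistency check the post hints
# at, run offline on captured text output of `dmidecode -t0` and `vpddecode`.
# The vendor prefixes and the sample outputs below are assumptions.

# Constructed samples (not captured from real machines). "innotek GmbH" is the
# BIOS vendor VirtualBox presents unless DmiBIOSVendor has been changed.
LENOVO_BIOS='# dmidecode 2.11
Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
    Vendor: LENOVO
    Version: 7UET94WW (3.24 )'
VBOX_BIOS='# dmidecode 2.11
Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
    Vendor: innotek GmbH
    Version: VirtualBox'
NATIVE_VPD='# vpddecode 2.11
BIOS Build ID: 7UET94WW
Box Serial Number: R8AB1234
Motherboard Serial Number: 1234567890
Machine Type/Model: 2516CTO'
GUEST_VPD='# vpddecode 2.10
No VPD structure found, sorry.'

# dmi_vendor DMIDECODE_OUTPUT -> the first "Vendor:" value, empty if absent
dmi_vendor() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Vendor:[[:space:]]*//p' \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# vpd_present OUTPUT -> 0 when vpddecode/biosdecode decoded a VPD structure, 1 otherwise
vpd_present() {
    case "$1" in
        *"No VPD structure found"*)                 return 1 ;;
        *"VPD present."*|*"Machine Type/Model:"*)   return 0 ;;
        *)                                          return 1 ;;
    esac
}

# is_ibm_lenovo VENDOR -> 0 for vendor strings starting with IBM or LENOVO (any case)
is_ibm_lenovo() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        IBM*|LENOVO*) return 0 ;;
        *)            return 1 ;;
    esac
}

# vm_verdict DMIDECODE_OUTPUT VPD_OUTPUT -> one word:
#   suspicious      vendor claims IBM/Lenovo but no VPD structure was found
#   consistent      vendor claims IBM/Lenovo and VPD is present
#   not-applicable  vendor is not IBM/Lenovo, so this check says nothing
vm_verdict() {
    vendor=$(dmi_vendor "$1")
    if ! is_ibm_lenovo "$vendor"; then
        echo not-applicable
    elif vpd_present "$2"; then
        echo consistent
    else
        echo suspicious
    fi
}

# Usage: ./vpd-check.sh --live   (needs root, with dmidecode and vpddecode installed)
if [ "${1:-}" = "--live" ]; then
    vm_verdict "$(dmidecode -t0)" "$(vpddecode)"
fi
```

Run with --live on the guest (or on a native machine, to see "consistent") after installing the dmidecode package there; the same functions can be fed saved output from the Windows build.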

Just a thought ..

/Micke