Thursday, August 8, 2013

Modifying VirtualBox settings for malware analysis 2013 ed

I have received a few comments about missing settings, and a few about trouble applying these settings.

So here is an updated version of the previous posts on how to make VirtualBox look more like the hardware it runs on. 2013 edition.

First some hints:

* After you have created the guest, but before you do the first run to install the guest OS, run the script to apply these settings.

This will keep the guest free of any leftover settings that can occur if you set them afterwards.

* Be sure to compare the script's settings with those in the VirtualBox Manager, for example:

    VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/SerialNumber <-- Verify that the hdd is attached as Primary Master

    VBoxInternal/Devices/piix3ide/0/Config/PrimarySlave/ATAPIVendorId <-- For the CD-ROM, be sure that the device is attached as Primary Slave; otherwise change the script, or the guest settings (from the VirtualBox Manager or from the command line), so that the keys reflect how the guest is actually configured.

* Also note the occurrences of piix3ide in the script (PIIX4 seems to be the default IDE controller in VBox nowadays); change the VBox settings for the guest to use PIIX3 (Storage: IDE controller -> Attributes -> Type).

* Don't forget to add the DSDT (not covered in the script). It is applied using the following command:

    VBoxManage setextradata "<vm>" "VBoxInternal/Devices/acpi/0/Config/CustomTable" /home/<user>/VirtualBox\ VMs/<vm>/DSDT.bin

How to create the DSDT image is described in previous posts.

* The script should be run with the guest powered off and the VirtualBox GUI closed, otherwise the settings can (and will) be overwritten. This also applies if you later want to change any of the settings, either by re-running the script or by making changes by hand.

* Don't install VirtualBox Guest Additions

* Change the MAC address for the guest

* Use dmidecode -t0, -t1, -t2, -t3, -t4 and -t11 (on a real machine) to gather the information needed for the script below.

There is almost nothing that prevents you from being creative, e.g. most settings can be set to a value of your choice.
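The host script below expects values gathered with dmidecode. As an added example (not the post's own code), the following shell script parses a dmidecode dump from a reference machine and emits the matching VBoxManage setextradata lines for the pcbios DMI keys; the VM name analysis-vm and the values in the sample dump are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: turn the dmidecode output of a
# reference (non-VM) machine into the VBoxManage setextradata lines the host
# script expects. Gather the dump with: dmidecode -t0 -t1 -t2 -t3 -t4 > ref-dmi.txt

# Print one field from one dmidecode section. A section starts with an unindented
# title line and its fields are indented, so "Serial Number" of another section is not picked up.
dmi_field() {   # $1 = dmidecode text, $2 = section title, $3 = field label
    printf '%s\n' "$1" | awk -v sec="$2" -v fld="$3" '
        /^[^ \t]/ { insec = ($0 == sec) }
        insec && $0 ~ ("^[ \t]+" fld ":") {
            sub("^[ \t]+" fld ":[ \t]*", ""); print; exit }'
}

# Map each VirtualBox DMI key to the dmidecode section/field it comes from and
# emit one setextradata line per key; fields missing from the dump are skipped.
gen_dmi_script() {   # $1 = VM name, $2 = dmidecode text
    vm=$1; dmi=$2
    echo '#!/bin/bash'
    while IFS='|' read -r key sec fld; do
        val=$(dmi_field "$dmi" "$sec" "$fld")
        if [ -n "$val" ]; then
            printf 'VBoxManage setextradata "%s" "VBoxInternal/Devices/pcbios/0/Config/%s" "%s"\n' \
                "$vm" "$key" "$val"
        fi
    done <<'EOF'
DmiBIOSVendor|BIOS Information|Vendor
DmiBIOSVersion|BIOS Information|Version
DmiBIOSReleaseDate|BIOS Information|Release Date
DmiSystemVendor|System Information|Manufacturer
DmiSystemSerial|System Information|Serial Number
DmiProcVersion|Processor Information|Version
EOF
}

# Constructed sample dump (made-up values, trimmed to two sections).
SAMPLE_DMI='Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
        Vendor: LENOVO
        Version: 6QET70WW (1.40 )
        Release Date: 10/11/2012

Handle 0x0001, DMI type 1, 27 bytes
System Information
        Manufacturer: LENOVO
        Serial Number: R9SAMPLE'

gen_dmi_script "analysis-vm" "$SAMPLE_DMI"
```

The DmiProcVersion row is left out of the generated output because the sample dump has no Processor Information section; on a full dump the remaining keys from the host script can be added as extra rows in the same table.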

--- updated script to be run from the host OS ----------
* ./script.sh <vm>

#!/bin/bash
# Usage: ./script.sh <vm>
# Run on the host with the guest powered off and the VirtualBox GUI closed.
# Replace every "xxxxx" with the values gathered with dmidecode on a real machine.
if [ -z "$1" ]; then
    echo "usage: $0 <vm>" >&2
    exit 1
fi

# IDE hard disk, attached as Primary Master
VBoxManage setextradata "$1" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/SerialNumber" "xxxxxx"
VBoxManage setextradata "$1" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/FirmwareRevision" "xxxxx"
VBoxManage setextradata "$1" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/ModelNumber" "xxxxx"

# IDE CD-ROM, attached as Primary Slave
VBoxManage setextradata "$1" "VBoxInternal/Devices/piix3ide/0/Config/PrimarySlave/ATAPIVendorId" "xxxxx"
VBoxManage setextradata "$1" "VBoxInternal/Devices/piix3ide/0/Config/PrimarySlave/ATAPIProductId" "xxxxx"
VBoxManage setextradata "$1" "VBoxInternal/Devices/piix3ide/0/Config/PrimarySlave/ATAPIRevision" "xxxxx"

# BIOS information (dmidecode -t0)
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor"        "xxxxx"
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion"       "xxxxx"
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate"   "xxxxx"
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor"  x
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor"  x
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor" x
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor" x

# System information (dmidecode -t1)
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor"      "xxxxx"
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct"     "xxxxx"
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion"     "xxxxx"
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial"      "xxxxx"
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSKU"         "xxxxx"
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily"      "xxxxx"
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid"        "xxxxx"

# Base board information (dmidecode -t2)
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVendor"       "xxxxx"
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardProduct"      "xxxxx"
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVersion"      "xxxxx"
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardSerial"       "xxxxx"
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardAssetTag"     "xxxxx"
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardLocInChass"   "xxxxx"
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardType"         ""

# Chassis information (dmidecode -t3)
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVendor"     "xxxxx"
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVersion"    "xxxxx"
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisSerial"     "xxxxx"
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisAssetTag"   "xxxxx"

# Processor information (dmidecode -t4)
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiProcManufacturer"  "xxxxx"
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiProcVersion"       "xxxxx"

# OEM strings (dmidecode -t11)
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxVer"        "xxxxx"
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxRev"        " "   # note: the value is a single space

--------------------------------------------------------

--- script to be run from inside the guest OS -------

* These settings have to be re-applied after each boot. If you are using Cuckoo this only has to be done once, because you are working with snapshots.

* To be able to set the "correct" values, please copy the information from a native installation, i.e. from a non-VM installation.

- Replace <VENDOR>, <V1>, <V2> and <V3>

<VENDOR> = BIOS vendor, e.g. LENOVO
<V1> = e.g. TP-GX__ *
<V2> = on the limited number of machines I have looked at, the value is the same for all three categories (DSDT, FADT and RSDT). In VBox the values differ, hence the change.
<V3> = <version string> (<version number>)

*) If you find the above statements to be incorrect please let me know; I have limited access to non-VM Windows machines, XP in particular.

 -----------------
@rem Replace the VENDOR, V1, V2 and V3 placeholders before running; run as Administrator.
@rem DSDT: rename the OEM id, then the table id, then the OEM revision
@reg copy HKLM\HARDWARE\ACPI\DSDT\VBOX__ HKLM\HARDWARE\ACPI\DSDT\<VENDOR> /s /f
@reg delete HKLM\HARDWARE\ACPI\DSDT\VBOX__ /f

@reg copy HKLM\HARDWARE\ACPI\DSDT\<VENDOR>\VBOXBIOS HKLM\HARDWARE\ACPI\DSDT\<VENDOR>\<V1>__ /s /f
@reg delete HKLM\HARDWARE\ACPI\DSDT\<VENDOR>\VBOXBIOS /f

@reg copy HKLM\HARDWARE\ACPI\DSDT\<VENDOR>\<V1>__\00000002 HKLM\HARDWARE\ACPI\DSDT\<VENDOR>\<V1>__\<V2> /s /f
@reg delete HKLM\HARDWARE\ACPI\DSDT\<VENDOR>\<V1>__\00000002 /f

@rem FADT: same three steps (the OEM id rename mirrors the DSDT step above)
@reg copy HKLM\HARDWARE\ACPI\FADT\VBOX__ HKLM\HARDWARE\ACPI\FADT\<VENDOR> /s /f
@reg delete HKLM\HARDWARE\ACPI\FADT\VBOX__ /f

@reg copy HKLM\HARDWARE\ACPI\FADT\<VENDOR>\VBOXFACP HKLM\HARDWARE\ACPI\FADT\<VENDOR>\<V1>__ /s /f
@reg delete HKLM\HARDWARE\ACPI\FADT\<VENDOR>\VBOXFACP /f

@reg copy HKLM\HARDWARE\ACPI\FADT\<VENDOR>\<V1>__\00000001 HKLM\HARDWARE\ACPI\FADT\<VENDOR>\<V1>__\<V2> /s /f
@reg delete HKLM\HARDWARE\ACPI\FADT\<VENDOR>\<V1>__\00000001 /f

@rem RSDT: same three steps
@reg copy HKLM\HARDWARE\ACPI\RSDT\VBOX__ HKLM\HARDWARE\ACPI\RSDT\<VENDOR> /s /f
@reg delete HKLM\HARDWARE\ACPI\RSDT\VBOX__ /f

@reg copy HKLM\HARDWARE\ACPI\RSDT\<VENDOR>\VBOXRSDT HKLM\HARDWARE\ACPI\RSDT\<VENDOR>\<V1>__ /s /f
@reg delete HKLM\HARDWARE\ACPI\RSDT\<VENDOR>\VBOXRSDT /f

@reg copy HKLM\HARDWARE\ACPI\RSDT\<VENDOR>\<V1>__\00000001 HKLM\HARDWARE\ACPI\RSDT\<VENDOR>\<V1>__\<V2> /s /f
@reg delete HKLM\HARDWARE\ACPI\RSDT\<VENDOR>\<V1>__\00000001 /f

@rem Video BIOS version string shown under HKLM\HARDWARE\DESCRIPTION\System
@reg add HKLM\HARDWARE\DESCRIPTION\System /v VideoBiosVersion /t REG_MULTI_SZ /d "<V3>" /f

------------

/Micke - @nsmfoo

3 comments:

  1. These are all specific to IDE; any idea what the changes would look like when involving SATA as the primary OS disk?

    1. Hi David,

      A quick but untested response would be to change the IDE specific settings to lsilogic. Please let me know if this solves your problem or not. Otherwise I will try to find some time to look into it.

  2. I misread your question; you asked for SATA settings and not SCSI, my bad. Try to replace the piix3ide (IDE) with ahci (SATA).