Friday, February 12, 2016

Defeating WMI detection of VirtualBox take 2

My previous attempt to thwart WMI detection of VirtualBox, by disabling the Plug and Play service, had the mildly obnoxious side effect of preventing the OS from checking whether it was activated (registered) or not.

As a result, already activated installations became unlicensed. (The same issue applied to MS Office installations.)


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PlugPlay


Since it is always hard to find time for fun/interesting research, I had to put this issue back on my ToDo list, until now. And I guess leaving a problem to fend for itself for a while makes you look at it in a more logical way than you previously did; at least this was true for this issue at this time.

So, enter my second attempt to solve this issue.

The remaining culprit that lets one detect the presence of VirtualBox through WMI(1) is the "Base System Device" that Device Manager lists without a driver.

As we have chosen not to install the VirtualBox Guest Additions, the device is missing its driver (Error 28; I will come back to this one later). It is that device, DEV_CAFE, that is detected. (If you need a quick fix, go to (2).)

My first thought was to try to replace the corresponding values in the registry, but that did not work out either.

Microsoft Windows does not ship a command-line tool to install, remove or uninstall devices by default. Microsoft does, however, provide one in the Windows Driver Kit (WDK), called DevCon.

DevCon sounded like the way to go, given that I had to use an application that is not pre-installed anyway.

But once again, reality came rappelling down from the ceiling and smacked me in the head: DevCon was not able to remove a device that was not fully installed (remember Error 28).

DevManView from NirSoft(3) to the rescue! While DevCon was not able to remove the device, DevManView was!

So now that we have a working solution that we can script, it was time to figure out how to make it user friendly, given that we have to use a third-party application.

The easiest way would have been to leave it to the "user" to copy the application into the VM guest themselves... but why miss the opportunity to do something hideous?

So I decided to embed the binary in the batch script by Base64 encoding DevManView.exe. The Base64-encoded part is then decoded in the guest upon execution of the batch script.
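As an added example (not code from this post or from the antivmdetection repository), here is a host-side Python script that performs the embedding described above and also covers the WMI check from the start of the post: it emits a self-extracting batch file whose payload lines are Base64 chunks of DevManView.exe, prefixed with a marker. In the guest, the batch pulls those lines out of itself with findstr, rebuilds the EXE with certutil -decode, runs DevManView to uninstall the "Base System Device" (the device name is the one from the post; the /uninstall switch is assumed from the NirSoft documentation, so check it against your DevManView version), and finishes with the Win32_PnPEntity query that WMI-based VM checks use, so any Error 28 device still listed means the uninstall did not take. The function names, the "rem B64 " marker and the 76-column chunking are my choices; DevManView.exe itself is not included, and you must supply the 32- or 64-bit build that matches the guest.

```python
"""Build a self-extracting batch file that carries DevManView.exe as Base64.

Host side: python build_batch.py DevManView.exe antivm.bat
Guest side: run antivm.bat; it re-creates the EXE with certutil, uninstalls the
driverless VirtualBox device, and re-runs the WMI query VM-detection code uses.
"""
import base64
import sys

# Name Device Manager shows for the driverless DEV_CAFE device (from the post).
DEVICE_NAME = "Base System Device"

# cmd.exe lines are limited to 8191 characters; 76-column Base64 stays well under.
LINE_LEN = 76
MARKER = "rem B64 "   # payload lines sit after exit /b, so cmd never executes them

# Assumption: DevManView's "/uninstall <device name>" switch as described on the
# NirSoft page; verify it against the DevManView version you embed.
BATCH_TEMPLATE = r"""@echo off
setlocal
set "B64=%TEMP%\DevManView.b64"
set "EXE=%TEMP%\DevManView.exe"
if exist "%B64%" del "%B64%"
rem Pull every payload line out of this very file and drop the marker (token 3).
rem Keep the .bat on a path without parentheses; for /f chokes on them.
for /f "tokens=3" %%a in ('findstr /b /c:"rem B64 " "%~f0"') do >>"%B64%" echo %%a
rem certutil ships with Windows; -f overwrites a copy left from an earlier run.
certutil -f -decode "%B64%" "%EXE%" >nul || (echo decode failed & exit /b 1)
"%EXE%" /uninstall "__DEVICE__"
rem Same class WMI-based VM checks query; nothing should be listed with Error 28.
wmic path Win32_PnPEntity where "ConfigManagerErrorCode=28" get Name,DeviceID
del "%B64%" "%EXE%"
exit /b 0
rem --- payload follows; never reached as code because of the exit /b above ---
"""


def build_batch(exe_bytes: bytes, device_name: str = DEVICE_NAME) -> str:
    """Return the batch text with exe_bytes embedded as marker-prefixed Base64."""
    b64 = base64.b64encode(exe_bytes).decode("ascii")
    chunks = [b64[i:i + LINE_LEN] for i in range(0, len(b64), LINE_LEN)]
    header = BATCH_TEMPLATE.replace("__DEVICE__", device_name)
    body = "".join(MARKER + chunk + "\r\n" for chunk in chunks)
    return header.replace("\n", "\r\n") + body


def extract_embedded(batch_text: str) -> bytes:
    """Host-side check: recover the binary exactly as the guest's findstr loop will."""
    lines = [ln[len(MARKER):] for ln in batch_text.splitlines() if ln.startswith(MARKER)]
    return base64.b64decode("".join(lines), validate=True)


def main(argv):
    if len(argv) != 3:
        print("usage: build_batch.py DevManView.exe out.bat", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as fh:
        exe = fh.read()
    bat = build_batch(exe)
    # Refuse to ship a batch that would not round-trip the binary.
    assert extract_embedded(bat) == exe, "round-trip mismatch"
    with open(argv[2], "w", newline="") as fh:   # keep the CRLF line endings
        fh.write(bat)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two caveats a practitioner will want: the findstr/for loop reads the script through `%~f0`, so parentheses in the path (such as "Program Files (x86)") break the `for /f` command, and dropping a certutil-decoded executable into %TEMP% is a pattern endpoint protection products alert on, so expect noise if the guest runs AV.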

I guess I could try to sugarcoat this by pointing to the fact that it is a bit more user friendly...

Please remember to pick the version of DevManView corresponding to the guest OS architecture (32- or 64-bit).

An updated version of the script can be found at: https://github.com/nsmfoo/antivmdetection/

As always, any kind of feedback is welcome.

/Mikael

(1) If you use previous versions of the antivmdetection script
(2) just right-click on the Base System Device and choose uninstall ;)
(3) http://www.nirsoft.net/utils/device_manager_view.html

10 comments:

  1. Hi Mikael! If you do not install the Guest Additions in the VM (headless VirtualBox), the on-screen mouse and the remote mouse are grossly offset. How do you get around the problem without installing the drivers?

  2. Hi,

    In my experience, moving away from XP guests and using VBox 5+ has made the issue less of a problem. Are you using DKMS alongside VBox? If the installation is to be used with Cuckoo, the desync will not affect the analysis.

    Let me know if this answered your question or not =)

    /Mikael

    1. Yes, I use DKMS - VirtualBox 4.3.20. If you use rdesktop-vrdp, then there are problems with synchronization of the mouse cursor (two mouse pointers).
      If I install VirtualBox 5.0, does it eliminate the problem?
      Or do you still need to install the Guest Additions?
      Sorry for my bad English =)

  3. I can't say for sure that your setup will work in the same way as mine does, but I use old HP servers with VBox 5 and VRDP *without* the Guest Additions and it works well. I suggest you upgrade to 5+; there will be other benefits as well.

    But please note that I'm using Windows 7 as the guest OS

    Excuse my bad English as well =)

    /Mikael

    1. I installed VirtualBox 5.0.16. It did not solve my problem with the mouse cursor. The guest OS is Win 7.

  4. Hm.. OK, let's try something else. I forgot to ask you previously whether you have installed the VirtualBox Extension Pack? It needs to be updated with each release as well.

    1. No, I didn't install the VirtualBox Extension Pack =) Is it not recommended to install? (https://github.com/a0rtega/pafish) Installing the add-ons will of course solve this problem.

  5. Hi,

    The VM VirtualBox Extension Pack (which you install on the host) is not the same as the Guest Additions (which you install inside the guest). What pafish detects is the presence of the Guest Additions installer.

    I hope this clears things up =)

    /Mikael

    1. Hi!
      Yes, of course, installed on the host!! It is not installed in the guest.

  6. That's good. So the follow-up question: as you are running a headless installation, you will need to manually install new ext packs (replacing the old one) with every new VBox release. Please verify that you are keeping them at the "same" version.

    /Mikael
