Comments on prowling - NSM foo: Modifying VirtualBox settings for malware analysis
Blog author: Mikael (http://www.blogger.com/profile/17555357318307623181)
Feed last updated: 2023-05-02T08:56:30+02:00
23 comments, newest first.


Anonymous (2019-02-12T09:45:52+01:00):

5 years later still have 64k limitation


Mikael (2015-09-03T09:13:05+02:00):

Hi, I can see your fork, but not the pull request. Can you try again? No worries, I'm not a Git ninja either =)


Anonymous (2015-08-31T15:40:47+02:00):

Hi Mikael! I have made a pull request on github to show you my changes to your script. Check them. It's the first time that I post something on github, I'm not skilled, I could have made some mistakes.
Let me know! Good day!


Mikael (2015-08-25T21:32:55+02:00):

Sorry, late reply. If you have the possibility, follow me on Twitter temporarily. DM me for contact information. Let me know if this is not an option.

I did not have access to any HP clients. I will try to implement a fix for the issue. Thanks for bringing this forward. Much appreciated!


Anonymous (2015-08-18T14:52:59+02:00):

My file DSDT_HPPavilion15NotebookPC.bin is 61.2 kB but nevertheless it gives me the "too large" error message. Do you want to see that file? If yes, how can I give it to you?

Another thing, the vbox application expects a string for the DmiBoardProduct parameter but the field gathered in my case is an integer. Maybe a check about the type could be useful. In my case I have solved it by adding a space after that int, doing something like that at line 55:

    dmi_info['DmiBoardProduct'] = v['data']['Product Name']+' '

I'm doing that, but I don't know how the field will be processed by vbox. Is it correct?


Mikael (2015-08-18T13:45:29+02:00):

If the file size is lower than 64k, then it should be OK and you should not see the "too large" error message. Can you verify in the .vbox file that it uses the DSDT file you created that had a "good" size? If so, then I need to look more into it I guess =)


Anonymous (2015-08-18T11:38:49+02:00):

Ok thanks! I will try with an old laptop. I have used the last release but no warning was given. I have printed the variable in the if construct (line 322) and in my case it is lower than 64k, precisely 61230, maybe you must check another variable. I hope it will help you.
Great Work!


Mikael (2015-08-18T09:09:18+02:00):

The latest release (https://github.com/nsmfoo/antivmdetection) will give you a warning if your DSDT table is larger than 64K, which is sadly very common in new hardware. So you will have to find a computer that produces DSDT tables that are smaller than the maximum size. The question has been raised with the VBox devs but not sure the size will be increased anytime soon..


Mikael (2015-08-18T08:48:01+02:00):

I will make a note to add a check to see if necessary applications are installed.


Anonymous (2015-08-17T23:06:24+02:00):

Hi Mikael! It's me again! In order to take all my system information I have downloaded and installed smartmontools and libcdio-utils. Then I have created a new VM and I have executed the .sh file. I have enabled the I/O APIC too. Everything goes ok, but when I launch my machine for the first time I have an error:

    ACPI tables bigger than 64KB (VERR_TOO_MUCH_DATA).

How can I solve it?


Anonymous (2015-08-17T17:53:29+02:00):

Hi Mikael!
It seems that the first error was caused by acpidump missing on my system, so I have solved it by doing:

    apt-get install acpidump


Anonymous (2015-08-17T15:18:29+02:00):

Hi Mikael, first of all thanks for your great work. I have 2 errors when I launch antivmdetect.py. The first error says:

    File "antivmdetect.py", line 302, in
    logfile.write('VBoxManage setextradata "$1" VBoxInternal/Devices/acpi/0/Config/AcpiCreatorRev\t\'' + acpi_list[5] + '\'\n')
    IndexError: list index out of range

Solved by replacing line 302 with:

    if len(acpi_list) == 6 : logfile.write('VBoxManage setextradata "$1" VBoxInternal/Devices/acpi/0/Config/AcpiCreatorRev\t\'' + acpi_list[5] + '\'\n')

The second is:

    File "antivmdetect.py", line 349, in
    logfile.write('@reg copy HKLM\HARDWARE\ACPI\DSDT\VBOX__ HKLM\HARDWARE\ACPI\DSDT\\' + manu + ' /s /f\r\n')
    NameError: name 'manu' is not defined

Solved by adding:

    manu = acpi_list[1]

outside the if construct. I have an HP Pavilion and the if cases do not consider that.
Are my patches correct?
Thanks Again!


Mikael (2015-08-03T10:56:31+02:00):

Hi,

The latest version of the script is available on Github, please try that one and please apply the settings before your first boot of the vm. If you don't get it to work please let me know.

https://github.com/nsmfoo/antivmdetection

Regards
Mikael @nsmfoo


Anonymous (2015-06-17T15:42:19+02:00):

enumerate shows values when queried with vboxmanage, but inside the machine, dmidecode shows default values:

    dmidecode 2.12
    SMBIOS 2.5 present.

    Handle 0x0000, DMI type 0, 20 bytes
    BIOS Information
        Vendor: innotek GmbH
        Version: VirtualBox
        Release Date: 12/01/2006
        Address: 0xE0000
        Runtime Size: 128 kB
        ROM Size: 128 kB
        Characteristics:
            ISA is supported
            PCI is supported
            Boot from CD is supported
            Selectable boot is supported
            8042 keyboard services are supported (int 9h)
            CGA/mono video services are supported (int 10h)
            ACPI is supported

From enumerate:

    Key: GUI/LastNormalWindowPosition, Value: 392,25,1204,841
    Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor, Value: 3
    Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor, Value: 4
    Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate, Value: 06/25/2013
    Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor, Value: 1
    Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor, Value: 2
    Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor, Value: Dell Inc.
    Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion, Value: string:Version A16


Anonymous (2015-06-17T15:37:25+02:00):

Does not work in VirtualBox 4.3.28, Ubuntu 14.0.2


Mikael (2013-08-14T12:15:30+02:00):

Thank you! =)


Anonymous (2013-08-11T18:09:10+02:00):

Thnx for a nice tutorial (and all over top notch blog entries)!

//B. September


Mikael (2013-08-04T22:18:28+02:00):

Hi,
I will post an update regarding how to modify VBox, give me a few days to finish it. The setup is the same as the one you describe so hopefully your issue will be resolved.
Otherwise please let me know!

/Micke


Anonymous (2013-07-17T21:40:01+02:00):

I am having the same issue. Ubuntu 13.04 host running Windows XP SP2 inside of VirtualBox 4.2.10. I run the setextradata command to change the vendor and version for DMI Type 0, and when I run dmidecode in the XP guest, the BIOS info still shows innotek GmbH and VirtualBox for the vendor and version.


Mikael (2013-05-11T00:11:23+02:00):

Hi, you are correct. I have not updated the blog post in a while, which I might have to do. The missing settings I guess were added in a newer version. It seems like as time progresses more values are able to be populated from the host to the guest, which is great. Thanks for your comment!


Mikael (2013-05-11T00:06:47+02:00):

Hi Janus,

Sorry for my late reply. Which version of VBox are you using?


Janus (http://erehon-network.net) (2013-03-08T18:19:33+01:00):

Hello Mikael,

I have tried the changes but the virtual machine seems not to get them even when correctly applied, checked with enumerate.

Any idea?

The vm is a windows xp sp3.

Thanks for your time


Anonymous (2013-02-18T11:52:25+01:00):

Good info, but you are missing some parameters:

http://www.virtualbox.org/manual/ch09.html#changedmi