Step-by-step guide to configuring VirtualBox x64 Hardened (5.1.16+) VM detection mitigation.
Contents:
- Installing VirtualBox
- Creating VM with required settings
- Using batch script to apply fake VM system information
- Loading monitoring driver for load-in-memory VM dll patch
- Using VirtualBox loader to manage monitoring driver behavior
- Warning: VirtualBox Additions
- Appendix A: Using EFI VM
- Appendix B: Uninstalling VirtualBox loader
- Appendix C: Updating VirtualBox
- Download VirtualBox from the official site (https://www.virtualbox.org/wiki/Downloads).
- Do a clean installation of the latest VirtualBox.
- "Clean" means you must first uninstall any other versions of VirtualBox and reboot Windows to complete the uninstallation. This ensures that no old VirtualBox files are left in system memory or on disk. Unfortunately VirtualBox setup sometimes can't do a complete removal without a reboot, so reboot after uninstalling.
- Start the installation and select the VirtualBox components to install as shown in the figure below.
In this example we are installing and configuring VirtualBox on an x64 notebook with 6 GB of RAM and a 4x Intel Core i7 Haswell CPU running fully patched Windows 8.1.
Create a new virtual machine (in this example it will be named "vm0") and configure it in the following way:
Note: 512 MB is not a requirement; you can raise or lower this value as you want, but keep in mind that some lame malware attempts to detect a VM by the available physical memory size and, if it is too low, uses that as a VM detection flag.
Set up the virtual disk
Note: 64 GB is not a requirement; however, yet again, some lame malware attempts to detect a VM by hard disk size, so give it a reasonable size.
After the VM (vm0 in our case) is created, open its settings and make the following changes.
On the "Motherboard" tab ensure "Enable I/O APIC" is turned on. If you plan to use EFI please read Appendix A: Using EFI VM.
On the "Processor" tab ensure PAE/NX is enabled. Also note that your VM must have at least TWO CPUs, because the number of processors is again used by malware to determine VM execution. So give the VM a minimum of two processors.
On the "Acceleration" tab set Paravirtualization Interface to "Legacy" and enable VT-x/Nested Paging. The "Default" paravirtualization interface gives the VM the ability to detect the VirtualBox hypervisor by the "hypervisor present bit" and by the hypervisor name returned by the cpuid instruction. Switching the paravirtualization interface to "Legacy" effectively turns off these malware VM-detection-friendly features.
On the "Screen" tab disable 3D/2D Acceleration.
The storage configuration should look like this:
You can use an IDE controller instead of SATA, but in what follows we assume you use the default SATA.
Enable NAT for the virtual machine so you can use FTP-like programs to communicate with it and the machine will have internet access (if you have it).
Once all settings are set, press the OK button.
Close VirtualBox.
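A check you can compile and run inside the guest later to confirm the "Acceleration" tab setting took effect; this is an added example, not code from VBoxHardenedLoader. It assumes an x86/x64 guest with either MSVC or a GCC-compatible compiler; with "Legacy" selected, the hypervisor present bit should read 0 and the vendor id should not be "VBoxVBoxVBox".

```c
/* Added example (not VBoxHardenedLoader code): read the CPUID artefacts the
 * "Default" paravirtualization interface exposes, to verify "Legacy" hides them. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(_MSC_VER)
#include <intrin.h>
static void cpuid_leaf(uint32_t leaf, uint32_t r[4]) {
    int regs[4];
    __cpuid(regs, (int)leaf);
    for (int i = 0; i < 4; i++) r[i] = (uint32_t)regs[i];
}
#else
#include <cpuid.h>
static void cpuid_leaf(uint32_t leaf, uint32_t r[4]) {
    __cpuid(leaf, r[0], r[1], r[2], r[3]);
}
#endif

/* CPUID leaf 1: ECX bit 31 is the "hypervisor present" bit. */
int hypervisor_bit_set(uint32_t leaf1_ecx) { return (int)((leaf1_ecx >> 31) & 1u); }

/* CPUID leaf 0x40000000: EBX, ECX, EDX carry a 12-byte hypervisor vendor id.
 * Bytes that are not printable (nothing answering the leaf) become '.'. */
void decode_hv_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    memcpy(out, &ebx, 4);
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
    for (int i = 0; i < 12; i++)
        if (!isprint((unsigned char)out[i])) out[i] = '.';
    out[12] = '\0';
}

/* 1 if the vendor id is the unhidden VirtualBox string "VBoxVBoxVBox". */
int is_vbox_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx) {
    char v[13];
    decode_hv_vendor(ebx, ecx, edx, v);
    return strcmp(v, "VBoxVBoxVBox") == 0;
}

int main(void) {
    uint32_t r[4]; char vendor[13];
    cpuid_leaf(1, r);
    printf("hypervisor present bit: %d\n", hypervisor_bit_set(r[2]));
    cpuid_leaf(0x40000000u, r);
    decode_hv_vendor(r[1], r[2], r[3], vendor);
    printf("hypervisor vendor id: \"%s\" (VirtualBox: %d)\n", vendor,
           is_vbox_vendor(r[1], r[2], r[3]));
    return 0;
}
```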
Save the https://github.com/hfiref0x/VBoxHardenedLoader/tree/master/Binary folder to your PC; in the following examples we save it as C:\VBoxLdr and use this directory. Open a command line prompt (Win+R, type cmd, press Enter). Change the current directory to the VBoxLdr\data directory (type cd C:\VBoxLdr\data, press Enter).
Now the important part. Select the script to work with next depending on your VM configuration:
- hidevm_ahci is for a VM with a SATA/AHCI controller and classical BIOS
- hidevm_ide is for a VM with an IDE controller and classical BIOS
- hidevm_efiahci is for a VM with a SATA/AHCI controller and EFI
- hidevm_efiide is for a VM with an IDE controller and EFI
If you plan to use EFI VM see "Appendix A: Using EFI VM" before doing any further steps.
In our example we created the VM without EFI support and with a SATA/AHCI controller, so we will use the hidevm_ahci script. Open it with Notepad and change the following lines:
set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe"
set vmscfgdir=D:\Virtual\VBOX\Settings\
These two variables are used as file paths later in the script; change them to the actual locations.
Depending on where VirtualBox is installed, put the correct path to vboxmanage.exe in the vboxman variable. Depending on where you saved the Binary folder, change the vmscfgdir variable accordingly.
In our example we leave vboxman as is, because we didn't change the VirtualBox installation path, and change D:\Virtual\VBOX\Settings\ to C:\VBoxLdr\data, so both lines will look like:
set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe"
set vmscfgdir=C:\VBoxLdr\data\
Note the backslash at the end of vmscfgdir.
After that, save the script changes.
Type the script name in the command line prompt and add your VM name as a parameter, e.g. in our case:
Run it by pressing Enter. This will set up additional configuration for your VM.
Do not run any VM, as it is not ready yet.
Close VirtualBox if it is open.
Open an elevated command line prompt: run cmd.exe as administrator and switch the current directory to C:\VBoxLdr (or wherever you saved the Binary folder). Use tdl.exe to load the monitoring driver; type as shown on the screenshot below:
Upon successful execution you will see something like this:
Done, the monitoring driver is loaded. Now we need to configure it properly. Do not start VirtualBox, as we are not finished yet.
Close VirtualBox if it is open.
We need to give our monitoring driver the proper data to work with. Loader.exe is the application that does this. Running it with /? will give you brief help on its usage.

So we will just run it without parameters. In the same elevated command line prompt type loader and press Enter; upon successful execution you will see something like this:
That is all. Now you can start VirtualBox and load the prepared VM.
If you want to stop the monitoring driver, open an elevated command line prompt, navigate to the VBoxLdr folder and run loader with the /s switch, e.g. loader.exe /s. To re-enable monitoring just re-run loader without parameters, elevated (as admin). The monitoring driver is unloaded at Windows shutdown or reboot. To start it again repeat step 4 (repeating step 5 is only needed when you decided to upgrade VirtualBox without uninstalling the previous version and rebooting).
Do not install VirtualBox Additions! This will ruin everything and there is NO workaround for this.
There are two ways to set your patched/custom EFI ROM for EFI VM.
The first way, during Step 3:
- Make a backup copy of the original VBoxEFI64.fd from the VirtualBox directory somewhere;
- Replace VBoxEFI64.fd in the VirtualBox directory with its patched version from the VBoxLdr\data directory. Select the proper version of the file and then rename it to VBoxEFI64.fd (e.g. if you have 5.1.18 installed, select VBoxEFI64_5.1.18.fd);
- Use hidevm_efiahci (AHCI controller mode) or hidevm_efiide (IDE controller mode) for your EFI VM.
The second way is simpler, without any file replacing:
- Configure the VM to use an alternative EFI ROM with the help of VBoxManage:
vboxmanage setextradata vmname "VBoxInternal/Devices/efi/0/Config/EfiRom" full_path_to_your_patched_efirom
e.g. vboxmanage setextradata vm01 "VBoxInternal/Devices/efi/0/Config/EfiRom" C:\VM\PinkiPie.fd
To automate this you can add the following line to the EFI VM configuration scripts:
%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/EfiRom" full_path_to_your_patched_efirom
Note that some VirtualBox versions might not support this.
If the monitoring driver is loaded, reboot Windows. Delete the VBoxLdr folder. Open regedit and delete the keys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tsugumi
HKEY_LOCAL_MACHINE\SOFTWARE\Tsugumi
if present.
If you used the patched EFI module, restore the VBoxEFI64.fd file from the backup; otherwise VirtualBox will be unable to work with EFI VMs.
Scenario: you decided to update VirtualBox without a clean reinstall and without rebooting your PC. Will the loader work with the new version? Yes it will, but you need to re-run loader.exe in an elevated command prompt to update the patch information for the new version of the VirtualBox dynamic link library VBoxDD.dll. Basically you need to repeat Step 5.