VirtualBox Detection, Anti-Detection
The subject I will explain in this article is how to detect whether malware or certain programs installed on a virtual machine are in a virtual environment. On the other hand, I will tell you what we should do for a healthier environment.
Virtual Machine Detection
In short, it is the process of determining whether the software is running on a physical machine or a virtual machine.
In my opinion, one of the best detection programs is Pafish.
When we run Pafish in a VM, we may encounter a table like the one below. If we ask what this means, it means that our Pafish understands that it is in a virtual environment.
Since I am using VirtualBox, I will apply Anti-detection methods against it.
The place that interests us from the captured places on Pafish is the Virtualbox detection part.
What we’re going to do here is actually to escape from these captured places.
In order to do this escape, we need to understand how they were captured.
Let’s examine the source codes of Pafish.
Let’s first examine the main.c code.
We see that the above code structure is an architecture that only prints the returned values. The source code that makes the actual vbox queries is the vbox.c file.
Let’s examine the vbox.c code.
We see the queries made in this code that we have examined.
Here is a simple example query:
Code block querying bios date:
Code block querying some system files in environments installed with Virtualbox:
In the image below, we see the codes that query Registry keys.
So how do we get around these queries? While I was searching for the answer to this, I came across 3 projects.
Projects:
1.) github.com/hfiref0x/VBoxHardenedLoader
2.) github.com/d4rksystem/VBoxCloak
3.) github.com/JayMontana36/vBoxSysInfoMod
The first project consists of approximately 3–4 thousand lines of C code, and when we implement it, there is 3 line where we are caught.
The second is a runtime Powershell script with a total of 300 lines of code. When we try this, the vbox is captured from 4 places in the detection section.
The third one is modifying the VM with VBoxManager, but the writer didn’t modify it enough, so he can’t escape anyone.
Let me tell you how I went through it all.
VirtualBox Anti-Detection
First, let’s set up our machine.
If AMD-V supports it, tick it as well.
Now that we have our VM environment set up, let’s close it and we’re doing it my way.
Our captured items after running pafish in it are as follows.
It’s time to close them.
First, let’s shut down the VM and run the static.bat file.
As soon as we continue, it will modify our machine with VBoxManager, enter extra fake data and start our machine.
Example fake data information:
keep continue.
Start the VM and install dynamic.ps1
dynamic.ps1 is a Powershell script and it is doing randomly renames registry files captured by Pafish.
Run PowerShell as administrator and run “dynamic.ps1 -all”
If you get a Policy error try this script: “Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass”
If you get an error, don’t worry Guest additions because it does not exist.
Our code worked, now let’s run pafish in the VM.
As you can see, we only got 1 control,
Device Manager > Other Devices > Base System Device Uninstall to turn it off.
Let’s run Pafish again.
And we’re done.
Every time the VM is turned on and off, dynamic.ps1 must be run again.