Installation guide

Mitigation of VM detection
This website is dedicated to disseminating critical information on the detection and mitigation of virtual machines (VMs). Configure VirtualBox x64 Hardened loader v2 to prevent VM detection.

Section on characteristics:

What is detection of virtual machines (VMs)?

Malware uses VM detection to determine whether it is running inside a virtual environment. Several popular approaches include using the CPUID instruction, inserting code into system memory and checking whether it returns the expected error code, or checking which version of the .NET Framework is loaded.

How does it function?

Malware that detects virtual environments can itself be identified in one of two ways: (1) passively, by doing nothing and waiting for the malware to detect the virtual environment and halt its own execution; or (2) actively, by explicitly checking whether the system is executing in a virtual environment.

Why should you care?

VM detection enables malware to evade detection and removal from your system, leading to longer infections, greater data theft, and the possibility of a costly cleanup process. It may also result in the exposure of your data to other hostile actors who were previously unaware of your sensitive information.

Step-by-step guide to mitigating VM detection by configuring VirtualBox x64 Hardened loader v2.

Note: the minimum required VirtualBox version is 6.1.2.

Contents:

  • Installing VirtualBox
  • Creating VM with required settings
  • Using batch script to apply fake VM system information
  • Loading monitoring driver for load-in-memory VM dll patch
  • Stopping monitoring driver
  • Warning: VirtualBox Additions
  • Appendix A: Using EFI VM
  • Appendix B: Uninstalling VirtualBox loader
  • Appendix C: Updating VirtualBox

Step 1. Installing VirtualBox

  1. Download VirtualBox from the official site (https://www.virtualbox.org/wiki/Downloads).
  2. Do a clean installation of the latest VirtualBox.
    • Clean means you must first uninstall any other version of VirtualBox and reboot Windows to complete the uninstallation. This ensures that no old VirtualBox files are left in system memory or on disk. Unfortunately the VirtualBox setup sometimes can’t do a complete removal without a reboot, so do reboot after uninstalling.
  3. Start the installation and select the VirtualBox components to install as shown in the figure below.
[Screenshot 1: VirtualBox component selection during installation]

Step 2. Creating VM with required settings

In this example we are installing and configuring VirtualBox on an x64 PC running a fully patched Windows 8.1.

Create a new virtual machine (in this example it will be named “vm0”) and configure it in the following way:

[Screenshot 2: Create Virtual Machine dialog for “vm0”]

Note: 2048 MB is not a requirement; you can adjust or lower this value as you want, but keep in mind that some lame malware attempts to detect a VM by the available physical memory size and, if it is too low, uses it as a VM detection flag.

Setup Virtual disk

[Screenshot 3: Create Virtual Hard Disk dialog]

Note: 64 GB is not a requirement and is just used as an example; however, yet again some lame malware attempts to detect a VM by hard disk size, so give it a reasonable size (>32 GB).

After the VM (vm0 in our case) is created, open its settings and make the following changes.

System

On the “Motherboard” tab ensure Enable I/O APIC is turned on. If you plan to use EFI, please read Appendix A: Using EFI VM.

On the “Motherboard” tab also ensure that the Pointing Device is set to PS/2 Mouse. You may want to disable “Enhance pointer precision” in the Windows Mouse settings, as this makes the mouse work much better.

[Screenshot 4: System settings, Motherboard tab]

On the “Processor” tab ensure PAE/NX is enabled. Also note that your VM must have at least TWO CPUs, because the number of processors is again used by malware to determine VM execution. So give the VM a minimum of two processors.

[Screenshot 5: System settings, Processor tab]

On the “Acceleration” tab set the Paravirtualization Interface to “Legacy” and enable VT-x/Nested Paging. The “Default” paravirtualization interface gives the VM the ability to detect the VirtualBox hypervisor via the “hypervisor present” bit and the hypervisor name reported by the cpuid instruction. Switching the paravirtualization interface to “Legacy” effectively turns off these VM-detection-friendly features.

[Screenshot 6: System settings, Acceleration tab]

Display

On the “Screen” tab disable 3D/2D Acceleration and set the Graphics Controller to VMSVGA.

[Screenshot 7: Display settings, Screen tab]

Storage

The storage configuration should look like this:

[Screenshot 8: Storage settings with SATA controller]

You can use an IDE controller instead of SATA, but in what follows we assume that you use the default SATA controller.

Network

Enable NAT for the virtual machine, so you can use FTP-like programs to communicate with it and the machine will have access to the internet (if you have it).

[Screenshot 9: Network settings, NAT adapter]

Once all settings are set, press the OK button.
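The same Step 2 settings can be applied and verified from the command line with VBoxManage. The following batch script is an added example and is not part of VBoxHardenedLoader; it assumes the default VirtualBox installation path, a VM named vm0 (or the name passed as the first argument), and the VirtualBox 6.1 option names for modifyvm.

```batch
@echo off
setlocal
rem Added example (not from VBoxHardenedLoader): applies the Step 2 VM settings
rem with VBoxManage instead of the GUI, then reads them back and fails on mismatch.
rem Assumes the default VirtualBox install path and 6.1-style modifyvm options.
set "vboxman=C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"
set "vmname=%~1"
if "%vmname%"=="" set "vmname=vm0"
if not exist "%vboxman%" (
    echo VBoxManage.exe not found at "%vboxman%"
    exit /b 1
)

rem Motherboard tab: 2048 MB RAM, I/O APIC on, PS/2 mouse
"%vboxman%" modifyvm "%vmname%" --memory 2048 --ioapic on --mouse ps2 || exit /b 1
rem Processor tab: PAE/NX on, at least two CPUs
"%vboxman%" modifyvm "%vmname%" --pae on --cpus 2 || exit /b 1
rem Acceleration tab: Legacy paravirtualization interface, VT-x, nested paging
"%vboxman%" modifyvm "%vmname%" --paravirtprovider legacy --hwvirtex on --nestedpaging on || exit /b 1
rem Screen tab: VMSVGA controller, 2D/3D acceleration off
"%vboxman%" modifyvm "%vmname%" --graphicscontroller vmsvga --accelerate3d off --accelerate2dvideo off || exit /b 1
rem Network: NAT on the first adapter
"%vboxman%" modifyvm "%vmname%" --nic1 nat || exit /b 1

rem Read the settings back from showvminfo --machinereadable (key=value lines)
set "fail=0"
call :check ioapic on
call :check pae on
call :check cpus 2
call :check paravirtprovider legacy
call :check graphicscontroller vmsvga
call :check nic1 nat
if "%fail%"=="1" exit /b 1
echo All Step 2 settings verified for %vmname%.
endlocal
goto :eof

:check
rem %1 = machinereadable key, %2 = expected value (quotes around values are stripped by %%~B)
set "val="
for /f "tokens=1,* delims==" %%A in ('""%vboxman%" showvminfo "%vmname%" --machinereadable ^| findstr /b /c:"%~1=""') do set "val=%%~B"
if /i not "%val%"=="%~2" (
    echo MISMATCH: %~1 is "%val%", expected "%~2"
    set "fail=1"
)
exit /b 0
```

Run it with the VM closed; the read-back uses the same values the Acceleration and Display tabs show, so a mismatch usually means an option name differs in your VirtualBox version.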

Step 3. Using batch script to apply fake VM system information

Close VirtualBox.

Save the https://github.com/hfiref0x/VBoxHardenedLoader/tree/master/Binary folder to your PC; in the examples that follow we save it as C:\VBoxLdr. Open a command prompt (Win+R, type cmd, press Enter) and change the current directory to VBoxLdr\data (type cd C:\VBoxLdr\data, press Enter).

Now the important part: select the script to work with depending on your VM configuration.

  • hidevm_ahci is for a VM with a SATA/AHCI controller and classical BIOS
  • hidevm_ide is for a VM with an IDE controller and classical BIOS
  • hidevm_efiahci is for a VM with a SATA/AHCI controller and EFI
  • hidevm_efiide is for a VM with an IDE controller and EFI

If you plan to use an EFI VM, see “Appendix A: Using EFI VM” before doing any further steps.

In our example we created the VM without EFI support and with a SATA/AHCI controller, so we will use the hidevm_ahci script. Open it with Notepad and change the following lines:

set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe"

set vmscfgdir=D:\Virtual\VBOX\Settings\

These two variables are used as file paths further down in the script; change them to the actual locations.

Put the correct path to vboxmanage.exe, depending on where VirtualBox is installed, in the vboxman variable. Set vmscfgdir according to where you saved the Binary folder.

In our example we leave vboxman as is, because we didn’t change the VirtualBox installation path, and change D:\Virtual\VBOX\Settings\ to C:\VBoxLdr\data\, so the two lines will look like this:

set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe"

set vmscfgdir=C:\VBoxLdr\data\

Note the backslash at the end of vmscfgdir.

After that, save the script changes.

Type the script name in the command prompt and add your VM name as the parameter, e.g. in our case:

[Screenshot 10: hidevm_ahci vm0 typed at the command prompt]

Run it by pressing Enter. This will set up the additional configuration for your VM.

Do not start the VM yet, as it is not ready.

Step 4. Loading monitoring driver for load-in-memory VM dll patch

Close VirtualBox if it is open.

Open an elevated command prompt: run cmd.exe as administrator and switch the current directory to C:\VBoxLdr (or wherever you saved the Binary folder). Use loader.exe to start monitoring, typing it as shown in the screenshot below:

[Screenshot 11: loader.exe run from the elevated command prompt]

Upon successful execution you will see something like this:

[Screenshot 12: loader.exe output after the monitoring driver is loaded]

Done: the monitoring driver is loaded and configured. You will have to repeat this step (and only this step) each time you boot Windows, because the monitoring driver is unloaded automatically on system shutdown/reboot.

Step 5. Stopping monitoring driver.

Close VirtualBox if it is open.

Open an elevated command prompt, navigate to the VBoxLdr folder and run the loader with the /s switch, e.g. loader.exe /s. To re-enable monitoring, just re-run the loader without parameters, elevated (as administrator). The monitoring driver is unloaded at Windows shutdown or reboot; to start it again repeat Step 4.

Warning: VirtualBox Additions

Do not install VirtualBox Guest Additions! This will ruin everything and there is NO workaround for it.

Appendix A: Using EFI VM

Configure the VM to use the alternative EFI ROM with the help of VBoxManage:

vboxmanage setextradata vmname "VBoxInternal/Devices/efi/0/Config/EfiRom" full_path_to_your_patched_efirom

For example, if you are using VirtualBox 6.1.2, then run:

vboxmanage setextradata vm01 "VBoxInternal/Devices/efi/0/Config/EfiRom" C:\VBoxLdr\data\efi_amd64_fixed_6.1.2

To automate this you can add the following line to the EFI VM configuration scripts:

%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/EfiRom" full_path_to_your_patched_efirom

Note: the configuration scripts hidevm_efiahci/hidevm_efiide already have this setting set.
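A safer way to apply the EFI ROM setting by hand is to refuse a ROM path that does not exist and to read the key back after setting it. This batch script is an added example, not part of VBoxHardenedLoader or its hidevm scripts; it assumes the default VirtualBox installation path and takes the VM name and the ROM path as arguments.

```batch
@echo off
setlocal
rem Added example (not from VBoxHardenedLoader): sets the patched EFI ROM for a VM
rem and verifies the extradata key afterwards with getextradata.
rem Usage: setefirom.cmd vmname full_path_to_patched_efirom
set "vboxman=C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"
set "key=VBoxInternal/Devices/efi/0/Config/EfiRom"
if "%~2"=="" (
    echo usage: %~nx0 vmname full_path_to_patched_efirom
    exit /b 1
)
rem A typo here would leave the VM booting the stock (detectable) EFI ROM,
rem so check the file exists before touching the VM configuration.
if not exist "%~f2" (
    echo EFI ROM not found: "%~f2"
    exit /b 1
)
"%vboxman%" setextradata "%~1" "%key%" "%~f2" || exit /b 1

rem getextradata prints "Value: <path>"; keep everything after the first token
set "current="
for /f "tokens=1,* delims= " %%A in ('""%vboxman%" getextradata "%~1" "%key%""') do set "current=%%B"
if /i not "%current%"=="%~f2" (
    echo Read-back mismatch, key holds: "%current%"
    exit /b 1
)
echo EfiRom for %~1 is now "%current%"
endlocal
```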

Appendix B: Uninstalling VirtualBox loader

If the monitoring driver is loaded, reboot Windows. Then delete the VBoxLdr folder.

Appendix C: Updating VirtualBox

Scenario: you decided to update VirtualBox without a clean reinstall and without rebooting your PC. Will the loader work with the new version? Yes it will, but you have to re-run loader.exe in an elevated command prompt to update the patch information for the new version of the VirtualBox dynamic link library VBoxDD.dll. Basically, you need to repeat Step 4.

About the Author

USA

Umair Akbar | Cloud Engineer

Umair Akbar is a Senior Information Security Engineer with over 5 years of experience leading the development and daily management of InfoSec systems.
