Thread: Thwarting VM Detection from within a VirtualBox VM?

  1. #1
    Junior Member
    Join Date
    Jan 2010
    Posts
    68

    Thwarting VM Detection from within a VirtualBox VM?

    Hi, this isn't specific to BackTrack, but I'm searching high and low (and have asked the VirtualBox community but got no answers).

    This is, however, related to malware analysis (and security in general) and will no doubt be encountered by BackTrack users (if not already).

    In VMware, it is possible to stop applications from detecting that they are being run from within a virtual machine by adding specific config options to the VMX file of a halted machine (see below).

    isolation.tools.getPtrLocation.disable = "TRUE"
    isolation.tools.setPtrLocation.disable = "TRUE"
    isolation.tools.setVersion.disable = "TRUE"
    isolation.tools.getVersion.disable = "TRUE"
    monitor_control.disable_directexec = "TRUE"
    monitor_control.disable_chksimd = "TRUE"
    monitor_control.disable_ntreloc = "TRUE"
    monitor_control.disable_selfmod = "TRUE"
    monitor_control.disable_reloc = "TRUE"
    monitor_control.disable_btinout = "TRUE"
    monitor_control.disable_btmemspace = "TRUE"
    monitor_control.disable_btpriv = "TRUE"
    monitor_control.disable_btseg = "TRUE"

    How can one go about this in VBox? I can't find any information about thwarting VM detection from within VirtualBox.

    Has anyone had to work around this problem and can enlighten me?

    Cheers

    --Bruk0ut

    Thanks
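As an added example (not from the original post), a small Python audit of a VMX file against the options listed above: it reports which of them are missing or not set to "TRUE" and produces a hardened copy with the rest of the file untouched. It assumes the usual VMX key = "value" line layout; the sample fragment is constructed.

```python
import re
# Anti-detection options from the post above; each must be set to "TRUE".
REQUIRED = [
    "isolation.tools.getPtrLocation.disable", "isolation.tools.setPtrLocation.disable",
    "isolation.tools.setVersion.disable", "isolation.tools.getVersion.disable",
    "monitor_control.disable_directexec", "monitor_control.disable_chksimd",
    "monitor_control.disable_ntreloc", "monitor_control.disable_selfmod",
    "monitor_control.disable_reloc", "monitor_control.disable_btinout",
    "monitor_control.disable_btmemspace", "monitor_control.disable_btpriv",
    "monitor_control.disable_btseg",
]

VMX_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"?([^"]*?)"?\s*$')  # key = "value"

def parse_vmx(text):
    """Map VMX keys to values. VMware treats keys case-insensitively, so keys are lower-cased."""
    opts = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            opts[m.group(1).lower()] = m.group(2)
    return opts

def audit_vmx(text):
    """Return (missing keys, [(key, bad value)]) relative to REQUIRED."""
    opts = parse_vmx(text)
    missing = [k for k in REQUIRED if k.lower() not in opts]
    wrong = [(k, opts[k.lower()]) for k in REQUIRED
             if k.lower() in opts and opts[k.lower()].upper() != "TRUE"]
    return missing, wrong

def harden_vmx(text):
    """Rewrite wrong values in place and append missing keys; every other line stays as it was."""
    wanted = {k.lower(): k for k in REQUIRED}
    out, seen = [], set()
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m and m.group(1).lower() in wanted:
            seen.add(m.group(1).lower())
            line = f'{wanted[m.group(1).lower()]} = "TRUE"'
        out.append(line)
    out.extend(f'{k} = "TRUE"' for k in REQUIRED if k.lower() not in seen)
    return "\n".join(out) + "\n"

# Constructed sample VMX fragment: one option set wrong, one right, the rest missing.
SAMPLE_VMX = """displayName = "analysis-box"
monitor_control.disable_directexec = "FALSE"
isolation.tools.getVersion.disable = "TRUE"
"""
```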

  2. #2
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Re: Thwarting VM Detection from within a VirtualBox VM?

    It depends on how the virtual machine detection is done - there are multiple ways, such as checking for processes/registry settings associated with virtual machine clients, as well as attempting assembly instructions that are VM-only or which return different values in virtual machines vs. physical machines. Google can tell you more.

    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  3. #3
    Senior Member hypervista's Avatar
    Join Date
    Feb 2010
    Posts
    121

    Re: Thwarting VM Detection from within a VirtualBox VM?

    lupin is absolutely correct; it depends on how the detection is done. Some malware is quite sophisticated at detecting if it's running in a virtualized environment. I've written a custom hypervisor (type-1 bare-metal hypervisor) that doesn't have any of the "usual" virtualization signatures for just this purpose, malware analysis (I gave a presentation on a UEFI version of my hypervisor at Black Hat last year, but that's another story). I developed a hypervisor runtime debugger to do the analysis. But it's still a "cat and mouse" game. There was much talk in the "hypervisor" community a few years ago about detection, and one of the methods was to do timing differences on instructions that would force a hypervisor from guest mode to root mode. Because the hypervisor "owns" the machine, one way around this threat is to simply trap when a timing attack is detected and report back a false clock time, since you "own" the clock if you're the hypervisor. Still, even after going to such great lengths, there is still at least one way malware can detect it's running on a hypervisor: detecting displacements in the TLB (Translation Lookaside Buffer). Even a type-1 hypervisor can't mask TLB displacements caused by movements between guest and root modes. That will change in the near future when Intel ships a new virtualized memory architecture known as VPID, but for now, there is always a way for malware to tell if a hypervisor is present, but that would have to be one heck of a sophisticated piece of malware.
