Undetectable VM on Linux


There are already plenty of blog posts on the Internet about setting up an undetectable VM for malware analysis, but nearly all of them assume a Windows host. I prefer Linux (specifically Ubuntu) as the host OS, partly for its community support and partly because you never know when a VM-escape 0-day will turn a sample's RCE inside the guest into a dead host, and I would rather that host not be Windows.

So I set up a Windows 7 guest in VirtualBox on an Ubuntu host. It was a tedious job: the VM crashed again and again, because there is no proper documentation on how to do it.

Let's get started. First, the prerequisites for your malware analysis lab :)

Prerequisites:

  1. VirtualBox
  2. A fresh Windows 7 image (.iso/.ova)
  3. https://github.com/nsmfoo/antivmdetection (run on the host)
  4. https://github.com/d4rksystem/VBoxCloak (run inside the guest)
  5. https://www.nirsoft.net/utils/devmanview.zip (NirSoft DevManView, needed by antivmdetection)
  6. https://download.sysinternals.com/files/VolumeId.zip (Sysinternals VolumeId, needed by antivmdetection)

Setup

First and foremost, install VirtualBox from the .deb file (if dpkg complains about missing dependencies, let apt resolve them before continuing):

sudo dpkg -i virtualbox*.deb

Second: I currently run both a 32-bit and a 64-bit guest (the 64-bit one because of the recent BlackCocaine ransomware). This post walks through the 32-bit Windows 7 VM, since most malware is still 32-bit.

Create the VM and install your Windows 7 image in VirtualBox.

Things to note while installing:

  1. Give the VM more than two cores; a low core count is a common sandbox tell.
  2. Give it more than 1 GB of RAM if the host can spare it, for the same reason.
  3. Enable audio support; a machine with no sound device looks like a sandbox.
  4. Set the paravirtualization interface to 'None', so no hypervisor interface is advertised to the guest.
  5. Enable I/O APIC.

After the image is installed, note the VM's name as shown at the top of the VirtualBox window, or list it with

vboxmanage list vms

and write the VM name down; the host-side script needs it.

Now clone the antivmdetection repo on the HOST and cd into it.

Download devmanview.zip and VolumeId.zip from the prerequisites into that folder.

Create the two word lists the script picks a computer name and a user name from:

echo "some-computername" > computer.lst
echo "some-username" > user.lst

and now run

python3 antivmdetection.py

This generates two scripts, both named after the host's DMI system product string:

<DmiSystemProduct>.sh (to be run on your host)
<DmiSystemProduct>.ps1 (to be run inside your Windows VM)

Make <DmiSystemProduct>.sh executable (no sudo is needed for a file you own):

chmod a+x <DmiSystemProduct>.sh

and then run it against the VM name you noted down:

./<DmiSystemProduct>.sh vm-name

Errors you may hit:

  1. "Size of the DSDT file is too large (> 64k). Try to build the template from another computer"
    This shows up on newer hardware, whose DSDT is bigger than the 64 KiB the tool accepts. To work around it, download a DSDT from https://www.tonymacx86.com/dsdt-database, look in the antivmdetection folder for the {your-system-name}.bin file the script produced, delete it, rename the downloaded DSDT to that exact file name, and run the shell script again. Where you can, pick a table whose OEM ID matches the vendor in your DMI strings, so the ACPI tables and the SMBIOS data tell the same story. Problem resolved.

  2. "PIIX3 configuration error: failed to read "SerialNumber" as string (VERR_CFGM_NOT_STRING). return code: E_FAIL (0x80004005) Component: ConsoleWrap"
    VirtualBox stores an extradata value that consists only of digits as an integer, and the IDE device, which expects a string, then refuses to start the VM. The offending line in the shell script is

VBoxManage setextradata "$1" VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/SerialNumber '12345678901234567890'

Put a letter at the start so the value is no longer numeric:

VBoxManage setextradata "$1" VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/SerialNumber 'A3456789012345678902'

(VirtualBox also accepts a string: prefix for values that must stay all digits.) Run the shell script again. Problem resolved.
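The host side of the procedure above, written out as an added example. This is my own script, not the <DmiSystemProduct>.sh that antivmdetection generates: it applies the install checklist with modifyvm, sets the DMI and disk-identity overrides, and handles the second error in the general way, with the documented string: prefix for all-digit values, instead of swapping a letter into the serial. Every vendor string, serial and UUID is a made-up placeholder, and the DsdtFilePath key is the one I believe antivmdetection uses; treat both as assumptions and substitute values taken from a real machine (sudo dmidecode) before use.

```shell
#!/bin/sh
# Added example, not antivmdetection's generated script: the same class of
# host-side VBoxManage calls, with the pitfalls from the walkthrough handled.
# All vendor/serial/UUID values are made-up placeholders; replace them with
# values copied from a physical machine. DRY_RUN=1 prints the VBoxManage
# commands instead of executing them.
set -eu

CPUS=${CPUS:-2}                                   # checklist: 2 or more cores
RAM_MB=${RAM_MB:-2048}                            # checklist: more than 1 GB
DISK_SERIAL=${DISK_SERIAL:-WD-WCC6Y4NPVXK3}       # placeholder, <= 20 bytes
DISK_FW=${DISK_FW:-82.00A82}                      # placeholder, <= 8 bytes
DISK_MODEL="${DISK_MODEL:-WDC WD10EZEX-08WN4A0}"  # placeholder, <= 40 bytes

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# VirtualBox turns an extradata value made only of digits into an integer, and
# a device that wants a string (the PIIX3 IDE serial above) then refuses to
# start with VERR_CFGM_NOT_STRING. The documented escape is a "string:" prefix,
# which lets the value itself stay all-digit instead of swapping a letter in.
cfgm_str() {
    case "$1" in
        ''|*[!0-9]*) printf '%s' "$1" ;;
        *)           printf 'string:%s' "$1" ;;
    esac
}

# ATA VPD field limits per the VirtualBox manual: serial 20, firmware 8, model 40 bytes.
vpd_check() {   # $1 value, $2 maximum length; non-zero status if too long
    [ "${#1}" -le "$2" ]
}

configure_vm() {   # $1 = VM name, as printed by: VBoxManage list vms
    vm=$1
    # Install-time checklist: cores, RAM, no paravirtualisation interface, I/O APIC on.
    run VBoxManage modifyvm "$vm" --cpus "$CPUS" --memory "$RAM_MB" \
        --paravirtprovider none --ioapic on

    # SMBIOS/DMI strings; the guest reads them through WMI (Win32_BIOS,
    # Win32_ComputerSystem, Win32_BaseBoard). DmiSystemVersion=01 is all
    # digits and only survives because cfgm_str prefixes it with "string:".
    base=VBoxInternal/Devices/pcbios/0/Config
    for kv in \
        "DmiBIOSVendor=Dell Inc." \
        "DmiBIOSVersion=A22" \
        "DmiBIOSReleaseDate=06/17/2014" \
        "DmiSystemVendor=Dell Inc." \
        "DmiSystemProduct=OptiPlex 7010" \
        "DmiSystemVersion=01" \
        "DmiSystemSerial=7XQ3L12" \
        "DmiSystemUuid=4c4c4544-0058-5110-8033-c3c04f4c3132" \
        "DmiBoardVendor=Dell Inc." \
        "DmiBoardProduct=0KRC95" \
        "DmiChassisVendor=Dell Inc."
    do
        run VBoxManage setextradata "$vm" "$base/${kv%%=*}" "$(cfgm_str "${kv#*=}")"
    done

    # Identity of the disk on the IDE controller this Windows 7 VM boots from.
    if ! vpd_check "$DISK_SERIAL" 20 || ! vpd_check "$DISK_FW" 8 || ! vpd_check "$DISK_MODEL" 40; then
        echo "disk VPD field too long (serial<=20, firmware<=8, model<=40 bytes)" >&2
        return 1
    fi
    ide=VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster
    run VBoxManage setextradata "$vm" "$ide/SerialNumber"     "$(cfgm_str "$DISK_SERIAL")"
    run VBoxManage setextradata "$vm" "$ide/FirmwareRevision" "$(cfgm_str "$DISK_FW")"
    run VBoxManage setextradata "$vm" "$ide/ModelNumber"      "$(cfgm_str "$DISK_MODEL")"
}

# The first error above is a DSDT over 64 KiB; refuse such a table here rather
# than letting the VM fail to start. (DsdtFilePath is the key I believe
# antivmdetection uses; assumption.)
attach_dsdt() {   # $1 VM name, $2 path to the DSDT .bin
    size=$(( $(wc -c < "$2") ))
    if [ "$size" -gt 65536 ]; then
        echo "DSDT $2 is $size bytes (> 64 KiB): pick another table" >&2
        return 1
    fi
    run VBoxManage setextradata "$1" VBoxInternal/Devices/acpi/0/Config/DsdtFilePath "$2"
}

main() {
    [ "$#" -ge 1 ] || { echo "usage: $0 <vm-name> [dsdt.bin]" >&2; return 2; }
    configure_vm "$1"
    if [ "$#" -ge 2 ]; then attach_dsdt "$1" "$2"; fi
}

# Only act when given a VM name; sourcing the file just defines the functions.
if [ "$#" -ge 1 ]; then main "$@"; fi
```

Run it as DRY_RUN=1 ./spoof.sh vm-name first and read the generated commands; once they look right, run it without DRY_RUN with the VM powered off, then take the snapshot described below.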

That is the host side done, but the work is not finished yet.

Now start the VM and take a snapshot, so that if anything goes wrong you can simply revert.

[Note: take a snapshot at every convenient point, so you never have to revert all the way back to a fresh install.]

Download the VBoxCloak repo and transfer it into the GUEST VM.

[To move files from HOST to GUEST I use a shared folder: Settings > Shared Folders > Machine Folders, add the folder you want to import, and mark it read-only so nothing running in the guest can write back to the host. Detach the shared folder once the files are copied; a mounted host share is itself a VM tell.]

Inside the VM, copy the VBoxCloak folder over, open PowerShell as Administrator (if the execution policy blocks the script, start PowerShell with the policy bypassed for that session), change into the VBoxCloak folder, and execute

.\VBoxCloak.ps1 -all

After this completes, take a second snapshot; you have done a lot of work and it should not be wasted.

Take a snapshot, please :)

With all of this in place, the VM passes about 92-93% of PaFish's detection checks. :)
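Before trusting that PaFish figure, it helps to check from the host that nothing obvious was left behind. The following is an added example, not part of the post or of either tool: it parses the output of VBoxManage showvminfo --machinereadable and VBoxManage getextradata enumerate and reports settings that still identify the VM. The list of required DMI keys is my own checklist (an assumption about what the generated script should have set), and both embedded sample outputs are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the post, antivmdetection or VBoxCloak: a host-side
# pre-flight check to run before PaFish or a sample. It reads the text that
#   VBoxManage showvminfo "<vm>" --machinereadable
#   VBoxManage getextradata "<vm>" enumerate
# produce and prints one finding per line for anything that still gives the
# VM away. Without a VM name it audits the constructed samples below.
set -eu

# DMI keys the host-side script should have overridden (my own checklist; assumption).
REQUIRED_DMI="DmiBIOSVendor DmiBIOSVersion DmiSystemVendor DmiSystemProduct DmiSystemVersion DmiSystemSerial DmiBoardVendor DmiBoardProduct"

# Constructed sample of showvminfo --machinereadable output for a VM that
# ignored the install checklist (1 core, 1 GB, paravirt on, no I/O APIC).
SAMPLE_VMINFO_BAD='name="win7-lab"
cpus=1
memory=1024
ioapic="off"
paravirtprovider="default"'

# Constructed sample of getextradata enumerate output: two DMI values still
# carry VirtualBox defaults and five required keys were never set.
SAMPLE_EXTRADATA_BAD='Key: GUI/LastNormalWindowPosition, Value: 0,0,1024,768
Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor, Value: Dell Inc.
Key: VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor, Value: innotek GmbH
Key: VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct, Value: VirtualBox'

vminfo_get() {   # $1 = showvminfo text, $2 = key; prints the value without quotes
    printf '%s\n' "$1" | grep "^$2=" | head -n 1 | sed 's/^[^=]*=//; s/^"//; s/"$//'
}

audit_vminfo() {   # $1 = showvminfo --machinereadable text
    cpus=$(vminfo_get "$1" cpus);   mem=$(vminfo_get "$1" memory)
    pv=$(vminfo_get "$1" paravirtprovider); apic=$(vminfo_get "$1" ioapic)
    [ "${cpus:-0}" -ge 2 ]   || echo "cpus=$cpus: fewer than 2 cores"
    [ "${mem:-0}" -gt 1024 ] || echo "memory=$mem: 1 GB or less of RAM"
    [ "$pv" = none ]         || echo "paravirtprovider=$pv: should be none"
    [ "$apic" = on ]         || echo "ioapic=$apic: I/O APIC is off"
}

audit_extradata() {   # $1 = getextradata enumerate text
    # A required DMI key that is absent leaves VirtualBox's default string visible.
    for k in $REQUIRED_DMI; do
        printf '%s\n' "$1" | grep -q "^Key: VBoxInternal/Devices/pcbios/0/Config/$k, " \
            || echo "$k not set: guest sees the VirtualBox default"
    done
    # An override whose value still names the hypervisor defeats its purpose.
    printf '%s\n' "$1" | grep '^Key: VBoxInternal/' \
        | grep -i -E 'Value: .*(virtualbox|innotek|oracle|vbox)' \
        | sed 's/^Key: //; s/, Value: / = /; s/$/: still identifies VirtualBox/'
}

main() {   # $1 = VM name; without one, audit the constructed samples
    if [ "$#" -ge 1 ]; then
        info=$(VBoxManage showvminfo "$1" --machinereadable)
        extra=$(VBoxManage getextradata "$1" enumerate)
    else
        info=$SAMPLE_VMINFO_BAD; extra=$SAMPLE_EXTRADATA_BAD
    fi
    findings=$(audit_vminfo "$info"; audit_extradata "$extra")
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; return 1; fi
    echo "no host-side tells found; now run PaFish inside the guest"
}

# Only run when invoked with arguments; sourcing the file just defines the functions.
if [ "$#" -ge 1 ]; then main "$@"; fi
```

Anything this reports is visible to the guest through WMI or the BIOS tables no matter what VBoxCloak did inside Windows, so fix it on the host and re-snapshot before running PaFish again.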

References:

https://wiki.elvis.science/index.php?title=VirtualBox:_How_to_Setup_your_Malware_Analysis
