hfiref0x / VBoxHardenedLoader

VirtualBox VM detection mitigation loader
BSD 2-Clause "Simplified" License

Tips to Enhance Project! #58

Closed Whibelf2 closed 4 years ago

Whibelf2 commented 4 years ago

Hello @hfiref0x, we have some tips for you to consider changing in some future update. Please consider making these changes. Thanks!


Tip 1:

Add "%VM%" instead of "%1" in the batch script:

set /p VM="Input Name of VM: "

sample: https://imgur.com/a/t44AIuD


Tip 2:

The patched EFI module efi_amd64_fixed_6.1.2.fd for some reason doesn't allow changing the DmiSystemUuid string. Please roll back to the VBoxEFI64-6.0.10.fd version, which allows changing DmiSystemUuid.

sample: https://github.com/hfiref0x/VBoxHardenedLoader/commit/2e364299b73e25ae937c941c8b5bb4a09bcd9d92#diff-03a551b86c64cdeb37a9ba33a0759da6


Tip 3:

Put back the .bat script file to start and stop loader.exe:

REM Append the full path to loader.exe and run this batch file elevated
@echo off
echo Running loader
loader.exe

sample: https://gofile.io/?c=v5a6nz


Tip 4:

Add anti_RTSC to the batch script

sample: https://github.com/vektort13/antiRTSC


hfiref0x commented 4 years ago

1) Ok, this will be in the next commit(s).

2) If it doesn't work then it is an Oracle bug; using the EFI ROM from a previous VBox version isn't wise, as it contains a lot of various modules and they may be heavily changed between 6.0.x and 6.1.x.

I cannot reproduce this in my test.

<ExtraDataItem name="VBoxInternal/Devices/efi/0/Config/DmiSystemUuid" value="80A3D0F4-9FAB-E211-8D78-8851FB5B5288"/>

Result from RWEverything:

UUID    0x80 0xA3 0xD0 0xF4 0x9F 0xAB 0xE2 0x11 0x8D 0x78 0x88 0x51 0xFB 0x5B 0x52 0x88 
Wakeup Type 0x06 - Power Switch 
SKU Number  String5 - <censored>
Family  String6 - <censored>

3) Ok, I will add these scripts back in the next commit(s).

4) This does not work the way you expect it to. Practically, this setting is almost useless.

Here is a simple test program:

https://gist.github.com/hfiref0x/e0eb1f7588613b01526efceb85cde80b

This is a test on real hardware (note that cpuid always adds overhead); the host is Linux, the guest is Windows 10, 1909.

cpuid test
interval: 339
interval: 450
interval: 277
interval: 353
interval: 217
interval: 226
interval: 217
interval: 225
interval: 108
interval: 111
empty test
interval: 53
interval: 24
interval: 24
interval: 53
interval: 21
interval: 53
interval: 53
interval: 53
interval: 27
interval: 53

Result with default VM TSC config (2 CPU):

cpuid test
interval: 18159
interval: 18558
interval: 18424
interval: 16471
interval: 18199
interval: 17246
interval: 18184
interval: 16280
interval: 16175
interval: 19324
empty test
interval: 8608
interval: 7567
interval: 3583
interval: 7157
interval: 5957
interval: 7262
interval: 9246
interval: 8459
interval: 7151
interval: 8345

Result with RealTSCOffset set in VM (2 CPU):

cpuid test
interval: 17026
interval: 17377
interval: 17677
interval: 16687
interval: 17093
interval: 18623
interval: 17467
interval: 18390
interval: 12344
interval: 10089
empty test
interval: 53
interval: 35
interval: 21
interval: 53
interval: 28
interval: 51
interval: 53
interval: 53
interval: 46
interval: 46

With Dynamic set in VM (2 CPU):

cpuid test
interval: 17153
interval: 20085
interval: 16419
interval: 16500
interval: 15757
interval: 16659
interval: 10695
interval: 16110
interval: 18127
interval: 16424
empty test
interval: 24
interval: 24
interval: 53
interval: 49
interval: 44
interval: 53
interval: 36
interval: 28
interval: 53
interval: 53

Cpuid breaks this entirely, so it is almost useless.

These settings:

VBoxInternal/CPUM/SSE4.1 1
VBoxInternal/CPUM/SSE4.2 1

are default VBox settings, e.g. the output of lscpu on a default Linux VM:

fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt rdtscp lm constant_tsc rep_good nopl nonstop_tsc cpuid extd_apicid tsc_known_freq pni pclmulqdq monitor ssse3 cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx rdrand hypervisor lahf_lm cr8_legacy abm sse4a misalignsse 3dnowprefetch ssbd vmmcall fsgsbase avx2 rdseed clflushopt arat

Quote:

> These are per-VM settings which are enabled by default.

https://www.virtualbox.org/manual/ch09.html#sse412passthrough

Additionally, these settings are completely unrelated and do not affect TSC in any way.

I don't think it is possible to completely evade detection of running in a VM.
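The following is an added example to illustrate the "cpuid test" / "empty test" measurement discussed in this comment; it is not the gist linked above and not part of the loader project. It samples the TSC around a CPUID instruction and around nothing, and reports the median of each so a reader can reproduce the comparison on a host and inside a VM. It assumes an x86/x86-64 build with GCC or Clang (for `<cpuid.h>` and `<x86intrin.h>`); the sample count and the helper names are the author's own choices.

```c
/* Added example (not the thread's gist): TSC interval around CPUID vs. around
 * nothing. Assumes x86/x86-64 with GCC or Clang. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <cpuid.h>      /* __cpuid() macro */
#include <x86intrin.h>  /* __rdtsc() */

#define SAMPLES 101     /* odd count, so the median is an actual sample */

/* One interval: TSC delta around CPUID leaf 0, or around nothing.
 * CPUID is an unconditional VM exit under VT-x/AMD-V, so in a guest the
 * delta always contains the hypervisor round trip, whatever the TSC offset
 * mode; the empty pair is what RealTSCOffset/Dynamic bring back down to
 * host-like values, which is exactly the pattern in the thread's output. */
static uint64_t measure_once(int use_cpuid)
{
    unsigned int a = 0, b = 0, c = 0, d = 0;
    uint64_t t0 = __rdtsc();
    if (use_cpuid)
        __cpuid(0, a, b, c, d);
    uint64_t t1 = __rdtsc();
    (void)a; (void)b; (void)c; (void)d;
    return t1 - t0;
}

static int cmp_u64(const void *x, const void *y)
{
    uint64_t ux = *(const uint64_t *)x, uy = *(const uint64_t *)y;
    return (ux > uy) - (ux < uy);
}

/* Collect n intervals into out[] and return their median. The median is used
 * instead of the mean because single samples are easily inflated by an
 * interrupt or a context switch (see the 8608 / 3583 spread above). */
uint64_t median_interval(int use_cpuid, uint64_t *out, int n)
{
    int i;
    (void)measure_once(use_cpuid);      /* warm-up sample, discarded */
    for (i = 0; i < n; i++)
        out[i] = measure_once(use_cpuid);
    qsort(out, (size_t)n, sizeof out[0], cmp_u64);
    return out[n / 2];
}

int main(void)
{
    uint64_t buf[SAMPLES];
    uint64_t with_cpuid = median_interval(1, buf, SAMPLES);
    uint64_t empty      = median_interval(0, buf, SAMPLES);

    /* Compare the two medians with the four tables in the thread: a TSC
     * offset setting changes the "empty" figure, never the "cpuid" one. */
    printf("cpuid test: median interval %llu\n", (unsigned long long)with_cpuid);
    printf("empty test: median interval %llu\n", (unsigned long long)empty);
    return 0;
}
```

Run it once on the host and once in the guest with each TSC setting; only the empty-pair median is expected to move, which is the point made above about the CPUID path.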

hfiref0x commented 4 years ago

See the commit in the dev branch. If it is OK for you, this will be merged later into master.

Whibelf2 commented 4 years ago

These all sound like very good changes, better than I expected.

About issue number 2, using efi_amd64_fixed_6.1.2.fd: are you able to change the DmiSystemUuid value GUID? For me it is not possible; when I change this value it never reflects in the VM. It remains unalterable. All VMs have the same GUID value "VBoxInternal/Devices/efi/0/Config/DmiSystemUuid" "B5FA3000-9403-81E0-3ADA-F46D045CB676".

The only way of modifying this is using the EFI module from the old version of the project.

hfiref0x commented 4 years ago

The value "B5FA3000-9403-81E0-3ADA-F46D045CB676" is the UUID specified in patch scripts.

VBox UUID is 0x34 0x1E 0x2B 0xB8 0x80 0x2C 0x42 0x2B 0xBF 0xAD 0xAE 0x96 0x31 0x7F 0x09 0x01.

I don't see any problem or bug here.

Whibelf2 commented 4 years ago

> The value "B5FA3000-9403-81E0-3ADA-F46D045CB676" is the UUID specified in patch scripts.
>
> VBox UUID is 0x34 0x1E 0x2B 0xB8 0x80 0x2C 0x42 0x2B 0xBF 0xAD 0xAE 0x96 0x31 0x7F 0x09 0x01.
>
> I don't see any problem or bug here.

Yes, right, but if I need to change this value I'm not able to; I'm stuck with just this value: "B5FA3000-9403-81E0-3ADA-F46D045CB676". I hope this issue gets fixed in future Oracle updates. Until then I will have to use an old version of the EFI module, because I need to constantly change the UUID value; this is very important for my tasks. Any EFI module from the VBoxEFI64-6.0.x.fd versions works fine.

Whibelf2 commented 4 years ago

Any chance to re-open this topic https://github.com/hfiref0x/VBoxHardenedLoader/issues/56 so I can write a final solution for users with the same issue?

hfiref0x commented 4 years ago

Successfully changed it to "12345678-9403-81E0-3ADA-F46D045CB676". It is something on your side or in how you change it. There is no bug.

I absolutely advise AGAINST using the EFI ROM from 6.0x on 6.1x. They are different; there will be setbacks where you can't expect them.

Whibelf2 commented 4 years ago

> Successfully changed it to "12345678-9403-81E0-3ADA-F46D045CB676". It is something on your side or in how you change it. There is no bug.
>
> I absolutely advise AGAINST using the EFI ROM from 6.0x on 6.1x. They are different; there will be setbacks where you can't expect them.

Does this UUID value reflect in the VM? I'm using a macOS guest, and the UUID value doesn't reflect in the VM. It's still stuck on "B5FA3000-9403-81E0-3ADA-F46D045CB676", no matter how many times I change it in the batch script and apply it. In a few hours I will create a screenshot to attach to this topic.

Whibelf2 commented 4 years ago

Up

hfiref0x commented 4 years ago

You need to cross-check the UUID from a different OS, for example by booting from CD-ROM in this VM. This thing may have just remembered the initial value.

P.S. You may also try removing the nvram file located in your VM directory (make a backup copy first, to be sure).

Whibelf2 commented 4 years ago

> You need to cross-check the UUID from a different OS, for example by booting from CD-ROM in this VM. This thing may have just remembered the initial value.
>
> P.S. You may also try removing the nvram file located in your VM directory (make a backup copy first, to be sure).

Deleting the nvram file fixes the issue temporarily, but if I need to change the UUID again I need to delete the nvram file again.

Is this a bug from Oracle?

Whibelf2 commented 4 years ago

Found another bug/issue:

If I plug in a USB stick to start the VM with (USB settings 3.0 xHCI), the VM doesn't start; just a black screen is shown. When I remove the USB stick, the VM starts normally. This is with the latest version of the EFI module; in the old version this bug doesn't exist.

hfiref0x commented 4 years ago

None of these are issues of this loader.