Are there any known reputed guides for VM hardening/stealth techniques?

jefazo92
Posts: 19
Joined: 3. Mar 2022, 16:00

Post by jefazo92 »

I'm trying to create a Windows 7 VM environment, using VirtualBox, which looks as much like a real machine as possible. I've been searching online but I only find pieces of information here and there and haven't found any reputed guides describing all (or as many) VM artifacts and how these can be changed so the environment looks more like a real machine. I would really appreciate it if someone knows of a good guide for VM hardening/stealth techniques.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Post by scottgus1 »

VirtualBox can't be hidden from being seen as a VM. There are 'virtualbox'-sounding names in the drivers which can't be changed or the drivers won't work. And any decent app that wants to discover it's running in a VM can do so. Other forum gurus will tell you more.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Post by mpack »

Basically, the job of a VM is to look like a standard/generic PC. It is not the job of a VM to look like a specific real PC because that would be impossible: it would require VirtualBox to include code to simulate every bit of hardware that ever existed (and you say you want to pay how much for this?).

Since the hardware of a VM is very predictable it is trivially easy to detect a VM, even leaving aside that modern CPUs have a direct status flag that says so.
jefazo92
Posts: 19
Joined: 3. Mar 2022, 16:00

Post by jefazo92 »

mpack wrote:
Basically, the job of a VM is to look like a standard/generic PC. It is not the job of a VM to look like a specific real PC because that would be impossible: it would require VirtualBox to include code to simulate every bit of hardware that ever existed (and you say you want to pay how much for this?).

Since the hardware of a VM is very predictable it is trivially easy to detect a VM, even leaving aside that modern CPUs have a direct status flag that says so.

@mpack what would be the CPU status flag which states the system is being virtualised? And where can I find out more about these details?
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Post by mpack »

Google for how to detect a VM. The easiest methods will be there, including the CPU flag.
jefazo92
Posts: 19
Joined: 3. Mar 2022, 16:00

Post by jefazo92 »

I've already googled it but the sources are very scarce and I only find info on some registry keys to be modified. Nothing about actual CPU flags until you mentioned it.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Post by mpack »

Sorry, but my time is limited. Certainly not enough to do your research for you. I know that I have done that search myself and had no problem finding a description of the CPU flag, detailed enough for me to implement in my own code. From memory it was an app note by VMware.

Edit: In fact here it is. https://kb.vmware.com/s/article/1009458.

Note however that this is far from being the only way, it is just one convenient method documented by VMware.