I am trying to make a sandbox in order to examine the behavior of malware. In order to provoke malware execution I need to make the VM undetectable by malware. I am using VirtualBox, and VirtualBox loads some kernel modules (vboxguest and vboxvideo) on a Linux guest machine. By searching for those modules, malware can find out that it is executed in a VM, and it won't show malicious behavior. I want to hide those modules (e.g. by renaming them or unloading them). For now I have managed to unload vboxguest.ko, but I can't unload vboxvideo.ko (ERROR: it is in use and can't be unloaded).
For now I have tried to compile that module on my own and to make an identical module but with a different name. I have blacklisted vboxvideo.ko, and I have set my module (mvideo.ko) to be loaded at boot time. When I reboot, my VM does not work (black screen). Apparently it needs the vboxvideo module to be loaded with that exact name. Also, I have these modules by default (I haven't installed Guest Additions). Later I tried installing and uninstalling Guest Additions, but that didn't help. You can see the output of the lsmod command:
Code:
lsmod | grep "vbox"
vboxvideo 32768 2
ttm 102400 1 vboxvideo
drm_kms_helper 180224 1 vboxvideo
drm 479232 5 drm_kms_helper,vboxvideo,ttm
vboxguest 335872 0
Best regards,
Igor Vurdelja
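Added example (not from the post above): a small POSIX sh helper that reads lsmod output in the format quoted in the post and explains what the "Used by" column means for rmmod. The count is the kernel's reference count, while the names are only the other modules holding it; a count higher than the number of listed modules means the module is pinned by non-module references (open device nodes, the framebuffer console), which is why renaming or blacklisting other modules does not make it removable. LSMOD_SAMPLE is the post's own lsmod output embedded as a constructed sample; module_hold_status is a name chosen here.

```shell
#!/bin/sh
# Constructed sample: the lsmod output quoted in the post (header line omitted).
LSMOD_SAMPLE='vboxvideo 32768 2
ttm 102400 1 vboxvideo
drm_kms_helper 180224 1 vboxvideo
drm 479232 5 drm_kms_helper,vboxvideo,ttm
vboxguest 335872 0'

# module_hold_status NAME [LSMOD_TEXT]
# Prints one line describing why NAME can or cannot be removed with rmmod,
# based on the "Used by" column of lsmod-formatted text (defaults to the
# sample above; pass "$(lsmod)" to inspect the running system).
module_hold_status() {
    name=$1
    text=${2:-$LSMOD_SAMPLE}
    line=$(printf '%s\n' "$text" | awk -v m="$name" '$1 == m')
    if [ -z "$line" ]; then
        echo "not loaded"
        return 0
    fi
    # Split the matched line into: module, size, refcount, comma-separated users.
    set -- $line
    count=$3
    users=${4:-}
    if [ "$count" -eq 0 ]; then
        echo "unloadable (refcount 0)"
        return 0
    fi
    if [ -n "$users" ]; then
        listed=$(printf '%s\n' "$users" | tr ',' '\n' | grep -c .)
    else
        listed=0
    fi
    # References not accounted for by listed modules come from userspace
    # (open /dev nodes, the console framebuffer), not from other modules.
    other=$((count - listed))
    if [ "$other" -eq 0 ]; then
        echo "held by modules $users"
    elif [ "$listed" -eq 0 ]; then
        echo "held by $other non-module references"
    else
        echo "held by modules $users and $other non-module references"
    fi
    return 0
}

for m in vboxvideo ttm drm_kms_helper drm vboxguest; do
    printf '%-16s %s\n' "$m" "$(module_hold_status "$m")"
done
```

On the posted output this reports vboxguest as unloadable and vboxvideo as held by two non-module references, matching the behavior described in the post.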