Extradata on Raw Hypervisor CPUID Leaves
- Posts: 4
- Joined: 25. Jul 2016, 15:58
- Primary OS: MS Windows 7
- VBox Version: OSE Debian
- Guest OSses: Win7
Extradata on Raw Hypervisor CPUID Leaves
Hello,
I need to change the "hypervisor vendor" value seen by a Windows 7 guest on a VBox 5.0.26.
More exactly the value VboxVboxVbox from the CPUID info as Pafish gets it (github - a0rtega/pafish),
or as we can get with the VBoxManage command :
--> VBoxManage debugvm 'test-VM' info cpuid
[...]
Raw Hypervisor CPUID Leaves
Leaf/sub-leaf eax ebx ecx edx
Gst: 40000000/0000 40000001 786f4256 786f4256 786f4256
Hst: 07280202 00000000 00000000 00000503
Gst: 40000001/0000 656e6f6e 00000000 00000000 00000000
Hst: 07280202 00000000 00000000 00000503
[...]
Where 786f4256 786f4256 786f4256 is xobVxobVxobV in hexadecimal (or VboxVboxVbox)
I was already able to change some CPUID values with these :
> vboxmanage setextradata "$vm" VBoxInternal/CPUM/HostCPUID/00000000/${register} 0x${value}
> vboxmanage setextradata "$vm" VBoxInternal/CPUM/HostCPUID/80000000/${register} 0x${value}
> vboxmanage setextradata "$vm" VBoxInternal/CPUM/HostCPUID/80000002/${register} 0x${value}
> vboxmanage setextradata "$vm" VBoxInternal/CPUM/HostCPUID/80000003/${register} 0x${value}
> vboxmanage setextradata "$vm" VBoxInternal/CPUM/HostCPUID/80000004/${register} 0x${value}
So I thought that :
> vboxmanage setextradata "$vm" VBoxInternal/CPUM/HostCPUID/40000000/ebx 0xdeadbeef
> vboxmanage setextradata "$vm" VBoxInternal/CPUM/HostCPUID/40000000/ecx 0xdeadbeef
> vboxmanage setextradata "$vm" VBoxInternal/CPUM/HostCPUID/40000000/edx 0xdeadbeef
would do the trick, but no.
I'm stuck here, I'm pretty sure there is a way to set this register but can't find how.
Does someone have any idea?
Thanks in advance.
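The "786f4256 786f4256 786f4256 is VboxVboxVbox" step above is easy to get backwards, so here is the conversion written out. This is an added example, not code from the thread, from Pafish or from VirtualBox. It assumes only two things: the `Gst:` row layout exactly as `VBoxManage debugvm <vm> info cpuid` prints it in the post (leaf/sub-leaf, then eax ebx ecx edx), and the CPUID convention that each register holds four ASCII bytes little-endian, with the hypervisor vendor string being EBX, then ECX, then EDX. It decodes the posted row, and also does the reverse, turning a 12-character vendor string into the three register values (with the NUL padding a shorter string gets), which is what the `0xdeadbeef` values would have needed to be to read as text at all.

```python
"""Convert between the raw register values VirtualBox prints for the
hypervisor CPUID leaf (EAX=0x40000000) and the 12-character vendor
signature a guest (or Pafish) reads from them.

Each 32-bit register carries four ASCII bytes in little-endian order, so
0x786f4256 is the bytes 56 42 6f 78, i.e. "VBox".  The signature is EBX,
then ECX, then EDX.  Nothing here talks to VirtualBox.
"""
import struct


def reg_to_text(value: int) -> str:
    """0x786f4256 -> 'VBox' (four little-endian bytes, NULs preserved)."""
    return struct.pack("<I", value & 0xFFFFFFFF).decode("latin-1")


def text_to_reg(chunk: str) -> int:
    """'VBox' -> 0x786f4256; chunks shorter than four bytes are NUL-padded."""
    raw = chunk.encode("ascii").ljust(4, b"\0")
    if len(raw) != 4:
        raise ValueError("a register holds exactly four bytes")
    return struct.unpack("<I", raw)[0]


def parse_gst_line(line: str) -> dict:
    """Parse one 'Gst:' row of `VBoxManage debugvm <vm> info cpuid`, e.g.
    'Gst: 40000000/0000 40000001 786f4256 786f4256 786f4256'."""
    fields = line.split()
    if len(fields) < 6 or fields[0] != "Gst:":
        raise ValueError(f"not a Gst: row: {line!r}")
    leaf, subleaf = (int(x, 16) for x in fields[1].split("/"))
    eax, ebx, ecx, edx = (int(x, 16) for x in fields[2:6])
    return {"leaf": leaf, "subleaf": subleaf,
            "eax": eax, "ebx": ebx, "ecx": ecx, "edx": edx}


def hv_signature(regs: dict) -> str:
    """Hypervisor vendor string: EBX, ECX, EDX.  (The CPU vendor string in
    leaf 0 uses EBX, EDX, ECX instead; the two are easily mixed up.)"""
    return "".join(reg_to_text(regs[r]) for r in ("ebx", "ecx", "edx"))


def signature_to_regs(vendor: str) -> dict:
    """Inverse: up to 12 characters -> the three register values.  Shorter
    strings are NUL-padded to 12, as the thread says VirtualBox does."""
    if len(vendor) > 12:
        raise ValueError("hypervisor vendor signature is at most 12 characters")
    padded = vendor.ljust(12, "\0")
    return {"ebx": text_to_reg(padded[0:4]),
            "ecx": text_to_reg(padded[4:8]),
            "edx": text_to_reg(padded[8:12])}


if __name__ == "__main__":
    row = parse_gst_line("Gst: 40000000/0000 40000001 786f4256 786f4256 786f4256")
    print(hv_signature(row))  # VBoxVBoxVBox
    print({k: f"0x{v:08x}" for k, v in signature_to_regs("Microsoft Hv").items()})
    # The 0xdeadbeef experiment: those bytes are not ASCII, so even if the
    # extradata had taken effect the guest would have read garbage, not a vendor.
    print(repr(reg_to_text(0xDEADBEEF)))
```

Run it on any `Gst:` row copied out of the dump; leaf 0x40000001 EAX from the same dump (656e6f6e) decodes the same way.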
Re: Extradata on Raw Hypervisor CPUID Leaves
You're staring at mechanisms which are much too low level, ignoring what's already there and documented.
Have a peek at the HyperV tweaks.
- Posts: 4
- Joined: 25. Jul 2016, 15:58
- Primary OS: MS Windows 7
- VBox Version: OSE Debian
- Guest OSses: Win7
Re: Extradata on Raw Hypervisor CPUID Leaves
Hello,
Thanks for your answer.
option paravirtdebug is not available in version 5.0.26 :
Code: Select all
VBoxManage modifyvm test-VM --paravirtdebug "vendorid=customViD"
VBoxManage: error: Unknown option: --paravirtdebug
Just upgraded Vbox to 5.1.2 and ran :
Code: Select all
VBoxManage modifyvm test-VM --paravirtdebug "enabled=1"
which should set the vendorId to 'Microsoft Hv'. But in the guest machine, nothing changed. Turned out that I was running paravirtualisation in "legacy" mode.
Changed it to default paravirtualization : Hypervisor CPUID did change to "Microsoft HV".
At this point, I tried to change the value "Microsoft HV" to a custom one like 'AuthenticAMD' :
Code: Select all
VBoxManage modifyvm test-VM --paravirtdebug "enabled=1,vendorid='AuthenticAMD'"
It appears that it is not possible... as stated in the hyperv-debug option : "For debugging Microsoft Windows guests, it is required the hypervisor reports the Microsoft vendor."
I tried the other modes, just for fun :
- Hyper-V : VM doesn't start 'Unrecognized Hyper-V debug option 'vendorid' in 'enabled=1,vendorid=AuthenticAMD' (VERR_INVALID_PARAMETER).'
- Default : VM doesn't start 'Unrecognized Hyper-V debug option 'vendorid' in 'enabled=1,vendorid=AuthenticAMD' (VERR_INVALID_PARAMETER).'
- KVM : value KVMVMKVM despite the debug option
- Minimal : VBoxVboxVbox despite the debug option
- Legacy : VBoxVboxVbox despite the debug option
- None : VBoxVboxVbox despite the debug option
Since 'Microsoft Hv' is a known value for cpuid-hypervisor, I'm still stuck here...
=> Any chance a future update of VirtualBox unlocks this behavior ?
=> is there any other way of doing this ? is set extradata a dead end ?
Thanks for your help.
- Oracle Corporation
- Posts: 2973
- Joined: 19. Dec 2007, 15:45
- Primary OS: MS Windows 7
- VBox Version: PUEL
- Guest OSses: Any and all
Re: Extradata on Raw Hypervisor CPUID Leaves
TiTi87 wrote: => Any chance a future update of VirtualBox unlocks this behavior ?
What exactly are you trying to achieve? And since when is "AuthenticAMD" a hypervisor interface?
TiTi87 wrote: => is there any other way of doing this ? is set extradata a dead end ?
Yes, it's a dead end because the value will be overridden elsewhere.
Re: Extradata on Raw Hypervisor CPUID Leaves
Never told you to enable paravirt debugging just to change the vendor this way. When paravirt debugging is enabled one can't change the vendor.
Either way, what you wrote regarding "None" looks like a bug to me.
- Oracle Corporation
- Posts: 793
- Joined: 7. Jan 2008, 16:17
Re: Extradata on Raw Hypervisor CPUID Leaves
I don't really understand what the original poster is attempting to do, but there seems to be quite a lot of confusion going on here...
The VendorID setting that is documented as part of the Hyper-V debug options is paravirtualization (PV) hypervisor specific. The CPUID leaves (EAX=0x40000000:0x40000001) are guaranteed to exist if the Hypervisor Present (HVP) bit is enabled in CPUID (EAX=0x00000001 returns ECX bit 31 set), which is a requirement for the Hyper-V PV interface.
This is not the same as the standard CPUID leaf (EAX=0) where EBX, ECX, EDX return the CPU vendor signature. This standard leaf will exist regardless of whether a PV interface is used for the VM.
TiTi87 wrote:
Code: Select all
VBoxManage modifyvm test-VM --paravirtdebug "enabled=1,vendorid='AuthenticAMD'"
The above syntax is wrong! Don't use any quotes, and remember the signature has a fixed 12 characters, so if your specified string is shorter it will be padded with 0's.
There is currently a bug in the manual, where it's documented as 'vendorid' when it should be 'vendor'.
What you probably want is this:
Code: Select all
VBoxManage modifyvm test-VM --paravirtdebug "enabled=1,vendor=AuthenticAMD"
Although the above is syntactically correct, it makes no sense as to why you would want to specify "AuthenticAMD" as the hypervisor vendor. It's not, which is why it's either "VBoxVBoxVBox" (which is the default) or, to get Hyper-V paravirtualized debugging going, we need to pretend to be "Microsoft Hv", which is done automatically when you set "enabled=1". You don't need to manually specify the vendor ID again unless you want to override it for some strange reason...
TiTi87 wrote: Minimal : VBoxVboxVbox despite the debug option
Legacy : VBoxVboxVbox despite the debug option
None : VBoxVboxVbox despite the debug option
Ignore "Legacy", as it gets translated into Hyper-V, KVM, Minimal or None anyway.
For Minimal, KVM and Hyper-V the HVP bit is required, and therefore by default the hypervisor vendor will be advertised as "VBoxVBoxVBox". For None, this should not be the case unless you deliberately modified the HVP bit to be enabled. Then the Hyper-V or KVM provider in VirtualBox can and does modify this leaf as it requires, which is why you see 'KVMKVMKVM' for the KVM PV option. If this is not true, please provide a VBox.log showing where you chose "None" and we reported "VBoxVBoxVBox" as the hypervisor vendor ID.
Anyway, I don't want to spend time explaining things in any more detail when I have no idea why you even need to play around with these signatures.
Oracle Corp.
- Posts: 4
- Joined: 25. Jul 2016, 15:58
- Primary OS: MS Windows 7
- VBox Version: OSE Debian
- Guest OSses: Win7
Re: Extradata on Raw Hypervisor CPUID Leaves
First : thanks to all of you for every bit of info here ! It is really helpful.
Quote: There is currently a bug in the manual, where it's documented as 'vendorid' when it should be 'vendor'
Ahah, funny... so I just tried, with the correct parameters :
Code: Select all
VBoxManage modifyvm test-VM --paravirtdebug "enabled=1,vendor=AuthenticAMD"
and it works exactly as I expected... thanks !
(note : works only with the default para-virtualization mode, and debug does need to be enabled)
Now the reason why I'm trying such weird settings : I'm not trying to achieve some para-virtualization debug here.
In this particular case, I use Virtualbox with Cuckoo-Sandbox to perform malware analysis. And I want to hide from the host the fact that it "is" a sandbox.
So that sandbox-aware malware would still detonate (in the sandbox) as it does in a "normal" environment.
Pafish is just an open-source basic detection of sandbox environments, close to the way malware does it.
So yes : I need to manually specify the vendor ID to override it for some strange reason... ^^
About "None", I agree VboxVboxVbox should not be specified, but it is, please find attached a Vbox file.
I run :
Code: Select all
VBoxManage modifyvm test-VM --paravirtprovider none
before starting the VM
And still :
Code: Select all
00:00:00.923310 HVP - Hypervisor Present (we're a guest) = 0 (0)
[...]
00:00:00.923371 Gst: 40000000/0000 40000001 786f4256 786f4256 786f4256
And 786f4256 786f4256 786f4256 is xobVxobVxobV in hexadecimal (or VboxVboxVbox) as stated before.
If you need a more verbose log, please specify the setting you need.
Thanks again for your help.
- Attachments
- test-VM_Vbox.log (Vbox.Log, 64.67 KiB)
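The Oracle reply above separates three things a guest-side check can look at: the HVP bit (leaf 1, ECX bit 31), the hypervisor vendor leaf 0x40000000 (EBX, ECX, EDX), and the unrelated CPU vendor string in leaf 0 (which is EBX, EDX, ECX, a different register order). The two VBox.log lines posted here show HVP clear yet the hypervisor leaf still populated. The following is an added example, not code from the thread or from VirtualBox: it parses `Gst:` rows and the `HVP - Hypervisor Present` line from either `VBoxManage debugvm <vm> info cpuid` output or VBox.log, decodes the three signals, and reports what a Pafish-style check would trip on. The regexes are modeled on the lines in the post; the leaf 0 and leaf 1 rows in the sample, the second "after `vendor=AuthenticAMD`" sample, and the VMware/Xen entries in the signature table are constructed here and are not from the thread.

```python
"""Audit a VirtualBox CPUID dump (VBox.log lines or `VBoxManage debugvm
<vm> info cpuid` output) for the hypervisor-presence signals a guest can
read: the HVP bit (leaf 1, ECX bit 31), the hypervisor vendor in leaf
0x40000000 (EBX/ECX/EDX) and, for contrast, the CPU vendor in leaf 0
(EBX/EDX/ECX, note the different order).
"""
import re
import struct

# One 'Gst:' row: leaf/subleaf then eax ebx ecx edx, as printed in the thread.
GST_RE = re.compile(
    r"Gst:\s+([0-9a-fA-F]{8})/([0-9a-fA-F]{4})"
    r"\s+([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})")
# The CPUM feature line from VBox.log: "... = <guest> (<host>)".
HVP_RE = re.compile(r"HVP - Hypervisor Present \(we're a guest\)\s*=\s*(\d)\s*\((\d)\)")

# Signatures a detector compares against (KVM's is NUL-padded to 12 bytes).
# VirtualBox/KVM/Hyper-V are from the thread; VMware/Xen added here.
KNOWN_HV = {"VBoxVBoxVBox": "VirtualBox", "KVMKVMKVM": "KVM",
            "Microsoft Hv": "Hyper-V", "VMwareVMware": "VMware",
            "XenVMMXenVMM": "Xen"}


def reg_to_text(value):
    """Four little-endian ASCII bytes -> str (NULs kept)."""
    return struct.pack("<I", value & 0xFFFFFFFF).decode("latin-1")


def parse_dump(text):
    """Return ({(leaf, subleaf): (eax, ebx, ecx, edx)}, (guest, host) HVP or None)."""
    leaves, hvp_line = {}, None
    for line in text.splitlines():
        m = GST_RE.search(line)
        if m:
            key = (int(m.group(1), 16), int(m.group(2), 16))
            leaves[key] = tuple(int(x, 16) for x in m.group(3, 4, 5, 6))
            continue
        m = HVP_RE.search(line)
        if m:
            hvp_line = (int(m.group(1)), int(m.group(2)))
    return leaves, hvp_line


def audit(text):
    """Decode the three signals and list what a guest-side check would see."""
    leaves, hvp_line = parse_dump(text)
    out = {"cpu_vendor": None, "hvp_bit": None, "hvp_log": hvp_line,
           "hv_vendor": None, "findings": []}
    if (0, 0) in leaves:                      # CPU vendor: EBX, EDX, ECX
        _, ebx, ecx, edx = leaves[(0, 0)]
        out["cpu_vendor"] = reg_to_text(ebx) + reg_to_text(edx) + reg_to_text(ecx)
    if (1, 0) in leaves:                      # HVP is ECX bit 31 of leaf 1
        out["hvp_bit"] = bool(leaves[(1, 0)][2] >> 31 & 1)
    if (0x40000000, 0) in leaves:             # hypervisor vendor: EBX, ECX, EDX
        _, ebx, ecx, edx = leaves[(0x40000000, 0)]
        out["hv_vendor"] = (reg_to_text(ebx) + reg_to_text(ecx)
                            + reg_to_text(edx)).rstrip("\0")
    # Prefer the leaf-1 bit; fall back to the guest value on the log line.
    hvp = out["hvp_bit"]
    if hvp is None and hvp_line is not None:
        hvp = hvp_line[0] == 1
    if hvp:
        out["findings"].append("hvp-set")
    if out["hv_vendor"] in KNOWN_HV:
        out["findings"].append("known-hypervisor-signature: " + KNOWN_HV[out["hv_vendor"]])
    if hvp is False and out["hv_vendor"] is not None:
        # The --paravirtprovider none case reported in the thread.
        out["findings"].append("hvp-clear-but-hv-leaf-populated")
    return out


# Constructed sample: the two VBox.log lines from the post plus a leaf-0 row
# (GenuineIntel) and a leaf-1 row with ECX bit 31 clear, both made up here.
SAMPLE_NONE = """\
00:00:00.923310 HVP - Hypervisor Present (we're a guest) = 0 (0)
00:00:00.923360 Gst: 00000000/0000 0000000d 756e6547 6c65746e 49656e69
00:00:00.923365 Gst: 00000001/0000 000306a9 00010800 7fbae3ff bfebfbff
00:00:00.923371 Gst: 40000000/0000 40000001 786f4256 786f4256 786f4256
"""

# Constructed sample of what the dump would look like after
# --paravirtdebug enabled=1,vendor=AuthenticAMD: HVP set, custom signature.
SAMPLE_CUSTOM = """\
Gst: 00000001/0000 000306a9 00010800 ffbae3ff bfebfbff
Gst: 40000000/0000 40000001 68747541 69746e65 444d4163
"""

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NONE
    print(audit(text))
```

Feed it the real dump with `VBoxManage debugvm test-VM info cpuid | python3 cpuid_audit.py` (the file name is whatever you save it as). On the posted "None" log it reports both the VirtualBox signature and the HVP/leaf inconsistency; on the custom-vendor sample the signature no longer matches anything, but `hvp-set` remains, which is the "many ways to detect" point the Oracle reply makes.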
- Oracle Corporation
- Posts: 793
- Joined: 7. Jan 2008, 16:17
Re: Extradata on Raw Hypervisor CPUID Leaves
TiTi87 wrote: Now the reason why I'm trying such weird settings : I'm not trying to achieve some para-virtualization debug here.
In this particular case, I use Virtualbox with Cuckoo-Sandbox to perform malware analysis. And I want to hide from the host the fact that it "is" a sandbox.
So that sandbox-aware malware would still detonate (in the sandbox) as it does in a "normal" environment.
Pafish is just an open-source basic detection of sandbox environments, close to the way malware does it.
So yes : I need to manually specify the vendor ID to override it for some strange reason... ^^
Okay, now I can see what your reasons for trying to modify the signature are, but just be aware that there are many ways for software to detect whether it's running in a virtualized environment (not just CPUID).
Anyway, thanks for the log files regarding "None" still planting the hypervisor leaves. We'll look into it.
Oracle Corp.
- Posts: 4
- Joined: 25. Jul 2016, 15:58
- Primary OS: MS Windows 7
- VBox Version: OSE Debian
- Guest OSses: Win7
Re: Extradata on Raw Hypervisor CPUID Leaves
I am fully aware that there are many ways to detect virtualized environment. I just focus on this one now, because it seems to be interesting to understand and mitigate, and I couldn't find an explanation anywhere else.
Thanks for your help.