Extradata on Raw Hypervisor CPUID Leaves

Discussions related to using VirtualBox on Windows hosts.
Post Reply
TiTi87
Posts: 4
Joined: 25. Jul 2016, 15:58
Primary OS: MS Windows 7
VBox Version: OSE Debian
Guest OSses: Win7
Contact:

Extradata on Raw Hypervisor CPUID Leaves

Post by TiTi87 »

Hello,

I need to change the "hypervisor vendor" value seen by a Windows 7 guest on a VBox 5.0.26.
More exactly the value VboxVboxVbox from CPUID infos as Pafish gets it (github - a0rtega/pafish),
or as we can get with the VBoxManage command :
`--> VBoxManage debugvm 'test-VM' info cpuid
[...]
Raw Hypervisor CPUID Leaves
Leaf/sub-leaf eax ebx ecx edx
Gst: 40000000/0000 40000001 786f4256 786f4256 786f4256
Hst: 07280202 00000000 00000000 00000503
Gst: 40000001/0000 656e6f6e 00000000 00000000 00000000
Hst: 07280202 00000000 00000000 00000503

[...]
Where 786f4256 786f4256 786f4256 is xobVxobVxobV in hexadecimal (or VboxVboxVbox)

I was already able to change some CPUID values with these :
> vboxmanage setextradata "$vm" VBoxInternal/CPUM/HostCPUID/00000000/${register} 0x${value}
> vboxmanage setextradata "$vm" VBoxInternal/CPUM/HostCPUID/80000000/${register} 0x${value}
> vboxmanage setextradata "$vm" VBoxInternal/CPUM/HostCPUID/80000002/${register} 0x${value}
> vboxmanage setextradata "$vm" VBoxInternal/CPUM/HostCPUID/80000003/${register} 0x${value}
> vboxmanage setextradata "$vm" VBoxInternal/CPUM/HostCPUID/80000004/${register} 0x${value}

So I thougth that :
> vboxmanage setextradata "$vm" VBoxInternal/CPUM/HostCPUID/40000000/ebx 0xdeadbeef
> vboxmanage setextradata "$vm" VBoxInternal/CPUM/HostCPUID/40000000/ecx 0xdeadbeef
> vboxmanage setextradata "$vm" VBoxInternal/CPUM/HostCPUID/40000000/edx 0xdeadbeef
would do the trick, but no.

I'm stuck here, I'm pretty sure there is a way to set this register but can't find how.
Does someone have any idea ?

Thanks in advance.
klaus
Oracle Corporation
Posts: 1110
Joined: 10. May 2007, 14:57

Re: Extradata on Raw Hypervisor CPUID Leaves

Post by klaus »

You're staring at mechanisms which are much too low level, ignoring what's already there and documented.

Have a peek at the HyperV tweaks.
TiTi87
Posts: 4
Joined: 25. Jul 2016, 15:58
Primary OS: MS Windows 7
VBox Version: OSE Debian
Guest OSses: Win7
Contact:

Re: Extradata on Raw Hypervisor CPUID Leaves

Post by TiTi87 »

Hello,

Thanks for your answer.

option paravirtdebug is not available in version 5.0.26 :

Code: Select all

VBoxManage modifyvm test-VM --paravirtdebug "vendorid=customViD"
VBoxManage: error: Unknown option: --paravirtdebug
Just upgraded Vbox to 5.1.2 and run :

Code: Select all

VBoxManage modifyvm test-VM --paravirtdebug ""enabled=1"
wich should set the vendorId to 'Microsoft Hv'. But in the guest Machine, nothing change. Turned out that i was running paravirtualisation in "legacy" mod.
Change it for default paravirtualization : Hypervisor CPUID did change to "Microsoft HV".

At this point, I tried to change the value "Microsoft HV" to a custom one like 'AuthenticAMD' :

Code: Select all

VBoxManage modifyvm test-VM --paravirtdebug "enabled=1,vendorid='AuthenticAMD'"
It appears that it is not possible... as stated in hyperv-debug option :
"For debugging Microsoft Windows guests, it is required the hypervisor reports the Microsoft vendor."
I tried the others mod, just for fun :
  1. Hyper-V : VM doesn't start 'Unrecognized Hyper-V debug option 'vendorid' in 'enabled=1,vendorid=AuthenticAMD' (VERR_INVALID_PARAMETER).'
  • Default :VM doesn't start 'Unrecognized Hyper-V debug option 'vendorid' in 'enabled=1,vendorid=AuthenticAMD' (VERR_INVALID_PARAMETER).''
  • KVM : value KVMVMKVM despite of the debug option
  • Minimal : VBoxVboxVbox despite of the debug option
  • Legacy : VBoxVboxVbox despite of the debug option
  • None : VBoxVboxVbox despite of the debug option

Since 'Microsoft Hv' is a known value for cpuid-hypervisor, I'm still stuck here...
=> Any chance a futur update of VirtualBox unlock this behavior ?
=> is there any other way of doing this ? is set extradata a deadend ?

Thanks for your help.
michaln
Oracle Corporation
Posts: 2973
Joined: 19. Dec 2007, 15:45
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: Any and all
Contact:

Re: Extradata on Raw Hypervisor CPUID Leaves

Post by michaln »

TiTi87 wrote:=> Any chance a futur update of VirtualBox unlock this behavior ?
What exactly are you trying to achieve? And since when is "AuthenticAMD" a hypervisor interface?
=> is there any other way of doing this ? is set extradata a deadend ?
Yes, it's a dead end because the value will be overridden elsewhere.
klaus
Oracle Corporation
Posts: 1110
Joined: 10. May 2007, 14:57

Re: Extradata on Raw Hypervisor CPUID Leaves

Post by klaus »

Never told you to enable paravirt debugging :) just to change the vendor this way. When paravirt debugging is enabled one can't change the vendor.

Either way, what you wrote regarding "None" looks like a bug to me.
Ramshankar
Oracle Corporation
Posts: 793
Joined: 7. Jan 2008, 16:17

Re: Extradata on Raw Hypervisor CPUID Leaves

Post by Ramshankar »

I don't really understand what the original poster is attempting to do but there seems to be quite a lot of confusion going on here...

The VendorID setting that is documented as part of the Hyper-V debug options paravirtualization (PV) hypervisor specific. CPUID (EAX=0x40000000:0x40000001) are guaranteed to exist if the Hypervisor Present (HVP) bit is enabled in CPUID (EAX=0x00000001 returns ECX:bit 31 set) which is a requirement for Hyper-V PV interface.

This is not the same as the standard CPUID leaf (EAX:0) where EBX,ECX,EDX return the CPU vendor signature. This standard leaf will exist regardless of whether a PV interface is used for the VM.

Code: Select all

VBoxManage modifyvm test-VM --paravirtdebug "enabled=1,vendorid='AuthenticAMD'"
The above syntax is wrong! Don't use any quotes and remember the signature has a fixed 12 characters so if your specified string is shorter, it will be padded with 0's.
There is currently a bug in the manual, where it's documented as 'vendorid' when it should be 'vendor'

What you probably want is this:

Code: Select all

VBoxManage modifyvm test-VM --paravirtdebug "enabled=1,vendor=AuthenticAMD"
Although the above is syntactically correct it makes no sense as to why you would want to specify "AuthenticAMD" as the hypervisor vendor. It's not, which is why it's either "VBoxVBoxVBox" (which is the default) or to get Hyper-V paravirtualized debugging going, we need to pretend to be "Microsoft Hv" which is done automatically when you set "enabled=1". You don't need to manually specify the vendor ID again unless you want to override it for some strange reason...
TiTi87 wrote: Minimal : VBoxVboxVbox despite of the debug option
Legacy : VBoxVboxVbox despite of the debug option
None : VBoxVboxVbox despite of the debug option
Ignore "Legacy", as it gets translated into Hyper-V, KVM, Minimal or None anyway.

For Minimal, KVM and Hyper-V the HVP bit is required, and therefore by default the hypervisor vendor will be advertised as "VBoxVBoxVBox". For None, this should not be the case unless you deliberately modified the HVP bit to be enabled. Then the Hyper-V, KVM provider in VirtualBox can and does modify this leaf as it required which is why you see 'KVMKVMKVM' for the KVM PV option. If this is not true, please provide a VBox.log showing where you chose "None" and we reported "VBoxVBoxVBox" as the hypervisor vendor ID.

Anyway, I don't want to spend time explaining things any more in detail when I have no idea why you even need to play around with these signatures.
Oracle Corp.
TiTi87
Posts: 4
Joined: 25. Jul 2016, 15:58
Primary OS: MS Windows 7
VBox Version: OSE Debian
Guest OSses: Win7
Contact:

Re: Extradata on Raw Hypervisor CPUID Leaves

Post by TiTi87 »

First : thanks to all of you for every infos here ! It is really helpfull.
There is currently a bug in the manual, where it's documented as 'vendorid' when it should be 'vendor'
Ahah, funny... so I just tried, with the correct parameters :

Code: Select all

VBoxManage modifyvm test-VM --paravirtdebug "enabled=1,vendor=AuthenticAMD"
and it works exactly as I expected... thanks !
(note : works only with default para-virtualization mod, and debug do need to be enabled)

Now the reason why i'm trying such weird settings : i'm not trying to achieve some para-virtualization debug here.
In this particular case, I use Virtualbox with Cuckoo-Sandbox to perform malware analysis. And I'm want to hide from the host the facts that he "is" a sandbox.
So that sandbox aware malware would still detonate (in the sandbox) as they does in a "normal" environnement.
Pafish is just an opensource basic detection of sandbox environnement, close to malware way to do it.
So yes : I need to manually specify the vendor ID to override it for some strange reason... ^^

About "None", I agree VboxVboxVbox should not be specified, but it is, pleased fin attached a Vbox File.

I run :

Code: Select all

VBoxManage modifyvm test-VM --paravirtprovider none
Before sarting the VM

And still :

Code: Select all

00:00:00.923310   HVP - Hypervisor Present (we're a guest)                = 0 (0)
[...]
00:00:00.923371 Gst: 40000000/0000  40000001 786f4256 786f4256 786f4256
And 786f4256 786f4256 786f4256 is xobVxobVxobV in hexadecimal (or VboxVboxVbox) as stated before.

If you need a more verbose log, please specify the setting you need.

Thanks again for your help.
Attachments
test-VM_Vbox.log
Vbox.Log
(64.67 KiB) Downloaded 33 times
Ramshankar
Oracle Corporation
Posts: 793
Joined: 7. Jan 2008, 16:17

Re: Extradata on Raw Hypervisor CPUID Leaves

Post by Ramshankar »

TiTi87 wrote:Now the reason why i'm trying such weird settings : i'm not trying to achieve some para-virtualization debug here.
In this particular case, I use Virtualbox with Cuckoo-Sandbox to perform malware analysis. And I'm want to hide from the host the facts that he "is" a sandbox.
So that sandbox aware malware would still detonate (in the sandbox) as they does in a "normal" environnement.
Pafish is just an opensource basic detection of sandbox environnement, close to malware way to do it.
So yes : I need to manually specify the vendor ID to override it for some strange reason... ^^
Okay, now I can see what your reasons for trying to modify the signature are but just be aware that there are many ways of for software to detect whether its running in a virtualized environment (not just CPUID).

Anyway, thanks for the log files regarding "None" still planting the hypervisor leafs. We'll look into it.
Oracle Corp.
TiTi87
Posts: 4
Joined: 25. Jul 2016, 15:58
Primary OS: MS Windows 7
VBox Version: OSE Debian
Guest OSses: Win7
Contact:

Re: Extradata on Raw Hypervisor CPUID Leaves

Post by TiTi87 »

I am fully aware that there are many ways to detect virtualized environment. I just focus on this one now, because it seems to be interesting to understand and mitigate, and I couldn't find an explanation anywhere else.
Thanks for your help.
Post Reply