Hello, I hope I'm in the right section.
I have a physical FreeBSD machine with an OpenBSD virtual machine. I strongly suspect I've been hacked and I'm investigating thoroughly. This is because reinstallation is not enough since I think the attacker has a 0day on the kernel. However, my problem is that it could be a virtual rootkit on the kernel of the virtual machine. And I would like to ask where I can find the BIOS of the virtual machine and how to extract it with common Unix tools such as dd. I'm talking about dd because I imagine or believe that the firmware, i.e. the BIOS, is on the virtual machine file. My idea would be to extract it and take a look at it with a hexdump and then send it to VirusTotal.
VirtualBox version 6.1.50 r161033 on FreeBSD 14.1
Guest OpenBSD 7.6
Where is the virtual BIOS?
Re: Where is the virtual BIOS?
By default the firmware images used by VirtualBox are built into VBoxDD.so (one can also use custom images, but that needs tweaking the VM config, setting VBoxInternal/Devices/pcbios/0/Config/BiosRom, which would be easily visible in the .vbox file). Every VM start uses the authoritative firmware; it can't be changed from inside a VM.
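One way to check a VM definition for the override mentioned in the reply above (an added example, not part of the original posts and not VirtualBox's own tooling): it parses a .vbox file and lists every VBoxInternal/ extra-data item, including the BiosRom key. The sample XML, VM name and ROM path are constructed, and the ExtraDataItem name/value layout is an assumption about the .vbox XML format.

```python
import sys
import xml.etree.ElementTree as ET

# Key named in the reply above: a custom BIOS image is configured through it.
BIOS_ROM_KEY = "VBoxInternal/Devices/pcbios/0/Config/BiosRom"
INTERNAL_PREFIX = "VBoxInternal/"  # every VBoxInternal/ item is worth reviewing

# Constructed sample (not from a real VM): one GUI item, one firmware override.
SAMPLE_VBOX = """<VirtualBox xmlns="http://www.virtualbox.org/" version="1.16-freebsd">
  <Machine name="openbsd76" OSType="OpenBSD_64">
    <ExtraData>
      <ExtraDataItem name="GUI/LastCloseAction" value="PowerOff"/>
      <ExtraDataItem name="VBoxInternal/Devices/pcbios/0/Config/BiosRom" value="/tmp/custom-bios.rom"/>
    </ExtraData>
  </Machine>
</VirtualBox>"""


def audit_vbox(root):
    """Return the custom BIOS ROM path (or None) and every VBoxInternal/ item."""
    items = [
        (el.get("name", ""), el.get("value", ""))
        for el in root.iter()
        if el.tag.rsplit("}", 1)[-1] == "ExtraDataItem"  # ignore the XML namespace
    ]
    internal = [(n, v) for n, v in items if n.startswith(INTERNAL_PREFIX)]
    bios_rom = next((v for n, v in internal if n == BIOS_ROM_KEY), None)
    return {"bios_rom": bios_rom, "internal_overrides": internal}


def report(label, root):
    """Print the findings for one VM definition and return them."""
    result = audit_vbox(root)
    if result["bios_rom"] is not None:
        print(f"{label}: custom BIOS image configured: {result['bios_rom']}")
    else:
        print(f"{label}: no BiosRom override in this file")
    for name, value in result["internal_overrides"]:
        print(f"{label}: override {name} = {value}")
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:  # paths to .vbox files on the host
            report(path, ET.parse(path).getroot())
    else:
        report("constructed sample", ET.fromstring(SAMPLE_VBOX))
```

Run it on the host against the VM's .vbox file; a non-empty BiosRom value means the VM boots a custom image from that path rather than the built-in firmware.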