Changing VM features for malware analysis

Discussions about using Windows guests in VirtualBox.
jano
Posts: 1
Joined: 14. Mar 2013, 12:01

Changing VM features for malware analysis

Post by jano »

Hello all,

I am trying to change my Windows XP SP3 VM's features for malware analysis, so that it is not detected by malware, but even after making and checking the changes, the Windows box does not seem to pick them up.

The changes I have made are the following ones:

VBoxManage setextradata "Analysis" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion"       "Version 1.16"
VBoxManage setextradata "Analysis" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor"        "FUJITSU // Phoenix Technologies Ltd."
VBoxManage setextradata "Analysis" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate"   "12/09/2011"
VBoxManage setextradata "Analysis" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor"      "FUJITSU"
VBoxManage setextradata "Analysis" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor"      "LIFEBOOK S751"
VBoxManage setextradata "Analysis" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion"     "10601409485"
VBoxManage setextradata "Analysis" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial"      "DSBW057252"
VBoxManage setextradata "Analysis"  "VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid"     "C0EC81E9-6729-11E1-8B14-502690982710"
VBoxManage setextradata "Analysis" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVendor" "FUJITSU"
VBoxManage setextradata "Analysis" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardProduct" "FJNB223"
VBoxManage setextradata "Analysis" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVersion" "H3"
VBoxManage setextradata "Analysis" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardSerial"  "H1 7X5C"
Running VBoxManage getextradata "Analysis" enumerate, I get the following info:

Key: GUI/LastCloseAction, Value: powerOff,discardCurState
Key: GUI/LastGuestSizeHint, Value: 1152,864
Key: GUI/LastNormalWindowPosition, Value: 1,44,1918,1029,max
Key: GUI/MiniToolBarAlignment, Value: bottom
Key: GUI/SaveMountedAtRuntime, Value: yes
Key: GUI/ShowMiniToolBar, Value: yes
Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate, Value: 12/09/2011
Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor, Value: FUJITSU // Phoenix Technologies Ltd.
Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion, Value: Version 1.16
Key: VBoxInternal/Devices/pcbios/0/Config/DmiBoardProduct, Value: FJNB223
Key: VBoxInternal/Devices/pcbios/0/Config/DmiBoardSerial, Value: H1 7X5C
Key: VBoxInternal/Devices/pcbios/0/Config/DmiBoardVendor, Value: FUJITSU
Key: VBoxInternal/Devices/pcbios/0/Config/DmiBoardVersion, Value: H3
Key: VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial, Value: DSBW057252
Key: VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid, Value: C0EC81E9-6729-11E1-8B14-502690982710
Key: VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor, Value: LIFEBOOK S751
Key: VBoxInternal/TM/TSCTiedToExecution, Value: 1
The software I use to check the changes in the Windows box is called Pafish.

All these updates were made with the system shut down and with no snapshots, but nothing: the registry does not seem to update.

If any more information is needed, do not hesitate to contact me.

Thanks for your time,
PaulCooper
Posts: 1
Joined: 15. May 2009, 15:59
Primary OS: Ubuntu 8.10
VBox Version: OSE Debian
Guest OSses: just about any o/s i get my hands on to test with

Re: Changing VM features for malware analysis

Post by PaulCooper »

The thing about 3rd party software and snapshots of VirtualBox or any virtual software is: the software sees one huge file... it cannot (in most cases) enter into that file to do things like "diffs" or differentials, so you cannot do incrementals either. It is better to do individual backups.
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Mostly XP

Re: Changing VM features for malware analysis

Post by mpack »

I'm afraid that VirtualBox has no control over at what point a Windows guest grabs DMI info and stores it in the registry. You would have to ask Microsoft for clarification about that. Other users have used direct software, i.e. dmidecode, to verify that the BIOS/DMI data is indeed being changed by VirtualBox.
karthick Ranga
Posts: 1
Joined: 13. May 2015, 14:49

Re: Changing VM features for malware analysis

Post by karthick Ranga »

Hi,
you have made some mistakes. Use the following commands and try it.

VBoxManage setextradata "winxp" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion" "string:10601409485"
VBoxManage setextradata "winxp" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardSerial" "string:H1 7X5C"

run and check it.
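As an added example (not code from the thread), a small bash helper that applies the points raised in the first post and in karthick Ranga's reply: a DMI value made only of digits needs VirtualBox's documented "string:" prefix, and the enumerate output should be checked for keys that never got set (in the first post DmiSystemVendor is written twice and DmiSystemVersion never appears). VBoxManage is not invoked; the commands are printed, and the sample enumerate output is the one posted above.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): build VBoxManage DMI overrides with the
# documented "string:" prefix and check "getextradata enumerate" output for keys
# that never got set. Uses the VBoxManage syntax shown in the posts above.
set -e

DMI_PREFIX="VBoxInternal/Devices/pcbios/0/Config"

# A value made only of digits is read as an integer by VirtualBox; a DMI string
# that looks numeric must therefore be written as "string:<digits>".
dmi_value() {
    case "$1" in
        ''|*[!0-9]*) printf '%s' "$1" ;;          # already a string
        *)           printf 'string:%s' "$1" ;;   # digits only: add prefix
    esac
}

# Print (do not run) the setextradata command for one key: dmi_cmd VM KEY VALUE
dmi_cmd() {
    printf 'VBoxManage setextradata "%s" "%s/%s" "%s"\n' \
        "$1" "$DMI_PREFIX" "$2" "$(dmi_value "$3")"
}

# Given the text of "VBoxManage getextradata VM enumerate", print every DMI key
# that is absent. Pasting the same key twice (as with DmiSystemVendor above)
# leaves its sibling unset, which this report makes visible.
dmi_missing() {
    for k in DmiBIOSVendor DmiBIOSVersion DmiBIOSReleaseDate \
             DmiSystemVendor DmiSystemProduct DmiSystemVersion \
             DmiSystemSerial DmiSystemUuid \
             DmiBoardVendor DmiBoardProduct DmiBoardVersion DmiBoardSerial; do
        printf '%s\n' "$1" | grep -q "^Key: $DMI_PREFIX/$k, " || echo "$k"
    done
}

# Constructed sample: the DMI lines of the enumerate output posted above.
SAMPLE_ENUMERATE='Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate, Value: 12/09/2011
Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor, Value: FUJITSU // Phoenix Technologies Ltd.
Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion, Value: Version 1.16
Key: VBoxInternal/Devices/pcbios/0/Config/DmiBoardProduct, Value: FJNB223
Key: VBoxInternal/Devices/pcbios/0/Config/DmiBoardSerial, Value: H1 7X5C
Key: VBoxInternal/Devices/pcbios/0/Config/DmiBoardVendor, Value: FUJITSU
Key: VBoxInternal/Devices/pcbios/0/Config/DmiBoardVersion, Value: H3
Key: VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial, Value: DSBW057252
Key: VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid, Value: C0EC81E9-6729-11E1-8B14-502690982710
Key: VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor, Value: LIFEBOOK S751'

dmi_cmd "Analysis" DmiSystemVersion "10601409485"   # digits only: gets string: prefix
dmi_cmd "Analysis" DmiSystemProduct "LIFEBOOK S751" # plain string, left unchanged
dmi_missing "$SAMPLE_ENUMERATE"                     # DmiSystemProduct, DmiSystemVersion
```

Run the printed commands with the VM powered off, then re-run enumerate and feed it to dmi_missing until nothing is reported.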