VM Hardening for analysis



  • Hello everyone,

    This is my first post here and I’m fairly new to RE and malware analysis.
    I am preparing my master’s thesis about creating a virtual lab for malware analysis and I have some doubts about getting on the right path.

    I have prepared a VM with virtualbox (i chose it because it’s free and I can save snapshots) with Win7 32bit and I’m trying to get it as stealthy as possible. So the first thing is not to install the VM Guest Additions.

    I have used to create that VM the python script nsmfoo-antivmdetection. That was a bumpy ride. However it finally worked ( I might write all the steps and workarounds as a little tutorial on the forum when I have some spare time)

    It makes the VM pass the pafish test all in green except rdtsc - which I read that is not a reliable method and few to none malware use it actually.

    When I run al-khaser test it is mostly good except for:

    • SMBIOS firmware
    • ACPI tables

    Should I worry much about these two? Are these methods commonly used?
    How can I get this two checks corrected?

    I tried creating a fresh VM with VBoxHardenedLoader but it’s been a pain. I lost a lot of time just to learn the hard way that win10 doesn’t fit well with it and I had to re-do everything on an old win7 x64 machine.
    Finally the VM passed al-khaser test except a couple of checks.

    Would you recommend any other tool to make the VM stealthier?



  • @joscandreu I would probably as the app.any.run team, they might give you some insight if you ask them (they have FUD as of now). Also in my experience, the steps you have completed have always been enough for me, without having to patch binaries to bypass checks.



  • Hey @joscandreu welcome to Malware Analysis Forums! You may find these additional utilities useful:

    https://github.com/LordNoteworthy/al-khaser

    https://github.com/secrary/makin

    The first one can be used in additional to pafish and the second one can be used on specific samples.

    Your tutorial would be greatly appreciated when you have time.

    Personally, I think you should mostly be good with what you have already done but it really depends on what you are trying to accomplish.

    You could get a Hypervisor server off eBay or something for pretty cheap, or even a cheap box like a Intel NUC and use that as a physical analysis machine. Just make sure you snapshot the drive first and have another drive on standby. Then you won’t have to worry about anti-VM stuff at all. But again, it depends entirely on your requirements. For me, I don’t worry too much about Anti-VM because I know enough to detect when a sample is trying to avoid the VM and I can use some code analysis, patch it, or even do static analysis to get the info I need.

    The thing is, I’m not sure if it is even possible to 100% harden a VM anyway. There are always some checks that could be performed to detect the VM which is why some folks are using a hypervisor instead since it is completely abstracted from the OS and doesn’t leave as many tells. For example, some VMs have unique CPU instructions in addition to the regular x86 ones and the malware can try and run one of them and if it doesn’t trigger an exception, they know it’s a VM.



  • @ziran Thanks for the feedback.

    @moveax41h Thanks for all the explanations. I already tried al-khaser and it’s much more challenging than pafish. After posting here I resolved another check with al-khaser, now I’m only left with 1 which is the ACPI tables…
    makin looks good. I forked the project a couple of weeks ago and I started coding to add another dll (advapi32) to enable VM detection through registry keys. However I got some issues that I still haven’t resolved. I think I’ll have to contact secrary. If I make it ever work I’ll submit a PR and see if it gets accepted.

    Getting a dedicated server or a machine is a little out of scope for the thesis but I might give it a try on an old laptop just for fun. VMWare ESXi has a reasonably usable free version, right?




Log in to reply