This is my first post here and I’m fairly new to RE and malware analysis.
I am preparing my master’s thesis about creating a virtual lab for malware analysis and I have some doubts about getting on the right path.
I have prepared a VM with VirtualBox (I chose it because it's free and I can save snapshots) with Win7 32-bit and I'm trying to get it as stealthy as possible. So the first thing is not to install the VM Guest Additions.
To create that VM I used the Python script nsmfoo-antivmdetection. That was a bumpy ride. However, it finally worked (I might write up all the steps and workarounds as a little tutorial on the forum when I have some spare time).
It makes the VM pass the pafish test all in green except rdtsc, which I read is not a reliable method and that few to no malware samples actually use it.
When I run al-khaser test it is mostly good except for:
- SMBIOS firmware
- ACPI tables
Should I worry much about these two? Are these methods commonly used?
How can I get these two checks corrected?
I tried creating a fresh VM with VBoxHardenedLoader but it's been a pain. I lost a lot of time just to learn the hard way that Win10 doesn't fit well with it, and I had to re-do everything on an old Win7 x64 machine.
Finally the VM passed al-khaser test except a couple of checks.
Would you recommend any other tool to make the VM stealthier?