“VBoxCloak” – Hiding VirtualBox from Malware

Many malware families still use simple evasion techniques to detect virtual machine environments and malware analysis sandboxes. These checks enumerate things on the host such as processes, certain files and directories, specific drivers and hardware configurations, and registry keys that may give away the presence of a hypervisor. If a virtual machine is detected, the malware may kill itself or perform other evasive actions.

Did you know that many of these simple checks can be completely bypassed by slightly modifying the analysis environment before running the malware? I wrote a quick PowerShell script to make these modifications quickly and automagically. Note: This script only supports VirtualBox so far, but will support VMware in the near future.

The script is very simple. Give it one of several parameters and it will get to work cleaning up your Windows VirtualBox VM and priming it for malware analysis. The changes it makes are as follows:

  • Renames several registry keys that malware typically uses for VirtualBox detection.
  • Kills VirtualBox processes (VBoxService and VBoxTray).
  • Deletes VirtualBox driver files.
  • Deletes or renames VirtualBox supporting files in the System32 directory.
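As an added example (not VBoxCloak's own code), here is a small PowerShell audit that checks a Windows guest for the four artifact classes listed above and reports what is still visible, so you can compare the VM before and after cloaking. The specific process, registry key and file names are well-known VirtualBox Guest Additions names assumed for illustration, not taken from the script.

```powershell
# Added example, not part of VBoxCloak: report which VirtualBox artifacts
# are still visible in this guest. The artifact names below are assumed
# well-known Guest Additions names; adjust them for your VirtualBox version.

$sys32 = Join-Path $env:SystemRoot 'System32'

$processes = @('VBoxService', 'VBoxTray')

$registryKeys = @(
    'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions',
    'HKLM:\SYSTEM\CurrentControlSet\Services\VBoxGuest',
    'HKLM:\SYSTEM\CurrentControlSet\Services\VBoxMouse',
    'HKLM:\SYSTEM\CurrentControlSet\Services\VBoxSF',
    'HKLM:\SYSTEM\CurrentControlSet\Services\VBoxVideo',
    'HKLM:\HARDWARE\ACPI\DSDT\VBOX__'
)

$driverFiles = @('VBoxGuest.sys', 'VBoxMouse.sys', 'VBoxSF.sys', 'VBoxVideo.sys') |
    ForEach-Object { Join-Path $sys32 "drivers\$_" }

$supportFiles = @('VBoxService.exe', 'VBoxTray.exe', 'VBoxHook.dll', 'VBoxMRXNP.dll') |
    ForEach-Object { Join-Path $sys32 $_ }

$findings = @()

# 1. Guest Additions processes that are still running
foreach ($name in $processes) {
    if (Get-Process -Name $name -ErrorAction SilentlyContinue) {
        $findings += [pscustomobject]@{ Type = 'Process'; Item = $name }
    }
}

# 2. Registry keys that still carry the VirtualBox name
foreach ($key in $registryKeys) {
    if (Test-Path -LiteralPath $key) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Item = $key }
    }
}

# 3./4. Driver files and supporting files still present on disk
foreach ($file in ($driverFiles + $supportFiles)) {
    if (Test-Path -LiteralPath $file) {
        $findings += [pscustomobject]@{ Type = 'File'; Item = $file }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the listed VirtualBox artifacts were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt inside the guest; anything it lists after cloaking is a remaining artifact to rename or remove by hand.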

The script can be downloaded from here.

One popular question I get a lot is: “Won’t making these types of changes, especially to driver files and processes, break or crash my VM?”

Answer: No! The file modifications the script makes are only on the disk. VirtualBox has already loaded these files into memory, so we can freely modify file and directory names without affecting the VM too much. I say “too much” because your VM will likely slow down a bit after these changes are made (especially after terminating VBox processes) and it won’t be as user friendly. The script, for example, will break drag/drop, clipboard, and shared folder settings, but this is a side effect of making your VM more difficult to detect. If you really want to be hardcore reversing evasive malware, you wouldn’t want these features enabled anyway 😉

To run, just invoke the PowerShell script like this:

Vboxcloak.ps1 -all

This command will make all configuration changes to the virtual guest system. We can see this in the screenshot below:

[Screenshot: VBoxCloak in action.]

I tested this script with a few evasive malware samples and it seems to work well on many occasions. Obviously, it’s not perfect and will not evade all malware anti-analysis checks, but it is a good start when analyzing an evasive sample.

Once again, the script can be downloaded from: https://github.com/d4rksystem/VBoxCloak

Enjoy! Feel free to yell at me when you inevitably find bugs in the script 🙂
