Knowledge Fragment: Hardening Win10 x64 on VirtualBox for Malware Analysis


Since I kept running into issues debugging and unpacking malware samples effectively on my trusty old Windows 7 x64 reference system, it was time to finally move to Windows 10/11.
About six years ago, I wrote a Win7 Hardening Guide that described in detail my experience with the antivmdetection approach by nsmfoo.

In this (kind of) short update to my previous blog post, I decided to go with the same approach, since it has held up very well all this time, hoping it would transfer seamlessly to Win10.

TL;DR: It is!

That means you can essentially just follow the instructions in the antivmdetection repo to the letter and get a great hardening result.
In the following, I will list a few observations and tweaks I had to make in order to get a truly green Pafish result:

[Screenshot: Pafish run inside the hardened VM with all checks green]

Outside the VM

Just following all the steps worked fine for me.
I still had an ACPI table dump from a legacy board, under 64 KB in size, which I was able to reuse to overwrite my VirtualBox parameters in the ExtraData section.

Inside the VM

Lowering UAC and running PowerShell as Administrator was one thing; on top of that, I recommend dropping the execution policy for PowerShell scripts to Unrestricted.
So simply run

Set-ExecutionPolicy Unrestricted

before running the PowerShell script that you previously generated with antivmdetect.py.

For good measure, I also ran regedit.exe as Administrator and searched all hives to purge every last key and value containing "vbox", which turned up roughly ten more locations.

In the end, this led to the result shown in the screenshot above.
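The manual regedit sweep described above can be scripted. The following is an added example, not part of the original post and not part of the antivmdetection tooling: it walks every registry hive for keys, value names and value data that still carry a VirtualBox marker after antivmdetect.py's generated script has run, reports them, and optionally deletes them. The marker list (vbox, virtualbox, oracle vm) is an assumption and should be extended for your setup. Run it from an elevated PowerShell inside the VM; it only reports by default, and since -Remove deletes hits outright, take a snapshot first. Note that hits below HKLM\HARDWARE are volatile and rebuilt from the VM's firmware, SMBIOS and ACPI tables on every boot, so they cannot be purged from inside the guest; those are exactly the markers the host-side ExtraData changes are for.

```powershell
# Added example, not from the original post or from antivmdetection.
# Sweeps all registry hives for VirtualBox markers and optionally removes them.
# Run from an elevated PowerShell inside the analysis VM (snapshot first).
param(
    [string[]]$Patterns = @('vbox', 'virtualbox', 'oracle vm'),  # assumption: markers worth purging
    [switch]$Remove
)

$ErrorActionPreference = 'SilentlyContinue'   # SAM, SECURITY etc. deny access even to admins
$regex = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

# HKCR and HKCU are merged views of HKLM and HKU, so those two roots cover everything.
if (-not (Test-Path 'HKU:\')) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$roots = 'HKLM:\', 'HKU:\'
$hits  = New-Object System.Collections.Generic.List[object]

foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse | ForEach-Object {
        $key = $_
        # 1) the key name itself
        if ($key.PSChildName -match $regex) {
            $hits.Add([pscustomobject]@{ Kind = 'Key'; Path = $key.Name; Name = ''; Data = '' })
        }
        # 2) value names and value data
        foreach ($name in $key.GetValueNames()) {
            $raw = $key.GetValue($name, $null,
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            # Flatten REG_MULTI_SZ and decode REG_BINARY as ASCII so strings embedded
            # in blobs (SMBIOS/ACPI copies, device descriptors) are matched as well.
            if ($raw -is [byte[]]) { $text = [System.Text.Encoding]::ASCII.GetString($raw) }
            elseif ($raw -is [string[]]) { $text = $raw -join "`n" }
            else { $text = [string]$raw }
            if ($name -match $regex -or $text -match $regex) {
                $hits.Add([pscustomobject]@{ Kind = 'Value'; Path = $key.Name; Name = $name; Data = $text })
            }
        }
    }
}

$hits | Sort-Object Path | Format-Table Kind, Path, Name, Data -AutoSize -Wrap

# Volatile hardware keys are regenerated from the VM's firmware/ACPI/SMBIOS on each
# boot; deleting them in the guest is pointless, they need VBoxManage setextradata.
$hits | Where-Object { $_.Path -like 'HKEY_LOCAL_MACHINE\HARDWARE\*' } |
    ForEach-Object { Write-Warning "Host-side fix needed: $($_.Path) [$($_.Name)]" }

if ($Remove) {
    # Delete values first, then keys, so a removed parent does not make later hits error.
    foreach ($h in ($hits | Sort-Object { $_.Kind -eq 'Key' })) {
        $path = 'Registry::' + $h.Path
        if ($h.Kind -eq 'Key') {
            Remove-Item -Path $path -Recurse -Force
        } else {
            $valueName = if ($h.Name -eq '') { '(default)' } else { $h.Name }
            Remove-ItemProperty -Path $path -Name $valueName -Force
        }
    }
}
```

Save it as, say, purge-vbox.ps1, run it once without -Remove and read the table: anything under HKLM\SYSTEM\CurrentControlSet\Services or Enum that belongs to the Guest Additions should already be gone after uninstalling them, and whatever remains under HKLM\HARDWARE tells you which DMI or ACPI strings still need fixing in the VM's ExtraData on the host.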

Dependencies

In the last blog post, I recommended installing all MSVC runtimes and .NET.
Same this time, but I found a really convenient collection that simplifies the MSVCRT part: Visual C++ Redistributable Runtimes All-in-One.
With it, you can install all the individual runtime packages unattended by simply running the accompanying batch file.

For .NET, check for the latest version here and install it; I went with 7.0 since it was the current stable release at the time of writing.
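After installing the runtimes, it is worth confirming inside the VM what actually landed, because a sample that dies at load for want of a runtime is easily mistaken for one that detected the VM. The following is an added example, not from the original post and not part of the All-in-One package: it enumerates the installed Visual C++ redistributables from the Uninstall keys (the DisplayName wildcard is an assumption about Microsoft's package naming), reads the in-box .NET Framework 4.x version, and asks the dotnet host which modern .NET runtimes (5+, such as the 7.0 installed above) are present. Samples built against .NET Framework use the in-box 4.x framework, not .NET 7, so both are checked.

```powershell
# Added example, not from the original post or from the runtime packages it links.
# Lists the Visual C++ redistributables and .NET runtimes present in the analysis VM.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',             # 64-bit packages
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'  # 32-bit packages on x64
)
$vcRuntimes = Get-ChildItem -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Get-ItemProperty |
    Where-Object { $_.DisplayName -like 'Microsoft Visual C++*Redistributable*' } |  # assumption: naming
    Select-Object DisplayName, DisplayVersion -Unique |
    Sort-Object DisplayName

'Visual C++ runtimes:'
$vcRuntimes | Format-Table -AutoSize

# Both architectures are needed: 32-bit samples load the x86 CRTs even on an x64 guest.
foreach ($arch in 'x86', 'x64') {
    if (-not ($vcRuntimes.DisplayName -like "*($arch)*")) {
        Write-Warning "No Visual C++ redistributable for $arch found."
    }
}

# .NET Framework 4.x ships with Windows 10; the Release DWORD identifies the exact
# 4.x build (Microsoft publishes the Release-to-version table).
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
".NET Framework 4.x: version $($ndp.Version), Release $($ndp.Release)"

# Modern .NET (5+) is separate from the Framework; the dotnet host enumerates it.
if (Get-Command dotnet -ErrorAction SilentlyContinue) {
    'Installed .NET runtimes:'
    dotnet --list-runtimes
} else {
    Write-Warning 'dotnet host not found: no .NET 5+ runtime is installed.'
}
```

Keep the output with the VM's snapshot notes; when a sample fails with a missing DLL or a BadImageFormatException later on, this tells you immediately whether the environment or the sample is to blame.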

Summary

I hope this short review, in combination with my previous blog post, helps you set up an almost undetectable VirtualBox VM for malware analysis and sandboxing.
Once again I'd like to express my gratitude to nsmfoo for creating the antivmdetection tooling.
This time, the whole procedure took me maybe an hour, and it would have taken significantly longer without it.

Just like last time, I’d like to send you off with a music recommendation, which is WARGASM UK’s latest single Do It So Good this time.

Epilepsy Warning!