[vbox-dev] cpuid - anti-vm-detection

Klaus Espenlaub klaus.espenlaub at oracle.com
Tue Jan 17 18:05:46 UTC 2017


If the hypervisor present bit is set then you have configured the VM to 
use paravirtualization (which is the default for new VMs these days). 
You need to disable that, then CPUID should automatically not have the 
bit set and the hypervisor type should also disappear.

VBoxManage modifyvm "vmname" --paravirtprovider none

Messing with CPUID is possible using the --cpuidset options, but you 
need to keep in mind that "normal" VM settings like the paravirt 
provider are applied after the CPUID tweaking, so they'll win.

Regarding your sandboxing tweak: Could you provide a list of changes 
which are necessary (ideally in patch form, controlled by a config 
setting)? We don't think much about hiding the presence of VirtualBox, 
so it won't happen without help from someone who knows what's needed.


On 06.01.2017 09:19, Holger Unterbrink (hunterbr) wrote:
> Oh, I forgot, I should add that I tried to set the other two leaves (EAX=1 and EAX=0x40000000) via --cpuidset, too, but when I do that the VM does not start anymore.
> -h
>> -----Original Message-----
>> From: Holger Unterbrink (hunterbr)
>> Sent: Thursday, January 5, 2017 19:02
>> To: 'vbox-dev at virtualbox.org' <vbox-dev at virtualbox.org>
>> Subject: cpuid - anti-vm-detection
>> Hi,
>> I am in the process of hardening a VBOX VM against VM-detection. Most things
>> are working, but I can't get cpuid to do what I want.
>> VBoxManage modifyvm "VM" --cpuidset 0 0d 756e6547 6c65746e 49656e69
>> changed the vendor string, but not the Hypervisor Present Bit (EAX = 0x1 Bit 31)
>> and Intel/AMD software use string (CPUID EAX = 0x40000000) which usually is
>> set to the hypervisor vendor...
>> mov eax, 0x40000000
>> cpuid
>> also still returns the vendor string (vboxboxvbox) in ebx,ecx,edx
>> Q: How can I disable this behavior in vbox? Best with a VBoxManage cmd, but
>> patching the source is also fine for me.
>> Any help or comments highly welcome !
>> thx,
>> holger
>> P.S. FR: for sandbox setups, a configure option to automatically replace all vbox
>> strings and 0x8088 PCI ids, etc in the src code, would be nice for a future release
>> (done that manually now)
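
A guest-side check for the CPUID values discussed in this thread, as an added example that is not part of the original messages or of VirtualBox: it reads leaf 0, the hypervisor present bit (leaf 1, ECX bit 31) and leaf 0x40000000, so the effect of --paravirtprovider none or --cpuidset can be confirmed from inside the VM. The function names are hypothetical, and it assumes GCC or Clang for <cpuid.h>.

```c
/* Added example: report what CPUID shows inside the guest (GCC/Clang). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Leaf 1: ECX bit 31 is the "hypervisor present" bit. */
int hypervisor_bit_set(uint32_t leaf1_ecx) {
    return (int)((leaf1_ecx >> 31) & 1u);
}
/* Concatenate three registers, low byte first, into a 12-char string. */
void regs_to_string(uint32_t r0, uint32_t r1, uint32_t r2, char out[13]) {
    uint32_t r[3] = { r0, r1, r2 };
    for (int i = 0; i < 3; i++)
        for (int b = 0; b < 4; b++)
            out[i * 4 + b] = (char)((r[i] >> (8 * b)) & 0xff);
    out[12] = '\0';
}

/* Decode and compare in one call (convenient for checks). */
int regs_spell(uint32_t r0, uint32_t r1, uint32_t r2, const char *want) {
    char s[13];
    regs_to_string(r0, r1, r2, s);
    return strcmp(s, want) == 0;
}

int main(void) {
#if defined(__x86_64__) || defined(__i386__)
    uint32_t a, b, c, d;
    char s[13];
    __cpuid(0, a, b, c, d);
    regs_to_string(b, d, c, s);            /* leaf 0 order: EBX, EDX, ECX */
    printf("leaf 0 vendor:      %s\n", s);
    __cpuid(1, a, b, c, d);
    int hv = hypervisor_bit_set(c);
    printf("hypervisor present: %d\n", hv);
    if (hv) {   /* leaf 0x40000000 is only meaningful when the bit is set */
        __cpuid(0x40000000, a, b, c, d);
        regs_to_string(b, c, d, s);        /* order here: EBX, ECX, EDX */
        printf("hypervisor vendor:  %s\n", s);
    }
    return hv;   /* exit status 0 = bit clear, 1 = bit set */
#else
    puts("not an x86 build");
    return 2;
#endif
}
```

The example uses the __cpuid macro rather than __get_cpuid because __get_cpuid compares the requested leaf against the highest basic leaf and therefore rejects 0x40000000.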
