Bash script that spoofs hardware identifiers and some other things to better disguise a VirtualBox VM
bRootForceOfficial 966f2eeb95
Create README.md
2025-10-25 09:11:11 -04:00

VirtualBox Stealth Configuration Scripts

Bash scripts to configure VirtualBox VMs with realistic hardware identifiers to reduce detectability.

⚠️ Disclaimer

My boy Big Claude helped me out with these scripts so they are probably jank. However, they will get you significantly further than running VBoxCloak.ps1 alone because they modify the VM's hardware configuration at the hypervisor level before the OS boots, making the guest OS believe it has different hardware than what VirtualBox supplies by default.

📋 What's Included

  • vbox_stealth.sh - Main configuration script that applies stealth settings
  • undo.sh - Reverts all changes and restores VirtualBox defaults

🎯 Best Results

These scripts work best when combined with VBoxCloak by Kyle Cucci.

Recommended workflow:

  1. Power off your VM completely
  2. Run vbox_stealth.sh to configure hardware identifiers
  3. Start the VM
  4. Run VBoxCloak.ps1 inside the guest OS to clean up registry entries and artifacts

This two-pronged approach addresses detection vectors at both the hypervisor level (hardware) and the guest OS level (software artifacts).

💻 Windows Users - Running Bash Scripts

The scripts are written in Bash, so a Windows host running VirtualBox needs a Bash environment to run them. Here are the easiest options:

Option 1: Git Bash

  1. Install Git for Windows from git-scm.com
    • During installation, make sure "Git Bash" is selected
  2. Open Git Bash (search for it in Start menu)
  3. Navigate to your scripts folder:
    cd /c/path/to/your/scripts
    
  4. Run the scripts as shown in the Usage section below

Option 2: WSL (Windows Subsystem for Linux)

  1. Install WSL (PowerShell as Admin):
    wsl --install
    
  2. Restart your computer when prompted
  3. Open Ubuntu (or your chosen distro) from Start menu
  4. Navigate to Windows files:
    cd /mnt/c/path/to/your/scripts
    
  5. Run the scripts as shown in the Usage section below

Option 3: Cygwin

  1. Download and install Cygwin
  2. Ensure bash package is selected during installation
  3. Open Cygwin terminal and run scripts

Note: VBoxManage must be in your PATH. If you get "VBoxManage not found" errors:

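# Add to PATH (Git Bash; under WSL the drive prefix is /mnt/c instead of /c)
# WSL resolves Windows programs only by their full file name, VBoxManage.exe
export PATH="$PATH:/c/Program Files/Oracle/VirtualBox"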

# Or use full path
"/c/Program Files/Oracle/VirtualBox/VBoxManage.exe" list vms

🚀 Usage

Initial Setup

# Make scripts executable
chmod +x vbox_stealth.sh undo.sh

# Apply stealth configuration (Dell preset)
./vbox_stealth.sh "VM Name" dell

# Available presets: dell, hp, lenovo, asus
./vbox_stealth.sh "Windows 10" hp

Reverting Changes

# Restore VirtualBox defaults
./undo.sh "VM Name"

🔧 What Gets Modified

The script configures the following to mimic real hardware:

BIOS/SMBIOS Information

  • BIOS vendor, version, and release date
  • System vendor and product names
  • Motherboard details and serials
  • Chassis information

Hardware Identifiers

  • Randomized serial numbers for system, board, and chassis
  • Realistic disk model and serial numbers
  • MAC address changed from VirtualBox range (08:00:27:xx:xx:xx)

CPU Configuration

  • Removes hypervisor CPUID leaves
  • Disables paravirtualization provider
  • Masks virtualization detection flags

Timing & Performance

  • TSC tied to execution
  • Disabled time synchronization
  • Large pages enabled

ACPI Tables

  • OEM IDs changed to match manufacturer presets
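
A host-side check of some of the settings listed above, as an added example that is not part of vbox_stealth.sh: it reads the text printed by VBoxManage and reports values still at VirtualBox defaults. The DMI key names are VirtualBox's documented extradata keys; that the script sets exactly these four is an assumption, and the sample values are constructed.

```shell
#!/bin/sh
# Added example: host-side audit for VirtualBox defaults left in a VM's settings.
# Input is the text printed by:
#   VBoxManage showvminfo "<vm>" --machinereadable
#   VBoxManage getextradata "<vm>" enumerate
NL='
'

audit_vm() {  # $1 = showvminfo text, $2 = getextradata text
  findings=""
  while IFS= read -r line; do
    key=${line%%=*}
    val=$(printf '%s' "${line#*=}" | tr -d '"' | tr '[:lower:]' '[:upper:]')
    case $key in
      macaddress[0-9]*)   # NIC MAC, printed without separators
        case $val in 080027*) findings="${findings}${key} is in the VirtualBox range 08:00:27${NL}" ;; esac ;;
      paravirtprovider)   # "none" means no paravirtualization interface is exposed
        [ "$val" = NONE ] || findings="${findings}paravirtprovider is not none${NL}" ;;
    esac
  done <<EOF
$1
EOF
  # DMI overrides sit under pcbios (legacy BIOS) or efi, depending on firmware.
  for key in DmiBIOSVendor DmiSystemVendor DmiSystemProduct DmiBoardVendor; do
    printf '%s\n' "$2" |
      grep -Eq "^Key: VBoxInternal/Devices/(pcbios|efi)/0/Config/${key}, Value: .+" ||
      findings="${findings}no ${key} override in extradata${NL}"
  done
  printf '%s' "$findings"
}

# Constructed sample: a VM still on VirtualBox defaults.
SAMPLE_DEFAULT_INFO='name="analysis-vm"
macaddress1="080027A1B2C3"
paravirtprovider="default"'
SAMPLE_DEFAULT_EXTRA='Key: GUI/LastCloseAction, Value: PowerOff'

# Constructed sample: the same VM after overrides were applied.
SAMPLE_HARDENED_INFO='name="analysis-vm"
macaddress1="D4BED9A1B2C3"
paravirtprovider="none"'
SAMPLE_HARDENED_EXTRA='Key: VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor, Value: American Megatrends Inc.
Key: VBoxInternal/Devices/pcbios/0/Config/DmiBoardVendor, Value: Dell Inc.
Key: VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct, Value: OptiPlex 7090
Key: VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor, Value: Dell Inc.'

audit_vm "$SAMPLE_DEFAULT_INFO" "$SAMPLE_DEFAULT_EXTRA"
```

An empty result means none of the checked defaults remain; it says nothing about the in-guest artifacts that al-khaser and pafish test for.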

📝 Requirements

  • VirtualBox 7.x (tested on 7.2.2)
  • VM must be powered off before running scripts
  • uuidgen or /proc/sys/kernel/random/uuid for UUID generation
  • Bash shell

⚙️ Hardware Presets

| Preset | System | BIOS | Typical Use Case |
|--------|--------|------|------------------|
| dell | OptiPlex 7090 | American Megatrends | Corporate desktop |
| hp | EliteDesk 800 G6 | HP | Enterprise workstation |
| lenovo | ThinkCentre M720q | Lenovo | Small form factor PC |
| asus | PRIME B560M-A | American Megatrends | Custom build |

🛡️ Additional Steps (Important!)

After running the script, you should:

  1. Start the VM and run VBoxCloak.ps1:

    PowerShell -ExecutionPolicy Bypass -File VBoxCloak.ps1 -all
    
  2. Remove VirtualBox Guest Additions completely

  3. Disable in VirtualBox settings:

    • Shared folders
    • Bidirectional clipboard
    • Drag and drop
  4. Verify in Device Manager:

    • No VirtualBox devices should be visible
    • Remove any "Unknown devices" related to VBox
  5. Test with detection tools:

    • al-khaser
    • pafish
    • Ensure Guest Additions are removed first

🚨 Known Limitations

Some detections will likely remain due to VirtualBox's architecture:

  • WMI class instance checks (Win32_PhysicalMemory, etc.)
  • Thermal zone information (MSAcpi_ThermalZoneTemperature)
  • Some CIM sensor classes
  • Power management capability differences
  • Hardware timing variations

These would require kernel-mode drivers or VirtualBox source code modifications to address.

🔄 Backup & Recovery

The undo.sh script automatically creates backups before making changes:

  • Backups stored in /tmp/vbox_backups/
  • Named with timestamp: vbox_backup_VMName_YYYYMMDD_HHMMSS.txt
  • Contains all original settings for manual restoration if needed

📚 Resources

These scripts are for educational and legitimate testing purposes only. Users are responsible for ensuring compliance with applicable laws and terms of service. Bypassing security measures or evading detection for malicious purposes is illegal.

📄 License

MIT License - Feel free to use, modify, and distribute.


Note: Always test in a non-production environment first. VM detection is a cat-and-mouse game, and no solution is 100% foolproof.