From 966f2eeb9504bc82e21f300791325e9496db8d44 Mon Sep 17 00:00:00 2001 From: bRootForceOfficial <226203328+bRootForceOfficial@users.noreply.github.com> Date: Sat, 25 Oct 2025 09:11:11 -0400 Subject: [PATCH] Create README.md --- README.md | 197 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 197 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..3d0f372 --- /dev/null +++ b/README.md 
@@ -0,0 +1,197 @@ +# VirtualBox Stealth Configuration Scripts + +Bash scripts to configure VirtualBox VMs with realistic hardware identifiers to reduce detectability. + +## ⚠️ Disclaimer + +**My boy Big Claude helped me out with these scripts so they are probably jank.** However, they will get you significantly further than running VBoxCloak.ps1 alone because they modify the VM's hardware configuration at the hypervisor level *before* the OS boots, making the guest OS believe it has different hardware than what VirtualBox supplies by default. + +## 📋 What's Included + +- **`vbox_stealth.sh`** - Main configuration script that applies stealth settings +- **`undo.sh`** - Reverts all changes and restores VirtualBox defaults + +## 🎯 Best Results + +These scripts work best when combined with **[VBoxCloak by Kyle Cucci](https://github.com/d4rksystem/VBoxCloak)**. + +**Recommended workflow:** +1. Power off your VM completely +2. Run `vbox_stealth.sh` to configure hardware identifiers +3. Start the VM +4. Run VBoxCloak.ps1 inside the guest OS to clean up registry entries and artifacts + +This two-pronged approach addresses detection vectors at both the hypervisor level (hardware) and the guest OS level (software artifacts). + +## 💻 Windows Users - Running Bash Scripts + +Since these are bash scripts but VirtualBox runs on Windows, you'll need a bash environment. Here are the easiest options: + +### Option 1: Git Bash (Recommended - Easiest) + +1. **Install Git for Windows** from [git-scm.com](https://git-scm.com/download/win) + - During installation, make sure "Git Bash" is selected +2. **Open Git Bash** (search for it in Start menu) +3. **Navigate to your scripts folder:** + ```bash + cd /c/path/to/your/scripts + ``` +4. **Run the scripts** as shown in the Usage section below + +### Option 2: WSL (Windows Subsystem for Linux) + +1. **Install WSL** (PowerShell as Admin): + ```powershell + wsl --install + ``` +2. **Restart your computer** when prompted +3. 
**Open Ubuntu** (or your chosen distro) from Start menu +4. **Navigate to Windows files:** + ```bash + cd /mnt/c/path/to/your/scripts + ``` +5. **Run the scripts** as shown in the Usage section below + +### Option 3: Cygwin + +1. Download and install [Cygwin](https://www.cygwin.com/) +2. Ensure `bash` package is selected during installation +3. Open Cygwin terminal and run scripts + +**Note:** VBoxManage must be in your PATH. If you get "VBoxManage not found" errors: +```bash +# Add to PATH (Git Bash/WSL) +export PATH="$PATH:/c/Program Files/Oracle/VirtualBox" + +# Or use full path +"/c/Program Files/Oracle/VirtualBox/VBoxManage.exe" list vms +``` + +## 🚀 Usage + +### Initial Setup + +```bash +# Make scripts executable +chmod +x vbox_stealth.sh undo.sh + +# Apply stealth configuration (Dell preset) +./vbox_stealth.sh "VM Name" dell + +# Available presets: dell, hp, lenovo, asus +./vbox_stealth.sh "Windows 10" hp +``` + +### Reverting Changes + +```bash +# Restore VirtualBox defaults +./undo.sh "VM Name" +``` + +## 🔧 What Gets Modified + +The script configures the following to mimic real hardware: + +### BIOS/SMBIOS Information +- BIOS vendor, version, and release date +- System vendor and product names +- Motherboard details and serials +- Chassis information + +### Hardware Identifiers +- Randomized serial numbers for system, board, and chassis +- Realistic disk model and serial numbers +- MAC address changed from VirtualBox range (08:00:27:xx:xx:xx) + +### CPU Configuration +- Removes hypervisor CPUID leaves +- Disables paravirtualization provider +- Masks virtualization detection flags + +### Timing & Performance +- TSC tied to execution +- Disabled time synchronization +- Large pages enabled + +### ACPI Tables +- OEM IDs changed to match manufacturer presets + +## 📝 Requirements + +- VirtualBox 7.x (tested on 7.2.2) +- VM must be **powered off** before running scripts +- `uuidgen` or `/proc/sys/kernel/random/uuid` for UUID generation +- Bash shell + +## ⚙️ 
Hardware Presets + +| Preset | System | BIOS | Typical Use Case | +|--------|--------|------|------------------| +| `dell` | OptiPlex 7090 | American Megatrends | Corporate desktop | +| `hp` | EliteDesk 800 G6 | HP | Enterprise workstation | +| `lenovo` | ThinkCentre M720q | Lenovo | Small form factor PC | +| `asus` | PRIME B560M-A | American Megatrends | Custom build | + +## 🛡️ Additional Steps (Important!) + +After running the script, you should: + +1. **Start the VM** and run VBoxCloak.ps1: + ```powershell + PowerShell -ExecutionPolicy Bypass -File VBoxCloak.ps1 -all + ``` + +2. **Remove VirtualBox Guest Additions** completely + +3. **Disable in VirtualBox settings:** + - Shared folders + - Bidirectional clipboard + - Drag and drop + +4. **Verify in Device Manager:** + - No VirtualBox devices should be visible + - Remove any "Unknown devices" related to VBox + +5. **Test with detection tools:** + - al-khaser + - pafish + - Ensure Guest Additions are removed first + +## 🚨 Known Limitations + +Some detections will likely remain due to VirtualBox's architecture: + +- WMI class instance checks (Win32_PhysicalMemory, etc.) +- Thermal zone information (MSAcpi_ThermalZoneTemperature) +- Some CIM sensor classes +- Power management capability differences +- Hardware timing variations + +These would require kernel-mode drivers or VirtualBox source code modifications to address. 
+ +## 🔄 Backup & Recovery + +The `undo.sh` script automatically creates backups before making changes: +- Backups stored in `/tmp/vbox_backups/` +- Named with timestamp: `vbox_backup_VMName_YYYYMMDD_HHMMSS.txt` +- Contains all original settings for manual restoration if needed + +## 📚 Resources + +- [VBoxCloak](https://github.com/d4rksystem/VBoxCloak) - Companion PowerShell script for guest OS cleanup +- [VirtualBox Manual](https://www.virtualbox.org/manual/) - Official documentation +- [al-khaser](https://github.com/LordNoteworthy/al-khaser) - VM detection testing tool +- [pafish](https://github.com/a0rtega/pafish) - Paranoid Fish VM detection + +## ⚖️ Legal Notice + +These scripts are for **educational and legitimate testing purposes only**. Users are responsible for ensuring compliance with applicable laws and terms of service. Bypassing security measures or evading detection for malicious purposes is illegal. + +## 📄 License + +MIT License - Feel free to use, modify, and distribute. + +--- + +**Note:** Always test in a non-production environment first. VM detection is a cat-and-mouse game, and no solution is 100% foolproof.
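Review bot: the Backup & Recovery section at the end of this hunk contradicts the rest of the README: it says `undo.sh` "automatically creates backups before making changes", but the script that makes changes is `vbox_stealth.sh`, and `undo.sh` is described under Reverting Changes as restoring VirtualBox defaults, not the backed-up values. Either move the backup step into `vbox_stealth.sh` and have `undo.sh` restore from the newest `vbox_backup_VMName_YYYYMMDD_HHMMSS.txt`, or drop the claim that the backup "contains all original settings" for restoration, since a VM that was not at defaults before the run (a custom MAC, an existing `--paravirtprovider` choice) will not get those settings back. Two smaller points in the same hunk: `/tmp/vbox_backups/` is cleared on reboot on most distros and under Git Bash maps to the Windows temp directory, so a path under the user's home or beside the VM's `.vbox` file would be safer for the one file the user needs to recover; and the PATH snippet commented "Add to PATH (Git Bash/WSL)" only works from Git Bash, because from WSL the install lives under `/mnt/c/Program Files/Oracle/VirtualBox`, matching the `cd /mnt/c/path/to/your/scripts` form the WSL section itself uses. Also worth a check before shipping the presets: the `dell` row lists American Megatrends as BIOS vendor while the `hp` and `lenovo` rows use the OEM's own name; compare against a real OptiPlex 7090 `dmidecode` output, since a BIOS vendor that does not match the system vendor is itself a fingerprint the pafish/al-khaser step at the end will not catch.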