vbox_stealth/README.md

# VirtualBox Stealth Configuration Scripts

Bash scripts to configure VirtualBox VMs with realistic hardware identifiers to reduce detectability.

## ⚠️ Disclaimer

**My boy Big Claude helped me out with these scripts so they are probably jank.** However, they will get you significantly further than running VBoxCloak.ps1 alone because they modify the VM's hardware configuration at the hypervisor level *before* the OS boots, making the guest OS believe it has different hardware than what VirtualBox supplies by default.

## 📋 What's Included

- **`vbox_stealth.sh`** - Main configuration script that applies stealth settings
- **`undo.sh`** - Reverts all changes and restores VirtualBox defaults

## 🎯 Best Results

These scripts work best when combined with **[VBoxCloak by Kyle Cucci](https://github.com/d4rksystem/VBoxCloak)**. 

**Recommended workflow:**
1. Power off your VM completely
2. Run `vbox_stealth.sh` to configure hardware identifiers
3. Start the VM
4. Run VBoxCloak.ps1 inside the guest OS to clean up registry entries and artifacts

This two-pronged approach addresses detection vectors at both the hypervisor level (hardware) and the guest OS level (software artifacts).

## 💻 Windows Users - Running Bash Scripts

Since these are bash scripts but VirtualBox runs on Windows, you'll need a bash environment. Here are the easiest options:

### Option 1: Git Bash (Recommended - Easiest)

1. **Install Git for Windows** from [git-scm.com](https://git-scm.com/download/win)
   - During installation, make sure "Git Bash" is selected
2. **Open Git Bash** (search for it in Start menu)
3. **Navigate to your scripts folder:**
   ```bash
   cd /c/path/to/your/scripts
   ```
4. **Run the scripts** as shown in the Usage section below

### Option 2: WSL (Windows Subsystem for Linux)

1. **Install WSL** (PowerShell as Admin):
   ```powershell
   wsl --install
   ```
2. **Restart your computer** when prompted
3. **Open Ubuntu** (or your chosen distro) from Start menu
4. **Navigate to Windows files:**
   ```bash
   cd /mnt/c/path/to/your/scripts
   ```
5. **Run the scripts** as shown in the Usage section below

### Option 3: Cygwin

1. Download and install [Cygwin](https://www.cygwin.com/)
2. Ensure `bash` package is selected during installation
3. Open Cygwin terminal and run scripts

**Note:** VBoxManage must be in your PATH. If you get "VBoxManage not found" errors:
```bash
# Add to PATH (Git Bash/WSL)
export PATH="$PATH:/c/Program Files/Oracle/VirtualBox"

# Or use full path
"/c/Program Files/Oracle/VirtualBox/VBoxManage.exe" list vms
```

## 🚀 Usage

### Initial Setup

```bash
# Make scripts executable
chmod +x vbox_stealth.sh undo.sh

# Apply stealth configuration (Dell preset)
./vbox_stealth.sh "VM Name" dell

# Available presets: dell, hp, lenovo, asus
./vbox_stealth.sh "Windows 10" hp
```

### Reverting Changes

```bash
# Restore VirtualBox defaults
./undo.sh "VM Name"
```

## 🔧 What Gets Modified

The script configures the following to mimic real hardware:

### BIOS/SMBIOS Information
- BIOS vendor, version, and release date
- System vendor and product names
- Motherboard details and serials
- Chassis information

### Hardware Identifiers
- Randomized serial numbers for system, board, and chassis
- Realistic disk model and serial numbers
- MAC address changed from VirtualBox range (08:00:27:xx:xx:xx)

### CPU Configuration
- Removes hypervisor CPUID leaves
- Disables paravirtualization provider
- Masks virtualization detection flags

### Timing & Performance
- TSC tied to execution
- Disabled time synchronization
- Large pages enabled

### ACPI Tables
- OEM IDs changed to match manufacturer presets

## 📝 Requirements

- VirtualBox 7.x (tested on 7.2.2)
- VM must be **powered off** before running scripts
- `uuidgen` or `/proc/sys/kernel/random/uuid` for UUID generation
- Bash shell

## ⚙️ Hardware Presets

| Preset | System | BIOS | Typical Use Case |
|--------|--------|------|------------------|
| `dell` | OptiPlex 7090 | American Megatrends | Corporate desktop |
| `hp` | EliteDesk 800 G6 | HP | Enterprise workstation |
| `lenovo` | ThinkCentre M720q | Lenovo | Small form factor PC |
| `asus` | PRIME B560M-A | American Megatrends | Custom build |

## 🛡️ Additional Steps (Important!)

After running the script, you should:

1. **Start the VM** and run VBoxCloak.ps1:
   ```powershell
   PowerShell -ExecutionPolicy Bypass -File VBoxCloak.ps1 -all
   ```

2. **Remove VirtualBox Guest Additions** completely

3. **Disable in VirtualBox settings:**
   - Shared folders
   - Bidirectional clipboard
   - Drag and drop

4. **Verify in Device Manager:**
   - No VirtualBox devices should be visible
   - Remove any "Unknown devices" related to VBox

5. **Test with detection tools:**
   - al-khaser
   - pafish
   - Ensure Guest Additions are removed first

## 🚨 Known Limitations

Some detections will likely remain due to VirtualBox's architecture:

- WMI class instance checks (Win32_PhysicalMemory, etc.)
- Thermal zone information (MSAcpi_ThermalZoneTemperature)
- Some CIM sensor classes
- Power management capability differences
- Hardware timing variations

These would require kernel-mode drivers or VirtualBox source code modifications to address.

## 🔄 Backup & Recovery

The `undo.sh` script automatically creates backups before making changes:
- Backups stored in `/tmp/vbox_backups/`
- Named with timestamp: `vbox_backup_VMName_YYYYMMDD_HHMMSS.txt`
- Contains all original settings for manual restoration if needed

## 📚 Resources

- [VBoxCloak](https://github.com/d4rksystem/VBoxCloak) - Companion PowerShell script for guest OS cleanup
- [VirtualBox Manual](https://www.virtualbox.org/manual/) - Official documentation
- [al-khaser](https://github.com/LordNoteworthy/al-khaser) - VM detection testing tool
- [pafish](https://github.com/a0rtega/pafish) - Paranoid Fish VM detection

## ⚖️ Legal Notice

These scripts are for **educational and legitimate testing purposes only**. Users are responsible for ensuring compliance with applicable laws and terms of service. Bypassing security measures or evading detection for malicious purposes is illegal.

## 📄 License

MIT License - Feel free to use, modify, and distribute.

---

**Note:** Always test in a non-production environment first. VM detection is a cat-and-mouse game, and no solution is 100% foolproof.