virtual-machine virtualbox antimalware

How to change the vendor ID of any PnP (Plug and Play) device inside VirtualBox?


I want to change the default vendor ID prefix VID_80EE given by VirtualBox.

VID_80EE

I am doing malware analysis, and malware uses this ID to detect whether it is running in VirtualBox or not.


Solution

  • It is a virtual USB device, which runs inside the VM. Normal USB drivers talk to USB devices on the USB bus. This virtual device is still on the virtual USB bus, but it is not hardware; instead it is talking to the VirtualBox process on the host. VirtualBox has some kernel drivers; they provide the virtual USB devices which bind the virtual USB bus of the guest with the VirtualBox process of the host.

    To change their USB vendor/product ID, I see no way other than changing their source code and recompiling them. They are Linux kernel drivers, part of the upstream VirtualBox sources.

    The vendor/product ID of the virtual USB keyboard is here, and of the mouse is here.

    You can do the recompilation following the VirtualBox build instructions.

    I have already done some vbox recompilation, and it is not trivial, but it can be done without major problems. And you only need the guest kernel drivers.
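
A check for the rebuilt guest, as an added example that is not part of the original answer: it parses Windows device instance IDs and lists those that still carry the VID_80EE vendor field. The sample instance IDs (including their product IDs and serials) are constructed, and the function names are hypothetical.

```python
import re

# Matches the vendor/product fields of a Windows device instance ID,
# e.g. USB\VID_80EE&PID_0021\... (all sample IDs below are constructed).
_VID_PID = re.compile(r"VID_([0-9A-F]{4})(?:&PID_([0-9A-F]{4}))?", re.IGNORECASE)

DEFAULT_VENDOR = 0x80EE  # the VID_80EE prefix discussed in the question


def parse_instance_id(instance_id):
    """Return (enumerator, vendor_id, product_id), or None if there is no VID field."""
    match = _VID_PID.search(instance_id)
    if match is None:
        return None
    enumerator = instance_id.split("\\", 1)[0].upper()
    vendor = int(match.group(1), 16)
    product = int(match.group(2), 16) if match.group(2) else None
    return enumerator, vendor, product


def devices_with_vendor(instance_ids, vendor=DEFAULT_VENDOR):
    """List the instance IDs that still expose the given vendor ID."""
    hits = []
    for raw in instance_ids:
        instance_id = raw.strip()
        parsed = parse_instance_id(instance_id)
        if parsed and parsed[1] == vendor:
            hits.append(instance_id)
    return hits


# Constructed sample: instance IDs as exported from a guest, one per entry.
SAMPLE = [
    r"USB\VID_80EE&PID_0021\5&2F1C9A7&0&1",
    r"HID\vid_80ee&pid_0021\6&1B4D3E&0&0000",   # lower case must still match
    r"USB\VID_1234&PID_5678\0001",              # different vendor
    r"ACPI\PNP0303\4&1D401FB5&0",               # no VID field at all
    r"USB\ROOT_HUB\4&2A6C1F&0",
]

if __name__ == "__main__":
    for hit in devices_with_vendor(SAMPLE):
        print("still exposes VID_80EE:", hit)
```

An empty result for the instance IDs exported from the guest means no device there still reports the default vendor ID in that form.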