VBoxAntiVMDetectHardened mitigation X64 only

EP_X0FF
Global Moderator
Posts: 4811
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: VBoxAntiVMDetectHardened mitigation X64 only

Post by EP_X0FF » Sun Mar 26, 2017 5:39 pm

It is [code] [/code] tags. Why did you place the files in the root directory? That's not a wise decision at all. It seems some files are missing or their security permissions won't allow VBox to open them. Redownload the files from GitHub and place them in a dedicated directory, NOT the root.
Ring0 - the source of inspiration

Trelowin
Posts: 10
Joined: Tue Mar 14, 2017 12:14 pm

Re: VBoxAntiVMDetectHardened mitigation X64 only

Post by Trelowin » Sun Mar 26, 2017 7:20 pm

Some mysticism.
I transferred the files from the data folder to the C:\VBox\Binary folder.
Launched the monitoring driver.
Started the standard script with the changed folders.

Code:

set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe"
set vmscfgdir=C:\VBox\Binary
set /P n1="Enter Virtual Machine name: " 
Result:

Code:

00:00:01.400581 VMSetError: F:\tinderbox\win-5.1\src\VBox\Devices\PC\DevPcBios.cpp(1404) int __cdecl pcbiosConstruct(struct PDMDEVINS *,int,struct CFGMNODE *); rc=VERR_FILE_NOT_FOUND
00:00:01.400590 VMSetError: Failed to open system BIOS file 'C:\VBox\Binarypcbios.bin'
00:00:01.400603 PDM: Failed to construct 'pcbios'/0! VERR_FILE_NOT_FOUND (-102) - File not found.
00:00:01.529995 ERROR [COM]: aRC=E_FAIL (0x80004005) aIID={872da645-4a9b-1727-bee2-5585105b9eed} aComponent={ConsoleWrap} aText={Failed to open system BIOS file 'C:\VBox\Binarypcbios.bin' (VERR_FILE_NOT_FOUND)}, preserve=false aResultDetail=0
00:00:01.530289 Console: Machine state changed to 'PoweredOff'
00:00:01.561229 Power up failed (vrc=VERR_FILE_NOT_FOUND, rc=E_FAIL (0X80004005))
00:00:01.698571 GUI: UIMachineViewNormal::resendSizeHint: Restoring guest size-hint for screen 0 to 800x600
00:00:01.698615 ERROR [COM]: aRC=E_ACCESSDENIED (0x80070005) aIID={02326f63-bcb3-4481-96e0-30d1c2ee97f6} aComponent={DisplayWrap} aText={The console is not powered up}, preserve=false aResultDetail=0
00:00:01.698890 GUI: Aborting startup due to power up progress issue detected..

EP_X0FF
Global Moderator
Posts: 4811
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: VBoxAntiVMDetectHardened mitigation X64 only

Post by EP_X0FF » Mon Mar 27, 2017 3:46 am

Add a backslash to C:\VBox\Binary:
set vmscfgdir=C:\VBox\Binary\
Probably my mistake in the tutorial; I thought it was obvious that the backslash is required.
Ring0 - the source of inspiration
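A defensive version of the directory setup from the script quoted above, added here as an example and not code from the thread or from the loader's repository: it appends the trailing backslash only when it is missing (so the path can never collapse into 'C:\VBox\Binarypcbios.bin' as the log shows) and checks that pcbios.bin, the file the log failed to open, is actually present before the script goes any further. The C:\VBox\Binary path and the vboxman/vmscfgdir/n1 variable names are the poster's; everything else is assumed.

```batch
@echo off
rem Added example, not part of the thread or the loader project.
rem Goal: make the config-directory variable safe to concatenate with file names.
set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe"
set vmscfgdir=C:\VBox\Binary

rem %var:~-1% is the last character of the variable. Append a backslash
rem only when it is not already there, so both "C:\VBox\Binary" and
rem "C:\VBox\Binary\" end up as "C:\VBox\Binary\".
if not "%vmscfgdir:~-1%"=="\" set vmscfgdir=%vmscfgdir%\

rem pcbios.bin is the file VBox reported as VERR_FILE_NOT_FOUND in the log.
rem Fail early with a readable message instead of letting power-up fail later.
if not exist "%vmscfgdir%pcbios.bin" (
    echo Missing %vmscfgdir%pcbios.bin - put the loader's data files in %vmscfgdir% and check their permissions.
    exit /b 1
)

set /P n1="Enter Virtual Machine name: "
echo Using config directory %vmscfgdir% for VM "%n1%"
```

Run it from a cmd prompt as a .bat file; the exit code is 1 when the BIOS file is missing, which makes the script usable from other batch files or scheduled tasks that check %ERRORLEVEL%.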

olivasafford
Posts: 2
Joined: Sun Aug 30, 2015 1:35 pm

Re: VBoxAntiVMDetectHardened mitigation X64 only

Post by olivasafford » Tue Mar 28, 2017 11:13 am

Sandbox traced by checking operating system uptime using GetTickCount(). How to fix?

EP_X0FF
Global Moderator
Posts: 4811
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: VBoxAntiVMDetectHardened mitigation X64 only

Post by EP_X0FF » Tue Mar 28, 2017 11:35 am

olivasafford wrote:
Sandbox traced by checking operating system uptime using GetTickCount(). How to fix?

How does this relate to vbox and the loader? Browse for some porn before launching the exe and don't ask such stupid questions anymore.
Ring0 - the source of inspiration

olivasafford
Posts: 2
Joined: Sun Aug 30, 2015 1:35 pm

Re: VBoxAntiVMDetectHardened mitigation X64 only

Post by olivasafford » Tue Mar 28, 2017 1:39 pm

Pafish gave a check log:
[pafish] Sandbox traced by checking operating system uptime using GetTickCount()
[pafish] Sandbox traced using mouse activity
How to correct the remaining holes?

ciba
Posts: 1
Joined: Wed Mar 22, 2017 3:49 am

Re: VBoxAntiVMDetectHardened mitigation X64 only

Post by ciba » Wed Mar 29, 2017 3:54 am

I've been getting a bluescreen while running the VM. I have attached the minidumps.
Hopefully I can get some help here.

Thanks a lot

EP_X0FF
Global Moderator
Posts: 4811
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: VBoxAntiVMDetectHardened mitigation X64 only

Post by EP_X0FF » Wed Mar 29, 2017 4:18 am

ciba wrote:
I've been getting a bluescreen while running the VM. I have attached the minidumps.
Hopefully I can get some help here.

Thanks a lot

You are using Windows 10. On Windows 10 PatchGuard is enforced to do more ridiculous checks in kernel mode.

You have 5 options:

1) Leave it as is. It will BSOD on Windows 10+; nothing can be done here unless you take option 3 or 4.
2) Don't use Windows 10.
3) Build a signed version of the loader and driver and use them. That's how I personally use it. No, I won't give you any of my certificates nor sign any binary. You have to buy your own. https://github.com/hfiref0x/VBoxHardene ... igning.txt
4) Disable PatchGuard (it is an absolutely useless marketing/DRM feature, tbh).
5) Don't use this loader and say "thank you" to Oracle and Microsoft for building outstanding software products that are unusable without patching.

Bonus: just a hint.
Linux is free from both PatchGuard and Oracle's "hardening" idiocy. And the Linux vbox version can be patched and configured to do all that this loader does.
Ring0 - the source of inspiration

EP_X0FF
Global Moderator
Posts: 4811
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: VBoxAntiVMDetectHardened mitigation X64 only

Post by EP_X0FF » Wed Mar 29, 2017 4:19 am

olivasafford wrote:
[pafish] Sandbox traced by checking operating system uptime using GetTickCount()

Wait a few minutes after Windows startup before running any samples, or learn already how to use snapshots in VBox.

olivasafford wrote:
[pafish] Sandbox traced using mouse activity
How to correct the remaining holes?

Move the mouse all the time while running pafish, and learn how to read this thread before asking already-answered questions.
Ring0 - the source of inspiration

Vrtule
Posts: 461
Joined: Sat Mar 13, 2010 9:14 pm
Location: Czech Republic

Re: VBoxAntiVMDetectHardened mitigation X64 only

Post by Vrtule » Wed Mar 29, 2017 11:28 am

EP_X0FF wrote:
You are using Windows 10. On Windows 10 PatchGuard is enforced to do more ridiculous checks in kernel mode.

Which of the checks actually causes the problem? Is it the fact that the "signature enforcement" variable(s) are protected, or something else (like checking whether some registered callback resides inside a driver)?

As for driver signing:
It is also possible to sign the driver "directly" from Visual Studio (2013+, I suppose). Go to project properties -> Driver Signing. But SignTool allows you to specify more options. And I also had some problems specifying the signing certificate in the project properties.
