Page 3 of 25

Re: VBoxAntiVMDetectHardened mitigation X64 only (05/01/15)

Posted: Thu Jan 29, 2015 4:57 pm
by h00key
EP_X0FF wrote: Unfortunately, in the pathetic attempt to stop VirtualBox exploitation attempts, Oracle has made a decision to create some kind of "patchguard" for VBox, known as "Hardened VirtualBox". See http://www.kernelmode.info/forum/viewto ... 1&start=50 for more details.
Hm, what were these exploits, and why did Oracle take them so seriously? Were they used to escape from the VM? That's almost the only very serious thing I can imagine...

Re: VBoxAntiVMDetectHardened mitigation X64 only (05/01/15)

Posted: Thu Jan 29, 2015 11:49 pm
by Cody Johnston
h00key wrote:
EP_X0FF wrote: Unfortunately, in the pathetic attempt to stop VirtualBox exploitation attempts, Oracle has made a decision to create some kind of "patchguard" for VBox, known as "Hardened VirtualBox". See http://www.kernelmode.info/forum/viewto ... 1&start=50 for more details.
Hm, what were these exploits, and why did Oracle take them so seriously? Were they used to escape from the VM? That's almost the only very serious thing I can imagine...
http://www.kernelmode.info/forum/viewto ... =10#p22352

Re: VBoxAntiVMDetectHardened mitigation X64 only (05/01/15)

Posted: Fri Jan 30, 2015 6:10 am
by EP_X0FF
h00key wrote:
EP_X0FF wrote: Unfortunately, in the pathetic attempt to stop VirtualBox exploitation attempts, Oracle has made a decision to create some kind of "patchguard" for VBox, known as "Hardened VirtualBox". See http://www.kernelmode.info/forum/viewto ... 1&start=50 for more details.
Hm, what were these exploits, and why did Oracle take them so seriously? Were they used to escape from the VM? That's almost the only very serious thing I can imagine...
It is Oracle being butthurt after their multiple 3D acceleration fuckups and another new exploit. It wasn't published, only reported to Oracle (based on the Turla exploit linked in the above post), and it used the latest VBoxDrv at that time to write to arbitrary kernel memory addresses.

Re: VBoxAntiVMDetectHardened mitigation X64 only (05/01/15)

Posted: Sat Jan 31, 2015 12:18 pm
by h00key
Ahh, so the VBox driver was used as an infection "assist module". Well, I understand their concerns, but I can't really say if that's the correct way to prevent exploitation.

Re: VBoxAntiVMDetectHardened mitigation X64 only (14/02/15)

Posted: Sat Feb 14, 2015 4:49 pm
by EP_X0FF
Update to 4.3.22.

Important note - due to moronic stealth "security" updates from Oracle, the following additional installation steps are now required:

1) After you install this new VirtualBox, go to the registry -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VBoxDrv and change Start from 1 (System) to 3 (Load On Demand).
2) Reboot Windows
3) Run loader.exe
4) Only after this can you start VirtualBox itself.

The new table can be found in src->tables.h; it is already embedded in the loader.
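Step 1 above changes the start type of the VBoxDrv kernel driver. The following PowerShell audit script is an added example, not code from this thread or from the VBoxAntiVMDetect project: it reads the VBoxDrv service's Start value and the driver image it points to, so a host administrator can tell whether the driver still has its stock System start (1) or has been switched to Load On Demand (3), and whether the driver binary on disk carries a valid Authenticode signature. The registry path, the SERVICE_START value names and the Get-ItemProperty / Get-AuthenticodeSignature cmdlets are standard Windows; the warning thresholds are this example's own assumptions.

```powershell
# Added example: audit the VBoxDrv service start type and driver signature.
# Assumes a Windows host with VirtualBox installed; run from an elevated PowerShell.
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\VBoxDrv'

# Standard SERVICE_START values used by the Service Control Manager.
$startNames = @{
    0 = 'Boot'
    1 = 'System'
    2 = 'Automatic'
    3 = 'Manual (Load On Demand)'
    4 = 'Disabled'
}

if (-not (Test-Path -Path $serviceKey)) {
    Write-Output 'VBoxDrv service key not found; VirtualBox does not appear to be installed.'
    return
}

$props = Get-ItemProperty -Path $serviceKey
$start = [int]$props.Start
$label = if ($startNames.ContainsKey($start)) { $startNames[$start] } else { "unknown" }
Write-Output ("VBoxDrv Start = {0} ({1})" -f $start, $label)

# A stock VirtualBox install registers VBoxDrv with Start=1 (System).
# Any other value means the start type was changed by hand, which is worth
# recording in a host audit because it alters the driver load order.
if ($start -ne 1) {
    Write-Warning 'VBoxDrv is not set to System start; the driver start type has been modified.'
}

# Resolve the ImagePath to an absolute file and check its Authenticode signature.
# ImagePath is commonly stored relative to the Windows directory or with a
# \SystemRoot\ prefix, so normalise both forms before looking at the file.
$imagePath = [string]$props.ImagePath
$resolved = $imagePath -replace '^\\\?\?\\', ''               # strip \??\ prefix
$resolved = $resolved -replace '^\\SystemRoot\\', "$env:SystemRoot\"
if ($resolved -notmatch '^[A-Za-z]:\\') {
    $resolved = Join-Path -Path $env:SystemRoot -ChildPath $resolved
}

if (Test-Path -Path $resolved) {
    $sig = Get-AuthenticodeSignature -FilePath $resolved
    Write-Output ("Driver image: {0}" -f $resolved)
    Write-Output ("Signature status: {0}" -f $sig.Status)
    if ($sig.SignerCertificate) {
        Write-Output ("Signer: {0}" -f $sig.SignerCertificate.Subject)
    }
    if ($sig.Status -ne 'Valid') {
        Write-Warning 'VBoxDrv image is not validly signed; verify the binary before trusting it.'
    }
} else {
    Write-Warning ("Driver image not found at {0}" -f $resolved)
}
```

Run the script as an administrator so the service key and the driver file under System32\drivers are readable. On an untouched 4.3.22 installation the expected output is Start = 1 (System) with a Valid signature; after following the steps above, the first check reports Start = 3 and raises the warning.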

Re: VBoxAntiVMDetectHardened mitigation X64 only (14/02/15)

Posted: Sat Feb 14, 2015 6:28 pm
by hx1997
Hello,

Thanks for this piece of work! However, I'm having a little trouble starting up the VM...

I think I've followed every step in the 1st post: uninstalled the old version of VBox (.14) and rebooted, installed the new version (.22) without networking, changed the VBoxDrv registry entry and rebooted again, downloaded VBox_4.3.22.rar, extracted it and ran install.cmd, confirmed the driver was loaded and working (DbgView showed the debug string and XueTr showed it loaded), started VBox, created the VM and configured it as described, closed VBox, customized the batch script and ran it (no error message displayed), started VBox again, and tried to start up the VM - it failed with the following message:
The virtual machine 'Windows XP' has terminated unexpectedly during startup with exit code -1073741819 (0xc0000005). More details may be available in 'K:\VirtualBox VMs\Windows XP\Logs\VBoxStartup.log'.
The log file is attached, if you need it.

Re: VBoxAntiVMDetectHardened mitigation X64 only (14/02/15)

Posted: Sat Feb 14, 2015 6:38 pm
by EP_X0FF
Hello,

Does it work without the patch? The log indicates a failure in their hardened crap.

Re: VBoxAntiVMDetectHardened mitigation X64 only (14/02/15)

Posted: Sun Feb 15, 2015 8:17 am
by hx1997
EP_X0FF wrote:Hello,

Does it work without the patch? The log indicates a failure in their hardened crap.
It seems it has nothing to do with the patch - it doesn't work even after I did a fresh install of VBox and created a new VM without the patch. The error message is the same as before.

So it's a problem with my own machine, not the patch. Sorry for bringing this up.

But now I can't use VBox even though I did NOTHING wrong. Damn Oracle.

Re: VBoxAntiVMDetectHardened mitigation X64 only (14/02/15)

Posted: Sun Feb 15, 2015 9:21 am
by EP_X0FF
Well, uninstalling AVs/firewalls/any hooking or injecting software could help. In theory.

Re: VBoxAntiVMDetectHardened mitigation X64 only (14/02/15)

Posted: Sun Feb 15, 2015 12:51 pm
by hx1997
The only software on my machine that could possibly install hooks is Sandboxie, TrueCrypt, and VirtualBox. I'm not sure if previously uninstalled software left something behind that could cause this.

Guess I should just go to their forum and complain. Thanks for your help!