
Re: VBoxAntiVMDetectHardened mitigation X64 only (19/08/16)

Posted: Tue Aug 30, 2016 4:42 pm
by atom686
So what I did:
1. downloaded latest version of files from Git (1.6.5), replaced old files.
2. cmd.exe (with administrator permissions)
[screenshot of the commands run]
Everything was executed with no errors as far as I see.

Still, VMDE shows PCI leak.

What could be wrong?

Re: VBoxAntiVMDetectHardened mitigation X64 only (19/08/16)

Posted: Tue Aug 30, 2016 6:00 pm
by EP_X0FF
Navigate to HKLM\SYSTEM\CurrentControlSet\Enum\PCI key

Look for Oracle HWID 80EE in registry names.

The possible scenario which may have caused your problem:

a) VM created,
b) installed Windows,
c) loaded Windows, then turned off,
?) vbox settings applied manually via vboxmanage or automatically from script,
d) monitoring driver loaded via TDL, tables installed via loader.exe
e) Windows loaded again.

Usual scenario that should not cause a problem:

a) VM created,
b) vbox settings applied manually via vboxmanage or automatically from script,
c) monitoring driver loaded via TDL, (if it was already loaded before you don't need to load it again, just running loader.exe will be enough to update patch tables)
d) tables installed via loader.exe,
e) Windows installed and loaded.

If this is not your case then I will check myself if the patching offsets for HWIDs are valid for 5.1.2

Re: VBoxAntiVMDetectHardened mitigation X64 only (19/08/16)

Posted: Tue Aug 30, 2016 8:28 pm
by atom686
Tried it again from scratch as you described, step by step.

One thing, I did it on another PC, and I got this error
[screenshot of the error]
I've fixed it with the command "sc.exe start vboxdrv", after that VM started and I've successfully installed Windows.

Still, VMDE shows PCI leak and HKLM\SYSTEM\CurrentControlSet\Enum\PCI shows 80EE https://gyazo.com/1fd52e02783d05c2cd89af9b6ac03b4b

Could launching that driver cause a problem? I have no idea why I got the Hardened Error; it never happened on the other PC. Those are two exactly identical laptops with different Windows installations.

But previously I could have messed up the loader.exe sequence. I launched tdl and loader first, and only after that the vboxmanage script. But I never installed Windows first anyway.

Re: VBoxAntiVMDetectHardened mitigation X64 only (19/08/16)

Posted: Wed Aug 31, 2016 3:37 am
by EP_X0FF
atom686 wrote:Could launching that driver cause a problem? I have no idea why I got Hardened Error, it never happened on another PC. Those are two exactly same laptops with different windows installations.
It is normal behavior of VBox. When TDL loaded the driver, it first unloaded the current VBoxDrv.sys. VBoxDrv.sys is normally loaded at Windows startup, AFAIK via its service entry, or loaded during the VirtualBox installation process. Then you started VirtualBox.exe and it checked whether vboxdrv.sys was loaded; if you are running under UAC then VirtualBox.exe runs at Medium integrity level, which disallows VirtualBox.exe from loading drivers. To reload vboxdrv you can use net/sc or simply "Run As Administrator" for VirtualBox.exe, then close it and run it normally. I'll recheck the patch for 5.1.2 and let you know the results.

Did you install anything else on this system? Your screenshot indicates two graphics cards.

Edit:
OK, I rechecked the patch; all offsets are correct. The exact location of this patch is in vgaR3Construct from VBox/Devices/Graphics/DevVGA.cpp

    /* The PCI devices configuration. */
    PCIDevSetVendorId(  &pThis->Dev, 0x80ee);   /* PCI vendor, just a free bogus value */
    PCIDevSetDeviceId(  &pThis->Dev, 0xbeef);

Please post a screenshot of Windows Device Manager (My Computer -> Properties -> Device Manager -> Display Adapters). Also try to remove this 80EE/BEEF entry with regedit. Unsure how you managed to get it, however. The only reasonable explanation is that you loaded Windows once before loading the monitoring driver and applying the patch.
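The registry check EP_X0FF describes above (look under HKLM\SYSTEM\CurrentControlSet\Enum\PCI for the 80EE vendor ID that DevVGA.cpp assigns, paired with device ID BEEF) can be scripted. The following is an added example written for this page; it is not VMDE, the loader, or VirtualBox code. It parses PnP PCI key names of the form VEN_xxxx&DEV_xxxx&SUBSYS_xxxxxxxx&REV_xx (optionally prefixed with PCI\ as in HardwareID values) and flags any entry with vendor 0x80EE. On Windows it can walk the live Enum\PCI key; elsewhere it runs over the constructed sample key names embedded below, which were not captured from a real machine.

```python
"""Added example: flag VirtualBox (vendor 0x80EE) PCI entries in Enum\\PCI key names.

Illustrative code for this page, not VMDE, loader.exe or VirtualBox code.
The vendor/device IDs are the ones shown in the DevVGA.cpp snippet above.
"""
import re
import sys

VBOX_VENDOR_ID = 0x80EE       # PCIDevSetVendorId(&pThis->Dev, 0x80ee)
VBOX_VGA_DEVICE_ID = 0xBEEF   # PCIDevSetDeviceId(&pThis->Dev, 0xbeef)

# Matches both registry subkey names ("VEN_...&DEV_...") and HardwareID
# strings ("PCI\VEN_...&DEV_..."); SUBSYS and REV are optional.
_HWID_RE = re.compile(
    r"^(?:PCI\\)?VEN_(?P<ven>[0-9A-Fa-f]{4})&DEV_(?P<dev>[0-9A-Fa-f]{4})"
    r"(?:&SUBSYS_(?P<subsys>[0-9A-Fa-f]{8}))?(?:&REV_(?P<rev>[0-9A-Fa-f]{2}))?"
)


def parse_pci_hwid(hwid):
    """Return (vendor_id, device_id) as ints, or None if the string is not a PCI ID."""
    m = _HWID_RE.match(hwid.strip())
    if not m:
        return None
    return int(m.group("ven"), 16), int(m.group("dev"), 16)


def find_vbox_leaks(hwids):
    """Return the entries whose vendor ID is VirtualBox's bogus 0x80EE."""
    leaks = []
    for h in hwids:
        parsed = parse_pci_hwid(h)
        if parsed is not None and parsed[0] == VBOX_VENDOR_ID:
            leaks.append(h)
    return leaks


def enum_pci_keys_from_registry():
    """Windows only: subkey names of HKLM\\SYSTEM\\CurrentControlSet\\Enum\\PCI."""
    import winreg  # standard library, but only importable on Windows
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Enum\PCI") as key:
        i = 0
        while True:
            try:
                names.append(winreg.EnumKey(key, i))
            except OSError:      # raised when there are no more subkeys
                break
            i += 1
    return names


# Constructed sample key names (not from a real machine): one VirtualBox VGA
# adapter among ordinary-looking Intel/NVIDIA devices, plus a malformed entry.
SAMPLE_PCI_KEYS = [
    r"VEN_8086&DEV_1C3A&SUBSYS_21F917AA&REV_04",
    r"VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00",
    r"VEN_10DE&DEV_0FD1&SUBSYS_3977103C&REV_A1",
    r"not-a-pci-key",
]


def main():
    keys = enum_pci_keys_from_registry() if sys.platform == "win32" else SAMPLE_PCI_KEYS
    leaks = find_vbox_leaks(keys)
    for k in leaks:
        ven, dev = parse_pci_hwid(k)
        tag = " (VirtualBox VGA)" if dev == VBOX_VGA_DEVICE_ID else ""
        print(f"PCI leak: {k}{tag}")
    if not leaks:
        print("no 80EE entries found")


if __name__ == "__main__":
    main()
```

Running it on the sample set reports only the VEN_80EE&DEV_BEEF entry; on a Windows host it reads the real key, which is the same list you would inspect by hand in regedit.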

Re: VBoxAntiVMDetectHardened mitigation X64 only (19/08/16)

Posted: Wed Aug 31, 2016 7:38 am
by atom686
Looks like I've figured out the issue.
I used custom Windows7 build by m0nkrus, which I've downloaded from the web. And it had this stuff inside. I've installed another build of Windows and everything is good, no 80EE entries.
Thanks again for your help and for this manual.

Re: VBoxAntiVMDetectHardened mitigation X64 only (19/08/16)

Posted: Thu Sep 01, 2016 12:17 pm
by EP_X0FF
Always use an ISO from an MSDN subscription; all this warez trash is trojanized or misconfigured.

Re: VBoxAntiVMDetectHardened mitigation X64 only (19/08/16)

Posted: Fri Sep 02, 2016 11:36 am
by atom686
Thanks!

Is there any way to block access to a battery for VM?
My virtual machine is running on a laptop, and I see that it has the battery charge level etc. A user can be identified via the Battery API in HTML5 (https://www.hackread.com/smartphone-lap ... g-privacy/). How do I avoid it?

Re: VBoxAntiVMDetectHardened mitigation X64 only (19/08/16)

Posted: Fri Sep 02, 2016 2:07 pm
by EP_X0FF
You can try disabling ACPI for VM via vboxmanage or remove battery physically.

Re: VBoxAntiVMDetectHardened mitigation X64 only (19/08/16)

Posted: Fri Sep 02, 2016 7:36 pm
by rinn
Hello.

You may try rebuilding the ACPI table to remove BAT0 from it. At your own risk :) I'm unsure how exactly the presence of a battery can be used to identify a VM.

Best Regards,
-rin

VBoxAntiVMDetectHardened mitigation X64 only (13/09/16)

Posted: Tue Sep 13, 2016 7:01 am
by EP_X0FF
Loader updated to support 5.1.6.

Since version 5.1.4 VirtualBox has fixed its behavior with the HV bit set/unset, so VBoxVMM.dll patching is no longer needed. Previously VirtualBox ignored the HV present bit state (see http://www.kernelmode.info/forum/viewto ... 407#p28407) and always returned the HV name, thus making VirtualBox detection usermode-friendly and trivial.
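The usermode check the post refers to combines two CPUID results: leaf 1, where ECX bit 31 is the hypervisor-present bit, and leaf 0x40000000, where EBX, ECX and EDX carry the 12-byte hypervisor vendor signature. The inconsistency described above (HV bit clear, yet a vendor string still returned) is exactly what a trivial detector looks for. The following is an added example written for this page, not VirtualBox or loader code; it decodes the two leaves from raw register values rather than executing CPUID itself (that needs native code), and the register values it uses are constructed, with "VBoxVBoxVBox" taken as a sample signature string.

```python
"""Added example: classify a guest from CPUID leaf 1 and leaf 0x40000000 values.

Illustrative code for this page, not VirtualBox code. Register values are
passed in as integers; obtaining them requires a native CPUID call.
"""
import struct

HV_PRESENT_BIT = 1 << 31   # CPUID.1:ECX[31], the hypervisor-present bit
HV_VENDOR_LEAF = 0x40000000


def hv_present(leaf1_ecx):
    """True when the hypervisor-present bit is set in CPUID.1:ECX."""
    return bool(leaf1_ecx & HV_PRESENT_BIT)


def hv_signature(ebx, ecx, edx):
    """Reassemble the 12-byte vendor signature from leaf 0x40000000.

    Each register holds four bytes in little-endian order. Only a fully
    printable-ASCII value is treated as a signature; all-zero registers or
    the leftover values a real CPU may return for an out-of-range leaf
    yield an empty string.
    """
    raw = struct.pack("<III", ebx, ecx, edx)
    if all(0x20 <= b <= 0x7E for b in raw):
        return raw.decode("ascii")
    return ""


def regs_from_signature(sig):
    """Build sample EBX, ECX, EDX values from a signature string (test helper)."""
    padded = sig.encode("ascii").ljust(12, b"\x00")[:12]
    return struct.unpack("<III", padded)


def classify(leaf1_ecx, ebx, ecx, edx):
    """Return 'hv', 'no-hv' or 'leak'.

    'leak' is the pre-5.1.4 VirtualBox situation the post describes: the HV
    present bit has been cleared, but leaf 0x40000000 still hands back a
    vendor name, so a usermode program can detect the VM anyway.
    """
    bit = hv_present(leaf1_ecx)
    sig = hv_signature(ebx, ecx, edx)
    if bit:
        return "hv"
    if sig:
        return "leak"
    return "no-hv"


if __name__ == "__main__":
    # Constructed sample: HV bit cleared (as the patched VBoxVMM.dll did), but
    # leaf 0x40000000 still returns "VBoxVBoxVBox".
    ebx, ecx, edx = regs_from_signature("VBoxVBoxVBox")
    print("signature:", hv_signature(ebx, ecx, edx))
    print("HV bit set  ->", classify(0x80000000, ebx, ecx, edx))
    print("HV bit clear->", classify(0x00000000, ebx, ecx, edx))
    print("bare metal  ->", classify(0x00000000, 0, 0, 0))
```

The useful property to take from this is that hiding the bit alone is not enough: a detector only needs the leaf 0x40000000 string, which is why the fix in 5.1.4 (honouring the bit state for that leaf too) made the VBoxVMM.dll patch unnecessary.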