Re: VBoxAntiVMDetectHardened mitigation X64 only

Posted: Sun Mar 26, 2017 5:39 pm
by EP_X0FF
It is [code] [/code] tags. Why did you place the files in the root directory? That's not a wise decision at all. It seems some files are missing or their security permissions won't allow VBox to open them. Redownload the files from GitHub and place them in a dedicated directory, NOT root.

Re: VBoxAntiVMDetectHardened mitigation X64 only

Posted: Sun Mar 26, 2017 7:20 pm
by Trelowin
Some mysticism.
I moved the files from the "date" folder into the C:\VBox\Binary folder.
Launched the monitoring driver.
Started the standard script with the changed folders.
Code:
set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe"
set vmscfgdir=C:\VBox\Binary
set /P n1="Enter Virtual Machine name: " 
Result:
Code:
00:00:01.400581 VMSetError: F:\tinderbox\win-5.1\src\VBox\Devices\PC\DevPcBios.cpp(1404) int __cdecl pcbiosConstruct(struct PDMDEVINS *,int,struct CFGMNODE *); rc=VERR_FILE_NOT_FOUND
00:00:01.400590 VMSetError: Failed to open system BIOS file 'C:\VBox\Binarypcbios.bin'
00:00:01.400603 PDM: Failed to construct 'pcbios'/0! VERR_FILE_NOT_FOUND (-102) - File not found.
00:00:01.529995 ERROR [COM]: aRC=E_FAIL (0x80004005) aIID={872da645-4a9b-1727-bee2-5585105b9eed} aComponent={ConsoleWrap} aText={Failed to open system BIOS file 'C:\VBox\Binarypcbios.bin' (VERR_FILE_NOT_FOUND)}, preserve=false aResultDetail=0
00:00:01.530289 Console: Machine state changed to 'PoweredOff'
00:00:01.561229 Power up failed (vrc=VERR_FILE_NOT_FOUND, rc=E_FAIL (0X80004005))
00:00:01.698571 GUI: UIMachineViewNormal::resendSizeHint: Restoring guest size-hint for screen 0 to 800x600
00:00:01.698615 ERROR [COM]: aRC=E_ACCESSDENIED (0x80070005) aIID={02326f63-bcb3-4481-96e0-30d1c2ee97f6} aComponent={DisplayWrap} aText={The console is not powered up}, preserve=false aResultDetail=0
00:00:01.698890 GUI: Aborting startup due to power up progress issue detected..

Re: VBoxAntiVMDetectHardened mitigation X64 only

Posted: Mon Mar 27, 2017 3:46 am
by EP_X0FF
Add a backslash to C:\VBox\Binary:
set vmscfgdir=C:\VBox\Binary\
Probably my mistake in the tutorial; I thought it was obvious that the backslash is required.

Re: VBoxAntiVMDetectHardened mitigation X64 only

Posted: Tue Mar 28, 2017 11:13 am
by olivasafford
Sandbox traced by checking operating system uptime using GetTickCount(). How to fix?

Re: VBoxAntiVMDetectHardened mitigation X64 only

Posted: Tue Mar 28, 2017 11:35 am
by EP_X0FF
olivasafford wrote: Sandbox traced by checking operating system uptime using GetTickCount(). How to fix?
How does this relate to VBox and the loader? Browse for some porn before launching the exe, and don't ask such stupid questions anymore.

Re: VBoxAntiVMDetectHardened mitigation X64 only

Posted: Tue Mar 28, 2017 1:39 pm
by olivasafford
Pafish gave a check log:
[pafish] Sandbox traced by checking operating system uptime using GetTickCount()
[pafish] Sandbox traced using mouse activity
How to correct the remaining holes?

Re: VBoxAntiVMDetectHardened mitigation X64 only

Posted: Wed Mar 29, 2017 3:54 am
by ciba
Been getting a bluescreen while running the VM. Have attached the minidumps.
Hopefully I can get some help here.

Thanks a lot.

Re: VBoxAntiVMDetectHardened mitigation X64 only

Posted: Wed Mar 29, 2017 4:18 am
by EP_X0FF
ciba wrote: Been getting a bluescreen while running the VM. Have attached the minidumps.
Hopefully I can get some help here.

Thanks a lot.
You are using Windows 10. On Windows 10, PatchGuard is enforced to do more ridiculous checks in kernel mode.

You have 5 options:

1) Leave as is. It will BSOD on Windows 10+; nothing can be done here except option 3 or 4.
2) Don't use Windows 10.
3) Build a signed version of the loader and driver and use them. That's how I personally use it. No, I won't give you any of my certificates or sign any binary. You have to buy your own. https://github.com/hfiref0x/VBoxHardene ... igning.txt
4) Disable PatchGuard (it is an absolutely useless marketing/DRM feature tbh).
5) Don't use this loader and say "thank you" to Oracle and Microsoft for building outstanding software products that are unusable without patching.

Bonus: just a hint.
Linux is free from both PatchGuard and Oracle "hardening" idiocy. And the Linux VBox version can be patched and configured to do everything this loader does.

Re: VBoxAntiVMDetectHardened mitigation X64 only

Posted: Wed Mar 29, 2017 4:19 am
by EP_X0FF
olivasafford wrote: Pafish gave a check log:
[pafish] Sandbox traced by checking operating system uptime using GetTickCount()
Wait a few minutes after Windows startup before running any samples, or learn already how to use snapshots in VBox.
olivasafford wrote: [pafish] Sandbox traced using mouse activity
How to correct the remaining holes?
Move the mouse all the time while running pafish, and learn how to read this thread before asking already answered questions.
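As an added example (not from the thread and not part of the VBoxHardenedLoader project): a PowerShell pre-check an analyst can run inside the guest before detonating a sample. It reproduces the two conditions pafish reported above, uptime since boot and cursor movement, so the advice to wait or to use a snapshot taken after a long-running session can be verified rather than guessed at. The threshold values and parameter names are assumptions.

```powershell
# Added example: analysis-VM readiness check mirroring the two pafish findings
# quoted in this thread (uptime via GetTickCount, mouse activity).
param(
    [int]$MinUptimeMinutes = 15,   # assumption: how long the guest should have been up
    [int]$MouseSampleSeconds = 5   # assumption: how long to watch the cursor
)

# 1. Uptime since boot. LastBootUpTime is what the OS reports; Environment.TickCount
#    is the managed view of GetTickCount() (ms since boot, Int32, wraps after ~24.9 days),
#    i.e. the value an uptime check in a sample would read.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$uptime = (Get-Date) - $os.LastBootUpTime
$tickMinutes = [math]::Round([Environment]::TickCount / 60000, 1)
Write-Host ("Uptime: {0:N1} min (GetTickCount view: {1} min)" -f $uptime.TotalMinutes, $tickMinutes)

# 2. Mouse activity: sample the cursor position twice and see whether it moved.
Add-Type -AssemblyName System.Windows.Forms
$start = [System.Windows.Forms.Cursor]::Position
Start-Sleep -Seconds $MouseSampleSeconds
$end = [System.Windows.Forms.Cursor]::Position
$mouseMoved = ($start.X -ne $end.X) -or ($start.Y -ne $end.Y)

# 3. Report what a pafish-style check would conclude and what to do about it.
$ready = $true
if ($uptime.TotalMinutes -lt $MinUptimeMinutes) {
    Write-Warning ("Uptime below {0} min: keep the VM running longer, or restore a " +
                   "snapshot taken after the guest had already been up for a while.") -f $MinUptimeMinutes
    $ready = $false
}
if (-not $mouseMoved) {
    Write-Warning "No cursor movement in $MouseSampleSeconds s: interact with the guest while the sample runs."
    $ready = $false
}
if ($ready) { Write-Host "Guest passes both checks." }
exit ([int](-not $ready))
```

Run it in an interactive session inside the guest; the exit code is 0 only when both conditions pass, so it can gate an automated detonation script.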

Re: VBoxAntiVMDetectHardened mitigation X64 only

Posted: Wed Mar 29, 2017 11:28 am
by Vrtule
EP_X0FF wrote: You are using Windows 10. On Windows 10, PatchGuard is enforced to do more ridiculous checks in kernel mode.
Which of the checks actually causes the problem? Is it the fact that the "signature enforcement" variable(s) are protected, or something else (like checking whether some registered callback resides inside a driver)?

As for driver signing:
It is also possible to sign the driver "directly" from Visual Studio (2013+, I suppose). Go to project properties -> Driver Signing. But SignTool allows you to specify more options. And I also had some problems specifying the signing certificate in the project properties.