A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #29561  by e192168
 Tue Nov 15, 2016 10:56 pm
Hello!

Thank you, EP_X0FF, for your work!

But I have a problem: my Windows 7 x64 system goes to BSOD when I try to start the patched VM. I patched my VM according to the instructions above.
I tried another VirtualBox version... :(

Additional information:
Windows 7 x64 ultimate
VirtualBox - 5.1.2-108956
Loader - v1.6.5 from GIT
CPU - Intel® Core™ i5-3450 CPU @ 3.10GHz × 4
Motherboard - Asus Sabertooth z77 with last BIOS update
RAM - 8 GB DDR3
==================================================
Dump File : 111516-11294-01.dmp
Crash Time : 13.11.2016 4:35:50
Bug Check String : SYSTEM_SERVICE_EXCEPTION
Bug Check Code : 0x0000003b
Parameter 1 : 00000000`c0000005
Parameter 2 : fffff800`036ae22b
Parameter 3 : fffff880`09dd8b90
Parameter 4 : 00000000`00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+75bc0
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.17835 (win7sp1_gdr.120503-2030)
Processor : x64
Crash Address : ntoskrnl.exe+75bc0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\111516-11294-01.dmp
Processors Count : 4
Major Version : 15
Minor Version : 7601
Dump File Size : 321 144
Dump File Time : 15.11.2016 16:53:00
==================================================

What am I doing wrong?

Thanks.
 #29565  by SSBIZ
 Wed Nov 16, 2016 12:25 pm
Hi,

I did proceed exactly as shown ...

and it gives me this error that I attached.

I even uploaded a video of how I proceeded, which can probably help any one of you understand where my problem is :(

https://vimeo.com/191786699

Thanks a lot in advance!!!!
 #29568  by EP_X0FF
 Thu Nov 17, 2016 4:06 am
Hello,

Which loader version are you using? If it is the latest one, then I would like to see your VBoxDD.dll.
SSBIZ wrote:Hi,

I did proceed exactly as shown ...

and it gives me out this error that I attached.

I uploaded even a video as I proceeded and probably can help any one of you understand where my problem is :(

https://vimeo.com/191786699

Thanks a lot in advance!!!!
 #29569  by EP_X0FF
 Thu Nov 17, 2016 4:30 am
e192168 wrote:
EP_X0FF wrote:Hello,

attach your minidump.
Hello!
minidumps.rar
An exception occurred in RtlImageNtHeaderEx, maybe due to a corrupted image.

1) Did it work prior to 5.1.2?
2) Is it working on 5.1.4+?
3) memtest results?
4) Do you have any kernel mode drivers from security or DRM protection products loaded at the same time?
5) Can you provide a full memory dump?
 #29579  by e192168
 Fri Nov 18, 2016 3:00 pm
An exception occurred in RtlImageNtHeaderEx, maybe due to a corrupted image.

1) Did it work prior to 5.1.2?
2) Is it working on 5.1.4+?
3) memtest results?
4) Do you have any kernel mode drivers from security or DRM protection products loaded at the same time?
5) Can you provide a full memory dump?
Thank you very much!
I have solved my problem with your help.
VM boot without errors.
 #29584  by EP_X0FF
 Sat Nov 19, 2016 6:24 am
Hello,

The error from your video indicates that vboxdd.dll wasn't patched correctly in memory. However, from your video, you did every required step.

What can fail here:

1) a new VirtualBox version (or updated build) was released which is not supported by the current loader

But your VBoxDD.dll is identical to the one used to create the patch table, so it is not our case.

2) you use an old loader.exe which does not support 5.1.6

Each new version of VirtualBox requires an update to the loader patch tables, because of VirtualBox dll offset changes.

3) something prevented loader.exe from writing to the registry (HKLM\System\CurrentControlSet\Services\Tsugumi <- used to store driver patch settings) and/or reading this key (HKLM\Software\Oracle\VirtualBox <- used to determine the installed VirtualBox version)

Attached is a loader.exe with more verbose console output. I would like to see its output on your machine.

If tsugumi.sys is loaded -> simply run this loader.exe elevated, it will overwrite the driver parameters and call the driver to reload them.
If tsugumi.sys is not loaded -> load it as before and use this loader.exe as above.
SSBIZ wrote:Thanks for your gentle and quick response!

I use version of virtual box 5.1.6 r110634 (Qt5.5.1)

http://www.filedropper.com/showdownload.php/vboxdd

SUPER THANKS!
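A quick way to check the third failure cause listed in the post above (registry access), as an added example that is not part of the original thread or of loader.exe. Only the two key paths come from the post; the `Version` value name under the VirtualBox key and the function names are assumptions.

```powershell
# Added diagnostic sketch; run it from the same elevated prompt used for loader.exe.
# Compatible with the PowerShell 2.0 that ships with Windows 7.

function Test-HklmKey {
    param([string]$SubKey, [bool]$Writable)
    # Returns 'ok', 'missing', or 'error: <reason>' for a key under HKLM.
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $Writable)
        if ($key -eq $null) { return 'missing' }
        $key.Close()
        return 'ok'
    } catch {
        return 'error: ' + $_.Exception.Message
    }
}

function Get-LoaderPreflight {
    $vboxKey = 'SOFTWARE\Oracle\VirtualBox'                  # read by loader.exe (from the post)
    $svcKey  = 'SYSTEM\CurrentControlSet\Services\Tsugumi'   # written by loader.exe (from the post)

    # Is the current token actually elevated?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Installed VirtualBox version; 'Version' is an assumed value name.
    $version = $null
    $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($vboxKey)
    if ($k -ne $null) { $version = $k.GetValue('Version'); $k.Close() }

    # State of the kernel driver service named after the registry key.
    $driver = Get-WmiObject Win32_SystemDriver -Filter "Name='Tsugumi'"
    $driverState = 'not registered'
    if ($driver -ne $null) { $driverState = $driver.State }

    New-Object PSObject -Property @{
        Elevated         = $elevated
        # A 32-bit host is redirected to Wow6432Node for HKLM\Software.
        Is64BitProcess   = ([IntPtr]::Size -eq 8)
        VBoxKeyRead      = Test-HklmKey $vboxKey $false
        VBoxVersion      = $version
        TsugumiKeyWrite  = Test-HklmKey $svcKey $true
        TsugumiDriver    = $driverState
    }
}

Get-LoaderPreflight | Format-List
```

A `missing` or `error:` result on either key, or `Elevated : False`, points at cause 3; a `VBoxVersion` that differs from the version the loader was built for points at causes 1 and 2.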
 #29589  by SSBIZ
 Sun Nov 20, 2016 12:55 am
Hello,

First of all, I was using your last release of loader.exe. I overwrote it with this new copy of yours. Attached is the result.

What's more, I tried to start VirtualBox and now the error is as attached.

P.S.: After that I tried to do every step from the beginning, but the error is the same and the VirtualBox error on start was the same as above.

Thanks a lot for your quick responses and effort!