A forum for reverse engineering, OS internals and malware analysis 

 #25104  by h00key
 Thu Jan 29, 2015 4:57 pm
EP_X0FF wrote: Unfortunately, in the pathetic attempt to stop VirtualBox exploitation attempts, Oracle have made a decision to create some kind of "patchguard" for VBox, known as "Hardened VirtualBox". See http://www.kernelmode.info/forum/viewto ... 1&start=50 for more details.
Hm, what were these exploits and why did Oracle take them so seriously? Were they used to escape from the VM? That's almost the only very serious thing I can imagine...
 #25109  by Cody Johnston
 Thu Jan 29, 2015 11:49 pm
h00key wrote:
EP_X0FF wrote: Unfortunately, in the pathetic attempt to stop VirtualBox exploitation attempts, Oracle have made a decision to create some kind of "patchguard" for VBox, known as "Hardened VirtualBox". See http://www.kernelmode.info/forum/viewto ... 1&start=50 for more details.
Hm, what were these exploits and why did Oracle take them so seriously? Were they used to escape from the VM? That's almost the only very serious thing I can imagine...
http://www.kernelmode.info/forum/viewto ... =10#p22352
 #25110  by EP_X0FF
 Fri Jan 30, 2015 6:10 am
h00key wrote:
EP_X0FF wrote: Unfortunately, in the pathetic attempt to stop VirtualBox exploitation attempts, Oracle have made a decision to create some kind of "patchguard" for VBox, known as "Hardened VirtualBox". See http://www.kernelmode.info/forum/viewto ... 1&start=50 for more details.
Hm, what were these exploits and why did Oracle take them so seriously? Were they used to escape from the VM? That's almost the only very serious thing I can imagine...
It is Oracle butthurt after their multiple 3D acceleration fuckups and another new exploit. It wasn't published, only reported to Oracle (based on the Turla exploit linked in the above post), and it was using the latest at that time VBoxDrv to write to arbitrary kernel memory addresses.
 #25245  by EP_X0FF
 Sat Feb 14, 2015 4:49 pm
Update to 4.3.22.

Important note - due to moronic stealth "security" updates from Oracle, the following additional installation steps are now required:

1) After you install this new VirtualBox, go to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VBoxDrv and change Start from 1 (System) to 3 (Load On Demand).
2) Reboot Windows.
3) Run loader.exe.
4) Only after this can you start VirtualBox itself.

The new table can be found in src->tables.h; it is already embedded in the loader.
Last edited by EP_X0FF on Sun Mar 15, 2015 8:02 am, edited 1 time in total. Reason: removed attach, see http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3478 last update note
 #25246  by hx1997
 Sat Feb 14, 2015 6:28 pm
Hello,

Thanks for this piece of work! However, I'm having a little trouble starting up the VM...

I think I've followed every step in the 1st post: uninstalled the old version of VBox (.14) and rebooted, installed the new version (.22) without networking, changed the VBoxDrv registry entry and rebooted again, downloaded VBox_4.3.22.rar, extracted it and ran install.cmd, confirmed the driver was loaded and working (DbgView showed the debug string and XueTr showed it loaded), started VBox, created the VM and configured it as described, closed VBox, customized the batch script and ran it with no error message displayed, started VBox again, and tried to start up the VM - it failed with the following message:
The virtual machine 'Windows XP' has terminated unexpectedly during startup with exit code -1073741819 (0xc0000005). More details may be available in 'K:\VirtualBox VMs\Windows XP\Logs\VBoxStartup.log'.
The log file is attached, if you need.
 #25250  by hx1997
 Sun Feb 15, 2015 8:17 am
EP_X0FF wrote: Hello,

does it work without the patch? The log indicates their hardened crap failure.
It seems it has nothing to do with the patch - it doesn't work even after I did a fresh install of VBox and created a new VM without the patch. The error message is the same as before.

So it's a problem with my own machine, not the patch. Sorry for bringing this up.

But now I can't use VBox even though I did NOTHING wrong. Damn Oracle.
 #25253  by hx1997
 Sun Feb 15, 2015 12:51 pm
The only software on my machine that could possibly install hooks is Sandboxie, TrueCrypt, and VirtualBox. Not sure if previously uninstalled software left something behind that could cause this.

Guess I should just go to their forum and complain. Thanks for your help!