A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #30164  by EP_X0FF
 Sun Mar 26, 2017 5:39 pm
It is [code] [/code] tags. Why did you place files in the root directory? That's not a wise decision at all. Seems some files are missing or their security permissions won't allow VBox to open them. Redownload the files from github and place them in a dedicated directory, NOT root.
 #30165  by Trelowin
 Sun Mar 26, 2017 7:20 pm
Some mysticism.
I transferred the files from the folder date to the C:\VBox\Binary folder.
Launching the monitoring driver.
Start a standard script with the changed folders.
set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe"
set vmscfgdir=C:\VBox\Binary
set /P n1="Enter Virtual Machine name: " 
result
00:00:01.400581 VMSetError: F:\tinderbox\win-5.1\src\VBox\Devices\PC\DevPcBios.cpp(1404) int __cdecl pcbiosConstruct(struct PDMDEVINS *,int,struct CFGMNODE *); rc=VERR_FILE_NOT_FOUND
00:00:01.400590 VMSetError: Failed to open system BIOS file 'C:\VBox\Binarypcbios.bin'
00:00:01.400603 PDM: Failed to construct 'pcbios'/0! VERR_FILE_NOT_FOUND (-102) - File not found.
00:00:01.529995 ERROR [COM]: aRC=E_FAIL (0x80004005) aIID={872da645-4a9b-1727-bee2-5585105b9eed} aComponent={ConsoleWrap} aText={Failed to open system BIOS file 'C:\VBox\Binarypcbios.bin' (VERR_FILE_NOT_FOUND)}, preserve=false aResultDetail=0
00:00:01.530289 Console: Machine state changed to 'PoweredOff'
00:00:01.561229 Power up failed (vrc=VERR_FILE_NOT_FOUND, rc=E_FAIL (0X80004005))
00:00:01.698571 GUI: UIMachineViewNormal::resendSizeHint: Restoring guest size-hint for screen 0 to 800x600
00:00:01.698615 ERROR [COM]: aRC=E_ACCESSDENIED (0x80070005) aIID={02326f63-bcb3-4481-96e0-30d1c2ee97f6} aComponent={DisplayWrap} aText={The console is not powered up}, preserve=false aResultDetail=0
00:00:01.698890 GUI: Aborting startup due to power up progress issue detected..
 #30169  by EP_X0FF
 Mon Mar 27, 2017 3:46 am
Add backslash to C:\VBox\Binary
set vmscfgdir=C:\VBox\Binary\
Probably my mistake in the tutorial; I thought it was obvious that a backslash is required.
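A defensive version of the script prologue, added here as an example (it is not EP_X0FF's script and not taken from the VBoxHardenedLoader repository): it appends the trailing backslash when it is missing and checks that the BIOS file exists before anything is launched, so the mistake above fails fast with a readable message instead of a VERR_FILE_NOT_FOUND at power-up. The vboxmanage path and the config directory come from the script quoted above; pcbios.bin is the only file named in the log, any further required files are an assumption and have to be added to the list.

```batch
@echo off
set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe"
set vmscfgdir=C:\VBox\Binary

rem Normalize the directory: VBox concatenates directory and file name
rem without inserting a separator, so a missing trailing backslash yields
rem C:\VBox\Binarypcbios.bin (the path seen in the log above).
if not "%vmscfgdir:~-1%"=="\" set "vmscfgdir=%vmscfgdir%\"

rem Pre-flight: every file the loader config points at must exist.
rem Only pcbios.bin appears in the thread; the other files from the
rem repository's Binary folder are assumed and must be appended here.
for %%F in (pcbios.bin) do (
    if not exist "%vmscfgdir%%%F" (
        echo Missing file: %vmscfgdir%%%F
        exit /b 1
    )
)

set /P n1="Enter Virtual Machine name: "
echo Using config directory %vmscfgdir% for VM "%n1%"
```

The existence test does not cover the second failure mode EP_X0FF mentioned, a file that is present but unreadable because of its ACL; if the VM still fails with the directory fixed, inspect the permissions with `icacls "%vmscfgdir%pcbios.bin"` and compare them with the account VirtualBox runs under.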
 #30179  by EP_X0FF
 Tue Mar 28, 2017 11:35 am
olivasafford wrote: Sandbox traced by checking operating system uptime using GetTickCount(). How to fix?
How is this related to vbox and the loader? Browse for some porn before launching the exe and don't ask such stupid questions anymore.
 #30185  by EP_X0FF
 Wed Mar 29, 2017 4:18 am
ciba wrote:Been getting bluescreen while running the VM. Have attached the minidumps
Hopefully can get some help here.

Thanks a lot
You are using Windows 10. On Windows 10 PatchGuard is enforced to do more ridiculous checks in kernel mode.

You have 5 options:

1) Leave as is. It will BSOD on Windows 10+, nothing can be done here unless you take option 3 or 4.
2) Don't use Windows 10.
3) Build signed version of loader and driver and use them. That's how personally I use it. No I won't give you any of my certificates nor sign any binary. You have to buy your own. https://github.com/hfiref0x/VBoxHardene ... igning.txt
4) Disable PatchGuard (it is absolutely useless marketing/drm feature tbh).
5) Don't use this loader and say "thank you" to Oracle and Microsoft for building outstanding software products unusable without patching.

Bonus: just a hint.
Linux is free from both PatchGuard and Oracle "hardening" idiocy. And the Linux vbox version can be patched and configured to do all that this loader does.
 #30186  by EP_X0FF
 Wed Mar 29, 2017 4:19 am
olivasafford wrote: Pafish gave a check log:
[pafish] Sandbox traced by checking operating system uptime using GetTickCount()
Wait a few minutes after Windows startup before running any samples, or learn already how to use snapshots in VBox.
olivasafford wrote: [pafish] Sandbox traced using mouse activity
How to correct the remaining holes?
Move the mouse all the time while running pafish and learn how to read this thread before asking already answered questions.
 #30187  by Vrtule
 Wed Mar 29, 2017 11:28 am
EP_X0FF wrote: You are using Windows 10. On Windows 10 PatchGuard enforced to do more ridiculous checks in kernel mode.
Which of the checks actually causes the problem? Is it the fact that the "signature enforcement" variable(s) are protected, or something else (like checking whether some registered callback resides inside a driver)?

As for driver signing:
It is also possible to sign the driver "directly" from Visual Studio (2013+ I suppose). Go to project properties -> Driver Signing. But SignTool allows specifying more options. And I also had some problems specifying the signing certificate in the project properties.