Hello, 
I'm updating this ticket since I haven't gotten any answer so far...
We are still running into this annoying issue, and the Anti-debugging tricks 
make it hard to debug. 
I've been tracing the 2 child processes created when running the VM, and it 
seems the 3rd layer is being given a wrong file path (that's the only reason I 
can see when reading the MSDN documentation for CreateProcess). 

Can anyone answer me?
Thanks,

On 09/12/2019 20:12:40, Tigzy <tigz...@gmail.com> wrote:
Hello,
I know this error is well known but I'm beyond the point of re-installing the 
driver and such, I'm more trying to find an "officially supported" way to avoid 
this.

We are developing an Anti-malware (minifilter based) and I've noticed when the 
VBox driver is loaded AFTER our minifilter it works fine. When it's the 
opposite (VBox BEFORE our filter) the error occurs because Virtualbox is 
probably enumerating \Driver directory and compares to a whitelist.

We don't have anything injecting DLLs into it, so I have no idea what the 
requirement is for VirtualBox not detecting our driver (also it's EV-signed and by 
the Microsoft portal as well).

The logs aren't really helpful to me as there's no mention of what test failed, 
nor mention of our minifilter (but I'm sure it's the issue, by playing with 
start/stop).

Has anyone from an antivirus company ever bypassed this?
If this is private information, can anyone contact me directly to work this out?

Thanks,

Adlice Software

    2ef4.43c: NtOpenDirectoryObject failed on \Driver: 0xc0000022
    2ef4.43c: supR3HardenedWinFindAdversaries: 0x0
    2ef4.43c: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox'
    2ef4.43c: Calling main()
    2ef4.43c: SUPR3HardenedMain: pszProgName=VirtualBoxVM fFlags=0x2
    2ef4.43c: supR3HardenedWinInitAppBin(0x2): '\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox'
    2ef4.43c: '\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe' has no imports
    2ef4.43c: supHardenedWinVerifyImageByHandle: -> 24202 (\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe)
    2ef4.43c: SUPR3HardenedMain: Respawn #2
    2ef4.43c: supR3HardNtEnableThreadCreationEx:
    2ef4.43c: supR3HardenedDllNotificationCallback: load   00007ffecc270000 LB 0x00120000 C:\WINDOWS\System32\RPCRT4.dll [fFlags=0x0]
    2ef4.43c: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume3\Windows\System32\rpcrt4.dll)
    2ef4.43c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume3\Windows\System32\rpcrt4.dll
    2ef4.43c: supR3HardenedDllNotificationCallback: load   00007ffecd4b0000 LB 0x00097000 C:\WINDOWS\System32\sechost.dll [fFlags=0x0]
    2ef4.43c: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #11 'rpcrt4.dll'.
    2ef4.43c: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume3\Windows\System32\sechost.dll)
    2ef4.43c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume3\Windows\System32\sechost.dll
    2ef4.43c: '\Device\HarddiskVolume3\Windows\System32\ntdll.dll' has no imports
    2ef4.43c: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume3\Windows\System32\ntdll.dll)
    2ef4.43c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume3\Windows\System32\ntdll.dll
    2ef4.43c: supR3HardenedWinVerifyCacheProcessImportTodos: Processing 'rpcrt4.dll'...
    2ef4.43c: supR3HardenedWinVerifyCacheProcessImportTodos: 'rpcrt4.dll' -> '\Device\HarddiskVolume3\Windows\System32\rpcrt4.dll' [rcNtRedir=0xc0150008]
    2ef4.43c: supR3HardenedScreenImage/Imports: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume3\Windows\System32\rpcrt4.dll [lacks WinVerifyTrust]
    2ef4.43c: supR3HardenedMonitor_LdrLoadDll: pName=C:\WINDOWS\System32\ntdll.dll (Input=ntdll.dll, rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000000801:<flags> [calling]
    2ef4.43c: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffece100000 'C:\WINDOWS\System32\ntdll.dll'
    2ef4.43c: Error -104 in supR3HardenedWinReSpawn! (enmWhat=5)
    2ef4.43c: Error relaunching VirtualBox VM process: 5
    Command line: '60eaff78-4bdd-042d-2e72-669728efd737-suplib-3rdchild --comment "Windows 10x64 - 1903" --startvm bac20d47-9bce-4e8b-ba5e-61685372e1ec --no-startvm-errormsgbox "--sup-hardening-log=E:\VBox\Test\Windows 10x64 - 1903\Logs\VBoxHardening.log"'
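As an added example (not from the post and not VirtualBox's own code), a small Python triage helper for VBoxHardening.log lines in the format quoted above: it pulls out the NTSTATUS failures, the non-zero image-verification results and the respawn error so the failing check stands out instead of being buried among successful loads. The sample lines and the NTSTATUS name table are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample, in the "pid.tid: message" format of the excerpt above.
SAMPLE_LOG = """\
2ef4.43c: NtOpenDirectoryObject failed on \\Driver: 0xc0000022
2ef4.43c: supR3HardenedWinFindAdversaries: 0x0
2ef4.43c: supHardenedWinVerifyImageByHandle: -> 24202 (\\Device\\HarddiskVolume3\\Program Files\\Oracle\\VirtualBox\\VirtualBoxVM.exe)
2ef4.43c: supHardenedWinVerifyImageByHandle: -> 0 (\\Device\\HarddiskVolume3\\Windows\\System32\\rpcrt4.dll)
2ef4.43c: Error -104 in supR3HardenedWinReSpawn! (enmWhat=5)
2ef4.43c: Error relaunching VirtualBox VM process: 5
"""

# Assumption: a tiny table of well-known NTSTATUS codes, extend as needed.
NTSTATUS_NAMES = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
}

LINE_RE = re.compile(r"^(?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+): (?P<msg>.*)$")
NT_FAIL_RE = re.compile(r"^(?P<call>\w+) failed on (?P<obj>\S+): 0x(?P<status>[0-9a-fA-F]+)$")
VERIFY_RE = re.compile(r"^supHardenedWinVerifyImageByHandle: -> (?P<rc>-?\d+) \((?P<path>.*)\)$")
ERROR_RE = re.compile(r"^Error (?P<rc>-?\d+) in (?P<func>\w+)! \(enmWhat=(?P<what>\d+)\)$")


@dataclass
class Finding:
    kind: str    # "ntstatus", "verify" or "respawn"
    detail: str  # human-readable summary of the failing line


def triage(log_text):
    """Return only the VBoxHardening.log lines that indicate a failed check."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if (f := NT_FAIL_RE.match(msg)):
            # A native call the hardening code made was refused; name the status.
            status = int(f.group("status"), 16)
            name = NTSTATUS_NAMES.get(status, "unknown NTSTATUS")
            findings.append(Finding("ntstatus", f"{f.group('call')} on {f.group('obj')}: 0x{status:08X} ({name})"))
        elif (v := VERIFY_RE.match(msg)) and int(v.group("rc")) != 0:
            # IPRT convention: 0 is success, so any other verify result is worth a look.
            findings.append(Finding("verify", f"rc={v.group('rc')} for {v.group('path')}"))
        elif (e := ERROR_RE.match(msg)):
            findings.append(Finding("respawn", f"{e.group('func')} rc={e.group('rc')} enmWhat={e.group('what')}"))
    return findings
```

Run it over the real log file to get the three or four lines that matter rather than the whole DLL-load trace.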

_______________________________________________
vbox-dev mailing list
vbox-dev@virtualbox.org
https://www.virtualbox.org/mailman/listinfo/vbox-dev