Closed Whibelf2 closed 5 years ago
It should not. Loader uses TDL to load the driver, which backs up the original vboxdrv.sys as vboxdrv.backup if it detects it is loaded. A full log from install.cmd is required to figure out what is wrong here.
Moreover, there are no changes regarding the driver installation part in this version.
Where is the path of the full log from install.cmd?
There is no log file. The log is only printed to the console output. The only component that can delete vboxdrv.sys is tdl.exe. So please save the console window output next time if this behavior is reproduced.
C:\VBoxLdr>install
C:\VBoxLdr>REM Append full patch to tdl.exe/tsugumi.sys and run this batch file elevated
Run TDL (tdl.exe tsugumi.sys)
Press any key to continue. . .
Turla Driver Loader v1.1.3 started
(c) 2016 - 2018 TDL Project
Supported x64 OS : 7 and above
Ldr: Windows v10.0 build 17763
SCM: Vulnerable driver loaded and opened
Ldr: Kernel base = 0xFFFFF8074F2A1000
Ldr: Input driver file loaded at 0x00007FF710330000
Ldr: Loading ntoskrnl.exe
Ldr: ntoskrnl.exe loaded at 0x00007FF75A500000
Ldr: ExAllocatePoolWithTag 0xFFFFF8074F5EA030
Ldr: Shellcode allocated at 0x000001B297C00000
Ldr: Windows 10 RS2+ bootstrap shellcode selected
Ldr: Resolving kernel import
Ldr: Executing exploit
Ldr: OpenLdr.u.Out.pvImageBase = 0xFFFF8B0240C7E080
Ldr: SUP_IOCTL_LDR_LOAD, success
Shellcode mapped at 0xFFFF8B0240C7E080, size = 0x00008000
Driver image mapped at 0xFFFF8B0240C7E38A
Ldr: SUP_IOCTL_SET_VM_FOR_FAST call complete
Ldr: SUP_IOCTL_FAST_DO_NOP
Ldr: SUP_IOCTL_LDR_FREE
SCM: Unloading vulnerable driver
SCM: Vulnerable driver successfully unloaded
SCM: Driver entry removed from registry
Ldr: Driver file removed
Run loader
Press any key to continue. . .
ECHO is disabled.
Running loader
VirtualBox Hardened Loader v1.10.0.1901
Pattern matching: 'VBOX'
FACP 0x000314BD
RSDT 0x00031724
XSDT 0x00031877
APIC 0x00031AC2
HPET 0x00031C64
MCFG 0x00031D68
VBOXCPU 0x0003BC40
VBOX 0x0012625D
Pattern matching: 'VirtualBox'
VirtualBox 0x0012BA30
VirtualBox__ 0x0013A7A8
VirtualBox GIM 0x0013AE78
VirtualBox VMM 0x0013B600
Pattern matching: Configuration
Cfg 0x001379BB
Pattern matching: Hardware ID
80EE 0x0000906C
80EE 0x0001E329
80EE 0x0001E349
80EE 0x000439D2
BEEF 0x0001E33B
BEEF 0x0001E351
CAFE 0x000439E7
Ldr: Patch table created
Ldr: Tsugumi patch table parameters set
Ldr: Tsugumi device handle opened = 152
Ldr: TSUGUMI_IOCTL_REFRESH_LIST request successful
Ldr: purge system cache
Ldr: supRestartVBoxDrv = 0x00000424
Ldr: exit
The service name is invalid.
For more help, type NET HELPMSG 2185.
If you need a pic of the console, just say; I'll go get one now.
It seems there is a "bug" in TDL. More specifically, I forgot to remove debug comments.
See this line
https://github.com/hfiref0x/TDL/blob/master/Source/Furutaka/main.c#L871
"#if 0" ...
This little comment makes the variable g_VBoxInstalled always false, so no backup/restore code is involved.
https://github.com/hfiref0x/TDL/blob/master/Source/Furutaka/main.c#L624 https://github.com/hfiref0x/TDL/blob/master/Source/Furutaka/main.c#L646
That's an embarrassing bug; it wasn't noticed, probably because most TDL users don't use it with VirtualBox on the same machine.
It was added in TDL 1.1.3, and the previous VBoxHardenedLoader version used TDL 1.1.2 without this "addition".
So before I fix this TDL misbehavior, I advise you to use tdl.exe from the previous VBox loader commit (TDL v1.1.2, if I'm not mistaken).
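The failure mode described in the comment above, reduced to a stand-alone C example (added here; this is not TDL's code, and `VBOX_DETECT_ENABLED`, `detect_vbox`, `backup_remove_restore` and the placeholder file names are constructed stand-ins): a compile-time gate like the leftover `#if 0` keeps the "installed" flag false, so the loader's delete step runs but the backup and restore never do, and the driver file is lost.

```c
#include <stdio.h>

/* Stand-in for the leftover "#if 0" gate: build with -DVBOX_DETECT_ENABLED=0
   and g_VBoxInstalled can never become true (constructed for this example). */
#ifndef VBOX_DETECT_ENABLED
#define VBOX_DETECT_ENABLED 1
#endif

static int g_VBoxInstalled = 0;

/* Copy src to dst byte for byte; returns 1 on success, 0 on any I/O failure. */
static int copy_file(const char *src, const char *dst)
{
    char buf[4096];
    size_t n;
    FILE *in = fopen(src, "rb");
    if (!in) return 0;
    FILE *out = fopen(dst, "wb");
    if (!out) { fclose(in); return 0; }
    while ((n = fread(buf, 1, sizeof buf, in)) > 0)
        if (fwrite(buf, 1, n, out) != n) { fclose(in); fclose(out); return 0; }
    fclose(in);
    return fclose(out) == 0;
}

/* Detection step: "installed" here simply means the driver file exists. */
void detect_vbox(const char *driver_path)
{
#if VBOX_DETECT_ENABLED
    FILE *f = fopen(driver_path, "rb");
    if (f) { g_VBoxInstalled = 1; fclose(f); }
#else
    (void)driver_path;   /* detection skipped: the flag stays 0, as in the bug */
#endif
}

/* Full cycle: detect, back up, remove (what the loader does), restore.
   Returns 1 if the original file is intact afterwards, 0 if it was lost. */
int backup_remove_restore(const char *driver_path, const char *backup_path)
{
    g_VBoxInstalled = 0;
    detect_vbox(driver_path);
    if (g_VBoxInstalled && !copy_file(driver_path, backup_path)) return 0;
    remove(driver_path);                 /* loader deletes the driver file */
    if (!g_VBoxInstalled) return 0;      /* no backup was taken: nothing to restore */
    if (!copy_file(backup_path, driver_path)) return 0;
    remove(backup_path);
    return 1;
}

/* Writes a small placeholder "driver" file for the demo; returns 1 on success. */
int write_placeholder(const char *path, const char *content)
{
    FILE *f = fopen(path, "wb");
    if (!f) return 0;
    int ok = fputs(content, f) >= 0;
    return fclose(f) == 0 && ok;
}
```

Rebuilding with `-DVBOX_DETECT_ENABLED=0` makes `backup_remove_restore` return 0 even when the file exists, which is exactly the "driver deleted, nothing restored" symptom reported in this thread.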
Well, now it should work like before.
Loader working fine now!
Thanks for this wonderful work. :)
When I run the install.cmd script, apparently everything runs fine except for vboxdrv; it looks like the patch deletes the VirtualBox driver, and I have to open the default VirtualBox folder and install the driver manually.
C:\Program Files\Oracle\VirtualBox\drivers\vboxdrv
After manually installing vboxdrv, we need to run "net start vboxdrv" again.