hfiref0x / VBoxHardenedLoader

VirtualBox VM detection mitigation loader
BSD 2-Clause "Simplified" License

"Cannot inject monitor code" with loader.exe #71

Closed yeet-hash closed 4 years ago

yeet-hash commented 4 years ago

I have tried reinstalling VirtualBox and redoing everything, nothing is working. [image]

yeet-hash commented 4 years ago

I also did net start vboxdrv and it says they are already started. Also, the hardening was working fine yesterday and I went to turn on my computer and launch the loader.exe command, and now it doesn't work.

yeet-hash commented 4 years ago

I have tried LITERALLY everything possible and cannot figure out why my loader.exe doesn't work. Please help.

hfiref0x commented 4 years ago

Show your loaded drivers list before loader.exe start and after. Show full output of loader.exe, select all console text and copy it here.

P.S. use loader from https://github.com/hfiref0x/VBoxHardenedLoader/blob/dev-201/Binary/loader.exe

dehsar27 commented 4 years ago

I had the same issue, I've been trying to fix it but could not.

```text
C:\VBoxLdr\Binary\data>cd..

C:\VBoxLdr\Binary>loader.exe
VirtualBox Hardened Loader v2.0.1.2005
[>] Entering VBoxLdrMain
LDR: Listing process token privileges...
LDR: SeIncreaseQuotaPrivilege Disabled
LDR: SeSecurityPrivilege Disabled
LDR: SeTakeOwnershipPrivilege Disabled
LDR: SeLoadDriverPrivilege Disabled
LDR: SeSystemProfilePrivilege Disabled
LDR: SeSystemtimePrivilege Disabled
LDR: SeProfileSingleProcessPrivilege Disabled
LDR: SeIncreaseBasePriorityPrivilege Disabled
LDR: SeCreatePagefilePrivilege Disabled
LDR: SeBackupPrivilege Disabled
LDR: SeRestorePrivilege Disabled
LDR: SeShutdownPrivilege Disabled
LDR: SeDebugPrivilege Disabled
LDR: SeSystemEnvironmentPrivilege Disabled
LDR: SeChangeNotifyPrivilege Enabled (Default Enabled)
LDR: SeRemoteShutdownPrivilege Disabled
LDR: SeUndockPrivilege Disabled
LDR: SeManageVolumePrivilege Disabled
LDR: SeImpersonatePrivilege Enabled (Default Enabled)
LDR: SeCreateGlobalPrivilege Enabled (Default Enabled)
LDR: SeIncreaseWorkingSetPrivilege Disabled
LDR: SeTimeZonePrivilege Disabled
LDR: SeCreateSymbolicLinkPrivilege Disabled
LDR: SeDelegateSessionUserImpersonatePrivilege Disabled
LDR: VirtualBox version 6.1.6
LDR: Windows version: 10.0 build 18363
LDR: Maximum User Mode address 0x7FFFFFFEFFFF

Pattern matching: 'VBOX'

Pattern FACP (pre v6.1) was not found
FACP (v6.1+) 0x35227
Pattern RSDT (pre 6.1) was not found
RSDT (6.1+) 0x3548e
XSDT 0x355e5
APIC 0x3583b
HPET 0x359e4
MCFG 0x35ae8
VBOXCPU 0x3fc20
Pattern VBOX generic (pre 6.1) was not found
VBOX (6.1+) 0x12f5cc

Pattern matching: 'VirtualBox'

VirtualBox 0x134a38
VirtualBox__ 0x1441a0
VirtualBox GIM 0x144828
VirtualBox VMM 0x145000

Pattern matching: 'Configuration'

Pattern Configuration (pre 6.1) was not found
Configuration (6.1+) 0x141275

Pattern matching: Hardware ID

80EE 0x92d1
80EE 0x20e61
80EE 0x20e85
80EE 0x47bb5
BEEF 0x20e77
BEEF 0x20e91
CAFE 0x47c5d
LDR: Patch table created
[LDR: SeDebugPrivilege assigned
[LDR: SeLoadDriverPrivilege assigned
[>] Entering MapTsugumi
[>] Entering ProviderCreate
[>] Entering StartVulnerableDriver
[!] Vulnerable provider device already exist, checking loaded driver version
LDR: Currently loaded driver version 1.3.2.13, required version 1.3.0.7
[!] Driver version is unknown and we cannot continue. If you still want to use this loader find and uninstall software that uses this driver first!
[<] Leaving StartVulnerableDriver
[<] Leaving ProviderCreate
[!] ProviderCreate failed, abort
LDR: Cannot inject monitor code
[<] Leaving VBoxLdrMain

C:\VBoxLdr\Binary>
```

hfiref0x commented 4 years ago

Get rid of the Intel NAL driver from your system.

```text
[!] Vulnerable provider device already exist, checking loaded driver version
LDR: Currently loaded driver version 1.3.2.13, required version 1.3.0.7
[!] Driver version is unknown and we cannot continue. If you still want to use this loader find and uninstall software that uses this driver first!
```

fars1233 commented 4 years ago

How do you uninstall the NAL driver from the system and where can I find it?

hfiref0x commented 4 years ago

From an elevated command prompt:

```text
sc stop Nal
sc delete Nal
```

Reboot your PC.
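As an added diagnostic (not part of VBoxHardenedLoader or the maintainer's answer), this PowerShell script checks the condition the loader output above complains about: whether a driver service named `Nal` is registered, whether it is running, and which file version its image on disk carries, compared against the `1.3.0.7` the loader says it requires. It also counts the running kernel drivers, the list the maintainer asks for in bug reports. The service name `Nal` and the required version are taken from this thread; the script reads the on-disk file version, which is not necessarily the same value the loader queries from the live device.

```powershell
# Added diagnostic, not part of VBoxHardenedLoader. Checks whether a driver
# service named "Nal" is present and which file version it has, since
# loader.exe aborts with "Driver version is unknown" when the already
# loaded provider driver is not the version it expects.
$RequiredVersion = [version]'1.3.0.7'   # value printed by loader.exe in this thread

# Snapshot of running kernel drivers (what the maintainer asks for in reports)
$running = Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }
Write-Host ("{0} kernel drivers currently running" -f @($running).Count)

$nal = Get-CimInstance Win32_SystemDriver -Filter "Name='Nal'"
if (-not $nal) {
    Write-Host "No driver service named 'Nal' is registered; this is not the cause."
    return
}
Write-Host ("Nal: state={0} startmode={1} path={2}" -f $nal.State, $nal.StartMode, $nal.PathName)

# Normalise the image path: service entries may use \??\ or \SystemRoot\ prefixes
$path = $nal.PathName -replace '^\\\?\?\\', ''
$path = $path -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
$path = [Environment]::ExpandEnvironmentVariables($path)

if (-not (Test-Path -LiteralPath $path)) {
    Write-Host "Driver image not found on disk: $path (stale service entry?)"
    return
}

# Build the version from the numeric parts to avoid parsing vendor-formatted strings
$vi = (Get-Item -LiteralPath $path).VersionInfo
$loaded = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
Write-Host ("Nal file version: {0} (required by loader: {1})" -f $loaded, $RequiredVersion)

if ($loaded -ne $RequiredVersion) {
    Write-Host "Version mismatch: this is the 'Driver version is unknown' condition."
    Write-Host "Uninstall the software that ships this driver (or 'sc stop Nal' / 'sc delete Nal' from an elevated prompt), then reboot."
} else {
    Write-Host "Nal version matches; look elsewhere (see the maintainer's request for full loader output and driver list)."
}
```

Run it from an elevated PowerShell before and after starting loader.exe so the two driver snapshots can be compared.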

fars1233 commented 4 years ago

Do you know how to fix this?

Unknown configuration value '/DsdtFilePath' found in the configuration of acpi instance #0 (VERR_CFGM_CONFIG_UNKNOWN_VALUE).

hfiref0x commented 4 years ago

You either haven't read the installation guide or don't understand it.

fars1233 commented 4 years ago

I did everything in the installation guide but still, the loader is not working. I deleted Nal and the loader is not working.

fars1233 commented 4 years ago

How about I pay you to do it for me?

hfiref0x commented 4 years ago

No you didn't. Otherwise you would know that the loader needs to be restarted on each Windows boot, which is CLEARLY stated in the guide (https://github.com/hfiref0x/VBoxHardenedLoader/blob/master/Binary/howto.md#step-4-loading-monitoring-driver-for-load-in-memory-vm-dll-patch at the end of Step 4), which you obviously didn't bother to read.

In the last 2 weeks or so I've registered huge activity over this repository, mostly with the referring site being "youtube". Multiple newly registered or empty GitHub accounts posting the same issues again and again and not even bothering to provide comprehensive details in their reports - just OMGWTFSOMESHITHAPPENED, SCREENSHOT, SOME TEXT, +1, Ko-ko-ko. Like, for example, this OP - some generic issue post 12 days ago and silence after that.

I've no idea what kind of youtube video that is and who did it. However, I would like to tell the exact purpose of this repository and what it expects from its users.

This repository is intended to harden VirtualBox under Windows against malicious software VM detection capabilities. Basically it is created for people working with Windows security and reverse-engineering. Thus obviously you have to be familiar with what this repo is giving you and able to provide a comprehensive report if something went wrong during your usage of it.

For example, your particular case is https://github.com/hfiref0x/VBoxHardenedLoader/issues/59. Another example of good input - https://github.com/hfiref0x/VBoxHardenedLoader/issues/56

Nothing like that observed there. Excuse me, but you all look like a bunch of kids playing with a toy they can't handle because that's not their level.

What do I expect from a good bug report here? At least I need to know your configuration, list of loaded drivers, what you did, how, where and why. I don't need your screenshots unless they are really necessary. Likewise, I don't need 5 duplicate issues created by random junk GitHub accounts at the same time.

Currently my patience is over.

This issue cannot be reproduced. It is either 3rd party software incompatibilities on your PC (like the guy yesterday with a PC full of wormhole drivers running at the same time) or your hardware fault.

Closed.