hfiref0x / VBoxHardenedLoader

VirtualBox VM detection mitigation loader
BSD 2-Clause "Simplified" License
913 stars, 278 forks

Could not read DEVICE_OBJECT error 87 (Vanguard anticheat vgk.sys) #79

Closed ThePcSkrub closed 4 years ago

ThePcSkrub commented 4 years ago

Got a "could not read DEVICE_OBJECT (Error 87)" and it did not inject the monitor code. Let me know if I am doing something wrong or what I can do to prevent this error.

hfiref0x commented 4 years ago

Does this error persist?

ThePcSkrub commented 4 years ago

Yes it does. I have tried restarting my computer and re-running loader.exe; it gives the same error. I might try this on a different computer to see if it gives the same error.

hfiref0x commented 4 years ago

Can you attach a list of loaded drivers from driverquery? Maybe there is a conflict with something.

ThePcSkrub commented 4 years ago

VirtualBox Hardened Loader v2.0.1.2005
[>] Entering VBoxLdrMain
LDR: Listing process token privileges...
LDR: SeIncreaseQuotaPrivilege Disabled
LDR: SeTcbPrivilege Disabled
LDR: SeSecurityPrivilege Disabled
LDR: SeTakeOwnershipPrivilege Disabled
LDR: SeLoadDriverPrivilege Disabled
LDR: SeSystemProfilePrivilege Disabled
LDR: SeSystemtimePrivilege Disabled
LDR: SeProfileSingleProcessPrivilege Disabled
LDR: SeIncreaseBasePriorityPrivilege Disabled
LDR: SeCreatePagefilePrivilege Disabled
LDR: SeBackupPrivilege Disabled
LDR: SeRestorePrivilege Disabled
LDR: SeShutdownPrivilege Disabled
LDR: SeDebugPrivilege Disabled
LDR: SeSystemEnvironmentPrivilege Disabled
LDR: SeChangeNotifyPrivilege Enabled (Default Enabled)
LDR: SeRemoteShutdownPrivilege Disabled
LDR: SeUndockPrivilege Disabled
LDR: SeManageVolumePrivilege Disabled
LDR: SeImpersonatePrivilege Enabled (Default Enabled)
LDR: SeCreateGlobalPrivilege Enabled (Default Enabled)
LDR: SeIncreaseWorkingSetPrivilege Disabled
LDR: SeTimeZonePrivilege Disabled
LDR: SeCreateSymbolicLinkPrivilege Disabled
LDR: SeDelegateSessionUserImpersonatePrivilege Disabled
LDR: VirtualBox version 6.1.10
LDR: Windows version: 10.0 build 18363
LDR: Maximum User Mode address 0x7FFFFFFEFFFF

Pattern matching: 'VBOX'

Pattern FACP (pre v6.1) was not found
FACP (v6.1+) 0x35197
Pattern RSDT (pre 6.1) was not found
RSDT (6.1+) 0x353fe
XSDT 0x35555
APIC 0x357ab
HPET 0x35954
MCFG 0x35a58
VBOXCPU 0x3fb90
Pattern VBOX generic (pre 6.1) was not found
VBOX (6.1+) 0x12f63c

Pattern matching: 'VirtualBox'

VirtualBox 0x134a48
VirtualBox__ 0x1441b0
VirtualBox GIM 0x144838
VirtualBox VMM 0x145010

Pattern matching: 'Configuration'

Pattern Configuration (pre 6.1) was not found
Configuration (6.1+) 0x141285

Pattern matching: Hardware ID

80EE 0x92d1
80EE 0x20e31
80EE 0x20e55
80EE 0x47ab5
BEEF 0x20e47
BEEF 0x20e61
CAFE 0x47b5d

hfiref0x commented 4 years ago

That's the program log. What I want is the list of loaded drivers. Open a cmd.exe prompt and type driverquery.

ThePcSkrub commented 4 years ago

Module Name  Display Name           Driver Type   Link Date
============ ====================== ============= ======================
1394ohci     1394 OHCI Compliant Ho Kernel
3ware        3ware                  Kernel        5/18/2015 6:28:03 PM
ACPI         Microsoft ACPI Driver  Kernel
AcpiDev      ACPI Devices driver    Kernel
acpiex       Microsoft ACPIEx Drive Kernel
acpipagr     ACPI Processor Aggrega Kernel
AcpiPmi      ACPI Power Meter Drive Kernel
acpitime     ACPI Wake Alarm Driver Kernel
Acx01000     Acx01000               Kernel
ADP80XX      ADP80XX                Kernel        4/9/2015 4:49:48 PM
AFD          Ancillary Function Dri Kernel
afunix       afunix                 Kernel
ahcache      Application Compatibil Kernel
amdgpio2     AMD GPIO Client Driver Kernel        2/7/2019 4:32:20 AM
amdi2c       AMD I2C Controller Ser Kernel        6/13/2018 1:25:43 AM
AmdK8        AMD K8 Processor Drive Kernel
amdkmpfd     AMD PCI Root Bus Lower Kernel        3/20/2019 9:28:52 AM
AmdPPM       AMD Processor Driver   Kernel
amdsata      amdsata                Kernel        5/14/2015 8:14:52 AM
amdsbs       amdsbs                 Kernel        12/11/2012 4:21:44 PM
amdxata      amdxata                Kernel        4/30/2015 8:55:35 PM
AppID        AppID Driver           Kernel
applockerflt Smartlocker Filter Dri Kernel
AppvStrm     AppvStrm               File System
AppvVemgr    AppvVemgr              File System
AppvVfs      AppvVfs                File System
arcsas       Adaptec SAS/SATA-II RA Kernel        4/9/2015 3:12:07 PM
AsyncMac     RAS Asynchronous Media Kernel
atapi        IDE Channel            Kernel
AtiHDAudioSe AMD Function Driver fo Kernel        11/15/2019 9:55:23 AM
b06bdrv      QLogic Network Adapter Kernel        5/25/2016 3:03:08 AM
bam          Background Activity Mo Kernel
BasicDisplay BasicDisplay           Kernel
BasicRender  BasicRender            Kernel
bcmfn2       bcmfn2 Service         Kernel        10/31/2016 10:09:15 PM
Beep         Beep                   Kernel
BfLwf        Killer Bandwidth Contr Kernel        11/20/2015 1:59:13 PM
bindflt      Windows Bind Filter Dr File System
bowser       Browser                File System
BthA2dp      Microsoft Bluetooth A2 Kernel
BthEnum      Bluetooth Enumerator S Kernel
BthHFEnum    Microsoft Bluetooth Ha Kernel
BthLEEnum    Bluetooth Low Energy D Kernel
BthMini      Bluetooth Radio Driver Kernel
BTHMODEM     Bluetooth Modem Commun Kernel
BTHPORT      Bluetooth Port Driver  Kernel
BTHUSB       Bluetooth Radio USB Dr Kernel
bttflt       Microsoft Hyper-V VHDP Kernel
buttonconver Service for Portable D Kernel
CAD          Charge Arbitration Dri Kernel
cdfs         CD/DVD File System Rea File System
cdrom        CD-ROM Driver          Kernel
cht4iscsi    cht4iscsi              Kernel        5/8/2018 9:27:04 AM
cht4vbd      Chelsio Virtual Bus Dr Kernel        5/8/2018 9:23:38 AM
circlass     Consumer IR Devices    Kernel
CldFlt       Windows Cloud Files Fi File System
CLFS         Common Log (CLFS)      Kernel
CmBatt       Microsoft ACPI Control Kernel
CMUSBDAC     USB Audio Class 1.0 an Kernel        7/13/2018 6:31:23 AM
CNG          CNG                    Kernel
cnghwassist  CNG Hardware Assist al Kernel
CompositeBus Composite Bus Enumerat Kernel
condrv       Console Driver         Kernel
CSC          Offline Files Driver   Kernel
dam          Desktop Activity Moder Kernel
dc1-controll Xbox Peripherals Drive Kernel
Dfsc         DFS Namespace Client D File System
disk         Disk Driver            Kernel
dmvsc        dmvsc                  Kernel
drmkaud      Microsoft Trusted Audi Kernel
DXGKrnl      LDDM Graphics Subsyste Kernel
ebdrv        QLogic 10 Gigabit Ethe Kernel        5/25/2016 3:01:05 AM
EhStorClass  Enhanced Storage Filte Kernel
EhStorTcgDrv Microsoft driver for s Kernel
ElcMouLFlt   ELECOM USB Mouse Lower Kernel        10/9/2019 9:33:08 PM
ElcMouUFlt   ELECOM USB Mouse Upper Kernel        10/9/2019 9:33:08 PM
ErrDev       Microsoft Hardware Err Kernel
exfat        exFAT File System Driv File System
fastfat      FAT12/16/32 File Syste File System
fdc          Floppy Disk Controller Kernel
FileCrypt    FileCrypt              File System
FileInfo     File Information FS Mi File System
Filetrace    Filetrace              File System
flpydisk     Floppy Disk Driver     Kernel
FltMgr       FltMgr                 File System
FsDepends    File System Dependency File System
fvevol       BitLocker Drive Encryp Kernel
gencounter   Microsoft Hyper-V Gene Kernel
genericusbfn Generic USB Function C Kernel
GPIOClx0101  Microsoft GPIO Class E Kernel
GpuEnergyDrv GPU Energy Driver      Kernel
Hamachi      LogMeIn Hamachi Virtua Kernel        3/30/2015 9:28:42 AM
hcmon        VMware hcmon           Kernel        4/7/2019 11:15:05 AM
HdAudAddServ Microsoft 1.1 UAA Func Kernel
HDAudBus     Microsoft UAA Bus Driv Kernel
HidBatt      HID UPS Battery Driver Kernel
HidBth       Microsoft Bluetooth HI Kernel
hidi2c       Microsoft I2C HID Mini Kernel
hidinterrupt Common Driver for HID  Kernel
HidIr        Microsoft Infrared HID Kernel
hidspi       Microsoft SPI HID Mini Kernel
HidUsb       Microsoft HID Class Dr Kernel
HpSAMD       HpSAMD                 Kernel        3/26/2013 5:36:54 PM
HTTP         HTTP Service           Kernel
hvcrash      hvcrash                Kernel
hvservice    Hypervisor/Virtual Mac Kernel
HwNClx0101   Microsoft Hardware Not Kernel
hwpolicy     Hardware Policy Driver Kernel
hyperkbd     hyperkbd               Kernel
HyperVideo   HyperVideo             Kernel
i8042prt     i8042 Keyboard and PS/ Kernel
iagpio       Intel Serial IO GPIO C Kernel        7/23/2018 5:04:46 AM
iai2c        Intel(R) Serial IO I2C Kernel        7/23/2018 5:04:39 AM
iaLPSS2i_GPI Intel(R) Serial IO GPI Kernel        4/19/2018 3:53:24 AM
iaLPSS2i_GPI Intel(R) Serial IO GPI Kernel        4/17/2018 5:25:15 AM
iaLPSS2i_GPI Intel(R) Serial IO GPI Kernel        4/17/2018 3:07:03 AM
iaLPSS2i_GPI Intel(R) Serial IO GPI Kernel        5/16/2018 1:46:36 AM
iaLPSS2i_I2C Intel(R) Serial IO I2C Kernel        4/19/2018 3:52:58 AM
iaLPSS2i_I2C Intel(R) Serial IO I2C Kernel        4/17/2018 5:24:40 AM
iaLPSS2i_I2C Intel(R) Serial IO I2C Kernel        4/17/2018 3:06:22 AM
iaLPSS2i_I2C Intel(R) Serial IO I2C Kernel        5/16/2018 1:46:02 AM
iaLPSSi_GPIO Intel(R) Serial IO GPI Kernel        2/2/2015 4:00:09 AM
iaLPSSi_I2C  Intel(R) Serial IO I2C Kernel        2/24/2015 10:52:07 AM
iaStorAVC    Intel Chipset SATA RAI Kernel        2/7/2018 6:53:36 AM
iaStorV      Intel RAID Controller  Kernel        4/11/2011 2:48:16 PM
ibbus        Mellanox InfiniBand Bu Kernel        4/25/2018 12:29:09 PM
igfx         igfx                   Kernel        9/29/2016 10:43:27 AM
IndirectKmd  Indirect Displays Kern Kernel
intaud_WaveE Intel WiDi Audio Devic Kernel        6/8/2015 6:12:39 PM
IntcAzAudAdd Service for Realtek HD Kernel        6/3/2016 7:28:58 AM
IntelHaxm    Intel HAXM Service     Kernel        9/25/2019 7:47:38 AM
intelide     intelide               Kernel
intelpep     Intel(R) Power Engine  Kernel
intelpmax    Intel Power Limit Driv Kernel
intelppm     Intel Processor Driver Kernel
iorate       Disk I/O Rate Filter D Kernel
IpFilterDriv IP Traffic Filter Driv Kernel
IPMIDRV      IPMIDRV                Kernel
IPNAT        IP Network Address Tra Kernel
IPT          IPT                    Kernel
isapnp       isapnp                 Kernel
iScsiPrt     iScsiPort Driver       Kernel
ItSas35i     ItSas35i               Kernel        5/3/2018 5:57:21 AM
iwdbus       IWD Bus Enumerator     Kernel        6/8/2015 6:12:39 PM
kbdclass     Keyboard Class Driver  Kernel
kbdhid       Keyboard HID Driver    Kernel
kdnic        Microsoft Kernel Debug Kernel
KillerEth    NDIS Miniport Driver f Kernel        9/14/2016 4:52:26 PM
KSecDD       KSecDD                 Kernel
KSecPkg      KSecPkg                Kernel
ksthunk      Kernel Streaming Thunk Kernel
LGHUBTempera LGHUB Core Temperature Kernel        11/16/2018 3:23:07 AM
LGVirHid     Logitech Gamepanel Vir Kernel        6/13/2016 2:47:03 PM
lltdio       Link-Layer Topology Di Kernel
LMIInfo      LogMeIn Kernel Informa Kernel        1/10/2017 11:30:08 AM
lmimirr      lmimirr                Kernel        4/10/2007 6:32:45 PM
LMIRfsDriver LogMeIn Remote File Sy File System   1/9/2017 11:14:48 AM
logi_joy_bus Logitech G HUB Virtual Kernel        11/20/2018 10:28:21 AM
logi_joy_vir Logitech G HUB Virtual Kernel        4/20/2020 12:57:11 PM
logi_joy_xlc Logitech G HUB Transla Kernel        11/20/2018 10:28:25 AM
LSI_SAS      LSI_SAS                Kernel        3/25/2015 3:36:48 PM
LSI_SAS2i    LSI_SAS2i              Kernel        8/2/2017 9:29:59 AM
LSI_SAS3i    LSI_SAS3i              Kernel        5/2/2018 5:40:30 AM
LSI_SSS      LSI_SSS                Kernel        3/15/2013 7:39:38 PM
luafv        UAC File Virtualizatio File System
mausbhost    MA-USB Host Controller Kernel
mausbip      MA-USB IP Filter Drive Kernel
MbamElam     MbamElam               Kernel        5/12/2020 2:47:31 PM
MBAMSwissArm MBAMSwissArmy          Kernel        11/20/2019 9:57:29 AM
MbbCx        MBB Network Adapter Cl Kernel
megasas      megasas                Kernel        3/4/2015 9:36:29 PM
megasas2i    megasas2i              Kernel        7/24/2017 5:46:09 AM
megasas35i   megasas35i             Kernel        12/6/2018 12:45:11 PM
megasr       megasr                 Kernel        6/3/2013 6:02:39 PM
MEIx64       Intel(R) Management En Kernel        4/11/2018 10:46:32 AM
Microsoft_Bl Microsoft Bluetooth Av Kernel
mlx4_bus     Mellanox ConnectX Bus  Kernel        4/25/2018 12:29:43 PM
MMCSS        Multimedia Class Sched Kernel
Modem        Modem                  Kernel
monitor      Microsoft Monitor Clas Kernel
mouclass     Mouse Class Driver     Kernel
mouhid       Mouse HID Driver       Kernel
mountmgr     Mount Point Manager    Kernel
MpKslDrv     MpKslDrv               Kernel
mpsdrv       Windows Defender Firew Kernel
MRxDAV       WebDav Client Redirect File System
mrxsmb       SMB MiniRedirector Wra File System
mrxsmb20     SMB 2.0 MiniRedirector File System
MsBridge     Microsoft MAC Bridge   Kernel
Msfs         Msfs                   File System
msgpiowin32  Common Driver for Butt Kernel
mshidkmdf    Pass-through HID to KM Kernel
mshidumdf    Pass-through HID to UM Kernel
msisadrv     msisadrv               Kernel
MSKSSRV      Microsoft Streaming Se Kernel
MsLldp       Microsoft Link-Layer D Kernel
MSPCLOCK     Microsoft Streaming Cl Kernel
MSPQM        Microsoft Streaming Qu Kernel
MsRPC        MsRPC                  Kernel
MsSecFlt     Microsoft Security Eve Kernel
mssmbios     Microsoft System Manag Kernel
MSTEE        Microsoft Streaming Te Kernel
MTConfig     Microsoft Input Config Kernel
Mup          Mup                    File System
mvumis       mvumis                 Kernel        5/23/2014 4:39:04 PM
NativeWifiP  NativeWiFi Filter      Kernel
ndfltr       NetworkDirect Service  Kernel        4/25/2018 12:28:08 PM
NDIS         NDIS System Driver     Kernel
NdisCap      Microsoft NDIS Capture Kernel
NdisImPlatfo Microsoft Network Adap Kernel
NdisTapi     Remote Access NDIS TAP Kernel
Ndisuio      NDIS Usermode I/O Prot Kernel
NdisVirtualB Microsoft Virtual Netw Kernel
NdisWan      Remote Access NDIS WAN Kernel
ndiswanlegac Remote Access LEGACY N Kernel
NDKPing      NDKPing Driver         Kernel
ndproxy      NDIS Proxy Driver      Kernel
Ndu          Windows Network Data U Kernel
NetAdapterCx Network Adapter Wdf Cl Kernel
NetBIOS      NetBIOS Interface      File System
NetBT        NetBT                  Kernel
netr28x      Ralink 802.11n Extensi Kernel        5/29/2015 7:26:59 AM
netvsc       netvsc                 Kernel
npcap        Npcap Packet Driver (N Kernel        8/28/2019 5:25:12 PM
npcap_wifi   Npcap Packet Driver (N Kernel        8/28/2019 5:25:12 PM
Npfs         Npfs                   File System
npsvctrig    Named pipe service tri Kernel
nsiproxy     NSI Proxy Service Driv Kernel
Ntfs         Ntfs                   File System
Null         Null                   Kernel
nvdimm       Microsoft NVDIMM devic Kernel
NVHDA        Service for NVIDIA Hig Kernel        2/19/2020 1:55:13 AM
nvlddmkm     nvlddmkm               Kernel        5/15/2020 7:55:17 PM
nvraid       nvraid                 Kernel        4/21/2014 2:28:42 PM
nvstor       nvstor                 Kernel        4/21/2014 2:34:03 PM
NvStreamKms  NVIDIA KMS             Kernel        6/25/2018 7:52:03 PM
nvvad_WaveEx NVIDIA Virtual Audio D Kernel        3/14/2019 4:58:48 AM
nvvhci       NVVHCI Enumerator Serv Kernel        1/10/2020 1:31:07 PM
nxaudio      NoMachine Audio Adapte Kernel        7/11/2016 5:35:31 AM
nxfs         NoMachine Filesystem A File System   12/11/2018 3:40:21 AM
nxusbf       NoMachine USB Hub      Kernel        8/20/2018 12:12:17 PM
nxusbh       NoMachine USB Adapter  Kernel        8/20/2018 12:12:10 PM
nxusbs       NoMachine USB Host Ada Kernel        8/20/2018 12:12:20 PM
Parport      Parallel port driver   Kernel
partmgr      Partition driver       Kernel
pci          PCI Bus Driver         Kernel
pciide       pciide                 Kernel
pcmcia       pcmcia                 Kernel
pcw          Performance Counters f Kernel
pdc          pdc                    Kernel
PEAUTH       PEAUTH                 Kernel
percsas2i    percsas2i              Kernel        3/14/2016 8:50:11 PM
percsas3i    percsas3i              Kernel        6/1/2018 5:47:02 PM
PktMon       Packet Monitor Driver  Kernel
pmem         Microsoft persistent m Kernel
PNPMEM       Microsoft Memory Modul Kernel
portcfg      portcfg                Kernel
PptpMiniport WAN Miniport (PPTP)    Kernel
Processor    Processor Driver       Kernel
PROCEXP152   PROCEXP152             Kernel        12/13/2019 11:37:59 AM
Psched       QoS Packet Scheduler   Kernel
QWAVEdrv     QWAVE driver           Kernel
Ramdisk      Windows RAM Disk Drive Kernel
RasAcd       Remote Access Auto Con Kernel
RasAgileVpn  WAN Miniport (IKEv2)   Kernel
Rasl2tp      WAN Miniport (L2TP)    Kernel
RasPppoe     Remote Access PPPOE Dr Kernel
RasSstp      WAN Miniport (SSTP)    Kernel
rdbss        Redirected Buffering S File System
rdpbus       Remote Desktop Device  Kernel
RDPDR        Remote Desktop Device  Kernel
RdpVideoMini Remote Desktop Video M Kernel
rdyboost     ReadyBoost             Kernel
ReFS         ReFS                   File System
ReFSv1       ReFSv1                 File System
RFCOMM       Bluetooth Device (RFCO Kernel
rhproxy      Resource Hub proxy dri Kernel
rspndr       Link-Layer Topology Di Kernel
rt640x64     Realtek RT640 NT Drive Kernel        5/24/2019 4:47:02 AM
s3cap        s3cap                  Kernel
sbp2port     SBP-2 Transport/Protoc Kernel
scfilter     Smart card PnP Class F Kernel
scmbus       Microsoft Storage Clas Kernel
ScreamBAudio ScreamingBee Audio     Kernel        5/14/2016 2:49:07 PM
sdbus        sdbus                  Kernel
SDFRd        SDF Reflector          Kernel
sdstor       SD Storage Port Driver Kernel
SerCx        Serial UART Support Li Kernel
SerCx2       Serial UART Support Li Kernel
Serenum      Serenum Filter Driver  Kernel
Serial       Serial port driver     Kernel
sermouse     Serial Mouse Driver    Kernel
sfloppy      High-Capacity Floppy D Kernel
SgrmAgent    System Guard Runtime M Kernel
SiSRaid2     SiSRaid2               Kernel        9/24/2008 2:28:20 PM
SiSRaid4     SiSRaid4               Kernel        10/1/2008 5:56:04 PM
SmartSAMD    SmartSAMD              Kernel        4/17/2018 11:29:21 AM
smbdirect    smbdirect              File System
spaceport    Storage Spaces Driver  Kernel
SpatialGraph Holographic Spatial Gr Kernel
SpbCx        Simple Peripheral Bus  Kernel
srv2         Server SMB 2.xxx Drive File System
srvnet       srvnet                 File System
SteamStreami Steam Streaming Microp Kernel        7/28/2017 11:33:15 AM
SteamStreami Steam Streaming Speake Kernel        7/20/2017 8:56:15 PM
stexstor     stexstor               Kernel        11/26/2012 7:02:51 PM
storahci     Microsoft Standard SAT Kernel
storflt      Microsoft Hyper-V Stor Kernel
stornvme     Microsoft Standard NVM Kernel
storqosflt   Storage QoS Filter Dri File System
storufs      Microsoft Universal Fl Kernel
storvsc      storvsc                Kernel
swenum       Software Bus Driver    Kernel
Synth3dVsc   Synth3dVsc             Kernel
tap-tb-0901  TunnelBear Adapter V9  Kernel        8/12/2014 3:45:22 AM
Tcpip        TCP/IP Protocol Driver Kernel
Tcpip6       @todo.dll,-100;Microso Kernel
tcpipreg     TCP/IP Registry Compat Kernel
tdx          NetIO Legacy TDI Suppo Kernel
terminpt     Microsoft Remote Deskt Kernel
TPM          TPM                    Kernel
TsUsbFlt     Remote Desktop USB Hub Kernel
TsUsbGD      Remote Desktop Generic Kernel
tsusbhub     Remote Desktop USB Hub Kernel
tunnel       Microsoft Tunnel Minip Kernel
UASPStor     USB Attached SCSI (UAS Kernel
UcmCx0101    USB Connector Manager  Kernel
UcmTcpciCx01 UCM-TCPCI KMDF Class E Kernel
UcmUcsiAcpiC UCM-UCSI ACPI Client   Kernel
UcmUcsiCx010 UCM-UCSI KMDF Class Ex Kernel
Ucx01000     USB Host Support Libra Kernel
UdeCx        USB Device Emulation S Kernel
udfs         udfs                   File System
UEFI         Microsoft UEFI Driver  Kernel
UevAgentDriv UevAgentDriver         File System
Ufx01000     USB Function Class Ext Kernel
UfxChipidea  USB Chipidea Controlle Kernel
ufxsynopsys  USB Synopsys Controlle Kernel
umbus        UMBus Enumerator Drive Kernel
UmPass       Microsoft UMPass Drive Kernel
UrsChipidea  Chipidea USB Role-Swit Kernel
UrsCx01000   USB Role-Switch Suppor Kernel
UrsSynopsys  Synopsys USB Role-Swit Kernel
usbaudio     USB Audio Driver (WDM) Kernel
usbaudio2    USB Audio 2.0 Service  Kernel
usbccgp      Microsoft USB Generic  Kernel
usbcir       eHome Infrared Receive Kernel
usbehci      Microsoft USB 2.0 Enha Kernel
usbhub       Microsoft USB Standard Kernel
USBHUB3      SuperSpeed Hub         Kernel
usbohci      Microsoft USB Open Hos Kernel
usbprint     Microsoft USB PRINTER  Kernel
usbser       Microsoft USB Serial D Kernel
USBSTOR      USB Mass Storage Drive Kernel
usbuhci      Microsoft USB Universa Kernel
usbvideo     USB Video Device (WDM) Kernel
USBXHCI      USB xHCI Compliant Hos Kernel
VBoxDrv      VirtualBox Service     Kernel        6/4/2020 12:23:54 PM
VBoxNetAdp   VirtualBox NDIS 6.0 Mi Kernel        6/4/2020 12:23:03 PM
VBoxNetLwf   VirtualBox NDIS6 Bridg Kernel        6/4/2020 12:23:03 PM
VBoxUSBMon   VirtualBox USB Monitor Kernel        6/4/2020 12:23:03 PM
vdrvroot     Microsoft Virtual Driv Kernel
VerifierExt  Driver Verifier Extens Kernel
vgk          vgk                    Kernel        6/22/2020 1:40:50 PM
vhdmp        vhdmp                  Kernel
vhf          Virtual HID Framework  Kernel
Vid          Vid                    Kernel
ViGEmBus     Virtual Gamepad Emulat Kernel        10/17/2018 2:02:19 PM
VKbms        Virtual HID Minidriver Kernel        7/10/2014 11:42:22 PM
vmbus        Virtual Machine Bus    Kernel
VMBusHID     VMBusHID               Kernel
vmci         VMware VMCI Bus Driver Kernel        7/16/2019 1:03:34 AM
vmgid        Microsoft Hyper-V Gues Kernel
VMnetBridge  VMware Bridge Protocol Kernel        8/9/2019 7:14:57 AM
VMnetuserif  VMware Virtual Etherne Kernel        8/9/2019 7:14:55 AM
vmx86        VMware vmx86           Kernel        8/6/2019 4:38:59 AM
VOICEMOD_Dri Voicemod Virtual Audio Kernel        1/10/2018 5:18:37 AM
volmgr       Volume Manager Driver  Kernel
volmgrx      Dynamic Volume Manager Kernel
volsnap      Volume Shadow Copy dri Kernel
volume       Volume driver          Kernel
vpci         Microsoft Hyper-V Virt Kernel
vsmraid      vsmraid                Kernel        4/22/2014 3:21:41 PM
vsock        vSockets Virtual Machi Kernel        7/16/2019 1:04:39 AM
VSTXRAID     VIA StorX Storage RAID Kernel        1/21/2013 2:00:28 PM
vwifibus     Virtual Wireless Bus D Kernel
vwififlt     Virtual WiFi Filter Dr Kernel
vwifimp      Virtual WiFi Miniport  Kernel
WacomPen     Wacom Serial Pen HID D Kernel
wanarp       Remote Access IP ARP D Kernel
wanarpv6     Remote Access IPv6 ARP Kernel
wcifs        Windows Container Isol File System
wcnfs        Windows Container Name File System
WdBoot       Windows Defender Antiv Kernel
Wdf01000     Kernel Mode Driver Fra Kernel
WdFilter     Windows Defender Antiv File System
wdiwifi      WDI Driver Framework   Kernel
WdmCompanion WdmCompanionFilter     Kernel
WdNisDrv     Windows Defender Antiv Kernel
WFPLWFS      Microsoft Windows Filt Kernel
WIMMount     WIMMount               File System
WindowsTrust Windows Trusted Execut Kernel
WindowsTrust Microsoft Windows Trus Kernel
WinMad       WinMad Service         Kernel        4/25/2018 12:27:32 PM
WinNat       Windows NAT Driver     Kernel
WinQuic      WinQuic                Kernel
WINUSB       WinUsb Driver          Kernel
WinVerbs     WinVerbs Service       Kernel        4/25/2018 12:28:00 PM
WmiAcpi      Microsoft Windows Mana Kernel
Wof          Windows Overlay File S File System
WpdUpFltr    WPD Upper Class Filter Kernel
ws2ifsl      Windows Socket 2.0 Non Kernel
WSDPrintDevi WSD Print Support      Kernel
WSDScan      WSD Scan Support       Kernel
WudfPf       User Mode Driver Frame Kernel
WUDFRd       Windows Driver Foundat Kernel
WUDFWpdFs    WPD File System driver Kernel
xboxgip      Xbox Game Input Protoc Kernel
xinputhid    XINPUT HID Filter Driv Kernel
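The maintainer asked for this list to look for a conflicting driver, and a pasted driverquery table is hard to scan by eye. Below is an added Python helper (not part of the VBoxHardenedLoader project) that parses raw `driverquery` output, deriving the column offsets from the `====` rule line rather than splitting on whitespace, and groups the drivers this thread cares about for conflict triage: VirtualBox, other hypervisor components (Hyper-V, VMware), the anti-cheat driver named in the title, security products such as MBAM, and the helper drivers LoaderTest loads under the service names `IntelNal` and `Ene64` (which it unloads on exit, so their presence afterwards is worth noting). The sample rows and the category prefixes are constructed for this example.

```python
"""Parse raw `driverquery` output and group drivers of interest for loader-conflict triage."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in driverquery's default fixed-width layout. The rows mirror the
# kinds of entries seen in this thread; they are not a real capture from it.
SAMPLE = """\
Module Name  Display Name           Driver Type   Link Date
============ ====================== ============= ======================
1394ohci     1394 OHCI Compliant Ho Kernel
3ware        3ware                  Kernel        5/18/2015 6:28:03 PM
IntelNal     IntelNal               Kernel
MbamElam     MbamElam               Kernel        5/12/2020 2:47:31 PM
mrxsmb       SMB MiniRedirector Wra File System
VBoxDrv      VirtualBox Service     Kernel        6/4/2020 12:23:54 PM
vgk          vgk                    Kernel        6/22/2020 1:40:50 PM
vmbus        Virtual Machine Bus    Kernel
"""

# Lower-case module-name prefixes per triage category; chosen for this example only.
CATEGORIES: Dict[str, Tuple[str, ...]] = {
    "loader helper driver": ("intelnal", "ene64"),   # service names LoaderTest loads and unloads
    "VirtualBox": ("vbox",),
    "hypervisor": ("vm", "hv", "hcmon", "vid", "vsock", "vpci"),   # Hyper-V and VMware parts
    "anti-cheat": ("vgk",),
    "security product": ("mbam", "wdfilter", "mpksl"),
}


@dataclass
class DriverRecord:
    module: str
    display: str
    driver_type: str
    link_date: str


def _column_spans(rule: str) -> List[Tuple[int, int]]:
    """Derive (start, end) offsets of each column from the '====' rule line."""
    return [(m.start(), m.end()) for m in re.finditer(r"=+", rule)]


def parse_driverquery(text: str) -> List[DriverRecord]:
    """Slice each row by the offsets of the rule line; display names may contain spaces."""
    lines = text.splitlines()
    rule_idx = next(i for i, ln in enumerate(lines) if ln.startswith("="))
    spans = _column_spans(lines[rule_idx])
    if len(spans) != 4:
        raise ValueError(f"expected 4 columns, found {len(spans)}")
    records = []
    for ln in lines[rule_idx + 1:]:
        if not ln.strip():
            continue
        values = []
        for k, (start, end) in enumerate(spans):
            stop = None if k == len(spans) - 1 else end   # last column runs to end of line
            values.append(ln[start:stop].strip())
        records.append(DriverRecord(*values))
    return records


def flag_records(records: List[DriverRecord]) -> Dict[str, List[str]]:
    """Map each triage category to the module names that matched one of its prefixes."""
    flagged: Dict[str, List[str]] = {}
    for rec in records:
        name = rec.module.lower()
        for category, prefixes in CATEGORIES.items():
            if name.startswith(prefixes):
                flagged.setdefault(category, []).append(rec.module)
    return flagged


if __name__ == "__main__":
    recs = parse_driverquery(SAMPLE)
    print(f"{len(recs)} drivers parsed")
    for category, names in flag_records(recs).items():
        print(f"  {category}: {', '.join(names)}")
```

Feed it the contents of a file written with `driverquery > drivers.txt`; the table pasted in this issue would not parse because the whitespace was collapsed when it was posted. `driverquery /FO CSV` is an alternative when a fixed-width parse is not wanted.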

ThePcSkrub commented 4 years ago

I read another issue and I thought it could be the Intel NAT driver.

hfiref0x commented 4 years ago

Your first screenshot indicates it was successfully loaded and the loader didn't report that it was already in the system. Try disabling the MBAM driver.

ThePcSkrub commented 4 years ago

How would I do that?

hfiref0x commented 4 years ago

Uninstall MBAM.

ThePcSkrub commented 4 years ago

Uninstalled MBAM and restarted the PC. The error persists, the same could not read DEVICE_OBJECT.

hfiref0x commented 4 years ago

Well, I will make a test utility that will load this NAL driver, read some data from the kernel and output all statuses; I will post it here.

ThePcSkrub commented 4 years ago

Thanks!

hfiref0x commented 4 years ago

Can you run this https://github.com/hfiref0x/VBoxHardenedLoader/blob/LoaderTest/Binary/LoaderTest.exe and post the full results here? It will load the Intel NAL driver, open a handle to it, read FILE_OBJECT and then read DEVICE_OBJECT, unload the NAL driver and quit. While working it will output all parameters and what the NAL driver returns on each call.

The source code of this test can be found at https://github.com/hfiref0x/VBoxHardenedLoader/tree/LoaderTest/Source/LoaderTest if you are interested in what it does.

KaidenP commented 4 years ago

I am also having a similar issue. I am running Windows 10 Version 1909. (driverquery)

LOADER TEST
LDR: User is admin
LDR: VirtualBox version 6.1.6
LDR: Windows version: 10.0 build 18363
LDR: SeDebugPrivilege assigned
LDR: SeLoadDriverPrivilege assigned
LDR: Maximum User Mode address 0x7FFFFFFEFFFF
[>] Entering TestRead
[>] Entering ProviderCreate
[>] Entering StartVulnerableDriver
[>] Entering LoadVulnerableDriver
LDR: NtLoadDriver, NTSTATUS (0x0)
LDR: Vulnerable driver "IntelNal" loaded
LDR: Vulnerable driver opened, handle 0x00000000000000A0
[<] Leaving LoadVulnerableDriver
[<] Leaving StartVulnerableDriver
[<] Leaving ProviderCreate
ReadKernelVM(00000000000000A0, 0xffffaa8825c99ec0, 0x0000004CB839F3F0, 216)
-> NalReadVirtualMemoryEx(00000000000000A0, 0xffffaa8825c99ec0, Out, 0xd8)
-> NalVirtualToPhysical(00000000000000A0, 0xffffaa8825c99ec0, Out)
-> NalCallDriver(00000000000000A0, 0x0000004CB839F350, 0x20)
NalCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
-> NalMapAddressEx(00000000000000A0, 0x2b2299ec0, Out, 0xd8)
-> NalCallDriver(00000000000000A0, 0x0000004CB839F350, 0x30)
NalCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
-> NalReadVirtualMemory(00000000000000A0, 0xffffd680135cb000, Out, 0xd8)
-> NalCallDriver(00000000000000A0, 0x0000004CB839F350, 0x28)
NalCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
-> NalCallDriver(00000000000000A0, 0x0000004CB839F2D0, 0x30)
NalCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
FILE_OBJECT->DeviceObject 0x0000000000000000
[!] Invalid DeviceObject address
[>] Entering ProviderRelease
[>] Entering StopVulnerableDriver
LDR: Vulnerable driver unloaded
LDR: Vulnerable driver file removed
[<] Leaving StopVulnerableDriver
[<] Leaving ProviderRelease
[<] Leaving TestRead

KaidenP commented 4 years ago

I'm not well seasoned in WinAPI, but I'm trying to help debug. I've built and run LoaderTest and I'm currently debugging it in the VS debugger. AFTER LoaderTest/idrv/nal.c#L228 gets called, lockedBuffer doesn't seem to be written to.

I'll update if I find out anything else.


EDIT: Welp I'm out of my depth. Hope this information helps though.

hfiref0x commented 4 years ago

This is interesting. Is this a fully patched Windows?

P.S. Can you re-run this updated test from the latest commit https://github.com/hfiref0x/VBoxHardenedLoader/blob/LoaderTest/Binary/LoaderTest.exe with DbgView from Sysinternals running?

In DbgView (as admin) select the menu items Capture -> Capture Kernel and Capture -> Enable Verbose Kernel Output. Upon execution of LoaderTest.exe there should be some entries labeled "Kernel: Nal...".

ThePcSkrub commented 4 years ago

Ran the LoaderTest.exe:

LDR: User is admin
LDR: VirtualBox version 6.1.10
LDR: Windows version: 10.0 build 18363
LDR: SeDebugPrivilege assigned
LDR: SeLoadDriverPrivilege assigned
LDR: Maximum User Mode address 0x7FFFFFFEFFFF
[>] Entering TestRead
[>] Entering ProviderCreate
[>] Entering StartVulnerableDriver
[>] Entering LoadVulnerableDriver
LDR: NtLoadDriver, NTSTATUS (0x0)
LDR: Vulnerable driver "IntelNal" loaded
LDR: Vulnerable driver opened, handle 0x00000000000000C4
[<] Leaving LoadVulnerableDriver
[<] Leaving StartVulnerableDriver
[<] Leaving ProviderCreate
-> NalCallDriver(00000000000000C4, 0x000000862F2FF330, 0x18)
NalCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
LDR: Debug print enabled for Intel Nal
ReadKernelVM(00000000000000C4, 0xffffac819c541340, 0x000000862F2FF350, 216)
-> NalReadVirtualMemoryEx(00000000000000C4, 0xffffac819c541340, Out, 0xd8)
-> NalVirtualToPhysical(00000000000000C4, 0xffffac819c541340, Out)
-> NalCallDriver(00000000000000C4, 0x000000862F2FF290, 0x20)
NalCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
-> NalMapAddressEx(00000000000000C4, 0x164cab340, Out, 0xd8)
-> NalCallDriver(00000000000000C4, 0x000000862F2FF290, 0x30)
NalCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
-> NalReadVirtualMemory(00000000000000C4, 0xffff8201ebbe7000, Out, 0xd8)
-> NalCallDriver(00000000000000C4, 0x000000862F2FF290, 0x28)
NalCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
-> NalCallDriver(00000000000000C4, 0x000000862F2FF210, 0x30)
NalCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
FILE_OBJECT->DeviceObject 0x0000000000000000
[!] Invalid DeviceObject address
[>] Entering ProviderRelease
[>] Entering StopVulnerableDriver
LDR: Vulnerable driver unloaded
LDR: Vulnerable driver file removed
[<] Leaving StopVulnerableDriver
[<] Leaving ProviderRelease
[<] Leaving TestRead

hfiref0x commented 4 years ago

I need a log from DbgView as mentioned here https://github.com/hfiref0x/VBoxHardenedLoader/issues/79#issuecomment-649880973

ThePcSkrub commented 4 years ago

Kernel: NalMmapAddressEx: Vaddress = 0xFFFF8201E7EAE000
Kernel: NalMmapAddressEx: *VirtualAddress = 0xFFFF8201E7EAE000 (not mapped to user)
Kernel: NalUnmapAddress: Unmapping non-usermode mapped address 0xFFFF8201E7EAE000, Length 216
Kernel: Nal Windows DriverClose: Starting
Kernel: Nal Windows DriverClose: Leaving
Kernel: Nal Windows Driver Unload: Starting
Kernel: Nal Windows Driver Unload: Leaving...

hfiref0x commented 4 years ago

It seems memory mapped OK; however, the Intel NAL driver's memmove failed or copied zero bytes. So far I cannot reproduce this on fully patched 14393/17763 or even on 20150.

What is the exact version of your Windows? I might try to set it up in a VM for testing.

Run the winver command from the Run dialog; I am interested in the exact revision number,

e.g. 18363.1234

ThePcSkrub commented 4 years ago

Version 10.0.18363 Build 18363

ThePcSkrub commented 4 years ago

18363.900

hfiref0x commented 4 years ago

Okay, thanks.

hfiref0x commented 4 years ago

Unfortunately I cannot reproduce that on a fresh 18363.900 install. What is your hardware setup, btw?

LOADER TEST
LDR: User is admin
LDR: Windows version: 10.0 build 18363
LDR: SeDebugPrivilege assigned
LDR: SeLoadDriverPrivilege assigned
LDR: Maximum User Mode address 0x7FFFFFFEFFFF
[>] Entering TestRead
[>] Entering ProviderCreate
[>] Entering StartVulnerableDriver
[>] Entering LoadVulnerableDriver
LDR: NtLoadDriver, NTSTATUS (0x0)
LDR: Vulnerable driver "IntelNal" loaded
LDR: Vulnerable driver opened, handle 0x00000000000000A0
[<] Leaving LoadVulnerableDriver
[<] Leaving StartVulnerableDriver
[<] Leaving ProviderCreate
-> NalCallDriver(00000000000000A0, 0x00000011F6CFF2C0, 0x18)
NalCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
LDR: Debug print enabled for Intel Nal
ReadKernelVM(00000000000000A0, 0xffffb88de041d8f0, 0x00000011F6CFF2E0, 216)
-> NalReadVirtualMemoryEx(00000000000000A0, 0xffffb88de041d8f0, Out, 0xd8)
-> NalVirtualToPhysical(00000000000000A0, 0xffffb88de041d8f0, Out)
-> NalCallDriver(00000000000000A0, 0x00000011F6CFF220, 0x20)
NalCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
-> NalMapAddressEx(00000000000000A0, 0x5072e8f0, Out, 0xd8)
-> NalCallDriver(00000000000000A0, 0x00000011F6CFF220, 0x30)
NalCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
-> NalReadVirtualMemory(00000000000000A0, 0xffff8b81e59818f0, Out, 0xd8)
-> NalCallDriver(00000000000000A0, 0x00000011F6CFF220, 0x28)
NalCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
-> NalCallDriver(00000000000000A0, 0x00000011F6CFF1A0, 0x30)
NalCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
FILE_OBJECT->DeviceObject 0xFFFFB88DDE62D4B0
ReadKernelVM(00000000000000A0, 0xffffb88dde62d4b0, 0x00000011F6CFF3C0, 336)
-> NalReadVirtualMemoryEx(00000000000000A0, 0xffffb88dde62d4b0, Out, 0x150)
-> NalVirtualToPhysical(00000000000000A0, 0xffffb88dde62d4b0, Out)
-> NalCallDriver(00000000000000A0, 0x00000011F6CFF220, 0x20)
NalCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
-> NalMapAddressEx(00000000000000A0, 0x10a62d4b0, Out, 0x150)
-> NalCallDriver(00000000000000A0, 0x00000011F6CFF220, 0x30)
NalCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
-> NalReadVirtualMemory(00000000000000A0, 0xffff8b81e58304b0, Out, 0x150)
-> NalCallDriver(00000000000000A0, 0x00000011F6CFF220, 0x28)
NalCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
-> NalCallDriver(00000000000000A0, 0x00000011F6CFF1A0, 0x30)
NalCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
DEVICE_OBJECT->DriverObject 0xFFFFB88DE05DBE30
[>] Entering ProviderRelease
[>] Entering StopVulnerableDriver
LDR: Vulnerable driver unloaded
LDR: Vulnerable driver file removed
[<] Leaving StopVulnerableDriver
[<] Leaving ProviderRelease
[<] Leaving TestRead
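Comparing a working run like the one above with the failing runs earlier in the thread comes down to one question: did the pointer chain FILE_OBJECT->DeviceObject, then DEVICE_OBJECT->DriverObject, resolve, or did a read come back as zeros? The helper below is an added Python example, not part of LoaderTest or the VBoxHardenedLoader project; it parses the trace line formats quoted in this thread (both the NalCallDriver and the supCallDriver variants) and reports where the chain broke. The 216 and 336 byte sizes the reads request are the x64 sizes of FILE_OBJECT and DEVICE_OBJECT, which is why they are labelled that way. The two embedded traces are excerpts assembled from the logs posted in this issue.

```python
"""Summarise a LoaderTest trace so a failing run can be compared with a working one."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Line formats taken from the traces quoted in this thread.
RE_LOAD = re.compile(r'LDR: NtLoadDriver, NTSTATUS \((0x[0-9A-Fa-f]+)\)')
RE_DRIVER = re.compile(r'LDR: Vulnerable driver "([^"]+)" loaded')
RE_READ = re.compile(r'ReadKernelVM\(\w+, (0x[0-9A-Fa-f]+), \w+, (\d+)\)')
RE_IOSB = re.compile(r'return IO_STATUS_BLOCK: Information (\d+), Status (\S+)')
RE_PTR = re.compile(r'^(\w+)->(\w+) (0x[0-9A-Fa-f]+)$')
RE_UNLOAD = re.compile(r'LDR: Vulnerable driver unloaded')

# x64 sizes of the kernel structures the test reads in full.
KNOWN_SIZES = {216: "FILE_OBJECT", 336: "DEVICE_OBJECT"}

# Excerpts assembled from the traces posted in this issue (failing run, then the maintainer's working run).
FAILING_TRACE = """\
LDR: NtLoadDriver, NTSTATUS (0x0)
LDR: Vulnerable driver "IntelNal" loaded
ReadKernelVM(00000000000000A0, 0xffffaa8825c99ec0, 0x0000004CB839F3F0, 216)
-> NalCallDriver(00000000000000A0, 0x0000004CB839F350, 0x20)
NalCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
FILE_OBJECT->DeviceObject 0x0000000000000000
[!] Invalid DeviceObject address
LDR: Vulnerable driver unloaded
"""

PASSING_TRACE = """\
LDR: NtLoadDriver, NTSTATUS (0x0)
LDR: Vulnerable driver "IntelNal" loaded
ReadKernelVM(00000000000000A0, 0xffffb88de041d8f0, 0x00000011F6CFF2E0, 216)
NalCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
FILE_OBJECT->DeviceObject 0xFFFFB88DDE62D4B0
ReadKernelVM(00000000000000A0, 0xffffb88dde62d4b0, 0x00000011F6CFF3C0, 336)
NalCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
DEVICE_OBJECT->DriverObject 0xFFFFB88DE05DBE30
LDR: Vulnerable driver unloaded
"""


@dataclass
class TraceSummary:
    driver: Optional[str] = None            # service name the test loaded
    load_status: Optional[int] = None       # NTSTATUS reported for NtLoadDriver
    reads: List[Tuple[str, int, str]] = field(default_factory=list)   # (kernel address, size, struct)
    chain: List[Tuple[str, int]] = field(default_factory=list)        # ("FILE_OBJECT->DeviceObject", value)
    failed_calls: int = 0                   # driver calls whose IO_STATUS_BLOCK.Status was non-zero
    broken_at: Optional[str] = None         # first pointer in the chain that came back NULL
    unloaded: bool = False

    @property
    def verdict(self) -> str:
        ok = (self.load_status == 0 and bool(self.chain)
              and self.broken_at is None and self.failed_calls == 0)
        return "ok" if ok else "failed"


def _parse_status(text: str) -> int:
    # The trace prints Status as a bare number; a hex NTSTATUS would carry a 0x prefix.
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def summarize_trace(trace: str) -> TraceSummary:
    s = TraceSummary()
    for raw in trace.splitlines():
        line = raw.strip()
        m = RE_LOAD.match(line)
        if m:
            s.load_status = int(m.group(1), 16)
            continue
        m = RE_DRIVER.match(line)
        if m:
            s.driver = m.group(1)
            continue
        m = RE_READ.match(line)
        if m:
            size = int(m.group(2))
            s.reads.append((m.group(1), size, KNOWN_SIZES.get(size, "unknown")))
            continue
        m = RE_IOSB.search(line)          # matches NalCallDriver and supCallDriver lines alike
        if m:
            if _parse_status(m.group(2)) != 0:
                s.failed_calls += 1
            continue
        m = RE_PTR.match(line)
        if m:
            name = f"{m.group(1)}->{m.group(2)}"
            value = int(m.group(3), 16)
            s.chain.append((name, value))
            if value == 0 and s.broken_at is None:
                s.broken_at = name
            continue
        if RE_UNLOAD.match(line):
            s.unloaded = True
    return s


if __name__ == "__main__":
    for label, trace in (("failing", FAILING_TRACE), ("passing", PASSING_TRACE)):
        summary = summarize_trace(trace)
        print(f"{label}: verdict={summary.verdict} driver={summary.driver} "
              f"reads={[r[2] for r in summary.reads]} broken_at={summary.broken_at}")
```

Note that in the NAL traces the IO_STATUS_BLOCK lines report Information 0 and Status 0 in both the failing and the working run, so the driver's own return values do not distinguish the two cases; only the pointer read back from the mapped buffer does, which is what the summary keys on.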

KaidenP commented 4 years ago

Processor is Intel(R) Xeon(R) CPU E5-1620 0 @ 3.60GHz, with a 1060 GPU.

I have the same Windows version, and I also had Malwarebytes installed on my PC at some time. I also had almost identical log entries for all of the logs posted so far, except the memory addresses.

hfiref0x commented 4 years ago

Can you show msinfo32 first page info about Hyper-V?

KaidenP commented 4 years ago

Is this useful? sys.zip

hfiref0x commented 4 years ago

Yes. Can you try this test version? https://github.com/hfiref0x/VBoxHardenedLoader/blob/LoaderTest/Binary/LoaderTest.exe

KaidenP commented 4 years ago

LOADER TEST
LDR: User is admin
LDR: VirtualBox version 6.1.6
LDR: Windows version: 10.0 build 18363
LDR: SeDebugPrivilege assigned
LDR: SeLoadDriverPrivilege assigned
LDR: Maximum User Mode address 0x7FFFFFFEFFFF
[>] Entering TestRead
[>] Entering ProviderCreate
[>] Entering StartVulnerableDriver
[>] Entering LoadVulnerableDriver
LDR: NtLoadDriver, NTSTATUS (0x0)
LDR: Vulnerable driver "Ene64" loaded
LDR: Vulnerable driver opened, handle 0x00000000000000CC
[<] Leaving LoadVulnerableDriver
[<] Leaving StartVulnerableDriver
[<] Leaving ProviderCreate
ReadKernelVM(00000000000000CC, 0xffff9f8758d357c0, 0x000000903FCFF970, 216)
-> supCallDriver(00000000000000CC, 2148540480, InputBuffer, 56, OutputBuffer, 56)
supCallDriver return IO_STATUS_BLOCK: Information 38, Status 0
-> supCallDriver(00000000000000CC, 2148540484, InputBuffer, 56, OutputBuffer, 56)
supCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
-> supCallDriver(00000000000000CC, 2148540480, InputBuffer, 56, OutputBuffer, 56)
supCallDriver return IO_STATUS_BLOCK: Information 38, Status 0
-> supCallDriver(00000000000000CC, 2148540484, InputBuffer, 56, OutputBuffer, 56)
supCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
-> supCallDriver(00000000000000CC, 2148540480, InputBuffer, 56, OutputBuffer, 56)
supCallDriver return IO_STATUS_BLOCK: Information 38, Status 0
-> supCallDriver(00000000000000CC, 2148540484, InputBuffer, 56, OutputBuffer, 56)
supCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
-> supCallDriver(00000000000000CC, 2148540480, InputBuffer, 56, OutputBuffer, 56)
supCallDriver return IO_STATUS_BLOCK: Information 38, Status 0
-> supCallDriver(00000000000000CC, 2148540484, InputBuffer, 56, OutputBuffer, 56)
supCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
-> supCallDriver(00000000000000CC, 2148540480, InputBuffer, 56, OutputBuffer, 56)
supCallDriver return IO_STATUS_BLOCK: Information 38, Status 0
-> supCallDriver(00000000000000CC, 2148540484, InputBuffer, 56, OutputBuffer, 56)
supCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
FILE_OBJECT->DeviceObject 0xFFFF9F87612C19F0
ReadKernelVM(00000000000000CC, 0xffff9f87612c19f0, 0x000000903FCFFA50, 336)
-> supCallDriver(00000000000000CC, 2148540480, InputBuffer, 56, OutputBuffer, 56)
supCallDriver return IO_STATUS_BLOCK: Information 38, Status 0
-> supCallDriver(00000000000000CC, 2148540484, InputBuffer, 56, OutputBuffer, 56)
supCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
-> supCallDriver(00000000000000CC, 2148540480, InputBuffer, 56, OutputBuffer, 56)
supCallDriver return IO_STATUS_BLOCK: Information 38, Status 0
-> supCallDriver(00000000000000CC, 2148540484, InputBuffer, 56, OutputBuffer, 56)
supCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
-> supCallDriver(00000000000000CC, 2148540480, InputBuffer, 56, OutputBuffer, 56)
supCallDriver return IO_STATUS_BLOCK: Information 38, Status 0
-> supCallDriver(00000000000000CC, 2148540484, InputBuffer, 56, OutputBuffer, 56)
supCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
-> supCallDriver(00000000000000CC, 2148540480, InputBuffer, 56, OutputBuffer, 56)
supCallDriver return IO_STATUS_BLOCK: Information 38, Status 0
-> supCallDriver(00000000000000CC, 2148540484, InputBuffer, 56, OutputBuffer, 56)
supCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
-> supCallDriver(00000000000000CC, 2148540480, InputBuffer, 56, OutputBuffer, 56)
supCallDriver return IO_STATUS_BLOCK: Information 38, Status 0
-> supCallDriver(00000000000000CC, 2148540484, InputBuffer, 56, OutputBuffer, 56)
supCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
-> supCallDriver(00000000000000CC, 2148540480, InputBuffer, 56, OutputBuffer, 56)
supCallDriver return IO_STATUS_BLOCK: Information 38, Status 0
-> supCallDriver(00000000000000CC, 2148540484, InputBuffer, 56, OutputBuffer, 56)
supCallDriver return IO_STATUS_BLOCK: Information 0, Status 0
DEVICE_OBJECT->DriverObject 0xFFFF9F876371FE30
[>] Entering ProviderRelease
[>] Entering StopVulnerableDriver
LDR: Vulnerable driver unloaded
LDR: Vulnerable driver file removed
[<] Leaving StopVulnerableDriver
[<] Leaving ProviderRelease
[<] Leaving TestRead

hfiref0x commented 4 years ago

Ok, thanks. The other driver seems to work just fine.

Well, it seems the exact problem is with the Intel NAL driver (used by the loader) on your system. Something is blocking its functionality. I have a question regarding this loader: did you use it before on this machine, or is this the first time?

Can you upload the drvmain.sdb file from Windows, btw? C:\Windows\AppPatch\drvmain.sdb

KaidenP commented 4 years ago

First time afaik. The last time I wiped my Windows clean was a few months ago, though. Where is this driver located, and is it possible for you to send me a known working copy, or at the least a checksum of it?


hfiref0x commented 4 years ago

This loader uses this driver; it is built into the executable and extracted when it runs.

In addition to drvmain.sdb, can you show (using regedit) what is inside your

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Compatibility ?

KaidenP commented 4 years ago

Oh I see. What's drvmain.sdb?

hfiref0x commented 4 years ago

It's a file in your Windows\AppPatch folder. It contains compatibility rules for drivers. It should not be big (~200kb); please attach it here.

Also, can you show this key and its subkeys completely? Select this key and export it to a file as text, so you can simply post it here next.

E.g., exported:

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Compatibility\Driver
Class Name:
Last Write Time: 7/16/2016 - 6:45 PM

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Compatibility\Driver\storahci.sys
Class Name:
Last Write Time: 9/25/2018 - 5:56 PM
Value 0
  Name: Shims
  Type: REG_MULTI_SZ
  Data: Srbshim
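For readers who want to inspect such an export without eyeballing it, the following is an added example (not part of this thread or of the VBoxHardenedLoader project) that parses the regedit "Text Files" export layout quoted above and lists which drivers under the Compatibility\Driver key have a Shims value, i.e. which drivers the kernel shim engine will patch at load time. The sample export is constructed to mirror the two entries quoted above plus one extra driver with two shims; the layout of a multi-line REG_MULTI_SZ Data field (continuation lines indented under Data:) is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample in the layout regedit produces for "Export" with
# "Save as type: Text Files (*.txt)". The first two keys mirror the ones quoted
# in the thread; example.sys is a constructed extra entry with two shims whose
# continuation-line layout is assumed, not verified against a real export.
SAMPLE_EXPORT = """\
Key Name:          HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Compatibility\\Driver
Class Name:
Last Write Time:   7/16/2016 - 6:45 PM

Key Name:          HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Compatibility\\Driver\\storahci.sys
Class Name:
Last Write Time:   9/25/2018 - 5:56 PM
Value 0
  Name:            Shims
  Type:            REG_MULTI_SZ
  Data:            Srbshim

Key Name:          HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Compatibility\\Driver\\example.sys
Class Name:
Last Write Time:   1/1/2020 - 12:00 PM
Value 0
  Name:            Shims
  Type:            REG_MULTI_SZ
  Data:            ShimA
                   ShimB
"""

DRIVER_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Compatibility\Driver"

KEY_RE = re.compile(r"^Key Name:\s*(.+?)\s*$")
VALUE_RE = re.compile(r"^Value \d+\s*$")
FIELD_RE = re.compile(r"^\s+(Name|Type|Data):\s*(.*?)\s*$")


def parse_regedit_text(text: str) -> Dict[str, List[dict]]:
    """Map each exported key path to its values as {name, type, data: [..]} dicts."""
    keys: Dict[str, List[dict]] = {}
    current_key = None
    current_value = None
    for raw in text.splitlines():
        m = KEY_RE.match(raw)
        if m:
            current_key = m.group(1)
            keys[current_key] = []
            current_value = None
            continue
        if current_key is None:
            continue
        if VALUE_RE.match(raw):
            current_value = {"name": "", "type": "", "data": []}
            keys[current_key].append(current_value)
            continue
        if current_value is None:
            continue  # "Class Name:" / "Last Write Time:" lines are not needed here
        m = FIELD_RE.match(raw)
        if m:
            field_name, val = m.groups()
            if field_name == "Data":
                current_value["data"].append(val)
            else:
                current_value[field_name.lower()] = val
        elif raw.startswith(" ") and raw.strip():
            # Indented line after Data: treated as a further REG_MULTI_SZ string (assumed layout)
            current_value["data"].append(raw.strip())
    return keys


def driver_shims(text: str) -> Dict[str, List[str]]:
    """Return {driver file name: [shim names]} for every Driver subkey carrying a Shims value."""
    prefix = DRIVER_KEY + "\\"
    result: Dict[str, List[str]] = {}
    for key, values in parse_regedit_text(text).items():
        if not key.startswith(prefix):
            continue
        driver = key[len(prefix):]
        for v in values:
            if v["name"].lower() == "shims":
                result[driver] = [s for s in v["data"] if s]
    return result


if __name__ == "__main__":
    for drv, shims in driver_shims(SAMPLE_EXPORT).items():
        print(f"{drv}: {', '.join(shims)}")
```

Run it on a real export by reading the saved .txt into `driver_shims`; a driver that shows up here with an unexpected shim is worth a closer look, although in this thread the exported key turned out to be no different from a clean machine.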

KaidenP commented 4 years ago

debugFiles.zip

Thanks for all the help btw

hfiref0x commented 4 years ago

Thanks, seems no different from mine. Okay, last one if you don't mind.

Open eventvwr.msc, go to Application and Services Logs -> Microsoft -> Windows -> Kernel-ShimEngine -> Operational, and save it to upload here.

This is a log of the compatibility fixes that the Windows kernel applies to drivers.

ghost commented 4 years ago

Same problem here

LDR: Victim driver loaded, handle 0x00000000000000C0
LDR: Reading FILE_OBJECT at 0xFFFFD18A1B717CC0 - OK
[!] Could not read DEVICE_OBJECT at 0x0000000000000000 (Error 87)

hfiref0x commented 4 years ago

Instead of posting a meaningless "same problem here", follow this thread and do what I asked; otherwise there will be no fix or solution.

ghost commented 4 years ago

Ok

hfiref0x commented 4 years ago

Unfortunately this log also doesn't shed light on what is wrong in this particular case, as it looks usual. Except that the Intel driver doesn't work on several PCs and this is not reproducible here, there is no more information for now.

hfiref0x commented 4 years ago

The reason why it doesn't work is an anti-cheat driver called vgk.sys

vgk vgk Kernel 6/22/2020 1:40:50 PM

This is the Vanguard driver. It installs a kernel mode hook on the Intel driver's import of MmMapIoSpace. The interceptor hook is responsible for zeroing out the API call result. That is why the Intel driver "works" but with "no result".

Solution - uninstall Vanguard.
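The failure signature in this thread is recognisable from the loader's own trace: the provider driver loads and answers IOCTLs, the FILE_OBJECT read reports OK, but the buffer comes back zeroed, so the DeviceObject pointer is NULL and the next read fails with Win32 error 87 (ERROR_INVALID_PARAMETER). The following is an added example (not part of this thread or of the VBoxHardenedLoader project) that triages pasted trace lines and distinguishes the "works" case from the "works but returns nothing" case hfiref0x describes. The two sample traces are constructed from the lines quoted in the thread; the verdict strings are this example's own wording.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Win32 error 87 is ERROR_INVALID_PARAMETER (documented value); it is the only
# code that appears in the thread's logs.
WIN32_ERRORS: Dict[int, str] = {87: "ERROR_INVALID_PARAMETER"}

HANDLE_RE = re.compile(r"driver (?:opened|loaded), handle 0x([0-9A-Fa-f]+)")
PTR_RE = re.compile(r"^(FILE_OBJECT->DeviceObject|DEVICE_OBJECT->DriverObject)\s+0x([0-9A-Fa-f]+)\s*$")
FAIL_RE = re.compile(r"^\[!\] Could not read (\w+) at 0x([0-9A-Fa-f]+) \(Error (\d+)\)\s*$")

# Constructed from the successful LoaderTest trace posted by KaidenP (Ene64 provider).
TRACE_OK = """\
LDR: Vulnerable driver "Ene64" loaded
LDR: Vulnerable driver opened, handle 0x00000000000000CC
FILE_OBJECT->DeviceObject 0xFFFF9F87612C19F0
DEVICE_OBJECT->DriverObject 0xFFFF9F876371FE30
"""

# Constructed from the failing trace posted by "ghost" (Intel provider under Vanguard).
TRACE_HOOKED = """\
LDR: Victim driver loaded, handle 0x00000000000000C0
LDR: Reading FILE_OBJECT at 0xFFFFD18A1B717CC0 - OK
[!] Could not read DEVICE_OBJECT at 0x0000000000000000 (Error 87)
"""


@dataclass
class TraceTriage:
    handle: Optional[int] = None
    pointers: Dict[str, int] = field(default_factory=dict)          # object -> address read back
    failures: List[Tuple[str, int, int]] = field(default_factory=list)  # (object, address, win32 code)

    def verdict(self) -> str:
        if self.handle is None:
            return "provider driver was never opened"
        for obj, addr, code in self.failures:
            name = WIN32_ERRORS.get(code, "unknown error")
            if addr == 0:
                # A NULL pointer here means the preceding kernel read "succeeded" but
                # returned zeroed data: the provider is loaded, its read path is not honest.
                return (f"{obj} pointer is NULL: previous kernel read returned zeroed data, "
                        f"provider is loaded but its read path is intercepted "
                        f"(error {code} {name})")
            return f"read of {obj} at 0x{addr:X} failed with error {code} {name}"
        if self.pointers.get("FILE_OBJECT->DeviceObject") and self.pointers.get("DEVICE_OBJECT->DriverObject"):
            return "provider works: DeviceObject and DriverObject both read back non-NULL"
        return "incomplete trace: no pointer reads or failures found"


def triage(trace: str) -> TraceTriage:
    """Walk the loader trace once and collect handle, pointer reads and read failures."""
    t = TraceTriage()
    for line in trace.splitlines():
        m = HANDLE_RE.search(line)
        if m:
            t.handle = int(m.group(1), 16)
            continue
        m = PTR_RE.match(line)
        if m:
            t.pointers[m.group(1)] = int(m.group(2), 16)
            continue
        m = FAIL_RE.match(line)
        if m:
            t.failures.append((m.group(1), int(m.group(2), 16), int(m.group(3))))
    return t


if __name__ == "__main__":
    for label, trace in (("Ene64 trace", TRACE_OK), ("Intel trace", TRACE_HOOKED)):
        print(f"{label}: {triage(trace).verdict()}")
```

The useful part of the verdict is the distinction between a NULL address and a non-NULL one: a NULL DEVICE_OBJECT after a reported-OK FILE_OBJECT read points at the provider's kernel read being neutralised (here by a hook on its MmMapIoSpace import), whereas a failure at a non-NULL address would suggest an ordinary bad read. Either way the fix in this thread is on the host side (remove the interfering driver), not in the trace.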