<div id="__MailbirdStyleContent" style="font-size: 10pt;font-family: Arial;color: #000000">
Let's try this again. <div>This is a very annoying issue, yet probably very easy to fix. </div><div>No dev here has an idea why minifilters are preventing VBox from starting ?</div><div><br></div><div>Regards,<br><div class="mb_sig"></div><blockquote class="history_container" type="cite" style="border-left-style:solid;border-width:1px; margin-top:20px; margin-left:0px;padding-left:10px;">
<p style="color: #AAAAAA; margin-top: 10px;">Le 11/06/2020 14:09:10, Tigzy <tigzyrk@gmail.com> a écrit :</p><div style="font-family:Arial,Helvetica,sans-serif"><div id="__MailbirdStyleContent" style="font-size: 10pt;font-family: Arial;color: #000000">
Hello, <div>I'm updating this ticket since I haven't gotten any answer so far...</div><div>We are still running into this annoying issue, and the Anti-debugging tricks make it hard to debug. </div><div>I've been tracing the 2 child processes created when running the VM, and it seems the 3rd layer is been given a wrong file path (that's the only reason I can see when reading the MSDN documentation for CreateProcess). </div><div><br></div><div>Anyone can answer me ?</div><div>Thanks,<br><div class="mb_sig"></div><blockquote class="history_container" type="cite" style="border-left-style:solid;border-width:1px; margin-top:20px; margin-left:0px;padding-left:10px;">
<p style="color: #AAAAAA; margin-top: 10px;">Le 09/12/2019 20:12:40, Tigzy <tigzyrk@gmail.com> a écrit :</p><div style="font-family:Arial,Helvetica,sans-serif"><div id="__MailbirdStyleContent" style="font-size: 10pt;font-family: Arial;color: #000000"><span style="color: rgb(51, 51, 51);font-family: "Lucida Grande", "Trebuchet MS", Verdana, Helvetica, Arial, sans-serif;font-size: 13px;background-color: rgb(225, 235, 242)">Hello,</span><br style="margin: 0px;padding: 0px;color: rgb(51, 51, 51);font-family: "Lucida Grande", "Trebuchet MS", Verdana, Helvetica, Arial, sans-serif;font-size: 13px;background-color: rgb(225, 235, 242)"><span style="color: rgb(51, 51, 51);font-family: "Lucida Grande", "Trebuchet MS", Verdana, Helvetica, Arial, sans-serif;font-size: 13px;background-color: rgb(225, 235, 242)">I know this error is well known but I'm beyond the point of re-installing the driver and such, I'm more trying to find an "officially supported" way to avoid this.</span><br style="margin: 0px;padding: 0px;color: rgb(51, 51, 51);font-family: "Lucida Grande", "Trebuchet MS", Verdana, Helvetica, Arial, sans-serif;font-size: 13px;background-color: rgb(225, 235, 242)"><br style="margin: 0px;padding: 0px;color: rgb(51, 51, 51);font-family: "Lucida Grande", "Trebuchet MS", Verdana, Helvetica, Arial, sans-serif;font-size: 13px;background-color: rgb(225, 235, 242)"><span style="color: rgb(51, 51, 51);font-family: "Lucida Grande", "Trebuchet MS", Verdana, Helvetica, Arial, sans-serif;font-size: 13px;background-color: rgb(225, 235, 242)">We are developing an Anti-malware (minifilter based) and I've noticed when the VBox driver is loaded AFTER our minifilter it works fine. When it's the opposite (VBox BEFORE our filter) the error occurs because Virtualbox is probably enumerating \Driver directory and compares to a whitelist.</span><br style="margin: 0px;padding: 0px;color: rgb(51, 51, 51);font-family: "Lucida Grande", "Trebuchet MS", Verdana, Helvetica, Arial, sans-serif;font-size: 13px;background-color: rgb(225, 235, 242)"><br style="margin: 0px;padding: 0px;color: rgb(51, 51, 51);font-family: "Lucida Grande", "Trebuchet MS", Verdana, Helvetica, Arial, sans-serif;font-size: 13px;background-color: rgb(225, 235, 242)"><span style="color: rgb(51, 51, 51);font-family: "Lucida Grande", "Trebuchet MS", Verdana, Helvetica, Arial, sans-serif;font-size: 13px;background-color: rgb(225, 235, 242)">We don't have anything injecting DLLs into it, so I have no idea what is the requirement for VirtualBox not detecting our driver (also it's EV-signed and by Microsoft portal as well).</span><br style="margin: 0px;padding: 0px;color: rgb(51, 51, 51);font-family: "Lucida Grande", "Trebuchet MS", Verdana, Helvetica, Arial, sans-serif;font-size: 13px;background-color: rgb(225, 235, 242)"><br style="margin: 0px;padding: 0px;color: rgb(51, 51, 51);font-family: "Lucida Grande", "Trebuchet MS", Verdana, Helvetica, Arial, sans-serif;font-size: 13px;background-color: rgb(225, 235, 242)"><span style="color: rgb(51, 51, 51);font-family: "Lucida Grande", "Trebuchet MS", Verdana, Helvetica, Arial, sans-serif;font-size: 13px;background-color: rgb(225, 235, 242)">The logs isn't really helpful to me as there's no mention of what test failed, nor mention of our minifilter (but I'm sure it's the issue, by playing with start/stop)</span><br style="margin: 0px;padding: 0px;color: rgb(51, 51, 51);font-family: "Lucida Grande", "Trebuchet MS", Verdana, Helvetica, Arial, sans-serif;font-size: 13px;background-color: rgb(225, 235, 242)"><br style="margin: 0px;padding: 0px;color: rgb(51, 51, 51);font-family: "Lucida Grande", "Trebuchet MS", Verdana, Helvetica, Arial, sans-serif;font-size: 13px;background-color: rgb(225, 235, 242)"><span style="color: rgb(51, 51, 51);font-family: "Lucida Grande", "Trebuchet MS", Verdana, Helvetica, Arial, sans-serif;font-size: 13px;background-color: rgb(225, 235, 242)">Has anyone from Antivirus company ever bypassed this ?</span><div>If this is private information, can anyone contact me directly to work this out ?</div><div><br style="margin: 0px;padding: 0px;color: rgb(51, 51, 51);font-family: "Lucida Grande", "Trebuchet MS", Verdana, Helvetica, Arial, sans-serif;font-size: 13px;background-color: rgb(225, 235, 242)"><span style="color: rgb(51, 51, 51);font-family: "Lucida Grande", "Trebuchet MS", Verdana, Helvetica, Arial, sans-serif;font-size: 13px;background-color: rgb(225, 235, 242)">Thanks,</span><br><div class="mb_sig"></div><div class="mb_sig"></div></div><div><span style="color: rgb(51, 51, 51);font-family: "Lucida Grande", "Trebuchet MS", Verdana, Helvetica, Arial, sans-serif;font-size: 13px;background-color: rgb(225, 235, 242)">Adlice Software</span></div><div><span style="color: rgb(51, 51, 51);font-family: "Lucida Grande", "Trebuchet MS", Verdana, Helvetica, Arial, sans-serif;font-size: 13px;background-color: rgb(225, 235, 242)"><br></span></div><div><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)">2ef4.43c: NtOpenDirectoryObject failed on \Driver: 0xc0000022</span><br style="margin: 0px;padding: 0px;color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"> 2ef4.43c: supR3HardenedWinFindAdversaries: 0x0</span><br style="margin: 0px;padding: 0px;color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"> 2ef4.43c: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox'</span><br style="margin: 0px;padding: 0px;color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"> 2ef4.43c: Calling main()</span><br style="margin: 0px;padding: 0px;color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"> 2ef4.43c: SUPR3HardenedMain: pszProgName=VirtualBoxVM fFlags=0x2</span><br style="margin: 0px;padding: 0px;color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"> 2ef4.43c: supR3HardenedWinInitAppBin(0x2): '\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox'</span><br style="margin: 0px;padding: 0px;color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"> 2ef4.43c: '\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe' has no imports</span><br style="margin: 0px;padding: 0px;color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"> 2ef4.43c: supHardenedWinVerifyImageByHandle: -> 24202 (\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe)</span><br style="margin: 0px;padding: 0px;color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"> 2ef4.43c: SUPR3HardenedMain: Respawn #2</span><br style="margin: 0px;padding: 0px;color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"> 2ef4.43c: supR3HardNtEnableThreadCreationEx:</span><br style="margin: 0px;padding: 0px;color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"> 2ef4.43c: supR3HardenedDllNotificationCallback: load 00007ffecc270000 LB 0x00120000 C:\WINDOWS\System32\RPCRT4.dll [fFlags=0x0]</span><br style="margin: 0px;padding: 0px;color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"> 2ef4.43c: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume3\Windows\System32\rpcrt4.dll)</span><br style="margin: 0px;padding: 0px;color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"> 2ef4.43c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume3\Windows\System32\rpcrt4.dll</span><br style="margin: 0px;padding: 0px;color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"> 2ef4.43c: supR3HardenedDllNotificationCallback: load 00007ffecd4b0000 LB 0x00097000 C:\WINDOWS\System32\sechost.dll [fFlags=0x0]</span><br style="margin: 0px;padding: 0px;color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"> 2ef4.43c: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #11 'rpcrt4.dll'.</span><br style="margin: 0px;padding: 0px;color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"> 2ef4.43c: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume3\Windows\System32\sechost.dll)</span><br style="margin: 0px;padding: 0px;color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"> 2ef4.43c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume3\Windows\System32\sechost.dll</span><br style="margin: 0px;padding: 0px;color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"> 2ef4.43c: '\Device\HarddiskVolume3\Windows\System32\ntdll.dll' has no imports</span><br style="margin: 0px;padding: 0px;color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"> 2ef4.43c: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume3\Windows\System32\ntdll.dll)</span><br style="margin: 0px;padding: 0px;color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"> 2ef4.43c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume3\Windows\System32\ntdll.dll</span><br style="margin: 0px;padding: 0px;color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"> 2ef4.43c: supR3HardenedWinVerifyCacheProcessImportTodos: Processing 'rpcrt4.dll'...</span><br style="margin: 0px;padding: 0px;color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"> 2ef4.43c: supR3HardenedWinVerifyCacheProcessImportTodos: 'rpcrt4.dll' -> '\Device\HarddiskVolume3\Windows\System32\rpcrt4.dll' [rcNtRedir=0xc0150008]</span><br style="margin: 0px;padding: 0px;color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"> 2ef4.43c: supR3HardenedScreenImage/Imports: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume3\Windows\System32\rpcrt4.dll [lacks WinVerifyTrust]</span><br style="margin: 0px;padding: 0px;color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"> 2ef4.43c: supR3HardenedMonitor_LdrLoadDll: pName=C:\WINDOWS\System32\ntdll.dll (Input=ntdll.dll, rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000000801:<flags> [calling]</span><br style="margin: 0px;padding: 0px;color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"> 2ef4.43c: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffece100000 'C:\WINDOWS\System32\ntdll.dll'</span><br style="margin: 0px;padding: 0px;color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"> 2ef4.43c: Error -104 in supR3HardenedWinReSpawn! (enmWhat=5)</span><br style="margin: 0px;padding: 0px;color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"> 2ef4.43c: Error relaunching VirtualBox VM process: 5</span><br style="margin: 0px;padding: 0px;color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"><span style="color: rgb(46, 139, 87);font-family: Monaco, "Andale Mono", "Courier New", Courier, mono;font-size: 11.7px;background-color: rgb(255, 255, 255)"> Command line: '60eaff78-4bdd-042d-2e72-669728efd737-suplib-3rdchild --comment "Windows 10x64 - 1903" --startvm bac20d47-9bce-4e8b-ba5e-61685372e1ec --no-startvm-errormsgbox "--sup-hardening-log=E:\VBox\Test\Windows 10x64 - 1903\Logs\VBoxHardening.log"'</span><span style="color: rgb(51, 51, 51);font-family: "Lucida Grande", "Trebuchet MS", Verdana, Helvetica, Arial, sans-serif;font-size: 13px;background-color: rgb(225, 235, 242)"><br></span></div><div><span style="color: rgb(51, 51, 51);font-family: "Lucida Grande", "Trebuchet MS", Verdana, Helvetica, Arial, sans-serif;font-size: 13px;background-color: rgb(225, 235, 242)"><br></span></div></div></div></blockquote>
</div></div></div></blockquote>
</div></div>