[vbox-dev] Anti-malware: VirtualBox error STATUS_OBJECT_NAME_NOT_FOUND when Minifilter is loaded

Tigzy Rk tigzyrk at gmail.com
Thu Dec 19 12:46:14 GMT 2019


Hello,
I know this error is well known, but I'm beyond the point of re-installing
the driver and such; I'm more trying to find an "officially supported" way
to avoid this.

We are developing an anti-malware product (minifilter based), and I've noticed
that when the VBox driver is loaded AFTER our minifilter it works fine. When
it's the opposite (VBox BEFORE our filter), the error occurs, because VirtualBox
is probably enumerating the \Driver directory and comparing it to a whitelist.

We don't have anything injecting DLLs into it, so I have no idea what the
requirement is for VirtualBox not to detect our driver (it's also EV-signed,
and signed via the Microsoft portal as well).

The log isn't really helpful to me, as there's no mention of which test
failed, nor of our minifilter (but I'm sure it's the issue, from playing
with start/stop).

Has anyone from an antivirus company ever bypassed this?
If this is private information, can anyone contact me directly to work this
out?

Thanks,
Adlice Software

2ef4.43c: NtOpenDirectoryObject failed on \Driver: 0xc0000022
2ef4.43c: supR3HardenedWinFindAdversaries: 0x0
2ef4.43c: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox'
2ef4.43c: Calling main()
2ef4.43c: SUPR3HardenedMain: pszProgName=VirtualBoxVM fFlags=0x2
2ef4.43c: supR3HardenedWinInitAppBin(0x2): '\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox'
2ef4.43c: '\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe' has no imports
2ef4.43c: supHardenedWinVerifyImageByHandle: -> 24202 (\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe)
2ef4.43c: SUPR3HardenedMain: Respawn #2
2ef4.43c: supR3HardNtEnableThreadCreationEx:
2ef4.43c: supR3HardenedDllNotificationCallback: load 00007ffecc270000 LB 0x00120000 C:\WINDOWS\System32\RPCRT4.dll [fFlags=0x0]
2ef4.43c: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume3\Windows\System32\rpcrt4.dll)
2ef4.43c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume3\Windows\System32\rpcrt4.dll
2ef4.43c: supR3HardenedDllNotificationCallback: load 00007ffecd4b0000 LB 0x00097000 C:\WINDOWS\System32\sechost.dll [fFlags=0x0]
2ef4.43c: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #11 'rpcrt4.dll'.
2ef4.43c: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume3\Windows\System32\sechost.dll)
2ef4.43c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume3\Windows\System32\sechost.dll
2ef4.43c: '\Device\HarddiskVolume3\Windows\System32\ntdll.dll' has no imports
2ef4.43c: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume3\Windows\System32\ntdll.dll)
2ef4.43c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume3\Windows\System32\ntdll.dll
2ef4.43c: supR3HardenedWinVerifyCacheProcessImportTodos: Processing 'rpcrt4.dll'...
2ef4.43c: supR3HardenedWinVerifyCacheProcessImportTodos: 'rpcrt4.dll' -> '\Device\HarddiskVolume3\Windows\System32\rpcrt4.dll' [rcNtRedir=0xc0150008]
2ef4.43c: supR3HardenedScreenImage/Imports: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume3\Windows\System32\rpcrt4.dll [lacks WinVerifyTrust]
2ef4.43c: supR3HardenedMonitor_LdrLoadDll: pName=C:\WINDOWS\System32\ntdll.dll (Input=ntdll.dll, rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000000801:<flags> [calling]
2ef4.43c: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffece100000 'C:\WINDOWS\System32\ntdll.dll'
2ef4.43c: Error -104 in supR3HardenedWinReSpawn! (enmWhat=5)
2ef4.43c: Error relaunching VirtualBox VM process: 5
Command line: '60eaff78-4bdd-042d-2e72-669728efd737-suplib-3rdchild --comment "Windows 10x64 - 1903" --startvm bac20d47-9bce-4e8b-ba5e-61685372e1ec --no-startvm-errormsgbox "--sup-hardening-log=E:\VBox\Test\Windows 10x64 - 1903\Logs\VBoxHardening.log"'

-- 
Tigzy
Malware analyst. Reverser.
C/C++ Developer

@tigzyRK <https://twitter.com/TigzyRK> - adlice.com <http://www.adlice.com/>
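A diagnostic that reproduces the first failing step visible in the hardening log above (NtOpenDirectoryObject on an object-manager directory, which the log shows returning 0xc0000022) and then enumerates that directory so you can compare what is visible with the VBox driver and the minifilter in each load order. This is an added example for the thread, not code from VirtualBox or from the original poster, and it makes no claim about what VirtualBox's hardening actually compares against. The -DriverName value is a placeholder assumption; replace it with your own driver object name.

```powershell
# Added diagnostic example; not code from VirtualBox or from the original post.
# Repeats, from user mode, the first failing step in the hardening log:
# NtOpenDirectoryObject on an object-manager directory, then enumerates it so
# you can see which driver objects are visible and whether your filter is among them.
# Run elevated, with VBox and your minifilter in both load orders, and diff the output.
param(
    [string] $Directory  = '\Driver',
    [string] $DriverName = 'MyMinifilter'   # assumption: replace with your driver object name
)

$src = @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public static class ObjDir
{
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }

    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_ATTRIBUTES
    {
        public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService;
    }

    // One entry of the array NtQueryDirectoryObject fills; the array ends with an all-zero entry.
    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_DIRECTORY_INFORMATION { public UNICODE_STRING Name; public UNICODE_STRING TypeName; }

    [DllImport("ntdll.dll")] static extern int NtOpenDirectoryObject(out IntPtr h, uint access, ref OBJECT_ATTRIBUTES oa);
    [DllImport("ntdll.dll")] static extern int NtQueryDirectoryObject(IntPtr h, IntPtr buf, uint len,
        [MarshalAs(UnmanagedType.U1)] bool single, [MarshalAs(UnmanagedType.U1)] bool restart, ref uint ctx, out uint retLen);
    [DllImport("ntdll.dll")] static extern int NtClose(IntPtr h);

    const uint DIRECTORY_QUERY = 0x0001, DIRECTORY_TRAVERSE = 0x0002, OBJ_CASE_INSENSITIVE = 0x40;
    const int  STATUS_MORE_ENTRIES = 0x105;

    // Returns the NTSTATUS of the open (0 on success); on success 'entries' receives "TypeName Name" lines.
    public static int Enumerate(string path, List<string> entries)
    {
        IntPtr name = Marshal.StringToHGlobalUni(path);
        var us = new UNICODE_STRING { Length = (ushort)(path.Length * 2), MaximumLength = (ushort)(path.Length * 2 + 2), Buffer = name };
        IntPtr pus = Marshal.AllocHGlobal(Marshal.SizeOf(us));
        Marshal.StructureToPtr(us, pus, false);
        var oa = new OBJECT_ATTRIBUTES { Length = Marshal.SizeOf(typeof(OBJECT_ATTRIBUTES)), ObjectName = pus, Attributes = OBJ_CASE_INSENSITIVE };

        IntPtr h;
        int status = NtOpenDirectoryObject(out h, DIRECTORY_QUERY | DIRECTORY_TRAVERSE, ref oa);
        Marshal.FreeHGlobal(pus); Marshal.FreeHGlobal(name);
        if (status < 0) return status;              // e.g. 0xC0000022 STATUS_ACCESS_DENIED, 0xC0000034 STATUS_OBJECT_NAME_NOT_FOUND

        const uint bufLen = 64 * 1024;
        IntPtr buf = Marshal.AllocHGlobal((int)bufLen);
        uint ctx = 0, ret;
        try
        {
            bool first = true;
            do
            {
                status = NtQueryDirectoryObject(h, buf, bufLen, false, first, ref ctx, out ret);
                first = false;
                if (status < 0) break;              // 0x8000001A STATUS_NO_MORE_ENTRIES, or a real error
                IntPtr p = buf;
                while (true)
                {
                    var odi = (OBJECT_DIRECTORY_INFORMATION)Marshal.PtrToStructure(p, typeof(OBJECT_DIRECTORY_INFORMATION));
                    if (odi.Name.Buffer == IntPtr.Zero) break;
                    entries.Add(Marshal.PtrToStringUni(odi.TypeName.Buffer, odi.TypeName.Length / 2) + " " +
                                Marshal.PtrToStringUni(odi.Name.Buffer, odi.Name.Length / 2));
                    p = (IntPtr)(p.ToInt64() + Marshal.SizeOf(odi));
                }
            } while (status == STATUS_MORE_ENTRIES);  // buffer was filled and more entries remain
        }
        finally { Marshal.FreeHGlobal(buf); NtClose(h); }
        return 0;
    }
}
'@
if (-not ('ObjDir' -as [type])) { Add-Type -TypeDefinition $src }

$entries = New-Object 'System.Collections.Generic.List[string]'
$status  = [ObjDir]::Enumerate($Directory, $entries)
$hex     = '{0:X8}' -f $status
if ($status -ne 0) {
    $why = switch ($hex) { 'C0000022' { 'STATUS_ACCESS_DENIED' } 'C0000034' { 'STATUS_OBJECT_NAME_NOT_FOUND' } default { 'see ntstatus.h' } }
    Write-Output ("NtOpenDirectoryObject({0}) failed: 0x{1} ({2})" -f $Directory, $hex, $why)
    exit 1
}
Write-Output ("{0} entries under {1}" -f $entries.Count, $Directory)
$hits = $entries | Where-Object { $_ -like "* $DriverName" }
if ($hits) { Write-Output "driver object present: $hits" } else { Write-Output "no '$DriverName' entry under $Directory" }
```

Two checks worth running alongside it: a file-system minifilter's driver object normally lives under \FileSystem rather than \Driver, so run the script a second time with -Directory '\FileSystem'; and `fltmc filters` / `fltmc instances` show whether the filter is loaded, at which altitude, and which volumes it is attached to, which is the quickest way to confirm the load-order difference the poster describes before reading the hardening log again.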