[vbox-dev] Re : Anti-malware: VirtualBox error STATUS_OBJECT_NAME_NOT_FOUND when Minifilter is loaded

Tigzy tigzyrk at gmail.com
Thu Jun 11 12:09:08 GMT 2020 

Hello, 
I'm updating this ticket since I haven't gotten any answer so far...
We are still running into this annoying issue, and the Anti-debugging tricks make it hard to debug. 
I've been tracing the 2 child processes created when running the VM, and it seems the 3rd layer is been given a wrong file path (that's the only reason I can see when reading the MSDN documentation for CreateProcess). 

Anyone can answer me ?
Thanks,

Le 09/12/2019 20:12:40, Tigzy <tigzyrk at gmail.com> a écrit :
Hello,
I know this error is well known but I'm beyond the point of re-installing the driver and such, I'm more trying to find an "officially supported" way to avoid this.

We are developing an Anti-malware (minifilter based) and I've noticed when the VBox driver is loaded AFTER our minifilter it works fine. When it's the opposite (VBox BEFORE our filter) the error occurs because Virtualbox is probably enumerating \Driver directory and compares to a whitelist.

We don't have anything injecting DLLs into it, so I have no idea what is the requirement for VirtualBox not detecting our driver (also it's EV-signed and by Microsoft portal as well).

The logs isn't really helpful to me as there's no mention of what test failed, nor mention of our minifilter (but I'm sure it's the issue, by playing with start/stop)

Has anyone from Antivirus company ever bypassed this ?
If this is private information, can anyone contact me directly to work this out ?

Thanks,

Adlice Software

2ef4.43c: NtOpenDirectoryObject failed on \Driver: 0xc0000022
    2ef4.43c: supR3HardenedWinFindAdversaries: 0x0
    2ef4.43c: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox'
    2ef4.43c: Calling main()
    2ef4.43c: SUPR3HardenedMain: pszProgName=VirtualBoxVM fFlags=0x2
    2ef4.43c: supR3HardenedWinInitAppBin(0x2): '\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox'
    2ef4.43c: '\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe' has no imports
    2ef4.43c: supHardenedWinVerifyImageByHandle: -> 24202 (\Device\HarddiskVolume3\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe)
    2ef4.43c: SUPR3HardenedMain: Respawn #2
    2ef4.43c: supR3HardNtEnableThreadCreationEx:
    2ef4.43c: supR3HardenedDllNotificationCallback: load   00007ffecc270000 LB 0x00120000 C:\WINDOWS\System32\RPCRT4.dll [fFlags=0x0]
    2ef4.43c: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume3\Windows\System32\rpcrt4.dll)
    2ef4.43c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume3\Windows\System32\rpcrt4.dll
    2ef4.43c: supR3HardenedDllNotificationCallback: load   00007ffecd4b0000 LB 0x00097000 C:\WINDOWS\System32\sechost.dll [fFlags=0x0]
    2ef4.43c: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #11 'rpcrt4.dll'.
    2ef4.43c: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume3\Windows\System32\sechost.dll)
    2ef4.43c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume3\Windows\System32\sechost.dll
    2ef4.43c: '\Device\HarddiskVolume3\Windows\System32\ntdll.dll' has no imports
    2ef4.43c: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume3\Windows\System32\ntdll.dll)
    2ef4.43c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume3\Windows\System32\ntdll.dll
    2ef4.43c: supR3HardenedWinVerifyCacheProcessImportTodos: Processing 'rpcrt4.dll'...
    2ef4.43c: supR3HardenedWinVerifyCacheProcessImportTodos: 'rpcrt4.dll' -> '\Device\HarddiskVolume3\Windows\System32\rpcrt4.dll' [rcNtRedir=0xc0150008]
    2ef4.43c: supR3HardenedScreenImage/Imports: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume3\Windows\System32\rpcrt4.dll [lacks WinVerifyTrust]
    2ef4.43c: supR3HardenedMonitor_LdrLoadDll: pName=C:\WINDOWS\System32\ntdll.dll (Input=ntdll.dll, rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000000801:<flags> [calling]
    2ef4.43c: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffece100000 'C:\WINDOWS\System32\ntdll.dll'
    2ef4.43c: Error -104 in supR3HardenedWinReSpawn! (enmWhat=5)
    2ef4.43c: Error relaunching VirtualBox VM process: 5
    Command line: '60eaff78-4bdd-042d-2e72-669728efd737-suplib-3rdchild --comment "Windows 10x64 - 1903" --startvm bac20d47-9bce-4e8b-ba5e-61685372e1ec --no-startvm-errormsgbox "--sup-hardening-log=E:\VBox\Test\Windows 10x64 - 1903\Logs\VBoxHardening.log"'

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.virtualbox.org/pipermail/vbox-dev/attachments/20200611/03069a75/attachment.html>

More information about the vbox-dev mailing list