This repository has been archived by the owner on Apr 2, 2023. It is now read-only.

Issue on Driver "vboxdrv" ! #44

Closed
Whibelf2 opened this issue Jan 4, 2019 · 8 comments

Whibelf2 commented Jan 4, 2019

When I run the install.cmd script, apparently everything runs fine except for vboxdrv; it looks like the patch deletes the VirtualBox driver. I have to open the default VirtualBox folder and install the driver manually.

C:\Program Files\Oracle\VirtualBox\drivers\vboxdrv

After manually installing vboxdrv, we need to run "net start vboxdrv" again.


hfiref0x commented Jan 4, 2019

It should not. The loader uses TDL to load the driver, which backs up the original vboxdrv.sys as vboxdrv.backup if it detects it is loaded. A full log from install.cmd is required to figure out what is wrong here.

Moreover, there are no changes regarding the driver installation part in this version.


Whibelf2 commented Jan 4, 2019

It should not. The loader uses TDL to load the driver, which backs up the original vboxdrv.sys as vboxdrv.backup if it detects it is loaded. A full log from install.cmd is required to figure out what is wrong here.

Moreover, there are no changes regarding the driver installation part in this version.

Where is the path of the full log from install.cmd?


hfiref0x commented Jan 4, 2019

There is no log file; the log is only printed to the console output. The only component that can delete vboxdrv.sys is tdl.exe. So please save the console window output next time if this behavior is reproduced.


Whibelf2 commented Jan 4, 2019

C:\VBoxLdr>install

C:\VBoxLdr>REM Append full patch to tdl.exe/tsugumi.sys and run this batch file elevated
Run TDL (tdl.exe tsugumi.sys)
Press any key to continue. . .
Turla Driver Loader v1.1.3 started
(c) 2016 - 2018 TDL Project
Supported x64 OS : 7 and above

Ldr: Windows v10.0 build 17763
SCM: Vulnerable driver loaded and opened
Ldr: Kernel base = 0xFFFFF8074F2A1000
Ldr: Input driver file loaded at 0x00007FF710330000
Ldr: Loading ntoskrnl.exe
Ldr: ntoskrnl.exe loaded at 0x00007FF75A500000
Ldr: ExAllocatePoolWithTag 0xFFFFF8074F5EA030
Ldr: Shellcode allocated at 0x000001B297C00000
Ldr: Windows 10 RS2+ bootstrap shellcode selected
Ldr: Resolving kernel import
Ldr: Executing exploit
Ldr: OpenLdr.u.Out.pvImageBase = 0xFFFF8B0240C7E080
Ldr: SUP_IOCTL_LDR_LOAD, success
Shellcode mapped at 0xFFFF8B0240C7E080, size = 0x00008000
Driver image mapped at 0xFFFF8B0240C7E38A
Ldr: SUP_IOCTL_SET_VM_FOR_FAST call complete
Ldr: SUP_IOCTL_FAST_DO_NOP
Ldr: SUP_IOCTL_LDR_FREE
SCM: Unloading vulnerable driver
SCM: Vulnerable driver successfully unloaded
SCM: Driver entry removed from registry
Ldr: Driver file removed
Run loader
Press any key to continue. . .
ECHO is disabled.
Running loader
VirtualBox Hardened Loader v1.10.0.1901

Pattern matching: 'VBOX'

FACP 0x000314BD
RSDT 0x00031724
XSDT 0x00031877
APIC 0x00031AC2
HPET 0x00031C64
MCFG 0x00031D68
VBOXCPU 0x0003BC40
VBOX 0x0012625D

Pattern matching: 'VirtualBox'

VirtualBox 0x0012BA30
VirtualBox__ 0x0013A7A8
VirtualBox GIM 0x0013AE78
VirtualBox VMM 0x0013B600

Pattern matching: Configuration

Cfg 0x001379BB

Pattern matching: Hardware ID

80EE 0x0000906C
80EE 0x0001E329
80EE 0x0001E349
80EE 0x000439D2
BEEF 0x0001E33B
BEEF 0x0001E351
CAFE 0x000439E7
Ldr: Patch table created
Ldr: Tsugumi patch table parameters set
Ldr: Tsugumi device handle opened = 152
Ldr: TSUGUMI_IOCTL_REFRESH_LIST request successful
Ldr: purge system cache
Ldr: supRestartVBoxDrv = 0x00000424
Ldr: exit
The service name is invalid.

For more help, type NET HELPMSG 2185.


Whibelf2 commented Jan 4, 2019

If you need a pic of the console, just say; I'll go get one now.


hfiref0x commented Jan 4, 2019

It seems there is a "bug" in tdl. More specifically, I forgot to remove debug comments.

See this line

https://github.com/hfiref0x/TDL/blob/master/Source/Furutaka/main.c#L871

#if 0
...
#endif

This little comment makes the variable g_VBoxInstalled always false, so no backup/restore code is involved.

https://github.com/hfiref0x/TDL/blob/master/Source/Furutaka/main.c#L624
https://github.com/hfiref0x/TDL/blob/master/Source/Furutaka/main.c#L646

That embarrassing bug wasn't noticed, probably because most tdl users don't use it with VirtualBox on the same machine.

It was added in TDL 1.1.3, and the previous VBoxHardenedLoader version used tdl 1.1.2 without this "addition".

So, before I fix this TDL misbehavior, I advise you to use tdl.exe from the previous VBox loader commit (tdl v1.1.2, if not mistaken).

@hfiref0x hfiref0x added the bug label Jan 4, 2019
@hfiref0x hfiref0x self-assigned this Jan 4, 2019
hfiref0x added a commit that referenced this issue Jan 5, 2019
Updated TDL to v1.1.4 to address #44

hfiref0x commented Jan 5, 2019

Well, now it should work like before.


Whibelf2 commented Jan 5, 2019

Loader working fine now!

Thanks for this wonderful work. :)
