Crash when injection dll into VirtualBox

c++ / delphi package - dll injection and api hooking

Post by marcusssong » Wed Apr 26, 2017 1:47 pm

I'm using madCodeHook 4.0.2 and injecting a DLL into all processes.

On Win7 (64-bit), when I inject the DLL into VirtualBox.exe, VirtualBox cannot run anymore.

I can run VBoxSVC.exe but cannot run a virtual machine.

Even when I removed the hooking code, it still cannot run.

Here is my DllMain source.
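Code:
    #include <windows.h>
    // InitializeMadCHook / FinalizeMadCHook are declared in the madCodeHook C++ header.

    BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
    {
        switch( ul_reason_for_call )
        {
            // PROCESS
            case DLL_PROCESS_ATTACH:
            {
                // No per-thread work is done, so skip thread attach/detach notifications.
                DisableThreadLibraryCalls( hModule );
                InitializeMadCHook();

                // Hook installation is disabled here; the problem still reproduces.
                //HookWorker( hModule );
                break;
            }
            case DLL_PROCESS_DETACH:
            {
                FinalizeMadCHook();
                break;
            }

            // THREAD
            case DLL_THREAD_ATTACH:
            case DLL_THREAD_DETACH:
                break;
        }
        return TRUE;
    }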

Here is the original VirtualBox process tree:

VBoxSVC.exe
L VirtualBox.exe
L VirtualBox.exe
L VirtualBox.exe

But when I inject the DLL, then:

VBoxSVC.exe
L VirtualBox.exe
L VirtualBox.exe

and the error occurs in VirtualBox after a few minutes.

I think the DLL cannot be injected into the last VirtualBox.exe, or VirtualBox.exe detects the injection, so it didn't work like this... but it runs well on Win10.

How can I solve this problem? I have to inject into VirtualBox :cry:

Thanks.
marcusssong
 
Posts: 8
Joined: Wed Apr 26, 2017 1:14 pm

Re: Crash when injection dll into VirtualBox

Post by madshi » Wed Apr 26, 2017 10:57 pm

Can you please double check if the same issue occurs with this demo:

http://madshi.net/PrintMonitor.zip

Please run it as is (compiled by me), to rule out any problem with your linker/code signing etc. Thanks!
madshi
Site Admin
 
Posts: 9388
Joined: Sun Mar 21, 2004 5:25 pm

Re: Crash when injection dll into VirtualBox

Post by marcusssong » Thu Apr 27, 2017 12:26 am

I ran the demo that you uploaded, but got the same result :cry:

Thanks.

Re: Crash when injection dll into VirtualBox

Post by marcusssong » Thu Apr 27, 2017 4:07 am

And I tried VirtualBox versions 5.0.30 and 5.1.20.

Thx.

Re: Crash when injection dll into VirtualBox

Post by iconic » Thu Apr 27, 2017 10:53 am

Upload your VBoxHardening.log file. I reproduced the issue on my machine with PrintMonitor. The error log shows VBox setting up a load image callback (LdrRegisterDllNotification exported by NTDLL) with which it monitors dynamically loaded DLLs, checks their signatures (WinVerifyTrust), etc. as part of the security hardening. The error appears after NtCreateSection is called, according to the log.

Code:
ef0.868: Registered Dll notification callback with NTDLL.
ef0.868: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume2\Windows\System32\kernel32.dll)
ef0.868: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Windows\System32\kernel32.dll
ef0.868: supR3HardenedMonitor_LdrLoadDll: pName=C:\Windows\system32\kernel32.dll (Input=kernel32.dll, rcNtResolve=0xc0150008) *pfFlags=0xffffffff pwszSearchPath=0000000000000000:<flags> [calling]
ef0.868: supR3HardenedScreenImage/NtCreateSection: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume2\Windows\System32\kernel32.dll [lacks WinVerifyTrust]
f1c.4f8: Error (rc=258):
f1c.4f8: Timed out after 60001 ms waiting for child request #1 (CloseEvents).
f1c.4f8: Error 258 in supR3HardNtChildWaitFor! (enmWhat=5)
f1c.4f8: Timed out after 60001 ms waiting for child request #1 (CloseEvents).


--Iconic
iconic
 
Posts: 807
Joined: Wed Jun 08, 2005 5:08 am
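
The reading of the hardening log in the post above can be done mechanically. The following is an added example, not code from the thread, madCodeHook or VirtualBox: it groups log lines by process ID, pulls out the parent's timeout and the images marked `[lacks WinVerifyTrust]`, and shows the last thing the other process logged. The function names and the "process without a timeout is the waited-on child" rule are assumptions made for this sketch.

```python
import re

# Lines copied from the log excerpt quoted in the thread; format is <pid hex>.<tid hex>: <message>
SAMPLE_LOG = r"""
ef0.868: Registered Dll notification callback with NTDLL.
ef0.868: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume2\Windows\System32\kernel32.dll)
ef0.868: supR3HardenedScreenImage/NtCreateSection: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume2\Windows\System32\kernel32.dll [lacks WinVerifyTrust]
f1c.4f8: Error (rc=258):
f1c.4f8: Timed out after 60001 ms waiting for child request #1 (CloseEvents).
f1c.4f8: Error 258 in supR3HardNtChildWaitFor! (enmWhat=5)
"""

LINE_RE = re.compile(r"^([0-9a-f]+)\.([0-9a-f]+): (.*)$")
TIMEOUT_RE = re.compile(r"Timed out after (\d+) ms waiting for child request #\d+ \((\w+)\)")
FAILED_IN_RE = re.compile(r"Error (\d+) in (\w+)!")
UNVERIFIED_RE = re.compile(r" on (.+?) \[lacks WinVerifyTrust\]")

def parse(text):
    """Return {pid: [message, ...]} in log order; non-matching lines are skipped."""
    procs = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            procs.setdefault(m.group(1), []).append(m.group(3))
    return procs

def triage(text):
    """Summarise which process timed out, where, and what the other one logged last."""
    procs = parse(text)
    report = {"timeouts": {}, "failed_in": {}, "last_message": {}, "unverified": []}
    for pid, msgs in procs.items():
        for msg in msgs:
            if (m := TIMEOUT_RE.search(msg)):
                report["timeouts"][pid] = (int(m.group(1)), m.group(2))
            if (m := FAILED_IN_RE.search(msg)):
                report["failed_in"][pid] = (int(m.group(1)), m.group(2))
            if (m := UNVERIFIED_RE.search(msg)) and m.group(1) not in report["unverified"]:
                report["unverified"].append(m.group(1))
    # Assumption: a process that never logged a timeout is the child being
    # waited on; its final message marks where it stopped making progress.
    for pid, msgs in procs.items():
        if pid not in report["timeouts"]:
            report["last_message"][pid] = msgs[-1]
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

On a full VBoxHardening.log, pass the file contents to `triage()`; the `last_message` entry is the line to compare against the hooks and callbacks the injector installs.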

Re: Crash when injection dll into VirtualBox

Post by iconic » Thu Apr 27, 2017 11:32 am

The code containing the ntdll hooks and image callback used in VBox is here: https://www.virtualbox.org/svn/vbox/tru ... in-win.cpp

--Iconic

Re: Crash when injection dll into VirtualBox

Post by marcusssong » Fri Apr 28, 2017 12:53 am

There is the same error when I use my DLL.

Code:
1cc.f50: ntdll.dll: timestamp 0x4ce7b96e (rc=VINF_SUCCESS)
1cc.f50: New simple heap: #1 00270000 LB 0x400000 (for 1294336 allocation)
1cc.f50: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume1\Program Files\Oracle\VirtualBox'
1cc.f50: System32:  \Device\HarddiskVolume1\Windows\System32
1cc.f50: WinSxS:    \Device\HarddiskVolume1\Windows\winsxs
1cc.f50: KnownDllPath: C:\Windows\system32
1cc.f50: supR3HardenedVmProcessInit: Opening vboxdrv stub...
1cc.f50: supR3HardenedVmProcessInit: Restoring LdrInitializeThunk...
1cc.f50: supR3HardenedVmProcessInit: Returning to LdrInitializeThunk...
1cc.f50: Registered Dll notification callback with NTDLL.
1cc.f50: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume1\Windows\System32\kernel32.dll)
1cc.f50: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume1\Windows\System32\kernel32.dll
1cc.f50: supR3HardenedMonitor_LdrLoadDll: pName=C:\Windows\system32\kernel32.dll (Input=kernel32.dll, rcNtResolve=0xc0150008) *pfFlags=0xffffffff pwszSearchPath=00000000:<flags> [calling]
1cc.f50: supR3HardenedScreenImage/NtCreateSection: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume1\Windows\System32\kernel32.dll [lacks WinVerifyTrust]
780.74c: supR3HardNtEnableThreadCreation:
780.74c: Error (rc=258):
780.74c: Timed out after 60005 ms waiting for child request #1 (CloseEvents).
780.74c: Error 258 in supR3HardNtChildWaitFor! (enmWhat=5)
780.74c: Timed out after 60005 ms waiting for child request #1 (CloseEvents).


I also posted on the VBox forum and they said:
"If the application injects a DLL then that DLL must have a valid signature. There is no way around that. If yours doesn't then you should report the problem to your AV vendor, or check out any updates they've made available."

But I already signed the DLL and it runs well on Win10 :confused:

Thx.

Re: Crash when injection dll into VirtualBox

Post by iconic » Fri Apr 28, 2017 5:17 am

The VBox forum will not be of help to you. The issue directly involves madCodeHook's injection driver itself, not your hook DLL or the signature placed on it. The reason I know this is because I used my own kernel injection package and injected PrintMonitor's hook DLLs 100% just fine, so I can certainly say, without guessing, that I've ruled out the hooking aspect of MCH as well as the code certificate signatures applied to the injected DLLs; they're valid and accepted by VBox. The MCH driver (only responsible for injecting into new processes) hooks NtTestAlert(), which is a native API; VBox also hooks some native APIs, if you look at my previous post referencing the source code module responsible for the crash. An issue could very well be there. But, according to the log, the error is occurring right after NtCreateSection() is called and, iirc (no source for MCH here), the MCH driver uses NtCreateSection() in order to relocate the injection stub into the newly created process. So, it's likely one of the two things I've noted that is creating the conflict with VBox. I don't have time to debug, maybe tomorrow however, but I am sure Madshi will get around to this eventually once he sees this thread, so please be patient ;)

--Iconic

Re: Crash when injection dll into VirtualBox

Post by marcusssong » Fri Apr 28, 2017 9:12 am

Okay, I will wait for it :D

Thank you :crazy:

Re: Crash when injection dll into VirtualBox

Post by madshi » Sat May 06, 2017 5:43 pm

I'm not using NtCreateSection. The driver installs a user mode NtTestAlert hook, and in the hook callback I'm calling LdrLoadDll. It's a relatively simple solution.

Not sure where the problem is coming from. I'll try to reproduce this here.

Re: Crash when injection dll into VirtualBox

Post by iconic » Sat May 06, 2017 6:44 pm

Madshi,

Are you absolutely sure you're not using such calls? I see 4 references to ZwCreateSection(), not Nt* but accomplishes the same thing, in your DemoDriver64.sys (which was signed on April 20th, 2017 and distributed with PrintMonitor). Some of those calls appear to be located inside a loadimage callback. Maybe you've left other code in that's just not being executed?

--Iconic

Re: Crash when injection dll into VirtualBox

Post by madshi » Sat May 06, 2017 7:25 pm

Yes, I use those calls inside of the driver to temporarily map dlls into RAM to do some checks, e.g. signature verification. But these calls are not part of the actual DLL injection.

Re: Crash when injection dll into VirtualBox

Post by madshi » Thu Jul 13, 2017 12:03 pm

The problem should finally be fixed in this build:

http://madshi.net/madCollectionBeta.exe (installer 2.8.2.13)

Can you confirm?

Re: Crash when injection dll into VirtualBox

Post by marcusssong » Fri Jul 14, 2017 12:24 pm

I did test it and it works very well :crazy:

Thanks very much.

Re: Crash when injection dll into VirtualBox

Post by madshi » Fri Jul 14, 2017 12:34 pm

Glad to hear that, thanks for reporting back!

New official build out now:

http://madshi.net/madCollection.exe (installer 2.8.3.0)