Crash when injection dll into VirtualBox

marcusssong
Posts: 22
Joined: Wed Apr 26, 2017 1:14 pm

Crash when injection dll into VirtualBox

Post by marcusssong »

I'm using madCodeHook 4.0.2 and injecting a DLL into all processes.

In Win7 (64-bit), when I inject the DLL into VirtualBox.exe, VirtualBox cannot run anymore.

I can run VBoxSVC.exe but cannot run a virtual machine.

Even when I removed the hooking code, it still cannot run.

Here is my DllMain source.

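Code:

    #include <windows.h>
    #include "madCHook.h"   // madCodeHook C++ header

    BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
    {
        switch( ul_reason_for_call )
        {
            // PROCESS
            case DLL_PROCESS_ATTACH:
            {
                // No per-thread work is done, so skip thread attach/detach notifications.
                DisableThreadLibraryCalls( hModule );
                InitializeMadCHook();

                // Hook installation disabled for this test; VirtualBox still fails to run.
                //HookWorker( hModule );
                break;
            }
            case DLL_PROCESS_DETACH:
            {
                FinalizeMadCHook();
                break;
            }

            // THREAD
            case DLL_THREAD_ATTACH:
            case DLL_THREAD_DETACH:
                break;
        }
        return TRUE;
    }

Here is the original VirtualBox process tree: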

VBoxSVC.exe
L VirtualBox.exe
L VirtualBox.exe
L VirtualBox.exe

But when I inject the DLL, then:

VBoxSVC.exe
L VirtualBox.exe
L VirtualBox.exe

And VirtualBox shows the error after a few minutes.

I think the DLL cannot be injected into the last VirtualBox.exe, or VirtualBox.exe detects the injection, so it didn't work like this... but it runs well on Win10.

How can I solve this problem? I have to inject into VirtualBox :cry:

Thanks.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Crash when injection dll into VirtualBox

Post by madshi »

Can you please double check if the same issue occurs with this demo:

http://madshi.net/PrintMonitor.zip

Please run it as is (compiled by me), to rule out any problem with your linker/code signing etc. Thanks!
marcusssong
Posts: 22
Joined: Wed Apr 26, 2017 1:14 pm

Re: Crash when injection dll into VirtualBox

Post by marcusssong »

I ran the demo that you uploaded, but got the same result :cry:

Thanks.
marcusssong
Posts: 22
Joined: Wed Apr 26, 2017 1:14 pm

Re: Crash when injection dll into VirtualBox

Post by marcusssong »

And I tried VirtualBox versions 5.0.30 and 5.1.20.

Thx.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Crash when injection dll into VirtualBox

Post by iconic »

Upload your VBoxHardening.log file. I reproduced the issue on my machine with PrintMonitor. The error log shows VBox setting up a load image callback (LdrRegisterDllNotification exported by NTDLL) with which it monitors dynamically loaded DLLs, checks their signatures (WinVerifyTrust) etc. as part of the security hardening. The error appears after NtCreateSection is called according to the log.

Code:

ef0.868: Registered Dll notification callback with NTDLL.
ef0.868: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume2\Windows\System32\kernel32.dll)
ef0.868: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Windows\System32\kernel32.dll
ef0.868: supR3HardenedMonitor_LdrLoadDll: pName=C:\Windows\system32\kernel32.dll (Input=kernel32.dll, rcNtResolve=0xc0150008) *pfFlags=0xffffffff pwszSearchPath=0000000000000000:<flags> [calling]
ef0.868: supR3HardenedScreenImage/NtCreateSection: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume2\Windows\System32\kernel32.dll [lacks WinVerifyTrust]
f1c.4f8: Error (rc=258):
f1c.4f8: Timed out after 60001 ms waiting for child request #1 (CloseEvents).
f1c.4f8: Error 258 in supR3HardNtChildWaitFor! (enmWhat=5)
f1c.4f8: Timed out after 60001 ms waiting for child request #1 (CloseEvents).
--Iconic
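
Added example (not part of the original thread, and not VirtualBox or madCodeHook code): the way of reading VBoxHardening.log described in the post above, as a small Python triage script run over lines copied from that excerpt. The function names and the rule for pairing a waiting process with the stalled one (nearest earlier line from a different PID) are assumptions made for this sketch.

```python
import re

# Lines copied from the VBoxHardening.log excerpt quoted in the post above.
SAMPLE_LOG = r"""ef0.868: Registered Dll notification callback with NTDLL.
ef0.868: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume2\Windows\System32\kernel32.dll)
ef0.868: supR3HardenedScreenImage/NtCreateSection: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume2\Windows\System32\kernel32.dll [lacks WinVerifyTrust]
f1c.4f8: Error (rc=258):
f1c.4f8: Timed out after 60001 ms waiting for child request #1 (CloseEvents).
f1c.4f8: Error 258 in supR3HardNtChildWaitFor! (enmWhat=5)
f1c.4f8: Timed out after 60001 ms waiting for child request #1 (CloseEvents).
"""

# Every log line is "<hex pid>.<hex tid>: <message>".
LINE_RE = re.compile(r"^([0-9a-fA-F]+)\.([0-9a-fA-F]+): (.*)$")
TIMEOUT_RE = re.compile(
    r"Timed out after (\d+) ms waiting for child request #(\d+) \((\w+)\)")


def parse(log_text):
    """Return (pid, tid, message) tuples in file order."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return entries


def triage(log_text):
    """For each distinct child-wait timeout, report the other process's last step."""
    entries, findings, seen = parse(log_text), [], set()
    for i, (pid, _tid, msg) in enumerate(entries):
        t = TIMEOUT_RE.search(msg)
        if not t or (pid, t.group(2)) in seen:  # the log repeats the timeout line
            continue
        seen.add((pid, t.group(2)))
        # Assumption: the stalled process is the nearest earlier line from another PID.
        last = next((e for e in reversed(entries[:i]) if e[0] != pid), None)
        findings.append({
            "waiter_pid": pid,
            "waited_ms": int(t.group(1)),
            "request": t.group(3),
            "stalled_pid": last[0] if last else None,
            "last_step": last[2].split(": ", 1)[0] if last else None,
            "lacks_winverifytrust": bool(last and "[lacks WinVerifyTrust]" in last[2]),
        })
    return findings
```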
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Crash when injection dll into VirtualBox

Post by iconic »

Code containing ntdll hooks and image callback used in VBox here https://www.virtualbox.org/svn/vbox/tru ... in-win.cpp

--Iconic
marcusssong
Posts: 22
Joined: Wed Apr 26, 2017 1:14 pm

Re: Crash when injection dll into VirtualBox

Post by marcusssong »

There is the same error when I use my DLL.

Code:

1cc.f50: ntdll.dll: timestamp 0x4ce7b96e (rc=VINF_SUCCESS)
1cc.f50: New simple heap: #1 00270000 LB 0x400000 (for 1294336 allocation)
1cc.f50: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume1\Program Files\Oracle\VirtualBox'
1cc.f50: System32:  \Device\HarddiskVolume1\Windows\System32
1cc.f50: WinSxS:    \Device\HarddiskVolume1\Windows\winsxs
1cc.f50: KnownDllPath: C:\Windows\system32
1cc.f50: supR3HardenedVmProcessInit: Opening vboxdrv stub...
1cc.f50: supR3HardenedVmProcessInit: Restoring LdrInitializeThunk...
1cc.f50: supR3HardenedVmProcessInit: Returning to LdrInitializeThunk...
1cc.f50: Registered Dll notification callback with NTDLL.
1cc.f50: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume1\Windows\System32\kernel32.dll)
1cc.f50: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume1\Windows\System32\kernel32.dll
1cc.f50: supR3HardenedMonitor_LdrLoadDll: pName=C:\Windows\system32\kernel32.dll (Input=kernel32.dll, rcNtResolve=0xc0150008) *pfFlags=0xffffffff pwszSearchPath=00000000:<flags> [calling]
1cc.f50: supR3HardenedScreenImage/NtCreateSection: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume1\Windows\System32\kernel32.dll [lacks WinVerifyTrust]
780.74c: supR3HardNtEnableThreadCreation:
780.74c: Error (rc=258):
780.74c: Timed out after 60005 ms waiting for child request #1 (CloseEvents).
780.74c: Error 258 in supR3HardNtChildWaitFor! (enmWhat=5)
780.74c: Timed out after 60005 ms waiting for child request #1 (CloseEvents).

I also posted on the VBox forum and they said:
"If the application injects a DLL then that DLL must have a valid signature. There is no way around that. If yours doesn't then you should report the problem to your AV vendor, or check out any updates they've made available."

But I already signed the DLL and it runs well on Win10 :confused:

Thx.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Crash when injection dll into VirtualBox

Post by iconic »

The VBox forum will not be of help to you. The issue directly involves madCodeHook's injection driver itself, not your hook DLL or the signature placed on it. The reason I know this is because I used my own kernel injection package and injected PrintMonitor's hook DLLs 100% just fine so I can certainly say, without guessing, that I've ruled out the hooking aspect of MCH as well as the code certificate signatures applied to the injected DLLs, they're valid and accepted by VBox. MCH driver (only responsible for injecting into new processes) hooks NtTestAlert() which is a native API, VBox also hooks some native APIs if you look at my previous post referencing the source code module responsible for the crash. An issue could very well be there. But, according to the log the error is occurring right after NtCreateSection() is called and iirc (no source for MCH here) MCH driver uses NtCreateSection() in order to relocate the injection stub into the newly created process. So, it's likely one of the two things I've noted that are creating the conflict with VBox. I don't have time to debug, maybe tomorrow however, but I am sure Madshi will get around to this eventually once he sees this thread so please be patient ;)

--Iconic
marcusssong
Posts: 22
Joined: Wed Apr 26, 2017 1:14 pm

Re: Crash when injection dll into VirtualBox

Post by marcusssong »

Okay, I will wait for it :D

Thank you :crazy:
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Crash when injection dll into VirtualBox

Post by madshi »

I'm not using NtCreateSection. The driver installs a user mode NtTestAlert hook, and in the hook callback I'm calling LdrLoadDll. It's a relatively simple solution.

Not sure where the problem is coming from. I'll try to reproduce this here.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Crash when injection dll into VirtualBox

Post by iconic »

Madshi,

Are you absolutely sure you're not using such calls? I see 4 references to ZwCreateSection(), not Nt* but accomplishes the same thing, in your DemoDriver64.sys (which was signed on April 20th, 2017 and distributed with PrintMonitor). Some of those calls appear to be located inside a loadimage callback. Maybe you've left other code in that's just not being executed?

--Iconic
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Crash when injection dll into VirtualBox

Post by madshi »

Yes, I use those calls inside of the driver to temporarily map dlls into RAM to do some checks, e.g. signature verification. But these calls are not part of the actual DLL injection.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Crash when injection dll into VirtualBox

Post by madshi »

The problem should finally be fixed in this build:

http://madshi.net/madCollectionBeta.exe (installer 2.8.2.13)

Can you confirm?
marcusssong
Posts: 22
Joined: Wed Apr 26, 2017 1:14 pm

Re: Crash when injection dll into VirtualBox

Post by marcusssong »

I did test it and it works too well :crazy:

Thx too much.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Crash when injection dll into VirtualBox

Post by madshi »

Glad to hear that, thanks for reporting back!

New official build out now:

http://madshi.net/madCollection.exe (installer 2.8.3.0)