VirtualBox VM won't start because of Anti-Virus .dll injection
Posted: 2018-07-07 12:24:44

Question: First off, I cannot remove BeyondTrust PowerBroker / Symantec Anti-virus. A recent update added an injection into VirtualBox, which VirtualBox treats as an intrusion, so the VM will not start. VirtualBox itself starts fine now, but starting a VM gives me this:
(rc = -5640) Please try reinstalling VirtualBox.
where: supR3HardenedWinReSpawn what: 1 VERR_SUP_VP_THREAD_NOT_ALONE (-5640) - Process verification failed: the process has more than one thread.
Here is the Hardening.log:
2e84.1340: Log file opened: 5.2.14r123301 g_hStartupLog=0000000000000170 g_uNtVerCombined=0xa0383900
2e84.1340: \SystemRoot\System32\ntdll.dll:
2e84.1340: CreationTime: 2017-10-16T14:10:15.589015400Z
2e84.1340: LastWriteTime: 2017-09-07T06:03:35.589628500Z
2e84.1340: ChangeTime: 2018-03-22T16:54:40.122678600Z
2e84.1340: FileAttributes: 0x20
2e84.1340: Size: 0x1cccb0
2e84.1340: NT Headers: 0xd8
2e84.1340: Timestamp: 0x59b0d03e
2e84.1340: Machine: 0x8664 - amd64
2e84.1340: Timestamp: 0x59b0d03e
2e84.1340: Image Version: 10.0
2e84.1340: SizeOfImage: 0x1d2000 (1908736)
2e84.1340: Resource Dir: 0x169000 LB 0x67a50
2e84.1340: [Version info resource found at 0xd8! (ID/Name: 0x1; SubID/SubName: 0x409)]
2e84.1340: [Raw version resource data: 0x1690f0 LB 0x398, codepage 0x0 (reserved 0x0)]
2e84.1340: ProductName: Microsoft® Windows® Operating System
2e84.1340: ProductVersion: 10.0.14393.1715
2e84.1340: FileVersion: 10.0.14393.1715 (rs1_release_inmarket.170906-1810)
2e84.1340: FileDescription: NT Layer DLL
2e84.1340: \SystemRoot\System32\kernel32.dll:
2e84.1340: CreationTime: 2017-08-05T12:04:26.342899300Z
2e84.1340: LastWriteTime: 2017-04-28T00:49:43.332433600Z
2e84.1340: ChangeTime: 2018-03-22T16:54:38.891444600Z
2e84.1340: FileAttributes: 0x20
2e84.1340: Size: 0xab208
2e84.1340: NT Headers: 0xf0
2e84.1340: Timestamp: 0x59028368
2e84.1340: Machine: 0x8664 - amd64
2e84.1340: Timestamp: 0x59028368
2e84.1340: Image Version: 10.0
2e84.1340: SizeOfImage: 0xac000 (704512)
2e84.1340: Resource Dir: 0xaa000 LB 0x530
2e84.1340: [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
2e84.1340: [Raw version resource data: 0xaa0b0 LB 0x3b4, codepage 0x0 (reserved 0x0)]
2e84.1340: ProductName: Microsoft® Windows® Operating System
2e84.1340: ProductVersion: 10.0.14393.1198
2e84.1340: FileVersion: 10.0.14393.1198 (rs1_release_sec.170427-1353)
2e84.1340: FileDescription: Windows NT BASE API Client DLL
2e84.1340: \SystemRoot\System32\KernelBase.dll:
2e84.1340: CreationTime: 2018-03-22T16:27:49.530367800Z
2e84.1340: LastWriteTime: 2018-03-02T09:07:30.254111800Z
2e84.1340: ChangeTime: 2018-03-23T12:02:59.582556100Z
2e84.1340: FileAttributes: 0x20
2e84.1340: Size: 0x21c780
2e84.1340: NT Headers: 0xf8
2e84.1340: Timestamp: 0x5a9906f8
2e84.1340: Machine: 0x8664 - amd64
2e84.1340: Timestamp: 0x5a9906f8
2e84.1340: Image Version: 10.0
2e84.1340: SizeOfImage: 0x21d000 (2215936)
2e84.1340: Resource Dir: 0x201000 LB 0x550
2e84.1340: [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
2e84.1340: [Raw version resource data: 0x2010b0 LB 0x3c4, codepage 0x0 (reserved 0x0)]
2e84.1340: ProductName: Microsoft® Windows® Operating System
2e84.1340: ProductVersion: 10.0.14393.2125
2e84.1340: FileVersion: 10.0.14393.2125 (rs1_release.180301-2139)
2e84.1340: FileDescription: Windows NT BASE API Client DLL
2e84.1340: \SystemRoot\System32\apisetschema.dll:
2e84.1340: CreationTime: 2018-03-22T16:21:43.172673700Z
2e84.1340: LastWriteTime: 2018-03-02T09:07:28.044323200Z
2e84.1340: ChangeTime: 2018-03-23T12:02:57.396184500Z
2e84.1340: FileAttributes: 0x20
2e84.1340: Size: 0x18960
2e84.1340: NT Headers: 0xc8
2e84.1340: Timestamp: 0x5a990a54
2e84.1340: Machine: 0x8664 - amd64
2e84.1340: Timestamp: 0x5a990a54
2e84.1340: Image Version: 10.0
2e84.1340: SizeOfImage: 0x19000 (102400)
2e84.1340: Resource Dir: 0x18000 LB 0x400
2e84.1340: [Version info resource found at 0x48! (ID/Name: 0x1; SubID/SubName: 0x409)]
2e84.1340: [Raw version resource data: 0x18060 LB 0x3a0, codepage 0x0 (reserved 0x0)]
2e84.1340: ProductName: Microsoft® Windows® Operating System
2e84.1340: ProductVersion: 10.0.14393.2125
2e84.1340: FileVersion: 10.0.14393.2125 (rs1_release.180301-2139)
2e84.1340: FileDescription: ApiSet Schema DLL
2e84.1340: NtOpenDirectoryObject failed on \Driver: 0xc0000022
2e84.1340: supR3HardenedWinFindAdversaries: 0x12000
2e84.1340: \SystemRoot\System32\drivers\dgmaster.sys:
2e84.1340: CreationTime: 2018-05-23T15:36:37.521261200Z
2e84.1340: LastWriteTime: 2018-05-02T22:14:14.000000000Z
2e84.1340: ChangeTime: 2018-05-23T15:36:37.646276400Z
2e84.1340: FileAttributes: 0x20
2e84.1340: Size: 0x2643c8
2e84.1340: NT Headers: 0x108
2e84.1340: Timestamp: 0x5aea3ef6
2e84.1340: Machine: 0x8664 - amd64
2e84.1340: Timestamp: 0x5aea3ef6
2e84.1340: Image Version: 6.3
2e84.1340: SizeOfImage: 0x33f000 (3403776)
2e84.1340: Resource Dir: 0x2ff000 LB 0x35f68
2e84.1340: [Version info resource found at 0x270! (ID/Name: 0x1; SubID/SubName: 0x409)]
2e84.1340: [Raw version resource data: 0x334c30 LB 0x338, codepage 0x0 (reserved 0x0)]
2e84.1340: ProductName: Digital Guardian
2e84.1340: ProductVersion: 7.4
2e84.1340: FileVersion: 7.4.1.0186
2e84.1340: FileDescription: Digital Guardian Agent Master
2e84.1340: supR3HardenedWinFindAdversaries: Found newer version: 0x12000 -> 0x14000
2e84.1340: \SystemRoot\System32\drivers\privman.sys:
2e84.1340: CreationTime: 2018-07-06T11:53:05.369267500Z
2e84.1340: LastWriteTime: 2018-05-16T17:23:54.000000000Z
2e84.1340: ChangeTime: 2018-07-07T02:57:42.758964100Z
2e84.1340: FileAttributes: 0x20
2e84.1340: Size: 0x115e8
2e84.1340: NT Headers: 0xf8
2e84.1340: Timestamp: 0x5afc5ee2
2e84.1340: Machine: 0x8664 - amd64
2e84.1340: Timestamp: 0x5afc5ee2
2e84.1340: Image Version: 6.1
2e84.1340: SizeOfImage: 0x11000 (69632)
2e84.1340: Resource Dir: 0xc000 LB 0x32a8
2e84.1340: [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x0)]
2e84.1340: [Raw version resource data: 0xc0a0 LB 0x33c, codepage 0x0 (reserved 0x0)]
2e84.1340: ProductName: PowerBroker for Windows
2e84.1340: ProductVersion: 7.5.0.0
2e84.1340: FileVersion: 7.5.0.0
2e84.1340: FileDescription: PowerBroker for Windows
2e84.1340: \SystemRoot\System32\privman64.dll:
2e84.1340: CreationTime: 2018-05-16T17:59:28.000000000Z
2e84.1340: LastWriteTime: 2018-05-16T17:59:28.000000000Z
2e84.1340: ChangeTime: 2018-07-07T02:57:42.788041900Z
2e84.1340: FileAttributes: 0x20
2e84.1340: Size: 0x3a178
2e84.1340: NT Headers: 0xf8
2e84.1340: Timestamp: 0x5afc5e64
2e84.1340: Machine: 0x8664 - amd64
2e84.1340: Timestamp: 0x5afc5e64
2e84.1340: Image Version: 0.0
2e84.1340: SizeOfImage: 0x3c000 (245760)
2e84.1340: Resource Dir: 0x3a000 LB 0x578
2e84.1340: [Version info resource found at 0x80! (ID/Name: 0x1; SubID/SubName: 0x0)]
2e84.1340: [Raw version resource data: 0x3a0a0 LB 0x37c, codepage 0x4e4 (reserved 0x0)]
2e84.1340: ProductName: PowerBroker for Windows
2e84.1340: ProductVersion: 7.5.0.0
2e84.1340: FileVersion: 7.5.0.0
2e84.1340: FileDescription: BeyondTrust PowerBroker for Windows DLL
2e84.1340: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox'
2e84.1340: Calling main()
2e84.1340: SUPR3HardenedMain: pszProgName=VirtualBox fFlags=0x2
2e84.1340: supR3HardenedWinInitAppBin(0x2): '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox'
2e84.1340: SUPR3HardenedMain: Respawn #1
2e84.1340: System32: \Device\HarddiskVolume4\Windows\System32
2e84.1340: WinSxS: \Device\HarddiskVolume4\Windows\WinSxS
2e84.1340: KnownDllPath: C:\WINDOWS\System32
2e84.1340: '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBox.exe' has no imports
2e84.1340: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBox.exe)
3338.3344: supR3HardenedScreenImage/LdrLoadDll: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume4\Windows\System32\SHCore.dll [lacks WinVerifyTrust]
3338.3344: supR3HardenedMonitor_LdrLoadDll: pName=C:\WINDOWS\system32\SHCore.dll (rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000000001:<flags> [calling]
3338.3344: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffdad240000 'C:\WINDOWS\system32\SHCore.dll'
3338.3344: supR3HardenedMonitor_LdrLoadDll: error opening 'C:\WINDOWS\system32\wintab32.dll': 0 (NtPath=\??\C:\WINDOWS\system32\wintab32.dll; Input=C:\WINDOWS\system32\wintab32.dll; rcNtGetDll=0x0
hMod=00007ffdb0790000 'C:\WINDOWS\System32\ntdll.dll'
3338.3344: supR3HardenedScreenImage/LdrLoadDll: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume4\Windows\System32\ntdll.dll [lacks WinVerifyTrust]
3338.3344: supR3HardenedMonitor_LdrLoadDll: pName=C:\WINDOWS\System32\ntdll.dll (Input=ntdll.dll, rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000000801:<flags> [calling]
3338.3344: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffdb0790000 'C:\WINDOWS\System32\ntdll.dll'
2e84.1340: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0x1 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 79688 ms, the end);
I have tried a lot of things by now:
- Reinstalling VirtualBox
- The fix that worked here: https://forums.virtualbox.org/viewtopic.php?f=6&t=82277#p404341
- Older versions.
Basically, I need a way to start a VB VM without the anti-virus knowing about it (and without adding an exception to the anti-virus program, since I have no access to it). Does anyone have any suggestions?
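The Hardening.log above is what an administrator or security engineer would triage to see which third-party agents VirtualBox's hardening code flagged before the VM process gave up. The following Python is an added example, not code from the question, the answer, or the VirtualBox project: it parses log lines in that format and reports the non-Microsoft images the loader inspected, the last adversary mask logged by supR3HardenedWinFindAdversaries, and the child exit code from supR3HardNtChildWaitFor. The embedded sample log is constructed from a few lines of the log quoted above, and the field names and regular expressions are assumptions derived from that excerpt rather than a documented format.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample (not a real file): a trimmed excerpt in the format of the
# Hardening.log quoted in the question, keeping its hex "pid.tid: " prefix,
# per-image version blocks, the adversary-mask lines and the child-exit line.
SAMPLE_LOG = r"""
2e84.1340: Log file opened: 5.2.14r123301 g_hStartupLog=0000000000000170 g_uNtVerCombined=0xa0383900
2e84.1340: \SystemRoot\System32\ntdll.dll:
2e84.1340: Machine: 0x8664 - amd64
2e84.1340: [Version info resource found at 0xd8! (ID/Name: 0x1; SubID/SubName: 0x409)]
2e84.1340: ProductName: Microsoft® Windows® Operating System
2e84.1340: FileVersion: 10.0.14393.1715 (rs1_release_inmarket.170906-1810)
2e84.1340: FileDescription: NT Layer DLL
2e84.1340: NtOpenDirectoryObject failed on \Driver: 0xc0000022
2e84.1340: supR3HardenedWinFindAdversaries: 0x12000
2e84.1340: \SystemRoot\System32\drivers\dgmaster.sys:
2e84.1340: ProductName: Digital Guardian
2e84.1340: FileVersion: 7.4.1.0186
2e84.1340: FileDescription: Digital Guardian Agent Master
2e84.1340: supR3HardenedWinFindAdversaries: Found newer version: 0x12000 -> 0x14000
2e84.1340: \SystemRoot\System32\privman64.dll:
2e84.1340: ProductName: PowerBroker for Windows
2e84.1340: FileVersion: 7.5.0.0
2e84.1340: FileDescription: BeyondTrust PowerBroker for Windows DLL
2e84.1340: System32: \Device\HarddiskVolume4\Windows\System32
2e84.1340: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0x1 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 79688 ms, the end);
"""

# Each inspected image is logged as a "<path>:" header followed by "Key: value"
# lines; the keys below are the ones that occur in the question's log (assumed set).
KNOWN_FIELDS = {
    "CreationTime", "LastWriteTime", "ChangeTime", "FileAttributes", "Size",
    "NT Headers", "Timestamp", "Machine", "Image Version", "SizeOfImage",
    "Resource Dir", "ProductName", "ProductVersion", "FileVersion", "FileDescription",
}
PREFIX = re.compile(r"^[0-9a-f]+\.[0-9a-f]+: (.*)$")  # hex "pid.tid: " then the body
IMAGE_START = re.compile(r"^(\\\S+\.(?:dll|sys|exe)):$", re.IGNORECASE)
KEYVAL = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?): (.*)$")
ADVERSARY = re.compile(r"^supR3HardenedWinFindAdversaries: .*?(0x[0-9a-f]+)$")
CHILD_EXIT = re.compile(r"^supR3HardNtChildWaitFor\[\d+\]: Quitting: ExitCode=(0x[0-9a-f]+)")


@dataclass
class ImageInfo:
    path: str
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def product(self) -> str:
        return self.fields.get("ProductName", "")

    @property
    def is_microsoft(self) -> bool:
        # Windows system DLLs report "Microsoft® Windows® Operating System".
        return self.product.startswith("Microsoft")


@dataclass
class HardeningReport:
    images: List[ImageInfo] = field(default_factory=list)
    adversary_mask: Optional[str] = None   # last mask logged by supR3HardenedWinFindAdversaries
    child_exit_code: Optional[str] = None  # ExitCode from supR3HardNtChildWaitFor


def parse_hardening_log(text: str) -> HardeningReport:
    """Walk the log once, collecting per-image version info and the summary lines."""
    report = HardeningReport()
    current: Optional[ImageInfo] = None
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue  # not a hardening-log line (e.g. the blank first line)
        body = m.group(1)
        m = IMAGE_START.match(body)
        if m:
            current = ImageInfo(m.group(1))
            report.images.append(current)
            continue
        m = ADVERSARY.match(body)
        if m:
            report.adversary_mask = m.group(1)
            current = None
            continue
        m = CHILD_EXIT.match(body)
        if m:
            report.child_exit_code = m.group(1)
            current = None
            continue
        m = KEYVAL.match(body)
        if m and current is not None and m.group(1) in KNOWN_FIELDS:
            current.fields[m.group(1)] = m.group(2)
    return report


def third_party_images(report: HardeningReport) -> List[ImageInfo]:
    """Images whose version resource names a vendor other than Microsoft, i.e. the
    endpoint agents the hardening code is reacting to."""
    return [img for img in report.images if img.product and not img.is_microsoft]


def format_report(report: HardeningReport) -> str:
    lines = [f"adversary mask: {report.adversary_mask}",
             f"child exit code: {report.child_exit_code}",
             "third-party images seen by the loader:"]
    for img in third_party_images(report):
        lines.append(f"  {img.path}  [{img.product} {img.fields.get('FileVersion', '?')}] "
                     f"{img.fields.get('FileDescription', '')}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(parse_hardening_log(SAMPLE_LOG)))
```

Run it against a full Hardening.log by replacing SAMPLE_LOG with the file contents; the parser keys off the field names rather than indentation, so it copes with logs pasted into a forum where the leading spaces were lost. The vendor list it produces is the starting point for a change ticket with whoever manages the endpoint agents, since the rc = -5640 failure is VirtualBox refusing to run alongside a foreign thread in its process rather than a fault in VirtualBox itself.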
Answer 1: You have to edit your policy permissions in the registry (Regedit) to disable it. Go to:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
and set ValidateAdminCodeSignatures to 0 to disable it.