VirtualBox VM won't start because of Anti-Virus .dll injection

Posted: 2018-07-07 12:24:44

Question:

First of all, I cannot remove BeyondTrust PowerBroker / Symantec Anti-virus. A recent update added an injection into VirtualBox, which VirtualBox treats as an intrusion, so the VM won't start. VirtualBox itself starts fine, but starting a VM gives me this:

(rc = -5640) Please try reinstalling VirtualBox.

where: supR3HardenedWinReSpawn what: 1 VERR_SUP_VP_THREAD_NOT_ALONE (-5640) - Process verification failure: the process has more than one thread.

Here is the Hardening.log:

2e84.1340: Log file opened: 5.2.14r123301 g_hStartupLog=0000000000000170 g_uNtVerCombined=0xa0383900
2e84.1340: \SystemRoot\System32\ntdll.dll:
2e84.1340:     CreationTime:    2017-10-16T14:10:15.589015400Z
2e84.1340:     LastWriteTime:   2017-09-07T06:03:35.589628500Z
2e84.1340:     ChangeTime:      2018-03-22T16:54:40.122678600Z
2e84.1340:     FileAttributes:  0x20
2e84.1340:     Size:            0x1cccb0
2e84.1340:     NT Headers:      0xd8
2e84.1340:     Timestamp:       0x59b0d03e
2e84.1340:     Machine:         0x8664 - amd64
2e84.1340:     Timestamp:       0x59b0d03e
2e84.1340:     Image Version:   10.0
2e84.1340:     SizeOfImage:     0x1d2000 (1908736)
2e84.1340:     Resource Dir:    0x169000 LB 0x67a50
2e84.1340:     [Version info resource found at 0xd8! (ID/Name: 0x1; SubID/SubName: 0x409)]
2e84.1340:     [Raw version resource data: 0x1690f0 LB 0x398, codepage 0x0 (reserved 0x0)]
2e84.1340:     ProductName:     Microsoft® Windows® Operating System
2e84.1340:     ProductVersion:  10.0.14393.1715
2e84.1340:     FileVersion:     10.0.14393.1715 (rs1_release_inmarket.170906-1810)
2e84.1340:     FileDescription: NT Layer DLL
2e84.1340: \SystemRoot\System32\kernel32.dll:
2e84.1340:     CreationTime:    2017-08-05T12:04:26.342899300Z
2e84.1340:     LastWriteTime:   2017-04-28T00:49:43.332433600Z
2e84.1340:     ChangeTime:      2018-03-22T16:54:38.891444600Z
2e84.1340:     FileAttributes:  0x20
2e84.1340:     Size:            0xab208
2e84.1340:     NT Headers:      0xf0
2e84.1340:     Timestamp:       0x59028368
2e84.1340:     Machine:         0x8664 - amd64
2e84.1340:     Timestamp:       0x59028368
2e84.1340:     Image Version:   10.0
2e84.1340:     SizeOfImage:     0xac000 (704512)
2e84.1340:     Resource Dir:    0xaa000 LB 0x530
2e84.1340:     [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
2e84.1340:     [Raw version resource data: 0xaa0b0 LB 0x3b4, codepage 0x0 (reserved 0x0)]
2e84.1340:     ProductName:     Microsoft® Windows® Operating System
2e84.1340:     ProductVersion:  10.0.14393.1198
2e84.1340:     FileVersion:     10.0.14393.1198 (rs1_release_sec.170427-1353)
2e84.1340:     FileDescription: Windows NT BASE API Client DLL
2e84.1340: \SystemRoot\System32\KernelBase.dll:
2e84.1340:     CreationTime:    2018-03-22T16:27:49.530367800Z
2e84.1340:     LastWriteTime:   2018-03-02T09:07:30.254111800Z
2e84.1340:     ChangeTime:      2018-03-23T12:02:59.582556100Z
2e84.1340:     FileAttributes:  0x20
2e84.1340:     Size:            0x21c780
2e84.1340:     NT Headers:      0xf8
2e84.1340:     Timestamp:       0x5a9906f8
2e84.1340:     Machine:         0x8664 - amd64
2e84.1340:     Timestamp:       0x5a9906f8
2e84.1340:     Image Version:   10.0
2e84.1340:     SizeOfImage:     0x21d000 (2215936)
2e84.1340:     Resource Dir:    0x201000 LB 0x550
2e84.1340:     [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
2e84.1340:     [Raw version resource data: 0x2010b0 LB 0x3c4, codepage 0x0 (reserved 0x0)]
2e84.1340:     ProductName:     Microsoft® Windows® Operating System
2e84.1340:     ProductVersion:  10.0.14393.2125
2e84.1340:     FileVersion:     10.0.14393.2125 (rs1_release.180301-2139)
2e84.1340:     FileDescription: Windows NT BASE API Client DLL
2e84.1340: \SystemRoot\System32\apisetschema.dll:
2e84.1340:     CreationTime:    2018-03-22T16:21:43.172673700Z
2e84.1340:     LastWriteTime:   2018-03-02T09:07:28.044323200Z
2e84.1340:     ChangeTime:      2018-03-23T12:02:57.396184500Z
2e84.1340:     FileAttributes:  0x20
2e84.1340:     Size:            0x18960
2e84.1340:     NT Headers:      0xc8
2e84.1340:     Timestamp:       0x5a990a54
2e84.1340:     Machine:         0x8664 - amd64
2e84.1340:     Timestamp:       0x5a990a54
2e84.1340:     Image Version:   10.0
2e84.1340:     SizeOfImage:     0x19000 (102400)
2e84.1340:     Resource Dir:    0x18000 LB 0x400
2e84.1340:     [Version info resource found at 0x48! (ID/Name: 0x1; SubID/SubName: 0x409)]
2e84.1340:     [Raw version resource data: 0x18060 LB 0x3a0, codepage 0x0 (reserved 0x0)]
2e84.1340:     ProductName:     Microsoft® Windows® Operating System
2e84.1340:     ProductVersion:  10.0.14393.2125
2e84.1340:     FileVersion:     10.0.14393.2125 (rs1_release.180301-2139)
2e84.1340:     FileDescription: ApiSet Schema DLL
2e84.1340: NtOpenDirectoryObject failed on \Driver: 0xc0000022
2e84.1340: supR3HardenedWinFindAdversaries: 0x12000
2e84.1340: \SystemRoot\System32\drivers\dgmaster.sys:
2e84.1340:     CreationTime:    2018-05-23T15:36:37.521261200Z
2e84.1340:     LastWriteTime:   2018-05-02T22:14:14.000000000Z
2e84.1340:     ChangeTime:      2018-05-23T15:36:37.646276400Z
2e84.1340:     FileAttributes:  0x20
2e84.1340:     Size:            0x2643c8
2e84.1340:     NT Headers:      0x108
2e84.1340:     Timestamp:       0x5aea3ef6
2e84.1340:     Machine:         0x8664 - amd64
2e84.1340:     Timestamp:       0x5aea3ef6
2e84.1340:     Image Version:   6.3
2e84.1340:     SizeOfImage:     0x33f000 (3403776)
2e84.1340:     Resource Dir:    0x2ff000 LB 0x35f68
2e84.1340:     [Version info resource found at 0x270! (ID/Name: 0x1; SubID/SubName: 0x409)]
2e84.1340:     [Raw version resource data: 0x334c30 LB 0x338, codepage 0x0 (reserved 0x0)]
2e84.1340:     ProductName:     Digital Guardian
2e84.1340:     ProductVersion:  7.4
2e84.1340:     FileVersion:     7.4.1.0186
2e84.1340:     FileDescription: Digital Guardian Agent Master
2e84.1340: supR3HardenedWinFindAdversaries: Found newer version: 0x12000 -> 0x14000
2e84.1340: \SystemRoot\System32\drivers\privman.sys:
2e84.1340:     CreationTime:    2018-07-06T11:53:05.369267500Z
2e84.1340:     LastWriteTime:   2018-05-16T17:23:54.000000000Z
2e84.1340:     ChangeTime:      2018-07-07T02:57:42.758964100Z
2e84.1340:     FileAttributes:  0x20
2e84.1340:     Size:            0x115e8
2e84.1340:     NT Headers:      0xf8
2e84.1340:     Timestamp:       0x5afc5ee2
2e84.1340:     Machine:         0x8664 - amd64
2e84.1340:     Timestamp:       0x5afc5ee2
2e84.1340:     Image Version:   6.1
2e84.1340:     SizeOfImage:     0x11000 (69632)
2e84.1340:     Resource Dir:    0xc000 LB 0x32a8
2e84.1340:     [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x0)]
2e84.1340:     [Raw version resource data: 0xc0a0 LB 0x33c, codepage 0x0 (reserved 0x0)]
2e84.1340:     ProductName:     PowerBroker for Windows
2e84.1340:     ProductVersion:  7.5.0.0
2e84.1340:     FileVersion:     7.5.0.0
2e84.1340:     FileDescription: PowerBroker for Windows
2e84.1340: \SystemRoot\System32\privman64.dll:
2e84.1340:     CreationTime:    2018-05-16T17:59:28.000000000Z
2e84.1340:     LastWriteTime:   2018-05-16T17:59:28.000000000Z
2e84.1340:     ChangeTime:      2018-07-07T02:57:42.788041900Z
2e84.1340:     FileAttributes:  0x20
2e84.1340:     Size:            0x3a178
2e84.1340:     NT Headers:      0xf8
2e84.1340:     Timestamp:       0x5afc5e64
2e84.1340:     Machine:         0x8664 - amd64
2e84.1340:     Timestamp:       0x5afc5e64
2e84.1340:     Image Version:   0.0
2e84.1340:     SizeOfImage:     0x3c000 (245760)
2e84.1340:     Resource Dir:    0x3a000 LB 0x578
2e84.1340:     [Version info resource found at 0x80! (ID/Name: 0x1; SubID/SubName: 0x0)]
2e84.1340:     [Raw version resource data: 0x3a0a0 LB 0x37c, codepage 0x4e4 (reserved 0x0)]
2e84.1340:     ProductName:     PowerBroker for Windows
2e84.1340:     ProductVersion:  7.5.0.0
2e84.1340:     FileVersion:     7.5.0.0
2e84.1340:     FileDescription: BeyondTrust PowerBroker for Windows DLL
2e84.1340: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox'
2e84.1340: Calling main()
2e84.1340: SUPR3HardenedMain: pszProgName=VirtualBox fFlags=0x2
2e84.1340: supR3HardenedWinInitAppBin(0x2): '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox'
2e84.1340: SUPR3HardenedMain: Respawn #1
2e84.1340: System32:  \Device\HarddiskVolume4\Windows\System32
2e84.1340: WinSxS:    \Device\HarddiskVolume4\Windows\WinSxS
2e84.1340: KnownDllPath: C:\WINDOWS\System32
2e84.1340: '\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBox.exe' has no imports
2e84.1340: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume4\Program Files\Oracle\VirtualBox\VirtualBox.exe)
3338.3344: supR3HardenedScreenImage/LdrLoadDll: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume4\Windows\System32\SHCore.dll [lacks WinVerifyTrust]
3338.3344: supR3HardenedMonitor_LdrLoadDll: pName=C:\WINDOWS\system32\SHCore.dll (rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000000001:<flags> [calling]
3338.3344: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffdad240000 'C:\WINDOWS\system32\SHCore.dll'
3338.3344: supR3HardenedMonitor_LdrLoadDll: error opening 'C:\WINDOWS\system32\wintab32.dll': 0 (NtPath=\??\C:\WINDOWS\system32\wintab32.dll; Input=C:\WINDOWS\system32\wintab32.dll; rcNtGetDll=0x0
hMod=00007ffdb0790000 'C:\WINDOWS\System32\ntdll.dll'
3338.3344: supR3HardenedScreenImage/LdrLoadDll: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume4\Windows\System32\ntdll.dll [lacks WinVerifyTrust]
3338.3344: supR3HardenedMonitor_LdrLoadDll: pName=C:\WINDOWS\System32\ntdll.dll (Input=ntdll.dll, rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000000801:<flags> [calling]
3338.3344: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=00007ffdb0790000 'C:\WINDOWS\System32\ntdll.dll'
2e84.1340: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0x1 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 79688 ms, the end);

I have already tried a lot of things:

    Reinstalling VirtualBox
    What worked here: https://forums.virtualbox.org/viewtopic.php?f=6&t=82277#p404341
    Trying older versions

Basically, I need a way to start a VirtualBox VM without the antivirus knowing (and without adding an exception to the antivirus, because I have no access to it). Does anyone have any suggestions?
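As an added example (not part of the original question, and not VirtualBox's own code): a small Python parser for a Hardening.log excerpt. It pulls out every image block that the hardening code logged (path plus the version-resource attributes), the last adversary mask reported by supR3HardenedWinFindAdversaries, and the ExitCode of the respawned child, then lists the images whose ProductName is not Microsoft's. The sample log embedded below is a trimmed, constructed copy of the lines in the question; the "non-Microsoft ProductName" filter is a heuristic of this example for surfacing candidate injectors quickly, not the rule VirtualBox itself applies.

```python
"""Parse a VirtualBox Hardening.log excerpt and list the third-party images it recorded."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a trimmed copy of the question's Hardening.log (image blocks
# cut down to a few attributes each; not the complete file).
SAMPLE_LOG = r"""2e84.1340: Log file opened: 5.2.14r123301 g_hStartupLog=0000000000000170 g_uNtVerCombined=0xa0383900
2e84.1340: \SystemRoot\System32\ntdll.dll:
2e84.1340:     CreationTime:    2017-10-16T14:10:15.589015400Z
2e84.1340:     [Version info resource found at 0xd8! (ID/Name: 0x1; SubID/SubName: 0x409)]
2e84.1340:     ProductName:     Microsoft® Windows® Operating System
2e84.1340:     FileVersion:     10.0.14393.1715 (rs1_release_inmarket.170906-1810)
2e84.1340:     FileDescription: NT Layer DLL
2e84.1340: NtOpenDirectoryObject failed on \Driver: 0xc0000022
2e84.1340: supR3HardenedWinFindAdversaries: 0x12000
2e84.1340: \SystemRoot\System32\drivers\dgmaster.sys:
2e84.1340:     ProductName:     Digital Guardian
2e84.1340:     FileVersion:     7.4.1.0186
2e84.1340:     FileDescription: Digital Guardian Agent Master
2e84.1340: supR3HardenedWinFindAdversaries: Found newer version: 0x12000 -> 0x14000
2e84.1340: \SystemRoot\System32\drivers\privman.sys:
2e84.1340:     ProductName:     PowerBroker for Windows
2e84.1340:     FileVersion:     7.5.0.0
2e84.1340:     FileDescription: PowerBroker for Windows
2e84.1340: \SystemRoot\System32\privman64.dll:
2e84.1340:     ProductName:     PowerBroker for Windows
2e84.1340:     FileVersion:     7.5.0.0
2e84.1340:     FileDescription: BeyondTrust PowerBroker for Windows DLL
2e84.1340: SUPR3HardenedMain: Respawn #1
2e84.1340: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0x1 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 79688 ms, the end);
"""

# Every line starts with "<pid>.<tid>:" in hex. An image block opens with an NT path
# ending in ":" and continues with indented "Key: value" attribute lines.
PREFIX = r"^[0-9a-f]+\.[0-9a-f]+:"
IMAGE_RE = re.compile(PREFIX + r" (\\\S+):$")
INDENT_RE = re.compile(PREFIX + r"\s{2,}")
ATTR_RE = re.compile(PREFIX + r"\s{2,}([A-Za-z]+):\s+(.*)$")
ADVERSARY_RE = re.compile(
    r"supR3HardenedWinFindAdversaries: (?:Found newer version: 0x[0-9a-f]+ -> )?(0x[0-9a-f]+)")
EXIT_RE = re.compile(r"Quitting: ExitCode=(0x[0-9a-f]+)")


@dataclass
class ImageInfo:
    path: str                                   # NT path exactly as logged
    attrs: Dict[str, str] = field(default_factory=dict)

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def product_name(self) -> str:
        return self.attrs.get("ProductName", "")


@dataclass
class HardeningReport:
    images: List[ImageInfo] = field(default_factory=list)
    adversary_mask: Optional[int] = None        # last value logged by supR3HardenedWinFindAdversaries
    exit_code: Optional[int] = None             # ExitCode of the respawned child, if logged


def parse_hardening_log(text: str) -> HardeningReport:
    report = HardeningReport()
    current: Optional[ImageInfo] = None
    for line in text.splitlines():
        m = IMAGE_RE.match(line)
        if m:
            current = ImageInfo(path=m.group(1))
            report.images.append(current)
            continue
        if current is not None and INDENT_RE.match(line):
            m = ATTR_RE.match(line)
            if m:
                # Repeated keys (e.g. Timestamp) simply overwrite; last value wins.
                current.attrs[m.group(1)] = m.group(2).strip()
            continue            # indented non-attribute lines such as "[Version info ...]" stay in the block
        current = None          # any unindented line closes the image block
        m = ADVERSARY_RE.search(line)
        if m:
            report.adversary_mask = int(m.group(1), 16)
            continue
        m = EXIT_RE.search(line)
        if m:
            report.exit_code = int(m.group(1), 16)
    return report


def third_party_images(report: HardeningReport) -> List[ImageInfo]:
    """Heuristic of this example: keep images whose ProductName is not Microsoft's.
    Images with no version resource at all are kept too, since they deserve a look."""
    return [img for img in report.images if not img.product_name.startswith("Microsoft")]


def summarize(report: HardeningReport) -> List[str]:
    lines = [f"{img.name}: {img.product_name} {img.attrs.get('FileVersion', '?')} "
             f"({img.attrs.get('FileDescription', '')})"
             for img in third_party_images(report)]
    if report.adversary_mask is not None:
        lines.append(f"adversary mask: {report.adversary_mask:#x}")
    if report.exit_code is not None:
        lines.append(f"child ExitCode: {report.exit_code:#x}")
    return lines


if __name__ == "__main__":
    for entry in summarize(parse_hardening_log(SAMPLE_LOG)):
        print(entry)
```

Run against a real Hardening.log (`parse_hardening_log(open(path, encoding="utf-8", errors="replace").read())`) to get the same three-line shortlist; the adversary mask is reported raw because the meaning of its bits is VirtualBox-internal and is not stated anywhere on this page.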

Question comments:

Answer 1:

You have to edit your policy permissions in regedit to disable it. Go here:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

and set ValidateAdminCodeSignatures to 0 to disable it.

Answer comments:
