Virtual Machine / Virtual Box Guide?

by Amato Masaki

10-12-2016, 06:45 AM
#61206 (1)
I want to ask about using a virtual machine.
(I'm using VirtualBox.)
I have a problem when starting the machine.
Screenshot: https://u.pomf.is/dapjwt.JPG
It's always (0x1).

Log file can be found here: Log file

Anyway, the details are:
Host: Windows 7 Ultimate (64 bit)
Guest: Kali Linux amd64

Any solution?

Thanks


RX14
10-12-2016, 07:31 AM
#61207 (2)
Probably your custom theme messing with SHELL32.dll. Unfortunately there doesn't seem to be a way to disable VirtualBox's DLL verification, so you're going to have to either uninstall your themes and restore backups of your patched DLLs, or manually sign your DLLs. Signing your patched DLLs is going to be a bit of a pain though because you're going to have to create a certificate pair.

Amato Masaki
10-12-2016, 08:26 AM
#61216 (3)
(10-12-2016, 07:31 AM)RX14 Wrote: Probably your custom theme messing with SHELL32.dll. Unfortunately there doesn't seem to be a way to disable VirtualBox's DLL verification, so you're going to have to either uninstall your themes and restore backups of your patched DLLs, or manually sign your DLLs. Signing your patched DLLs is going to be a bit of a pain though because you're going to have to create a certificate pair.

Just the theme-patched DLLs, right?

I think I got the restore point..
Thanks. xD


malmon
10-12-2016, 11:24 AM
#61226 (4)
(10-12-2016, 07:31 AM)RX14 Wrote: Probably your custom theme messing with SHELL32.dll. Unfortunately there doesn't seem to be a way to disable VirtualBox's DLL verification, so you're going to have to either uninstall your themes and restore backups of your patched DLLs, or manually sign your DLLs. Signing your patched DLLs is going to be a bit of a pain though because you're going to have to create a certificate pair.

Why does VB even care about this?

RX14
10-12-2016, 12:03 PM
#61228 (5)
@malmon It's to protect against DLL injection exploits

malmon
10-12-2016, 12:38 PM
#61233 (6)
(10-12-2016, 12:03 PM)RX14 Wrote: @malmon It's to protect against DLL injection exploits

So if you run a modded Windows installation VB won't work?

RX14
10-12-2016, 01:30 PM
#61236 (7)
@malmon, yes

malmon
10-12-2016, 01:47 PM
#61237 (8)
(10-12-2016, 01:30 PM)RX14 Wrote: @malmon, yes

Guess the Microsoft shills did their job well. How the hell does an open source project fuck up so badly?

RX14
10-12-2016, 02:11 PM
#61239 (9)
@malmon, no, I said it was to stop exploits. There were known exploits in VirtualBox, and they fixed them. If you're Oracle, what do you do? Not fix a massive exploit just so that some people can mod their Windows? Seems like a terrible idea to me.

malmon
10-12-2016, 02:30 PM
#61246 (10)
(10-12-2016, 02:11 PM)RX14 Wrote: @malmon, no, I said it was to stop exploits. There were known exploits in VirtualBox, and they fixed them. If you're Oracle, what do you do? Not fix a massive exploit just so that some people can mod their Windows? Seems like a terrible idea to me.

Isn't it more of a Windows issue then? And not a VirtualBox issue? Surely it's Windows' responsibility to keep the integrity of its DLLs in check?

RX14
10-12-2016, 03:10 PM
#61254 (11)
(10-12-2016, 02:30 PM)malmon Wrote:
(10-12-2016, 02:11 PM)RX14 Wrote: @malmon, no, I said it was to stop exploits. There were known exploits in VirtualBox, and they fixed them. If you're Oracle, what do you do? Not fix a massive exploit just so that some people can mod their Windows? Seems like a terrible idea to me.

Isn't it more of a Windows issue then? And not a VirtualBox issue? Surely it's Windows' responsibility to keep the integrity of its DLLs in check?

Yes, it's a Windows issue because Windows loads DLLs from too many places, many of which don't need superadmin to access. So VirtualBox requires all loaded DLLs to be signed by a certificate trusted by Windows. If you really really want to use a custom DLL, just create a custom certificate and sign it yourself. This is both supposedly secure if you do it right and customisable.

malmon
10-12-2016, 05:33 PM
#61278 (12)
(10-12-2016, 03:10 PM)RX14 Wrote:
(10-12-2016, 02:30 PM)malmon Wrote:
(10-12-2016, 02:11 PM)RX14 Wrote: @malmon, no, I said it was to stop exploits. There were known exploits in VirtualBox, and they fixed them. If you're Oracle, what do you do? Not fix a massive exploit just so that some people can mod their Windows? Seems like a terrible idea to me.

Isn't it more of a Windows issue then? And not a VirtualBox issue? Surely it's Windows' responsibility to keep the integrity of its DLLs in check?

Yes, it's a Windows issue because Windows loads DLLs from too many places, many of which don't need superadmin to access. So VirtualBox requires all loaded DLLs to be signed by a certificate trusted by Windows. If you really really want to use a custom DLL, just create a custom certificate and sign it yourself. This is both supposedly secure if you do it right and customisable.

So how come Linux isn't vulnerable to this?

Melancholy
10-12-2016, 08:36 PM
#61303 (13)
(10-12-2016, 05:33 PM)malmon Wrote:
(10-12-2016, 03:10 PM)RX14 Wrote:
(10-12-2016, 02:30 PM)malmon Wrote:
(10-12-2016, 02:11 PM)RX14 Wrote: @malmon, no, I said it was to stop exploits. There were known exploits in VirtualBox, and they fixed them. If you're Oracle, what do you do? Not fix a massive exploit just so that some people can mod their Windows? Seems like a terrible idea to me.

Isn't it more of a Windows issue then? And not a VirtualBox issue? Surely it's Windows' responsibility to keep the integrity of its DLLs in check?

Yes, it's a Windows issue because Windows loads DLLs from too many places, many of which don't need superadmin to access. So VirtualBox requires all loaded DLLs to be signed by a certificate trusted by Windows. If you really really want to use a custom DLL, just create a custom certificate and sign it yourself. This is both supposedly secure if you do it right and customisable.

So how come Linux isn't vulnerable to this?

it is, isn't it? like, isn't that how rootkits work? by injecting themselves into .so files?

RX14
10-13-2016, 05:29 AM
#61337 (14)
(10-12-2016, 05:33 PM)malmon Wrote:
(10-12-2016, 03:10 PM)RX14 Wrote:
(10-12-2016, 02:30 PM)malmon Wrote:
(10-12-2016, 02:11 PM)RX14 Wrote: @malmon, no, I said it was to stop exploits. There were known exploits in VirtualBox, and they fixed them. If you're Oracle, what do you do? Not fix a massive exploit just so that some people can mod their Windows? Seems like a terrible idea to me.

Isn't it more of a Windows issue then? And not a VirtualBox issue? Surely it's Windows' responsibility to keep the integrity of its DLLs in check?

Yes, it's a Windows issue because Windows loads DLLs from too many places, many of which don't need superadmin to access. So VirtualBox requires all loaded DLLs to be signed by a certificate trusted by Windows. If you really really want to use a custom DLL, just create a custom certificate and sign it yourself. This is both supposedly secure if you do it right and customisable.

So how come Linux isn't vulnerable to this?

Because the paths where .so files are stored are owned by root, so normal users can't modify them. You can do injection by modifying the `LD_PRELOAD` env var then running a process, but that's not particularly exploitable.

DLL/shared library injection is a method of injecting code into a process which runs at a higher permission level than you. VirtualBox is one of the processes that needs to run as a higher-level user, so it protects itself from this. On Linux, you would need to set LD_PRELOAD in the environment of a process that's run as root, which would usually require an exploit in the init scripts, which doesn't happen often.

Rootkits using shared libraries are different, simply a way of hiding the virus. To inject into the shared library files, you already need to be root, which is usually obtained through another exploit or weak ssh. If someone is root on your Linux box, there's 1000 ways they can hide their code, including inside the kernel itself; shared library injection is simply another technique.

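RX14's argument above rests on one property: the directories the Linux dynamic loader searches are root-owned and not writable by ordinary users, so there is no equivalent of the Windows DLL-hijack surface. The script below is an added example (not code from this thread or from VirtualBox) that audits that property on a host; the default directory list and the temporary-directory fixture in `demo()` are assumptions constructed for the example.

```python
"""Audit the directories from which ld.so loads shared objects.

Flags any search-path directory that an unprivileged user could write to
(not owned by root, world-writable, or writable by a non-root group), which
is exactly what would make a shared-library hijack possible on Linux.
Added example; the directory list below is an assumed glibc default, real
systems add entries from /etc/ld.so.conf and /etc/ld.so.conf.d/*.
"""
import os
import stat
import tempfile

DEFAULT_LIB_DIRS = ["/lib", "/usr/lib", "/lib64", "/usr/lib64", "/usr/local/lib"]


def classify_dir(path, st_uid, st_gid, st_mode):
    """Return findings for one directory given its owner, group and mode bits."""
    findings = []
    if st_uid != 0:
        findings.append(f"{path}: owned by uid {st_uid}, not root")
    if st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    if st_mode & stat.S_IWGRP and st_gid != 0:
        findings.append(f"{path}: writable by non-root group gid {st_gid}")
    return findings


def audit_library_dirs(dirs):
    """stat() each existing directory and collect the findings for all of them."""
    findings = []
    for path in dirs:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue  # a search-path entry that does not exist cannot be abused
        if not stat.S_ISDIR(st.st_mode):
            findings.append(f"{path}: not a directory")
            continue
        findings.extend(classify_dir(path, st.st_uid, st.st_gid, st.st_mode))
    return findings


def demo():
    """Constructed fixture: a correct 0755 'lib' dir beside a world-writable one."""
    base = tempfile.mkdtemp()
    good, bad = os.path.join(base, "lib"), os.path.join(base, "lib-writable")
    os.mkdir(good)
    os.mkdir(bad)
    os.chmod(good, 0o755)  # chmod explicitly: mkdir's mode is subject to umask
    os.chmod(bad, 0o777)
    return audit_library_dirs([good, bad, os.path.join(base, "missing")])


if __name__ == "__main__":
    for line in audit_library_dirs(DEFAULT_LIB_DIRS) + demo():
        print(line)
```

Run it as an ordinary user; on a healthy host the real search path should produce no findings, while `demo()` always reports the constructed world-writable directory.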
malmon
10-13-2016, 10:00 AM
#61348 (15)
(10-13-2016, 05:29 AM)RX14 Wrote:
(10-12-2016, 05:33 PM)malmon Wrote:
(10-12-2016, 03:10 PM)RX14 Wrote:
(10-12-2016, 02:30 PM)malmon Wrote: Isn't it more of a Windows issue then? And not a VirtualBox issue? Surely it's Windows' responsibility to keep the integrity of its DLLs in check?

Yes, it's a Windows issue because Windows loads DLLs from too many places, many of which don't need superadmin to access. So VirtualBox requires all loaded DLLs to be signed by a certificate trusted by Windows. If you really really want to use a custom DLL, just create a custom certificate and sign it yourself. This is both supposedly secure if you do it right and customisable.

So how come Linux isn't vulnerable to this?

Because the paths where .so files are stored are owned by root, so normal users can't modify them. You can do injection by modifying the `LD_PRELOAD` env var then running a process, but that's not particularly exploitable.

DLL/shared library injection is a method of injecting code into a process which runs at a higher permission level than you. VirtualBox is one of the processes that needs to run as a higher-level user, so it protects itself from this. On Linux, you would need to set LD_PRELOAD in the environment of a process that's run as root, which would usually require an exploit in the init scripts, which doesn't happen often.

Rootkits using shared libraries are different, simply a way of hiding the virus. To inject into the shared library files, you already need to be root, which is usually obtained through another exploit or weak ssh. If someone is root on your Linux box, there's 1000 ways they can hide their code, including inside the kernel itself; shared library injection is simply another technique.

Fair enough. Well, guess I'm stuck using Hyper-V for now

RX14
10-13-2016, 11:53 AM
#61354 (16)
(10-13-2016, 10:00 AM)malmon Wrote:
(10-13-2016, 05:29 AM)RX14 Wrote:
(10-12-2016, 05:33 PM)malmon Wrote:
(10-12-2016, 03:10 PM)RX14 Wrote: Yes, it's a Windows issue because Windows loads DLLs from too many places, many of which don't need superadmin to access. So VirtualBox requires all loaded DLLs to be signed by a certificate trusted by Windows. If you really really want to use a custom DLL, just create a custom certificate and sign it yourself. This is both supposedly secure if you do it right and customisable.

So how come Linux isn't vulnerable to this?

Because the paths where .so files are stored are owned by root, so normal users can't modify them. You can do injection by modifying the `LD_PRELOAD` env var then running a process, but that's not particularly exploitable.

DLL/shared library injection is a method of injecting code into a process which runs at a higher permission level than you. VirtualBox is one of the processes that needs to run as a higher-level user, so it protects itself from this. On Linux, you would need to set LD_PRELOAD in the environment of a process that's run as root, which would usually require an exploit in the init scripts, which doesn't happen often.

Rootkits using shared libraries are different, simply a way of hiding the virus. To inject into the shared library files, you already need to be root, which is usually obtained through another exploit or weak ssh. If someone is root on your Linux box, there's 1000 ways they can hide their code, including inside the kernel itself; shared library injection is simply another technique.

Fair enough. Well, guess I'm stuck using Hyper-V for now

Or sign the DLL yourself, of course. It shouldn't be too hard at all.
