
Security-hardening and Windows Hosts

Posted: 24. Apr 2015, 17:39
by scottgus1
Not knowing exactly how the whole dll injection thing works, this may be a moot question:

I understand that if security-hardened VirtualBox detects an unsecure program trying to shoehorn its way in, VirtualBox won't start guests.

What happens if a guest is already running in security-hardened VirtualBox, and the unsecure program then tries to get in, perhaps by the user running a non-installed program (one of the type that downloads in a zip and just needs to be extracted and run, for example)? Or if the user installs then runs a program while guests are running?

Re: Security-hardening and Windows Hosts

Posted: 25. Apr 2015, 21:27
by socratis
Not a useful answer, but I'd like to thank you for posting the question. That's got to be a really interesting problem. As far as I know (and that's limited), once a DLL is in memory you can't reload it. But your question poses a really interesting question; what if the DLL becomes available later? And it loads? And it "poisons" the VBox process itself?

All I can think of is that as far as I've seen (in the VBoxStartup.logs), there have been mentions of DLLs trying to come later in the process of running guests and they have all failed. So, that tells me that VBox.exe is always looking for anything that's trying to load anything in its own process... My 0.02€.

Re: Security-hardening and Windows Hosts

Posted: 26. Apr 2015, 12:28
by mpack
We've had examples posted in the security discussion where a hardening error has been raised at runtime (i.e. not during startup).

Speaking as a Windows developer myself, ISTR that the app can install hooks that would allow it to be notified by the OS when a DLL loads inside the app's address space, so it would be a simple matter to intercept the load and check the DLL, and I'm sure that's exactly what VBox does.