VirtualBox VMs can't start while Windhawk is running #25

Closed
The-MAZZTer opened this issue Dec 3, 2022 · 2 comments

@The-MAZZTer

OS: Windows Professional 11 Version 22H2 22621.900 x64

Reproduction Steps:

  1. Install Windhawk and run it. No plugins are required to be enabled.
  2. Install VirtualBox 7 and run it.
  3. Create a VM if you don't have one. It shouldn't matter what you do (it doesn't even have to boot) but one VM I specifically tried is this one: https://www.whonix.org/wiki/VirtualBox
  4. Attempt to start the VM (for Whonix it has two VMs, either one reproduces the problem).

Expected:

VM starts and runs as expected.

Actual:

If Windhawk is running and you attempt to start a VirtualBox 7.0.2 or 7.0.4 (and possibly other versions) VM, you receive an error message:


VirtualBox - Error In supR3HardNtChildPurify

supHardenedWinVerifyProcess failed with VERR_SUP_VP_NT_QI_VIRTUAL_MEMORY_ERROR: (rc=-5637)

Please try reinstalling VirtualBox.

where: supR3HardNtChildPurify what: 5 VERR_SUP_VP_NT_QI_VIRTUAL_MEMORY_ERROR (-5637) - Process Verification Failure: Error query virtual memory information.

The corresponding VirtualBox log file which contains more detailed information on the failure including memory addresses that failed to validate: VBoxHardening.log

My research suggests this failure is due to unsigned code injection being detected in the VM host process, so VirtualBox refuses to start the VM. This system is called "VM hardening" in VirtualBox.

https://forums.virtualbox.org/viewtopic.php?f=25&t=82106

Workaround:

Quitting Windhawk and restarting VirtualBox, and then starting VMs while Windhawk is not running resolves this error. Windhawk can be started while VMs are running with no effect on them in my testing.

Suggested Fix:

Windhawk should not inject into a process unless a plugin specifically requests it (or requests all processes, but then an exclusion list would be required as I said above). Right now it seems Windhawk injects into all processes, presumably to simplify the coding. This would resolve the issue as long as no plugins attempt specifically to inject into VirtualBox VMs.

If it is possible for a plugin to inject into ALL processes, an exclusion list would need to be maintained. This list could also optionally be exposed to the user in settings to allow the user to add new entries to this list for the purpose of resolving other compatibility problems.

Alternatively, the current method of injection could be kept with just the exclusion list.

@m417z
Member

m417z commented Dec 6, 2022

Thanks for the report. An option for an exclusion list will be added in the next version.

> Right now it seems Windhawk injects into all processes, presumably to simplify the coding.

Not for simplicity, but to be able to hijack process creation. See a more detailed explanation here: #21 (comment)

Edit: For future visitors, it's enough to add the VirtualBox installation path to the exclusion list in Windhawk's settings. The installation path is usually:

%ProgramFiles%\Oracle\VirtualBox\*
Exclude-VirtualBox-in-Windhawk.mp4

@m417z
Member

m417z commented Dec 26, 2022

With Windhawk v1.0, it's now possible to exclude processes in Windhawk. Please try it and let me know whether it helps.
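
An added example, not part of the thread and not Windhawk's code: a small checker for which process image paths a path-based exclusion entry such as `%ProgramFiles%\Oracle\VirtualBox\*` would cover. The matching rules (case-insensitive, `*` spanning backslashes, bare names compared to the file name), the function names and the sample paths are assumptions made for this illustration.

```python
import ntpath
import re

def expand_vars(pattern, env):
    """Expand %NAME% from env (names are case-insensitive); unknown names stay as written."""
    lookup = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).upper(), m.group(0)), pattern)

def to_regex(pattern, env):
    """Compile one exclusion pattern. Assumed semantics: '*' matches any run of
    characters (backslashes included), '?' one character, case is ignored."""
    expanded = ntpath.normpath(expand_vars(pattern, env))
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in expanded)
    return re.compile(body, re.IGNORECASE)

def is_excluded(image_path, patterns, env):
    """True if the process image path matches any pattern. Assumption: a pattern
    without a path separator is compared against the file name only."""
    full = ntpath.normpath(image_path)   # also normalises '/' to a backslash
    name = ntpath.basename(full)
    for pattern in patterns:
        target = full if ("\\" in pattern or "/" in pattern) else name
        if to_regex(pattern, env).fullmatch(target):
            return True
    return False

def uncovered(image_paths, patterns, env):
    """Return the image paths that no pattern excludes."""
    return [p for p in image_paths if not is_excluded(p, patterns, env)]

# Constructed sample data (not taken from the issue's log).
ENV = {"ProgramFiles": r"C:\Program Files"}
PATTERNS = [r"%ProgramFiles%\Oracle\VirtualBox\*"]   # pattern quoted in the thread
SAMPLE = [
    r"C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe",
    r"c:\program files\oracle\virtualbox\VBoxSVC.exe",
    "C:/Program Files/Oracle/VirtualBox/VBoxHeadless.exe",
    r"D:\Tools\VirtualBox\VirtualBoxVM.exe",               # non-default install
    r"C:\Program Files\Oracle\VirtualBoxExtras\tool.exe",  # sibling directory
]

if __name__ == "__main__":
    for path in uncovered(SAMPLE, PATTERNS, ENV):
        print("not excluded:", path)
```

A non-default install location is the case to watch: the default-path entry leaves it uncovered, so the exclusion has to name the directory VirtualBox is actually installed in.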
