TDL and logs leaved behind about tdl HOT 1 CLOSED

TDL does not log anything anywhere except in the console window output.

The only certificate this vboxdrv.sys uses is in virtual box driver itself.

If vboxdrv.sys was removed from disk and all registry entries removed then only possible leftovers are:

1. eventlog (which is ridiculous)

2. kernel pool (this vbox does not properly free kernel memory afaik)

3. MmUnloadedDrivers (it has limited capacity and updates every time new driver loaded/unloaded)

4. named objects it may create during work and not deleted at driver unload

5. and 3) no credible 100% verdict, because driver file can be already deleted and they cannot calculate and compare hash

6. raises a chance of protection driver bugchecks and no 100% credible verdict

7. afaik there are no such objects in this vboxdrv version

If the protection driver was loaded before TDL it will be able to log and intercept any load driver attempt, and ban driver load by for (simple) example file hash which will be calculated from registry callback filter on ImagePath value of hardcoded VBox key when SCM/Native will try to install driver.

I'm afraid this is not TDL issue. TDL was never designed to be against any 3rd party software protection drivers, only against Windows itself.

from tdl.