Diagnosing VirtualBox Hardening Issues

Post Reply
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Diagnosing VirtualBox Hardening Issues

Post by mpack »

Back in 4.3.14 VirtualBox introduced a new security feature on Windows Hosts: HARDENING.

This was introduced to guard against the possibility that malware running on the HOST could inject a DLL1 into a VM which could then run at elevated privileges (hiding behind Oracle certification) which would be denied to it if it were to run stand alone. The technology press wrote scare stores about this possibility, and with the reputation of Oracle and VirtualBox at stake the problem could not be ignored. Note that the concern is that this injected DLL could use elevated privileges to attack the HOST, we aren't merely talking guest OS malware here.

1 DLL == Dynamic Link Library, a secondary executable file which is loaded after and runs in the context of some parent exe program. The Windows OS makes extensive use of DLLs, just look in the \Windows\System32 folder some time! Injecting a DLL means to trick a program into loading a "foreign" library module that it wouldn't ordinarily have loaded.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Diagnosing VirtualBox Hardening Issues

Post by mpack »

4.3.14 made a first stab at dealing with the problem by forbidding all non-VirtualBox non-System DLLs from running as part of the VirtualBox program. That might sound reasonable, after all injecting a DLL sounds like a shady thing to do... but in fact it turns out that LOTs of legitimate Windows apps need to install DLLs that run in other processes, including :-
  • Graphics drivers (e.g. from NVidia) may inject a DLL which filters graphics function calls to the host OS, redirecting them from software to hardware accelerated versions. VirtualBox VMs use OpenGL, which is precisely the main API that most benefits from this.
  • Unofficial Windows Theme providers often used hacked versions of the Windows theme DLL (uxtheme.dll). Happily this is becoming less common.
  • Accessibility tools designed to help partially sighted people sometimes inject themselves into standard apps in order to speak the text, force high contrast colors etc.
  • Antivirus software is invasive by its very nature, with behaviour hard to distinguish from malware.
  • Many others.
Later VirtualBox versions relaxed the rules:

(RULE1) "Foreign" DLLs can now run inside the VirtualBox process space, provided they are "signed", i.e. have a trusted provider certificate embedded in the software. Malware writers don't want to be identified, and bona fide signature owners don't want to have their certificates revoked, so this should be effective at excluding malware and spyware.

(RULE2) VirtualBox no longer "errors out" when an unsigned DLL is found. Instead the rule is that VirtualBox now merely discards the errant DLL and continues.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Diagnosing VirtualBox Hardening Issues

Post by mpack »

BEGINNING A DIAGNOSIS:

The first thing to do is to view the hardening log, stored as <VM folder>\Logs\VBoxHardening.log. This file can be viewed in any standard text editor, such as Notepad - or better yet Notepad++.

The very last line in the log reports an error code. If this error code is 0 then you don't have a hardening problem at all.

WHAT CAN CAUSE A HARDENING RELATED FAILURE?: The root cause of most hardening failures (see note) is no valid certificate found in a DLL which has been loaded into the VirtualBox execution space. No valid certificate can be due to one of four things (1) the DLL never had a valid certificate - e.g. malware, free software, or the vendor made a mistake, (2) the DLL has been hacked, invalidating the signature, (3) the Windows host certificates database has been damaged by host corruption or a buggy Windows update, (4) something, most likely your antivirus, is blocking VirtualBox's attempts to access the executable to check its certificate.

In the first two cases the fix is to exclude the DLL or replace it with one with a valid certificate.

If you suspect the third case then you need to ask Microsoft about how to check and repair the certificates database. For some reason Windows 7 hosts seem especially prone, although this has become less important since Win7 was dropped as a supported host in VirtualBox 6.1.0.

In the fourth error case the fix is to configure a host antivirus exclusion to allow VirtualBox to make its checks, or choose a different antivirus product (VirtualBox works best with the "Windows Defender" AV which is now built into Windows 10/11 - there is considerable doubt whether Win10/Win11 gets any benefit at all from third party apps).

NOTE VirtualBox versions since 5.2.x (?) produce errors for a new class of hardening problems. This is signified by an error message "Thread not alone" being shown to the user, and "More than one thread in process" being recorded in the log. This message implies that a foreign program has successfully injected itself into the VirtualBox executable space and is now running, this success indicates that the associated DLLs presumably must have been correctly signed. Even so VirtualBox cannot allow this because a foreign program could conceivably be faking results to get past VirtualBox's hardening checks. The usual culprits for this error are certain kinds of "web safe" internet browser filters or remote desktop applications. Those applications must be uninstalled, or VirtualBox must be added as an exception to their activities.
Last edited by mpack on 19. Nov 2022, 14:02, edited 17 times in total.
Reason: Add "more than one thread" note.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Diagnosing VirtualBox Hardening Issues

Post by mpack »

Error Symptom 1: Exit with error code 1

This seems to have several causes, but one of the main ones seems to be that some DLL that VirtualBox requires has failed to load. That probably indicates corruption somewhere. Sometimes you find an error related to USER32.DLL in the hardening log. This may be fixed by running "sfc /scannow" in an administrator command prompt window.

See also the "More than one thread in process" note in the previous post.

Another possible cause of Exit Code 1 is here: viewtopic.php?p=545920#p545920
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Diagnosing VirtualBox Hardening Issues

Post by mpack »

Error Symptom 2: Error code 0xC0000005

Error 0xC0000005 is what's known as an general protection fault or memory access error: the application tried to access an invalid memory address or jump to code which doesn't exist. Hence this is most likely a consequence of RULE2: a bad DLL got unloaded, but some other DLL is still trying to use it.

You can often narrow the cause if you look at which DLL faulted. Try disabling audio as a test, likewise try disabling 3D acceleration. Quite often you find that the bad memory access came from a graphics related DLL, which implies that the graphics provider omitted to sign one of their DLLs. You should check for updates for your graphics card drivers.

1 If you find that the VM will not start in normal mode, but will start when run in headless mode, then that makes it pretty much certain that your problem is the graphics drivers. This test could be tried if disabling 3D acceleration had no effect.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Diagnosing VirtualBox Hardening Issues

Post by mpack »

Other things to try:
  • Disable your real-time antivirus, at least temporarily, to test whether this is conflicting with VirtualBox. On Windows 10 hosts the Windows Defender AV is designed by people who know how to write low level code for Windows without fighting it or breaking it. It does not conflict with VirtualBox. You would perhaps be wise to stick to that.
    .
  • Expanding on the previous point, some antivirus don't provide an effective "disable" function. To be absolutely sure it won't interfere you have to uninstall it completely and perform a full reboot of your host PC.
    .
  • Make sure Hyper-v is disabled. Modern VirtualBox VMs usually can't run if Hyper-v is hogging the hardware resources required for virtualization. This may present itself first as a hardening error, so it's worth checking. Note that this advice may soon change, as VirtualBox v6.x adds experimental support for Windows 10 Hypervisor Platform.
    .
  • Power down your VM (not suspended state) and restart.
    .
  • Fully power down and then restart your host. Sometimes this shakes something loose.
    .
  • Fully uninstall and then reinstall VirtualBox using "Run as administrator" to run the installer. Sometimes this replaces a corrupted DLL that was causing a problem, or changes the order that Windows calls on device drivers.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Diagnosing VirtualBox Hardening Issues

Post by mpack »

The following information is courtesy of user "Socratis". He has made a list of new features that Microsoft have added to Windows 10 which implicitly enable Hyper-v and therefore cause problems for VirtualBox. In an ideal world these should all be disabled, and please understand that Microsoft seems to be adding to this list all the time, and sometimes the same feature is given different names.
Socratis wrote: Here's the list that I have so far:
  • Application Guard
  • Credential Guard
  • Device Guard
  • <any> * Guard
  • Containers
  • Core Isolation
  • Memory Integrity
  • Virtualization Based Security
  • Hyper-V
  • Virtual Machine Platform
  • Windows Hypervisor Platform
  • Windows Sandbox
  • Windows Subsystem for Linux 2 (WSL2) (WSL1 does not enable Hyper-v)
If Hyper-v cannot be disabled, e.g. due to company policy, then VirtualBox v6.x has a new ability to run via the Windows Hypervisor Platform, however Windows 10 (1809) or later is required, and it currently causes a significant drop in VM performance.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Diagnosing VirtualBox Hardening Issues

Post by mpack »

And finally...

If the above didn't help you solve the problem then ask a question about it in the Windows Hosts forum. Remember to attach a zipped copy of your VBoxHardening.log file.
fth0
Volunteer
Posts: 5661
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: Diagnosing VirtualBox Hardening Issues

Post by fth0 »

The VirtualBox Hardening log file (VBoxHardening.log) can indicate a lot of different types of issues. I'll try and describe some of them here from time to time.



Damaged installation of the Microsoft Visual C++ Runtime

During its initialization, VirtualBox (e.g. VirtualBoxVM.exe) tries to load the VirtualBox runtime DLL (VBoxRT.dll), which is the first VirtualBox component that in turn depends on the Microsoft Visual C++ Runtime (e.g. vcruntime140.dll, vcruntime140_1.dll). Before trying to load VBoxRT.dll, VirtualBox tries to verify the integrity of VBoxRT.dll and its dependencies. If for example vcruntime140_1.dll is missing, the following log messages can be found in the VBoxHardening.log file:
VBoxHardening.log wrote:Failed to locate 'vcruntime140_1.dll'
and
VBoxHardening.log wrote:LoadLibrary "C:\Program Files\Oracle\VirtualBox/VBoxRT.dll" failed (rc=126)
The return code 126 (0x0000007E, ERROR_MOD_NOT_FOUND, "The specified module could not be found.") indicates that either VBoxRT.dll or one of its dependencies could not be found by the Windows LoadLibrary() function. If one of the Microsoft Visual C++ Runtime libraries is missing, a repair installation of the Microsoft Visual C++ Runtime can solve the problem.

PS: This is one example of Error Symptom 1: Exit with error code 1
Post Reply