Unable to headless start and detachable start

For discussions related to using VirtualBox on Windows pre-releases (e.g. Windows 10 > build 10240).
fth0
Volunteer
Posts: 5668
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: Unable to headless start and detachable start

Post by fth0 »

If you provided the ntdll.dll file (outside of this forum, please ;)), I'd be interested to take a peek.
moranrs
Posts: 5
Joined: 9. Jun 2022, 17:15


Post by moranrs »

I also encountered this problem; I have been unable to solve it. I saw something about Vagrant in the reply, my CentOS was also created through Vagrant. So, I tried to create through ISO, but unfortunately still can't solve the problem.
Attachments
centos7-2022-12-31-19-16-55.log

Post by moranrs »

moranrs wrote: I also encountered this problem; I have been unable to solve it. I saw something about Vagrant in the reply, my CentOS was also created through Vagrant. So, I tried to create through ISO, but unfortunately still can't solve the problem.
And my VM log.
Attachments
centos7-2022-12-31-19-14-36.zip

Post by fth0 »

The centos7-2022-12-31-19-16-55.log file (VirtualBox hardening log file) indicates that VirtualBox rejected the ntdll.dll, just like in the other users' cases. So far, nobody was interested in me having a look ... ;)
Oracleiscool
Posts: 71
Joined: 12. Aug 2021, 19:51
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 11 22H2
Location: US


Post by Oracleiscool »

@fth0

Hi there. Happy New Year! Just wanted to let you know I ran a full administrative PowerShell SFC /SCANNOW on both of my machines (Win10 22H2, Win11 22H2) and they both came back with corrupt system files since the last iteration of updates (they were .NET and a part of the new 22H2 version). I did not see what files were corrupted, but I think the SFC in Windows runs more in-depth in admin mode (but I don't know for sure). Might be worth a look if the results of the scan are different (Admin vs. Normal User Account). Point being, they were both corrupted, even after Windows verified the Update downloads. Weird.

Post by moranrs »

fth0 wrote:The centos7-2022-12-31-19-16-55.log file (VirtualBox hardening log file) indicates that VirtualBox rejected the ntdll.dll, just like in the other users' cases. So far, nobody was interested in me having a look ... ;)
I am willing to provide ntdll.dll. How can I contact you?

Post by fth0 »

moranrs wrote:I am willing to provide ntdll.dll, how can I contact you
Look to the right of this forum post. ;)

But note that you have to provide the file outside of a PM.

Post by moranrs »

fth0 wrote:
moranrs wrote:I am willing to provide ntdll.dll, how can I contact you
Look to the right of this forum post. ;)

But note that you have to provide the file outside of a PM.
I'm sorry, due to the forum's posting limit (5 posts are required to send the link) I can't provide the DLL via PM. Please give me your email, and I will send it to you via email.

Post by fth0 »

moranrs wrote:I can't provide the dll via PM
fth0 wrote:But note that you have to provide the file outside of a PM.
Choose some public pastebin service, where I can download the file anonymously, and send the link obfuscated as text in a PM.

Post by fth0 »

VBoxHardening.log file wrote:
30f0.1458: \SystemRoot\System32\ntdll.dll:
30f0.1458:     CreationTime:    2022-12-10T11:21:46.101759900Z
30f0.1458:     LastWriteTime:   2022-12-10T11:21:46.101759900Z
30f0.1458:     ChangeTime:      2022-12-16T11:52:35.091603100Z
30f0.1458:     FileAttributes:  0x20
30f0.1458:     Size:            0x213b90
30f0.1458:     NT Headers:      0xe0
30f0.1458:     Timestamp:       0x664ac545
30f0.1458:     Machine:         0x8664 - amd64
30f0.1458:     Timestamp:       0x664ac545
30f0.1458:     Image Version:   10.0
30f0.1458:     SizeOfImage:     0x215000 (2183168)
30f0.1458:     Resource Dir:    0x19e000 LB 0x75448
30f0.1458:     [Version info resource found at 0xd8! (ID/Name: 0x1; SubID/SubName: 0x409)]
30f0.1458:     [Raw version resource data: 0x19e0f0 LB 0x380, codepage 0x0 (reserved 0x0)]
30f0.1458:     ProductName:     Microsoft® Windows® Operating System
30f0.1458:     ProductVersion:  10.0.25267.1000
30f0.1458:     FileVersion:     10.0.25267.1000 (WinBuild.160101.0800)
30f0.1458:     FileDescription: NT Layer DLL

30f0.1458: Error (rc=-5607):
30f0.1458: ntdll.dll: SizeOfImage (0x215000) isn't close enough to the mapping size (0x217000)

30f0.1458:  *00007ffa675d0000-00007ffa675d0fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume7\Windows\System32\ntdll.dll
30f0.1458:   00007ffa675d1000-00007ffa67700fff 0x0020/0x0080 0x1000000  \Device\HarddiskVolume7\Windows\System32\ntdll.dll
30f0.1458:   00007ffa67701000-00007ffa67750fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume7\Windows\System32\ntdll.dll
30f0.1458:   00007ffa67751000-00007ffa67759fff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume7\Windows\System32\ntdll.dll
30f0.1458:   00007ffa6775a000-00007ffa677e4fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume7\Windows\System32\ntdll.dll
30f0.1458:   00007ffa677e5000-00007ffa677e6fff 0x0000/0x0080 0x1000000  \Device\HarddiskVolume7\Windows\System32\ntdll.dll
[Screenshot: Sections of ntdll.dll 10.0.25267.1000]
Thanks for providing the ntdll.dll file version 10.0.25267.1000. The section information confirms that the file should only use 0x215000 bytes of virtual memory. I don't know why Windows Insider (or some software within it) allocates the additional 8 kB memory region (without access protection bits). The latter also happened for kernel32.dll and KernelBase.dll, BTW.
snydergd
Posts: 3
Joined: 15. Dec 2023, 20:32


Post by snydergd »

Sorry to be so late to the party. :P I'm also using Windows 11 Pro Insider Preview, and seeing the same thing with the 8kb differences. Here's a short excerpt of my VBoxHardening logs, but very similar to previous.


1988.239c: supHardenedWinVerifyProcess failed with -5607: ntdll.dll: SizeOfImage (0x239000) isn't close enough to the mapping size (0x23c000)
fth0 wrote: 8. Jan 2023, 14:56 Thanks for providing the ntdll.dll file version 10.0.25267.1000. The section information confirms that the file should only use 0x215000 bytes of virtual memory. I don't know why Windows Insider (or some software within it) allocates the additional 8 kB memory region (without access protection bits). The latter also happened for kernel32.dll and KernelBase.dll, BTW.
Thanks so much for taking time to look at this. I was almost ready to throw in the towel until I saw this. I linked this thread on a tech community post (Google tech community "Vagrant up fails with supHardenedWinVerifyProcess failed with -5607: ntdll.dll on Windows 11 Pro Ins"). Hopefully there's enough for someone to help us with this on the Microsoft side 🙏

I'm trying my best to piece together some of the pieces and find something useful to someone, but am totally clueless on some of this and am sure maybe some of you have more context.

So is basically what's happening like this?
  1. Something launches VBoxManage or VBoxHeadless (in my case, vagrant, but also if I do startmachine from command line)
  2. Windows loads up the EXE, including the DLLs it's asking for -- and the program starts running
  3. The program decides to examine itself, if it is pure and worthy of running a VM -- looking at its own memory structure through some Windows APIs?
  4. While looking at its memory, it finds that Windows mapped out some extra memory for the sections of the DLLs that were loaded, and is not happy with that, so spits out these logs and dies
Just want to make sure I've got the mechanics roughly right. I can look more and hopefully find something, but if anyone can help me understand here, I would be very thankful to you.

Post by fth0 »

snydergd wrote: 15. Dec 2023, 20:57 So is basically what's happening like this?
Yes. The executable files are VirtualBoxVM.exe (normal + detachable start) and VBoxHeadless.exe (headless + detachable start). They can use (for example) NtQueryVirtualMemory() to query their virtual memory regions, they can read their own executable files and compare the information in the executable file headers with the in-memory representation.

In the last weeks, a certain amount of VirtualBox users have reported a completely different VirtualBox issue on Windows Insider builds. This amount of users is much larger than the amount of users that have reported your issue, giving the impression that your issue affects only a small fraction of VirtualBox users of Windows Insider builds. Whatever that really means. ;)
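
Added example (not part of the original posts, and not VirtualBox code): a small Python parser for the VBoxHardening.log lines quoted earlier in this thread. It reproduces the comparison fth0 describes, the image header's SizeOfImage against the mapped regions, and lists any region that starts beyond SizeOfImage. The field order assumed for the region lines (protection/allocation protection, type, path) is an interpretation of the excerpt.

```python
import re

# Lines copied from the VBoxHardening.log excerpt quoted in this thread.
SAMPLE_LOG = r"""
30f0.1458: ntdll.dll: SizeOfImage (0x215000) isn't close enough to the mapping size (0x217000)
30f0.1458:  *00007ffa675d0000-00007ffa675d0fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume7\Windows\System32\ntdll.dll
30f0.1458:   00007ffa675d1000-00007ffa67700fff 0x0020/0x0080 0x1000000  \Device\HarddiskVolume7\Windows\System32\ntdll.dll
30f0.1458:   00007ffa67701000-00007ffa67750fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume7\Windows\System32\ntdll.dll
30f0.1458:   00007ffa67751000-00007ffa67759fff 0x0004/0x0080 0x1000000  \Device\HarddiskVolume7\Windows\System32\ntdll.dll
30f0.1458:   00007ffa6775a000-00007ffa677e4fff 0x0002/0x0080 0x1000000  \Device\HarddiskVolume7\Windows\System32\ntdll.dll
30f0.1458:   00007ffa677e5000-00007ffa677e6fff 0x0000/0x0080 0x1000000  \Device\HarddiskVolume7\Windows\System32\ntdll.dll
"""

ERR_RE = re.compile(r"([\w.]+): SizeOfImage \((0x[0-9a-f]+)\) isn't close enough "
                    r"to the mapping size \((0x[0-9a-f]+)\)", re.I)
# Assumed field order: start-end, protection/allocation protection, type, path.
REGION_RE = re.compile(r":\s+\*?([0-9a-f]{16})-([0-9a-f]{16})\s+(0x[0-9a-f]+)/"
                       r"0x[0-9a-f]+\s+0x[0-9a-f]+\s+(\S.*)$", re.I)

def analyze(log_text):
    """Return one finding per distinct SizeOfImage/mapping-size mismatch."""
    errors, regions = {}, []
    for line in log_text.splitlines():
        if m := ERR_RE.search(line):
            dll, img, mapped = m.group(1), int(m.group(2), 16), int(m.group(3), 16)
            errors[(dll.lower(), img, mapped)] = dll  # dedupe repeated reports
        elif m := REGION_RE.search(line):
            regions.append((int(m.group(1), 16), int(m.group(2), 16),
                            int(m.group(3), 16), m.group(4).strip()))
    findings = []
    for (key, img, mapped), dll in errors.items():
        own = sorted(r for r in regions if r[3].lower().endswith("\\" + key))
        base = own[0][0] if own else None
        findings.append({
            "dll": dll,
            "size_of_image": img,
            "mapping_size": mapped,
            "excess": mapped - img,
            # Span of the listed regions; None when the excerpt has no map lines.
            "span": own[-1][1] + 1 - base if own else None,
            # Regions starting at or beyond SizeOfImage: (offset, size, protection).
            "tail": [(s - base, e + 1 - s, p) for s, e, p, _ in own if s - base >= img],
        })
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["dll"], hex(f["excess"]), [(hex(o), hex(n), hex(p)) for o, n, p in f["tail"]])
```

Run against a full VBoxHardening.log, the same function reports every DLL rejected for this reason, which makes it easy to compare logs from different start modes.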

Post by snydergd »

Very interesting. So maybe something is weird on my machine then. Do you have any ideas about how that extra 8kb could be getting mapped? Could it be code outside those DLLs or the VirtualBox EXEs that has its fingers into Windows, or that somehow injects itself into these processes, or would it have to be either Windows or the VirtualBox/DLL code?

Is it meaningful to you that VBoxHeadless.exe has this issue but that VirtualBoxVM.exe seems to work just fine, do you think?

As far as I can tell, these files are fresh installed from the MSI I got from the VirtualBox website - version 7.0.12.159484. I don't think I've done all that much with this machine that's unique -- I may have installed VirtualBox using Chocolatey at one point, but have since uninstalled and reinstalled it manually. I also tried getting it to start a VM when Windows started a while back. I never succeeded, but I did mess with some of my user's privileges and group membership. I'm also running as a local user account vs. whatever the ones are that Microsoft recommends where you have it tied to a Microsoft account.

Post by fth0 »

snydergd wrote: 16. Dec 2023, 20:33 Do you have any ideas about how that extra 8kb could be getting mapped? Could it be code outside those DLLs or the VirtualBox EXEs that has its fingers into Windows, or that somehow injects itself into these processes, or would it have to be either Windows or the VirtualBox/DLL code?
I don't have a concrete idea yet, but you've asked another interesting question:
snydergd wrote: 16. Dec 2023, 20:33 Is it meaningful to you that VBoxHeadless.exe has this issue but that VirtualBoxVM.exe seems to work just fine, do you think?
Please start the VM in all three modes (normal, headless, detachable) and save the VBoxHardening.log file after each attempt, so that it doesn't get overwritten. Provide the three log files in a zip file.

PS: The OP already provided two log files, but from different VirtualBox versions, so I couldn't be sure if a comparison was valid.

Post by snydergd »

Ok, I've tried starting my VM in 3 different modes -- I used VBoxManage.exe to launch. E.g., VBoxManage.exe startvm guid-of-vm --type=headless. I used "--help" to see the options for --type and the options listed for that were "gui | headless | sdl | separate". So I went with gui, headless, and separate (it said "Invalid frontend name: 'sdl'", when I tried "sdl").

I've uploaded my zip to filebin dot net / 48l0mtzj9lxruuma. It contains three folders for "gui", "separate", and "headless", each with a VBoxHardening.log in them.

Here is some other interesting news, and I can't tell how it plays in or not. When I first went to create these logs, I was getting the same exact message with "gui", as well as in the GUI interface itself -- and I know for sure that I was not getting this before - so I blamed some things I'd been playing with. I uninstalled VirtualBox, made sure it was gone from Program Files, and installed it again from the same installer as last time. After this I got the same exact result. I tried launching the VM from the UI and was also now getting the message about SizeOfImage not being close enough. I had been messing with Windows Defender in the Windows Settings app, under App & browser controls -> Program Settings, and had added (but not set any overrides for) VirtualBoxVM.exe to that list, so now to try and get it working again, I removed it from the list (again, it said 0 overrides - while here, I also removed VBoxHeadless from the list). After doing this, I could once again launch it from the GUI and VBoxManage with "gui" now works again, and I produced these logs. I added it back to the list again and am still not getting the error on "gui", which has me skeptical. I even tried adding back VBoxHeadless.exe and adding some overrides in there, but that doesn't seem to have made a difference.

I can't tell if that is a coincidence or not. However, it's now consistently how it was before -- gui works, and the others have this error. The logs are from how it is now. I also did a separate capture when it was failing the first time if that would be helpful.