OS: Windows 2003 x86/PAE - 32gb
VBox 4.3.18 (and the previous few builds) is incompatible with Outpost Firewall Pro v6.7.x and others that use "WL_HOOK.DLL" to inject into all processes to get some information in ring 3 (user mode). WL_HOOK.DLL is digitally signed and must be allowed (I can attach this file if needed). But VirtualBox incorrectly recognizes the path to it. There is a bug in VirtualBox path parsing (probably because of the special injection technique that is used). Please see VBoxStartup.log:
Please see the large amount of garbage (binary garbage) after the "\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume3\Program Files\Outpost Firewall" string.
The real path to wl_hook.dll is E:\Program Files\Outpost Firewall Pro\wl_hook.dll
So it must be like: "\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume3\Program Files\Outpost Firewall\wl_hook.dll"
But you parsed the details incorrectly, like the string's terminating zero is missing or something, so you are reading garbage memory. After that you are providing this information to the system function WinVerifyTrust to check the digital signature. But the path is invalid (garbage), so it cannot find the file to check. So you are REJECTING loading this .dll. After that, we have problems using the virtual machine, because Outpost cannot read information about a process without this DLL injected into it, so it can't get the correct ProcessName and can't allow/create_rule for any network or other activity from the VM, so it is UNUSABLE.
Please fix the path parsing, or allow this injection method, and allow WL_HOOK.DLL (digitally signed) to inject into your process.
The log is above; please see the details.
P.S.
And some advice about this "security function" from a guy who has been working in the Windows security area for more than 15+ years (anti-rootkits / anti-malware / anti-viruses / debugging / etc.). It is a really bad idea to not allow any modules to be mapped into your process, to filter this. You will have a lot of unsolvable issues on most users' computers. There is a very large number of .dlls that are injected, for various reasons, into all or some processes in order to work: special keyboard key hooks, special capabilities, special software, etc. And not all of them are signed. I have seen that you have been ignoring this, so I am just saying what I know for sure, from my experience.
The other way: make it an option (enabled by default, if you want) - Hardening. Most adequate users will disable it, or users who have problems with VB working. (An option in the GUI or even in the XML settings.)
VBoxStartup.log:
...
e4.11ec: supR3HardenedScreenImage/NtCreateSection: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume3\WINDOWS\system32\imm32.dll [lacks WinVerifyTrust]
e4.11ec: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0x0 hMod=76290000 'E:\WINDOWS\system32\IMM32.DLL'
e4.11ec: supHardenedWinVerifyImageByHandle: -> -23021 (\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume3\Program Files\Outpost Firewallц╜ОцХоц╝атБжцб┤тБетА▒цЕ░цб┤чМитАйцЕицХ╢цДачРачХ▓чС│цДацНоц╜ит╣▓тА║фСЬчЩецНйх▒ецЕИцС▓цедцн│ц╡Дц╜ЦчХмцХнх▒│цбРчН╣цНйц▒бц╡Дц╜ЦчХмцХнх▒│ц▒ВцНпхЩлц▒пц╡╡уНехБЬц╜▓чЙзц╡бфШац▒йчНеф╜ЬчС╡ц╜░чС│фШачЙйчЭец▒бюЩмш║╜щЧжюЪоъВ╝шЗвюЪжыТбшЗвюКеыЖАшЧжюЪ░ыТбш│зюКиъжАшЧжюЪиыЪХшУжюЮаъВРщЧзюЮ▓ыОСшУжюЪаъ║Ны╖жюКиыК╣шГв┬║)
e4.11ec: Error (rc=0):
e4.11ec: supR3HardenedScreenImage/LdrLoadDll: rc=Unknown Status -23021 (0xffffa613) fImage=1 fProtect=0x0 fAccess=0x0 \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume3\Program Files\Outpost Firewallц╜ОцХоц╝атБжцб┤тБетА▒цЕ░цб┤чМитАйцЕицХ╢цДачРачХ▓чС│цДацНоц╜ит╣▓тА║фСЬчЩецНйх▒ецЕИцС▓цедцн│ц╡Дц╜ЦчХмцХнх▒│цбРчН╣цНйц▒бц╡Дц╜ЦчХмцХнх▒│ц▒ВцНпхЩлц▒пц╡╡уНехБЬц╜▓чЙзц╡бфШац▒йчНеф╜ЬчС╡ц╜░чС│фШачЙйчЭец▒бюЩмш║╜щЧжюЪоъВ╝шЗвюЪжыТбшЗвюКеыЖАшЧжюЪ░ыТбш│зюКиъжАшЧжюЪиыЪХшУжюЮаъВРщЧзюЮ▓ыОСшУжюЪаъ║Ны╖жюКиыК╣шГв┬║: None of the 1 path(s) have a trust anchor.: \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume3\Program Files\Outpost Firewallц╜ОцХоц╝атБжцб┤тБетА▒цЕ░цб┤чМитАйцЕицХ╢цДачРачХ▓чС│цДацНоц╜ит╣▓тА║
e4.11ec: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume3\Program Files\Outpost Firewallц╜ОцХоц╝атБжцб┤тБетА▒цЕ░цб┤чМитАйцЕицХ╢цДачРачХ▓чС│цДацНоц╜ит╣▓тА║фСЬчЩецНйх▒ецЕИцС▓цедцн│ц╡Дц╜ЦчХмцХнх▒│цбРчН╣цНйц▒бц╡Дц╜ЦчХмцХнх▒│ц▒ВцНпхЩлц▒пц╡╡уНехБЬц╜▓чЙзц╡бфШац▒йчНеф╜ЬчС╡ц╜░чС│фШачЙйчЭец▒бюЩмш║╜щЧжюЪоъВ╝шЗвюЪжыТбшЗвюКеыЖАшЧжюЪ░ыТбш│зюКиъжАшЧжюЪиыЪХшУжюЮаъВРщЧзюЮ▓ыОСшУжюЪаъ║Ны╖жюКиыК╣шГв┬║
e4.11ec: Error (rc=0):
e4.11ec: supR3HardenedMonitor_LdrLoadDll: rejecting 'e:\progra~1\outpos~1\wl_hook.dll': rcNt=0xc0000190
e4.11ec: supR3HardenedMonitor_LdrLoadDll: returns rcNt=0xc0000190 'e:\progra~1\outpos~1\wl_hook.dll'
...
How does it look in a modules list normally? For example, in explorer.exe. Windows parses the path to the module correctly. Any software that shows modules shows them correctly, including "wl_hook.dll".
Modules:
Base Size Path, version, description
01000000 104000 E:\WINDOWS\Explorer.EXE 6.00.3790.3959 (srv03_sp2_rtm.070216-1710) Windows Explorer
7C800000 C3000 E:\WINDOWS\system32\ntdll.dll 5.2.3790.4937 (srv03_sp2_gdr.111121-0236) NT Layer DLL
77E40000 104000 E:\WINDOWS\system32\kernel32.dll 5.2.3790.5295 (srv03_sp2_qfe.140205-1447) Windows NT BASE API Client DLL
...
71B70000 36000 E:\WINDOWS\system32\UxTheme.dll 6.00.3790.3959 (srv03_sp2_rtm.070216-1710) Microsoft UxTheme Library
76290000 1D000 E:\WINDOWS\system32\IMM32.DLL 5.2.3790.3959 (srv03_sp2_rtm.070216-1710) Windows IMM32 API Client DLL
10000000 A4000 e:\progra~1\outpos~1\wl_hook.dll 6.7.2922.10022 Outpost Hooking Module
00870000 E000 E:\WINDOWS\system32\hplun.dll 1.00.2 HotPlug help module
77420000 103000 E:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.5190_x-ww_319264BE\comctl32.dll 6.0 (srv03_sp2_qfe.130703-1535) User Experience Controls Library
75E60000 27000 E:\WINDOWS\system32\apphelp.dll 5.2.3790.3959 (srv03_sp2_rtm.070216-1710) Application Compatibility Client Library
...
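A triage sketch for excerpts like the VBoxStartup.log above, added here as an example (not code from the post or from VirtualBox): it lists the modules the hardening code refused and reinterprets the non-ASCII run after a logged path as 8-bit text. It assumes the forum page displays UTF-8 bytes through code page 866; all function names are illustrative.

```python
import re

# Constructed sample: two lines shaped like the excerpt above. TAIL is the
# start of the corrupted run, copied as the forum page renders it.
TAIL = "ц╜ОцХоц╝атБжцб┤тБетА▒цЕ░цб┤чМитАйцЕицХ╢цДачРачХ▓чС│цДацНоц╜ит╣▓"
SAMPLE_LOG = "\n".join([
    r"e4.11ec: supHardenedWinVerifyImageByHandle: -> -23021 "
    r"(\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume3"
    r"\Program Files\Outpost Firewall" + TAIL + ")",
    r"e4.11ec: supR3HardenedMonitor_LdrLoadDll: rejecting "
    r"'e:\progra~1\outpos~1\wl_hook.dll': rcNt=0xc0000190",
])

REJECT_RE = re.compile(r"LdrLoadDll: rejecting '([^']+)': rcNt=(0x[0-9a-fA-F]+)")
VERIFY_RE = re.compile(r"supHardenedWinVerifyImageByHandle: -> (-?\d+) \((.*)\)\s*$")


def rejected_modules(log):
    """Return (path, rcNt) for every DLL load the hardening code refused."""
    return [m.groups() for m in map(REJECT_RE.search, log.splitlines()) if m]


def split_corrupt_path(path):
    """Split a logged path at its first non-ASCII character."""
    for i, ch in enumerate(path):
        if ord(ch) > 0x7F:
            return path[:i], path[i:]
    return path, ""


def tail_as_narrow_text(tail):
    """Read the corrupted tail's UTF-16LE code units back as 8-bit text."""
    # Assumption: the page shows UTF-8 bytes through code page 866, so undo
    # that first, then look at the raw bytes behind each 16-bit character.
    wide = tail.encode("cp866", errors="ignore").decode("utf-8", errors="replace")
    return wide.encode("utf-16-le").decode("ascii", errors="replace")


def triage(log):
    """Summarise rejected modules and any corrupted verification paths."""
    findings = {"rejected": rejected_modules(log), "corrupt": []}
    for line in log.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            clean, tail = split_corrupt_path(m.group(2))
            if tail:
                findings["corrupt"].append((int(m.group(1)), clean, tail_as_narrow_text(tail)))
    return findings
```

On the sample, the run after "Outpost Firewall" reads back as the log's own message text, "None of the 1 path(s) have a trust anchor.", which is what 8-bit text looks like when it is read as wide characters past the end of a path.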