VirtualBox 5.0.10 r104061
Host: Windows 2012 R2 x64 with all updates installed
Guest: Windows XP x86
Short description of this post:
Found an incompatibility with ViPNet CSP (c) InfoTeCS (v4.2.4.33325, http://www.infotecs.ru) -- a crypto-provider, popular in Russia, used in government, enterprise and... by common people to sign requests for government services. More details here:
http://infotecs.ru/products/catalog.php ... NT_ID=2096
Detailed description:
Hardened protection again does not allow any VM to boot. Moreover, in this case it was really hard to understand the reason from the VBoxHardening.log.
What I see at the end of the log is only these strings, which say nothing to me, because I do not see the REASON for quitting. What failed?
When I start the VM, I get an error message box:
Code:
---------------------------
VirtualBox.exe - Application Error
---------------------------
The instruction at 0x6d001d80 referenced memory at 0x6d001d80. The memory could not be written.
Click on OK to terminate the program
Click on CANCEL to debug the program
---------------------------
OK Cancel
---------------------------
Probably, this is the main answer.
After pressing OK:
Code:
The virtual machine 'Windows XP SP3 (...)' has terminated unexpectedly during startup with exit code 0 (0x0). More details may be available in 'X:\(skipped)\Logs\VBoxHardening.log'.
Result Code: E_FAIL (0x80004005)
Component: MachineWrap
Interface: IMachine {f30138d4-e5ea-4b3a-8858-a059de4c93fd}
Code:
...
11dc.11e0: supR3HardenedScreenImage/Imports: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume22\Windows\System32\msvcrt.dll [lacks WinVerifyTrust]
11dc.11e0: supR3HardenedMonitor_LdrLoadDll: pName=C:\Windows\system32\Wintrust.dll (rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000000801:<flags> [calling]
11dc.11e0: supR3HardenedScreenImage/NtCreateSection: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume22\Windows\System32\wintrust.dll [lacks WinVerifyTrust]
11cc.11d0: supR3HardNtChildWaitFor[2]: Quitting: ExitCode=0xc0000005 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 4976 ms, the end);
11c4.11c8: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0xc0000005 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 5348 ms, the end);
The full log is attached. Probably hardening is just waiting for a process that... has already crashed (see the message box).
Now I have re-checked the hardening logs in more detail and found the following -- the real reason for the problem:
Code:
1354.b78: *000000006d000000-000000006d000fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume22\Windows\System32\itcspea64.dll.000
1354.b78: supHardNtVpScanVirtualMemory: Unmapping image mem at 000000006d000000 (000000006d000000 LB 0x1000) - 'itcspea64.dll.000'
It seems that the hardening protection has unmapped the image of itcspea64.dll, so... it crashed, of course.
1. Could I ask you to mark the following strings with something like "WARNING:" or some other marker, to make them easier to find when searching through the logs?
2. Why did it try to unmap this image module?! There are no messages or information about the reason for that. I checked: the module is digitally signed and the signature is correct (but probably not cached locally).
Code:
...
CN = VeriSign Class 3 Code Signing 2010 CA
OU = Terms of use at https://www.verisign.com/rpa (c)10
OU = VeriSign Trust Network
O = VeriSign, Inc.
C = US
...
[1]Authority Info Access
Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
Alternative Name:
URL=http://ocsp.verisign.com
[2]Authority Info Access
Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
Alternative Name:
URL=http://csc3-2010-aia.verisign.com/CSC3-2010.cer
...
Revocation Status : OK. Effective Date <15 November 2015 22:39:34> Next Update <22 November 2015 22:39:34>
Details from the unmapped image at 0x6d001d80:
Code:
.00000000`6D001D7E: CC int 3
.00000000`6D001D7F: CC int 3
OnImageLoaded: 4885C9 test rcx,rcx
.00000000`6D001D83: 0F848B000000 jz .06D001E14
.00000000`6D001D89: 48895C2408 mov [rsp][8],rbx
.00000000`6D001D8E: 4889742410 mov [rsp][010],rsi
.00000000`6D001D93: 57 push rdi
Normally, it must execute the code from OnImageLoaded, but... it fails, because this code has already been unmapped by the VB Hardening protection. So it calls into an unmapped region of memory (without code). So... the process crashes.
It is an incompatibility with ViPNet CSP (c) InfoTeCS (v4.2.4.33325, http://www.infotecs.ru) -- a crypto-provider, popular in Russia, used in government, enterprise and... by common people to sign requests for government services. More details here:
http://infotecs.ru/products/catalog.php ... NT_ID=2096
Very "funny" code from Hardening:
Code:
if (!pImage->pszName)
{
    /*
     * Unknown image.
     *
     * If we're cleaning up a child process, we can unmap the offending
     * DLL... Might have interesting side effects, or at least interesting
     * as in "may you live in interesting times".
     */
#ifdef IN_RING3
    if (   pMemInfo->AllocationBase == pMemInfo->BaseAddress
        && pThis->enmKind == SUPHARDNTVPKIND_CHILD_PURIFICATION)
    {
        SUP_DPRINTF(("supHardNtVpScanVirtualMemory: Unmapping image mem at %p (%p LB %#zx) - '%ls'\n",
                     pMemInfo->AllocationBase, pMemInfo->BaseAddress, pMemInfo->RegionSize, pwszFilename));
        NTSTATUS rcNt = NtUnmapViewOfSection(pThis->hProcess, pMemInfo->AllocationBase);
        if (NT_SUCCESS(rcNt))
            return VINF_OBJECT_DESTROYED;
        pThis->cFixes++;
        SUP_DPRINTF(("supHardNtVpScanVirtualMemory: NtUnmapViewOfSection(,%p) failed: %#x\n", pMemInfo->AllocationBase, rcNt));
    }
#endif
How can this hardening problem be fixed? I can't use VirtualBox at all, and this is really annoying.
Please provide a quick solution. (The best solution, of course, is to change the policy of not allowing the hardening feature to be disabled.)
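A log triage along the lines of question 1, as an added example that is not part of the original post and is not VirtualBox code. It flags the "Unmapping image mem" and non-zero child-exit lines in a VBoxHardening.log and names the unmapped image most likely behind a given faulting address. The function names `triage` and `likely_culprit` are hypothetical, and the regular expressions assume only the line formats quoted in the post.

```python
import re

# Constructed sample: hardening-log lines quoted in the post above.
SAMPLE_LOG = r"""
11dc.11e0: supR3HardenedScreenImage/NtCreateSection: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume22\Windows\System32\wintrust.dll [lacks WinVerifyTrust]
1354.b78: *000000006d000000-000000006d000fff 0x0002/0x0080 0x1000000 \Device\HarddiskVolume22\Windows\System32\itcspea64.dll.000
1354.b78: supHardNtVpScanVirtualMemory: Unmapping image mem at 000000006d000000 (000000006d000000 LB 0x1000) - 'itcspea64.dll.000'
11cc.11d0: supR3HardNtChildWaitFor[2]: Quitting: ExitCode=0xc0000005 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 4976 ms, the end);
11c4.11c8: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0xc0000005 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 5348 ms, the end);
"""

UNMAP_RE = re.compile(
    r"supHardNtVpScanVirtualMemory: Unmapping image mem at ([0-9a-fA-F]+) "
    r"\([0-9a-fA-F]+ LB 0x[0-9a-fA-F]+\) - '([^']*)'")
EXIT_RE = re.compile(
    r"supR3HardNtChildWaitFor\[(\d+)\]: Quitting: ExitCode=(0x[0-9a-fA-F]+)")


def triage(log_text):
    """Collect unmapped images, child exit codes and the lines worth flagging."""
    unmapped, exits, flagged = [], [], []
    for line in log_text.splitlines():
        m = UNMAP_RE.search(line)
        if m:
            unmapped.append((int(m.group(1), 16), m.group(2)))
            flagged.append("WARNING: " + line)
            continue
        m = EXIT_RE.search(line)
        if m:
            code = int(m.group(2), 16)
            exits.append((int(m.group(1)), code))
            if code != 0:  # e.g. 0xC0000005, STATUS_ACCESS_VIOLATION
                flagged.append("WARNING: " + line)
    return {"unmapped": unmapped, "exits": exits, "flagged": flagged}


def likely_culprit(unmapped, fault_addr):
    """Heuristic: the unmapped image with the highest base at or below the
    faulting address. The unmap line logs only the first region, not the
    image size, so the result is a candidate, not proof."""
    below = [(base, name) for base, name in unmapped if base <= fault_addr]
    return max(below)[1] if below else None


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("\n".join(result["flagged"]))
    # 0x6d001d80 is the faulting address from the message box in the post.
    print("candidate:", likely_culprit(result["unmapped"], 0x6D001D80))
```
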