WIDCOMM, Dropbox and other DLLs

Discussions related to using VirtualBox on Windows hosts.
Giangi
Posts: 43
Joined: 13. Aug 2013, 09:15
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: XP, Seven, Win10

WIDCOMM, Dropbox and other DLLs

Post by Giangi »

Hi all!
After a long, long time using 4.3.12 to avoid the "hardening troubles" I decided to give v5.0.10 a try.

Well, my guest VMs are working and so I'm happy! :D

Having received a notification about the USB hub (I had to reconfigure to 1.1 until loading the new v5 extension) I had a look into the logs and found many references to DLLs for Widcomm's BT stack, Dropbox and sometimes other extensions.

Since the guests are working I'm opening a separate thread just to know if this is correct or something that should be investigated more.

My host is an HP ProBook 6560b running Win7 32bit (domain joined) with System Center Endpoint Protection.

The zipped logs are from two guests, an XP and a Seven.

Ciao
Giangi
Attachments
W7_Logs.zip
Win7 guest
(52.99 KiB) Downloaded 11 times
XP_Logs.zip
XP guest
(60.06 KiB) Downloaded 11 times
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: WIDCOMM, Dropbox and other DLLs

Post by mpack »

Uh, you want to check the reason for a non-crash? :shock:

A foreign DLL doesn't necessarily cause the VM to crash. First, if the DLL has a valid signature then it's allowed to remain. Second, even if the DLL is kicked out of the VirtualBox execution playground the VM will only crash if the DLL is called, which often doesn't happen, because the VM may not call the relevant host APIs - and even if it does then the caller may check for the presence of the DLL before calling.

The devs don't really document what the hardening does, probably for obvious reasons, so the following is guesswork based on my observations: I believe the early versions of the hardening feature raised an error message if it found an interloper DLL in its address space. However that has been relaxed over time because the feature is used surprisingly often on Windows platforms. I believe that now the feature either keeps or ejects the DLL: so the only people still having problems will be those where they have (a) an unsigned DLL which (b) causes a crash if removed, plus those people (c) for whom the certificate checking functions in the host OS are broken somehow (Win7 had a problem with this after a couple of rogue updates were pushed).
Giangi

Re: WIDCOMM, Dropbox and other DLLs

Post by Giangi »

mpack wrote: Uh, you want to check the reason for a non-crash? :shock:
:lol: ...let's call it proactive debugging... I have written a couple of times "what I think about this hardening thing", but these words (from me and many others) were just like leaves in the wind... anyway I thought it was time to test VB again and since it's now working for me I will start updating the extensions; I do not want to have to downgrade as I had to do with the latest v4 releases!

So, seriously, if I have understood correctly, my VMs may have trouble if/when they interact with the Bluetooth stack?

Thank you
Giangi
mpack

Re: WIDCOMM, Dropbox and other DLLs

Post by mpack »

You have access to as much information as I do regarding the hardening feature, so I won't speculate on what will or won't cause problems. I suggest testing it for your specific scenario.
Giangi

Re: WIDCOMM, Dropbox and other DLLs

Post by Giangi »

Well, it looks like I actually have a problem with 5.0.10 :(

NAT isn't working anymore. I'm primarily using VB on a network which has Microsoft Forefront TMG as proxy/firewall (it's actually in the process of being replaced, probably in the first months of 2016).

I do have full admin access on TMG and, with logging enabled, I do not see any errors, but I do not see any "real traffic" either, just the session start/close.

Googling, I have found this bug report https://www.virtualbox.org/ticket/13292 where (what a surprise :cry: ) the hardening feature seems involved.

On my PC I have the Forefront TMG Client installed and enabled; could it be that its DLLs are being blocked?

In the logs there are many references to these DLLs, like the following.

1388.1bb0: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Program Files\Forefront TMG Client\FwcWsp.dll) WinVerifyTrust
1388.1bb0: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Program Files\Forefront TMG Client\FwcWsp.dll

1388.1bb0: supR3HardenedMonitor_LdrLoadDll: pName=C:\Program Files\Forefront TMG Client\FwcWsp.dll (rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=007c7b5c:C:\Program Files\Oracle\VirtualBox;C:\Windows\system32 [calling]
1388.1bb0: supR3HardenedScreenImage/NtCreateSection: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume2\Program Files\Forefront TMG Client\FwcWsp.dll
1388.1bb0: supR3HardenedDllNotificationCallback: load 74bb0000 LB 0x001fc000 C:\Program Files\Forefront TMG Client\FwcWsp.dll [fFlags=0x0]
1388.1bb0: supR3HardenedScreenImage/LdrLoadDll: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume2\Program Files\Forefront TMG Client\FwcWsp.dll
Attachments
Logs.zip
(54.52 KiB) Downloaded 11 times
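A way to triage hardening-log lines like the ones quoted in the post above, grouping the verification, screening and load records per DLL so that a DLL that fails a check stands out. This is an added example, not code from the thread or from VirtualBox; the function names are hypothetical, and it assumes a return code of 0 or VINF_SUCCESS means the image passed.

```python
import re
from collections import defaultdict

# Sample input: the hardening-log lines quoted in the post above.
SAMPLE = r"""
1388.1bb0: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Program Files\Forefront TMG Client\FwcWsp.dll) WinVerifyTrust
1388.1bb0: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume2\Program Files\Forefront TMG Client\FwcWsp.dll
1388.1bb0: supR3HardenedMonitor_LdrLoadDll: pName=C:\Program Files\Forefront TMG Client\FwcWsp.dll (rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=007c7b5c:C:\Program Files\Oracle\VirtualBox;C:\Windows\system32 [calling]
1388.1bb0: supR3HardenedScreenImage/NtCreateSection: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume2\Program Files\Forefront TMG Client\FwcWsp.dll
1388.1bb0: supR3HardenedDllNotificationCallback: load 74bb0000 LB 0x001fc000 C:\Program Files\Forefront TMG Client\FwcWsp.dll [fFlags=0x0]
1388.1bb0: supR3HardenedScreenImage/LdrLoadDll: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume2\Program Files\Forefront TMG Client\FwcWsp.dll
"""

ENTRY = re.compile(r"^[0-9a-f]+\.[0-9a-f]+: (?P<func>[\w/]+): (?P<msg>.*)$")
VERIFY = re.compile(r"^-> (?P<rc>-?\d+) \((?P<path>.+)\)")
SCREEN = re.compile(r"^cache hit \((?P<status>\w+)\) on (?P<path>.+)$")
LOADED = re.compile(r"^load [0-9a-f]+ LB 0x[0-9a-f]+ (?P<path>.+?) \[fFlags=")

def dll_key(path):
    # NT device paths and DOS paths name the same file; key on the file name.
    return path.rsplit("\\", 1)[-1].lower()

def summarize(log_text):
    dlls = defaultdict(lambda: {"verify_rc": [], "screen": [], "loaded": False})
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue
        func, msg = entry["func"], entry["msg"]
        if func == "supHardenedWinVerifyImageByHandle" and (m := VERIFY.match(msg)):
            dlls[dll_key(m["path"])]["verify_rc"].append(int(m["rc"]))
        elif func.startswith("supR3HardenedScreenImage/") and (m := SCREEN.match(msg)):
            dlls[dll_key(m["path"])]["screen"].append(m["status"])
        elif func == "supR3HardenedDllNotificationCallback" and (m := LOADED.match(msg)):
            dlls[dll_key(m["path"])]["loaded"] = True
    return dict(dlls)

def verdict(info):
    # Assumption: rc 0 / VINF_SUCCESS means the image passed screening.
    failed = any(rc != 0 for rc in info["verify_rc"]) or any(s != "VINF_SUCCESS" for s in info["screen"])
    if failed:
        return "rejected"
    return "accepted and loaded" if info["loaded"] else "accepted, no load seen"

if __name__ == "__main__":
    for name, info in summarize(SAMPLE).items():
        print(f"{name}: {verdict(info)} {info}")
```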
mpack

Re: WIDCOMM, Dropbox and other DLLs

Post by mpack »

It seems to me that the "Discuss the 5.0.10 release" topic is the appropriate place to raise these issues.
Giangi

Re: WIDCOMM, Dropbox and other DLLs

Post by Giangi »

Thanks, I have reposted there!