[FIXED IN SVN] VirtualBox fails to start on Windows 10 14286

[Jiri Hruska]

Hi guys,

it's that time of the year again – the sizeof(IMAGE_LOAD_CONFIG_DIRECTORY64) has changed.

C:\Program Files\Oracle\VirtualBox>VBoxSDL.exe
: RTLdrOpenWithReader failed: Unknown Status -626 (0xfffffd8e) (Image='\SystemRoot\System32\ntdll.dll').

(Where -626 is VERR_LDRPE_LOAD_CONFIG_SIZE, for the external readers.)

Like in #13665 before, it is related to more "Control Flow Guard" changes (​https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065.aspx). The latest Visual Studio 2015 tools apparently support it already:

C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\bin\>dumpbin.exe /LOADCONFIG C:\Windows\System32\ntdll.dll
Microsoft (R) COFF/PE Dumper Version 14.00.23506.0
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file C:\Windows\System32\ntdll.dll

File Type: DLL

  Section contains the following load config:

            000000C0 size
                   0 time date stamp
                0.00 Version
                   0 GlobalFlags Clear
                   0 GlobalFlags Set
                   0 Critical Section Default Timeout
                   0 Decommit Free Block Threshold
                   0 Decommit Total Free Threshold
    0000000000000000 Lock Prefix Table
                   0 Maximum Allocation Size
                   0 Virtual Memory Threshold
                   0 Process Heap Flags
                   0 Process Affinity Mask
                   0 CSD Version
                0000 Reserved
    0000000000000000 Edit list
    0000000180160410 Security Cookie
    000000018015D1D0 Guard CF address of check-function pointer
    0000000180104000 Guard CF address of dispatch-function pointer
    0000000180104008 Guard CF function table
                 774 Guard CF function count
            10013500 Guard Flags
                       CF Instrumented
                       FID table present
                       Protect delayload IAT
                       Delayload IAT in its own section
                       Long jump target table present
                0000 Code Integrity Flags
                0000 Code Integrity Catalog
            00000000 Code Integrity Catalog Offset
            00000000 Code Integrity Reserved
    0000000000000000 Guard CF address taken IAT entry table
                   0 Guard CF address taken IAT entry count
    0000000000000000 Guard CF long jump target table
                   0 Guard CF long jump target count

I failed to find any public headers or symbols with the updated structure yet, so this might be open for a while.

But if there is some consistency applied to naming the new fields there, the dumpbin output above hints towards this addition to what the latest Windows SDK has:

    ULONGLONG  GuardCFAddressTakenIatEntryTable; // VA
    ULONGLONG  GuardCFAddressTakenIatEntryCount;
    ULONGLONG  GuardCFLongJumpTargetTable;       // VA
    ULONGLONG  GuardCFLongJumpTargetCount;

VirtualBox Testbuild 5.0.17.105971
Windows 10 Enterprise Insider Preview x64 rs1_release.14286 (and newer)

Thanks and sorry for the trouble!

[Jiri Hruska]

A minor correction. rs1_release.14291 has hit the public Insider Fast ring and public symbols for WinTypes.pdb are now available on the MS Symbol Server. The fields are actually named without the "CF" part:

    ULONGLONG  GuardAddressTakenIatEntryTable; // VA
    ULONGLONG  GuardAddressTakenIatEntryCount;
    ULONGLONG  GuardLongJumpTargetTable;       // VA
    ULONGLONG  GuardLongJumpTargetCount;

[bird]

Thanks for the report! I've updated our structures and PE parser code to handle them.

Here is a test build: https://www.virtualbox.org/download/testcase/VirtualBox-5.0.17-106344-Win.exe

[Jiri Hruska]

Cool, thank you!

Verified working on:

• VirtualBox test build 5.0.17 r106344
• Windows 10 Enterprise Insider Preview x64 rs1_release.14312

Ticket can be closed as fixed.

[Jacob Klein]

Could you please also port the fix to a VirtualBox 4.3.37 Test Build? I cannot upgrade to 5.x yet, but still want to help test the fix on Windows 10 Build 14295 (released to Fast and Slow rings)!

Thanks, Jacob Klein

[Frank Mehnert]

The latest 4.3 Windows test build has the fix as well. And the 5.0 build is now also properly linked from the test builds page as well.

[Jacob Klein]

I confirm that "Oracle VirtualBox v4.3.37 Test Build 106347" does indeed start correctly on Windows 10 Build 14295. Thanks bird and frank!!

[Frank Mehnert]

Fix is part of VBox 5.0.18.

[Stanzilla]

Is this the same bug? ​http://i.imgur.com/PYmGjQQ.png Started with build 14328 of Win10.

[Jessica Hamilton]

I've just upgraded to build 14328 (released today), and this problem is back with 5.0.18. Previous test build 5.0.17 that I was on doesn't work either.

C:\Program Files\Oracle\VirtualBox>vboxsdl
: RTLdrOpenWithReader failed: Unknown Status -626 (0xfffffd8e) (Image='\SystemRoot\System32\ntdll.dll').

C:\Program Files\Oracle\VirtualBox>vboxmanage --version
5.0.18r106667

[Jessica Hamilton]

This issue is still present with 5.0.19r106806, fwiw, but probably a bit too early to expect a fixed build...

[Jiri Hruska]

Lol, that did not last long, did it...

Indeed, there is another new pointer-sized value at the end of the structure for ASLR improvements in the latest builds.

Edit: details moved to the new #15337, sorry for the necromancy!

Reopening to not have a thousand tickets about the same thing - sorry if that's not what you guys prefer (the previous fix already in a release etc.).

[Frank Mehnert]

Ticket #15337 was already opened for the new insider build so please continue the discussion there.