Context Navigation

← Previous Change
Ticket History
Next Change →

Changes between Initial Version and Version 2 of Ticket #16782

Timestamp:: May 29, 2017 8:03:26 AM (7 years ago)
Author:: Frank Mehnert
Comment:

Legend:

: Unmodified
: Added
: Removed
: Modified

Ticket #16782 – Description

-              initial
+              v2
 The virtual machine 'Ubuntu' has terminated unexpectedly during startup with exit code 1 (0x1). More details may be available in 'C:\Users\User\VirtualBox VMs\Ubuntu\Logs\VBoxHardening.log'.
+{{{
 Код ошибки:
 E_FAIL (0x80004005)
 …
 Интерфейс:
 IMachine {b2547866-a0a1-4391-8b86-6952d82efaa0}
+}}}
+VBoxHardening.log
+.3b14: Log file opened: 5.1.22r115126 g_hStartupLog=0000000000000058 g_uNtVerCombined=0xa0295a00
+.3b14: \SystemRoot\System32\ntdll.dll:
+.3b14:     CreationTime:    2017-03-23T11:58:31.877923500Z
+.3b14:     LastWriteTime:   2016-10-25T09:41:10.545861300Z
+.3b14:     ChangeTime:      2017-03-23T13:58:40.040817900Z
+.3b14:     FileAttributes:  0x20
+.3b14:     Size:            0x1bc248
+.3b14:     NT Headers:      0xe0
+.3b14:     Timestamp:       0x580ee321
+.3b14:     Machine:         0x8664 - amd64
+.3b14:     Timestamp:       0x580ee321
+.3b14:     Image Version:   10.0
+.3b14:     SizeOfImage:     0x1c1000 (1839104)
+.3b14:     Resource Dir:    0x159000 LB 0x66218
+.3b14:     [Version info resource found at 0xd8! (ID/Name: 0x1; SubID/SubName: 0x409)]
+.3b14:     [Raw version resource data: 0x1590f0 LB 0x390, codepage 0x0 (reserved 0x0)]
+.3b14:     ProductName:     Microsoft® Windows® Operating System
+.3b14:     ProductVersion:  10.0.10586.672
+.3b14:     FileVersion:     10.0.10586.672 (th2_release_sec.161024-1825)
+.3b14:     FileDescription: NT Layer DLL
+.3b14: \SystemRoot\System32\kernel32.dll:
+.3b14:     CreationTime:    2017-03-23T11:57:47.269024600Z
+.3b14:     LastWriteTime:   2016-09-07T05:39:18.648308100Z
+.3b14:     ChangeTime:      2017-03-23T13:58:30.134550000Z
+.3b14:     FileAttributes:  0x20
+.3b14:     Size:            0xac428
+.3b14:     NT Headers:      0xf0
+.3b14:     Timestamp:       0x57cf97d5
+.3b14:     Machine:         0x8664 - amd64
+.3b14:     Timestamp:       0x57cf97d5
+.3b14:     Image Version:   10.0
+.3b14:     SizeOfImage:     0xad000 (708608)
+.3b14:     Resource Dir:    0xab000 LB 0x528
+.3b14:     [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
+.3b14:     [Raw version resource data: 0xab0b0 LB 0x3ac, codepage 0x0 (reserved 0x0)]
+.3b14:     ProductName:     Microsoft® Windows® Operating System
+.3b14:     ProductVersion:  10.0.10586.589
+.3b14:     FileVersion:     10.0.10586.589 (th2_release.160906-1759)
+.3b14:     FileDescription: Windows NT BASE API Client DLL
+.3b14: \SystemRoot\System32\KernelBase.dll:
+.3b14:     CreationTime:    2017-03-23T11:59:45.048244800Z
+.3b14:     LastWriteTime:   2017-03-04T08:13:23.756197200Z
+.3b14:     ChangeTime:      2017-03-23T13:58:38.275189500Z
+.3b14:     FileAttributes:  0x20
+.3b14:     Size:            0x1e7c08
+.3b14:     NT Headers:      0xf0
+.3b14:     Timestamp:       0x58ba4019
+.3b14:     Machine:         0x8664 - amd64
+.3b14:     Timestamp:       0x58ba4019
+.3b14:     Image Version:   10.0
+.3b14:     SizeOfImage:     0x1e8000 (1998848)
+.3b14:     Resource Dir:    0x1d1000 LB 0x540
+.3b14:     [Version info resource found at 0x90! (ID/Name: 0x1; SubID/SubName: 0x409)]
+.3b14:     [Raw version resource data: 0x1d10b0 LB 0x3c4, codepage 0x0 (reserved 0x0)]
+.3b14:     ProductName:     Microsoft® Windows® Operating System
+.3b14:     ProductVersion:  10.0.10586.839
+.3b14:     FileVersion:     10.0.10586.839 (th2_release.170303-1605)
+.3b14:     FileDescription: Windows NT BASE API Client DLL
+.3b14: \SystemRoot\System32\apisetschema.dll:
+.3b14:     CreationTime:    2015-10-30T07:17:57.502957900Z
+.3b14:     LastWriteTime:   2015-10-30T07:17:57.502957900Z
+.3b14:     ChangeTime:      2017-03-22T15:02:37.830590200Z
+.3b14:     FileAttributes:  0x20
+.3b14:     Size:            0x16d60
+.3b14:     NT Headers:      0xc8
+.3b14:     Timestamp:       0x5632d94c
+.3b14:     Machine:         0x8664 - amd64
+.3b14:     Timestamp:       0x5632d94c
+.3b14:     Image Version:   10.0
+.3b14:     SizeOfImage:     0x18000 (98304)
+.3b14:     Resource Dir:    0x17000 LB 0x400
+.3b14:     [Version info resource found at 0x48! (ID/Name: 0x1; SubID/SubName: 0x409)]
+.3b14:     [Raw version resource data: 0x17060 LB 0x3a0, codepage 0x0 (reserved 0x0)]
+.3b14:     ProductName:     Microsoft® Windows® Operating System
+.3b14:     ProductVersion:  10.0.10586.0
+.3b14:     FileVersion:     10.0.10586.0 (th2_release.151029-1700)
+.3b14:     FileDescription: ApiSet Schema DLL
+.3b14: NtOpenDirectoryObject failed on \Driver: 0xc0000022
+.3b14: supR3HardenedWinFindAdversaries: 0x2040
+.3b14: \SystemRoot\System32\drivers\kl1.sys:
+.3b14:     CreationTime:    2016-09-30T23:26:00.000000000Z
+.3b14:     LastWriteTime:   2016-09-30T23:26:00.000000000Z
+.3b14:     ChangeTime:      2017-05-16T14:10:25.306400500Z
+.3b14:     FileAttributes:  0x20
+.3b14:     Size:            0x875a8
+.3b14:     NT Headers:      0xe8
+.3b14:     Timestamp:       0x56fe83ac
+.3b14:     Machine:         0x8664 - amd64
+.3b14:     Timestamp:       0x56fe83ac
+.3b14:     Image Version:   0.0
+.3b14:     SizeOfImage:     0x709000 (7376896)
+.3b14:     Resource Dir:    0x707000 LB 0x448
+.3b14:     [Version info resource found at 0x48! (ID/Name: 0x1; SubID/SubName: 0x419)]
+.3b14:     [Raw version resource data: 0x707060 LB 0x3e4, codepage 0x0 (reserved 0x0)]
+.3b14:     ProductName:     Kaspersky Anti-Virus
+.3b14:     ProductVersion:  6.0.1.990
+.3b14:     FileVersion:     6.8.0.67
+.3b14:     FileDescription: Kaspersky Unified Driver
+.3b14: \SystemRoot\System32\drivers\klflt.sys:
+.3b14:     CreationTime:    2017-05-16T14:10:07.441578000Z
+.3b14:     LastWriteTime:   2017-03-10T12:55:16.000000000Z
+.3b14:     ChangeTime:      2017-05-16T14:10:10.124569700Z
+.3b14:     FileAttributes:  0x20
+.3b14:     Size:            0x306e0
+.3b14:     NT Headers:      0x108
+.3b14:     Timestamp:       0x58500f78
+.3b14:     Machine:         0x8664 - amd64
+.3b14:     Timestamp:       0x58500f78
+.3b14:     Image Version:   6.2
+.3b14:     SizeOfImage:     0x3d000 (249856)
+.3b14:     Resource Dir:    0x3b000 LB 0x418
+.3b14:     [Version info resource found at 0x48! (ID/Name: 0x1; SubID/SubName: 0x409)]
+.3b14:     [Raw version resource data: 0x3b060 LB 0x3b8, codepage 0x0 (reserved 0x0)]
+.3b14:     ProductName:     System Interceptors PDK
+.3b14:     ProductVersion:  12.3.26.0
+.3b14:     FileVersion:     12.3.26.0
+.3b14:     FileDescription: Filter Core [fre_win8_x64]
+.3b14: \SystemRoot\System32\drivers\klif.sys:
+.3b14:     CreationTime:    2017-05-16T14:10:07.446084700Z
+.3b14:     LastWriteTime:   2017-03-10T12:55:18.000000000Z
+.3b14:     ChangeTime:      2017-05-16T14:10:10.121565500Z
+.3b14:     FileAttributes:  0x20
+.3b14:     Size:            0x1030e0
+.3b14:     NT Headers:      0x118
+.3b14:     Timestamp:       0x58be8d89
+.3b14:     Machine:         0x8664 - amd64
+.3b14:     Timestamp:       0x58be8d89
+.3b14:     Image Version:   6.2
+.3b14:     SizeOfImage:     0x107000 (1077248)
+.3b14:     Resource Dir:    0x104000 LB 0x1fe8
+.3b14:     [Version info resource found at 0x150! (ID/Name: 0x1; SubID/SubName: 0x409)]
+.3b14:     [Raw version resource data: 0x104618 LB 0x3d8, codepage 0x0 (reserved 0x0)]
+.3b14:     ProductName:     System Interceptors PDK
+.3b14:     ProductVersion:  12.2.116.0
+.3b14:     FileVersion:     12.2.116.0
+.3b14:     FileDescription: Core System Interceptors [fre_win8_x64]
+.3b14: \SystemRoot\System32\drivers\klim6.sys:
+.3b14:     CreationTime:    2016-09-30T23:31:28.000000000Z
+.3b14:     LastWriteTime:   2016-09-30T23:31:28.000000000Z
+.3b14:     ChangeTime:      2017-05-16T14:10:26.074471500Z
+.3b14:     FileAttributes:  0x20
+.3b14:     Size:            0xc358
+.3b14:     NT Headers:      0x100
+.3b14:     Timestamp:       0x57bc2881
+.3b14:     Machine:         0x8664 - amd64
+.3b14:     Timestamp:       0x57bc2881
+.3b14:     Image Version:   6.2
+.3b14:     SizeOfImage:     0xc000 (49152)
+.3b14:     Resource Dir:    0xa000 LB 0x430
+.3b14:     [Version info resource found at 0x48! (ID/Name: 0x1; SubID/SubName: 0x409)]
+.3b14:     [Raw version resource data: 0xa060 LB 0x3cc, codepage 0x0 (reserved 0x0)]
+.3b14:     ProductName:     System Interceptors PDK
+.3b14:     ProductVersion:  13.0.0.5
+.3b14:     FileVersion:     13.0.0.5
+.3b14:     FileDescription: Packet Network Filter [fre_win8_x64]
+.3b14: \SystemRoot\System32\drivers\kneps.sys:
+.3b14:     CreationTime:    2016-10-09T03:56:32.000000000Z
+.3b14:     LastWriteTime:   2016-10-09T03:56:32.000000000Z
+.3b14:     ChangeTime:      2017-05-16T14:10:25.390000500Z
+.3b14:     FileAttributes:  0x20
+.3b14:     Size:            0x31050
+.3b14:     NT Headers:      0x108
+.3b14:     Timestamp:       0x57c93a6b
+.3b14:     Machine:         0x8664 - amd64
+.3b14:     Timestamp:       0x57c93a6b
+.3b14:     Image Version:   5.2
+.3b14:     SizeOfImage:     0x2e000 (188416)
+.3b14:     Resource Dir:    0x2c000 LB 0x428
+.3b14:     [Version info resource found at 0x48! (ID/Name: 0x1; SubID/SubName: 0x409)]
+.3b14:     [Raw version resource data: 0x2c060 LB 0x3c4, codepage 0x0 (reserved 0x0)]
+.3b14:     ProductName:     System Interceptors PDK
+.3b14:     ProductVersion:  13.0.0.6
+.3b14:     FileVersion:     13.0.0.6
+.3b14:     FileDescription: Network Processor [fre_wnet_x64]
+.3b14: \SystemRoot\System32\drivers\dgmaster.sys:
+.3b14:     CreationTime:    2017-03-23T11:10:47.143393600Z
+.3b14:     LastWriteTime:   2016-06-13T09:34:32.000000000Z
+.3b14:     ChangeTime:      2017-03-23T11:10:47.174643600Z
+.3b14:     FileAttributes:  0x20
+.3b14:     Size:            0x23cd50
+.3b14:     NT Headers:      0x108
+.3b14:     Timestamp:       0x575ee065
+.3b14:     Machine:         0x8664 - amd64
+.3b14:     Timestamp:       0x575ee065
+.3b14:     Image Version:   6.3
+.3b14:     SizeOfImage:     0x2f4000 (3096576)
+.3b14:     Resource Dir:    0x2b4000 LB 0x35f48
+.3b14:     [Version info resource found at 0x270! (ID/Name: 0x1; SubID/SubName: 0x409)]
+.3b14:     [Raw version resource data: 0x2e9c30 LB 0x318, codepage 0x0 (reserved 0x0)]
+.3b14:     ProductName:     Digital Guardian
+.3b14:     ProductVersion:  7.0
+.3b14:     FileVersion:     7.2.0.0141
+.3b14:     FileDescription: Digital Guardian Agent Master
+.3b14: supR3HardenedWinInitAppBin(0x0): '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox'
+.3b14: Calling main()
+.3b14: SUPR3HardenedMain: pszProgName=VirtualBox fFlags=0x2
+.3b14: supR3HardenedWinInitAppBin(0x2): '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox'
+.3b14: SUPR3HardenedMain: Respawn #1
+.3b14: System32:  \Device\HarddiskVolume2\Windows\System32
+.3b14: WinSxS:    \Device\HarddiskVolume2\Windows\WinSxS
+.3b14: KnownDllPath: C:\Windows\system32
+.3b14: '\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe' has no imports
+.3b14: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume2\Program Files\Oracle\VirtualBox\VirtualBox.exe)
+.3b14: supR3HardNtEnableThreadCreation:
+.3b14: supR3HardNtDisableThreadCreation: pvLdrInitThunk=00007ff97c9f6d50 pvNtTerminateThread=00007ff97ca25b20
+.3b14: supR3HardenedWinDoReSpawn(1): New child 2aec.3a38 [kernel32].
+.3b14: supR3HardNtChildGatherData: PebBaseAddress=000000000042c000 cbPeb=0x388
+.3b14: supR3HardNtPuChFindNtdll: uNtDllParentAddr=00007ff97c980000 uNtDllChildAddr=00007ff97c980000
+.3b14: supR3HardenedWinSetupChildInit: uLdrInitThunk=00007ff97c9f6d50
+.3b14: supR3HardenedWinSetupChildInit: Start child.
+.3b14: supR3HardNtChildWaitFor: Found expected request 0 (PurifyChildAndCloseHandles) after 1 ms.
+.3b14: supR3HardNtChildPurify: Startup delay kludge #1/0: 517 ms, 59 sleeps
+.3b14: supHardNtVpScanVirtualMemory: enmKind=CHILD_PURIFICATION
+.3b14:  *0000000000000000-00000000002bffff 0x0001/0x0000 0x0000000
+.3b14:  *00000000002c0000-00000000002dffff 0x0004/0x0004 0x0020000
+.3b14:  *00000000002e0000-00000000002f4fff 0x0002/0x0002 0x0040000
+.3b14:   00000000002f5000-00000000002fffff 0x0001/0x0000 0x0000000
+.3b14:  *0000000000300000-00000000003fafff 0x0000/0x0004 0x0020000
+.3b14:   00000000003fb000-00000000003fdfff 0x0104/0x0004 0x0020000
+.3b14:   00000000003fe000-00000000003fffff 0x0004/0x0004 0x0020000
+.3b14:  *0000000000400000-000000000042bfff 0x0000/0x0004 0x0020000
+.3b14:   000000000042c000-000000000042efff 0x0004/0x0004 0x0020000
+.3b14:   000000000042f000-00000000005fffff 0x0000/0x0004 0x0020000
+.3b14:  *0000000000600000-0000000000603fff 0x0002/0x0002 0x0040000
+.3b14:   0000000000604000-000000000060ffff 0x0001/0x0000 0x0000000
+.3b14:  *0000000000610000-0000000000611fff 0x0004/0x0004 0x0020000
+.3b14:   0000000000612000-0000000001fcffff 0x0001/0x0000 0x0000000
+.3b14:  *0000000001fd0000-0000000001fd0fff 0x0002/0x0002 0x0020000
+.3b14:   0000000001fd1000-0000000001fdffff 0x0001/0x0000 0x0000000
+.3b14:  *0000000001fe0000-0000000001fe0fff 0x0010/0x0010 0x0020000 !!
+.3b14: supHardNtVpFreeOrReplacePrivateExecMemory: Replacing exec mem at 0000000001fe0000 (LB 0x1000, 0000000001fe0000 LB 0x1000)
+.3b14: supHardNtVpFreeOrReplacePrivateExecMemory: Free attempt #1 succeeded: 0x0 [0000000001fe0000/0000000001fe0000 LB 0/0x1000]
+.3b14: supHardNtVpFreeOrReplacePrivateExecMemory: QVM after free 0: [0000000000000000]/0000000001fe0000 LB 0x10000 s=0x10000 ap=0x0 rp=0x8a211a7200000001
+.3b14: Error (rc=-5673):
+.3b14: NtAllocateVirtualMemory (0000000001fe0000 LB 0x1000) failed with rcNt=0xc0000018 allocating replacement memory for working around buggy protection software. See VBoxStartup.log for more details
+.3b14: Error (rc=-5645):
+.3b14: Too many virtual memory regions.
+.3b14: Error (rc=-5673):
+.3b14: supHardenedWinVerifyProcess failed with Unknown Status -5673 (0xffffe9d7): NtAllocateVirtualMemory (0000000001fe0000 LB 0x1000) failed with rcNt=0xc0000018 allocating replacement memory for working around buggy protection software. See VBoxStartup.log for more details
+[rc=-5645] Too many virtual memory regions.
+.3b14: Error -5673 in supR3HardNtChildPurify! (enmWhat=5)
+.3b14: supHardenedWinVerifyProcess failed with Unknown Status -5673 (0xffffe9d7): NtAllocateVirtualMemory (0000000001fe0000 LB 0x1000) failed with rcNt=0xc0000018 allocating replacement memory for working around buggy protection software. See VBoxStartup.log for more details
+[rc=-5645] Too many virtual memory regions.
+.3b14: supR3HardNtEnableThreadCreation:
+(removed pasted VBoxHardening.log)