id	summary	reporter	owner	description	type	status	component	version	resolution	keywords	cc	guest	host
15245	[FIXED IN SVN] VirtualBox fails to start on Windows 10 14286	Jiri Hruska		"Hi guys,

it's that time of the year again – the `sizeof(IMAGE_LOAD_CONFIG_DIRECTORY64)` has changed.

{{{
C:\Program Files\Oracle\VirtualBox>VBoxSDL.exe
: RTLdrOpenWithReader failed: Unknown Status -626 (0xfffffd8e) (Image='\SystemRoot\System32\ntdll.dll').
}}}

(Where -626 is `VERR_LDRPE_LOAD_CONFIG_SIZE`, for the external readers.)

Like in #13665 before, it is related to more ""Control Flow Guard"" changes (https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065.aspx). The latest Visual Studio 2015 tools apparently support it already:

{{{
C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\bin\>dumpbin.exe /LOADCONFIG C:\Windows\System32\ntdll.dll
Microsoft (R) COFF/PE Dumper Version 14.00.23506.0
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file C:\Windows\System32\ntdll.dll

File Type: DLL

  Section contains the following load config:

            000000C0 size
                   0 time date stamp
                0.00 Version
                   0 GlobalFlags Clear
                   0 GlobalFlags Set
                   0 Critical Section Default Timeout
                   0 Decommit Free Block Threshold
                   0 Decommit Total Free Threshold
    0000000000000000 Lock Prefix Table
                   0 Maximum Allocation Size
                   0 Virtual Memory Threshold
                   0 Process Heap Flags
                   0 Process Affinity Mask
                   0 CSD Version
                0000 Reserved
    0000000000000000 Edit list
    0000000180160410 Security Cookie
    000000018015D1D0 Guard CF address of check-function pointer
    0000000180104000 Guard CF address of dispatch-function pointer
    0000000180104008 Guard CF function table
                 774 Guard CF function count
            10013500 Guard Flags
                       CF Instrumented
                       FID table present
                       Protect delayload IAT
                       Delayload IAT in its own section
                       Long jump target table present
                0000 Code Integrity Flags
                0000 Code Integrity Catalog
            00000000 Code Integrity Catalog Offset
            00000000 Code Integrity Reserved
    0000000000000000 Guard CF address taken IAT entry table
                   0 Guard CF address taken IAT entry count
    0000000000000000 Guard CF long jump target table
                   0 Guard CF long jump target count
}}}

I failed to find any public headers or symbols with the updated structure yet, so this might be open for a while.

But if there is some consistency applied to naming the new fields there, the dumpbin output above hints towards this addition to what the latest Windows SDK has:

{{{
    ULONGLONG  GuardCFAddressTakenIatEntryTable; // VA
    ULONGLONG  GuardCFAddressTakenIatEntryCount;
    ULONGLONG  GuardCFLongJumpTargetTable;       // VA
    ULONGLONG  GuardCFLongJumpTargetCount;
}}}

!VirtualBox Testbuild 5.0.17.105971[[br]]
Windows 10 Enterprise Insider Preview x64 rs1_release.14286 (and newer)

Thanks and sorry for the trouble!"	defect	closed	other		fixed	win10 hardening		all	Windows
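The block below is an added example; it is not code from the ticket, from VirtualBox or from Microsoft. It parses an `IMAGE_LOAD_CONFIG_DIRECTORY64` field by field only as far as the image's own `Size` covers, contrasts an exact-size whitelist (the kind of check that refuses the 0xC0 directory dumpbin reports above) with a prefix parse that accepts it, and decodes the `Guard Flags` word into the labels dumpbin prints. Field widths follow the public winnt.h layout; the four trailing field names are the ones the report infers, so they are assumptions, and the sample bytes are constructed from the values in the dumpbin output rather than read from ntdll.dll.

```python
"""Parse an IMAGE_LOAD_CONFIG_DIRECTORY64 and vet its Size two ways: an
exact-size whitelist (the kind of check that fails on the 0xC0 directory in
the ticket) and a tolerant prefix parse.  Added example, not VirtualBox or
Microsoft code.  Field widths follow winnt.h; the last four field names are
the ones the ticket infers from dumpbin, so they are assumptions."""
import struct

# winnt.h declaration order.  A packed "<" format reproduces the natural
# layout because every 8-byte field already sits on an 8-byte boundary.
LOAD_CONFIG64_FIELDS = [
    ("Size", "I"), ("TimeDateStamp", "I"), ("MajorVersion", "H"), ("MinorVersion", "H"),
    ("GlobalFlagsClear", "I"), ("GlobalFlagsSet", "I"), ("CriticalSectionDefaultTimeout", "I"),
    ("DeCommitFreeBlockThreshold", "Q"), ("DeCommitTotalFreeThreshold", "Q"),
    ("LockPrefixTable", "Q"), ("MaximumAllocationSize", "Q"), ("VirtualMemoryThreshold", "Q"),
    ("ProcessAffinityMask", "Q"), ("ProcessHeapFlags", "I"), ("CSDVersion", "H"), ("Reserved1", "H"),
    ("EditList", "Q"), ("SecurityCookie", "Q"), ("SEHandlerTable", "Q"), ("SEHandlerCount", "Q"),
    ("GuardCFCheckFunctionPointer", "Q"), ("GuardCFDispatchFunctionPointer", "Q"),
    ("GuardCFFunctionTable", "Q"), ("GuardCFFunctionCount", "Q"), ("GuardFlags", "I"),
    ("CodeIntegrityFlags", "H"), ("CodeIntegrityCatalog", "H"),
    ("CodeIntegrityCatalogOffset", "I"), ("CodeIntegrityReserved", "I"),
    # Names assumed from the ticket's dumpbin output, not from a public header.
    ("GuardCFAddressTakenIatEntryTable", "Q"), ("GuardCFAddressTakenIatEntryCount", "Q"),
    ("GuardCFLongJumpTargetTable", "Q"), ("GuardCFLongJumpTargetCount", "Q"),
]


def _size_through(last_name):
    """sizeof() the struct would have if it ended right after `last_name`."""
    fmts = []
    for name, fmt in LOAD_CONFIG64_FIELDS:
        fmts.append(fmt)
        if name == last_name:
            return struct.calcsize("<" + "".join(fmts))
    raise KeyError(last_name)


# Struct sizes at successive header revisions: pre-CFG, CFG, CFG plus code
# integrity, and the layout the ticket's dumpbin output implies.
SIZE_PRE_CFG = _size_through("SEHandlerCount")                 # 0x70
SIZE_CFG = _size_through("GuardFlags")                         # 0x94
SIZE_CODE_INTEGRITY = _size_through("CodeIntegrityReserved")   # 0xA0
SIZE_14286 = _size_through("GuardCFLongJumpTargetCount")       # 0xC0
KNOWN_SIZES_BEFORE_TICKET = {SIZE_PRE_CFG, SIZE_CFG, SIZE_CODE_INTEGRITY}

# GuardFlags bits (winnt.h IMAGE_GUARD_* values) with dumpbin's wording where
# the ticket shows it; the remaining labels paraphrase the macro names.
GUARD_FLAG_NAMES = [
    (0x00000100, "CF Instrumented"), (0x00000200, "CFW Instrumented"),
    (0x00000400, "FID table present"), (0x00000800, "Security cookie unused"),
    (0x00001000, "Protect delayload IAT"), (0x00002000, "Delayload IAT in its own section"),
    (0x00004000, "Export suppression info present"), (0x00008000, "Enable export suppression"),
    (0x00010000, "Long jump target table present"),
]
FUNCTION_TABLE_SIZE_MASK, FUNCTION_TABLE_SIZE_SHIFT = 0xF0000000, 28


def decode_guard_flags(flags):
    """Return (set flag labels, bytes per GuardCFFunctionTable entry).

    Each entry is a 4-byte RVA followed by the number of extra bytes encoded
    in the top nibble of GuardFlags."""
    labels = [label for bit, label in GUARD_FLAG_NAMES if flags & bit]
    extra = (flags & FUNCTION_TABLE_SIZE_MASK) >> FUNCTION_TABLE_SIZE_SHIFT
    return labels, 4 + extra


def parse_load_config64(blob):
    """Parse the fields the directory's own Size covers.

    Fields past Size are omitted; bytes inside Size that the known layout
    does not cover are reported as "_unknown_tail" so a caller can log them
    instead of refusing the image."""
    if len(blob) < 4:
        raise ValueError("load config directory shorter than its Size field")
    size = struct.unpack_from("<I", blob, 0)[0]
    if size > len(blob):
        raise ValueError("Size %#x exceeds the %d bytes available" % (size, len(blob)))
    fields, off = {}, 0
    for name, fmt in LOAD_CONFIG64_FIELDS:
        width = struct.calcsize("<" + fmt)
        if off + width > size:
            break
        fields[name] = struct.unpack_from("<" + fmt, blob, off)[0]
        off += width
    fields["_unknown_tail"] = size - off
    return fields


def accept_strict(size, known=KNOWN_SIZES_BEFORE_TICKET):
    """Exact-size whitelist: refuses any Size the loader has not seen before."""
    return size in known


def accept_lenient(size, minimum=SIZE_CFG):
    """Require only the prefix this loader actually reads; larger Sizes pass."""
    return size >= minimum


def build_sample_14286():
    """Constructed 0xC0-byte directory echoing the ticket's dumpbin values
    (not bytes taken from ntdll.dll); every other field is zero."""
    values = {name: 0 for name, _ in LOAD_CONFIG64_FIELDS}
    values.update({"Size": SIZE_14286, "SecurityCookie": 0x180160410,
                   "GuardCFCheckFunctionPointer": 0x18015D1D0,
                   "GuardCFDispatchFunctionPointer": 0x180104000,
                   "GuardCFFunctionTable": 0x180104008,
                   "GuardCFFunctionCount": 774, "GuardFlags": 0x10013500})
    fmt = "<" + "".join(f for _, f in LOAD_CONFIG64_FIELDS)
    return struct.pack(fmt, *(values[n] for n, _ in LOAD_CONFIG64_FIELDS))


if __name__ == "__main__":
    cfg = parse_load_config64(build_sample_14286())
    print("Size %#x: strict=%s lenient=%s" % (cfg["Size"], accept_strict(cfg["Size"]),
                                              accept_lenient(cfg["Size"])))
    labels, entry = decode_guard_flags(cfg["GuardFlags"])
    print("Guard flags: %s; %d bytes per function table entry" % (", ".join(labels), entry))
```

The tolerant parser never needs to know the newest layout in advance: a loader only has to insist on the prefix it reads, and growth like the 0xA0 to 0xC0 step above shows up as an `_unknown_tail` to log rather than an image it cannot load. Truncating the constructed blob to 0xA0 bytes and patching `Size` accordingly yields a directory without the four trailing fields, which is how an older image parses under the same code.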
