Comments (6)

Boane avatar Boane commented on September 17, 2024

Heh, so now I remember why this issue seemed familiar. Because it was! And the reason that I had such detailed proposed solutions is that I had already implemented it!

# We're in a short-lived VM, so we can safely delete any necessary files
$vmcompute_path = "C:\Windows\System32\VmComputeAgent.exe"
takeown /f $vmcompute_path
icacls $vmcompute_path /grant "Everyone:(D)"
rm $vmcompute_path

But the reason why that wasn't working was because the previous lines failed:

Get-ChildItem -Path "HKLM:\HARDWARE\DESCRIPTION" | Remove-ItemProperty -Name SystemBiosVersion
rm HKLM:\HARDWARE\DESCRIPTION\System\BIOS

Can you try changing those lines to the following:

Get-ChildItem -Path "HKLM:\HARDWARE\DESCRIPTION" | Remove-ItemProperty -Name SystemBiosVersion -ErrorAction Ignore
rm HKLM:\HARDWARE\DESCRIPTION\System\BIOS -ErrorAction Ignore

If that works, then I'll make those changes to the default installation.

Problem solved!

I will try again with my modified Windows 11 that I had originally done the testing on, which is just a local account and disabling system requirements. I had reinstalled Windows 11 in the "proper way" to reduce niche issues and ensure it wasn't my Windows installation.

from lockdown-browser.

gucci-on-fleek avatar gucci-on-fleek commented on September 17, 2024

Hmm, that's a new one. Might be easy for me to patch, might not. Unfortunately, I don't have any Windows 11 computers right now. I'll try and set up a VM, but it might be a while before I get around to it.

You might just be able to hook the EnumProcesses function, but I seem to recall that the Browser tries pretty hard to prevent you from hooking that function through some GetProcAddress trickery. EnumProcesses is exported by kernel32.dll (and also psapi.dll, but I don't think that the Browser uses that one), so it's not like we can easily bypass the whole library.

I see a few options forward here:

  1. If EnumProcesses isn't protected, then we can just hook it like we do with GetSystemMetrics. My recollection suggests that this is probably not the case.
  2. Killing vmcomputeagent.exe kills the VM pretty abruptly if I remember correctly, so any solution that requires killing or relaunching the program is completely out of the question. But we should be able to delete or rename the file while the process is still running, which may trick the Browser.
  3. We could always hook GetProcAddress. We'd need it to return a valid function pointer somewhere in kernel32.dll, but there might be an inert enough function with a close enough function signature that this might work. Returning an error for GetProcAddress might also work, but I kind of doubt it.
  4. Binary patch the LockdownBrowser.exe file. This is a bit of a pain since the Browser is fairly decent at making sure that it hasn't been modified. Not insurmountable, but kind of a pain.
  5. Have a program launch the Browser, suspend the process, patch out the detection code in memory, then resume the process. Again based off of this article, it looks like the Browser only verifies that its executable file is intact, not its memory. This is kind of a pain, but looks like a decent option forward.
  6. Binary patch kernel32.dll. This option is fairly insane, but since we're in an ephemeral VM, it is actually doable. I haven't checked how the Browser enforces the DLL load paths, but we may even be able to just drop a modified kernel32.dll in the same folder as the Browser, which would actually be relatively straightforward.
  7. The really crazy option is of course to make a custom kernel module/driver. This is complicated by the fact that kernel development is hard, by driver signature enforcement, and by the fact that the Windows Sandbox doesn't let you load kernel modules. Not a very good option.

If it's just (1) or (2), then there's a chance (but no guarantee) that I'll have time to fix it in the next month or so. If it's any of the other options, then I have no idea when (or if) I'll have enough free time to patch this. Your best bet here is to submit a PR, which I would be completely willing to review and merge.

Boane avatar Boane commented on September 17, 2024

After some testing it seems like an "easy" fix. Since in Windows 11 Sandbox the LockDown Browser does not automatically install and launch, I need to manually install it. This causes LockDown Browser to notice the prohibited processes running, because "sandbox_run.ps1" was not run beforehand. Somehow we just need to fix the auto install and running of LockDown Browser in Windows 11 Sandbox and the issue will likely be fixed.

Running the startup command manually shows this error.

gucci-on-fleek avatar gucci-on-fleek commented on September 17, 2024

Heh, so now I remember why this issue seemed familiar. Because it was! And the reason that I had such detailed proposed solutions is that I had already implemented it!

# We're in a short-lived VM, so we can safely delete any necessary files
$vmcompute_path = "C:\Windows\System32\VmComputeAgent.exe"
takeown /f $vmcompute_path
icacls $vmcompute_path /grant "Everyone:(D)"
rm $vmcompute_path

But the reason why that wasn't working was because the previous lines failed:

Get-ChildItem -Path "HKLM:\HARDWARE\DESCRIPTION" | Remove-ItemProperty -Name SystemBiosVersion
rm HKLM:\HARDWARE\DESCRIPTION\System\BIOS

Can you try changing those lines to the following:

Get-ChildItem -Path "HKLM:\HARDWARE\DESCRIPTION" | Remove-ItemProperty -Name SystemBiosVersion -ErrorAction Ignore
rm HKLM:\HARDWARE\DESCRIPTION\System\BIOS -ErrorAction Ignore

If that works, then I'll make those changes to the default installation.

gucci-on-fleek avatar gucci-on-fleek commented on September 17, 2024

Glad to hear that this solved the issue. I've pushed a fix to master in 7248e29.

Thanks for a good bug report!