Comments (13)
Well I'm honestly surprised that this has worked for 2 years now without any patches. I'll look into it though and see if it's easy to fix
from lockdown-browser.
Same here. quite surprised they never picked that out.
I wouldn't be surprised if they hard-coded a function that sees if there's a folder named "Runtime_directory" on the desktop.
from lockdown-browser.
After looking into this, lockdown created a newer update as a security patch.
This could be them using the "wsb-detect" library or something similar, such as detecting the Windows Sandbox username "WDAGUtilityUserAccount", or most likely trying to see if there's a running process called "CExecSvc.exe".
I will be digging around and seeing if I can figure out something here.
from lockdown-browser.
I figured it out: it's detecting whether there's a service running called
-> Service Host: Network Service -> "Remote Desktop Services", and killing that process closes down the sandbox.
from lockdown-browser.
Update: I was able to hide the processes for RDP; however, whenever I disable or stop VmComputeAgent.exe, it closes down Windows Sandbox, which makes me think the Lockdown Browser tries to end the process "VmComputeAgent.exe", or in short, Hyper-V Guest Compute (a System32 file).
Any idea how we would be able to hide it from the process list?
Edit: It's called "Hyper-V Guest Compute Service" in the Task Manager / process list.
from lockdown-browser.
To get the process list, the Lockdown Browser is using the EnumProcesses Win32 function. Now, you'd think that we'd be able to hook this just like we hooked GetSystemMetrics:
lockdown-browser/src/GetSystemMetrics-Hook.cpp, lines 9 to 21 in af9bfd4
but that doesn't actually work. If we run the Lockdown Browser in a quasi-debugger, we can see that the calls to GetSystemMetrics look something like:
GetSystemMetrics(0) -> 600
GetSystemMetrics(1) -> 360
GetSystemMetrics(2000) -> 0
[etc.]
Now, the calls to EnumProcesses are a lot more interesting:
LoadLibraryW(PSAPI) -> 74e80000
GetProcAddress(74e80000,EnumProcesses) -> 74e813c0
[nothing]
Instead of actually calling the function named EnumProcesses, it looks up the function's address in psapi.dll, then calls the address. This is almost certainly made to deter any function hooks, making this a little trickier to work around.
I'll keep investigating though, although I can't promise anything.
from lockdown-browser.
So with that newer update, instead of going through EnumProcesses it is now looking up the function's address via psapi.dll?
I originally spent hours working out which process it was detecting; the only thing that made sense to me was that ending the specific process I mentioned above yielded the same result (closing Windows Sandbox), so I figured it was that.
The reason was that whenever you launch Lockdown Browser and, for example, it detects the anydesk_service.exe instance, it would ask you to close it. However, this new update only specifies this:
I can provide you with the newer update if you don't have it available though D:
from lockdown-browser.
I can confirm the newer patch works now.
Appreciate it.
from lockdown-browser.
I can confirm the newer patch works now.
Glad to hear.
So with that newer update instead of going through EnumProcesses it is now looking up the function's address via psapi.dll?
It still uses EnumProcesses, but it's loading it in a funny way.
The "proper" way to use EnumProcesses would be something roughly like:
(my C is terrible, so this is very rough and mostly incorrect)
#include <windows.h>
#include <psapi.h>
#include <stdio.h>

int main(void) {
    DWORD lpidProcess[1024];
    DWORD lpcbNeeded;
    // Linked against psapi.lib: the import is resolved by name when the program loads.
    if (!EnumProcesses(lpidProcess, sizeof(lpidProcess), &lpcbNeeded))
        return 1;
    printf("%lu processes\n", (unsigned long)(lpcbNeeded / sizeof(DWORD)));
    return 0;
}
but the Browser is doing something more like:
#include <windows.h>
#include <stdio.h>

int main(void) {
    BOOL (WINAPI *_EnumProcesses)(DWORD *lpidProcess, DWORD cb, LPDWORD lpcbNeeded);
    DWORD lpidProcess[1024];
    DWORD lpcbNeeded;
    // Resolve the export at run time instead of importing it by name.
    HMODULE psapi = LoadLibraryW(L"PSAPI");
    if (!psapi) return 1;
    _EnumProcesses = (BOOL (WINAPI *)(DWORD *, DWORD, LPDWORD))GetProcAddress(psapi, "EnumProcesses");
    if (!_EnumProcesses) return 1;
    if (!_EnumProcesses(lpidProcess, sizeof(lpidProcess), &lpcbNeeded))
        return 1;
    printf("%lu processes\n", (unsigned long)(lpcbNeeded / sizeof(DWORD)));
    return 0;
}
So instead of calling the function by name, it looks up the function's address directly from psapi.dll, then calls that. If there aren't any hooks installed, these should both have the same result; however, the hooks modify the program so that the name EnumProcesses resolves to the injected dll and not the system one.
The browser has used this weird workaround on EnumProcesses for a few years now (I think), so this project has never hooked that. What has changed in the most recent update is that VmComputeAgent.exe has been added to the list of "forbidden" programs.
from lockdown-browser.
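The difference between the two call paths in the comment above (and the LoadLibraryW/GetProcAddress trace earlier in the thread) can be modelled without any Windows code. The following is an added example, not code from the lockdown-browser project or from Respondus: a toy import table and export table in plain C, where the function names, the returned counts and the hook routine are all constructed for illustration. Calling through the import slot sees the hook; resolving the export by name and calling the returned address does not; and comparing the two addresses is the integrity check a program, or an analyst inspecting it, can use to tell that an import has been redirected.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Toy model (not Windows code): a module's import table holds one slot per
 * imported function, filled by the loader from the DLL's export table. A
 * user-mode hook overwrites that slot. A caller that resolves the export
 * itself (GetProcAddress in the real case) never reads the slot, so it
 * reaches the original function. */

typedef int (*fn_t)(void);

/* "System DLL" export, standing in for EnumProcesses (constructed: 42 PIDs). */
static int real_enum_processes(void) { return 42; }

/* Injected DLL's replacement: hides two processes by under-reporting. */
static int hooked_enum_processes(void) { return 40; }

/* Export table of the "system DLL": name -> address. */
struct export_entry { const char *name; fn_t addr; };
static const struct export_entry exports[] = {
    { "EnumProcesses", real_enum_processes },
};

/* Stand-in for GetProcAddress: look a name up in the export table. */
static fn_t get_proc_address(const char *name) {
    for (size_t i = 0; i < sizeof exports / sizeof exports[0]; i++)
        if (strcmp(exports[i].name, name) == 0) return exports[i].addr;
    return NULL;
}

/* The program's import table: one slot, filled by the "loader". */
struct import_entry { const char *name; fn_t slot; };
static struct import_entry imports[] = {
    { "EnumProcesses", NULL },
};

static void loader_bind_imports(void) {
    for (size_t i = 0; i < sizeof imports / sizeof imports[0]; i++)
        imports[i].slot = get_proc_address(imports[i].name);
}

/* What an import-table hook does: overwrite the slot so name-based calls divert. */
static void install_iat_hook(const char *name, fn_t replacement) {
    for (size_t i = 0; i < sizeof imports / sizeof imports[0]; i++)
        if (strcmp(imports[i].name, name) == 0) imports[i].slot = replacement;
}

/* Call path 1: the "proper" way, through the import slot. */
static int call_via_import(void) { return imports[0].slot(); }

/* Call path 2: what the thread says the browser does: resolve, then call. */
static int call_via_lookup(void) {
    fn_t f = get_proc_address("EnumProcesses");
    return f ? f() : -1;
}

/* Integrity check: an import slot that no longer points at the export's
 * address has been redirected. Returns 1 if hooked, 0 if clean, -1 if unknown. */
static int import_is_hooked(const char *name) {
    fn_t expected = get_proc_address(name);
    for (size_t i = 0; i < sizeof imports / sizeof imports[0]; i++)
        if (strcmp(imports[i].name, name) == 0)
            return imports[i].slot != expected;
    return -1;
}

int main(void) {
    loader_bind_imports();
    printf("before hook: import=%d lookup=%d hooked=%d\n",
           call_via_import(), call_via_lookup(), import_is_hooked("EnumProcesses"));
    install_iat_hook("EnumProcesses", hooked_enum_processes);
    printf("after hook:  import=%d lookup=%d hooked=%d\n",
           call_via_import(), call_via_lookup(), import_is_hooked("EnumProcesses"));
    return 0;
}
```

Before the hook both paths return 42 and the check reports 0; after it, the import path returns 40 while the lookup path still returns 42, and the check reports 1. That gap is exactly why a program that resolves exports at run time is unaffected by a hook that only rewrites import slots.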
Thanks for the explanation, I'm still learning C as I've been more into other web projects such as Node.JS, PHP, backend network administration, etc., so this is all new to me.
If they ever stumbled upon this and magically did a new patch fixing this up, I believe the only workaround in the future is to prevent a new automatic update from being installed and run it on legacy instead. I believe it's kind of possible by tricking it into believing it installed the newer update or just simply blocking the update checker overall.
from lockdown-browser.
Not to be that guy but maybe for the sake of us students you could remove the comment that hands them the answer to patching this?
from lockdown-browser.
Not to be that guy but maybe for the sake of us students you could remove the comment that hands them the answer to patching this?
I mean, they could see the commit and know what we've done exactly. Even if they decide to patch it, there can be always a bypass no matter what. Lockdown isn't some sort of kernel application.
from lockdown-browser.
Not to be that guy but maybe for the sake of us students you could remove the comment that hands them the answer to patching this?
Wouldn't do any good since
- They clearly already know how to block functions from being hooked, since they are already doing so for EnumProcesses
- The actual code itself clearly shows which functions I'm hooking (lockdown-browser/src/GetSystemMetrics-Hook.cpp, lines 9 to 22 in c284f12). I mean, look at the filename!
- Those code snippets are my reconstructed version of the code in the Lockdown Browser. The people from Respondus don't need that since they already have the actual code for the Lockdown Browser!
- The point of this tool is to show school administrators that the Lockdown Browser is trivial to bypass so that they stop forcing what is essentially spyware onto their students. The point is not for students to use this on actual exams for the purpose of cheating, since that would just make administrators think that the solution is more spying. (I'm not stupid though; I know what people are actually using this tool for)
I mean, they could see the commit and know what we've done exactly. Even if they decide to patch it, there can be always a bypass no matter what. Lockdown isn't some sort of kernel application.
Yep, unless I make this project closed-source, then it's trivial for Respondus to patch any of these issues. Of course, the point of this project is to avoid running sketchy closed-source software on your computer, so this project kinda needs to be open source.
from lockdown-browser.