Circumventing Windows Group Policies using Detours

25 Apr 2004 | GPL3 | 4 min read

This article will highlight how to circumvent Group Policy settings using Detours. A few examples will of course be given as demonstration. Examples will include running the "Command Interpreter" - CMD.EXE, and the "Registry Editor" - RegEdit.EXE, even when it's disabled by the ad

Introduction

This is an introductory article to a series that I am going to publish at CodeProject about Detours.

Throughout the series we will focus on how to leverage the power of Detours to our advantage without going into the intricacies of the technology itself.

The discerning reader is advised to go through the excellent presentations prepared by Galen Hunt, as well as the documentation provided with the Detours package itself.

In this article we shall understand what Detours is and what it can do. Then, we shall follow up with a set of samples outlining the material.

Background

It often happens that a legacy application needs to be extended, but the source is not readily available. Or maybe you find out that it would have been great if you had used CToolBar::CreateEx() with the TBSTYLE_FLAT flag instead of a simple Create() to make your toolbars look more snazzy.

These are the times when toiling through the source tends to put one off - after all, why sweat just to make your app look a bit nicer ;)

In such cases, a Detours based solution comes in very handy. In fact, after using it, you will wonder what you were doing without it since '99.

In short, what Detours really does is detour calls to one or more functions to other (user supplied) ones; obviously, the signatures of the original and the replacement must match.

Detours in a line

It is a library for intercepting arbitrary Win32 binary functions on x86 machines.

Using Detours

Detours is a Microsoft Research project, and to date a pre-release package. As a result, you are requested to obtain the Detours package (~627KB) yourself from the Microsoft Research site. Typically, all that we will need are the detours.lib and detours.h files to compile the samples which I have provided here.

It is to be noted that you MUST first read and agree to the EULA provided with Detours in order to use parts which belong to it (which includes detours.lib, detours.h), in conjunction with this article.

Basic framework code for projects using Detours

First timers may find Detours a little intimidating, so besides the suggestion that Galen Hunt has put out in his publication, I make another one myself.

The framework given below is for static trampolines, which are extremely easy to use when the target function(s) are available as link symbols. In the scope of this article, we will be content with Win32 APIs, which are usually available for linking.

Very little modification is required to support dynamic trampolines instead. So here goes...

#include <windows.h>
#include "detours.h"

#pragma warning(disable:4100)   /* Trampolines don't use formal parameters. */
#pragma comment(lib,"detours.lib")

/* Handle of the log file into which the WriteFile detour copies every
   buffer it sees. It is opened in DllMain on DLL_PROCESS_ATTACH and
   closed again on DLL_PROCESS_DETACH. */
static HANDLE hOutFile = INVALID_HANDLE_VALUE;

/*
Define as many trampolines as required:
DETOUR_TRAMPOLINE(ReturnType WINAPI Real_FunctionName(
    Formal Parameters Here..), Win32APIToBeDetoured);
Examples:
*/

DETOUR_TRAMPOLINE(HANDLE WINAPI Real_CreateFile(LPCTSTR lpFileName,
    DWORD dwDesiredAccess, DWORD dwShareMode,
    LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes,
    HANDLE hTemplateFile), CreateFile);

DETOUR_TRAMPOLINE(BOOL WINAPI Real_WriteFile(HANDLE hFile, LPCVOID lpBuffer,
    DWORD nNumberOfBytesToWrite, LPDWORD lpNumberOfBytesWritten,
    LPOVERLAPPED lpOverlapped), WriteFile);

/* Now define your own customized function to replace/modify/extend
   the original Win32 API.
   However, note that the call signature of the detour and trampoline
   functions MUST exactly match that of the target function.
   Otherwise, obviously the registers AND the stack will just throw up ;)

ReturnType WINAPI DetourFunctionName(Formal Parameters Here..)
{
    //Custom body ...
}

Examples:
*/

/* Pass-through detour: forwards every call to the real CreateFile via
   the trampoline. This is the place to inspect or alter the arguments. */
HANDLE WINAPI DetourCreateFile(LPCTSTR lpFileName, DWORD dwDesiredAccess,
    DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes,
    HANDLE hTemplateFile)
{
    return Real_CreateFile(lpFileName, dwDesiredAccess, dwShareMode,
        lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes,
        hTemplateFile);
}

/* Detour that lets the write go through unchanged and then copies the
   same bytes into the log file. The copy goes through Real_WriteFile
   (the trampoline), so the detour never re-enters itself. */
BOOL WINAPI DetourWriteFile(HANDLE hFile, LPCVOID lpBuffer,
    DWORD nNumberOfBytesToWrite, LPDWORD lpNumberOfBytesWritten,
    LPOVERLAPPED lpOverlapped)
{
    BOOL bRet = Real_WriteFile(hFile, lpBuffer,
        nNumberOfBytesToWrite, lpNumberOfBytesWritten, lpOverlapped);

    /* lpBuffer is arbitrary data and need not be NUL terminated, so copy
       the byte count the caller supplied rather than calling lstrlen(). */
    if (hOutFile != INVALID_HANDLE_VALUE && lpBuffer != NULL &&
        nNumberOfBytesToWrite != 0 && hFile != hOutFile)
    {
        DWORD dwBytesWrote;
        Real_WriteFile(hOutFile, lpBuffer, nNumberOfBytesToWrite,
            &dwBytesWrote, NULL);
    }
    return bRet;
}

BOOL APIENTRY DllMain( HANDLE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        /* Open the log file before any trampoline is attached. */
        hOutFile = CreateFile(TEXT("detour_writefile.log"), GENERIC_WRITE,
            FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL,
            NULL);

        /*
        Attach the static trampolines:
        DetourFunctionWithTrampoline((PBYTE)Real_FunctionName,
            (PBYTE)DetourFunctionName);
        Examples:
        */

        DetourFunctionWithTrampoline((PBYTE)Real_CreateFile,
            (PBYTE)DetourCreateFile);
        DetourFunctionWithTrampoline((PBYTE)Real_WriteFile,
            (PBYTE)DetourWriteFile);
    }
    else if (ul_reason_for_call == DLL_PROCESS_DETACH)
    {
        /*
        Remove the trampolines which were previously attached:
        DetourRemove((PBYTE)Real_FunctionName, (PBYTE)DetourFunctionName);

        Examples:
        */

        DetourRemove((PBYTE)Real_WriteFile, (PBYTE)DetourWriteFile);
        DetourRemove((PBYTE)Real_CreateFile, (PBYTE)DetourCreateFile);

        if (hOutFile != INVALID_HANDLE_VALUE)
        {
            CloseHandle(hOutFile);
            hOutFile = INVALID_HANDLE_VALUE;
        }
    }
    return TRUE;
}

Putting what we learnt to use: Making Windows programs disobedient

Many a time I have received cries for help from people who locked themselves out after experimenting with Group Policies.

Sometimes I can figure out it's just a kid trying to get around the restrictions set by his parents, and sometimes it's a genuine request.

Group policies are mostly maintained through the omnipresent registry. Each setting has a corresponding registry value which the concerned components evaluate during execution.

For demonstration purposes, we will consider the following :

  • DisableCMD - HKCU\Software\Policies\Microsoft\Windows\System.

    This determines whether the current user can run the command prompt - Cmd.exe, and determines if batch files can be executed while this user is logged on.

  • DisableTaskMgr - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System.

    A value of '1' will prevent the user from starting Task Manager - Taskmgr.exe.

  • DisableRegistryTools - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System.

    A value of '1' will disable the Windows registry editors, Regedt32.exe and Regedit.exe.

Our samples will allow us to circumvent these policies even when they are in effect.

You are requested to use the Group Policy editor to put these policies in effect and verify that the samples indeed circumvent the security settings.

What did we do ?

Well, to put it simply, we "detoured" RegQueryValueEx (RegQueryValueExW to be precise), which is called by the aforementioned tools to find out whether the group policy allows them to run or not, to go through our modified 'DetourRegQueryValueEx' function, which checks whether one of the above values is being queried. If it is, we make the function return the value it would otherwise have returned if the restriction had not been there! This fools the concerned programs into believing that the restrictions do not exist (even when they really do).

Well, so much for Group Policies...

History

  • 20040414 - Formatting changes
  • 20040329 - Initial draft

Send in your feedback

Please send in feedback as to whether this article was of use to you. This will help me gauge the acceptance of such material, and will affect whether I submit further articles regarding Detours.

I have kept a brief plan of the articles that I wish to write at http://www.geocities.com/kbshankar2000/ArticleSchedule.html. You may go through it and suggest your choice of precedence.

License

This article, along with any associated source code and files, is licensed under The GNU General Public License (GPLv3)


Written By: Kamal Shankar, Web Developer, United States

Kamal Shankar is a programming freak (or so he feels). He currently lives in Salt Lake City and loves doing what he has been doing since 1990 - coding horribly ;)

Comments and Discussions

 
  • EULA - Hans Dietrich, 29-Mar-04 3:03
    • Re: EULA - WREY, 29-Mar-04 6:35
    • Re: EULA - WREY, 30-Mar-04 3:10
    • Re: EULA - Sam Levy, 30-Mar-04 16:51
    • Re: EULA - WREY, 31-Mar-04 9:01
    • Re: EULA - Sam Levy, 31-Mar-04 13:19
    • Re: EULA - WREY, 1-Apr-04 9:33
    • Re: EULA - Artem Moroz, 4-Apr-04 0:45
      This problem has an easy solution: use pirated software
    • Re: EULA - Anonymous, 7-Apr-04 1:34
  • All posters to this thread PLEASE read this... - Kamal Shankar, 2-Apr-04 21:38
    • Re: All posters to this thread PLEASE read this... - naikp, 23-Jun-04 11:33
