Click here to Skip to main content
12,353,602 members (69,696 online)
Click here to Skip to main content
Add your own
alternative version

Stats

135.7K views
3.5K downloads
43 bookmarked
Posted

Circumventing Windows Group Policies using Detours

, 25 Apr 2004 GPL3
Rate this:
Please Sign up or sign in to vote.
This article will highlight how to circumvent Group Policy settings using Detours. A few examples will of course be given as demonstration. Example will include running the "Command Interpreter" - CMD.EXE, and the "Registry Editor" - RegEdit.EXE ,even when it's disabled by the ad

Introduction

This is an introductory article to a series that I am going to publish at CodeProject about Detours.

Throughout the series we will focus on how to leverage the power of Detours to our advantage without going into the intricacies of the technology itself.

The discerning reader is advised to go through the excellent presentations prepared by Galen Hunt, as well as the documentation provided with the Detours package itself.

In this article we shall understand what Detours is and what it can do. Then, we shall follow up with a set of samples outlining the material.

Background

It is often that a legacy application needs to be extended, but the source is not readily available. Or maybe you find out that it would have been great if you had used CToolBar::CreateEx() with the TBSTYLE_FLAT flag instead of simple Create() to make your toolbars look more snazzy..

These are the times when toiling thorough the source tends to put one off - after all, why sweat just to make you app look a bit more nicer Wink | ;)

In such cases, a Detour based solution comes very handy. In fact, after using it, you will wonder what you were doing without it since '99.

In short, what Detours really does, is just detour calls to a function(s) to another (user supplied) one, but obviously, their signatures should match.

Detours in a line

It is a library for intercepting arbitrary Win32 binary functions on x86 machines.

Using Detours

Detours is a Microsoft Research project, and till date a pre-release package. As a result, you are requested to obtain the Detours package (~627KB) yourself from the Microsoft Research site. Typically, all that we will be needing is the detours.lib and the detours.h files to compile the samples which I have provided here .

It is to be noted that you MUST first read and agree to the EULA provided with Detours in order to use parts which belong to it (which includes detours.lib, detours.h), in conjunction with this article.

Basic framework code for projects using Detours

First timers may find Detours a little intimidating, so besides the suggestion that Galen Hunt has put out in his publication, I myself make another one.

The framework give below however is for static trampolines which are extremely easy to use when the target function(s) are available as link symbol(s). In the scope of this article, we will be content with Win32 APIs which are usually available for linking.

However, very little modification is required for supporting dynamic trampolines. So here goes...

#include <windows.h>
#include "detours.h"

#pragma warning(disable:4100)   
 /* Trampolines don't use formal parameters.*/
#pragma comment(lib,"detours.lib")

/*
Define as many trampolines as required
DETOUR_TRAMPOLINE(ReturnType WINAPI Real_FunctionName(
 Formal Parameters Here..),Win32APIToBeDetoured);
Example:
*/

DETOUR_TRAMPOLINE(HANDLE WINAPI Real_CreateFile(LPCTSTR lpFileName,
  DWORD dwDesiredAccess,DWORD dwShareMode,
    LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    DWORD dwCreationDisposition,DWORD dwFlagsAndAttributes,
    HANDLE hTemplateFile),CreateFile);

/* Now define your own customized function to replace
   /modify/extend the original Win32API.
   However, note that the call signature of the detour and trampoline 
   functions MUST exactly match the that of the target function.
   Otherwise, obviously the registers AND the stack will just throw up ;)

ReturnType WINAPI DetourFunctionName(Formal Parameters Here..)
{
    //Custom body ...
}

Example:
*/

BOOL WINAPI DetourWriteFile(HANDLE hFile,LPCVOID lpBuffer,
  DWORD nNumberOfBytesToWrite,LPDWORD lpNumberOfBytesWritten,
  LPOVERLAPPED lpOverlapped)
{
    BOOL bRet=Real_WriteFile(hFile,lpBuffer,
      nNumberOfBytesToWrite,lpNumberOfBytesWritten,lpOverlapped);

    if(*(const char*)lpBuffer)
    {
        DWORD dwBytesWrote;
        Real_WriteFile(hOutFile,(LPCTSTR)lpBuffer,lstrlen(
            (const char*)lpBuffer),&dwBytesWrote,NULL);
    }
    return bRet;
}

BOOL APIENTRY DllMain( HANDLE hModule, 
                       DWORD  ul_reason_for_call, 
                       LPVOID lpReserved
                     )
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        /*
    Define the static trampolines for attaching
        DetourFunctionWithTrampoline((PBYTE)Real_FunctionName, 
         (PBYTE)DetourFunctionName);
        Example:
    */

        DetourFunctionWithTrampoline((PBYTE)Real_CreateFile, 
           (PBYTE)DetourCreateFile);
    }
    else if (ul_reason_for_call == DLL_PROCESS_DETACH) 
    {
        /*
    Remove the attached trampolines which were previously attached
        DetourRemove((PBYTE)Real_FunctionName, (PBYTE)DetourFunctionName);
        
    Example:
    */

        DetourRemove((PBYTE)Real_CreateFile, (PBYTE)DetourCreateFile);
    }
    return TRUE;
}

Putting what we learnt to use : Making Windows programs disobedient

Many a time I have received cries for help from people who locked themselves out after experimenting with Group Policies.

Sometimes I can figure out it's just a kid trying to get around the restrictions set by his parents, and sometimes it's a genuine request.

Group policies are mostly maintained thorough the omnipresent registry. Each setting has a corresponding registry setting which is evaluated by the concerned components during execution.

For demonstration purposes, we will consider the following :

  • DisableCMD - HKCU\Software\Policies\Microsoft\Windows\System.

    This determines whether the current user can run the command prompt - Cmd.exe, and determines if batch files can be executed while this user is logged on.

  • DisableTaskMgr - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System.

    A value of '1' will prevent the user from starting Task Manager - Taskmgr.exe.

  • DisableRegistryTools - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System.

    A value of '1' will disable the Windows registry editors, Regedt32.exe and Regedit.exe.

Our samples will allow us to circumvent these policies even when they are in effect.

You are requested to use the Group Policy editor to put these policies in effect and verify that the samples indeed circumvent the security settings.

What did we do ?

Well, to put to simply, we "detoured" the RegQueryValueEx (RegQueryValueExW to be precise..) which is called by the afore mentioned tools to find out if the group policy allows them to run or not, to go though our modified 'DetourRegQueryValueEx' function which checks if the above keys are being checked for. If they are, we make the function return a value which it otherwise would have returned if the restriction had not been there ! This fools the concerned programs into believing that the restrictions actually do not exist (even when they really do).

Well, so much for Group Policies...

History

  • 20040414 - Formatting changes
  • 20040329 - Initial draft

Send in your feedback

Please send in feedback as to if this article came to use to you. This will help me gauge the acceptance of such material, and will affect further submitting of my articles regarding Detours.

I have kept a brief plan of the articles that I wish to write at http://www.geocities.com/kbshankar2000/ArticleSchedule.html. You may go through it and suggest your choice of precedence.

License

This article, along with any associated source code and files, is licensed under The GNU General Public License (GPLv3)

Share

About the Author

Kamal Shankar
Web Developer
United States United States
Kamal Shankar is a programming freak (or so he feels).He currently lives in the Salt Lake City and loves doing what he has been since 1990 - coding horribly Wink | ;)

You may also be interested in...

Comments and Discussions

 
GeneralWhen compiling under Visual Studio 2005 I obtain the following errors: Pin
proxsys127-Feb-08 5:26
memberproxsys127-Feb-08 5:26 
GeneralRe: When compiling under Visual Studio 2005 I obtain the following errors: Pin
yyV23-Apr-08 11:43
memberyyV23-Apr-08 11:43 
GeneralRe: When compiling under Visual Studio 2005 I obtain the following errors: Pin
yyV23-Apr-08 12:17
memberyyV23-Apr-08 12:17 
GeneralThe zip file is unzippable Pin
proxsys127-Feb-08 3:17
memberproxsys127-Feb-08 3:17 
Generalcompilation error Pin
tmp09-Jul-07 18:31
membertmp09-Jul-07 18:31 
Questionhow did you compile the detours.lib from microsoft research website? Pin
atabac_200031-Jan-07 15:42
memberatabac_200031-Jan-07 15:42 
AnswerRe: how did you compile the detours.lib from microsoft research website? Pin
hegh309200231512-Apr-07 17:41
memberhegh309200231512-Apr-07 17:41 
GeneralCANT UNZIP Pin
sdssd28-Dec-04 5:06
membersdssd28-Dec-04 5:06 
GeneralRe: CANT UNZIP Pin
Patel4202-Jan-05 0:33
memberPatel4202-Jan-05 0:33 
Generaldetours with ogl Pin
z100021-Oct-04 5:32
memberz100021-Oct-04 5:32 
QuestionCan detours be used for opengl functions? Pin
Anonymous5-Jul-04 9:06
sussAnonymous5-Jul-04 9:06 
AnswerRe: Can detours be used for opengl functions? Pin
eatmyfeat12-Jan-05 17:14
membereatmyfeat12-Jan-05 17:14 
GeneralTrying out samples from detour package Pin
naikp23-Jun-04 11:25
membernaikp23-Jun-04 11:25 
Generalgranting a group Netshares Pin
singapuree24-May-04 22:49
membersingapuree24-May-04 22:49 
GeneralProblem unzipping the source files. Pin
WREY29-Mar-04 6:51
memberWREY29-Mar-04 6:51 
GeneralNishant - please replace the current zip files with these [was -&gt;Re: Problem unzipping the source files.] Pin
Kamal Shankar29-Mar-04 7:29
memberKamal Shankar29-Mar-04 7:29 
GeneralRe: Problem unzipping the source files. Pin
John C. Turner29-Mar-04 10:30
memberJohn C. Turner29-Mar-04 10:30 
GeneralRe: Problem unzipping the source files. Pin
WREY29-Mar-04 11:18
memberWREY29-Mar-04 11:18 
GeneralI am very sorry ! Please use WinZip 9 [was -&gt; Re: Problem unzipping the source files.] Pin
Kamal Shankar31-Mar-04 6:51
memberKamal Shankar31-Mar-04 6:51 
GeneralRe: I am very sorry ! Please use WinZip 9 [was -&gt; Re: Problem unzipping the source files.] Pin
Anonymous20-May-04 18:28
sussAnonymous20-May-04 18:28 
GeneralRe: I am very sorry ! Please use WinZip 9 [was -&gt; Re: Problem unzipping the source files.] Pin
Speed_D23-Feb-06 14:50
memberSpeed_D23-Feb-06 14:50 
GeneralEULA Pin
Hans Dietrich29-Mar-04 3:03
memberHans Dietrich29-Mar-04 3:03 
GeneralRe: EULA Pin
WREY29-Mar-04 6:35
memberWREY29-Mar-04 6:35 
GeneralRe: EULA Pin
WREY30-Mar-04 3:10
memberWREY30-Mar-04 3:10 
GeneralRe: EULA Pin
Sam Levy30-Mar-04 16:51
memberSam Levy30-Mar-04 16:51 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Terms of Use | Mobile
Web02 | 2.8.160621.1 | Last Updated 26 Apr 2004
Article Copyright 2004 by Kamal Shankar
Everything else Copyright © CodeProject, 1999-2016
Layout: fixed | fluid