gucci-on-fleek / lockdown-browser

Run the “Respondus Lockdown Browser” in the “Windows Sandbox”

Lockdown Browser in Windows Sandbox

A demonstration of the software in action

View Demo Video

What is this?

This repo allows you to run the Respondus Lockdown Browser in an isolated sandbox, thus completely bypassing its “security measures”. Normally, the Lockdown Browser blocks you from running it if it detects that it is being virtualized. However, this tool bypasses the detection, allowing us to virtualize it.

Why the Lockdown Browser is bad

First, I am uncomfortable with installing random software on my computer. As a rule, I will only install software that is Open Source or that is from a trusted publisher. This is neither, so I am naturally a little uncomfortable installing it.

Second, the Lockdown Browser is essentially indistinguishable from malware. Read the following list of documented behaviors, and see how similar these behaviors are to actual malware.

And of course, there are the privacy issues. Cheating is no doubt an issue, but school-mandated surveillance software is a step too far. As far as I am concerned, this is the most significant issue. I strongly recommend reading the following links from the EFF, a non-profit that focuses on defending digital privacy.

Purpose

This tool is not designed to facilitate cheating. Instead, I built it for two purposes:

First, it is designed to show school administrators that the Lockdown Browser is entirely ineffective. Respondus claims that it is the “gold standard” and that it cannot be bypassed, but that is clearly false. I, a random University student, managed to bypass the Lockdown Browser in a single day. This removes all of the (supposed) benefits of the Lockdown Browser, and thus makes the issues look even worse.

Second, it is designed to prevent students from having to install invasive spyware on their personal computers. Sometimes, administrators won't listen and will still force the Lockdown Browser on their students. This tool allows you to run the Lockdown Browser in an isolated sandbox, thus preventing the Lockdown Browser from modifying or spying on the rest of your computer. This tool is designed to run in the Windows Sandbox, but users should be able to easily adapt it to run in other Virtual Machine software. This is especially valuable for Linux users, since the Lockdown Browser does not run on Linux and otherwise refuses to run in a VM.

Disclaimer

This repository does not contain any materials belonging to Respondus Inc. You must supply your legally-acquired Lockdown Browser .exe yourself. Any supporting and auxiliary files were either created by myself or gathered from various OSS projects with proper attribution. This project is not endorsed by Respondus Inc., nor by anyone except for myself.

This project is intended merely as a proof-of-concept. While this tool could conceivably be used to facilitate cheating, this is not my intent. Any consequences of using this tool in a real exam are entirely your own responsibility.

Also note that Respondus has explicitly granted permission for this type of research. From their website:

Hacker Tested, Market Approved – Hundreds of universities and schools around the world use LockDown Browser. It seems that at least one person (or team) at each institution makes it a quest to “break out” or beat the system. Some of the best minds have taken our software to task over the years, and we’ve addressed each issue that’s been raised. (Yes, you have our blessing… go ahead and see if you can break it.)

System Requirements

Building

Clone the repository, then run build.ps1. Then, install the Windows Sandbox. That's it!

Running

  1. Build the project as shown above.
  2. Download the Respondus Lockdown Browser and place it in runtime_directory\.
  3. Double-click Sandbox.wsb (it’s in runtime_directory\)

    (Alternative) If you want to pass your microphone and camera through to the Lockdown Browser, run Sandbox-with-Microphone-Camera.wsb instead.

  4. Wait. It’ll take about a minute, but eventually the Lockdown Browser will open, completely automatically.

Common Issues

The Browser updates itself, then it stops working

This tool does not support having the Lockdown Browser update itself. Instead, whenever there is an update available for the browser, you should download a fresh installer from wherever you originally downloaded it. The URL should be similar in format to:

https://download.respondus.com/lockdown/download7.php?id=XXXXXXXXX

You get a “Terminal Services” error message

If the Lockdown Browser fails to launch, do not double-click the file on the VM's desktop. Instead, open a PowerShell prompt inside the VM and run:

cd C:\Users\WDAGUtilityAccount\Desktop\runtime_directory\
.\withdll.exe /d:GetSystemMetrics-Hook.dll "C:\Program Files (x86)\Respondus\LockDown Browser\LockDownBrowser.exe"

Of course, this is usually symptomatic of another issue, so please make sure that you have followed all the earlier instructions.

Other issues

If you have made sure that you have followed all the instructions, please feel free to open a new issue. Make sure to include any error messages and your Lockdown Browser version.

Technical Details (How does it work?)

This repo consists of a few fairly simple tools cobbled together into a coherent package.

The Lockdown Browser detects a few BIOS-related registry keys in HKLM:\HARDWARE\DESCRIPTION. Therefore, sandbox_run.ps1 deletes these keys/values.

When the Lockdown Browser detects that VmComputeAgent.exe is running, it realizes that it is in a VM and refuses to launch. This program is a part of the Windows Sandbox, and cannot be stopped without crashing the VM. However, when the Browser checks all the running programs, it also opens and examines each image file. It turns out that if sandbox_run.ps1 deletes the image file, the Lockdown Browser acts as if the program isn't even running.
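The check described above fails open: a process whose image file cannot be examined is treated as if it were not running. As an added example (not code from this repository or from Respondus), the following PowerShell shows the fail-closed alternative, where presence is decided from the process table alone and a missing image file is reported as a tampering signal. The function names, the sample records and the `C:\constructed\...` path are hypothetical.

```powershell
# Added example, not code from this repository.
# Classify each process by whether its image file can still be found on disk.
function Get-ProcessImageStatus {
    param(
        # Objects with ProcessId, Name and ExecutablePath; live data by default.
        [object[]]$Process = (Get-CimInstance -ClassName Win32_Process)
    )
    foreach ($p in $Process) {
        $status = if ([string]::IsNullOrEmpty($p.ExecutablePath)) {
            'PathUnavailable'   # system process, or caller lacks access
        } elseif (Test-Path -LiteralPath $p.ExecutablePath -PathType Leaf) {
            'ImagePresent'
        } else {
            'ImageMissing'      # running, but the backing file is gone
        }
        [pscustomobject]@{
            ProcessId = $p.ProcessId; Name = $p.Name
            Path = $p.ExecutablePath; Status = $status
        }
    }
}

# Fail-closed presence check: a watched name counts as running because it is
# in the process table; an unreadable image never turns that into "absent".
function Test-WatchedProcess {
    param([object[]]$Status, [string[]]$WatchList)
    $Status | Where-Object { $WatchList -contains $_.Name } | ForEach-Object {
        [pscustomobject]@{
            Name = $_.Name; ProcessId = $_.ProcessId
            Running = $true
            Tampered = ($_.Status -eq 'ImageMissing')
        }
    }
}

# Constructed sample records (not real process data), so the logic can be
# exercised without touching the live system.
$sample = @(
    [pscustomobject]@{ ProcessId = 4; Name = 'System'; ExecutablePath = $null }
    [pscustomobject]@{ ProcessId = 1200; Name = 'cmd.exe'
                       ExecutablePath = "$env:SystemRoot\System32\cmd.exe" }
    [pscustomobject]@{ ProcessId = 1300; Name = 'VmComputeAgent.exe'
                       ExecutablePath = 'C:\constructed\removed\VmComputeAgent.exe' }
)
$status = Get-ProcessImageStatus -Process $sample
Test-WatchedProcess -Status $status -WatchList 'VmComputeAgent.exe'
```

Called without `-Process`, `Get-ProcessImageStatus` audits the live process list; any `ImageMissing` row is worth investigating on its own, since a running process with no file on disk is unusual.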

The Lockdown Browser calls GetSystemMetrics(SM_REMOTESESSION) to determine if it is running in an RDP session. Since this function is in user32.dll, there aren’t any trivial ways to fix this. However, Microsoft Detours allows you to intercept and replace any function in any .dll. A small hook (GetSystemMetrics-Hook.cpp) is used with Detours to intercept the function call and return a false value.

Because this tool runs in the Windows Sandbox, no state is retained between sessions. Therefore, this tool provides a scripted installer for the Lockdown Browser. The Lockdown Browser’s installer is a little tricky to script, so the installation is a little hacky, but it works. And again, the Sandbox is completely isolated from the rest of your system, so the Lockdown Browser cannot cause any harm to your computer.

License

All code is licensed under the Mozilla Public License, version 2.0 or greater. The documentation is licensed under CC-BY-SA, version 4.0 or greater, in addition to the MPL. The Detours submodule has an MIT licence as detailed in Detours/LICENSE.md.

In addition to the formal licence terms, I would appreciate it if users do not distribute any binaries: I intend for this project to be merely a proof-of-concept, and any binaries circulating on the internet diminish this status. Of course, you are well within your rights to ignore this request, but I would appreciate it if you respect my wishes. Thanks!