How to create a 'sandbox' with a virtualised registry for an application?

We have a 3rd party native application (written in C I believe) which we want to run multiple instances of on a machine.

However, the application reads and writes one particular registry key in order to find the location of a config file. It reads this location continuously while it is running. The registry key is in HKLM. This means that if we try to run 2 different instances of the app with 2 different locations for the config file, the processes tread on each other's toes.

Is it possible to 'virtualise' the registry (or run each process in a sandbox) that the processes are using, so that they both think they are writing to a single location, but are actually reading and writing somewhere different and won't step on each other's toes?

Sam Holder, asked Jun 17 '13 19:06


2 Answers

There are several options to virtualize a program:
https://en.wikipedia.org/wiki/Portable_application_creators

Creating your own virtualization software is much more complicated and would require an entire course on programming and hooking library calls using the Windows SDK.

However, for an easier option that doesn't require setting up and running additional software for each copy of the program, I suggest creating multiple copies of the program and hex editing each executable.

Make as many copies of the application as you need to run, then open the application file in a hex editor and search for the name of the registry key, i.e.:
HKLM\System\CurrentControlSet\Control\Session Manager

Then change the last byte to a digit for each different version (1 byte, 0-9), i.e.:
HKLM\System\CurrentControlSet\Control\Session Manage1
HKLM\System\CurrentControlSet\Control\Session Manage2
HKLM\System\CurrentControlSet\Control\Session Manage3

For more than 10 differences (2 bytes, 00-99) use the last two bytes:
HKLM\System\CurrentControlSet\Control\Session Manag01
HKLM\System\CurrentControlSet\Control\Session Manag02
HKLM\System\CurrentControlSet\Control\Session Manag03

Joshua Briefman, answered Nov 15 '22 06:11


While the solution from Joshua will work for this particular application, it might not work for others (e.g. where the registry path is constructed in code or when the application is signed).

Therefore, I would suggest using DLL injection and intercept calls to RegOpenKey(Ex), RegCreateKey(Ex), etc. That way, you can fiddle with the registry path before passing the call down to the real Windows Advapi32.dll.

Some great articles about API hooking:

API Hooking and DLL Injection on Windows

API Hooking with MS Detours

huysentruitw, answered Nov 15 '22 06:11
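As an added illustration of the hooking approach described in the second answer (example code written for this page, not from the answer, from the asker's application or from the Detours project): the path-rewriting core a RegOpenKeyExA detour would use, with the Windows/Detours part kept under _WIN32 so the portable part compiles and can be checked anywhere. The key path is the one quoted in the first answer; the RegSandbox subtree, g_instance, redirect_subkey, redirect_equals and the HKLM-to-HKCU redirect are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Subkey the app hard-codes (from the first answer). The instance number is a
 * hypothetical setting the launcher of each copy would provide (e.g. an env var). */
#define TARGET_SUBKEY "System\\CurrentControlSet\\Control\\Session Manager"
static unsigned g_instance = 1;
/* Case-insensitive match of whole leading path components ("...Manager2" must not match). */
static int has_prefix_ci(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return *s == '\0' || *s == '\\';
}
/* Rewrite "System\...\Session Manager[\child]" to the per-instance private key
 * "Software\RegSandbox\Instance<N>\Session Manager[\child]". Returns 1 and fills
 * out[] when redirected; 0 when the path is left alone or out[] is too small. */
int redirect_subkey(const char *subkey, unsigned instance, char *out, size_t cap) {
    if (subkey == NULL || !has_prefix_ci(subkey, TARGET_SUBKEY)) return 0;
    const char *rest = subkey + strlen(TARGET_SUBKEY);   /* "" or "\child..." */
    int n = snprintf(out, cap, "Software\\RegSandbox\\Instance%u\\Session Manager%s",
                     instance, rest);
    return n > 0 && (size_t)n < cap;
}
/* Self-check helper: does redirecting `subkey` for `instance` give `expected`? */
int redirect_equals(const char *subkey, unsigned instance, const char *expected) {
    char buf[260];
    return redirect_subkey(subkey, instance, buf, sizeof buf) && strcmp(buf, expected) == 0;
}
#ifdef _WIN32   /* the hook itself: Windows-only, built against Microsoft Detours */
#include <windows.h>
#include <detours.h>
static LONG (WINAPI *Real_RegOpenKeyExA)(HKEY, LPCSTR, DWORD, REGSAM, PHKEY) = RegOpenKeyExA;
/* HKLM\<target> is opened as HKCU\<private copy> instead, so each injected copy
 * sees its own config location. RegCreateKeyEx etc. would be hooked the same way. */
static LONG WINAPI Hook_RegOpenKeyExA(HKEY root, LPCSTR sub, DWORD opt, REGSAM sam, PHKEY out) {
    char redirected[MAX_PATH];
    if (root == HKEY_LOCAL_MACHINE && redirect_subkey(sub, g_instance, redirected, sizeof redirected))
        return Real_RegOpenKeyExA(HKEY_CURRENT_USER, redirected, opt, sam, out);
    return Real_RegOpenKeyExA(root, sub, opt, sam, out);
}
BOOL WINAPI DllMain(HINSTANCE h, DWORD reason, LPVOID reserved) {
    if (reason == DLL_PROCESS_ATTACH) {            /* install once the DLL is loaded */
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach((PVOID *)&Real_RegOpenKeyExA, (PVOID)Hook_RegOpenKeyExA);
        DetourTransactionCommit();
    }
    return TRUE;
}
#endif
```

Because the private copy lives under HKCU, each instance can read and write it without elevation, and the original HKLM key is never touched.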