Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to create a 'sandbox' with a virtualised registry for an application?

Tags:

windows

process

registry

sandbox

registry-virtualization

We have a 3rd party native application (written in C I believe) which we want to run multiple instances of on a machine.

however the application reads and writes from one particular registry key in order to find the location of a config file. It reads this location continuously during its running. The registry key is in HKLM. this means that if we try and run 2 different instances of the app with 2 different locations for the config file the processes tread on each others toes.

Is it possible to 'virtualise' the registry (or run each process in a sandbox) that the processes are using so that they can both think they are writing to a single location, but actually they are writing and reading from somewhere different and they won't step on each others toes?

like image 577
Sam Holder Avatar asked Jun 17 '13 19:06

Sam Holder

2 Answers

There are several options to virtualize a program:
https://en.wikipedia.org/wiki/Portable_application_creators

Creating your own virtualization software is much more complicated and would require an entire coarse on programming and hooking library calls using the windows SDK.

However an easier option that doesn't require setting up and running additional software for each copy of the program I suggest creating multiple copies of the program and hex editing each executable.

Make as many copies of the application as you need to run, then open the application file in a hex editor and search for the name of the registry key, ie:
HKLM\System\CurrentControlSet\Control\Session Manager

Then change the last byte to a digit for each different version (1 byte, 0-9) ie:
HKLM\System\CurrentControlSet\Control\Session Manage1
HKLM\System\CurrentControlSet\Control\Session Manage2
HKLM\System\CurrentControlSet\Control\Session Manage3

For more than 10 differences (2 bytes, 00-99) use the last two bytes:
HKLM\System\CurrentControlSet\Control\Session Manag01
HKLM\System\CurrentControlSet\Control\Session Manag02
HKLM\System\CurrentControlSet\Control\Session Manag03

like image 98
Joshua Briefman Avatar answered Nov 15 '22 06:11

Joshua Briefman

While the solution from Joshua will work for this particular application, it might not work for others (f.e. where the registry path is constructed in code or when the application is signed).

Therefore, I would suggest using DLL injection and intercept calls to RegOpenKey(Ex), RegCreateKey(Ex), etc. That way, you can fiddle with the registry path before passing the call down to the real Windows Advapi32.dll.

Some great articles about API hooking:

API Hooking and DLL Injection on Windows

API Hooking with MS Detours

like image 21
huysentruitw Avatar answered Nov 15 '22 06:11

huysentruitw
Sign in to Comment

Related questions

What are standard unicode fonts?
Case Sensitivity in C++ Header Files
Volume Shadow Copy using Java
Boost.Test on 64-bit Windows
C++ DLL Unload Destructor?
looking for a MAC address of a physical adapter
How can I read a child process's output?
Creating a keytab to use with kinit in Windows
How to find and install CIM Studio in Windows 7 and above?
How can I backup a 13 GB SVN repository? The dump is 100+ GB
PHP upload file inherit permissions error using Windows IIS Server
Windows batch, select ONLY user variables
What's the order of Windows startup?
backward slash followed by a number in python strings
Setting up a LESS file watcher in PHPStorm 6 using node.js on Windows?
How to set breakpoints programmatically in Visual C++?
String comparison not working in PowerShell function - what am I doing wrong?
How do I take advantage of RDMA in windows
How to install opencv with tbb enabled using mingw
Get-ChildItem equivalent of DIR /X

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!