Cracking Software to Run as Non-Admin
Friday, 26 August 2005
This is one of the lamer things I’ve done as a computer geek, and that’s saying a lot. However, any self-respecting person does not compromise on their values. One of my computer values happens to be “Run with Least Privilege.”
What’s a geek to do, then, when a cherished application fails to run under a non-admin account? Often, the solution is more of a negotiation between your security goals, and the software reality. A program scribbles all over its installation directory (in Program Files\<Program>,) so you grudgingly grant yourself full control over that specific directory. Or, it performs a similar travesty by continually modifying data under HKLM\Software\<Vendor>\<Program>. So, you grudgingly grant yourself full control over that specific registry key.
Now, the cherished software in question is very helpful: Macro Maker. It’s a very useful macro program, but not very friendly when run as a non-Administrator.
After installing it (as Administrator,) you run into issues the first time you run it:
Temporarily(!) giving ourselves full access to this key makes the error go away, and the program loads fine. However, that’s not something I’m willing to negotiate. If I have full access to HKLM\Software, I can completely destroy my system, as can malware acting on my behalf. I can add spyware to my startup folders, and much more. So, hastily remove our elevated permissions from the Software key.
Next, we fire up RegMon from a MakeMeAdmin window to see what the problem is. Set your filter to MacroMaker.exe, and try to run the program again. The offending entry appears:
The requested access is 0xF003F (just off of the screen shot above.) You can determine what this means by looking in MSDN, or by looking up the values for the registry access flags in the header files that ship with Visual Studio.
However, we intend to fix the program, so let’s try another approach. Before we start, copy “MacroMaker.exe” to “MacroMaker.exe.bak.”
Now, open up OllyDbg from a MakeMeAdmin window, and then open the MacroMaker.exe program. The main debugging window comes up, so right-click it. Select “Search for | All referenced text strings.”
In the window that pops up, right-click and select “Search for text.” Search for “Error opening Software key.” OllyDbg shows a hit, so double-click on it.
Now, OllyDbg has some pretty awesome analysis capabilities. It’s pinpointed the entrypoint to the assembler routine several lines above: “> 6A 00”. Right-click that line, and select “Find references to | Selected command.” OllyDbg opens a references window that shows two locations: “JNZ MacroMak.00410E71” (may be different on your system,) and “PUSH 0, (Initial CPU Selection).” The first one is a jump into this routine, while the second is the routine itself. Double click on the first address.
The culprit pops out almost immediately, 6 lines above the jump to the “Error Routine:”
MacroMaker opens the Software key (presumably to see if it exists,) but uses KEY_ALL_ACCESS as the access request. Do you recognize the number in the assembly instruction for that line? PUSH 0F0030F.
So how do we fix this? Well, we’ll make it request only KEY_READ access. After all, that’s all it should require.
MSDN documents the values for the registry access flags well in this article. The value for KEY_READ is 0×20019. Double-click the line with “Access = KEY_ALL_ACCESS,” and change “PUSH 0F003F” to “PUSH 020019”, then click “Assemble.”
Right-click anywhere in the disassembly window, and select “Analysis | Analyze Code.” Voila, it now requests KEY_READ access.
Right-click the disassembly area again, select “Copy to executable | All modifications,” then click “Copy All.” In the window that opens, right-click the disassembly, select “Save file,” and name the program “MacroMakerFixed.exe”
Finally, select the “Debug” menu option, “Close,” and click “Yes.” Close OllyDbg.
Now, run “MacroMakerFixed.exe” and enjoy your cherished least privilege account! When you feel comfortable that you haven’t broken the program, copy it over MacroMaker.exe and delete MacroMakerFixed.exe.