GPCul8r - Group Policy Bypassing Tool
------------------------------------------------------------------------
SUMMARY
DETAILS
Overview
The following tool is a quick little program for bypassing certain group
policy restrictions under Windows. It's not technically novel or
interesting, but it's handy to have if you need to operate within a
domain-joined desktop environment that's subject to group policy controls.
Installing GPCul8r:
1. Copy GPCul8r.dll and detoured.dll to a permanent location.
2. Use withdll.exe to launch regedit.exe with GPCul8r.dll & detoured.dll
mapped into its process space as follows:
c:\> withdll /p:<full pathname of detoured.dll> /d:<full pathname of
gpcul8r.dll> regedit.exe
3. Edit HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs,
adding both GPCul8r.dll and detoured.dll to the list of DLLs.
That should do it.
Note that if you don't have admin rights, you won't be able to perform
this last step -- sorry. You'll still be able to launch individual
programs using GPCul8r as described in step #2, but if you want GPCul8r to
be loaded automatically by all applications, you're on your own.
(Also, technically speaking, detoured.dll is only necessary in order to be
compliant with the Microsoft Detours licensing terms. GPCul8r will work
just fine without it.)
Troubleshooting
The AppInit_DLLs value specifies a list of DLLs to be loaded by all
processes -- from this point forward, both of these DLLs will be loaded
into every desktop application process that gets created.
If GPCul8r doesn't seem to be working, use Process Explorer or any
standard debugger to check whether GPCul8r.dll is mapped into the process
space you're trying to liberate. If you don't see it in the list of
loaded DLLs, that's why it's not working. :)
Also -- since GPCul8r intentionally lies to callers about the existence of
certain registry keys (see below), this means that GPCul8r will interfere
with normal editing of these registry keys. In other words, don't be
surprised when Regedit.exe has problems editing the keys named below.
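From the defender's side, the same check can be scripted. The following PowerShell audit script is an added example, not part of GPCul8r or the original bulletin: it lists every AppInit_DLLs entry (both registry views on x64), flags the two DLL names named above, and walks running processes for those modules, which is what the troubleshooting step above does by hand with Process Explorer. It assumes Windows PowerShell on a Vista-or-later host (the LoadAppInit_DLLs switch does not exist on XP) and an elevated session so that other users' process modules are readable.

```powershell
# Added audit script (not part of GPCul8r). Assumes Windows PowerShell 5+,
# Vista or later, run elevated. Reports only; changes nothing.

$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit view on x64
)
# DLL names taken from the bulletin above; extend this list for other known loaders.
$suspectNames = @('gpcul8r.dll', 'detoured.dll')

foreach ($key in $appInitKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $list  = [string]$props.AppInit_DLLs
    # LoadAppInit_DLLs (Vista+) gates whether the list is honoured at all; on XP it is always honoured.
    $enabled = if ($null -ne $props.LoadAppInit_DLLs) { $props.LoadAppInit_DLLs } else { 'n/a (pre-Vista)' }
    Write-Host "$key`n  LoadAppInit_DLLs = $enabled`n  AppInit_DLLs     = '$list'"
    if ([string]::IsNullOrWhiteSpace($list)) { continue }
    # The value is a space- or comma-separated list of DLL paths.
    foreach ($dll in ($list -split '[ ,]+' | Where-Object { $_ })) {
        $name   = ([IO.Path]::GetFileName($dll)).ToLower()
        $exists = Test-Path -LiteralPath $dll
        $flag   = if ($suspectNames -contains $name) { 'SUSPECT' } else { 'review' }
        Write-Host "    [$flag] $dll (on disk: $exists)"
    }
}

# Per-process check: is either DLL mapped into a running process right now?
Get-Process | ForEach-Object {
    $p = $_
    try { $mods = $p.Modules } catch { return }   # access denied on protected processes; skip
    foreach ($m in $mods) {
        if ($suspectNames -contains $m.ModuleName.ToLower()) {
            Write-Host ("    [LOADED] {0} (PID {1}) has {2} from {3}" -f $p.ProcessName, $p.Id, $m.ModuleName, $m.FileName)
        }
    }
}
```

A non-empty AppInit_DLLs list is worth reviewing on any managed desktop regardless of the names in it, since every GUI process loads whatever is listed there.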
How it works
In order to do its thing, GPCul8r.dll needs to be loaded into the process
space of whatever program needs to bypass group policy. Once loaded,
GPCul8r works by detouring calls to the ZwQueryValueKey function to see if
the program is querying one of the keys related to a group policy setting
we want to bypass. If so, GPCul8r returns STATUS_OBJECT_NOT_FOUND,
thereby tricking the caller into thinking the key doesn't exist.
GPCul8r, being a quick & dirty little tool, is not configurable. The
targeted key names are hard-coded in the source. They are:
- TransparentEnabled (controls software restriction policy settings)
- ProxySettingsPerUser (controls access to the IE proxy settings dialog)
- DisableRegistryTools (duh)
- DisableTaskMgr (duh)
For more on the technique that GPCul8r uses, see Mark Russinovich's
original article on the subject:
http://blogs.technet.com/markrussinovich/archive/2005/12/12/circumventing-group-policy-as-a-limited-user.aspx
ADDITIONAL INFORMATION
The information has been provided by Eric Rachner <eric@rachner.us>.
The original article can be found at: http://www.rachner.us/blog/?p=15
To keep updated with the tool visit the project's homepage at:
http://www.rachner.us/files/GPCul8r/GPCul8r-0.1-src.zip
========================================
This bulletin is sent to members of the SecuriTeam mailing list.