
proctortrack

branover edited this page Dec 2, 2016 · 5 revisions

Introduction

This write-up describes how I bypassed the VM detection in Proctortrack, the online exam proctoring software from Verificient Technologies. The software is meant to prevent cheating by students taking online exams: it records your screen, webcam, and microphone during the exam and prevents you from using non-approved software while taking it. It also has protections in place to make sure it is not run inside a virtual machine. If a student were able to run the software in a VM, the software would be rendered useless, since they could switch out of the VM to the host OS and do whatever they wanted without the software being able to track or prevent it. For example, they could open a web browser in the host OS and google the subject of an exam question, or chat online with other students taking the exam.

Summary

In short, I bypassed the checks the software performs to determine whether it is running in a VM by opening the executable in a disassembler (IDA, Binary Ninja, etc.) and searching for the string shown in the message box that essentially says "You're in a VM, quitting program". From there I traced the calls back until I found the point where execution branches on the result of the VM checks, and changed one instruction from a conditional jump to an unconditional jump. That single change bypassed the checks completely and let me open the software in a Windows VM.

Proof of Concept

To patch the software so that it skips the VM checks, follow the steps below. This works as of 12-2-2016, but is unlikely to work unchanged on future versions, because the offsets will most likely move.

  1. Run the Proctortrack.exe downloaded from the website for the test you are trying to take. The offsets below were determined on the practice test build.

  2. When the executable starts, it unpacks the actual software into the C:\Users\CurrentUser\AppData\Roaming\Verificient directory. Close the program that starts up once it shows you the VM error message.

  3. Run the following commands in PowerShell to apply the patch:

```powershell
# Read the unpacked executable from the AppData directory
$bytes = [System.IO.File]::ReadAllBytes("$env:APPDATA\Verificient\Proctortrack.exe")
$offset = 17012

# Overwrite the three bytes of the conditional jump at that offset
$bytes[$offset]   = 0xE9
$bytes[$offset+1] = 0xC4
$bytes[$offset+2] = 0x00

# Write the patched file back in place
[System.IO.File]::WriteAllBytes("$env:APPDATA\Verificient\Proctortrack.exe", $bytes)
```

  4. Run the binary in the AppData directory again and it works! Just don't run the original exe you downloaded from the website again, otherwise it will unpack over the modified binary.
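The steps above work because the unpacked copy in AppData is launched as-is, so a few changed bytes in it go unnoticed. The following PowerShell script is an added example, not code from this write-up or from Verificient, showing how a defender (the vendor or an exam administrator) could detect this kind of in-place patching: it compares the deployed file against a known-good reference copy and lists the byte offsets that differ. The reference path and the function name `Compare-BinaryIntegrity` are assumptions.

```powershell
# Added example, not from the original write-up: detect in-place patching of a
# deployed executable by comparing it with a known-good reference copy.
# Both paths are assumptions; point them at your own files.
param(
    [string]$ReferencePath = "C:\Reference\Proctortrack.exe",             # assumed location of a pristine copy
    [string]$DeployedPath  = "$env:APPDATA\Verificient\Proctortrack.exe"  # unpacked copy named in the write-up
)

function Compare-BinaryIntegrity {
    param([string]$Reference, [string]$Deployed)

    # Fast path: identical SHA-256 digests mean nothing was changed.
    $refHash = (Get-FileHash -Path $Reference -Algorithm SHA256).Hash
    $depHash = (Get-FileHash -Path $Deployed  -Algorithm SHA256).Hash
    if ($refHash -eq $depHash) {
        return [pscustomobject]@{ Tampered = $false; SizeMismatch = $false; Offsets = @(); Hash = $refHash }
    }

    # Slow path: locate every differing byte so the change can be triaged.
    $ref = [System.IO.File]::ReadAllBytes($Reference)
    $dep = [System.IO.File]::ReadAllBytes($Deployed)
    $offsets = New-Object System.Collections.Generic.List[int]
    $common = [Math]::Min($ref.Length, $dep.Length)
    for ($i = 0; $i -lt $common; $i++) {
        if ($ref[$i] -ne $dep[$i]) { $offsets.Add($i) }
    }
    return [pscustomobject]@{
        Tampered     = $true
        SizeMismatch = ($ref.Length -ne $dep.Length)
        Offsets      = $offsets.ToArray()
        Hash         = $depHash
    }
}

$result = Compare-BinaryIntegrity -Reference $ReferencePath -Deployed $DeployedPath
if (-not $result.Tampered) {
    Write-Host "OK: deployed binary matches reference (SHA256 $($result.Hash))"
    exit 0
}

# A handful of changed bytes in an otherwise identical file is the signature of
# a hand-patched branch; a size mismatch usually means a different build entirely.
$shown = ($result.Offsets | Select-Object -First 16) -join ', '
Write-Warning ("Deployed binary differs from reference: {0} byte(s) changed, size mismatch = {1}. First offsets: {2}" -f $result.Offsets.Count, $result.SizeMismatch, $shown)
exit 1
```

Run it after the launcher has unpacked the software and before the exam client is started; a non-zero exit code with a short list of offsets is the case to investigate, since a legitimate update would normally change the file size and a large number of bytes rather than two or three.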

Walkthrough
