"LockDown Browser has been illicitly modified" message in v2.0.9.00 #6

Closed
gucci-on-fleek opened this issue Jun 30, 2022 · 10 comments
Labels: bug (Something isn't working)

Comments

gucci-on-fleek (Owner) commented Jun 30, 2022

After updating the Lockdown Browser to version 2.0.9.00, the browser refuses to load and presents the following warning in a message box:

LockDown Browser has been illicitly modified, or your PC is unable to validate its certificate. The software will now shut down and you will be unable to continue. We recommend performing a Windows update to see if that fixes the issue. Your instructor has been notified of this issue.

This is a known issue, with no current fix available. I am currently working on patching this; however, it may be some time until a fix is available. Any PRs to fix the issue will be greatly appreciated.

@gucci-on-fleek gucci-on-fleek added the bug Something isn't working label Jun 30, 2022
@gucci-on-fleek gucci-on-fleek self-assigned this Jun 30, 2022
@gucci-on-fleek gucci-on-fleek pinned this issue Jun 30, 2022
mayed505 (Contributor) commented:

Hey @gucci-on-fleek,

I've stumbled upon this post, which refers to the same error message:
https://systemfailu.re/2020/11/14/lockdownbrowser-analysis/

Go down to "<:: MISC. DETECTIONS" and you will find how this is being done.

The relevant passage in that article is:
"The best assumption I could make about this function is that it ensures the name of the exe currently running is 'LockDownBrowser.exe' and has not changed or been modified. If this returns false, meaning the module name is not the same, then it will send the modified message to the main loop."

Maybe by looking into it we could work out how they are checking the integrity.

gucci-on-fleek (Owner, author) commented:

I can't tell exactly how they're detecting this, but my guess is that they're just detecting if Detours has been loaded or not. However they are doing it, they just started detecting this in this last update.

Probably the "easiest" solution would be to patch the system file user32.dll to make GetSystemMetrics(SM_REMOTESESSION) always return false. The patch itself should only need like 10 lines of assembly, but correctly applying the patch on a running system may be a little tricky.

mayed505 (Contributor) commented:

Wouldn’t it be possible to patch the DLL in memory theoretically?

Also regarding the GetSystemMetrics, they could possibly also be looking into GetVersionEx (OSVERSIONINFOEX.wSuiteMask) but I’m not sure as I could be wrong.

I'd need to fiddle around with that part. I'll try to see if I can do a real-time patch on that one with a DLL injector that I have lying around, or possibly even go the hard way of modifying LockDownBrowser.dll with a byte patch.

gucci-on-fleek (Owner, author) commented:

> Wouldn't it be possible to patch the DLL in memory theoretically?

That's essentially what this tool is doing right now (Detours docs). I'm not sure if the Browser is detecting if any of its code has been modified at runtime, or if it's just detecting if Detours has been loaded.

> they could possibly also be looking into GetVersionEx (OSVERSIONINFOEX.wSuiteMask)

I don't think that there's anything particularly interesting in there, but I may be wrong. That only shows if terminal services are installed, not if they're active (I think...)

> Possibly even go the hard way of modifying LockdownBrowser.dll with a byte patch.

That's pretty challenging, since the program detects if it's been modified. You could patch that out too, but it would be extra work.

The reason that I'm thinking of patching the system .dll files is that it is completely insane. No one in their right mind would modify such a core file on a regular system; however, since we're in a disposable VM, we don't really need to worry about safety/sanity. I'm not sure if it's the best way forward, but it may be easier than trying to reverse-engineer some of the Browser code.

mayed505 (Contributor) commented:

Any update on the user32.dll's patch?

gucci-on-fleek (Owner, author) commented:

@mayed505 It's somewhere on "the list", although not particularly high up. Realistically, I'm unlikely to start working on this until September, although I may end up with some spare time in the next couple of weeks. No solid plans at the moment, although it will probably get done eventually.

mayed505 (Contributor) commented:

@gucci-on-fleek I've attempted to play with user32.dll and all, but it doesn't seem to work correctly.

The best bet is to leave it up to you because I'm probably doing something wrong here.

gucci-on-fleek (Owner, author) commented:

@mayed505

Which user32.dll were you modifying? You would need to patch the one in C:\Windows\SysWOW64, not the one in C:\Windows\System32.
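Two earlier points in this thread, that making GetSystemMetrics(SM_REMOTESESSION) return FALSE needs only a few instructions and that for a 32-bit process the copy of user32.dll to patch is the one under C:\Windows\SysWOW64, can both be settled from the PE headers of the target. The script below is an added example (not code from this repository or from the thread's authors): it reads the Machine field of an executable to pick the matching user32.dll, builds the return-FALSE stub with the calling convention that architecture needs (x86 GetSystemMetrics is __stdcall, so the callee must pop its 4-byte argument), and maps an RVA to a file offset through the section table so a patch lands in the right place in the file. The PE image and the RVA used here are constructed for the example; a real GetSystemMetrics RVA would come from the export table or a disassembler. Two caveats a practitioner would want: overwriting bytes in user32.dll invalidates its Authenticode signature, so anything that validates that signature will notice, and a file-level patch only takes effect in processes started after the patched file is in place.

```python
"""Added example: choose the right user32.dll for the target's bitness and
build/apply a return-FALSE stub.  The PE image is constructed below and
contains no real code; it is not a loadable DLL."""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def pe_header_offset(data: bytes) -> int:
    """Validate the MZ and PE signatures; return the offset of 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew


def pe_machine(data: bytes) -> int:
    """IMAGE_FILE_HEADER.Machine: 0x014C = x86, 0x8664 = x64."""
    return struct.unpack_from("<H", data, pe_header_offset(data) + 4)[0]


def user32_to_patch(data: bytes, windir: str = r"C:\Windows") -> str:
    """On 64-bit Windows a 32-bit process loads the WOW64 copy of user32,
    so that is the file a patch must target for an x86 target."""
    machine = pe_machine(data)
    if machine == IMAGE_FILE_MACHINE_I386:
        return windir + r"\SysWOW64\user32.dll"
    if machine == IMAGE_FILE_MACHINE_AMD64:
        return windir + r"\System32\user32.dll"
    raise ValueError(f"unsupported machine 0x{machine:04x}")


def return_false_stub(machine: int) -> bytes:
    """Code that makes a one-DWORD-argument function return 0.
    x86: __stdcall callee pops its argument -> xor eax,eax ; ret 4
    x64: caller cleans the stack         -> xor eax,eax ; ret"""
    if machine == IMAGE_FILE_MACHINE_I386:
        return b"\x33\xC0\xC2\x04\x00"
    if machine == IMAGE_FILE_MACHINE_AMD64:
        return b"\x33\xC0\xC3"
    raise ValueError(f"unsupported machine 0x{machine:04x}")


def rva_to_file_offset(data: bytes, rva: int) -> int:
    """Walk the section table to turn an RVA into a raw file offset."""
    pe = pe_header_offset(data)
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    sect = pe + 24 + opt_size                      # first IMAGE_SECTION_HEADER
    for _ in range(nsections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, sect + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
        sect += 40
    raise ValueError(f"RVA 0x{rva:x} is not in any section")


def patch_function(data: bytes, rva: int) -> bytes:
    """Return a copy of the image with the function at `rva` overwritten
    by the return-FALSE stub for the image's own architecture."""
    stub = return_false_stub(pe_machine(data))
    off = rva_to_file_offset(data, rva)
    if off + len(stub) > len(data):
        raise ValueError("patch runs past end of file")
    return data[:off] + stub + data[off + len(stub):]


def build_sample_pe(machine: int) -> bytes:
    """Constructed minimal image: DOS header, PE signature, file header,
    zeroed PE32-sized optional header, one '.text' section at RVA 0x1000
    / file offset 0x200 filled with int3 (0xCC)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    opt = bytes(0xE0)                                        # sizeof(IMAGE_OPTIONAL_HEADER32)
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(opt), 0x2102)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x100, 0x200,
                          0, 0, 0, 0, 0x60000020)            # code | execute | read
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + opt + section).ljust(0x200, b"\0")
    return headers + b"\xCC" * 0x100


if __name__ == "__main__":
    sample = build_sample_pe(IMAGE_FILE_MACHINE_I386)
    print("patch target:", user32_to_patch(sample))
    patched = patch_function(sample, 0x1010)                 # constructed RVA
    print("bytes at 0x210:", patched[0x210:0x215].hex())
```

Applying this to the real file means replacing C:\Windows\SysWOW64\user32.dll while nothing 32-bit is using it (TrustedInstaller owns it, so ownership and ACLs have to be taken first), which is the "tricky on a running system" part of the earlier comment; an in-memory patch through a loader-side hook avoids the file replacement but is exactly the kind of modification the thread suspects is being detected.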

mayed505 (Contributor) commented Aug 30, 2022

@gucci-on-fleek

I have no idea what I've done, but I updated LockDown Browser, and it seems to be working.
https://i.imgur.com/NzZjFQL.png

It used to show that dialog upon the browser start-up.

Checking the change log since July 26 reveals the following:

Version 2.0.9.03, 7-26-22
Improvements to security

mayed505 (Contributor) commented Mar 8, 2023

This probably should be closed. Issue hasn’t occurred since the issue was made.

@gucci-on-fleek gucci-on-fleek closed this as not planned (won't fix, can't repro, duplicate, stale) Mar 8, 2023
@gucci-on-fleek gucci-on-fleek unpinned this issue Mar 20, 2023