
Hacking Safe Exam Browser(s), Bypassing VM Detection

Hey! How are you doing? Welcome to yet another blog documenting my recent technical exploit, which is hacking safe exam browser(s) and giving your online tests under virtual machines! But before starting, let me present to you the old boring warning!

All the content I show here is for educational purposes only. I neither wish nor want to instigate cheating in assessments; safe exam browsers are made for a reason and you should respect them.

Now that’s out of the way, let’s start with the real deal!

Motivation

I hope you all know what safe exam browsers are; if not, then here you go:

Safe Exam Browser is a web browser environment to carry out e-assessments safely. The software turns any computer temporarily into a secure workstation. It controls access to resources like system functions, other websites and applications and prevents unauthorized resources being used during an exam.

https://safeexambrowser.org/about_overview_en.html

So what happened was, there is this company that visited our campus for recruitment, and they had an assessment that had to be conducted through their own Secure Exam Browser. Now this was “Secure Exam Browser”, not “Safe Exam Browser”. You may ask, what’s the difference? I’d say none! The trick? Well, basically all the safe/secure/etc. exam browsers work the same way: they get you to install an application that is launched with administrative permissions whenever you need to attempt the supported assessment. Because there are so many different varieties of these exam browsers, I just call them all Safe Exam Browser(s); notice that extra s, it covers all types of exam browsers.

Getting back to the topic, one of these so-called exam browsers’ basic requirements is to have the Windows operating system, which unfortunately I didn’t have (because I’m a hard-core Linux user, Varenyam would be proud of me), but I did have an installation image of Windows 10, which I thought I could maybe use to give the assessment.

So what I did was quickly boot up the machine and try to give a mock assessment, which, as I was expecting, failed with a sweet message saying “Virtual Machine, Not Allowed”. Well, after this I had 2 options:

  1. Installing Windows/dual-booting to give assessments or borrowing a friend’s laptop
  2. Hacking secure exam browsers to run under Virtual Machines

Now you would agree with me, any sane person might have chosen #1, but the programmer/hacker inside me screamed loudly to try #2, and thus I started onto my quest, filled with great adventures and sacrifices.

Starting off

Here are the adventures (i.e. the painstaking journey) that I had to go through to get everything working. I’m really sorry if this is boring you, but just a reminder: this is a technical + experience blog, so this much is expected! If you still want to quickly get the gist of it, go to the “My Personalized VM Software” section, but I’d strongly recommend reading all of it. Going through my approaches, and why I did what I did, might be very beneficial to the programmer inside you, plus you can in future apply the same learnings to find exploits in other games/apps (though please do it in a morally good way; again, I am not promoting hacking/cheating).

Research

So first, I started researching safe exam browsers, and how they work, most notably if there is any existing exploit already available, and to my surprise, I got one, which was:

But like these links, they all had some problems: mostly they were for older versions and once used to work, but now do not. In all of these articles I found mainly 2 types of things. The first was installing/sideloading some .dlls to bypass detection and using VMware with the SMBIOS.reflectHost = "True" parameter (to imitate the host machine as much as it could), and the other was to change a config file? Or something. Well, I couldn’t understand this one, as I only had a link to the assessment.. but who cares?

So to start off my journey, I began with this method, that is, setting reflectHost to true. Well, I thought that maybe changing these manufacturer names and other parameters might allow me to run the test under a VM? But to nobody’s surprise, even after whacking my head at installing/configuring VMware and making the necessary changes, it didn’t work at all.. well yeah! That is to be expected; after all, this has already been found by the community, and counter-measures regarding the same should already be implemented! Well, I was absolutely right!! While looking for the solution, I came across this GitHub repository which hosts the source code of the official Safe Exam Browser!

Well, I quickly dug up the code and found this specific file – VirtualMachineDetector.cs which I hope is pretty self-explanatory in itself! I thought I found the lead I required, and quickly read through the code for possible machine detection! (In fact, the community is so nice, that they explicitly marked the symbols required to detect specific VM software in comments) After finding some pieces of code, that might be of interest, I started finding ways to change these identifiers that were giving away my identity of being run on virtual machines!

Here’s an example of some of the code that was being used:

private static readonly string[] DeviceBlacklist =
{
    // Hyper-V
    "PROD_VIRTUAL", "HYPER_V",
    // QEMU
    "qemu", "ven_1af4", "ven_1b36", "subsys_11001af4",
    // VirtualBox
    "vbox", "vid_80ee",
    // VMware
    "PROD_VMWARE", "VEN_VMWARE", "VMWARE_IDE"
};

...
isVirtualSystem |= biosInfo.Contains("vmware");
...
isVirtualSystem |= manufacturer.Contains("vmware");
...
foreach (var device in systemInfo.PlugAndPlayDeviceIds)
{
    hasVirtualDevice |= DeviceBlacklist.Any(d => device.ToLower().Contains(d.ToLower())) && DeviceWhitelist.All(d => !device.ToLower().Contains(d.ToLower()));
}
...

Analysis

Well, I got the code! And I knew exactly where to make changes, so it should be pretty easy from this point on, right? Well, you couldn’t be more wrong. Even after getting this much information, I had to go to great lengths and make great sacrifices to get everything working.

And let me tell you a funny thing!

At that time, I thought the assessment link I had was for the same software as the safe-exam-browser repository I was inspecting. Well.. at that time I totally made a blunder by not realizing that my assessment had to be done on “Secure Exam Browser”.. they are in fact different applications! (But with many similarities!) (So I mistook my Secure Exam Browser for Safe Exam Browser!)

Proceeding further, I took note of the parameters that are used to detect a virtual machine. I was also pretty confident I could circumvent them; I thought that it would be pretty easy: I would see exactly what parameters are being used, change them (like the MAC-address prefix) and then BAM! Everything works, I get a little cheaty-cheaty and score highest in the assessment, which will enable me to sit for further rounds, clearing which will get me placed, get a good job, enjoy my life, and tell my grandsons about that one time when their grandpa used his intellect to change his life.


Well, not so fast! While finding the parameters I needed to change, I realized one thing: VMware didn’t allow the level of modification the change required. So yeah, I could change MAC addresses, but the same is not really true of the internal driver IDs or some other constants!

And that was when I hit the wall for the first time. Unsure of how to proceed further, I was truly baffled! And that is when I had this eureka moment, where I started looking for other virtual machine software manufacturers available on the market. Maybe there could be some other new software for running Windows in a VM, and it is totally possible for it to have escaped the attention of the community/developers building a safe exam browser.

You see, I was thinking the right thing, and for many software/detectors this approach can work, but in this case it wouldn’t, because even after searching everywhere, I only found 4-5 pieces of software capable of Windows emulation, and all of them already had their respective entries for detection in the script. Oh yes, I hit the wall for the second time!


And let me tell you the timeline of when all of this was happening! I started at around 10 pm at night, when my assessment was scheduled in one of the computer labs in the morning at 9 am, so I had something around 11 hours. The first 5 were spent on research and setting up VMware. So it was at around 3:00 at night, I started getting sleepy and my mind was starting to go into slumber, but then a realization hit me: why not create your own virtual machine emulation software that perhaps bypasses all the detection mechanisms used by safe-exam-browser(s)?

And my answer to that was: Oh hell yeah, why not!

My Personalized VM Software

Before you start hitting me with bricks and complaining in the comments, “I cannot believe you can create a whole software like VMware in one night”: yeah, you are totally right, I really cannot (let me join in too). But what I can do is tweak just bits and pieces to bypass the VM detection. Sounds right, no?

Well yeah, but to do that with VMware? The one that charges its customers for a licence and has fully closed source code? Well, definitely not!

To tackle this problem, I used Oracle VM VirtualBox; they have fully open-source code with all the documentation to compile it from scratch, hell ya! So what next? I quickly downloaded the code, set up the environment to compile it by installing the required dependencies, and finally compiled and ran the VM, created a Windows 10 virtual machine from the downloaded ISO, and ya! It was booting up!! YAY. I again tried to install the secure browser and see if I could use it, and as I expected, it was still giving the same error:

Virtual Machine Detected Error!

Well, frankly speaking, I would have loved it if it had worked right here and I didn’t have to delve into the code and change the required constants, but okay, this is reality, effort is needed.

So I searched for those constants from earlier:

        // VirtualBox
        "vbox", "vid_80ee",

and quickly changed those values manually (because a simple search-replace might have broken the software). There were more such checks; in particular, there were these 3 major ways safe-exam-browsers were detecting Oracle VirtualBox:

  • Any device or driver that has vbox or vid_80ee in its information (can be name, manufacturer, etc.)
  • If there is virtualbox in the BIOS/model data
  • If the MAC IDs of network drivers start with 080027 (prefix)

Please note, this is what the open-source Safe Exam Browser used at the time of writing this blog (14th November 2023); I cannot guarantee that these would still be the same by the time you are reading this! (In fact, I believe they will add more methods to make it difficult to bypass their system.)
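The three VirtualBox checks listed above, written as a per-signal evaluator that records which indicator fired, so a log shows why a host was flagged rather than only that it was. This is an added example, not code from Safe Exam Browser or from this post; `VmSignals`, `Evaluate`, the empty allowlist and the sample inventory are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

static class VmSignals
{
    // VirtualBox markers quoted in the post. The allowlist is a placeholder:
    // the post references DeviceWhitelist but does not show its contents.
    static readonly string[] DeviceBlacklist = { "vbox", "vid_80ee" };
    static readonly string[] DeviceAllowlist = { };
    const string VirtualBoxMacPrefix = "080027";

    // Returns one entry per indicator that matched, instead of a single boolean.
    public static List<string> Evaluate(string bios, string model,
        IEnumerable<string> macs, IEnumerable<string> deviceIds)
    {
        var hits = new List<string>();
        bool Has(string value, string marker) =>
            value != null && value.IndexOf(marker, StringComparison.OrdinalIgnoreCase) >= 0;

        if (Has(bios, "virtualbox")) hits.Add($"bios: {bios}");
        if (Has(model, "virtualbox")) hits.Add($"model: {model}");

        foreach (var mac in macs)
        {
            // Normalise "08:00:27:..", "08-00-27-.." and "080027.." to bare hex first.
            var hex = new string(mac.Where(Uri.IsHexDigit).ToArray());
            if (hex.StartsWith(VirtualBoxMacPrefix, StringComparison.OrdinalIgnoreCase))
                hits.Add($"mac: {mac}");
        }

        foreach (var id in deviceIds)
        {
            var marker = DeviceBlacklist.FirstOrDefault(m => Has(id, m));
            if (marker != null && !DeviceAllowlist.Any(a => Has(id, a)))
                hits.Add($"device: {id} (matched \"{marker}\")");
        }
        return hits;
    }

    static void Main()
    {
        // Constructed inventory for illustration, not captured from a real machine.
        var hits = Evaluate(
            bios: "innotek GmbH VirtualBox",
            model: "VirtualBox",
            macs: new[] { "08-00-27-AB-CD-EF", "3C:52:82:00:11:22" },
            deviceIds: new[] { @"USB\VID_80EE&PID_0021", @"SCSI\DISK&VEN_VBOX&PROD_HARDDISK", @"PCI\VEN_8086&DEV_1237" });
        foreach (var hit in hits) Console.WriteLine(hit);
    }
}
```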

It took me another 2-3 hours to make and test all those changes. As a matter of fact, I now had this virtual machine of my own model (HSKBOX).

you might ask, who/what is HSK? (self-plug incoming)

Hi, I am Harishankar Kumar; people abbreviate my name as HSK. I am a tech-nerd and I love programming/coding/exploiting and creating innovative things. Well, there’s a lot more to my introduction, but let’s avoid it here! One of the reasons I was a bit confident about editing the source code of VirtualBox and compiling my own variant was that I have worked on something similar in the past, where I used to work on virtual machines (albeit it was a lot simpler). You can read the article with my whole experience and journey here

Getting back to the topic, after I got this lovely virtual machine compiled, and made all the required changes, I simply ran the software again… and, now, after a lot of hard work, it finally showed to me:

VIRTUAL MACHINE DETECTED

My heart sank. It was around 7 am in the morning, and I had been up all night trying to figure out stuff. It was around this time that I started getting serious sleep attacks, my mind literally failing to process what had just happened. In this moment of sadness, I realized one fatal mistake I had made… I patched my virtual machine keeping in mind how safe-exam-browser identifies a VM, but what I was using was secure-exam-browser (which was closed-source, i.e. didn’t have any source code publicly available).

It was at this time that I realized that all my hard work and staying up the whole night was a waste. In fact, now I had this evaluation in an hour, and I was totally confident that I’d fail miserably because of my sleep attacks and the aptitude being asked (I am very bad at it). Realizing my back was up against the wall, I took a great heroic step, which I bet many of you might second-guess:

I….. went to sleep


Sacrifices

Well, there is nothing of a sacrifice here, not what you’d expect it to be! But in simple terms, after staying up all night preparing this exploit, finally seeing it not work, and realizing that I had failed miserably, wasted my time, and was now sure to have a bad performance in the assessment (due to sleepiness at that time), I just said:

Fuck it, I am sleeping now

And what does sleeping at that time mean? Obviously, if I were to sleep when the exam was starting in just an hour, it’s almost giving up! Because, I don’t know if it happens to you too, but staying up three more hours continuously after an all-nighter is a lot simpler than pulling an all-nighter, taking a small nap and waking up!

So that’s what I did, I took some rest, time to process what happened, and went to bed! Some 5-6 hours later when I woke up (with the assessment successfully missed), I started looking into the code again (because my adamant self was not accepting defeat, just yet)

Starting Again

So this time, with new passion and vigor (err, I mean good sleep), I started looking again. One thing was for sure: I could not rely on the source code as a reference! Luckily I also realized that these safe-exam browsers are created using .NET (C#). How? Because they had lots of .dll files (and I have also created applications for Windows desktop using C#, so I can identify it), and with that I also remembered one key thing: the code files created from C# can be easily viewed!

So I quickly took all the files from the Secure-exam-browser directory, ran them through a disassembler, searched for files that verified virtual machines, and VOILA! I found it!

Analyzing source code to detect if running under Virtual Machine!

I quickly copied the code, and this time, to be extra-extra sure, I even installed tools to run standalone C# code. I quickly tested by adding debug statements and running this code to see where it was detecting the virtual machine:

Manual testing of code to see where it has detected virtual machine

And what was happening was that, for the most part, my changes were good (in fact, the secure browser used almost the same testing mechanism as the safe browser), but there were some drivers which were perhaps being installed at runtime, which I was not able to identify from the source code! Anyway, once I knew the source of the problem, I quickly ran a script that removed that unnecessarily problematic driver and once again ran the test:

Removing the problematic device/driver that was detected
Running script again to see if it is detecting anything!

At this point, I was pretty hopeful that it would work, with twisted fingers and praying to god, I opened the assessment link again.. and now..:

IT WORKED… YAY

Successfully opening test under secure-exam-browser, Success!

With this, all my hard work has not gone to waste. Even though I missed the assessment, there is still a story I can tell to my grandkids, and a blog I can write! With a smug face of doing the impossible (just kidding)!

The End

Thank you for reading this article. I hope it was a great read and very informative; I apologize for any writing mistakes or grammatical errors! Please do share the blog and comment with your honest feedback here, it really keeps me motivated! You can also follow this site itself, where I publish my personal blogs/articles! With that being said, see you next time!
