Question

We have a 3rd party native application (written in C I believe) which we want to run multiple instances of on a machine.

However, the application reads and writes from one particular registry key in order to find the location of a config file. It reads this location continuously during its running. The registry key is in HKLM. This means that if we try and run 2 different instances of the app with 2 different locations for the config file, the processes tread on each other's toes.

Is it possible to 'virtualise' the registry (or run each process in a sandbox) that the processes are using so that they can both think they are writing to a single location, but actually they are writing and reading from somewhere different and they won't step on each other's toes?

Solution

There are several options to virtualize a program:
https://en.wikipedia.org/wiki/Portable_application_creators

Creating your own virtualization software is much more complicated and would require an entire course on programming and hooking library calls using the Windows SDK.

However, as an easier option that doesn't require setting up and running additional software for each copy of the program, I suggest creating multiple copies of the program and hex editing each executable.

Make as many copies of the application as you need to run, then open the application file in a hex editor and search for the name of the registry key, i.e.:
HKLM\System\CurrentControlSet\Control\Session Manager

Then change the last byte to a digit for each different version (1 byte, 0-9), i.e.:
HKLM\System\CurrentControlSet\Control\Session Manage1
HKLM\System\CurrentControlSet\Control\Session Manage2
HKLM\System\CurrentControlSet\Control\Session Manage3

For more than 10 differences (2 bytes, 00-99) use the last two bytes:
HKLM\System\CurrentControlSet\Control\Session Manag01
HKLM\System\CurrentControlSet\Control\Session Manag02
HKLM\System\CurrentControlSet\Control\Session Manag03
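
Added example, not part of the answer above: the same-length edit it describes, scripted over a byte buffer instead of done by hand in a hex editor. The helper name `patch_key_suffix`, the sample image and the choice to search for the subkey without the `HKLM\` prefix in both ANSI and UTF-16LE form are assumptions made for this illustration.

```python
# Added example: same-length patch of a registry subkey string in a copy of a binary.
# Assumption: the binary stores the subkey without the "HKLM\" prefix, as ANSI or UTF-16LE.
SUBKEY = r"System\CurrentControlSet\Control\Session Manager"

# Constructed sample "image": header bytes plus one ANSI and one wide copy of the key.
SAMPLE_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + SUBKEY.encode("ascii") + b"\x00"
    + b"\xcc" * 8
    + SUBKEY.encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 4
)


def patch_key_suffix(image, subkey, instance, digits=1):
    """Replace the last `digits` characters of every occurrence of `subkey`
    with the zero-padded instance number. Returns (patched_bytes, hit_count)."""
    if not 0 <= instance < 10 ** digits:
        raise ValueError("instance number does not fit in %d digit(s)" % digits)
    if digits >= len(subkey):
        raise ValueError("suffix is longer than the key itself")
    new_key = subkey[:-digits] + str(instance).zfill(digits)
    out = bytearray(image)
    hits = 0
    for encoding in ("ascii", "utf-16-le"):
        old, new = subkey.encode(encoding), new_key.encode(encoding)
        pos = out.find(old)
        while pos != -1:
            out[pos:pos + len(old)] = new  # same length, so no offsets shift
            hits += 1
            pos = out.find(old, pos + len(new))
    if hits == 0:
        raise LookupError("key string not found; it may be built at run time")
    return bytes(out), hits


if __name__ == "__main__":
    for n in (1, 2, 3):
        patched, hits = patch_key_suffix(SAMPLE_IMAGE, SUBKEY, n)
        print(n, hits, len(patched) == len(SAMPLE_IMAGE))
```

A patched copy no longer matches the hash the original was signed over, so a signed executable will fail signature verification afterwards.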

OTHER TIPS

While the solution from Joshua will work for this particular application, it might not work for others (e.g. where the registry path is constructed in code or when the application is signed).

Therefore, I would suggest using DLL injection and intercepting calls to RegOpenKey(Ex), RegCreateKey(Ex), etc. That way, you can fiddle with the registry path before passing the call down to the real Windows Advapi32.dll.

Some great articles about API hooking:

API Hooking and DLL Injection on Windows

API Hooking with MS Detours

Yes, Sandboxie can run multiple instances of an app, each in its own "Sandbox" which it believes to be the entire universe. But you can also access the data directly through the normal ways if you need to.

So in other words, Sandboxie lets you see all the registry changes that were made in the app's operations, and you can roll them back if you like.

Yes, you can virtualize the application; this technology is called Application Virtualization. Try http://www.cameyo.com/. Cameyo is software used to build virtual applications.

A virtual application is a single EXE file that holds an entire application including files, DLLs and registry. Virtual apps are isolated from your system and can be copied & moved from one computer to another without installation.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow