October 9, 2011 at 12:00 PM
Computer administrators use software restriction policies to prevent users from installing and/or running unwanted programs, such as video games, on company computers. Windows has quite a few methods for restricting programs, a full list of which can be found here: http://technet2.microsoft.com/windowsse...21033.mspx In this article, I will be discussing specifically how to bypass hash rules.
Hash rules work by adding either a MD5 or SHA-1 hash for an application an administrator wants to restrict to a blacklist. Whenever a user tries to run a program, its hash is checked against the list of blacklisted programs; if it matches, the program will be prevented from executing. Hash rules are useful because they will remain effective regardless if a user moves or renames the file. The problem is that they only apply to files that share the same hash as the file used to generate the original hash. So in order to sidestep a hash rule, one need only modify the restricted executable so that its hash no longer matches the one for the rule.
Alright, on to business. First, create a text file in the directory of the restricted file. Next open up a command prompt, and cd into the directory of the restricted file. Then run the following command,
copy /B restricted_exe.exe + text_file.txt new_exe.exe
The result will be a slightly larger executable with a different hash from the original. That's it you're done, it's that easy.