Erik Heimdal

Digiexam


DigiExam is a digital examination tool designed to provide teachers and students with a secure testing environment. It operates by closing all non-essential programs upon the commencement of an exam. Additionally, it monitors for any suspicious activity, locking the exam and alerting the teacher if any is detected. Built with Electron, DigiExam is compatible across Linux, Mac, and Windows platforms. The methods described herein are tested on Windows and may have limited applicability to other operating systems.

Tools Used

Exploits

"External" Method

DigiExam attempts to shut down non-essential programs during an examination. However, newly launched programs can run for approximately 1 second before termination, and DigiExam does not lock down the exam upon detecting this. This presents two challenges:

  1. Executing a Custom Script with DigiExam Active: This can be achieved either by employing a service that initiates your script via the Windows Task Scheduler or by substituting utilman.exe with your script, which is then activated by pressing the shift key five times consecutively. The latter is preferred because the user controls when it fires.

  2. Interacting with DigiExam via the Script: This involves injecting characters using emulated keystrokes through the Windows API, simulating user input. The script can input around 20 characters per second, which makes it poorly suited to lengthy texts, since it requires frequent restarts through the shift key; it nevertheless serves as a viable proof of concept.

This method primarily facilitates copy/pasting functionality, offering limited utility unless the text is prepared in advance.

"Internal" Method

This approach requires modifying DigiExam's source code directly. By extracting the app.asar file located in C:\Users\[username]\AppData\Local\DigiExam\app-[version_number]\resources\, you gain access to the source code. Electron prioritizes loading files from an extracted \app folder over \app.asar, allowing for direct source code modifications without needing to reconvert to .asar. Although the JavaScript files were obfuscated, making direct edits challenging, it was still possible to inject new code.

One successful modification involved linking a keyboard shortcut to the visibility of a webview element displaying google.com, enabling website access during exams. However, attempting to start an online exam revealed a security measure where DigiExam verifies the integrity of its code through file signature comparisons, detecting modifications.

This verification occurs only at the exam's start, not when DigiExam is launched. Hence, it is possible to start a modified DigiExam build and, once it is running, have that modified build quickly swap the original script back in before the exam begins, so the check at exam start passes.