[Q] Hacking Windows RT to Run Desktop Apps?


peterdn

Member
Sep 19, 2010
36
11
Oxford
Awesome! Try out more open source stuff, I know I will.

Now, who wants to port Chromium? :D

I seem to be missing a number of libs required for things like putty and the such, any clues on where they are?

The list of libs I needed (to make manually, as they aren't included in any SDKs) were:

comctl32.lib
imm32.lib
winmm.lib
gdi32.lib
advapi32.lib
ole32.lib
shell32.lib
comdlg32.lib
winspool.lib (from winspool.drv)

I'd be happy to send my *.libs and *.defs if that's allowed, would save you some time.
 
  • Like
Reactions: netham45 and clrokr

netham45

Inactive Recognized Developer
Jun 24, 2009
886
569
Denver
Now, who wants to port Chromium? :D
I'd be happy to send my *.libs and *.defs if that's allowed, would save you some time.
That'd be very appreciated. I already sent you a PM about that a few minutes ago, heh.

Already working on getting Synergy going, too.

Edit: Holy crap, tons of stupid version number checks, freaks out if it can't find VS2010. :|

More edit: TightVNC seems to only be requiring a few missing .libs to build. I've got to go for a few hours, but when I get back I'll see if I can come up with a script to generate .libs for all the .dll's that x86/x64 has .libs for. Then we can give that to people, and not worry about distributing potentially copyrighted .libs.

Even more edit: Benchmark in 7z (Compiled by Cotulla):
mjbqrl.png
 
Last edited:

peterdn

Member
Sep 19, 2010
36
11
Oxford
More edit: TightVNC seems to only be requiring a few missing .libs to build. I've got to go for a few hours, but when I get back I'll see if I can come up with a script to generate .libs for all the .dll's that x86/x64 has .libs for. Then we can give that to people, and not worry about distributing potentially copyrighted .libs.

I've whipped up a super simple C# app that generates a .lib from a .dll. It relies on dumpbin.exe and lib.exe being in %PATH%, so you just run it from the ARM cross tools command prompt. It works for all the .dlls I mentioned above, but I can't promise it'll work for everything -- it just does some very rough chopping to create the .def file.

Source & binary on Github: https://github.com/peterdn/dll2lib
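The .def-generation step that such a dll2lib tool performs, as an added example rather than peterdn's own source: it parses the export table of `dumpbin /exports` output (including the forwarded and ordinal-only rows that rough chopping trips over) and emits a module-definition file that `lib.exe /def:foo.def /machine:ARM /out:foo.lib` can consume. The sample dumpbin text is constructed, not a real winmm.dll dump, and the `ordN` naming for unnamed exports is this example's choice.

```python
# Turn `dumpbin /exports foo.dll` output into the .def that `lib.exe /def:foo.def
# /machine:ARM /out:foo.lib` needs to build an import library (the dll2lib step).
import re
from typing import List, NamedTuple, Optional

class Export(NamedTuple):
    ordinal: int
    name: Optional[str]          # None for [NONAME] (ordinal-only) exports
    forwarded_to: Optional[str]  # "MODULE.symbol" when the DLL forwards the export

# One table row: ordinal, optional hint, optional RVA (absent for forwarded exports),
# the name, and an optional "(forwarded to MODULE.symbol)" suffix.
_ROW = re.compile(r"^\s*(?P<ordinal>\d+)(?:\s+[0-9A-Fa-f]+)?(?:\s+[0-9A-Fa-f]{8})?"
                  r"\s+(?P<name>\S+)(?:\s+\(forwarded to (?P<fwd>[^)]+)\))?\s*$")

def parse_exports(dumpbin_text: str) -> List[Export]:
    """Return the rows between dumpbin's 'ordinal hint RVA name' header and 'Summary'."""
    exports: List[Export] = []
    in_table = False
    for line in dumpbin_text.splitlines():
        stripped = line.strip()
        if not in_table:
            in_table = re.match(r"ordinal\s+hint\s+RVA\s+name", stripped) is not None
            continue
        if not stripped:
            continue
        if stripped.startswith("Summary"):
            break
        m = _ROW.match(line)
        if not m:
            raise ValueError(f"unrecognised export row: {line!r}")
        name = None if m.group("name") == "[NONAME]" else m.group("name")
        exports.append(Export(int(m.group("ordinal")), name, m.group("fwd")))
    if not in_table:
        raise ValueError("no export table found; is this dumpbin /exports output?")
    return exports

def build_def(library: str, exports: List[Export]) -> str:
    """Emit a module-definition file; ordinals are kept so the .lib matches the DLL."""
    lines = [f"LIBRARY {library}", "EXPORTS"]
    for e in exports:
        if e.name is None:
            # lib.exe needs a symbol name even for ordinal-only exports; "ordN" is this example's choice.
            lines.append(f"    ord{e.ordinal} @{e.ordinal} NONAME")
        else:
            # Forwarded exports are still imported by name from this DLL, so only the name is listed.
            lines.append(f"    {e.name} @{e.ordinal}")
    return "\n".join(lines) + "\n"

# Constructed sample in dumpbin's layout (not a real winmm.dll dump).
SAMPLE_DUMPBIN = """\
    ordinal hint RVA      name
          2    0 00001F40 CloseDriver
          3    1 00003330 DefDriverProc
          4    2          winmmDbgOut (forwarded to NTDLL.DbgPrint)
          5    3 000040A0 waveOutWrite
          6      00004B10 [NONAME]
  Summary
"""
```

Feed it the saved output of `dumpbin /exports winmm.dll` and write the returned string to winmm.def before running lib.exe from the ARM cross tools prompt.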
 

vincepg13

Senior Member
Jul 23, 2011
961
135
Great work guys looks like lots of progress. Hopefully this becomes possible for us with less knowledge of the subject. I just wanna run Utorrent :p

Sent from my HTC One X using xda premium
 

mamaich

Retired Recognized Developer
Apr 29, 2004
1,150
228
mamaich-eng.blogspot.ru
That's not exactly legal, nor can it be given to aspiring developers on XDA.

Yes. But this topic is also completely illegal as decompilation, reverse engineering and modifying Windows executables is explicitly prohibited in its EULA :)

Anyway, a really good job has already been done by clrokr. Unfortunately the value is hardcoded in ntoskrnl.exe, and is reset to zero only when the kernel debugger is initialized - in the SepInitializeDebugOptions function, in case SepIsUmciDisabled returns true ("\MACHINE\System\CurrentControlSet\Control\CI\UMCIDisabled" is set).
But there are some more checks, instead of that unnamed variable, that allow loading of unsigned files. I'll download and look at the x86 Win8 checked build, as its files usually contain more information. Unfortunately we can't get the checked ARM ntoskrnl...
 
Last edited:

mamaich

Retired Recognized Developer
Apr 29, 2004
1,150
228
mamaich-eng.blogspot.ru
Can someone check this idea?

First read this post: http://forums.mydigitallife.info/threads/39411-Windows-Product-Policy-Editor - it describes how you can edit the kernel policies (i.e. limitations in different OS editions). Check that the process works on RT - the provided .NET program obviously would not work, so you should do the same manually (look into the source code, and don't forget to disable all sppsvc tasks in the scheduler, or just set the "deny everything to everyone" NTFS right on sppsvc.exe).
I'd recommend playing with the "WorkstationService-DomainJoinEnabled" value; setting it to 1 would unlock the "join domain" button in the "change computer name" window, so you'll easily see the result.

When you get the process working (I'm sure that it would work on RT too) - then here is the idea.

Look into the PoInitSystem disassembly of the ARM ntoskrnl. It checks the Kernel-CsChecksDisabled policy (ZwQueryLicenseValue function), and if it is set to "1" - ignores the TESTSIGNING setting in the BCD. And the TESTSIGNING flag is ignored by the WinRT kernel, as you've already found, so this may be the reason for such behavior.
And even more, you can play with the "SecureStartupFeature-Enabled" policies, setting all of them to zero, but be careful as this may break BitLocker and make your device unbootable.

I still have not ordered the device to test, so I'm posting here the idea that I can't check myself yet.
If all my thoughts are right - you'll get a "testsign-unlocked" device. The process could be easily automated, so that any inexperienced user would be able to use it by running a simple VBS/CMD or PowerShell script. And if it would not work - I have tons of other ideas to check :)
 
Last edited:

WithinRafael

Senior Member
Mar 17, 2010
147
48
Bellevue, WA
www.withinwindows.com

tq959

Member
Jul 12, 2007
45
3
That'd be very appreciated. I already sent you a PM about that a few minutes ago, heh.

Already working on getting Synergy going, too.

Edit: Holy crap, tons of stupid version number checks, freaks out if it can't find VS2010. :|

More edit: TightVNC seems to only be requiring a few missing .libs to build. I've got to go for a few hours, but when I get back I'll see if I can come up with a script to generate .libs for all the .dll's that x86/x64 has .libs for. Then we can give that to people, and not worry about distributing potentially copyrighted .libs.

Even more edit: Benchmark in 7z (Compiled by Cotulla):
mjbqrl.png

Is there any guide to compiling desktop programs on the Surface RT?
 

mamaich

Retired Recognized Developer
Apr 29, 2004
1,150
228
mamaich-eng.blogspot.ru
Is there any guide to compiling desktop programs on the Surface RT?

You can't currently compile programs "on" RT as there are no native compilers, though GCC could be easily ported. You can compile programs "for" RT with Visual Studio 2012 running on your desktop, but you need to hack it a bit (described earlier in this topic) and provide it with some additional import libraries.

But first of all you need to hack the RT device to allow running unsigned or testsigned apps. clrokr found one method, but it is really inconvenient for users (as you need to work with a debugger on your desktop PC). I've posted another idea; let's wait for someone to check it.

And please edit your post and remove the unneeded screenshots from it.
 

WithinRafael

Senior Member
Mar 17, 2010
147
48
Bellevue, WA
www.withinwindows.com
Can someone check this idea?
And even more, you can play with the "SecureStartupFeature-Enabled" policies setting all of them to zero, but be careful as this may break the bitlocker and make your device unbootable.

BitLocker and Secure Startup aren't related; you can actually disable it and use the Surface without BitLocker. But you're right, it might render the device unbootable.
 

netham45

Inactive Recognized Developer
Jun 24, 2009
886
569
Denver
BitLocker has already done its thing far before the kernel is loaded, and even farther before those keys are accessed, I wouldn't worry about it.

I'm not sure what clrokr was using, but I used the remote debugger and the memory window in VS2012. I used a small vb program to use 'sendkeys' from a textbox to type into the memory window, since for some reason you can't paste to it.

For compiling, there are two issues: 1) Visual Studio tells you that desktop apps don't work on ARM, to fix this you need to go edit an XML value (It was mentioned at least twice in the thread), and 2) A large number of .libs are missing. You can either generate these yourself or use the (questionably legal) ones from the WDK.

I'll see if I can get a step-by-step guide typed up later, though I should advise that if you're the type of person who needs a step-by-step guide this hack may be a bit too complex for you in its present state.
 
Last edited:

lilstevie

Senior Recognized Developer
Apr 17, 2009
1,339
1,040
BitLocker has already done its thing far before the kernel is loaded, and even farther before those keys are accessed, I wouldn't worry about it.

I'm not sure what clrokr was using, but I used the remote debugger and the memory window in VS2012. I used a small vb program to use 'sendkeys' from a textbox to type into the memory window, since for some reason you can't paste to it.

For compiling, there are two issues: 1) Visual Studio tells you that desktop apps don't work on ARM, to fix this you need to go edit an XML value (It was mentioned at least twice in the thread), and 2) A large number of .libs are missing. You can either generate these yourself or use the (questionably legal) ones from the WDK.

I'll see if I can get a step-by-step guide typed up later, though I should advise that if you're the type of person who needs a step-by-step guide this hack may be a bit too complex for you in its present state.

Did you ever manage to get it working properly? I tried following your instructions but every time it leads to a BSOD.
 

samco08

Senior Member
Jan 24, 2009
159
7
?

Cool!
Do you think that Microsoft can patch your exploit?
Do you think we should stop Surface updates until you provide us a tool or something like that?
I don't know if you foresee doing that :confused:
@+
 

mamaich

Retired Recognized Developer
Apr 29, 2004
1,150
228
mamaich-eng.blogspot.ru
Bitlocker and Secure Startup aren't related; you can actually disable and use Surface without Bitlocker....

Yes, I mean that these strings are referenced in BitLocker modules, so the behavior may be unexpected.
By the way, as far as I see in the policies - it is allowed to boot WinRT from a VHD file located on the device (maybe on an SD card?). So you can try to restore your recovery image into a VHD, modify it, and then boot from it, without worrying that anything would be broken on the "real" partition (of course, provided you don't trash the BCD).

By the way, after further reading the disasm - Kernel-CsChecksDisabled would give you nothing. But playing with SecureStartupFeature-Enabled-* may be worth trying.
 

netham45

Inactive Recognized Developer
Jun 24, 2009
886
569
Denver
Cool!
Do you think that Microsoft can patch your exploit?
Do you think we should stop Surface updates until you provide us a tool or something like that?
I don't know if you foresee doing that :confused:
@+

They could, but since we can reinstall the OS from the recovery partition and there'll always be a copy of the unpatched recovery partition around we can revert any patches they throw out.

They could also ban MS accounts for doing this too, though I don't expect them to do that.
 

mamaich

Retired Recognized Developer
Apr 29, 2004
1,150
228
mamaich-eng.blogspot.ru
Hmm, seems that there is already a working and very easy method that allows running unsigned apps on RT:
http://younsi.blogspot.ru/2012/10/notepad-for-windows-8-rt.html
Just create UMCIAuditMode=1 in "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CI" and reboot.

Can someone confirm that it works? As far as I see - this really should work, as this sets g_CiOptions|=0x40 in ci.dll, which later sets g_CiDeveloperMode=6, which should allow unsigned apps in the dir specified in the "HKLM\System\CurrentControlSet\Control\CI\TRSData" "TestPath" key (see this post: http://xdaforums.com/showpost.php?p=33069395&postcount=10).

So all greetings for finding a working and easy "desktop-unlocking" method should go to Thomas Younsi.

Edited:
As far as I see - this effectively turns on the "CI Audit" mode, which does not block unsigned apps from running, but just logs them. So adding a path to "TestPath" should not be necessary.
And yes, this can be blocked by MS in later updates. But I really don't think that they would do that soon (or ever).
 
Last edited:
  • Like
Reactions: MLX

Top Liked Posts

  • 17
    This would be fantastic.

    Other than one bug I just tracked down I've got everything except getting the kernel base automated in a batch file + debugger.

    Edit: Here's what I've got so far. To use:

    1) Install the app in the top of THIS thread (Sorry, you'll have to compile it for now, I'm working on a clean app I can package, but it's not ready yet)
    2) Copy the 'getKernelBase.exe' from the ZIP attached to this post to the folder it installs to (%userprofile%\appxlayouts\<appname>)
    3) Run the app, click the button
    4) Click OK on the prompt, type 'getKernelBase' into the command prompt. If it doesn't do anything, snap the app to the side of your screen.
    5) Keep the 4 numbers it gives you
    6) Open 'runExploit.bat' as an administrator
    7) Put those 4 numbers in there, make sure you keep the spaces between them
    8) Press enter
    9) Press Volume Down
    10) Press enter again
    11) You should be jailbroken now.

    And a writeup for what I'm doing for my hack:
    It's mainly the same basic hack as clrokr, but I found a way that I could write process memory using cdb (but, I can't attach as a debugger, so I lose breakpoints)

    I change winsrv.dll+0x3644 to redirect to winsrv.dll+0x10800

    I inject this modified payload at winsrv.dll+0x10800:
    Code:
    	push {r5-r8}
    	mov r7, 0x80000
    	ldr r8, my_addr
    loc_loop_begin
    	movs r3, 0xC
    	add r2, sp, 0x68 ;0x58 org.
    	add r5, r2, 4
    	str r8, [r5]
    	movs r1, 9
    	mvn r0, 1
    	mov r12, 0x10E1
    	svc 1
    	subs r7, r7, 1
    	cmp r7, 0
    	bne loc_loop_begin
    	pop {r5-r8}
    	mov r7, r0
    endloop
    	cmp r7,#0
    	b endloop
    	b -0xD1E6
    my_addr dcd 0x<Kernel Base>
    	end

    That then gets called when you press vol down. It hangs at the loop at the end so it doesn't execute the exploit twice (which would crash the tablet)

    I then reset winsrv.dll+0x3644 back to default
    Once it's default, I zero out 'b endloop', allowing it to progress to the b -0xD1E6 and resume execution

    cdb -pvr <pid> attaches to <pid> in non-invasive mode, which grants the ability to see loaded modules and change ram but not debug (pause, resume, break, manage breakpoints, get debug events), since there's no debugger actually attaching. That's why it works on the ARM too.

    And that's it.


    Edit: I missed something, it's not working in the zip. I'll check it real fast.
    More edit: I see what I did, fix in a couple minutes.
    Even more edit: Should be fixed, the offset I had at the bottom of the payload was off by 0x6.
    Super edit: Nope, something is still up. It works perfectly if the debugger is attached to csrss, but if not it crashes. =/
    Super-duper edit: seems to work intermittently, I'm not 100% sure why it crashes some of the time, though.
    Mega Edit: One of the offsets I'm using changes randomly between a few different possibilities, I'll see if I can come up with some way to generate the code for it.
    9
    I just got the exploit running using only on-tablet programs, I should be able to bundle it into a nice little app where you just have to click one or two things.
    9
    Got Mouse Without Borders (MS-Made Synergy-ish app) working.
    Simple guide:
    Install it on desktop
    Copy the folder out of the program files to the tablet
    Open admin command prompt on tablet
    run sc create MouseWithoutBorders binpath="c:\Path\To\MouseWithoutBordersSvc.exe" (Fix the path)
    Open services.msc, start the service you just created
    It'll then prompt to set it up.
    7
    Pardon if I misunderstood, but why *not* decrement it oh, 0x7FFF0 times? That way, if it was 0x80101, it will now be 0x00110 (which is maybe not ideal, but depending on what those other bytes represent it might still work) and if it was 0x80000, it will now be 0x0000F (which again may be less than ideal, but won't be the fully zeroed-out value).

    Working on that exact thing right now. Should have a result momentarily.

    Edit: Seems to have worked, at least for the initial test. If all goes well, I should be able to get a 100% exploit rate.

    Edit 2: 3 for 4 so far, with the one that failed being because the offset was off.

    Edit 3: Still getting a crash. Going to try 0x7EFF0 instead of 0x7FFF0.

    Edit 4: Seem to at least be getting a higher success rate with this method.

    Edit 5: Hopefully not jumping the gun, but I seem to have gotten it except in the occasions where the offset is not what I've preprogrammed. I think I've got a means to fix it when the offset is wrong, but I haven't actually managed to get a debugger attached recently when it was wrong.

    Edits are fun: I've tried it 7 times now, all worked. I've never had that success rate with it before, I'm going to call this one fixed.

    More edit: It's odd, it only seems to give the SYSTEM_SERVICE_EXCEPTION when I don't have a debugger attached. Guess I get to go dig through a memory dump. Does it make sense that the debugger would be shifting everything down (0x....3646 -> 0x....3644) just by having a debugger on?

    Edit 8: I can say with 75% certainty that I've fixed the 0x18 bugcheck.

    Edit 9: I think the bug might be caused because the debuggers I'm using in the script don't have the PDB loaded for winsrv.dll, I'm going to give it the PDB and see what it does.

    Edit 10: I've found out that the crash happens reliably if the exploit is ran within a few seconds of the system booting, it seems to work best if you wait at least a minute after logging in before running it.

    Edit 11: Please see THIS THREAD for what I believe will be the final version of my jailbreaking tool.
    7
    Okay you guys, I found a way to change the required signing level. I'm trying to figure out how to automate this so everybody can profit. You basically use VS2012 to edit the last code page of a module that runs in CSRSS's process. Insert some hand-assembled ARM opcodes to trigger the (still not patched) exploit in NtUserSetInformationThread, set a breakpoint somewhere specific and hit it, then modify this instruction pointer PC to point to the hand assembled code. Boom.

    As you can see, this is not quite ready for the general public.

    I have built a proof of concept that loads ntoskrnl as an image resource and scans through the code segment to find the literal that points to the value we need to change. Using this offset and NtQuerySystemInformation it calculates the linear address of the byte that needs to be zeroed out and fixes the alignment.

    Note that using the hand assembled code we can easily trigger the exploit 524288 times which would be impractical otherwise.

    You can however set a trace point in VS2012 that displays a message and use the evaluation function to change memory just before NtUserSetInformationThread is called. For example, the last call to NtUserSetInformationThread in TerminalServerRequestThread is perfect for this. It hits every time you press a volume button. I got the signature level down from 8 (the address read 0x00080101) to 7 by pressing a volume button very often.

    So, stay prepared.