code integrity / signing policy toggle

bfosterjr · Sep 1, 2014

All,

First, let me say that this is not a jailbreak tool for RT 8.1! All clear? Good.

I've written a simple little driver and exe tool to patch the g_CiOptions and SeILSigningPolicy variables in ci and ntos. The obvious kicker is that you need the driver loaded for this to work -- but once loaded you can effectively use this to turn on/off the signing at will (eg: useful to avoid -- not disable -- patch guard).

I've tested this on my Surface RT as well as Windows 8 without issue.

You can find the code and binaries on github ( https://github.com/bfosterjr/ci_mod ). There isn't a whole lot of documentation (nearly zero), but you'll find batch files, windbg scripts, and various other bits which should help you figure out how it works (or you can just read the code).

Now, before you all flame me about how useless this is without a jailbreak or kernel execution for RT 8.1, let me say this: I've spent the last few days catching up on a lot of threads (over a years worth) in this form and there is enough information (if you look hard enough, open your mind, and tilt your head) in the threads to successfully start your own driver on 8.1 RT.

Cheers!

LolitaPlus · Sep 1, 2014

Any hint please?

Myriachan · Sep 1, 2014

Note that I would not recommend leaving this hack enabled on 8.1 once whatever programs are loaded. This will set off PatchGuard and the system will bluescreen. Enable it, run whatever, then disable it. Most programs should be OK once fully started to leave running with the hack disabled. Only loading unsigned DLLs from that point on would mess up.

8.0, do whatever; doesn't matter.

Melissa

bfosterjr · Sep 2, 2014

Myriachan said:
Note that I would not recommend leaving this hack enabled on 8.1 once whatever programs are loaded. This will set off PatchGuard and the system will bluescreen. Enable it, run whatever, then disable it. Most programs should be OK once fully started to leave running with the hack disabled. Only loading unsigned DLLs from that point on would mess up.

8.0, do whatever; doesn't matter.

Melissa

Quite right - which is why the ci_mod program I wrote will run indefinitely waiting for user input to toggle on, or off, the kernel patching. So.. (1) Load the driver which will immediately toggle patching ON... (2) start ci_mod.exe and toggle patching back OFF ... (3) leave ci_mod.exe running. Doing so you will always re-toggle patching on (then off again) so you can run your unsigned app with minimal likelihood of PatchGuard being a problem.

Hopefully that makes sense.

Obviously, if anyone wants to make changes to the driver or program -- perhaps to alter it to suit initial driver execution conditions -- they're welcome too -- the code is GPL.

Cheers!

bfosterjr · Sep 2, 2014

LolitaPlus said:
Any hint please?

Sorry no. There are serious reasons why I can't explain further. So please don't ask.

But trust me.. the bits you need are there... you just need to stitch them together.

filfat · Sep 3, 2014

bfosterjr said:
Sorry no. There are serious reasons why I can't explain further. So please don't ask.

But trust me.. the bits you need are there... you just need to stitch them together.

Hai, I'm kinda new to this whole hacking scene especially to the x86/x64 bit one (has been working on arm for a little while) and I was wondering what knowledge was necessary to be able to glue everything together? Which glue I need to use so to say

Thanks.

bfosterjr · Sep 3, 2014

filfat said:
Hai, I'm kinda new to this whole hacking scene especially to the x86/x64 bit one (has been working on arm for a little while) and I was wondering what knowledge was necessary to be able to glue everything together? Which glue I need to use so to say

Thanks.

Years of Windows internals/development/debugging makes for good glue. That and the general desire (and patience) to want to mess with software....

BIade · Sep 3, 2014

bfosterjr said:
...

You can find the code and binaries on github ( https://github.com/bfosterjr/ci_mod ). ...

Hey mate, this looks very nice and far more user(noob)-friendly. Thank you soo much for sharing. :good:

Cheers
Blade

P.S.:
1) Is your deleted sign.bat a kind of launcher which : toggle -> start app -> toggle ?

2) Is it possible to share the compiled version? [Don't want to bother you] (Just formated my dev-pc and set it up to compile Android 4.4.4 for my desire Z. I know i need a new pc with a bigger hdd) :crying:

bfosterjr · Sep 3, 2014

BIade said:
Hey mate, this looks very nice and far more user(noob)-friendly. Thank you soo much for sharing. :good:

Cheers
Blade

P.S.:
1) Is your deleted sign.bat a kind of launcher which : toggle -> start app -> toggle ?
2) Is it possible to share the compiled version? [Don't want to bother you] (Just formated my dev-pc and set it up to compile Android 4.4.4 for my desire Z. I know i need a new pc with a bigger hdd) :crying:

Hey Blade!

1) nope. that was a batch file to test sign the driver. its not required. the toggling of the patching is done by the user through cimod.exe (runs in a continuous user-input loop)
2) binaries for all supported platforms are there already -- https://github.com/bfosterjr/ci_mod/tree/master/bin

Cheers!

GoodDayToDie · Sep 3, 2014

It would be really cool to hook the CreateProcess and LoadLibrary calls such that, if the target binary is unsigned and the caller isn't in an appcontainer, the policy is (automatically) flipped juuuust long enough for the call to succeed, and then (automatically) flipped back. That means minimal risk of a BSOD and maximum user-friendliness.

I proposed this approach months ago on the JB discussion thread, but never got around to writing it. Now bfosterjr has written the driver part (probably by far the hardest part) in a few days! We missed you...

bfosterjr · Sep 3, 2014

GoodDayToDie said:
It would be really cool to hook the CreateProcess and LoadLibrary calls such that, if the target binary is unsigned and the caller isn't in an appcontainer, the policy is (automatically) flipped juuuust long enough for the call to succeed, and then (automatically) flipped back. That means minimal risk of a BSOD and maximum user-friendliness.

I proposed this approach months ago on the JB discussion thread, but never got around to writing it. Now bfosterjr has written the driver part (probably by far the hardest part) in a few days! We missed you...

Thanks man. Really wasn't all that difficult. The driver isn't quite as flexible (or perfect) as it could be. To accomplish what you're suggesting might take some effort because, IIRC, the normal process create callbacks don't get triggered until after process image verification. I'll have to double check that.

I might take a stab at updating the driver to make it more automated. Once I have a bough free time. Stay tuned

Cheers!

LolitaPlus · Sep 4, 2014

bfosterjr said:
Thanks man. Really wasn't all that difficult. The driver isn't quite as flexible (or perfect) as it could be. To accomplish what you're suggesting might take some effort because, IIRC, the normal process create callbacks don't get triggered until after process image verification. I'll have to double check that.

I might take a stab at updating the driver to make it more automated. Once I have a bough free time. Stay tuned

Cheers!

What GoodDayToDie suggested is not using PsSetCreateProcessNotifyRoutineEx but hooking Ring3 API. I can offer some help if you need ARM Ring3 inline hook. I already wrote a hook engine though it is more like a POC.

bfosterjr · Sep 4, 2014

LolitaPlus said:
What GoodDayToDie suggested is not using PsSetCreateProcessNotifyRoutineEx but hooking Ring3 API. I can offer some help if you need ARM Ring3 inline hook. I already wrote a hook engine though it is more like a POC.

Yeah, I got that.. but I'm just not a fan of hooking the be-jesus outta usermode to solve this problem. I don't' like hooking in general.. as it tends to just lead to more problems and complications. I'd rather try to find a more clever way to solve this problem with callbacks or some other OS supported mechanism.

Cheers!

GoodDayToDie · Oct 29, 2014

Yeah... another option would be hooking NtCreateProcess (ring 0) either in the actual entry point or at the syscall table, but I can't imagine you're *more* enthusiastic about hooking kernel-mode than user-mode, and messing with the syscall table could make PatchGuard angry too. With that said, the user-mode hook would be pretty easy, actually; once the tool is running, it uses the process instrumentation/shimming stuff in Windows (ImageFileExecutionOptions key?) to have every EXE load a (homebrew) DLL at startup. The DLL installs the requisite hooks (and probably then unloads itself). You'd need to inject that DLL into already-running processes, but that's not hard.

Windows automation isn't my strong point, but I know the x86 emulation layer is able to detect when somebody tries to run an x86 EXE and intercept the attempt *before* the process launch fails. Is this usable here (i.e. does whatever that listens on trigger before the signature check)? If not, a hook may be the only workable approach, hacky though it is.

xsoliman3 · Oct 29, 2014

bfosterjr said:
there is enough information (if you look hard enough, open your mind, and tilt your head) in the threads to successfully start your own driver on 8.1 RT.
Cheers!

Well I've been looking, and contributing, for a long time, but still cant quite crack it ...

wcomhelp · Nov 11, 2014

Can't quite understand

I have read through your source code. I don't quite understand the point though. Is this app and driver to allow unsigned exe to run? Is the batch file required? From what I can see all that is required is netham45's Jailbreak and this to run unsigned exe. I would like to share my finding's in an instruction post but thought I would ask your permission first. May I?

Thanks,

Wcomhelp

GoodDayToDie · Nov 11, 2014

The purpose of this is to make it "safer" to jailbreak 8.1, since if you change the code integrity flag in 8.1 and leave it changed for any length of time, the system will crash due to PatchGuard. This driver is so you can only change the code integrity settings when you need to load unsigned code, giving minimal time for PatchGuard to notice and minimizing the risk of a crash.

HOWEVER, you cannot load this driver unless you already have unsigned code execution through some other means. That other means has not yet been published; if you want to use this tool you will need to figure out how to install it yourself (or wait for a published hack).

Velda2222 · Nov 13, 2014

EDIT:
Wouldn't CVE-2014-4148 / CVE-2014-4113 (MS14-058) be sufficient to initially load this tool?

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4113
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4148
technet.microsoft.com/library/security/MS14-058

GoodDayToDie · Nov 13, 2014

Yeeeeesssssss... yes it probably would!

Of course, you'd need to avoid installing the patch for it - not really a "proper" jailbreak, in that sense - but yeah, that should work. All you need to do is toggle code signing off for a second to load the driver, and code execution in Win32k.sys should manage that.

Oh, win32k, how we love you... so many vulnerabilities in just one little kernel-mode component!

wcomhelp · Nov 20, 2014

GoodDayToDie said:
The purpose of this is to make it "safer" to jailbreak 8.1, since if you change the code integrity flag in 8.1 and leave it changed for any length of time, the system will crash due to PatchGuard. This driver is so you can only change the code integrity settings when you need to load unsigned code, giving minimal time for PatchGuard to notice and minimizing the risk of a crash.

HOWEVER, you cannot load this driver unless you already have unsigned code execution through some other means. That other means has not yet been published; if you want to use this tool you will need to figure out how to install it yourself (or wait for a published hack).

Does this work?
http://msdn.microsoft.com/en-us/library/ff547565.aspx

code integrity / signing policy toggle

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Inactive Recognized Developer

Senior Member

Senior Member

Senior Member

Inactive Recognized Developer

Senior Member

Senior Member

Inactive Recognized Developer

Member

Inactive Recognized Developer

Senior Member

Similar threads

Top Liked Posts