XDA Developers Android and Mobile Development Forum

Running Homebrew Native Executables - Status: DONE!!

Heathcliff74
(Last edited by Heathcliff74; 12th November 2012 at 10:57 PM.)
#1
Recognized Developer - OP

[2012/06/03] IMPORTANT UPDATE HERE

Hi hackers,

This is meant as a little update on one of the projects I've been working on. I'm kinda stuck now. I have a suspicion of what the problem is. I thought that maybe if I write a post about it, I or someone else will have an idea on how to get this working.

The goal is to run native homebrew executables on WP7

This has not been done yet. All apps are Silverlight apps that are compiled as DLL and run by Taskhost.exe with least privileges. All other executables are signed by Microsoft. Executables that are compiled as ARM executable cannot be started.

The angle is to create a certificate that allows signing a WP7 executable. Then add that to the appropriate certificate store. Create an executable. Sign it with the private key. Load it onto a WP7 device. Copy it to the Windows folder. Use an OEM driver to launch the executable.

First I did research on the certificate stores. I can now with certainty state that there are 4 certificate stores:
- CA
- Root
- My
- Code Integrity

After a lot of research I finally got complete read/write access to all of these stores. The Code Integrity store contains all the certificates that are used by the Loader Verifier to verify the executable that is being launched. When the device is launched for the first time, the certificates that are in \Windows\ciroots.p7b are installed to that certificate store. These certificates have these properties:

Key Usage = 0x86 = Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing
Extended Key Usage = Code Signing (1.3.6.1.5.5.7.3.3) + Unknown key usage (1.3.6.1.4.1.311.10.3.14)

So I used OpenSSL to create such a certificate (with private key) for myself. And I installed the certificate in the Code Integrity store.

I then used VS2008 to create a completely barebone executable (ARMv4 Console app with only Sleep(-1) in the Main). I signed it with SignTool from Microsoft.

I loaded the executable to my device and I copied it to the \Windows folder (I think the policies restrict executing to only from that folder, but I'm not sure about that).

I use the Samsung driver to launch the executable, because I need at least Standard Rights to launch an executable. The Samsung driver has Elevated Rights. My own app has only Least Privileges. Using the Samsung driver does not return any success or fail codes. But looking at the Running Processes list, I don't see my Test.exe running. It should be, because the main thread is put to sleep infinitely.

So why is this not working?

Well, I have a guess. I think it's the policies that bind the certificates in the Code Integrity store to the different accounts/chambers. In the \Windows folder there are a lot of policy xml-files. On first boot, these are merged into PolicyCommit.xml and then compiled to policydb.vol. When the Loader Verifier (lvmod.dll) loads an executable, it queries the policies to determine access rights and chamber for that executable. The policies that matter in this context are defined in 8314B832-8D03-444f-9A2A-1EF6FADCC3B8.policy.xml. It's an xml-file that basically says this:

Code:
Microsoft Mobile Device Privileged PCA       - ced778d7bb4cb41d26c40328cc9c0397926b4eea - not used in this context
Microsoft Mobile Device TCB PCA              - 88bcaec267ef8b366c6e6215ac4028e7a1be2deb - honored by System Identity Group
Microsoft Mobile Device Unprivileged PCA     - 1c8229f5c8d6e256bdcb427cc5521ec2f8ff011a - honored by Standard Right Identity Group
Microsoft Mobile Device VSD PCA              - 91b318116f8897d2860733fdf757b93345373574 - not used in this context
VeriSign Mobile Root Authority for Microsoft - 069dbcca9590d1b5ed7c73de65795348e58d4ae3 - honored by LPC Identity Group

I should find a way to add a policy with my certificate in it. Any ideas?

Ciao,
Heathcliff74

www.wp7roottools.com

Developer of "WP7 Root Tools"
Pioneer of "Interop Unlock"
Pioneer in Native Code Development on WP7


Also look at some of my other work:
Collection of all official WP7 updates, language packs and OEM updates
Guide for deploying files to your WP7 device


If you have questions about unlocking, please read this before you start mailing me, because my mailboxes are full

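The decision the post describes has two parts: the signer's certificate must sit in the Code Integrity store with the right usages, and the policy table must bind that signer's thumbprint to an identity group (chamber). The Python below is an added example, not code from the thread or from WP7 Root Tools. It models the OP's hypothesis (not verified WP7 behaviour) that store membership is necessary but not sufficient, using the thumbprints and identity groups quoted in the post; the EKU bytes are constructed DER, and the homebrew thumbprint is a placeholder.

```python
"""Model of the trust decision described in the post: a signer must be in the
Code Integrity store with the expected usages AND be bound to an identity
group by the policy table. Added example; assumptions are marked below."""
from __future__ import annotations

# Key Usage bits as Windows shows them (bit 0 of the DER BIT STRING is the MSB),
# so 0x86 = Digital Signature + Certificate Signing + CRL Signing.
KEY_USAGE_BITS = {
    0x80: "Digital Signature",
    0x40: "Non-Repudiation",
    0x20: "Key Encipherment",
    0x10: "Data Encipherment",
    0x08: "Key Agreement",
    0x04: "Certificate Signing",
    0x02: "CRL Signing",
    0x01: "Encipher Only",
}

EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"

# Thumbprint -> identity group, as the post summarises the policy xml.
# None marks the entries the post says are not used in this context.
POLICY = {
    "ced778d7bb4cb41d26c40328cc9c0397926b4eea": None,                             # Privileged PCA
    "88bcaec267ef8b366c6e6215ac4028e7a1be2deb": "System Identity Group",          # TCB PCA
    "1c8229f5c8d6e256bdcb427cc5521ec2f8ff011a": "Standard Right Identity Group",  # Unprivileged PCA
    "91b318116f8897d2860733fdf757b93345373574": None,                             # VSD PCA
    "069dbcca9590d1b5ed7c73de65795348e58d4ae3": "LPC Identity Group",             # VeriSign Mobile Root
}

# Constructed DER for ExtKeyUsage = { codeSigning, 1.3.6.1.4.1.311.10.3.14 }.
EKU_DER = bytes.fromhex("3016" "06082b06010505070303" "060a2b0601040182370a030e")


def decode_key_usage(first_byte: int) -> list[str]:
    """Expand the first Key Usage byte into the names Windows prints."""
    return [name for bit, name in KEY_USAGE_BITS.items() if first_byte & bit]


def decode_oid(body: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(der: bytes) -> list[str]:
    """Parse a DER SEQUENCE OF OBJECT IDENTIFIER (short-form lengths only)."""
    if der[0] != 0x30 or der[1] >= 0x80 or len(der) != 2 + der[1]:
        raise ValueError("not a short-form DER SEQUENCE")
    oids, pos = [], 2
    while pos < len(der):
        tag, length = der[pos], der[pos + 1]
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(decode_oid(der[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return oids


def loader_verifier_decision(cert: dict) -> tuple[bool, str]:
    """Assumed decision order (the OP's hypothesis, not verified WP7 behaviour):
    store membership and usages first, then the policy binding picks the chamber."""
    if not cert["in_ci_store"]:
        return False, "signer is not in the Code Integrity store"
    if "Digital Signature" not in decode_key_usage(cert["key_usage"]):
        return False, "Key Usage lacks Digital Signature"
    if EKU_CODE_SIGNING not in parse_eku(cert["eku"]):
        return False, "Extended Key Usage lacks Code Signing"
    group = POLICY.get(cert["thumbprint"])
    if group is None:
        return False, "no policy binds this thumbprint to an identity group"
    return True, f"runs in {group}"


def unbound_signers(store: dict) -> list[str]:
    """Audit helper: names of store entries that no policy binds to a chamber."""
    return [name for name, c in store.items() if POLICY.get(c["thumbprint"]) is None]


# Constructed samples: the TCB thumbprint is from the post, the homebrew one is a placeholder.
SAMPLES = {
    "tcb_pca": {"thumbprint": "88bcaec267ef8b366c6e6215ac4028e7a1be2deb",
                "key_usage": 0x86, "eku": EKU_DER, "in_ci_store": True},
    "homebrew_self_signed": {"thumbprint": "0000000000000000000000000000000000000000",
                             "key_usage": 0x86, "eku": EKU_DER, "in_ci_store": True},
}

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(name, loader_verifier_decision(cert))
    print("unbound:", unbound_signers(SAMPLES))
```

The point worth keeping for anyone auditing a device image: a certificate's presence in a trust store says nothing on its own. What decides the chamber is the policy that binds the thumbprint, so a store audit should be paired with a review of the policy table, and `unbound_signers` is the kind of check that surfaces an entry that was added to the store without a matching policy.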
Flow WP7
#2
Junior Member
If you are able to re-sign an executable that is already in the ROM, I would try that, so you know the problem isn't within the native code, but only with the signing. Or maybe the other way round, which would be awesome.

regards
Heathcliff74
#3
Recognized Developer - OP
Quote:
Originally Posted by Flow WP7 View Post
If you are able to re-sign an executable that is already in the ROM, I would try that, so you know the problem isn't within the native code, but only with the signing. Or maybe the other way round, which would be awesome.

regards
That's a good idea. I must say that I don't have much faith in the current RecMod tools for WP7 right now. I am able to get the binaries recmodded so that I can disassemble them correctly. But I don't think they can be easily launched. But there are executables that are on the ROM as complete binaries, instead of ROM modules. To begin with, I have to select one that does not need many privileges to run and try to sign that one and then run it.

I'm really busy with work right now, so I think I won't be able to try it until the day after tomorrow. But I will try it and will let you know how that went.

Thanks!

fiinix
(Last edited by fiinix; 8th June 2011 at 09:53 PM.)
#4
Retired Recognized Developer
Decompiled taskhost.exe, so it gets easier for us to see if it's able to make taskhost start another exe for us. Lots of code though (C code).

taskhost.c (276 KB) in attachments.

edit: Oh, WOW, this really shows how to call those anonymous methods without a call signature: "Hello" (signature: "??z_Hello_?mze")

Hmm, pretty much about the pause part?
Code:
if ( v10 )
{
  a7 = sub_178E7(v10);
  if ( a7 >= 0 )
  {
    a7 = sub_180A5(v7, v7 + 64);
    if ( a7 >= 0 )
    {
      a7 = ThemeInitialize(v7 + 136);
      if ( a7 >= 0 )
      {
        v11 = sub_1862B(v13, v7);
        EnableHostAutoDehydration(v11 == 3);
        v16 = 0;
        a7 = InitializeEmClientEx(&a2, 0, &v16);
        if ( a7 >= 0 )
        {
          a7 = RegisterPausedHostCallback(sub_19D0D, 0);
          if ( a7 >= 0 )
          {
            a7 = RegisterResumingHostCallback(sub_19D31, 0);
            if ( a7 >= 0 )
            {
              if ( v11 != 3
                || (a7 = RegisterDehydrateHostCallback(sub_19D76, 0), a7 >= 0)
                && (a7 = RegisterFreezeHostCallback(sub_19D97, 0), a7 >= 0) )
              {
                a7 = RegisterExitHostCallback(sub_19D55, 0);
                if ( a7 >= 0 )
                  a7 = sub_17C0A(*(_DWORD *)(v7 + 128), 0);
              }
            }
          }
        }
      }
    }
  }
}

UIX framework entry-point (exe)
Code:
int __cdecl sub_11114(int a1, int a2, int a3)
{
  int v4; // [sp+0h] [bp-38h]@1
  char Dst; // [sp+4h] [bp-34h]@1
  int v6; // [sp+8h] [bp-30h]@1
  int v7; // [sp+Ch] [bp-2Ch]@1
  int v8; // [sp+18h] [bp-20h]@1
  int v9; // [sp+28h] [bp-10h]@1

  v4 = 0;
  memset(&Dst, 0, 0x34u);
  v8 = a3;
  v6 = (int)L"res://FlightModeUXDLL!FlightMode.uix";
  v7 = (int)L"FMMain";
  v9 = 2;
  RunApplication(&v4);
  return dword_12034;
}

C++ converted
Code:
// Layout reconstructed from the stack offsets in sub_11114 above; fields
// the decompile does not touch are left as UNK_ padding.
struct UIXApplicationInfo
{
  int      UNK_v4;          // [sp+0h]  = 0
  char     Dst[4];          // [sp+4h]  start of the 0x34-byte memset
  wchar_t* uixFile;         // [sp+8h]  = L"res://FlightModeUXDLL!FlightMode.uix"
  wchar_t* uixEntryPoint;   // [sp+Ch]  = L"FMMain"
  char     UNK_10h[8];      // [sp+10h] zeroed
  int      UNK_v8;          // [sp+18h] = a3
  char     UNK_1Ch[12];     // [sp+1Ch] zeroed
  int      UNK_v9;          // [sp+28h] = 2
  char     UNK_2Ch[12];     // [sp+2Ch] zeroed
};

UIXApplicationInfo app;
memset(&app, 0, sizeof(app));
app.uixFile       = L"res://FlightModeUXDLL!FlightMode.uix";
app.uixEntryPoint = L"FMMain";
app.UNK_v8        = a3;
app.UNK_v9        = 2;
RunApplication(&app);
Then just figure out the UIX part (or test the existing "res://FlightModeUXDLL!FlightMode.uix" if it launches, if so, we made it).

___
Found this in mango dump:
> Uninstall provxml
Code:
<!-- Uninstall Xbox LIVE Extras App  -->
<characteristic type="AppInstall">
      <nocharacteristic type="{0c17d153-b5d5-df11-a844-00237de2db9e}"/>
</characteristic>
Attached Files
File Type: zip taskhost.zip (44.0 KB, 218 views)
Samsung Omnia 7
- ATO MAGLDR v2
Windows Phone 7

The hottest geek girl in the world SassiBoB, SassyBoB, Sassy BoB, sassibob
May the Thanks's button be with me at all time Luke Skywalker
athompson
#5
Senior Member
Is there a reason you can't just use COM interop to run native code? Check out this thread for a discussion covering the technique: http://forum.xda-developers.com/showthread.php?t=820455
Heathcliff74
#6
Recognized Developer - OP
Quote:
Originally Posted by athompson View Post
Is there a reason you can't just use COM interop to run native code? Check out this thread for a discussion covering the technique: http://forum.xda-developers.com/showthread.php?t=820455
Hello "co-founder of native code on WP7"

I'm fully aware of the possibility of native code through COM. I use it, for example, in WP7 Root Tools. But I just wanted to take it a step further. Running native executables gives a lot more freedom: not being bound to the watchdog, getting higher privileges and running in the background, for instance. But there's a whole lot more. So that's why I started research on it. Thanks anyway. You helped make native code possible on WP7.

Ciao,
Heathcliff74

fiinix
#7
Retired Recognized Developer
The taskhost.exe is our RAM, because our app runs in it, giving us full RAM access inside our "virtual RAM". So that means we own all strings, ints, floats etc. Then rewrite the RAM to change strings in mscorlib. The checksum for whether an exe has been modified is only checked at startup, without checking if we modify the DLL at runtime.
My purpose with this is that some functions call external apps, where we rewrite the args going into the function. Just find an exploitable function and modify it after JIT has been there once before, generating the pre-RAM that we modify and call yet again, but with the modified RAM values behind.

Marshal.Copy, my friends, there.

[Security****ingSafeCritical]
(byte[] source, IntPtr destination, int length)
> Interopservices leaked dll (\windows)
destination = our ram ptr to modify.
Heathcliff74
(Last edited by Heathcliff74; 10th June 2011 at 08:55 AM.)
#8
Recognized Developer - OP
Quote:
Originally Posted by fiinix View Post
The taskhost.exe is our RAM, because our app runs in it, giving us full RAM access inside our "virtual RAM". So that means we own all strings, ints, floats etc. Then rewrite the RAM to change strings in mscorlib. The checksum for whether an exe has been modified is only checked at startup, without checking if we modify the DLL at runtime.

My purpose with this is that some functions call external apps, where we rewrite the args going into the function. Just find an exploitable function and modify it after JIT has been there once before, generating the pre-RAM that we modify and call yet again, but with the modified RAM values behind.

Marshal.Copy, my friends, there.

[Security****ingSafeCritical]
(byte[] source, IntPtr destination, int length)
> Interopservices leaked dll (\windows)
destination = our ram ptr to modify.
Hmmm. 10 points for inventiveness. But I don't think it's going to work. Even if you could find a function where the executable is passed as an argument, you still don't have enough privileges. Most code will have the path to the executable hardcoded instead of as an argument. And you will still run under TaskHost with Least Privileges. And you need to have at least Standard Privileges or higher to launch most executables with CreateProcess() or ShellExecuteEx().


fiinix
#9
Retired Recognized Developer
Quote:
Originally Posted by Heathcliff74 View Post
Hmmm. 10 points for inventiveness. But I don't think it's going to work. Even if you could find a function where the executable is passed as an argument, you still don't have enough privileges. Most code will have the path to the executable hardcoded instead of as an argument. And you will still run under TaskHost with Least Privileges. And you need to have at least Standard Privileges or higher to launch most executables with CreateProcess() or ShellExecuteEx().
"And you will still run under TaskHost with Least Privileges"
I know, I don't need standard rights to do it. Because I call a mscorlib function that is trusted code. I think you saw my idea wrong; let me show you.

// in mscorlib
[SecuritySafeCritical]
public static void example(string str)
{
    string mscorlibStr = "you cant change my value :P";
    Debug.WriteLine(mscorlibStr + str);
}

This is where we modify "mscorlibStr" in RAM, and the function is still trusted code. But it's doing something totally different from what it would do.
Heathcliff74
#10
Recognized Developer - OP
Quote:
Originally Posted by fiinix View Post
"And you will still run under TaskHost with Least Privileges"
I know, I don't need standard rights to do it. Because I call a mscorlib function that is trusted code. I think you saw my idea wrong; let me show you.

// in mscorlib
[SecuritySafeCritical]
public static void example(string str)
{
    string mscorlibStr = "you cant change my value :P";
    Debug.WriteLine(mscorlibStr + str);
}

This is where we modify "mscorlibStr" in RAM, and the function is still trusted code. But it's doing something totally different from what it would do.
I really hate to break it to you. But code marked [SecuritySafeCritical] is indeed trusted code, but it will still check your privileges. All the API functions that do system modifications like that do the security checks. Read the note under SecuritySafeCriticalAttribute here. Also read this; same problem. You are in process TaskHost.exe and it is launched in the LPC (Least Privilege Chamber), so every CeImpersonateToken() to do the important stuff will fail and return an error code. I also wouldn't know how you would modify the stack frame of a function that you call. Seems impossible to me, because at the moment you call the function, that stack frame has not been allocated yet.

Anyway, although I don't think that is going to work in any way, I absolutely don't want to discourage you, because my experience is that when you try enough, sooner or later you will find an exploit.

Ciao,
Heathcliff74
