XDA Developers Android and Mobile Development Forum

[Q] Hacking Windows RT to Run Desktop Apps?

 
netham45
#191  
Recognized Developer
Thanks Meter 528
Posts: 859
Join Date: Jun 2009
Location: Denver
Quote:
Originally Posted by clrokr
I'm working on that. In the meantime, some good news. I managed to run my own desktop program, unsigned and everything. We have to compile the release version because the Surface doesn't come with debug runtime libs for C++.

One thing though: we need to attach to csrss.exe because the exploit depends on it. I don't think this is possible locally because stopping csrss effectively stops the computer (well, the whole Windows subsystem) and we can't send the network packages to continue.
Sign on as a different user to spawn another instance of CSRSS, then attach it from the first user?
Don't PM me for help, post on the forums. I won't respond to basic questions.

I wrote and maintain the jailbreak scripts for Windows RT.

Tablet: Microsoft Surface RT 32GB, Type Keyboard
Phone: Samsung Galaxy Note III

Helpful Windows RT Links:
Windows RT Jailbreak Tool
List of ported apps
Disabling Windows Update
 
clrokr
#192  
Member
Thanks Meter 53
Posts: 69
Join Date: Aug 2009
Have at it!
Circumventing Windows RT's Code Integrity Mechanism
The Following 6 Users Say Thank You to clrokr For This Useful Post
 
netham45
#193  
Recognized Developer
Thanks Meter 528
Posts: 859
Join Date: Jun 2009
Location: Denver
Quote:
Originally Posted by clrokr
Excellent. Any chance you could post the app you're using to get the kernel's base address? Would be very appreciated.
 
clrokr
#194  
Member
Thanks Meter 53
Posts: 69
Join Date: Aug 2009
Quote:
Originally Posted by netham45
Excellent. Any chance you could post the app you're using to get the kernel's base address? Would be very appreciated.
Sorry, no. I don't trust MSFT's compiler, it may include some licensing info in the binaries. But it's really easy, you call NtQuerySystemInformation with information class 11 and make the output buffer really big (like 0x20000). The structure is easily recognizable when viewing the memory.
 
netham45
(Last edited by netham45; 6th January 2013 at 07:39 AM.)
#195  
Recognized Developer
Thanks Meter 528
Posts: 859
Join Date: Jun 2009
Location: Denver
Quote:
Originally Posted by clrokr
Sorry, no. I don't trust MSFT's compiler, it may include some licensing info in the binaries. But it's really easy, you call NtQuerySystemInformation with information class 11 and make the output buffer really big (like 0x20000). The structure is easily recognizable when viewing the memory.
Code:
#include <Windows.h>
#include <winternl.h>   // NTSTATUS
#include <cstdio>
#include <cstring>
#include <cstdlib>

#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif
#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#endif

// One entry of the SystemModuleInformation (class 11) result on 32-bit
// builds; Name holds the full path, NameOffset the index of the file name.
typedef struct _SYSTEM_MODULE {
  ULONG                Reserved1;
  ULONG                Reserved2;
  PVOID                ImageBaseAddress;
  ULONG                ImageSize;
  ULONG                Flags;
  WORD                 Id;
  WORD                 Rank;
  WORD                 w018;
  WORD                 NameOffset;
  BYTE                 Name[256];
} SYSTEM_MODULE, *PSYSTEM_MODULE;

typedef struct _SYSTEM_MODULE_INFORMATION {
  ULONG                ModulesCount;
  SYSTEM_MODULE        Modules[1];   // ModulesCount entries follow
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

typedef NTSTATUS (NTAPI *_NtQuerySystemInformation) (
ULONG SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength OPTIONAL
);

static const ULONG kSystemModuleInformation = 11;

// Returns the image base of ntoskrnl.exe, or NULL if the query fails or the
// kernel is not found in the module list.
PVOID GetKernelBase()
{
	_NtQuerySystemInformation pNtQuerySystemInformation;
	PSYSTEM_MODULE_INFORMATION pModuleInfo = NULL;
	ULONG i, len = 0;
	NTSTATUS status;
	PVOID base = NULL;
	HMODULE ntdllHandle;

	ntdllHandle = GetModuleHandleW(L"ntdll.dll");
	if (!ntdllHandle)
		return NULL;
	pNtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(ntdllHandle, "NtQuerySystemInformation");
	if (!pNtQuerySystemInformation)
		return NULL;

	// The first call only reports the required size. Loop, because a driver
	// can load between the size query and the real query, in which case the
	// second call fails with STATUS_INFO_LENGTH_MISMATCH and a larger len.
	status = pNtQuerySystemInformation(kSystemModuleInformation, NULL, 0, &len);
	while (status == STATUS_INFO_LENGTH_MISMATCH && len != 0) {
		if (pModuleInfo)
			GlobalFree(pModuleInfo);
		pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len);
		if (!pModuleInfo)
			return NULL;
		status = pNtQuerySystemInformation(kSystemModuleInformation, pModuleInfo, len, &len);
	}

	if (NT_SUCCESS(status) && pModuleInfo) {
		for (i = 0; i < pModuleInfo->ModulesCount; i++) {
			pModuleInfo->Modules[i].Name[255] = 0;   // force termination before strcmp
			if (strcmp((const char*)pModuleInfo->Modules[i].Name, "\\SystemRoot\\system32\\ntoskrnl.exe") == 0) {
				base = pModuleInfo->Modules[i].ImageBaseAddress;
				break;
			}
		}
	}
	if (pModuleInfo)
		GlobalFree(pModuleInfo);
	return base;
}

int main()
{
	PVOID base = GetKernelBase();
	if (base)
		printf("[*] ntoskrnl.exe image base: %p\n", base);
	else
		printf("[!] ntoskrnl.exe not found in the module list\n");
	system("pause");
	return 0;
}
If anyone else needs it.

Edit: Just getting a BSoD with this. Here's what I'm doing:
1) Get kernel base w/ app higher in post
2) Put base in the my_addr field in the source
3) armasm -o exploit.o exploit.asm
4) Taking the code starting at 0x64 (push r5) and putting it in Winsrv.dll!0x10800
5) Placing a breakpoint right after 'bl NtUserSetInformationThread (75475134h)' (Note that there are two calls to NtUserSetInformationThread, I've tried putting the break right after both)
6) Placing a breakpoint at mov r0,r0 at Winsrv.dll!0x10800
7) Resuming CSRSS
8) Hitting vol down
9) Moving PC to Winsrv.dll!0x10800
10) Resume, at this point I BSoD.

I've checked, and it BSoDs on the 'svc 1' line, citing csrss dying.

Here are the registers going into svc 1:
Code:
R0   = FFFFFFFE   R1   = 00000009   R2   = 0117FCA0   R3   = 0000000C
R4   = 00000013   R5   = 0117FCA4   R6   = 00000000   R7   = 00080000
R8   = 8381E000   R9   = 755D1118   R10  = 755D7A50   R11  = 0117FCF8
R12  = 000010E1   SP   = 0117FC38   LR   = 755C3645   PC   = 755D0822
CPSR = 00000030
The Following User Says Thank You to netham45 For This Useful Post
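The class-11 buffer that clrokr describes above ("the structure is easily recognizable when viewing the memory") and that netham45's program walks can also be parsed without any Windows headers, which is handy for checking the layout against a saved memory dump or for a test harness. The following is an added example, not code from this thread or from any of the posters: it hard-codes the 32-bit entry layout (284 bytes per module, image base at offset 8, file-name offset at 26, 256-byte path at 28), builds a constructed two-entry buffer with made-up base addresses, and looks a module up by its file name through OffsetToFileName instead of comparing the whole path, so it generalises to kernels installed under other paths or file names. The helper names (find_module, build_sample, sample_base_of, sample_truncated_rejected) and the sample addresses are my own, not anything Windows defines.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Byte layout of one SystemModuleInformation (class 11) entry on a 32-bit
 * Windows build (RTL_PROCESS_MODULE_INFORMATION): 284 bytes per entry,
 * preceded in the buffer by a 4-byte module count. */
#define MOD_ENTRY_SIZE      284u
#define MOD_OFF_IMAGE_BASE    8u   /* PVOID  ImageBase          */
#define MOD_OFF_IMAGE_SIZE   12u   /* ULONG  ImageSize          */
#define MOD_OFF_NAME_OFFSET  26u   /* USHORT OffsetToFileName   */
#define MOD_OFF_PATH         28u   /* UCHAR  FullPathName[256]  */
#define MOD_PATH_LEN        256u

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Look a module up by file name (the part after OffsetToFileName).
 * Returns 0 and fills *base/*size on success, -1 if absent or if the
 * buffer is too short for the number of entries the count claims. */
int find_module(const uint8_t *buf, size_t buf_len, const char *name,
                uint32_t *base, uint32_t *size)
{
    if (buf_len < 4)
        return -1;
    uint32_t count = rd32(buf);
    /* The count comes from whoever produced the buffer; never let it walk
     * past the bytes we actually hold. */
    if (count > (buf_len - 4) / MOD_ENTRY_SIZE)
        return -1;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = buf + 4 + (size_t)i * MOD_ENTRY_SIZE;
        const char *path = (const char *)(e + MOD_OFF_PATH);
        const char *nul = memchr(path, '\0', MOD_PATH_LEN);
        uint16_t off = rd16(e + MOD_OFF_NAME_OFFSET);
        /* Path must be NUL-terminated inside its 256 bytes and the name
         * offset must point at or before that terminator. */
        if (nul == NULL || off > (size_t)(nul - path))
            continue;
        if (strcmp(path + off, name) == 0) {
            *base = rd32(e + MOD_OFF_IMAGE_BASE);
            *size = rd32(e + MOD_OFF_IMAGE_SIZE);
            return 0;
        }
    }
    return -1;
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void put16(uint8_t *p, uint16_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
}

static void add_entry(uint8_t *e, uint32_t base, uint32_t size, const char *path)
{
    const char *slash = strrchr(path, '\\');
    memset(e, 0, MOD_ENTRY_SIZE);
    put32(e + MOD_OFF_IMAGE_BASE, base);
    put32(e + MOD_OFF_IMAGE_SIZE, size);
    put16(e + MOD_OFF_NAME_OFFSET, (uint16_t)(slash ? (slash - path) + 1 : 0));
    strncpy((char *)(e + MOD_OFF_PATH), path, MOD_PATH_LEN - 1);
}

/* Constructed sample buffer: two entries with made-up addresses (not real
 * Surface RT values). Returns bytes written, or 0 if cap is too small. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    size_t need = 4 + 2 * MOD_ENTRY_SIZE;
    if (cap < need)
        return 0;
    put32(buf, 2);
    add_entry(buf + 4, 0x80E00000u, 0x001A0000u,
              "\\SystemRoot\\system32\\ntoskrnl.exe");
    add_entry(buf + 4 + MOD_ENTRY_SIZE, 0x80C00000u, 0x00020000u,
              "\\SystemRoot\\system32\\hal.dll");
    return need;
}

/* Image base of `name` in the constructed sample, or 0 when not found. */
uint32_t sample_base_of(const char *name)
{
    uint8_t buf[4 + 2 * MOD_ENTRY_SIZE];
    size_t n = build_sample(buf, sizeof buf);
    uint32_t base = 0, size = 0;
    return find_module(buf, n, name, &base, &size) == 0 ? base : 0;
}

/* 1 if a buffer whose count claims two entries, but which we only hold
 * 200 bytes of, is rejected instead of being read past its end. */
int sample_truncated_rejected(void)
{
    uint8_t buf[4 + 2 * MOD_ENTRY_SIZE];
    uint32_t base, size;
    build_sample(buf, sizeof buf);
    return find_module(buf, 200, "ntoskrnl.exe", &base, &size) == -1;
}

int main(void)
{
    printf("ntoskrnl.exe base in sample: 0x%08x\n", sample_base_of("ntoskrnl.exe"));
    printf("truncated buffer rejected: %d\n", sample_truncated_rejected());
    return 0;
}
```

The length check against the count matters with the two-call pattern used in this thread (one call for the size, a second for the data): if a driver loads in between, the second call reports a larger size than the buffer that was allocated, and a parser that trusts the count field alone walks off the end of its allocation.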
 
peterdn
#196  
Member
Thanks Meter 11
Posts: 35
Join Date: Sep 2010
Location: Oxford
Looking great guys!

Quote:
Originally Posted by netham45
1) Get kernel base w/ app higher in post
2) Put base in the my_addr field in the source
FYI, I believe that my_addr should actually contain the address of the word we want to modify, i.e. in this case nt+0x19ffa4.

Otherwise I ran through those steps exactly and I'm getting the 0x18 REFERENCE_BY_POINTER bugcheck as described at the end of clrokr's blog post.

For every dump I have, address nt+0x19ffa4 contains the value 0x00080101. Does that look like what you guys have?
 
clrokr
(Last edited by clrokr; 6th January 2013 at 02:08 PM.)
#197  
Member
Thanks Meter 53
Posts: 69
Join Date: Aug 2009
@netham45:
You need to add 0x18 to the address you supply in your step 2), because ObfDereferenceObject subtracts 0x18 from it, so it changes the wrong address in your case. I updated the article accordingly.
@peterdn:
0x00080101 looks right and is the reason we can do this without a bluescreen.
The Following 2 Users Say Thank You to clrokr For This Useful Post
 
peterdn
(Last edited by peterdn; 6th January 2013 at 03:09 PM.)
#198  
Member
Thanks Meter 11
Posts: 35
Join Date: Sep 2010
Location: Oxford
Quote:
Originally Posted by clrokr
@netham45:
You need to add 0x18 to the address you supply in your step 2), because ObfDereferenceObject subtracts 0x18 from it, so it changes the wrong address in your case. I updated the article accordingly.
Oops, I forgot to add the 0x18 as well.

Will have another go in a few minutes.

EDIT: works beautifully
 
peterdn
#199  
Member
Thanks Meter 11
Posts: 35
Join Date: Sep 2010
Location: Oxford
Utterly fantastic. Managed to compile PuTTY with not much trouble and it runs perfectly!

The Following 3 Users Say Thank You to peterdn For This Useful Post
 
netham45
(Last edited by netham45; 6th January 2013 at 04:46 PM.)
#200  
Recognized Developer
Thanks Meter 528
Posts: 859
Join Date: Jun 2009
Location: Denver
I just tried a simple pure .NET program (Form with a label on it) and the same .exe works on both my desktop and my tablet. I can't believe MS locked this out.

Edit: Oddly enough, running from a metro app has debug dlls, while running from desktop doesn't.
