[Q] Hacking Windows RT to Run Desktop Apps?

OP revxx14

5th January 2013, 10:38 PM   |  #191  
Quote:
Originally Posted by clrokr

I'm working on that. In the meantime, some good news. I managed to run my own desktop program, unsigned and everything. We have to compile the release version because the Surface doesn't come with debug runtime libs for C++.

One thing though: we need to attach to csrss.exe because the exploit depends on it. I don't think this is possible locally because stopping csrss effectively stops the computer (well, the whole Windows subsystem) and we can't send the network packages to continue.

Sign on as a different user to spawn another instance of CSRSS, then attach it from the first user?
6th January 2013, 03:17 AM   |  #192  
Have at it!
Circumventing Windows RT's Code Integrity Mechanism
The Following 6 Users Say Thank You to clrokr For This Useful Post:
6th January 2013, 03:38 AM   |  #193  
Quote:
Originally Posted by clrokr

Have at it!
Circumventing Windows RT's Code Integrity Mechanism

Excellent. Any chance you could post the app you're using to get the kernel's base address? Would be very appreciated.
6th January 2013, 03:43 AM   |  #194  
Quote:
Originally Posted by netham45

Excellent. Any chance you could post the app you're using to get the kernel's base address? Would be very appreciated.

Sorry, no. I don't trust MSFT's compiler, it may include some licensing info in the binaries. But it's really easy, you call NtQuerySystemInformation with information class 11 and make the output buffer really big (like 0x20000). The structure is easily recognizable when viewing the memory.
6th January 2013, 05:02 AM   |  #195  
Quote:
Originally Posted by clrokr

Sorry, no. I don't trust MSFT's compiler, it may include some licensing info in the binaries. But it's really easy, you call NtQuerySystemInformation with information class 11 and make the output buffer really big (like 0x20000). The structure is easily recognizable when viewing the memory.

Code:
#include <Windows.h>
#include <winternl.h>   // NTSTATUS, NTAPI
#include <cstdio>       // printf
#include <cstdlib>      // system
#include <cstring>      // strcmp

// Undocumented layout returned for SystemModuleInformation (class 11);
// field order matches RTL_PROCESS_MODULE_INFORMATION.
typedef struct _SYSTEM_MODULE {
  PVOID                Reserved1;        // Section handle
  PVOID                Reserved2;        // MappedBase
  PVOID                ImageBaseAddress;
  ULONG                ImageSize;
  ULONG                Flags;
  WORD                 Id;               // LoadOrderIndex
  WORD                 Rank;             // InitOrderIndex
  WORD                 w018;             // LoadCount
  WORD                 NameOffset;       // offset of the file name inside Name
  BYTE                 Name[256];
} SYSTEM_MODULE, *PSYSTEM_MODULE;

typedef struct _SYSTEM_MODULE_INFORMATION {
  ULONG                ModulesCount;
  SYSTEM_MODULE        Modules[1];       // variable length: ModulesCount entries
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

typedef NTSTATUS (NTAPI *_NtQuerySystemInformation) (
	ULONG SystemInformationClass,
	PVOID SystemInformation,
	ULONG SystemInformationLength,
	PULONG ReturnLength OPTIONAL
);

BOOL GetKernelBase()
{
	_NtQuerySystemInformation pNtQuerySystemInformation;
	PSYSTEM_MODULE_INFORMATION pModuleInfo;
	ULONG i, len = 0;
	NTSTATUS ret;
	HMODULE ntdllHandle;
	BOOL found = FALSE;

	ntdllHandle = GetModuleHandleW(L"ntdll");
	if (!ntdllHandle)
		return FALSE;
	pNtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(ntdllHandle, "NtQuerySystemInformation");
	if (!pNtQuerySystemInformation)
		return FALSE;

	// First call (class 11 = SystemModuleInformation) fails with
	// STATUS_INFO_LENGTH_MISMATCH but reports the required size in len.
	pNtQuerySystemInformation(11, NULL, 0, &len);
	if (!len)
		return FALSE;
	pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len);
	if (!pModuleInfo)
		return FALSE;
	ret = pNtQuerySystemInformation(11, pModuleInfo, len, &len);
	if (ret < 0)   // a negative NTSTATUS is a failure (NT_SUCCESS)
	{
		GlobalFree(pModuleInfo);
		return FALSE;
	}

	for (i = 0; i < pModuleInfo->ModulesCount; i++)
	{
		if (strcmp((const char*)pModuleInfo->Modules[i].Name, "\\SystemRoot\\system32\\ntoskrnl.exe") == 0)
		{
			printf("[*] Kernel base: %s at %p\n", (const char*)pModuleInfo->Modules[i].Name, pModuleInfo->Modules[i].ImageBaseAddress);
			found = TRUE;
		}
	}
	GlobalFree(pModuleInfo);
	return found;
}

int main()
{
	if (!GetKernelBase())
		printf("[-] ntoskrnl.exe not found in the module list\n");
	system("pause");
	return 0;
}
If anyone else needs it.

Edit: Just getting a BSoD with this. Here's what I'm doing:
1) Get kernel base w/ app higher in post
2) Put base in the my_addr field in the source
3) armasm -o exploit.o exploit.asm
4) Taking the code starting at 0x64 (push r5) and putting it in Winsrv.dll!0x10800
5) Placing a breakpoint right after 'bl NtUserSetInformationThread (75475134h)' (Note that there are two calls to NtUserSetInformationThread, I've tried putting the break right after both)
6) Placing a breakpoint at mov r0,r0 at Winsrv.dll!0x10800
7) Resuming CSRSS
8) Hitting vol down
9) Moving PC to Winsrv.dll!0x10800
10) Resume, at this point I BSoD.

I've checked, and it BSoD's on the 'svc 1' line, citing csrss dying.

Here are the registers going into svc 1:
Code:
R0   = FFFFFFFE   R1   = 00000009   R2   = 0117FCA0   R3   = 0000000C
R4   = 00000013   R5   = 0117FCA4   R6   = 00000000   R7   = 00080000
R8   = 8381E000   R9   = 755D1118   R10  = 755D7A50   R11  = 0117FCF8
R12  = 000010E1   SP   = 0117FC38   LR   = 755C3645   PC   = 755D0822
CPSR = 00000030
Last edited by netham45; 6th January 2013 at 08:39 AM.
The Following User Says Thank You to netham45 For This Useful Post:
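The class-11 buffer that clrokr describes in #194 and that netham45's program above walks is only "easily recognizable" once you know the entry layout, and the same walk is what a responder uses to inventory loaded kernel modules. The following is an added example, not code from netham45, clrokr or this thread: a portable parser for the raw SystemModuleInformation bytes (it assumes the RTL_PROCESS_MODULE_INFORMATION field order, a little-endian host, and either 4-byte pointers as on Windows RT or 8-byte pointers), a sample buffer with made-up module entries so it runs offline, and a triage check that flags any module not loaded from \SystemRoot\system32\ (a heuristic I am assuming as the normal case, not a rule from the thread). On Windows you would feed it the bytes returned by NtQuerySystemInformation(11), as in the program above, with ptr_size = sizeof(void*).

```cpp
// Added example, not the thread's code. Assumes the RTL_PROCESS_MODULE_INFORMATION
// layout (SystemModuleInformation, class 11) and a little-endian host.
#include <cctype>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

struct ParsedModule {
    uint64_t base;      // ImageBase as reported by the kernel
    uint32_t size;      // ImageSize
    std::string path;   // FullPathName, e.g. \SystemRoot\system32\ntoskrnl.exe
    std::string name;   // file name part, via OffsetToFileName
};

// Entry: Section, MappedBase, ImageBase (3 pointers); ImageSize, Flags (2 ULONG);
// LoadOrderIndex, InitOrderIndex, LoadCount, OffsetToFileName (4 USHORT); FullPathName[256].
static size_t entry_size_for(size_t ptr_size) { return 3 * ptr_size + 4 + 4 + 8 + 256; }

std::vector<ParsedModule> parse_module_info(const uint8_t* buf, size_t len, size_t ptr_size) {
    std::vector<ParsedModule> out;
    if ((ptr_size != 4 && ptr_size != 8) || buf == nullptr || len < ptr_size) return out;
    uint32_t count = 0;
    std::memcpy(&count, buf, 4);                        // ULONG NumberOfModules
    const size_t esz = entry_size_for(ptr_size);
    size_t off = ptr_size;                              // Modules[] is pointer-aligned after the count
    for (uint32_t i = 0; i < count; ++i, off += esz) {
        if (off + esz > len) break;                     // truncated buffer: stop, never over-read
        const uint8_t* e = buf + off;
        uint64_t base = 0; uint32_t size = 0; uint16_t name_off = 0;
        std::memcpy(&base, e + 2 * ptr_size, ptr_size);  // ImageBase
        std::memcpy(&size, e + 3 * ptr_size, 4);
        std::memcpy(&name_off, e + 3 * ptr_size + 14, 2);
        const char* p = reinterpret_cast<const char*>(e + 3 * ptr_size + 16);
        size_t plen = 0;
        while (plen < 256 && p[plen] != '\0') ++plen;   // bounded: field need not be NUL-terminated
        std::string full(p, plen);
        out.push_back({base, size, full, name_off < plen ? full.substr(name_off) : full});
    }
    return out;
}

std::vector<ParsedModule> parse_buffer(const std::vector<uint8_t>& buf, size_t ptr_size) {
    return parse_module_info(buf.data(), buf.size(), ptr_size);
}

// Triage heuristic (assumption): kernel modules normally load from \SystemRoot\system32\
// (drivers\ included); anything else deserves a second look.
std::vector<std::string> flag_unexpected_paths(const std::vector<ParsedModule>& mods) {
    const std::string expected = "\\systemroot\\system32\\";
    std::vector<std::string> flagged;
    for (const ParsedModule& m : mods) {
        std::string p = m.path;
        for (char& c : p) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
        if (p.compare(0, expected.size(), expected) != 0) flagged.push_back(m.path);
    }
    return flagged;
}

// Constructed sample (made-up addresses and names, not from a real device) to exercise the parser.
std::vector<uint8_t> build_sample_buffer(size_t ptr_size) {
    struct Sample { uint64_t base; uint32_t size; const char* path; };
    const Sample samples[] = {
        {0x80C00000ULL, 0x4E9000, "\\SystemRoot\\system32\\ntoskrnl.exe"},
        {0x810E9000ULL, 0x00A000, "\\SystemRoot\\system32\\drivers\\acpi.sys"},
        {0x8A200000ULL, 0x008000, "\\??\\C:\\Temp\\unsigned_test.sys"},
    };
    const size_t n = sizeof(samples) / sizeof(samples[0]);
    const size_t esz = entry_size_for(ptr_size);
    std::vector<uint8_t> buf(ptr_size + n * esz, 0);
    const uint32_t count = static_cast<uint32_t>(n);
    std::memcpy(&buf[0], &count, 4);
    for (size_t i = 0; i < n; ++i) {
        uint8_t* e = &buf[ptr_size + i * esz];
        std::memcpy(e + 2 * ptr_size, &samples[i].base, ptr_size);   // low bytes on little-endian
        std::memcpy(e + 3 * ptr_size, &samples[i].size, 4);
        const char* slash = std::strrchr(samples[i].path, '\\');
        const uint16_t name_off = static_cast<uint16_t>(slash ? slash - samples[i].path + 1 : 0);
        std::memcpy(e + 3 * ptr_size + 14, &name_off, 2);            // OffsetToFileName
        std::memcpy(e + 3 * ptr_size + 16, samples[i].path, std::strlen(samples[i].path));
    }
    return buf;
}

int main() {
    // Offline run on the constructed buffer; on Windows, pass the bytes returned by
    // NtQuerySystemInformation(11) instead, with ptr_size = sizeof(void*).
    std::vector<ParsedModule> mods = parse_buffer(build_sample_buffer(4), 4);
    for (const ParsedModule& m : mods)
        std::cout << std::hex << "0x" << m.base << " size 0x" << m.size << "  " << m.path << "\n";
    for (const std::string& p : flag_unexpected_paths(mods))
        std::cout << "[!] loaded from outside system32: " << p << "\n";
    return 0;
}
```

The parser reads every field with memcpy at computed offsets rather than casting the buffer to a struct, so the same code handles the 32-bit ARM layout (entry size 0x11C) and the 64-bit one (0x128) and stops cleanly on a short buffer. Note that newer Windows builds withhold kernel image addresses from low-privilege callers, so a live run may list names with zero bases; the path check still works in that case.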
6th January 2013, 01:17 PM   |  #196  
Looking great guys!

Quote:
Originally Posted by netham45

1) Get kernel base w/ app higher in post
2) Put base in the my_addr field in the source

FYI, I believe that my_addr should actually contain the address of the word we want to modify, i.e. in this case nt+0x19ffa4.

Otherwise I ran through those steps exactly and I'm getting the 0x18 REFERENCE_BY_POINTER bugcheck as described at the end of clrokr's blog post.

For every dump I have, address nt+0x19ffa4 contains the value 0x00080101. Does that look like what you guys have?
6th January 2013, 02:56 PM   |  #197  
@netham45:
You need to add 0x18 to the address you supply in your step 2), because ObfDereferenceObject subtracts 0x18 from it, so it changes the wrong address in your case. I updated the article accordingly.
@peterdn:
0x00080101 looks right and is the reason we can do this without a bluescreen.
Last edited by clrokr; 6th January 2013 at 03:08 PM.
The Following 2 Users Say Thank You to clrokr For This Useful Post:
6th January 2013, 03:30 PM   |  #198  
Quote:
Originally Posted by clrokr

@netham45:
You need to add 0x18 to the address you supply in your step 2), because ObfDereferenceObject subtracts 0x18 from it, so it changes the wrong address in your case. I updated the article accordingly.

Oops, I forgot to add the 0x18 as well.

Will have another go in a few minutes.

EDIT: works beautifully
Last edited by peterdn; 6th January 2013 at 04:09 PM.
6th January 2013, 05:20 PM   |  #199  
Utterly fantastic. Managed to compile PuTTY with not much trouble and it runs perfectly!

The Following 3 Users Say Thank You to peterdn For This Useful Post:
6th January 2013, 05:28 PM   |  #200  
I just tried a simple pure .net program (Form with a label on it) and the same .exe works on both my desktop and my tablet. I can't believe MS locked this out.

Edit: Oddly enough, running from a metro app has debug dlls, while running from desktop doesn't.
Last edited by netham45; 6th January 2013 at 05:46 PM.
