code integrity / signing policy toggle

#1  bfosterjr (OP), Senior Member  |  1st September 2014, 01:21 PM
All,

First, let me say that this is not a jailbreak tool for RT 8.1! All clear? Good.

I've written a simple little driver and exe tool to patch the g_CiOptions and SeILSigningPolicy variables in ci and ntos. The obvious kicker is that you need the driver loaded for this to work -- but once loaded you can effectively use this to turn the signing on/off at will (e.g. useful to avoid -- not disable -- PatchGuard).

I've tested this on my Surface RT as well as Windows 8 without issue.

You can find the code and binaries on github ( https://github.com/bfosterjr/ci_mod ). There isn't a whole lot of documentation (nearly zero), but you'll find batch files, windbg scripts, and various other bits which should help you figure out how it works (or you can just read the code).

Now, before you all flame me about how useless this is without a jailbreak or kernel execution for RT 8.1, let me say this: I've spent the last few days catching up on a lot of threads (over a year's worth) in this forum, and there is enough information (if you look hard enough, open your mind, and tilt your head) in the threads to successfully start your own driver on 8.1 RT.

Cheers!
Last edited by bfosterjr; 1st September 2014 at 01:34 PM.

#2  LolitaPlus, Member  |  1st September 2014, 10:08 PM
Any hint please?

#3  Myriachan, Senior Member  |  1st September 2014, 10:48 PM
Note that I would not recommend leaving this hack enabled on 8.1 once whatever programs are loaded. This will set off PatchGuard and the system will bluescreen. Enable it, run whatever, then disable it. Most programs, once fully started, should be OK to leave running with the hack disabled. Only loading unsigned DLLs from that point on would mess up.

8.0, do whatever; doesn't matter.

Melissa

#4  bfosterjr (OP), Senior Member  |  2nd September 2014, 11:13 AM
Quote:
Originally Posted by Myriachan

Note that I would not recommend leaving this hack enabled on 8.1 once whatever programs are loaded. This will set off PatchGuard and the system will bluescreen. Enable it, run whatever, then disable it. Most programs, once fully started, should be OK to leave running with the hack disabled. Only loading unsigned DLLs from that point on would mess up.

8.0, do whatever; doesn't matter.

Melissa

Quite right - which is why the ci_mod program I wrote will run indefinitely, waiting for user input to toggle the kernel patching on or off. So: (1) load the driver, which will immediately toggle patching ON; (2) start ci_mod.exe and toggle patching back OFF; (3) leave ci_mod.exe running. Doing so, you can always re-toggle patching on (then off again) so you can run your unsigned app with minimal likelihood of PatchGuard being a problem.

Hopefully that makes sense.

Obviously, if anyone wants to make changes to the driver or program -- perhaps to alter it to suit initial driver execution conditions -- they're welcome to -- the code is GPL.

Cheers!
#5  bfosterjr (OP), Senior Member  |  2nd September 2014, 11:16 AM
Quote:
Originally Posted by LolitaPlus

Any hint please?

Sorry no. There are serious reasons why I can't explain further. So please don't ask.

But trust me.. the bits you need are there... you just need to stitch them together.
#6  filfat, Member (Mellerud)  |  3rd September 2014, 07:03 AM
Quote:
Originally Posted by bfosterjr

Sorry no. There are serious reasons why I can't explain further. So please don't ask.

But trust me.. the bits you need are there... you just need to stitch them together.

Hi, I'm kinda new to this whole hacking scene, especially the x86/x64-bit one (I've been working on ARM for a little while), and I was wondering what knowledge is necessary to be able to glue everything together? Which glue I need to use, so to say.

Thanks.
#7  bfosterjr (OP), Senior Member  |  3rd September 2014, 11:43 AM
Quote:
Originally Posted by filfat

Hi, I'm kinda new to this whole hacking scene, especially the x86/x64-bit one (I've been working on ARM for a little while), and I was wondering what knowledge is necessary to be able to glue everything together? Which glue I need to use, so to say.

Thanks.

Years of Windows internals/development/debugging makes for good glue. That and the general desire (and patience) to want to mess with software....

#8  BIade, Senior Member (Cologne)  |  3rd September 2014, 01:27 PM
Quote:
Originally Posted by bfosterjr

...

You can find the code and binaries on github ( https://github.com/bfosterjr/ci_mod ). ...

Hey mate, this looks very nice and far more user(noob)-friendly. Thank you so much for sharing.

Cheers
Blade

P.S.:
1) Is your deleted sign.bat a kind of launcher which does: toggle -> start app -> toggle?
2) Is it possible to share the compiled version? [Don't want to bother you] (Just formatted my dev PC and set it up to compile Android 4.4.4 for my Desire Z. I know I need a new PC with a bigger HDD.)
#9  bfosterjr (OP), Senior Member  |  3rd September 2014, 02:36 PM
Quote:
Originally Posted by BIade

Hey mate, this looks very nice and far more user(noob)-friendly. Thank you so much for sharing.

Cheers
Blade

P.S.:
1) Is your deleted sign.bat a kind of launcher which does: toggle -> start app -> toggle?
2) Is it possible to share the compiled version? [Don't want to bother you] (Just formatted my dev PC and set it up to compile Android 4.4.4 for my Desire Z. I know I need a new PC with a bigger HDD.)

Hey Blade!

1) Nope. That was a batch file to test-sign the driver; it's not required. The toggling of the patching is done by the user through cimod.exe (runs in a continuous user-input loop).
2) binaries for all supported platforms are there already -- https://github.com/bfosterjr/ci_mod/tree/master/bin

Cheers!

#10  Recognized Developer (Seattle)  |  3rd September 2014, 10:13 PM
It would be really cool to hook the CreateProcess and LoadLibrary calls such that, if the target binary is unsigned and the caller isn't in an appcontainer, the policy is (automatically) flipped juuuust long enough for the call to succeed, and then (automatically) flipped back. That means minimal risk of a BSOD and maximum user-friendliness.

I proposed this approach months ago on the JB discussion thread, but never got around to writing it. Now bfosterjr has written the driver part (probably by far the hardest part) in a few days! We missed you...
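The "flip the policy only for as long as the load needs it" idea from post #10, together with the enable/run/disable discipline from posts #3 and #4, as an added example that is not code from the ci_mod repository or from any poster. It is portable C that simulates the two policy variables as ordinary globals (sim_g_CiOptions, sim_SeILSigningPolicy); the real driver patches g_CiOptions in ci.dll and SeILSigningPolicy in ntoskrnl from kernel mode, and the "enforced"/"relaxed" constants, the function names (policy_window_open/close, load_image, load_with_window, load_with_deps) and the sample image names are all assumptions for illustration. The point it adds beyond the thread is reference counting: a hook that flips the policy on entry and back on exit breaks as soon as it is re-entered (an unsigned DLL whose loader pulls in another unsigned DLL), because the inner exit re-enables enforcement under the outer caller; a counted window restores the saved values only when the outermost window closes, and still restores before returning to the caller, which is what keeps the PatchGuard exposure short. It also refuses to open a window for a caller in an AppContainer, as post #10 proposes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values, not the real version-specific ones: the simulated variables
 * start "enforced" and are flipped to "relaxed" while a window is open. */
#define CI_OPTIONS_ENFORCED 0x06u
#define CI_OPTIONS_RELAXED  0x00u
#define IL_POLICY_ENFORCED  0x08u
#define IL_POLICY_RELAXED   0x00u

/* Stand-ins for g_CiOptions (ci.dll) and SeILSigningPolicy (ntoskrnl). */
static uint32_t sim_g_CiOptions       = CI_OPTIONS_ENFORCED;
static uint32_t sim_SeILSigningPolicy = IL_POLICY_ENFORCED;

/* Window bookkeeping: the original values are saved when the outermost window
 * opens and written back only when it closes, so a nested window cannot
 * re-enable enforcement under an outer caller that is still loading. */
static uint32_t saved_ci, saved_il;
static int      window_depth = 0;

bool policy_is_enforced(void) {
    return sim_g_CiOptions == CI_OPTIONS_ENFORCED &&
           sim_SeILSigningPolicy == IL_POLICY_ENFORCED;
}

/* Open a window; returns the nesting depth after opening. */
int policy_window_open(void) {
    if (window_depth == 0) {
        saved_ci = sim_g_CiOptions;
        saved_il = sim_SeILSigningPolicy;
        sim_g_CiOptions       = CI_OPTIONS_RELAXED;
        sim_SeILSigningPolicy = IL_POLICY_RELAXED;
    }
    return ++window_depth;
}

/* Close a window; returns the remaining depth, or -1 on an unbalanced close. */
int policy_window_close(void) {
    if (window_depth == 0)
        return -1;
    if (--window_depth == 0) {
        sim_g_CiOptions       = saved_ci;
        sim_SeILSigningPolicy = saved_il;
    }
    return window_depth;
}

typedef struct {
    const char *name;
    bool        is_signed;   /* would pass code integrity as-is */
} image_t;

/* Simulated loader: mirrors the kernel refusing an unsigned image while CI is
 * enforced (a constructed analogue of the load failing the hash check). */
int load_image(const image_t *img) {
    if (!img->is_signed && policy_is_enforced())
        return -1;
    return 0;
}

/* Hook-style wrapper: relax only if the image needs it, never for a caller in
 * an AppContainer, and only for the duration of the load. */
int load_with_window(const image_t *img, bool caller_in_appcontainer) {
    if (img->is_signed)
        return load_image(img);
    if (caller_in_appcontainer)
        return -2;               /* sandboxed caller: no window, load denied */
    policy_window_open();
    int rc = load_image(img);
    policy_window_close();       /* restored before we return to the caller */
    return rc;
}

/* Nested case: an unsigned image whose load pulls in further dependencies,
 * each loaded through the same hook while the outer window is still open. */
int load_with_deps(const image_t *img, const image_t *deps, size_t ndeps,
                   bool caller_in_appcontainer) {
    bool need_window = !img->is_signed;
    if (need_window && caller_in_appcontainer)
        return -2;
    if (need_window)
        policy_window_open();
    int rc = 0;
    for (size_t i = 0; i < ndeps && rc == 0; i++)
        rc = load_with_window(&deps[i], caller_in_appcontainer);  /* inner window */
    if (rc == 0)
        rc = load_image(img);
    if (need_window)
        policy_window_close();
    return rc;
}

int main(void) {
    /* Constructed sample images, not real binaries. */
    const image_t signed_dll   = { "signed.dll",   true  };
    const image_t unsigned_dll = { "unsigned.dll", false };
    const image_t deps[2]      = { signed_dll, unsigned_dll };

    printf("bare unsigned load: %d (enforced=%d)\n",
           load_image(&unsigned_dll), policy_is_enforced());
    printf("windowed unsigned load: %d (enforced after=%d)\n",
           load_with_window(&unsigned_dll, false), policy_is_enforced());
    printf("nested load with unsigned dep: %d (enforced after=%d)\n",
           load_with_deps(&unsigned_dll, deps, 2, false), policy_is_enforced());
    printf("appcontainer caller: %d\n", load_with_window(&unsigned_dll, true));
    return 0;
}
```

In the real driver the two writes in policy_window_open/close would be the kernel-mode patches of the actual variables, and window_depth would need a lock or interlocked update because loads from several threads can overlap; the simulation leaves that out to keep the counting logic visible.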
