XDA Developers Android and Mobile Development Forum

code integrity / signing policy toggle

 
bfosterjr
#1 (Senior Member - OP)
(Last edited by bfosterjr; 1st September 2014 at 01:34 PM.)

All,

First, let me say that this is not a jailbreak tool for RT 8.1! All clear? Good.

I've written a simple little driver and exe tool to patch the g_CiOptions and SeILSigningPolicy variables in ci and ntos. The obvious kicker is that you need the driver loaded for this to work -- but once loaded you can effectively use this to turn the signing on/off at will (e.g. useful to avoid -- not disable -- PatchGuard).

I've tested this on my Surface RT as well as Windows 8 without issue.

You can find the code and binaries on github ( https://github.com/bfosterjr/ci_mod ). There isn't a whole lot of documentation (nearly zero), but you'll find batch files, windbg scripts, and various other bits which should help you figure out how it works (or you can just read the code).

Now, before you all flame me about how useless this is without a jailbreak or kernel execution for RT 8.1, let me say this: I've spent the last few days catching up on a lot of threads (over a year's worth) in this forum, and there is enough information (if you look hard enough, open your mind, and tilt your head) in the threads to successfully start your own driver on 8.1 RT.

Cheers!
 
LolitaPlus
#2 (Member)
Any hint please?
 
Myriachan
#3 (Senior Member)
Note that I would not recommend leaving this hack enabled on 8.1 once whatever programs are loaded. This will set off PatchGuard and the system will bluescreen. Enable it, run whatever, then disable it. Most programs should be OK once fully started to leave running with the hack disabled. Only loading unsigned DLLs from that point on would mess up.

8.0, do whatever; doesn't matter.

Melissa
 
bfosterjr
#4 (Senior Member - OP)
Quote (Originally Posted by Myriachan):
Note that I would not recommend leaving this hack enabled on 8.1 once whatever programs are loaded. This will set off PatchGuard and the system will bluescreen. Enable it, run whatever, then disable it. Most programs should be OK once fully started to leave running with the hack disabled. Only loading unsigned DLLs from that point on would mess up.

8.0, do whatever; doesn't matter.

Melissa
Quite right - which is why the ci_mod program I wrote will run indefinitely, waiting for user input to toggle the kernel patching on or off. So: (1) load the driver, which will immediately toggle patching ON; (2) start ci_mod.exe and toggle patching back OFF; (3) leave ci_mod.exe running. That way you can always re-toggle patching on (then off again) so you can run your unsigned app with minimal likelihood of PatchGuard being a problem.

Hopefully that makes sense.

Obviously, if anyone wants to make changes to the driver or program -- perhaps to alter it to suit initial driver execution conditions -- they're welcome to -- the code is GPL.

Cheers!
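A defender-side counterpart to the toggling described in the post above, added here as an example; this is not code from the thread or from the ci_mod project. While the toggle is ON, unsigned driver or DLL images can be loaded, so the thing an administrator wants to check afterwards is which loaded kernel drivers do not carry a valid Authenticode signature. The script assumes Windows PowerShell 3.0 or later (Get-CimInstance, Get-AuthenticodeSignature, Win32_SystemDriver); the function names Resolve-DriverPath and Get-UnsignedRunningDriver are my own.

```powershell
# Added example (not from the thread or the ci_mod project): enumerate running
# kernel drivers and report any whose on-disk image is not validly signed.
# Assumes Windows PowerShell 3.0+ and a session that can read the driver files.

function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    # Service image paths arrive in several NT-style forms; map them to Win32 paths.
    $p = $p -replace '^\\\?\?\\', ''                          # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"     # \SystemRoot\... -> C:\Windows\...
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\" # system32\drivers\x.sys
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-UnsignedRunningDriver {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if ($path -and (Test-Path -LiteralPath $path)) {
                # Status is Valid, NotSigned, HashMismatch, NotTrusted, ... per driver image.
                $sig = Get-AuthenticodeSignature -FilePath $path
                [pscustomobject]@{
                    Name   = $_.Name
                    Path   = $path
                    Status = $sig.Status
                    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                }
            } else {
                # A running driver whose image is no longer on disk is itself worth a look.
                [pscustomobject]@{ Name = $_.Name; Path = $_.PathName; Status = 'FileNotFound'; Signer = $null }
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

Get-UnsignedRunningDriver | Format-Table -AutoSize
```

One caveat for Windows 8-era PowerShell: Get-AuthenticodeSignature there does not consult security catalogs, so inbox drivers that are catalog-signed rather than embedded-signed will also show up as NotSigned. Compare the output against a baseline taken from a clean machine of the same build, or cross-check with driverquery /si, which does report catalog signatures, and treat any driver outside system32\drivers with a non-Valid status as the interesting case.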
 
bfosterjr
#5 (Senior Member - OP)
Quote (Originally Posted by LolitaPlus):
Any hint please?
Sorry no. There are serious reasons why I can't explain further. So please don't ask.

But trust me... the bits you need are there... you just need to stitch them together.
 
filfat
#6 (Member)
Quote (Originally Posted by bfosterjr):
Sorry no. There are serious reasons why I can't explain further. So please don't ask.

But trust me... the bits you need are there... you just need to stitch them together.
Hi, I'm kinda new to this whole hacking scene, especially the x86/x64 one (I've been working on ARM for a little while), and I was wondering what knowledge is necessary to be able to glue everything together? Which glue do I need to use, so to say.

Thanks.
 
bfosterjr
#7 (Senior Member - OP)
Quote (Originally Posted by filfat):
Hi, I'm kinda new to this whole hacking scene, especially the x86/x64 one (I've been working on ARM for a little while), and I was wondering what knowledge is necessary to be able to glue everything together? Which glue do I need to use, so to say.

Thanks.
Years of Windows internals/development/debugging makes for good glue. That and the general desire (and patience) to want to mess with software....
 
BIade
#8 (Senior Member)
Quote (Originally Posted by bfosterjr):
...

You can find the code and binaries on github ( https://github.com/bfosterjr/ci_mod ). ...
Hey mate, this looks very nice and far more user(noob)-friendly. Thank you so much for sharing.

Cheers
Blade

P.S.:
1) Is your deleted sign.bat a kind of launcher which does: toggle -> start app -> toggle?
2) Is it possible to share the compiled version? [Don't want to bother you] (Just formatted my dev PC and set it up to compile Android 4.4.4 for my Desire Z. I know I need a new PC with a bigger HDD.)
 
bfosterjr
#9 (Senior Member - OP)
Quote (Originally Posted by BIade):
Hey mate, this looks very nice and far more user(noob)-friendly. Thank you so much for sharing.

Cheers
Blade

P.S.:
1) Is your deleted sign.bat a kind of launcher which does: toggle -> start app -> toggle?
2) Is it possible to share the compiled version? [Don't want to bother you] (Just formatted my dev PC and set it up to compile Android 4.4.4 for my Desire Z. I know I need a new PC with a bigger HDD.)
Hey Blade!

1) Nope. That was a batch file to test-sign the driver; it's not required. The toggling of the patching is done by the user through cimod.exe (runs in a continuous user-input loop).
2) binaries for all supported platforms are there already -- https://github.com/bfosterjr/ci_mod/tree/master/bin

Cheers!
 
GoodDayToDie
#10 (Recognized Developer)
It would be really cool to hook the CreateProcess and LoadLibrary calls such that, if the target binary is unsigned and the caller isn't in an appcontainer, the policy is (automatically) flipped juuuust long enough for the call to succeed, and then (automatically) flipped back. That means minimal risk of a BSOD and maximum user-friendliness.

I proposed this approach months ago on the JB discussion thread, but never got around to writing it. Now bfosterjr has written the driver part (probably by far the hardest part) in a few days! We missed you...