
[Release] RT Jailbreak Tool

By netham45, Inactive Recognized Developer on 10th January 2013, 01:01 PM
18th November 2013, 04:38 PM |#451  
Senior Member
Quote:
Originally Posted by Myriachan

My in-progress 8.1 jailbreak hack doesn't require the Windows Kits Policy to be installed, no. It bootstraps execution of unsigned native code using an exploit in PowerShell, then loads a kernel driver using a flaw in the code signing system.

The PowerShell exploit is, in effect, a sandbox escape. It does not require Administrator privilege, but all you get is native code execution at the same privilege as your user account.

The kernel driver loading bug requires Administrator privilege; it is not bypassing the requirement of your account needing Administrator privilege to ask the Service Control Manager to load a driver on your behalf. In Raymond Chen terms, it's "already on the other side of the airtight hatchway".

The hack is designed to be automatically started and permanent; once installed, it'll load at each boot, until you uninstall it. It won't load if Safe Mode is enabled, to aid with troubleshooting. When it loads, it will write to the Security audit log to indicate that it has jailbroken the system. Also, I plan on enabling the desktop watermark as if a prerelease build and changing the text to "Jailbroken" or similar.

Melissa

Great news!!! This will permit the Surface 2 to be the best ARM tablet produced until now! … Thanks for all your work
18th November 2013, 05:44 PM |#452  
Senior Member
Quote:
Originally Posted by jeky82

Great news!!! This will permit the Surface 2 to be the best ARM tablet produced until now! … Thanks for all your work

If the Nokia 2520 doesn't launch before it releases.
21st November 2013, 08:00 AM |#453  
Senior Member
Quote:
Originally Posted by hisoft

If the Nokia 2520 doesn't launch before it releases.

Nah, the Nokia can't even stand on its own, such a baby. Surface be like, let me help you, lean on me.
25th November 2013, 11:01 AM |#454  
coldbloc
Member
Prompt
@netham45, wondering if you or someone in-the-know could take a look at this and give me some quick and dirty info on how to use the cdb.exe tool from your Tool™

Looking for a simple (to a developer's ear) explanation of what this RT Jailbreak inject payload is doing and how to use the cdb.exe. To me it looks like it does on-the-fly hex edit of winsrv.dll and those 0x####'s are starting offsets. Just curious if I am right/wrong and if I could re-write this snippet / use cdb.exe to patch a different dll in a regular Windows Desktop. (thus avoiding frankenbuild) Basically I want to patch a single file at multiple offsets in memory every reboot and was hoping this cdb.exe is the ticket.

Is this just an unmodified cdb.exe from the DDK, or is it 'special' for RT Jailbreak or for debugging 'RT' in general?

Code:
rem Inject payload and hook
cdb -pvr -p %PID% -c "e winsrv.dll+0x3644 0d f0 dc b8;e winsrv.dll+0x10800 2D E9 FF 1F EB 46 84 B0 4F F4 00 53 03 93 4F F0 00 03 02 93 04 23 01 93 4F F4 80 53 00 93 03 AB 00 22 02 A9 4F F6 FF 70 CF F6 FF 70 4F F0 16 0C 01 DF 00 23 4F F4 00 52 02 99 0B 20 4F F0 34 0C 01 DF 02 99 C9 68 4E F6 F0 77 C0 F2 07 07 88 46 DF F8 64 90 C8 44 0C 23 1A AA 02 F1 04 05 C5 F8 00 80 09 21 6F F0 01 00 41 F2 E1 0C 01 DF 7F 1E 00 2F F0 D1 02 99 D1 F8 24 1B 40 F2 25 07 C0 F2 00 07 88 46 DF F8 34 90 C8 44 0C 23 1A AA 02 F1 04 05 C5 F8 00 80 09 21 6F F0 01 00 41 F2 E1 0C 01 DF 7F 1E 00 2F F0 D1 DD 46 BD E8 FF 1F 07 46 00 2F FD E7 F2 F7 CB BE %signinglevel% %ciOptions%;.detach;q" 1>nul 2>nul
http://msdn.microsoft.com/en-us/library/ff539058.aspx

What is the significance of the "e" in "e winsrv.dll"? Is it this?

Quote:

-e Event

Signals the debugger that the specified event has occurred. This option is only used when starting the debugger programmatically.

25th November 2013, 11:04 AM |#455  
OP Inactive Recognized Developer
Quote:
Originally Posted by coldbloc

Howdy netham45, wondering if you or someone in-the-know could take a look at this and give me some quick and dirty info on how to use the cdb.exe tool from your Tool™

Looking for a simple (to a developer's ear) explanation of what this RT Jailbreak inject payload is doing and how to use the cdb.exe. To me it looks like it does on-the-fly hex edit of winsrv.dll and those 0x####'s are starting offsets. Just curious if I am right/wrong and if I could re-write this snippet / use cdb.exe to patch a different dll in a regular Windows Desktop. (thus avoiding frankenbuild) Basically I want to patch a single file at multiple offsets in memory every reboot and was hoping this cdb.exe is the ticket.

Is this just an unmodified cdb.exe from the DDK, or is it 'special' for RT Jailbreak or for debugging 'RT' in general?

Code:
rem Inject payload and hook
cdb -pvr -p %PID% -c "e winsrv.dll+0x3644 0d f0 dc b8;e winsrv.dll+0x10800 2D E9 FF 1F EB 46 84 B0 4F F4 00 53 03 93 4F F0 00 03 02 93 04 23 01 93 4F F4 80 53 00 93 03 AB 00 22 02 A9 4F F6 FF 70 CF F6 FF 70 4F F0 16 0C 01 DF 00 23 4F F4 00 52 02 99 0B 20 4F F0 34 0C 01 DF 02 99 C9 68 4E F6 F0 77 C0 F2 07 07 88 46 DF F8 64 90 C8 44 0C 23 1A AA 02 F1 04 05 C5 F8 00 80 09 21 6F F0 01 00 41 F2 E1 0C 01 DF 7F 1E 00 2F F0 D1 02 99 D1 F8 24 1B 40 F2 25 07 C0 F2 00 07 88 46 DF F8 34 90 C8 44 0C 23 1A AA 02 F1 04 05 C5 F8 00 80 09 21 6F F0 01 00 41 F2 E1 0C 01 DF 7F 1E 00 2F F0 D1 DD 46 BD E8 FF 1F 07 46 00 2F FD E7 F2 F7 CB BE %signinglevel% %ciOptions%;.detach;q" 1>nul 2>nul
http://msdn.microsoft.com/en-us/library/ff539058.aspx

It's just the normal CDB from the DDK for 8.0. Do note that it only edits a .dll in memory within that one application's memory space (ex. only csrss instance specified by %PID% sees the changed winsrv.dll).

Everything else you stated is correct. To get the address of winsrv.dll I do need the .pdb for it, though, which MS so graciously gave out.

Edit: What was I smoking? You don't need a PDB to get the address of a module.
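As an added illustration (not code from the thread or from the RT Jailbreak tool), a small Python parser that reads a cdb command line of the shape quoted above and lists which module/offset ranges each `e` statement writes. It treats every hex token as one byte, which is how the thread uses the command (an assumption, since a bare `e` takes its width from the last e* command), and flags `%VAR%` placeholders whose bytes are only known when the batch file runs. The sample command is constructed here with the long byte list shortened; the point is to let a reviewer see, before running such a script, exactly what it changes in the target process's view of the DLL.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the cdb line quoted in the thread (byte list
# shortened); %PID%, %signinglevel% and %ciOptions% are batch-file variables.
SAMPLE_CMD = (
    'cdb -pvr -p %PID% -c "e winsrv.dll+0x3644 0d f0 dc b8;'
    'e winsrv.dll+0x10800 2D E9 FF 1F EB 46 %signinglevel% %ciOptions%;'
    '.detach;q" 1>nul 2>nul'
)

@dataclass
class Patch:
    module: str          # image whose in-process copy is written
    offset: int          # offset relative to the module base
    data: bytes          # literal bytes given on the command line
    unresolved: list = field(default_factory=list)  # %VAR% tokens

def parse_cdb_patches(cmdline):
    """Return the memory writes requested by the -c script of a cdb command line."""
    m = re.search(r'-c\s+"([^"]*)"', cmdline)
    if not m:
        raise ValueError('no -c "..." script in command line')
    patches = []
    for stmt in m.group(1).split(';'):
        parts = stmt.split()
        # Only the Enter Values command writes memory; .detach and q are control.
        if not parts or parts[0] != 'e':
            continue
        module, off = parts[1].split('+', 1)
        data, unresolved = bytearray(), []
        for tok in parts[2:]:
            if re.fullmatch(r'%\w+%', tok):
                unresolved.append(tok)       # value unknown until the batch runs
            else:
                data.append(int(tok, 16))    # assumption: one byte per token
        patches.append(Patch(module, int(off, 16), bytes(data), unresolved))
    return patches

def describe(patches):
    """One audit line per write, e.g. for logging what a script would change."""
    lines = []
    for p in patches:
        lo, hi = p.offset, p.offset + len(p.data)
        extra = f" + {len(p.unresolved)} placeholder(s)" if p.unresolved else ""
        lines.append(f"{p.module}+{lo:#x}..{hi:#x}: {len(p.data)} byte(s){extra}")
    return lines

if __name__ == "__main__":
    print("\n".join(describe(parse_cdb_patches(SAMPLE_CMD))))
```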
25th November 2013, 11:29 AM |#456  
coldbloc
Member
Prompt That was quick.
Quote:
Originally Posted by netham45

It's just the normal CDB from the DDK for 8.0. Do note that it only edits a .dll in memory within that one application's memory space (ex. only csrss instance specified by %PID% sees the changed winsrv.dll).

Everything else you stated is correct. To get the address of winsrv.dll I do need the .pdb for it, though, which MS so graciously gave out.

I see. So for my case, I would first need the PID of svchost.exe (1671, for example), and it'd only be patching its view of the DLL. Understood.

I can get the offsets from HxD, for instance "C1B51", now imagine I want to NOP a few bits.

Code:
cdb -pvr -p "1671" -c "e winsrv.dll+0xC1B51 90 90 90;e winsrv.dll+0xF40A2 90 90 90;.detach;q"
Do I need any of that signinglevel stuff or ciOptions in a Windows Desktop ?

%signinglevel% %ciOptions%;.detach;q"
25th November 2013, 11:31 AM |#457  
OP Inactive Recognized Developer
Quote:
Originally Posted by coldbloc

I see. So for my case, I would first need the PID of svchost.exe (1671, for example), and it'd only be patching its view of the DLL. Understood.

I can get the offsets from HxD, for instance "C1B51", now imagine I want to NOP a few bits.

Code:
cdb -pvr -p "1671" -c "e winsrv.dll+0xC1B51 90 90 90;.detach;q"
Do I need any of that signinglevel stuff or ciOptions in a Windows Desktop ?

%signinglevel% %ciOptions%;.detach;q"

The ;detach;q simply detaches from the process then quits out of CDB (I'm more or less running a script with this).

Out of curiosity, what service are you patching?
25th November 2013, 11:36 AM |#458  
coldbloc
Member
Quote:
Originally Posted by netham45

The ;detach;q simply detaches from the process then quits out of CDB (I'm more or less running a script with this).

Out of curiosity, what service are you patching?

termsrv.dll
25th November 2013, 11:38 AM |#459  
OP Inactive Recognized Developer
Quote:
Originally Posted by coldbloc

termsrv.dll

Trying to enable the server? If you get anywhere with that let me know, I'd be interested to see it. I spent a while looking into getting it working and never got anywhere. I never did anything with editing the running process, though; I just manipulated various registry keys into thinking I was on Win 8 pro. I believe there's a thread about it somewhere on here.
25th November 2013, 11:44 AM |#460  
coldbloc
Member
Prompt
Quote:
Originally Posted by netham45

Trying to enable the server? If you get anywhere with that let me know, I'd be interested to see it.

Sunstar of MDL has disassembled the thing, knows a lot more about it than me.

http://forums.mydigitallife.info/thr...l=1#post846387

To answer mine own question - (see title above) - Here and Here and some other stuff
25th November 2013, 03:21 PM |#461  
coldbloc
Member
Prompt
Quote:
Originally Posted by netham45

Trying to enable the server? If you get anywhere with that let me know, I'd be interested to see it. I spent a while looking into getting it working and never got anywhere. I never did anything with editing the running process, though; I just manipulated various registry keys into thinking I was on Win 8 pro. I believe there's a thread about it somewhere on here.

EDIT: Added some details in this thread

http://forum.xda-developers.com/show...0&postcount=20
Tags
hack, jailbreak, windows, windows rt, winrt