Circumventing Windows RT’s Code Integrity Mechanism

clrokr (@clrokr) – 6. Jan 2013
It’s taken longer than expected but it has finally happened: unsigned desktop applications run on Windows RT. Ironically, a vulnerability in the Windows kernel that has existed for some time and got ported to ARM just like the rest of Windows made this possible. MSFT’s artificial incompatibility does not work because Windows RT is not in any way reduced in functionality. It’s a clean port, and a good one. But deep in the kernel, in a hashed and signed data section protected by UEFI’s Secure Boot, lies a byte that represents the minimum signing level.

Finding the right spot

The minimum signing level determines how good an executable’s signature is on a scale like this: Unsigned(0), Authenticode(4), Microsoft(8), Windows(12). The default value on x86 machines is of course 0 because you can run anything you like on your computer. On ARM machines, it defaults to 8.
That means that even if you sign your apps using your Authenticode certificate, the Surface or any other Windows RT device (at this moment) will not run them. This is not a user setting, but a hardcoded global value in the kernel itself. It cannot be changed permanently on devices with UEFI’s Secure Boot enabled. It can, however, be changed in memory.
Finding this byte in the kernel takes a while: there is no exported symbol for it, and it is not even in MSFT’s symbol database. I found it using WinDbg and a machine running Windows 8 Pro, creating processes and watching how the system behaves when the signature checks happen, all the way through CI.dll and back. Because Windows 8 and Windows RT are so similar, locating it in the ARM kernel was not hard:

SeGetImageRequiredSigningLevel+0x18
LDR R3, =0x59FFA6 ; This is our byte: 0x19FFA6 at the 0x400000 image base
LDRB R3, [R3]
CMP R3, #4
BHI loc_HighSigReq
B.W loc_LowSigReq

There are many more places where you can find this byte accessed, but none of them have an exported symbol.

Prerequisites

A while ago I read an article about how the Windows kernel assumes that data passed by certain processes is always well-formed [1]. This vulnerability exists in Windows RT, but exploitation is a bit harder than on Windows 8 because unsigned binaries can’t be run in the first place (and store apps don’t have the security context you need to attach to other processes). But Microsoft decided to provide something very important [2] that made this whole endeavour a lot easier. This remote debugger, when run as Administrator, can attach to the user’s CSRSS process and manipulate its memory.
CSRSS contains a lot of calls to the vulnerable NtUserSetInformationThread function, including some that use the right parameters to exploit it. This is one of them (from winsrv.dll):

TerminalServerRequestThread+0x230
MOVS R3, #0xC
ADD R2, SP, #0x58
MOVS R1, #9
MOV R0, 0xFFFFFFFE
BL NtUserSetInformationThread

A CSRSS thread executes this code. Using a breakpoint, we can change the data structure pointed to by R2 before the NtUserSetInformationThread call happens, and so exploit the vulnerability. Sadly, this is very impractical, because the exploit subtracts 1 from the value at the specified address per call, and we need to subtract 0x80000 in total. This is because we can’t do an unaligned access on ARM (remember, our byte’s offset is 0x19FFA6), so we need to use 0x19FFA4; our byte is the third byte of that aligned word, so taking it from 8 to 0 means subtracting 8 << 16 = 0x80000 from the word.
We also need the linear address at which the kernel image resides. We can find this out by calling (on the device, this can be done from a store app which will run unsigned) NtQuerySystemInformation with information class 11. If you want to know how to use NtQuerySystemInformation from a store app, read [3]. This gives us a list of all loaded drivers and their image bases, effectively bypassing ASLR in this case (although this is not what ASLR is for, it is annoying in these situations).

Exploitation

Using the remote debugger and MSFT’s armasm, I used a half-empty code page in winsrv.dll (0x10800 from the image base) to store this small payload:

push {r5-r8}
mov r7, 0x80000
ldr r8, my_addr
loc_loop_begin:
movs r3, 0xC
add r2, sp, 0x68 ;0x58 org.
add r5, r2, 4
str r8, [r5]
movs r1, 9
mvn r0, 1
mov r12, 0x10E1
svc 1
subs r7, r7, 1
cmp r7, 0
bne loc_loop_begin
pop {r5-r8}
mov r0, r0
my_addr dcd 0x12345678 ; the kernel's base address + 0x18

We now set a breakpoint directly after the legitimate NtUserSetInformationThread call in TerminalServerRequestThread; pressing a volume button will trigger it. This is where it gets interesting.
Redirect the instruction pointer to the payload in memory and set a breakpoint at the mov r0, r0 instruction at the end. Press F5. Now set the instruction pointer back to the first breakpoint and remove both breakpoints. Press F5 again.
Congratulations, your Windows RT device is unlocked!

Conclusion

Windows RT is a clean port of Windows 8. They are the same thing and MSFT enforces Code Integrity to artificially separate these platforms. It does not stop pirates from modifying store apps (and their license checks) because store apps are the only things that can actually run unsigned. The fact that this method works on Windows 8 as well shows how similar the systems are. You can even enforce Code Integrity on Windows 8 to see what Windows RT feels like!
The decision to ban traditional desktop applications was not a technical one, but a bad marketing decision. Windows RT needs the Win32 ecosystem to strengthen its position as a productivity tool. There are enough “consumption” tablets already.

Microsoft, please consider making code signing optional and thereby increasing the value of your Windows RT devices!

Drawbacks

  • Sometimes this triggers bugcheck 0x18, because we can’t control the bytes at 0x19FFA4 and 0x19FFA5 from the kernel base, and they are sometimes zero.
  • This method is not practical for most users, especially because tablet buyers are less likely to know enough about computers to do this than PC users.
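The alignment reasoning in the Exploitation section (why 0x19FFA4 and a loop count of 0x80000 stand in for a single write to 0x19FFA6) and the first drawback above are both arithmetic on one 32-bit word, which is easy to check. The following Python is an added example and not code from the post; it assumes, as the post describes, that each call decrements a 4-byte-aligned little-endian word at the supplied address by one, and the sample words it analyses are constructed, not bytes from any real kernel build. It models nothing beyond that word.

```python
# Added example, not from the original post: models the 32-bit counter the
# post's loop decrements so the 0x19FFA4 / 0x80000 choice and the crash
# condition in "Drawbacks" can be checked. Assumption (labelled): each call
# decrements one aligned little-endian 32-bit word at the supplied address.
import struct

SIGNING_LEVEL_OFFSET = 0x19FFA6   # offset of the minimum-signing-level byte (from the post)
WINDOWS_RT_DEFAULT_LEVEL = 8      # "Microsoft" level; x86 defaults to 0 (from the post)


def aligned_word_offset(byte_offset):
    """ARM word accesses must be 4-byte aligned, so 0x19FFA6 becomes 0x19FFA4."""
    return byte_offset & ~0x3


def byte_index(byte_offset):
    """Position of the target byte inside the little-endian word (2 for 0x19FFA6)."""
    return byte_offset & 0x3


def decrements_needed(byte_offset, current_level, wanted_level):
    """Single decrements of the aligned word that move the target byte from
    current_level to wanted_level without borrowing from the bytes below it.
    For 0x19FFA6 and 8 -> 0 this is 8 << 16 = 0x80000, the post's loop count."""
    return (current_level - wanted_level) << (8 * byte_index(byte_offset))


def apply_decrements(word_bytes, count):
    """Closed form of `count` decrements by one of a 32-bit counter.
    Returns (final four bytes, whether the counter reached zero on the way).
    The value only ever decreases, so it passes through zero iff start <= count."""
    (value,) = struct.unpack("<I", word_bytes)
    reached_zero = value <= count
    final = (value - count) & 0xFFFFFFFF
    return struct.pack("<I", final), reached_zero


def analyse(word_bytes, byte_offset=SIGNING_LEVEL_OFFSET, wanted_level=0):
    """Report what the post's loop does to one constructed 4-byte word read
    from the aligned address: how many decrements run, the resulting level,
    whether the neighbouring bytes end up changed, and whether the counter
    hit zero, which the post's Drawbacks section names as the crash case."""
    idx = byte_index(byte_offset)
    count = decrements_needed(byte_offset, word_bytes[idx], wanted_level)
    final, reached_zero = apply_decrements(word_bytes, count)
    return {
        "aligned_offset": aligned_word_offset(byte_offset),
        "decrements": count,
        "new_level": final[idx],
        "neighbours_changed": any(final[i] != word_bytes[i] for i in range(4) if i != idx),
        "counter_reached_zero": reached_zero,
    }


if __name__ == "__main__":
    # Constructed sample words; the real bytes at 0x19FFA4, 0x19FFA5 and
    # 0x19FFA7 differ per build, which is exactly the post's point.
    for sample in (b"\x11\x22\x08\x33", b"\x00\x00\x08\x00"):
        print(sample.hex(), analyse(sample))
```

With non-zero neighbours the word loses exactly 8 from its third byte and nothing else changes; with the two low bytes and the top byte all zero, the word starts at 0x00080000 and the last decrement lands it on zero, the case the drawback describes.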

Sources

[1] j00ru//vx tech blog: Defeating Windows Driver Signature Enforcement #2: CSRSS and thread desktops
[2] Visual Studio 2012 Remote Tools
[3] Using the complete Windows API in store apps (mamaich at XDA-Developers)
Also, for further reading:
[*] Discussion about this on XDA-Developers

Changelog

6. Jan 2013: Added 0x18 offset in payload because it is very important and the article at [1] doesn’t mention it. Also added link to discussion on XDA-Developers for further reading.


331 comments

  7. When I originally commented I clicked the “Notify me when new comments are added” checkbox and now each time a comment is added I get three emails with the same comment.
    Is there any way you can remove people from
    that service? Bless you!

  9. To use a debugger each time you want to run a Windows 8 program is a bit too much for an average user.
    Microsoft should come up with a patch to fix this.

  10. Pingback: Why Windows 8 scares us? - Blog Uptodown EN

  14. Pingback: Running Desktop Apps on Windows RT, The Hackers Way! | My great WordPress blog

  15. Pingback: Bloco de Notas (07-01-2013) - Revolução Digital

  17. Pingback: HWzone | פרצה מאפשרת הפעלת יישומי Desktop על מערכת חלונות RT

