Circumventing Windows RT’s Code Integrity Mechanism

clrokr (@clrokr) – 6. Jan 2013
It’s taken longer than expected but it has finally happened: unsigned desktop applications run on Windows RT. Ironically, a vulnerability in the Windows kernel that has existed for some time and got ported to ARM just like the rest of Windows made this possible. MSFT’s artificial incompatibility does not work because Windows RT is not in any way reduced in functionality. It’s a clean port, and a good one. But deep in the kernel, in a hashed and signed data section protected by UEFI’s Secure Boot, lies a byte that represents the minimum signing level.

Finding the right spot

The minimum signing level determines how good an executable’s signature is on a scale like this: Unsigned(0), Authenticode(4), Microsoft(8), Windows(12). The default value on x86 machines is of course 0 because you can run anything you like on your computer. On ARM machines, it defaults to 8.
That means that even if you sign your apps using your Authenticode certificate, the Surface or any other Windows RT device (at this moment) will not run them. This is not a user setting, but a hardcoded global value in the kernel itself. It cannot be changed permanently on devices with UEFI’s Secure Boot enabled. It can, however, be changed in memory.
Finding this byte in the kernel takes a while: there is no exported symbol for it, and it is not in MSFT’s symbol database either. I found it using WinDbg and a machine running Windows 8 Pro, creating processes and watching how the system behaves when the signature checks happen all the way through CI.dll and back. Because Windows 8 and Windows RT are so similar, locating it in the ARM kernel was not hard:

LDR  R3, =0x59FFA6        ; this is our byte: 0x19FFA6 at 0x400000 image base
LDRB R3, [R3]
CMP  R3, #4
BHI  loc_HighSigReq
B.W  loc_LowSigReq

There are many more places where you can find this byte accessed, but none of them have an exported symbol.


A while ago I read an article about how the Windows kernel assumes that data passed by certain processes is always well-formed [1]. This vulnerability exists in Windows RT, but exploitation is a bit harder than on Windows 8 because unsigned binaries can’t be run in the first place (and store apps don’t have the security context you need to attach to other processes). But Microsoft decided to provide something very important [2] that made this whole endeavour a lot easier. This remote debugger, when run as Administrator, can attach to the user’s CSRSS process and manipulate its memory.
CSRSS contains a lot of calls to the vulnerable NtUserSetInformationThread function, including some that use the right parameters to exploit it. This is one of them (from winsrv.dll):

MOVS R3, #0xC
ADD R2, SP, #0x58
MOVS R1, #9
BL NtUserSetInformationThread

A CSRSS thread executes this code. Using a breakpoint, we can change the data structure pointed to by R2 before the NtUserSetInformationThread call happens to exploit the vulnerability. Sadly, this is very impractical because the exploit subtracts 1 from the specified address and we need to subtract 0x80000. This is because we can’t do an unaligned access on ARM (remember, our byte’s offset is 0x19FFA6), so we need to use 0x19FFA4.
We also need the linear address at which the kernel image resides. We can find this out by calling (on the device, this can be done from a store app which will run unsigned) NtQuerySystemInformation with information class 11. If you want to know how to use NtQuerySystemInformation from a store app, read [3]. This gives us a list of all loaded drivers and their image bases, effectively bypassing ASLR in this case (although this is not what ASLR is for, it is annoying in these situations).
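The module list that information class 11 returns, parsed from a constructed buffer as an added example (not the author’s code): it uses the 32-bit layout of RTL_PROCESS_MODULE_INFORMATION and made-up image bases, and picks out the kernel’s base, which is what the offsets in this post must be added to.

```python
import struct

# Added example, not from the original post. 32-bit layout of RTL_PROCESS_MODULE_INFORMATION,
# the entry type returned by NtQuerySystemInformation(11 / SystemModuleInformation):
#   Section, MappedBase, ImageBase, ImageSize, Flags            (5 x 32-bit)
#   LoadOrderIndex, InitOrderIndex, LoadCount, OffsetToFileName (4 x 16-bit)
#   FullPathName[256]
# The buffer begins with a ULONG NumberOfModules followed by that many entries.
_ENTRY = struct.Struct("<5I4H256s")          # 284 bytes per module


def parse_module_list(buf):
    """Return {file name: (image base, image size)} for every module in the buffer."""
    (count,) = struct.unpack_from("<I", buf, 0)
    modules = {}
    for i in range(count):
        fields = _ENTRY.unpack_from(buf, 4 + i * _ENTRY.size)
        image_base, image_size, name_off = fields[2], fields[3], fields[8]
        path = fields[9].split(b"\x00", 1)[0]      # NUL-terminated ANSI path
        modules[path[name_off:].decode("ascii")] = (image_base, image_size)
    return modules


def kernel_base(modules):
    """Linear address the kernel image is loaded at (None if it is not in the list)."""
    entry = modules.get("ntoskrnl.exe")
    return entry[0] if entry else None


def _make_entry(path, image_base, image_size):
    # Constructed entry: Section and Flags zero, LoadCount 1, name offset past the last backslash.
    name_off = path.rfind(b"\\") + 1
    return _ENTRY.pack(0, image_base, image_base, image_size, 0, 0, 0, 1, name_off, path)


# Constructed sample buffer with two modules; the image bases and sizes are made up.
SAMPLE_BUFFER = (
    struct.pack("<I", 2)
    + _make_entry(b"\\SystemRoot\\system32\\ntoskrnl.exe", 0x80C00000, 0x5B0000)
    + _make_entry(b"\\SystemRoot\\system32\\CI.dll", 0x81300000, 0x90000)
)

if __name__ == "__main__":
    mods = parse_module_list(SAMPLE_BUFFER)
    for name, (base, size) in mods.items():
        print(f"{name:<14} base=0x{base:08X} size=0x{size:X}")
    print(f"kernel base: 0x{kernel_base(mods):08X}")
```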


Using the remote debugger and MSFT’s armasm, I used a half-empty code page in winsrv.dll (0x10800 from the image base) to store this small payload:

        push    {r5-r8}
        mov     r7, #0x80000            ; 0x80000 decrements of 1 = subtract 8 from the byte at offset 2
        ldr     r8, my_addr
loc_loop_begin                          ; label was missing from the listing; placement assumed
        movs    r3, #0xC
        add     r2, sp, #0x68           ; 0x58 org.
        add     r5, r2, #4
        str     r8, [r5]
        movs    r1, #9
        mvn     r0, #1                  ; r0 = -2, the current-thread pseudo handle
        mov     r12, #0x10E1            ; syscall number
        svc     1
        subs    r7, r7, #1
        cmp     r7, #0
        bne     loc_loop_begin
        pop     {r5-r8}
        mov     r0, r0                  ; end marker: the second breakpoint goes here
my_addr dcd     0x12345678              ; placeholder: the kernel's base address + 0x18

We now set a breakpoint directly after the legitimate NtUserSetInformationThread call in TerminalServerRequestThread; pressing a volume button will trigger it. This is where it gets interesting.
Redirect the instruction pointer to the payload in memory and set a breakpoint at the mov r0, r0 instruction at the end. Press F5. Now set the instruction pointer back to the first breakpoint and remove both. Press F5 again.
Congratulations, your Windows RT device is unlocked!


Windows RT is a clean port of Windows 8. They are the same thing and MSFT enforces Code Integrity to artificially separate these platforms. It does not stop pirates from modifying store apps (and their license checks) because store apps are the only things that can actually run unsigned. The fact that this method works on Windows 8 as well shows how similar the systems are. You can even enforce Code Integrity on Windows 8 to see what Windows RT feels like!
The decision to ban traditional desktop applications was not a technical one, but a bad marketing decision. Windows RT needs the Win32 ecosystem to strengthen its position as a productivity tool. There are enough “consumption” tablets already.

Microsoft, please consider making code signing optional and thereby increasing the value of your Windows RT devices!


  • Sometimes this triggers a bugcheck because we can’t control the bytes at 0x19FFA4 and 0x19FFA5 from the kernel base and they sometimes are zero, causing a 0x18 bugcheck.
  • This method is not practical for most users, especially because tablet buyers are less likely to know enough about computers to do this than PC users.
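The alignment arithmetic from the payload section (why 0x19FFA6 is patched through the dword at 0x19FFA4 and why that takes 0x80000 decrements) and the side effect behind the first bullet above, worked through as an added example that is not the author’s code. The offsets, the 0x80000 count and the default level 8 are from the post; the low halfword of the sample dword and the zero byte above the level byte are constructed.

```python
# Added example, not from the original post: little-endian arithmetic behind the in-memory patch
# and what the decrement-by-one loop does to the neighbouring bytes while it runs.

SIGNING_LEVELS = {0: "Unsigned", 4: "Authenticode", 8: "Microsoft", 12: "Windows"}
MIN_LEVEL_RVA = 0x19FFA6        # offset of the minimum-signing-level byte (from the post)


def aligned_patch(byte_rva, current_level, new_level):
    """Return (dword_rva, delta): subtracting `delta` from the little-endian 32-bit word
    at `dword_rva` lowers the byte at `byte_rva` from current_level to new_level."""
    dword_rva = byte_rva & ~3            # ARM refuses the unaligned access, so patch the dword
    shift = 8 * (byte_rva & 3)           # little-endian: byte n of the word is bits 8n..8n+7
    return dword_rva, (current_level - new_level) << shift


def level_byte(dword, byte_rva):
    """Extract the signing-level byte from the dword that contains it."""
    return (dword >> (8 * (byte_rva & 3))) & 0xFF


def simulate_loop(dword, delta):
    """Subtract `delta` as `delta` single decrements, like the payload's loop, and collect
    every value the two low bytes pass through on the way. Returns (final, low_values)."""
    seen = set()
    for _ in range(delta):
        dword = (dword - 1) & 0xFFFFFFFF
        seen.add(dword & 0xFFFF)
    return dword, seen


def demo(low_halfword=0x0000):
    """Constructed dword at 0x19FFA4: level byte 8, byte 3 zero, low bytes as given."""
    dword_rva, delta = aligned_patch(MIN_LEVEL_RVA, 8, 0)
    before = (8 << 16) | low_halfword
    after, touched = simulate_loop(before, delta)
    return {
        "dword_rva": dword_rva,
        "delta": delta,
        "level_before": SIGNING_LEVELS[level_byte(before, MIN_LEVEL_RVA)],
        "level_after": SIGNING_LEVELS[level_byte(after, MIN_LEVEL_RVA)],
        "low_bytes_restored": (after & 0xFFFF) == low_halfword,
        "distinct_low_values": len(touched),   # values bytes 0x19FFA4/5 hold mid-loop
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, hex(value) if type(value) is int else value)
```

The low bytes end up unchanged, but the loop drives them through every 16-bit value along the way, which is why those two uncontrolled bytes matter.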


[1] j00ru//vx tech blog: Defeating Windows Driver Signature Enforcement #2: CSRSS and thread desktops
[2] Visual Studio 2012 Remote Tools
[3] Using the complete Windows API in store apps (mamaich at XDA-Developers)
Further reading:
[*] Discussion about this on XDA-Developers


6. Jan 2013: Added 0x18 offset in payload because it is very important and the article at [1] doesn’t mention it. Also added link to discussion on XDA-Developers for further reading.

