Unsigned code running on Windows RT
A crack has been found in the armor of Windows RT. This subset of Windows 8 is designed to run on ARM processors. The payload listed in the image above allows you to run unsigned desktop applications on the OS.

We haven’t seen very much about the Windows RT package, so it’s nice to hear [Clrokr’s] thoughts on it. As far as he can tell the system has not been watered down from its Intel-aimed (x86) counterpart. Rather, RT seems to be a direct port with what is called “Code Integrity” mechanisms switched on. There is a kernel-level setting, barricaded behind UEFI’s Secure Boot, which determines the minimum software signing level allowed to run on the device. This is set to zero on a Windows 8 machine, but defaults to 8 on an ARM device. [Clrokr] uses a debugger to insert the code seen above into a DLL file in order to reset that minimum signing value to 0.
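The gate the article describes reduces to a single comparison: an image loads only if its signing level meets the configured minimum, and a minimum of 0 switches the check off entirely. The following Python model is an added example, not [Clrokr's] code and not a Windows API. It names the levels after the SE_SIGNING_LEVEL_* constants found in the Windows headers; the article itself states only the two values 0 and 8. The drift check at the end reflects the defender's view: since the patched value lives in memory, a minimum that departs from its boot-time baseline is the observable to watch.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Signing levels, named after the SE_SIGNING_LEVEL_* constants in the Windows
# headers. The article only mentions 0 (the x86 Windows 8 minimum) and 8 (the
# Windows RT minimum); the remaining values are here to make the model readable.
UNCHECKED = 0      # gate disabled: any image loads
UNSIGNED = 1       # no valid signature at all
AUTHENTICODE = 4   # third-party Authenticode signature
STORE = 6          # Windows Store signing
MICROSOFT = 8      # Microsoft-signed; the Windows RT default minimum
WINDOWS = 12       # Windows-component signing

RT_DEFAULT_MINIMUM = MICROSOFT    # value stated in the article for ARM devices
X86_DEFAULT_MINIMUM = UNCHECKED   # value stated in the article for Windows 8 on x86


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def code_integrity_decision(image_level: int, minimum_level: int) -> Decision:
    """Model of the kernel gate: an image loads only if its signing level
    is at least the configured minimum. A minimum of UNCHECKED (0) means
    the comparison can never fail, which is why resetting the value to 0
    lets unsigned desktop binaries run."""
    if minimum_level == UNCHECKED:
        return Decision(True, "minimum is 0: code integrity gate is disabled")
    if image_level >= minimum_level:
        return Decision(True, f"image level {image_level} >= minimum {minimum_level}")
    return Decision(False, f"image level {image_level} < minimum {minimum_level}")


def policy_drift(samples: Iterable[int], expected_minimum: int) -> List[int]:
    """Return the indices of samples whose observed minimum signing level
    differs from the expected baseline. The patch lives in memory and does
    not survive a reboot, so a value that drops from 8 to 0 after boot is
    the kind of integrity drift a monitor would flag."""
    return [i for i, level in enumerate(samples) if level != expected_minimum]


# Constructed sequence of periodic readings of the in-memory minimum on an RT
# device: baseline 8, then two readings at 0, then back to 8 after a reboot.
CONSTRUCTED_SAMPLES = [8, 8, 0, 0, 8]


if __name__ == "__main__":
    for level, name in [(UNSIGNED, "unsigned"), (AUTHENTICODE, "authenticode"),
                        (MICROSOFT, "microsoft")]:
        rt = code_integrity_decision(level, RT_DEFAULT_MINIMUM)
        x86 = code_integrity_decision(level, X86_DEFAULT_MINIMUM)
        print(f"{name:12s} RT: {rt.allowed!s:5s} ({rt.reason}) | x86: {x86.allowed}")
    print("drift at sample indices:", policy_drift(CONSTRUCTED_SAMPLES, RT_DEFAULT_MINIMUM))
```

Run as a script, the model shows unsigned and third-party Authenticode images refused under the RT default of 8 and accepted under the x86 default of 0, and the drift check points at the two readings where the minimum was not at its baseline.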

Do you have a project in mind for which this is useful? We’d love to hear about it in the comments!

[via Reddit]

32 thoughts on “Unsigned code running on Windows RT”

        1. Yet I still can’t run the latest games on a traffic light.

          Linux may be great (I use it) but until developers start releasing game of the years on it, it’s never going to have the attention of the masses.

          1. Also five figure management overhead just for small businesses who use it on infrastructure doesn’t help…

            An operating system that needs to be rebuilt to add hardware and some software support and has 20th century usability on everything from implementation to network configuration… but it’s free

          2. > Linux may be great (I use it) but until developers start releasing game of the years on it, it’s never going to have the attention of the masses.

            Do you really want the audience so-called game-of-the-years are targeted for on Linux? Really?

          3. @xorpunk I’ll bet you still wonder why people think you don’t have a clue…
            Remote managed, Linux based, small business infrastructure is by far the cheapest solution available. Cheaper setup, much cheaper ongoing maintenance.

          4. * Yet I still can’t run the latest games on a traffic light. *

            You seriously value a game more than getting to and from work/school/food alive each and every day?

          5. @Cyril: I’m clueless? You forgot to factor in that it takes humans to manage the systems who require salary and there is the cost of training and support. You obviously know about the professional aspect of the IT industry more than me…

            Windows you install some roles, configure them with users, and disable some services, and you have a ‘hardened windows server’ in a matter of hours that not only has unmatched support, but out-of-box CHM based documentation on everything, and network-distributed installation in a few clicks, for free outside machine license cost…

            Most idiots like you don’t even know the pros and cons of open source development and support, let alone the build processes and efficient configuration and implementation.

            Speaking as someone who has been a kernel developer both for BSD and Linux for years and is over-qualified for the sysop garbage you’re failing to look insightful on…

          6. xorpunk you are an idiot.
            an install of windows server is not and never will be comparable to a hardened Linux server. windows simply lacks much of the security functionality (have a look at NSA’s SELinux, GRSecurity etc..). just because windows has pseudo-ACLs, stupid remote administration interfaces, and weak ASLR it does not mean it is “hardened”.
            let’s not even talk about the fact that windows sysadmins are (on average) dumber and less cult than the others. if you think a sysadmin is productive managing windows installs, then it’s because you never tried other solutions.

            and yes, Linux is everywhere. you probably have it in your TV, router, fixed IP phone (not even to talk about mobile phone) and you don’t even know.

            desktop computers and mobile computers are coming into a collision route, Ballmer knows it, that’s why you see their scared brainless tactics to enter the mobile ecosystem. But guess what? Android is eating everything in its path…

          7. @MrX: Even the GCC/Kernel developer who created SELinux says MS overflow protection are more expensive to bypass…

            Neither you nor Cyril have said anything that isn’t trendy opinion on end-user forums. MS policies with DEP and ASLR are more expensive to work around by a long shot, policies still aren’t enabled out of box even on 2012 server though which is the source of most of the end-user BS you and Cyril are rumor milling. It’s basically idiots who can’t properly roll out servers and need out-of-box setups, like you and Cyril who obviously know shit about compiler design and mitigation of exploits, who are rumor milling that…

            P.S.: This is debug api runtime patching

          8. @xorpunk
            “MS overflow protection are more expensive to bypass…”
            you are using general on this phrase, I take it you don’t know much about the subject, nice try.

            The default security model of Linux does indeed provide a weaker process space randomization than windows. However, pretty much all Linux server solutions have support for PAX which has a STRONGER ASLR than windows:

            Then, while Linux has SELinux (or GRSecurity) implementations of mandatory access control, Windows has NONE. Btw: Integrity control is NOT MAC. Then there is the windows ACLs which the windows sysadmins so much praise – they suck. Linux ones are simpler and provide the same level of control. It is not the first time I see windows sysadmins bitching around because they have an ACL clusterfuck and the new rule they are trying to get in does not work as expected.
            And then, there is the stupid remote administration of servers where you have to either use RDP/VNC or the stupid management console.
            You can bitch whatever you want, I’m faster than you changing configurations on remote computers (guess what? I just need SSH) and.. I don’t even need to reboot the computer :P

            Now continue shilling as much as you want – this will be my last message.

          9. @xorpunk “Speaking as someone who has been a kernel developer both for BSD and Linux for years and is over-qualified for the sysop garbage….”

            Bullshit detector OVERLOAD!!.

            Old man tip: When you actually know something, it’s easy to pick those that do not, no matter how much they pretend/insist they do ;)

      1. Everything runs Linux*!

        *For some definitions of everything.

        To many of the above posters: Anyone who thinks the OS of choice for servers, routers, or whatever other specialist role you please has any bearing on discussion of consumer electronics you need to think really, really hard about why this hack was posted.

  1. I was under the impression that even RT would have an Android style “side loading” or something similar. Is that not correct? If there is “side loading”, what would the point of this be?

    1. that’s the point of this right now. Windows RT will only run applications obtained from the Windows Store and that is it. It won’t run applications from USB, CD, download (non store) etc.

      He has lifted this restriction so it will run any application (provided it is compiled for Windows RT in the first place that is).

      Microsoft have acknowledged the hack’s existence now and commented on the ingenuity of the hacker but said something that implied the hack might not work in future versions of RT.

      If you want to sideload on a Windows tablet without this hack (which also needs reapplying every reboot) then you’re just going to have to splash out more on an x86 based Windows 8 tablet rather than an ARM Windows RT tablet.

      1. That is not entirely true. You can easily sideload applications on Windows RT simply by obtaining a free developer’s key. (It’s quite easy.)

        However, even then it won’t allow the execution of “Desktop” (i.e., non-Modern/Metro) applications. The re-jiggering in this article allows users to run “Desktop” applications as well (which, right now, is of limited utility because the Windows RT devices use ARM processors).

      2. You can “sideload” Windows Store apps onto Windows RT devices if you have a developer license installed (so you can test the app you’re writing on actual hardware instead of just the emulator) without this hack. There may be a way for enterprises and OEMs to pre/sideload Windows Store apps onto Windows RT devices too, but I can’t remember exactly.

        This hack is for making unsigned (or non-Microsoft signed) desktop apps work on Windows RT devices (so long as they’ve been compiled for Windows RT, as Six677 said).

  2. I despise the concept of the lockdown of RT, but when you see how android has 100,000 apps of which 80,000 are designed mainly to gather info on you as a trojan horse.. well then you can see how MS can fuel their arguments.

  3. Surface RT is a wonderful piece of hardware.

    Microsoft sells at ~600 bucks ($499+$100) a thing requiring less than $287 to manufacture. This means that if I buy it to install Linux, Microsoft will still make large profit.

    Honestly: running ARM-compiled versions of Windows apps is not as exciting as a minimal Linux install.
