UxTheme Signature Bypass


bigmuscle

  • 1 month later...

If UxTSB.dll is loaded from registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs, Windows 8.1, 10 RTM, 10 TH, 10 RS can't open *.deskthemepack files.

If UxTSB.dll is loaded from DWMGlass.dll 1.5.2, there is no such problem.

Please fix this bug, or modify DWMGlass.dll 1.4.6 for loading UxTSB.dll. But loading UxTSB.dll from DWMGlass.dll may cause the winlogon-loop problem...

A bit off-topic, but UxStyle seems to work on the latest Win10 build 14393 at first glance, though no luck on build 10586, and the word is it doesn't work on newer Insider builds. There have been reports about certain issues, but no new commits. None of the people that forked it changed anything either. Just bringing it up because its different approach might bypass the winlogon-loop problem. If only someone with the knowledge addressed its issues.

2 hours ago, UCyborg said:

different approach might bypass winlogon-loop problem

There is only one stable way to "bypass" f*cking DRM secure boot fully - sign the driver with a certificate obtained from a trusted certification authority like VeriSign. Both for UxStyle or Aero Glass (\uxstyle\code\tools\_sign.bat). A self-signed certificate does not work if Secure Boot is enabled. Another way is to use a known vulnerability in Microsoft Windows like MS16-094 or MY123/Slipstream.

The new injection method by DWMGlass.dll doesn't require a signed DLL, but something else can go wrong. Microsoft's official opinion is that there is no reliable method for injecting a DLL into a running process, if that has something to do with it. At least their own Detours library version 1.5 had a function for DLL injection which, I believe, under the hood utilized the CreateRemoteThread method, like DWMGlass.dll.

The only bad thing that happened once on my end were tons of VirtualAllocEx errors in debug.log, and at the time it seemed like the logon process was aborted; the second logon attempt worked, but apparently things can go worse for unknown reasons.

Good point about the signing; the AppInit_DLLs method would work with Secure Boot if UxTSB.dll was signed, just the fact that it lands in almost every process is a bit of an overkill. They wrote a long time ago on MSDN that they may remove it in the future. Good point about UxStyle as well, I forgot about the driver that has to be signed.

Late edit: Actually, AppInit_DLLs is completely disabled when Secure Boot is active.

Edited by UCyborg
2 hours ago, UCyborg said:

New injection method by DWMGlass.dll doesn't require signed DLL

Secure Boot requires a signed DLL for AppInit_DLLs or a signed SYS driver in any case. Or maybe start it as an unsigned service earlier than the scheduler (srvany.exe works well for me). And DWMGlass.dll 1.4.6 for the actual Windows 8.1 can't load UxTSB.dll; *.deskthemepack files cannot be opened.

Just for informational purposes, UxTSB no longer works with Insider build 15042. UltraUXThemePatcher is updated to support it. Old .msstyles for Anniversary Update still work with minor glitches; I only noticed some outlines being visible inside the window while in Peek Desktop.

This build doesn't have the watermark. Maybe theme related things won't see further changes. But 1 month is still plenty of time to flip everything upside-down. No symbols to see Aero Glass in action, but again, nothing crashes. Says it runs in always-glass mode, though it looks more like no-glass mode.

6 hours ago, bigmuscle said:

Unfortunately not, because I was not able to reproduce it.

Fine... And what to do? Can you make a version with aerohost.exe or dwmglass.dll running as a service? I think this can help...

I'm not alone with that bug. Many people have it. It must have something to do with that...

Edited by CKyHC
If it helps anyone, I wrote a small batch script that runs aerohost.exe as a service with the help of the srvany.exe wrapper mentioned a few posts above. Just extract both files and run InstallAGService as admin. And do stop the Aero Glass task beforehand from Task Scheduler and disable/delete it.

If you want to delete the service:

sc stop aerohost
sc delete aerohost

Then only the wrapper, which is copied to either Windows\System32 or Windows\SysWOW64 remains.

AeroGlassAsService.zip

Edited by UCyborg

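As an added illustration of the approach described in the post above (this is not the attached AeroGlassAsService.zip and not the project's own script), the batch file below registers a non-service executable under the srvany.exe wrapper and removes it again. The service name aerohost and the sc stop / sc delete commands come from the post; the paths C:\AeroGlass and the display name are assumed placeholders, and the file name aerohost-service.cmd is made up for this example. srvany.exe launches whatever program is named in the service's Parameters\Application registry value, which is what the script writes.

```batch
@echo off
REM Added example, not the attached AeroGlassAsService.zip: wrap a program that
REM was never written as a service in srvany.exe and register it with sc.
REM Assumed paths below; adjust them to where aerohost.exe and srvany.exe live.
setlocal
set SVC=aerohost
set APPDIR=C:\AeroGlass
set APPEXE=%APPDIR%\aerohost.exe
set WRAPPER=%SystemRoot%\System32\srvany.exe

if /i "%~1"=="uninstall" goto :uninstall

REM sc create and reg add against HKLM need an elevated prompt; "net session"
REM only succeeds when elevated, so it doubles as the admin check.
net session >nul 2>&1 || (echo Run this script as administrator. & exit /b 1)
if not exist "%APPEXE%" (echo %APPEXE% not found. & exit /b 1)
if not exist "%WRAPPER%" (echo %WRAPPER% not found. Copy srvany.exe there first. & exit /b 1)

REM 1. Register srvany.exe as the service binary. sc create defaults to the
REM    LocalSystem account, so the wrapped process is not tied to a logged-on
REM    user session and is not killed at logoff.
sc create %SVC% binPath= "%WRAPPER%" start= auto DisplayName= "Aero Glass host (example)" || exit /b 1

REM 2. srvany reads the real executable from the service's Parameters key:
REM    Application is required, AppDirectory sets its working directory.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\%SVC%\Parameters" /v Application /t REG_SZ /d "%APPEXE%" /f >nul
reg add "HKLM\SYSTEM\CurrentControlSet\Services\%SVC%\Parameters" /v AppDirectory /t REG_SZ /d "%APPDIR%" /f >nul

REM 3. Start it now (it will also start at boot) and show the resulting state.
sc start %SVC%
sc query %SVC% | findstr /i "STATE"
exit /b 0

:uninstall
REM Stop before deleting: sc delete on a running service only marks it for
REM deletion, and the entry lingers until the process exits or the box reboots.
sc stop %SVC% >nul 2>&1
sc delete %SVC%
REM srvany.exe itself is left in place, as the post notes.
exit /b 0
```

Run it from an elevated prompt as aerohost-service.cmd to install and aerohost-service.cmd uninstall to remove. Stop and disable the Task Scheduler entry first, as the post says, or two copies of aerohost.exe will compete after the next logon.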
3 hours ago, UCyborg said:

If it helps anyone, I wrote a small batch script that runs aerohost.exe as a service with the help of the srvany.exe wrapper mentioned a few posts above. Just extract both files and run InstallAGService as admin. And do stop the Aero Glass task beforehand from Task Scheduler and disable/delete it.

If you want to delete the service:

sc stop aerohost
sc delete aerohost

Then only the wrapper, which is copied to either Windows\System32 or Windows\SysWOW64 remains.

AeroGlassAsService.zip

I don't think that an application which is not designed as a service will run for a long time. After some time the system will close it because it is not a service at all. And after that UxTSB.dll will stop injecting into processes...

Maybe I'm wrong or don't understand it all right... Correct me then. It's only IMHO...

Edited by CKyHC
Absolutely nothing prevents a process from running forever, except that if it's started by a logged-on user it will be terminated at logoff. But an application which is not a service but is started independently from the interactive user by the Task Scheduler, for example, could run forever. Aerohost is just such an application. Note the run time on mine, from my Win 8.1 system...

AerohostRunTime.png

Often long-running applications that are intended to be independent of the interactive user are made into services just because the system provides a good way to manage such things.  But it's not a necessity.

-Noel

Edited by NoelC
I just wrote it wrong. I wanted to say that a process not designed as a service can't run long if it starts as a service.

I don't know, but I think that not any process can start as a service...

Exactly, applications that are run under the SYSTEM account run indefinitely unless you fully shut down or reboot the system. This just makes it independent from the Task Scheduler, so maybe it starts sooner. A better solution would be modifying aerohost.exe to accept service events.

srvany.exe is the wrapper that can make any application run as a service, but it is obsolete and has a number of limitations. It's true that you can't make aerohost.exe directly run as a service with sc create. https://www.coretechnologies.com/products/AlwaysUp/srvany.html Then you have paid solutions like FireDaemon Pro or AlwaysUp. Those are a must if you want to run e.g. a game server which wasn't coded as a service. There is also the free NSSM.

I can't really say if this helps with anything as I can't reproduce the injection problem on my end either, but those are the only ways to run a non-service application like it was a service. If it actually helps, judging by the UxStyle source code, it doesn't seem it would take a lot of effort to turn aerohost.exe into a real service.

Edited by UCyborg