
UxTheme Signature Bypass


bigmuscle


On 01.03.2017 at 4:17 PM, UCyborg said:

If it helps anyone, I wrote a small batch script that runs aerohost.exe as a service with the help of the srvany.exe wrapper mentioned a few posts above. Just extract both files and run InstallAGService as admin. And do stop the Aero Glass task beforehand from Task Scheduler and disable/delete it.

If you want to delete the service:


sc stop aerohost
sc delete aerohost

Then only the wrapper, which is copied to either Windows\System32 or Windows\SysWOW64 remains.

AeroGlassAsService.zip

I just tried to start aerohost as a service on my work Windows 10 x32 Pro. All works fine. The Aerohost service started. The task has been stopped and disabled. UxTSB.dll was removed from AppInit.dll and placed next to Aerohost.exe and DWMGlass.dll. Next step - reboot.

After the reboot I got about 2-3 minutes of never-ending logons. Then the logons stopped and the winlogon window was left on screen. Pressing logon gives a black screen with a mouse pointer for 30 seconds and then returns to the logon window.

Removed UxTSB.dll from the AeroGlass folder. Added it back to the AppInit key. Rebooted and all goes normal.

In debug.log:

[2017-03-03 14:14:56][0x1190:0x2BDC] Installing DWM hook...
[2017-03-03 14:14:56][0x1190:0x2BDC] User: СИСТЕМА
[2017-03-03 14:14:56][0x1190:0x2BDC] Module: C:\Program Files\AeroGlass\DWMGlass.dll
[2017-03-03 14:14:56][0x1190:0x2BDC] Pipe error: 5 - Отказано в доступе.
[2017-03-03 14:14:56][0x1190:0x2BDC] C:\Program Files\AeroGlass\DWMGlass.dll has been injected into dwm.exe.
[2017-03-03 14:17:20][0x5E0:0x5E4] VirtualAllocEx failed with error 5 - Отказано в доступе.
[2017-03-03 14:17:20][0x5E0:0x5E4] C:\Program Files\AeroGlass\UxTSB.dll has been injected into explorer.exe.
[2017-03-03 14:17:21][0x1190:0x2BDC] VirtualAllocEx failed with error 5 - Отказано в доступе.
[2017-03-03 14:17:21][0x1190:0x2BDC] C:\Program Files\AeroGlass\UxTSB.dll has been injected into explorer.exe.
[2017-03-03 14:17:24][0x5E0:0x5E4] VirtualAllocEx failed with error 5 - Отказано в доступе.
[2017-03-03 14:17:25][0x1190:0x2BDC] VirtualAllocEx failed with error 5 - Отказано в доступе.
[2017-03-03 14:17:28][0x5E0:0x5E4] VirtualAllocEx failed with error 5 - Отказано в доступе.
[2017-03-03 14:17:29][0x1190:0x2BDC] VirtualAllocEx failed with error 5 - Отказано в доступе.
[2017-03-03 14:17:32][0x5E0:0x5E4] w process crashed several times. DLL injection has been stopped.
[2017-03-03 14:17:33][0x1190:0x2BDC] w process crashed several times. DLL injection has been stopped.
[2017-03-03 14:17:36][0x5E0:0x5E4] VirtualAllocEx failed with error 5 - Отказано в доступе.

The last string repeats many times after that, every 1-3 seconds.



17 minutes ago, UCyborg said:

Install AeroGlass in C:\AeroGlass.

Why? I want to install it in Program Files. Only UxTSB didn't work. Permissions on the folder are set as for a normal folder, like any other folder.


44 minutes ago, CKyHC said:

Why? I want to install it in Program Files. Only UxTSB didn't work. Permissions on the folder are set as for a normal folder, like any other folder.

Just an idea. Interestingly, on Windows 8.1 the majority of the log entries don't appear, while on Windows 10 they do, so something changed in that regard. Either way, I don't think that problem would be solved by changing aerohost.exe into a service. There is nothing particularly special about services, just that they interact with the Service Control Manager.

Would the problem occur on a completely fresh bare-bones Windows installation? I don't have any other ideas besides maybe some 3rd party software interfering somehow. I have 4 different machines at home and none of them have this issue. Sorry, can't help you with this one.

Edited by UCyborg

UCyborg, on my 3 machines I have this bug. Only on my main home comp with an SSD does it occur only if I type the password quickly. 1-5 seconds after the login window appears the bug is gone. On the other 2 comps with HDDs the problem doesn't allow me to login at all. Only 1 difference - on my main comp the login is password protected. On the other 2 comps there are no passwords. Maybe that makes a difference?


It's hard to say. Type of disk and passworded vs passwordless account could be influencing factors in your particular case. It would be interesting to know what happens if you set passwords on those 2 computers you said don't have passwords. Apparently the extra time it takes to type in the password helps on your computer with the SSD. My machines have regular HDDs and using a passwordless account works fine.

All this still doesn't explain why VirtualAllocEx fails. Just "access denied" is not verbose enough. Does UxStyle work on your end? I suggested it some time ago as its different approach might work; the only problem is that it still needs some fixes: it is not working on build 10586 and Creators Update builds, in some scenarios its service has to be restarted for the themes to work again, and it's been said its driver doesn't load on UEFI systems with Secure Boot due to signing requirements.


6 hours ago, CKyHC said:

[2017-03-03 14:17:33][0x1190:0x2BDC] w process crashed several times. DLL injection has been stopped.

[2017-03-03 14:17:36][0x5E0:0x5E4] VirtualAllocEx failed with error 5 - Отказано в доступе.

The last string repeats many times after that, every 1-3 seconds.

The question is why the error appears twice for two different processes. Does your aerohost start twice?


18 minutes ago, bigmuscle said:

The question is why the error appears twice for two different processes. Does your aerohost start twice?

Only one task is scheduled. Now the task is disabled and the service starts.


So it really works now? Starting aerohost.exe with the method I posted? You said you did disable the scheduled task the first time. I can confirm the Pipe error occurs if you try to run 2 aerohost.exe instances.


6 hours ago, UCyborg said:

So it really works now? Starting aerohost.exe with the method I posted? You said you did disable the scheduled task the first time. I can confirm the Pipe error occurs if you try to run 2 aerohost.exe instances.

But how can there be 2 instances? The task is disabled and 1 service was created. Maybe after the 1st unsuccessful login aerohost.exe stays in memory? And after that it tries to run again?

Edited by CKyHC

The Disable option in Task Scheduler doesn't stop it if it's already running; you must select End and then Disable. That's the only possibility for ending up with 2 running aerohost instances I could think of. So if you just select Disable in Task Scheduler and run the script to install it as a service, you end up with 2 instances. But after a reboot, you should have only 1 aerohost, started by srvany.exe.

Edited by UCyborg

59 minutes ago, UCyborg said:

The Disable option in Task Scheduler doesn't stop it if it's already running; you must select End and then Disable. That's the only possibility for ending up with 2 running aerohost instances I could think of. So if you just select Disable in Task Scheduler and run the script to install it as a service, you end up with 2 instances. But after a reboot, you should have only 1 aerohost, started by srvany.exe.

I did it all the way you described. 1st I stopped the task, then disabled the task. And then I ran the script to add the service. In the registry I disabled loading UxTSB.dll by setting LoadAppInit_DLLs to 0. In Task Manager there was only 1 aerohost.exe. And after that I rebooted. And what happened I wrote before.

After the failure to load the system I loaded Windows 10 PE from a flash drive. In the registry I set LoadAppInit_DLLs back to 1 and renamed UxTSB.dll in the folder with Aeroglass to UxTSB.dll.back. After reboot and loading the system normally, in Task Manager only 1 aerohost.exe is loaded, by the service.

Edited by CKyHC
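The last several posts go back and forth over four facts that can be read off the machine directly: how many aerohost.exe instances are running and who launched each one (Task Scheduler or the srvany.exe service), whether the scheduled task really is stopped rather than merely disabled, what LoadAppInit_DLLs/AppInit_DLLs hold in both registry views, and whether the VirtualAllocEx failures in debug.log come from one injector PID or two. The PowerShell below is an added, read-only diagnostic written for this thread; it is not a script posted by any participant or shipped with Aero Glass. The task name "Aero Glass" and the process/service name "aerohost" are taken from the posts above; the debug.log sample lines are constructed after the excerpt quoted earlier (a real log can be passed in via Get-Content instead).

```powershell
# Added example for this thread; not code from the thread or the Aero Glass project.
# Read-only: it reports state and changes nothing. Run from an elevated prompt so
# that Win32_Process and the scheduled task are fully visible.

# Names assumed from the thread.
$TaskName    = 'Aero Glass'
$ProcessName = 'aerohost'
$ServiceName = 'aerohost'

function Get-AeroHostInstances {
    # One object per running aerohost.exe with the parent that launched it.
    # A Task Scheduler launch shows svchost.exe (or taskeng.exe on older builds)
    # as parent; the service wrapper shows srvany.exe. Two rows means two instances.
    Get-CimInstance Win32_Process -Filter "Name = '$ProcessName.exe'" | ForEach-Object {
        $parent     = Get-Process -Id $_.ParentProcessId -ErrorAction SilentlyContinue
        $parentName = if ($parent) { $parent.ProcessName } else { 'unknown' }
        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Parent    = $parentName
            Path      = $_.ExecutablePath
        }
    }
}

function Get-LauncherState {
    # Task state 'Running' after a Disable click is exactly the case UCyborg
    # describes: Disable does not end an already running task.
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    $svc  = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $taskState = if ($task) { $task.State }  else { 'not found' }
    $svcState  = if ($svc)  { $svc.Status }  else { 'not found' }
    [pscustomobject]@{ TaskState = $taskState; ServiceState = $svcState }
}

function Get-AppInitState {
    # 64-bit processes read the first key; 32-bit processes on 64-bit Windows read
    # the Wow6432Node key. On 32-bit Windows only the first key exists.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $v = Get-ItemProperty -Path $key
        [pscustomobject]@{
            Key                       = $key
            LoadAppInit_DLLs          = $v.LoadAppInit_DLLs
            AppInit_DLLs              = $v.AppInit_DLLs
            RequireSignedAppInit_DLLs = $v.RequireSignedAppInit_DLLs
        }
    }
}

function Measure-InjectionFailures {
    # Groups "VirtualAllocEx failed" lines by the injector PID in the log prefix
    # "[timestamp][0xPID:0xTID]". Failures from two PIDs mean two aerohost
    # instances were injecting, which is the question bigmuscle raised.
    param([string[]]$Lines)
    $pattern = '^\[(?<ts>[^\]]+)\]\[(?<proc>0x[0-9A-Fa-f]+):0x[0-9A-Fa-f]+\] (?<msg>.*)$'
    $hits = foreach ($line in $Lines) {
        if ($line -match $pattern -and $Matches.msg -like 'VirtualAllocEx failed*') {
            [pscustomobject]@{
                Time = [datetime]::ParseExact($Matches.ts, 'yyyy-MM-dd HH:mm:ss',
                                              [cultureinfo]::InvariantCulture)
                Proc = $Matches.proc
            }
        }
    }
    $hits | Group-Object Proc | ForEach-Object {
        $times = $_.Group.Time | Sort-Object
        [pscustomobject]@{
            InjectorPid = $_.Name
            Failures    = $_.Count
            First       = $times[0]
            Last        = $times[-1]
        }
    }
}

# Constructed sample modelled on the debug.log excerpt in the thread (not real output).
$SampleLog = @'
[2017-03-03 14:17:20][0x5E0:0x5E4] VirtualAllocEx failed with error 5 - Access is denied.
[2017-03-03 14:17:20][0x5E0:0x5E4] C:\Program Files\AeroGlass\UxTSB.dll has been injected into explorer.exe.
[2017-03-03 14:17:21][0x1190:0x2BDC] VirtualAllocEx failed with error 5 - Access is denied.
[2017-03-03 14:17:24][0x5E0:0x5E4] VirtualAllocEx failed with error 5 - Access is denied.
[2017-03-03 14:17:25][0x1190:0x2BDC] VirtualAllocEx failed with error 5 - Access is denied.
'@ -split "`r?`n"

Get-AeroHostInstances | Format-Table -AutoSize
Get-LauncherState     | Format-Table -AutoSize
Get-AppInitState      | Format-List

# Swap in: Measure-InjectionFailures -Lines (Get-Content 'C:\Program Files\AeroGlass\debug.log')
$failures = Measure-InjectionFailures -Lines $SampleLog
$failures | Format-Table -AutoSize
if (@($failures).Count -gt 1) {
    'VirtualAllocEx failures come from more than one aerohost PID: two instances were injecting at once.'
}
```

On the sample above the log summary shows two injector PIDs (0x5E0 and 0x1190) with two failures each, the pattern CKyHC posted; on a machine where the task was ended before the service was installed, Get-AeroHostInstances should return a single row whose parent is srvany.exe and the log summary a single PID.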

16 hours ago, UCyborg said:

OK, I understand now that running aerohost via srvany doesn't solve the DLL injection problem. So we're still at a dead end...

Can the folder C:\Program Files\AeroGlass cause this problem? When I have time I will try to change the folder to C:\AeroGlass. But it's very doubtful...

The owner of C:\Program Files\AeroGlass is my account with administrator permissions. The SYSTEM account has full rights. What more permissions must the folder have to work properly?


On 28. 2. 2017 at 6:02 AM, UCyborg said:

Just for informational purposes, UxTSB no longer works with Insider build 15042.

Correction: themes still work on newer Insider builds, just selecting them under Themes doesn't work; you have to manually set the path to the .msstyles in the registry, then it works after re-logging in.
