bigmuscle

UxTheme Signature Bypass


Is there any progress with UxTSB.dll injection by DWMGlass.dll and the logon problem?

  • Upvote 1


If UxTSB.dll is loaded via the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs, Windows 8.1, 10 RTM, 10 TH and 10 RS can't open *.deskthemepack files.

If UxTSB.dll is loaded from DWMGlass.dll 1.5.2, there is no such problem.

Please fix this bug, or modify DWMGlass.dll 1.4.6 to load UxTSB.dll. But loading UxTSB.dll from DWMGlass.dll may cause the winlogon-loop problem...


A bit off-topic, but UxStyle seems to work on the latest Win10 build 14393 at first glance, though no luck on build 10586, and the word is it doesn't work on newer Insider builds. There have been reports about certain issues, but no new commits. None of the people that forked it changed anything either. Just bringing it up because its different approach might bypass the winlogon-loop problem. If only someone with the knowledge addressed its issues.

2 hours ago, UCyborg said:

different approach might bypass winlogon-loop problem

There is only one stable way to "bypass" f*cking DRM Secure Boot fully: sign the driver with a certificate obtained from a trusted certification authority like VeriSign. Both for UxStyle or Aero Glass (\uxstyle\code\tools\_sign.bat). A self-signed certificate doesn't work if Secure Boot is enabled. Another way is to use a known vulnerability in Microsoft Windows like MS16-094 or MY123/Slipstream.


The new injection method by DWMGlass.dll doesn't require a signed DLL, but something else can go wrong. Microsoft's official opinion is that there is no reliable method for injecting a DLL into a running process, if that has something to do with it. At least their own Detours library version 1.5 had a function for DLL injection which, I believe, under the hood utilized the CreateRemoteThread method, like DWMGlass.dll.

The only bad thing that happened once on my end was tons of VirtualAllocEx errors in debug.log; at the time it seemed like the logon process was aborted. The second logon attempt worked, but apparently things can go worse for unknown reasons.

Good point about the signing: the AppInit_DLLs method would work with Secure Boot if UxTSB.dll were signed, it's just that landing in almost every process is a bit of an overkill. They wrote a long time ago on MSDN that they may remove it in the future. Good point about UxStyle as well, I forgot about the driver that has to be signed.

Late edit: Actually, AppInit_DLLs is completely disabled when Secure Boot is active.

Edited by UCyborg

2 hours ago, UCyborg said:

The new injection method by DWMGlass.dll doesn't require a signed DLL

Secure Boot requires a signed DLL for AppInit_DLLs or a signed SYS driver in any case. Or maybe start it as an unsigned service earlier than the scheduler (srvany.exe works well for me). And DWMGlass.dll 1.4.6 for the current Windows 8.1 can't load UxTSB.dll, so *.deskthemepack files cannot be opened.

On 21.01.2017 at 11:40 AM, CKyHC said:

Is there any progress with UxTSB.dll injection by DWMGlass.dll and the logon problem?

Up. Bigmuscle, is there anything for this problem?


Just for informational purposes, UxTSB no longer works with Insider build 15042. UltraUXThemePatcher has been updated to support it. Old .msstyles for the Anniversary Update still work with minor glitches; I only noticed some outlines being visible inside the window while in Peek Desktop.

This build doesn't have the watermark. Maybe theme related things won't see further changes. But 1 month is still plenty of time to flip everything upside-down. No symbols to see Aero Glass in action, but again, nothing crashes. Says it runs in always-glass mode, though it looks more like no-glass mode.

On 24. 2. 2017 at 10:03 AM, CKyHC said:

Up. Bigmuscle, is there anything for this problem?

Unfortunately not, because I was not able to reproduce it.

6 hours ago, bigmuscle said:

Unfortunately not, because I was not able to reproduce it.

Fine... And what to do? Can you make a version with aerohost.exe or dwmglass.dll running as a service? I think this can help...

I'm not alone with that bug. Many people have it. Something must be done about this...

Edited by CKyHC

Posted (edited)

If it helps anyone, I wrote a small batch script that runs aerohost.exe as a service with the help of the srvany.exe wrapper mentioned a few posts above. Just extract both files and run InstallAGService as admin. And do stop the Aero Glass task beforehand from Task Scheduler and disable/delete it.

If you want to delete the service:

sc stop aerohost
sc delete aerohost

Then only the wrapper, which is copied to either Windows\System32 or Windows\SysWOW64, remains.

AeroGlassAsService.zip

Edited by UCyborg

Posted (edited)
3 hours ago, UCyborg said:

If it helps anyone, I wrote a small batch script that runs aerohost.exe as a service with the help of the srvany.exe wrapper mentioned a few posts above. Just extract both files and run InstallAGService as admin. And do stop the Aero Glass task beforehand from Task Scheduler and disable/delete it.

If you want to delete the service:

sc stop aerohost
sc delete aerohost

Then only the wrapper, which is copied to either Windows\System32 or Windows\SysWOW64, remains.

AeroGlassAsService.zip

I don't think that an application which is not designed as a service will run for a long time. After some time the system will close it because it's not a service at all. And after that UxTSB.dll will stop injecting into processes...

Maybe I'm wrong or don't understand it all right... Correct me then. It's only IMHO...

Edited by CKyHC

Posted (edited)

Absolutely nothing prevents a process from running forever, except that if it's started by a logged-on user it will be terminated at logoff. But an application which is not a service but is started independently of the interactive user, by the Task Scheduler for example, could run forever. Aerohost is just such an application. Note the run time on mine, from my Win 8.1 system...

AerohostRunTime.png

Often long-running applications that are intended to be independent of the interactive user are made into services just because the system provides a good way to manage such things.  But it's not a necessity.

-Noel

Edited by NoelC


I just wrote it wrong. I wanted to say that a process not designed as a service can't run long if it's started as a service.

I don't know, but I think that not every process can start as a service...

Posted (edited)

Exactly, applications that are run under the SYSTEM account run indefinitely unless you fully shut down or reboot the system. This just makes it independent from the Task Scheduler, so maybe it starts sooner. A better solution would be modifying aerohost.exe to accept service events.

srvany.exe is the wrapper that can make any application run as a service, but it is obsolete and has a number of limitations. It's true that you can't make aerohost.exe directly run as a service with sc create. https://www.coretechnologies.com/products/AlwaysUp/srvany.html Then you have paid solutions like FireDaemon Pro or AlwaysUp. Those are a must if you want to run e.g. a game server which wasn't coded as a service. There is also the free NSSM.

I can't really say if this helps with anything, as I can't reproduce the injection problem on my end either, but those are the only ways to run a non-service application like it was a service. If it actually helps, judging by the UxStyle source code, it doesn't seem it would take a lot of effort to turn aerohost.exe into a real service.

Edited by UCyborg

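Two persistence mechanisms come up across this thread: the AppInit_DLLs registry value (which CKyHC used to load UxTSB.dll, and which UCyborg notes is ignored once Secure Boot is active) and srvany.exe wrapper services (the route UCyborg's script takes for aerohost.exe). The read-only audit below is added here as an example and is not code from the thread or from Aero Glass; it assumes an elevated PowerShell session on Windows 8.1/10, and the function names are the example's own.

```powershell
# Added example: inventory AppInit_DLLs settings, Secure Boot state and srvany-wrapped services.
# Read-only; nothing is modified. Run elevated (Confirm-SecureBootUEFI requires admin).

function Get-AppInitDllAudit {
    # Both registry views matter on x64: the native key and the Wow6432Node key for 32-bit processes.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $p = Get-ItemProperty -Path $k
        [pscustomobject]@{
            Key                       = $k
            AppInit_DLLs              = $p.AppInit_DLLs               # space/comma separated DLL list
            LoadAppInit_DLLs          = $p.LoadAppInit_DLLs           # 1 = loading enabled
            RequireSignedAppInit_DLLs = $p.RequireSignedAppInit_DLLs  # 1 = unsigned DLLs are rejected
        }
    }
}

function Get-SecureBootState {
    # Throws on legacy BIOS machines or when not elevated; treat either as "not confirmed".
    try { Confirm-SecureBootUEFI } catch { $false }
}

function Get-WrapperServices {
    # A service whose ImagePath is srvany.exe runs whatever program its
    # Parameters\Application value names, so resolve that for each hit.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($svc.ImagePath -match 'srvany\.exe') {
            $paramKey = Join-Path $_.PSPath 'Parameters'
            $app = (Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue).Application
            [pscustomobject]@{
                Service     = $_.PSChildName
                ImagePath   = $svc.ImagePath
                Application = $app
            }
        }
    }
}

$secureBoot = Get-SecureBootState
Write-Host "Secure Boot confirmed: $secureBoot (when true, AppInit_DLLs entries are not loaded)"
Get-AppInitDllAudit | Format-List
Get-WrapperServices | Format-Table -AutoSize
```

Any DLL listed under AppInit_DLLs, and any srvany service whose Application points outside the usual system paths, is worth a closer look on a machine you did not configure that way yourself.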
