13
Aug 2011
11 Comments
The case of the broken Hello Kitty IZMO toy (Part 2 of 2)

Recap

So, back in Part 1, I managed to find software for the obscure Hello Kitty IZMO USB toy and patched it to sort of work on Windows 7. While the toy lit up at start, it didn’t quite function correctly – that is, every time I pressed keys on the keyboard, nothing happened. (This worked just fine on my Windows XP virtual machine.)

Y U NO SEE MY KEYS?

Before I could move on, I had to figure out how this software captured keystrokes. Scanning through the executable’s imports, I came across SetWindowsHookEx.  SetWindowsHook is an old school API used to tap into various system events; it supports a number of hook types including those involving the keyboard (WH_KEYBOARD) and mouse (WH_MOUSE).

I set a few breakpoints, all on calls to SetWindowsHookEx, and only one was actually used. It looked like so:

SetWindowsHookExA(WH_JOURNALRECORD, myJournalRecordProc, GetModuleHandle(NULL), 0 /* dwThreadId */);

I was puzzled by the use of WH_JOURNALRECORD here, given the toy only monitors keyboard input. Perhaps the developers, at some point, were looking to capture mouse input as well. Or maybe this was a cut/paste job. Regardless, I wasn’t going to spend time changing it. (It would have required some manual assembly writing work.) Instead I focused on the GetLastError value being returned to me — ERROR_ACCESS_DENIED.

We need more power

Elevating the application did no good. I was stuck. Out of options at the time, I decided to disable User Account Control (UAC) on my system. The program started working, holy assembler Batman! But, I was confused – why was this thing working with UAC off, but not when elevated? It turns out, disabling UAC also has a collateral impact on the state of another Windows feature called User Interface Privilege Isolation (UIPI). Introduced back in Windows Vista days, along with UAC, UIPI acts as an insulating layer of protection for processes with higher privileges. In other words, this layer prevents the little guys like Calculator from sending special messages to security-critical processes like an elevated Command Prompt preventing a specific type of evil – shatter attacks. (This insulting layer is what prevents you from dragging files onto an elevated Notepad instance, for example.)

Additional research into UIPI led to me a blurb on MSDN explaining what breaks with UIPI turned on, emphasis mine.

A lower privilege process cannot:

  • Perform a window handle validation of higher process privilege.
  • SendMessage or PostMessage to higher privilege application windows. These application programming interfaces (APIs) return success but silently drop the window message.
  • Use thread hooks to attach to a higher privilege process.
  • Use Journal hooks to monitor a higher privilege process.
  • Perform dynamic link-library (DLL) injection to a higher privilege process.

Okay, so I knew UIPI was the culprit here… but I thought: How do I workaround this? Or more importantly, promote the Hello Kitty application to a first class Windows citizen? After hours of stumbling around on MSDN, I came across a useful attribute you can throw into your application’s manifest – uiAccess. You may have seen a manifest before, with a segment that looked something like this:

<requestedExecutionLevel uiAccess="false" level="requireAdministrator" />

It turns out, uiAccess is a special attribute that whitelists the application, letting it pass through UIPI’s gates system-wide. (This is typically reserved for rare UI assistive technology, like screen readers.) Okay, so I created a plain manifest, set uiAccess to true, and fired up Hello Kitty.exe. Still nothing. AHHHHHHHHHHHH.

RTFM

The software still didn’t work, with my skim of the documentation to blame. I re-read the page, this time with a discerning eye, and came across the following warning (emphasis mine):

Important: Applications with the uiAccess flag set to true must be Authenticode signed to start properly. In addition, the application must reside in a protected location in the file system. \Program Files\ and \windows\system32\ are currently the two allowable protected locations.

I remember thinking, !#$% could they have made this more difficult? Thankfully, I already had a legit code-signing certificate ready to rock and roll. (I’ve signed various titles, including Geosense for Windows.) A few minutes with signtool.exe and the binary was digitally signed. I copied the relevant binaries (executable, library, sound file) to a new folder, as the instructions stated, within \Program Files (x86), crossed my fingers, and tried again. (Actually, the documentation claims Program Files\ and \System32 were the only two valid folders. This is not the case on x64 systems. Both Program Files\ and Program Files (x86)\ work in this case.)

IT WORKED. Whoo hoo! Now to get Jenny to come over and pick this thing up…

Summary

In this case, I…

  • … came across supporting software bundled with InstallShield 3.0 (16-bit executable)
  • … unpacked the InstallShield special cabinets manually
  • … virtualized Windows XP to ensure the device worked
  • … disassembled TenxHID.dll, to discover there was a change to Windows that affected the way we interact with HID devices
  • … disassembled Hello Kitty.exe to discover its use of Journal Hooks to receive keyboard/mouse input
  • … nearly gave up and disabled UAC on my system, revealing its impact on the application
  • … discovered UIPI shuts down if UAC is disabled
  • … discovered uiAccess whitelists applications for UIPI pass-through and requires you follow a very specific set of rules for use
  • … learned more about solving application compatibility problems. (I hope to one day meet up with the Microsoft Windows Application Experience SWAT team led by Chris Jackson.)
  • http://twitter.com/wolfsbane_pc John Blanton

    This was very cool and interesting. Thanks for the behind the desktop look at how Windows works.

  • Leo Davidson

    “This insulting layer is what prevents you from cut and pasting data into an elevated Notepad instance, for example.”

    UIPI doesn’t affect the clipboard AFAIK. At least, you can copy/cut/paste text between elevated and non-elevated programs like Notepad without UIPI getting in the way.

    Maybe you were thinking of drag & drop rather than copy & paste?

    • http://www.withinwindows.com Rafael R.

      Thanks Leo, I was indeed thinking about copy and paste. My fingers and brain don’t cooperate at times.

  • http://windowssucks.wordpress.com/ WindowsSucks

     My guess in part 1 was not that far off then :) For people without a cert., the code for WH_KEYBOARD_LL handling should be shorter than WH_JOURNALRECORD so some asm/hex editing should be possible

  • Anonymous

    Just as I thought. Only I didn’t know that there is a name for UIPI because we did have something like UIPI in Windows XP were User Account Control was nonexistent. (Actually, I mentally identified it as “impersonation is fragile”.)

    But if I were you, I’d try Windows 7 Compatibility settings too.

  • http://twitter.com/aSMiLoN aSMiLoN

    Thanks for what seemed an insignificant problem and the in dept resolution! It was really interesting!

  • Steven

    AWESOME! DO MORE OF THESE!

  • Andrew Britton

    Love this. In an age when most problems are worked around or it is heartening to read about someone taking the time to actually understand and solve a problem. More work in the same vein here: http://blogs.technet.com/b/markrussinovich/

  • Guest

    Nice post. It’ll be interesting to list also the tools you used; just in case someone else’s interested.

  • Emp

    Do you have files that ended up working, I am wondering if you can put them available for download, I have one of these for my daughters computer that I am trying to get working, and I cannot find the original disk for it, and I would like to get it working on her new x64 Win7

    • http://www.withinwindows.com Rafael R.

      Sure, email me (see top of page for link).