Quick set of notes from UWP/Windows mobile assessment
Proxying
I was stumped for a significant period of time when trying to bypass SSL pinning on a UWP app. Turns out it was nothing to do with SSL pinning. UWP Apps by default cannot communicate with localhost ports. This is part of Network Isolation. You will have to create an exemption for the UWP app:
https://archive.codeplex.com/?p=loopback
Debugging
Windbg can be used to debug the UWP application at startup
.\windbg.exe -plmPackage <PackageFullName> -plmApp App
x64dbg/ollydbg can attach to UWP apps. But cannot debug at startup. Image Execution Options trick used to debug windows services at startup does not work for UWP apps.
Instrumentation
API Monitor cannot monitor the process at startup. However, it can attach at runtime. To attach the process at startup, a simple trick would be to start debugging using windbg and when windbg hits application entry point (break at RHBinder__ShimExeMain) API monitor can be attached.
Storage
- Reg Hives
Applications often use the reg hive format as a storage format and it can be loaded using regedit. Regedit->Load Hive. The file can be identified by the first 4 bytes – REGF.
- Protected Files
Windows 10 lately protects the applications installation folder and any user mode provisions such as making the folder owner as the user and other techniques seems ineffective. This makes patching the application non-trivial. There are few options here:
-
Use this driver
https://github.com/DavidXanatos/IgnoreACLs
-
Dump the application binary and run it from the dumped path as shown below
https://github.com/Wunkolo/UWPDumper