UACME/README.md

# UACMe
* Defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor.

# System Requirements

* x86-32/x64 Windows 7/8/8.1/10 (client, some methods however works on server version too).
* Admin account with UAC set on default settings required.

# Usage

Run executable from command line: akagi32 [Key] [Param] or akagi64 [Key] [Param]. See "Run examples" below for more info.

First param is number of method to use, second is optional command (executable file name including full path) to run. Second param can be empty - in this case program will execute elevated cmd.exe from system32 folder.

Keys (watch debug ouput with dbgview or similar for more info):
* 1 - Leo Davidson sysprep method, this will work only on Windows 7 and Windows 8, used in multiple malware;
* 2 - Tweaked Leo Davidson sysprep method, this will work only on Windows 8.1.9600;
* 3 - Leo Davidson method tweaked by WinNT/Pitou developers, works from Windows 7 up to 10th2 10532;
* 4 - Application Compatibility Shim RedirectEXE method, from WinNT/Gootkit. Works from Windows 7 up to 8.1.9600;
* 5 - ISecurityEditor WinNT/Simda method, used to turn off UAC, works from Windows 7 up to Windows 10th1 100136;
* 6 - Wusa method used by Win32/Carberp, tweaked to work with Windows 8/8.1 also;
* 7 - Wusa method, tweaked to work from Windows 7 up to 10th1 10136;
* 8 - Slightly modified Leo Davidson method used by Win32/Tilon, works only on Windows 7;
* 9 - Hybrid method, combination of WinNT/Simda and Win32/Carberp + AVrf, works from Windows 7 up to 10th1 10136;
* 10 - Hybrid method, abusing appinfo.dll way of whitelisting autoelevated applications and KnownDlls cache changes, works from Windows 7 up to 10th2 10532;
* 11 - WinNT/Gootkit second method based on the memory patching from MS "Fix it" patch shim (and as side effect - arbitrary dll injection), works from Windows 7 up to 8.1.9600;
* 12 - Windows 10 sysprep method, abusing different dll dependency added in Windows 10 (works up to 10th2 10558);
* 13 - Hybrid method, abusing appinfo.dll way of whitelisting MMC console commands and EventViewer missing dependency, works from Windows 7 up to 10rs1 14295;
* 14 - WinNT/Sirefef method, abusing appinfo.dll way of whitelisting OOBE.exe, works from Windows 7 up to 10th2 10558;
* 15 - Win32/Addrop method, also used in Metasploit uacbypass module, works from Windows 7 up to 10rs1 14295;
* 16 - Hybrid method working together with Microsoft GWX backdoor, work from Windows 7 up to 10rs1 14295;
* 17 - Hybrid method, abuses appinfo whitelist/logic/API choice&usage, work from Windows 8.1 (9600) up to 10rs1 14332.

Note:
* Several methods require process injection, so they won't work from wow64, use x64 edition of this tool;
* Method (4) unavailable in 64 bit edition because of Shim restriction;
* Method (6) unavailable in wow64 environment starting from Windows 8. Also target application unavailable in Windows 10;
* Method (11) implemented in x86-32 version;
* Method (13) implemented only in x64 version.

Run examples:
* akagi32.exe 1
* akagi64.exe 3
* akagi32 1 c:\windows\system32\calc.exe
* akagi64 3 c:\windows\system32\charmap.exe

# Warning
* This tool shows ONLY popular UAC bypass method used by malware, and reimplement some of them in a different way improving original concepts. There are exists different, not yet known to general public methods, be aware of this;  
* Using (5) method will permanently turn off UAC (after reboot), make sure to do this in test environment or don't forget to re-enable UAC after tool usage;
* Using (5), (9) methods will permanently compromise security of target keys (UAC Settings key for (5) and IFEO for (9)), if you do tests on your real machine - restore keys security manually after you complete this tool usage;
* This tool is not intended for AV tests and not tested to work in aggressive AV environment, if you still plan to use it with installed bloatware AV soft - you use it at your own risk;
* Some AV may flag this tools as HackTool, MSE/WinDefender constantly marks it as malware, nope;
* If you run this program on real computer remember to remove all program leftovers after usage, for more info about files it drops to system folders see source code.

# Microsoft countermeasures
Methods fixed:
* 1 - Fixed with Windows 8.1 release, still work on Windows 7;
* 2 - Fixed in Windows 10 starting from earlier preview builds;
* 3 - Fixed in Windows 10 TH2 starting from 1055X builds;
* 4 - Fixed in Windows 10 starting from first preview builds, earlier OS versions got KB3045645/KB3048097 fix;
* 5 - Fixed in Windows 10 starting from 10147 build;
* 6 - Fixed in Windows 10 starting from 10147 build;
* 7 - Fixed in Windows 10 starting from 10147 build;
* 8 - Fixed with Windows 8.1 release, still work on Windows 7;
* 9 - Fixed in Windows 10 starting from 10147 build;
* 10 - Fixed in Windows 10 TH2 starting from build 10548;
* 11 - Fixed in Windows 10 starting from first preview builds, earlier OS versions got KB3045645/KB3048097 fix;
* 12 - Fixed in Windows 10 TH2 starting from 10565 build;
* 13 - Fixed in Windows 10 RS1 starting from public 14316 build;
* 14 - Fixed in Windows 10 TH2 starting from 10548 build;
* 15 - Fixed in Windows 10 RS1 starting from public 14316 build;
* 16 - Fixed in Windows 10 RS1 starting from public 14316 build.

# Protection
* UAC turned on maximum level and full awareness about every window it will show;
* Account without administrative privileges.

# Malware usage
* It is currently known that UACMe used by Adware/Multiplug (9), by Win32/Dyre (3), by Win32/Empercrypt (10 & 13). We do  not take any responsibility for this tool usage in the malicious purposes. It is free, open-source and provided AS-IS for everyone.

# Build 

* UACMe comes with full source code, written in C;
* In order to build from source you need Microsoft Visual Studio 2013/2015 U2 and later versions.

# References

* Windows 7 UAC whitelist, http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
* Malicious Application Compatibility Shims, https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf

 
# Authors

(c) 2014 - 2016 UACMe Project
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`# UACMe`
			`* Defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor.`

			`# System Requirements`

v 1.8.1 Ported to MSVS 2015, Server 2016 build 10514 info added. 2015-08-16 05:39:47 +00:00			`* x86-32/x64 Windows 7/8/8.1/10 (client, some methods however works on server version too).`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`* Admin account with UAC set on default settings required.`

			`# Usage`

v 1.9.0 mmc method added, optional second param to execute added 2015-09-17 07:31:36 +00:00			`Run executable from command line: akagi32 [Key] [Param] or akagi64 [Key] [Param]. See "Run examples" below for more info.`

v 1.9.1 Zlader method added, readme updated. 2015-10-12 15:05:38 +00:00			`First param is number of method to use, second is optional command (executable file name including full path) to run. Second param can be empty - in this case program will execute elevated cmd.exe from system32 folder.`
v 1.9.0 mmc method added, optional second param to execute added 2015-09-17 07:31:36 +00:00
			`Keys (watch debug ouput with dbgview or similar for more info):`
v 1.2.0 Tweaked Win32/Carberp method added 2015-03-29 08:12:55 +00:00			`* 1 - Leo Davidson sysprep method, this will work only on Windows 7 and Windows 8, used in multiple malware;`
v 1.5.0 Hybrid Simda/Carberp with AppVerif added. 2015-04-05 16:28:52 +00:00			`* 2 - Tweaked Leo Davidson sysprep method, this will work only on Windows 8.1.9600;`
v 2.0.0 Recompiled with vs2k15 U1, readme update for Win10 RS1 11082, sha256 instead of sha512 2015-12-18 14:52:54 +00:00			`* 3 - Leo Davidson method tweaked by WinNT/Pitou developers, works from Windows 7 up to 10th2 10532;`
v 1.9.2 update with TH2 10565 info 2015-10-14 09:18:14 +00:00			`* 4 - Application Compatibility Shim RedirectEXE method, from WinNT/Gootkit. Works from Windows 7 up to 8.1.9600;`
v 2.0.0 Recompiled with vs2k15 U1, readme update for Win10 RS1 11082, sha256 instead of sha512 2015-12-18 14:52:54 +00:00			`* 5 - ISecurityEditor WinNT/Simda method, used to turn off UAC, works from Windows 7 up to Windows 10th1 100136;`
v 1.4.0 Win32/Tilon. 2015-04-04 15:37:21 +00:00			`* 6 - Wusa method used by Win32/Carberp, tweaked to work with Windows 8/8.1 also;`
v 2.0.0 Recompiled with vs2k15 U1, readme update for Win10 RS1 11082, sha256 instead of sha512 2015-12-18 14:52:54 +00:00			`* 7 - Wusa method, tweaked to work from Windows 7 up to 10th1 10136;`
v 1.5.0 Hybrid Simda/Carberp with AppVerif added. 2015-04-05 16:28:52 +00:00			`* 8 - Slightly modified Leo Davidson method used by Win32/Tilon, works only on Windows 7;`
v 2.0.0 Recompiled with vs2k15 U1, readme update for Win10 RS1 11082, sha256 instead of sha512 2015-12-18 14:52:54 +00:00			`* 9 - Hybrid method, combination of WinNT/Simda and Win32/Carberp + AVrf, works from Windows 7 up to 10th1 10136;`
			`* 10 - Hybrid method, abusing appinfo.dll way of whitelisting autoelevated applications and KnownDlls cache changes, works from Windows 7 up to 10th2 10532;`
v 1.9.2 update with TH2 10565 info 2015-10-14 09:18:14 +00:00			`* 11 - WinNT/Gootkit second method based on the memory patching from MS "Fix it" patch shim (and as side effect - arbitrary dll injection), works from Windows 7 up to 8.1.9600;`
v 2.0.0 Recompiled with vs2k15 U1, readme update for Win10 RS1 11082, sha256 instead of sha512 2015-12-18 14:52:54 +00:00			`* 12 - Windows 10 sysprep method, abusing different dll dependency added in Windows 10 (works up to 10th2 10558);`
v 2.0.1 readme update for 14316 2016-04-10 17:36:43 +00:00			`* 13 - Hybrid method, abusing appinfo.dll way of whitelisting MMC console commands and EventViewer missing dependency, works from Windows 7 up to 10rs1 14295;`
v 2.0.1 readme update 2016-01-04 11:44:07 +00:00			`* 14 - WinNT/Sirefef method, abusing appinfo.dll way of whitelisting OOBE.exe, works from Windows 7 up to 10th2 10558;`
v 2.0.1 readme update for 14316 2016-04-10 17:36:43 +00:00			`* 15 - Win32/Addrop method, also used in Metasploit uacbypass module, works from Windows 7 up to 10rs1 14295;`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`* 16 - Hybrid method working together with Microsoft GWX backdoor, work from Windows 7 up to 10rs1 14295;`
readme update updated with 14332 info 2016-04-27 04:59:31 +00:00			`* 17 - Hybrid method, abuses appinfo whitelist/logic/API choice&usage, work from Windows 8.1 (9600) up to 10rs1 14332.`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00
			`Note:`
v 1.9.1 Zlader method added 2015-10-12 10:38:28 +00:00			`* Several methods require process injection, so they won't work from wow64, use x64 edition of this tool;`
v 1.6.0 Readme update for win10.0.10061 build 2015-04-23 11:00:45 +00:00			`* Method (4) unavailable in 64 bit edition because of Shim restriction;`
v 1.8.0 Readme update for win10 build 10240 2015-07-17 04:41:20 +00:00			`* Method (6) unavailable in wow64 environment starting from Windows 8. Also target application unavailable in Windows 10;`
v 1.7.2 Readme update, considering latest MS patch. 2015-04-30 07:39:41 +00:00			`* Method (11) implemented in x86-32 version;`
v 2.0.0 Recompiled with vs2k15 U1, readme update for Win10 RS1 11082, sha256 instead of sha512 2015-12-18 14:52:54 +00:00			`* Method (13) implemented only in x64 version.`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00
			`Run examples:`
			`* akagi32.exe 1`
			`* akagi64.exe 3`
v 1.9.0 mmc method added, optional second param to execute added 2015-09-17 07:31:36 +00:00			`* akagi32 1 c:\windows\system32\calc.exe`
			`* akagi64 3 c:\windows\system32\charmap.exe`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00
			`# Warning`
v 1.7.3 Method #12 (sysprep win10) again work with recent win10 build 10125 2015-05-29 06:43:56 +00:00			`* This tool shows ONLY popular UAC bypass method used by malware, and reimplement some of them in a different way improving original concepts. There are exists different, not yet known to general public methods, be aware of this;`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`* Using (5) method will permanently turn off UAC (after reboot), make sure to do this in test environment or don't forget to re-enable UAC after tool usage;`
v 1.7.1 Inazuma shellcode opt. 2015-04-25 05:16:44 +00:00			`* Using (5), (9) methods will permanently compromise security of target keys (UAC Settings key for (5) and IFEO for (9)), if you do tests on your real machine - restore keys security manually after you complete this tool usage;`
v 1.9.0 mmc method added, optional second param to execute added 2015-09-17 07:31:36 +00:00			`* This tool is not intended for AV tests and not tested to work in aggressive AV environment, if you still plan to use it with installed bloatware AV soft - you use it at your own risk;`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`* Some AV may flag this tools as HackTool, MSE/WinDefender constantly marks it as malware, nope;`
v 1.9.0 mmc method added, optional second param to execute added 2015-09-17 07:31:36 +00:00			`* If you run this program on real computer remember to remove all program leftovers after usage, for more info about files it drops to system folders see source code.`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00
v 1.9.1 Zlader method added 2015-10-12 10:38:28 +00:00			`# Microsoft countermeasures`
			`Methods fixed:`
readme update updated with 14332 info 2016-04-27 04:59:31 +00:00			`* 1 - Fixed with Windows 8.1 release, still work on Windows 7;`
			`* 2 - Fixed in Windows 10 starting from earlier preview builds;`
			`* 3 - Fixed in Windows 10 TH2 starting from 1055X builds;`
v 1.9.1 Zlader method added 2015-10-12 10:38:28 +00:00			`* 4 - Fixed in Windows 10 starting from first preview builds, earlier OS versions got KB3045645/KB3048097 fix;`
readme update updated with 14332 info 2016-04-27 04:59:31 +00:00			`* 5 - Fixed in Windows 10 starting from 10147 build;`
			`* 6 - Fixed in Windows 10 starting from 10147 build;`
			`* 7 - Fixed in Windows 10 starting from 10147 build;`
			`* 8 - Fixed with Windows 8.1 release, still work on Windows 7;`
			`* 9 - Fixed in Windows 10 starting from 10147 build;`
			`* 10 - Fixed in Windows 10 TH2 starting from build 10548;`
v 1.9.1 Zlader method added 2015-10-12 10:38:28 +00:00			`* 11 - Fixed in Windows 10 starting from first preview builds, earlier OS versions got KB3045645/KB3048097 fix;`
v 1.9.2 update with TH2 10565 info 2015-10-14 09:20:49 +00:00			`* 12 - Fixed in Windows 10 TH2 starting from 10565 build;`
v 2.0.1 readme update for 14316 2016-04-10 17:36:43 +00:00			`* 13 - Fixed in Windows 10 RS1 starting from public 14316 build;`
			`* 14 - Fixed in Windows 10 TH2 starting from 10548 build;`
			`* 15 - Fixed in Windows 10 RS1 starting from public 14316 build;`
			`* 16 - Fixed in Windows 10 RS1 starting from public 14316 build.`
v 1.9.1 Zlader method added 2015-10-12 10:38:28 +00:00
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`# Protection`
			`* UAC turned on maximum level and full awareness about every window it will show;`
			`* Account without administrative privileges.`

v 1.8 Method 10 reworked, MS signature removed, readme updated to reflect latest win10 build 10166 changes. 2015-07-11 10:13:14 +00:00			`# Malware usage`
readme update updated with 14332 info 2016-04-27 04:59:31 +00:00			`* It is currently known that UACMe used by Adware/Multiplug (9), by Win32/Dyre (3), by Win32/Empercrypt (10 & 13). We do not take any responsibility for this tool usage in the malicious purposes. It is free, open-source and provided AS-IS for everyone.`
v 1.8 Method 10 reworked, MS signature removed, readme updated to reflect latest win10 build 10166 changes. 2015-07-11 10:13:14 +00:00
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`# Build`

v 1.6.0 Readme update for win10.0.10061 build 2015-04-23 11:00:45 +00:00			`* UACMe comes with full source code, written in C;`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`* In order to build from source you need Microsoft Visual Studio 2013/2015 U2 and later versions.`
v 2.0.1 readme update 2016-03-18 04:45:19 +00:00
			`# References`

			`* Windows 7 UAC whitelist, http://www.pretentiousname.com/misc/win7_uac_whitelist2.html`
			`* Malicious Application Compatibility Shims, https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf`

Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00
			`# Authors`

v 2.0.0 Recompiled with vs2k15 U1, readme update for Win10 RS1 11082, sha256 instead of sha512 2015-12-18 14:52:54 +00:00			`(c) 2014 - 2016 UACMe Project`