2015-03-28 12:00:29 +00:00
# UACMe
* Defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor.
# System Requirements
* x86-32/x64 Windows 7/8/8.1/10 (client; some methods, however, work on server versions too).
* Admin account with UAC set to default settings required.
# Usage
Run the executable from the command line: akagi32 [Key] [Param] or akagi64 [Key] [Param]. See "Run examples" below for more info.
First param is the number of the method to use, second is an optional command (executable file name including full path) to run. Second param can be empty - in this case the program will execute elevated cmd.exe from the system32 folder.
Keys (watch debug output with dbgview or similar for more info):
* 1 - Leo Davidson sysprep method, this will work only on Windows 7 and Windows 8, used in multiple malware;
* 2 - Tweaked Leo Davidson sysprep method, this will work only on Windows 8.1.9600;
* 3 - Leo Davidson method tweaked by WinNT/Pitou developers, works from Windows 7 up to 10th2 10532;
* 4 - Application Compatibility Shim RedirectEXE method, from WinNT/Gootkit. Works from Windows 7 up to 8.1.9600;
* 5 - ISecurityEditor WinNT/Simda method, used to turn off UAC, works from Windows 7 up to Windows 10th1 100136;
* 6 - Wusa method used by Win32/Carberp, tweaked to work with Windows 8/8.1 also;
* 7 - Wusa method, tweaked to work from Windows 7 up to 10th1 10136;
* 8 - Slightly modified Leo Davidson method used by Win32/Tilon, works only on Windows 7;
* 9 - Hybrid method, combination of WinNT/Simda and Win32/Carberp + AVrf, works from Windows 7 up to 10th1 10136;
* 10 - Hybrid method, abusing the appinfo.dll way of whitelisting autoelevated applications and KnownDlls cache changes, works from Windows 7 up to 10th2 10532;
* 11 - WinNT/Gootkit second method based on the memory patching from MS "Fix it" patch shim (and as a side effect - arbitrary dll injection), works from Windows 7 up to 8.1.9600;
* 12 - Windows 10 sysprep method, abusing a different dll dependency added in Windows 10 (works up to 10th2 10558);
* 13 - Hybrid method, abusing Microsoft Management Console and EventViewer missing dependency, works from Windows 7 up to 10rs1 14295;
* 14 - WinNT/Sirefef method, abusing the appinfo.dll way of whitelisting OOBE.exe, works from Windows 7 up to 10th2 10558;
* 15 - Win32/Addrop method, also used in Metasploit uacbypass module, works from Windows 7 up to 10rs1 14295;
* 16 - Hybrid method working together with Microsoft GWX backdoor, works from Windows 7 up to 10rs1 14295;
* 17 - Hybrid method, abuses appinfo whitelist/logic/API choice & usage, works from Windows 8.1 (9600) up to 10rs1 14367;
* 18 - Hybrid method, abuses SxS undocumented backdoor used to fix (1) and appinfo whitelist, works from Windows 7 up to 10rs1 14367;
* 19 - Hybrid method, using InetMgr IIS module and based on 10 & 16 MS fixes, works from Windows 7 up to 10rs1 14372;
* 20 - Hybrid method, abusing Microsoft Management Console and incorrect dll loading scheme, works from Windows 7 up to 10rs1 14385;
* 21 - Hybrid method, abusing SxS DotLocal and targeting sysprep, works from Windows 7 up to 10rs1 14385;
* 22 - Hybrid method, abusing SxS DotLocal and targeting consent to gain system privileges, works from Windows 7 up to 10rs1 14385;
* 23 - Hybrid method, abusing Package Manager and DISM, works from Windows 7 up to 10rs1 14385.
Note:
* Several methods require process injection, so they won't work from wow64, use the x64 edition of this tool;
* Method (4) unavailable in 64 bit edition because of Shim restriction;
* Method (6) unavailable in wow64 environment starting from Windows 8;
* Method (11) implemented in x86-32 version;
* Methods (13), (19) and above implemented only in x64 version.
Run examples:
* akagi32.exe 1
* akagi64.exe 3
* akagi32 1 c:\windows\system32\calc.exe
* akagi64 3 c:\windows\system32\charmap.exe
# Warning
* This tool shows ONLY popular UAC bypass methods used by malware, and reimplements some of them in a different way, improving the original concepts. There exist different methods not yet known to the general public, be aware of this;
* Using method (5) will permanently turn off UAC (after reboot), make sure to do this in a test environment or don't forget to re-enable UAC after tool usage;
* Using methods (5), (9) will permanently compromise the security of the target keys (UAC Settings key for (5) and IFEO for (9)); if you do tests on your real machine, restore key security manually after you complete this tool usage;
* This tool is not intended for AV tests and is not tested to work in an aggressive AV environment; if you still plan to use it with installed bloatware AV soft, you use it at your own risk;
* Some AV may flag this tool as HackTool, MSE/WinDefender constantly marks it as malware, nope;
* If you run this program on a real computer, remember to remove all program leftovers after usage; for more info about the files it drops to system folders see the source code;
* Since 2.4 all added methods/code will be strictly x64. I don't see any sense in supporting 32 bit versions of Windows in 2016.
# Microsoft countermeasures
Methods fixed:
* 1 - Windows 8.1 release and above, still works on Windows 7;
* 2 - Windows 10 starting from earlier preview builds;
* 3 - Windows 10 TH2 starting from 1055X builds;
* 4 - Windows 10 starting from first preview builds, earlier OS versions got KB3045645/KB3048097 fix;
* 5 - Windows 10 starting from 10147 build;
* 6 - Windows 10 starting from 10147 build;
* 7 - Windows 10 starting from 10147 build;
* 8 - Windows 8.1 release and above, still works on Windows 7;
* 9 - Windows 10 starting from 10147 build;
* 10 - Windows 10 TH2 starting from build 10548;
* 11 - Windows 10 starting from first preview builds, earlier OS versions got KB3045645/KB3048097 fix;
* 12 - Windows 10 TH2 starting from 10565 build;
* 13 - Windows 10 RS1 starting from public 14316 build;
* 14 - Windows 10 TH2 starting from 10548 build;
* 15 - Windows 10 RS1 starting from public 14316 build;
* 16 - Windows 10 RS1 starting from public 14316 build;
* 17 - Windows 10 RS1 starting from public 14371 build;
* 18 - Windows 10 RS1 starting from public 14371 build;
* 19 - Windows 10 RS1 starting from public 14376 build;
* 20, 21, 22, 23 - not fixed as of 11 July 2016.
# Protection
* UAC turned on at maximum level and full awareness of every window it will show;
* Account without administrative privileges.
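As an added defensive check (not part of the UACMe project), this PowerShell script verifies the two protections above on the local machine: that UAC is enabled and at its maximum level, and whether the current account is a member of local Administrators at all. The registry path and value names are the standard Windows UAC policy settings; the expected values are the ones the "Always notify" level writes.

```powershell
# Added example, not part of the UACMe project: verifies the two protections
# listed above on the local machine. Works from a normal (non-elevated) prompt.
$path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac  = Get-ItemProperty -Path $path

# Values written by the "Always notify" (maximum) UAC level. EnableLUA=0 is the
# state method (5) leaves behind; ConsentPromptBehaviorAdmin=5 is the default
# level, which is what every method in this README targets.
$expected = @{
    EnableLUA                  = 1   # UAC enabled at all
    ConsentPromptBehaviorAdmin = 2   # prompt for consent on every elevation
    PromptOnSecureDesktop      = 1   # prompt drawn on the secure desktop
}

$findings = foreach ($name in $expected.Keys) {
    $actual = $uac.$name          # $null if the value is absent
    [pscustomobject]@{
        Setting  = $name
        Actual   = $actual
        Expected = $expected[$name]
        Ok       = ($actual -eq $expected[$name])
    }
}
$findings | Format-Table -AutoSize

if ($uac.EnableLUA -ne 1) {
    Write-Warning 'UAC is disabled (EnableLUA=0); re-enable it and reboot.'
} elseif ($findings.Ok -contains $false) {
    Write-Warning 'UAC is below maximum level; set the slider to "Always notify" in UserAccountControlSettings.exe.'
}

# Second protection: is this account an administrator at all? The filtered
# (medium integrity) token still lists the Administrators group, marked
# deny-only, so checking the group SID works even without elevation.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$groupSids = $identity.Groups | ForEach-Object { $_.Value }
$adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
if ($groupSids -contains $adminsSid) {
    Write-Warning 'Current account is in local Administrators; autoelevate bypasses apply to it. Use a standard user for daily work.'
} else {
    Write-Output 'Current account is a standard user; UAC autoelevate bypasses do not apply to it.'
}
```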
# Malware usage
* It is currently known that UACMe is used by Adware/Multiplug (9), by Win32/Dyre (3), by Win32/Empercrypt (10 & 13). We do not take any responsibility for the usage of this tool for malicious purposes. It is free, open-source and provided AS-IS for everyone.
# Other usage
* Currently used as a "signature" by the "THOR APT" scanner (handmade pattern matching fraudware from Germany). We do not take any responsibility for the usage of this tool in the fraudware.
# VirusTotal reference report
* Akagi32 https://www.virustotal.com/en/file/60734c75dd46508a8dc8e14e4bbecdab31816a2df74b5ffabc8a35f307919915/analysis/1468224001/
* Akagi64 https://www.virustotal.com/en/file/f8e57a07560e49cf7b051f45066945634f281739cee4b072c11131e638b276bc/analysis/1468224011/
# Build
* UACMe comes with full source code, written in C;
* In order to build from source you need Microsoft Visual Studio 2013/2015 U2 and later versions.
# References
* Windows 7 UAC whitelist, http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
* Malicious Application Compatibility Shims, https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf
* Blog of Junfeng Zhang from the WinSxS dev team, https://blogs.msdn.microsoft.com/junfeng/
* Beyond good ol' Run key, series of articles, http://www.hexacorn.com/blog
* KernelMode.Info UACMe thread, http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3643
# Authors
(c) 2014 - 2016 UACMe Project