UACME/README.md

# UACMe
* Defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor.
* More info http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3643

# System Requirements

* x86-32/x64 Windows 7/8/8.1/10.
* Admin account with UAC set on default settings required.

# Usage

Run executable from command line with following keys (watch debug ouput with dbgview or similar for more info):
* 1 - Leo Davidson sysprep method, this will work only on Windows 7 and Windows 8, used in multiple malware;
* 2 - Tweaked Leo Davidson sysprep method, this will work only on Windows 8.1.9600;
* 3 - Leo Davidson method tweaked by WinNT/Pitou developers, works from Windows 7 up to 10.0.10049;
* 4 - Application Compatibility Shim RedirectEXE method, from WinNT/Gootkit. Works from Windows 7 up to 8.1.9600;
* 5 - ISecurityEditor WinNT/Simda method, used to turn off UAC, works from Windows 7 up to Windows 10.0.10049;
* 6 - Wusa method used by Win32/Carberp, tweaked to work with Windows 8/8.1 also;
* 7 - Wusa method, tweaked to work from Windows 7 up to 10.0.10049;
* 8 - Slightly modified Leo Davidson method used by Win32/Tilon, works only on Windows 7;
* 9 - Hybrid method, combination of WinNT/Simda and Win32/Carberp + AVrf, works from Windows 7 up to 10.0.10049.

Note:
* Methods (1), (2), (3), (5), (8), (9) require process injection, so they won't work from wow64, you need either Heavens gate or use x64 edition of this tool;
* Method (4) unavailable in 64 bit edition because of Shim restriction.
* Method (6) unavailable in wow64 environment starting from Windows 8. Also target application absent in recent Windows 10 TP 10049 build.

Run examples:
* akagi32.exe 1
* akagi64.exe 3

# Warning
* Using (5) method will permanently turn off UAC (after reboot), make sure to do this in test environment or don't forget to re-enable UAC after tool usage;
* Using (9) method will permanently compromise security of IFEO key, if you do tests on your real machine - restore IFEO security manually after you complete this tool usage;
* This tool is not intended for AV tests and not tested to work in aggressive AV environment, if you still plan to use it with installed bloatware AV soft - you use it at your 

own risk.

# Protection
* UAC turned on maximum level and full awareness about every window it will show;
* Account without administrative privileges.

# Build 

* UACMe comes with full source code, written in C.
* In order to build from source you need Microsoft Visual Studio 2013 U4 and later versions.
 
# Authors

(c) 2014 - 2015 UACMe Project
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`# UACMe`
			`* Defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor.`
			`* More info http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3643`

			`# System Requirements`

			`* x86-32/x64 Windows 7/8/8.1/10.`
			`* Admin account with UAC set on default settings required.`

			`# Usage`

			`Run executable from command line with following keys (watch debug ouput with dbgview or similar for more info):`
v 1.2.0 Tweaked Win32/Carberp method added 2015-03-29 08:12:55 +00:00			`* 1 - Leo Davidson sysprep method, this will work only on Windows 7 and Windows 8, used in multiple malware;`
v 1.5.0 Hybrid Simda/Carberp with AppVerif added. 2015-04-05 16:28:52 +00:00			`* 2 - Tweaked Leo Davidson sysprep method, this will work only on Windows 8.1.9600;`
			`* 3 - Leo Davidson method tweaked by WinNT/Pitou developers, works from Windows 7 up to 10.0.10049;`
			`* 4 - Application Compatibility Shim RedirectEXE method, from WinNT/Gootkit. Works from Windows 7 up to 8.1.9600;`
			`* 5 - ISecurityEditor WinNT/Simda method, used to turn off UAC, works from Windows 7 up to Windows 10.0.10049;`
v 1.4.0 Win32/Tilon. 2015-04-04 15:37:21 +00:00			`* 6 - Wusa method used by Win32/Carberp, tweaked to work with Windows 8/8.1 also;`
v 1.5.0 Hybrid Simda/Carberp with AppVerif added. 2015-04-05 16:28:52 +00:00			`* 7 - Wusa method, tweaked to work from Windows 7 up to 10.0.10049;`
			`* 8 - Slightly modified Leo Davidson method used by Win32/Tilon, works only on Windows 7;`
			`* 9 - Hybrid method, combination of WinNT/Simda and Win32/Carberp + AVrf, works from Windows 7 up to 10.0.10049.`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00
			`Note:`
v 1.5.0 Hybrid Simda/Carberp with AppVerif added. 2015-04-05 16:28:52 +00:00			`* Methods (1), (2), (3), (5), (8), (9) require process injection, so they won't work from wow64, you need either Heavens gate or use x64 edition of this tool;`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00			`* Method (4) unavailable in 64 bit edition because of Shim restriction.`
v 1.5.0 Hybrid Simda/Carberp with AppVerif added. 2015-04-05 16:28:52 +00:00			`* Method (6) unavailable in wow64 environment starting from Windows 8. Also target application absent in recent Windows 10 TP 10049 build.`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00
			`Run examples:`
			`* akagi32.exe 1`
			`* akagi64.exe 3`

			`# Warning`
			`* Using (5) method will permanently turn off UAC (after reboot), make sure to do this in test environment or don't forget to re-enable UAC after tool usage;`
v 1.5.0 Hybrid Simda/Carberp with AppVerif added. 2015-04-05 16:28:52 +00:00			`* Using (9) method will permanently compromise security of IFEO key, if you do tests on your real machine - restore IFEO security manually after you complete this tool usage;`
			`* This tool is not intended for AV tests and not tested to work in aggressive AV environment, if you still plan to use it with installed bloatware AV soft - you use it at your`

			`own risk.`
Initial commit v 1.1.0 2015-03-28 12:00:29 +00:00
			`# Protection`
			`* UAC turned on maximum level and full awareness about every window it will show;`
			`* Account without administrative privileges.`

			`# Build`

			`* UACMe comes with full source code, written in C.`
			`* In order to build from source you need Microsoft Visual Studio 2013 U4 and later versions.`

			`# Authors`

			`(c) 2014 - 2015 UACMe Project`