KB article links and IDs added.
hfiref0x 2015-04-30 19:12:18 +07:00
parent 6491b19bfb
commit b4746ee34c
1 changed files with 3 additions and 3 deletions


@ -13,14 +13,14 @@ Run executable from command line with following keys (watch debug ouput with dbg
* 1 - Leo Davidson sysprep method, this will work only on Windows 7 and Windows 8, used in multiple malware;
* 2 - Tweaked Leo Davidson sysprep method, this will work only on Windows 8.1.9600;
* 3 - Leo Davidson method tweaked by WinNT/Pitou developers, works from Windows 7 up to 10.0.10061;
* 4 - Application Compatibility Shim RedirectEXE method, from WinNT/Gootkit. Works from Windows 7 up to 8.1.9600;
* 4 - Application Compatibility Shim RedirectEXE method, from WinNT/Gootkit. Works from Windows 7 up to 8.1.9600 (KB3045645 and KB3048097 targets this by removing sdbinst autoelevation ability);
* 5 - ISecurityEditor WinNT/Simda method, used to turn off UAC, works from Windows 7 up to Windows 10.0.10061;
* 6 - Wusa method used by Win32/Carberp, tweaked to work with Windows 8/8.1 also;
* 7 - Wusa method, tweaked to work from Windows 7 up to 10.0.10061;
* 8 - Slightly modified Leo Davidson method used by Win32/Tilon, works only on Windows 7;
* 9 - Hybrid method, combination of WinNT/Simda and Win32/Carberp + AVrf, works from Windows 7 up to 10.0.10061;
* 10 - Hybrid method, abusing appinfo.dll way of whitelisting autoelevated applications and KnownDlls cache changes, works from Windows 7 up to 10.0.10061;
* 11 - WinNT/Gootkit second method based on the memory patching from MS "Fix it" patch shim (and as side effect - arbitrary dll injection), works from Windows 7 up to 8.1.9600;
* 11 - WinNT/Gootkit second method based on the memory patching from MS "Fix it" patch shim (and as side effect - arbitrary dll injection), works from Windows 7 up to 8.1.9600 (KB3045645 and KB3048097 targets this by removing sdbinst autoelevation ability);
* 12 - Windows 10 sysprep method, abusing different dll dependency added in Windows 10.
Note:
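Review bot: the parenthetical added to the method 4 and method 11 lines, "KB3045645 and KB3048097 targets this by removing sdbinst autoelevation ability", has a plural subject with a singular verb (should be "target") and is pasted verbatim on both lines; since the Note section further down in this same file already records which methods the April updates cover, a short pointer on each line such as "(fixed by KB3045645/KB3048097, see Note)" would avoid keeping three copies of the same sentence in sync.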
@ -28,7 +28,7 @@ Note:
* Method (4) unavailable in 64 bit edition because of Shim restriction;
* Method (6) unavailable in wow64 environment starting from Windows 8. Also target application absent in recent Windows 10 TP 10061 build;
* Method (11) implemented in x86-32 version;
* Methods (4), (11) targeted by MS April patch by removing autoelevation from sdbinst.
* Methods (4), (11) targeted by MS April patch by removing autoelevation from sdbinst. Install KB3045645 for Win7/8 and KB3048097 for Win8.1 to apply security fix. More info: https://support.microsoft.com/en-us/kb/3045645, https://support.microsoft.com/en-us/kb/3048097.
Run examples:
* akagi32.exe 1
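Review bot: the reworded Note line is the only place that says which update applies to which Windows version (KB3045645 for Win7/8, KB3048097 for Win8.1); the method 4 and 11 descriptions above list both KB numbers together without that mapping, so a reader checking a single OS has to come down here to find the right one. Consider stating the per-OS mapping once and referring to it from the method list, and naming the security bulletin the two KBs belong to so that "MS April patch" is unambiguous. The two support.microsoft.com URLs match the KB numbers quoted in the same sentence.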