From dbbcc714ee0238c28f172d73c85e90d378533f5e Mon Sep 17 00:00:00 2001
From: hfiref0x
Date: Thu, 16 Feb 2023 18:39:49 +0700
Subject: [PATCH] v 3.6.4

More gracefully revert

---
 Source/Akagi/methods/methods.c | 21 ++++-
 Source/Akagi/sup.c | 129 +++++++++++++++++++++++++++------
 Source/Akagi/sup.h | 17 ++++-
 Source/Fubuki/version.aps | Bin 2588 -> 0 bytes
 Source/Shared/ntos/ntos.h | 53 +++++++++++++-
 UACME.sha256 | 9 +-
 6 files changed, 188 insertions(+), 41 deletions(-)
 delete mode 100644 Source/Fubuki/version.aps

diff --git a/Source/Akagi/methods/methods.c b/Source/Akagi/methods/methods.c
index 070251c..7653705 100644
--- a/Source/Akagi/methods/methods.c
+++ b/Source/Akagi/methods/methods.c
@@ -6,7 +6,7 @@
 *
 * VERSION: 3.64
 *
-* DATE: 04 Feb 2023
+* DATE: 15 Feb 2023
 *
 * UAC bypass dispatch.
 *
@@ -319,15 +319,26 @@ NTSTATUS MethodsManagerCall(
 
     if (Entry->PayloadResourceId != PAYLOAD_ID_NONE) {
 
-        Resource = supLdrQueryResourceData(
+        Status = supLdrQueryResourceDataEx(
             Entry->PayloadResourceId,
             ImageBaseAddress,
-            &DataSize);
+            &DataSize,
+            &Resource);
 
-        if (Resource) {
-            PayloadCode = g_ctx->DecompressRoutine(Entry->PayloadResourceId, Resource, DataSize, &PayloadSize);
+        if (!NT_SUCCESS(Status)) {
+
+            if (Status == STATUS_RESOURCE_TYPE_NOT_FOUND)
+                return STATUS_INVALID_IMAGE_FORMAT;
+
+            return Status;
         }
 
+        if (DataSize == 0 || Resource == NULL) {
+            return STATUS_INVALID_IMAGE_FORMAT;
+        }
+
+        PayloadCode = g_ctx->DecompressRoutine(Entry->PayloadResourceId, Resource, DataSize, &PayloadSize);
+
         if ((PayloadCode == NULL) || (PayloadSize == 0)) {
             return STATUS_DATA_ERROR;
         }
diff --git a/Source/Akagi/sup.c b/Source/Akagi/sup.c
index 46693ab..5fb488d 100644
--- a/Source/Akagi/sup.c
+++ b/Source/Akagi/sup.c
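Review bot: Only STATUS_RESOURCE_TYPE_NOT_FOUND is remapped to STATUS_INVALID_IMAGE_FORMAT in the new failure branch, while a payload whose RT_RCDATA type exists but whose id is absent makes LdrFindResource_U fail with STATUS_RESOURCE_NAME_NOT_FOUND (or STATUS_RESOURCE_DATA_NOT_FOUND) and that status is propagated unchanged; if the intent is "any missing payload resource means a malformed image", widen the test to `if (Status == STATUS_RESOURCE_TYPE_NOT_FOUND || Status == STATUS_RESOURCE_NAME_NOT_FOUND) return STATUS_INVALID_IMAGE_FORMAT;`, otherwise a one-line comment saying why only the type case is remapped would help the next reader. The added `DataSize == 0 || Resource == NULL` check runs only on the success path, where supLdrQueryResourceDataEx has filled both, so it is sound as written. MethodsManagerCall starts and ends outside the hunk, so whether Resource and DataSize are initialised before this block cannot be seen here.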
@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-* (C) COPYRIGHT AUTHORS, 2015 - 2022
+* (C) COPYRIGHT AUTHORS, 2015 - 2023
 *
 * TITLE: SUP.C
 *
-* VERSION: 3.63
+* VERSION: 3.64
 *
-* DATE: 16 Jul 2022
+* DATE: 15 Feb 2023
 *
 * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
 * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -912,6 +912,49 @@ BOOLEAN supSetCheckSumForMappedFile(
     return FALSE;
 }
 
+/*
+* supLdrQueryResourceDataEx
+*
+* Purpose:
+*
+* Load resource by given id (win32 FindResource, SizeofResource, LockResource).
+*
+*/
+NTSTATUS supLdrQueryResourceDataEx(
+    _In_ ULONG_PTR ResourceId,
+    _In_ PVOID DllHandle,
+    _Out_ PULONG DataSize,
+    _Out_ PVOID* Data
+)
+{
+    NTSTATUS status;
+    ULONG_PTR IdPath[3];
+    IMAGE_RESOURCE_DATA_ENTRY* DataEntry;
+    ULONG SizeOfData = 0;
+
+    *DataSize = 0;
+
+    if (DllHandle == NULL) {
+        return STATUS_INVALID_PARAMETER_2;
+    }
+
+    IdPath[0] = (ULONG_PTR)RT_RCDATA; //type
+    IdPath[1] = ResourceId; //id
+    IdPath[2] = 0; //lang
+
+    status = LdrFindResource_U(DllHandle, (ULONG_PTR*)&IdPath, 3, &DataEntry);
+    if (NT_SUCCESS(status)) {
+        status = LdrAccessResource(DllHandle, DataEntry, Data, &SizeOfData);
+        if (NT_SUCCESS(status)) {
+            if (DataSize) {
+                *DataSize = SizeOfData;
+            }
+        }
+    }
+
+    return status;
+}
+
 /*
 * supLdrQueryResourceData
 *
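Review bot: `*DataSize = 0;` at the top of supLdrQueryResourceDataEx dereferences DataSize unconditionally, so the later `if (DataSize)` guard around `*DataSize = SizeOfData;` can never be false and only suggests that NULL is accepted when it is not; either drop the inner check (DataSize is `_Out_`, non-optional, as the sup.h prototype declares it) or put a NULL test ahead of the first write and return STATUS_INVALID_PARAMETER_3. The `_Out_` contract on Data is also not met on the `DllHandle == NULL` path, where `*Data` is left untouched; adding `*Data = NULL;` next to the `*DataSize = 0;` line keeps a caller that tests the pointer instead of the status from reading stack garbage. Minor: `(ULONG_PTR*)&IdPath` casts a pointer-to-array; plain `IdPath` decays to the same ULONG_PTR* with no cast.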
@@ -923,32 +966,21 @@ BOOLEAN supSetCheckSumForMappedFile(
 PBYTE supLdrQueryResourceData(
     _In_ ULONG_PTR ResourceId,
     _In_ PVOID DllHandle,
-    _In_ PULONG DataSize
+    _Out_ PULONG DataSize
 )
 {
-    NTSTATUS status;
-    ULONG_PTR IdPath[3];
-    IMAGE_RESOURCE_DATA_ENTRY* DataEntry;
-    PBYTE Data = NULL;
-    ULONG SizeOfData = 0;
+    NTSTATUS status;
+    PBYTE Data = NULL;
 
-    if (DllHandle != NULL) {
+    status = supLdrQueryResourceDataEx(ResourceId,
+        DllHandle,
+        DataSize,
+        &Data);
 
-        IdPath[0] = (ULONG_PTR)RT_RCDATA; //type
-        IdPath[1] = ResourceId; //id
-        IdPath[2] = 0; //lang
+    if (NT_SUCCESS(status))
+        return Data;
 
-        status = LdrFindResource_U(DllHandle, (ULONG_PTR*)&IdPath, 3, &DataEntry);
-        if (NT_SUCCESS(status)) {
-            status = LdrAccessResource(DllHandle, DataEntry, (PVOID*)&Data, &SizeOfData);
-            if (NT_SUCCESS(status)) {
-                if (DataSize) {
-                    *DataSize = SizeOfData;
-                }
-            }
-        }
-    }
-    return Data;
+    return NULL;
 }
 
 /*
@@ -4218,3 +4250,52 @@ ULONG supWaitForChildProcesses(
 
     return dwCurrentWait;
 }
+
+/*
+* supRaiseHardError
+*
+* Purpose:
+*
+* Display UACMe hard error.
+*
+*/
+VOID supRaiseHardError(
+    _In_ NTSTATUS HardErrorStatus
+)
+{
+    ULONG dwFlags;
+    HMODULE hModule = NULL;
+    WCHAR errorBuffer[1024];
+
+    UNICODE_STRING usText;
+    ULONG_PTR params[] = { (ULONG_PTR)&usText };
+    HARDERROR_RESPONSE heResponse;
+
+    if (HRESULT_FACILITY(HardErrorStatus) == FACILITY_WIN32) {
+        dwFlags = FORMAT_MESSAGE_IGNORE_INSERTS | FORMAT_MESSAGE_FROM_SYSTEM;
+    }
+    else {
+        dwFlags = FORMAT_MESSAGE_IGNORE_INSERTS | FORMAT_MESSAGE_FROM_HMODULE;
+        hModule = GetModuleHandle(RtlNtdllName);
+    }
+
+    errorBuffer[0] = 0;
+
+    if (FormatMessage(dwFlags,
+        hModule,
+        HardErrorStatus,
+        0,
+        errorBuffer,
+        RTL_NUMBER_OF(errorBuffer),
+        NULL))
+    {
+        RtlInitUnicodeString(&usText, errorBuffer);
+
+        NtRaiseHardError(STATUS_FATAL_APP_EXIT | HARDERROR_OVERRIDE_ERRORMODE,
+            RTL_NUMBER_OF(params),
+            1,
+            (PULONG_PTR)params,
+            OptionOk,
+            (PULONG)&heResponse);
+    }
+}
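Review bot: When FormatMessage returns 0 (no message text for HardErrorStatus in the chosen source), supRaiseHardError returns without raising anything and without telling its caller, so the "more graceful" failure path can end in silence; since the function is VOID, at least initialise `usText` from a fixed literal such as `L"Unknown error"` before the call and make the NtRaiseHardError call unconditional, or return the FormatMessage result so the caller can react. The FACILITY_WIN32 branch hands the whole NTSTATUS to FormatMessage with FORMAT_MESSAGE_FROM_SYSTEM; if such values come from NTSTATUS_FROM_WIN32 the system table is keyed by the Win32 code, so passing `RtlNtStatusToDosError(HardErrorStatus)` there is worth confirming (which statuses reach this function is not visible from the hunk). `heResponse` is a HARDERROR_RESPONSE enum passed as `(PULONG)&heResponse`; declaring it `ULONG heResponse = 0;` drops the cast and the dependence on enum width.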
diff --git a/Source/Akagi/sup.h b/Source/Akagi/sup.h
index 21f6193..754b0d4 100644
--- a/Source/Akagi/sup.h
+++ b/Source/Akagi/sup.h
@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-* (C) COPYRIGHT AUTHORS, 2014 - 2022
+* (C) COPYRIGHT AUTHORS, 2014 - 2023
 *
 * TITLE: SUP.H
 *
-* VERSION: 3.63
+* VERSION: 3.64
 *
-* DATE: 16 Jul 2022
+* DATE: 15 Feb 2023
 *
 * Common header file for the program support routines.
 *
@@ -186,10 +186,16 @@ BOOLEAN supSetCheckSumForMappedFile(
     _In_ PVOID BaseAddress,
     _In_ ULONG CheckSum);
 
+NTSTATUS supLdrQueryResourceDataEx(
+    _In_ ULONG_PTR ResourceId,
+    _In_ PVOID DllHandle,
+    _Out_ PULONG DataSize,
+    _Out_ PVOID* Data);
+
 PBYTE supLdrQueryResourceData(
     _In_ ULONG_PTR ResourceId,
     _In_ PVOID DllHandle,
-    _In_ PULONG DataSize);
+    _Out_ PULONG DataSize);
 
 VOID supMasqueradeProcess(
     _In_ BOOL Restore);
@@ -467,6 +473,9 @@ ULONG supWaitForChildProcesses(
     _In_ LPCWSTR lpProcessName,
     _In_ DWORD dwWaitMiliseconds);
 
+VOID supRaiseHardError(
+    _In_ NTSTATUS HardErrorStatus);
+
 #ifdef _DEBUG
 #define supDbgMsg(Message) OutputDebugString(Message)
 #else
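Review bot: The new supLdrQueryResourceDataEx prototype in the `@@ -186` hunk carries no contract comment, and the one fact a caller most needs is not visible from the signature: on success `*Data` is a pointer into the already mapped image (LdrAccessResource returns the resource in place), not an allocation the caller owns. A comment above the declaration such as `// Locates RT_RCDATA resource ResourceId in the image at DllHandle. On success *Data points into the mapped image (do not free) and *DataSize is its byte length; on failure *DataSize is 0 and the NTSTATUS says why.` would record that, with a matching line on supLdrQueryResourceData noting it now returns NULL on any failure and passes DataSize straight through. The ownership statement comes from the ntdll API the sup.c implementation wraps, which lives in a different hunk, so confirm it against that code before committing the wording.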
diff --git a/Source/Fubuki/version.aps b/Source/Fubuki/version.aps deleted file mode 100644 index 5d0163172b5a8874ae8b3c4e142177f1dc9387e6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2588 zcmb7G&2Af26#k|)w4orPE>Kr!S|ZU(#Eg>=phCc8JRzfuXClwoO(aXx#Bo!ri4!?7 zDH6**01FoEV8MnRFTkz~#1pWscmQ|;%y;g1Ja;^8O0RWi?mhqaoO`}80GOQPaXPsy zjQ6=);M~AHtnob_8x#IqWwOBjRlvF1Y1o^tyX|&bw$pGs>!ZEVqkiY>-te@4Jg5%4 zz%wcoZT+rHSjcVNRFs<-_D+vS!)~wo5OkQ>TTv3Y+i}u#qp;O<+@x*$Ef+PbhB=+@ zgpGzB)F$b`$YMJ04;Yq;$Y@7N+igZ(7$jb> z9-@ZpFub~xM6n%v4sI{j?qCsy(v|05Oz>np;k%fJKNLsLL(Ic^f#bL8Jfz|-F!wrj z>ABS9DYdpr#n~|bN10X_+juPVPueQR`5|ioSo3+k9Na|*4cOR(%ilI<2QBU$Qf0l4 z5%xGAq0ikAJ)Gj0`yskqSMiV*Q!87f9piw{T^zxrW*>)2-o$M@#wS?C9oo1@`T+Zs zJ*O>`p8GiCs>1_Ye0t<|sX3xdZ$hn-QzidXzE}8`eTNc9e4Zft7XCTF&wBpRewDB{?G89z%%^jXwalEgBu<7EXbhqP1Osir9AwEu5jvq!Y^R37muD`{+aeZMMG9fvC zwu=f(CoHw#48PpN6wtbBQRRYt%QG?4>fXhyd%&CI^Y+zA$+1fBD-Boh&P(;vO6&UX z^#|R<(SFaom7&3{w}>ye{8C#Y!QRoZP86Tgg-QB&JkQA-bLcWpFUbkph>-B1&1@_Ms>N=D;!U_9zfNvO+^leX>x3R^#nAAyeY6J6>&pNuUy1J|Up3r}v zb_Pl>LyjJGPZSNU+yn|6lm{9J#Tk*#vddx<}bS6W6Iubk^l=?oa_ zp%$@@QX+pJ@6wM?*#jjhCp}>#lBok?)){5WG!wrtR`FV6#!P+yWG!)+L_|F!pR03( z6MK?N!{Wwer0&i*fl)%vSP0LwsHIKjRts-xXxa{~w-^ z{{#KycFNyY`L2CQ$GJ@TyS7G|&)BlLOd0K~@)RWM3$$$IS~oiuAY WP6)bud!dd<%wh}h6LnsMJ^umSL#A;6 diff --git a/Source/Shared/ntos/ntos.h b/Source/Shared/ntos/ntos.h index 2c282f0..ff1eb0f 100644 --- a/Source/Shared/ntos/ntos.h +++ b/Source/Shared/ntos/ntos.h @@ -1,13 +1,13 @@ /************************************************************************************ * -* (C) COPYRIGHT AUTHORS, 2015 - 2022 +* (C) COPYRIGHT AUTHORS, 2015 - 2023 * Translated from Microsoft sources/debugger or mentioned elsewhere. * * TITLE: NTOS.H * -* VERSION: 1.201 +* VERSION: 1.205 * -* DATE: 17 Aug 2022 +* DATE: 15 Feb 2023 * * Common header file for the ntos API functions and definitions. * 
@@ -14490,6 +14490,53 @@ NtSystemDebugControl(
     _In_ ULONG OutputBufferLength,
     _Out_opt_ PULONG ReturnLength);
 
+/************************************************************************************
+*
+* HardError API.
+*
+************************************************************************************/
+
+#ifndef HARDERROR_OVERRIDE_ERRORMODE
+#define HARDERROR_OVERRIDE_ERRORMODE 0x10000000
+#endif
+
+typedef enum _HARDERROR_RESPONSE_OPTION {
+    OptionAbortRetryIgnore,
+    OptionOk,
+    OptionOkCancel,
+    OptionRetryCancel,
+    OptionYesNo,
+    OptionYesNoCancel,
+    OptionShutdownSystem,
+    OptionOkNoWait,
+    OptionCancelTryContinue
+} HARDERROR_RESPONSE_OPTION;
+
+typedef enum _HARDERROR_RESPONSE {
+    ResponseReturnToCaller,
+    ResponseNotHandled,
+    ResponseAbort,
+    ResponseCancel,
+    ResponseIgnore,
+    ResponseNo,
+    ResponseOk,
+    ResponseRetry,
+    ResponseYes,
+    ResponseTryAgain,
+    ResponseContinue
+} HARDERROR_RESPONSE;
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRaiseHardError(
+    _In_ NTSTATUS ErrorStatus,
+    _In_ ULONG NumberOfParameters,
+    _In_ ULONG UnicodeStringParameterMask,
+    _In_reads_(NumberOfParameters) PULONG_PTR Parameters,
+    _In_ ULONG ValidResponseOptions,
+    _Out_ PULONG Response);
+
 /************************************************************************************
 *
 * Application Verifier API and definitions.
diff --git a/UACME.sha256 b/UACME.sha256
index ebe1778..f5835f2 100644
--- a/UACME.sha256
+++ b/UACME.sha256
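Review bot: The NtRaiseHardError declaration has no comment on its parameter protocol, and two of the parameters are easy to misuse: `UnicodeStringParameterMask` is a bitmask with bit i set when `Parameters[i]` is a PUNICODE_STRING rather than a raw ULONG_PTR (the sup.c caller passes 1 for its single string parameter), and `ValidResponseOptions` takes a HARDERROR_RESPONSE_OPTION while `Response` receives a HARDERROR_RESPONSE through a PULONG. A comment above the prototype such as `// UnicodeStringParameterMask bit i marks Parameters[i] as a PUNICODE_STRING; ValidResponseOptions is a HARDERROR_RESPONSE_OPTION and *Response a HARDERROR_RESPONSE.` would make the `(PULONG)&heResponse` cast in supRaiseHardError self-explanatory. The `#ifndef` guard covers only HARDERROR_OVERRIDE_ERRORMODE; the two enums and the prototype are unguarded, which matches the surrounding header style as far as this hunk shows.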
@@ -24,8 +24,8 @@ c90cec4c10cde815fd286d83601b4cd3738097e8e0b2e592dc28c1325c12918d *Source\Akagi\r
 b289e30ce698eb0402babc2788ac7022b6a7db161296182e0e13fd021a3bee03 *Source\Akagi\Resource.rc
 7be72ada31cc042e7dea712308f59235516a6ae1d434b24645cd4726a12b5d64 *Source\Akagi\stub.c
 b1b79e79880d60412e41d43b5e9ef936fdb3e66ad85e47fc0e1261ed07322d06 *Source\Akagi\stub.h
-95fba77cb776a76a952de3b32dd3cf3fa6c396db5734f8b56799b8cc23ae3463 *Source\Akagi\sup.c
-0a8f87da972b812ba917fa5a172aebf5a9acdd7b8ee8e7fda3616f4eba7a4d20 *Source\Akagi\sup.h
+46d3b09bd585bf87f555b3c4249e586b267839319fee1b37026062fe0d9f23a1 *Source\Akagi\sup.c
+695f6fc13c134fb9506720ff19b403a4cbeab39888c7eaaebc1adc51ed23881a *Source\Akagi\sup.h
 e6b96e43c3a1a8de682f16086ea8639cfe4649092fc2f47e26fb5baa42a70caf *Source\Akagi\uacme.vcxproj
 fa20d8ff56109734866c6baed5d8be316d4d24a5dbf074e0e90d7e458978de1c *Source\Akagi\uacme.vcxproj.filters
 6fd24772137188fc9afd29563f97b1a0255e6c79a8d23e1c7c164151bc9993da *Source\Akagi\uacme.vcxproj.user
@@ -50,7 +50,7 @@ cb1bf87f2976eb49c5560b16a69c742b39706c48314bcc0bdeeaf545910bd380 *Source\Akagi\m
 2e64396f0b5cc2f6e59f5d329ffbb1ef0e6dd5e0547bd6fff5567f72cca6ace9 *Source\Akagi\methods\elvint.h
 49d94561eee009acc25c36857bb0260dd8d8a38e6cdf0286a49463d90724b9b1 *Source\Akagi\methods\hakril.c
 5c96d6754fab5329173536f2a4b29997c1661927f28b9ddcb091e4652e0bb014 *Source\Akagi\methods\hybrids.c
-b2facd987d8573b1bcb25fb72309f64272610d3a159f20f9356399f886a91d5f *Source\Akagi\methods\methods.c
+23af06a7987966a7e51336b3cdd33b411fa05778ec14179a50a60fa0f6aee1af *Source\Akagi\methods\methods.c
 44c2e8c3e25b9d75d319a256eaaca3d195d789209a6491795696b5e33b142513 *Source\Akagi\methods\methods.h
 bbcd54496dca975abf6089526023446984238d464e2df7485230b76072ff2ea1 *Source\Akagi\methods\rinn.c
 8d41849fa260b5a4a6a05db8312b60b3f6f2b5efe4f4d4fdd05c70701c7aabed *Source\Akagi\methods\routines.h
@@ -91,7 +91,6 @@ f0b8b0d1d5b85c4324c8cbb21d94dd8db69fd21bb5e37491bbd6aa2297fa0fc7 *Source\Fubuki\
 785ca1f83eab4185774f140b74d30823a69dec01ca06ccba4bfd8d1ddd3255d9 *Source\Fubuki\resource.h
 4aa24c1115cc3ed71027f760c7564357c162a09de58d75b5e9037cd869fb2a8a *Source\Fubuki\uihacks.c
 73e735426c5fab97a7289a7a57bc8bb21bce7b2b1995ae076c41027780ed88c9 *Source\Fubuki\uihacks.h
-148c6e77a257d2362eea4cee8864afa1aff400de2f4d46bffbd679410c8a1a75 *Source\Fubuki\version.aps
 835798995e6df38e12ef18fdcfda6dd1bb8fdffb567a03da46ed1ab7b66a0194 *Source\Fubuki\version.rc
 b419f6b7b8d24dc61e7473092a8326720ef54e1f65cc185da0c6e080c9debb94 *Source\Fubuki\winmm.h
 f66280e29c2116d4b83f2c6899d8caf432f7a4d1ccc4e4cf4e72b05d0fbd1f25 *Source\Kamikaze\Kamikaze.msc
@@ -137,7 +136,7 @@ e99aa4997bda14b534c614c3d8cb78a72c4aca91a1212c8b03ec605d1d75e36e *Source\Shared\
 f8e6a0be357726bee35c7247b57408b54bb38d94e8324a6bb84b91c462b2be30 *Source\Shared\hde\pstdint.h
 b774446d2f110ce954fb0a710f4693c5562ddbd8d56fe84106f2ee80db8b50a2 *Source\Shared\hde\table64.h
 b8b228021a6f3ae2c364a433db66617b93e8e38fbfb0de5235d2b1b3c6612892 *Source\Shared\ntos\ntbuilds.h
-0078fbdb03efa638ecf840f776afd4fc4f69e0e96c6bd48363a51350f4321266 *Source\Shared\ntos\ntos.h
+420142163bee49efebc2fc99d7118e6e8e3f167c384113d46bc5bb7438db727e *Source\Shared\ntos\ntos.h
 b61eb9474f593e61a241495f6c06c6c3c1afe03d45b1b23af33075ecc02f4ad1 *Source\Shared\ntos\ntsxs.h
 fa0df73ca48d6e73c1e57b6630d09ec86f04f9a1f8cfaec88d7938b2d97403ef *Source\Yuubari\appinfo.c
 82928d0a1d3263a9676b6587feba86e1716c1a2c20294c6c2210d4557975ff69 *Source\Yuubari\appinfo.h