渗透工具UACMe:滥用内置的Windows AutoElevate后门

风过留不留声

已于 2022-04-25 16:03:12 修改

阅读量4.7k

点赞数 5

分类专栏：渗透工具文章标签：系统安全测试工具安全 c语言

于 2022-04-23 07:15:00 首次发布

本文链接：https://blog.csdn.net/phpppppppppp/article/details/124324832

版权

渗透工具专栏收录该内容

25 篇文章

订阅专栏

Git地址：

hfiref0x/UACME：击败 Windows 用户帐户控制 (github.com)

系统要求

x86-32/x64 Windows 7/8/8.1/10（客户端，但某些方法也适用于服务器版本）。
管理员帐户，其中 UAC 设置为默认设置，需要。

用法

从命令行运行可执行文件：akagi32 [Key] [Param] 或 akagi64 [Key] [Param]。有关详细信息，请参阅下面的“运行示例”。

第一个参数是要使用的方法的数量，第二个是要运行的可选命令（可执行文件名，包括完整路径）。第二个参数可以为空 - 在这种情况下，程序将从system32文件夹中执行提升的cmd.exe。

注意：从3.5.0版本开始，所有“固定”方法都被视为过时，并与所有支持代码/单元一起完全删除。如果仍需要它们，请使用 v3.2.x 分支

Author: Leo Davidson
Type: Dll Hijack
Method: IFileOperation
Target(s): \system32\sysprep\sysprep.exe
Component(s): cryptbase.dll
Implementation: ucmStandardAutoElevation
Works from: Windows 7 (7600)
Fixed in: Windows 8.1 (9600)
How: sysprep.exe hardened LoadFrom manifest elements
Code status: removed starting from v3.5.0 🚜
Author: Leo Davidson derivative
Type: Dll Hijack
Method: IFileOperation
Target(s): \system32\sysprep\sysprep.exe
Component(s): ShCore.dll
Implementation: ucmStandardAutoElevation
Works from: Windows 8.1 (9600)
Fixed in: Windows 10 TP (> 9600)
How: Side effect of ShCore.dll moving to \KnownDlls
Code status: removed starting from v3.5.0 🚜
Author: Leo Davidson derivative by WinNT/Pitou
Type: Dll Hijack
Method: IFileOperation
Target(s): \system32\oobe\setupsqm.exe
Component(s): WdsCore.dll
Implementation: ucmStandardAutoElevation
Works from: Windows 7 (7600)
Fixed in: Windows 10 TH2 (10558)
How: Side effect of OOBE redesign
Code status: removed starting from v3.5.0 🚜
Author: Jon Ericson, WinNT/Gootkit, mzH
Type: AppCompat
Method: RedirectEXE Shim
Target(s): \system32\cliconfg.exe
Component(s): -
Implementation: ucmShimRedirectEXE
Works from: Windows 7 (7600)
Fixed in: Windows 10 TP (> 9600)
How: Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for rest Windows versions
Code status: removed starting from v3.5.0 🚜
Author: WinNT/Simda
Type: Elevated COM interface
Method: ISecurityEditor
Target(s): HKLM registry keys
Component(s): -
Implementation: ucmSimdaTurnOffUac
Works from: Windows 7 (7600)
Fixed in: Windows 10 TH1 (10147)
How: ISecurityEditor interface method changed
Code status: removed starting from v3.5.0 🚜
Author: Win32/Carberp
Type: Dll Hijack
Method: WUSA
Target(s): \ehome\mcx2prov.exe, \system32\migwiz\migwiz.exe
Component(s): WdsCore.dll, CryptBase.dll, CryptSP.dll
Implementation: ucmWusaMethod
Works from: Windows 7 (7600)
Fixed in: Windows 10 TH1 (10147)
How: WUSA /extract option removed
Code status: removed starting from v3.5.0 🚜
Author: Win32/Carberp derivative
Type: Dll Hijack
Method: WUSA
Target(s): \system32\cliconfg.exe
Component(s): ntwdblib.dll
Implementation: ucmWusaMethod
Works from: Windows 7 (7600)
Fixed in: Windows 10 TH1 (10147)
How: WUSA /extract option removed
Code status: removed starting from v3.5.0 🚜
Author: Leo Davidson derivative by Win32/Tilon
Type: Dll Hijack
Method: IFileOperation
Target(s): \system32\sysprep\sysprep.exe
Component(s): Actionqueue.dll
Implementation: ucmStandardAutoElevation
Works from: Windows 7 (7600)
Fixed in: Windows 8.1 (9600)
How: sysprep.exe hardened LoadFrom manifest
Code status: removed starting from v3.5.0 🚜
Author: Leo Davidson, WinNT/Simda, Win32/Carberp derivative
Type: Dll Hijack
Method: IFileOperation, ISecurityEditor, WUSA
Target(s): IFEO registry keys, \system32\cliconfg.exe
Component(s): Attacker defined Application Verifier Dll
Implementation: ucmAvrfMethod
Works from: Windows 7 (7600)
Fixed in: Windows 10 TH1 (10147)
How: WUSA /extract option removed, ISecurityEditor interface method changed
Code status: removed starting from v3.5.0 🚜
Author: WinNT/Pitou, Win32/Carberp derivative
Type: Dll Hijack
Method: IFileOperation, WUSA
Target(s): \system32\{New}or{Existing}\{autoelevated}.exe, e.g. winsat.exe
Component(s): Attacker defined dll, e.g. PowProf.dll, DevObj.dll
Implementation: ucmWinSATMethod
Works from: Windows 7 (7600)
Fixed in: Windows 10 TH2 (10548)
How: AppInfo elevated application path control hardening
Code status: removed starting from v3.5.0 🚜
Author: Jon Ericson, WinNT/Gootkit, mzH
Type: AppCompat
Method: Shim Memory Patch
Target(s): \system32\iscsicli.exe
Component(s): Attacker prepared shellcode
Implementation: ucmShimPatch
Works from: Windows 7 (7600)
Fixed in: Windows 8.1 (9600)
How: Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for rest Windows versions
Code status: removed starting from v3.5.0 🚜
Author: Leo Davidson derivative
Type: Dll Hijack
Method: IFileOperation
Target(s): \system32\sysprep\sysprep.exe
Component(s): dbgcore.dll
Implementation: ucmStandardAutoElevation
Works from: Windows 10 TH1 (10240)
Fixed in: Windows 10 TH2 (10565)
How: sysprep.exe manifest updated
Code status: removed starting from v3.5.0 🚜
Author: Leo Davidson derivative
Type: Dll Hijack
Method: IFileOperation
Target(s): \system32\mmc.exe EventVwr.msc
Component(s): elsext.dll
Implementation: ucmMMCMethod
Works from: Windows 7 (7600)
Fixed in: Windows 10 RS1 (14316)
How: Missing dependency removed
Code status: removed starting from v3.5.0 🚜
Author: Leo Davidson, WinNT/Sirefef derivative
Type: Dll Hijack
Method: IFileOperation
Target(s): \system\credwiz.exe, \system32\wbem\oobe.exe
Component(s): netutils.dll
Implementation: ucmSirefefMethod
Works from: Windows 7 (7600)
Fixed in: Windows 10 TH2 (10548)
How: AppInfo elevated application path control hardening
Code status: removed starting from v3.5.0 🚜
Author: Leo Davidson, Win32/Addrop, Metasploit derivative
Type: Dll Hijack
Method: IFileOperation
Target(s): \system32\cliconfg.exe
Component(s): ntwdblib.dll
Implementation: ucmGenericAutoelevation
Works from: Windows 7 (7600)
Fixed in: Windows 10 RS1 (14316)
How: Cliconfg.exe autoelevation removed
Code status: removed starting from v3.5.0 🚜
Author: Leo Davidson derivative
Type: Dll Hijack
Method: IFileOperation
Target(s): \system32\GWX\GWXUXWorker.exe, \system32\inetsrv\inetmgr.exe
Component(s): SLC.dll
Implementation: ucmGWX
Works from: Windows 7 (7600)
Fixed in: Windows 10 RS1 (14316)
How: AppInfo elevated application path control and inetmgr executable hardening
Code status: removed starting from v3.5.0 🚜
Author: Leo Davidson derivative
Type: Dll Hijack (Import forwarding)
Method: IFileOperation
Target(s): \system32\sysprep\sysprep.exe
Component(s): unbcl.dll
Implementation: ucmStandardAutoElevation2
Works from: Windows 8.1 (9600)
Fixed in: Windows 10 RS1 (14371)
How: sysprep.exe manifest updated
Code status: removed starting from v3.5.0 🚜
Author: Leo Davidson derivative
Type: Dll Hijack (Manifest)
Method: IFileOperation
Target(s): \system32\taskhost.exe, \system32\tzsync.exe (any ms exe without manifest)
Component(s): Attacker defined
Implementation: ucmAutoElevateManifest
Works from: Windows 7 (7600)
Fixed in: Windows 10 RS1 (14371)
How: Manifest parsing logic reviewed
Code status: removed starting from v3.5.0 🚜
Author: Leo Davidson derivative
Type: Dll Hijack
Method: IFileOperation
Target(s): \system32\inetsrv\inetmgr.exe
Component(s): MsCoree.dll
Implementation: ucmInetMgrMethod
Works from: Windows 7 (7600)
Fixed in: Windows 10 RS1 (14376)
How: inetmgr.exe executable manifest hardening, MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images
Code status: removed starting from v3.5.0 🚜
Author: Leo Davidson derivative
Type: Dll Hijack
Method: IFileOperation
Target(s): \system32\mmc.exe, Rsop.msc
Component(s): WbemComn.dll
Implementation: ucmMMCMethod
Works from: Windows 7 (7600)
Fixed in: Windows 10 RS3 (16232)
How: Target requires wbemcomn.dll to be signed by MS
Code status: removed starting from v3.5.0 🚜
Author: Leo Davidson derivative
Type: Dll Hijack
Method: IFileOperation, SxS DotLocal
Target(s): \system32\sysprep\sysprep.exe
Component(s): comctl32.dll
Implementation: ucmSXSMethod
Works from: Windows 7 (7600)
Fixed in: Windows 10 RS3 (16232)
How: MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images
Code status: removed starting from v3.5.0 🚜
Author: Leo Davidson derivative
Type: Dll Hijack
Method: IFileOperation, SxS DotLocal
Target(s): \system32\consent.exe
Component(s): comctl32.dll
Implementation: ucmSXSMethod
Works from: Windows 7 (7600)
Fixed in: unfixed 🙈
How: -
Code status: added in v2.5.0
Author: Leo Davidson derivative
Type: Dll Hijack
Method: IFileOperation
Target(s): \system32\pkgmgr.exe
Component(s): DismCore.dll
Implementation: ucmDismMethod
Works from: Windows 7 (7600)
Fixed in: unfixed 🙈
How: -
Code status: added in v2.5.1
Author: BreakingMalware
Type: Shell API
Method: Environment variables expansion
Target(s): \system32\CompMgmtLauncher.exe
Component(s): Attacker defined
Implementation: ucmCometMethod
Works from: Windows 7 (7600)
Fixed in: Windows 10 RS2 (15031)
How: CompMgmtLauncher.exe autoelevation removed
Code status: removed starting from v3.5.0 🚜
Author: Enigma0x3
Type: Shell API
Method: Registry key manipulation
Target(s): \system32\EventVwr.exe, \system32\CompMgmtLauncher.exe
Component(s): Attacker defined
Implementation: ucmHijackShellCommandMethod
Works from: Windows 7 (7600)
Fixed in: Windows 10 RS2 (15031)
How: EventVwr.exe redesigned, CompMgmtLauncher.exe autoelevation removed
Code status: removed starting from v3.5.0 🚜
Author: Enigma0x3
Type: Race Condition
Method: File overwrite
Target(s): %temp%\GUID\dismhost.exe
Component(s): LogProvider.dll
Implementation: ucmDiskCleanupRaceCondition
Works from: Windows 10 TH1 (10240)
AlwaysNotify compatible
Fixed in: Windows 10 RS2 (15031)
How: File security permissions altered
Code status: removed starting from v3.5.0 🚜
Author: ExpLife
Type: Elevated COM interface
Method: IARPUninstallStringLauncher
Target(s): Attacker defined
Component(s): Attacker defined
Implementation: ucmUninstallLauncherMethod
Works from: Windows 7 (7600)
Fixed in: Windows 10 RS3 (16199)
How: UninstallStringLauncher interface removed from COMAutoApprovalList
Code status: removed starting from v3.5.0 🚜
Author: Exploit/Sandworm
Type: Whitelisted component
Method: InfDefaultInstall
Target(s): Attacker defined
Component(s): Attacker defined
Implementation: ucmSandwormMethod
Works from: Windows 7 (7600)
Fixed in: Windows 8.1 (9600)
How: InfDefaultInstall.exe removed from g_lpAutoApproveEXEList (MS14-060)
Code status: removed starting from v3.5.0 🚜
Author: Enigma0x3
Type: Shell API
Method: Registry key manipulation
Target(s): \system32\sdclt.exe
Component(s): Attacker defined
Implementation: ucmAppPathMethod
Works from: Windows 10 TH1 (10240)
Fixed in: Windows 10 RS3 (16215)
How: Shell API update
Code status: removed starting from v3.5.0 🚜
Author: Leo Davidson derivative, lhc645
Type: Dll Hijack
Method: WOW64 logger
Target(s): \syswow64\{any elevated exe, e.g wusa.exe}
Component(s): wow64log.dll
Implementation: ucmWow64LoggerMethod
Works from: Windows 7 (7600)
Fixed in: unfixed 🙈
How: -
Code status: added in v2.7.0
Author: Enigma0x3
Type: Shell API
Method: Registry key manipulation
Target(s): \system32\sdclt.exe
Component(s): Attacker defined
Implementation: ucmSdcltIsolatedCommandMethod
Works from: Windows 10 TH1 (10240)
Fixed in: Windows 10 RS4 (17025)
How: Shell API / Windows components update
Code status: removed starting from v3.5.0 🚜
Author: xi-tauw
Type: Dll Hijack
Method: UIPI bypass with uiAccess application
Target(s): \Program Files\Windows Media Player\osk.exe, \system32\EventVwr.exe, \system32\mmc.exe
Component(s): duser.dll, osksupport.dll
Implementation: ucmUiAccessMethod
Works from: Windows 7 (7600)
Fixed in: unfixed 🙈
How: -
Code status: added in v2.7.1
Author: winscripting.blog
Type: Shell API
Method: Registry key manipulation
Target(s): \system32\fodhelper.exe
Component(s): Attacker defined
Implementation: ucmShellRegModMethod
Works from: Windows 10 TH1 (10240)
Fixed in: unfixed 🙈
How: -
Code status: added in v2.7.2
Author: James Forshaw
Type: Shell API
Method: Environment variables expansion
Target(s): \system32\svchost.exe via \system32\schtasks.exe
Component(s): Attacker defined
Implementation: ucmDiskCleanupEnvironmentVariable
Works from: Windows 8.1 (9600)
AlwaysNotify compatible
Fixed in: unfixed 🙈
How: -
Code status: added in v2.7.2
Author: CIA & James Forshaw
Type: Impersonation
Method: Token Manipulations
Target(s): Autoelevated applications
Component(s): Attacker defined
Implementation: ucmTokenModification
Works from: Windows 7 (7600)
AlwaysNotify compatible, see note
Fixed in: Windows 10 RS5 (17686)
How: ntoskrnl.exe->SeTokenCanImpersonate additional access token check added
Code status: removed starting from v3.5.0 🚜
Author: Thomas Vanhoutte aka SandboxEscaper
Type: Race condition
Method: NTFS reparse point & Dll Hijack
Target(s): wusa.exe, pkgmgr.exe
Component(s): Attacker defined
Implementation: ucmJunctionMethod
Works from: Windows 7 (7600)
Fixed in: unfixed 🙈
How: -
Code status: added in v2.7.4
Author: Ernesto Fernandez, Thomas Vanhoutte
Type: Dll Hijack
Method: SxS DotLocal, NTFS reparse point
Target(s): \system32\dccw.exe
Component(s): GdiPlus.dll
Implementation: ucmSXSDccwMethod
Works from: Windows 7 (7600)
Fixed in: unfixed 🙈
How: -
Code status: added in v2.7.5
Author: Clement Rouault
Type: Whitelisted component
Method: APPINFO command line spoofing
Target(s): \system32\mmc.exe
Component(s): Attacker defined
Implementation: ucmHakrilMethod
Works from: Windows 7 (7600)
Fixed in: unfixed 🙈
How: -
Code status: added in v2.7.6
Author: Stefan Kanthak
Type: Dll Hijack
Method: .NET Code Profiler
Target(s): \system32\mmc.exe
Component(s): Attacker defined
Implementation: ucmCorProfilerMethod
Works from: Windows 7 (7600)
Fixed in: unfixed 🙈
How: -
Code status: added in v2.7.7
Author: Ruben Boonen
Type: COM Handler Hijack
Method: Registry key manipulation
Target(s): \system32\mmc.exe, \system32\recdisc.exe
Component(s): Attacker defined
Implementation: ucmCOMHandlersMethod
Works from: Windows 7 (7600)
Fixed in: Windows 10 19H1 (18362)
How: Side effect of Windows changes
Code status: removed starting from v3.5.0 🚜
Author: Oddvar Moe
Type: Elevated COM interface
Method: ICMLuaUtil
Target(s): Attacker defined
Component(s): Attacker defined
Implementation: ucmCMLuaUtilShellExecMethod
Works from: Windows 7 (7600)
Fixed in: unfixed 🙈
How: -
Code status: added in v2.7.9
Author: BreakingMalware and Enigma0x3
Type: Elevated COM interface
Method: IFwCplLua
Target(s): Attacker defined
Component(s): Attacker defined
Implementation: ucmFwCplLuaMethod
Works from: Windows 7 (7600)
Fixed in: Windows 10 RS4 (17134)
How: Shell API update
Code status: removed starting from v3.5.0 🚜
Author: Oddvar Moe derivative
Type: Elevated COM interface
Method: IColorDataProxy, ICMLuaUtil
Target(s): Attacker defined
Component(s): Attacker defined
Implementation: ucmDccwCOMMethod
Works from: Windows 7 (7600)
Fixed in: unfixed 🙈
How: -
Code status: added in v2.8.3
Author: bytecode77
Type: Shell API
Method: Environment variables expansion
Target(s): Multiple auto-elevated processes
Component(s): Various per target
Implementation: ucmVolatileEnvMethod
Works from: Windows 7 (7600)
Fixed in: Windows 10 RS3 (16299)
How: Current user system directory variables ignored during process creation
Code status: removed starting from v3.5.0 🚜
Author: bytecode77
Type: Shell API
Method: Registry key manipulation
Target(s): \system32\slui.exe
Component(s): Attacker defined
Implementation: ucmSluiHijackMethod
Works from: Windows 8.1 (9600)
Fixed in: Windows 10 20H1 (19041)
How: Side effect of Windows changes
Code status: removed starting from v3.5.0 🚜
Author: Anonymous
Type: Race Condition
Method: Registry key manipulation
Target(s): \system32\BitlockerWizardElev.exe
Component(s): Attacker defined
Implementation: ucmBitlockerRCMethod
Works from: Windows 7 (7600)
Fixed in: Windows 10 RS4 (>16299)
How: Shell API update
Code status: removed starting from v3.5.0 🚜
Author: clavoillotte & 3gstudent
Type: COM Handler Hijack
Method: Registry key manipulation
Target(s): \system32\mmc.exe
Component(s): Attacker defined
Implementation: ucmCOMHandlersMethod2
Works from: Windows 7 (7600)
Fixed in: Windows 10 19H1 (18362)
How: Side effect of Windows changes
Code status: removed starting from v3.5.0 🚜
Author: deroko
Type: Elevated COM interface
Method: ISPPLUAObject
Target(s): Attacker defined
Component(s): Attacker defined
Implementation: ucmSPPLUAObjectMethod
Works from: Windows 7 (7600)
Fixed in: Windows 10 RS5 (17763)
How: ISPPLUAObject interface method changed
Code status: removed starting from v3.5.0 🚜
Author: RinN
Type: Elevated COM interface
Method: ICreateNewLink
Target(s): \system32\TpmInit.exe
Component(s): WbemComn.dll
Implementation: ucmCreateNewLinkMethod
Works from: Windows 7 (7600)
Fixed in: Windows 10 RS1 (14393)
How: Side effect of consent.exe COMAutoApprovalList introduction
Code status: removed starting from v3.5.0 🚜
Author: Anonymous
Type: Elevated COM interface
Method: IDateTimeStateWrite, ISPPLUAObject
Target(s): w32time service
Component(s): w32time.dll
Implementation: ucmDateTimeStateWriterMethod
Works from: Windows 7 (7600)
Fixed in: Windows 10 RS5 (17763)
How: Side effect of ISPPLUAObject interface change
Code status: removed starting from v3.5.0 🚜
Author: bytecode77 derivative
Type: Elevated COM interface
Method: IAccessibilityCplAdmin
Target(s): \system32\rstrui.exe
Component(s): Attacker defined
Implementation: ucmAcCplAdminMethod
Works from: Windows 7 (7600)
Fixed in: Windows 10 RS4 (17134)
How: Shell API update
Code status: removed starting from v3.5.0 🚜
Author: David Wells
Type: Whitelisted component
Method: AipNormalizePath parsing abuse
Target(s): Attacker defined
Component(s): Attacker defined
Implementation: ucmDirectoryMockMethod
Works from: Windows 7 (7600)
Fixed in: unfixed 🙈
How: -
Code status: added in v3.0.4
Author: Emeric Nasi
Type: Shell API
Method: Registry key manipulation
Target(s): \system32\sdclt.exe
Component(s): Attacker defined
Implementation: ucmShellRegModMethod
Works from: Windows 10 (14393)
Fixed in: unfixed 🙈
How: -
Code status: added in v3.1.3
Author: egre55
Type: Dll Hijack
Method: Dll path search abuse
Target(s): \syswow64\SystemPropertiesAdvanced.exe and other SystemProperties*.exe
Component(s): \AppData\Local\Microsoft\WindowsApps\srrstr.dll
Implementation: ucmEgre55Method
Works from: Windows 10 (14393)
Fixed in: Windows 10 19H1 (18362)
How: SysDm.cpl!_CreateSystemRestorePage has been updated for secured load library call
Code status: removed starting from v3.5.0 🚜
Author: James Forshaw
Type: GUI Hack
Method: UIPI bypass with token modification
Target(s): \system32\osk.exe, \system32\msconfig.exe
Component(s): Attacker defined
Implementation: ucmTokenModUIAccessMethod
Works from: Windows 7 (7600)
Fixed in: unfixed 🙈
How: -
Code status: added in v3.1.5
Author: Hashim Jawad
Type: Shell API
Method: Registry key manipulation
Target(s): \system32\WSReset.exe
Component(s): Attacker defined
Implementation: ucmShellRegModMethod2
Works from: Windows 10 (17134)
Fixed in: Windows 11 (22000)
How: Windows components redesign
Code status: removed starting from v3.5.7 🚜
Author: Leo Davidson derivative by Win32/Gapz
Type: Dll Hijack
Method: IFileOperation
Target(s): \system32\sysprep\sysprep.exe
Component(s): unattend.dll
Implementation: ucmStandardAutoElevation
Works from: Windows 7 (7600)
Fixed in: Windows 8.1 (9600)
How: sysprep.exe hardened LoadFrom manifest elements
Code status: removed starting from v3.5.0 🚜
Author: RinN
Type: Elevated COM interface
Method: IEditionUpgradeManager
Target(s): \system32\clipup.exe
Component(s): Attacker defined
Implementation: ucmEditionUpgradeManagerMethod
Works from: Windows 10 (14393)
Fixed in: unfixed 🙈
How: -
Code status: added in v3.2.0
Author: James Forshaw
Type: AppInfo ALPC
Method: RAiLaunchAdminProcess and DebugObject
Target(s): Attacker defined
Component(s): Attacker defined
Implementation: ucmDebugObjectMethod
Works from: Windows 7 (7600)
Fixed in: unfixed 🙈
How: -
Code status: added in v3.2.3
Author: Enigma0x3 derivative by WinNT/Glupteba
Type: Shell API
Method: Registry key manipulation
Target(s): \system32\CompMgmtLauncher.exe
Component(s): Attacker defined
Implementation: ucmGluptebaMethod
Works from: Windows 7 (7600)
Fixed in: Windows 10 RS2 (15063)
How: CompMgmtLauncher.exe autoelevation removed
Code status: removed starting from v3.5.0 🚜
Author: Enigma0x3/bytecode77 derivative by Nassim Asrir
Type: Shell API
Method: Registry key manipulation
Target(s): \system32\slui.exe, \system32\changepk.exe
Component(s): Attacker defined
Implementation: ucmShellRegModMethod
Works from: Windows 10 (14393)
Fixed in: unfixed 🙈
How: -
Code status: added in v3.2.5
Author: winscripting.blog
Type: Shell API
Method: Registry key manipulation
Target(s): \system32\computerdefaults.exe
Component(s): Attacker defined
Implementation: ucmShellRegModMethod
Works from: Windows 10 RS4 (17134)
Fixed in: unfixed 🙈
How: -
Code status: added in v3.2.6
Author: Arush Agarampur
Type: Dll Hijack
Method: ISecurityEditor
Target(s): Native Image Cache elements
Component(s): Attacker defined
Implementation: ucmNICPoisonMethod
Works from: Windows 7 (7600)
Fixed in: unfixed 🙈
How: -
Code status: added in v3.2.7
Author: Arush Agarampur
Type: Elevated COM interface
Method: IIEAxiAdminInstaller, IIEAxiInstaller2, IFileOperation
Target(s): IE add-on install cache
Component(s): Attacker defined
Implementation: ucmIeAddOnInstallMethod
Works from: Windows 7 (7600)
Fixed in: unfixed 🙈
How: -
Code status: added in v3.5.1
Author: Arush Agarampur
Type: Elevated COM interface
Method: IWscAdmin
Target(s): Shell Protocol Hijack
Component(s): Attacker defined
Implementation: ucmWscActionProtocolMethod
Works from: Windows 7 (7600)
Fixed in: unfixed 🙈
How: -
Code status: added in v3.5.2
Author: Arush Agarampur
Type: Elevated COM interface
Method: IFwCplLua, Shell Protocol Hijack
Target(s): Shell protocol registry entry and environment variables
Component(s): Attacker defined
Implementation: ucmFwCplLuaMethod2
Works from: Windows 7 (7600)
Fixed in: unfixed 🙈
How: -
Code status: added in v3.5.3
Author: Arush Agarampur
Type: Shell API
Method: Shell Protocol Hijack
Target(s): \system32\fodhelper.exe
Component(s): Attacker defined
Implementation: ucmMsSettingsProtocolMethod
Works from: Windows 10 TH1 (10240)
Fixed in: unfixed 🙈
How: -
Code status: added in v3.5.4
Author: Arush Agarampur
Type: Shell API
Method: Shell Protocol Hijack
Target(s): \system32\wsreset.exe
Component(s): Attacker defined
Implementation: ucmMsStoreProtocolMethod
Works from: Windows 10 RS5 (17763)
Fixed in: unfixed 🙈
How: -
Code status: added in v3.5.5
Author: Arush Agarampur
Type: Shell API
Method: Environment variables expansion, Dll Hijack
Target(s): \system32\taskhostw.exe
Component(s): pcadm.dll
Implementation: ucmPcaMethod
Works from: Windows 7 (7600)
AlwaysNotify compatible
Fixed in: unfixed 🙈
How: -
Code status: added in v3.5.6
Author: V3ded
Type: Shell API
Method: Registry key manipulation
Target(s): \system32\fodhelper.exe, \system32\computerdefaults.exe
Component(s): Attacker defined
Implementation: ucmShellRegModMethod3
Works from: Windows 10 (10240)
Fixed in: unfixed 🙈
How: -
Code status: added in v3.5.7
Author: Arush Agarampur
Type: Dll Hijack
Method: ISecurityEditor
Target(s): Native Image Cache elements
Component(s): Attacker defined
Implementation: ucmNICPoisonMethod2
Works from: Windows 7 RTM (7600)
Fixed in: unfixed 🙈
How: -
Code status: added in v3.5.8
Author: Emeric Nasi
Type: Dll Hijack
Method: Dll path search abuse
Target(s): \syswow64\msdt.exe, \system32\sdiagnhost.exe
Component(s): BluetoothDiagnosticUtil.dll
Implementation: ucmMsdtMethod
Works from: Windows 10 (10240)
Fixed in: unfixed 🙈
How: -
Code status: added in v3.5.9

注意：

方法（30）（63）及更高版本仅在x64版本中实现;
方法（30）需要x64，因为它滥用WOW64子系统功能;
方法（55）不是很可靠（就像任何GUI黑客一样），并且只是为了好玩而包含。

运行示例：

赤城32.exe 23
赤城64.exe 61
akagi32 23 c：\windows\system32\calc.exe
akagi64 61 c：\windows\system32\charmap.exe

注意：

方法（30）（63）及更高版本仅在x64版本中实现;
方法（30）需要x64，因为它滥用WOW64子系统功能;
方法（55）不是很可靠（就像任何GUI黑客一样），并且只是为了好玩而包含。

运行示例：

赤城32.exe 23
赤城64.exe 61
akagi32 23 c：\windows\system32\calc.exe
akagi64 61 c：\windows\system32\charmap.exe

警告

此工具仅显示恶意软件使用的流行的UAC绕过方法，并以不同的方式重新实现其中一些方法，以改善原始概念。有不同的，尚不为公众所知的方法。请注意这一点;
此工具不适用于AV测试，并且未经测试可在激进的AV环境中工作，如果您仍然计划将其与已安装的膨胀软件AV软件一起使用 - 请自行承担使用风险;
一些AV可能会将此工具标记为HackTool，MSE / WinDefender不断将其标记为恶意软件，没有;
如果您在真实计算机上运行此程序，请记住在使用后删除所有程序剩余部分，有关它掉落到系统文件夹的文件的更多信息，请参阅源代码;
为 x64 创建的大多数方法，没有考虑 x86-32 支持。我认为支持32位版本的Windows或wow64没有任何意义，但是通过小的调整，它们中的大多数也将在wow64下运行。

如果您想知道为什么这仍然存在并且有效 - 这是解释 - 官方Microsoft WHITEFLAG（包括完全无能的声明作为奖励）There are really only two effectively distinct settings for the UAC slider - The Old New Thing

Windows 10 支持和测试策略

UACMe仅使用LSTB / LTSC变体（1607 / 1809）和最后RTM-1版本进行测试，例如，如果当前版本是2004年，它将在2004年（19041）和先前版本1909（18363）上进行测试;
不支持内部生成，因为方法可能已在此处修复。

保护

没有管理权限的帐户。

恶意软件使用情况

我们不对此工具在恶意目的中的使用承担任何责任。它是免费的，开源的，并为每个人提供原样。

其他用法

目前用作“THOR APT”扫描仪的“签名”（来自德国的手工图案匹配欺诈软件）。对于欺诈软件中此工具的使用，我们不承担任何责任;
存储库 GitHub - hfiref0x/UACME: Defeating Windows User Account Control，其内容是 UACMe 代码的唯一正版来源。我们与该项目的外部链接无关，在任何地方都提到以及修改（分叉）;
2016年7月，所谓的“安全公司”Cymmetria发布了有关名为“Patchwork”的脚本小子恶意软件捆绑包的报告，并将其错误地标记为APT。他们表示它正在使用“UACME方法”，实际上它只是UACMe v1.9中略微和不专业地修改的注入器dll，并且正在以恶意软件自我实现的方式使用Carberp / Pitou混合方法。对于在第三方“安全公司”的可疑广告活动中使用UACMe，我们不承担任何责任。

源代码

UACMe附带完整的源代码，用C语言编写;
为了从源代码构建，您需要Microsoft Visual Studio 2015及更高版本。

已编译的二进制文件

自 2.8.9 起不再提供，将来也永远不会提供。原因（以及为什么你也不应该向公众提供）：
- 如果你简单地看一下这个项目，它是一个HackTool，尽管最初的目标是成为一个演示者。当然，一些AV将其检测为HackTool（例如MS WD），但是大多数VirusTotal患者将其检测为通用“恶意软件”。这当然是不正确的，但是不幸的是，一些懒惰的恶意软件编写者盲目地将代码复制粘贴到他们的垃圾软件中（甚至直接使用此工具），因此一些AV根据项目代码部分创建了签名;
- 通过向每个人提供编译的二进制文件，您可以使脚本小子的生活变得更加轻松，因为需要从源代码编译对于非常愚蠢的脚本小子和“按钮点击器”来说是一个完美的障碍;
- 在存储库中编译二进制文件最终将导致各种内容过滤器（SmartScreen，Google安全浏览等）将此存储库页面标记为恶意（由于上述原因）。
此决定是最终决定，不会改变。

提示

首先为要生成的解决方案中的项目选择“平台工具集”（项目>属性>常规）：
- v140 for Visual Studio 2015;
- v141 for Visual Studio 2017;
- v142 for Visual Studio 2019.
对于 v140 及更高版本，设置目标平台版本（项目>属性>常规）：
- 如果选择 v140，则选择 8.1（请注意，必须安装 Windows 8.1 SDK）;
- 如果为 v141/v142，请选择“10”（请注意，必须安装 Windows 10 （19041） SDK）。
要构建工作二进制文件：
- 编译有效负载单位
- 编译 Naka 模块
- 使用 Naka 模块加密所有有效负载单元
- 使用 Naka 模块为这些单元生成秘密 blob
- 将编译的单元和秘密 blob 移动到 Akagi\Bin 目录
- 重建赤城