Uacme - Defeating Windows User Trouble Organisation Human Relationship Control

Defeating Windows User Account Control past times abusing built-in Windows AutoElevate backdoor.

System Requirements

x86-32/x64 Windows 7/8/8.1/10 (client, around methods notwithstanding industrial plant on server version too).
Admin trouble organization human relationship amongst UAC onset default settings required.

Usage
Run executable from command line: akagi32 [Key] [Param] or akagi64 [Key] [Param]. See "Run examples" below for to a greater extent than info.
First param is set out of method to use, 2nd is optional command (executable file call including total path) to run. Second param tin can travel empty - inwards this instance computer programme volition execute elevated cmd.exe from system32 folder.
Keys (watch debug output amongst dbgview or like for to a greater extent than info):

Author: Leo Davidson
- Type: Dll Hijack
- Method: IFileOperation
- Target(s): \system32\sysprep\sysprep.exe
- Component(s): cryptbase.dll
- Implementation: ucmStandardAutoElevation
- Works from: Windows vii (7600)
- Fixed in: Windows 8.1 (9600)
  - How: sysprep.exe hardened LoadFrom manifest elements
Author: Leo Davidson derivative
- Type: Dll Hijack
- Method: IFileOperation
- Target(s): \system32\sysprep\sysprep.exe
- Component(s): ShCore.dll
- Implementation: ucmStandardAutoElevation
- Works from: Windows 8.1 (9600)
- Fixed in: Windows 10 TP (> 9600)
  - How: Side upshot of ShCore.dll moving to \KnownDlls
Author: Leo Davidson derivative past times WinNT/Pitou
- Type: Dll Hijack
- Method: IFileOperation
- Target(s): \system32\oobe\setupsqm.exe
- Component(s): WdsCore.dll
- Implementation: ucmStandardAutoElevation
- Works from: Windows vii (7600)
- Fixed in: Windows 10 TH2 (10558)
  - How: Side upshot of OOBE redesign
Author: Jon Ericson, WinNT/Gootkit, mzH
- Type: AppCompat
- Method: RedirectEXE Shim
- Target(s): \system32\cliconfg.exe
- Component(s): -
- Implementation: ucmShimRedirectEXE
- Works from: Windows vii (7600)
- Fixed in: Windows 10 TP (> 9600)
  - How: Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for residuum Windows versions
Author: WinNT/Simda
- Type: Elevated COM interface
- Method: ISecurityEditor
- Target(s): HKLM registry keys
- Component(s): -
- Implementation: ucmSimdaTurnOffUac
- Works from: Windows vii (7600)
- Fixed in: Windows 10 TH1 (10147)
  - How: ISecurityEditor interface method changed
Author: Win32/Carberp
- Type: Dll Hijack
- Method: WUSA
- Target(s): \ehome\mcx2prov.exe, \system32\migwiz\migwiz.exe
- Component(s): WdsCore.dll, CryptBase.dll, CryptSP.dll
- Implementation: ucmWusaMethod
- Works from: Windows vii (7600)
- Fixed in: Windows 10 TH1 (10147)
  - How: WUSA /extract choice removed
Author: Win32/Carberp derivative
- Type: Dll Hijack
- Method: WUSA
- Target(s): \system32\cliconfg.exe
- Component(s): ntwdblib.dll
- Implementation: ucmWusaMethod
- Works from: Windows vii (7600)
- Fixed in: Windows 10 TH1 (10147)
  - How: WUSA /extract choice removed
Author: Leo Davidson derivative past times Win32/Tilon
- Type: Dll Hijack
- Method: IFileOperation
- Target(s): \system32\sysprep\sysprep.exe
- Component(s): Actionqueue.dll
- Implementation: ucmStandardAutoElevation
- Works from: Windows vii (7600)
- Fixed in: Windows 8.1 (9600)
  - How: sysprep.exe hardened LoadFrom manifest
Author: Leo Davidson, WinNT/Simda, Win32/Carberp derivative
- Type: Dll Hijack
- Method: IFileOperation, ISecurityEditor, WUSA
- Target(s): IFEO registry keys, \system32\cliconfg.exe
- Component(s): Attacker defined Application Verifier Dll
- Implementation: ucmAvrfMethod
- Works from: Windows vii (7600)
- Fixed in: Windows 10 TH1 (10147)
  - How: WUSA /extract choice removed, ISecurityEditor interface method changed
Author: WinNT/Pitou, Win32/Carberp derivative
- Type: Dll Hijack
- Method: IFileOperation, WUSA
- Target(s): \system32\{New}or{Existing}\{autoelevated}.exe, e.g. winsat.exe
- Component(s): Attacker defined dll, e.g. PowProf.dll, DevObj.dll
- Implementation: ucmWinSATMethod
- Works from: Windows vii (7600)
- Fixed in: Windows 10 TH2 (10548)
  - How: AppInfo elevated application path command hardening
Author: Jon Ericson, WinNT/Gootkit, mzH
- Type: AppCompat
- Method: Shim Memory Patch
- Target(s): \system32\iscsicli.exe
- Component(s): Attacker prepared shellcode
- Implementation: ucmShimPatch
- Works from: Windows vii (7600)
- Fixed in: Windows 8.1 (9600)
  - How: Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for residuum Windows versions
Author: Leo Davidson derivative
- Type: Dll Hijack
- Method: IFileOperation
- Target(s): \system32\sysprep\sysprep.exe
- Component(s): dbgcore.dll
- Implementation: ucmStandardAutoElevation
- Works from: Windows 10 TH1 (10240)
- Fixed in: Windows 10 TH2 (10565)
  - How: sysprep.exe manifest updated
Author: Leo Davidson derivative
- Type: Dll Hijack
- Method: IFileOperation
- Target(s): \system32\mmc.exe EventVwr.msc
- Component(s): elsext.dll
- Implementation: ucmMMCMethod
- Works from: Windows vii (7600)
- Fixed in: Windows 10 RS1 (14316)
  - How: Missing dependency removed
Author: Leo Davidson, WinNT/Sirefef derivative
- Type: Dll Hijack
- Method: IFileOperation
- Target(s): \system\credwiz.exe, \system32\wbem\oobe.exe
- Component(s): netutils.dll
- Implementation: ucmSirefefMethod
- Works from: Windows vii (7600)
- Fixed in: Windows 10 TH2 (10548)
  - How: AppInfo elevated application path command hardening
Author: Leo Davidson, Win32/Addrop, Metasploit derivative
- Type: Dll Hijack
- Method: IFileOperation
- Target(s): \system32\cliconfg.exe
- Component(s): ntwdblib.dll
- Implementation: ucmGenericAutoelevation
- Works from: Windows vii (7600)
- Fixed in: Windows 10 RS1 (14316)
  - How: Cliconfg.exe autoelevation removed
Author: Leo Davidson derivative
- Type: Dll Hijack
- Method: IFileOperation
- Target(s): \system32\GWX\GWXUXWorker.exe, \system32\inetsrv\inetmgr.exe
- Component(s): SLC.dll
- Implementation: ucmGWX
- Works from: Windows vii (7600)
- Fixed in: Windows 10 RS1 (14316)
  - How: AppInfo elevated application path command in addition to inetmgr executable hardening
Author: Leo Davidson derivative
- Type: Dll Hijack (Import forwarding)
- Method: IFileOperation
- Target(s): \system32\sysprep\sysprep.exe
- Component(s): unbcl.dll
- Implementation: ucmStandardAutoElevation2
- Works from: Windows 8.1 (9600)
- Fixed in: Windows 10 RS1 (14371)
  - How: sysprep.exe manifest updated
Author: Leo Davidson derivative
- Type: Dll Hijack (Manifest)
- Method: IFileOperation
- Target(s): \system32\taskhost.exe, \system32\tzsync.exe (any ms exe without manifest)
- Component(s): Attacker defined
- Implementation: ucmAutoElevateManifest
- Works from: Windows vii (7600)
- Fixed in: Windows 10 RS1 (14371)
  - How: Manifest parsing logic reviewed
Author: Leo Davidson derivative
- Type: Dll Hijack
- Method: IFileOperation
- Target(s): \system32\inetsrv\inetmgr.exe
- Component(s): MsCoree.dll
- Implementation: ucmInetMgrMethod
- Works from: Windows vii (7600)
- Fixed in: Windows 10 RS1 (14376)
  - How: inetmgr.exe executable manifest hardening, MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images
Author: Leo Davidson derivative
- Type: Dll Hijack
- Method: IFileOperation
- Target(s): \system32\mmc.exe, Rsop.msc
- Component(s): WbemComn.dll
- Implementation: ucmMMCMethod
- Works from: Windows vii (7600)
- Fixed in: Windows 10 RS3 (16232)
  - How: Target requires wbemcomn.dll to travel signed past times MS
Author: Leo Davidson derivative
- Type: Dll Hijack
- Method: IFileOperation, SxS DotLocal
- Target(s): \system32\sysprep\sysprep.exe
- Component(s): comctl32.dll
- Implementation: ucmSXSMethod
- Works from: Windows vii (7600)
- Fixed in: Windows 10 RS3 (16232)
  - How: MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images
Author: Leo Davidson derivative
- Type: Dll Hijack
- Method: IFileOperation, SxS DotLocal
- Target(s): \system32\consent.exe
- Component(s): comctl32.dll
- Implementation: ucmSXSMethod
- Works from: Windows vii (7600)
- Fixed in: unfixed ,
  - How: -
Author: Leo Davidson derivative
- Type: Dll Hijack
- Method: IFileOperation
- Target(s): \system32\pkgmgr.exe
- Component(s): DismCore.dll
- Implementation: ucmDismMethod
- Works from: Windows vii (7600)
- Fixed in: unfixed ,
  - How: -
Author: BreakingMalware
- Type: Shell API
- Method: Environment variables expansion
- Target(s): \system32\CompMgmtLauncher.exe
- Component(s): Attacker defined
- Implementation: ucmCometMethod
- Works from: Windows vii (7600)
- Fixed in: Windows 10 RS2 (15031)
  - How: CompMgmtLauncher.exe autoelevation removed
Author: Enigma0x3
- Type: Shell API
- Method: Registry substitution manipulation
- Target(s): \system32\EventVwr.exe, \system32\CompMgmtLauncher.exe
- Component(s): Attacker defined
- Implementation: ucmHijackShellCommandMethod
- Works from: Windows vii (7600)
- Fixed in: Windows 10 RS2 (15031)
  - How: EventVwr.exe redesigned, CompMgmtLauncher.exe autoelevation removed
Author: Enigma0x3
- Type: Race Condition
- Method: File overwrite
- Target(s): %temp%\GUID\dismhost.exe
- Component(s): LogProvider.dll
- Implementation: ucmDiskCleanupRaceCondition
- Works from: Windows 10 TH1 (10240)
- AlwaysNotify compatible
- Fixed in: Windows 10 RS2 (15031)
  - How: File safety permissions altered
Author: ExpLife
- Type: Elevated COM interface
- Method: IARPUninstallStringLauncher
- Target(s): Attacker defined
- Component(s): Attacker defined
- Implementation: ucmUninstallLauncherMethod
- Works from: Windows vii (7600)
- Fixed in: Windows 10 RS3 (16199)
  - How: UninstallStringLauncher interface removed from COMAutoApprovalList
Author: Exploit/Sandworm
- Type: Whitelisted component
- Method: InfDefaultInstall
- Target(s): Attacker defined
- Component(s): Attacker defined
- Implementation: ucmSandwormMethod
- Works from: Windows vii (7600)
- Fixed in: Windows 8.1 (9600)
  - How: InfDefaultInstall.exe removed from g_lpAutoApproveEXEList (MS14-060)
Author: Enigma0x3
- Type: Shell API
- Method: Registry substitution manipulation
- Target(s): \system32\sdclt.exe
- Component(s): Attacker defined
- Implementation: ucmAppPathMethod
- Works from: Windows 10 TH1 (10240)
- Fixed in: Windows 10 RS3 (16215)
  - How: Shell API update
Author: Leo Davidson derivative, lhc645
- Type: Dll Hijack
- Method: WOW64 logger
- Target(s): \syswow64\{any elevated exe, e.g wusa.exe}
- Component(s): wow64log.dll
- Implementation: ucmWow64LoggerMethod
- Works from: Windows vii (7600)
- Fixed in: unfixed ,
  - How: -
Author: Enigma0x3
- Type: Shell API
- Method: Registry substitution manipulation
- Target(s): \system32\sdclt.exe
- Component(s): Attacker defined
- Implementation: ucmSdcltIsolatedCommandMethod
- Works from: Windows 10 TH1 (10240)
- Fixed in: Windows 10 RS4 (17025)
  - How: Shell API / Windows components update
Author: xi-tauw
- Type: Dll Hijack
- Method: UIPI bypass amongst uiAccess application
- Target(s): \Program Files\Windows Media Player\osk.exe, \system32\EventVwr.exe, \system32\mmc.exe
- Component(s): duser.dll, osksupport.dll
- Implementation: ucmUiAccessMethod
- Works from: Windows vii (7600)
- Fixed in: unfixed ,
  - How: -
Author: winscripting.blog
- Type: Shell API
- Method: Registry substitution manipulation
- Target(s): \system32\fodhelper.exe, \system32\computerdefaults.exe
- Component(s): Attacker defined
- Implementation: ucmMsSettingsDelegateExecuteMethod
- Works from: Windows 10 TH1 (10240)
- Fixed in: unfixed ,
  - How: -
Author: James Forshaw
- Type: Shell API
- Method: Environment variables expansion
- Target(s): \system32\svchost.exe via \system32\schtasks.exe
- Component(s): Attacker defined
- Implementation: ucmDiskCleanupEnvironmentVariable
- Works from: Windows 8.1 (9600)
- AlwaysNotify compatible
- Fixed in: unfixed ,
  - How: -
Author: CIA & James Forshaw
- Type: Impersonation
- Method: Token Manipulations
- Target(s): Autoelevated applications
- Component(s): Attacker defined
- Implementation: ucmTokenModification
- Works from: Windows vii (7600)
- AlwaysNotify compatible, encounter note
- Fixed in: Windows 10 RS5 (17686)
  - How: ntoskrnl.exe->SeTokenCanImpersonate additional access token depository fiscal establishment check added
Author: Thomas Vanhoutte aka SandboxEscaper
- Type: Race condition
- Method: NTFS reparse betoken & Dll Hijack
- Target(s): wusa.exe
- Component(s): dcomcnfg.exe, mmc.exe, ole32.dll, MsCoree.dll
- Implementation: ucmJunctionMethod
- Works from: Windows vii (7600)
- Fixed in: unfixed ,
  - How: -
Author: Ernesto Fernandez, Thomas Vanhoutte
- Type: Dll Hijack
- Method: SxS DotLocal, NTFS reparse point
- Target(s): \system32\dccw.exe
- Component(s): GdiPlus.dll
- Implementation: ucmSXSDccwMethod
- Works from: Windows vii (7600)
- Fixed in: unfixed ,
  - How: -
Author: Clement Rouault
- Type: Whitelisted component
- Method: APPINFO command line spoofing
- Target(s): \system32\mmc.exe
- Component(s): Attacker defined
- Implementation: ucmHakrilMethod
- Works from: Windows vii (7600)
- Fixed in: unfixed ,
  - How: -
Author: Stefan Kanthak
- Type: Dll Hijack
- Method: .NET Code Profiler
- Target(s): \system32\mmc.exe
- Component(s): Attacker defined
- Implementation: ucmCorProfilerMethod
- Works from: Windows vii (7600)
- Fixed in: unfixed ,
  - How: -
Author: Ruben Boonen
- Type: COM Handler Hijack
- Method: Registry substitution manipulation
- Target(s): \system32\mmc.exe, \System32\recdisc.exe
- Component(s): Attacker defined
- Implementation: ucmCOMHandlersMethod
- Works from: Windows vii (7600)
- Fixed in: Windows 10 19H1 (18362)
  - How: Side upshot of Windows changes
Author: Oddvar Moe
- Type: Elevated COM interface
- Method: ICMLuaUtil
- Target(s): Attacker defined
- Component(s): Attacker defined
- Implementation: ucmCMLuaUtilShellExecMethod
- Works from: Windows vii (7600)
- Fixed in: unfixed ,
  - How: -
Author: BreakingMalware in addition to Enigma0x3
- Type: Elevated COM interface
- Method: IFwCplLua
- Target(s): Attacker defined
- Component(s): Attacker defined
- Implementation: ucmFwCplLuaMethod
- Works from: Windows vii (7600)
- Fixed in: Windows 10 RS4 (17134)
  - How: Shell API update
Author: Oddvar Moe derivative
- Type: Elevated COM interface
- Method: IColorDataProxy, ICMLuaUtil
- Target(s): Attacker defined
- Component(s): Attacker defined
- Implementation: ucmDccwCOMMethod
- Works from: Windows vii (7600)
- Fixed in: unfixed ,
  - How: -
Author: bytecode77
- Type: Shell API
- Method: Environment variables expansion
- Target(s): Multiple auto-elevated processes
- Component(s): Various per target
- Implementation: ucmVolatileEnvMethod
- Works from: Windows vii (7600)
- Fixed in: Windows 10 RS3 (16299)
  - How: Current user organization directory variables ignored during procedure creation
Author: bytecode77
- Type: Shell API
- Method: Registry substitution manipulation
- Target(s): \system32\slui.exe
- Component(s): Attacker defined
- Implementation: ucmSluiHijackMethod
- Works from: Windows 8.1 (9600)
- Fixed in: unfixed ,
  - How: -
Author: Anonymous
- Type: Race Condition
- Method: Registry substitution manipulation
- Target(s): \system32\BitlockerWizardElev.exe
- Component(s): Attacker defined
- Implementation: ucmBitlockerRCMethod
- Works from: Windows vii (7600)
- Fixed in: Windows 10 RS4 (>16299)
  - How: Shell API update
Author: clavoillotte & 3gstudent
- Type: COM Handler Hijack
- Method: Registry substitution manipulation
- Target(s): \system32\mmc.exe
- Component(s): Attacker defined
- Implementation: ucmCOMHandlersMethod2
- Works from: Windows vii (7600)
- Fixed in: Windows 10 19H1 (18362)
  - How: Side upshot of Windows changes
Author: deroko
- Type: Elevated COM interface
- Method: ISPPLUAObject
- Target(s): Attacker defined
- Component(s): Attacker defined
- Implementation: ucmSPPLUAObjectMethod
- Works from: Windows vii (7600)
- Fixed in: Windows 10 RS5 (17763)
  - How: ISPPLUAObject interface method changed
Author: RinN
- Type: Elevated COM interface
- Method: ICreateNewLink
- Target(s): \system32\TpmInit.exe
- Component(s): WbemComn.dll
- Implementation: ucmCreateNewLinkMethod
- Works from: Windows vii (7600)
- Fixed in: Windows 10 RS1 (14393)
  - How: Side upshot of consent.exe COMAutoApprovalList introduction
Author: Anonymous
- Type: Elevated COM interface
- Method: IDateTimeStateWrite, ISPPLUAObject
- Target(s): w32time service
- Component(s): w32time.dll
- Implementation: ucmDateTimeStateWriterMethod
- Works from: Windows vii (7600)
- Fixed in: Windows 10 RS5 (17763)
  - How: Side upshot of ISPPLUAObject interface change
Author: bytecode77 derivative
- Type: Elevated COM interface
- Method: IAccessibilityCplAdmin
- Target(s): \system32\rstrui.exe
- Component(s): Attacker defined
- Implementation: ucmAcCplAdminMethod
- Works from: Windows vii (7600)
- Fixed in: Windows 10 RS4 (17134)
  - How: Shell API update
Author: David Wells
- Type: Whitelisted component
- Method: AipNormalizePath parsing abuse
- Target(s): Attacker defined
- Component(s): Attacker defined
- Implementation: ucmDirectoryMockMethod
- Works from: Windows vii (7600)
- Fixed in: unfixed ,
  - How: -
Author: Emeric Nasi
- Type: Shell API
- Method: Registry substitution manipulation
- Target(s): \system32\sdclt.exe
- Component(s): Attacker defined
- Implementation: ucmShellDelegateExecuteCommandMethod
- Works from: Windows 10 (14393)
- Fixed in: unfixed ,
  - How: -
Author: egre55
- Type: Dll Hijack
- Method: Dll path search abuse
- Target(s): \syswow64\SystemPropertiesAdvanced.exe in addition to other SystemProperties*.exe
- Component(s): \AppData\Local\Microsoft\WindowsApps\srrstr.dll
- Implementation: ucmEgre55Method
- Works from: Windows 10 (14393)
- Fixed in: unfixed ,
  - How: -
Author: James Forshaw
- Type: GUI Hack
- Method: UIPI bypass amongst token modification
- Target(s): \system32\osk.exe, \system32\msconfig.exe
- Component(s): Attacker defined
- Implementation: ucmTokenModUIAccessMethod
- Works from: Windows vii (7600)
- Fixed in: unfixed ,
  - How: -
Author: Hashim Jawad
- Type: Shell API
- Method: Registry substitution manipulation
- Target(s): \system32\WSReset.exe
- Component(s): Attacker defined
- Implementation: ucmShellDelegateExecuteCommandMethod
- Works from: Windows 10 (17134)
- Fixed in: unfixed ,
  - How: -
Author: Leo Davidson derivative past times Win32/Gapz
- Type: Dll Hijack
- Method: IFileOperation
- Target(s): \system32\sysprep\sysprep.exe
- Component(s): unattend.dll
- Implementation: ucmStandardAutoElevation
- Works from: Windows vii (7600)
- Fixed in: Windows 8.1 (9600)
  - How: sysprep.exe hardened LoadFrom manifest elements

Note:

Method (6) unavailable inwards wow64 surroundings starting from Windows 8;
Method (11) (54) implemented alone inwards x86-32 version;
Method (13) (19) (30) (38) (50) implemented alone inwards x64 version;
Method (14) require procedure injection, wow64 unsupported, utilisation x64 version of this tool;
Method (26) is silent working, notwithstanding it original payoff was UAC bypass on AlwaysNotify level. Since 15031 it is gone;
Method (30) require x64 because it abuses WOW64 subsystem feature;
Method (35) AlwaysNotify compatible every bit at that topographic point ever volition travel running autoelevated apps or user volition receive got to launch them anyway;
Method (38) require meshwork connectedness every bit it executes remote script located at github.com/hfiref0x/Beacon/blob/master/uac/exec.html;
Method (55) is non actually reliable (as whatsoever GUI hacks) in addition to included but for fun.

Run examples:

akagi32.exe 1
akagi64.exe 3
akagi32 1 c:\windows\system32\calc.exe
akagi64 iii c:\windows\system32\charmap.exe

Warning

This tool shows ONLY pop UAC bypass method used past times malware, in addition to reimplement around of them inwards a dissimilar agency improving original concepts. There are exists different, non yet known to full general populace methods, travel aware of this;
Using (5) method volition permanently plough off UAC (after reboot), brand certain to create this inwards assay out surroundings or don't forget to re-enable UAC after tool usage;
Using (5), (9) methods volition permanently compromise safety of target keys (UAC Settings substitution for (5) in addition to IFEO for (9)), if y'all create tests on your existent machine - restore keys safety manually after y'all consummate this tool usage;
This tool is non intended for AV tests in addition to non tested to operate inwards aggressive AV environment, if y'all silent programme to utilisation it amongst installed bloatware AV soft - y'all utilisation it at your ain risk;
Some AV may flag this tool every bit HackTool, MSE/WinDefender constantly marks it every bit malware, nope;
If y'all run this computer programme on existent figurer call upwards to take all computer programme leftovers after usage, for to a greater extent than information near files it drops to organization folders encounter source code;
Most of methods created for x64, amongst no x86-32 back upwards inwards mind. I don't encounter whatsoever feel inwards supporting 32 flake versions of Windows or wow64, notwithstanding amongst modest tweaks most of them volition run nether wow64 every bit well.

If y'all wondering why this silent be in addition to operate hither is the explanation, an official Microsoft WHITEFLAG (including totally incompetent statements every bit bonus) https://blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105

Windows 10 back upwards in addition to testing policy

EOL'ed versions of Windows 10 are non supported in addition to hence non tested (at instant of writing EOL'ed Windows 10 versions are: TH1 (10240), TH2 (10586));
Insider builds are non supported every bit methods may travel fixed there.

Protection

Account without administrative privileges.

Malware usage

It is currently known that UACMe used past times Adware/Multiplug (9), past times Win32/Dyre (3), past times Win32/Empercrypt (10 & 13), past times IcedID downloader (35 & 41). We create non accept whatsoever responsibleness for this tool usage inwards the malicious purposes. It is free, open-source in addition to provided AS-IS for everyone.

Other usage

Currently used every bit "signature" past times "THOR APT" scanner (handmade pattern matching fraudware from Germany). We create non accept whatsoever responsibleness for this tool usage inwards the fraudware;
The scamware projection called "uacguard" has references to UACMe from their platform. We create non accept whatsoever responsibleness for this tool usage inwards the scamware. The repository https://github.com/hfiref0x/UACME in addition to it contents are the alone genuine source for UACMe code. We receive got nix to create amongst external links to this project, mentions anywhere every bit good every bit modifications (forks);
In July 2016 so-called "security company" Cymmetria released written report near script-kiddie malware packet called "Patchwork" in addition to fake flagged it every bit APT. They stated it was using "UACME method", which inwards fact is but slightly in addition to unprofessionally modified injector dll from UACMe v1.9 in addition to was using Carberp/Pitou hybrid method inwards malware self-implemented way. We create non accept whatsoever responsibleness for UACMe usage inwards the dubious advertising campaigns from tertiary political party "security companies".

Build

UACMe comes amongst total source code, written inwards C amongst around parts written inwards C#;
In guild to create from source y'all demand Microsoft Visual Studio 2013/2015 U2 in addition to afterwards versions.

Instructions

Select Platform ToolSet start for projection inwards solution y'all desire to create (Project->Properties->General):
- v120 for Visual Studio 2013;
- v140 for Visual Studio 2015;
- v141 for Visual Studio 2017.
For v140 in addition to inwards a higher identify laid Target Platform Version (Project->Properties->General):
- If v140 in addition to so conduct 8.1 (Note that Windows 8.1 SDK must travel installed);
- If v141 in addition to so conduct 10.0.17134.0 (Note that Windows 10.0.17134 SDK must travel installed).
Note that Fujinami module built amongst .NET Framework 3.0 (this is requirement for it work), so .NET Framework 3.0 must travel installed if y'all desire to create this module.
Can travel built amongst SDK 8.1/10.17134/10.17763.

References

Windows vii UAC whitelist, http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
Malicious Application Compatibility Shims, https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf
Junfeng Zhang from WinSxS dev squad blog, https://blogs.msdn.microsoft.com/junfeng/
Beyond expert ol' Run key, serial of articles, http://www.hexacorn.com/blog
KernelMode.Info UACMe thread, http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3643
Command Injection/Elevation - Environment Variables Revisited, https://breakingmalware.com/vulnerabilities/command-injection-and-elevation-environment-variables-revisited
"Fileless" UAC Bypass Using eventvwr.exe in addition to Registry Hijacking, http://www.freebuf.com/articles/system/116611.html
Bypassing UAC using App Paths, /search?q=accessing-access-tokens-for-uiaccess
First entry: Welcome in addition to fileless UAC bypass, /search?q=accessing-access-tokens-for-uiaccess
/search?q=accessing-access-tokens-for-uiaccess
/search?q=accessing-access-tokens-for-uiaccess
Research on CMSTP.exe, https://msitpros.com/?p=3960
UAC bypass via elevated .NET applications, https://offsec.provadys.com/UAC-bypass-dotnet.html
UAC Bypass past times Mocking Trusted Directories, https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
Yet around other sdclt UAC bypass, http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
UAC Bypass via SystemPropertiesAdvanced.exe in addition to DLL Hijacking, https://egre55.github.io/system-properties-uac-bypass/
Accessing Access Tokens for UIAccess, /search?q=accessing-access-tokens-for-uiaccess
Fileless UAC Bypass inwards Windows Store Binary, /search?q=accessing-access-tokens-for-uiaccess

Authors
(c) 2014 - 2019 UACMe Project

Download UACME

Nexus

Uacme - Defeating Windows User Trouble Organisation Human Relationship Control

Recent Posts

Facebook

Nexus

Uacme - Defeating Windows User Trouble Organisation Human Relationship Control

You Might Also Like

Recent Posts

Facebook