渗透工具UACMe:通过滥用内置的Windows AutoElevate后门来击败Windows用户帐户控制。

文档中心

Git地址：

hfiref0x/UACME：击败 Windows 用户帐户控制 (github.com)

UACMe

通过滥用内置的Windows AutoElevate后门来击败Windows用户帐户控制。

系统要求

x86-32/x64 Windows 7/8/8.1/10（客户端，但某些方法也适用于服务器版本）。
管理员帐户，其中 UAC 设置为默认设置，需要。

用法

从命令行运行可执行文件：akagi32 [Key] [Param] 或 akagi64 [Key] [Param]。有关详细信息，请参阅下面的“运行示例”。

第一个参数是要使用的方法的数量，第二个是要运行的可选命令（可执行文件名，包括完整路径）。第二个参数可以为空 - 在这种情况下，程序将从system32文件夹中执行提升的cmd.exe。

注意：从3.5.0版本开始，所有“固定”方法都被视为过时，并与所有支持代码/单元一起完全删除。如果仍需要它们，请使用 v3.2.x 分支

Author: Leo Davidson

Type: Dll Hijack

Method: IFileOperation

Target(s): \system32\sysprep\sysprep.exe

Component(s): cryptbase.dll

Implementation: ucmStandardAutoElevation

Works from: Windows 7 (7600)

Fixed in: Windows 8.1 (9600)

How: sysprep.exe hardened LoadFrom manifest elements

Code status: removed starting from v3.5.0 🚜

Author: Leo Davidson derivative

Type: Dll Hijack

Method: IFileOperation

Target(s): \system32\sysprep\sysprep.exe

Component(s): ShCore.dll

Implementation: ucmStandardAutoElevation

Works from: Windows 8.1 (9600)

Fixed in: Windows 10 TP (> 9600)

How: Side effect of ShCore.dll moving to \KnownDlls

Code status: removed starting from v3.5.0 🚜

Author: Leo Davidson derivative by WinNT/Pitou

Type: Dll Hijack

Method: IFileOperation

Target(s): \system32\oobe\setupsqm.exe

Component(s): WdsCore.dll

Implementation: ucmStandardAutoElevation

Works from: Windows 7 (7600)

Fixed in: Windows 10 TH2 (10558)

How: Side effect of OOBE redesign

Code status: removed starting from v3.5.0 🚜

Author: Jon Ericson, WinNT/Gootkit, mzH

Type: AppCompat

Method: RedirectEXE Shim

Target(s): \system32\cliconfg.exe

Component(s): -

Implementation: ucmShimRedirectEXE

Works from: Windows 7 (7600)

Fixed in: Windows 10 TP (> 9600)

How: Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for rest Windows versions

Code status: removed starting from v3.5.0 🚜

Author: WinNT/Simda

Type: Elevated COM interface

Method: ISecurityEditor

Target(s): HKLM registry keys

Component(s): -

Implementation: ucmSimdaTurnOffUac

Works from: Windows 7 (7600)

Fixed in: Windows 10 TH1 (10147)

How: ISecurityEditor interface method changed

Code status: removed starting from v3.5.0 🚜

Author: Win32/Carberp

Type: Dll Hijack

Method: WUSA

Target(s): \ehome\mcx2prov.exe, \system32\migwiz\migwiz.exe

Component(s): WdsCore.dll, CryptBase.dll, CryptSP.dll

Implementation: ucmWusaMethod

Works from: Windows 7 (7600)

Fixed in: Windows 10 TH1 (10147)

How: WUSA /extract option removed

Code status: removed starting from v3.5.0 🚜

Author: Win32/Carberp derivative

Type: Dll Hijack

Method: WUSA

Target(s): \system32\cliconfg.exe

Component(s): ntwdblib.dll

Implementation: ucmWusaMethod

Works from: Windows 7 (7600)

Fixed in: Windows 10 TH1 (10147)

How: WUSA /extract option removed

Code status: removed starting from v3.5.0 🚜

Author: Leo Davidson derivative by Win32/Tilon

Type: Dll Hijack

Method: IFileOperation

Target(s): \system32\sysprep\sysprep.exe

Component(s): Actionqueue.dll

Implementation: ucmStandardAutoElevation

Works from: Windows 7 (7600)

Fixed in: Windows 8.1 (9600)

How: sysprep.exe hardened LoadFrom manifest

Code status: removed starting from v3.5.0 🚜

Author: Leo Davidson, WinNT/Simda, Win32/Carberp derivative

Type: Dll Hijack

Method: IFileOperation, ISecurityEditor, WUSA

Target(s): IFEO registry keys, \system32\cliconfg.exe

Component(s): Attacker defined Application Verifier Dll

Implementation: ucmAvrfMethod

Works from: Windows 7 (7600)

Fixed in: Windows 10 TH1 (10147)

How: WUSA /extract option removed, ISecurityEditor interface method changed

Code status: removed starting from v3.5.0 🚜

Author: WinNT/Pitou, Win32/Carberp derivative

Type: Dll Hijack

Method: IFileOperation, WUSA

Target(s): \system32\{New}or{Existing}\{autoelevated}.exe, e.g. winsat.exe

Component(s): Attacker defined dll, e.g. PowProf.dll, DevObj.dll

Implementation: ucmWinSATMethod

Works from: Windows 7 (7600)

Fixed in: Windows 10 TH2 (10548)

How: AppInfo elevated application path control hardening

Code status: removed starting from v3.5.0 🚜

Author: Jon Ericson, WinNT/Gootkit, mzH

Type: AppCompat

Method: Shim Memory Patch

Target(s): \system32\iscsicli.exe

Component(s): Attacker prepared shellcode

Implementation: ucmShimPatch

Works from: Windows 7 (7600)

Fixed in: Windows 8.1 (9600)

How: Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for rest Windows versions

Code status: removed starting from v3.5.0 🚜

Author: Leo Davidson derivative

Type: Dll Hijack

Method: IFileOperation

Target(s): \system32\sysprep\sysprep.exe

Component(s): dbgcore.dll

Implementation: ucmStandardAutoElevation

Works from: Windows 10 TH1 (10240)

Fixed in: Windows 10 TH2 (10565)

How: sysprep.exe manifest updated

Code status: removed starting from v3.5.0 🚜

Author: Leo Davidson derivative

Type: Dll Hijack

Method: IFileOperation

Target(s): \system32\mmc.exe EventVwr.msc

Component(s): elsext.dll

Implementation: ucmMMCMethod

Works from: Windows 7 (7600)

Fixed in: Windows 10 RS1 (14316)

How: Missing dependency removed

Code status: removed starting from v3.5.0 🚜

Author: Leo Davidson, WinNT/Sirefef derivative

Type: Dll Hijack

Method: IFileOperation

Target(s): \system\credwiz.exe, \system32\wbem\oobe.exe

Component(s): netutils.dll

Implementation: ucmSirefefMethod

Works from: Windows 7 (7600)

Fixed in: Windows 10 TH2 (10548)

How: AppInfo elevated application path control hardening

Code status: removed starting from v3.5.0 🚜

Author: Leo Davidson, Win32/Addrop, Metasploit derivative

Type: Dll Hijack

Method: IFileOperation

Target(s): \system32\cliconfg.exe

Component(s): ntwdblib.dll

Implementation: ucmGenericAutoelevation

Works from: Windows 7 (7600)

Fixed in: Windows 10 RS1 (14316)

How: Cliconfg.exe autoelevation removed

Code status: removed starting from v3.5.0 🚜

Author: Leo Davidson derivative

Type: Dll Hijack

Method: IFileOperation

Target(s): \system32\GWX\GWXUXWorker.exe, \system32\inetsrv\inetmgr.exe

Component(s): SLC.dll

Implementation: ucmGWX

Works from: Windows 7 (7600)

Fixed in: Windows 10 RS1 (14316)

How: AppInfo elevated application path control and inetmgr executable hardening

Code status: removed starting from v3.5.0 🚜

Author: Leo Davidson derivative

Type: Dll Hijack (Import forwarding)

Method: IFileOperation

Target(s): \system32\sysprep\sysprep.exe

Component(s): unbcl.dll

Implementation: ucmStandardAutoElevation2

Works from: Windows 8.1 (9600)

Fixed in: Windows 10 RS1 (14371)

How: sysprep.exe manifest updated

Code status: removed starting from v3.5.0 🚜

Author: Leo Davidson derivative

Type: Dll Hijack (Manifest)

Method: IFileOperation

Target(s): \system32\taskhost.exe, \system32\tzsync.exe (any ms exe without manifest)

Component(s): Attacker defined

Implementation: ucmAutoElevateManifest

Works from: Windows 7 (7600)

Fixed in: Windows 10 RS1 (14371)

How: Manifest parsing logic reviewed

Code status: removed starting from v3.5.0 🚜

Author: Leo Davidson derivative

Type: Dll Hijack

Method: IFileOperation

Target(s): \system32\inetsrv\inetmgr.exe

Component(s): MsCoree.dll

Implementation: ucmInetMgrMethod

Works from: Windows 7 (7600)

Fixed in: Windows 10 RS1 (14376)

How: inetmgr.exe executable manifest hardening, MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images

Code status: removed starting from v3.5.0 🚜

Author: Leo Davidson derivative

Type: Dll Hijack

Method: IFileOperation

Target(s): \system32\mmc.exe, Rsop.msc

Component(s): WbemComn.dll

Implementation: ucmMMCMethod

Works from: Windows 7 (7600)

Fixed in: Windows 10 RS3 (16232)

How: Target requires wbemcomn.dll to be signed by MS

Code status: removed starting from v3.5.0 🚜

Author: Leo Davidson derivative

Type: Dll Hijack

Method: IFileOperation, SxS DotLocal

Target(s): \system32\sysprep\sysprep.exe

Component(s): comctl32.dll

Implementation: ucmSXSMethod

Works from: Windows 7 (7600)

Fixed in: Windows 10 RS3 (16232)

How: MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images

Code status: removed starting from v3.5.0 🚜

Author: Leo Davidson derivative

Type: Dll Hijack

Method: IFileOperation, SxS DotLocal

Target(s): \system32\consent.exe

Component(s): comctl32.dll

Implementation: ucmSXSMethod

Works from: Windows 7 (7600)

Fixed in: unfixed 🙈

How: -

Code status: added in v2.5.0

Author: Leo Davidson derivative

Type: Dll Hijack

Method: IFileOperation

Target(s): \system32\pkgmgr.exe

Component(s): DismCore.dll

Implementation: ucmDismMethod

Works from: Windows 7 (7600)

Fixed in: unfixed 🙈

How: -

Code status: added in v2.5.1

Author: BreakingMalware

Type: Shell API

Method: Environment variables expansion

Target(s): \system32\CompMgmtLauncher.exe

Component(s): Attacker defined

Implementation: ucmCometMethod

Works from: Windows 7 (7600)

Fixed in: Windows 10 RS2 (15031)

How: CompMgmtLauncher.exe autoelevation removed

Code status: removed starting from v3.5.0 🚜

Author: Enigma0x3

Type: Shell API

Method: Registry key manipulation

Target(s): \system32\EventVwr.exe, \system32\CompMgmtLauncher.exe

Component(s): Attacker defined

Implementation: ucmHijackShellCommandMethod

Works from: Windows 7 (7600)

Fixed in: Windows 10 RS2 (15031)

How: EventVwr.exe redesigned, CompMgmtLauncher.exe autoelevation removed

Code status: removed starting from v3.5.0 🚜

Author: Enigma0x3

Type: Race Condition

Method: File overwrite

Target(s): %temp%\GUID\dismhost.exe

Component(s): LogProvider.dll

Implementation: ucmDiskCleanupRaceCondition

Works from: Windows 10 TH1 (10240)

AlwaysNotify compatible

Fixed in: Windows 10 RS2 (15031)

How: File security permissions altered

Code status: removed starting from v3.5.0 🚜

Author: ExpLife

Type: Elevated COM interface

Method: IARPUninstallStringLauncher

Target(s): Attacker defined

Component(s): Attacker defined

Implementation: ucmUninstallLauncherMethod

Works from: Windows 7 (7600)

Fixed in: Windows 10 RS3 (16199)

How: UninstallStringLauncher interface removed from COMAutoApprovalList

Code status: removed starting from v3.5.0 🚜

Author: Exploit/Sandworm

Type: Whitelisted component

Method: InfDefaultInstall

Target(s): Attacker defined

Component(s): Attacker defined

Implementation: ucmSandwormMethod

Works from: Windows 7 (7600)

Fixed in: Windows 8.1 (9600)

How: InfDefaultInstall.exe removed from g_lpAutoApproveEXEList (MS14-060)

Code status: removed starting from v3.5.0 🚜

Author: Enigma0x3

Type: Shell API

Method: Registry key manipulation

Target(s): \system32\sdclt.exe

Component(s): Attacker defined

Implementation: ucmAppPathMethod

Works from: Windows 10 TH1 (10240)

Fixed in: Windows 10 RS3 (16215)

How: Shell API update

Code status: removed starting from v3.5.0 🚜

Author: Leo Davidson derivative, lhc645

Type: Dll Hijack

Method: WOW64 logger

Target(s): \syswow64\{any elevated exe, e.g wusa.exe}

Component(s): wow64log.dll

Implementation: ucmWow64LoggerMethod

Works from: Windows 7 (7600)

Fixed in: unfixed 🙈

How: -

Code status: added in v2.7.0

Author: Enigma0x3

Type: Shell API

Method: Registry key manipulation

Target(s): \system32\sdclt.exe

Component(s): Attacker defined

Implementation: ucmSdcltIsolatedCommandMethod

Works from: Windows 10 TH1 (10240)

Fixed in: Windows 10 RS4 (17025)

How: Shell API / Windows components update

Code status: removed starting from v3.5.0 🚜

Author: xi-tauw

Type: Dll Hijack

Method: UIPI bypass with uiAccess application

Target(s): \Program Files\Windows Media Player\osk.exe, \system32\EventVwr.exe, \system32\mmc.exe

Component(s): duser.dll, osksupport.dll

Implementation: ucmUiAccessMethod

Works from: Windows 7 (7600)

Fixed in: unfixed 🙈

How: -

Code status: added in v2.7.1

Author: winscripting.blog

Type: Shell API

Method: Registry key manipulation

Target(s): \system32\fodhelper.exe

Component(s): Attacker defined

Implementation: ucmShellRegModMethod

Works from: Windows 10 TH1 (10240)

Fixed in: unfixed 🙈

How: -

Code status: added in v2.7.2

Author: James Forshaw

Type: Shell API

Method: Environment variables expansion

Target(s): \system32\svchost.exe via \system32\schtasks.exe

Component(s): Attacker defined

Implementation: ucmDiskCleanupEnvironmentVariable

Works from: Windows 8.1 (9600)

AlwaysNotify compatible

Fixed in: unfixed 🙈

How: -

Code status: added in v2.7.2

Author: CIA & James Forshaw

Type: Impersonation

Method: Token Manipulations

Target(s): Autoelevated applications

Component(s): Attacker defined

Implementation: ucmTokenModification

Works from: Windows 7 (7600)

AlwaysNotify compatible, see note

Fixed in: Windows 10 RS5 (17686)

How: ntoskrnl.exe->SeTokenCanImpersonate additional access token check added

Code status: removed starting from v3.5.0 🚜

Author: Thomas Vanhoutte aka SandboxEscaper

Type: Race condition

Method: NTFS reparse point & Dll Hijack

Target(s): wusa.exe, pkgmgr.exe

Component(s): Attacker defined

Implementation: ucmJunctionMethod

Works from: Windows 7 (7600)

Fixed in: unfixed 🙈

How: -

Code status: added in v2.7.4

Author: Ernesto Fernandez, Thomas Vanhoutte

Type: Dll Hijack

Method: SxS DotLocal, NTFS reparse point

Target(s): \system32\dccw.exe

Component(s): GdiPlus.dll

Implementation: ucmSXSDccwMethod

Works from: Windows 7 (7600)

Fixed in: unfixed 🙈

How: -

Code status: added in v2.7.5

Author: Clement Rouault

Type: Whitelisted component

Method: APPINFO command line spoofing

Target(s): \system32\mmc.exe

Component(s): Attacker defined

Implementation: ucmHakrilMethod

Works from: Windows 7 (7600)

Fixed in: unfixed 🙈

How: -

Code status: added in v2.7.6

Author: Stefan Kanthak

Type: Dll Hijack

Method: .NET Code Profiler

Target(s): \system32\mmc.exe

Component(s): Attacker defined

Implementation: ucmCorProfilerMethod

Works from: Windows 7 (7600)

Fixed in: unfixed 🙈

How: -

Code status: added in v2.7.7

Author: Ruben Boonen

Type: COM Handler Hijack

Method: Registry key manipulation

Target(s): \system32\mmc.exe, \system32\recdisc.exe

Component(s): Attacker defined

Implementation: ucmCOMHandlersMethod

Works from: Windows 7 (7600)

Fixed in: Windows 10 19H1 (18362)

How: Side effect of Windows changes

Code status: removed starting from v3.5.0 🚜

Author: Oddvar Moe

Type: Elevated COM interface

Method: ICMLuaUtil

Target(s): Attacker defined

Component(s): Attacker defined

Implementation: ucmCMLuaUtilShellExecMethod

Works from: Windows 7 (7600)

Fixed in: unfixed 🙈

How: -

Code status: added in v2.7.9

Author: BreakingMalware and Enigma0x3

Type: Elevated COM interface

Method: IFwCplLua

Target(s): Attacker defined

Component(s): Attacker defined

Implementation: ucmFwCplLuaMethod

Works from: Windows 7 (7600)

Fixed in: Windows 10 RS4 (17134)

How: Shell API update

Code status: removed starting from v3.5.0 🚜

Author: Oddvar Moe derivative

Type: Elevated COM interface

Method: IColorDataProxy, ICMLuaUtil

Target(s): Attacker defined

Component(s): Attacker defined

Implementation: ucmDccwCOMMethod

Works from: Windows 7 (7600)

Fixed in: unfixed 🙈

How: -

Code status: added in v2.8.3

Author: bytecode77

Type: Shell API

Method: Environment variables expansion

Target(s): Multiple auto-elevated processes

Component(s): Various per target

Implementation: ucmVolatileEnvMethod

Works from: Windows 7 (7600)

Fixed in: Windows 10 RS3 (16299)

How: Current user system directory variables ignored during process creation

Code status: removed starting from v3.5.0 🚜

Author: bytecode77

Type: Shell API

Method: Registry key manipulation

Target(s): \system32\slui.exe

Component(s): Attacker defined

Implementation: ucmSluiHijackMethod

Works from: Windows 8.1 (9600)

Fixed in: Windows 10 20H1 (19041)

How: Side effect of Windows changes

Code status: removed starting from v3.5.0 🚜

Author: Anonymous

Type: Race Condition

Method: Registry key manipulation

Target(s): \system32\BitlockerWizardElev.exe

Component(s): Attacker defined

Implementation: ucmBitlockerRCMethod

Works from: Windows 7 (7600)

Fixed in: Windows 10 RS4 (>16299)

How: Shell API update

Code status: removed starting from v3.5.0 🚜

Author: clavoillotte & 3gstudent

Type: COM Handler Hijack

Method: Registry key manipulation

Target(s): \system32\mmc.exe

Component(s): Attacker defined

Implementation: ucmCOMHandlersMethod2

Works from: Windows 7 (7600)

Fixed in: Windows 10 19H1 (18362)

How: Side effect of Windows changes

Code status: removed starting from v3.5.0 🚜

Author: deroko

Type: Elevated COM interface

Method: ISPPLUAObject

Target(s): Attacker defined

Component(s): Attacker defined

Implementation: ucmSPPLUAObjectMethod

Works from: Windows 7 (7600)

Fixed in: Windows 10 RS5 (17763)

How: ISPPLUAObject interface method changed

Code status: removed starting from v3.5.0 🚜

Author: RinN

Type: Elevated COM interface

Method: ICreateNewLink

Target(s): \system32\TpmInit.exe

Component(s): WbemComn.dll

Implementation: ucmCreateNewLinkMethod

Works from: Windows 7 (7600)

Fixed in: Windows 10 RS1 (14393)

How: Side effect of consent.exe COMAutoApprovalList introduction

Code status: removed starting from v3.5.0 🚜

Author: Anonymous

Type: Elevated COM interface

Method: IDateTimeStateWrite, ISPPLUAObject

Target(s): w32time service

Component(s): w32time.dll

Implementation: ucmDateTimeStateWriterMethod

Works from: Windows 7 (7600)

Fixed in: Windows 10 RS5 (17763)

How: Side effect of ISPPLUAObject interface change

Code status: removed starting from v3.5.0 🚜

Author: bytecode77 derivative

Type: Elevated COM interface

Method: IAccessibilityCplAdmin

Target(s): \system32\rstrui.exe

Component(s): Attacker defined

Implementation: ucmAcCplAdminMethod

Works from: Windows 7 (7600)

Fixed in: Windows 10 RS4 (17134)

How: Shell API update

Code status: removed starting from v3.5.0 🚜

Author: David Wells

Type: Whitelisted component

Method: AipNormalizePath parsing abuse

Target(s): Attacker defined

Component(s): Attacker defined

Implementation: ucmDirectoryMockMethod

Works from: Windows 7 (7600)

Fixed in: unfixed 🙈

How: -

Code status: added in v3.0.4

Author: Emeric Nasi

Type: Shell API

Method: Registry key manipulation

Target(s): \system32\sdclt.exe

Component(s): Attacker defined

Implementation: ucmShellRegModMethod

Works from: Windows 10 (14393)

Fixed in: unfixed 🙈

How: -

Code status: added in v3.1.3

Author: egre55

Type: Dll Hijack

Method: Dll path search abuse

Target(s): \syswow64\SystemPropertiesAdvanced.exe and other SystemProperties*.exe

Component(s): \AppData\Local\Microsoft\WindowsApps\srrstr.dll

Implementation: ucmEgre55Method

Works from: Windows 10 (14393)

Fixed in: Windows 10 19H1 (18362)

How: SysDm.cpl!_CreateSystemRestorePage has been updated for secured load library call

Code status: removed starting from v3.5.0 🚜

Author: James Forshaw

Type: GUI Hack

Method: UIPI bypass with token modification

Target(s): \system32\osk.exe, \system32\msconfig.exe

Component(s): Attacker defined

Implementation: ucmTokenModUIAccessMethod

Works from: Windows 7 (7600)

Fixed in: unfixed 🙈

How: -

Code status: added in v3.1.5

Author: Hashim Jawad

Type: Shell API

Method: Registry key manipulation

Target(s): \system32\WSReset.exe

Component(s): Attacker defined

Implementation: ucmShellRegModMethod2

Works from: Windows 10 (17134)

Fixed in: Windows 11 (22000)

How: Windows components redesign

Code status: removed starting from v3.5.7 🚜

Author: Leo Davidson derivative by Win32/Gapz

Type: Dll Hijack

Method: IFileOperation

Target(s): \system32\sysprep\sysprep.exe

Component(s): unattend.dll

Implementation: ucmStandardAutoElevation

Works from: Windows 7 (7600)

Fixed in: Windows 8.1 (9600)

How: sysprep.exe hardened LoadFrom manifest elements

Code status: removed starting from v3.5.0 🚜

Author: RinN

Type: Elevated COM interface

Method: IEditionUpgradeManager

Target(s): \system32\clipup.exe

Component(s): Attacker defined

Implementation: ucmEditionUpgradeManagerMethod

Works from: Windows 10 (14393)

Fixed in: unfixed 🙈

How: -

Code status: added in v3.2.0

Author: James Forshaw

Type: AppInfo ALPC

Method: RAiLaunchAdminProcess and DebugObject

Target(s): Attacker defined

Component(s): Attacker defined

Implementation: ucmDebugObjectMethod

Works from: Windows 7 (7600)

Fixed in: unfixed 🙈

How: -

Code status: added in v3.2.3

Author: Enigma0x3 derivative by WinNT/Glupteba

Type: Shell API

Method: Registry key manipulation

Target(s): \system32\CompMgmtLauncher.exe

Component(s): Attacker defined

Implementation: ucmGluptebaMethod

Works from: Windows 7 (7600)

Fixed in: Windows 10 RS2 (15063)

How: CompMgmtLauncher.exe autoelevation removed

Code status: removed starting from v3.5.0 🚜

Author: Enigma0x3/bytecode77 derivative by Nassim Asrir

Type: Shell API

Method: Registry key manipulation

Target(s): \system32\slui.exe, \system32\changepk.exe

Component(s): Attacker defined

Implementation: ucmShellRegModMethod

Works from: Windows 10 (14393)

Fixed in: unfixed 🙈

How: -

Code status: added in v3.2.5

Author: winscripting.blog

Type: Shell API

Method: Registry key manipulation

Target(s): \system32\computerdefaults.exe

Component(s): Attacker defined

Implementation: ucmShellRegModMethod

Works from: Windows 10 RS4 (17134)

Fixed in: unfixed 🙈

How: -

Code status: added in v3.2.6

Author: Arush Agarampur

Type: Dll Hijack

Method: ISecurityEditor

Target(s): Native Image Cache elements

Component(s): Attacker defined

Implementation: ucmNICPoisonMethod

Works from: Windows 7 (7600)

Fixed in: unfixed 🙈

How: -

Code status: added in v3.2.7

Author: Arush Agarampur

Type: Elevated COM interface

Method: IIEAxiAdminInstaller, IIEAxiInstaller2, IFileOperation

Target(s): IE add-on install cache

Component(s): Attacker defined

Implementation: ucmIeAddOnInstallMethod

Works from: Windows 7 (7600)

Fixed in: unfixed 🙈

How: -

Code status: added in v3.5.1

Author: Arush Agarampur

Type: Elevated COM interface

Method: IWscAdmin

Target(s): Shell Protocol Hijack

Component(s): Attacker defined

Implementation: ucmWscActionProtocolMethod

Works from: Windows 7 (7600)

Fixed in: unfixed 🙈

How: -

Code status: added in v3.5.2

Author: Arush Agarampur

Type: Elevated COM interface

Method: IFwCplLua, Shell Protocol Hijack

Target(s): Shell protocol registry entry and environment variables

Component(s): Attacker defined

Implementation: ucmFwCplLuaMethod2

Works from: Windows 7 (7600)

Fixed in: unfixed 🙈

How: -

Code status: added in v3.5.3

Author: Arush Agarampur

Type: Shell API

Method: Shell Protocol Hijack

Target(s): \system32\fodhelper.exe

Component(s): Attacker defined

Implementation: ucmMsSettingsProtocolMethod

Works from: Windows 10 TH1 (10240)

Fixed in: unfixed 🙈

How: -

Code status: added in v3.5.4

Author: Arush Agarampur

Type: Shell API

Method: Shell Protocol Hijack

Target(s): \system32\wsreset.exe

Component(s): Attacker defined

Implementation: ucmMsStoreProtocolMethod

Works from: Windows 10 RS5 (17763)

Fixed in: unfixed 🙈

How: -

Code status: added in v3.5.5

Author: Arush Agarampur

Type: Shell API

Method: Environment variables expansion, Dll Hijack

Target(s): \system32\taskhostw.exe

Component(s): pcadm.dll

Implementation: ucmPcaMethod

Works from: Windows 7 (7600)

AlwaysNotify compatible

Fixed in: unfixed 🙈

How: -

Code status: added in v3.5.6

Author: V3ded

Type: Shell API

Method: Registry key manipulation

Target(s): \system32\fodhelper.exe, \system32\computerdefaults.exe

Component(s): Attacker defined

Implementation: ucmShellRegModMethod3

Works from: Windows 10 (10240)

Fixed in: unfixed 🙈

How: -

Code status: added in v3.5.7

Author: Arush Agarampur

Type: Dll Hijack

Method: ISecurityEditor

Target(s): Native Image Cache elements

Component(s): Attacker defined

Implementation: ucmNICPoisonMethod2

Works from: Windows 7 RTM (7600)

Fixed in: unfixed 🙈

How: -

Code status: added in v3.5.8

Author: Emeric Nasi

Type: Dll Hijack

Method: Dll path search abuse

Target(s): \syswow64\msdt.exe, \system32\sdiagnhost.exe

Component(s): BluetoothDiagnosticUtil.dll

Implementation: ucmMsdtMethod

Works from: Windows 10 (10240)

Fixed in: unfixed 🙈

How: -

Code status: added in v3.5.9

注意：

方法（30）（63）及更高版本仅在x64版本中实现;
方法（30）需要x64，因为它滥用WOW64子系统功能;
方法（55）不是很可靠（就像任何GUI黑客一样），并且只是为了好玩而包含。

运行示例：

赤城32.exe 23
赤城64.exe 61
akagi32 23 c：\windows\system32\calc.exe
akagi64 61 c：\windows\system32\charmap.exe

注意：

方法（30）（63）及更高版本仅在x64版本中实现;
方法（30）需要x64，因为它滥用WOW64子系统功能;
方法（55）不是很可靠（就像任何GUI黑客一样），并且只是为了好玩而包含。

运行示例：

赤城32.exe 23
赤城64.exe 61
akagi32 23 c：\windows\system32\calc.exe
akagi64 61 c：\windows\system32\charmap.exe

警告

此工具仅显示恶意软件使用的流行的UAC绕过方法，并以不同的方式重新实现其中一些方法，以改善原始概念。有不同的，尚不为公众所知的方法。请注意这一点;
此工具不适用于AV测试，并且未经测试可在激进的AV环境中工作，如果您仍然计划将其与已安装的膨胀软件AV软件一起使用 - 请自行承担使用风险;
一些AV可能会将此工具标记为HackTool，MSE / WinDefender不断将其标记为恶意软件，没有;
如果您在真实计算机上运行此程序，请记住在使用后删除所有程序剩余部分，有关它掉落到系统文件夹的文件的更多信息，请参阅源代码;
为 x64 创建的大多数方法，没有考虑 x86-32 支持。我认为支持32位版本的Windows或wow64没有任何意义，但是通过小的调整，它们中的大多数也将在wow64下运行。

如果您想知道为什么这仍然存在并且有效 - 这是解释 - 官方Microsoft WHITEFLAG（包括完全无能的声明作为奖励）There are really only two effectively distinct settings for the UAC slider - The Old New Thing

Windows 10 支持和测试策略

UACMe仅使用LSTB / LTSC变体（1607 / 1809）和最后RTM-1版本进行测试，例如，如果当前版本是2004年，它将在2004年（19041）和先前版本1909（18363）上进行测试;
不支持内部生成，因为方法可能已在此处修复。

保护

没有管理权限的帐户。

恶意软件使用情况

我们不对此工具在恶意目的中的使用承担任何责任。它是免费的，开源的，并为每个人提供原样。

其他用法

目前用作“THOR APT”扫描仪的“签名”（来自德国的手工图案匹配欺诈软件）。对于欺诈软件中此工具的使用，我们不承担任何责任;
存储库 GitHub - hfiref0x/UACME: Defeating Windows User Account Control，其内容是 UACMe 代码的唯一正版来源。我们与该项目的外部链接无关，在任何地方都提到以及修改（分叉）;
2016年7月，所谓的“安全公司”Cymmetria发布了有关名为“Patchwork”的脚本小子恶意软件捆绑包的报告，并将其错误地标记为APT。他们表示它正在使用“UACME方法”，实际上它只是UACMe v1.9中略微和不专业地修改的注入器dll，并且正在以恶意软件自我实现的方式使用Carberp / Pitou混合方法。对于在第三方“安全公司”的可疑广告活动中使用UACMe，我们不承担任何责任。

源代码

UACMe附带完整的源代码，用C语言编写;
为了从源代码构建，您需要Microsoft Visual Studio 2015及更高版本。

已编译的二进制文件

自 2.8.9 起不再提供，将来也永远不会提供。原因（以及为什么你也不应该向公众提供）：
- 如果你简单地看一下这个项目，它是一个HackTool，尽管最初的目标是成为一个演示者。当然，一些AV将其检测为HackTool（例如MS WD），但是大多数VirusTotal患者将其检测为通用“恶意软件”。这当然是不正确的，但是不幸的是，一些懒惰的恶意软件编写者盲目地将代码复制粘贴到他们的垃圾软件中（甚至直接使用此工具），因此一些AV根据项目代码部分创建了签名;
- 通过向每个人提供编译的二进制文件，您可以使脚本小子的生活变得更加轻松，因为需要从源代码编译对于非常愚蠢的脚本小子和“按钮点击器”来说是一个完美的障碍;
- 在存储库中编译二进制文件最终将导致各种内容过滤器（SmartScreen，Google安全浏览等）将此存储库页面标记为恶意（由于上述原因）。
此决定是最终决定，不会改变。

提示

首先为要生成的解决方案中的项目选择“平台工具集”（项目>属性>常规）：
- v140 for Visual Studio 2015;
- v141 for Visual Studio 2017;
- v142 for Visual Studio 2019.
对于 v140 及更高版本，设置目标平台版本（项目>属性>常规）：
- 如果选择 v140，则选择 8.1（请注意，必须安装 Windows 8.1 SDK）;
- 如果为 v141/v142，请选择“10”（请注意，必须安装 Windows 10 （19041） SDK）。
要构建工作二进制文件：
- 编译有效负载单位
- 编译 Naka 模块
- 使用 Naka 模块加密所有有效负载单元
- 使用 Naka 模块为这些单元生成秘密 blob
- 将编译的单元和秘密 blob 移动到 Akagi\Bin 目录
- 重建赤城

引用

Windows 7 UAC 白名单，Windows 7 UAC whitelist: Code-injection Issue (and more)
恶意应用程序兼容性填充程序，https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf
来自WinSxS开发团队博客的张俊峰，https://blogs.msdn.microsoft.com/junfeng/
除了好的运行键，系列文章，http://www.hexacorn.com/blog
KernelMode.Info UACMe 线程，https://www.kernelmode.info/forum/viewtopicf985.html?f=11&t=3643
命令注入/提升 - 重新访问环境变量，https://breakingmalware.com/vulnerabilities/command-injection-and-elevation-environment-variables-revisited
“无文件”UAC 绕过使用 eventvwr.exe和注册表劫持，“Fileless” UAC Bypass Using eventvwr.exe and Registry Hijacking | enigma0x3
使用磁盘清理绕过 Windows 10 上的 UAC，Bypassing UAC on Windows 10 using Disk Cleanup | enigma0x3
使用 IARPUninstallStringLauncher COM 接口绕过 UAC，访问的文章审核中... - FreeBuf网络安全行业门户
使用应用程序路径绕过 UAC，Bypassing UAC using App Paths | enigma0x3
使用 sdclt.exe https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ 的“无文件”UAC 旁路
UAC旁路或关于三个升级的故事，UAC Bypass или история о трех эскалациях / Habr
利用 UAC 绕过的计划任务中的环境变量，https://tyranidslair.blogspot.ru/2017/05/exploiting-environment-variables-in.html
第一个条目：欢迎和无文件 UAC 绕过，First entry: Welcome and fileless UAC bypass – winscripting.blog
阅读UAC的3个部分：
1. https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-1.html
2. https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-2.html
3. https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-3.html
关于CMSTP.exe的研究，Research on CMSTP.exe – MSitPros Blog
通过提升的 .NET 应用程序绕过 UAC，UAC bypass via elevated .NET applications - Almond Offensive Security Blog
通过模拟可信目录绕过 UAC，https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
另一个sdclt UAC旁路，http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
UAC绕过通过系统属性高级.exe和DLL劫持，SystemPropertiesAdvanced.exe DLL Hijacking UAC Bypass – egre55 – thoughts on security
访问 UIAccess 的访问令牌，https://tyranidslair.blogspot.com/2019/02/accessing-access-tokens-for-uiaccess.html
Windows 应用商店二进制文件中的无文件 UAC 绕过，https://www.activecyber.us/1/post/2019/03/windows-uac-bypass.html
从 .NET 调用本地 Windows RPC 服务器，https://googleprojectzero.blogspot.com/2019/12/calling-local-windows-rpc-servers-from.html
Microsoft Windows 10 UAC 绕过本地权限提升漏洞，Microsoft Windows 10 Local Privilege Escalation ≈ Packet Storm
UACMe 3.5，WD和缓解方法，https://swapcontext.blogspot.com/2020/10/uacme-35-wd-and-ways-of-mitigation.html
UAC 绕过 COMAutoApprovalList，https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html
将编程标识符（ProgID）用于 UAC 绕过、Utilizing Programmatic Identifiers (ProgIDs) for UAC Bypasses
MSDT DLL 劫持 UAC 绕过，MSDT DLL Hijack UAC bypass - Sevagas

🏹每日分享🏹：

人的自身比起财产和他人对自己的看法具有压倒性的优势；由此可知，注重保持身体健康和发挥个人自身才能比全力投入获得财富更为明智。但我们不应该把这一说法错误地理解为：我们不应在意去获得我们的生活必需品。

一《人生的智慧第一章基本的划分》

渗透工具UACMe:通过滥用内置的Windows AutoElevate后门来击败Windows用户帐户控制。

UACMe

系统要求

用法

警告

Windows 10 支持和测试策略

保护

恶意软件使用情况

其他用法

源代码

已编译的二进制文件

提示

引用

🏹每日分享🏹：

公告

标签

渗透工具UACMe:通过滥用内置的Windows AutoElevate后门来击败Windows用户帐户控制。

UACMe

系统要求

用法

警告

Windows 10 支持和测试策略

保护

恶意软件使用情况

其他用法

源代码

已编译的二进制文件

提示

引用

🏹每日分享🏹：

相关问题

公告

标签