v 3.6.2

Method 75 added, see #130 for more info; Fix Win7 regression added in 3.6.1; Readme updated.
hfiref0x · Jul 9, 2022 · b0855e2 · b0855e2
1 parent af0b0d6
commit b0855e2
Show file tree

Hide file tree

Showing 26 changed files with 991 additions and 160 deletions.
diff --git a/LICENSE.md b/LICENSE.md
@@ -1,4 +1,4 @@
-Copyright (c) 2014 - 2022, UACMe authors
+Copyright (c) 2014 - 2022, UACMe Project
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:

diff --git a/README.md b/README.md
@@ -758,11 +758,21 @@ First parameter is number of method to use, second is optional command (executab
  * Method: IElevatedFactoryServer
  * Target(s): Attacker defined
  * Component(s): Attacker defined
- * Implementation: ucmVirtualFactoryServer
+ * Implementation: ucmVFServerTaskSchedMethod
  * Works from: Windows 8.1 (9600)
  * Fixed in: unfixed :see_no_evil:
  * How: -
  * Code status: added in v3.6.1
+75. Author: zcgonvh derivative by Wh04m1001
+ * Type: Elevated COM interface
+ * Method: IDiagnosticProfile
+ * Target(s): Attacker defined
+ * Component(s): Attacker defined
+ * Implementation: ucmVFServerDiagProfileMethod
+ * Works from: Windows 7 RTM (7600)
+ * Fixed in: unfixed :see_no_evil:
+ * How: -
+ * Code status: added in v3.6.2
 
 </details>
 

diff --git a/Source/Akagi/Resource.rc b/Source/Akagi/Resource.rc
diff --git a/Source/Akagi/console.c b/Source/Akagi/console.c
@@ -0,0 +1,125 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2022
+*
+* TITLE: CONSOLE.C
+*
+* VERSION: 3.62
+*
+* DATE: 08 Jul 2022
+*
+* Debug console.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+#include "global.h"
+
+HANDLE StdOutputHandle = NULL;
+
+pswprintf_s _swprintf_s = NULL;
+
+VOID ConsolePrint(
+ _In_ LPCWSTR Message
+)
+{
+ WriteConsole(StdOutputHandle, Message, (ULONG)_strlen(Message), NULL, NULL);
+}
+
+VOID ConsolePrintValueUlong(
+ _In_ LPCWSTR Message,
+ _In_ ULONG Value,
+ _In_ BOOL Hexademical
+)
+{
+ WCHAR szText[200];
+
+ if (_swprintf_s) {
+
+ _swprintf_s(szText, RTL_NUMBER_OF(szText),
+ Hexademical ? TEXT("%ws 0x%lX\r\n") : TEXT("%ws %lu\r\n"),
+ Message,
+ Value);
+
+ ConsolePrint(szText);
+ }
+}
+
+VOID ConsolePrintStatus(
+ _In_ LPCWSTR Message,
+ _In_ NTSTATUS Status
+)
+{
+ ConsolePrintValueUlong(Message, Status, TRUE);
+}
+
+VOID ConsoleInit(
+ VOID
+)
+{
+ WCHAR szBuffer[100];
+ HMODULE hNtdll = GetModuleHandle(L"ntdll.dll");
+
+ if (hNtdll == NULL || !AllocConsole())
+ return;
+
+ _swprintf_s = (pswprintf_s)GetProcAddress(hNtdll, "swprintf_s");
+ if (_swprintf_s == NULL)
+ return;
+
+ StdOutputHandle = GetStdHandle(STD_OUTPUT_HANDLE);
+ SetConsoleMode(StdOutputHandle, ENABLE_PROCESSED_OUTPUT |
+ ENABLE_VIRTUAL_TERMINAL_PROCESSING);
+
+ _swprintf_s(szBuffer, RTL_NUMBER_OF(szBuffer), TEXT("[*] UACMe v%lu.%lu.%lu.%lu\r\n"),
+ UCM_VERSION_MAJOR,
+ UCM_VERSION_MINOR,
+ UCM_VERSION_REVISION,
+ UCM_VERSION_BUILD);
+
+ SetConsoleTitle(szBuffer);
+}
+
+BOOL ConsoleIsKeyPressed(
+ _In_ WORD VirtualKeyCode
+)
+{
+ BOOL bResult = FALSE;
+ DWORD numberOfEvents = 0;
+ INPUT_RECORD inp1;
+ HANDLE nStdHandle = GetStdHandle(STD_INPUT_HANDLE);
+
+ GetNumberOfConsoleInputEvents(nStdHandle, &numberOfEvents);
+
+ if (numberOfEvents) {
+
+ PeekConsoleInput(nStdHandle, &inp1, 1, &numberOfEvents);
+
+ bResult = (numberOfEvents != 0 &&
+ inp1.EventType == KEY_EVENT &&
+ inp1.Event.KeyEvent.bKeyDown &&
+ inp1.Event.KeyEvent.wVirtualKeyCode == VirtualKeyCode);
+
+ FlushConsoleInputBuffer(nStdHandle);
+ }
+
+ return bResult;
+}
+
+VOID ConsoleRelease(
+ VOID
+)
+{
+ DWORD dwStop = GetTickCount() + (10 * 1000);
+
+ ConsolePrint(TEXT("[+] Press Enter to exit or wait few seconds and it will close automatically\r\n"));
+
+ while (!ConsoleIsKeyPressed(VK_RETURN) && GetTickCount() < dwStop)
+ Sleep(50);
+
+ FreeConsole();
+}
diff --git a/Source/Akagi/console.h b/Source/Akagi/console.h
@@ -0,0 +1,52 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2022
+*
+* TITLE: CONSOLE.H
+*
+* VERSION: 3.62
+*
+* DATE: 08 Jul 2022
+*
+* Debug console header file.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+#pragma once
+
+VOID ConsoleInit(
+ VOID);
+
+VOID ConsoleRelease(
+ VOID);
+
+VOID ConsolePrintStatus(
+ _In_ LPCWSTR Message,
+ _In_ NTSTATUS Status);
+
+VOID ConsolePrint(
+ _In_ LPCWSTR Message);
+
+VOID ConsolePrintValueUlong(
+ _In_ LPCWSTR Message,
+ _In_ ULONG Value,
+ _In_ BOOL Hexademical);
+
+#ifdef _UCM_CONSOLE
+#define ucmConsoleInit ConsoleInit
+#define ucmConsoleRelease ConsoleRelease
+#define ucmConsolePrintStatus ConsolePrintStatus
+#define ucmConsolePrint ConsolePrint
+#define ucmConsolePrintValueUlong ConsolePrintValueUlong
+#else
+#define ucmConsoleInit()
+#define ucmConsoleRelease()
+#define ucmConsolePrintStatus(Message, Status)
+#define ucmConsolePrint(Message)
+#define ucmConsolePrintValueUlong(Message, Value, Hexademical)
+#endif
diff --git a/Source/Akagi/global.h b/Source/Akagi/global.h
@@ -4,9 +4,9 @@
 *
 * TITLE: GLOBAL.H
 *
-* VERSION: 3.61
+* VERSION: 3.62
 *
-* DATE: 22 Jun 2022
+* DATE: 07 Jul 2022
 *
 * Common header file for the program support routines.
 *
@@ -82,6 +82,7 @@
 #include "compress.h"
 #include "aic.h"
 #include "stub.h"
+#include "console.h"
 #include "methods\methods.h"
 
 //default execution flow
@@ -108,6 +109,8 @@ typedef struct _UACME_CONTEXT {
 
  PVOID ucmHeap;
  pfnDecompressPayload DecompressRoutine;
+ pswprintf_s swprintf_s;
+
  UACME_FUSION_CONTEXT FusionContext;
  UACME_SHARED_CONTEXT SharedContext;
 

diff --git a/Source/Akagi/main.c b/Source/Akagi/main.c
@@ -26,39 +26,6 @@ PUACMECONTEXT g_ctx;
 //Image Base Address global variable
 HINSTANCE g_hInstance;
 
-#define ENABLE_OUTPUT
-#undef ENABLE_OUTPUT
-
-#ifdef ENABLE_OUTPUT
-VOID ucmShowVersion(
- VOID)
-{
- DWORD bytesIO;
- WCHAR szVersion[100];
-
-#ifdef _DEBUG
- if (!AllocConsole()) {
- return;
- }
-#else
- if (!AttachConsole(ATTACH_PARENT_PROCESS)) {
- return;
- }
-#endif
-
- RtlSecureZeroMemory(&szVersion, sizeof(szVersion));
- wsprintf(szVersion, TEXT("v%lu.%lu.%lu.%lu"),
- UCM_VERSION_MAJOR,
- UCM_VERSION_MINOR,
- UCM_VERSION_REVISION,
- UCM_VERSION_BUILD);
-
- WriteConsole(GetStdHandle(STD_OUTPUT_HANDLE), &szVersion, _strlen(szVersion), &bytesIO, NULL);
-
- FreeConsole();
-}
-#endif
-
 /*
 * ucmInit
 *
@@ -90,6 +57,8 @@ NTSTATUS ucmInit(
 
  wdCheckEmulatedVFS();
 
+ ucmConsoleInit();
+
  bytesIO = 0;
  RtlQueryElevationFlags(&bytesIO);
  if ((bytesIO & DBG_FLAG_ELEVATION_ENABLED) == 0)
@@ -109,9 +78,6 @@ NTSTATUS ucmInit(
  RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
  GetCommandLineParam(GetCommandLine(), 1, szBuffer, MAX_PATH, &bytesIO);
  if (bytesIO == 0) {
-#ifdef ENABLE_OUTPUT
- ucmShowVersion();
-#endif
  return STATUS_INVALID_PARAMETER;
  }
 
@@ -193,6 +159,8 @@ NTSTATUS WINAPI ucmMain(
  OptionalParameter,
  OptionalParameterLength);
 
+ ucmConsolePrintStatus(TEXT("[*] ucmInit"), Status);
+
  if (!NT_SUCCESS(Status))
  return Status;
 
@@ -212,5 +180,15 @@ NTSTATUS WINAPI ucmMain(
 #pragma comment(linker, "/ENTRY:main")
 VOID __cdecl main()
 {
+#ifdef _UCM_CONSOLE
+ ULONG result;
+
+ result = StubInit(ucmMain);
+ ucmConsolePrintValueUlong(TEXT("[+] ucmMain"), result, TRUE);
+ ucmConsoleRelease();
+ ExitProcess(result);
+
+#else
  ExitProcess(StubInit(ucmMain));
+#endif
 }
diff --git a/Source/Akagi/methods/comsup.h b/Source/Akagi/methods/comsup.h
@@ -4,9 +4,9 @@
 *
 * TITLE: COMSUP.H
 *
-* VERSION: 3.61
+* VERSION: 3.62
 *
-* DATE: 22 Jun 2022
+* DATE: 04 Jul 2022
 *
 * Prototypes and definitions for COM interfaces and routines.
 *

diff --git a/Source/Akagi/methods/elvint.h b/Source/Akagi/methods/elvint.h
@@ -4,9 +4,9 @@
 *
 * TITLE: ELVINT.H
 *
-* VERSION: 3.61
+* VERSION: 3.62
 *
-* DATE: 22 Jun 2022
+* DATE: 04 Jul 2022
 *
 * Prototypes and definitions for elevated interface methods.
 *
@@ -481,7 +481,7 @@ typedef struct IElevatedFactoryServerVtbl {
 
  END_INTERFACE
 
-} *PIElevatedFactoryServerVtbll;
+} *PIElevatedFactoryServerVtbl;
 
 // INTERFACE DEF