Go Back   Exetools > General > Source Code


Thread Tools Display Modes
Prev Previous Post   Next Post Next
Old 03-29-2015, 18:32
Insid3Code's Avatar
Insid3Code Insid3Code is offline
Join Date: May 2013
Location: Algeria
Posts: 84
Rept. Given: 47
Rept. Rcvd 60 Times in 30 Posts
Thanks Given: 24
Thanks Rcvd at 108 Times in 56 Posts
Insid3Code Reputation: 60
[C/C++] UACME (kernelmode.info)

Defeating Windows User Account Control from kernelmode.info.

Defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor.
PHP Code:
System Requirements
x86-32/x64 Windows 7/8/8.1/10.
Admin account with UAC set on default settings required.

Run executable from command line with following keys (watch debug ouput with dbgview or similar for more info):

1 - Leo Davidson sysprep method, this will work only on Windows 7 and Windows 8, used in multiple malware;
2 - Tweaked Leo Davidson sysprep method, this will work only on Windows 8.1;
3 - Leo Davidson method tweaked by WinNT/Pitou developers, works from Windows 7 up to Windows 10 b10041;
4 - Application Compatibility Shim RedirectEXE method, from WinNT/Gootkit. Works from Windows 7 up to Windows 8.1;
5 - ISecurityEditor WinNT/Simda method, used to turn off UAC, works from Windows 7 up to Windows 10 b10041.
6 - Wusa method used by Win32/Carberp, tweaked to work with Windows 8/8.1 also.

Methods (1), (2), (3), (5) require process injection, so they won't work from wow64, you need either Heavens gate or use x64 edition of this tool;
Method (4) unavailable in 64 bit edition because of Shim restriction.
Method (6) unavailable in wow64 environment starting from Windows 8. Also target application absent in recent Windows 10 TP 10041 build.

Run examples:
akagi32.exe 1
akagi64.exe 3

Using (5) method will permanently turn off UAC (after reboot), make sure to do this in test environment or don't forget to re-enable UAC after tool usage;
This tool is not intended for AV tests and not tested to work in aggressive AV environment, if you still plan to use it with installed bloatware AV soft - you use it at your own risk.

UAC turned on maximum level and full awareness about every window it will show;
Account without administrative privileges.

UACMe comes with full source code, written in C.
In order to build from source you need Microsoft Visual Studio 2013 U4 and later versions.

(c) 2014 - 2015 UACMe Project
PHP Code:
Computer Forensics
Reply With Quote
The Following User Gave Reputation+1 to Insid3Code For This Useful Post:
Computer_Angel (03-29-2015)
The Following User Says Thank You to Insid3Code For This Useful Post:
nimaarek (09-11-2017)

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On

Similar Threads
Thread Thread Starter Forum Replies Last Post
kernelmode.info (The End of Adventure) Insid3Code General Discussion 10 04-01-2018 07:21
VirtualBox Hardened Loader x64 (kernelmode.info) Insid3Code x64 OS 21 01-12-2018 10:40
DSEFix x64 (kernelmode.info) Insid3Code x64 OS 1 05-15-2017 01:53
[C/C++ ] VMDE (kernelmode.info) Insid3Code Source Code 0 03-18-2015 20:47
WinObjEx64 (kernelmode.info) Insid3Code Community Tools 1 03-02-2015 00:04

All times are GMT +8. The time now is 10:48.

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )