A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #24658  by EP_X0FF
 Fri Dec 19, 2014 6:19 am
Inspired by ITW WinNT/Pitou legacy MBR x86-64 bootkit dropper.

Before anything else read this excellent work -> Windows 7 UAC whitelist, read it carefully as it explains everything especially why Windows User Account Control is a big fucken marketing joke from Microsoft just like DSE.

Below is our variant of his work with removal of all C++ trash and adapting different UAC bypass method from WinNT/Pitou (bootkit authors also used as base Leo Davidson work).

The only setting UAC somehow is able to show itself - if they are set on maximum. But here revealed another Microsoft UAC architecture flaw by design - even when it blocks something, it cannot properly determine what it blocked, representing possible malicious actions as taken by Microsoft, facepalm. Will you trust verified Microsoft action with verified digital certificate from Microsoft?

Supported Windows version, all from 7xxx builds up to latest so "confidential" MS build 9901.

Project overview:

Win32 and x64 configurations.
Compiled in MSVS 2013 U4, used pure C, compiled as C++
No additional dependencies.
All libs in attach.

Debug builds configurations present only for debugging stuff not for UAC bypass stage execution (shellcode will be screwed up).
Require Heavens Gate adaptation for proper work from Win32 app under WOW64, if you don't know what is HG then skip this moment.

x64 loader VT
https://www.virustotal.com/en/file/78ca ... 418968668/

x86-32 loader VT
https://www.virustotal.com/en/file/9795 ... 418968812/

Screeenshots taken from Windows 10 TP build 9901
uac101.png
uac101.png (325.47 KiB) Viewed 2420 times
uac102.png
uac102.png (215.73 KiB) Viewed 2420 times
Last edited by EP_X0FF on Sun Mar 29, 2015 8:48 am, edited 1 time in total. Reason: removed attach, see http://www.kernelmode.info/forum/viewtopic.php?p=25523#p25523 for more info
 #24661  by sww
 Fri Dec 19, 2014 9:22 am
NytroRST wrote:It does not work for "Always notify".
For the default settings I get the following error:
It looks like something is blocking it. LOL.
 #24666  by Vrtule
 Fri Dec 19, 2014 1:20 pm
Hello EP_X0FF,

thanks for sharing the code. In the past, I was playing with the "original" code downloadable from the link in your post, I also removed all of the C++ stuff and was able to make it working on Windows 7 with with code about seven times smallwer than the original.

It would be interesting to look at what prevented my demo from working on Windows 8+.
 #24667  by EP_X0FF
 Fri Dec 19, 2014 1:27 pm
Vrtule wrote:It would be interesting to look at what prevented my demo from working on Windows 8+.

MS answer on your question by direct message in the w8+ sysprep.exe manifest.
Code: Select all
</asmv3:application>
  <!--
      Specifically load these DLLs from the specified path. This
      is done as a defence-in-depth approach to closing a known UAC
      exploit related to Sysprep.exe being auto-elevated. The list
      need not contain KnownDlls since those are always loaded
      by the loader from the system directory.
  -->
  <file
      loadFrom="%systemroot%\system32\actionqueue.dll"
      name="actionqueue.dll"
      />
  <file
      loadFrom="%systemroot%\system32\bcryptprimitives.dll"
      name="bcryptprimitives.dll"
      />
  <file
      loadFrom="%systemroot%\system32\cryptbase.dll"
      name="cryptbase.dll"
      />
  <file
      loadFrom="%systemroot%\system32\unattend.dll"
      name="unattend.dll"
      />
  <file
      loadFrom="%systemroot%\system32\wdscore.dll"
      name="wdscore.dll"
      />
Even if they manage to fix setupsqm.exe in the same way, there still will be the ways to defeat UAC until this whitelist exists.
Not redesign application but add yet another "defence-in-depth" crutch (in favorite MS style).
 #24673  by EP_X0FF
 Sat Dec 20, 2014 4:43 am
kmd wrote:hehe nice work, interesting non-technical discuss here http://www.wilderssecurity.com/threads/ ... ol.371439/ got some lulz from there :lol:
do u have pitou dropper hash?
If you mean safegay post, where he copy-pasted my link and then copy-pasted links from source then it is typical wilderssecurity user who masturbate all the day on his bloatware security setup and meditating on mass media mantras from guys like M.Russinovich. There are no problem with them as they do not know anything about the system they use, except what officials told them. As for "Integrity Levels" bullshit and overall Mark post then - Russinovich were never security expert for start. All his contribution to Windows users ended 1 November 2006, when he was buyed by Microsoft, to provide mass media propaganda, as they critically required good and very well known media speaker with reputation who can help with their failured Vista, crappy Windows XP No Security Edition and further versions. When this was accomplished with Seven release he was moved to somewhere where he can do anything else - Azure. I can tell you this because we actually were at sysinternals for a long time (almost 4 years) and saw all the stuff happened after MS acquired Mark. Haha, you can't believe but that was main reason this site was created - when new MS administration censored all the security discussions on sysinternals and forum was flooded with fat trolls, including one idiot from wilders SystemPro.

As for UAC as security feature, it is a joke because we have:
1) Exploits for Windows 7 (that still works - what so hard to patch Windows 7?), available from earlier builds up to current full patched state. Abused ITW by multiple malware. Patched only in Win8, see post above.
2) Exploits for Windows 8/8.1/10TP available since Windows 8 release and not patched too.
Timeline 2009-2014 idiots still thinking UAC is good because Mark blah(1000$)blah(2000$)blah(100000$) told them so, he can't be wrong isn't it? UAC useful? No it is not, prooflink can be found in ITW malware, mostly bootkits. What to do? Turn it on the maximum level and pray it will work (ops malware actions can be verified by Microsoft), or switch to the regular user FINALLY where all this trash unavailable by Windows NT original design.
  • 1
  • 2
  • 3
  • 4
  • 5
  • 14