
Windows 8.1 UAC Bypass

Posted: Sun Aug 24, 2014 2:06 pm
by TurlaBoy
Hey kernelmode,

I've successfully bypassed UAC restrictions with a technique found by this guy:

http://www.pretentiousname.com/misc/W7E ... tails.html

But when I try to do the same thing on Windows 8.1 (not with sysprep.exe, of course), my.dll is successfully mapped into the auto-elevated .exe, but then the process returns a 0xc000007b error. This guy managed to do it on Windows 8.1:

http://blog.cobaltstrike.com/2014/03/20 ... ould-know/

So my question is: are auto-elevated processes doing some kind of extra check for whitelisted DLLs or something?

Re: Windows 8.1 UAC Bypass

Posted: Sun Aug 24, 2014 2:58 pm
by EP_X0FF
And why do you need this?

Re: Windows 8.1 UAC Bypass

Posted: Sun Aug 24, 2014 3:14 pm
by TurlaBoy
EP_X0FF wrote:And why do you need this?
Because my reversing skills are quite limited, I do not understand why the autoelevated.exe exits with a 0xc000007b error: my.dll is successfully mapped in memory, but it looks like the DLL entry point is not called.

Re: Windows 8.1 UAC Bypass

Posted: Sun Aug 24, 2014 3:20 pm
by EP_X0FF
TurlaBoy wrote:
EP_X0FF wrote:And why do you need this?
Because my reversing skills are quite limited, I do not understand why the autoelevated.exe exits with a 0xc000007b error: my.dll is successfully mapped in memory, but it looks like the DLL entry point is not called.
http://msdn.microsoft.com/en-us/library/cc704588.aspx

0xC000007B
STATUS_INVALID_IMAGE_FORMAT
{Bad Image} %hs is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support.

UAC bypassing is only needed for malware purposes. That is what I was asking.

Re: Windows 8.1 UAC Bypass

Posted: Sun Aug 24, 2014 4:18 pm
by TurlaBoy
EP_X0FF wrote:
TurlaBoy wrote:
EP_X0FF wrote:And why do you need this?
Because my reversing skills are quite limited, I do not understand why the autoelevated.exe exits with a 0xc000007b error: my.dll is successfully mapped in memory, but it looks like the DLL entry point is not called.
http://msdn.microsoft.com/en-us/library/cc704588.aspx

0xC000007B
STATUS_INVALID_IMAGE_FORMAT
{Bad Image} %hs is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support.

UAC bypassing is only needed for malware purposes. That is what I was asking.
It's for pentesting, but I do not have the money to pay $2500 for a license. Well, I'm gonna try to reverse it, thanks.

Re: Windows 8.1 UAC Bypass

Posted: Mon Aug 25, 2014 4:07 am
by EP_X0FF
If you want to bypass the UAC window, then hook/overwrite RtlQueryElevationFlags and return 0 in the flags.

Re: Windows 8.1 UAC Bypass

Posted: Mon Aug 25, 2014 10:49 pm
by TurlaBoy
EP_X0FF wrote:If you want to bypass the UAC window, then hook/overwrite RtlQueryElevationFlags and return 0 in the flags.
I believe if I do this the process is not elevated. I've just found the solution to my problem: the Win8.1 PE loader works a little bit differently; I've changed a couple of things in my DLL and it worked :geek:

If you guys have any paper about the internals of UAC and consent.exe, I'd appreciate reading it.

Thanks

Re: Windows 8.1 UAC Bypass

Posted: Tue Aug 26, 2014 2:47 am
by EP_X0FF
TurlaBoy wrote:
EP_X0FF wrote:If you want to bypass the UAC window, then hook/overwrite RtlQueryElevationFlags and return 0 in the flags.
I believe if I do this the process is not elevated. I've just found the solution to my problem: the Win8.1 PE loader works a little bit differently; I've changed a couple of things in my DLL and it worked :geek:

If you guys have any paper about the internals of UAC and consent.exe, I'd appreciate reading it.

Thanks
Yes, I told you: this patch only disables the UAC window, it does not bypass UAC itself.

Re: Windows 8.1 UAC Bypass

Posted: Thu Aug 28, 2014 1:51 pm
by EP_X0FF
Offense removed, thread cleanup.

Marqo09 - permanent ban. Second account simply deleted. Any others will be deleted too.

For the butthurt cretins from Twitter: you are not welcome here. Sell your shi.. oh I mean super software somewhere else.

Closed.