A forum for reverse engineering, OS internals and malware analysis 

 #24726  by EP_X0FF
 Tue Dec 23, 2014 5:35 pm
kmd wrote:Am I correct that I can use other auto-elevated bins with this method? Also you missed my question about the Pitou dropper...
Why not, try it, specify a different auto-elevated executable as target instead of cliconfg. No, I won't share the Pitou dropper for the same reason I didn't share Gootkit back in April 2014 with this method: the persons with whom I work will be unhappy/I promised not to share as long as they do not tell me.
 #24727  by EP_X0FF
 Tue Dec 23, 2014 5:40 pm
n4cr wrote:@EP_X0FF

Yes, it was already mentioned in the following article http://ddilabs.blogspot.com/2014/05/shi ... t-uac.html (just checked, one has to be invited to read the blog post, but it is almost the same example as you posted).

And, it is not working with 10TP, simply because Sdbinst.exe in 10TP has to be run elevated (contrary to previous Windows versions). Anyway, I'm quite sure that there will be a few methods to defeat UAC before the Windows 10 launch (haven't checked whether https://github.com/MalwareTech/UACElevator works on it, though).

Regards,
Tio

OK, thanks for the 10 info. Sure, even with this ridiculous whitelist we can find other ways.
 #24728  by kmd
 Tue Dec 23, 2014 6:18 pm
n4cr wrote:And, it is not working with 10TP, simply because Sdbinst.exe in 10TP has to be run elevated (contrary to previous Windows versions). Anyway, I'm quite sure that there will be a few methods to defeat UAC before the Windows 10 launch (haven't checked whether https://github.com/MalwareTech/UACElevator works on it, though).
sdbinst manifest from 9901 (version resource: FileVersion 10.0.9901.0 (winmain_prs.141202-1718), FileDescription "Application Compatibility Database Installer"):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Copyright (c) Microsoft Corporation -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1"  xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" manifestVersion="1.0">
<assemblyIdentity
    version="5.1.0.0"
    processorArchitecture="x86"
    name="Microsoft-Windows-Application-Experience-SDBInst"
    type="win32"
/>
<description>Application Compatibility Database Installer</description>

<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
        <requestedPrivileges>
            <requestedExecutionLevel
                level="requireAdministrator"
                uiAccess="false"
            />
        </requestedPrivileges>
    </security>
</trustInfo>
<asmv3:application>
   <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
        <autoElevate>true</autoElevate>
   </asmv3:windowsSettings>
</asmv3:application>
</assembly>
sdbinst manifest from 8.1:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Copyright (c) Microsoft Corporation -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1"  xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" manifestVersion="1.0">
<assemblyIdentity
    version="5.1.0.0"
    processorArchitecture="x86"
    name="Microsoft-Windows-Application-Experience-SDBInst"
    type="win32"
/>
<description>Application Compatibility Database Installer</description>

<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
        <requestedPrivileges>
            <requestedExecutionLevel
                level="requireAdministrator"
                uiAccess="false"
            />
        </requestedPrivileges>
    </security>
</trustInfo>
<asmv3:application>
   <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
        <autoElevate>true</autoElevate>
   </asmv3:windowsSettings>
</asmv3:application>
</assembly>
They are the same, and if you launch sdbinst directly no UAC window is shown.
But the method isn't working, either because this shim isn't supported or because TP10 is bugged as shit, which is more likely.
 #24730  by r3shl4k1sh
 Tue Dec 23, 2014 7:48 pm
Just read the Microsoft description about the shim and found an interesting quote:
Application redirected to the shim prior to calling Windows, the code that runs inside a shim still sits outside Windows. Consequently, Windows holds shim code to the same security restrictions as the application code itself. In fact, to Windows, the shim code appears to be application code. As a result, you cannot use shims to bypass any security mechanisms present in Windows. For example, no shim is available to bypass the Windows 7 User Account Control (UAC) prompts while still running the application with elevated permissions.
I still don't know whether the Gootkit method of bypassing UAC is derived from the shim it creates or from the auto-elevated process(es) it runs, but still it is nice to see that Microsoft thought about it... ;)

EDIT:
If you want to learn more about the shim and how to create one (with a tool) read here:
http://blogs.technet.com/b/askperf/arch ... stuff.aspx

It is unbelievable how simple the Gootkit method is.

As for the source provided, it seems like you should unregister the pe386.sdb after you are done testing (sdbinst.exe -u FILE_PATH).
 #24731  by t4L
 Wed Dec 24, 2014 3:30 am
Off topic, but these lines:
#ifdef _DEBUG
   wsprintfW(szShimDbPath, L"Z:\\MAKEEXE\\shim_gootkit\\huy32.sdb");
#else
   wsprintfW(szShimDbPath, L"%wspe386.sdb", szTempDirectory);
#endif
remind me of Rustock and phide_ex old times..
 #24732  by EP_X0FF
 Wed Dec 24, 2014 4:43 am
r3shl4k1sh wrote:I still don't know whether the Gootkit method of bypassing UAC is derived from the shim it creates or from the auto-elevated process(es) it runs, but still it is nice to see that Microsoft thought about it...
This statement from MS is actually somewhat valid for Windows Vista, the time when it was written. But what happened next ->

[image]
r3shl4k1sh wrote:As for the source provided, it seems like you should unregister the pe386.sdb after you are done testing (sdbinst.exe -u FILE_PATH).
This was left as intended. We used ACT 5.6 to check the generated database structure (and remove generated shims), and the shim patch seems to rely on the database GUID rather than the name.
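A defender-side check for the artefacts a shim test like the one above leaves behind (the pe386.sdb that should be unregistered, which sdbinst records by GUID). This is an added example, not code from the thread or from UACMe; the registry layout it reads is an assumption taken from public documentation, the review function runs anywhere on exported values, and only the registry read itself is Windows-only.

```python
import sys
from datetime import datetime, timedelta, timezone

# Registry layout sdbinst.exe writes under HKLM (assumed from public documentation, not from the thread):
#   AppCompatFlags\InstalledSDB\{GUID}  -> DatabasePath, DatabaseDescription, DatabaseInstallTimeStamp (FILETIME)
#   AppCompatFlags\Custom\<exe name>    -> one value named {GUID}.sdb per database attached to that executable
APPCOMPAT = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"

def filetime_to_iso(ft: int) -> str:
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return (datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)).isoformat()

def review_shim_databases(installed: dict, custom: dict) -> list:
    """installed: {guid: {value name: value}}; custom: {exe name: [guid, ...]}.
    Returns one record per database with the executables it is attached to, oldest first,
    so each entry can be matched against something expected (or removed with sdbinst.exe -u)."""
    attached = {}
    for exe, guids in custom.items():
        for guid in guids:
            attached.setdefault(guid.lower(), []).append(exe)
    records = [{
        "guid": guid,
        "description": values.get("DatabaseDescription", ""),
        "path": values.get("DatabasePath", ""),
        "installed": filetime_to_iso(int(values.get("DatabaseInstallTimeStamp", 0))),
        "targets": sorted(attached.get(guid.lower(), [])),
    } for guid, values in installed.items()]
    return sorted(records, key=lambda r: r["installed"])

def read_from_registry():
    """Windows only: build the two dicts above from HKLM with winreg; a missing key means no custom databases."""
    import winreg
    def subkeys(path):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as k:
                return [winreg.EnumKey(k, i) for i in range(winreg.QueryInfoKey(k)[0])]
        except OSError:
            return []
    def values(path):
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as k:
            return dict(winreg.EnumValue(k, i)[:2] for i in range(winreg.QueryInfoKey(k)[1]))
    installed = {g: values(APPCOMPAT + "\\InstalledSDB\\" + g) for g in subkeys(APPCOMPAT + "\\InstalledSDB")}
    custom = {exe: [n[:-4] for n in values(APPCOMPAT + "\\Custom\\" + exe) if n.lower().endswith(".sdb")]
              for exe in subkeys(APPCOMPAT + "\\Custom")}
    return installed, custom

if __name__ == "__main__" and sys.platform == "win32":
    for rec in review_shim_databases(*read_from_registry()):
        print(rec["installed"], rec["description"], rec["targets"], rec["path"])
```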
 #24742  by EP_X0FF
 Thu Dec 25, 2014 12:07 pm
WawaSeb wrote:Here is another paper about "bypassing UAC" : http://www.greyhathacker.net/?p=796
An out-of-date and incompetent copy-paste "article" by yet another "security expert".

Main idea comes from http://download.pureftpd.org/pub/misc/UAC.cpp copyrighted copy-paste work made by well known <color>hat (currently) Peter Kleissner. His main addition to the original Leo Davidson work was adding ridiculous comments in the code, for example this
This was reported to Microsoft multiple times (months ago) and they are too lame to fix injection to explorer.exe.
I've followed the responsible disclosure guidelines, no need to get angry on me. TDL4 is using the bypass for 64-bit already.
(Wow, wow take it easy, explorer injection wow, reported to Microsoft, wow, they are too lame lol, no need to get angry on me <- OK Also I like this part when he looks for explorer.exe)
   // Step 1: find explorer.exe process we can inject to (to-do: maybe using some other process?)
    DWORD Processes[1024], BytesReturned;

    if (!EnumProcesses(Processes, sizeof(Processes), &BytesReturned))
        return 0;
    
    HANDLE TargetProcess = NULL;

    for (unsigned i = 0; i < BytesReturned / 4; i++)
    {
        if (Processes[i] != 0)
        {
            TargetProcess = OpenProcess(/*PROCESS_QUERY_INFORMATION | PROCESS_VM_READ*/PROCESS_ALL_ACCESS, FALSE, Processes[i]);

            // Get the process name.
            if (TargetProcess)
            {
                HMODULE hMod;
                DWORD cbNeeded;
        
                if (EnumProcessModules(TargetProcess, &hMod, sizeof(hMod),  &cbNeeded) )
                {
                    wchar_t ProcessName[MAX_PATH];
                    GetModuleBaseName(TargetProcess, hMod, ProcessName,   sizeof(ProcessName)/sizeof(TCHAR) );
                    
                    if (_wcsicmp(ProcessName, L"explorer.exe") == 0)
                        break;
                }

                CloseHandle(TargetProcess);
                TargetProcess = NULL;
            }
        }
    }
(Quite incompetent BTW. What else would you expect from him? Well, he did the same with his own private TDL4 copy-paste clone he was trying to sell a few years ago)

+ he optimized shellcode data write stage, doing it in single VirtualAllocEx/WriteProcessMemory.

Well, let's get back to the story. The same sysprep/cryptbase code was next copied into Carberp (you can find it there, as Carberp has been open-source since last year).

What is left in this article? A lot of stupid conclusions and an incomplete, simply broken list of autoelevated apps (what is so fucking hard about doing a strings search for <autoElevate>true</autoElevate> over the Windows directory?).

Another reinventing of the wheel for the sysprep trick, which is so popular that it is used not only by malware but, as I heard, by some legitimate software too.
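One way to do the strings search mentioned above in a slightly more structured form, for inventorying which binaries on a given build carry an auto-elevating manifest (the sdbinst manifests posted earlier in the thread are exactly what it reads). This is an added example, not code from the thread, UACMe or the article discussed; SAMPLE_MANIFEST is a constructed copy of the sdbinst manifest quoted above, and the default scan root (%SystemRoot%) is an assumption.

```python
import os
import re
import xml.etree.ElementTree as ET

MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly>", re.DOTALL)  # RT_MANIFEST is stored as plain XML
# Constructed sample: the sdbinst.exe manifest quoted in the thread, with the comment line dropped.
SAMPLE_MANIFEST = b"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo>
<asmv3:application><asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
<autoElevate>true</autoElevate></asmv3:windowsSettings></asmv3:application></assembly>"""

def manifest_flags(data: bytes):
    """Return {"level", "uiAccess", "autoElevate"} from the first manifest in data, or None."""
    m = MANIFEST_RE.search(data)
    if not m:
        return None
    try:
        root = ET.fromstring(m.group(0))
    except ET.ParseError:
        return None
    flags = {"level": None, "uiAccess": None, "autoElevate": False}
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1]  # ignore the namespace (asm.v2/v3, WindowsSettings)
        if name == "requestedExecutionLevel":
            flags["level"], flags["uiAccess"] = el.get("level"), el.get("uiAccess")
        elif name == "autoElevate" and (el.text or "").strip().lower() == "true":
            flags["autoElevate"] = True
    return flags

def scan_auto_elevate(root=None):
    """Walk root (default %SystemRoot%, an assumption); return (path, level) per auto-elevating PE."""
    hits = []
    for dirpath, _, files in os.walk(root or os.environ.get("SystemRoot", r"C:\Windows")):
        for name in files:
            if not name.lower().endswith((".exe", ".dll")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    flags = manifest_flags(f.read())
            except OSError:  # locked or unreadable file, skip it
                continue
            if flags and flags["autoElevate"]:
                hits.append((path, flags["level"]))
    return hits

if __name__ == "__main__":
    for path, level in scan_auto_elevate():
        print(level, path)
```

Comparing the output of two builds (as kmd did by hand for 8.1 and 9901) shows which entries a given release added or removed from the whitelist.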
 #24748  by WawaSeb
 Thu Dec 25, 2014 3:29 pm
Hello EP_X0FF,

Thanks for your feedback.
It's not so easy to spot what's really new in this field, especially for newbies.
:)

Do you have any way to detect those "copy-paste" without already having the required knowledge ?
This forum could do the job but we can't paste every link waiting for your conclusions.

Keep posting and have a nice day.

Best regards,
 #24749  by EP_X0FF
 Thu Dec 25, 2014 3:51 pm
All the UAC bypass methods available divide into 4 groups:

The first group is everything based on the original Leo Davidson work; if you see anything related to sysprep and IFileOperation, then you can be 100% sure it is copy-paste from his articles. Just a brief look at the source is enough. They can change the shellcode, coding language, or target dll names, but the method itself is still the same. For example, the Pitou method reconstructed in UACMe is a derivative of the original, using a different auto-elevate process target but the same implementation. The original implementation is from 2009, even before the Windows 7 RTM release. This is a conceptual UAC flaw added after the Vista failure.

The second group is passive UAC bypass methods: the user is forced (social-engineered) to run a legal program which requires elevation, and malicious code runs in the context of this program. The malware itself can also initiate this process. An example of this method is the Sirefef installer. Once loaded, it extracts and runs the legitimate Adobe Flash installer, which is abused by dll hijacking so Sirefef code will execute in the context of this program, which the user will likely allow because Adobe looks like a trusted publisher and its certificate is OK. Another example in this group is RunDll32 abuse.

The third group is not widely known methods and known/unknown privilege escalation exploits. Examples: the Windows Shim and EnableEUDC exploits.

The fourth group is the lulz group. Examples: from GUI hacking to running the malware app in a cycle of elevation just to drive the user crazy until they finally press Yes in the UAC window. Quite popular on various skid forums with numbers of "crypters" sellers, hackforums etc.