Bypass UAC at any level by abusing the Program Compatibility Assistant with RPC, WDI, and more Windows components

Overview

ByeIntegrity 8.0

The eighth Windows privilege escalation attack in the ByeIntegrity family. ByeIntegrity 8.0 is the most complex one I've created so far; however, because of its complexity, it's able to reveal and exploit hidden design and security flaws in the operating system. After all, it even works when UAC is set to its maximum security level — AlwaysNotify.

Attack overview

Just like every other ByeIntegrity attack, ByeIntegrity 8.0 needs to be run under an account with administrator privileges. ByeIntegrity 8.0 relies on the Task Scheduler to start the WDI ResolutionHost task. The task is started with an elevated token of the current user that the task scheduler creates. The task proceeds to read parameters from the WDI host and reads from the registry to figure out where to load the requested diagnostic module. These module paths are stored in the registry with the form %WinDir%\System32\.... ByeIntegrity 8.0 sets a custom WinDir environment variable to load its own payload module into the ResolutionHost task, which then launches any program inheriting the full administrative privileges.

How it works

The majority of the ByeIntegrity 8.0 attack is getting the WDI ResolutionHost started. This task is triggered to start via an ETW event. There are many services which write events to trigger the task (Windows Resource Exhaustion, Corrupted File Recovery, etc.).

The Program Compatibility Assistant (PCA) is part of Windows's Application Experience, and will automatically monitor processes for problematic behaviors and attempt to resolve them. It is implemented as a service, PcaSvc, and in a set of libraries, apphelp.dll, being one of them. apphelp.dll will hook certain WinAPI functions depending on what genome (Application type: Win7RTM, WinBlueRTM, etc.) PcaSvc decides the process contains. apphelp.dll intercepts the function calls and reports back any possible results to PcaSvc via writing ETW events. PcaSvc inspects the event information, and if it matches a threshold, PcaSvc will attempt to start the Program Compatibility Assistant Troubleshooter. This is implemented as a diagnostic module (DM), and it is loaded via the WDI ResolutionHost task. PcaSvc starts this task with its parameters by triggering it via the PCA's "start diagnostics" ETW event write. (If you're thinking of simply writing this ETW event manually to launch the DM, you'll be greeted with an Access is denied error.)

ByeIntegrity 8.0 creates this sequence of events in a controlled, exploitable manner. On Windows 8+, only processes launched from Windows Explorer are monitored PcaSvc, as explorer calls pcacli!PcaMonitorProcess to tell PcaSvc to start monitoring the process for events. ByeIntegrity 8.0 uses RPC to talk directly to PcaSvc to tell it to monitor the "trigger" process ByeIntegrity 8.0 launches. Talking directly via RPC to PcaSvc is better, faster, more controlled, and it also allows ByeIntegrity 8.0 to also bypass a policy that can disable the PCA if it is set. The "trigger" process writes two ETW events that apphelp.dll would usually write if it detects a program is displaying an error message box about running on an incorrect version of Windows.

On Windows 7, a different method is used. If the PCA detects an unhandled exception that occurs during a user callback, it will attempt to launch the DM. PcaSvc monitors all processes launched, nothing is required from explorer here. If such an exception is caught, PcaSvc will launch the DM. The function that Windows 7's PcaSvc uses to handle detection of an unhandled callback exception is actually an RPC function that PcaSvc calls from itself. ByeIntegrity 8.0 once again uses RPC to call this function remotely, triggering the launch of the DM manually.

Once the DM is launched, it loads the ByeIntegrity 8.0 Pca Payload. This payload acts as a WDI diagnostic module. When loaded, it creates the requested process as a child of the WDI ResolutionHost task executable (taskhostw.exe). The payload needs to export a few WDI functions in order to function properly. These functions initialize the WDI diagnostics instance (PCA diagnostics in this case) and then flush the diagnostics queue so that ByeIntegrity 8.0 can be run multiple times and so that the PCA does not re-launch the DM multiple times because of the diagnostic instance still being in the queue. Finally, the task is stopped and after cleanup, the whole process can be repeated again.

Attack schema + Windows Defender bypass

Evident from the above, this is a pretty complex attack that abuses many things:

  • Program Compatibility Assistant
  • Poor Windows Defender design
  • Environment variables
  • Task Scheduler
  • DLL Hijack
  • ETW
  • RPC
  • WDI
Complete attack diagram

Windows Defender was discovered to be a small annoyance while developing this attack. Windows Defender's filter driver catches the creation of a rouge WinDir value in the HKCU\Environment key. If caught, Windows Defender will eventually kill the offending process. The problem is there is a huge delay after the notification from the filter driver and the action taken by Windows Defender. Every time, Windows Defender completely misses the attack. In order to bypass even detection by Windows Defender, ByeIntegrity 8.0 renames the HKCU\Environment key a random name, creates WinDir in the fake key, then renames it back to HKCU\Environment. And Windows Defender doesn’t even notice a thing. Credit for this trick — @hfiref0x — who discovered it while working on UACMe method integration.

UACMe

ByeIntegrity 8.0 is implemented in UACMe as method number 69. Implementations are the exact same except UACMe uses only NdrClientCall2 for RPC calls, and does not use the custom RpcBindingSetOption() that ByeIntegrity 8.0 uses. These two differences don't change anything about the attack.

Using the code

If you’re reading this then you probably know how to compile the source. Just note that this hasn’t been tested or designed with x86 in mind at all, and it probably won’t work on x86 anyways.

Just like UACMe, I will never upload compiled binaries to this repo. There are always people who want the world to crash and burn, and I'm not going to provide an easy route for them to run this on somebody else's computer and cause intentional damage. I also don't want script-kiddies to use this attack without understanding what it does and the damage it can cause.

Supported versions

ByeIntegrity 8.0 works from Windows 7 until the latest version of Windows.

You might also like...
Blumentals Program Protector v4.x protection bypass.
Blumentals Program Protector v4.x protection bypass.

cphookLoader64 A Blumentals Program Protector v4.x protection bypass implemented as a memory loader. Screenshot & demo cphookloader64demo.mp4 Overview

Yet another alarm (control) panel for Home Assistant.
Yet another alarm (control) panel for Home Assistant.

HASS-YAAP Yet another alarm (control) panel for Home Assistant. Change alarm system mode (away, home, night, disarmed) Welcome people arriving by thei

Automated hydroponics with Home Assistant & ESP8266 controllers
Automated hydroponics with Home Assistant & ESP8266 controllers

ESPonics Automated hydroponics with ESP8266 microcontrollers & Home Assistant I absolutely want to credit Reddit user u/ghoofman for both the inspirat

A hacky e-ink display for Home Assistant sensors
A hacky e-ink display for Home Assistant sensors

This is a hacky PlatformIO project in which Home Assistant data is displayed in an e-ink display. Useful Links Display Hardware on Tindie Official Git

Home Assistant E-Ink Dashboard on the Inkplate 10
Home Assistant E-Ink Dashboard on the Inkplate 10

HomePlate Home Assistant E-Ink Dashboard on the Inkplate 10 Features Display Home Assistant dashboards on a beautiful e-ink display Display WiFi QR Co

Kernel source for j7y17lte - the goal is to make it as closest to linux-stable sources as possible without breaking OneUI compatibility.

Linux kernel release 3.x http://kernel.org/ These are the release notes for Linux version 3. Read them carefully, as they tell you what this is al

A water tank level sensor **Built With WisBlock** to detect overflow and low level conditions.
A water tank level sensor **Built With WisBlock** to detect overflow and low level conditions.

RAK12014 Laser TOF sensor coming soon WisBlock Watertank Level Sensor Watertank Overflow detection using the RAKwireless WisBlock modules. It implemen

High-level interface for low-level programming

Singeli Singeli is now able to compile useful programs to C, but it's very rough around the edges, with poor error reporting. We are beginning to use

3D scanning is becoming more and more ubiquitous.

Welcome to the MeshLib! 3D scanning is becoming more and more ubiquitous. Robotic automation, self-driving cars and multitude of other industrial, med

Comments
  • I'm fucked..

    I'm fucked..

    Ayo g what's cracking. Me and a friend are using BI8 for a "school project" and while i had it in my computer it somehow created a "panther" folder inside the folder i had it and now my WD is erased, i cant open task manager or regedit and bassically im fucked.. how do i remove it and stop it?

    opened by MYKO133 3
Owner
Arush Agarampur
High schooler — I enjoy Windows internals, low-level development, reverse engineering, and security
Arush Agarampur
Compatibility tool for Steam Play based on Wine and additional components

Introduction Proton is a tool for use with the Steam client which allows games which are exclusive to Windows to run on the Linux operating system. It

Valve Software 19.1k Dec 30, 2022
Cobalt Strike beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving

Beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving "cmd.exe" by using DCOM object.

Chris Au 91 Dec 28, 2022
A UAC bypass written in powershell

Powershell UAC bypass Originally discovered by Daniel Gebert Table of Contents Deployment Explanations What is UAC? DLL Hijacking Mock Directories Aut

Matt 3 Sep 28, 2021
New lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking code execution.

BOF - Lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking ServiceMove is a POC code for an interestin

Chris Au 190 Nov 14, 2022
ScriptHook Bypass For Fivem / bypass hardware ID For nvdia only

Fivem-Bypass ScriptHook Bypass For Fivem / bypass hardware ID For nvdia only Not Working? Run as admin and disable your antivirus. How to use 1. Put y

Sarnax 38 Dec 25, 2022
An open-source replacement for Windows UAC

Custom UAC What is it It is an open source replacement of UAC. It was a successor of my previous project UAC Renderer. As the functionalities and usag

null 4 Dec 1, 2022
NavMeshComponents - High Level API Components for Runtime NavMesh Building

Status of the project Development This project is now developed as part of the AI Navigation package. Please add that package to your project in order

Unity Technologies 2.7k Jan 8, 2023
Phan Sang 17 Dec 29, 2022
UAC - Cheat developer platform

UAC UAC - Cheat developer platform A long time ago there was an idea to implement my own anti-cheat that would help me in detecting my shortcomings in

Artemiy 22 Nov 21, 2022
Inject a DLL into any program using this C++ program

DLL-Injection-Cpp Inject a DLL into any process using this C++ program Installation Go into a folder and open up Command Prompt. In command prompt run

n0 5 Sep 12, 2022