This is a PoC for bypassing UAC using DLL hijacking and abusing the "Trusted Directories" verification.

Overview

UAC bypass - DLL hijacking

Description

This is a PoC for bypassing UAC using DLL hijacking and abusing the "Trusted Directories" verification.

Summary

Generate Header from CSV

The python script CsvToHeader.py can be used to generate a header file. By default it will use the CSV file dll_hijacking_candidates.csv that can be found here: dll_hijacking_candidates.csv.

The script will check for each portable executable(PE) the following condition:

  • If the PE exists in the file system.
  • In the manifest of the PE, if the requestedExecutionLevel is set to one of the following values:
    • asInvoker
    • highestAvailable
    • requireAdministrator
  • In the manifest if the autoElevate is set to true:
    <autoElevate>true</autoElevate>
  • If the user specified the -c argument, the script will check if the DLL to hijack is in the list of DLLs imported form PE table.

Arguments

> python .\CsvToHeader.py -h
usage: CsvToHeader.py -f [DLL_PATH] -c

CsvToHeader can be used to generate a header file from a CSV.

optional arguments:
  -h, --help      show this help message and exit
  -f  [DLL_PATH]  Path of the csv to convert (default="dll_hijacking_candidates.csv")
  -c              Enable import dll in PE (default=False)
  -v, --version   Show program's version number and exit

To generate the header file you can use the following command:

python CsvToHeader.py > dll_hijacking_candidates.h

Generate the list of vulnerable PE and DLL

The files that will be used are DLLHijacking.exe and test.dll.

DLLHijacking.exe

DLLHijacking.exe is the file that will be used to generate the list of vulnerable PE. It will perform the following steps:

  1. CreateFakeDirectory

    Function that create a directory in C:\windows \system32.

  2. Copy Files in the new directory

    • from C:\windows\system32\[TARGET.EXE] to C:\windows \system32\[TARGET.EXE]
    • from [CUSTOM_DLL_PATH] to C:\windows \system32\[TARGET.DLL]
  3. Trigger

    Run the executable from C:\windows \system32\[TARGET.EXE]

  4. CleanUpFakeDirectory

    Function that delete the directory created in step 1 and files from step 2.

  5. CheckExploit

    Check the content of the file C:\ProgramData\exploit.txt to see if the exploit was successful.

Log file

DLLHijacking.exe will always generate a log file exploitable.log with the following content:

  • 0 or 1 to indicates whether the exploit was able to bypass the UAC.
  • The executable name
  • The dll name

E.g.

1,computerdefaults.exe,PROPSYS.dll
0,computerdefaults.exe,Secur32.dll

Execution

Command to run:

DLLHijacking.exe [DLL_PATH]

if no argument is passed, the script will use the DLL test.dll which is stored in the resouce of DLLHijacking.exe.

Result

Tested on Windows 10 Pro (10.0.19043 N/A Build 19043).

ExploitResult

test.dll

test.dll is a simple dynamic library that will be use to see if the exploit is successfully. The DLL will create a file C:\ProgramData\exploit.txt with the following content:

  • 0 or 1 to indicates whether the exploit was able to bypass the UAC.
  • The executable name
  • The DLL name

This file will be deleted once the exploit is complete.

Sources:

Legal Disclaimer:

This project is made for educational and ethical testing purposes only. Usage of this software for attacking targets without prior mutual consent is illegal. 
It is the end user's responsibility to obey all applicable local, state and federal laws. 
Developers assume no liability and are not responsible for any misuse or damage caused by this program.
Issues
  • the uac bypass can be used now?

    the uac bypass can be used now?

    I had test the uac bypass though the uacbypass'author(https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e),but I can't execute the execute which in "C:\window \system32 "folder(although I can copy file to this folder) so I think that the uac bypass had fixed.

    I wondered if your way can use now? Thanks!

    opened by GUANCAIBAN 4
Releases(0.0.0.2)
Bypass UAC at any level by abusing the Program Compatibility Assistant with RPC, WDI, and more Windows components

ByeIntegrity 8.0 The eighth Windows privilege escalation attack in the ByeIntegrity family. ByeIntegrity 8.0 is the most complex one I've created so f

Arush Agarampur 213 Jun 27, 2022
Simple one file header for hijacking windows version.dll for desired executable to do 3rd party modifying without dll injection.

Version-Hijack Simple one file header for hijacking windows version.dll for desired executable to do 3rd party modifying without dll injection. Usage

sneakyevil 5 Mar 31, 2022
An example of COM hijacking using a proxy DLL.

COM-Hijacking An example of COM hijacking using a proxy DLL. Demo using getmac/wbemprox.dll In this demo, we use the fact that the getmac.exe command

Solomon Sklash 13 Jun 4, 2022
Evasive shellcode loader for bypassing event-based injection detection (PoC)

(cleaned up version here: https://github.com/xinbailu/DripLoader-Ops) DripLoader (PoC) Evasive shellcode loader for bypassing event-based injection de

Filip Olszak 504 Jul 3, 2022
Evasive shellcode loader for bypassing event-based injection detection (PoC)

DripLoader (PoC) Evasive shellcode loader for bypassing event-based injection detection, without necessarily suppressing event collection. The project

Filip Olszak 504 Jul 3, 2022
DLL Hooker using DLL Redirection

DLLHooker DLL Hooker using DLL Redirection. Development Environment IDE: Visual Studio 2019 Demonstration References [1] https://www.exploit-db.com/do

Jack Ren 1 Jan 21, 2022
Shared to msvcrt.dll or ucrtbase.dll and optimize the C/C++ application file size.

VC-LTL - An elegant way to compile lighter binaries. 简体中文 I would like to turn into a stone bridge, go through 500 years of wind, 500 years of Sun, ra

Chuyu Team 180 Jun 23, 2022
Collection of DLL function export forwards for DLL export function proxying

dll-exports Collection of DLL function export forwards for DLL export function proxying. Typical usecase is for backdooring applications for persisten

Magnus Stubman 34 Jun 26, 2022
A method from GH on how to stream a dll without touching disk, TAGS: fortnite cheat fortnite injector dll injector

dll-encryptor People who make pay hacks typically have down syndrome and are incapable of using their brains in any fashion, and yet these bath salt s

Micca 2 Nov 24, 2021
Cobalt Strike beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving

Beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving "cmd.exe" by using DCOM object.

Chris Au 75 Jun 15, 2022
A UAC bypass written in powershell

Powershell UAC bypass Originally discovered by Daniel Gebert Table of Contents Deployment Explanations What is UAC? DLL Hijacking Mock Directories Aut

Matt 3 Sep 28, 2021
UAC - Cheat developer platform

UAC UAC - Cheat developer platform A long time ago there was an idea to implement my own anti-cheat that would help me in detecting my shortcomings in

Artemiy 21 May 25, 2022
An open-source replacement for Windows UAC

Custom UAC What is it It is an open source replacement of UAC. It was a successor of my previous project UAC Renderer. As the functionalities and usag

null 3 Mar 6, 2022
A collection of DLLs that use search order hijacking to automatically inject specified DLLs.

?? Koaloader ?? A collection of DLLs that use search order hijacking to automatically inject specified DLLs. ?? Usage Simply place one of the proxy dl

null 28 Jun 25, 2022
TartarusGate, Bypassing EDRs

Tartarus' Gate - Bypassing EDRs Description Hell's Gate evolved to Halo's Gate to bypass EDRs by unhooking some of them and now it turned to Tartarus'

Thanasis Tserpelis 202 Jun 23, 2022
RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc

Introduction RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc. In order to bypass the user-mode hooks,

Halil Dalabasmaz 354 Jun 25, 2022
EasyAntiCheat bypassing driver

EasyEACBypass EasyAntiCheat bypassing driver (23/01/2022) KernelMode driver with some parts not included so no pasta! Includes This driver includes a

0xfaer 23 Jun 17, 2022
Inject a DLL into any program using this C++ program

DLL-Injection-Cpp Inject a DLL into any process using this C++ program Installation Go into a folder and open up Command Prompt. In command prompt run

n0 4 Apr 25, 2022
EarlyBird: a poc of using the tech with syscalls on powershell.exe

EarlyBird: a poc of using the tech with syscalls on powershell.exe injecting cobalt strike shellcode to powershell.exe using EarlyBird Tech USAGE: fir

null 47 Jan 22, 2022