UAC bypass ideas (not finished)

What is UAC?

UAC flow after a program starts (the flowchart from the original page is not included):

If UAC is turned off, the program runs with full privileges.

Privilege constants:

Reference: https://msdn.microsoft.com/en-us/library/windows/desktop/bb530716%28v=vs.85%29.aspx?f=255&mspperror=-2147217396

If UAC is enabled and the program requires elevation, or is run as administrator, the system starts the consent.exe process.

When UAC is turned on, UAC virtualization is enabled even if the user answers No at the prompt:
1. With UAC virtualization, the application's writes are redirected to a different location. The user can still use the program, but the data written by the application does not take effect in the real system, which prevents a virus from destroying or infecting core system files.
2. Virtualization also improves program compatibility: as mentioned above, UAC redirects the program's file and registry writes into a special location.

When UAC is triggered:

1. UAC is triggered only when a program attempts to affect the operation of the system.
2. Most elevation requests are triggered by the programmer's own request for elevation, in order to perform the operations covered by the privilege constants mentioned above.
3. Only in a few cases does the system itself trigger UAC, for example when installing services.

Summary of UAC bypass methods:

1. Bypass using scheduled tasks.

2. Path spoofing.

3. The whitelist mechanism.

Keywords:

"Using the NetUserGetInfo interface, from these two aspects: 1) start a process with high privileges as another user; 2) obtain other users' registry and user directory. I don't know specifically how to do this; could an expert please explain."

Inject a DLL into explorer.exe to start your own program

"Counterfeit Tokens"

WUSA.exe

Reference: http://net.zol.com.cn/402/4020871_all.html#p4021155

On September 24, at SyScan, Asia's leading security technology summit, Instruder gave a talk on the security issues behind UAC. It presented a way to run a program directly under the current user's rights while bypassing the UAC prompt; the technique can modify startup items, release files into the system directory and perform other operations, all without the user being aware of it. The method takes advantage of the operating system's own update program, WUSA.EXE, to extract files; this process does not trigger UAC, so the UAC restriction can easily be broken with it.

Reference: http://blog.sina.com.cn/s/blog_454378100100xu05.html

Double-clicking to run it shows the usage:

Use WUSA.EXE to extract an MSU file and see whether it succeeds. The experiment is as follows: copy an MSU file to the D:\TEMP directory, then in CMD switch to C:\windows\syswow64 and run wusa.exe d:\temp\msu.msu /extract:d:\temp. A progress bar flashes by quickly; then look in the D:\TEMP directory to see what happened.

The files were extracted successfully. Good; the next step is to change the extraction directory and extract directly into the Windows system directory to see how it behaves: run wusa.exe d:\temp\msu.msu /extract:c:\Windows

The result is ideal: extraction succeeds and no UAC prompt is triggered.

At this point one can think about the evil uses, such as releasing a Trojan's DLL-hijacking files into the system directory this way: it will not trigger a UAC prompt, and the Trojan or virus would then start at boot. Continuing the experiment, the current line of thinking seems fine; the next thing to consider is the MSU file itself, which carries a Microsoft digital signature.

We can check this by destroying the digital signature: use a hex editor to add a few bytes to the MSU file. After cleaning up the previously extracted files, run the extraction again and look at the result: again very ideal.

Whitelist mechanism:

The basic process by which User Account Control protects privileges can be seen when a program is run with administrator privileges: before User Account Control asks the user for elevation, it first queries the local system whitelist to decide whether to allow the elevation directly. The whitelist mechanism is therefore an important part of User Account Control. User Account Control restricts programs from running with elevated permissions, but the mechanism also affects the system itself, and Microsoft did not want the system's own programs to prompt the user every time they run, since they are considered safe. As a result, Microsoft added a whitelist mechanism to UAC: a list is recorded in the system, and system programs on that list are allowed to elevate directly to administrator privileges without restriction. There are many whitelisted programs in the system; msconfig, taskmgr, perfmon, cleanmgr and so on are commonly used ones.

Direct elevation:

The most common method of exploiting a system program is to use the system's dynamic DLL loading. The system keeps a KnownDLLs list; when a program needs to dynamically load a DLL, it looks in this list first and, if the DLL is found there, loads it from the corresponding path. If it is not found, the current directory and then the System32 directory are searched, in that order. So if one can find a DLL that a program loads dynamically that is not in KnownDLLs but is under System32, a corresponding DLL can be forged to make that program perform the required operations.
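The lookup order just described can be turned into an audit: for each DLL a whitelisted program loads, decide where it resolves from and flag the ones that a file planted beside the executable would shadow. The following is an added example written for these notes, not code from the original page. It works on constructed in-memory directory listings rather than a live filesystem, and the KnownDlls set is a constructed partial sample, not the real list.

```python
"""Audit which dynamically loaded DLLs of a program could be shadowed.

Added example (not from the original notes). It applies the lookup order the
notes describe: KnownDlls first, then the program's own directory, then
System32. A DLL that is not in KnownDlls and normally lives in System32 is the
exposure the notes point at; a copy of that DLL already sitting in the program
directory is what an investigator wants flagged. All inputs are constructed
in-memory listings; the KnownDlls sample is partial and constructed.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Resolution:
    dll: str
    source: str        # "KnownDlls", "program_dir", "System32" or "not_found"
    shadowable: bool   # normally comes from System32 but program_dir is searched first
    shadowed: bool     # a copy in program_dir currently wins over System32


def resolve_dll(dll: str, known_dlls: set[str], program_dir: set[str], system32: set[str]) -> Resolution:
    """Apply the search order from the notes to one DLL name (case-insensitive)."""
    name = dll.lower()
    if name in known_dlls:
        return Resolution(name, "KnownDlls", shadowable=False, shadowed=False)
    in_system32 = name in system32
    if name in program_dir:
        # The program directory is searched before System32, so a local copy wins.
        return Resolution(name, "program_dir", shadowable=in_system32, shadowed=in_system32)
    if in_system32:
        return Resolution(name, "System32", shadowable=True, shadowed=False)
    return Resolution(name, "not_found", shadowable=False, shadowed=False)


def audit_program(imports, known_dlls, program_dir, system32) -> dict[str, list[str]]:
    """Group the program's imports into exposure buckets for reporting."""
    report: dict[str, list[str]] = {"exposed": [], "shadowed": [], "safe": []}
    kd = {k.lower() for k in known_dlls}
    pd = {p.lower() for p in program_dir}
    s32 = {s.lower() for s in system32}
    for dll in imports:
        r = resolve_dll(dll, kd, pd, s32)
        if r.shadowed:
            report["shadowed"].append(r.dll)
        elif r.shadowable:
            report["exposed"].append(r.dll)
        else:
            report["safe"].append(r.dll)
    return report


# Constructed sample: a whitelisted binary in its own folder, as in the notes.
SAMPLE_KNOWN_DLLS = {"kernel32.dll", "advapi32.dll", "ntdll.dll"}  # partial, constructed
SAMPLE_SYSTEM32 = {"kernel32.dll", "advapi32.dll", "ntdll.dll", "cryptbase.dll"}
SAMPLE_IMPORTS = ["kernel32.dll", "advapi32.dll", "cryptbase.dll"]


def clean_directory_report() -> dict[str, list[str]]:
    """Program directory contains no extra DLLs: cryptbase.dll is exposed but not shadowed."""
    return audit_program(SAMPLE_IMPORTS, SAMPLE_KNOWN_DLLS, set(), SAMPLE_SYSTEM32)


def planted_directory_report() -> dict[str, list[str]]:
    """Same program, but a cryptbase.dll now sits beside the executable."""
    return audit_program(SAMPLE_IMPORTS, SAMPLE_KNOWN_DLLS, {"cryptbase.dll"}, SAMPLE_SYSTEM32)


if __name__ == "__main__":
    print("clean   :", clean_directory_report())
    print("planted :", planted_directory_report())
```

The "exposed" bucket is the standing risk of the search order; the "shadowed" bucket is what a periodic check of whitelisted binaries' folders should alert on, since those folders normally contain no copies of System32 DLLs.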

Among all the whitelisted programs there is one, Sysprep.exe, located under system32\sysprep\, that dynamically loads a cryptbase.dll at startup. This DLL lives under System32, so Sysprep.exe fails to find it when looking in the current directory and then looks in the System32 directory. The attempt is to temporarily generate a fake cryptbase.dll and place it in the Sysprep folder, so that the fake cryptbase.dll is loaded when Sysprep.exe starts and performs the operations we need.

Figure: Sysprep.exe loading the fake cryptbase.dll.

Thread injection:

Whitelisted programs all live in the system directory, so copying the generated fake DLL into the program directory triggers UAC because of the permission issue, which defeats the purpose. A special method is therefore needed to copy the fake DLL into the system directory without triggering the system's permission control.

This step also requires a whitelisted system program; the explorer process was chosen. First a DLL is injected into the explorer process using the remote thread method, and then Explorer is used to copy CRYPTBASE.DLL to the specified directory, which UAC will not prompt for. When all operations are complete and Sysprep.exe is started, our DLL is loaded and the bypass succeeds. But the disadvantage of this method is also obvious: antivirus software has begun to pay attention to injection into the explorer process.
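Each of the three behaviours these notes walk through leaves a distinct trace that host telemetry can match: wusa.exe extracting into the Windows directory, sysprep.exe loading cryptbase.dll from its own folder instead of System32, and a remote thread created in explorer.exe from a non-system image. The following is an added example written for these notes, not code from the original page or from the talk it cites. The events are constructed Sysmon-style records (event IDs 1, 7 and 8 with Sysmon's field names), not captures from a real host, and the paths in them are illustrative.

```python
"""Detection rules for the UAC-bypass behaviours described in these notes.

Added example, not part of the original notes. Three rules run over a small
constructed list of Sysmon-style events (process creation, image load, remote
thread). Field names follow Sysmon's schema (Image, CommandLine, ImageLoaded,
SourceImage, TargetImage) and the event IDs are Sysmon's (1, 7, 8), but every
event below is constructed here, not captured from a real machine.
"""
from __future__ import annotations
import re

PROTECTED_DIRS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")
SYSTEM32 = r"c:\windows\system32"
WINDOWS_PREFIX = "c:\\windows\\"


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def rule_wusa_extract(ev: dict) -> str | None:
    """wusa.exe extracting an .msu into a protected directory (the notes show
    'wusa.exe ... /extract:c:\\windows' succeeding with no UAC dialog)."""
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) != "wusa.exe":
        return None
    m = re.search(r"/extract:\s*(\S+)", ev.get("CommandLine", ""), re.IGNORECASE)
    if not m:
        return None
    target = m.group(1).strip('"').lower()
    if any(target == d or target.startswith(d + "\\") for d in PROTECTED_DIRS):
        return f"wusa.exe /extract into protected path {target}"
    return None


def rule_sysprep_sideload(ev: dict) -> str | None:
    """sysprep.exe loading cryptbase.dll from anywhere but System32 (the fake
    cryptbase.dll placed in the sysprep folder in the notes)."""
    if ev.get("EventID") != 7 or _basename(ev.get("Image", "")) != "sysprep.exe":
        return None
    loaded = ev.get("ImageLoaded", "")
    if _basename(loaded) == "cryptbase.dll" and _dirname(loaded) != SYSTEM32:
        return f"sysprep.exe loaded cryptbase.dll from {_dirname(loaded)}"
    return None


def rule_explorer_remote_thread(ev: dict) -> str | None:
    """A remote thread created in explorer.exe by a source image outside the
    Windows directory (the injection step the notes describe)."""
    if ev.get("EventID") != 8 or _basename(ev.get("TargetImage", "")) != "explorer.exe":
        return None
    src = ev.get("SourceImage", "")
    if not _dirname(src).startswith(WINDOWS_PREFIX):
        return f"remote thread into explorer.exe from {src}"
    return None


RULES = (rule_wusa_extract, rule_sysprep_sideload, rule_explorer_remote_thread)


def scan(events) -> list[str]:
    """Run every rule over every event and collect the findings in order."""
    findings: list[str] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed events (not from a real machine); paths are illustrative.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\wusa.exe",
     "CommandLine": r"wusa.exe d:\temp\msu.msu /extract:d:\temp"},       # benign target
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\wusa.exe",
     "CommandLine": r"wusa.exe d:\temp\msu.msu /extract:c:\windows"},     # hit
    {"EventID": 7, "Image": r"C:\Windows\System32\sysprep\sysprep.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll"},                # normal load
    {"EventID": 7, "Image": r"C:\Windows\System32\sysprep\sysprep.exe",
     "ImageLoaded": r"C:\Windows\System32\sysprep\cryptbase.dll"},        # hit
    {"EventID": 8, "SourceImage": r"C:\Users\alice\Downloads\loader.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},                           # hit
]


def sample_findings() -> list[str]:
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in sample_findings():
        print("ALERT:", finding)
```

The wusa rule keys on the extraction target rather than on wusa.exe itself, since extracting to a user-writable folder is ordinary use; the sysprep rule keys on the load path, because the same DLL name loading from System32 is the normal case the notes describe.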
