Run elevated via rundll32.exe (NOTE: it is NOT a stealthy UAC bypass!)
/** | |
The role of this snippet is to force a user to elevate a process,
simply by flooding them with repetitive requests till they agree.
I do NOT recommend it as a UAC bypass technique as it is very noisy! | |
*/ | |
#include <stdio.h> | |
#include <Windows.h> | |
// Name of the mutex held by an elevated instance so that the unelevated
// launcher can detect it: created in main(), probed in is_elevated_running().
char mutex_name[sizeof "elev_mutex"] = "elev_mutex";
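/**
 * Ask the shell to start app_path with the "runas" verb (which raises the UAC
 * consent prompt), routing the launch through rundll32.exe / ShellExec_RunDLL.
 *
 * @param app_path  NUL-terminated path of the executable to launch. It is
 *                  embedded verbatim between double quotes in the rundll32
 *                  command line and is not escaped, so it must not contain '"'.
 * @return true only when ShellExecuteA reports success; false when the
 *         %SystemRoot% expansion fails or does not fit, when the command line
 *         cannot be formatted, or when the launch is refused (for example the
 *         user declined the prompt).
 */
bool RunElevated(char *app_path)
{
    char operation[] = "runas";

    // Resolve rundll32.exe under the real system directory rather than relying
    // on the search path. A zero return is failure; a return larger than the
    // buffer is the size that would have been required.
    char run_path[MAX_PATH] = { 0 };
    DWORD len = ExpandEnvironmentStringsA("%SystemRoot%\\system32\\rundll32.exe", run_path, MAX_PATH);
    if (len == 0 || len > MAX_PATH) {
        return false;
    }

    // Pass the buffer size explicitly; sprintf_s returns a negative value when
    // the text could not be written (and its invalid-parameter handler runs
    // first when the buffer is too small).
    char cmd[MAX_PATH * 2] = { 0 };
    int written = sprintf_s(cmd, sizeof cmd, "SHELL32.DLL,ShellExec_RunDLL \"%s\"", app_path);
    if (written < 0) {
        return false;
    }

    // ShellExecute returns an HINSTANCE only for historical reasons: values of
    // 32 or below are SE_ERR_* error codes, not handles. Comparing against NULL
    // would therefore report success even when the launch was refused.
    HINSTANCE hndl = ShellExecuteA(NULL, operation, run_path, cmd, NULL, SW_HIDE);
    return (INT_PTR)hndl > 32;
}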
/**
 * Report whether the token of the calling thread (NULL passed to
 * CheckTokenMembership) is a member of the built-in Administrators group.
 *
 * NOTE(review): group membership is not the same property as elevation; a
 * comment on this gist recommends testing the token integrity level instead.
 * Confirm which property the caller actually needs.
 *
 * @return TRUE when CheckTokenMembership confirms membership; FALSE when the
 *         group SID cannot be built, when the check itself fails, or when the
 *         token is not a member.
 */
BOOL IsUserAdminMember(void)
{
    SID_IDENTIFIER_AUTHORITY nt_authority = SECURITY_NT_AUTHORITY;
    PSID admins_sid = NULL;

    // Build S-1-5-32-544 (BUILTIN\Administrators).
    BOOL built = AllocateAndInitializeSid(&nt_authority, 2,
                                          SECURITY_BUILTIN_DOMAIN_RID,
                                          DOMAIN_ALIAS_RID_ADMINS,
                                          0, 0, 0, 0, 0, 0,
                                          &admins_sid);
    if (!built) {
        return FALSE;
    }

    BOOL is_member = FALSE;
    BOOL checked = CheckTokenMembership(NULL, admins_sid, &is_member);
    FreeSid(admins_sid);

    // A failed check is reported as "not a member" rather than as an error.
    return checked ? is_member : FALSE;
}
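/**
 * Probe whether an elevated instance is currently alive by trying to open the
 * named mutex that the elevated branch of main() creates.
 *
 * Only SYNCHRONIZE is requested: that is enough to learn that the object
 * exists and is the least access the probe needs, whereas MUTEX_ALL_ACCESS may
 * be refused by the object's DACL even though the mutex is there. The handle
 * is closed again so the polling loop in main() does not leak one handle per
 * iteration.
 *
 * @return true when the mutex can be opened, false otherwise.
 */
bool is_elevated_running(void)
{
    HANDLE h = OpenMutexA(SYNCHRONIZE, FALSE, mutex_name);
    if (h == NULL) {
        return false;
    }
    CloseHandle(h);   // existence was all we needed to know
    return true;
}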
/**
 * Work performed by the elevated instance: show a confirmation box and return.
 *
 * @return always 0.
 */
int do_actions(void)
{
    const char *text = "App Elevated";
    const char *caption = "OK";
    MessageBoxA(NULL, text, caption, MB_OK);
    return 0;
}
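/**
 * Entry point. When the current token is a member of the Administrators
 * group, take the single-instance mutex and run the payload; otherwise keep
 * re-launching this executable with the "runas" verb until an elevated
 * instance is detected through the mutex.
 *
 * @return 0 on success, -1 if the mutex cannot be created, -2 if another
 *         instance already owns it, -3 if the path of this executable cannot
 *         be determined.
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    if (IsUserAdminMember()) {
        HANDLE hMutex = CreateMutexA(NULL, FALSE, mutex_name);
        if (!hMutex) {
            return -1;
        }
        if (GetLastError() == ERROR_ALREADY_EXISTS) {
            CloseHandle(hMutex);
            return -2;
        }
        // Keep the mutex alive for the whole payload; it is what the
        // unelevated launcher polls for.
        int rc = do_actions();
        CloseHandle(hMutex);
        return rc;
    }

    while (!is_elevated_running()) {
        // Zero-initialise and check the lookup so a failed call never hands
        // an uninitialised buffer to RunElevated().
        char app_path[MAX_PATH] = { 0 };
        DWORD len = GetModuleFileNameA(NULL, app_path, MAX_PATH);
        if (len == 0 || len >= MAX_PATH) {
            return -3;
        }
        RunElevated(app_path);
    }
    return 0;
}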
@zer0cat - thank you for reporting. indeed, it was an unfinished snippet, and I forgot about it. check out the updated version.
Anyway, I already have an infinite loop (in win7, win10 and others).
I think IsUserAdminMember is the wrong way. You must check the integrity level, not admin membership.
see my sample https://gist.github.com/zer0cat/089c396788acb182fbd2b4d2c55b43fa
This code goes into an infinite loop! It doesn't work.
You must exit this process and start a new instance of the exe.