v 3.6.2

Initial method #130 implementation. Currently tested only on 21H2 (19044).
hfiref0x · Jul 7, 2022 · f1c42ac · f1c42ac
1 parent af0b0d6
commit f1c42ac
Show file tree

Hide file tree

Showing 13 changed files with 373 additions and 67 deletions.
diff --git a/README.md b/README.md
@@ -758,11 +758,21 @@ First parameter is number of method to use, second is optional command (executab
      * Method: IElevatedFactoryServer
      * Target(s): Attacker defined
      * Component(s): Attacker defined
-     * Implementation: ucmVirtualFactoryServer
+     * Implementation: ucmVFServerTaskSchedMethod
      * Works from: Windows 8.1 (9600)
      * Fixed in: unfixed :see_no_evil:
         * How: -
       * Code status: added in v3.6.1
+75. Author: zcgonvh derivative by Wh04m1001
+     * Type: Elevated COM interface
+     * Method: IDiagnosticProfile
+     * Target(s): Attacker defined
+     * Component(s): Attacker defined
+     * Implementation: ucmVFServerDiagProfileMethod
+     * Works from: Windows 7 RTM (7600)
+     * Fixed in: unfixed :see_no_evil:
+        * How: -
+      * Code status: added in v3.6.2
 
 </details>
 

diff --git a/Source/Akagi/Resource.rc b/Source/Akagi/Resource.rc
diff --git a/Source/Akagi/methods/comsup.h b/Source/Akagi/methods/comsup.h
@@ -4,9 +4,9 @@
 *
 *  TITLE:       COMSUP.H
 *
-*  VERSION:     3.61
+*  VERSION:     3.62
 *
-*  DATE:        22 Jun 2022
+*  DATE:        04 Jul 2022
 *
 *  Prototypes and definitions for COM interfaces and routines.
 *

diff --git a/Source/Akagi/methods/elvint.h b/Source/Akagi/methods/elvint.h
@@ -4,9 +4,9 @@
 *
 *  TITLE:       ELVINT.H
 *
-*  VERSION:     3.61
+*  VERSION:     3.62
 *
-*  DATE:        22 Jun 2022
+*  DATE:        04 Jul 2022
 *
 *  Prototypes and definitions for elevated interface methods.
 *
@@ -481,7 +481,7 @@ typedef struct IElevatedFactoryServerVtbl {
 
     END_INTERFACE
 
-} *PIElevatedFactoryServerVtbll;
+} *PIElevatedFactoryServerVtbl;
 
 // INTERFACE DEF
 

diff --git a/Source/Akagi/methods/methods.c b/Source/Akagi/methods/methods.c
@@ -4,9 +4,9 @@
 *
 *  TITLE:       METHODS.C
 *
-*  VERSION:     3.61
+*  VERSION:     3.62
 *
-*  DATE:        22 Jun 2022
+*  DATE:        04 Jul 2022
 *
 *  UAC bypass dispatch.
 *
@@ -47,7 +47,8 @@ UCM_API(MethodPca);
 UCM_API(MethodCurVer);
 UCM_API(MethodMsdt);
 UCM_API(MethodDotNetSerial);
-UCM_API(MethodVFServer);
+UCM_API(MethodVFServerTaskSched);
+UCM_API(MethodVFServerDiagProf);
 
 ULONG UCM_WIN32_NOT_IMPLEMENTED[] = {
     UacMethodWow64Logger,
@@ -60,7 +61,8 @@ ULONG UCM_WIN32_NOT_IMPLEMENTED[] = {
     UacMethodMsStoreProtocol,
     UacMethodPca,
     UacMethodCurVer,
-    UacMethodVFServer
+    UacMethodVFServerTaskSched,
+    UacMethodVFServerDiagProf
 };
 
 UCM_API_DISPATCH_ENTRY ucmMethodsDispatchTable[UCM_DISPATCH_ENTRY_MAX] = {
@@ -138,7 +140,8 @@ UCM_API_DISPATCH_ENTRY ucmMethodsDispatchTable[UCM_DISPATCH_ENTRY_MAX] = {
     { MethodNICPoison, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
     { MethodMsdt, { NT_WIN10_THRESHOLD1, MAXDWORD }, FUBUKI32_ID, FALSE, FALSE, TRUE },
     { MethodDotNetSerial, { NT_WIN7_RTM, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE },
-    { MethodVFServer, { NT_WIN8_BLUE, MAXDWORD}, AKATSUKI_ID, FALSE, TRUE, TRUE }
+    { MethodVFServerTaskSched, { NT_WIN8_BLUE, MAXDWORD}, AKATSUKI_ID, FALSE, TRUE, TRUE },
+    { MethodVFServerDiagProf, { NT_WIN7_RTM, MAXDWORD}, AKATSUKI_ID, FALSE, TRUE, TRUE }
 };
 
 /*
@@ -226,6 +229,7 @@ VOID PostCleanupAttempt(
         break;
 
     case UacMethodWow64Logger:
+    case UacMethodVFServerDiagProf:
         ucmMethodCleanupSingleItemSystem32(WOW64LOG_DLL);
         break;
 
@@ -759,9 +763,16 @@ UCM_API(MethodDotNetSerial)
     return ucmDotNetSerialMethod(lpszPayload);
 }
 
-UCM_API(MethodVFServer)
+UCM_API(MethodVFServerTaskSched)
 {
-    return ucmVirtualFactoryServer(
+    return ucmVFServerTaskSchedMethod(
+        Parameter->PayloadCode,
+        Parameter->PayloadSize);
+}
+
+UCM_API(MethodVFServerDiagProf)
+{
+    return ucmVFServerDiagProfileMethod(
         Parameter->PayloadCode,
         Parameter->PayloadSize);
 }
diff --git a/Source/Akagi/methods/methods.h b/Source/Akagi/methods/methods.h
@@ -4,9 +4,9 @@
 *
 *  TITLE:       METHODS.H
 *
-*  VERSION:     3.61
+*  VERSION:     3.62
 *
-*  DATE:        22 Jun 2022
+*  DATE:        04 Jul 2022
 *
 *  Prototypes and definitions for UAC bypass methods table.
 *
@@ -93,7 +93,8 @@ typedef enum _UCM_METHOD {
     UacMethodNICPoison2,        //+
     UacMethodMsdt,              //+
     UacMethodDotNetSerial,      //+
-    UacMethodVFServer,          //+
+    UacMethodVFServerTaskSched, //+
+    UacMethodVFServerDiagProf,  //+
     UacMethodMax,
     UacMethodInvalid = 0xabcdef
 } UCM_METHOD;

diff --git a/Source/Akagi/methods/routines.h b/Source/Akagi/methods/routines.h
@@ -4,9 +4,9 @@
 *
 *  TITLE:       ROUTINES.H
 *
-*  VERSION:     3.61
+*  VERSION:     3.62
 *
-*  DATE:        22 Jun 2022
+*  DATE:        04 Jul 2022
 *
 *  Prototypes of methods for UAC bypass methods table.
 *
@@ -130,7 +130,11 @@ NTSTATUS ucmTokenModUIAccessMethod(
 NTSTATUS ucmDebugObjectMethod(
     _In_ LPWSTR lpszPayload);
 
-NTSTATUS ucmVirtualFactoryServer(
+NTSTATUS ucmVFServerTaskSchedMethod(
+    _In_ PVOID ProxyDll,
+    _In_ DWORD ProxyDllSize);
+
+NTSTATUS ucmVFServerDiagProfileMethod(
     _In_ PVOID ProxyDll,
     _In_ DWORD ProxyDllSize);