A demo to bypass the Windows 10 default UAC configuration using IFileOperation and DLL hijacking
hjc4869 Merge pull request #1 from bryant1410/master
Fix broken headings in Markdown files
Latest commit b63c856 May 29, 2018
UacBypass Initial commit Oct 31, 2015
UacBypassTest Initial commit Oct 31, 2015
ntwdblib Initial commit Oct 31, 2015
.gitignore Initial commit Oct 31, 2015
LICENSE Initial commit Oct 31, 2015
README.md Update README.md May 29, 2018
UacBypass.sln Initial commit Oct 31, 2015

README.md

UacBypass

A demo to bypass the Windows 10 default UAC configuration using IFileOperation and DLL hijacking.
DO NOT USE THIS UNLESS YOU UNDERSTAND EXACTLY WHAT THE CODE DOES

Requirements

  • An administrator account with UAC enabled.
  • UAC level is set to default.
  • Tested on Windows 10.10240 (English) x86/x64.

Usage

  • Download and extract/compile a release.
  • Run UacBypassTest.exe
  • If a cmd window with administrator privileges is launched without a UAC prompt, the bypass is successful.

Known issues

  • A fake ntwdblib.dll will be copied to C:\Windows\System32. Any program that tries to load this DLL will launch cmd.exe and then exit. You should remove this file manually after trying the bypass.
  • explorer.exe will load UacBypass.dll and cannot unload it. Restarting the Windows Explorer process solves this problem.
  • Microsoft seems to have fixed all the known DLL hijack exploits on Windows 10 version 1607, including the one this project uses (ntwdblib.dll), so the bypass will fail on any later version.
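
A read-only check for the two leftovers listed above, added here as an example and not part of this project's code. It assumes the default `%SystemRoot%` layout and a 64-bit PowerShell session on x64 systems (a 32-bit session is redirected to SysWOW64), and it treats any signature status other than `Valid` as worth reviewing, which is an assumption about how the planted file will look.

```powershell
# Added example: report residue named under "Known issues". Makes no changes.

# 1. The DLL copied into System32.
$dllPath = Join-Path $env:SystemRoot 'System32\ntwdblib.dll'

if (Test-Path -LiteralPath $dllPath) {
    $item = Get-Item -LiteralPath $dllPath
    $sig  = Get-AuthenticodeSignature -LiteralPath $dllPath
    $hash = Get-FileHash -LiteralPath $dllPath -Algorithm SHA256

    [pscustomobject]@{
        Path            = $item.FullName
        SizeBytes       = $item.Length
        CreatedUtc      = $item.CreationTimeUtc
        LastWriteUtc    = $item.LastWriteTimeUtc
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        SHA256          = $hash.Hash
        # Assumption: a file that does not verify as Valid needs a manual look.
        NeedsReview     = ($sig.Status -ne 'Valid')
    } | Format-List
} else {
    Write-Output "Not present: $dllPath"
}

# 2. UacBypass.dll still mapped into Windows Explorer.
$loaded = Get-Process -Name explorer -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = $_
        try {
            $proc.Modules |
                Where-Object { $_.ModuleName -ieq 'UacBypass.dll' } |
                ForEach-Object {
                    [pscustomobject]@{
                        ProcessId  = $proc.Id
                        ModulePath = $_.FileName
                    }
                }
        } catch {
            Write-Warning "Could not list modules for PID $($proc.Id): $_"
        }
    }

if ($loaded) {
    $loaded | Format-Table -AutoSize
    Write-Output 'explorer.exe still has UacBypass.dll loaded; restart Windows Explorer.'
} else {
    Write-Output 'UacBypass.dll is not loaded in any explorer.exe process.'
}
```

The file's creation time and the recorded hash are useful to keep before removing it, since they let you confirm later that the same file was not reintroduced.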

Chinese introduction: https://hjc.im/bypass-win10-uac/