A Windows UAC Bypass using Device Manager

Today while working on a Windows 10 machine, I had the need to open the Device Manager for some hardware maintenance. While opening the Windows Device manager I noticed that there was no UAC prompt when I started it. This was a little strange because the Device Manager exists as a Management Console snap-in in %systemroot%\System32\devmgmt.msc and is launched by mmc.exe.

When you start the Device Manager, mmc.exe is launched with %systemroot%\System32\devmgmt.msc as an argument.

Independently, the Microsoft Management Console requires elevation to run. When you go to run and launch mmc.exe, Windows will ask you to allow elevation using the UAC prompt.

If the Device Manager can be opened without a UAC prompt it means that it was launched with High Integrity level. If this process can be used to spawn other processes, they will be launched with High integrity level too.
It was trivial from here to find a way to open an elevated Command Prompt without being prompted by UAC.
User Access Control on my machine was set to the default value of “Notify me only when apps try to make changes to my computer (default)”
To reproduce this:
1. Go to Start run and type devmgmt.msc. Notice that there is no UAC prompt.
2. Once the Device Manager opens, goto Help > Help Topics
3. This will open up the Microsoft Management Console Help window. Right click any where in the right pane and select View Source
4. This will open notepad (the editor may vary if you have set IE’s source viewer to a different text editor).
5. Using notepad’s File > Open menu, navigate to the System32 directory.
6. Set the File type to “All files (*.*) and right click select “Run as Administrator” on cmd.exe
7. This should launch a elevated Command Prompt without any UAC prompts. You can run whoami /priv to check that you have a lot of privileges available now (disabled but available).
8. The process tree also shows that the cmd.exe that was spawned was started with High Integrity level.
There are several other techniques available on Windows that allow you to bypass UAC and most of them are well documented (see references below).

Please note, according to Microsoft, UAC bypasses are not a security problem as UAC is a convenience feature (more references in that page).

Other UAC Bypass references

1. https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
2. https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/
3. https://github.com/hfiref0x/UACME
4. https://habrahabr.ru/company/pm/blog/328008/ [Use Google translate, worth reading]

I will try and find other bypasses and post them here. Till then Happy Hacking!!

The Case of the Persistent Executable

This is the first of the 2 case studies which won me a signed copy of Windows Internals, 4th Edition, by Mark Russinovich, Microsoft last year.

I woke up last Saturday around 11:00 in the morning to find my friend sitting at the computer typing some document in MSWord, he then minimized the document and proceeded to open the D: drive from My Computer. My usually fast Windows responded extremely slowly to the double click. I sat bolt upright in my bed and asked him to repeat the procedure with the other drives. The same delay was noticed on the other drives too. I then asked him to right click on any drive expecting a change in the context menu due to the presence of an autorun file. The menu was intact. I then got down and sat at the chair and used the attrib command at the prompt for each drive. This is what I got.

Certainly signs of malicious presence. I used the type command to read the contents of autorun.inf although I knew what it would point at.

I then immediately fired Process Explorer to see if the process was running. Failing to find the process or a handle to it, I then used the attrib –s –h –r fppg1.exe to reset attributes and proceeded to delete it using del fppg1.exe. I repeated the same procedure with the autorun.inf file. Since I have 6 partitions on my hard drive, I wrote a bat file, named it clean.bat and saved it in %systemroot% with the following contents.

@echo off
attrib -s -h -r fppg1.exe
del fppg1.exe
attrib -s -h -r autorun.inf
del autorun.inf
echo All done
echo.

I then ran clean.bat from the console on each partition. Happy that my system was back to normal, I restarted explorer to remove the effects of the autorun.inf file on the default open option on the drives. I then proceeded to open F: drive using the double click through My Computer. I was surprised to see the delay occurring again. The attrib command confirmed my doubts. The two files were back. I decided to dump the strings from the fppg1.exe file to see if I could find any clues. I ran the strings utility and piped the output to a text file called fppg1.text.

The file contained loads of ASCII characters and just three APIs that I recognized. That didn’t help much.

I then fired up Process Monitor to see what process was writing these files to disk. I used two filters with Path contains autorun.inf then include and Path contains fppg1.exe then include. I was surprised to see which process was writing, setting attributes and querying information.

It wasn’t only explorer.exe that drained my happiness out of me.

I then right clicked on Explorer to view its stack when IRP_MJ_CREATE Operation was performed. The stack had one unfamiliar entry.

I used the find handle or dll feature of Process Explorer to search for amvo0.dll. The returned results didn’t raise my spirits.

The dll had attached itself to other processes I had opened after restarting explorer. I then opened up cmd, changed to C:\Windows\System32\ and used the attrib command to confirm my suspicions about the attributes of amvo0.dll. I wasn’t disappointed.

I suspected that there could be an associated executable also present in the same directory and hence used attrib amv*. With my suspicions confirmed, I used strings.exe to dump strings from amvo.exe and did a file compare with fppg1.txt. Bingo! They were the same files in essence. The dll amvo0.dll was making explorer.exe and the system process to recreate the files fppg1.exe and autorun.inf whenever they were not found in the root of the drives. I used attrib again to remove the system and hidden attribute from amvo.exe and amvo0.dll and deleted amvo.exe through the command prompt. The file amvo0.dll was in memory and hence could not be deleted. One shortcoming of Process Explorer, I found would have really helped me, was to unload dlls which would have allowed me to delete the file immediately. I used autoruns.exe, another of Sysinternals creations, and found that amvo.exe created a registry entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run that caused it to be run at system startup. With the file gone, I restarted my system and then deleted amvo0.dll manually, fppg1.exe and the autorun.inf file using the bat file.

Case closed. I then went on to start my morning.

Convert normal folders to Windows Shell Folders

I normally store all data in separate logical drives on my computer. My movie collection goes to a drive called Multimedia, so does the music. My code and office work goes to another drive called Office and my OS silently resides in my C drive. I have seen many people, and not just the technology illiterates, but even the tech savvy store sensitive data right on their desktop and in My Documents.

Nothing wrong with it, but if your system is used by multiple people; nosy in essesnce, you wouldn’t want your privacy to be breached.

The NTFS filesystem provides adequate protection to data via Access Control Lists, but that is another topic altogether. Playing around with System folders in Windows, I found that you could convert any folder to a system folder with the right desktop.ini file. Although later research showd me that this is an old trick, I was still fascinated by the sheer simplicity of it.

Shell folders are special Windows folders like My Computer, Recycle Bin and My Network Places. I wouldn’t go in to the math of why it works the way it works, but rather just show you how you could keep all your data inside a folder, convert it to the Recycle Bin and keep it on your Desktop and nobody would suspect there was data in it.

Here’s how:
1. Create a folder called “Secret” on your desktop and copy some files to it.

2. Open notepad [Start > Run > notepad] and type the following exactly as shown:

[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}

3. Save the file as desktop.ini in the Secret folder on the desktop. Select “All Files” under “Save as type” in the Save As dialog of notepad and type the name of the file as desktop.ini

4. Open command prompt by going to Start > Run > cmd

5. Navigate to the directory containing your “Secret” folder, this would be the desktop in this example, using the cd command.

6. Type “attrib +S Secret” at the prompt and press Enter.

7. Navigate to your desktop and find your folder containing your precious cargo converted to the Recycle Bin. View the properties of the folder to find the Recycle Bin properties pop up.

8. Open it to find the contents of the Recycle Bin instead of your data.


This happens because Windows finds the desktop.ini file in the folder and the System attribute on the folder. Windows then reads the desktop.ini file to find the Class Identifier [CLSID] for Recycle Bin, which is {645FF040-5081-101B-9F08-00AA002F954E}. Your data is present in the folder but not accessible to Windows because the Windows Directory Enumeration APIs detect the folder as the Recycle Bin and not a file folder.

To get your data back, just open command prompt and enter the attrib –S Secret folder after navigating to the Desktop to remove the System attribute on the folder.

There are plenty of shell folders around Windows, but the most frequent ones that I use are the following with their CLSID values, just replace the CLSID values in the desktop.ini file:
My Computer: {20D04FE0-3AEA-1069-A2D8-08002B30309D}
Recycle Bin: {645FF040-5081-101B-9F08-00AA002F954E}
My Network Places: {208D2C60-3AEA-1069-A2D7-08002B30309D}

To automate the entire process, I wrote a simple tool called FolderCloak that just allows you to do the above with a nice GUI interface. You can download FolderCloak [and my other tools] at http://riyazahemed.webng.com