This UAC bypass method works by manipulating application compatibility (shim) databases.
Method of Operation:
1. ucmInitAppHelp
* Purpose:
* Initialize AppHelp routines.
2. ucmRegisterAndRunTarget
* Purpose:
* Register shim database and execute target app.
3. ucmShimRedirectEXE
* Purpose:
* Build, register shim database and execute target app.
* Initially used in BlackEnergy2 and Gootkit by mzH (alive-green).
* Currently used in a number of trojans (Win32/Dyre, WinNT/Cridex).
The fragment of ucmShimRedirectEXE that writes the shim reference into the database (hShimDb and tidEXE come from the surrounding code that opened the database and the EXE entry):

    /* open a SHIM_REF list inside the current EXE entry */
    tidShim = SdbBeginWriteListTag(hShimDb, TAG_SHIM_REF);
    if (tidShim != TAGID_NULL) {
        /* name of the built-in shim to apply, and its parameter: the payload path */
        SdbWriteStringTag(hShimDb, TAG_NAME, L"RedirectEXE");
        SdbWriteStringTag(hShimDb, TAG_COMMAND_LINE, lpszPayloadEXE);
        SdbEndWriteListTag(hShimDb, tidShim);
    }
    /* close the EXE entry opened earlier */
    SdbEndWriteListTag(hShimDb, tidEXE);
4. ucmAppcompatElevation
* Purpose:
* AutoElevation using the Application Compatibility engine.
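A defensive counterpart to the method above, added here as an example; it is not code from the original page or from the project it describes. A shim database that has been registered with the system is recorded by Windows under the standard AppCompatFlags registry keys (InstalledSDB for the database itself, Custom for the executables it shims), so enumerating those keys surfaces the artifact this technique leaves behind. The function names and the "outside AppPatch" heuristic are the author's choices for this example.

```powershell
# Added example: list custom shim databases registered on this host.
# Custom SDBs are rare on ordinary workstations, so each entry deserves review;
# a database stored outside %SystemRoot%\AppPatch is the most suspicious case.
$flags = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

function Get-InstalledShimDatabase {
    $key = Join-Path $flags 'InstalledSDB'
    if (-not (Test-Path $key)) { return }
    Get-ChildItem $key | ForEach-Object {
        $p    = Get-ItemProperty $_.PSPath
        $path = [string]$p.DatabasePath
        $installed = $null
        if ($p.DatabaseInstallTimeStamp) {
            # stored as a FILETIME QWORD
            $installed = [DateTime]::FromFileTime([int64]$p.DatabaseInstallTimeStamp)
        }
        [pscustomobject]@{
            Guid        = $_.PSChildName
            Description = $p.DatabaseDescription
            Path        = $path
            InstallTime = $installed
            # heuristic: legitimate vendor fixes live under the system AppPatch folder
            Suspicious  = -not $path.StartsWith("$env:SystemRoot\AppPatch", 'OrdinalIgnoreCase')
        }
    }
}

function Get-ShimmedExecutable {
    $key = Join-Path $flags 'Custom'
    if (-not (Test-Path $key)) { return }
    Get-ChildItem $key | ForEach-Object {
        $exe = $_.PSChildName
        # each value name under <exe> is the {GUID}.sdb of a database that shims it
        $_.GetValueNames() | ForEach-Object {
            [pscustomobject]@{ Executable = $exe; Database = $_ }
        }
    }
}

Get-InstalledShimDatabase | Format-Table -AutoSize
Get-ShimmedExecutable     | Format-Table -AutoSize
```

Run it from an elevated shell on a host you administer; an empty result from both functions is the normal state. Pair a suspicious row with the executable it is mapped to in the Custom key and with the database's creation time on disk to decide whether it was installed by a vendor or by something else.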