#include "pch.h"
#include "Provider.h"
#include "Credential.h"
#include <fstream>
#include <ctime>
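// Appends one line to the fixed log file C:\UAC_PoC_LOG.txt: a timestamp, the
// caller's message, and the full path of the process this DLL is loaded into.
// Best effort by design: if the file cannot be opened the call does nothing.
//
// The process path is the only host-identifying evidence written here; the
// message text is supplied by the caller and is not verified against it.
static void WriteLog(const char* message)
{
    std::ofstream f("C:\\UAC_PoC_LOG.txt", std::ios::app);
    if (!f.is_open())
    {
        return;
    }

    // ctime() hands back a pointer to a shared static buffer and may return
    // null. Copy the text out immediately and strip the trailing '\n' only
    // when there really is one, instead of indexing strlen(dt) - 1 blindly.
    char stamp[32] = {};
    const time_t now = time(nullptr);
    if (const char* raw = ctime(&now))
    {
        size_t len = strlen(raw);
        if (len > 0 && raw[len - 1] == '\n')
        {
            --len;
        }
        if (len >= sizeof(stamp))
        {
            len = sizeof(stamp) - 1;
        }
        memcpy(stamp, raw, len);
    }

    // Zero-initialised, so a failed GetModuleFileNameA leaves an empty string.
    char procPath[MAX_PATH] = {};
    GetModuleFileNameA(NULL, procPath, MAX_PATH);

    // Streaming a null const char* would put the stream into a failed state.
    f << "[" << stamp << "] " << (message ? message : "(null)")
      << " | Process: " << procPath << std::endl;
}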
// A new provider starts with one reference (owned by whoever constructed it),
// disabled, and without a credential object.
CProvider::CProvider()
    : _cRef(1),
      _enabled(false),
      _pCredential(nullptr)
{
}

// Drops the provider's own reference on the credential, if one was created.
CProvider::~CProvider()
{
    if (_pCredential != nullptr)
    {
        _pCredential->Release();
    }
}
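// Hands out IUnknown / ICredentialProvider; every other IID is refused.
// Returns E_POINTER for a null out-pointer, S_OK with an AddRef'd interface on
// success, and E_NOINTERFACE (with *ppv cleared) otherwise.
IFACEMETHODIMP CProvider::QueryInterface(REFIID riid, void** ppv)
{
    // The original dereferenced ppv unconditionally; a null out-pointer from
    // the host would have crashed the process hosting the provider.
    if (ppv == nullptr)
    {
        return E_POINTER;
    }

    if (riid == IID_IUnknown || riid == IID_ICredentialProvider)
    {
        *ppv = static_cast<ICredentialProvider*>(this);
        AddRef();
        return S_OK;
    }

    *ppv = nullptr;
    return E_NOINTERFACE;
}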
// Drops one reference and destroys the provider when the count reaches zero.
// Returns the remaining count.
// NOTE(review): the decrement is a plain `--`, not an interlocked operation;
// confirm against the header's AddRef and the host's threading before relying
// on this from more than one thread.
IFACEMETHODIMP_(ULONG) CProvider::Release()
{
    const LONG remaining = --_cRef;
    if (remaining == 0)
    {
        delete this;
    }
    return remaining;
}
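// Opts the provider in for the CPUS_CREDUI scenario only and logs that it was
// reached; every other scenario is declined with E_NOTIMPL.
//
// The log text labels the event as a UAC prompt in consent.exe, but the code
// only checks the scenario value. CPUS_CREDUI is also what a host passes for an
// ordinary credential-UI prompt, so the process path WriteLog records - not
// the label - is what identifies the host.
IFACEMETHODIMP CProvider::SetUsageScenario(CREDENTIAL_PROVIDER_USAGE_SCENARIO cpus, DWORD dwFlags)
{
    (void)dwFlags;  // flags are not consulted

    if (cpus != CPUS_CREDUI)
    {
        return E_NOTIMPL;
    }

    WriteLog("=== UAC ELEVATION TRIGGERED (consent.exe) ===");

    // The original overwrote _pCredential on every call, leaking the previous
    // object if the host set the scenario more than once. Reuse it instead.
    // NOTE(review): plain `new` throws on allocation failure, and the exception
    // would leave through a COM method; consider a non-throwing allocation
    // that returns E_OUTOFMEMORY.
    if (_pCredential == nullptr)
    {
        _pCredential = new CCredential();
    }

    // Set only after the credential exists, so GetCredentialCount never
    // advertises a credential that GetCredentialAt cannot return.
    _enabled = true;
    return S_OK;
}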
// Inbound serialized credentials are not accepted.
IFACEMETHODIMP CProvider::SetSerialization(const CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION*)
{
    return E_NOTIMPL;
}

// The provider never raises events, so it does not keep the callback.
IFACEMETHODIMP CProvider::Advise(ICredentialProviderEvents*, UINT_PTR)
{
    return E_NOTIMPL;
}

IFACEMETHODIMP CProvider::UnAdvise()
{
    return E_NOTIMPL;
}

// Reports zero UI fields: the tile has nothing for the user to fill in.
IFACEMETHODIMP CProvider::GetFieldDescriptorCount(DWORD* pdwCount)
{
    *pdwCount = 0;
    return S_OK;
}

// With zero fields advertised, every index is out of range.
IFACEMETHODIMP CProvider::GetFieldDescriptorAt(DWORD, CREDENTIAL_PROVIDER_FIELD_DESCRIPTOR**)
{
    return E_INVALIDARG;
}
// Advertises one credential once SetUsageScenario has enabled the provider and
// none before that; there is no default tile and auto-logon is never requested.
IFACEMETHODIMP CProvider::GetCredentialCount(DWORD* pdwCount, DWORD* pdwDefault, BOOL* pbAutoLogon)
{
    if (_enabled)
    {
        *pdwCount = 1;
    }
    else
    {
        *pdwCount = 0;
    }
    *pbAutoLogon = FALSE;
    *pdwDefault = CREDENTIAL_PROVIDER_NO_DEFAULT;
    return S_OK;
}
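// Returns the single credential (index 0) as ICredentialProviderCredential.
// E_POINTER for a null out-pointer; E_INVALIDARG for any other index or when no
// credential has been created yet. The out-pointer is cleared on every failure.
IFACEMETHODIMP CProvider::GetCredentialAt(DWORD dwIndex, ICredentialProviderCredential** ppcpc)
{
    if (ppcpc == nullptr)
    {
        return E_POINTER;
    }

    // The original left *ppcpc untouched on the E_INVALIDARG path, so a caller
    // that ignored the HRESULT could use a stale pointer.
    *ppcpc = nullptr;

    if (dwIndex != 0 || _pCredential == nullptr)
    {
        return E_INVALIDARG;
    }

    // QueryInterface AddRefs on success, so the caller owns its own reference.
    return _pCredential->QueryInterface(IID_ICredentialProviderCredential, reinterpret_cast<void**>(ppcpc));
}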
#include "pch.h"
#include "Credential.h"
// The credential starts with the single reference held by its creator.
CCredential::CCredential()
    : _cRef(1)
{
}

// Nothing to release: the object holds no resources in the code shown here.
CCredential::~CCredential()
{
}
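// Hands out IUnknown / ICredentialProviderCredential; every other IID is
// refused. Returns E_POINTER for a null out-pointer, S_OK with an AddRef'd
// interface on success, and E_NOINTERFACE (with *ppv cleared) otherwise.
IFACEMETHODIMP CCredential::QueryInterface(REFIID riid, void** ppv)
{
    // The original wrote through ppv without checking it.
    if (ppv == nullptr)
    {
        return E_POINTER;
    }

    if (riid == IID_IUnknown || riid == IID_ICredentialProviderCredential)
    {
        *ppv = static_cast<ICredentialProviderCredential*>(this);
        AddRef();
        return S_OK;
    }

    *ppv = nullptr;
    return E_NOINTERFACE;
}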
// Drops one reference and destroys the credential when the count reaches zero.
// Returns the remaining count.
// NOTE(review): the decrement is not interlocked; confirm the threading
// assumptions against the header's AddRef.
IFACEMETHODIMP_(ULONG) CCredential::Release()
{
    const LONG remaining = --_cRef;
    if (remaining == 0)
    {
        delete this;
    }
    return remaining;
}
// The event sink is accepted but not stored; the credential never calls back.
IFACEMETHODIMP CCredential::Advise(ICredentialProviderCredentialEvents*)
{
    return S_OK;
}

IFACEMETHODIMP CCredential::UnAdvise()
{
    return S_OK;
}

// Selecting the tile never starts an automatic logon.
IFACEMETHODIMP CCredential::SetSelected(BOOL* pbAutoLogon)
{
    *pbAutoLogon = FALSE;
    return S_OK;
}

IFACEMETHODIMP CCredential::SetDeselected()
{
    return S_OK;
}
// Whatever field index is asked about, it is reported as hidden and
// non-interactive.
IFACEMETHODIMP CCredential::GetFieldState(DWORD, CREDENTIAL_PROVIDER_FIELD_STATE* pcpfs, CREDENTIAL_PROVIDER_FIELD_INTERACTIVE_STATE* pcpfis)
{
    *pcpfis = CPFIS_NONE;
    *pcpfs = CPFS_HIDDEN;
    return S_OK;
}
// Field accessors. The credential exposes no fields, so reads yield nothing
// and writes are not implemented: no user input is collected through it.

// NOTE(review): reports success while returning a null string; callers must
// tolerate a null *ppwsz on S_OK.
IFACEMETHODIMP CCredential::GetStringValue(DWORD, PWSTR* ppwsz)
{
    *ppwsz = nullptr;
    return S_OK;
}

IFACEMETHODIMP CCredential::GetBitmapValue(DWORD, HBITMAP*)
{
    return E_NOTIMPL;
}

IFACEMETHODIMP CCredential::GetCheckboxValue(DWORD, BOOL*, PWSTR*)
{
    return E_NOTIMPL;
}

IFACEMETHODIMP CCredential::GetComboBoxValueCount(DWORD, DWORD*, DWORD*)
{
    return E_NOTIMPL;
}

IFACEMETHODIMP CCredential::GetComboBoxValueAt(DWORD, DWORD, PWSTR*)
{
    return E_NOTIMPL;
}

IFACEMETHODIMP CCredential::GetSubmitButtonValue(DWORD, DWORD*)
{
    return E_NOTIMPL;
}

IFACEMETHODIMP CCredential::SetStringValue(DWORD, PCWSTR)
{
    return E_NOTIMPL;
}

IFACEMETHODIMP CCredential::SetCheckboxValue(DWORD, BOOL)
{
    return E_NOTIMPL;
}

IFACEMETHODIMP CCredential::SetComboBoxSelectedValue(DWORD, DWORD)
{
    return E_NOTIMPL;
}

IFACEMETHODIMP CCredential::CommandLinkClicked(DWORD)
{
    return E_NOTIMPL;
}
// Always answers CPGSR_NO_CREDENTIAL_NOT_FINISHED: the serialization output
// parameter is ignored and nothing is ever packaged for the host. No status
// text or icon is supplied.
IFACEMETHODIMP CCredential::GetSerialization(
    CREDENTIAL_PROVIDER_GET_SERIALIZATION_RESPONSE* pcpgsr,
    CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION*,
    PWSTR* ppwszOptionalStatusText,
    CREDENTIAL_PROVIDER_STATUS_ICON* pcpsiOptionalStatusIcon)
{
    *pcpsiOptionalStatusIcon = CPSI_NONE;
    *ppwszOptionalStatusText = nullptr;
    *pcpgsr = CPGSR_NO_CREDENTIAL_NOT_FINISHED;
    return S_OK;
}
// The two status codes passed in are ignored; no text or icon is returned for
// the host to display.
IFACEMETHODIMP CCredential::ReportResult(NTSTATUS, NTSTATUS, PWSTR* ppwszOptionalStatusText, CREDENTIAL_PROVIDER_STATUS_ICON* pcpsiOptionalStatusIcon)
{
    *pcpsiOptionalStatusIcon = CPSI_NONE;
    *ppwszOptionalStatusText = nullptr;
    return S_OK;
}
#include "pch.h"
#include <windows.h>
#include "Provider.h"
// Module handle captured in DllMain on process attach.
static HINSTANCE g_hInst = nullptr;

// Server lock count; in the code shown it is changed only by LockServer.
static LONG g_cRef = 0;

// Class ID this DLL answers for in DllGetClassObject.
// {A3B5C6D7-E8F9-0A1B-2C3D-4E5F6A7B8C9D}
// Registration is not part of this listing. This GUID is the value to look for
// when auditing which credential providers are registered on a machine.
static const CLSID CLSID_MyProvider =
{
    0xa3b5c6d7, 0xe8f9, 0x0a1b,
    { 0x2c, 0x3d, 0x4e, 0x5f, 0x6a, 0x7b, 0x8c, 0x9d }
};
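// Class factory for CProvider. Exactly one instance exists, with static
// storage duration, so AddRef/Release return fixed values and never destroy it.
class CClassFactory : public IClassFactory
{
public:
    IFACEMETHODIMP_(ULONG) AddRef() { return 2; }
    IFACEMETHODIMP_(ULONG) Release() { return 1; }

    // Answers for IUnknown and IClassFactory only. No AddRef is needed because
    // the factory's lifetime is not reference counted.
    IFACEMETHODIMP QueryInterface(REFIID riid, void** ppv)
    {
        // Added: the original dereferenced ppv without checking it.
        if (ppv == nullptr)
        {
            return E_POINTER;
        }
        if (riid == IID_IUnknown || riid == IID_IClassFactory)
        {
            *ppv = static_cast<IClassFactory*>(this);
            return S_OK;
        }
        *ppv = nullptr;
        return E_NOINTERFACE;
    }

    // Creates a CProvider and returns the requested interface on it.
    // Aggregation is refused. On any failure *ppv is null.
    IFACEMETHODIMP CreateInstance(IUnknown* pUnkOuter, REFIID riid, void** ppv)
    {
        if (ppv == nullptr)
        {
            return E_POINTER;
        }
        // Added: clear the out-pointer up front so the aggregation failure
        // path does not leave it uninitialised.
        *ppv = nullptr;

        if (pUnkOuter != nullptr)
        {
            return CLASS_E_NOAGGREGATION;
        }

        // NOTE(review): plain `new` throws on allocation failure and the
        // exception would cross the COM boundary; consider a non-throwing
        // allocation that returns E_OUTOFMEMORY.
        CProvider* pProvider = new CProvider();
        const HRESULT hr = pProvider->QueryInterface(riid, ppv);
        // Drop the construction reference: on success the caller holds the
        // only one, on failure this destroys the object.
        pProvider->Release();
        return hr;
    }

    // Adjusts the module-wide lock count consulted by DllCanUnloadNow.
    IFACEMETHODIMP LockServer(BOOL bLock)
    {
        if (bLock)
        {
            InterlockedIncrement(&g_cRef);
        }
        else
        {
            InterlockedDecrement(&g_cRef);
        }
        return S_OK;
    }
};

static CClassFactory g_ClassFactory;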
// DLL entry point. On process attach it records the module handle and turns
// off per-thread attach/detach notifications; all other reasons are ignored.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason, LPVOID)
{
    switch (ul_reason)
    {
    case DLL_PROCESS_ATTACH:
        g_hInst = hModule;
        DisableThreadLibraryCalls(hModule);
        break;
    default:
        break;
    }
    return TRUE;
}
// COM entry point: returns the class factory for CLSID_MyProvider and refuses
// every other class ID with CLASS_E_CLASSNOTAVAILABLE.
STDAPI DllGetClassObject(REFCLSID rclsid, REFIID riid, void** ppv)
{
    if (!(rclsid == CLSID_MyProvider))
    {
        return CLASS_E_CLASSNOTAVAILABLE;
    }
    return g_ClassFactory.QueryInterface(riid, ppv);
}
// Tells COM whether the DLL may be unloaded: S_FALSE while the lock count is
// positive, S_OK otherwise.
// NOTE(review): in the code shown, g_cRef is changed only by LockServer. Live
// CProvider / CCredential objects do not appear to contribute to it, so this
// can report S_OK while instances still exist. Verify against the class
// headers before relying on unload safety.
STDAPI DllCanUnloadNow()
{
    if (g_cRef > 0)
    {
        return S_FALSE;
    }
    return S_OK;
}