- .NET library that serves as a boilerplate to bypass UAC x64 using uiAccess
- Any* process with the uiAccess flag enabled can "Send Keystrokes" to high integrity processes even from medium integrity
- We steal the token of On Screen Keyboard (uiAccess enabled) to spawn a new process that does GUI automation
- The GUI automation simply sends keystrokes to taskmgr (auto elevate) to spawn our new desired process in high integrity
- *Refer to tiraniddo's article for requirements, although they can easily be conjured up
Because I was bored of registry / DLL / COM UAC bypasses
The code really serves as boilerplate to abuse the uiAccess feature in convenient C#, where you can easily replace the GUI automation code/logic to your liking. Because the library is so simple, you have granular and absolute control over your actions as opposed to other libraries out there (i.e. awareness of what your code is actually doing).
C# port of https://www.tiraniddo.dev/2019/02/accessing-access-tokens-for-uiaccess.html with some troll flavouring.
Refer to article for full explanation, technique is 5 years old but still works :)
- Download project & Compile solution as Release, x64, check the box "allow unsafe code"
- No external dependencies needed
> Start with Medium Integrity
> [System.Reflection.Assembly]::LoadFrom("C:\users\public\TrollUAC.dll") # can Load() as well
> [TrollUAC]::uiAccessPlease(<Process>) # for non-sys32 binaries, set the full path
> [TrollUAC]::uiAccessPlease("notepad")
- This project is declared 100% opsec unsafe
- None, I think it works fine in any non-production environment like security certification exams
Should only be used for educational purposes!