Author: rodream ( rodream@gmail.com )
WebSite: http://rodream.net


Windows Vista has UAC function and it protects hamful file system operation such as copying file to Windows directory or Program Files.
Users can turn off UAC, but people can not do this because they don't know about it or want to protect system.
In this situation, many system programer has got a headache. I wanna know how to kickout this damn protection.

Finally, I found one way to kickout.

The method which I found is use Native Application.

Native Application is user mode program which uses ntdll.dll and runs likes autochk.exe (scandisk's WindowsNT version)
You can get additional information from the SysInternals (http://www.microsoft.com/technet/sysinternals/information/nativeapplications.mspx)



You can setup Native Application to your system by registry. Following instruction is how to install Native Application to your system.

Intructions(How to install):
1. run regedit.exe
2. move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
3. Edit BootExecute (REG_MULTI_SZ value) like this :
-< BootExecute Value >------------
autocheck autochk *
NativeTest test!!!
-< BootExecute Value >------------
4. Copy NativeTest.exe file to 'C:\Windows\system32' (copy NativeTest.exe C:\Windows\System32\NativeTest.exe)

NativeTest.exe is sample code's output file name.

But, Native Application can not same as application and device driver. It has some different features between others.
Following requirements are differents.

The requirements are :
1. Native Application requires ddk to compile successfully.
2. You can use only ntdll.dll's function. You can't use any Win32 function.
3. You can't access all registry. because when Native Application executed the System don't load all registry yet. (You can use HKLM/SYSTEM)
4. You must setup heap memory space manually.

The problems is not hard. I think it's easy to you (rootkit user)

When you finished coding, you can compile it with Windows DDK console by 'build' command.
In my sample code's 'SOURCES' file contains all sources file. if you wanna add some your own file, you can edit it.

The sample code consists some functions which controls registry(NtReg.c NtReg.h) and file system(NtFile.c , NtFile.h).
If you using sample code, it setup heap memory space, so you can use heap memory without manual setup. :)

This is simple function tree of sample code.

(native.c)
- NtProcessStartup (entry point)
- UserMain (User main)
- RemoveEntryFromBootExecute (remove entry from bootexecute registry entry)
- FileTest (file access test)

This is my sample source code.
Download Sample Source Code

Thanks for reading and sorry for my english skill

read comments (10) / write comment

recent comments:

bypassing VISTA	elyes_kh	25.Oct:12:07
Native can use more then just ntdll	BanMe	08.Oct:00:44
How does this really related to UAC?	EP_X0FF	06.Oct:02:25
missed this one	hoglund	06.Oct:02:23

views: 11433   printer-friendly version