hfiref0x / UACME

Defeating Windows User Account Control
BSD 2-Clause "Simplified" License

Question: Am I following right steps? #120

Closed sanjayc1 closed 2 years ago

sanjayc1 commented 2 years ago

Hello, I am trying to compile your project. These are the steps I followed:

Git clone and then use Visual Studio 2019:

- Build project Akatsuki -> Akatsuki64.dll
- Build project Fubuki -> Fubuki64.dll
- Build project Naka -> Naka64.exe

Then used Naka64.exe -> output is the created .cd and .key files. Then used Naka64.exe --stable to create secrets64.bin and secrets32.bin. I got an error during this key generation process. Upon examining the code, I found that the code is looking for Akatsuki32, Fubuki32 and kamikaze. I ignored the error as I only want the 64-bit binary.

Then I copied Akatsuki64.dll, Akatsuki64.cd, Akatsuki64.key and Fubuki64.dll, Fubuki64.cd, Fubuki64.key and the secrets64.bin file to the UACME/Source/Akagi/bin directory.

Thereafter, I cleaned and rebuilt the Akagi project from Visual Studio. I do have the executable, Akagi64.exe, size 154,112. But when I run it with the command Akagi64.exe 61 c:\windows\system32\cmd.exe, nothing happens. No error.

I would appreciate it if you could kindly identify what I am doing wrong here.

Thanks.

hfiref0x commented 2 years ago

Hello,

Everything should be compiled in the "release" configuration. Newest versions also require you to build the 32-bit version of the Fubuki dll even if you use only the x64 executable.

> Then I copied Akatsuki64.dll, Akatsuki64.cd, Akatsuki64.key and Fubuki64.dll, Fubuki64.cd, Fubuki64.key and the secrets64.bin file to the UACME/Source/Akagi/bin directory.

You don't need to copy the dll files, only .cd and .bin. Try again with the latest version.

sanjayc1 commented 2 years ago

Hello

Thanks for your response.

After following your instructions, I generated Naka32.exe and also Fubuki32.dll. Then, using the commands

C:\Users\user\source\repos\UACME\Source\Naka\output\Win32\Release>Naka32.exe Fubuki32.dll

C:\Users\user\source\repos\UACME\Source\Naka\output\Win32\Release>Naka32.exe --stable

I generated Fubuki32.cd and Secrets32.bin.

Contents of the bin directory:

```
C:\Users\user\source\repos\UACME\Source\Akagi\bin>dir
 Volume in drive C has no label.
 Volume Serial Number is A05B-765E

 Directory of C:\Users\user\source\repos\UACME\Source\Akagi\bin

02/04/2022  10:17 PM                   .
02/04/2022  10:17 PM                   ..
02/04/2022  06:48 PM             5,424 Akatsuki64.cd
02/04/2022  10:12 PM             9,776 Fubuki32.cd
02/04/2022  06:48 PM            10,944 Fubuki64.cd
02/04/2022  06:58 PM                 0 kamikaze.cd
02/04/2022  10:12 PM                36 secrets32.bin
02/04/2022  06:52 PM                72 secrets64.bin
```

Then I built Akagi64.exe, but it still shows the same behavior as before.

```
C:\Users\user\source\repos\UACME\Source\Akagi\output\x64\Release>dir Akagi64.exe
 Volume in drive C has no label.
 Volume Serial Number is A05B-765E

 Directory of C:\Users\user\source\repos\UACME\Source\Akagi\output\x64\Release

02/04/2022  10:17 PM           154,112 Akagi64.exe
```

All projects are compiled in the "release" configuration using Visual Studio.

Thanks for your help.

PS: I am using the latest source from master rather than a release.

hfiref0x commented 2 years ago

Method 61 doesn't use any dlls. What is your Windows version? Do you have Windows Defender running? (Sometimes it may catch suspicious registry operations.) Does running the executable without parameters give you any message box?

sanjayc1 commented 2 years ago

When I just run Akagi64.exe, no message box or message is displayed.

Windows info:

```
OS Name:          Microsoft Windows 10 Enterprise N
OS Version:       10.0.19042 N/A Build 19042
OS Manufacturer:  Microsoft Corporation
OS Configuration: Standalone Workstation

Hotfix(s):        6 Hotfix(s) Installed.
                       [02]: KB4562830
                       [03]: KB5009543
                       [04]: KB5006753
                       [05]: KB5007273
                       [06]: KB5005260
```

I have turned off Windows Defender and virus protection.

hfiref0x commented 2 years ago

Do a full cleanup and rebuild from the latest sources. When run without parameters it must display a message box.

sanjayc1 commented 2 years ago

Thanks, I deleted the project and recreated it using a fresh git clone. It works fine now. This is awesome! Thanks for building it, and I appreciate your help.

One last question: for the "Fileless" UAC Bypass using eventvwr.exe and Registry Hijacking on Windows 10, do we use key 32? For example: Akagi64.exe 32 C:\Users\Administrator\Downloads\rev7274.exe (where rev7274.exe is a reverse shell code)?

hfiref0x commented 2 years ago

According to https://github.com/hfiref0x/UACME#usage, key 32 is for the dll hijack for a uiAccess app. The method you are asking about is probably the mscfile registry entry hijack; however, it was removed from UACME as it is fixed in the current Windows version.

sanjayc1 commented 2 years ago

Thanks! Once again, awesome tool and great help from the author.

karmamaster commented 1 year ago

> Thanks, I deleted the project and recreated it using a fresh git clone. It works fine now. This is awesome! Thanks for building it, and I appreciate your help.
>
> One last question: for the "Fileless" UAC Bypass using eventvwr.exe and Registry Hijacking on Windows 10, do we use key 32? For example: Akagi64.exe 32 C:\Users\Administrator\Downloads\rev7274.exe (where rev7274.exe is a reverse shell code)?

Hello, can I ask if there is any notification or any way to check whether the exe file is "patched" or not? I don't know if Akagi is working well or not because there is no notification, and I followed all the steps that @hfiref0x mentioned; no error occurred at any step.

I have tried to run it in debug and see that maybe the issue comes from the StubInit function: it goes into the except code block (below) of StubInit and sets v = 1.

```
__except (ucmSehHandler(GetExceptionCode(), GetExceptionInformation())) {
    v = 1;
}
```

I am sure that I went through all the steps needed to build Akagi.

Update: Maybe I misused this tool; it is used to open the exe file through Akagi, not to "embed" Akagi into the exe file.

hfiref0x commented 1 year ago

Your resulting executable must be linked with non-zero, valid and encrypted dlls (fubukixx.dll and others) as PE resources. You compile the dlls first, encrypt them with Naka.exe, and move the encrypted results to the akagi\bin folder together with the "secrets" file. Then you recompile Akagi itself so it will link these files as resources. If everything was done properly, then all methods that require dll/pe file planting will work. Otherwise they will all fail and the executable will return error code 0xC000007B (STATUS_INVALID_IMAGE_FORMAT), as reported by GetExitCodeProcess.

karmamaster commented 1 year ago

> Your resulting executable must be linked with non-zero, valid and encrypted dlls (fubukixx.dll and others) as PE resources. You compile the dlls first, encrypt them with Naka.exe, and move the encrypted results to the akagi\bin folder together with the "secrets" file. Then you recompile Akagi itself so it will link these files as resources. If everything was done properly, then all methods that require dll/pe file planting will work. Otherwise they will all fail and the executable will return error code 0xC000007B (STATUS_INVALID_IMAGE_FORMAT), as reported by GetExitCodeProcess.

Thanks for your quick support! Akagi is working perfectly now.