From a July 2009 TechNet article entitled Inside Windows 7 User Account Control, Mark Russinovich describes that it's possible for an application running as standard user to silently elevate and gain administrative rights:

...it's possible for third-party software running in a PA (Protected Administrator) account with standard user rights to take advantage of auto-elevation to gain administrative rights. For example, the software can use the WriteProcessMemory API to inject code into Explorer and the CreateRemoteThread API to execute that code, a technique called DLL injection. Since the code is executing in Explorer, which is a Windows executable, it can leverage the COM objects that auto-elevate, like the Copy/Move/Rename/Delete/Link Object, to modify system registry keys or directories and give the software administrative rights.

He goes on to mention that malware will never do this, because it's too hard:

...these steps require deliberate intent, aren't trivial...

and finally

...malware could gain administrative rights using the same techniques.

So I'm curious to see an actual implementation.

I would have thought PROCESS_VM_WRITE would be a right not given to standard users.

Note: I would never actually do anything bad myself, as is true for every other developer in the world.

Ian Boyd
  • Malware's never been something to balk at things being too hard :) – bdonlan Jun 18 '09 at 16:40
  • I know. I was also hoping for further discussion here on that point. – Ian Boyd Jun 18 '09 at 17:20
  • The guys that write malware have no deadlines, do not have to worry about budgets and do not have to write nicely formatted code that does not break things :). In my opinion, if they want to do something, they will find a way to do it, no matter how difficult. – alex Jun 19 '09 at 13:54
  • Please don't do this. It will only make the Windows team very unhappy when they are forced to figure out how to keep your application working in the future. This kind of technique is best left to malware - if your application requires elevation to work correctly, there are other techniques to avoid the elevation prompt that ARE supported (for instance you can isolate the code that requires elevation into a service and use RPC to communicate with the service). – Larry Osterman Jun 21 '09 at 01:13
  • @Larry: I have no actual intention of using this hole to elevate anything. I'm hoping that by getting it out there, with malware taking advantage of it to gain complete control of systems, Microsoft will address the issue. (p.s. more blogs please) – Ian Boyd Jun 21 '09 at 07:09
  • The behavior isn't going to be changed, the system is working as designed. Asking for sample code won't help. – Larry Osterman Jun 22 '09 at 03:26
  • With enough malicious software taking advantage of it, I hope it will. – Ian Boyd Jun 22 '09 at 13:29

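The quoted passage names three preconditions for the technique: a handle on Explorer with the access rights WriteProcessMemory and CreateRemoteThread need, a UAC level below "Always notify" so that Windows binaries auto-elevate, and a COM class registered as elevatable. The following PowerShell, added here as an example and not part of the original question or of Russinovich's article, checks each precondition from a standard-user (medium integrity) session without writing to or executing anything in Explorer. The registry paths are the documented UAC policy and COM registration locations; the type name UacProbe.Kernel32Probe is an arbitrary name for the P/Invoke wrapper.

```powershell
# Added check (not from the original post): does this process hold the rights on
# explorer.exe that the injection described above needs, and does UAC policy allow
# auto-elevation? Read-only; nothing is injected.

$signature = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
# UacProbe.Kernel32Probe is an arbitrary name chosen for this example.
$k32 = Add-Type -MemberDefinition $signature -Name 'Kernel32Probe' -Namespace 'UacProbe' -PassThru

# PROCESS_CREATE_THREAD (0x0002) | PROCESS_VM_OPERATION (0x0008) | PROCESS_VM_WRITE (0x0020):
# the minimum CreateRemoteThread and WriteProcessMemory require on the target.
$injectRights = 0x0002 -bor 0x0008 -bor 0x0020

$explorer = Get-Process -Name explorer -ErrorAction Stop | Select-Object -First 1
$h = $k32::OpenProcess($injectRights, $false, [uint32]$explorer.Id)
if ($h -eq [IntPtr]::Zero) {
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    "OpenProcess on explorer.exe (PID $($explorer.Id)) failed (Win32 error $($err)); injection rights are NOT available"
} else {
    "OpenProcess on explorer.exe (PID $($explorer.Id)) succeeded with CREATE_THREAD|VM_OPERATION|VM_WRITE; same user, same integrity level"
    [void]$k32::CloseHandle($h)
}

# UAC slider as stored by policy: ConsentPromptBehaviorAdmin 2 = "Always notify" (no
# auto-elevation at all); 5 = the Windows 7 default, under which Windows binaries auto-elevate.
$policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
"EnableLUA=$($policy.EnableLUA) ConsentPromptBehaviorAdmin=$($policy.ConsentPromptBehaviorAdmin)"

# COM classes registered as elevatable (CLSID\{...}\Elevation\Enabled = 1). The quoted
# Copy/Move/Rename/Delete/Link Object is one of them. Elevating silently additionally
# requires the hosting binary to be a Windows-signed executable in a secure location.
Get-ChildItem 'HKLM:\SOFTWARE\Classes\CLSID' | ForEach-Object {
    $elev = Get-ItemProperty -Path (Join-Path $_.PSPath 'Elevation') -ErrorAction SilentlyContinue
    if ($elev.Enabled -eq 1) {
        [pscustomobject]@{
            CLSID       = $_.PSChildName
            Name        = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            InprocServer = (Get-ItemProperty (Join-Path $_.PSPath 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
            LocalServer  = (Get-ItemProperty (Join-Path $_.PSPath 'LocalServer32') -ErrorAction SilentlyContinue).'(default)'
        }
    }
}
```

If OpenProcess succeeds, that answers the PROCESS_VM_WRITE point raised in the question: Explorer runs as the same user at the same (medium) integrity level as the caller, so its DACL and mandatory label grant those rights to any process of that user; the boundary UAC enforces is the elevation prompt, not the process object. With ConsentPromptBehaviorAdmin set to 2 ("Always notify") no binary or COM object auto-elevates, so the last two checks show whether the prerequisite for the silent variant is present on a given machine.
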
2 Answers

Long Zheng, over at istartedsomething.com, has a few posts about auto-elevating an application. He's not the author of the source code, but he links to the person who made the proof-of-concept.

You can read more about it here.

alex
Are you talking about using process injection, or elevating the privileges?

If you want to see a code sample of process injection, this thread has some: http://www.rohitab.com/discuss/index.php?showtopic=23539&hl=bypassing+firewall

wonderer
  • Those guys have an interesting way of communicating... And as for bypassing the UAC: Microsoft puts out a bounty of up to $100,000 for a functioning exploit. So you can guess it's both hard to do and you would want to give it to Microsoft instead of posting it on a hacker's forum. – bytecode77 Feb 09 '17 at 23:02