In a July Technet article entitled Inside Windows 7 User Account Control, Mark Russinovich describes that it's possible for an application that runs as a standard user to quietly elevate and gain administrator rights:
... it is possible for third-party software running in a PA (Protected Administrator) account with standard user rights to use auto-elevation to gain administrative rights. For example, software may use the WriteProcessMemory API to enter code into Explorer and the CreateRemoteThread API to execute this code, a method called DLL injection. Since the code is executed in Windows Explorer, which is a Windows executable file, it can use COM objects that are automatically raised, for example, Copy / Move / Rename / Delete / Link object, to change system registry keys or directories and grant software administrative rights.
He further mentioned that malware will never do this because it is too complicated:
... these steps require intentional intentions, are not trivial ...
and finally
... malware can gain administrative rights using the same methods.
So I'm curious to see the real implementation.
I would think that PROCESS_VM_WRITE would be correct, not provided to standard users.
Note: I would never do anything wrong, as is true for any other developer in the world.