Difference between revisions of "Import:UAC Bypass"
(Created page with "UAC has been used in every version of Windows since Windows Vista, it basically requires the user to click on the "yes" button everytime an application requires a higher set of p...") |
(No difference)
|
Revision as of 01:36, 3 August 2012
UAC has been used in every version of Windows since Windows Vista, it basically requires the user to click on the "yes" button everytime an application requires a higher set of permissions to run. I won't go into the granules of the Windows security model, but UAC will run a set of heuristics on a file to query if it needs elevated permissions.
UAC Bypassing is a very commonly used technique in installations of malware, and other attacks against Windows. Even though Microsoft has been informed many times of the bugs within UAC and the ability to bypass it with simplistic techniques, Microsoft still has not fixed it, and has continued to use it in their latest release Windows 8. Lets get down to some techniques.
The entire process of bypassing UAC relies on process hijacking or process spawning, if you are able to hijack a process that can either create elevated COM objects or spawn a process and have the process run your code, you will not recieve a UAC prompt. A few pre-elevated processes are:
- taskmgr.exe
- cleanmgr.exe
- diskpart.exe
A few processes that can create elevated COM objects are:
- explorer.exe
- notepad.exe
- calc.exe
The most amazing thing is that you can inject code into a running process by using APIs like WriteProcessMemory and CreateRemoteThread.