In a July 2009 Technet article called Inside Windows 7 User Account Control, Mark Russinovich describes how an application running with standard user rights can silently elevate itself and gain administrative rights:
…it’s possible for third-party software running in a PA (Protected Administrator) account with standard user rights to take advantage of auto-elevation to gain administrative rights. For example, the software can use the 07001 to inject code into Explorer and the 07002 to execute that code, a technique called DLL injection. Since the code is executing in Explorer, which is a Windows executable, it can leverage the COM objects that auto-elevate, like the Copy/Move/Rename/Delete/Link Object, to modify system registry keys or directories and give the software administrative rights.
He goes on to mention that malware would never do this because it is too hard:
…these steps require deliberate intent, aren’t trivial…
And finally:
…malware could gain administrative rights using the same techniques.
So I would love to see an actual implementation.
I had assumed that PROCESS_VM_WRITE was a right that is not granted to a standard user.
Note: I would never do anything bad myself, and the same goes for every other developer in the world.
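The technique quoted above only works while UAC is at a level that auto-elevates Windows binaries such as Explorer. As an added example (not from the question, the answer, or Russinovich's article), this PowerShell audit reads the documented UAC policy values and reports whether that auto-elevation path is still open on the local machine; it assumes a Windows host where those values live under the standard Policies\System key.

```powershell
# Added audit script: report whether UAC is configured so that signed Windows
# binaries (Explorer included) auto-elevate, which is the precondition for the
# DLL-injection path described in the quoted article.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacAutoElevationStatus {
    $p = Get-ItemProperty -Path $uacKey

    # Documented values:
    #   EnableLUA                  1 = UAC on, 0 = UAC off entirely
    #   ConsentPromptBehaviorAdmin 0 = elevate silently (slider "Never notify")
    #                              2 = prompt for consent on the secure desktop
    #                                  (slider "Always notify": no auto-elevation)
    #                              5 = prompt only for non-Windows binaries
    #                                  (the Windows 7 default: Windows binaries
    #                                  auto-elevate without a prompt)
    $enableLua     = [int]$p.EnableLUA
    $adminBehavior = [int]$p.ConsentPromptBehaviorAdmin

    $finding = if ($enableLua -ne 1) {
        'UAC is disabled; every process already runs with the full admin token.'
    } elseif ($adminBehavior -eq 0) {
        'UAC elevates everything silently; auto-elevation is moot.'
    } elseif ($adminBehavior -eq 5) {
        'Default level: Windows binaries auto-elevate. Set ConsentPromptBehaviorAdmin to 2 (Always notify) to close this path.'
    } elseif ($adminBehavior -eq 2) {
        'Always notify: auto-elevation is not in effect.'
    } else {
        "Non-default policy value $adminBehavior; review the GPO setting manually."
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminBehavior
        AutoElevationActive        = ($enableLua -eq 1 -and $adminBehavior -eq 5)
        Finding                    = $finding
    }
}

Get-UacAutoElevationStatus | Format-List
```

Running this under an elevated or a standard user shell gives the same result, since the key is world-readable; pair it with Group Policy enforcement if you want the "Always notify" level to stick.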
Long Zheng, over at istartedsomething.com, has a few posts about auto-elevating applications. He is not the author of the source code, but he links to the person who made the proof of concept.
You can read more about it here.