1.2) We inject code into the selected process and make it run that code on a new thread. Explorer.exe runs at medium integrity and is system critical but not protected in any way, so it means we can use it as a target as it contains no Windows deep protections.
1.3) The injected code creates an elevated IFileOperation object.
1.4) The injected code uses the IFileOperation object to copy FileA to FolderB.
1.5) The injected code launches ProgramC. (Doesn't have to happen in the injected code but doing it there is easier.)
1.6) The injected code waits for ProgramC to finish.
1.7) The injected code uses the IFileOperation object to delete FileA from FolderB. (Cleaning up after itself.)
First of all, this exploit has been patched way before, and most likely you will find only < 1% of PCs on Windows are actually still vulnerable to this attack.
Not to mention, these people do not even care about security (so your AV will most likely never be sold/distributed to those). Next, even if they did have an Anti-Virus solution, it would detect your AV as being a threat, as you first do not have a legitimate signature and you are using exploits in order to function. This means when the < 1% clients patch their OS, your AV would crash and not function.
Any exploits must be before the Microsoft patch and either a 0day or a newest-release exploit for it to work for SOME TIME effectively before it too would be patched up.
Unless you are the NSA, don't expect Microsoft to even cooperate with you on this type of shady stuff, let alone even take you seriously.
Next the best is to detour SeSinglePrivilegeCheck to avoid privilege checks, and to ensure your application (layer 3) runs in SYSTEM privileges.
Okay, won't it be nice to do this on Task Scheduler and schedule the task to run on every reboot?
Anyways, Task Scheduler saves its data into the C:\Windows\Task folder, in the form of *.job files.
How can I create a *.job file myself without the Task Scheduler or Schtasks.exe?
This is where the programmer's research comes into play. I am not going to disturb this, as spoon-feeding simply makes you dependent on others. Look on the internet, man, there are tonnes of blogs and such about this.
Anyway, why not simply add it to the System32 folder or \\Run in the registry? It too would start your application on every reboot and is simpler.
I understand what you are saying:
If you place your app in Run in HKLM it will run as admin, right?
Nicer if kept in the System32 folder?
Anyways, my app is not elevated, that's all I know!
Help, sorry for troubling you...
Okay, after reading some MSDN docs, I found out that the RunOnce key allows elevation without a prompt.
BUT, the logged-in user must be an admin!?
Will the Winlogon key elevate my app without a prompt? (For all users, not only Admin)
But, as of Vista, according to MSDN, apps that require elevation which are added to the Run key are BLOCKED!
And I said I need to go for silent elevation. Does the Userinit value in the Winlogon registry key do that for me?
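As an added example (not code from this thread), here is a PowerShell audit, from the defender's side, of the auto-start locations the replies name: the Run/RunOnce keys, the Winlogon Userinit value and the legacy *.job folder. It assumes the standard registry paths and that the legacy job folder is %windir%\Tasks (the post writes "Task").

```powershell
# Added audit script; not code from the thread. Assumptions: the standard
# Run/RunOnce keys, the Winlogon\Userinit value, and %windir%\Tasks as the
# legacy .job folder. Run from an elevated PowerShell to read HKLM fully.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Userinit normally holds exactly one entry, the system userinit.exe, followed
# by a trailing comma. Any additional entry means the value has been altered.
function Test-UserinitValue([string]$Value) {
    $expected = Join-Path $env:windir 'system32\userinit.exe'
    $entries  = @($Value.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    return ($entries.Count -eq 1) -and ($entries[0] -ieq $expected)
}

function Get-AutoStartEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata properties
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value; Review = $false }
        }
    }
    $userinit = (Get-ItemProperty -Path $WinlogonKey -Name Userinit).Userinit
    [pscustomobject]@{
        Location = $WinlogonKey; Name = 'Userinit'; Command = $userinit
        Review   = -not (Test-UserinitValue $userinit)
    }
    # Legacy scheduled tasks are stored as *.job files; they are uncommon on
    # current systems, so every one found is listed for manual review.
    Get-ChildItem -Path (Join-Path $env:windir 'Tasks') -Filter '*.job' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Location = $_.DirectoryName; Name = $_.Name
                               Command  = "legacy job, modified $($_.LastWriteTime)"; Review = $true }
        }
}

# Entries flagged Review=True are printed first.
Get-AutoStartEntries | Sort-Object Review -Descending | Format-Table -AutoSize
```

Compare the listed commands against what you expect to be installed; Sysinternals Autoruns covers many more locations if you need a fuller inventory.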