1.2) We inject code into the selected process and make it run that code on a new thread. Explorer.exe runs at medium integrity and is system critical but not protected in any way, so we can use it as a target, as it has none of Windows' deep protections.
1.3) The injected code creates an elevated IFileOperation object.
1.4) The injected code uses the IFileOperation object to copy FileA to FolderB.
1.5) The injected code launches ProgramC. (Doesn't have to happen in the injected code but doing it there is easier.)
1.6) The injected code waits for ProgramC to finish.
1.7) The injected code uses the IFileOperation object to delete FileA from FolderB. (Cleaning up after itself.)
I don't even know what you are making next; the grammar is not correct. The word order is completely messed up.
Anyway, maybe you can explain it more clearly, following my post or so.
Okay,
What I'm asking is:
Can I inject ShellExecute with the runas verb into explorer.exe, and will it elevate my app without a prompt?
Why should I use IFileOperation and all that stuff?
First of all, this exploit was patched long ago, and most likely you will find that only < 1% of Windows PCs are still vulnerable to this attack.
Not to mention, these people do not even care about security (so your AV will most likely never be sold/distributed to them). Next, even if they did have an anti-virus solution, it would detect your AV as a threat, as you do not have a legitimate signature and you are using exploits in order to function. This means that when the < 1% of clients patch their OS, your AV would crash and not function.
Any exploit must predate the Microsoft patch and be either a 0day or the newest released exploit for it to work effectively for SOME TIME before it too gets patched.
Unless you are the NSA, don't expect Microsoft to cooperate with you on this type of shady stuff, let alone take you seriously.
Next, the best option is to detour SeSinglePrivilegeCheck to avoid privilege checks and to ensure your application (layer 3) runs with SYSTEM privileges.
Okay, wouldn't it be nice to do this in Task Scheduler and schedule the task to run on every reboot?
Anyway, Task Scheduler saves its data into the C:\Windows\Task folder, in the form of *.job files.
How can I create a *.job file myself without Task Scheduler or Schtasks.exe?
This is where the programmer's own research comes into play. I am not going to disturb this, as spoon-feeding simply makes you dependent on others. Look on the internet, man; there are tonnes of blogs and such about this.
Anyway, why not simply add it to the System32 folder or to \Run in the registry? That too would start your application on every reboot and is simpler.
My time is being wasted here. If you place it in HKEY_LOCAL_MACHINE, it starts elevated on every reboot. Many malwares do that; SpyEye, for example, does that.
No, you don't get it, do you? Or is it me? It starts for all users, unlike HKCU, which only starts for one user. But this starts for all users, and is that not what you want?
I think I am mistaken here about what you want to do.
I understand what you are telling me:
If you place your app in Run in HKLM, it will run as admin, right?
Even nicer if kept in the System32 folder?
Anyway, my app is not elevated, that's all I know!
Help, sorry for troubling you...
Okay, after reading some MSDN docs, I found out that the RunOnce key allows elevation without a prompt.
BUT the logged-in user must be an admin!?
Will the Winlogon key elevate my app without a prompt? (For all users, not only admins)
But, as of Vista, according to MSDN, apps that require elevation and are added to the Run key are BLOCKED!
And as I said, I need to go for silent elevation. Does the Userinit value in the Winlogon registry key do that for me?
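An added example, not from any post in this thread, written from the defender's side: a PowerShell audit of the autostart locations discussed above (HKLM/HKCU Run and RunOnce, and the Winlogon Userinit value), flagging entries whose binary is unsigned or missing and a Userinit that differs from its default. It assumes a standard Windows install where the default Userinit is `C:\Windows\system32\userinit.exe,` (trailing comma included).

```powershell
# Added example, not from the thread: audit the autostart locations the thread mentions.
# Assumption: standard Windows install, PowerShell 5.1 or later.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Metadata properties that Get-ItemProperty attaches to every result; these are not registry values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ExecutablePath {
    param([string]$Command)
    # Extract the program path from a command line, quoted or not, dropping any arguments.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

$findings = foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -in $providerProps) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath ([string]$prop.Value)))
        # Authenticode status of the binary the value points at; a missing file is suspicious too.
        $sig = if (Test-Path $exe) { (Get-AuthenticodeSignature $exe).Status.ToString() } else { 'FileMissing' }
        [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value; Signature = $sig }
    }
}

# Userinit: any entry beyond the default means an extra program runs at every interactive logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$defaultUserinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
if ($userinit -ne $defaultUserinit) {
    Write-Warning "Userinit has been modified: '$userinit' (expected '$defaultUserinit')"
}

# Report only entries that are not validly signed; review each one by hand.
$findings | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

Run it in an elevated session so HKLM can be read fully; entries that are signed but unexpected still deserve a look, since a valid signature only proves origin, not intent.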
Look, why not try it yourself rather than asking all of us? Surely you should have got your computer fixed by now. It's been over 2-3 weeks since you said it.