ManipUni said:
wastingtimewithforums said:
*snip*

I cannot show you an application that disables UAC instantly.

But what can be done is you can write an application that will monitor process launches within its session, inject code into them, and wait for a user to escalate any one of them. As soon as any process is escalated, you've won. Since Win32 lets you alter other processes within the same session, it is fairly trivial to do.

Alternatively, and as pointed out above, you could monitor downloaded files and inject code into any *.dll, *.exe, *.com, etc. files you run across. Even if it invalidates the signature, most people would assume that something from Microsoft.com, for example, is safe and launch it.

"But what can be done is you can write an application that will monitor process launches within its session, inject code into them, and wait for a user to escalate any one of them. As soon as any process is escalated, you've won. Since Win32 lets you alter other processes within the same session, it is fairly trivial to do."

And this is easy? First of all, you would have a background application always visible in Task Manager - problem 1 (and some anti-virus/anti-spyware software gives alarms if an unknown process is always active in the background).

It's a guessing game - there is a very high chance that the user won't elevate any application. If mom & pop work only with the browser, mail client and Word, they don't see the elevation prompt that often. Maybe once a week or so (MAYBE) - problem 2.

Problem 3 - this attack works with a standard account! And exactly like that - it lurks in the background and injects into processes; if the user elevates an infected process... boom. What's the difference? Where is the standard account superior, then? The additional password request?


Your second way has the same problems. Sorry, but I still don't see how being able to circumvent UAC instantly, without any guessing games, is supposed not to be a vulnerability.
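The first technique quoted above rests on one precondition: that a non-elevated process can open other processes in its own logon session with the access rights an injector needs. The following PowerShell script is an added example, not code posted by either participant in this thread; it checks that precondition on a live machine without injecting anything, by calling OpenProcess with the rights a classic injector would ask for and reporting which processes in the caller's session grant them. The access-mask constants are the documented Win32 values; the session filter and the ERROR_ACCESS_DENIED interpretation are the author of this example's assumptions.

```powershell
# Added example (not from the thread): test which processes in the caller's
# session a non-elevated process could open with injection rights.
# Nothing is written into any process; only OpenProcess/CloseHandle are called.
$sig = @'
using System;
using System.Runtime.InteropServices;
public static class Native {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@
Add-Type -TypeDefinition $sig

# Rights a WriteProcessMemory/CreateRemoteThread style injector needs
# (values from the Win32 process access-rights documentation).
$PROCESS_CREATE_THREAD = 0x0002
$PROCESS_VM_OPERATION  = 0x0008
$PROCESS_VM_WRITE      = 0x0020
$injectRights = $PROCESS_CREATE_THREAD -bor $PROCESS_VM_OPERATION -bor $PROCESS_VM_WRITE

# Assumption: "its session" in the thread means the caller's logon session,
# so service processes in session 0 are filtered out.
$mySession = (Get-Process -Id $PID).SessionId

Get-Process |
    Where-Object { $_.SessionId -eq $mySession -and $_.Id -ne $PID } |
    ForEach-Object {
        $h   = [Native]::OpenProcess($injectRights, $false, $_.Id)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($h -ne [IntPtr]::Zero) {
            [void][Native]::CloseHandle($h)
            $status = 'OPENABLE'
        } elseif ($err -eq 5) {
            # ERROR_ACCESS_DENIED: typically a higher integrity level (an
            # elevated process), a protected process, or another user's process.
            $status = 'denied'
        } else {
            $status = "error $err"
        }
        [pscustomobject]@{ Pid = $_.Id; Name = $_.ProcessName; Access = $status }
    } |
    Sort-Object Access, Name |
    Format-Table -AutoSize
```

Run it from an ordinary, non-elevated PowerShell window. Rows marked OPENABLE are the processes an injector running at the same integrity level in this session could target; a process the user has already elevated (for example a console started with "Run as administrator") shows as denied, because mandatory integrity control refuses write access from a lower integrity level. Running the same script from an elevated window makes most of the denied rows openable, which is the boundary the whole argument above turns on.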