I am trying to elevate a process when it starts to run as administrator, given that the current (and only) user is a regular user, not an administrator.
I have found a really nice article from ired.team (privilege escalation). Using windbg I have managed to grab the SYSTEM token and place it on a new process started from the user. Everything works, the process is escalated. However, it does run as SYSTEM.
For the tests, I am using cmd.exe in a Windows 10 environment, and by typing "whoami /all", I can see the user and the privileges.
My attempt right now is to use the "PsSetCreateProcessNotifyRoutineEx" routine in a minifilter driver. Upon process creation (taking cmd.exe in my example), I can get the current running user (standard user), and I can get the system token. The only thing that I managed to do without getting myself a nice BSOD was to copy the token privileges from the SYSTEM token to the user token. However, that does not give the freshly created cmd.exe process admin rights. I need to raise it to a high privileged token.
Does anybody have any experience with this? I've been searching and trying everything, but I can't find anything relevant.
The purpose of this would be security; I'm trying to write a piece of software that replaces the UAC and has additional validation on what you can and cannot elevate. However, I'm stuck in this phase.