Low to Medium elevation

It's similar to "How to create a medium integrity process from a low integrity process?", but I come at it from a slightly different angle. (And that one has no answer in any case.) :)

If a file is saved by a low integrity process (typically a low integrity application such as a browser), it is marked with a low integrity mandatory label. (This label can also be applied with icacls /setintegritylevel low.) If such a file is executed, it understandably becomes a low integrity process.

Is there a way to elevate (through the UI) this process back to medium integrity? This is possible for high integrity if the application is marked with the requireAdministrator manifest, or if it calls ShellExecute with the runas verb, but obviously that also requires administrator permissions. Going to medium integrity does not require administrator rights and still opens up many permissions that are not available to low integrity processes.

Obviously, any mechanism for this should require a user interface (it should be impossible to do it silently, otherwise what's the point?), but how can it be invoked?

The only discussion of this topic that I found involves a process that starts at medium integrity and spawns a low integrity process from itself; this lets the low integrity process communicate back to the medium integrity process and have it run whatever is needed. But this does not help when the OS itself starts the process at low integrity.

+4
2 answers

I have never seen or heard of a way to get user consent to elevate a process from low to medium. I would say you are out of luck.

Also see this blog article for reference: Internet Explorer in Protected Mode - How to Create a Low-Integrity Environment

0

You will need to do what Internet Explorer (and Chrome) do. The browser tabs themselves are separate processes that run at a Low mandatory integrity level. But there is still a parent process at Medium.

The child processes communicate with the parent process, e.g. over named pipes, and ask the parent to perform some action. Since the parent is Medium, it can launch something at Medium.


Update. Here is an example of how you cannot create a medium integrity process from a low integrity process:

    uses
      Windows, SysUtils;

    type
      // Mirrors the Win32 TOKEN_MANDATORY_LABEL struct (absent from older Windows units)
      TOKEN_MANDATORY_LABEL = record
        _Label: TSidAndAttributes;
      end;

    // Absent from older Windows units; imported from advapi32
    function ConvertStringSidToSidW(StringSid: PWideChar; var Sid: PSID): BOOL; stdcall;
      external 'advapi32.dll';

    function CreateLowProcess(const szProcessName: WideString; IntegritySid: WideString): Boolean;
    const
      SE_GROUP_INTEGRITY = $00000020;
      TokenIntegrityLevel = 25; // TOKEN_INFORMATION_CLASS value
      SLowIntegritySid = 'S-1-16-4096';
      SMediumIntegritySid = 'S-1-16-8192';
      SHighIntegritySid = 'S-1-16-12288';
      SSystemIntegritySid = 'S-1-16-16384';
    var
      hToken: THandle;
      hNewToken: THandle;
      pIntegritySid: PSID;
      TIL: TOKEN_MANDATORY_LABEL;
      ProcInfo: PROCESS_INFORMATION;
      startupInfo: TStartupInfo;
    begin
      {
        Designing Applications to Run at a Low Integrity Level
        http://msdn.microsoft.com/en-us/library/bb625960.aspx
      }
      // Integrity SID to apply; defaults to Medium when none is given
      if IntegritySid = '' then
        IntegritySid := SMediumIntegritySid;
      pIntegritySid := nil;
      ZeroMemory(@startupInfo, SizeOf(startupInfo));
      startupInfo.cb := SizeOf(startupInfo); // CreateProcess* requires cb to be set

      // Get the current process token with enough access to duplicate it as a primary token
      if not OpenProcessToken(GetCurrentProcess,
          TOKEN_DUPLICATE or TOKEN_ADJUST_DEFAULT or TOKEN_QUERY or TOKEN_ASSIGN_PRIMARY, hToken) then
        RaiseLastWin32Error;
      try
        if not DuplicateTokenEx(hToken, 0, nil, SecurityImpersonation, TokenPrimary, hNewToken) then
          RaiseLastWin32Error;
        try
          // Convert the S-1-16-xxxx string into a binary SID
          if not ConvertStringSidToSidW(PWideChar(IntegritySid), pIntegritySid) then
            RaiseLastWin32Error;
          try
            TIL._Label.Attributes := SE_GROUP_INTEGRITY;
            TIL._Label.Sid := pIntegritySid;
            // Set the integrity level of the duplicated token
            if not SetTokenInformation(hNewToken, TTokenInformationClass(TokenIntegrityLevel), @TIL,
                SizeOf(TOKEN_MANDATORY_LABEL) + GetLengthSid(pIntegritySid)) then
              RaiseLastWin32Error;
            // Create the new process with that token
            Result := CreateProcessAsUserW(
              hNewToken,
              nil,
              PWideChar(szProcessName),
              nil,   // ProcessAttributes
              nil,   // ThreadAttributes
              False, // bInheritHandles
              0,     // dwCreationFlags
              nil,   // lpEnvironment
              nil,   // lpCurrentDirectory
              startupInfo,
              ProcInfo);
            if Result then
            begin
              // The caller does not use the handles, so do not leak them
              CloseHandle(ProcInfo.hThread);
              CloseHandle(ProcInfo.hProcess);
            end;
          finally
            LocalFree(HLOCAL(pIntegritySid));
          end;
        finally
          CloseHandle(hNewToken);
        end;
      finally
        CloseHandle(hToken);
      end;
    end;

And I'll spare transcoding the rest from Pascal to C#. It can't be done in any case, that is the answer.

+1
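As an added example (not the answerer's code), the complementary check to the broker design and the CreateLowProcess routine above: reading a process token's integrity RID with GetTokenInformation(TokenIntegrityLevel). A Medium broker can use it to confirm that a requester really runs at Low before acting on its behalf, and it verifies what a created process actually ended up with. It assumes Delphi with the Windows and SysUtils units; TokenIntegrityLevel, SECURITY_MAX_SID_SIZE and the label record are declared locally because older Windows units lack them.

```delphi
uses
  Windows, SysUtils;
const
  TokenIntegrityLevel = 25;            // TOKEN_INFORMATION_CLASS value, absent from older Windows units
  SECURITY_MANDATORY_LOW_RID = $1000;  // S-1-16-4096
  SECURITY_MAX_SID_SIZE = 68;          // largest possible SID, so one buffer fits any label
type
  TMandatoryLabel = record             // mirrors the Win32 TOKEN_MANDATORY_LABEL struct
    _Label: TSidAndAttributes;
  end;

// Reads the integrity RID from a process token (hProcess needs PROCESS_QUERY_INFORMATION).
function GetProcessIntegrityRid(hProcess: THandle): DWORD;
var
  hToken: THandle;
  cbNeeded: DWORD;
  // Label header plus room for the SID that GetTokenInformation places right behind it
  buf: array[0..SizeOf(TMandatoryLabel) + SECURITY_MAX_SID_SIZE - 1] of Byte;
  pLabel: ^TMandatoryLabel;
  subAuthCount: Byte;
begin
  if not OpenProcessToken(hProcess, TOKEN_QUERY, hToken) then
    RaiseLastOSError;
  try
    pLabel := @buf;
    if not GetTokenInformation(hToken, TTokenInformationClass(TokenIntegrityLevel), pLabel, SizeOf(buf), cbNeeded) then
      RaiseLastOSError;
    // The level is the last sub-authority of the S-1-16-<rid> label SID
    subAuthCount := GetSidSubAuthorityCount(pLabel^._Label.Sid)^;
    Result := GetSidSubAuthority(pLabel^._Label.Sid, subAuthCount - 1)^;
  finally
    CloseHandle(hToken);
  end;
end;

// Broker-side guard: a Medium parent should only act for a requester that really runs at Low.
// For a named-pipe client the pid comes from GetNamedPipeClientProcessId (Vista+).
function IsLowIntegrityProcess(pid: DWORD): Boolean;
var
  hProcess: THandle;
begin
  hProcess := OpenProcess(PROCESS_QUERY_INFORMATION, False, pid);
  if hProcess = 0 then
    RaiseLastOSError;
  try
    Result := GetProcessIntegrityRid(hProcess) = SECURITY_MANDATORY_LOW_RID;
  finally
    CloseHandle(hProcess);
  end;
end;
```

Calling GetProcessIntegrityRid(GetCurrentProcess) from a process started from a low-labelled file returns $1000, which is the quickest way to confirm the situation the question describes.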

Source: https://habr.com/ru/post/1383967/

