Re: [Full-disclosure] elevating privileges from Admin to SYSTEM



Dear NULL,

from Administrator to SYSTEM level

- Task sheduler
at xx:xx cmd.exe
- CreateRemoteThread & LoadLibrary Thread injection (lsass etc.)
http://www.codeproject.com/threads/winspy.asp
- The CreateRemoteThread & WriteProcessMemory Technique (lsass etc.)
http://win32.mvps.org/processes/remthread.html
http://www.codeproject.com/threads/winspy.asp
- CreateRemoteProcess() Process injection (lsass etc.)
http://www.anticracking.sk/EliCZ/export/CPRPICHA.zip
- Drivers/services creating windows (handles)....
- Drivers/services opening a "Can't find help file" when sending F1 keypress to
the windows it's supposed not to create, then browing to cmd.exe and
right clicking open..
- Driver/services calling c:\program files\whatever.exe without quotes
*wink wink* had to put that one here.
....
..



--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/