ShameOnUAC
When the Cylance SPEAR Team was formed late last year we startedlooking into an area that we had long wanted to study: the potential for
subverting programs during privilege elevation through UAC. We created
proof of concept malware that attacks Windows Explorer, which we dubbed
ShameOnUAC.
ShameOnUAC injects itself into the unprivileged Explorer process,
where it hooks SHELL32!AicLaunchAdminProcess and waits for the user to
ask to run a program as administrator. It then then tampers with the
elevation requests before they're sent to the AppInfo service. (This is a
downside of having an unprivileged process submit elevation requests
for you.)
Here's how UAC works normally:
Trick me once, ShameOnUAC