Elevating from low to medium integrity

半城伤御伤魂 submitted on 2021-02-07 03:50:26

Question


This is similar to "how create medium integrity level process from low integrity level process?", but I'm coming from a slightly different angle. (And that isn't answered anyway.) :)

If a file is saved as low integrity (typically from a low integrity app such as a browser) then it is marked with a Low Integrity Mandatory Label. (This label can also be applied with icacls /setintegritylevel low.) If such a file is executed, it becomes a low integrity process, understandably.

Is there some way to elevate (via consent UI) this process back to medium integrity? It's possible to go to high integrity if the app is marked with a requiresAdministrator manifest, or if it calls ShellExecute with the runas verb, but obviously this requires admin permissions as well. Going to medium integrity doesn't require admin permissions and it still unlocks a lot of permissions unavailable to low integrity processes.

Obviously any mechanism to do so should require the user consent UI (it should be impossible to do it silently, otherwise what's the point?), but how can that be invoked?

The only discussion on this topic that I've found involves having an originally-medium-integrity process of your own and spinning off the low-integrity process from it; this permits elevation by communication back to the medium-integrity process and getting it to launch whatever. But this doesn't help when it's the OS itself that initially starts the process with low integrity.


Answer 1:


I have never seen or heard of a way to get a user's consent to elevate a process from low to medium integrity. I would say you are out of luck.

Please also see this blog article for reference: Internet Explorer in Protected Mode – How the Low Integrity Environment Gets Created




Answer 2:


You will have to do what Internet Explorer (and Chrome) do. The browser tabs themselves are separate processes running at Low Mandatory Integrity Level. But there is still a Medium level parent process.

The client processes communicate back to the "parent" process through named pipes, asking the parent to perform some action. Since the parent is medium, it can launch something at medium.


Update: Here's an example of how you cannot create a medium integrity process from a low integrity process:

void CreateLowProcess(String szProcessName; String IntegritySid)
{
    hToken: THandle;
    hNewToken: THandle;
    szIntegritySid: WideString;
    pIntegritySid: PSID;
    TIL: TOKEN_MANDATORY_LABEL;
    ProcInfo: PROCESS_INFORMATION;
    startupInfo: TStartupInfo;

    const int SE_GROUP_INTEGRITY = 0x00000020;
    const int TokenIntegrityLevel = 25;

    const String SLowIntegritySid = "S-1-16-4096";
    const String SMediumIntegritySid = "S-1-16-8192";
    const String SHighIntegritySid = "S-1-16-12288";
    const String SSystemIntegritySid = "S-1-16-16384";

    /*
        Designing Applications to Run at a Low Integrity Level
        http://msdn.microsoft.com/en-us/library/bb625960.aspx
    */

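    // Default to the medium integrity SID when none is given
    if IntegritySid == ""
       IntegritySid = SMediumIntegritySid;
    szIntegritySid = IntegritySid; // wide-string copy passed to ConvertStringSidToSidW below

    pIntegritySid = null;

    ZeroMemory(@startupInfo, sizeof(startupInfo));
    startupInfo.cb = sizeof(startupInfo);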


    if (!OpenProcessToken(GetCurrentProcess(), 
          TOKEN_DUPLICATE or TOKEN_ADJUST_DEFAULT or TOKEN_QUERY or TOKEN_ASSIGN_PRIMARY, 
          ref hToken))
    RaiseLastWin32Error;
    try
        if (not DuplicateTokenEx(hToken, 0, nil, SecurityImpersonation, TokenPrimary, {var}hNewToken)) then
            RaiseLastWin32Error;
        try
            if (not ConvertStringSidToSidW(PWideChar(szIntegritySid), {var}pIntegritySid)) then
                RaiseLastWin32Error;
            try
                TIL._Label.Attributes := SE_GROUP_INTEGRITY;
                TIL._Label.Sid := pIntegritySid;

                // Set the process integrity level
                if (not SetTokenInformation(hNewToken, TTokenInformationClass(TokenIntegrityLevel), @TIL,
                        sizeof(TOKEN_MANDATORY_LABEL) + GetLengthSid(pIntegritySid))) then
                    RaiseLastWin32Error;

                // Create the new process with the relabelled token
                Result := CreateProcessAsUserW(
                        hNewToken,
                        nil,
                        PWideChar(szProcessName),
                        nil, //ProcessAttributes
                        nil, //ThreadAttributes
                        False, //bInheritHandles
                        0, //dwCreationFlags
                        nil, //lpEnvironment
                        nil, //lpCurrentDirectory
                        startupInfo,
                        ProcInfo);
            finally
                LocalFree(Cardinal(pIntegritySid));
            end;
        finally
            CloseHandle(hNewToken);
        end;
    finally
        CloseHandle(hToken);
    end;
end;

And I give up transcoding the rest from Pascal to C#. It can't be done anyway, that's the answer.
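The broker arrangement described in Answer 2 makes the medium-integrity parent the security boundary, so it has to treat every message from the low-integrity client as untrusted. The sketch below is an added example, not code from the original post: the JSON message format, the action ids, the allowlist entries and the `ask_user` / `launch` callbacks are all assumptions, and the named-pipe transport and the actual process creation are left out.

```python
import json

MAX_REQUEST_BYTES = 1024  # assumed cap on a single pipe message

# Hypothetical allowlist: the client names an action id and never supplies
# a path or arguments of its own. Both entries are illustrative.
ALLOWED_ACTIONS = {
    "open_downloads": [r"C:\Windows\explorer.exe", "shell:Downloads"],
    "show_settings": [r"C:\Program Files\ExampleApp\settings.exe"],
}


class Rejected(Exception):
    """Raised when a request from the low-integrity side is refused."""


def parse_request(raw: bytes) -> str:
    """Validate one untrusted message and return the allowlisted action id."""
    if len(raw) > MAX_REQUEST_BYTES:
        raise Rejected("request too large")
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (ValueError, RecursionError):  # bad UTF-8, bad JSON, absurd nesting
        raise Rejected("not valid UTF-8 JSON")
    if not isinstance(msg, dict) or set(msg) != {"action"}:
        raise Rejected("unexpected fields")
    action = msg["action"]
    if not isinstance(action, str) or action not in ALLOWED_ACTIONS:
        raise Rejected("action not allowlisted")
    return action


def handle_request(raw: bytes, ask_user, launch) -> dict:
    """Broker side: validate, obtain user consent, then launch a fixed command.

    ask_user(action) -> bool and launch(argv) are supplied by the broker;
    the low-integrity client can influence neither of them.
    """
    try:
        action = parse_request(raw)
    except Rejected as exc:
        return {"ok": False, "reason": str(exc)}
    if not ask_user(action):
        return {"ok": False, "reason": "user declined"}
    launch(ALLOWED_ACTIONS[action])
    return {"ok": True, "reason": "launched"}
```

The consent prompt runs in the broker, which is what keeps a compromised low-integrity client from approving its own request.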



Source: https://stackoverflow.com/questions/8331976/elevating-from-low-to-medium-integrity
