My Biggest Hack

My biggest hack is a shipping product: Evo’s End User Elevation (EUE). What EUE does is intercept the Windows User Access Control (UAC) process and allow a regular desktop user to elevate his privileges to run a program or installer as an administrator, and then drop the user back down to his regular privilege level.

Think about it… In the old days, or maybe even these days, I remember working for a big corporation and wanting to install a piece of software. I could not do it because the software needed admin privileges to install, and so I would have to request that an IT tech come to my desk and install the software. These days the tech doesn’t need to come to your desk, but they still have to make a remote connection to your laptop/desktop and install the software.

EUE obviates the need for this. EUE allows the techs to define rules for which software is allowed to install/run and which is prohibited. For a new customer, no rules are defined. So when the end user tries to run something needing elevation, the user is prompted with a dialog box asking for the reason the software/action is needed, and after submitting the form, tech support is notified that a customer wants to elevate. Tech support can at that time approve or deny the request. Tech support is given information about who, what, and why, along with an analysis of the program trying to run, and can make a decision. But it would be a pain to always have to approve or deny customers wanting elevation. The beauty of EUE is that the techs can create a rule when they approve the software, so when someone else wants to run the same piece of software, it is already approved or denied.

This describes what EUE is/does, but not why it is a hack.

It’s a hack because when a user elevates, he doesn’t see the standard UAC dialog, but he sees one of Evo’s dialogs. Instead of Windows consent, the user sees Evo Consent. At the point where the user is prompted for credentials, the user sees details about the program like name and certificate information.

When the user needs elevation and needs to enter credentials, Evo inserts itself into the elevation process, collects metadata about the file/executable/installer, and either asks the user to enter a reason to run or, if there is a rule, asks whether they want to go ahead and run the program. When the elevation is approved via a rule, or a tech manually approves the elevation, the process is elevated, temporarily giving the user the necessary permissions.

How this happens and what happens is the big hack. This is actually not supposed to happen. Microsoft does not give an explanation of how to do this. To make a credential provider with MFA, Microsoft explains the COM interfaces and how you might accomplish it. For this, there is no roadmap. Instead, I had to look at what is happening: What process is being run? How is the data being passed? What is the data? None of this is documented. Stack Overflow gave some hints about what process was running. After knowing that, I could at least trap the process and look at its command line and where the data was. That was it. After that, I had to get to investigating what the data might be. I added a bunch of logging and could look at the data block contents after logging it. I did a bunch of analysis trying to look at what was common between each elevation and what was different. I tried MSIs, EXEs, and other types of elevations, trying to categorize each type of elevation and then determine its structure from the data block. After looking at all this data, I could see that certain offsets in the data block indicated what kind of elevation it was. Other offsets indicated information about the file. Others, about the user session. And one of our partners that was helping us pointed us to some security information. So, in this data block we were able to identify enough information to accomplish our task of extracting the elevation information. I suppose it would have been much easier if we had the source code, but we were trying to reverse engineer it. There was a lot of other information we could not identify, but thankfully enough to intercept the process.

I would love to give more details, but that is confidential information. Evo is a company that has accomplished this and there is at least one other who has a product that does something similar, but maybe not as polished.

All I can ask is for the reader to consider the hack… You go to launch some program. It needs elevation. Windows internally tries to launch a program to get credentials to elevate, and instead, Evo’s program is launched. There is no COM interface that you can register, no registry setting to manipulate. It’s just pure unadulterated hackery/reverse engineering.