We all know that UAC is not a security boundary. That being said, it can be super annoying, and sometimes difficult, when you just want to spawn a windowless high-integrity session so you can continue with funtimes.
Recently I came across the technique described on Tyranid's Lair to bypass UAC, but I could only find PowerShell implementations like UAC-TokenMagic and Invoke-TokenDuplication. So, to take a different route, I put together a reflective DLL that uses this technique and an Aggressor script to make everything easy.
The DLL duplicates the token of wusa.exe, crafts a new restricted token from it, spawns an elevated, hidden instance of cmd.exe, and then injects shellcode into that cmd.exe via RtlCreateUserThread. I've tested it on Windows 7, 10, 2008, and 2012 on both x64 and x86 architectures.