
Whenever I save an executable in OllyDBG (Right-click, Copy to executable, All modifications then Save File), the saved executable asks for administrator privileges when I run it.

I tried opening OllyDBG as a regular user and then saving the file, but no luck. I also tried manipulating the file's permissions, but no luck either.

Is there a way to save a file so that regular users can run it?

LmnICE
  • Maybe the target executable is located in C:\ or another place with RW access only for administrators? – helloworld May 20 '14 at 08:40
  • Does this binary before modification need administrator privileges when you run it? – DOD May 20 '14 at 07:29
  • Is it possible you patched something that will cause this? – Dominik Antal May 20 '14 at 10:54
  • @DOD, no, it's a program that is supposed to be run by any user. – LmnICE May 20 '14 at 10:59
  • @helloworld, indeed it is (Program Files directory), but I tried changing the save path to the Desktop, and it still asks for admin privileges before running. – LmnICE May 20 '14 at 11:04
  • @DominikAntal, I'm not sure. What could I patch that would cause this? – LmnICE May 20 '14 at 11:05
  • Was it code-signed before modification? What are the contents of the manifest (either external or in the resource). Has anybody set a shim up for the binary? Are there any ImageExecutionOptions affecting it? – 0xC0000022L May 20 '14 at 11:27
  • @0xC0000022L, this is a very simple, how-to-reverse-engineer sort of program. No, it wasn't code-signed before modification. I don't think there are shims for this binary, but I'm not sure. I'm not sure about the other 2 questions. As you can probably tell, I'm a noob at reverse engineering. – LmnICE May 20 '14 at 13:27

1 Answer


UAC has certain heuristics that will cause a file to request elevation unless a manifest exists that states otherwise. Such heuristics include files that seem to be setup programs for some software. But there are more heuristics and other situations where elevation is assumed to be required.

If the executable has no manifest, you need to add one. Otherwise you may have to modify the existing one.

You can tell by loading it into a resource editor or resource viewer such as:

... and so on. Check out the answers to this question: Freely available resource hacking applications ...

Workarounds are:

  • this can be done by setting the value level="asInvoker" in element requestedExecutionLevel of the manifest (see here and more generally here and here)
  • or if you don't have the requirement that the file be saved and can instead provide a script to launch it, you can set an environment variable (set __COMPAT_LAYER=RUNASINVOKER) as explained here

Unfortunately this is somewhat of a science to get right.

0xC0000022L
  • This is very helpful, thank you. Setting the level attribute in the requestedExecutionLevel element worked. There was a much easier fix though: the filename of the binary was original_patched.exe, which tripped the UAC heuristics you mentioned. So all I had to do was rename the file. Interestingly, setting the manifest correctly trumped the UAC heuristics. – LmnICE May 20 '14 at 22:09
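The two fixes discussed in the answer and the follow-up comment (an explicit `requestedExecutionLevel`, or avoiding the file-name heuristic of UAC installer detection) can be checked before running anything. The script below is an added example, not code from the answerer or from OllyDBG: it builds a manifest with a chosen execution level, extracts the level from a manifest, and predicts whether UAC will prompt for a given file name and manifest. The keywords "install", "setup" and "update" are from Microsoft's documentation of installer detection; "patch" is added because `original_patched.exe` tripped the heuristic on this page. The `mt.exe` command line is the Windows SDK manifest tool's documented `-outputresource:file;#1` syntax; the `is_32bit` flag reflects that installer detection only applies to 32-bit images. The sample file names are constructed.

```python
import os
import xml.etree.ElementTree as ET

# File-name keywords matched by UAC installer detection.
# install/setup/update: documented by Microsoft; patch: observed on this page.
INSTALLER_KEYWORDS = ("install", "setup", "update", "patch")

ASM_V1 = "urn:schemas-microsoft-com:asm.v1"
ASM_V3 = "urn:schemas-microsoft-com:asm.v3"


def build_manifest(level="asInvoker", ui_access=False):
    """Return an application manifest declaring an explicit execution level.

    level is one of asInvoker, highestAvailable, requireAdministrator.
    """
    return f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="{ASM_V1}" manifestVersion="1.0">
  <trustInfo xmlns="{ASM_V3}">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="{level}" uiAccess="{str(ui_access).lower()}"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
'''


def requested_level(manifest_xml):
    """Return the level attribute of requestedExecutionLevel, or None if absent.

    Matches the element by local name so that manifests using the asm.v2 or
    asm.v3 namespace for trustInfo are both handled.
    """
    if not manifest_xml:
        return None
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    for node in root.iter():
        if node.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return node.get("level")
    return None


def elevation_verdict(filename, manifest_xml=None, is_32bit=True):
    """Predict whether UAC will demand elevation for this file.

    Returns (prompts, reason). An explicit manifest level always wins; only
    when no level is declared does installer detection look at the file name
    (and only for 32-bit images).
    """
    level = requested_level(manifest_xml)
    if level == "asInvoker":
        return False, "manifest declares level=asInvoker; installer detection is bypassed"
    if level == "requireAdministrator":
        return True, "manifest declares level=requireAdministrator"
    if level == "highestAvailable":
        return True, "manifest declares level=highestAvailable (prompts for users with admin rights)"

    name = os.path.basename(filename).lower()
    hits = [k for k in INSTALLER_KEYWORDS if k in name]
    if is_32bit and hits:
        return True, "no execution level in manifest and file name matches: " + ", ".join(hits)
    return False, "no execution level in manifest and no installer keyword matched"


def mt_embed_command(exe_path, manifest_path):
    """Command line that embeds a manifest as resource id 1 with the SDK's mt.exe."""
    return ["mt.exe", "-nologo", "-manifest", manifest_path,
            f"-outputresource:{exe_path};#1"]


def run_as_invoker_env(base_env=None):
    """Environment for launching a binary without the UAC heuristics.

    Setting __COMPAT_LAYER=RUNASINVOKER is the scripted workaround from the
    answer; pass the result as env= to subprocess.Popen on Windows.
    """
    env = dict(os.environ if base_env is None else base_env)
    env["__COMPAT_LAYER"] = "RUNASINVOKER"
    return env


if __name__ == "__main__":
    # Constructed sample names, mirroring the situation in the question.
    for name, manifest in (("original_patched.exe", None),
                           ("original.exe", None),
                           ("original_patched.exe", build_manifest("asInvoker"))):
        prompts, why = elevation_verdict(name, manifest)
        print(f"{name:24} prompts={prompts!s:5} {why}")
    print(" ".join(mt_embed_command("original_patched.exe", "app.manifest")))
```

The verdict for `original_patched.exe` without a manifest is a prompt, for the renamed `original.exe` it is not, and with an `asInvoker` manifest the file name no longer matters, which is exactly what the comment above reports. Note that the prediction covers installer detection and the manifest only; a compatibility shim or Image File Execution Options entry, as mentioned in the question comments, would not be visible to this script.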