Recently I implemented an Antimalware Scan Interface (AMSI) provider to intercept script execution and scan script content before it executed. I based my code on the Microsoft sample AMSI provider (GitHub).
In amsi.h I found the AMSI_UAC_REQUEST_TYPE enum with very interesting fields:
typedef enum AMSI_UAC_REQUEST_TYPE
{
    AMSI_UAC_REQUEST_TYPE_EXE = 0,
    AMSI_UAC_REQUEST_TYPE_COM = 1,
    AMSI_UAC_REQUEST_TYPE_MSI = 2,
    AMSI_UAC_REQUEST_TYPE_AX  = 3,
    AMSI_UAC_REQUEST_TYPE_MAX = 4
} AMSI_UAC_REQUEST_TYPE;
But I can't understand how to utilize it. Which callback should I use to intercept a UAC request?