
Getting a process token and SD (security descriptor)

2013-06-06 18:00 274 views
First find the pointer to the kernel object (_EPROCESS) of the windbg process

lkd> !process 0 0 windbg.exe
Unable to read selector for PCR for processor 0
PROCESS 8144c3a8  SessionId: 0  Cid: 02ac    Peb: 7ffdb000  ParentCid: 0820
    DirBase: 0c0c05a0  ObjectTable: e5bcf470  HandleCount: 525.
    Image: windbg.exe



Viewing the process token

Tokens are attached to processes and to threads. Normally a thread has no token of its own and runs under its process's primary token; a token attached to a thread is an impersonation token.

Impersonation tokens are mainly used in two ways:

1. To impersonate another user (a server thread acting on behalf of a client).

2. To impersonate the thread's own process (a copy of the primary token), and then enable or remove privileges on that copy without touching the primary token.

More on primary and impersonation tokens: http://blog.sina.com.cn/s/blog_71b3a9690100q9w8.html
http://msdn.microsoft.com/en-us/library/windows/desktop/aa374909(v=vs.85).aspx
WinDbg's !token command prints the full token: user SID, groups, privileges, type and impersonation level. Note that a privilege listed without "Enabled" (SeRestorePrivilege below, for example) is held by the token but is inert until it is switched on with AdjustTokenPrivileges.

Find the offset of the Token field in the process kernel object



lkd> dt _EPROCESS token 8144c3a8 
nt!_EPROCESS
   +0x0c8 Token : _EX_FAST_REF


Read the value stored in the Token field

lkd> dt _EX_FAST_REF 8144c3a8+c8
nt!_EX_FAST_REF
   +0x000 Object           : 0xe5674d4a Void
   +0x000 RefCnt           : 0y001
   +0x000 Value            : 0xe5674d4f


Get the token details. The Token field is an _EX_FAST_REF, which keeps a reference count in the low 3 bits of the pointer on 32-bit Windows, so mask them off (& fffffff8) to get the _TOKEN address; on 64-bit Windows the count uses the low 4 bits, so mask with fffffffffffffff0 instead. `!process 8144c3a8 1` prints the same Token address and is a quick cross-check.

lkd> !token 0xe5674d4a&fffffff8
_TOKEN e5674d48
TS Session ID: 0
User: S-1-5-21-2052111302-1972579041-1417001333-500
Groups: 
 00 S-1-5-21-2052111302-1972579041-1417001333-513
    Attributes - Mandatory Default Enabled 
 01 S-1-1-0
    Attributes - Mandatory Default Enabled 
 02 S-1-5-32-544
    Attributes - Mandatory Default Enabled Owner 
 03 S-1-5-32-545
    Attributes - Mandatory Default Enabled 
 04 S-1-5-4
    Attributes - Mandatory Default Enabled 
 05 S-1-5-11
    Attributes - Mandatory Default Enabled 
 06 S-1-5-5-0-53673
    Attributes - Mandatory Default Enabled LogonId 
 07 S-1-2-0
    Attributes - Mandatory Default Enabled 
Primary Group: S-1-5-21-2052111302-1972579041-1417001333-513
Privs: 
 00 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default 
 01 0x000000008 SeSecurityPrivilege               Attributes - Enabled 
 02 0x000000011 SeBackupPrivilege                 Attributes - Enabled 
 03 0x000000012 SeRestorePrivilege                Attributes - 
 04 0x00000000c SeSystemtimePrivilege             Attributes - 
 05 0x000000013 SeShutdownPrivilege               Attributes - 
 06 0x000000018 SeRemoteShutdownPrivilege         Attributes - 
 07 0x000000009 SeTakeOwnershipPrivilege          Attributes - 
 08 0x000000014 SeDebugPrivilege                  Attributes - Enabled 
 09 0x000000016 SeSystemEnvironmentPrivilege      Attributes - 
 10 0x00000000b SeSystemProfilePrivilege          Attributes - 
 11 0x00000000d SeProfileSingleProcessPrivilege   Attributes - 
 12 0x00000000e SeIncreaseBasePriorityPrivilege   Attributes - 
 13 0x00000000a SeLoadDriverPrivilege             Attributes - Enabled 
 14 0x00000000f SeCreatePagefilePrivilege         Attributes - 
 15 0x000000005 SeIncreaseQuotaPrivilege          Attributes - 
 16 0x000000019 SeUndockPrivilege                 Attributes - Enabled 
 17 0x00000001c SeManageVolumePrivilege           Attributes - 
 18 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default 
 19 0x00000001e SeCreateGlobalPrivilege           Attributes - Enabled Default 
Authentication ID:         (0,179fe)
Impersonation Level:       Anonymous
TokenType:                 Primary
Source: User32             TokenFlags: 0x89 ( Token in use )
Token ID: 2580be59         ParentToken ID: 0
Modified ID:               (0, 2580be5b)
RestrictedSidCount: 0      RestrictedSids: 00000000



Getting the security descriptor

Kernel objects carry a security descriptor (the field can be NULL for some unnamed objects, but a process always has one).

The pointer to the security descriptor lives in the object header (_OBJECT_HEADER), which immediately precedes the object body; !object shows where the header is. Like the Token field, the low 3 bits of this pointer are used as a reference count, hence the & 0xfffffff8 mask below (low 4 bits on x64).

!sd displays the security descriptor; `!sd <address> 1` also resolves the SIDs to friendly names. In the output below the Owner is the local Administrator account (RID 500), Ace[1] grants the same access to S-1-5-18 (LocalSystem), and the mask 0x001f0fff is PROCESS_ALL_ACCESS on this pre-Vista kernel (from Vista on it is 0x001fffff).

lkd> !object 8144c3a8 
Object: 8144c3a8  Type: (821bbe70) Process
    ObjectHeader: 8144c390 (old version)
    HandleCount: 7  PointerCount: 146
lkd> dt _object_header 8144c390 
nt!_OBJECT_HEADER
   +0x000 PointerCount     : 0n146
   +0x004 HandleCount      : 0n7
   +0x004 NextToFree       : 0x00000007 Void
   +0x008 Type             : 0x821bbe70 _OBJECT_TYPE
   +0x00c NameInfoOffset   : 0 ''
   +0x00d HandleInfoOffset : 0 ''
   +0x00e QuotaInfoOffset  : 0 ''
   +0x00f Flags            : 0x20 ' '
   +0x010 ObjectCreateInfo : 0x819e7c60 _OBJECT_CREATE_INFORMATION
   +0x010 QuotaBlockCharged : 0x819e7c60 Void
   +0x014 SecurityDescriptor : 0xe206a482 Void
   +0x018 Body             : _QUAD
lkd> !sd 0xe206a482&0xfffffff8
->Revision: 0x1
->Sbz1    : 0x0
->Control : 0x8004
            SE_DACL_PRESENT
            SE_SELF_RELATIVE
->Owner   : S-1-5-21-2052111302-1972579041-1417001333-500
->Group   : S-1-5-21-2052111302-1972579041-1417001333-513
->Dacl    : 
->Dacl    : ->AclRevision: 0x2
->Dacl    : ->Sbz1       : 0x0
->Dacl    : ->AclSize    : 0x40
->Dacl    : ->AceCount   : 0x2
->Dacl    : ->Sbz2       : 0x0
->Dacl    : ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
->Dacl    : ->Ace[0]: ->AceFlags: 0x0
->Dacl    : ->Ace[0]: ->AceSize: 0x24
->Dacl    : ->Ace[0]: ->Mask : 0x001f0fff
->Dacl    : ->Ace[0]: ->SID: S-1-5-21-2052111302-1972579041-1417001333-500

->Dacl    : ->Ace[1]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
->Dacl    : ->Ace[1]: ->AceFlags: 0x0
->Dacl    : ->Ace[1]: ->AceSize: 0x14
->Dacl    : ->Ace[1]: ->Mask : 0x001f0fff
->Dacl    : ->Ace[1]: ->SID: S-1-5-18

->Sacl    :  is NULL
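The session above masks the _EX_FAST_REF value and the header's SecurityDescriptor pointer by hand and then lets !sd walk the descriptor. As an added example (not code from the original post), the C program below does both steps from raw bytes with no Windows headers: it strips the reference-count bits for the 32-bit and 64-bit layouts, and it parses a self-relative SECURITY_DESCRIPTOR (header offsets, owner and group SIDs, the DACL and each ACE) with bounds checks on every offset and AceSize, printing the result in the style of !sd. The byte array is constructed here to match the fields !sd printed above; structure layouts follow the public winnt.h definitions.

```c
/* Added example, not code from the original post: decode an _EX_FAST_REF pointer and a
 * self-relative SECURITY_DESCRIPTOR from plain bytes, with no Windows headers. Layouts follow
 * the public winnt.h definitions; the SD bytes are constructed to match the !sd output above. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* _EX_FAST_REF keeps a reference count in the low bits of an aligned pointer:
 * 3 bits on 32-bit Windows (mask ~7), 4 bits on 64-bit Windows (mask ~0xF). */
uint64_t ex_fast_ref_object(uint64_t value, int is_64bit) { return value & ~(uint64_t)(is_64bit ? 0xF : 0x7); }
uint64_t ex_fast_ref_refcnt(uint64_t value, int is_64bit) { return value & (uint64_t)(is_64bit ? 0xF : 0x7); }

enum { SE_DACL_PRESENT = 0x0004, SE_SELF_RELATIVE = 0x8000 };
typedef struct { uint8_t type, flags; uint16_t size; uint32_t mask; char sid[96]; } parsed_ace_t;
typedef struct {
    uint8_t revision; uint16_t control; char owner[96], group[96];
    int dacl_present; uint16_t acl_size, ace_count; parsed_ace_t ace[8];
} parsed_sd_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Format a binary SID as S-1-<authority>-<sub>...; returns its byte length, 0 if malformed. */
size_t sid_to_string(const uint8_t *sid, size_t avail, char *out, size_t outlen)
{
    if (avail < 8 || sid[0] != 1 || sid[1] > 15) return 0;  /* SID_REVISION is 1, at most 15 sub-authorities */
    size_t len = 8 + 4u * sid[1];
    if (avail < len) return 0;
    uint64_t auth = 0;                                      /* 48-bit identifier authority, big-endian */
    for (int i = 2; i < 8; i++) auth = auth << 8 | sid[i];
    int n = snprintf(out, outlen, "S-1-%llu", (unsigned long long)auth);
    for (unsigned i = 0; i < sid[1] && n > 0 && (size_t)n < outlen; i++)
        n += snprintf(out + n, outlen - (size_t)n, "-%u", rd32(sid + 8 + 4 * i));
    return len;
}

/* Parse a self-relative SD (header holds offsets, not pointers). Returns 1 on success, 0 if malformed;
 * every offset and every AceSize is checked against the buffer before it is dereferenced. */
int parse_self_relative_sd(const uint8_t *sd, size_t len, parsed_sd_t *out)
{
    memset(out, 0, sizeof *out);
    if (len < 20) return 0;
    out->revision = sd[0];
    out->control  = rd16(sd + 2);
    if (!(out->control & SE_SELF_RELATIVE)) return 0;       /* an absolute SD holds pointers; not decodable from bytes */
    uint32_t off_owner = rd32(sd + 4), off_group = rd32(sd + 8), off_dacl = rd32(sd + 16);
    if (off_owner && (off_owner >= len || !sid_to_string(sd + off_owner, len - off_owner, out->owner, sizeof out->owner))) return 0;
    if (off_group && (off_group >= len || !sid_to_string(sd + off_group, len - off_group, out->group, sizeof out->group))) return 0;
    /* SE_DACL_PRESENT with a zero offset is a NULL DACL (no restrictions at all), which is very
     * different from an empty DACL (present, AceCount 0, nobody gets access). */
    if (!(out->control & SE_DACL_PRESENT) || off_dacl == 0) return 1;
    if (off_dacl + 8 > len) return 0;
    const uint8_t *acl = sd + off_dacl;
    out->dacl_present = 1;
    out->acl_size  = rd16(acl + 2);
    out->ace_count = rd16(acl + 4);
    if (off_dacl + out->acl_size > len || out->ace_count > 8) return 0;
    for (size_t pos = 8, i = 0; i < out->ace_count; i++) {
        parsed_ace_t *a = &out->ace[i];
        if (pos + 8 > out->acl_size) return 0;
        a->type = acl[pos]; a->flags = acl[pos + 1]; a->size = rd16(acl + pos + 2); a->mask = rd32(acl + pos + 4);
        if (a->size < 8 || pos + a->size > out->acl_size) return 0;
        if (!sid_to_string(acl + pos + 8, a->size - 8, a->sid, sizeof a->sid)) return 0;
        pos += a->size;                                     /* AceSize, not the SID length, advances the cursor */
    }
    return 1;
}

/* Constructed sample: the process SD printed by !sd above, laid out self-relative.
 * Header 20 bytes, Owner SID @0x14, Group SID @0x30, no SACL, DACL @0x4C (0x40 bytes). */
static const uint8_t sample_sd[] = {
    0x01, 0x00, 0x04, 0x80,  0x14, 0x00, 0x00, 0x00,  0x30, 0x00, 0x00, 0x00,  /* Rev 1, Control 0x8004, Owner, Group */
    0x00, 0x00, 0x00, 0x00,  0x4C, 0x00, 0x00, 0x00,                           /* Sacl 0 (NULL), Dacl 0x4C */
    /* Owner: S-1-5-21-2052111302-1972579041-1417001333-500 */
    0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,  0x15, 0x00, 0x00, 0x00,
    0xC6, 0xBB, 0x50, 0x7A,  0xE1, 0x2A, 0x93, 0x75,  0x75, 0xB9, 0x75, 0x54,  0xF4, 0x01, 0x00, 0x00,
    /* Group: S-1-5-21-2052111302-1972579041-1417001333-513 */
    0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,  0x15, 0x00, 0x00, 0x00,
    0xC6, 0xBB, 0x50, 0x7A,  0xE1, 0x2A, 0x93, 0x75,  0x75, 0xB9, 0x75, 0x54,  0x01, 0x02, 0x00, 0x00,
    0x02, 0x00, 0x40, 0x00,  0x02, 0x00, 0x00, 0x00,  /* ACL: AclRevision 2, AclSize 0x40, AceCount 2 */
    0x00, 0x00, 0x24, 0x00,  0xFF, 0x0F, 0x1F, 0x00,  /* Ace[0]: ACCESS_ALLOWED, size 0x24, mask 0x001F0FFF, SID ...-500 */
    0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,  0x15, 0x00, 0x00, 0x00,
    0xC6, 0xBB, 0x50, 0x7A,  0xE1, 0x2A, 0x93, 0x75,  0x75, 0xB9, 0x75, 0x54,  0xF4, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x14, 0x00,  0xFF, 0x0F, 0x1F, 0x00,  /* Ace[1]: ACCESS_ALLOWED, size 0x14, mask 0x001F0FFF, SID S-1-5-18 */
    0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,  0x12, 0x00, 0x00, 0x00,
};

static parsed_sd_t g_parsed;
/* Parse the embedded sample, optionally truncated to len bytes; NULL if it is rejected. */
const parsed_sd_t *parse_sample(size_t len) { return parse_self_relative_sd(sample_sd, len, &g_parsed) ? &g_parsed : NULL; }

/* Print in the style of the !sd output above. */
void print_sd(const parsed_sd_t *sd)
{
    printf("->Revision: 0x%x\n->Control : 0x%x%s%s\n->Owner   : %s\n->Group   : %s\n", sd->revision, sd->control,
           sd->control & SE_DACL_PRESENT ? " SE_DACL_PRESENT" : "", sd->control & SE_SELF_RELATIVE ? " SE_SELF_RELATIVE" : "",
           sd->owner, sd->group);
    if (!sd->dacl_present) { puts("->Dacl    : is NULL"); return; }
    printf("->Dacl    : ->AclSize: 0x%x  ->AceCount: 0x%x\n", sd->acl_size, sd->ace_count);
    for (unsigned i = 0; i < sd->ace_count; i++)
        printf("->Dacl    : ->Ace[%u]: Type %u Flags 0x%x Size 0x%x Mask 0x%08x SID %s\n", i,
               sd->ace[i].type, sd->ace[i].flags, sd->ace[i].size, sd->ace[i].mask, sd->ace[i].sid);
}

int main(void)
{
    /* The two pointers the session masked by hand: the Token _EX_FAST_REF and the header's SecurityDescriptor. */
    printf("_TOKEN at 0x%llx (RefCnt %llu), SD at 0x%llx\n",
           (unsigned long long)ex_fast_ref_object(0xe5674d4fULL, 0), (unsigned long long)ex_fast_ref_refcnt(0xe5674d4fULL, 0),
           (unsigned long long)ex_fast_ref_object(0xe206a482ULL, 0));
    const parsed_sd_t *sd = parse_sample(sizeof sample_sd);
    if (!sd) { puts("malformed security descriptor"); return 1; }
    print_sd(sd);
    return 0;
}
```

The parser advances by AceSize rather than by the SID length and rejects any ACE or SID that would run past AclSize, which is the check that matters when the bytes come from a dump or from an untrusted caller rather than from a live debugger session. It also distinguishes a NULL DACL (SE_DACL_PRESENT with a zero offset, meaning no access checks at all) from an empty one; !sd reports the former as "is NULL".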






Please credit the source when reposting. ddlx studio. 点点灵犀. http://blog.csdn.net/sunyikuyu