Having per-process tokens is a powerful feature that enables scenarios that would
otherwise be impossible. In the real world, my boss, who sits across the hall from me,
can borrow my employee badge to walk down the hall and grant himself access to the
private lab to which I have access, effectively impersonating me. Windows allows a similar
type of impersonation. You might know of the RunAs feature. This allows one user,
given proper authentication, to run processes as another user or even as themselves with
fewer privileges. RunAs works by creating a new process having an impersonation token
or a restricted token.
PART IV
Chapter 16: Exploiting Windows Access Control Model for Local Elevation of Privilege
391
Figure 16-1 Process token
Let's take a closer look at this functionality, especially the token magic that happens
under the covers. You can launch the RunAs user interface by right-clicking a program,
shortcut, or Start menu entry in Windows. Run As will be one of the options and will
present the dialog box in Figure 16-2.
What do you think it means to run a program as the current user but choosing to
"Protect my computer and data from unauthorized program activity"? Let's open Process
Explorer and find out! In this case, I ran cmd.
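The two passages above (RunAs creating a process with an impersonation or restricted token, and the question of what "Protect my computer and data from unauthorized program activity" actually does to the token) can be checked from inside the launched process without Process Explorer. The following PowerShell script is an added example and is not code from the book or from Process Explorer; it assumes only that whoami.exe (shipped with Windows) is on the path, and the name Get-TokenSummary and the "LooksRestricted" heuristic are mine.

```powershell
# Added example, not from the book: summarise the access token of the process this runs in.
# Assumes only that whoami.exe (shipped with Windows) is on the path. Run it from the cmd
# window that RunAs opened, and again from a normal shell, to compare the two tokens.

function Get-TokenSummary {
    # whoami /groups /fo csv columns: "Group Name","Type","SID","Attributes"
    $groups = @(whoami /groups /fo csv | ConvertFrom-Csv)
    # whoami /priv /fo csv columns: "Privilege Name","Description","State"
    $privs  = @(whoami /priv /fo csv | ConvertFrom-Csv)

    # A restricted token keeps the user's groups but flags most of them "used for deny only",
    # so they can still deny access to an object but never grant it.
    $denyOnly = @($groups | Where-Object { $_.Attributes -match 'deny only' })
    $enabled  = @($groups | Where-Object {
        $_.Attributes -match 'Enabled group' -and $_.Attributes -notmatch 'deny only'
    })

    [pscustomobject]@{
        User               = (whoami)
        GroupsTotal        = $groups.Count
        GroupsEnabled      = $enabled.'Group Name'
        GroupsDenyOnly     = $denyOnly.'Group Name'
        PrivilegesEnabled  = @($privs | Where-Object { $_.State -eq 'Enabled' }).'Privilege Name'
        PrivilegesDisabled = @($privs | Where-Object { $_.State -eq 'Disabled' }).'Privilege Name'
        # Heuristic (my own, not an API check): deny-only groups are the visible signature
        # of a restricted token; a normal token for the same user has none.
        LooksRestricted    = ($denyOnly.Count -gt 0)
    }
}

# Run from inside the process you want to inspect. Expect LooksRestricted to be True in the
# cmd launched with "Protect my computer..." and False in a plain shell for the same user.
Get-TokenSummary | Format-List
```

Running the script in a plain shell and then in the cmd window launched with the checkbox ticked shows the difference directly: the same user and the same group list, but in the restricted process most groups carry the "Group used for deny only" attribute and the privilege list has been cut down. The same Basic User trust level can be requested from the command line with runas /trustlevel:0x20000, which is convenient when you want to reproduce the comparison without the dialog.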