exe in this special mode. Process
Explorer's representation of the token is shown in Figure 16-3.
Let's compare this token with the one attached to the process launched by the same
user in the same logon session earlier (Figure 16-1). First, notice that the token's user is
still JNESS2\jness. This has not changed, and this will be interesting later as we think
about ways to circumvent Windows Access Control. However, notice that in this token
the Administrators group is present but denied. So even though the user JNESS2\jness is
an Administrator on the JNESS2 workstation, the Administrators group membership
has been explicitly denied. Next you'll notice that each of the groups that was in the
token before now has a matching restricted SID in the token. Anytime this token is presented
to gain access to a secured resource, both the token's restricted group SIDs and its normal
group SIDs must have access to the resource or permission will be denied. Finally,
notice that all but one of the named Privileges (and all the good ones) have been
removed from this restricted token. For an attacker (or for malware), running with a
restricted token is a lousy experience: you can't do much of anything. In fact, let's try
a few things:
dir C:\
The restricted token does allow normal file-system access.
Gray Hat Hacking: The Ethical Hacker's Handbook, page 392, Part IV
Figure 16-2 Run As dialog box
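To make the two-pass rule concrete, here is an added teaching model (constructed for this edit, not code from the book or from Windows) that simulates how a DACL is evaluated against a normal token and against the restricted token described above. The string "SIDs", DACLs and access masks are assumed sample values, and privilege checks are left out.

```c
#include <stdbool.h>
#include <string.h>
/* Teaching model of the restricted-token access check (constructed simulation with
 * string "SIDs", not the Win32 AccessCheck/CreateRestrictedToken API). */
#define MAXN 8
#define READ  0x1
#define FULL  0x3
#define DENY_ONLY 1                /* models SE_GROUP_USE_FOR_DENY_ONLY */

typedef struct { const char *sid; int flags; } TokenSid;
typedef struct {
    TokenSid groups[MAXN];     int ngroups;       /* user SID plus group SIDs */
    TokenSid restricted[MAXN]; int nrestricted;   /* restricting SIDs; 0 = not restricted */
} Token;
typedef struct { bool allow; const char *sid; unsigned mask; } Ace;
typedef struct { Ace aces[MAXN]; int naces; } Dacl;

/* One pass over a DACL in ACE order: a matching deny ACE covering a still-wanted right fails
 * the pass; a matching allow ACE grants its bits, unless the matching SID is deny-only. */
static unsigned dacl_pass(const Dacl *d, const TokenSid *sids, int n, unsigned desired) {
    unsigned granted = 0;
    for (int i = 0; i < d->naces && granted != desired; i++)
        for (int j = 0; j < n; j++) {
            if (strcmp(d->aces[i].sid, sids[j].sid) != 0) continue;
            if (!d->aces[i].allow) {
                if (d->aces[i].mask & (desired & ~granted)) return 0;
            } else if (!(sids[j].flags & DENY_ONLY)) {
                granted |= d->aces[i].mask & desired;
            }
        }
    return granted;
}

/* A restricted token gets a second pass over its restricting SIDs; both passes must grant. */
bool access_check(const Token *t, const Dacl *d, unsigned desired) {
    unsigned g = dacl_pass(d, t->groups, t->ngroups, desired);
    if (t->nrestricted > 0)
        g &= dacl_pass(d, t->restricted, t->nrestricted, desired);
    return g == desired;
}

/* Constructed sample data: JNESS2\jness normally, and under the restricted token. */
const Token normal_jness = { {{"JNESS2\\jness",0},{"Everyone",0},{"Users",0},
    {"Administrators",0}}, 4, {{0,0}}, 0 };
const Token restricted_jness = { {{"JNESS2\\jness",0},{"Everyone",0},{"Users",0},
    {"Administrators",DENY_ONLY}}, 4, {{"JNESS2\\jness",0},{"Users",0}}, 2 };
const Dacl root_dir     = { {{true,"Users",READ},{true,"Administrators",FULL}}, 2 };
const Dacl admin_dir    = { {{true,"Administrators",FULL}}, 1 };
const Dacl everyone_dir = { {{true,"Everyone",READ}}, 1 };
```

The everyone_dir case shows why "both sets of SIDs must have access" matters: the normal token reads it through Everyone, but the restricting SIDs never match, so the restricted token is refused.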