As usual, there's more than one way to
do each task. All the enumeration we've shown in the figures so far was done with free
tools downloadable from the Internet. Nothing is magic in this chapter or in this book.
We'll demonstrate each tool we used earlier, show you where to get them, and show you
how to use them.
Dumping the Process Token
The two easiest ways to dump the access token of a process or thread are Process Explorer
and the !token debugger command. Process Explorer was built by SysInternals, which was
acquired by Microsoft in 2006. We've shown screenshots (Figure 16-1 and Figure 16-3)
already of Process Explorer, but let's go through driving the UI of it now.
Process Explorer
The Process Explorer homepage is www.microsoft.com/technet/sysinternals/utilities/
ProcessExplorer.mspx. Scroll to the bottom of that page and you'll find a 1.5MB .zip file
to download. When you run procexp.exe, after accepting the EULA, you'll be presented
with a page of processes similar to Figure 16-8.
This hierarchical tree view shows all running processes. The highlighting is blue for
processes running as you, and pink for processes running as a service. Double-clicking
one of the processes brings up more detail, including a human-readable display of the
process token, as seen in Figure 16-9.
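The same token fields that Process Explorer's Security tab displays (user, SID, group list, and whether the Administrators group is enabled or deny-only) can also be read without the GUI. The following PowerShell script is an added example, not code from the book or from Sysinternals; the function names are our own, and it assumes Windows PowerShell 5.1 or PowerShell 7 running on Windows.

```powershell
# Added example (not from the book): dump the access token of the current
# PowerShell process through .NET's WindowsIdentity, mirroring what Process
# Explorer shows on a process's Security tab. Function names are our own.

function Get-CurrentTokenSummary {
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # Header: whose token this is and how the logon was established.
    [PSCustomObject]@{
        User               = $id.Name
        UserSid            = $id.User.Value
        AuthenticationType = $id.AuthenticationType
        ImpersonationLevel = $id.ImpersonationLevel
        # True only when the Administrators group is present AND enabled.
        # A UAC-filtered token carries the group as deny-only, so this is
        # False for a non-elevated shell even if the user is an administrator.
        IsElevatedAdmin    = $principal.IsInRole($adminRole)
    }
}

function Get-CurrentTokenGroups {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $id.Groups) {
        # Logon-session and some well-known SIDs do not resolve to a name,
        # so translation failures are reported rather than aborting the dump.
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '(unresolvable)'
        }
        [PSCustomObject]@{ Sid = $sid.Value; Name = $name }
    }
}

Get-CurrentTokenSummary | Format-List
Get-CurrentTokenGroups  | Format-Table -AutoSize

# WindowsIdentity does not expose the privileges half of the token; the
# built-in whoami tool prints each privilege with its Enabled/Disabled state.
whoami /priv
```

Run it once from a normal shell and once from an elevated one: the user and SID are identical, but IsElevatedAdmin flips and the group list changes, which is exactly the difference Process Explorer renders when it marks a group as Deny.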