PART IV
Chapter 16: Exploiting Windows Access Control Model for Local Elevation of Privilege
401
Figure 16-8 Process Explorer
Process Explorer makes it easy to display the access token of any running process. It's one of the few tools that I always put on the Quick Launch bar of every machine where I work.
!token in the Debugger
If you have the Windows debugger installed, you can attach to any process and dump its token quickly and easily with the !token debugger command. It's not quite as pretty as the Process Explorer output, but it gives all the same information. Let's open the same rapimgr.exe process from Figure 16-9 in the debugger. You can see from the Process Explorer title bar that the process ID is 2428, so the debugger command line to attach to this process (assuming you've installed the debugger to c:\debuggers) would be c:\debuggers\ntsd.exe -p 2428. Windows itself ships with an old, old version of ntsd that does not support the !token command, so be sure to use the version of the debugger included with the Debugging Tools for Windows, not the built-in copy in System32. If you launch the debugger correctly, you should see output similar to Figure 16-10.
Gray Hat Hacking: The Ethical Hacker's Handbook
402
Figure 16-9 Process Explorer token display
You can issue the !token debugger command directly from this initial break-in.
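The attach-and-dump procedure above can be scripted so you do not have to read the PID off a title bar or type at the debugger prompt. The following PowerShell script is an added example, not code from the book: it looks up the target process by name, confirms that the ntsd.exe being used is the Debugging Tools copy (the text's c:\debuggers path is assumed as the default), attaches with -p exactly as the chapter does, and passes the initial debugger commands with the -c switch so !token runs at the initial break-in and the session is logged to a file. The process name, debugger directory and log path are parameters chosen for illustration.

```powershell
# Added example (not from the book): dump a running process's access token
# non-interactively with ntsd's !token command.
# Assumptions: the Debugging Tools copy of ntsd.exe lives in C:\debuggers
# (as in the chapter); the target process name, debugger directory and log
# file are illustrative parameters.
param(
    [string]$ProcessName = 'rapimgr',
    [string]$DebuggerDir = 'C:\debuggers',
    [string]$LogFile     = (Join-Path $env:TEMP 'token-dump.log')
)

$ntsd = Join-Path $DebuggerDir 'ntsd.exe'
if (-not (Test-Path $ntsd)) {
    # The ntsd.exe that ships in System32 on older Windows versions is too
    # old to know about !token, so refuse to fall back to it silently.
    throw "ntsd.exe not found in $DebuggerDir; install the Debugging Tools for Windows and point -DebuggerDir at it."
}

# Same lookup the chapter does by reading the Process Explorer title bar.
$proc = Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1
Write-Host "Attaching to $($proc.ProcessName) (PID $($proc.Id)) with $ntsd"

# -p <pid>  : invasive attach, as in the chapter (the target is suspended at
#             the initial break-in).
# -c "..."  : commands to run at that initial break: dump the token, then
#             detach. Use qd (quit and detach), not q: with an invasive attach
#             a plain q terminates the target process.
# -logo     : write the whole session transcript to a file (overwritten).
& $ntsd -p $proc.Id -logo $LogFile -c '!token; qd'

# Pull out the lines a privilege-escalation hunt cares about first: every
# privilege in the token ends in "Privilege", so this match is safe
# regardless of how the rest of the !token output is laid out.
Write-Host "`nPrivileges present in the token (full dump in $LogFile):"
Select-String -Path $LogFile -Pattern 'Privilege' | ForEach-Object { $_.Line }
```

Run the script from an account that can open the target process (the same requirement the manual attach has); ntsd needs PROCESS_ALL_ACCESS-level rights, so a process running as a different user will fail to attach unless you are an administrator with SeDebugPrivilege. The qd detail matters in practice: if you are examining a service or another process you do not own, detaching with qd leaves it running, whereas q kills it.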