Stammtisch & Café

In search of the identity card...

 
About a year ago I read an interesting question in a Delphi forum that has not let go of me since:
Is the access token, the identity card of a user that is assigned to every process, directly modifiable?
Normally the token is only accessible through a handle obtained with OpenProcessToken and through the API, i.e. one can only change those areas of the token that Windows allows access to via the handle. But what if one could find out how and where the token assigned to one's own process resides in memory - if direct access were possible, the possibilities and consequences would be unimaginable!
Some time ago I began this search, and in the coming time this thread is meant to describe it. Unfortunately I have too little time today to write more here (the money has run out), but I can already say that I have found a few interesting things.
 
05/21/06  
 



Before searching for something it makes sense to consider what the thing one is looking for might roughly look like. One important component of a token is the user identifier (i.e. the SID) of the user whose identity the token embodies. If I log into the computer as Andreas with my password, the byte sequence of Andreas's SID should therefore be found in every token of every program that I start - quite logical really.

As the process I wanted to examine I chose Notepad. Notepad is a simple text editor without much baggage - the size of the allocated process memory should therefore not be very large - so an examination of the process memory should not take very long and should not yield too many hits that do not belong to the token.
TNT offers a whole range of ways to convert an account name into a hexadecimal SID byte sequence - I used one of them and thus transferred the SID to the clipboard and later into the memory search function. I set the start address of the search to address 0.
And here is what I found...

[...] 

...namely nothing.
So a token apparently cannot be found in the user memory of the respective process - but where else should one look?
In the articles I had read about the token there was talk of an assignment to the individual processes - such an assignment need not necessarily come from the memory of the assigned process. So I decided to take a closer look at a few other processes on WinXP. First I chose the service LSASS.EXE. Why this process of all things? That has something to do with its name...
Since LSASS.EXE is a service running in the System account, I first had to start TNT as a service, which is quite easily possible via TNT's menu. Then I had the heaps of the process listed. Here too I set the start address of the search to 0 again - and off it went.
Bingo! There we already have something...

[...] 

Further important components of a token are the LUIDs (64-bit identifiers) of the privileges and their current state (attributes).
A LUID can be copied relatively easily as a hexadecimal byte sequence from the token info tab - so let's do that. The privilege SeChangeNotifyPrivilege is present in every account, so it lends itself to a search.

[...] 

LUIDs of privileges are always stored in the token together with their attributes, i.e. their current state - so we still need the state of the privilege SeChangeNotifyPrivilege =>
Enabled by default = SE_PRIVILEGE_ENABLED_BY_DEFAULT = $1
Enabled = SE_PRIVILEGE_ENABLED = $2
Together that would be $3, which corresponds to a hexadecimal byte sequence of 03000000. So what I had to search for was this:

[...] 

And this is what I found:

[...] 

Now let's see whether there is a heap block in the LSASS.EXE process that contains both - the SID and the privilege. On my system it is the 592-byte heap block at address 750992, whose contents I then had displayed as a hexadecimal byte sequence.

[...] 

To get a better overview of the whole thing, I then copied the whole block as a hexadecimal byte sequence to the clipboard and from there into a WordPad document. Let's see what I have there...
Then I structured the mess a bit...
[box:bc6ba1a7d2]
00000000FFFFFF7FFC750B0000000000B8750B0018760B00D8760B0040760B0098760B00000000000800000018760B000700000034760B000700000040760B000F00000050760B000700000060760B00070000C074760B000700000080760B00070000008C760B0007000000

0105000000000005150000000D7A5A338AA7323FF89FB474E8030000 => SID of the executing user (Andreas)

Groups in the token
0105000000000005150000000D7A5A338AA7323FF89FB47401020000 => SID of the group None
010100000000000100000000 => SID of the group Everyone
01020000000000052000000020020000 => SID of the group Administrators
01020000000000052000000021020000 => SID of the group Users
010300000000000505000000000000006B620000
010100000000000200000000 => SID of the group LOCAL
010100000000000504000000 => SID of the group Interactive
01010000000000050B000000 => SID of the group Authenticated Users

Default DACL
02 => type of the access control list (ACL_REVISION)
00 => one null byte for alignment
3400 => size of the ACL (= 52 bytes)
0200 => number of ACEs in the access control list (= 2)
0000 => two null bytes for alignment
00 => type of the 1st ACE, ACE = access control entry (= ACCESS_ALLOWED_ACE_TYPE)
00 => flags? (e.g. inheritance) of the 1st access control entry
1800 => size of the 1st access control entry (= 24 bytes)
00000010 => access mask of the 1st ACE (GENERIC_ALL)
01020000000000052000000020020000 => SID of the group Administrators
00 => type of the 2nd access control entry (= ACCESS_ALLOWED_ACE_TYPE)
00 => flags? (e.g. inheritance) of the 2nd access control entry
1400 => size of the 2nd access control entry (= 20 bytes)
00000010 => access mask of the 2nd ACE (GENERIC_ALL)
010100000000000512000000 => SID of the group SYSTEM

00000000000000000000000011000000

Privileges in the token
1700000000000000 => on my system the LUID of the privilege SeChangeNotifyPrivilege
03000000 => enabled and enabled by default
0800000000000000 => on my system the LUID of the privilege SeSecurityPrivilege
00000000 => disabled
1100000000000000 => on my system the LUID of the privilege SeBackupPrivilege
00000000 => disabled
1200000000000000 => on my system the LUID of the privilege SeRestorePrivilege
00000000 => disabled
0C00000000000000 => on my system the LUID of the privilege SeSystemtimePrivilege
00000000 => disabled
1300000000000000 => on my system the LUID of the privilege SeShutdownPrivilege
00000000 => disabled
1800000000000000 => on my system the LUID of the privilege SeRemoteShutdownPrivilege
00000000 => disabled
1400000000000000 => on my system the LUID of the privilege SeDebugPrivilege
00000000 => disabled
1600000000000000 => on my system the LUID of the privilege SeSystemEnvironmentPrivilege
00000000 => disabled
0B00000000000000 => on my system the LUID of the privilege SeSystemProfilePrivilege
00000000 => disabled
0D00000000000000 => on my system the LUID of the privilege SeProfileSingleProcessPrivilege
00000000 => disabled
0E00000000000000 => on my system the LUID of the privilege SeIncreaseBasePriorityPrivilege
00000000 => disabled
0A00000000000000 => on my system the LUID of the privilege SeLoadDriverPrivilege
00000000 => disabled
0F00000000000000 => on my system the LUID of the privilege SeCreatePagefilePrivilege
00000000 => disabled
0500000000000000 => on my system the LUID of the privilege SeIncreaseQuotaPrivilege
00000000 => disabled
1900000000000000 => on my system the LUID of the privilege SeUndockPrivilege
00000000 => disabled
0900000000000000 => on my system the LUID of the privilege SeTakeOwnershipPrivilege
00000000 => disabled

000000000000000000000000000000000000000000000000000000000000000000000000000000000500490000010C00
[/box:bc6ba1a7d2]
And this is what TNT shows me in the corresponding tab:

[...] 

[...] 

[...] 

What is there are beyond doubt token structures of a foreign process (i.e. not of LSASS.EXE itself, which after all runs in the System account)! But is it also what is really assigned to a process at this moment? Let's see...
To test this I enabled the privilege SeSystemtimePrivilege in every running process and then watched whether anything changed in the structures found here - nothing happened. So what is there is not a token currently assigned to a process - but what then?
With PrivAktivate I can quite easily start a process in a running session with the token of a user who is not logged in. I found this token too in the LSASS.EXE service. In the structure found I then set the state of the privilege to the value 02000000 (= enabled).
Then I looked at the token with TNT - nothing had changed here, the privilege was still disabled.
But after I repeated the login via PrivAktivate, the value I had previously set to 02000000 in the heap block had been reset to 00000000 (= disabled)! So the LSASS.EXE service definitely creates the token at login and assigns it to the started process!

But where is the token after the assignment?
The following excerpt from WIN32.HLP may give some closer information:
[box:bc6ba1a7d2]
In the Microsoft® Win32® application programming interface (API), each process has its own 32-bit virtual address space that enables addressing up to 4 gigabytes (GB) of memory. The 2 GB in low memory (0x00 to 0x7FFFFFFF) are available to the user, and the 2 GB in high memory (0x80000000 to 0xFFFFFFFF) are reserved for the kernel.
[/box:bc6ba1a7d2]
So above the 2 GB (above address $7FFFFFFF) there is apparently a further address range that is not intended for the user and therefore cannot be read without further ado either. At the moment I suspect that the token is located there - together with the security descriptors of the current process and its threads (as well as other kernel objects). If I am right, one would not easily get at this memory area - but perhaps there is a possibility, with a great, great deal of trickery.................................

Attachments (uploaded 06/17/06): BILD 1 (67 kB), BILD 2 (66 kB), BILD 3 (45 kB), BILD 4 (46 kB), BILD 5 (62 kB), BILD 6 (69 kB), BILD 7 (76 kB), BILD 8 (83 kB), BILD 9 (54 kB)
 
06/17/06  
 


