主要看了下面两部分:
1. 进程对系统做特权操作时需要相应的特权(Privilege),因此令牌里有一个特权集表示进程拥有哪些特权;内核在执行这类操作时会检查令牌里是否有该特权。注意:特权必须既存在于令牌中又处于启用(Enabled)状态才能通过检查,仅仅拥有但未启用的特权不算数(下面 !token 输出里 Attributes 为空的项就是这种情况)。
2. 进程对每个内核对象的访问权不同:对象的安全描述符里有一个自主访问控制列表(DACL),内核根据令牌中的用户 SID 和组 SID(而不只是启动进程的那个用户)决定允许哪些访问。这个访问检查发生在打开对象、获得句柄的时候,授予的访问掩码记录在句柄里;之后通过该句柄操作对象时只核对句柄里的访问掩码,不再重新查 ACL,所以打开之后再修改 ACL 不会影响已经拿到的句柄。
一、SID(安全标识符):用来唯一标识系统中的一个用户或组。文本形式为 S-R-I-S...,R 是 Revision,I 是 IdentifierAuthority,后面跟若干个 SubAuthority(RID);例如 S-1-5-18 表示 Revision 1、发证机关 5、一个 SubAuthority 18。
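/*
 * Security identifier (SID): uniquely names a user or group on the system.
 * Textual form is S-R-I-S..., e.g. S-1-5-18 = revision 1, issuing
 * authority 5, one sub-authority 18.
 */
typedef struct _SID {
UCHAR Revision;                               /* SID revision; 1 in every SID shown in this note */
UCHAR SubAuthorityCount;                      /* number of entries in SubAuthority[] */
SID_IDENTIFIER_AUTHORITY IdentifierAuthority; /* 6-byte issuing authority (see the SECURITY_*_AUTHORITY values below) */
#ifdef MIDL_PASS
[size_is(SubAuthorityCount)] ULONG SubAuthority[*];
#else // MIDL_PASS
/*
 * Array of relative identifiers (RIDs). A RID is only meaningful together
 * with the issuing authority and the sub-authorities before it. Well-known
 * RIDs are fixed by the system (500 is the built-in Administrator account,
 * 544 the Administrators alias); the rest are handed out by the account
 * database (local SAM or the domain) - they are not random.
 */
ULONG SubAuthority[ANYSIZE_ARRAY];
#endif // MIDL_PASS
} SID, *PISID;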
IdentifierAuthority可以是:
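/*
 * Well-known IdentifierAuthority values (the "I" in S-R-I-S...). Each is
 * a 6-byte initializer; only the last byte is non-zero for these.
 */
#define SECURITY_NULL_SID_AUTHORITY {0,0,0,0,0,0}         /* S-1-0 */
#define SECURITY_WORLD_SID_AUTHORITY {0,0,0,0,0,1}        /* S-1-1 (S-1-1-0 is Everyone) */
#define SECURITY_LOCAL_SID_AUTHORITY {0,0,0,0,0,2}        /* S-1-2 */
#define SECURITY_CREATOR_SID_AUTHORITY {0,0,0,0,0,3}      /* S-1-3 (CREATOR OWNER / CREATOR GROUP) */
#define SECURITY_NON_UNIQUE_AUTHORITY {0,0,0,0,0,4}       /* S-1-4 */
/*
 * NT authority: issues every S-1-5-... SID, which includes all of the SIDs
 * in the !token output further down (S-1-5-18, S-1-5-32-544, S-1-5-11).
 * It was missing from the original list.
 */
#define SECURITY_NT_AUTHORITY {0,0,0,0,0,5}               /* S-1-5 */
#define SECURITY_RESOURCE_MANAGER_AUTHORITY {0,0,0,0,0,9} /* S-1-9 */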
SubAuthority 数组里的值(RID)要结合 IdentifierAuthority 来解释,同一个数字在不同发证机关下代表不同的主体,例如:
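/*
 * Relative identifiers (RIDs) placed in SubAuthority[]. A RID is read
 * relative to the IdentifierAuthority (and any preceding sub-authorities),
 * so the same number names different principals under different
 * authorities: 0 is Nobody under S-1-0 but Everyone under S-1-1.
 */
#define SECURITY_NULL_RID (0x00000000L)                 /* S-1-0-0 Nobody */
#define SECURITY_WORLD_RID (0x00000000L)                /* S-1-1-0 Everyone */
#define SECURITY_LOCAL_RID (0x00000000L)                /* S-1-2-0 */
#define SECURITY_CREATOR_OWNER_RID (0x00000000L)        /* S-1-3-0 */
#define SECURITY_CREATOR_GROUP_RID (0x00000001L)        /* S-1-3-1 */
#define SECURITY_CREATOR_OWNER_SERVER_RID (0x00000002L) /* S-1-3-2 */
#define SECURITY_CREATOR_GROUP_SERVER_RID (0x00000003L) /* S-1-3-3 */
/* NT-authority (S-1-5-...) RIDs needed to read the !token output below. */
#define SECURITY_AUTHENTICATED_USER_RID (0x0000000BL)   /* S-1-5-11 Authenticated Users */
#define SECURITY_LOCAL_SYSTEM_RID (0x00000012L)         /* S-1-5-18 LocalSystem (user of the System process) */
#define SECURITY_BUILTIN_DOMAIN_RID (0x00000020L)       /* S-1-5-32 BUILTIN domain */
#define DOMAIN_ALIAS_RID_ADMINS (0x00000220L)           /* S-1-5-32-544 BUILTIN\Administrators */
#define DOMAIN_USER_RID_ADMIN (0x000001F4L)             /* RID 500: the built-in Administrator account */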
二、令牌(Token):EPROCESS->Token 指向进程的主令牌(primary token),它决定了进程的安全上下文和权限;线程在模仿(impersonation)客户时还可以额外持有一个模仿令牌,挂在 ETHREAD 上,见后文。
/*
 * Kernel TOKEN object, in the layout this note was taken from (verify the
 * offsets and sizes against `dt nt!_TOKEN` on the target build).
 * EPROCESS->Token points at a process's primary token (see the
 * "!process 4 1" output below). The token carries the user/group SIDs and
 * the privilege set that the kernel consults for privileged operations and
 * object access checks.
 * Column annotations are kept from the original listing: Ro = read-only
 * after creation, Wr/Rw = writable; (Mod) presumably marks fields whose
 * change refreshes ModifiedId - confirm.
 */
typedef struct _TOKEN {
TOKEN_SOURCE TokenSource; // Ro: 16-Bytes  origin of the token (who created it)
LUID TokenId; // Ro: 8-Bytes  unique id of this token
LUID AuthenticationId; // Ro: 8-Bytes  logon session id, assigned by lsass during LsaLogonUser
LUID ParentTokenId; // Ro: 8-Bytes
LARGE_INTEGER ExpirationTime; // Ro: 8-Bytes
PERESOURCE TokenLock; // Ro:
SEP_AUDIT_POLICY AuditPolicy; // RW: 8 bytes
LUID ModifiedId; // Wr: 8-Bytes  refreshed whenever the token's characteristics are modified
ULONG SessionId; // Wr: 4-bytes
ULONG UserAndGroupCount; // Ro: 4-Bytes  number of entries in UserAndGroups
ULONG RestrictedSidCount; // Ro: 4-Bytes  number of entries in RestrictedSids
ULONG PrivilegeCount; // Ro: 4-Bytes  number of entries in Privileges
ULONG VariableLength; // Ro: 4-Bytes
ULONG DynamicCharged; // Ro: 4-Bytes
ULONG DynamicAvailable; // Wr: 4-Bytes (Mod)
ULONG DefaultOwnerIndex; // Wr: 4-Bytes (Mod)
PSID_AND_ATTRIBUTES UserAndGroups; // Wr: 4-Bytes (Mod)  SID array, UserAndGroupCount entries; each entry carries attributes such as Enabled/Mandatory/Default/Owner, as shown under "User Groups" in the !token output below
PSID_AND_ATTRIBUTES RestrictedSids; // Ro: 4-Bytes  SID array, RestrictedSidCount entries
PSID PrimaryGroup; // Wr: 4-Bytes (Mod)
PLUID_AND_ATTRIBUTES Privileges; // Wr: 4-Bytes (Mod)  LUID array, PrivilegeCount entries: the privileges this token holds, e.g. SeLoadDriverPrivilege. NOTE(review): each entry's attributes record whether the privilege is currently enabled; a privilege that is present but not enabled does not satisfy the kernel's privilege check - compare the entries with an empty "Attributes -" in the !token output below
PULONG DynamicPart; // Wr: 4-Bytes (Mod)
PACL DefaultDacl; // Wr: 4-Bytes (Mod)  default access control list (ACLs are covered later in this note)
TOKEN_TYPE TokenType; // Ro: 1-Byte  one of two values: TokenPrimary (the usual case, a process's own token) or TokenImpersonation, the token a server thread (an RPC server is the typical example) takes on when it impersonates a client to carry out a request on the client's behalf
/*
typedef enum _SECURITY_IMPERSONATION_LEVEL {
SecurityAnonymous,          server cannot obtain the client's identity
SecurityIdentification,     server can obtain the client's identity only
SecurityImpersonation,      server can also act as the client on the local system
SecurityDelegation          server can also act as the client towards remote systems
} SECURITY_IMPERSONATION_LEVEL, * PSECURITY_IMPERSONATION_LEVEL;
Impersonation is a per-thread property: the impersonation state hangs off
ETHREAD->ImpersonationInfo rather than off the process; not followed further here.
*/
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; // Ro: 1-Byte  impersonation level
UCHAR TokenFlags; // Rw: 4-Bytes  NOTE(review): declared UCHAR (1 byte) but annotated as 4 bytes - check the real size with `dt nt!_TOKEN TokenFlags` on the target build
BOOLEAN TokenInUse; // Wr: 1-Byte
PSECURITY_TOKEN_PROXY_DATA ProxyData; // Ro: 4-Bytes
PSECURITY_TOKEN_AUDIT_DATA AuditData; // Ro: 4-Bytes
PSEP_LOGON_SESSION_REFERENCES LogonSession; // Rw: Ptr
LUID OriginatingLogonSession ; // Rw: 8 bytes (set by LSA)
ULONG VariablePart; // Wr: 4-Bytes (Mod)
} TOKEN, * PTOKEN;
查看 System 进程(Cid 4)的令牌。读下面的输出时注意:User Groups 和 Privs 每一项后面的 Attributes 才是实际生效的状态——Attributes 为空的特权(如 SeCreateTokenPrivilege、SeTakeOwnershipPrivilege)只是存在于令牌中但未启用,进程需要先通过 AdjustTokenPrivileges(NtAdjustPrivilegesToken)把它启用,内核的特权检查才会通过。
kd> !process 4 1
Searching for Process with Cid == 4
Cid handle table at e1001c68 with 50 entries in use
PROCESS 8179b7a8 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 0fc01000 ObjectTable: e1003e38 HandleCount: 137.
Image: System
VadRoot 817c11b0 Vads 2 Clone 0 Private 2. Modified 863. Locked 0.
DeviceMap e10007b8
Token e1000aa8
kd> !token e1000aa8
_TOKEN e1000aa8
TS Session ID: 0
User: S-1-5-18
User Groups:
00 S-1-5-32-544
Attributes - Default Enabled Owner
01 S-1-1-0 // Everyone(World)组:包含所有用户
Attributes - Mandatory Default Enabled
02 S-1-5-11
Attributes - Mandatory Default Enabled
Primary Group: S-1-5-18
Privs:
00 0x000000007 SeTcbPrivilege Attributes - Enabled Default
01 0x000000002 SeCreateTokenPrivilege Attributes -
02 0x000000009 SeTakeOwnershipPrivilege Attributes -
03 0x00000000f SeCreatePagefilePrivilege Attributes - Enabled Default
04 0x000000004 SeLockMemoryPrivilege Attributes - Enabled Default
05 0x000000003 SeAssignPrimaryTokenPrivilege Attributes -
06 0x000000005 SeIncreaseQuotaPrivilege Attributes -
07 0x00000000e SeIncreaseBasePriorityPrivilege Attributes - Enabled Default
08 0x000000010 SeCreatePermanentPrivilege Attributes - Enabled Default
09 0x000000014 SeDebugPrivilege Attributes - Enabled Default
10 0x000000015 SeAuditPrivilege Attributes - Enabled Default
11 0x000000008 SeSecurityPrivilege