Reading Notebook: 24-May-10
Monday, May 24th, 2010
Comments in italics are mine and express my own views, thoughts and opinions.
Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:
Process integrity levels as SIDs (pp. 464 - 465)
Protected mode IE startup sequence (pp. 467 - 470) - ieuser.exe might block several iexplore.exe instances: http://www.dumpanalysis.org/blog/index.php/2009/02/11/stack-trace-collection-blocked-thread-and-coupled-processes-pattern-cooperation/
Integrity levels and mandatory policies for objects (pp. 471 - 473)
Many faces of an Administrator, filtered admin tokens (p. 474)
CreateProcessWithLogonW (p. 474)
The token source field (p. 476)
Token authentication and modified IDs (pp. 476 - 477) - token structure from x64 Windows Server R2:
0: kd> dt _TOKEN
nt!_TOKEN
+0x000 TokenSource : _TOKEN_SOURCE
+0x010 TokenId : _LUID
+0x018 AuthenticationId : _LUID
+0x020 ParentTokenId : _LUID
+0x028 ExpirationTime : _LARGE_INTEGER
+0x030 TokenLock : Ptr64 _ERESOURCE
+0x038 ModifiedId : _LUID
+0x040 Privileges : _SEP_TOKEN_PRIVILEGES
+0x058 AuditPolicy : _SEP_AUDIT_POLICY
+0x074 SessionId : Uint4B
+0x078 UserAndGroupCount : Uint4B
+0x07c RestrictedSidCount : Uint4B
+0x080 VariableLength : Uint4B
+0x084 DynamicCharged : Uint4B
+0x088 DynamicAvailable : Uint4B
+0x08c DefaultOwnerIndex : Uint4B
+0x090 UserAndGroups : Ptr64 _SID_AND_ATTRIBUTES
+0x098 RestrictedSids : Ptr64 _SID_AND_ATTRIBUTES
+0x0a0 PrimaryGroup : Ptr64 Void
+0x0a8 DynamicPart : Ptr64 Uint4B
+0x0b0 DefaultDacl : Ptr64 _ACL
+0x0b8 TokenType : _TOKEN_TYPE
+0x0bc ImpersonationLevel : _SECURITY_IMPERSONATION_LEVEL
+0x0c0 TokenFlags : Uint4B
+0x0c4 TokenInUse : UChar
+0x0c8 IntegrityLevelIndex : Uint4B
+0x0cc MandatoryPolicy : Uint4B
+0x0d0 LogonSession : Ptr64 _SEP_LOGON_SESSION_REFERENCES
+0x0d8 OriginatingLogonSession : _LUID
+0x0e0 SidHash : _SID_AND_ATTRIBUTES_HASH
+0x1f0 RestrictedSidHash : _SID_AND_ATTRIBUTES_HASH
+0x300 pSecurityAttributes : Ptr64 _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION
+0x308 VariablePart : Uint8B