Crash Dump Analysis Patterns (Part 191)
Sometimes we need to check under which security principal or group a process runs, what privileges it has, or whether it has impersonating threads. We call this pattern Deviant Token when we find an unexpected token, for example one with a different security identifier such as Network Service instead of Local System (SID: S-1-5-18):
PROCESS 8f218d88 SessionId: 0 Cid: 09c4 Peb: 7ffdf000 ParentCid: 0240
DirBase: bffd4260 ObjectTable: e10eae90 HandleCount: 93.
Image: ServiceA.exe
VadRoot 8f1f70e8 Vads 141 Clone 0 Private 477. Modified 2. Locked 0.
DeviceMap e10038d8
Token e10ff5d8
[…]
0: kd> !token e10ff5d8
_TOKEN e10ff5d8
TS Session ID: 0
User: S-1-5-20
[…]
Well-known SIDs can be found in this MS article: http://support.microsoft.com/kb/243330
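As an added illustration that is not part of the original post, the following Python script parses interleaved !process/!token output like the listing above and flags processes whose token user SID departs from a baseline of expected SIDs. The sample debugger output, the image names and the baseline are constructed for the example.

```python
import re
# Well-known service SIDs (subset of the Microsoft list the post links to).
WELL_KNOWN_SIDS = {"S-1-5-18": "Local System", "S-1-5-19": "Local Service",
                   "S-1-5-20": "Network Service"}

# Constructed sample modelled on the post's !process / !token output; not a real dump.
SAMPLE_OUTPUT = """\
PROCESS 8f218d88  SessionId: 0  Cid: 09c4    Peb: 7ffdf000  ParentCid: 0240
    Image: ServiceA.exe
    Token                             e10ff5d8
0: kd> !token e10ff5d8
_TOKEN e10ff5d8
User: S-1-5-20
PROCESS 8f3300a0  SessionId: 0  Cid: 0a10    Peb: 7ffdd000  ParentCid: 0240
    Image: ServiceB.exe
    Token                             e1100a20
0: kd> !token e1100a20
_TOKEN e1100a20
User: S-1-5-18
"""

IMAGE_RE = re.compile(r"^\s*Image:\s+(\S+)")
TOKEN_REF_RE = re.compile(r"^\s*Token\s+([0-9a-fA-F]+)")   # Token field inside a PROCESS block
TOKEN_HDR_RE = re.compile(r"^_TOKEN\s+([0-9a-fA-F]+)")     # header line of !token output
USER_RE = re.compile(r"^\s*User:\s+(S-1-[\d-]+)")          # the token's user SID

def parse_process_tokens(text):
    """Return {image: (token_address, user_sid)} from interleaved !process/!token output."""
    image_token, token_sid = {}, {}   # image -> token address; token address -> user SID
    current_image = current_token = None
    for line in text.splitlines():
        if m := IMAGE_RE.match(line):
            current_image = m.group(1)
        elif (m := TOKEN_REF_RE.match(line)) and current_image:
            image_token[current_image] = m.group(1).lower()
        elif m := TOKEN_HDR_RE.match(line):
            current_token = m.group(1).lower()
        elif (m := USER_RE.match(line)) and current_token:
            token_sid[current_token] = m.group(1)
    return {img: (tok, token_sid.get(tok)) for img, tok in image_token.items()}

def find_deviant_tokens(process_tokens, expected_sids):
    """Return (image, expected_sid, actual_sid, actual_name) for each token whose user differs from baseline."""
    deviants = []
    for image, expected in expected_sids.items():
        _token, actual = process_tokens.get(image, (None, None))
        if actual is not None and actual != expected:
            deviants.append((image, expected, actual, WELL_KNOWN_SIDS.get(actual, "unknown SID")))
    return deviants
```

Feeding the sample through `find_deviant_tokens(parse_process_tokens(SAMPLE_OUTPUT), {"ServiceA.exe": "S-1-5-18", "ServiceB.exe": "S-1-5-18"})` reports ServiceA.exe running as Network Service where Local System was expected.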
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -