0: kd> !process 0 0 lsass.exe
PROCESS ffff9d8f19eec080
SessionId: 0 Cid: 035c Peb: bfc5a80000 ParentCid: 02c4
DirBase: 212a34002 ObjectTable: ffffd88b29f2f180 HandleCount: 1447.
Image: lsass.exe
0: kd> dt nt!_EPROCESS ffff9d8f19eec080 UniqueProcessId Token ImageFilename
+0x440 UniqueProcessId : 0x00000000`0000035c Void
+0x4b8 Token : _EX_FAST_REF
+0x5a8 ImageFileName : [15] "lsass.exe"
0: kd> dx -id 0,0,ffff9d8f17ca0040 -r1 (*((ntkrnlmp!_EX_FAST_REF *)0xffff9d8f19eec538))
(*((ntkrnlmp!_EX_FAST_REF *)0xffff9d8f19eec538)) [Type: _EX_FAST_REF]
[+0x000] Object : 0xffffd88b2a4713c3 [Type: void *]
[+0x000 ( 3: 0)] RefCnt : 0x3 [Type: unsigned __int64]
[+0x000] Value : 0xffffd88b2a4713c3 [Type: unsigned __int64]
0: kd> !token 0xffffd88b2a4713c0
_TOKEN 0xffffd88b2a4713c0
TS Session ID: 0
User: S-1-5-18
User Groups:
00 S-1-5-32-544
Attributes - Default Enabled Owner
01 S-1-1-0
Attributes - Mandatory Default Enabled
02 S-1-5-11
Attributes - Mandatory Default Enabled
03 S-1-16-16384
Attributes - GroupIntegrity GroupIntegrityEnabled
Primary Group: S-1-5-18
Privs:
02 0x000000002 SeCreateTokenPrivilege Attributes - Enabled
03 0x000000003 SeAssignPrimaryTokenPrivilege Attributes -
04 0x000000004 SeLockMemoryPrivilege Attributes - Enabled Default
05 0x000000005 SeIncreaseQuotaPrivilege Attributes -
07 0x000000007 SeTcbPrivilege Attributes - Enabled Default
08 0x000000008 SeSecurityPrivilege Attributes -
09 0x000000009 SeTakeOwnershipPrivilege Attributes -
10 0x00000000a SeLoadDriverPrivilege Attributes -
11 0x00000000b SeSystemProfilePrivilege Attributes - Enabled Default
12 0x00000000c SeSystemtimePrivilege Attributes -
13 0x00000000d SeProfileSingleProcessPrivilege Attributes - Enabled Default
14 0x00000000e SeIncreaseBasePriorityPrivilege Attributes - Enabled Default
15 0x00000000f SeCreatePagefilePrivilege Attributes - Enabled Default
16 0x000000010 SeCreatePermanentPrivilege Attributes - Enabled Default
17 0x000000011 SeBackupPrivilege Attributes -
18 0x000000012 SeRestorePrivilege Attributes -
19 0x000000013 SeShutdownPrivilege Attributes -
20 0x000000014 SeDebugPrivilege Attributes - Enabled Default
21 0x000000015 SeAuditPrivilege Attributes - Enabled Default
22 0x000000016 SeSystemEnvironmentPrivilege Attributes -
23 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default
25 0x000000019 SeUndockPrivilege Attributes -
28 0x00000001c SeManageVolumePrivilege Attributes -
29 0x00000001d SeImpersonatePrivilege Attributes - Enabled Default
30 0x00000001e SeCreateGlobalPrivilege Attributes - Enabled Default
31 0x00000001f SeTrustedCredManAccessPrivilege Attributes -
32 0x000000020 SeRelabelPrivilege Attributes -
33 0x000000021 SeIncreaseWorkingSetPrivilege Attributes - Enabled Default
34 0x000000022 SeTimeZonePrivilege Attributes - Enabled Default
35 0x000000023 SeCreateSymbolicLinkPrivilege Attributes - Enabled Default
36 0x000000024 SeDelegateSessionUserImpersonatePrivilege Attributes - Enabled Default
Authentication ID: (0,3e7)
Impersonation Level: Anonymous
TokenType: Primary
Source: *SYSTEM* TokenFlags: 0x2000 ( Token in use )
Token ID: d694 ParentToken ID: 0
Modified ID: (0, e53e)
RestrictedSidCount: 0 RestrictedSids: 0x0000000000000000
OriginatingLogonSession: 0
PackageSid: (null)
CapabilityCount: 0 Capabilities: 0x0000000000000000
LowboxNumberEntry: 0x0000000000000000
Security Attributes:
Unable to get the offset of nt!_AUTHZBASEP_SECURITY_ATTRIBUTE.ListLink
Process Token TrustLevelSid: (null)
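The session above walks by hand from the lsass.exe _EPROCESS to its _TOKEN. The Python below is an added example, not part of the original post: it replays the two implicit steps on a constructed excerpt of the same output (the Token field address as EPROCESS base + 0x4b8, and the _EX_FAST_REF decode that turns 0x...3c3 into the 0x...3c0 passed to !token) and parses the !token privilege lines to list which privileges are enabled. The 4-bit reference-count width is an assumption read off the `( 3: 0)` RefCnt bit range that dx prints.

```python
"""Decode an _EX_FAST_REF Token pointer and parse !token privilege lines."""
import re

# Constructed excerpt of the WinDbg output shown on this page.
DX_OUTPUT = """\
[+0x000] Object : 0xffffd88b2a4713c3 [Type: void *]
[+0x000 ( 3: 0)] RefCnt : 0x3 [Type: unsigned __int64]
[+0x000] Value : 0xffffd88b2a4713c3 [Type: unsigned __int64]
"""
TOKEN_PRIVS = """\
02 0x000000002 SeCreateTokenPrivilege Attributes - Enabled
03 0x000000003 SeAssignPrimaryTokenPrivilege Attributes -
07 0x000000007 SeTcbPrivilege Attributes - Enabled Default
17 0x000000011 SeBackupPrivilege Attributes -
20 0x000000014 SeDebugPrivilege Attributes - Enabled Default
"""

EPROCESS_BASE = 0xffff9d8f19eec080   # from '!process 0 0 lsass.exe'
TOKEN_OFFSET = 0x4b8                 # from 'dt nt!_EPROCESS ... Token'
# Assumption: on x64 the fast reference keeps its count in bits 3:0,
# so the object pointer is recovered by clearing the low 4 bits.
FAST_REF_BITS = 4


def token_field_address(eprocess, offset=TOKEN_OFFSET):
    """Address handed to dx: the _EX_FAST_REF Token field inside _EPROCESS."""
    return eprocess + offset


def decode_ex_fast_ref(value):
    """Split an _EX_FAST_REF.Value into (object pointer, reference count)."""
    mask = (1 << FAST_REF_BITS) - 1
    return value & ~mask, value & mask


def fast_ref_value_from_dx(text):
    """Pull the Value member out of dx's _EX_FAST_REF dump."""
    m = re.search(r"\]\s+Value\s+:\s+(0x[0-9a-f]+)", text, re.I)
    if m is None:
        raise ValueError("no Value member in dx output")
    return int(m.group(1), 16)


PRIV_RE = re.compile(r"^\s*\d+\s+0x[0-9a-f]+\s+(Se\w+Privilege)\s+Attributes\s+-\s*(.*)$", re.I)


def parse_privileges(text):
    """Map each privilege name in !token output to its attribute set."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_RE.match(line)
        if m:
            privs[m.group(1)] = set(m.group(2).split())
    return privs


def enabled_privileges(privs):
    """Privileges the token holds enabled (present but disabled ones are skipped)."""
    return sorted(name for name, attrs in privs.items() if "Enabled" in attrs)
```

Privileges listed with an empty attribute set are held by the token but disabled; only the ones carrying Enabled are active without a further adjustment.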