21 """Inspect the privileges in each process's tokens.
22
23 This set of plugins is designed around the blog post "Windows Access Tokens -
24 !token and _TOKEN"::
25 https://bsodtutorials.wordpress.com/2014/08/09/windows-access-tokens-token-and-_token/
26 """
27
28 __author__ = "Michael Cohen <scudette@gmail.com>"
29
30 from rekall import plugin
31 from rekall.plugins.windows import common
32
33
35 """Fetch the PrivilegesHook table.
36
37 In Windows, privilege values are not constant, they are actually stored in
38 kernel globals. We can see this kind of privilege check:
39
40 0xf800027b4e10 mov rcx, qword ptr [rip + 0x3a42a1] 0x7 nt!SeTcbPrivilege
41 0xf800027b4e17 call 0xf80002956a58 nt!SeSinglePrivilegeCheck
42
43 This demonstrates that the kernel reads the values from these locations (i.e.
44 they are not hard coded). In practice they are never changed at runtime and
45 probably do not differ between systems or versions.
46
47 This hook collects these values from the image rather than hard-coding them.
48 """
49 name = "privilege_table"
50
66 """Prints process privileges."""
67
68 name = "privileges"
69
70 table_header = [
71 dict(name="Process", type="_EPROCESS"),
72 dict(name="Value", width=3, align="r"),
73 dict(name="Privileges", width=40),
74 dict(name="Attributes", type="list")
75 ]
76
78 privilege_table = self.session.GetParameter("privilege_table")
79
80 for task in self.filter_processes():
81 for value, flags in task.Token.GetPrivileges():
82
83 if self.plugin_args.verbosity <= 1 and "Present" not in flags:
84 continue
85
86 yield (task,
87 value,
88 privilege_table.get(value),
89 flags)
90