FS_Process_Token
The directory token exists as a sub-directory in each process directory.
The token directory contains user information related to the process and other information extracted from the process Token.
The files and directories and their contents are listed below:
| File | Description |
|---|---|
| integrity.txt | Process integrity level. |
| luid.txt | User logon ID. |
| privileges.txt | List of process privileges. |
| session.txt | The session ID of the process. |
| sid.txt | The user SID. |
| sid-all.txt | All SIDs in the primary process token. |
| user.txt | The username. |
The directory exists only on Windows.
The file privileges.txt contains information about process privileges. The three characters in the flags column have the following meaning (a `-` means the flag is not set):

- `e`: the process privilege is Enabled.
- `p`: the process privilege is Present.
- `d`: the process privilege is Enabled by Default.
```
# Flags Privilege Name
--------------------------------
0003 -p- SeAssignPrimaryTokenPrivilege
0004 --d SeLockMemoryPrivilege
0007 epd SeTcbPrivilege
...
```
The example below shows the SID, username and process privileges of a process.
The token sub-directory is implemented as a built-in native C-code plugin. The plugin source is located in the file modules/m_proc_token.c in the vmm project.
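As an added example (not code from the MemProcFS project), the following Python reads the files of a token directory from a mounted MemProcFS path and parses the privileges.txt layout shown above into structured records, then lists which sensitive privileges are actually enabled, which is the check an analyst usually wants when triaging a process. The sample privileges.txt text is constructed; the interpretation of the `#` column as a hexadecimal number and the set of privileges treated as sensitive are assumptions of this example, not something the page states.

```python
import re
from pathlib import Path
from typing import Dict, List, NamedTuple, Optional

# Constructed sample in the privileges.txt layout documented on the page
# (the SeDebugPrivilege line is added here for illustration).
SAMPLE_PRIVILEGES_TXT = """\
# Flags Privilege Name
--------------------------------
0003 -p- SeAssignPrimaryTokenPrivilege
0004 --d SeLockMemoryPrivilege
0007 epd SeTcbPrivilege
0014 ep- SeDebugPrivilege
"""

# File names of the token sub-directory as listed on the page.
TOKEN_FILES = (
    "integrity.txt", "luid.txt", "privileges.txt", "session.txt",
    "sid.txt", "sid-all.txt", "user.txt",
)

# Privileges whose enabled state is worth flagging during triage (assumption of
# this example; adjust to the environment's own policy).
SENSITIVE_PRIVILEGES = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
}


class Privilege(NamedTuple):
    number: int            # value of the '#' column (parsed as hex, an assumption)
    name: str              # e.g. SeTcbPrivilege
    enabled: bool          # 'e' flag
    present: bool          # 'p' flag
    enabled_by_default: bool  # 'd' flag


# One data line: number, three-character flag field, privilege name.
_LINE_RE = re.compile(r"^([0-9A-Fa-f]+)\s+([e-][p-][d-])\s+(\S+)\s*$")


def parse_privileges(text: str) -> List[Privilege]:
    """Parse privileges.txt content into Privilege records.

    The '# Flags Privilege Name' header and the dashed separator are skipped;
    any other line that does not match the layout raises ValueError so a
    changed format is noticed rather than silently ignored.
    """
    privileges: List[Privilege] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or set(line) == {"-"}:
            continue
        match = _LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unrecognised privileges.txt line: {line!r}")
        number, flags, name = match.groups()
        privileges.append(Privilege(
            number=int(number, 16),
            name=name,
            enabled=flags[0] == "e",
            present=flags[1] == "p",
            enabled_by_default=flags[2] == "d",
        ))
    return privileges


def enabled_sensitive(privileges: List[Privilege]) -> List[str]:
    """Return the sorted names of sensitive privileges that are enabled (not merely present)."""
    return sorted(p.name for p in privileges
                  if p.enabled and p.name in SENSITIVE_PRIVILEGES)


def read_token_dir(token_dir: str) -> Dict[str, Optional[str]]:
    """Read every documented token file; missing files map to None.

    token_dir is the mounted path, e.g. M:\\pid\\<pid>\\token on Windows.
    """
    base = Path(token_dir)
    contents: Dict[str, Optional[str]] = {}
    for name in TOKEN_FILES:
        path = base / name
        contents[name] = path.read_text(errors="replace").strip() if path.is_file() else None
    return contents


if __name__ == "__main__":
    privs = parse_privileges(SAMPLE_PRIVILEGES_TXT)
    for p in privs:
        print(f"{p.number:04x} {p.name:32} enabled={p.enabled} present={p.present} default={p.enabled_by_default}")
    print("enabled sensitive privileges:", enabled_sensitive(privs))
```

To use it against a live mount, call `read_token_dir(r"M:\pid\4\token")` and pass the `privileges.txt` entry to `parse_privileges`; a privilege that is present but not enabled (the `-p-` case above) is deliberately not reported by `enabled_sensitive`, since only enabled privileges are in effect for the process.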
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS are free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCILeech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖