
I am trying to understand token kidnapping. I read this:

get the PID of the “rpcss” service

open the process, list all handles and for each handle try to duplicate it and get the handle type if handle type is “Token” and token owner is SYSTEM,

try to impersonate and launch a process with CreateProcessAsUser() or CreateProcessWithToken()

... So I want to understand how the process is related to its handles, and why, in the case of rpcss, it has a handle whose type is Token (owned by SYSTEM).

ilich262
  • All this is nonsense. Simply enumerate processes and try to open their tokens. – RbMm Mar 26 '23 at 10:07
  • "I want to buy something with rpcss's credit card. So I break into rpcss's house and look in rpcss's wallet, and check each card to see if it's a credit card. Once I find one, I use it to make an online purchase." Your question is "How is rpcss's house related to the cards in its wallet?" (Because that's where rpcss keeps its wallet.) "Why does it have a credit card?" (Because rpcss decided to get a credit card.) – Raymond Chen Mar 26 '23 at 15:06
  • @RaymondChen I am new to Windows systems. So my question would be: why is the rpcss service related to System? I guess there are other services that are not related to System. Why is rpc so crucial? – ilich262 Mar 28 '23 at 01:55
  • You can ask the person who wrote whatever document you're reading (you didn't cite it) why they chose rpcss. – Raymond Chen Mar 28 '23 at 02:07
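The following PowerShell script is an added, read-only illustration of the process-to-token relationship the question asks about; it is not code from the question, its comments, or any token-kidnapping writeup, and it does not open or duplicate any other process's handles. It assumes a Windows host with PowerShell 5.1 or later and that the service the question calls "rpcss" is the one registered as RpcSs (that name, and the choice to look at the current process's own token, are assumptions made for the example).

```powershell
# Added example, not taken from the question or its comments.
# Read-only look at how a process, its primary token and a service's
# configured account fit together. Nothing here opens or duplicates
# another process's handles; it only queries the service database and
# the current process's own token.

# Assumption: the service the question calls "rpcss" is registered as RpcSs.
$serviceName = 'RpcSs'

# 1. The service configuration records which account the service's host
#    process is started under. That account becomes the primary token of
#    the process, assigned when the process is created.
$svc = Get-CimInstance Win32_Service -Filter "Name='$serviceName'"
if ($null -eq $svc) { throw "Service $serviceName not found" }
if ($svc.ProcessId -eq 0) {
    "{0} is configured to run as '{1}' but is not running" -f $svc.Name, $svc.StartName
} else {
    $proc = Get-Process -Id $svc.ProcessId
    # HandleCount is the size of the process's handle table: every kernel
    # object (files, events, tokens, ...) the process currently has open.
    "{0} runs in PID {1} ({2}) as '{3}' and currently holds {4} handles" -f `
        $svc.Name, $svc.ProcessId, $proc.ProcessName, $svc.StartName, $proc.HandleCount
}

# 2. The current process has a primary token too. WindowsIdentity wraps it,
#    so the owner SID, whether it is LocalSystem, and the impersonation
#    level can be read without any raw handle work. These are the same
#    fields a "Token" handle found in another process would carry.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
[pscustomobject]@{
    Process            = $PID
    TokenUser          = $id.Name
    UserSid            = $id.User.Value
    IsLocalSystem      = $id.IsSystem
    ImpersonationLevel = $id.ImpersonationLevel
    # A primary token reports an impersonation level of None.
    TokenType          = if ($id.ImpersonationLevel -eq 'None') { 'Primary' } else { 'Impersonation' }
}
```

The two outputs show the two halves of the relationship: the service entry tells you which account the host process's primary token belongs to, and the handle count shows that a process is just an owner of a table of kernel-object handles. A token handle appears in that table whenever the process itself opens or duplicates a token, which server processes do while acting on behalf of the clients they serve; that is why inspecting a process's handle table can reveal tokens belonging to accounts other than the one the process was started as. From a defensive standpoint, a process holding a handle to a token of a more privileged account than its own is therefore the condition to monitor for, rather than the service name itself.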

0 Answers