I am trying to understand token kidnapping. I read this:
get the PID of the "rpcss" service;
open the process, list all handles, and for each handle try to duplicate it and get the handle type; if the handle type is "Token" and the token owner is SYSTEM,
try to impersonate and launch a process with CreateProcessAsUser() or CreateProcessWithToken().
.... So I want to understand how the process is related to its handles, and why, in the case of rpcss, it has a handle whose type is Token (owned by SYSTEM).