<li>Impersonation</li>
</ul>
<p><i>Tokenmon</i> has advanced filtering and search
capabilities that make it a powerful tool for
exploring the way NT works, seeing how applications
use security functions, or tracking down problems
in system or application configurations. </p>
<p><em>Tokenmon</em> works on NT 4.0 and Windows
2000.<br>
<br>
<img src="../../images/screenshots/tokeshot.gif" width="549" height="273"></p>
</td>
</tr>
<tr>
<td colspan="3" height="40" valign="middle"><span class='sectionheader'>Installation
and Use </span></td>
</tr>
<tr>
<td valign="TOP" colspan="3"> Simply run the <i>Tokenmon</i>
GUI (Tokenmon.exe). Note that you must have administrative
privilege to run <i>Tokenmon</i>. Menus, hot-keys,
or toolbar buttons can be used to clear the window,
save the monitored data to a file, and to filter
and search output.
<p>When a thread impersonates, you'll see the thread's
primary identity in the domain\user column and
the identity it's adopting in the Other column.
Any security actions it performs at that point
are in the impersonation context. When it reverts
back to its own identity, the thread's primary
identity is again shown in the domain\user column.</p>
<p>As events are printed to the output, they are
tagged with a sequence number. If <i>Tokenmon's</i>
internal buffers overflow during extremely
heavy activity, the lost events show up as gaps
in the sequence numbers.</p>
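<p>The two reading rules above (attribute an action to the adopted identity while a thread is impersonating, and treat a hole in the sequence numbers as dropped events) can be applied mechanically to saved output. The following C program is an added example, not part of Tokenmon or its source; its rows are constructed to look like the columns the text names (sequence number, thread, action, domain\user, Other), and the exact column layout of a saved Tokenmon file is not assumed.</p>

```c
#include <stdio.h>
#include <string.h>

/* One Tokenmon output row reduced to the columns the text names: sequence
 * number, thread, action, domain\user (primary identity) and Other (the
 * identity adopted on an Impersonate row). The rows below are constructed. */
typedef struct { unsigned seq, tid; const char *action, *user, *other; } Row;
typedef struct { int impersonated_actions; int dropped; } Summary;
static const Row sample[] = {
    { 1, 100, "Enable SeChangeNotifyPrivilege", "WKS\\alice", NULL },
    { 2, 100, "Impersonate",                    "WKS\\alice", "WKS\\bob" },
    { 3, 100, "Enable SeBackupPrivilege",       "WKS\\alice", NULL },
    { 5, 100, "Revert",                         "WKS\\alice", NULL }, /* #4 was lost */
    { 6, 100, "Enable SeRestorePrivilege",      "WKS\\alice", NULL },
    { 7, 200, "Enable SeDebugPrivilege",        "WKS\\svc",   NULL },
};
enum { SAMPLE_N = sizeof sample / sizeof sample[0], MAX_THREADS = 16 };

/* Walk rows in sequence order, remembering which identity each thread is
 * currently acting as, so every security action is attributed to the
 * effective identity (adopted while impersonating, primary otherwise).
 * Holes in the sequence numbers are counted as events dropped on overflow. */
static Summary review(const Row *rows, int n, FILE *out) {
    struct { unsigned tid; const char *as; } ctx[MAX_THREADS] = { { 0, NULL } };
    Summary s = { 0, 0 };
    unsigned prev = n > 0 ? rows[0].seq : 0;
    for (int i = 0; i < n; i++) {
        const Row *r = &rows[i];
        if (r->seq > prev + 1) s.dropped += r->seq - prev - 1;
        prev = r->seq;
        int k = 0;                                  /* find or allocate a slot; tid != 0 */
        while (k < MAX_THREADS && ctx[k].tid && ctx[k].tid != r->tid) k++;
        if (k == MAX_THREADS) continue;             /* table full: toy limit */
        ctx[k].tid = r->tid;
        if (strcmp(r->action, "Impersonate") == 0) { ctx[k].as = r->other; continue; }
        if (strcmp(r->action, "Revert") == 0)      { ctx[k].as = NULL; continue; }
        if (ctx[k].as) s.impersonated_actions++;
        if (out) fprintf(out, "#%u tid %u: %s as %s%s\n", r->seq, r->tid, r->action,
                         ctx[k].as ? ctx[k].as : r->user, ctx[k].as ? " (impersonating)" : "");
    }
    return s;
}

int main(void) {
    Summary s = review(sample, SAMPLE_N, stdout);
    printf("%d action(s) under impersonation, %d event(s) dropped\n", s.impersonated_actions, s.dropped);
    return 0;
}
```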
<p>Each time you exit <i>Tokenmon</i> it remembers
the position of the window and the widths of the
output columns.</p>
</td>
</tr>
<tr>
<td height="40" colspan="3" valign="middle"><span class='sectionheader'>How
Tokenmon Works</span> </td>
</tr>
<tr>
<td colspan="3" valign="TOP"> <i>Tokenmon</i> intercepts
logon by hooking the <b>NtCreateToken</b> native
API. The local security authority uses this API
to create an initial login token when a user logs
in either remotely or locally. When a user logs
on, the Local Security Authority Subsystem (LSASS)
assigns the logon session a locally unique identifier
(LUID) called a logon ID. To see a corresponding
logoff, Tokenmon registers with the Security Reference
Monitor (SRM) using the <b>SeRegisterLogonSessionTerminatedRoutine</b>
kernel function, which requests that the SRM call
the driver back whenever a user is logged off.
<p>In order to see a process enable and disable
privileges, <i>Tokenmon</i> hooks the <b>NtAdjustPrivilegesToken</b>
function, which is the native API-equivalent of
the Win32 <b>AdjustTokenPrivileges</b> function.
This function takes an array of privileges with
a flag for each indicating whether the process
wants to enable or disable it. Tokenmon shows
the action for each privilege affected by a single
call in separate output lines.</p>
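<p>The C program below is an added example (not Tokenmon's code) of the expansion just described: it takes the array argument of an <b>NtAdjustPrivilegesToken</b> call, plus the call's DisableAllPrivileges flag, and produces one "Enable"/"Disable" line per privilege. The LUID, LUID_AND_ATTRIBUTES and TOKEN_PRIVILEGES layouts and the SE_PRIVILEGE_ENABLED bit follow the DDK definitions, the privilege LUID values are the SE_*_PRIVILEGE constants from ntddk.h, and the request is constructed here so the code builds without the Windows SDK.</p>

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define SE_PRIVILEGE_ENABLED 0x00000002u   /* attribute bit, as in ntddk.h */
/* Minimal stand-ins for the DDK structures so this builds without the SDK. */
typedef struct { uint32_t LowPart; int32_t HighPart; } LUID;
typedef struct { LUID Luid; uint32_t Attributes; } LUID_AND_ATTRIBUTES;
typedef struct { uint32_t PrivilegeCount; LUID_AND_ATTRIBUTES Privileges[8]; } TOKEN_PRIVILEGES;

/* A few well-known privilege LUIDs (SE_*_PRIVILEGE values from ntddk.h). */
static const struct { uint32_t low; const char *name; } known[] = {
    { 7, "SeTcbPrivilege" },       { 10, "SeLoadDriverPrivilege" },
    { 17, "SeBackupPrivilege" },   { 18, "SeRestorePrivilege" },
    { 19, "SeShutdownPrivilege" }, { 20, "SeDebugPrivilege" }, { 23, "SeChangeNotifyPrivilege" },
};

static void luid_name(const LUID *l, char *buf, size_t n) {
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (l->HighPart == 0 && l->LowPart == known[i].low) { snprintf(buf, n, "%s", known[i].name); return; }
    snprintf(buf, n, "privilege LUID 0x%x:%x", (unsigned)l->HighPart, (unsigned)l->LowPart);
}

/* Expand one NtAdjustPrivilegesToken call into one line per privilege, the
 * way Tokenmon's output does. disable_all mirrors the DisableAllPrivileges
 * argument: when set, NT ignores the array and disables every privilege in
 * the token. Returns the number of lines written to out[]. */
static int describe_adjust(int disable_all, const TOKEN_PRIVILEGES *tp,
                           char out[][64], int max_lines) {
    if (disable_all) { snprintf(out[0], 64, "Disable all privileges"); return 1; }
    int n = 0;
    for (uint32_t i = 0; i < tp->PrivilegeCount && n < max_lines; i++) {
        char name[48];
        luid_name(&tp->Privileges[i].Luid, name, sizeof name);
        int enable = (tp->Privileges[i].Attributes & SE_PRIVILEGE_ENABLED) != 0;
        snprintf(out[n++], 64, "%s %s", enable ? "Enable" : "Disable", name);
    }
    return n;
}

int main(void) {   /* constructed request: enable SeDebugPrivilege, disable SeBackupPrivilege */
    TOKEN_PRIVILEGES tp = { 2, { { { 20, 0 }, SE_PRIVILEGE_ENABLED }, { { 17, 0 }, 0 } } };
    char lines[8][64];
    for (int i = 0, n = describe_adjust(0, &tp, lines, 8); i < n; i++) puts(lines[i]);
    return 0;
}
```

An "Enable SeDebugPrivilege" or "Enable SeTcbPrivilege" line from an unexpected process is the kind of row this expansion makes easy to spot when reviewing a capture.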
<p><i>Tokenmon</i> uses the <b>PsSetCreateProcessNotifyRoutine</b>
kernel function, which is documented in the Windows
2000 DDK (but available on NT 4), to register
a callback function whenever a process starts
or exits. </p>
<p>Finally, there are several functions that applications
can use to impersonate another user. <i>Tokenmon</i>
hooks <b>NtSetInformationThread</b>, a variant
of which is the native API-equivalent of the <b>ImpersonateLoggedOnUser</b>
and <b>ImpersonateSelf</b> Win32 APIs, the FSCTL_PIPE_IMPERSONATE
variant of <b>NtFsControlFile</b> (the native-equivalent
of <b>ImpersonateNamedPipeClient</b>), and <b>NtImpersonateClientOfPort</b>,
which is called by applications using the Local
Procedure Call (LPC) facility and local RPC for
impersonating the remote end of an LPC connection.</p>
<p><i>Tokenmon</i> relies on several undocumented
SRM functions to obtain a logon ID from a thread's
primary and impersonation tokens, and <b>GetSecurityUserInfo</b>,
an undocumented function exported by the <i>KSecDD</i>
(Kernel Security-support driver) that retrieves
a logon session user's name, domain name, and
logon server given a logon ID. Another interesting
implementation detail is that several of the native
API functions that <i>Tokenmon</i> hooks are not
exported by ntoskrnl.exe for use by drivers. Thus,
the <i>Tokenmon</i> GUI must reach into NTDLL.DLL,
extract their system call numbers, and pass them
to the driver. This contrasts with <a href="../../ntw2k/source/regmon.shtml">Regmon</a>,
which reaches into ntoskrnl.exe using Registry
function exports to obtain system call numbers.</p>
<p>See <a
href="../../insidew2k.shtml">Inside Windows 2000, 3rd Edition</a> by David Solomon
and Mark Russinovich (Microsoft Press) for more
information on the Windows NT/2000 security subsystem.</p>
</td>
</tr>
<tr>
<td colspan="3" height="40" valign="middle"><span class='sectionheader'>Related
Utilities </span></td>
</tr>
<tr>
<td valign="TOP" colspan="3" align="left"> Here are
some other monitoring tools available at Sysinternals:
<ul>
<li><a href="../../ntw2k/source/regmon.shtml">Regmon</a>
- a Registry monitor</li>
<li><a href="../../ntw2k/source/filemon.shtml">Filemon</a>
- a file system monitor</li>
<li><a href="../../ntw2k/freeware/tdimon.shtml">TDImon</a>
- a TCP/IP monitor</li>
<li><a href="../../ntw2k/freeware/portmon.shtml">Portmon</a>
- a serial and parallel port monitor</li>
<li><a href="../../ntw2k/freeware/pmon.shtml">PMon</a>
- a process and thread monitor (NT/Win2K)</li>
<li><a href="../../ntw2k/freeware/diskmon.shtml">Diskmon</a>
- a hard disk monitor (NT/Win2K)</li>
<li><a href="../../ntw2k/freeware/debugview.shtml">DebugView/EE</a>
- a debug output monitor</li>
</ul>
</td>
</tr>
<tr>
<td colspan="3" height="40" valign="middle" align="center">
<p> </p>
<p><a href="../../files/TOKENMON.ZIP"><b>Download Tokenmon
(60 KB)</b></a></p>
<a href="../../files/TOKENSRC.ZIP"><b>Download Tokenmon
plus Source (190 KB)</b></a> <br>
<br>
<a href="#top"><b>Back to Top</b></a> </td>
</tr>
</table>
</td>
</tr>
</table>
</TD>
</TR>
</TABLE>
<!-- #EndEditable --></td>
</tr>
</table>
</td>
</tr>
</table>
</body>
<!-- #EndTemplate --></html>