2.4. Token
This module exposes the Token object that can be primarily retrieved through:
Note
If you need to directly access the Token class, please use windows.security.Token as the path of token.py may change.
Indeed SecurityDescriptor & Token are deeply related and I may move token.py to a security/ directory in the future.
Note
See sample Token
2.4.1. Token
class windows.winobject.token.Token(handle)
Represent a Windows Token. The attributes only documented by a type are from the TOKEN_INFORMATION_CLASS; such return values may be improved versions of the structure.
- TokenAccessInformation
- TokenAppContainerNumber
  DWORD
- TokenAppContainerSid
- TokenCapabilities
- TokenDefaultDacl
- TokenDeviceClaimAttributes
- TokenDeviceGroups
- TokenElevation
- TokenElevationType
- TokenGroups
- TokenGroupsAndPrivileges
- TokenHasRestrictions
  DWORD
- TokenImpersonationLevel
- TokenIntegrityLevel
- TokenIsAppContainer
  DWORD
- TokenLinkedToken
- TokenLogonSid
- TokenMandatoryPolicy
- TokenOrigin
- TokenOwner
- TokenPrimaryGroup
- TokenPrivileges
- TokenRestrictedDeviceGroups
- TokenRestrictedSids
  TokenGroups
- TokenSandBoxInert
  DWORD
- TokenSecurityAttributes
- TokenSessionId
  DWORD
- TokenSource
- TokenStatistics
- TokenType
- TokenUIAccess
  DWORD
- TokenUser
- TokenUserClaimAttributes
- TokenVirtualizationAllowed
  DWORD
- TokenVirtualizationEnabled
  DWORD
- access_information
  Alias for TokenAccessInformation (type may change in the future for improved struct)
- adjust_privileges(privileges)
  Adjust the token privileges according to privileges. This is the more complex API, used to adjust multiple privileges at once. To simply enable one privilege see enable_privilege().
  Parameters: privileges – TOKEN_PRIVILEGES (or subclass as TokenPrivileges). To easily update your token privileges use the result of privileges.
  Example:
  >>> import windows
  >>> import windows.generated_def as gdef
  >>> tok = windows.current_process.token
  >>> privs = tok.privileges
  >>> privs["SeShutdownPrivilege"] = gdef.SE_PRIVILEGE_ENABLED
  >>> privs["SeUndockPrivilege"] = gdef.SE_PRIVILEGE_ENABLED
  >>> tok.adjust_privileges(privs)
- appcontainer_number
  Alias for TokenAppContainerNumber (type may change in the future for improved struct)
- authentication_id
  The AuthenticationId specifies a unique identifier assigned to the session this token represents. There can be many tokens representing a single logon session.
  Type: int
- capabilities
  Alias for TokenCapabilities (type may change in the future for improved struct)
- default_dacl
  The default DACL of the token
  Type: windows.security.Acl
- duplicate(access_rigth=MAXIMUM_ALLOWED(0x2000000), attributes=None, type=None, impersonation_level=None)
  Duplicate the token into a new Token.
  Parameters:
  - type – The type of token: TokenPrimary(0x1L) or TokenImpersonation(0x2L)
  - impersonation_level – The SECURITY_IMPERSONATION_LEVEL for a TokenImpersonation(0x2L):
    - If type is TokenPrimary(0x1L) this parameter is ignored if None or used as-is.
    - If type is TokenImpersonation(0x2L) and this parameter is None, self.impersonation_level is used.
    - If type is TokenImpersonation(0x2L) and our Token is a TokenPrimary(0x1L) this parameter MUST be provided
  Returns: Token - The duplicate token
  Example:
  >>> tok
  <Token TokenId=0x39d6dde5 Type=TokenPrimary(0x1L)>
  >>> tok.duplicate()
  <Token TokenId=0x39d7b206 Type=TokenPrimary(0x1L)>
  >>> tok.duplicate(type=gdef.TokenImpersonation)
  ...
  ValueError: Duplicating a PrimaryToken as a TokenImpersonation require explicit <impersonation_level> parameter
  >>> tok.duplicate(type=gdef.TokenImpersonation, impersonation_level=gdef.SecurityImpersonation)
  <Token TokenId=0x39dadbf8 Type=TokenImpersonation(0x2L) ImpersonationLevel=SecurityImpersonation(0x2L)>
- elevated
  True if token is an elevated token
- elevation_type
  The elevation type of the token.
  Type: int – Enum value from TOKEN_ELEVATION_TYPE
- enable_privilege(name)
  Enable privilege name in the token
  Raises: ValueError if Token has no privilege name
groups
¶ Alias for TokenGroups (type may change in the future for improved struct)
-
groups_and_privileges
¶ Alias for TokenGroupsAndPrivileges (type may change in the future for improved struct)
-
handle
¶ An handle on the object
Type: HANDLE
Note
The handle is automaticaly closed when the object is destroyed
-
has_restriction
¶ Alias for TokenHasRestrictions (type may change in the future for improved struct)
-
id
¶ The TokenId Specifies an unique identifier that identifies this instance of the token object.
Type: int
-
impersonation_level
¶ The impersonation level of a
TokenImpersonation
token.Raises: WindowsError
if token is not aTokenImpersonation
Type: int
– Enum value fromSECURITY_IMPERSONATION_LEVEL
-
integrity
¶ The integrity of the token as an int (extracted from integrity PSID)
Getter: get_integrity()
Setter: set_integrity()
-
integrity_level
¶ The integrity level and attributes of the token
Type: windows.generated_def.winstructs.SID_AND_ATTRIBUTES
-
is_appcontainer
¶ Alias for TokenIsAppContainer (type may change in the future for improved struct)
-
is_elevated
¶ Alias for
elevated
deprecated and may disapear
-
logon_sid
¶ The logon sid of the token. (Case of multiple logon sid not handled and will raise AssertionError)
Type: windows.generated_def.winstructs.SID_AND_ATTRIBUTES
-
mandatory_policy
¶ mandatory integrity access policy for the associated token
Type: int
– see [MSDN] mandatory policy
-
modified_id
¶ The ModifiedId Specifies an unique identifier that changes each time the token is modified.
Type: int
-
privileges
¶ Alias for
TokenPrivileges
Type: TokenPrivileges
-
restricted_sids
¶ Alias for TokenRestrictedSids (type may change in the future for improved struct)
-
sandbox_inert
¶ Alias for TokenSandBoxInert (type may change in the future for improved struct)
-
security_attributes
¶ The security attributes of the token
Type: [ TokenSecurityAttributeV1
] - A list of token security attributes
-
session_id
¶ Alias for TokenSessionId (type may change in the future for improved struct)
-
statistics
¶ Alias for TokenStatistics (type may change in the future for improved struct)
-
type
¶ The type (Primary / Impersonation) of the token
-
ui_access
¶ Alias for TokenUIAccess (type may change in the future for improved struct)
-
virtualization_allowed
¶ Alias for TokenVirtualizationAllowed (type may change in the future for improved struct)
-
virtualization_enabled
¶ Alias for TokenVirtualizationEnabled (type may change in the future for improved struct)
-
wait
(timeout=INFINITE(0xffffffff))¶ Wait for the object
-
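The integrity property above is documented as an int extracted from the integrity PSID. The following added example (not part of PythonForWindows; the function names and sample bytes are constructed here) decodes a binary SID in pure Python and returns that int together with the well-known level it falls under, rejecting SIDs that are not mandatory labels.

```python
import struct

# Well-known mandatory-label RIDs (SECURITY_MANDATORY_*_RID in winnt.h).
INTEGRITY_NAMES = {
    0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium",
    0x2100: "MediumPlus", 0x3000: "High", 0x4000: "System",
    0x5000: "ProtectedProcess",
}
MANDATORY_LABEL_AUTHORITY = 16  # integrity SIDs have the form S-1-16-<rid>

# Constructed sample: the 12-byte binary form of S-1-16-12288 (High).
SAMPLE_HIGH = bytes.fromhex("0101" "000000000010" "00300000")


def parse_sid(raw):
    """Decode a binary SID into (authority, [sub-authorities])."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15:
        raise ValueError("unsupported revision or sub-authority count")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")  # 48-bit, big-endian
    subs = list(struct.unpack_from("<%dI" % count, raw, 8))  # little-endian DWORDs
    return authority, subs


def sid_to_string(raw):
    """Render a binary SID in the usual S-1-<authority>-<sub>... form."""
    authority, subs = parse_sid(raw)
    return "-".join(["S-1", str(authority)] + [str(s) for s in subs])


def integrity_from_sid(raw):
    """Return (rid, name) for a mandatory-label SID; reject any other SID."""
    authority, subs = parse_sid(raw)
    if authority != MANDATORY_LABEL_AUTHORITY or len(subs) != 1:
        raise ValueError("not a mandatory-label SID: " + sid_to_string(raw))
    rid = subs[0]
    # Naming convention of this example: a RID between two well-known
    # values is reported under the nearest well-known level below it.
    floor = max(k for k in INTEGRITY_NAMES if k <= rid)
    return rid, INTEGRITY_NAMES[floor]


if __name__ == "__main__":
    print(sid_to_string(SAMPLE_HIGH), integrity_from_sid(SAMPLE_HIGH))
```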
2.4.2. TokenGroups
class windows.winobject.token.TokenGroups
Bases: windows.generated_def.winstructs._TOKEN_GROUPS
- sids_and_attributes
  The sids and attributes of each group
  Type: [SID_AND_ATTRIBUTES] - A list of SID_AND_ATTRIBUTES
2.4.3. TokenPrivileges
class windows.winobject.token.TokenPrivileges
Bases: windows.generated_def.winstructs._TOKEN_PRIVILEGES
Improved TOKEN_PRIVILEGES usable like a mapping
- __getitem__(name)
  Retrieve the attribute value for privilege name
  Raises: KeyError if privilege name not in the TokenPrivileges
  Returns: int
- __setitem__(name, value)
  Set the attribute value for privilege name
  Raises: KeyError if privilege name not in the TokenPrivileges
- all()
  The list of all privileges
  Returns: [LUID_AND_ATTRIBUTES] - A list of LUID_AND_ATTRIBUTES
2.4.4. TokenSecurityAttributesInformation
class windows.winobject.token.TokenSecurityAttributesInformation
Bases: windows.generated_def.winstructs._TOKEN_SECURITY_ATTRIBUTES_INFORMATION
- attributes
  Return all the attributes as TokenSecurityAttributeV1
  Type: [TokenSecurityAttributeV1] - A list of token security attributes