Token Theft

Steal and impersonate process tokens to launch new processes under different security contexts.

Privilege Escalation

Token theft can be used to escalate privileges. Only use on systems you own or have explicit permission to test.

Algorithm

The steal_token() function performs the following steps:

OpenProcess with PROCESS_QUERY_LIMITED_INFORMATION
OpenProcessToken to obtain the target's primary token
DuplicateTokenEx(SecurityAnonymous, TokenPrimary) to create a usable copy
Enable SeAssignPrimaryTokenPrivilege via AdjustTokenPrivileges
ImpersonateLoggedOnUser to impersonate the token
CreateProcessAsUserW to spawn a new process under the stolen token
RevertToSelf to restore the original security context

Usage

Right-click on a process in the Process tab
Navigate to Miscellaneous → Steal Token
In the Token Thief window:
- • Source process name and PID are displayed
- • Select the executable to launch under the stolen token
- • Optionally provide command line arguments
Click Steal Token
Success shows the new process PID/TID

Common Targets

Useful token sources for privilege escalation research:

• SYSTEM processes — winlogon.exe, lsass.exe, services.exe
• Service accounts — Processes running as LocalService or NetworkService
• Elevated processes — Any process running with administrator privileges

Required Privileges

Token theft requires the following privileges (typically available to administrators):

• SeDebugPrivilege — To open processes with limited access
• SeAssignPrimaryTokenPrivilege — To assign tokens to new processes
• SeImpersonatePrivilege — To impersonate tokens

Implementation

Item	Value
File	crates/misc/src/token.rs
Function	steal_token(pid, exe_path, args)
UI Component	token_thief_window.rs