获取服务进程server.exe的pid(0号崩溃)
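// Locate services.exe in a Toolhelp process snapshot and resolve the account
// it runs as, using the undocumented Winsta.dll / utildll.dll exports
// WinStationGetProcessSid and CachedGetUserFromSid.
#include "stdafx.h"
#include <windows.h>
#include <iostream>
#include <COMDEF.H>
#include <stdio.h>
#include <stdlib.h>
#include <Tlhelp32.h>
#include <vector>

using namespace std;

typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

// Record returned by NtQuerySystemInformation(SystemProcessInformation).
// Member names are kept from the original; the pointer-sized members
// (UniqueProcessId, Reserved2, Reserved3, PeakWorkingSetSize, WorkingSetSize)
// use ULONG_PTR / SIZE_T as in the public winternl.h layout. With plain DWORD
// members the x64 offsets are wrong and dwProcessId reads alignment padding;
// the x86 layout is unchanged by this.
typedef struct _SYSTEM_PROCESS_INFORMATION
{
    DWORD          dwNextEntryOffset;
    DWORD          dwNumberOfThreads;
    LARGE_INTEGER  qSpareLi1;
    LARGE_INTEGER  qSpareLi2;
    LARGE_INTEGER  qSpareLi3;
    LARGE_INTEGER  qCreateTime;
    LARGE_INTEGER  qUserTime;
    LARGE_INTEGER  qKernelTime;
    UNICODE_STRING ImageName;
    int            nBasePriority;
    ULONG_PTR      dwProcessId;                    // HANDLE UniqueProcessId
    ULONG_PTR      dwInheritedFromUniqueProcessId; // PVOID Reserved2
    DWORD          dwHandleCount;
    DWORD          dwSessionId;
    ULONG_PTR      dwSpareUl3;                     // PVOID Reserved3
    SIZE_T         tPeakVirtualSize;
    SIZE_T         tVirtualSize;
    DWORD          dwPageFaultCount;
    SIZE_T         dwPeakWorkingSetSize;
    SIZE_T         dwWorkingSetSize;
    SIZE_T         tQuotaPeakPagedPoolUsage;
    SIZE_T         tQuotaPagedPoolUsage;
    SIZE_T         tQuotaPeakNonPagedPoolUsage;
    SIZE_T         tQuotaNonPagedPoolUsage;
    SIZE_T         tPagefileUsage;
    SIZE_T         tPeakPagefileUsage;
    SIZE_T         tPrivatePageCount;
    LARGE_INTEGER  qReadOperationCount;
    LARGE_INTEGER  qWriteOperationCount;
    LARGE_INTEGER  qOtherOperationCount;
    LARGE_INTEGER  qReadTransferCount;
    LARGE_INTEGER  qWriteTransferCount;
    LARGE_INTEGER  qOtherTransferCount;
} SYSTEM_PROCESS_INFORMATION;

/*----------------------------------------------------
 Purpose : Resolve an export from a system DLL, loading the module if needed.
 Params  : pDllName  - module file name
           pProcName - exported function name
 Returns : address of the export, or NULL if the module or export is missing
 Note    : the module is loaded with LOAD_LIBRARY_SEARCH_SYSTEM32 so only the
           copy in System32 is used; with plain LoadLibrary a same-named DLL
           next to the executable or on PATH would be picked up instead of
           NTDLL / Winsta / utildll. The flag is rejected on systems that
           predate the safe-search LoadLibraryEx update, in which case this
           function returns NULL. The module handle is intentionally never
           freed: callers keep using the resolved function.
----------------------------------------------------*/
VOID* GetDllProc(const TCHAR* pDllName, const CHAR* pProcName)
{
    HMODULE hMod = LoadLibraryEx(pDllName, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
    if (hMod == NULL)
        return NULL;
    return GetProcAddress(hMod, pProcName);
}

// Function-pointer types for the dynamically resolved exports.
typedef LONG(WINAPI* Fun_NtQuerySystemInformation)(int SystemInformationClass,
                                                    OUT PVOID SystemInformation,
                                                    IN ULONG SystemInformationLength,
                                                    OUT ULONG* pReturnLength OPTIONAL);
typedef BYTE(WINAPI* Fun_WinStationGetProcessSid)(HANDLE hServer, DWORD ProcessId,
                                                   FILETIME ProcessStartTime,
                                                   PBYTE pProcessUserSid, PDWORD dwSidSize);
typedef VOID(WINAPI* Fun_CachedGetUserFromSid)(PSID pSid, PWCHAR pUserName, PULONG cbUserName);

#define STATUS_INFO_LENGTH_MISMATCH ((LONG)0xC0000004L)
#define SystemProcessInformation 5

/*------------------------------------------------------------------
 Purpose : Fetch the system process list via NtQuerySystemInformation.
 Params  : ppSysProcInfo - receives a malloc()'d buffer holding the
           SYSTEM_PROCESS_INFORMATION chain; the caller must free() it.
 Returns : TRUE on success, FALSE if ntdll cannot be resolved, memory
           runs out, or the query fails. *ppSysProcInfo is NULL on failure.
--------------------------------------------------------------------*/
BOOL GetSysProcInfo(SYSTEM_PROCESS_INFORMATION** ppSysProcInfo)
{
    if (ppSysProcInfo == NULL)
        return FALSE;
    *ppSysProcInfo = NULL;

    Fun_NtQuerySystemInformation _NtQuerySystemInformation =
        (Fun_NtQuerySystemInformation)::GetDllProc(TEXT("NTDLL.DLL"), "NtQuerySystemInformation");
    if (_NtQuerySystemInformation == NULL)
        return FALSE;

    // Start at 1 MiB and double until the buffer is large enough.
    DWORD dwSize = 1024 * 1024;
    VOID* pBuf = NULL;
    LONG lRetVal;
    for (;;)
    {
        free(pBuf);
        pBuf = malloc(dwSize);
        if (pBuf == NULL)   // the original handed a NULL buffer to ntdll here
            return FALSE;
        lRetVal = _NtQuerySystemInformation(SystemProcessInformation, pBuf, dwSize, NULL);
        if (lRetVal != STATUS_INFO_LENGTH_MISMATCH)
            break;
        if (dwSize > MAXDWORD / 2)   // doubling would wrap to 0
        {
            free(pBuf);
            return FALSE;
        }
        dwSize *= 2;
    }

    if (lRetVal == 0)
    {
        *ppSysProcInfo = (SYSTEM_PROCESS_INFORMATION*)pBuf;
        return TRUE;
    }
    free(pBuf);
    return FALSE;
}

/*------------------------------------------------------------------
 Purpose : Resolve the account name a process runs under.
 Params  : dwPid     - process id to look up
           pbStrUser - receives the user name on success
 Returns : TRUE on success; FALSE if the Winsta/utildll exports are
           unavailable, the pid is not in the process list, or the SID or
           name lookup fails.
 Note    : WinStationGetProcessSid is keyed on (pid, creation time), so the
           creation time is taken from the process list first; this keeps a
           recycled pid from resolving to a different process.
--------------------------------------------------------------------*/
BOOL GetProcessUser(DWORD dwPid, _bstr_t* pbStrUser)
{
    if (pbStrUser == NULL)
        return FALSE;

    Fun_WinStationGetProcessSid _WinStationGetProcessSid =
        (Fun_WinStationGetProcessSid)GetDllProc(TEXT("Winsta.dll"), "WinStationGetProcessSid");
    Fun_CachedGetUserFromSid _CachedGetUserFromSid =
        (Fun_CachedGetUserFromSid)GetDllProc(TEXT("utildll.dll"), "CachedGetUserFromSid");
    if (_WinStationGetProcessSid == NULL || _CachedGetUserFromSid == NULL)
        return FALSE;

    SYSTEM_PROCESS_INFORMATION* pProcInfo = NULL;
    if (!GetSysProcInfo(&pProcInfo) || pProcInfo == NULL)
        return FALSE;

    // Walk the entry chain to find dwPid and capture its creation time.
    FILETIME ftStartTime = { 0 };
    BOOL bFind = FALSE;
    for (SYSTEM_PROCESS_INFORMATION* pCur = pProcInfo; ; )
    {
        if (pCur->dwProcessId == dwPid)
        {
            memcpy(&ftStartTime, &pCur->qCreateTime, sizeof(ftStartTime));
            bFind = TRUE;
            break;
        }
        if (pCur->dwNextEntryOffset == 0)
            break;
        pCur = (SYSTEM_PROCESS_INFORMATION*)((BYTE*)pCur + pCur->dwNextEntryOffset);
    }
    free(pProcInfo);   // the original never released this once the pid was found
    if (!bFind)
        return FALSE;

    // Sizing call: a NULL buffer reports the SID length. The original treats
    // a non-zero return from this call as failure, which is preserved.
    DWORD dwSidSize = 0;
    BYTE cRetVal = _WinStationGetProcessSid(NULL, dwPid, ftStartTime, NULL, &dwSidSize);
    if (cRetVal != 0 || dwSidSize == 0)
        return FALSE;

    std::vector<BYTE> sid(dwSidSize);
    cRetVal = _WinStationGetProcessSid(NULL, dwPid, ftStartTime, sid.data(), &dwSidSize);
    if (cRetVal == 0)
        return FALSE;

    // The original passed the SID size as the name-buffer size. The typedef
    // names the parameter cbUserName, so the buffer size in bytes is used.
    // NOTE(review): undocumented export — confirm whether it expects bytes
    // or characters.
    WCHAR szUserName[1024] = { 0 };
    ULONG cbUserName = sizeof(szUserName);
    _CachedGetUserFromSid(sid.data(), szUserName, &cbUserName);
    if (cbUserName == 0 || szUserName[0] == L'\0')
        return FALSE;

    *pbStrUser = szUserName;
    return TRUE;
}

/*------------------------------------------------------------------
 Purpose : Enable SeDebugPrivilege on the current process token so that
           processes of other accounts can be queried.
 Returns : TRUE only when the privilege is actually enabled.
           AdjustTokenPrivileges returns success even when the token does
           not hold the privilege (GetLastError() == ERROR_NOT_ALL_ASSIGNED),
           so the error code is checked as well.
--------------------------------------------------------------------*/
BOOL AdjustPrivilege()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        printf("OpenProcessToken error\n");
        return FALSE;
    }

    BOOL bEnabled = FALSE;
    LUID myLUID;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &myLUID))
    {
        TOKEN_PRIVILEGES tp = { 0 };
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = myLUID;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL)
            && GetLastError() == ERROR_SUCCESS)
        {
            bEnabled = TRUE;
        }
    }
    CloseHandle(hToken);
    return bEnabled;
}

/*------------------------------------------------------------------
 Purpose : Find services.exe in a process snapshot, print its pid and the
           account it runs as.
 Returns : 0 when the process was found and its owner resolved, 1 otherwise.
 Note    : the original looped over the snapshot without reading it and
           called GetProcessUser with a hard-coded pid (804) on every
           iteration; the snapshot entry name is compared here instead.
--------------------------------------------------------------------*/
int main()
{
    const TCHAR szProcessName[] = TEXT("services.exe");

    // Requested before touching other processes; not fatal if it fails,
    // the caller may already hold the privilege.
    AdjustPrivilege();

    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); // process snapshot
    if (hProcessSnap == INVALID_HANDLE_VALUE)
        return 1;

    BOOL bFind = FALSE;
    DWORD dwPid = 0;
    PROCESSENTRY32 pe32 = { 0 };
    pe32.dwSize = sizeof(pe32);
    for (BOOL bResult = Process32First(hProcessSnap, &pe32);
         bResult;
         bResult = Process32Next(hProcessSnap, &pe32))
    {
        if (lstrcmpi(pe32.szExeFile, szProcessName) == 0)
        {
            dwPid = pe32.th32ProcessID;
            bFind = TRUE;
            break;
        }
    }
    CloseHandle(hProcessSnap);   // the original never closed the snapshot handle

    if (!bFind)
        return 1;

    _bstr_t bs;
    if (!GetProcessUser(dwPid, &bs))
    {
        printf("pid=%lu (owner lookup failed)\n", (unsigned long)dwPid);
        return 1;
    }
    printf("pid=%lu user=%ls\n", (unsigned long)dwPid, (const wchar_t*)bs);
    return 0;
}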