R0和R3下得到当前用户的SID

R0下需要attach到一个用户进程,取其SID

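NTSTATUS
GetUserName(
    char* a
    )
/*++
Routine Description:
    Kernel-mode (R0) helper. Reads the user SID of the current thread's
    impersonation token (falling back to the current process token) and
    copies it, as a NUL-terminated UNICODE (WCHAR) string such as
    L"S-1-5-21-...", into the caller's buffer. From R0 the caller usually
    attaches to the target user process first so the process token is
    that user's (see the surrounding text).

Arguments:
    a - [OUT] Caller-supplied buffer of at least SID_STRING_BUFFER_BYTES
        bytes. On success it receives the NUL-terminated WCHAR SID string.
        (The previous version assigned the address of a local array to this
        by-value parameter, so nothing ever reached the caller; the buffer
        contents are now copied out instead.)

Return Value:
    STATUS_SUCCESS on success.
    STATUS_INVALID_PARAMETER if a is NULL.
    STATUS_INSUFFICIENT_RESOURCES if pool allocation fails.
    STATUS_UNSUCCESSFUL if the token query fails (kept from the original).
    Otherwise the NTSTATUS of the failing token-open or SID-conversion call.
--*/
{
    enum {
        SID_STRING_BUFFER_BYTES = 512,     /* room for the longest SID string plus NUL */
        TOKEN_INFO_INITIAL_BYTES = 0x1000  /* first guess for the TOKEN_USER blob */
    };

    NTSTATUS       status = STATUS_SUCCESS;
    HANDLE         TokenHandle = NULL;
    ULONG          ReturnLength = 0;
    ULONG          size = 0;
    UNICODE_STRING SidString;
    PTOKEN_USER    TokenInformation = NULL;
    char           SidStringBuffer[SID_STRING_BUFFER_BYTES];

    if (a == NULL) {
        return STATUS_INVALID_PARAMETER;
    }

    /* Prefer the thread's impersonation token (OpenAsSelf = TRUE so the
       check is done against the process identity, not the impersonated one). */
    status = ZwOpenThreadTokenEx(NtCurrentThread(),
                                 TOKEN_READ,
                                 TRUE,
                                 OBJ_KERNEL_HANDLE,
                                 &TokenHandle);

    if (!NT_SUCCESS(status)) {
        /* No impersonation token on this thread: use the process token. */
        status = ZwOpenProcessTokenEx(NtCurrentProcess(),
                                      TOKEN_READ,
                                      OBJ_KERNEL_HANDLE,
                                      &TokenHandle);

        if (!NT_SUCCESS(status)) {
            return status;
        }
    }

    /* Fetch TOKEN_USER, growing the buffer until it fits. Every allocation
       is checked: the original passed a possibly-NULL pool pointer on. */
    size = TOKEN_INFO_INITIAL_BYTES;
    TokenInformation = ExAllocatePool(NonPagedPool, size);
    if (TokenInformation == NULL) {
        ZwClose(TokenHandle);
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    for (;;) {
        /* Zw* (not Nt*) from kernel code: it runs with PreviousMode ==
           KernelMode, which a handle opened with OBJ_KERNEL_HANDLE requires. */
        status = ZwQueryInformationToken(TokenHandle,
                                         TokenUser,
                                         TokenInformation,
                                         size,
                                         &ReturnLength);

        if (status != STATUS_BUFFER_TOO_SMALL) {
            break;
        }

        ExFreePool(TokenInformation);
        /* Use the size the kernel reported when it is larger; otherwise double. */
        size = (ReturnLength > size) ? ReturnLength : size * 2;
        TokenInformation = ExAllocatePool(NonPagedPool, size);
        if (TokenInformation == NULL) {
            ZwClose(TokenHandle);
            return STATUS_INSUFFICIENT_RESOURCES;
        }
    }

    ZwClose(TokenHandle);

    if (!NT_SUCCESS(status)) {
        DbgPrint(" ZwQueryInformationToken error\n");
        ExFreePool(TokenInformation);
        return STATUS_UNSUCCESSFUL;
    }

    /* Convert the SID in place into the zeroed local buffer. MaximumLength
       leaves one WCHAR of the zero-filled buffer untouched so the result is
       always NUL-terminated. */
    RtlZeroMemory(SidStringBuffer, sizeof(SidStringBuffer));
    SidString.Buffer = (PWCHAR)SidStringBuffer;
    SidString.Length = 0;
    SidString.MaximumLength = (USHORT)(sizeof(SidStringBuffer) - sizeof(WCHAR));

    status = RtlConvertSidToUnicodeString(&SidString,
                                          TokenInformation->User.Sid,
                                          FALSE);

    ExFreePool(TokenInformation);

    if (!NT_SUCCESS(status)) {
        return status;
    }

    DbgPrint("sudami's PC Name: %ws\n", SidStringBuffer);

    /* Copy the whole (NUL-terminated) buffer to the caller's storage. */
    RtlCopyMemory(a, SidStringBuffer, sizeof(SidStringBuffer));
    return STATUS_SUCCESS;
}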

(2.) R3下方便很多:

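int GetUserName ()
/*
 * User-mode (R3) variant: prints the SID string of the current process
 * token in ConvertSidToStringSidA form (e.g. "S-1-5-21-...") and waits
 * for a keypress.
 *
 * Returns 0 on every path, exactly as the original did; callers cannot
 * distinguish success from failure by the return value (the result is
 * only printed). Kept that way so existing callers are unaffected.
 */
{
    /* GetCurrentProcess() yields a pseudo-handle: never NULL, and
       CloseHandle on it is a harmless no-op (kept for symmetry). */
    HANDLE hProcess = GetCurrentProcess();
    if (!hProcess) {
        return 0;
    }

    HANDLE hToken = NULL;
    if (!OpenProcessToken(hProcess, TOKEN_QUERY, &hToken) || !hToken) {
        CloseHandle(hProcess);
        return 0;
    }

    /* TOKEN_USER holds a single SID_AND_ATTRIBUTES; a SID is at most
       SECURITY_MAX_SID_SIZE bytes, so a fixed 256-byte buffer suffices. */
    DWORD dwTemp = 0;
    char tagTokenInfoBuf[256] = {0};
    PTOKEN_USER tagTokenInfo = (PTOKEN_USER)tagTokenInfoBuf;
    if (!GetTokenInformation(hToken, TokenUser, tagTokenInfoBuf,
                             sizeof(tagTokenInfoBuf), &dwTemp)) {
        CloseHandle(hToken);
        CloseHandle(hProcess);
        return 0;
    }

    /* The export resolved below is the ANSI variant, so its output is a
       char string (LPSTR) regardless of the UNICODE build setting; that is
       what the "%s" below expects. */
    typedef BOOL (WINAPI* PtrConvertSidToStringSid)(
        PSID Sid,
        LPSTR* StringSid
        );

    /* advapi32 is already mapped (OpenProcessToken lives there), so resolve
       the export from the loaded module: no LoadLibrary reference to leak
       and no DLL search-path lookup by name. */
    HMODULE hAdvapi = GetModuleHandleA("Advapi32.dll");
    PtrConvertSidToStringSid dwPtr = NULL;
    if (hAdvapi != NULL) {
        dwPtr = (PtrConvertSidToStringSid)GetProcAddress(hAdvapi, "ConvertSidToStringSidA");
    }

    /* Original called the resolved pointer and printed MySid unconditionally;
       a failed lookup or conversion would have dereferenced NULL. */
    LPSTR MySid = NULL;
    if (dwPtr != NULL && dwPtr(tagTokenInfo->User.Sid, &MySid) && MySid != NULL) {
        printf("sudami's PC Name:\n%s\n", MySid);
        getchar();
        LocalFree((HLOCAL)MySid);  /* ConvertSidToStringSid output is LocalAlloc'd */
    }

    CloseHandle(hToken);
    CloseHandle(hProcess);

    return 0;
}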
