最近的項目需要得到目前使用者的 SID。

我用的方法比較山寨，就是枚舉 HKEY_USERS 下的所有鍵。此方法的優點是能一次列出多個 SID，但要注意：HKEY_USERS 只包含目前已載入設定檔（profile hive）的帳戶（已登入的使用者、.DEFAULT，以及 S-1-5-18/19/20 這類服務帳戶），並不是本機上全部有效的 SID，而且它也無法告訴你哪一個才是「目前使用者」。
----------------------------------------------------------------------------------------------------------------------------------------
如果要獲得目前使用者的 SID，sudami 大牛的文章裡已經寫得很清楚了。
http://hi.baidu.com/sudami/blog/item/5ba21ceef587e1ffb3fb9541.html
Ring3
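/*
 * Ring3: print the SID of the account that owns the current process token.
 *
 * Opens the process token with TOKEN_QUERY (the least access needed for
 * GetTokenInformation), queries TokenUser, converts the SID to its
 * "S-1-5-..." string form through ConvertSidToStringSidA (resolved at run
 * time from Advapi32.dll, as in the original) and prints it.
 *
 * Returns 0 on every path (the original contract, kept for compatibility);
 * a failure is visible only as the absence of the printed line.
 *
 * NOTE(review): PtrConvertSidToStringSid is declared elsewhere in the file;
 * assumed to be BOOL (WINAPI *)(PSID, LPTSTR *) -- confirm.
 */
int GetUserName ()
{
    /* GetCurrentProcess() returns a pseudo-handle that is never NULL and
     * needs no CloseHandle, so it is used inline rather than stored. */
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken) || !hToken) {
        return 0;
    }

    /* TOKEN_USER is a SID_AND_ATTRIBUTES header followed by the SID body;
     * a SID is at most 68 bytes (SECURITY_MAX_SID_SIZE), so 256 bytes is
     * ample.  The union keeps the buffer correctly aligned for the pointer
     * inside TOKEN_USER instead of casting a plain char array. */
    union {
        TOKEN_USER hdr;
        char raw[256];
    } tokenInfoBuf = {0};
    PTOKEN_USER tokenInfo = &tokenInfoBuf.hdr;
    DWORD needed = 0;
    if (!GetTokenInformation(hToken, TokenUser, tokenInfo,
                             sizeof(tokenInfoBuf), &needed)) {
        CloseHandle(hToken);
        return 0;
    }
    CloseHandle(hToken);
    hToken = NULL;

    /* Resolve the converter dynamically (keeps the original's behaviour of
     * not importing it statically).  The explicit ANSI entry point is used
     * so the string type matches printf's %s regardless of UNICODE.
     * Advapi32 is a KnownDLL, so the bare name is not subject to
     * DLL search-order hijacking. */
    HMODULE hAdvapi = LoadLibraryA("Advapi32.dll");
    if (!hAdvapi) {
        return 0;
    }
    PtrConvertSidToStringSid pfnConvert =
        (PtrConvertSidToStringSid)GetProcAddress(hAdvapi, "ConvertSidToStringSidA");
    if (pfnConvert) {
        /* The original called through the pointer unchecked and printed a
         * NULL string when the conversion failed; both are guarded now. */
        char *sidString = NULL;
        if (pfnConvert(tokenInfo->User.Sid, (LPTSTR*)&sidString) && sidString) {
            printf("Current user's SID:%s\n", sidString);
            LocalFree((HLOCAL)sidString);   /* ConvertSidToStringSid allocates with LocalAlloc */
        }
    }
    FreeLibrary(hAdvapi);   /* the original leaked this reference */
    return 0;
}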
Ring0（需要先 attach 到目標使用者程序的上下文，例如用 KeStackAttachProcess；以下的 Zw* 呼叫必須在 PASSIVE_LEVEL 執行）：
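/*
 * Ring0: print the SID of the user owning the current thread's token.
 *
 * Must run at PASSIVE_LEVEL in the context of the target user process (the
 * caller attaches to it first).  The thread's impersonation token is tried
 * first and the primary process token is the fallback, so an impersonating
 * thread reports the impersonated user, not the process owner.
 *
 * Returns STATUS_SUCCESS when a SID was printed; otherwise the NTSTATUS of
 * the failed token open, STATUS_INSUFFICIENT_RESOURCES when pool allocation
 * fails, or STATUS_UNSUCCESSFUL when the query or the SID conversion fails.
 */
NTSTATUS
GetUserName()
{
    NTSTATUS status;
    HANDLE TokenHandle = NULL;
    PTOKEN_USER TokenInformation = NULL;
    ULONG size = 0x1000;        /* generous first guess; TOKEN_USER is well under this */
    ULONG ReturnLength = 0;
    UNICODE_STRING SidString;

    /* TOKEN_QUERY is all ZwQueryInformationToken needs; the original asked
     * for TOKEN_READ, whose extra STANDARD_RIGHTS_READ was never used. */
    status = ZwOpenThreadTokenEx(NtCurrentThread(),
                                 TOKEN_QUERY,
                                 TRUE,
                                 OBJ_KERNEL_HANDLE,
                                 &TokenHandle);
    if (!NT_SUCCESS(status)) {
        status = ZwOpenProcessTokenEx(NtCurrentProcess(),
                                      TOKEN_QUERY,
                                      OBJ_KERNEL_HANDLE,
                                      &TokenHandle);
        if (!NT_SUCCESS(status)) {
            return status;
        }
    }

    /* Query the token user.  Paged pool is fine because the Zw* calls above
     * already require PASSIVE_LEVEL.  On STATUS_BUFFER_TOO_SMALL grow to the
     * exact size the kernel reported instead of doubling blindly. */
    do {
        TokenInformation = (PTOKEN_USER)ExAllocatePoolWithTag(PagedPool, size, 'diSu');
        if (TokenInformation == NULL) {
            /* the original dereferenced a NULL pool pointer here */
            ZwClose(TokenHandle);
            return STATUS_INSUFFICIENT_RESOURCES;
        }
        status = ZwQueryInformationToken(TokenHandle,
                                         TokenUser,
                                         TokenInformation,
                                         size,
                                         &ReturnLength);
        if (status == STATUS_BUFFER_TOO_SMALL) {
            ExFreePoolWithTag(TokenInformation, 'diSu');
            TokenInformation = NULL;
            if (ReturnLength <= size) {
                /* the kernel must report a strictly larger requirement;
                 * anything else would loop forever */
                ZwClose(TokenHandle);
                return STATUS_UNSUCCESSFUL;
            }
            size = ReturnLength;
        }
    } while (status == STATUS_BUFFER_TOO_SMALL);
    ZwClose(TokenHandle);
    TokenHandle = NULL;

    if (!NT_SUCCESS(status)) {
        DbgPrint(" ZwQueryInformationToken error\n");
        ExFreePoolWithTag(TokenInformation, 'diSu');
        return STATUS_UNSUCCESSFUL;
    }

    /* AllocateDestinationString=TRUE: SidString owns its own copy, so the
     * token buffer can be released right away. */
    status = RtlConvertSidToUnicodeString(&SidString,
                                          TokenInformation->User.Sid,
                                          TRUE);
    ExFreePoolWithTag(TokenInformation, 'diSu');
    TokenInformation = NULL;
    if (!NT_SUCCESS(status)) {
        DbgPrint(" RtlConvertSidToUnicodeString error\n");
        return STATUS_UNSUCCESSFUL;
    }

    /* Print before freeing: the original freed SidString and then passed the
     * dangling buffer to DbgPrint (use-after-free). */
    DbgPrint("SID: %wZ\n", &SidString);
    RtlFreeUnicodeString(&SidString);
    return STATUS_SUCCESS;
}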
或者 attach 到使用者程序後，直接呼叫 ntoskrnl 匯出的 RtlFormatCurrentUserKeyPath：它回傳的是 \Registry\User\<SID> 形式的 UNICODE_STRING，從中截取最後一段就是 SID，用完記得用 RtlFreeUnicodeString 釋放～o(*.*)0