最近的项目需要得到当前用户的SID
我用的方法比较山寨,就是枚举HKEY_USERS下的所有键,此方法的优点是可以枚举出本机上全部有效的SID
----------------------------------------------------------------------------------------------------------------------------------------
如果要获得当前用户的SID,sudami大牛的文章里已经写得很清楚了。
http://hi.baidu.com/sudami/blog/item/5ba21ceef587e1ffb3fb9541.html
Ring3
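/*
 * Print the SID of the user that owns the current process (Ring3 / user mode).
 *
 * Opens the process token, queries TokenUser and converts the SID to its
 * string form with ConvertSidToStringSidA, which is resolved at run time
 * through the project-defined PtrConvertSidToStringSid typedef.
 *
 * Returns 0 on every path (the original contract); success is only
 * observable through the printed line.
 *
 * NOTE(review): <windows.h> defines GetUserName as a macro for
 * GetUserNameA/GetUserNameW, so this definition clashes with the Win32
 * prototype if that header is included — consider renaming.
 */
int GetUserName () {
    HANDLE hProcess = GetCurrentProcess();   /* pseudo-handle; CloseHandle on it is harmless */
    if (!hProcess) {
        return 0;
    }

    HANDLE hToken = NULL;
    if (!OpenProcessToken(hProcess, TOKEN_QUERY, &hToken) || !hToken) {
        CloseHandle(hProcess);
        return 0;
    }

    /* 32 * 8 = 256 bytes, enough for TOKEN_USER plus the largest SID. The
     * 64-bit element type keeps the pointer inside TOKEN_USER naturally
     * aligned, which a plain char array does not guarantee. */
    unsigned long long tagTokenInfoBuf[32] = {0};
    PTOKEN_USER tagTokenInfo = (PTOKEN_USER)tagTokenInfoBuf;
    DWORD dwTemp = 0;
    if (!GetTokenInformation(hToken, TokenUser, tagTokenInfoBuf, sizeof(tagTokenInfoBuf), &dwTemp)) {
        CloseHandle(hToken);
        CloseHandle(hProcess);
        return 0;
    }

    /* Advapi32 is a system KnownDLL, so the bare name resolves to the system
     * copy; linking ConvertSidToStringSidA directly (sddl.h / advapi32.lib)
     * would remove the run-time lookup entirely. The module reference from
     * LoadLibrary is never released, as in the original. */
    PtrConvertSidToStringSid pfnConvert = (PtrConvertSidToStringSid)GetProcAddress(
        LoadLibrary("Advapi32.dll"), "ConvertSidToStringSidA");
    if (!pfnConvert) {
        /* LoadLibrary or GetProcAddress failed; calling a NULL pointer would crash. */
        CloseHandle(hToken);
        CloseHandle(hProcess);
        return 0;
    }

    /* The ANSI export produces a char string, so keep a char* regardless of
     * UNICODE; the cast matches the typedef's parameter type. */
    char *MySid = NULL;
    if (pfnConvert(tagTokenInfo->User.Sid, (LPTSTR *)&MySid) && MySid) {
        printf("Current user's SID:%s\n", MySid);
        LocalFree((HLOCAL)MySid);   /* ConvertSidToStringSid allocates with LocalAlloc */
    }
    /* On failure nothing is printed: passing NULL to %s is undefined behavior. */

    CloseHandle(hToken);
    CloseHandle(hProcess);
    return 0;
}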
Ring0(需要Attach到用户进程下):
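/*
 * Print the SID of the user the current thread/process runs as (Ring0).
 *
 * Must run in the context of the target user process (the surrounding text
 * says to attach to it first) and at PASSIVE_LEVEL, as all Zw* calls
 * require. The thread token is tried first (OpenAsSelf = TRUE); the
 * process primary token is the fallback.
 *
 * Returns STATUS_SUCCESS after printing the SID with DbgPrint; otherwise
 * the failing NTSTATUS from the token open, STATUS_INSUFFICIENT_RESOURCES
 * on pool exhaustion, STATUS_UNSUCCESSFUL if the token query fails, or the
 * status of RtlConvertSidToUnicodeString if the conversion fails.
 */
NTSTATUS GetUserName() {
    NTSTATUS status;
    HANDLE TokenHandle = NULL;
    ULONG ReturnLength = 0;
    ULONG size;
    UNICODE_STRING SidString;
    PTOKEN_USER TokenInformation;

    status = ZwOpenThreadTokenEx(NtCurrentThread(), TOKEN_READ, TRUE, OBJ_KERNEL_HANDLE, &TokenHandle);
    if (!NT_SUCCESS(status)) {
        /* No impersonation token on this thread: use the primary token. */
        status = ZwOpenProcessTokenEx(NtCurrentProcess(), TOKEN_READ, OBJ_KERNEL_HANDLE, &TokenHandle);
        if (!NT_SUCCESS(status)) {
            return status;
        }
    }

    /* Query TokenUser, growing the buffer until it fits. On
     * STATUS_BUFFER_TOO_SMALL the required size is reported in ReturnLength;
     * fall back to doubling if that value does not exceed the current size. */
    size = 0x1000;
    TokenInformation = ExAllocatePool(NonPagedPool, size);
    for (;;) {
        if (TokenInformation == NULL) {
            /* Allocation failure would otherwise be dereferenced by the query. */
            ZwClose(TokenHandle);
            return STATUS_INSUFFICIENT_RESOURCES;
        }
        status = ZwQueryInformationToken(TokenHandle, TokenUser, TokenInformation, size, &ReturnLength);
        if (status != STATUS_BUFFER_TOO_SMALL) {
            break;
        }
        ExFreePool(TokenInformation);
        size = (ReturnLength > size) ? ReturnLength : size * 2;
        TokenInformation = ExAllocatePool(NonPagedPool, size);
    }
    ZwClose(TokenHandle);

    if (!NT_SUCCESS(status)) {
        DbgPrint(" ZwQueryInformationToken error\n");
        ExFreePool(TokenInformation);
        return STATUS_UNSUCCESSFUL;
    }

    /* AllocateDestinationString = TRUE: SidString.Buffer is pool memory that
     * RtlFreeUnicodeString must release — only after it has been printed.
     * If the conversion fails SidString is not valid and must not be freed. */
    status = RtlConvertSidToUnicodeString(&SidString, TokenInformation->User.Sid, TRUE);
    ExFreePool(TokenInformation);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    DbgPrint("SID: %wZ\n", &SidString);
    RtlFreeUnicodeString(&SidString);
    return STATUS_SUCCESS;
}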
或者在attach到用户进程后,直接调用已经导出的RtlFormatCurrentUserKeyPath就可以得到了~o(*.*)0