驱动中获得当前current user遇到的奇怪问题
为了得到 CurrentUser 的 SID(因为要操作
\\registry\\user\\下的键),所以写了个函数:
Quote:
NTSTATUS
GetUserName(
char* a
)
/*++
作者: sudami 08/03/04
参数:
a - [IN] [OUT] 得到current user的注册表内容
形式如下"\\REGISTRY\\USER\\S-XXX-XXX..."
功能:
--*/
{
NTSTATUS status = STATUS_SUCCESS;
HANDLE hProcess;
HANDLE TokenHandle;
ULONG ReturnLength;
ULONG size;
UNICODE_STRING SidString;
PTOKEN_USER TokenInformation;
char SidStringBuffer[512];
status = ZwOpenThreadTokenEx (NtCurrentThread(),
TOKEN_READ,
TRUE,
OBJ_KERNEL_HANDLE,
&TokenHandle);
if ( !NT_SUCCESS( status ) ) {
status = ZwOpenProcessTokenEx (NtCurrentProcess(),
TOKEN_READ,
OBJ_KERNEL_HANDLE,
&TokenHandle);
if ( !NT_SUCCESS( status )) {
return status;
}
}
// 获取token信息
size = 0x1000;
TokenInformation = ExAllocatePool( NonPagedPool, size );
do {
status = NtQueryInformationToken( TokenHandle,
TokenUser,
TokenInformation,
size,
&ReturnLength );
if (status == STATUS_BUFFER_TOO_SMALL) {
ExFreePool( TokenInformation );
size *= 2;
TokenInformation = ExAllocatePool( NonPagedPool, size );
}
else if ( !NT_SUCCESS (status) ) {
DbgPrint(
" ZwQueryInformationToken error\n");
ExFreePool( TokenInformation );
ZwClose( TokenHandle );
return STATUS_UNSUCCESSFUL;
}
}
while (status == STATUS_BUFFER_TOO_SMALL);
ZwClose( TokenHandle );
RtlZeroMemory( SidStringBuffer,
sizeof(SidStringBuffer) );
SidString.Buffer = (
PWCHAR)SidStringBuffer;
SidString.MaximumLength =
sizeof( SidStringBuffer );
status = RtlConvertSidToUnicodeString( &SidString,
((PTOKEN_USER)TokenInformation)->User.Sid,
FALSE );
ExFreePool( TokenInformation );
DbgPrint(
"sudami's PC Name: %ws\n", SidStringBuffer);
a = SidStringBuffer;
return STATUS_SUCCESS;
}
然后很无语的是,得到的内容是下面这样的:
实际上偶电脑当前的用户的SID是下面这个,偶也证实了是下面这个:
在虚拟机上加载驱动后得到的也是一个固定的值,即 "
S-1-5-18"
看了下注册表,发现总是第一个的内容:
附件是R3 下得到当前SID的code,很正常,但在驱动中实现就出问题了~o(*.*)0
俺搞不明白,希望各位大虾指点一下,嘿嘿~
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!