[求助]驱动怎么获取进程所属的用户-编程技术-看雪-安全社区|安全招聘|kanxue.com

qihoocom

雪币： 635

活跃值： (101)

能力值：

( LV12，RANK：420 )

在线值：

发帖

49

回帖

1165

粉丝

25

关注

私信

qihoocom 9: 2 楼

PsReferencePrimaryToken
ZwQueryInformationToken

2009-4-1 17:18

0

qihoocom

雪币： 635

活跃值： (101)

能力值：

( LV12，RANK：420 )

在线值：

发帖

49

回帖

1165

粉丝

25

关注

私信

qihoocom 9: 3 楼

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

// Largely based off of undelete.c from sysinternals
BOOLEAN GetUserSIDFromProcess(EPROCESS *pProcess, UNICODE_STRING *pusSID)
{
    NTSTATUS status;
    ULONG RetLen;
    HANDLE hToken;
    PTOKEN_USER tokenInfoBuffer;
    PACCESS_TOKEN Token;
 
    Token = PsReferencePrimaryToken(pProcess);
 
    status = ObOpenObjectByPointer(Token, 0, NULL, TOKEN_QUERY, NULL, KernelMode, &hToken);
    ObDereferenceObject(Token);
 
    if(!NT_SUCCESS(status))
        return FALSE;
 
    // Get the size of the sid.
    status = ZwQueryInformationToken(hToken, TokenUser, NULL, 0, &RetLen);
    if(status != STATUS_BUFFER_TOO_SMALL) {
    ZwClose(hToken);
    return FALSE;
  }
 
    tokenInfoBuffer = (PTOKEN_USER)ExAllocatePool(NonPagedPool, RetLen);
    if(tokenInfoBuffer)
      status = ZwQueryInformationToken(hToken, TokenUser, tokenInfoBuffer, RetLen, &RetLen);
  
  if(!NT_SUCCESS(status) || !tokenInfoBuffer ) {
    DBGOUT(("Error getting token information: %x\n", status));
    if(tokenInfoBuffer)
            ExFreePool(tokenInfoBuffer);
    ZwClose(hToken);
    return FALSE;
  }
  ZwClose(hToken);
 
  status = RtlConvertSidToUnicodeString(pusSID, tokenInfoBuffer->User.Sid, FALSE);
  ExFreePool(tokenInfoBuffer);
 
  if(!NT_SUCCESS(status)) {
    DBGOUT(("Unable to convert SID to UNICODE: %x\n", status ));
    return FALSE;
  }
 
    return TRUE;
}