[Help] A question about registry path conversion!

Posted: 2009-4-2 16:51
Experts, a question. In a driver, how do I convert a path such as
\REGISTRY\USER\S-1-5-21-1659004503-2111687655-725345543-500\Software\Microsoft\Windows
into a path of the form

HKEY_CURRENT_USER\Software\Microsoft\Windows

?

Or, if I have the key handle, how do I convert it?

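As an added illustration (not code from this thread), here is the hive-root rewrite the question asks for, written as portable C with wchar_t so it can be compiled and run in user mode; in a driver you would feed it the buffers of the UNICODE_STRING you get from a registry callback or ObQueryNameString, and WCHAR is 16-bit there. It assumes the caller already has the SID string of the token that should "own" HKEY_CURRENT_USER (which is what the routine in reply #2 is trying to obtain); HKEY_CURRENT_USER is not a real key, it is whichever \REGISTRY\USER\<SID> the accessing token maps to, so the conversion is meaningless without that SID. The function name and the sample paths are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

/*
 * Added example, not from the forum thread. Maps the native object-manager registry
 * path a driver sees to the Win32 hive spelling. Well-known roots handled:
 *   \REGISTRY\MACHINE             -> HKEY_LOCAL_MACHINE
 *   \REGISTRY\USER                -> HKEY_USERS
 *   \REGISTRY\USER\<SID>          -> HKEY_CURRENT_USER  (only for the supplied SID)
 *   \REGISTRY\USER\<SID>_Classes  -> HKEY_CURRENT_USER\Software\Classes
 * Anything else is copied through unchanged so it can still be logged.
 */

/* Case-insensitive "s starts with prefix"; returns the prefix length, or 0 on mismatch. */
static size_t prefix_ci(const wchar_t *s, const wchar_t *prefix)
{
    size_t i;
    for (i = 0; prefix[i] != L'\0'; i++) {
        if (s[i] == L'\0' || towlower((wint_t)s[i]) != towlower((wint_t)prefix[i]))
            return 0;
    }
    return i;
}

/* A root only matches at a component boundary (end of string or '\'), otherwise
   S-1-5-...-500 would also match the path of user S-1-5-...-5001. */
static int at_boundary(const wchar_t *s, size_t n)
{
    return s[n] == L'\0' || s[n] == L'\\';
}

/* out = root + rest. Returns 0, or -1 if out (out_cch wide chars) is too small. */
static int emit(const wchar_t *root, const wchar_t *rest, wchar_t *out, size_t out_cch)
{
    size_t rl = wcslen(root), tl = wcslen(rest);
    if (rl + tl + 1 > out_cch) return -1;
    wmemcpy(out, root, rl);
    wmemcpy(out + rl, rest, tl + 1);   /* copies the terminating NUL too */
    return 0;
}

/*
 * native   : e.g. \REGISTRY\USER\S-1-5-21-...-500\Software\Microsoft\Windows
 * user_sid : SID string of the token the path is viewed from; NULL disables HKCU mapping
 * Returns 0 on success, -1 if out is too small, 1 if no hive root was recognised.
 */
int native_to_win32_regpath(const wchar_t *native, const wchar_t *user_sid,
                            wchar_t *out, size_t out_cch)
{
    size_t n;

    if ((n = prefix_ci(native, L"\\REGISTRY\\MACHINE")) != 0 && at_boundary(native, n))
        return emit(L"HKEY_LOCAL_MACHINE", native + n, out, out_cch);

    if ((n = prefix_ci(native, L"\\REGISTRY\\USER")) != 0 && at_boundary(native, n)) {
        const wchar_t *rest = native + n;            /* "" or "\<SID>..." */
        if (user_sid != NULL && rest[0] == L'\\') {
            size_t s = prefix_ci(rest + 1, user_sid);
            if (s != 0) {
                const wchar_t *after = rest + 1 + s;  /* text following the SID */
                size_t c = prefix_ci(after, L"_Classes");
                if (c != 0 && at_boundary(after, c))
                    return emit(L"HKEY_CURRENT_USER\\Software\\Classes", after + c, out, out_cch);
                if (at_boundary(after, 0))
                    return emit(L"HKEY_CURRENT_USER", after, out, out_cch);
            }
        }
        return emit(L"HKEY_USERS", rest, out, out_cch);   /* other users' hives */
    }

    return emit(L"", native, out, out_cch) == 0 ? 1 : -1;  /* pass through unchanged */
}

/* Returns 1 when converting native (viewed from user_sid) yields exactly expected. */
int mapping_is(const wchar_t *native, const wchar_t *user_sid, const wchar_t *expected)
{
    wchar_t buf[512];
    if (native_to_win32_regpath(native, user_sid, buf, 512) < 0) return 0;
    return wcscmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample inputs; the SID is the one from the original question. */
    const wchar_t *sid = L"S-1-5-21-1659004503-2111687655-725345543-500";
    const wchar_t *samples[] = {
        L"\\REGISTRY\\USER\\S-1-5-21-1659004503-2111687655-725345543-500\\Software\\Microsoft\\Windows",
        L"\\REGISTRY\\USER\\S-1-5-21-1659004503-2111687655-725345543-500_Classes\\CLSID",
        L"\\REGISTRY\\USER\\S-1-5-21-1659004503-2111687655-725345543-5001\\Software",
        L"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft",
        L"\\Device\\HarddiskVolume1\\notregistry",
    };
    wchar_t out[512];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = native_to_win32_regpath(samples[i], sid, out, 512);
        wprintf(L"%d %ls\n   -> %ls\n", rc, samples[i], out);
    }
    return 0;
}
```

Two practical caveats: the SID must come from the token of the process performing the access (primary token, or the impersonation token if the thread is impersonating), not from whatever process your driver happens to be running in, and \REGISTRY\MACHINE\SYSTEM\CurrentControlSet and HKEY_CURRENT_CONFIG are symbolic links that this simple prefix rewrite does not resolve.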
Replies (3)

#2
I adapted this from 米's version, but it fails when run and I don't know why:

NTSTATUS GetUserSIDFromProcess(PEPROCESS pProcess, PCHAR pSID)
{
    NTSTATUS        status = STATUS_SUCCESS;
    HANDLE          PrHandle = NULL;
    HANDLE          TokenHandle = NULL;
    ULONG           size;
    ULONG           ReturnLength;
    PTOKEN_USER     TokenInformation;
    UNICODE_STRING  SidString;
    WCHAR           SidStringBuffer[256];

    // Get a kernel handle to the process object so its token can be opened.
    status = ObOpenObjectByPointer(pProcess, OBJ_KERNEL_HANDLE, NULL, PROCESS_ALL_ACCESS,
                                   *PsProcessType, KernelMode, &PrHandle);
    if (!NT_SUCCESS(status)) return status;

    status = NtOpenProcessTokenEx(PrHandle, STANDARD_RIGHTS_READ | TOKEN_QUERY,
                                  OBJ_KERNEL_HANDLE, &TokenHandle);
    ZwClose(PrHandle);   // the process handle is not needed past this point
    if (!NT_SUCCESS(status)) return status;   // NtOpenProcessTokenEx fails here

    size = 0x1000;
    TokenInformation = ExAllocatePool(NonPagedPool, size);
    if (TokenInformation == NULL) {
        ZwClose(TokenHandle);
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    // Query TokenUser, doubling the buffer until it is large enough.
    do {
        status = NtQueryInformationToken(TokenHandle, TokenUser, TokenInformation,
                                         size, &ReturnLength);
        if (status == STATUS_BUFFER_TOO_SMALL) {
            ExFreePool(TokenInformation);
            size *= 2;
            TokenInformation = ExAllocatePool(NonPagedPool, size);
            if (TokenInformation == NULL) {
                ZwClose(TokenHandle);
                return STATUS_INSUFFICIENT_RESOURCES;
            }
        } else if (!NT_SUCCESS(status)) {
            ExFreePool(TokenInformation);
            ZwClose(TokenHandle);
            return STATUS_UNSUCCESSFUL;
        }
    } while (status == STATUS_BUFFER_TOO_SMALL);

    ZwClose(TokenHandle);

    // Convert the binary SID into its "S-1-5-..." string form in a caller-owned buffer.
    RtlZeroMemory(SidStringBuffer, sizeof(SidStringBuffer));
    SidString.Buffer = SidStringBuffer;
    SidString.Length = 0;
    SidString.MaximumLength = sizeof(SidStringBuffer);

    status = RtlConvertSidToUnicodeString(&SidString, TokenInformation->User.Sid, FALSE);
    ExFreePool(TokenInformation);
    DbgPrint("SidStringBuffer:%ws\n", SidStringBuffer);
    ConvertFileNameWCHARToCHAR(SidStringBuffer, pSID);   // poster's own helper, not shown in the thread
    return status;
}
2009-4-3 17:40

#3
status=NtOpenProcessTokenEx(PrHandle, STANDARD_RIGHTS_READ | TOKEN_QUERY,OBJ_KERNEL_HANDLE,&TokenHandle);
if ( !NT_SUCCESS( status )) return status;//NtOpenProcessTokenEx fails here

==================

Use ZwOpenProcessTokenEx.
If you call an Nt-series function while the previous mode is User Mode, you cannot pass a kernel-mode buffer to the function.
2009-4-3 18:12

#4
Many thanks, I learned a lot.
2009-4-3 18:16