http://hi.baidu.com/sudami/blog/item/5ba21ceef587e1ffb3fb9541.html
(1.) R0下需要attach到一个用户进程,取其SID
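NTSTATUS
GetUserName(
    char* a
    )
/*++
Author: sudami 08/03/04

Purpose:
    Resolve the SID of the caller's current security context - the thread's
    impersonation token if it has one, otherwise the process's primary token -
    and hand it back as a string of the form "S-1-5-...".

Parameters:
    a - [OUT] Receives the SID as a NUL-terminated *wide* string. The data is
        WCHAR even though the parameter type is char*; callers should treat the
        result as PWCHAR. No length is passed, so the caller must provide at
        least sizeof(SidStringBuffer) (512 bytes); this routine cannot verify
        that. Note that this routine does not prefix "\\REGISTRY\\USER\\" - it
        produces only the SID text (RtlFormatCurrentUserKeyPath builds the key
        path form).

Return Value:
    STATUS_SUCCESS on success.
    STATUS_INVALID_PARAMETER if a is NULL.
    STATUS_INSUFFICIENT_RESOURCES if pool allocation fails.
    STATUS_BUFFER_OVERFLOW if the formatted SID does not fit the stack buffer.
    Otherwise the NTSTATUS of the failing Zw*/Rtl* call.

Notes:
    IRQL: PASSIVE_LEVEL (required by the Zw* token routines).
    The earlier version did `a = SidStringBuffer;`, which only overwrote the
    local copy of the parameter (and would have dangled anyway); the string is
    now copied into the caller's buffer.
--*/
{
    NTSTATUS status;
    HANDLE TokenHandle = NULL;
    ULONG ReturnLength = 0;
    ULONG size = 0x1000;                 // initial guess; grown on STATUS_BUFFER_TOO_SMALL
    PTOKEN_USER TokenInformation = NULL;
    UNICODE_STRING SidString;
    WCHAR SidStringBuffer[256];          // 512 bytes, WCHAR-aligned (was char[512] cast to PWCHAR)
    const ULONG PoolTag = 'SIDu';        // constructed tag; align with the project's pool-tag convention

    if (a == NULL) {
        return STATUS_INVALID_PARAMETER;
    }

    // Prefer the thread's impersonation token (OpenAsSelf == TRUE, so the open
    // is checked against the process's own context); fall back to the primary
    // token when the thread is not impersonating.
    status = ZwOpenThreadTokenEx(NtCurrentThread(),
                                 TOKEN_READ,
                                 TRUE,
                                 OBJ_KERNEL_HANDLE,
                                 &TokenHandle);
    if (!NT_SUCCESS(status)) {
        status = ZwOpenProcessTokenEx(NtCurrentProcess(),
                                      TOKEN_READ,
                                      OBJ_KERNEL_HANDLE,
                                      &TokenHandle);
        if (!NT_SUCCESS(status)) {
            return status;
        }
    }

    // Query TOKEN_USER, growing the buffer until it fits. Zw* rather than Nt*
    // is used so the call is treated as coming from kernel mode, which matches
    // the OBJ_KERNEL_HANDLE token handle and the other Zw* calls here (the
    // error message below already named the Zw variant).
    for (;;) {
        TokenInformation = ExAllocatePoolWithTag(NonPagedPool, size, PoolTag);
        if (TokenInformation == NULL) {
            ZwClose(TokenHandle);
            return STATUS_INSUFFICIENT_RESOURCES;
        }
        status = ZwQueryInformationToken(TokenHandle,
                                         TokenUser,
                                         TokenInformation,
                                         size,
                                         &ReturnLength);
        if (status != STATUS_BUFFER_TOO_SMALL) {
            break;
        }
        ExFreePoolWithTag(TokenInformation, PoolTag);
        TokenInformation = NULL;
        // ReturnLength reports the required size; doubling is the fallback in
        // case it was not filled in.
        size = (ReturnLength > size) ? ReturnLength : size * 2;
    }
    ZwClose(TokenHandle);

    if (!NT_SUCCESS(status)) {
        DbgPrint(" ZwQueryInformationToken error\n");
        ExFreePoolWithTag(TokenInformation, PoolTag);
        return status;
    }

    // Format the SID into the stack buffer (AllocateDestinationString == FALSE,
    // so no Rtl allocation has to be freed).
    RtlZeroMemory(SidStringBuffer, sizeof(SidStringBuffer));
    SidString.Buffer = SidStringBuffer;
    SidString.Length = 0;
    SidString.MaximumLength = sizeof(SidStringBuffer);
    status = RtlConvertSidToUnicodeString(&SidString,
                                          TokenInformation->User.Sid,
                                          FALSE);
    ExFreePoolWithTag(TokenInformation, PoolTag);
    if (!NT_SUCCESS(status)) {
        return status;
    }
    // UNICODE_STRING is not guaranteed to be NUL-terminated; the buffer was
    // zeroed above, so we only need to confirm the terminator slot exists.
    if (SidString.Length > sizeof(SidStringBuffer) - sizeof(WCHAR)) {
        return STATUS_BUFFER_OVERFLOW;
    }

    DbgPrint("sudami's PC Name: %ws\n", SidStringBuffer);

    // Copy the string plus its terminator into the caller's buffer.
    RtlCopyMemory(a, SidStringBuffer, SidString.Length + sizeof(WCHAR));
    return STATUS_SUCCESS;
}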
(2.) R3下方便很多:
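/*
 * User-mode counterpart: print the SID of the current process's primary token
 * as "S-1-5-...".
 *
 * Return value: always 0, as in the original - it does not distinguish
 * success from failure; callers must not use it as a status.
 *
 * Side effects: writes to stdout and blocks on getchar() (demo behaviour
 * retained from the original).
 *
 * Fixes relative to the original: the GetProcAddress result and the
 * ConvertSidToStringSidA result were used unchecked (NULL call / printf of a
 * NULL string); the LoadLibrary handle was never released; a char[] was cast
 * to PTOKEN_USER without alignment guarantees; LPTSTR/LoadLibrary macros did
 * not match the explicitly narrow "A" entry point being resolved.
 */
int GetUserName ()
{
    HANDLE hToken = NULL;
    DWORD dwTemp = 0;
    /* Properly aligned storage for TOKEN_USER followed by its SID. */
    union {
        TOKEN_USER user;
        BYTE raw[256];
    } tokenInfo = {0};
    HMODULE hAdvapi = NULL;
    LPSTR MySid = NULL;
    typedef BOOL (WINAPI *PtrConvertSidToStringSidA)(PSID Sid, LPSTR *StringSid);
    PtrConvertSidToStringSidA pConvert = NULL;

    /* GetCurrentProcess() is a pseudo-handle: never NULL and never needs
     * CloseHandle, so the original's NULL check and CloseHandle(hProcess)
     * were no-ops and are dropped. TOKEN_QUERY suffices to read TokenUser. */
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken) || !hToken) {
        goto out;
    }
    if (!GetTokenInformation(hToken, TokenUser, &tokenInfo, sizeof(tokenInfo), &dwTemp)) {
        goto out_token;
    }

    /* ConvertSidToStringSidA is declared in <sddl.h>, which this file does not
     * include, so it is resolved at run time. Advapi32 is a system DLL already
     * loaded by this module's own imports; the handle is released below. */
    hAdvapi = LoadLibraryA("Advapi32.dll");
    if (hAdvapi == NULL) {
        goto out_token;
    }
    pConvert = (PtrConvertSidToStringSidA)GetProcAddress(hAdvapi, "ConvertSidToStringSidA");
    if (pConvert == NULL) {
        goto out_lib;
    }
    if (!pConvert(tokenInfo.user.User.Sid, &MySid) || MySid == NULL) {
        goto out_lib;
    }

    printf("sudami's PC Name:\n%s\n", MySid);
    getchar ();

    /* ConvertSidToStringSid allocates with LocalAlloc; caller frees. */
    LocalFree((HLOCAL)MySid);
out_lib:
    FreeLibrary(hAdvapi);
out_token:
    CloseHandle(hToken);
out:
    return 0;
}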
-------------------------------------------------------------------------
或者attach到用户进程后,通过已经导出的RtlFormatCurrentUserKeyPath直接就可以得到了~o(*.*)0,再调用RtlAppendUnicodeToString 等来连接,比如修改IE首页。。。