можно попробовать так:
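//
// KQuerySidFromToken
//
// Shared worker for the two exported queries below: opens a temporary
// kernel handle on an already-referenced access token, reads its
// TokenUser information and copies the user SID into the caller's buffer.
//
// pToken       referenced PACCESS_TOKEN (caller holds the reference), not NULL
// pSid         destination buffer for the SID; may be NULL to only size it
// dwSidLength  capacity of pSid in bytes
//
// Returns the SID length in bytes, or 0 when the token has no valid user
// SID or any step failed. The SID is copied only when pSid != NULL and the
// SID fits (length <= dwSidLength); a return value larger than dwSidLength
// tells the caller to retry with a bigger buffer. Must run at PASSIVE_LEVEL
// (Zw* token APIs and the paged allocation below require it).
//
static ULONG
KQuerySidFromToken (
    IN void* pToken,
    IN void* pSid,
    IN ULONG dwSidLength
    )
{
    ULONG dwSidLengthReal = 0;
    HANDLE hToken = NULL;

    //
    // OBJ_KERNEL_HANDLE keeps the handle in the kernel handle table. The
    // original opened it with HandleAttributes == 0, which places the handle
    // in the *current process's* table: when this runs on a user-mode
    // thread, that process can use or close the token handle while we hold it.
    //
    NTSTATUS NtStatus = ObOpenObjectByPointer(pToken, OBJ_KERNEL_HANDLE, NULL, TOKEN_QUERY, NULL, KernelMode, &hToken);
    if (!NT_SUCCESS(NtStatus))
        return 0;

    // First call with an empty buffer only asks for the required size.
    ULONG dwSizeOfToken = 0;
    NtStatus = ZwQueryInformationToken(hToken, TokenUser, NULL, 0, &dwSizeOfToken);
    if (NtStatus == STATUS_BUFFER_TOO_SMALL && dwSizeOfToken != 0)
    {
        // NOTE(review): assumes the driver's operator new returns NULL on
        // failure (kernel code has no C++ exceptions) — confirm against the
        // project's operator new/delete pair.
        PTOKEN_USER pTokenUser = (PTOKEN_USER) new char[dwSizeOfToken];
        if (pTokenUser != NULL)
        {
            NtStatus = ZwQueryInformationToken(hToken, TokenUser, pTokenUser, dwSizeOfToken, &dwSizeOfToken);
            if (NT_SUCCESS(NtStatus) && RtlValidSid(pTokenUser->User.Sid))
            {
                dwSidLengthReal = RtlLengthSid(pTokenUser->User.Sid);
                if (dwSidLengthReal != 0 && dwSidLengthReal <= dwSidLength && pSid != NULL)
                {
                    // Pass the real capacity of the destination, not an
                    // inflated value (the original passed length + 1 here).
                    NtStatus = RtlCopySid(dwSidLength, pSid, pTokenUser->User.Sid);
                    if (!NT_SUCCESS(NtStatus))
                    {
                        // Never report a length the caller's buffer does not
                        // actually hold — 0 signals failure.
                        dwSidLengthReal = 0;
                    }
                }
            }
            delete[] (char*) pTokenUser;
        }
    }

    ZwClose(hToken);
    return dwSidLengthReal;
}

//
// KQueryPrimarySidByProcess
//
// Copies the user SID of the process's primary token into pSid.
//
// pSid         destination buffer; may be NULL to query the required size
// dwSidLength  capacity of pSid in bytes
// pEProcess    referenced process object (caller guarantees validity)
//
// Returns the SID length in bytes (0 on any failure); see KQuerySidFromToken
// for the size-probe contract. Returns 0 when not at PASSIVE_LEVEL.
//
ULONG
KQueryPrimarySidByProcess (
    IN void* pSid,
    IN ULONG dwSidLength,
    IN PEPROCESS pEProcess
    )
{
    // Logical OR, not bitwise '|': short-circuit so the IRQL query is not
    // evaluated for a NULL process.
    if (pEProcess == NULL || KeGetCurrentIrql() != PASSIVE_LEVEL)
        return 0;

    void* pToken = PsReferencePrimaryToken(pEProcess);
    if (pToken == NULL)
        return 0;

    ULONG dwSidLengthReal = KQuerySidFromToken(pToken, pSid, dwSidLength);

    // Documented pairing for PsReferencePrimaryToken.
    PsDereferencePrimaryToken(pToken);
    return dwSidLengthReal;
}

//
// KQueryImpersonationSidByThread
//
// Copies the user SID of the thread's impersonation token into pSid.
//
// pSid         destination buffer; may be NULL to query the required size
// dwSidLength  capacity of pSid in bytes
// pEThread     referenced thread object (caller guarantees validity)
//
// Returns the SID length in bytes, or 0 if the thread is not impersonating,
// the IRQL is not PASSIVE_LEVEL, or any step failed. See KQuerySidFromToken
// for the size-probe contract.
//
ULONG
KQueryImpersonationSidByThread (
    IN void* pSid,
    IN ULONG dwSidLength,
    IN PETHREAD pEThread
    )
{
    if (pEThread == NULL || KeGetCurrentIrql() != PASSIVE_LEVEL)
        return 0;

    // The three out-parameters are mandatory for PsReferenceImpersonationToken
    // but not needed here.
    BOOLEAN bCopyOnUse = FALSE;
    BOOLEAN bEffectiveOnly = FALSE;
    SECURITY_IMPERSONATION_LEVEL Level;
    void* pToken = PsReferenceImpersonationToken(pEThread, &bCopyOnUse, &bEffectiveOnly, &Level);
    if (pToken == NULL)
        return 0;   // thread is not impersonating

    ULONG dwSidLengthReal = KQuerySidFromToken(pToken, pSid, dwSidLength);

    // Documented pairing for PsReferenceImpersonationToken.
    PsDereferenceImpersonationToken(pToken);
    return dwSidLengthReal;
}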
---
|