GetSidSubAuthorityCount

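#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>

// Older SDKs lack this access right.  It is the least privilege that
// OpenProcessToken accepts on Vista and later (pre-Vista needs
// PROCESS_QUERY_INFORMATION), and it is granted on more processes.
#ifndef PROCESS_QUERY_LIMITED_INFORMATION
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
#endif

// Mirror of the SID layout from winnt.h, kept for reference: Revision and
// SubAuthorityCount bytes, the 6-byte IdentifierAuthority, then
// SubAuthorityCount DWORDs.  The code below no longer casts a token SID into
// this struct; it reads the count through the documented Win32 accessor.
typedef struct _SIDEX {
    BYTE Revision;
    BYTE SubAuthorityCount;
    SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
#ifdef MIDL_PASS
    [size_is(SubAuthorityCount)] DWORD SubAuthority[*];
#else  // MIDL_PASS
    DWORD SubAuthority[ANYSIZE_ARRAY];
#endif // MIDL_PASS
} SIDEX, *PISIDEX;

// Free an array allocated with new[] and null the pointer (no-op on NULL).
// do/while(0) so the macro behaves as one statement after if/else.
#define SafeDeleteArraySize(pData) \
    do { if (pData) { delete[] (pData); (pData) = NULL; } } while (0)

// Close a kernel handle and null it.  Tolerates both NULL and
// INVALID_HANDLE_VALUE, the two distinct "no handle" values Win32 APIs return
// (OpenProcess/OpenProcessToken give NULL, CreateToolhelp32Snapshot gives
// INVALID_HANDLE_VALUE); the original only understood NULL.
#define SafeCloseHandle(Handle) \
    do { \
        if ((Handle) != NULL && (Handle) != INVALID_HANDLE_VALUE) { \
            CloseHandle(Handle); \
        } \
        (Handle) = NULL; \
    } while (0)

// Report how many sub-authorities the user SID of a process's primary token
// has, and print "<pid> <count>" to stdout.
//
// ProcessId: PID to inspect.
// Returns the SubAuthorityCount of the token user SID, or 0 if the process or
// its token could not be opened or queried.  0 is also what a SID with no
// sub-authorities would report, so the return value alone does not
// distinguish failure from that edge case; nothing is printed on failure.
//
// Note: this DWORD overload shares its name with the Win32 API
// GetSidSubAuthorityCount(PSID).  The name is kept for existing callers; the
// API is reached via the ::-qualified call below.
//
// Only documented APIs are used.  The former code resolved the undocumented
// ZwQueryInformationToken export from ntdll without checking the
// GetProcAddress result, never checked the size-probe call, and doubled the
// returned length for no stated reason.
BYTE GetSidSubAuthorityCount(DWORD ProcessId)
{
    BYTE   subAuthorityCount = 0;
    HANDLE processHandle     = NULL;
    HANDLE tokenHandle       = NULL;
    BYTE  *buffer            = NULL;   // backing store for the TOKEN_USER

    do {
        // Least privilege: QUERY_LIMITED is all OpenProcessToken needs.
        processHandle = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, ProcessId);
        if (processHandle == NULL)
            break;

        if (!OpenProcessToken(processHandle, TOKEN_QUERY, &tokenHandle))
            break;

        // Two-call pattern: the probe call fails with ERROR_INSUFFICIENT_BUFFER
        // and reports the required size; any other failure is fatal for this PID.
        DWORD needed = 0;
        if (!GetTokenInformation(tokenHandle, TokenUser, NULL, 0, &needed) &&
            GetLastError() != ERROR_INSUFFICIENT_BUFFER)
            break;
        if (needed == 0)
            break;

        // Allocate as BYTE[] and delete[] the same pointer type.  The original
        // deleted through a TOKEN_USER* that had been allocated as BYTE[].
        buffer = new BYTE[needed];
        ZeroMemory(buffer, needed);
        PTOKEN_USER tokenUser = reinterpret_cast<PTOKEN_USER>(buffer);
        if (!GetTokenInformation(tokenHandle, TokenUser, tokenUser, needed, &needed))
            break;

        PSID sid = tokenUser->User.Sid;
        if (sid == NULL || !IsValidSid(sid))
            break;

        // ::GetSidSubAuthorityCount(PSID) is the Win32 accessor for the
        // SubAuthorityCount byte; it replaces the cast to the private SIDEX layout.
        subAuthorityCount = *::GetSidSubAuthorityCount(sid);

        // DWORD is unsigned long: %lu, not %d.
        printf("%lu %u\n", ProcessId, (unsigned)subAuthorityCount);
    } while (FALSE);

    SafeCloseHandle(tokenHandle);
    SafeCloseHandle(processHandle);
    SafeDeleteArraySize(buffer);
    return subAuthorityCount;
}

// Enable the named privilege (e.g. L"SeDebugPrivilege") in the current
// process token.
//
// lpName: privilege name; NULL is rejected.  The original probed it with
// IsBadReadPtr, which Microsoft deprecates (it races with other threads and
// can swallow guard-page faults); a plain NULL check is used instead.
// Returns TRUE only if the privilege is actually enabled afterwards.
//
// AdjustTokenPrivileges returns TRUE even when the privilege was NOT granted
// (it then sets ERROR_NOT_ALL_ASSIGNED), so the last-error code is checked as
// well.  Without that check a non-elevated caller is told it holds an
// admin-equivalent privilege it does not have.  This can only enable a
// privilege already present (disabled) in the token; it cannot add one.
BOOL EnableDebugPrivilege(LPCWSTR lpName)
{
    BOOL   enabled = FALSE;
    HANDLE hToken  = NULL;

    do {
        if (lpName == NULL)
            break;

        if (!OpenProcessToken(GetCurrentProcess(),
                              TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
            break;

        TOKEN_PRIVILEGES tp;
        ZeroMemory(&tp, sizeof(tp));
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // Explicit W variant: the parameter is wide regardless of UNICODE, so the
        // generic LookupPrivilegeValue would not compile in an ANSI build.
        if (!LookupPrivilegeValueW(NULL, lpName, &tp.Privileges[0].Luid))
            break;

        if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL))
            break;
        if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
            break;

        enabled = TRUE;
    } while (FALSE);

    SafeCloseHandle(hToken);
    return enabled;
}

// Enumerate all processes and print the sub-authority count of each one's
// token user SID.  Exit code 0 on success, 1 if the process snapshot cannot
// be taken.
int main(void)
{
    // SeDebugPrivilege is admin-equivalent (it grants access to any process),
    // and can only be enabled when the token already holds it, i.e. when run
    // as an elevated administrator.  Without it, protected and other-user
    // processes are skipped rather than failing the whole run.
    // L"SeDebugPrivilege" is what SE_DEBUG_NAME expands to in a UNICODE build.
    if (!EnableDebugPrivilege(L"SeDebugPrivilege"))
        fprintf(stderr, "warning: SeDebugPrivilege not enabled; some processes will be skipped\n");

    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE) {   // this API fails with INVALID_HANDLE_VALUE, not NULL
        fprintf(stderr, "CreateToolhelp32Snapshot failed: %lu\n", GetLastError());
        return 1;
    }

    // Stack entry instead of a leaked new PROCESSENTRY32.
    PROCESSENTRY32 entry;
    ZeroMemory(&entry, sizeof(entry));
    entry.dwSize = sizeof(entry);

    // Process32First yields the first entry; the original discarded it by
    // looping only on Process32Next, and never checked either return value.
    if (Process32First(snapshot, &entry)) {
        do {
            GetSidSubAuthorityCount(entry.th32ProcessID);
        } while (Process32Next(snapshot, &entry));
    }
    SafeCloseHandle(snapshot);

    getchar();   // keep the console window open until a key is pressed
    return 0;
}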
