steel_mental
June 10th, 2005, 12:02 AM
I want to write code which can display process's owner as taskmgr.exe can do, here is piece of my code:
////////////////////////////////////////////////////////////////
SID_NAME_USE peUse;
TOKEN_PRIVILEGES tkpPrev;
HANDLE hp;
HANDLE hToken;
int isok;
WCHAR buf[0x400];
WCHAR buf1[100];
WCHAR buf2[100];
DWORD dwNumBytesRet;
DWORD dwNumBytesRet1;
// get debug privilege via SE_PRIVILEGE_ENABLED
//I promise no problem here
GetDebugPriv(&tkpPrev);
hp=OpenProcess(PROCESS_QUERY_INFORMATION,0,m_dwPID);
isok=OpenProcessToken(hp,TOKEN_READ,&hToken);
isok=GetTokenInformation(hToken,TokenUser,&buf,0x400,&dwNumBytesRet);
if(isok)
{
dwNumBytesRet = 100;
dwNumBytesRet1 = 100;
isok = LookupAccountSid(NULL,(DWORD *)(*(DWORD*)buf),buf1,&dwNumBytesRet,buf2,&dwNumBytesRet1,&peUse);
printf("Run Auth:%S\\%S \n",buf2,buf1);
CloseHandle(hToken);
}
CloseHandle(hp);
///////////////////////////////////////////////////////////////////
BOOL
WINAPI
GetDebugPriv(PTOKEN_PRIVILEGES ptkpPrev)
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
BOOL bRet;
ULONG ulRet;
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&hToken))
return FALSE;
bRet=LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue);
if (!bRet)
{
CloseHandle(hToken);
return bRet;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
bRet=AdjustTokenPrivileges(hToken,FALSE,&tkp,sizeof(tkp),ptkpPrev,&ulRet);
CloseHandle(hToken);
return bRet;
}
///////////////////////////////////////////////////////////////////////
it work fine on none NT AUTHORITY process, but for process such as svchost.exe, it always failed on OpenProcessToken-- access deny. I know taskmgr.exe can do it so I must can do it also, is there any essential step I omitted?
thanks for any help,have good day!!!
////////////////////////////////////////////////////////////////
SID_NAME_USE peUse;
TOKEN_PRIVILEGES tkpPrev;
HANDLE hp;
HANDLE hToken;
int isok;
WCHAR buf[0x400];
WCHAR buf1[100];
WCHAR buf2[100];
DWORD dwNumBytesRet;
DWORD dwNumBytesRet1;
// get debug privilege via SE_PRIVILEGE_ENABLED
//I promise no problem here
GetDebugPriv(&tkpPrev);
hp=OpenProcess(PROCESS_QUERY_INFORMATION,0,m_dwPID);
isok=OpenProcessToken(hp,TOKEN_READ,&hToken);
isok=GetTokenInformation(hToken,TokenUser,&buf,0x400,&dwNumBytesRet);
if(isok)
{
dwNumBytesRet = 100;
dwNumBytesRet1 = 100;
isok = LookupAccountSid(NULL,(DWORD *)(*(DWORD*)buf),buf1,&dwNumBytesRet,buf2,&dwNumBytesRet1,&peUse);
printf("Run Auth:%S\\%S \n",buf2,buf1);
CloseHandle(hToken);
}
CloseHandle(hp);
///////////////////////////////////////////////////////////////////
BOOL
WINAPI
GetDebugPriv(PTOKEN_PRIVILEGES ptkpPrev)
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
BOOL bRet;
ULONG ulRet;
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&hToken))
return FALSE;
bRet=LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue);
if (!bRet)
{
CloseHandle(hToken);
return bRet;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
bRet=AdjustTokenPrivileges(hToken,FALSE,&tkp,sizeof(tkp),ptkpPrev,&ulRet);
CloseHandle(hToken);
return bRet;
}
///////////////////////////////////////////////////////////////////////
it work fine on none NT AUTHORITY process, but for process such as svchost.exe, it always failed on OpenProcessToken-- access deny. I know taskmgr.exe can do it so I must can do it also, is there any essential step I omitted?
thanks for any help,have good day!!!