2006
01-20

查看进程令牌信息源代码

用过whoami吧,这个tokenInfor和它的功能相仿,不过是查看指定进程的用户信息和访问令牌信息。

本版本中,管理员不能查看普通用户进程的信息,功能完整的版本可以从www.red8black.com上下载。

用法如下:
D:\>E:\projects\tinfor\lcc\tinfor.exe /?
TokenInfor tell Token Infor and Owner Infor of Specify Process, — bingle

Usage : E:\projects\tinfor\lcc\tinfor.exe [pid]
pid — ID of target process, if not provide, use current process
-?|/? — show this.

如果没有指定进程ID就查询当前进程,也就是tinfor自己了,就和whoami一样了。

D:\>tinfor 160
TokenInfor tell Token Infor and Owner Infor of Specify Process, — bingle

Token Information of Process ID = 160.
Execute File Path = \??\D:\WINNT\system32\csrss.exe.

User Name : NT AUTHORITY\SYSTEM S-1-5-18

Belong to 3 groups
[group 0] “BUILTIN\Administrators” S-1-5-32-544
[group 1] “\Everyone” S-1-1-0
[group 2] “NT AUTHORITY\Authenticated Users” S-1-5-11

Have 21 Privileges
[Privilege 0] SeTcbPrivilege – 以操作系统方式操作
[Privilege 1] SeCreateTokenPrivilege – 创建记号对象
[Privilege 2] SeTakeOwnershipPrivilege – 取得文件或其它对象的所有权
[Privilege 3] SeCreatePagefilePrivilege – 创建页面文件
[Privilege 4] SeLockMemoryPrivilege – 内存中锁定页
[Privilege 5] SeAssignPrimaryTokenPrivilege – 替换进程级记号
[Privilege 6] SeIncreaseQuotaPrivilege – 添加配额
[Privilege 7] SeIncreaseBasePriorityPrivilege – 增加进度优先级
[Privilege 8] SeCreatePermanentPrivilege – 创建永久共享对象
[Privilege 9] SeDebugPrivilege – 调试程序
[Privilege 10] SeAuditPrivilege – 产生安全审核
[Privilege 11] SeSecurityPrivilege – 管理审核和安全日志
[Privilege 12] SeSystemEnvironmentPrivilege – 修改固件环境值
[Privilege 13] SeChangeNotifyPrivilege – 跳过遍历检查
[Privilege 14] SeBackupPrivilege – 备份文件和目录
[Privilege 15] SeRestorePrivilege – 还原文件和目录
[Privilege 16] SeShutdownPrivilege – 关闭系统
[Privilege 17] SeLoadDriverPrivilege – 装载和卸载设备驱动程序
[Privilege 18] SeProfileSingleProcessPrivilege – 配置单一进程
[Privilege 19] SeSystemtimePrivilege – 更改系统时间
[Privilege 20] SeUndockPrivilege – 从插接工作站中取出计算机

Token Type : Primary Token
OpenProcessToken QUERY_SOURCE error : 5


whoami.exe是一个有错误的debug版tokenInfor程序,什么错误,你调试看看吧,这个错误不影响

程序的主要功能,程序代码的实现也没有问题。不要用vc重新编译whoami.c,否则错误就没有了。

vc和lcc有点不同。


源程序 printf(“\t-?|/? — show this. \r\n”);

exit(0);
}

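/*
 * Load psapi.dll at run time and resolve GetModuleFileNameExA into the
 * file-scope pointer GetModuleFileNameExAddr (psapi and
 * GetModuleFileNameExAddr are globals declared outside this excerpt).
 *
 * Returns 1 on success, in which case the caller owns the module and must
 * call FreeLibrary(psapi) when done.  Returns 0 when the DLL or the export
 * cannot be found; both globals are then NULL and nothing stays loaded
 * (the original dropped the handle without FreeLibrary on the missing-export
 * path, leaking the module reference).
 */
int LoadPsapi(void)
{
    GetModuleFileNameExAddr = NULL;

    psapi = LoadLibrary("psapi.dll");
    if (psapi == NULL) {
        return 0;
    }

    GetModuleFileNameExAddr =
        (GetModuleFileNameExType *)GetProcAddress(psapi, "GetModuleFileNameExA");
    if (GetModuleFileNameExAddr == NULL) {
        FreeLibrary(psapi);   /* release the reference before forgetting it */
        psapi = NULL;
        return 0;
    }
    return 1;
}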


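/*
 * Entry point.  Usage: tinfor [pid] | -? | /?
 *
 * Temporarily enables SeDebugPrivilege, opens the target process (the
 * current one when no pid is given) for query access, then prints its image
 * path, the token user, groups, privileges, token type and token source.
 * Each query reports its Win32 error code on failure; a failure to open the
 * token or read TokenStatistics skips the remaining queries.
 *
 * Exit status: 0 when the token was opened and queried, 1 when the process
 * could not be opened or its token could not be queried.  Usage() is called
 * for bad arguments and does not return (it ends in exit(0)).
 */
int main(int argc, char *argv[])
{
    HANDLE hp = NULL;
    HANDLE htoken = NULL;
    char buff[1024];
    char src[10];
    TOKEN_STATISTICS tstat;
    DWORD size;
    DWORD procID;
    DWORD openErr;
    int dbgErr;
    int status = 1;   /* flipped to 0 only once every token query has run */

    printf("TokenInfor tell Token Infor and Owner Infor of Specify Process, -- bingle\r\n\r\n");
    if (argc == 2 && (strcmp(argv[1], "/?") == 0 || strcmp(argv[1], "-?") == 0)) {
        Usage(argv[0]);
    }

    if (argc > 1) {
        /* strtoul instead of atoi: reject signs, trailing junk and values
         * that do not fit a DWORD; anything rejected becomes pid 0 below. */
        char *end = NULL;
        unsigned long v = strtoul(argv[1], &end, 10);
        if (argv[1][0] == '-' || end == argv[1] || *end != '\0' || v != (DWORD)v) {
            v = 0;
        }
        procID = (DWORD)v;
    } else {
        procID = GetCurrentProcessId();
    }
    if (procID == 0) {
        printf(" Bad Process ID provided!!\r\n");
        Usage(argv[0]);   /* exits */
    }

    dbgErr = EnableDebugPriv(1);
    if (dbgErr != 0) {
        printf("EnableDebugPriv(1) error : %d\r\n", dbgErr);
    }
    hp = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, procID);
    openErr = GetLastError();   /* read before EnableDebugPriv(0) can overwrite it */
    EnableDebugPriv(0);
    if (hp == NULL) {
        printf("Unable to open target process ID=%lu. Error : %lu\r\n",
               (unsigned long)procID, (unsigned long)openErr);
        return 1;
    }

    printf("Token Information of Process ID = %lu.\r\n", (unsigned long)procID);
    if (LoadPsapi()) {
        if (GetModuleFileNameExAddr(hp, NULL, buff, (DWORD)sizeof buff)) {
            printf("Execute File Path = %s.\r\n", buff);
        } else {
            printf("Get Execute File Path Error : %lu.\r\n", (unsigned long)GetLastError());
        }
        FreeLibrary(psapi);
    } else {
        printf("Cannot Get Execute File Path, Load Psapi.dll Error.\r\n");
    }

    puts("");

    if (!OpenProcessToken(hp, TOKEN_QUERY, &htoken)) {
        printf("OpenProcessToken QUERY error : %lu\r\n", (unsigned long)GetLastError());
        htoken = NULL;   /* nothing was opened, so nothing to close */
        goto exit_main;
    }

    /* GetUserNameFromToken writes DOMAIN\user; assumes 2 * UULEN <= sizeof buff
     * (UULEN is defined outside this excerpt). */
    if (GetUserNameFromToken(htoken, buff)) {
        printf("User Name : %s\r\n", buff);
    }

    OutPutGroupsFromToken(htoken);

    OutPutPrivilegesFromToken(htoken);

    /* TOKEN_STATISTICS is fixed-size, so read it into a properly aligned
     * struct instead of reinterpreting the char buffer. */
    size = sizeof tstat;
    if (!GetTokenInformation(htoken, TokenStatistics, &tstat, size, &size)) {
        printf("GetTokenInformation TokenStatistics error : %lu\r\n", (unsigned long)GetLastError());
        goto exit_main;
    }
    OutPutTokenType(&tstat);

    if (GetProcessTokenSource(hp, src)) {
        printf("Token source : %s\r\n", src);
    }
    status = 0;

exit_main:
    if (htoken != NULL) {
        CloseHandle(htoken);
    }
    CloseHandle(hp);
    return status;
}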

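/*
 * Format the token's user account as DOMAIN\user into `user`.
 *
 * `user` must have room for at least 2 * UULEN bytes: the domain and the
 * account name are each looked up into a UULEN-byte buffer and joined with
 * one backslash.  The interface carries no length, so this is a caller
 * contract, not a runtime check.
 *
 * Returns true on success; false, after printing the Win32 error code, when
 * the TokenUser query or the SID-to-name lookup fails.
 */
int GetUserNameFromToken(HANDLE htoken, char user[])
{
    char buff[1024];
    char tusr[UULEN];
    char domain[UULEN];
    DWORD size = sizeof buff;
    DWORD userLen;
    DWORD domainLen;
    TOKEN_USER *tuser;
    SID_NAME_USE snu;

    if (!GetTokenInformation(htoken, TokenUser, buff, size, &size)) {
        printf("GetTokenInformation error : %lu\r\n", (unsigned long)GetLastError());
        return false;
    }
    tuser = (TOKEN_USER *)buff;

    /* Separate in/out lengths: the original passed &size for both the name
     * and the domain, so the function wrote both results through one
     * variable. */
    userLen = UULEN;
    domainLen = UULEN;
    if (!LookupAccountSid(NULL, tuser->User.Sid, tusr, &userLen, domain, &domainLen, &snu)) {
        printf("LookupAccountSid error : %lu\r\n", (unsigned long)GetLastError());
        return false;
    }

    sprintf(user, "%s\\%s", domain, tusr);
    return true;
}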

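/*
 * Print the group count and each group of the token as DOMAIN\group.
 *
 * A 1024-byte stack buffer is tried first; when GetTokenInformation reports
 * ERROR_INSUFFICIENT_BUFFER the required size is allocated from the heap
 * and the query is repeated, so tokens with many groups no longer fail
 * outright.  Groups whose SID cannot be resolved print the lookup error and
 * the loop continues.
 *
 * Only names are shown: Groups[i].Attributes is not printed, so a group
 * carried for deny-only checks (SE_GROUP_USE_FOR_DENY_ONLY) is listed
 * exactly like an effective membership.
 *
 * Returns true once the list has been printed; false, after printing the
 * Win32 error code, when the token groups cannot be read.
 */
int OutPutGroupsFromToken(HANDLE htoken)
{
    char stackBuf[1024];
    char *heapBuf = NULL;
    TOKEN_GROUPS *tgrps = (TOKEN_GROUPS *)stackBuf;
    DWORD size = sizeof stackBuf;
    char group[UULEN];
    char domain[UULEN];
    SID_NAME_USE snu;
    DWORD i;

    if (!GetTokenInformation(htoken, TokenGroups, tgrps, size, &size)) {
        if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
            printf("GetTokenInformation TokenGroups error : %lu\r\n", (unsigned long)GetLastError());
            return false;
        }
        /* `size` now holds the byte count the call needs. */
        heapBuf = malloc(size);
        if (heapBuf == NULL) {
            printf("GetTokenInformation TokenGroups error : out of memory\r\n");
            return false;
        }
        tgrps = (TOKEN_GROUPS *)heapBuf;
        if (!GetTokenInformation(htoken, TokenGroups, tgrps, size, &size)) {
            printf("GetTokenInformation TokenGroups error : %lu\r\n", (unsigned long)GetLastError());
            free(heapBuf);
            return false;
        }
    }

    printf("\r\nBelong to %lu groups\r\n", (unsigned long)tgrps->GroupCount);

    for (i = 0; i < tgrps->GroupCount; i++) {
        /* Distinct lengths for name and domain: both are in/out parameters. */
        DWORD groupLen = UULEN;
        DWORD domainLen = UULEN;
        if (!LookupAccountSid(NULL, tgrps->Groups[i].Sid, group, &groupLen, domain, &domainLen, &snu)) {
            printf("[group %lu] error : %lu\r\n", (unsigned long)i, (unsigned long)GetLastError());
        } else {
            printf("[group %lu] %s\\%s\r\n", (unsigned long)i, domain, group);
        }
    }

    free(heapBuf);   /* NULL when the stack buffer sufficed */
    return true;
}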

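/*
 * Print the privilege count and each privilege of the token as
 * "SeXxxPrivilege - <localized display name>".
 *
 * The 1024-byte buffer is kept: a TOKEN_PRIVILEGES entry is one
 * LUID_AND_ATTRIBUTES, so the set of privileges Windows defines fits
 * comfortably.  Two lookups the original got wrong are fixed here: the
 * result of LookupPrivilegeName is now checked (on failure `spriv` would
 * have been passed uninitialized to the next call), and
 * LookupPrivilegeDisplayName gets its own length and language-id variables
 * instead of &size for both, since the language id is written back through
 * that last parameter.
 *
 * Only names are shown: Privileges[i].Attributes is not printed, so a
 * privilege that is present but not SE_PRIVILEGE_ENABLED is listed exactly
 * like an enabled one.
 *
 * Returns true once the list has been printed; false, after printing the
 * Win32 error code, when the token privileges cannot be read.
 */
int OutPutPrivilegesFromToken(HANDLE htoken)
{
    char buff[1024];
    DWORD size = sizeof buff;
    TOKEN_PRIVILEGES *tpriv;
    char spriv[UULEN];
    char sdisp[UULEN * 2];
    DWORD i;

    if (!GetTokenInformation(htoken, TokenPrivileges, buff, size, &size)) {
        printf("GetTokenInformation TokenPrivileges error : %lu\r\n", (unsigned long)GetLastError());
        return false;
    }
    tpriv = (TOKEN_PRIVILEGES *)buff;
    printf("\r\nHave %lu Privileges\r\n", (unsigned long)tpriv->PrivilegeCount);

    for (i = 0; i < tpriv->PrivilegeCount; i++) {
        LUID_AND_ATTRIBUTES la = tpriv->Privileges[i];
        DWORD nameLen = UULEN;
        DWORD dispLen = sizeof sdisp;
        DWORD langId = 0;

        if (!LookupPrivilegeName(NULL, &la.Luid, spriv, &nameLen)) {
            printf("[Privilege %lu] error : %lu\r\n", (unsigned long)i, (unsigned long)GetLastError());
            continue;
        }
        if (!LookupPrivilegeDisplayName(NULL, spriv, sdisp, &dispLen, &langId)) {
            printf("[Privilege %lu] error : %lu\r\n", (unsigned long)i, (unsigned long)GetLastError());
        } else {
            printf("[Privilege %lu] %s - %s\r\n", (unsigned long)i, spriv, sdisp);
        }
    }
    return true;
}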

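/*
 * Print whether the token is a primary or an impersonation token and, for
 * an impersonation token, a description of its impersonation level.
 *
 * The level matters from the defender's side: at SecurityImpersonation or
 * above a server holding the token can act under the client's identity,
 * while SecurityIdentification only lets it inspect the identity.
 *
 * The description table is a static const array rather than the original
 * per-call, hand-filled struct array; the original also joined its string
 * pieces with backslash-newline, which glued words together ("informationabout",
 * "given,and").  An impersonation level not in the table is printed as its
 * numeric value instead of being silently skipped.
 *
 * Always returns 0.
 */
int OutPutTokenType(TOKEN_STATISTICS *tstat)
{
    static const struct {
        SECURITY_IMPERSONATION_LEVEL il;
        const char *dsp;
    } imperLevel[] = {
        { SecurityAnonymous,
          "SecurityAnonymous -- The server process cannot obtain identification information "
          "about the client and it cannot impersonate the client. It is defined with no value given, "
          "and thus, by ANSI C rules, defaults to a value of 0." },
        { SecurityIdentification,
          "SecurityIdentification -- The server process can obtain information about the client, "
          "such as security identifiers and privileges, but it cannot impersonate the client. "
          "This is useful for servers that export their own objects -- for example, "
          "database products that export tables and views. Using the retrieved client-security "
          "information, the server can make access-validation decisions without being able to utilize "
          "other services using the client's security context." },
        { SecurityImpersonation,
          "SecurityImpersonation -- The server process can impersonate the client's security context "
          "on its local system. The server cannot impersonate the client on remote systems." },
        { SecurityDelegation,
          "SecurityDelegation -- The server process can impersonate the client's security context "
          "on remote systems.\r\n"
          "Windows NT: This impersonation level is not supported.\r\n"
          "Windows 2000: This impersonation level is supported." },
    };
    size_t i;

    if (tstat->TokenType == TokenPrimary) {
        printf("Token Type : Primary Token\r\n");
        return 0;   /* ImpersonationLevel is not meaningful for a primary token */
    }

    printf("Token Type : Impersonation Token\r\n");
    for (i = 0; i < sizeof imperLevel / sizeof imperLevel[0]; i++) {
        if (tstat->ImpersonationLevel == imperLevel[i].il) {
            printf("\tToken Impersonation Level : %s\r\n", imperLevel[i].dsp);
            return 0;
        }
    }
    printf("\tToken Impersonation Level : %d (unknown)\r\n", (int)tstat->ImpersonationLevel);
    return 0;
}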

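/*
 * Copy the token source name of the process `hp` into `src` as a
 * NUL-terminated string.
 *
 * `src` must hold at least TOKEN_SOURCE_LENGTH + 1 bytes (main passes a
 * char[10]).  TOKEN_SOURCE.SourceName is a fixed TOKEN_SOURCE_LENGTH-byte
 * field with no guaranteed terminator, so all of it is copied and a NUL is
 * appended; the original overwrote the last byte with NUL and so dropped
 * the eighth character of every source name.
 *
 * Reading the source needs a separate TOKEN_QUERY_SOURCE handle, which is
 * opened and closed here.  On any failure `src` is left as "" and false is
 * returned after the Win32 error code is printed (the sample run on this
 * page shows error 5, ERROR_ACCESS_DENIED, for a process the caller may
 * query but not read the source of).
 */
int GetProcessTokenSource(HANDLE hp, char *src)
{
    HANDLE htoken;
    TOKEN_SOURCE tsrc;
    DWORD size = sizeof tsrc;
    BOOL ok;

    src[0] = '\0';
    if (!OpenProcessToken(hp, TOKEN_QUERY_SOURCE, &htoken)) {
        printf("OpenProcessToken QUERY_SOURCE error : %lu\r\n", (unsigned long)GetLastError());
        return false;
    }

    ok = GetTokenInformation(htoken, TokenSource, &tsrc, size, &size);
    if (!ok) {
        /* Report before CloseHandle, which may change the last-error value. */
        printf("GetTokenInformation TokenSource error : %lu\r\n", (unsigned long)GetLastError());
    }
    CloseHandle(htoken);
    if (!ok) {
        return false;
    }

    memcpy(src, tsrc.SourceName, TOKEN_SOURCE_LENGTH);
    src[TOKEN_SOURCE_LENGTH] = '\0';
    return true;
}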

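/*
 * Enable (fEnable != 0) or disable SeDebugPrivilege in the current
 * process's token; main enables it only around the OpenProcess call.
 *
 * AdjustTokenPrivileges can only toggle a privilege the token already
 * holds, so this does not grant anything to a caller that lacks it.
 *
 * Returns 0 on success, otherwise the first Win32 error code encountered.
 * Two reporting defects of the original are fixed: AdjustTokenPrivileges
 * returns TRUE with last-error ERROR_NOT_ALL_ASSIGNED when the privilege is
 * not held, which is now reported as a failure rather than silent success;
 * and GetLastError() is no longer read after a successful CloseHandle, where
 * it could return a stale code from an earlier call.  A failed
 * LookupPrivilegeValue also no longer leads to an adjust call with an
 * uninitialized LUID.
 */
int EnableDebugPriv(int fEnable)
{
    HANDLE htoken;
    TOKEN_PRIVILEGES tp = {0};
    int fError = 0;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &htoken)) {
        return (int)GetLastError();
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED : 0;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)) {
        fError = (int)GetLastError();
    } else if (!AdjustTokenPrivileges(htoken, FALSE, &tp, sizeof tp, NULL, NULL)) {
        fError = (int)GetLastError();
    } else if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        fError = ERROR_NOT_ALL_ASSIGNED;   /* TRUE return, but nothing changed */
    }

    CloseHandle(htoken);
    return fError;
}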

