
查看進程令牌信息源代碼

編輯:VC++

    用過whoami吧,這個tokenInfor和它的功能相仿,不過它查看的是指定進程的用戶信息和訪問令牌信息。

    本版管理員不能查看普通用戶進程的信息,功能完整的版本可以從www.red8black.com上下載。

    用法如下:
D:\>E:\projects\tinfor\lcc\tinfor.exe /?
TokenInfor tell Token Infor and Owner Infor of Specify Process, -- bingle

Usage : E:\projects\tinfor\lcc\tinfor.exe [pid]
pid -- ID of target process, if not provide, use current process
-?|/? -- show this.

如果沒有指定進程ID就查詢當前進程,也就是tinfor自己了,就和whoami一樣了。

D:\>tinfor 160
TokenInfor tell Token Infor and Owner Infor of Specify Process, -- bingle

Token Information of Process ID = 160.
Execute File Path = \??\D:\WINNT\system32\csrss.exe.

User Name : NT AUTHORITY\SYSTEM S-1-5-18

Belong to 3 groups
[group 0] "BUILTIN\Administrators" S-1-5-32-544
[group 1] "\Everyone" S-1-1-0
[group 2] "NT AUTHORITY\Authenticated Users" S-1-5-11

Have 21 Privileges
[Privilege 0] SeTcbPrivilege - 以操作系統方式操作
[Privilege 1] SeCreateTokenPrivilege - 創建記號對象
[Privilege 2] SeTakeOwnershipPrivilege - 取得文件或其它對象的所有權
[Privilege 3] SeCreatePagefilePrivilege - 創建頁面文件
[Privilege 4] SeLockMemoryPrivilege - 內存中鎖定頁
[Privilege 5] SeAssignPrimaryTokenPrivilege - 替換進程級記號
[Privilege 6] SeIncreaseQuotaPrivilege - 添加配額
[Privilege 7] SeIncreaseBasePriorityPrivilege - 增加進度優先級
[Privilege 8] SeCreatePermanentPrivilege - 創建永久共享對象
[Privilege 9] SeDebugPrivilege - 調試程序
[Privilege 10] SeAuditPrivilege - 產生安全審核
[Privilege 11] SeSecurityPrivilege - 管理審核和安全日志
[Privilege 12] SeSystemEnvironmentPrivilege - 修改固件環境值
[Privilege 13] SeChangeNotifyPrivilege - 跳過遍歷檢查
[Privilege 14] SeBackupPrivilege - 備份文件和目錄
[Privilege 15] SeRestorePrivilege - 還原文件和目錄
[Privilege 16] SeShutdownPrivilege - 關閉系統
[Privilege 17] SeLoadDriverPrivilege - 裝載和卸載設備驅動程序
[Privilege 18] SeProfileSingleProcessPrivilege - 配置單一進程
[Privilege 19] SeSystemtimePrivilege - 更改系統時間
[Privilege 20] SeUndockPrivilege - 從插接工作站中取出計算機

Token Type : Primary Token
OpenProcessToken QUERY_SOURCE error : 5


whoami.exe是一個有錯誤的debug版tokenInfor程序,什麼錯誤,你調試看看吧,這個錯誤不影響程序的主要功能,程序代碼的實現也沒有問題。不要用vc重新編譯whoami.c,否則錯誤就沒有了。

vc和lcc有點不同。

源程序
/**
TokenInfor tell Token Infor and Owner Infor of Specify Process
--bingle, [email protected]
*/

#include <windows.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UULEN 256 /* capacity of each name/domain buffer handed to LookupAccountSid / LookupPrivilegeName */
#define true 1 /* the helpers below return int, not bool; these mirror the C99 stdbool values */
#define false 0

/* Signature of GetModuleFileNameExA; it is resolved at run time in LoadPsapi()
 * via GetProcAddress instead of being called directly. */
typedef DWORD GetModuleFileNameExType(
HANDLE hProcess, // handle to the process
HMODULE hModule, // handle to the module
LPTSTR lpFilename, // buffer that receives the path
DWORD nSize // size of the buffer
);
GetModuleFileNameExType *GetModuleFileNameExAddr; /* NULL until LoadPsapi() succeeds */
HMODULE psapi; /* handle from LoadLibrary("psapi.dll"); NULL when LoadPsapi() fails, released by main() */

/* Token helpers. The ones taking htoken/hp print their own Win32 error code
 * and return false (0) on failure; OutPutTokenType always returns 0 and
 * EnableDebugPriv returns a Win32 error code (0 on success). */
int GetUserNameFromToken(HANDLE htoken, char user[]); /* fills user with "DOMAIN\user" */
int OutPutGroupsFromToken(HANDLE htoken); /* prints the token's group SIDs by name */
int OutPutPrivilegesFromToken(HANDLE htoken); /* prints the token's privileges with display names */
int OutPutTokenType(TOKEN_STATISTICS *tstat); /* primary vs impersonation, plus impersonation level */
int GetProcessTokenSource(HANDLE hp, char src[]); /* copies the token source name into src */
int EnableDebugPriv(int fEnable); /* enables/disables SeDebugPrivilege on the current process token */

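/*
 * Print the command-line synopsis and terminate the process.
 *
 * prog: argv[0] of the running program, shown in the synopsis line. A NULL
 *       prog is replaced by a fixed name rather than handed to %s.
 *
 * Does not return: exit(0) follows the text, as before.
 */
void Usage(const char *prog)
{
    /* The synopsis line was missing its %s, so the program name passed in
     * was never printed. */
    printf(" Usage : %s [pid]\r\n", prog != NULL ? prog : "tinfor");
    printf("\tpid -- ID of target process, if not provide, use current process\r\n");
    printf("\t-?|/? -- show this. \r\n");

    exit(0);
}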

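/*
 * Resolve GetModuleFileNameExA from psapi.dll at run time.
 *
 * On success the module handle stays in the global `psapi` (main() releases
 * it with FreeLibrary) and the function pointer in `GetModuleFileNameExAddr`;
 * returns 1. On any failure both globals are NULL and 0 is returned. The
 * module reference acquired by LoadLibrary is now released when
 * GetProcAddress fails; the original only nulled the handle and leaked it.
 *
 * NOTE(review): the library is loaded by bare name, so the default DLL
 * search order applies; a tool that is run with SeDebugPrivilege should
 * prefer loading system DLLs by their absolute system-directory path.
 */
int LoadPsapi(void)
{
    GetModuleFileNameExAddr = NULL;
    psapi = LoadLibrary("psapi.dll");
    if (psapi == NULL) {
        return 0;
    }

    GetModuleFileNameExAddr =
        (GetModuleFileNameExType *)GetProcAddress(psapi, "GetModuleFileNameExA");
    if (GetModuleFileNameExAddr == NULL) {
        /* Drop the reference we just took before forgetting the handle. */
        FreeLibrary(psapi);
        psapi = NULL;
        return 0;
    }
    return 1;
}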


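/*
 * Entry point. Prints the user, groups, privileges, token type and token
 * source of the process whose decimal PID is argv[1], or of the current
 * process when no argument is given.
 *
 * Returns 0 when the token was inspected and 1 when the PID is invalid or
 * the process / its token could not be opened, so a calling script can tell
 * failure from success (the original exited 0 on every path).
 */
int main(int argc, char *argv[])
{
    printf("TokenInfor tell Token Infor and Owner Infor of Specify Process, -- bingle\r\n\r\n");
    if (argc == 2 && (strcmp(argv[1], "/?") == 0 || strcmp(argv[1], "-?") == 0)) {
        Usage(argv[0]);
    }

    /* strtoul rejects trailing junk and overflow; atoi silently accepted
     * "12abc" and gave no signal on out-of-range input. */
    unsigned long procID;
    if (argc > 1) {
        char *end = NULL;
        errno = 0;
        procID = strtoul(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0' || errno == ERANGE) {
            procID = 0;
        }
    } else {
        procID = GetCurrentProcessId();
    }
    if (procID == 0) {
        printf(" Bad Process ID provided!!\r\n");
        Usage(argv[0]);   /* does not return */
    }

    int status = 1;
    HANDLE hp = NULL;
    HANDLE htoken = NULL;

    /* SeDebugPrivilege is held only around OpenProcess. The OpenProcess
     * error code is saved before EnableDebugPriv(0) so that call cannot
     * overwrite it. */
    unsigned long ret = (unsigned long)EnableDebugPriv(1);
    if (ret != 0) {
        printf("EnableDebugPriv(1) error : %lu \r\n", ret);
    }
    hp = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, procID);
    ret = GetLastError();
    EnableDebugPriv(0);
    if (hp == NULL) {
        printf("Unable to open target process ID=%lu. Error : %lu\r\n", procID, ret);
        return status;
    }

    printf("Token Information of Process ID = %lu.\r\n", procID);

    char buff[1024];
    if (LoadPsapi()) {
        /* Pass the real buffer size rather than a repeated literal. */
        ret = GetModuleFileNameExAddr(hp, NULL, buff, (DWORD)sizeof buff);
        if (ret) {
            printf("Execute File Path = %s.\r\n", buff);
        } else {
            printf("Get Execute File Path Error : %lu.\r\n", GetLastError());
        }
        FreeLibrary(psapi);
        psapi = NULL;
    } else {
        printf("Cannot Get Execute File Path, Load Psapi.dll Error.\r\n");
    }

    puts("");

    if (!OpenProcessToken(hp, TOKEN_QUERY, &htoken)) {
        printf("OpenProcessToken QUERY error : %lu\r\n", GetLastError());
        htoken = NULL;   /* do not trust the out-param after a failure */
        goto exit_main;
    }

    if (GetUserNameFromToken(htoken, buff)) {
        printf("User Name : %s\r\n", buff);
    }

    OutPutGroupsFromToken(htoken);

    OutPutPrivilegesFromToken(htoken);

    /* TOKEN_STATISTICS is fixed-size, so query straight into a struct
     * instead of reinterpreting the char buffer (no alignment assumption). */
    TOKEN_STATISTICS tstat;
    unsigned long size = 0;
    if (!GetTokenInformation(htoken, TokenStatistics, &tstat, sizeof tstat, &size)) {
        printf("GetTokenInformation TokenStatistics error : %lu\r\n", GetLastError());
        goto exit_main;
    }
    OutPutTokenType(&tstat);

    /* Token source is best-effort: it needs TOKEN_QUERY_SOURCE, which the
     * sample run shows failing (error 5) for csrss.exe. */
    char src[TOKEN_SOURCE_LENGTH + 1];
    if (GetProcessTokenSource(hp, src)) {
        printf("Token source : %s\r\n", src);
    }
    status = 0;

exit_main:
    if (htoken != NULL) {
        CloseHandle(htoken);
    }
    CloseHandle(hp);
    return status;
}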

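/*
 * Build "DOMAIN\user" for the token's user SID.
 *
 * htoken: token opened with at least TOKEN_QUERY.
 * user:   output buffer; must hold at least 2 * UULEN + 2 bytes (domain,
 *         backslash, account name, NUL). main() passes a 1024-byte buffer.
 *
 * Returns true on success, false (after printing the Win32 error code) when
 * the token user cannot be read or the SID cannot be resolved to a name.
 */
int GetUserNameFromToken(HANDLE htoken, char user[])
{
    /* A union keeps the raw storage aligned for TOKEN_USER instead of
     * casting a char array. */
    union {
        TOKEN_USER tu;
        unsigned char raw[1024];
    } info;
    unsigned long size = sizeof info;

    if (!GetTokenInformation(htoken, TokenUser, &info, size, &size)) {
        printf("GetTokenInformation error : %lu\r\n", GetLastError());
        return false;
    }

    /* LookupAccountSid has separate in/out lengths for the name and the
     * domain. The original passed one variable for both, so the length it
     * read for the domain buffer could already have been overwritten. */
    char tusr[UULEN], domain[UULEN];
    unsigned long cchName = UULEN;
    unsigned long cchDomain = UULEN;
    SID_NAME_USE snu;
    if (!LookupAccountSid(NULL, info.tu.User.Sid, tusr, &cchName, domain, &cchDomain, &snu)) {
        printf("LookupAccountSid error : %lu\r\n", GetLastError());
        return false;
    }

    /* Both halves are bounded by UULEN, so this bound matches the documented
     * minimum buffer size; the original sprintf also lacked its %s specifiers. */
    snprintf(user, 2 * UULEN + 2, "%s\\%s", domain, tusr);

    return true;
}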

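/*
 * Print every group SID in the token as "[group N] DOMAIN\group".
 *
 * TOKEN_GROUPS is variable-length, so the required size is queried first and
 * the block heap-allocated; the original's fixed 1024-byte buffer made the
 * whole call fail on tokens with many groups.
 *
 * htoken: token opened with at least TOKEN_QUERY.
 * Returns true once the group list was read (a name lookup that fails is
 * reported per group), false after printing the Win32 error code.
 */
int OutPutGroupsFromToken(HANDLE htoken)
{
    /* First call only reports the required size (fails with
     * ERROR_INSUFFICIENT_BUFFER by design). */
    unsigned long needed = 0;
    GetTokenInformation(htoken, TokenGroups, NULL, 0, &needed);
    if (needed == 0) {
        printf("GetTokenInformation TokenGroups error : %lu\r\n", GetLastError());
        return false;
    }

    TOKEN_GROUPS *tgrps = malloc(needed);
    if (tgrps == NULL) {
        printf("GetTokenInformation TokenGroups error : out of memory\r\n");
        return false;
    }
    if (!GetTokenInformation(htoken, TokenGroups, tgrps, needed, &needed)) {
        printf("GetTokenInformation TokenGroups error : %lu\r\n", GetLastError());
        free(tgrps);
        return false;
    }

    printf("\r\nBelong to %lu groups\r\n", tgrps->GroupCount);

    for (DWORD i = 0; i < tgrps->GroupCount; i++) {
        char group[UULEN], domain[UULEN];
        /* Separate in/out lengths for name and domain (see LookupAccountSid). */
        unsigned long cchGroup = UULEN;
        unsigned long cchDomain = UULEN;
        SID_NAME_USE snu;
        if (!LookupAccountSid(NULL, tgrps->Groups[i].Sid, group, &cchGroup,
                              domain, &cchDomain, &snu)) {
            printf("[group %lu] error : %lu\r\n", i, GetLastError());
        } else {
            printf("[group %lu] %s\\%s\r\n", i, domain, group);
        }
    }

    free(tgrps);
    return true;
}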

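/*
 * Print every privilege in the token as "[Privilege N] Name - Display (state)".
 *
 * The state (enabled/disabled, from SE_PRIVILEGE_ENABLED in the attributes)
 * is printed because a privilege that is present but disabled is not in
 * effect; that distinction is the point of inspecting a token.
 *
 * TOKEN_PRIVILEGES is variable-length, so the size is queried first and the
 * block heap-allocated instead of using a fixed 1024-byte buffer.
 *
 * htoken: token opened with at least TOKEN_QUERY.
 * Returns true once the privilege list was read (lookups that fail are
 * reported per privilege), false after printing the Win32 error code.
 */
int OutPutPrivilegesFromToken(HANDLE htoken)
{
    unsigned long needed = 0;
    GetTokenInformation(htoken, TokenPrivileges, NULL, 0, &needed);
    if (needed == 0) {
        printf("GetTokenInformation TokenPrivileges error : %lu\r\n", GetLastError());
        return false;
    }

    TOKEN_PRIVILEGES *tpriv = malloc(needed);
    if (tpriv == NULL) {
        printf("GetTokenInformation TokenPrivileges error : out of memory\r\n");
        return false;
    }
    if (!GetTokenInformation(htoken, TokenPrivileges, tpriv, needed, &needed)) {
        printf("GetTokenInformation TokenPrivileges error : %lu\r\n", GetLastError());
        free(tpriv);
        return false;
    }

    printf("\r\nHave %lu Privileges\r\n", tpriv->PrivilegeCount);

    for (DWORD i = 0; i < tpriv->PrivilegeCount; i++) {
        LUID_AND_ATTRIBUTES la = tpriv->Privileges[i];

        char spriv[UULEN];
        unsigned long cchPriv = UULEN;
        /* The original ignored this result and passed an uninitialised name
         * on to LookupPrivilegeDisplayName. */
        if (!LookupPrivilegeName(NULL, &la.Luid, spriv, &cchPriv)) {
            printf("[Privilege %lu] error : %lu\r\n", i, GetLastError());
            continue;
        }

        char sdisp[UULEN * 2];
        unsigned long cchDisp = UULEN * 2;
        unsigned long langId = 0;   /* out-only language id; the original reused `size` for it */
        const char *state = (la.Attributes & SE_PRIVILEGE_ENABLED) ? "enabled" : "disabled";
        if (!LookupPrivilegeDisplayName(NULL, spriv, sdisp, &cchDisp, &langId)) {
            printf("[Privilege %lu] %s (%s) error : %lu\r\n", i, spriv, state, GetLastError());
        } else {
            printf("[Privilege %lu] %s - %s (%s)\r\n", i, spriv, sdisp, state);
        }
    }

    free(tpriv);
    return true;
}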

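/*
 * Print whether the token is a primary or an impersonation token and, for an
 * impersonation token, the description of its impersonation level.
 *
 * tstat: TOKEN_STATISTICS already fetched by the caller; must not be NULL.
 * Returns 0 unconditionally (existing callers ignore the result).
 */
int OutPutTokenType(TOKEN_STATISTICS *tstat)
{
    /* Built once instead of on every call, and const-correct since the
     * descriptions are literals. Adjacent-literal concatenation replaces the
     * backslash continuations, with a space at each join where the original
     * ran two words together. */
    static const struct {
        SECURITY_IMPERSONATION_LEVEL il;
        const char *dsp;
    } impersonation_levels[] = {
        { SecurityAnonymous,
          "SecurityAnonymous -- The server process cannot obtain identification information "
          "about the client and it cannot impersonate the client. It is defined with no value given, "
          "and thus, by ANSI C rules, defaults to a value of 0." },
        { SecurityIdentification,
          "SecurityIdentification -- The server process can obtain information about the client, "
          "such as security identifiers and privileges, but it cannot impersonate the client. "
          "This is useful for servers that export their own objects — for example, "
          "database products that export tables and views. Using the retrieved client-security "
          "information, the server can make access-validation decisions without being able to utilize "
          "other services using the client's security context." },
        { SecurityImpersonation,
          "SecurityImpersonation -- The server process can impersonate the client's security context "
          "on its local system. The server cannot impersonate the client on remote systems." },
        { SecurityDelegation,
          "SecurityDelegation -- The server process can impersonate the client's security context "
          "on remote systems.\r\n"
          "Windows NT: This impersonation level is not supported.\r\n"
          "Windows 2000: This impersonation level is supported." },
    };

    if (tstat->TokenType == TokenPrimary) {
        printf("Token Type : Primary Token\r\n");
        return 0;   /* ImpersonationLevel is only meaningful for impersonation tokens */
    }
    printf("Token Type : Impersonation Token\r\n");

    size_t count = sizeof impersonation_levels / sizeof impersonation_levels[0];
    for (size_t i = 0; i < count; i++) {
        if (tstat->ImpersonationLevel == impersonation_levels[i].il) {
            /* The original format string had lost its %s, so the description
             * was never printed. */
            printf("\tToken Impersonation Level : %s\r\n", impersonation_levels[i].dsp);
            return 0;
        }
    }
    /* A level outside the table used to be silently skipped. */
    printf("\tToken Impersonation Level : unknown (%d)\r\n", (int)tstat->ImpersonationLevel);
    return 0;
}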

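/*
 * Copy the token source name of the process's primary token into src as a
 * NUL-terminated string.
 *
 * hp:  process handle with PROCESS_QUERY_INFORMATION.
 * src: output buffer of at least TOKEN_SOURCE_LENGTH + 1 bytes; set to ""
 *      on failure.
 *
 * Returns true on success, false (after printing the Win32 error code) when
 * the token cannot be opened for TOKEN_QUERY_SOURCE (the sample run shows
 * error 5 for csrss.exe) or the source cannot be read.
 *
 * SourceName is TOKEN_SOURCE_LENGTH characters and is not NUL-terminated;
 * the original wrote a NUL over SourceName[7] and so always dropped the last
 * character. All characters are kept here and the terminator goes after them.
 */
int GetProcessTokenSource(HANDLE hp, char *src)
{
    src[0] = '\0';

    HANDLE htoken = NULL;
    if (!OpenProcessToken(hp, TOKEN_QUERY_SOURCE, &htoken)) {
        printf("OpenProcessToken QUERY_SOURCE error : %lu\r\n", GetLastError());
        return false;
    }

    /* TOKEN_SOURCE is fixed-size: query into the struct itself rather than
     * reinterpreting a char buffer. */
    TOKEN_SOURCE tsrc;
    unsigned long size = 0;
    int ok = GetTokenInformation(htoken, TokenSource, &tsrc, sizeof tsrc, &size);
    unsigned long err = GetLastError();   /* saved before CloseHandle can clobber it */
    CloseHandle(htoken);
    if (!ok) {
        printf("GetTokenInformation TokenSource error : %lu\r\n", err);
        return false;
    }

    memcpy(src, tsrc.SourceName, TOKEN_SOURCE_LENGTH);
    src[TOKEN_SOURCE_LENGTH] = '\0';

    return true;
}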

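/*
 * Enable (fEnable != 0) or disable SeDebugPrivilege in the current process
 * token. main() enables it only around OpenProcess and disables it again
 * straight after, so the privilege is held for the shortest window.
 *
 * Returns 0 on success, otherwise the first Win32 error code encountered.
 * AdjustTokenPrivileges can return success yet set ERROR_NOT_ALL_ASSIGNED
 * when the privilege is absent from the token; that code is captured right
 * after the call. The original read GetLastError() only after CloseHandle(),
 * which may already have overwritten it, and still called
 * AdjustTokenPrivileges with an unset LUID when LookupPrivilegeValue failed.
 */
int EnableDebugPriv(int fEnable)
{
    HANDLE htoken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &htoken)) {
        return (int)GetLastError();
    }

    DWORD err = 0;
    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED : 0;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)) {
        err = GetLastError();
    } else if (!AdjustTokenPrivileges(htoken, FALSE, &tp, sizeof tp, NULL, NULL)) {
        err = GetLastError();
    } else {
        /* Success path: 0, or ERROR_NOT_ALL_ASSIGNED if the privilege is
         * not held by this token. */
        err = GetLastError();
    }
    CloseHandle(htoken);
    return (int)err;
}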
