Views: 3487  Replies: 30
How to get the owner of a thread/process from within a driver?
I want to get the owner of a thread or process, i.e. the user name, from within a driver. How can this be implemented?
For example, in a file system driver, I want to determine the user name of a remote user on the LAN who is trying to access this machine. Can this be done? How? Thanks!
#1 (沙发)
Posted: 2002-08-25 18:00
Learned a lot. Could someone post some related code?
Thanks, experts :)
#2 (板凳)
Posted: 2002-08-21 23:42
I think so!
#3 (地板)
Posted: 2002-08-21 23:37
You can download the tokenmon source from www.sysinternals.com; it can get the owner of the currently active process (thread), such as the user name and logon ID (logonid). With the logon ID you can get the corresponding host name. Under WIN2000 my approach is to configure a security audit policy; when a remote user logs on to this machine, the system generates a corresponding log record. By calling API functions you can open the log file and retrieve the host name that corresponds to the logon ID. But I don't feel this approach is good. Does anyone have a better method to find the corresponding host name from the logon ID (logonid)? [Edited - 8/21/02 by devil_jie]
#4 (地下室)
Posted: 2002-06-24 15:20
good
#5
Posted: 2002-06-19 10:55
Thanks, I have seen the service, and I have had a mind of the service.
I will try what you told me, and if any problems later, please don't hesitate to tell me. thanks for a second time.
#6
Posted: 2002-06-19 10:36
can not explain in several words. you need see msdn -> platform sdk -> base services -> service. full documented.
i only do some, not all of your request. I detect ontime access is from net or just from local account. i need not know accurate user name. get username from sid, it should not be difficult in ring3. in read/write phase, because sometimes IRP is not dealing in original context, so there is no meaning for dealing in read/write phase. in Create phase, IRP_MJ_CREATE, system always make sure it's in original context, then you can get username. cache it (just use filemon hash is ok), use in read/write phase.
#7
Posted: 2002-06-19 08:26
this is from OCR. use this should work. good luck.
Thanks for your answer at first, I have some questions on it. 1. What's a user mode service? Can I consider it as a user mode application? Is it an application? 2. Did you try like this in the past? if so, can you tell me some technologies on it? thanks.
#8
Posted: 2002-06-18 22:14
this is from OCR. use this should work. good luck.
only thing maybe need care. you should deal this in create phase. not read/write phase. if you want to use it in read/write, cache create phase user info yourself.
#9
Posted: 2002-06-18 14:42
Q35 How do I retrieve the "user name" for the user performing a given operation?
User names, per se, are not a concept of the core OS. Rather, users are tracked internally as "security identifiers" or SIDs. It is possible to extract the SID of the current thread. If a "user name" is needed, a user mode service can be used to convert from the SID to the corresponding text user name. This is done using the Win32 function LookupAccountSid, which is documented in the Platform SDK.

The SID of the calling thread can be extracted from its token. This is done by first attempting to open the thread token (ZwOpenThreadTokenEx or NtOpenThreadToken or NtOpenThreadTokenEx). If this fails because the thread has no token, the filter should open the process token (ZwOpenProcessTokenEx or NtOpenProcessToken or NtOpenProcessTokenEx). In either case, the filter will have a handle for a token. The SID can be retrieved from the given token using NtQueryInformationToken or ZwQueryInformationToken. The filter should specify TokenUser as the TOKEN_INFORMATION_CLASS value. The call will return a buffer that contains the TOKEN_USER structure. This structure contains the SID of the token.

Note, however, that obtaining the SID of the current caller is often not precisely what a filter is trying to accomplish. Instead, often the filter wishes to know the SID of the requesting thread. For local calls, this will typically be the same. For remote calls, however, the CIFS server routinely utilizes impersonation during IRP_MJ_CREATE and for some IRP_MJ_SET_INFORMATION operations. Otherwise, the CIFS server uses the local system's credentials. To handle this case, a filter must store away the credential information of the original caller. In the case of IRP_MJ_CREATE the original caller's token is specified as part of the IO_SECURITY_CONTEXT parameter. The ACCESS_STATE structure in turn contains the SECURITY_SUBJECT_CONTEXT and the filter can retrieve a pointer to the token using SeQuerySubjectContextToken. The SID can then be retrieved from the token using SeQueryInformationToken.
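Added example, written for this edit and not code from the thread or from the OSR FAQ quoted in #9: replies #6 and #8 say to read the user during IRP_MJ_CREATE (the one phase guaranteed to run in the requester's context) and cache it for the read/write path, and #9 says the TokenUser query returns a TOKEN_USER whose Sid field points at a binary SID. The portable C below takes the raw SID bytes such a buffer points at, renders them in the familiar S-1-... text form (the job Win32's ConvertSidToStringSid does in user mode before LookupAccountSid maps the SID to a name), flags S-1-5-18 (LocalSystem, the credentials the CIFS server runs on outside impersonation, so a filter that sees it on a read from a network client is not looking at the remote user), and keeps a create-phase cache keyed by file-object pointer. The SID byte layout is the documented one; the sample SIDs, the cache shape and the function names are constructed for the example, and the kernel calls themselves (ZwQueryInformationToken, SeQueryInformationToken) are not exercised here.

```c
/* Added example, not code from the thread. Portable C: binary SID -> "S-1-..."
 * text, LocalSystem check, and a create-phase cache keyed by file object.
 * Sample SID bytes are constructed; in a filter they would come from the
 * TOKEN_USER buffer returned for TokenUser. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SUB_AUTH 15      /* documented maximum sub-authority count */
#define SID_STR_MAX  192     /* "S-1-" + 15-digit authority + 15 x "-4294967295" */
#define CACHE_SLOTS  64

/* Documented SID layout: Revision(1), SubAuthorityCount(1),
 * IdentifierAuthority(6, big-endian), SubAuthority[count] (little-endian u32).
 * Returns the string length, or -1 if the buffer is malformed or truncated. */
int sid_to_string(const uint8_t *sid, size_t len, char *out, size_t outlen)
{
    if (len < 8 || sid[0] != 1 || sid[1] > MAX_SUB_AUTH) return -1;
    size_t count = sid[1];
    if (len < 8 + 4 * count) return -1;              /* truncated sub-authorities */
    uint64_t auth = 0;
    for (int i = 0; i < 6; i++) auth = (auth << 8) | sid[2 + i];
    int n = snprintf(out, outlen, "S-1-%llu", (unsigned long long)auth);
    if (n < 0 || (size_t)n >= outlen) return -1;
    for (size_t i = 0; i < count; i++) {
        const uint8_t *p = sid + 8 + 4 * i;
        uint32_t sub = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        int m = snprintf(out + n, outlen - n, "-%u", (unsigned)sub);
        if (m < 0 || (size_t)m >= outlen - n) return -1;
        n += m;
    }
    return n;
}

/* S-1-5-18 is LocalSystem: outside IRP_MJ_CREATE the CIFS server runs on these
 * credentials, so this SID on a remote request is the server, not the user. */
int sid_is_local_system(const char *s) { return strcmp(s, "S-1-5-18") == 0; }

/* Constructed sample SIDs: LocalSystem, and a domain user S-1-5-21-1000-2000-3000-1105. */
const uint8_t SAMPLE_SYSTEM_SID[12] = { 1, 1, 0,0,0,0,0,5, 18,0,0,0 };
const uint8_t SAMPLE_USER_SID[28]   = { 1, 5, 0,0,0,0,0,5, 21,0,0,0,
    0xE8,0x03,0,0, 0xD0,0x07,0,0, 0xB8,0x0B,0,0, 0x51,0x04,0,0 };

/* Create-phase cache: file object pointer -> SID string of the opener.
 * A real filter would guard this with a lock and use a proper hash table. */
typedef struct { const void *file_object; char user_sid[SID_STR_MAX]; } cache_entry;
static cache_entry g_cache[CACHE_SLOTS];

/* Called in the IRP_MJ_CREATE path, where the thread context is the requester's. */
int cache_on_create(const void *file_object, const uint8_t *sid, size_t len)
{
    char tmp[SID_STR_MAX];
    if (file_object == NULL || sid_to_string(sid, len, tmp, sizeof tmp) < 0) return -1;
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (g_cache[i].file_object == NULL || g_cache[i].file_object == file_object) {
            g_cache[i].file_object = file_object;
            strcpy(g_cache[i].user_sid, tmp);
            return 0;
        }
    }
    return -1;                                        /* cache full */
}

/* Called in IRP_MJ_READ/WRITE, which may run in a worker context. */
const char *cache_lookup(const void *file_object)
{
    if (file_object == NULL) return NULL;
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (g_cache[i].file_object == file_object) return g_cache[i].user_sid;
    return NULL;
}

/* Called on close/cleanup so a reused file-object address cannot inherit a stale user. */
void cache_on_close(const void *file_object)
{
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (g_cache[i].file_object == file_object) g_cache[i].file_object = NULL;
}

int main(void)
{
    char buf[SID_STR_MAX];
    int fo = 0;                                       /* stands in for a FILE_OBJECT address */
    sid_to_string(SAMPLE_USER_SID, sizeof SAMPLE_USER_SID, buf, sizeof buf);
    printf("create phase opener: %s (LocalSystem: %d)\n", buf, sid_is_local_system(buf));
    cache_on_create(&fo, SAMPLE_USER_SID, sizeof SAMPLE_USER_SID);
    printf("read phase sees:     %s\n", cache_lookup(&fo));
    cache_on_close(&fo);
    return 0;
}
```

The length check before the sub-authority loop is the part worth keeping when moving this into a driver: TokenUser buffers are caller-sized, and a SID whose SubAuthorityCount promises more bytes than the buffer holds must be rejected rather than read past.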
#10
Posted: 2002-06-18 09:22
Still getting it in ring3?
#11
Posted: 2002-06-18 09:15
You can pass the thread handle to Ring3; in Ring3 there are naturally many ways to get the owner.
#12
Posted: 2002-06-18 09:08
What does that have to do with getting the owner of a thread?
#13
Posted: 2002-06-18 08:56
zdhe is right, this can only be asynchronous, not synchronous. The basic structure is as follows (9x):
Ring3: create an Event and get that Event's Ring0 handle; pass the handle into Ring0 via DeviceIO. Ring3 creates a Thread that waits on this Event; when the Event becomes signaled, Ring3 handles it. Ring0: when it needs to call Ring3, set that Event to signaled, then wait for Ring3 to finish. This also involves the question of data transfer; if you have problems, contact me again.
#14
Posted: 2002-06-18 08:25
The brothers above have offered many good insights, but I still have no idea how to get the owner of a thread/process in kernel mode.
#15
Posted: 2002-06-17 21:42
use apc you can call ring3 from ring0.
any way, it's async, not sync call.
#16
Posted: 2002-06-17 20:38
What are you on about?...........
#17
Posted: 2002-06-17 17:51
NT likewise has services that let you call Ring3 from Ring0; it's just that 2000 seems to no longer support them.
Actually the so-called Ring0 Call Ring3 only fakes the appearance of a system service returning; after the Ring3 code runs, the gate mechanism is used again to restore a safe state. It is a bit like the principle of switching back and forth between the V86 monitor and the V86 program.
#18
Posted: 2002-06-17 17:12
"I haven't studied it" - then why did you say what I said wouldn't work, 5555555555 :( If a task gate works, then using the IDT and GDT can of course work too.
#19
Posted: 2002-06-17 17:11
I haven't studied it.
I guess it's possible from 0->3