Does the IRP carry the name of the user performing the current operation? How do I get it?
Experts, please advise!
How does FileMon obtain the user name for the current operation? Is it in the IRP? Please tell me the specific variable name. Many thanks for helping a newbie.
驱动老牛
#1
Posted: 2005-03-29 12:51
The approach that I've always taken to this is to capture the SID of the
caller during the IRP_MJ_CREATE handling. Here is the code that we routinely use. It does not use the ACCESS_TOKEN in the IRP and it can be called successfully in the IRP_MJ_CREATE entry path because you're a highest level driver (and hence guaranteed to be called at IRQL_PASSIVE_LEVEL) and you are called with correct security context.

    NTSTATUS code;
    HANDLE   handle;
    ULONG    tokenInfoLength;
    ULONG    index;
    PISID    sid;
    //
    // Large enough for a TOKEN_USER followed by a SID with the maximum
    // number of sub-authorities.
    //
    UCHAR    buffer[256];

    //
    // Demonstrate how to retrieve the SID for the caller. Typically, this information is
    // sent to the user application for further processing. We've included it here
    // simply to demonstrate how to retrieve this information.
    //
    // The approach we use is to first try and open the thread token. If that fails, we
    // open the process token (which always works) and then use the token handle (in either
    // case) to query the SID information for the token.
    //
    code = ZwOpenThreadToken(NtCurrentThread(), TOKEN_READ, TRUE, &handle);
    if (code == STATUS_NO_TOKEN) {
        //
        // Since we don't have a thread level token we'll use the process
        // level token. This is the common case (in fact) since the only
        // time a thread has a token is when it is impersonating.
        //
        code = ZwOpenProcessToken(NtCurrentProcess(), TOKEN_READ, &handle);
    }
    ASSERT(NT_SUCCESS(code));

    //
    // Retrieve the user information from the token. Note that this can be used to query
    // twice (once to get the size of the needed buffer.) For this example we've allocated
    // a buffer that should always be large enough.
    //
    code = ZwQueryInformationToken(handle, TokenUser, buffer, sizeof(buffer), &tokenInfoLength);
    //
    // This call should always work.
    //
    ASSERT(NT_SUCCESS(code));

    //
    // The buffer now holds a TOKEN_USER whose SID_AND_ATTRIBUTES member points at the
    // caller's SID (stored in the same buffer).
    //
    sid = (PISID)((PTOKEN_USER)buffer)->User.Sid;

    //
    // For this example, we print out the SID contents. If you wanted to pass it to the user
    // mode caller, you'd copy it into their buffer (wherever you'd like!)
    //
    DbgPrint("*** BEGIN SID Dump ***\n");
    DbgPrint("Caller's SID (Revision %u, SubAuthorityCount %u):\n",
             sid->Revision, sid->SubAuthorityCount);
    DbgPrint("\tIdentifierAuthority = %u-%u-%u-%u-%u-%u\n",
             sid->IdentifierAuthority.Value[0], sid->IdentifierAuthority.Value[1],
             sid->IdentifierAuthority.Value[2], sid->IdentifierAuthority.Value[3],
             sid->IdentifierAuthority.Value[4], sid->IdentifierAuthority.Value[5]);
    if (sid->SubAuthorityCount) {
        DbgPrint("\tSubAuthority =");
        for (index = 0; index < sid->SubAuthorityCount; index++) {
            if (index) {
                DbgPrint("-");
            }
            DbgPrint("%u", sid->SubAuthority[index]);
        }
        DbgPrint("\n");
    }
    DbgPrint("*** END SID Dump ***\n");

    //
    // The token handle is ours to release once we are done with it.
    //
    ZwClose(handle);
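A portable helper for the last step of the post above: turning the SID bytes pulled out of the TOKEN_USER buffer into the familiar S-1-5-... string, plus the byte-length check a driver would do before copying the SID into a user-mode caller's buffer. This is an added example, not code from the post or from the driver it quotes; the SID_IMAGE struct mirrors the Windows SID layout so it builds and runs without the WDK, and the sample SIDs are constructed.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#define MAX_SUB_AUTHORITIES 15          /* SID_MAX_SUB_AUTHORITIES on Windows */

/* Mirrors the Windows SID layout: revision, sub-authority count, a 6-byte
 * big-endian identifier authority, then 32-bit little-endian sub-authorities. */
typedef struct {
    uint8_t  Revision, SubAuthorityCount, IdentifierAuthority[6];
    uint32_t SubAuthority[MAX_SUB_AUTHORITIES];
} SID_IMAGE;
/* Bytes a driver has to copy to hand this SID to a user-mode caller. */
size_t sid_byte_length(const SID_IMAGE *sid) { return 8 + 4 * (size_t)sid->SubAuthorityCount; }

/* Format as "S-R-I-S1-S2-..." the way ConvertSidToStringSid does: the authority
 * is decimal when it fits in 32 bits, hex otherwise. Returns the string length,
 * or -1 for a malformed SID or a buffer that is too small. */
int sid_to_string(const SID_IMAGE *sid, char *out, size_t outlen)
{
    uint64_t authority = 0;
    size_t used;
    int n, i;
    if (sid->Revision != 1 || sid->SubAuthorityCount > MAX_SUB_AUTHORITIES)
        return -1;
    for (i = 0; i < 6; i++)
        authority = (authority << 8) | sid->IdentifierAuthority[i];
    if (authority >> 32)
        n = snprintf(out, outlen, "S-%u-0x%012llX", sid->Revision, (unsigned long long)authority);
    else
        n = snprintf(out, outlen, "S-%u-%llu", sid->Revision, (unsigned long long)authority);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    used = (size_t)n;
    for (i = 0; i < sid->SubAuthorityCount; i++) {
        n = snprintf(out + used, outlen - used, "-%u", (unsigned)sid->SubAuthority[i]);
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;
        used += (size_t)n;
    }
    return (int)used;
}

int main(void)
{
    /* Constructed sample: a domain-style account SID, not captured from a real machine. */
    SID_IMAGE sample = { 1, 5, {0, 0, 0, 0, 0, 5}, {21, 1000, 2000, 3000, 1001} };
    char text[128];
    if (sid_to_string(&sample, text, sizeof text) > 0)
        printf("Caller's SID: %s (%zu bytes)\n", text, sid_byte_length(&sample));
    return 0;
}
```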
#2
Posted: 2005-03-29 13:40
This method works well.