PyAntiDllHijacking:TESTDLL_v0.0
#include <Windows.h>
#include <WtsApi32.h>
#include <cstring>
#include <iostream>
#include <vector>
#pragma comment(lib, "Wtsapi32.lib")
using namespace std;
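// Owns a Win32 HANDLE and closes it when the scope exits, so every early
// return path in GetCurrProcessUser releases the process and token handles.
struct ScopedHandle {
    HANDLE h;
    explicit ScopedHandle(HANDLE handle) : h(handle) {}
    ~ScopedHandle() { if (h != NULL) CloseHandle(h); }
    ScopedHandle(const ScopedHandle&) = delete;
    ScopedHandle& operator=(const ScopedHandle&) = delete;
};

/// Shows a message box whose text is the account name and whose title is
/// the domain of the user the token of process `pid` belongs to.
/// If the process or its token cannot be opened, or the token user cannot
/// be read, a FAILURE message box is shown and the function returns.
/// The process is opened with PROCESS_QUERY_INFORMATION and the token with
/// TOKEN_QUERY only, the least access these lookups need.
/// @param pid  process id; passed to OpenProcess as a DWORD.
void GetCurrProcessUser(int pid)
{
    // PROCESS_QUERY_INFORMATION is enough for OpenProcessToken.
    ScopedHandle process(OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, static_cast<DWORD>(pid)));
    if (NULL == process.h) {
        MessageBox(NULL, TEXT("访问进程失败"), TEXT("FAILURE"), MB_OK);
        return;
    }
    HANDLE hTokenRaw = NULL;
    if (FALSE == OpenProcessToken(process.h, TOKEN_QUERY, &hTokenRaw)) {
        MessageBox(NULL, TEXT("获取进程令牌失败"), TEXT("FAILURE"), MB_OK);
        return;
    }
    ScopedHandle token(hTokenRaw);

    // Two-call pattern: the first call reports the byte count needed in
    // dwRetLen. dwRetLen is a size in bytes, so the buffer is a byte array
    // (a TOKEN_USER header followed by the SID), not an array of TOKEN_USER.
    DWORD dwRetLen = 0;
    GetTokenInformation(token.h, TokenUser, NULL, 0, &dwRetLen);
    if (dwRetLen == 0) {
        MessageBox(NULL, TEXT("获取进程令牌失败"), TEXT("FAILURE"), MB_OK);
        return;
    }
    std::vector<BYTE> tokenBuf(dwRetLen);
    if (FALSE == GetTokenInformation(token.h, TokenUser, tokenBuf.data(), dwRetLen, &dwRetLen)) {
        MessageBox(NULL, TEXT("获取进程令牌失败"), TEXT("FAILURE"), MB_OK);
        return;
    }
    PTOKEN_USER pToken = reinterpret_cast<PTOKEN_USER>(tokenBuf.data());

    // LookupAccountSid reads the size arguments as the capacity (in TCHARs)
    // of the name buffers, so both must be initialised before the first call.
    DWORD dwUserNameSize = MAX_PATH;
    DWORD dwDomainNameSize = MAX_PATH;
    std::vector<TCHAR> userName(dwUserNameSize, 0);
    std::vector<TCHAR> domainName(dwDomainNameSize, 0);
    SID_NAME_USE snu;
    BOOL bRet = LookupAccountSid(NULL, pToken->User.Sid, userName.data(), &dwUserNameSize,
                                 domainName.data(), &dwDomainNameSize, &snu);
    if (FALSE == bRet && GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
        // On this error the size out-params hold the required lengths
        // (including the terminator): grow both buffers and retry once.
        userName.assign(dwUserNameSize, 0);
        domainName.assign(dwDomainNameSize, 0);
        bRet = LookupAccountSid(NULL, pToken->User.Sid, userName.data(), &dwUserNameSize,
                                domainName.data(), &dwDomainNameSize, &snu);
    }
    // Both buffers were zero-filled, so a failed lookup shows empty strings
    // rather than uninitialised memory.
    MessageBox(NULL, userName.data(), domainName.data(), MB_OK);
}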
/// DLL entry point. On DLL_PROCESS_ATTACH it reports the account the host
/// process runs as (via GetCurrProcessUser); the thread attach/detach and
/// process detach notifications do nothing. Always returns TRUE, so the
/// load never fails from here.
/// NOTE(review): DllMain runs under the loader lock. MessageBox and
/// LookupAccountSid (which can involve a network round trip for domain
/// accounts) are among the calls Microsoft's DllMain guidance says not to
/// make from here; a test DLL tolerates this, production code should not.
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        const DWORD pid = GetCurrentProcessId();
        GetCurrProcessUser(pid);
        // A "DLL loaded" status box was once shown here and is disabled.
    }
    // DLL_THREAD_ATTACH, DLL_THREAD_DETACH and DLL_PROCESS_DETACH need no
    // handling in this DLL.
    return TRUE;
}