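/*
 * Resolve the user SID of a token to DOMAIN\Name and print it with DbgPrint.
 *
 * hToken: token handle opened with at least TOKEN_QUERY (needed for
 *         TokenUser); the caller keeps ownership of the handle.
 *
 * The function returns nothing, so a failing NT/LSA call is reported through
 * DbgPrint instead of being dropped silently (the original computed the
 * status and then ignored it).
 */
void PrintNameByToken(HANDLE hToken)
{
    ULONG cb;
    SE_TOKEN_USER user; /* TOKEN_USER plus inline storage for the SID itself */
    NTSTATUS status = NtQueryInformationToken(hToken, TokenUser, &user, sizeof(user), &cb);
    if (0 > status)
    {
        DbgPrint("NtQueryInformationToken(TokenUser) = %x\n", status);
        return;
    }

    LSA_OBJECT_ATTRIBUTES oa = { sizeof(oa) };
    HANDLE hPolicy;
    status = LsaOpenPolicy(0, &oa, POLICY_LOOKUP_NAMES, &hPolicy);
    if (0 > status)
    {
        DbgPrint("LsaOpenPolicy = %x\n", status);
        return;
    }

    /* Both start as 0 so they can be handed to LsaFreeMemory unconditionally
     * below, as the original did, even when the lookup fails. */
    PLSA_REFERENCED_DOMAIN_LIST ReferencedDomains = 0;
    PLSA_TRANSLATED_NAME Names = 0;
    status = LsaLookupSids2(hPolicy, 0, 1, &user.TokenUser.User.Sid, &ReferencedDomains, &Names);
    if (0 <= status)
    {
        /* DomainIndex is a LONG and can be negative when the SID has no
         * domain; converting it to ULONG makes the single bounds check
         * below reject that case together with an out-of-range index. */
        ULONG DomainIndex = Names->DomainIndex;
        PCUNICODE_STRING DomainName = 0;
        if (DomainIndex < ReferencedDomains->Entries)
        {
            DomainName = &ReferencedDomains->Domains[DomainIndex].Name;
        }
        DbgPrint("%x %wZ\\%wZ\n", Names->Use, DomainName, &Names->Name);
    }
    else
    {
        DbgPrint("LsaLookupSids2 = %x\n", status);
    }

    LsaFreeMemory(ReferencedDomains);
    LsaFreeMemory(Names);
    LsaClose(hPolicy);
}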
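/*
 * Report whether the current process token belongs to the SYSTEM logon
 * session, i.e. its AuthenticationId equals SYSTEM_LUID.
 *
 * pbIsSystem: receives TRUE or FALSE. It is cleared up front so the caller
 *             reads a defined value even when an NT call fails.
 * Returns the NTSTATUS of the first failing call, otherwise success.
 * Side effect: prints the token's account name via PrintNameByToken.
 */
NTSTATUS IsSystem(_Out_ PBOOL pbIsSystem)
{
    *pbIsSystem = FALSE;

    HANDLE hToken;
    NTSTATUS status = NtOpenProcessToken(NtCurrentProcess(), TOKEN_QUERY, &hToken);
    if (0 > status)
    {
        return status;
    }

    TOKEN_STATISTICS ts;
    ULONG cb;
    /* ReturnLength gets its own variable. The original pointed it at
     * ts.DynamicCharged, so the length output aliased a field inside the
     * output buffer and depended on the order in which the kernel writes
     * the two; a separate ULONG removes that dependency. */
    status = NtQueryInformationToken(hToken, TokenStatistics, &ts, sizeof(ts), &cb);
    if (0 <= status)
    {
        static const LUID System = SYSTEM_LUID;
        *pbIsSystem = System.LowPart == ts.AuthenticationId.LowPart &&
                      System.HighPart == ts.AuthenticationId.HighPart;
        PrintNameByToken(hToken);
    }
    NtClose(hToken);
    return status;
}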