如何获取SID Minifilter驱动程序?
在此过程FLT_PREOP_CALLBACK_STATUS SpyPreOperationCallback中,clientToken = Data-> Iopb-> Parameters.Create.SecurityContext-> AccessState-> SubjectSecurityContext
程序停止工作。它显示一个BDOS。
这是代码的一部分:
if ((NT_SUCCESS(nameStatus) && SpyIsWatchedPath(&nameInfo->Name))
|| (NT_SUCCESS(targetNameStatus) && SpyIsWatchedPath(&targetNameInfo->Name))) /*-The procedure SpyIsWatchedPath checks the directory C: \ 1 -*/
{
recordList = SpyNewRecord();
if (recordList)
{
USHORT offset = SpyAddRecordName(&recordList->LogRecord, &nameInfo->Name, 0);
if (NT_SUCCESS(targetNameStatus) && targetNameInfo != NULL)
{
SpyAddRecordName(&recordList->LogRecord, &targetNameInfo->Name, offset);
}
SpyLogPreOperationData(recordList);
*CompletionContext = recordList;
returnStatus = FLT_PREOP_SUCCESS_WITH_CALLBACK;
/*--------------------------*/
NTSTATUS status;
PACCESS_TOKEN clientToken;
PTOKEN_USER tokenInfo = NULL;
PUNICODE_STRING gSidUniString;
if (Data->Iopb->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.ClientToken != NULL) /*Shows a BDOS*/
{
clientToken = Data->Iopb->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.ClientToken;
}
else
{
clientToken = Data->Iopb->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.PrimaryToken;
}
status = SeQueryInformationToken(clientToken, TokenUser, (PVOID*)&tokenInfo);
if (NT_SUCCESS(status))
{
status = RtlConvertSidToUnicodeString(&gSidUniString, tokenInfo->User.Sid, TRUE);
}
/*---------------------------*/
}
我尝试写成here,但没有任何反应。