如何获取SID Minifilter驱动程序?

时间:2019-03-18 16:03:17

标签: c++

如何获取SID Minifilter驱动程序?

在此过程FLT_PREOP_CALLBACK_STATUS SpyPreOperationCallback中,clientToken = Data-> Iopb-> Parameters.Create.SecurityContext-> AccessState-> SubjectSecurityContext程序停止工作。它显示一个BDOS。

这是代码的一部分:

if ((NT_SUCCESS(nameStatus) && SpyIsWatchedPath(&nameInfo->Name))
        || (NT_SUCCESS(targetNameStatus) && SpyIsWatchedPath(&targetNameInfo->Name))) /*-The procedure SpyIsWatchedPath checks the directory C: \ 1 -*/
    {
        recordList = SpyNewRecord();

        if (recordList)
        {
            USHORT offset = SpyAddRecordName(&recordList->LogRecord, &nameInfo->Name, 0);
            if (NT_SUCCESS(targetNameStatus) && targetNameInfo != NULL)
            {
                SpyAddRecordName(&recordList->LogRecord, &targetNameInfo->Name, offset);
            }

            SpyLogPreOperationData(recordList);
            *CompletionContext = recordList;
            returnStatus = FLT_PREOP_SUCCESS_WITH_CALLBACK;

            /*--------------------------*/

             NTSTATUS status;
             PACCESS_TOKEN  clientToken;
             PTOKEN_USER tokenInfo = NULL;
             PUNICODE_STRING gSidUniString;

             if (Data->Iopb->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.ClientToken != NULL) /*Shows a BDOS*/
             {
               clientToken = Data->Iopb->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.ClientToken;
              }
             else
             {
                 clientToken = Data->Iopb->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.PrimaryToken;
             }

             status = SeQueryInformationToken(clientToken, TokenUser, (PVOID*)&tokenInfo);

             if (NT_SUCCESS(status))
             {
               status = RtlConvertSidToUnicodeString(&gSidUniString, tokenInfo->User.Sid, TRUE);
             }

            /*---------------------------*/
        }

我尝试写成here,但没有任何反应。

0 个答案:

没有答案