I'm trying to get the username of the process running using these functions.

Here is the code:

    #include <iostream>
    #include <windows.h>
    #include <psapi.h>

    using namespace std;

    int main()
    {
        HANDLE hProcess = GetCurrentProcess();
        HANDLE hToken;
        OpenProcessToken(hProcess, TOKEN_QUERY, &hToken);

        // First call only reports the required buffer size in len
        DWORD len = 0;
        GetTokenInformation(hToken, TokenOwner, NULL, 0, &len);
        PTOKEN_OWNER to = (PTOKEN_OWNER)LocalAlloc(LPTR, len);
        GetTokenInformation(hToken, TokenOwner, (LPVOID)&to, len, &len);

        char nameUser[50];
        DWORD nameUserSize = sizeof(nameUser);
        SID_NAME_USE snu;
        cout << "work";
        LookupAccountSidA(NULL, to->Owner, nameUser, &nameUserSize, NULL, NULL, &snu);
        cout << "not work";
        cout << nameUser << endl;

        LocalFree(to);
        CloseHandle(hToken);
        CloseHandle(hProcess);
        return 0;
    }

Everything crashes at the point where the function LookupAccountSidA is called. But I suspect that this is because I either pass the arguments to this function incorrectly, or create the TOKEN_OWNER structure incorrectly. The second option is more likely, since I do not understand how memory is allocated here.

I took the example from MSDN and adapted it to my needs, but nothing works. Here are the examples from MSDN:

    1 answer

    If the program crashes during the execution of a function that is part of WinAPI, then an invalid or null pointer is being accessed inside it.

    Let's look at how exactly the function is called:

     LookupAccountSidA(NULL, to->Owner, nameUser, &nameUserSize, NULL, NULL, &snu); 

    We see three null pointers being passed. Let's check in the documentation whether this is allowed:

    • lpSystemName [in, optional] - the parameter is optional, which means it is allowed.
    • lpReferencedDomainName [out, optional] - the same.
    • cchReferencedDomainName [in, out] - but here NULL cannot be passed.

    Try passing cchReferencedDomainName a pointer to a local variable of type DWORD initialized to zero.


    Following the discussion, the following addition was made in the comments:

    It turns out that this is not enough. The buffer for accepting the group name (lpReferencedDomainName) must also be specified and be of sufficient size. Otherwise, the returned username will be @.

    A working example that outputs Олег\FAMILYPC for me:

        #include <iostream>
        #include <windows.h>
        #include <psapi.h>

        int main()
        {
            HANDLE hProcess = GetCurrentProcess();
            HANDLE hToken;
            OpenProcessToken(hProcess, TOKEN_QUERY, &hToken);

            // First call only reports the required buffer size in len
            DWORD len = 0;
            GetTokenInformation(hToken, TokenOwner, NULL, 0, &len);
            PTOKEN_OWNER to = (PTOKEN_OWNER)LocalAlloc(LPTR, len);
            // Second call fills the buffer; pass the buffer itself, not its address
            GetTokenInformation(hToken, TokenOwner, to, len, &len);

            char userName[50];
            char domainName[50];
            DWORD userNameSize = sizeof(userName);
            DWORD domainNameSize = sizeof(domainName);
            SID_NAME_USE snu;
            // Both the name and the domain buffer, with their sizes, are supplied
            LookupAccountSidA(NULL, to->Owner, userName, &userNameSize,
                              domainName, &domainNameSize, &snu);
            std::cout << userName << "\\" << domainName << std::endl;

            LocalFree(to);
            CloseHandle(hToken);
            CloseHandle(hProcess);
            return 0;
        }
    • Passed it. Did not help. The problem here is not in this parameter, but most likely in the second one. Better explain to me how memory is allocated in these lines (taken from Example 2): pGroupInfo = (PTOKEN_GROUPS) GlobalAlloc(GPTR, dwSize); I adapted it for my case, both through GlobalAlloc and through LocalAlloc. Everything breaks. - van9petryk
    • The problem is that I pass to the function GetTokenInformation(hToken, TokenOwner, (LPVOID)&to, len, &len); the address of the pointer as the third parameter, but you just need (LPVOID)to. Now the program runs, but still not as it should. It displays the "@" character instead of the username. - van9petryk
    • @van9petryk, fixed the problem; see the addition to the answer. - ߊߚߤߘ
    • Well, yes, better. Only I do not see Ivan\IvanPc, but Administrators\BUILTIN - van9petryk
    • @van9petryk, which means that the program or the development environment (rights are inherited, simply put, from the launching program to the launched program) is running as administrator. - ߊߚߤߘ
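
The last two comments turn on TokenOwner versus TokenUser: the owner is the default owner SID for objects the process creates (Administrators\BUILTIN in the thread's run), while TokenUser is the account the token represents. An added example, not code from the thread, that reads both and prints them as SID strings without a name lookup; `sidToString`, `tokenInfo` and `kAdminsSid` are hypothetical names and the sample SID bytes are constructed.

```cpp
// Added example, not code from the thread. sidToString and tokenInfo are
// hypothetical helper names; the Win32 part links against Advapi32.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Constructed sample: binary form of S-1-5-32-544 (BUILTIN\Administrators).
const uint8_t kAdminsSid[] = {1, 2, 0,0,0,0,0,5, 32,0,0,0, 0x20,0x02,0,0};

// Render the bytes a PSID points to as "S-1-<authority>-<sub>...";
// returns "" for a truncated or malformed buffer.
std::string sidToString(const uint8_t* p, size_t n) {
    if (n < 8 || p[0] != 1 || p[1] > 15 || n < 8u + 4u * p[1]) return "";
    uint64_t auth = 0;
    for (int i = 2; i < 8; ++i) auth = (auth << 8) | p[i];  // big-endian
    std::string s = "S-1-" + std::to_string(auth);
    for (unsigned i = 0; i < p[1]; ++i) {
        const uint8_t* q = p + 8 + 4 * i;                    // little-endian
        uint32_t sub = q[0] | (q[1] << 8) | (q[2] << 16) | ((uint32_t)q[3] << 24);
        s += "-" + std::to_string(sub);
    }
    return s;
}
#ifdef _WIN32
#include <windows.h>
// Two-call pattern: the first call reports the size, the second fills the buffer.
static std::vector<uint8_t> tokenInfo(HANDLE tok, TOKEN_INFORMATION_CLASS cls) {
    DWORD len = 0;
    GetTokenInformation(tok, cls, NULL, 0, &len);
    std::vector<uint8_t> buf(len);
    if (!len || !GetTokenInformation(tok, cls, buf.data(), len, &len)) buf.clear();
    return buf;
}
int main() {
    HANDLE tok;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return 1;
    auto user = tokenInfo(tok, TokenUser), owner = tokenInfo(tok, TokenOwner);
    CloseHandle(tok);
    if (user.empty() || owner.empty()) return 1;
    PSID us = ((TOKEN_USER*)user.data())->User.Sid;   // account the token represents
    PSID os = ((TOKEN_OWNER*)owner.data())->Owner;    // default owner of new objects
    printf("user  %s\nowner %s\n",
           sidToString((const uint8_t*)us, GetLengthSid(us)).c_str(),
           sidToString((const uint8_t*)os, GetLengthSid(os)).c_str());
}
#else
int main() { puts(sidToString(kAdminsSid, sizeof kAdminsSid).c_str()); }
#endif
```

On a non-Windows build only the decoder runs, over the constructed sample.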