
Programm lp

War auch etwas fleißig:

// Console tool: lists the running processes together with the account each one runs under.
program lp; {$APPTYPE CONSOLE}

uses
  SysUtils,
  Windows,
  tlhelp32,
  psapi;

type
  LPByte = ^Byte;

  // Mirrors the level-1 NET_DISPLAY_USER record (lmaccess.h) filled by
  // NetQueryDisplayInformation; that enumeration covers local user accounts only.
  TNET_DISPLAY_USER = record
    usri1_name : LPWSTR;
    usri1_comment : LPWSTR;
    usri1_flags : DWORD;
    usri1_full_name : LPWSTR;
    usri1_user_id : DWORD;
    usri1_next_index: DWORD;   // value to pass as Index on the follow-up call when the first one returned ERROR_MORE_DATA
  end;
  PNET_DISPLAY_USER = ^TNET_DISPLAY_USER;


  // Raw Win32 imports not declared by this Delphi version's Windows unit.
  // ConvertSidToStringSidA: per the Win32 contract StringSid is a LocalAlloc'ed buffer
  // that the caller has to release with LocalFree.
  function ConvertSidToStringSidA(Sid: PSID; var StringSid: LPTSTR): LongBool; stdcall; external 'advapi32.dll';
  // GetSecurityInfo: the out-parameters are declared as plain pointers here, so callers
  // pass @variable. ppSecurityDescriptor receives a LocalAlloc'ed block (see the LocalFree
  // in GetUserByPID); the owner/group SID pointers returned point INTO that block.
  function GetSecurityInfo(handle: THandle; ObjectType: DWord;   SecurityInfo: SECURITY_INFORMATION; ppsidOwner: PSID; ppsidGroup: PSID;   ppDacl: PACL;   ppSacl: PACL; ppSecurityDescriptor: PSECURITY_DESCRIPTOR): DWORD; stdcall; external 'advapi32.dll';

  // NetQueryDisplayInformation: SortedBuffer is allocated by the API and must be
  // released with NetApiBufferFree.
  function NetQueryDisplayInformation(ServerName: LPWSTR; Level, Index, EntriesRequested, ReferredMaximumLength: DWORD; var ReturnedEntryCount: DWORD; var SortedBuffer: LPBYTE): LongWord; stdcall; external 'Netapi32.dll';
  function NetApiBufferFree(Buffer: Pointer): DWORD; stdcall; external 'Netapi32.dll';

const
  // SE_OBJECT_TYPE values (accctrl.h) for the ObjectType argument of GetSecurityInfo.
  SE_UNKNOWN_OBJECT_TYPE: DWord = 0;
  SE_FILE_OBJECT: DWord = 1;
  SE_SERVICE: DWord = 2;
  SE_PRINTER: DWord = 3;
  SE_REGISTRY_KEY: DWord = 4;
  SE_LMSHARE: DWord = 5;
  SE_KERNEL_OBJECT: DWord = 6;
  SE_WINDOW_OBJECT: DWord = 7;

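// Enables (boEnable = True) or disables (boEnable = False) the named privilege,
// e.g. 'SeDebugPrivilege', in the current process token.
// Returns True only if the privilege is now in the requested state.
// AdjustTokenPrivileges returns TRUE even when the privilege is not held by the
// token at all - it merely sets the last error to ERROR_NOT_ALL_ASSIGNED - so the
// original "Result := True on TRUE return" reported success for non-admin callers
// who never got the privilege. GetLastError = ERROR_SUCCESS is checked as well.
// The token handle is always closed; the blanket try/except was dropped because
// none of the calls raise.
function AdjustToken(sPrivilege: String; boEnable: Boolean): Boolean;
var
  hToken: Cardinal;
  luid: Int64;
  newState: TOKEN_PRIVILEGES;
  returnLength: DWORD;
begin
  Result := False;
  if not OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken) then
    Exit;
  try
    if not LookupPrivilegeValue(nil, PChar(sPrivilege), luid) then
      Exit;
    ZeroMemory(@newState, SizeOf(newState));
    newState.PrivilegeCount := 1;
    newState.Privileges[0].Luid := luid;
    if boEnable then
      newState.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED
    else
      newState.Privileges[0].Attributes := 0;   // 0 = disable
    returnLength := 0;
    if AdjustTokenPrivileges(hToken, False, newState, 0, nil, returnLength) then
      // TRUE + ERROR_NOT_ALL_ASSIGNED means "privilege not present"; only
      // ERROR_SUCCESS means the change actually took effect.
      Result := GetLastError = ERROR_SUCCESS;
  finally
    CloseHandle(hToken);
  end;
end;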

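// Returns the lower-cased full path of the main module of process `pid`, or ''
// when the process cannot be opened or queried (access denied, PID 0/4, process
// already gone). PROCESS_VM_READ is required because GetModuleFileNameEx reads
// the module list out of the target's address space; with SeDebugPrivilege
// enabled this also works for other users' processes.
// NOTE(review): from a 32-bit build this is expected to fail for 64-bit targets
// (GetModuleFileNameEx cannot walk their module list) - confirm on a 64-bit OS.
function GetEXEByPID(pid: DWord): String;
var
  hProcess: THandle;
  len: DWORD;
begin
  Result := '';
  hProcess := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, False, pid);
  if hProcess = 0 then
    Exit;
  try
    SetLength(Result, MAX_PATH);
    // The return value is the number of characters written (0 on failure); the
    // original ignored it and relied on TrimRight to strip the zero padding.
    // A result of exactly MAX_PATH means the path was truncated to the buffer.
    len := GetModuleFileNameEx(hProcess, 0, PChar(Result), MAX_PATH);
    SetLength(Result, len);
  finally
    CloseHandle(hProcess);
  end;
  Result := LowerCase(Result);
end;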

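// Converts a SID to its textual form ('S-1-5-21-...'); returns '' if ASID is nil
// or cannot be converted.
// ConvertSidToStringSid hands back a LocalAlloc'ed buffer that the caller must
// free: the original leaked it on every call and, when the conversion failed,
// read through an uninitialised pointer.
function SidToString(ASID: PSID): String;
var
  pStr: LPTSTR;
begin
  Result := '';
  pStr := nil;
  if (ASID = nil) or not ConvertSidToStringSidA(ASID, pStr) then
    Exit;
  try
    Result := String(pStr);
  finally
    LocalFree(Cardinal(pStr));
  end;
end;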

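// Maps a SID to an account name; returns '' when the SID is invalid or cannot be
// resolved (ERROR_NONE_MAPPED).
// Resolution uses LookupAccountSid, which handles every kind of SID a process
// owner or token user can carry: local users, domain accounts, built-in groups
// and well-known SIDs such as SYSTEM, LOCAL SERVICE and NETWORK SERVICE.
// The previous implementation enumerated the *local user accounts* with
// NetQueryDisplayInformation (level 1, first 8192 entries only) and compared the
// SIDs, so anything outside that list - service accounts, domain users, group
// owners - came back empty, which is the "mostly empty strings" symptom. It also
// leaked one SID buffer per enumerated account and two LocalAlloc'ed strings per
// comparison.
// Only the account name is returned, as before; the domain part is discarded.
// NOTE(review): for domain SIDs LookupAccountSid may contact a domain controller
// and can be slow or time out while offline.
function GetUserBySID(ASID: PSID): String;
var
  cbName, cbDomain: DWORD;
  sDomain: String;
  nameUse: SID_NAME_USE;
begin
  Result := '';
  if (ASID = nil) or not IsValidSid(ASID) then
    Exit;
  // First call with empty buffers only sizes them; it fails with
  // ERROR_INSUFFICIENT_BUFFER. Any other error (e.g. ERROR_NONE_MAPPED) is final.
  cbName := 0;
  cbDomain := 0;
  LookupAccountSid(nil, ASID, nil, cbName, nil, cbDomain, nameUse);
  if (GetLastError <> ERROR_INSUFFICIENT_BUFFER) or (cbName = 0) then
    Exit;
  SetLength(Result, cbName);
  SetLength(sDomain, cbDomain);
  if LookupAccountSid(nil, ASID, PChar(Result), cbName, PChar(sDomain), cbDomain, nameUse) then
    // On success cbName holds the copied length without the terminating #0.
    SetLength(Result, cbName)
  else
    Result := '';
end;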

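// Returns the account name that process `pid` runs under, or '' when it cannot
// be determined (access denied, PID already gone, PID 0).
// The SID is taken from the process *token* (TokenUser): that is the identity
// the process actually runs as. The original only read the *owner* of the
// process object, which is just the default owner taken from the creator's
// token - for members of the Administrators group that is typically the
// BUILTIN\Administrators group rather than a user, another reason the name
// lookup came back empty. The owner is kept only as a fallback for the case
// where the token cannot be opened.
// Also fixes a handle leak: the process handle was never closed.
function GetUserByPID(pid: DWord): String;
var
  hProcess: THandle;
  hToken: THandle;
  cbToken: DWORD;
  pTokUser: PTokenUser;
  sidOwner: PSID;
  secDesc: PSECURITY_DESCRIPTOR;
begin
  Result := '';
  // PROCESS_QUERY_INFORMATION covers OpenProcessToken; READ_CONTROL is what
  // GetSecurityInfo needs to read the owner. GENERIC_READ granted more than that.
  hProcess := OpenProcess(PROCESS_QUERY_INFORMATION or READ_CONTROL, False, pid);
  if hProcess = 0 then
    Exit;
  try
    if OpenProcessToken(hProcess, TOKEN_QUERY, hToken) then
    try
      cbToken := 0;
      // Sizing call: fails with ERROR_INSUFFICIENT_BUFFER and sets cbToken.
      GetTokenInformation(hToken, TokenUser, nil, 0, cbToken);
      if (GetLastError = ERROR_INSUFFICIENT_BUFFER) and (cbToken > 0) then
      begin
        GetMem(pTokUser, cbToken);
        try
          if GetTokenInformation(hToken, TokenUser, pTokUser, cbToken, cbToken) then
            // The SID lives inside the TOKEN_USER buffer: resolve it before FreeMem.
            Result := GetUserBySID(pTokUser^.User.Sid);
        finally
          FreeMem(pTokUser);
        end;
      end;
    finally
      CloseHandle(hToken);
    end;

    if Result = '' then
    begin
      // Fallback: owner of the process object. The owner SID points into
      // secDesc, so it has to be used before the LocalFree.
      sidOwner := nil;
      secDesc := nil;
      if GetSecurityInfo(hProcess, SE_KERNEL_OBJECT, OWNER_SECURITY_INFORMATION,
                         @sidOwner, nil, nil, nil, @secDesc) = ERROR_SUCCESS then
      try
        Result := GetUserBySID(sidOwner);
      finally
        LocalFree(Cardinal(secDesc));
      end;
    end;
  finally
    CloseHandle(hProcess);
  end;
end;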

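// Prints one line per process in a Toolhelp snapshot - '<exe path> | <user>',
// or '[<EXE NAME>] | <user>' when the path cannot be read - and returns the
// number of lines printed.
// Fixes: the original loop condition `and (pe32.th32ProcessID <> GetCurrentProcessId)`
// *terminated* the enumeration at this process instead of skipping it, so every
// process listed after it was silently dropped; when the snapshot failed,
// SeDebugPrivilege was left enabled; the first entry was printed without lookup.
// SeDebugPrivilege can only be enabled when the caller already holds it
// (administrators). Without it, processes of other users mostly show an empty
// user name - that is expected, not a lookup bug.
function GetProcessesAndUserNames: Integer;
var
  hSnapshot: THandle;
  entry: TProcessEntry32;
  sExe: String;
  sUser: String;
  myPid: DWORD;
begin
  Result := 0;
  myPid := GetCurrentProcessId;

  // Best effort: needed to open other users' processes; failure is not fatal.
  AdjustToken('SeDebugPrivilege', True);
  try
    // Only the process list is needed; TH32CS_SNAPALL also copied heaps and modules.
    hSnapshot := CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0);
    if hSnapshot = INVALID_HANDLE_VALUE then
      Exit;
    try
      entry.dwSize := SizeOf(entry);
      if Process32First(hSnapshot, entry) then
        repeat
          if entry.th32ProcessID = myPid then
            Continue;   // skip ourselves but keep enumerating (Continue jumps to the until-check)
          sExe := Trim(LowerCase(GetEXEByPID(entry.th32ProcessID)));
          sUser := Trim(LowerCase(GetUserByPID(entry.th32ProcessID)));
          if (sExe <> '') and (sExe <> '?') then
            writeln(sExe + ' | ' + sUser)
          else
            writeln('[' + UpperCase(entry.szExeFile) + ']' + ' | ' + sUser);
          Inc(Result);
        until not Process32Next(hSnapshot, entry);
    finally
      CloseHandle(hSnapshot);
    end;
  finally
    // Drop the privilege again on every exit path.
    AdjustToken('SeDebugPrivilege', False);
  end;
end;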

begin
  // The listing goes to the console; readln keeps the window open when the
  // program is started from Explorer.
  GetProcessesAndUserNames;
  readln;
end.
Wie man testen kann (*), komme ich jetzt auch an alle SIDs, leider klappt das mit dem Mapping nicht so toll und man erhält häufig nur leere Strings.