
📄 userwork.cpp

📁 在驱动下实现进程隐藏,在驱动下实现进程隐藏.
#include "StdAfx.h"
#include ".\userwork.h"
#include <Lm.h>
#include <Sddl.h>
#include <Mq.h>
#include <wchar.h>

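/**
 * Enumerates the normal user accounts known to the local computer and appends
 * one (account name, string SID) pair per account to refUserNames.
 *
 * Accounts whose SID cannot be resolved or converted to text are reported
 * through AfxMessageBox and skipped; enumeration then continues with the next
 * account.
 *
 * @param refUserNames  Container that receives the (name, SID string) pairs.
 *                      Existing elements are left in place.
 * @return Always true. Enumeration failures are only reported through a
 *         message box, never through the return value.
 */
bool GetUserNames(UserSidStorage& refUserNames)
{
	LPUSER_INFO_0 pBuf = NULL;
	DWORD dwEntriesRead = 0;
	DWORD dwTotalEntries = 0;
	DWORD dwResumeHandle = 0;
	NET_API_STATUS nStatus;

	do
	{
		// Level 0 yields USER_INFO_0 records (account name only); a NULL
		// server name addresses the local computer.
		nStatus = NetUserEnum(NULL,
			0,
			FILTER_NORMAL_ACCOUNT, // global users
			(LPBYTE*)&pBuf,
			MAX_PREFERRED_LENGTH,
			&dwEntriesRead,
			&dwTotalEntries,
			&dwResumeHandle);

		if ((nStatus == NERR_Success) || (nStatus == ERROR_MORE_DATA))
		{
			for (DWORD i = 0; (pBuf != NULL) && (i < dwEntriesRead); i++)
			{
				const USER_INFO_0& entry = pBuf[i];

				// Both pointers start out NULL so the cleanup below is safe
				// on every path, including the failure paths.
				PSID pSid = NULL;
				LPTSTR pszStringSid = NULL;

				HRESULT hr = GetSidByName(entry.usri0_name, &pSid);
				if (FAILED(hr))
				{
					AfxMessageBox(_T("ERROR GetSid"));
				}
				else if (!ConvertSidToStringSid(pSid, &pszStringSid))
				{
					// Without this check a failed conversion would leave the
					// string pointer unset and the wstring construction
					// below would read through it.
					AfxMessageBox(_T("ERROR ConvertSidToStringSid"));
				}
				else
				{
					refUserNames.push_back(make_pair(
						wstring(entry.usri0_name),	// User Name
						wstring(pszStringSid)));	// User SID
				}

				// GetSidByName allocates the SID with new BYTE[]; release it
				// through the same type (delete[] on a void* is undefined).
				delete[] static_cast<BYTE*>(pSid);

				// ConvertSidToStringSid allocates with LocalAlloc.
				if (pszStringSid != NULL)
				{
					LocalFree(pszStringSid);
				}
			}
		}
		else
		{
			// AfxMessageBox does not format its arguments: the status code
			// must be rendered into the text first, otherwise it would be
			// interpreted as the message-box type.
			CString strMessage;
			strMessage.Format(_T("A system error has occurred: %lu\n"), nStatus);
			AfxMessageBox(strMessage);
		}

		// Release the buffer handed out by NetUserEnum for this batch.
		if (pBuf != NULL)
		{
			NetApiBufferFree(pBuf);
			pBuf = NULL;
		}
	}
	// Keep calling NetUserEnum while there are more entries.
	while (nStatus == ERROR_MORE_DATA);

	return true;
}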
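/**
 * Resolves an account name on the local computer to its SID.
 *
 * Ownership: after the parameter check passes, *ppSid is either NULL or a
 * buffer allocated with new BYTE[]. This holds on failure paths as well, so
 * the caller must always release it with delete[] static_cast<BYTE*>(*ppSid).
 *
 * @param wszAccName  Account name to look up; must not be NULL.
 * @param ppSid       Receives the SID buffer; must not be NULL.
 * @return MQ_OK on success;
 *         MQ_ERROR if the lookup succeeded but the SID fails IsValidSid;
 *         MQ_ERROR_INSUFFICIENT_RESOURCES for a NULL argument or a failed
 *         allocation;
 *         HRESULT_FROM_WIN32(GetLastError()) for any other lookup failure.
 */
HRESULT GetSidByName(
			LPCWSTR wszAccName,
			PSID * ppSid
			) 
{
	// Validate the input parameters.
	// NOTE(review): the code returned for a NULL argument is the
	// "insufficient resources" one; kept unchanged for existing callers.
	if (wszAccName == NULL || ppSid == NULL)
	{
		return MQ_ERROR_INSUFFICIENT_RESOURCES;
	}

	// Start with buffers that may be large enough. If one is too small the
	// lookup reports the size it needs and the buffer is grown.
	const DWORD INITIAL_SIZE = 32;
	DWORD dwSidBufferSize = INITIAL_SIZE;
	DWORD dwDomainBufferSize = INITIAL_SIZE;
	WCHAR * wszDomainName = NULL;
	HRESULT hr = MQ_OK;

	// NOTE(review): with a throwing operator new the NULL checks below never
	// fire; they are kept for toolchains where new returns NULL on failure.
	*ppSid = (PSID) new BYTE[dwSidBufferSize];
	if (*ppSid == NULL)
	{
		return MQ_ERROR_INSUFFICIENT_RESOURCES;
	}
	memset(*ppSid, 0, dwSidBufferSize);

	wszDomainName = new WCHAR[dwDomainBufferSize];
	if (wszDomainName == NULL)
	{
		// *ppSid stays allocated and is released by the caller.
		return MQ_ERROR_INSUFFICIENT_RESOURCES;
	}
	memset(wszDomainName, 0, dwDomainBufferSize*sizeof(WCHAR));

	// Obtain the SID for the account name passed.
	for ( ; ; )
	{
		// The count variables go in as buffer sizes and come back as the
		// sizes needed.
		DWORD cbSid = dwSidBufferSize;
		DWORD cchDomainName = dwDomainBufferSize;
		SID_NAME_USE eSidType;

		if (LookupAccountName(
			NULL,            // Computer name. NULL for the local computer
			wszAccName,
			*ppSid,          // SID buffer
			&cbSid,          // in: size of the SID buffer, out: size needed
			wszDomainName,   // Domain name buffer
			&cchDomainName,  // in: size in characters, out: size needed
			&eSidType
			))
		{
			if (IsValidSid(*ppSid) == FALSE)
			{
				hr = MQ_ERROR;
			}
			break;
		}

		const DWORD dwErrorCode = GetLastError();
		if (dwErrorCode != ERROR_INSUFFICIENT_BUFFER)
		{
			hr = HRESULT_FROM_WIN32(dwErrorCode);
			break;
		}

		// One of the buffers was too small: grow whichever one was.
		bool fGrew = false;

		if (cbSid > dwSidBufferSize)
		{
			// The buffer was created as BYTE[]; delete[] on a void* is
			// undefined, so release it through its real type.
			delete[] static_cast<BYTE*>(*ppSid);
			*ppSid = (PSID) new BYTE[cbSid];
			if (*ppSid == NULL)
			{
				hr = MQ_ERROR_INSUFFICIENT_RESOURCES;
				break;
			}
			memset(*ppSid, 0, cbSid);
			dwSidBufferSize = cbSid;
			fGrew = true;
		}

		if (cchDomainName > dwDomainBufferSize)
		{
			delete [] wszDomainName;
			wszDomainName = new WCHAR[cchDomainName];
			if (wszDomainName == NULL)
			{
				hr = MQ_ERROR_INSUFFICIENT_RESOURCES;
				break;
			}
			memset(wszDomainName, 0, cchDomainName*sizeof(WCHAR));
			dwDomainBufferSize = cchDomainName;
			fGrew = true;
		}

		if (!fGrew)
		{
			// Neither required size exceeds what is already allocated, so
			// retrying with the same buffers would loop forever.
			hr = HRESULT_FROM_WIN32(dwErrorCode);
			break;
		}
	}

	// Single exit: the domain name is only scratch space and is released on
	// every path, including the allocation-failure ones.
	delete [] wszDomainName;
	return hr; 
}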
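/**
 * Resolves a SID to its account name on the local computer.
 *
 * Ownership: on every path that reaches the final return, *pwszAccName
 * receives a buffer allocated with new WCHAR[]; the caller releases it with
 * delete[]. On the early error returns *pwszAccName is left untouched.
 *
 * @param pSid         SID to look up; must not be NULL.
 * @param pwszAccName  Receives the account name; must not be NULL. When no
 *                     name is mapped to the SID it receives "!Unknown!".
 * @return MQ_OK on success (including the "!Unknown!" case);
 *         MQ_ERROR if the lookup succeeded but pSid fails IsValidSid;
 *         HRESULT_FROM_WIN32(ERROR_INVALID_PARAMETER) for a NULL argument;
 *         MQ_ERROR_INSUFFICIENT_RESOURCES for a failed allocation;
 *         HRESULT_FROM_WIN32(GetLastError()) for any other lookup failure.
 */
HRESULT GetNameBySid(
				  PSID pSid,
				  LPCWSTR* pwszAccName
				  ) 
{
	// Validate the input parameters. A raw Win32 code is a positive number
	// and would pass SUCCEEDED(), so it is wrapped into a failing HRESULT.
	if (pwszAccName == NULL || pSid == NULL)
	{
		return HRESULT_FROM_WIN32(ERROR_INVALID_PARAMETER);
	}

	// Start with buffers that may be large enough. If one is too small the
	// lookup reports the size it needs and both buffers are reallocated.
	const DWORD INITIAL_SIZE = 32;
	DWORD dwAccBufferSize = INITIAL_SIZE;
	DWORD dwDomainBufferSize = INITIAL_SIZE;
	WCHAR * wszAccName = NULL;
	WCHAR * wszDomainName = NULL;
	HRESULT hr = MQ_OK;

	// NOTE(review): with a throwing operator new the NULL checks below never
	// fire; they are kept for toolchains where new returns NULL on failure.
	wszAccName = new WCHAR[dwAccBufferSize];
	if (wszAccName == NULL)
	{
		return MQ_ERROR_INSUFFICIENT_RESOURCES;
	}
	memset(wszAccName, 0, dwAccBufferSize*sizeof(WCHAR));

	wszDomainName = new WCHAR[dwDomainBufferSize];
	if (wszDomainName == NULL)
	{
		delete [] wszAccName;
		return MQ_ERROR_INSUFFICIENT_RESOURCES;
	}
	memset(wszDomainName, 0, dwDomainBufferSize*sizeof(WCHAR));

	// Obtain the account name for the SID passed.
	for ( ; ; )
	{
		// The count variables go in as buffer sizes (in characters) and come
		// back as the sizes needed.
		DWORD cchAccName = dwAccBufferSize;
		DWORD cchDomainName = dwDomainBufferSize;
		SID_NAME_USE eSidType;

		if (LookupAccountSid(
			NULL,            // Computer name. NULL for the local computer
			pSid,
			wszAccName,      // Account name buffer
			&cchAccName,     // in: size of the name buffer, out: size needed
			wszDomainName,   // Domain name buffer
			&cchDomainName,  // in: size of the domain buffer, out: size needed
			&eSidType
			))
		{
			if (IsValidSid(pSid) == FALSE)
			{
				hr = MQ_ERROR;
			}
			break;
		}

		// Capture the error before any other call can overwrite it.
		const DWORD dwErrorCode = GetLastError();

		// Check if one of the buffers was too small.
		if ((cchAccName > dwAccBufferSize) || (cchDomainName > dwDomainBufferSize))
		{
			// Grow only: a buffer that was already big enough keeps its size
			// even if the reported count for it came back smaller.
			const DWORD dwNewAccSize =
				(cchAccName > dwAccBufferSize) ? cchAccName : dwAccBufferSize;
			const DWORD dwNewDomainSize =
				(cchDomainName > dwDomainBufferSize) ? cchDomainName : dwDomainBufferSize;

			delete [] wszAccName;
			delete [] wszDomainName;
			wszAccName = NULL;
			wszDomainName = NULL;

			wszAccName = new WCHAR[dwNewAccSize];
			if (wszAccName == NULL)
			{
				return MQ_ERROR_INSUFFICIENT_RESOURCES;
			}
			wszDomainName = new WCHAR[dwNewDomainSize];
			if (wszDomainName == NULL)
			{
				delete [] wszAccName;
				return MQ_ERROR_INSUFFICIENT_RESOURCES;
			}
			memset(wszAccName, 0, dwNewAccSize*sizeof(WCHAR));
			memset(wszDomainName, 0, dwNewDomainSize*sizeof(WCHAR));
			dwAccBufferSize = dwNewAccSize;
			dwDomainBufferSize = dwNewDomainSize;
			continue;
		}

		// No name is mapped to this SID: hand back a placeholder instead of
		// failing.
		if (dwErrorCode == ERROR_NONE_MAPPED)
		{
			wszDomainName[0] = L'\0';
			// Bounded copy with explicit termination, so the placeholder can
			// never be written past the end of the name buffer.
			wcsncpy(wszAccName, L"!Unknown!", dwAccBufferSize - 1);
			wszAccName[dwAccBufferSize - 1] = L'\0';
			break;
		}

		// Any other error: release both buffers and report it.
		delete [] wszAccName;
		delete [] wszDomainName;
		return HRESULT_FROM_WIN32(dwErrorCode);
	}

	// The domain name is only scratch space; the account name buffer is
	// handed to the caller.
	delete [] wszDomainName;
	*pwszAccName = wszAccName;
	return hr; 
}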
