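        /// <summary>
        /// Resolves the logon session identified by <c>tokenStatistics.AuthenticationId</c> (a LUID)
        /// to an account name via <c>LsaGetLogonSessionData</c>.
        /// </summary>
        /// <param name="tokenStatistics">Token statistics previously read with GetTokenInformation.</param>
        /// <param name="userName">Receives the resolved name on success; left untouched when the method returns false.</param>
        /// <returns>
        /// true when a name was produced (either via <c>ConvertSidToName</c> for the machine account or as
        /// <c>DOMAIN\user</c>); false when the LSA lookup failed or returned null pointers.
        /// </returns>
        private static bool ConvertTokenStatisticsToUsername(WinAPI._TOKEN_STATISTICS tokenStatistics,
                                                             ref string userName)
        {
            // The unmanaged LUID copy only has to live for the LSA call; it is released on every exit path below.
            var lpLuid = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(WinAPI._LUID)));
            if (IntPtr.Zero == lpLuid)
            {
                return(false);
            }

            try
            {
                Marshal.StructureToPtr(tokenStatistics.AuthenticationId, lpLuid, false);

                IntPtr ppLogonSessionData;
                // LsaGetLogonSessionData returns an NTSTATUS; anything other than 0 (STATUS_SUCCESS) means no session data.
                if (0 != WinAPI.LsaGetLogonSessionData(lpLuid, out ppLogonSessionData))
                {
                    return(false);
                }
                if (IntPtr.Zero == ppLogonSessionData)
                {
                    return(false);
                }

                // NOTE(review): the buffer returned by LsaGetLogonSessionData is owned by the caller and is meant to be
                // released with LsaFreeReturnBuffer once copied out. No such wrapper is visible in this file, so the
                // buffer is currently never freed (one leak per resolved token) — add the P/Invoke and free it here.
                var securityLogonSessionData =
                    (WinAPI._SECURITY_LOGON_SESSION_DATA)Marshal.PtrToStructure(ppLogonSessionData,
                                                                                typeof(WinAPI._SECURITY_LOGON_SESSION_DATA));

                if (IntPtr.Zero == securityLogonSessionData.Sid ||
                    IntPtr.Zero == securityLogonSessionData.UserName.Buffer ||
                    IntPtr.Zero == securityLogonSessionData.LogonDomain.Buffer)
                {
                    return(false);
                }

                // NOTE(review): LSA_UNICODE_STRING buffers are not guaranteed to be NUL-terminated; reading them with
                // PtrToStringUni(IntPtr) assumes a terminator is present — confirm, or read the Length field instead.
                var sessionUserName = Marshal.PtrToStringUni(securityLogonSessionData.UserName.Buffer);

                // A machine-account session (MACHINENAME$) is reported by resolving its SID rather than as DOMAIN\MACHINENAME$.
                if (Environment.MachineName + "$" == sessionUserName &&
                    ConvertSidToName(securityLogonSessionData.Sid, ref userName))
                {
                    return(true);
                }

                userName = string.Format("{0}\\{1}",
                                         Marshal.PtrToStringUni(securityLogonSessionData.LogonDomain.Buffer),
                                         sessionUserName);
                return(true);
            }
            finally
            {
                Marshal.FreeHGlobal(lpLuid);
            }
        }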
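        /// <summary>
        /// Enumerates every process on the host and collects the ones whose primary token resolves to
        /// <paramref name="userAccount"/>, keyed by process id.
        /// </summary>
        /// <param name="findElevation">
        /// When true, only tokens that pass <c>CheckElevation</c> are considered and the scan stops at the first match.
        /// </param>
        /// <param name="userAccount">Account name to match; compared case-insensitively against the resolved <c>DOMAIN\user</c>.</param>
        /// <returns>Matching processes as pid → process name, inserted in process-name order.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="userAccount"/> is null.</exception>
        public static Dictionary <uint, string> EnumerateUserProcesses(bool findElevation, string userAccount)
        {
            if (userAccount == null)
            {
                throw new ArgumentNullException("userAccount");
            }

            var users = new Dictionary <uint, string>();
            var pids  = Process.GetProcesses();

            log.Log(LogType.Debug, "Examining {0} processes...", pids.Length);
            try
            {
                foreach (var p in pids)
                {
                    var tokenStatistics = new WinAPI._TOKEN_STATISTICS();
                    if (!TryGetTokenStatistics(p.Id, findElevation, ref tokenStatistics))
                    {
                        // Could not open the process/token, failed the elevation filter, or the statistics query failed.
                        continue;
                    }

                    // Impersonation tokens belong to a thread acting on someone's behalf, not to the process owner.
                    if (WinAPI.TOKEN_TYPE.TokenImpersonation == tokenStatistics.TokenType)
                    {
                        continue;
                    }

                    var userName = string.Empty;
                    if (!ConvertTokenStatisticsToUsername(tokenStatistics, ref userName))
                    {
                        continue;
                    }

                    // Account names are identifiers, not linguistic text: ordinal, case-insensitive comparison.
                    if (string.Equals(userName, userAccount, StringComparison.OrdinalIgnoreCase))
                    {
                        users.Add((uint)p.Id, p.ProcessName);
                        if (findElevation)
                        {
                            return(users);
                        }
                    }
                }
            }
            finally
            {
                // Process objects wrap handles; release them whether the scan finished or returned early.
                foreach (var p in pids)
                {
                    p.Dispose();
                }
            }

            log.Log(LogType.Debug, "Discovered {0} processes...", users.Count);

            // Dictionary<,> does not guarantee enumeration order; this preserves the original behaviour of
            // inserting in name order, which in practice yields name-ordered enumeration for a freshly built dictionary.
            var sorted = new Dictionary <uint, string>();
            foreach (var user in users.OrderBy(u => u.Value))
            {
                sorted.Add(user.Key, user.Value);
            }

            return(sorted);
        }

        /// <summary>
        /// Opens the process and its primary token, optionally filters on elevation, and copies out
        /// the token's TOKEN_STATISTICS. Both the process and token handles are closed on every path,
        /// including the early-out ones.
        /// </summary>
        /// <param name="pid">Process id to inspect.</param>
        /// <param name="findElevation">When true, tokens that fail <c>CheckElevation</c> are rejected.</param>
        /// <param name="tokenStatistics">Receives the token statistics on success.</param>
        /// <returns>true when <paramref name="tokenStatistics"/> was filled; false otherwise.</returns>
        private static bool TryGetTokenStatistics(int pid, bool findElevation, ref WinAPI._TOKEN_STATISTICS tokenStatistics)
        {
            var hProcess = WinAPI.OpenProcess(WinAPI.ProcessAccessFlags.QueryLimitedInformation, true, pid);
            if (IntPtr.Zero == hProcess)
            {
                return(false);
            }

            IntPtr hToken;
            try
            {
                if (!WinAPI.OpenProcessToken(hProcess, (uint)WinAPI.ACCESS_MASK.MAXIMUM_ALLOWED, out hToken))
                {
                    return(false);
                }
            }
            finally
            {
                // The process handle is only needed to obtain the token handle.
                WinAPI.CloseHandle(hProcess);
            }

            try
            {
                if (findElevation && !CheckElevation(hToken))
                {
                    return(false);
                }

                // The first call is expected to fail while reporting the required size in dwLength;
                // the second call, issued with that size, fills the structure.
                uint dwLength = 0;
                if (!WinAPI.GetTokenInformation(hToken, WinAPI._TOKEN_INFORMATION_CLASS.TokenStatistics,
                                                ref tokenStatistics, dwLength, out dwLength) &&
                    !WinAPI.GetTokenInformation(hToken, WinAPI._TOKEN_INFORMATION_CLASS.TokenStatistics,
                                                ref tokenStatistics, dwLength, out dwLength))
                {
                    return(false);
                }

                return(true);
            }
            finally
            {
                WinAPI.CloseHandle(hToken);
            }
        }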