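/// <summary>
/// Resolves the account behind a token to a "DOMAIN\user" string by looking up the
/// token's logon session (LsaGetLogonSessionData on the token's AuthenticationId).
/// When the session's user name is the computer account ("&lt;MACHINE&gt;$") the
/// session SID is resolved through ConvertSidToName instead.
/// </summary>
/// <param name="tokenStatistics">TOKEN_STATISTICS read from the token; only AuthenticationId is used.</param>
/// <param name="userName">Receives the resolved name on success; left untouched on failure.</param>
/// <returns>true if a name was produced; false if the LSA lookup failed or the session data was unusable.</returns>
private static bool ConvertTokenStatisticsToUsername(WinAPI._TOKEN_STATISTICS tokenStatistics, ref string userName)
{
    // Unmanaged copy of the LUID for LsaGetLogonSessionData. Freed in the finally
    // below - the original allocated it on every call and never released it.
    var lpLuid = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(WinAPI._LUID)));
    if (IntPtr.Zero == lpLuid)
    {
        return false;
    }

    try
    {
        Marshal.StructureToPtr(tokenStatistics.AuthenticationId, lpLuid, false);

        IntPtr ppLogonSessionData;
        // Non-zero is an NTSTATUS failure.
        if (0 != WinAPI.LsaGetLogonSessionData(lpLuid, out ppLogonSessionData))
        {
            return false;
        }
        if (IntPtr.Zero == ppLogonSessionData)
        {
            return false;
        }

        // NOTE(review): ppLogonSessionData is LSA-allocated and is supposed to be released
        // with LsaFreeReturnBuffer once the strings have been copied out. No such binding is
        // visible in this file, so the buffer is still leaked per call - add one to WinAPI
        // and free it here.
        var sessionData = (WinAPI._SECURITY_LOGON_SESSION_DATA)Marshal.PtrToStructure(
            ppLogonSessionData, typeof(WinAPI._SECURITY_LOGON_SESSION_DATA));

        if (IntPtr.Zero == sessionData.Sid
            || IntPtr.Zero == sessionData.UserName.Buffer
            || IntPtr.Zero == sessionData.LogonDomain.Buffer)
        {
            return false;
        }

        // NOTE(review): these are LSA_UNICODE_STRING buffers, which are not guaranteed to be
        // NUL-terminated; reading them without the string's Length (bytes / 2) relies on LSA
        // terminating them. Confirm the WinAPI struct exposes Length and pass it here.
        var user = Marshal.PtrToStringUni(sessionData.UserName.Buffer);
        var domain = Marshal.PtrToStringUni(sessionData.LogonDomain.Buffer);

        // Sessions owned by the computer account report "<MACHINE>$" as the user name;
        // for those the SID gives the more useful well-known account name.
        if (Environment.MachineName + "$" == user && ConvertSidToName(sessionData.Sid, ref userName))
        {
            return true;
        }

        userName = string.Format("{0}\\{1}", domain, user);
        return true;
    }
    finally
    {
        Marshal.FreeHGlobal(lpLuid);
    }
}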
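/// <summary>
/// Enumerates running processes whose primary token belongs to <paramref name="userAccount"/>,
/// compared case-insensitively against the "DOMAIN\user" form produced by
/// ConvertTokenStatisticsToUsername. Processes that cannot be opened or queried, and
/// processes holding an impersonation token, are skipped silently.
/// </summary>
/// <param name="findElevation">When true only tokens that pass CheckElevation qualify, and the
/// first match is returned immediately as a single-entry dictionary.</param>
/// <param name="userAccount">Account to match, e.g. "NT AUTHORITY\SYSTEM" or "DOMAIN\user". A null value matches nothing.</param>
/// <returns>PID -> process name, sorted by process name (unsorted single entry on the early return).</returns>
public static Dictionary<uint, string> EnumerateUserProcesses(bool findElevation, string userAccount)
{
    var users = new Dictionary<uint, string>();
    var processes = Process.GetProcesses();
    log.Log(LogType.Debug, "Examining {0} processes...", processes.Length);

    foreach (var p in processes)
    {
        // Each Process wraps an OS handle; the original never disposed the snapshot.
        using (p)
        {
            // bInheritHandle = false: nothing here spawns children, and an inheritable
            // handle to another process would leak into any child spawned later.
            var hProcess = WinAPI.OpenProcess(WinAPI.ProcessAccessFlags.QueryLimitedInformation, false, p.Id);
            if (IntPtr.Zero == hProcess)
            {
                continue;
            }

            // NOTE(review): MAXIMUM_ALLOWED requests whatever the token's DACL grants. TOKEN_QUERY
            // is all GetTokenInformation needs; CheckElevation's requirements are not visible
            // here, so confirm them before tightening this to least privilege.
            IntPtr hToken;
            var tokenOpened = WinAPI.OpenProcessToken(hProcess, (uint)WinAPI.ACCESS_MASK.MAXIMUM_ALLOWED, out hToken);
            WinAPI.CloseHandle(hProcess); // original leaked hProcess when OpenProcessToken failed
            if (!tokenOpened)
            {
                continue;
            }

            var tokenStatistics = new WinAPI._TOKEN_STATISTICS();
            bool usable;
            try
            {
                usable = !findElevation || CheckElevation(hToken);
                if (usable)
                {
                    // The first call, with dwLength = 0, fails with ERROR_INSUFFICIENT_BUFFER and
                    // writes the required size into dwLength; the retry passes that size.
                    uint dwLength = 0;
                    usable = WinAPI.GetTokenInformation(hToken, WinAPI._TOKEN_INFORMATION_CLASS.TokenStatistics, ref tokenStatistics, dwLength, out dwLength)
                          || WinAPI.GetTokenInformation(hToken, WinAPI._TOKEN_INFORMATION_CLASS.TokenStatistics, ref tokenStatistics, dwLength, out dwLength);
                }
            }
            finally
            {
                // Original leaked hToken on the elevation-check and GetTokenInformation failure paths.
                WinAPI.CloseHandle(hToken);
            }
            if (!usable)
            {
                continue;
            }

            // Only primary tokens identify the process owner.
            if (WinAPI.TOKEN_TYPE.TokenImpersonation == tokenStatistics.TokenType)
            {
                continue;
            }

            var userName = string.Empty;
            if (!ConvertTokenStatisticsToUsername(tokenStatistics, ref userName))
            {
                continue;
            }

            // Ordinal, case-insensitive: account names are identifiers, not linguistic text,
            // and ToUpper() comparison is culture-dependent.
            if (!string.Equals(userName, userAccount, StringComparison.OrdinalIgnoreCase))
            {
                continue;
            }

            users.Add((uint)p.Id, p.ProcessName);
            if (findElevation)
            {
                return users;
            }
        }
    }

    log.Log(LogType.Debug, "Discovered {0} processes...", users.Count);

    // Re-insert in name order so callers enumerate alphabetically. This relies on
    // Dictionary enumerating in insertion order when nothing is removed - an
    // implementation detail the original relied on as well.
    var sorted = new Dictionary<uint, string>();
    foreach (var entry in users.OrderBy(u => u.Value))
    {
        sorted.Add(entry.Key, entry.Value);
    }
    return sorted;
}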