[Win32utils-devel] Get current process owner (sid)

Heesob Park phasis at gmail.com
Wed Dec 3 21:28:21 EST 2008


Hi,

2008/12/4 Daniel Berger <djberg96 at gmail.com>:
> Hi,
>
> I'm close, but what I've got doesn't quite match what
> Win32::Security::SID.new returns:
>
> require 'windows/file'
> require 'windows/handle'
> require 'windows/error'
> require 'windows/security'
> require 'windows/process'
>
> include Windows::File
> include Windows::Handle
> include Windows::Error
> include Windows::Security
> include Windows::Process
>
> token = 0.chr * 4
>
> unless OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, token)
>   raise get_last_error
> end
>
> token = token.unpack('V')[0]
> rlength = 0.chr * 4
> tu = 0.chr * 512 # TokenUser
>
> bool = GetTokenInformation(
>   token,
>   TokenUser,
>   tu,
>   tu.size,
>   rlength
> )
>
> unless bool
>   raise get_last_error
> end
>
> p tu.strip
>
> Looks like the first 8 bytes are unwanted. Are these the attributes? If so,
> why are they the first 8 bytes instead of the last 8? I guess I'm confused
> about how to properly unroll a SID_AND_ATTRIBUTES struct.
>
According to the documentation, the first 4 bytes are the pointer to the SID and
the next 4 bytes are the attributes.

In my test with the above code,
[tu].pack('P').unpack('L').first is 50436232
tu[0,4].unpack('L').first is 50436240
rlength.unpack('L').first is 36

The SID is at 50436240, which is equal to the address of tu[8].
Thus the actual SID is tu[8,(36-8)].

Regards,

Park Heesob
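The layout Park describes (a SID_AND_ATTRIBUTES whose first member is a pointer to a SID that Windows places right after the struct, inside the same buffer) can be unrolled without calling the Win32 API at all. The following is an added example, not code from the thread: it takes the raw TOKEN_USER buffer, the buffer's own address and the returned length, follows the embedded pointer to find the SID offset, and decodes the SID bytes into their S-1-5-... string form. The sample buffer is constructed here using the addresses and length quoted in the message (50436232, 50436240, 36); the sub-authority values in it are made up.

```ruby
# Added example (not from the original thread): unrolling a TOKEN_USER buffer
# as returned by GetTokenInformation(TokenUser), offline.
#
# On 32-bit Windows a TOKEN_USER is a SID_AND_ATTRIBUTES { PSID Sid; DWORD Attributes; }
# so bytes 0..3 are a pointer to the SID (which lives later in the same buffer)
# and bytes 4..7 are the attributes. A SID is laid out as:
#   Revision (1 byte), SubAuthorityCount (1 byte),
#   IdentifierAuthority (6 bytes, big-endian),
#   SubAuthority[SubAuthorityCount] (4 bytes each, little-endian).

# Convert a binary SID into its textual form S-R-I-S1-S2-...
def sid_to_string(sid)
  revision, count = sid.unpack('CC')
  raise ArgumentError, 'unsupported SID revision' unless revision == 1
  raise ArgumentError, 'SID buffer too short' if sid.bytesize < 8 + 4 * count
  # 6-byte big-endian identifier authority (e.g. 5 = NT Authority)
  authority = sid[2, 6].unpack('C6').inject(0) { |acc, b| (acc << 8) | b }
  subs = sid[8, 4 * count].unpack("V#{count}")
  (['S', revision, authority] + subs).join('-')
end

# buf:         the raw buffer filled by GetTokenInformation
# buf_address: the address buf was written to ([buf].pack('P').unpack('L').first)
# rlength:     the ReturnLength reported by GetTokenInformation
# Returns the SID string, the attributes DWORD and the SID's offset in buf.
# The pointer is validated against the buffer bounds before anything is read
# through it, so a corrupt or mismatched buffer raises instead of yielding garbage.
def extract_token_user(buf, buf_address, rlength, pointer_size = 4)
  fmt = pointer_size == 8 ? 'Q<' : 'V'
  sid_ptr = buf[0, pointer_size].unpack(fmt).first
  attributes = buf[pointer_size, 4].unpack('V').first
  offset = sid_ptr - buf_address
  if offset < pointer_size + 4 || offset + 8 > rlength
    raise 'SID pointer does not point inside the returned buffer'
  end
  sid = buf[offset, rlength - offset]
  # Trim to the SID's declared size: 8 header bytes + 4 per sub-authority
  declared = 8 + 4 * sid.getbyte(1)
  raise 'SID truncated' if declared > sid.bytesize
  sid = sid[0, declared]
  { sid: sid_to_string(sid), attributes: attributes, offset: offset }
end

# Constructed sample matching the numbers in the thread: buffer at 50436232,
# SID pointer 50436240 (offset 8), ReturnLength 36, i.e. a 28-byte SID with
# five sub-authorities. The sub-authority values themselves are invented.
def sample_token_user
  base = 50436232
  sid  = [1, 5].pack('CC') +                  # revision 1, 5 sub-authorities
         [0, 0, 0, 0, 0, 5].pack('C6') +      # identifier authority 5 (NT)
         [21, 1, 2, 3, 1001].pack('V5')       # sub-authorities
  buf  = [base + 8].pack('V') + [0].pack('V') + sid   # PSID, Attributes, SID
  [buf, base, buf.bytesize]
end

if __FILE__ == $0
  buf, base, rlength = sample_token_user
  p extract_token_user(buf, base, rlength)
end
```

On a real 32-bit process the three arguments come straight from Daniel's snippet: `tu`, `[tu].pack('P').unpack('L').first` and `rlength.unpack('L').first`. The `pointer_size` argument exists because on 64-bit Ruby the PSID member is 8 bytes and the SID starts at offset 16, not 8; the arithmetic through the embedded pointer handles both cases without hard-coding the offset.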

