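/*
 * The following code obtains the user name that a process runs as.
 * For example, if the PID of RavMonD.exe is 1300, changing this one statement
 * is enough: GetProcessUser(1300,&bs); the result it produces is: SYSTEM.
 */
/* ----------------------------------------------------- */
#include <windows.h>
#include <iostream.h>
#include <COMDEF.H>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* NT-native counted string; not provided by <windows.h>, so it is declared here. */
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

/* SystemProcessInformation */
/*
 * One entry of the array that NtQuerySystemInformation(SystemProcessInformation)
 * fills in. Entries are chained through dwNextEntryOffset; an offset of 0 marks
 * the last entry.
 * NOTE(review): this is the author's 32-bit layout of the undocumented structure;
 * it is not verified here and must match the running OS/architecture exactly,
 * otherwise the walk in GetProcessUser reads garbage.
 */
typedef struct _SYSTEM_PROCESS_INFORMATION {
    DWORD dwNextEntryOffset;
    DWORD dwNumberOfThreads;
    LARGE_INTEGER qSpareLi1;
    LARGE_INTEGER qSpareLi2;
    LARGE_INTEGER qSpareLi3;
    LARGE_INTEGER qCreateTime;
    LARGE_INTEGER qUserTime;
    LARGE_INTEGER qKernelTime;
    UNICODE_STRING ImageName;
    int nBasePriority;
    DWORD dwProcessId;
    DWORD dwInheritedFromUniqueProcessId;
    DWORD dwHandleCount;
    DWORD dwSessionId;
    ULONG dwSpareUl3;
    SIZE_T tPeakVirtualSize;
    SIZE_T tVirtualSize;
    DWORD dwPageFaultCount;
    DWORD dwPeakWorkingSetSize;
    DWORD dwWorkingSetSize;
    SIZE_T tQuotaPeakPagedPoolUsage;
    SIZE_T tQuotaPagedPoolUsage;
    SIZE_T tQuotaPeakNonPagedPoolUsage;
    SIZE_T tQuotaNonPagedPoolUsage;
    SIZE_T tPagefileUsage;
    SIZE_T tPeakPagefileUsage;
    SIZE_T tPrivatePageCount;
    LARGE_INTEGER qReadOperationCount;
    LARGE_INTEGER qWriteOperationCount;
    LARGE_INTEGER qOtherOperationCount;
    LARGE_INTEGER qReadTransferCount;
    LARGE_INTEGER qWriteTransferCount;
    LARGE_INTEGER qOtherTransferCount;
} SYSTEM_PROCESS_INFORMATION;

/*----------------------------------------------------
Description : dynamically load a library and resolve one of its exports
Input       : pDllName  - library file name (bare name or explicit path)
              pProcName - name of the exported function
Output      : none
Return      : address of the function, or NULL when either argument is NULL,
              the library cannot be loaded, or the export does not exist
Note        : a bare file name is pinned to the system directory. Passing it
              straight to LoadLibraryA would resolve it through the default
              DLL search order (application directory, current directory, ...),
              so a same-named DLL planted there could be loaded instead of the
              system copy. Explicit paths are used unchanged.
              The module handle is deliberately not released: the returned
              pointer is only valid while the DLL stays mapped.
----------------------------------------------------*/
VOID *GetDllProc(CHAR * pDllName, CHAR *pProcName)
{
    if (pDllName == NULL || pProcName == NULL)
        return NULL;

    CHAR szPath[MAX_PATH];
    const CHAR *pLoadName = pDllName;

    /* Bare name (no directory separator, no drive letter): build
       "<system directory>\<name>" so the lookup cannot be redirected. */
    if (strchr(pDllName, '\\') == NULL &&
        strchr(pDllName, '/') == NULL &&
        strchr(pDllName, ':') == NULL)
    {
        UINT uLen = GetSystemDirectoryA(szPath, MAX_PATH);
        /* 0 = API failure; >= MAX_PATH = the directory did not fit. */
        if (uLen == 0 || uLen >= MAX_PATH)
            return NULL;
        /* Room for the separator, the name and the terminator. */
        if (uLen + 1 + strlen(pDllName) >= MAX_PATH)
            return NULL;
        szPath[uLen] = '\\';
        strcpy(szPath + uLen + 1, pDllName); /* length checked just above */
        pLoadName = szPath;
    }

    HMODULE hMod = LoadLibraryA(pLoadName);
    if (hMod == NULL)
        return NULL;
    return GetProcAddress(hMod, pProcName);
}

/* Function-pointer typedefs for the dynamically resolved exports. */
typedef LONG (WINAPI *Fun_NtQuerySystemInformation)
    (int SystemInformationClass, OUT PVOID SystemInformation,
     IN ULONG SystemInformationLength, OUT ULONG * pReturnLength OPTIONAL);
/* Undocumented winsta.dll export; the size-probe/fill protocol it follows is
   inferred from its use in GetProcessUser, not from any specification. */
typedef BYTE (WINAPI *Fun_WinStationGetProcessSid)(HANDLE hServer, DWORD ProcessId,
    FILETIME ProcessStartTime, PBYTE pProcessUserSid, PDWORD dwSidSize);
/* Undocumented utildll.dll export; cbUserName is in/out (see GetProcessUser). */
typedef VOID (WINAPI *Fun_CachedGetUserFromSid)(PSID pSid, PWCHAR pUserName, PULONG cbUserName);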
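#define STATUS_INFO_LENGTH_MISMATCH ((LONG)0xC0000004L)
#define SystemProcessInformation 5

/*------------------------------------------------------------------
Description : query the system process list (NtQuerySystemInformation,
              class SystemProcessInformation)
Input       : ppSysProcInfo - receives the malloc'ed buffer holding the list;
              the caller must free() it
Output      : *ppSysProcInfo (NULL on failure)
Return      : TRUE on success, FALSE when the export cannot be resolved,
              memory runs out, or the query fails
--------------------------------------------------------------------*/
BOOL GetSysProcInfo(SYSTEM_PROCESS_INFORMATION ** ppSysProcInfo)
{
    if (ppSysProcInfo == NULL)
        return FALSE;
    *ppSysProcInfo = NULL;

    Fun_NtQuerySystemInformation _NtQuerySystemInformation =
        (Fun_NtQuerySystemInformation)GetDllProc("NTDLL.DLL", "NtQuerySystemInformation");
    if (_NtQuerySystemInformation == NULL)
        return FALSE;

    /* The required size is not known up front: start at 1 MiB and double
       while the call reports STATUS_INFO_LENGTH_MISMATCH. */
    DWORD dwSize = 1024 * 1024;
    VOID *pBuf = NULL;
    LONG lRetVal;
    for (;;)
    {
        pBuf = malloc(dwSize);
        if (pBuf == NULL)       /* the original dereferenced a NULL buffer here */
            return FALSE;
        lRetVal = _NtQuerySystemInformation(SystemProcessInformation, pBuf, dwSize, NULL);
        if (lRetVal != STATUS_INFO_LENGTH_MISMATCH)
            break;
        free(pBuf);
        pBuf = NULL;
        /* Doubling past 2 GiB would wrap dwSize to 0 and loop forever. */
        if (dwSize > 0x7FFFFFFFUL)
            return FALSE;
        dwSize *= 2;
    }

    if (lRetVal == 0)           /* STATUS_SUCCESS */
    {
        *ppSysProcInfo = (SYSTEM_PROCESS_INFORMATION *)pBuf;
        return TRUE;
    }
    free(pBuf);
    return FALSE;
}

/*------------------------------------------------------------------
Description : resolve the account name a process runs as
Input       : dwPid     - process id
              pbStrUser - receives the user name
Output      : *pbStrUser (untouched on failure)
Return      : TRUE when the name was resolved, FALSE otherwise
Note        : relies on two undocumented exports (winsta.dll
              WinStationGetProcessSid, utildll.dll CachedGetUserFromSid).
              The documented equivalent is OpenProcess / OpenProcessToken /
              GetTokenInformation(TokenUser) / LookupAccountSidW, which is
              also what a maintainer should prefer when privileges allow it.
--------------------------------------------------------------------*/
BOOL GetProcessUser(DWORD dwPid, _bstr_t *pbStrUser)
{
    if (pbStrUser == NULL)
        return FALSE;

    Fun_WinStationGetProcessSid _WinStationGetProcessSid =
        (Fun_WinStationGetProcessSid)GetDllProc("Winsta.dll", "WinStationGetProcessSid");
    Fun_CachedGetUserFromSid _CachedGetUserFromSid =
        (Fun_CachedGetUserFromSid)GetDllProc("utildll.dll", "CachedGetUserFromSid");
    if (_WinStationGetProcessSid == NULL || _CachedGetUserFromSid == NULL)
        return FALSE;

    /* The process start time is needed alongside the PID (a PID alone can be
       reused after the process exits); take it from the system process list. */
    SYSTEM_PROCESS_INFORMATION *pProcInfo = NULL;
    if (GetSysProcInfo(&pProcInfo) == FALSE || pProcInfo == NULL)
        return FALSE;

    FILETIME ftStartTime;
    BOOL bFind = FALSE;
    SYSTEM_PROCESS_INFORMATION *pCurProcInfo = pProcInfo;
    for (;;)
    {
        if (pCurProcInfo->dwProcessId == dwPid)
        {
            memcpy(&ftStartTime, &pCurProcInfo->qCreateTime, sizeof(ftStartTime));
            bFind = TRUE;
            break;
        }
        if (pCurProcInfo->dwNextEntryOffset == 0)
            break;
        pCurProcInfo = (SYSTEM_PROCESS_INFORMATION *)
            ((BYTE *)pCurProcInfo + pCurProcInfo->dwNextEntryOffset);
    }
    /* The snapshot is not needed past this point; the original only freed it
       on the not-found path and leaked it on every other one. */
    free(pProcInfo);
    pProcInfo = NULL;
    if (bFind == FALSE)
        return FALSE;

    /* Size probe: the call with a NULL buffer is expected to fail and report
       the SID size in dwSize (protocol inherited from the original code). */
    DWORD dwSize = 0;
    BYTE cRetVal = _WinStationGetProcessSid(NULL, dwPid, ftStartTime, NULL, &dwSize);
    if (cRetVal != 0 || dwSize == 0)
        return FALSE;

    BYTE *pSid = new BYTE[dwSize];
    if (pSid == NULL)   /* old MSVC returns NULL; newer compilers throw instead */
        return FALSE;
    cRetVal = _WinStationGetProcessSid(NULL, dwPid, ftStartTime, pSid, &dwSize);
    if (cRetVal == 0)
    {
        delete [] pSid;
        return FALSE;
    }

    WCHAR szUserName[1024];
    szUserName[0] = L'\0';
    /* Whether cbUserName counts bytes or characters is not documented; 1024 is
       safe for a 1024-WCHAR buffer under either reading (it only under-reports
       the space if the unit is bytes). */
    dwSize = 1024;
    _CachedGetUserFromSid(pSid, szUserName, &dwSize);
    delete [] pSid;
    if (dwSize == 0)
        return FALSE;
    szUserName[1023] = L'\0';   /* never hand an unterminated buffer to _bstr_t */
    *pbStrUser = szUserName;
    return TRUE;
}

/*
 * Entry point. The PID defaults to 1300 as in the original sample and can be
 * overridden with the first command-line argument. Exit code: 0 on success,
 * 1 when the user could not be resolved, 2 on a malformed PID argument.
 */
int main(int argc, char *argv[])
{
    DWORD dwPid = 1300;     /* the first parameter is your process ID */
    if (argc > 1)
    {
        char *pEnd = NULL;
        unsigned long ulPid = strtoul(argv[1], &pEnd, 10);
        if (pEnd == argv[1] || *pEnd != '\0')
        {
            printf("usage: %s [pid]\n", argv[0]);
            return 2;
        }
        dwPid = (DWORD)ulPid;
    }

    /* A default-constructed _bstr_t is already empty; the original memcpy'd
       zeros over the object, which overwrote its internals (undefined behavior). */
    _bstr_t bs;
    if (GetProcessUser(dwPid, &bs) == FALSE)
    {
        printf("failed to get the user of process %lu\n", (unsigned long)dwPid);
        return 1;
    }

    /* The name comes from the OS, so it is printed as an argument, never as the
       format string ("printf(bs)" would interpret any '%' in it). The empty
       check covers the NULL that _bstr_t yields for an empty string. */
    const char *pUser = (const char *)bs;
    printf("%s\n", pUser ? pUser : "");
    return 0;
}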