Get domain and user name of process


Postby nagylzs » Mon Nov 14, 2005 6:25 pm

Do you know if madRemote is capable of returning the domain/workgroup and user name for a given process id? I was experimenting with OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, but under Windows XP it does not work for some processes. madRemote can get almost any information for a process, but I could not get the user and domain name (owner of the process).

Postby madshi » Mon Nov 14, 2005 7:00 pm

Can you do it with your own process? I'm not sure about the right APIs to use for that in my own process. If you know that, madRemote should work for that, too, as long as you have enough access rights and privileges to create remote threads in the target process.

Postby nagylzs » Mon Nov 14, 2005 7:24 pm

>Can you do it with your own process?

I can execute GetUserName in a remote thread to get the user name in that thread. I do it from a Win32 service, running under the SYSTEM user account. I use an IPC queue to send requests from an application to the service. For Win2K, it works fine. But when many users are logged in on WinXP, I cannot do this for some of the running "explorer.exe" processes. Most strangely, I get an error for one user but not for another, and this changes randomly. The most common error I get is GetLastError=8 while calling CreateRemoteThread.

BTW I did not use madRemote. I used VirtualAllocEx, WriteProcessMemory and CreateRemoteThread. I just thought I may have success with madRemote because it might use a different API for executing code in remote processes.

Postby madshi » Mon Nov 14, 2005 7:33 pm

CreateRemoteThread doesn't work for other terminal server and fast user switching sessions, only for your own session. In contrast madRemote's CreateRemoteThreadEx and RemoteExecute *should* work for other sessions, as well (if you have enough privileges). Have you tried CreateRemoteThreadEx or RemoteExecute?

Solution found

Postby nagylzs » Tue Nov 15, 2005 9:01 am

Now I tried RemoteExecute with a function that uses LookupUserSID. I had to remove all Delphi related code, and only use Win32 API calls. It took a while, but now it is working like a dream! :-)

The only problem is that when I try to use it on a system process, the whole of Windows hangs. But I can live with this - probably I only need to use it for normal processes.

Thanks a lot

Question: is this problem general enough to add new methods to IProcess?

IProcess.GetUser
IProcess.GetDomain

Postby madshi » Tue Nov 15, 2005 9:04 am

Have you tried using OpenProcessToken + GetTokenInformation(TokenUser)? That might work without having to use madRemote at all.

Postby nagylzs » Tue Nov 15, 2005 6:38 pm

Yes, I tried. In fact, I'm using this sequence:

GetCurrentProcess()
OpenProcessToken()
GetTokenInformation(,TokenUser,)
LookupAccountSid()

Here is the problem. If I use this from a normal user account, it does not have the rights to do this. So I wrote a service and execute this function remotely with madRemote. I'm not sure why but if I simply use the pid of the other process instead of executing GetCurrentProcess() remotely then it does not work.
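The OpenProcessToken sequence listed in the post above, written out as an added Delphi example that is not code from this thread or from madRemote. It shows the point madshi makes in the next reply: OpenProcessToken wants a process *handle*, so the PID of the other process is first turned into a handle with OpenProcess, and the token is then read from the caller's side with GetTokenInformation(TokenUser) and resolved with LookupAccountSid. Nothing is executed inside the target, so session boundaries (terminal server, fast user switching) do not matter and no remote thread is needed; what does matter is that the caller can open the target, which across users normally requires running as LocalSystem/Administrator and enabling SeDebugPrivilege. The function names EnableDebugPrivilege and GetProcessOwner, the console program around them, and the 256-character name buffers are my own choices; only documented Win32 calls from the Windows, TlHelp32 and SysUtils units are used.

```delphi
program ProcessOwners;
{$APPTYPE CONSOLE}

uses
  SysUtils, Windows, TlHelp32;

// Enable SeDebugPrivilege in our own token so OpenProcess succeeds on other
// users' processes. Only works if the account already holds the privilege
// (administrators, LocalSystem); otherwise AdjustTokenPrivileges reports
// ERROR_NOT_ALL_ASSIGNED and we return False. (Hypothetical helper name.)
function EnableDebugPrivilege: Boolean;
var
  hToken: THandle;
  tp, prev: TTokenPrivileges;
  retLen: DWORD;
begin
  Result := False;
  if not OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken) then Exit;
  try
    tp.PrivilegeCount := 1;
    tp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
    if not LookupPrivilegeValue(nil, 'SeDebugPrivilege', tp.Privileges[0].Luid) then Exit;
    // Returns True even when the privilege was not assigned; check GetLastError.
    AdjustTokenPrivileges(hToken, False, tp, SizeOf(prev), prev, retLen);
    Result := GetLastError = ERROR_SUCCESS;
  finally
    CloseHandle(hToken);
  end;
end;

// Resolve the owner of a process by PID. Returns ERROR_SUCCESS or the Win32
// error of the call that failed (captured before the handles are closed, so
// CloseHandle cannot overwrite it). (Hypothetical helper name.)
function GetProcessOwner(pid: DWORD; out domain, user: string): DWORD;
var
  hProc, hToken: THandle;
  needed, nameLen, domLen: DWORD;
  tokUser: PTokenUser;
  nameBuf, domBuf: array[0..255] of Char;
  use: SID_NAME_USE;
begin
  domain := ''; user := '';
  // OpenProcessToken needs a handle, not the PID: OpenProcess does the conversion.
  hProc := OpenProcess(PROCESS_QUERY_INFORMATION, False, pid);
  if hProc = 0 then begin Result := GetLastError; Exit; end;  // usually 5 = access denied
  try
    if not OpenProcessToken(hProc, TOKEN_QUERY, hToken) then begin Result := GetLastError; Exit; end;
    try
      // First call with an empty buffer just reports the size of TOKEN_USER.
      needed := 0;
      GetTokenInformation(hToken, TokenUser, nil, 0, needed);
      if GetLastError <> ERROR_INSUFFICIENT_BUFFER then begin Result := GetLastError; Exit; end;
      GetMem(tokUser, needed);
      try
        if not GetTokenInformation(hToken, TokenUser, tokUser, needed, needed) then
          begin Result := GetLastError; Exit; end;
        nameLen := Length(nameBuf);
        domLen := Length(domBuf);
        // Map the SID to DOMAIN and user; domain is the machine name for local accounts.
        if not LookupAccountSid(nil, tokUser^.User.Sid, nameBuf, nameLen, domBuf, domLen, use) then
          begin Result := GetLastError; Exit; end;
        user := nameBuf;
        domain := domBuf;
        Result := ERROR_SUCCESS;
      finally
        FreeMem(tokUser);
      end;
    finally
      CloseHandle(hToken);
    end;
  finally
    CloseHandle(hProc);
  end;
end;

var
  snap: THandle;
  pe: TProcessEntry32;
  dom, usr: string;
  err: DWORD;
begin
  if not EnableDebugPrivilege then
    Writeln('warning: SeDebugPrivilege not enabled, other users'' processes will fail');
  // Walk every process in every session; a token query does not care about sessions.
  snap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if snap = INVALID_HANDLE_VALUE then RaiseLastOSError;
  try
    pe.dwSize := SizeOf(pe);
    if Process32First(snap, pe) then
      repeat
        err := GetProcessOwner(pe.th32ProcessID, dom, usr);
        if err = ERROR_SUCCESS then
          Writeln(Format('%6d  %-24s  %s\%s', [pe.th32ProcessID, string(pe.szExeFile), dom, usr]))
        else
          Writeln(Format('%6d  %-24s  <error %d: %s>', [pe.th32ProcessID, string(pe.szExeFile), err, SysErrorMessage(err)]));
      until not Process32Next(snap, pe);
  finally
    CloseHandle(snap);
  end;
end.
```

Run it from an elevated console or from a service running as LocalSystem and every process, including SYSTEM-owned ones, comes back as DOMAIN\user (NT AUTHORITY\SYSTEM, NT AUTHORITY\LOCAL SERVICE, etc.). Run it as a plain user and OpenProcess fails with error 5 on everything that is not your own; that is the same rights problem the poster hit, but it fails cleanly instead of needing code injected into the target.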

Postby madshi » Tue Nov 15, 2005 6:51 pm

Of course you can't use the PID of the other process. You need to use the PH of the other process, or did you just say it wrong? I've used OpenProcessToken etc on other processes with success.

Postby nagylzs » Tue Nov 15, 2005 7:40 pm

Yes, I just said it wrong. BTW you said that CreateRemoteThread doesn't work for other terminal server and fast user switching sessions. Is there a similar issue with CreateProcess? I'm not able to 'RemoteExecute' a 'CreateProcess' call within any terminal based/fast user switching session. But I can do it in any 'normal' session. (LastError=1, Invalid parameter)

I cannot tell how much I owe you!

Postby madshi » Tue Nov 15, 2005 9:17 pm

"LastError=1" is *not* "invalid parameter"!