如何获取调用进程 Windows 用户访问令牌

发布于 12-05 03:17 字数 120 浏览 1 评论 0原文

如何获取创建调用我的应用程序的进程的用户的访问令牌?

我需要使用该令牌进行模拟,其想法是访问该用户 applicationData 中的文件。

PS 将模拟用户的应用程序是在系统下运行的服务。

How can I get the Access Token for the user that created the process that called my application?

I need to use that Token for impersonation, the idea is to access a file in that users applicationData.

P.S. The application that will be impersonating the user is a service running under System.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

满栀2024-12-12 03:17:33

检查MSDN,所有这些API都有详细记录。
您可能想做这样的事情:

HANDLE thisToken, thisProcess;

thisProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId() );
OpenProcessToken( thisProcess, TOKEN_ALL_ACCESS, &thisToken );

http:// /msdn.microsoft.com/en-us/library/aa379295(v=vs.85).aspx

尽管您可能需要比这更少的访问权限。
这将为您提供当前进程的令牌。

Check MSDN, all this API is well documented.
You probably want to do something like this:

HANDLE thisToken, thisProcess;

thisProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId() );
OpenProcessToken( thisProcess, TOKEN_ALL_ACCESS, &thisToken );

http://msdn.microsoft.com/en-us/library/aa379295(v=vs.85).aspx

Though you probably want less access than that.
This will get you the token for the current process.

┊风居住的梦幻卍2024-12-12 03:17:33

出于安全原因,我们一直在寻找一种方法来查看用户的访问令牌。

最近遇到一种情况,我们需要查明一名员工是否可以修改共享文件服务器上我们的一个文件的访问权限。我们最初尝试查看文件的 ACL,但由于所有嵌套成员身份都已就位,这种方法很快就变得不切实际。

然后,我们的一位开发人员建议尝试查看用户的访问令牌,并将其与文件上的 ACL 进行比较,因为这是一个相当简单的过程,并且可以立即产生准确的结果。

因此,我们开始寻找一种方法来查看用户的访问令牌。最初我们没有发现太多。遇到一些开发人员讨论如何获取用户令牌的网站,还有一些建议使用微软的“whoami”,但这也没有帮助,因为它只能用于查看自己的令牌。

几乎要放弃了,有一天我只是在谷歌上搜索“Windows Access Token Viewer”,并惊讶地发现了一个名为“Gold Finger for AD”的工具,该工具在其他一些安全分析功能中,有一个名为“Access Token Viewer”的功能。

我对这个发现很兴奋,拿到了一个评估版,并试了一下。它的工作原理正如所声称的那样,让我们​​可以看到任何用户的访问令牌,尤其是我们感兴趣的员工的访问令牌。我只希望它也以 API 格式提供相同的功能,以便我们的开发人员可以将其用于我们的内部应用程序。

尽管如此,它还是达到了我们的目的。技术详细信息位于 - Windows 访问令牌查看器

We've been looking for a way to peek into a user's access token as well, for security reasons.

We recently had a situation where we needed to find out whether one of the employees may had modify access to one of our files on a shared file-server. We initially tried looking at the ACL of the file, but with all the nested memberships in place, that approach quickly become impractical.

One of our devs then suggested trying to peek into the user's access token, and comparing it to the ACL on the file, as that's a fairly simple process and could yield accurate results immediately.

So we started looking for a way to peek into a user's access token. Initially we didn't find much. Came across a few sites that had devs discussing how to get a user's token, and a few that suggested using Microsoft's "whoami", but that too didn't help, as it could only be used to view one's own token.

Having almost given up, one day i just googled "Windows Access Token Viewer" and was surprised to come across a tool called Gold Finger for AD, that amongst a few other security analysis capabilities, had a capability called "Access Token Viewer".

Excited by the find, got my hands on an eval, and gave it a shot. It worked as claimed and let us see any user's access token, especially that of the employee we were interested in. I only wish it also offered the same ability in an API format, so our devs could use it for our in-house apps.

Nonetheless, it served our purpose. The technical details are over at - Windows Access Token Viewer.

弥枳2024-12-12 03:17:33

您可以使用 wcf 在客户端和服务之间进行通信。 “WCF 的委托和模拟”中有解释和示例

You can use wcf to communicate between the client and service. There are explanation and examples in "Delegation and Impersonation with WCF"

一城柳絮吹成雪2024-12-12 03:17:33

如果您的应用程序是一项服务,那么它很可能是通过 COM 或 DCOM 调用的。

您的服务器需要执行 CoGetCallContext 来检索 IServerSecurity 接口,以便检查客户端的身份验证并在需要时模拟客户端。

有关详细信息,请参阅 http://www.drdobbs.com/examining-dcom-security /184416352

(是的,我知道这是一个令人难以置信的老问题......但说真的,有人应该已经弄清楚了这一点。)

If your application is a service, then it's most likely being invoked via COM or DCOM.

Your server needs to do a CoGetCallContext to retrieve an IServerSecurity interface that lets it check the client's authentication and impersonate the client, if needed.

For more information, see http://www.drdobbs.com/examining-dcom-security/184416352

(Yes, I know this is an incredibly old question... but seriously, someone should have figured this out before now.)

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文