Giter VIP home page Giter VIP logo

whoamialternatives's Introduction

Alternatives to whoami

Some experiments to retrieve the current username without calling whoami.exe or similar binaries.

Method 1: PRTL_USER_PROCESS_PARAMETERS

Get the environment variables from the PEB structure and parse it to find the username.

  • Function NtQueryInformationProcess returns a "PROCESS_BASIC_INFORMATION" structure containing a pointer to the PEB base address.

  • The PEB structure contains a pointer "ProcessParameters" to a RTL_USER_PROCESS_PARAMETERS structure.

  • From that structure you can get a pointer "Environment" to the environment variables and a pointer "EnvironmentSize" to the size of the environment variables.

  • Reading the number of bytes indicated in "EnvironmentSize" from the address "Environment" as UNICODE text, parse the environment variables and print the one called "USERNAME". If you want all the env variables, check this repository

esquema

img

Method 2: LookupAccountSid

Get access to a token, find the user's SID in string format and translate it using the function LookupAccountSid.

  • Function NtOpenProcessToken creates an access token associated with the current process.

  • Function NtQueryInformationToken gets information from the token we created, using the value "tokenUser" (1) in the field "TOKEN_INFORMATION_CLASS" we get information about the username which is stored in the pointer "TokenInformation".

  • Function ConvertSidToStringSid converts the username's SID in binary format to string format.

  • Function LookupAccountSid takes the SID in string format and returns the username.

esquema

img

Method 3: LsaLookupSids

Get acccess to a token and a Policy object and get the username with the function LsaLookupSids.

  • Functions NtOpenProcessToken and NtQueryInformationToken are used like in method 2, return a pointer "TokenInformation" with the user's SID in binary format.

  • Function LsaOpenPolicy creates a handle to the Policy object in the current system.

  • Function LsaLookupSids takes a pointer to the SID and returns an structure LSA_TRANSLATED_NAME containing the username.

esquema

img

Method 4: NamedPipe

Create a named pipe and a secondary thread, write and read from the named pipe and get the username from the undocumented function NpGetUsername.

esquema

img

Method 5: ADSystemInfo

Get username if the computer is domain joined using the CoCreateInstance function as in MSDN example. It uses the class ADSystemInfoClass and the interfaces ADSystemInfo and IADsADSystemInfo from ActiveDS.dll, which are already in the project folder so you don't need the DLL.

If there is no connection with the AD:

img

If there is connection:

img

Source

vx-underground's Twitter account

whoamialternatives's People

Contributors

ricardojoserf avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.