API to get AppContainerName from AppContainerSid
Say I have a DACL for a process that I need to present to an end user. I can use ConvertSecurityDescriptorToStringSecurityDescriptor to convert it to a string representation. I then need to make it more manageable for the user by removing the "crazy" local SIDs from it. Here's an example:
D:(A;;0x1fffff;;;S-1-5-21-2301966995-2804055512-1978750589-1002)(A;;0x1fffff;;;SY)(A;;0x121411;;;S-1-5-5-0-1207601)(A;;0x1fffff;;;S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708)
So, for instance, the resulting string may contain user SIDs (S-1-5-21-2301966995-2804055512-1978750589-1002 in the case above) that I can convert to a user name using LookupAccountName, but I can't seem to find a way to convert AppContainer SIDs to AppContainer names.
In this case, S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708 stands for Microsoft.Windows.ShellExperienceHost.
There is an API that converts the latter into the former, called DeriveAppContainerSidFromAppContainerName.
But I'm curious how to convert an AppContainerSid to an AppContainerName?
An undocumented function exists for this task (see app_container.cc from Chromium):
LONG WINAPI AppContainerLookupMoniker(PSID Sid, PWSTR* packageFamilyName);
It is exported from api-ms-win-appmodel-identity-l1-2-0.dll.
It takes your SID as input and returns a string, the packageFamilyName. To free this string you need to use another undocumented API:
BOOLEAN WINAPI AppContainerFreeMemory(void* ptr);
With the returned packageFamilyName we can use the already documented API GetPackagesByPackageFamily. The returned packageFullName can then be used with APIs such as GetStagedPackagePathByFullName, OpenPackageInfoByFullName, etc.
For example:
#include <windows.h>
#include <appmodel.h>
#include <malloc.h>   // alloca

// DbgPrint is exported by ntdll.dll: declare it and link ntdll.lib,
// or substitute wprintf for console output.
void AppXtest(PSID Sid)
{
    // Both functions are undocumented, so resolve them at run time.
    LONG (WINAPI* AppContainerLookupMoniker)(PSID Sid, PWSTR* packageFamilyName);
    BOOLEAN (WINAPI* AppContainerFreeMemory)(void* ptr);

    if (HMODULE hmod = LoadLibraryW(L"api-ms-win-appmodel-identity-l1-2-0"))
    {
        if ((*(void**)&AppContainerLookupMoniker = GetProcAddress(hmod, "AppContainerLookupMoniker")) &&
            (*(void**)&AppContainerFreeMemory = GetProcAddress(hmod, "AppContainerFreeMemory")))
        {
            PWSTR packageFamilyName;
            LONG err = AppContainerLookupMoniker(Sid, &packageFamilyName);

            if (err == NOERROR)
            {
                DbgPrint("%S\n", packageFamilyName);

                // First call only queries the required sizes.
                UINT32 count = 0, bufferLength = 0;

                if (ERROR_INSUFFICIENT_BUFFER == GetPackagesByPackageFamily(packageFamilyName, &count, 0, &bufferLength, 0))
                {
                    // One stack block: the pointer array followed by the string buffer.
                    PWSTR *packageFullNames = (PWSTR*)alloca(count * sizeof(PWSTR) + bufferLength * sizeof(WCHAR));
                    PWSTR buffer = (PWSTR)(packageFullNames + count);

                    if (NOERROR == GetPackagesByPackageFamily(packageFamilyName, &count, packageFullNames, &bufferLength, buffer))
                    {
                        if (count)
                        {
                            do
                            {
                                PCWSTR packageFullName = *packageFullNames++;
                                DbgPrint("%S\n", packageFullName);

                                WCHAR path[MAX_PATH];
                                UINT32 len = RTL_NUMBER_OF(path);

                                if (NOERROR == GetStagedPackagePathByFullName(packageFullName, &len, path))
                                {
                                    DbgPrint("%S\n", path);
                                }
                            } while (--count);
                        }
                    }
                }

                // The string was allocated by the lookup call; free it with its own deallocator.
                AppContainerFreeMemory(packageFamilyName);
            }
        }
    }
}
For the SID S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708 I got:
microsoft.windows.shellexperiencehost_cw5n1h2txyewy
Microsoft.Windows.ShellExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy
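An added example, not part of the original question or answer: before any lookup, a tool that tidies the SDDL string has to decide which trustees are AppContainer package SIDs (S-1-15-2 plus seven further sub-authorities, the input for AppContainerLookupMoniker) and which are ordinary account SIDs (for LookupAccountSid). The portable C below does that routing for the DACL string from the question; `classify_sid` and `classify_dacl` are hypothetical names, and it assumes plain ACEs without conditional expressions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef enum { SID_ALIAS, SID_ACCOUNT, SID_LOGON, SID_APPCONTAINER, SID_OTHER } sid_kind;
/* The DACL string quoted in the question. */
static const char SAMPLE[] = "D:(A;;0x1fffff;;;S-1-5-21-2301966995-2804055512-1978750589-1002)"
    "(A;;0x1fffff;;;SY)(A;;0x121411;;;S-1-5-5-0-1207601)(A;;0x1fffff;;;"
    "S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708)";

/* Classify one trustee by identifier authority and sub-authority layout. */
sid_kind classify_sid(const char *sid)
{
    unsigned long auth, rid[16] = {0};           /* rid[15] absorbs any excess fields */
    int n = 0;                                   /* sub-authority count */
    char *end;
    if (strncmp(sid, "S-1-", 4) != 0) return SID_ALIAS;               /* e.g. SY */
    auth = strtoul(sid + 4, &end, 10);
    for (; *end == '-'; n++)
        rid[n < 15 ? n : 15] = strtoul(end + 1, &end, 10);
    if (auth == 5 && rid[0] == 21) return SID_ACCOUNT;                /* user or group */
    if (auth == 5 && rid[0] == 5 && n == 3) return SID_LOGON;         /* S-1-5-5-X-Y */
    if (auth == 15 && rid[0] == 2 && n == 8) return SID_APPCONTAINER; /* package SID */
    return SID_OTHER;
}

/* Trustee kind per ACE into out[]; returns ACE count or -1. Plain (non-conditional) ACEs only. */
int classify_dacl(const char *sddl, sid_kind *out, int max)
{
    int n = 0;
    for (const char *p = strchr(sddl, '('), *close; p && n < max; p = strchr(close, '(')) {
        const char *f = p + 1;
        char sid[192];
        if ((close = strchr(p, ')')) == NULL) return -1;
        for (int i = 0; i < 5 && f; i++)         /* skip the five fields before the SID */
            if ((f = memchr(f, ';', (size_t)(close - f))) != NULL) f++;
        if (!f || f == close || (size_t)(close - f) >= sizeof sid) return -1;
        snprintf(sid, sizeof sid, "%.*s", (int)(close - f), f);
        out[n++] = classify_sid(sid);
    }
    return n;
}

int main(void)
{
    static const char *via[] = { "alias", "LookupAccountSid", "logon SID", "AppContainerLookupMoniker", "other" };
    sid_kind k[8];
    int n = classify_dacl(SAMPLE, k, 8);
    for (int i = 0; i < n; i++) printf("ACE %d: %s\n", i, via[k[i]]);
}
```

Well-known S-1-15-2-1 (ALL APPLICATION PACKAGES) and S-1-15-3-* capability SIDs deliberately fall into `SID_OTHER`, since they are not per-package SIDs.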