# Alternatives to whoami
Some experiments to retrieve the current username without calling whoami.exe or similar binaries.
------------------------------------------------
## Method 1: PRTL_USER_PROCESS_PARAMETERS
Get the environment variables from the PEB structure and parse them to find the username.
- Function [NtQueryInformationProcess](https://learn.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess) returns a "PROCESS_BASIC_INFORMATION" structure containing a pointer to the PEB base address.
- The PEB structure contains a pointer "ProcessParameters" to a [RTL_USER_PROCESS_PARAMETERS](https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/api/pebteb/rtl_user_process_parameters.htm) structure.
- From that structure you can get a pointer "Environment" to the environment variables and a field "EnvironmentSize" with the size of the environment block.
- Read the number of bytes indicated in "EnvironmentSize" from the address "Environment" as UNICODE text, parse the environment variables and print the one called "USERNAME". If you want all the environment variables, check [this repository](https://github.com/ricardojoserf/StealthyEnv).
![esquema](https://raw.githubusercontent.com/ricardojoserf/ricardojoserf.github.io/master/images/stealthyenv/Screenshot_0.png)
![img](https://github.com/ricardojoserf/ricardojoserf.github.io/blob/master/images/whoamialternatives/Screenshot_1.png?raw=true)
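The parsing step above is format work rather than Windows API work, so it can be shown without the PEB walk. The following is an added example written for this page, not code from the repository: a portable C parser for the environment block layout that "Environment" points to (UTF-16LE `NAME=VALUE` entries, each NUL-terminated, with an empty entry closing the block), run over a constructed sample block. It skips the hidden `=C:=...` drive entries Windows keeps in the block, compares names case-insensitively as Windows does, and refuses a block whose last entry has no terminator instead of reading past the given size. The sample variable values are invented.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Read one UTF-16LE code unit from the block at byte offset i. */
static uint16_t cu(const uint8_t *env, size_t i)
{
    return (uint16_t)(env[i] | (env[i + 1] << 8));
}

/*
 * Look up a variable in an environment block: "NAME=VALUE\0" entries in
 * UTF-16LE, closed by an empty entry. Name matching is case-insensitive.
 * Returns the value length written to out, or -1 if the variable is not
 * present or the block is malformed (entry without terminator). Only
 * ASCII-range code units are copied; anything else becomes '?'.
 */
int env_block_lookup(const uint8_t *env, size_t size, const char *name,
                     char *out, size_t outlen)
{
    size_t i = 0;
    size &= ~(size_t)1;                     /* ignore a trailing odd byte */
    while (i + 2 <= size) {
        if (cu(env, i) == 0) return -1;     /* empty entry: end of block */
        size_t end = i;                     /* find this entry's terminator */
        while (end + 2 <= size && cu(env, end) != 0) end += 2;
        if (end + 2 > size) return -1;      /* truncated: no terminator */
        size_t eq = i;                      /* find the '=' separator */
        while (eq < end && cu(env, eq) != '=') eq += 2;
        /* eq == i means an empty name ("=C:=C:\..." entries): skip it */
        if (eq > i && eq < end && (eq - i) / 2 == strlen(name)) {
            size_t nlen = (eq - i) / 2, k;
            for (k = 0; k < nlen; k++) {
                uint16_t c = cu(env, i + 2 * k);
                if (c > 127 || toupper((unsigned char)name[k]) != toupper((int)c)) break;
            }
            if (k == nlen) {
                size_t vlen = (end - eq - 2) / 2;
                if (vlen >= outlen) vlen = outlen - 1;
                for (k = 0; k < vlen; k++) {
                    uint16_t c = cu(env, eq + 2 + 2 * k);
                    out[k] = (c > 0 && c < 128) ? (char)c : '?';
                }
                out[vlen] = '\0';
                return (int)vlen;
            }
        }
        i = end + 2;
    }
    return -1;
}

/* Build a UTF-16LE block from ASCII "NAME=VALUE" strings (sample input only). */
size_t make_env_block(const char *const *vars, size_t n, uint8_t *out, size_t cap)
{
    size_t pos = 0;
    for (size_t v = 0; v < n; v++) {
        for (const char *p = vars[v]; *p; p++) {
            if (pos + 2 > cap) return 0;
            out[pos++] = (uint8_t)*p; out[pos++] = 0;
        }
        if (pos + 2 > cap) return 0;
        out[pos++] = 0; out[pos++] = 0;     /* entry terminator */
    }
    if (pos + 2 > cap) return 0;
    out[pos++] = 0; out[pos++] = 0;         /* block terminator */
    return pos;
}

/* Constructed sample block; values are invented. */
static const char *const SAMPLE_VARS[] = {
    "=C:=C:\\Users\\alice",        /* hidden drive entry with empty name */
    "COMPUTERNAME=WS-LAB01",
    "Path=C:\\Windows\\system32",
    "USERNAME=alice",
    "USERDOMAIN=WS-LAB01",
};

int sample_lookup(const char *name, char *out, size_t outlen)
{
    uint8_t block[1024];
    size_t size = make_env_block(SAMPLE_VARS, 5, block, sizeof block);
    return env_block_lookup(block, size, name, out, outlen);
}

int main(void)
{
    char buf[64];
    if (sample_lookup("USERNAME", buf, sizeof buf) > 0) printf("USERNAME=%s\n", buf);
    return 0;
}
```

On a real process the `env` pointer and `size` would come from the "Environment" and "EnvironmentSize" fields described above; everything else is the same.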
------------------------------------------------
## Method 2: LookupAccountSid
Get access to a token, find the user's SID in string format and translate it using the function LookupAccountSid.
- Function [NtOpenProcessToken](https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntopenprocesstoken) opens a handle to the access token associated with the current process.
- Function [NtQueryInformationToken](https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntqueryinformationtoken) gets information from the token we opened: passing the value `TokenUser` (1) as the "TOKEN_INFORMATION_CLASS" parameter returns the user's SID in the buffer pointed to by "TokenInformation".
- Function [ConvertSidToStringSid](https://learn.microsoft.com/en-us/windows/win32/api/sddl/nf-sddl-convertsidtostringsida) converts the user's SID from binary format to string format.
- Function [LookupAccountSid](https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-lookupaccountsida) takes the SID in string format and returns the username.
![esquema](https://github.com/ricardojoserf/ricardojoserf.github.io/blob/master/images/whoamialternatives/LookupAccountSid_esquema.png?raw=true)
![img](https://github.com/ricardojoserf/ricardojoserf.github.io/blob/master/images/whoamialternatives/Screenshot_2.png?raw=true)
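The SID that "TokenInformation" points to is a small binary structure, and ConvertSidToStringSid only renders it. To make the layout concrete, here is an added example written for this page (not the repository's code, portable C with no Windows headers): a converter from the binary form to the `S-1-5-21-...` string, plus a RID extractor, exercised on two well-known SIDs and on a constructed domain-style user SID whose machine-specific values are invented. Layout: revision byte, sub-authority count, a 6-byte big-endian identifier authority, then little-endian 32-bit sub-authorities, at most 15 of them.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SID_MAX_SUB_AUTHORITIES 15

/* Well-known SIDs as raw bytes, to show the layout (constants, not read from a token). */
const uint8_t SID_EVERYONE[12]     = {1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0};   /* S-1-1-0  */
const uint8_t SID_LOCAL_SYSTEM[12] = {1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};  /* S-1-5-18 */

/* Build a binary SID from its parts (used here only to construct sample input). */
size_t make_sid(uint8_t *out, size_t cap, uint64_t authority,
                const uint32_t *subs, size_t count)
{
    if (count > SID_MAX_SUB_AUTHORITIES || cap < 8 + 4 * count) return 0;
    out[0] = 1;                                  /* SID revision */
    out[1] = (uint8_t)count;
    for (int i = 0; i < 6; i++)                  /* identifier authority, big-endian */
        out[2 + i] = (uint8_t)(authority >> (8 * (5 - i)));
    for (size_t i = 0; i < count; i++) {         /* sub-authorities, little-endian */
        uint32_t s = subs[i];
        uint8_t *p = out + 8 + 4 * i;
        p[0] = (uint8_t)s;         p[1] = (uint8_t)(s >> 8);
        p[2] = (uint8_t)(s >> 16); p[3] = (uint8_t)(s >> 24);
    }
    return 8 + 4 * count;
}

/*
 * Render a binary SID as "S-R-IA-SA1-SA2...". Returns the string length, or -1
 * if the buffer is malformed (bad revision, too many or truncated sub-authorities)
 * or the output buffer is too small. An authority above 32 bits is printed in hex,
 * as the SDDL string form does.
 */
int sid_to_string(const uint8_t *sid, size_t size, char *out, size_t outlen)
{
    if (size < 8) return -1;
    uint8_t rev = sid[0], count = sid[1];
    if (rev != 1 || count > SID_MAX_SUB_AUTHORITIES) return -1;
    if (size < 8 + 4u * count) return -1;        /* truncated buffer */

    uint64_t ia = 0;
    for (int i = 0; i < 6; i++) ia = (ia << 8) | sid[2 + i];

    int n = (ia >> 32)
        ? snprintf(out, outlen, "S-%u-0x%012llX", (unsigned)rev, (unsigned long long)ia)
        : snprintf(out, outlen, "S-%u-%llu", (unsigned)rev, (unsigned long long)ia);
    if (n < 0 || (size_t)n >= outlen) return -1;

    for (int i = 0; i < count; i++) {
        const uint8_t *p = sid + 8 + 4 * i;
        uint32_t sa = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                      ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        int m = snprintf(out + n, outlen - (size_t)n, "-%lu", (unsigned long)sa);
        if (m < 0 || (size_t)m >= outlen - (size_t)n) return -1;
        n += m;
    }
    return n;
}

/* The last sub-authority is the RID; -1 if the SID is malformed or has none. */
long long sid_rid(const uint8_t *sid, size_t size)
{
    if (size < 8 || sid[0] != 1 || sid[1] == 0 || sid[1] > SID_MAX_SUB_AUTHORITIES) return -1;
    if (size < 8 + 4u * sid[1]) return -1;
    const uint8_t *p = sid + 8 + 4 * (sid[1] - 1);
    return (long long)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* Constructed sample: a domain-style user SID with invented machine values and RID 1001. */
int sample_user_sid_string(char *out, size_t outlen)
{
    static const uint32_t subs[] = {21, 1004336348u, 1177238915u, 682003330u, 1001};
    uint8_t sid[68];
    size_t n = make_sid(sid, sizeof sid, 5, subs, 5);
    return sid_to_string(sid, n, out, outlen);
}

int main(void)
{
    char buf[128];
    if (sample_user_sid_string(buf, sizeof buf) > 0) printf("%s\n", buf);
    if (sid_to_string(SID_LOCAL_SYSTEM, sizeof SID_LOCAL_SYSTEM, buf, sizeof buf) > 0) printf("%s\n", buf);
    return 0;
}
```

The RID is the part worth reading even before any name lookup: 500 is the built-in Administrator, 1000 and above are ordinary accounts, and 18 in the `S-1-5-18` example is LocalSystem. LookupAccountSid and LsaLookupSids (Method 3) then resolve the whole SID to an account name against the SAM or the domain.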
------------------------------------------------
## Method 3: LsaLookupSids
Get access to a token and a Policy object and get the username with the function LsaLookupSids.
- Functions NtOpenProcessToken and NtQueryInformationToken are used as in Method 2 and return a pointer "TokenInformation" to the user's SID in binary format.
- Function [LsaOpenPolicy](https://learn.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsaopenpolicy) opens a handle to the Policy object of the local system.
- Function [LsaLookupSids](https://learn.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsalookupsids) takes a pointer to the SID and returns an LSA_TRANSLATED_NAME structure containing the username.
![esquema](https://github.com/ricardojoserf/ricardojoserf.github.io/blob/master/images/whoamialternatives/LsaLookupSids_esquema.drawio.png?raw=true)
![img](https://github.com/ricardojoserf/ricardojoserf.github.io/blob/master/images/whoamialternatives/Screenshot_3.png?raw=true)
------------------------------------------------
## Method 4: NamedPipe
Create a named pipe and a secondary thread, write to and read from the named pipe, and get the username with the undocumented function NpGetUsername.
![esquema](https://github.com/ricardojoserf/ricardojoserf.github.io/blob/master/images/whoamialternatives/NamedPipe_esquema.png?raw=true)
![img](https://raw.githubusercontent.com/ricardojoserf/ricardojoserf.github.io/master/images/whoamialternatives/Screenshot_4.png)
------------------------------------------------
## Method 5: ADSystemInfo
Get the username when the computer is domain-joined, using the [CoCreateInstance](https://learn.microsoft.com/en-us/windows/win32/api/combaseapi/nf-combaseapi-cocreateinstance) function as in the [MSDN example](https://learn.microsoft.com/es-es/windows/win32/api/iads/nn-iads-iadsadsysteminfo). It uses the ADSystemInfoClass class and the ADSystemInfo and IADsADSystemInfo interfaces from ActiveDS.dll, which are already included in the project folder, so you don't need the DLL.
If there is no connection to the AD:
![img](https://raw.githubusercontent.com/ricardojoserf/ricardojoserf.github.io/master/images/whoamialternatives/Screenshot_5.png)
If there is a connection:
![img](https://raw.githubusercontent.com/ricardojoserf/ricardojoserf.github.io/master/images/whoamialternatives/Screenshot_6.png)
------------------------------------------------
### Source
[vx-underground's Twitter account](https://twitter.com/vxunderground)