I have an IRP and an EPROCESS object in my driver. I want to know how I can retrieve the process privilege (normal, Administrator or SYSTEM) from these structures.
    NTSTATUS status;
    KPROCESSOR_MODE ProcessRequestorMode = pIrp->RequestorMode;
    UNICODE_STRING PRM;

    if (ProcessRequestorMode == KernelMode)
    {
        status = RtlInitUnicodeStringEx(&PRM, L"Kernel-Mode");
    }
    else
    {
        status = RtlInitUnicodeStringEx(&PRM, L"User-Mode");
        //////////////////////////TODO////////////////////
        // retrieving process privilege
        //////////////////////////////////////////////////
    }

    // Check the status before PRM is used; %wZ expects a pointer to the UNICODE_STRING.
    if (!NT_SUCCESS(status))
    {
        DBGMSG0("Can not convert RequestorMode to UNICODE_STRING\n");
        ASSERT(FALSE);
        return status;
    }
    DBGMSG1("Processor Mode : %wZ ", &PRM);
This information is stored in the process token.
You can get that using PsReferencePrimaryToken.
If the process is impersonating, you can use PsReferenceImpersonationToken instead.
After that you simply query the token for the TokenUser using ZwQueryInformationToken.
Good luck,
Gabriel
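An added worked example of the sequence Gabriel describes (not code from either poster). The kernel part, compiled only when the reader defines WDK_BUILD and therefore not exercised here, takes a referenced EPROCESS at PASSIVE_LEVEL, opens a handle on its primary token with ObOpenObjectByPointer and queries TokenUser with ZwQueryInformationToken. The rest interprets the returned buffer and builds anywhere: TokenUser yields the account SID, so the classifier recognises the well-known S-1-5-18 (SYSTEM), S-1-5-19 and S-1-5-20 accounts and renders any SID as a string for logging. Note that membership in Administrators (S-1-5-32-544) is a group, reported under TokenGroups rather than TokenUser, so "Administrator or normal" needs that second query. All Example* names, the WDK_BUILD macro, the pool tag and the sample SIDs are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

#ifdef WDK_BUILD
#include <ntifs.h>   /* PsReferencePrimaryToken, ObOpenObjectByPointer, ZwQueryInformationToken */
#else
/* Minimal mirrors of the Windows definitions so the SID-interpretation part builds outside the WDK. */
typedef void *PSID;
typedef struct { PSID Sid; uint32_t Attributes; } SID_AND_ATTRIBUTES;
typedef struct { SID_AND_ATTRIBUTES User; } TOKEN_USER, *PTOKEN_USER;
#endif

typedef enum { EX_OWNER_INVALID, EX_OWNER_SYSTEM, EX_OWNER_LOCAL_SERVICE,
               EX_OWNER_NETWORK_SERVICE, EX_OWNER_OTHER } ExOwnerClass;

/* A SID is a byte stream: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6, big-endian)
   SubAuthority[count] (4 bytes each, little-endian). Reading it byte-wise avoids alignment assumptions. */
static int SidLooksValid(const uint8_t *s) { return s != NULL && s[0] == 1 && s[1] <= 15; }
static uint64_t SidAuthority(const uint8_t *s) {
    uint64_t v = 0;
    for (int i = 0; i < 6; i++) v = (v << 8) | s[2 + i];
    return v;
}
static uint32_t SidSubAuthority(const uint8_t *s, unsigned i) {
    const uint8_t *p = s + 8 + 4u * i;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Who owns the token: SYSTEM, LOCAL SERVICE and NETWORK SERVICE are S-1-5-18/19/20. Anything else is an
   ordinary account; administrator status is a TokenGroups question (S-1-5-32-544), not a TokenUser one. */
ExOwnerClass ExampleClassifyTokenUser(const TOKEN_USER *tu) {
    if (tu == NULL) return EX_OWNER_INVALID;
    const uint8_t *s = (const uint8_t *)tu->User.Sid;
    if (!SidLooksValid(s)) return EX_OWNER_INVALID;
    if (SidAuthority(s) == 5 && s[1] == 1) {
        switch (SidSubAuthority(s, 0)) {
        case 18: return EX_OWNER_SYSTEM;
        case 19: return EX_OWNER_LOCAL_SERVICE;
        case 20: return EX_OWNER_NETWORK_SERVICE;
        default: break;
        }
    }
    return EX_OWNER_OTHER;
}

/* Appends v in decimal at out[pos], keeping the NUL; returns the new length, or 0 if it would not fit. */
static size_t AppendDec(char *out, size_t outLen, size_t pos, uint64_t v) {
    char tmp[20]; size_t n = 0;
    do { tmp[n++] = (char)('0' + v % 10); v /= 10; } while (v != 0);
    if (pos + n + 1 > outLen) return 0;
    while (n > 0) out[pos++] = tmp[--n];
    out[pos] = '\0';
    return pos;
}

/* Renders a SID as "S-1-5-18" for logging; returns the length, or -1 on a bad SID or short buffer.
   (Authorities above 2^32, which Windows prints in hex, are printed in decimal here.) */
int ExampleSidToString(const void *sid, char *out, size_t outLen) {
    const uint8_t *s = (const uint8_t *)sid;
    if (!SidLooksValid(s) || outLen < 5) return -1;
    memcpy(out, "S-1-", 5);
    size_t pos = AppendDec(out, outLen, 4, SidAuthority(s));
    for (unsigned i = 0; pos != 0 && i < s[1]; i++) {
        if (pos + 2 > outLen) return -1;
        out[pos++] = '-'; out[pos] = '\0';
        pos = AppendDec(out, outLen, pos, SidSubAuthority(s, i));
    }
    return pos != 0 ? (int)pos : -1;
}

/* Constructed sample input: a TOKEN_USER laid out as ZwQueryInformationToken returns it, the
   SID_AND_ATTRIBUTES header followed by the SID bytes it points to (authority 5 = NT AUTHORITY). */
typedef union { TOKEN_USER tu; uint8_t bytes[sizeof(TOKEN_USER) + 8 + 4 * 15]; } ExTokenUserBuf;

size_t ExampleBuildTokenUser(ExTokenUserBuf *buf, const uint32_t *subAuths, uint8_t count) {
    if (count > 15) return 0;
    uint8_t *sid = buf->bytes + sizeof(TOKEN_USER);
    sid[0] = 1; sid[1] = count;
    for (int i = 2; i < 8; i++) sid[i] = (i == 7) ? 5 : 0;   /* identifier authority 5, big-endian */
    for (unsigned i = 0; i < count; i++)
        for (unsigned b = 0; b < 4; b++) sid[8 + 4u * i + b] = (uint8_t)(subAuths[i] >> (8 * b));
    buf->tu.User.Sid = sid;
    buf->tu.User.Attributes = 0;
    return sizeof(TOKEN_USER) + 8 + 4u * count;
}

#ifdef WDK_BUILD
#define EX_POOL_TAG 'rsUx'
/* The answer's sequence for a referenced EPROCESS at PASSIVE_LEVEL (assumed; not exercised here).
   On success the caller owns *UserOut and frees it with ExFreePoolWithTag(*UserOut, EX_POOL_TAG). */
NTSTATUS ExampleQueryTokenUser(PEPROCESS Process, PTOKEN_USER *UserOut) {
    PACCESS_TOKEN token = PsReferencePrimaryToken(Process);
    HANDLE h = NULL;
    NTSTATUS status = ObOpenObjectByPointer(token, OBJ_KERNEL_HANDLE, NULL, TOKEN_QUERY,
                                            *SeTokenObjectType, KernelMode, &h);
    PsDereferencePrimaryToken(token);   /* the handle now carries its own reference */
    if (!NT_SUCCESS(status)) return status;
    ULONG needed = 0;
    status = ZwQueryInformationToken(h, TokenUser, NULL, 0, &needed);
    if (status == STATUS_BUFFER_TOO_SMALL) {
        PTOKEN_USER user = (PTOKEN_USER)ExAllocatePoolWithTag(PagedPool, needed, EX_POOL_TAG);
        if (user == NULL) {
            status = STATUS_INSUFFICIENT_RESOURCES;
        } else {
            status = ZwQueryInformationToken(h, TokenUser, user, needed, &needed);
            if (NT_SUCCESS(status)) *UserOut = user; else ExFreePoolWithTag(user, EX_POOL_TAG);
        }
    }
    ZwClose(h);
    return status;
}
#endif
```

In a dispatch routine the requesting thread is the current thread, so the EPROCESS to pass is PsGetCurrentProcess(), and an impersonating thread is handled with PsReferenceImpersonationToken as the answer says. The two-call pattern (query for the size, allocate, query again) is needed because the SID length varies per account.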