Skip to content
/ WhoamiAlternatives Public

Different methods to get current username without using whoami

173 stars 15 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ricardojoserf/WhoamiAlternatives

BranchesTags

Repository files navigation

Alternatives to whoami

Some experiments to retrieve the current username without calling whoami.exe or similar binaries.

Method 1: PRTL_USER_PROCESS_PARAMETERS

Get the environment variables from the PEB structure and parse it to find the username.

  • Function NtQueryInformationProcess returns a "PROCESS_BASIC_INFORMATION" structure containing a pointer to the PEB base address.

  • The PEB structure contains a pointer "ProcessParameters" to a RTL_USER_PROCESS_PARAMETERS structure.

  • From that structure you can get a pointer "Environment" to the environment variables and a pointer "EnvironmentSize" to the size of the environment variables.

  • Reading the number of bytes indicated in "EnvironmentSize" from the address "Environment" as UNICODE text, parse the environment variables and print the one called "USERNAME". If you want all the env variables, check this repository

esquema

img

Method 2: LookupAccountSid

Get access to a token, find the user's SID in string format and translate it using the function LookupAccountSid.

  • Function NtOpenProcessToken creates an access token associated with the current process.

  • Function NtQueryInformationToken gets information from the token we created, using the value "tokenUser" (1) in the field "TOKEN_INFORMATION_CLASS" we get information about the username which is stored in the pointer "TokenInformation".

  • Function ConvertSidToStringSid converts the username's SID in binary format to string format.

  • Function LookupAccountSid takes the SID in string format and returns the username.

esquema

img

Method 3: LsaLookupSids

Get acccess to a token and a Policy object and get the username with the function LsaLookupSids.

  • Functions NtOpenProcessToken and NtQueryInformationToken are used like in method 2, return a pointer "TokenInformation" with the user's SID in binary format.

  • Function LsaOpenPolicy creates a handle to the Policy object in the current system.

  • Function LsaLookupSids takes a pointer to the SID and returns an structure LSA_TRANSLATED_NAME containing the username.

esquema

img

Method 4: NamedPipe

Create a named pipe and a secondary thread, write and read from the named pipe and get the username from the undocumented function NpGetUsername.

esquema

img

Method 5: ADSystemInfo

Get username if the computer is domain joined using the CoCreateInstance function as in MSDN example. It uses the class ADSystemInfoClass and the interfaces ADSystemInfo and IADsADSystemInfo from ActiveDS.dll, which are already in the project folder so you don't need the DLL.

If there is no connection with the AD:

img

If there is connection:

img

Source

vx-underground's Twitter account

About

Different methods to get current username without using whoami

Topics

pinvoke whoami malware-development

Resources

Readme
Activity

Stars

173 stars

Watchers

2 watching

Forks

15 forks
Report repository

Releases

No releases published

Sponsor this project

 
Learn more about GitHub Sponsors

Languages