Introduction:
The logon part happens in WlxLoggedOutSAS.
In the GINA sample on MSDN, WlxLoggedOutSAS first calls
result = pWlxFuncs->WlxDialogBoxParam( hGlobalWlx,
hDllInstance,
(LPTSTR) MAKEINTRESOURCE(IDD_LOGON_DIALOG),
NULL,
LogonDlgProc,
(LPARAM) pGlobals );
which creates a logon dialog, the one you normally see. (LPARAM)pGlobals is passed in from WlxLoggedOutSAS; I guess the username and password entered at logon are stored in it, in pGlobals->pAccount.
Then it calls the sample's function
result = AttemptLogon(pGlobals, pGlobals->pAccount,
pLogonSid, pAuthenticationId);
Inside it is
int
AttemptLogon(
PGlobals pGlobals,
PMiniAccount pAccount,
PSID pLogonSid,
PLUID pLogonId)
which then calls
LogonUser( pAccount->pszUsername,
pAccount->pszDomain,
pAccount->pszPassword,
LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT,
&hUser)
This function is in AdvApi32.dll; hUser receives the token obtained after authentication, and the token's type is HANDLE. Oddly, the Windows documentation says that what gets called is LsaLogonUser. It would be enough to obtain or forge this token; I want to use a ring 0 program to forge this token.
....Later I saw that LogonUser calls L32pLogonUser, which fills in the logon token group list and then calls LsaLogonUser.
After the token is obtained,
GetTokenInformation(hUser,
TokenStatistics,
&TStats,
sizeof(TStats),
&size);
*pLogonId = TStats.AuthenticationId;
msdn:
AuthenticationId
Specifies an LUID assigned to the session this token represents. There can be many tokens representing a single logon session.
This parameter is passed back.
//
// The tricky part. We need to get the Logon SID from the token,
// since that is what Winlogon will use to protect the windowstation
// and desktop.
//
GetTokenInformation(hUser,
TokenGroups,
pGroups,
1024,
&size);
if (size >1024)
{
pGroups = LocalReAlloc(pGroups, size, LMEM_MOVEABLE); /* uBytes precedes uFlags; LMEM_MOVEABLE lets a fixed block be moved when it grows */
GetTokenInformation(hUser,
TokenGroups,
pGroups,
size,
&size);
}
for (i = 0; i < pGroups->GroupCount; i++)
{
if ((pGroups->Groups[i].Attributes &SE_GROUP_LOGON_ID) == SE_GROUP_LOGON_ID)
{
CopySid(GetLengthSid(pLogonSid),
pLogonSid,
pGroups->Groups[i].Sid );
break;
}
}
LocalFree(pGroups);
The purpose of this part is to add the SID of every group to this token's access-control list entry... I don't know how to put it; I don't understand these structures yet.
msdn:
The TOKEN_GROUPS structure contains information about the group SIDs in an access token.
An application can use the CopySid function to make a copy of a SID in an access token (in a TOKEN_GROUPS structure, for instance) to use in an access-control entry.
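As an added example (not the MSDN sample's or this post's own code), the following C program performs the "tricky part" above stand-alone: it finds the logon SID by its SE_GROUP_LOGON_ID attribute and reads the AuthenticationId, asking for the required buffer size first instead of guessing 1024 bytes. The function find_logon_sid_index and the fallback type definitions in the #else branch are assumptions made so the scan logic compiles and can be tested off Windows.

```c
/* Added example, not the MSDN GINA sample's own code: locate the logon SID
 * in a token's group list by its SE_GROUP_LOGON_ID attribute and read the
 * logon session LUID (AuthenticationId). On Windows main() queries the real
 * process token; the minimal type definitions in the #else branch only let
 * find_logon_sid_index() compile elsewhere for unit testing (assumption). */
#include <stddef.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <sddl.h>          /* ConvertSidToStringSidA */
#else
typedef unsigned long DWORD;
typedef void *PSID;
typedef struct { PSID Sid; DWORD Attributes; } SID_AND_ATTRIBUTES;
#define SE_GROUP_LOGON_ID 0xC0000000L
#endif

/* Index of the group carrying SE_GROUP_LOGON_ID (both bits must be set), or
 * -1 if the token has none, e.g. a service or anonymous token; the MSDN
 * sample copies the first match and does not handle that case. */
int find_logon_sid_index(const SID_AND_ATTRIBUTES *groups, DWORD count) {
    if (groups == NULL) return -1;
    for (DWORD i = 0; i < count; i++)
        if ((groups[i].Attributes & SE_GROUP_LOGON_ID) == SE_GROUP_LOGON_ID)
            return (int)i;
    return -1;
}

#ifdef _WIN32
int main(void) {
    HANDLE tok;
    DWORD size = 0;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return 1;
    /* Ask for the required size first instead of guessing 1024 bytes. */
    GetTokenInformation(tok, TokenGroups, NULL, 0, &size);
    TOKEN_GROUPS *g = (TOKEN_GROUPS *)LocalAlloc(LMEM_FIXED, size);
    if (g != NULL && GetTokenInformation(tok, TokenGroups, g, size, &size)) {
        int idx = find_logon_sid_index(g->Groups, g->GroupCount);
        LPSTR s = NULL;
        if (idx >= 0 && ConvertSidToStringSidA(g->Groups[idx].Sid, &s)) {
            printf("Logon SID: %s\n", s);   /* S-1-5-5-X-Y form */
            LocalFree(s);
        } else puts("No logon SID in this token");
    }
    TOKEN_STATISTICS st;   /* AuthenticationId identifies the logon session */
    if (GetTokenInformation(tok, TokenStatistics, &st, sizeof st, &size))
        printf("AuthenticationId: %08lx:%08lx\n", (unsigned long)st.AuthenticationId.HighPart, (unsigned long)st.AuthenticationId.LowPart);
    LocalFree(g);
    CloseHandle(tok);
    return 0;
}
#endif
```

On Windows, link with advapi32.lib; the program reports the logon SID and session LUID of its own token, which is what Winlogon uses to protect the window station and desktop.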
....(to be continued)
Reposted from
http://blog.csdn.net/uuty/archive/2005/02/21/294700.aspx