#include <windows.h>
#include <Ntsecapi.h>
#include <stdio.h>
#include <wchar.h>
#pragma comment(lib, "Secur32.lib")
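/*
 * Enumerate LSA logon sessions, find the one(s) whose account name matches
 * the calling user, and ask LSA for a network logon of that account with an
 * empty password.
 *
 * Exit status keeps the original convention: the last BOOL result is
 * returned as-is (1 when LogonUserW succeeded or failed only with
 * ERROR_ACCOUNT_RESTRICTION, 0 otherwise).  Callers that want a
 * conventional "0 == success" code must invert it.
 *
 * Fixes relative to the earlier version:
 *  - the session-list base pointer was advanced in the loop and then passed
 *    to LsaFreeReturnBuffer, i.e. the wrong address was freed;
 *  - the name compare used the GetUserNameW length (which includes the
 *    terminating NUL) against a UNICODE_STRING Buffer, which is counted in
 *    bytes and need not be NUL-terminated, so it could read past the buffer
 *    and could never match a buffer lacking the NUL;
 *  - the domain was passed straight from a UNICODE_STRING Buffer; it is now
 *    copied into a NUL-terminated local first;
 *  - a failed LsaEnumerateLogonSessions no longer exits with the "success"
 *    value left over from GetUserNameW.
 */
int
main(void)
{
    WCHAR UserName[256] = {0};
    ULONG UserNameLength = 256;       /* in: buffer size; out: chars written incl. NUL */
    BOOL bRet = FALSE;
    NTSTATUS status = 0;
    ULONG SessionCount = 0;
    PLUID SessionList = NULL;         /* base pointer: must reach LsaFreeReturnBuffer unchanged */
    PSECURITY_LOGON_SESSION_DATA SessionData = NULL;

    bRet = GetUserNameW(UserName, &UserNameLength);
    if (bRet == FALSE) {
        /* GetLastError() carries the reason; the original discarded it as well. */
        return bRet;
    }
    /* Compare on characters only; UserNameLength counts the terminating NUL. */
    size_t UserNameChars = wcslen(UserName);

    status = LsaEnumerateLogonSessions(&SessionCount, &SessionList);
    if (status != 0) {
        /* Nothing was tested, so do not report the GetUserNameW TRUE. */
        bRet = FALSE;
        return bRet;
    }

    for (ULONG Index = 0; Index < SessionCount; Index++) {
        status = LsaGetLogonSessionData(&SessionList[Index], &SessionData);
        if (status != 0) {
            /* Other users' sessions are refused when the process is not
             * elevated (see the notes following this listing). */
            continue;
        }

        /* UNICODE_STRING.Length is in bytes and Buffer may lack a NUL. */
        size_t SessionNameChars = SessionData->UserName.Length / sizeof(WCHAR);
        if (SessionNameChars != 0 &&
            SessionNameChars == UserNameChars &&
            _wcsnicmp(UserName, SessionData->UserName.Buffer, SessionNameChars) == 0) {
            /* Copy the domain into a NUL-terminated buffer; LogonUserW
             * expects a C string, not a counted UNICODE_STRING. */
            WCHAR Domain[256] = {0};
            size_t DomainChars = SessionData->LogonDomain.Length / sizeof(WCHAR);
            if (DomainChars > 255) {
                DomainChars = 255;    /* keep room for the NUL */
            }
            if (DomainChars != 0) {
                wmemcpy(Domain, SessionData->LogonDomain.Buffer, DomainChars);
            }
            /* Preserve the original NULL-vs-empty distinction for the domain. */
            LPCWSTR DomainArg = SessionData->LogonDomain.Buffer ? Domain : NULL;

            HANDLE UserToken = NULL;
            bRet = LogonUserW(UserName, DomainArg, NULL,
                              LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT,
                              &UserToken);
            if (bRet == TRUE) {
                CloseHandle(UserToken);
            } else if (GetLastError() == ERROR_ACCOUNT_RESTRICTION) {
                /* The original treats "account restriction" (the blank-password
                 * logon policy blocking the attempt) as a positive result. */
                bRet = TRUE;
            }
        }

        LsaFreeReturnBuffer(SessionData);
        SessionData = NULL;
    }

    LsaFreeReturnBuffer(SessionList);
    SessionList = NULL;
    getchar();
    return bRet;
}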
1.LsaGetLogonSessionData()
- Win7下,此段程序可以获取所有的SessionData
- Win10下,只能获取当前SessionData
- 以上结论错误,和系统版本无关,是因为UAC,能获取所有SessionData说明使用管理员权限启动进程,完整性标签为High;正常权限启动,完整性标签为Medium,拿不到其他SessionData信息返回拒绝访问。
2. LogonUser()
- Win7下,可以使用LOGON32_LOGON_NETWORK,进行空密码的试探登陆,类似于ipc$连接,如果密码确实为空则登陆成功
- Win10下,使用LOGON32_LOGON_NETWORK则依然会报ERROR_ACCOUNT_RESTRICTION错误,和使用高权限登陆(LOGON32_LOGON_INTERACTIVE)进行空密码登陆一样的错误