CSDN博客

img uuty

2月20 msdn中的ginA例子中的WlxLoggedOutSAS

发表于2005/2/20 14:22:00  3712人阅读

登陆的部分发生在WlxLoggedOutSAS
在msdn里的例子ginA例子里,WlxLoggedOutSAS中首先调用
 result = pWlxFuncs->WlxDialogBoxParam(  hGlobalWlx,
                                            hDllInstance,
                                            (LPTSTR) MAKEINTRESOURCE(IDD_LOGON_DIALOG),
                                            NULL,
                                            LogonDlgProc,
                                            (LPARAM) pGlobals );

生成一个登陆对话框,就是平时看到的那个,(LPARAM)pGlobAls 是从WlxLoggedOutSAS传递进来的,估计会吧登陆时输入的用户名和密码都放到里面,pGlobAls->pAccount.
然后调用列子中的函数
result = AttemptLogon(pGlobals, pGlobals->pAccount,
                                pLogonSid, pAuthenticationId);
进入后是
int
AttemptLogon(
    PGlobals        pGlobals,
    PMiniAccount    pAccount,
    PSID            pLogonSid,
    PLUID           pLogonId)
然后调用
LogonUser(  pAccount->pszUsername,
                    pAccount->pszDomain,
                    pAccount->pszPassword,
                    LOGON32_LOGON_INTERACTIVE,
                    LOGON32_PROVIDER_DEFAULT,
                    &hUser)
这个函数是AdvApi32.dll中的,hUser用来返回验证后得到的token,token 的类型是HANDLE,,很奇怪,在windows的文档上说调用的是LsALogonUser,只要得到或伪造这个token就可以了,,我想用个ring 0的程序来伪造这个token,
....后来看到在logonuser中调用L32pLogonUser,在里面Fill in the logon token group list,然后调用LsALogonUser
得到token后
 GetTokenInformation(hUser,
                            TokenStatistics,
                            &TStats,
                            sizeof(TStats),
                            &size);

        *pLogonId = TStats.AuthenticationId;
msdn:
AuthenticationId

Specifies an LUID assigned to the session this token represents. There can be many tokens representing a single logon session.

这个参数被传回,


//
        // The tricky part.  We need to get the Logon SID from the token,
        // since that is what Winlogon will use to protect the windowstation
        // and desktop.
        //
        GetTokenInformation(hUser,
                            TokenGroups,
                            pGroups,
                            1024,
                            &size);
        if (size > 1024)
        {
            pGroups = LocalReAlloc(pGroups, LMEM_FIXED, size);
            GetTokenInformation(hUser,
                                TokenGroups,
                                pGroups,
                                size,
                                &size);
        }
        for (i = 0; i < pGroups->GroupCount ; i++)
        {
            if ((pGroups->Groups[i].Attributes & SE_GROUP_LOGON_ID) == SE_GROUP_LOGON_ID)
            {
                CopySid(GetLengthSid(pLogonSid),
                        pLogonSid,
                        pGroups->Groups[i].Sid );
                break;
            }
        }
        LocalFree(pGroups);
这部分的目的是把每个所有组的SID都加到这个token的Access-control list entry,,不知道话该怎么说,,这几个结构还不了解
msdn:

The TOKEN_GROUPS structure contains information about the group SIDs in an access token.

An application can use the CopySid function to make a copy of a SID in an access token (in a TOKEN_GROUPS structure, for instance) to use in an access-control entry.


....未完

0 0

相关博文

我的热门文章

img
取 消
img