用C++修改本地安全策略
2008-04-03 17:54
148 查看
author:baicker
(更新:注意编译运行文中程序后留意administrator可能会变成active=no,undocument,undocument........哈哈)
要写个修改本地安全策略的工具,本以为修改注册表就行了,没想到还挺复杂,改策略,对应的注册表项会变,倒过来,改对应的注册表项,策略没变,郁闷
[HKEY_LOCAL_MACHINE/SAM/SAM/Domains/Account] |--------------------------------修改次数
"F"=hex:02,00,01,00,00,00,00,00,e0,7c,9e,21,1a,12,c6,01,43,00,00,00,00,00,00,/ 00 ~ 22
00,00,80,d2,16,47,b9,ff,ff,00,80,2c,ab,6d,fe,ff,ff,00,00,00,00,00,00,00,80,/ 23 ~ 47
00,cc,1d,cf,fb,ff,ff,ff,00,cc,1d,cf,fb,ff,ff,ff,00,00,00,00,00,00,00,00,f1,/ 48 ~ 72
03,00,00,00,00,00,00,02,00,18,00,00,00,00,00,01,00,00,00,03,00,00,00,01,00,/ 73 ~ 97
^^ ^
|| |
|| |__ 密码长度最小值
||
||__ 密码必须符合复杂性要求
(0为禁止)
|___ 用可还原的加密来存储密码第 76 80 位账号(15禁用,14启用)第 56 位比如第76位,
0的时候是"密码必须符合复杂性要求 - 禁用" & "用可还原的加密来存储密码 - 禁用"
14的时候"密码必须符合复杂性要求 - 禁用" & "用可还原的加密来存储密码 - 启用"有些比如密码长度,
锁定什么的用NetUserModalsSet的USER_MODALS_INFO_0和USER_MODALS_INFO_3结构可以搞定。
审核策略用LsaSetInformationPolicy也好搞定,都有现成的代码。账户策略->密码策略中的"密码必须符合复杂性要求"和"用可还原的加密来存储密码",还有安全选项中的内容,似乎没有公开文档没想到写个这个破工具还要用到未公开API函数,之前在网上查了下有没有相关代码或文档什么的,查了N天google和MSDN,有问的,没有答的,或者就是答非所问,没办法只能自己想办法了
之前使用apimonitor(N多此类工具,都不好用,这个也不咋样),在修改策略的时候获得了如下信息
API Name Return Value Module Name Time Start IsEntry API
Process: c:/windows/system32/mmc.exe(5052) , Thread:2976
SceGetServerProductType 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:38 True
SceGetServerProductType 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:38 True
SceGetServerProductType 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:38 True
SceGetServerProductType 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:38 True
SceGetServerProductType 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:38 True
SceGetServerProductType 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:38 True
SceOpenProfile 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:38 True
SceGetSecurityProfileInfo 6 (0x6) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:38 True
SceFreeMemory 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:38 True
SceGetSecurityProfileInfo 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:38 True
SceFreeMemory 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:38 True
SceGetServerProductType 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:11:34 True
SceGetServerProductType 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:11:34 True
SceGetServerProductType 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:11:34 True
SceRollbackTransaction 12 (0xC) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:11:55 True
SceCloseProfile 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:11:55 True
SceFreeProfileMemory 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:11:55 True
SceFreeProfileMemory 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:11:55 True
SceFreeProfileMemory 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:11:55 True
SceFreeProfileMemory 1 (0x1) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:11:55 True
Process: c:/windows/system32/mmc.exe(5052) , Thread:3928
SceOpenProfile 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:49 True
SceGetSecurityProfileInfo 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:49 True
SceCloseProfile 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:49 True
SceFreeMemory 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:49 True
SceFreeMemory 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:49 True
SceFreeMemory 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:56 True
SceUpdateSecurityProfile 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:56 True
Process: c:/windows/system32/mmc.exe(5052) , Thread:5472
SceFreeMemory 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:11:43 True
SceUpdateSecurityProfile 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:11:43 True郁闷的是before call和after call参数都没变,不知道是软件问题还是未注册的原因
请教了czy,帮忙逆向了一下,高手就是高手,没多久就给我一段asm代码解决了密码复杂度的策略
.386
.model stdcall,flat
option casemap:none
include /masm32/include/windows.inc
include /masm32/include/user32.inc
include /masm32/include/kernel32.inc
include /masm32/include/masm32.inc
include /masm32/include/shlwapi.inc
include /masm32/include/shell32.inc偏移10H如为0就是禁用,为1就是启用
.data?编译执行没问题,OK,改成C++的版本,老是提示内存不能写(内嵌汇编也不行),还请教了小榕,貌似变量定义的问题
使用OD动态跟踪,发现asm版本的生成exe后执行mydata变量是在.data可读写数据段里面,而C++的版本是在.rdata只读数据段里面,使用OD的时候修改数据测试可以成功,然后再修改C++代码
#include <stdio.h>
#include <windows.h>
char *sam2;
int main()
{
sam2 = new char[99];
char *sam =
"/x2e/x01/x00/x00/x0fe/x0ff/x0ff/x0ff"
"/x0fe/x0ff/x0ff/x0ff/x0fe/x0ff/x0ff/x0ff"
"/x00/x00/x00/x00/x0fe/x0ff/x0ff/x0ff"
"/x0fe/x0ff/x0ff/x0ff/x0fe/x0ff/x0ff/x0ff"
"/x0fe/x0ff/x0ff/x0ff/x0fe/x0ff/x0ff/x0ff"
"/xfe/x0ff/x0ff/x0ff/x00/x00/x00/x00";
memcpy(sam2, sam, 49);
HINSTANCE hInst;
hInst=LoadLibraryA("scecli.dll");
typedef BOOL (__stdcall *MYFUNC)(int, int, char*, int);
MYFUNC fun=NULL;
fun=(MYFUNC)GetProcAddress(hInst,"SceUpdateSecurityProfile");
int i = 4;
fun(NULL,TRUE,sam2,i);或者发 现如果SceUpdateSecurityProfile函数的第三个参数,后面如果有其它数据,会报错,要是后面大段/x00数据的话,就通过, undocument api只能这样了,估计第三个参数应该是个什么结构。在我的Windows2003 CN SP1上测试成功(执行后,会让本地策略“密码复杂度”那项变成禁用,还有其它一些策略如审核策略也会更改,应该是第三个参数的每个位对应着不同的策略, 安全选项中的似乎不会变),小榕的Windows2003 EN SP1上不能成功,估计是这个函数太底层了,应该有更高一层的函数先判断不同的操作系统版本,选择不同的参数,然后在调用 SceUpdateSecurityProfile函数。
还有安全选项里面的内容,估计是其它函数,有空我也softice一下。最后帖下关于变量定义后在内存什么地方的一段代码,不一定什么时候有用全局初始化区
char *p1; 全局未初始化区
main()
{
int b; 栈
char s[] = "abc"; 栈
char *p2;
栈
char *p3 = "123456"; 123456/0在常量区,p3在栈上。
static int c =0; 全局(静态)初始化区
p1 = (char *)malloc(10);
p2 = (char *)malloc(20);
分配得来得10和20字节的区域就在堆区。
strcpy(p1, "123456"); 123456/0放在常量区,编译器可能会将它与p3所指向的"123456"优化成一个地方。
}全局
char *str="/x20/x20/x20/x20/x20/x20/x20/x20";
str存在.data段,是一个指针,内容为一个地址(地址在.rdata区段),这个地址指向的内容为字符串全局
char str[]="/x20/x20/x20/x20/x20/x20/x20/x20";
str存在.data段,是一个指针,指针指向字符串
[HKEY_LOCAL_MACHINE/SAM/SAM/Domains/Account/Users/000001F5]
"F"=hex:02,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,/
00,80,c6,50,1f,2b,12,c6,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,/
f5,01,00,00,01,02,00,00,15,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,/
^
|____ Guest
Summary Information
API Name: SceOpenProfile
API Define: (Undefine API)
Time Start: 00:11:49.015
Duration: 0.000 ms
Module Name: C:/WINDOWS/system32/SCECLI.dll
Is Entry API: True
Process: C:/WINDOWS/system32/mmc.exe
Thread: 4152
Before Call Parameters
Pointer Paramter0: 29449864 (0x1C15E88)
Pointer Paramter1: 1 (0x1)
Pointer Paramter2: 23981584 (0x16DEE10)
Pointer Paramter3: (null)
Pointer Paramter4: 8629392 (0x83AC90)
Pointer Paramter5: (null)
After Call Parameters
Pointer Paramter0: 29449864 (0x1C15E88)
Pointer Paramter1: 1 (0x1)
Pointer Paramter2: 23981584 (0x16DEE10)
Pointer Paramter3: (null)
Pointer Paramter4: 8629392 (0x83AC90)
Pointer Paramter5: (null)
Return
0 (0x0)
Summary Information
API Name: SceGetSecurityProfileInfo
API Define: (Undefine API)
Time Start: 00:11:49.015
Duration: 0.001 ms
Module Name: C:/WINDOWS/system32/SCECLI.dll
Is Entry API: True
Process: C:/WINDOWS/system32/mmc.exe
Thread: 4152
Before Call Parameters
Pointer Paramter0: 688576 (0xA81C0)
Pointer Paramter1: 302 (0x12E)
Pointer Paramter2: 65535 (0xFFFF)
Pointer Paramter3: 8629480 (0x83ACE8)
Pointer Paramter4: 23981572 (0x16DEE04)
Pointer Paramter5: 2088955995 (0x7C82F05B)
After Call Parameters
Pointer Paramter0: 688576 (0xA81C0)
Pointer Paramter1: 302 (0x12E)
Pointer Paramter2: 65535 (0xFFFF)
Pointer Paramter3: 8629480 (0x83ACE8)
Pointer Paramter4: 23981572 (0x16DEE04)
Pointer Paramter5: 2088955995 (0x7C82F05B)
Return
0 (0x0)
GetLastError
Value:3758096642
Description:
Summary Information
API Name: SceCloseProfile
API Define: (Undefine API)
Time Start: 00:11:49.109
Duration: 0.000 ms
Module Name: C:/WINDOWS/system32/SCECLI.dll
Is Entry API: True
Process: C:/WINDOWS/system32/mmc.exe
Thread: 4152
Before Call Parameters
Pointer Paramter0: 23981584 (0x16DEE10)
Pointer Paramter1: 2088955995 (0x7C82F05B)
Pointer Paramter2: 8629392 (0x83AC90)
Pointer Paramter3: 8570560 (0x82C6C0)
Pointer Paramter4: 8629296 (0x83AC30)
Pointer Paramter5: 302124616 (0x12020E48)
After Call Parameters
Pointer Paramter0: 23981584 (0x16DEE10)
Pointer Paramter1: 2088955995 (0x7C82F05B)
Pointer Paramter2: 8629392 (0x83AC90)
Pointer Paramter3: 8570560 (0x82C6C0)
Pointer Paramter4: 8629296 (0x83AC30)
Pointer Paramter5: 302124616 (0x12020E48)
Return
0 (0x0)
Summary Information
API Name: SceAddToNameStatusList
API Define: (Undefine API)
Time Start: 00:11:49.109
Duration: 0.000 ms
Module Name: C:/WINDOWS/system32/SCECLI.dll
Is Entry API: True
Process: C:/WINDOWS/system32/mmc.exe
Thread: 4152
Before Call Parameters
Pointer Paramter0: 23981476 (0x16DEDA4)
Pointer Paramter1: 787520 (0xC0440)
Pointer Paramter2: 76 (0x4C)
Pointer Paramter3: 1 (0x1)
Pointer Paramter4: (null)
Pointer Paramter5: 8629392 (0x83AC90)
After Call Parameters
Pointer Paramter0: 23981476 (0x16DEDA4)
Pointer Paramter1: 787520 (0xC0440)
Pointer Paramter2: 76 (0x4C)
Pointer Paramter3: 1 (0x1)
Pointer Paramter4: (null)
Pointer Paramter5: 8629392 (0x83AC90)
Return
0 (0x0)
Summary Information
API Name: SceFreeMemory
API Define: (Undefine API)
Time Start: 00:11:49.109
Duration: 0.000 ms
Module Name: C:/WINDOWS/system32/SCECLI.dll
Is Entry API: True
Process: C:/WINDOWS/system32/mmc.exe
Thread: 4152
Before Call Parameters
Pointer Paramter0: 1514080 (0x171A60)
Pointer Paramter1: 311 (0x137)
Pointer Paramter2: (null)
Pointer Paramter3: 8629392 (0x83AC90)
Pointer Paramter4: (null)
Pointer Paramter5: 4 (0x4)
After Call Parameters
Pointer Paramter0: 1514080 (0x171A60)
Pointer Paramter1: 311 (0x137)
Pointer Paramter2: (null)
Pointer Paramter3: 8629392 (0x83AC90)
Pointer Paramter4: (null)
Pointer Paramter5: 4 (0x4)
Return
0 (0x0)
Summary Information
API Name: SceUpdateSecurityProfile
API Define: (Undefine API)
Time Start: 00:11:52.203
Duration: 0.000 ms
Module Name: C:/WINDOWS/system32/SCECLI.dll
Is Entry API: True
Process: C:/WINDOWS/system32/mmc.exe
Thread: 4152
Before Call Parameters
Pointer Paramter0: (null)
Pointer Paramter1: 1 (0x1)
Pointer Paramter2: 28866104 (0x1B87638)
Pointer Paramter3: 4 (0x4)
Pointer Paramter4: (null)
Pointer Paramter5: 8629056 (0x83AB40)
After Call Parameters
Pointer Paramter0: (null)
Pointer Paramter1: 1 (0x1)
Pointer Paramter2: 28866104 (0x1B87638)
Pointer Paramter3: 4 (0x4)
Pointer Paramter4: (null)
Pointer Paramter5: 8629056 (0x83AB40)
Return
0 (0x0)
includelib /masm32/lib/user32.lib
includelib /masm32/lib/kernel32.lib
includelib /masm32/lib/masm32.lib
includelib /masm32/lib/shlwapi.lib
includelib /masm32/lib/shell32.lib
.const
.data
nini db 'a',0
seclib db 'scecli.dll',0
myapi db 'SceUpdateSecurityProfile',0
mydata db 2eh,01h,00h,00h,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,00h,00h,00h,00h,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,00h,00h,00h,00h
;
.code
start:
invoke MessageBox,0,offset nini,offset nini,1
invoke LoadLibraryA,offset seclib
invoke GetProcAddress,eax,offset myapi
mov esi,eax
push 4
mov eax,offset mydata
push eax
xor edi,edi
inc edi
push edi
xor ebx,ebx
push ebx
call esi
invoke ExitProcess,0
end start
/* __asm
{
mov esi,fun
push 4
mov eax,sam2
push eax
xor edi,edi
inc edi
push edi
xor ebx,ebx
push ebx
call esi
}
*/
return 0;
}
#include <stdio.h>
#include <windows.h>
char sam[]=
"/x2e/x01/x00/x00/x0fe/x0ff/x0ff/x0ff"
"/x0fe/x0ff/x0ff/x0ff/x0fe/x0ff/x0ff/x0ff"
"/x10/x00/x00/x00/x0fe/x0ff/x0ff/x0ff"
"/x0fe/x0ff/x0ff/x0ff/x0fe/x0ff/x0ff/x0ff"
"/x0fe/x0ff/x0ff/x0ff/x0fe/x0ff/x0ff/x0ff"
"/xfe/x0ff/x0ff/x0ff/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00";
int main()
{
HINSTANCE hInst;
hInst=LoadLibraryA("scecli.dll");
typedef BOOL (__stdcall *MYFUNC)(int, int,char*, int);
MYFUNC fun=NULL;
fun=(MYFUNC)GetProcAddress(hInst,"SceUpdateSecurityProfile");
printf("sam=0x%08X/n",&sam);
printf("%s",sam);
fun(NULL,TRUE,sam,4);
/* __asm
{
mov esi,fun
push 4
mov eax,sam2
push eax
xor edi,edi
inc edi
push edi
xor ebx,ebx
push ebx
call esi
}
*/
return 0;
}
//main.cpp
int a = 0;
(更新:注意编译运行文中程序后留意administrator可能会变成active=no,undocument,undocument........哈哈)
要写个修改本地安全策略的工具,本以为修改注册表就行了,没想到还挺复杂,改策略,对应的注册表项会变,倒过来,改对应的注册表项,策略没变,郁闷
[HKEY_LOCAL_MACHINE/SAM/SAM/Domains/Account] |--------------------------------修改次数
"F"=hex:02,00,01,00,00,00,00,00,e0,7c,9e,21,1a,12,c6,01,43,00,00,00,00,00,00,/ 00 ~ 22
00,00,80,d2,16,47,b9,ff,ff,00,80,2c,ab,6d,fe,ff,ff,00,00,00,00,00,00,00,80,/ 23 ~ 47
00,cc,1d,cf,fb,ff,ff,ff,00,cc,1d,cf,fb,ff,ff,ff,00,00,00,00,00,00,00,00,f1,/ 48 ~ 72
03,00,00,00,00,00,00,02,00,18,00,00,00,00,00,01,00,00,00,03,00,00,00,01,00,/ 73 ~ 97
^^ ^
|| |
|| |__ 密码长度最小值
||
||__ 密码必须符合复杂性要求
(0为禁止)
|___ 用可还原的加密来存储密码第 76 80 位账号(15禁用,14启用)第 56 位比如第76位,
0的时候是"密码必须符合复杂性要求 - 禁用" & "用可还原的加密来存储密码 - 禁用"
14的时候"密码必须符合复杂性要求 - 禁用" & "用可还原的加密来存储密码 - 启用"有些比如密码长度,
锁定什么的用NetUserModalsSet的USER_MODALS_INFO_0和USER_MODALS_INFO_3结构可以搞定。
审核策略用LsaSetInformationPolicy也好搞定,都有现成的代码。账户策略->密码策略中的"密码必须符合复杂性要求"和"用可还原的加密来存储密码",还有安全选项中的内容,似乎没有公开文档没想到写个这个破工具还要用到未公开API函数,之前在网上查了下有没有相关代码或文档什么的,查了N天google和MSDN,有问的,没有答的,或者就是答非所问,没办法只能自己想办法了
之前使用apimonitor(N多此类工具,都不好用,这个也不咋样),在修改策略的时候获得了如下信息
API Name Return Value Module Name Time Start IsEntry API
Process: c:/windows/system32/mmc.exe(5052) , Thread:2976
SceGetServerProductType 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:38 True
SceGetServerProductType 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:38 True
SceGetServerProductType 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:38 True
SceGetServerProductType 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:38 True
SceGetServerProductType 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:38 True
SceGetServerProductType 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:38 True
SceOpenProfile 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:38 True
SceGetSecurityProfileInfo 6 (0x6) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:38 True
SceFreeMemory 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:38 True
SceGetSecurityProfileInfo 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:38 True
SceFreeMemory 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:38 True
SceGetServerProductType 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:11:34 True
SceGetServerProductType 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:11:34 True
SceGetServerProductType 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:11:34 True
SceRollbackTransaction 12 (0xC) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:11:55 True
SceCloseProfile 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:11:55 True
SceFreeProfileMemory 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:11:55 True
SceFreeProfileMemory 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:11:55 True
SceFreeProfileMemory 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:11:55 True
SceFreeProfileMemory 1 (0x1) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:11:55 True
Process: c:/windows/system32/mmc.exe(5052) , Thread:3928
SceOpenProfile 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:49 True
SceGetSecurityProfileInfo 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:49 True
SceCloseProfile 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:49 True
SceFreeMemory 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:49 True
SceFreeMemory 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:49 True
SceFreeMemory 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:56 True
SceUpdateSecurityProfile 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:10:56 True
Process: c:/windows/system32/mmc.exe(5052) , Thread:5472
SceFreeMemory 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:11:43 True
SceUpdateSecurityProfile 0 (0x0) C:/WINDOWS/system32/SCECLI.dll 2008-1-27 23:11:43 True郁闷的是before call和after call参数都没变,不知道是软件问题还是未注册的原因
请教了czy,帮忙逆向了一下,高手就是高手,没多久就给我一段asm代码解决了密码复杂度的策略
.386
.model stdcall,flat
option casemap:none
include /masm32/include/windows.inc
include /masm32/include/user32.inc
include /masm32/include/kernel32.inc
include /masm32/include/masm32.inc
include /masm32/include/shlwapi.inc
include /masm32/include/shell32.inc偏移10H如为0就是禁用,为1就是启用
.data?编译执行没问题,OK,改成C++的版本,老是提示内存不能写(内嵌汇编也不行),还请教了小榕,貌似变量定义的问题
使用OD动态跟踪,发现asm版本的生成exe后执行mydata变量是在.data可读写数据段里面,而C++的版本是在.rdata只读数据段里面,使用OD的时候修改数据测试可以成功,然后再修改C++代码
#include <stdio.h>
#include <windows.h>
char *sam2;
int main()
{
sam2 = new char[99];
char *sam =
"/x2e/x01/x00/x00/x0fe/x0ff/x0ff/x0ff"
"/x0fe/x0ff/x0ff/x0ff/x0fe/x0ff/x0ff/x0ff"
"/x00/x00/x00/x00/x0fe/x0ff/x0ff/x0ff"
"/x0fe/x0ff/x0ff/x0ff/x0fe/x0ff/x0ff/x0ff"
"/x0fe/x0ff/x0ff/x0ff/x0fe/x0ff/x0ff/x0ff"
"/xfe/x0ff/x0ff/x0ff/x00/x00/x00/x00";
memcpy(sam2, sam, 49);
HINSTANCE hInst;
hInst=LoadLibraryA("scecli.dll");
typedef BOOL (__stdcall *MYFUNC)(int, int, char*, int);
MYFUNC fun=NULL;
fun=(MYFUNC)GetProcAddress(hInst,"SceUpdateSecurityProfile");
int i = 4;
fun(NULL,TRUE,sam2,i);或者发 现如果SceUpdateSecurityProfile函数的第三个参数,后面如果有其它数据,会报错,要是后面大段/x00数据的话,就通过, undocument api只能这样了,估计第三个参数应该是个什么结构。在我的Windows2003 CN SP1上测试成功(执行后,会让本地策略“密码复杂度”那项变成禁用,还有其它一些策略如审核策略也会更改,应该是第三个参数的每个位对应着不同的策略, 安全选项中的似乎不会变),小榕的Windows2003 EN SP1上不能成功,估计是这个函数太底层了,应该有更高一层的函数先判断不同的操作系统版本,选择不同的参数,然后在调用 SceUpdateSecurityProfile函数。
还有安全选项里面的内容,估计是其它函数,有空我也softice一下。最后帖下关于变量定义后在内存什么地方的一段代码,不一定什么时候有用全局初始化区
char *p1; 全局未初始化区
main()
{
int b; 栈
char s[] = "abc"; 栈
char *p2;
栈
char *p3 = "123456"; 123456/0在常量区,p3在栈上。
static int c =0; 全局(静态)初始化区
p1 = (char *)malloc(10);
p2 = (char *)malloc(20);
分配得来得10和20字节的区域就在堆区。
strcpy(p1, "123456"); 123456/0放在常量区,编译器可能会将它与p3所指向的"123456"优化成一个地方。
}全局
char *str="/x20/x20/x20/x20/x20/x20/x20/x20";
str存在.data段,是一个指针,内容为一个地址(地址在.rdata区段),这个地址指向的内容为字符串全局
char str[]="/x20/x20/x20/x20/x20/x20/x20/x20";
str存在.data段,是一个指针,指针指向字符串
[HKEY_LOCAL_MACHINE/SAM/SAM/Domains/Account/Users/000001F5]
"F"=hex:02,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,/
00,80,c6,50,1f,2b,12,c6,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,/
f5,01,00,00,01,02,00,00,15,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,/
^
|____ Guest
Summary Information
API Name: SceOpenProfile
API Define: (Undefine API)
Time Start: 00:11:49.015
Duration: 0.000 ms
Module Name: C:/WINDOWS/system32/SCECLI.dll
Is Entry API: True
Process: C:/WINDOWS/system32/mmc.exe
Thread: 4152
Before Call Parameters
Pointer Paramter0: 29449864 (0x1C15E88)
Pointer Paramter1: 1 (0x1)
Pointer Paramter2: 23981584 (0x16DEE10)
Pointer Paramter3: (null)
Pointer Paramter4: 8629392 (0x83AC90)
Pointer Paramter5: (null)
After Call Parameters
Pointer Paramter0: 29449864 (0x1C15E88)
Pointer Paramter1: 1 (0x1)
Pointer Paramter2: 23981584 (0x16DEE10)
Pointer Paramter3: (null)
Pointer Paramter4: 8629392 (0x83AC90)
Pointer Paramter5: (null)
Return
0 (0x0)
Summary Information
API Name: SceGetSecurityProfileInfo
API Define: (Undefine API)
Time Start: 00:11:49.015
Duration: 0.001 ms
Module Name: C:/WINDOWS/system32/SCECLI.dll
Is Entry API: True
Process: C:/WINDOWS/system32/mmc.exe
Thread: 4152
Before Call Parameters
Pointer Paramter0: 688576 (0xA81C0)
Pointer Paramter1: 302 (0x12E)
Pointer Paramter2: 65535 (0xFFFF)
Pointer Paramter3: 8629480 (0x83ACE8)
Pointer Paramter4: 23981572 (0x16DEE04)
Pointer Paramter5: 2088955995 (0x7C82F05B)
After Call Parameters
Pointer Paramter0: 688576 (0xA81C0)
Pointer Paramter1: 302 (0x12E)
Pointer Paramter2: 65535 (0xFFFF)
Pointer Paramter3: 8629480 (0x83ACE8)
Pointer Paramter4: 23981572 (0x16DEE04)
Pointer Paramter5: 2088955995 (0x7C82F05B)
Return
0 (0x0)
GetLastError
Value:3758096642
Description:
Summary Information
API Name: SceCloseProfile
API Define: (Undefine API)
Time Start: 00:11:49.109
Duration: 0.000 ms
Module Name: C:/WINDOWS/system32/SCECLI.dll
Is Entry API: True
Process: C:/WINDOWS/system32/mmc.exe
Thread: 4152
Before Call Parameters
Pointer Paramter0: 23981584 (0x16DEE10)
Pointer Paramter1: 2088955995 (0x7C82F05B)
Pointer Paramter2: 8629392 (0x83AC90)
Pointer Paramter3: 8570560 (0x82C6C0)
Pointer Paramter4: 8629296 (0x83AC30)
Pointer Paramter5: 302124616 (0x12020E48)
After Call Parameters
Pointer Paramter0: 23981584 (0x16DEE10)
Pointer Paramter1: 2088955995 (0x7C82F05B)
Pointer Paramter2: 8629392 (0x83AC90)
Pointer Paramter3: 8570560 (0x82C6C0)
Pointer Paramter4: 8629296 (0x83AC30)
Pointer Paramter5: 302124616 (0x12020E48)
Return
0 (0x0)
Summary Information
API Name: SceAddToNameStatusList
API Define: (Undefine API)
Time Start: 00:11:49.109
Duration: 0.000 ms
Module Name: C:/WINDOWS/system32/SCECLI.dll
Is Entry API: True
Process: C:/WINDOWS/system32/mmc.exe
Thread: 4152
Before Call Parameters
Pointer Paramter0: 23981476 (0x16DEDA4)
Pointer Paramter1: 787520 (0xC0440)
Pointer Paramter2: 76 (0x4C)
Pointer Paramter3: 1 (0x1)
Pointer Paramter4: (null)
Pointer Paramter5: 8629392 (0x83AC90)
After Call Parameters
Pointer Paramter0: 23981476 (0x16DEDA4)
Pointer Paramter1: 787520 (0xC0440)
Pointer Paramter2: 76 (0x4C)
Pointer Paramter3: 1 (0x1)
Pointer Paramter4: (null)
Pointer Paramter5: 8629392 (0x83AC90)
Return
0 (0x0)
Summary Information
API Name: SceFreeMemory
API Define: (Undefine API)
Time Start: 00:11:49.109
Duration: 0.000 ms
Module Name: C:/WINDOWS/system32/SCECLI.dll
Is Entry API: True
Process: C:/WINDOWS/system32/mmc.exe
Thread: 4152
Before Call Parameters
Pointer Paramter0: 1514080 (0x171A60)
Pointer Paramter1: 311 (0x137)
Pointer Paramter2: (null)
Pointer Paramter3: 8629392 (0x83AC90)
Pointer Paramter4: (null)
Pointer Paramter5: 4 (0x4)
After Call Parameters
Pointer Paramter0: 1514080 (0x171A60)
Pointer Paramter1: 311 (0x137)
Pointer Paramter2: (null)
Pointer Paramter3: 8629392 (0x83AC90)
Pointer Paramter4: (null)
Pointer Paramter5: 4 (0x4)
Return
0 (0x0)
Summary Information
API Name: SceUpdateSecurityProfile
API Define: (Undefine API)
Time Start: 00:11:52.203
Duration: 0.000 ms
Module Name: C:/WINDOWS/system32/SCECLI.dll
Is Entry API: True
Process: C:/WINDOWS/system32/mmc.exe
Thread: 4152
Before Call Parameters
Pointer Paramter0: (null)
Pointer Paramter1: 1 (0x1)
Pointer Paramter2: 28866104 (0x1B87638)
Pointer Paramter3: 4 (0x4)
Pointer Paramter4: (null)
Pointer Paramter5: 8629056 (0x83AB40)
After Call Parameters
Pointer Paramter0: (null)
Pointer Paramter1: 1 (0x1)
Pointer Paramter2: 28866104 (0x1B87638)
Pointer Paramter3: 4 (0x4)
Pointer Paramter4: (null)
Pointer Paramter5: 8629056 (0x83AB40)
Return
0 (0x0)
includelib /masm32/lib/user32.lib
includelib /masm32/lib/kernel32.lib
includelib /masm32/lib/masm32.lib
includelib /masm32/lib/shlwapi.lib
includelib /masm32/lib/shell32.lib
.const
.data
nini db 'a',0
seclib db 'scecli.dll',0
myapi db 'SceUpdateSecurityProfile',0
mydata db 2eh,01h,00h,00h,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,00h,00h,00h,00h,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,00h,00h,00h,00h
;
.code
start:
invoke MessageBox,0,offset nini,offset nini,1
invoke LoadLibraryA,offset seclib
invoke GetProcAddress,eax,offset myapi
mov esi,eax
push 4
mov eax,offset mydata
push eax
xor edi,edi
inc edi
push edi
xor ebx,ebx
push ebx
call esi
invoke ExitProcess,0
end start
/* __asm
{
mov esi,fun
push 4
mov eax,sam2
push eax
xor edi,edi
inc edi
push edi
xor ebx,ebx
push ebx
call esi
}
*/
return 0;
}
#include <stdio.h>
#include <windows.h>
char sam[]=
"/x2e/x01/x00/x00/x0fe/x0ff/x0ff/x0ff"
"/x0fe/x0ff/x0ff/x0ff/x0fe/x0ff/x0ff/x0ff"
"/x10/x00/x00/x00/x0fe/x0ff/x0ff/x0ff"
"/x0fe/x0ff/x0ff/x0ff/x0fe/x0ff/x0ff/x0ff"
"/x0fe/x0ff/x0ff/x0ff/x0fe/x0ff/x0ff/x0ff"
"/xfe/x0ff/x0ff/x0ff/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00";
int main()
{
HINSTANCE hInst;
hInst=LoadLibraryA("scecli.dll");
typedef BOOL (__stdcall *MYFUNC)(int, int,char*, int);
MYFUNC fun=NULL;
fun=(MYFUNC)GetProcAddress(hInst,"SceUpdateSecurityProfile");
printf("sam=0x%08X/n",&sam);
printf("%s",sam);
fun(NULL,TRUE,sam,4);
/* __asm
{
mov esi,fun
push 4
mov eax,sam2
push eax
xor edi,edi
inc edi
push edi
xor ebx,ebx
push ebx
call esi
}
*/
return 0;
}
//main.cpp
int a = 0;
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- C++中的auto_ptr (修改版本)
- VS2008中自定义C++工程模板与修改新建文件默认编码的办法
- C++如何修改SDI程序的默认背景颜色
- ubuntu9.10使用第一天(教育网直通车+源修改+C++编译环境搭建+输入法安装)
- Caffemodel之C++修改参数
- C++中出现“IntelliSense: 表达式必须是可修改的左值”的Bug解决
- c++修改文件某行内容
- C++ 虚函数 修改虚表
- C#中可以消除常见且浪费时间的C和C++错误的修改
- C++ VS2013 修改金钱 二
- C++ 修改文件名
- C++中MFC DLL 按条件查询mysql数据并修改
- C++如何修改SDI程序的默认背景颜色
- c/c++向函数传递指针并修改其指向的问题
- C++ "multiple definition of .. first defined here 错误的修改
- Linux下修改Matlab配置文件支持C++ 11标准以生成mex
- 修改Visual Assist中的方法注释样式;Eclipse中使用doxygen注释C++方法
- 修改的C++版Opengl艺术画实现
- 与lwj问答之 C++中如何修改const变量
- C++实现双向链表的创建,插入,修改,删除