
Which Windows API is called when the user changes the password? What is a good way to hook this API?

I want to know when the user tries to change his password, and even hook this function.

I know there is the GINA option, and that it was replaced from Vista on by ICredentialProvider. But in these two, I didn't find a specific API that will be called anyway, or one function for every method, that will be called when the user changes his password. I am thinking of implementing a DLL proxy for the specific API (after I find it). Is there any better way to implement this hook, to catch the user's password change and modify it?

In addition, in my research I found the function ChangeAccountPassword.

And also a reference to the SpInitialize function with a maybe relevant parameter:

typedef struct SECPKG_FUNCTION_TABLE {
...
SpSetExtendedInformationFn       *SpChangeAccountPasswordFn;
...
};

Any advice?

Thanks

Yes, SpChangeAccountPasswordFn is really called in LSASS.EXE. This routine usually calls

NTSTATUS
NTAPI
SamChangePasswordUser2(IN PUNICODE_STRING ServerName,
                       IN PUNICODE_STRING UserName,
                       IN PUNICODE_STRING OldPassword,
                       IN PUNICODE_STRING NewPassword);

from samlib.dll (this is an exported function). But the most common and interesting point to hook:

BOOLEAN NTAPI LsaINotifyPasswordChanged(
  IN PVOID OPTIONAL, 
  IN PUNICODE_STRING ServerName,
  IN PUNICODE_STRING UserName,
  PVOID OPTIONAL,
  PVOID OPTIONAL,
  IN PUNICODE_STRING OldPassword,
  IN PUNICODE_STRING NewPassword);

This function is exported from lsasrv.dll and is usually called from SpChangeAccountPasswordFn. It is present from XP up to the latest Win10, but the signature in XP is different from the one in later versions (1 param shifted to 7 place).
