these are standard smbclient-related and/or rpcclient-related functions.
NetUserGetInfo grabs the information from a NET_USER_INFO_3 structure
which is "cached" from the MSV1_0.DLL access token for example (it's a
really long story).
NetShareEnum() is a LANMAN function, whoopeee what fun.
in nt, there are _stacks_ of functions that tie pretty much
directly into samba source code.
l.
--
http://lkcl.net
oh maaan, that's really sad: i know what the stuff in subauth.h is all
about, aaaaagh!
it is incredibly similar to the MSRPC "NETLOGON" stuff that's
implemented in cli_nt_login_interactive, cli_nt_login_network
and cli_nt_login_generic in rpc_client/cli_login.c
joy.
l.
lots of people appear to have done quite thorough amounts of digging
into MSV1_0.DLL due to it being the key to security attacks and stuff
e.g. http://www.security-protocols.com/whitepapers/NT/NTcred.txt
the two that i have read so far describe how WINLOGON.EXE is a
"user" of the LSASS system by doing a LsaLookupAuthenticationPackage
call, in order to obtain, presumably, the vector-table which MSV1_0.DLL
registers with the LSASS, and then once that vector-table is obtained,
they then go on to describe how MSV1_0.DLL may be attacked, by
describing in detail the data structures in it.
how very convenient for actually implementing one :)
l.
hi,
thought people might want to know: rpcclient.exe already was confirmed
as working (by elrond); i just successfully compiled and tested
smbclient, and that works too.
rpcclient.exe produces a _beautiful_ blue screen, i fell about when i
saw this.
elrond has a patch for smbd which removes fork() and i want
to try this out and also make the msrpc services do the same
thing, that will be fuuun. the sooner someone gets freedce
to compile on mingw32 the damn better is all i can say there.
i found some example code that uses NamedPipes; i intend to add that in
at both the client side and the server side and see what breaks. oo,
that will be fun; i've never done nt named pipes programming before.
l.
regarding your offer to help with LSASS.... GREAT!
because, coincidentally, this is exactly one of the areas required
to tie in MSV1_0.DLL, which will be a registerer with the LSASS,
and MSV1_0.DLL is where all the nt authentication stuff happens.
great, great.
okay, here's something i found which describes the process, it looks
pretty damn good:
http://www.coresecurity.com/common/showdoc.php?idx=87&idxseccion=11
now, here's the bit that you _don't_ have to do: you do NOT have to do
_any_ of the bits _behind_ "access the sam database".
all of that is already written for you - in samba tng.
i've had a _brief_ look at the implementation of lsass in reactos, and i
believe it to be pretty good.
it's just that there are no "registerers" e.g. there is no
implementation of MSV1_0.DLL.
l.
Someone sent me this a while back, but I lost it.
Basically I believe it was from a MS DDK, and it contained code for
MMDRV.DLL and SNDBLST.SYS. At the time I was feeling lazy and just
clumsily hacked in whatever I felt like, without any order to what I was
doing.
I want to have another stab at it, by reviewing the existing code,
documenting it for my own understanding, and then writing my own solution.
So if someone could send me those files, I'd appreciate it!
-Andrew
PS: The files in question were NOT obtained from the leaked Windows
source code.