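/* $Id: sspap3.cpp,v 1.1.1.1 2005/07/07 15:05:59 oflebbe Exp $

   Copyright (C) 2003 Olaf Flebbe, Science and Computing AG
   o.flebbe@science-computing.de

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/

// Security package wrapper: every exported Sp* entry point forwards to the
// export of the same name in kerberos.dll, and the my* functions are
// pass-through hooks that SpLsaModeInitialize installs into the function
// table returned by the wrapped package.
//
// NOTE(review): this code runs on the logon path, so an unhandled fault here
// affects every logon on the machine. All logging is therefore best effort
// and no raw authentication data is written to disk.

#define UNICODE
#define SECURITY_WIN32
#define WIN32_LEAN_AND_MEAN

// NOTE(review): the header names of the <...> includes below are missing
// from this listing; restore them from the original file before building.
#include
#include
#include
#include
#include
//#include
#include
//#include
#include
#include
#include
#include "reg.h"

// Handle of the wrapped kerberos.dll. Loaded on first use, never freed.
HMODULE msvHandle = 0;

#include "manageUser.h"

extern "C" {

// Status returned when kerberos.dll or one of its exports cannot be
// resolved. The numeric value is that of STATUS_ENTRYPOINT_NOT_FOUND; it is
// spelled out because the status header in use is not visible here.
static const NTSTATUS forwardTargetMissing = (NTSTATUS) 0xC0000139L;

// Resolves an export of the wrapped kerberos.dll, loading the DLL on first
// use. Returns 0 when the DLL or the export is unavailable, so callers can
// fail the call instead of jumping through a null pointer.
//
// NOTE(review): the DLL is requested by bare name, so the result depends on
// the loader's search order; consider passing the full system-directory path.
static FARPROC
lookupKerberosExport( const char *name)
{
  if (!msvHandle)
    msvHandle = LoadLibrary( L"kerberos.dll");
  if (!msvHandle)
    return 0;
  return GetProcAddress( msvHandle, name);
}

// Forwards user-mode initialization to kerberos.dll unchanged.
NTSTATUS SEC_ENTRY
SpUserModeInitialize( ULONG LsaVersion,
                      PULONG PackageVersion,
                      PSECPKG_USER_FUNCTION_TABLE* ppTables,
                      PULONG pcTables )
{
  SpUserModeInitializeFn next =
    (SpUserModeInitializeFn) lookupKerberosExport( "SpUserModeInitialize");
  if (!next)
    return forwardTargetMissing;
  return (*next)( LsaVersion, PackageVersion, ppTables, pcTables);
}

SpInitializeFn *oldSpInitialize = 0;

// SpInitialize is special, it should be both exported
// and be referenced in the SpLsaModeInitialize Call
//
// Uses the Initialize pointer saved by SpLsaModeInitialize when there is
// one, otherwise the SpInitialize export of kerberos.dll.
NTSTATUS SEC_ENTRY
SpInitialize( ULONG_PTR PackageId,
              PSECPKG_PARAMETERS Parameters,
              PLSA_SECPKG_FUNCTION_TABLE FunctionTable)
{
  SpInitializeFn *next = oldSpInitialize;
  if (next == 0)
    next = (SpInitializeFn *) lookupKerberosExport( "SpInitialize");
  if (next == 0)
    return forwardTargetMissing;
  return (*next)( PackageId, Parameters, FunctionTable);
}

// Todo: Should be wrapped too
// Forwards instance initialization to kerberos.dll unchanged.
NTSTATUS SEC_ENTRY
SpInstanceInit( ULONG Version,
                PSECPKG_DLL_FUNCTIONS FunctionTable,
                PVOID* UserFunctions )
{
  SpInstanceInitFn *next =
    (SpInstanceInitFn *) lookupKerberosExport( "SpInstanceInit");
  if (next == 0)
    return forwardTargetMissing;
  return (*next)( Version, FunctionTable, UserFunctions);
}

PLSA_AP_LOGON_USER_EX2 oldLogonUserEx2 = 0;

// Copies a UNICODE_STRING embedded in the submitted logon buffer into a
// zero-terminated, calloc'ed wide string that the caller must free().
//
// str->Buffer is an address in the client's address space; it is rebased
// onto the local copy of the buffer by subtracting clientBase. Returns 0
// when the string does not lie completely inside the bufferLength bytes at
// localBuffer, or when the allocation fails.
static LPWSTR
copyEmbeddedString( PUNICODE_STRING str,
                    PVOID localBuffer,
                    PVOID clientBase,
                    ULONG bufferLength)
{
  // A Buffer below clientBase wraps to a huge offset and is rejected too.
  ULONG_PTR offset = (ULONG_PTR) str->Buffer - (ULONG_PTR) clientBase;
  if (offset > bufferLength || str->Length > bufferLength - offset)
    return 0;

  // Two extra zero bytes from calloc keep the copy terminated.
  LPWSTR copy = (LPWSTR) calloc( str->Length + 2, 1);
  if (copy)
    wcsncpy( copy, (wchar_t *) ((char *) localBuffer + offset),
             str->Length / 2);
  return copy;
}

// Hook for the wrapped package's LogonUserEx2.
//
// For an interactive Kerberos logon whose logon domain is listed as a
// subkey of ...\Lsa\Kerberos\Domains, manageLocalAccount() is called for
// the user name before the request is handed to the original LogonUserEx2.
// All parameters are passed through untouched and the original status is
// returned.
//
// The submitted authentication buffer is never written to the log: for an
// interactive logon it carries the credentials the user typed. The lengths
// and offsets inside it come from the client and are validated before use.
//
// NOTE(review): the log is created in the drive root, whose ACL this code
// does not control; a directory writable only by the system would be safer.
NTSTATUS NTAPI
myLogonUserEx2( PLSA_CLIENT_REQUEST ClientRequest,
                SECURITY_LOGON_TYPE LogonType,
                PVOID AuthenticationInformation,
                PVOID ClientAuthenticationBase,
                ULONG AuthenticationInformationLength,
                PVOID* ProfileBuffer,
                PULONG ProfileBufferLength,
                PLUID LogonId,
                PNTSTATUS SubStatus,
                PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
                PVOID* TokenInformation,
                PUNICODE_STRING* AccountName,
                PUNICODE_STRING* AuthenticatingAuthority,
                PUNICODE_STRING* MachineName,
                PSECPKG_PRIMARY_CRED PrimaryCredentials,
                PSECPKG_SUPPLEMENTAL_CRED_ARRAY* SupplementalCredentials )
{
  // Logging is best effort: a log that cannot be opened must not take the
  // logon path down.
  FILE *fp = fopen("C:\\lsa.txt", "ab");
  if (fp) {
    fprintf( fp, "LogonUserEx2 %d\n", LogonType);
    fprintf( fp, "%lu bytes of authentication data (not logged)",
             (unsigned long) AuthenticationInformationLength);
    fprintf( fp, "\n----\n");
    fflush( fp);
  }

  KERB_INTERACTIVE_LOGON *ptr =
    (KERB_INTERACTIVE_LOGON *) AuthenticationInformation;

  // LogonType 2 is Interactive. The structure is only read once the buffer
  // is known to be large enough to hold it.
  // manageLocalAccount() receives the log stream and its handling of a null
  // stream is not visible here, so it is only reached with an open log.
  // TODO: confirm, and decouple account management from logging.
  if (fp && ptr
      && LogonType == 2
      && AuthenticationInformationLength >= sizeof(KERB_INTERACTIVE_LOGON)
      && ptr->MessageType == KerbInteractiveLogon) {
    LPWSTR userName = copyEmbeddedString( &ptr->UserName, ptr,
                                          ClientAuthenticationBase,
                                          AuthenticationInformationLength);
    LPWSTR domain = copyEmbeddedString( &ptr->LogonDomainName, ptr,
                                        ClientAuthenticationBase,
                                        AuthenticationInformationLength);

    if (userName && domain) {
      Registry kerbReg( L"System\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Domains");
      // NOTE(review): the element type of this list looks stripped from the
      // listing, like the include names above; restore it from the original.
      std::list realms = kerbReg.getSubKeys();
      mystring strDomain( domain);

      // if logon domain is a kerberos realm, create and delete users and
      // groups according to LDAP entries
      // NOTE(review): a C++ exception thrown in this scope would leave an
      // extern "C" callback; confirm Registry and manageLocalAccount
      // cannot throw.
      if ( std::find( realms.begin(), realms.end(), strDomain) != realms.end())
        manageLocalAccount( userName, fp);
    }

    free( userName);   // free(0) is a no-op
    free( domain);
  }

  if (fp)
    fflush( fp);

  NTSTATUS status = (*oldLogonUserEx2)( ClientRequest,
                                        LogonType,
                                        AuthenticationInformation,
                                        ClientAuthenticationBase,
                                        AuthenticationInformationLength,
                                        ProfileBuffer,
                                        ProfileBufferLength,
                                        LogonId,
                                        SubStatus,
                                        TokenInformationType,
                                        TokenInformation,
                                        AccountName,
                                        AuthenticatingAuthority,
                                        MachineName,
                                        PrimaryCredentials,
                                        SupplementalCredentials);

  if (fp) {
    fprintf( fp, "LogonUserEx2 %x Fertig\n", status);
    fclose( fp);
  }
  return status;
}

PLSA_AP_CALL_PACKAGE oldCallPackage = 0;

// Hook for CallPackage: records that the call happened, then forwards it
// unchanged to the original handler.
// NOTE(review): declared without NTAPI, unlike myLogonUserEx2; confirm the
// build's default calling convention matches the table's pointer type.
NTSTATUS
myCallPackage( PLSA_CLIENT_REQUEST ClientRequest,
               PVOID ProtocolSubmitBuffer,
               PVOID ClientBufferBase,
               ULONG SubmitBufferLength,
               PVOID* ProtocolReturnBuffer,
               PULONG ReturnBufferLength,
               PNTSTATUS ProtocolStatus )
{
  FILE *fp = fopen("C:\\lsa.txt", "a");
  if (fp) {
    fprintf( fp, "LsaApCallPackage\n");
    fclose( fp);
  }

  return (*oldCallPackage)( ClientRequest,
                            ProtocolSubmitBuffer,
                            ClientBufferBase,
                            SubmitBufferLength,
                            ProtocolReturnBuffer,
                            ReturnBufferLength,
                            ProtocolStatus);
}

PLSA_AP_CALL_PACKAGE_PASSTHROUGH oldCallPackagePassthrough = 0;

// Hook for CallPackagePassthrough: records that the call happened, then
// forwards it unchanged to the original handler.
NTSTATUS
myCallPackagePassthrough( PLSA_CLIENT_REQUEST ClientRequest,
                          PVOID ProtocolSubmitBuffer,
                          PVOID ClientBufferBase,
                          ULONG SubmitBufferLength,
                          PVOID* ProtocolReturnBuffer,
                          PULONG ReturnBufferLength,
                          PNTSTATUS ProtocolStatus )
{
  FILE *fp = fopen("C:\\lsa.txt", "a");
  if (fp) {
    fprintf( fp, "LsaApCallPackagePassThrough\n");
    fclose( fp);
  }

  return (*oldCallPackagePassthrough)( ClientRequest,
                                       ProtocolSubmitBuffer,
                                       ClientBufferBase,
                                       SubmitBufferLength,
                                       ProtocolReturnBuffer,
                                       ReturnBufferLength,
                                       ProtocolStatus);
}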
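PLSA_AP_CALL_PACKAGE_PASSTHROUGH oldCallPackageUntrusted = 0;

// Hook for CallPackageUntrusted: records that the call happened, then
// forwards it unchanged to the original handler.
NTSTATUS
myCallPackageUntrusted( PLSA_CLIENT_REQUEST ClientRequest,
                        PVOID ProtocolSubmitBuffer,
                        PVOID ClientBufferBase,
                        ULONG SubmitBufferLength,
                        PVOID* ProtocolReturnBuffer,
                        PULONG ReturnBufferLength,
                        PNTSTATUS ProtocolStatus )
{
  // Logging is best effort: a log that cannot be opened must not fault the
  // caller, so the stream is checked before it is used.
  FILE *fp = fopen("C:\\lsa.txt", "a");
  if (fp) {
    fprintf( fp, "LsaApCallPackagePassUntrusted\n");
    fclose( fp);
  }

  return (*oldCallPackageUntrusted)( ClientRequest,
                                     ProtocolSubmitBuffer,
                                     ClientBufferBase,
                                     SubmitBufferLength,
                                     ProtocolReturnBuffer,
                                     ReturnBufferLength,
                                     ProtocolStatus);
}

// LSA-mode entry point of the wrapper package.
//
// Calls SpLsaModeInitialize in kerberos.dll and, when that succeeds, saves
// the LogonUserEx2, CallPackage, CallPackagePassthrough, CallPackageUntrusted
// and Initialize pointers of the returned function table and replaces them
// with the wrappers in this file. The status of the wrapped call is returned.
//
// The table is only touched after the wrapped call reported success and
// returned a table; a failure to load kerberos.dll or to find the export is
// reported to the caller instead of being called through a null pointer.
//
// NOTE(review): the DLL is requested by bare name, so the result depends on
// the loader's search order; consider passing the full system-directory path.
// NOTE(review): only the first table is patched; *pcTables may report more
// than one. Confirm that a single table is all the wrapped package returns.
NTSTATUS NTAPI
SpLsaModeInitialize( ULONG LsaVersion,
                     PULONG PackageVersion,
                     PSECPKG_FUNCTION_TABLE* ppTables,
                     PULONG pcTables )
{
  if (!msvHandle)
    msvHandle = LoadLibrary(L"kerberos.dll");
  if (!msvHandle)
    return (NTSTATUS) 0xC0000135L;   // value of STATUS_DLL_NOT_FOUND

  SpLsaModeInitializeFn next =
    (SpLsaModeInitializeFn) GetProcAddress( msvHandle, "SpLsaModeInitialize");
  if (!next)
    return (NTSTATUS) 0xC0000139L;   // value of STATUS_ENTRYPOINT_NOT_FOUND

  NTSTATUS status = (*next)( LsaVersion, PackageVersion, ppTables, pcTables);

  // Negative NTSTATUS values are warnings and errors; in that case, or when
  // no table came back, there is nothing to hook.
  if (status < 0 || !ppTables || !*ppTables)
    return status;

  PSECPKG_FUNCTION_TABLE table = *ppTables;

  oldLogonUserEx2 = table->LogonUserEx2;
  table->LogonUserEx2 = &myLogonUserEx2;

  oldCallPackage = table->CallPackage;
  table->CallPackage = &myCallPackage;

  oldCallPackagePassthrough = table->CallPackagePassthrough;
  table->CallPackagePassthrough = &myCallPackagePassthrough;

  oldCallPackageUntrusted = table->CallPackageUntrusted;
  table->CallPackageUntrusted = &myCallPackageUntrusted;

  oldSpInitialize = table->Initialize;
  table->Initialize = &SpInitialize;

  return status;
}

}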