archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 827363a95b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '827363a95b'
${ noResults }
windows-server-2003/ds/security/tools/autologon/oldsrc/common/common.c

449 lines
13 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. #include <common.h>
  3. extern BOOL g_QuietMode;
  4. extern WCHAR g_TempString[];
  5. extern WCHAR g_ErrorString[];
  6. extern WCHAR g_FailureLocation[];
  8. extern BOOL g_RemoteOperation;
  9. extern WCHAR g_RemoteComputerName[];
  10. extern BOOL g_CheckNT4Also;
  14. VOID
  15. DisplayMessage(
  16. WCHAR *MessageText)
  17. {
  18. if (!g_QuietMode) {
  19. wprintf(L"%s", MessageText);
  20. }
  21. }
  23. WCHAR*
  24. GetErrorString(
  25. DWORD dwErrorCode)
  26. {
  27. LPVOID lpMsgBuf=NULL;
  28. ZeroMemory(g_ErrorString, MAX_STRING * sizeof(WCHAR));
  30. FormatMessage(
  31. FORMAT_MESSAGE_ALLOCATE_BUFFER |
  32. FORMAT_MESSAGE_FROM_SYSTEM |
  33. FORMAT_MESSAGE_IGNORE_INSERTS,
  34. NULL,
  35. dwErrorCode,
  36. MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
  37. (LPTSTR) &lpMsgBuf,
  38. 0,
  39. NULL);
  41. // Free the bufferoa
  42. if (lpMsgBuf != NULL) {
  43. wcscpy(g_ErrorString, lpMsgBuf);
  44. LocalFree(lpMsgBuf);
  45. }
  46. return g_ErrorString;
  47. }
  51. //+---------------------------------------------------------------------------------------------------------
  52. //
  53. // Registry munging routines
  54. //
  55. //+---------------------------------------------------------------------------------------------------------
  57. DWORD
  58. GetRegValueSZ(
  59. WCHAR *ValueName,
  60. WCHAR *RegValue)
  61. {
  62. DWORD dwRetCode = ERROR_SUCCESS;
  63. HKEY hKey=NULL;
  64. DWORD dwMaxValueData = (MAX_STRING * sizeof(WCHAR)); // Longest Value data
  65. HANDLE hHeap=NULL;
  66. BYTE *bData=NULL;
  67. DWORD cbData;
  68. DWORD dwType;
  70. // ZeroMemory(RegValue, MAX_STRING * sizeof(WCHAR));
  72. // get a handle to the local or remote computer
  73. // (as specified by our global flag)
  74. dwRetCode = GetRegistryHandle(&hKey, KEY_READ);
  75. if (dwRetCode != ERROR_SUCCESS) {
  76. goto cleanup;
  77. }
  79. // create a heap
  80. hHeap = HeapCreate(0, 0, 0);
  81. if (hHeap == NULL) {
  82. dwRetCode = ERROR_NOT_ENOUGH_MEMORY;
  83. wsprintf(g_FailureLocation, L"GetRegValueSZ: HeapCreate: %s\n", GetErrorString(dwRetCode));
  84. goto cleanup;
  85. }
  87. // allocate some space on the heap for our regvalue we'll read in
  88. bData = (BYTE*)HeapAlloc(hHeap, 0, dwMaxValueData);
  89. if (bData == NULL) {
  90. dwRetCode = ERROR_NOT_ENOUGH_MEMORY;
  91. wsprintf(g_FailureLocation, L"GetRegValueSZ: HeapAlloc: %s\n", GetErrorString(dwRetCode));
  92. goto cleanup;
  93. }
  95. cbData = dwMaxValueData;
  97. // read the regkey using the handle we open above
  98. dwRetCode = RegQueryValueEx(
  99. hKey,
  100. ValueName,
  101. NULL,
  102. &dwType,
  103. bData,
  104. &cbData);
  105. if (dwRetCode != ERROR_SUCCESS) {
  106. wsprintf(g_FailureLocation, L"GetRegValueSZ: RegQueryValueEx: %s", GetErrorString(dwRetCode));
  107. goto cleanup;
  108. }
  110. // if it's not a type reg_sz, then something's wrong, so
  111. // report the error, which will cause us to stop.
  112. if (dwType != REG_SZ) {
  113. dwRetCode = ERROR_BADKEY;
  114. wsprintf(g_FailureLocation, L"GetRegValueSZ: RegQueryValueEx: %s: %s\n", ValueName, GetErrorString(dwRetCode));
  115. goto cleanup;
  116. }
  118. // copy the buffer to the registry value
  119. wcsncpy(RegValue, (WCHAR *)bData, cbData * sizeof(WCHAR));
  121. cleanup:
  122. if (bData != NULL) {
  123. ZeroMemory(bData, sizeof(bData));
  124. if (hHeap != NULL) {
  125. HeapFree(hHeap, 0, bData);
  126. HeapDestroy(hHeap);
  127. }
  128. }
  129. if (hKey != NULL) {
  130. RegCloseKey(hKey);
  131. }
  133. return dwRetCode;
  134. }
  137. DWORD
  138. ClearRegPassword()
  139. {
  140. DWORD dwRetCode = ERROR_SUCCESS;
  141. HKEY hKey=NULL;
  143. dwRetCode = GetRegistryHandle(&hKey, KEY_WRITE);
  144. if (dwRetCode != ERROR_SUCCESS) {
  145. goto cleanup;
  146. }
  148. dwRetCode = RegDeleteValue(hKey, L"DefaultPassword");
  149. if (dwRetCode != ERROR_SUCCESS) {
  150. wsprintf(g_FailureLocation, L"ClearRegPassword: RegDeleteValue: %s\n", GetErrorString(dwRetCode));
  151. // DisplayMessage(g_TempString);
  152. goto cleanup;
  153. }
  155. cleanup:
  156. if (hKey != NULL) {
  157. RegCloseKey(hKey);
  158. }
  159. return dwRetCode;
  160. }
  163. DWORD
  164. SetRegValueSZ(
  165. WCHAR *ValueName,
  166. WCHAR *ValueData)
  167. {
  168. DWORD dwRetCode = ERROR_SUCCESS;
  169. HKEY hKey=NULL;
  171. dwRetCode = GetRegistryHandle(&hKey, KEY_WRITE);
  172. if (dwRetCode != ERROR_SUCCESS) {
  173. goto cleanup;
  174. }
  176. dwRetCode = RegSetValueEx(
  177. hKey,
  178. ValueName,
  179. 0,
  180. REG_SZ,
  181. (LPSTR) ValueData,
  182. wcslen(ValueData)*sizeof(WCHAR));
  183. if (dwRetCode != ERROR_SUCCESS) {
  184. wsprintf(g_FailureLocation, L"SetRegValueSZ: RegSetValueEx: %s: %s\n", ValueName, GetErrorString(dwRetCode));
  185. goto cleanup;
  186. }
  188. cleanup:
  189. if (hKey != NULL) {
  190. RegCloseKey(hKey);
  191. }
  192. return dwRetCode;
  193. }
  196. DWORD
  197. GetRegistryHandle(
  198. HKEY *phKey,
  199. REGSAM samDesired)
  200. {
  201. HKEY RemoteRegistryHandle=NULL;
  202. DWORD dwRetCode = ERROR_SUCCESS;
  204. //
  205. // If not PRIVATE mode, ignore the access requested passed in and
  206. // request all access, even though we don't need it. This will force the
  207. // caller to need to be admin to use this tool. We don't want someone using
  208. // this tool to view the autologon passwords of all machines across the domain
  209. // as a normal domain user...
  210. //
  211. #ifndef PRIVATE_VERSION
  212. samDesired = KEY_ALL_ACCESS;
  213. #endif
  214. //
  215. // If we're connecting against a remote computer
  216. //
  217. if (g_RemoteOperation) {
  218. // open a handle to the remote registry
  219. dwRetCode = RegConnectRegistry(
  220. g_RemoteComputerName,
  221. HKEY_LOCAL_MACHINE,
  222. &RemoteRegistryHandle);
  224. if (dwRetCode != ERROR_SUCCESS) {
  225. wsprintf(g_FailureLocation, L"GetRegistryHandle: RegConnectRegistry: %s: %s\n", g_RemoteComputerName, GetErrorString(dwRetCode));
  226. goto cleanup;
  227. }
  229. // open the WINLOGON key on the remote machine
  230. dwRetCode = RegOpenKeyEx(
  231. RemoteRegistryHandle,
  232. WINLOGON_REGKEY,
  233. 0,
  234. samDesired,
  235. phKey);
  236. if (dwRetCode != ERROR_SUCCESS) {
  237. wsprintf(g_FailureLocation, L"GetRegistryHandle: RegOpenKeyEx: %s: %s\n", g_RemoteComputerName, GetErrorString(dwRetCode));
  238. goto cleanup;
  239. }
  240. } else {
  241. // open the WINLOGON key on the local machine
  242. dwRetCode = RegOpenKeyEx(
  243. HKEY_LOCAL_MACHINE,
  244. WINLOGON_REGKEY,
  245. 0,
  246. samDesired,
  247. phKey);
  248. if (dwRetCode != ERROR_SUCCESS) {
  249. wsprintf(g_FailureLocation, L"GetRegistryHandle: RegOpenKeyEx: %s\n", GetErrorString(dwRetCode));
  250. goto cleanup;
  251. }
  252. }
  254. cleanup:
  255. if (RemoteRegistryHandle != NULL) {
  256. RegCloseKey(RemoteRegistryHandle);
  257. }
  258. return dwRetCode;
  259. }
  261. //+---------------------------------------------------------------------------------------------------------
  262. //
  263. // LSASecret munging routines
  264. //
  265. //+---------------------------------------------------------------------------------------------------------
  267. DWORD
  268. GetPolicyHandle(LSA_HANDLE *LsaPolicyHandle)
  269. {
  270. LSA_OBJECT_ATTRIBUTES ObjectAttributes;
  271. NTSTATUS ntsResult;
  272. LSA_UNICODE_STRING TargetMachine;
  273. USHORT TargetMachineLength;
  274. DWORD dwRetCode = ERROR_SUCCESS;
  276. // Object attributes are reserved, so initialize to zeroes.
  277. ZeroMemory(&ObjectAttributes, sizeof(ObjectAttributes));
  279. if (g_RemoteOperation) {
  280. //Initialize an LSA_UNICODE_STRING
  281. TargetMachineLength = (USHORT)wcslen(g_RemoteComputerName);
  282. TargetMachine.Buffer = g_RemoteComputerName;
  283. TargetMachine.Length = TargetMachineLength * sizeof(WCHAR);
  284. TargetMachine.MaximumLength = (TargetMachineLength+1) * sizeof(WCHAR);
  286. // Get a handle to the Policy object.
  287. ntsResult = LsaOpenPolicy(
  288. &TargetMachine, //local machine
  289. &ObjectAttributes,
  290. POLICY_CREATE_SECRET | POLICY_GET_PRIVATE_INFORMATION,
  291. LsaPolicyHandle);
  293. } else {
  294. // Get a handle to the Policy object.
  295. ntsResult = LsaOpenPolicy(
  296. NULL, //local machine
  297. &ObjectAttributes,
  298. POLICY_CREATE_SECRET | POLICY_GET_PRIVATE_INFORMATION,
  299. LsaPolicyHandle);
  300. }
  302. if (ntsResult != STATUS_SUCCESS)
  303. {
  304. // An error occurred. Display it as a win32 error code.
  305. dwRetCode = LsaNtStatusToWinError(ntsResult);
  306. wsprintf(g_FailureLocation, L"GetPolicyHandle: LsaOpenPolicy: %s\n", GetErrorString(dwRetCode));
  307. goto cleanup;
  308. }
  310. cleanup:
  311. return dwRetCode;
  313. }
  315. DWORD
  316. SetSecret(
  317. WCHAR *Password,
  318. BOOL bClearSecret)
  319. {
  320. DWORD dwRetCode = ERROR_SUCCESS;
  321. NTSTATUS ntsResult;
  322. USHORT SecretNameLength, SecretDataLength;
  323. LSA_HANDLE LsaPolicyHandle=NULL;
  324. LSA_UNICODE_STRING lusSecretName, lusSecretData;
  326. //Initialize an LSA_UNICODE_STRING
  327. SecretNameLength = (USHORT)wcslen(L"DefaultPassword");
  328. lusSecretName.Buffer = L"DefaultPassword";
  329. lusSecretName.Length = SecretNameLength * sizeof(WCHAR);
  330. lusSecretName.MaximumLength = (SecretNameLength+1) * sizeof(WCHAR);
  332. dwRetCode = GetPolicyHandle(&LsaPolicyHandle);
  333. if (dwRetCode != ERROR_SUCCESS) {
  334. goto cleanup;
  335. }
  337. // if bClearSecret is set, then delete the secret
  338. // otherwise set the secret to Password
  339. if (bClearSecret) {
  340. ntsResult = LsaStorePrivateData(
  341. LsaPolicyHandle,
  342. &lusSecretName,
  343. NULL);
  344. if (ntsResult != STATUS_SUCCESS) {
  345. dwRetCode = LsaNtStatusToWinError(ntsResult);
  346. wsprintf(g_FailureLocation, L"SetSecret: LsaStorePrivateData: %s\n", GetErrorString(dwRetCode));
  347. goto cleanup;
  348. }
  350. } else {
  351. //Initialize the Password LSA_UNICODE_STRING
  352. SecretDataLength = (USHORT)wcslen(Password);
  353. lusSecretData.Buffer = Password;
  354. lusSecretData.Length = SecretDataLength * sizeof(WCHAR);
  355. lusSecretData.MaximumLength = (SecretDataLength+1) * sizeof(WCHAR);
  357. ntsResult = LsaStorePrivateData(
  358. LsaPolicyHandle,
  359. &lusSecretName,
  360. &lusSecretData);
  361. if (ntsResult != STATUS_SUCCESS) {
  362. dwRetCode = LsaNtStatusToWinError(ntsResult);
  363. wsprintf(g_FailureLocation, L"SetSecret: LsaStorePrivateData: %s\n", GetErrorString(dwRetCode));
  364. goto cleanup;
  365. }
  366. }
  368. cleanup:
  369. if (LsaPolicyHandle != NULL) {
  370. LsaClose(LsaPolicyHandle);
  371. }
  372. return dwRetCode;
  373. }
  376. DWORD
  377. GetSecret(
  378. WCHAR *Password)
  379. {
  380. DWORD dwRetCode = ERROR_SUCCESS;
  381. NTSTATUS ntsResult;
  382. USHORT SecretNameLength;
  383. LSA_HANDLE LsaPolicyHandle=NULL;
  384. LSA_UNICODE_STRING lusSecretName;
  385. LSA_UNICODE_STRING *PrivateData=NULL;
  387. //Initialize an LSA_UNICODE_STRING
  388. SecretNameLength = (USHORT)wcslen(L"DefaultPassword");
  389. lusSecretName.Buffer = L"DefaultPassword";
  390. lusSecretName.Length = SecretNameLength * sizeof(WCHAR);
  391. lusSecretName.MaximumLength= (SecretNameLength+1) * sizeof(WCHAR);
  393. dwRetCode = GetPolicyHandle(&LsaPolicyHandle);
  394. if (dwRetCode != ERROR_SUCCESS) {
  395. goto cleanup;
  396. }
  398. ntsResult = LsaRetrievePrivateData(
  399. LsaPolicyHandle,
  400. &lusSecretName,
  401. &PrivateData);
  403. if (ntsResult != STATUS_SUCCESS) {
  404. if (ntsResult == STATUS_OBJECT_NAME_NOT_FOUND) {
  405. return ntsResult;
  406. } else {
  407. dwRetCode = LsaNtStatusToWinError(ntsResult);
  408. wsprintf(g_FailureLocation, L"GetSecret: LsaRetrievePrivateData: %s \n", GetErrorString(dwRetCode));
  409. goto cleanup;
  410. }
  411. }
  413. // copy the buffer data to Password
  414. wcsncpy(Password, PrivateData->Buffer, (PrivateData->Length)/sizeof(WCHAR));
  416. cleanup:
  417. if (PrivateData != NULL) {
  418. ZeroMemory(PrivateData->Buffer, PrivateData->Length);
  419. LsaFreeMemory(PrivateData);
  420. }
  421. if (LsaPolicyHandle != NULL) {
  422. LsaClose(LsaPolicyHandle);
  423. }
  424. return dwRetCode;
  425. }
  429. DWORD
  430. GetMajorNTVersion(
  431. WCHAR *Server)
  432. {
  433. SERVER_INFO_101* pInf;
  434. DWORD ver = 0;
  436. if(!NetServerGetInfo(Server, 101, (BYTE**)&pInf))
  437. {
  438. if(pInf->sv101_platform_id == PLATFORM_ID_NT) {
  439. ver = pInf->sv101_version_major;
  440. } else {
  441. ver = 0;
  442. }
  443. NetApiBufferFree(pInf);
  444. } else {
  445. ver = 0;
  446. }
  448. return ver;
  449. }