LOGON Description (7)

Author: 陆麟
Please obtain the author's consent before reposting. If you find a bug, please report it.
2000.10.1


Another installment of the LOGON description.
When a logon process calls LsaLogonUser, the call travels over LPC to LSASS, telling it there is work to do; LSASS then invokes the authentication package's LsaApLogonUser (or its Ex/Ex2 variant) to do that work.
LSASS (the Local Security Authority Subsystem) is NT's integrated security subsystem, responsible for authenticating users and defining their privileges.
The built-in authentication package on NT 3.51, NT 4.0 and Windows 2000 is called MSV1_0. Every authentication package, MSV1_0 included, exports the following interface to LSASS:
NTSTATUS LsaApInitializePackage(
  ULONG AuthenticationPackageId,
  PLSA_DISPATCH_TABLE LsaDispatchTable,
  PLSA_STRING Database OPTIONAL,
  PLSA_STRING Confidentiality OPTIONAL,
  PLSA_STRING *AuthenticationPackageName
);
LSASS calls this function once, when the package is loaded and before any of its other entry points. The package gets a chance to initialize; in particular it saves LsaDispatchTable, the table of LSA support functions (allocating client buffers, copying to and from them, and so on) that it will need in the functions below.

NTSTATUS LsaApCallPackage(
  PLSA_CLIENT_REQUEST ClientRequest,
  PVOID ProtocolSubmitBuffer,
  PVOID ClientBufferBase,
  ULONG SubmitBufferLength,
  PVOID *ProtocolReturnBuffer,
  PULONG ReturnBufferLength,
  PNTSTATUS ProtocolStatus
);
A call to LsaCallAuthenticationPackage is dispatched to this function.

NTSTATUS LsaApCallPackageUntrusted(
  PLSA_CLIENT_REQUEST ClientRequest,
  PVOID ProtocolSubmitBuffer,
  PVOID ClientBufferBase,
  ULONG SubmitBufferLength,
  PVOID *ProtocolReturnBuffer,
  PULONG ReturnBufferLength,
  PNTSTATUS ProtocolStatus
);
If the caller's connection to LSASS is untrusted (established with LsaConnectUntrusted rather than LsaRegisterLogonProcess), LsaCallAuthenticationPackage is dispatched to this function instead, so the package can restrict what such callers may request.

NTSTATUS LsaApLogonUser(
  PLSA_CLIENT_REQUEST ClientRequest,
  SECURITY_LOGON_TYPE LogonType,
  PVOID AuthenticationInformation,
  PVOID ClientAuthenticationBase,
  ULONG AuthenticationInformationLength,
  PVOID *ProfileBuffer,
  PULONG ProfileBufferLength,
  PLUID LogonId,
  PNTSTATUS SubStatus,
  PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
  PVOID *TokenInformation,
  PLSA_UNICODE_STRING *AccountName,
  PLSA_UNICODE_STRING *AuthenticatingAuthority
);
NTSTATUS LsaApLogonUserEx(
  PLSA_CLIENT_REQUEST ClientRequest,
  SECURITY_LOGON_TYPE LogonType,
  PVOID AuthenticationInformation,
  PVOID ClientAuthenticationBase,
  ULONG AuthenticationInformationLength,
  PVOID *ProfileBuffer,
  PULONG ProfileBufferLength,
  PLUID LogonId,
  PNTSTATUS SubStatus,
  PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
  PVOID *TokenInformation,
  PUNICODE_STRING *AccountName,
  PUNICODE_STRING *AuthenticatingAuthority,
  PUNICODE_STRING *MachineName
);
NTSTATUS LsaApLogonUserEx2(
  PLSA_CLIENT_REQUEST ClientRequest,
  SECURITY_LOGON_TYPE LogonType,
  PVOID ProtocolSubmitBuffer,
  PVOID ClientBufferBase,
  ULONG SubmitBufferSize,
  PVOID *ProfileBuffer,
  PULONG ProfileBufferSize,
  PLUID LogonId,
  PNTSTATUS SubStatus,
  PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
  PVOID *TokenInformation,
  PUNICODE_STRING *AccountName,
  PUNICODE_STRING *AuthenticatingAuthority,
  PUNICODE_STRING *MachineName,
  PSECPKG_PRIMARY_CRED PrimaryCredentials,
  PSECPKG_SUPPLEMENTAL_CRED_ARRAY *SupplementalCredentials
);
All three of these functions decide whether the client's logon request is legitimate. At the same time they give an attacker who manages to get his own authentication package loaded into LSASS a chance to harvest the user name and password: AuthenticationInformation is a byte-for-byte copy of the buffer the client handed to LsaLogonUser (the UNICODE_STRING Buffer fields inside it still hold client-process addresses, which is what ClientAuthenticationBase is supplied for). The structure is listed here again. :)
typedef struct _MSV1_0_INTERACTIVE_LOGON {
  MSV1_0_LOGON_SUBMIT_TYPE MessageType;
  UNICODE_STRING LogonDomainName;
  UNICODE_STRING UserName;
  UNICODE_STRING Password;
} MSV1_0_INTERACTIVE_LOGON;
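An added example, not code from the original article: a portable model of what a package's LsaApLogonUser has to do with the MSV1_0_INTERACTIVE_LOGON buffer before it can read the credentials. LSASS hands the package a copy of the client's submit buffer, but the UNICODE_STRING Buffer fields in it still hold client-process addresses, so the package rebases them with ClientAuthenticationBase and must check that the result lies inside the buffer before dereferencing it. The typedefs are minimal stand-ins for ntsecapi.h so this builds without the Windows SDK, the credentials and the tampered pointer are constructed sample data, and the function names other than the structure and enum are this example's own.

```c
/* Added example, not from the original article: rebasing and validating the
 * client-relative string pointers in MSV1_0_INTERACTIVE_LOGON the way an
 * authentication package's LsaApLogonUser must. Typedefs are stand-ins for
 * ntsecapi.h so the program builds and runs without the Windows SDK. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t USHORT;
typedef uint16_t WCHAR;                 /* UTF-16 code unit */
typedef uint32_t ULONG;
typedef unsigned char *PBYTE;
typedef void *PVOID;

typedef struct { USHORT Length; USHORT MaximumLength; WCHAR *Buffer; } UNICODE_STRING;
typedef enum { MsV1_0InteractiveLogon = 2 } MSV1_0_LOGON_SUBMIT_TYPE; /* value as in ntsecapi.h */
typedef struct {
    MSV1_0_LOGON_SUBMIT_TYPE MessageType;
    UNICODE_STRING LogonDomainName;
    UNICODE_STRING UserName;
    UNICODE_STRING Password;
} MSV1_0_INTERACTIVE_LOGON;

/* Rebase one string from the client's address space into LSASS's copy.
 * Returns -1 unless the string lies entirely inside the submit buffer. */
static int relocate_string(UNICODE_STRING *s, PVOID auth_info, PVOID client_base, ULONG auth_len)
{
    uintptr_t buf = (uintptr_t)s->Buffer, base = (uintptr_t)client_base, off;
    if (s->Length % sizeof(WCHAR) != 0 || s->Length > s->MaximumLength) return -1;
    if (s->Length == 0) { s->Buffer = NULL; return 0; }     /* a blank password is legal */
    if (buf < base) return -1;
    off = buf - base;
    if (off > auth_len || (uintptr_t)s->Length > auth_len - off) return -1;
    s->Buffer = (WCHAR *)((PBYTE)auth_info + off);
    return 0;
}

/* What LsaApLogonUser does first with AuthenticationInformation (LSASS's copy),
 * ClientAuthenticationBase and AuthenticationInformationLength. */
int parse_interactive_logon(PVOID auth_info, PVOID client_base, ULONG auth_len,
                            MSV1_0_INTERACTIVE_LOGON **out)
{
    MSV1_0_INTERACTIVE_LOGON *li = (MSV1_0_INTERACTIVE_LOGON *)auth_info;
    if (auth_len < sizeof *li || li->MessageType != MsV1_0InteractiveLogon) return -1;
    if (relocate_string(&li->LogonDomainName, auth_info, client_base, auth_len) != 0 ||
        relocate_string(&li->UserName,        auth_info, client_base, auth_len) != 0 ||
        relocate_string(&li->Password,        auth_info, client_base, auth_len) != 0) return -1;
    *out = li;
    return 0;
}

/* Client side, as a logon process lays the buffer out before LsaLogonUser:
 * the header followed by the strings, each Buffer pointing into the same block. */
static void put_string(UNICODE_STRING *s, const char *ascii, PBYTE blob, size_t *used)
{
    size_t n = strlen(ascii), i;
    WCHAR *dst = (WCHAR *)(blob + *used);
    for (i = 0; i < n; i++) dst[i] = (WCHAR)ascii[i];        /* ASCII -> UTF-16LE */
    s->Length = s->MaximumLength = (USHORT)(n * sizeof(WCHAR));
    s->Buffer = dst;                                          /* a client-side address */
    *used += n * sizeof(WCHAR);
}

ULONG build_submit_buffer(const char *domain, const char *user, const char *pw, PBYTE blob)
{
    MSV1_0_INTERACTIVE_LOGON *li = (MSV1_0_INTERACTIVE_LOGON *)blob;
    size_t used = sizeof *li;
    li->MessageType = MsV1_0InteractiveLogon;
    put_string(&li->LogonDomainName, domain, blob, &used);
    put_string(&li->UserName, user, blob, &used);
    put_string(&li->Password, pw, blob, &used);
    return (ULONG)used;
}

/* Narrow a relocated string for printing and comparison (ASCII content only). */
size_t unicode_to_ascii(const UNICODE_STRING *s, char *out, size_t cap)
{
    size_t n = s->Length / sizeof(WCHAR), i;
    if (cap == 0) return 0;
    if (n >= cap) n = cap - 1;
    for (i = 0; i < n; i++) out[i] = (char)s->Buffer[i];
    out[n] = '\0';
    return n;
}

/* End to end. Returns 1 when an honest buffer yields the cleartext password to
 * the package and a buffer whose Password.Buffer points outside it is rejected. */
int run_demo(void)
{
    _Alignas(8) unsigned char client[256], lsass[256];   /* constructed sample, not a capture */
    MSV1_0_INTERACTIVE_LOGON *li;
    char pw[64];
    ULONG len = build_submit_buffer("CORP", "alice", "Winter2000!", client);
    memcpy(lsass, client, len);                               /* LSASS's LPC copy */
    if (parse_interactive_logon(lsass, client, len, &li) != 0) return 0;
    unicode_to_ascii(&li->Password, pw, sizeof pw);
    printf("package sees cleartext password: %s\n", pw);
    if (strcmp(pw, "Winter2000!") != 0) return 0;
    /* Hostile logon process: Password.Buffer points 4 KiB past the buffer. */
    len = build_submit_buffer("CORP", "alice", "x", client);
    ((MSV1_0_INTERACTIVE_LOGON *)client)->Password.Buffer = (WCHAR *)((uintptr_t)client + 4096);
    memcpy(lsass, client, len);
    return parse_interactive_logon(lsass, client, len, &li) == -1;
}
```

The honest path shows the article's point: once the pointers are rebased, the package holds the password in the clear, so whoever controls the package list in LSASS controls the credentials. The second path is the caveat: the length and offset checks in relocate_string are what stop a crafted submit buffer from making LSASS read memory of the attacker's choosing, and they belong in every package, not only MSV1_0.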

VOID LsaApLogonTerminated(
  PLUID LogonId
);
Called when the logon session identified by LogonId terminates, that is, when the last token referencing it is closed; the package releases whatever state it kept for that session.

Windows 2000's other authentication package, Kerberos, follows essentially the same model.