实现自定义 Windows 身份验证包
我正在为 Windows 7 的 MSV1_0 构建自定义身份验证子包。我使用了 Windows SDK 中的 msvsubauth 示例,对于我遇到的一些问题,我有 2 个问题:
当我尝试时确保调用例程并将注册表中的 Auth0 属性设置为我的包,并在创建文件的 Msv1_0SubAuthenticationRoutine 末尾添加一个简单的代码:
<前><代码>// // 返回前清理。 // 清理: hTestFile = 创建文件( TEXT("C:\\lsa\\lsa.txt"), GENERIC_READ|GENERIC_WRITE, 0, 空,总是创建, 文件_属性_正常,空); if(hTestFile != INVALID_HANDLE_VALUE) { 关闭句柄(hTestFile); } 返回状态; } // Msv1_0SubAuthenticationRoutine显然该包被调用,因为当我输入密码时,我从 Windows 收到一条错误消息“参数不正确”,这是一个好兆头。但为什么我会收到这个错误?当从单独的 .exe 文件执行完全相同的代码时,它可以完美运行并创建测试文本文件。我已经检查了权限并为“所有人”设置了“完全控制”。有什么想法吗? SDK 没有确切提及 LSA 正在为 auth 包中的代码创建哪种类型的隔离。
第二个问题是测试AP。目前,每次更改时,我都会重建库,将其复制到测试虚拟机,然后复制到 System32 文件夹并重新启动它。有没有更简单的方法来做到这一点?
预先感谢!
I'm building a custom authentication subpackage for MSV1_0 for Windows 7. I've used the msvsubauth sample in from the Windows SDK and I have 2 questions regarding some problems I'm facing with that:
When I'm trying just to make sure that the routine get's invoked and set the Auth0 property in the registry to my package and add a simple code at the end of the Msv1_0SubAuthenticationRoutine that creates a file:
// // Cleanup up before returning. // Cleanup: hTestFile = CreateFile( TEXT("C:\\lsa\\lsa.txt"), GENERIC_READ|GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if(hTestFile != INVALID_HANDLE_VALUE) { CloseHandle(hTestFile); } return Status; } // Msv1_0SubAuthenticationRoutineApparently the package gets invoked because when I enter my password I get an error message from windows "the parameter is incorrect" which is a good sign. But why I'm getting that error? when the exactly same code is executed from a separate .exe file it runs perfectly and creates the test text file. I've checked the permissions and set "full control" for "everyone". Any ideas? the SDK doesn't exactly mention what kind of isolation LSA is creating for code within auth packages.
The second problem is testing the AP. Currently with every change I rebuild the library, copy it to a test VM and then to the System32 folder and reboot it. Is there an easier way to do that?
Thank in advance!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
Winlogon 和 LSASS 中的调试是最耗时的调试。
为了简化调试,您可以编写一个导出相同功能的代理 AP。加载后,proxy_ap 会将
但是您需要密切关注开发目标上发生的情况,因为要处理 dll 开关处理来自多个线程的请求可能会成为比您要解决的问题更糟糕的噩梦。
LogonUI.exe 每次都会启动一个新实例,但 LSASS.exe 的寿命很长。
+查看 CVSNT 源代码 (http://cvsnt.sourcearchive.com/)。他们有一个非常好的 AP 实现了 su。使用
psexec -s在本地系统帐户中运行示例(来自 Microsoft/SysInternals pstools 套件)Debugging in Winlogon and LSASS makes for the most time consuming debugging.
To ease your debugging, you could write a proxy AP that exports the same functions. When loaded, you proxy_ap would
But you need to keep a tight grip on what happens on your development target, because handling the dll switch while dealing with requests comming from many threads can become a worse nightmare that what you are trying to solve.
LogonUI.exe starts a new instance every time, but LSASS.exe is long lived.
+Have a look at CVSNT source code (http://cvsnt.sourcearchive.com/). They have a pretty nice AP that implements su. Run the sample in the local system account with
psexec -s(from Microsoft/SysInternals pstools suite)也许您的问题是每个人都只包括经过身份验证的用户?这只是一个猜测。
我建议您使用进程监视器来监视“拒绝访问”消息或您的路径。它非常适合调试各种权限/路径问题。
如果您在“解锁工作站”或“更改密码”屏幕上遇到问题,并且不会阻止您登录,那么这应该很容易做到 - 将其设置为运行,重现问题,然后重新登录嘿,快点。
否则,您可能不得不采取一些技巧,例如仅针对某些用户帐户执行该代码路径,在第 N 次尝试时等等。
Perhaps your problem is Everyone only includes Authenticated users? This is just a guess.
I suggest you use Process Monitor to monitor for Access Denied messages or for your path. It is fantastic for debugging permission/path problems of all kinds.
If you experience the issue at the "Unlock Workstation" or "change Password" screens, and it doesn't prevent you logging in, this should be easy to do - set it running, reproduce the problem, log back in and hey presto.
Otherwise you might have to resort to tricks like executing that code path only for certain user accounts, on the Nth try, etc.