Windows boot login authentication and Gina DLL

Source: Internet
Author: User

Windows logon password authentication is generally handled by a GINA DLL. In NT/2000, interactive logon support is implemented by WinLogon calling the GINA DLL, which provides the interactive interface for user authentication requests.

1. Gina Principle
WinLogon interacts with the GINA DLL, which by default is MSGINA.DLL (in the System32 directory). Microsoft also provides an interface for this, so we can build our own GINA DLL to replace MSGINA.DLL.

WinLogon creates three desktops during initialization:
(1) Winlogon desktop: displays the Windows Security dialog and related screens, such as the prompt to press CTRL+ALT+DEL and the logon dialog.
(2) Application desktop: the desktop we normally work on, where My Computer appears.
(3) Screen saver desktop: where the screen saver is displayed.

By default, the GINA logon dialog box is displayed, where the user enters a user name and password. To obtain the user name and password, you can write a new GINA DLL that provides the same interface and calls the WlxLoggedOutSAS function of msgina.dll.

2. Gina DLL export Function

A GINA DLL needs to export the following functions, which Winlogon calls:

(1) WlxActivateUserShell: activates the user shell program.
(2) WlxDisplayLockedNotice: lets the GINA DLL display the workstation-locked notice.
(3) WlxDisplaySASNotice: Winlogon calls this function when no user is logged on.
(4) WlxDisplayStatusMessage: Winlogon calls this function with a status message to display.
(5) WlxGetStatusMessage: Winlogon calls this function to obtain the current status message.
(6) WlxInitialize: initializes the GINA DLL for the specified window station.
(7) WlxIsLockOk: verifies that locking the workstation is OK.
(8) WlxIsLogoffOk: verifies that logging off is OK.
(9) WlxLoggedOnSAS: Winlogon calls this function when a SAS event is received while a user is logged on and the workstation is not locked.
(10) WlxLoggedOutSAS: Winlogon calls this function when a SAS event is received while no user is logged on.
(11) WlxLogoff: notifies the GINA DLL that a logoff has been requested.
(12) WlxNegotiate: indicates whether the GINA DLL can be used with the current Winlogon version.
(13) WlxNetworkProviderLoad: Winlogon calls this function after the network service provider collects identity and authentication information.
(14) WlxRemoveStatusMessage: Winlogon calls this function to tell the GINA DLL to stop displaying the status message.
(15) WlxScreenSaverNotify: lets the GINA interact with screen saver operations.
(16) WlxShutdown: Winlogon calls this function before shutting down, so that the GINA can finish any shutdown tasks, such as ejecting a smart card from the card reader.
(17) WlxStartApplication: called when the system needs to start an application in the user's context.
(18) WlxWkstaLockedSAS: Winlogon calls this function when a SAS is received while the workstation is locked.
We rewrite the 18 basic functions above to implement Windows logon identity authentication for the USB Identity Authentication System.

3. Gina DLL prototype code

// USBGina.cpp: defines the exported functions of the DLL.
//
#include "stdafx.h"
#include <windows.h>
#include <winwlx.h>   // WLX_VERSION_* constants, dispatch table and notify-info types

// Not shown in the article and assumed to come from the project's own headers:
// the PFWLX* function-pointer typedefs, the `account` structure and LogonDlgProc.
// The dialog resource IDs and one dialog procedure name were lost in the source;
// IDD_SAS_NOTICE, IDD_LOCKED_NOTICE and SasNoticeDlgProc below are placeholders.

#define REALGINA_PATH TEXT("MSGINA.DLL")

// Winlogon dispatch table (table version lost in the source; 1.0 assumed,
// which already provides WlxDialogBoxParam)
PWLX_DISPATCH_VERSION_1_0 g_pWinlogon;
// Instance handle of this DLL
HINSTANCE hDllInstance;
// Winlogon handle
HANDLE hGlobalWlx;

// Pointers to the real MSGINA functions (WLX_VERSION_1_0)
PFWLXNEGOTIATE           pfWlxNegotiate;
PFWLXINITIALIZE          pfWlxInitialize;
PFWLXDISPLAYSASNOTICE    pfWlxDisplaySASNotice;
PFWLXLOGGEDOUTSAS        pfWlxLoggedOutSAS;
PFWLXACTIVATEUSERSHELL   pfWlxActivateUserShell;
PFWLXLOGGEDONSAS         pfWlxLoggedOnSAS;
PFWLXDISPLAYLOCKEDNOTICE pfWlxDisplayLockedNotice;
PFWLXISLOCKOK            pfWlxIsLockOk;
PFWLXWKSTALOCKEDSAS      pfWlxWkstaLockedSAS;
PFWLXISLOGOFFOK          pfWlxIsLogoffOk;
PFWLXLOGOFF              pfWlxLogoff;
PFWLXSHUTDOWN            pfWlxShutdown;

// Functions added in WLX_VERSION_1_1
PFWLXSTARTAPPLICATION    pfWlxStartApplication  = NULL;
PFWLXSCREENSAVERNOTIFY   pfWlxScreenSaverNotify = NULL;

// Functions added in later versions
PFWLXNETWORKPROVIDERLOAD  pfWlxNetworkProviderLoad  = NULL;
PFWLXDISPLAYSTATUSMESSAGE pfWlxDisplayStatusMessage = NULL;
PFWLXGETSTATUSMESSAGE     pfWlxGetStatusMessage     = NULL;
PFWLXREMOVESTATUSMESSAGE  pfWlxRemoveStatusMessage  = NULL;

// DLL entry point
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        hDllInstance = hModule;   // remember our instance handle, then fall through
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

// Initialization, called from WlxNegotiate: resolve every export of msgina.dll.
BOOL MyInitialize(HINSTANCE hDll, DWORD dwWlxVersion)
{
    pfWlxNegotiate = (PFWLXNEGOTIATE) GetProcAddress(hDll, "WlxNegotiate");
    if (!pfWlxNegotiate) return FALSE;
    pfWlxInitialize = (PFWLXINITIALIZE) GetProcAddress(hDll, "WlxInitialize");
    if (!pfWlxInitialize) return FALSE;
    pfWlxDisplaySASNotice = (PFWLXDISPLAYSASNOTICE) GetProcAddress(hDll, "WlxDisplaySASNotice");
    if (!pfWlxDisplaySASNotice) return FALSE;
    pfWlxLoggedOutSAS = (PFWLXLOGGEDOUTSAS) GetProcAddress(hDll, "WlxLoggedOutSAS");
    if (!pfWlxLoggedOutSAS) return FALSE;
    pfWlxActivateUserShell = (PFWLXACTIVATEUSERSHELL) GetProcAddress(hDll, "WlxActivateUserShell");
    if (!pfWlxActivateUserShell) return FALSE;
    pfWlxLoggedOnSAS = (PFWLXLOGGEDONSAS) GetProcAddress(hDll, "WlxLoggedOnSAS");
    if (!pfWlxLoggedOnSAS) return FALSE;
    pfWlxDisplayLockedNotice = (PFWLXDISPLAYLOCKEDNOTICE) GetProcAddress(hDll, "WlxDisplayLockedNotice");
    if (!pfWlxDisplayLockedNotice) return FALSE;
    pfWlxIsLockOk = (PFWLXISLOCKOK) GetProcAddress(hDll, "WlxIsLockOk");
    if (!pfWlxIsLockOk) return FALSE;
    pfWlxWkstaLockedSAS = (PFWLXWKSTALOCKEDSAS) GetProcAddress(hDll, "WlxWkstaLockedSAS");
    if (!pfWlxWkstaLockedSAS) return FALSE;
    pfWlxIsLogoffOk = (PFWLXISLOGOFFOK) GetProcAddress(hDll, "WlxIsLogoffOk");
    if (!pfWlxIsLogoffOk) return FALSE;
    pfWlxLogoff = (PFWLXLOGOFF) GetProcAddress(hDll, "WlxLogoff");
    if (!pfWlxLogoff) return FALSE;
    pfWlxShutdown = (PFWLXSHUTDOWN) GetProcAddress(hDll, "WlxShutdown");
    if (!pfWlxShutdown) return FALSE;

    // Hook the functions added in WLX_VERSION_1_1.
    if (dwWlxVersion > WLX_VERSION_1_0)
    {
        pfWlxStartApplication = (PFWLXSTARTAPPLICATION) GetProcAddress(hDll, "WlxStartApplication");
        if (!pfWlxStartApplication) return FALSE;
        pfWlxScreenSaverNotify = (PFWLXSCREENSAVERNOTIFY) GetProcAddress(hDll, "WlxScreenSaverNotify");
        if (!pfWlxScreenSaverNotify) return FALSE;
    }

    // Hook the functions added in later versions. The version constant was lost in
    // the source; WLX_VERSION_1_2 is used because these four exports arrived in 1.3.
    if (dwWlxVersion > WLX_VERSION_1_2)
    {
        pfWlxNetworkProviderLoad = (PFWLXNETWORKPROVIDERLOAD) GetProcAddress(hDll, "WlxNetworkProviderLoad");
        if (!pfWlxNetworkProviderLoad) return FALSE;
        pfWlxDisplayStatusMessage = (PFWLXDISPLAYSTATUSMESSAGE) GetProcAddress(hDll, "WlxDisplayStatusMessage");
        if (!pfWlxDisplayStatusMessage) return FALSE;
        pfWlxGetStatusMessage = (PFWLXGETSTATUSMESSAGE) GetProcAddress(hDll, "WlxGetStatusMessage");
        if (!pfWlxGetStatusMessage) return FALSE;
        pfWlxRemoveStatusMessage = (PFWLXREMOVESTATUSMESSAGE) GetProcAddress(hDll, "WlxRemoveStatusMessage");
        if (!pfWlxRemoveStatusMessage) return FALSE;
    }

    // All hooks resolved.
    return TRUE;
}

BOOL WINAPI WlxNegotiate(DWORD dwWinlogonVersion, DWORD *pdwDllVersion)
{
    HINSTANCE hDll = NULL;

    if (!(hDll = LoadLibrary(REALGINA_PATH)))
        return FALSE;

    if (MyInitialize(hDll, dwWinlogonVersion) == TRUE)
        return pfWlxNegotiate(dwWinlogonVersion, pdwDllVersion);

    return FALSE;
}

BOOL WINAPI WlxInitialize(LPWSTR lpWinsta, HANDLE hWlx, PVOID pvReserved,
                          PVOID pWinlogonFunctions, PVOID *pWlxContext)
{
    // Keep the dispatch table and the Winlogon handle for later dialog calls.
    g_pWinlogon = (PWLX_DISPATCH_VERSION_1_0) pWinlogonFunctions;
    hGlobalWlx = hWlx;
    return pfWlxInitialize(lpWinsta, hWlx, pvReserved, pWinlogonFunctions, pWlxContext);
}

VOID WINAPI WlxDisplaySASNotice(PVOID pWlxContext)
{
    pfWlxDisplaySASNotice(pWlxContext);
    // IDD_SAS_NOTICE and SasNoticeDlgProc are placeholders (names lost in the source).
    g_pWinlogon->WlxDialogBoxParam(hGlobalWlx, hDllInstance,
        (LPTSTR) MAKEINTRESOURCE(IDD_SAS_NOTICE), NULL, SasNoticeDlgProc, 0);
}

int WINAPI WlxLoggedOutSAS(PVOID pWlxContext, DWORD dwSasType, PLUID pAuthenticationId,
                           PSID pLogonSid, PDWORD pdwOptions, PHANDLE phToken,
                           PWLX_MPR_NOTIFY_INFO pMprNotifyInfo, PVOID *pProfile)
{
    // Standard Windows password logon: pass straight through to MSGINA.
    return pfWlxLoggedOutSAS(pWlxContext, dwSasType, pAuthenticationId, pLogonSid,
                             pdwOptions, phToken, pMprNotifyInfo, pProfile);
}

BOOL WINAPI WlxActivateUserShell(PVOID pWlxContext, PWSTR pszDesktopName,
                                 PWSTR pszMprLogonScript, PVOID pEnvironment)
{
    // Standard Windows password logon: call MSGINA.
    return pfWlxActivateUserShell(pWlxContext, pszDesktopName, pszMprLogonScript, pEnvironment);
}

int WINAPI WlxLoggedOnSAS(PVOID pWlxContext, DWORD dwSasType, PVOID pReserved)
{
    return pfWlxLoggedOnSAS(pWlxContext, dwSasType, pReserved);
}

VOID WINAPI WlxDisplayLockedNotice(PVOID pWlxContext)
{
    pfWlxDisplayLockedNotice(pWlxContext);
    // Reset the project's logon state before showing its own dialog.
    wcscpy(account.strUsername, TEXT(""));
    wcscpy(account.strPassword, TEXT(""));
    account.bLogonStatus = FALSE;
    // IDD_LOCKED_NOTICE is a placeholder (resource ID lost in the source).
    g_pWinlogon->WlxDialogBoxParam(hGlobalWlx, hDllInstance,
        (LPTSTR) MAKEINTRESOURCE(IDD_LOCKED_NOTICE), NULL, LogonDlgProc, 0);
}

BOOL WINAPI WlxIsLockOk(PVOID pWlxContext)
{
    return pfWlxIsLockOk(pWlxContext);
}

int WINAPI WlxWkstaLockedSAS(PVOID pWlxContext, DWORD dwSasType)
{
    return pfWlxWkstaLockedSAS(pWlxContext, dwSasType);
}

BOOL WINAPI WlxIsLogoffOk(PVOID pWlxContext)
{
    return pfWlxIsLogoffOk(pWlxContext);
}

VOID WINAPI WlxLogoff(PVOID pWlxContext)
{
    pfWlxLogoff(pWlxContext);
}

VOID WINAPI WlxShutdown(PVOID pWlxContext, DWORD ShutdownType)
{
    pfWlxShutdown(pWlxContext, ShutdownType);
}

// Functions added in WLX_VERSION_1_1
BOOL WINAPI WlxScreenSaverNotify(PVOID pWlxContext, BOOL *pSecure)
{
    return pfWlxScreenSaverNotify(pWlxContext, pSecure);
}

BOOL WINAPI WlxStartApplication(PVOID pWlxContext, PWSTR pszDesktopName,
                                PVOID pEnvironment, PWSTR pszCmdLine)
{
    return pfWlxStartApplication(pWlxContext, pszDesktopName, pEnvironment, pszCmdLine);
}

// Functions added in later versions
BOOL WINAPI WlxNetworkProviderLoad(PVOID pWlxContext, PWLX_MPR_NOTIFY_INFO pNprNotifyInfo)
{
    return pfWlxNetworkProviderLoad(pWlxContext, pNprNotifyInfo);
}

BOOL WINAPI WlxDisplayStatusMessage(PVOID pWlxContext, HDESK hDesktop, DWORD dwOptions,
                                    PWSTR pTitle, PWSTR pMessage)
{
    return pfWlxDisplayStatusMessage(pWlxContext, hDesktop, dwOptions, pTitle, pMessage);
}

BOOL WINAPI WlxGetStatusMessage(PVOID pWlxContext, DWORD *pdwOptions,
                                PWSTR pMessage, DWORD dwBufferSize)
{
    return pfWlxGetStatusMessage(pWlxContext, pdwOptions, pMessage, dwBufferSize);
}

BOOL WINAPI WlxRemoveStatusMessage(PVOID pWlxContext)
{
    return pfWlxRemoveStatusMessage(pWlxContext);
}

4. Gina DLL Installation

(1) Add a registry value:

    Key name: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    Value name: GinaDLL
    Value type: REG_SZ
    Content: Yourname.dll

(2) Copy the GINA DLL (Yourname.dll) to the system directory (system32).

(3) Restart the computer; the GINA DLL (Yourname.dll) will then run.
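
Because a replacement GINA is loaded purely on the strength of this one registry value, the same value is what to audit on hosts that still use GINA. The function below is an added example, not part of the original article; the function name and the `$Approved` hash allow-list are assumptions, and a bare file name is assumed to live in the system directory.

```powershell
# Added example, not from the original article: report what Winlogon's GinaDLL value loads.
# Assumption: $Approved is a hypothetical allow-list of lower-case SHA-256 hashes of
# GINA replacements deployed on purpose (empty by default).
function Get-GinaDllAudit {
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        [string[]]$Approved = @()
    )

    $result = @{ Status = 'Default'; GinaDLL = $null; Path = $null; Sha256 = $null; Company = $null }

    $gina = (Get-ItemProperty -Path $KeyPath -ErrorAction Stop).GinaDLL
    if (-not $gina) {
        # No GinaDLL value: Winlogon loads the stock MSGINA.DLL.
        return New-Object PSObject -Property $result
    }

    # A bare file name is assumed to be in the system directory, where the
    # installation steps copy the replacement DLL.
    $path = $gina
    if (-not [System.IO.Path]::IsPathRooted($gina)) {
        $path = Join-Path ([Environment]::SystemDirectory) $gina
    }
    $result.GinaDLL = $gina
    $result.Path = $path

    if (-not (Test-Path -LiteralPath $path)) {
        $result.Status = 'MissingFile'
        return New-Object PSObject -Property $result
    }

    # Hash with .NET directly so the function also works on old PowerShell versions.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($path)
    $result.Sha256 = ([BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', '').ToLower()
    $result.Company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName

    if ($Approved -contains $result.Sha256) { $result.Status = 'Approved' }
    else { $result.Status = 'Unapproved' }
    New-Object PSObject -Property $result
}

Get-GinaDllAudit | Format-List Status, GinaDLL, Path, Sha256, Company
```

A `Status` of `Unapproved` or `MissingFile` means the value points at a DLL nobody has signed off on, which warrants a closer look at that file and at when the value was written.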

5. Conclusion

With that, the GINA DLL is complete. After a restart, this prototype calls the functions in Windows' msgina.dll, but in fact every one of them has been hooked by us: each call inevitably passes through our function before the system function is called. The following points are related to this topic:

(1) You can use WlxLoggedOnSAS to block Ctrl + Alt + Del in Windows.

(2) You can intercept the user name and password used for logon in WlxLoggedOutSAS.

(3) With this prototype, you can implement personalized logon authentication, including fingerprint logon (as on ThinkPad laptops) and logon with a specific USB device.
