#include <windows.h>
#include <Ntsecapi.h>
#include <stdio.h>
#pragma comment(lib, "Secur32.lib")
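/*
 * Audit helper: reports whether the account of the user running this process
 * accepts a blank password.
 *
 * The user name is read with GetUserNameW, the LSA logon-session list is
 * scanned for sessions belonging to that user, and for every match LogonUserW
 * is attempted with a NULL password and a network logon type.
 *
 * Return value (process exit status): the result of the last matching session,
 * i.e. non-zero when the blank-password logon succeeded or failed with
 * ERROR_ACCOUNT_RESTRICTION, FALSE (0) otherwise and on any earlier failure.
 */
int
main(void)
{
    WCHAR UserName[256] = {0};
    ULONG UserNameLength = 256;   /* in: capacity in WCHARs; out: chars copied, NUL included */
    BOOL bRet = FALSE;
    NTSTATUS status = 0;
    ULONG SessionCount = 0;
    PLUID SessionList = NULL;     /* base of the LSA array; freed unchanged after the loop */
    PSECURITY_LOGON_SESSION_DATA SessionData = NULL;
    DWORD ErrorCode = 0;

    bRet = GetUserNameW(UserName, &UserNameLength);
    if (!bRet) {
        ErrorCode = GetLastError();
        fprintf(stderr, "GetUserNameW failed: %lu\n", (unsigned long)ErrorCode);
        return FALSE;
    }
    if (UserNameLength < 2) {
        /* Only the terminating NUL was returned: nothing to match against. */
        return FALSE;
    }
    /* UserNameLength counts the terminating NUL; compare name characters only. */
    const ULONG NameChars = UserNameLength - 1;

    status = LsaEnumerateLogonSessions(&SessionCount, &SessionList);
    if (status != 0) {
        return FALSE;
    }

    for (ULONG Index = 0; Index < SessionCount; Index++) {
        /* Index into the array rather than advancing SessionList: the original
         * base pointer is what LsaFreeReturnBuffer must receive afterwards. */
        status = LsaGetLogonSessionData(&SessionList[Index], &SessionData);
        if (status != 0) {
            /* Sessions of other users are not readable from a medium-integrity
             * process (see note 1 below), so skipping is the expected path. */
            continue;
        }

        /* UNICODE_STRING.Length is in bytes and Buffer need not be NUL-terminated,
         * so require an exact length match before the bounded compare. */
        if (SessionData->UserName.Length == NameChars * sizeof(WCHAR) &&
            _wcsnicmp(UserName, SessionData->UserName.Buffer, NameChars) == 0) {
            HANDLE UserToken = NULL;
            /* NOTE(review): LogonDomain.Buffer is passed as a NUL-terminated
             * string; UNICODE_STRING does not guarantee that — confirm for LSA data. */
            bRet = LogonUserW(UserName, SessionData->LogonDomain.Buffer, NULL,
                              LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT,
                              &UserToken);
            if (bRet) {
                CloseHandle(UserToken);
            } else if (GetLastError() == ERROR_ACCOUNT_RESTRICTION) {
                /* Blank-password accounts are refused network logon by policy;
                 * note 2 below records this error as the blank-password signal
                 * on Windows 10, so it counts as a positive result. */
                bRet = TRUE;
            }
        }
        LsaFreeReturnBuffer(SessionData);
        SessionData = NULL;
    }
    LsaFreeReturnBuffer(SessionList);
    SessionList = NULL;

    getchar();   /* keep the console window open until a key is pressed */
    return bRet;
}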
1. LsaGetLogonSessionData()
- Win7下,此段程序可以獲取所有的SessionData
- Win10下,只能獲取當前SessionData
- 以上結論錯誤,和系統版本無關,是因爲UAC,能獲取所有SessionData說明使用管理員權限啓動進程,完整性標籤爲High;正常權限啓動,完整性標籤爲Medium,拿不到其他SessionData信息返回拒絕訪問。
2. LogonUser()
- Win7下,可以使用LOGON32_LOGON_NETWORK,進行空密碼的試探登陸,類似於ipc$連接,如果密碼確實爲空則登陸成功
- Win10下,使用LOGON32_LOGON_NETWORK則依然會報ERROR_ACCOUNT_RESTRICTION錯誤,和使用高權限登陸(LOGON32_LOGON_INTERACTIVE)進行空密碼登陸一樣的錯誤