[Cvsnt] Re: [jakomail at emss.co.za: Re: User context switch in sshd using RSAAuthentication]

Tony Hoyle tmh at nothing-on.tv
Sun Dec 16 15:50:40 GMT 2001

Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.

This is a multi-part message in MIME format.
Corinna Vinschen wrote:

>>There is nothing to stop cvsnt & cygwin hooking the GetUserName() function with an
>>API hook - this is documented quite well in MSDN and would mean that all
>>NT programs which relied on this would return the correct user.
> Hum, that's just another way of workaround but it would be ok
> as long as we don't have a formally correct user context switch.
> Unfortunately I never hooked a Win32 function.  Could you give me
> a pointer here?  Oh, and don't forget to hook LookupAccountSid().

I wrote some code to do it a while back...  I'l see if I can find it.
Ahh here it is... (attached)

The code used to be in MSDN but it looks like it's been deleted since -
if you have an old one you might be able to find the article (from MSJ
December 1994).

> For us?  As I already wrote in private mail to Terris, I asked
> on microsoft mailing lists for that problem and just got no
> response... as usual when asking for anything security related
> developer problems.  I didn't get a response when asking for
> documentation on LSA auth modules and I didn't get a response
> when asking for sample source code.  Too bad.  And I'm not good
> in reverse engineering.  That requires to know i386 assembler
> language...

It's difficult to reverse engineer Windows - you need a kernel level
debugger (SoftICE) & of course to know assembly language (which is the
easy bit, really).  However it should be possible to work out what's
going on... tracing through LogonUser to see what it does that's special
shouldn't be too hard - I've often wondered if there's a simple way of
fooling the password check on that API, thereby bypassing all the
hacking to create fake tokens.

I wouldn't bother with the MS mailing lists.  If you're asking anything
more complex than 'where is the start menu' you're usually met with
deafening silence.  I gave up on them years ago.


[ Hook.c of type text/x-csrc deleted ]

Cvsnt mailing list
Cvsnt at cvsnt.org
http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt https://www.march-hare.com/cvspro/en.asp#downcvs

More information about the cvsnt mailing list
Download the latest CVSNT, TortosieCVS, WinCVS etc. for Windows 8 etc.
@CVSNT on Twitter   CVSNT on Facebook