(Update: after compiling and running the program in this post, be aware that the Administrator account may end up with active=no; undocumented, undocumented........ haha)
I wanted to write a tool that modifies the local security policy. I assumed editing the registry would be enough, but it turned out to be more complicated: change a policy and the corresponding registry entries change, but do it the other way round, change the corresponding registry entries, and the policy does not change. Frustrating.
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account]
"F"=hex:02,00,01,00,00,00,00,00,e0,7c,9e,21,1a,12,c6,01,43,00,00,00,00,00,00,\    bytes 0 ~ 22   (byte 16 = modification count)
  00,00,80,d2,16,47,b9,ff,ff,00,80,2c,ab,6d,fe,ff,ff,00,00,00,00,00,00,00,80,\    bytes 23 ~ 47
  00,cc,1d,cf,fb,ff,ff,ff,00,cc,1d,cf,fb,ff,ff,ff,00,00,00,00,00,00,00,00,f1,\    bytes 48 ~ 72
  03,00,00,00,00,00,00,02,00,18,00,00,00,00,00,01,00,00,00,03,00,00,00,01,00,\    bytes 73 ~ 97
           ^^          ^
           ||          |__ minimum password length
           ||
           ||__ password must meet complexity requirements (0 = disabled)
           |___ store passwords using reversible encryption
bytes 76 and 80
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5]
"F"=hex:02,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,80,c6,50,1f,2b,12,c6,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  f5,01,00,00,01,02,00,00,15,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
                          ^
                          |____ Guest account (15 = disabled, 14 = enabled)
byte 56
For example, byte 76:
when it is 0: "Password must meet complexity requirements - Disabled" & "Store passwords using reversible encryption - Disabled"
when it is 14 (hex): "Password must meet complexity requirements - Disabled" & "Store passwords using reversible encryption - Enabled"
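As an added example (not code from the post), here is a Python decoder for the two "F" values above: it joins the backslash-continued lines of a regedit export, reads the fields mapped out above (byte 16, byte 76 with its two flag bits, byte 80, and byte 56 of the user value) and flags weak password settings the way a policy review would. The next-RID field at 0x48 and the constant names are taken from the standard SAM layout and are assumptions, not something the post states; the sample export is constructed from the post's dump.

```python
import re

# Bits of the password-properties DWORD at byte 76 of Domains\Account\F (as identified
# in the post): bit 0 = complexity required, bit 4 = reversible encryption.
DOMAIN_PASSWORD_COMPLEX = 0x01
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10
USER_ACCOUNT_DISABLED = 0x01  # bit 0 of the flags byte at offset 56 (0x15 disabled, 0x14 enabled)

# Constructed sample: the two values from the post's regedit export, truncated as shown there.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account]
"F"=hex:02,00,01,00,00,00,00,00,e0,7c,9e,21,1a,12,c6,01,43,00,00,00,00,00,00,\
  00,00,80,d2,16,47,b9,ff,ff,00,80,2c,ab,6d,fe,ff,ff,00,00,00,00,00,00,00,80,\
  00,cc,1d,cf,fb,ff,ff,ff,00,cc,1d,cf,fb,ff,ff,ff,00,00,00,00,00,00,00,00,f1,\
  03,00,00,00,00,00,00,02,00,18,00,00,00,00,00,01,00,00,00,03,00,00,00,01,00,\
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5]
"F"=hex:02,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,80,c6,50,1f,2b,12,c6,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  f5,01,00,00,01,02,00,00,15,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
"""
HEX_LINE = re.compile(r"^[0-9a-fA-F]{2},")

def parse_reg_hex(reg_text, key, value_name="F"):
    """Bytes of REG_BINARY `value_name` under section `key`; joins the
    backslash-continued lines that regedit writes for long hex: values."""
    prefix = '"%s"=hex:' % value_name
    lines = [ln.strip() for ln in reg_text.splitlines()]
    section, i = None, 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == key and line.startswith(prefix):
            chunks = [line[len(prefix):]]
            while (chunks[-1].endswith("\\") and i + 1 < len(lines)
                   and HEX_LINE.match(lines[i + 1])):
                i += 1
                chunks.append(lines[i])
            joined = "".join(c.rstrip("\\") for c in chunks)
            return bytes(int(t, 16) for t in joined.split(",") if t.strip())
        i += 1
    raise ValueError("%s\\%s not found" % (key, value_name))

def decode_domain_f(f):
    """Fields of Domains\\Account\\F; next_rid (0x48) is standard SAM layout, an assumption."""
    if len(f) < 82:
        raise ValueError("domain F too short: %d bytes" % len(f))
    props = int.from_bytes(f[76:80], "little")                      # byte 76
    return {"modified_count": int.from_bytes(f[16:24], "little"),   # byte 16
            "next_rid": int.from_bytes(f[72:76], "little"),
            "password_complexity": bool(props & DOMAIN_PASSWORD_COMPLEX),
            "reversible_encryption": bool(props & DOMAIN_PASSWORD_STORE_CLEARTEXT),
            "min_password_length": int.from_bytes(f[80:82], "little")}  # byte 80

def decode_user_f(f):
    """Users\\<rid>\\F: RID at byte 48 (matches the key name), account flags at byte 56."""
    if len(f) < 58:
        raise ValueError("user F too short: %d bytes" % len(f))
    return {"rid": int.from_bytes(f[48:52], "little"), "flags": f[56],
            "disabled": bool(f[56] & USER_ACCOUNT_DISABLED)}

def policy_findings(domain, min_length=8):
    """What a reviewer would flag: complexity off, reversible storage on, short minimum."""
    findings = []
    if not domain["password_complexity"]:
        findings.append("password complexity requirement is disabled")
    if domain["reversible_encryption"]:
        findings.append("passwords are stored with reversible encryption")
    if domain["min_password_length"] < min_length:
        findings.append("minimum password length %d is below %d" % (domain["min_password_length"], min_length))
    return findings
```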
Some settings, such as password length and lockout, can be handled with NetUserModalsSet using the USER_MODALS_INFO_0 and USER_MODALS_INFO_3 structures.
Audit policy is easy too, with LsaSetInformationPolicy; there is ready-made code for all of these.
But "Password must meet complexity requirements" and "Store passwords using reversible encryption" under Account Policies -> Password Policy, plus everything under Security Options, seem to have no public documentation.
I did not expect that writing this lousy little tool would require undocumented API functions. I had searched the web for related code or documentation first; after N days on Google and MSDN there were people asking but nobody answering, or the answers missed the point, so I had no choice but to work it out myself.
Earlier, using apimonitor (there are N tools of this kind, none of them good, and this one is not great either), I captured the following while changing the policy:
API Name                   Return Value   Module Name                      Time Start          IsEntry API
Process: c:\windows\system32\mmc.exe(5052) , Thread:2976
SceGetServerProductType    0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:38  True
SceGetServerProductType    0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:38  True
SceGetServerProductType    0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:38  True
SceGetServerProductType    0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:38  True
SceGetServerProductType    0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:38  True
SceGetServerProductType    0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:38  True
SceOpenProfile             0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:38  True
SceGetSecurityProfileInfo  6 (0x6)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:38  True
SceFreeMemory              0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:38  True
SceGetSecurityProfileInfo  0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:38  True
SceFreeMemory              0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:38  True
SceGetServerProductType    0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:11:34  True
SceGetServerProductType    0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:11:34  True
SceGetServerProductType    0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:11:34  True
SceRollbackTransaction     12 (0xC)       C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:11:55  True
SceCloseProfile            0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:11:55  True
SceFreeProfileMemory       0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:11:55  True
SceFreeProfileMemory       0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:11:55  True
SceFreeProfileMemory       0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:11:55  True
SceFreeProfileMemory       1 (0x1)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:11:55  True
Process: c:\windows\system32\mmc.exe(5052) , Thread:3928
SceOpenProfile             0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:49  True
SceGetSecurityProfileInfo  0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:49  True
SceCloseProfile            0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:49  True
SceFreeMemory              0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:49  True
SceFreeMemory              0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:49  True
SceFreeMemory              0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:56  True
SceUpdateSecurityProfile   0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:56  True
Process: c:\windows\system32\mmc.exe(5052) , Thread:5472
SceFreeMemory              0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:11:43  True
SceUpdateSecurityProfile   0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:11:43  True
Summary Information
API Name: SceOpenProfile
API Define: (Undefine API)
Time Start: 00:11:49.015
Duration: 0.000 ms
Module Name: C:\WINDOWS\system32\SCECLI.dll
Is Entry API: True
Process: C:\WINDOWS\system32\mmc.exe
Thread: 4152
Before Call Parameters
Pointer Paramter0: 29449864 (0x1C15E88)
Pointer Paramter1: 1 (0x1)
Pointer Paramter2: 23981584 (0x16DEE10)
Pointer Paramter3: (null)
Pointer Paramter4: 8629392 (0x83AC90)
Pointer Paramter5: (null)
After Call Parameters
Pointer Paramter0: 29449864 (0x1C15E88)
Pointer Paramter1: 1 (0x1)
Pointer Paramter2: 23981584 (0x16DEE10)
Pointer Paramter3: (null)
Pointer Paramter4: 8629392 (0x83AC90)
Pointer Paramter5: (null)
Return
0 (0x0)
Summary Information
API Name: SceGetSecurityProfileInfo
API Define: (Undefine API)
Time Start: 00:11:49.015
Duration: 0.001 ms
Module Name: C:\WINDOWS\system32\SCECLI.dll
Is Entry API: True
Process: C:\WINDOWS\system32\mmc.exe
Thread: 4152
Before Call Parameters
Pointer Paramter0: 688576 (0xA81C0)
Pointer Paramter1: 302 (0x12E)
Pointer Paramter2: 65535 (0xFFFF)
Pointer Paramter3: 8629480 (0x83ACE8)
Pointer Paramter4: 23981572 (0x16DEE04)
Pointer Paramter5: 2088955995 (0x7C82F05B)
After Call Parameters
Pointer Paramter0: 688576 (0xA81C0)
Pointer Paramter1: 302 (0x12E)
Pointer Paramter2: 65535 (0xFFFF)
Pointer Paramter3: 8629480 (0x83ACE8)
Pointer Paramter4: 23981572 (0x16DEE04)
Pointer Paramter5: 2088955995 (0x7C82F05B)
Return
0 (0x0)
GetLastError
Value:3758096642
Description:
Summary Information
API Name: SceCloseProfile
API Define: (Undefine API)
Time Start: 00:11:49.109
Duration: 0.000 ms
Module Name: C:\WINDOWS\system32\SCECLI.dll
Is Entry API: True
Process: C:\WINDOWS\system32\mmc.exe
Thread: 4152
Before Call Parameters
Pointer Paramter0: 23981584 (0x16DEE10)
Pointer Paramter1: 2088955995 (0x7C82F05B)
Pointer Paramter2: 8629392 (0x83AC90)
Pointer Paramter3: 8570560 (0x82C6C0)
Pointer Paramter4: 8629296 (0x83AC30)
Pointer Paramter5: 302124616 (0x12020E48)
After Call Parameters
Pointer Paramter0: 23981584 (0x16DEE10)
Pointer Paramter1: 2088955995 (0x7C82F05B)
Pointer Paramter2: 8629392 (0x83AC90)
Pointer Paramter3: 8570560 (0x82C6C0)
Pointer Paramter4: 8629296 (0x83AC30)
Pointer Paramter5: 302124616 (0x12020E48)
Return
0 (0x0)
Summary Information
API Name: SceAddToNameStatusList
API Define: (Undefine API)
Time Start: 00:11:49.109
Duration: 0.000 ms
Module Name: C:\WINDOWS\system32\SCECLI.dll
Is Entry API: True
Process: C:\WINDOWS\system32\mmc.exe
Thread: 4152
Before Call Parameters
Pointer Paramter0: 23981476 (0x16DEDA4)
Pointer Paramter1: 787520 (0xC0440)
Pointer Paramter2: 76 (0x4C)
Pointer Paramter3: 1 (0x1)
Pointer Paramter4: (null)
Pointer Paramter5: 8629392 (0x83AC90)
After Call Parameters
Pointer Paramter0: 23981476 (0x16DEDA4)
Pointer Paramter1: 787520 (0xC0440)
Pointer Paramter2: 76 (0x4C)
Pointer Paramter3: 1 (0x1)
Pointer Paramter4: (null)
Pointer Paramter5: 8629392 (0x83AC90)
Return
0 (0x0)
Summary Information
API Name: SceFreeMemory
API Define: (Undefine API)
Time Start: 00:11:49.109
Duration: 0.000 ms
Module Name: C:\WINDOWS\system32\SCECLI.dll
Is Entry API: True
Process: C:\WINDOWS\system32\mmc.exe
Thread: 4152
Before Call Parameters
Pointer Paramter0: 1514080 (0x171A60)
Pointer Paramter1: 311 (0x137)
Pointer Paramter2: (null)
Pointer Paramter3: 8629392 (0x83AC90)
Pointer Paramter4: (null)
Pointer Paramter5: 4 (0x4)
After Call Parameters
Pointer Paramter0: 1514080 (0x171A60)
Pointer Paramter1: 311 (0x137)
Pointer Paramter2: (null)
Pointer Paramter3: 8629392 (0x83AC90)
Pointer Paramter4: (null)
Pointer Paramter5: 4 (0x4)
Return
0 (0x0)
Summary Information
API Name: SceUpdateSecurityProfile
API Define: (Undefine API)
Time Start: 00:11:52.203
Duration: 0.000 ms
Module Name: C:\WINDOWS\system32\SCECLI.dll
Is Entry API: True
Process: C:\WINDOWS\system32\mmc.exe
Thread: 4152
Before Call Parameters
Pointer Paramter0: (null)
Pointer Paramter1: 1 (0x1)
Pointer Paramter2: 28866104 (0x1B87638)
Pointer Paramter3: 4 (0x4)
Pointer Paramter4: (null)
Pointer Paramter5: 8629056 (0x83AB40)
After Call Parameters
Pointer Paramter0: (null)
Pointer Paramter1: 1 (0x1)
Pointer Paramter2: 28866104 (0x1B87638)
Pointer Paramter3: 4 (0x4)
Pointer Paramter4: (null)
Pointer Paramter5: 8629056 (0x83AB40)
Return
0 (0x0)
The frustrating part is that the before-call and after-call parameters are identical; I do not know whether that is a problem with the tool or because it is unregistered.
I asked czy for help and he reversed it a bit. An expert is an expert: before long he gave me a piece of asm code that takes care of the password-complexity policy.
.386
.model stdcall,flat
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc
include \masm32\include\shlwapi.inc
include \masm32\include\shell32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib
includelib \masm32\lib\shlwapi.lib
includelib \masm32\lib\shell32.lib
.const
.data
nini    db 'a',0
seclib  db 'scecli.dll',0
myapi   db 'SceUpdateSecurityProfile',0
; policy buffer passed as the third argument; lives in the writable .data section
mydata  db 2eh,01h,00h,00h,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,00h,00h,00h,00h,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,00h,00h,00h,00h
; offset 10h: 0 = disabled, 1 = enabled
.data?
.code
start:

    invoke  MessageBox,0,offset nini,offset nini,1
    invoke  LoadLibraryA,offset seclib
    invoke  GetProcAddress,eax,offset myapi
    mov     esi,eax                 ; esi = SceUpdateSecurityProfile
    ; stdcall: arguments pushed right to left, i.e. call(0, 1, mydata, 4)
    push    4
    mov     eax,offset mydata
    push    eax
    xor     edi,edi
    inc     edi
    push    edi
    xor     ebx,ebx
    push    ebx
    call    esi
    invoke  ExitProcess,0
end start
It assembled and ran without problems. OK, so I converted it to a C++ version, which kept failing with "memory cannot be written" (inline assembly did not help either). I asked 小榕 as well; it looked like a problem with how the variable was defined.
Tracing with OllyDbg (OD) showed that in the exe built from the asm version, mydata lives in the writable .data section, whereas in the C++ version it sits in the read-only .rdata section. Patching the data in OD made the call succeed, so I then changed the C++ code:
#include <stdio.h>
#include <string.h>
#include <windows.h>

// Copy of the policy buffer on the heap: heap memory is writable, unlike the
// string literal itself, which the compiler places in the read-only .rdata section.
char *sam2;

int main()
{
    // Zero-initialise the whole block: the bytes after the 49-byte payload must be 0.
    sam2 = new char[99]();
    const char *sam =
        "\x2e\x01\x00\x00\xfe\xff\xff\xff"
        "\xfe\xff\xff\xff\xfe\xff\xff\xff"
        "\x00\x00\x00\x00\xfe\xff\xff\xff"   // offset 0x10: 0 = disabled, 1 = enabled
        "\xfe\xff\xff\xff\xfe\xff\xff\xff"
        "\xfe\xff\xff\xff\xfe\xff\xff\xff"
        "\xfe\xff\xff\xff\x00\x00\x00\x00";
    memcpy(sam2, sam, 49);
    HINSTANCE hInst = LoadLibraryA("scecli.dll");
    if (hInst == NULL) {
        printf("LoadLibraryA(scecli.dll) failed: %lu\n", GetLastError());
        return 1;
    }
    // Undocumented export; the signature is inferred from the asm version (stdcall, four arguments).
    typedef BOOL (__stdcall *MYFUNC)(int, int, char*, int);
    MYFUNC fun = (MYFUNC)GetProcAddress(hInst, "SceUpdateSecurityProfile");
    if (fun == NULL) {
        printf("SceUpdateSecurityProfile not found: %lu\n", GetLastError());
        return 1;
    }
    int i = 4;
    fun(NULL, TRUE, sam2, i);
/*  __asm
    {
        mov esi,fun
        push 4
        mov eax,sam2
        push eax
        xor edi,edi
        inc edi
        push edi
        xor ebx,ebx
        push ebx
        call esi
    }
*/
    delete[] sam2;
    FreeLibrary(hInst);
    return 0;
}
Or:
#include <stdio.h>
#include <windows.h>

// Defined as a global array rather than a pointer to a string literal: the array
// itself is placed in the writable .data section, so scecli.dll can write to it.
// Everything after the 48-byte payload is deliberately left as zero bytes.
char sam[] =
    "\x2e\x01\x00\x00\xfe\xff\xff\xff"
    "\xfe\xff\xff\xff\xfe\xff\xff\xff"
    "\x10\x00\x00\x00\xfe\xff\xff\xff"
    "\xfe\xff\xff\xff\xfe\xff\xff\xff"
    "\xfe\xff\xff\xff\xfe\xff\xff\xff"
    "\xfe\xff\xff\xff\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00";

int main()
{
    HINSTANCE hInst = LoadLibraryA("scecli.dll");
    if (hInst == NULL) {
        printf("LoadLibraryA(scecli.dll) failed: %lu\n", GetLastError());
        return 1;
    }
    // Undocumented export; the signature is inferred from the asm version (stdcall, four arguments).
    typedef BOOL (__stdcall *MYFUNC)(int, int, char*, int);
    MYFUNC fun = (MYFUNC)GetProcAddress(hInst, "SceUpdateSecurityProfile");
    if (fun == NULL) {
        printf("SceUpdateSecurityProfile not found: %lu\n", GetLastError());
        return 1;
    }
    printf("sam=%p\n", (void *)sam);   // address of the buffer, for checking the section in OD
    fun(NULL, TRUE, sam, 4);
/*  __asm
    {
        mov esi,fun
        push 4
        mov eax,sam2
        push eax
        xor edi,edi
        inc edi
        push edi
        xor ebx,ebx
        push ebx
        call esi
    }
*/
    FreeLibrary(hInst);
    return 0;
}
I found that if any other data follows the third parameter of SceUpdateSecurityProfile the call fails, while a long run of \x00 bytes after it passes. That is as far as you can get with an undocumented API; the third parameter is presumably some structure. It worked on my Windows 2003 CN SP1 (after it runs, the "password complexity" item in the local policy becomes disabled, and some other policies such as audit policy change as well; each position in the third parameter presumably corresponds to a different policy, while Security Options do not seem to change). On 小榕's Windows 2003 EN SP1 it did not work. My guess is that this function is too low-level and there should be a higher-level function that first checks the OS version, picks the parameters accordingly, and only then calls SceUpdateSecurityProfile.
The contents of Security Options are probably handled by other functions; when I have time I will SoftICE those too.
Finally, here is a piece of code about where variables end up in memory once they are defined; it may come in handy some day.
//main.cpp
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int a = 0;                   // global, initialised data area (.data)
char *p1;                    // global, uninitialised data area (.bss)

int main(void)
{
    int b;                   // stack
    char s[] = "abc";        // stack (the "abc" bytes are copied into the array)
    char *p2;                // stack
    char *p3 = "123456";     // "123456\0" is in the constant area; p3 itself is on the stack
    static int c = 0;        // global (static) initialised data area
    p1 = (char *)malloc(10);
    p2 = (char *)malloc(20); // the 10- and 20-byte regions obtained here are on the heap
    strcpy(p1, "123456");    // "123456\0" is in the constant area; the compiler may merge it
                             // with the "123456" that p3 points to
    b = a + c;
    printf("%s %s %s %d\n", s, p1, p3, b);
    free(p1);
    free(p2);
    return 0;
}
Global, defined as a pointer:
char *str = "\x20\x20\x20\x20\x20\x20\x20\x20";
str itself is in the .data section and is a pointer: its content is an address (in the .rdata section), and that address points to the string bytes.
Global, defined as an array:
char str[] = "\x20\x20\x20\x20\x20\x20\x20\x20";
str is in the .data section and holds the string bytes directly (it is the array, not a pointer), which is why this form is writable.
Audit policy change: Success, Failure
Audit logon events: Success, Failure
Audit object access: Failure
Audit process tracking: No auditing
Audit directory service access: Failure
Audit privilege use: Failure
Audit system events: Success, Failure
Audit account logon events: Success, Failure
Audit account management: Success, Failure
Account policy enabled
Reset account lockout counter after: 30 minutes
Account lockout duration: 30 minutes
Account lockout threshold: 30 attempts