(Update: after compiling and running the program in this post, keep an eye on the administrator account: it may end up as active=no. Undocumented, undocumented... haha)
I wanted to write a tool that modifies the local security policy. I assumed editing the registry would be enough, but it turned out to be more involved: change a policy and the corresponding registry entry changes, but the reverse does not hold; change the registry entry and the policy stays the same. Frustrating.
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account]
                                                        |---- modification count
"F"=hex:02,00,01,00,00,00,00,00,e0,7c,9e,21,1a,12,c6,01,43,00,00,00,00,00,00,\    bytes 0 ~ 22
  00,00,80,d2,16,47,b9,ff,ff,00,80,2c,ab,6d,fe,ff,ff,00,00,00,00,00,00,00,80,\    bytes 23 ~ 47
  00,cc,1d,cf,fb,ff,ff,ff,00,cc,1d,cf,fb,ff,ff,ff,00,00,00,00,00,00,00,00,f1,\    bytes 48 ~ 72
  03,00,00,00,00,00,00,02,00,18,00,00,00,00,00,01,00,00,00,03,00,00,00,01,00,\    bytes 73 ~ 97
           ^^          ^
           ||          |__ minimum password length
           ||
           ||__ password must meet complexity requirements (0 = disabled)
           |___ store passwords using reversible encryption
Bytes 76 and 80.
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5]
"F"=hex:02,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\    bytes 0 ~ 22
  00,80,c6,50,1f,2b,12,c6,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\    bytes 23 ~ 47
  f5,01,00,00,01,02,00,00,15,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\    bytes 48 ~ 72
                          ^
                          |____ Guest account (15 = disabled, 14 = enabled)
Byte 56.
Take byte 76, for example:
when it is 0, the result is "Password must meet complexity requirements - Disabled" and "Store passwords using reversible encryption - Disabled";
when it is 14 (hex, as it appears in the dump), it is "Password must meet complexity requirements - Disabled" and "Store passwords using reversible encryption - Enabled".
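As an added example (not code from the original post), here is a small Python decoder for the two F values above that reads them straight from a .reg export using the byte positions the post works out (16, 76, 80 and 56), so the policy state can be audited instead of eyeballed in hex. The field and flag names (DOMAIN_PASSWORD_COMPLEX, DOMAIN_PASSWORD_STORE_CLEARTEXT, USER_ACCOUNT_DISABLED) and the history/lockout fields are my assumption, taken from the commonly published SAM F layout, not from the post.

```python
import struct

# Constructed input: the two F values as they appear in the post's .reg export,
# joined into one line each (the trailing "\" continuation markers removed).
DOMAIN_F_HEX = (
    "02,00,01,00,00,00,00,00,e0,7c,9e,21,1a,12,c6,01,43,00,00,00,00,00,00,"
    "00,00,80,d2,16,47,b9,ff,ff,00,80,2c,ab,6d,fe,ff,ff,00,00,00,00,00,00,00,80,"
    "00,cc,1d,cf,fb,ff,ff,ff,00,cc,1d,cf,fb,ff,ff,ff,00,00,00,00,00,00,00,00,f1,"
    "03,00,00,00,00,00,00,02,00,18,00,00,00,00,00,01,00,00,00,03,00,00,00,01,00"
)
GUEST_F_HEX = (
    "02,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,"
    "00,80,c6,50,1f,2b,12,c6,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,"
    "f5,01,00,00,01,02,00,00,15,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00"
)

# Bit names are an assumption (MS-SAMR DOMAIN_PASSWORD_* / USER_ACCOUNT_* values);
# the post itself only gives the observed byte values 0 / 0x14 and 0x15 / 0x14.
DOMAIN_PASSWORD_COMPLEX = 0x00000001          # "must meet complexity requirements"
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x00000010  # "store using reversible encryption"
USER_ACCOUNT_DISABLED = 0x00000001


def reg_hex_to_bytes(text):
    """Parse the body of a REG_BINARY 'hex:aa,bb,...' value into bytes."""
    return bytes(int(tok, 16) for tok in text.replace("\\", "").split(",") if tok.strip())


def parse_domain_f(blob):
    """Decode Domains\\Account\\F: byte 16 = modified count, byte 76 = password
    properties, byte 80 = minimum password length (the post's annotations)."""
    if len(blob) < 86:
        raise ValueError("domain F value too short")
    props = struct.unpack_from("<I", blob, 76)[0]
    min_len, history, lockout = struct.unpack_from("<HHH", blob, 80)
    return {
        "modified_count": struct.unpack_from("<Q", blob, 16)[0],
        "password_properties": props,
        "complexity_required": bool(props & DOMAIN_PASSWORD_COMPLEX),
        "reversible_encryption": bool(props & DOMAIN_PASSWORD_STORE_CLEARTEXT),
        "min_password_length": min_len,
        "password_history_length": history,  # assumed field, not in the post
        "lockout_threshold": lockout,        # assumed field, not in the post
    }


def parse_user_f(blob):
    """Decode Users\\<rid>\\F: byte 48 = RID, byte 56 = account control flags
    (the post: 0x15 = Guest disabled, 0x14 = enabled)."""
    if len(blob) < 58:
        raise ValueError("user F value too short")
    rid = struct.unpack_from("<I", blob, 48)[0]
    acb = struct.unpack_from("<H", blob, 56)[0]
    return {"rid": rid, "account_control": acb,
            "disabled": bool(acb & USER_ACCOUNT_DISABLED)}


def audit_findings(domain, user):
    """Weak settings a reviewer of a SAM export would want called out."""
    findings = []
    if not domain["complexity_required"]:
        findings.append("password complexity disabled")
    if domain["reversible_encryption"]:
        findings.append("passwords stored with reversible encryption")
    if domain["min_password_length"] < 8:
        findings.append("minimum password length %d" % domain["min_password_length"])
    if user["rid"] == 501 and not user["disabled"]:
        findings.append("Guest account enabled")
    return findings


if __name__ == "__main__":
    domain = parse_domain_f(reg_hex_to_bytes(DOMAIN_F_HEX))
    guest = parse_user_f(reg_hex_to_bytes(GUEST_F_HEX))
    for finding in audit_findings(domain, guest):
        print("FINDING:", finding)
```

On the post's own dump this reports complexity disabled and a minimum password length of 2, while the Guest entry (RID 501, flags 0x0215) decodes as disabled.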
Some settings, such as password length and lockout, can be handled with NetUserModalsSet using the USER_MODALS_INFO_0 and USER_MODALS_INFO_3 structures.
Audit policy is easy too, with LsaSetInformationPolicy; ready-made code exists for both.
But "Password must meet complexity requirements" and "Store passwords using reversible encryption" under Account Policies -> Password Policy, and the items under Security Options, seem to have no public documentation.
I never expected that writing this little tool would require undocumented API functions. I had searched for related code or documentation, spending N days on Google and MSDN: plenty of people asking, nobody answering, or answers that missed the question. No choice but to work it out myself.
Earlier, using apimonitor (there are N tools of this kind, none of them good, and this one is not great either), I captured the following while changing the policy:
API Name                   Return Value   Module Name                      Time Start          IsEntry API
Process: c:\windows\system32\mmc.exe(5052) , Thread:2976
SceGetServerProductType    0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:38  True
SceGetServerProductType    0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:38  True
SceGetServerProductType    0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:38  True
SceGetServerProductType    0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:38  True
SceGetServerProductType    0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:38  True
SceGetServerProductType    0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:38  True
SceOpenProfile             0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:38  True
SceGetSecurityProfileInfo  6 (0x6)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:38  True
SceFreeMemory              0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:38  True
SceGetSecurityProfileInfo  0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:38  True
SceFreeMemory              0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:38  True
SceGetServerProductType    0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:11:34  True
SceGetServerProductType    0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:11:34  True
SceGetServerProductType    0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:11:34  True
SceRollbackTransaction     12 (0xC)       C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:11:55  True
SceCloseProfile            0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:11:55  True
SceFreeProfileMemory       0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:11:55  True
SceFreeProfileMemory       0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:11:55  True
SceFreeProfileMemory       0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:11:55  True
SceFreeProfileMemory       1 (0x1)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:11:55  True
Process: c:\windows\system32\mmc.exe(5052) , Thread:3928
SceOpenProfile             0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:49  True
SceGetSecurityProfileInfo  0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:49  True
SceCloseProfile            0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:49  True
SceFreeMemory              0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:49  True
SceFreeMemory              0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:49  True
SceFreeMemory              0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:56  True
SceUpdateSecurityProfile   0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:10:56  True
Process: c:\windows\system32\mmc.exe(5052) , Thread:5472
SceFreeMemory              0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:11:43  True
SceUpdateSecurityProfile   0 (0x0)        C:\WINDOWS\system32\SCECLI.dll   2008-1-27 23:11:43  True

Summary Information
API Name: SceOpenProfile
API Define: (Undefine API)
Time Start: 00:11:49.015
Duration: 0.000 ms
Module Name: C:\WINDOWS\system32\SCECLI.dll
Is Entry API: True
Process: C:\WINDOWS\system32\mmc.exe
Thread: 4152
Before Call Parameters
Pointer Paramter0: 29449864 (0x1C15E88)
Pointer Paramter1: 1 (0x1)
Pointer Paramter2: 23981584 (0x16DEE10)
Pointer Paramter3: (null)
Pointer Paramter4: 8629392 (0x83AC90)
Pointer Paramter5: (null)
After Call Parameters
Pointer Paramter0: 29449864 (0x1C15E88)
Pointer Paramter1: 1 (0x1)
Pointer Paramter2: 23981584 (0x16DEE10)
Pointer Paramter3: (null)
Pointer Paramter4: 8629392 (0x83AC90)
Pointer Paramter5: (null)
Return
0 (0x0)

Summary Information
API Name: SceGetSecurityProfileInfo
API Define: (Undefine API)
Time Start: 00:11:49.015
Duration: 0.001 ms
Module Name: C:\WINDOWS\system32\SCECLI.dll
Is Entry API: True
Process: C:\WINDOWS\system32\mmc.exe
Thread: 4152
Before Call Parameters
Pointer Paramter0: 688576 (0xA81C0)
Pointer Paramter1: 302 (0x12E)
Pointer Paramter2: 65535 (0xFFFF)
Pointer Paramter3: 8629480 (0x83ACE8)
Pointer Paramter4: 23981572 (0x16DEE04)
Pointer Paramter5: 2088955995 (0x7C82F05B)
After Call Parameters
Pointer Paramter0: 688576 (0xA81C0)
Pointer Paramter1: 302 (0x12E)
Pointer Paramter2: 65535 (0xFFFF)
Pointer Paramter3: 8629480 (0x83ACE8)
Pointer Paramter4: 23981572 (0x16DEE04)
Pointer Paramter5: 2088955995 (0x7C82F05B)
Return
0 (0x0)
GetLastError
Value:3758096642
Description:

Summary Information
API Name: SceCloseProfile
API Define: (Undefine API)
Time Start: 00:11:49.109
Duration: 0.000 ms
Module Name: C:\WINDOWS\system32\SCECLI.dll
Is Entry API: True
Process: C:\WINDOWS\system32\mmc.exe
Thread: 4152
Before Call Parameters
Pointer Paramter0: 23981584 (0x16DEE10)
Pointer Paramter1: 2088955995 (0x7C82F05B)
Pointer Paramter2: 8629392 (0x83AC90)
Pointer Paramter3: 8570560 (0x82C6C0)
Pointer Paramter4: 8629296 (0x83AC30)
Pointer Paramter5: 302124616 (0x12020E48)
After Call Parameters
Pointer Paramter0: 23981584 (0x16DEE10)
Pointer Paramter1: 2088955995 (0x7C82F05B)
Pointer Paramter2: 8629392 (0x83AC90)
Pointer Paramter3: 8570560 (0x82C6C0)
Pointer Paramter4: 8629296 (0x83AC30)
Pointer Paramter5: 302124616 (0x12020E48)
Return
0 (0x0)

Summary Information
API Name: SceAddToNameStatusList
API Define: (Undefine API)
Time Start: 00:11:49.109
Duration: 0.000 ms
Module Name: C:\WINDOWS\system32\SCECLI.dll
Is Entry API: True
Process: C:\WINDOWS\system32\mmc.exe
Thread: 4152
Before Call Parameters
Pointer Paramter0: 23981476 (0x16DEDA4)
Pointer Paramter1: 787520 (0xC0440)
Pointer Paramter2: 76 (0x4C)
Pointer Paramter3: 1 (0x1)
Pointer Paramter4: (null)
Pointer Paramter5: 8629392 (0x83AC90)
After Call Parameters
Pointer Paramter0: 23981476 (0x16DEDA4)
Pointer Paramter1: 787520 (0xC0440)
Pointer Paramter2: 76 (0x4C)
Pointer Paramter3: 1 (0x1)
Pointer Paramter4: (null)
Pointer Paramter5: 8629392 (0x83AC90)
Return
0 (0x0)

Summary Information
API Name: SceFreeMemory
API Define: (Undefine API)
Time Start: 00:11:49.109
Duration: 0.000 ms
Module Name: C:\WINDOWS\system32\SCECLI.dll
Is Entry API: True
Process: C:\WINDOWS\system32\mmc.exe
Thread: 4152
Before Call Parameters
Pointer Paramter0: 1514080 (0x171A60)
Pointer Paramter1: 311 (0x137)
Pointer Paramter2: (null)
Pointer Paramter3: 8629392 (0x83AC90)
Pointer Paramter4: (null)
Pointer Paramter5: 4 (0x4)
After Call Parameters
Pointer Paramter0: 1514080 (0x171A60)
Pointer Paramter1: 311 (0x137)
Pointer Paramter2: (null)
Pointer Paramter3: 8629392 (0x83AC90)
Pointer Paramter4: (null)
Pointer Paramter5: 4 (0x4)
Return
0 (0x0)

Summary Information
API Name: SceUpdateSecurityProfile
API Define: (Undefine API)
Time Start: 00:11:52.203
Duration: 0.000 ms
Module Name: C:\WINDOWS\system32\SCECLI.dll
Is Entry API: True
Process: C:\WINDOWS\system32\mmc.exe
Thread: 4152
Before Call Parameters
Pointer Paramter0: (null)
Pointer Paramter1: 1 (0x1)
Pointer Paramter2: 28866104 (0x1B87638)
Pointer Paramter3: 4 (0x4)
Pointer Paramter4: (null)
Pointer Paramter5: 8629056 (0x83AB40)
After Call Parameters
Pointer Paramter0: (null)
Pointer Paramter1: 1 (0x1)
Pointer Paramter2: 28866104 (0x1B87638)
Pointer Paramter3: 4 (0x4)
Pointer Paramter4: (null)
Pointer Paramter5: 8629056 (0x83AB40)
Return
0 (0x0)
The annoying part is that the before-call and after-call parameters are all unchanged; I don't know whether that is a problem with the tool or because it is an unregistered copy.
I asked czy for help and he reversed it for me. A master is a master: before long he handed me a piece of asm code that takes care of the password complexity policy.
.386
.model stdcall,flat
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc
include \masm32\include\shlwapi.inc
include \masm32\include\shell32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib
includelib \masm32\lib\shlwapi.lib
includelib \masm32\lib\shell32.lib
.const
.data
nini    db 'a',0
seclib  db 'scecli.dll',0
myapi   db 'SceUpdateSecurityProfile',0
mydata  db 2eh,01h,00h,00h,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,00h,00h,00h,00h,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,0feh,0ffh,0ffh,0ffh,00h,00h,00h,00h
; offset 10h: 0 means disabled, 1 means enabled
.data?
.code
start:

    invoke  MessageBox,0,offset nini,offset nini,1
    invoke  LoadLibraryA,offset seclib
    invoke  GetProcAddress,eax,offset myapi
    mov     esi,eax                 ; esi = SceUpdateSecurityProfile
    push    4                       ; 4th argument
    mov     eax,offset mydata
    push    eax                     ; 3rd argument: mydata (lives in the writable .data section)
    xor     edi,edi
    inc     edi
    push    edi                     ; 2nd argument: 1
    xor     ebx,ebx
    push    ebx                     ; 1st argument: 0
    call    esi                     ; stdcall: SceUpdateSecurityProfile(0, 1, mydata, 4)
    invoke  ExitProcess,0
end start
It assembled and ran without a problem. OK, so I converted it to a C++ version, and that kept failing with "memory could not be written" (inline assembly did not help either). I asked 小榕 as well; it seemed to be a matter of how the variable was defined.
Tracing with OD (OllyDbg), I found that in the exe built from the asm version the mydata variable lives in the writable .data section, whereas in the C++ version it sits in the read-only .rdata section. Patching the data from inside OD made the call succeed, so I then changed the C++ code:
#include <stdio.h>
#include <string.h>
#include <windows.h>
char *sam2;
int main()
{
    sam2 = new char[99]();   // value-initialised, so everything after the 49 bytes copied below stays zero
    // The literal itself is placed in read-only .rdata, which is why passing it directly faulted.
    const char *sam =
        "\x2e\x01\x00\x00\xfe\xff\xff\xff"
        "\xfe\xff\xff\xff\xfe\xff\xff\xff"
        "\x00\x00\x00\x00\xfe\xff\xff\xff"
        "\xfe\xff\xff\xff\xfe\xff\xff\xff"
        "\xfe\xff\xff\xff\xfe\xff\xff\xff"
        "\xfe\xff\xff\xff\x00\x00\x00\x00";
    memcpy(sam2, sam, 49);   // copy it into a writable heap buffer before handing it to the API
    HINSTANCE hInst;
    hInst = LoadLibraryA("scecli.dll");
    typedef BOOL (__stdcall *MYFUNC)(int, int, char*, int);
    MYFUNC fun = NULL;
    if (hInst != NULL)
        fun = (MYFUNC)GetProcAddress(hInst, "SceUpdateSecurityProfile");
    if (fun == NULL) {
        printf("scecli.dll / SceUpdateSecurityProfile not found\n");
        return 1;
    }
    int i = 4;
    fun(NULL, TRUE, sam2, i);
/*  __asm
    {
        mov esi,fun
        push 4
        mov eax,sam2
        push eax
        xor edi,edi
        inc edi
        push edi
        xor ebx,ebx
        push ebx
        call esi
    }
*/
    delete[] sam2;
    return 0;
}
Or:
#include <stdio.h>
#include <windows.h>
// A global array (not a pointer to a literal): the bytes themselves sit in the writable
// .data section, and the run of trailing zeros is what the call turned out to need.
char sam[] =
    "\x2e\x01\x00\x00\xfe\xff\xff\xff"
    "\xfe\xff\xff\xff\xfe\xff\xff\xff"
    "\x10\x00\x00\x00\xfe\xff\xff\xff"
    "\xfe\xff\xff\xff\xfe\xff\xff\xff"
    "\xfe\xff\xff\xff\xfe\xff\xff\xff"
    "\xfe\xff\xff\xff\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00";
int main()
{
    HINSTANCE hInst;
    hInst = LoadLibraryA("scecli.dll");
    typedef BOOL (__stdcall *MYFUNC)(int, int, char*, int);
    MYFUNC fun = NULL;
    if (hInst != NULL)
        fun = (MYFUNC)GetProcAddress(hInst, "SceUpdateSecurityProfile");
    if (fun == NULL) {
        printf("scecli.dll / SceUpdateSecurityProfile not found\n");
        return 1;
    }
    printf("sam=%p\n", (void *)sam);   // buffer address, to compare against the section map in OD
    printf("%s\n", sam);               // only prints up to the first NUL byte
    fun(NULL, TRUE, sam, 4);
/*  __asm
    {
        mov esi,fun
        push 4
        mov eax,offset sam
        push eax
        xor edi,edi
        inc edi
        push edi
        xor ebx,ebx
        push ebx
        call esi
    }
*/
    return 0;
}
I found that if the buffer passed as the third argument of SceUpdateSecurityProfile is followed by other data, the call fails; if it is followed by a long run of \x00 bytes, it goes through. With an undocumented API that is about as far as one can get; the third argument is presumably some structure. It worked on my Windows 2003 CN SP1 (after running it, the "password complexity" item in the local policy becomes disabled, and some other policies such as the audit policy change as well, so each position in the third argument presumably maps to a different policy; the items under Security Options do not seem to change). On 小榕's Windows 2003 EN SP1 it did not work. My guess is that this function is too low-level and that there is a higher-level function which first checks the OS version, picks different parameters accordingly, and only then calls SceUpdateSecurityProfile.
As for the contents of Security Options, that is probably a different function; when I have time I will softice that too.
Finally, here is a piece of code about where variables end up in memory once defined; it may come in handy some day.
//main.cpp
#include <stdlib.h>
#include <string.h>
int a = 0;            // global, initialised data area (.data)
char *p1;             // global, uninitialised data area (.bss)
int main()
{
    int b;                      // stack
    char s[] = "abc";           // stack (the array is a copy of the literal)
    char *p2;                   // stack
    const char *p3 = "123456";  // "123456\0" is in the constant area (.rdata); p3 itself is on the stack
    static int c = 0;           // global (static) initialised area
    p1 = (char *)malloc(10);
    p2 = (char *)malloc(20);    // the 10- and 20-byte regions obtained here are on the heap
    strcpy(p1, "123456");       // "123456\0" is in the constant area; the compiler may merge it
                                // with the "123456" that p3 points to
    (void)b; (void)s; (void)c;
    free(p1);
    free(p2);
    return 0;
}
Global:
char *str = "\x20\x20\x20\x20\x20\x20\x20\x20";
str lives in the .data section and is a pointer: its content is an address (in the .rdata section), and that address points to the string.
Global:
char str[] = "\x20\x20\x20\x20\x20\x20\x20\x20";
str lives in the .data section as an array: the string bytes themselves sit there, so they are writable.
Audit policy:
  Audit policy change              Success, Failure
  Audit logon events               Success, Failure
  Audit object access              Failure
  Audit process tracking           No auditing
  Audit directory service access   Failure
  Audit privilege use              Failure
  Audit system events              Success, Failure
  Audit account logon events       Success, Failure
  Audit account management         Success, Failure
Account policy (enable account lockout):
  Reset account lockout counter after   30 minutes
  Account lockout duration              30 minutes
  Account lockout threshold             30 attempts