对 VaultRemoveItem 的函数参数进行逆向工程
Reverse engineering the function arguments of VaultRemoveItem
我需要调用从系统 dll vaultcli.dll 导出的名为 VaultRemoveItem(...) 的未记录函数。问题是我不知道函数原型,网上也没找到资料。
有人对我如何发现函数的参数有任何建议吗?它们很可能包含指向某些结构的指针。
enum VAULT_SCHEMA_ELEMENT_ID {
ElementId_Illegal = 0x0,
ElementId_Resource = 0x1,
ElementId_Identity = 0x2,
ElementId_Authenticator = 0x3,
ElementId_Tag = 0x4,
ElementId_PackageSid = 0x5,
ElementId_AppStart = 0x64,
ElementId_AppEnd = 0x2710
};
enum VAULT_ELEMENT_TYPE {
ElementType_Undefined = 0xffffffff,
ElementType_Boolean = 0x0,
ElementType_Short = 0x1,
ElementType_UnsignedShort = 0x2,
ElementType_Integer = 0x3,
ElementType_UnsignedInteger = 0x4,
ElementType_Double = 0x5,
ElementType_Guid = 0x6,
ElementType_String = 0x7,
ElementType_ByteArray = 0x8,
ElementType_TimeStamp = 0x9,
ElementType_ProtectedArray = 0xa,
ElementType_Attribute = 0xb,
ElementType_Sid = 0xc,
ElementType_Last = 0xd
};
struct _VAULT_CAUB {
ULONG NumBytes;
UCHAR * pByteArray;
};
struct _ATTRIBUTE {
WCHAR * pszName;
ULONG dwFlags;
_VAULT_CAUB Value;
};
struct _VAULT_VARIANT {
VAULT_ELEMENT_TYPE Type;
union {
UCHAR Boolean;
SHORT Short;
USHORT UnsignedShort;
INT Int;
UINT UnsignedInt;
double Double;
_GUID Guid;
const WCHAR * String;
_VAULT_CAUB ByteArray;
_VAULT_CAUB ProtectedArray;
_ATTRIBUTE * Attribute;
PSID Sid;
};
};
struct _VAULT_ITEM_ELEMENT {
VAULT_SCHEMA_ELEMENT_ID SchemaElementId;
_VAULT_VARIANT ItemValue;
};
HRESULT WINAPI VaultOpenVault(const GUID* Store, ULONG Flags, PHANDLE phVault);
HRESULT WINAPI VaultRemoveItem(HANDLE hVault, const GUID* Schema, _VAULT_ITEM_ELEMENT* Resource, _VAULT_ITEM_ELEMENT* Identity, _VAULT_ITEM_ELEMENT* PackageSid OPTIONAL, PVOID OPTIONAL);
HRESULT WINAPI VaultCloseVault(HANDLE hVault);
void RemoveItem(PCWSTR url, PCWSTR login, PSID Sid = 0)
{
struct __declspec(uuid("3CCD5499-87A8-4B10-A215-608888DD3B55")) Vault_Schema_WebPassword;
struct __declspec(uuid("4BF4C442-9B8A-41A0-B380-DD4A704DDB28")) Vault_DefaultVault_ID;
HANDLE hVault;
if (!VaultOpenVault(&__uuidof(Vault_DefaultVault_ID), 0, &hVault))
{
_VAULT_ITEM_ELEMENT
Resource = {ElementId_Resource, ElementType_String },
Identity = {ElementId_Identity, ElementType_String },
PackageSid = {ElementId_PackageSid, ElementType_Sid };
Resource.ItemValue.String = url;
Identity.ItemValue.String = login;
PackageSid.ItemValue.Sid = Sid; // must be SECURITY_MANDATORY_LABEL_AUTHORITY or SECURITY_APP_PACKAGE_AUTHORITY
VaultRemoveItem(hVault, &__uuidof(Vault_Schema_WebPassword), &Resource, &Identity, &PackageSid(/* 0 */), 0);
VaultCloseVault(hVault);
}
}
我需要调用从系统 dll vaultcli.dll 导出的名为 VaultRemoveItem(...) 的未记录函数。问题是我不知道函数原型,网上也没找到资料。
有人对我如何发现函数的参数有任何建议吗?它们很可能包含指向某些结构的指针。
enum VAULT_SCHEMA_ELEMENT_ID {
ElementId_Illegal = 0x0,
ElementId_Resource = 0x1,
ElementId_Identity = 0x2,
ElementId_Authenticator = 0x3,
ElementId_Tag = 0x4,
ElementId_PackageSid = 0x5,
ElementId_AppStart = 0x64,
ElementId_AppEnd = 0x2710
};
enum VAULT_ELEMENT_TYPE {
ElementType_Undefined = 0xffffffff,
ElementType_Boolean = 0x0,
ElementType_Short = 0x1,
ElementType_UnsignedShort = 0x2,
ElementType_Integer = 0x3,
ElementType_UnsignedInteger = 0x4,
ElementType_Double = 0x5,
ElementType_Guid = 0x6,
ElementType_String = 0x7,
ElementType_ByteArray = 0x8,
ElementType_TimeStamp = 0x9,
ElementType_ProtectedArray = 0xa,
ElementType_Attribute = 0xb,
ElementType_Sid = 0xc,
ElementType_Last = 0xd
};
struct _VAULT_CAUB {
ULONG NumBytes;
UCHAR * pByteArray;
};
struct _ATTRIBUTE {
WCHAR * pszName;
ULONG dwFlags;
_VAULT_CAUB Value;
};
struct _VAULT_VARIANT {
VAULT_ELEMENT_TYPE Type;
union {
UCHAR Boolean;
SHORT Short;
USHORT UnsignedShort;
INT Int;
UINT UnsignedInt;
double Double;
_GUID Guid;
const WCHAR * String;
_VAULT_CAUB ByteArray;
_VAULT_CAUB ProtectedArray;
_ATTRIBUTE * Attribute;
PSID Sid;
};
};
struct _VAULT_ITEM_ELEMENT {
VAULT_SCHEMA_ELEMENT_ID SchemaElementId;
_VAULT_VARIANT ItemValue;
};
HRESULT WINAPI VaultOpenVault(const GUID* Store, ULONG Flags, PHANDLE phVault);
HRESULT WINAPI VaultRemoveItem(HANDLE hVault, const GUID* Schema, _VAULT_ITEM_ELEMENT* Resource, _VAULT_ITEM_ELEMENT* Identity, _VAULT_ITEM_ELEMENT* PackageSid OPTIONAL, PVOID OPTIONAL);
HRESULT WINAPI VaultCloseVault(HANDLE hVault);
void RemoveItem(PCWSTR url, PCWSTR login, PSID Sid = 0)
{
struct __declspec(uuid("3CCD5499-87A8-4B10-A215-608888DD3B55")) Vault_Schema_WebPassword;
struct __declspec(uuid("4BF4C442-9B8A-41A0-B380-DD4A704DDB28")) Vault_DefaultVault_ID;
HANDLE hVault;
if (!VaultOpenVault(&__uuidof(Vault_DefaultVault_ID), 0, &hVault))
{
_VAULT_ITEM_ELEMENT
Resource = {ElementId_Resource, ElementType_String },
Identity = {ElementId_Identity, ElementType_String },
PackageSid = {ElementId_PackageSid, ElementType_Sid };
Resource.ItemValue.String = url;
Identity.ItemValue.String = login;
PackageSid.ItemValue.Sid = Sid; // must be SECURITY_MANDATORY_LABEL_AUTHORITY or SECURITY_APP_PACKAGE_AUTHORITY
VaultRemoveItem(hVault, &__uuidof(Vault_Schema_WebPassword), &Resource, &Identity, &PackageSid(/* 0 */), 0);
VaultCloseVault(hVault);
}
}