runas

BackupUser
PureBasic Guru
PureBasic Guru
Posts: 16777133
Joined: Tue Apr 22, 2003 7:42 pm

Post by BackupUser »

Restored from previous forum. Originally posted by PB.

> If I shelled out coin every time I looked at a language to assess its
> capabilities it would cost me a fortune

Very true -- sorry that I overlooked that.

I reckon I could still come up with a solution to answer your question; it's just
that I don't fully understand the question. I thought you just wanted a command
line instruction to be applied, without typing the password? If so, this can
easily be done... but it appears that the password cannot be part of that command
line? Where is it entered, then?

PB - Registered PureBasic Coder

Post by BackupUser »

Restored from previous forum. Originally posted by Skully.

Nope.. gotta get outside the PureBasic box here :wink:

Currently there is a Windows command called RunAs.. XP defines usage as:

RUNAS [ [/noprofile | /profile] [/env] [/netonly] ] /user: program

This command is generally used in network environments when you need to give a program higher privilege on the network than your currently logged on account has. However, as you can see there is no way to specify a password.

What I need is a replacement for this command that accepts a password parameter such as:

EXEAS [ [/noprofile | /profile] [/env] [/netonly] ] /user: /Pass:Password program

example:
runas /noprofile /user:mymachine\administrator cmd
exeas /noprofile /user:mymachine\administrator /pass:pungjow cmd

This call could then be encrypted within an executable to protect it from hacking.

Skully

Post by BackupUser »

Restored from previous forum. Originally posted by PB.

> There are lots of keyboard capture programs out there and it's just too easy
> to compromise the password...

I will still look at your idea a bit later, but for now: why not just copy the
password to the clipboard (PureBasic can do that) and then use my SendKeys
routine to do a CTRL+V (paste) to the prompt that asks for the password?
That way you never actually "type" the password, and the keyloggers won't see
it. And don't forget to restore the clipboard to the previous contents right
after (as all good apps should).


PB - Registered PureBasic Coder

Post by BackupUser »

Restored from previous forum. Originally posted by Shawn.

> And you should allocate space for the returned PROCESS_INFORMATION structure
> values, let's say like this:
>
> lpProcessInfo.PROCESS_INFORMATION
>
> And then give the function the pointer to it: @lpProcessInfo.

Excellent! There was another value that needed to be a structure too. I fixed it.

Now I am getting a useful error message. The function complains of a bad username or password. I suspect that I need to convert my strings somehow to unicode. I haven't figured out how to do that yet.

Code:

BOOL CreateProcessWithLogonW(
  LPCWSTR lpUsername,                 // user's name
  LPCWSTR lpDomain,                   // user's domain
  LPCWSTR lpPassword,                 // user's password
  DWORD dwLogonFlags,                 // logon option
  LPCWSTR lpApplicationName,          // executable module name
  LPWSTR lpCommandLine,               // command-line string
  DWORD dwCreationFlags,              // creation flags
  LPVOID lpEnvironment,               // new environment block
  LPCWSTR lpCurrentDirectory,         // current directory name
  LPSTARTUPINFOW lpStartupInfo,       // startup information
  LPPROCESS_INFORMATION lpProcessInfo // process information
);
 
Requirements 
  Windows NT/2000/XP: Included in Windows 2000 and later.
  Windows 95/98/Me: Unsupported.
  Header: Declared in Winbase.h; include Windows.h.
  Library: Use Advapi32.lib.
  Unicode: Implemented only as Unicode.
Shawn

Post by BackupUser »

Restored from previous forum. Originally posted by fred.

> LPCWSTR lpUsername, // user's name
> LPCWSTR lpDomain, // user's domain
> LPCWSTR lpPassword, // user's password

An LPCWSTR is a Unicode string (also called WideString). So you have to use an API call to convert a normal string into a Unicode one:

MultiByteToWideChar_(#CP_ACP, 0, "http://www.purebasic.com", -1, AllocateMemory(0, 1000, 0), 500) ; last argument is the buffer size in wide characters (1000 bytes = 500)

I hope :).

Fred - AlphaSND

Post by BackupUser »

Restored from previous forum. Originally posted by Skully.

Using sendkeys and the clipboard are all security compromisable. Like I said.. I am already using a "sendkeys" type system in AutoIt.

>> There are lots of keyboard capture programs out there and it's just too easy
>> to compromise the password...
>
> I will still look at your idea a bit later, but for now: why not just copy the
> password to the clipboard (PureBasic can do that) and then use my SendKeys
> routine to do a CTRL+V (paste) to the prompt that asks for the password?
> That way you never actually "type" the password, and the keyloggers won't see
> it. And don't forget to restore the clipboard to the previous contents right
> after (as all good apps should).
>
> PB - Registered PureBasic Coder

SoftSkull Productions
http://24.69.16.68/

Post by BackupUser »

Restored from previous forum. Originally posted by Shawn.

Thanks, Fred, for the last piece of the puzzle. It is getting easier to find things in the API documentation, but it is still a chore sometimes.

The program is working! Someone may be able to suggest improvements, but here is what I ended up with. There are other options you can set if you read the API documentation.

Code:

;buffers for the unicode copies of each string (1000 bytes = 500 wide characters each)
*lpUserName = AllocateMemory(0, 1000, 0)
*lpDomainName = AllocateMemory(1, 1000, 0)
*lpPassword = AllocateMemory(2, 1000, 0)
*lpApplication = AllocateMemory(3, 1000, 0)
*lpCommandLine = AllocateMemory(4, 1000, 0)
lpProcessInfo.PROCESS_INFORMATION
lpStartUpInfo.STARTUPINFO
;the API expects the cb member to hold the size of the structure
lpStartUpInfo\cb = SizeOf(STARTUPINFO)
;convert ansi strings to unicode
;the last argument is the buffer size in wide characters, not bytes
MultiByteToWideChar_(#CP_ACP, 0, "UserName", -1, *lpUserName, 500)
MultiByteToWideChar_(#CP_ACP, 0, "DomainOrLocalMachine", -1, *lpDomainName, 500)
MultiByteToWideChar_(#CP_ACP, 0, "Password", -1, *lpPassword, 500)
MultiByteToWideChar_(#CP_ACP, 0, "C:\winnt\notepad.exe", -1, *lpApplication, 500)
MultiByteToWideChar_(#CP_ACP, 0, "", -1, *lpCommandLine, 500)

;CreateProcessWithLogonW is looked up at runtime because it only exists on Windows 2000 and later
If OpenLibrary(0, "ADVAPI32.DLL")
  *F = IsFunction(0, "CreateProcessWithLogonW")
  If *F
    If CallFunctionFast(*F, *lpUserName, *lpDomainName, *lpPassword, 0, *lpApplication,*lpCommandLine,0,0,0,@lpStartUpInfo,@lpProcessInfo) = 0
      ;the call failed: show the system error text (e.g. bad username or password)
      Buffer.s = Space(200)
      LastError.l = GetLastError_()
      FormatMessage_(#FORMAT_MESSAGE_FROM_SYSTEM, 0, LastError, #LANG_NEUTRAL, @Buffer, 200, 0)
      MessageRequester("Error",Str(LastError)+" "+Buffer,0)
    Else
      ;the call succeeded: release the handles returned in PROCESS_INFORMATION
      CloseHandle_(lpProcessInfo\hProcess)
      CloseHandle_(lpProcessInfo\hThread)
    EndIf
  Else
    MessageRequester("","Sorry - This function is not available.",0)
  EndIf
  CloseLibrary(0)
EndIf

Thanks all!

Shawn
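
An alternative to placing the password in the program or on the command line, as an added example that is not part of the original thread: prompt for the credential once, store it protected by DPAPI, and reuse it for later launches. The function names and the credential file path are hypothetical.

```powershell
# Added example; Save-LaunchCredential, Start-ProcessAs and the file path are hypothetical names.
function Save-LaunchCredential {
    param([Parameter(Mandatory)][string]$Path)
    # Prompts once; the password is held as a SecureString, never as a command-line argument.
    $cred = Get-Credential -Message 'Account the program should run as'
    # On Windows, Export-Clixml protects the SecureString with DPAPI, so the file
    # can only be decrypted by the same user account on the same machine.
    $cred | Export-Clixml -Path $Path
}

function Start-ProcessAs {
    param(
        [Parameter(Mandatory)][string]$CredentialPath,
        [Parameter(Mandatory)][string]$Program,
        [string[]]$Arguments,
        [switch]$NoProfile            # counterpart of runas /noprofile
    )
    if (-not (Test-Path -LiteralPath $CredentialPath)) {
        throw "Credential file not found: $CredentialPath"
    }
    $cred = Import-Clixml -Path $CredentialPath
    if ($cred -isnot [System.Management.Automation.PSCredential]) {
        throw "File does not contain a PSCredential: $CredentialPath"
    }
    $params = @{
        FilePath         = $Program
        Credential       = $cred
        LoadUserProfile  = -not $NoProfile
        # Use a directory the target account can read; the caller's current
        # directory may not be accessible to it.
        WorkingDirectory = $env:SystemRoot
        PassThru         = $true      # return the process object to the caller
    }
    if ($Arguments) { $params.ArgumentList = $Arguments }
    Start-Process @params
}

# One-time setup, then unattended launches:
# Save-LaunchCredential -Path "$env:LOCALAPPDATA\exeas-cred.xml"
# Start-ProcessAs -CredentialPath "$env:LOCALAPPDATA\exeas-cred.xml" -Program 'cmd.exe' -NoProfile
```
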

Post by BackupUser »

Restored from previous forum. Originally posted by Skully.

That looks great!

So I guess my last curiosities would be:

Does PB accept command-line parameters? If so, how so?
[edit] found: ProgramParameter()

Does it run under WinNT? And can it be made to run as a service?
[edit] I see multithreading :) but that's not a definitive answer???

Skully

SoftSkull Productions
http://24.69.16.68/

Edited by - skully on 18 July 2002 20:57:12

Post by BackupUser »

Restored from previous forum. Originally posted by Skully.

ok.. I just had a browse through the help files etc and am convinced that PB has some serious stuff to offer.

So I bought it :) wth 2days! online ordering and I have to wait 2 days! :wink:

Funny how the submit button is also the "flush patients" button

Skully


SoftSkull Productions
http://24.69.16.68/

Edited by - skully on 18 July 2002 21:41:28

Post by BackupUser »

Restored from previous forum. Originally posted by TronDoc.

> Requirements
> Windows NT/2000/XP: Included in Windows 2000 and later.
> Windows 95/98/Me: Unsupported.....

I should start reading these threads backwards from the end first!

elecTRONics DOCtor
{registeredPB}P150 32Mb w98/DOS/Linux NO DirX NO IE :wink:

Edited by - TronDoc on 20 July 2002 10:43:20