This tip is a downloadable project consisting of wrappers for most of Windows with the exception of graphical functions.
The code has been tested and proven in a real-world security application. It works on XP and Vista 32-bit. Will likely work on Windows 7 and 64-bit machines with minor changes.
Using the code
The organizational structure is normally through the DLL name. For example, Kernel.vb contains Kernel32.dll functions. The organization is not perfect, however nearly
all Win32 functions are in there.
Some of the major classes are:
- AclApi - Setting ownership and permissions on registry keys, files and directories. Adding and removing Sids.
- Active Directory - Create new users, set passwords, get the Sid for a user.
- FileApi - Creating files and handles and getting and setting time stamps
- KernelApi - Creating remote threads and processes, computer name, retrieving address of external procedures, tokens and handles,
opening processes, setting privileges on processes, opening desktops, Sid conversions, logging on users, checking privileges and permissions. These functions can access
any thread on the machine and take ownership with system level access.
- KeyboardHook - monitor keystrokes
- Logger - log events to windows events
- NetApi - retrieve user information and groups, create user profile, delete users, change user name, add and remove security groups, enable and disable accounts,
- OpenedFiles - view all open files on the computer and close the handles from other processes.
- Profile - create a user profile and access its hive,
setting permissions, retrieving system folders.
- ServiceApi - monitor Windows services, add service, delete service, start, and stop.
- ShellApi - empty recycle bin, get special folders
- TimeApi - convert various time formats Windows uses
- UserApi - shutdown Windows, find windows, send messages to other windows, disable close on windows
- UserProcess - create pipe, start process under different credentials
- Utilities - enable blank passwords, check processes security level,
check user's security, create recycle bin, get username and profile info, IsRunningElevated, enable and disable fast user switching, kill other processes, deleting files and folders,
IsInternetAvailable, list running processes, close all file handles in other processes, kill processes in other terminal service sessions.
- WindowsApi - setting positions, foreground window, always on top, parent window, enumerate child windows
- Terminal Services - enumerate active sessions, get session information, logon and logoff other sessions, UserIsLoggedIn, get other user's security token, identify active session.
Some of this code must run in an elevated process and frequently must run as SYSTEM. The functions do include ways of retrieving the appropriate token and impersonating.
Some are designed to be running as a service. It also allows access to the winlogon screen to display windows or monitor log in events and user switching.
Points of Interest
.NET has implemented much of the above functions, however plenty of them have not been.
Especially the security things with Acl manipulation, creating processes, accessing processes across sessions, etc. Some have not been exposed through .NET's API.
Much of the API functions were originally sourced on various sites on the internet, however, nearly every function was rewritten to fix bugs or memory leaks or for readability.