
I'm writing a custom Windows authentication package, but the LSA does not load my DLL.

I have the following methods exported via the .def file

#define SECURITY_WIN32      // required before sspi.h / ntsecpkg.h for user-mode packages
#include <windows.h>
#include <sspi.h>
#include <ntsecapi.h>
#include <ntsecpkg.h>

// Function table handed to the LSA; its entries are filled in elsewhere in the DLL.
extern SECPKG_FUNCTION_TABLE sp_lsa_function_table[1];

EXTERN_C __declspec(dllexport) NTSTATUS NTAPI SpLsaModeInitialize(
    ULONG LsaVersion,
    PULONG PackageVersion,
    PSECPKG_FUNCTION_TABLE * ppTables,
    PULONG pcTables
) {
    __LOG_TRACE_FUNC_BEGIN(); // Write a log entry to C:\temp\log.txt

    UNREFERENCED_PARAMETER(LsaVersion);

    *PackageVersion = SECPKG_INTERFACE_VERSION;
    *ppTables = sp_lsa_function_table;
    *pcTables = 1;

    __LOG_TRACE_FUNC_END(); // Write a log entry to C:\temp\log.txt

    return 0; // STATUS_SUCCESS
}

I also have the DllMain and DllInit functions.

BOOL APIENTRY DllMain(HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved)
{
    __LOG_TRACE_FUNC_BEGIN(); // Write a log entry to C:\temp\log.txt

    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }

    __LOG_TRACE_FUNC_END(); // Write a log entry to C:\temp\log.txt

    return TRUE;
}


static CRITICAL_SECTION DllCritSect; // file-scope critical section used below

BOOLEAN DllInit(IN PVOID DllHandle, IN ULONG Reason, IN PCONTEXT Context OPTIONAL)
{
    // These must come before the return; statements after 'return' never execute.
    UNREFERENCED_PARAMETER(DllHandle);
    UNREFERENCED_PARAMETER(Context);

    __LOG_TRACE_FUNC_BEGIN(); // Write a log entry to C:\temp\log.txt

    switch (Reason)
    {
    case DLL_PROCESS_ATTACH:
#if defined (DEBUG)
        DebugBreak();
#endif
        InitializeCriticalSection(&DllCritSect);
        break;
    case DLL_PROCESS_DETACH:
        EnterCriticalSection(&DllCritSect);
        LeaveCriticalSection(&DllCritSect);
        DeleteCriticalSection(&DllCritSect);
        break;
    }

    __LOG_TRACE_FUNC_END(); // Write a log entry to C:\temp\log.txt

    return TRUE;
}

I have the export definition in dap.def as below,

EXPORTS

DllMain
DllInit
SpLsaModeInitialize

I also have the dap.dll.manifest file (even though I'm not sure if it is required; the manifest file was required for another part of the project, a credential provider).

<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
    <dependency>
        <dependentAssembly>
            <assemblyIdentity 
                type='win32' 
                name='Microsoft.VC80.DebugCRT' 
                version='8.0.50608.0' 
                processorArchitecture='x64' 
                publicKeyToken='1fc8b3b9a1e18e3b' />
        </dependentAssembly>
    </dependency>
</assembly>

My Dll is compiled for Release/x64.

I'm signing my Dll (dap.dll) as below (not sure if this step is mandatory)

makecert.exe -sv dap.pvk -n "CN=Dallas" dap.cer -r
pvk2pfx.exe -pvk dap.pvk -spc dap.cer -pfx dap.pfx -po 123
signtool.exe sign /f "dap.pfx" /p 123 "dap.dll"

Then I move my file, dap.dll, into Windows\System32 in the target Windows 10 VM and add the following registry entry. [screenshot of the registry entry]

I've also tried adding the same into the Security Packages.


Then I restart the VM.

But none of these attempts worked, and my Dll never gets called (I don't see any log entries created.).

Here is my OS info: [screenshot]

My questions are,

  1. Am I doing everything right, or am I missing any step?
  2. Is the signing step mandatory, and am I doing it right?
  3. When the Local Security Authority process ignores my DLL, does it create any event entries? I tried enabling %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-LSA%4Operational.evtx events, but nothing useful came up. Is there any other place?
  4. Are there any other ways to troubleshoot this?

Cheers,

Gert Arnold
Sency
  • The signing step is not mandatory. You have to implement SpInitialize(), SpGetInfo() and SpShutdown() and provide them in the SpLsaModeInitialize function table. – HNR Apr 06 '23 at 11:54
  • Were you able to make this work? I am unable to make my package load as well. Pretty much all the mandatory functions return the NTSTATUS of STATUS_NOT_IMPLEMENTED, so it should not fail mid-function either...? Each time that I am "RDPing" to the machine only {"AuthenticationPackageName":"C:\\Windows\\system32\\msv1_0.DLL : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"} is loaded... Wonder if you were able to fix your issue? – S.Hary May 10 '23 at 14:32

2 Answers


First of all, you don't have to sign your package or use a manifest file.

And you are not implementing the required methods for an authentication package.

My .def file is as below:

LIBRARY

EXPORTS
LsaApInitializePackage
LsaApLogonUserEx
LsaApLogonTerminated
LsaApCallPackage
LsaApCallPackagePassthrough
LsaApCallPackageUntrusted = LsaApCallPackage

As you can see I don't even have a DllMain or DllInit entry. And you don't need any Sp* methods either unless you also want to implement a security package.

Nehluxhes

I have faced a similar problem on an HP Windows 10 Pro machine where LSA Protection is enabled by default, which prevented LSA from loading a custom AP DLL. This can be verified in eventvwr (Applications and Services\Microsoft\Windows\CodeIntegrity\Operational).

When LSA Protection is enabled, the DLL has to be signed as per Microsoft's signing requirements.

As a temporary solution LSA Protection can be disabled, but it is not recommended. This has details related to LSA Protection.

HNR
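Added example, not from the question or either answer: a PowerShell check script that covers question 4 ("any other way to troubleshoot this?") and the second answer's LSA Protection point. It assumes the package is named dap.dll as in the question, that it runs in an elevated PowerShell on the target VM, and that the CodeIntegrity Operational log is the place the rejected load is recorded (as the answer states).

```powershell
# Added example (not the asker's or answerers' code): inspect how the LSA is configured
# to load a custom authentication package and whether LSA Protection rejected it.
# Assumptions: package DLL is dap.dll (from the question); run from an elevated prompt.
param([string]$PackageName = 'dap')

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa    = Get-ItemProperty -Path $lsaKey

# 1. Is the package listed where the LSA reads it at boot? Both values are REG_MULTI_SZ
#    and hold the DLL base name without the .dll extension (e.g. msv1_0).
$authPkgs = @($lsa.'Authentication Packages')
$secPkgs  = @($lsa.'Security Packages')
"Authentication Packages : $($authPkgs -join ', ')"
"Security Packages       : $($secPkgs -join ', ')"
if ($authPkgs -notcontains $PackageName) {
    Write-Warning "'$PackageName' is not in 'Authentication Packages' (a reboot is needed after adding it)"
}

# 2. Is LSA Protection (RunAsPPL) on? With it enabled, lsass.exe only loads DLLs that meet
#    the Microsoft signing level; a self-signed makecert certificate does not qualify.
$runAsPpl = $lsa.RunAsPPL
"RunAsPPL                : $(if ($null -eq $runAsPpl) { '<not set>' } else { $runAsPpl })"

# 3. Is the DLL actually in System32, and what does its Authenticode signature look like?
$dllPath = Join-Path $env:SystemRoot "System32\$PackageName.dll"
if (Test-Path $dllPath) {
    $sig = Get-AuthenticodeSignature -FilePath $dllPath
    "Signature status        : $($sig.Status) $($sig.SignerCertificate.Subject)"
} else {
    Write-Warning "$dllPath not found; the LSA loads packages from System32"
}

# 4. Code Integrity Operational log: this is where an LSA Protection rejection of the
#    load is recorded. Filter on lsass.exe as the loading process and on the DLL name.
$ciLog = 'Microsoft-Windows-CodeIntegrity/Operational'
Get-WinEvent -LogName $ciLog -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'lsass\.exe' -and $_.Message -match "$PackageName\.dll" } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

If step 4 prints a rejection while step 1 shows the package registered, the DLL is being found but refused on signing grounds, which matches the second answer rather than a missing export.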