Enumerating Windows credentials with CredEnumerate function (Windows XP/2003 Only)

最新推荐文章于 2025-08-21 15:32:02 发布

原创最新推荐文章于 2025-08-21 15:32:02 发布 · 1.8k 阅读

0 ·

CC 4.0 BY-SA版权

文章标签：

#windows #credentials #function #winapi #filter #byte

vcbcbdelphi的window编程专栏收录该内容

551 篇文章

订阅专栏

本文提供了一个代码示例，展示了如何使用CWinCredentials类枚举当前登录用户的全部凭证，并将这些凭证信息输出到标准输出中。该示例利用了Windows API函数CredRead和CredEnumerate。

The following code sample enumerates all credentials of the current logged on user, and dump them into the standard output.

First, the CWinCredentials class encapsulates the calls to credentials API functions:

class CWinCredentials
{
protected:

	typedef BOOL (WINAPI *CredReadFuncType)(
		LPCTSTR TargetName, 
		DWORD Type, 
		DWORD Flags, 
		PCREDENTIAL *Credential
		);

	typedef BOOL (WINAPI *CredEnumerateType)(
		LPCTSTR Filter, 
		DWORD Flags, 
		DWORD *Count, 
		PCREDENTIAL **Credentials
		);

	typedef VOID (WINAPI *CredFreeFuncType)(PVOID Buffer);

	
	HMODULE hAdvApi32;
	BOOL bLoaded;
	CredReadFuncType pCredRead;
	CredFreeFuncType pCredFree;
	CredEnumerateType pCredEnumerate;

public:
	CWinCredentials();
	~CWinCredentials();
	BOOL LoadCredsLibrary();
	void FreeCredsLibrary();
	BOOL IsLoaded();
	BOOL CredRead(
		LPCTSTR TargetName, 
		DWORD Type, 
		DWORD Flags, 
		PCREDENTIAL *Credential
		);

	BOOL CredEnumerate(
		LPCTSTR Filter, 
		DWORD Flags, 
		DWORD *Count, 
		PCREDENTIAL **Credentials
		);

	VOID CredFree(PVOID Buffer);
};

CWinCredentials::CWinCredentials()
{
	hAdvApi32 = NULL;
	bLoaded = FALSE;
}

CWinCredentials::~CWinCredentials()
{
	FreeCredsLibrary();
}

BOOL CWinCredentials::IsLoaded()
{
	return bLoaded;
}


BOOL CWinCredentials::LoadCredsLibrary()
{
	if (bLoaded) return TRUE;

	hAdvApi32 = LoadLibrary(_T("advapi32.dll"));
	if (hAdvApi32 != NULL)
	{
		//Dynamically load CredRead, CredEnumerate, and CredFree API functions.
		pCredRead = (CredReadFuncType)GetProcAddress(hAdvApi32, "CredReadW");
		pCredFree = (CredFreeFuncType)GetProcAddress(hAdvApi32, "CredFree");
		pCredEnumerate = (CredEnumerateType)GetProcAddress(hAdvApi32, "CredEnumerateW");

		//If all 3 functions are available, return TRUE.
		if (pCredRead != NULL && pCredFree != NULL && pCredEnumerate != NULL)
			bLoaded = TRUE;
		else
		{
			//Failed to load the credentials API functions.
			FreeCredsLibrary();
		}
	}

	return bLoaded;
}

void CWinCredentials::FreeCredsLibrary()
{
	//Free advapi32 library, if we previously loaded it.
	if (hAdvApi32 != NULL)
	{
		FreeLibrary(hAdvApi32);
		hAdvApi32 = NULL;
	}

	bLoaded = FALSE;

}


BOOL CWinCredentials::CredRead(
	LPCTSTR TargetName, 
	DWORD Type, 
	DWORD Flags, 
	PCREDENTIAL *Credential
	)
{
	if (bLoaded)
		return pCredRead(TargetName, Type, Flags, Credential);
	else
		return FALSE;
}


BOOL CWinCredentials::CredEnumerate(
	LPCTSTR Filter, 
	DWORD Flags, 
	DWORD *Count, 
	PCREDENTIAL **Credentials
	)
{
	if (bLoaded)
		return pCredEnumerate(Filter, Flags, Count, Credentials);
	else
		return FALSE;
}

VOID CWinCredentials::CredFree(PVOID Buffer)
{
	if (bLoaded)
		pCredFree(Buffer);
}

The main function uses the CWinCredentials class to enumerate the credentials of the current logged on user, and dump the information to the standard output:

int wmain( int argc, wchar_t *argv[])
{
	CWinCredentials WinCredentials;

	//Load Credentials API functions.
	if (WinCredentials.LoadCredsLibrary())
	{

		PCREDENTIAL *pCredArray = NULL;
		DWORD dwCount = 0;

		//Load all credentials into array.
		if (WinCredentials.CredEnumerate(NULL, 0, &dwCount, &pCredArray))
		{

			for (DWORD dwIndex = 0; dwIndex < dwCount; dwIndex++)
			{
				PCREDENTIAL pCredential = pCredArray[dwIndex];

				//Write the Credential information into the standard output.
				printf("*********************************************/r/n");
				printf(	"Flags:   %d/r/n"/
						"Type:    %d/r/n"/
						"Name:    %ls/r/n"/
						"Comment: %ls/r/n"/
						"Persist: %d/r/n"/
						"User:    %ls/r/n",
						pCredential->Flags,
						pCredential->Type,
						pCredential->TargetName, 
						pCredential->Comment,
						pCredential->Persist,
						pCredential->UserName);

				
				printf( "Data: /r/n");

				char szHexBuffer[256] = "";
				char szAsciiBuffer[256] = "";
				char szHex[16];
				char szAscii[2];
				DWORD dwByte;

				//Write the credential's data as Hex Dump.
				for (dwByte = 0; dwByte < pCredential->CredentialBlobSize; dwByte++)
				{
					BYTE byte1 = pCredential->CredentialBlob[dwByte];
					sprintf(szHex, "%2.2X ", byte1);
					szAscii[1] = '/0';

					if (byte1 >= 32 && byte1 < 128)
						szAscii[0] = (UCHAR)byte1;
					else
						szAscii[0] = ' ';

					strcat(szHexBuffer, szHex);
					strcat(szAsciiBuffer, szAscii);

					if (dwByte == pCredential->CredentialBlobSize - 1 
						|| dwByte % 16 == 15)
					{
						printf("%-50s %s/r/n", szHexBuffer, szAsciiBuffer);
						szHexBuffer[0] = '/0';
						szAsciiBuffer[0] = '/0';
					}


				}

				printf("*********************************************/r/n");
				printf("/r/n/r/n");

			}

			//Free the credentials array.
			WinCredentials.CredFree(pCredArray);
		}
		
	}
	else
	{

		printf("Failed to load the Credentials API functions !/r/n");
	}

	return 0;
}

Download CredView Sample Project