Hi, I have a problem with the NetUserEnum function. I found a topic on this forum about the NetUserEnum function, but it couldn't help me.

Could someone look at this code and tell me what is wrong:


format PE GUI 4.0
entry start

include '%flatpath%\Include\win32ax.inc'

struct USER_INFO_0
  usri0_name        db 20 dup (0)
ends

section '.data' data readable writeable
  _buf      USER_INFO_0
  EntRead    dd ?
  TotEntr    dd ?

section '.code' code readable executable
  start:
        invoke  NetUserEnum,0,0,2,addr _buf,-1,EntRead,TotEntr,0
        invoke  MessageBox,HWND_DESKTOP,_buf.usri0_name,"TEST",MB_OK
  exit:
        invoke ExitProcess,0

section '.idata' import data readable writeable
  library kernel,'KERNEL32.DLL',\
          netapi32,'NETAPI32.DLL',\
          user,'USER32.DLL'
  import  kernel,\
          ExitProcess,'ExitProcess'
  import  netapi32,\
          NetUserEnum,'NetUserEnum'
  import  user,\
          MessageBox,'MessageBoxA'


The result is two chars that are not the user name :).

I also tried NetQueryDisplayInformation, but the result was similar.

Maybe someone has an example of how to use these functions. Assembler code, of course...


Posted on 2007-09-24 15:07:34 by Kr!z
The bufptr parameter:

Pointer to the buffer that receives the data. The format of this data depends on the value of the level parameter. This buffer is allocated by the system and must be freed using the NetApiBufferFree function. Note that you must free the buffer even if the function fails with ERROR_MORE_DATA.

Change a couple of lines of code and it works:

section '.data' data readable writeable
  _buf      dd ?

section '.code' code readable executable
        invoke  NetUserEnum,0,0,2,_buf,-1,EntRead,TotEntr,0

Then _buf points to an array of pointers which (finally) contain user names.
Just watch out - those names are in Unicode.
Posted on 2007-09-24 17:52:17 by sinsi
Had a play around and got some odd user accounts on my computer (XPHSP2).
Control Panel -> Users shows 2 - mine and Guest.
This code shows me 6 - now "Administrator" and "ASPNET" I can figure out, but "HelpAssistant" and "SUPPORT_388945a0"???

format PE GUI 4.0
entry start

include 'win32wx.inc'

section '.data' data readable writeable
  _buf      dd ?
  EntRead    dd ?
  TotEntr    dd ?

section '.code' code readable executable
  start:
        invoke  NetUserEnum,0,0,2,_buf,-1,EntRead,TotEntr,0
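        mov esi,[EntRead]       ; number of entries returned
        mov edi,[_buf]          ; system-allocated array of USER_INFO_0
    .1: mov eax,[edi]           ; usri0_name: pointer to a Unicode user name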
        add edi,4
        invoke MessageBox,HWND_DESKTOP,eax,"TEST",MB_OK
        dec esi
        jnz .1
  exit:
        invoke ExitProcess,0

section '.idata' import data readable writeable
  library kernel,'KERNEL32.DLL',\
          netapi32,'NETAPI32.DLL',\
          user,'USER32.DLL'
  import  kernel,\
          ExitProcess,'ExitProcess'
  import  netapi32,\
          NetUserEnum,'NetUserEnum'
  import  user,\
          MessageBox,'MessageBoxW'


Posted on 2007-09-25 01:49:04 by sinsi
Thank you sinsi, your code works fine, so these two chars were the pointer to an array.

Now I have to figure out how to convert the result to ANSI, because I'm using the code below to print the result to the console and it works like MessageBoxA: I only see the first letter of the user name...


proc WriteText text
        local    wr dd ?
        invoke    WriteFile,<invoke GetStdHandle,STD_OUTPUT_HANDLE>,[text],<invoke lstrlen,[text]>,addr wr,0
        ret
endp


Thanks again...
Posted on 2007-09-25 03:01:57 by Kr!z
Like I said, the strings are unicode (wide) strings, so you have to either convert them to ansi, or do what I did and use the unicode version of MessageBox (MessageBoxW).

If you're writing it to a console, use WriteConsoleW instead of WriteFile.
Posted on 2007-09-25 03:22:50 by sinsi
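
The points made in the replies above (the buffer is allocated by the system and must be freed with NetApiBufferFree even after ERROR_MORE_DATA, the names are Unicode, and WriteConsoleW is the console counterpart of MessageBoxW) combined into one FASM program. This is an added example, not code posted by anyone in the thread; the label names, the `MORE_DATA` constant name and the 4096-byte preferred length are assumptions chosen for illustration.

```asm
; Added example, not code from the thread: list local accounts on the console.
format PE console 4.0
entry start
include 'win32wx.inc'
MORE_DATA = 234                 ; value of ERROR_MORE_DATA (constant name is ours)

section '.data' data readable writeable
  buf     dd ?                  ; receives pointer to the system-allocated array
  nread   dd ?
  ntotal  dd ?
  resume  dd 0                  ; resume handle, must be 0 on the first call
  hout    dd ?
  wr      dd ?
  crlf    du 13,10

section '.code' code readable executable
  start:
        invoke  GetStdHandle,STD_OUTPUT_HANDLE
        mov     [hout],eax
  .next: mov    [buf],0
        invoke  NetUserEnum,0,0,2,buf,4096,nread,ntotal,resume
        mov     ebx,eax         ; keep the status across the calls below
        test    eax,eax
        jz      .print          ; NERR_Success
        cmp     eax,MORE_DATA
        jne     .free           ; real error: print nothing, still free
  .print: mov   esi,[nread]
        mov     edi,[buf]       ; array of USER_INFO_0, one pointer each
        test    esi,esi
        jz      .free
  .loop:
        invoke  lstrlenW,[edi]  ; names are wide strings
        invoke  WriteConsoleW,[hout],[edi],eax,wr,0
        invoke  WriteConsoleW,[hout],crlf,2,wr,0
        add     edi,4
        dec     esi
        jnz     .loop
  .free: cmp    [buf],0
        je      .done
        invoke  NetApiBufferFree,[buf]  ; required even after ERROR_MORE_DATA
  .done: cmp    ebx,MORE_DATA
        je      .next           ; more accounts: call again with same resume
        invoke  ExitProcess,0

section '.idata' import data readable writeable
  library kernel,'KERNEL32.DLL',netapi32,'NETAPI32.DLL'
  import  kernel,ExitProcess,'ExitProcess',GetStdHandle,'GetStdHandle',\
          WriteConsoleW,'WriteConsoleW',lstrlenW,'lstrlenW'
  import  netapi32,NetUserEnum,'NetUserEnum',NetApiBufferFree,'NetApiBufferFree'
```

WriteConsoleW only succeeds when the output handle is a real console, so it fails if the output is redirected to a file.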