spm
The security package manager (SPM) is an undocumented component of LSA. The SPM manages both the authentication package and security package DLLs that LSA loads. As far as I am aware, the SPM has not been previously written about.

As far back as NT 3.5, LSA has provided an API for interacting with authentication packages (e.g., the AU API) over the LPC port `\LsaAuthenticationPort`. Clients could interact with the API either by using an abstracted Win32 function (e.g., `LsaLookupAuthenticationPackage`) or by submitting data to the port formatted as an `LSAP_AU_API_MESSAGE` structure. `ntoskrnl.exe` has always provided equivalents of the Win32 functions, which are internally handled by the `ksecdd.sys` driver. The `ksecdd.sys` driver currently implements this functionality as an NTOS extension host (e.g., `SepAuthExtensionHost`).

Microsoft later added an SPM API which extends the AU API. The SPM API has been identified in NT 5.2 but may have existed as early as NT 5.0. Microsoft provides Win32 and `ntoskrnl.exe` exports for some SPM APIs, but clients must submit data to the SPM directly to interact with all of the API's functions. Data for SPM API calls is formatted as an `SPM_LPC_MESSAGE` structure. The first members of the `LSAP_AU_API_MESSAGE` and `SPM_LPC_MESSAGE` structures are binary compatible up until the structure member that identifies which API number is to be called. That allows the SPM to know which API is being requested and which structure definition should be used to interpret the remainder of the data.

Oddly, Microsoft continued to use the same LPC port for communication in NT 6.0 despite the introduction of ALPC. The APIs were only updated in NT 6.1, when the SSPI RPC interface was added to LSA. The LPC port was removed in NT 6.1 and clients must now use the `SspirCallRpc` operation of the SSPI RPC interface to send data directly to either API. Although the communication is now facilitated via RPC, the code for handling API requests has not been updated and still expects data to be formatted as an `LSAP_AU_API_MESSAGE` or `SPM_LPC_MESSAGE` structure. Additionally, some API functions were removed to become SSPI RPC operations while others were removed entirely. The only API function that was added was `ChangeAccountPassword`. Other than the API updates for NT 6.1 and slight name changes for functions over the years, both APIs have remained stable.
`LsapGetClientInfo` checks for:

- The `userPrincipalName` capability, which is documented as required for `GetUserNameEx`.

Each AU API is linked to the documentation for the Win32 API it facilitates.
AU API table (columns: Id, Message Type, CLI Support, NT Version, Notes). The table entries did not survive extraction; the surviving notes are "Moved to the SSPI RPC interface", "The main API used by LSA whisperer", and a Reserved entry marked ➖.
AU API table, second version (columns: Id, Message Type, CLI Support, NT Version, Notes). The table entries did not survive extraction; the surviving notes are "The main API used by LSA whisperer" and a Reserved entry marked ➖.
Each SPM API is linked to the documentation for the higher level API it facilitates (e.g., Win32) if one was identified. The SPM APIs that are not implemented are marked with ❌. The remainder are documented here.
SPM API table (columns: Id, Message Type, CLI Support, NT Version, Notes). The table entries did not survive extraction. Surviving message types: GetBinding, SetSession, FindPackage, EstablishCreds (❌, later removed), GetCreds (❌, later removed), SaveCreds (❌, later removed), EfsGenerateKey, EfsGenerateDirEfs, EfsDecryptFek, EfsGenerateSessionKey, Callback (❌), LookupWellKnownSid, and a Reserved entry marked ➖. Surviving notes: several entries marked "Moved to the SSPI RPC interface", "Later removed", or "Renamed to" (rename target not recovered), one marked "Never implemented and later removed", and one marked "Facilitates two Win32 APIs"; four entries retain a ✔️ CLI Support mark.
✏️ Note: The SPM API has been identified in NT 5.2 but may have existed as early as NT 5.0.
SPM API table, second version (columns: Id, Message Type, CLI Support, NT Version, Notes). The table entries did not survive extraction. Surviving message types: GetBinding, SetSession, FindPackage, EfsGenerateKey (❌), EfsGenerateDirEfs (❌), EfsDecryptFek (❌), EfsGenerateSessionKey (❌), Callback (❌), LookupWellKnownSid, and a Reserved entry marked ➖. One entry is noted as "Facilitates two Win32 APIs"; four entries retain a ✔️ CLI Support mark.
`EfsDecryptFek`: May only be called from kernel mode. Used by the EFS file system filter to recover the File Encryption Key (FEK) from a provided `$EFS` attribute for a file being decrypted.

`EfsGenerateDirEfs`: May only be called from kernel mode. Used by the EFS file system filter to generate an Encrypting File System (EFS) stream for a directory being encrypted.

`EfsGenerateKey`: May only be called from kernel mode. Used by the EFS file system filter to generate a File Encryption Key (FEK) and an Encrypting File System (EFS) stream for a file being encrypted.

`EfsGenerateSessionKey`: May only be called from kernel mode. Generates and returns a random 8 byte value. The value was used by the EFS file system filter driver as a DES key when decrypting FSCTL input buffers.
`SetSession`: Sets an option for the LPC/ALPC session of the current client connection with LSA. The Id values of the options did not survive extraction.

Id | Option | Description |
---|---|---|
| | Set status | Returns |
| | Add workqueue | Originally added a workqueue to support threaded SPM calls. The option was later removed. |
| | Remove workqueue | Never implemented |
| | Get dispatch | Returns the address of |