Which windows API call when the user change password? what the good way to hook this API?

Question

I want to know when user try to change his password, and even hook this function.

I know there is GINA option, and that was replaced from Vista to ICredentialProvider. But at these two, I didn't find a specific API that will called anyway, or one function for every method, that will called when the user change his password. I think implement DLL proxy for the specific API (after I will find it), there is any better way to implement this hook, to catch the change password user and modify it?

In Addition, at my research I found the function ChangeAccountPassword.

And also reference to SpInitialize function with maybe relevant parameter:

typedef struct SECPKG_FUNCTION_TABLE {
...
SpSetExtendedInformationFn       *SpChangeAccountPasswordFn;
...
};

Any advice?

Thanks

Answer 1

yes, SpChangeAccountPasswordFn really called in LSASS.EXE . this routine usually call

NTSTATUS
NTAPI
SamChangePasswordUser2(IN PUNICODE_STRING ServerName,
                       IN PUNICODE_STRING UserName,
                       IN PUNICODE_STRING OldPassword,
                       IN PUNICODE_STRING NewPassword);

from samlib.dll (this is exported function). but most common and interesting point to hook :

BOOLEAN NTAPI LsaINotifyPasswordChanged(
  IN PVOID OPTIONAL, 
  IN PUNICODE_STRING ServerName,
  IN PUNICODE_STRING UserName,
  PVOID OPTIONAL,
  PVOID OPTIONAL,
  IN PUNICODE_STRING OldPassword,
  IN PUNICODE_STRING NewPassword);

this function is exported from lsasrv.dll and usually called from SpChangeAccountPasswordFn. it present from xp up to latest win10. but signature in xp another than in later versions (1 param shifted to 7 place)