探测Windows主机的NetBIOS信息

探测Windows主机的NetBIOS信息作者：TOo2y一 NetBIOS信息二主要函数与相关数据结构分析三如何防止NetBIOS信息的泄露四源代码大家一提到Windows2000/XP系统的安全性，很快就会想到NULL Session（空会话）。

这可以算是微软安置的一个后门，很多简单而容易的攻击都是基于空会话而实现的。

在此，我们不讨论如何攻陷一台Windows2000/XP系统，而是要谈谈在建立空会话之后，我们可以得到远程主机的哪些NetBIOS信息。

（由于本文是针对Windows2000/XP系统，所以使用了UNICODE 编码）。

一、NetBIOS信息在我们和远程Windows2000/XP主机建立了空会话之后，我们就有权枚举系统里的各项NetBIOS信息了。

当然在某些选项中需要较高的权利，不过我们只执行那些匿名用户可以获得的绝大多数系统信息。

时间：探测远程主机的当前日期和时间信息。

它会返回一个数据结构，包括年，月，日，星期，时，分，秒等等。

不过得到的是GMT标准时间，当然对于我们来说就应该换算为GMT+8:00了。

由此可以判断出主机所在的时区信息。

操作系统指纹：探测远程主机的操作系统指纹信息。

一共有三种级别的探测（100，101，102），我们使用的是101级，它会返回一个数据结构，可以获取远程主机的平台标识，服务器名称，操作系统的主次版本（Windows2000为5.0,WindowsXP为5.1,而最新操作系统Longhorn的版本为6.0），服务器类型（每台主机可能同时包含多种类型信息）和注释。

共享列表：探测远程主机的共享列表。

我们可以获得一个数据结构指针，枚举远程主机的所有共享信息（隐藏的共享列表在内）。

其中包括共享名称，类型与备注。

类型可分为：磁盘驱动器，打印队列，通讯设备，进程间通讯与特殊设备。

用户列表: 探测远程主机的用户列表，返回一个数据结构指针，枚举所有用户信息。

可获取用户名，全名，用户标识符，说明与标识信息。

标识信息可以探测用户的访问权限。

本地组列表: 探测远程主机的本地组列表信息。

枚举所有本地组信息，包含本地组名称和注释信息。

组列表: 探测远程主机的组列表信息。

枚举所有的组信息，包括组名称，注释，组标识符与属性。

在此基础上，我们可以枚举组内的所有用户信息。

组用户列表: 探测特定组内的用户信息。

我们可以获得组内所有用户的名称。

当我门获得了所有的用户列表，下一步就应该很清楚了，那就是挂一个字典进行破解了。

传输协议列表: 探测远程主机的传输协议信息，枚举所有的传输列表。

可以获得每个传输协议的名称，地址，网络地址和当前与本传输协议连接的用户数目。

会话列表: 探测远程主机的当前会话列表。

枚举每个会话的相关信息，包括客户端主机的名称，当前用户的名称，活动时间和空闲时间。

这可以帮助我们了解远程主机用户的喜好等等。

二、主要函数与相关数据结构分析1. 建立空会话WNetAddConnection2(&nr,username,password,0);//nr为NETRESOURCE数据结构的对象；//username为建立空会话的用户名，在此将用户名设置为NULL；//password为登陆密码，在此将密码设置为NULL；2. 撤消空会话WNetCancelConnection2(ipc,0,TRUE);//ipc为TCHAR的指针，我们可以这样获得：//swprintf(ipc,_T("\\\\%s\\ipc$"),argv[1])，argv[1]为主机名或地址；3. 探测主机时间nStatus=NetRemoteTOD(server,(PBYTE*)&pBuf);//参数server为主机的名称或地址；//pBuf为TIME_OF_DAY_INFO数据结构的指针；//nStatus为NET_API_STATUS成员；4. 探测操作系统指纹NetServerGetInfo(server,dwLevel,(PBYTE *)&pBuf);//dwLevel为等级数，我们选择的是101级；//pBuf是SERVER_INFO_101数据结构的指针；5. 探测共享列表NetShareEnum(server,dwLevel,(PBYTE*)&pBuf,MAX_PREFERRED_LENGTH,&er,&tr,&resume);//dwLevel的等级数为1级；//pBuf是SHARE_INFO_1数据结构的指针；//MAX_PREFERRED_LENGTH指定返回数据的长度；//er指明返回的实际可以枚举的成员数目；//tr返回所有的成员数目；//resume用于继续进行共享搜索；6. 探测用户列表NetQueryDisplayInformation(server,dwLevel,i,100,0xFFFFFFFF,&dwRec,(PVOID*)&pBuf);//dwLevel的等级数为1级；//i为枚举的索引；//dwRec返回获取的信息数目；//pBuf为NET_DISPLAY_USER数据结构的指针；7. 探测本地组列表NetLocalGroupEnum(server,dwLevel,(PBYTE *)&pBuf,-1,&er,&tr,&resume);//dwLevel的等级是1；//pBuf返回LOCALGROUP_INFO_1数据结构的指针；8. 探测组列表NetQueryDisplayInformation(server,dwLevel,i,100,0xFFFFFFFF,&dwRec,(PVOID*)&pGBuf );//dwLevel的等级为3；//pGBuf返回NET_DISPLAY_GROUP的数据结构指针；9. 探测组内的用户NetGroupGetUsers(server,pGBuffer->grpi3_name,0,(PBYTE*)&pUBuf,MAX_PREFERRED_LENGTH,&er,&tr,&resume);//pGBuffer->grpi3_name为组的名称；//pUBuf返回GROUP_USERS_INFO_0数据结构的指针；10.探测传输协议列表NetServerTransportEnum(server,dwLevel,(PBYTE*)&pBuf,MAX_PREFERRED_LENGTH,&er,&tr,&resume);//dwLevel的等级为0级；//pBuf返回SERVER_TRANSPORT_INFO_0数据结构的指针；11.探测会话列表NetSessionEnum(server,pszClient,pszUser,dwLevel,(PBYTE*)&pBuf,MAX_PREFERRED_LENGTH,&er,&tr,&resume);//pszClient指定客户的地址；//pszUser指定用户名；//dwLevel的等级是10级；//pBuf返回SESSION_INFO_10数据结构的指针；12.释放内存NetApiBufferFree(pBuf);//释放由系统分配的内存空间。

三、如何防止NetBIOS信息的泄露我们可以安装防火墙来禁止空会话的建立，或者我们可以在网络连接属性里禁用TCP/IP上的NetBIOS，当然也可以在IP安全策略里禁用445/tcp端口来实现。

只要空会话不能成功建立，那就很难获得上面提到的各项信息了。

四、源代码#define UNICODE#define _UNICODE#include <windows.h>#include <winnetwk.h>#include <tchar.h>#include "include\lmaccess.h"#include "include\lmserver.h"#include "include\lmshare.h"#include <lm.h>#pragma comment (lib,"mpr")#pragma comment (lib,"netapi32")void start();void usage();int datetime(PTSTR server);int fingerprint(PTSTR server);int netbios(PTSTR server);int users(PTSTR server);int localgroup(PTSTR server);int globalgroup(PTSTR server);int transport(PTSTR server);int session(PTSTR server);int wmain(int argc,TCHAR *argv[]){NETRESOURCE nr;DWORD ret;TCHAR username[100]=_T("");TCHAR password[100]=_T("");TCHAR ipc[100]=_T("");system("cls.exe");start();if(argc!=2){usage();return -1;}swprintf(ipc,_T("\\\\%s\\ipc$"),argv[1]);nr.lpLocalName=NULL;nr.lpProvider=NULL;nr.dwType=RESOURCETYPE_ANY;nr.lpRemoteName=ipc;ret=WNetAddConnection2(&nr,username,password,0);if(ret!=ERROR_SUCCESS){_tprintf(_T("\nIPC$ Connect Failed.\n"));return -1;}datetime(argv[1]);fingerprint(argv[1]);netbios(argv[1]);users(argv[1]);localgroup(argv[1]);globalgroup(argv[1]);transport(argv[1]);session(argv[1]);ret=WNetCancelConnection2(ipc,0,TRUE);if(ret!=ERROR_SUCCESS){_tprintf(_T("IPC$ Disconnect Failed.\n"));return -1;}return 0;}void start(){_tprintf(_T("=====[ T-SMB Scan, by TOo2y ]=====\n"));_tprintf(_T("=====[ E-mail: TOo2y@ ]=====\n"));_tprintf(_T("=====[ HomePage: ]=====\n"));_tprintf(_T("=====[ Date: 12-12-2002 ]=====\n"));}void usage(){_tprintf(_T("\nUsage:\t T-SMB Remoteip"));_tprintf(_T("\nRequest: Remote host must be opening port 445/tcp of Microsoft-DS.\n"));}int datetime(PTSTR server){PTIME_OF_DAY_INFO pBuf=NULL;NET_API_STATUS nStatus;DWORD lerror;_tprintf(_T("\n*** Date and Time ***\n"));nStatus=NetRemoteTOD(server,(PBYTE*)&pBuf);if(nStatus==NERR_Success){if(pBuf!=NULL){_tprintf(_T("\nCurrentdate:\t%.2d-%.2d-%d"),pBuf->tod_month,pBuf->tod_day,pBuf->tod_year);_tprintf(_T("\nCurrent time:\t%.2d:%.2d:%.2d.%.2d (GMT)"),pBuf->tod_hours,pBuf->tod_mins,pBuf->tod_secs,pBuf->tod_hunds);pBuf->tod_hours=(pBuf->tod_hours+8)%24;_tprintf(_T("\nCurrent time:\t%.2d:%.2d:%.2d.%.2d (GMT+08:00)\n"),pBuf->tod_hours,pBuf->tod_mins,pBuf->tod_secs,pBuf->tod_hunds);}}else{lerror=GetLastError();if(lerror==997){_tprintf(_T("\nDateTime:\tOverlapped I/O operation is in progress. \n"));}else{_tprintf(_T("\nDatetime Error:\t%d\n"),lerror);}}if(pBuf!=NULL){NetApiBufferFree(pBuf);}return 0;}int fingerprint(PTSTR server){DWORD dwlength;DWORD dwLevel;NET_API_STATUS nStatus;PSERVER_INFO_101 pBuf;DWORD lerror;dwLevel=101;pBuf=NULL;dwlength=_tcslen(server);_tprintf(_T("\n**** Fingerprint ****\n"));nStatus=NetServerGetInfo(server,dwLevel,(PBYTE *)&pBuf);if(nStatus==NERR_Success){_tprintf(_T("\nComputername:\t%s"),pBuf->sv101_name);_tprintf(_T("\nComment:\t%s"),pBuf->sv101_comment);_tprintf(_T("\nPlatform:\t%d"),pBuf->sv101_platform_id);_tprintf(_T("\nVersion:\t%d.%d"),pBuf->sv101_version_major,pBuf->sv101_v ersion_minor);_tprintf(_T("\nType:"));if(pBuf->sv101_type & SV_TYPE_NOVELL){_tprintf(_T("\t\tNovell server.\n"));}if(pBuf->sv101_type & SV_TYPE_XENIX_SERVER){_tprintf(_T("\t\tXenix server.\n"));}if(pBuf->sv101_type & SV_TYPE_DOMAIN_ENUM){_tprintf(_T("\t\tPrimary domain .\n"));}if(pBuf->sv101_type & SV_TYPE_TERMINALSERVER){_tprintf(_T("\t\tTerminal Server.\n"));}if(pBuf->sv101_type & SV_TYPE_WINDOWS){_tprintf(_T("\t\tWindows 95 or later.\n"));}if(pBuf->sv101_type & SV_TYPE_SERVER){_tprintf(_T("\t\tA LAN Manager server.\n"));}if(pBuf->sv101_type & SV_TYPE_WORKSTATION){_tprintf(_T("\t\tA LAN Manager workstation.\n"));}if(pBuf->sv101_type & SV_TYPE_PRINTQ_SERVER){_tprintf(_T("\t\tServer sharing print queue.\n"));}if(pBuf->sv101_type & SV_TYPE_DOMAIN_CTRL){_tprintf(_T("\t\tPrimary domain controller.\n"));}if(pBuf->sv101_type & SV_TYPE_DOMAIN_BAKCTRL){_tprintf(_T("\t\tBackup domain controller.\n"));}if(pBuf->sv101_type & SV_TYPE_AFP){_tprintf(_T("\t\tApple File Protocol server.\n"));}if(pBuf->sv101_type & SV_TYPE_DOMAIN_MEMBER){_tprintf(_T("\t\tLAN Manager 2.x domain member.\n"));}if(pBuf->sv101_type & SV_TYPE_LOCAL_LIST_ONLY){_tprintf(_T("\t\tServers maintained by the browser.\n"));}if(pBuf->sv101_type & SV_TYPE_DIALIN_SERVER){_tprintf(_T("\t\tServer running dial-in service.\n"));}if(pBuf->sv101_type & SV_TYPE_TIME_SOURCE){_tprintf(_T("\t\tServer running the Timesourceservice.\n"));}if(pBuf->sv101_type & SV_TYPE_SERVER_MFPN){_tprintf(_T("\t\tMicrosoft File and Print forNetWare.\n"));}if(pBuf->sv101_type & SV_TYPE_NT){_tprintf(_T("\t\tWindows NT/2000/XP workstation or server.\n"));}if(pBuf->sv101_type & SV_TYPE_WFW){_tprintf(_T("\t\tServer running Windows for Workgroups.\n"));}if(pBuf->sv101_type & SV_TYPE_POTENTIAL_BROWSER){_tprintf(_T("\t\tServer that can run the browser service.\n"));}if(pBuf->sv101_type & SV_TYPE_BACKUP_BROWSER){_tprintf(_T("\t\tServer running a browser service as backup.\n"));}if(pBuf->sv101_type & SV_TYPE_MASTER_BROWSER){_tprintf(_T("\t\tServer running the master browser service.\n"));}if(pBuf->sv101_type & SV_TYPE_DOMAIN_MASTER){_tprintf(_T("\t\tServer running the domain master browser.\n"));}if(pBuf->sv101_type & SV_TYPE_CLUSTER_NT){_tprintf(_T("\t\tServer clusters available in the domain.\n"));}if(pBuf->sv101_type & SV_TYPE_SQLSERVER){_tprintf(_T("\t\tAny server running with Microsoft SQL Server.\n"));}if(pBuf->sv101_type & SV_TYPE_SERVER_NT){_tprintf(_T("\t\tWindows NT/2000 server that is not a domain controller.\n"));}}else{lerror=GetLastError();if(lerror==997){_tprintf(_T("\nFingerprint:\tOverlapped I/O operation is in progress.\n"));}else{_tprintf(_T("\nFingerprint Error:\t%d\n"),lerror);}}if(pBuf!=NULL){NetApiBufferFree(pBuf);}return 0;}int netbios(PTSTR server){DWORD er,tr,resume;DWORD i,dwLength,dwLevel;PSHARE_INFO_1 pBuf,pBuffer;NET_API_STATUS nStatus;DWORD lerror;er=0;tr=0;resume=1;dwLevel=1;dwLength=_tcslen(server);_tprintf(_T("\n****** Netbios ******\n"));do{nStatus=NetShareEnum(server,dwLevel,(PBYTE*)&pBuf,MAX_PREFERRED_LENGTH,&er,&tr,&resume);if((nStatus==ERROR_SUCCESS) || (nStatus==ERROR_MORE_DATA)){pBuffer=pBuf;for(i=1;i<=er;i++){_tprintf(_T("\nName:\t\t%s"),pBuffer->shi1_netname);_tprintf(_T("\nRemark:\t\t%s"),pBuffer->shi1_remark);_tprintf(_T("\nType:\t\t"));if(pBuffer->shi1_type==STYPE_DISKTREE){_tprintf(_T("Disk drive.\n"));}else if(pBuffer->shi1_type==STYPE_PRINTQ){_tprintf(_T("Print queue.\n"));}else if(pBuffer->shi1_type==STYPE_DEVICE){_tprintf(_T("Communication device.\n"));}else if(pBuffer->shi1_type==STYPE_IPC){_tprintf(_T("Interprocess communication (IPC).\n"));}else if(pBuffer->shi1_type==STYPE_SPECIAL){_tprintf(_T("Special share reserved for interprocess communication (IPC$) or remote administration of the server (ADMIN$).\n"));}else{_tprintf(_T("\n"));}pBuffer++;}}else{lerror=GetLastError();if(lerror==997){_tprintf(_T("\nNetbios:\tOverlapped I/O operation is in progress.\n"));}else{_tprintf(_T("\nNetbios Error:\t%d\n"),lerror);}}if(pBuf!=NULL){NetApiBufferFree(pBuf);}}while(nStatus==ERROR_MORE_DATA);return 0;}int users(PTSTR server){PNET_DISPLAY_USER pBuf,pBuffer;DWORD nStatus;DWORD dwRec;DWORD i=0;DWORD dwLevel;dwLevel=1;_tprintf(_T("\n******* Users *******\n"));do{nStatus=NetQueryDisplayInformation(server,dwLevel,i,100,0xFFFFFFFF,&dwRe c,(PVOID *)&pBuf);if((nStatus==ERROR_SUCCESS) || (nStatus==ERROR_MORE_DATA)){pBuffer=pBuf;for(;dwRec>0;dwRec--){_tprintf(_T("\nName:\t\t%s"),pBuffer->usri1_name);_tprintf(_T("\nFullName:\t%s"),pBuffer->usri1_full_name);_tprintf(_T("\nUserID:\t%u"),pBuffer->usri1_user_id);_tprintf(_T("\nComment:\t%s"),pBuffer->usri1_comment);_tprintf(_T("\nFlag:"));if(pBuffer->usri1_flags & UF_ACCOUNTDISABLE){_tprintf(_T("\t\tThe user''s account is disabled.\n"));}if(pBuffer->usri1_flags &UF_TRUSTED_FOR_DELEGATION){_tprintf(_T("\t\tThe account is enabled for delegation. \n"));}if(pBuffer->usri1_flags & UF_LOCKOUT){_tprintf(_T("\t\tThe account is currently locked out (blocked).\n"));}if(pBuffer->usri1_flags & UF_SMARTCARD_REQUIRED){_tprintf(_T("\t\tRequires the user to log on to the user account with a smart card. \n"));}{_tprintf(_T("\t\tThis account does not require Kerberos preauthentication for logon.\n"));}if(pBuffer->usri1_flags &UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED){_tprintf(_T("\t\tThe user''s password is stored under reversible encryption in the Active Directory. \n"));}if(pBuffer->usri1_flags & UF_NOT_DELEGATED){_tprintf(_T("\t\tMarks the account as \"sensitive\"; other users cannot act as delegates of this user account.\n"));}if(pBuffer->usri1_flags & UF_USE_DES_KEY_ONLY){_tprintf(_T("\t\tRestrict this principal to use only Data Encryption Standard (DES) encryption types for keys.\n"));}if(pBuffer->usri1_flags & UF_HOMEDIR_REQUIRED){_tprintf(_T("\t\tThe home directory is required. Windows NT/Windows 2000/Windows XP ignores this value.\n"));}if(pBuffer->usri1_flags & UF_SCRIPT){_tprintf(_T("\t\tThe logon script executed. This value must be set for LAN Manager 2.0 and Windows NT/2000/XP.\n"));}i=pBuffer->usri1_next_index;pBuffer++;}}else{lerror=GetLastError();if(lerror==997){_tprintf(_T("\nUsers:\t\tOverlapped I/O operation is in progress.\n"));}else{_tprintf(_T("\nUsers Error:\t%d\n"),lerror);}if(pBuf!=NULL){NetApiBufferFree(pBuf);}}while(nStatus==ERROR_MORE_DATA);return 0;}int localgroup(PTSTR server){NET_API_STATUS nStatus;PLOCALGROUP_INFO_1 pBuf,pBuffer;DWORD i,dwLevel;DWORD er,tr,resume;DWORD lerror;resume=0;dwLevel=1;_tprintf(_T("\n**** Local Group ****\n"));do{nStatus=NetLocalGroupEnum(server,dwLevel,(PBYTE*)&pBuf,MAX_PREFERRED_LENGTH,&er,&tr,&resume);if((nStatus==NERR_Success) || (nStatus==ERROR_MORE_DATA)){pBuffer=pBuf;for(i=1;i<=er;i++){_tprintf(_T("\nName:\t\t%s"),pBuffer->lgrpi1_name);_tprintf(_T("\nComment:\t%s"),pBuffer->lgrpi1_comment);_tprintf(_T("\n"));pBuffer++;}}else{lerror=GetLastError();if(lerror==997){_tprintf(_T("\nLocal Group:\tOverlapped I/O operation is in progress.\n"));else{_tprintf(_T("\nLocal Group Error:\t%d\n"),lerror);}}if(pBuf!=NULL){NetApiBufferFree(pBuf);}}while(nStatus==ERROR_MORE_DATA);return 0;}int globalgroup(PTSTR server){PNET_DISPLAY_GROUP pGBuf,pGBuffer;PGROUP_USERS_INFO_0 pUBuf,pUBuffer;DWORD nGStatus,nUStatus;DWORD i;DWORD dwLevel,dwRec;DWORD k;DWORD er,tr,resume;DWORD lerror;i=0;dwLevel=3;er=0;tr=0;resume=0;_tprintf(_T("\n**** Global group ****\n"));do{nGStatus=NetQueryDisplayInformation(server,dwLevel,i,100,0xFFFFFFFF,&dwR ec,(PVOID*)&pGBuf);if((nGStatus==ERROR_SUCCESS) || (nGStatus==ERROR_MORE_DATA)){pGBuffer=pGBuf;for(;dwRec>0;dwRec--){_tprintf(_T("\nName:\t\t%s"),pGBuffer->grpi3_name);_tprintf(_T("\nComment:\t%s"),pGBuffer->grpi3_comment);_tprintf(_T("\nGroup ID:\t%u"),pGBuffer->grpi3_group_id);_tprintf(_T("\nAttributs:\t%u"),pGBuffer->grpi3_attributes);_tprintf(_T("\nMembers:\t"));nUStatus=NetGroupGetUsers(server,pGBuffer->grpi3_name,0,(PBYTE*)&pUBuf,MAX_PREFERRED_LENGTH,&er,&tr,&resume);if(nUStatus==NERR_Success){pUBuffer=pUBuf;for(k=1;k<=er;k++){_tprintf(_T("%s"),pUBuffer->grui0_name);pUBuffer++;}if(pUBuf!=NULL){NetApiBufferFree(pUBuf);}}_tprintf(_T("\n"));i=pGBuffer->grpi3_next_index;pGBuffer++;}}else{lerror=GetLastError();if(lerror==997){_tprintf(_T("\nGlobal Group:\tOverlapped I/O operation is in progress.\n"));}else{_tprintf(_T("\nGlobal GroupError:\t%d\n"),lerror);}}if(pGBuf!=NULL){NetApiBufferFree(pGBuf);}}while(nGStatus==ERROR_MORE_DATA);return 0;int transport(PTSTR server){NET_API_STATUS nStatus;PSERVER_TRANSPORT_INFO_0 pBuf,pBuffer;DWORD dwLevel;DWORD i;DWORD er,tr,resume;DWORD dwTotalCount;DWORD dwLength;DWORD lerror;er=0;tr=0;resume=0;dwLevel=0;dwTotalCount=0;_tprintf(_T("\n***** Transport *****\n"));dwLength=_tcslen(server);do{nStatus=NetServerTransportEnum(server,dwLevel,(PBYTE*)&pBuf,MAX_PREFERRED_LENGTH,&er,&tr,&resume);if((nStatus==NERR_Success) || (nStatus==ERROR_MORE_DATA)){pBuffer=pBuf;for(i=0;i<er;i++){_tprintf(_T("\nTransport:\t%s"),pBuffer->svti0_transportname);_tprintf(_T("\nNetworkAddr:\t%s"),pBuffer->svti0_networkaddress);_tprintf(_T("\nActiveClient:\t%dUser(s)\n"),pBuffer->svti0_numberofvcs);pBuffer++;dwTotalCount++;}}else{lerror=GetLastError();if(lerror==997){_tprintf(_T("\nTransport:\tOverlapped I/O}else{_tprintf(_T("\nTransport Error:\t%d\n"),lerror);}}if(pBuf!=NULL){NetApiBufferFree(pBuf);}}while(nStatus==ERROR_MORE_DATA);_tprintf(_T("\nTotal of %d entrie(s) enumerated.\n"),dwTotalCount);return 0;}int session(PTSTR server){PSESSION_INFO_10 pBuf,pBuffer;NET_API_STATUS nStatus;DWORD i,dwLevel;DWORD er,tr,resume;DWORD dwTotalCount;DWORD dwLength;PTSTR pszClient;PTSTR pszUser;DWORD lerror;_tprintf(_T("\n****** Session ******\n"));dwLevel=10;dwTotalCount=0;pszClient=NULL;pszUser=NULL;er=0;tr=0;resume=0;dwLength=_tcslen(server);do{nStatus=NetSessionEnum(server,pszClient,pszUser,dwLevel,(PBYTE *)&pBuf,MAX_PREFERRED_LENGTH,&er,&tr,&resume);if((nStatus==NERR_Success) || (nStatus==ERROR_MORE_DATA)){pBuffer=pBuf;for(i=0;i<er;i++)if(pBuffer==NULL){_tprintf(_T("An access violation has occurred.\n"));break;}_tprintf(_T("\nClient:\t\t%s"),pBuffer->sesi10_cname);_tprintf(_T("\nUser:\t\t%s"),pBuffer->sesi10_username);_tprintf(_T("\nSecondsActive:\t%d"),pBuffer->sesi10_time);_tprintf(_T("\nSecondsIdle:\t%d\n"),pBuffer->sesi10_idle_time);pBuffer++;dwTotalCount++;}}else{lerror=GetLastError();if(lerror==997){_tprintf(_T("\nSession:\tOverlapped I/O operation is in progress.\n"));}else{_tprintf(_T("\nSession Error:\t%d\n"),lerror);}}if(pBuf!=NULL){NetApiBufferFree(pBuf);}}while(nStatus==ERROR_MORE_DATA);_tprintf(_T("\nTotal of %d entrie(s) enumerated.\n"),dwTotalCount);return 0;}(全文完)。