In order to protect personal data, most netizens set a login password on their own computer, and everyone carries a variety of passwords in their head. So, on Windows 2003, how do you get the password of the logged-in user? On all NT systems there are several ways to do this; the editor will describe the three that he knows.
1. Hook a few functions in winlogon. Programs of this type exist on the Internet; the project called winlogonhijack is available on rootkit.com, but that project only works for locally logged-in users, not for remote logins.
2. Use a GINA to hook winlogon. As long as your own password-recording code runs inside certain functions, you can record passwords with high stability, and this works for both local and remote logins. Existing GINA backdoor programs do not export the functions that XP and 2003 require, mainly because XP and 2003 added new functions to the winlogon interface.
3. Read the memory directly to get the plaintext password. On NT 4.0/2K, the findpass program can read the memory of the winlogon process directly and obtain the logged-in user's password, because on NT 4.0 and 2K the account information, including the domain name, account name and password, is always at a specific address in winlogon's memory, so it can be obtained very simply. But on XP and 2003 this method fails; it seems there is no way to read the plaintext from a fixed address directly. Let's discuss how to get the logged-in user's password on Server 2003 the way findpass does on NT 4.0 and 2K.
Although XP and 2003 do not store login user information in the winlogon process's memory as the earlier NT systems did, the Lsass process still needs the plaintext login password when it processes some requests, so the logged-in user's password does appear in the Lsass process. (Microsoft does not encrypt the password inside the Lsass process. Microsoft's reasoning is that since Lsass needs the plaintext, any encryption could only be reversible, and anyone who traces lsass's operation could still recover the plaintext, so Microsoft took the lazy route, which may also speed up the response, and simply keeps the plaintext password in lsass process memory.) Having said that, everyone now knows that the logged-in user's password is in the memory of the lsass process. Yes, that is how it is, but is getting this plaintext password as easy as using findpass on NT 4.0 and 2K? It is not that easy, for the following reasons:
A. The address where the password is stored in the lsass process is not fixed.
B. The password may be overwritten by the last user who logged in (for example, administrator abc logs in locally, then administrator bbb logs in remotely and then logs out of the terminal session; the password stored in the memory of the lsass.exe process is still that of administrator bbb). Or, after a user logs in and then logs out, even if we get a password we do not know which user it belongs to.
C. The data before and after the password is also irregular. If there were a regularity, such as a segment of data consisting entirely of 01 bytes before the password, locating the password would be simple.
Reasons A and C both make it difficult to locate the password. Reason B means the password cannot be matched to an account with certainty. It seems Microsoft did some work on the new system. Still, we will not give up; even if we are just trying our luck, we can see whether we can get the password, and if it fails, it doesn't matter.
The final code was written to test whether I could get the password of a guest on a 2003 system, and the result was just as the analysis above predicted (of course, the result above was measured with this program). The success rate is naturally not high, because it is affected by too many factors: difficulty locating the password or failing to locate it at all, finding data that is not the password, and so on. The failure rate is quite high, but it is still a method, and perhaps someone will be able to locate the password accurately in the future, which would be welcome. Although the failure rate is high, in one situation the success rate is very high: when the administrator has just logged in locally or through the terminal, no other user logs in locally or through the terminal afterwards, and the administrator has not locked the system, the success rate will be quite high.
Two ways to improve the success rate:
1. Write the program as a service and check regularly for local or remote logins (there is actually no difference between the two). When a login is detected, search the lsass process memory and try to get the password.
2. Have the program simulate a login (you can do this with LogonUser()). Because the LogonUser() API requires an account name and the corresponding correct password in order to succeed, you can then search the lsass process memory; since we know what the password is, we can locate where the password is stored. Because the logged-in user's password is stored at the same address, or not far from it, simulating a login and searching lets you locate in advance where the password of a user who logs in later will be.
Of the three methods, the most stable and safest is the GINA method. Hijacking some winlogon APIs changes system components, and the stability of the system will be put to the test. Searching the lsass process memory directly is not only difficult but also inaccurate, with a low success rate.
The following code uses a very crude and primitive search method, mainly searching lsass memory for the string "localSystem Remote Procedure", because in quite a few tests the password was saved at a position after the address of this string. Of course, many systems do not have this string, or even if it exists we get the wrong password.
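Added here as the defensive counterpart to method 3 and the two "improvement" methods above (this is not code from the original article): detection logic that flags processes opening lsass.exe with memory-read or memory-write rights, run over a few constructed records written in the style of Sysmon Event ID 10 (ProcessAccess) on modern Windows. The key=value line format, the sample paths and the allowlist are assumptions made for this example.

```python
import re

# Constructed sample records (made up for this example, not captured from a real host),
# in the style of Sysmon Event ID 10: who opened which process, with what access mask.
SAMPLE_EVENTS = [
    "SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1400",
    "SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "SourceImage=C:\\Users\\u\\tmp\\memsearch.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "SourceImage=C:\\Tools\\procdump.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1fffff",
    "SourceImage=C:\\Windows\\System32\\notepad.exe TargetImage=C:\\Windows\\System32\\winlogon.exe GrantedAccess=0x1010",
]

# Process access rights (Win32 values) that allow reading or altering another process's memory.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010        # required to read lsass memory, which is what method 3 relies on
PROCESS_VM_WRITE = 0x0020
MEMORY_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE

# Processes that legitimately open lsass on this (hypothetical) host; tune per environment.
ALLOWLIST = {
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\windows\\system32\\svchost.exe",
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one 'Key=Value Key=Value ...' record into a dict; GrantedAccess becomes an int."""
    fields = dict(FIELD_RE.findall(line))
    fields["GrantedAccess"] = int(fields.get("GrantedAccess", "0"), 16)
    return fields


def is_suspicious(event):
    """True when a non-allowlisted process opened lsass.exe with memory read/write rights."""
    target = event.get("TargetImage", "").lower()
    source = event.get("SourceImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    if source in ALLOWLIST:
        return False
    return bool(event["GrantedAccess"] & MEMORY_RIGHTS)


def find_lsass_readers(lines):
    """Return the SourceImage of every suspicious lsass access, in order of appearance."""
    return [parse_event(l)["SourceImage"] for l in lines if is_suspicious(parse_event(l))]


if __name__ == "__main__":
    for image in find_lsass_readers(SAMPLE_EVENTS):
        print("lsass memory access from:", image)
```

Access masks such as 0x1000 (query limited information) without PROCESS_VM_READ are routine and are deliberately not flagged; the remaining hits are what a defender should investigate.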