Explain the principle of cracking Windows login password

To ensure the security of the files, users who use Windows are likely to use the "username" and "password" combination to log in. However, in the case of forgetting the password, the door of the windows system will say to the registrant "no", so that they can not enter. How to crack the Windows login password at this time? Here is a comprehensive introduction to the principle of Windows login password cracking and the specific operations and precautions, let us start one by one:

Windows login password cracking principle:

Windows authentication is generally in the lsass process, the default module is msv1_0.dll, and the key is in its export function LsaApLogonUserEx2,

This program intercepts the password by injecting code into the lsass process hook LsaApLogonUserEx2 . As long as there is an authentication process,

LsaApLogonUserEx2 will trigger, such as ipc$,runsa, 3389 remote desktop login.

The program handles different systems and can be intercepted on 2000, 2003, xp, vista,

in 2000, 2003, xp, through the upper 8 bits of UNICODE_STRING.Length Xor key, if the password is encoded, it is decoded by ntdll.RtlRunDecodeUnicodeString,

vista determines whether the password is encoded by AdvApi32.CredIsProtectedW, and the decoding uses AdvApi32.CredUnprotectW.

You can run your own debugger to hang lsass:)

Windows login password crack interface problem:

HRESULT WINAPI DllInstall( BOOL bInstall, LPCWSTR pszCmdLine);

This is a function prototype exported by this dll, please don't be confused by the name, this program is green.

This function does not do any self-starting installations, and does not modify the registry or system files. Just want to choose an interface that matches the regsvr32 call.

The first parameter is not used in this program,

Please specify a file path for the second parameter (note that it is UNICODE), the recorded data will be saved here (is Ansi's) ).

The file path can be like this C:\\x.log,

can also be like \\\\.\\pipe\\your_pipename,\\\\.\\mailslot\\yourslot

So you You can write the loader to call this dll, and let the dll send the data to your program through pipe or mailslot when the dll intercepts the password. The data is a string (Ansi)

Windows login password crack test:

You can not write your own loader to call, use regsvr32 as a loader to test: ( You may need to turn off some active defenses.

regsvr32 /n /i:c:\\xxx.log c:\\pluginWinPswLogger.dll

Normally regsvr32 pops up a prompt.

At this time, you can switch users or lock the computer, and then log in again. The password information is intercepted and saved to c:\\xxx.log.

However, as long as you understand the cracking principle of the login password in this tutorial, and prepare in advance, when you encounter the embarrassing event caused by forgetting the password again, you can use it to exercise & ldquo; Sesame Open Door ” The function goes smoothly into the operating system.