Explain the principle of cracking Windows login password

To protect their files, Windows users normally log in with a combination of "user name" and "password". If the password is forgotten, however, the Windows logon screen says "no" and refuses entry. How can the Windows login password be cracked in that case? Here is a comprehensive introduction to the principle behind Windows login password cracking, together with the specific operations and precautions; let us go through them one by one:
Windows login password cracking principle:
Windows authentication generally takes place inside the lsass process; the default authentication package is msv1_0.dll, and the key routine is its exported function LsaApLogonUserEx2.
This program intercepts the password by injecting code into the lsass process and hooking LsaApLogonUserEx2. Whenever an authentication takes place, LsaApLogonUserEx2 is triggered, for example by ipc$, runas, or 3389 remote desktop logons.
The program handles different systems: it can intercept on 2000, 2003, XP and Vista. On 2000, 2003 and XP, the XOR key is taken from the upper 8 bits of UNICODE_STRING.Length; if the password is encoded, it is decoded with ntdll.RtlRunDecodeUnicodeString.
On Vista, whether the password is encoded is determined with AdvApi32.CredIsProtectedW, and decoding uses AdvApi32.CredUnprotectW.
You can attach your own debugger to lsass to check this for yourself :)
Windows login password crack interface:
HRESULT WINAPI DllInstall(BOOL bInstall, LPCWSTR pszCmdLine);
This is the function prototype exported by the DLL. Don't be confused by the name: this program is "green" (portable). The function performs no self-starting installation and modifies neither the registry nor system files; the name was chosen only so that the interface matches what regsvr32 calls.
The first parameter is not used by this program.
The second parameter specifies a file path (note that it is UNICODE); the recorded data is saved there (as ANSI).
The file path can be an ordinary file such as C:\x.log,
or a pipe or mailslot such as \\.\pipe\your_pipename or \\.\mailslot\yourslot,
so you can also write your own loader for the DLL and have the data sent to your program through the pipe or mailslot when the DLL intercepts a password. The data is an ANSI string.
Windows login password crack test:
You do not have to write your own loader to call it; regsvr32 can be used as the loader for testing (you may need to disable some active defense software first):
regsvr32 /n /i:c:\xxx.log c:\pluginWinPswLogger.dll
Normally regsvr32 pops up a success prompt.
Now switch users or lock the computer, then log in again; the password information is intercepted and saved to c:\xxx.log.
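From a defender's side, the two observable traces of the procedure described above are a regsvr32 invocation that only calls DllInstall (/n together with /i:) against a DLL outside the system directories, and a process obtaining injection-capable access (PROCESS_VM_WRITE or PROCESS_CREATE_THREAD) to lsass.exe. The following Python is an added example, not part of the original article or of the tool it describes; it runs two such checks over constructed event records whose field names are an assumption loosely modelled on Sysmon Event ID 1 (process create) and Event ID 10 (process access), not real telemetry.

```python
import re
from dataclasses import dataclass

# Access-mask bits from the Win32 process rights; either one is enough to
# write and start code inside another process.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE

# regsvr32 called with /i:<arg> (DllInstall) and /n (skip DllRegisterServer).
REGSVR32_INSTALL = re.compile(r"(?i)\bregsvr32(\.exe)?\b.*\s/i:(?P<arg>\S+)")
NO_REGISTER = re.compile(r"(?i)\s/n\b")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample events (assumption: Sysmon-like field names). The first
# record mirrors the regsvr32 command line from the article; the others are
# benign noise that the rules must not flag.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /n /i:c:\xxx.log c:\pluginWinPswLogger.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s C:\Windows\System32\msxml3.dll",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\regsvr32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]


@dataclass
class Finding:
    rule: str
    detail: str
    event: dict


def _outside_system_dirs(path: str) -> bool:
    """True when a DLL path does not live under the Windows system directories."""
    return not path.lower().startswith(SYSTEM_DIRS)


def check_regsvr32(ev: dict):
    """Flag regsvr32 runs that only invoke DllInstall on a non-system DLL."""
    if ev.get("EventID") != 1:
        return None
    cmd = ev.get("CommandLine", "")
    m = REGSVR32_INSTALL.search(cmd)
    if not m or not NO_REGISTER.search(cmd):
        return None
    dlls = [tok for tok in cmd.split() if tok.lower().endswith(".dll")]
    target = dlls[-1] if dlls else ""
    if target and not _outside_system_dirs(target):
        return None
    return Finding("regsvr32-dllinstall-only",
                   f"regsvr32 /n /i:{m.group('arg')} loading {target or '<unknown dll>'}", ev)


def check_lsass_access(ev: dict):
    """Flag any process that obtains write/thread-creation rights on lsass.exe."""
    if ev.get("EventID") != 10:
        return None
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    try:
        granted = int(ev.get("GrantedAccess", "0"), 16)
    except ValueError:
        return None
    if not granted & INJECT_MASK:
        return None
    return Finding("lsass-injection-capable-access",
                   f"{ev.get('SourceImage')} opened lsass with 0x{granted:X}", ev)


def scan(events):
    """Run both checks over a list of events and collect the findings in order."""
    findings = []
    for ev in events:
        for check in (check_regsvr32, check_lsass_access):
            f = check(ev)
            if f is not None:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

The access-mask check deliberately ignores the usual 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) opens that many legitimate processes perform against lsass, so the rule stays quiet on ordinary activity and fires only on the rights the hooking step actually needs.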
As long as you understand the cracking principle of the login password described in this tutorial and prepare in advance, the next time you run into the embarrassing situation of a forgotten password you can use it as an "open sesame" and successfully enter the operating system.
