Analysis of Windows login password cracking instance

How does one crack Windows login passwords? Here we will give you a comprehensive introduction to the Windows login password cracking principles, as well as specific operations and precautions. Let's start to talk about them one by one:

Windows logon password cracking principle:

Windows authentication is generally performed in the lsass process. The default module is msv00000.dll, and the key lies in its export function LsaApLogonUserEx2,

This program intercepts the password by injecting code to the lsass process hook LsaApLogonUserEx2. As long as there is an authentication process,

LsaApLogonUserEx2 will be triggered, such as ipc $, runsa, 3389 Remote Desktop login, etc.

The program processes different systems, which can be intercepted on, xp, and vista,

In, xp, the xor key is obtained through the high 8 bits of UNICODE_STRING.Length. If the password is encoded, It is decoded through ntdll. RtlRunDecodeUnicodeString,

Vista uses AdvApi32.CredIsProtectedW to determine whether the password has been encoded. AdvApi32.CredUnprotectW is used for decoding.

You can run lsass on your own debugger :)

Windows logon password cracking interface problems:

Hresult winapi DllInstall (BOOL bInstall, LPCWSTR psz1_line );

This is a function prototype exported by this dll. Please do not be confused by the name. This program is green.

This function does not perform any self-start installation action, and does not modify the registry or system file. You just want to select an interface that meets the regsvr32 call.

The first parameter is not used in this program,

Specify a file path (UNICODE) for the second parameter. The recorded data is saved here (Ansi ).

The file path can be C: x. log,

It can also be like \. pipeyour_pipename, \. mailslotyourslot,

Therefore, you can write the loader to call this dll and send the data to your program through pipe or mailslot when the dll is intercepted to the password. Data is a string (Ansi)

Windows login password cracking test:

You can use regsvr32 as the loader to test the function. (You may need to disable some active defenses)

Regsvr32/n/I: c: xxx. log c: pluginWinPswLogger. dll

If it is normal, a prompt is displayed, indicating that regsvr32 is successful.

At this time, you can switch the user or lock the computer, and then log in again. The password information is intercepted and saved to c: xxx. log.

I will introduce you to the Windows login password cracking process. Do you know something about Windows login password cracking?