This post was last edited by wowocock on January 5.
A few days ago, I tried to log on to a Windows system in a virtual machine and found that I couldn't remember the password. So I searched for information and wrote a tool to solve the problem.
Windows login verification is actually performed by msv1_0.dll, which Winlogon calls to check the password. Inside msv1_0!MsvpPasswordValidate, RtlCompareMemory is used to compare the 16-byte password hash retrieved from the SAM with the hash of the password the user typed. If that comparison is patched so that it always returns true, you can log on to Windows regardless of the password. Normally one would write a driver and patch this function. But when the problem actually occurs, we cannot log on to Windows, so we cannot install our driver either. With a bootkit, however, we can boot a WinPE from a USB flash drive, install our bootkit from WinPE into the hard disk MBR, and then boot the system. Someone abroad previously wrote a simple example of this, but it only supports XP. Now that bootkit techniques are widely known, I have extended it to support Vista and Win7; 32-bit is easy. 64-bit Windows is much more trouble, because PatchGuard has to be dealt with. Although 64-bit support is provided, it may not work on some systems; currently only some Win7 x64 and Win2008 R2 systems have been tested. The 64-bit support is not as good as the 32-bit support, and 32-bit systems are basically all supported except Win8.
Currently only 32-bit XP, 2003, Vista and Win7 are supported!
64-bit Win7 may be supported!
Syntax:
Pwdignore /dump
Pwdignore /restoredump
Pwdignore /XP
Pwdignore /win7
Pwdignore /win7x64
First, use /dump to generate an MBR.bin file in the current directory; this is used for restoring the original MBR. Use /restoredump to restore the MBR.
If the target login system is 32-bit 2000, XP or 2003, use /XP to write the XP-series bootkit.
If the target login system is 32-bit Vista or Win7, use /win7 to write the Win7-series bootkit.
If the target login system is 64-bit Win7 or 2008 R2, use /win7x64 to write the 64-bit Win7-series bootkit.
Do not use it on other systems; otherwise the system may fail to start. Of course, you can use /restoredump in WinPE at any time to recover the MBR.
In a non-WinPE environment, security software may block writing to the MBR; click Allow. If no prompt appears when writing, it means your antivirus needs to be updated. We recommend 360 Security Guard; its protection is good.
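Since the tool works by rewriting the MBR (and /dump saves a copy as MBR.bin), the natural defensive check is to compare the live boot sector against a trusted dump and report which region changed. This is an added example, not part of the tool or the original post; it assumes the dump is a raw 512-byte sector, and the sample MBRs below are constructed, not read from a real disk.

```python
import hashlib

MBR_SIZE = 512
BOOT_CODE_END = 440      # bytes 0..439: boot loader code (the part a bootkit replaces)
DISK_SIG_END = 444       # bytes 440..443: Windows disk signature
PART_TABLE_START = 446   # bytes 446..509: four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # bytes 510..511: boot sector signature


def mbr_regions(mbr: bytes) -> dict:
    """Split a 512-byte MBR into the regions a defender cares about."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    return {
        "boot_code": mbr[:BOOT_CODE_END],
        "disk_signature": mbr[BOOT_CODE_END:DISK_SIG_END],
        "partition_table": mbr[PART_TABLE_START:PART_TABLE_START + 64],
        "boot_signature": mbr[510:],
    }


def compare_mbr(baseline: bytes, current: bytes) -> dict:
    """Report which regions differ between a trusted dump and the live sector."""
    b, c = mbr_regions(baseline), mbr_regions(current)
    result = {name: b[name] != c[name] for name in b}          # True = region changed
    result["sha256_match"] = hashlib.sha256(baseline).digest() == hashlib.sha256(current).digest()
    result["valid_boot_signature"] = c["boot_signature"] == BOOT_SIG
    return result


def read_live_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector; needs administrator rights on Windows (or root for /dev/sda)."""
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)


# Constructed sample data (hypothetical, not from a real disk): a clean MBR and
# one whose boot code was rewritten while the partition table was left intact.
def _fake_mbr(code: bytes) -> bytes:
    head = code.ljust(BOOT_CODE_END, b"\x00") + b"\x12\x34\x56\x78" + b"\x00\x00"
    partitions = bytes([0x80, 0, 1, 0, 7, 0xFE, 0xFF, 0xFF, 0, 8, 0, 0, 0, 0, 0x10, 0]) + b"\x00" * 48
    return head + partitions + BOOT_SIG


CLEAN_MBR = _fake_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")   # typical Windows MBR prologue
TAMPERED_MBR = _fake_mbr(b"\xeb\xfe")                     # boot code replaced

if __name__ == "__main__":
    print(compare_mbr(CLEAN_MBR, TAMPERED_MBR))
```

In practice, take the baseline with /dump (or from a known-good image) before any incident and compare against read_live_mbr() from a trusted boot environment such as WinPE.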