Windows Password Finder
这个是isno从LSAView里逆向后改写的代码,转过来:
#include <windows.h>#include <ntsecapi.h>#include <tchar.h>#include <stdio.h>#pragma comment(lib,"advapi32.lib")int _tmain(int argc, TCHAR* argv[], TCHAR* envp[]){ int nRetCode = 0; char private_data[0x500] = {0}; int data_len; LSA_OBJECT_ATTRIBUTES lsa_object_attr; LSA_HANDLE lsa_handle; PLSA_UNICODE_STRING plsa_private_data; LSA_UNICODE_STRING lsa_keyname; NTSTATUS status; int ret; memset(&lsa_object_attr, 0, sizeof(lsa_object_attr)); lsa_object_attr.Length = sizeof(LSA_OBJECT_ATTRIBUTES); LsaOpenPolicy(0, &lsa_object_attr, 0x800, &lsa_handle); plsa_private_data = (PLSA_UNICODE_STRING)malloc(sizeof(LSA_UNICODE_STRING)); plsa_private_data->Length = 0x500; plsa_private_data->MaximumLength = 0x500; plsa_private_data->Buffer = (PWSTR)malloc(0x500); lsa_keyname.MaximumLength = 0x200; lsa_keyname.Buffer = (PWSTR)malloc(0x200); wcscpy(lsa_keyname.Buffer,L"DefaultPassword"); lsa_keyname.Length = wcslen(lsa_keyname.Buffer) * 2; status = LsaRetrievePrivateData(lsa_handle, &lsa_keyname, &plsa_private_data); LsaClose(lsa_handle); if(status != 0) { printf("[-] LsaRetrievePrivateData failed: %d\n", LsaNtStatusToWinError(status)); return 0; } ret = WideCharToMultiByte(0, 0, plsa_private_data->Buffer, plsa_private_data->Length, private_data, sizeof(private_data), 0, 0); if(ret == 0) { printf("[-] WideCharToMultiByte failed:%d\n", GetLastError()); return 0; } data_len = ret; printf("Default Password: %s\r\n", private_data); return nRetCode;}