Using an IAT hook to build a Windows universal-password backdoor
  Add date: 07/10/2008   Publishing date: 07/10/2008   Hits: 768
Whether or not something like this already exists, we can build such a backdoor ourselves.

First, a brief introduction to some of the processes involved in Windows logon.
The winlogon process obtains the user name and password through gina.dll and passes them to the lsass process via LPC.
The lsass process then calls the default authentication package, msv1_0.dll, to check whether the password is correct.
msv1_0 in turn fetches the user's information, including the password hash, from the SAM.

To build this kind of backdoor, we first have to find the lowest-level function in the chain of logon verification functions, and then tamper there.
Obviously that lowest-level function is in the msv1_0.dll module inside the lsass process.

The function that lsass calls in msv1_0.dll is this one:

Code:
msv1_0!LsaApLogonUserEx2

LsaApLogonUserEx2 in MSDN

So we should debug the lsass process and set a breakpoint on msv1_0!LsaApLogonUserEx2.
Here I use windbg together with VMware and do remote user-mode debugging through dbgsrv.
http://blogs.msdn.com/spatdsg/archiv… 27/507265.aspx
In the blog post above, Spat explains how to debug with dbgsrv (Debugging LSA via dbgsrv.exe).
On the debuggee side (inside the virtual machine), run:

Code:
dbgsrv.exe -t tcp:port=1234,password=spat

Then on the debugger side, run:

Code:
windbg.exe -premote tcp:server=192.168.1.102,port=1234,password=spat

Then choose to attach to the lsass process.
But at this point we cannot log on and then run dbgsrv again, because dbgsrv would already have been shut down, so I used the Windows Task Scheduler to start dbgsrv at boot.

After the virtual machine starts, dbgsrv is up as well; connect with windbg as above and attach to the lsass process.
After setting the breakpoint on msv1_0!LsaApLogonUserEx2, let lsass continue running.
Then log on, and windbg really does break.

At this point let me introduce a powerful windbg command, wt: it records the entire function-call tree, including returns; see the windbg help for the details of its usage.
I guess wt works by single-stepping, which is why it is very slow.
The wt output is long and hard to read, so I wrote a Python script to turn the wt output into a TreeCtrl.

Look at the function my mouse is pointing at: ntdll!RtlCompareMemory.
After debugging I found that this function is the "lowest-level function" I was looking for.

Code:
SIZE_T
RtlCompareMemory(
    IN CONST VOID *Source1,
    IN CONST VOID *Source2,
    IN SIZE_T Length
    );

RtlCompareMemory in MSDN
I also worked out what the three parameters of this function hold at the time the password is verified:
Source1 is the MD4 hash of the Unicode form of the user's password, taken from the SAM,
Source2 is the MD4 hash of the Unicode form of the password the user typed,
and Length is always 16, because an MD4 hash is 16 bytes.
It was very easy to write the following replacement function:

Code:
int WINAPI MyRtlCompareMemory (void *a, void *b, int len) {
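The tampering described above works by redirecting msv1_0.dll's import slot for ntdll!RtlCompareMemory to code in another module. The natural check on the defending side is an IAT integrity scan: every resolved import should point into the DLL it is imported from. The following is an added example of that detection logic, not code from the original article; the module map, the IAT contents, the addresses and the injected module name "evil.dll" are all constructed stand-ins for what a scanner would read out of lsass.exe's memory.

```python
# Added example, not from the original article: IAT hook detection logic.
# All module bases, sizes, addresses and the module name "evil.dll" are
# constructed values standing in for data read from lsass.exe's memory.

# Loaded-module map of the target process: (name, base, size)
LOADED_MODULES = [
    ("lsass.exe",  0x01000000, 0x00006000),
    ("ntdll.dll",  0x7C900000, 0x000B2000),
    ("msv1_0.dll", 0x77C70000, 0x00025000),
    ("evil.dll",   0x10000000, 0x00010000),  # hypothetical injected module
]

# msv1_0.dll's resolved import table after tampering:
# (DLL the import is declared against, function name, address in the IAT slot)
MSV1_0_IAT = [
    ("ntdll.dll", "RtlCompareMemory",       0x10001230),  # hooked: lands in evil.dll
    ("ntdll.dll", "RtlInitUnicodeString",   0x7C912345),  # genuine: inside ntdll
    ("ntdll.dll", "NtQueryInformationToken", 0x7C9ABCDE), # genuine: inside ntdll
    ("ntdll.dll", "RtlMoveMemory",          0x00340000),  # hooked: private memory, no module
]


def owning_module(addr, modules):
    """Name of the loaded module whose image range contains addr, or None
    when the address is not backed by any loaded image (e.g. a trampoline
    in privately allocated memory)."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


def find_iat_hooks(iat, modules):
    """Return (function, declared DLL, actual owner) for every IAT slot whose
    address no longer resolves into the DLL the import is declared against.
    Caveat: export forwarding (one DLL legitimately forwarding an export to
    another) would also trip this check and must be whitelisted by a real tool."""
    findings = []
    for dll, func, addr in iat:
        owner = owning_module(addr, modules)
        if owner is None or owner.lower() != dll.lower():
            findings.append((func, dll, owner))
    return findings


if __name__ == "__main__":
    for func, dll, owner in find_iat_hooks(MSV1_0_IAT, LOADED_MODULES):
        print(f"IAT hook: {dll}!{func} now resolves into {owner or 'unbacked memory'}")
```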
