IE7自動(dòng)完成口令獲取
作者:grassgrass (kityest_at_163.com)
前一陣子自己郵箱的口令忘記了,為了找回郵箱口令到網(wǎng)上找了好多密碼找回的工具��,發(fā)現(xiàn)在IE7下都不好使��,迫于無奈�����,只好自己研究了���,通過Google和 OllyDbg���,用了1整天時(shí)間終于弄清楚了IE7下的自動(dòng)完成口令獲取方法���,不敢獨(dú)享�����,特公布如下,希望能對(duì)大家有幫助���。
自Internet Explorer 7.0開始,微軟完全改變了密碼保存的方式,將網(wǎng)站的URL保存于歷史文件中,將自動(dòng)完成的密碼保存于注冊(cè)表中的以下位置: HKEY_CURRENT_USER/Software/Microsoft/Internet Explorer/IntelliForms/Storage2��。
要獲取IE7的自動(dòng)完成口令就需要同時(shí)獲取IE7環(huán)境下歷史文件夾中的URL記錄和注冊(cè)表HKEY_CURRENT_USER/Software/Microsoft/Internet Explorer/IntelliForms/Storage2下的密碼信息�����。
以下是IE7自動(dòng)完成口令獲取的步驟:
1�����、用ShGetSpecialFolder獲取History文件夾路徑
2�����、枚舉History文件夾下的index.dat文件��,并從index.dat文件中提取訪問過的網(wǎng)站URL。
index.dat文件結(jié)構(gòu):
文件頭32字節(jié)
從文件的第0x5000地址處開始存放的是訪問過的網(wǎng)站信息�����,網(wǎng)站信息順序存放�����,每個(gè)網(wǎng)站數(shù)據(jù)塊結(jié)構(gòu)為:
struct Web{
const char Tag[4]; //4個(gè)字節(jié)的標(biāo)志�����,內(nèi)容為"URL ",可作為數(shù)據(jù)是否正確的判斷。
int LenNumber; //該數(shù)據(jù)塊的長(zhǎng)度指數(shù)��,數(shù)據(jù)塊的長(zhǎng)度為L(zhǎng)enNumber*128
char unknown[44]; //44字節(jié)的未知數(shù)據(jù)
int DataPos; //Visited:字段相對(duì)于該結(jié)構(gòu)塊頭的偏移值�,即&Web+DataPos就指向Visited了
char unknown[]; //不定長(zhǎng)度未知數(shù)據(jù),不過據(jù)觀察似乎上述DataPos都是一樣的���,那這個(gè)也應(yīng)該定長(zhǎng)了,算了���,不管他,安全起見���,就當(dāng)不定長(zhǎng)了
const char Tag1[8]; //"Visited:"
char Data[]; //結(jié)構(gòu) XXX@????,其中XXX是用戶名,???就是URL,可以從Visited處搜索@來定位
char Unknown[]; //長(zhǎng)度不定
};
注意�,上述結(jié)構(gòu)中的URL是ANSI形式的
3�����、打開注冊(cè)表HKEY_CURRENT_USER/Software/Microsoft/Internet Explorer/IntelliForms/Storage2,枚舉其Values
注冊(cè)表該位置保存的是IE7自動(dòng)完成的用戶名密碼之類��,其中ValueName就是經(jīng)過Hash的網(wǎng)站的URL,ValueData就是加密的用戶名密碼之類了����。
4、對(duì)第2步獲取的URL依次進(jìn)行Hash���,然后用其Hash值依次與第三步中獲取的ValueName進(jìn)行比較,一致的就是該URL的信息
如果一致�����,就對(duì)ValueData進(jìn)行解密���。
ValueData解密后數(shù)據(jù)結(jié)構(gòu)
struct ValueData{
int HeadLen;//4字節(jié)�,用來表示該數(shù)據(jù)結(jié)構(gòu)的頭部長(zhǎng)度。
int DataPos;//真正的數(shù)據(jù)相對(duì)于數(shù)據(jù)結(jié)構(gòu)頭部的偏移�����,即:&ValueData+HeadLen+DataPos就指向有效數(shù)據(jù)了
int DataLen;//有效數(shù)據(jù)的長(zhǎng)度
char unknown[];
wchar UserName[];
wchar PassWord[];
};
HeadLen+HeadLen+DataPos=sizeof(ValueData);
注:
1�、Hash算法:
//Algorithm=0x8004
//0x8004=ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SHA1=CALG_SHA1,原來采用的是CALG_SHA1算法
//注意:此處這個(gè)DataLen是帶Unicode的結(jié)尾的0的
BOOL HashData(WCHAR *pData,int DataLen, char *pHashData,int *pHashLen,int Algorithm)
{
BOOL bResult = TRUE;
HCRYPTPROV hProv = NULL;
HCRYPTHASH hHash = NULL;
DWORD dwLength;
// Get handle to user default provider.
if (CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_FULL, 0))//0xF0000000)) //兩個(gè)都行,不知道最后一個(gè)參數(shù)是干什么的
{
// Create hash object.
if (CryptCreateHash(hProv, Algorithm, 0, 0, &hHash))
{
// Hash password string.
if (CryptHashData(hHash, (BYTE *)pData, DataLen, 0))
{
CryptGetHashParam(hHash,2,(BYTE*)pHashData,(DWORD*)pHashLen,0);
}
else
{
// Error during CryptHashData!
bResult = FALSE;
}
CryptDestroyHash(hHash); // Destroy session key.
}
else
{
// Error during CryptCreateHash!
bResult = FALSE;
}
CryptReleaseContext(hProv, 0);
}
return bResult;
}
2、解密算法:
unsigned char pcryptdata[]={ //注冊(cè)表中提取出來的ValueData�,即加密過的用戶名密碼等信息
0x01,0x00,0x00,0x00,0xD0,0x8C,0x9D,0xDF,0x01,0x15,0xD1,0x11,0x8C,0x7A,0x00,0xC0,0x4F,0xC2,0x97,0xEB,0x01,0x00,0x00,0x00,0x58,0x26,0xE4,0x1A,0x81,0x86,0x2F,0x4D,
0xA9,0x19,0x95,0xED,0x94,0x6F,0xC5,0x2A,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x03,0x66,0x00,0x00,0xA8,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0xB5,0x67,
0x51,0xE5,0x1A,0x73,0x67,0x75,0x0F,0x84,0xF2,0x97,0xCE,0x07,0x21,0x31,0x00,0x00,0x00,0x00,0x04,0x80,0x00,0x00,0xA0,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x75,0xFB,
0x3F,0xC8,0x4C,0x7F,0xDB,0xBA,0xC8,0x27,0xD9,0xC0,0x64,0xD8,0x05,0xEF,0x68,0x00,0x00,0x00,0x50,0x63,0x0F,0x8B,0x7B,0xBC,0xDF,0x96,0xFD,0xE4,0x11,0xEB,0x97,0x43,
0xD8,0x4E,0x7C,0xB6,0x96,0x55,0xA6,0xB5,0x50,0x41,0x5D,0xD5,0xA7,0x4B,0xFA,0x16,0x4E,0x65,0xF5,0xB6,0x0D,0xC5,0xC1,0xCE,0xEB,0x3D,0x28,0x79,0xA2,0xBD,0xAA,0x97,
0x9D,0x31,0xE8,0x84,0xBD,0xC5,0x49,0x74,0x64,0x40,0xFA,0x09,0xE5,0x2C,0x0F,0x27,0xD7,0x65,0x9D,0xAF,0x39,0x80,0x89,0x70,0x4C,0x43,0x65,0x5F,0xDC,0x0A,0xF1,0x7E,
0x8E,0x35,0x61,0x4F,0xDB,0x84,0xFC,0x50,0xE7,0x96,0x1A,0xAE,0x12,0x82,0x2D,0xE6,0x3A,0x0A,0x86,0xA7,0xA7,0x60,0x30,0x99,0x54,0xA7,0x14,0x00,0x00,0x00,0x5B,0xA4,
0x89,0xFF,0xE6,0x48,0x4B,0x05,0x28,0xCF,0xFF,0x28,0xDC,0x11,0x46,0xCB,0x26,0x5D,0x9A,0x0F
};
WCHAR Test[]=L"http://www.devdao.com/0"; //通過對(duì)URL進(jìn)行HASH并與ValueName進(jìn)行比對(duì)獲取的URL地址
DATA_BLOB DataOut;
if(Decrypt(Test,74,pcryptdata,0xf2,&DataOut))
{
for(int i=0;i<DataOut.cbData;i++)
{
printf("%c",DataOut.pbData);
}
printf("/r/nOver/r/n");
}
bool Decrypt(WCHAR *pURL,int URLLen,unsigned char * pCryptedData,int CryptedLen,DATA_BLOB *pDataOut)//解密用
{
DATA_BLOB DataIn;
//DATA_BLOB DataOut;
DATA_BLOB DescrOut;
DataIn.pbData=pCryptedData;
DataIn.cbData=CryptedLen;
DescrOut.cbData=URLLen;
DescrOut.pbData=(unsigned char *)pURL;
if(CryptUnprotectData(&DataIn,NULL,&DescrOut,NULL,NULL,0,pDataOut))
{
//pBuffer=DataOut.pbData;
return true;
}
else
return false;
}
