Sometimes you want to log into a Windows box, but you don't know the password. A few years ago (summer 2007), I wrote a utility to solve this problem. At the time, there was no similar tool around. There were programs able to reset the password (not a very stealthy approach, btw). Nowadays, such tools are nothing special (some Polish guy even created web pages for such a tool and is charging money for it), so I decided to publish my old stuff. I believe that bright people from the CodeProject community can extend it into actually usable open source software.
Background

I came across this blog post [1]. The idea is to use a kernel debugger to modify the routine msv1_0!MsvpPasswordValidate so that it always returns TRUE, even for an incorrect password. I was impressed by the simplicity of the idea and decided to implement it using a bootable CD instead of a debugger. A great compilation of information on bootable CDs is eEye's BootRoot [2]. Another source of inspiration is [3]. Theory of operation:
Flow of execution

0. hic sunt leones (DRAM initialization, POST, etc.) - see [4]
1. boot from CD:
   - CD code hooks int 15h and copies itself to RAM
   - CD code boots NTLDR from HDD
2. boot from HDD:
   - NTLDR is running
   - NTLDR calls int 15h
   - the hooked int 15h handler patches NTLDR with a 32-bit stager
   - NTLDR is running
   - the 32-bit stager is called
   - the 32-bit stager calls the payload
   - the payload hooks IoCreateDriver
   - NTLDR is running
   - IoCreateDriver is called; the hook registers a custom callback using PsSetLoadImageNotifyRoutine
   - PspLoadImageNotifyRoutine notifies us about images being loaded
   - if the image name is msv1_0.dll, hook (IAT style) RtlCompareMemory
3. the Windows logon dialog appears and an arbitrary password is accepted for every account

Nota bene:
* int 15h is used instead of the usual int 13h used in BootRoot and its clones
* int 15h was found to be viable by using a custom PCI-ROM based interrupt sniffer, and it leads to more compact code
* msv1_0!MsvpPasswordValidate is not hooked, because it is not exported
* the password is also validated in ADVAPI32!SystemFunction031
* both functions mentioned above call RtlCompareMemory, which is exported
* RtlCompareMemory is modified in such a way that it returns 0 (true) for all blocks of the length of the password hash
* it's a dirty hack; it's not intended for production use :)

So, how does it work? When you enter a password, Windows computes a hash of the password and compares it with the stored hash of the correct password. But the comparison routine has been modified, so it returns true for any two hashes, i.e. for any password you enter.

Read more: Codeproject