通常在获取到入口点之后我们需要快速收集当前主机的凭证,如chrome和navicat内存放的密码,如果能快速取得主机上安装的软件我们就能针对该软件进行密码的提取,本篇文章旨在解决这个问题。
具体到注册表,对应的位置是 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*
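我们可以通过读取注册表子项的键值对来快速确认已安装的软件。投入实战的话需要先判断系统位数:x64系统存在注册表重定向,32位程序的卸载信息位于 HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* 下,因此在x64系统上还需要对32位程序的注册表视图进行遍历。下面的示例代码打开注册表项时没有指定视图标志,只会读取与进程位数对应的视图。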
#include <stdio.h>
#include <Windows.h>
#include <tchar.h>
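/*
 * Enumerate the immediate subkeys of HKEY_LOCAL_MACHINE\<subKey> and print one
 * line per subkey: the subkey name followed by the string value <subKeyName>
 * stored in that subkey (for example "DisplayName" under the Uninstall key).
 *
 * Parameters:
 *   subKey      - path below HKEY_LOCAL_MACHINE whose children are listed.
 *   subKeyName  - name of the value to read from every child key.
 *
 * Returns TRUE when <subKey> could be opened, FALSE otherwise. A child key
 * that cannot be opened, or that lacks a string value named <subKeyName>, is
 * still listed, with an empty value.
 *
 * Notes:
 *   - The key is opened with KEY_READ and no KEY_WOW64_32KEY/KEY_WOW64_64KEY
 *     flag, so on 64-bit Windows only the registry view matching the bitness
 *     of this process is read.
 *   - Registry values are written by installers and are treated as untrusted
 *     data here: the type is checked, the read is bounded by the buffer size
 *     in bytes, and room for a terminator is reserved because
 *     RegQueryValueEx does not guarantee that string data is NUL-terminated.
 */
BOOL EnumInstalledSoft(TCHAR* subKey, TCHAR* subKeyName) {
    HKEY hKey = NULL;
    DWORD dwIndex = 0;

    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, subKey, 0, KEY_READ, &hKey) != ERROR_SUCCESS) {
        return FALSE;
    }

    for (;;) {
        /* Fresh, zeroed buffers per iteration so nothing from the previous
         * subkey can leak into this one's output. */
        TCHAR keyName[MAX_PATH] = { 0 };
        TCHAR subKeyValue[MAX_PATH] = { 0 };
        /* RegEnumKeyEx takes the name buffer size in characters ... */
        DWORD cchName = MAX_PATH;
        /* ... while RegQueryValueEx takes the data buffer size in bytes.
         * One TCHAR is held back so the zeroed tail always terminates. */
        DWORD cbValue = (DWORD)(sizeof(subKeyValue) - sizeof(TCHAR));
        DWORD dwType = REG_NONE;
        HKEY hSubKey = NULL;

        if (RegEnumKeyEx(hKey, dwIndex, keyName, &cchName, NULL, NULL, NULL, NULL) != ERROR_SUCCESS) {
            break; /* ERROR_NO_MORE_ITEMS or a real failure: stop either way */
        }
        ++dwIndex;

        /* Only the right to query values is needed on the child key. */
        if (RegOpenKeyEx(hKey, keyName, 0, KEY_QUERY_VALUE, &hSubKey) == ERROR_SUCCESS) {
            LONG rc = RegQueryValueEx(hSubKey,
                                      subKeyName,
                                      NULL,
                                      &dwType,
                                      (LPBYTE)subKeyValue,
                                      &cbValue);
            /* Missing value, value too large for the buffer, or a non-string
             * type: print an empty value instead of undefined buffer bytes. */
            if (rc != ERROR_SUCCESS || (dwType != REG_SZ && dwType != REG_EXPAND_SZ)) {
                subKeyValue[0] = 0;
            }
            RegCloseKey(hSubKey);
        }

        /* _tprintf/_T keep the format and the TCHAR arguments in the same
         * character width in both ANSI and UNICODE builds. */
        _tprintf(_T("%s : %s \n"), keyName, subKeyValue);
    }

    RegCloseKey(hKey);
    return TRUE;
}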
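/*
 * Print the installed-software inventory recorded under two
 * HKEY_LOCAL_MACHINE locations: the Uninstall key (value "DisplayName") and
 * the Windows Installer product list (value "ProductName").
 *
 * The key and value names are written with _T() so that they have the
 * character width EnumInstalledSoft expects; casting a narrow literal to
 * TCHAR* hands the registry API a mis-typed string in a UNICODE build.
 */
int main(void)
{
    if (!EnumInstalledSoft((TCHAR*)_T("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"), (TCHAR*)_T("DisplayName"))) {
        fprintf(stderr, "could not open the Uninstall key\n");
    }
    if (!EnumInstalledSoft((TCHAR*)_T("Software\\Classes\\Installer\\Products"), (TCHAR*)_T("ProductName"))) {
        fprintf(stderr, "could not open the Installer Products key\n");
    }

    /* Keep the console window open without spawning a command interpreter
     * through system(), which this file never declared (no <stdlib.h>). */
    printf("Press Enter to exit...\n");
    (void)getchar();
    return 0;
}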