The Brain

Active Members
  • Posts: 7

  1. As it has already been said, if you pack/crypt an exe your AV might detect it by general detection of the cryptor. So you need a private packer. :-? As private means NOT public there are no links :D But you can also try one of the publicly known packers, like Yoda's Protector.
  2. Simply do a "Search for" -> "All referenced text strings" -> " * Access Denied *" in OllyDbg and you'll land at the right place. Scroll a bit up and you'll see the interesting code. Silva said that before: Correct password can be found in register EDX but you could also patch the JNZ.
  3. Sure there are some exploits to do so. You may take a look at this.
  4. I mentioned it above 8-) But does this also work with network-login? Anyone tested so far?
  5. %systemroot%\system32\sethc.exe Replace it with cmd.exe Boot into Windows and press SHIFT five times. Command Prompt with SYSTEM privileges will pop up (Not tested). --- Download DreamPackPL and replace %systemroot%\System32\sfcfiles.dll with the downloaded one (I'm not sure if it works with Windows XP, I only tested it in my W2K). --- Download WinlogonHijack and run it from a Service or anything else with SYSTEM-Privileges (I didn't test it yet, but the author claims it to work 100%). It'll log all passwords of logins to a file (But I don't know if it catches network-pws (i.e. Domain-pws) too). --- --- Now I've got a question: kickarse posted a link to a nice paper about NT's login. Now, does anybody have a link to a similar paper about W2K, XP or maybe even Vista? Also I'd like to know if the passwords for domain-logins are saved anywhere (cached or just temporary in memory)? If so, it should be possible to save them anyhow. :twisted: L0phtcrack Crew wrote a Utility to catch these passwords in a NT-Network, it's called something like Blabla SMB ... maybe there's a new Version available? Let me know and thanks :D
  6. Very interesting so far :D I'm working on a Solution to put the CMD on the Loginscreen :twisted: But now that I have Admin-Privileges on the Local-Machine, I'd like to know how to gain those on the domain (like Arikirangi said). I don't have the possibility of creating a domain here at home, so if anyone has: Is pwdump (or any other tool like that) able to read out the domain-passwords after you logged into the domain as a "normal"-user and start pwdump afterwards? I assume it'll only read out the local hashes but I think it's worth a try.
  7. Does the replacement of either utilman.exe or services.exe need to be a 16-Bit-App? If not, are there any other restrictions to the file? Could I also simply rename a .bat-File to utilman.exe? I tried to replace it with Cmd.exe, it seems to be started after pressing [Win]+ but I can't see it?! :( And BTW: does it also have SYSTEM-Privileges when started from the Start-Menu?