Author:
Brendan Dolan-Gavitt
License:
GNU General Public License 2.0 or later
Contact:
bdolangavitt@wesleyan.edu
http://moyix.blogspot.com/2008/02/decrypting-lsa-secrets.html
Code seems to be inspired by eyas_at_xfocus.org
http://www.xfocus.net/articles/200411/749.html
find_control_set(sys_registry)
Determine which control set is currently in use.
get_bootkey(sys_registry)
Derive the boot key by unscrambling the LSA key.
decrypt_single_hash(rid, hbootkey, enc_hash, lmntstr)
decrypt_hashes(rid, enc_lm_hash, enc_nt_hash, hbootkey)
encrypt_single_hash(rid, hbootkey, hash, lmntstr)
encrypt_hashes(rid, lm_hash, nt_hash, hbootkey)
odd_parity = [ 1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14...
p = [ 8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7]
aqwerty = ' !@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%\x00 '
anum = ' 0123456789012345678901234567890123456789\x00 '
antpassword = ' NTPASSWORD\x00 '
almpassword = ' LMPASSWORD\x00 '
lmkey = ' KGS!@#$% '
empty_lm = ' \xaa\xd3\xb45\xb5\x14\x04\xee\xaa\xd3\xb45\xb5\x14 ...
empty_nt = ' 1\xd6\xcf\xe0\xd1j\xe91\xb7<Y\xd7\xe0\xc0\x89\xc0 '
__package__ = ' rekall.plugins.windows.registry '