21 """
22 @author: AAron Walters and Brendan Dolan-Gavitt
23 @license: GNU General Public License 2.0 or later
24 @contact: awalters@volatilesystems.com,bdolangavitt@wesleyan.edu
25 @organization: Volatile Systems
26 """
27
28 from rekall import utils
29
30 from rekall.plugins.windows.registry import lsasecrets
31 from rekall.plugins.windows.registry import hashdump
32 from rekall.plugins.windows import common
33 from rekall.plugins.windows.registry import registry
34
35
36 -class LSADump(common.WindowsCommandPlugin):
37 """Dump (decrypted) LSA secrets from the registry"""
38
39
# Name under which the plugin is exposed (registration itself is handled
# by the common.WindowsCommandPlugin base class, outside this file).
name = "lsadump"
# NOTE(review): looks like a profile-applicability selector for XP-era
# images; its exact meaning is defined by the base class -- confirm.
mode = "mode_xp"
42
def __init__(self, sys_offset=None, security_offset=None, **kwargs):
    """Dump (decrypted) LSA secrets from the registry.

    Args:
      sys_offset: Virtual offset of the SYSTEM hive, or None when the
        caller does not supply one (how it is then located is not part
        of this method).
      security_offset: Virtual offset of the SECURITY hive, or None as
        above.
      **kwargs: Forwarded unchanged to common.WindowsCommandPlugin.
    """
    super(LSADump, self).__init__(**kwargs)
    # Remember the caller-supplied hive locations for later use by the
    # plugin's calculate() step.
    self.sys_offset, self.security_offset = sys_offset, security_offset
    # self.profile is already populated at this point (presumably by the
    # base-class constructor); wrap it with the registry helper methods.
    self.profile = registry.RekallRegisteryImplementation(self.profile)
54
65
67 for k, v in self.calculate():
68 outfd.write(k + "\n")
69 utils.WriteHexdump(outfd, v)
70 outfd.write("\n")
71
72
"""Dump password hashes (LM/NTLM) from memory."""

# NOTE(review): the double-underscore prefix is name-mangled to
# _HashDump__name, whereas LSADump above uses a plain `name` attribute.
# If plugin discovery keys on `name`, this class is not reachable as
# "hashdump" -- confirm whether hiding it is intended.
__name = "hashdump"
77
def __init__(self, sys_offset=None, sam_offset=None, **kwargs):
    """Dump password hashes (LM/NTLM) from the SYSTEM and SAM hives.

    Args:
      sys_offset: Virtual offset of the SYSTEM hive, or None when the
        caller does not supply one (how it is then located is not part
        of this method).
      sam_offset: Virtual offset of the SAM hive, or None as above.
      **kwargs: Forwarded unchanged to the base plugin constructor.
    """
    super(HashDump, self).__init__(**kwargs)
    # Keep the caller-supplied hive locations for the plugin's later
    # processing step.
    self.sys_offset, self.sam_offset = sys_offset, sam_offset
    # self.profile is already populated at this point (presumably by the
    # base-class constructor); wrap it with the registry helper methods.
    self.profile = registry.RekallRegisteryImplementation(self.profile)
89
100
104