
Source Code for Module rekall.plugins.windows.registry.lsadump

  1  # Rekall Memory Forensics 
  2  # Copyright (C) 2008 Volatile Systems 
  3  # Copyright (c) 2008 Brendan Dolan-Gavitt <bdolangavitt@wesleyan.edu> 
  4  # Copyright 2013 Google Inc. All Rights Reserved. 
  5  # 
  6  # This program is free software; you can redistribute it and/or modify 
  7  # it under the terms of the GNU General Public License as published by 
  8  # the Free Software Foundation; either version 2 of the License, or (at 
  9  # your option) any later version. 
 10  # 
 11  # This program is distributed in the hope that it will be useful, but 
 12  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 13  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 14  # General Public License for more details. 
 15  # 
 16  # You should have received a copy of the GNU General Public License 
 17  # along with this program; if not, write to the Free Software 
 18  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 19  # 
 20   
 21  """ 
 22  @author:       AAron Walters and Brendan Dolan-Gavitt 
 23  @license:      GNU General Public License 2.0 or later 
 24  @contact:      awalters@volatilesystems.com,bdolangavitt@wesleyan.edu 
 25  @organization: Volatile Systems 
 26  """ 
 27   
 28  from rekall import utils 
 29   
 30  from rekall.plugins.windows.registry import lsasecrets 
 31  from rekall.plugins.windows.registry import hashdump 
 32  from rekall.plugins.windows import common 
 33  from rekall.plugins.windows.registry import registry 
 34   
 35   
class LSADump(common.WindowsCommandPlugin):
    """Dump (decrypted) LSA secrets from the registry.

    The SYSTEM and SECURITY hives are located by their virtual offsets in
    the memory image, wrapped as RegistryHive objects, and handed to
    lsasecrets.get_secrets(); each resulting secret is rendered as its
    name followed by a hexdump of the value.

    The output is decrypted credential material written verbatim, so treat
    whatever ``outfd`` points at (file, terminal log, report) as sensitive
    and restrict access to it accordingly.
    """

    # Plugin registration metadata: the name the plugin is exposed under,
    # and the profile mode it applies to.
    name = "lsadump"
    mode = "mode_xp"

    def __init__(self, sys_offset=None, security_offset=None, **kwargs):
        """Dump (decrypted) LSA secrets from the registry.

        Args:
          sys_offset: The hive virtual offset to the system hive.
          security_offset: The hive virtual offset to the security hive.
        """
        super(LSADump, self).__init__(**kwargs)
        self.sys_offset = sys_offset
        self.security_offset = security_offset
        # Wrap the session profile with the registry-aware implementation
        # expected by registry.RegistryHive below.
        self.profile = registry.RekallRegisteryImplementation(self.profile)

    def _open_hive(self, hive_offset):
        """Return a RegistryHive for the hive rooted at *hive_offset*."""
        return registry.RegistryHive(
            profile=self.profile, hive_offset=hive_offset,
            kernel_address_space=self.kernel_address_space)

    def calculate(self):
        """Return the result of lsasecrets.get_secrets() for both hives.

        render() consumes it as an iterable of (name, value) pairs.
        """
        system_hive = self._open_hive(self.sys_offset)
        security_hive = self._open_hive(self.security_offset)
        return lsasecrets.get_secrets(system_hive, security_hive)

    def render(self, outfd):
        """Write each secret name, a hexdump of its value, then a blank line."""
        for secret_name, secret_value in self.calculate():
            outfd.write(secret_name + "\n")
            utils.WriteHexdump(outfd, secret_value)
            outfd.write("\n")
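class HashDump(LSADump):
    """Dumps password hashes (LM/NTLM) from memory.

    The SYSTEM and SAM hives are located by their virtual offsets in the
    memory image and handed to hashdump.dump_hashes(); each returned entry
    is written out as one line.

    As with LSADump, the output is credential material (password hashes)
    written in the clear, so treat the destination of ``outfd`` as
    sensitive and restrict access to it.
    """

    # Plugin registration metadata. LSADump above declares this as the plain
    # attribute ``name``; the previous ``__name`` spelling is name-mangled to
    # ``_HashDump__name`` and therefore does not override the inherited
    # ``name = "lsadump"``, so the attribute is set without the underscores.
    name = "hashdump"

    def __init__(self, sys_offset=None, sam_offset=None, **kwargs):
        """Dump password hashes (LM/NTLM) from the registry.

        Args:
          sys_offset: The hive virtual offset to the system hive.
          sam_offset: The hive virtual offset to the sam hive.
        """
        super(HashDump, self).__init__(**kwargs)
        self.sys_offset = sys_offset
        self.sam_offset = sam_offset
        # NOTE(review): LSADump.__init__ has already wrapped self.profile in
        # RekallRegisteryImplementation, so this wraps it a second time. Kept
        # as in the original; confirm the wrapper is idempotent before
        # dropping this line.
        self.profile = registry.RekallRegisteryImplementation(self.profile)

    def calculate(self):
        """Return hashdump.dump_hashes() for the system and sam hives.

        render() consumes the result as an iterable of strings.
        """
        sys_registry = registry.RegistryHive(
            profile=self.profile, hive_offset=self.sys_offset,
            kernel_address_space=self.kernel_address_space)

        sam_registry = registry.RegistryHive(
            profile=self.profile, hive_offset=self.sam_offset,
            kernel_address_space=self.kernel_address_space)

        return hashdump.dump_hashes(sys_registry, sam_registry)

    def render(self, outfd):
        """Write one line per entry produced by calculate()."""
        for hash_line in self.calculate():
            outfd.write(hash_line + "\n")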