23 """
24 @author: Brendan Dolan-Gavitt
25 @license: GNU General Public License 2.0 or later
26 @contact: bdolangavitt@wesleyan.edu
27 """
28
29 import struct
30 from rekall.plugins.windows.registry import hashdump
31 from Crypto import Hash
32 from Crypto import Cipher
33
34
# Layout of an LSA secret blob, in the [size, {field: [offset, [type, kwargs]]}]
# form used by the registry plugins: two 'unsigned int' counts at offsets 0 and
# 4, followed at offset 8 by the payload whose length is taken from cbData.
lsa_types = {
    'LSA_BLOB': [
        8,
        {
            'cbData': [0x0, ['unsigned int']],
            'cbMaxData': [0x4, ['unsigned int']],
            'szData': [0x8, ['String', {'length': lambda blob: blob.cbData}]],
        },
    ],
}
42
43
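def get_lsa_key(sec_registry, bootkey):
    """Return the 16-byte LSA key stored (obfuscated) in the SECURITY hive.

    The Policy/PolSecretEncryptionKey value holds the obfuscated key. An RC4
    key is derived as MD5(bootkey || 1000 x obf[60:76]); RC4 over obf[12:60]
    then yields a 48-byte buffer whose bytes 16..32 are the LSA key.

    Args:
      sec_registry: opened SECURITY hive exposing open_key().
      bootkey: bootkey derived from the SYSTEM hive (hashdump.get_bootkey).

    Returns:
      The LSA key as a 16-byte str, or None when the value is missing, empty
      or too short for the layout above.
    """
    enc_reg_key = sec_registry.open_key(["Policy", "PolSecretEncryptionKey"])
    if not enc_reg_key:
        return None

    enc_reg_value = enc_reg_key.ValueList.List.dereference()[0]
    if not enc_reg_value:
        return None

    obf_lsa_key = enc_reg_value.Data.dereference_as(
        "String", length=enc_reg_value.DataLength).v()
    if not obf_lsa_key:
        return None

    # The salt lives at [60:76]; a shorter value would hash an empty or short
    # slice and silently produce a wrong key instead of failing here.
    if len(obf_lsa_key) < 76:
        return None

    salt = obf_lsa_key[60:76]
    md5 = Hash.MD5.new()
    md5.update(bootkey)
    for _i in xrange(1000):
        md5.update(salt)
    rc4key = md5.digest()

    rc4 = Cipher.ARC4.new(rc4key)
    lsa_key = rc4.decrypt(obf_lsa_key[12:60])

    # NOTE(review): this is the MD5/RC4 derivation only; hives written by
    # Windows versions that use the newer AES-based LSA key scheme are not
    # handled by this path - confirm against the target's version.
    return lsa_key[0x10:0x20]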
68
70 """Python implementation of SystemFunction005.
71
72 Decrypts a block of data with DES using given key.
73 Note that key can be longer than 7 bytes."""
74 decrypted_data = ''
75 j = 0
76 for i in xrange(0, len(secret), 8):
77 enc_block = secret[i:i + 8]
78 block_key = key[j:j + 7]
79 des_key = hashdump.str_to_key(block_key)
80
81 des = Cipher.DES.new(des_key, Cipher.DES.MODE_ECB)
82 decrypted_data += des.decrypt(enc_block)
83
84 j += 7
85 if len(key[j:j + 7]) < 7:
86 j = len(key[j:j + 7])
87
88 (dec_data_len,) = struct.unpack("<L", decrypted_data[:4])
89 return decrypted_data[8:8 + dec_data_len]
90
92 root = rawreg.get_root(secaddr)
93 if not root:
94 return None
95
96 enc_secret_key = rawreg.open_key(root, ["Policy", "Secrets", name, "CurrVal"])
97 if not enc_secret_key:
98 return None
99
100 enc_secret_value = enc_secret_key.ValueList.List.dereference()[0]
101 if not enc_secret_value:
102 return None
103
104 enc_secret = secaddr.read(enc_secret_value.Data,
105 enc_secret_value.DataLength)
106 if not enc_secret:
107 return None
108
109 return decrypt_secret(enc_secret[0xC:], lsakey)
110
112
113 bootkey = hashdump.get_bootkey(sys_registry)
114 lsakey = get_lsa_key(sec_registry, bootkey)
115
116 secrets_key = sec_registry.open_key(["Policy", "Secrets"])
117 if not secrets_key:
118 return
119
120 for key in secrets_key.subkeys():
121 sec_val_key = key.open_subkey("CurrVal")
122
123 if not sec_val_key:
124 continue
125
126 for enc_secret_value in sec_val_key.values():
127 enc_secret = enc_secret_value.Data.dereference_as(
128 "String", length=enc_secret_value.DataLength).v()
129
130 if enc_secret:
131 secret = decrypt_secret(enc_secret[0xC:], lsakey)
132 yield key.Name, secret
133