
Source Code for Module rekall.plugins.windows.registry.lsasecrets

  1  # Rekall Memory Forensics 
  2  # Copyright (c) 2008 Volatile Systems 
  3  # Copyright (c) 2008 Brendan Dolan-Gavitt <bdolangavitt@wesleyan.edu> 
  4  # Copyright 2013 Google Inc. All Rights Reserved. 
  5  # 
  6  # This program is free software; you can redistribute it and/or modify 
  7  # it under the terms of the GNU General Public License as published by 
  8  # the Free Software Foundation; either version 2 of the License, or (at 
  9  # your option) any later version. 
 10  # 
 11  # This program is distributed in the hope that it will be useful, but 
 12  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 13  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 14  # General Public License for more details. 
 15  # 
 16  # You should have received a copy of the GNU General Public License 
 17  # along with this program; if not, write to the Free Software 
 18  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 19  # 
 20   
 21  #pylint: disable-msg=C0111 
 22   
 23  """ 
 24  @author:       Brendan Dolan-Gavitt 
 25  @license:      GNU General Public License 2.0 or later 
 26  @contact:      bdolangavitt@wesleyan.edu 
 27  """ 
 28   
 29  import struct 
 30  from rekall.plugins.windows.registry import hashdump 
 31  from Crypto import Hash 
 32  from Crypto import Cipher 
 33   
 34   
# Overlay describing the LSA_BLOB layout used by the registry parser:
# an 8-byte header (cbData, cbMaxData) followed by cbData bytes of payload.
lsa_types = {
    'LSA_BLOB': [8, {
        'cbData': [0, ['unsigned int']],
        'cbMaxData': [4, ['unsigned int']],
        # szData's length is taken from the cbData field of the same blob.
        'szData': [8, ['String', {'length': lambda blob: blob.cbData}]],
    }],
}
 42   
 43   
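def get_lsa_key(sec_registry, bootkey):
    """Recover the LSA secrets encryption key from the SECURITY hive.

    Reads the obfuscated key stored under Policy\\PolSecretEncryptionKey,
    derives an RC4 key from the boot key (MD5 over the boot key followed
    by 1000 rounds over bytes 60..76 of the blob) and decrypts bytes
    12..60 of the blob with it.

    Args:
      sec_registry: SECURITY hive object exposing open_key().
      bootkey: the system boot key (see hashdump.get_bootkey).

    Returns:
      The 16-byte LSA key, or None if the key value is missing or the
      stored blob is too short to hold the expected layout.
    """
    enc_reg_key = sec_registry.open_key(["Policy", "PolSecretEncryptionKey"])
    # open_key() is treated as possibly returning a falsy result elsewhere
    # in this module (get_secrets); mirror that here instead of raising on
    # a hive that lacks the key.
    if not enc_reg_key:
        return None

    enc_reg_value = enc_reg_key.ValueList.List.dereference()[0]
    if not enc_reg_value:
        return None

    obf_lsa_key = enc_reg_value.Data.dereference_as(
        "String", length=enc_reg_value.DataLength).v()

    # The slices below read bytes 12..76 of the blob. Data pulled from a
    # memory image may be truncated; without this check a short blob would
    # yield a silently wrong (shorter) key rather than no key at all.
    if not obf_lsa_key or len(obf_lsa_key) < 76:
        return None

    md5 = Hash.MD5.new()
    md5.update(bootkey)
    for _i in xrange(1000):
        md5.update(obf_lsa_key[60:76])
    rc4key = md5.digest()

    rc4 = Cipher.ARC4.new(rc4key)
    lsa_key = rc4.decrypt(obf_lsa_key[12:60])

    # Only the middle 16 bytes of the decrypted block are the key.
    return lsa_key[0x10:0x20]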
68
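def decrypt_secret(secret, key):
    """Python implementation of SystemFunction005.

    Decrypts a block of data with DES using given key.
    Note that key can be longer than 7 bytes.

    Args:
      secret: the encrypted blob, processed in 8-byte DES-ECB blocks.
      key: the LSA key; consumed 7 bytes at a time, restarting near the
        beginning once fewer than 7 bytes remain.

    Returns:
      The plaintext payload: bytes 8..8+length of the decrypted buffer,
      where length is the little-endian 32-bit count stored in its first
      four bytes. An empty string if the decrypted buffer is too short to
      carry that header.

    Raises:
      Whatever Cipher.DES.decrypt raises for a trailing block that is
      not 8 bytes long (secret lengths that are not a multiple of 8).
    """
    blocks = []
    j = 0  # key index
    for i in xrange(0, len(secret), 8):
        enc_block = secret[i:i + 8]
        block_key = key[j:j + 7]
        des_key = hashdump.str_to_key(block_key)

        des = Cipher.DES.new(des_key, Cipher.DES.MODE_ECB)
        blocks.append(des.decrypt(enc_block))

        # Advance by one 7-byte key chunk; when fewer than 7 bytes remain
        # the key index restarts at an offset equal to that tail length.
        j += 7
        if len(key[j:j + 7]) < 7:
            j = len(key[j:j + 7])

    decrypted_data = ''.join(blocks)

    # A truncated secret (e.g. a registry value of fewer than 12 bytes, which
    # get_secrets() passes in as an empty string) produces too little
    # plaintext for the 4-byte length header; struct.unpack would raise and
    # abort the caller's enumeration of the remaining secrets.
    if len(decrypted_data) < 8:
        return ''

    (dec_data_len,) = struct.unpack("<L", decrypted_data[:4])
    # dec_data_len is read from the decrypted buffer itself; slicing clamps
    # it to the bytes actually present.
    return decrypted_data[8:8 + dec_data_len]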
90
def get_secret_by_name(secaddr, name, lsakey):
    """Fetch and decrypt a single LSA secret by name.

    NOTE(review): `rawreg` is not imported by this module (its imports are
    struct, hashdump, Hash and Cipher), so calling this function raises
    NameError. It also reads the hive through secaddr.read() rather than
    the open_key()/dereference_as() API the sibling functions use --
    presumably a leftover from an older registry API; confirm before
    relying on it.

    Args:
      secaddr: address space / hive handle passed to rawreg.get_root()
        and read().
      name: name of the subkey under Policy\\Secrets.
      lsakey: LSA key as returned by get_lsa_key().

    Returns:
      The decrypted secret, or None if any lookup along the way fails.
    """
    root = rawreg.get_root(secaddr)
    if not root:
        return None

    enc_secret_key = rawreg.open_key(root, ["Policy", "Secrets", name, "CurrVal"])
    if not enc_secret_key:
        return None

    enc_secret_value = enc_secret_key.ValueList.List.dereference()[0]
    if not enc_secret_value:
        return None

    enc_secret = secaddr.read(enc_secret_value.Data,
                              enc_secret_value.DataLength)
    if not enc_secret:
        return None

    # Same offset skip as get_secrets(): decrypt from byte 0xC onward.
    return decrypt_secret(enc_secret[0xC:], lsakey)
110
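def get_secrets(sys_registry, sec_registry):
    """Yield (name, plaintext) for every LSA secret in the SECURITY hive.

    Derives the boot key from the SYSTEM hive, the LSA key from the
    SECURITY hive, then walks Policy\\Secrets\\<name>\\CurrVal and
    decrypts each value found.

    Args:
      sys_registry: SYSTEM hive object (passed to hashdump.get_bootkey).
      sec_registry: SECURITY hive object exposing open_key().

    Yields:
      (key.Name, secret) tuples; secret is the output of decrypt_secret.
      Yields nothing if the LSA key or the Secrets key cannot be found.
    """
    bootkey = hashdump.get_bootkey(sys_registry)
    lsakey = get_lsa_key(sec_registry, bootkey)
    # get_lsa_key() returns None when the encryption key is missing;
    # decrypt_secret() cannot slice a None key, so stop here rather than
    # fail with a TypeError on the first secret.
    if not lsakey:
        return

    secrets_key = sec_registry.open_key(["Policy", "Secrets"])
    if not secrets_key:
        return

    for key in secrets_key.subkeys():
        sec_val_key = key.open_subkey("CurrVal")
        if not sec_val_key:
            continue

        for enc_secret_value in sec_val_key.values():
            enc_secret = enc_secret_value.Data.dereference_as(
                "String", length=enc_secret_value.DataLength).v()
            if not enc_secret:
                continue
            # The stored value is decrypted from offset 0xC onward; the
            # leading bytes are not part of the encrypted payload.
            secret = decrypt_secret(enc_secret[0xC:], lsakey)
            yield key.Name, secret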
133