# Rekall Memory Forensics
# Copyright (C) 2008 Volatile Systems
# Copyright (c) 2008 Brendan Dolan-Gavitt <bdolangavitt@wesleyan.edu>
# Copyright 2013 Google Inc. All Rights Reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#

"""
@author:       AAron Walters and Brendan Dolan-Gavitt
@license:      GNU General Public License 2.0 or later
@contact:      awalters@volatilesystems.com,bdolangavitt@wesleyan.edu
@organization: Volatile Systems
"""

from rekall import utils

from rekall.plugins.windows.registry import lsasecrets
from rekall.plugins.windows.registry import hashdump
from rekall.plugins.windows import common
from rekall.plugins.windows.registry import registry


class LSADump(common.WindowsCommandPlugin):
    """Dump (decrypted) LSA secrets from the registry.

    The plugin opens the SYSTEM and SECURITY hives at the given virtual
    offsets and hands them to ``lsasecrets.get_secrets``. Whatever that
    helper yields is written to ``outfd`` verbatim (name, then a hexdump of
    the value). LSA secrets are credential material (service account and
    cached-logon style secrets live here), so treat plugin output as
    sensitive.
    """

    name = "lsadump"
    mode = "mode_xp"

    def __init__(self, sys_offset=None, security_offset=None, **kwargs):
        """Dump (decrypted) LSA secrets from the registry.

        Args:
           sys_offset: The hive virtual offset to the system hive.
           security_offset: The hive virtual offset to the security hive.
        """
        super(LSADump, self).__init__(**kwargs)
        self.sys_offset = sys_offset
        self.security_offset = security_offset
        # Augment the profile with the registry implementation so hive
        # structures can be parsed; what exactly the wrapper adds is
        # defined in registry.RekallRegisteryImplementation.
        self.profile = registry.RekallRegisteryImplementation(self.profile)

    def _open_hive(self, hive_offset):
        """Open the registry hive at ``hive_offset`` in the kernel AS."""
        return registry.RegistryHive(
            profile=self.profile, hive_offset=hive_offset,
            kernel_address_space=self.kernel_address_space)

    def calculate(self):
        """Return the result of lsasecrets.get_secrets(system, security).

        ``render`` consumes it as (name, value) pairs. No check is made here
        that either offset was supplied; a ``None`` offset is passed straight
        through to RegistryHive.
        """
        # Arguments are evaluated left to right: SYSTEM first, then SECURITY.
        return lsasecrets.get_secrets(
            self._open_hive(self.sys_offset),
            self._open_hive(self.security_offset))

    def render(self, outfd):
        """Write each secret as its name followed by a hexdump of the value."""
        for secret_name, secret_value in self.calculate():
            outfd.write(secret_name + "\n")
            utils.WriteHexdump(outfd, secret_value)
            outfd.write("\n")


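class HashDump(LSADump):
    """Dumps passwords hashes (LM/NTLM) from memory.

    The SYSTEM and SAM hives are opened at the given virtual offsets and
    passed to ``hashdump.dump_hashes``; each record it returns is written to
    ``outfd`` on its own line. LM/NTLM hashes are reusable credentials
    (offline cracking, pass-the-hash), so treat plugin output as sensitive.
    """

    # NOTE(review): Python name-mangles this attribute to `_HashDump__name`;
    # the plugin registry must read the mangled form for this class to
    # register as "hashdump". LSADump above uses a plain `name` attribute,
    # which is inherited here unchanged -- confirm which form the registry
    # honors.
    __name = "hashdump"

    def __init__(self, sys_offset=None, sam_offset=None, **kwargs):
        """Dump password hashes (LM/NTLM) from the SYSTEM and SAM hives.

        Args:
           sys_offset: The hive virtual offset to the system hive.
           sam_offset: The hive virtual offset to the sam hive.
        """
        # The parent stores sys_offset/security_offset (None unless passed
        # via kwargs); security_offset is not used by this plugin's
        # calculate(), and sys_offset is overwritten below.
        super(HashDump, self).__init__(**kwargs)
        self.sys_offset = sys_offset
        self.sam_offset = sam_offset
        # NOTE(review): LSADump.__init__ has already applied this wrapper
        # once; whether applying it twice is harmless depends on
        # RekallRegisteryImplementation -- confirm before removing or
        # keeping this line.
        self.profile = registry.RekallRegisteryImplementation(self.profile)

    def calculate(self):
        """Return the records from hashdump.dump_hashes(system, sam).

        A ``None`` offset is passed straight through to RegistryHive; no
        validation is performed here.
        """
        sys_registry = registry.RegistryHive(
            profile=self.profile, hive_offset=self.sys_offset,
            kernel_address_space=self.kernel_address_space)

        sam_registry = registry.RegistryHive(
            profile=self.profile, hive_offset=self.sam_offset,
            kernel_address_space=self.kernel_address_space)

        return hashdump.dump_hashes(sys_registry, sam_registry)

    def render(self, outfd):
        """Write each record returned by calculate() to outfd, one per line."""
        for d in self.calculate():
            outfd.write(d + "\n")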