Registry Code Updates

I've found a couple bugs in the registry code I released recently, and at least one is significant enough that a new release is warranted. Teach me to release code I wrote in a couple hours on a plane ;)

The list of fixes is:
  • Fix a bug that prevented any volatile subkeys from appearing when using the subkeys() function.
  • Add a check for None when using lsadump (reported by Paul Bobby, thanks!)
  • Add appropriate license statements at the top of each file (thanks AAron!). For the record, the license is the GNU General Public License (GPL).
You can download the new version as a zip or tarball, and install it exactly as the previous version, by extracting it into your Volatility directory. If you have a previous version installed, this should just overwrite it (though you may have to tell your unzip program that's okay). As before, PyCrypto is required for the credential extraction modules.

One final note: I have seen some crashes when people attempt to use the hash extraction code, but pass the wrong address for the hive in memory. I'd like to fix this, but I don't yet have a good way of checking to make sure that a given hive is the SYSTEM or SAM or SECURITY hive. I'll try to find something that works, though, and release it with the next update.

Comments

ForensicZone said…
First of all “Nice Job”!!!
I'm having a problem running hashdump, lsadump, and cachedump. I grabbed PyCrypto and installed (with an error: “...Python was built with Visual Studio 2003...”) onto a WindowsXPSP2 System. The build looks pretty good but running Volatility it errors out to the following:

*** Unable to load module cachedump: cannot import name MD4
*** Unable to load module hashdump: cannot import name MD4
*** Unable to load module lsadump: cannot import name MD4
*** Unable to load module cachedump: cannot import name MD4
*** Unable to load module hashdump: cannot import name MD4
*** Unable to load module lsadump: cannot import name MD4

I do have HMAC, MD5 RIPEMD160, RIPEMD and SHA(.py) python files in the HASH folder (C:\Python25\Lib\site-package\Crypto\Cipher).
I really could use your help to figure this out

Thanks
Rick
Forensiczone.com
January 25, 2009 at 12:44 AM
Brendan Dolan-Gavitt said…
It looks as though PyCrypto has portions that are written in C and need to be compiled. If you don't have Visual Studio installed on the machine, you will probably need to find a binary package of PyCrypto for Windows and your Python version.

This page appears to have some, though I don't have a Windows machine handy right now and so I can't vouch for their correctness. I'll try to give this a try on Windows within the next couple days.

Cheers,
Brendan
January 25, 2009 at 2:49 AM
ForensicZone said…
Brendan
Got It!! I down loaded the compiled self-extracting PyCrypto and installed it with no problems. LSADump and Hashdump are working great(I don't have any files to test cachedump). Your programs are simply "awesome". Thanks again for all the work.

Rick
ForensicZone.com
January 25, 2009 at 1:28 PM
dEViLpOiSeD said…
I copied the 3 folders into the volatility directory but it does not show me the list of installed plugins while running
June 1, 2009 at 12:04 AM
Brendan Dolan-Gavitt said…
The easiest way to install it is to extract the zipfile or tarball directly into the Volatility directory -- not all the folders go into the base directory. After unpacking, you should have these files, in these locations (assuming your Volatility directory is called Volatility-1.3_Beta):

Volatility-1.3_Beta/memory_plugins/registry/cachedump.py
Volatility-1.3_Beta/memory_plugins/registry/hashdump.py
Volatility-1.3_Beta/memory_plugins/registry/hivedump.py
Volatility-1.3_Beta/memory_plugins/registry/hivelist.py
Volatility-1.3_Beta/memory_plugins/registry/hivescan2.py
Volatility-1.3_Beta/memory_plugins/registry/lsadump.py
Volatility-1.3_Beta/memory_plugins/registry/printkey.py
Volatility-1.3_Beta/memory_objects/Windows/registry.py
Volatility-1.3_Beta/forensics/win32/regtypes.py
Volatility-1.3_Beta/forensics/win32/rawreg.py
Volatility-1.3_Beta/forensics/win32/lsasecrets.py
Volatility-1.3_Beta/forensics/win32/hive2.py
Volatility-1.3_Beta/forensics/win32/hashdump.py
Volatility-1.3_Beta/forensics/win32/domcachedump.py
Volatility-1.3_Beta/forensics/win32/regdump.py
June 1, 2009 at 10:37 AM
dEViLpOiSeD said…
Directory structure is exactly the same but still not showing plugins..Not sure if it has to do something with OS (Windows XP3) or the Python compiler being used. (http://sourceforge.net/projects/pywin32/)
June 1, 2009 at 11:51 PM
Brendan Dolan-Gavitt said…
Are you running Volatility from within the Volatility directory? At the moment Volatility can only see plugins if it is run from within the main Volatility directory (IIRC it just looks at the memory_plugins directory in the current working directory).

Do other plugins show up? You should at least be able to see the example plugins like pslist_ex_1 and memmap_ex_2.
June 2, 2009 at 7:53 AM
dEViLpOiSeD said…
Yes.. i am running it within the volatility directory..

\Volatility-1.3_Beta\Volatility-1.3_Beta\volatility

\Volatility-1.3_Beta\Volatility-1.3_Beta\volatility\memory_plugins

I don't see even the example plugins..
June 2, 2009 at 6:49 PM
Post a Comment

Popular posts from this blog

Someone’s Been Messing With My Subnormals!

Image
TL;DR: After noticing an annoying warning, I went on an absurd yak shave, and discovered that because of a tiny handful of Python packages built with an appealing-sounding but dangerous compiler option, more than 2,500 Python packages—some with more than a million downloads per month—could end up causing any program that uses them to compute incorrect numerical results. Once Upon a Time in My Terminal Recently, whenever I tried to import certain Python packages (notably, some models from Huggingface Transformers), I would see this weird and unsightly warning: Python 3.8.10 (default, Jun 22 2022, 20:18:18)   Type 'copyright', 'credits' or 'license' for more information IPython 8.4.0 -- An enhanced Interactive Python. Type '?' for help. In [ 1 ]: from transformers import CodeGenForCausalLM /home/moyix/.virtualenvs/sfcodegen/lib/python3.8/site-packages/numpy/core/getlimits.py:498: UserWarning: The value of the smallest subnormal for <class 'numpy.
Read more

Decrypting LSA Secrets

The LSA secrets store is a protected storage area used the the Local Security Authority (LSA) system in Windows to keep important pieces of information safe from prying eyes. As with Syskey, however, we will see that these secrets are only obfuscated, and once the mechanism is known, we can extract them from the registry with ease. Even without knowing the obfuscation algorithm, however, it is possible to read the values of this data using the LsarQuerySecret function exported by lsasrv.dll, but only if one has the LocalSystem privilege (for example, if the process is running under the SYSTEM account). What kind of data is stored in these secrets? Here are a few that I've come across: $MACHINE.ACC : has to do with domain authentication, see KB175468 DefaultPassword : password used to logon to Windows if auto-logon is enabled NL$KM : secret key used to encrypt cached domain passwords L$RTMTIMEBOMB_[...] : FILETIME giving the date when an unactivated copy of Windows w
Read more

SysKey and the SAM

The Security Accounts Manager The Security Accounts Manager , or SAM, has been used by Windows since the days of NT to store information on local user accounts (or, in the case of a domain controller, the accounts for all users on the domain). It takes the form of a registry hive, and is stored in %WINDIR%\system32\config . Generally, two types of hash are stored in the SAM: the LanMan hash and the NT hash. The LanMan hash has many flaws: It is not salted, and is thus vulnerable to precomputed dictionary attacks such as rainbow tables . The hash is split into two 7-byte pieces, which allows attacks to be performed against each piece at the same time. This also means that if the password is shorter than 7 characters, the last half of the hash will be a constant value. The password is converted to uppercase before hashing, which reduces the keyspace. The LM hash is computed by padding or truncating the password to 14 characters, splitting it into two halves, and then usin
Read more