CN105893107B - A method of obtaining the plaintext of a logged-in user's password from the memory image file of a 64-bit Windows operating system - Google Patents
Publication number: CN105893107B (application CN201610276405.7A)
Authority: CN (China)
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F8/53: Decompilation; Disassembly (under G06F8/00 Arrangements for software engineering, G06F8/40 Transformation of program code)
- G06F12/0802: Addressing of a memory level in which access to the desired data requires associative addressing means, e.g. caches (under G06F12/08 Addressing or allocation in hierarchically structured memory systems, e.g. virtual memory systems)
- G06F12/10: Address translation (under G06F12/08)
- G06F21/31: User authentication (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity, G06F21/30 Authentication)
- H04L9/3226: Cryptographic mechanisms or arrangements including means for verifying the identity or authority of a user of the system, using a predetermined code, e.g. password, passphrase or PIN (under H04L9/00, H04L9/32)
Abstract
The method of the invention for obtaining the plaintext of a logged-in user's password from the memory image file of a 64-bit Windows operating system comprises: a) obtaining the system version information; b) obtaining the CR3 register value of the lsass.exe process and the value of the Peb variable in its process control block; c) dumping the in-memory images of the dynamic link libraries lsasrv.dll and tspkg.dll; d) obtaining the key material; e) obtaining the user information from lsasrv.dll; f) obtaining the primary credential of the logged-in user from the tspkg.dll dump; g) obtaining the plaintext password. The method is accurate and efficient, its result is not affected by the complexity of the password, it is an important means of obtaining user logon information from a physical memory image file, and the plaintext password obtained is one of the important pieces of evidence in computer forensics.
Description
Technical field
The present invention relates to a method for obtaining the plaintext of a logged-in user's password, and more particularly to a method for obtaining the plaintext of the password of a logged-in user from the memory image file of a 64-bit Windows operating system. The method is applied in the field of computer forensics, mainly to the investigation and evidence collection of information security incidents and computer crime cases of all kinds.
Background technique
The physical memory of a computer contains information that describes the state of the system at the time of an attack, such as the currently running processes, the dynamic link libraries loaded by each process, the user name and password of the user currently logged on to the system, open files, network connections and so on. This information disappears when the computer is shut down and cannot then be preserved as evidence, so acquiring the physical memory of a computer is particularly important for computer forensics. To promote the development of physical memory analysis, DFRWS (Digital Forensic Research Workshop) proposed the "Forensics Challenge" in 2005, whose theme was physical memory analysis, and since then the analysis and acquisition of physical memory has been a research hotspot in computer forensics. However, when a user logs on to a computer system the password is held in encrypted form: memory analysis can recover the corresponding NT hash or LM hash, but obtaining the plaintext password then requires a password recovery tool such as SamInside, and the more complex the password, the longer that tool needs. With the continuous improvement of computer hardware, most computers now have 4 GB or more of memory and support 64-bit operating systems, and with the free upgrade to 64-bit Windows 10 the number of users running recent versions of Windows keeps growing, so the analysis of memory image files of 64-bit Windows operating systems is extremely urgent.
Summary of the invention
To overcome the shortcomings of the prior art described above, the present invention provides a method for obtaining the plaintext of a logged-in user's password from the memory image file of a 64-bit Windows operating system.
The method of the invention for obtaining the plaintext of a logged-in user's password from the memory image file of a 64-bit Windows operating system is characterised in that it is realised by the following steps:
a) obtaining the system version information: using the physical memory analysis method based on the KPCR structure, obtain from the current memory image file the operating system version information, including the major version number, minor version number and build number;
b) obtaining the CR3 register value of the lsass.exe process and the value of the Peb variable in its process control block;
c) dumping the executable images: obtain the list of dynamic link libraries loaded by lsass.exe and dump the in-memory images of the dynamic link libraries lsasrv.dll and tspkg.dll out of the memory image file;
d) obtaining the key material: obtain from the lsasrv.dll dump the key material, including the values of InitializationVector, hAesKey and h3DesKey;
e) obtaining the number of logon sessions and their information: obtain from lsasrv.dll the number of entries in the logon session list and the user information in the list;
f) obtaining the primary credential: obtain the primary credential of the currently logged-on user from the tspkg.dll dump;
g) obtaining the plaintext password: load the dynamic link library nCrypt.dll and, with the key material obtained in step d), decrypt the ciphertext in the primary credential obtained in step f) to obtain the plaintext of the logged-in user's password.
In the method of the invention, dumping the executable images in step c) is realised as follows:
c-1) obtaining the variable Ldr: the variable Ldr is obtained from the PEB structure of the lsass.exe process; Ldr points to the list structure of all dynamic link library structures loaded by the process;
c-2) traversing the list structure pointed to by Ldr and checking whether the name of each dynamic link library is identical to lsasrv.dll or tspkg.dll, the libraries being sought; if it is, obtain the starting virtual address and length variables of the corresponding dynamic link library and, using these two variables, dump the library's in-memory image out of the memory image file.
In the method of the invention, obtaining the number of logon sessions and their information in step e) is realised as follows: first disassemble the dynamic link library, find the function LsapCreateLsaLogonSession in it and inspect its disassembled code to obtain the values of the variables LogonSessionListCount and LogonSessionList; then take the number of entries in the logon session list from LogonSessionListCount, and the user information in the logon session list from the doubly linked list structure pointed to by LogonSessionList.
In the method of the invention, obtaining the primary credential in step f) is realised by the following steps:
f-1) locate the dynamic link library tspkg.dll in the folder X:\Windows\System32 of a computer running the same operating system version as the memory image file, where X denotes the system drive, disassemble tspkg.dll and find the function TSUnloadCredTable;
f-2) in the body of TSUnloadCredTable, find the location at which the variable TSGlobalCredTable is referenced;
f-3) take the binary data stored at that location as a signature and search for this signature in the tspkg.dll dump file;
f-4) once the signature has been found in the tspkg.dll dump, its location gives the relative offset of the variable TSGlobalCredTable in the tspkg.dll dump file; let this offset be TSGlobalTabOffset;
f-5) compute the virtual address TSGlobalTabVa of the variable TSGlobalCredTable by the following formula:
TSGlobalTabVa = tspkgVa + sizeof(ULONG) + TSGlobalTabOffset (1)
where tspkgVa is the virtual address at which the dynamic link library tspkg.dll is loaded in lsass.exe and sizeof(ULONG) is the number of bytes of the data type ULONG; then translate TSGlobalTabVa from a virtual to a physical address using lsassCR3Val to obtain the position of the variable TSGlobalCredTable in the memory image file; TSGlobalCredTable points to an RTL_AVL_TABLE structure, and lsassCR3Val is the CR3 register value of the lsass.exe process obtained in step b);
f-6) the RTL_AVL_TABLE structure is a balanced binary tree; locate the physical address of TSGlobalCredTable and start traversing the tree from the children of the root of the RTL_AVL_TABLE structure;
f-7) while traversing the RTL_AVL_TABLE tree, read the value of the variable OrderedPointer in each node; this value is the virtual address of a KIWI_TS_CREDENTIAL structure; convert it to a physical address and locate the KIWI_TS_CREDENTIAL structure at that physical address in the memory image file;
f-8) find the value of the variable LocallyUniqueIdentifier in the KIWI_TS_CREDENTIAL structure; this variable stores the user's LUID; if the LUID of the logged-in user is identical to the user LUID in the current KIWI_TS_CREDENTIAL structure, go to step f-9), otherwise return to step f-6) and continue the traversal with the left and right children;
f-9) find the variable pTsPrimary in the KIWI_TS_CREDENTIAL structure; pTsPrimary points to a KIWI_TS_PRIMARY_CREDENTIAL structure, which stores the user's primary credential; read the value of pTsPrimary, which is the virtual address of the KIWI_TS_PRIMARY_CREDENTIAL structure, convert it to a physical address and locate the structure at that physical address in the memory image file;
f-10) find the variable credentials in the KIWI_TS_PRIMARY_CREDENTIAL structure; credentials stores the current user's user name, domain name and password ciphertext; the user name, domain name and ciphertext are each stored in the physical memory image file as UNICODE strings, so, according to the definition of the UNICODE_STRING structure, obtain the current length Len of the ciphertext, its maximum length MaxLen and its virtual address in physical memory, convert the virtual address to a physical address and locate that physical address in the memory image file;
f-11) at the physical address obtained in step f-10), read Len bytes of data out of the memory image file into a buffer cryptBuffer; decrypting this ciphertext yields the plaintext of the logged-in user's password.
The beneficial effects of the invention are: (1) the method disclosed herein for obtaining the plaintext of a logged-in user's password from the memory image file of a 64-bit Windows operating system is accurate and efficient; (2) its result is not affected by the complexity of the password; (3) it is an important means of obtaining user logon information from a physical memory image file; (4) the plaintext password it obtains is one of the important pieces of evidence in computer forensics.
Detailed description of the invention
Fig. 1 is the flow chart of the method of the invention for obtaining the plaintext of a logged-in user's password from a memory image file;
Fig. 2 is the structural relationship diagram for obtaining the key contents in the invention;
Fig. 3 is the flow chart for obtaining the primary credential from tspkg.dll in the invention;
Fig. 4 is the structural relationship diagram for obtaining the primary credential from tspkg.dll in the invention;
Fig. 5 is a partial screenshot of the function LsaInitializeProtectedMemory as disassembled in the invention.
Specific embodiment
The invention is further described below with reference to the accompanying drawings and embodiments.
As shown in Fig. 1, the method of the invention for obtaining the plaintext of a logged-in user's password from the memory image file of a 64-bit Windows operating system proceeds in the order "obtain the operating system version, obtain the lsass.exe process structure, obtain the key, obtain the credential, decrypt the ciphertext". Because a process carries out its functions through the dynamic link libraries it loads, the decryption can be performed by analysing the dynamic link libraries loaded by the process that performs logon authentication. As shown in Fig. 1, the method first obtains the operating system version, because the positions at which the ciphertext and the data needed to decrypt it are stored in the associated dynamic link libraries differ between memory image files of different operating system versions, so the version must be determined first. It then dumps from the memory image file the in-memory images of the lsasrv.dll and tspkg.dll libraries loaded by the running lsass.exe process. Finally, using the information analysed from these dumps, it decrypts the ciphertext present in the primary credential by loading the dynamic link library, and so obtains the plaintext password of the logged-in user. The procedure depends on the logon session's primary credential still being cached by tspkg inside lsass.exe at the time of capture; if it is not, step f) finds no KIWI_TS_CREDENTIAL with a matching LUID and no plaintext can be recovered. Specifically, the method is realised by the following steps:
a) obtaining the system version information: using the physical memory analysis method based on the KPCR structure, obtain from the current memory image file the operating system version information, including the major version number, minor version number and build number;
b) obtaining the CR3 register value of the lsass.exe process and the value of the Peb variable in its process control block;
c) dumping the executable images: obtain the list of dynamic link libraries loaded by lsass.exe and dump the in-memory images of the dynamic link libraries lsasrv.dll and tspkg.dll out of the memory image file;
d) obtaining the key material: obtain from the lsasrv.dll dump the key material, including the values of InitializationVector, hAesKey and h3DesKey;
e) obtaining the number of logon sessions and their information: obtain from lsasrv.dll the number of entries in the logon session list and the user information in the list;
f) obtaining the primary credential: obtain the primary credential of the currently logged-on user from the tspkg.dll dump;
g) obtaining the plaintext password: load the dynamic link library nCrypt.dll and, with the key material obtained in step d), decrypt the ciphertext in the primary credential obtained in step f) to obtain the plaintext of the logged-in user's password.
The specific steps of obtaining the system version information in step a) are as follows. a-1) Scan the memory image file for the characteristic features of the operating system's KPCR structure and find the position of the KPCR structure in the memory image file. a-2) Obtain the CR3 register value of the system process. The content of the CR3 register is the basis of address translation in system space; for a 64-bit operating system, the 8 bytes read at offset 0x1D0 of the KPCR structure are the content of the CR3 register. a-3) Obtain the virtual address of the current thread. The offset within the KPCR structure at which the virtual address of the current thread is stored differs between operating system versions; for 64-bit Windows 8 and later, the offset is 0x188, and the 8 bytes read there are the virtual address of the current thread. a-4) Obtain the virtual and physical addresses of the current process structure from the current thread structure. Taking 64-bit Windows 8.1 as an example, the value at offset 0xb8 of the current thread structure is the virtual address of the current process. Translate this virtual address to a physical address using the system process CR3 value obtained in step a-2); the physical address is the start of the EPROCESS structure of the current process. a-5) The EPROCESS structure contains a variable named Peb, which points to a structure holding the operating system major version number, minor version number and build number. Taking 64-bit Windows 8.1 as an example, the value at offset 0x3e8 from the start of the current process's EPROCESS structure is the variable Peb, that is, the virtual address of the _PEB structure; translate it to a physical address to obtain the start of the _PEB structure and go to that position: the operating system major version number is stored at offset 0x118, the minor version number at 0x11c and the build number at 0x120.
The specific steps of obtaining the CR3 register value of the lsass.exe process and the Peb variable of its process control block in step b) are: b-1) traverse the process list starting from the EPROCESS structure of the current process. Step a-4) obtained the start of the current process's EPROCESS structure, and the EPROCESS structure contains a pointer to the EPROCESS structure of the next process. b-2) Traverse the process list along that pointer; when the process name is lsass.exe, obtain the Peb variable value of that process and its CR3 register value (defined as lsassCR3Val). Taking 64-bit Windows 8.1 as an example, the 8 bytes read at offset 0x28 of the EPROCESS structure are the value of lsassCR3Val.
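Steps a-4), a-5) and b) each depend on translating a virtual address through a process's CR3 value, and every later step that reads lsass.exe memory does the same. The following Python is an added example of that translation and is not code from the patent: a four-level x64 page-table walk over a physical memory image, handling 2 MiB and 1 GiB large pages, and a reader that splits a request across page boundaries. The image, the CR3 value and the virtual addresses are constructed inline for illustration; the PEB offsets 0x118/0x11c/0x120 are those the description gives for 64-bit Windows 8.1, and the function names are the example's own.

```python
import struct

PAGE = 0x1000
PRESENT = 1 << 0
LARGE = 1 << 7                          # PS bit of a PDPTE (1 GiB) or PDE (2 MiB)
ADDR_MASK = 0x000F_FFFF_FFFF_F000       # bits 12..51: physical frame of the next level


def read_u64(image, phys):
    return struct.unpack_from("<Q", image, phys)[0]


def virt_to_phys(image, cr3, va):
    """Four-level x64 page walk of va starting at the PML4 named by CR3.
    Returns the physical address, or None when some level is not present
    or lies outside the captured image."""
    table = cr3 & ADDR_MASK
    for level, shift in enumerate((39, 30, 21, 12)):   # PML4, PDPT, PD, PT
        entry_off = table + ((va >> shift) & 0x1FF) * 8
        if entry_off + 8 > len(image):
            return None
        entry = read_u64(image, entry_off)
        if not entry & PRESENT:
            return None
        if level in (1, 2) and entry & LARGE:
            page_size = 1 << shift                      # 1 GiB or 2 MiB page
            return (entry & ADDR_MASK & ~(page_size - 1)) + (va & (page_size - 1))
        table = entry & ADDR_MASK
    return table + (va & (PAGE - 1))                    # 4 KiB page


def read_virtual(image, cr3, va, size):
    """Read size bytes at va, translating each page separately so that a
    structure straddling two pages is still read correctly."""
    out = bytearray()
    while size > 0:
        phys = virt_to_phys(image, cr3, va)
        if phys is None:
            raise ValueError("unmapped virtual address 0x%x" % va)
        chunk = min(size, PAGE - (va & (PAGE - 1)))
        out += image[phys:phys + chunk]
        va, size = va + chunk, size - chunk
    return bytes(out)


def read_os_version(image, cr3, peb_va):
    """Step a-5): major, minor and build number at _PEB offsets 0x118, 0x11c
    and 0x120 (the 64-bit Windows 8.1 layout given in the description)."""
    return struct.unpack("<III", read_virtual(image, cr3, peb_va + 0x118, 12))


def build_sample_image():
    """Constructed 4 MiB physical image (not a real capture): PML4 at 0x1000,
    PDPT at 0x2000, PD at 0x3000, PT at 0x4000; a 4 KiB page at 0x5000 mapped
    at va_small and a 2 MiB large page at 0x200000 mapped at va_large."""
    image = bytearray(0x400000)
    cr3 = 0x1000
    va_small, va_large = 0x7FF6_0000_0000, 0x7FF6_0020_0000

    def entry(table, va, shift, value):
        struct.pack_into("<Q", image, table + ((va >> shift) & 0x1FF) * 8, value)

    entry(cr3, va_small, 39, 0x2000 | PRESENT)                     # PML4E -> PDPT
    entry(0x2000, va_small, 30, 0x3000 | PRESENT)                  # PDPTE -> PD
    entry(0x3000, va_small, 21, 0x4000 | PRESENT)                  # PDE   -> PT
    entry(0x3000, va_large, 21, 0x200000 | PRESENT | LARGE)        # PDE   -> 2 MiB page
    entry(0x4000, va_small, 12, 0x5000 | PRESENT)                  # PTE   -> data page
    # Pretend the data page is a _PEB of 64-bit Windows 8.1 (version 6.3, build 9600).
    struct.pack_into("<III", image, 0x5000 + 0x118, 6, 3, 9600)
    image[0x200000 + 0x1234:0x200000 + 0x1238] = b"KIWI"
    return bytes(image), cr3, va_small, va_large
```

An address whose translation returns None is simply absent from the capture (paged out or never mapped); a forensic reader should report that rather than silently reading zeros, which is why read_virtual raises.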
The specific steps of obtaining the list of dynamic link libraries loaded by lsass.exe and dumping the in-memory images of lsasrv.dll and tspkg.dll in step c) are: c-1) the _PEB structure of the lsass.exe process contains the variable Ldr, which points to the list structure of all dynamic link library structures loaded by the process. c-2) Each dynamic link library structure holds a pointer to the next dynamic link library structure, the library name, the starting address (a virtual address), the length and other variables. Traverse the list and check whether the name of each dynamic link library is identical to lsasrv.dll or tspkg.dll, the libraries being sought; when it is, obtain the starting address (virtual address) and length of the corresponding library and, using these two variables, dump the library's in-memory image out of the memory image file.
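As an added example of steps c-1) and c-2), and not the patent's own code, the Python below walks _PEB.Ldr and the InLoadOrderModuleList to find lsasrv.dll and tspkg.dll and copies each image out page by page. The field offsets are the public 64-bit _PEB, _PEB_LDR_DATA and _LDR_DATA_TABLE_ENTRY layouts; the process memory is a constructed, identity-mapped buffer so the example runs offline, and in a real analysis the read callback is the CR3 page walk over the memory image file.

```python
import struct

# 64-bit field offsets from the public _PEB / _PEB_LDR_DATA / _LDR_DATA_TABLE_ENTRY layouts
PEB_LDR = 0x18                  # _PEB.Ldr
LDR_INLOADORDER_LIST = 0x10     # _PEB_LDR_DATA.InLoadOrderModuleList (LIST_ENTRY: Flink, Blink)
ENTRY_DLLBASE = 0x30            # _LDR_DATA_TABLE_ENTRY.DllBase
ENTRY_SIZEOFIMAGE = 0x40        # _LDR_DATA_TABLE_ENTRY.SizeOfImage (ULONG)
ENTRY_BASEDLLNAME = 0x58        # _LDR_DATA_TABLE_ENTRY.BaseDllName (UNICODE_STRING)
PAGE = 0x1000


def identity_reader(mem):
    """read(va, size) over a flat constructed buffer. In a real analysis this
    callback is the CR3 page walk over the physical memory image."""
    def read(va, size):
        if va < 0 or va + size > len(mem):
            raise ValueError("unmapped 0x%x" % va)
        return mem[va:va + size]
    return read


def read_u64(read, va):
    return struct.unpack("<Q", read(va, 8))[0]


def read_unicode_string(read, va):
    """UNICODE_STRING: USHORT Length, USHORT MaximumLength, padding, PWSTR Buffer at +8."""
    length, _maxlen, buf = struct.unpack("<HH4xQ", read(va, 16))
    return read(buf, length).decode("utf-16-le") if length else ""


def enumerate_modules(read, peb_va, max_entries=1024):
    """Steps c-1)/c-2): follow _PEB.Ldr and walk InLoadOrderModuleList, yielding
    (name, base, size). The list is circular, so stop when Flink returns to the
    list head; max_entries guards against a corrupted list in the capture."""
    ldr = read_u64(read, peb_va + PEB_LDR)
    head = ldr + LDR_INLOADORDER_LIST
    link = read_u64(read, head)                     # head.Flink
    count = 0
    while link != head and count < max_entries:
        name = read_unicode_string(read, link + ENTRY_BASEDLLNAME)
        base = read_u64(read, link + ENTRY_DLLBASE)
        size = struct.unpack("<I", read(link + ENTRY_SIZEOFIMAGE, 4))[0]
        yield name, base, size
        link = read_u64(read, link)                 # InLoadOrderLinks.Flink is the first field
        count += 1


def dump_image(read, base, size):
    """Copy the in-memory image page by page; a page absent from the capture
    is zero-filled so that later offsets (signature positions) stay correct."""
    out = bytearray()
    for off in range(0, size, PAGE):
        chunk = min(PAGE, size - off)
        try:
            out += read(base + off, chunk)
        except ValueError:
            out += bytes(chunk)
    return bytes(out)


def dump_modules(read, peb_va, wanted=("lsasrv.dll", "tspkg.dll")):
    """Return {name: (base, image_bytes)} for the wanted modules; the loader
    compares names case-insensitively, so do the same."""
    wanted = {w.lower() for w in wanted}
    found = {}
    for name, base, size in enumerate_modules(read, peb_va):
        if name.lower() in wanted:
            found[name.lower()] = (base, dump_image(read, base, size))
    return found


def build_sample_memory():
    """Constructed identity-mapped lsass.exe address space (not a real dump):
    _PEB at 0x1000, _PEB_LDR_DATA at 0x2000, three module entries and fake
    module images that begin with 'MZ'."""
    mem = bytearray(0x40000)
    peb, ldr = 0x1000, 0x2000
    head = ldr + LDR_INLOADORDER_LIST
    entries = [(0x3000, "lsass.exe", 0x10000, 0x1000),
               (0x3100, "LSASRV.dll", 0x20000, 0x2000),
               (0x3200, "tspkg.dll", 0x30000, 0x1000)]
    struct.pack_into("<Q", mem, peb + PEB_LDR, ldr)
    order = [head] + [e[0] for e in entries] + [head]      # circular list
    for cur, nxt in zip(order, order[1:]):
        struct.pack_into("<Q", mem, cur, nxt)                # Flink
    name_buf = 0x4000
    for va, name, base, size in entries:
        raw = name.encode("utf-16-le")
        mem[name_buf:name_buf + len(raw)] = raw
        struct.pack_into("<Q", mem, va + ENTRY_DLLBASE, base)
        struct.pack_into("<I", mem, va + ENTRY_SIZEOFIMAGE, size)
        struct.pack_into("<HH4xQ", mem, va + ENTRY_BASEDLLNAME, len(raw), len(raw) + 2, name_buf)
        mem[base:base + 2] = b"MZ"
        name_buf += 0x100
    return bytes(mem), peb
```

The dump covers DllBase to DllBase + SizeOfImage exactly, so an offset into the dump equals the RVA inside the loaded module; the signature searches of steps d) and f) rely on that.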
The specific steps of obtaining the key material from the lsasrv.dll dump in step d) are: d-1) copy the dynamic link library lsasrv.dll from the folder C:\Windows\System32 of a computer running the same operating system version as the memory image file, disassemble it with IDA, find the function LsaInitializeProtectedMemory in it and inspect the disassembled code of that function. d-2) In the disassembled code of the function, find the position at which the variable InitializationVector is referenced; Fig. 5 gives a partial screenshot of the function LsaInitializeProtectedMemory as disassembled in the invention. d-3) Inspect the binary data at that position, take it as a signature and search for this signature in the lsasrv.dll dump file to find the relative offset of the variable InitializationVector in the lsasrv.dll dump, denoted InitVecOffset; the virtual address InitVecVa of InitializationVector is then obtained by the following formula:
InitVecVa = lsasrvVa + sizeof(ULONG) + InitVecOffset (2)
where lsasrvVa is the virtual address at which lsasrv.dll is loaded in lsass.exe and sizeof(ULONG) is the number of bytes of the data type ULONG. Since this variable lies in the address space of lsass.exe, translate InitVecVa from a virtual to a physical address using lsassCR3Val to obtain the position of InitializationVector in the memory image file, and so obtain the content of InitializationVector. d-4) Obtain the value of the variable hAesKey and then create the AES key contents. d-5) Obtain the value of the variable h3DesKey and then create the 3DES key contents.
The specific steps of creating the AES key contents in step d-4) are as follows. d-4-1) Obtain the value of the variable hAesKey; the method is the same as that for obtaining the content of InitializationVector in steps d-1) to d-3), as shown in Fig. 5. d-4-2) The value of hAesKey points to a KIWI_BCRYPT_HANDLE_KEY structure.
Fig. 2 gives the structural relationship diagram for obtaining the key contents in the method of the invention for obtaining the plaintext of a logged-in user's password from a 64-bit Windows memory image file. Taking 64-bit Windows 8.1 as an example, locate the physical address pointed to by hAesKey and obtain the contents of the _KIWI_BCRYPT_HANDLE_KEY structure. Find the variable key in it; key is a pointer to a KIWI_BCRYPT_KEY81 structure. Read the 8 bytes at offset 0x10 of the KIWI_BCRYPT_HANDLE_KEY structure; that value is the virtual address held in key. Translate it to a physical address and locate that address in the physical memory image file to find the contents of the KIWI_BCRYPT_KEY81 structure. The value stored in the HardKey variable of the KIWI_BCRYPT_KEY81 structure is exactly the value needed to generate the AES key: use LoadLibrary to load bcrypt.dll from a system with the same operating system version as the memory image file and call its function BCryptGenerateSymmetricKey with HardKey as the parameter to create the AES key.
The specific steps of creating the 3DES key contents in step d-5) are the same as those of step d-4), applied to h3DesKey.
The method of obtaining the number of entries in the logon session list and the user information in the list from lsasrv.dll in step e) is as follows: disassemble lsasrv.dll, taken from the folder X:\Windows\System32 (where X is the system drive) of a computer with the same operating system version as the memory image file. Find the function LsapCreateLsaLogonSession, inspect its disassembled code and obtain the positions of the variables LogonSessionListCount and LogonSessionList together with the signature bytes near them; search the dump of lsasrv.dll from the memory image file for that signature to obtain the values of LogonSessionListCount and LogonSessionList in the memory image file. The variable LogonSessionListCount stores the number of entries in the logon session list, and the variable LogonSessionList points to a doubly linked list structure holding the user information in the logon session list.
Fig. 3 gives the flow of obtaining the primary credential of the current user from the tspkg.dll dump in step f) of the method of the invention for obtaining the plaintext of a logged-in user's password from the memory image file of a 64-bit Windows operating system; the specific steps are:
f-1) locate the dynamic link library tspkg.dll in the folder X:\Windows\System32 of a computer running the same operating system version as the memory image file, where X denotes the system drive, disassemble tspkg.dll and find the function TSUnloadCredTable;
f-2) in the body of TSUnloadCredTable, find the location at which the variable TSGlobalCredTable is referenced;
f-3) take the binary data stored at that location as a signature and search for this signature in the tspkg.dll dump file;
f-4) once the signature has been found in the tspkg.dll dump, its location gives the relative offset of the variable TSGlobalCredTable in the tspkg.dll dump file; let this offset be TSGlobalTabOffset;
f-5) compute the virtual address TSGlobalTabVa of the variable TSGlobalCredTable by the following formula:
TSGlobalTabVa = tspkgVa + sizeof(ULONG) + TSGlobalTabOffset (1)
where tspkgVa is the virtual address at which the dynamic link library tspkg.dll is loaded in lsass.exe and sizeof(ULONG) is the number of bytes of the data type ULONG;
then translate TSGlobalTabVa from a virtual to a physical address using lsassCR3Val to obtain the position of the variable TSGlobalCredTable in the memory image file; TSGlobalCredTable points to an RTL_AVL_TABLE structure, and lsassCR3Val is the CR3 register value of the lsass.exe process obtained in step b);
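Steps d-3) and f-3) to f-5) both locate a global variable by matching, in the dump, a signature taken from the disassembled DLL and then applying formula (2) or (1). The Python below is an added example, not the patent's code, of what that computation is in x64 code: the global is referenced rip-relatively, so its address is the load address plus the offset of the byte after the 4-byte displacement plus the signed displacement. Read that way, the formula's offset is the position of the displacement field plus the displacement value and sizeof(ULONG) is the width of that field; that reading of the formula is this example's interpretation. The dump, its load address and the signature bytes are constructed, and the check that a signature matches only once is the example's own.

```python
import struct


def resolve_rip_relative(image, dll_va, sig_off, disp_off, trailing=0):
    """image: dumped module (offset 0 == DllBase); dll_va: its load address
    (lsasrvVa / tspkgVa); sig_off: where the signature matched; disp_off: offset
    of the rel32 field within the signature; trailing: bytes that follow the
    displacement in the same instruction (0 for lea/mov reg,[rip+disp32]).
    x64 resolves rip-relative operands against the address of the next
    instruction, i.e. the end of the displacement field plus any trailing bytes."""
    disp = struct.unpack_from("<i", image, sig_off + disp_off)[0]
    next_insn = sig_off + disp_off + 4 + trailing
    return dll_va + next_insn + disp


def locate_global(image, dll_va, signature, disp_off, trailing=0):
    """Signature search in the dump, as in steps d-3) and f-3)/f-4). A match
    that is not unique is refused: a short pattern that also matches elsewhere
    would silently resolve the wrong variable."""
    off = image.find(signature)
    if off < 0:
        return None
    if image.find(signature, off + 1) >= 0:
        raise ValueError("signature is not unique in the dump; lengthen it")
    return resolve_rip_relative(image, dll_va, off, disp_off, trailing)


def read_global(image, dll_va, va, size):
    """The variable's bytes sit at (va - dll_va) in the dump because the dump
    starts at DllBase. The patent instead translates va through lsassCR3Val and
    reads the memory image file; both reach the same page when it was captured."""
    off = va - dll_va
    if off < 0 or off + size > len(image):
        raise ValueError("address 0x%x is outside the module image" % va)
    return image[off:off + size]


def build_sample_dump():
    """Constructed dump (not a real lsasrv.dll): at offset 0x1100 the bytes
    'and dword ptr [rsp+30h],0 ; lea rcx,[rip+disp32]' reference a 16-byte
    variable at offset 0x2400 standing in for InitializationVector."""
    dll_va = 0x7FF8_1234_0000
    image = bytearray(0x3000)
    insn_off, var_off = 0x1100, 0x2400
    signature = b"\x83\x64\x24\x30\x00" + b"\x48\x8d\x0d"     # context bytes + lea rcx,[rip+...]
    disp = var_off - (insn_off + len(signature) + 4)         # relative to the next instruction
    image[insn_off:insn_off + len(signature) + 4] = signature + struct.pack("<i", disp)
    image[var_off:var_off + 16] = bytes(range(0xA0, 0xB0))   # constructed IV bytes
    return bytes(image), dll_va, signature
```

The displacement is signed, so a global placed below the referencing code resolves correctly too; and because the dump is the relocated in-memory image, the signature bytes are searched in it rather than in the on-disk file, whose relocations have not been applied.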
f-6) the RTL_AVL_TABLE structure is a balanced binary tree; locate the physical address of TSGlobalCredTable and start traversing the tree from the children of the root of the RTL_AVL_TABLE structure;
f-7) while traversing the RTL_AVL_TABLE tree, read the value of the variable OrderedPointer in each node; this value is the virtual address of a KIWI_TS_CREDENTIAL structure; convert it to a physical address and locate the KIWI_TS_CREDENTIAL structure at that physical address in the memory image file;
f-8) find the value of the variable LocallyUniqueIdentifier in the KIWI_TS_CREDENTIAL structure; this variable stores the user's LUID; if the LUID of the logged-in user is identical to the user LUID in the current KIWI_TS_CREDENTIAL structure, go to step f-9), otherwise return to step f-6) and continue the traversal with the left and right children;
f-9) find the variable pTsPrimary in the KIWI_TS_CREDENTIAL structure; the structure pointed to by pTsPrimary stores the user's primary credential, and pTsPrimary points to a KIWI_TS_PRIMARY_CREDENTIAL structure; read the value of pTsPrimary, which is the virtual address of the KIWI_TS_PRIMARY_CREDENTIAL structure, convert it to a physical address and locate the structure at that physical address in the memory image file;
f-10) find the variable credentials in the KIWI_TS_PRIMARY_CREDENTIAL structure; credentials stores the current user's user name, domain name and password ciphertext; the user name, domain name and ciphertext are each stored in the physical memory image file as UNICODE strings, so, according to the definition of the UNICODE_STRING structure, obtain the current length Len of the ciphertext, its maximum length MaxLen and its virtual address in physical memory, convert the virtual address to a physical address and locate that physical address in the memory image file;
f-11) at the physical address obtained in step f-10), read Len bytes of data out of the memory image file into a buffer cryptBuffer; decrypting this ciphertext yields the plaintext of the logged-in user's password.
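As an added example of steps f-6) to f-11), and not the patent's code, the Python below traverses the RTL_AVL_TABLE pointed to by TSGlobalCredTable, matches the LUID, follows pTsPrimary and reads the user name, domain name and the Len bytes of ciphertext from the UNICODE_STRINGs. The RTL_BALANCED_LINKS layout is the public one; the KIWI_TS_CREDENTIAL and KIWI_TS_PRIMARY_CREDENTIAL offsets are assumed from mimikatz's published 64-bit definitions and must be checked against the build under analysis. Memory is a constructed identity-mapped buffer; in a real image each pointer is translated through lsassCR3Val before it is dereferenced.

```python
import struct

# RTL_BALANCED_LINKS (x64): Parent +0, LeftChild +8, RightChild +0x10, Balance +0x18; 0x20 bytes
LINKS_LEFT, LINKS_RIGHT, LINKS_SIZE = 0x08, 0x10, 0x20
# KIWI_TS_CREDENTIAL / KIWI_TS_PRIMARY_CREDENTIAL 64-bit offsets: assumed from the
# published mimikatz definitions, not from the patent; verify per Windows build.
TSCRED_LUID, TSCRED_PTSPRIMARY = 0x6C, 0x88
PRIMARY_USERNAME, PRIMARY_DOMAIN, PRIMARY_PASSWORD = 0x08, 0x18, 0x28


def identity_reader(mem):
    """read(va, size) over a flat constructed buffer; in a real analysis this is
    the lsassCR3Val page walk over the memory image file."""
    def read(va, size):
        if va < 0 or va + size > len(mem):
            raise ValueError("unmapped 0x%x" % va)
        return mem[va:va + size]
    return read


def read_u64(read, va):
    return struct.unpack("<Q", read(va, 8))[0]


def read_unicode_string(read, va):
    """Returns (Length, MaximumLength, Buffer) of a UNICODE_STRING: Len, MaxLen and VA."""
    return struct.unpack("<HH4xQ", read(va, 16))


def read_unicode_text(read, va):
    length, _maxlen, buf = read_unicode_string(read, va)
    return read(buf, length).decode("utf-16-le") if length else ""


def walk_avl(read, table_va, max_nodes=4096):
    """Steps f-6)/f-7): RTL_AVL_TABLE.BalancedRoot is a sentinel whose RightChild is
    the real root. Visit every node and yield the element pointer that follows its
    RTL_BALANCED_LINKS (the OrderedPointer of the description)."""
    stack = [read_u64(read, table_va + LINKS_RIGHT)]
    seen = set()
    while stack:
        node = stack.pop()
        if not node or node in seen or len(seen) >= max_nodes:   # null, cycle or damage guard
            continue
        seen.add(node)
        yield read_u64(read, node + LINKS_SIZE)
        stack.append(read_u64(read, node + LINKS_LEFT))
        stack.append(read_u64(read, node + LINKS_RIGHT))


def find_primary_credential(read, table_va, luid):
    """Steps f-8) to f-11): match LocallyUniqueIdentifier, follow pTsPrimary and
    return (user, domain, cryptBuffer), cryptBuffer holding the Len ciphertext bytes.
    None means no matching session or a session without a cached primary credential."""
    for cred in walk_avl(read, table_va):
        if read_u64(read, cred + TSCRED_LUID) != luid:
            continue
        primary = read_u64(read, cred + TSCRED_PTSPRIMARY)
        if not primary:
            return None
        user = read_unicode_text(read, primary + PRIMARY_USERNAME)
        domain = read_unicode_text(read, primary + PRIMARY_DOMAIN)
        length, _maxlen, buf = read_unicode_string(read, primary + PRIMARY_PASSWORD)
        crypt_buffer = read(buf, length) if length else b""
        return user, domain, crypt_buffer
    return None


def build_sample_memory():
    """Constructed identity-mapped buffer (not a real dump): table sentinel at 0x1000;
    nodes 0x2000 (root), 0x2100 (left) and 0x2200 (right) carry three KIWI_TS_CREDENTIAL
    pointers; only the one with LUID 0x12345 has a pTsPrimary, with user 'alice',
    domain 'CORP' and 24 bytes of ciphertext."""
    mem = bytearray(0x6000)

    def put(off, value):
        struct.pack_into("<Q", mem, off, value)

    put(0x1000 + LINKS_RIGHT, 0x2000)
    put(0x2000 + LINKS_LEFT, 0x2100)
    put(0x2000 + LINKS_RIGHT, 0x2200)
    for node, cred, luid in ((0x2000, 0x3000, 0x3E7), (0x2100, 0x3200, 0x3E4), (0x2200, 0x3400, 0x12345)):
        put(node + LINKS_SIZE, cred)
        put(cred + TSCRED_LUID, luid)
    put(0x3400 + TSCRED_PTSPRIMARY, 0x4000)
    for field, text, buf in ((PRIMARY_USERNAME, "alice", 0x5000), (PRIMARY_DOMAIN, "CORP", 0x5100)):
        raw = text.encode("utf-16-le")
        mem[buf:buf + len(raw)] = raw
        struct.pack_into("<HH4xQ", mem, 0x4000 + field, len(raw), len(raw) + 2, buf)
    mem[0x5200:0x5200 + 24] = bytes(range(24))               # constructed ciphertext bytes
    struct.pack_into("<HH4xQ", mem, 0x4000 + PRIMARY_PASSWORD, 24, 24, 0x5200)
    return bytes(mem)
```

cryptBuffer is what step g) decrypts with the key material of step d). In the LSA protected-memory scheme that mimikatz implements, the ciphertext length selects the key: a length that is a multiple of 8 bytes is 3DES in CBC mode with the first 8 bytes of InitializationVector, otherwise AES in CFB mode with the full 16-byte vector; the example's 24-byte buffer would therefore go to the 3DES key.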
Claims (4)
1. A method of obtaining the plaintext of a logged-in user's password from the memory image file of a 64-bit Windows operating system, characterised in that it is realised by the following steps:
a) obtaining the system version information: using the physical memory analysis method based on the KPCR structure, obtain from the current memory image file the operating system version information, including the major version number, minor version number and build number;
b) obtaining the CR3 register value of the lsass.exe process and the value of the Peb variable in its process control block;
c) dumping the executable images: obtain the list of dynamic link libraries loaded by lsass.exe and dump the in-memory images of the dynamic link libraries lsasrv.dll and tspkg.dll out of the memory image file;
d) obtaining the key material: obtain from the lsasrv.dll dump the key material, including the values of InitializationVector, hAesKey and h3DesKey;
e) obtaining the number of logon sessions and their information: obtain from lsasrv.dll the number of entries in the logon session list and the user information in the list;
f) obtaining the primary credential: obtain the primary credential of the currently logged-on user from the tspkg.dll dump;
g) obtaining the plaintext password: load the dynamic link library nCrypt.dll and, with the key material obtained in step d), decrypt the ciphertext in the primary credential obtained in step f) to obtain the plaintext of the logged-in user's password.
2. The method of obtaining a logged-in user's password plaintext from the memory image file of a 64-bit Windows operating system according to claim 1, characterized in that dumping the executable samples described in step c) is realized by the following method:
c-1) obtain the variable Ldr: the variable Ldr is obtained from the PEB structure of the lsass.exe process, and Ldr points to the list structure of all dynamic link library structures loaded by the process;
c-2) traverse the list structure pointed to by the variable Ldr and compare the name of each dynamic link library with the lsasrv.dll or tspkg.dll being sought; if they are identical, obtain the starting virtual address and length variables of the corresponding dynamic link library and, using these two variables, dump the executable sample of that dynamic link library from the memory image file.
3. The method of obtaining a logged-in user's password plaintext from the memory image file of a 64-bit Windows operating system according to claim 1 or 2, characterized in that obtaining the number of logon sessions and their information described in step e) is realized by the following method:
first disassemble the dynamic link library lsasrv.dll and find the function LsapCreateLsaLogonSession in it; examine the disassembled code of that function to obtain the values of the variables LogonSessionListCount and LogonSessionList; then obtain the number of entries in the logon session list through the variable LogonSessionListCount, and obtain the user information in the logon session list from the doubly linked list structure pointed to by the variable LogonSessionList.
4. The method of obtaining a logged-in user's password plaintext from the memory image file of a 64-bit Windows operating system according to claim 1 or 2, characterized in that obtaining the primary credential described in step f) is realized by the following steps:
f-1) from the folder X:\Windows\System of a computer with the same operating system version as the memory image file, where X denotes the system disk, find the dynamic link library tspkg.dll, and disassemble tspkg.dll to find the function TSUnloadCredTable;
f-2) find the storage location of the variable TSGlobalCredTable in the body of the function TSUnloadCredTable;
f-3) examine the binary data stored at the storage location of the variable TSGlobalCredTable, take this binary data as a signature, and search for this signature in the lsasrv.dll dump file;
f-4) after the signature has been found in the lsasrv.dll file, its storage location is the relative offset of the variable TSGlobalCredTable in the tspkg.dll dump file; let this offset be TSGlobalTabOffset;
f-5) compute the virtual address TSGlobalTabVa of the variable TSGlobalCredTable by the following formula:
TSGlobalTabVa = tspkgVa + sizeof(ULONG) + TSGlobalTabOffset (1)
where tspkgVa is the virtual address at which the dynamic link library tspkg.dll is loaded in lsass.exe, and sizeof(ULONG) is the number of bytes of the data type ULONG;
then translate the virtual address TSGlobalTabVa to a physical address using lsassCR3Val, obtaining the position of the variable TSGlobalCredTable in the memory image file; TSGlobalCredTable points to an RTL_AVL_TABLE structure, and lsassCR3Val is the content of the CR3 register of the lsass.exe process obtained in step b);
f-6) the RTL_AVL_TABLE structure is a balanced binary tree; locate the physical address of TSGlobalCredTable and begin traversing the tree from the child of the root of the RTL_AVL_TABLE structure tree;
f-7) while traversing the RTL_AVL_TABLE structure tree, read the value of the variable OrderedPointer in the tree; this value is the virtual address of a KIWI_TS_CREDENTIAL structure; convert it to a physical address and locate that physical address in the memory image file to find the KIWI_TS_CREDENTIAL structure;
f-8) find the value of the variable LocallyUniqueIdentifier in the KIWI_TS_CREDENTIAL structure, which stores the user's LUID; if the LUID of the logged-in user is the same as the user LUID in the current KIWI_TS_CREDENTIAL structure, perform step f-9), otherwise return to step f-6) and continue traversing the left and right children of the binary tree;
f-9) find the variable pTsPrimary in the KIWI_TS_CREDENTIAL structure; pTsPrimary points to a KIWI_TS_PRIMARY_CREDENTIAL structure, which stores the user's primary credential; read the value of pTsPrimary, which is the virtual address of the KIWI_TS_PRIMARY_CREDENTIAL structure, convert that virtual address to a physical address, and locate the physical address in the memory image file to find this structure;
f-10) find the variable credentials in the KIWI_TS_PRIMARY_CREDENTIAL structure, which stores the user name, domain name and ciphertext of the current user; the user name, domain name and ciphertext are stored in the physical memory image file as UNICODE strings, so, from the definition of the UNICODE string structure, obtain the current length Len of the ciphertext, its maximum length MaxLen and its virtual address in physical memory, convert the virtual address to a physical address, and locate that physical address in the memory image file;
f-11) according to the physical address obtained in step f-10), read data of length Len from the memory image file into the memory space cryptBuffer, and decrypt the ciphertext to obtain the plaintext of the logged-in user's password.
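Steps f-5) and f-10) both depend on one memory-forensics primitive that the claims take for granted: walking the image's x64 page tables with a process's CR3 value to turn a virtual address into an offset in the image, and then reading a UNICODE_STRING whose buffer may straddle pages that are not adjacent in the image, or may not be resident at all. The following Python block is an added example for this page, not code from the patent: it implements the four-level 64-bit paging walk (1 GiB and 2 MiB large pages included) and a UNICODE_STRING reader over a constructed eight-page image, with a constructed CR3 value, constructed virtual addresses and a constructed sample string, and it reports a not-present entry instead of reading unrelated bytes. An analyst validating an acquired image would run exactly these checks before trusting any structure found in it.

```python
"""x64 virtual-to-physical translation and UNICODE_STRING reading over a raw
physical memory image (the operations behind steps f-5) and f-10)).
Added example for this page, not code from the patent; the image, CR3 value,
virtual addresses and string content below are all constructed."""
import struct

PAGE = 0x1000
PTE_PRESENT = 1 << 0
PTE_LARGE = 1 << 7                   # PS bit: 1 GiB page at PDPT level, 2 MiB at PD level
ADDR_MASK = 0x000F_FFFF_FFFF_F000    # bits 12..51 of an entry hold the next frame


class NotMapped(Exception):
    """A level of the walk is not present: the page is paged out or unmapped."""


def _entry(image, table_pa, index):
    if table_pa + index * 8 + 8 > len(image):
        raise NotMapped(f"page table at {table_pa:#x} lies outside the image")
    return struct.unpack_from("<Q", image, table_pa + index * 8)[0]


def virt_to_phys(image, cr3, va):
    """Four-level walk (PML4 -> PDPT -> PD -> PT) for a 48-bit virtual address.
    Large pages are resolved at the level where the PS bit is set."""
    pml4e = _entry(image, cr3 & ADDR_MASK, (va >> 39) & 0x1FF)
    if not pml4e & PTE_PRESENT:
        raise NotMapped("PML4E not present")
    pdpte = _entry(image, pml4e & ADDR_MASK, (va >> 30) & 0x1FF)
    if not pdpte & PTE_PRESENT:
        raise NotMapped("PDPTE not present")
    if pdpte & PTE_LARGE:                                   # 1 GiB page
        return (pdpte & 0x000F_FFFF_C000_0000) | (va & 0x3FFF_FFFF)
    pde = _entry(image, pdpte & ADDR_MASK, (va >> 21) & 0x1FF)
    if not pde & PTE_PRESENT:
        raise NotMapped("PDE not present")
    if pde & PTE_LARGE:                                     # 2 MiB page
        return (pde & 0x000F_FFFF_FFE0_0000) | (va & 0x1F_FFFF)
    pte = _entry(image, pde & ADDR_MASK, (va >> 12) & 0x1FF)
    if not pte & PTE_PRESENT:
        raise NotMapped("PTE not present")
    return (pte & ADDR_MASK) | (va & 0xFFF)


def read_virt(image, cr3, va, size):
    """Read `size` bytes at a virtual address one page at a time: a buffer that
    is contiguous in virtual memory need not be contiguous in the image."""
    out = bytearray()
    while size:
        pa = virt_to_phys(image, cr3, va)
        chunk = min(size, PAGE - (pa & 0xFFF))
        if pa + chunk > len(image):
            raise NotMapped(f"physical address {pa:#x} outside the image")
        out += image[pa:pa + chunk]
        va, size = va + chunk, size - chunk
    return bytes(out)


def read_unicode_string(image, cr3, va):
    """Parse UNICODE_STRING {USHORT Length; USHORT MaximumLength; PWSTR Buffer}
    (16 bytes on x64 because of alignment padding before the pointer) and
    return (Length, MaximumLength, Buffer, text). Only Length bytes are
    content; MaximumLength is the allocation size."""
    length, max_len, buf_va = struct.unpack("<HH4xQ", read_virt(image, cr3, va, 16))
    if length > max_len or length % 2:
        raise ValueError("inconsistent UNICODE_STRING header")
    return length, max_len, buf_va, read_virt(image, cr3, buf_va, length).decode("utf-16-le")


def build_sample_image():
    """Constructed eight-page image: PML4 @0x0000, PDPT @0x1000, PD @0x2000,
    PT @0x3000 and data frames 4..7. Three consecutive virtual pages map to
    frames 4, 7 and 5 so that the string buffer straddles non-adjacent frames;
    the fourth virtual page is deliberately left not present."""
    img = bytearray(8 * PAGE)
    cr3, base = 0x0000, 0x7FF0_0001_0000            # constructed values

    def entry(pa):
        return pa | PTE_PRESENT | (1 << 1)           # present + writable

    struct.pack_into("<Q", img, 0x0000 + ((base >> 39) & 0x1FF) * 8, entry(0x1000))
    struct.pack_into("<Q", img, 0x1000 + ((base >> 30) & 0x1FF) * 8, entry(0x2000))
    struct.pack_into("<Q", img, 0x2000 + ((base >> 21) & 0x1FF) * 8, entry(0x3000))
    struct.pack_into("<QQQ", img, 0x3000 + ((base >> 12) & 0x1FF) * 8,
                     entry(0x4000), entry(0x7000), entry(0x5000))
    text = "DOMAIN\\analyst".encode("utf-16-le")     # constructed sample content
    buf_va = base + 0x2000 - 6                        # last 6 bytes of page 1, rest in page 2
    struct.pack_into("<HH4xQ", img, 0x4040, len(text), len(text) + 2, buf_va)
    for i, b in enumerate(text):                      # scatter the buffer via the same walk
        img[virt_to_phys(img, cr3, buf_va + i)] = b
    return bytes(img), cr3, base + 0x40, base + 0x3000


def demo():
    """Returns (text, Length, MaximumLength, unmapped_detected)."""
    img, cr3, string_va, unmapped_va = build_sample_image()
    length, max_len, _buf, text = read_unicode_string(img, cr3, string_va)
    try:
        virt_to_phys(img, cr3, unmapped_va)
        unmapped = False
    except NotMapped:
        unmapped = True
    return text, length, max_len, unmapped


if __name__ == "__main__":
    print(demo())
```

Two points the block makes that the claim text only implies: the reader must use Length, not MaximumLength, when copying the buffer (reading MaximumLength bytes pulls in stale allocation tail), and a buffer that crosses a page boundary has to be translated page by page, because the two halves can sit anywhere in the image. On a real image the CR3 value comes from step b), the image is read through a memory map rather than loaded as bytes, and a NotMapped result usually means the page was paged out at acquisition time, not that the structure is absent.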
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610276405.7A CN105893107B (en) | 2016-04-29 | 2016-04-29 | A method of obtaining logged-in user decodement from the memory mirror file of 64 Windows operating systems |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610276405.7A CN105893107B (en) | 2016-04-29 | 2016-04-29 | A method of obtaining logged-in user decodement from the memory mirror file of 64 Windows operating systems |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105893107A CN105893107A (en) | 2016-08-24 |
CN105893107B true CN105893107B (en) | 2019-03-19 |
Family
ID=56701934
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610276405.7A Active CN105893107B (en) | 2016-04-29 | 2016-04-29 | A method of obtaining logged-in user decodement from the memory mirror file of 64 Windows operating systems |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105893107B (en) |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106788996A (en) * | 2016-12-08 | 2017-05-31 | 郑州云海信息技术有限公司 | A kind of operating system password remapping method and system |
CN107861729B (en) * | 2017-11-08 | 2021-08-24 | 中国信息安全测评中心 | Method and device for positioning firmware loading base address and electronic equipment |
CN110597557B (en) * | 2019-09-12 | 2024-06-07 | 腾讯科技(深圳)有限公司 | System information acquisition method, terminal and medium |
CN111444118B (en) * | 2020-03-23 | 2022-04-05 | 数网金融有限公司 | Process protection method, device, terminal equipment and storage medium |
CN112182555A (en) * | 2020-08-21 | 2021-01-05 | 网神信息技术(北京)股份有限公司 | Weak password detection method, device, electronic apparatus, storage medium, and program |
US11768935B2 (en) | 2020-09-29 | 2023-09-26 | Saudi Arabian Oil Company | System and method for detecting and preventing extraction of plaintext passwords using memory attacks |
CN112817615B (en) * | 2021-02-24 | 2023-12-26 | 共达地创新技术(深圳)有限公司 | File processing method, device, system and storage medium |
CN114218128A (en) * | 2021-12-13 | 2022-03-22 | 厦门市美亚柏科信息股份有限公司 | Method and system for offline extraction of DPAPI key based on memory mirror image |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102938036A (en) * | 2011-11-29 | 2013-02-20 | Ut斯达康通讯有限公司 | Section double encryption and safe loading method of Windows dynamic link library |
CN103207972A (en) * | 2013-01-31 | 2013-07-17 | 厦门市美亚柏科信息股份有限公司 | Device and method for recovering and analyzing login password of computer operation system |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9185136B2 (en) * | 2013-11-28 | 2015-11-10 | Cyber-Ark Software Ltd. | Correlation based security risk identification |
- 2016-04-29 CN CN201610276405.7A patent/CN105893107B/en active Active
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102938036A (en) * | 2011-11-29 | 2013-02-20 | Ut斯达康通讯有限公司 | Section double encryption and safe loading method of Windows dynamic link library |
CN103207972A (en) * | 2013-01-31 | 2013-07-17 | 厦门市美亚柏科信息股份有限公司 | Device and method for recovering and analyzing login password of computer operation system |
Also Published As
Publication number | Publication date |
---|---|
CN105893107A (en) | 2016-08-24 |
Similar Documents
Publication | Title |
---|---|
CN105893107B (en) | A method of obtaining logged-in user decodement from the memory mirror file of 64 Windows operating systems |
Caballero et al. | Automatic protocol reverse-engineering: Message format extraction and field semantics inference |
CN101587479B (en) | Database management system kernel oriented data encryption/decryption system and method thereof |
US20130262863A1 (en) | Searchable encryption processing system |
Chen et al. | Bestie: Very practical searchable encryption with forward and backward security |
Hejazi et al. | Extraction of forensically sensitive information from windows physical memory |
WO2011134207A1 (en) | Method for protecting software |
KR20090052130A (en) | Data protection method using data partition |
Fu et al. | Data correlation‐based analysis methods for automatic memory forensic |
Hur et al. | Data acquisition methods using backup data decryption of Sony smartphones |
CN109313688A (en) | Key generates source determining device, key generates source and determines that method and key generate source and determine program |
Spreitzenbarth et al. | Mastering python forensics |
Sönmez et al. | Machine learning based side channel selection for time-driven cache attacks on aes |
Mainardi et al. | Efficient oblivious substring search via architectural support |
US20070150853A1 (en) | Method for processing assembly of data blocks using associated control application |
Bates et al. | Secure and trustworthy provenance collection for digital forensics |
Li et al. | BULKOR: Enabling Bulk Loading for Path ORAM |
Kang et al. | Methods for decrypting the data encrypted by the latest Samsung smartphone backup programs in Windows and macOS |
Bursztein et al. | Doing forensics in the cloud age OWADE: beyond files recovery forensic |
Xu et al. | Research on extracting system logged-in password forensically from windows memory image file |
Dija et al. | Towards successful forensic recovery of Bitlocked Volumes |
Song et al. | Searchable Symmetric Encryption with Tunable Leakage Using Multiple Servers |
JP6752347B1 (en) | Information processing equipment, computer programs and information processing methods |
Kang et al. | Towards secure and fast mapping of genomic sequences on public clouds |
WO2017221308A1 (en) | Data management device, data management method, data management program, search device, search method, and search program |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |