CN105893107B - Method for obtaining the plaintext password of a logged-in user from a memory image file of a 64-bit Windows operating system - Google Patents


Publication number: CN105893107B
Authority: CN (China)
Legal status: Active
Application number: CN201610276405.7A
Other languages: Chinese (zh)
Other versions: CN105893107A
Inventors: 徐丽娟, 王连海, 葛亮, 赵大伟, 周洋, 徐淑奖
Current assignee: Shandong Computer Science Center
Original assignee: Shandong Computer Science Center
Events:
    • Application filed by Shandong Computer Science Center
    • Priority to CN201610276405.7A
    • Publication of CN105893107A
    • Application granted
    • Publication of CN105893107B
    • Legal status: Active (current)
    • Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/40 Transformation of program code
    • G06F8/53 Decompilation; Disassembly
    • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F12/02 Addressing or allocation; Relocation
    • G06F12/08 Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
    • G06F12/0802 Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches
    • G06F12/10 Address translation
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN

Abstract

The method of the invention for obtaining the plaintext password of a logged-in user from a memory image file of a 64-bit Windows operating system comprises: a) obtaining the system version information; b) obtaining the CR3 register value of the lsass.exe process and the value of the PEB variable in the process environment block; c) dumping the executable images of the dynamic link libraries lsasrv.dll and tspkg.dll; d) obtaining the key-related data; e) obtaining the user information from lsasrv.dll; f) obtaining the primary credential of the logged-in user from the dump file of tspkg.dll; g) obtaining the plaintext password. The method is accurate and efficient, its result is not affected by password complexity, it is an important means of obtaining user login information from a physical memory image file, and the plaintext password obtained is one of the important pieces of evidence in online computer forensics.

Description

Method for obtaining the plaintext password of a logged-in user from a memory image file of a 64-bit Windows operating system
Technical field
The present invention relates to a method of obtaining the plaintext password of a logged-in user, and more particularly to a method of obtaining the plaintext password of a logged-in user from a memory image file of a 64-bit Windows operating system. The method is applied in the field of computer forensics and is mainly used in the investigation and evidence collection of information security incidents and all kinds of computer crime cases.
Background technique
The physical memory of a computer holds information that describes the state of the system at a given moment, such as the currently running processes, the dynamic link libraries loaded by each process, the user name and password of the currently logged-in user, open files and network connections. This information disappears when the computer is shut down and cannot be preserved as evidence, so acquiring the physical memory of a computer is particularly important in computer forensics. To promote the development of physical memory analysis, DFRWS (Digital Forensic Research Workshop) launched the "Forensics Challenge" in 2005, whose theme was physical memory analysis. Since then, the acquisition and analysis of physical memory have become a research hotspot in computer forensics. However, when a user logs on to the computer system the password is stored in ciphertext form: memory analysis can obtain the corresponding NT hash or LM hash, but obtaining the plaintext password requires decryption software such as SamInside, and the more complex the password, the longer the decryption software needs. With the continuous development of computer hardware, most computers now have 4 GB or more of memory and support 64-bit operating systems, and with the free upgrade to the current 64-bit Windows 10, more and more users run recent versions of Windows. Analysis of memory image files of 64-bit Windows operating systems is therefore extremely urgent.
Summary of the invention
To overcome the shortcomings of the above technical problems, the present invention provides a method of obtaining the plaintext password of a logged-in user from a memory image file of a 64-bit Windows operating system.
The method of the invention for obtaining the plaintext password of a logged-in user from a memory image file of a 64-bit Windows operating system is characterised in that it is realised by the following steps:
a) obtaining the system version information: using the physical memory analysis method based on the KPCR structure, obtain from the current memory image file the operating system version information, including the major version number, the minor version number and the build number;
b) obtaining the CR3 register value of the lsass.exe process and the value of the PEB variable in the process environment block;
c) dumping the executable images: obtain the linked list of dynamic link libraries loaded by lsass.exe and dump the executable images of the dynamic link libraries lsasrv.dll and tspkg.dll from the memory image file;
d) obtaining the key-related data: obtain from the dump file of lsasrv.dll the key-related data, including the InitializationVector value, the hAesKey value and the h3DesKey value;
e) obtaining the logon count and information: obtain from lsasrv.dll the number of entries in the logon session list and the user information in the logon session list;
f) obtaining the primary credential: obtain the primary credential of the currently logged-in user from the dump file of tspkg.dll;
g) obtaining the plaintext password: load the dynamic link library nCrypt.dll and, using the key-related data obtained in step d), decrypt the ciphertext in the primary credential obtained in step f) to obtain the plaintext password of the logged-in user.
In the method of the invention, the dumping of the executable images in step c) is realised as follows:
c-1) obtain the variable Ldr from the PEB structure of the lsass.exe process; Ldr points to the list structure of all dynamic link library structures loaded by the process;
c-2) traverse the list structure pointed to by Ldr and check whether the name of each dynamic link library equals the lsasrv.dll or tspkg.dll being looked for; if it does, obtain the start virtual address and the length variable of that dynamic link library and, using these two variables, dump its executable image from the memory image file.
In the method of the invention, obtaining the logon count and information in step e) is realised as follows: first disassemble the dynamic link library, find the function LsapCreateLsaLogonSession in it and inspect its disassembly to obtain the values of the variables LogonSessionListCount and LogonSessionList; then obtain the number of entries in the logon session list from LogonSessionListCount, and obtain the user information of the logon session list from the doubly linked list structure pointed to by LogonSessionList.
The method of the invention is further characterised in that obtaining the primary credential in step f) is realised by the following steps:
f-1) find the dynamic link library tspkg.dll in the folder X:\Windows\System32 of a computer with the same operating system version as the memory image file, X being the system disk, and disassemble tspkg.dll to find the function TSUnloadCredTable;
f-2) find the storage position of the variable TSGlobalCredTable in the body of the TSUnloadCredTable function;
f-3) inspect the binary data stored at the position of TSGlobalCredTable and, using this binary data as a signature, search for the signature in the dump file of tspkg.dll;
f-4) once the signature is found in the dump file, its position is the relative offset of the variable TSGlobalCredTable in the tspkg.dll dump file; let this offset be TSGlobalTabOffset;
f-5) calculate the virtual address TSGlobalTabVa of the variable TSGlobalCredTable by the following formula:
TSGlobalTabVa = tspkgVa + sizeof(ULONG) + TSGlobalTabOffset (1)
where tspkgVa is the virtual address at which the dynamic link library tspkg.dll is loaded in lsass.exe, and sizeof(ULONG) is the number of bytes of the data type ULONG;
then translate TSGlobalTabVa from a virtual address to a physical address using lsassCR3Val to obtain the position of TSGlobalCredTable in the memory image file; TSGlobalCredTable points to an RTL_AVL_TABLE structure, and lsassCR3Val is the content of the CR3 register of the lsass.exe process obtained in step b);
f-6) the RTL_AVL_TABLE structure is a balanced binary tree; navigate to the physical address of TSGlobalCredTable and start traversing the tree from the children of the root of the RTL_AVL_TABLE structure tree;
f-7) while traversing the RTL_AVL_TABLE structure tree, read the value of the variable OrderedPointer of the tree; this value is the virtual address of a KIWI_TS_CREDENTIAL structure; translate it into a physical address and navigate to that physical address in the memory image file to find the KIWI_TS_CREDENTIAL structure;
f-8) find the value of the variable LocallyUniqueIdentifier in the KIWI_TS_CREDENTIAL structure, which stores the LUID of the user; if the LUID of the logged-in user equals the user LUID in the current KIWI_TS_CREDENTIAL structure, go to step f-9), otherwise return to step f-6) and continue traversing the left and right children of the binary tree;
f-9) find the variable pTsPrimary in the KIWI_TS_CREDENTIAL structure; pTsPrimary points to a KIWI_TS_PRIMARY_CREDENTIAL structure, which stores the primary credential of the user; read the value of pTsPrimary, which is the virtual address of the KIWI_TS_PRIMARY_CREDENTIAL structure, translate it into a physical address and navigate to that physical address in the memory image file to find the structure;
f-10) find the variable credentials in the KIWI_TS_PRIMARY_CREDENTIAL structure; credentials stores the user name, domain name and ciphertext of the current user, all of which are stored in the physical memory image file as UNICODE strings; from the definition of the UNICODE string structure obtain the current length Len of the ciphertext, its maximum length MaxLen and its virtual address in physical memory, translate the virtual address into a physical address and navigate to that physical address in the memory image file;
f-11) at the physical address obtained in step f-10), read Len bytes of data from the memory image file into the memory buffer cryptBuffer; decrypting this ciphertext yields the plaintext of the logged-in user's password.
The beneficial effects of the present invention are: (1) the method disclosed in the invention for obtaining the plaintext password of a logged-in user from a memory image file of a 64-bit Windows operating system is accurate and efficient; (2) its analysis of the plaintext password is not affected by the complexity of the password; (3) it is an important means of obtaining user login information from a physical memory image file; (4) the plaintext password of the logged-in user obtained by the method is one of the important pieces of evidence in online computer forensics.
Description of the drawings
Fig. 1 is the flowchart of the method of the invention for obtaining the plaintext password of a logged-in user from a memory image file;
Fig. 2 is the structural relationship diagram for obtaining the key content in the present invention;
Fig. 3 is the flowchart for obtaining the primary credential from tspkg.dll in the present invention;
Fig. 4 is the structural relationship diagram for obtaining the primary credential from tspkg.dll in the present invention;
Fig. 5 is a partial screenshot of the LsaInitializeProtectedMemory function as disassembled in the present invention.
Specific embodiment
The invention is further described below with reference to the accompanying drawings and embodiments.
Fig. 1 shows the flowchart of the method of the invention for obtaining the plaintext password of a logged-in user from a memory image file of a 64-bit Windows operating system. The method proceeds as "obtain the operating system version, obtain the lsass.exe process structure, obtain the key, obtain the credential, decrypt the ciphertext". Since a process performs the functions it needs through the dynamic link libraries it loads, the decryption work can be carried out by analysing the dynamic link libraries loaded by the process that performs logon authentication. As shown in Fig. 1, the method first obtains the operating system version, because in memory image files of different operating system versions the storage positions of the ciphertext and of the data in the related dynamic link libraries needed to decrypt it are different, so the operating system version must be determined first. Then the executable images of the lsasrv.dll and tspkg.dll libraries loaded by the running lsass.exe process are dumped from the memory image file. Finally, based on the information analysed from the dumped files, the ciphertext present in the primary credential is decrypted by loading the dynamic link library, thereby obtaining the plaintext password of the logged-in user. Concretely, the method is realised by the following steps:
a) obtaining the system version information: using the physical memory analysis method based on the KPCR structure, obtain from the current memory image file the operating system version information, including the major version number, the minor version number and the build number;
b) obtaining the CR3 register value of the lsass.exe process and the value of the PEB variable in the process environment block;
c) dumping the executable images: obtain the linked list of dynamic link libraries loaded by lsass.exe and dump the executable images of the dynamic link libraries lsasrv.dll and tspkg.dll from the memory image file;
d) obtaining the key-related data: obtain from the dump file of lsasrv.dll the key-related data, including the InitializationVector value, the hAesKey value and the h3DesKey value;
e) obtaining the logon count and information: obtain from lsasrv.dll the number of entries in the logon session list and the user information in the logon session list;
f) obtaining the primary credential: obtain the primary credential of the currently logged-in user from the dump file of tspkg.dll;
g) obtaining the plaintext password: load the dynamic link library nCrypt.dll and, using the key-related data obtained in step d), decrypt the ciphertext in the primary credential obtained in step f) to obtain the plaintext password of the logged-in user.
The specific steps of obtaining the system version information in step a) are as follows:
a-1) scan the memory image file for the characteristics of the operating system's KPCR structure to find the position of the KPCR structure in the memory image file;
a-2) obtain the CR3 register value of the System process. The content of the CR3 register is the basis for address translation in the system address space. For a 64-bit operating system, the CR3 register value is read at offset 0x1D0 of the KPCR structure: the 8 bytes of data there are the content of the CR3 register;
a-3) obtain the virtual address of the current thread. The offset at which the virtual address of the current thread is stored in the KPCR structure differs between operating system versions; for 64-bit operating systems from Windows 8 onwards the offset is 0x188, and the 8 bytes of data read there are the virtual address of the current thread;
a-4) obtain the virtual address and physical address of the current process structure from the structure of the current thread. Taking 64-bit Windows 8.1 as an example, the value at offset 0xb8 of the current thread's virtual address is the virtual address of the current process. Using the CR3 value of the System process obtained in step a-2), translate this virtual address into a physical address; that physical address is the start of the EPROCESS structure of the current process;
a-5) the EPROCESS structure of the process holds a variable named Peb, which is a pointer to the structure that stores the operating system major version number, minor version number and build number. Taking 64-bit Windows 8.1 as an example, the value at offset 0x3e8 from the start of the EPROCESS structure of the current process is the value of the variable Peb, i.e. the virtual address of the _PEB structure. Translate that virtual address into a physical address to obtain the start of the _PEB structure and navigate to it: the operating system major version number is stored at offset 0x118, the minor version number at offset 0x11c and the build number at offset 0x120.
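Every hop in the chain above (current thread, EPROCESS, PEB) is a virtual address that must be translated through the page tables rooted at the CR3 value before it can be read from the image. The following Python is an added example, not code from the patent: it implements the x64 four-level page-table walk (including 2 MB and 1 GB large pages) and follows the step a) chain with the offsets quoted for 64-bit Windows 8.1 over a small constructed memory image; the image layout, KERNEL_BASE_VA and the function names are assumptions made for the example.

```python
"""Added example (not from the patent): x64 page-table walk driven by CR3, then the
KPCR -> current thread -> EPROCESS -> PEB chain of step a), run over a constructed image."""
import struct

ENTRY_PRESENT = 1 << 0
ENTRY_LARGE = 1 << 7                   # PS bit: 1 GB page in a PDPTE, 2 MB page in a PDE
PFN_MASK = 0x000FFFFFFFFFF000          # bits 51..12: physical address of the next level

# Offsets the patent quotes for 64-bit Windows 8.1; other versions use different ones.
KPCR_CR3_OFF = 0x1D0                   # CR3 of the System process, stored in the KPCR
KPCR_CURTHREAD_OFF = 0x188             # virtual address of the current thread (Windows 8+)
KTHREAD_PROCESS_OFF = 0xB8             # current thread -> EPROCESS virtual address
EPROCESS_PEB_OFF = 0x3E8               # EPROCESS.Peb
PEB_VERSION_OFF = 0x118                # OSMajorVersion (ULONG); OSMinorVersion (ULONG) follows
                                       # at 0x11C and OSBuildNumber (USHORT) at 0x120

KERNEL_BASE_VA = 0xFFFFF80000000000    # constructed: PML4 index 0x1F0, PDPT and PD index 0


def qword(image, phys):
    return struct.unpack_from("<Q", image, phys)[0]


def v2p(image, cr3, va):
    """Translate a virtual address to a physical offset in the image using the page
    tables rooted at CR3. Returns None when a level is not present (paged out or unmapped)."""
    pml4e = qword(image, (cr3 & PFN_MASK) + ((va >> 39) & 0x1FF) * 8)
    if not pml4e & ENTRY_PRESENT:
        return None
    pdpte = qword(image, (pml4e & PFN_MASK) + ((va >> 30) & 0x1FF) * 8)
    if not pdpte & ENTRY_PRESENT:
        return None
    if pdpte & ENTRY_LARGE:                                   # 1 GB page
        return (pdpte & 0x000FFFFFC0000000) | (va & 0x3FFFFFFF)
    pde = qword(image, (pdpte & PFN_MASK) + ((va >> 21) & 0x1FF) * 8)
    if not pde & ENTRY_PRESENT:
        return None
    if pde & ENTRY_LARGE:                                     # 2 MB page
        return (pde & 0x000FFFFFFFE00000) | (va & 0x1FFFFF)
    pte = qword(image, (pde & PFN_MASK) + ((va >> 12) & 0x1FF) * 8)
    if not pte & ENTRY_PRESENT:
        return None
    return (pte & PFN_MASK) | (va & 0xFFF)


def os_version_from_kpcr(image, kpcr_phys):
    """Step a) once the KPCR has been located: read CR3 and the current thread from the
    KPCR, hop to EPROCESS and PEB, and return (major, minor, build) or None if unmapped."""
    cr3 = qword(image, kpcr_phys + KPCR_CR3_OFF)
    thread_pa = v2p(image, cr3, qword(image, kpcr_phys + KPCR_CURTHREAD_OFF))
    if thread_pa is None:
        return None
    eprocess_pa = v2p(image, cr3, qword(image, thread_pa + KTHREAD_PROCESS_OFF))
    if eprocess_pa is None:
        return None
    peb_pa = v2p(image, cr3, qword(image, eprocess_pa + EPROCESS_PEB_OFF))
    if peb_pa is None:
        return None
    return struct.unpack_from("<IIH", image, peb_pa + PEB_VERSION_OFF)


def build_sample_image():
    """Constructed 64 KB image: PML4/PDPT/PD/PT at 0x1000..0x4000, KPCR at 0x5000,
    KTHREAD at 0x6000, EPROCESS at 0x7000, PEB at 0x8000. Returns (image, KPCR offset)."""
    img = bytearray(0x10000)
    pml4, pdpt, pd, pt = 0x1000, 0x2000, 0x3000, 0x4000
    kpcr, kthread, eprocess, peb = 0x5000, 0x6000, 0x7000, 0x8000
    struct.pack_into("<Q", img, pml4 + 0x1F0 * 8, pdpt | ENTRY_PRESENT)
    struct.pack_into("<Q", img, pdpt, pd | ENTRY_PRESENT)
    # PD[0]: one 2 MB large page mapping KERNEL_BASE_VA onto physical 0 (identity map)
    struct.pack_into("<Q", img, pd, 0 | ENTRY_LARGE | ENTRY_PRESENT)
    # PD[1]: a 4 KB page table whose entry 8 maps KERNEL_BASE_VA + 0x208000 onto the PEB page
    struct.pack_into("<Q", img, pd + 8, pt | ENTRY_PRESENT)
    struct.pack_into("<Q", img, pt + 8 * 8, peb | ENTRY_PRESENT)
    struct.pack_into("<Q", img, kpcr + KPCR_CR3_OFF, pml4)
    struct.pack_into("<Q", img, kpcr + KPCR_CURTHREAD_OFF, KERNEL_BASE_VA + kthread)
    struct.pack_into("<Q", img, kthread + KTHREAD_PROCESS_OFF, KERNEL_BASE_VA + eprocess)
    struct.pack_into("<Q", img, eprocess + EPROCESS_PEB_OFF, KERNEL_BASE_VA + 0x208000)
    struct.pack_into("<IIH", img, peb + PEB_VERSION_OFF, 6, 3, 9600)  # Windows 8.1, build 9600
    return img, kpcr


if __name__ == "__main__":
    image, kpcr_off = build_sample_image()
    print("OS version from constructed image:", os_version_from_kpcr(image, kpcr_off))
```

On a real image the KPCR offset comes from the signature scan of step a-1), and a None result from v2p means the structure was paged out or the CR3/offsets do not match the image's Windows version.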
The specific steps of obtaining the CR3 register value and the Peb variable of the process environment block of the lsass.exe process in step b) are: b-1) starting from the EPROCESS structure of the current process, traverse the process list. In step a-4) the start of the EPROCESS structure of the current process was obtained; the EPROCESS structure holds a pointer to the EPROCESS structure of the next process. b-2) Traverse the process list along that pointer; when the process name is lsass.exe, obtain the Peb variable value and the CR3 register value of that process (defined as lsassCR3Val). Taking 64-bit Windows 8.1 as an example, the 8 bytes of data read at offset 0x28 of the EPROCESS structure are the value of lsassCR3Val.
The specific steps of obtaining the linked list of dynamic link libraries loaded by lsass.exe and dumping the executable images of lsasrv.dll and tspkg.dll from the memory image file in step c) are: c-1) the _PEB structure of the lsass.exe process holds the variable Ldr, which points to the list structure of all dynamic link library structures loaded by the process. c-2) Each dynamic link library structure holds the pointer to the next dynamic link library structure, the dynamic link library name, the start address (virtual address), the length and other variables. Traverse the list structure and check whether the name of each dynamic link library equals the lsasrv.dll or tspkg.dll being looked for; if the condition is met, obtain the start address (virtual address) and length of that dynamic link library and, using these two variables, dump its executable image from the memory image file.
The specific steps of obtaining the key-related data from the dump file of lsasrv.dll in step d) are: d-1) from a computer with the same operating system version as the memory image file, copy the dynamic link library lsasrv.dll from C:\Windows\System32, disassemble it with IDA, find the function LsaInitializeProtectedMemory in the dynamic link library and inspect its disassembly; d-2) in the disassembly of that function, find the position of the variable InitializationVector; Fig. 5 shows a partial screenshot of the LsaInitializeProtectedMemory function as disassembled in the present invention; d-3) inspect the binary data at that position and, using this data as a signature, search the dump file of lsasrv.dll for the signature to find the relative offset of the variable InitializationVector in the lsasrv.dll dump file; let it be InitVecOffset. The virtual address InitVecVa of InitializationVector is obtained by the following formula:
InitVecVa = lsasrvVa + sizeof(ULONG) + InitVecOffset (2)
where lsasrvVa is the virtual address at which the dynamic link library lsasrv.dll is loaded in lsass.exe, and sizeof(ULONG) is the number of bytes of the data type ULONG. Since this variable lies in the address space of lsass.exe, translate InitVecVa from a virtual address to a physical address using lsassCR3Val to obtain the position of the variable InitializationVector in the memory image file, and thus the content of InitializationVector. d-4) Obtain the value of the variable hAesKey, then create the AES key content. d-5) Obtain the value of the variable h3DesKey, then create the 3DES key content.
The specific steps of creating the AES key content in step d-4) are: d-4-1) obtain the value of the variable hAesKey; the method is the same as that for obtaining the content of the variable InitializationVector in steps d-1) to d-3), as shown in Fig. 5. d-4-2) The value of the variable hAesKey points to a KIWI_BCRYPT_HANDLE_KEY structure.
Fig. 2 shows the structural relationship diagram for obtaining the key content in the method of the invention for obtaining the plaintext password of a logged-in user from a memory image file of 64-bit Windows. Taking 64-bit Windows 8.1 as an example, navigate to the physical address pointed to by hAesKey and obtain the content of the _KIWI_BCRYPT_HANDLE_KEY structure. Find the variable key in it, which is a pointer to a KIWI_BCRYPT_KEY81 structure: read the 8 bytes of data at offset 0x10 of the KIWI_BCRYPT_HANDLE_KEY structure; that value is the virtual address of the variable key. Translate that virtual address into a physical address and navigate to it in the physical memory image file to find the key structure; the HardKey variable stored in it is the value needed to generate the AES key. Use LoadLibrary to load the bcrypt.dll of a system with the same operating system version as the memory image file, and call its BCryptGenerateSymmetricKey function with HardKey as parameter to create the AES key.
The specific steps of creating the 3DES key content in step d-5) are the same as those of step d-4).
The method of obtaining the number of entries in the logon session list and the user information in the logon session list from lsasrv.dll in step e) is as follows: disassemble lsasrv.dll, taken from the folder X:\Windows\System32 (where X is the system disk) of a computer with the same operating system version as the memory image file. Find the function LsapCreateLsaLogonSession, inspect its disassembly and obtain the positions of the variables LogonSessionListCount and LogonSessionList together with the nearby signature bytes; search the dump file of lsasrv.dll in the memory image file for the signature to obtain the values of LogonSessionListCount and LogonSessionList in the memory image file. The variable LogonSessionListCount stores the number of entries in the logon session list; the variable LogonSessionList points to a doubly linked list structure that holds the user information of the logon session list.
Fig. 3 shows the flowchart of obtaining the primary credential of the user from the dump file of tspkg.dll in step f) of the method of the invention for obtaining the plaintext password of a logged-in user from a memory image file of a 64-bit Windows operating system. The specific steps are:
f-1) find the dynamic link library tspkg.dll in the folder X:\Windows\System32 of a computer with the same operating system version as the memory image file, X being the system disk, and disassemble tspkg.dll to find the function TSUnloadCredTable;
f-2) find the storage position of the variable TSGlobalCredTable in the body of the TSUnloadCredTable function;
f-3) inspect the binary data stored at the position of the variable TSGlobalCredTable and, using this binary data as a signature, search for the signature in the dump file of tspkg.dll;
f-4) once the signature is found in the dump file, its position is the relative offset of the variable TSGlobalCredTable in the tspkg.dll dump file; let this offset be TSGlobalTabOffset;
f-5) calculate the virtual address TSGlobalTabVa of the variable TSGlobalCredTable by the following formula:
TSGlobalTabVa = tspkgVa + sizeof(ULONG) + TSGlobalTabOffset (1)
where tspkgVa is the virtual address at which the dynamic link library tspkg.dll is loaded in lsass.exe, and sizeof(ULONG) is the number of bytes of the data type ULONG;
then translate TSGlobalTabVa from a virtual address to a physical address using lsassCR3Val to obtain the position of the variable TSGlobalCredTable in the memory image file; TSGlobalCredTable points to an RTL_AVL_TABLE structure, and lsassCR3Val is the content of the CR3 register of the lsass.exe process obtained in step b);
f-6) the RTL_AVL_TABLE structure is a balanced binary tree; navigate to the physical address of TSGlobalCredTable and start traversing the tree from the children of the root of the RTL_AVL_TABLE structure tree;
f-7) while traversing the RTL_AVL_TABLE structure tree, read the value of the variable OrderedPointer of the tree; this value is the virtual address of a KIWI_TS_CREDENTIAL structure; translate it into a physical address and navigate to that physical address in the memory image file to find the KIWI_TS_CREDENTIAL structure;
f-8) find the value of the variable LocallyUniqueIdentifier in the KIWI_TS_CREDENTIAL structure, which stores the LUID of the user; if the LUID of the logged-in user equals the user LUID in the current KIWI_TS_CREDENTIAL structure, go to step f-9), otherwise return to step f-6) and continue traversing the left and right children of the binary tree;
f-9) find the variable pTsPrimary in the KIWI_TS_CREDENTIAL structure; the structure pointed to by pTsPrimary stores the primary credential of the user, pTsPrimary pointing to a KIWI_TS_PRIMARY_CREDENTIAL structure; read the value of pTsPrimary, which is the virtual address of the KIWI_TS_PRIMARY_CREDENTIAL structure, translate it into a physical address and navigate to that physical address in the memory image file to find the structure;
f-10) find the variable credentials in the KIWI_TS_PRIMARY_CREDENTIAL structure; credentials stores the user name, domain name and ciphertext of the current user, all of which are stored in the physical memory image file as UNICODE strings; from the definition of the UNICODE string structure obtain the current length Len of the ciphertext, its maximum length MaxLen and its virtual address in physical memory, translate the virtual address into a physical address and navigate to that physical address in the memory image file;
f-11) at the physical address obtained in step f-10), read Len bytes of data from the memory image file into the memory buffer cryptBuffer; decrypting this ciphertext yields the plaintext of the logged-in user's password.

Claims (4)

1. A method of obtaining the plaintext password of a logged-in user from a memory image file of a 64-bit Windows operating system, characterised in that it is realised by the following steps:
a) obtaining the system version information: using the physical memory analysis method based on the KPCR structure, obtain from the current memory image file the operating system version information, including the major version number, the minor version number and the build number;
b) obtaining the CR3 register value of the lsass.exe process and the value of the PEB variable in the process environment block;
c) dumping the executable images: obtain the linked list of dynamic link libraries loaded by lsass.exe and dump the executable images of the dynamic link libraries lsasrv.dll and tspkg.dll from the memory image file;
d) obtaining the key-related data: obtain from the dump file of lsasrv.dll the key-related data, including the InitializationVector value, the hAesKey value and the h3DesKey value;
e) obtaining the logon count and information: obtain from lsasrv.dll the number of entries in the logon session list and the user information in the logon session list;
f) obtaining the primary credential: obtain the primary credential of the currently logged-in user from the dump file of tspkg.dll;
g) obtaining the plaintext password: load the dynamic link library nCrypt.dll and, using the key-related data obtained in step d), decrypt the ciphertext in the primary credential obtained in step f) to obtain the plaintext password of the logged-in user.
2. The method according to claim 1 for obtaining the plaintext password of a logged-in user from the memory image file of a 64-bit Windows operating system, characterized in that the dumping of the executable images in step c) is realized by the following method:
c-1) Obtain the variable Ldr: the variable Ldr is obtained from the PEB structure of the lsass.exe process; Ldr points to the linked-list structure of all dynamic-link-library structures loaded by the process;
c-2) Traverse the linked-list structure pointed to by the variable Ldr and check whether the name of each dynamic link library is identical to the one being sought, lsasrv.dll or tspkg.dll; if it is identical, obtain the starting virtual address and the length variable of the corresponding dynamic link library, and dump the executable image of that dynamic link library out of the memory image file according to these two variables.
3. The method according to claim 1 or 2 for obtaining the plaintext password of a logged-in user from the memory image file of a 64-bit Windows operating system, characterized in that obtaining the logon count and logon information in step e) is realized by the following method: first disassemble the dynamic link library lsasrv.dll, find the function LsapCreateLsaLogonSession in the dynamic link library, inspect the disassembled code of that function and obtain the values of the variables LogonSessionListCount and LogonSessionList; then obtain the number of entries in the logon session list through the variable LogonSessionListCount, and obtain the user information in the logon session list from the doubly linked list structure pointed to by the variable LogonSessionList.
4. The method according to claim 1 or 2 for obtaining the plaintext password of a logged-in user from the memory image file of a 64-bit Windows operating system, characterized in that obtaining the primary credential in step f) is realized by the following steps:
f-1) From a computer running the same operating system version as the memory image file, take the dynamic link library tspkg.dll from the folder X:\Windows\System32, where X denotes the system drive; disassemble tspkg.dll to find the function TSUnloadCredTable;
f-2) Find the storage location of the variable TSGlobalCredTable within the body of the function TSUnloadCredTable;
f-3) Inspect the binary data stored at the storage location of the variable TSGlobalCredTable and, using this binary data as a signature, search for the signature in the tspkg.dll dump file;
f-4) Once the signature has been found in the tspkg.dll dump file, its storage location is the relative offset of the variable TSGlobalCredTable within the tspkg.dll dump file; let this offset be TSGlobalTabOffset;
f-5) Calculate the virtual address TSGlobalTabVa of the variable TSGlobalCredTable by the following formula:
TSGlobalTabVa = tspkgVa + sizeof(ULONG) + TSGlobalTabOffset (1)
where tspkgVa is the virtual address at which the dynamic link library tspkg.dll is loaded in lsass.exe, and sizeof(ULONG) is the size in bytes of the data type ULONG;
then translate TSGlobalTabVa from a virtual to a physical address using lsassCR3Val to obtain the position of the variable TSGlobalCredTable in the memory image file; TSGlobalCredTable points to an RTL_AVL_TABLE structure. lsassCR3Val is the content of the CR3 register of the lsass.exe process obtained in step b);
f-6) The RTL_AVL_TABLE structure is a balanced binary tree. Locate the physical address of TSGlobalCredTable and begin traversing the tree from the child of the root of the RTL_AVL_TABLE tree;
f-7) While traversing the RTL_AVL_TABLE tree, read the value of the variable OrderedPointer in each node; this value is the virtual address of a KIWI_TS_CREDENTIAL structure. Convert it to a physical address and locate that physical address in the memory image file to find the KIWI_TS_CREDENTIAL structure;
f-8) Find the value of the variable LocallyUniqueIdentifier in the KIWI_TS_CREDENTIAL structure; it holds the LUID of a user. If the LUID of the logged-in user is identical to the user LUID in the current KIWI_TS_CREDENTIAL structure, perform step f-9); otherwise return to step f-6) and continue the binary-tree traversal through the left child and the right child;
f-9) Find the variable pTsPrimary in the KIWI_TS_CREDENTIAL structure; pTsPrimary points to a KIWI_TS_PRIMARY_CREDENTIAL, which holds the user's primary credential. Read the value of pTsPrimary, which is the virtual address of the KIWI_TS_PRIMARY_CREDENTIAL structure, convert that virtual address to a physical address, and locate the physical address in the memory image file to find the structure;
f-10) Find the variable credentials in the KIWI_TS_PRIMARY_CREDENTIAL structure; credentials holds the user name, domain name and ciphertext of the current user. User name, domain name and ciphertext are each stored in the physical memory image file as UNICODE strings; from the definition of the UNICODE string structure, obtain the current length Len of the ciphertext, its maximum length MaxLen and the virtual address of its buffer, convert that virtual address to a physical address and locate the physical address in the memory image file;
f-11) Read Len bytes of data from the physical address obtained in step f-10) in the memory image file into the buffer cryptBuffer; decrypting this ciphertext yields the plaintext of the logged-in user's password.
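Steps c-1) and c-2) of claim 2, as an added example that is not the patent's or the inventors' code: walk lsass.exe's PEB.Ldr to InLoadOrderModuleList, read each LDR_DATA_TABLE_ENTRY's BaseDllName, DllBase and SizeOfImage, and dump the mapped image of the named DLL as the bytes [DllBase, DllBase + SizeOfImage). The field offsets are the public x64 layouts of PEB, PEB_LDR_DATA and LDR_DATA_TABLE_ENTRY. The VirtualView class is a flat buffer standing in for lsass.exe's translated virtual address space (the CR3 translation of step b) is not repeated here), and the PEB, the list entries, the module names and the page-sized module images are all constructed for this sample.

```python
import struct

# x64 offsets, stable across Windows builds: PEB.Ldr, PEB_LDR_DATA.InLoadOrderModuleList, and in
# LDR_DATA_TABLE_ENTRY: DllBase, SizeOfImage, BaseDllName. InLoadOrderLinks is the entry's first field,
# so a LIST_ENTRY address on that list is the entry's own address.
PEB_LDR, LDR_IN_LOAD_ORDER_LIST = 0x18, 0x10
ENTRY_DLL_BASE, ENTRY_SIZE_OF_IMAGE, ENTRY_BASE_DLL_NAME = 0x30, 0x40, 0x58


class VirtualView:
    """Bytes of lsass.exe's virtual address space from `base` upward. A real reader resolves every
    access through lsassCR3Val into the physical image; a flat buffer stands in for that here."""

    def __init__(self, base, data):
        self.base, self.data = base, data

    def read(self, va, n):
        off = va - self.base
        if off < 0 or off + n > len(self.data):
            raise LookupError(f"VA {va:#x}+{n:#x} is outside the view")
        return bytes(self.data[off:off + n])

    def u64(self, va):
        return struct.unpack("<Q", self.read(va, 8))[0]

    def unicode_string(self, va):                          # UNICODE_STRING: Length, MaximumLength, pad, Buffer
        length, max_len, _pad, buf = struct.unpack("<HHIQ", self.read(va, 16))
        if length > max_len or length % 2:
            raise ValueError(f"implausible UNICODE_STRING at {va:#x}")
        return self.read(buf, length).decode("utf-16-le")


def loaded_modules(mem, peb_va, limit=4096):
    """Steps c-1/c-2: walk PEB.Ldr -> InLoadOrderModuleList, yielding (BaseDllName, DllBase, SizeOfImage)."""
    head = mem.u64(peb_va + PEB_LDR) + LDR_IN_LOAD_ORDER_LIST
    link, seen = mem.u64(head), set()                       # Flink of the list head
    while link != head:
        if link in seen or len(seen) >= limit:             # truncated, stale or cyclic list in a dump
            raise ValueError("InLoadOrderModuleList does not return to its head")
        seen.add(link)
        size = struct.unpack("<I", mem.read(link + ENTRY_SIZE_OF_IMAGE, 4))[0]
        yield mem.unicode_string(link + ENTRY_BASE_DLL_NAME), mem.u64(link + ENTRY_DLL_BASE), size
        link = mem.u64(link)                                # InLoadOrderLinks.Flink


def dump_module(mem, peb_va, name):
    """Return (DllBase, image bytes) for the module whose BaseDllName matches (case-insensitive), else None."""
    for mod, base, size in loaded_modules(mem, peb_va):
        if mod.lower() == name.lower():
            return base, mem.read(base, size)              # the mapped image: [DllBase, DllBase + SizeOfImage)
    return None


# Constructed sample (not a real process): PEB at BASE, PEB_LDR_DATA at BASE + 0x100, three list entries
# and two fake one-page module images. Every address and name below is made up for the example.
BASE = 0x7FF7_A000_0000
MODULES = (("lsass.exe", BASE + 0x10000, 0x1000),          # image lies outside the view; only its entry is read
           ("lsasrv.dll", BASE + 0x1000, 0x1000), ("tspkg.dll", BASE + 0x2000, 0x1000))


def build_sample_view():
    data = bytearray(0x3000)
    w = lambda va, fmt, *vals: struct.pack_into(fmt, data, va - BASE, *vals)
    ldr = BASE + 0x100
    head = ldr + LDR_IN_LOAD_ORDER_LIST
    entries = [BASE + 0x200 + 0x100 * i for i in range(len(MODULES))]
    w(BASE + PEB_LDR, "<Q", ldr)                           # PEB.Ldr
    w(head, "<QQ", entries[0], entries[-1])                 # list head: Flink, Blink
    for i, (entry, (name, dll_base, size)) in enumerate(zip(entries, MODULES)):
        flink = entries[i + 1] if i + 1 < len(entries) else head
        blink = entries[i - 1] if i else head
        w(entry, "<QQ", flink, blink)                       # InLoadOrderLinks
        w(entry + ENTRY_DLL_BASE, "<Q", dll_base)
        w(entry + ENTRY_SIZE_OF_IMAGE, "<I", size)
        enc, name_buf = name.encode("utf-16-le"), BASE + 0x500 + 0x20 * i
        w(entry + ENTRY_BASE_DLL_NAME, "<HHIQ", len(enc), len(enc) + 2, 0, name_buf)
        w(name_buf, f"<{len(enc)}s", enc)
    for _name, dll_base, _size in MODULES[1:]:              # give the fake images a recognisable DOS header
        w(dll_base, "<2s", b"MZ")
    return VirtualView(BASE, data)
```

The dump is the mapped image, not the file on disk: sections are page-aligned, relocations have been applied, and pages that were paged out at acquisition time are simply absent, so the signature search of steps f-3) and f-4) has to tolerate gaps. The walk refuses a list that never returns to its head or revisits an entry, which is what a partly overwritten PEB_LDR_DATA looks like in a dump.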
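The procedure of steps f-5) to f-11) (and the matching end of the description above), as an added example that is not the patent's or the inventors' code: lsass.exe's CR3 (lsassCR3Val) translates every virtual address into the raw physical image with a four-level page-table walk, the RTL_AVL_TABLE behind TSGlobalCredTable is searched for the node whose LUID equals the session's, pTsPrimary is followed to the UNICODE_STRING triple (user name, domain, ciphertext), and Len bytes of the ciphertext are copied into cryptBuffer. The RTL_BALANCED_LINKS, RTL_AVL_TABLE and UNICODE_STRING layouts are the public x64 definitions. The KIWI_TS_CREDENTIAL and KIWI_TS_PRIMARY_CREDENTIAL offsets in LAYOUT, the page tables, the LUIDs and every record in the image are constructed for this sample and are assumptions, not values taken from the patent; the ciphertext stays encrypted, since step g) is not shown.

```python
import struct

PAGE, PRESENT, LARGE_PAGE = 0x1000, 1 << 0, 1 << 7
PFN_MASK = 0x000F_FFFF_FFFF_F000       # bits 12..51 of a paging entry; drops the flags and the NX bit (63)
# Offsets of LUID / pTsPrimary in KIWI_TS_CREDENTIAL and of credentials in KIWI_TS_PRIMARY_CREDENTIAL: ASSUMED
# for this constructed image; on a real dump they depend on the Windows build.
LAYOUT = {"luid": 0x40, "primary": 0x48, "credentials": 0x10}


class LsassMemory:
    """lsass.exe's virtual address space over a raw physical image, translated through lsassCR3Val."""
    def __init__(self, image, cr3):
        self.image, self.cr3 = image, cr3

    def va_to_pa(self, va):
        """4-level x64 walk CR3 -> PML4 -> PDPT -> PD -> PT, honouring 1 GiB and 2 MiB pages."""
        table = self.cr3 & PFN_MASK                        # CR3 bits 0..11 are PCID/PWT/PCD, not address
        for level, shift in enumerate((39, 30, 21, 12)):
            entry = struct.unpack_from("<Q", self.image, table + ((va >> shift) & 0x1FF) * 8)[0]
            if not entry & PRESENT:
                raise LookupError(f"VA {va:#x} not present at level {level}")
            if level in (1, 2) and entry & LARGE_PAGE:     # PS bit: this PDPTE/PDE maps the page itself
                span = (1 << shift) - 1
                return (entry & PFN_MASK & ~span) | (va & span)
            table = entry & PFN_MASK
        return table | (va & (PAGE - 1))

    def read(self, va, n):
        out = bytearray()
        while n:                                           # page by page: a buffer may straddle a boundary
            chunk = min(n, PAGE - (va & (PAGE - 1)))
            pa = self.va_to_pa(va)
            out += self.image[pa:pa + chunk]
            va, n = va + chunk, n - chunk
        return bytes(out)

    def u64(self, va):
        return struct.unpack("<Q", self.read(va, 8))[0]


def find_credential_by_luid(mem, node, luid, luid_offset):
    """Steps f-6..f-8. A node is RTL_BALANCED_LINKS (x64: Parent@0, LeftChild@8, RightChild@0x10, Balance@0x18)
    plus its element, a pointer to KIWI_TS_CREDENTIAL at +0x20: the offset of RTL_AVL_TABLE.OrderedPointer."""
    if not node:                                           # NULL child: this branch is exhausted
        return None
    cred = mem.u64(node + 0x20)
    if cred and mem.u64(cred + luid_offset) == luid:       # LUID is 8 bytes: compare it as one u64
        return cred
    return (find_credential_by_luid(mem, mem.u64(node + 0x08), luid, luid_offset)      # LeftChild
            or find_credential_by_luid(mem, mem.u64(node + 0x10), luid, luid_offset))  # RightChild


def read_unicode_string(mem, va):
    """UNICODE_STRING (x64): Length u16, MaximumLength u16, 4 pad bytes, Buffer u64; lengths are in bytes."""
    length, max_len, _pad, buf = struct.unpack("<HHIQ", mem.read(va, 16))
    if length > max_len or length % 2:                     # stale or overwritten entry: do not trust it
        raise ValueError(f"implausible UNICODE_STRING at {va:#x}: Len={length} MaxLen={max_len}")
    return length, max_len, buf, (mem.read(buf, length) if buf and length else b"")


def extract_primary_credential(mem, table_va, luid, layout=LAYOUT):
    """Steps f-9..f-11: follow pTsPrimary, read user name, domain and the Len ciphertext bytes (cryptBuffer)."""
    root = mem.u64(table_va + 0x10)                        # BalancedRoot is a sentinel; RightChild is the root
    cred = find_credential_by_luid(mem, root, luid, layout["luid"])
    primary = cred and mem.u64(cred + layout["primary"])
    if not primary:                                        # no node for this LUID, or no tspkg credential
        return None
    creds = primary + layout["credentials"]
    user, domain = read_unicode_string(mem, creds), read_unicode_string(mem, creds + 16)
    pw_len, pw_max, _buf, crypt_buffer = read_unicode_string(mem, creds + 32)
    return {"user": user[3].decode("utf-16-le"), "domain": domain[3].decode("utf-16-le"),
            "Len": pw_len, "MaxLen": pw_max, "cryptBuffer": crypt_buffer}   # still encrypted: step g)


VA_BASE = 0x80_8060_0000               # constructed sample: PML4 index 1, PDPT index 2, PD index 3, PT 0..2
CR3 = 0x1000 | 0x8                     # PML4 at PA 0x1000; PWT bit set to show that CR3 flags are masked
CRYPT = bytes(range(0x10, 0x20))       # 16-byte stand-in for the encrypted password blob


def build_sample_image():  # not a real dump: page tables at PA 0x1000..0x4000, three data pages from PA 0x5000
    img, flags = bytearray(8 * PAGE), 0x67                 # P | RW | US | A | D
    w = lambda pa, fmt, *vals: struct.pack_into(fmt, img, pa, *vals)
    for table, idx, target in ((0x1000, 1, 0x2000), (0x2000, 2, 0x3000), (0x3000, 3, 0x4000), (0x3000, 4, LARGE_PAGE)):
        w(table + idx * 8, "<Q", target | flags)  # PML4[1] -> PDPT[2] -> PD[3] -> PT; PD[4] = 2 MiB page over PA 0
    for i in range(3):                                     # PT[0..2] -> data pages; NX bit set on the last one
        w(0x4000 + i * 8, "<Q", 0x5000 + i * PAGE | flags | (1 << 63 if i == 2 else 0))
    v = lambda va, fmt, *vals: w(0x5000 + (va - VA_BASE), fmt, *vals)   # the data pages map linearly
    root, leaf, cred_root, cred_leaf, primary, user_buf, dom_buf, pw_buf = (
        VA_BASE + o for o in (0x100, 0x200, 0x1000, 0x1100, 0x2040, 0x1FF8, 0x2100, 0x2200))
    v(VA_BASE + 0x10, "<Q", root)                          # RTL_AVL_TABLE.BalancedRoot.RightChild
    v(root, "<QQQQQ", VA_BASE, leaf, 0, 0, cred_root)      # Parent, LeftChild, RightChild, Balance, element
    v(leaf, "<QQQQQ", root, 0, 0, 0, cred_leaf)
    v(cred_root + LAYOUT["luid"], "<Q", 0x3E7)             # SYSTEM's session: pTsPrimary stays NULL
    v(cred_leaf + LAYOUT["luid"], "<QQ", 0xA1B2C, primary)  # the interactive session: LUID, then pTsPrimary
    user, dom = "alice".encode("utf-16-le"), "CORP".encode("utf-16-le")
    v(primary + LAYOUT["credentials"], "<HHIQHHIQHHIQ", len(user), len(user) + 2, 0, user_buf,
      len(dom), len(dom) + 2, 0, dom_buf, len(CRYPT), len(CRYPT), 0, pw_buf)
    for buf, data in ((user_buf, user), (dom_buf, dom), (pw_buf, CRYPT)):   # user_buf straddles +0x2000
        v(buf, f"<{len(data)}s", data)
    return img
```

Two details matter on a real image: the walker honours the PS bit, so data that lives in a 2 MiB (or 1 GiB) page translates correctly instead of being treated as one more table level, and it masks bit 63 (NX) and the low flag bits out of every entry, including CR3's PCID/PWT/PCD bits. Buffers are read page by page because a UNICODE_STRING buffer can straddle a page boundary, and a Length larger than MaximumLength (or an odd one) marks an entry as stale, which is cheaper than decrypting garbage in step g).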
CN201610276405.7A 2016-04-29 2016-04-29 A method of obtaining a logged-in user's plaintext password from the memory image file of a 64-bit Windows operating system Active CN105893107B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610276405.7A CN105893107B (en) 2016-04-29 2016-04-29 A method of obtaining a logged-in user's plaintext password from the memory image file of a 64-bit Windows operating system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610276405.7A CN105893107B (en) 2016-04-29 2016-04-29 A method of obtaining a logged-in user's plaintext password from the memory image file of a 64-bit Windows operating system

Publications (2)

Publication Number Publication Date
CN105893107A CN105893107A (en) 2016-08-24
CN105893107B true CN105893107B (en) 2019-03-19

Family

ID=56701934

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610276405.7A Active CN105893107B (en) 2016-04-29 2016-04-29 A method of obtaining a logged-in user's plaintext password from the memory image file of a 64-bit Windows operating system

Country Status (1)

Country Link
CN (1) CN105893107B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106788996A (en) * 2016-12-08 2017-05-31 郑州云海信息技术有限公司 A kind of operating system password remapping method and system
CN107861729B (en) * 2017-11-08 2021-08-24 中国信息安全测评中心 Method and device for positioning firmware loading base address and electronic equipment
CN110597557B (en) * 2019-09-12 2024-06-07 腾讯科技(深圳)有限公司 System information acquisition method, terminal and medium
CN111444118B (en) * 2020-03-23 2022-04-05 数网金融有限公司 Process protection method, device, terminal equipment and storage medium
CN112182555A (en) * 2020-08-21 2021-01-05 网神信息技术(北京)股份有限公司 Weak password detection method, device, electronic apparatus, storage medium, and program
US11768935B2 (en) 2020-09-29 2023-09-26 Saudi Arabian Oil Company System and method for detecting and preventing extraction of plaintext passwords using memory attacks
CN112817615B (en) * 2021-02-24 2023-12-26 共达地创新技术(深圳)有限公司 File processing method, device, system and storage medium
CN114218128A (en) * 2021-12-13 2022-03-22 厦门市美亚柏科信息股份有限公司 Method and system for offline extraction of DPAPI key based on memory mirror image

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102938036A (en) * 2011-11-29 2013-02-20 Ut斯达康通讯有限公司 Section double encryption and safe loading method of Windows dynamic link library
CN103207972A (en) * 2013-01-31 2013-07-17 厦门市美亚柏科信息股份有限公司 Device and method for recovering and analyzing login password of computer operation system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9185136B2 (en) * 2013-11-28 2015-11-10 Cyber-Ark Software Ltd. Correlation based security risk identification

Also Published As

Publication number Publication date
CN105893107A (en) 2016-08-24

Similar Documents

Publication Publication Date Title
CN105893107B (en) A method of obtaining a logged-in user's plaintext password from the memory image file of a 64-bit Windows operating system
Caballero et al. Automatic protocol reverse-engineering: Message format extraction and field semantics inference
CN101587479B (en) Database management system kernel oriented data encryption/decryption system and method thereof
US20130262863A1 (en) Searchable encryption processing system
Chen et al. Bestie: Very practical searchable encryption with forward and backward security
Hejazi et al. Extraction of forensically sensitive information from windows physical memory
WO2011134207A1 (en) Method for protecting software
KR20090052130A (en) Data protection method using data partition
Fu et al. Data correlation‐based analysis methods for automatic memory forensic
Hur et al. Data acquisition methods using backup data decryption of Sony smartphones
CN109313688A (en) Key generates source determining device, key generates source and determines that method and key generate source and determine program
Spreitzenbarth et al. Mastering python forensics
Sönmez et al. Machine learning based side channel selection for time-driven cache attacks on aes
Mainardi et al. Efficient oblivious substring search via architectural support
US20070150853A1 (en) Method for processing assembly of data blocks using associated control application
Bates et al. Secure and trustworthy provenance collection for digital forensics
Li et al. BULKOR: Enabling Bulk Loading for Path ORAM
Kang et al. Methods for decrypting the data encrypted by the latest Samsung smartphone backup programs in Windows and macOS
Bursztein et al. Doing forensics in the cloud age OWADE: beyond files recovery forensic
Xu et al. Research on extracting system logged-in password forensically from windows memory image file
Dija et al. Towards successful forensic recovery of Bitlocked Volumes
Song et al. Searchable Symmetric Encryption with Tunable Leakage Using Multiple Servers
JP6752347B1 (en) Information processing equipment, computer programs and information processing methods
Kang et al. Towards secure and fast mapping of genomic sequences on public clouds
WO2017221308A1 (en) Data management device, data management method, data management program, search device, search method, and search program

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant