CN114218128A - Method and system for offline extraction of DPAPI key based on memory mirror image - Google Patents

Method and system for offline extraction of DPAPI key based on memory mirror image Download PDF

Info

Publication number
CN114218128A
CN114218128A CN202111521652.6A CN202111521652A CN114218128A CN 114218128 A CN114218128 A CN 114218128A CN 202111521652 A CN202111521652 A CN 202111521652A CN 114218128 A CN114218128 A CN 114218128A
Authority
CN
China
Prior art keywords
offset
sign
key
memory
dpapi
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111521652.6A
Other languages
Chinese (zh)
Inventor
杜鑫辉
苏再添
陈俊珊
黄志炜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xiamen Meiya Pico Information Co Ltd
Original Assignee
Xiamen Meiya Pico Information Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xiamen Meiya Pico Information Co Ltd filed Critical Xiamen Meiya Pico Information Co Ltd
Priority to CN202111521652.6A priority Critical patent/CN114218128A/en
Publication of CN114218128A publication Critical patent/CN114218128A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/02Addressing or allocation; Relocation
    • G06F12/0223User address space allocation, e.g. contiguous or non contiguous base addressing
    • G06F12/023Free address space management
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45Structures or tools for the administration of authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The method comprises the steps of loading a memory mirror image, obtaining system version information from the memory mirror image, and extracting minimump of an lsass. exe process; respectively carrying out Search Sign Apply Offset operation on different offsets of the flag bits of the Log Session Sign table corresponding to the system version in the lsasrv.dll memory range to obtain a Log Session List and a Log Session Count; obtaining a Cache Master Key corresponding to each Logon Session by a Cached Master Key structure in a memory range of a corresponding dynamic link library according to different system versions; respectively carrying out Search Sign Apply Offset operation on different offsets of flag bits of a corresponding system version Decrypt Key Sign table in an lsasrv.dll memory range to obtain 16-byte IV and Key3DES, and carrying out Search Sign Apply Offset operation on Key3DES to obtain Key AES; and decrypting according to the Cache Master Key, Key3DES, Key AES and IV to obtain the Master Key corresponding to each Logon Session. The invention has the characteristics of secret acquisition avoidance, good applicability and high success rate.

Description

Method and system for offline extraction of DPAPI key based on memory mirror image
Technical Field
The invention relates to the technical field of data encryption or decryption, in particular to a method and a system for extracting a DPAPI key off line based on a memory mirror image.
Background
Dpapi (data Protection Application Programming interface) is a data Protection interface component developed by Microsoft corporation, is built in Windows2000 and later Microsoft Windows operating systems, and provides data Protection services for Application programs and operating systems. The obvious characteristic of this group of interfaces is that the encryption and decryption operations must be performed on the same computer, and the generation, storage and use of the secret key are completed by the operating system without the user being concerned about the secret key storage and protection. Due to the high market occupancy rate of the microsoft Windows operating system and the simple use of the external interface of the DPAPI, the application range of the DPAPI is very wide, and various applications and functions such as remote desktop passwords, FTP account passwords, wireless internet passwords, private key encryption of EFS, part of mailbox account passwords, internet surfing automatic forms of common browsers and the like are used. Therefore, the DPAPI encrypted data is analyzed, and the method has important significance in the electronic evidence obtaining industry.
In the Windows operating system, there are two types of DPAPI encrypted data, DPAPI encrypted data of the user storage area and DPAPI encrypted data of the system storage area, the DPAPI encrypted data of the user storage area is encrypted by using a key derived from a password of a user, and the DPAPI encrypted data of the system storage area is encrypted by using a key derived from a set of data in the registry.
At present, most evidence obtaining software analyzes DPAPI encrypted data in a field online mode, namely, an operating system where a data source is located is directly started or dynamically simulated, a corresponding account is logged in, evidence obtaining software is installed and started, encrypted data blocks of the DPAPI are decrypted by calling a CryptUnProtectData function in the evidence obtaining software, and finally, results are displayed on an interface. The method is easy to pollute a data source in the operation process, destroys the read-only property of evidence, directly depends on a target source operating system, and cannot decrypt data if the system is destroyed and cannot be started.
In addition, in the prior art, for the decryption of the DPAPI encrypted data in the user storage area, although the encrypted data at the user account level can be analyzed, the SID and the plaintext password corresponding to the user login account need to be known in advance, otherwise, the decryption cannot be performed. There is also a solution for offline parsing to decrypt the system storage area, that is, the DPAPI encrypted data at the system level of the local computer, but this solution can only obtain the DPAPI key of the system storage area, and cannot obtain the DPAPI key of the user storage area.
Disclosure of Invention
In order to solve the technical problems of difficult extraction, incapability of decrypting and the like of DPAPI (data processing application program interface) encrypted data in the prior art, the invention provides a method and a system for extracting a DPAPI key off-line based on a memory mirror image, so as to solve the technical problems.
According to an aspect of the present invention, a method for offline extracting a DPAPI key based on a memory mirror is provided, including:
s1: loading a memory mirror image, acquiring system version information from the memory mirror image, and extracting minimump of the lass.
S2: respectively carrying out Search Sign Apply Offset operation on different offsets of the flag bits of the Log Session Sign table corresponding to the system version in the lsasrv.dll memory range to obtain a Log Session List and a Log Session Count;
s3: obtaining a Cache Master Key corresponding to each Logon Session by a Cached Master Key structure in a memory range of a corresponding dynamic link library according to different system versions;
s4: respectively carrying out Search Sign Apply Offset operation on different offsets of flag bits of a corresponding system version Decrypt Key Sign table in an lsasrv.dll memory range to obtain 16-byte IV and Key3DES, and carrying out Search Sign Apply Offset operation on Key3DES to obtain Key AES;
s5: and decrypting according to the Cache Master Key, Key3DES, Key AES and IV to obtain the Master Key corresponding to each Logon Session.
In some specific embodiments, the Search Sign Apply Offset operation is specifically: and searching the flag bit to obtain a position Sign Base and Offset Sign Offset byte, reading the 4 bytes unsigned long integer in a small-end format and recording the unsigned long integer as Offset, wherein the result is Sign Base + Sign Offset +4+ Offset.
In some specific embodiments, the flag bit of one system version in the log Session Sign table has two offset information, offset 0 and offset 1, corresponding to the flag bit.
In some specific embodiments, step S2 specifically includes:
in the lsasrv.dll memory range, taking a flag bit corresponding to a Logon Session Sign table of a system version and Offset 0 as Sign Offset to perform Search Sign Apply Offset operation, acquiring a Logon Session Address List, and acquiring information of a login Session List according to a Logon Session structure;
and in the lsasrv.dll memory range, taking the flag bit of the Logon Session Sign table corresponding to the system version and the Offset 1 as Sign Offset to perform the Search Sign Apply Offset operation, and acquiring the Logon Session Count.
In some specific embodiments, three pieces of offset information, namely offset 0, offset 1 and offset 2, are correspondingly present in the flag bit of one system version in the decryption Key Sign table.
In some specific embodiments, step S4 specifically includes:
performing Search Sign Apply Offset operation on the mark bit of a Decrypt Key Sign table as Sign Offset in the lsasrv.dll memory range to obtain 16-byte IV;
in the lsasrv.dll memory range, taking Offset 1 in a zone bit of a Decrypt Key Sign table as Sign Offset to carry out Search Sign Apply Offset operation to obtain Decrypt Handle Address in a Decrypt Key structure, and then reading according to the Decrypt Key structure to obtain a Key Key3 DES;
and replacing the Sign Offset by an Offset 2 corresponding to the Decrypt Key Sign table, and repeatedly performing Search Sign Apply Offset operation to obtain the Key AES.
According to a second aspect of the invention, a computer-readable storage medium is proposed, on which one or more computer programs are stored, which when executed by a computer processor implement the method of any of the above.
According to a third aspect of the present invention, a system for offline extracting a DPAPI key based on a memory image is provided, where the system includes:
the memory mirror image loading unit is configured for loading a memory mirror image, acquiring system version information from the memory mirror image and extracting minimump of the lsass.
A Cache Master Key acquisition unit: the method comprises the steps that the Cache Master Key structure is configured and used for obtaining Cache Master Key corresponding to each Logon Session in a corresponding dynamic link library memory range according to different system versions;
an offset processing unit: the method comprises the steps that configuration is used for carrying out Search Sign Apply Offset operation on different offsets of flag bits corresponding to a Log Session Sign table of a system version in an lsasrv.dll memory range to obtain a Log Session List and a Log Session Count; respectively carrying out Search Sign Apply Offset operation on different offsets of flag bits of a corresponding system version Decrypt Key Sign table in an lsasrv.dll memory range to obtain 16-byte IV and Key3DES, and carrying out Search Sign Apply Offset operation on Key3DES to obtain Key AES;
a decryption unit: and the configuration is used for decrypting according to the Cache Master Key, Key3DES, Key AES and IV to obtain the Master Key corresponding to each Logon Session.
In some specific embodiments, the Search Sign Apply Offset operation is specifically: and searching the flag bit to obtain a position Sign Base and Offset Sign Offset byte, reading the 4 bytes unsigned long integer in a small-end format and recording the unsigned long integer as Offset, wherein the result is Sign Base + Sign Offset +4+ Offset.
In some specific embodiments, the flag bit of one system version in the log Session Sign table has two offset information, offset 0 and offset 1, corresponding to the flag bit.
In some specific embodiments, the offset processing unit specifically includes:
in the lsasrv.dll memory range, taking a flag bit corresponding to a Logon Session Sign table of a system version and Offset 0 as Sign Offset to perform Search Sign Apply Offset operation, acquiring a Logon Session Address List, and acquiring information of a login Session List according to a Logon Session structure;
and in the lsasrv.dll memory range, taking the flag bit of the Logon Session Sign table corresponding to the system version and the Offset 1 as Sign Offset to perform the Search Sign Apply Offset operation, and acquiring the Logon Session Count.
In some specific embodiments, three pieces of offset information, namely offset 0, offset 1 and offset 2, are correspondingly present in the flag bit of one system version in the decryption Key Sign table.
In some specific embodiments, the offset processing unit specifically includes:
performing Search Sign Apply Offset operation on the mark bit of a Decrypt Key Sign table as Sign Offset in the lsasrv.dll memory range to obtain 16-byte IV;
in the lsasrv.dll memory range, taking Offset 1 in a zone bit of a Decrypt Key Sign table as Sign Offset to carry out Search Sign Apply Offset operation to obtain Decrypt Handle Address in a Decrypt Key structure, and then reading according to the Decrypt Key structure to obtain a Key Key3 DES;
and replacing the Sign Offset by an Offset 2 corresponding to the Decrypt Key Sign table, and repeatedly performing Search Sign Apply Offset operation to obtain the Key AES.
The invention provides a method and a system for extracting a DPAPI key off-line based on a memory mirror image, which can extract and decrypt the key of encrypted data in a DPAPI system storage area and a user storage area without depending on an operating system where a target data source is located and knowing a user name and a password of a computer, and simultaneously meet the requirements of read-only operation and cross-platform decryption on an evidence source. The memory mirror image is loaded, the obtained DPAPI key field is obtained, and then the decrypted DPAPI Blob is called to obtain the plaintext of the DPAPI encrypted data, so that the evidence obtaining efficiency is improved, the memory mirror image and the hard disk mirror image only need to be manufactured on site, the memory mirror image and the hard disk mirror image can be reprocessed in a laboratory subsequently, and the purpose of reducing the site investigation pressure is achieved. And the method can be used for extracting the DPAPI key in the memory image, and avoids the problem that the key DPAPI key is lost possibly in the traditional method, so that important encrypted data cannot be decrypted. The data encrypted by DPAPI, such as a database capable of analyzing a password saved by the chromium, an Outlook encrypted database, a remote desktop password, an FTP account password, an Outlook account password, an IE and Chrome browser Internet access automatic form, a wireless Internet access password, an EFS private key encryption, an MSN Messenger password and the like.
Drawings
The accompanying drawings are included to provide a further understanding of the embodiments and are incorporated in and constitute a part of this specification. The drawings illustrate embodiments and together with the description serve to explain the principles of the invention. Other embodiments and many of the intended advantages of embodiments will be readily appreciated as they become better understood by reference to the following detailed description. Other features, objects and advantages of the present application will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings in which:
fig. 1 is a flowchart of a method for offline extracting a DPAPI key based on a memory image according to an embodiment of the present application;
fig. 2 is a diagram of a Logon Session structure according to a specific embodiment of the present application;
FIG. 3 is a block diagram of the Cached Master Key of a specific embodiment of the present application;
fig. 4 is a structural diagram of a decryption Key according to a specific embodiment of the present application;
FIG. 5 is a flow diagram of a method of extracting a DPAPI key according to a specific embodiment of the present application;
fig. 6 is a system framework diagram for offline extraction of DPAPI keys based on memory images according to an embodiment of the present application;
FIG. 7 is a schematic block diagram of a computer system suitable for use in implementing an electronic device of an embodiment of the present application;
fig. 8 is a diagram illustrating the effect of the method for extracting the DPAPI key according to a specific embodiment of the present application.
Detailed Description
The present application will be described in further detail with reference to the following drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the relevant invention and not restrictive of the invention. It should be noted that, for convenience of description, only the portions related to the related invention are shown in the drawings.
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
Fig. 1 shows a flowchart of a method for offline extracting a DPAPI key based on a memory image according to an embodiment of the present application. As shown in fig. 1, the method includes:
s101: and loading the memory mirror image, acquiring system version information from the memory mirror image, and extracting minimump of the lass. Minidump is a small dump file of an application program, and Minidump of an error process is extracted to be used for improving the speed and improving the efficiency.
S102: and respectively carrying out Search Sign Apply Offset operation on the different offsets of the flag bits of the Log Session Sign table corresponding to the system version in the lsasrv.
In a specific embodiment, the log Session Sign table stores a flag bit for acquiring a login Session and a corresponding offset, which includes two offsets, offset 0 and offset 1. Specifically, the following table 1 shows
TABLE 1 Logon Session Sign Table
Figure BDA0003407712390000061
If the system version is not in the table above, the closest system version may be referenced.
In a specific embodiment, the Search Sign Apply Offset operation specifically includes: and searching the flag bit to obtain a position Sign Base and Offset Sign Offset byte, reading the 4 bytes unsigned long integer in a small-end format and recording the unsigned long integer as Offset, wherein the result is Sign Base + Sign Offset +4+ Offset. Combining the table 1, in the step, performing Search Sign Offset operation by taking Offset 0 as Sign Offset in a zone bit corresponding to a system version LogonSessionsign table in the lsasrv.dll memory range to obtain a LogonSessionsessAddress List, and then obtaining information LogonSessionsistList of a login Session List according to a LogonSessionsetstructure; and in the lsasrv.dll memory range, taking the flag bit of the Logon Session Sign table corresponding to the system version and the Offset 1 as Sign Offset to perform the Search Sign Apply Offset operation, and acquiring the Logon Session Count.
S103: and obtaining the Cache Master Key corresponding to each Logon Session by a Cached Master Key structure in the memory range of the corresponding dynamic link library according to different system versions.
In a specific embodiment, information such as LogonId, SID, Domain and the like is recorded in the Logon Session structure, and can be used for acquiring a corresponding Master Key cache. A specific Logon Session structure is as shown in fig. 2, which is a structure diagram of a Logon Session according to a specific embodiment of the present application. The Cached Master Key structure records information such as Logon Id, Key Uid, Cached Master Key and the like, and the Cached Master Key corresponding to the Logon Id can be obtained through traversal. The specific Cached Master Key structure is as shown in fig. 3, which is a Cached Master Key structure diagram according to a specific embodiment of the present application, wherein DPAPISRV Base stores a dynamic link library memory Base address of the Cached Master Key, Windows8 and later versions are DPAPISRV.
S104: in lsasrv.dll memory range, Search Sign Apply Offset operation is carried out by different offsets of flag bits corresponding to a system version Decrypt Key Sign table to obtain 16-byte IV and Key3DES, and Search Sign Apply Offset operation is carried out on Key3DES to obtain Key AES.
In a specific embodiment, a Key for decrypting the Cached Master Key is recorded in the decryption Key structure. A specific Decrypt Key structure is as shown in fig. 4, which is a structure diagram of the Decrypt Key according to a specific embodiment of the present application. The Decrypt Key Sign table stores a flag bit and a corresponding offset for acquiring a decrypted CachedMasterKey, wherein the flag bit and the corresponding offset comprise offset 0, offset 1 and offset 2. The details are shown in table 2 below:
TABLE 2 Decrypt Key Sign Table
Figure BDA0003407712390000071
If the system version is not in the table above, the closest system version may be referenced.
In a specific embodiment, in combination with table 2, in this step, a Search Sign Apply Offset operation is performed on the lsasrv.dll memory range with Offset 0 in the flag bit of the decryption Key Sign table as Sign Offset to obtain an IV of 16 bytes; in the lsasrv.dll memory range, taking Offset 1 in a zone bit of a Decrypt Key Sign table as Sign Offset to carry out Search Sign Apply Offset operation to obtain Decrypt Handle Address in a Decrypt Key structure, and then reading according to the Decrypt Key structure to obtain a Key Key3 DES; and replacing the Sign Offset by an Offset 2 corresponding to the Decrypt Key Sign table, and repeatedly performing Search Sign Apply Offset operation to obtain the Key AES.
S105: and decrypting according to the Cache Master Key, Key3DES, Key AES and IV to obtain the Master Key corresponding to each Logon Session. Wherein, Master Key is DPAPI user Key/system Key.
With continuing reference to fig. 5, fig. 5 is a flow chart illustrating a method of extracting a DPAPI key according to a specific embodiment of the present application, as shown in fig. 5, the method comprising:
step 501: loading a memory mirror image, acquiring a version number and extracting minimump of the lsass.exe; then steps 5021, 5022 and 5023 are respectively executed;
step 5021: the parameters in table 1 are used to perform Search Sign Apply Offset operation (specifically, step 102 in the foregoing method), so as to obtain a Logon Session List and a Logon Session Count in step 5031;
step 5022: extracting a dynamic library of the Cached Master Key according to the structure to obtain the Cache Master Key in the step 5032;
step 5023: table 2 parameters are used to perform Search Sign Apply Offset operation (specifically, as step 104 in the foregoing method), and obtain IV, Key3DES, Key AES in step 5033
Step 504: judging whether the Cache Master Key is traversed or not, if not, entering step 505;
step 505: obtaining the next Cache Master Key;
step 506: judging whether the LogonID of the Cache Master Key is in the LogonSession List, if not, returning to the step 504, and if so, entering the step 507;
step 507: judging whether the length of the Cache Master Key is a multiple of 8, if so, entering a step 508, and if not, entering a step 509;
step 508: using Key AES and IV to carry out AES-CFB decryption on the Cache Master Key; obtaining a Master Key of step 510;
step 509: and 3DES-CBC decryption is carried out on the Cache Master Key by using Key AES and the first 8 bytes of IV to obtain the Master Key of the step 510.
In a specific embodiment, the password stored in the Chrome is encrypted by using AES, the encryption key is encrypted by a DPAPI User key and stored in% APPDATA \ Local \ Google \ Chrome \ User Data \ Local State, the encryption key is stored in an os _ crypt field by using base64, a string of character strings beginning with DPAPI is obtained by decoding, the character string after the head DPAPI character string is removed is the AES key encrypted by the User DPAPI, and the DPAPI is decrypted to obtain a key plaintext, that is, the password stored in the Chrome can be decrypted. The decryption effect graph is shown in fig. 8.
The Lsass.exe process of the Windows operating system is used for local security and login strategies, the encrypted DPAPI user key and the system key are cached in a process memory, and an initialization key used for decrypting the encrypted DPAPI user key and the system key plaintext is stored in a specific position of the memory. The method searches through the zone bit of the key position, reads the data of the memory offset of the specific module and decrypts the data, and therefore the DPAPI key is obtained. The method can be used for extracting the DPAPI key in the memory image, and the problem that the key DPAPI key is lost possibly in the traditional method, so that important encrypted data cannot be decrypted is avoided. And various data encrypted by using the DPAPI, such as a database of a password saved by the chromium, an Outlook encrypted database, a remote desktop password, an FTP account password, an Outlook account password, an IE and Chrome browser Internet access automatic form, a wireless Internet access password, EFS private key encryption, an MSN Messenger password and the like can also be analyzed.
With continued reference to fig. 6, fig. 6 illustrates a system framework diagram for offline extraction of DPAPI keys based on memory images, according to an embodiment of the present invention. The system specifically comprises a memory mirror image loading unit 601, a Cache Master Key acquisition unit 602, an offset processing unit 603 and a decryption unit 604, wherein the memory mirror image loading unit 601 is configured to load a memory mirror image, acquire system version information from the memory mirror image, and extract minimums of an lsass. exe process; the Cache Master Key obtaining unit 602 is configured to obtain, according to different system versions, a Cache Master Key corresponding to each log Session in a Cached Master Key structure in a corresponding dynamic link library memory range; the Offset processing unit 603 is configured to perform Search Sign Apply Offset operation on the lsasrv.dll memory range by using different offsets of the flag bits of the corresponding system version Logon Session Sign table to obtain a Logon Session List and a Logon Session Count; respectively carrying out Search Sign Apply Offset operation on different offsets of flag bits of a corresponding system version Decrypt Key Sign table in an lsasrv.dll memory range to obtain 16-byte IV and Key3DES, and carrying out Search Sign Apply Offset operation on Key3DES to obtain Key AES; the decryption unit 604 is configured to decrypt and obtain the Master Key corresponding to each log Session according to the Cache Master Key, Key3DES, Key AES, and IV.
Referring now to FIG. 7, shown is a block diagram of a computer system 700 suitable for use in implementing the electronic device of an embodiment of the present application. The electronic device shown in fig. 7 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
As shown in fig. 7, the computer system 700 includes a Central Processing Unit (CPU)701, which can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. In the RAM 703, various programs and data necessary for the operation of the system 700 are also stored. The CPU 701, the ROM 702, and the RAM 703 are connected to each other via a bus 704. An input/output (I/O) interface 705 is also connected to bus 704.
The following components are connected to the I/O interface 705: an input portion 706 including a keyboard, a mouse, and the like; an output section 707 including a display such as a Liquid Crystal Display (LCD) and a speaker; a storage section 708 including a hard disk and the like; and a communication section 709 including a network interface card such as a LAN card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read out therefrom is mounted into the storage section 708 as necessary.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 709, and/or installed from the removable medium 711. The computer program, when executed by a Central Processing Unit (CPU)701, performs the above-described functions defined in the method of the present application. It should be noted that the computer readable storage medium of the present application can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In this application, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable storage medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable storage medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C + +, or the like, as well as conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present application may be implemented by software or hardware.
As another aspect, the present application also provides a computer-readable storage medium, which may be included in the electronic device described in the above embodiments; or may exist separately without being assembled into the electronic device. The computer readable storage medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: loading a memory mirror image, acquiring system version information from the memory mirror image, and extracting minimump of the lass. Respectively carrying out Search Sign Apply Offset operation on different offsets of the flag bits of the Log Session Sign table corresponding to the system version in the lsasrv.dll memory range to obtain a Log Session List and a Log Session Count; obtaining a Cache Master Key corresponding to each Logon Session by a Cached Master Key structure in a memory range of a corresponding dynamic link library according to different system versions; respectively carrying out Search Sign Apply Offset operation on different offsets of flag bits of a corresponding system version Decrypt Key Sign table in an lsasrv.dll memory range to obtain 16-byte IV and Key3DES, and carrying out Search Sign Apply Offset operation on Key3DES to obtain Key AES; and decrypting according to the Cache Master Key, Key3DES, Key AES and IV to obtain the Master Key corresponding to each Logon Session.
The above description is only a preferred embodiment of the application and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the invention herein disclosed is not limited to the particular combination of features described above, but also encompasses other arrangements formed by any combination of the above features or their equivalents without departing from the spirit of the invention. For example, the above features may be replaced with (but not limited to) features having similar functions disclosed in the present application.

Claims (13)

1. A method for extracting a DPAPI key off-line based on a memory mirror image is characterized by comprising the following steps:
s1: loading a memory mirror image, acquiring system version information from the memory mirror image, and extracting minimump of the lsass.
S2: respectively carrying out Search Sign Apply Offset operation on different offsets of the flag bits of the Log Session Sign table corresponding to the system version in the lsasrv.dll memory range to obtain a Log Session List and a Log Session Count;
s3: obtaining a Cache Master Key corresponding to each Logon Session by a Cached Master Key structure in a memory range of a corresponding dynamic link library according to different system versions;
s4: respectively carrying out Search Sign Apply Offset operation on different offsets of flag bits of a corresponding system version Decrypt Key Sign table in an lsasrv.dll memory range to obtain 16-byte IV and Key3DES, and carrying out Search Sign Apply Offset operation on the Key3DES to obtain Key AES;
s5: and decrypting according to the Cache Master Key, Key3DES, Key AES and IV to obtain the Master Key corresponding to each Logon Session.
2. The method for offline extracting the DPAPI key based on the memory image according to claim 1, wherein the Search Sign Apply Offset operation specifically comprises: and searching the flag bit to obtain a position Sign Base and Offset Sign Offset byte, reading the 4 bytes unsigned long integer in a small-end format and recording the unsigned long integer as Offset, wherein the result is Sign Base + Sign Offset +4+ Offset.
3. The method for offline extracting the DPAPI key based on the memory mirror image as claimed in claim 2, wherein two offset information, offset 0 and offset 1, are correspondingly present in the flag bit of one system version in the Logon Session Sign table.
4. The method for offline extracting a DPAPI key based on memory mirroring according to claim 3, wherein the step S2 specifically includes:
in the lsasrv.dll memory range, taking a flag bit corresponding to a Logon Session Sign table of a system version and Offset 0 as Sign Offset to perform Search Sign Apply Offset operation, acquiring a Logon Session Address List, and acquiring information of a login Session List according to a Logon Session structure;
and in the lsasrv.dll memory range, taking the flag bit of the Logon Session Sign table corresponding to the system version and the Offset 1 as Sign Offset to perform the Search Sign Apply Offset operation, and acquiring the Logon Session Count.
5. The method for offline extracting the DPAPI Key based on the memory mirror image of claim 2, wherein three offset information, namely offset 0, offset 1 and offset 2, are correspondingly present in the flag bit of one system version in the decryption Key Sign table.
6. The memory image off-line DPAPI key extraction method according to claim 5, wherein the step S4 specifically includes:
performing Search Sign Apply Offset operation on the lsasrv.dll memory range by taking Offset 0 in the flag bit of the Decrypt Key Sign table as Sign Offset to obtain an IV with 16 bytes;
in the lsasrv.dll memory range, taking the Offset 1 in the zone bit of the Decrypt Key Sign table as Sign Offset to carry out Search Sign Apply Offset operation to obtain Decrypt Handle Address in a Decrypt Key structure, and then reading according to the Decrypt Key structure to obtain a Key Key3 DES;
and replacing the Sign Offset by an Offset 2 corresponding to the Decrypt Key Sign table, and repeatedly performing Search Sign Apply Offset operation to obtain the Key AES.
7. A computer-readable storage medium having one or more computer programs stored thereon, which when executed by a computer processor perform the method of any of claims 1 to 6.
8. A system for offline extraction of a DPAPI key based on memory mirroring, the system comprising:
the memory mirror image loading unit is configured for loading a memory mirror image, acquiring system version information from the memory mirror image and extracting minimump of the class.
A Cache Master Key acquisition unit: the method comprises the steps that the Cache Master Key structure is configured and used for obtaining Cache Master Key corresponding to each Logon Session in a corresponding dynamic link library memory range according to different system versions;
an offset processing unit: the method comprises the steps that configuration is used for carrying out Search Sign Apply Offset operation on different offsets of flag bits corresponding to a Log Session Sign table of a system version in an lsasrv.dll memory range to obtain a Log Session List and a Log Session Count; respectively carrying out Search Sign Apply Offset operation on different offsets of flag bits of a corresponding system version Decrypt Key Sign table in an lsasrv.dll memory range to obtain 16-byte IV and Key3DES, and carrying out Search Sign Apply Offset operation on the Key3DES to obtain Key AES;
a decryption unit: and the configuration is used for decrypting according to the Cache Master Key, Key3DES, Key AES and IV to obtain the Master Key corresponding to each Logon Session.
9. The system for offline extracting a DPAPI key based on memory mirroring according to claim 8, wherein the Search Sign Apply Offset operation specifically is: and searching the flag bit to obtain a position Sign Base and Offset Sign Offset byte, reading the 4 bytes unsigned long integer in a small-end format and recording the unsigned long integer as Offset, wherein the result is Sign Base + Sign Offset +4+ Offset.
10. The system for offline extracting the DPAPI key based on the memory mirror image as claimed in claim 9, wherein two offset information, offset 0 and offset 1, are correspondingly present in a flag bit of one system version in the Logon Session Sign table.
11. The system for offline extracting a DPAPI key based on memory mirroring of claim 10, wherein the offset processing unit specifically comprises:
in the lsasrv.dll memory range, taking a flag bit corresponding to a Logon Session Sign table of a system version and Offset 0 as Sign Offset to perform Search Sign Apply Offset operation, acquiring a Logon Session Address List, and acquiring information of a login Session List according to a Logon Session structure;
and in the lsasrv.dll memory range, taking the flag bit of the Logon Session Sign table corresponding to the system version and the Offset 1 as Sign Offset to perform the Search Sign Apply Offset operation, and acquiring the Logon Session Count.
12. The system for offline extraction of the DPAPI Key based on the memory image according to claim 9, wherein three offset information, namely offset 0, offset 1 and offset 2, are correspondingly present in a flag bit of a system version in the decryption Key Sign table.
13. The system for offline extracting a DPAPI key based on memory mirroring of claim 12, wherein the offset processing unit specifically comprises:
performing Search Sign Apply Offset operation on the lsasrv.dll memory range by taking Offset 0 in the flag bit of the Decrypt Key Sign table as Sign Offset to obtain an IV with 16 bytes;
in the lsasrv.dll memory range, taking the Offset 1 in the zone bit of the Decrypt Key Sign table as Sign Offset to carry out Search Sign Apply Offset operation to obtain Decrypt Handle Address in a Decrypt Key structure, and then reading according to the Decrypt Key structure to obtain a Key Key3 DES;
and replacing the Sign Offset by an Offset 2 corresponding to the Decrypt Key Sign table, and repeatedly performing Search Sign Apply Offset operation to obtain the Key AES.
CN202111521652.6A 2021-12-13 2021-12-13 Method and system for offline extraction of DPAPI key based on memory mirror image Pending CN114218128A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111521652.6A CN114218128A (en) 2021-12-13 2021-12-13 Method and system for offline extraction of DPAPI key based on memory mirror image

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111521652.6A CN114218128A (en) 2021-12-13 2021-12-13 Method and system for offline extraction of DPAPI key based on memory mirror image

Publications (1)

Publication Number Publication Date
CN114218128A true CN114218128A (en) 2022-03-22

Family

ID=80701489

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111521652.6A Pending CN114218128A (en) 2021-12-13 2021-12-13 Method and system for offline extraction of DPAPI key based on memory mirror image

Country Status (1)

Country Link
CN (1) CN114218128A (en)

Similar Documents

Publication Publication Date Title
US10958638B2 (en) Securely sharing confidential information in a document
US20170295013A1 (en) Method for fulfilling a cryptographic request requiring a value of a private key
TW201638798A (en) Database server and client for query processing on encrypted data
US20220121780A1 (en) Security Systems and Methods for Social Networking
CN107248984B (en) Data exchange system, method and device
US8874932B2 (en) Method for order invariant correlated encrypting of data and SQL queries for maintaining data privacy and securely resolving customer defects
JP5735539B2 (en) System, apparatus and method for encrypting and decrypting data transmitted over a network
US11582266B2 (en) Method and system for protecting privacy of users in session recordings
US7996892B2 (en) Method and apparatus for using a proxy to manage confidential information
WO2019233259A1 (en) Method and device for processing information
CN111163095A (en) Network attack analysis method, network attack analysis device, computing device, and medium
CN113806806A (en) Desensitization and restoration method and system for webpage screenshot
CN114547558B (en) Authorization method, authorization control device, equipment and medium
US9276742B1 (en) Unified storage and management of cryptographic keys and certificates
US20160292221A1 (en) Vertically partitioned databases
CN114218128A (en) Method and system for offline extraction of DPAPI key based on memory mirror image
CN112182603B (en) Anti-crawler method and device
CN114978934A (en) Information desensitization method and apparatus, electronic device, and computer-readable storage medium
CN110516468B (en) Method and device for encrypting memory snapshot of virtual machine
CN113221554A (en) Text processing method and device, electronic equipment and storage medium
CN112883397A (en) Data storage method, data reading method, device, equipment and storage medium
CN110543772A (en) Offline decryption method and device
CN113645239B (en) Application login method and device, user terminal and storage medium
CN109766161B (en) Method and system for generating water affair application based on configuration technology
CN109614788B (en) Audit information processing method and audit system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination