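/// <summary>
/// Decrypts the 32-byte block stored at offset 128 of the "F" value under
/// SAM\Domains\Account in the hive file referenced by <c>_samFile</c>.
/// The RC4 key is the MD5 digest of: the 16 bytes at offset 112 of the same value,
/// the ASCII bytes of <c>_aqwerty</c>, the supplied boot key, and the ASCII bytes of <c>_anum</c>.
/// </summary>
/// <param name="bootKey">Boot key bytes, as produced by <c>ExtractBootKey</c>. Must not be null.</param>
/// <returns>
/// The 32 decrypted bytes, or <c>null</c> when a registry key/value is missing, the value is too
/// short, or any other error occurs (the failure is reported through <c>OnError</c>).
/// The returned buffer is key material and should be handled as sensitive by the caller.
/// </returns>
private byte[] GenerateHashedBootKey(List<byte> bootKey)
{
    // Offsets and lengths inside the "F" value, exactly as this method has always read them.
    // NOTE(review): MD5 + RC4 here is dictated by the on-disk format being parsed, not a design
    // choice. This appears to be the older SAM key layout; hives written by newer Windows builds
    // reportedly protect this key with AES instead, in which case this method would return
    // meaningless bytes without reporting an error. Confirm, and reject unsupported layouts.
    const int saltOffset = 112;
    const int saltLength = 16;
    const int encOffset = 128;
    const int encLength = 32;

    try
    {
        // ExtractBootKey returns null on failure; report that explicitly instead of
        // letting it surface as a NullReferenceException in the generic handler.
        if (bootKey == null)
        {
            this.OnError("Unable to generate the hashed boot key: no boot key was supplied");
            return null;
        }

        RegParser regParser = new RegParser(_samFile);
        RegKey accountKey = regParser.RootKey.Key(@"SAM\Domains\Account");
        if (accountKey == null)
        {
            this.OnError("Unable to locate the following registry key: SAM\\SAM\\Domains\\Account");
            return null;
        }

        RegValue regValue = accountKey.Value("F");
        if (regValue == null)
        {
            this.OnError("Unable to locate the following registry key: SAM\\SAM\\Domains\\Account\\F");
            return null;
        }

        // The hive is untrusted input: validate type and size before copying at fixed
        // offsets, so a truncated or malformed value produces a specific error.
        byte[] fData = regValue.Data as byte[];
        if (fData == null || fData.Length < encOffset + encLength)
        {
            this.OnError("The registry value SAM\\SAM\\Domains\\Account\\F is not binary data or is too short");
            return null;
        }

        byte[] hashedBootKey = new byte[saltLength];
        Buffer.BlockCopy(fData, saltOffset, hashedBootKey, 0, saltLength);

        // Hash input order matters: salt block, first constant, boot key, second constant.
        List<byte> data = new List<byte>();
        data.AddRange(hashedBootKey);
        data.AddRange(Encoding.ASCII.GetBytes(_aqwerty));
        data.AddRange(bootKey);
        data.AddRange(Encoding.ASCII.GetBytes(_anum));

        // MD5 is IDisposable; release it deterministically.
        byte[] md5;
        using (MD5 hasher = MD5.Create())
        {
            md5 = hasher.ComputeHash(data.ToArray());
        }

        byte[] encData = new byte[encLength];
        byte[] encOutput = new byte[encLength];
        Buffer.BlockCopy(fData, encOffset, encData, 0, encLength);

        RC4Engine rc4Engine = new RC4Engine();
        rc4Engine.Init(true, new KeyParameter(md5));
        rc4Engine.ProcessBytes(encData, 0, encLength, encOutput, 0);

        return encOutput;
    }
    catch (Exception ex)
    {
        // Only the exception message is written to the event log; no key bytes are logged.
        this.OnError("An error occured whilst generating the hashed boot key");
        Misc.WriteToEventLog(Application.ProductName, ex.Message, EventLogEntryType.Error);
        return null;
    }
}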
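/// <summary>
/// Reads the boot key from the hive file referenced by <c>_systemFile</c>.
/// The current control set number is taken from the "Current" value of the Select key; the
/// class names of the JD, Skew1, GBG and Data keys under ControlSetNNN\Control\LSA are then
/// decoded from hexadecimal, concatenated in that order, and reordered through
/// <c>_permutationMatrix</c>.
/// </summary>
/// <returns>
/// The permuted boot key bytes, or <c>null</c> when a key or value cannot be found or any other
/// error occurs (the failure is reported through <c>OnError</c>).
/// The returned bytes are key material and should be handled as sensitive by the caller.
/// </returns>
private List<byte> ExtractBootKey()
{
    try
    {
        RegParser regParser = new RegParser(_systemFile);
        RegKey rootKey = regParser.RootKey;

        RegKey selectKey = rootKey.Key(@"Select");
        if (selectKey == null)
        {
            this.OnError("Unable to locate the following registry key: Select");
            return null;
        }

        RegValue regValueCcs = selectKey.Value("Current");
        if (regValueCcs == null)
        {
            this.OnError("Unable to locate the following registry key: Current");
            return null;
        }

        // Control sets are named with a three-digit, zero-padded number. The previous code
        // prefixed a fixed "00", which only yields a valid name for values 0-9.
        // Assumes Data renders as a plain decimal number, as the original concatenation did.
        string controlSet = "ControlSet" + Convert.ToString(regValueCcs.Data).PadLeft(3, '0');

        // The order of these keys defines the byte order of the unpermuted boot key.
        string[] lsaSubKeys = { "JD", "Skew1", "GBG", "Data" };

        List<byte> bootKeyTemp = new List<byte>();
        foreach (string subKey in lsaSubKeys)
        {
            string path = controlSet + "\\Control\\LSA\\" + subKey;

            RegKey lsaKey = rootKey.Key(path);
            if (lsaKey == null)
            {
                this.OnError("Unable to locate the following registry key: " + path);
                return null;
            }

            // The key fragment is carried in the key's class name, not in a value.
            string className = lsaKey.ClassName;
            if (className == null)
            {
                this.OnError("Unable to read the class name of the following registry key: " + path);
                return null;
            }

            // Decode the class name as pairs of hex digits; a trailing odd character is ignored,
            // and a non-hex character raises FormatException, handled by the catch below.
            for (int i = 0; i < className.Length / 2; i++)
            {
                bootKeyTemp.Add(Convert.ToByte(className.Substring(i * 2, 2), 16));
            }
        }

        // Reorder the collected bytes. If the hive yields a different number of bytes than
        // _permutationMatrix expects, the indexing throws and is reported by the catch below.
        List<byte> bootKey = new List<byte>();
        for (int index = 0; index < bootKeyTemp.Count; index++)
        {
            bootKey.Add(bootKeyTemp[_permutationMatrix[index]]);
        }

        return bootKey;
    }
    catch (Exception ex)
    {
        // Only the exception message is written to the event log; no key bytes are logged.
        this.OnError("An error occured whilst extracting the boot key");
        Misc.WriteToEventLog(Application.ProductName, ex.Message, EventLogEntryType.Error);
        return null;
    }
}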