예제 #1
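        /// <summary>
        /// Reads the "F" value of the <c>SAM\Domains\Account</c> key from the SAM hive file and
        /// RC4-decrypts 32 bytes of it with a key derived from the supplied boot key.
        /// </summary>
        /// <remarks>
        /// The RC4 key is MD5(16 bytes at offset 112 of "F" + <c>_aqwerty</c> + boot key + <c>_anum</c>);
        /// the decrypted input is the 32 bytes at offset 128 of "F". MD5 and RC4 appear here only
        /// because the data being read was protected with them; neither is suitable for new designs.
        /// NOTE(review): the offsets are fixed and no format/revision field is checked, so a hive
        /// that stores this block in a different layout would yield meaningless bytes instead of
        /// an error. Confirm which hive formats this is expected to handle.
        /// The result is secret key material: keep it out of logs, event-log entries and dumps.
        /// </remarks>
        /// <param name="bootKey">Boot key bytes, as returned by <c>ExtractBootKey</c>; may be null if that call failed.</param>
        /// <returns>The 32 decrypted bytes, or null after reporting the failure through <c>OnError</c>.</returns>
        private byte[] GenerateHashedBootKey(List <byte> bootKey)
        {
            const int saltOffset      = 112;
            const int saltLength      = 16;
            const int encryptedOffset = 128;
            const int encryptedLength = 32;

            try
            {
                // The boot key comes from a method that returns null on failure, so reject
                // it up front rather than relying on a NullReferenceException further down.
                if (bootKey == null)
                {
                    this.OnError("An error occured whilst generating the hashed boot key");
                    return(null);
                }

                RegParser regParser = new RegParser(_samFile);
                RegKey    accountKey = regParser.RootKey.Key(@"SAM\Domains\Account");

                if (accountKey == null)
                {
                    this.OnError("Unable to locate the following registry key: SAM\\SAM\\Domains\\Account");
                    return(null);
                }

                RegValue regValue = accountKey.Value("F");
                if (regValue == null)
                {
                    this.OnError("Unable to locate the following registry key: SAM\\SAM\\Domains\\Account\\F");
                    return(null);
                }

                // The hive file is untrusted input: make sure the value really is a byte
                // buffer long enough for both fixed-offset reads before copying from it.
                byte[] fData = regValue.Data as byte[];
                if (fData == null || fData.Length < encryptedOffset + encryptedLength)
                {
                    this.OnError("Unexpected format for the following registry value: SAM\\SAM\\Domains\\Account\\F");
                    return(null);
                }

                byte[] salt = new byte[saltLength];
                Buffer.BlockCopy(fData, saltOffset, salt, 0, saltLength);

                List <byte> data = new List <byte>();
                data.AddRange(salt);
                data.AddRange(Encoding.ASCII.GetBytes(_aqwerty));
                data.AddRange(bootKey);
                data.AddRange(Encoding.ASCII.GetBytes(_anum));

                // MD5 is IDisposable; release it deterministically.
                byte[] rc4Key;
                using (MD5 md5Hasher = MD5.Create())
                {
                    rc4Key = md5Hasher.ComputeHash(data.ToArray());
                }

                byte[] encData   = new byte[encryptedLength];
                byte[] encOutput = new byte[encryptedLength];

                Buffer.BlockCopy(fData, encryptedOffset, encData, 0, encryptedLength);

                RC4Engine rc4Engine = new RC4Engine();
                rc4Engine.Init(true, new KeyParameter(rc4Key));
                rc4Engine.ProcessBytes(encData, 0, encryptedLength, encOutput, 0);

                // NOTE(review): nothing here verifies that decryption used the right key;
                // a wrong boot key still produces 32 bytes.
                return(encOutput);
            }
            catch (Exception ex)
            {
                // Only the exception message goes to the event log; never add key bytes to it.
                this.OnError("An error occured whilst generating the hashed boot key");
                Misc.WriteToEventLog(Application.ProductName, ex.Message, EventLogEntryType.Error);
                return(null);
            }
        }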
예제 #2
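        /// <summary>
        /// Rebuilds the boot key from the SYSTEM hive file: the class names of the
        /// <c>JD</c>, <c>Skew1</c>, <c>GBG</c> and <c>Data</c> subkeys under
        /// <c>ControlSet00n\Control\LSA</c> are hex-decoded, concatenated in that order and
        /// reordered through <c>_permutationMatrix</c>.
        /// </summary>
        /// <remarks>
        /// The control set number comes from the <c>Select\Current</c> value and is appended to
        /// the literal "ControlSet00". NOTE(review): that yields a wrong key name if the value
        /// has more than one digit; confirm the type and range of <c>RegValue.Data</c>.
        /// The hive file is untrusted input. Malformed class names (non-hex text, or a total
        /// length that does not match the permutation table) surface as exceptions that the
        /// catch block turns into a null result.
        /// The returned bytes are secret key material and must not be logged.
        /// </remarks>
        /// <returns>The permuted boot key, or null after reporting the failure through <c>OnError</c>.</returns>
        private List <byte> ExtractBootKey()
        {
            try
            {
                RegParser regParser = new RegParser(_systemFile);
                RegKey    rootKey   = regParser.RootKey;

                RegKey selectKey = rootKey.Key(@"Select");
                if (selectKey == null)
                {
                    this.OnError("Unable to locate the following registry key: Select");
                    return(null);
                }

                RegValue regValueCcs = selectKey.Value("Current");
                if (regValueCcs == null)
                {
                    this.OnError("Unable to locate the following registry key: Current");
                    return(null);
                }

                string lsaPath = "ControlSet00" + regValueCcs.Data + "\\Control\\LSA\\";

                // Order matters: the permutation below indexes into this concatenation.
                string[] subKeyNames = { "JD", "Skew1", "GBG", "Data" };

                List <byte> bootKeyTemp = new List <byte>();
                foreach (string subKeyName in subKeyNames)
                {
                    string keyPath = lsaPath + subKeyName;

                    RegKey partKey = rootKey.Key(keyPath);
                    if (partKey == null)
                    {
                        this.OnError("Unable to locate the following registry key: " + keyPath);
                        return(null);
                    }

                    string className = partKey.ClassName;
                    if (className == null)
                    {
                        this.OnError("Unable to read the class name of the following registry key: " + keyPath);
                        return(null);
                    }

                    // Two hex characters per byte; integer division drops a trailing odd character.
                    for (int i = 0; i < className.Length / 2; i++)
                    {
                        bootKeyTemp.Add(Convert.ToByte(className.Substring(i * 2, 2), 16));
                    }
                }

                List <byte> bootKey = new List <byte>(bootKeyTemp.Count);
                for (int index = 0; index < bootKeyTemp.Count; index++)
                {
                    bootKey.Add(bootKeyTemp[_permutationMatrix[index]]);
                }

                return(bootKey);
            }
            catch (Exception ex)
            {
                // Only the exception message goes to the event log; never add key bytes to it.
                this.OnError("An error occured whilst extracting the boot key");
                Misc.WriteToEventLog(Application.ProductName, ex.Message, EventLogEntryType.Error);
                return(null);
            }
        }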