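def main():
    """Dump account password hashes from a Windows memory image via Volatility.

    Command line:
        -mf FILE    memory image (.vmem) to analyse
        -p PATH     directory of the Volatility checkout, appended to sys.path
        --profile   Volatility profile; defaults to the previously hard-coded
                    "WinXPSP2x86" so existing invocations behave the same

    Locates the SAM and SYSTEM hive offsets through RegistryApi, stores them on
    the Volatility config object and hands it to the HashDump plugin, printing
    each result on its own line.  Prints a failure message if either hive is
    not found.

    NOTE(review): ``registry`` (presumably volatility.registry), ``conf``,
    ``commands``, ``addrspace``, ``RegistryApi`` and ``HashDump`` are expected
    to be imported at module level, outside this function -- confirm.
    """
    parser = argparse.ArgumentParser(description="Hashed password grabber")
    parser.add_argument("-mf", action="store", dest="file",
                        help="memory file(.vmem)")
    # A filesystem path is a string; the original ``type=int`` rejected every
    # real path at argument-parsing time.
    parser.add_argument("-p", action="store", dest="path",
                        help="path to volatility")
    parser.add_argument("--profile", action="store", dest="profile",
                        default="WinXPSP2x86",
                        help="volatility profile (default: WinXPSP2x86)")
    results = parser.parse_args()

    if results.file is None or results.path is None:
        parser.print_help()
        sys.exit(0)

    memory_file = results.file  # .vmem
    sys.path.append(results.path)
    registry.PluginImporter()
    config = conf.ConfObject()
    config.parse_options()
    config.PROFILE = results.profile
    config.LOCATION = "file://{0}".format(memory_file)

    registry.register_global_options(config, commands.Command)
    registry.register_global_options(config, addrspace.BaseAddressSpace)

    # Deliberately not named ``registry``: assigning to that name anywhere in
    # this function makes it a local for the whole body, so the
    # ``registry.PluginImporter()`` call above would raise UnboundLocalError.
    reg_api = RegistryApi(config)
    reg_api.populate_offsets()

    sam_offset, sys_offset = _find_hive_offsets(reg_api)

    # Checked after the loop, not inside it: the original placed this test in
    # the loop body with a dedented ``print`` (a SyntaxError).
    if sam_offset is None or sys_offset is None:
        print("[*]Failed to find the system or SAM offset.")
        return

    config.sys_offset = sys_offset
    config.sam_offset = sam_offset

    hashdump = HashDump(config)
    # ``entry`` rather than ``hash`` so the builtin is not shadowed.
    for entry in hashdump.calculate():
        print(entry)


def _find_hive_offsets(reg_api):
    """Return ``(sam_offset, sys_offset)`` found in ``reg_api.all_offsets``.

    ``all_offsets`` maps a hive offset to its name.  Each match is reported as
    it is found and the walk stops once both hives are located.  Either
    element is ``None`` when the corresponding hive was not seen.
    """
    sam_offset = None
    sys_offset = None
    for offset in reg_api.all_offsets:
        hive_name = reg_api.all_offsets[offset]
        if hive_name.endswith("\\SAM"):
            sam_offset = offset
            # ``%`` formatting: the original used ``"0x%08x".format(offset)``,
            # which printed the placeholder literally.
            print("[*]SAM: 0x%08x" % offset)
        if hive_name.endswith("\\system"):
            sys_offset = offset
            print("[*]System: 0x%08x" % offset)
        if sam_offset is not None and sys_offset is not None:
            break
    return sam_offset, sys_offset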
import volatility.commands as commands
import volatility.addrspace as addrspace

# Volatility configuration: parse the command line, pin the profile and point
# LOCATION at the memory image.  ``config`` and ``memory_file`` are created
# earlier, outside this excerpt.
config.parse_options()
config.PROFILE = "WinXPSP2x86"
config.LOCATION = "file://%s" % memory_file

# Register the command and address-space options on the config object before
# RegistryApi is constructed below.  ``registry`` here is the Volatility
# registry module imported earlier -- NOTE(review): import not in this excerpt.
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)

from volatility.plugins.registry.registryapi import RegistryApi
from volatility.plugins.registry.lsadump import HashDump

# Rebinding ``registry`` shadows the module used two statements above.  At
# module level that is harmless; inside a function body the same assignment
# would make every earlier ``registry.`` call raise UnboundLocalError.
registry = RegistryApi(config)
# Equivalent of running the hivelist plugin; fills registry.all_offsets.
registry.populate_offsets()

# Offsets of the two hives HashDump needs; filled in by the loop that follows.
sam_offset = None
sys_offset = None

for offset in registry.all_offsets:

    if registry.all_offsets[offset].endswith("\\SAM"):
        sam_offset = offset
        print("[*] SAM: 0x%08x" % offset)

    if registry.all_offsets[offset].endswith("\\system"):
        sys_offset = offset
        print("[*] System: 0x%08x" % offset)

    if sam_offset is not None and sys_offset is not None:
try:
    sys.path.append(
        "C:\\Python27\\Lib\\site-packages\\volatility")  # volatility 경로
    memory_file = raw_input(
        "Input Memory Image File( ex) .vmem ) :  ")  # 분석할 메모리 이미지
    registry.PluginImporter()
    config = conf.ConfObject()
    config.parse_options()
    config.PROFILE = raw_input(
        "Input Profile( ex) WinXPSP2x86) : "
    )  # https://github.com/volatilityfoundation/volatility
    config.LOCATION = memory_file
    registry.register_global_options(config, commands.Command)
    registry.register_global_options(config, addrspace.BaseAddressSpace)
    registry = RegistryApi(config)
    registry.populate_offsets(
    )  # populate_offsets 함수는 hivelist 명령을 실행하는 작업을 수행한다.
    sam_offset = None
    sys_offset = None
    for offset in registry.all_offsets:  # 발견된 하이브를 모두 확인
        if registry.all_offsets[offset].endswith("\\SAM"):  # SAM 하이브를 찾는다.
            sam_offset = offset
            print "[+] SAM : 0x%08x" % offset
        if registry.all_offsets[offset].endswith(
                "\\system"):  # SYSTEM 하이브를 찾는다.
            sys_offset = offset
            print "[+] System : 0x%08x" % offset
        if sam_offset is not None and sys_offset is not None:  # 두 하이브를 찾았을 경우
            config.sys_offset = sys_offset  # config 객체에 오프셋 저장
            config.sam_offset = sam_offset
            hashdump = HashDump(config)  # HashDump 객체 생성
            for hash in hashdump.calculate():  # 결과 출력
import volatility.commands as commands
import volatility.addrspace as addrspace

# Volatility configuration (Python 2 script): parse the command line, pin the
# profile and point LOCATION at the memory image.  ``config`` and
# ``memory_file`` are created earlier, outside this excerpt.
config.parse_options()
config.PROFILE = "WinXPSP2x86"
config.LOCATION = "file://%s" % memory_file

# Register the command and address-space options on the config object before
# RegistryApi is constructed below.  ``registry`` here is the Volatility
# registry module imported earlier -- NOTE(review): import not in this excerpt.
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)

from volatility.plugins.registry.registryapi import RegistryApi
from volatility.plugins.registry.lsadump import HashDump

# Rebinding ``registry`` shadows the module used two statements above.  At
# module level that is harmless; inside a function body the same assignment
# would make every earlier ``registry.`` call raise UnboundLocalError.
registry = RegistryApi(config)
# Equivalent of running the hivelist plugin; fills registry.all_offsets.
registry.populate_offsets()

# Offsets of the two hives HashDump needs; filled in by the loop that follows.
sam_offset = None
sys_offset = None

for offset in registry.all_offsets:

    if registry.all_offsets[offset].endswith("\\SAM"):
        sam_offset = offset
        print "[*] SAM: 0x%08x" % offset

    if registry.all_offsets[offset].endswith("\\system"):
        sys_offset = offset
        print "[*] System: 0x%08x" % offset

    if sam_offset is not None and sys_offset is not None:
config.parse_options(
)  # The rest is plain Volatility setup: this example only sets the profile and configuration options.
config.PROFILE = "WinXPSP2x86"
# ``config`` and ``memory_file`` are created earlier, outside this excerpt.
config.LOCATION = "file://%s" % memory_file

# Register the command and address-space options on the config object before
# RegistryApi is constructed below.  ``registry`` here is the Volatility
# registry module imported earlier -- NOTE(review): import not in this excerpt.
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)

# Now the actual hash-dump code.
from volatility.plugins.registry.registryapi import RegistryApi
from volatility.plugins.registry.lsadump import HashDump

# Rebinding ``registry`` shadows the module used above; harmless at module
# level, but the same assignment inside a function would raise UnboundLocalError.
registry = RegistryApi(
    config
)  # Create a RegistryApi instance, a helper class with commonly used registry functions; it takes only the current configuration as a parameter.
registry.populate_offsets(
)  # This call performs the equivalent of running the hivelist command covered earlier; it fills registry.all_offsets.

# Offsets of the two hives HashDump needs; filled in by the loop that follows.
sam_offset = None
sys_offset = None

for offset in registry.all_offsets:
    if registry.all_offsets[offset].endswith(
            "\\SAM"
    ):  # daha sonra sam ve sytem yerlerini arayan kesfedilen kovanlarin her birinde yurumeye baslariz.
        sam_offset = offset
        print "[*] SAM: 0x%08x" % offset

    if registry.all_offsets[offset].endswith("\\system"):
        sys_offset = offset
        print "[*] System: 0x%08x" % offset