From: Alan Carre on 14 Dec 2008 17:13

I should also add (might be of interest) that "runas" doesn't use this function. Which was one of the places I went searching for an enumerate API:

The following:

C:\>dumpbin /imports C:\Windows\system32\runas.exe |find /i "enum"

Produces no output.

When unfiltered, it does produce a nice listing of possibly-interesting user-related functions to explore:

====================

dumpbin /imports runas.exe (slightly pruned)
-------------------------------------

ADVAPI32.dll

77DD96C4 20F SaferGetPolicyInformation
77DE494C 20E SaferGetLevelInformation
77E171AE 20D SaferCreateLevel
77DD2EC0 20C SaferComputeTokenFromLevel
77DE5382 60 CreateProcessAsUserW
77DD31D3 20B SaferCloseLevel
77E128D4 72 CredMarshalCredentialW
77DDBDE7 7B CredUnmarshalCredentialW
77E1239B 6B CredFree
77DDBB6F 85 CryptAcquireContextW
77DFBE2F 9A CryptGetProvParam
77DE042E 9F CryptReleaseContext
77E10682 61 CreateProcessWithLogonW

credui.dll

76C0961D 3 CredUIConfirmCredentialsW
76C09E37 1 CredUICmdLinePromptForCredentialsW

CRYPT32.dll

762D5773 32 CertFindCertificateInStore
762CE057 3C CertFreeCertificateContext
762C4EA4 F CertCloseStore
762CBB2E 46 CertGetNameStringW
762C7C4A 41 CertGetCertificateContextProperty
762F644A 52 CertOpenSystemStoreW

NETAPI32.dll

71C350BF 116 NetpGetDomainName
71C214BA 68 NetApiBufferFree
71C26365 111 NetpGetComputerName

=========================

- Alan Carre
From: Alan Carre on 14 Dec 2008 17:46

"Ketchup" <ketchup(a)ketchup.com> wrote in message news:OURmNLjXJHA.760(a)TK2MSFTNGP02.phx.gbl...
> Alan, thanks. I believe this approach would create too many forensics
> artifacts on the machine. I am interested in a more stealthy approach.
> I am actually copying files and reading them offline. There will be no
> issue with locking or user permissions.

Hmm, offline eh. I guess Tommy pointed you towards some source code that might help.

Note that it still might be necessary to impersonate the user (in one form or another) since it's actually a full copy of NTUSER.DAT which is, as far as I know, tied into at least part of the user's SID [for obvious security reasons]. I'm assuming that when you "save as hive" that information is stripped away [i.e. no username/password required for access].

I remember once I wanted to retrieve some encrypted files from my machine after a hardware malfunction [CPU overheated and died] where I had to reinstall the OS. I couldn't read the files but I still had the user name (myself) and I knew the password (my own password). So I went online and found this...

http://www.beginningtoseethelight.org/efsrecovery/

So I created an account that had the same username/password and same "user #". Luckily user 1003 or whatever was available so I used the trick described in there under "recovery with the original profile in the file system" (which I had obviously) to make sure that the next user was going to have that number and created it with the correct password. After logon I could recover the encrypted files, and decrypt them!

I'll never make that mistake again...

Anyway, there's a lot of useful info in there that could help you in this scenario. Particularly recovering encrypted files *without* the original file system intact. That's certainly similar to what you're trying to do as NTUSER.DAT will be tied into the user's SID in much the same way as encrypted files are.

I'd be quite surprised if that wasn't the case.

- Alan Carre
From: daniel on 15 Dec 2008 07:09

You can only load a hive with RegLoadKey as an immediate subkey of HKLM and not as one of its subkeys. Your process must have SE_BACKUP_NAME and SE_RESTORE_NAME privileges enabled. The hive will be a volatile key.

Another option is to use RegRestoreKey which allows you to place the loaded hive anywhere in the registry.

//Daniel

"Ketchup" <ketchup(a)ketchup.com> wrote in message news:ObAswEhXJHA.868(a)TK2MSFTNGP06.phx.gbl...
> First, I apologize if I am posting this in the wrong newsgroup. I
> searched for a while and couldn't figure out where this goes.
>
> I am trying to figure out if I can open a registry storage file and read
> data from it. The files that I specifically need to open are the ones for
> users that are not currently logged on, the NTUSER.DAT files. I am
> assuming that the procedure would be similar for SYSTEM and SOFTWARE. I
> have been reading the win32 documentation on the Registry and can't quite
> figure out how to do this. RegLoadAppKey function appears to be able to
> load entire hives, but the documentation says that the keys cannot be
> enumerated. How do I load an entire hive into memory and retrieve values
> from it?
>
> thanks!
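As an added example (not code from anyone in this thread), the PowerShell script below does what Daniel and the reg.exe LOAD approach describe from an analyst's side: it mounts a copied NTUSER.DAT as an immediate subkey of HKLM from an elevated session, reads two keys commonly checked in a user hive, and unloads the hive again. The hive path, the mount name OfflineUser, and the elevation check are assumptions of this example.

```powershell
# Added example: mount a copied NTUSER.DAT offline under HKLM, read two
# keys, then unload it. Assumes an elevated PowerShell session and that
# $HivePath points at a copy of a user's NTUSER.DAT (hypothetical path).
# reg.exe enables SE_BACKUP_NAME / SE_RESTORE_NAME for the load itself,
# but only an administrator holds those privileges, so check for that first.
param(
    [string]$HivePath  = 'C:\Forensics\copies\NTUSER.DAT',   # hypothetical
    [string]$MountName = 'OfflineUser'                        # HKLM\OfflineUser
)

$isAdmin = ([Security.Principal.WindowsPrincipal] `
    [Security.Principal.WindowsIdentity]::GetCurrent()
).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run elevated: loading a hive needs SeBackup/SeRestore privileges.' }
if (-not (Test-Path -LiteralPath $HivePath)) { throw "Hive not found: $HivePath" }

# A hive can only be mounted directly under HKLM or HKU, not deeper.
$mountKey = "HKLM\$MountName"
& reg.exe load $mountKey $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed with exit code $LASTEXITCODE" }

try {
    $root = "HKLM:\$MountName"

    # Per-user autostart entries: a frequent persistence location.
    $run = Get-ItemProperty -Path "$root\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if ($run) {
        $run.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "{0,-30} {1}" -f $_.Name, $_.Value }
    }

    # Paths the user typed into the Explorer address bar (url1, url2, ...).
    $typed = Get-ItemProperty -Path "$root\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths" -ErrorAction SilentlyContinue
    if ($typed) {
        $typed.PSObject.Properties |
            Where-Object { $_.Name -like 'url*' } |
            ForEach-Object { "{0,-30} {1}" -f $_.Name, $_.Value }
    }
}
finally {
    # The registry provider may still hold handles into the mounted hive;
    # release them, otherwise reg.exe unload fails with "access denied".
    [GC]::Collect()
    & reg.exe unload $mountKey | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg.exe unload failed ($LASTEXITCODE); handles still open?" }
}
```

Work on a copy of the hive, as Ketchup intends, because a live NTUSER.DAT is locked while its user is logged on.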
From: m on 15 Dec 2008 18:38

I'm sorry if I misunderstood your suggestion - keep in mind that even admins can't just impersonate users without their passwords.

There is, of course, no reason for RunAs to get a list of users because if the one that you pass it doesn't exist, it will just get an error (no mapping between account name and SID or something like it). It would be prohibitively difficult to validate the username too because in an enterprise AD environment, there may be many domains to look in or it may be an account managed by another, possibly 3rd party, system with a trust relationship.

"Alan Carre" <alan(a)twilightgames.com> wrote in message news:%232iYwkjXJHA.552(a)TK2MSFTNGP06.phx.gbl...
> I should also add (might be of interest) that "runas" doesn't use this
> function. Which was one of the places I went searching for an enumerate
> API:
>
> The following:
>
> C:\>dumpbin /imports C:\Windows\system32\runas.exe |find /i "enum"
>
> Produces no output.
>
> When unfiltered, it does produce a nice listing of possibly-interesting
> user-related functions to explore:
>
> ====================
>
> dumpbin /imports runas.exe (slightly pruned)
> -------------------------------------
>
> ADVAPI32.dll
>
> 77DD96C4 20F SaferGetPolicyInformation
> 77DE494C 20E SaferGetLevelInformation
> 77E171AE 20D SaferCreateLevel
> 77DD2EC0 20C SaferComputeTokenFromLevel
> 77DE5382 60 CreateProcessAsUserW
> 77DD31D3 20B SaferCloseLevel
> 77E128D4 72 CredMarshalCredentialW
> 77DDBDE7 7B CredUnmarshalCredentialW
> 77E1239B 6B CredFree
> 77DDBB6F 85 CryptAcquireContextW
> 77DFBE2F 9A CryptGetProvParam
> 77DE042E 9F CryptReleaseContext
> 77E10682 61 CreateProcessWithLogonW
>
> credui.dll
>
> 76C0961D 3 CredUIConfirmCredentialsW
> 76C09E37 1 CredUICmdLinePromptForCredentialsW
>
> CRYPT32.dll
>
> 762D5773 32 CertFindCertificateInStore
> 762CE057 3C CertFreeCertificateContext
> 762C4EA4 F CertCloseStore
> 762CBB2E 46 CertGetNameStringW
> 762C7C4A 41 CertGetCertificateContextProperty
> 762F644A 52 CertOpenSystemStoreW
>
> NETAPI32.dll
>
> 71C350BF 116 NetpGetDomainName
> 71C214BA 68 NetApiBufferFree
> 71C26365 111 NetpGetComputerName
>
> =========================
>
> - Alan Carre
From: m on 15 Dec 2008 18:45

What hive were you hoping to create? AFAIK the hives are (semi) static; look at the description of the registry in MSDN:

http://msdn.microsoft.com/en-us/library/ms724182(VS.85).aspx

"Ketchup" <ketchup(a)ketchup.com> wrote in message news:OfGn2JjXJHA.5828(a)TK2MSFTNGP03.phx.gbl...
> They appear to be using the reg.exe LOAD command to load the registry into
> a subkey of one of the already initialized hives on the system. I should
> be able to mimic this using RegLoadKey, although I was hoping to be able
> to create an entirely new hive. Thanks, this link was very helpful!
>
> "Tommy" <bad(a)reallybad.com> wrote in message
> news:uvUwKoiXJHA.5064(a)TK2MSFTNGP02.phx.gbl...
>> Ketchup wrote:
>>> First, I apologize if I am posting this in the wrong newsgroup. I
>>> searched for a while and couldn't figure out where this goes.
>>>
>>> I am trying to figure out if I can open a registry storage file and read
>>> data from it. The files that I specifically need to open are the ones
>>> for users that are not currently logged on, the NTUSER.DAT files. I am
>>> assuming that the procedure would be similar for SYSTEM and SOFTWARE. I
>>> have been reading the win32 documentation on the Registry and can't
>>> quite figure out how to do this. RegLoadAppKey function appears to be
>>> able to load entire hives, but the documentation says that the keys
>>> cannot be enumerated. How do I load an entire hive into memory and
>>> retrieve values from it?
>>
>> I was just able to do it from an embedded XP boot CD with this
>> application:
>>
>> http://regeditpe.sourceforge.net/
>>
>> This comes with source code, but it asked too many questions, which hive,
>> what users, etc, and there was a 2nd editor which was quick to load (I don't
>> remember off hand the name). However, I see now from the web page, the
>> one I had was a 2006 version and the new one at the above web site is a
>> 2007 version and from the instructions, no QUESTIONS are asked, it just
>> loads like the other one I was using.
>>
>> Of course, this is offline when the OS is locking the files. But maybe
>> you can see from the source code what it is doing.
>>
>> --