Skip to content

☆ 对"F"的Hacking

https://scz.617.cn/windows/200401082223.txt

HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account\Users\000001F4 F REG_BINARY V REG_BINARY

缺省情况下只有SYSTEM有权读、写"HKEY_LOCAL_MACHINE\SECURITY"。Administrator 有READ_CONTROL、WRITE_DAC这两种权限,因此可以先改变注册表权限设置,再读访 问之。

写了一个小程序,一条龙式地完成修改注册表权限,读访问"F"、"V",以16进制方式 转储数据,恢复注册表设置。发现"F"的数据固定长80字节,"V"的数据则长度不定。


0x000001F4

byteArray [ 80 bytes ] -> 00000000 02 00 01 00 00 00 00 00-80 05 EB 31 D6 D5 C3 01 ...........1.... 00000010 00 00 00 00 00 00 00 00-80 59 BA 6C CC BF C3 01 .........Y.l.... 00000020 FF FF FF FF FF FF FF 7F-60 66 EE 15 B7 D5 C3 01 ........`f...... 00000030 F4 01 00 00 01 02 00 00-10 02 00 00 00 00 00 00 ................ 00000040 00 00 F1 00 01 00 00 00-00 00 0D 00 0A 00 00 00 ................

0x000001F5

byteArray [ 80 bytes ] -> 00000000 02 00 01 00 00 00 00 00-70 36 52 72 C1 9D C3 01 ........p6Rr.... 00000010 00 00 00 00 00 00 00 00-10 EA 66 2D C0 9D C3 01 ..........f-.... 00000020 00 00 00 00 00 00 00 00-E0 36 27 F5 B5 D5 C3 01 .........6'..... 00000030 F5 01 00 00 01 02 00 00-15 02 00 00 00 00 00 00 ................ 00000040 04 00 00 00 00 00 00 00-00 00 0D 00 0A 00 00 00 ................

0x000003E8

byteArray [ 80 bytes ] -> 00000000 02 00 01 00 00 00 00 00-10 6C 93 92 64 77 C3 01 .........l..dw.. 00000010 00 00 00 00 00 00 00 00-A0 C7 04 0C CB D4 C3 01 ................ 00000020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00000030 E8 03 00 00 01 02 00 00-11 02 00 00 00 00 00 00 ................ 00000040 00 00 09 00 00 00 00 00-00 00 00 00 00 84 44 00 ..............D.

0x000003EA

byteArray [ 80 bytes ] -> 00000000 02 00 01 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00000010 00 00 00 00 00 00 00 00-70 E0 89 CB 57 BC C2 01 ........p...W... 00000020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00000030 EA 03 00 00 01 02 00 00-11 02 00 00 00 00 00 00 ................ 00000040 00 00 00 00 00 00 00 00-00 00 00 00 00 84 44 00 ..............D.

0x000003EB

byteArray [ 80 bytes ] -> 00000000 02 00 01 00 00 00 00 00-70 90 88 6E 86 CA C3 01 ........p..n.... 00000010 00 00 00 00 00 00 00 00-30 AA 02 36 CA D4 C3 01 ........0..6.... 00000020 00 00 00 00 00 00 00 00-C0 4A 54 9F CA BF C3 01 .........JT..... 00000030 EB 03 00 00 01 02 00 00-11 00 00 00 00 00 00 00 ................ 00000040 00 00 05 00 00 00 00 00-00 00 00 00 00 84 44 00 ..............D.


参"SamrQueryInformationUser(36) level 21查询的响应报文解码":

https://scz.617.cn/network/200312241426.txt

对一连串的0x01C3...太敏感了,毕竟是自己费心计算过的数据。试着手工解码"F", 以0x000001F4为例:


02 00 01 00 00 00 00 00 意义不明 观察上述5组数据,这8个字节未变化 80 05 EB 31 D6 D5 C3 01 FILETIME型的"Last logon time" 00 00 00 00 00 00 00 00 FILETIME型的未知时间 总为0,似乎是"Last logoff time" 80 59 BA 6C CC BF C3 01 FILETIME型的"Password last set time",注意不是 Ethereal解码中的那个"PWD Last Set",Ethereal解 错了,实际对应Ethereal解码中的"Kickoff Time" FF FF FF FF FF FF FF 7F FILETIME型的未知时间 开始误以为对应"Password must change time" 60 66 EE 15 B7 D5 C3 01 FILETIME型的未知时间 开始误以为对应"Password can change time" F4 01 00 00 DWORD型的"User RID",500 01 02 00 00 DWORD型的"User primary group RID",513 10 02 00 00 DWORD型的"User flags", 也就是Ethereal解码中的"Account Control" 00 00 00 00 意义不明 00 00 总为0,似乎是USHORT型的"Bad Pwd Count" F1 00 USHORT型的"Num of user logged on ok",241 01 00 00 00 对于Administrator,这里是0x00000001,观察上述 5组数据,其它帐号,这里是0x00000000,不清楚是 什么意义,也可能是填充数据 00 00 未知 0D 00 0A 00 00 00 意义不明 观察上述5组数据,另一种可能是00 00 00 84 44 00


为了写程序方便,Hacking一个C风格的结构出来:


pragma pack( push, 1 )

/ * 自己Hacking得到的结构,不可靠。注意,起名SAM_RID_F_VALUE,对应 * HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account\Users\000001F4 * 以区别如下位置的"F"、"V" * HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account / typedef struct _SAM_RID_F_VALUE { BYTE Unknown_000[8]; // +0x000,似乎总为"02 00 01 00 00 00 00 00" FILETIME LastLogonTime; // +0x008 FILETIME LastLogoffTime; // +0x010,似乎总为0 FILETIME PwdLastSetTime; // +0x018,以修正后的解码为准,Ethereal解错了 FILETIME Unknown_020; // +0x020 FILETIME Unknown_028; // +0x028 DWORD UserRid; // +0x030,比如0x000001F4/500 DWORD UserPrimaryGid; // +0x034,比如0x00000201/513 DWORD UserFlags; // +0x038,参Ethereal解码中的"Account Control" DWORD Unknown_03C; // +0x03c WORD BadPwdCount; // +0x040,the number of times the user // tried to log on to the account using // an incorrect password WORD NumLogonsOk; // +0x042,Num of user logged on ok BYTE Unknown_044[12]; // +0x044 // +0x050 } SAM_RID_F_VALUE, PSAM_RID_F_VALUE, *PPSAM_RID_F_VALUE;

pragma pack( pop )


Petter Nordahl-Hagen在他的sam.h中也Hacking了"F"的结构([20]),几个时间域并 不正确,此外没有找出UserPrimaryGid。不过我在此处又多了一个教训,手边的文档 一定要多翻,留在那里不看的,不如不收集。正准备Hacking "V"结构,发现sam.h中 已经有了,可以少走很多弯路。

☆ 参考资源

[20] Offline NT Password & Registry Editor - Petter Nordahl-Hagen http://home.eunet.no/~pnordahl/ntpasswd/