Vulnerability Development mailing list archives
Re: Syskey
From: Nicola Cuomo <ncuomo () studenti unina it>
Date: Sat, 7 Sep 2002 00:38:24 +0200
Hi, I was studying the same subject some time ago in the free time between exams. An interesting thing to note is that Syskey.exe, if you change the way the bootkey is stored, uses these functions during the generation of the new bootkey:

SamiGetBootKeyInformation
SamiSetBootKeyInformation

imported from SAMLIB.DLL. I've not reverse engineered these functions but the names look promising ^_^;

From the RAZOR paper - Windows NT's SYSKEY feature (December 16, 1999) - I've deduced that, given the bootkey, restoring the non-syskeyed hash is a matter of applying RC4. (maybe just a wrong inference ^_^;;)

Moreover I've tried to contact Dmitry Andrianov to get the SAMDUMP source code but he still hasn't replied to my email (waiting ^_^).

When the key is stored in the registry (when you select the option to store the bootkey locally) it seems that its value is stored obfuscated in the following registry keys - value:

SYSTEM\CurrentControlSet\Control\Lsa\DATA - Pattern
SYSTEM\CurrentControlSet\Control\Lsa\GBG - GrafBlumGroup
SYSTEM\CurrentControlSet\Control\Lsa\JD - Lookup
SYSTEM\CurrentControlSet\Control\Lsa\Skew1 - SkewMatrix

If this is true (I've only seen that Winlogon.exe works on those keys during the login, as do Syskey.exe and LSASRV.DLL) and the obfuscation function is reversed, a serious security bug would be that the ACLs for these registry keys allow normal user access, making Syskey useless.

Still researching....

I know that my English is heavily broken, I only hope it's somewhat readable ^_^;;;;

Bye.

-- Nicola
mailto:ncuomo () studenti unina it
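The ACL concern raised in the post above can be checked directly on a host. This PowerShell script is an added example, not code from the post, from Syskey or from the RAZOR paper; it assumes the four Lsa subkeys named in the post exist under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa and reports any Allow rule that grants query rights to a broad, non-administrative principal.

```powershell
# Added example (not from the original post): audit the ACLs on the Lsa subkeys
# named in the post and report Allow rules that let broad, non-administrative
# principals query the key. Assumes the keys exist at these paths.
$lsaBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$subKeys = 'JD', 'Skew1', 'GBG', 'Data'

# Principals that amount to "normal user access" in the post's sense.
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# KEY_QUERY_VALUE is the right needed to query a key's information
# (RegQueryInfoKey), so it is the one an auditor cares about here.
$queryMask = [System.Security.AccessControl.RegistryRights]::QueryValues

$findings = foreach ($name in $subKeys) {
    $path = Join-Path -Path $lsaBase -ChildPath $name
    if (-not (Test-Path -Path $path)) {
        Write-Warning "$path is not present on this system"
        continue
    }
    $acl = Get-Acl -Path $path
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $who = $rule.IdentityReference.Value
        $grantsQuery = ($rule.RegistryRights -band $queryMask) -ne 0
        if ($grantsQuery -and ($broadPrincipals -contains $who)) {
            [pscustomobject]@{
                Key       = $path
                Principal = $who
                Rights    = $rule.RegistryRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No broad query access found on the Lsa bootkey subkeys.'
}
```

The Inherited column tells you whether a broad grant comes from the parent Lsa key's ACL or was set on the subkey itself, which is what you need to know before tightening it.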
Current thread:
- Syskey Michel Arboi (Sep 06)
- Re: Syskey Nicola Cuomo (Sep 06)