Dissecting the Security Account Manager (SAM) Structure
Article source: www.opengram.com
Article submission: refdom
HomePage: www.opengram.com
I. Summary
II. About SAM
III. The structure of the SAM database in the registry
IV. The structure and main content of the SAM database
V. Conclusions about SAM database analysis
I. Summary
The analysis of the Security Account Manager structure was done more than a month ago, but only fragmentary notes were kept and they were not posted. The main reason it was not released is that the Security Account Manager (SAM) is the core of Windows account management and is very systematic, and much of what I have is still only inference and guesswork. A modified SAM may also cause lsass.exe to fail when it loads the account manager at startup; even safe mode cannot repair this (safe mode startup must load the SAM as well), so the whole system crashes on boot (I usually need to rely on a second system to delete the SAM file before it will start). It is being released now mainly because of the concealment and harmfulness of the "Administrator" clone rootkit technique described by Adam and Ding. Familiarity with the structure of SAM can help security personnel do security testing (and, of course, it can also be exploited by people with bad intentions). Only the contents of SAM are introduced here; the Security-related parts are not public for the time being.
II. About SAM
Do not misunderstand SAM: it is not as simple as a file named sam. SAM (Security Accounts Manager) is responsible for the control and maintenance of the SAM database. The SAM database is located in the registry under HKLM\SAM\SAM and is protected by an ACL; you can open it with the regedt32.exe registry editor and set the appropriate permissions to view the contents of SAM. On disk, the SAM database is stored in the SAM file in the %systemroot%\system32\config\ directory. This directory also contains a security file, which holds the contents of the security database; there are many relations between the two.
The SAM database contains information about all groups and accounts, including password hashes, account SIDs, and so on. These are described in detail later. The analysis here uses my Chinese-language Win2K Adv Server as the example.
III. The structure of the SAM database in the registry
Expand the registry key HKLM\SAM\SAM\:
HKLM---SAM
   |---SAM
       |---Domains
       |   |---Account
       |   |   |---Aliases
       |   |   |   |---Members
       |   |   |   |---Names
       |   |   |---Groups
       |   |   |   |---00000201
       |   |   |   |---Names
       |   |   |       |---None
       |   |   |---Users
       |   |       |---000001F4
       |   |       |---000001F5
       |   |       |---000003E8
       |   |       |---000003E9
       |   |       |---Names
       |   |           |---Administrator
       |   |           |---Guest
       |   |           |---IUSR_REFDOM
       |   |           |---IWASM_REFDOM
       |   |---Builtin
       |       |---Aliases
       |       |   |---00000220
       |       |   |---00000221
       |       |   |---00000222
       |       |   |---00000223
       |       |   |---Members
       |       |   |   |---S-1-5-21-1214440339-706699826-1708537768
       |       |   |       |---000001F4
       |       |   |       |---000001F5
       |       |   |       |---000003E8
       |       |   |       |---000003E9
       |       |   |---Names
       |       |       |---Administrators
       |       |       |---Users
       |       |       |---Guests
       |       |       |---Power Users
       |       |---Groups
       |       |   |---Names
       |       |
       |       |---Users
       |           |---Names
       |
       |---RXACT
This is the SAM tree in the registry on my machine.
Comparing this with the contents of the SAM file, you can see that the SAM tree in the registry is in fact the same as in the SAM file. However, the SAM file lists RXACT first and then the Domains content (and so on); the order in the file is the reverse of the tree order in the registry. If you are used to looking at the file contents: from file offset 0000H to 0006Ch is a string indicating the location of the SAM database, \systemroot\system32\config\sam, and after it the file is blank until 01000h (hbin); from there on is the content of the entire database. The contents of the SAM database file are not covered separately, but they are interspersed in the discussion below; interested readers can study them on their own.
IV. The structure and main content of the SAM database
In the entire database, the main account contents are in the following locations:
Under \Domains\ is the SAM content for the domain (or the local machine), with two branches, "Account" and "Builtin".
\Domains\Account is the user account content.
\Domains\Account\Users holds the information for each account. Its subkeys are named after the relative identifier of each account's SID, such as 000001F4, and each account has two entries, F and V. \Names\ holds the user account names. Each account name has only one default entry, and the type of that entry is not a generic registry data type; instead it holds the last component (the relative identifier) of the SID that identifies the account. For the Administrator entry under it, for example, the type is 0x1F4, so the key 000001F4 above holds the content for the account name administrator. This shows the logic of Microsoft's account lookup.
Inference 1: looking at accounts from the registry structure, if you query information about an account named refdom, Microsoft first finds the type of the account name refdom, 0x3EB, and then finds the account content under the relative identifier (or SID) 000003EB. All API functions (such as NetUserEnum()) work this way. Therefore, if you change the type 0x3EB of the refdom account to 0x1F4, the account is directed to the account content of 000001F4. Since 000001F4 is the administrator account, during login the refdom account is completely converted into the administrator account: everything the refdom account uses is administrator's content, including password, permissions, desktop, records, access times, and so on. This inference should be true, but it would mean that two user names correspond to one user's information, and there should be an error at system startup!
The inference came out of the earlier analysis of the structure, and it reveals the association between the account name and the SID during and after the login process.
\Domains\Account\Users\000001F4 is the account information for administrator (other accounts are similar). It has two entries, V and F.
The V entry holds the basic information of the account: the user name, the user's full name, the group, the description, the password hash, the comment, whether the password can be changed, whether the account is enabled, the password set time, and so on. The F entry holds some login records, such as the last login time and the count of failed logins. One important item in it is the SID relative identifier for this account.
When I analyzed the structure before, I did not pay attention to this place; the idea was put forward by Adam. The point is that the SID relative identifier appears twice in the registry for one account: once as the key name 000001F4, and once in the content of the F entry, in the four bytes from 48 to 51: F4 01 00 00, which is actually a long-type variable, that is, 000001F4. When one identifier appears in two places, a synchronization problem can arise. Obviously, Microsoft has made this mistake. The two variables should have been unified to identify one user account, but Microsoft handles the two variables separately and does not synchronize them.
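The two identifiers described above, plus the type stored under \Names\, can be cross-checked to detect an account whose name or F entry points at another account's RID. The following is an added example, not code from the original article: the function names, the input layout (a name-to-type map and a key-to-F-bytes map, assumed to have been exported from the hive beforehand) and the sample data are all constructed for illustration.

```python
import struct
from collections import defaultdict

RID_OFFSET = 48  # per the article: bytes 48..51 of F hold the RID (little-endian long)

def f_value(rid, size=80):
    """Build a constructed F blob that carries `rid` at bytes 48..51."""
    blob = bytearray(size)
    struct.pack_into("<I", blob, RID_OFFSET, rid)
    return bytes(blob)

def audit_sam(names, users):
    """names: account name -> type of its Names\\<name> default entry (a RID).
    users: Users subkey name such as '000001F4' -> raw F bytes.
    Returns a sorted list of (finding, detail) tuples; empty when consistent."""
    findings = []
    by_rid = defaultdict(list)
    for name, rid in names.items():
        by_rid[rid].append(name)
        if f"{rid:08X}" not in users:
            findings.append(("name-without-user-key", f"{name} -> {rid:08X}"))
    for rid, owners in by_rid.items():
        if len(owners) > 1:  # two account names resolve to one account record
            findings.append(("shared-rid", f"{rid:08X} <- {', '.join(sorted(owners))}"))
    for key, f in users.items():
        key_rid = int(key, 16)
        if len(f) < RID_OFFSET + 4:
            findings.append(("short-f-value", key))
            continue
        (f_rid,) = struct.unpack_from("<I", f, RID_OFFSET)
        if f_rid != key_rid:  # key name and F entry disagree on the RID
            findings.append(("f-rid-mismatch", f"{key} holds {f_rid:08X}"))
        if key_rid not in by_rid:
            findings.append(("user-key-without-name", key))
    return sorted(findings)

# Constructed sample: refdom's Names type points at 0x1F4, and the F entry of
# 000003E9 carries 0x1F4 instead of its own RID.
SAMPLE_NAMES = {"Administrator": 0x1F4, "Guest": 0x1F5,
                "refdom": 0x1F4, "IUSR_REFDOM": 0x3E9}
SAMPLE_USERS = {"000001F4": f_value(0x1F4), "000001F5": f_value(0x1F5),
                "000003E9": f_value(0x1F4), "000003EB": f_value(0x3EB)}

if __name__ == "__main__":
    for kind, detail in audit_sam(SAMPLE_NAMES, SAMPLE_USERS):
        print(f"{kind:24} {detail}")
```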
The 000001F4 in the key name is used to correspond to the user name administrator, which makes it easy to look up account information by user; account-related API functions such as LookupAccountSid() and so on use it to locate user