forked from dfirfpi/dpapilab
-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathlsasecrets.py
53 lines (45 loc) · 2.51 KB
/
lsasecrets.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
#!/usr/bin/env python
# ############################################################################
## ##
## This file is part of DPAPIck ##
## Windows DPAPI decryption & forensic toolkit ##
## ##
## ##
## Copyright (C) 2010, 2011 Cassidian SAS. All rights reserved. ##
## This document is the property of Cassidian SAS, it may not be copied or ##
## circulated without prior licence ##
## ##
## Author: Jean-Michel Picod <jmichel.p@gmail.com> ##
## ##
## This program is distributed under GPLv3 licence (see LICENCE.txt) ##
## ##
#############################################################################
from DPAPI.Core import registry
import sys
from datetime import datetime
from optparse import OptionParser
if __name__ == "__main__":
parser = OptionParser()
parser.add_option("--system", metavar="HIVE", dest="system")
parser.add_option("--security", metavar="HIVE", dest="security")
parser.add_option("--secret", metavar="NAME", dest="secret")
parser.add_option("--hex", default=False, dest="hexencode", action="store_true")
(options, args) = parser.parse_args()
reg = registry.Regedit()
secrets = reg.get_lsa_secrets(options.security, options.system)
if options.secret is not None:
if secrets.get(options.secret) is not None:
if options.hexencode:
print secrets[options.secret]["CurrVal"].encode('hex')
print secrets[options.secret]["OldVal"].encode('hex')
else:
print secrets[options.secret]["CurrVal"]
print secrets[options.secret]["OldVal"]
else:
for i in secrets.keys():
for k, v in secrets[i].iteritems():
if k in ("CurrVal", "OldVal"):
print "\t".join([i, k, v.encode('hex') if options.hexencode else v])
elif k in ("OupdTime", "CupdTime"):
print "\t".join([i, k, datetime.utcfromtimestamp(v).isoformat(" ")])
# vim:ts=4:expandtab:sw=4