Method for acquiring logged-on user password from memory mirroring documents of 64-bit Windows operation system

A memory-imaging and operating-system technique applied to recovering the plaintext passwords of logged-in users; it addresses the long time otherwise needed to recover such a password and yields an accurate analysis method.

Active Publication Date: 2016-08-24
SHANDONG COMP SCI CENTNAT SUPERCOMP CENT IN JINAN
Cites 3 documents; cited by 7.

AI Technical Summary

Problems solved by technology

Since then, the analysis and acquisition of physical memory has become a hotspot in computer forensics research. However, when users log in to the computer system, their passwords are stored in ciphertext. Memory analysis can yield the corresponding NT hash or LM hash value, but recovering the password plaintext then requires related decryption software such as SamInside, and for passwords of high complexity the time the decryption software needs grows correspondingly longer.


Embodiment Construction

[0020] The present invention will be further described below in conjunction with the accompanying drawings and embodiments.

[0021] As shown in Figure 1, the flow chart of the method of the present invention for obtaining the plaintext of the logged-in user password from the memory image file of the 64-bit Windows operating system follows the process "obtain the operating system version -> obtain the lsass.exe process structure -> obtain the key -> obtain the certificate -> decrypt the ciphertext". Since a process executes its required functions through the dynamic link libraries it loads, the decryption work can be performed by analyzing the dynamic link libraries loaded by the process that performs login authentication. As shown in Figure 1, the method of the present invention for obtaining the plaintext of the logged-in user password from the memory image file of the 64-bit Windows operating system first needs to obtain the operating s...


Abstract

The invention provides a method for acquiring the logged-on user password from memory mirroring documents of a 64-bit Windows operating system. The method comprises the following steps: (a) acquiring version information of the system; (b) acquiring the value of the PEB structure variable from the CR3 register and the process environment block of the lsass.exe process; (c) dumping execution samples of the dynamic link libraries lsasrv.dll and tspkg.dll; (d) acquiring key-related data; (e) acquiring user information from lsasrv.dll; (f) acquiring the login user master certificate from the tspkg.dll dump document; and (g) acquiring the password. The method for acquiring the logged-on user password plaintext is accurate and efficient, its analysis effect is not influenced by password complexity, and it is an important means of acquiring user login information from a physical memory mirroring document; the acquired login user password is important evidence in computer online evidence collection.

Description

Technical field

[0001] The invention relates to a method for obtaining the plaintext of the password of the logged-in user, more specifically a method for obtaining the plaintext of the password of the logged-in user from the memory image file of the 64-bit Windows operating system. This method is applied in the field of computer forensics, mainly for the investigation and evidence collection of information security incidents and various computer crime cases.

Background technique

[0002] The physical memory of a computer holds information that can describe the state of the system when it is under attack, such as information on the currently running processes, the dynamic link libraries loaded by each process, the name and password of the user currently logged in to the system, the opened files, and the network connection information, etc. This information disappears with the shutdown of the compute...


Application Information

Patent Type & Authority: Applications (China)
IPC (8): G06F9/45, G06F12/10, G06F12/0802, G06F21/31, H04L9/32
CPC: G06F8/53, G06F12/0802, G06F12/10, G06F21/31, H04L9/3226
Inventor: 徐丽娟, 王连海, 葛亮, 赵大伟, 周洋, 徐淑奖
Owner SHANDONG COMP SCI CENTNAT SUPERCOMP CENT IN JINAN