Source: www.opengram.com
Author: Refdom
Email: Refdom@263.net
Homepage: www.opengram.com
2002/4/29
I. Summary
II. About SAM
III. Structure of the SAM database in the registry
IV. Structure and main content of the SAM database
V. Conclusion about the SAM database analysis
I. Summary
The analysis of the Security Account Manager structure took more than a month, and only fragments were written down; they were never released. The main reason is that the Security Account Manager (SAM) is the core of Windows account management and is very systematic, and many places can only be inferred and guessed at. At the same time, hacking the SAM can cause lsass.exe to fail while loading the account manager at startup; even safe mode loads the SAM, so the whole system fails to start (I usually have to rely on a second system to delete the SAM file before it will boot). Now that ADAM and the "cloned administrator account" are being turned into rootkit-style tools that hide in and damage the SAM, familiarity with it can help security maintenance staff do proper security testing (of course, it can also be put to bad use).
Only the contents of SAM are covered here; SECURITY is not discussed.
II. About SAM
Do not misunderstand SAM: it is not simply a file. SAM (Security Accounts Manager) controls and maintains the SAM database. The SAM database is located in the registry under HKLM\SAM\SAM and is protected by an ACL; you can open the registry editor regedt32.exe and set the appropriate permissions to view the contents of SAM. On disk the SAM database is saved in the file %systemroot%\system32\config\SAM. The same directory also holds a SECURITY file, which is the content of the security database, and the two are closely related.
The SAM database contains all groups and account information, including password hashes and account SIDs. These contents are described in detail later. My analysis uses the Chinese Win2K Advanced Server as its example.
III. Structure of the SAM database in the registry
Expanding the registry key HKLM\SAM\SAM\:
HKLM
 |--- SAM
      |--- SAM
      |    |--- Domains
      |    |    |--- Account
      |    |    |    |--- Aliases
      |    |    |    |    |--- Members
      |    |    |    |    |--- Names
      |    |    |    |--- Groups
      |    |    |    |    |--- 00000201
      |    |    |    |    |--- Names
      |    |    |    |         |--- None
      |    |    |    |--- Users
      |    |    |         |--- 000001F4
      |    |    |         |--- 000001F5
      |    |    |         |--- 000003E8
      |    |    |         |--- 000003E9
      |    |    |         |--- Names
      |    |    |              |--- Administrator
      |    |    |              |--- Guest
      |    |    |              |--- IUSR_REFDOM
      |    |    |              |--- IWAM_REFDOM
      |    |    |--- Builtin
      |    |         |--- Aliases
      |    |         |    |--- 00000220
      |    |         |    |--- 00000221
      |    |         |    |--- 00000222
      |    |         |    |--- 00000223
      |    |         |    |--- Members
      |    |         |    |    |--- S-1-5-21-1214440339-706699826-1708537768
      |    |         |    |         |--- 000001F4
      |    |         |    |         |--- 000001F5
      |    |         |    |         |--- 000003E8
      |    |         |    |         |--- 000003E9
      |    |         |    |--- Names
      |    |         |         |--- Administrators
      |    |         |         |--- Users
      |    |         |         |--- Guests
      |    |         |         |--- Power Users
      |    |         |--- Groups
      |    |         |    |--- Names
      |    |         |--- Users
      |    |              |--- Names
      |    |--- RXACT
This is the SAM tree in the registry on my machine.
Compared with the SAM file, the SAM tree in the registry is in fact the same data as the SAM file. However, the SAM file is a flat list: RXACT comes first and the Domains content follows (one item pushed after another), so the order of items in the file is the reverse of the tree order in the registry. If you are used to looking at the file content: from file offset 0000h to 006Ch is the location of the SAM database, \systemroot\system32\config\sam; the rest is blank up to 1000h (hbin), and from there the content of the entire database begins. The content of the SAM file is not the main subject of this article, but it is inserted here for anyone interested in researching it.
IV. Structure and main content of the SAM database
Within the whole database, the main account content is as follows:
Under /Domains/ is the SAM content of the domain (or machine), with two branches, "Account" and "Builtin".
/Domains/Account holds the user account content.
/Domains/Account/Users holds the information about each account. The subkeys under it are the SID relative identifiers of each account, for example 000001F4, and under each account there are two values, F and V. Under /Names/ are the user account names; each account name has only one default value, whose type is not a general registry data type but instead points to the item above (the relative identifier) of this account. For the administrator, for example, the type is 0x1F4, which corresponds to the 000001F4 content above the account name Administrator. This shows the logic of Microsoft's account lookup.
Inference 1: looking at accounts from the registry structure, if you query information about REFDOM, Microsoft starts from the account name REFDOM, finds its type 0x3EB, and then finds the content of relative identifier (or SID) 000003EB. All API functions (such as NetUserEnum()) work this way. Therefore, if the type 0x3EB of the REFDOM account is changed to 0x1F4, this account is redirected to the 000001F4 account, and account 000001F4 is the Administrator account, so during the login process the system turns completely to Administrator. All of the content used by account refdom is Administrator's content, including password, permissions, desktop, records, access time and so on. This inference should hold, but it means that two usernames correspond to one set of user information; the system should report an error at startup!
Inference 1 is obtained from the structure analyzed above and reveals the association between the account name and the SID during the login process.
/Domains/Account/Users/000001F4 is the account information of Administrator (the others are similar). It has two values, V and F.
Value V stores the basic information of the account: username, the user's full name, group, description, password hash, comment, whether the password can be changed, whether the account is enabled, password set time, and so on. Value F stores some login records, such as the last login time and the number of failed logins, and one important item: the SID relative identifier of this account.
I did not pay attention to this place when analyzing the structure; it is the idea behind ADAM. This SID relative identifier appears twice in the registry for one account: once in the subkey name 000001F4, and again in the content of value F, in the four bytes 48 to 51: F4 01 00 00, which is actually a long variable, i.e. 00 00 01 F4. When one identifier appears in two places, synchronization problems occur. Obviously Microsoft made this mistake: the two variables should be unified to identify one user account, but Microsoft uses the two separately and their roles are not synchronized.
The subkey 000001F4 is used to correspond to the username Administrator, so that account information obtained through the user, such as LookupAccountSid() and the other account-related API functions, is locked to this location; these are used after the account has logged in. The value F4 01 00 00 in value F is what is most directly associated with account login.
Inference 2: when Windows logs in, the relative identifier is obtained from the SAM, and the location of this relative identifier is F4 01 00 00 in value F. However, account information queries use the subkey name in the SAM.
Reason for Inference 2 (Hypothesis 1): when the account logs in, the login process obtains the relative identifier value from the account record found by username in the SAM database (equivalent to F4 01 00 00 in value F). After the account has logged in, this value is no longer used by the API functions; the relative identifier is instead the field name of the data record item (equivalent to subkey 000001F4). Microsoft committed a synchronization logic problem!
Inference 2 is based on ADAM; I had not inferred it before. :( If Inference 2 holds, it reveals the process by which the account SID is obtained during login. This is also why the login records (login time, password errors, etc.) are written to value F. At the same time, because V stores the username and the API functions query by this username, ADAM's cloning method is still easy to spot; but if, after cloning, the username is restored to the original username, detection based on the username becomes relatively difficult.
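The three places the article says identify one account (the Names default-value type, the RID subkey name, and bytes 48 to 51 of value F) can be cross-checked against each other. The following is an added example, not code from the original article or from its detection tool: it audits constructed in-memory copies of the Users and Names subtrees, flagging a name that points at another account's RID (Inference 1) and an F value whose embedded RID does not match the subkey it lives under (Inference 2). The sample records, including the extra names "refdom" and "shadow", are constructed for the example; on a live system the same data would be read from HKLM\SAM\SAM with the permissions the article describes.

```python
import struct

# Added example (not from the original article): consistency checks on the
# SAM\SAM\Domains\Account\Users subtree. All records below are constructed
# in memory, not read from a live registry.

F_RID_OFFSET = 48  # bytes 48..51 of value F hold the RID as a little-endian DWORD


def build_f(rid, size=80):
    """Construct a dummy F value with only the RID field filled in."""
    buf = bytearray(size)
    struct.pack_into("<I", buf, F_RID_OFFSET, rid)
    return bytes(buf)


def rid_from_f(f_value):
    """Return the RID stored at bytes 48..51 of an F value."""
    if len(f_value) < F_RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID")
    return struct.unpack_from("<I", f_value, F_RID_OFFSET)[0]


def audit_users(users, names):
    """Cross-check the three places the article says identify one account.

    users: {"000001F4": {"F": bytes, "V": bytes}, ...}  RID subkey -> its values
    names: {"Administrator": 0x1F4, ...}  Names subkey -> type of its default value
    Returns a list of (where, finding) tuples; an empty list means consistent.
    """
    findings = []

    # Check 1: every Names entry must point at an existing RID subkey.
    for name, rid_type in names.items():
        if "%08X" % rid_type not in users:
            findings.append((name, "Names type 0x%X has no Users subkey" % rid_type))

    # Check 2: one RID subkey should be claimed by exactly one name
    # (the redirection described in Inference 1 makes two names share one).
    claimed = {}
    for name, rid_type in names.items():
        claimed.setdefault("%08X" % rid_type, []).append(name)
    for key, owners in claimed.items():
        if len(owners) > 1:
            findings.append((key, "RID subkey claimed by several names: " + ", ".join(sorted(owners))))

    # Check 3: the RID inside F must match the subkey name it lives under
    # (a copied F value still carries the original account's RID).
    for key, values in users.items():
        rid_in_f = rid_from_f(values["F"])
        if rid_in_f != int(key, 16):
            findings.append((key, "F value carries RID 0x%X but subkey name is 0x%X" % (rid_in_f, int(key, 16))))

    return findings


# Constructed sample: the four accounts from the article's tree, plus one
# account (RID 0x3EB, name "refdom") whose F value is a copy of 000001F4's,
# and one hypothetical extra name ("shadow") pointing at 0x1F4.
SAMPLE_USERS = {
    "000001F4": {"F": build_f(0x1F4), "V": b""},
    "000001F5": {"F": build_f(0x1F5), "V": b""},
    "000003E8": {"F": build_f(0x3E8), "V": b""},
    "000003E9": {"F": build_f(0x3E9), "V": b""},
    "000003EB": {"F": build_f(0x1F4), "V": b""},
}
SAMPLE_NAMES = {
    "Administrator": 0x1F4,
    "Guest": 0x1F5,
    "IUSR_REFDOM": 0x3E8,
    "IWAM_REFDOM": 0x3E9,
    "refdom": 0x3EB,
    "shadow": 0x1F4,
}

if __name__ == "__main__":
    for where, finding in audit_users(SAMPLE_USERS, SAMPLE_NAMES):
        print("%-14s %s" % (where, finding))
```

Running it reports two findings on the sample: subkey 000001F4 is claimed by both Administrator and shadow, and subkey 000003EB holds an F value carrying RID 0x1F4. Restoring the username in V, as the article notes, does not help a cloned account here, because the check never looks at the name stored in V; it only compares the RID in F with the subkey name.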
From the introduction of value V above we know that it stores the basic information: username, the user's full name, group, description, password hash, comment, whether the password can be changed, whether the account is enabled, password set time, and so on. What deserves attention now is the password hash.
Hypothesis 2: the account's entry contains the user's hash, including the password encrypted in the LM2 and NT forms, and these can be cracked separately. After all, LM2 is simple.
/Domains/Builtin holds the content related to account groups. Its structure is similar to /Account and has the corresponding problem, so it is not repeated here.
In the file SAM where the SAM database is saved, the content is not as tidy as in the registry; data is located mainly by offset and length, and the information of a single account is placed together rather than in the registry's form (the name in one key, the information in another key).
In the SAM file, the meaning of the data can be located by these signatures:
nk (6E 6B)  key or subkey name
vk (76 6B)  the corresponding value
lf (6C 66)  subkey list
sk (73 6B)  permissions
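The signatures above can be used to walk the cells of an hbin block and tag each one, which is the first step of reading the SAM file by offset and length as the article describes. The following is an added example, not code from the original article: it constructs one hbin block in memory (for a real file the block would be the bytes starting at 1000h), walks its cells, and reports every allocated nk, vk, lf and sk cell with its offset. It goes a little beyond the article by also extracting the key name from an nk cell; the cell layout assumed here (a signed 4-byte cell size that is negative when the cell is in use, 8-byte cell alignment, a 32-byte hbin header with the block size at offset 8, and an ASCII key name at offset 0x4C of the nk node with its length at 0x48) is taken from the publicly documented hive format, not from the article.

```python
import struct

# Added example (not from the original article): locate nk/vk/lf/sk cells in
# one hbin block of a SAM-style hive. The block is constructed in memory; in a
# real SAM file the first hbin starts at file offset 1000h.

HBIN_HEADER = 32
CELL_SIGNATURES = {
    b"nk": "key or subkey node",
    b"vk": "value",
    b"lf": "subkey list",
    b"sk": "security descriptor (permissions)",
}


def build_cell(signature, payload):
    """Construct an allocated cell: negative 8-byte-aligned size, then the body."""
    body = signature + payload
    size = (4 + len(body) + 7) & ~7           # size field included, rounded up to 8
    return struct.pack("<i", -size) + body + b"\x00" * (size - 4 - len(body))


def build_nk(name):
    """Construct a minimal nk cell: name length at node offset 0x48, ASCII name at 0x4C
    (assumed layout from the public hive format; other nk fields are left zero)."""
    name_bytes = name.encode("ascii")
    payload = b"\x00" * (0x48 - 2) + struct.pack("<HH", len(name_bytes), 0) + name_bytes
    return build_cell(b"nk", payload)


def build_hbin(cells):
    """Construct one hbin block: header, the cells, and one trailing free cell."""
    body = b"".join(cells)
    used = HBIN_HEADER + len(body)
    total = (used + 0xFFF) & ~0xFFF           # hbin blocks are multiples of 4096 bytes
    header = (b"hbin" + struct.pack("<II", 0, total)   # offset from first hbin, block size
              + b"\x00" * 8 + struct.pack("<Q", 0) + struct.pack("<I", 0))
    free = total - used
    trailer = (struct.pack("<i", free) + b"\x00" * (free - 4)) if free else b""  # positive = free
    return header + body + trailer


def walk_cells(hbin):
    """Report (offset, signature, meaning) for every allocated cell carrying one of
    the signatures the article lists; free cells (positive size) are skipped."""
    if hbin[:4] != b"hbin":
        raise ValueError("not an hbin block")
    bin_size = struct.unpack_from("<I", hbin, 8)[0]
    offset = HBIN_HEADER
    found = []
    while offset + 4 <= bin_size:
        (cell_size,) = struct.unpack_from("<i", hbin, offset)
        if cell_size == 0:
            break                             # damaged block: stop instead of looping forever
        if cell_size < 0:                     # negative size means the cell is in use
            sig = hbin[offset + 4:offset + 6]
            if sig in CELL_SIGNATURES:
                found.append((offset, sig.decode("ascii"), CELL_SIGNATURES[sig]))
        offset += abs(cell_size)
    return found


def nk_name(hbin, cell_offset):
    """Extract the key name from an nk cell located by walk_cells (ASCII names only)."""
    node = cell_offset + 4                    # skip the size field; the node starts at 'nk'
    if hbin[node:node + 2] != b"nk":
        raise ValueError("not an nk cell")
    (name_len,) = struct.unpack_from("<H", hbin, node + 0x48)
    return hbin[node + 0x4C:node + 0x4C + name_len].decode("latin-1")


def sample_hbin():
    """Constructed block: one key named 'Users', a value, a subkey list and a security cell."""
    return build_hbin([
        build_nk("Users"),
        build_cell(b"vk", b"\x00" * 18),
        build_cell(b"lf", b"\x00" * 6),
        build_cell(b"sk", b"\x00" * 20),
    ])


if __name__ == "__main__":
    block = sample_hbin()
    for off, sig, meaning in walk_cells(block):
        extra = " name=%s" % nk_name(block, off) if sig == "nk" else ""
        print("%06Xh %s %s%s" % (off, sig, meaning, extra))
```

On the constructed block the walker lists the four cells in order, starting with the nk cell at offset 32 (directly after the hbin header), and the trailing free cell is not reported. Real hives also use lh, li and ri subkey lists and store some key names in UTF-16, neither of which this example handles.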
V. Conclusion about the SAM database analysis:
Hacking the SAM is very dangerous. An incorrect modification destroys the system's security account manager data and causes the system to fail to start, although startup can be recovered by deleting the SAM file. If you are familiar with SAM's structure, you will find that conversions between one username and another, between one user group and another, and the forgery of accounts and account groups can completely break Microsoft's account model, and do so very covertly, so that the account-related API functions never notice.
Although Microsoft left many logic problems in its handling of account information, this does not make the security account database unsafe: all of these operations require full administrator permission.
Once a hidden backdoor is published, many "hackers" will use it, so administrators should also be familiar with the relevant techniques and do their own security testing. Then my purpose is achieved. A simple detection tool for the "cloned administrator account" can be downloaded from my homepage (www.opengram.com), but what matters more is that administrators learn the related knowledge so that they can detect intrusions better.