Tag: dump

Forensics, Malware Analysis, Microsoft Windows, Windows Internals

Dump PE file in C

The Portable Executable (PE) format is a file format for executables, object code, DLLs, FON Font files,[1] and others used in 32-bit and 64-bit versions of Windows operating systems. The PE format is a data structure that encapsulates the information necessary for the Windows OS loader to manage the wrapped executable code. – Wikipedia Other …

C#, Mono.Cecil, Programming

Extract all strings using Mono.Cecil in C#

First check this post on how to build and use the Mono.Cecil library.

    private List<String> ReadAssemblyStrings(String executable)
    {
        try
        {
            if (!File.Exists(executable))
                return null;

            AssemblyDefinition AssemblyDef = AssemblyDefinition.ReadAssembly(executable);
            List<String> sstrs = new List<String>();

            foreach (ModuleDefinition md in AssemblyDef.Modules)
            {
                foreach (TypeDefinition td in md.GetTypes())
                {
                    foreach (MethodDefinition mdf in td.Methods)
                    {
                        if (mdf.HasBody)
                        {
                            …

Passwords, Penetration Testing

Dump credentials stored in Memory

The Windows authentication system stores users' credentials in memory. Windows caches a user's credentials so she can, for example, access network resources without having to enter her password constantly. There is a tool named Windows Credentials Editor (WCE) from Amplia Security that can be used to list logon sessions and add, change, list and delete …

Cracking, Cryptography, Passwords

Dump Windows password hashes

Download pwdump7 and run it to dump the local system's passwords from the SAM and SYSTEM files.

Usage:

    Dump system passwords:        pwdump7.exe
    Dump passwords from files:    pwdump7.exe -s <samfile> <systemfile>
    Copy filename to destination: pwdump7.exe -d <filename> [destination]