@annibuliful
Last active July 25, 2024 06:33
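# Ensure the script is run with administrative privileges.
# The check resolves the current Windows identity, wraps it in a principal and
# asks whether that principal holds the built-in Administrator role.
$currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$currentPrincipal = [Security.Principal.WindowsPrincipal] $currentIdentity
$isAdministrator = $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdministrator) {
    Write-Host "You need to run this script as an Administrator."
    # A bare `exit` reports success (exit code 0). Return a non-zero code so a
    # calling shell, scheduler or CI step can tell the precondition failed.
    exit 1
}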
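# Validate file paths.
# Both inputs are expected to be files named after the SAM and SYSTEM registry
# hives. The comments later in this script describe them as holding password
# hashes, so keep such copies in an access-restricted working directory rather
# than the drive root, and remove them when the work is done.
$samFilePath = "C:\sam"
$systemFilePath = "C:\system"

# -LiteralPath stops wildcard characters in a path from being expanded, and
# -PathType Leaf rejects a directory of the same name, which would otherwise
# pass this check and only fail later when the file is opened.
if ([string]::IsNullOrWhiteSpace($samFilePath) -or -not (Test-Path -LiteralPath $samFilePath -PathType Leaf)) {
    throw "SAM file path '$samFilePath' is empty or does not exist."
}
if ([string]::IsNullOrWhiteSpace($systemFilePath) -or -not (Test-Path -LiteralPath $systemFilePath -PathType Leaf)) {
    throw "SYSTEM file path '$systemFilePath' is empty or does not exist."
}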
# Load necessary assemblies
# Compiles an inline C# class named LSA that declares P/Invoke signatures for
# four advapi32.dll exports (LsaOpenPolicy, LsaNtStatusToWinError,
# LsaRetrievePrivateData, LsaFreeMemory) and the two structs those signatures
# take (LSA_UNICODE_STRING, LSA_OBJECT_ATTRIBUTES).
#
# NOTE(review): nothing in the visible script calls any member of [LSA]; the
# type is compiled and loaded but never used. The script as written only
# inspects two files on disk, so these declarations can be removed to keep the
# script's footprint limited to what it actually does.
# NOTE(review): the `using System.Security.Cryptography;` and
# `using System.Text;` directives are not referenced by the class body.
# NOTE(review): the Lsa* calls return a status code (hence the
# LsaNtStatusToWinError declaration), so SetLastError=true presumably has no
# useful effect here - confirm before relying on the last-error value.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;
public class LSA {
[DllImport("advapi32.dll", SetLastError=true, PreserveSig=true, CharSet=CharSet.Auto)]
public static extern int LsaOpenPolicy(
ref LSA_UNICODE_STRING SystemName,
ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
int AccessMask,
out IntPtr PolicyHandle
);
[DllImport("advapi32.dll")]
public static extern int LsaNtStatusToWinError(int status);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern int LsaRetrievePrivateData(
IntPtr PolicyHandle,
ref LSA_UNICODE_STRING KeyName,
out IntPtr PrivateData
);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern int LsaFreeMemory(IntPtr Buffer);
[StructLayout(LayoutKind.Sequential)]
public struct LSA_UNICODE_STRING {
public ushort Length;
public ushort MaximumLength;
public IntPtr Buffer;
}
[StructLayout(LayoutKind.Sequential)]
public struct LSA_OBJECT_ATTRIBUTES {
public int Length;
public IntPtr RootDirectory;
public LSA_UNICODE_STRING ObjectName;
public int Attributes;
public IntPtr SecurityDescriptor;
public IntPtr SecurityQualityOfService;
}
}
"@
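# Converts a byte array to a lowercase hexadecimal string, two digits per byte.
#   -Bytes   The bytes to encode. May be $null or empty.
# Returns the hex string, or an empty string when there is nothing to encode.
# NOTE(review): no call to this function is visible in the script.
function ConvertTo-HexString {
    param (
        [byte[]]$Bytes
    )
    # Piping $null into ForEach-Object still runs the script block once, which
    # raised "cannot call a method on a null-valued expression". Short-circuit
    # so a missing or empty argument yields '' without an error record.
    if ($null -eq $Bytes -or $Bytes.Length -eq 0) {
        return ''
    }
    # Unary -join concatenates the per-byte strings with no separator.
    return -join $(foreach ($b in $Bytes) { $b.ToString("x2") })
}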
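# Debugging: Output the paths
Write-Host "SAM Path: $samFilePath"
Write-Host "SYSTEM Path: $systemFilePath"

# This script does not parse either file. The only values it reports are the
# two file sizes, so take them from file metadata instead of reading both files
# fully into memory, which would hold their contents in the process for no
# purpose.
# The variable name and keys are kept for anything that dot-sources the script.
$extractedHashes = [ordered]@{
    SAMFileSize    = ([System.IO.FileInfo]$samFilePath).Length
    SystemFileSize = ([System.IO.FileInfo]$systemFilePath).Length
}

# The original heading claimed password hashes were being printed; what follows
# is file sizes only, so the label says so.
Write-Host "Hive file sizes in bytes (hash extraction is not implemented):"

# Piping a dictionary sends the whole object down the pipeline once, so
# $_.Key / $_.Value were empty and each line printed as ": ". Enumerate the
# entries explicitly instead.
foreach ($entry in $extractedHashes.GetEnumerator()) {
    Write-Host "$($entry.Key): $($entry.Value)"
}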