WhatAboutSAM is my custom Windows SAM dumper, reading it from the registry. So, SYSTEM privileges are needed. I wanted to study at a low level how Windows stores local user credentials in the Security Account Manager (SAM). As a Cybersecurity Engineer with a mostly offensive mindset, I have used many times the tools we all know: mimikatz, secretsdump (impacket), pwdump, hashdump (metasploit), crackmapexec (--sam parameter), LaZAgne...
Also, I wanted to practice some malware development techniques (enumerated below) and I needed an excuse for it. That is why I decided to implement my custom SAM Dumper.
It is currently in development.
Please, take a look at the credits because without these projects this would not have been possible.
- PEB Walking (avoid GetModuleHandle + GetProcAddress)
- Call Stack Spoofing with Custom Callbacks (Thread Pools)
- Native Functions
- API Hashing
- Travis CI (Finally done with Github Actions)
- Debug Branch vs Release Branch
- Shadow Snapshot Method
- Test Old Algorithm. What a bummer. Microsoft Changed storage in SAM in Windows 10 1909
- Command Line Parameters
- Add more comments :)
- Debug prints
- Elevate to SYSTEM
Please, take a look to this project, without them I could not have developed WhatAboutSAM.
- https://github.com/Maldev-Academy/MaldevAcademyLdr.1/tree/main/HashCalculator
- https://github.com/tobiohlala/NTLMX
- https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/
- https://0xdarkvortex.dev/hiding-in-plainsight/
- https://0xpat.github.io/Malware_development_part_4/
- https://github.com/gentilkiwi/mimikatz
- https://www.ired.team/miscellaneous-reversing-forensics/aes-encryption-example-using-cryptopp-.lib-in-visual-studio-c++
- https://cryptopp.com/docs/ref/
- https://github.com/ShiftMediaProject/VSNASM
- I believe I do not fortget any, if I am not right I will add it later :P