I got a very interesting note from Ryan Reynolds and Jonathan Claudius, who will be presenting at BlackHat and Defcon 20 in a few weeks. They discovered that, in certain circumstances, the hashes returned by tools like fgdump3 (which is a very limited “ask-and-you-shall-receive” research version I unveiled at ToorCon 2011) as well as HashDump are wrong. They have a proposed patch to HashDump, and I will be incorporating it into the fgdump3 branch as well.
FAQ
So does this affect fgdump2/2.1?
No – this only affects versions that pull their values straight from the registry (which is what version 3 does).
Where is fgdump3 anyway?
I unofficially/quietly released version 3 at ToorCon last year. However, speed issues continued to plague me (changing permissions on the keys is SLOW), and I started looking for a new solution. Right now, the NEW fgdump3 is about 80% done; it combines the old injection method, the registry method, and a new “super s3kr1t” method that looks to work well, and quickly too. I have yet to finish it, but I’m going to see if I can pound it out before DC 20 in time for their presentation. It will be ultra-beta, but something to play with.
How can I get a copy to play with?
I can send you the old fgdump3 if you want to play with the registry method – email me at fizzgig@foofus.net if you like. It’s unsupported and may cause nausea, but feel free to give it a shot. :)