Monday, November 18, 2013

Copying SAM and SYSTEM hives (Or locked files) from a running system by directly dumping sectors.

My Kali installation did not have a copy of fgdump.exe, so while googling to download the fgdump utility for a friend who is currently doing PWB from Offensive Security, I stumbled upon a post which mentioned dumping the sectors occupied by a file in order to copy a locked file from the file system.

Thanks to my fat fingers.

One needs administrative privileges on the system to do this, but with it the local SAM and SYSTEM hives can be copied from a running system without rebooting into a Linux bootable CD to free the file locks.

The author, Armen Hakobyan, explains the implementation nicely, with all the source code listed. The listing also includes a precompiled 32-bit binary, compatible with Windows 7, as a demo project. A 64-bit version can be compiled from the sources.
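From the defender's side, a process that copies a locked hive this way has to open the volume or disk raw, which Sysmon records as Event ID 9 (RawAccessRead). The following is an added example, not code from the post or from the fdump project: it scans exported Sysmon XML for raw-read events and flags any image outside a constructed allowlist of tools expected to read volumes directly (the sample events and the allowlist are both constructed for illustration).

```python
"""Flag raw volume/disk reads in Sysmon events (Event ID 9, RawAccessRead)."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Processes expected to read volumes raw (constructed allowlist; tune per estate).
# Compared lower-cased because Windows paths are case-insensitive.
ALLOWED_IMAGES = {
    r"c:\windows\system32\vssvc.exe",
}

# Constructed Sysmon export: a benign VSS read, a raw read by a tool dropped in a
# public folder, and an unrelated process-create event (ID 1) that must be ignored.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>9</EventID></System>
  <EventData>
    <Data Name="UtcTime">2013-11-18 10:00:01.000</Data>
    <Data Name="Image">C:\Windows\System32\VSSVC.exe</Data>
    <Data Name="Device">\Device\HarddiskVolume1</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>9</EventID></System>
  <EventData>
    <Data Name="UtcTime">2013-11-18 10:05:42.000</Data>
    <Data Name="Image">C:\Users\Public\fdump-demo.exe</Data>
    <Data Name="Device">\Device\HarddiskVolume1</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData><Data Name="Image">C:\Windows\notepad.exe</Data></EventData>
</Event>
</Events>"""


def suspicious_raw_reads(xml_text, allowed=ALLOWED_IMAGES):
    """Return (UtcTime, Image, Device) for each RawAccessRead whose image is not allowlisted."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "9":
            continue  # only RawAccessRead events matter here
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        image = data.get("Image", "")
        if image.lower() not in allowed:
            hits.append((data.get("UtcTime"), image, data.get("Device")))
    return hits


if __name__ == "__main__":
    for utc, image, device in suspicious_raw_reads(SAMPLE_EVENTS):
        print(f"{utc}  raw read of {device} by {image}")
```

Backup, imaging and forensic agents legitimately trigger Event ID 9, so the allowlist needs tuning per environment; correlating the flagged image with a subsequent write of a file the size of the SAM hive narrows it further.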

Fdump-demo.exe binary in action.

FDUMP in Action.