Index: sha1sum.c
===================================================================
--- sha1sum.c	(revision 0)
+++ sha1sum.c	(revision 1257)
@@ -0,0 +1,304 @@
+/* sha1sum.c - print SHA-1 Message-Digest Algorithm 
+ * Copyright (C) 1998, 1999, 2000, 2001 Free Software Foundation, Inc.
+ * Copyright (C) 2004 g10 Code GmbH
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+/* SHA-1 coden take from gnupg 1.3.92. 
+
+   Note, that this is a simple tool to be used for MS Windows.
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include <errno.h>
+#include "sha1sum.h"
+
+#undef BIG_ENDIAN_HOST
+
+/****************
+ * Rotate a 32 bit integer by n bytes
+ */
+#if defined(__GNUC__) && defined(__i386__)
+static inline u32
+rol( u32 x, int n)
+{
+	__asm__("roll %%cl,%0"
+		:"=r" (x)
+		:"0" (x),"c" (n));
+	return x;
+}
+#else
+#define rol(x,n) ( ((x) << (n)) | ((x) >> (32-(n))) )
+#endif
+
+
+void
+sha1_init( SHA1_CONTEXT *hd )
+{
+    hd->h0 = 0x67452301;
+    hd->h1 = 0xefcdab89;
+    hd->h2 = 0x98badcfe;
+    hd->h3 = 0x10325476;
+    hd->h4 = 0xc3d2e1f0;
+    hd->nblocks = 0;
+    hd->count = 0;
+}
+
+
+/****************
+ * Transform the message X which consists of 16 32-bit-words
+ */
+static void
+transform( SHA1_CONTEXT *hd, unsigned char *data )
+{
+    u32 a,b,c,d,e,tm;
+    u32 x[16];
+
+    /* get values from the chaining vars */
+    a = hd->h0;
+    b = hd->h1;
+    c = hd->h2;
+    d = hd->h3;
+    e = hd->h4;
+
+#ifdef BIG_ENDIAN_HOST
+    memcpy( x, data, 64 );
+#else
+    { int i;
+      unsigned char *p2;
+      for(i=0, p2=(unsigned char*)x; i < 16; i++, p2 += 4 ) {
+	p2[3] = *data++;
+	p2[2] = *data++;
+	p2[1] = *data++;
+	p2[0] = *data++;
+      }
+    }
+#endif
+
+
+#define K1  0x5A827999L
+#define K2  0x6ED9EBA1L
+#define K3  0x8F1BBCDCL
+#define K4  0xCA62C1D6L
+#define F1(x,y,z)   ( z ^ ( x & ( y ^ z ) ) )
+#define F2(x,y,z)   ( x ^ y ^ z )
+#define F3(x,y,z)   ( ( x & y ) | ( z & ( x | y ) ) )
+#define F4(x,y,z)   ( x ^ y ^ z )
+
+
+#define M(i) ( tm =   x[i&0x0f] ^ x[(i-14)&0x0f] \
+		    ^ x[(i-8)&0x0f] ^ x[(i-3)&0x0f] \
+	       , (x[i&0x0f] = rol(tm,1)) )
+
+#define R(a,b,c,d,e,f,k,m)  do { e += rol( a, 5 )     \
+				      + f( b, c, d )  \
+				      + k	      \
+				      + m;	      \
+				 b = rol( b, 30 );    \
+			       } while(0)
+    R( a, b, c, d, e, F1, K1, x[ 0] );
+    R( e, a, b, c, d, F1, K1, x[ 1] );
+    R( d, e, a, b, c, F1, K1, x[ 2] );
+    R( c, d, e, a, b, F1, K1, x[ 3] );
+    R( b, c, d, e, a, F1, K1, x[ 4] );
+    R( a, b, c, d, e, F1, K1, x[ 5] );
+    R( e, a, b, c, d, F1, K1, x[ 6] );
+    R( d, e, a, b, c, F1, K1, x[ 7] );
+    R( c, d, e, a, b, F1, K1, x[ 8] );
+    R( b, c, d, e, a, F1, K1, x[ 9] );
+    R( a, b, c, d, e, F1, K1, x[10] );
+    R( e, a, b, c, d, F1, K1, x[11] );
+    R( d, e, a, b, c, F1, K1, x[12] );
+    R( c, d, e, a, b, F1, K1, x[13] );
+    R( b, c, d, e, a, F1, K1, x[14] );
+    R( a, b, c, d, e, F1, K1, x[15] );
+    R( e, a, b, c, d, F1, K1, M(16) );
+    R( d, e, a, b, c, F1, K1, M(17) );
+    R( c, d, e, a, b, F1, K1, M(18) );
+    R( b, c, d, e, a, F1, K1, M(19) );
+    R( a, b, c, d, e, F2, K2, M(20) );
+    R( e, a, b, c, d, F2, K2, M(21) );
+    R( d, e, a, b, c, F2, K2, M(22) );
+    R( c, d, e, a, b, F2, K2, M(23) );
+    R( b, c, d, e, a, F2, K2, M(24) );
+    R( a, b, c, d, e, F2, K2, M(25) );
+    R( e, a, b, c, d, F2, K2, M(26) );
+    R( d, e, a, b, c, F2, K2, M(27) );
+    R( c, d, e, a, b, F2, K2, M(28) );
+    R( b, c, d, e, a, F2, K2, M(29) );
+    R( a, b, c, d, e, F2, K2, M(30) );
+    R( e, a, b, c, d, F2, K2, M(31) );
+    R( d, e, a, b, c, F2, K2, M(32) );
+    R( c, d, e, a, b, F2, K2, M(33) );
+    R( b, c, d, e, a, F2, K2, M(34) );
+    R( a, b, c, d, e, F2, K2, M(35) );
+    R( e, a, b, c, d, F2, K2, M(36) );
+    R( d, e, a, b, c, F2, K2, M(37) );
+    R( c, d, e, a, b, F2, K2, M(38) );
+    R( b, c, d, e, a, F2, K2, M(39) );
+    R( a, b, c, d, e, F3, K3, M(40) );
+    R( e, a, b, c, d, F3, K3, M(41) );
+    R( d, e, a, b, c, F3, K3, M(42) );
+    R( c, d, e, a, b, F3, K3, M(43) );
+    R( b, c, d, e, a, F3, K3, M(44) );
+    R( a, b, c, d, e, F3, K3, M(45) );
+    R( e, a, b, c, d, F3, K3, M(46) );
+    R( d, e, a, b, c, F3, K3, M(47) );
+    R( c, d, e, a, b, F3, K3, M(48) );
+    R( b, c, d, e, a, F3, K3, M(49) );
+    R( a, b, c, d, e, F3, K3, M(50) );
+    R( e, a, b, c, d, F3, K3, M(51) );
+    R( d, e, a, b, c, F3, K3, M(52) );
+    R( c, d, e, a, b, F3, K3, M(53) );
+    R( b, c, d, e, a, F3, K3, M(54) );
+    R( a, b, c, d, e, F3, K3, M(55) );
+    R( e, a, b, c, d, F3, K3, M(56) );
+    R( d, e, a, b, c, F3, K3, M(57) );
+    R( c, d, e, a, b, F3, K3, M(58) );
+    R( b, c, d, e, a, F3, K3, M(59) );
+    R( a, b, c, d, e, F4, K4, M(60) );
+    R( e, a, b, c, d, F4, K4, M(61) );
+    R( d, e, a, b, c, F4, K4, M(62) );
+    R( c, d, e, a, b, F4, K4, M(63) );
+    R( b, c, d, e, a, F4, K4, M(64) );
+    R( a, b, c, d, e, F4, K4, M(65) );
+    R( e, a, b, c, d, F4, K4, M(66) );
+    R( d, e, a, b, c, F4, K4, M(67) );
+    R( c, d, e, a, b, F4, K4, M(68) );
+    R( b, c, d, e, a, F4, K4, M(69) );
+    R( a, b, c, d, e, F4, K4, M(70) );
+    R( e, a, b, c, d, F4, K4, M(71) );
+    R( d, e, a, b, c, F4, K4, M(72) );
+    R( c, d, e, a, b, F4, K4, M(73) );
+    R( b, c, d, e, a, F4, K4, M(74) );
+    R( a, b, c, d, e, F4, K4, M(75) );
+    R( e, a, b, c, d, F4, K4, M(76) );
+    R( d, e, a, b, c, F4, K4, M(77) );
+    R( c, d, e, a, b, F4, K4, M(78) );
+    R( b, c, d, e, a, F4, K4, M(79) );
+
+    /* Update chaining vars */
+    hd->h0 += a;
+    hd->h1 += b;
+    hd->h2 += c;
+    hd->h3 += d;
+    hd->h4 += e;
+}
+
+
+/* Update the message digest with the contents
+ * of INBUF with length INLEN.
+ */
+void
+sha1_write( SHA1_CONTEXT *hd, unsigned char *inbuf, size_t inlen)
+{
+    if( hd->count == 64 ) { /* flush the buffer */
+	transform( hd, hd->buf );
+	hd->count = 0;
+	hd->nblocks++;
+    }
+    if( !inbuf )
+	return;
+    if( hd->count ) {
+	for( ; inlen && hd->count < 64; inlen-- )
+	    hd->buf[hd->count++] = *inbuf++;
+	sha1_write( hd, NULL, 0 );
+	if( !inlen )
+	    return;
+    }
+
+    while( inlen >= 64 ) {
+	transform( hd, inbuf );
+	hd->count = 0;
+	hd->nblocks++;
+	inlen -= 64;
+	inbuf += 64;
+    }
+    for( ; inlen && hd->count < 64; inlen-- )
+	hd->buf[hd->count++] = *inbuf++;
+}
+
+
+/* The routine final terminates the computation and
+ * returns the digest.
+ * The handle is prepared for a new cycle, but adding bytes to the
+ * handle will the destroy the returned buffer.
+ * Returns: 20 bytes representing the digest.
+ */
+
+void
+sha1_final(SHA1_CONTEXT *hd)
+{
+    u32 t, msb, lsb;
+    unsigned char *p;
+
+    sha1_write(hd, NULL, 0); /* flush */;
+
+    t = hd->nblocks;
+    /* multiply by 64 to make a byte count */
+    lsb = t << 6;
+    msb = t >> 26;
+    /* add the count */
+    t = lsb;
+    if( (lsb += hd->count) < t )
+	msb++;
+    /* multiply by 8 to make a bit count */
+    t = lsb;
+    lsb <<= 3;
+    msb <<= 3;
+    msb |= t >> 29;
+
+    if( hd->count < 56 ) { /* enough room */
+	hd->buf[hd->count++] = 0x80; /* pad */
+	while( hd->count < 56 )
+	    hd->buf[hd->count++] = 0;  /* pad */
+    }
+    else { /* need one extra block */
+	hd->buf[hd->count++] = 0x80; /* pad character */
+	while( hd->count < 64 )
+	    hd->buf[hd->count++] = 0;
+	sha1_write(hd, NULL, 0);  /* flush */;
+	memset(hd->buf, 0, 56 ); /* fill next block with zeroes */
+    }
+    /* append the 64 bit count */
+    hd->buf[56] = msb >> 24;
+    hd->buf[57] = msb >> 16;
+    hd->buf[58] = msb >>  8;
+    hd->buf[59] = msb	   ;
+    hd->buf[60] = lsb >> 24;
+    hd->buf[61] = lsb >> 16;
+    hd->buf[62] = lsb >>  8;
+    hd->buf[63] = lsb	   ;
+    transform( hd, hd->buf );
+
+    p = hd->buf;
+#ifdef BIG_ENDIAN_HOST
+#define X(a) do { *(u32*)p = hd->h##a ; p += 4; } while(0)
+#else /* little endian */
+#define X(a) do { *p++ = hd->h##a >> 24; *p++ = hd->h##a >> 16;	 \
+		      *p++ = hd->h##a >> 8; *p++ = hd->h##a; } while(0)
+#endif
+    X(0);
+    X(1);
+    X(2);
+    X(3);
+    X(4);
+#undef X
+}
+
Index: sha1sum.h
===================================================================
--- sha1sum.h	(revision 0)
+++ sha1sum.h	(revision 1257)
@@ -0,0 +1,41 @@
+/* sha1sum.h - print SHA-1 Message-Digest Algorithm 
+ * Copyright (C) 1998, 1999, 2000, 2001 Free Software Foundation, Inc.
+ * Copyright (C) 2004 g10 Code GmbH
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+/* SHA-1 coden take from gnupg 1.3.92. 
+
+   Note, that this is a simple tool to be used for MS Windows.
+*/
+
+#ifndef SHA1SUM_H_
+#define SHA1SUM_H_
+
+typedef unsigned int u32;
+
+typedef struct {
+    u32  h0,h1,h2,h3,h4;
+    u32  nblocks;
+    unsigned char buf[64];
+    int  count;
+} SHA1_CONTEXT;
+
+void sha1_init( SHA1_CONTEXT *hd );
+void sha1_write( SHA1_CONTEXT *hd, unsigned char *inbuf, size_t inlen);
+void sha1_final(SHA1_CONTEXT *hd);
+
+#endif
Index: whosthere.c
===================================================================
--- whosthere.c	(revision 939)
+++ whosthere.c	(revision 1257)
@@ -6,6 +6,7 @@
 #include <tlhelp32.h>
 #include "../iam/findfuncs.h"
 #include "getopt.h"
+#include "sha1sum.h"
 
 /*
  * whosthere.c
@@ -470,6 +471,108 @@
 
 }
 
+/*  Generate SHA-1 hash of lsasrv.dll and identify appropriate memory addresses 
+    JoMo-Kun <jmk@foofus.net>
+    2009/11/03
+*/
+BOOL lookupKnownAddrs( AddressesGroup* outAddrGroup )
+{
+  FILE *fp;
+  char path[400];
+  char buffer[4096];
+  char hash[41];
+  size_t n;
+  SHA1_CONTEXT ctx;
+  int i;
+
+  memset(path, 0, 400); 
+  GetEnvironmentVariable("SystemRoot", path, 256);
+  strcat(path,"\\system32\\lsasrv.dll");
+  fp = fopen (path, "rb");
+  if (!fp)
+  {
+    fprintf (stderr, "Unable to open lsasrv.dll: %s\n", strerror (errno));
+    return FALSE; 
+  }
+
+  sha1_init (&ctx);
+
+  while ( (n = fread (buffer, 1, sizeof buffer, fp)))
+    sha1_write (&ctx, buffer, n);
+
+  if (ferror (fp))
+  {
+    fprintf (stderr, "Error reading lsasrv.dll: %s\n", strerror (errno));
+    return FALSE; 
+  }
+
+  sha1_final (&ctx);
+
+  fclose (fp);
+  
+  memset(hash, 0, 41); 
+  for (i=0; i < 20; i++)
+  {
+    hash[2 * i] = (ctx.buf[i] & 0xf0) >> 4;
+    hash[2 * i + 1] = ctx.buf[i] & 0x0f;
+  }
+
+  for (i=0; i<40; i++)
+  {
+    if (hash[i] > 9)
+      hash[i] += 0x57;
+    else
+      hash[i] += 0x30;
+  }
+
+  /* 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) English (United States)*/
+  if ( strcmp(hash, "42940943f90ee2f6bbc66571d530f7571559f063") == 0 )
+    processAddrsFromUser("75753C20:7573FE43:757D0C98:757D0CA0:757CFC60:757CFE54", outAddrGroup);
+  /* 5.2.3790.4530 (srv03_sp2_gdr.090615-1611) English (United States) */
+  else if ( strcmp(hash, "2eff51b92571718ab144cfe7f9c2c10c892d88aa") == 0 )
+    processAddrsFromUser("4AB93FE9:4AB8C9E5:4AC240C8:4AC240D0:4AC23E30:4AC23B10", outAddrGroup);
+  /* 5.2.3790.4455 (srv03_sp2_gdr.090203-1205) English (United States) */
+  else if ( strcmp(hash, "5c937e41ee705bb5b828083f330965a2fe872e28") == 0 )
+    processAddrsFromUser("4AB94009:4AB8C9C5:4AC240C8:4AC240D0:4AC23E30:4AC23B10", outAddrGroup);
+  /* 5.1.2600.5512 (xpsp.080413-2113) English (United States) */
+  else if ( strcmp(hash, "bdbf9f51b536880164a2afdc80b6749e59b24963") == 0 )
+    processAddrsFromUser("75753BA0:7573FDEC:757D0C98:757D0CA0:757CFC60:757CFE54", outAddrGroup);
+  /* 5.2.3790.3959 (srv03_sp2_rtm.070216-1710) English (United States) */
+  else if ( strcmp(hash, "d16e408af557e62c8401a838bb81e17a0bc4bd87") == 0 )
+    processAddrsFromUser("4AB93F99:4AB8C955:4AC230C8:4AC230D0:4AC22E30:4AC22B10", outAddrGroup);
+  /* 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) English (United States) */
+  else if ( strcmp(hash, "b7335206933b1fa486a4cc09d814a155e6b0e7af") == 0 )
+    processAddrsFromUser("75753BE0:7573FDF4:757D0C98:757D0CA0:757CFC60:757CFE54", outAddrGroup);
+  /* 5.2.3790.4186 (srv03_sp2_gdr.071108-1306) English (United States) */
+  else if ( strcmp(hash, "fa441b506656252a6bc6039f4d9376d1675d5a2c") == 0 )
+    processAddrsFromUser("4AB93379:4AB8BD35:4AC230C8:4AC230D0:4AC22E30:4AC22B10", outAddrGroup);
+  /* 5.2.3790.1830 (srv03_sp1_rtm.050324-1447) English (United States) */
+  else if ( strcmp(hash, "7d51299f1911a6cfd88b05960dd9cafe1d5b9cd3") == 0 )
+    processAddrsFromUser("742E159B:742D823D:74374FC0:74374FC8:74374998:74374920", outAddrGroup);
+  /* 5.1.2600.5834 (xpsp_sp3_qfe.090624-1332) English (United States) */
+  else if ( strcmp(hash, "9f01dab059dccfb3ac5bd66c2ce8f92ed36316e2") == 0 )
+    processAddrsFromUser("75753C20:7573FE43:757D0C98:757D0CA0:757CFC60:757CFE54", outAddrGroup);
+  /* 5.1.2600.3520 (xpsp_sp2_gdr.090206-1233) English (United States) */
+  else if ( strcmp(hash, "81c5d0d2a4dd759b2dfb599ddac42af1d1f6f88f") == 0 )
+    processAddrsFromUser("75747C5C:75745751:757CFBF8:757CFC00:757CEC60:757CEE54", outAddrGroup);
+  /* 5.1.2600.3520 (xpsp_sp2_gdr.090206-1233) English (United States) */
+  else if ( strcmp(hash, "a1dc5d6f18dc83fb7cffc0fb7081963dec1dfc1a") == 0 )
+    processAddrsFromUser("75747BDC:757456D2:757CFBF8:757CFC00:757CEC60:757CEE54", outAddrGroup);
+  /* 5.1.2600.3520 (xpsp_sp2_gdr.090206-1233) English (United States) */
+  else if ( strcmp(hash, "e8baa633f35c79a57313cb9182bedc2348fa1134") == 0 )
+    processAddrsFromUser("75747AD4:757455CA:757D0BD8:757D0BE0:757CFC60:757CFE54", outAddrGroup);
+  /* 5.1.2600.3520 (xpsp_sp2_qfe.090206-1239) English (United States) */
+  else if ( strcmp(hash, "effcc406a56ca3bc5cb7f205dce00b01bbf53716") == 0 )
+    processAddrsFromUser("7575530C:757414FB:757D0BD8:757D0BE0:757CFC60:757CFE54", outAddrGroup);
+  else
+  {
+    printf("Unknown lsasrv.dll (SHA1: %s)\n", hash);
+    return FALSE;
+  }
+
+  return TRUE;
+}
+
 void banner(void)
 {
 
@@ -486,6 +589,7 @@
 	printf("\t-t\t\testablishes interval used by the -i switch (by default 2 seconds).\n");
 	printf("\t-o\t\tdump output to a file, -o filename\n");
 	printf("\t-a\t\tspecify addresses to use. Format: ADDCREDENTIAL_ADDR:ENCRYPTMEMORY_ADDR:FEEDBACK_ADDR:DESKEY_ADDR:LOGONSESSIONLIST_ADDR:LOGONSESSIONLIST_COUNT_ADDR (WARNING!: if you use the wrong values the system may crash)\n");
+	printf("\t-l\t\tuse known addresses based on version of lsasrv.dll present\n");
 
 	
 }
@@ -533,7 +637,7 @@
 
 		// check parameters
 		while(1) {
-			unsigned int c = getopt(argc, argv, "-IiDhHo:t:a:");
+			unsigned int c = getopt(argc, argv, "-IiDhHo:t:a:l");
 			if( c == -1 ) break;
 			
 			switch( c ) {
@@ -551,6 +655,14 @@
 					}
 					break;
 
+				case 'l':
+					// lookup addresses from known value list 
+          buseSuppliedAddrs = lookupKnownAddrs(&_addrGroup);
+          if (buseSuppliedAddrs == FALSE)
+						printf("Failed to lookup lsasrv.dll address. Proceeding with default address location routine...\n");
+					
+          break;
+
 				case 'o':
                                         // whatever...
                                         memset(g_dumpFile, '\x00', sizeof(g_dumpFile));
Index: compile.bat
===================================================================
--- compile.bat	(revision 939)
+++ compile.bat	(revision 1257)
@@ -1 +1,1 @@
-cl.exe whosthere.c getopt.c psapi.lib ..\iam\findfuncs.c advapi32.lib
+cl.exe whosthere.c getopt.c sha1sum.c psapi.lib ..\iam\findfuncs.c advapi32.lib
