NTSTATUS kuhl_m_dpapi_wwan(int argc, wchar_t * argv[]) { PBYTE pFile, hex, dataOut; DWORD dwData, lenHex, lenDataOut; LPWSTR dataU, dataF; LPCWSTR infile; PKULL_M_DPAPI_BLOB blob; if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL)) { if(kull_m_file_readData(infile, &pFile, &dwData)) { if(dataU = kull_m_string_qad_ansi_to_unicode((const char *) pFile)) { if(kull_m_string_quickxml_simplefind(dataU, L"Name", &dataF)) { kprintf(L"Profile \'%s\'\n\n", dataF); LocalFree(dataF); } if(kull_m_string_quickxml_simplefind(dataU, L"AccessString", &dataF)) { kprintf(L" * AccessString : %s\n", dataF); LocalFree(dataF); } if(kull_m_string_quickxml_simplefind(dataU, L"SubscriberID", &dataF)) { if(kull_m_string_stringToHexBuffer(dataF, &hex, &lenHex)) { if(blob = kull_m_dpapi_blob_create(hex)) { kprintf(L"\n"); kull_m_dpapi_blob_descr(0, blob); if(kuhl_m_dpapi_unprotect_raw_or_blob(hex, lenHex, NULL, argc, argv, NULL, 0, (LPVOID *) &dataOut, &lenDataOut, NULL)) { kprintf(L" * SubscriberID : "); kull_m_string_wprintf_hex(dataOut, lenDataOut, 0); kprintf(L"\n"); kprintf(L"%.*s", lenDataOut / sizeof(wchar_t), dataOut); LocalFree(dataOut); } kull_m_dpapi_blob_delete(blob); } LocalFree(hex); } LocalFree(dataF); } LocalFree(dataU); } LocalFree(pFile); } else PRINT_ERROR_AUTO(L"kull_m_file_readData"); } else PRINT_ERROR(L"Input Wwan XML profile needed (/in:file)\n"); return STATUS_SUCCESS; }
NTSTATUS kull_m_process_getVeryBasicModuleInformations(PKULL_M_MEMORY_HANDLE memory, PKULL_M_MODULE_ENUM_CALLBACK callBack, PVOID pvArg) { NTSTATUS status = STATUS_DLL_NOT_FOUND; PLDR_DATA_TABLE_ENTRY pLdrEntry; PEB Peb; PEB_LDR_DATA LdrData; LDR_DATA_TABLE_ENTRY LdrEntry; #if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64 PLDR_DATA_TABLE_ENTRY_F32 pLdrEntry32; PEB_F32 Peb32; PEB_LDR_DATA_F32 LdrData32; LDR_DATA_TABLE_ENTRY_F32 LdrEntry32; #endif ULONG i; KULL_M_MEMORY_ADDRESS aBuffer = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}; KULL_M_MEMORY_ADDRESS aProcess= {NULL, memory}; PBYTE aLire, fin; PWCHAR moduleNameW; UNICODE_STRING moduleName; PMINIDUMP_MODULE_LIST pMinidumpModuleList; PMINIDUMP_STRING pMinidumpString; KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION moduleInformation; PRTL_PROCESS_MODULES modules = NULL; BOOL continueCallback = TRUE; moduleInformation.DllBase.hMemory = memory; switch(memory->type) { case KULL_M_MEMORY_TYPE_OWN: if(kull_m_process_peb(memory, &Peb, FALSE)) { for(pLdrEntry = (PLDR_DATA_TABLE_ENTRY) ((PBYTE) (Peb.Ldr->InMemoryOrderModulevector.Flink) - FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks)); (pLdrEntry != (PLDR_DATA_TABLE_ENTRY) ((PBYTE) (Peb.Ldr) + FIELD_OFFSET(PEB_LDR_DATA, InLoadOrderModulevector))) && continueCallback; pLdrEntry = (PLDR_DATA_TABLE_ENTRY) ((PBYTE) (pLdrEntry->InMemoryOrderLinks.Flink ) - FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks)) ) { moduleInformation.DllBase.address = pLdrEntry->DllBase; moduleInformation.SizeOfImage = pLdrEntry->SizeOfImage; moduleInformation.NameDontUseOutsideCallback = &pLdrEntry->BaseDllName; kull_m_process_adjustTimeDateStamp(&moduleInformation); continueCallback = callBack(&moduleInformation, pvArg); } status = STATUS_SUCCESS; } #if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64 moduleInformation.NameDontUseOutsideCallback = &moduleName; if(continueCallback && NT_SUCCESS(status) && kull_m_process_peb(memory, (PPEB) &Peb32, TRUE)) { status = STATUS_PARTIAL_COPY; for(pLdrEntry32 = (PLDR_DATA_TABLE_ENTRY_F32) ((PBYTE) ULongToPtr(((PEB_LDR_DATA_F32 *) ULongToPtr(Peb32.Ldr))->InMemoryOrderModulevector.Flink) - FIELD_OFFSET(LDR_DATA_TABLE_ENTRY_F32, InMemoryOrderLinks)); (pLdrEntry32 != (PLDR_DATA_TABLE_ENTRY_F32) ((PBYTE) ULongToPtr(Peb32.Ldr) + FIELD_OFFSET(PEB_LDR_DATA, InLoadOrderModulevector))) && continueCallback; pLdrEntry32 = (PLDR_DATA_TABLE_ENTRY_F32) ((PBYTE) ULongToPtr(pLdrEntry32->InMemoryOrderLinks.Flink) - FIELD_OFFSET(LDR_DATA_TABLE_ENTRY_F32, InMemoryOrderLinks)) ) { moduleInformation.DllBase.address = ULongToPtr(pLdrEntry32->DllBase); moduleInformation.SizeOfImage = pLdrEntry32->SizeOfImage; moduleName.Length = pLdrEntry32->BaseDllName.Length; moduleName.MaximumLength = pLdrEntry32->BaseDllName.MaximumLength; moduleName.Buffer = (PWSTR) ULongToPtr(pLdrEntry32->BaseDllName.Buffer); kull_m_process_adjustTimeDateStamp(&moduleInformation); continueCallback = callBack(&moduleInformation, pvArg); } status = STATUS_SUCCESS; } #endif break; case KULL_M_MEMORY_TYPE_PROCESS: moduleInformation.NameDontUseOutsideCallback = &moduleName; if(kull_m_process_peb(memory, &Peb, FALSE)) { aBuffer.address = &LdrData; aProcess.address = Peb.Ldr; if(kull_m_memory_copy(&aBuffer, &aProcess, sizeof(LdrData))) { for( aLire = (PBYTE) (LdrData.InMemoryOrderModulevector.Flink) - FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks), fin = (PBYTE) (Peb.Ldr) + FIELD_OFFSET(PEB_LDR_DATA, InLoadOrderModulevector); (aLire != fin) && continueCallback; aLire = (PBYTE) LdrEntry.InMemoryOrderLinks.Flink - FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks) ) { aBuffer.address = &LdrEntry; aProcess.address = aLire; if(continueCallback = kull_m_memory_copy(&aBuffer, &aProcess, sizeof(LdrEntry))) { moduleInformation.DllBase.address = LdrEntry.DllBase; moduleInformation.SizeOfImage = LdrEntry.SizeOfImage; moduleName = LdrEntry.BaseDllName; if(moduleName.Buffer = (PWSTR) LocalAlloc(LPTR, moduleName.MaximumLength)) { aBuffer.address = moduleName.Buffer; aProcess.address = LdrEntry.BaseDllName.Buffer; if(kull_m_memory_copy(&aBuffer, &aProcess, moduleName.MaximumLength)) { kull_m_process_adjustTimeDateStamp(&moduleInformation); continueCallback = callBack(&moduleInformation, pvArg); } LocalFree(moduleName.Buffer); } } } status = STATUS_SUCCESS; } } #if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64 if(continueCallback && NT_SUCCESS(status) && kull_m_process_peb(memory, (PPEB) &Peb32, TRUE)) { status = STATUS_PARTIAL_COPY; aBuffer.address = &LdrData32; aProcess.address = ULongToPtr(Peb32.Ldr); if(kull_m_memory_copy(&aBuffer, &aProcess, sizeof(LdrData32))) { for( aLire = (PBYTE) ULongToPtr(LdrData32.InMemoryOrderModulevector.Flink) - FIELD_OFFSET(LDR_DATA_TABLE_ENTRY_F32, InMemoryOrderLinks), fin = (PBYTE) ULongToPtr(Peb32.Ldr) + FIELD_OFFSET(PEB_LDR_DATA_F32, InLoadOrderModulevector); (aLire != fin) && continueCallback; aLire = (PBYTE) ULongToPtr(LdrEntry32.InMemoryOrderLinks.Flink) - FIELD_OFFSET(LDR_DATA_TABLE_ENTRY_F32, InMemoryOrderLinks) ) { aBuffer.address = &LdrEntry32; aProcess.address = aLire; if(kull_m_memory_copy(&aBuffer, &aProcess, sizeof(LdrEntry32))) { moduleInformation.DllBase.address = ULongToPtr(LdrEntry32.DllBase); moduleInformation.SizeOfImage = LdrEntry32.SizeOfImage; moduleName.Length = LdrEntry32.BaseDllName.Length; moduleName.MaximumLength = LdrEntry32.BaseDllName.MaximumLength; if(moduleName.Buffer = (PWSTR) LocalAlloc(LPTR, moduleName.MaximumLength)) { aBuffer.address = moduleName.Buffer; aProcess.address = ULongToPtr(LdrEntry32.BaseDllName.Buffer); if(kull_m_memory_copy(&aBuffer, &aProcess, moduleName.MaximumLength)) { kull_m_process_adjustTimeDateStamp(&moduleInformation); continueCallback = callBack(&moduleInformation, pvArg); } LocalFree(moduleName.Buffer); } } } status = STATUS_SUCCESS; } } #endif break; case KULL_M_MEMORY_TYPE_PROCESS_DMP: moduleInformation.NameDontUseOutsideCallback = &moduleName; if(pMinidumpModuleList = (PMINIDUMP_MODULE_LIST) kull_m_minidump_stream(memory->pHandleProcessDmp->hMinidump, ModuleListStream)) { for(i = 0; (i < pMinidumpModuleList->NumberOfModules) && continueCallback; i++) { moduleInformation.DllBase.address = (PVOID) pMinidumpModuleList->Modules[i].BaseOfImage; moduleInformation.SizeOfImage = pMinidumpModuleList->Modules[i].SizeOfImage; if(pMinidumpString = (PMINIDUMP_STRING) kull_m_minidump_RVAtoPTR(memory->pHandleProcessDmp->hMinidump, pMinidumpModuleList->Modules[i].ModuleNameRva)) { RtlInitUnicodeString(&moduleName, wcsrchr(pMinidumpString->Buffer, L'\\') + 1); kull_m_process_adjustTimeDateStamp(&moduleInformation); continueCallback = callBack(&moduleInformation, pvArg); } } status = STATUS_SUCCESS; } break; case KULL_M_MEMORY_TYPE_KERNEL: status = kull_m_process_NtQuerySystemInformation(SystemModuleInformation, &modules, 0); if(NT_SUCCESS(status)) { moduleInformation.NameDontUseOutsideCallback = &moduleName; for(i = 0; (i < modules->NumberOfModules) && continueCallback; i++) { moduleInformation.DllBase.address = modules->Modules[i].ImageBase; moduleInformation.SizeOfImage = modules->Modules[i].ImageSize; if(moduleNameW = kull_m_string_qad_ansi_to_unicode((char *) modules->Modules[i].FullPathName + modules->Modules[i].OffsetToFileName)) { RtlInitUnicodeString(&moduleName, moduleNameW); moduleInformation.TimeDateStamp = 0; continueCallback = callBack(&moduleInformation, pvArg); LocalFree(moduleNameW); } } } break; default: status = STATUS_NOT_IMPLEMENTED; break; } return status; }
NTSTATUS kuhl_m_dpapi_wifi(int argc, wchar_t * argv[]) { PBYTE pFile, hex, dataOut; DWORD dwData, lenHex, lenDataOut; LPWSTR dataU, dataSSID, dataF, dataAuth; LPCWSTR infile; PKULL_M_DPAPI_BLOB blob; if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL)) { if(kull_m_file_readData(infile, &pFile, &dwData)) { if(dataU = kull_m_string_qad_ansi_to_unicode((const char *) pFile)) { if(kull_m_string_quickxml_simplefind(dataU, L"name", &dataF)) { kprintf(L"Profile \'%s\'\n\n", dataF); LocalFree(dataF); } if(kull_m_string_quickxml_simplefind(dataU, L"SSID", &dataSSID)) { kprintf(L" * SSID "); if(kull_m_string_quickxml_simplefind(dataSSID, L"name", &dataF)) { kprintf(L"name : %s\n", dataF); LocalFree(dataF); } else if(kull_m_string_quickxml_simplefind(dataSSID, L"hex", &dataF)) { kprintf(L"hex : %s\n", dataF); LocalFree(dataF); } else kprintf(L"?\n"); LocalFree(dataSSID); } if(kull_m_string_quickxml_simplefind(dataU, L"authentication", &dataAuth)) { kprintf(L" * Authentication: %s\n", dataAuth); if(kull_m_string_quickxml_simplefind(dataU, L"encryption", &dataF)) { kprintf(L" * Encryption : %s\n", dataF); LocalFree(dataF); } if(kull_m_string_quickxml_simplefind(dataU, L"keyMaterial", &dataF)) { if(kull_m_string_stringToHexBuffer(dataF, &hex, &lenHex)) { if(blob = kull_m_dpapi_blob_create(hex)) { kprintf(L"\n"); kull_m_dpapi_blob_descr(0, blob); if(kuhl_m_dpapi_unprotect_raw_or_blob(hex, lenHex, NULL, argc, argv, NULL, 0, (LPVOID *) &dataOut, &lenDataOut, NULL)) { kprintf(L" * Key Material : "); if(_wcsicmp(dataAuth, L"WEP") == 0) { kprintf(L"(hex) "); kull_m_string_wprintf_hex(dataOut, lenDataOut, 0); } else kprintf(L"%.*S", lenDataOut, dataOut); kprintf(L"\n"); LocalFree(dataOut); } kull_m_dpapi_blob_delete(blob); } LocalFree(hex); } LocalFree(dataF); } LocalFree(dataAuth); } LocalFree(dataU); } LocalFree(pFile); } else PRINT_ERROR_AUTO(L"kull_m_file_readData"); } else PRINT_ERROR(L"Input Wlan XML profile needed (/in:file)\n"); return STATUS_SUCCESS; }
NTSTATUS kuhl_m_dpapi_keys_capi(int argc, wchar_t * argv[]) { PVOID file, out; PRSA_GENERICKEY_BLOB blob; DWORD szFile, outLen, szBlob; PKULL_M_KEY_CAPI_BLOB capiKey; LPCWSTR infile; PWSTR name; if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL)) { if(kull_m_file_readData(infile, (PBYTE *) &file, &szFile)) { if(capiKey = kull_m_key_capi_create(file)) { kull_m_key_capi_descr(0, capiKey); if(kuhl_m_dpapi_unprotect_raw_or_blob(capiKey->pSiExportFlag, capiKey->dwSiExportFlagLen, NULL, argc, argv, KIWI_DPAPI_ENTROPY_CAPI_KEY_EXPORTFLAGS, sizeof(KIWI_DPAPI_ENTROPY_CAPI_KEY_EXPORTFLAGS), &out, &outLen, L"Decrypting AT_SIGNATURE Export flags:\n")) { kull_m_string_wprintf_hex(out, outLen, 0); kprintf(L"\n"); LocalFree(out); } if(kuhl_m_dpapi_unprotect_raw_or_blob(capiKey->pSiPrivateKey, capiKey->dwSiPrivateKeyLen, NULL, argc, argv, NULL, 0, &out, &outLen, L"Decrypting AT_SIGNATURE Private Key:\n")) { kull_m_string_wprintf_hex(out, outLen, 0); kprintf(L"\n"); if(kull_m_key_capi_decryptedkey_to_raw(out, outLen, &blob, &szBlob)) { if(name = kull_m_string_qad_ansi_to_unicode(capiKey->pName)) { kuhl_m_crypto_exportRawKeyToFile(blob, szBlob, FALSE, L"raw_signature", 0, name, TRUE, TRUE); LocalFree(name); } LocalFree(blob); } LocalFree(out); } if(kuhl_m_dpapi_unprotect_raw_or_blob(capiKey->pExExportFlag, capiKey->dwExExportFlagLen, NULL, argc, argv, KIWI_DPAPI_ENTROPY_CAPI_KEY_EXPORTFLAGS, sizeof(KIWI_DPAPI_ENTROPY_CAPI_KEY_EXPORTFLAGS), &out, &outLen, L"Decrypting AT_EXCHANGE Export flags:\n")) { kull_m_string_wprintf_hex(out, outLen, 0); kprintf(L"\n"); LocalFree(out); } if(kuhl_m_dpapi_unprotect_raw_or_blob(capiKey->pExPrivateKey, capiKey->dwExPrivateKeyLen, NULL, argc, argv, NULL, 0, &out, &outLen, L"Decrypting AT_EXCHANGE Private Key:\n")) { kull_m_string_wprintf_hex(out, outLen, 0); kprintf(L"\n"); if(kull_m_key_capi_decryptedkey_to_raw(out, outLen, &blob, &szBlob)) { if(name = kull_m_string_qad_ansi_to_unicode(capiKey->pName)) { kuhl_m_crypto_exportRawKeyToFile(blob, szBlob, FALSE, L"raw_exchange", 0, name, TRUE, TRUE); LocalFree(name); } LocalFree(blob); } LocalFree(out); } kull_m_key_capi_delete(capiKey); } LocalFree(file); } else PRINT_ERROR_AUTO(L"kull_m_file_readData"); } else PRINT_ERROR(L"Input CAPI private key file needed (/in:file)\n"); return STATUS_SUCCESS; }