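/*
 * Prints the fields of a parsed CAPI key blob, indented two columns per level.
 *
 * level   : nesting depth; the output is padded with (level << 1) spaces.
 * capiKey : blob to describe; when NULL only the title line is printed.
 *
 * The length fields are shown in hex and decimal, the hash and public keys as
 * hex, and each non-empty private key / export flag buffer is handed to
 * kull_m_dpapi_blob_quick_descr one level deeper.
 */
void kull_m_key_capi_descr(DWORD level, PKULL_M_KEY_CAPI_BLOB capiKey)
{
	// printf-style '*' width arguments are read as int
	const int pad = (int) (level << 1);

	kprintf(L"%*s" L"**KEY (capi)**\n", pad, L"");
	if(!capiKey)
		return;

	kprintf(L"%*s" L" dwVersion : %08x - %u\n", pad, L"", capiKey->dwVersion, capiKey->dwVersion);
	kprintf(L"%*s" L" dwUniqueNameLen : %08x - %u\n", pad, L"", capiKey->dwNameLen, capiKey->dwNameLen);
	kprintf(L"%*s" L" dwSiPublicKeyLen : %08x - %u\n", pad, L"", capiKey->dwSiPublicKeyLen, capiKey->dwSiPublicKeyLen);
	kprintf(L"%*s" L" dwSiPrivateKeyLen : %08x - %u\n", pad, L"", capiKey->dwSiPrivateKeyLen, capiKey->dwSiPrivateKeyLen);
	kprintf(L"%*s" L" dwExPublicKeyLen : %08x - %u\n", pad, L"", capiKey->dwExPublicKeyLen, capiKey->dwExPublicKeyLen);
	kprintf(L"%*s" L" dwExPrivateKeyLen : %08x - %u\n", pad, L"", capiKey->dwExPrivateKeyLen, capiKey->dwExPrivateKeyLen);
	kprintf(L"%*s" L" dwHashLen : %08x - %u\n", pad, L"", capiKey->dwHashLen, capiKey->dwHashLen);
	kprintf(L"%*s" L" dwSiExportFlagLen : %08x - %u\n", pad, L"", capiKey->dwSiExportFlagLen, capiKey->dwSiExportFlagLen);
	kprintf(L"%*s" L" dwExExportFlagLen : %08x - %u\n", pad, L"", capiKey->dwExExportFlagLen, capiKey->dwExExportFlagLen);

	kprintf(L"%*s" L" pUniqueName : ", pad, L"");
	// Bound the narrow name by its recorded length, as the CNG describer does
	// for its own name, so a name that lacks a terminator is not read past
	// dwNameLen bytes. NOTE(review): assumes pName holds dwNameLen bytes; confirm
	// against the code that builds the blob.
	kprintf(L"%.*S\n", (int) capiKey->dwNameLen, capiKey->pName);

	kprintf(L"%*s" L" pHash : ", pad, L"");
	kull_m_string_wprintf_hex(capiKey->pHash, capiKey->dwHashLen, 0);
	kprintf(L"\n");

	// Signature key pair
	kprintf(L"%*s" L" pSiPublicKey : ", pad, L"");
	kull_m_string_wprintf_hex(capiKey->pSiPublicKey, capiKey->dwSiPublicKeyLen, 0);
	kprintf(L"\n");
	kprintf(L"%*s" L" pSiPrivateKey :\n", pad, L"");
	if(capiKey->pSiPrivateKey && capiKey->dwSiPrivateKeyLen)
		kull_m_dpapi_blob_quick_descr(level + 1, capiKey->pSiPrivateKey);
	kprintf(L"%*s" L" pSiExportFlag :\n", pad, L"");
	if(capiKey->pSiExportFlag && capiKey->dwSiExportFlagLen)
		kull_m_dpapi_blob_quick_descr(level + 1, capiKey->pSiExportFlag);

	// Exchange key pair
	kprintf(L"%*s" L" pExPublicKey : ", pad, L"");
	kull_m_string_wprintf_hex(capiKey->pExPublicKey, capiKey->dwExPublicKeyLen, 0);
	kprintf(L"\n");
	kprintf(L"%*s" L" pExPrivateKey :\n", pad, L"");
	if(capiKey->pExPrivateKey && capiKey->dwExPrivateKeyLen)
		kull_m_dpapi_blob_quick_descr(level + 1, capiKey->pExPrivateKey);
	kprintf(L"%*s" L" pExExportFlag :\n", pad, L"");
	if(capiKey->pExExportFlag && capiKey->dwExExportFlagLen)
		kull_m_dpapi_blob_quick_descr(level + 1, capiKey->pExExportFlag);
}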
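/*
 * Reads the file named by the /in: argument, describes the DPAPI blob it wraps,
 * passes that blob to kuhl_m_dpapi_unprotect_raw_or_blob and, when that
 * succeeds, builds and prints the credential from the output buffer.
 *
 * argc, argv : command arguments; "in" is required and the whole vector is
 *              forwarded to the unprotect helper.
 * Returns STATUS_SUCCESS in every case; failures are reported with
 * PRINT_ERROR / PRINT_ERROR_AUTO.
 *
 * The input file is untrusted: its header and the blob size it declares are
 * checked against the number of bytes actually read before they are used.
 */
NTSTATUS kuhl_m_dpapi_cred(int argc, wchar_t * argv[])
{
	PCWSTR infile;
	PVOID file, out;
	DWORD szFile, szOut, cbHeader;
	PKUHL_M_DPAPI_ENCRYPTED_CRED encCred;
	PKULL_M_CRED_BLOB cred;

	if(!kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
	{
		PRINT_ERROR(L"Input CRED file needed (/in:file)\n");
		return STATUS_SUCCESS;
	}
	if(!kull_m_file_readData(infile, (PBYTE *) &file, &szFile))
	{
		PRINT_ERROR_AUTO(L"kull_m_file_readData");
		return STATUS_SUCCESS;
	}

	encCred = (PKUHL_M_DPAPI_ENCRYPTED_CRED) file;
	// Offset of the embedded blob inside the file; address arithmetic only.
	// NOTE(review): assumes blob is an inline array member, as its direct use
	// as the blob pointer suggests.
	cbHeader = (DWORD) ((PBYTE) encCred->blob - (PBYTE) file);

	// Reject files too short to hold the header, and declared blob sizes that
	// run past the end of the data read, before any field is trusted.
	if((szFile >= sizeof(*encCred)) && (encCred->blobSize <= (szFile - cbHeader)))
	{
		kull_m_dpapi_blob_quick_descr(0, encCred->blob);
		if(kuhl_m_dpapi_unprotect_raw_or_blob(encCred->blob, encCred->blobSize, NULL, argc, argv, NULL, 0, &out, &szOut, L"Decrypting Credential:\n"))
		{
			cred = kull_m_cred_create(out);
			if(cred)
			{
				kull_m_cred_descr(0, cred);
				kull_m_cred_delete(cred);
			}
			LocalFree(out);
		}
	}
	else PRINT_ERROR(L"Input CRED file is truncated or declares an invalid blob size\n");

	LocalFree(file);
	return STATUS_SUCCESS;
}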
/*
 * Prints a vault policy key: the two GUID fields unk0 and unk1, then a quick
 * description of the DPAPI blob in KeyBlob, one level deeper.
 *
 * level : nesting depth; lines are padded with (level << 1) spaces.
 * key   : structure to describe; when NULL only the title line is printed.
 */
void kull_m_cred_vault_policy_key_descr(DWORD level, PKULL_M_CRED_VAULT_POLICY_KEY key)
{
	const DWORD pad = level << 1;

	kprintf(L"%*s" L"**VAULT POLICY KEY**\n", pad, L"");
	if(!key)
		return;

	kprintf(L"%*s" L" unk0 : ", pad, L"");
	kull_m_string_displayGUID(&key->unk0);
	kprintf(L"\n");

	kprintf(L"%*s" L" unk1 : ", pad, L"");
	kull_m_string_displayGUID(&key->unk1);
	kprintf(L"\n");

	// KeyBlob is passed on as is; no NULL or length test is made here
	kull_m_dpapi_blob_quick_descr(level + 1, key->KeyBlob);
	kprintf(L"\n");
}
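/*
 * Prints the fields of a parsed CNG key blob, indented two columns per level.
 *
 * level  : nesting depth; the output is padded with (level << 1) spaces.
 * cngKey : blob to describe; when NULL only the title line is printed.
 *
 * Scalar fields are shown in hex and decimal, unkArray as hex, the public
 * properties through kull_m_key_cng_properties_descr, and each non-empty
 * private buffer through kull_m_dpapi_blob_quick_descr one level deeper.
 */
void kull_m_key_cng_descr(DWORD level, PKULL_M_KEY_CNG_BLOB cngKey)
{
	// printf-style '*' width and precision arguments are read as int
	const int pad = (int) (level << 1);

	kprintf(L"%*s" L"**KEY (cng)**\n", pad, L"");
	if(!cngKey)
		return;

	kprintf(L"%*s" L" dwVersion : %08x - %u\n", pad, L"", cngKey->dwVersion, cngKey->dwVersion);
	kprintf(L"%*s" L" unk : %08x - %u\n", pad, L"", cngKey->unk, cngKey->unk);
	kprintf(L"%*s" L" dwNameLen : %08x - %u\n", pad, L"", cngKey->dwNameLen, cngKey->dwNameLen);
	kprintf(L"%*s" L" type : %08x - %u\n", pad, L"", cngKey->type, cngKey->type);
	kprintf(L"%*s" L" dwPublicPropertiesLen : %08x - %u\n", pad, L"", cngKey->dwPublicPropertiesLen, cngKey->dwPublicPropertiesLen);
	kprintf(L"%*s" L" dwPrivatePropertiesLen: %08x - %u\n", pad, L"", cngKey->dwPrivatePropertiesLen, cngKey->dwPrivatePropertiesLen);
	kprintf(L"%*s" L" dwPrivateKeyLen : %08x - %u\n", pad, L"", cngKey->dwPrivateKeyLen, cngKey->dwPrivateKeyLen);

	kprintf(L"%*s" L" unkArray[16] : ", pad, L"");
	kull_m_string_wprintf_hex(cngKey->unkArray, sizeof(cngKey->unkArray), 0);
	kprintf(L"\n");

	kprintf(L"%*s" L" pName : ", pad, L"");
	// dwNameLen is divided by sizeof(wchar_t) to get a character count. The
	// quotient is a size_t, so it is cast: passing a size_t where the format
	// expects an int precision is a type mismatch.
	kprintf(L"%.*s\n", (int) (cngKey->dwNameLen / sizeof(wchar_t)), cngKey->pName);

	kprintf(L"%*s" L" pPublicProperties : ", pad, L"");
	// NOTE(review): the count passed here is cbPublicProperties, not the
	// dwPublicPropertiesLen printed above; confirm the two are kept in step.
	kull_m_key_cng_properties_descr(level + 1, cngKey->pPublicProperties, cngKey->cbPublicProperties);

	kprintf(L"%*s" L" pPrivateProperties :\n", pad, L"");
	if(cngKey->pPrivateProperties && cngKey->dwPrivatePropertiesLen)
		kull_m_dpapi_blob_quick_descr(level + 1, cngKey->pPrivateProperties);

	kprintf(L"%*s" L" pPrivateKey :\n", pad, L"");
	if(cngKey->pPrivateKey && cngKey->dwPrivateKeyLen)
		kull_m_dpapi_blob_quick_descr(level + 1, cngKey->pPrivateKey);
}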
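/*
 * Reads the file named by the /in: argument and handles it in one of two ways:
 *  - if the bytes at offset sizeof(DWORD) equal KULL_M_DPAPI_GUID_PROVIDER, the
 *    whole file is treated as a DPAPI blob holding legacy credential(s);
 *  - otherwise the file is treated as an encrypted-credential wrapper whose
 *    blob and blobSize fields locate the DPAPI blob.
 * The blob is described, passed to kuhl_m_dpapi_unprotect_raw_or_blob and, when
 * that succeeds, the output buffer is parsed and printed.
 *
 * argc, argv : command arguments; "in" is required and the whole vector is
 *              forwarded to the unprotect helper.
 * Returns STATUS_SUCCESS in every case; failures are reported with
 * PRINT_ERROR / PRINT_ERROR_AUTO.
 *
 * The input file is untrusted: the GUID probe, the wrapper header and the
 * declared blob size are checked against the number of bytes actually read.
 */
NTSTATUS kuhl_m_dpapi_cred(int argc, wchar_t * argv[])
{
	PCWSTR infile;
	PVOID file, out, blob;
	DWORD szFile, szOut, cbBlob, cbHeader;
	BOOL isNT5Cred;
	PKUHL_M_DPAPI_ENCRYPTED_CRED encCred;
	PKULL_M_CRED_BLOB cred;
	PKULL_M_CRED_LEGACY_CREDS_BLOB legacyCreds;

	if(!kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
	{
		PRINT_ERROR(L"Input CRED file needed (/in:file)\n");
		return STATUS_SUCCESS;
	}
	if(!kull_m_file_readData(infile, (PBYTE *) &file, &szFile))
	{
		PRINT_ERROR_AUTO(L"kull_m_file_readData");
		return STATUS_SUCCESS;
	}

	// Only compare the provider GUID when the file is long enough to hold it
	isNT5Cred = (szFile >= (sizeof(DWORD) + sizeof(KULL_M_DPAPI_GUID_PROVIDER)))
		&& RtlEqualGuid((PBYTE) file + sizeof(DWORD), &KULL_M_DPAPI_GUID_PROVIDER);

	encCred = (PKUHL_M_DPAPI_ENCRYPTED_CRED) file;
	// Offset of the embedded blob inside the file; address arithmetic only.
	// NOTE(review): assumes blob is an inline array member, as its direct use
	// as the blob pointer suggests.
	cbHeader = (DWORD) ((PBYTE) encCred->blob - (PBYTE) file);

	blob = NULL;
	cbBlob = 0;
	if(isNT5Cred)
	{
		blob = file;
		cbBlob = szFile;
	}
	else if((szFile >= sizeof(*encCred)) && (encCred->blobSize <= (szFile - cbHeader)))
	{
		// Header fits and the declared size stays inside the data read
		blob = encCred->blob;
		cbBlob = encCred->blobSize;
	}

	if(blob)
	{
		kull_m_dpapi_blob_quick_descr(0, blob);
		if(kuhl_m_dpapi_unprotect_raw_or_blob(blob, cbBlob, NULL, argc, argv, NULL, 0, &out, &szOut, isNT5Cred ? L"Decrypting Legacy Credential(s):\n" : L"Decrypting Credential:\n"))
		{
			if(isNT5Cred)
			{
				legacyCreds = kull_m_cred_legacy_creds_create(out);
				if(legacyCreds)
				{
					kull_m_cred_legacy_creds_descr(0, legacyCreds);
					kull_m_cred_legacy_creds_delete(legacyCreds);
				}
			}
			else
			{
				cred = kull_m_cred_create(out);
				if(cred)
				{
					kull_m_cred_descr(0, cred);
					kull_m_cred_delete(cred);
				}
			}
			LocalFree(out);
		}
	}
	else PRINT_ERROR(L"Input CRED file is truncated or declares an invalid blob size\n");

	LocalFree(file);
	return STATUS_SUCCESS;
}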