mirror of
https://github.com/login-securite/DonPAPI
synced 2025-01-06 22:49:55 +00:00
716 lines
20 KiB
Python
716 lines
20 KiB
Python
|
# Vault Structure has been taken from mimikatz
|
||
|
from ctypes.wintypes import *
|
||
|
from ctypes import *
|
||
|
|
||
|
import sys
|
||
|
import os
|
||
|
|
||
|
try:
|
||
|
import _winreg as winreg
|
||
|
except ImportError:
|
||
|
import winreg
|
||
|
|
||
|
LPTSTR = LPSTR
|
||
|
LPCTSTR = LPSTR
|
||
|
PHANDLE = POINTER(HANDLE)
|
||
|
HANDLE = LPVOID
|
||
|
LPDWORD = POINTER(DWORD)
|
||
|
PVOID = c_void_p
|
||
|
INVALID_HANDLE_VALUE = c_void_p(-1).value
|
||
|
NTSTATUS = ULONG()
|
||
|
PWSTR = c_wchar_p
|
||
|
LPWSTR = c_wchar_p
|
||
|
PBYTE = POINTER(BYTE)
|
||
|
LPBYTE = POINTER(BYTE)
|
||
|
PSID = PVOID
|
||
|
LONG = c_long
|
||
|
WORD = c_uint16
|
||
|
|
||
|
# #############################- Constants ##############################
|
||
|
|
||
|
# Credential Manager
|
||
|
CRYPTPROTECT_UI_FORBIDDEN = 0x01
|
||
|
CRED_TYPE_GENERIC = 0x1
|
||
|
CRED_TYPE_DOMAIN_VISIBLE_PASSWORD = 0x4
|
||
|
|
||
|
# Regedit
|
||
|
HKEY_CURRENT_USER = -2147483647
|
||
|
HKEY_LOCAL_MACHINE = -2147483646
|
||
|
KEY_READ = 131097
|
||
|
KEY_ENUMERATE_SUB_KEYS = 8
|
||
|
KEY_QUERY_VALUE = 1
|
||
|
|
||
|
# custom key to read registry (not from msdn)
|
||
|
ACCESS_READ = KEY_READ | KEY_ENUMERATE_SUB_KEYS | KEY_QUERY_VALUE
|
||
|
|
||
|
# Token manipulation
|
||
|
PROCESS_QUERY_INFORMATION = 0x0400
|
||
|
STANDARD_RIGHTS_REQUIRED = 0x000F0000
|
||
|
READ_CONTROL = 0x00020000
|
||
|
STANDARD_RIGHTS_READ = READ_CONTROL
|
||
|
TOKEN_ASSIGN_PRIMARY = 0x0001
|
||
|
TOKEN_DUPLICATE = 0x0002
|
||
|
TOKEN_IMPERSONATE = 0x0004
|
||
|
TOKEN_QUERY = 0x0008
|
||
|
TOKEN_QUERY_SOURCE = 0x0010
|
||
|
TOKEN_ADJUST_PRIVILEGES = 0x0020
|
||
|
TOKEN_ADJUST_GROUPS = 0x0040
|
||
|
TOKEN_ADJUST_DEFAULT = 0x0080
|
||
|
TOKEN_ADJUST_SESSIONID = 0x0100
|
||
|
TOKEN_READ = (STANDARD_RIGHTS_READ | TOKEN_QUERY)
|
||
|
tokenprivs = (
|
||
|
TOKEN_QUERY | TOKEN_READ | TOKEN_IMPERSONATE | TOKEN_QUERY_SOURCE | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | (
|
||
|
131072 | 4))
|
||
|
TOKEN_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED | TOKEN_ASSIGN_PRIMARY |
|
||
|
TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_QUERY_SOURCE |
|
||
|
TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_ADJUST_DEFAULT |
|
||
|
TOKEN_ADJUST_SESSIONID)
|
||
|
|
||
|
SE_DEBUG_PRIVILEGE = 20
|
||
|
|
||
|
|
||
|
# ############################# Structures ##############################
|
||
|
|
||
|
class CREDENTIAL_ATTRIBUTE(Structure):
|
||
|
_fields_ = [
|
||
|
('Keyword', LPSTR),
|
||
|
('Flags', DWORD),
|
||
|
('ValueSize', DWORD),
|
||
|
('Value', LPBYTE)
|
||
|
]
|
||
|
|
||
|
|
||
|
PCREDENTIAL_ATTRIBUTE = POINTER(CREDENTIAL_ATTRIBUTE)
|
||
|
|
||
|
|
||
|
class CREDENTIAL(Structure):
|
||
|
_fields_ = [
|
||
|
('Flags', DWORD),
|
||
|
('Type', DWORD),
|
||
|
('TargetName', LPSTR),
|
||
|
('Comment', LPSTR),
|
||
|
('LastWritten', FILETIME),
|
||
|
('CredentialBlobSize', DWORD),
|
||
|
# ('CredentialBlob', POINTER(BYTE)),
|
||
|
('CredentialBlob', POINTER(c_char)),
|
||
|
('Persist', DWORD),
|
||
|
('AttributeCount', DWORD),
|
||
|
('Attributes', PCREDENTIAL_ATTRIBUTE),
|
||
|
('TargetAlias', LPSTR),
|
||
|
('UserName', LPSTR)
|
||
|
]
|
||
|
|
||
|
|
||
|
PCREDENTIAL = POINTER(CREDENTIAL)
|
||
|
|
||
|
|
||
|
class DATA_BLOB(Structure):
|
||
|
_fields_ = [
|
||
|
('cbData', DWORD),
|
||
|
('pbData', POINTER(c_char))
|
||
|
]
|
||
|
|
||
|
|
||
|
class GUID(Structure):
|
||
|
_fields_ = [
|
||
|
("data1", DWORD),
|
||
|
("data2", WORD),
|
||
|
("data3", WORD),
|
||
|
("data4", BYTE * 6)
|
||
|
]
|
||
|
|
||
|
|
||
|
LPGUID = POINTER(GUID)
|
||
|
|
||
|
|
||
|
class VAULT_CREDENTIAL_ATTRIBUTEW(Structure):
|
||
|
_fields_ = [
|
||
|
('keyword', LPWSTR),
|
||
|
('flags', DWORD),
|
||
|
('badAlign', DWORD),
|
||
|
('valueSize', DWORD),
|
||
|
('value', LPBYTE),
|
||
|
]
|
||
|
|
||
|
|
||
|
PVAULT_CREDENTIAL_ATTRIBUTEW = POINTER(VAULT_CREDENTIAL_ATTRIBUTEW)
|
||
|
|
||
|
|
||
|
class VAULT_BYTE_BUFFER(Structure):
|
||
|
_fields_ = [
|
||
|
('length', DWORD),
|
||
|
('value', PBYTE),
|
||
|
]
|
||
|
|
||
|
|
||
|
class DATA(Structure):
|
||
|
_fields_ = [
|
||
|
# ('boolean', BOOL),
|
||
|
# ('short', SHORT),
|
||
|
# ('unsignedShort', WORD),
|
||
|
# ('int', LONG),
|
||
|
# ('unsignedInt', ULONG),
|
||
|
# ('double', DOUBLE),
|
||
|
('guid', GUID),
|
||
|
('string', LPWSTR),
|
||
|
('byteArray', VAULT_BYTE_BUFFER),
|
||
|
('protectedArray', VAULT_BYTE_BUFFER),
|
||
|
('attribute', PVAULT_CREDENTIAL_ATTRIBUTEW),
|
||
|
# ('Sid', PSID)
|
||
|
('sid', DWORD)
|
||
|
]
|
||
|
|
||
|
|
||
|
class Flag(Structure):
|
||
|
_fields_ = [
|
||
|
('0x00', DWORD),
|
||
|
('0x01', DWORD),
|
||
|
('0x02', DWORD),
|
||
|
('0x03', DWORD),
|
||
|
('0x04', DWORD),
|
||
|
('0x05', DWORD),
|
||
|
('0x06', DWORD),
|
||
|
('0x07', DWORD),
|
||
|
('0x08', DWORD),
|
||
|
('0x09', DWORD),
|
||
|
('0x0a', DWORD),
|
||
|
('0x0b', DWORD),
|
||
|
('0x0c', DWORD),
|
||
|
('0x0d', DWORD)
|
||
|
]
|
||
|
|
||
|
|
||
|
class VAULT_ITEM_DATA(Structure):
|
||
|
_fields_ = [
|
||
|
# ('schemaElementId', DWORD),
|
||
|
# ('unk0', DWORD),
|
||
|
# ('Type', DWORD),
|
||
|
# ('unk1', DWORD),
|
||
|
('data', DATA),
|
||
|
]
|
||
|
|
||
|
|
||
|
PVAULT_ITEM_DATA = POINTER(VAULT_ITEM_DATA)
|
||
|
|
||
|
|
||
|
# From https://github.com/gentilkiwi/mimikatz/blob/b008188f9fe5668b5dae80c210290c7efa872ffa/mimikatz/modules/kuhl_m_vault.h#L157
|
||
|
class VAULT_ITEM_WIN8(Structure):
|
||
|
_fields_ = [
|
||
|
('id', GUID),
|
||
|
('pName', PWSTR),
|
||
|
('pResource', PVAULT_ITEM_DATA),
|
||
|
('pUsername', PVAULT_ITEM_DATA),
|
||
|
('pPassword', PVAULT_ITEM_DATA),
|
||
|
('pPackageSid', PVAULT_ITEM_DATA),
|
||
|
('LastWritten', FILETIME),
|
||
|
('Flags', DWORD),
|
||
|
('cbProperties', DWORD),
|
||
|
('Properties', PVAULT_ITEM_DATA),
|
||
|
]
|
||
|
|
||
|
|
||
|
PVAULT_ITEM_WIN8 = POINTER(VAULT_ITEM_WIN8)
|
||
|
|
||
|
|
||
|
# From https://github.com/gentilkiwi/mimikatz/blob/b008188f9fe5668b5dae80c210290c7efa872ffa/mimikatz/modules/kuhl_m_vault.h#L145
|
||
|
class VAULT_ITEM_WIN7(Structure):
|
||
|
_fields_ = [
|
||
|
('id', GUID),
|
||
|
('pName', PWSTR),
|
||
|
('pResource', PVAULT_ITEM_DATA),
|
||
|
('pUsername', PVAULT_ITEM_DATA),
|
||
|
('pPassword', PVAULT_ITEM_DATA),
|
||
|
('LastWritten', FILETIME),
|
||
|
('Flags', DWORD),
|
||
|
('cbProperties', DWORD),
|
||
|
('Properties', PVAULT_ITEM_DATA),
|
||
|
]
|
||
|
|
||
|
|
||
|
PVAULT_ITEM_WIN7 = POINTER(VAULT_ITEM_WIN7)
|
||
|
|
||
|
class OSVERSIONINFOEXW(Structure):
|
||
|
_fields_ = [
|
||
|
('dwOSVersionInfoSize', c_ulong),
|
||
|
('dwMajorVersion', c_ulong),
|
||
|
('dwMinorVersion', c_ulong),
|
||
|
('dwBuildNumber', c_ulong),
|
||
|
('dwPlatformId', c_ulong),
|
||
|
('szCSDVersion', c_wchar * 128),
|
||
|
('wServicePackMajor', c_ushort),
|
||
|
('wServicePackMinor', c_ushort),
|
||
|
('wSuiteMask', c_ushort),
|
||
|
('wProductType', c_byte),
|
||
|
('wReserved', c_byte)
|
||
|
]
|
||
|
|
||
|
|
||
|
class CRYPTPROTECT_PROMPTSTRUCT(Structure):
|
||
|
_fields_ = [
|
||
|
('cbSize', DWORD),
|
||
|
('dwPromptFlags', DWORD),
|
||
|
('hwndApp', HWND),
|
||
|
('szPrompt', LPCWSTR),
|
||
|
]
|
||
|
|
||
|
|
||
|
PCRYPTPROTECT_PROMPTSTRUCT = POINTER(CRYPTPROTECT_PROMPTSTRUCT)
|
||
|
|
||
|
|
||
|
class LUID(Structure):
|
||
|
_fields_ = [
|
||
|
("LowPart", DWORD),
|
||
|
("HighPart", LONG),
|
||
|
]
|
||
|
|
||
|
|
||
|
PLUID = POINTER(LUID)
|
||
|
|
||
|
|
||
|
class SID_AND_ATTRIBUTES(Structure):
|
||
|
_fields_ = [
|
||
|
("Sid", PSID),
|
||
|
("Attributes", DWORD),
|
||
|
]
|
||
|
|
||
|
|
||
|
class TOKEN_USER(Structure):
|
||
|
_fields_ = [
|
||
|
("User", SID_AND_ATTRIBUTES), ]
|
||
|
|
||
|
|
||
|
class LUID_AND_ATTRIBUTES(Structure):
|
||
|
_fields_ = [
|
||
|
("Luid", LUID),
|
||
|
("Attributes", DWORD),
|
||
|
]
|
||
|
|
||
|
|
||
|
class TOKEN_PRIVILEGES(Structure):
|
||
|
_fields_ = [
|
||
|
("PrivilegeCount", DWORD),
|
||
|
("Privileges", LUID_AND_ATTRIBUTES),
|
||
|
]
|
||
|
|
||
|
|
||
|
PTOKEN_PRIVILEGES = POINTER(TOKEN_PRIVILEGES)
|
||
|
|
||
|
|
||
|
class SECURITY_ATTRIBUTES(Structure):
|
||
|
_fields_ = [
|
||
|
("nLength", DWORD),
|
||
|
("lpSecurityDescriptor", LPVOID),
|
||
|
("bInheritHandle", BOOL),
|
||
|
]
|
||
|
|
||
|
|
||
|
PSECURITY_ATTRIBUTES = POINTER(SECURITY_ATTRIBUTES)
|
||
|
|
||
|
|
||
|
class SID_NAME_USE(DWORD):
|
||
|
_sid_types = dict(enumerate('''
|
||
|
User Group Domain Alias WellKnownGroup DeletedAccount
|
||
|
Invalid Unknown Computer Label'''.split(), 1))
|
||
|
|
||
|
def __init__(self, value=None):
|
||
|
if value is not None:
|
||
|
if value not in self.sid_types:
|
||
|
raise ValueError('invalid SID type')
|
||
|
DWORD.__init__(value)
|
||
|
|
||
|
def __str__(self):
|
||
|
if self.value not in self._sid_types:
|
||
|
raise ValueError('invalid SID type')
|
||
|
return self._sid_types[self.value]
|
||
|
|
||
|
def __repr__(self):
|
||
|
return 'SID_NAME_USE(%s)' % self.value
|
||
|
|
||
|
|
||
|
PSID_NAME_USE = POINTER(SID_NAME_USE)
|
||
|
|
||
|
# ############################# Load dlls ##############################
|
||
|
|
||
|
advapi32 = WinDLL('advapi32', use_last_error=True)
|
||
|
crypt32 = WinDLL('crypt32', use_last_error=True)
|
||
|
kernel32 = WinDLL('kernel32', use_last_error=True)
|
||
|
psapi = WinDLL('psapi', use_last_error=True)
|
||
|
ntdll = WinDLL('ntdll', use_last_error=True)
|
||
|
|
||
|
# ############################# Functions ##############################
|
||
|
|
||
|
RevertToSelf = advapi32.RevertToSelf
|
||
|
RevertToSelf.restype = BOOL
|
||
|
RevertToSelf.argtypes = []
|
||
|
|
||
|
ImpersonateLoggedOnUser = advapi32.ImpersonateLoggedOnUser
|
||
|
ImpersonateLoggedOnUser.restype = BOOL
|
||
|
ImpersonateLoggedOnUser.argtypes = [HANDLE]
|
||
|
|
||
|
DuplicateTokenEx = advapi32.DuplicateTokenEx
|
||
|
DuplicateTokenEx.restype = BOOL
|
||
|
DuplicateTokenEx.argtypes = [HANDLE, DWORD, PSECURITY_ATTRIBUTES, DWORD, DWORD, POINTER(HANDLE)]
|
||
|
|
||
|
AdjustTokenPrivileges = advapi32.AdjustTokenPrivileges
|
||
|
AdjustTokenPrivileges.restype = BOOL
|
||
|
AdjustTokenPrivileges.argtypes = [HANDLE, BOOL, PTOKEN_PRIVILEGES, DWORD, PTOKEN_PRIVILEGES, POINTER(DWORD)]
|
||
|
|
||
|
LookupPrivilegeValueA = advapi32.LookupPrivilegeValueA
|
||
|
LookupPrivilegeValueA.restype = BOOL
|
||
|
LookupPrivilegeValueA.argtypes = [LPCTSTR, LPCTSTR, PLUID]
|
||
|
|
||
|
ConvertSidToStringSid = advapi32.ConvertSidToStringSidW
|
||
|
ConvertSidToStringSid.restype = BOOL
|
||
|
ConvertSidToStringSid.argtypes = [DWORD, POINTER(LPWSTR)]
|
||
|
|
||
|
LookupAccountSid = advapi32.LookupAccountSidW
|
||
|
LookupAccountSid.restype = BOOL
|
||
|
LookupAccountSid.argtypes = [LPCWSTR, PSID, LPCWSTR, LPDWORD, LPCWSTR, LPDWORD, PSID_NAME_USE]
|
||
|
|
||
|
LocalAlloc = kernel32.LocalAlloc
|
||
|
LocalAlloc.restype = HANDLE
|
||
|
LocalAlloc.argtypes = [PSID, DWORD]
|
||
|
|
||
|
GetTokenInformation = advapi32.GetTokenInformation
|
||
|
GetTokenInformation.restype = BOOL
|
||
|
GetTokenInformation.argtypes = [HANDLE, DWORD, LPVOID, DWORD, POINTER(DWORD)]
|
||
|
|
||
|
OpenProcess = kernel32.OpenProcess
|
||
|
OpenProcess.restype = HANDLE
|
||
|
OpenProcess.argtypes = [DWORD, BOOL, DWORD]
|
||
|
|
||
|
OpenProcessToken = advapi32.OpenProcessToken
|
||
|
OpenProcessToken.restype = BOOL
|
||
|
OpenProcessToken.argtypes = [HANDLE, DWORD, POINTER(HANDLE)]
|
||
|
|
||
|
CloseHandle = kernel32.CloseHandle
|
||
|
CloseHandle.restype = BOOL
|
||
|
CloseHandle.argtypes = [HANDLE]
|
||
|
|
||
|
CredEnumerate = advapi32.CredEnumerateA
|
||
|
CredEnumerate.restype = BOOL
|
||
|
CredEnumerate.argtypes = [LPCTSTR, DWORD, POINTER(DWORD), POINTER(POINTER(PCREDENTIAL))]
|
||
|
|
||
|
CredFree = advapi32.CredFree
|
||
|
CredFree.restype = PVOID
|
||
|
CredFree.argtypes = [PVOID]
|
||
|
|
||
|
LocalFree = kernel32.LocalFree
|
||
|
LocalFree.restype = HANDLE
|
||
|
LocalFree.argtypes = [HANDLE]
|
||
|
|
||
|
CryptUnprotectData = crypt32.CryptUnprotectData
|
||
|
CryptUnprotectData.restype = BOOL
|
||
|
CryptUnprotectData.argtypes = [POINTER(DATA_BLOB), POINTER(LPWSTR), POINTER(DATA_BLOB), PVOID,
|
||
|
PCRYPTPROTECT_PROMPTSTRUCT, DWORD, POINTER(DATA_BLOB)]
|
||
|
|
||
|
# these functions do not exist on XP workstations
|
||
|
try:
|
||
|
prototype = WINFUNCTYPE(ULONG, DWORD, LPDWORD, POINTER(LPGUID))
|
||
|
vaultEnumerateVaults = prototype(("VaultEnumerateVaults", windll.vaultcli))
|
||
|
|
||
|
prototype = WINFUNCTYPE(ULONG, LPGUID, DWORD, HANDLE)
|
||
|
vaultOpenVault = prototype(("VaultOpenVault", windll.vaultcli))
|
||
|
|
||
|
prototype = WINFUNCTYPE(ULONG, HANDLE, DWORD, LPDWORD, POINTER(c_char_p))
|
||
|
vaultEnumerateItems = prototype(("VaultEnumerateItems", windll.vaultcli))
|
||
|
|
||
|
prototype = WINFUNCTYPE(ULONG, HANDLE, LPGUID, PVAULT_ITEM_DATA, PVAULT_ITEM_DATA, PVAULT_ITEM_DATA, HWND, DWORD,
|
||
|
POINTER(PVAULT_ITEM_WIN8))
|
||
|
vaultGetItem8 = prototype(("VaultGetItem", windll.vaultcli))
|
||
|
|
||
|
prototype = WINFUNCTYPE(ULONG, HANDLE, LPGUID, PVAULT_ITEM_DATA, PVAULT_ITEM_DATA, HWND, DWORD, POINTER(PVAULT_ITEM_WIN7))
|
||
|
vaultGetItem7 = prototype(("VaultGetItem", windll.vaultcli))
|
||
|
|
||
|
prototype = WINFUNCTYPE(ULONG, LPVOID)
|
||
|
vaultFree = prototype(("VaultFree", windll.vaultcli))
|
||
|
|
||
|
prototype = WINFUNCTYPE(ULONG, PHANDLE)
|
||
|
vaultCloseVault = prototype(("VaultCloseVault", windll.vaultcli))
|
||
|
|
||
|
def get_vault_objects_for_this_version_of_windows():
|
||
|
"""
|
||
|
@return: Tuple[
|
||
|
Type of vault item,
|
||
|
Pointer to type of vault item,
|
||
|
VaultGetItem function as Callable[[vault_handle, vault_item_prt, password_vault_item_ptr], int]
|
||
|
]
|
||
|
"""
|
||
|
os_version_float = float(get_os_version())
|
||
|
if os_version_float == 6.1:
|
||
|
# Windows 7
|
||
|
return (
|
||
|
VAULT_ITEM_WIN7,
|
||
|
PVAULT_ITEM_WIN7,
|
||
|
lambda hVault, pVaultItem, pPasswordVaultItem:
|
||
|
vaultGetItem7(hVault, byref(pVaultItem.id), pVaultItem.pResource, pVaultItem.pUsername,
|
||
|
None, 0, byref(pPasswordVaultItem))
|
||
|
)
|
||
|
elif os_version_float > 6.1:
|
||
|
# Later than Windows7
|
||
|
return (
|
||
|
VAULT_ITEM_WIN8,
|
||
|
PVAULT_ITEM_WIN8,
|
||
|
lambda hVault, pVaultItem, pPasswordVaultItem:
|
||
|
vaultGetItem8(hVault, byref(pVaultItem.id), pVaultItem.pResource, pVaultItem.pUsername,
|
||
|
pVaultItem.pPackageSid, # additional parameter compared to Windows 7
|
||
|
None, 0, byref(pPasswordVaultItem))
|
||
|
)
|
||
|
|
||
|
raise Exception("Vault is not supported for this version of OS")
|
||
|
|
||
|
except Exception:
|
||
|
pass
|
||
|
|
||
|
GetModuleFileNameEx = psapi.GetModuleFileNameExW
|
||
|
GetModuleFileNameEx.restype = DWORD
|
||
|
GetModuleFileNameEx.argtypes = [HANDLE, HMODULE, LPWSTR, DWORD]
|
||
|
|
||
|
|
||
|
# ############################# Custom functions ##############################
|
||
|
|
||
|
|
||
|
def EnumProcesses():
|
||
|
_EnumProcesses = psapi.EnumProcesses
|
||
|
_EnumProcesses.argtypes = [LPVOID, DWORD, LPDWORD]
|
||
|
_EnumProcesses.restype = bool
|
||
|
|
||
|
size = 0x1000
|
||
|
cbBytesReturned = DWORD()
|
||
|
unit = sizeof(DWORD)
|
||
|
dwOwnPid = os.getpid()
|
||
|
while 1:
|
||
|
ProcessIds = (DWORD * (size // unit))()
|
||
|
cbBytesReturned.value = size
|
||
|
_EnumProcesses(byref(ProcessIds), cbBytesReturned, byref(cbBytesReturned))
|
||
|
returned = cbBytesReturned.value
|
||
|
if returned < size:
|
||
|
break
|
||
|
size = size + 0x1000
|
||
|
ProcessIdList = list()
|
||
|
for ProcessId in ProcessIds:
|
||
|
if ProcessId is None:
|
||
|
break
|
||
|
if ProcessId == dwOwnPid:
|
||
|
continue
|
||
|
ProcessIdList.append(ProcessId)
|
||
|
return ProcessIdList
|
||
|
|
||
|
|
||
|
def LookupAccountSidW(lpSystemName, lpSid):
|
||
|
# From https://github.com/MarioVilas/winappdbg/blob/master/winappdbg/win32/advapi32.py
|
||
|
_LookupAccountSidW = advapi32.LookupAccountSidW
|
||
|
_LookupAccountSidW.argtypes = [LPSTR, PSID, LPWSTR, LPDWORD, LPWSTR, LPDWORD, LPDWORD]
|
||
|
_LookupAccountSidW.restype = BOOL
|
||
|
|
||
|
ERROR_INSUFFICIENT_BUFFER = 122
|
||
|
cchName = DWORD(0)
|
||
|
cchReferencedDomainName = DWORD(0)
|
||
|
peUse = DWORD(0)
|
||
|
success = _LookupAccountSidW(lpSystemName, lpSid, None, byref(cchName), None, byref(cchReferencedDomainName),
|
||
|
byref(peUse))
|
||
|
error = GetLastError()
|
||
|
if not success or error == ERROR_INSUFFICIENT_BUFFER:
|
||
|
lpName = create_unicode_buffer(u'', cchName.value + 1)
|
||
|
lpReferencedDomainName = create_unicode_buffer(u'', cchReferencedDomainName.value + 1)
|
||
|
success = _LookupAccountSidW(lpSystemName, lpSid, lpName, byref(cchName), lpReferencedDomainName,
|
||
|
byref(cchReferencedDomainName), byref(peUse))
|
||
|
if success:
|
||
|
return lpName.value, lpReferencedDomainName.value, peUse.value
|
||
|
|
||
|
return None, None, None
|
||
|
|
||
|
|
||
|
def QueryFullProcessImageNameW(hProcess, dwFlags=0):
|
||
|
_QueryFullProcessImageNameW = kernel32.QueryFullProcessImageNameW
|
||
|
_QueryFullProcessImageNameW.argtypes = [HANDLE, DWORD, LPWSTR, POINTER(DWORD)]
|
||
|
_QueryFullProcessImageNameW.restype = bool
|
||
|
ERROR_INSUFFICIENT_BUFFER = 122
|
||
|
|
||
|
dwSize = MAX_PATH
|
||
|
while 1:
|
||
|
lpdwSize = DWORD(dwSize)
|
||
|
lpExeName = create_unicode_buffer('', lpdwSize.value + 1)
|
||
|
success = _QueryFullProcessImageNameW(hProcess, dwFlags, lpExeName, byref(lpdwSize))
|
||
|
if success and 0 < lpdwSize.value < dwSize:
|
||
|
break
|
||
|
error = GetLastError()
|
||
|
if error != ERROR_INSUFFICIENT_BUFFER:
|
||
|
return False
|
||
|
dwSize = dwSize + 256
|
||
|
if dwSize > 0x1000:
|
||
|
# this prevents an infinite loop in Windows 2008 when the path has spaces,
|
||
|
# see http://msdn.microsoft.com/en-us/library/ms684919(VS.85).aspx#4
|
||
|
return False
|
||
|
return lpExeName.value
|
||
|
|
||
|
|
||
|
def RtlAdjustPrivilege(privilege_id):
|
||
|
"""
|
||
|
privilege_id: int
|
||
|
"""
|
||
|
_RtlAdjustPrivilege = ntdll.RtlAdjustPrivilege
|
||
|
_RtlAdjustPrivilege.argtypes = [ULONG, BOOL, BOOL, POINTER(BOOL)]
|
||
|
_RtlAdjustPrivilege.restype = LONG
|
||
|
|
||
|
Enable = True
|
||
|
CurrentThread = False # enable for whole process
|
||
|
Enabled = BOOL()
|
||
|
|
||
|
status = _RtlAdjustPrivilege(privilege_id, Enable, CurrentThread, byref(Enabled))
|
||
|
if status != 0:
|
||
|
return False
|
||
|
|
||
|
return True
|
||
|
|
||
|
|
||
|
def getData(blobOut):
|
||
|
cbData = blobOut.cbData
|
||
|
pbData = blobOut.pbData
|
||
|
buffer = create_string_buffer(cbData)
|
||
|
memmove(buffer, pbData, sizeof(buffer))
|
||
|
LocalFree(pbData);
|
||
|
return buffer.raw
|
||
|
|
||
|
|
||
|
def get_full_path_from_pid(pid):
|
||
|
if pid:
|
||
|
filename = create_unicode_buffer("", 256)
|
||
|
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, False, int(pid))
|
||
|
if not hProcess:
|
||
|
return False
|
||
|
|
||
|
size = GetModuleFileNameEx(hProcess, None, filename, 256)
|
||
|
CloseHandle(hProcess)
|
||
|
if size:
|
||
|
return filename.value
|
||
|
else:
|
||
|
return False
|
||
|
|
||
|
|
||
|
python_version = 2
|
||
|
if sys.version_info[0]:
|
||
|
python_version = sys.version_info[0]
|
||
|
|
||
|
|
||
|
def Win32CryptUnprotectData(cipherText, entropy=False, is_current_user=True, user_dpapi=False):
|
||
|
if python_version == 2:
|
||
|
cipherText = str(cipherText)
|
||
|
|
||
|
decrypted = None
|
||
|
|
||
|
if is_current_user:
|
||
|
bufferIn = c_buffer(cipherText, len(cipherText))
|
||
|
blobIn = DATA_BLOB(len(cipherText), bufferIn)
|
||
|
blobOut = DATA_BLOB()
|
||
|
|
||
|
if entropy:
|
||
|
bufferEntropy = c_buffer(entropy, len(entropy))
|
||
|
blobEntropy = DATA_BLOB(len(entropy), bufferEntropy)
|
||
|
|
||
|
if CryptUnprotectData(byref(blobIn), None, byref(blobEntropy), None, None, 0, byref(blobOut)):
|
||
|
decrypted = getData(blobOut)
|
||
|
|
||
|
else:
|
||
|
if CryptUnprotectData(byref(blobIn), None, None, None, None, 0, byref(blobOut)):
|
||
|
decrypted = getData(blobOut)
|
||
|
|
||
|
if not decrypted:
|
||
|
can_decrypt = True
|
||
|
if not (user_dpapi and user_dpapi.unlocked):
|
||
|
from lazagne.config.dpapi_structure import are_masterkeys_retrieved
|
||
|
can_decrypt = are_masterkeys_retrieved()
|
||
|
|
||
|
if can_decrypt:
|
||
|
try:
|
||
|
decrypted = user_dpapi.decrypt_encrypted_blob(cipherText)
|
||
|
except:
|
||
|
# The encrypted blob cannot be parsed - weird (could happen with chrome v80)
|
||
|
return None
|
||
|
if decrypted is False:
|
||
|
decrypted = None
|
||
|
else:
|
||
|
# raise ValueError('MasterKeys not found')
|
||
|
pass
|
||
|
|
||
|
if not decrypted:
|
||
|
if not user_dpapi:
|
||
|
# raise ValueError('DPApi unavailable')
|
||
|
pass
|
||
|
elif not user_dpapi.unlocked:
|
||
|
# raise ValueError('DPApi locked')
|
||
|
pass
|
||
|
|
||
|
return decrypted
|
||
|
|
||
|
|
||
|
def get_os_version():
|
||
|
"""
|
||
|
return major anr minor version
|
||
|
https://msdn.microsoft.com/en-us/library/windows/desktop/ms724832(v=vs.85).aspx
|
||
|
"""
|
||
|
os_version = OSVERSIONINFOEXW()
|
||
|
os_version.dwOSVersionInfoSize = sizeof(os_version)
|
||
|
retcode = windll.Ntdll.RtlGetVersion(byref(os_version))
|
||
|
if retcode != 0:
|
||
|
return False
|
||
|
|
||
|
return '%s.%s' % (str(os_version.dwMajorVersion.real), str(os_version.dwMinorVersion.real))
|
||
|
|
||
|
|
||
|
def isx64machine():
|
||
|
archi = os.environ.get("PROCESSOR_ARCHITEW6432", '')
|
||
|
if '64' in archi:
|
||
|
return True
|
||
|
|
||
|
archi = os.environ.get("PROCESSOR_ARCHITECTURE", '')
|
||
|
if '64' in archi:
|
||
|
return True
|
||
|
|
||
|
return False
|
||
|
|
||
|
|
||
|
def OpenKey(key, path, index=0, access=KEY_READ):
|
||
|
if isx64:
|
||
|
return winreg.OpenKey(key, path, index, access | winreg.KEY_WOW64_64KEY)
|
||
|
else:
|
||
|
return winreg.OpenKey(key, path, index, access)
|
||
|
|
||
|
|
||
|
isx64 = isx64machine()
|
||
|
|
||
|
|
||
|
def string_to_unicode(string):
|
||
|
if python_version == 2:
|
||
|
return unicode(string)
|
||
|
else:
|
||
|
return string # String on python 3 are already unicode
|
||
|
|
||
|
|
||
|
def chr_or_byte(integer):
|
||
|
if python_version == 2:
|
||
|
return chr(integer)
|
||
|
else:
|
||
|
return bytes([integer]) # Python 3
|
||
|
|
||
|
|
||
|
def int_or_bytes(integer):
|
||
|
if python_version == 2:
|
||
|
return integer
|
||
|
else:
|
||
|
return bytes([integer]) # Python 3
|
||
|
|
||
|
|
||
|
def char_to_int(string):
|
||
|
if python_version == 2 or isinstance(string, str):
|
||
|
return ord(string)
|
||
|
else:
|
||
|
return string # Python 3
|
||
|
|
||
|
|
||
|
def convert_to_byte(string):
|
||
|
if python_version == 2:
|
||
|
return string
|
||
|
else:
|
||
|
return string.encode() # Python 3
|