Ejemplo n.º 1
 def __init__(self, reader):
     """Parse one credential-manager list entry by reading its fields in order.

     Every constructor call below consumes bytes from ``reader`` and the
     ``reader.align()`` calls are part of the layout, so statement order is
     significant. The Flink/Blink type name suggests this is
     KIWI_CREDMAN_LIST_ENTRY_60; the class header is not visible here.
     """
     #IMPORTANT NOTICE, THE STRUCTURE STARTS BEFORE THE FLINK/BLINK POINTER, SO WE NEED TO READ BACKWARDS
     #
     # Rewind 32 bytes from the current position so parsing starts at the first
     # field instead of at the list pointers.
     # NOTE(review): the rewind is hard-coded while several fields read before
     # Flink are pointer-typed; confirm it is valid for every pointer width.
     reader.move(reader.tell() - 32)
     reader.align()  #not sure if it's needed here
     #
     #input('KIWI_CREDMAN_LIST_ENTRY_60 \n%s' % hexdump(reader.peek(0x200), start = reader.tell()))
     #
     # presumably the byte length of the encrypted password buffer - confirm
     self.cbEncPassword = ULONG(reader).value
     reader.align()
     # Pointer wrapper is kept as an object; nothing is dereferenced here.
     self.encPassword = PWSTR(reader)
     self.unk0 = ULONG(reader).value
     self.unk1 = ULONG(reader).value
     self.unk2 = PVOID(reader)
     self.unk3 = PVOID(reader)
     self.UserName = PWSTR(reader)
     self.cbUserName = ULONG(reader).value
     reader.align()
     # NOTE(review): Flink and Blink are bound to the pointer class itself, not
     # to an instance built from ``reader``, so no bytes are consumed for them
     # and every later field is read from where the pointers would sit -
     # confirm whether this is intended.
     self.Flink = PKIWI_CREDMAN_LIST_ENTRY_60
     self.Blink = PKIWI_CREDMAN_LIST_ENTRY_60
     self.type = LSA_UNICODE_STRING(reader)
     self.unk5 = PVOID(reader)
     self.server1 = LSA_UNICODE_STRING(reader)
     self.unk6 = PVOID(reader)
     self.unk7 = PVOID(reader)
     self.unk8 = PVOID(reader)
     self.unk9 = PVOID(reader)
     self.unk10 = PVOID(reader)
     self.user = LSA_UNICODE_STRING(reader)
     self.unk11 = ULONG(reader).value
     reader.align()
     self.server2 = LSA_UNICODE_STRING(reader)
Ejemplo n.º 2
 def __init__(self, reader):
     """Parse one logon-session list entry by reading its fields in order.

     The Flink/Blink type name suggests this is KIWI_MSV1_0_LIST_51; the class
     header is not visible here. Reads are sequential and the ``align`` calls
     are part of the layout, so statement order must be preserved.
     """
     # Doubly linked list pointers come first in this layout.
     self.Flink = PKIWI_MSV1_0_LIST_51(reader)
     self.Blink = PKIWI_MSV1_0_LIST_51(reader)
     self.LocallyUniqueIdentifier = LUID(reader).value
     # String descriptors are kept as objects, not resolved to text here.
     self.UserName = LSA_UNICODE_STRING(reader)
     self.Domaine = LSA_UNICODE_STRING(reader)
     self.unk0 = PVOID(reader).value
     self.unk1 = PVOID(reader).value
     self.pSid = PSID(reader)
     self.LogonType = ULONG(reader).value
     self.Session = ULONG(reader).value
     # Explicit 8-byte alignment before the 64-bit timestamp field.
     reader.align(8)
     # Raw 8 bytes decoded as an unsigned little-endian integer;
     # presumably a Windows FILETIME - confirm before converting.
     self.LogonTime = int.from_bytes(reader.read(8),
                                     byteorder='little',
                                     signed=False)  #autoalign x86
     reader.align()
     self.LogonServer = LSA_UNICODE_STRING(reader)
     # Pointer to the per-session credential list; not followed here.
     self.Credentials_list_ptr = PKIWI_MSV1_0_CREDENTIAL_LIST(reader)
     self.unk19 = ULONG(reader).value
     reader.align()
     self.unk20 = PVOID(reader).value
     self.unk21 = PVOID(reader).value
     self.unk22 = PVOID(reader).value
     self.unk23 = ULONG(reader).value
     reader.align()
     # Kept as a pointer wrapper (no ``.value``), unlike the unk* pointers above.
     self.CredentialManager = PVOID(reader)
Ejemplo n.º 3
	def __init__(self, reader):
		"""Parse one Kerberos internal ticket entry by reading its fields in order.

		The Flink/Blink type name suggests this is KIWI_KERBEROS_INTERNAL_TICKET_60;
		the class header is not visible here. Reads are sequential, so statement
		order defines the layout and must not change.
		"""
		self.Flink = PKIWI_KERBEROS_INTERNAL_TICKET_60(reader)
		self.Blink = PKIWI_KERBEROS_INTERNAL_TICKET_60(reader)
		self.unk0 = PVOID(reader).value
		self.unk1 = PVOID(reader).value
		# Name pointers and string descriptors are kept as objects, not resolved here.
		self.ServiceName = PKERB_EXTERNAL_NAME(reader)
		self.TargetName = PKERB_EXTERNAL_NAME(reader)
		self.DomainName = LSA_UNICODE_STRING(reader)
		self.TargetDomainName = LSA_UNICODE_STRING(reader)
		self.Description = LSA_UNICODE_STRING(reader)
		self.AltTargetDomainName = LSA_UNICODE_STRING(reader)
		# KDCServer is left commented out, so no bytes are consumed for it in this layout.
		#//LSA_UNICODE_STRING	KDCServer = 	//?(reader).value
		self.ClientName = PKERB_EXTERNAL_NAME(reader)
		self.name0 = PVOID(reader).value
		# Four raw bytes decoded explicitly as big-endian, not through ULONG.
		self.TicketFlags = int.from_bytes(reader.read(4), byteorder = 'big', signed = False)
		self.unk2 = ULONG(reader).value
		self.KeyType = ULONG(reader).value
		# Buffer descriptor for the key; the key bytes are not read in this method.
		self.Key = KIWI_KERBEROS_BUFFER(reader)
		self.unk3 = PVOID(reader).value
		self.unk4 = PVOID(reader).value
		self.unk5 = PVOID(reader).value
		self.StartTime = FILETIME(reader).value
		self.EndTime = FILETIME(reader).value
		self.RenewUntil = FILETIME(reader).value
		self.unk6 = ULONG(reader).value
		self.unk7 = ULONG(reader).value
		self.domain = PCWSTR(reader).value
		self.unk8 = ULONG(reader).value
		self.strangeNames = PVOID(reader).value
		self.unk9 = ULONG(reader).value
		self.TicketEncType = ULONG(reader).value
		self.TicketKvno = ULONG(reader).value
		# Buffer descriptor for the ticket; the ticket bytes are not read in this method.
		self.Ticket = KIWI_KERBEROS_BUFFER(reader)
Ejemplo n.º 4
	def __init__(self, reader):
		"""Parse a Kerberos primary credential by reading its fields in order.

		The IsoPassword type name suggests the Windows 10 1607 layout; the class
		header is not visible here. Reads are sequential, so order is significant.
		"""
		self.UserName = LSA_UNICODE_STRING(reader)
		self.Domaine = LSA_UNICODE_STRING(reader)
		self.unkFunction = PVOID(reader).value
		self.type = DWORD(reader).value # type or flags: 2 = normal, 1 = ISO (per the original struct note)
		reader.align()
		# NOTE(review): the original struct note marks the next two members as a
		# union, yet both are parsed back to back here, each advancing the
		# reader - confirm which one is valid for a given ``type``.
		self.Password = LSA_UNICODE_STRING(reader) #	union {
		self.IsoPassword = KIWI_KERBEROS_10_PRIMARY_CREDENTIAL_1607_ISO(reader)
Ejemplo n.º 5
 def __init__(self, reader):
     """Parse one logon-session list entry by reading its fields in order.

     The Flink/Blink type name suggests this is KIWI_MSV1_0_LIST_63; the class
     header is not visible here. Reads are sequential and the ``align`` calls
     are part of the layout, so statement order must be preserved.
     """
     # Doubly linked list pointers come first in this layout.
     self.Flink = PKIWI_MSV1_0_LIST_63(reader)
     self.Blink = PKIWI_MSV1_0_LIST_63(reader)
     self.unk0 = PVOID(reader).value
     self.unk1 = ULONG(reader).value
     reader.align()
     self.unk2 = PVOID(reader).value
     self.unk3 = ULONG(reader).value
     self.unk4 = ULONG(reader).value
     self.unk5 = ULONG(reader).value
     reader.align()
     self.hSemaphore6 = HANDLE(reader).value
     self.unk7 = PVOID(reader).value
     self.hSemaphore8 = HANDLE(reader).value
     self.unk9 = PVOID(reader).value
     self.unk10 = PVOID(reader).value
     self.unk11 = ULONG(reader).value
     self.unk12 = ULONG(reader).value
     self.unk13 = PVOID(reader).value
     reader.align()
     self.LocallyUniqueIdentifier = LUID(reader).value
     self.SecondaryLocallyUniqueIdentifier = LUID(reader).value
     # 12 bytes of unidentified data, kept raw.
     self.waza = reader.read(12)
     reader.align()
     #
     #print(hexdump(reader.peek(0x100)))
     #input()
     #
     # String descriptors are kept as objects, not resolved to text here.
     self.UserName = LSA_UNICODE_STRING(reader)
     self.Domaine = LSA_UNICODE_STRING(reader)
     self.unk14 = PVOID(reader).value
     self.unk15 = PVOID(reader).value
     self.Type = LSA_UNICODE_STRING(reader)
     self.pSid = PSID(reader)
     self.LogonType = ULONG(reader).value
     reader.align()
     self.unk18 = PVOID(reader).value
     self.Session = ULONG(reader).value
     # Explicit 8-byte alignment before the 64-bit timestamp field.
     reader.align(8)
     # Raw 8 bytes decoded as an unsigned little-endian integer;
     # presumably a Windows FILETIME - confirm before converting.
     self.LogonTime = int.from_bytes(reader.read(8),
                                     byteorder='little',
                                     signed=False)  #autoalign x86
     self.LogonServer = LSA_UNICODE_STRING(reader)
     # Pointer to the per-session credential list; not followed here.
     self.Credentials_list_ptr = PKIWI_MSV1_0_CREDENTIAL_LIST(reader)
     self.unk19 = PVOID(reader).value
     self.unk20 = PVOID(reader).value
     self.unk21 = PVOID(reader).value
     self.unk22 = ULONG(reader).value
     self.unk23 = ULONG(reader).value
     self.unk24 = ULONG(reader).value
     self.unk25 = ULONG(reader).value
     self.unk26 = ULONG(reader).value
     reader.align()
     #input('CredentialManager\n' + hexdump(reader.peek(0x100)))
     self.unk27 = PVOID(reader).value
     self.unk28 = PVOID(reader).value
     self.unk29 = PVOID(reader).value
     # Kept as a pointer wrapper (no ``.value``), unlike the unk* pointers above.
     self.CredentialManager = PVOID(reader)
Ejemplo n.º 6
 def __init__(self, reader):
     """Parse a primary credential record by reading its fields in order.

     Two string descriptors are followed by three fixed-size raw byte fields
     and three boolean flags. The class header is not visible here.
     """
     self.LogonDomainName = LSA_UNICODE_STRING(reader)
     self.UserName = LSA_UNICODE_STRING(reader)
     # Fixed-width raw fields of 16, 16 and 20 bytes; kept as bytes, not decoded.
     self.NtOwfPassword = reader.read(16)
     self.LmOwfPassword = reader.read(16)
     self.ShaOwPassword = reader.read(20)
     # presumably each flag says whether the matching field above is populated - confirm
     self.isNtOwfPassword = BOOLEAN(reader).value
     self.isLmOwfPassword = BOOLEAN(reader).value
     self.isShaOwPassword = BOOLEAN(reader).value
Ejemplo n.º 7
	def add_entry(self, wdigest_entry):
		"""
		Build a WdigestCredential from one list entry and store it in self.credentials.

		The list struct only carries the linked-list pointers; the credential fields are
		read at the entry's own address plus the decryptor template's primary_offset.
		Entries with an empty user name, an empty domain name and no decrypted password
		are dropped.
		"""
		cred = WdigestCredential()
		cred.luid = wdigest_entry.luid

		#input(wdigest_entry.this_entry.value)
		self.reader.move(wdigest_entry.this_entry.value + self.decryptor_template.primary_offset)
		# Three descriptors sit back to back; they must be parsed in this order.
		user_desc = LSA_UNICODE_STRING(self.reader)
		domain_desc = LSA_UNICODE_STRING(self.reader)
		secret_desc = LSA_UNICODE_STRING(self.reader)

		cred.username = user_desc.read_string(self.reader)
		cred.domainname = domain_desc.read_string(self.reader)
		cred.encrypted_password = secret_desc.read_maxdata(self.reader)

		if not cred.username.endswith('$'):
			cred.password, cred.password_raw = self.decrypt_password(cred.encrypted_password)
		else:
			# Names ending in '$' get the decrypted value back as bytes, stored hex-encoded.
			cred.password, cred.password_raw = self.decrypt_password(cred.encrypted_password, bytes_expected=True)
			if cred.password is not None:
				cred.password = cred.password.hex()

		nothing_recovered = cred.username == '' and cred.domainname == '' and cred.password is None
		if not nothing_recovered:
			self.credentials.append(cred)
Ejemplo n.º 8
 def __init__(self, reader):
     """Parse one credential-manager list entry by reading its fields in order.

     Every constructor call below consumes bytes from ``reader`` and the
     ``reader.align()`` calls are part of the layout, so statement order is
     significant. The Flink/Blink type name suggests this is
     KIWI_CREDMAN_LIST_ENTRY_5; the class header is not visible here.
     """
     #IMPORTANT NOTICE, THE STRUCTURE STARTS BEFORE THE FLINK/BLINK POINTER, SO WE NEED TO READ BACKWARDS
     #
     # Rewind 32 bytes from the current position so parsing starts at the first
     # field instead of at the list pointers.
     # NOTE(review): the rewind is hard-coded while several fields read before
     # Flink are pointer-typed; confirm it is valid for every pointer width.
     reader.move(reader.tell() - 32)
     reader.align()  #not sure if it's needed here
     #
     # presumably the byte length of the encrypted password buffer - confirm
     self.cbEncPassword = ULONG(reader).value
     reader.align()
     # NOTE(review): binds the PWSTR class itself rather than PWSTR(reader), so
     # no bytes are consumed and the following fields are read from the wrong
     # offset relative to the declared order - confirm whether intended.
     self.encPassword = PWSTR
     self.unk0 = ULONG(reader).value
     self.unk1 = ULONG(reader).value
     self.unk2 = PVOID(reader)
     self.unk3 = PVOID(reader)
     self.UserName = PWSTR(reader)
     self.cbUserName = ULONG(reader).value
     reader.align()
     # NOTE(review): Flink, Blink and server1 are likewise bound to classes, not
     # parsed instances; the reader does not advance for any of them.
     self.Flink = PKIWI_CREDMAN_LIST_ENTRY_5
     self.Blink = PKIWI_CREDMAN_LIST_ENTRY_5
     self.server1 = LSA_UNICODE_STRING
     self.unk6 = PVOID(reader)
     self.unk7 = PVOID(reader)
     self.user = LSA_UNICODE_STRING(reader)
     self.unk8 = ULONG(reader).value
     reader.align()
     # NOTE(review): class reference again, nothing is read for server2.
     self.server2 = LSA_UNICODE_STRING
Ejemplo n.º 9
	def __init__(self, reader):	
		"""Parse a smartcard-related Kerberos record by reading its fields in order.

		The class header is not visible here. Pointer fields are kept as wrapper
		objects; only Flags and CspDataLength are reduced to plain values.
		"""
		self.PinCode = LSA_UNICODE_STRING(reader)
		self.unk0 = PVOID(reader)
		self.unk1 = PVOID(reader)
		self.CertificateInfos = PVOID(reader)
		self.unkData = PVOID(reader)                      #	// 0 = CspData
		self.Flags = DWORD(reader).value                  #	// 1 = CspData (not 0x21)
		self.CspDataLength = DWORD(reader).value
		# NOTE(review): the size handed to the CSP parser comes straight from the
		# parsed data with no bound check visible here; when the input is an
		# untrusted or corrupted dump, confirm the callee limits how much it reads.
		self.CspData = KERB_SMARTCARD_CSP_INFO_5(reader, size = self.CspDataLength)
Ejemplo n.º 10
	def __init__(self, reader):
		"""Parse a smartcard-related Kerberos record by reading its fields in order.

		The class header is not visible here. Reads are sequential, so statement
		order defines the layout.
		"""
		self.PinCode = LSA_UNICODE_STRING(reader)
		self.unk0 = PVOID(reader).value
		self.unk1 = PVOID(reader).value
		self.CertificateInfos = PVOID(reader).value
		self.unk2 = PVOID(reader).value
		self.unkData = PVOID(reader).value	          #// 0 = CspData
		self.Flags = DWORD(reader).value	             #// 0 = CspData
		self.unkFlags = DWORD(reader).value	            #// 0x141 (not 0x61)
		self.CspDataLength = DWORD(reader).value
		# NOTE(review): CspDataLength is read but not passed to the CSP parser
		# here - confirm how the callee decides how many bytes to consume.
		self.CspData = KERB_SMARTCARD_CSP_INFO(reader).value
Ejemplo n.º 11
 def __init__(self, reader):
     """Parse a primary credential record by reading its fields in order.

     The class header is not visible here. The layout has two string
     descriptors, a pointer, five boolean flags, explicit padding bytes, a
     small packed section and three fixed-size raw byte fields at the end.
     """
     self.LogonDomainName = LSA_UNICODE_STRING(reader)
     self.UserName = LSA_UNICODE_STRING(reader)
     self.pNtlmCredIsoInProc = PVOID(reader).value
     # presumably these flags describe which of the fields below are populated
     # or protected - confirm
     self.isIso = BOOLEAN(reader).value
     self.isNtOwfPassword = BOOLEAN(reader).value
     self.isLmOwfPassword = BOOLEAN(reader).value
     self.isShaOwPassword = BOOLEAN(reader).value
     self.isDPAPIProtected = BOOLEAN(reader).value
     # Padding is consumed as explicit single bytes, not through reader.align().
     self.align0 = BYTE(reader).value
     self.align1 = BYTE(reader).value
     self.align2 = BYTE(reader).value
     self.unkD = DWORD(reader).value  # // 1/2
     # NOTE(review): the two markers below say the original struct switches to
     # 2-byte packing for this section and that handling it is unfinished;
     # no align() call is made between these reads.
     # stuff to be done! #pragma pack(push, 2)
     self.isoSize = WORD(reader).value  #// 0000
     self.DPAPIProtected = reader.read(16)
     self.align3 = DWORD(reader).value  #// 00000000
     # stuff to be done! #pragma pack(pop)
     # Fixed-width raw fields of 16, 16 and 20 bytes; kept as bytes, not decoded.
     self.NtOwfPassword = reader.read(16)
     self.LmOwfPassword = reader.read(16)
     self.ShaOwPassword = reader.read(20)
Ejemplo n.º 12
 def __init__(self, reader):
     """Parse one LiveSSP list entry by reading its fields in order.

     The Flink/Blink type name suggests this is KIWI_LIVESSP_LIST_ENTRY; the
     class header is not visible here. Reads are sequential, so statement
     order defines the layout.
     """
     # Doubly linked list pointers come first in this layout.
     self.Flink = PKIWI_LIVESSP_LIST_ENTRY(reader)
     self.Blink = PKIWI_LIVESSP_LIST_ENTRY(reader)
     # Unidentified pointers are kept as wrapper objects (no ``.value``).
     self.unk0 = PVOID(reader)
     self.unk1 = PVOID(reader)
     self.unk2 = PVOID(reader)
     self.unk3 = PVOID(reader)
     self.unk4 = DWORD(reader).value
     self.unk5 = DWORD(reader).value
     self.unk6 = PVOID(reader)
     self.LocallyUniqueIdentifier = LUID(reader).value
     self.UserName = LSA_UNICODE_STRING(reader)
     self.unk7 = PVOID(reader)
     # Pointer to the primary credential record; not followed here.
     self.suppCreds = PKIWI_LIVESSP_PRIMARY_CREDENTIAL(reader)
Ejemplo n.º 13
    def add_entry(self, wdigest_entry):
        """
        Build a WdigestCredential from one list entry and append it to self.credentials.

        The list struct only carries the linked-list pointers; the credential fields are
        read at the entry's own address plus the decryptor template's primary_offset.
        Every entry is appended, including ones that yield empty values.
        """
        cred = WdigestCredential()
        cred.luid = wdigest_entry.luid

        #input(wdigest_entry.this_entry.value)
        self.reader.move(
            wdigest_entry.this_entry.value + self.decryptor_template.primary_offset
        )
        # Three descriptors sit back to back; they must be parsed in this order.
        user_desc = LSA_UNICODE_STRING(self.reader)
        domain_desc = LSA_UNICODE_STRING(self.reader)
        secret_desc = LSA_UNICODE_STRING(self.reader)

        cred.username = user_desc.read_string(self.reader)
        cred.domainname = domain_desc.read_string(self.reader)
        cred.encrypted_password = secret_desc.read_maxdata(self.reader)
        cred.password = self.decrypt_password(cred.encrypted_password)

        self.credentials.append(cred)
Ejemplo n.º 14
	def __init__(self, reader):
		"""Parse one Kerberos internal ticket entry by reading its fields in order.

		The Flink/Blink type name suggests this is
		KIWI_KERBEROS_INTERNAL_TICKET_10_1607; the class header is not visible
		here. Reads are sequential and the ``reader.align()`` calls are part of
		the layout, so statement order must not change.
		"""
		#input('KIWI_KERBEROS_INTERNAL_TICKET_10_1607\n' + hexdump(reader.peek(0x300)))
		self.Flink = PKIWI_KERBEROS_INTERNAL_TICKET_10_1607(reader)
		self.Blink = PKIWI_KERBEROS_INTERNAL_TICKET_10_1607(reader)
		self.unk0 = PVOID(reader).value
		self.unk1 = PVOID(reader).value
		# Name pointers and string descriptors are kept as objects, not resolved here.
		self.ServiceName = PKERB_EXTERNAL_NAME(reader)
		self.TargetName = PKERB_EXTERNAL_NAME(reader)
		self.DomainName = LSA_UNICODE_STRING(reader)
		self.TargetDomainName = LSA_UNICODE_STRING(reader)
		self.Description = LSA_UNICODE_STRING(reader)
		self.AltTargetDomainName = LSA_UNICODE_STRING(reader)
		self.KDCServer = LSA_UNICODE_STRING(reader)    				# marked uncertain ("?") in the original struct note
		self.unk10586_d = LSA_UNICODE_STRING(reader)					# marked uncertain ("?") in the original struct note
		self.ClientName = PKERB_EXTERNAL_NAME(reader)
		self.name0 = PVOID(reader).value
		# Four raw bytes decoded explicitly as big-endian, not through ULONG.
		self.TicketFlags = int.from_bytes(reader.read(4), byteorder = 'big', signed = False)
		self.unk2 = ULONG(reader).value
		self.unk14393_0 = PVOID(reader).value
		self.KeyType = ULONG(reader).value
		reader.align()
		# Buffer descriptor for the key; the key bytes are not read in this method.
		self.Key = KIWI_KERBEROS_BUFFER(reader)
		self.unk14393_1 = PVOID(reader).value
		self.unk3 = PVOID(reader).value										# original note: ULONG KeyType2
		self.unk4 = PVOID(reader).value										# original note: KIWI_KERBEROS_BUFFER Key2
		self.unk5 = PVOID(reader).value										# original note: up
		self.StartTime = FILETIME(reader).value
		self.EndTime = FILETIME(reader).value
		self.RenewUntil = FILETIME(reader).value
		self.unk6 = ULONG(reader).value
		self.unk7 = ULONG(reader).value
		self.domain = PCWSTR(reader).value
		self.unk8 = ULONG(reader).value
		reader.align()
		self.strangeNames = PVOID(reader).value
		self.unk9 = ULONG(reader).value
		self.TicketEncType = ULONG(reader).value
		self.TicketKvno = ULONG(reader).value
		reader.align()
		# Buffer descriptor for the ticket; the ticket bytes are not read in this method.
		self.Ticket = KIWI_KERBEROS_BUFFER(reader)
Ejemplo n.º 15
	def __init__(self, reader):
		"""Parse a credential record: user, domain, one unknown pointer, password.

		The class header is not visible here. The three string fields are kept as
		LSA_UNICODE_STRING descriptor objects; no string data is resolved in this
		method.
		"""
		self.UserName = LSA_UNICODE_STRING(reader)
		self.Domaine = LSA_UNICODE_STRING(reader)
		self.unk0 = PVOID(reader).value
		self.Password = LSA_UNICODE_STRING(reader)
Ejemplo n.º 16
 def __init__(self, reader):
     """Parse one encrypted primary-credential node by reading its fields in order.

     The Flink type name suggests this is KIWI_MSV1_0_PRIMARY_CREDENTIAL_ENC;
     the class header is not visible here. Only a forward pointer is read, no
     Blink.
     """
     self.Flink = PKIWI_MSV1_0_PRIMARY_CREDENTIAL_ENC(reader)
     self.Primary = ANSI_STRING(reader)
     reader.align()
     # Descriptor for the encrypted blob; nothing is decrypted in this method.
     self.encrypted_credentials = LSA_UNICODE_STRING(reader)
Ejemplo n.º 17
	def __init__(self, reader):
		"""Parse a Kerberos hash/password record: a salt descriptor, then the generic part.

		The class header is not visible here.
		"""
		self.salt = LSA_UNICODE_STRING(reader) #	// http://tools.ietf.org/html/rfc3962
		self.generic = KERB_HASHPASSWORD_GENERIC(reader)
Ejemplo n.º 18
	def __init__(self, reader):
		"""Parse a Kerberos hash/password record: salt, stringToKey, then the generic part.

		The commented-out debug print suggests this is KERB_HASHPASSWORD_6; the
		class header is not visible here.
		"""
		#print('KERB_HASHPASSWORD_6')
		#input(hexdump(reader.peek(0x100), start = reader.tell()))
		self.salt = LSA_UNICODE_STRING(reader)	#// http://tools.ietf.org/html/rfc3962
		# Kept as a pointer wrapper (no ``.value``).
		self.stringToKey = PVOID(reader) # // AES Iterations (dword ?)
		self.generic = KERB_HASHPASSWORD_GENERIC(reader)
Ejemplo n.º 19
	def __init__(self, reader):
		"""Parse a Kerberos hash/password record by reading its fields in order.

		Layout: salt descriptor, stringToKey, one unknown pointer, then the
		generic part. The class header is not visible here.
		"""
		self.salt = LSA_UNICODE_STRING(reader)  #	// http://tools.ietf.org/html/rfc3962
		self.stringToKey = PVOID(reader).value        # // AES Iterations (dword ?)
		self.unk0 = PVOID(reader).value
		self.generic = KERB_HASHPASSWORD_GENERIC(reader)