def __init__(self, reader):
     """Parse a credential-manager list entry from ``reader``.

     The enclosing class header is not visible here; the pointer type used for
     Flink/Blink suggests this is the ``_60`` variant of the credman list entry.
     The reader is rewound 32 bytes first, then fields are consumed strictly in
     order, so the statement order below defines the assumed memory layout.

     Args:
         reader: stream-like object providing ``tell``, ``move`` and ``align``;
             the field types (ULONG, PWSTR, ...) read from it.
     """
     #IMPORTANT NOTICE, THE STRUCTURE STARTS BEFORE THE FLINK/BLINK POINTER, SO WE NEED TO READ BACKWARDS
     #
     # Rewind by a fixed 32 bytes from the current position.
     # NOTE(review): 32 is hard-coded; whether it holds for every pointer width is not shown here - confirm.
     reader.move(reader.tell() - 32)
     reader.align()  #not sure if it's needed here
     #
     #input('KIWI_CREDMAN_LIST_ENTRY_60 \n%s' % hexdump(reader.peek(0x200), start = reader.tell()))
     #
     self.cbEncPassword = ULONG(reader).value
     reader.align()
     self.encPassword = PWSTR(reader)
     self.unk0 = ULONG(reader).value
     self.unk1 = ULONG(reader).value
     self.unk2 = PVOID(reader)
     self.unk3 = PVOID(reader)
     self.UserName = PWSTR(reader)
     self.cbUserName = ULONG(reader).value
     reader.align()
     # NOTE(review): Flink/Blink are bound to the pointer class itself (no reader
     # argument), so nothing is read and the stream position does not advance
     # here - confirm this is intended.
     self.Flink = PKIWI_CREDMAN_LIST_ENTRY_60
     self.Blink = PKIWI_CREDMAN_LIST_ENTRY_60
     self.type = LSA_UNICODE_STRING(reader)
     self.unk5 = PVOID(reader)
     self.server1 = LSA_UNICODE_STRING(reader)
     self.unk6 = PVOID(reader)
     self.unk7 = PVOID(reader)
     self.unk8 = PVOID(reader)
     self.unk9 = PVOID(reader)
     self.unk10 = PVOID(reader)
     self.user = LSA_UNICODE_STRING(reader)
     self.unk11 = ULONG(reader).value
     reader.align()
     self.server2 = LSA_UNICODE_STRING(reader)
Example #2
 def __init__(self, reader):
     """Parse one MSV logon-session list entry from ``reader``.

     The class header is not visible here; the Flink/Blink pointer type
     suggests the ``_51`` layout. Fields are consumed in declaration order,
     with explicit ``align`` calls where padding is expected.

     Args:
         reader: stream-like object providing ``read`` and ``align``.
     """
     self.Flink = PKIWI_MSV1_0_LIST_51(reader)
     self.Blink = PKIWI_MSV1_0_LIST_51(reader)
     self.LocallyUniqueIdentifier = LUID(reader).value
     self.UserName = LSA_UNICODE_STRING(reader)
     self.Domaine = LSA_UNICODE_STRING(reader)
     self.unk0 = PVOID(reader).value
     self.unk1 = PVOID(reader).value
     self.pSid = PSID(reader)
     self.LogonType = ULONG(reader).value
     self.Session = ULONG(reader).value
     # Force 8-byte alignment before the 64-bit timestamp.
     reader.align(8)
     # Raw 8 bytes decoded as an unsigned little-endian integer (not converted to a datetime here).
     self.LogonTime = int.from_bytes(reader.read(8),
                                     byteorder='little',
                                     signed=False)  #autoalign x86
     reader.align()
     self.LogonServer = LSA_UNICODE_STRING(reader)
     self.Credentials_list_ptr = PKIWI_MSV1_0_CREDENTIAL_LIST(reader)
     self.unk19 = ULONG(reader).value
     reader.align()
     self.unk20 = PVOID(reader).value
     self.unk21 = PVOID(reader).value
     self.unk22 = PVOID(reader).value
     self.unk23 = ULONG(reader).value
     reader.align()
     # Kept as a pointer object (no .value), unlike the unk* pointers above.
     self.CredentialManager = PVOID(reader)
 def __init__(self, reader):
     """Parse a credential-manager list entry from ``reader``.

     The class header is not visible here; the Flink/Blink pointer type
     suggests the ``_5`` variant. The reader is rewound 32 bytes first and
     fields are then consumed in order.

     Args:
         reader: stream-like object providing ``tell``, ``move`` and ``align``.
     """
     #IMPORTANT NOTICE, THE STRUCTURE STARTS BEFORE THE FLINK/BLINK POINTER, SO WE NEED TO READ BACKWARDS
     #
     reader.move(reader.tell() - 32)
     reader.align()  #not sure if it's needed here
     #
     self.cbEncPassword = ULONG(reader).value
     reader.align()
     # NOTE(review): PWSTR is assigned as a class, not called with reader, so no
     # bytes are consumed for encPassword here (UserName below does read) - confirm.
     self.encPassword = PWSTR
     self.unk0 = ULONG(reader).value
     self.unk1 = ULONG(reader).value
     self.unk2 = PVOID(reader)
     self.unk3 = PVOID(reader)
     self.UserName = PWSTR(reader)
     self.cbUserName = ULONG(reader).value
     reader.align()
     # NOTE(review): Flink/Blink hold the pointer class itself; the stream is not advanced.
     self.Flink = PKIWI_CREDMAN_LIST_ENTRY_5
     self.Blink = PKIWI_CREDMAN_LIST_ENTRY_5
     # NOTE(review): server1 and server2 are likewise bound to the type, while
     # ``user`` is actually parsed - the resulting offsets should be verified.
     self.server1 = LSA_UNICODE_STRING
     self.unk6 = PVOID(reader)
     self.unk7 = PVOID(reader)
     self.user = LSA_UNICODE_STRING(reader)
     self.unk8 = ULONG(reader).value
     reader.align()
     self.server2 = LSA_UNICODE_STRING
Example #4
	def __init__(self, reader):
		"""Parse a CSP-info style header from ``reader``.

		Reads a length field, a pointer value, four name offsets and then a
		single WCHAR. The class header is not visible here.

		Args:
			reader: stream-like object consumed by the field types.
		"""
		self.dwCspInfoLen = DWORD(reader).value
		self.ContextInformation = PVOID(reader).value
		self.nCardNameOffset = ULONG(reader).value
		self.nReaderNameOffset = ULONG(reader).value
		self.nContainerNameOffset = ULONG(reader).value
		self.nCSPNameOffset = ULONG(reader).value
		# NOTE(review): only one WCHAR is read; the name suggests a variable-length
		# buffer that the offsets above index into - confirm against the caller.
		self.bBuffer = WCHAR(reader).value
Example #5
	def __init__(self, reader):
		"""Parse a logon-session structure holding credentials and ticket lists.

		The class header is not visible here. Fields are consumed in order; most
		``unk*`` members are unidentified and only stored as raw values.

		Args:
			reader: stream-like object providing ``align`` and consumed by the field types.
		"""
		self.UsageCount = ULONG(reader).value
		self.unk0 = LIST_ENTRY(reader)
		self.unk1 = LIST_ENTRY(reader)
		self.unk2 = PVOID(reader).value
		self.unk3 = ULONG(reader).value      # possibly first half of a FILETIME (author's guess)
		self.unk4 = ULONG(reader).value    	# possibly second half of a FILETIME (author's guess)
		self.unk5 = PVOID(reader).value
		self.unk6 = PVOID(reader).value
		self.unk7 = PVOID(reader).value
		self.LocallyUniqueIdentifier = LUID(reader).value
		# Explicit 8-byte alignment replaces the disabled padding field below.
		reader.align(8)
		#self.unkAlign = ULONG(reader).value  # disabled; original note: align on x86
		self.unk8 = FILETIME(reader).value
		self.unk9 = PVOID(reader).value
		self.unk10 = ULONG(reader).value     # possibly first half of a FILETIME (author's guess)
		self.unk11 = ULONG(reader).value     # possibly second half of a FILETIME (author's guess)
		self.unk12 = PVOID(reader).value
		self.unk13 = PVOID(reader).value
		self.unk14 = PVOID(reader).value
		# Nested structure parsed inline from the same stream.
		self.credentials = KIWI_GENERIC_PRIMARY_CREDENTIAL(reader)
		self.unk15 = ULONG(reader).value
		self.unk16 = ULONG(reader).value
		self.unk17 = ULONG(reader).value
		self.unk18 = ULONG(reader).value
		self.unk19 = PVOID(reader).value
		self.unk20 = PVOID(reader).value
		self.unk21 = PVOID(reader).value
		self.unk22 = PVOID(reader).value
		# Kept as a pointer object (no .value).
		self.pKeyList = PVOID(reader)
		self.unk24 = PVOID(reader).value
		self.Tickets_1 = LIST_ENTRY(reader)
		self.Tickets_2 = LIST_ENTRY(reader)
		self.Tickets_3 = LIST_ENTRY(reader)
		# Kept as a pointer object (no .value).
		self.SmartcardInfos = PVOID(reader)
Example #6
	def __init__(self, reader, size):
		"""Parse the fixed CSP-info fields, then capture the trailing bytes.

		The length field itself is not read here (its read is disabled), and the
		remainder of the structure is wrapped in an in-memory stream.

		Args:
			reader: stream-like object providing ``tell`` and ``read``.
			size: length value supplied by the caller; used to size the trailing read.
		"""
		start = reader.tell()
		# dwCspInfoLen is intentionally not parsed in this variant.
		self.ContextInformation = PVOID(reader).value
		for offset_field in (
			'nCardNameOffset',
			'nReaderNameOffset',
			'nContainerNameOffset',
			'nCSPNameOffset',
		):
			setattr(self, offset_field, ULONG(reader).value)
		consumed = reader.tell() - start
		# NOTE(review): ``size`` is not range-checked here, so the read length
		# (size - consumed + 4) depends entirely on the caller's value; the +4
		# presumably accounts for the skipped length field - confirm.
		self.bBuffer = io.BytesIO(reader.read(size - consumed + 4))
Example #7
 def __init__(self, reader):
     """Parse one MSV logon-session list entry from ``reader``.

     The class header is not visible here; the Flink/Blink pointer type
     suggests the ``_60`` layout. Fields are consumed in order, with
     ``align`` calls between members where padding is expected.

     Args:
         reader: stream-like object providing ``read`` and ``align``.
     """
     self.Flink = PKIWI_MSV1_0_LIST_60(reader)
     self.Blink = PKIWI_MSV1_0_LIST_60(reader)
     reader.align()
     self.unk0 = PVOID(reader).value
     self.unk1 = ULONG(reader).value
     reader.align()
     self.unk2 = PVOID(reader).value
     self.unk3 = ULONG(reader).value
     self.unk4 = ULONG(reader).value
     self.unk5 = ULONG(reader).value
     reader.align()
     self.hSemaphore6 = HANDLE(reader).value
     reader.align()
     self.unk7 = PVOID(reader).value
     reader.align()
     self.hSemaphore8 = HANDLE(reader).value
     reader.align()
     self.unk9 = PVOID(reader).value
     reader.align()
     self.unk10 = PVOID(reader).value
     self.unk11 = ULONG(reader).value
     self.unk12 = ULONG(reader).value
     reader.align()
     self.unk13 = PVOID(reader).value
     reader.align()
     # Both identifiers are read as raw 8-byte unsigned little-endian integers
     # rather than through a LUID type.
     self.LocallyUniqueIdentifier = int.from_bytes(reader.read(8),
                                                   byteorder='little',
                                                   signed=False)
     self.SecondaryLocallyUniqueIdentifier = int.from_bytes(
         reader.read(8), byteorder='little', signed=False)
     reader.align()
     self.UserName = LSA_UNICODE_STRING(reader)
     self.Domaine = LSA_UNICODE_STRING(reader)
     self.unk14 = PVOID(reader).value
     self.unk15 = PVOID(reader).value
     self.pSid = PSID(reader)
     self.LogonType = ULONG(reader).value
     self.Session = ULONG(reader).value
     # Force 8-byte alignment before the 64-bit timestamp.
     reader.align(8)
     self.LogonTime = int.from_bytes(reader.read(8),
                                     byteorder='little',
                                     signed=False)  #autoalign x86
     self.LogonServer = LSA_UNICODE_STRING(reader)
     self.Credentials_list_ptr = PKIWI_MSV1_0_CREDENTIAL_LIST(reader)
     self.unk19 = ULONG(reader).value
     reader.align()
     self.unk20 = PVOID(reader).value
     self.unk21 = PVOID(reader).value
     self.unk22 = PVOID(reader).value
     self.unk23 = ULONG(reader).value
     reader.align()
     # Kept as a pointer object (no .value).
     self.CredentialManager = PVOID(reader)
Example #8
	def __init__(self, reader):
		"""Parse a CSP-info style header (variant with message type and flags).

		The class header is not visible here. Fields are consumed in order.

		Args:
			reader: stream-like object consumed by the field types.
		"""
		self.dwCspInfoLen = DWORD(reader).value
		self.MessageType = DWORD(reader).value
		self.ContextInformation = PVOID(reader).value #U
		self.SpaceHolderForWow64 = ULONG64(reader).value #U
		self.flags = DWORD(reader).value
		self.KeySpec = DWORD(reader).value
		self.nCardNameOffset = ULONG(reader).value
		self.nReaderNameOffset = ULONG(reader).value
		self.nContainerNameOffset = ULONG(reader).value
		self.nCSPNameOffset = ULONG(reader).value
		# NOTE(review): this is an item assignment on self.bBuffer, which is not
		# created anywhere in this method; unless the class defines bBuffer and
		# ANYSIZE_ARRAY elsewhere, this line will raise at runtime - confirm.
		self.bBuffer[ANYSIZE_ARRAY] = WCHAR(reader).value
Example #9
	def __init__(self, reader):
		"""Parse one Kerberos internal-ticket list entry from ``reader``.

		The class header is not visible here; the Flink/Blink pointer type
		suggests the ``_60`` layout. Fields are consumed in order.

		Args:
			reader: stream-like object providing ``read`` and consumed by the field types.
		"""
		self.Flink = PKIWI_KERBEROS_INTERNAL_TICKET_60(reader)
		self.Blink = PKIWI_KERBEROS_INTERNAL_TICKET_60(reader)
		self.unk0 = PVOID(reader).value
		self.unk1 = PVOID(reader).value
		self.ServiceName = PKERB_EXTERNAL_NAME(reader)
		self.TargetName = PKERB_EXTERNAL_NAME(reader)
		self.DomainName = LSA_UNICODE_STRING(reader)
		self.TargetDomainName = LSA_UNICODE_STRING(reader)
		self.Description = LSA_UNICODE_STRING(reader)
		self.AltTargetDomainName = LSA_UNICODE_STRING(reader)
		# A KDCServer LSA_UNICODE_STRING is not read in this layout (author marked it uncertain).
		self.ClientName = PKERB_EXTERNAL_NAME(reader)
		self.name0 = PVOID(reader).value
		# Unlike the other integer fields, the 4 flag bytes are decoded big-endian.
		self.TicketFlags = int.from_bytes(reader.read(4), byteorder = 'big', signed = False)
		self.unk2 = ULONG(reader).value
		self.KeyType = ULONG(reader).value
		self.Key = KIWI_KERBEROS_BUFFER(reader)
		self.unk3 = PVOID(reader).value
		self.unk4 = PVOID(reader).value
		self.unk5 = PVOID(reader).value
		self.StartTime = FILETIME(reader).value
		self.EndTime = FILETIME(reader).value
		self.RenewUntil = FILETIME(reader).value
		self.unk6 = ULONG(reader).value
		self.unk7 = ULONG(reader).value
		self.domain = PCWSTR(reader).value
		self.unk8 = ULONG(reader).value
		self.strangeNames = PVOID(reader).value
		self.unk9 = ULONG(reader).value
		self.TicketEncType = ULONG(reader).value
		self.TicketKvno = ULONG(reader).value
		self.Ticket = KIWI_KERBEROS_BUFFER(reader)
Example #10
	def __init__(self, reader, size):
		"""Parse the fixed CSP-info fields, then capture the trailing bytes.

		The length field itself is not read here (its read is disabled). Each of
		the four name offsets is stored doubled, and the remainder of the
		structure is wrapped in an in-memory stream.

		Args:
			reader: stream-like object providing ``tell`` and ``read``.
			size: length value supplied by the caller; used to size the trailing read.
		"""
		start = reader.tell()
		# dwCspInfoLen is intentionally not parsed in this variant.
		self.MessageType = DWORD(reader).value
		self.ContextInformation = PVOID(reader).value
		self.SpaceHolderForWow64 = ULONG64(reader).value
		self.flags = DWORD(reader).value
		self.KeySpec = DWORD(reader).value
		# Offsets are doubled on load - presumably converting WCHAR counts to
		# byte offsets into bBuffer; confirm against the consumer.
		for offset_field in (
			'nCardNameOffset',
			'nReaderNameOffset',
			'nContainerNameOffset',
			'nCSPNameOffset',
		):
			setattr(self, offset_field, ULONG(reader).value * 2)
		consumed = reader.tell() - start
		# NOTE(review): ``size`` is not range-checked here, so the read length
		# (size - consumed + 4) depends entirely on the caller's value; the +4
		# presumably accounts for the skipped length field - confirm.
		self.bBuffer = io.BytesIO(reader.read(size - consumed + 4))
 def __init__(self, reader):
     """Parse a credential-manager set list entry from ``reader``.

     Reads the Flink/Blink pointers, one ULONG, then two list-starter
     pointers. The class header is not visible here.

     Args:
         reader: stream-like object providing ``align``.
     """
     self.Flink = PKIWI_CREDMAN_SET_LIST_ENTRY(reader)
     self.Blink = PKIWI_CREDMAN_SET_LIST_ENTRY(reader)
     self.unk0 = ULONG(reader).value
     # Realign after the ULONG before reading the pointers.
     reader.align()
     self.list1 = PKIWI_CREDMAN_LIST_STARTER(reader)
     self.list2 = PKIWI_CREDMAN_LIST_STARTER(reader)
Example #12
 def __init__(self, reader):
     """Parse the head of a WDigest list entry from ``reader``.

     Reads Flink/Blink, a usage counter, a self-referencing entry pointer and
     the LUID. The class header is not visible here.

     Args:
         reader: stream-like object providing ``align``.
     """
     self.Flink = PWdigestListEntry(reader)
     self.Blink = PWdigestListEntry(reader)
     # NOTE(review): stores the ULONG wrapper object, not its .value as most
     # other ULONG fields on this page do - confirm callers expect that.
     self.usage_count = ULONG(reader)
     reader.align()  #8?
     self.this_entry = PWdigestListEntry(reader)
     self.luid = LUID(reader).value
Example #13
	def __init__(self, reader):
		"""Parse a length-plus-pointer buffer descriptor from ``reader``.

		Args:
			reader: stream-like object providing ``align``.
		"""
		self.Length = ULONG(reader).value
		# Realign after the ULONG before reading the pointer.
		reader.align()
		self.Value = PVOID(reader)
		
		# Not part of the on-disk/in-memory struct: placeholder that is not
		# filled in by this constructor.
		self.Data = None
Example #14
    def __init__(self, reader):
        """Parse a fixed-size credential record containing two hash fields.

        Reads two USHORTs, a 4-byte tag, a size field, skips 40 bytes, then
        reads a 16-byte and a 20-byte field, each preceded by a ULONG length.
        The class header is not visible here.

        Args:
            reader: stream-like object providing ``read``.
        """
        self.unk1 = USHORT(reader).value
        self.unk2 = USHORT(reader).value
        self.unk_tag = reader.read(4)  #0xcccccc
        self.unk_remaining_size = ULONG(reader).value  #0x50
        # 40 bytes are consumed and discarded; their content is not interpreted here.
        reader.read(40)
        # NOTE(review): the length fields are stored but not used to size the
        # reads below, which are fixed at 16 and 20 bytes.
        self.LengthOfNtOwfPassword = ULONG(reader).value
        self.NtOwfPassword = reader.read(16)
        self.LengthOfShaOwfPassword = ULONG(reader).value
        self.ShaOwPassword = reader.read(20)

        # Attributes below are not read from the stream in this constructor;
        # they are initialised to None.
        self.LogonDomainName = None
        self.UserName = None
        self.LmOwfPassword = None
        self.isNtOwfPassword = None
        self.isLmOwfPassword = None
        self.isShaOwPassword = None
Example #15
	def __init__(self, reader):
		"""Parse a Kerberos logon-session structure from ``reader``.

		The class header is not visible here; the nested credential type
		suggests the Windows 10 1607 layout. Fields are consumed in order and
		most ``unk*`` members are unidentified.

		Args:
			reader: stream-like object providing ``align`` and consumed by the field types.
		"""
		#input('aaaaaaaaa\n' + hexdump(reader.peek(0x300)))
		self.UsageCount = ULONG(reader).value
		reader.align()
		self.unk0 = LIST_ENTRY(reader)
		self.unk1 = PVOID(reader).value
		self.unk1b = ULONG(reader).value
		reader.align()
		self.unk2 = FILETIME(reader).value
		self.unk4 = PVOID(reader).value
		self.unk5 = PVOID(reader).value
		self.unk6 = PVOID(reader).value
		self.LocallyUniqueIdentifier = LUID(reader).value
		#input('LocallyUniqueIdentifier\n' + hex(self.LocallyUniqueIdentifier))
		self.unk7 = FILETIME(reader).value
		self.unk8 = PVOID(reader).value
		self.unk8b = ULONG(reader).value
		reader.align()
		self.unk9 = FILETIME(reader).value
		self.unk11 = PVOID(reader).value
		self.unk12 = PVOID(reader).value
		self.unk13 = PVOID(reader).value
		# Explicit padding ULONG read before the nested credential structure.
		self.unkAlign = ULONG(reader).value
		#input('credentials  \n' + hexdump(reader.peek(0x200)))
		# Nested structure parsed inline from the same stream.
		self.credentials = KIWI_KERBEROS_10_PRIMARY_CREDENTIAL_1607(reader)
		self.unk14 = ULONG(reader).value
		self.unk15 = ULONG(reader).value
		self.unk16 = ULONG(reader).value
		self.unk17 = ULONG(reader).value
		self.unk18 = PVOID(reader).value
		self.unk19 = PVOID(reader).value
		self.unk20 = PVOID(reader).value
		self.unk21 = PVOID(reader).value
		self.unk22 = PVOID(reader).value
		self.unk23 = PVOID(reader).value
		#self.unk24 = PVOID(reader).value
		#self.unk25 = PVOID(reader).value
		reader.align()
		
		# Kept as a pointer object (no .value).
		self.pKeyList = PVOID(reader)
		self.unk26 = PVOID(reader).value
		#input('Tickets_1  \n' + hexdump(reader.peek(0x200)))
		# Each ticket list head is followed by a FILETIME in this layout.
		self.Tickets_1 = LIST_ENTRY(reader)
		self.unk27 = FILETIME(reader).value
		self.Tickets_2 = LIST_ENTRY(reader)
		self.unk28 = FILETIME(reader).value
		self.Tickets_3 = LIST_ENTRY(reader)
		self.unk29 = FILETIME(reader).value
		# Kept as a pointer object (no .value).
		self.SmartcardInfos = PVOID(reader)
Example #16
	def __init__(self, reader):
		"""Parse one Kerberos internal-ticket list entry from ``reader``.

		The class header is not visible here; the Flink/Blink pointer type
		suggests the Windows 10 1607 layout. Fields are consumed in order.

		Args:
			reader: stream-like object providing ``read`` and ``align``.
		"""
		#input('KIWI_KERBEROS_INTERNAL_TICKET_10_1607\n' + hexdump(reader.peek(0x300)))
		self.Flink = PKIWI_KERBEROS_INTERNAL_TICKET_10_1607(reader)
		self.Blink = PKIWI_KERBEROS_INTERNAL_TICKET_10_1607(reader)
		self.unk0 = PVOID(reader).value
		self.unk1 = PVOID(reader).value
		self.ServiceName = PKERB_EXTERNAL_NAME(reader)
		self.TargetName = PKERB_EXTERNAL_NAME(reader)
		self.DomainName = LSA_UNICODE_STRING(reader)
		self.TargetDomainName = LSA_UNICODE_STRING(reader)
		self.Description = LSA_UNICODE_STRING(reader)
		self.AltTargetDomainName = LSA_UNICODE_STRING(reader)
		self.KDCServer = LSA_UNICODE_STRING(reader)    				# field identity marked uncertain by the author
		self.unk10586_d = LSA_UNICODE_STRING(reader)					# field identity marked uncertain by the author
		self.ClientName = PKERB_EXTERNAL_NAME(reader)
		self.name0 = PVOID(reader).value
		# Unlike the other integer fields, the 4 flag bytes are decoded big-endian.
		self.TicketFlags = int.from_bytes(reader.read(4), byteorder = 'big', signed = False)
		self.unk2 = ULONG(reader).value
		self.unk14393_0 = PVOID(reader).value
		self.KeyType = ULONG(reader).value
		reader.align()
		self.Key = KIWI_KERBEROS_BUFFER(reader)
		self.unk14393_1 = PVOID(reader).value
		self.unk3 = PVOID(reader).value										# possibly ULONG KeyType2 (author's note)
		self.unk4 = PVOID(reader).value										# possibly KIWI_KERBEROS_BUFFER Key2 (author's note)
		self.unk5 = PVOID(reader).value										# author's note: "up"
		self.StartTime = FILETIME(reader).value
		self.EndTime = FILETIME(reader).value
		self.RenewUntil = FILETIME(reader).value
		self.unk6 = ULONG(reader).value
		self.unk7 = ULONG(reader).value
		self.domain = PCWSTR(reader).value
		self.unk8 = ULONG(reader).value
		reader.align()
		self.strangeNames = PVOID(reader).value
		self.unk9 = ULONG(reader).value
		self.TicketEncType = ULONG(reader).value
		self.TicketKvno = ULONG(reader).value
		reader.align()
		self.Ticket = KIWI_KERBEROS_BUFFER(reader)
Example #17
	def __init__(self, reader):	
		"""Parse a Kerberos logon-session structure from ``reader``.

		The class header is not visible here; the nested credential type is
		``KIWI_KERBEROS_10_PRIMARY_CREDENTIAL``. Fields are consumed in order
		and most ``unk*`` members are unidentified.

		Args:
			reader: stream-like object providing ``align`` and consumed by the field types.
		"""
		self.UsageCount = ULONG(reader).value
		reader.align()
		self.unk0 = LIST_ENTRY(reader)
		self.unk1 = PVOID(reader).value
		self.unk1b = ULONG(reader).value
		reader.align()
		self.unk2 = FILETIME(reader).value
		self.unk4 = PVOID(reader).value
		self.unk5 = PVOID(reader).value
		self.unk6 = PVOID(reader).value
		self.LocallyUniqueIdentifier = LUID(reader).value
		self.unk7 = FILETIME(reader).value
		self.unk8 = PVOID(reader).value
		self.unk8b = ULONG(reader).value
		reader.align()
		self.unk9 = FILETIME(reader).value
		self.unk11 = PVOID(reader).value
		self.unk12 = PVOID(reader).value
		self.unk13 = PVOID(reader).value		
		# Nested structure parsed inline from the same stream.
		self.credentials = KIWI_KERBEROS_10_PRIMARY_CREDENTIAL(reader)
		self.unk14 = ULONG(reader).value
		self.unk15 = ULONG(reader).value
		self.unk16 = ULONG(reader).value
		self.unk17 = ULONG(reader).value
		#self.unk18 = PVOID(reader).value
		self.unk19 = PVOID(reader).value
		self.unk20 = PVOID(reader).value
		self.unk21 = PVOID(reader).value
		self.unk22 = PVOID(reader).value
		self.unk23 = PVOID(reader).value
		self.unk24 = PVOID(reader).value
		self.unk25 = PVOID(reader).value
		# Kept as a pointer object (no .value).
		self.pKeyList = PVOID(reader)
		self.unk26 = PVOID(reader).value
		# Each ticket list head is followed by a FILETIME in this layout.
		self.Tickets_1 = LIST_ENTRY(reader)
		self.unk27 = FILETIME(reader).value
		self.Tickets_2 = LIST_ENTRY(reader)
		self.unk28 = FILETIME(reader).value
		self.Tickets_3 = LIST_ENTRY(reader)
		self.unk29 = FILETIME(reader).value
		# Kept as a pointer object (no .value).
		self.SmartcardInfos = PVOID(reader)
Example #18
 def __init__(self, reader):
     """Parse two ULONG fields followed by a generic primary credential.

     The class header is not visible here.

     Args:
         reader: stream-like object consumed by the field types.
     """
     self.isSupp = ULONG(reader).value
     self.unk0 = ULONG(reader).value
     # Nested structure parsed inline from the same stream.
     self.credentials = KIWI_GENERIC_PRIMARY_CREDENTIAL(reader)
 def __init__(self, reader):
     """Parse a credential-manager list starter: one ULONG and a start pointer.

     The class header is not visible here.

     Args:
         reader: stream-like object providing ``align``.
     """
     # NOTE(review): stores the ULONG wrapper object, not its .value - confirm
     # callers expect that.
     self.unk0 = ULONG(reader)
     # Realign after the ULONG before reading the pointer.
     reader.align()
     self.start = PKIWI_CREDMAN_LIST_ENTRY(reader)