def __init__(self, reader):
    """Populate the structure by reading its fields in order from ``reader``.

    The enclosing class header is outside this view. The field names
    (ticket lists, key-list pointer, smartcard info) suggest a Kerberos
    logon-session layout; confirm against the class declaration.

    Every field constructor is handed the same ``reader``, so statement
    order is the layout: reordering or dropping a line shifts every later
    field. ``unkN`` names are the author's placeholders for fields whose
    meaning is not known.

    Args:
        reader: Source the field types read from; must also provide
            ``align()``.
    """
    self.UsageCount = ULONG(reader).value
    self.unk0 = LIST_ENTRY(reader)
    self.unk1 = LIST_ENTRY(reader)
    self.unk2 = PVOID(reader).value
    # Author's guess: unk3/unk4 may be the two halves of a FILETIME.
    self.unk3 = ULONG(reader).value  # filetime.1 ?
    self.unk4 = ULONG(reader).value  # filetime.2 ?
    self.unk5 = PVOID(reader).value
    self.unk6 = PVOID(reader).value
    self.unk7 = PVOID(reader).value
    self.LocallyUniqueIdentifier = LUID(reader).value
    # Explicit 8-byte alignment before the FILETIME that follows.
    reader.align(8)
    # Earlier variant kept for reference: an explicit ULONG pad for x86.
    #self.unkAlign = ULONG(reader).value  # alignment on x86
    self.unk8 = FILETIME(reader).value
    self.unk9 = PVOID(reader).value
    # Author's guess: unk10/unk11 may be the two halves of a FILETIME.
    self.unk10 = ULONG(reader).value  # filetime.1 ?
    self.unk11 = ULONG(reader).value  # filetime.2 ?
    self.unk12 = PVOID(reader).value
    self.unk13 = PVOID(reader).value
    self.unk14 = PVOID(reader).value
    # Nested primary-credential block, parsed in place from the same reader.
    self.credentials = KIWI_GENERIC_PRIMARY_CREDENTIAL(reader)
    self.unk15 = ULONG(reader).value
    self.unk16 = ULONG(reader).value
    self.unk17 = ULONG(reader).value
    self.unk18 = ULONG(reader).value
    self.unk19 = PVOID(reader).value
    self.unk20 = PVOID(reader).value
    self.unk21 = PVOID(reader).value
    self.unk22 = PVOID(reader).value
    # pKeyList and SmartcardInfos keep the PVOID object rather than .value;
    # presumably so callers can follow the pointer later (confirm against
    # PVOID's definition).
    self.pKeyList = PVOID(reader)
    self.unk24 = PVOID(reader).value
    # Three list heads for ticket lists; no fields are read between them in
    # this layout.
    self.Tickets_1 = LIST_ENTRY(reader)
    self.Tickets_2 = LIST_ENTRY(reader)
    self.Tickets_3 = LIST_ENTRY(reader)
    self.SmartcardInfos = PVOID(reader)
def __init__(self, reader):
    """Populate the structure by reading its fields in order from ``reader``.

    The enclosing class header is outside this view. The nested
    ``KIWI_KERBEROS_10_PRIMARY_CREDENTIAL`` and the ticket-list fields
    indicate a Kerberos logon-session layout; which build or architecture
    it targets cannot be told from here.

    Every field constructor is handed the same ``reader``, so statement
    order, including each ``reader.align()`` call, is the layout. ``unkN``
    names are the author's placeholders for fields whose meaning is not
    known.

    Args:
        reader: Source the field types read from; must also provide
            ``align()``.
    """
    self.UsageCount = ULONG(reader).value
    # align() with no argument: presumably pads to the reader's native
    # pointer size (confirm in the reader implementation).
    reader.align()
    self.unk0 = LIST_ENTRY(reader)
    self.unk1 = PVOID(reader).value
    self.unk1b = ULONG(reader).value
    reader.align()
    self.unk2 = FILETIME(reader).value
    self.unk4 = PVOID(reader).value
    self.unk5 = PVOID(reader).value
    self.unk6 = PVOID(reader).value
    self.LocallyUniqueIdentifier = LUID(reader).value
    # Disabled debug aids; enabling them prints the LUID and a hexdump of
    # the next 0x100 bytes and blocks on input().
    #print(hex(self.LocallyUniqueIdentifier))
    #input('unk7\n' + hexdump(reader.peek(0x100)))
    reader.align()
    self.unk7 = FILETIME(reader).value
    self.unk8 = PVOID(reader).value
    self.unk8b = ULONG(reader).value
    reader.align()
    self.unk9 = FILETIME(reader).value
    self.unk11 = PVOID(reader).value
    self.unk12 = PVOID(reader).value
    self.unk13 = PVOID(reader).value
    # Explicit 8-byte alignment before the embedded credential block.
    reader.align(8)
    # Disabled debug aid: would hexdump the 0x100 bytes where the credential
    # block starts.
    #input('credentials\n' + hexdump(reader.peek(0x100)))
    self.credentials = KIWI_KERBEROS_10_PRIMARY_CREDENTIAL(reader)
    self.unk14 = ULONG(reader).value
    self.unk15 = ULONG(reader).value
    self.unk16 = ULONG(reader).value
    self.unk17 = ULONG(reader).value
    # unk18 (a PVOID in the author's reference layout) is intentionally not
    # read in this variant.
    #//PVOID unk18 = (reader).value
    reader.align(8)
    self.unk19 = PVOID(reader).value
    self.unk20 = PVOID(reader).value
    self.unk21 = PVOID(reader).value
    self.unk22 = PVOID(reader).value
    self.unk23 = PVOID(reader).value
    self.unk24 = PVOID(reader).value
    self.unk25 = PVOID(reader).value
    # pKeyList and SmartcardInfos keep the PVOID object rather than .value;
    # presumably so callers can follow the pointer later (confirm against
    # PVOID's definition).
    self.pKeyList = PVOID(reader)
    self.unk26 = PVOID(reader).value
    #input('pKeyList\n' + hexdump(reader.peek(0x100)))
    reader.align()
    #input('Tickets_1\n' + hexdump(reader.peek(0x100)))
    # Each ticket list head is followed by a FILETIME in this layout.
    self.Tickets_1 = LIST_ENTRY(reader)
    self.unk27 = FILETIME(reader).value
    self.Tickets_2 = LIST_ENTRY(reader)
    self.unk28 = FILETIME(reader).value
    self.Tickets_3 = LIST_ENTRY(reader)
    self.unk29 = FILETIME(reader).value
    self.SmartcardInfos = PVOID(reader)
def __init__(self, reader):
    """Parse a credential-manager list entry located via its Flink pointer.

    The debug strings and the ``PKIWI_CREDMAN_LIST_ENTRY`` pointer type
    suggest the enclosing class is ``KIWI_CREDMAN_LIST_ENTRY``; the class
    header itself is outside this view.

    The reader is expected to be positioned at the entry's Flink/Blink
    pair. The structure begins before those pointers, so the method
    first rewinds 56 bytes and then reads forward through the fields.

    Args:
        reader: Source the field types read from; must also provide
            ``tell()``, ``move()`` and ``align()``.
    """
    # Important: the structure starts BEFORE the Flink/Blink pointers, so
    # the reader has to be moved backwards before parsing.
    #
    #input('KIWI_CREDMAN_LIST_ENTRY \n%s' % hexdump(reader.peek(0x50), start = reader.tell()))
    # 56 equals the size of the fields read below up to Flink when pointers
    # are 8 bytes (4 + 4 pad + 8 + 4 + 4 + 8 + 8 + 8 + 4 + 4 pad), so this is
    # presumably the 64-bit layout (confirm).
    # NOTE(review): nothing here checks that tell() >= 56 or that the
    # rewound address is readable; a malformed or truncated dump relies on
    # reader.move() to fail safely (verify in the reader).
    reader.move(reader.tell() - 56)
    reader.align() #not sure if it's needed here
    #input('KIWI_CREDMAN_LIST_ENTRY \n%s' % hexdump(reader.peek(0x200), start = reader.tell()))
    #
    # Length of the encrypted password blob, then a pointer to it.
    # presumably cbEncPassword is a byte count (the "cb" prefix); confirm.
    self.cbEncPassword = ULONG(reader).value
    reader.align()
    self.encPassword = PWSTR(reader)
    self.unk0 = ULONG(reader).value
    self.unk1 = ULONG(reader).value
    self.unk2 = PVOID(reader)
    self.unk3 = PVOID(reader)
    self.UserName = PWSTR(reader)
    self.cbUserName = ULONG(reader).value
    reader.align()
    # List linkage: this is where the reader was positioned on entry.
    self.Flink = PKIWI_CREDMAN_LIST_ENTRY(reader)
    self.Blink = PKIWI_CREDMAN_LIST_ENTRY(reader)
    self.unk4 = LIST_ENTRY(reader)
    self.type = LSA_UNICODE_STRING(reader)
    self.unk5 = PVOID(reader)
    self.server1 = LSA_UNICODE_STRING(reader)
    self.unk6 = PVOID(reader)
    self.unk7 = PVOID(reader)
    self.unk8 = PVOID(reader)
    self.unk9 = PVOID(reader)
    self.unk10 = PVOID(reader)
    self.user = LSA_UNICODE_STRING(reader)
    self.unk11 = ULONG(reader).value
    reader.align()
    self.server2 = LSA_UNICODE_STRING(reader)
def __init__(self, reader):
    """Populate the structure by reading its fields in order from ``reader``.

    The enclosing class header is outside this view. The nested
    ``KIWI_KERBEROS_10_PRIMARY_CREDENTIAL_1607`` type indicates a Kerberos
    logon-session layout, presumably for the "1607" build family named in
    that type (confirm against the class declaration).

    Every field constructor is handed the same ``reader``, so statement
    order, including each ``reader.align()`` call, is the layout. ``unkN``
    names are the author's placeholders for fields whose meaning is not
    known.

    Args:
        reader: Source the field types read from; must also provide
            ``align()``.
    """
    # Disabled debug aid: would hexdump 0x300 bytes from the start of the
    # structure and block on input().
    #input('aaaaaaaaa\n' + hexdump(reader.peek(0x300)))
    self.UsageCount = ULONG(reader).value
    # align() with no argument: presumably pads to the reader's native
    # pointer size (confirm in the reader implementation).
    reader.align()
    self.unk0 = LIST_ENTRY(reader)
    self.unk1 = PVOID(reader).value
    self.unk1b = ULONG(reader).value
    reader.align()
    self.unk2 = FILETIME(reader).value
    self.unk4 = PVOID(reader).value
    self.unk5 = PVOID(reader).value
    self.unk6 = PVOID(reader).value
    self.LocallyUniqueIdentifier = LUID(reader).value
    self.unk7 = FILETIME(reader).value
    self.unk8 = PVOID(reader).value
    self.unk8b = ULONG(reader).value
    reader.align()
    self.unk9 = FILETIME(reader).value
    self.unk11 = PVOID(reader).value
    self.unk12 = PVOID(reader).value
    self.unk13 = PVOID(reader).value
    # Explicit 8-byte alignment before the embedded credential block.
    reader.align(8)
    self.credentials = KIWI_KERBEROS_10_PRIMARY_CREDENTIAL_1607(reader)
    self.unk14 = ULONG(reader).value
    self.unk15 = ULONG(reader).value
    self.unk16 = ULONG(reader).value
    self.unk17 = ULONG(reader).value
    self.unk18 = PVOID(reader).value
    self.unk19 = PVOID(reader).value
    self.unk20 = PVOID(reader).value
    self.unk21 = PVOID(reader).value
    self.unk22 = PVOID(reader).value
    self.unk23 = PVOID(reader).value
    # unk24/unk25 are intentionally not read in this variant.
    #self.unk24 = PVOID(reader).value
    #self.unk25 = PVOID(reader).value
    reader.align()
    # Disabled experiments for locating pKeyList (fixed skip, hexdump).
    #reader.read(8+12)
    #input('pkeylist \n' + hexdump(reader.peek(0x50)))
    # pKeyList and SmartcardInfos keep the PVOID object rather than .value;
    # presumably so callers can follow the pointer later (confirm against
    # PVOID's definition).
    self.pKeyList = PVOID(reader)
    self.unk26 = PVOID(reader).value
    # Each ticket list head is followed by a FILETIME in this layout.
    self.Tickets_1 = LIST_ENTRY(reader)
    self.unk27 = FILETIME(reader).value
    self.Tickets_2 = LIST_ENTRY(reader)
    self.unk28 = FILETIME(reader).value
    self.Tickets_3 = LIST_ENTRY(reader)
    self.unk29 = FILETIME(reader).value
    self.SmartcardInfos = PVOID(reader)
def __init__(self, reader):
    """Populate the structure by reading its fields in order from ``reader``.

    The enclosing class header is outside this view. The nested
    ``KIWI_KERBEROS_10_PRIMARY_CREDENTIAL`` and the ticket-list fields
    indicate a Kerberos logon-session layout; which build or architecture
    it targets cannot be told from here.

    Every field constructor is handed the same ``reader``, so statement
    order, including each ``reader.align()`` call, is the layout. ``unkN``
    names are the author's placeholders for fields whose meaning is not
    known.

    Args:
        reader: Source the field types read from; must also provide
            ``align()``.
    """
    self.UsageCount = ULONG(reader).value
    # align() with no argument: presumably pads to the reader's native
    # pointer size (confirm in the reader implementation).
    reader.align()
    self.unk0 = LIST_ENTRY(reader)
    self.unk1 = PVOID(reader).value
    self.unk1b = ULONG(reader).value
    reader.align()
    self.unk2 = FILETIME(reader).value
    self.unk4 = PVOID(reader).value
    self.unk5 = PVOID(reader).value
    self.unk6 = PVOID(reader).value
    self.LocallyUniqueIdentifier = LUID(reader).value
    self.unk7 = FILETIME(reader).value
    self.unk8 = PVOID(reader).value
    self.unk8b = ULONG(reader).value
    reader.align()
    self.unk9 = FILETIME(reader).value
    self.unk11 = PVOID(reader).value
    self.unk12 = PVOID(reader).value
    self.unk13 = PVOID(reader).value
    # Nested primary-credential block, parsed in place from the same reader;
    # no explicit alignment is applied before it in this variant.
    self.credentials = KIWI_KERBEROS_10_PRIMARY_CREDENTIAL(reader)
    self.unk14 = ULONG(reader).value
    self.unk15 = ULONG(reader).value
    self.unk16 = ULONG(reader).value
    self.unk17 = ULONG(reader).value
    # unk18 is intentionally not read in this variant.
    #self.unk18 = PVOID(reader).value
    self.unk19 = PVOID(reader).value
    self.unk20 = PVOID(reader).value
    self.unk21 = PVOID(reader).value
    self.unk22 = PVOID(reader).value
    self.unk23 = PVOID(reader).value
    self.unk24 = PVOID(reader).value
    self.unk25 = PVOID(reader).value
    # pKeyList and SmartcardInfos keep the PVOID object rather than .value;
    # presumably so callers can follow the pointer later (confirm against
    # PVOID's definition).
    self.pKeyList = PVOID(reader)
    self.unk26 = PVOID(reader).value
    # Each ticket list head is followed by a FILETIME in this layout.
    self.Tickets_1 = LIST_ENTRY(reader)
    self.unk27 = FILETIME(reader).value
    self.Tickets_2 = LIST_ENTRY(reader)
    self.unk28 = FILETIME(reader).value
    self.Tickets_3 = LIST_ENTRY(reader)
    self.unk29 = FILETIME(reader).value
    self.SmartcardInfos = PVOID(reader)