public static void ExportCredentialPtr(IntPtr nCredPtr)
{
using (CriticalCredentialHandle critCred = new CriticalCredentialHandle(nCredPtr))
{
CREDENTIAL cred = critCred.GetCredential();
uint Flags = cred.Flags;
CredentialType Type = cred.Type;
string TargetName = Marshal.PtrToStringUni(cred.TargetName);
string Comment = Marshal.PtrToStringUni(cred.Comment);
System.Runtime.InteropServices.ComTypes.FILETIME LastWritten = cred.LastWritten;
uint CredentialBlobSize = cred.CredentialBlobSize;
var data = new byte[CredentialBlobSize];
if (CredentialBlobSize > 0)
{
Marshal.Copy(cred.CredentialBlob, data, 0, data.Length);
}
uint Persist = cred.Persist;
int AttributeCount = cred.AttributeCount;
var attribSize = Marshal.SizeOf(typeof(NativeCredentialAttribute));
ExportAttrib[] attribs = new ExportAttrib[AttributeCount];
if (AttributeCount > 0)
{
byte[] rawData = new byte[AttributeCount * attribSize];
var buffer = Marshal.AllocHGlobal(attribSize);
Marshal.Copy(cred.Attributes, rawData, (int)0, (int)AttributeCount * attribSize);
for (int i = 0; i < AttributeCount; i++)
{
Marshal.Copy(rawData, i * attribSize, buffer, attribSize);
var attr = (NativeCredentialAttribute)Marshal.PtrToStructure(buffer,
typeof(NativeCredentialAttribute));
var key = attr.Keyword;
var val = new byte[attr.ValueSize];
Marshal.Copy(attr.Value, val, (int)0, (int)attr.ValueSize);
Console.WriteLine("[-] Attribute {0}", key);
ExportAttrib attrib = new ExportAttrib();
attrib.Keyword = attr.Keyword;
attrib.Flags = attr.Flags;
attrib.ValueSize = attr.ValueSize;
attrib.Value = val;
attribs[i] = attrib;
}
Marshal.FreeHGlobal(buffer);
}
string TargetAlias = Marshal.PtrToStringUni(cred.TargetAlias);
string UserName = Marshal.PtrToStringUni(cred.UserName);
ExportCred export = new ExportCred();
export.Flags = Flags;
export.Type = Type;
export.TargetName = TargetName;
export.Comment = Comment;
export.LastWritten = LastWritten;
export.CredentialBlobSize = CredentialBlobSize;
export.CredentialBlob = data;
export.Persist = Persist;
export.AttributeCount = AttributeCount;
export.AttributesLength = AttributeCount * attribSize;
export.Attributes = attribs;
export.TargetAlias = TargetAlias;
export.UserName = UserName;
Console.WriteLine(JsonConvert.SerializeObject(export).Replace("\"", "'"));
}
}
public static void RestoreCredential(string jsonString, bool fromFile = false)
{
Console.WriteLine("[*] Importing credential");
if (fromFile)
{
jsonString = System.IO.File.ReadAllText(jsonString);
}
ExportCred export = JsonConvert.DeserializeObject <ExportCred>(jsonString);
CREDENTIAL new_cred = new CREDENTIAL();
new_cred.Flags = export.Flags;
new_cred.Type = export.Type;
new_cred.TargetName = Marshal.StringToCoTaskMemUni(export.TargetName);
new_cred.Comment = Marshal.StringToCoTaskMemUni(export.Comment);
new_cred.LastWritten = export.LastWritten;
new_cred.CredentialBlobSize = export.CredentialBlobSize;
int size = export.CredentialBlob.Length;
IntPtr unmanagedPointer = Marshal.AllocHGlobal(size);
Marshal.Copy(export.CredentialBlob, 0, unmanagedPointer, export.CredentialBlob.Length);
new_cred.CredentialBlob = unmanagedPointer;
new_cred.Persist = export.Persist;
new_cred.AttributeCount = export.AttributeCount;
var asize = Marshal.SizeOf(typeof(NativeCredentialAttribute));
byte[] oadata = new byte[export.AttributesLength];
List <IntPtr> attributesToFree = new List <IntPtr>();
for (int n = 0; n < export.AttributeCount; n++)
{
ExportAttrib attrib = export.Attributes[n];
Console.WriteLine("[-] Attribute {0}", attrib.Keyword);
NativeCredentialAttribute nativeAttrib = new NativeCredentialAttribute();
nativeAttrib.Keyword = attrib.Keyword;
nativeAttrib.Flags = attrib.Flags;
nativeAttrib.ValueSize = attrib.ValueSize;
IntPtr ptrattribvalue = Marshal.AllocHGlobal((int)attrib.ValueSize);
attributesToFree.Add(ptrattribvalue);
Marshal.Copy(attrib.Value, 0, ptrattribvalue, (int)attrib.ValueSize);
nativeAttrib.Value = ptrattribvalue;
var attrbuff = Marshal.AllocHGlobal(asize);
attributesToFree.Add(attrbuff);
Marshal.StructureToPtr(nativeAttrib, attrbuff, false);
Marshal.Copy(attrbuff, oadata, n * asize, asize);
}
GCHandle pinnedAttributes = default(GCHandle);
pinnedAttributes = GCHandle.Alloc(oadata, GCHandleType.Pinned);
new_cred.Attributes = pinnedAttributes.AddrOfPinnedObject();
new_cred.TargetAlias = Marshal.StringToCoTaskMemUni(export.TargetAlias);
new_cred.UserName = Marshal.StringToCoTaskMemUni(export.UserName);
bool written = CredWrite(ref new_cred, 0);
Marshal.FreeCoTaskMem(new_cred.TargetAlias);
Marshal.FreeCoTaskMem(new_cred.TargetName);
Marshal.FreeCoTaskMem(new_cred.UserName);
Marshal.FreeCoTaskMem(new_cred.Comment);
Marshal.FreeHGlobal(unmanagedPointer);
pinnedAttributes.Free();
foreach (IntPtr attributeToFree in attributesToFree)
{
Marshal.FreeHGlobal(attributeToFree);
}
if (!written)
{
int lastError = Marshal.GetLastWin32Error();
throw new Exception(string.Format("CredWrite failed with the error code {0}.", lastError));
}
Console.WriteLine("[*] Finished importing credential");
}
