//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// private void ReadCredentials(IntPtr hCredential, Int32 count) { WinCred._CREDENTIAL[] credentialObject = new WinCred._CREDENTIAL[count]; for (Int32 i = 0; i < count; i++) { IntPtr hTemp = Marshal.ReadIntPtr(hCredential, i * IntPtr.Size); try { WinCred._CREDENTIAL credential = (WinCred._CREDENTIAL)Marshal.PtrToStructure(hTemp, typeof(WinCred._CREDENTIAL)); Console.WriteLine("{0,-20} {1,-20}", "Flags", credential.Flags); Console.WriteLine("{0,-20} {1,-20}", "Type", credential.Type); Console.WriteLine("{0,-20} {1,-20}", "TargetName", PrintIntPtr(credential.TargetName)); Console.WriteLine("{0,-20} {1,-20}", "Comment", PrintIntPtr(credential.Comment)); //https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/dumpCredStore.ps1 Int64 lastWritten = credential.LastWritten.dwHighDateTime; lastWritten = (lastWritten << 32) + credential.LastWritten.dwLowDateTime; Console.WriteLine("{0,-20} {1,-20}", "LastWritten", DateTime.FromFileTime(lastWritten)); Console.WriteLine("{0,-20} {1,-20}", "Password Size", credential.CredentialBlobSize); String credentialBlob; if (0 < credential.CredentialBlobSize) { credentialBlob = Marshal.PtrToStringUni(credential.CredentialBlob, (Int32)credential.CredentialBlobSize / 2); } else { credentialBlob = PrintIntPtr(credential.CredentialBlob); } Console.WriteLine("{0,-20} {1,-20}", "Password", credentialBlob); Console.WriteLine("{0,-20} {1,-20}", "Persist", credential.Persist); Console.WriteLine("{0,-20} {1,-20}", "AttributeCount", credential.AttributeCount); Console.WriteLine("{0,-20} {1,-20}", "Attributes", credential.Attributes); Console.WriteLine("{0,-20} {1,-20}", "TargetAlias", PrintIntPtr(credential.TargetAlias)); Console.WriteLine("{0,-20} {1,-20}", "UserName", PrintIntPtr(credential.UserName)); Console.WriteLine(""); } catch (Exception ex) { Console.WriteLine("[-] {0}", ex.Message); } finally { kernel32.CloseHandle(hTemp); } } }
public static extern bool CredWriteW(ref WinCred._CREDENTIAL userCredential, uint flags);
public static extern Boolean CredWriteW( ref WinCred._CREDENTIAL userCredential, UInt32 flags );