コード例 #1
0
        public static LsaDecryptor.LsaKeys LsaDecryptor(Program.MiniDump minidump, lsaTemplate_NT6.LsaTemplate_NT6 template)
        {
            LsaDecryptor.LsaKeys LsaKeys = new LsaDecryptor.LsaKeys();

            acquire_crypto_material(minidump, template, ref LsaKeys);

            return(LsaKeys);
        }
コード例 #2
0
        public static long find_signature(Program.MiniDump minidump, lsaTemplate_NT6.LsaTemplate_NT6 template)
        {
            //Console.WriteLine("Looking for main struct signature in memory...");
            long fl = Helpers.find_in_module(minidump, "lsasrv.dll", template.key_pattern.signature);

            if (fl == 0)
            {
                throw new Exception("LSA signature not found!");
            }
            return(fl);
        }
コード例 #3
0
        public static byte[] get_IV(Program.MiniDump minidump, long pos, lsaTemplate_NT6.LsaTemplate_NT6 template)
        {
            //Console.WriteLine("Reading IV");
            long offset = (pos + template.key_pattern.offset_to_IV_ptr);

            long ptr_iv = (long)Helpers.get_ptr_with_offset(minidump.fileBinaryReader, (long)offset, minidump.sysinfo);

            minidump.fileBinaryReader.BaseStream.Seek(ptr_iv, 0);
            byte[] data = minidump.fileBinaryReader.ReadBytes(template.key_pattern.IV_length);

            return(data.Take(16).ToArray());
        }
コード例 #4
0
        public static void acquire_crypto_material(Program.MiniDump minidump, lsaTemplate_NT6.LsaTemplate_NT6 template, ref LsaDecryptor.LsaKeys LsaKeys)
        {
            //Console.WriteLine("Acquireing crypto stuff...");

            long sigpos = find_signature(minidump, template);

            minidump.fileBinaryReader.BaseStream.Seek(sigpos, 0);

            LsaKeys.iv      = get_IV(minidump, sigpos, template);
            LsaKeys.des_key = get_des_key(minidump, sigpos, template);
            LsaKeys.aes_key = get_aes_key(minidump, sigpos, template);
        }
コード例 #5
0
        public static byte[] get_des_key(Program.MiniDump minidump, long pos, lsaTemplate_NT6.LsaTemplate_NT6 template)
        {
            ///Console.WriteLine("Acquireing DES key...");
            long offset = (pos + template.key_pattern.offset_to_DES_key_ptr);
            long ptr_iv = (long)Helpers.get_ptr_with_offset(minidump.fileBinaryReader, (long)offset, minidump.sysinfo);

            minidump.fileBinaryReader.BaseStream.Seek(ptr_iv, 0);
            ptr_iv = (long)Minidump.Helpers.ReadUInt64(minidump.fileBinaryReader);

            ptr_iv = Helpers.Rva2offset(minidump, ptr_iv);

            minidump.fileBinaryReader.BaseStream.Seek(ptr_iv, 0);

            byte[] h3DesKeyBytes            = minidump.fileBinaryReader.ReadBytes(Marshal.SizeOf(typeof(KIWI_BCRYPT_HANDLE_KEY)));
            KIWI_BCRYPT_HANDLE_KEY h3DesKey = Helpers.ReadStruct <KIWI_BCRYPT_HANDLE_KEY>(h3DesKeyBytes);

            byte[]            extracted3DesKeyByte = minidump.fileBinaryReader.ReadBytes(Marshal.SizeOf(typeof(KIWI_BCRYPT_KEY81)));
            KIWI_BCRYPT_KEY81 extracted3DesKey     = Helpers.ReadStruct <KIWI_BCRYPT_KEY81>(extracted3DesKeyByte);

            return(extracted3DesKey.hardkey.data.Take(24).ToArray());
        }