public IActionResult Create([FromBody] string content)
{
if (content == null)
{
return(BadRequest());
}
byte[] cipherText = Convert.FromBase64String(content);
string plaintext;
// AES encrypt the password
{
sCrypt.setConfig(this.Configuration);
sCrypt.SetKey("AES");
plaintext = sCrypt.Decrypt(content);
}
// Read XML and parse
RegParser parser = new RegParser(plaintext, Configuration, sCrypt, aGuid);
parser.Parse();
// does order already exist ?
_context.Auser.Add(parser.auser);
_context.Sources.Add(parser.source);
foreach (AOrder _order in parser.itemorders)
{
_context.AOrder.Add(_order);
}
_context.SaveChanges();
return(Ok(true));
}
/// <summary>
///
/// </summary>
/// <returns></returns>
private List <ProfilePath> ExtractProfilePaths()
{
RegParser regParser = new RegParser(_softwareFile);
RegKey rootKey = regParser.RootKey;
RegKey regKey = rootKey.Key("Microsoft\\Windows NT\\CurrentVersion\\ProfileList");
if (regKey == null)
{
Console.WriteLine("Unable to locate the following registry key: Microsoft\\Windows NT\\CurrentVersion\\ProfileList");
return(null);
}
List <ProfilePath> profilePaths = new List <ProfilePath>();
List <RegKey> subKeys = regKey.SubKeys;
for (int index = 0; index < subKeys.Count; index++)
{
RegValue regValue = subKeys[index].Value("ProfileImagePath");
if (regValue == null)
{
continue;
}
ProfilePath profilePath = new ProfilePath();
string temp = regValue.Data.ToString().Replace("\0", string.Empty);
profilePath.Path = temp;
profilePath.Rid = woanware.Helper.RemoveHivePrefix(subKeys[index].Name).Replace("Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\", string.Empty);
profilePaths.Add(profilePath);
}
return(profilePaths);
}
/// <summary>
///
/// </summary>
/// <param name="bootKey"></param>
/// <returns></returns>
private byte[] GenerateHashedBootKey(List <byte> bootKey)
{
try
{
RegParser regParser = new RegParser(_samFile);
RegKey rootKey = regParser.RootKey;
RegKey regKey = rootKey.Key(@"SAM\Domains\Account");
if (regKey == null)
{
this.OnError("Unable to locate the following registry key: SAM\\SAM\\Domains\\Account");
return(null);
}
RegValue regValue = regKey.Value("F");
if (regValue == null)
{
this.OnError("Unable to locate the following registry key: SAM\\SAM\\Domains\\Account\\F");
return(null);
}
byte[] hashedBootKey = new byte[16];
Buffer.BlockCopy((byte[])regValue.Data, 112, hashedBootKey, 0, 16);
//this.PrintHex("Hashed bootkey", hashedBootKey.ToArray());
List <byte> data = new List <byte>();
data.AddRange(hashedBootKey.ToArray());
data.AddRange(Encoding.ASCII.GetBytes(_aqwerty));
data.AddRange(bootKey.ToArray());
data.AddRange(Encoding.ASCII.GetBytes(_anum));
byte[] md5 = MD5.Create().ComputeHash(data.ToArray());
byte[] encData = new byte[32];
byte[] encOutput = new byte[32];
Buffer.BlockCopy((byte[])regValue.Data, 128, encData, 0, 32);
RC4Engine rc4Engine = new RC4Engine();
rc4Engine.Init(true, new KeyParameter(md5));
rc4Engine.ProcessBytes(encData, 0, 32, encOutput, 0);
return(encOutput);
}
catch (Exception ex)
{
this.OnError("An error occured whilst generating the hashed boot key");
Misc.WriteToEventLog(Application.ProductName, ex.Message, EventLogEntryType.Error);
return(null);
}
}
private void RunParser()
{
try
{
var inputStream = new AntlrInputStream(Pattern);
var lexer = new RegLexer(inputStream);
var tokenStream = new CommonTokenStream(lexer);
var parser = new RegParser(tokenStream);
var headContext = parser.pattern();
var visitor = new RegVisitor();
visitor.Alphabet = Alphabet;
Line = (PatternLine)visitor.Visit(headContext);
}
catch (Exception ex)
{
Console.WriteLine("Error: " + ex);
}
}
public IActionResult Post([FromBody] string value)
{
if (value == null)
{
return(BadRequest());
}
// Read XML and parse
RegParser parser = new RegParser(value, this.Configuration, sCrypt, aGuid);
parser.Parse();
_context.Auser.Add(parser.auser);
_context.Sources.Add(parser.source);
foreach (AOrder _order in parser.itemorders)
{
_context.AOrder.Add(_order);
}
_context.SaveChanges();
return(Ok(true));
}
/// <summary>
///
/// </summary>
/// <param name="path"></param>
/// <returns></returns>
private List <UserGroup> ExtractGroups()
{
RegParser regParser = new RegParser(_samFile);
RegKey rootKey = regParser.RootKey;
RegKey regKey = rootKey.Key("SAM\\Domains\\Builtin\\Aliases");
if (regKey == null)
{
Console.WriteLine("Unable to locate the following registry key: SAM\\Domains\\Builtin\\Aliases");
return(null);
}
List <UserGroup> userGroups = new List <UserGroup>();
List <RegKey> regKeys = regKey.SubKeys;
for (int indexKeys = 0; indexKeys < regKeys.Count; indexKeys++)
{
//Console.WriteLine(regKeys[indexKeys].Name);
RegValue regValue = regKeys[indexKeys].Value("C");
if (regValue == null)
{
continue;
}
byte[] data = (byte[])regValue.Data;
int offset = BitConverter.ToInt32((byte[])data, 16);
int length = BitConverter.ToInt32((byte[])data, 20);
offset += 52;
byte[] extract = new byte[length];
Buffer.BlockCopy(data, offset, extract, 0, length);
// Group Name
//Console.WriteLine("Group Name: " + Functions.ConvertUnicodeToAscii(Functions.ByteArray2String(extract, false, false)));
string groupName = Text.ConvertUnicodeToAscii(Text.ByteArray2String(extract, false, false));
offset = BitConverter.ToInt32((byte[])data, 28);
length = BitConverter.ToInt32((byte[])data, 32);
offset += 52;
extract = new byte[length];
Buffer.BlockCopy(data, offset, extract, 0, length);
// Comment
//Console.WriteLine("Comment: " + Functions.ConvertUnicodeToAscii(Functions.ByteArray2String(extract, false, false)));
int users = BitConverter.ToInt32((byte[])data, 48);
// No. Users
//Console.WriteLine("No. Users: " + users);
offset = BitConverter.ToInt32((byte[])data, 40);
length = BitConverter.ToInt32((byte[])data, 44);
if (users > 0)
{
int count = 0;
for (int indexUsers = 1; indexUsers <= users; indexUsers++)
{
int dataOffset = offset + 52 + count;
int sidType = BitConverter.ToInt32((byte[])data, dataOffset);
UserGroup userGroup = new UserGroup();
if (sidType == 257)
{
extract = new byte[12];
Buffer.BlockCopy(data, dataOffset, extract, 0, 12);
int rev = extract[0];
int dashes = BitConverter.ToInt32((byte[])extract, 1);
byte[] ntauthData = new byte[8];
Buffer.BlockCopy(extract, 2, ntauthData, 2, 6);
string ntauth = Text.ConvertByteArrayToHexString(ntauthData);
ntauth = Regex.Replace(ntauth, "^0+", string.Empty);
byte[] ntnonunique = new byte[4];
Buffer.BlockCopy(extract, 8, ntnonunique, 0, 4);
uint intntnonunique = BitConverter.ToUInt32((byte[])ntnonunique, 0);
//Console.WriteLine("S-" + rev + "-" + ntauth + "-" + intntnonunique);
userGroup.Group = groupName;
userGroup.Rid = "S-" + rev + "-" + ntauth + "-" + intntnonunique;
userGroups.Add(userGroup);
count += 12;
}
else if (sidType == 1281)
{
extract = new byte[26];
Buffer.BlockCopy(data, dataOffset, extract, 0, 26);
int rev = extract[0];
int dashes = BitConverter.ToInt32((byte[])extract, 1);
byte[] ntauthData = new byte[8];
Buffer.BlockCopy(extract, 2, ntauthData, 2, 6);
string ntauth = Text.ConvertByteArrayToHexString(ntauthData);
ntauth = Regex.Replace(ntauth, "^0+", string.Empty);
byte[] ntnonunique = new byte[4];
Buffer.BlockCopy(extract, 8, ntnonunique, 0, 4);
uint intntnonunique = BitConverter.ToUInt32((byte[])ntnonunique, 0);
byte[] part1 = new byte[4];
Buffer.BlockCopy(extract, 12, part1, 0, 4);
uint intpart1 = BitConverter.ToUInt32((byte[])part1, 0);
byte[] part2 = new byte[4];
Buffer.BlockCopy(extract, 16, part2, 0, 4);
uint intpart2 = BitConverter.ToUInt32((byte[])part2, 0);
byte[] part3 = new byte[4];
Buffer.BlockCopy(extract, 20, part3, 0, 4);
uint intpart3 = BitConverter.ToUInt32((byte[])part3, 0);
byte[] rid = new byte[4];
Buffer.BlockCopy(extract, 24, rid, 0, 2);
int intrid = BitConverter.ToInt32((byte[])rid, 0);
//Console.WriteLine("S-" + rev + "-" + ntauth + "-" + intntnonunique + "-" + intpart1 + "-" + intpart2 + "-" + intpart3 + "-" + intrid);
userGroup.Group = groupName;
userGroup.Rid = "S-" + rev + "-" + ntauth + "-" + intntnonunique + "-" + intpart1 + "-" + intpart2 + "-" + intpart3 + "-" + intrid;
userGroups.Add(userGroup);
count += 28;
}
}
}
}
return(userGroups);
}
/// <summary>
///
/// </summary>
/// <param name="hashedBootKey"></param>
/// <returns></returns>
private bool EnumerateUsers(byte[] hashedBootKey)
{
try
{
RegParser regParser = new RegParser(_samFile);
RegKey rootKey = regParser.RootKey;
RegKey regkey = rootKey.Key("SAM\\Domains\\Account\\Users");
if (regkey == null)
{
this.OnError("Unable to locate the following registry key: SAM\\Domains\\Account\\Users");
return(false);
}
List <RegKey> regKeys = regkey.SubKeys;
for (int indexKeys = 0; indexKeys < regKeys.Count; indexKeys++)
{
RegValue regValue = regKeys[indexKeys].Value("V");
if (regValue == null)
{
continue;
}
UserAccount userAccount = new UserAccount();
string hexRid = Helper.RemoveHivePrefix(regKeys[indexKeys].Name).Replace("SAM\\Domains\\Account\\Users\\", string.Empty);
hexRid = Helper.RemoveHivePrefix(hexRid).Replace("SAM\\", string.Empty);
hexRid = Helper.RemoveHivePrefix(hexRid).Replace("ROOT\\", string.Empty);
byte[] data = (byte[])regValue.Data;
int offset = BitConverter.ToInt32((byte[])data, 12);
int length = BitConverter.ToInt32((byte[])data, 16);
offset += 204;
byte[] extract = new byte[length];
Buffer.BlockCopy(data, offset, extract, 0, length);
userAccount.LoginName = Helper.ReplaceNulls(Text.ConvertUnicodeToAscii(Text.ByteArray2String(extract, false, false)));
offset = BitConverter.ToInt32((byte[])data, 24);
length = BitConverter.ToInt32((byte[])data, 28);
offset += 204;
extract = new byte[length];
Buffer.BlockCopy(data, offset, extract, 0, length);
// Name
userAccount.Name = Helper.ReplaceNulls(Text.ConvertUnicodeToAscii(Text.ByteArray2String(extract, false, false)));
offset = BitConverter.ToInt32((byte[])data, 36);
length = BitConverter.ToInt32((byte[])data, 40);
offset += 204;
extract = new byte[length];
Buffer.BlockCopy(data, offset, extract, 0, length);
// Description
if (length > 0)
{
userAccount.Description = Helper.ReplaceNulls(Text.ConvertUnicodeToAscii(Text.ByteArray2String(extract, false, false)));
}
offset = BitConverter.ToInt32((byte[])data, 48);
length = BitConverter.ToInt32((byte[])data, 52);
offset += 204;
extract = new byte[length];
Buffer.BlockCopy(data, offset, extract, 0, length);
// User Comment
if (length > 0)
{
userAccount.UserComment = Helper.ReplaceNulls(Text.ConvertUnicodeToAscii(Text.ByteArray2String(extract, false, false)));
}
// LM Hash
offset = BitConverter.ToInt32((byte[])data, 156);
length = BitConverter.ToInt32((byte[])data, 160);
offset += 204;
userAccount.EncLmHash = new byte[length];
Buffer.BlockCopy(data, offset, userAccount.EncLmHash, 0, length);
// NT Hash
offset = BitConverter.ToInt32((byte[])data, 168);
length = BitConverter.ToInt32((byte[])data, 172);
offset += 204;
userAccount.EncNtHash = new byte[length];
Buffer.BlockCopy(data, offset, userAccount.EncNtHash, 0, length);
if (userAccount.EncLmHash.Length == 20)
{
byte[] tempLmHash = new byte[16];
Buffer.BlockCopy(userAccount.EncLmHash, 4, tempLmHash, 0, 16);
userAccount.EncLmHash = tempLmHash;
this.DecryptHash(hexRid, hashedBootKey, _lmpassword, true, userAccount);
}
else
{
userAccount.Rid = Int32.Parse(hexRid, System.Globalization.NumberStyles.HexNumber);
Debug.WriteLine("**LMLEN**: " + userAccount.EncLmHash.Length);
}
if (userAccount.EncNtHash.Length == 20)
{
byte[] tempNtHash = new byte[16];
Buffer.BlockCopy(userAccount.EncNtHash, 4, tempNtHash, 0, 16);
userAccount.EncNtHash = tempNtHash;
this.DecryptHash(hexRid, hashedBootKey, _ntpassword, false, userAccount);
}
else
{
userAccount.Rid = Int32.Parse(hexRid, System.Globalization.NumberStyles.HexNumber);
Debug.WriteLine("**NTLEN**: " + userAccount.EncNtHash.Length);
}
// F
regValue = regKeys[indexKeys].Value("F");
data = (byte[])regValue.Data;
extract = new byte[8];
Buffer.BlockCopy(data, 8, extract, 0, 8);
long i = BitConverter.ToInt64((byte[])extract, 0);
DateTime dateTime = DateTime.FromFileTimeUtc(i);
userAccount.LastLoginDate = dateTime.ToShortTimeString() + " " + dateTime.ToShortDateString();
extract = new byte[8];
Buffer.BlockCopy(data, 24, extract, 0, 8);
i = BitConverter.ToInt64((byte[])extract, 0);
dateTime = DateTime.FromFileTimeUtc(i);
userAccount.PasswordResetDate = dateTime.ToShortTimeString() + " " + dateTime.ToShortDateString();
extract = new byte[8];
Buffer.BlockCopy(data, 32, extract, 0, 8);
i = BitConverter.ToInt64((byte[])extract, 0);
if (i == 0 | i == 9223372036854775807)
{
userAccount.AccountExpiryDate = string.Empty;
}
else
{
dateTime = DateTime.FromFileTimeUtc(i);
userAccount.AccountExpiryDate = dateTime.ToShortTimeString() + " " + dateTime.ToShortDateString();
}
extract = new byte[8];
Buffer.BlockCopy(data, 40, extract, 0, 8);
i = BitConverter.ToInt64((byte[])extract, 0);
dateTime = DateTime.FromFileTimeUtc(i);
userAccount.LoginFailedDate = dateTime.ToShortTimeString() + " " + dateTime.ToShortDateString();
//extract = new byte[4];
//Buffer.BlockCopy(data, 48, extract, 0, 4);
//i = BitConverter.ToInt32((byte[])extract, 0);
//output.AppendLine("RID: " + i);
extract = new byte[2];
Buffer.BlockCopy(data, 56, extract, 0, 2);
i = BitConverter.ToInt16((byte[])extract, 0);
if ((i & (int)0x0001) == 0x0001)
{
userAccount.IsDisabled = true;
}
//foreach (DictionaryEntry de in _acbs)
//{
// if ((i & (int)de.Key) == (int)de.Key)
// {
// output.AppendLine(de.Value.ToString());
// }
//}
extract = new byte[2];
Buffer.BlockCopy(data, 64, extract, 0, 2);
i = BitConverter.ToInt16((byte[])extract, 0);
userAccount.FailedLogins = i;
extract = new byte[2];
Buffer.BlockCopy(data, 66, extract, 0, 2);
i = BitConverter.ToInt16((byte[])extract, 0);
userAccount.LoginCount = i;
_userAccounts.Add(userAccount);
}
return(true);
}
catch (Exception ex)
{
this.OnError("An error occured whilst enumerating users");
Misc.WriteToEventLog(Application.ProductName, "An error occured whilst enumerating users: " + ex.Message, EventLogEntryType.Error);
return(false);
}
}
/// <summary>
///
/// </summary>
/// <returns></returns>
private List <byte> ExtractBootKey()
{
try
{
RegParser regParser = new RegParser(_systemFile);
RegKey rootKey = regParser.RootKey;
StringBuilder output = new StringBuilder();
RegKey regKey = rootKey.Key(@"Select");
if (regKey == null)
{
this.OnError("Unable to locate the following registry key: Select");
return(null);
}
List <byte> bootKeyTemp = new List <byte>();
RegValue regValueCcs = regKey.Value("Current");
if (regValueCcs == null)
{
this.OnError("Unable to locate the following registry key: Current");
return(null);
}
regKey = rootKey.Key(@"ControlSet00" + regValueCcs.Data + "\\Control\\LSA\\JD");
if (regKey == null)
{
this.OnError("Unable to locate the following registry key: ControlSet00" + regValueCcs.Data + "\\Control\\LSA\\JD");
return(null);
}
string temp = regKey.ClassName;
for (int i = 0; i < temp.Length / 2; i++)
{
bootKeyTemp.Add(Convert.ToByte(temp.Substring(i * 2, 2), 16));
}
regKey = rootKey.Key(@"ControlSet00" + regValueCcs.Data + "\\Control\\LSA\\Skew1");
if (regKey == null)
{
this.OnError("Unable to locate the following registry key: ControlSet00" + regValueCcs.Data + "\\Control\\LSA\\Skew1");
return(null);
}
temp = regKey.ClassName;
for (int i = 0; i < temp.Length / 2; i++)
{
bootKeyTemp.Add(Convert.ToByte(temp.Substring(i * 2, 2), 16));
}
regKey = rootKey.Key(@"ControlSet00" + regValueCcs.Data + "\\Control\\LSA\\GBG");
if (regKey == null)
{
this.OnError("Unable to locate the following registry key: ControlSet00" + regValueCcs.Data + "\\Control\\LSA\\GBG");
return(null);
}
temp = regKey.ClassName;
for (int i = 0; i < temp.Length / 2; i++)
{
bootKeyTemp.Add(Convert.ToByte(temp.Substring(i * 2, 2), 16));
}
regKey = rootKey.Key(@"ControlSet00" + regValueCcs.Data + "\\Control\\LSA\\Data");
if (regKey == null)
{
this.OnError("Unable to locate the following registry key: ControlSet00" + regValueCcs.Data + "\\Control\\LSA\\Data");
return(null);
}
temp = regKey.ClassName;
for (int i = 0; i < temp.Length / 2; i++)
{
bootKeyTemp.Add(Convert.ToByte(temp.Substring(i * 2, 2), 16));
}
List <byte> bootKey = new List <byte>();
for (int index = 0; index < bootKeyTemp.Count; index++)
{
bootKey.Add(bootKeyTemp[_permutationMatrix[index]]);
}
//this.PrintHex("Bootkey", bootKey.ToArray());
return(bootKey);
}
catch (Exception ex)
{
this.OnError("An error occured whilst extracting the boot key");
Misc.WriteToEventLog(Application.ProductName, ex.Message, EventLogEntryType.Error);
return(null);
}
}
