public static void ExportCredentialPtr(IntPtr nCredPtr) { using (CriticalCredentialHandle critCred = new CriticalCredentialHandle(nCredPtr)) { CREDENTIAL cred = critCred.GetCredential(); uint Flags = cred.Flags; CredentialType Type = cred.Type; string TargetName = Marshal.PtrToStringUni(cred.TargetName); string Comment = Marshal.PtrToStringUni(cred.Comment); System.Runtime.InteropServices.ComTypes.FILETIME LastWritten = cred.LastWritten; uint CredentialBlobSize = cred.CredentialBlobSize; var data = new byte[CredentialBlobSize]; if (CredentialBlobSize > 0) { Marshal.Copy(cred.CredentialBlob, data, 0, data.Length); } uint Persist = cred.Persist; int AttributeCount = cred.AttributeCount; var attribSize = Marshal.SizeOf(typeof(NativeCredentialAttribute)); ExportAttrib[] attribs = new ExportAttrib[AttributeCount]; if (AttributeCount > 0) { byte[] rawData = new byte[AttributeCount * attribSize]; var buffer = Marshal.AllocHGlobal(attribSize); Marshal.Copy(cred.Attributes, rawData, (int)0, (int)AttributeCount * attribSize); for (int i = 0; i < AttributeCount; i++) { Marshal.Copy(rawData, i * attribSize, buffer, attribSize); var attr = (NativeCredentialAttribute)Marshal.PtrToStructure(buffer, typeof(NativeCredentialAttribute)); var key = attr.Keyword; var val = new byte[attr.ValueSize]; Marshal.Copy(attr.Value, val, (int)0, (int)attr.ValueSize); Console.WriteLine("[-] Attribute {0}", key); ExportAttrib attrib = new ExportAttrib(); attrib.Keyword = attr.Keyword; attrib.Flags = attr.Flags; attrib.ValueSize = attr.ValueSize; attrib.Value = val; attribs[i] = attrib; } Marshal.FreeHGlobal(buffer); } string TargetAlias = Marshal.PtrToStringUni(cred.TargetAlias); string UserName = Marshal.PtrToStringUni(cred.UserName); ExportCred export = new ExportCred(); export.Flags = Flags; export.Type = Type; export.TargetName = TargetName; export.Comment = Comment; export.LastWritten = LastWritten; export.CredentialBlobSize = CredentialBlobSize; export.CredentialBlob = data; export.Persist = Persist; export.AttributeCount = AttributeCount; export.AttributesLength = AttributeCount * attribSize; export.Attributes = attribs; export.TargetAlias = TargetAlias; export.UserName = UserName; Console.WriteLine(JsonConvert.SerializeObject(export).Replace("\"", "'")); } }
public static void RestoreCredential(string jsonString, bool fromFile = false) { Console.WriteLine("[*] Importing credential"); if (fromFile) { jsonString = System.IO.File.ReadAllText(jsonString); } ExportCred export = JsonConvert.DeserializeObject <ExportCred>(jsonString); CREDENTIAL new_cred = new CREDENTIAL(); new_cred.Flags = export.Flags; new_cred.Type = export.Type; new_cred.TargetName = Marshal.StringToCoTaskMemUni(export.TargetName); new_cred.Comment = Marshal.StringToCoTaskMemUni(export.Comment); new_cred.LastWritten = export.LastWritten; new_cred.CredentialBlobSize = export.CredentialBlobSize; int size = export.CredentialBlob.Length; IntPtr unmanagedPointer = Marshal.AllocHGlobal(size); Marshal.Copy(export.CredentialBlob, 0, unmanagedPointer, export.CredentialBlob.Length); new_cred.CredentialBlob = unmanagedPointer; new_cred.Persist = export.Persist; new_cred.AttributeCount = export.AttributeCount; var asize = Marshal.SizeOf(typeof(NativeCredentialAttribute)); byte[] oadata = new byte[export.AttributesLength]; List <IntPtr> attributesToFree = new List <IntPtr>(); for (int n = 0; n < export.AttributeCount; n++) { ExportAttrib attrib = export.Attributes[n]; Console.WriteLine("[-] Attribute {0}", attrib.Keyword); NativeCredentialAttribute nativeAttrib = new NativeCredentialAttribute(); nativeAttrib.Keyword = attrib.Keyword; nativeAttrib.Flags = attrib.Flags; nativeAttrib.ValueSize = attrib.ValueSize; IntPtr ptrattribvalue = Marshal.AllocHGlobal((int)attrib.ValueSize); attributesToFree.Add(ptrattribvalue); Marshal.Copy(attrib.Value, 0, ptrattribvalue, (int)attrib.ValueSize); nativeAttrib.Value = ptrattribvalue; var attrbuff = Marshal.AllocHGlobal(asize); attributesToFree.Add(attrbuff); Marshal.StructureToPtr(nativeAttrib, attrbuff, false); Marshal.Copy(attrbuff, oadata, n * asize, asize); } GCHandle pinnedAttributes = default(GCHandle); pinnedAttributes = GCHandle.Alloc(oadata, GCHandleType.Pinned); new_cred.Attributes = pinnedAttributes.AddrOfPinnedObject(); new_cred.TargetAlias = Marshal.StringToCoTaskMemUni(export.TargetAlias); new_cred.UserName = Marshal.StringToCoTaskMemUni(export.UserName); bool written = CredWrite(ref new_cred, 0); Marshal.FreeCoTaskMem(new_cred.TargetAlias); Marshal.FreeCoTaskMem(new_cred.TargetName); Marshal.FreeCoTaskMem(new_cred.UserName); Marshal.FreeCoTaskMem(new_cred.Comment); Marshal.FreeHGlobal(unmanagedPointer); pinnedAttributes.Free(); foreach (IntPtr attributeToFree in attributesToFree) { Marshal.FreeHGlobal(attributeToFree); } if (!written) { int lastError = Marshal.GetLastWin32Error(); throw new Exception(string.Format("CredWrite failed with the error code {0}.", lastError)); } Console.WriteLine("[*] Finished importing credential"); }