MyLoginOnGitHub · MyLoginOnGitHub · Jan 5, 2020 · Jan 3, 2020 · Jan 3, 2020 · Jan 3, 2020
diff --git a/Windows/lazagne/config/winstructure.py b/Windows/lazagne/config/winstructure.py
@@ -161,24 +161,6 @@ class DATA(Structure):
     ]
 
 
-class DATA2(Structure):
-    _fields_ = [
-        # ('boolean',       BOOL),
-        # ('short',             SHORT),
-        # ('unsignedShort',     WORD),
-        # ('int',           LONG),
-        # ('unsignedInt',   ULONG),
-        ('double',            DOUBLE),
-        ('guid', GUID),
-        ('string', LPWSTR),
-        # ('byteArray', VAULT_BYTE_BUFFER),
-        # ('protectedArray', VAULT_BYTE_BUFFER),
-        # ('attribute', PVAULT_CREDENTIAL_ATTRIBUTEW),
-        ('Sid',           PSID)
-        # ('sid', DWORD)
-    ]
-
-
 class Flag(Structure):
     _fields_ = [
         ('0x00', DWORD),
@@ -202,9 +184,7 @@ class VAULT_ITEM_DATA(Structure):
     _fields_ = [
         # ('schemaElementId',   DWORD),
         # ('unk0',              DWORD),
-        # ('Type',              VAULT_ELEMENT_TYPE),
-        # ('type',              Flag),
-        # ('type',              DWORD * 14),
+        # ('Type',              DWORD),
         # ('unk1',              DWORD),
         ('data', DATA),
     ]
@@ -213,28 +193,14 @@ class VAULT_ITEM_DATA(Structure):
 PVAULT_ITEM_DATA = POINTER(VAULT_ITEM_DATA)
 
 
-class VAULT_ITEM_DATA2(Structure):
-    _fields_ = [
-        # ('schemaElementId',   DWORD),
-        # ('unk0',              DWORD),
-        # ('Type',              VAULT_ELEMENT_TYPE),
-        # ('type',              Flag),
-        # ('type',              DWORD * 14),
-        # ('unk1',              DWORD),
-        ('data', DATA2),
-    ]
-
-
-PVAULT_ITEM_DATA2 = POINTER(VAULT_ITEM_DATA2)
-
-
+# From https://github.com/gentilkiwi/mimikatz/blob/b008188f9fe5668b5dae80c210290c7efa872ffa/mimikatz/modules/kuhl_m_vault.h#L157
 class VAULT_ITEM_WIN8(Structure):
     _fields_ = [
         ('id', GUID),
         ('pName', PWSTR),
         ('pResource', PVAULT_ITEM_DATA),
         ('pUsername', PVAULT_ITEM_DATA),
-        ('pPassword', PVAULT_ITEM_DATA2),
+        ('pPassword', PVAULT_ITEM_DATA),
         ('pPackageSid', PVAULT_ITEM_DATA),
         ('LastWritten', FILETIME),
         ('Flags', DWORD),
@@ -246,18 +212,21 @@ class VAULT_ITEM_WIN8(Structure):
 PVAULT_ITEM_WIN8 = POINTER(VAULT_ITEM_WIN8)
 
 
+# From https://github.com/gentilkiwi/mimikatz/blob/b008188f9fe5668b5dae80c210290c7efa872ffa/mimikatz/modules/kuhl_m_vault.h#L145
 class VAULT_ITEM_WIN7(Structure):
   _fields_ = [
       ('id',              GUID),
       ('pName',           PWSTR),
       ('pResource',       PVAULT_ITEM_DATA),
       ('pUsername',       PVAULT_ITEM_DATA),
-      ('pPassword',       PVAULT_ITEM_DATA2),
+      ('pPassword',       PVAULT_ITEM_DATA),
       ('LastWritten',     FILETIME),
       ('Flags',           DWORD),
       ('cbProperties',    DWORD),
       ('Properties',      PVAULT_ITEM_DATA),
   ]
+
+
 PVAULT_ITEM_WIN7 = POINTER(VAULT_ITEM_WIN7)
 
 class OSVERSIONINFOEXW(Structure):
@@ -426,10 +395,6 @@ def __repr__(self):
 CredFree.restype = PVOID
 CredFree.argtypes = [PVOID]
 
-memcpy = cdll.msvcrt.memcpy
-memcpy.restype = PVOID
-memcpy.argtypes = [PVOID]
-
 LocalFree = kernel32.LocalFree
 LocalFree.restype = HANDLE
 LocalFree.argtypes = [HANDLE]
@@ -600,11 +565,10 @@ def RtlAdjustPrivilege(privilege_id):
 
 
 def getData(blobOut):
-    cbData = int(blobOut.cbData)
+    cbData = blobOut.cbData
     pbData = blobOut.pbData
-    buffer = c_buffer(cbData)
-
-    memcpy(buffer, pbData, cbData)
+    buffer = create_string_buffer(cbData)
+    memmove(buffer, pbData, sizeof(buffer))
     LocalFree(pbData);
     return buffer.raw
 
@@ -645,11 +609,11 @@ def Win32CryptUnprotectData(cipherText, entropy=False, is_current_user=True, use
             blobEntropy = DATA_BLOB(len(entropy), bufferEntropy)
 
             if CryptUnprotectData(byref(blobIn), None, byref(blobEntropy), None, None, 0, byref(blobOut)):
-                decrypted = getData(blobOut).decode("utf-8")
+                decrypted = getData(blobOut)
 
         else:
             if CryptUnprotectData(byref(blobIn), None, None, None, None, 0, byref(blobOut)):
-                decrypted = getData(blobOut).decode("utf-8")
+                decrypted = getData(blobOut)
 
     if not decrypted:
         can_decrypt = True

diff --git a/Windows/lazagne/softwares/browsers/chromium_based.py b/Windows/lazagne/softwares/browsers/chromium_based.py
@@ -112,8 +112,9 @@ def _export_credentials(self, db_path, is_yandex=False):
                     # Failed...
                 else:
                     # Decrypt the Password
-                    password = Win32CryptUnprotectData(password, is_current_user=constant.is_current_user,
-                                                       user_dpapi=constant.user_dpapi)
+                    password_bytes = Win32CryptUnprotectData(password, is_current_user=constant.is_current_user,
+                                                             user_dpapi=constant.user_dpapi)
+                    password = password_bytes.decode("utf-8")
 
                 if not url and not login and not password:
                     continue

diff --git a/Windows/lazagne/softwares/browsers/ie.py b/Windows/lazagne/softwares/browsers/ie.py
@@ -117,7 +117,8 @@ def history_from_regedit(self):
     def decipher_password(self, cipher_text, u):
         pwd_found = []
         # deciper the password
-        pwd = win.Win32CryptUnprotectData(cipher_text, u, is_current_user=constant.is_current_user, user_dpapi=constant.user_dpapi)
+        pwd_bytes = win.Win32CryptUnprotectData(cipher_text, u, is_current_user=constant.is_current_user, user_dpapi=constant.user_dpapi)
+        pwd = pwd_bytes.decode("utf-8")
         a = ''
         if pwd:
             for i in range(len(pwd)):

diff --git a/Windows/lazagne/softwares/chats/skype.py b/Windows/lazagne/softwares/chats/skype.py
@@ -40,7 +40,8 @@ def get_regkey(self):
 
             # num = winreg.QueryInfoKey(hkey)[1]
             k = winreg.EnumValue(hkey, 0)[1]
-            return win.Win32CryptUnprotectData(k, is_current_user=constant.is_current_user, user_dpapi=constant.user_dpapi)
+            result_bytes = win.Win32CryptUnprotectData(k, is_current_user=constant.is_current_user, user_dpapi=constant.user_dpapi)
+            return result_bytes.decode("utf-8")
         except Exception as e:
             self.debug(str(e))
             return False

diff --git a/Windows/lazagne/softwares/mails/outlook.py b/Windows/lazagne/softwares/mails/outlook.py
@@ -52,8 +52,13 @@ def retrieve_info(self, hkey, name_key):
             k = winreg.EnumValue(hkey, x)
             if 'password' in k[0].lower():
                 try:
-                    password = win.Win32CryptUnprotectData(k[1][1:], is_current_user=constant.is_current_user, user_dpapi=constant.user_dpapi)
-                    values[k[0]] = password
+                    password_bytes = win.Win32CryptUnprotectData(k[1][1:], is_current_user=constant.is_current_user, user_dpapi=constant.user_dpapi)
+                    #  password_bytes is <password in utf-16> + b'\x00\x00'
+                    terminator = b'\x00\x00'
+                    if password_bytes.endswith(terminator):
+                        password_bytes = password_bytes[: -len(terminator)]
+
+                    values[k[0]] = password_bytes.decode("utf-16")
                 except Exception as e:
                     self.debug(str(e))
                     values[k[0]] = 'N/A'

diff --git a/Windows/lazagne/softwares/svn/tortoise.py b/Windows/lazagne/softwares/svn/tortoise.py
@@ -57,11 +57,11 @@ def run(self):
                     # encrypted the password
                     if result:
                         try:
-                            password = Win32CryptUnprotectData(base64.b64decode(result), is_current_user=constant.is_current_user, user_dpapi=constant.user_dpapi)
+                            password_bytes = Win32CryptUnprotectData(base64.b64decode(result), is_current_user=constant.is_current_user, user_dpapi=constant.user_dpapi)
                             pwd_found.append({
                                 'URL': url,
                                 'Login': username,
-                                'Password': str(password)
+                                'Password': password_bytes.decode("utf-8")
                             })
                         except Exception:
                             pass

diff --git a/Windows/lazagne/softwares/sysadmin/cyberduck.py b/Windows/lazagne/softwares/sysadmin/cyberduck.py
@@ -37,10 +37,10 @@ def run(self):
                             or elem.attrib['name'].startswith('sftp') or elem.attrib['name'].startswith('http') \
                             or elem.attrib['name'].startswith('https'):
                         encrypted_password = base64.b64decode(elem.attrib['value'])
-                        password = Win32CryptUnprotectData(encrypted_password, is_current_user=constant.is_current_user, user_dpapi=constant.user_dpapi)
+                        password_bytes = Win32CryptUnprotectData(encrypted_password, is_current_user=constant.is_current_user, user_dpapi=constant.user_dpapi)
                         pwd_found.append({
                             'URL': elem.attrib['name'],
-                            'Password': password,
+                            'Password': password_bytes.decode("utf-8"),
                         })
                 except Exception as e:
                     self.debug(str(e))

diff --git a/Windows/lazagne/softwares/sysadmin/openvpn.py b/Windows/lazagne/softwares/sysadmin/openvpn.py
@@ -22,10 +22,11 @@ def check_openvpn_installed(self):
             return False
 
     def decrypt_password(self, encrypted_password, entropy):
-        return Win32CryptUnprotectData(encrypted_password,
-                                       entropy=entropy,
-                                       is_current_user=constant.is_current_user,
-                                       user_dpapi=constant.user_dpapi)
+        result_bytes = Win32CryptUnprotectData(encrypted_password,
+                                               entropy=entropy,
+                                               is_current_user=constant.is_current_user,
+                                               user_dpapi=constant.user_dpapi)
+        return result_bytes.decode("utf-8")
 
     def get_credentials(self, key):
         pwd_found = []

diff --git a/Windows/lazagne/softwares/sysadmin/rdpmanager.py b/Windows/lazagne/softwares/sysadmin/rdpmanager.py
@@ -17,7 +17,8 @@ def __init__(self):
     def decrypt_password(self, encrypted_password):
         try:
             decoded = base64.b64decode(encrypted_password)
-            password_decrypted = Win32CryptUnprotectData(decoded, is_current_user=constant.is_current_user, user_dpapi=constant.user_dpapi)
+            password_decrypted_bytes = Win32CryptUnprotectData(decoded, is_current_user=constant.is_current_user, user_dpapi=constant.user_dpapi)
+            password_decrypted = password_decrypted_bytes.decode("utf-8")
             password_decrypted = password_decrypted.replace('\x00', '')
         except Exception:
             password_decrypted = encrypted_password.replace('\x00', '')