Thanks to @dfirfpi new samples, some cool adaptations!

dptechma · Jul 15, 2015 · 5084e9d · 5084e9d
1 parent f527ec2
commit 5084e9d
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 6 deletions.
diff --git a/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_creds.c b/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_creds.c
@@ -77,7 +77,7 @@ NTSTATUS kuhl_m_dpapi_vault(int argc, wchar_t * argv[])
 											if(attribute = vaultCredential->attributes[i])
 											{
 												kprintf(L"  > Attribute %u : ", attribute->id);
-												if(attribute->id < 100)
+												if(attribute->id && (attribute->id < 100))
 												{
 													if(len = (attribute->attributeElement.simpleAttribute.size >= 1) ? (attribute->attributeElement.simpleAttribute.size - 1) :  0)
 													{
@@ -91,6 +91,7 @@ NTSTATUS kuhl_m_dpapi_vault(int argc, wchar_t * argv[])
 																{
 																	kull_m_string_wprintf_hex(buffer, len, 0);
 																}
+																else PRINT_ERROR_AUTO(L"CryptDecrypt");
 																CryptDestroyKey(hKey);
 																LocalFree(buffer);
 															}
@@ -110,7 +111,7 @@ NTSTATUS kuhl_m_dpapi_vault(int argc, wchar_t * argv[])
 																if(CryptDecrypt(hKey, 0, TRUE, 0, (PBYTE) buffer, &len))
 																{
 																	kprintf(L"\n");
-																	if(attribute->id == 100)
+																	if(!attribute->id || (attribute->id == 100))
 																	{
 																		if(clear = kull_m_cred_vault_clear_create(buffer))
 																		{
@@ -121,6 +122,7 @@ NTSTATUS kuhl_m_dpapi_vault(int argc, wchar_t * argv[])
 																	else kull_m_string_wprintf_hex(buffer, len, 1 | (16 << 16));
 																	kprintf(L"\n");
 																}
+																else PRINT_ERROR_AUTO(L"CryptDecrypt");
 																CryptDestroyKey(hKey);
 																LocalFree(buffer);
 															}

diff --git a/modules/kull_m_cred.c b/modules/kull_m_cred.c
@@ -329,7 +329,7 @@ PKULL_M_CRED_VAULT_CREDENTIAL kull_m_cred_vault_credential_create(PVOID data/*,
 		kull_m_string_ptr_replace(&credential->attributesMap, credential->dwAttributesMapSize);
 
 		credential->__cbElements = credential->dwAttributesMapSize / sizeof(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE_MAP);
-		if(credential->attributes = (PKULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE * ) LocalAlloc(LPTR, credential->__cbElements * sizeof(PKULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE)))
+		if(credential->attributes = (PKULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE * ) LocalAlloc(LPTR, (credential->__cbElements + ((credential->unk0 < 4) ? 1 : 0)) * sizeof(PKULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE)))
 		{
 			for(i = 0; i < credential->__cbElements; i++)
 			{
@@ -351,6 +351,17 @@ PKULL_M_CRED_VAULT_CREDENTIAL kull_m_cred_vault_credential_create(PVOID data/*,
 					}
 				}
 			}
+
+			if(attribute && credential->unk0 < 4)
+			{
+				if(credential->attributes[i] = (PKULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE) LocalAlloc(LPTR, sizeof(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE)))
+				{
+					RtlCopyMemory(&credential->attributes[i]->attributeElement.complexAttribute.size, (PBYTE) attribute + FIELD_OFFSET(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE, attributeElement) + FIELD_OFFSET(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE_SIMPLE, attributeData) + attribute->attributeElement.simpleAttribute.size + sizeof(USHORT), FIELD_OFFSET(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE_COMPLEX, attributeData) - FIELD_OFFSET(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE_COMPLEX, size));
+					credential->attributes[i]->attributeElement.complexAttribute.attributeData = (PKULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE_DATA) ((PBYTE) attribute + FIELD_OFFSET(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE, attributeElement) + FIELD_OFFSET(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE_SIMPLE, attributeData) + attribute->attributeElement.simpleAttribute.size + sizeof(USHORT) + (FIELD_OFFSET(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE_COMPLEX, attributeData)  - FIELD_OFFSET(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE_COMPLEX, size)));
+					kull_m_string_ptr_replace(&credential->attributes[i]->attributeElement.complexAttribute.attributeData, credential->attributes[i]->attributeElement.complexAttribute.size);
+					credential->__cbElements++;
+				}
+			}
 		}
 	}
 	return credential;
@@ -372,7 +383,7 @@ void kull_m_cred_vault_credential_delete(PKULL_M_CRED_VAULT_CREDENTIAL credentia
 			{
 				if(credential->attributes[i])
 				{
-					if(credential->attributes[i]->id < 100)
+					if(credential->attributes[i]->id && (credential->attributes[i]->id < 100))
 					{
 						if(credential->attributes[i]->attributeElement.simpleAttribute.attributeData)
 							LocalFree(credential->attributes[i]->attributeElement.simpleAttribute.attributeData);
@@ -419,7 +430,7 @@ void kull_m_cred_vault_credential_attribute_descr(DWORD level, PKULL_M_CRED_VAUL
 	{
 		kprintf(L"%*s" L"  id      : %08x - %u\n", level << 1, L"", attribute->id, attribute->id);
 		kprintf(L"%*s" L"  unk0/1/2: %08x/%08x/%08x\n", level << 1, L"", attribute->unk0, attribute->unk1, attribute->unk2);
-		if(attribute->id < 100)
+		if(attribute->id && (attribute->id < 100))
 		{
 			if((attribute->attributeElement.simpleAttribute.size >= 1) && attribute->attributeElement.simpleAttribute.attributeData)
 			{

diff --git a/modules/kull_m_cred.h b/modules/kull_m_cred.h
@@ -128,7 +128,6 @@ typedef struct _KULL_M_CRED_VAULT_CREDENTIAL {
 
 	DWORD __cbElements;
 	PKULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE *attributes;
-
 } KULL_M_CRED_VAULT_CREDENTIAL, *PKULL_M_CRED_VAULT_CREDENTIAL;
 
 typedef struct _KULL_M_CRED_VAULT_CLEAR_ENTRY {