Index: sha1sum.c =================================================================== --- sha1sum.c (revision 0) +++ sha1sum.c (revision 1257) @@ -0,0 +1,304 @@ +/* sha1sum.c - print SHA-1 Message-Digest Algorithm + * Copyright (C) 1998, 1999, 2000, 2001 Free Software Foundation, Inc. + * Copyright (C) 2004 g10 Code GmbH + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software Foundation, + * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +/* SHA-1 coden take from gnupg 1.3.92. + + Note, that this is a simple tool to be used for MS Windows. +*/ + +#include +#include +#include +#include +#include +#include "sha1sum.h" + +#undef BIG_ENDIAN_HOST + +/**************** + * Rotate a 32 bit integer by n bytes + */ +#if defined(__GNUC__) && defined(__i386__) +static inline u32 +rol( u32 x, int n) +{ + __asm__("roll %%cl,%0" + :"=r" (x) + :"0" (x),"c" (n)); + return x; +} +#else +#define rol(x,n) ( ((x) << (n)) | ((x) >> (32-(n))) ) +#endif + + +void +sha1_init( SHA1_CONTEXT *hd ) +{ + hd->h0 = 0x67452301; + hd->h1 = 0xefcdab89; + hd->h2 = 0x98badcfe; + hd->h3 = 0x10325476; + hd->h4 = 0xc3d2e1f0; + hd->nblocks = 0; + hd->count = 0; +} + + +/**************** + * Transform the message X which consists of 16 32-bit-words + */ +static void +transform( SHA1_CONTEXT *hd, unsigned char *data ) +{ + u32 a,b,c,d,e,tm; + u32 x[16]; + + /* get values from the chaining vars */ + a = hd->h0; + b = hd->h1; + c = hd->h2; + d = hd->h3; + e = hd->h4; + +#ifdef BIG_ENDIAN_HOST + memcpy( x, data, 64 ); +#else + { int i; + unsigned char *p2; + for(i=0, p2=(unsigned char*)x; i < 16; i++, p2 += 4 ) { + p2[3] = *data++; + p2[2] = *data++; + p2[1] = *data++; + p2[0] = *data++; + } + } +#endif + + +#define K1 0x5A827999L +#define K2 0x6ED9EBA1L +#define K3 0x8F1BBCDCL +#define K4 0xCA62C1D6L +#define F1(x,y,z) ( z ^ ( x & ( y ^ z ) ) ) +#define F2(x,y,z) ( x ^ y ^ z ) +#define F3(x,y,z) ( ( x & y ) | ( z & ( x | y ) ) ) +#define F4(x,y,z) ( x ^ y ^ z ) + + +#define M(i) ( tm = x[i&0x0f] ^ x[(i-14)&0x0f] \ + ^ x[(i-8)&0x0f] ^ x[(i-3)&0x0f] \ + , (x[i&0x0f] = rol(tm,1)) ) + +#define R(a,b,c,d,e,f,k,m) do { e += rol( a, 5 ) \ + + f( b, c, d ) \ + + k \ + + m; \ + b = rol( b, 30 ); \ + } while(0) + R( a, b, c, d, e, F1, K1, x[ 0] ); + R( e, a, b, c, d, F1, K1, x[ 1] ); + R( d, e, a, b, c, F1, K1, x[ 2] ); + R( c, d, e, a, b, F1, K1, x[ 3] ); + R( b, c, d, e, a, F1, K1, x[ 4] ); + R( a, b, c, d, e, F1, K1, x[ 5] ); + R( e, a, b, c, d, F1, K1, x[ 6] ); + R( d, e, a, b, c, F1, K1, x[ 7] ); + R( c, d, e, a, b, F1, K1, x[ 8] ); + R( b, c, d, e, a, F1, K1, x[ 9] ); + R( a, b, c, d, e, F1, K1, x[10] ); + R( e, a, b, c, d, F1, K1, x[11] ); + R( d, e, a, b, c, F1, K1, x[12] ); + R( c, d, e, a, b, F1, K1, x[13] ); + R( b, c, d, e, a, F1, K1, x[14] ); + R( a, b, c, d, e, F1, K1, x[15] ); + R( e, a, b, c, d, F1, K1, M(16) ); + R( d, e, a, b, c, F1, K1, M(17) ); + R( c, d, e, a, b, F1, K1, M(18) ); + R( b, c, d, e, a, F1, K1, M(19) ); + R( a, b, c, d, e, F2, K2, M(20) ); + R( e, a, b, c, d, F2, K2, M(21) ); + R( d, e, a, b, c, F2, K2, M(22) ); + R( c, d, e, a, b, F2, K2, M(23) ); + R( b, c, d, e, a, F2, K2, M(24) ); + R( a, b, c, d, e, F2, K2, M(25) ); + R( e, a, b, c, d, F2, K2, M(26) ); + R( d, e, a, b, c, F2, K2, M(27) ); + R( c, d, e, a, b, F2, K2, M(28) ); + R( b, c, d, e, a, F2, K2, M(29) ); + R( a, b, c, d, e, F2, K2, M(30) ); + R( e, a, b, c, d, F2, K2, M(31) ); + R( d, e, a, b, c, F2, K2, M(32) ); + R( c, d, e, a, b, F2, K2, M(33) ); + R( b, c, d, e, a, F2, K2, M(34) ); + R( a, b, c, d, e, F2, K2, M(35) ); + R( e, a, b, c, d, F2, K2, M(36) ); + R( d, e, a, b, c, F2, K2, M(37) ); + R( c, d, e, a, b, F2, K2, M(38) ); + R( b, c, d, e, a, F2, K2, M(39) ); + R( a, b, c, d, e, F3, K3, M(40) ); + R( e, a, b, c, d, F3, K3, M(41) ); + R( d, e, a, b, c, F3, K3, M(42) ); + R( c, d, e, a, b, F3, K3, M(43) ); + R( b, c, d, e, a, F3, K3, M(44) ); + R( a, b, c, d, e, F3, K3, M(45) ); + R( e, a, b, c, d, F3, K3, M(46) ); + R( d, e, a, b, c, F3, K3, M(47) ); + R( c, d, e, a, b, F3, K3, M(48) ); + R( b, c, d, e, a, F3, K3, M(49) ); + R( a, b, c, d, e, F3, K3, M(50) ); + R( e, a, b, c, d, F3, K3, M(51) ); + R( d, e, a, b, c, F3, K3, M(52) ); + R( c, d, e, a, b, F3, K3, M(53) ); + R( b, c, d, e, a, F3, K3, M(54) ); + R( a, b, c, d, e, F3, K3, M(55) ); + R( e, a, b, c, d, F3, K3, M(56) ); + R( d, e, a, b, c, F3, K3, M(57) ); + R( c, d, e, a, b, F3, K3, M(58) ); + R( b, c, d, e, a, F3, K3, M(59) ); + R( a, b, c, d, e, F4, K4, M(60) ); + R( e, a, b, c, d, F4, K4, M(61) ); + R( d, e, a, b, c, F4, K4, M(62) ); + R( c, d, e, a, b, F4, K4, M(63) ); + R( b, c, d, e, a, F4, K4, M(64) ); + R( a, b, c, d, e, F4, K4, M(65) ); + R( e, a, b, c, d, F4, K4, M(66) ); + R( d, e, a, b, c, F4, K4, M(67) ); + R( c, d, e, a, b, F4, K4, M(68) ); + R( b, c, d, e, a, F4, K4, M(69) ); + R( a, b, c, d, e, F4, K4, M(70) ); + R( e, a, b, c, d, F4, K4, M(71) ); + R( d, e, a, b, c, F4, K4, M(72) ); + R( c, d, e, a, b, F4, K4, M(73) ); + R( b, c, d, e, a, F4, K4, M(74) ); + R( a, b, c, d, e, F4, K4, M(75) ); + R( e, a, b, c, d, F4, K4, M(76) ); + R( d, e, a, b, c, F4, K4, M(77) ); + R( c, d, e, a, b, F4, K4, M(78) ); + R( b, c, d, e, a, F4, K4, M(79) ); + + /* Update chaining vars */ + hd->h0 += a; + hd->h1 += b; + hd->h2 += c; + hd->h3 += d; + hd->h4 += e; +} + + +/* Update the message digest with the contents + * of INBUF with length INLEN. + */ +void +sha1_write( SHA1_CONTEXT *hd, unsigned char *inbuf, size_t inlen) +{ + if( hd->count == 64 ) { /* flush the buffer */ + transform( hd, hd->buf ); + hd->count = 0; + hd->nblocks++; + } + if( !inbuf ) + return; + if( hd->count ) { + for( ; inlen && hd->count < 64; inlen-- ) + hd->buf[hd->count++] = *inbuf++; + sha1_write( hd, NULL, 0 ); + if( !inlen ) + return; + } + + while( inlen >= 64 ) { + transform( hd, inbuf ); + hd->count = 0; + hd->nblocks++; + inlen -= 64; + inbuf += 64; + } + for( ; inlen && hd->count < 64; inlen-- ) + hd->buf[hd->count++] = *inbuf++; +} + + +/* The routine final terminates the computation and + * returns the digest. + * The handle is prepared for a new cycle, but adding bytes to the + * handle will the destroy the returned buffer. + * Returns: 20 bytes representing the digest. + */ + +void +sha1_final(SHA1_CONTEXT *hd) +{ + u32 t, msb, lsb; + unsigned char *p; + + sha1_write(hd, NULL, 0); /* flush */; + + t = hd->nblocks; + /* multiply by 64 to make a byte count */ + lsb = t << 6; + msb = t >> 26; + /* add the count */ + t = lsb; + if( (lsb += hd->count) < t ) + msb++; + /* multiply by 8 to make a bit count */ + t = lsb; + lsb <<= 3; + msb <<= 3; + msb |= t >> 29; + + if( hd->count < 56 ) { /* enough room */ + hd->buf[hd->count++] = 0x80; /* pad */ + while( hd->count < 56 ) + hd->buf[hd->count++] = 0; /* pad */ + } + else { /* need one extra block */ + hd->buf[hd->count++] = 0x80; /* pad character */ + while( hd->count < 64 ) + hd->buf[hd->count++] = 0; + sha1_write(hd, NULL, 0); /* flush */; + memset(hd->buf, 0, 56 ); /* fill next block with zeroes */ + } + /* append the 64 bit count */ + hd->buf[56] = msb >> 24; + hd->buf[57] = msb >> 16; + hd->buf[58] = msb >> 8; + hd->buf[59] = msb ; + hd->buf[60] = lsb >> 24; + hd->buf[61] = lsb >> 16; + hd->buf[62] = lsb >> 8; + hd->buf[63] = lsb ; + transform( hd, hd->buf ); + + p = hd->buf; +#ifdef BIG_ENDIAN_HOST +#define X(a) do { *(u32*)p = hd->h##a ; p += 4; } while(0) +#else /* little endian */ +#define X(a) do { *p++ = hd->h##a >> 24; *p++ = hd->h##a >> 16; \ + *p++ = hd->h##a >> 8; *p++ = hd->h##a; } while(0) +#endif + X(0); + X(1); + X(2); + X(3); + X(4); +#undef X +} + Index: sha1sum.h =================================================================== --- sha1sum.h (revision 0) +++ sha1sum.h (revision 1257) @@ -0,0 +1,41 @@ +/* sha1sum.h - print SHA-1 Message-Digest Algorithm + * Copyright (C) 1998, 1999, 2000, 2001 Free Software Foundation, Inc. + * Copyright (C) 2004 g10 Code GmbH + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software Foundation, + * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +/* SHA-1 coden take from gnupg 1.3.92. + + Note, that this is a simple tool to be used for MS Windows. +*/ + +#ifndef SHA1SUM_H_ +#define SHA1SUM_H_ + +typedef unsigned int u32; + +typedef struct { + u32 h0,h1,h2,h3,h4; + u32 nblocks; + unsigned char buf[64]; + int count; +} SHA1_CONTEXT; + +void sha1_init( SHA1_CONTEXT *hd ); +void sha1_write( SHA1_CONTEXT *hd, unsigned char *inbuf, size_t inlen); +void sha1_final(SHA1_CONTEXT *hd); + +#endif Index: whosthere.c =================================================================== --- whosthere.c (revision 939) +++ whosthere.c (revision 1257) @@ -6,6 +6,7 @@ #include #include "../iam/findfuncs.h" #include "getopt.h" +#include "sha1sum.h" /* * whosthere.c @@ -470,6 +471,108 @@ } +/* Generate SHA-1 hash of lsasrv.dll and identify appropriate memory addresses + JoMo-Kun + 2009/11/03 +*/ +BOOL lookupKnownAddrs( AddressesGroup* outAddrGroup ) +{ + FILE *fp; + char path[400]; + char buffer[4096]; + char hash[41]; + size_t n; + SHA1_CONTEXT ctx; + int i; + + memset(path, 0, 400); + GetEnvironmentVariable("SystemRoot", path, 256); + strcat(path,"\\system32\\lsasrv.dll"); + fp = fopen (path, "rb"); + if (!fp) + { + fprintf (stderr, "Unable to open lsasrv.dll: %s\n", strerror (errno)); + return FALSE; + } + + sha1_init (&ctx); + + while ( (n = fread (buffer, 1, sizeof buffer, fp))) + sha1_write (&ctx, buffer, n); + + if (ferror (fp)) + { + fprintf (stderr, "Error reading lsasrv.dll: %s\n", strerror (errno)); + return FALSE; + } + + sha1_final (&ctx); + + fclose (fp); + + memset(hash, 0, 41); + for (i=0; i < 20; i++) + { + hash[2 * i] = (ctx.buf[i] & 0xf0) >> 4; + hash[2 * i + 1] = ctx.buf[i] & 0x0f; + } + + for (i=0; i<40; i++) + { + if (hash[i] > 9) + hash[i] += 0x57; + else + hash[i] += 0x30; + } + + /* 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) English (United States)*/ + if ( strcmp(hash, "42940943f90ee2f6bbc66571d530f7571559f063") == 0 ) + processAddrsFromUser("75753C20:7573FE43:757D0C98:757D0CA0:757CFC60:757CFE54", outAddrGroup); + /* 5.2.3790.4530 (srv03_sp2_gdr.090615-1611) English (United States) */ + else if ( strcmp(hash, "2eff51b92571718ab144cfe7f9c2c10c892d88aa") == 0 ) + processAddrsFromUser("4AB93FE9:4AB8C9E5:4AC240C8:4AC240D0:4AC23E30:4AC23B10", outAddrGroup); + /* 5.2.3790.4455 (srv03_sp2_gdr.090203-1205) English (United States) */ + else if ( strcmp(hash, "5c937e41ee705bb5b828083f330965a2fe872e28") == 0 ) + processAddrsFromUser("4AB94009:4AB8C9C5:4AC240C8:4AC240D0:4AC23E30:4AC23B10", outAddrGroup); + /* 5.1.2600.5512 (xpsp.080413-2113) English (United States) */ + else if ( strcmp(hash, "bdbf9f51b536880164a2afdc80b6749e59b24963") == 0 ) + processAddrsFromUser("75753BA0:7573FDEC:757D0C98:757D0CA0:757CFC60:757CFE54", outAddrGroup); + /* 5.2.3790.3959 (srv03_sp2_rtm.070216-1710) English (United States) */ + else if ( strcmp(hash, "d16e408af557e62c8401a838bb81e17a0bc4bd87") == 0 ) + processAddrsFromUser("4AB93F99:4AB8C955:4AC230C8:4AC230D0:4AC22E30:4AC22B10", outAddrGroup); + /* 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) English (United States) */ + else if ( strcmp(hash, "b7335206933b1fa486a4cc09d814a155e6b0e7af") == 0 ) + processAddrsFromUser("75753BE0:7573FDF4:757D0C98:757D0CA0:757CFC60:757CFE54", outAddrGroup); + /* 5.2.3790.4186 (srv03_sp2_gdr.071108-1306) English (United States) */ + else if ( strcmp(hash, "fa441b506656252a6bc6039f4d9376d1675d5a2c") == 0 ) + processAddrsFromUser("4AB93379:4AB8BD35:4AC230C8:4AC230D0:4AC22E30:4AC22B10", outAddrGroup); + /* 5.2.3790.1830 (srv03_sp1_rtm.050324-1447) English (United States) */ + else if ( strcmp(hash, "7d51299f1911a6cfd88b05960dd9cafe1d5b9cd3") == 0 ) + processAddrsFromUser("742E159B:742D823D:74374FC0:74374FC8:74374998:74374920", outAddrGroup); + /* 5.1.2600.5834 (xpsp_sp3_qfe.090624-1332) English (United States) */ + else if ( strcmp(hash, "9f01dab059dccfb3ac5bd66c2ce8f92ed36316e2") == 0 ) + processAddrsFromUser("75753C20:7573FE43:757D0C98:757D0CA0:757CFC60:757CFE54", outAddrGroup); + /* 5.1.2600.3520 (xpsp_sp2_gdr.090206-1233) English (United States) */ + else if ( strcmp(hash, "81c5d0d2a4dd759b2dfb599ddac42af1d1f6f88f") == 0 ) + processAddrsFromUser("75747C5C:75745751:757CFBF8:757CFC00:757CEC60:757CEE54", outAddrGroup); + /* 5.1.2600.3520 (xpsp_sp2_gdr.090206-1233) English (United States) */ + else if ( strcmp(hash, "a1dc5d6f18dc83fb7cffc0fb7081963dec1dfc1a") == 0 ) + processAddrsFromUser("75747BDC:757456D2:757CFBF8:757CFC00:757CEC60:757CEE54", outAddrGroup); + /* 5.1.2600.3520 (xpsp_sp2_gdr.090206-1233) English (United States) */ + else if ( strcmp(hash, "e8baa633f35c79a57313cb9182bedc2348fa1134") == 0 ) + processAddrsFromUser("75747AD4:757455CA:757D0BD8:757D0BE0:757CFC60:757CFE54", outAddrGroup); + /* 5.1.2600.3520 (xpsp_sp2_qfe.090206-1239) English (United States) */ + else if ( strcmp(hash, "effcc406a56ca3bc5cb7f205dce00b01bbf53716") == 0 ) + processAddrsFromUser("7575530C:757414FB:757D0BD8:757D0BE0:757CFC60:757CFE54", outAddrGroup); + else + { + printf("Unknown lsasrv.dll (SHA1: %s)\n", hash); + return FALSE; + } + + return TRUE; +} + void banner(void) { @@ -486,6 +589,7 @@ printf("\t-t\t\testablishes interval used by the -i switch (by default 2 seconds).\n"); printf("\t-o\t\tdump output to a file, -o filename\n"); printf("\t-a\t\tspecify addresses to use. Format: ADDCREDENTIAL_ADDR:ENCRYPTMEMORY_ADDR:FEEDBACK_ADDR:DESKEY_ADDR:LOGONSESSIONLIST_ADDR:LOGONSESSIONLIST_COUNT_ADDR (WARNING!: if you use the wrong values the system may crash)\n"); + printf("\t-l\t\tuse known addresses based on version of lsasrv.dll present\n"); } @@ -533,7 +637,7 @@ // check parameters while(1) { - unsigned int c = getopt(argc, argv, "-IiDhHo:t:a:"); + unsigned int c = getopt(argc, argv, "-IiDhHo:t:a:l"); if( c == -1 ) break; switch( c ) { @@ -551,6 +655,14 @@ } break; + case 'l': + // lookup addresses from known value list + buseSuppliedAddrs = lookupKnownAddrs(&_addrGroup); + if (buseSuppliedAddrs == FALSE) + printf("Failed to lookup lsasrv.dll address. Proceeding with default address location routine...\n"); + + break; + case 'o': // whatever... memset(g_dumpFile, '\x00', sizeof(g_dumpFile)); Index: compile.bat =================================================================== --- compile.bat (revision 939) +++ compile.bat (revision 1257) @@ -1 +1,1 @@ -cl.exe whosthere.c getopt.c psapi.lib ..\iam\findfuncs.c advapi32.lib +cl.exe whosthere.c getopt.c sha1sum.c psapi.lib ..\iam\findfuncs.c advapi32.lib