Accueil Explorer Aide
Connexion
zhensolid
/
OperatorsKit
1
0
Fork 0
Fichiers Tickets 0 Pull Requests 0 Wiki
Aborescence: b84ce05d33
Branches Tags
OperatorsKit
/
KIT
/
EnumLocalCert
/
enumlocalcert.c

enumlocalcert.c 6.8 KB
Historique Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244 
  1. #include <windows.h>
    2. 

  2. #include <wincrypt.h>
    3. 

  3. #include <stdio.h>
    4. 

  4. #include <stdlib.h>
    5. 

  5. #include <string.h>
    6. 

  6. #include "enumlocalcert.h"
    7. 

  7. #include "beacon.h"
    8. 

  8. 

  9. #pragma comment(lib, "Crypt32.lib")
    10. 

  10. #pragma comment(lib, "Advapi32.lib")
    11. 

  11. 

  12. 

  13. //https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
    14. 

  14. HRESULT BeaconPrintToStreamW(_In_z_ LPCWSTR lpwFormat, ...) {
    15. 

  15. 	HRESULT hr = S_FALSE;
    16. 

  16. 	va_list argList;
    17. 

  17. 	DWORD dwWritten = 0;
    18. 

  18. 

  19. 	if (g_lpStream <= (LPSTREAM)1) {
    20. 

  20. 		hr = OLE32$CreateStreamOnHGlobal(NULL, TRUE, &g_lpStream);
    21. 

  21. 		if (FAILED(hr)) {
    22. 

  22. 			return hr;
    23. 

  23. 		}
    24. 

  24. 	}
    25. 

  25. 

  26. 	if (g_lpwPrintBuffer <= (LPWSTR)1) { 
    27. 

  27. 		g_lpwPrintBuffer = (LPWSTR)MSVCRT$calloc(MAX_STRING, sizeof(WCHAR));
    28. 

  28. 		if (g_lpwPrintBuffer == NULL) {
    29. 

  29. 			hr = E_FAIL;
    30. 

  30. 			goto CleanUp;
    31. 

  31. 		}
    32. 

  32. 	}
    33. 

  33. 

  34. 	va_start(argList, lpwFormat);
    35. 

  35. 	if (!MSVCRT$_vsnwprintf_s(g_lpwPrintBuffer, MAX_STRING, MAX_STRING -1, lpwFormat, argList)) {
    36. 

  36. 		hr = E_FAIL;
    37. 

  37. 		goto CleanUp;
    38. 

  38. 	}
    39. 

  39. 

  40. 	if (g_lpStream != NULL) {
    41. 

  41. 		if (FAILED(hr = g_lpStream->lpVtbl->Write(g_lpStream, g_lpwPrintBuffer, (ULONG)MSVCRT$wcslen(g_lpwPrintBuffer) * sizeof(WCHAR), &dwWritten))) {
    42. 

  42. 			goto CleanUp;
    43. 

  43. 		}
    44. 

  44. 	}
    45. 

  45. 

  46. 	hr = S_OK;
    47. 

  47. 

  48. CleanUp:
    49. 

  49. 

  50. 	if (g_lpwPrintBuffer != NULL) {
    51. 

  51. 		MSVCRT$memset(g_lpwPrintBuffer, 0, MAX_STRING * sizeof(WCHAR)); 
    52. 

  52. 	}
    53. 

  53. 

  54. 	va_end(argList);
    55. 

  55. 	return hr;
    56. 

  56. }
    57. 

  57. 

  58. //https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
    59. 

  59. VOID BeaconOutputStreamW() {
    60. 

  60. 	STATSTG ssStreamData = { 0 };
    61. 

  61. 	SIZE_T cbSize = 0;
    62. 

  62. 	ULONG cbRead = 0;
    63. 

  63. 	LARGE_INTEGER pos;
    64. 

  64. 	LPWSTR lpwOutput = NULL;
    65. 

  65. 

  66. 	if (FAILED(g_lpStream->lpVtbl->Stat(g_lpStream, &ssStreamData, STATFLAG_NONAME))) {
    67. 

  67. 		return;
    68. 

  68. 	}
    69. 

  69. 

  70. 	cbSize = ssStreamData.cbSize.LowPart;
    71. 

  71. 	lpwOutput = KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, cbSize + 1);
    72. 

  72. 	if (lpwOutput != NULL) {
    73. 

  73. 		pos.QuadPart = 0;
    74. 

  74. 		if (FAILED(g_lpStream->lpVtbl->Seek(g_lpStream, pos, STREAM_SEEK_SET, NULL))) {
    75. 

  75. 			goto CleanUp;
    76. 

  76. 		}
    77. 

  77. 

  78. 		if (FAILED(g_lpStream->lpVtbl->Read(g_lpStream, lpwOutput, (ULONG)cbSize, &cbRead))) {		
    79. 

  79. 			goto CleanUp;
    80. 

  80. 		}
    81. 

  81. 

  82. 		BeaconPrintf(CALLBACK_OUTPUT, "%ls", lpwOutput);
    83. 

  83. 	}
    84. 

  84. 

  85. CleanUp:
    86. 

  86. 	if (g_lpStream != NULL) {
    87. 

  87. 		g_lpStream->lpVtbl->Release(g_lpStream);
    88. 

  88. 		g_lpStream = NULL;
    89. 

  89. 	}
    90. 

  90. 

  91. 	if (g_lpwPrintBuffer != NULL) {
    92. 

  92. 		MSVCRT$free(g_lpwPrintBuffer); 
    93. 

  93. 		g_lpwPrintBuffer = NULL;
    94. 

  94. 	}
    95. 

  95. 

  96. 	if (lpwOutput != NULL) {
    97. 

  97. 		KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, lpwOutput);
    98. 

  98. 	}
    99. 

  99. 	return;
    100. 

  100. }
    101. 

  101. 

  102. 

  103. void replace_wchar(LPWSTR str, wchar_t old_char, wchar_t new_char) {
    104. 

  104.     for (size_t i = 0; str[i] != L'\0'; i++) {
    105. 

  105.         if (str[i] == old_char) {
    106. 

  106.             str[i] = new_char;
    107. 

  107.         }
    108. 

  108.     }
    109. 

  109. }
    110. 

  110. 

  111. 

  112. 

  113. BOOL printCertProperties(PCCERT_CONTEXT pCertContext) {
    114. 

  114.     LPWSTR pszName = NULL;
    115. 

  115.     DWORD dwSize;
    116. 

  116. 	BYTE thumbprint[20];
    117. 

  117. 	DWORD thumbprintSize = sizeof(thumbprint);
    118. 

  118. 	WCHAR thumbprintStr[41];
    119. 

  119. 

  120.     // Get the "Issued By" property
    121. 

  121.     if (!CRYPT32$CertGetNameStringW(pCertContext, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, NULL, NULL, 0)) return FALSE;
    122. 

  122. 

  123.     dwSize = CRYPT32$CertGetNameStringW(pCertContext, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, NULL, NULL, 0);
    124. 

  124.     pszName = (LPWSTR)KERNEL32$LocalAlloc(LPTR, dwSize * sizeof(wchar_t));
    125. 

  125.     if (!pszName) return FALSE;
    126. 

  126. 

  127.     if (!CRYPT32$CertGetNameStringW(pCertContext, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, NULL, pszName, dwSize)) return FALSE;
    128. 

  128. 

  129.     BeaconPrintToStreamW(L"\nIssued By: %s\n", pszName);
    130. 

  130.     KERNEL32$LocalFree(pszName);
    131. 

  131. 	
    132. 

  132. 	// Get the "Thumbprint" property
    133. 

  133. 	if (CRYPT32$CertGetCertificateContextProperty(pCertContext, CERT_SHA1_HASH_PROP_ID, thumbprint, &thumbprintSize)) {
    134. 

  134. 		for (DWORD i = 0; i < thumbprintSize; ++i) {
    135. 

  135. 			MSVCRT$_snwprintf_s(thumbprintStr + (i * 2), 3, 2, L"%02X", thumbprint[i]);
    136. 

  136. 		}
    137. 

  137. 		thumbprintStr[40] = L'\0';
    138. 

  138. 		BeaconPrintToStreamW(L"Thumbprint: %s\n", thumbprintStr);
    139. 

  139. 	}
    140. 

  140. 	else {
    141. 

  141. 		BeaconPrintToStreamW(L"Failed to get thumbprint.\n");
    142. 

  142. 	}
    143. 

  143. 

  144. 	// Get the "Friendly Name" property
    145. 

  145. 	dwSize = 0;
    146. 

  146. 	dwSize = CRYPT32$CertGetNameStringW(pCertContext, CERT_NAME_FRIENDLY_DISPLAY_TYPE, 0, NULL, NULL, 0);
    147. 

  147. 	if (dwSize == 1) { 
    148. 

  148. 		BeaconPrintToStreamW(L"Friendly Name: none\n");
    149. 

  149. 	}
    150. 

  150. 	else
    151. 

  151. 	{
    152. 

  152. 		pszName = (LPWSTR)KERNEL32$LocalAlloc(LPTR, dwSize * sizeof(wchar_t));
    153. 

  153. 		if (!pszName) return FALSE;
    154. 

  154. 		if (!CRYPT32$CertGetNameStringW(pCertContext, CERT_NAME_FRIENDLY_DISPLAY_TYPE, 0, NULL, pszName, dwSize)) return FALSE;
    155. 

  155. 

  156. 		replace_wchar(pszName, L'\x2013', L'-');
    157. 

  157. 		BeaconPrintToStreamW(L"Friendly Name: %ls\n", pszName);
    158. 

  158. 		
    159. 

  159. 		KERNEL32$LocalFree(pszName);
    160. 

  160. 	}
    161. 

  161. 	
    162. 

  162. 

  163. 	// Get the "Expiration Date" property
    164. 

  164. 	SYSTEMTIME stExpirationDate;
    165. 

  165. 	KERNEL32$FileTimeToSystemTime(&pCertContext->pCertInfo->NotAfter, &stExpirationDate);
    166. 

  166. 

  167. 	WCHAR szExpirationDate[256];
    168. 

  168. 	KERNEL32$GetDateFormatW(LOCALE_USER_DEFAULT, 0, &stExpirationDate, L"yyyy-MM-dd", szExpirationDate, sizeof(szExpirationDate) / sizeof(WCHAR));
    169. 

  169. 	BeaconPrintToStreamW(L"Expiration Date: %s\n", szExpirationDate);
    170. 

  170. 

  171. 	
    172. 

  172. 	// Get the "Intended Purposes" property
    173. 

  173. 	PCERT_ENHKEY_USAGE pUsage = NULL;
    174. 

  174. 	DWORD dwUsageSize = 0;
    175. 

  175. 	if (!CRYPT32$CertGetEnhancedKeyUsage(pCertContext, 0, NULL, &dwUsageSize)) return FALSE;
    176. 

  176. 

  177. 	pUsage = (PCERT_ENHKEY_USAGE)KERNEL32$LocalAlloc(LPTR, dwUsageSize);
    178. 

  178. 	if (!pUsage) return FALSE;
    179. 

  179. 

  180. 	if (!CRYPT32$CertGetEnhancedKeyUsage(pCertContext, 0, pUsage, &dwUsageSize)) return FALSE;
    181. 

  181. 

  182. 	BeaconPrintToStreamW(L"Intended Purposes:\n");
    183. 

  183. 	for (DWORD i = 0; i < pUsage->cUsageIdentifier; ++i)
    184. 

  184. 	{
    185. 

  185. 		LPCSTR pszOID = pUsage->rgpszUsageIdentifier[i];
    186. 

  186. 		PCCRYPT_OID_INFO pInfo = CRYPT32$CryptFindOIDInfo(CRYPT_OID_INFO_OID_KEY, (void*)pszOID, 0);
    187. 

  187. 		if (pInfo)
    188. 

  188. 		{
    189. 

  189. 			BeaconPrintToStreamW(L"  - %s (%S)\n", pInfo->pwszName, pszOID);
    190. 

  190. 		}
    191. 

  191. 		else
    192. 

  192. 		{
    193. 

  193. 			BeaconPrintToStreamW(L"  - Unknown OID: %S\n", pszOID);
    194. 

  194. 		}
    195. 

  195. 	}
    196. 

  196. 	KERNEL32$LocalFree(pUsage);
    197. 

  197. 	
    198. 

  198. 	
    199. 

  199. 	BeaconPrintToStreamW(L"\n");
    200. 

  200. 	return TRUE;
    201. 

  201. }
    202. 

  202. 

  203. 

  204. 

  205. int go(char *args, int len) {
    206. 

  206. 	BOOL res = NULL;
    207. 

  207. 	WCHAR *store; // Options: ROOT, MY, TRUST, CA, USERDS, AuthRoot, Disallowed
    208. 

  208. 	HCERTSTORE hStore = NULL;
    209. 

  209. 	datap parser;
    210. 

  210. 	
    211. 

  211. 	BeaconDataParse(&parser, args, len);
    212. 

  212. 	store = BeaconDataExtract(&parser, NULL);
    213. 

  213. 	
    214. 

  214. 	// Open Local Computer store
    215. 

  215. 	hStore = CRYPT32$CertOpenStore(CERT_STORE_PROV_SYSTEM_W, 0, (HCRYPTPROV)NULL, CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_OPEN_EXISTING_FLAG, store); 
    216. 

  216. 	if (!hStore) {
    217. 

  217. 		BeaconPrintf(CALLBACK_ERROR, "Failed to open specified certificate store\n");
    218. 

  218. 		return 1;
    219. 

  219. 	}
    220. 

  220. 

  221. 

  222. 	PCCERT_CONTEXT pCertContext = NULL;
    223. 

  223. 	while (pCertContext = CRYPT32$CertEnumCertificatesInStore(hStore, pCertContext)) {
    224. 

  224. 			res = printCertProperties(pCertContext);
    225. 

  225. 		}
    226. 

  226. 	
    227. 

  227. 	if(!res) {
    228. 

  228. 		BeaconPrintf(CALLBACK_ERROR, "Failed to list certificates in specified store.\n");
    229. 

  229. 		return 0;
    230. 

  230. 	}
    231. 

  231. 	else  {
    232. 

  232. 		BeaconOutputStreamW();
    233. 

  233. 		BeaconPrintf(CALLBACK_OUTPUT, "[+] DONE");
    234. 

  234. 	}
    235. 

  235. 	
    236. 

  236. 	if (pCertContext) CRYPT32$CertFreeCertificateContext(pCertContext);
    237. 

  237. 	if (hStore) CRYPT32$CertCloseStore(hStore, 0);
    238. 

  238. 

  239. 	return 0;
    240. 

  240. }
    241. 

  241. 	
    242. 

  242. 	
    243. 

  243. 	
    244. 

  244. 	
    245.