diff --git a/README.md b/README.md
index f5786ee..e9a378b 100644
--- a/README.md
+++ b/README.md
@@ -50,10 +50,13 @@ Everything will immediately show up in ImHex's Content Store and gets bundled wi
 | COFF | `application/x-coff` | [`patterns/coff.hexpat`](patterns/coff.hexpat) | Common Object File Format (COFF) executable |
 | CPIO | `application/x-cpio` | [`patterns/cpio.hexpat`](patterns/cpio.hexpat) | Old Binary CPIO Format |
 | CrashLvl | | [`patterns/Crashlvl.hexpat`](patterns/Crashlvl.hexpat) | Crash Bandicoot - Back in Time (fan game) User created level format |
+| CREDHIST | | [`patterns/credhist.hexpat`](patterns/credhist.hexpat) | CREDHIST Format |
 | DDS | `image/vnd-ms.dds` | [`patterns/dds.hexpat`](patterns/dds.hexpat) | DirectDraw Surface |
 | DEX | | [`patterns/dex.hexpat`](patterns/dex.hexpat) | Dalvik EXecutable Format |
 | DICOM | `application/dicom` | [`patterns/dicom.hexpat`](patterns/dicom.hexpat) | DICOM image format |
 | DMG | | [`patterns/dmg.hexpat`](patterns/dmg.hexpat) | Apple Disk Image Trailer (DMG) |
+| DPAPI_Blob | | [`patterns/dpapblob.hexpat`](patterns/dpapiblob.hexpat) | Data protection API Blob File Format |
+| DPAPI_MasterKey | | [`patterns/dpapimasterkey.hexpat`](patterns/dpapimasterkey.hexpat) | Data protection API MasterKey |
 | DS_Store | | [`patterns/dsstore.hexpat`](patterns/dsstore.hexpat) | .DS_Store file format |
 | DTA | | [`patterns/max_v104.hexpat`](patterns/max_v104.hexpat) | Mechanized Assault and Exploration v1.04 (strategy game) save file format |
 | DTED | | [`patterns/dted.hexpat`](patterns/dted.hexpat) | Digital Terrain Elevation Data (DTED) |
diff --git a/patterns/credhist.hexpat b/patterns/credhist.hexpat
new file mode 100644
index 0000000..e425301
--- /dev/null
+++ b/patterns/credhist.hexpat
@@ -0,0 +1,99 @@
+#pragma description "CREDHIST"
+
+/*
+ FilePath: C:\Users\\AppData\Roaming\Microsoft\Protect\
+ The files/folders are hidden.
+
+ To unhide it
+ 1. Open Command Prompt (cmd.exe).
+ 2. Run the following command:
+ => attrib -h -s
+
+*/
+
+import type.guid;
+import std.mem;
+
+// https://learn.microsoft.com/en-us/windows/win32/seccrypto/alg-id
+enum ALG_ID : u32 {
+ CALG_DH_EPHEM = 0x0000aa02, // Diffie-Hellman ephemeral key exchange algorithm.
+ CALG_DH_SF = 0x0000aa01, // Diffie-Hellman store and forward key exchange algorithm.
+ CALG_DSS_SIGN = 0x00002200, // DSA public key signature algorithm.
+ CALG_ECDH = 0x0000aa05, // Elliptic curve Diffie-Hellman key exchange algorithm.
+ CALG_ECDH_EPHEM = 0x0000ae06, // Ephemeral elliptic curve Diffie-Hellman key exchange algorithm.
+ CALG_ECDSA = 0x00002203, // Elliptic curve digital signature algorithm.
+ CALG_ECMQV = 0x0000a001, // Elliptic curve Menezes, Qu, and Vanstone (MQV) key exchange algorithm.
+ CALG_HASH_REPLACE_OWF = 0x0000800b, // One way function hashing algorithm.
+ CALG_HUGHES_MD5 = 0x0000a003, // Hughes MD5 hashing algorithm.
+ CALG_HMAC = 0x00008009, // HMAC keyed hash algorithm.
+ CALG_KEA_KEYX = 0x0000aa04, // KEA key exchange algorithm (FORTEZZA).
+ CALG_MAC = 0x00008005, // MAC keyed hash algorithm.
+ CALG_MD2 = 0x00008001, // MD2 hashing algorithm.
+ CALG_MD4 = 0x00008002, // MD4 hashing algorithm.
+ CALG_MD5 = 0x00008003, // MD5 hashing algorithm.
+ CALG_NO_SIGN = 0x00002000, // No signature algorithm.
+ CALG_OID_INFO_CNG_ONLY = 0xffffffff, // Algorithm is only implemented in CNG.
+ CALG_OID_INFO_PARAMETERS = 0xfffffffe, // Algorithm is defined in the encoded parameters.
+ CALG_PCT1_MASTER = 0x00004c04, // Used by the Schannel.dll operations system.
+ CALG_RC2 = 0x00006602, // RC2 block encryption algorithm.
+ CALG_RC4 = 0x00006801, // RC4 stream encryption algorithm.
+ CALG_RC5 = 0x0000660d, // RC5 block encryption algorithm.
+ CALG_RSA_KEYX = 0x0000a400, // RSA public key exchange algorithm.
+ CALG_RSA_SIGN = 0x00002400, // RSA public key signature algorithm.
+ CALG_SCHANNEL_ENC_KEY = 0x00004c07, // Used by the Schannel.dll operations system.
+ CALG_SCHANNEL_MAC_KEY = 0x00004c03, // Used by the Schannel.dll operations system.
+ CALG_SCHANNEL_MASTER_HASH = 0x00004c02, // Used by the Schannel.dll operations system.
+ CALG_SEAL = 0x00006802, // SEAL encryption algorithm.
+ CALG_SHA = 0x00008004, // SHA hashing algorithm.
+ CALG_SHA1 = 0x00008004, // Same as CALG_SHA.
+ CALG_SHA_256 = 0x0000800c, // 256-bit SHA hashing algorithm.
+ CALG_SHA_384 = 0x0000800d, // 384-bit SHA hashing algorithm.
+ CALG_SHA_512 = 0x0000800e, // 512-bit SHA hashing algorithm.
+ CALG_SKIPJACK = 0x0000660a, // Skipjack block encryption algorithm (FORTEZZA).
+ CALG_SSL2_MASTER = 0x00004c05, // Used by the Schannel.dll operations system.
+ CALG_SSL3_MASTER = 0x00004c01, // Used by the Schannel.dll operations system.
+ CALG_SSL3_SHAMD5 = 0x00008008, // Used by the Schannel.dll operations system.
+ CALG_TEK = 0x0000660b, // TEK (FORTEZZA).
+ CALG_TLS1_MASTER = 0x00004c06, // Used by the Schannel.dll operations system.
+ CALG_TLS1PRF = 0x0000800a // Used by the Schannel.dll operations system.
+};
+
+// https://devblogs.microsoft.com/oldnewthing/20040315-00/?p=40253
+struct SID {
+ u8 revisionlvl[[name("RevisionLevel"), comment("SID_REVISION")]];
+ u8 dashes[[name("NoOfDashes"), comment("number of dashes minus two")]]; // dashes = actualdashes - 0x2
+ char ntauth[0x6][[name("NtAuthority"), comment("SECURITY_NT_AUTHORITY")]];
+ u32 subatuh1[[name("SubAuthority1"), comment("SECURITY_NT_NON_UNIQUE")]];
+ u32 subatuh2[[name("SubAuthority2"), comment("these identify the machine that issued the SID")]];
+ u32 subatuh3[[name("SubAuthority3"), comment("these identify the machine that issued the SID")]];
+ u32 subatuh4[[name("SubAuthority4"), comment("these identify the machine that issued the SID")]];
+ u32 rid[[name("RID"), comment("unique user id on the machine")]];
+};
+
+
+struct CREDHIST_HEADER{
+ u32 version[[name("Version")]];
+ type::GUID guid[[name("GUID")]];
+ u32 nextlen[[name("NextCredSize")]];
+};
+
+struct CREDHIST {
+ CREDHIST_HEADER credheader[[name("CredHistHeader")]];
+ if (std::mem::eof()){
+ break;
+ }
+ u32 flgas [[name("Flags")]];
+ ALG_ID alghashid[[name("AlgorithmHashId")]];
+ u32 rounds [[name("Rounds")]];
+ u32 sidlen [[name("SIDLen")]];
+ ALG_ID algcryptid[[name("AlgorithmCryptId")]];
+ u32 sha1len[[name("SHA1Len")]];
+ u32 md4len[[name("ntlmlen")]];
+ char salt[0x10][[name("Salt")]];
+ SID sid[[name("SID")]];
+ char sha1hash[sha1len][[name("SHA1Hash")]];
+ char md4hash[md4len][[name("NTLMHash")]];
+ u64 unk1[[name("Unknown")]];
+};
+
+CREDHIST credhist [while(!std::mem::eof())] @ 0x0[[name("CredHist")]];
\ No newline at end of file
diff --git a/patterns/dpapiblob.hexpat b/patterns/dpapiblob.hexpat
new file mode 100644
index 0000000..f49d332
--- /dev/null
+++ b/patterns/dpapiblob.hexpat
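Review bot: `SID` hard-codes four sub-authorities plus a RID, so any SID whose `NoOfDashes` byte (the sub-authority count, in the linked article's terms) is not 5 shifts every field that follows it — `SHA1Hash`, `NTLMHash`, `Unknown` and the next entry's header — and the `SIDLen` read a few lines earlier is never used to catch that. I would replace the five fixed `u32` fields with `u32 subauth[dashes] [[name("SubAuthorities"), comment("last element is the RID")]];` and keep `SIDLen` as a cross-check, e.g. a comment `// expect SIDLen == 8 + 4 * NoOfDashes`. Because `SHA1Hash` and `NTLMHash` are sized from the file's own `SHA1Len`/`ntlmlen`, a corrupt or hostile CREDHIST can declare absurd lengths; a comment giving the expected sizes (20 and 16 bytes) would let an analyst spot that at a glance. The header comment's file path has lost its username segment (`C:\Users\<username>\AppData\...`), and `flgas` is a typo for `flags` in the field identifier.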
@@ -0,0 +1,73 @@
+#pragma description "DPAPI Blob"
+
+import type.guid;
+import std.mem;
+
+enum ALG_ID : u32 {
+ CALG_DH_EPHEM = 0x0000aa02,
+ CALG_DH_SF = 0x0000aa01,
+ CALG_DSS_SIGN = 0x00002200,
+ CALG_ECDH = 0x0000aa05,
+ CALG_ECDH_EPHEM = 0x0000ae06,
+ CALG_ECDSA = 0x00002203,
+ CALG_ECMQV = 0x0000a001,
+ CALG_HASH_REPLACE_OWF = 0x0000800b,
+ CALG_HUGHES_MD5 = 0x0000a003,
+ CALG_HMAC = 0x00008009,
+ CALG_KEA_KEYX = 0x0000aa04,
+ CALG_MAC = 0x00008005,
+ CALG_MD2 = 0x00008001,
+ CALG_MD4 = 0x00008002,
+ CALG_MD5 = 0x00008003,
+ CALG_NO_SIGN = 0x00002000,
+ CALG_OID_INFO_CNG_ONLY = 0xffffffff,
+ CALG_OID_INFO_PARAMETERS = 0xfffffffe,
+ CALG_PCT1_MASTER = 0x00004c04,
+ CALG_RC2 = 0x00006602,
+ CALG_RC4 = 0x00006801,
+ CALG_RC5 = 0x0000660d,
+ CALG_RSA_KEYX = 0x0000a400,
+ CALG_RSA_SIGN = 0x00002400,
+ CALG_SCHANNEL_ENC_KEY = 0x00004c07,
+ CALG_SCHANNEL_MAC_KEY = 0x00004c03,
+ CALG_SCHANNEL_MASTER_HASH = 0x00004c02,
+ CALG_SEAL = 0x00006802,
+ CALG_SHA = 0x00008004,
+ CALG_SHA1 = 0x00008004,
+ CALG_SHA_256 = 0x0000800c,
+ CALG_SHA_384 = 0x0000800d,
+ CALG_SHA_512 = 0x0000800e,
+ CALG_SKIPJACK = 0x0000660a,
+ CALG_SSL2_MASTER = 0x00004c05,
+ CALG_SSL3_MASTER = 0x00004c01,
+ CALG_SSL3_SHAMD5 = 0x00008008,
+ CALG_TEK = 0x0000660b,
+ CALG_TLS1_MASTER = 0x00004c06,
+ CALG_TLS1PRF = 0x0000800a
+};
+
+struct DPAPI_BLOB{
+ u32 version[[name("Version")]];
+ type::GUID providerguid[[name("ProviderGUID")]];
+ u32 masterguid[[name("MasterKeyVersion")]];
+ type::GUID guid[[name("MasterKeyGUID")]];
+ u32 flags[[name("Flags")]];
+ u32 desclen [[name("DescriptionLen")]];
+ char16 desc[desclen / 0x02 ] [[name("Description")]];
+ ALG_ID cryptid [[name("AlgCryptId")]];
+ u32 algcryptlen[[name("AlgCryptLen")]];
+ u32 saltlen [[name("SaltLen")]];
+ char salt[saltlen][[name("Salt")]];
+ u32 hmackeylen[[name("HMACKeyLen")]];
+ char hmackey[hmackeylen][[name("HMACKey")]];
+ ALG_ID algid[[name("AlgHashId")]];
+ u32 alghashkeylen[[name("AlgHashKeyLen")]];
+ u32 hmac2keylen[[name("HMAC2keylen")]];
+ char hmac2[hmac2keylen][[name("HMAC2Key")]];
+ u32 datalen[[name("DataLen")]];
+ char data[datalen][[name("Data")]];
+ u32 signlen[[name("signlen")]];
+ char signhash[signlen][[name("SignHash")]];
+};
+
+DPAPI_BLOB dpapiblob @0x00 [[name("DPAPIBlob")]];
\ No newline at end of file
diff --git a/patterns/dpapimasterkey.hexpat b/patterns/dpapimasterkey.hexpat
new file mode 100644
index 0000000..a358b59
--- /dev/null
+++ b/patterns/dpapimasterkey.hexpat
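Review bot: `char16 desc[desclen / 0x02]` silently discards a trailing byte when `DescriptionLen` is odd, so every later field (`AlgCryptId`, `Salt`, `Data`, `SignHash`) would then be decoded from a wrong offset with nothing on screen to show it; an odd length means a malformed blob and is worth surfacing, e.g. `if ((desclen & 1) != 0) char descodd[1] [[name("DescriptionOddByte")]];` right after the description. `AlgCryptLen` and `AlgHashKeyLen` appear to be key sizes in bits (256 for AES-256, 512 for SHA-512) rather than byte counts, which the `Len` suffix hides — a `comment("key length in bits, not a byte count")` attribute on both would stop a reader from trying to consume that many bytes; worth confirming against the bundled test blob. A one-line header comment saying that `Data` is ciphertext and `SignHash` an HMAC, both keyed from the master key named by `MasterKeyGUID` and neither decrypted or verified by this pattern, would set expectations for anyone opening a recovered blob in ImHex.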
@@ -0,0 +1,124 @@
+#pragma description "DPAPIMasterKey"
+
+/*
+ FilePath: C:\Users\\AppData\Roaming\Microsoft\Protect\
+ This files are hidden.
+ To unhide it,
+ 1. Open Command Prompt (cmd.exe).
+ 2. Run the following command:
+ - attrib -h -s
+
+*/
+
+import type.guid;
+
+// https://learn.microsoft.com/en-us/windows/win32/seccrypto/alg-id
+enum ALG_ID : u32 {
+ CALG_DH_EPHEM = 0x0000aa02,
+ CALG_DH_SF = 0x0000aa01,
+ CALG_DSS_SIGN = 0x00002200,
+ CALG_ECDH = 0x0000aa05,
+ CALG_ECDH_EPHEM = 0x0000ae06,
+ CALG_ECDSA = 0x00002203,
+ CALG_ECMQV = 0x0000a001,
+ CALG_HASH_REPLACE_OWF = 0x0000800b,
+ CALG_HUGHES_MD5 = 0x0000a003,
+ CALG_HMAC = 0x00008009,
+ CALG_KEA_KEYX = 0x0000aa04,
+ CALG_MAC = 0x00008005,
+ CALG_MD2 = 0x00008001,
+ CALG_MD4 = 0x00008002,
+ CALG_MD5 = 0x00008003,
+ CALG_NO_SIGN = 0x00002000,
+ CALG_OID_INFO_CNG_ONLY = 0xffffffff,
+ CALG_OID_INFO_PARAMETERS = 0xfffffffe,
+ CALG_PCT1_MASTER = 0x00004c04,
+ CALG_RC2 = 0x00006602,
+ CALG_RC4 = 0x00006801,
+ CALG_RC5 = 0x0000660d,
+ CALG_RSA_KEYX = 0x0000a400,
+ CALG_RSA_SIGN = 0x00002400,
+ CALG_SCHANNEL_ENC_KEY = 0x00004c07,
+ CALG_SCHANNEL_MAC_KEY = 0x00004c03,
+ CALG_SCHANNEL_MASTER_HASH = 0x00004c02,
+ CALG_SEAL = 0x00006802,
+ CALG_SHA = 0x00008004,
+ CALG_SHA1 = 0x00008004,
+ CALG_SHA_256 = 0x0000800c,
+ CALG_SHA_384 = 0x0000800d,
+ CALG_SHA_512 = 0x0000800e,
+ CALG_SKIPJACK = 0x0000660a,
+ CALG_SSL2_MASTER = 0x00004c05,
+ CALG_SSL3_MASTER = 0x00004c01,
+ CALG_SSL3_SHAMD5 = 0x00008008,
+ CALG_TEK = 0x0000660b,
+ CALG_TLS1_MASTER = 0x00004c06,
+ CALG_TLS1PRF = 0x0000800a
+};
+
+
+struct CREDHIST_MASTERKEY {
+ u32 version[[name("Version")]];
+ type::GUID guid[[name("GUID")]];
+
+};
+
+struct DOMAINKEY_MASTERKEY {
+ u32 version[[name("Version")]];
+ u32 seclen[[name("SecretLen")]];
+ u32 accesschklen[[name("AccessCheckLen")]];
+ type::GUID backupguid_[[name("BackupKeyGUID")]];
+ char blob[seclen][[name("Secret")]];
+ char accesschk[accesschklen][[name("AccessCheck")]];
+
+};
+
+struct BACKUP_MASTERKEY {
+ u32 start = $;
+ u32 version[[name("Version")]];
+ char salt[16][[name("Salt")]];
+ u32 rounds [[name("PBKDF2IterationCount")]];
+ ALG_ID alghashid[[name("HMACAlgId")]];
+ ALG_ID algcryptid[[name("CryptAlgId")]];
+ u32 meta = $ - start;
+ char key[parent.backupkeylen - meta][[name("Key")]];
+};
+
+struct PASSWORD_MASTERKEY {
+ u32 start = $;
+ u32 version[[name("Version")]];
+ char salt[16][[name("Salt")]];
+ u32 rounds [[name("PBKDF2IterationCount")]];
+ ALG_ID alghashid[[name("HMACAlgId")]];
+ ALG_ID algcryptid[[name("CryptAlgId")]];
+ u32 meta = $ - start;
+ char key[parent.masterkeylen - meta][[name("Key")]];
+};
+
+struct DPAPIMasterKey {
+ u32 version[[name("Version")]];
+ u32 unk1[[name("Unknown1")]];
+ u32 unk2[[name("Unknown2")]];
+ char16 guid[0x24][[name("GUID"), comment("This GUID is the fileName itself")]];
+ u32 unk3[[name("Unknown3")]];
+ u32 unk4[[name("Unknown4")]];
+ u32 policy[[name("Policy")]];
+ u64 masterkeylen [[name("MasterKeyLen")]];
+ u64 backupkeylen [[name("BackupKeyLen")]];
+ u64 credhistlen [[name("CredHistoryLen")]];
+ u64 domainkeylen [[name("DomainKeyLen")]];
+ if (masterkeylen > 0){
+ PASSWORD_MASTERKEY masterkey[[name("MasterKey")]];
+ }
+ if (backupkeylen > 0){
+ BACKUP_MASTERKEY backupkey[[name("BackupKey")]];
+ }
+ if (credhistlen > 0){
+ CREDHIST_MASTERKEY credhistkey[[name("CredHistoryKey")]];
+ }
+ if (domainkeylen > 0){
+ DOMAINKEY_MASTERKEY domainkey[[name("DomainKey")]];
+ }
+};
+
+DPAPIMasterKey masterkey @0x00[[name("DPAPIMasterKey")]];
\ No newline at end of file
diff --git a/tests/patterns/test_data/credhist.hexpat.bin b/tests/patterns/test_data/credhist.hexpat.bin
new file mode 100644
index 0000000..aa55730
Binary files /dev/null and b/tests/patterns/test_data/credhist.hexpat.bin differ
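Review bot: `char key[parent.masterkeylen - meta]` in `PASSWORD_MASTERKEY` (and its twin in `BACKUP_MASTERKEY`) underflows when the declared length is smaller than the 32-byte fixed prefix (`u32` + 16-byte salt + three `u32`), so a truncated or hostile file becomes a gigantic array instead of a visible error; the guards in `DPAPIMasterKey` should read `if (masterkeylen > 32)` / `if (backupkeylen > 32)` rather than `> 0`. `CREDHIST_MASTERKEY` always consumes exactly 20 bytes while `CredHistoryLen` is read and then ignored, so `DomainKey` lands at the wrong offset whenever the two disagree; `padding[parent.credhistlen - 20];` after the GUID (guarded the same way) keeps the layout tied to the header. `$` yields a wider offset than `u32`, so `u64` is the safer type for `start`/`meta` even if it is harmless on these small files. The header comment's file path has lost its username segment (`C:\Users\<username>\AppData\...`) and "This files are hidden" should be "These files are hidden".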
diff --git a/tests/patterns/test_data/dpapiblob.hexpat.bin b/tests/patterns/test_data/dpapiblob.hexpat.bin
new file mode 100644
index 0000000..d1c7bd0
Binary files /dev/null and b/tests/patterns/test_data/dpapiblob.hexpat.bin differ
diff --git a/tests/patterns/test_data/dpapimasterkey.hexpat.bin b/tests/patterns/test_data/dpapimasterkey.hexpat.bin
new file mode 100644
index 0000000..f91327e
Binary files /dev/null and b/tests/patterns/test_data/dpapimasterkey.hexpat.bin differ