From 16a87df2ac331711249c2fe0f2873d5a2143a6a5 Mon Sep 17 00:00:00 2001
From: Sabhya <89577007+5h4rrK@users.noreply.github.com>
Date: Fri, 6 Dec 2024 01:56:43 +0530
Subject: [PATCH] patterns: Added DPAPI Blob, DPAPI MasterKey, CREDHIST patterns (#328)

* [+]Added DPAPI MasterKey & Updated README.md
* [+]Added DPAPI Blob Pattern & Updated README.md
* [+] Added CREDHIST Pattern & Updated README.md
* [+] Test Files added for dpapimasterkey, dpapiblob & CREDHIST
---
 README.md | 3 +
 patterns/credhist.hexpat | 99 ++++++++++++++
 patterns/dpapiblob.hexpat | 73 +++++++++++
 patterns/dpapimasterkey.hexpat | 124 ++++++++++++++++++
 tests/patterns/test_data/credhist.hexpat.bin | Bin 0 -> 1176 bytes
 tests/patterns/test_data/dpapiblob.hexpat.bin | Bin 0 -> 312 bytes
 .../test_data/dpapimasterkey.hexpat.bin | Bin 0 -> 468 bytes
 7 files changed, 299 insertions(+)
 create mode 100644 patterns/credhist.hexpat
 create mode 100644 patterns/dpapiblob.hexpat
 create mode 100644 patterns/dpapimasterkey.hexpat
 create mode 100644 tests/patterns/test_data/credhist.hexpat.bin
 create mode 100644 tests/patterns/test_data/dpapiblob.hexpat.bin
 create mode 100644 tests/patterns/test_data/dpapimasterkey.hexpat.bin
diff --git a/README.md b/README.md
index f5786ee..e9a378b 100644
--- a/README.md
+++ b/README.md
@@ -50,10 +50,13 @@ Everything will immediately show up in ImHex's Content Store and gets bundled wi
 | COFF | `application/x-coff` | [`patterns/coff.hexpat`](patterns/coff.hexpat) | Common Object File Format (COFF) executable |
 | CPIO | `application/x-cpio` | [`patterns/cpio.hexpat`](patterns/cpio.hexpat) | Old Binary CPIO Format |
 | CrashLvl | | [`patterns/Crashlvl.hexpat`](patterns/Crashlvl.hexpat) | Crash Bandicoot - Back in Time (fan game) User created level format |
+| CREDHIST | | [`patterns/credhist.hexpat`](patterns/credhist.hexpat) | CREDHIST Format |
 | DDS | `image/vnd-ms.dds` | [`patterns/dds.hexpat`](patterns/dds.hexpat) | DirectDraw Surface |
 | DEX | | [`patterns/dex.hexpat`](patterns/dex.hexpat) | Dalvik EXecutable Format |
 | DICOM | `application/dicom` | [`patterns/dicom.hexpat`](patterns/dicom.hexpat) | DICOM image format |
 | DMG | | [`patterns/dmg.hexpat`](patterns/dmg.hexpat) | Apple Disk Image Trailer (DMG) |
+| DPAPI_Blob | | [`patterns/dpapblob.hexpat`](patterns/dpapiblob.hexpat) | Data protection API Blob File Format |
+| DPAPI_MasterKey | | [`patterns/dpapimasterkey.hexpat`](patterns/dpapimasterkey.hexpat) | Data protection API MasterKey |
 | DS_Store | | [`patterns/dsstore.hexpat`](patterns/dsstore.hexpat) | .DS_Store file format |
 | DTA | | [`patterns/max_v104.hexpat`](patterns/max_v104.hexpat) | Mechanized Assault and Exploration v1.04 (strategy game) save file format |
 | DTED | | [`patterns/dted.hexpat`](patterns/dted.hexpat) | Digital Terrain Elevation Data (DTED) |
diff --git a/patterns/credhist.hexpat b/patterns/credhist.hexpat
new file mode 100644
index 0000000..e425301
--- /dev/null
+++ b/patterns/credhist.hexpat
@@ -0,0 +1,99 @@
+#pragma description "CREDHIST"
+
+/*
+ FilePath: C:\Users\\AppData\Roaming\Microsoft\Protect\
+ The files/folders are hidden.
+
+ To unhide it
+ 1. Open Command Prompt (cmd.exe).
+ 2. Run the following command:
+ => attrib -h -s
+
+*/
+
+import type.guid;
+import std.mem;
+
+// https://learn.microsoft.com/en-us/windows/win32/seccrypto/alg-id
+enum ALG_ID : u32 {
+ CALG_DH_EPHEM = 0x0000aa02, // Diffie-Hellman ephemeral key exchange algorithm.
+ CALG_DH_SF = 0x0000aa01, // Diffie-Hellman store and forward key exchange algorithm.
+ CALG_DSS_SIGN = 0x00002200, // DSA public key signature algorithm.
+ CALG_ECDH = 0x0000aa05, // Elliptic curve Diffie-Hellman key exchange algorithm.
+ CALG_ECDH_EPHEM = 0x0000ae06, // Ephemeral elliptic curve Diffie-Hellman key exchange algorithm.
+ CALG_ECDSA = 0x00002203, // Elliptic curve digital signature algorithm.
+ CALG_ECMQV = 0x0000a001, // Elliptic curve Menezes, Qu, and Vanstone (MQV) key exchange algorithm.
+ CALG_HASH_REPLACE_OWF = 0x0000800b, // One way function hashing algorithm.
+ CALG_HUGHES_MD5 = 0x0000a003, // Hughes MD5 hashing algorithm.
+ CALG_HMAC = 0x00008009, // HMAC keyed hash algorithm.
+ CALG_KEA_KEYX = 0x0000aa04, // KEA key exchange algorithm (FORTEZZA).
+ CALG_MAC = 0x00008005, // MAC keyed hash algorithm.
+ CALG_MD2 = 0x00008001, // MD2 hashing algorithm.
+ CALG_MD4 = 0x00008002, // MD4 hashing algorithm.
+ CALG_MD5 = 0x00008003, // MD5 hashing algorithm.
+ CALG_NO_SIGN = 0x00002000, // No signature algorithm.
+ CALG_OID_INFO_CNG_ONLY = 0xffffffff, // Algorithm is only implemented in CNG.
+ CALG_OID_INFO_PARAMETERS = 0xfffffffe, // Algorithm is defined in the encoded parameters.
+ CALG_PCT1_MASTER = 0x00004c04, // Used by the Schannel.dll operations system.
+ CALG_RC2 = 0x00006602, // RC2 block encryption algorithm.
+ CALG_RC4 = 0x00006801, // RC4 stream encryption algorithm.
+ CALG_RC5 = 0x0000660d, // RC5 block encryption algorithm.
+ CALG_RSA_KEYX = 0x0000a400, // RSA public key exchange algorithm.
+ CALG_RSA_SIGN = 0x00002400, // RSA public key signature algorithm.
+ CALG_SCHANNEL_ENC_KEY = 0x00004c07, // Used by the Schannel.dll operations system.
+ CALG_SCHANNEL_MAC_KEY = 0x00004c03, // Used by the Schannel.dll operations system.
+ CALG_SCHANNEL_MASTER_HASH = 0x00004c02, // Used by the Schannel.dll operations system.
+ CALG_SEAL = 0x00006802, // SEAL encryption algorithm.
+ CALG_SHA = 0x00008004, // SHA hashing algorithm.
+ CALG_SHA1 = 0x00008004, // Same as CALG_SHA.
+ CALG_SHA_256 = 0x0000800c, // 256-bit SHA hashing algorithm.
+ CALG_SHA_384 = 0x0000800d, // 384-bit SHA hashing algorithm.
+ CALG_SHA_512 = 0x0000800e, // 512-bit SHA hashing algorithm.
+ CALG_SKIPJACK = 0x0000660a, // Skipjack block encryption algorithm (FORTEZZA).
+ CALG_SSL2_MASTER = 0x00004c05, // Used by the Schannel.dll operations system.
+ CALG_SSL3_MASTER = 0x00004c01, // Used by the Schannel.dll operations system.
+ CALG_SSL3_SHAMD5 = 0x00008008, // Used by the Schannel.dll operations system.
+ CALG_TEK = 0x0000660b, // TEK (FORTEZZA).
+ CALG_TLS1_MASTER = 0x00004c06, // Used by the Schannel.dll operations system.
+ CALG_TLS1PRF = 0x0000800a // Used by the Schannel.dll operations system.
+};
+
+// https://devblogs.microsoft.com/oldnewthing/20040315-00/?p=40253
+struct SID {
+ u8 revisionlvl[[name("RevisionLevel"), comment("SID_REVISION")]];
+ u8 dashes[[name("NoOfDashes"), comment("number of dashes minus two")]]; // dashes = actualdashes - 0x2
+ char ntauth[0x6][[name("NtAuthority"), comment("SECURITY_NT_AUTHORITY")]];
+ u32 subatuh1[[name("SubAuthority1"), comment("SECURITY_NT_NON_UNIQUE")]];
+ u32 subatuh2[[name("SubAuthority2"), comment("these identify the machine that issued the SID")]];
+ u32 subatuh3[[name("SubAuthority3"), comment("these identify the machine that issued the SID")]];
+ u32 subatuh4[[name("SubAuthority4"), comment("these identify the machine that issued the SID")]];
+ u32 rid[[name("RID"), comment("unique user id on the machine")]];
+};
+
+
+struct CREDHIST_HEADER{
+ u32 version[[name("Version")]];
+ type::GUID guid[[name("GUID")]];
+ u32 nextlen[[name("NextCredSize")]];
+};
+
+struct CREDHIST {
+ CREDHIST_HEADER credheader[[name("CredHistHeader")]];
+ if (std::mem::eof()){
+ break;
+ }
+ u32 flgas [[name("Flags")]];
+ ALG_ID alghashid[[name("AlgorithmHashId")]];
+ u32 rounds [[name("Rounds")]];
+ u32 sidlen [[name("SIDLen")]];
+ ALG_ID algcryptid[[name("AlgorithmCryptId")]];
+ u32 sha1len[[name("SHA1Len")]];
+ u32 md4len[[name("ntlmlen")]];
+ char salt[0x10][[name("Salt")]];
+ SID sid[[name("SID")]];
+ char sha1hash[sha1len][[name("SHA1Hash")]];
+ char md4hash[md4len][[name("NTLMHash")]];
+ u64 unk1[[name("Unknown")]];
+};
+
+CREDHIST credhist [while(!std::mem::eof())] @ 0x0[[name("CredHist")]];
\ No newline at end of file
diff --git a/patterns/dpapiblob.hexpat b/patterns/dpapiblob.hexpat
new file mode 100644
index 0000000..f49d332
--- /dev/null
+++ b/patterns/dpapiblob.hexpat
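Review bot: `struct SID` fixes the sub-authority count at five (SubAuthority1–4 plus RID) even though the byte it labels NoOfDashes is the SID's sub-authority count, so an entry whose SID has a different count misaligns every field that follows it (`sha1hash`, `md4hash`, `unk1`); replacing the five `u32` members with `u32 subauth[dashes] [[name("SubAuthorities")]];` lets the structure follow the file. `sidlen` is read but never used; comparing it against the size actually consumed by `sid` would flag a malformed entry before the hash arrays are sized from `sha1len`/`md4len`. The `FilePath:` comment at the top has lost the user-name component between `C:\Users\` and `\AppData`, presumably an angle-bracket placeholder that was stripped on the way in, and should be restored as a plain word such as `USERNAME`. The identifier typos `subatuh1..4` and `flgas` are worth fixing while the file is new.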
@@ -0,0 +1,73 @@
+#pragma description "DPAPI Blob"
+
+import type.guid;
+import std.mem;
+
+enum ALG_ID : u32 {
+ CALG_DH_EPHEM = 0x0000aa02,
+ CALG_DH_SF = 0x0000aa01,
+ CALG_DSS_SIGN = 0x00002200,
+ CALG_ECDH = 0x0000aa05,
+ CALG_ECDH_EPHEM = 0x0000ae06,
+ CALG_ECDSA = 0x00002203,
+ CALG_ECMQV = 0x0000a001,
+ CALG_HASH_REPLACE_OWF = 0x0000800b,
+ CALG_HUGHES_MD5 = 0x0000a003,
+ CALG_HMAC = 0x00008009,
+ CALG_KEA_KEYX = 0x0000aa04,
+ CALG_MAC = 0x00008005,
+ CALG_MD2 = 0x00008001,
+ CALG_MD4 = 0x00008002,
+ CALG_MD5 = 0x00008003,
+ CALG_NO_SIGN = 0x00002000,
+ CALG_OID_INFO_CNG_ONLY = 0xffffffff,
+ CALG_OID_INFO_PARAMETERS = 0xfffffffe,
+ CALG_PCT1_MASTER = 0x00004c04,
+ CALG_RC2 = 0x00006602,
+ CALG_RC4 = 0x00006801,
+ CALG_RC5 = 0x0000660d,
+ CALG_RSA_KEYX = 0x0000a400,
+ CALG_RSA_SIGN = 0x00002400,
+ CALG_SCHANNEL_ENC_KEY = 0x00004c07,
+ CALG_SCHANNEL_MAC_KEY = 0x00004c03,
+ CALG_SCHANNEL_MASTER_HASH = 0x00004c02,
+ CALG_SEAL = 0x00006802,
+ CALG_SHA = 0x00008004,
+ CALG_SHA1 = 0x00008004,
+ CALG_SHA_256 = 0x0000800c,
+ CALG_SHA_384 = 0x0000800d,
+ CALG_SHA_512 = 0x0000800e,
+ CALG_SKIPJACK = 0x0000660a,
+ CALG_SSL2_MASTER = 0x00004c05,
+ CALG_SSL3_MASTER = 0x00004c01,
+ CALG_SSL3_SHAMD5 = 0x00008008,
+ CALG_TEK = 0x0000660b,
+ CALG_TLS1_MASTER = 0x00004c06,
+ CALG_TLS1PRF = 0x0000800a
+};
+
+struct DPAPI_BLOB{
+ u32 version[[name("Version")]];
+ type::GUID providerguid[[name("ProviderGUID")]];
+ u32 masterguid[[name("MasterKeyVersion")]];
+ type::GUID guid[[name("MasterKeyGUID")]];
+ u32 flags[[name("Flags")]];
+ u32 desclen [[name("DescriptionLen")]];
+ char16 desc[desclen / 0x02 ] [[name("Description")]];
+ ALG_ID cryptid [[name("AlgCryptId")]];
+ u32 algcryptlen[[name("AlgCryptLen")]];
+ u32 saltlen [[name("SaltLen")]];
+ char salt[saltlen][[name("Salt")]];
+ u32 hmackeylen[[name("HMACKeyLen")]];
+ char hmackey[hmackeylen][[name("HMACKey")]];
+ ALG_ID algid[[name("AlgHashId")]];
+ u32 alghashkeylen[[name("AlgHashKeyLen")]];
+ u32 hmac2keylen[[name("HMAC2keylen")]];
+ char hmac2[hmac2keylen][[name("HMAC2Key")]];
+ u32 datalen[[name("DataLen")]];
+ char data[datalen][[name("Data")]];
+ u32 signlen[[name("signlen")]];
+ char signhash[signlen][[name("SignHash")]];
+};
+
+DPAPI_BLOB dpapiblob @0x00 [[name("DPAPIBlob")]];
\ No newline at end of file
diff --git a/patterns/dpapimasterkey.hexpat b/patterns/dpapimasterkey.hexpat
new file mode 100644
index 0000000..a358b59
--- /dev/null
+++ b/patterns/dpapimasterkey.hexpat
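Review bot: `DPAPI_BLOB` sizes six arrays (`desc`, `salt`, `hmackey`, `hmac2`, `data`, `signhash`) directly from length fields in the file without any sanity check on the fixed header, and the `import std.mem;` at the top is never used; a guard such as `std::assert(version == 1, "unexpected DPAPI blob version");` right after `version` (using `std::assert` from `std.core`) would give a clear message on a file that is not a DPAPI blob instead of a failure deep inside the struct, and the unused import should go. Naming is inconsistent: `masterguid` actually holds `MasterKeyVersion`, and the display names `HMAC2keylen` and `signlen` do not follow the `DataLen`/`SaltLen` style used by the neighbouring fields. The README row added in this commit spells the link text `patterns/dpapblob.hexpat` while the link target is `patterns/dpapiblob.hexpat`.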
@@ -0,0 +1,124 @@
+#pragma description "DPAPIMasterKey"
+
+/*
+ FilePath: C:\Users\\AppData\Roaming\Microsoft\Protect\
+ This files are hidden.
+ To unhide it,
+ 1. Open Command Prompt (cmd.exe).
+ 2. Run the following command:
+ - attrib -h -s
+
+*/
+
+import type.guid;
+
+// https://learn.microsoft.com/en-us/windows/win32/seccrypto/alg-id
+enum ALG_ID : u32 {
+ CALG_DH_EPHEM = 0x0000aa02,
+ CALG_DH_SF = 0x0000aa01,
+ CALG_DSS_SIGN = 0x00002200,
+ CALG_ECDH = 0x0000aa05,
+ CALG_ECDH_EPHEM = 0x0000ae06,
+ CALG_ECDSA = 0x00002203,
+ CALG_ECMQV = 0x0000a001,
+ CALG_HASH_REPLACE_OWF = 0x0000800b,
+ CALG_HUGHES_MD5 = 0x0000a003,
+ CALG_HMAC = 0x00008009,
+ CALG_KEA_KEYX = 0x0000aa04,
+ CALG_MAC = 0x00008005,
+ CALG_MD2 = 0x00008001,
+ CALG_MD4 = 0x00008002,
+ CALG_MD5 = 0x00008003,
+ CALG_NO_SIGN = 0x00002000,
+ CALG_OID_INFO_CNG_ONLY = 0xffffffff,
+ CALG_OID_INFO_PARAMETERS = 0xfffffffe,
+ CALG_PCT1_MASTER = 0x00004c04,
+ CALG_RC2 = 0x00006602,
+ CALG_RC4 = 0x00006801,
+ CALG_RC5 = 0x0000660d,
+ CALG_RSA_KEYX = 0x0000a400,
+ CALG_RSA_SIGN = 0x00002400,
+ CALG_SCHANNEL_ENC_KEY = 0x00004c07,
+ CALG_SCHANNEL_MAC_KEY = 0x00004c03,
+ CALG_SCHANNEL_MASTER_HASH = 0x00004c02,
+ CALG_SEAL = 0x00006802,
+ CALG_SHA = 0x00008004,
+ CALG_SHA1 = 0x00008004,
+ CALG_SHA_256 = 0x0000800c,
+ CALG_SHA_384 = 0x0000800d,
+ CALG_SHA_512 = 0x0000800e,
+ CALG_SKIPJACK = 0x0000660a,
+ CALG_SSL2_MASTER = 0x00004c05,
+ CALG_SSL3_MASTER = 0x00004c01,
+ CALG_SSL3_SHAMD5 = 0x00008008,
+ CALG_TEK = 0x0000660b,
+ CALG_TLS1_MASTER = 0x00004c06,
+ CALG_TLS1PRF = 0x0000800a
+};
+
+
+struct CREDHIST_MASTERKEY {
+ u32 version[[name("Version")]];
+ type::GUID guid[[name("GUID")]];
+
+};
+
+struct DOMAINKEY_MASTERKEY {
+ u32 version[[name("Version")]];
+ u32 seclen[[name("SecretLen")]];
+ u32 accesschklen[[name("AccessCheckLen")]];
+ type::GUID backupguid_[[name("BackupKeyGUID")]];
+ char blob[seclen][[name("Secret")]];
+ char accesschk[accesschklen][[name("AccessCheck")]];
+
+};
+
+struct BACKUP_MASTERKEY {
+ u32 start = $;
+ u32 version[[name("Version")]];
+ char salt[16][[name("Salt")]];
+ u32 rounds [[name("PBKDF2IterationCount")]];
+ ALG_ID alghashid[[name("HMACAlgId")]];
+ ALG_ID algcryptid[[name("CryptAlgId")]];
+ u32 meta = $ - start;
+ char key[parent.backupkeylen - meta][[name("Key")]];
+};
+
+struct PASSWORD_MASTERKEY {
+ u32 start = $;
+ u32 version[[name("Version")]];
+ char salt[16][[name("Salt")]];
+ u32 rounds [[name("PBKDF2IterationCount")]];
+ ALG_ID alghashid[[name("HMACAlgId")]];
+ ALG_ID algcryptid[[name("CryptAlgId")]];
+ u32 meta = $ - start;
+ char key[parent.masterkeylen - meta][[name("Key")]];
+};
+
+struct DPAPIMasterKey {
+ u32 version[[name("Version")]];
+ u32 unk1[[name("Unknown1")]];
+ u32 unk2[[name("Unknown2")]];
+ char16 guid[0x24][[name("GUID"), comment("This GUID is the fileName itself")]];
+ u32 unk3[[name("Unknown3")]];
+ u32 unk4[[name("Unknown4")]];
+ u32 policy[[name("Policy")]];
+ u64 masterkeylen [[name("MasterKeyLen")]];
+ u64 backupkeylen [[name("BackupKeyLen")]];
+ u64 credhistlen [[name("CredHistoryLen")]];
+ u64 domainkeylen [[name("DomainKeyLen")]];
+ if (masterkeylen > 0){
+ PASSWORD_MASTERKEY masterkey[[name("MasterKey")]];
+ }
+ if (backupkeylen > 0){
+ BACKUP_MASTERKEY backupkey[[name("BackupKey")]];
+ }
+ if (credhistlen > 0){
+ CREDHIST_MASTERKEY credhistkey[[name("CredHistoryKey")]];
+ }
+ if (domainkeylen > 0){
+ DOMAINKEY_MASTERKEY domainkey[[name("DomainKey")]];
+ }
+};
+
+DPAPIMasterKey masterkey @0x00[[name("DPAPIMasterKey")]];
\ No newline at end of file
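Review bot: In `BACKUP_MASTERKEY` and `PASSWORD_MASTERKEY` the key array is sized as `parent.backupkeylen - meta` / `parent.masterkeylen - meta` with no check that the length field is at least the 32 bytes the fixed part consumes (`version`, `salt`, `rounds`, two `ALG_ID`s), so a truncated or tampered file with a smaller length underflows the subtraction into a huge array size and the pattern fails with an unrelated error; a guard like `std::assert(parent.masterkeylen >= meta, "MasterKeyLen shorter than the fixed header");` before the `key` line (using `std::assert` from `std.core`) makes the failure explicit, and the same applies to `backupkeylen`. `credhistlen` and `domainkeylen` are read but never reconciled with what `CREDHIST_MASTERKEY` and `DOMAINKEY_MASTERKEY` actually consume, so an inconsistent header goes unnoticed. The `FilePath:` comment has lost the user-name component between `C:\Users\` and `\AppData` (likely an angle-bracket placeholder stripped on the way in), and `This files are hidden.` should read `These files are hidden.`. `meta` deserves a short comment such as `// bytes consumed by the fixed fields above; the key fills the rest of the section` since `$` arithmetic is not obvious at a glance.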
diff --git a/tests/patterns/test_data/credhist.hexpat.bin b/tests/patterns/test_data/credhist.hexpat.bin new file mode 100644 index 0000000000000000000000000000000000000000..aa55730a000ae04985fb8dbba8b8da6c66085fc4 GIT binary patch literal 1176 zcmZQ%fPk>%Nx@Jim|_Hyd<_f?AX)~91=1K8M1V91pIK26_W6lfN`T_zFCCY*oM&VO z3NkRTiUJ9x^hJ>};zC^dC#HwLWM*KP`uF1;z7U2}ZgS@)f1UcO+VhsjPmwPI*O@P^ zaueP>^;V1X=_UVFGL*j_KQcSG_`*eyeIT$ZxvvnyVqlm6WZ-j8?W?*YMTQIdI@ZfS zZ&Yz|z~`Rpe>PfwW@uJ&c0ZTMe{!1G&MQT}pLaj+S4-A;<#he(&WF=wnqS)2CzT}> zPyeJHegNj4?aA9_5$hhl&>u?A7BM{Q*e5mL*uhf@pL_oJxSV*%vbSvGMbAo(=W}mHY!fDfJScH3UD zZ8S1cD3r$MoK(@ujECq zu90AJp^!ezJ*=sjHN?6{S5WrrkAx3W_k~kaq$Gkm@ww;3an1F;2UgAw`TFM#5BHJq z#$BI!uXJvZ6&Bi2aJc2MeY(i=X-rc+Bx*um%?#w8;{kKer_}2giFHreDxSW5iQCx> zcfKnUte=>I&plIJJv%1E?|!?x^yEX=>+L>tCV&~epd6Sq; z-`bb6aN}3;@*A^5E9b9k zOHJ_owkgcS)@#N*(Jc*^c-}HAEpB=-`4o$$`j*(!eJP)MU-&J|9}XX0}Yk3@bz?bbw@3%jZ$9?Ik#Vwq;y`{=jy<(nQSO)sj=In*1q-Q;)i XfB!JPr0j_+Th_tcqo1x5fb1Rs6D&aM literal 0 HcmV?d00001 diff --git a/tests/patterns/test_data/dpapiblob.hexpat.bin b/tests/patterns/test_data/dpapiblob.hexpat.bin new file mode 100644 index 0000000000000000000000000000000000000000..d1c7bd06f2574b9859ad669818422fc82094bb36 GIT binary patch literal 312 zcmZQ%U|_h=Gxt8D=taSvDux68ho-+~1d4qxQJ=VO>lE*`uB%$6|L*Dq3Ng3%Y26D~U_&|JM(j4?SOUJwsa=sFH!N0Z1@G)CV7&^e?nu z_WDuVTeT;cyZ(1Qf4#;sO-uIgj`@)j#VWEDfJ*nDJvyW0RPoZ^%3k^pR0_7Y)SUf4 zMd#ilZRabRAE(~?>Ht(T_gAj|FKx&d1Qh}^Qpej?Knlzw@ z8IYF*6i))OV1NzC*Z}2BfYKr`Nhr+(r0w;$t>V7&XQs5h+zgxKP2U~l85sB)7#IZ7 z7#LLaYCEZj}`ENG#v)Mk57C)WjFm>P3 zCWR>djCDPqbT;|fO;8h7)Kt8GFL85)(>nFpZr{vaaOfM~Dm=bgX`bqC-_%LvZHRqrZttp+CsI zx0XzObbaO3Mc%#>*SZ${nuY9MEypiaX(>Ax`RpIhZ?JWmqkD35`uB7bLqow`YomEi zeO{}wK;V{lmT{`UDVD3&Mk@?F+f-e5Iw>bF7x{2OdmX>!X?a(^iF_w_R~)NZm^v|6 rZ2iN$I5wr9lAo^M%-Ns&;ru(3KMyWnn`+0c$u0QbWiK-{9FZvibLf_Y literal 0 HcmV?d00001