/**
 * Frida snippet: calls advapi32!CredEnumerateW inside the instrumented process
 * and hex-dumps 256 bytes at the address it derives for each reported entry.
 *
 * The call runs in the security context of the instrumented process, so the
 * dump can contain Credential Manager data belonging to that logon session;
 * treat the console output as sensitive.
 *
 * NOTE(review): the closing braces of the loop and of the function are missing
 * from this paste, so the listing is not runnable as shown.
 *
 * @param credname Not referenced anywhere in the visible body.
 */
function EnumerateGenericCredentials(credname){
// Resolve the wide-character export from advapi32.
const CredEnumerate_ptr = Module.getExportByName("advapi32", "CredEnumerateW");
// NOTE(review): CredEnumerateW returns a Win32 BOOL; it is declared here as "pointer".
// Arguments as declared: Filter, Flags, Count (out), Credential (out).
const CredEnumerate = new NativeFunction(CredEnumerate_ptr, "pointer", ["pointer", "int", "pointer", "pointer"])
// Out-parameter buffers. The hard-coded 8 assumes a 64-bit target.
const count = Memory.alloc(8);
const pCredentials = Memory.alloc(8);
// NULL filter and flags 0: no name filter is applied to the enumeration.
// NOTE(review): ret is never checked before the out-parameters are read.
const ret = CredEnumerate(NULL, 0, count, pCredentials);
console.log("Enumerate complete! Found " + count.readInt() + " entries.");
for(var i=0; i<count.readInt(); i++){
// NOTE(review): pCredentials is the 8-byte out-parameter, which receives a
// pointer to an array of credential pointers. Indexing it directly means that
// i == 0 yields the array base rather than a credential structure (this matches
// the sample dump, which begins with a pointer value), and i > 0 reads past the
// 8-byte allocation.
const curr = pCredentials.add(i*8).readPointer();
// Dumps a fixed 256 bytes; the length is not tied to the size of what curr points at.
// NOTE(review): no CredFree call is visible, so the buffer returned by
// CredEnumerateW is not released here.
console.log(curr.readByteArray(256));
[Remote::c:\windows\system32\cmd.exe]-> EnumerateGenericCredentials()
Enumerate complete! Found 1 entries.
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 18 41 e0 1c 37 02 00 00 00 00 00 00 02 00 00 00 .A..7...........
00000010 70 41 e0 1c 37 02 00 00 00 00 00 00 00 00 00 00 pA..7...........
00000020 a8 78 32 15 34 6c d7 01 00 00 00 00 00 00 00 00 .x2.4l..........
00000030 00 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 ................
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050 7e 41 e0 1c 37 02 00 00 00 00 00 00 00 00 00 00 ~A..7...........
00000060 74 00 65 00 73 00 74 00 65 00 31 00 00 00 75 00 t.e.s.t.e.1...u.
00000070 73 00 65 00 72 00 31 00 00 00 00 00 00 00 00 00 s.e.r.1.........
00000080 00 00 00 00 00 00 00 00 1e 88 b1 e6 00 12 00 80 ................
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[Remote::c:\windows\system32\cmd.exe]-> EnumerateGenericCredentials()
Enumerate complete! Found 2 entries. pCredentials=0x1f3e83c2470
Credentials at 0x1f3e6184310 ret: 0x1
Credentials at 0x1f3e6184378 ret: 0x1
---------------------------------------------
/**
 * Frida snippet: calls advapi32!CredEnumerateA inside the instrumented process,
 * walks the returned array of credential pointers and logs target name, user
 * name and credential blob for each entry.
 *
 * The values are printed in clear text to the Frida console, so any transcript
 * or log of the session holds the secrets as well and should be treated as sensitive.
 *
 * NOTE(review): the closing braces, and apparently an if/else around the loop,
 * are missing from this paste; see the note on the last line.
 *
 * @param credname Not referenced anywhere in the visible body.
 */
function EnumerateGenericCredentials(credname){
// Resolve the ANSI export from advapi32.
const CredEnumerate_ptr = Module.getExportByName("advapi32", "CredEnumerateA");
// NOTE(review): CredEnumerateA returns a Win32 BOOL; declaring it "pointer" is why
// the sample output prints "ret: 0x1".
const CredEnumerate = new NativeFunction(CredEnumerate_ptr, "pointer", ["pointer", "int", "pointer", "pointer"])
// Out-parameter for the entry count, read back below with readInt().
const count = Memory.alloc(Process.pointerSize);
// Out-parameter that receives the pointer to the credential array. Only one
// pointer is read back from it below; 256 bytes is more than that needs.
const pCredentials = Memory.alloc(256);
// NULL filter and flags 0: no name filter is applied to the enumeration.
const ret = CredEnumerate(NULL, 0, count, pCredentials);
console.log("Enumerate complete! Found " + count.readInt() + " entries. pCredentials="+pCredentials);
for(var i=0; i<count.readInt(); i++){
// Dereference the out-parameter to reach the array, step to element i, then
// dereference again to get the address of the i-th credential structure.
const curr = pCredentials.readPointer().add(i * Process.pointerSize).readPointer();//.add(Process.pointerSize*2);
console.log("Credentials at " + curr + " ret: " + ret);
// The fixed offsets 8, 32, 40 and 72 correspond to TargetName, CredentialBlobSize,
// CredentialBlob and UserName in the 64-bit CREDENTIALA layout.
// NOTE(review): they are not derived from Process.pointerSize, so they would not
// hold on a 32-bit target even though the array indexing above would.
const targetname = curr.add(8).readPointer().readAnsiString();
// NOTE(review): size is read but never used below.
const size = curr.add(32).readU32();
const blob = curr.add(40).readPointer();
const username = curr.add(72).readPointer().readAnsiString();
// NOTE(review): the blob is a byte buffer whose length is given by size, with no
// guarantee of a NUL terminator or of UTF-16 content. Reading without a length
// can run past the buffer, and a NULL blob pointer is not handled.
const password = blob.readUtf16String();
console.log(targetname + ":" + username + ":" + password);
// NOTE(review): this message presumably belonged to a failure branch of a lost
// `if (ret)` check; as pasted it sits in the loop body and would print on every
// iteration. No CredFree call is visible for the returned buffer.
console.log("ret is false!");
[Remote::c:\windows\system32\cmd.exe]-> GetGenericCredentials("teste2")
CredReadA is 0x7ffdd7e44e90
Credentials at 0x1f3e83c23e0 ret: 0x1