Debugging Issue & Marshal.PtrToStructure() question

Open kiwids0220 opened this issue 3 years ago • 0 comments

When debugging SharpDPAPI with the below config/flags, I had a question on why the pointer is not showing in the correct address as the debugger says.

Then I realized it might be due to misdeclared variables within the Struct,

        public struct LSA_UNICODE_STRING : IDisposable
        {
            public ushort Length;
            public ushort MaximumLength;
            public ushort certLen;
            public IntPtr buffer;

            public LSA_UNICODE_STRING(string s)
            {
                Length = (ushort)(s.Length * 2);
                MaximumLength = (ushort)(Length + 2);
                certLen = (ushort)(Length + 2);
                buffer = Marshal.StringToHGlobalUni(s);
            }

            public void Dispose()
            {
                Marshal.FreeHGlobal(buffer);
                buffer = IntPtr.Zero;
            }

            public override string ToString()
            {
                return Marshal.PtrToStringUni(buffer);
            }
        }

which then I saw the ref to mimikatz header and added another declaration for certLen. And that matched with length appearing 3 times in the memory shown here and stepping through.

But previously, it also worked just fine without the certLen. So I was wondering: does Marshal.PtrToStructure() in Interop.LSA_UNICODE_STRING lusSecretData = (Interop.LSA_UNICODE_STRING)Marshal.PtrToStructure(PrivateData, typeof(Interop.LSA_UNICODE_STRING)); just magically find the IntPtr in the memory of PrivateData, which is really after the CertLen + 2 null bytes?

Sorry if I'm being confusing here.

kiwids0220, Jun 14 '22 05:06
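
As an added example (not part of the original post and not SharpDPAPI's own code), this C# program prints where the marshaler places buffer in the struct with and without certLen, then reads one constructed native blob through both declarations. The names TwoShorts, ThreeShorts and LayoutDemo and the sample string are hypothetical.

```csharp
using System;
using System.Runtime.InteropServices;

static class LayoutDemo
{
    // Field layout of the Windows LSA_UNICODE_STRING: two USHORTs, then a pointer.
    [StructLayout(LayoutKind.Sequential)]
    struct TwoShorts { public ushort Length; public ushort MaximumLength; public IntPtr buffer; }

    // Variant from the post, with the extra certLen field before the pointer.
    [StructLayout(LayoutKind.Sequential)]
    struct ThreeShorts { public ushort Length; public ushort MaximumLength; public ushort certLen; public IntPtr buffer; }

    // Offset at which the marshaler expects the buffer field in native memory.
    static int Off(Type t) { return Marshal.OffsetOf(t, "buffer").ToInt32(); }

    static void Main()
    {
        // The marshaler aligns buffer to IntPtr.Size, so padding follows the ushort fields.
        Console.WriteLine("IntPtr.Size={0}", IntPtr.Size);
        Console.WriteLine("TwoShorts:   buffer offset={0} size={1}", Off(typeof(TwoShorts)), Marshal.SizeOf(typeof(TwoShorts)));
        Console.WriteLine("ThreeShorts: buffer offset={0} size={1}", Off(typeof(ThreeShorts)), Marshal.SizeOf(typeof(ThreeShorts)));

        const string text = "secret";                 // constructed sample value
        IntPtr str = Marshal.StringToHGlobalUni(text);
        IntPtr blob = Marshal.AllocHGlobal(32);       // constructed native blob
        try
        {
            // Zero the blob, then fill it the way the two-field layout expects.
            for (int i = 0; i < 32; i++) Marshal.WriteByte(blob, i, 0);
            Marshal.WriteInt16(blob, 0, (short)(text.Length * 2));
            Marshal.WriteInt16(blob, 2, (short)(text.Length * 2 + 2));
            Marshal.WriteIntPtr(blob, Off(typeof(TwoShorts)), str);

            var two = (TwoShorts)Marshal.PtrToStructure(blob, typeof(TwoShorts));
            var three = (ThreeShorts)Marshal.PtrToStructure(blob, typeof(ThreeShorts));

            // The pointers match only when both declarations put buffer at the same offset.
            Console.WriteLine("same buffer pointer: {0}", two.buffer == three.buffer);
            // certLen is read from whatever bytes sit at offset 4 of the blob.
            Console.WriteLine("certLen read from offset 4: {0}", three.certLen);
        }
        finally { Marshal.FreeHGlobal(blob); Marshal.FreeHGlobal(str); }
    }
}
```

In a 64-bit process the pointer is aligned to 8 bytes, so both declarations place buffer at offset 8 and the extra ushort only occupies what was padding. In a 32-bit process the pointer is aligned to 4 bytes and the two offsets differ.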