
I need to call an undocumented function, VaultRemoveItem(...), exported from the system DLL vaultcli.dll. The problem is that I do not know the function prototype, and I haven't been able to find any information about it online.

Does anyone have any suggestions on how I would go about discovering the arguments of the function? They are very likely to include pointers to some struct.

Cody Gray - on strike
mpium
    Disassemble the function? – EOF May 30 '16 at 11:12
  • Try to see if you can get public symbols from Microsoft's symbol server. In any case, if you want to reverse engineer a piece of code, try to go with the 32-bit binary. 64-bit builds are a bit more challenging to analyze. – IInspectable May 30 '16 at 11:16
  • There is a [ReverseEngineering.SE] site that you may find to be of help. Of course, you'll need to show up there with a *specific question* that they can help you with. You can't just ask for "suggestions" on how to start. – Cody Gray - on strike May 30 '16 at 12:40
    Make it clear to your customers that your program uses undocumented APIs, so that they know whom to complain to when it stops working. – Raymond Chen May 30 '16 at 14:12

1 Answer

// Identifies which field of a vault item a _VAULT_ITEM_ELEMENT describes.
// Undocumented: the names and values were recovered from vaultcli symbols
// (see the author's comment below the answer), so they must be kept exactly
// as-is; the DLL interprets the raw numbers, not the names.
enum VAULT_SCHEMA_ELEMENT_ID {
    ElementId_Illegal = 0x0,
    ElementId_Resource = 0x1,       // in RemoveItem: the URL string of a web credential
    ElementId_Identity = 0x2,       // in RemoveItem: the login (user name) string
    ElementId_Authenticator = 0x3,  // presumably the secret/password element -- not used on this page
    ElementId_Tag = 0x4,
    ElementId_PackageSid = 0x5,     // in RemoveItem: a PSID (see the SID note in RemoveItem)
    ElementId_AppStart = 0x64,      // presumably the bounds of an application-defined id range
    ElementId_AppEnd = 0x2710
};

// Type tag for _VAULT_VARIANT: selects which member of its anonymous union
// is active. Each value below names the matching union member where one
// exists in the _VAULT_VARIANT declared further down.
// Undocumented; values recovered from symbols -- do not renumber.
enum VAULT_ELEMENT_TYPE {
    ElementType_Undefined = 0xffffffff,  // "no type" sentinel
    ElementType_Boolean = 0x0,           // union member Boolean
    ElementType_Short = 0x1,             // Short
    ElementType_UnsignedShort = 0x2,     // UnsignedShort
    ElementType_Integer = 0x3,           // Int
    ElementType_UnsignedInteger = 0x4,   // UnsignedInt
    ElementType_Double = 0x5,            // Double
    ElementType_Guid = 0x6,              // Guid
    ElementType_String = 0x7,            // String (used for Resource/Identity in RemoveItem)
    ElementType_ByteArray = 0x8,         // ByteArray
    ElementType_TimeStamp = 0x9,         // NOTE: no corresponding member in _VAULT_VARIANT as declared here
    ElementType_ProtectedArray = 0xa,    // ProtectedArray
    ElementType_Attribute = 0xb,         // Attribute
    ElementType_Sid = 0xc,               // Sid (used for PackageSid in RemoveItem)
    ElementType_Last = 0xd               // one past the last valid type
};

// Counted byte array (length + pointer), the vault's raw-bytes container.
// Field order is part of the ABI the DLL expects; leading-underscore names
// mirror the recovered symbol names rather than local naming style.
struct _VAULT_CAUB {
    ULONG NumBytes;        // number of valid bytes at pByteArray
    UCHAR * pByteArray;    // not owned by this struct; ownership is not documented here
};

// Named, flagged byte-array value; referenced from _VAULT_VARIANT::Attribute
// when the variant's Type is ElementType_Attribute.
struct _ATTRIBUTE {
    WCHAR * pszName;       // attribute name (NUL-terminated wide string)
    ULONG dwFlags;         // meaning of the flag bits is not documented on this page
    _VAULT_CAUB Value;     // attribute payload
};

// Tagged union carrying one vault element value; Type says which union
// member is meaningful. Several members are pointers, so the union's size
// and alignment (and therefore this struct's layout) differ between 32- and
// 64-bit builds -- the caller must be built for the same bitness as the
// vaultcli.dll it loads, and the member order must not be changed.
struct _VAULT_VARIANT {
    VAULT_ELEMENT_TYPE Type;      // selects the active member below
    union {
        UCHAR Boolean;            // ElementType_Boolean
        SHORT Short;              // ElementType_Short
        USHORT UnsignedShort;     // ElementType_UnsignedShort
        INT Int;                  // ElementType_Integer
        UINT UnsignedInt;         // ElementType_UnsignedInteger
        double Double;            // ElementType_Double
        _GUID Guid;               // ElementType_Guid
        const WCHAR * String;     // ElementType_String; not owned by the variant
        _VAULT_CAUB ByteArray;    // ElementType_ByteArray
        _VAULT_CAUB ProtectedArray; // ElementType_ProtectedArray
        _ATTRIBUTE * Attribute;   // ElementType_Attribute
        PSID Sid;                 // ElementType_Sid
    };
};

// One (schema element id, value) pair of a vault item -- the unit passed to
// VaultRemoveItem for Resource, Identity and PackageSid.
struct _VAULT_ITEM_ELEMENT {
    VAULT_SCHEMA_ELEMENT_ID SchemaElementId;  // which field of the item this is
    _VAULT_VARIANT ItemValue;                 // the field's typed value
};

// Prototypes for the undocumented vaultcli.dll exports, as recovered by the
// answer's author. All return an HRESULT; RemoveItem below treats S_OK (0)
// as success. OPTIONAL is the Windows SDK annotation macro (expands to nothing).
//
// VaultOpenVault: opens the vault identified by *Store (RemoveItem passes the
// default-vault GUID and Flags = 0) and stores a handle in *phVault. The
// handle must be released with VaultCloseVault.
HRESULT WINAPI VaultOpenVault(const GUID* Store, ULONG Flags, PHANDLE phVault);
// VaultRemoveItem: removes the item of schema *Schema matching Resource and
// Identity from hVault. PackageSid and the trailing PVOID are optional; the
// purpose of the last parameter is not known from this page (RemoveItem passes 0).
HRESULT WINAPI VaultRemoveItem(HANDLE hVault, const GUID* Schema, _VAULT_ITEM_ELEMENT* Resource, _VAULT_ITEM_ELEMENT* Identity, _VAULT_ITEM_ELEMENT* PackageSid OPTIONAL, PVOID OPTIONAL);
// VaultCloseVault: releases a handle obtained from VaultOpenVault.
HRESULT WINAPI VaultCloseVault(HANDLE hVault);

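// Removes a web-password credential (matched by url + login) from the
// default Windows vault via the undocumented vaultcli.dll API.
//
// url   - resource string the credential is stored under (ElementId_Resource)
// login - identity / user name string (ElementId_Identity)
// Sid   - optional package SID. Per the original author's note it must be a
//         SECURITY_MANDATORY_LABEL_AUTHORITY or SECURITY_APP_PACKAGE_AUTHORITY
//         SID when supplied; pass 0 (the default) to omit the PackageSid
//         element entirely.
//
// Returns the HRESULT of VaultOpenVault if the vault could not be opened,
// otherwise the HRESULT of VaultRemoveItem. The original returned void and
// discarded both results, so callers had no way to tell whether the item was
// actually removed; existing callers that ignore the return value still compile.
HRESULT RemoveItem(PCWSTR url, PCWSTR login, PSID Sid = 0)
{
    // GUIDs recovered by the answer's author; __uuidof() turns them into GUID constants.
    struct __declspec(uuid("3CCD5499-87A8-4B10-A215-608888DD3B55")) Vault_Schema_WebPassword;
    struct __declspec(uuid("4BF4C442-9B8A-41A0-B380-DD4A704DDB28")) Vault_DefaultVault_ID;

    HANDLE hVault = 0;
    HRESULT hr = VaultOpenVault(&__uuidof(Vault_DefaultVault_ID), 0, &hVault);
    // FAILED() rather than "!hr": any success HRESULT means the handle is valid.
    if (FAILED(hr))
    {
        return hr;
    }

    _VAULT_ITEM_ELEMENT
        Resource = {ElementId_Resource, ElementType_String },
        Identity = {ElementId_Identity, ElementType_String },
        PackageSid = {ElementId_PackageSid, ElementType_Sid };

    Resource.ItemValue.String = url;
    Identity.ItemValue.String = login;
    PackageSid.ItemValue.Sid = Sid;

    // PackageSid is OPTIONAL in the prototype. The original passed
    // "&PackageSid(/* 0 */)", which does not compile and reads as "either the
    // element or 0"; presumably a null SID should be expressed by omitting the
    // element, so only pass it when a SID was actually supplied.
    hr = VaultRemoveItem(hVault, &__uuidof(Vault_Schema_WebPassword), &Resource, &Identity,
                         Sid ? &PackageSid : 0, 0);

    // Always release the handle; report the remove result, not the close result.
    VaultCloseVault(hVault);
    return hr;
}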
RbMm
  • Thanks for the detailed answer. I've confirmed that this works. Is this the result of disassembly, or is it through other means? – mpium May 31 '16 at 08:42
    yes, this is the result of disassembly, together with the type information from the public pdb files – RbMm May 31 '16 at 09:08