
Dreg therealdreg

@therealdreg
therealdreg / README.md
Created April 15, 2025 18:59 — forked from andshrew/README.md
VMware Workstation VM encryption passwords saved in the Windows Credential Manager

Retrieving VMware Workstation VM encryption passwords saved in the Windows Credential Manager

When creating an encrypted VM, VMware Workstation gives you the option to remember the password. It does this by storing the password in the Windows Credential Manager.

VMware does not provide a way to retrieve this stored password, but it can be accessed via the Win32 CredReadW API function.

There are a number of PowerShell projects including PowerShell Credential Manager which provide access to this API, but in testing I found they were unable to correctly display the VMware password.

This PowerShell example has been tested using Windows PowerShell (v5.1) and PowerShell (v7) using VMwa

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Synaptics\SynTP\TouchPadPS2TM1800]
"2FingerTapAction"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Synaptics\SynTP\Win10]
"2FingerTapAction"=dword:00000002
;[HKEY_CURRENT_USER\Software\Synaptics\SynTPEnh\ZoneConfig\TouchPadPS2TM1800\2FHorizontalScrolling]
;"UserZoneFlags"=dword:00000005
;[HKEY_CURRENT_USER\Software\Synaptics\SynTPEnh\ZoneConfig\TouchPadPS2TM1800\2FVerticalScrolling]
push string generator x86 assembly shellcode malware exploits
#!/usr/bin/env python3
# by Dreg
import sys
def string_to_hex_chunks(input_string):
byte_array = input_string.encode('utf-8')
{
"version": "0.2.0",
"configurations": [
{
"name": "Pico Debug (Cortex-Debug)",
"cwd": "${workspaceFolder}",
"executable": "${command:cmake.launchTargetPath}",
"request": "launch",
"type": "cortex-debug",
"servertype": "openocd",
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\Directory\Background\shell]
[HKEY_CLASSES_ROOT\Directory\Background\shell\MSYS2]
[HKEY_CLASSES_ROOT\Directory\Background\shell\MSYS2\command]
@="\"C:\\msys64\\msys2_shell.cmd\" \"-here\""
[HKEY_CLASSES_ROOT\Directory\Background\shell\MSYS2 admin]
@therealdreg
therealdreg / masm32_bochs_macros
Last active July 27, 2023 19:13
Bochs masm32 macros for kernel debugging, magic breakpoint, E9 port hack, 8A00h 08AE0h
include \masm32\macros\macros.asm
include \masm32\include\masm32.inc
BochsPrintPW macro arg:VARARG
; https://c9x.me/x86/html/file_module_x86_id_222.html
; port e9 hack https://bochs.sourceforge.io/doc/docbook/user/bochsrc.html#AEN2523
nop
push eax
#!/usr/bin/env bash
# ~/.bash_profile
# alias gitsquash=~/gitsquash.sh
set -x
args=$*
if [ -z "$1" ]
#!/usr/bin/env python
# Python 2 !!! original: http://bones7456.googlecode.com/svn/trunk/SimpleHTTPServerWithUpload.py
"""Simple HTTP Server With Upload.
This module builds on BaseHTTPServer by implementing the standard GET
and HEAD requests in a fairly straightforward manner.
-
Modified by David Reguera Garcia aka Dreg for Cygwin Use (python 2)
#!/usr/bin/env bash
# ~/.bash_profile
# alias giterminator=~/giterminator.sh
set -x
args=$*
if [ -z "$1" ]
VirtualKD Redux windbg workspace name x86 command:
"C:\Program Files (x86)\Debugging Tools for Windows (x86)\windbg.exe" -Q -W x86 -b -k com:pipe,resets=0,reconnect,port=$(pipename)
Force load pdb:
!sym noisy
.symopt+0x40