Skip to content

Update dllmain.cpp to add padding support and make the API calls more secure. #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update dllmain.cpp to add padding support and make the API calls more secure. #3

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 9 additions & 7 deletions PwnedPasswordsDLL-API/dllmain.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@
#include <sha.h>
#include <filters.h>
#include <hex.h>
#include <regex>

#pragma comment(lib, "Ws2_32.lib")

Expand All @@ -51,8 +52,8 @@ BOOL APIENTRY DllMain(HMODULE hModule,
/*
* Quick and dirty function callback function for writing with cURL - append to string rather than using fwrite
*/

size_t cURL_Callback(void *contents, size_t size, size_t nmemb, std::string *s)

{
((std::string*)s)->append((char*)contents, size * nmemb);
return size * nmemb;
Expand Down Expand Up @@ -86,6 +87,8 @@ extern "C" __declspec(dllexport) BOOLEAN __stdcall PasswordFilter(PUNICODE_STRIN

// Declare and initialise cURL
CURL *curl = curl_easy_init();
// Declare and initialise the list for custom headers in the cURL
struct curl_slist* list = NULL;

// Initialise URL String as being the API address, as well as the first 5 letters of the password hash
std::string URL("https://api.pwnedpasswords.com/range/" + hash.substr(0, 5));
Expand All @@ -98,6 +101,8 @@ extern "C" __declspec(dllexport) BOOLEAN __stdcall PasswordFilter(PUNICODE_STRIN
CURLcode res;
curl_easy_setopt(curl, CURLOPT_URL, URL.c_str()); // Set the URL for CURL to the URL string
curl_easy_setopt(curl, CURLOPT_USERAGENT, "API Scraper/1.0"); // Troy requires a user-agent when calling API
list = curl_slist_append(list, "Add-Padding: true"); //Adds Add-Padding to the custom header list. Pads out responses to ensure all results contain a random number of records between 800 and 1,000."
curl_easy_setopt(curl, CURLOPT_HTTPHEADER, list); // Set the custom headers list
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, cURL_Callback); // Set the write function for cURL to cURL_Callback
curl_easy_setopt(curl, CURLOPT_WRITEDATA, &APIResponse); // Set up cURL to write the API response to the APIResponse String

Expand All @@ -116,17 +121,14 @@ extern "C" __declspec(dllexport) BOOLEAN __stdcall PasswordFilter(PUNICODE_STRIN
}
else // If there was a response from the API
{
std::size_t found = APIResponse.find(hash.substr(5)); // Attempt to find the hash suffix

if (found != std::string::npos) // The find function will return string::npos if the requested string was no found
std::regex regexTest(hash.substr(5) + "(?!:0)");
if (regex_search(APIResponse, regexTest))
{
returnValue = FALSE; // If the hash exists, then set the return value to false (i.e. don't allow the password to be changed)
}
}
}
curl_easy_cleanup(curl); // Clean-up for cURL
}

return returnValue; // Return the Boolean value to LSA

}
}