This morning Arjan Beijer sent me an interesting link to a YouTube video about obtaining the Citrix IMA Datastore password using WinDbg.

The video shows a method, discovered by Denis Gundarev, to obtain the IMA Datastore password. Basically, he uses DSMaint.exe, sets a breakpoint on the call to CryptUnprotectData and then reads the password from memory.

I tried to call the CryptUnprotectData API directly with the data read from the registry, but this failed with error NTE_BAD_KEY_STATE. This is defined in winerror.h and means “Key not valid for use in specified state”.


I assumed Citrix was using entropy (a salt) to make the decoding a little more difficult, so I checked the disassembly of DSMaint with IDA Pro; it imports a function called GlobalData_GetDecryptedStrW from ImaSystem.dll:


I opened ImaSystem.dll in IDA Pro and found CryptUnprotectData in the Imports tab:


I checked the references (Ctrl-X) and went to the one at the top of the list:


I don’t think it’s difficult to spot the entropy here?



The code needed to decrypt the password is just a few lines:


At the bottom of this post is a downloadable tool that reads the username and password data from the registry, decrypts and displays it:



Security Breach?

But where does this leave us? Is it a security breach?

I don’t think so, since the call to CryptUnprotectData fails if we do not have Admin privileges. Furthermore, we can read the values remotely (if we have admin privileges), but we can only decrypt them locally.
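
The DPAPI behaviour described above, as an added example that is not code from the original post or its tool: a blob protected with optional entropy cannot be unprotected without that same value, so entropy compiled into a DLL is a fixed input that anyone who can read the binary shares, and the real boundary stays with DPAPI's binding to the local machine or user. It uses the .NET `ProtectedData` wrapper around `CryptProtectData`/`CryptUnprotectData` in Windows PowerShell 5.1; the password, the entropy strings, the `CurrentUser` scope and the helper `Test-Unprotect` are all constructed for illustration and are not Citrix values.

```powershell
# Added illustration: DPAPI round trip with optional entropy.
# Every value below is constructed; nothing is taken from Citrix binaries or registry data.
Add-Type -AssemblyName System.Security

# Assumption: CurrentUser scope, chosen only so the demo runs without elevation.
$Scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

$secret       = [System.Text.Encoding]::Unicode.GetBytes('example-datastore-password')
$entropy      = [System.Text.Encoding]::ASCII.GetBytes('constant-compiled-into-the-app')
$wrongEntropy = [System.Text.Encoding]::ASCII.GetBytes('some-other-constant')

# Hypothetical helper: try to unprotect a blob and report the outcome instead of throwing.
function Test-Unprotect {
    param(
        [Parameter(Mandatory)] [byte[]] $Blob,
        [byte[]] $Entropy = $null,
        [string] $Label
    )
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $Entropy, $Scope)
        [pscustomobject]@{
            Case    = $Label
            Success = $true
            Detail  = [System.Text.Encoding]::Unicode.GetString($plain)
        }
    } catch {
        # DPAPI rejects the blob when the entropy supplied at protect time is absent or different.
        [pscustomobject]@{
            Case    = $Label
            Success = $false
            Detail  = $_.Exception.Message
        }
    }
}

# Protect once with entropy, as an application with a built-in constant would.
$blob = [System.Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $Scope)

# The blob is opaque and bound to this user profile; the entropy is just a second required input.
Test-Unprotect -Blob $blob -Label 'no entropy'
Test-Unprotect -Blob $blob -Entropy $wrongEntropy -Label 'wrong entropy'
Test-Unprotect -Blob $blob -Entropy $entropy -Label 'matching entropy'
```

Only the last call returns the plaintext. Copying `$blob` to another machine or user profile and repeating it there fails even with the matching entropy, which is the local-only property the post relies on.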

Citrix IMA DataStore Username & Password Decoder (1766)