The Dell vWorkspace (previously Quest vWorkspace) Client can save a connection to a .pit file which is very similar to an .rdp file with one big difference: it is encrypted!

I am not sure why Dell/Quest have chosen to encrypt their files but a while ago I needed to know what was in a particular pit file so I could troubleshoot an issue.

I first created a test .pit file with the client (pntsc.exe version 7.6.305.791).


Using the Save As option I saved it as test.pit and then opened it again via the Open option while monitoring the process with Process Monitor.


In the Process Monitor screenshot you can see that a few moments after the .pit file is opened, a temporary file tmpACE4.tmp is opened as well. Perhaps an intermediate file holding the unencrypted version?

I opened pntsc.exe in Ida Pro and searched for "pit" in the strings tab.


There was only one reference to this string.


This code verifies if the file has a .pit extension and then copies the file to the temp path with a .tmp extension.

Then it calls into sub_41C91C with the tmp file, possibly to decrypt it. To make the listing more readable I used Ida's Rename function to rename sub_41C91C to DecryptPitFile.

To confirm that this function really does the decryption, I called it directly using Ida Pro's Appcall mechanism. Appcall lets you call functions inside a debugged program from the debugger or your script as if they were built-in functions.

I copied my test.pit file to C:\Temp and launched pntsc with Ida's integrated debugger. Once the GUI was shown I paused the process and opened the Script Command window (Shift-F2).

I entered the function's name, sub_41C91C, with the filename as a parameter and pressed the Run button.


There was no output in Ida, but my test.pit file was decrypted in place.

My first solution was to build a tool that works similarly to Ida's Appcall. It launched the vWorkspace client but made sure the window stayed hidden.

It then allocated memory in the process, wrote a string (the filename) into it, and created a thread in the process with the CreateRemoteThread API, setting lpStartAddress to the sub_41C91C function and lpParameter to the address of the allocated string.

The last step is resuming the thread and waiting for it to finish.

I placed all that code in a DLL and that was enough to solve my problem. If you are interested in the code, I have included it in the download at the bottom of this post.

This solution depends on the exact same version of the pntsc.exe client though, so it would be better to understand the encryption algorithm itself.

In Ida Pro a large (256-byte) array was visible and screaming for attention:

Quest Secret Key (large byte array)

This byte array, which I've renamed to QuestKey here, is likely an encryption key or salt. In the code we can see that it is used in a function that I've renamed to KeySchedule:

Code Snippet showing the encryption

I had a chat with Benjamin Delpy about the encryption algorithm and he was very quick to recognise RC4 in the asm, impressive!

So if we look at the code snippet above we can conclude that a double RC4 encryption is used. The pit file is first encrypted with a random 16-byte key, and the output is encrypted a second time using a fixed key (the large byte array).

Finally a sanity check is performed: the decrypted content must start with the sequence PIT.

So in order to decrypt a pit file we must do the following:

  • Decrypt the whole pit file using the fixed 256-byte key (the large byte array)
  • Take the last 16 bytes of the decrypted content and use them as the key for the second decryption
  • Verify that the first 3 characters of the second decryption are PIT
  • Save the decrypted content to disk, stripping the 3 characters (PIT ) and the 16-byte key
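The four steps above, as an added example in Python rather than the post's own PowerShell script (the fixed 256-byte key from the client is deliberately not reproduced; `FIXED_KEY_PLACEHOLDER` and the inner key used below are constructed values, and the marker length is taken from the post's "3 characters" wording, so check it against a real decrypted file). The example also includes the inverse wrapping so that the unwrap can be exercised offline, and a tamper check showing how the PIT marker catches a wrong key or a corrupted file:

```python
# Added example: double-RC4 .pit unwrap as described in the post.
# Not the post's script; keys below are constructed placeholders.

MARKER = b"PIT"  # sanity marker the client checks for (assumed 3 bytes, per the post)
INNER_KEY_LEN = 16  # random per-file key stored in the last 16 bytes of the outer plaintext

# Placeholder for the client's hard-coded 256-byte array (NOT the real key).
FIXED_KEY_PLACEHOLDER = bytes(range(256))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling (KSA) then keystream XOR (PRGA).
    Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_pit(blob: bytes, fixed_key: bytes = FIXED_KEY_PLACEHOLDER) -> bytes:
    """Unwrap a .pit blob: outer RC4 with the fixed key, then inner RC4 with
    the 16-byte key found at the end of the outer plaintext, then marker check.
    Returns the content with the marker and the trailing key stripped."""
    outer = rc4(fixed_key, blob)
    if len(outer) < INNER_KEY_LEN + len(MARKER):
        raise ValueError("blob too short to contain a key and marker")
    inner_key = outer[-INNER_KEY_LEN:]
    # RC4 is a stream cipher, so decrypting only the body is the same as
    # decrypting everything and discarding the last 16 bytes afterwards.
    plain = rc4(inner_key, outer[:-INNER_KEY_LEN])
    if not plain.startswith(MARKER):
        raise ValueError("PIT marker not found: wrong fixed key or corrupted file")
    return plain[len(MARKER):]


def encrypt_pit(content: bytes, inner_key: bytes,
                fixed_key: bytes = FIXED_KEY_PLACEHOLDER) -> bytes:
    """Inverse of decrypt_pit; used here only to build test input."""
    if len(inner_key) != INNER_KEY_LEN:
        raise ValueError("inner key must be exactly 16 bytes")
    inner = rc4(inner_key, MARKER + content)
    return rc4(fixed_key, inner + inner_key)


def tamper_is_detected(blob: bytes, fixed_key: bytes = FIXED_KEY_PLACEHOLDER) -> bool:
    """Flip one bit in the first byte of the blob; with RC4 that flips the same
    bit in the first plaintext byte, so the marker check must fail."""
    bad = bytes([blob[0] ^ 0x01]) + blob[1:]
    try:
        decrypt_pit(bad, fixed_key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample content shaped like the rdp-style settings in a .pit file.
    sample = b"full address:s:host.example.invalid\r\nusername:s:testuser\r\n"
    blob = encrypt_pit(sample, b"0123456789abcdef")
    print(decrypt_pit(blob).decode())
    print("tamper detected:", tamper_is_detected(blob))
```

Because the outer key is fixed inside the client binary, the outer layer only hides the inner key from casual inspection; anyone with the binary can unwrap any .pit file, so the contents should be handled with the same care as a plaintext .rdp file.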

I decided to do this in PowerShell because it would be a nice exercise (in fact, that's why I wrote the RC4 function I published earlier).

The complete script can be downloaded at the bottom of the post and includes the RC4 function, an example pit file and the "Appcall" DLL example.

First we need to define the large byte array in PowerShell:

Then the function that decrypts the PIT file:

Usage is very simple:

If you look at the unencrypted pit file you will notice that it's very similar to the contents of an rdp file. This is logical, since vWorkspace is built on top of RDP.

The password is only included when you've checked the "Save my password (encrypted)" checkbox:

Save Password Option

The password is encrypted using CryptProtectData, again similar to RDP passwords (as I described earlier).

However, the password is already encrypted before being passed to Crypt(Un)ProtectData.

DecryptPITFile.zip (8737 downloads)