mimikatz/mimilib/sekurlsadbg/kwindbg.h

/*	Benjamin DELPY `gentilkiwi`
	http://blog.gentilkiwi.com
	benjamin@gentilkiwi.com
	Licence : http://creativecommons.org/licenses/by/3.0/fr/
*/
#pragma once
#include "kuhl_m_sekurlsa_utils.h"
#include "kuhl_m_sekurlsa_nt6.h"
#include "kuhl_m_sekurlsa_packages.h"

USHORT NtBuildNumber;

#define KUHL_SEKURLSA_CREDS_DISPLAY_RAW				0x00000000
#define KUHL_SEKURLSA_CREDS_DISPLAY_LINE			0x00000001
#define KUHL_SEKURLSA_CREDS_DISPLAY_NEWLINE			0x00000002

#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL		0x08000000
#define KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY			0x01000000
#define KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY_10		0x02000000
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY	0x03000000
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK	0x07000000

#define KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST		0x00200000
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDMANPASS		0x00400000
#define KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE			0x00800000

#define KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT		0x10000000
#define KUHL_SEKURLSA_CREDS_DISPLAY_WPASSONLY		0x20000000
#define KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN			0x40000000
#define KUHL_SEKURLSA_CREDS_DISPLAY_SSP				0x80000000

#ifdef _M_X64
#define SECDATA_KRBTGT_OFFSET	39
#elif defined _M_IX86
#define SECDATA_KRBTGT_OFFSET	47
#endif

typedef void (CALLBACK * PKUHL_M_SEKURLSA_PACKAGE_CALLBACK) (IN ULONG_PTR pKerbGlobalLogonSessionTable, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData);

typedef struct _KUHL_M_SEKURLSA_PACKAGE {
	const char * name;
	const char * symbolName;
	ULONG_PTR symbolPtr;
	const PKUHL_M_SEKURLSA_PACKAGE_CALLBACK callback;
} KUHL_M_SEKURLSA_PACKAGE, *PKUHL_M_SEKURLSA_PACKAGE;

typedef struct _KUHL_M_SEKURLSA_ENUM_HELPER {
	ULONG tailleStruct;
	ULONG offsetToLuid;
	ULONG offsetToLogonType;
	ULONG offsetToSession;
	ULONG offsetToUsername;
	ULONG offsetToDomain;
	ULONG offsetToCredentials;
	ULONG offsetToPSid;
	ULONG offsetToCredentialManager;
	ULONG offsetToLogonTime;
	ULONG offsetToLogonServer;
} KUHL_M_SEKURLSA_ENUM_HELPER, *PKUHL_M_SEKURLSA_ENUM_HELPER;

LPEXT_API_VERSION WDBGAPI ExtensionApiVersion (void);
VOID CheckVersion(void);
VOID WDBGAPI WinDbgExtensionDllInit (PWINDBG_EXTENSION_APIS lpExtensionApis, USHORT usMajorVersion, USHORT usMinorVersion);
DECLARE_API(mimikatz);

VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds, PLUID luid, ULONG flags);
VOID kuhl_m_sekurlsa_genericKeyOutput(struct _MARSHALL_KEY * key, PVOID * dirtyBase);
void kuhl_m_sekurlsa_krbtgt_keys(PVOID addr, LPCSTR prefix);
void kuhl_m_sekurlsa_krbtgt_trust(ULONG_PTR addr);
void kuhl_m_sekurlsa_trust_domainkeys(struct _KDC_DOMAIN_KEYS_INFO * keysInfo, PCSTR prefix, BOOL incoming, PUNICODE_STRING domain);
void kuhl_m_sekurlsa_trust_domaininfo(struct _KDC_DOMAIN_INFO * info);

#define KULL_M_WIN_BUILD_XP		2600
#define KULL_M_WIN_BUILD_2K3	3790
#define KULL_M_WIN_BUILD_VISTA	6000
#define KULL_M_WIN_BUILD_7		7600
#define KULL_M_WIN_BUILD_8		9200
#define KULL_M_WIN_BUILD_BLUE	9600
#define KULL_M_WIN_BUILD_10		9800

#define KULL_M_WIN_MIN_BUILD_XP		2500
#define KULL_M_WIN_MIN_BUILD_2K3	3000
#define KULL_M_WIN_MIN_BUILD_VISTA	6000
#define KULL_M_WIN_MIN_BUILD_7		7000
#define KULL_M_WIN_MIN_BUILD_8		8000
#define KULL_M_WIN_MIN_BUILD_BLUE	9400
#define KULL_M_WIN_MIN_BUILD_10		9800
Initial upload 2014-04-06 18:31:53 +00:00			/* Benjamin DELPY `gentilkiwi`
			`http://blog.gentilkiwi.com`
			`benjamin@gentilkiwi.com`
			`Licence : http://creativecommons.org/licenses/by/3.0/fr/`
			`*/`
			`#pragma once`
			`#include "kuhl_m_sekurlsa_utils.h"`
			`#include "kuhl_m_sekurlsa_nt6.h"`
			`#include "kuhl_m_sekurlsa_packages.h"`

			`USHORT NtBuildNumber;`

			`#define KUHL_SEKURLSA_CREDS_DISPLAY_RAW 0x00000000`
			`#define KUHL_SEKURLSA_CREDS_DISPLAY_LINE 0x00000001`
			`#define KUHL_SEKURLSA_CREDS_DISPLAY_NEWLINE 0x00000002`

			`#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL 0x08000000`
			`#define KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY 0x01000000`
Some fixes for mimidrv & crypto. Preparation for Windows 10. 2014-12-21 14:38:14 +00:00			`#define KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY_10 0x02000000`
			`#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY 0x03000000`
Initial upload 2014-04-06 18:31:53 +00:00			`#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK 0x07000000`

Kerberos key list for mimilib 2014-05-08 23:04:09 +00:00			`#define KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST 0x00200000`
Credential Manager in mimikatz and mimilib! 2014-04-13 20:57:09 +00:00			`#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDMANPASS 0x00400000`
Initial upload 2014-04-06 18:31:53 +00:00			`#define KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE 0x00800000`

			`#define KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT 0x10000000`
			`#define KUHL_SEKURLSA_CREDS_DISPLAY_WPASSONLY 0x20000000`
			`#define KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN 0x40000000`
			`#define KUHL_SEKURLSA_CREDS_DISPLAY_SSP 0x80000000`

krbtgt for WinDbg 2015-04-01 22:48:23 +00:00			`#ifdef _M_X64`
			`#define SECDATA_KRBTGT_OFFSET 39`
			`#elif defined _M_IX86`
			`#define SECDATA_KRBTGT_OFFSET 47`
			`#endif`

Credential Manager in mimikatz and mimilib! 2014-04-13 20:57:09 +00:00			`typedef void (CALLBACK * PKUHL_M_SEKURLSA_PACKAGE_CALLBACK) (IN ULONG_PTR pKerbGlobalLogonSessionTable, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData);`
Initial upload 2014-04-06 18:31:53 +00:00
			`typedef struct _KUHL_M_SEKURLSA_PACKAGE {`
			`const char * name;`
			`const char * symbolName;`
			`ULONG_PTR symbolPtr;`
			`const PKUHL_M_SEKURLSA_PACKAGE_CALLBACK callback;`
			`} KUHL_M_SEKURLSA_PACKAGE, *PKUHL_M_SEKURLSA_PACKAGE;`

			`typedef struct _KUHL_M_SEKURLSA_ENUM_HELPER {`
			`ULONG tailleStruct;`
Credential Manager in mimikatz and mimilib! 2014-04-13 20:57:09 +00:00			`ULONG offsetToLuid;`
			`ULONG offsetToLogonType;`
			`ULONG offsetToSession;`
			`ULONG offsetToUsername;`
			`ULONG offsetToDomain;`
			`ULONG offsetToCredentials;`
			`ULONG offsetToPSid;`
			`ULONG offsetToCredentialManager;`
Windows 10 Preview, driver & lsa minor fix + WinDbg 2015-03-12 00:46:03 +00:00			`ULONG offsetToLogonTime;`
			`ULONG offsetToLogonServer;`
Initial upload 2014-04-06 18:31:53 +00:00			`} KUHL_M_SEKURLSA_ENUM_HELPER, *PKUHL_M_SEKURLSA_ENUM_HELPER;`

			`LPEXT_API_VERSION WDBGAPI ExtensionApiVersion (void);`
			`VOID CheckVersion(void);`
			`VOID WDBGAPI WinDbgExtensionDllInit (PWINDBG_EXTENSION_APIS lpExtensionApis, USHORT usMajorVersion, USHORT usMinorVersion);`
			`DECLARE_API(mimikatz);`

			`VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds, PLUID luid, ULONG flags);`
Credential Manager in mimikatz and mimilib! 2014-04-13 20:57:09 +00:00			`VOID kuhl_m_sekurlsa_genericKeyOutput(struct _MARSHALL_KEY * key, PVOID * dirtyBase);`
krbtgt for WinDbg 2015-04-01 22:48:23 +00:00			`void kuhl_m_sekurlsa_krbtgt_keys(PVOID addr, LPCSTR prefix);`
trust cache for WinDbg mimilib, fix for mimikatz 2015-04-19 19:21:05 +00:00			`void kuhl_m_sekurlsa_krbtgt_trust(ULONG_PTR addr);`
			`void kuhl_m_sekurlsa_trust_domainkeys(struct _KDC_DOMAIN_KEYS_INFO * keysInfo, PCSTR prefix, BOOL incoming, PUNICODE_STRING domain);`
			`void kuhl_m_sekurlsa_trust_domaininfo(struct _KDC_DOMAIN_INFO * info);`
Credential Manager in mimikatz and mimilib! 2014-04-13 20:57:09 +00:00
			`#define KULL_M_WIN_BUILD_XP 2600`
			`#define KULL_M_WIN_BUILD_2K3 3790`
			`#define KULL_M_WIN_BUILD_VISTA 6000`
			`#define KULL_M_WIN_BUILD_7 7600`
			`#define KULL_M_WIN_BUILD_8 9200`
			`#define KULL_M_WIN_BUILD_BLUE 9600`
Some fixes for mimidrv & crypto. Preparation for Windows 10. 2014-12-21 14:38:14 +00:00			`#define KULL_M_WIN_BUILD_10 9800`
Credential Manager in mimikatz and mimilib! 2014-04-13 20:57:09 +00:00
			`#define KULL_M_WIN_MIN_BUILD_XP 2500`
			`#define KULL_M_WIN_MIN_BUILD_2K3 3000`
			`#define KULL_M_WIN_MIN_BUILD_VISTA 6000`
			`#define KULL_M_WIN_MIN_BUILD_7 7000`
			`#define KULL_M_WIN_MIN_BUILD_8 8000`
Some fixes for mimidrv & crypto. Preparation for Windows 10. 2014-12-21 14:38:14 +00:00			`#define KULL_M_WIN_MIN_BUILD_BLUE 9400`
			`#define KULL_M_WIN_MIN_BUILD_10 9800`