2014-04-06 18:31:53 +00:00
|
|
|
/* Benjamin DELPY `gentilkiwi`
|
|
|
|
http://blog.gentilkiwi.com
|
|
|
|
benjamin@gentilkiwi.com
|
2015-08-25 09:19:01 +00:00
|
|
|
Licence : https://creativecommons.org/licenses/by/4.0/
|
2014-04-06 18:31:53 +00:00
|
|
|
*/
|
|
|
|
#pragma once
|
|
|
|
#include "kuhl_m_sekurlsa_utils.h"
|
|
|
|
#include "kuhl_m_sekurlsa_nt6.h"
|
|
|
|
#include "kuhl_m_sekurlsa_packages.h"
|
2017-07-19 23:33:50 +00:00
|
|
|
#define DELAYIMP_INSECURE_WRITABLE_HOOKS
|
|
|
|
#include <delayimp.h>
|
2014-04-06 18:31:53 +00:00
|
|
|
|
|
|
|
USHORT NtBuildNumber;
|
|
|
|
|
2016-08-08 01:35:01 +00:00
|
|
|
#define KUHL_SEKURLSA_CREDS_DISPLAY_RAW 0x00000000
|
|
|
|
#define KUHL_SEKURLSA_CREDS_DISPLAY_LINE 0x00000001
|
|
|
|
#define KUHL_SEKURLSA_CREDS_DISPLAY_NEWLINE 0x00000002
|
2014-04-06 18:31:53 +00:00
|
|
|
|
2016-08-08 01:35:01 +00:00
|
|
|
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL 0x08000000
|
|
|
|
#define KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY 0x01000000
|
|
|
|
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY 0x02000000
|
|
|
|
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK 0x07000000
|
2014-04-06 18:31:53 +00:00
|
|
|
|
2016-08-08 01:35:01 +00:00
|
|
|
#define KUHL_SEKURLSA_CREDS_DISPLAY_KERBEROS_10 0x00100000
|
|
|
|
#define KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST 0x00200000
|
|
|
|
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDMANPASS 0x00400000
|
|
|
|
#define KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE 0x00800000
|
|
|
|
#define KUHL_SEKURLSA_CREDS_DISPLAY_KERBEROS_10_1607 0x00010000
|
2014-04-06 18:31:53 +00:00
|
|
|
|
2016-08-08 01:35:01 +00:00
|
|
|
#define KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT 0x10000000
|
|
|
|
#define KUHL_SEKURLSA_CREDS_DISPLAY_WPASSONLY 0x20000000
|
|
|
|
#define KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN 0x40000000
|
|
|
|
#define KUHL_SEKURLSA_CREDS_DISPLAY_SSP 0x80000000
|
2014-04-06 18:31:53 +00:00
|
|
|
|
2019-03-25 00:57:56 +00:00
|
|
|
#if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64
|
2015-04-01 22:48:23 +00:00
|
|
|
#define SECDATA_KRBTGT_OFFSET 39
|
|
|
|
#elif defined _M_IX86
|
|
|
|
#define SECDATA_KRBTGT_OFFSET 47
|
|
|
|
#endif
|
|
|
|
|
2014-04-13 20:57:09 +00:00
|
|
|
typedef void (CALLBACK * PKUHL_M_SEKURLSA_PACKAGE_CALLBACK) (IN ULONG_PTR pKerbGlobalLogonSessionTable, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData);
|
2014-04-06 18:31:53 +00:00
|
|
|
|
|
|
|
typedef struct _KUHL_M_SEKURLSA_PACKAGE {
|
|
|
|
const char * name;
|
|
|
|
const char * symbolName;
|
|
|
|
ULONG_PTR symbolPtr;
|
|
|
|
const PKUHL_M_SEKURLSA_PACKAGE_CALLBACK callback;
|
|
|
|
} KUHL_M_SEKURLSA_PACKAGE, *PKUHL_M_SEKURLSA_PACKAGE;
|
|
|
|
|
|
|
|
typedef struct _KUHL_M_SEKURLSA_ENUM_HELPER {
|
|
|
|
ULONG tailleStruct;
|
2014-04-13 20:57:09 +00:00
|
|
|
ULONG offsetToLuid;
|
|
|
|
ULONG offsetToLogonType;
|
|
|
|
ULONG offsetToSession;
|
|
|
|
ULONG offsetToUsername;
|
|
|
|
ULONG offsetToDomain;
|
|
|
|
ULONG offsetToCredentials;
|
|
|
|
ULONG offsetToPSid;
|
|
|
|
ULONG offsetToCredentialManager;
|
2015-03-12 00:46:03 +00:00
|
|
|
ULONG offsetToLogonTime;
|
|
|
|
ULONG offsetToLogonServer;
|
2014-04-06 18:31:53 +00:00
|
|
|
} KUHL_M_SEKURLSA_ENUM_HELPER, *PKUHL_M_SEKURLSA_ENUM_HELPER;
|
|
|
|
|
2017-05-08 20:12:31 +00:00
|
|
|
LPEXT_API_VERSION WDBGAPI kdbg_ExtensionApiVersion(void);
|
|
|
|
VOID WDBGAPI kdbg_WinDbgExtensionDllInit (PWINDBG_EXTENSION_APIS lpExtensionApis, USHORT usMajorVersion, USHORT usMinorVersion);
|
|
|
|
DECLARE_API(kdbg_coffee);
|
|
|
|
DECLARE_API(kdbg_mimikatz);
|
2014-04-06 18:31:53 +00:00
|
|
|
|
|
|
|
VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds, PLUID luid, ULONG flags);
|
2016-07-29 21:32:06 +00:00
|
|
|
VOID kuhl_m_sekurlsa_genericKeyOutput(struct _KIWI_CREDENTIAL_KEY * key);
|
2015-05-24 22:24:46 +00:00
|
|
|
VOID kuhl_m_sekurlsa_genericLsaIsoOutput(struct _LSAISO_DATA_BLOB * blob);
|
2016-08-21 23:02:27 +00:00
|
|
|
VOID kuhl_m_sekurlsa_genericEncLsaIsoOutput(struct _ENC_LSAISO_DATA_BLOB * blob, DWORD size);
|
2015-04-01 22:48:23 +00:00
|
|
|
void kuhl_m_sekurlsa_krbtgt_keys(PVOID addr, LPCSTR prefix);
|
2015-04-19 19:21:05 +00:00
|
|
|
void kuhl_m_sekurlsa_krbtgt_trust(ULONG_PTR addr);
|
|
|
|
void kuhl_m_sekurlsa_trust_domainkeys(struct _KDC_DOMAIN_KEYS_INFO * keysInfo, PCSTR prefix, BOOL incoming, PUNICODE_STRING domain);
|
|
|
|
void kuhl_m_sekurlsa_trust_domaininfo(struct _KDC_DOMAIN_INFO * info);
|
2015-05-24 22:24:46 +00:00
|
|
|
void kuhl_sekurlsa_dpapi_backupkeys();
|
|
|
|
|
|
|
|
#define PVK_FILE_VERSION_0 0
|
|
|
|
#define PVK_MAGIC 0xb0b5f11e // bob's file
|
|
|
|
#define PVK_NO_ENCRYPT 0
|
|
|
|
#define PVK_RC4_PASSWORD_ENCRYPT 1
|
|
|
|
#define PVK_RC2_CBC_PASSWORD_ENCRYPT 2
|
|
|
|
|
|
|
|
typedef struct _PVK_FILE_HDR {
|
|
|
|
DWORD dwMagic;
|
|
|
|
DWORD dwVersion;
|
|
|
|
DWORD dwKeySpec;
|
|
|
|
DWORD dwEncryptType;
|
|
|
|
DWORD cbEncryptData;
|
|
|
|
DWORD cbPvk;
|
|
|
|
} PVK_FILE_HDR, *PPVK_FILE_HDR;
|
2014-04-13 20:57:09 +00:00
|
|
|
|
|
|
|
#define KULL_M_WIN_BUILD_XP 2600
|
|
|
|
#define KULL_M_WIN_BUILD_2K3 3790
|
|
|
|
#define KULL_M_WIN_BUILD_VISTA 6000
|
|
|
|
#define KULL_M_WIN_BUILD_7 7600
|
|
|
|
#define KULL_M_WIN_BUILD_8 9200
|
|
|
|
#define KULL_M_WIN_BUILD_BLUE 9600
|
2016-03-27 17:22:36 +00:00
|
|
|
#define KULL_M_WIN_BUILD_10_1507 10240
|
|
|
|
#define KULL_M_WIN_BUILD_10_1511 10586
|
2016-08-08 01:35:01 +00:00
|
|
|
#define KULL_M_WIN_BUILD_10_1607 14393
|
2014-04-13 20:57:09 +00:00
|
|
|
|
|
|
|
#define KULL_M_WIN_MIN_BUILD_XP 2500
|
|
|
|
#define KULL_M_WIN_MIN_BUILD_2K3 3000
|
2016-08-08 01:35:01 +00:00
|
|
|
#define KULL_M_WIN_MIN_BUILD_VISTA 5000
|
2014-04-13 20:57:09 +00:00
|
|
|
#define KULL_M_WIN_MIN_BUILD_7 7000
|
|
|
|
#define KULL_M_WIN_MIN_BUILD_8 8000
|
2014-12-21 14:38:14 +00:00
|
|
|
#define KULL_M_WIN_MIN_BUILD_BLUE 9400
|
|
|
|
#define KULL_M_WIN_MIN_BUILD_10 9800
|