[fix] a lots of @vletoux errors checking ;)

This commit is contained in:
Benjamin DELPY 2018-02-06 00:16:51 +01:00
parent bef58c833c
commit 3d8be22fff
18 changed files with 79 additions and 75 deletions


@ -142,7 +142,7 @@ NTSTATUS mimikatz_initOrClean(BOOL Init)
NTSTATUS mimikatz_dispatchCommand(wchar_t * input)
{
NTSTATUS status;
NTSTATUS status = STATUS_UNSUCCESSFUL;
PWCHAR full;
if(full = kull_m_file_fullPath(input))
{
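Review bot: The condition `if(full = kull_m_file_fullPath(input))` on the line after the new initializer still uses the bare assignment-in-condition form that this same commit has to repair at `if(type == KULL_M_MEMORY_TYPE_PROCESS)` and `(size == sizeof(GUID))` in later files. Wrapping intentional assignments in a second pair of parentheses, `if((full = kull_m_file_fullPath(input)))`, keeps MSVC C4706 / GCC -Wparentheses useful for catching the unintentional ones; the same applies to the `credhist->entries = ...`, `ptrProcessInfos = ...` and `dupCommandLine = _wcsdup(...)` conditions elsewhere in this commit. The body of mimikatz_dispatchCommand continues outside the hunk.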


@ -410,11 +410,11 @@ wchar_t * kuhl_m_kerberos_generateFileName_short(PKIWI_KERBEROS_TICKET ticket, L
NTSTATUS kuhl_m_kerberos_golden(int argc, wchar_t * argv[])
{
BYTE key[AES_256_KEY_LENGTH] = {0};
DWORD i, j, nbGroups, nbSids = 0, id = 500, keyType, rodc = 0;
DWORD i, j, nbGroups, nbSids = 0, id = 500, keyType = 0, rodc = 0;
PCWCHAR szUser, szDomain, szService = NULL, szTarget = NULL, szSid, szKey = NULL, szId, szGroups, szSids, szRodc, szLifetime, szClaims, /*base,*/ filename;
PWCHAR baseDot, netbiosDomain;
PISID pSid;
PGROUP_MEMBERSHIP groups;
PGROUP_MEMBERSHIP groups = NULL;
PKERB_SID_AND_ATTRIBUTES sids = NULL;
PCLAIMS_SET pClaimsSet = NULL;
PBERVAL BerApp_KrbCred;
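Review bot: `groups` and `keyType` now get initializers, but `pSid`, `baseDot`, `netbiosDomain` and `BerApp_KrbCred` on the neighbouring lines are still declared without one; if kuhl_m_kerberos_golden releases any of them on a shared cleanup path that can be reached before they are assigned (the body is outside the hunk, so this is inferred rather than seen), they need the same `= NULL` treatment already given to `sids` and `pClaimsSet`. A short why-comment on the default `id = 500`, e.g. `// default RID: built-in Administrator`, would also make that magic number self-explaining.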


@ -11,7 +11,7 @@ BOOL kuhl_m_pac_validationInfo_to_PAC(PKERB_VALIDATION_INFO validationInfo, PFIL
PVOID pLogonInfo = NULL, pClaims = NULL;
PPAC_CLIENT_INFO pClientInfo = NULL;
PAC_SIGNATURE_DATA signature = {SignatureType, {0}};
DWORD n = 4, szLogonInfo = 0, szLogonInfoAligned, szClientInfo = 0, szClientInfoAligned, szClaims = 0, szClaimsAligned = 0, szSignature = FIELD_OFFSET(PAC_SIGNATURE_DATA, Signature), szSignatureAligned, offsetData = sizeof(PACTYPE) + 3 * sizeof(PAC_INFO_BUFFER);
DWORD n = 4, szLogonInfo = 0, szLogonInfoAligned = 0, szClientInfo = 0, szClientInfoAligned, szClaims = 0, szClaimsAligned = 0, szSignature = FIELD_OFFSET(PAC_SIGNATURE_DATA, Signature), szSignatureAligned, offsetData = sizeof(PACTYPE) + 3 * sizeof(PAC_INFO_BUFFER);
PKERB_CHECKSUM pCheckSum;
if(NT_SUCCESS(CDLocateCheckSum(SignatureType, &pCheckSum)))
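Review bot: `szClientInfoAligned` on the same declaration line is still left without an initializer while its sibling `szLogonInfoAligned` now gets `= 0`; since `szClientInfo` starts at 0 exactly as `szLogonInfo` does, the aligned size is presumably only computed when a client-info buffer is present, and the total-size arithmetic that follows (outside the hunk) would then read an indeterminate value on that path. Suggest `szClientInfoAligned = 0` alongside the existing change. `szSignatureAligned` derives from the always-set `szSignature`, so it is likely fine, but initializing it too costs nothing. The body of kuhl_m_pac_validationInfo_to_PAC runs past the hunk.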


@ -698,7 +698,7 @@ NTSTATUS kuhl_m_crypto_l_sc(int argc, wchar_t * argv[])
status = SCardListCards(hContext, atr, NULL, 0, (LPWSTR) &mszCards, &dwLen);
if(status == SCARD_S_SUCCESS)
{
for(pCard = mszCards; *pCard; pCard += wcslen(pCard) + 1)
for(pCard = mszCards; pCard && *pCard; pCard += wcslen(pCard) + 1)
{
kprintf(L" Model: %s\n", pCard);
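Review bot: The added `pCard &&` guard is loop-invariant — `pCard` starts at `mszCards` and only ever advances — so it is re-evaluated on every multi-string entry although it can only be false before the first one. Hoisting it into the success test, `if(status == SCARD_S_SUCCESS && mszCards)`, states once the case the guard defends against (a success status with no buffer returned) and lets the loop keep its original shape. The remainder of kuhl_m_crypto_l_sc, including the release of `mszCards`, is outside the hunk.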


@ -239,8 +239,10 @@ BOOL kuhl_m_lsadump_getSyskey(PKULL_M_REGISTRY_HANDLE hRegistry, HKEY hLSA, LPBY
}
else PRINT_ERROR(L"LSA Key Class read error\n");
}
for(i = 0; i < SYSKEY_LENGTH; i++)
sysKey[i] = buffKey[kuhl_m_lsadump_SYSKEY_PERMUT[i]];
if(status)
for(i = 0; i < SYSKEY_LENGTH; i++)
sysKey[i] = buffKey[kuhl_m_lsadump_SYSKEY_PERMUT[i]];
return status;
}
@ -977,7 +979,7 @@ KULL_M_PATCH_GENERIC SamSrvReferences[] = {
PCWCHAR szSamSrv = L"samsrv.dll", szLsaSrv = L"lsasrv.dll", szNtDll = L"ntdll.dll", szKernel32 = L"kernel32.dll", szAdvapi32 = L"advapi32.dll";
NTSTATUS kuhl_m_lsadump_lsa(int argc, wchar_t * argv[])
{
NTSTATUS status, enumStatus;
NTSTATUS status = STATUS_UNSUCCESSFUL, enumStatus;
LSA_OBJECT_ATTRIBUTES objectAttributes;
LSA_HANDLE hPolicy;
@ -1115,7 +1117,7 @@ NTSTATUS kuhl_m_lsadump_lsa(int argc, wchar_t * argv[])
}
if(aRemoteThread)
kull_m_memory_free(aRemoteThread, 0);
kull_m_memory_free(aRemoteThread);
}
if(hMemory)
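Review bot: With the new `if(status)` guard in kuhl_m_lsadump_getSyskey the `sysKey` output buffer is no longer written on the failure path, so a caller that ignores the FALSE return would use whatever `sysKey` held before the call. Either zero it on failure or state the contract at the function head, e.g. `// sysKey is written only when TRUE is returned; callers must check the result`. In the kuhl_m_lsadump_lsa hunk, `enumStatus` on the same line as the newly initialized `status` is still uninitialized; if it is only read after the enumeration call that sets it that is fine, but giving it the same default is cheap. The start of kuhl_m_lsadump_getSyskey lies outside the hunk.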


@ -831,7 +831,7 @@ void kuhl_m_misc_wp_for_pid(DWORD pid, PCWCHAR wp)
else PRINT_ERROR_AUTO(L"kull_m_remotelib_create");
LocalFree(iData);
}
kull_m_memory_free(&aRemoteFunc, 0);
kull_m_memory_free(&aRemoteFunc);
}
else PRINT_ERROR(L"kull_m_remotelib_CreateRemoteCodeWitthPatternReplace\n");
kull_m_memory_close(hMemory);


@ -162,7 +162,7 @@ NTSTATUS kuhl_m_process_callbackProcess(int argc, wchar_t * argv[], PKULL_M_MODU
}
else PRINT_ERROR_AUTO(L"kull_m_memory_open");
if(type = KULL_M_MEMORY_TYPE_PROCESS)
if(type == KULL_M_MEMORY_TYPE_PROCESS)
CloseHandle(hProcess);
}
return STATUS_SUCCESS;
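Review bot: After the `==` fix the close path is correct, but kuhl_m_process_callbackProcess still returns `STATUS_SUCCESS` unconditionally, including when `kull_m_memory_open` failed and only a message was printed two lines earlier. If that is intentional because the enumeration callback uses its return value to mean "keep enumerating" rather than "this process succeeded" — inferred from the name, not visible here — a comment on the return line, `// always STATUS_SUCCESS: a failure on one process must not abort the enumeration`, would stop readers from taking it for a swallowed error; otherwise the open failure should be reflected in the result. The start of the function is outside the hunk.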


@ -299,7 +299,7 @@ NTSTATUS kuhl_m_rpc_server(int argc, wchar_t * argv[])
NTSTATUS kuhl_m_rpc_connect(int argc, wchar_t * argv[])
{
RPC_STATUS status, ntStatus;
RPC_STATUS status = RPC_S_INVALID_ARG, ntStatus;
PCWSTR szRemote, szProtSeq, szEndpoint, szService, szAlg;
DWORD AuthnSvc, rpcExc;
ALG_ID alg;
@ -413,7 +413,7 @@ NTSTATUS SRV_MiniUnbind(MIMI_HANDLE *phMimi)
NTSTATUS SRV_MimiCommand(MIMI_HANDLE phMimi, DWORD szEncCommand, BYTE *encCommand, DWORD *szEncResult, BYTE **encResult)
{
NTSTATUS status;
NTSTATUS status = RPC_S_INVALID_ARG;
PBYTE clearCommand, encBuffer;
DWORD szClearCommand, szEncBuffer;
*szEncResult = 0;
@ -461,7 +461,7 @@ NTSTATUS SRV_MimiCommand(MIMI_HANDLE phMimi, DWORD szEncCommand, BYTE *encComman
NTSTATUS SRV_MimiClear(handle_t rpc_handle, wchar_t *command, DWORD *size, wchar_t **result)
{
NTSTATUS status;
NTSTATUS status = RPC_S_INVALID_ARG;
EnterCriticalSection(&outputCritical);
kprintf(L"\n\n" MIMIKATZ L"(rpc): %s\n", command);
outputBufferElements = 0xffff;
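Review bot: In the SRV_MimiCommand and SRV_MimiClear hunks the variable is declared `NTSTATUS` but the new default is `RPC_S_INVALID_ARG`, an RPC/Win32 error code rather than an NTSTATUS value; Win32 error codes are small positive integers with the severity bit clear, so a caller applying `NT_SUCCESS()` to the untouched default would treat the "invalid argument" case as success. The matching NTSTATUS default is `NTSTATUS status = STATUS_INVALID_PARAMETER;` in both functions. The kuhl_m_rpc_connect hunk is fine as written because there the variable is `RPC_STATUS`. The bodies of all three functions continue outside the hunks.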


@ -514,7 +514,7 @@ void kuhl_m_lsadump_dcsync_descrSecret(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLO
{
if(name == wcsstr(name, L"BCKUPKEY_"))
{
if(((_wcsicmp(name, L"BCKUPKEY_P Secret") == 0) || (_wcsicmp(name, L"BCKUPKEY_PREFERRED Secret") == 0)) && (size = sizeof(GUID)))
if(((_wcsicmp(name, L"BCKUPKEY_P Secret") == 0) || (_wcsicmp(name, L"BCKUPKEY_PREFERRED Secret") == 0)) && (size == sizeof(GUID)))
{
kprintf(L"Link to key with GUID: ");
kull_m_string_displayGUID((LPCGUID) data);


@ -921,7 +921,7 @@ NTSTATUS kuhl_m_sekurlsa_pth(int argc, wchar_t * argv[])
kprintf(L"mode\t: replacing NTLM/RC4 key in a session\n");
kuhl_m_sekurlsa_pth_luid(&data);
}
else
else if(szUser)
{
if(kull_m_process_create(KULL_M_PROCESS_CREATE_LOGON, szRun, CREATE_SUSPENDED, NULL, LOGON_NETCREDENTIALS_ONLY, szUser, szDomain, L"", &processInfos, FALSE))
{
@ -958,6 +958,7 @@ NTSTATUS kuhl_m_sekurlsa_pth(int argc, wchar_t * argv[])
}
else PRINT_ERROR_AUTO(L"CreateProcessWithLogonW");
}
else PRINT_ERROR(L"Bas user or LUID\n");
}
else PRINT_ERROR(L"Missing at least one argument : ntlm/rc4 OR aes128 OR aes256\n");
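Review bot: The newly added message `PRINT_ERROR(L"Bas user or LUID\n")` has a typo; it should read `else PRINT_ERROR(L"Bad user or LUID\n");`. Since `szUser` is now tested only after the LUID branch, this message is presumably what the user sees when neither a LUID nor a user name was supplied, so naming both in the text is right. The body of kuhl_m_sekurlsa_pth starts before the first hunk.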


@ -42,7 +42,7 @@ typedef enum _BUSYLIGHT_MEDIA_SOUND_JINGLE {
BUSYLIGHT_MEDIA_JINGLE_IM2 = (10 << 3),
} BUSYLIGHT_MEDIA_SOUND_JINGLE, *PBUSYLIGHT_MEDIA_SOUND_JINGLE;
typedef const BUSYLIGHT_MEDIA_SOUND_JINGLE *PCBUSYLIGHT_MEDIA_SOUND_JINGLE;
#define BUSYLIGHT_MEDIA(sound, volume) (BUSYLIGHT_MEDIA_MASK | sound | volume)
#define BUSYLIGHT_MEDIA(sound, volume) (BUSYLIGHT_MEDIA_MASK | (sound) | (volume))
#define BUSYLIGHT_MEDIA_MUTE BUSYLIGHT_MEDIA(BUSYLIGHT_MEDIA_SOUND_MUTE, BUSYLIGHT_MEDIA_VOLUME_0_MUTE)
typedef struct _BUSYLIGHT_DEVICE_ID {


@ -283,7 +283,7 @@ PKULL_M_DPAPI_CREDHIST kull_m_dpapi_credhist_create(LPCVOID data, DWORD size)
currSize = ((PKULL_M_DPAPI_CREDHIST_ENTRY) ((PBYTE) data + size - (sumSize + currSize)))->header.dwNextLen, sumSize += currSize, credhist->__dwCount++
);
if(credhist->entries = (PKULL_M_DPAPI_CREDHIST_ENTRY *) LocalAlloc(LPTR, credhist->__dwCount * sizeof(PKULL_M_DPAPI_CREDHIST_ENTRY *)))
if(credhist->entries = (PKULL_M_DPAPI_CREDHIST_ENTRY *) LocalAlloc(LPTR, credhist->__dwCount * sizeof(PKULL_M_DPAPI_CREDHIST_ENTRY)))
for(
i = 0, sumSize = sizeof(KULL_M_DPAPI_CREDHIST_HEADER), currSize = credhist->current.dwNextLen;
(sumSize < size) && currSize;
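Review bot: The loop condition `(sumSize < size) && currSize` in kull_m_dpapi_credhist_create bounds only the running sum, not the entry length read from the blob itself, while the entry address is formed as `data + size - (sumSize + currSize)` (visible in the first loop's increment on the line above the fix); a `dwNextLen` larger than the remaining `size - sumSize` therefore yields a pointer before `data`, and the DWORD sum can also wrap. Since CREDHIST blobs are parsed from files, the condition should be `currSize && (currSize <= size - sumSize)` in both loops (the second loop's body runs past the hunk, so check that it uses the same addressing). The corrected `sizeof(PKULL_M_DPAPI_CREDHIST_ENTRY)` has the same value as the previous pointer-to-pointer sizeof, so that part is a clarity fix rather than a behaviour change. Separately, the field name `__dwCount` is a double-underscore identifier, which C reserves for the implementation.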


@ -22,7 +22,7 @@ BOOL kull_m_file_getAbsolutePathOf(PCWCHAR thisData, wchar_t ** reponse)
{
BOOL reussite = FALSE;
wchar_t *monRep;
*reponse = (wchar_t *) LocalAlloc(LPTR, MAX_PATH);
*reponse = (wchar_t *) LocalAlloc(LPTR, MAX_PATH * sizeof(wchar_t));
if(PathIsRelative(thisData))
{
@ -32,8 +32,7 @@ BOOL kull_m_file_getAbsolutePathOf(PCWCHAR thisData, wchar_t ** reponse)
LocalFree(monRep);
}
}
else
reussite = PathCanonicalize(*reponse, thisData);
else reussite = PathCanonicalize(*reponse, thisData);
if(!reussite)
LocalFree(*reponse);
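Review bot: `*reponse = (wchar_t *) LocalAlloc(LPTR, MAX_PATH * sizeof(wchar_t))` is still not checked for NULL before `PathCanonicalize(*reponse, thisData)` and the relative-path branch write into it; add `if(!*reponse) return FALSE;` directly after the allocation. On the failure path `LocalFree(*reponse)` leaves the caller holding a freed pointer in `*reponse`; follow it with `*reponse = NULL;` so a caller that tests the out-parameter instead of the return value does not touch freed memory. The size fix itself is the important part of this hunk: the previous 260-byte allocation for a MAX_PATH wide-character buffer was a quarter of the needed size.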


@ -235,17 +235,17 @@ BOOL kull_m_memory_alloc(IN PKULL_M_MEMORY_ADDRESS Address, IN SIZE_T Lenght, IN
return (Address->address) != NULL;
}
BOOL kull_m_memory_free(IN PKULL_M_MEMORY_ADDRESS Address, IN SIZE_T Lenght)
BOOL kull_m_memory_free(IN PKULL_M_MEMORY_ADDRESS Address)
{
BOOL status = FALSE;
switch(Address->hMemory->type)
{
case KULL_M_MEMORY_TYPE_OWN:
status = VirtualFree(Address->address, Lenght, MEM_RELEASE);
status = VirtualFree(Address->address, 0, MEM_RELEASE);
break;
case KULL_M_MEMORY_TYPE_PROCESS:
status = VirtualFreeEx(Address->hMemory->pHandleProcess->hProcess, Address->address, Lenght, MEM_RELEASE);
status = VirtualFreeEx(Address->hMemory->pHandleProcess->hProcess, Address->address, 0, MEM_RELEASE);
break;
case KULL_M_MEMORY_TYPE_KERNEL:
kull_m_kernel_ioctl_handle(Address->hMemory->pHandleDriver->hDriver, IOCTL_MIMIDRV_VM_FREE, Address->address, 0, NULL, NULL, FALSE);
@ -260,9 +260,9 @@ BOOL kull_m_memory_free(IN PKULL_M_MEMORY_ADDRESS Address, IN SIZE_T Lenght)
BOOL kull_m_memory_query(IN PKULL_M_MEMORY_ADDRESS Address, OUT PMEMORY_BASIC_INFORMATION MemoryInfo)
{
BOOL status = FALSE;
PMINIDUMP_MEMORY_INFO_LIST maListeInfo = NULL;
PMINIDUMP_MEMORY_INFO mesInfos = NULL;
ULONG i;
//PMINIDUMP_MEMORY_INFO_LIST maListeInfo = NULL;
//PMINIDUMP_MEMORY_INFO mesInfos = NULL;
//ULONG i;
switch(Address->hMemory->type)
{
@ -272,24 +272,24 @@ BOOL kull_m_memory_query(IN PKULL_M_MEMORY_ADDRESS Address, OUT PMEMORY_BASIC_IN
case KULL_M_MEMORY_TYPE_PROCESS:
status = VirtualQueryEx(Address->hMemory->pHandleProcess->hProcess, Address->address, MemoryInfo, sizeof(MEMORY_BASIC_INFORMATION)) == sizeof(MEMORY_BASIC_INFORMATION);
break;
case KULL_M_MEMORY_TYPE_PROCESS_DMP:
if(maListeInfo = (PMINIDUMP_MEMORY_INFO_LIST) kull_m_minidump_stream(Address->hMemory->pHandleProcessDmp->hMinidump, MemoryInfoListStream))
{
for(i = 0; (i < maListeInfo->NumberOfEntries) && !status; i++)
{
if(status = ((PBYTE) Address->address >= (PBYTE) mesInfos->BaseAddress) && ((PBYTE) Address->address <= (PBYTE) mesInfos->BaseAddress + (SIZE_T) mesInfos->RegionSize))
{
MemoryInfo->AllocationBase = (PVOID) mesInfos->AllocationBase;
MemoryInfo->AllocationProtect = mesInfos->AllocationProtect;
MemoryInfo->BaseAddress = (PVOID) mesInfos->BaseAddress;
MemoryInfo->Protect = mesInfos->Protect;
MemoryInfo->RegionSize = (SIZE_T) mesInfos->RegionSize;
MemoryInfo->State = mesInfos->State;
MemoryInfo->Type = mesInfos->Type;
}
}
}
break;
//case KULL_M_MEMORY_TYPE_PROCESS_DMP:
// if(maListeInfo = (PMINIDUMP_MEMORY_INFO_LIST) kull_m_minidump_stream(Address->hMemory->pHandleProcessDmp->hMinidump, MemoryInfoListStream))
// {
// for(i = 0; (i < maListeInfo->NumberOfEntries) && !status; i++)
// {
// if(status = ((PBYTE) Address->address >= (PBYTE) mesInfos->BaseAddress) && ((PBYTE) Address->address <= (PBYTE) mesInfos->BaseAddress + (SIZE_T) mesInfos->RegionSize))
// {
// MemoryInfo->AllocationBase = (PVOID) mesInfos->AllocationBase;
// MemoryInfo->AllocationProtect = mesInfos->AllocationProtect;
// MemoryInfo->BaseAddress = (PVOID) mesInfos->BaseAddress;
// MemoryInfo->Protect = mesInfos->Protect;
// MemoryInfo->RegionSize = (SIZE_T) mesInfos->RegionSize;
// MemoryInfo->State = mesInfos->State;
// MemoryInfo->Type = mesInfos->Type;
// }
// }
// }
// break;
default:
break;
}
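Review bot: The `KULL_M_MEMORY_TYPE_PROCESS_DMP` case in kull_m_memory_query is kept as a commented-out block (together with the three commented declarations earlier in the function) rather than deleted; the removed code also dereferenced `mesInfos` without ever assigning it, which is presumably why it was disabled. Version control keeps the history, so replace the block with a one-line `// KULL_M_MEMORY_TYPE_PROCESS_DMP: memory-info queries on minidumps are not implemented; falls to default and returns FALSE` so callers understand the FALSE they get for dump handles. In the kull_m_memory_free hunk, the literal `0` now passed with `MEM_RELEASE` deserves a why-comment, `// MEM_RELEASE requires dwSize == 0 (the whole reservation is released)`, since the old code passed a length there. The `KULL_M_MEMORY_TYPE_KERNEL` branch still ignores the ioctl result and leaves `status` FALSE; if the driver call can fail that is worth surfacing, otherwise a note that success is assumed.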


@ -78,7 +78,7 @@ BOOL kull_m_memory_open(IN KULL_M_MEMORY_TYPE Type, IN HANDLE hAny, OUT PKULL_M_
PKULL_M_MEMORY_HANDLE kull_m_memory_close(IN PKULL_M_MEMORY_HANDLE hMemory);
BOOL kull_m_memory_alloc(IN PKULL_M_MEMORY_ADDRESS Address, IN SIZE_T Lenght, IN DWORD Protection);
BOOL kull_m_memory_free(IN PKULL_M_MEMORY_ADDRESS Address, IN SIZE_T Lenght);
BOOL kull_m_memory_free(IN PKULL_M_MEMORY_ADDRESS Address);
BOOL kull_m_memory_equal(IN PKULL_M_MEMORY_ADDRESS Address1, IN PKULL_M_MEMORY_ADDRESS Address2, IN SIZE_T Lenght);
#define COMPRESSION_FORMAT_NONE (0x0000) // winnt


@ -481,35 +481,36 @@ BOOL kull_m_process_create(KULL_M_PROCESS_CREATE_TYPE type, PCWSTR commandLine,
RtlZeroMemory(&startupInfo, sizeof(STARTUPINFO));
startupInfo.cb = sizeof(STARTUPINFO);
ptrProcessInfos = pProcessInfos ? pProcessInfos : (PPROCESS_INFORMATION) LocalAlloc(LPTR, sizeof(PROCESS_INFORMATION));
if(dupCommandLine = _wcsdup(commandLine))
if(ptrProcessInfos = pProcessInfos ? pProcessInfos : (PPROCESS_INFORMATION) LocalAlloc(LPTR, sizeof(PROCESS_INFORMATION)))
{
switch(type)
if(dupCommandLine = _wcsdup(commandLine))
{
case KULL_M_PROCESS_CREATE_NORMAL:
status = CreateProcess(NULL, dupCommandLine, NULL, NULL, FALSE, iProcessFlags, NULL, NULL, &startupInfo, ptrProcessInfos);
break;
case KULL_M_PROCESS_CREATE_USER:
status = CreateProcessAsUser(hUserToken, NULL, dupCommandLine, NULL, NULL, FALSE, iProcessFlags, NULL, NULL, &startupInfo, ptrProcessInfos);
break;
/*case KULL_M_PROCESS_CREATE_TOKEN:
status = CreateProcessWithTokenW(hUserToken, iLogonFlags, NULL, dupCommandLine, iProcessFlags, NULL, NULL, &startupInfo, ptrProcessInfos);
break;*/
case KULL_M_PROCESS_CREATE_LOGON:
status = CreateProcessWithLogonW(user, domain, password, iLogonFlags, NULL, dupCommandLine, iProcessFlags, NULL, NULL, &startupInfo, ptrProcessInfos);
break;
}
switch(type)
{
case KULL_M_PROCESS_CREATE_NORMAL:
status = CreateProcess(NULL, dupCommandLine, NULL, NULL, FALSE, iProcessFlags, NULL, NULL, &startupInfo, ptrProcessInfos);
break;
case KULL_M_PROCESS_CREATE_USER:
status = CreateProcessAsUser(hUserToken, NULL, dupCommandLine, NULL, NULL, FALSE, iProcessFlags, NULL, NULL, &startupInfo, ptrProcessInfos);
break;
/*case KULL_M_PROCESS_CREATE_TOKEN:
status = CreateProcessWithTokenW(hUserToken, iLogonFlags, NULL, dupCommandLine, iProcessFlags, NULL, NULL, &startupInfo, ptrProcessInfos);
break;*/
case KULL_M_PROCESS_CREATE_LOGON:
status = CreateProcessWithLogonW(user, domain, password, iLogonFlags, NULL, dupCommandLine, iProcessFlags, NULL, NULL, &startupInfo, ptrProcessInfos);
break;
}
if(autoCloseHandle || !pProcessInfos)
{
CloseHandle(ptrProcessInfos->hThread);
CloseHandle(ptrProcessInfos->hProcess);
}
if(status && (autoCloseHandle || !pProcessInfos))
{
CloseHandle(ptrProcessInfos->hThread);
CloseHandle(ptrProcessInfos->hProcess);
}
if(!pProcessInfos)
LocalFree(ptrProcessInfos);
free(dupCommandLine);
if(!pProcessInfos)
LocalFree(ptrProcessInfos);
free(dupCommandLine);
}
}
return status;
}
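Review bot: In the new nesting, `if(!pProcessInfos) LocalFree(ptrProcessInfos);` sits inside the `if(dupCommandLine = _wcsdup(commandLine))` block, so when `_wcsdup` fails the locally allocated PROCESS_INFORMATION leaks. Move that release out one level — after the brace closing the `_wcsdup` block and before the one closing the `ptrProcessInfos` check — and leave `free(dupCommandLine);` where it is. Guarding the `CloseHandle` pair with `status` is correct since the handles are only populated on a successful create, but the `switch(type)` still has no `default`, so an unexpected `type` silently returns the initial `status` (set outside the hunk). The start of kull_m_process_create is outside the hunk.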


@ -114,12 +114,12 @@ BOOL kull_m_remotelib_create(PKULL_M_MEMORY_ADDRESS aRemoteFunc, PREMOTE_LIB_INP
if(!success)
output->outputSize = 0;
}
kull_m_memory_free(&aSuppData, 0);
kull_m_memory_free(&aSuppData);
}
}
}
}
kull_m_memory_free(&aRemoteData, 0);
kull_m_memory_free(&aRemoteData);
}
LocalFree(data);
}
@ -203,7 +203,7 @@ BOOL kull_m_remotelib_CreateRemoteCodeWitthPatternReplace(PKULL_M_MEMORY_HANDLE
if(!(success = kull_m_memory_copy(DestAddress, &aLocalAddr, BufferSize)))
{
PRINT_ERROR_AUTO(L"kull_m_memory_copy");
kull_m_memory_free(DestAddress, 0);
kull_m_memory_free(DestAddress);
}
}
else PRINT_ERROR_AUTO(L"kull_m_memory_alloc / VirtualAlloc(Ex)");


@ -221,7 +221,8 @@ void __RPC_FAR * __RPC_USER midl_user_allocate(size_t cBytes)
void __RPC_USER midl_user_free(void __RPC_FAR * p)
{
LocalFree(p);
if(p)
LocalFree(p);
}
void __RPC_USER ReadFcn(void *State, char **pBuffer, unsigned int *pSize)