Thanks to @dfirfpi new samples, some cool adaptations!

Benjamin DELPY 2015-07-16 01:19:48 +02:00
parent f527ec2297
commit 5084e9d803
3 changed files with 18 additions and 6 deletions


@ -77,7 +77,7 @@ NTSTATUS kuhl_m_dpapi_vault(int argc, wchar_t * argv[])
if(attribute = vaultCredential->attributes[i])
{
kprintf(L" > Attribute %u : ", attribute->id);
if(attribute->id < 100)
if(attribute->id && (attribute->id < 100))
{
if(len = (attribute->attributeElement.simpleAttribute.size >= 1) ? (attribute->attributeElement.simpleAttribute.size - 1) : 0)
{
@ -91,6 +91,7 @@ NTSTATUS kuhl_m_dpapi_vault(int argc, wchar_t * argv[])
{
kull_m_string_wprintf_hex(buffer, len, 0);
}
else PRINT_ERROR_AUTO(L"CryptDecrypt");
CryptDestroyKey(hKey);
LocalFree(buffer);
}
@ -110,7 +111,7 @@ NTSTATUS kuhl_m_dpapi_vault(int argc, wchar_t * argv[])
if(CryptDecrypt(hKey, 0, TRUE, 0, (PBYTE) buffer, &len))
{
kprintf(L"\n");
if(attribute->id == 100)
if(!attribute->id || (attribute->id == 100))
{
if(clear = kull_m_cred_vault_clear_create(buffer))
{
@ -121,6 +122,7 @@ NTSTATUS kuhl_m_dpapi_vault(int argc, wchar_t * argv[])
else kull_m_string_wprintf_hex(buffer, len, 1 | (16 << 16));
kprintf(L"\n");
}
else PRINT_ERROR_AUTO(L"CryptDecrypt");
CryptDestroyKey(hKey);
LocalFree(buffer);
}
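Review bot: The widened test `if(!attribute->id || (attribute->id == 100))` in the third hunk now also sends decrypted id-0 attributes to `kull_m_cred_vault_clear_create(buffer)`, which receives the buffer but not the `len` that `CryptDecrypt` has just written, so nothing visible here lets the parser bound its reads to the decrypted data. Vault files examined with this code can be truncated or malformed, so I would pass `len` along and have the parser refuse entries that run past it; the parser's body is not on this page and may already guard this another way. A short comment at both id tests, for example `/* id 0 is handled like id 100 (seen in newer samples) */`, would record why 0 is excluded from the `< 100` branch; that reading is inferred from the commit title and should be confirmed. The body of kuhl_m_dpapi_vault starts and ends outside these hunks.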


@ -329,7 +329,7 @@ PKULL_M_CRED_VAULT_CREDENTIAL kull_m_cred_vault_credential_create(PVOID data/*,
kull_m_string_ptr_replace(&credential->attributesMap, credential->dwAttributesMapSize);
credential->__cbElements = credential->dwAttributesMapSize / sizeof(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE_MAP);
if(credential->attributes = (PKULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE * ) LocalAlloc(LPTR, credential->__cbElements * sizeof(PKULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE)))
if(credential->attributes = (PKULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE * ) LocalAlloc(LPTR, (credential->__cbElements + ((credential->unk0 < 4) ? 1 : 0)) * sizeof(PKULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE)))
{
for(i = 0; i < credential->__cbElements; i++)
{
@ -351,6 +351,17 @@ PKULL_M_CRED_VAULT_CREDENTIAL kull_m_cred_vault_credential_create(PVOID data/*,
}
}
}
if(attribute && credential->unk0 < 4)
{
if(credential->attributes[i] = (PKULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE) LocalAlloc(LPTR, sizeof(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE)))
{
RtlCopyMemory(&credential->attributes[i]->attributeElement.complexAttribute.size, (PBYTE) attribute + FIELD_OFFSET(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE, attributeElement) + FIELD_OFFSET(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE_SIMPLE, attributeData) + attribute->attributeElement.simpleAttribute.size + sizeof(USHORT), FIELD_OFFSET(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE_COMPLEX, attributeData) - FIELD_OFFSET(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE_COMPLEX, size));
credential->attributes[i]->attributeElement.complexAttribute.attributeData = (PKULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE_DATA) ((PBYTE) attribute + FIELD_OFFSET(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE, attributeElement) + FIELD_OFFSET(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE_SIMPLE, attributeData) + attribute->attributeElement.simpleAttribute.size + sizeof(USHORT) + (FIELD_OFFSET(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE_COMPLEX, attributeData) - FIELD_OFFSET(KULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE_COMPLEX, size)));
kull_m_string_ptr_replace(&credential->attributes[i]->attributeElement.complexAttribute.attributeData, credential->attributes[i]->attributeElement.complexAttribute.size);
credential->__cbElements++;
}
}
}
}
return credential;
@ -372,7 +383,7 @@ void kull_m_cred_vault_credential_delete(PKULL_M_CRED_VAULT_CREDENTIAL credentia
{
if(credential->attributes[i])
{
if(credential->attributes[i]->id < 100)
if(credential->attributes[i]->id && (credential->attributes[i]->id < 100))
{
if(credential->attributes[i]->attributeElement.simpleAttribute.attributeData)
LocalFree(credential->attributes[i]->attributeElement.simpleAttribute.attributeData);
@ -419,7 +430,7 @@ void kull_m_cred_vault_credential_attribute_descr(DWORD level, PKULL_M_CRED_VAUL
{
kprintf(L"%*s" L" id : %08x - %u\n", level << 1, L"", attribute->id, attribute->id);
kprintf(L"%*s" L" unk0/1/2: %08x/%08x/%08x\n", level << 1, L"", attribute->unk0, attribute->unk1, attribute->unk2);
if(attribute->id < 100)
if(attribute->id && (attribute->id < 100))
{
if((attribute->attributeElement.simpleAttribute.size >= 1) && attribute->attributeElement.simpleAttribute.attributeData)
{
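Review bot: The new `unk0 < 4` block in kull_m_cred_vault_credential_create builds its source address from `attribute->attributeElement.simpleAttribute.size`, a field taken from the file being parsed, and passes that address to `RtlCopyMemory` and then `kull_m_string_ptr_replace` without checking that it still lies inside `data`. The signature in the hunk header shows only `PVOID data` (a further parameter looks commented out), so no blob length seems to be available, and a truncated or malformed vault file could make both the header copy and the later `complexAttribute.size`-sized copy (presumably what `kull_m_string_ptr_replace` does) read out of bounds. I would pass the blob length in (called `cbData` here, a placeholder name), compute the trailing offset once into a local instead of repeating the long `FIELD_OFFSET` sum twice, and skip the extra attribute unless that offset plus the header plus `complexAttribute.size` fits inside `cbData`. The block also depends on `attribute` and `i` as the loop left them; the loop body is outside the hunk, so if `attribute` is not set to NULL before the loop, a credential with an empty attribute map would reach `if(attribute && credential->unk0 < 4)` with an indeterminate pointer.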


@ -128,7 +128,6 @@ typedef struct _KULL_M_CRED_VAULT_CREDENTIAL {
DWORD __cbElements;
PKULL_M_CRED_VAULT_CREDENTIAL_ATTRIBUTE *attributes;
} KULL_M_CRED_VAULT_CREDENTIAL, *PKULL_M_CRED_VAULT_CREDENTIAL;
typedef struct _KULL_M_CRED_VAULT_CLEAR_ENTRY {