From 853ee232f061cef4c75cdbfcf7390fb16e53811d Mon Sep 17 00:00:00 2001 From: Benjamin DELPY Date: Wed, 23 Apr 2014 22:00:29 +0200 Subject: [PATCH] Code cleaning & Base64 output --- inc/globals.h | 3 +- mimidrv/_build_.cmd | 2 +- mimikatz/modules/kuhl_m_standard.c | 63 +++++------------------------- mimikatz/modules/kuhl_m_standard.h | 2 + modules/kull_m_file.c | 26 ++++++++++-- modules/kull_m_file.h | 4 +- modules/kull_m_string.c | 33 ---------------- modules/kull_m_string.h | 3 -- 8 files changed, 39 insertions(+), 97 deletions(-) diff --git a/inc/globals.h b/inc/globals.h index f92b7bf..b76f9b6 100644 --- a/inc/globals.h +++ b/inc/globals.h @@ -30,8 +30,7 @@ #define MIMIKATZ_VERSION L"2.0 alpha" #define MIMIKATZ_CODENAME L"Kiwi en C" #define MIMIKATZ_FULL MIMIKATZ L" " MIMIKATZ_VERSION L" (" MIMIKATZ_ARCH L") release \"" MIMIKATZ_CODENAME L"\" (" TEXT(__DATE__) L" " TEXT(__TIME__) L")" -#define MIMIKATZ_PIPE_PATH L"\\\\.\\pipe\\" MIMIKATZ -#define MIMIKATZ_DEFAULT_LOG L"mimikatz.log" +#define MIMIKATZ_DEFAULT_LOG MIMIKATZ L".log" #define MIMIKATZ_DRIVER L"mimidrv" #define MIMIKATZ_KERBEROS_EXT L"kirbi" diff --git a/mimidrv/_build_.cmd b/mimidrv/_build_.cmd index 7138486..ca80ab1 100644 --- a/mimidrv/_build_.cmd +++ b/mimidrv/_build_.cmd @@ -1,5 +1,5 @@ @echo off -set winddk=c:\WinDDK\7600.16385.1 +set winddk=%SystemDrive%\WinDDK\7600.16385.1 set mimidrv=%~dp0 set path=%systemroot%;%systemroot%\system32 diff --git a/mimikatz/modules/kuhl_m_standard.c b/mimikatz/modules/kuhl_m_standard.c index b39e7b8..ab22309 100644 --- a/mimikatz/modules/kuhl_m_standard.c +++ b/mimikatz/modules/kuhl_m_standard.c 
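Review bot: The globals.h hunk drops `MIMIKATZ_PIPE_PATH`, but no hunk in this patch removes a use of it, so any remaining reference elsewhere in the tree would now fail to compile; if the macro is genuinely dead, saying so in the commit message would make the removal easy to verify. The new `MIMIKATZ_DEFAULT_LOG` uses the same `MIMIKATZ L"..."` concatenation already used by `MIMIKATZ_FULL` two lines above, so that part is consistent with the file.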
@@ -12,6 +12,7 @@ const KUHL_M_C kuhl_m_c_standard[] = { {kuhl_m_standard_answer, L"answer", L"Answer to the Ultimate Question of Life, the Universe, and Everything"}, {kuhl_m_standard_sleep, L"sleep", L"Sleep an amount of milliseconds"}, {kuhl_m_standard_log, L"log", L"Log mimikatz input/output to file"}, + {kuhl_m_standard_base64, L"base64", L"Switch file output/base64 output"}, {kuhl_m_standard_version, L"version", L"Display some version informations"}, }; const KUHL_M kuhl_m_standard = { 
@@ -21,60 +22,6 @@ const KUHL_M kuhl_m_standard = { /* NTSTATUS kuhl_m_standard_test(int argc, wchar_t * argv[]) { - SC_HANDLE hSC, hS; - DWORD i, szRoot, szNeeded, cbServices; - LPWSTR systemRoot; - LPENUM_SERVICE_STATUS_PROCESSW pEnumServiceBuffer; - LPQUERY_SERVICE_CONFIG pServiceConfigBuffer; - - if(szRoot = GetEnvironmentVariable(L"SystemRoot", NULL, 0)) - { - if(systemRoot = (LPWSTR) LocalAlloc(LPTR, szRoot * sizeof(wchar_t))) - { - if(GetEnvironmentVariable(L"SystemRoot", systemRoot, szRoot)) - { - if(hSC = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_CONNECT | SC_MANAGER_ENUMERATE_SERVICE)) - { - if(!EnumServicesStatusEx(hSC, SC_ENUM_PROCESS_INFO, SERVICE_TYPE_ALL, SERVICE_STATE_ALL, NULL, 0, &szNeeded, &cbServices, NULL, NULL) && (GetLastError() == ERROR_MORE_DATA)) - { - if(pEnumServiceBuffer = (LPENUM_SERVICE_STATUS_PROCESSW) LocalAlloc(LPTR, szNeeded)) - { - if(EnumServicesStatusEx(hSC, SC_ENUM_PROCESS_INFO, SERVICE_TYPE_ALL, SERVICE_STATE_ALL, (PBYTE) pEnumServiceBuffer, szNeeded, &szNeeded, &cbServices, NULL, NULL)) - { - for(i = 0; i < cbServices; i ++) - { - if(hS = OpenService(hSC, pEnumServiceBuffer[i].lpServiceName, SERVICE_QUERY_CONFIG)) - { - if(!QueryServiceConfig(hS, NULL, 0, &szNeeded) && (GetLastError() == ERROR_INSUFFICIENT_BUFFER)) - { - if(pServiceConfigBuffer = (LPQUERY_SERVICE_CONFIG) LocalAlloc(LPTR, szNeeded)) - { - if(QueryServiceConfig(hS, pServiceConfigBuffer, szNeeded, &szNeeded) && (GetLastError() == ERROR_INSUFFICIENT_BUFFER)) - { - if( - (_wcsnicmp(pServiceConfigBuffer->lpBinaryPathName, systemRoot, szRoot - 1) != 0) && - (_wcsnicmp(pServiceConfigBuffer->lpBinaryPathName, L"system32\\", 9) != 0) && - (_wcsnicmp(pServiceConfigBuffer->lpBinaryPathName, L"\\SystemRoot\\system32\\", 21) != 0) && - (_wcsnicmp(pServiceConfigBuffer->lpBinaryPathName, L"\\??\\", 4) != 0) - ) - kprintf(L"%s\t%s\n", pEnumServiceBuffer[i].lpServiceName, pServiceConfigBuffer->lpBinaryPathName); - } - LocalFree(pServiceConfigBuffer); - } - } 
else PRINT_ERROR_AUTO(L"QueryServiceConfig"); - CloseServiceHandle(hS); - } else PRINT_ERROR_AUTO(L"OpenService"); - } - } else PRINT_ERROR_AUTO(L"EnumServicesStatusEx"); - LocalFree(pEnumServiceBuffer); - } - } else PRINT_ERROR_AUTO(L"EnumServicesStatusEx"); - CloseServiceHandle(hSC); - } - } - LocalFree(systemRoot); - } - } return STATUS_SUCCESS; } */ @@ -119,6 +66,14 @@ NTSTATUS kuhl_m_standard_log(int argc, wchar_t * argv[]) return STATUS_SUCCESS; } +NTSTATUS kuhl_m_standard_base64(int argc, wchar_t * argv[]) +{ + kprintf(L"isBase64Intercept was : %s\n", isBase64Intercept ? L"true" : L"false"); + isBase64Intercept = !isBase64Intercept; + kprintf(L"isBase64Intercept is now : %s\n", isBase64Intercept ? L"true" : L"false"); + return STATUS_SUCCESS; +} + NTSTATUS kuhl_m_standard_version(int argc, wchar_t * argv[]) { BOOL isWow64; diff --git a/mimikatz/modules/kuhl_m_standard.h b/mimikatz/modules/kuhl_m_standard.h index a0acef8..e3287a3 100644 --- a/mimikatz/modules/kuhl_m_standard.h +++ b/mimikatz/modules/kuhl_m_standard.h @@ -6,6 +6,7 @@ #pragma once #include "kuhl_m.h" #include "../modules/kull_m_string.h" +#include "../modules/kull_m_file.h" const KUHL_M kuhl_m_standard; @@ -15,6 +16,7 @@ NTSTATUS kuhl_m_standard_cite(int argc, wchar_t * argv[]); NTSTATUS kuhl_m_standard_answer(int argc, wchar_t * argv[]); NTSTATUS kuhl_m_standard_sleep(int argc, wchar_t * argv[]); NTSTATUS kuhl_m_standard_log(int argc, wchar_t * argv[]); +NTSTATUS kuhl_m_standard_base64(int argc, wchar_t * argv[]); NTSTATUS kuhl_m_standard_version(int argc, wchar_t * argv[]); NTSTATUS kuhl_m_standard_test(int argc, wchar_t * argv[]); \ No newline at end of file diff --git a/modules/kull_m_file.c b/modules/kull_m_file.c index 1fb9b69..e4350af 100644 --- a/modules/kull_m_file.c +++ b/modules/kull_m_file.c @@ -5,6 +5,8 @@ */ #include "kull_m_file.h" +BOOL isBase64Intercept = FALSE; + BOOL kull_m_file_getCurrentDirectory(wchar_t ** ppDirName) { BOOL reussite = FALSE; 
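Review bot: kuhl_m_standard_base64 flips a global whose effect is not visible at this point and the new function carries no comment; add above it `/* Toggles isBase64Intercept (defined in kull_m_file.c): while TRUE, kull_m_file_writeData prints the data as base64 through kprintf instead of creating the file. */`. Because the command toggles rather than sets the flag, its result depends on how many times it has already run in a scripted command sequence; the unused argc/argv could accept an explicit on/off value so a script can pin the state, though how the sibling commands treat their arguments is outside this hunk. The flag is declared in kull_m_file.h, which kuhl_m_standard.h now includes, so no new declaration is needed here.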
@@ -56,10 +58,28 @@ BOOL kull_m_file_isFileExist(wchar_t *fileName) BOOL kull_m_file_writeData(PCWCHAR fileName, PBYTE data, DWORD lenght) { BOOL reussite = FALSE; - DWORD dwBytesWritten; - HANDLE hFile = CreateFile(fileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL); + DWORD dwBytesWritten = 0, i; + HANDLE hFile = NULL; + LPWSTR base64; - if(hFile && hFile != INVALID_HANDLE_VALUE) + if(isBase64Intercept) + { + if(CryptBinaryToString(data, lenght, CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF, NULL, &dwBytesWritten)) + { + if(base64 = (LPWSTR) LocalAlloc(LPTR, dwBytesWritten * sizeof(wchar_t))) + { + if(reussite = CryptBinaryToString(data, lenght, CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF, base64, &dwBytesWritten)) + { + kprintf(L"\n===================\nBase64 interception\n===================\n"); + for(i = 0; i < dwBytesWritten; i++) + kprintf(L"%c", base64[i]); + kprintf(L"\n===================\n"); + } + LocalFree(base64); + } + } + } + else if((hFile = CreateFile(fileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL)) && hFile != INVALID_HANDLE_VALUE) { if(WriteFile(hFile, data, lenght, &dwBytesWritten, NULL) && (lenght == dwBytesWritten)) reussite = FlushFileBuffers(hFile); diff --git a/modules/kull_m_file.h b/modules/kull_m_file.h index 0338a69..c2ae519 100644 --- a/modules/kull_m_file.h +++ b/modules/kull_m_file.h @@ -4,9 +4,11 @@ Licence : http://creativecommons.org/licenses/by/3.0/fr/ */ #pragma once -#include +#include "globals.h" #include +BOOL isBase64Intercept; + BOOL kull_m_file_getCurrentDirectory(wchar_t ** ppDirName); BOOL kull_m_file_getAbsolutePathOf(wchar_t *thisData, wchar_t ** reponse); BOOL kull_m_file_isFileExist(wchar_t *fileName); diff --git a/modules/kull_m_string.c b/modules/kull_m_string.c index e3bf99a..d795047 100644 --- a/modules/kull_m_string.c +++ b/modules/kull_m_string.c 
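Review bot: In the new intercept branch of kull_m_file_writeData the `for` loop that kprintf's `base64` one character at a time is unnecessary: LocalAlloc(LPTR) zero-fills the buffer and CryptBinaryToString NUL-terminates its output, so `kprintf(L"%s", base64);` prints the same text and sidesteps the question of whether `dwBytesWritten` on return counts the terminator (the sizing call's count does, so the loop may emit a stray NUL into the console or log — confirm against the API documentation). Reusing `dwBytesWritten` as a character count in this branch and a byte count in the WriteFile branch is also confusing; a separate `cchBase64` would read better. With the intercept on, the function returns `reussite` = TRUE without creating `fileName`, so a caller that reports a file as written would be misleading; putting the intended name in the banner, e.g. `kprintf(L"\n===================\nBase64 interception (%s)\n===================\n", fileName);`, keeps the printed data attributable. The CloseHandle and return at the end of kull_m_file_writeData lie outside this hunk.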
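Review bot: The `BOOL isBase64Intercept;` added to kull_m_file.h is a tentative definition, not a declaration, so every translation unit that includes the header (kuhl_m_standard.h now does) defines the symbol again alongside the initialised definition in kull_m_file.c, and the build links only because the toolchain merges common symbols. It should read `extern BOOL isBase64Intercept;`, leaving kull_m_file.c as the single definition. The two `#include` context lines in this hunk appear to have lost their angle-bracketed header names in rendering, so I cannot tell which include the `"globals.h"` line replaced.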
@@ -47,40 +47,7 @@ void kull_m_string_freeUnicodeStringBuffer(PUNICODE_STRING pString) if(pString->Buffer) LocalFree(pString->Buffer); } -/* -VOID kull_m_string_outputHighUnicodeString(PLSA_UNICODE_STRING pString) -{ - DWORD dwSize; - wchar_t * ptr = NULL; - if(pString) - { - ptr = pString->Buffer; - dwSize = pString->Length / sizeof(wchar_t); - } - kull_m_string_outputHighWideStringWithLen(ptr, dwSize); -} -VOID kull_m_string_outputHighWideString(wchar_t * pString) -{ - DWORD dwSize; - if(pString) - dwSize = (DWORD) wcslen(pString); - kull_m_string_outputHighWideStringWithLen(pString, dwSize); -} - -VOID kull_m_string_outputHighWideStringWithLen(wchar_t * pString, DWORD dwSize) -{ - //DWORD dwhConWritten; - //HANDLE hConOut = GetStdHandle(STD_OUTPUT_HANDLE); - if(!pString) - { - pString = L"(null)"; - dwSize = 6; - } - kprintf(L"%.*s", dwSize, pString); - //WriteConsole(hConOut, pString, dwSize, &dwhConWritten, NULL); -} -*/ wchar_t * kull_m_string_qad_ansi_to_unicode(const char * ansi) { wchar_t * buffer = NULL; diff --git a/modules/kull_m_string.h b/modules/kull_m_string.h index 90e1a12..9a4dfa0 100644 --- a/modules/kull_m_string.h +++ b/modules/kull_m_string.h @@ -42,9 +42,6 @@ BOOL kull_m_string_suspectUnicodeStringStructure(IN PUNICODE_STRING pUnicodeStri BOOL kull_m_string_getUnicodeString(IN PUNICODE_STRING string, IN PKULL_M_MEMORY_HANDLE source); void kull_m_string_freeUnicodeStringBuffer(PUNICODE_STRING pString); BOOL kull_m_string_suspectUnicodeString(IN PUNICODE_STRING pUnicodeString); -/*VOID kull_m_string_outputHighUnicodeString(PLSA_UNICODE_STRING pString); -VOID kull_m_string_outputHighWideString(wchar_t * pString); -VOID kull_m_string_outputHighWideStringWithLen(wchar_t * pString, DWORD dwSize);*/ wchar_t * kull_m_string_qad_ansi_to_unicode(const char * ansi); wchar_t * kull_m_string_qad_ansi_c_to_unicode(const char * ansi, SIZE_T szStr);