RepoMirrors
/
mimikatz
mirror of https://github.com/gentilkiwi/mimikatz
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[fix] missing fltuser* includes 

[fix] mimidrv version
This commit is contained in:
Benjamin DELPY 2017-12-10 18:12:21 +01:00
parent 5e712a34d0
commit 9e42ea3b28
5 changed files with 1028 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
README.md
View File

@ -121,6 +121,11 @@ Follow instructions:
## Licence
CC BY 4.0 licence - https://creativecommons.org/licenses/by/4.0/
`mimikatz` needs coffee to be developed:
* ETH: 0x3a56af999b5e68f9e6e0a7dce1833efefad5b470
* BTC: 1C6bubazp9xq3BfYiHvsqP1sEhFYykUDo5
* PayPal: https://www.paypal.me/delpy/
## Author
* Benjamin DELPY `gentilkiwi`, you can contact me on Twitter ( @gentilkiwi ) or by mail ( benjamin [at] gentilkiwi.com )
* DCSync function in `lsadump` module was co-writed with Vincent LE TOUX, you can contact him by mail ( vincent.letoux [at] gmail.com ) or visit his website ( http://www.mysmartlogon.com )

420
inc/fltUser.h Normal file
View File

@ -0,0 +1,420 @@
/*++
Copyright (c) 1989-2002 Microsoft Corporation
Module Name:
fltUser.h
Abstract:
Header file which contains the structures, type definitions,
constants, global variables and function prototypes that are
visible to user mode applications that interact with filters.
Environment:
User mode
--*/
#ifndef __FLTUSER_H__
#define __FLTUSER_H__
//
// IMPORTANT!!!!!
//
// This is how FltMgr was released (from oldest to newest)
// xpsp2, (srv03, w2ksp5), LH, Win7
//
//
// The defines items that are part of the filter manager baseline
//
#define FLT_MGR_BASELINE (((OSVER(NTDDI_VERSION) == NTDDI_WIN2K) && (SPVER(NTDDI_VERSION) >= SPVER(NTDDI_WIN2KSP4))) || \
((OSVER(NTDDI_VERSION) == NTDDI_WINXP) && (SPVER(NTDDI_VERSION) >= SPVER(NTDDI_WINXPSP2))) || \
((OSVER(NTDDI_VERSION) == NTDDI_WS03) && (SPVER(NTDDI_VERSION) >= SPVER(NTDDI_WS03SP1))) || \
(NTDDI_VERSION >= NTDDI_VISTA))
//
// This defines items that were added after XPSP2 was released. This means
// they are in Srv03 SP1, W2K SP4+URP, and Longhorn and above.
//
#define FLT_MGR_AFTER_XPSP2 (((OSVER(NTDDI_VERSION) == NTDDI_WIN2K) && (SPVER(NTDDI_VERSION) >= SPVER(NTDDI_WIN2KSP4))) || \
((OSVER(NTDDI_VERSION) == NTDDI_WINXP) && (SPVER(NTDDI_VERSION) > SPVER(NTDDI_WINXPSP2))) || \
((OSVER(NTDDI_VERSION) == NTDDI_WS03) && (SPVER(NTDDI_VERSION) >= SPVER(NTDDI_WS03SP1))) || \
(NTDDI_VERSION >= NTDDI_VISTA))
//
// This defines items that only exist in longhorn or later
//
#define FLT_MGR_LONGHORN (NTDDI_VERSION >= NTDDI_VISTA)
//
// This defines items that only exist in Windows 7 or later
//
#define FLT_MGR_WIN7 (NTDDI_VERSION >= NTDDI_WIN7)
///////////////////////////////////////////////////////////////////////////////
//
// Standard includes
//
///////////////////////////////////////////////////////////////////////////////
#include <fltUserStructures.h>
#ifdef __cplusplus
extern "C" {
#endif
//
// These are all of the baseline set of user-mode functions in FltMgr.
//
#if FLT_MGR_BASELINE
//
// Functions for loading, unloading and monitoring Filters
//
__checkReturn
HRESULT
WINAPI
FilterLoad (
__in LPCWSTR lpFilterName
);
__checkReturn
HRESULT
WINAPI
FilterUnload (
__in LPCWSTR lpFilterName
);
//****************************************************************************
//
// Functions for creating and closing handles
//
//****************************************************************************
//
// Filter
//
__checkReturn
HRESULT
WINAPI
FilterCreate (
__in LPCWSTR lpFilterName,
__deref_out HFILTER *hFilter
);
HRESULT
WINAPI
FilterClose(
__in HFILTER hFilter
);
//
// FilterInstance
//
__checkReturn
HRESULT
WINAPI
FilterInstanceCreate (
__in LPCWSTR lpFilterName,
__in LPCWSTR lpVolumeName,
__in_opt LPCWSTR lpInstanceName,
__deref_out HFILTER_INSTANCE *hInstance
);
HRESULT
WINAPI
FilterInstanceClose(
__in HFILTER_INSTANCE hInstance
);
//****************************************************************************
//
// Functions for creating and deleting FilterInstances in the
// device stack.
//
//****************************************************************************
__checkReturn
HRESULT
WINAPI
FilterAttach (
__in LPCWSTR lpFilterName,
__in LPCWSTR lpVolumeName,
__in_opt LPCWSTR lpInstanceName ,
__in_opt DWORD dwCreatedInstanceNameLength ,
__out_bcount_opt(dwCreatedInstanceNameLength) LPWSTR lpCreatedInstanceName
);
__checkReturn
HRESULT
WINAPI
FilterAttachAtAltitude (
__in LPCWSTR lpFilterName,
__in LPCWSTR lpVolumeName,
__in LPCWSTR lpAltitude,
__in_opt LPCWSTR lpInstanceName ,
__in_opt DWORD dwCreatedInstanceNameLength ,
__out_bcount_opt(dwCreatedInstanceNameLength) LPWSTR lpCreatedInstanceName
);
__checkReturn
HRESULT
WINAPI
FilterDetach (
__in LPCWSTR lpFilterName,
__in LPCWSTR lpVolumeName,
__in_opt LPCWSTR lpInstanceName
);
//****************************************************************************
//
// Functions for iterating through Filters and FilterInstances and
// getting information on a Filter or FilterInstance.
//
//****************************************************************************
//
// Functions for iterating through Filters
//
__checkReturn
HRESULT
WINAPI
FilterFindFirst (
__in FILTER_INFORMATION_CLASS dwInformationClass,
__out_bcount_part(dwBufferSize,*lpBytesReturned) LPVOID lpBuffer,
__in DWORD dwBufferSize,
__out LPDWORD lpBytesReturned,
__out LPHANDLE lpFilterFind
);
__checkReturn
HRESULT
WINAPI
FilterFindNext (
__in HANDLE hFilterFind,
__in FILTER_INFORMATION_CLASS dwInformationClass,
__out_bcount_part(dwBufferSize,*lpBytesReturned) LPVOID lpBuffer,
__in DWORD dwBufferSize,
__out LPDWORD lpBytesReturned
);
__checkReturn
HRESULT
WINAPI
FilterFindClose(
__in HANDLE hFilterFind
);
__checkReturn
HRESULT
WINAPI
FilterVolumeFindFirst (
__in FILTER_VOLUME_INFORMATION_CLASS dwInformationClass,
__out_bcount_part(dwBufferSize,*lpBytesReturned) LPVOID lpBuffer,
__in DWORD dwBufferSize,
__out LPDWORD lpBytesReturned,
__out PHANDLE lpVolumeFind
);
__checkReturn
HRESULT
WINAPI
FilterVolumeFindNext (
__in HANDLE hVolumeFind,
__in FILTER_VOLUME_INFORMATION_CLASS dwInformationClass,
__out_bcount_part(dwBufferSize,*lpBytesReturned) LPVOID lpBuffer,
__in DWORD dwBufferSize,
__out LPDWORD lpBytesReturned
);
HRESULT
WINAPI
FilterVolumeFindClose(
__in HANDLE hVolumeFind
);
//
// Functions for iterating through FilterInstances
//
__checkReturn
HRESULT
WINAPI
FilterInstanceFindFirst (
__in LPCWSTR lpFilterName,
__in INSTANCE_INFORMATION_CLASS dwInformationClass,
__out_bcount_part(dwBufferSize,*lpBytesReturned) LPVOID lpBuffer,
__in DWORD dwBufferSize,
__out LPDWORD lpBytesReturned,
__out LPHANDLE lpFilterInstanceFind
);
__checkReturn
HRESULT
WINAPI
FilterInstanceFindNext (
__in HANDLE hFilterInstanceFind,
__in INSTANCE_INFORMATION_CLASS dwInformationClass,
__out_bcount_part(dwBufferSize,*lpBytesReturned) LPVOID lpBuffer,
__in DWORD dwBufferSize,
__out LPDWORD lpBytesReturned
);
__checkReturn
HRESULT
WINAPI
FilterInstanceFindClose(
__in HANDLE hFilterInstanceFind
);
//
// Functions for iterating through VolumeInstances
//
__checkReturn
HRESULT
WINAPI
FilterVolumeInstanceFindFirst (
__in LPCWSTR lpVolumeName,
__in INSTANCE_INFORMATION_CLASS dwInformationClass,
__out_bcount_part(dwBufferSize,*lpBytesReturned) LPVOID lpBuffer,
__in DWORD dwBufferSize,
__out LPDWORD lpBytesReturned,
__out LPHANDLE lpVolumeInstanceFind
);
__checkReturn
HRESULT
WINAPI
FilterVolumeInstanceFindNext (
__in HANDLE hVolumeInstanceFind,
__in INSTANCE_INFORMATION_CLASS dwInformationClass,
__out_bcount_part(dwBufferSize,*lpBytesReturned) LPVOID lpBuffer,
__in DWORD dwBufferSize,
__out LPDWORD lpBytesReturned
);
HRESULT
WINAPI
FilterVolumeInstanceFindClose(
__in HANDLE hVolumeInstanceFind
);
//
// Functions for getting information on Filters and FilterInstances
//
__checkReturn
HRESULT
WINAPI
FilterGetInformation (
__in HFILTER hFilter,
__in FILTER_INFORMATION_CLASS dwInformationClass,
__out_bcount_part(dwBufferSize,*lpBytesReturned) LPVOID lpBuffer,
__in DWORD dwBufferSize,
__out LPDWORD lpBytesReturned
);
__checkReturn
HRESULT
WINAPI
FilterInstanceGetInformation (
__in HFILTER_INSTANCE hInstance,
__in INSTANCE_INFORMATION_CLASS dwInformationClass,
__out_bcount_part(dwBufferSize,*lpBytesReturned) LPVOID lpBuffer,
__in DWORD dwBufferSize,
__out LPDWORD lpBytesReturned
);
//****************************************************************************
//
// Functions for communicating with Filters and FilterInstances
//
//****************************************************************************
__checkReturn
HRESULT
WINAPI
FilterConnectCommunicationPort(
__in LPCWSTR lpPortName,
__in DWORD dwOptions,
__in_bcount_opt(wSizeOfContext) LPCVOID lpContext,
__in WORD wSizeOfContext,
__in_opt LPSECURITY_ATTRIBUTES lpSecurityAttributes ,
__deref_out HANDLE *hPort
);
__checkReturn
HRESULT
WINAPI
FilterSendMessage (
__in HANDLE hPort,
__in_bcount_opt(dwInBufferSize) LPVOID lpInBuffer,
__in DWORD dwInBufferSize,
__out_bcount_part_opt(dwOutBufferSize,*lpBytesReturned) LPVOID lpOutBuffer,
__in DWORD dwOutBufferSize,
__out LPDWORD lpBytesReturned
);
__checkReturn
HRESULT
WINAPI
FilterGetMessage (
__in HANDLE hPort,
__out_bcount(dwMessageBufferSize) PFILTER_MESSAGE_HEADER lpMessageBuffer,
__in DWORD dwMessageBufferSize,
__inout LPOVERLAPPED lpOverlapped
);
__checkReturn
HRESULT
WINAPI
FilterReplyMessage (
__in HANDLE hPort,
__in_bcount(dwReplyBufferSize) PFILTER_REPLY_HEADER lpReplyBuffer,
__in DWORD dwReplyBufferSize
);
//****************************************************************************
//
// Other support functions
//
//****************************************************************************
__checkReturn
HRESULT
WINAPI
FilterGetDosName (
__in LPCWSTR lpVolumeName,
__out_ecount(dwDosNameBufferSize) LPWSTR lpDosName,
__in DWORD dwDosNameBufferSize
);
#endif // end the FLT_MGR_BASELINE
#ifdef __cplusplus
} // Balance extern "C" above
#endif
#endif /* __FLTUSER_H__ */

601
inc/fltUserStructures.h Normal file
View File

@ -0,0 +1,601 @@
/*++
Copyright (c) 1989-2002 Microsoft Corporation
Module Name:
fltUserStructures.h
Abstract:
This contains structures, types, and defintiions that are common to both
USER mode and KERNEL mode environments.
Environment:
User mode
--*/
#ifndef __FLT_USER_STRUCTURES_H__
#define __FLT_USER_STRUCTURES_H__
#if FLT_MGR_BASELINE
//
// Disable warning for this file
//
#define FLTAPI NTAPI
#define FILTER_NAME_MAX_CHARS 255
#define FILTER_NAME_MAX_BYTES (FILTER_NAME_MAX_CHARS * sizeof( WCHAR ))
#define VOLUME_NAME_MAX_CHARS 1024
#define VOLUME_NAME_MAX_BYTES (VOLUME_NAME_MAX_CHARS * sizeof( WCHAR ))
#define INSTANCE_NAME_MAX_CHARS 255
#define INSTANCE_NAME_MAX_BYTES (INSTANCE_NAME_MAX_CHARS * sizeof( WCHAR ))
typedef HANDLE HFILTER;
typedef HANDLE HFILTER_INSTANCE;
typedef HANDLE HFILTER_VOLUME;
//
// Note: this may be removed in future when all translations from NTSTATUS to
// Win32 error codes are checked in. This is interim - since there the
// translation is not in for all filter manager error codes,
// apps will have to access NTSTATUS codes directly
//
typedef __success(return >= 0) LONG NTSTATUS;
typedef NTSTATUS *PNTSTATUS;
///////////////////////////////////////////////////////////////////////////////
//
// Known File System Types
//
///////////////////////////////////////////////////////////////////////////////
typedef enum _FLT_FILESYSTEM_TYPE {
FLT_FSTYPE_UNKNOWN, //an UNKNOWN file system type
FLT_FSTYPE_RAW, //Microsoft's RAW file system (\FileSystem\RAW)
FLT_FSTYPE_NTFS, //Microsoft's NTFS file system (\FileSystem\Ntfs)
FLT_FSTYPE_FAT, //Microsoft's FAT file system (\FileSystem\Fastfat)
FLT_FSTYPE_CDFS, //Microsoft's CDFS file system (\FileSystem\Cdfs)
FLT_FSTYPE_UDFS, //Microsoft's UDFS file system (\FileSystem\Udfs)
FLT_FSTYPE_LANMAN, //Microsoft's LanMan Redirector (\FileSystem\MRxSmb)
FLT_FSTYPE_WEBDAV, //Microsoft's WebDav redirector (\FileSystem\MRxDav)
FLT_FSTYPE_RDPDR, //Microsoft's Terminal Server redirector (\Driver\rdpdr)
FLT_FSTYPE_NFS, //Microsoft's NFS file system (\FileSystem\NfsRdr)
FLT_FSTYPE_MS_NETWARE, //Microsoft's NetWare redirector (\FileSystem\nwrdr)
FLT_FSTYPE_NETWARE, //Novell's NetWare redirector
FLT_FSTYPE_BSUDF, //The BsUDF CD-ROM driver (\FileSystem\BsUDF)
FLT_FSTYPE_MUP, //Microsoft's Mup redirector (\FileSystem\Mup)
FLT_FSTYPE_RSFX, //Microsoft's WinFS redirector (\FileSystem\RsFxDrv)
FLT_FSTYPE_ROXIO_UDF1, //Roxio's UDF writeable file system (\FileSystem\cdudf_xp)
FLT_FSTYPE_ROXIO_UDF2, //Roxio's UDF readable file system (\FileSystem\UdfReadr_xp)
FLT_FSTYPE_ROXIO_UDF3, //Roxio's DVD file system (\FileSystem\DVDVRRdr_xp)
FLT_FSTYPE_TACIT, //Tacit FileSystem (\Device\TCFSPSE)
FLT_FSTYPE_FS_REC, //Microsoft's File system recognizer (\FileSystem\Fs_rec)
FLT_FSTYPE_INCD, //Nero's InCD file system (\FileSystem\InCDfs)
FLT_FSTYPE_INCD_FAT, //Nero's InCD FAT file system (\FileSystem\InCDFat)
FLT_FSTYPE_EXFAT, //Microsoft's EXFat FILE SYSTEM (\FileSystem\exfat)
FLT_FSTYPE_PSFS, //PolyServ's file system (\FileSystem\psfs)
FLT_FSTYPE_GPFS //IBM General Parallel File System (\FileSystem\gpfs)
} FLT_FILESYSTEM_TYPE, *PFLT_FILESYSTEM_TYPE;
/////////////////////////////////////////////////////////////////////////////
//
// The different types information that can be return on an Filter.
//
// Note: Entries with "Aggregate" in the name return information for
// both LEGACY and MINI filters.
//
/////////////////////////////////////////////////////////////////////////////
//
// In xpsp2 we do not have the concept of enumerating legacy filters
// For this reason there is no FilterAggregateBasicInfo in the V1 version
// of the enum
//
typedef enum _FILTER_INFORMATION_CLASS {
FilterFullInformation,
FilterAggregateBasicInformation, //Added to XP SP2 via QFE
FilterAggregateStandardInformation //Longhorn and later
} FILTER_INFORMATION_CLASS, *PFILTER_INFORMATION_CLASS;
//
// The structures for the information returned from the query of
// information on a Filter.
//
typedef struct _FILTER_FULL_INFORMATION {
ULONG NextEntryOffset;
ULONG FrameID;
ULONG NumberOfInstances;
USHORT FilterNameLength;
WCHAR FilterNameBuffer[1];
} FILTER_FULL_INFORMATION, *PFILTER_FULL_INFORMATION;
//
// This structure returns information for both legacy filters and mini
// filters.
//
// NOTE: Support for this structures exists in all OS's that support
// filter manager except XP SP2. It was added later to XP SP2
// via a QFE.
//
typedef struct _FILTER_AGGREGATE_BASIC_INFORMATION {
ULONG NextEntryOffset;
//
// ABI - Aggregate Basic Information flags
//
ULONG Flags;
#define FLTFL_AGGREGATE_INFO_IS_MINIFILTER 0x00000001
#define FLTFL_AGGREGATE_INFO_IS_LEGACYFILTER 0x00000002
union {
//
// Minifilter FULL information
//
struct {
ULONG FrameID;
ULONG NumberOfInstances;
USHORT FilterNameLength;
USHORT FilterNameBufferOffset;
USHORT FilterAltitudeLength;
USHORT FilterAltitudeBufferOffset;
} MiniFilter;
//
// Legacyfilter information
//
struct {
USHORT FilterNameLength;
USHORT FilterNameBufferOffset;
} LegacyFilter;
} Type;
} FILTER_AGGREGATE_BASIC_INFORMATION, *PFILTER_AGGREGATE_BASIC_INFORMATION;
//
// This structure returns information for both legacy filters and mini
// filters.
//
// NOTE: Support for this structures exists in Vista and Later
//
#if FLT_MGR_LONGHORN
typedef struct _FILTER_AGGREGATE_STANDARD_INFORMATION {
ULONG NextEntryOffset;
//
// ASI - Aggregate Standard Information flags
//
ULONG Flags;
#define FLTFL_ASI_IS_MINIFILTER 0x00000001
#define FLTFL_ASI_IS_LEGACYFILTER 0x00000002
union {
//
// Minifilter FULL information
//
struct {
//
// ASIM - Aggregate Standard Information Minifilter flags
//
ULONG Flags;
ULONG FrameID;
ULONG NumberOfInstances;
USHORT FilterNameLength;
USHORT FilterNameBufferOffset;
USHORT FilterAltitudeLength;
USHORT FilterAltitudeBufferOffset;
} MiniFilter;
//
// Legacyfilter information
//
struct {
//
// ASIL - Aggregate Standard Information LegacyFilter flags
//
ULONG Flags;
USHORT FilterNameLength;
USHORT FilterNameBufferOffset;
USHORT FilterAltitudeLength;
USHORT FilterAltitudeBufferOffset;
} LegacyFilter;
} Type;
} FILTER_AGGREGATE_STANDARD_INFORMATION, *PFILTER_AGGREGATE_STANDARD_INFORMATION;
#endif // FLT_MGR_LONGHORN
/////////////////////////////////////////////////////////////////////////////
//
// The different types information that can be return for a Volume
//
/////////////////////////////////////////////////////////////////////////////
typedef enum _FILTER_VOLUME_INFORMATION_CLASS {
FilterVolumeBasicInformation,
FilterVolumeStandardInformation //Longhorn and later
} FILTER_VOLUME_INFORMATION_CLASS, *PFILTER_VOLUME_INFORMATION_CLASS;
//
// Basic information about a volume (its name)
//
typedef struct _FILTER_VOLUME_BASIC_INFORMATION {
//
// Length of name
//
USHORT FilterVolumeNameLength;
//
// Buffer containing name (it's NOT NULL-terminated)
//
WCHAR FilterVolumeName[1];
} FILTER_VOLUME_BASIC_INFORMATION, *PFILTER_VOLUME_BASIC_INFORMATION;
//
// Additional volume information.
//
// NOTE: Only available in LONGHORN and later OS's
//
#if FLT_MGR_LONGHORN
typedef struct _FILTER_VOLUME_STANDARD_INFORMATION {
ULONG NextEntryOffset;
//
// VSI - VOlume Standard Information flags
//
ULONG Flags;
//
// If set this volume is not current attached to a storage stack
//
#define FLTFL_VSI_DETACHED_VOLUME 0x00000001
//
// Identifies which frame this volume structure is in
//
ULONG FrameID;
//
// Identifies the type of file system being used on the volume
//
FLT_FILESYSTEM_TYPE FileSystemType;
//
// Length of name
//
USHORT FilterVolumeNameLength;
//
// Buffer containing name (it's NOT NULL-terminated)
//
WCHAR FilterVolumeName[1];
} FILTER_VOLUME_STANDARD_INFORMATION, *PFILTER_VOLUME_STANDARD_INFORMATION;
#endif // FLT_MGR_LONGHORN
/////////////////////////////////////////////////////////////////////////////
//
// The different types information that can be return on an Instance.
//
/////////////////////////////////////////////////////////////////////////////
typedef enum _INSTANCE_INFORMATION_CLASS {
InstanceBasicInformation,
InstancePartialInformation,
InstanceFullInformation,
InstanceAggregateStandardInformation //LONGHORN and later
} INSTANCE_INFORMATION_CLASS, *PINSTANCE_INFORMATION_CLASS;
//
// The structures for the information returned from the query of the information
// on the Instance.
//
typedef __struct_bcount(sizeof(INSTANCE_BASIC_INFORMATION) * InstanceNameLength) struct _INSTANCE_BASIC_INFORMATION {
ULONG NextEntryOffset;
USHORT InstanceNameLength;
USHORT InstanceNameBufferOffset;
} INSTANCE_BASIC_INFORMATION, *PINSTANCE_BASIC_INFORMATION;
typedef __struct_bcount(sizeof(INSTANCE_PARTIAL_INFORMATION) + InstanceNameLength + AltitudeLength) struct _INSTANCE_PARTIAL_INFORMATION {
ULONG NextEntryOffset;
USHORT InstanceNameLength;
USHORT InstanceNameBufferOffset;
USHORT AltitudeLength;
USHORT AltitudeBufferOffset;
} INSTANCE_PARTIAL_INFORMATION, *PINSTANCE_PARTIAL_INFORMATION;
typedef __struct_bcount(sizeof(INSTANCE_FULL_INFORMATION) + InstanceNameLength + AltitudeLength + VolumeNameLength + FilterNameLength) struct _INSTANCE_FULL_INFORMATION {
ULONG NextEntryOffset;
USHORT InstanceNameLength;
USHORT InstanceNameBufferOffset;
USHORT AltitudeLength;
USHORT AltitudeBufferOffset;
USHORT VolumeNameLength;
USHORT VolumeNameBufferOffset;
USHORT FilterNameLength;
USHORT FilterNameBufferOffset;
} INSTANCE_FULL_INFORMATION, *PINSTANCE_FULL_INFORMATION;
//
// This information class is used to return instance information about both
// legacy filters and minifilters.
//
#if FLT_MGR_LONGHORN
typedef struct _INSTANCE_AGGREGATE_STANDARD_INFORMATION {
ULONG NextEntryOffset;
//
// IASI - Instance Aggregate Standard Information flags
//
ULONG Flags;
#define FLTFL_IASI_IS_MINIFILTER 0x00000001
#define FLTFL_IASI_IS_LEGACYFILTER 0x00000002
union {
//
// MiniFilter information
//
struct {
//
// IASIM - Instance Aggregate Standard Information Minifilter flags
//
ULONG Flags;
//
// If set this volume is not current attached to a storage stack
//
#define FLTFL_IASIM_DETACHED_VOLUME 0x00000001
//
// Identifies which frame this volume structure is in
//
ULONG FrameID;
//
// The type of file system this instance is attached to
//
FLT_FILESYSTEM_TYPE VolumeFileSystemType;
//
// The name of this instance
//
USHORT InstanceNameLength;
USHORT InstanceNameBufferOffset;
//
// The altitude of this instance
//
USHORT AltitudeLength;
USHORT AltitudeBufferOffset;
//
// The volume name this instance is attached to
//
USHORT VolumeNameLength;
USHORT VolumeNameBufferOffset;
//
// The name of the minifilter associated with this instace
//
USHORT FilterNameLength;
USHORT FilterNameBufferOffset;
} MiniFilter;
//
// Legacyfilter information
//
struct {
//
// IASIL - Instance Aggregate Standard Information LegacyFilter flags
//
ULONG Flags;
//
// If set this volume is not current attached to a storage stack
//
#define FLTFL_IASIL_DETACHED_VOLUME 0x00000001
//
// The altitude of this attachment
//
USHORT AltitudeLength;
USHORT AltitudeBufferOffset;
//
// The volume name this filter is attached to
//
USHORT VolumeNameLength;
USHORT VolumeNameBufferOffset;
//
// The name of the filter associated with this attachment
//
USHORT FilterNameLength;
USHORT FilterNameBufferOffset;
} LegacyFilter;
} Type;
} INSTANCE_AGGREGATE_STANDARD_INFORMATION, *PINSTANCE_AGGREGATE_STANDARD_INFORMATION;
#endif // FLT_MGR_LONGHORN
/////////////////////////////////////////////////////////////////////////////
//
// Message defintitions
//
/////////////////////////////////////////////////////////////////////////////
typedef struct _FILTER_MESSAGE_HEADER {
//
// OUT
//
// Total buffer length in bytes, including the FILTER_REPLY_HEADER, of
// the expected reply. If no reply is expected, 0 is returned.
//
ULONG ReplyLength;
//
// OUT
//
// Unique Id for this message. This will be set when the kernel message
// satifies this FilterGetMessage or FilterInstanceGetMessage request.
// If replying to this message, this is the MessageId that should be used.
//
ULONGLONG MessageId;
//
// General filter-specific buffer data follows...
//
} FILTER_MESSAGE_HEADER, *PFILTER_MESSAGE_HEADER;
typedef struct _FILTER_REPLY_HEADER {
//
// IN.
//
// Status of this reply. This status will be returned back to the filter
// driver who is waiting for a reply.
//
NTSTATUS Status;
//
// IN
//
// Unique Id for this message. This id was returned in the
// FILTER_MESSAGE_HEADER from the kernel message to which we are replying.
//
ULONGLONG MessageId;
//
// General filter-specific buffer data follows...
//
} FILTER_REPLY_HEADER, *PFILTER_REPLY_HEADER;
#endif //FLT_MGR_BASELINE
#endif /* __FLT_USER_STRUCTURES_H__ */

BIN
mimidrv/mimidrv.rc
View File

Binary file not shown.

2
mimikatz.sln
View File

@ -16,6 +16,8 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "inc", "inc", "{282B4B77-BFF
inc\DbgHelp.h = inc\DbgHelp.h
inc\DhcpSSdk.h = inc\DhcpSSdk.h
inc\DsGetDC.h = inc\DsGetDC.h
inc\fltUser.h = inc\fltUser.h
inc\fltUserStructures.h = inc\fltUserStructures.h
inc\globals.h = inc\globals.h
inc\Midles.h = inc\Midles.h
inc\msasn1.h = inc\msasn1.h