/* Benjamin DELPY `gentilkiwi` http://blog.gentilkiwi.com benjamin@gentilkiwi.com Licence : http://creativecommons.org/licenses/by/3.0/fr/ */
#pragma once
#include "kuhl_m_sekurlsa_utils.h"
#include "kuhl_m_sekurlsa_nt6.h"
#include "kuhl_m_sekurlsa_packages.h"

/*
 * Build number of the inspected Windows image; presumably compared against
 * the KULL_M_WIN_BUILD_* constants at the end of this header to pick
 * per-version structure layouts -- confirm against the .c side.
 *
 * NOTE(review): this is a tentative *definition* of a global inside a header,
 * not a declaration. `#pragma once` only protects one translation unit, so
 * every .c file that includes this header emits its own copy and relies on
 * the linker merging common symbols. The conventional fix is
 * `extern USHORT NtBuildNumber;` here plus exactly one definition in a .c
 * file; verify that no translation unit depends on this header providing the
 * definition before changing it.
 */
USHORT NtBuildNumber;

/*
 * Output-format flags, presumably for the `flags` argument of
 * kuhl_m_sekurlsa_genericCredsOutput() declared below -- confirm.
 *
 * Bits 0-1 select the basic layout: RAW (0), LINE (1) or NEWLINE (2).
 */
#define KUHL_SEKURLSA_CREDS_DISPLAY_RAW 0x00000000
#define KUHL_SEKURLSA_CREDS_DISPLAY_LINE 0x00000001
#define KUHL_SEKURLSA_CREDS_DISPLAY_NEWLINE 0x00000002
/*
 * Bit 27 (CREDENTIAL) is a single-bit flag. Bits 24-26 form a 3-bit field
 * covered by CREDENTIAL_MASK that holds one of the enumerated values
 * PRIMARY (1), PRIMARY_10 (2) or CREDENTIALKEY (3); these are field values,
 * not independent bits, so callers must test them as
 * `(flags & KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK) == value`, never
 * with a plain bitwise AND.
 */
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL 0x08000000
#define KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY 0x01000000
#define KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY_10 0x02000000
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY 0x03000000
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK 0x07000000
/* Remaining flags are independent single bits (21-23 and 28-31). */
#define KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST 0x00200000
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDMANPASS 0x00400000
#define KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE 0x00800000
#define KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT 0x10000000
#define KUHL_SEKURLSA_CREDS_DISPLAY_WPASSONLY 0x20000000
#define KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN 0x40000000
#define KUHL_SEKURLSA_CREDS_DISPLAY_SSP 0x80000000

/*
 * Per-package callback type stored in KUHL_M_SEKURLSA_PACKAGE::callback.
 * Both parameters are inputs: an address (ULONG_PTR) named after a logon
 * session table, and a pointer to basic logon-session data. Who invokes it
 * and with what is not visible from this header.
 */
typedef void (CALLBACK * PKUHL_M_SEKURLSA_PACKAGE_CALLBACK) (IN ULONG_PTR pKerbGlobalLogonSessionTable, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData);

/*
 * Descriptor for one security package handled by this extension.
 * Field order is part of the layout; do not reorder.
 */
typedef struct _KUHL_M_SEKURLSA_PACKAGE {
	const char * name;                                    /* display name of the package */
	const char * symbolName;                              /* symbol looked up for this package */
	ULONG_PTR symbolPtr;                                  /* address associated with symbolName; presumably filled in at runtime -- confirm */
	const PKUHL_M_SEKURLSA_PACKAGE_CALLBACK callback;     /* per-package handler, fixed at initialisation (const member) */
} KUHL_M_SEKURLSA_PACKAGE, *PKUHL_M_SEKURLSA_PACKAGE;

/*
 * Size and field offsets of a logon-session structure, expressed as byte
 * offsets so the same enumeration code can walk differently laid-out
 * structures. Presumably one instance exists per supported build (see the
 * KULL_M_WIN_BUILD_* constants below) -- confirm against the .c side.
 * `tailleStruct` is French for "struct size".
 */
typedef struct _KUHL_M_SEKURLSA_ENUM_HELPER {
	ULONG tailleStruct;             /* total size of the described structure */
	ULONG offsetToLuid;
	ULONG offsetToLogonType;
	ULONG offsetToSession;
	ULONG offsetToUsername;
	ULONG offsetToDomain;
	ULONG offsetToCredentials;
	ULONG offsetToPSid;
	ULONG offsetToCredentialManager;
	ULONG offsetToLogonTime;
	ULONG offsetToLogonServer;
} KUHL_M_SEKURLSA_ENUM_HELPER, *PKUHL_M_SEKURLSA_ENUM_HELPER;

/* WinDbg extension entry points (wdbgexts.h conventions: WDBGAPI, DECLARE_API). */
LPEXT_API_VERSION WDBGAPI ExtensionApiVersion (void);
VOID CheckVersion(void);
VOID WDBGAPI WinDbgExtensionDllInit (PWINDBG_EXTENSION_APIS lpExtensionApis, USHORT usMajorVersion, USHORT usMinorVersion);
DECLARE_API(mimikatz);

/*
 * Output helpers.
 *  - genericCredsOutput: prints a generic primary credential for logon `luid`,
 *    formatted according to `flags` (see KUHL_SEKURLSA_CREDS_DISPLAY_* above).
 *  - genericKeyOutput: prints a marshalled key; `dirtyBase` is an in/out
 *    pointer whose exact contract is not visible here -- check the definition.
 */
VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds, PLUID luid, ULONG flags);
VOID kuhl_m_sekurlsa_genericKeyOutput(struct _MARSHALL_KEY * key, PVOID * dirtyBase);

/*
 * Windows build numbers: KULL_M_WIN_BUILD_* are the release builds,
 * KULL_M_WIN_MIN_BUILD_* the lower bound of the range treated as that
 * version (so pre-release builds map to the nearest release). BLUE is
 * Windows 8.1. Note that for Windows 10 both constants are 9800, so there is
 * no pre-release margin for that entry.
 */
#define KULL_M_WIN_BUILD_XP 2600
#define KULL_M_WIN_BUILD_2K3 3790
#define KULL_M_WIN_BUILD_VISTA 6000
#define KULL_M_WIN_BUILD_7 7600
#define KULL_M_WIN_BUILD_8 9200
#define KULL_M_WIN_BUILD_BLUE 9600
#define KULL_M_WIN_BUILD_10 9800
#define KULL_M_WIN_MIN_BUILD_XP 2500
#define KULL_M_WIN_MIN_BUILD_2K3 3000
#define KULL_M_WIN_MIN_BUILD_VISTA 6000
#define KULL_M_WIN_MIN_BUILD_7 7000
#define KULL_M_WIN_MIN_BUILD_8 8000
#define KULL_M_WIN_MIN_BUILD_BLUE 9400
#define KULL_M_WIN_MIN_BUILD_10 9800