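/* Benjamin DELPY `gentilkiwi`
   http://blog.gentilkiwi.com
   benjamin@gentilkiwi.com
   Licence : http://creativecommons.org/licenses/by/3.0/fr/
*/
#pragma once
#include "../utils.h"
//#define KDEXT_64BIT
/* NOTE(review): only a bare `#include` survived extraction here (the <...> target was
 * stripped). KDEXT_64BIT right above is the switch that configures the debugger-extension
 * header, so <wdbgexts.h> is the most plausible original -- confirm against upstream. */
#include <wdbgexts.h>

/*
 * Structure layouts used by the sekurlsa module to walk msv1_0 logon-session data.
 *
 * Everything below describes memory that is READ OUT OF A TARGET (an lsass address
 * space or a dump), not memory this module owns. Every Length / MaximumLength /
 * Buffer / Flink / Blink value inside these structures therefore originates in the
 * target and must be treated as untrusted: validate it (kull_m_string_suspectUnicodeString
 * at the bottom of this file presumably exists for that purpose -- confirm) before it is
 * used to size a read or a copy.
 */

/* The debugger headers provide STRING; give it the ntdef name used by the msv1_0 layouts. */
typedef STRING ANSI_STRING;

/*
 * Minimal copies of the ntddk RTL_BALANCED_LINKS / RTL_AVL_TABLE layouts, enough to walk
 * an AVL table from the target (see kuhl_m_sekurlsa_utils_pFromAVLByLuid below).
 */
typedef struct _RTL_BALANCED_LINKS {
	struct _RTL_BALANCED_LINKS *Parent;
	struct _RTL_BALANCED_LINKS *LeftChild;
	struct _RTL_BALANCED_LINKS *RightChild;
	CHAR Balance;
	UCHAR Reserved[3]; // align
} RTL_BALANCED_LINKS;
typedef RTL_BALANCED_LINKS *PRTL_BALANCED_LINKS;

typedef struct _RTL_AVL_TABLE {
	RTL_BALANCED_LINKS BalancedRoot;
	PVOID OrderedPointer;
	ULONG WhichOrderedElement;
	ULONG NumberGenericTableElements;
	ULONG DepthOfTree;
	PRTL_BALANCED_LINKS RestartKey;
	ULONG DeleteCount;
	PVOID CompareRoutine;
	/* The trailing routine/context pointers of the real table appear to be deliberately
	 * left out (kept commented), so this type is only a PREFIX of the kernel's
	 * RTL_AVL_TABLE: do not rely on sizeof(RTL_AVL_TABLE) or copy a whole table with it. */
	// PVOID AllocateRoutine;
	// PVOID FreeRoutine;
	// PVOID TableContext;
} RTL_AVL_TABLE, *PRTL_AVL_TABLE;

/* Credential triple (user / domain / password strings) in the form the module hands around. */
typedef struct _KIWI_GENERIC_PRIMARY_CREDENTIAL {
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	LSA_UNICODE_STRING Password;
} KIWI_GENERIC_PRIMARY_CREDENTIAL, *PKIWI_GENERIC_PRIMARY_CREDENTIAL;

/*
 * Singly-linked list of msv1_0 "primary" credential blobs. `Primary` names the blob kind
 * (ANSI); `Credentials` is an opaque byte range whose format this header does not describe.
 */
typedef struct _KIWI_MSV1_0_PRIMARY_CREDENTIALS {
	struct _KIWI_MSV1_0_PRIMARY_CREDENTIALS *next;
	ANSI_STRING Primary;
	LSA_UNICODE_STRING Credentials;
} KIWI_MSV1_0_PRIMARY_CREDENTIALS, *PKIWI_MSV1_0_PRIMARY_CREDENTIALS;

/* Singly-linked list: one entry per authentication package, each with its primary blobs. */
typedef struct _KIWI_MSV1_0_CREDENTIALS {
	struct _KIWI_MSV1_0_CREDENTIALS *next;
	DWORD AuthenticationPackageId;
	PKIWI_MSV1_0_PRIMARY_CREDENTIALS PrimaryCredentials;
} KIWI_MSV1_0_CREDENTIALS, *PKIWI_MSV1_0_CREDENTIALS;

/*
 * msv1_0 logon-session list entries. Three variants exist because the layout changes
 * between OS builds; the suffixes look like NT version numbers (6 / 6.2 / 6.3) -- confirm
 * against the code that selects them. The `unk*` members are placeholders whose only job
 * is to keep the named members at the right offset; their meaning is unknown, so do not
 * attach semantics to them. The offsets of LocallyUniqueIdentifier are presumably what
 * callers pass as `LUIDoffset` to the lookup helpers declared below.
 */
typedef struct _KIWI_MSV1_0_LIST_6 {
	struct _KIWI_MSV1_0_LIST_6 *Flink;
	struct _KIWI_MSV1_0_LIST_6 *Blink;
	PVOID unk0;
	ULONG unk1;
	PVOID unk2;
	ULONG unk3;
	ULONG unk4;
	ULONG unk5;
	HANDLE hSemaphore6;
	PVOID unk7;
	HANDLE hSemaphore8;
	PVOID unk9;
	PVOID unk10;
	ULONG unk11;
	ULONG unk12;
	PVOID unk13;
	LUID LocallyUniqueIdentifier;
	LUID SecondaryLocallyUniqueIdentifier;
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	PVOID unk14;
	PVOID unk15;
	PSID pSid;
	ULONG LogonType;
	ULONG Session;
	LARGE_INTEGER LogonTime; // autoalign x86
	LSA_UNICODE_STRING LogonServer;
	PKIWI_MSV1_0_CREDENTIALS Credentials;
} KIWI_MSV1_0_LIST_6, *PKIWI_MSV1_0_LIST_6;

typedef struct _KIWI_MSV1_0_LIST_62 {
	struct _KIWI_MSV1_0_LIST_62 *Flink;
	struct _KIWI_MSV1_0_LIST_62 *Blink;
	PVOID unk0;
	ULONG unk1;
	PVOID unk2;
	ULONG unk3;
	ULONG unk4;
	ULONG unk5;
	HANDLE hSemaphore6;
	PVOID unk7;
	HANDLE hSemaphore8;
	PVOID unk9;
	PVOID unk10;
	ULONG unk11;
	ULONG unk12;
	PVOID unk13;
	LUID LocallyUniqueIdentifier;
	LUID SecondaryLocallyUniqueIdentifier;
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	PVOID unk14;
	PVOID unk15;
	/* Two pointer-sized unknowns were reinterpreted as a string in this build. */
	/*PVOID unk16; PVOID unk17;*/
	LSA_UNICODE_STRING Type;
	PSID pSid;
	ULONG LogonType;
	PVOID unk18;
	ULONG Session;
	LARGE_INTEGER LogonTime; // autoalign x86
	LSA_UNICODE_STRING LogonServer;
	PKIWI_MSV1_0_CREDENTIALS Credentials;
} KIWI_MSV1_0_LIST_62, *PKIWI_MSV1_0_LIST_62;

/* The trailing comments are sample values observed while fitting this layout. */
typedef struct _KIWI_MSV1_0_LIST_63 {
	struct _KIWI_MSV1_0_LIST_63 *Flink;	//off_2C5718
	struct _KIWI_MSV1_0_LIST_63 *Blink;	//off_277380
	PVOID unk0; // unk_2C0AC8
	ULONG unk1; // 0FFFFFFFFh
	PVOID unk2; // 0
	ULONG unk3; // 0
	ULONG unk4; // 0
	ULONG unk5; // 0A0007D0h
	HANDLE hSemaphore6; // 0F9Ch
	PVOID unk7; // 0
	HANDLE hSemaphore8; // 0FB8h
	PVOID unk9; // 0
	PVOID unk10; // 0
	ULONG unk11; // 0
	ULONG unk12; // 0
	PVOID unk13; // unk_2C0A28
	LUID LocallyUniqueIdentifier;
	LUID SecondaryLocallyUniqueIdentifier;
	/* 12 undetermined bytes between the LUIDs and UserName. Upstream marks this
	 * "to do (maybe align)": the gap was fitted empirically, not taken from symbols,
	 * so treat every offset after it as unverified on other builds. */
	BYTE waza[12]; /// to do (maybe align)
	LSA_UNICODE_STRING UserName;
	LSA_UNICODE_STRING Domaine;
	PVOID unk14;
	PVOID unk15;
	/*PVOID unk16; PVOID unk17;*/
	LSA_UNICODE_STRING Type;
	PSID pSid;
	ULONG LogonType;
	PVOID unk18;
	ULONG Session;
	LARGE_INTEGER LogonTime; // autoalign x86
	LSA_UNICODE_STRING LogonServer;
	PKIWI_MSV1_0_CREDENTIALS Credentials;
} KIWI_MSV1_0_LIST_63, *PKIWI_MSV1_0_LIST_63;

/*
 * LUID equality. This is a macro, so each argument is evaluated twice: pass only
 * side-effect-free pointer expressions. NOTE(review): check whether the SDK headers in use
 * already provide an RtlEqualLuid; this #define would redefine it.
 */
#define RtlEqualLuid(L1, L2) (((L1)->LowPart == (L2)->LowPart) && ((L1)->HighPart == (L2)->HighPart))

/* ntdll exports that the debugger headers do not declare. */
extern BOOLEAN WINAPI RtlEqualString(IN const STRING *String1, IN const STRING *String2, IN BOOLEAN CaseInSensitive);
extern VOID WINAPI RtlFreeUnicodeString(IN PUNICODE_STRING UnicodeString);
/* The buffer placed in UnicodeString is allocated by ntdll; being declared next to
 * RtlFreeUnicodeString suggests the caller releases it with that -- confirm against ntdll docs. */
extern NTSTATUS WINAPI RtlStringFromGUID(IN LPCGUID Guid, PUNICODE_STRING UnicodeString);

#define LM_NTLM_HASH_LENGTH	16
/* Same name and value OpenSSL's sha.h uses; harmless if both headers meet, but keep in sync. */
#define SHA_DIGEST_LENGTH	20

/*
 * Lookup helpers. Each takes the address (in the target) of a container, the byte offset of
 * the LUID member inside an element, and the LUID to match, and returns the element address
 * as a ULONG_PTR (presumably 0 when nothing matches -- confirm in the implementation).
 */
ULONG_PTR kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(ULONG_PTR pSecurityStruct, ULONG LUIDoffset, PLUID luidToFind);
ULONG_PTR kuhl_m_sekurlsa_utils_pFromAVLByLuid(ULONG_PTR pTable, ULONG LUIDoffset, PLUID luidToFind);
ULONG_PTR kuhl_m_sekurlsa_utils_pFromAVLByLuidRec(ULONG_PTR pTable, ULONG LUIDoffset, PLUID luidToFind);
/* Rebases String->Buffer against BaseAddress, in the direction chosen by `relative`
 * (name-based reading; the exact arithmetic lives in the implementation). */
void kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(PVOID BaseAddress, PLSA_UNICODE_STRING String, BOOL relative);

/* String / display helpers. Return codes are BOOL where a read from the target can fail. */
BOOL kull_m_string_getDbgUnicodeString(IN PUNICODE_STRING string);
void kull_m_string_dprintf_hex(LPCVOID lpData, DWORD cbData, DWORD flags);
void kull_m_string_displayFileTime(IN PFILETIME pFileTime);
void kull_m_string_displayLocalFileTime(IN PFILETIME pFileTime);
void kull_m_string_displayGUID(IN LPCGUID pGuid);
void kull_m_string_displaySID(IN PSID pSid);
/* Sanity check on a UNICODE_STRING taken from the target (untrusted Length/Buffer) --
 * presumably the gate to pass before dereferencing or copying one; confirm the criteria. */
BOOL kull_m_string_suspectUnicodeString(IN PUNICODE_STRING pUnicodeString);
BOOL kuhl_m_sekurlsa_utils_getSid(IN PSID * pSid);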