mirror of
https://github.com/gentilkiwi/mimikatz
synced 2025-01-19 03:20:43 +00:00
b008188f9f
[new] mimikatz & mimilib **very** experimental support for ARM64 [better] code for Mifare protocol [better] code for sekurlsa WinDBG plugin (credential keys, still not good enough) [new] mimilib sub authentication package for @vletoux with 'bad password knocking' and magic password [new] mimikatz: unmarshalling usernames when marshalled [fix] mimikatz SR98/RDM/Busylight could previously crash [fix #184] again and again ;) [fix #172] swscanf_s VS ARRAYSIZE macro [fix #127] stdout/stdin/stderr vs modern Visual Studio and Windows XP support (thank you @Crypt0-M3lon) [code] refactor for defined / !defined
103 lines
4.7 KiB
C
103 lines
4.7 KiB
C
/* Benjamin DELPY `gentilkiwi`
|
|
http://blog.gentilkiwi.com
|
|
benjamin@gentilkiwi.com
|
|
Licence : https://creativecommons.org/licenses/by/4.0/
|
|
*/
|
|
#pragma once
|
|
#include "globals.h"
|
|
#include "kull_m_minidump.h"
|
|
#include "kull_m_kernel.h"
|
|
|
|
void * _ReturnAddress(void);
|
|
//#pragma intrinsic(_ReturnAddress)
|
|
|
|
typedef enum _KULL_M_MEMORY_TYPE
|
|
{
|
|
KULL_M_MEMORY_TYPE_OWN,
|
|
KULL_M_MEMORY_TYPE_PROCESS,
|
|
KULL_M_MEMORY_TYPE_PROCESS_DMP,
|
|
KULL_M_MEMORY_TYPE_KERNEL,
|
|
KULL_M_MEMORY_TYPE_KERNEL_DMP,
|
|
KULL_M_MEMORY_TYPE_HYBERFILE,
|
|
KULL_M_MEMORY_TYPE_FILE,
|
|
} KULL_M_MEMORY_TYPE;
|
|
|
|
typedef struct _KULL_M_MEMORY_HANDLE_PROCESS
|
|
{
|
|
HANDLE hProcess;
|
|
} KULL_M_MEMORY_HANDLE_PROCESS, *PKULL_M_MEMORY_HANDLE_PROCESS;
|
|
|
|
typedef struct _KULL_M_MEMORY_HANDLE_FILE
|
|
{
|
|
HANDLE hFile;
|
|
} KULL_M_MEMORY_HANDLE_FILE, *PKULL_M_MEMORY_HANDLE_FILE;
|
|
|
|
typedef struct _KULL_M_MEMORY_HANDLE_PROCESS_DMP
|
|
{
|
|
PKULL_M_MINIDUMP_HANDLE hMinidump;
|
|
} KULL_M_MEMORY_HANDLE_PROCESS_DMP, *PKULL_M_MEMORY_HANDLE_PROCESS_DMP;
|
|
|
|
typedef struct _KULL_M_MEMORY_HANDLE_KERNEL
|
|
{
|
|
HANDLE hDriver;
|
|
} KULL_M_MEMORY_HANDLE_KERNEL, *PKULL_M_MEMORY_HANDLE_KERNEL;
|
|
|
|
typedef struct _KULL_M_MEMORY_HANDLE {
|
|
KULL_M_MEMORY_TYPE type;
|
|
union {
|
|
PKULL_M_MEMORY_HANDLE_PROCESS pHandleProcess;
|
|
PKULL_M_MEMORY_HANDLE_FILE pHandleFile;
|
|
PKULL_M_MEMORY_HANDLE_PROCESS_DMP pHandleProcessDmp;
|
|
PKULL_M_MEMORY_HANDLE_KERNEL pHandleDriver;
|
|
};
|
|
} KULL_M_MEMORY_HANDLE, *PKULL_M_MEMORY_HANDLE;
|
|
KULL_M_MEMORY_HANDLE KULL_M_MEMORY_GLOBAL_OWN_HANDLE;
|
|
|
|
typedef struct _KULL_M_MEMORY_ADDRESS {
|
|
LPVOID address;
|
|
PKULL_M_MEMORY_HANDLE hMemory;
|
|
} KULL_M_MEMORY_ADDRESS, *PKULL_M_MEMORY_ADDRESS;
|
|
|
|
typedef struct _KULL_M_MEMORY_RANGE {
|
|
KULL_M_MEMORY_ADDRESS kull_m_memoryAdress;
|
|
SIZE_T size;
|
|
} KULL_M_MEMORY_RANGE, *PKULL_M_MEMORY_RANGE;
|
|
|
|
typedef struct _KULL_M_MEMORY_SEARCH {
|
|
KULL_M_MEMORY_RANGE kull_m_memoryRange;
|
|
LPVOID result;
|
|
} KULL_M_MEMORY_SEARCH, *PKULL_M_MEMORY_SEARCH;
|
|
|
|
BOOL kull_m_memory_copy(OUT PKULL_M_MEMORY_ADDRESS Destination, IN PKULL_M_MEMORY_ADDRESS Source, IN SIZE_T Length);
|
|
BOOL kull_m_memory_search(IN PKULL_M_MEMORY_ADDRESS Pattern, IN SIZE_T Length, IN PKULL_M_MEMORY_SEARCH Search, IN BOOL bufferMeFirst);
|
|
|
|
BOOL kull_m_memory_query(IN PKULL_M_MEMORY_ADDRESS Address, OUT PMEMORY_BASIC_INFORMATION MemoryInfo);
|
|
BOOL kull_m_memory_protect(IN PKULL_M_MEMORY_ADDRESS Address, IN SIZE_T dwSize, IN DWORD flNewProtect, OUT OPTIONAL PDWORD lpflOldProtect);
|
|
|
|
BOOL kull_m_memory_open(IN KULL_M_MEMORY_TYPE Type, IN HANDLE hAny, OUT PKULL_M_MEMORY_HANDLE *hMemory);
|
|
PKULL_M_MEMORY_HANDLE kull_m_memory_close(IN PKULL_M_MEMORY_HANDLE hMemory);
|
|
|
|
BOOL kull_m_memory_alloc(IN PKULL_M_MEMORY_ADDRESS Address, IN SIZE_T Lenght, IN DWORD Protection);
|
|
BOOL kull_m_memory_free(IN PKULL_M_MEMORY_ADDRESS Address);
|
|
BOOL kull_m_memory_equal(IN PKULL_M_MEMORY_ADDRESS Address1, IN PKULL_M_MEMORY_ADDRESS Address2, IN SIZE_T Lenght);
|
|
|
|
#define COMPRESSION_FORMAT_NONE (0x0000) // winnt
|
|
#define COMPRESSION_FORMAT_DEFAULT (0x0001) // winnt
|
|
#define COMPRESSION_FORMAT_LZNT1 (0x0002) // winnt
|
|
|
|
#define COMPRESSION_ENGINE_STANDARD (0x0000) // winnt
|
|
#define COMPRESSION_ENGINE_MAXIMUM (0x0100) // winnt
|
|
#define COMPRESSION_ENGINE_HIBER (0x0200) // winnt
|
|
|
|
NTSYSAPI NTSTATUS NTAPI RtlGetCompressionWorkSpaceSize (__in USHORT CompressionFormatAndEngine, __out PULONG CompressBufferWorkSpaceSize, __out PULONG CompressFragmentWorkSpaceSize);
|
|
NTSYSAPI NTSTATUS NTAPI RtlCompressBuffer (__in USHORT CompressionFormatAndEngine, __in_bcount(UncompressedBufferSize) PUCHAR UncompressedBuffer, __in ULONG UncompressedBufferSize, __out_bcount_part(CompressedBufferSize, *FinalCompressedSize) PUCHAR CompressedBuffer, __in ULONG CompressedBufferSize, __in ULONG UncompressedChunkSize, __out PULONG FinalCompressedSize, __in PVOID WorkSpace);
|
|
NTSYSAPI NTSTATUS NTAPI RtlDecompressBuffer (__in USHORT CompressionFormat, __out_bcount_part(UncompressedBufferSize, *FinalUncompressedSize) PUCHAR UncompressedBuffer, __in ULONG UncompressedBufferSize, __in_bcount(CompressedBufferSize) PUCHAR CompressedBuffer, __in ULONG CompressedBufferSize, __out PULONG FinalUncompressedSize );
|
|
|
|
BOOL kull_m_memory_quick_compress(IN PVOID data, IN DWORD size, IN OUT PVOID *compressedData, IN OUT PDWORD compressedSize);
|
|
BOOL kull_m_memory_quick_decompress(IN PVOID data, IN DWORD size, IN OPTIONAL DWORD originalSize, IN OUT PVOID *decompressedData, IN OUT PDWORD decompressedSize);
|
|
|
|
void kull_m_memory_reverseBytes(PVOID start, SIZE_T size);
|
|
#if defined(_M_ARM64)
|
|
PVOID kull_m_memory_arm64_AddrFromInstr(PVOID cur, ULONG i1, ULONG i2);
|
|
PVOID kull_m_memory_arm64_getRealAddress(PKULL_M_MEMORY_ADDRESS Address, LONG off);
|
|
#endif |