The existing implementation wasn't really solid and I never liked it
anyway. Egypt rightfully pointed out flaws in the code, so it has
been changed so that it allocates the required memory up front
and returns that string to the caller, who then has to free it up.
Added a function to render SIDS.
Made the build set warnings as errors. Still no idea why this wasn't
the case already.
Previous commits removed the stack size parameter from the remote thread
creation function call. This caused issues in systems prior to Vista/2k8.
This fix puts that value back in and now everything is honky dory.
Tested on 2k/XP/2k3/Vista/7/2k8
Thanks to sinner being on the ball, x64 was broken and causing some
crazy things to happen. The CPU would peg at 100% despite x86 being
quite happy. It turns out, I suck at C, so I had to fix that up.
This commit includes the following changes:
* Fix up the WNDPROC callback so that the parameters are in the right
order.
* Specify the correct array size for wait handles in the monitor thread.
* Add extra debugging.
* Handle WM_* messages correctly and add WM_NCCREATE.
* Correctly use the CREATESTRUCT to pass in the state.
"How on earth did this ever work?"
Fixed now, thanks again sinner!
Hashdumping on Windows XP and earlier worked fine for processes
running as SYSTEM because CreateRemoteThread didn't have security
in place that Vista and later operating systems do. However, Vista
onwards required migration to SYSTEM processes (which behind the
scenes uses injection via APC) before hashdumping would succeed.
This commit fixes this so that in those cases the hidden API function
RtlCreateUserThread() to create the remote thread in lsass exe. The
result is that hashdumping works without having to migrate first.
Win.
When non-supported types were returned in queries, ADSI just pooped
itself and tore down the Meterpreter session. This a happy tester
Meterpreter does not make!
This code includes more support for ADSI types with attempts to be
semi-sane in stringifying them.
Plus, Meterpreter no longer crashes.
In a previous commit, I rejigged the way commands were overloaded,
and added what appeared to be a micro-optimisation to prevent
the thread from being imperonsated twice. Ultimately it wouldn't
make any differnce, so why I put it in there I really don't know.
The optimisation actually resulted in a breakage in the case where
base commands weren't present but extension commands were. As a
result all extended commands didn't get impersonated unless they
were overloading. This is not a good thing at all.
This fix removed that total stupidity and restores some level of
sanity.
Apologies for my idiocy.
In similar vein to the migration issue, incognito was crashing when
running under SYSTEM processes (such as lsass.exe). This was because
of a pointer truncation problem when processes were being enumerated.
There was also some other quirky logic going on, but nothing too
damaging. I added some other simple code tidies while I was in there.
* We now check to make sure that the required files are on disk and
show an error message if not found.
* README updated to indicate that submodule initialisation is needed.
Sometimes results can be success values but not S_OK, so this change
contains code which will force the result to S_OK in those cases so that
the caller doesn't get an indication which makes it believe that there is
an error.